Shellcode分析与反射式DLL注入技术详解<\/h1>

0x01 背景知识<\/h2>

本文详细分析了一种高级shellcode实现技术，该技术主要用于反射式DLL注入，具有以下特点：<\/p>

隐藏PE文件在shellcode中<\/li>
使用多种反检测技术<\/li>
动态解密关键数据<\/li>

巧妙利用PE头废弃字段<\/li> <\/ul>

0x02 Shellcode结构分析<\/h2>

一、整体结构<\/h3>

该shellcode主要包含以下几个部分：<\/p>

头部垃圾代码（用于混淆）<\/li>
核心加载器代码<\/li>
隐藏的PE文件（DLL）<\/li>

配置数据（存储在PE头废弃字段中）<\/li> <\/ol>

二、关键函数调用流程<\/h3>

初始函数调用<\/strong>：<\/p>

CreatFileMappingA<\/code><\/li>
MapViewOfFile<\/code><\/li>
VirtualProtect<\/code><\/li> <\/ul> <\/li>
PE文件处理流程<\/strong>：<\/p> sub_188e6 (主加载函数) ├─ sub_18c66 (查找隐藏PE) ├─ sub_18cf6 (获取API地址) ├─ sub_19096 (初始化函数指针) ├─ sub_19396 (内存分配) ├─ sub_194b6 (PE头处理) ├─ sub_19576 (节区复制) ├─ sub_19676 (导入表处理) └─ sub_19456 (内存权限设置) <\/code><\/pre> <\/li> <\/ol> 0x03 关键技术点详解<\/h2> 一、PE文件隐藏技术<\/h3> 特征修改<\/strong>：<\/p> DOS头特征从"MZ"修改为"YA"<\/li> PE头特征从"PE"修改为"QJ"<\/li> <\/ul> <\/li> 查找算法<\/strong>：<\/p> for<\/span>(i =<\/span> start_addr; ; i--<\/span>) { <\/span><\/span> if<\/span>(*<\/span>(WORD*<\/span>)i ==<\/span> '<\/span>YA'<\/span> &&<\/span> <\/span><\/span> *<\/span>(i+<\/span>0x3c<\/span>)在<\/span>0x40<\/span>-<\/span>0x400<\/span>之间<\/span> &&<\/span> <\/span><\/span> *<\/span>(WORD*<\/span>)(i +<\/span> *<\/span>(i+<\/span>0x3c<\/span>)) ==<\/span> '<\/span>JQ'<\/span>) { <\/span><\/span> return<\/span> i; \/\/ 找到PE起始位置 <\/span><\/span><\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 二、动态API解析技术<\/h3> PEB遍历<\/strong>：<\/p> 通过__readgsqword(0x60)<\/code>获取PEB<\/li> 遍历LDR链表查找模块<\/li> <\/ul> <\/li> 特征码计算<\/strong>：<\/p> \/\/ 计算DLL名称特征码 <\/span><\/span><\/span><\/span>for<\/span>(每个字符<\/span>) { <\/span><\/span> hash =<\/span> ROR(hash, 13<\/span>); <\/span><\/span> hash +=<\/span> toupper(当前字符<\/span>); <\/span><\/span>} <\/span><\/span>\/\/ 目标特征码：0x6A4ABC5B (对应kernel32.dll) <\/span><\/span><\/span><\/code><\/pre><\/li> 导出表解析<\/strong>：<\/p> 遍历导出名称表计算特征码<\/li> 匹配预定义特征码获取函数地址<\/li> <\/ul> <\/li> <\/ol> 三、内存分配技术<\/h3> 替代VirtualAlloc<\/strong>：<\/p> hMapping =<\/span> CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, 0x40<\/span>, 0<\/span>, size, NULL); <\/span><\/span>pMemory =<\/span> MapViewOfFile(hMapping, FILE_MAP_ALL_ACCESS, 0<\/span>, 0<\/span>, size); <\/span><\/span><\/code><\/pre><\/li> 权限控制<\/strong>：<\/p> 使用PE头Characteristics<\/code>的IMAGE_FILE_BYTES_REVERSED_HI<\/code>位作为配置<\/li> 值为1：申请RWX内存<\/li> 值为0：先申请RW内存，后改为RX<\/li> <\/ul> <\/li> <\/ol> 四、PE加载技术<\/h3> PE头处理<\/strong>：<\/p> 复制隐藏PE头到分配的内存<\/li> 清除PE头特征（当IMAGE_FILE_RELOCS_STRIPPED<\/code>为1时）<\/li> <\/ul> <\/li> 节区处理<\/strong>：<\/p> 遍历节表复制各节区<\/li> 记录可执行节区的RVA和大小<\/li> <\/ul> <\/li> 导入表解密<\/strong>：<\/p> \/\/ 解密算法（异或） <\/span><\/span><\/span><\/span>for<\/span>(每个字节<\/span>) { <\/span><\/span> decrypted[i] =<\/span> encrypted[i] ^<\/span> key[i %<\/span> 4<\/span>]; <\/span><\/span>} <\/span><\/span>\/\/ key来自PE头的NumberOfSymbols字段 <\/span><\/span><\/span><\/code><\/pre><\/li> 重定位修复<\/strong>：<\/p> 使用原始PE的重定位表修复内存中的PE<\/li> <\/ul> <\/li> <\/ol> 五、反检测技术<\/h3> 代码混淆<\/strong>：<\/p> 头部插入垃圾代码<\/li> 消除call\/pop特征<\/li> <\/ul> <\/li> 数据隐藏<\/strong>：<\/p> 加密导入表名称<\/li> 加密可执行节区代码<\/li> <\/ul> <\/li> 配置存储<\/strong>：<\/p> 使用PE头废弃字段存储配置： NumberOfSymbols<\/code>：解密密钥<\/li> TimeDateStamp<\/code>和PointerToSymbolTable<\/code>：函数偏移<\/li> Characteristics<\/code>：内存权限控制<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> 0x04 CobaltStrike特征分析<\/h2> 该shellcode最终被确认为CobaltStrike的反射加载器，具有以下特征：<\/p> 初始化流程<\/strong>：<\/p> 计算security cookie<\/li> 获取系统信息（时间戳、进程\/线程ID）<\/li> <\/ul> <\/li> DLL入口调用<\/strong>：<\/p> 首次调用：初始化（fdwReason=1）<\/li> 二次调用：执行主逻辑（fdwReason=4）<\/li> <\/ul> <\/li> 配置对应<\/strong>：<\/p> stage { <\/span><\/span> set userwx "true"<\/span> \/\/ 避免申请RWX权限 <\/span><\/span><\/span><\/span> set allocator "MapViewOFFile"<\/span> \/\/ 使用MapViewOfFile分配内存 <\/span><\/span><\/span><\/span> set cleanup "true"<\/span> \/\/ 清理痕迹 <\/span><\/span><\/span><\/span> set magic_mz_x64 "YA"<\/span> \/\/ 修改DOS头特征 <\/span><\/span><\/span><\/span> set magic_pe "JQ"<\/span> \/\/ 修改PE头特征 <\/span><\/span><\/span><\/span> set obuscate "true"<\/span> \/\/ 混淆导入表 <\/span><\/span><\/span><\/span> set stomppe "true"<\/span> \/\/ 清除内存中PE头特征 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x05 防御检测建议<\/h2> 针对此类技术的防御措施：<\/p> 内存监控<\/strong>：<\/p> 监控CreateFileMapping\/MapViewOfFile的异常使用<\/li> 检测RW->RX权限变更<\/li> <\/ul> <\/li> 特征检测<\/strong>：<\/p> 检测"YA"、"JQ"特征组合<\/li> 监控PE头废弃字段异常使用<\/li> <\/ul> <\/li> 行为检测<\/strong>：<\/p> 反射加载行为<\/li> 异常DLL入口调用序列<\/li> <\/ul> <\/li> 流量分析<\/strong>：<\/p> 检测C2通信特征<\/li> 识别域名前置技术<\/li> <\/ul> <\/li> <\/ol> 0x06 总结<\/h2> 本文详细分析了一种高级shellcode实现技术，揭示了反射式DLL注入的内部机制和反检测技术。关键要点包括：<\/p> 巧妙利用PE结构实现数据隐藏<\/li> 多种内存分配技术绕过监控<\/li> 动态解密和配置管理<\/li> 与CobaltStrike实现的对应关系<\/li> <\/ol> 理解这些技术有助于提升攻防两端的技能水平，在红队操作中实现更隐蔽的驻留，在蓝队防御中建立更有效的检测机制。<\/p>