taibeihacker
Moderator
This method uses TLS callbacks to execute a payload without creating any threads in the remote process. It is inspired by Threadless Injection, as Remote TLS Callback Injection does not invoke any API call to trigger the injected payload.
Quick Links
Maldev Academy Home / Maldev Academy Syllabus
Related Maldev Academy Modules
New Module 34: Anti-Spoofing Callbacks / New Module 35: Threadless Injection
Implementation Steps
The POC follows these steps:

1. Create a suspended process (i.e. RuntimeBroker.exe) using the CreateProcessViaWinAPIsW function.
2. Fetch the remote process's image base address, then read the process's PE headers.
3. Fetch the address of a TLS callback function.
4. Patch a fixed shellcode (i.e. g_FixedShellcode) with runtime-retrieved values. This shellcode is responsible for restoring the original bytes and memory permissions of the TLS callback function's address.
5. Inject both shellcodes: g_FixedShellcode and the main payload.
6. Patch the TLS callback function's address, replacing it with the address of the injected payload.
7. Resume the process.

The g_FixedShellcode shellcode will then make sure that the main payload executes only once by restoring the original TLS callback's original address before calling the main payload. A TLS callback can execute multiple times across the lifespan of a process, therefore it is important to control the number of times the payload is triggered by restoring the original code path execution to the original TLS callback function.
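As an added example that is not part of the original post or the POC, the following Python shows the detection-side counterpart of steps 2, 3 and 6: it parses the headers of a mapped PE32+ image, walks the TLS directory's callback array, and flags any callback whose address does not fall inside an executable section of the image, which is what a callback redirected to injected memory looks like. The image bytes are a constructed, hypothetical minimal layout (build_image), not taken from any real binary; AddressOfCallBacks is a VA, so the check subtracts the image base before comparing against section RVAs.

```python
import struct
# Constructed, hypothetical mapped PE32+ layout (RVA == offset, as when headers are read from a live process).
IMAGE_BASE = 0x140000000
TEXT_RVA, TLS_DIR_RVA, CALLBACKS_RVA = 0x1000, 0x2000, 0x2100  # .text / TLS dir in .rdata / callback array
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes; IMAGE_FILE_HEADER below is "<HHIIIHH"

def build_image(callback_vas):
    """Build a minimal mapped image whose TLS callback array holds callback_vas (constructed test input)."""
    img, pe, opt = bytearray(0x3000), 0x80, 0x80 + 24
    img[0:2], img[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, pe)                                        # e_lfanew
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x8664, 2, 0, 0, 0, 240, 0x22)    # 2 sections, 240-byte opt hdr
    struct.pack_into("<H", img, opt, 0x20B)                                      # PE32+ magic
    struct.pack_into("<Q", img, opt + 24, IMAGE_BASE)
    struct.pack_into("<I", img, opt + 108, 16)                                   # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112 + 9 * 8, TLS_DIR_RVA, 40)            # DataDirectory[9] = TLS
    for i, (name, rva, flags) in enumerate([(b".text", TEXT_RVA, 0x60000020), (b".rdata", TLS_DIR_RVA, 0x40000040)]):
        struct.pack_into(SECTION_FMT, img, opt + 240 + 40 * i, name, 0x1000, rva, 0x1000, rva, 0, 0, 0, 0, flags)
    # IMAGE_TLS_DIRECTORY64: 4th QWORD is AddressOfCallBacks (a VA); the array it points to is NULL-terminated
    struct.pack_into("<QQQQ", img, TLS_DIR_RVA, 0, 0, 0, IMAGE_BASE + CALLBACKS_RVA)
    struct.pack_into("<%dQ" % (len(callback_vas) + 1), img, CALLBACKS_RVA, *callback_vas, 0)
    return bytes(img)

def tls_callbacks(img):
    """Parse a mapped PE32+ image into (image base, [(name, rva, size, flags)], TLS callback VAs)."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", img, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", img, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ image")
    base = struct.unpack_from("<Q", img, opt + 24)[0]
    tls_rva = struct.unpack_from("<I", img, opt + 112 + 9 * 8)[0]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, img, opt + opt_size + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode(), f[2], f[1], f[9]))  # VirtualAddress, VirtualSize, Characteristics
    callbacks = []
    if tls_rva:                                   # no TLS directory means no callbacks to inspect
        off = struct.unpack_from("<Q", img, tls_rva + 24)[0] - base
        while struct.unpack_from("<Q", img, off)[0]:
            callbacks.append(struct.unpack_from("<Q", img, off)[0])
            off += 8
    return base, sections, callbacks

def suspicious_callbacks(img):
    """TLS callbacks whose address falls outside every executable section of the image (e.g. injected memory)."""
    base, sections, callbacks = tls_callbacks(img)
    return [va for va in callbacks if not any(
        flags & IMAGE_SCN_MEM_EXECUTE and rva <= va - base < rva + size for _, rva, size, flags in sections)]
```

A callback pointing into a non-executable section such as .rdata is reported too, since a legitimate compiler-emitted callback always lives in code.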