taibeihacker
Moderator
NoArgs is a tool designed to dynamically spoof and conceal process arguments while remaining undetected. It does this by hooking Windows APIs to manipulate Windows internals on the fly, which lets NoArgs alter process arguments discreetly.
Screenshots (images not reproduced here): Default cmd and its Windows Event Logs; Using NoArgs and its Windows Event Logs.
Functionality Overview
The tool primarily operates by intercepting process creation calls made by the Windows API function CreateProcessW. When a process is launched, this function is responsible for spawning the new process together with any specified command-line arguments. The tool intervenes in this process creation flow, ensuring that the arguments are either hidden or manipulated before the new process is launched.
Hooking Mechanism
Hooking CreateProcessW is achieved with Detours, a popular library for intercepting and redirecting Win32 API functions. Detours allows function calls to be redirected to a custom implementation while preserving the original functionality. By hooking into CreateProcessW, the tool is able to intercept process creation requests and execute its custom logic before allowing the process to be spawned.
Process Environment Block (PEB) Manipulation
The Process Environment Block (PEB) is a data structure used by Windows to store information about a process's environment and execution state. The tool leverages the PEB to manipulate the command-line arguments of the newly created process. By modifying the command-line information stored in the PEB, the tool can alter or hide the arguments passed to that process.
Demo: Running Mimikatz and passing it the arguments:
Process Hacker View:
Process Monitor View:
All the arguments are hidden dynamically.
Technical Implementation
Injection into Command Prompt (cmd): The tool injects its code into the Command Prompt process, embedding it as position-independent code (PIC). This allows seamless integration into cmd's memory space, ensuring covert operation without relying on specific memory addresses. (Only for the obfuscated executable on the Releases page.)
Windows API Hooking: Detours is used to intercept calls to the CreateProcessW function. By redirecting the execution flow to a custom implementation, the tool can run its own logic before the original Windows API function.
Custom Process Creation Function: Upon intercepting a CreateProcessW call, the custom function is executed, creating the new process and manipulating its arguments as necessary.
PEB Modification: Within the custom process creation function, the Process Environment Block (PEB) of the newly created process is accessed and modified to manipulate or hide the process arguments.
Execution Redirection: Once the manipulation is complete, execution returns seamlessly to the Command Prompt (cmd) without interruption. This dynamic redirection ensures that subsequently entered commands are manipulated discreetly, evading detection and logging mechanisms that rely on getting process details from the PEB.
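As an added defender-side check (not part of NoArgs or its README), the PowerShell below compares the command line Sysmon recorded at process creation (Event ID 1) with what each live process reports now through Win32_Process, which reads it from the PEB; a difference, or an empty current command line where Sysmon saw arguments, is the trace left by the kind of PEB rewrite described above. It assumes Sysmon is installed with process-creation logging enabled and an elevated session; the function names are my own.

```powershell
# Added example, not part of NoArgs. Compares the command line Sysmon recorded
# at process creation (Event ID 1) with the command line the process reports
# now (Win32_Process reads it from the PEB). Assumes Sysmon is installed and
# logging process creation; run from an elevated PowerShell session.

function Get-SysmonEventField {
    param($EventData, [string]$Name)
    # Pull one <Data Name="..."> value out of a parsed Sysmon event
    ($EventData | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-SysmonProcessCreates {
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ProcessId   = [int](Get-SysmonEventField $data 'ProcessId')
                Image       = Get-SysmonEventField $data 'Image'
                CommandLine = Get-SysmonEventField $data 'CommandLine'
            }
        }
}

function Find-PebCommandLineMismatch {
    $events = Get-SysmonProcessCreates
    foreach ($p in Get-CimInstance Win32_Process) {
        # Latest creation event for this PID and image that is not newer than
        # the live process (small tolerance for logging delay; guards PID reuse)
        $ev = $events | Where-Object {
            $_.ProcessId -eq $p.ProcessId -and $_.Image -eq $p.ExecutablePath -and
            $_.Time -le $p.CreationDate.AddSeconds(5)
        } | Sort-Object Time -Descending | Select-Object -First 1
        if (-not $ev) { continue }
        $now = ([string]$p.CommandLine).Trim()
        if ($now -ne ([string]$ev.CommandLine).Trim()) {
            [pscustomobject]@{
                ProcessId  = $p.ProcessId
                Image      = $p.ExecutablePath
                AtCreation = $ev.CommandLine
                InPebNow   = $now
            }
        }
    }
}

Find-PebCommandLineMismatch | Format-Table -AutoSize -Wrap
```

A process that exits before the scan runs is not covered; for that case correlate Sysmon Event ID 1 with later telemetry instead of the live PEB.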
Option 1: Compile the NoArgs DLL:
You will need to install Microsoft Detours (Microsoft/Detours).
Compile the DLL.
Inject the compiled DLL into any cmd instance to dynamically manipulate the arguments of newly created processes.
Option 2: Download the compiled executable (ready to use) from the Releases page.