
Detection bypass #35

Open
UnknownOooo opened this issue Nov 18, 2024 · 4 comments

Comments

@UnknownOooo

UnknownOooo commented Nov 18, 2024

冰盾 does not seem to detect this sample's tampering with the memory of a process (colorcpl.exe).

In addition, this sample also seems to bypass 冰盾's built-in parent process spoofing detection? (This process should not be started by explorer.exe.)
[Screenshot 2024-11-19 005731]

Sample (archive password: infected): https://wwjw.lanzouq.com/iu3IW2fgzape

@wecooperate
Owner

  1. Tampering with the memory of the process (colorcpl.exe): this was filtered out because of some conditions; the detection will be restored later.
  2. This process is launched by explorer through the shell interface; we will look later at exactly how it is triggered and whether it can be detected.


@wecooperate
Owner

Wait for the next release; it will be able to block the process of creating the puppet process.

@UnknownOooo
Author

> Wait for the next release; it will be able to block the process of creating the puppet process.

Could you take another look at this sample? 冰盾's built-in rules seem unable to detect this sample's process hollowing and thread context modification behaviour. The archive password is still infected.
sample.zip

@jnabnsn

jnabnsn commented Jan 10, 2025

https://www.henry-blog.life/henry-blog/shellcode-jia-zai-qi/jin-cheng-lou-kong-zhu-ru-kui-lei-jin-cheng
I compiled the demo code from this page directly, and it also does not trigger detection (the "Memory tampering" rule is enabled, without a restart; the Enhanced Defense rule "Prohibit modifying other processes' thread context" is enabled, without a restart).
Current version: 4.6.5
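The thread above makes a point worth showing in code: because the hollowed colorcpl.exe is launched through the shell interface, its parent really is explorer.exe, so a parent-process heuristic alone never fires, whereas correlating a cross-process memory write with a subsequent thread-context change on the same freshly created process does. The following is an added example, not code from this issue or from 冰盾; the event schema, the correlation window, the pids and the timestamps are all constructed for illustration.

```python
from dataclasses import dataclass

WINDOW_MS = 5000  # correlation window after process creation (assumed value)

@dataclass(frozen=True)
class Event:
    """One constructed telemetry record; the field names are assumptions."""
    ts: int               # milliseconds
    kind: str             # "create" | "mem_write" | "set_thread_ctx"
    src: int              # pid performing the action
    dst: int              # pid acted upon (for "create": the new pid)
    image: str = ""       # image name of the new process (create only)
    parent_image: str = ""

def flag_untrusted_parent(events, trusted_parents):
    """Parent-only heuristic: flag creations whose parent image is not in the
    trusted set. A launch that goes through explorer.exe passes this check."""
    return [e.dst for e in events if e.kind == "create"
            and e.parent_image.lower() not in trusted_parents]

def detect_hollowing(events, window_ms=WINDOW_MS):
    """Flag each new process that a *different* pid writes into and whose thread
    context that same pid then rewrites inside the window, parent ignored."""
    ordered = sorted(events, key=lambda e: e.ts)
    hits = []
    for created in (e for e in ordered if e.kind == "create"):
        pid, deadline, writers = created.dst, created.ts + window_ms, set()
        for e in ordered:
            if e.dst != pid or e.src == pid or not created.ts <= e.ts <= deadline:
                continue
            if e.kind == "mem_write":
                writers.add(e.src)
            elif e.kind == "set_thread_ctx" and e.src in writers:
                hits.append((pid, e.src, created.image))
                break
    return hits

# Constructed sample: pids, timestamps and images are made up for illustration.
SAMPLE_EVENTS = [
    # benign: explorer.exe starts notepad.exe and nobody touches it
    Event(0, "create", 100, 2001, "notepad.exe", "explorer.exe"),
    # colorcpl.exe launched through the shell, so its parent is explorer.exe
    # (the case from the issue); pid 3000 then writes into it and rewrites its context
    Event(10, "create", 100, 2002, "colorcpl.exe", "explorer.exe"),
    Event(15, "mem_write", 3000, 2002),
    Event(16, "mem_write", 3000, 2002),
    Event(20, "set_thread_ctx", 3000, 2002),
    # a thread-context change by the process itself is not cross-process
    Event(30, "set_thread_ctx", 2001, 2001),
]
```

On the constructed events, `flag_untrusted_parent(SAMPLE_EVENTS, {"explorer.exe"})` returns nothing, while `detect_hollowing(SAMPLE_EVENTS)` flags pid 2002 as written to and redirected by pid 3000.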
