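├── ACG
└── cgo.go
├── README.md
└── UpdateProcThreadAttribute
├── blockdll.go
├── go.mod
└── go.sum
/ACG/cgo.go:
--------------------------------------------------------------------------------
package main

/*
#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "Advapi32.lib")

// NOTE(review): the original preamble carried a third #include whose header name
// was lost when the page was extracted; restore it from the repository if the
// build needs it.

// add_mitigations prints the current binary-signature policy of hProc and then
// enables MicrosoftSignedOnly for the calling process. Note that
// SetProcessMitigationPolicy takes no process argument: the policy is always
// applied to the current process, hProc is only used for the read-back.
// Returns 0 on success and -1 when either call fails.
static int add_mitigations(HANDLE hProc)
{
	PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY signature = { 0 };

	if (!GetProcessMitigationPolicy(hProc, ProcessSignaturePolicy, &signature, sizeof(signature))) {
		printf("[!] GetProcessMitigationPolicy failed (error %lu)\n", GetLastError());
		return -1;
	}
	printf("ProcessSignaturePolicy:\n");
	printf("  MicrosoftSignedOnly %u\n", signature.MicrosoftSignedOnly);

	signature.MicrosoftSignedOnly = 1;
	if (!SetProcessMitigationPolicy(ProcessSignaturePolicy, &signature, sizeof(signature))) {
		printf("[!] ProcessSignaturePolicy failed (error %lu)\n", GetLastError());
		return -1;
	}
	printf("ProcessSignaturePolicy:\n");
	printf("  MicrosoftSignedOnly %u\n", signature.MicrosoftSignedOnly);
	return 0;
}

// test applies the signature policy to the calling process.
// Returns 0 on success, non-zero on failure.
int test()
{
	return add_mitigations(GetCurrentProcess());
}
*/
import "C"
import (
	"bufio"
	"fmt"
	"os"
)

// main applies the MicrosoftSignedOnly mitigation to this process and then
// waits for Enter so the console output stays visible. The policy call is made
// explicitly here rather than from init() so the side effect is visible at the
// program's entry point; ordering is unchanged because init ran before main.
func main() {
	if rc := C.test(); rc != 0 {
		fmt.Fprintln(os.Stderr, "[!] signature policy was not applied")
	}

	fmt.Println("Gotcha!")
	fmt.Print("Press 'Enter' to continue...")
	// Best-effort pause to keep the console open; a read error is irrelevant here.
	_, _ = bufio.NewReader(os.Stdin).ReadBytes('\n')
}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Doge-BlockDLLs
Preventing 3rd Party DLLs from Injecting into your Malware

ACG(Arbitrary Code Guard)的方式采用cgo实现,dynamic code prohibit未能成功实现


### Ref
https://www.ired.team/offensive-security/defense-evasion/preventing-3rd-party-dlls-from-injecting-into-your-processes

https://blog.xpnsec.com/protecting-your-malware/
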
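https://3gstudent.github.io/Cobalt_Strike%E7%9A%84blockdlls%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90

## etc
1. 开源的样本大部分可能已经无法免杀,需要自行修改

2. 我认为基础核心代码的开源能够帮助想学习的人

3. 本人从github大佬项目中学到了很多

4. 若用本人项目去进行:HW演练/红蓝对抗/APT/黑产/恶意行为/违法行为/割韭菜,等行为,本人概不负责,也与本人无关

5. 本人已不参与大小HW活动的攻击方了,若溯源到timwhite id与本人无关

--------------------------------------------------------------------------------
/UpdateProcThreadAttribute/blockdll.go:
--------------------------------------------------------------------------------
package main

import (
	"bufio"
	"fmt"
	"log"
	"os"
	"syscall"
	"unsafe"

	"github.com/D00MFist/Go4aRun/pkg/sliversyscalls/syscalls"
	"golang.org/x/sys/windows"
)

// Attribute key and policy values handed to UpdateProcThreadAttribute.
const (
	// PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY
	procThreadAttributeMitigationPolicy = 0x20007

	// PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON |
	// PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON:
	// the child may only load Microsoft-signed images and may not create
	// executable memory at run time.
	mitigationNonMS uintptr = 0x100000000000 | 0x1000000000

	// PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE |
	// PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON:
	// as above, but Store-signed images are also permitted.
	mitigationOnlyStore uintptr = 0x300000000000 | 0x1000000000
)

// CreateProcess launches notepad.exe with the extended startup information in
// startupInfo, whose attribute list carries the mitigation policy, so the policy
// is in force from the child's first instruction. The process and thread
// handles returned by the kernel are closed before returning; the child itself
// keeps running. Returns a non-nil error when the child could not be created.
func CreateProcess(startupInfo syscalls.StartupInfoEx) error {
	target := "C:\\Windows\\System32\\notepad.exe"
	commandLine, err := syscall.UTF16PtrFromString(target)
	if err != nil {
		return fmt.Errorf("encoding command line %q: %w", target, err)
	}

	// With EXTENDED_STARTUPINFO_PRESENT, Cb must be the size of the extended
	// structure, otherwise the attribute list is not honoured.
	startupInfo.Cb = uint32(unsafe.Sizeof(startupInfo))
	creationFlags := uint32(windows.EXTENDED_STARTUPINFO_PRESENT)

	var procInfo windows.ProcessInformation
	if err := syscalls.CreateProcess(
		nil,
		commandLine,
		nil,
		nil,
		true,
		creationFlags,
		nil,
		nil,
		&startupInfo,
		&procInfo,
	); err != nil {
		return fmt.Errorf("creating process %q: %w", target, err)
	}

	// The handles are not used after creation; closing them avoids a leak
	// without affecting the child.
	_ = windows.CloseHandle(procInfo.Thread)
	_ = windows.CloseHandle(procInfo.Process)
	return nil
}

// main builds a PROC_THREAD_ATTRIBUTE_LIST holding a process-creation
// mitigation policy, starts notepad.exe with it, and waits for Enter.
// Every API error is now reported instead of being discarded.
func main() {
	// The first call with a nil list is expected to fail: it only reports the
	// buffer size required for two attributes, which is all we want here.
	procThreadAttributeSize := uintptr(0)
	_ = syscalls.InitializeProcThreadAttributeList(nil, 2, 0, &procThreadAttributeSize)
	if procThreadAttributeSize == 0 {
		log.Fatal("InitializeProcThreadAttributeList did not report a buffer size")
	}

	procHeap, err := syscalls.GetProcessHeap()
	if err != nil {
		log.Fatalf("GetProcessHeap: %v", err)
	}
	attributeList, err := syscalls.HeapAlloc(procHeap, 0, procThreadAttributeSize)
	if err != nil {
		log.Fatalf("HeapAlloc(%d bytes): %v", procThreadAttributeSize, err)
	}
	defer syscalls.HeapFree(procHeap, 0, attributeList)

	var startupInfo syscalls.StartupInfoEx
	startupInfo.AttributeList = (*syscalls.PROC_THREAD_ATTRIBUTE_LIST)(unsafe.Pointer(attributeList))
	if err := syscalls.InitializeProcThreadAttributeList(startupInfo.AttributeList, 2, 0, &procThreadAttributeSize); err != nil {
		log.Fatalf("InitializeProcThreadAttributeList: %v", err)
	}
	// NOTE(review): the list is freed without a matching delete call first;
	// harmless for a single-shot tool, but worth adding if the syscalls
	// package exposes a wrapper for it.

	// Block mode selection; the value must stay addressable because the
	// attribute is passed by pointer.
	blockMode := "nonms"
	var policy uintptr
	switch blockMode {
	case "nonms":
		policy = mitigationNonMS
	case "onlystore":
		policy = mitigationOnlyStore
	default:
		// Launching the child without any policy would silently defeat the
		// purpose of the tool, so stop here instead of continuing.
		log.Fatalf("unknown block mode %q", blockMode)
	}
	if err := syscalls.UpdateProcThreadAttribute(startupInfo.AttributeList, 0, procThreadAttributeMitigationPolicy, &policy, unsafe.Sizeof(policy), 0, nil); err != nil {
		log.Fatalf("UpdateProcThreadAttribute: %v", err)
	}

	// startupInfo already holds only the attribute list, so it is passed
	// directly instead of being copied into a second StartupInfoEx.
	if err := CreateProcess(startupInfo); err != nil {
		log.Printf("CreateProcess failed: %v", err)
	}

	fmt.Print("Press 'Enter' to continue...")
	// Best-effort pause to keep the console open; a read error is irrelevant here.
	_, _ = bufio.NewReader(os.Stdin).ReadBytes('\n')
}

--------------------------------------------------------------------------------
/UpdateProcThreadAttribute/go.mod:
--------------------------------------------------------------------------------
module github.com/timwhitez/Doge-BlockDLLs/UpdateProcThreadAttribute

go 1.16

require (
	github.com/D00MFist/Go4aRun v0.0.0-20200730144529-493acbb0c38b
	golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf
)

--------------------------------------------------------------------------------
/UpdateProcThreadAttribute/go.sum:
--------------------------------------------------------------------------------
github.com/D00MFist/Go4aRun v0.0.0-20200730144529-493acbb0c38b h1:isKLawkqt+M31EDm9P2Vt5x1/VEpRQowfwUEno5DtLU=
github.com/D00MFist/Go4aRun v0.0.0-20200730144529-493acbb0c38b/go.mod h1:uGf6pdElIGTFeXGIUeek3Fzs3uNcZjyhkBWWwhF9cI0=
golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf 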
h1:2ucpDCmfkl8Bd/FsLtiD653Wf96cW37s+iGx93zsu4k= 4 | golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 5 | --------------------------------------------------------------------------------