LOLSPOOF是一个交互式外壳程序,它会自动欺骗产卵过程的命令行参数。只需调用您的犯罪命令行LOLBIN(例如PowerShell -W隐藏-enc Zwblahqalqalqbwahiabwbjagua .),LOLSPOOF将确保过程创建遥测似乎合法且清晰。
Why
Process命令行是一项非常受监控的遥测,由AV/EDRS,SOC分析或威胁猎人彻底检查。How
Prepares the spoofed command line out of the real one: lolbin.exe ' ' * sizeof(real arguments) Spawns that suspended LOLBin with the spoofed command line Gets the remote PEB address Gets the address of RTL_USER_PROCESS_PARAMETERS struct Gets the address of the command line unicode buffer Overrides the fake command line with the real one Resumes the main threadOpsec considerations
尽管这种简单的技术有助于绕过命令行检测,但它可能会介绍其他可疑的遥测: 1。创建悬浮过程2。新过程具有落后的空间(但是很容易使其成为重复的字符甚至随机数据)3。Build
使用NIM 1.6.12构建(用NIM 2.x编译会产生错误!)敏捷安装Winim
