-
-
[原创]免杀实验记录
-
发表于: 2025-4-11 07:27
-
1.背景
以往Go免杀大都是免杀shellcode,但根据需求编写shellcode,不如编写pe方便,而免杀pe的工作较少,于是做了款Go免杀壳,并测试其免杀执行pe的能力
2.实验环境:
实验时间:4.7
杀软配置:
杀软最新病毒库
360 5个查杀引擎全部开启,火绒默认设置,腾讯管家默认配置
3.实验过程
3.1 执行32位pe
3.1.1 配置
payload:
msfvenom --platform windows -p windows/meterpreter/reverse_tcp 写一个pe,执行该shellcode
go env:
GOARCH=386
加壳文件名:main_shellcode.exe
未加壳文件名:shellcode.exe/shell_c.exe
3.1.2 结果
未经壳保护,被查杀
有壳保护,可执行
4.10号在测试,360、卡巴已经可以检测了,4月10日,微步、vt检测图如下
shellcode 未加免杀壳情况
main_shellcode 加免杀壳情况
3.2 执行64位shellcode
3.2.1 配置
paylaod:
msfvenom --platform windows -p windows/x64/meterpreter/reverse_tcp
go env:
GOARCH=amd64
加壳文件名:main_shellcode.exe
未加壳文件名:shell_c.exe
3.2.2 结果
按照32位的方法,直接改成64位,360扫描报毒,火绒执行起来报毒
放弃原有思路,go写了个timer注入,执行上述shellcode,360扫描报毒,火绒轻松过
4月10日,vt+wb情况如下
未加免杀壳
加免杀壳
4.结论
360在注入时,对内存的扫描非常严格,且激进,通过加密混淆内存过,难度较大
有想法,但时间有限,后续在改进,大家有想法可以下面留言,私信没币回不了,交流邮箱1343270654@qq.com
32位代码地址:0d8K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6a6M7X3q4F1k6$3g2Q4x3X3c8t1N6h3q4Q4x3V1k6s2L8@1u0&6f1r3q4K6M7@1q4h3i4K6u0r3N6s2u0W2k6g2)9J5c8X3#2S2M7%4c8W2M7R3`.`.
声明
仅限用于技术研究和获得正式授权的攻防项目,请使用者遵守《中华人民共和国网络安全法》,切勿用于任何非法活动,若将工具做其他用途,由使用者承担全部法律及连带责任,作者及发布者不承担任何法律及连带责任!
5.参考文献
6e7K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6K6j5h3k6W2y4W2y4W2j5#2)9J5c8V1N6G2L8r3q4F1k6@1u0&6M7r3q4K6M7@1q4h3
ad9K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6b7K9i4A6*7x3K6y4Q4x3V1k6s2L8$3u0&6M7r3q4K6M7@1q4h3i4K6u0V1M7$3S2W2L8r3I4U0L8$3c8W2
c97K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6f1K9h3c8W2f1$3g2U0i4K6u0r3c8$3!0n7P5i4m8S2M7%4y4m8g2R3`.`.
b62K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6b7K9i4A6*7x3K6y4Q4x3V1k6v1L8@1A6G2e0r3!0S2k6r3g2J5i4K6u0r3N6s2u0W2k6g2)9J5c8X3#2S2K9h3^5`.
d07K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6S2M7r3I4&6j5K6q4S2i4K6u0r3j5X3I4G2k6%4y4Q4x3V1k6T1L8r3!0T1i4K6u0r3L8h3q4K6N6r3g2J5i4K6u0r3i4K6t1#2c8e0S2Q4x3U0g2n7b7g2)9J5y4f1t1J5i4K6t1#2c8e0W2Q4x3U0f1^5x3g2)9J5y4f1u0r3i4K6t1#2c8e0k6Q4x3U0g2m8x3#2)9J5y4e0R3H3i4K6t1#2c8e0k6Q4x3U0g2n7y4g2)9J5y4e0S2n7i4K6u0r3i4K6t1#2c8e0c8Q4x3U0g2n7b7g2)9J5y4e0S2o6i4K6t1#2c8e0S2Q4x3U0g2n7c8W2)9J5y4e0W2n7i4K6t1#2c8e0g2Q4x3U0f1^5z5q4)9J5y4f1t1$3i4K6t1#2c8e0g2Q4x3U0f1^5y4g2)9J5y4e0S2p5i4K6t1#2c8e0k6Q4x3U0f1&6c8q4)9J5y4e0R3H3i4K6t1#2c8e0k6Q4x3U0f1^5b7g2)9J5y4e0R3H3i4K6t1#2c8e0k6Q4x3U0f1&6b7#2)9J5y4f1q4r3i4K6t1#2c8e0N6Q4x3U0g2m8x3q4)9J5y4e0V1@1i4K6t1#2c8e0N6Q4x3U0g2m8z5g2)9J5y4f1t1$3i4K6u0W2L8h3b7`.
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
