Preface
In HVV engagements the red team usually breaks through the perimeter by phishing, and phishing is the main way in, but that does not work without a payload that evades antivirus. Here I share my own evasion process; the result gets past Huorong, 360 Antivirus, Windows Defender and Symantec, the mainstream AV products, without any problem.
How antivirus software works
Antivirus software has many ways of detecting malware. One is signature recognition: vendors collect samples and extract features from them, so to some extent the detection capability of an AV product depends on the size of its sample database. Signature-based recognition is usually static. Heuristic detection can be described as dynamic detection; it is basically a machine-learning approach that watches the behaviour of executable programs, or of important areas of the system, and makes a detection decision based on that behaviour.
Evasion techniques
Modifying signatures: locate the features in the sample that trigger the AV rule, for example by split-and-test (taint) detection, and modify the obvious features; to a certain extent this achieves evasion.
Junk instructions: add garbage instructions to the program's shellcode or to the signature region. Adding garbage instructions does not affect execution of the file, but the comparison will no longer match in dynamic detection or in file hash comparison. Packing, for example with UPX: the hash comparison generally performed after the file lands on disk can also be bypassed this way.
Recompilation: generally used to recompile the shellcode to bypass AV. PowerShell evasion: general protection software, or the system itself, produces a warning when PowerShell is invoked, and general security appliances do the same, so command-level tricks are needed to get past their monitoring.
Evasion
Generating the payload with CS
Add a listener and generate the payload.
Download go-strip.exe, which obfuscates the Go build information in the binary.
Download address:
https://cdn.githubjs.cf/boy-hack/go-strip/releases/download/v3.0/go-strip_0.3.4_windows_amd64.zip
Run the bypass script:
go run main.go
The core of it is two layers of encryption on the shellcode.
The source code is not posted directly, out of concern that the sample would get flagged; instead a few projects are recommended here. Go is used here; Python is not recommended.
https://github.com/TideSec/BypassAntiVirus
I modified the generated exe here. Installed Huorong and scanned it.
CS callback received.
Packing
In addition, test with a packer. Address:
Simple compression packing:
upx.exe -f Go_bypass.exe
After packing the exe file size is 406KB.
You can see that before packing the file size was 1011KB.
The packed file is renamed upx_Go_bypass
to make it easy to confirm its callback status.
Callback successful; next, check the evasion result after packing.
Huorong does not flag the file either before or after packing.
Although it was flagged before packing, it is not flagged after packing.
Symantec does not flag it either; screenshots for the other antivirus products are omitted. One important note, however: do not test with a cloud sandbox.
Summary
With more testing there will always be new findings. The practice itself is relatively easy, but the point that needs the most attention is the evasion result afterwards.