Shellcode Runner Bypass AV

Category: Reverse Engineering

Executing a .NET assembly via rundll32

Preface

Principle: https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/

Start

First, generate the DLL with CSharpSetThreadContext[1].


Use crpto.exe to generate the encrypted .bin file, then add that .bin as a resource in Runner and build. Runner is the loader.


A small change: what I want is a DLL, so install the DllExport package through the package manager.


Make sure the Runner project is selected.

Then Main becomes the exported function:

    // Exported entry point that rundll32 can call by name.
    // Detonate() is the Runner project's own loader routine.
    [DllExport]
    static void Main()
    {
        Detonate();
    }

When compiling you must select 64-bit, matching the bitness of your shellcode. 32-bit builds are scrutinised far more strictly by AV, so 64-bit is recommended. Let's run it first.
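A defender's view of the step above, added here as an example that is not part of the original post or of the CSharpSetThreadContext project: the XPN article linked in the preface shows that thread-start-address checks such as Get-InjectedThread can be evaded, so hunting for this loader pattern is better done from process and image-load telemetry. The script below runs over constructed Sysmon-style records (Event 1 process creation and Event 7 image load; the GUIDs, paths and command lines are made up for the demo) and flags a rundll32.exe that either pulls in the .NET runtime (mscoree.dll / clr.dll / clrjit.dll) or is given a DLL path outside the Windows system directories. The assumption that rundll32 rarely hosts the CLR must be baselined per environment.

```python
"""Heuristic detection for rundll32 hosting a .NET assembly.

The events below are constructed Sysmon-style records, not real telemetry.
Two signals are combined per process:
  * Event 1 (ProcessCreate): rundll32.exe launched with a DLL argument that
    does not live under the Windows system directories.
  * Event 7 (ImageLoad): rundll32.exe loading the .NET runtime, which a
    native DLL host does not normally need (assumption: baseline this).
"""
import re
from collections import defaultdict

# Constructed sample events: (EventID, ProcessGuid, Image, detail)
# For EventID 1 the detail is the CommandLine; for EventID 7 it is ImageLoaded.
SAMPLE_EVENTS = [
    (1, "{A1}", "C:\\Windows\\System32\\rundll32.exe",
     'rundll32.exe "C:\\Users\\Public\\Runner.dll",Main'),
    (7, "{A1}", "C:\\Windows\\System32\\rundll32.exe",
     "C:\\Windows\\System32\\mscoree.dll"),
    (7, "{A1}", "C:\\Windows\\System32\\rundll32.exe",
     "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll"),
    # Benign baseline: a shell32 helper, no CLR loaded.
    (1, "{B2}", "C:\\Windows\\System32\\rundll32.exe",
     "rundll32.exe shell32.dll,Control_RunDLL"),
    (7, "{B2}", "C:\\Windows\\System32\\rundll32.exe",
     "C:\\Windows\\System32\\shell32.dll"),
    # An unrelated managed process loading the CLR is normal and must not fire.
    (7, "{C3}", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll"),
]

CLR_MODULES = {"mscoree.dll", "clr.dll", "clrjit.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# First argument after rundll32[.exe]; the DLL path may be quoted or bare
# and is terminated by the comma that precedes the export name.
DLL_ARG_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,', re.IGNORECASE)


def is_rundll32(image):
    return image.lower().endswith("\\rundll32.exe")


def dll_outside_system_dirs(cmdline):
    """Return the DLL argument if it is a full path outside the system dirs, else None."""
    m = DLL_ARG_RE.search(cmdline)
    if not m:
        return None
    dll = m.group(1).strip()
    low = dll.lower()
    if "\\" not in low:  # bare name such as shell32.dll resolves via the search path
        return None
    if low.startswith(SYSTEM_DIRS):
        return None
    return dll


def analyze(events):
    """Group events by ProcessGuid; return {guid: [reasons]} for suspicious rundll32 hosts."""
    per_proc = defaultdict(lambda: {"image": None, "cmdline": None, "loaded": set()})
    for event_id, guid, image, detail in events:
        rec = per_proc[guid]
        rec["image"] = image
        if event_id == 1:
            rec["cmdline"] = detail
        elif event_id == 7:
            rec["loaded"].add(detail.rsplit("\\", 1)[-1].lower())

    findings = {}
    for guid, rec in per_proc.items():
        if not rec["image"] or not is_rundll32(rec["image"]):
            continue
        reasons = []
        clr = sorted(rec["loaded"] & CLR_MODULES)
        if clr:
            reasons.append("rundll32 loaded .NET runtime: " + ", ".join(clr))
        dll = dll_outside_system_dirs(rec["cmdline"] or "")
        if dll:
            reasons.append("DLL argument outside system dirs: " + dll)
        if reasons:
            findings[guid] = reasons
    return findings


if __name__ == "__main__":
    for guid, reasons in analyze(SAMPLE_EVENTS).items():
        print(guid, "->", "; ".join(reasons))
```

Only the constructed process {A1} is reported, with both reasons; the shell32 helper and the PowerShell host stay quiet. In a real pipeline the same two conditions map directly onto Sysmon or EDR queries, and the image-load signal is the one worth keeping even when the command line is obfuscated.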

It calls back without any problem. I suspect my 360 is acting up and broken, so let me switch machines.


Once again!

Symantec and 360 are no problem; to get past WD (Windows Defender), you can try ConfuserEx[2].


Coming Soon!

References

[1] CSharpSetThreadContext: https://github.com/djhohnstein/CSharpSetThreadContext
[2] ConfuserEx: https://github.com/mkaring/ConfuserEx/
[3] [Tech Share] A new DLL injection technique: SetThreadContext injection: https://www.anquanke.com/post/id/86786


Rambling: the core of this technique is an idea from XPN. https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/

He describes three methods; this tool uses SetThreadContext.

For details, see: [Tech Share] A new DLL injection technique: SetThreadContext injection[3]




QAQ, I can't scrape together 300 characters, so I can't apply for "original" status.

This article was first published on the WeChat official account (RedTeamWing): Shellcode Runner Bypass AV
