Secondary development on Havoc requires reading the previous articles first; thanks to chatAI for sparing me a lot of pain. The environment for secondary development of the beacon (demon) is finally set up. I had considered compiling demon with ollvm to get source-level obfuscation, but after trying it, llvm only causes more pain. I have not tested whether demon can be compiled with llvm, because llvm itself is very hard to build successfully, to the point that I do not want to spend any effort on llvm at all. If you have Linux binaries of a compiled ollvm, please share them with me and I will test them right away. Here are the links to the previous articles:
From debugging the teamserver I found that demon is compiled entirely from the command line. Since the full command line is very long and would take too much space, I only provide the version that actually works:
/usr/bin/nasm -f win64 src/asm/Spoof.x64.asm -o /tmp/ca501b78d3/381232c2a5.o
/usr/bin/nasm -f win64 src/asm/Syscall.x64.asm -o /tmp/ca501b78d3/18fb5b2891.o
"/root/Havoc_dbg/teamserver_proj/data/x86_64-w64-mingw32-cross/bin/x86_64-w64-mingw32-gcc" src/core/CoffeeLdr.c src/core/Command.c src/core/Dotnet.c src/core/Download.c src/core/HwBpEngine.c src/core/HwBpExceptions.c src/core/Jobs.c src/core/Kerberos.c src/core/Memory.c src/core/MiniStd.c src/core/Obf.c src/core/ObjectApi.c src/core/Package.c src/core/Parser.c src/core/Pivot.c src/core/Runtime.c src/core/Socket.c src/core/Spoof.c src/core/SysNative.c src/core/Syscalls.c src/core/Thread.c src/core/Token.c src/core/Transport.c src/core/TransportHttp.c src/core/TransportSmb.c src/core/Win32.c src/crypt/AesCrypt.c src/inject/Inject.c src/inject/InjectUtil.c /tmp/ca501b78d3/381232c2a5.o /tmp/ca501b78d3/18fb5b2891.o src/Demon.c \
  -Iinclude -nostdlib -mwindows -Os -g -fno-asynchronous-unwind-tables -masm=intel -fno-ident -fpack-struct=8 -falign-functions=1 -ffunction-sections -fdata-sections -falign-jumps=1 -w -falign-labels=1 -fPIC -Wl,--no-seh,--enable-stdcall-fixup,--gc-sections \
-DCONFIG_BYTES={0x02\,0x00\,0x00\,0x00\,0x0f\,0x00\,0x00\,0x00\,0x02\,0x00\,0x00\,0x00\,0x02\,0x00\,0x00\,0x00\,0x40\,0x00\,0x00\,0x00\,0x43\,0x00\,0x3a\,0x00\,0x5c\,0x00\,0x57\,0x00\,0x69\,0x00\,0x6e\,0x00\,0x64\,0x00\,0x6f\,0x00\,0x77\,0x00\,0x73\,0x00\,0x5c\,0x00\,0x53\,0x00\,0x79\,0x00\,0x73\,0x00\,0x74\,0x00\,0x65\,0x00\,0x6d\,0x00\,0x33\,0x00\,0x32\,0x00\,0x5c\,0x00\,0x6e\,0x00\,0x6f\,0x00\,0x74\,0x00\,0x65\,0x00\,0x70\,0x00\,0x61\,0x00\,0x64\,0x00\,0x2e\,0x00\,0x65\,0x00\,0x78\,0x00\,0x65\,0x00\,0x00\,0x00\,0x40\,0x00\,0x00\,0x00\,0x43\,0x00\,0x3a\,0x00\,0x5c\,0x00\,0x57\,0x00\,0x69\,0x00\,0x6e\,0x00\,0x64\,0x00\,0x6f\,0x00\,0x77\,0x00\,0x73\,0x00\,0x5c\,0x00\,0x53\,0x00\,0x79\,0x00\,0x73\,0x00\,0x57\,0x00\,0x4f\,0x00\,0x57\,0x00\,0x36\,0x00\,0x34\,0x00\,0x5c\,0x00\,0x6e\,0x00\,0x6f\,0x00\,0x74\,0x00\,0x65\,0x00\,0x70\,0x00\,0x61\,0x00\,0x64\,0x00\,0x2e\,0x00\,0x65\,0x00\,0x78\,0x00\,0x65\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x0a\,0x00\,0x00\,0x00\,0x50\,0x00\,0x4f\,0x00\,0x53\,0x00\,0x54\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x01\,0x00\,0x00\,0x00\,0x1e\,0x00\,0x00\,0x00\,0x31\,0x00\,0x39\,0x00\,0x32\,0x00\,0x2e\,0x00\,0x31\,0x00\,0x36\,0x00\,0x38\,0x00\,0x2e\,0x00\,0x37\,0x00\,0x32\,0x00\,0x2e\,0x00\,0x31\,0x00\,0x36\,0x00\,0x32\,0x00\,0x00\,0x00\,0xbb\,0x01\,0x00\,0x00\,0x01\,0x00\,0x00\,0x00\,0xdc\,0x00\,0x00\,0x00\,0x4d\,0x00\,0x6f\,0x00\,0x7a\,0x00\,0x69\,0x00\,0x6c\,0x00\,0x6c\,0x00\,0x61\,0x00\,0x2f\,0x00\,0x35\,0x00\,0x2e\,0x00\,0x30\,0x00\,0x20\,0x00\,0x28\,0x00\,0x57\,0x00\,0x69\,0x00\,0x6e\,0x00\,0x64\,0x00\,0x6f\,0x00\,0x77\,0x00\,0x73\,0x00\,0x20\,0x00\,0x4e\,0x00\,0x54\,0x00\,0x20\,0x00\,0x36\,0x00\,0x2e\,0x00\,0x31\,0x00\,0x3b\,0x00\,0x20\,0x00\,0x57\,0x00\,0x4f\,0x00\,0x57\,0x00\,0x36\,0x00\,0x34\,0x00\,0x29\,0x00\,0x20\,0x00\,0x41\,0x00\,0x70
\,0x00\,0x70\,0x00\,0x6c\,0x00\,0x65\,0x00\,0x57\,0x00\,0x65\,0x00\,0x62\,0x00\,0x4b\,0x00\,0x69\,0x00\,0x74\,0x00\,0x2f\,0x00\,0x35\,0x00\,0x33\,0x00\,0x37\,0x00\,0x2e\,0x00\,0x33\,0x00\,0x36\,0x00\,0x20\,0x00\,0x28\,0x00\,0x4b\,0x00\,0x48\,0x00\,0x54\,0x00\,0x4d\,0x00\,0x4c\,0x00\,0x2c\,0x00\,0x20\,0x00\,0x6c\,0x00\,0x69\,0x00\,0x6b\,0x00\,0x65\,0x00\,0x20\,0x00\,0x47\,0x00\,0x65\,0x00\,0x63\,0x00\,0x6b\,0x00\,0x6f\,0x00\,0x29\,0x00\,0x20\,0x00\,0x43\,0x00\,0x68\,0x00\,0x72\,0x00\,0x6f\,0x00\,0x6d\,0x00\,0x65\,0x00\,0x2f\,0x00\,0x39\,0x00\,0x36\,0x00\,0x2e\,0x00\,0x30\,0x00\,0x2e\,0x00\,0x34\,0x00\,0x36\,0x00\,0x36\,0x00\,0x34\,0x00\,0x2e\,0x00\,0x31\,0x00\,0x31\,0x00\,0x30\,0x00\,0x20\,0x00\,0x53\,0x00\,0x61\,0x00\,0x66\,0x00\,0x61\,0x00\,0x72\,0x00\,0x69\,0x00\,0x2f\,0x00\,0x35\,0x00\,0x33\,0x00\,0x37\,0x00\,0x2e\,0x00\,0x33\,0x00\,0x36\,0x00\,0x00\,0x00\,0x01\,0x00\,0x00\,0x00\,0x02\,0x00\,0x00\,0x00\,0x00\,0x00\,0x01\,0x00\,0x00\,0x00\,0x02\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00\,0x00} -DTRANSPORT_HTTP -D MAIN_THREADED -e WinMain src/main/MainExe.c -o /tmp/ca501b78d3/demon.x64.exe
What the build command line above does:
- The first two commands assemble the two assembly sources into binary object files (.o), stored in the /tmp/ca501b78d3/ directory
- Then demon itself is compiled
Notes:
- The directory name /tmp/ca501b78d3/ is generated randomly; the two assembled object files and demon.x64.exe are all stored there
- I made a very simple change so that demon.x64.exe carries debug information; this produces an exe of about 2400 KB (originally 100 KB)
Implementing demon debugging
The principle is the same as the cross-compilation described earlier: you need a copy of the source on both the Windows side and the Linux side (only the Demon folder is required). You can try compiling Demon with the commands above to make sure demon.x64.exe builds correctly.
The commands above are too bulky, so I put them into a script in the directory at the same level as Demon and named it compile. Here is what compile does, in brief:
- mkdir /Demon/.build: create .build under the Demon project folder; it holds nothing but the demon.x64.exe moved into it
- run the build commands above
- move the compiled demon.x64.exe into /Demon/.build/
- delete the tmp (cache) folder generated during the build
Project structure, and how the json files are written:
sftp.json
{
    "name": "KaliServer",
    "host": "192.168.72.162",
    "protocol": "sftp",
    "port": 5022,
    "username": "root",
    "remotePath": "/root/Havoc_dbg/teamserver_proj/payloads/Demon",
    "uploadOnSave": true,
    "useTempFile": false,
    "openSsh": false
}
The configuration above is required for the debug environment; its main job is to keep the code on the Windows side and the Linux side in sync.
launch.json
{
    // Use IntelliSense to learn about possible attributes.
    // Hover to view descriptions of existing attributes.
    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
        {
            "name": "(gdb) 启动",
            "type": "cppdbg",
            "request": "launch",
            "program": "F:/6.phrase_six/Havoc_dbg/teamserver_proj/payloads/Demon/.build/demon.x64.exe",
            "args": [],
            "stopAtEntry": false,
            "cwd": "${fileDirname}",
            "environment": [],
            "externalConsole": false,
            "MIMode": "gdb",
            //"preLaunchTask": "copy_file",
            "miDebuggerPath": "F:/6.phrase_six/GBD/GDB-Windows-Binaries-master/gdb.exe", // gdb path
            "sourceFileMap": {
                "/root/Havoc_dbg/teamserver_proj/payloads/Demon/": "${workspaceFolder}/"
            },
            "setupCommands": [
                {
                    "description": "为 gdb 启用整齐打印",
                    "text": "-enable-pretty-printing",
                    "ignoreFailures": true
                },
                {
                    "description": "将反汇编风格设置为 Intel",
                    "text": "-gdb-set disassembly-flavor intel",
                    "ignoreFailures": true
                }
            ]
        }
    ]
}
The above is the debug configuration; its main points are:
- "program": the path of the binary demon.x64.exe (copying the exe is configured in task.json, shown below)
- //"preLaunchTask": "copy_file": this is the task configured in task.json; I commented it out because recompiling on every debug run takes too long
- "miDebuggerPath": "F:/6.phrase_six/GBD/GDB-Windows-Binaries-master/gdb.exe": the path to gdb (I hope you have downloaded it)
- sourceFileMap: maps the Linux source path to the Windows source path, so that gdb can find the source while debugging
task.json
{
    "version": "2.0.0",
    "tasks": [
        {
            "label": "cross_compile",
            "type": "process",
            "command": "powershell",
            "args": [
                "-Command",
                "ssh -p 9722 [email protected] \"cd /root/Havoc_dbg/teamserver_proj/payloads/Demon && bash -c /root/Havoc_dbg/teamserver_proj/payloads/Demon/compile\""
            ],
            "group": { "kind": "build", "isDefault": true },
            "problemMatcher": ["$gcc"]
        },
        {
            "label": "copy_file",
            "type": "shell",
            "command": "ssh -p 9722 [email protected] \" scp -r /root/Havoc_dbg/teamserver_proj/payloads/Demon/.build/ andy@DESKTOP-T89LSP5:F:/6.phrase_six/Havoc_dbg/teamserver_proj/payloads/Demon/ \" ",
            // "command": "ssh -p 9722 [email protected] \"/root/Havoc_dbg/teamserver_proj/data/x86_64-w64-mingw32-cross/bin/x86_64-w64-mingw32-gcc ~/Havoc_dbg/c_demo/main.c -g -o /tmp/a.exe\" && scp -o StrictHostKeyChecking=no /tmp/a.exe andy@DESKTOP-T89LSP5:F:\\6.phrase_six\\havoc\\c_demo_exe\\.build \" ",
            "dependsOn": "cross_compile", // wait for `task1` to finish before running
            "group": { "kind": "build", "isDefault": true },
            "problemMatcher": ["$gcc"]
        }
    ]
}
The tasks above do the following:
- cross_compile: runs the compile script that lives on the Linux side; Linux builds demon.x64.exe and moves it into the project directory
- copy_file: copies demon.x64.exe from the Linux side to the Windows side
- "dependsOn": "cross_compile": means cross_compile is run before copy_file
Once these three files are configured, you can debug to your heart's content.
From: https://blog.csdn.net/anddddoooo/article/details/141721322