# Beacon加载执行过程
前面粗略的分析了一下stager现在我们来动态调试一下,我也不用啥分析模拟工具了,就一小段也没混淆反调试,直接x32dbg手工走起(随意用啥都行看个人喜好)
shellcode转成exe直接x32dbg打开
断在系统断点后直接F9来到shellcode入口点
F7几次来到第一个call ebp看堆栈我们可以看到loadlibrarya api的哈希值第二个就是loadlibrarya函数的参数wininet,很明显是用来加载wininet.dll的,因为后面需要用到wininet.dll里的函数所以必须要先加载wininet.dll
msf和cs的shellcode基本都是这样来调用win api的有兴趣的可以跟一下,我这里直接向下走到VirtualAlloc
读取完成后直接ret到stage(shellcode)去执行
开始运行接收到的stage(shellcode)
跳过来后,还是一个call pop 将call后面的地址放到ebx里
这个解密出来的stage其实就是Beacon.dll(一个修补过的反射dll)。我们把东西dump出来重建一下看看
dump完了用PE工具查看一下
这个beacon.dll就是核心所在,前面所有的工作都是为了加载执行beacon.dll这个反射dll
关于反射dll的原理请自行谷歌,**反射dll修补技术**可以看我曾经开源的一个项目我这里就不在做详细讲解了\
仅供参考写的比较垃圾
基本上这块就写这么多吧,写的有些匆忙
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://wbglil.gitbook.io/cobalt-strike/cobalt-strike-yuan-li-jie-shao/beacon-jia-zai-zhi-hang-guo-cheng.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.