制作 shellcode 的艰辛旅途
程序代码:
#include "stdafx.h"
#include "windows.h"

/* Offsets below ebp of the slots the inline assembly works on: three hash /
 * address slots, the current module base, its export directory, and the
 * "user32" name built on the stack. */
#define var_MessageBox 4
#define var_ExitProcess 8
#define var_LoadLibrary 12
#define var_DllBase 16
#define var_Export 20
#define var_Libname 28

/*
 * Self-contained resolver stub, written as inline assembly so that the bytes
 * the compiler emits can be lifted out (the second listing on this page) and
 * run without an import table.  It takes a module base from the PEB loader
 * list, walks that module's export name table, hashes every name (ror 7, add
 * byte) and compares it with the constants stored at ebp-12 / ebp-8 / ebp-4;
 * each matched slot is overwritten with the function's address.  Once the
 * MessageBox slot resolves it shows the "user32" string in a message box and
 * calls ExitProcess.
 *
 * From the detection side the fixed hash constants, the fs:[0x30] PEB read,
 * the 0x3c / 0x78 PE-header walk and the ror-7 loop are the recognisable
 * artefacts of this resolver pattern, and none of the APIs it ends up calling
 * appear in the binary's imports.
 *
 * Returns 0 only on the `nofind` fall-through; when every hash resolves,
 * ExitProcess is reached first and the function never returns.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    _asm{
        // Hand-written frame.  NOTE(review): there is no matching epilogue
        // before the block ends, so the nofind fall-through into printf
        // returns through a frame this prologue has not unwound - verify.
        push ebp
        mov ebp,esp
        sub esp,0D4h
        // Name hashes (ror-7 / add over the export name) of the three APIs to
        // resolve; each slot is replaced by the resolved address when found.
        mov dword ptr [ebp-var_MessageBox],0x1e380a6a
        mov dword ptr [ebp-var_ExitProcess],0x4fd18963
        mov dword ptr [ebp-var_LoadLibrary],0xc0d83287
        // "user32\0" built in place at ebp-28: "user" then "32\0\0".
        mov dword ptr [ebp-var_Libname],0x72657375
        mov dword ptr [ebp-24],0x3233
        // PEB walk: fs:[0x30] -> PEB, +0x0c -> Ldr, +0x1c -> head of the
        // InInitializationOrder list, then the second entry; +0x08 of that
        // link is the module's DllBase.
        // NOTE(review): this assumes the second module in initialisation
        // order is kernel32 - that depends on the Windows release, confirm.
        mov eax,fs:[0x30]
        mov eax,[eax+0x0c]
        mov eax,[eax+0x1c]
        mov eax,[eax]
        mov eax,[eax+08h]
        mov [ebp-var_DllBase],eax
        // esi walks the hash slots upward from ebp-12 (LoadLibrary,
        // ExitProcess, MessageBox); lodsd loads the next hash into eax and
        // advances esi, so [esi-4] is always the slot being resolved.
        mov esi,ebp
        sub esi,12
    Find_Next:
        lodsd
        cmp eax,0x1e380a6a
        jne Find_lib_Function
        // The MessageBox hash is reached last, by which time [ebp-12] holds
        // the resolved loader function: load "user32" and make it the new
        // DllBase.  Three arguments are pushed (name, 0, 0); which loader
        // export the hash selects cannot be told from here.
        push 0
        push 0
        mov eax,ebp
        sub eax,28
        push eax
        call [ebp-var_LoadLibrary]
        mov [ebp-var_DllBase],eax
    Find_lib_Function:
        // PE header: e_lfanew at +0x3c, export directory RVA at +0x78 of the
        // NT headers.  ecx = NumberOfNames (+0x18), eax = AddressOfNames
        // (+0x20), both relative to DllBase.
        mov eax,[ebp-var_DllBase]
        add eax,[eax+03ch]
        mov eax,[eax+078h]
        add eax,[ebp-var_DllBase]
        mov [ebp-var_Export],eax
        mov ecx,[eax+018h]
        mov eax,[eax+020h]
        add eax,[ebp-var_DllBase]
        xor edx,edx
    Next_Loop:
        // edx indexes the name table; give up once every name was tried.
        cmp edx,ecx
        jge nofind
        mov edi,[eax]
        add edi,[ebp-var_DllBase]
        xor ebx,ebx
    Get_Hash:
        // ebx = hash of the NUL-terminated export name at edi: rotate right
        // by 7, add the next byte.  eax is saved around the movzx.
        cmp byte ptr [edi],0
        je xxx
        ror ebx,7
        push eax
        movzx eax,byte ptr [edi]
        add ebx,eax
        pop eax
        inc edi
        jmp Get_Hash
    xxx:
        // Compare with the hash lodsd just consumed; otherwise next name.
        cmp ebx,dword ptr [esi-4]
        jz find
        add eax,4
        inc edx
        jmp Next_Loop
    find:
        // Map the name index through AddressOfNameOrdinals (+0x24, 16-bit
        // entries) into AddressOfFunctions (+0x1c, 32-bit RVAs), rebase the
        // result and store it over the hash slot.
        mov eax,[ebp-var_Export]
        mov ecx,[eax+024h]
        add ecx,[ebp-var_DllBase]
        shl edx,1
        add ecx,edx
        movzx ecx,word ptr [ecx]
        shl ecx,2
        mov eax,[eax+01ch]
        add eax,[ebp-var_DllBase]
        add eax,ecx
        mov eax,[eax]
        add eax,[ebp-var_DllBase]
        mov [esi-4],eax
        // Keep resolving until the slot just filled was MessageBox.
        cmp ebx,0x1e380a6a
        jz call_function
        jmp Find_Next
    call_function:
        // MessageBox(0, "user32", 0, 0) followed by ExitProcess(0).
        push 0
        push 0
        mov eax,ebp
        sub eax,28
        push eax
        push 0
        call [ebp-var_MessageBox]
        push 0
        call [ebp-var_ExitProcess]
    nofind:
    }
    printf("hello,word");
    getchar();
    return 0;
}
下面是可运行的shellcode
程序代码:
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>

/*
 * Loader for the bytes produced by the inline-assembly listing above: prints
 * the array size, waits for a key, marks the buffer executable and calls it.
 *
 * What a defender sees here is the textbook pattern - a local (stack) byte
 * array, VirtualProtect to PAGE_EXECUTE_READWRITE on it, then an indirect
 * call into it - which is what DEP/NX and monitoring of VirtualProtect are
 * meant to surface; the stub then resolves its own APIs through the PEB, so
 * those APIs never appear in this binary's import table.
 *
 * Returns 0, but only if the stub itself returns (see the note before pss()).
 */
int main()
{
    byte shellcode[] =
        "\x55\x8B\xEC\x81\xEC\xD4\x00\x00\x00\xC7\x45\xFC\x6A\x0A\x38\x1E\xC7\x45\xF8\x63\x89\xD1\x4F\xC7\x45\xF4\x87\x32\xD8\xC0\xC7\x45"
        "\xE4\x75\x73\x65\x72\xC7\x45\xE8\x33\x32\x00\x00\x64\xA1\x30\x00\x00\x00\x8B\x40\x0C\x8B\x40\x1C\x8B\x00\x8B\x40\x08\x89\x45\xF0"
        "\x8B\xF5\x83\xEE\x0C\xAD\x3D\x6A\x0A\x38\x1E\x75\x10\x6A\x00\x6A\x00\x8B\xC5\x83\xE8\x1C\x50\xFF\x55\xF4\x89\x45\xF0\x8B\x45\xF0"
        "\x03\x40\x3C\x8B\x40\x78\x03\x45\xF0\x89\x45\xEC\x8B\x48\x18\x8B\x40\x20\x03\x45\xF0\x33\xD2\x3B\xD1\x7D\x68\x8B\x38\x03\x7D\xF0"
        "\x33\xDB\x80\x3F\x00\x74\x0D\xC1\xCB\x07\x50\x0F\xB6\x07\x03\xD8\x58\x47\xEB\xEE\x3B\x5E\xFC\x74\x06\x83\xC0\x04\x42\xEB\xD8\x8B"
        "\x45\xEC\x8B\x48\x24\x03\x4D\xF0\xD1\xE2\x03\xCA\x0F\xB7\x09\xC1\xE1\x02\x8B\x40\x1C\x03\x45\xF0\x03\xC1\x8B\x00\x03\x45\xF0\x89"
        "\x46\xFC\x81\xFB\x6A\x0A\x38\x1E\x74\x05\xE9\x76\xFF\xFF\xFF\x6A\x00\x6A\x00\x8B\xC5\x83\xE8\x1C\x50\x6A\x00\xFF\x55\xFC\x6A\x00"
        "\xFF\x55\xF8";
    // NOTE(review): "/n" is a literal slash-n rather than a newline, and %d
    // is paired with a size_t; neither affects what runs.
    printf("size of shellcode: %d/n", sizeof(shellcode));
    system("pause");
    byte *bCall=shellcode;
    DWORD dwOld=0;
    // NOTE(review): sizeof(bCall) is the size of a pointer, not of the array,
    // so only 4 bytes are requested; the whole buffer ends up covered only
    // because VirtualProtect works at page granularity.  The return value is
    // not checked either.
    VirtualProtect(bCall,sizeof(bCall),PAGE_EXECUTE_READWRITE,&dwOld);
    typedef void (WINAPI *pGGCall)();
    pGGCall pss=(pGGCall)&shellcode[0];
    // Control transfers into the buffer.  The stub ends with ExitProcess, so
    // this returns only when an export name fails to hash-match.
    // NOTE(review): by my count the `7D 68` (jge nofind) displacement in the
    // fourth literal reaches exactly one past the last byte of the array, so
    // that failure path executes whatever follows the buffer on the stack -
    // confirm against the assembly listing.
    pss();
    return 0;
}