補充:編寫shellcode時visualstudio的典型設置
編寫這篇博客的目的:
中級上項目 MessageBox 監視器需要編寫 shellcode,三期沒有講,于是補充學習了這部分知識。
一、ShellCode的定義和應用場景
Shellcode是不依賴環境,放到任何地方都可以執行的機器碼。
shellcode的應用場景很多,本文不研究shellcode的具體應用,而只是研究編寫一個shellcode需要掌握哪些知識。
二、ShellCode編寫原則
1、不能有全局變量
因為我們編寫shellcode時,使用的全局變量是自己的進程里面的全局變量,注入到別的進程里,這個地址就沒用了。
2、不能使用常量字符串
和第一點原因一樣,字符串常量值也是全局變量,注入到別的進程里,根本沒有這個字符串。
要使用字符串,請使用字符數組。
// A stack array, not a pointer into .rdata: the bytes are stored into the
// function's own frame at run time, so nothing outside the function is referenced.
char s[] = {'1','2',0};
3、不能直接調用系統函數
調用系統函數的方式是間接調用(FF15),需要從IAT表里獲取API地址,每個進程的IAT表位置不同,且對方的進程可能沒有導入你需要調用的函數的DLL,那么你是不能調用這個系統函數的。
所以我們需要用到 LoadLibrary 和 GetProcAddress 這兩個函數,來動態獲取系統API的函數指針。
但是 LoadLibrary,GetProcAddress 本身就是系統函數,它們本身就依賴IAT表,咋辦呢?
解決方案是這樣的:通過FS:[0x30] 找到PEB,然后通過PEB里的LDR鏈表 [PEB+0x0C]找到 kernel32.dll 的地址,然后我們遍歷它的導出表(EAT),找到 LoadLibrary 和 GetProcAddress 函數。
4、不能嵌套調用其他函數
和前兩點道理是一樣的,本進程里的函數地址,拿到別的進程的虛擬地址空間是無效的。
三、編寫Shellcode
下面通過一段程序,演示編寫一個shellcode函數,函數里調用 MessageBoxA 打印。
因為很多時候,shellcode都是用來注入的,所以我的代碼把shellcode函數定義成線程函數的形式了。
#include "stdafx.h"
#include <Windows.h>
// Kept as macros on purpose: a shellcode function may not call helper
// functions (rule 4 in section 二), so case folding has to expand inline.
// Each evaluates x more than once; the callers only pass `*p`, so that is
// harmless. TOLOWER is not used by the listings below.
#define TOUPPER(x) ((((x)>='a')&&((x)<='z'))?((x)-32):(x))
#define TOLOWER(x) ((((x)>='A')&&((x)<='Z'))?((x)+32):(x))

// Hand-declared copies of the undocumented ntdll loader structures
// (winternl.h is not included). ShellCode reads these by offset, so the
// member order and sizes must match the 32-bit loader layout exactly.
typedef struct _UNICODE_STRING
{
    USHORT Length;          // byte count, not character count
    USHORT MaximumLength;
    PWSTR Buffer;           // UTF-16LE, not necessarily NUL-terminated
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _PEB_LDR_DATA
{
    DWORD Length;
    // Declared bool here (this compiles as C++, see stdafx.h); the loader's
    // field is a 1-byte BOOLEAN, and the following PVOID is 4-aligned either
    // way, so the offsets still line up.
    bool Initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;            // the list ShellCode walks
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _LDR_DATA_TABLE_ENTRY
{
    // Must stay the first member: ShellCode casts the list head and the
    // Flink pointers straight to PLDR_DATA_TABLE_ENTRY.
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;                  // module base, used as HMODULE
    PVOID EntryPoint;
    UINT32 SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;     // compared against "kernel32.dll"
    // Members below BaseDllName are not read by the listings on this page.
    UINT32 Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    LIST_ENTRY HashLinks;
    PVOID SectionPointer;
    UINT32 CheckSum;
    UINT32 TimeDateStamp;
    PVOID LoadedImports;
    PVOID EntryPointActivationContext;
    PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

// Same signature as LoadLibraryA.
typedef HMODULE (WINAPI * PLOADLIBRARYA)(LPCSTR);
// GetProcAddress declared with a DWORD return instead of FARPROC; the result
// is always cast to another function-pointer type, which only round-trips
// because pointers are 32 bits here (x86-32 only, like the rest of the page).
typedef DWORD (WINAPI * PGETPROCADDRESS)(HMODULE, LPCSTR);
// MessageBoxA(hWnd, text, caption, type), declared with a DWORD return
// instead of int; both are 32-bit, so the cast in ShellCode is harmless.
typedef DWORD (WINAPI * PMESSAGEBOXA)(HWND, LPCSTR, LPCSTR, UINT);
DWORD WINAPI ShellCode(LPVOID lpThreadParameter);

// Test driver for the in-process case: ShellCode is run as a thread routine
// so the very same function can later be handed to CreateRemoteThread.
// The thread handle is never closed and the return value is not checked.
int main(int argc, char* argv[])
{
    CreateThread(0, 0, ShellCode, 0, 0, 0);
    getchar();   // keep the process alive until the message box has been shown
    return 0;
}

// Position-independent thread routine that shows a message box without any
// import, relocation, global or string-literal reference (the four rules in
// section 二). It touches only its own frame, the PEB reached via fs:[0x30]
// (x86-32 only) and the export directory of the mapped kernel32.dll; every
// API pointer is resolved by hand. Walking the PEB loader list and parsing
// an export table from user code is the well-known "PEB walk" pattern that
// static rules and memory scanners commonly look for.
//
// lpThreadParameter: unused.
// Returns 0 on success, 1 if kernel32.dll was not found in the load-order
// list. If "GetProcAddress" is not found in the export table, pGetProcAddress
// stays NULL and the call near the end dereferences it; pLoadLibraryA and
// hUser32 are likewise never checked.
DWORD WINAPI ShellCode(LPVOID lpThreadParameter)
{
    HMODULE hKernel32 = NULL;
    HMODULE hUser32 = NULL;
    PGETPROCADDRESS pGetProcAddress = NULL;
    PLOADLIBRARYA pLoadLibraryA = NULL;
    PMESSAGEBOXA pMessageBoxA = NULL;
    PPEB_LDR_DATA pLDR = NULL;
    PLDR_DATA_TABLE_ENTRY pLdteHead;
    PLDR_DATA_TABLE_ENTRY pLdteCur;
    BOOL bEqual = FALSE;
    // Strings are char arrays so the compiler materialises them with stores
    // into the frame (the 0xC6 0x45 .. "mov byte ptr [ebp+x], imm8" runs in
    // the hex dump of section 四) instead of referencing .rdata.
    // szKernel32 is UTF-16LE because BaseDllName is a UNICODE_STRING; the
    // others are ANSI because export names, LoadLibraryA and MessageBoxA are.
    char szKernel32[] = {'k',0,'e',0,'r',0,'n',0,'e',0,'l',0,'3',0,'2',0,'.',0,'d',0,'l',0,'l',0,0,0};
    char szUser32[] = {'u','s','e','r','3','2','.','d','l','l',0};
    char szGetProcAddress[] = {'G','e','t','P','r','o','c','A','d','d','r','e','s','s',0};
    char szLoadLibrary[] = {'L','o','a','d','L','i','b','r','a','r','y','A',0};
    char szMessageBoxA[] = {'M','e','s','s','a','g','e','B','o','x','A',0};
    char szHelloShellCode[] = {'H','e','l','l','o','S','h','e','l','l','C','o','d','e',0};
    // x86-32: fs:[0x30] is TEB.ProcessEnvironmentBlock, PEB+0x0C is PEB.Ldr.
    __asm
    {
        mov eax, fs:[0x30]
        mov eax, [eax+0x0C]
        mov pLDR, eax
    }
    // The list head is cast to an entry pointer; this only works because
    // InLoadOrderLinks is the first member (offset 0) of LDR_DATA_TABLE_ENTRY.
    pLdteHead = (PLDR_DATA_TABLE_ENTRY)(&pLDR->InLoadOrderModuleList);
    pLdteCur = (PLDR_DATA_TABLE_ENTRY)(pLdteHead->InLoadOrderLinks.Flink);
    // Walk the in-load-order module list until an entry named kernel32.dll.
    do {
        // Same value as pLdteCur (the links sit at offset 0); unused afterwards.
        PLDR_DATA_TABLE_ENTRY pLdte = CONTAINING_RECORD(pLdteCur, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        char *p1 = szKernel32;
        char *p2 = (char*)pLdteCur->BaseDllName.Buffer;
        bEqual = FALSE;
        // Case-insensitive compare of UTF-16 code units: the terminator test
        // looks at the whole WORD, but TOUPPER only sees the low byte of each
        // unit (sufficient for the ASCII name expected here). A length
        // mismatch is caught because a 0 byte never equals a letter.
        while (1){
            if (*(PWORD)p1 == 0 && *(PWORD)p2 == 0){
                bEqual = TRUE;
                break;
            }
            if (TOUPPER(*p1) != TOUPPER(*p2)){
                break;
            }
            p1 += 2;
            p2 += 2;
        }
        if (bEqual){
            hKernel32 = (HMODULE)pLdteCur->DllBase;
            break;
        }
        pLdteCur = (PLDR_DATA_TABLE_ENTRY)pLdteCur->InLoadOrderLinks.Flink;
    } while (pLdteHead != pLdteCur);
    if (hKernel32 != NULL){
        // Parse the PE headers of the mapped kernel32 image by hand. The
        // IMAGE_OPTIONAL_HEADER32 type and the DWORD pointer casts make this
        // 32-bit only. pNTHeader and pSectionHeader are computed but unused.
        PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hKernel32;
        PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + pDosHeader->e_lfanew);
        // e_lfanew + 4 skips the "PE\0\0" signature.
        PIMAGE_FILE_HEADER pPEHeader = (PIMAGE_FILE_HEADER)((DWORD)pDosHeader + pDosHeader->e_lfanew + 4);
        PIMAGE_OPTIONAL_HEADER32 pOptionHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pPEHeader + sizeof(IMAGE_FILE_HEADER));
        PIMAGE_SECTION_HEADER pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pPEHeader->SizeOfOptionalHeader);
        // DataDirectory[0] is IMAGE_DIRECTORY_ENTRY_EXPORT; the three RVA
        // tables below are rebased against the actual module base.
        PIMAGE_EXPORT_DIRECTORY pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD)hKernel32 + pOptionHeader->DataDirectory[0].VirtualAddress);
        PDWORD AddressOfFunctions = (PDWORD)((DWORD)hKernel32 + pExportDirectory->AddressOfFunctions);
        PDWORD AddressOfNames = (PDWORD)((DWORD)hKernel32 + pExportDirectory->AddressOfNames);
        PWORD AddressOfNameOridinals = (PWORD)((DWORD)hKernel32 + pExportDirectory->AddressOfNameOrdinals);
        int i;
        // Linear, case-sensitive scan of the export name table for
        // "GetProcAddress". There is no break after a match, so the loop
        // always visits all NumberOfNames entries.
        for (i = 0; i < (int)pExportDirectory->NumberOfNames; i++){
            char *p1 = szGetProcAddress;
            char *p2 = (char *)((DWORD)hKernel32 + AddressOfNames[i]);
            bEqual = FALSE;
            while (1){
                if (*p1 == 0 && *p2 == 0){
                    bEqual = TRUE;
                    break;
                }
                if (*p1 != *p2){
                    break;
                }
                p1++;
                p2++;
            }
            if (bEqual){
                // NOTE(review): the function RVA is added to the optional
                // header's ImageBase rather than to hKernel32 as in the lines
                // above; the two only agree if the mapped header's ImageBase
                // reflects the actual load address.
                pGetProcAddress = (PGETPROCADDRESS)(AddressOfFunctions[AddressOfNameOridinals[i]] + pOptionHeader->ImageBase);
            }
        }
    }else{
        return 1;
    }
    // From here on the regular API is used, but through the hand-resolved
    // pointers. Loading user32.dll from here shows up in image-load telemetry
    // like any other module load.
    pLoadLibraryA = (PLOADLIBRARYA)pGetProcAddress(hKernel32, szLoadLibrary);
    hUser32 = pLoadLibraryA(szUser32);
    pMessageBoxA = (PMESSAGEBOXA)pGetProcAddress(hUser32, szMessageBoxA);
    pMessageBoxA(0, szHelloShellCode, 0, MB_OK);
    return 0;
}
四、關閉運行時檢查生成純凈ShellCode
上一節編寫的shellcode能在本進程運行,但是這就完成了嗎?
為了測試生成的shellcode是否真的能夠在任意環境下運行,我們首先看一下生成的匯編:
vs2010
vc6
我本以為只有vs會生成堆棧檢查代碼,沒想到VC6也有。保留這些代碼,我們的shellcode肯定會出錯。
下面介紹VS怎么關閉運行時檢查:
重新生成完成后,看,代碼變得非常清爽:
把函數硬編碼提取出來:
unsigned char ShellCodebuff
[] = {0x55, 0x8B, 0xEC, 0x81, 0xEC, 0x0C, 0x01, 0x00, 0x00, 0x53, 0x56, 0x57, 0xC7, 0x45, 0xFC, 0x00,0x00, 0x00, 0x00, 0xC7, 0x45, 0xF8, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xF4, 0x00, 0x00, 0x00,0x00, 0xC7, 0x45, 0xF0, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xEC, 0x00, 0x00, 0x00, 0x00, 0xC7,0x45, 0xE8, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xDC, 0x00, 0x00, 0x00, 0x00, 0xC6, 0x45, 0xC0,0x6B, 0xC6, 0x45, 0xC1, 0x00, 0xC6, 0x45, 0xC2, 0x65, 0xC6, 0x45, 0xC3, 0x00, 0xC6, 0x45, 0xC4,0x72, 0xC6, 0x45, 0xC5, 0x00, 0xC6, 0x45, 0xC6, 0x6E, 0xC6, 0x45, 0xC7, 0x00, 0xC6, 0x45, 0xC8,0x65, 0xC6, 0x45, 0xC9, 0x00, 0xC6, 0x45, 0xCA, 0x6C, 0xC6, 0x45, 0xCB, 0x00, 0xC6, 0x45, 0xCC,0x33, 0xC6, 0x45, 0xCD, 0x00, 0xC6, 0x45, 0xCE, 0x32, 0xC6, 0x45, 0xCF, 0x00, 0xC6, 0x45, 0xD0,0x2E, 0xC6, 0x45, 0xD1, 0x00, 0xC6, 0x45, 0xD2, 0x64, 0xC6, 0x45, 0xD3, 0x00, 0xC6, 0x45, 0xD4,0x6C, 0xC6, 0x45, 0xD5, 0x00, 0xC6, 0x45, 0xD6, 0x6C, 0xC6, 0x45, 0xD7, 0x00, 0xC6, 0x45, 0xD8,0x00, 0xC6, 0x45, 0xD9, 0x00, 0xC6, 0x45, 0xB4, 0x75, 0xC6, 0x45, 0xB5, 0x73, 0xC6, 0x45, 0xB6,0x65, 0xC6, 0x45, 0xB7, 0x72, 0xC6, 0x45, 0xB8, 0x33, 0xC6, 0x45, 0xB9, 0x32, 0xC6, 0x45, 0xBA,0x2E, 0xC6, 0x45, 0xBB, 0x64, 0xC6, 0x45, 0xBC, 0x6C, 0xC6, 0x45, 0xBD, 0x6C, 0xC6, 0x45, 0xBE,0x00, 0xC6, 0x45, 0xA4, 0x47, 0xC6, 0x45, 0xA5, 0x65, 0xC6, 0x45, 0xA6, 0x74, 0xC6, 0x45, 0xA7,0x50, 0xC6, 0x45, 0xA8, 0x72, 0xC6, 0x45, 0xA9, 0x6F, 0xC6, 0x45, 0xAA, 0x63, 0xC6, 0x45, 0xAB,0x41, 0xC6, 0x45, 0xAC, 0x64, 0xC6, 0x45, 0xAD, 0x64, 0xC6, 0x45, 0xAE, 0x72, 0xC6, 0x45, 0xAF,0x65, 0xC6, 0x45, 0xB0, 0x73, 0xC6, 0x45, 0xB1, 0x73, 0xC6, 0x45, 0xB2, 0x00, 0xC6, 0x45, 0x94,0x4C, 0xC6, 0x45, 0x95, 0x6F, 0xC6, 0x45, 0x96, 0x61, 0xC6, 0x45, 0x97, 0x64, 0xC6, 0x45, 0x98,0x4C, 0xC6, 0x45, 0x99, 0x69, 0xC6, 0x45, 0x9A, 0x62, 0xC6, 0x45, 0x9B, 0x72, 0xC6, 0x45, 0x9C,0x61, 0xC6, 0x45, 0x9D, 0x72, 0xC6, 0x45, 0x9E, 0x79, 0xC6, 0x45, 0x9F, 0x41, 0xC6, 0x45, 0xA0,0x00, 0xC6, 0x45, 0x88, 0x4D, 0xC6, 0x45, 0x89, 0x65, 0xC6, 0x45, 0x8A, 0x73, 0xC6, 0x45, 
0x8B,0x73, 0xC6, 0x45, 0x8C, 0x61, 0xC6, 0x45, 0x8D, 0x67, 0xC6, 0x45, 0x8E, 0x65, 0xC6, 0x45, 0x8F,0x42, 0xC6, 0x45, 0x90, 0x6F, 0xC6, 0x45, 0x91, 0x78, 0xC6, 0x45, 0x92, 0x41, 0xC6, 0x45, 0x93,0x00, 0xC6, 0x85, 0x78, 0xFF, 0xFF, 0xFF, 0x48, 0xC6, 0x85, 0x79, 0xFF, 0xFF, 0xFF, 0x65, 0xC6,0x85, 0x7A, 0xFF, 0xFF, 0xFF, 0x6C, 0xC6, 0x85, 0x7B, 0xFF, 0xFF, 0xFF, 0x6C, 0xC6, 0x85, 0x7C,0xFF, 0xFF, 0xFF, 0x6F, 0xC6, 0x85, 0x7D, 0xFF, 0xFF, 0xFF, 0x53, 0xC6, 0x85, 0x7E, 0xFF, 0xFF,0xFF, 0x68, 0xC6, 0x85, 0x7F, 0xFF, 0xFF, 0xFF, 0x65, 0xC6, 0x45, 0x80, 0x6C, 0xC6, 0x45, 0x81,0x6C, 0xC6, 0x45, 0x82, 0x43, 0xC6, 0x45, 0x83, 0x6F, 0xC6, 0x45, 0x84, 0x64, 0xC6, 0x45, 0x85,0x65, 0xC6, 0x45, 0x86, 0x00, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x0C, 0x89, 0x45,0xE8, 0x8B, 0x45, 0xE8, 0x83, 0xC0, 0x0C, 0x89, 0x45, 0xE4, 0x8B, 0x45, 0xE4, 0x8B, 0x08, 0x89,0x4D, 0xE0, 0x8B, 0x45, 0xE0, 0x89, 0x85, 0x74, 0xFF, 0xFF, 0xFF, 0x8D, 0x45, 0xC0, 0x89, 0x85,0x70, 0xFF, 0xFF, 0xFF, 0x8B, 0x45, 0xE0, 0x8B, 0x48, 0x30, 0x89, 0x8D, 0x6C, 0xFF, 0xFF, 0xFF,0xC7, 0x45, 0xDC, 0x00, 0x00, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x0F, 0x84,0xD7, 0x00, 0x00, 0x00, 0x8B, 0x85, 0x70, 0xFF, 0xFF, 0xFF, 0x0F, 0xB7, 0x08, 0x85, 0xC9, 0x75,0x19, 0x8B, 0x85, 0x6C, 0xFF, 0xFF, 0xFF, 0x0F, 0xB7, 0x08, 0x85, 0xC9, 0x75, 0x0C, 0xC7, 0x45,0xDC, 0x01, 0x00, 0x00, 0x00, 0xE9, 0xB1, 0x00, 0x00, 0x00, 0x8B, 0x85, 0x70, 0xFF, 0xFF, 0xFF,0x0F, 0xBE, 0x08, 0x83, 0xF9, 0x61, 0x7C, 0x22, 0x8B, 0x95, 0x70, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE,0x02, 0x83, 0xF8, 0x7A, 0x7F, 0x14, 0x8B, 0x8D, 0x70, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE, 0x11, 0x83,0xEA, 0x20, 0x89, 0x95, 0xF8, 0xFE, 0xFF, 0xFF, 0xEB, 0x0F, 0x8B, 0x85, 0x70, 0xFF, 0xFF, 0xFF,0x0F, 0xBE, 0x08, 0x89, 0x8D, 0xF8, 0xFE, 0xFF, 0xFF, 0x8B, 0x95, 0x6C, 0xFF, 0xFF, 0xFF, 0x0F,0xBE, 0x02, 0x83, 0xF8, 0x61, 0x7C, 0x22, 0x8B, 0x8D, 0x6C, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE, 0x11,0x83, 0xFA, 0x7A, 0x7F, 0x14, 0x8B, 0x85, 0x6C, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE, 0x08, 0x83, 
0xE9,0x20, 0x89, 0x8D, 0xF4, 0xFE, 0xFF, 0xFF, 0xEB, 0x0F, 0x8B, 0x95, 0x6C, 0xFF, 0xFF, 0xFF, 0x0F,0xBE, 0x02, 0x89, 0x85, 0xF4, 0xFE, 0xFF, 0xFF, 0x8B, 0x8D, 0xF8, 0xFE, 0xFF, 0xFF, 0x3B, 0x8D,0xF4, 0xFE, 0xFF, 0xFF, 0x74, 0x02, 0xEB, 0x23, 0x8B, 0x85, 0x70, 0xFF, 0xFF, 0xFF, 0x83, 0xC0,0x02, 0x89, 0x85, 0x70, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x6C, 0xFF, 0xFF, 0xFF, 0x83, 0xC0, 0x02,0x89, 0x85, 0x6C, 0xFF, 0xFF, 0xFF, 0xE9, 0x1C, 0xFF, 0xFF, 0xFF, 0x83, 0x7D, 0xDC, 0x00, 0x74,0x0B, 0x8B, 0x45, 0xE0, 0x8B, 0x48, 0x18, 0x89, 0x4D, 0xFC, 0xEB, 0x14, 0x8B, 0x45, 0xE0, 0x8B,0x08, 0x89, 0x4D, 0xE0, 0x8B, 0x45, 0xE4, 0x3B, 0x45, 0xE0, 0x0F, 0x85, 0xD2, 0xFE, 0xFF, 0xFF,0x83, 0x7D, 0xFC, 0x00, 0x0F, 0x84, 0x92, 0x01, 0x00, 0x00, 0x8B, 0x45, 0xFC, 0x89, 0x85, 0x68,0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x68, 0xFF, 0xFF, 0xFF, 0x8B, 0x8D, 0x68, 0xFF, 0xFF, 0xFF, 0x03,0x48, 0x3C, 0x89, 0x8D, 0x64, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x68, 0xFF, 0xFF, 0xFF, 0x8B, 0x48,0x3C, 0x8B, 0x95, 0x68, 0xFF, 0xFF, 0xFF, 0x8D, 0x44, 0x0A, 0x04, 0x89, 0x85, 0x60, 0xFF, 0xFF,0xFF, 0x8B, 0x85, 0x60, 0xFF, 0xFF, 0xFF, 0x83, 0xC0, 0x14, 0x89, 0x85, 0x5C, 0xFF, 0xFF, 0xFF,0x8B, 0x85, 0x60, 0xFF, 0xFF, 0xFF, 0x0F, 0xB7, 0x48, 0x10, 0x03, 0x8D, 0x5C, 0xFF, 0xFF, 0xFF,0x89, 0x8D, 0x58, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x5C, 0xFF, 0xFF, 0xFF, 0x8B, 0x4D, 0xFC, 0x03,0x48, 0x60, 0x89, 0x8D, 0x54, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x54, 0xFF, 0xFF, 0xFF, 0x8B, 0x4D,0xFC, 0x03, 0x48, 0x1C, 0x89, 0x8D, 0x50, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x54, 0xFF, 0xFF, 0xFF,0x8B, 0x4D, 0xFC, 0x03, 0x48, 0x20, 0x89, 0x8D, 0x4C, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x54, 0xFF,0xFF, 0xFF, 0x8B, 0x4D, 0xFC, 0x03, 0x48, 0x24, 0x89, 0x8D, 0x48, 0xFF, 0xFF, 0xFF, 0xC7, 0x85,0x44, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0F, 0x8B, 0x85, 0x44, 0xFF, 0xFF, 0xFF,0x83, 0xC0, 0x01, 0x89, 0x85, 0x44, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x54, 0xFF, 0xFF, 0xFF, 0x8B,0x8D, 0x44, 0xFF, 0xFF, 0xFF, 0x3B, 0x48, 0x18, 0x0F, 0x8D, 0xBC, 0x00, 0x00, 0x00, 0x8D, 
0x45,0xA4, 0x89, 0x85, 0x40, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x44, 0xFF, 0xFF, 0xFF, 0x8B, 0x8D, 0x4C,0xFF, 0xFF, 0xFF, 0x8B, 0x55, 0xFC, 0x03, 0x14, 0x81, 0x89, 0x95, 0x3C, 0xFF, 0xFF, 0xFF, 0xC7,0x45, 0xDC, 0x00, 0x00, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x74, 0x5B, 0x8B,0x85, 0x40, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE, 0x08, 0x85, 0xC9, 0x75, 0x16, 0x8B, 0x85, 0x3C, 0xFF,0xFF, 0xFF, 0x0F, 0xBE, 0x08, 0x85, 0xC9, 0x75, 0x09, 0xC7, 0x45, 0xDC, 0x01, 0x00, 0x00, 0x00,0xEB, 0x38, 0x8B, 0x85, 0x40, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE, 0x08, 0x8B, 0x95, 0x3C, 0xFF, 0xFF,0xFF, 0x0F, 0xBE, 0x02, 0x3B, 0xC8, 0x74, 0x02, 0xEB, 0x20, 0x8B, 0x85, 0x40, 0xFF, 0xFF, 0xFF,0x83, 0xC0, 0x01, 0x89, 0x85, 0x40, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x3C, 0xFF, 0xFF, 0xFF, 0x83,0xC0, 0x01, 0x89, 0x85, 0x3C, 0xFF, 0xFF, 0xFF, 0xEB, 0x9C, 0x83, 0x7D, 0xDC, 0x00, 0x74, 0x25,0x8B, 0x85, 0x44, 0xFF, 0xFF, 0xFF, 0x8B, 0x8D, 0x48, 0xFF, 0xFF, 0xFF, 0x0F, 0xB7, 0x14, 0x41,0x8B, 0x85, 0x50, 0xFF, 0xFF, 0xFF, 0x8B, 0x0C, 0x90, 0x8B, 0x95, 0x5C, 0xFF, 0xFF, 0xFF, 0x03,0x4A, 0x1C, 0x89, 0x4D, 0xF4, 0xE9, 0x20, 0xFF, 0xFF, 0xFF, 0xEB, 0x07, 0xB8, 0x01, 0x00, 0x00,0x00, 0xEB, 0x38, 0x8D, 0x45, 0x94, 0x50, 0x8B, 0x4D, 0xFC, 0x51, 0xFF, 0x55, 0xF4, 0x89, 0x45,0xF0, 0x8D, 0x45, 0xB4, 0x50, 0xFF, 0x55, 0xF0, 0x89, 0x45, 0xF8, 0x8D, 0x45, 0x88, 0x50, 0x8B,0x4D, 0xF8, 0x51, 0xFF, 0x55, 0xF4, 0x89, 0x45, 0xEC, 0x6A, 0x00, 0x6A, 0x00, 0x8D, 0x85, 0x78,0xFF, 0xFF, 0xFF, 0x50, 0x6A, 0x00, 0xFF, 0x55, 0xEC, 0x33, 0xC0, 0x5F, 0x5E, 0x5B, 0x8B, 0xE5,0x5D, 0xC2, 0x04, 0x00};
現在,我開一個虛擬機,在里面起一個vc6,調用這段硬編碼:
五、注入Shellcode到其他進程
下面直接給出程序代碼,因為比較簡單,都是API,就不多做解釋了。
注意,如果你在win10上測試,需要提升調試權限,以管理員身份運行,且目標進程必須是32位的(shellcode 通過 fs:[0x30] 和 IMAGE_OPTIONAL_HEADER32 解析,只適用於32位進程)。
#include "stdafx.h"
#include <Windows.h>
// Kept as macros on purpose: a shellcode function may not call helper
// functions (rule 4 in section 二), so case folding has to expand inline.
// Each evaluates x more than once; the callers only pass `*p`, so that is
// harmless. TOLOWER is not used by the listings below.
#define TOUPPER(x) ((((x)>='a')&&((x)<='z'))?((x)-32):(x))
#define TOLOWER(x) ((((x)>='A')&&((x)<='Z'))?((x)+32):(x))

// Hand-declared copies of the undocumented ntdll loader structures
// (winternl.h is not included). ShellCode reads these by offset, so the
// member order and sizes must match the 32-bit loader layout exactly.
typedef struct _UNICODE_STRING
{
    USHORT Length;          // byte count, not character count
    USHORT MaximumLength;
    PWSTR Buffer;           // UTF-16LE, not necessarily NUL-terminated
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _PEB_LDR_DATA
{
    DWORD Length;
    // Declared bool here (this compiles as C++, see stdafx.h); the loader's
    // field is a 1-byte BOOLEAN, and the following PVOID is 4-aligned either
    // way, so the offsets still line up.
    bool Initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;            // the list ShellCode walks
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _LDR_DATA_TABLE_ENTRY
{
    // Must stay the first member: ShellCode casts the list head and the
    // Flink pointers straight to PLDR_DATA_TABLE_ENTRY.
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;                  // module base, used as HMODULE
    PVOID EntryPoint;
    UINT32 SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;     // compared against "kernel32.dll"
    // Members below BaseDllName are not read by the listings on this page.
    UINT32 Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    LIST_ENTRY HashLinks;
    PVOID SectionPointer;
    UINT32 CheckSum;
    UINT32 TimeDateStamp;
    PVOID LoadedImports;
    PVOID EntryPointActivationContext;
    PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

// Same signature as LoadLibraryA.
typedef HMODULE (WINAPI * PLOADLIBRARYA)(LPCSTR);
// GetProcAddress declared with a DWORD return instead of FARPROC; the result
// is always cast to another function-pointer type, which only round-trips
// because pointers are 32 bits here (x86-32 only, like the rest of the page).
typedef DWORD (WINAPI * PGETPROCADDRESS)(HMODULE, LPCSTR);
typedef DWORD
(WINAPI
* PMESSAGEBOXA
)(HWND
, LPCSTR
,LPCSTR
,UINT
);DWORD WINAPI
ShellCode(PVOID lpThreadParameter
);void PrintHexArray(PVOID startAddr
, size_t nBytes
);unsigned char ShellCodebuff
[] = {0x55, 0x8B, 0xEC, 0x81, 0xEC, 0x0C, 0x01, 0x00, 0x00, 0x53, 0x56, 0x57, 0xC7, 0x45, 0xFC, 0x00,0x00, 0x00, 0x00, 0xC7, 0x45, 0xF8, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xF4, 0x00, 0x00, 0x00,0x00, 0xC7, 0x45, 0xF0, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xEC, 0x00, 0x00, 0x00, 0x00, 0xC7,0x45, 0xE8, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xDC, 0x00, 0x00, 0x00, 0x00, 0xC6, 0x45, 0xC0,0x6B, 0xC6, 0x45, 0xC1, 0x00, 0xC6, 0x45, 0xC2, 0x65, 0xC6, 0x45, 0xC3, 0x00, 0xC6, 0x45, 0xC4,0x72, 0xC6, 0x45, 0xC5, 0x00, 0xC6, 0x45, 0xC6, 0x6E, 0xC6, 0x45, 0xC7, 0x00, 0xC6, 0x45, 0xC8,0x65, 0xC6, 0x45, 0xC9, 0x00, 0xC6, 0x45, 0xCA, 0x6C, 0xC6, 0x45, 0xCB, 0x00, 0xC6, 0x45, 0xCC,0x33, 0xC6, 0x45, 0xCD, 0x00, 0xC6, 0x45, 0xCE, 0x32, 0xC6, 0x45, 0xCF, 0x00, 0xC6, 0x45, 0xD0,0x2E, 0xC6, 0x45, 0xD1, 0x00, 0xC6, 0x45, 0xD2, 0x64, 0xC6, 0x45, 0xD3, 0x00, 0xC6, 0x45, 0xD4,0x6C, 0xC6, 0x45, 0xD5, 0x00, 0xC6, 0x45, 0xD6, 0x6C, 0xC6, 0x45, 0xD7, 0x00, 0xC6, 0x45, 0xD8,0x00, 0xC6, 0x45, 0xD9, 0x00, 0xC6, 0x45, 0xB4, 0x75, 0xC6, 0x45, 0xB5, 0x73, 0xC6, 0x45, 0xB6,0x65, 0xC6, 0x45, 0xB7, 0x72, 0xC6, 0x45, 0xB8, 0x33, 0xC6, 0x45, 0xB9, 0x32, 0xC6, 0x45, 0xBA,0x2E, 0xC6, 0x45, 0xBB, 0x64, 0xC6, 0x45, 0xBC, 0x6C, 0xC6, 0x45, 0xBD, 0x6C, 0xC6, 0x45, 0xBE,0x00, 0xC6, 0x45, 0xA4, 0x47, 0xC6, 0x45, 0xA5, 0x65, 0xC6, 0x45, 0xA6, 0x74, 0xC6, 0x45, 0xA7,0x50, 0xC6, 0x45, 0xA8, 0x72, 0xC6, 0x45, 0xA9, 0x6F, 0xC6, 0x45, 0xAA, 0x63, 0xC6, 0x45, 0xAB,0x41, 0xC6, 0x45, 0xAC, 0x64, 0xC6, 0x45, 0xAD, 0x64, 0xC6, 0x45, 0xAE, 0x72, 0xC6, 0x45, 0xAF,0x65, 0xC6, 0x45, 0xB0, 0x73, 0xC6, 0x45, 0xB1, 0x73, 0xC6, 0x45, 0xB2, 0x00, 0xC6, 0x45, 0x94,0x4C, 0xC6, 0x45, 0x95, 0x6F, 0xC6, 0x45, 0x96, 0x61, 0xC6, 0x45, 0x97, 0x64, 0xC6, 0x45, 0x98,0x4C, 0xC6, 0x45, 0x99, 0x69, 0xC6, 0x45, 0x9A, 0x62, 0xC6, 0x45, 0x9B, 0x72, 0xC6, 0x45, 0x9C,0x61, 0xC6, 0x45, 0x9D, 0x72, 0xC6, 0x45, 0x9E, 0x79, 0xC6, 0x45, 0x9F, 0x41, 0xC6, 0x45, 0xA0,0x00, 0xC6, 0x45, 0x88, 0x4D, 0xC6, 0x45, 0x89, 0x65, 0xC6, 0x45, 0x8A, 0x73, 0xC6, 0x45, 
0x8B,0x73, 0xC6, 0x45, 0x8C, 0x61, 0xC6, 0x45, 0x8D, 0x67, 0xC6, 0x45, 0x8E, 0x65, 0xC6, 0x45, 0x8F,0x42, 0xC6, 0x45, 0x90, 0x6F, 0xC6, 0x45, 0x91, 0x78, 0xC6, 0x45, 0x92, 0x41, 0xC6, 0x45, 0x93,0x00, 0xC6, 0x85, 0x78, 0xFF, 0xFF, 0xFF, 0x48, 0xC6, 0x85, 0x79, 0xFF, 0xFF, 0xFF, 0x65, 0xC6,0x85, 0x7A, 0xFF, 0xFF, 0xFF, 0x6C, 0xC6, 0x85, 0x7B, 0xFF, 0xFF, 0xFF, 0x6C, 0xC6, 0x85, 0x7C,0xFF, 0xFF, 0xFF, 0x6F, 0xC6, 0x85, 0x7D, 0xFF, 0xFF, 0xFF, 0x53, 0xC6, 0x85, 0x7E, 0xFF, 0xFF,0xFF, 0x68, 0xC6, 0x85, 0x7F, 0xFF, 0xFF, 0xFF, 0x65, 0xC6, 0x45, 0x80, 0x6C, 0xC6, 0x45, 0x81,0x6C, 0xC6, 0x45, 0x82, 0x43, 0xC6, 0x45, 0x83, 0x6F, 0xC6, 0x45, 0x84, 0x64, 0xC6, 0x45, 0x85,0x65, 0xC6, 0x45, 0x86, 0x00, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x0C, 0x89, 0x45,0xE8, 0x8B, 0x45, 0xE8, 0x83, 0xC0, 0x0C, 0x89, 0x45, 0xE4, 0x8B, 0x45, 0xE4, 0x8B, 0x08, 0x89,0x4D, 0xE0, 0x8B, 0x45, 0xE0, 0x89, 0x85, 0x74, 0xFF, 0xFF, 0xFF, 0x8D, 0x45, 0xC0, 0x89, 0x85,0x70, 0xFF, 0xFF, 0xFF, 0x8B, 0x45, 0xE0, 0x8B, 0x48, 0x30, 0x89, 0x8D, 0x6C, 0xFF, 0xFF, 0xFF,0xC7, 0x45, 0xDC, 0x00, 0x00, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x0F, 0x84,0xD7, 0x00, 0x00, 0x00, 0x8B, 0x85, 0x70, 0xFF, 0xFF, 0xFF, 0x0F, 0xB7, 0x08, 0x85, 0xC9, 0x75,0x19, 0x8B, 0x85, 0x6C, 0xFF, 0xFF, 0xFF, 0x0F, 0xB7, 0x08, 0x85, 0xC9, 0x75, 0x0C, 0xC7, 0x45,0xDC, 0x01, 0x00, 0x00, 0x00, 0xE9, 0xB1, 0x00, 0x00, 0x00, 0x8B, 0x85, 0x70, 0xFF, 0xFF, 0xFF,0x0F, 0xBE, 0x08, 0x83, 0xF9, 0x61, 0x7C, 0x22, 0x8B, 0x95, 0x70, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE,0x02, 0x83, 0xF8, 0x7A, 0x7F, 0x14, 0x8B, 0x8D, 0x70, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE, 0x11, 0x83,0xEA, 0x20, 0x89, 0x95, 0xF8, 0xFE, 0xFF, 0xFF, 0xEB, 0x0F, 0x8B, 0x85, 0x70, 0xFF, 0xFF, 0xFF,0x0F, 0xBE, 0x08, 0x89, 0x8D, 0xF8, 0xFE, 0xFF, 0xFF, 0x8B, 0x95, 0x6C, 0xFF, 0xFF, 0xFF, 0x0F,0xBE, 0x02, 0x83, 0xF8, 0x61, 0x7C, 0x22, 0x8B, 0x8D, 0x6C, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE, 0x11,0x83, 0xFA, 0x7A, 0x7F, 0x14, 0x8B, 0x85, 0x6C, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE, 0x08, 0x83, 
0xE9,0x20, 0x89, 0x8D, 0xF4, 0xFE, 0xFF, 0xFF, 0xEB, 0x0F, 0x8B, 0x95, 0x6C, 0xFF, 0xFF, 0xFF, 0x0F,0xBE, 0x02, 0x89, 0x85, 0xF4, 0xFE, 0xFF, 0xFF, 0x8B, 0x8D, 0xF8, 0xFE, 0xFF, 0xFF, 0x3B, 0x8D,0xF4, 0xFE, 0xFF, 0xFF, 0x74, 0x02, 0xEB, 0x23, 0x8B, 0x85, 0x70, 0xFF, 0xFF, 0xFF, 0x83, 0xC0,0x02, 0x89, 0x85, 0x70, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x6C, 0xFF, 0xFF, 0xFF, 0x83, 0xC0, 0x02,0x89, 0x85, 0x6C, 0xFF, 0xFF, 0xFF, 0xE9, 0x1C, 0xFF, 0xFF, 0xFF, 0x83, 0x7D, 0xDC, 0x00, 0x74,0x0B, 0x8B, 0x45, 0xE0, 0x8B, 0x48, 0x18, 0x89, 0x4D, 0xFC, 0xEB, 0x14, 0x8B, 0x45, 0xE0, 0x8B,0x08, 0x89, 0x4D, 0xE0, 0x8B, 0x45, 0xE4, 0x3B, 0x45, 0xE0, 0x0F, 0x85, 0xD2, 0xFE, 0xFF, 0xFF,0x83, 0x7D, 0xFC, 0x00, 0x0F, 0x84, 0x92, 0x01, 0x00, 0x00, 0x8B, 0x45, 0xFC, 0x89, 0x85, 0x68,0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x68, 0xFF, 0xFF, 0xFF, 0x8B, 0x8D, 0x68, 0xFF, 0xFF, 0xFF, 0x03,0x48, 0x3C, 0x89, 0x8D, 0x64, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x68, 0xFF, 0xFF, 0xFF, 0x8B, 0x48,0x3C, 0x8B, 0x95, 0x68, 0xFF, 0xFF, 0xFF, 0x8D, 0x44, 0x0A, 0x04, 0x89, 0x85, 0x60, 0xFF, 0xFF,0xFF, 0x8B, 0x85, 0x60, 0xFF, 0xFF, 0xFF, 0x83, 0xC0, 0x14, 0x89, 0x85, 0x5C, 0xFF, 0xFF, 0xFF,0x8B, 0x85, 0x60, 0xFF, 0xFF, 0xFF, 0x0F, 0xB7, 0x48, 0x10, 0x03, 0x8D, 0x5C, 0xFF, 0xFF, 0xFF,0x89, 0x8D, 0x58, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x5C, 0xFF, 0xFF, 0xFF, 0x8B, 0x4D, 0xFC, 0x03,0x48, 0x60, 0x89, 0x8D, 0x54, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x54, 0xFF, 0xFF, 0xFF, 0x8B, 0x4D,0xFC, 0x03, 0x48, 0x1C, 0x89, 0x8D, 0x50, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x54, 0xFF, 0xFF, 0xFF,0x8B, 0x4D, 0xFC, 0x03, 0x48, 0x20, 0x89, 0x8D, 0x4C, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x54, 0xFF,0xFF, 0xFF, 0x8B, 0x4D, 0xFC, 0x03, 0x48, 0x24, 0x89, 0x8D, 0x48, 0xFF, 0xFF, 0xFF, 0xC7, 0x85,0x44, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0F, 0x8B, 0x85, 0x44, 0xFF, 0xFF, 0xFF,0x83, 0xC0, 0x01, 0x89, 0x85, 0x44, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x54, 0xFF, 0xFF, 0xFF, 0x8B,0x8D, 0x44, 0xFF, 0xFF, 0xFF, 0x3B, 0x48, 0x18, 0x0F, 0x8D, 0xBC, 0x00, 0x00, 0x00, 0x8D, 
0x45,0xA4, 0x89, 0x85, 0x40, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x44, 0xFF, 0xFF, 0xFF, 0x8B, 0x8D, 0x4C,0xFF, 0xFF, 0xFF, 0x8B, 0x55, 0xFC, 0x03, 0x14, 0x81, 0x89, 0x95, 0x3C, 0xFF, 0xFF, 0xFF, 0xC7,0x45, 0xDC, 0x00, 0x00, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x74, 0x5B, 0x8B,0x85, 0x40, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE, 0x08, 0x85, 0xC9, 0x75, 0x16, 0x8B, 0x85, 0x3C, 0xFF,0xFF, 0xFF, 0x0F, 0xBE, 0x08, 0x85, 0xC9, 0x75, 0x09, 0xC7, 0x45, 0xDC, 0x01, 0x00, 0x00, 0x00,0xEB, 0x38, 0x8B, 0x85, 0x40, 0xFF, 0xFF, 0xFF, 0x0F, 0xBE, 0x08, 0x8B, 0x95, 0x3C, 0xFF, 0xFF,0xFF, 0x0F, 0xBE, 0x02, 0x3B, 0xC8, 0x74, 0x02, 0xEB, 0x20, 0x8B, 0x85, 0x40, 0xFF, 0xFF, 0xFF,0x83, 0xC0, 0x01, 0x89, 0x85, 0x40, 0xFF, 0xFF, 0xFF, 0x8B, 0x85, 0x3C, 0xFF, 0xFF, 0xFF, 0x83,0xC0, 0x01, 0x89, 0x85, 0x3C, 0xFF, 0xFF, 0xFF, 0xEB, 0x9C, 0x83, 0x7D, 0xDC, 0x00, 0x74, 0x25,0x8B, 0x85, 0x44, 0xFF, 0xFF, 0xFF, 0x8B, 0x8D, 0x48, 0xFF, 0xFF, 0xFF, 0x0F, 0xB7, 0x14, 0x41,0x8B, 0x85, 0x50, 0xFF, 0xFF, 0xFF, 0x8B, 0x0C, 0x90, 0x8B, 0x95, 0x5C, 0xFF, 0xFF, 0xFF, 0x03,0x4A, 0x1C, 0x89, 0x4D, 0xF4, 0xE9, 0x20, 0xFF, 0xFF, 0xFF, 0xEB, 0x07, 0xB8, 0x01, 0x00, 0x00,0x00, 0xEB, 0x38, 0x8D, 0x45, 0x94, 0x50, 0x8B, 0x4D, 0xFC, 0x51, 0xFF, 0x55, 0xF4, 0x89, 0x45,0xF0, 0x8D, 0x45, 0xB4, 0x50, 0xFF, 0x55, 0xF0, 0x89, 0x45, 0xF8, 0x8D, 0x45, 0x88, 0x50, 0x8B,0x4D, 0xF8, 0x51, 0xFF, 0x55, 0xF4, 0x89, 0x45, 0xEC, 0x6A, 0x00, 0x6A, 0x00, 0x8D, 0x85, 0x78,0xFF, 0xFF, 0xFF, 0x50, 0x6A, 0x00, 0xFF, 0x55, 0xEC, 0x33, 0xC0, 0x5F, 0x5E, 0x5B, 0x8B, 0xE5,0x5D, 0xC2, 0x04, 0x00};
// Enables SeDebugPrivilege on the current process token so OpenProcess can
// reach processes of other users. Returns TRUE only when AdjustTokenPrivileges
// leaves ERROR_SUCCESS; ERROR_NOT_ALL_ASSIGNED means the token does not hold
// the privilege (a non-elevated token), which is why the note above the
// listing asks for an elevated run. Privilege adjustments are auditable
// events on the host.
BOOL EnableDebugPrivilege()
{
    HANDLE hToken;
    BOOL fOk = FALSE;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        // Return value is not checked: if the lookup fails, Luid is
        // uninitialized and the adjustment below acts on garbage.
        LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
        // AdjustTokenPrivileges can return TRUE without assigning anything,
        // so success is read from GetLastError() rather than the return value.
        fOk = (GetLastError() == ERROR_SUCCESS);
        CloseHandle(hToken);
    }
    return fOk;
}

// Test driver: reads a PID and runs ShellCodebuff inside that process.
// Every call below is unchecked: an invalid PID, a 64-bit target or a denied
// OpenProcess leaves hProcess/pAddr NULL and the following calls fail silently.
// The OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(PAGE_EXECUTE_READWRITE)
// -> WriteProcessMemory -> CreateRemoteThread sequence is the textbook remote
// thread injection chain; it is precisely what Sysmon (ProcessAccess / 
// CreateRemoteThread events) and EDR kernel callbacks record, which is what
// makes this sample useful for exercising detection rules.
int main(int argc, char* argv[])
{
    EnableDebugPrivilege();   // return value ignored
    DWORD dwWritten;
    DWORD pid;
    printf("請輸入要注入的進程PID: ");
    scanf("%d", &pid);        // %d into a DWORD; on bad input pid stays uninitialized
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    PVOID pAddr = VirtualAllocEx(hProcess, 0, 0x1000, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    // 0x4F4 is a hard-coded length; it has to equal sizeof(ShellCodebuff) or
    // the copy is short or over-long, and dwWritten is never compared to it.
    WriteProcessMemory(hProcess, pAddr, ShellCodebuff, 0x4F4, &dwWritten);
    CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)pAddr, 0, 0, 0);
    getchar();                // keep the console open; handles are never closed
    return 0;
}

// Position-independent thread routine that shows a message box without any
// import, relocation, global or string-literal reference (the four rules in
// section 二). It touches only its own frame, the PEB reached via fs:[0x30]
// (x86-32 only) and the export directory of the mapped kernel32.dll; every
// API pointer is resolved by hand. Walking the PEB loader list and parsing
// an export table from user code is the well-known "PEB walk" pattern that
// static rules and memory scanners commonly look for. ShellCodebuff above is
// the compiled bytes of this function.
//
// lpThreadParameter: unused.
// Returns 0 on success, 1 if kernel32.dll was not found in the load-order
// list. If "GetProcAddress" is not found in the export table, pGetProcAddress
// stays NULL and the call near the end dereferences it; pLoadLibraryA and
// hUser32 are likewise never checked.
DWORD WINAPI ShellCode(PVOID lpThreadParameter)
{
    HMODULE hKernel32 = NULL;
    HMODULE hUser32 = NULL;
    PGETPROCADDRESS pGetProcAddress = NULL;
    PLOADLIBRARYA pLoadLibraryA = NULL;
    PMESSAGEBOXA pMessageBoxA = NULL;
    PPEB_LDR_DATA pLDR = NULL;
    PLDR_DATA_TABLE_ENTRY pLdteHead;
    PLDR_DATA_TABLE_ENTRY pLdteCur;
    BOOL bEqual = FALSE;
    // Strings are char arrays so the compiler materialises them with stores
    // into the frame (the 0xC6 0x45 .. "mov byte ptr [ebp+x], imm8" runs in
    // ShellCodebuff) instead of referencing .rdata. szKernel32 is UTF-16LE
    // because BaseDllName is a UNICODE_STRING; the others are ANSI because
    // export names, LoadLibraryA and MessageBoxA are.
    char szKernel32[] = {'k',0,'e',0,'r',0,'n',0,'e',0,'l',0,'3',0,'2',0,'.',0,'d',0,'l',0,'l',0,0,0};
    char szUser32[] = {'u','s','e','r','3','2','.','d','l','l',0};
    char szGetProcAddress[] = {'G','e','t','P','r','o','c','A','d','d','r','e','s','s',0};
    char szLoadLibrary[] = {'L','o','a','d','L','i','b','r','a','r','y','A',0};
    char szMessageBoxA[] = {'M','e','s','s','a','g','e','B','o','x','A',0};
    char szHelloShellCode[] = {'H','e','l','l','o','S','h','e','l','l','C','o','d','e',0};
    // x86-32: fs:[0x30] is TEB.ProcessEnvironmentBlock, PEB+0x0C is PEB.Ldr.
    __asm
    {
        mov eax, fs:[0x30]
        mov eax, [eax+0x0C]
        mov pLDR, eax
    }
    // The list head is cast to an entry pointer; this only works because
    // InLoadOrderLinks is the first member (offset 0) of LDR_DATA_TABLE_ENTRY.
    pLdteHead = (PLDR_DATA_TABLE_ENTRY)(&pLDR->InLoadOrderModuleList);
    pLdteCur = (PLDR_DATA_TABLE_ENTRY)(pLdteHead->InLoadOrderLinks.Flink);
    // Walk the in-load-order module list until an entry named kernel32.dll.
    do {
        // Same value as pLdteCur (the links sit at offset 0); unused afterwards.
        PLDR_DATA_TABLE_ENTRY pLdte = CONTAINING_RECORD(pLdteCur, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        char *p1 = szKernel32;
        char *p2 = (char*)pLdteCur->BaseDllName.Buffer;
        bEqual = FALSE;
        // Case-insensitive compare of UTF-16 code units: the terminator test
        // looks at the whole WORD, but TOUPPER only sees the low byte of each
        // unit (sufficient for the ASCII name expected here). A length
        // mismatch is caught because a 0 byte never equals a letter.
        while (1){
            if (*(PWORD)p1 == 0 && *(PWORD)p2 == 0){
                bEqual = TRUE;
                break;
            }
            if (TOUPPER(*p1) != TOUPPER(*p2)){
                break;
            }
            p1 += 2;
            p2 += 2;
        }
        if (bEqual){
            hKernel32 = (HMODULE)pLdteCur->DllBase;
            break;
        }
        pLdteCur = (PLDR_DATA_TABLE_ENTRY)pLdteCur->InLoadOrderLinks.Flink;
    } while (pLdteHead != pLdteCur);
    if (hKernel32 != NULL){
        // Parse the PE headers of the mapped kernel32 image by hand. The
        // IMAGE_OPTIONAL_HEADER32 type and the DWORD pointer casts make this
        // 32-bit only. pNTHeader and pSectionHeader are computed but unused.
        PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hKernel32;
        PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + pDosHeader->e_lfanew);
        // e_lfanew + 4 skips the "PE\0\0" signature.
        PIMAGE_FILE_HEADER pPEHeader = (PIMAGE_FILE_HEADER)((DWORD)pDosHeader + pDosHeader->e_lfanew + 4);
        PIMAGE_OPTIONAL_HEADER32 pOptionHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pPEHeader + sizeof(IMAGE_FILE_HEADER));
        PIMAGE_SECTION_HEADER pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pPEHeader->SizeOfOptionalHeader);
        // DataDirectory[0] is IMAGE_DIRECTORY_ENTRY_EXPORT; the three RVA
        // tables below are rebased against the actual module base.
        PIMAGE_EXPORT_DIRECTORY pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD)hKernel32 + pOptionHeader->DataDirectory[0].VirtualAddress);
        PDWORD AddressOfFunctions = (PDWORD)((DWORD)hKernel32 + pExportDirectory->AddressOfFunctions);
        PDWORD AddressOfNames = (PDWORD)((DWORD)hKernel32 + pExportDirectory->AddressOfNames);
        PWORD AddressOfNameOridinals = (PWORD)((DWORD)hKernel32 + pExportDirectory->AddressOfNameOrdinals);
        int i;
        // Linear, case-sensitive scan of the export name table for
        // "GetProcAddress". There is no break after a match, so the loop
        // always visits all NumberOfNames entries.
        for (i = 0; i < (int)pExportDirectory->NumberOfNames; i++){
            char *p1 = szGetProcAddress;
            char *p2 = (char *)((DWORD)hKernel32 + AddressOfNames[i]);
            bEqual = FALSE;
            while (1){
                if (*p1 == 0 && *p2 == 0){
                    bEqual = TRUE;
                    break;
                }
                if (*p1 != *p2){
                    break;
                }
                p1++;
                p2++;
            }
            if (bEqual){
                // NOTE(review): the function RVA is added to the optional
                // header's ImageBase rather than to hKernel32 as in the lines
                // above; the two only agree if the mapped header's ImageBase
                // reflects the actual load address.
                pGetProcAddress = (PGETPROCADDRESS)(AddressOfFunctions[AddressOfNameOridinals[i]] + pOptionHeader->ImageBase);
            }
        }
    }else{
        return 1;
    }
    // From here on the regular API is used, but through the hand-resolved
    // pointers. Loading user32.dll from here shows up in image-load telemetry
    // like any other module load.
    pLoadLibraryA = (PLOADLIBRARYA)pGetProcAddress(hKernel32, szLoadLibrary);
    hUser32 = pLoadLibraryA(szUser32);
    pMessageBoxA = (PMESSAGEBOXA)pGetProcAddress(hUser32, szMessageBoxA);
    pMessageBoxA(0, szHelloShellCode, 0, MB_OK);
    return 0;
}

// Prints nBytes starting at startAddr as a C byte-array initializer, 16 values
// per line; this is how the ShellCodebuff literal above was produced from the
// compiled ShellCode. It is declared above but not called from main as listed.
void PrintHexArray(PVOID startAddr, size_t nBytes)
{
    for (size_t i = 0; i < nBytes; i++){
        printf("0x%02X, ", ((PBYTE)startAddr)[i]);
        if ((i + 1) % 16 == 0) putchar('\n');
    }
    putchar('\n');
}
注入前
注入后
總結