shellcode模板(使用hash获取API)
一、獲取kernel32
通過 LDR 鏈表遍歷dll,檢查 BaseDllName.Buffer 的第6,7個字符是不是"32",如果是就認為是kernel32.
// CTF.cpp : This file contains the "main" function. Program execution begins and ends there.
//
// Demo: find the kernel32 image base without using any import, by walking the
// loader's module list reachable from the PEB. 32-bit only: fs:[0x30] is the
// 32-bit PEB pointer, and MSVC __asm blocks are not available in the x64
// compiler. From a defender's view this PEB-walk is a classic shellcode
// fingerprint (no IAT, TEB/PEB offsets hard-coded).
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include <windows.h>

int main()
{
    HMODULE hModule = 0;
    char lpszModuleFileName[MAX_PATH] = { 0 };
    // Walk the DLLs in load order: ntdll is loaded first, then kernel32 (kernelbase).
    // Match rule (see text above): UTF-16 chars at index 6 and 7 of BaseDllName are L"32".
    // NOTE(review): there is no end-of-list check; if no entry matches, the loop
    // runs into the list head inside PEB_LDR_DATA and reads bogus "entries".
    __asm
    {
        mov eax, fs: [0x30] ;                    // PEB
        mov eax, dword ptr[eax + 0x0c];          // PEB->PEB_LDR_DATA
        mov esi, dword ptr[eax + 0x1c];          // PLDR_DATA_TABLE_ENTRY->InInitializationOrderLinks
    sc_goonkernel:
        mov eax, dword ptr[esi + 0x8];           // &InInitializationOrderModuleList + 8 == &DllBase
        mov ebx, dword ptr[esi + 0x20];          // BaseDllName.Buffer
        mov esi, dword ptr[esi];                 // Flink: advance to the next entry before testing
        cmp dword ptr[ebx + 0xc], 0x00320033;    // L"32" as one little-endian DWORD at byte offset 0xc
        jnz sc_goonkernel;
        mov hModule, eax;                        // eax still holds the DllBase of the matching entry
    }
    // Sanity check: resolve the base back to a path through the normal API.
    GetModuleFileNameA(hModule, lpszModuleFileName, MAX_PATH);
    printf("[%p] %s\n", hModule, lpszModuleFileName);
    system("pause");
    return 0;
}
如果希望更加精確,可以做更加詳細的判斷,比如匹配"l32.“或"L32.”,比較兩次是因為32前面的L可能是大寫或小寫。
// CTF.cpp : This file contains the "main" function. Program execution begins and ends there.
//
// Variant of the kernel32 lookup with a stricter match: the name must end in
// "32." and be preceded by either "l" or "L" (two compares, since the case of
// the "l" in the loader's BaseDllName is not guaranteed). 32-bit MSVC only.
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include <windows.h>

int main()
{
    // Print the two little-endian DWORDs that make up L"L32." and L"l32." so the
    // immediates used in the compares below can be read off directly.
    printf("%x %x\n", ((PDWORD)&L"L32.")[0], ((PDWORD)&L"L32.")[1]);
    printf("%x %x\n", ((PDWORD)&L"l32.")[0], ((PDWORD)&L"l32.")[1]);
    HMODULE hModule = 0;
    char lpszModuleFileName[MAX_PATH] = { 0 };
    // Walk the DLLs in load order: ntdll is loaded first, then kernel32 (kernelbase).
    // NOTE(review): as in the simpler version there is no end-of-list check.
    __asm
    {
        mov eax, fs: [0x30] ;                    // PEB
        mov eax, dword ptr[eax + 0x0c];          // PEB->PEB_LDR_DATA
        mov esi, dword ptr[eax + 0x1c];          // PLDR_DATA_TABLE_ENTRY->InInitializationOrderLinks
    sc_goonkernel:
        mov eax, dword ptr[esi + 0x8];           // &InInitializationOrderModuleList + 8 == &DllBase
        mov ebx, dword ptr[esi + 0x20];          // BaseDllName.Buffer
        mov esi, dword ptr[esi];                 // Flink: advance to the next entry before testing
        cmp dword ptr[ebx + 0xe], 0x002e0032;    // L"2." at UTF-16 index 7..8
        jnz sc_goonkernel;
        cmp dword ptr[ebx + 0xa], 0x0033006c;    // L"l3" at UTF-16 index 5..6
        jz sc_foundkernel32;
        cmp dword ptr[ebx + 0xa], 0x0033004c;    // L"L3" (upper-case variant)
        jnz sc_goonkernel;
    sc_foundkernel32:
        mov hModule, eax;
    }
    GetModuleFileNameA(hModule, lpszModuleFileName, MAX_PATH);
    printf("[%p] %s\n", hModule, lpszModuleFileName);
    system("pause");
    return 0;
}
二、獲取 LoadLibraryA GetProcAddress
實現一個簡單的hash計算方法,先算出這兩個API的hash,然后遍歷kernel32的導出表,通過計算函數名的hash來找函數地址。
// Find LoadLibraryA and GetProcAddress
// Fragment of the full demo below: assumes hKernel32 (DWORD image base),
// pGetProcAddress, pLoadLibraryA and the ror() macro are already declared.
// Walks the export name table and compares a hash of each name against two
// precomputed constants instead of comparing strings.
// DataDirectory[0] is IMAGE_DIRECTORY_ENTRY_EXPORT; every RVA is added to the
// DWORD base, which is why this code is 32-bit only.
PIMAGE_EXPORT_DIRECTORY pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(hKernel32 +((PIMAGE_NT_HEADERS)(hKernel32 + ((PIMAGE_DOS_HEADER)hKernel32)->e_lfanew))->OptionalHeader.DataDirectory[0].VirtualAddress);
PDWORD AddressOfFunctions = (PDWORD)(hKernel32 + pExportDirectory->AddressOfFunctions);
PDWORD AddressOfNames = (PDWORD)(hKernel32 + pExportDirectory->AddressOfNames);
PWORD AddressOfNameOridinals = (PWORD)(hKernel32 + pExportDirectory->AddressOfNameOrdinals);
for (size_t i = 0; i < pExportDirectory->NumberOfNames; i++)
{
    char *FuncName = (char *)(hKernel32 + AddressOfNames[i]);
    char *p = FuncName;
    DWORD j = 0;
    DWORD hash = 1;
    DWORD len = 0;
    // len = strlen(FuncName), without calling strlen.
    while (*p++)
        len++;
    // hash = 1 + sum of ror32(dword, 7) for DWORD indices 0 .. len-4.
    // NOTE(review): j indexes DWORDs (4-byte stride) while len counts bytes, so
    // for any name longer than 4 chars this reads past the terminator into the
    // following entries of the export name table. The two constants below were
    // presumably produced by this same routine, in which case they also depend
    // on whatever follows the name in that table — confirm before reusing them.
    while (len > 3 && j < len - 3)
    {
        hash += ror(((PDWORD)FuncName)[j], 7);
        j++;
    }
    // Name-table index i maps through the ordinal table to the function RVA.
    if (0x388dd59d == hash)
    {
        pGetProcAddress = (PGETPROCADDRESS)(AddressOfFunctions[AddressOfNameOridinals[i]] + hKernel32);// 388dd59d GetProcAddress
    }
    else if (0x5e591b27 == hash)
    {
        pLoadLibraryA = (PLOADLIBRARYA)(AddressOfFunctions[AddressOfNameOridinals[i]] + hKernel32);// 5e591b27 LoadLibraryA
    }
}
三、完整demo
測試一下獲取到的api,彈出一個消息框。
// Full demo: locate kernel32 through the PEB loader list, resolve
// GetProcAddress and LoadLibraryA from its export table by name hash, then use
// them to call MessageBoxA. 32-bit MSVC only (fs:[0x30], __asm, DWORD used as a
// pointer). The PEB walk plus export-name hashing is the pattern detection
// rules and emulators key on when classifying position-independent code.
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include <windows.h>

// Function-pointer types for the two resolved exports (stdcall).
typedef HMODULE(WINAPI *PLOADLIBRARYA)(LPCSTR);
// Returns DWORD rather than FARPROC; only valid where a pointer fits in a DWORD (x86).
typedef DWORD(WINAPI *PGETPROCADDRESS)(HMODULE, LPCSTR);
// 32-bit rotate right. Arguments are not parenthesised; acceptable here only
// because the single call site passes a postfix expression and a literal.
#define ror(value, bits) ((value >> bits) | (value << (sizeof(value)*8 - bits)))

int main()
{
    DWORD hKernel32 = 0xFFFFFFFF;           // overwritten by the __asm block below
    PGETPROCADDRESS pGetProcAddress = NULL;
    PLOADLIBRARYA pLoadLibraryA = NULL;
    // Find kernel32
    // Match "l32." / "L32." in BaseDllName; no end-of-list check (see earlier sections).
    __asm
    {
        mov eax, fs: [0x30] ;                    // PEB
        mov eax, dword ptr[eax + 0x0c];          // PEB->PEB_LDR_DATA
        mov esi, dword ptr[eax + 0x1c];          // PLDR_DATA_TABLE_ENTRY->InInitializationOrderLinks
    sc_goonkernel:
        mov eax, dword ptr[esi + 0x8];           // &InInitializationOrderModuleList + 8 == &DllBase
        mov ebx, dword ptr[esi + 0x20];          // BaseDllName.Buffer
        mov esi, dword ptr[esi];                 // Flink: advance to the next entry before testing
        cmp dword ptr[ebx + 0xe], 0x002e0032;    // L"2."
        jnz sc_goonkernel;
        cmp dword ptr[ebx + 0xa], 0x0033006c;    // L"l3"
        jz sc_foundkernel32;
        cmp dword ptr[ebx + 0xa], 0x0033004c;    // L"L3"
        jnz sc_goonkernel;
    sc_foundkernel32:
        mov hKernel32, eax;
    }
    // Find LoadLibraryA and GetProcAddress
    // DataDirectory[0] is IMAGE_DIRECTORY_ENTRY_EXPORT.
    PIMAGE_EXPORT_DIRECTORY pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(hKernel32 +((PIMAGE_NT_HEADERS)(hKernel32 + ((PIMAGE_DOS_HEADER)hKernel32)->e_lfanew))->OptionalHeader.DataDirectory[0].VirtualAddress);
    PDWORD AddressOfFunctions = (PDWORD)(hKernel32 + pExportDirectory->AddressOfFunctions);
    PDWORD AddressOfNames = (PDWORD)(hKernel32 + pExportDirectory->AddressOfNames);
    PWORD AddressOfNameOridinals = (PWORD)(hKernel32 + pExportDirectory->AddressOfNameOrdinals);
    for (size_t i = 0; i < pExportDirectory->NumberOfNames; i++)
    {
        char *FuncName = (char *)(hKernel32 + AddressOfNames[i]);
        char *p = FuncName;
        DWORD j = 0;
        DWORD hash = 1;
        DWORD len = 0;
        // len = strlen(FuncName), without calling strlen.
        while (*p++)
            len++;
        // hash = 1 + sum of ror32(dword, 7) for DWORD indices 0 .. len-4.
        // NOTE(review): j indexes DWORDs (4-byte stride) while len counts bytes,
        // so for names longer than 4 chars this reads past the terminator into
        // the neighbouring export names. The constants below were presumably
        // produced by this same routine and therefore also depend on those
        // neighbouring bytes — confirm before reusing them.
        while (len > 3 && j < len - 3)
        {
            hash += ror(((PDWORD)FuncName)[j], 7);
            j++;
        }
        // Name-table index i maps through the ordinal table to the function RVA.
        if (0x388dd59d == hash)
        {
            pGetProcAddress = (PGETPROCADDRESS)(AddressOfFunctions[AddressOfNameOridinals[i]] + hKernel32);// 388dd59d GetProcAddress
        }
        else if (0x5e591b27 == hash)
        {
            pLoadLibraryA = (PLOADLIBRARYA)(AddressOfFunctions[AddressOfNameOridinals[i]] + hKernel32);// 5e591b27 LoadLibraryA
        }
    }
    // test
    // NOTE(review): neither pointer is checked; if a hash did not match, the
    // corresponding pointer is still NULL and the call below faults.
    DWORD msgboxa = pGetProcAddress(pLoadLibraryA("user32.dll"), "MessageBoxA");
    ((DWORD(WINAPI *)(DWORD, DWORD, DWORD, DWORD))msgboxa)(0, 0, 0, 0);
    system("pause");
    return 0;
}