
Shellcode和Payload入門101-超詳細源碼和注釋以及Hex版本
前言:
首先定義兩個概念,在一段ShellCode代碼中我們可以認為它有兩個部分。
ShellCode:用于創建PayLoad環境部分
PayLoad:實現需求部分
以下是源代碼,OPcode接近400個字節,僅僅完成了MessageBox彈窗,代碼有很大的優化空間。
// ShellCode_ : defines the entry point of the console application.
//
// NOTE: the extraction stripped the spaces from every line below; each one reads
// "#define NAME [REG+/-offset]" and expands to an EBP- or EDX-relative memory operand.
// Locals — EBP-relative stack slots the shellcode writes its resolved pointers into.
// NOTE(review): nothing in the asm block sets EBP; these slots rely on the compiler's
// own frame (push ebp / mov ebp,esp), so they are not inside the SUB ESP,0x60 scratch area.
#defineKernalBaAddr[EBP-0x4]   // kernel32 base address (DllBase of the matching loader entry)
#definepEAT[EBP-0x8]           // export address table: AddressOfFunctions RVA + base
#definepENT[EBP-0xC]           // export name table: AddressOfNames RVA + base
#definepEOT[EBP-0x10]          // export ordinal table: AddressOfNameOrdinals RVA + base
#definePGETPROCADDRESS[EBP-0x14]  // resolved GetProcAddress
#definePLOADLIBRARYA[EBP-0x18]    // resolved LoadLibraryA
#definePEXITPROCESS[EBP-0x1C]     // resolved ExitProcess
#defineUr32BaAddr[EBP-0x20]       // user32 base, the LoadLibraryA result
#definePMESSAGEBOX[EBP-0x24]      // resolved MessageBoxA
// strRVA — string addressing: after the GetPC sequence EDX holds the shellcode base, and each
// constant is a string's offset from it; the offsets follow the byte layout emitted in the code.
#definewzKERNAL32[EDX+0x9]        // L"KERNEL32.DLL" (UTF-16), 0x19 bytes
#defineszGetProcAddress[EDX+0x22] // "GetProcAddress", 0xF bytes
#defineszLoadLibraryA[EDX+0x31]   // "LoadLibraryA", 0xD bytes
#defineszExitProcess[EDX+0x3E]    // "ExitProcess", 0xC bytes
#defineszUr32[EDX+0x4A]           // "User32.dll", 0xB bytes
#defineszMessageBoxA[EDX+0x55]    // "MessageBoxA", 0xC bytes
#defineszGreetings[EDX+0x61]      // "Hello 15PB ", 0xC bytes — text and caption of the message box
// Main
/*
 * _tmain — host program for a hand-written x86 Win32 shellcode in MSVC inline asm.
 *   1. GetPC: FLDZ / FNSTENV / POP EDX gives the code its own address.
 *   2. Walk PEB->Ldr->InLoadOrderModuleList and compare names to find kernel32's base.
 *   3. Parse kernel32's export directory and search the name table for GetProcAddress.
 *   4. Resolve LoadLibraryA and ExitProcess, load user32, resolve MessageBoxA, show the
 *      greeting, then ExitProcess(0).
 * argc/argv are unused. Returns 0 only via tag_elfin (GetProcAddress not found in the
 * name table); on every other path ExitProcess ends the process and the function never returns.
 * NOTE: extraction stripped the spaces from every asm line ("MOVEAX,FS:[0x30]" is
 * "MOV EAX, FS:[0x30]") and a few lines carry stray non-ASCII text that is not code.
 * Defender's view: the FS:[0x30] PEB read, the FNSTENV/POP GetPC pair and the manual
 * export-table walk are classic shellcode fingerprints that scanners and emulators commonly
 * key on; the payload here is a benign MessageBox.
 */
int_tmain(intargc,_TCHAR*argv[])
{
_asm
{
pushad;// save all general registers; restored by popad at tag_elfin
SUBESP,0X60;// reserve scratch stack. NOTE(review): the matching add at tag_elfin is 0x5C, not 0x60; and nothing here sets EBP, so the [EBP-x] locals depend on the compiler prologue (push ebp / mov ebp,esp / push ebx,esi,edi, visible at the start of the hex dump below) and appear to overlap the saved registers and the pushad area — harmless only because ExitProcess never returns; confirm.
tag_OEP:
/*
 * Key note — obtaining EIP at run time inside shellcode: the FSTENV method
 * | To make shellcode robust and portable we resolve functions dynamically, and resolving
 * | module and function addresses needs string constants. We cannot rely on the target
 * | process containing the strings we need, so they must live somewhere we can always reach:
 * | the simplest choice is to embed them in the code and locate them by addressing.
 * | Addressing is "a base + an offset":
 * | The offset: in memory the code is opcode bytes, and the shellcode is the same hex data
 * | in the file and in memory, so the distance between any two of its bytes is identical in
 * | both. That distance can be read off the opcode listing and used as the offset of a datum
 * | from some reference position.
 * | The base: the hard part is obtaining that reference position at run time, i.e. the EIP
 * | of some byte of the code. Once we have it, each string's offset from the opcode listing
 * | gives the string's address.
 * | Several ways to obtain EIP exist, all inherited from earlier work; most look simple but
 * | are subtle. The one used here (FSTENV) is slightly unusual, chosen in the hope that it
 * | survives more complex environments.
 * | ************************************************************************
 * | FSTENV stores the FPU environment — including the EIP of the last floating-point
 * | instruction executed — to memory. The steps are therefore:
 * | 1. execute a floating-point instruction
 * | 2. store the FPU environment onto the stack
 * | 3. pop the saved EIP
 * | NOTE: FNSTENV [ESP-0xc] is used because the stored structure's 4th dword is the EIP we
 * | want; storing it starting at [ESP-0xc] leaves ESP pointing exactly at that field, so a
 * | single POP yields the address of the FLDZ, i.e. the start of the shellcode.
 */
// GetPC — obtain the shellcode's own start address at run time
FLDZ;// any FPU instruction; its EIP is recorded in the FPU environment
FNSTENV[ESP-0xc];// store the 28-byte FPU environment so its instruction-pointer field lands at [ESP]
POPEDX;// EDX == address of the FLDZ == shellcode base; every string below is [EDX+offset]
JMPtag_shellcode;// skip the embedded data; FLDZ+FNSTENV+POP+JMP are 9 bytes, so data starts at [EDX+0x9]
// .rdata — the shellcode's constant strings, emitted inline as bytes
#pragmaregionCHAR*&WCHAR*
// data section VA: [ShellCodeBase+0x9]
// L"KERNEL32.DLL" at [EDX+0x9] (the literal was lost in extraction; the bytes below spell it in UTF-16; single 0x00 terminator)
_asm_emit(0x4b)_asm_emit(0x00)_asm_emit(0x45)_asm_emit(0x00)
_asm_emit(0x52)_asm_emit(0x00)_asm_emit(0x4e)_asm_emit(0x00)
_asm_emit(0x45)_asm_emit(0x00)_asm_emit(0x4c)_asm_emit(0x00)
_asm_emit(0x33)_asm_emit(0x00)_asm_emit(0x32)_asm_emit(0x00)
_asm_emit(0x2e)_asm_emit(0x00)_asm_emit(0x44)_asm_emit(0x00)
_asm_emit(0x4c)_asm_emit(0x00)_asm_emit(0x4c)_asm_emit(0x00)
_asm_emit(0x00)// 0x19 bytes
// "GetProcAddress" at [EDX+0x22]
_asm_emit(0x47)_asm_emit(0x65)_asm_emit(0x74)_asm_駕照英文 emit(0x50)// the non-ASCII text in this line is extraction noise, not code
_asm_emit(0x72)_asm_emit(0x6f)_asm_emit(0x63)_asm_emit(0x41)
_asm_emit(0x64)_asm_emit(0x64)_asm_emit(0x72)_asm_emit(0x65)
_asm_emit(0x73)_asm_emit(0x73)_asm_emit(0x00)// 0xF bytes, NUL included
// "LoadLibraryA" at [EDX+0x31]
_asm_emit(0x4c)_asm_emit(0x6f)_asm_emit(0x61)_asm_emit(0x64)
_asm_emit(0x4c)_asm_emit(0x69)_asm_emit(0x62)_asm_emit(0x72)
_asm_emit(0x61)_asm_emit(0x72)_asm_emit(0x79)_asm_emit(0x41)
_asm_emit(0x00)// 0xD bytes
// "ExitProcess" at [EDX+0x3E]
_asm_emit(0x45)_asm_emit(0x78)_asm_emit(0x69)_asm_emit(0x74)
_asm_emit(0x50)_asm_emit(0x72)_asm_emit(0x6F)_asm_emit(0x63)
_asm_emit(0x65)_asm_emit(0x73)_asm_emit(0x73)_asm_emit(0x00)// 0xC bytes
// "User32.dll" at [EDX+0x4A] (literal lost in extraction; spelled by the bytes below)
_asm_emit(0x55)_asm_emit(0x73)_asm_emit(0x65)_asm_emit(0x72)
_asm_emit(0x33)_asm_emit(0x32)_asm_emit(0x2e)_asm_emit(0x64)
_asm_emit(0x6c)_asm_emit(0x6c)_asm_emit(0x00)// 0xB bytes
// "MessageBoxA" at [EDX+0x55]
_asm_emit(0x4D)_asm_emit(0x65)_asm_emit(0x73)_asm_emit(0x73)
_asm_emit(0x61)_asm_emit(0x67)_asm_emit(0x65)_asm_emit(0x42)
_asm_emit(0x6F)_asm_emit(0x78)_asm_emit(0x41)_asm_emit(0x00)// 0xC bytes
// "Hello 15PB " at [EDX+0x61] — text and caption of the message box
_asm_emit(0x48)_asm_emit(0x65)_asm_emit(0x6C)_asm_emit(0x6C)
_asm_emit(0x6F)_asm_emit(0x20)_asm_emit(0x31)_asm_emit(0x35)
_asm_emit(0x50)_asm_emit(0x42)_asm_emit(0x20)_asm_emit(0x00)// 0xC bytes; data total 0x64 bytes, matching the JMP above
#pragmaendregionCHAR*&WCHAR*
/*
 * GetModuleBase — find the kernel32 base address
 * PEB->Ldr (_PEB_LDR_DATA) ->InLoadOrderModuleList (_LIST_ENTRY)
 * _LIST_ENTRY {
 *   +0x000 Flink : Ptr32 _LIST_ENTRY
 *   +0x004 Blink : Ptr32 _LIST_ENTRY
 * }
 * A _LIST_ENTRY address (i.e. _LIST_ENTRY + 0x000 Flink) is the address of the next
 * _LDR_DATA_TABLE_ENTRY, because _LIST_ENTRY is that structure's first member.
 * Author's note: advancing once reaches ntdll, twice reaches kernel32; the code does not
 * rely on that position and compares names instead (tag_checkname).
 */
tag_shellcode:
MOVEAX,FS:[0x30];// EAX == PEB
MOVEAX,[EAX+0xC];// EAX == PEB->Ldr (_PEB_LDR_DATA)
MOVEAX,[EAX+0xC];// EAX == Ldr->InLoadOrderModuleList.Flink == first _LDR_DATA_TABLE_ENTRY
JMPtag_checkname;// test the first entry before advancing
tag_nextModule:
MOVEAX,[EAX];// EAX = EAX->Flink: the next _LDR_DATA_TABLE_ENTRY
tag_checkname:
MOVEBX,DWORDPTRDS:[EAX+0x2C+0x4];// EBX == entry->BaseDllName.Buffer (_UNICODE_STRING at +0x2C, Buffer at +4)
PUSHEAX;// keep the entry address across the register shuffle
MOVEAX,DWORDPTRDS:[EAX+0x2C];// EAX == _UNICODE_STRING.Length (WORD, byte count); high word is MaximumLength
ANDEAX,0X0000FFFF;// keep only the low word: Length
SHREAX,2;// NOTE(review): Length is already a byte count, so this leaves Length/4; with the byte-wise REP CMPS below (F3 A6 in the hex dump) only the first Length/4 bytes — "K\0E\0R\0" for KERNEL32.DLL — are compared: a case-sensitive prefix check, not a full name compare.
MOVECX,EAX;// ECX = byte count for REP CMPS
MOVESI,EBX;// ESI = module name buffer
POPEAX;// EAX == entry address again
LEAEDI,wzKERNAL32;// EDI = &L"KERNEL32.DLL" inside the shellcode
REPCMPS;// compare ECX bytes of [ESI] and [EDI]
JNZtag_nextModule;// mismatch: advance. No exit other than a match, so the walk does not terminate if no entry matches.
MOVEAX,DWORDPTRDS:[EAX+0x18];// EAX == entry->DllBase (+0x18)
MOVKernalBaAddr,EAX;// [EBP-0x4] = kernel32 base
PUSHEAX;// keep a copy on the stack (popped into ESI below)
/*
 * Get pEAT / pENT / pEOT — locate kernel32's export tables
 * Equivalent C:
 * typedef FARPROC (WINAPI *GETPROCADDR)(HMODULE hModule, LPCSTR lpProcName);
 * typedef HMODULE (WINAPI *LOADLIBRARYA)(_In_ LPCSTR lpName);
 * GETPROCADDR  g_getprocaddr;
 * LOADLIBRARYA g_loadlibA;
 * CHAR *ModuleBuf = (CHAR *)KernalBaAddr;
 * PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)ModuleBuf;
 * PIMAGE_NT_HEADERS pNT = PIMAGE_NT_HEADERS(pDos->e_lfanew + ModuleBuf);
 * PIMAGE_OPTIONAL_HEADER pOpt = &pNT->OptionalHeader;
 * PIMAGE_DATA_DIRECTORY pExportDir = pOpt->DataDirectory + 0;
 * PIMAGE_EXPORT_DIRECTORY pExport = PIMAGE_EXPORT_DIRECTORY(pExportDir->VirtualAddress + ModuleBuf);
 * PDWORD pEAT = PDWORD(pExport->AddressOfFunctions + ModuleBuf);
 * PDWORD pENT = PDWORD(pExport->AddressOfNames + ModuleBuf);
 * PWORD  pEOT = PWORD(pExport->AddressOfNameOrdinals + ModuleBuf);
 * DWORD NumONames = pExport->NumberOfNames;
 */
MOVEAX,[EAX+0x3C];// EAX = pDosHeader->e_lfanew
ADDEAX,KernalBaAddr;// EAX = pNtHeaders = base + e_lfanew
LEAEAX,[EAX+0x18];// EAX = &pNtHeaders->OptionalHeader
MOVEAX,[EAX+0x60];// EAX = OptionalHeader.DataDirectory[0].VirtualAddress (export directory RVA)
ADDEAX,KernalBaAddr;// EAX = pExportDir = base + RVA
POPESI;// ESI = kernel32 base (pushed above); callee-saved, so it survives the stdcall calls below
MOVEBX,[EAX+0x1C];// EBX = pExportDir->AddressOfFunctions (RVA)
MOVpEAT,ESI;// [EBP-0x8] = base
ADDpEAT,EBX;// [EBP-0x8] += RVA  => pEAT
MOVEBX,[EAX+0x20];// EBX = pExportDir->AddressOfNames (RVA)
MOVpENT,ESI;// [EBP-0xC] = base
ADDpENT,EBX;// [EBP-0xC] += RVA  => pENT
MOVEBX,[EAX+0x24];// EBX = pExportDir->AddressOfNameOrdinals (RVA)
MOVpEOT,ESI;// [EBP-0x10] = base
ADDpEOT,EBX;// [EBP-0x10] += RVA  => pEOT
MOVECX,[EAX+0x18];// ECX = pExportDir->NumberOfNames (loop bound)
/*
 * Get GetProcAddress(), LoadLibraryA(), ExitProcess() — resolve the key functions
 * Equivalent C:
 * for (INT i = 0; i < NumONames; i++)
 * {
 *     CHAR *pName = pENT[i] + ModuleBuf;
 *     if (strcmp(pName, getProcAddr) == 0)
 *     {
 *         g_getprocaddr = GETPROCADDR(pEAT[pEOT[i]] + (DWORD)ModuleBuf);
 *         g_loadlibA = LOADLIBRARYA(g_getprocaddr((HMODULE)ModuleBuf, loadLibA));
 *         break;
 *     }
 * }
 */
XOREAX,EAX;// i (EAX) = 0
loop_EXT:
CMPEAX,ECX;// i < NumberOfNames ?
JNBtag_elfin;// exhausted without finding GetProcAddress: leave via tag_elfin
PUSHEAX;// save i
SHLEAX,2;// i * 4 (DWORD entries)
MOVEDI,pENT;// EDI = pENT
ADDEDI,EAX;// EDI = &pENT[i]
MOVEDI,[EDI];// EDI = pENT[i] (RVA of the name)
ADDEDI,ESI;// EDI = name string = RVA + base
PUSHESI;// save base
LEAESI,szGetProcAddress;// ESI = "GetProcAddress" in the shellcode ([EDX+0x22])
PUSHECX;// save NumberOfNames
MOVECX,0xF;// 0xF bytes = strlen("GetProcAddress") + NUL, so this is an exact match, not a prefix
repcmps;// byte compare of the export name against "GetProcAddress"
POPECX;// restore NumberOfNames
POPESI;// restore base
POPEAX;// restore i; needed on both branch outcomes, so popped before the jump
JZtag_foundproc;// equal: found
INCEAX;// ++i
JMPloop_EXT;// next name
tag_foundproc:
MOVECX,pEOT;// ECX = pEOT ([EBP-0x10])
SHLEAX,1;// i * 2 (WORD entries)
ADDECX,EAX;// ECX = &pEOT[i]
MOVCX,WORDPTR[ECX];// CX = pEOT[i] (ordinal)
ANDECX,0x0000ffff;// clear the high word still holding part of the address
SHLECX,2;// ordinal * 4 (DWORD entries)
MOVEAX,pEAT;// EAX = pEAT
ADDEAX,ECX;// EAX = &pEAT[ordinal]
MOVEAX,[EAX];// EAX = RVA of GetProcAddress
ADDEAX,ESI;// + base
MOVPGETPROCADDRESS,EAX;// [EBP-0x14] = GetProcAddress (the original comment said -0x54; the macro is -0x14)
/*
 * LoadLibraryA = GetProcAddress(kernel32, "LoadLibraryA");
 */
PUSHEDX;// EDX (shellcode base) is caller-saved; preserve it across the call
LEAECX,szLoadLibraryA;// ECX = &"LoadLibraryA"
PUSHECX;// arg 2: LPCSTR lpProcName
PUSHESI;// arg 1: HMODULE hModule (kernel32 base)
CALLPGETPROCADDRESS;// GetProcAddress(); stdcall, the callee removes the arguments
MOVPLOADLIBRARYA,EAX;// [EBP-0x18] = LoadLibraryA
POPEDX;// restore EDX
/*
 * ExitProcess = GetProcAddress(kernel32, "ExitProcess");
 */
PUSHEDX;// preserve the shellcode base across the call
LEAECX,szExitProcess;// ECX = &"ExitProcess"
PUSHECX;// arg 2: LPCSTR lpProcName
PUSHESI;// arg 1: HMODULE hModule (kernel32 base)
CALLPGETPROCADDRESS;// GetProcAddress()
MOVPEXITPROCESS,EAX;// [EBP-0x1C] = ExitProcess
POPEDX;// restore EDX
// *************************************************** Payload ***************************************************
/*
 * MessageBoxA = GetProcAddress(LoadLibraryA("User32.dll"), "MessageBoxA");
 */
PUSHEDX;// preserve the shellcode base across the call
LEAECX,szUr32;// ECX = &"User32.dll"
PUSHECX;// arg: LPCSTR lpLibFileName
CALLPLOADLIBRARYA;// LoadLibraryA()
MOVUr32BaAddr,EAX;// [EBP-0x20] = user32 base
POPEDX;// restore EDX
PUSHEDX;// preserve the shellcode base across the call
LEAECX,szMessageBoxA;// ECX = &"MessageBoxA"
PUSHECX;// arg 2: LPCSTR lpProcName
PUSHEAX;// arg 1: HMODULE hModule — the user32 base, still in EAX from LoadLibraryA
CALLPGETPROCADDRESS;// GetProcAddress()
MOVPMESSAGEBOX,EAX;// [EBP-0x24] = MessageBoxA
POPEDX;// restore EDX
/*
 * MessageBoxA(NULL, "Hello 15PB ", "Hello 15PB ", 0);
 * stdcall pushes arguments right to left; the original comments labelled the first and last
 * pushes the other way round, which is harmless here because both values are 0 / the same string.
 */
LEAECX,szGreetings;// ECX = &"Hello 15PB "
XOREBX,EBX;// EBX = 0
PUSHEBX;// arg 4: UINT uType = 0
PUSHECX;// arg 3: LPCSTR lpCaption
PUSHECX;// arg 2: LPCSTR lpText
PUSHEBX;// arg 1: HWND hWnd = NULL
CALLPMESSAGEBOX;// MessageBoxA()
// *************************************************** Payload ***************************************************
/*
 * ExitProcess(0);
 */
tag_Exit:
XOREBX,EBX;// EBX = 0
PUSHEBX;// arg: UINT uExitCode = 0
CALLPEXITPROCESS;// ExitProcess() — does not return, so the cleanup below never runs on this path
/*
 * Reserved
 */
tag_elfin:
addESP,0X5C;// NOTE(review): entry reserved 0x60, so ESP is left 4 bytes short and popad restores the wrong slots; only reached when GetProcAddress is not found in the name table
popad;// restore the registers saved by pushad
}
return0;
}
附:以上ShellCode的Hex形態
// ShellCode_Hex_ : defines the entry point of the console application.
/*
 * Byte image of the shellcode above, as the compiler emitted it.
 * NOTE: every "\" of the "\xNN" escapes was lost in extraction, so as printed this is a
 * plain string of hex digits, not a byte array.
 * NOTE(review): these bytes appear to come from a different build than the asm listing:
 * they begin with the compiler prologue (push ebp / mov ebp,esp / push ebx,esi,edi — which
 * is what makes the [EBP-x] slots valid) before pushad; the strings are laid out
 * GetProcAddress, LoadLibraryA, User32.dll, MessageBoxA, greeting, ExitProcess (0x22, 0x31,
 * 0x3E, 0x49, 0x55, 0x61); and the slots differ from the listing ([EBP-0x1C] user32 base,
 * [EBP-0x20] MessageBoxA, [EBP-0x24] ExitProcess). The image stops at the ExitProcess call;
 * the add ESP / popad epilogue is not included. The listing's per-line offsets therefore do
 * not apply to this image.
 */
charShellCode_Hex_01[]=
"x55x8BxECx53x56x57x60x83xECx60xD9xEExD9x74x24xF4x5AxEBx64x4Bx00x45x00x52x00x4Ex00x45x00x4Cx00x33"
"x00x32x00x2Ex00x44x00x4Cx00x4Cx00x00x47x65x74x50x72x6Fx63x41x64x64x72x65x73x73x00x4Cx6Fx61x64x4C"
"x69x62x72x61x72x79x41x00x55x73x65x72x33x32x2Ex64x6Cx6Cx00x4Dx65x73x73x61x67x65x42x6Fx78x41x00x48"
"x65x6Cx6Cx6Fx20x31x35x50x42x20x00x45x78x69x74x50x72x6Fx63x65x73x73x00x64xA1x30x00x00x00x8Bx40x0C"
"x8Bx40x0CxEBx02x8Bx00x3Ex8Bx58x30x50x3Ex8Bx40x2Cx25xFFxFFx00x00xC1xE8x02x8BxC8x8BxF3x58x8Dx7Ax09"
"xF3xA6x75xE1x3Ex8Bx40x18x89x45xFCx50x8Bx40x3Cx03x45xFCx8Dx40x18x8Bx40x60x03x45xFCx5Ex8Bx58x1Cx89"
"x75xF8x01x5DxF8x8Bx58x20x89x75xF4x01x5DxF4x8Bx58x24x89x75xF0x01x5DxF0x8Bx48x18x33xC0x3BxC1x0Fx83"
"x85x00x00x00x50xC1xE0x02x8Bx7DxF4x03xF8x8Bx3Fx03xFEx56x8Dx72x22x51xB9x0Fx00x00x00xF3xA6x59x5Ex58"
"x74x03x40xEBxD7x8Bx4DxF0xD1xE0x03xC8x66x8Bx09x81xE1xFFxFFx00x00xC1xE1x02x8Bx45xF8x03xC1x8Bx00x03"
"xC6x89x45xECx52x8Dx4Ax31x51x56xFFx55xECx89x45xE8x5Ax52x8Dx4Ax61x51x56xFFx55xECx89x45xDCx5Ax52x8D"
"x4Ax3Ex51xFFx55xE8x89x45xE4x5Ax52x8Dx4Ax49x51x50xFFx55xECx89x45xE0x5Ax8Dx4Ax55x33xDBx53x51x51x53"
"xFFx55xE0x33xDBx53xFFx55xDC";
/*
 * _tmain — runs ShellCode_Hex_01 by pushing the array's address and returning into it
 * (RETN pops EAX as the new EIP), i.e. it executes a data array as code.
 * argc/argv are unused; the "return 0" is never reached because control leaves via RETN.
 * NOTE(review): this only runs when the array's section happens to be executable. Data
 * Execution Prevention (NX) is the platform mitigation for exactly this pattern: with it in
 * force, returning into a non-executable data section faults instead of running.
 * Whitespace was stripped by extraction; the text after "RETN;" is stray, not code.
 */
int_tmain(intargc,_TCHAR*argv[])
{
_asm
{
LEAEAX,ShellCode_Hex_01;// EAX = address of the byte image
pushEAX;// place it where RETN will read the return address
RETN;黃沙百戰穿金甲// jump to the array; the non-ASCII text after ';' is extraction noise, not code
}
return0;
}