re | 通过C语言编写shellcode(vc6)
接上一篇博客:https://www.cnblogs.com/Mz1-rc/p/17923224.html
对上文中代码进行修改,不使用全局字符串,不使用外部函数调用,关闭/GZ编译选项(栈检查):
#include <stdio.h>
#include <windows.h>
typedef int (WINAPI* PMESSAGEBOXA)(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption, UINT uType);
typedef FARPROC (WINAPI* PGETPROCADDRESS)(HMODULE hModule,LPCSTR lpProcName);
typedef HMODULE (WINAPI* PLOADLIBRARY)(LPCTSTR lpFileName);
/*
typedef struct _LIST_ENTRY {
struct _LIST_ENTRY *Flink;
struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;
*/
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderLinks; // 3个双向链表
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
UINT SizeOfImage; // 这里32位的就是UINT 64位是UINT64
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName; // 查找这个
//...
}LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
void shellcode(){
// 准备字符串备用
// wchar_t wsKernel32Dll[] = L"kernel32.dll";
char wsKernel32Dll[] = {'K', 0, 'E', 0, 'R', 0, 'N', 0, 'E', 0, 'L', 0, '3', 0, '2', 0, '.', 0, 'D', 0, 'L', 0, 'L', 0, 0, 0};
char sUser32Dll[] = {'U', 'S', 'E', 'R', '3', '2', '.', 'd', 'l', 'l', 0};
char sGetProcAddr[] = {'G', 'e', 't', 'P', 'r', 'o', 'c', 'A', 'd', 'd', 'r', 'e', 's', 's', 0};
char sLoadLibraryA[] = {'L', 'o', 'a', 'd', 'L', 'i', 'b', 'r', 'a', 'r', 'y', 'A', 0};
char sMessageBoxA[] = {'M', 'e', 's', 's', 'a', 'g', 'e', 'B', 'o', 'x', 'A', 0};
// 通过fs:[0x30]查找PEB 找到3个链表 找到K32.dll
/*
_PEB_LDR_DATA
[0] Length
[4] Initialized
[8] SsHandle
[c] InLoadOrderModuleList : _LIST_ENTRY
[14] InMemoryOrderModuleList : _LIST_ENTRY
[1c] InInitializationOrderModuleList : _LIST_ENTRY
...
*/
DWORD pBeg = 0;
DWORD pPLD = 0;
PLIST_ENTRY pInLoadOrderModuleList = 0;
__asm{
pushad
mov eax, fs:[0x30] ; PEB
mov eax, [eax+0x0c] ; PEB->Ldr
add eax, 0x0c ; _PEB_LDR_DATA->InLoadOrderModuleList
lea ebx, dword ptr [pInLoadOrderModuleList] ; 获取InLoadOrderModuleList的地址保存在变量中
mov [ebx], eax;
popad
}
//printf("InLoadOrderModuleList: %p %p \n",pInLoadOrderModuleList->Flink, pInLoadOrderModuleList->Blink);
// 拿到第一个LDR_DATA_TABLE_ENTRY节点的地址
PLDR_DATA_TABLE_ENTRY pFirstLdrDataEntry = (PLDR_DATA_TABLE_ENTRY)pInLoadOrderModuleList->Flink;
// 循环遍历所有的模块 查找kernel32.dll
DWORD dwKernel32Base = 0;
PLDR_DATA_TABLE_ENTRY pLdrDataEntry = pFirstLdrDataEntry;
while(1){
//printf("[%p] %p %p \n", pLdrDataEntry, pLdrDataEntry->InLoadOrderLinks.Flink, pLdrDataEntry->InLoadOrderLinks.Blink);
//printf(" [%S(%p)] %S \n", pLdrDataEntry->BaseDllName.Buffer, pLdrDataEntry->DllBase, pLdrDataEntry->FullDllName.Buffer);
if (pLdrDataEntry->InLoadOrderLinks.Flink == (PLIST_ENTRY)pFirstLdrDataEntry){
break;
}
// 判断是不是kernel32.dll
/*
if(wcsicmp(pLdrDataEntry->BaseDllName.Buffer, (wchar_t*)wsKernel32Dll) == 0){
//printf("~~~~~~ find it! ~~~~~~~\n");
dwKernel32Base = (DWORD)pLdrDataEntry->DllBase;
}
*/
// 手动编写wcscmp
wchar_t* wtmp = (wchar_t*)(pLdrDataEntry->BaseDllName.Buffer);
int index = 0;
int length = 0;
while(((wchar_t*)wsKernel32Dll)[index] != 0){ // 计算长度
index ++;
}
length = index;
for (index = 0; index < length; index ++){ // 对比
if (((wchar_t*)wsKernel32Dll)[index] != wtmp[index]){
break;
}
}
if (index == length){ // 找到了
//puts("found"); // 找到kernel32.dll
dwKernel32Base = (DWORD)pLdrDataEntry->DllBase;
}
pLdrDataEntry = (PLDR_DATA_TABLE_ENTRY)pLdrDataEntry->InLoadOrderLinks.Flink;
}
//printf("kernel32.dll base: %p \n", dwKernel32Base); // 拿到kernel32.dll基址
// 通过导出表查找LoadLibrary
PIMAGE_DOS_HEADER pIDH = (PIMAGE_DOS_HEADER)dwKernel32Base;
PIMAGE_NT_HEADERS pINHS = (PIMAGE_NT_HEADERS)(dwKernel32Base+pIDH->e_lfanew);
PIMAGE_EXPORT_DIRECTORY pIED = (PIMAGE_EXPORT_DIRECTORY)(dwKernel32Base + pINHS->OptionalHeader.DataDirectory[0].VirtualAddress);
DWORD* pAddressOfFunctions = (DWORD*)(dwKernel32Base + pIED->AddressOfFunctions);
DWORD* pAddressOfNames = (DWORD*)(dwKernel32Base + pIED->AddressOfNames);
WORD* pAddressOfNameOrdinals = (WORD*)(dwKernel32Base + pIED->AddressOfNameOrdinals);
int i = 0;
while(1){
// printf("[%d] %s {%d} \n", i, dwKernel32Base+pAddressOfNames[i], pAddressOfNameOrdinals[i]);
/*
if (strcmp(sGetProcAddr, (char*)(dwKernel32Base + pAddressOfNames[i]))==0){
//puts("found"); // 找到对应在序号表的第i个位置
break;
}
*/
// 手动编写strcmp
char* tmp = (char*)(dwKernel32Base + pAddressOfNames[i]);
int index = 0;
int length = 0;
while(sGetProcAddr[index] != '\0'){ // 计算长度
index ++;
}
length = index;
for (index = 0; index < length; index ++){ // 对比
if (sGetProcAddr[index] != tmp[index]){
break;
}
}
if (index == length){ // 找到了
// puts("found"); // 找到对应在序号表的第i个位置
break;
}
// 下一个条目
i ++;
}
i = pAddressOfNameOrdinals[i];
//printf("i=%d in AddressOfFunctions = 0x%p \n", i, dwKernel32Base + pAddressOfFunctions[i]);
PGETPROCADDRESS pGetProcAddress = (PGETPROCADDRESS)(dwKernel32Base + pAddressOfFunctions[i]);
PLOADLIBRARY pLoadLibrary = (PLOADLIBRARY)pGetProcAddress((HMODULE)dwKernel32Base, sLoadLibraryA);
//printf("loadlibrary: 0x%p \n", pLoadLibrary);
HMODULE hUser32DLL = pLoadLibrary(sUser32Dll);
PMESSAGEBOXA pMessageBoxA = (PMESSAGEBOXA)pGetProcAddress(hUser32DLL, sMessageBoxA);
char sHeader[] = {'M', 'z', '1', 0};
char sText[] = {'i', 'n', 'j', 'e', 'c', 't', 'e', 'd', 0};
pMessageBoxA(0,sText ,sHeader,0);
}
int main(){
shellcode();
return 0;
}
然后提取shellcode,可以在任何位置独立执行:
558BEC81EC00010000535657C645E44BC645E500C645E645C645E700C645E852C645E900C645EA4EC645EB00C645EC45C645ED00C645EE4CC645EF00C645F033C645F100C645F232C645F300C645F42EC645F500C645F644C645F700C645F84CC645F900C645FA4CC645FB00C645FC00C645FD00C645D855C645D953C645DA45C645DB52C645DC33C645DD32C645DE2EC645DF64C645E06CC645E16CC645E200C645C847C645C965C645CA74C645CB50C645CC72C645CD6FC645CE63C645CF41C645D064C645D164C645D272C645D365C645D473C645D573C645D600C645B84CC645B96FC645BA61C645BB64C645BC4CC645BD69C645BE62C645BF72C645C061C645C172C645C279C645C341C645C400C645AC4DC645AD65C645AE73C645AF73C645B061C645B167C645B265C645B342C645B46FC645B578C645B641C645B700C745A800000000C745A400000000C745A0000000006064A1300000008B400C83C00C8D9DA0FFFFFF8903618B45A08B08894D9CC74598000000008B559C895594B80100000085C00F849B0000008B4D948B113B559C7505E98C0000008B45948B4830894D90C7458C00000000C74588000000008B558C33C0668B4455E485C0740B8B4D8C83C101894D8CEBE78B558C895588C7458C00000000EB098B458C83C00189458C8B4D8C3B4D887D1E8B558C33C0668B4455E48B4D8C8B559033F6668B344A3BC67402EB02EBD18B458C3B458875098B4D948B51188955988B45948B08894D94E958FFFFFF8B55988955848B45848B4D9803483C894D808B55808B459803427889857CFFFFFF8B8D7CFFFFFF8B559803511C899578FFFFFF8B857CFFFFFF8B4D98034820898D74FFFFFF8B957CFFFFFF8B4598034224898570FFFFFFC7856CFFFFFF00000000B90100000085C90F84C70000008B956CFFFFFF8B8574FFFFFF8B4D98030C90898D68FFFFFFC78564FFFFFF00000000C78560FFFFFF000000008B9564FFFFFF0FBE4415C885C074118B8D64FFFFFF83C101898D64FFFFFFEBE08B9564FFFFFF899560FFFFFFC78564FFFFFF00000000EB0F8B8564FFFFFF83C001898564FFFFFF8B8D64FFFFFF3B8D60FFFFFF7D228B9564FFFFFF0FBE4415C88B8D68FFFFFF038D64FFFFFF0FBE113BC27402EB02EBC18B8564FFFFFF3B8560FFFFFF7502EB148B8D6CFFFFFF83C101898D6CFFFFFFE92CFFFFFF8B956CFFFFFF8B8570FFFFFF33C9668B0C50898D6CFFFFFF8B956CFFFFFF8B8578FFFFFF8B4D98030C90898D5CFFFFFF8D55B8528B459850FF955CFFFFFF898558FFFFFF8D4DD851FF9558FFFFFF898554FFFFFF8D55AC528B8554FFFFFF50FF955CFFFFFF898550FFFFFFC6854CFFFFFF4DC6854DFFFFFF7AC6854EFFFFFF31C6854FFFFFFF00C68540FFFFFF69C68541FFFFFF6EC68542FFFFFF6AC68543FFFFFF65C68544FFFFFF63C68545FFFFFF74C68546FFFFFF65C68547FFFFFF64C68548FFFFFF006A008D8D4CFFFFFF518D9540FFFFFF526A00FF9550FFFFFF5F5E5B8BE55DC3CCCCCCCCCCCCCCCCCCCCCCCCCCCC
爽!!!!!!!!!!!!!!!!!!!!!