7.ShellCode相关实现

0x7 ShellCode编写

一、什么是shellcode?

不依赖环境,放到任何地方都可以执行的机器码(硬编码)。

二、编写规则

  1. 不能有全局变量(在全局区)
  2. 不能使用常量字符串(在常量区)
  3. 不能直接调用系统API函数(每台机器上API函数的地址不一定相同)
  4. 不能嵌套调用函数

三、写一个符合上述规则的函数

所有版本的Windows系统均可用,但要注意kernel32.dll名称的大小写(Win10为全大写KERNEL32.DLL,XP/Win7为全小写kernel32.dll)

//vc6加上
//#include "stdafx.h"
#include "windows.h"
#include <stdio.h>

typedef int (WINAPI *PMESSAGEBOX)(HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType);	// MessageBoxA function-pointer type
typedef FARPROC (WINAPI *PGETPROCADDRESS)(HMODULE hMoudule,LPCTSTR lpProcName);				// GetProcAddress function-pointer type; NOTE(review): the real API takes LPCSTR, so LPCTSTR only matches when UNICODE is not defined
typedef HMODULE (WINAPI *PLOADLIBRARY)(LPCTSTR lpFileName);									// LoadLibraryA function-pointer type; same LPCSTR remark applies

//下面的结构前面都讲过了
// Counted UTF-16 string as the loader stores module names. Length and
// MaximumLength are byte counts; Buffer is not guaranteed to be NUL-terminated
// (the name compare in ShellCode stops on mismatch, not on a terminator).
typedef struct _UNICODE_STRING {
	USHORT Length;
	USHORT MaximumLength;
	PWSTR  Buffer;
}UNICODE_STRING, *PUNICODE_STRING;

// Loader data block reached via PEB->Ldr (read at PEB+0x0C in ShellCode's
// __asm block). Offsets are for 32-bit Windows; only InLoadOrderModuleList
// (+0x0C) is used by this demo.
typedef struct _PEB_LDR_DATA
{
	ULONG Length; // +0x00
	BOOLEAN Initialized; // +0x04
	PVOID SsHandle; // +0x08
	LIST_ENTRY InLoadOrderModuleList; // +0x0c, list head walked by ShellCode
	LIST_ENTRY InMemoryOrderModuleList; // +0x14
	LIST_ENTRY InInitializationOrderModuleList;// +0x1c
	PVOID EntryInProgress;			// +0x24
} PEB_LDR_DATA,*PPEB_LDR_DATA; 

// One entry of the loader's module lists. ShellCode relies only on
// InLoadOrderLinks, DllBase and BaseDllName; their 32-bit offsets are noted.
// NOTE(review): the fields after BaseDllName are not used here and their
// layout differs between Windows versions — not verified.
typedef struct _LDR_DATA_TABLE_ENTRY
{
	LIST_ENTRY InLoadOrderLinks;			// +0x00, the link followed by the walk in ShellCode
	LIST_ENTRY InMemoryOrderLinks;			// +0x08
	LIST_ENTRY InInitializationOrderLinks;	// +0x10
	PVOID DllBase;							// +0x18, module base; used as the kernel32 HMODULE
	PVOID EntryPoint;						// +0x1C
	UINT32 SizeOfImage;						// +0x20
	UNICODE_STRING FullDllName;				// +0x24
	UNICODE_STRING BaseDllName;				// +0x2C, compared against "kernel32.dll" / "KERNEL32.DLL"
	UINT32 Flags;
	WORD LoadCount;
	WORD TlsIndex;
	LIST_ENTRY HashLinks;
	PVOID SectionPointer;
	UINT32 CheckSum;
	UINT32 TimeDateStamp;
	PVOID LoadedImports;
	PVOID EntryPointActivationContext;
	PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

/*
 * Demo body written under the rules above: no globals, no string literals
 * (every string is a local char array), no direct API calls and no calls to
 * other functions of this program.
 *
 * Steps: find kernel32.dll by walking the PEB loader list, find
 * GetProcAddress in kernel32's export table, then use it to reach
 * LoadLibraryA and user32!MessageBoxA and show a message box.
 *
 * Returns 1 after the message box was shown, 0 if kernel32.dll was not found
 * in the loader list.
 *
 * NOTE(review): 32-bit x86 only — fs:[0x30], the DWORD casts of pointers and
 * the hand-written struct layouts all assume 4-byte pointers. The PEB/LDR
 * layouts are undocumented and the module-name case differs by OS version
 * (handled below), so this is not portable across Windows builds by design.
 */
DWORD ShellCode()
{
	// Local repeats of the file-scope typedefs (redundant; kept as written).
	typedef int (WINAPI *PMESSAGEBOX)(HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType);	// MessageBoxA function pointer
	typedef FARPROC (WINAPI *PGETPROCADDRESS)(HMODULE hMoudule,LPCTSTR lpProcName);				// GetProcAddress function pointer
	typedef HMODULE (WINAPI *PLOADLIBRARY)(LPCTSTR lpFileName);									// LoadLibraryA function pointer
	
	LDR_DATA_TABLE_ENTRY *pPLD = NULL,*pBeg = NULL;		// current entry / list head sentinel
	PGETPROCADDRESS pGetProcAddress = NULL;
	PMESSAGEBOX pMessageBox = NULL;
	PLOADLIBRARY pLoadLibrary = NULL;
	WORD *pFirstWin10 = NULL,*pFirst = NULL,*pLast = NULL;	// UTF-16 cursors for the name compare
	DWORD ret = 0, i = 0;									// ret and i are never used
	DWORD dwKernelBase = 0;

	// DLL and function names, built as local arrays so nothing lives in a
	// constant section. The kernel32 names are UTF-16LE (char, 0 pairs).
	char Win10szKernel32[] = {'K',0,'E',0,'R',0,'N',0,'E',0,'L',0,'3',0,'2',0,'.',0,'D',0,'L',0,'L',0,0,0};// Win10: "KERNEL32.DLL" (all upper case)
	char szKernel32[] = {'k',0,'e',0,'r',0,'n',0,'e',0,'l',0,'3',0,'2',0,'.',0,'d',0,'l',0,'l',0,0,0};// XP/Win7: "kernel32.dll" (all lower case)
	char szUser32[] = {'U','S','E','R','3','2','.','d','l','l',0};

	char szGetProcAddr[] = {'G','e','t','P','r','o','c','A','d','d','r','e','s','s',0};
	char szLoadLibrary[] = {'L','o','a','d','L','i','b','r','a','r','y','A',0};
	char szMessageBox[] = {'M','e','s','s','a','g','e','B','o','x','A',0};

	// From section 5 of this series:
	// TEB -> PEB -> _PEB_LDR_DATA -> _LDR_DATA_TABLE_ENTRY list.
	__asm
	{
		mov eax,fs:[0x30]   // PEB (32-bit TEB holds the PEB pointer at +0x30)
		mov eax,[eax+0xC]	// PEB->Ldr
		add eax,0x0C		// &_PEB_LDR_DATA->InLoadOrderModuleList (the list head)
			mov pBeg,eax	// remember the head so the walk knows when it has wrapped
			mov eax,[eax]	// Flink: first real entry
		mov pPLD,eax
	}

	// Walk the in-load-order list until kernel32.dll is found or the head is reached again.
	while (pPLD != pBeg)
	{
		DWORD flag1 = 0;	// set once BaseDllName diverges from "kernel32.dll"
		DWORD flag2 = 0;	// set once BaseDllName diverges from "KERNEL32.DLL"
		pLast = (PWORD)pPLD->BaseDllName.Buffer;
		pFirstWin10 = (PWORD)Win10szKernel32;
		pFirst = (PWORD)szKernel32;

		// Compare against both spellings in one pass, one UTF-16 unit at a time.
		// NOTE(review): pLast is advanced without checking BaseDllName.Length;
		// the loop relies on a mismatch with both patterns to stop early.
		while(*pFirst || *pFirstWin10)
		{
			if (*pFirst != *pLast)
			{
				flag1 = 1;			
			}
			if (*pFirstWin10 != *pLast)
			{
				flag2 = 1;			
			}
			if (flag1 == 1 && flag2 ==1)
			{
				break;	// neither spelling matches this module
			}
			pFirstWin10++;
			pFirst++;
			pLast++;
		}
		// Found when at least one of the two spellings matched to its end.
		if (!(flag1 & flag2) )
		{
			dwKernelBase = (DWORD)pPLD->DllBase;
			break;
		}
		pPLD = (PLDR_DATA_TABLE_ENTRY)pPLD->InLoadOrderLinks.Flink;
	}
	if (!dwKernelBase)
	{
		// printf must not be used here (it would be a call to an address that
		// differs per machine). The original carried a commented-out printf
		// reminding that Win10 lists KERNEL32.DLL (upper case) and Win7/XP
		// kernel32.dll (lower case).
		return 0;
	}

	// PE walk: parse kernel32's export table to find GetProcAddress.
	// DataDirectory[0] is IMAGE_DIRECTORY_ENTRY_EXPORT.
	PIMAGE_DOS_HEADER pIDH = (PIMAGE_DOS_HEADER)(dwKernelBase);
	PIMAGE_NT_HEADERS pINGS = (PIMAGE_NT_HEADERS)((DWORD)dwKernelBase + pIDH->e_lfanew);
	PIMAGE_EXPORT_DIRECTORY pIED = (PIMAGE_EXPORT_DIRECTORY)((DWORD)dwKernelBase + pINGS->OptionalHeader.DataDirectory[0].VirtualAddress);

	PDWORD pAddOfFun_Raw = (PDWORD)((DWORD)dwKernelBase + pIED->AddressOfFunctions);		// RVAs of exported functions
	PWORD pAddOfOrd_Raw = (PWORD)((DWORD)dwKernelBase + pIED->AddressOfNameOrdinals);	// name index -> function index
	PDWORD pAddOfNames_Raw = (PDWORD)((DWORD)dwKernelBase + pIED->AddressOfNames);		// RVAs of exported names
	DWORD dwCnt = 0;

	// Linear scan of the name table for an exact match of "GetProcAddress".
	char* pFinded = NULL,*pSrc = szGetProcAddr;
	for (;dwCnt<pIED->NumberOfNames;dwCnt++)
	{
		pFinded = (char*)((DWORD)dwKernelBase + pAddOfNames_Raw[dwCnt]);
		while (*pFinded && *pFinded==*pSrc)
			pFinded++,pSrc++;
		if (*pFinded == *pSrc)	// both at NUL: full-length match
		{
			pGetProcAddress = (PGETPROCADDRESS)((DWORD)dwKernelBase+ pAddOfFun_Raw[pAddOfOrd_Raw[dwCnt]]);
			break;
		}
		pSrc = szGetProcAddr;	// restart the pattern for the next name
	}
	// With GetProcAddress any other API can be resolved.
	// NOTE(review): pGetProcAddress is still NULL if the name was not found,
	// and neither it nor the LoadLibraryA / user32 results below are checked
	// before use.
	pLoadLibrary = (PLOADLIBRARY)pGetProcAddress((HMODULE)dwKernelBase,szLoadLibrary);
	pMessageBox = (PMESSAGEBOX)pGetProcAddress(pLoadLibrary(szUser32),szMessageBox);

	// Use the resolved function.
	char szTitle[] = {'S','h','e','l','l','C','o','d','e',0};			// message box title
	char szContent[] = {0xC8,0xCE,0xD2,0xE2,0xD4,0xCB,0xD0,0xD0,0};		// "任意运行" in the source code page (GBK, not ASCII)
	pMessageBox(NULL,szContent,szTitle,0);	// uType 0 == MB_OK
	return 1;
}

/* Demo entry point: runs ShellCode() once inside this process. Its result
 * (0 = kernel32.dll not found, 1 = message box shown) is not inspected. */
int main(int argc, char* argv[])
{
	(void)argc;
	(void)argv;
	ShellCode();
	return 0;
}

WIN10效果如下:
在这里插入图片描述

四、抠出函数的硬编码

#include "windows.h"
#include <stdio.h>

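/*
 * Writes the machine code of ShellCode() to ShellCode.txt as a C array
 * initializer ("{0x55,0x8B,...};") for pasting into the loader below.
 *
 * startAddr and nBytes are filled in by hand from the debugger and are
 * specific to one build: startAddr is the first byte of the function body and
 * nBytes the offset of its final ret, so nBytes + 1 bytes are written (the
 * ret byte is included).
 *
 * Returns 0 on success, 1 if the file could not be opened, written or closed.
 */
int main(int argc, char* argv[])
{
	size_t nBytes = 0x563;		// offset of the ret instruction from startAddr
	PVOID startAddr = (PVOID)0x00541440;		// start of ShellCode's body (taken from the debugger, see the note below)
	const unsigned char *code = (const unsigned char *)startAddr;
	FILE* fp;
	int rc = 0;

	(void)argc;
	(void)argv;

	if (!(fp = fopen("ShellCode.txt","wb+")))
	{
		printf("打开文件失败!");
		return 1;
	}
	fprintf(fp,"{");
	for (size_t i = 0; i <= nBytes; i++)
	{
		// No separator after the last byte.
		const char *sep = (i == nBytes) ? "" : ",";
		if (fprintf(fp,"0x%02X%s", code[i], sep) < 0)
		{
			rc = 1;
			break;
		}
	}
	fprintf(fp,"};");
	// fclose flushes the buffered output; its result is the last chance to see a write error.
	if (fclose(fp) != 0)
	{
		rc = 1;
	}
	return rc;
}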

效果如图
在这里插入图片描述
注意:

vs2010调用函数为间接call

在这里插入图片描述
在这里插入图片描述
直接写 PVOID startAddr = (PVOID)ShellCode; 是得不到函数体真实地址的(如上所述,vs2010下对函数的调用是间接call)
建议在给 startAddr 赋值的语句处下断点,在调试器中查到 ShellCode 函数体的实际起始地址后再填入,这是最简单的方法
在这里插入图片描述
在这里插入图片描述

五、ShellCode执行

在vs2010及以上版本中执行ShellCode,必须先用VirtualProtect把存放ShellCode的那段内存页改成可执行(否则存放ShellCode的数据页/栈页没有执行权限)

BOOL VirtualProtect(
LPVOID lpAddress, // 目标地址起始位置
DWORD dwSize, // 大小
DWORD flNewProtect, // 请求的保护方式
PDWORD lpflOldProtect // 保存老的保护方式
);
保护属性说明
PAGE_READONLY:该区域为只读。如果应用程序试图访问区域中的页,将会被拒绝访问
PAGE_READWRITE:区域可被应用程序读写
PAGE_EXECUTE:区域包含可被系统执行的代码,试图读写该区域的操作将被拒绝
PAGE_EXECUTE_READ:区域包含可执行代码,应用程序可以读该区域
PAGE_EXECUTE_READWRITE:区域包含可执行代码,应用程序可以读写该区域
PAGE_GUARD:区域第一次被访问时触发STATUS_GUARD_PAGE异常。这个标志要和其他保护标志合并使用,表明区域第一次被访问时的权限
PAGE_NOACCESS:任何访问该区域的操作将被拒绝
PAGE_NOCACHE:RAM中的页映射到该区域时将不会被微处理器缓存(cached)

所有系统通用

//#include "stdafx.h"
#include "windows.h"
#include <stdio.h>

typedef DWORD (*Code)();	// Function-pointer type matching ShellCode's signature; NOTE(review): in C an empty () means "unspecified parameters", (void) would be stricter

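/*
 * Loader for the dumped bytes: copies the ShellCode machine code into a stack
 * array, makes that memory executable, calls it and prints its return value
 * (1 = message box shown, 0 = kernel32.dll not found).
 *
 * Returns 0 after the call, 1 if VirtualProtect refused to change the page
 * protection (the page notes that VS2010+ builds need this step).
 */
int main(int argc, char* argv[])
{
	unsigned char ShellCodebuff[] = {0x55,0x8B,0xEC,0x81,0xEC,0x20,0x01,0x00,0x00,0x53,0x56,0x57,0xC7,0x45,0xFC,0x00,
		0x00,0x00,0x00,0xC7,0x45,0xF8,0x00,0x00,0x00,0x00,0xC7,0x45,0xF4,0x00,0x00,0x00,0x00,0xC7,0x45,0xF0,0x00,0x00,
		0x00,0x00,0xC7,0x45,0xEC,0x00,0x00,0x00,0x00,0xC7,0x45,0xE8,0x00,0x00,0x00,0x00,0xC7,0x45,0xE4,0x00,0x00,0x00,
		0x00,0xC7,0x45,0xE0,0x00,0x00,0x00,0x00,0xC7,0x45,0xDC,0x00,0x00,0x00,0x00,0xC7,0x45,0xD8,0x00,0x00,0x00,0x00,
		0xC7,0x45,0xD4,0x00,0x00,0x00,0x00,0xC6,0x45,0xB8,0x4B,0xC6,0x45,0xB9,0x00,0xC6,0x45,0xBA,0x45,0xC6,0x45,0xBB,
		0x00,0xC6,0x45,0xBC,0x52,0xC6,0x45,0xBD,0x00,0xC6,0x45,0xBE,0x4E,0xC6,0x45,0xBF,0x00,0xC6,0x45,0xC0,0x45,0xC6,
		0x45,0xC1,0x00,0xC6,0x45,0xC2,0x4C,0xC6,0x45,0xC3,0x00,0xC6,0x45,0xC4,0x33,0xC6,0x45,0xC5,0x00,0xC6,0x45,0xC6,
		0x32,0xC6,0x45,0xC7,0x00,0xC6,0x45,0xC8,0x2E,0xC6,0x45,0xC9,0x00,0xC6,0x45,0xCA,0x44,0xC6,0x45,0xCB,0x00,0xC6,
		0x45,0xCC,0x4C,0xC6,0x45,0xCD,0x00,0xC6,0x45,0xCE,0x4C,0xC6,0x45,0xCF,0x00,0xC6,0x45,0xD0,0x00,0xC6,0x45,0xD1,
		0x00,0xC6,0x45,0x9C,0x6B,0xC6,0x45,0x9D,0x00,0xC6,0x45,0x9E,0x65,0xC6,0x45,0x9F,0x00,0xC6,0x45,0xA0,0x72,0xC6,
		0x45,0xA1,0x00,0xC6,0x45,0xA2,0x6E,0xC6,0x45,0xA3,0x00,0xC6,0x45,0xA4,0x65,0xC6,0x45,0xA5,0x00,0xC6,0x45,0xA6,
		0x6C,0xC6,0x45,0xA7,0x00,0xC6,0x45,0xA8,0x33,0xC6,0x45,0xA9,0x00,0xC6,0x45,0xAA,0x32,0xC6,0x45,0xAB,0x00,0xC6,
		0x45,0xAC,0x2E,0xC6,0x45,0xAD,0x00,0xC6,0x45,0xAE,0x64,0xC6,0x45,0xAF,0x00,0xC6,0x45,0xB0,0x6C,0xC6,0x45,0xB1,
		0x00,0xC6,0x45,0xB2,0x6C,0xC6,0x45,0xB3,0x00,0xC6,0x45,0xB4,0x00,0xC6,0x45,0xB5,0x00,0xC6,0x45,0x90,0x55,0xC6,
		0x45,0x91,0x53,0xC6,0x45,0x92,0x45,0xC6,0x45,0x93,0x52,0xC6,0x45,0x94,0x33,0xC6,0x45,0x95,0x32,0xC6,0x45,0x96,
		0x2E,0xC6,0x45,0x97,0x64,0xC6,0x45,0x98,0x6C,0xC6,0x45,0x99,0x6C,0xC6,0x45,0x9A,0x00,0xC6,0x45,0x80,0x47,0xC6,
		0x45,0x81,0x65,0xC6,0x45,0x82,0x74,0xC6,0x45,0x83,0x50,0xC6,0x45,0x84,0x72,0xC6,0x45,0x85,0x6F,0xC6,0x45,0x86,
		0x63,0xC6,0x45,0x87,0x41,0xC6,0x45,0x88,0x64,0xC6,0x45,0x89,0x64,0xC6,0x45,0x8A,0x72,0xC6,0x45,0x8B,0x65,0xC6,
		0x45,0x8C,0x73,0xC6,0x45,0x8D,0x73,0xC6,0x45,0x8E,0x00,0xC6,0x85,0x70,0xFF,0xFF,0xFF,0x4C,0xC6,0x85,0x71,0xFF,
		0xFF,0xFF,0x6F,0xC6,0x85,0x72,0xFF,0xFF,0xFF,0x61,0xC6,0x85,0x73,0xFF,0xFF,0xFF,0x64,0xC6,0x85,0x74,0xFF,0xFF,
		0xFF,0x4C,0xC6,0x85,0x75,0xFF,0xFF,0xFF,0x69,0xC6,0x85,0x76,0xFF,0xFF,0xFF,0x62,0xC6,0x85,0x77,0xFF,0xFF,0xFF,
		0x72,0xC6,0x85,0x78,0xFF,0xFF,0xFF,0x61,0xC6,0x85,0x79,0xFF,0xFF,0xFF,0x72,0xC6,0x85,0x7A,0xFF,0xFF,0xFF,0x79,
		0xC6,0x85,0x7B,0xFF,0xFF,0xFF,0x41,0xC6,0x85,0x7C,0xFF,0xFF,0xFF,0x00,0xC6,0x85,0x64,0xFF,0xFF,0xFF,0x4D,0xC6,
		0x85,0x65,0xFF,0xFF,0xFF,0x65,0xC6,0x85,0x66,0xFF,0xFF,0xFF,0x73,0xC6,0x85,0x67,0xFF,0xFF,0xFF,0x73,0xC6,0x85,
		0x68,0xFF,0xFF,0xFF,0x61,0xC6,0x85,0x69,0xFF,0xFF,0xFF,0x67,0xC6,0x85,0x6A,0xFF,0xFF,0xFF,0x65,0xC6,0x85,0x6B,
		0xFF,0xFF,0xFF,0x42,0xC6,0x85,0x6C,0xFF,0xFF,0xFF,0x6F,0xC6,0x85,0x6D,0xFF,0xFF,0xFF,0x78,0xC6,0x85,0x6E,0xFF,
		0xFF,0xFF,0x41,0xC6,0x85,0x6F,0xFF,0xFF,0xFF,0x00,0x64,0xA1,0x30,0x00,0x00,0x00,0x8B,0x40,0x0C,0x83,0xC0,0x0C,
		0x89,0x45,0xF8,0x8B,0x00,0x89,0x45,0xFC,0x8B,0x45,0xFC,0x3B,0x45,0xF8,0x0F,0x84,0xC8,0x00,0x00,0x00,0xC7,0x85,
		0x60,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0xC7,0x85,0x5C,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0x8B,0x45,0xFC,0x8B,
		0x48,0x30,0x89,0x4D,0xE0,0x8D,0x45,0xB8,0x89,0x45,0xE8,0x8D,0x45,0x9C,0x89,0x45,0xE4,0x8B,0x45,0xE4,0x0F,0xB7,
		0x08,0x85,0xC9,0x75,0x0A,0x8B,0x45,0xE8,0x0F,0xB7,0x08,0x85,0xC9,0x74,0x65,0x8B,0x45,0xE4,0x0F,0xB7,0x08,0x8B,
		0x55,0xE0,0x0F,0xB7,0x02,0x3B,0xC8,0x74,0x0A,0xC7,0x85,0x60,0xFF,0xFF,0xFF,0x01,0x00,0x00,0x00,0x8B,0x45,0xE8,
		0x0F,0xB7,0x08,0x8B,0x55,0xE0,0x0F,0xB7,0x02,0x3B,0xC8,0x74,0x0A,0xC7,0x85,0x5C,0xFF,0xFF,0xFF,0x01,0x00,0x00,
		0x00,0x83,0xBD,0x60,0xFF,0xFF,0xFF,0x01,0x75,0x0B,0x83,0xBD,0x5C,0xFF,0xFF,0xFF,0x01,0x75,0x02,0xEB,0x1D,0x8B,
		0x45,0xE8,0x83,0xC0,0x02,0x89,0x45,0xE8,0x8B,0x45,0xE4,0x83,0xC0,0x02,0x89,0x45,0xE4,0x8B,0x45,0xE0,0x83,0xC0,
		0x02,0x89,0x45,0xE0,0xEB,0x87,0x8B,0x85,0x60,0xFF,0xFF,0xFF,0x23,0x85,0x5C,0xFF,0xFF,0xFF,0x75,0x0B,0x8B,0x45,
		0xFC,0x8B,0x48,0x18,0x89,0x4D,0xD4,0xEB,0x0D,0x8B,0x45,0xFC,0x8B,0x08,0x89,0x4D,0xFC,0xE9,0x2C,0xFF,0xFF,0xFF,
		0x83,0x7D,0xD4,0x00,0x75,0x07,0x33,0xC0,0xE9,0x0B,0x02,0x00,0x00,0x8B,0x45,0xD4,0x89,0x85,0x58,0xFF,0xFF,0xFF,
		0x8B,0x85,0x58,0xFF,0xFF,0xFF,0x8B,0x4D,0xD4,0x03,0x48,0x3C,0x89,0x8D,0x54,0xFF,0xFF,0xFF,0x8B,0x85,0x54,0xFF,
		0xFF,0xFF,0x8B,0x4D,0xD4,0x03,0x48,0x78,0x89,0x8D,0x50,0xFF,0xFF,0xFF,0x8B,0x85,0x50,0xFF,0xFF,0xFF,0x8B,0x4D,
		0xD4,0x03,0x48,0x1C,0x89,0x8D,0x4C,0xFF,0xFF,0xFF,0x8B,0x85,0x50,0xFF,0xFF,0xFF,0x8B,0x4D,0xD4,0x03,0x48,0x24,
		0x89,0x8D,0x48,0xFF,0xFF,0xFF,0x8B,0x85,0x50,0xFF,0xFF,0xFF,0x8B,0x4D,0xD4,0x03,0x48,0x20,0x89,0x8D,0x44,0xFF,
		0xFF,0xFF,0xC7,0x85,0x40,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0xC7,0x85,0x3C,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
		0x8D,0x45,0x80,0x89,0x85,0x38,0xFF,0xFF,0xFF,0xEB,0x0F,0x8B,0x85,0x40,0xFF,0xFF,0xFF,0x83,0xC0,0x01,0x89,0x85,
		0x40,0xFF,0xFF,0xFF,0x8B,0x85,0x50,0xFF,0xFF,0xFF,0x8B,0x8D,0x40,0xFF,0xFF,0xFF,0x3B,0x48,0x18,0x0F,0x83,0xA0,
		0x00,0x00,0x00,0x8B,0x85,0x40,0xFF,0xFF,0xFF,0x8B,0x8D,0x44,0xFF,0xFF,0xFF,0x8B,0x55,0xD4,0x03,0x14,0x81,0x89,
		0x95,0x3C,0xFF,0xFF,0xFF,0x8B,0x85,0x3C,0xFF,0xFF,0xFF,0x0F,0xBE,0x08,0x85,0xC9,0x74,0x36,0x8B,0x85,0x3C,0xFF,
		0xFF,0xFF,0x0F,0xBE,0x08,0x8B,0x95,0x38,0xFF,0xFF,0xFF,0x0F,0xBE,0x02,0x3B,0xC8,0x75,0x20,0x8B,0x85,0x3C,0xFF,
		0xFF,0xFF,0x83,0xC0,0x01,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x8B,0x8D,0x38,0xFF,0xFF,0xFF,0x83,0xC1,0x01,0x89,0x8D,
		0x38,0xFF,0xFF,0xFF,0xEB,0xBD,0x8B,0x85,0x3C,0xFF,0xFF,0xFF,0x0F,0xBE,0x08,0x8B,0x95,0x38,0xFF,0xFF,0xFF,0x0F,
		0xBE,0x02,0x3B,0xC8,0x75,0x21,0x8B,0x85,0x40,0xFF,0xFF,0xFF,0x8B,0x8D,0x48,0xFF,0xFF,0xFF,0x0F,0xB7,0x14,0x41,
		0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x8B,0x4D,0xD4,0x03,0x0C,0x90,0x89,0x4D,0xF4,0xEB,0x0E,0x8D,0x45,0x80,0x89,0x85,
		0x38,0xFF,0xFF,0xFF,0xE9,0x3C,0xFF,0xFF,0xFF,0x8D,0x85,0x70,0xFF,0xFF,0xFF,0x50,0x8B,0x4D,0xD4,0x51,0xFF,0x55,
		0xF4,0x89,0x45,0xEC,0x8D,0x85,0x64,0xFF,0xFF,0xFF,0x50,0x8D,0x4D,0x90,0x51,0xFF,0x55,0xEC,0x50,0xFF,0x55,0xF4,
		0x89,0x45,0xF0,0xC6,0x85,0x2C,0xFF,0xFF,0xFF,0x53,0xC6,0x85,0x2D,0xFF,0xFF,0xFF,0x68,0xC6,0x85,0x2E,0xFF,0xFF,
		0xFF,0x65,0xC6,0x85,0x2F,0xFF,0xFF,0xFF,0x6C,0xC6,0x85,0x30,0xFF,0xFF,0xFF,0x6C,0xC6,0x85,0x31,0xFF,0xFF,0xFF,
		0x43,0xC6,0x85,0x32,0xFF,0xFF,0xFF,0x6F,0xC6,0x85,0x33,0xFF,0xFF,0xFF,0x64,0xC6,0x85,0x34,0xFF,0xFF,0xFF,0x65,
		0xC6,0x85,0x35,0xFF,0xFF,0xFF,0x00,0xC6,0x85,0x20,0xFF,0xFF,0xFF,0xC8,0xC6,0x85,0x21,0xFF,0xFF,0xFF,0xCE,0xC6,
		0x85,0x22,0xFF,0xFF,0xFF,0xD2,0xC6,0x85,0x23,0xFF,0xFF,0xFF,0xE2,0xC6,0x85,0x24,0xFF,0xFF,0xFF,0xD4,0xC6,0x85,
		0x25,0xFF,0xFF,0xFF,0xCB,0xC6,0x85,0x26,0xFF,0xFF,0xFF,0xD0,0xC6,0x85,0x27,0xFF,0xFF,0xFF,0xD0,0xC6,0x85,0x28,
		0xFF,0xFF,0xFF,0x00,0x6A,0x00,0x8D,0x85,0x2C,0xFF,0xFF,0xFF,0x50,0x8D,0x8D,0x20,0xFF,0xFF,0xFF,0x51,0x6A,0x00,
		0xFF,0x55,0xF0,0xB8,0x01,0x00,0x00,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC3};
	// Size was hand-counted as 0x546 in the original; sizeof is used below so
	// the length cannot drift from the array if it is regenerated.
	DWORD old = 0;
	Code ShellCodeAddr = (Code)&ShellCodebuff;

	(void)argc;
	(void)argv;

	// The array is a stack local; the page notes that VS2010+ builds require
	// this protection change before the bytes can be executed.
	if (!VirtualProtect(ShellCodebuff, sizeof ShellCodebuff, PAGE_EXECUTE_READWRITE, &old))
	{
		printf("VirtualProtect failed: %lu\n", (unsigned long)GetLastError());
		return 1;
	}
	int a = ShellCodeAddr();
	// Drop the execute permission again now that the code has run.
	VirtualProtect(ShellCodebuff, sizeof ShellCodebuff, old, &old);
	printf("%d",a);
	return 0;
}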

六、注入到别的进程中(待更新)
