Using msfpescan, msfencode and related commands
First, the commands below were all written down as I used them; they are the ones I reach for often.
First locate memdump.exe:
C:\Program Files\Metasploit\Framework3\msf3\tools\memdump\memdump.exe
In CMD, run memdump.exe <process PID> c:\abc to dump that process's memory into the directory c:\abc.
Then open the console.
Run msfpescan -p -M c:/abc > 1.txt (the -M switch tells msfpescan that the target is a memdump.exe directory). Damn, this needs Ruby installed, so I'm skipping it... Running msfpescan -p xx.dll directly against the DLL is more convenient anyway.
e.g. msfpescan -p player.dll lists every pop/pop/ret sequence in the DLL. The addresses are computed from the image's preferred base, so if the module loads somewhere else pass the real base with -I, and check each candidate address against your bad-character list before using it as an SEH overwrite.
Usage: /msf3/msfpescan [mode] <options> [targets]
Modes:
-j, --jump [regA,regB,regC] Search for jump equivalent instructions
-p, --poppopret Search for pop+pop+ret combinations
-r, --regex [regex] Search for regex match
-a, --analyze-address [address] Display the code at the specified address
-b, --analyze-offset [offset] Display the code at the specified offset
-f, --fingerprint Attempt to identify the packer/compiler
-i, --info Display detailed information about the image
-R, --ripper [directory] Rip all module resources to disk
--context-map [directory] Generate context-map files
Options:
-M, --memdump The targets are memdump.exe directories
-A, --after [bytes] Number of bytes to show after match (-a/-b)
-B, --before [bytes] Number of bytes to show before match (-a/-b)
-D, --disasm Disassemble the bytes at this address
-I, --image-base [address] Specify an alternate ImageBase
-F, --filter-addresses [regex] Filter addresses based on a regular expression
-h, --help Show this message
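What "msfpescan -p" does under the hood is a byte scan for pop r32 / pop r32 / ret, followed by a mapping of each hit to a virtual address. The following is an added example of that core logic in C; it is not msfpescan's own code. It scans one code section, reports hits at their virtual address, and drops hits whose address contains a bad character, which is the filter you apply before using an address as an SEH handler. The 64-byte "section", its base address 0x7C801000, and the bad-character list {0x00, 0x0A, 0x0D} are all constructed for the demo.

```c
/* Added example, not msfpescan code: a pop/pop/ret scanner over one code section. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HITS 64

/* x86 one-byte "pop r32" opcodes: 0x58 (eax) .. 0x5F (edi). */
static int is_pop_r32(uint8_t b) { return b >= 0x58 && b <= 0x5F; }

/* "ret" (C3) or "ret imm16" (C2 xx xx); returns the instruction length, 0 if neither. */
static int ret_len(const uint8_t *p, size_t remaining) {
    if (remaining >= 1 && p[0] == 0xC3) return 1;
    if (remaining >= 3 && p[0] == 0xC2) return 3;
    return 0;
}

/* Does any byte of the little-endian address appear in the bad list? */
static int addr_has_badchar(uint32_t addr, const uint8_t *bad, size_t nbad) {
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(addr >> (8 * i));
        for (size_t j = 0; j < nbad; j++) if (b == bad[j]) return 1;
    }
    return 0;
}

/* Scan `code` (mapped at `va_base`) for pop/pop/ret; store clean hit VAs, return the count. */
size_t find_ppr(const uint8_t *code, size_t len, uint32_t va_base,
                const uint8_t *bad, size_t nbad, uint32_t *hits, size_t max_hits) {
    size_t n = 0;
    for (size_t i = 0; i + 2 < len && n < max_hits; i++) {
        if (!is_pop_r32(code[i]) || !is_pop_r32(code[i + 1])) continue;
        if (!ret_len(code + i + 2, len - i - 2)) continue;
        uint32_t va = va_base + (uint32_t)i;
        if (addr_has_badchar(va, bad, nbad)) continue;
        hits[n++] = va;
    }
    return n;
}

/* Constructed 64-byte ".text" image: NOP filler plus a few planted sequences. */
#define SAMPLE_LEN 0x40
#define SAMPLE_BASE 0x7C801000u    /* pretend section VA, chosen for the demo */
static void build_sample(uint8_t *buf) {
    static const uint8_t prologue[]  = {0x55, 0x8B, 0xEC};             /* push ebp; mov ebp,esp */
    static const uint8_t pop_ret[]   = {0x58, 0xC3};                   /* pop eax; ret: only one pop */
    static const uint8_t ppr_a[]     = {0x5D, 0x5B, 0xC3};             /* pop ebp; pop ebx; ret */
    static const uint8_t near_miss[] = {0x59, 0x5A, 0x90, 0xC3};       /* pop; pop; nop; ret: not a hit */
    static const uint8_t ppr_b[]     = {0x5E, 0x5F, 0xC3};             /* pop esi; pop edi; ret */
    static const uint8_t ppr_c[]     = {0x5E, 0x5D, 0xC2, 0x04, 0x00}; /* pop esi; pop ebp; ret 4 */
    memset(buf, 0x90, SAMPLE_LEN);
    memcpy(buf + 0x02, prologue, sizeof prologue);
    memcpy(buf + 0x08, pop_ret, sizeof pop_ret);
    memcpy(buf + 0x0A, ppr_a, sizeof ppr_a);         /* VA 0x7C80100A: address contains 0x0A */
    memcpy(buf + 0x10, near_miss, sizeof near_miss);
    memcpy(buf + 0x20, ppr_b, sizeof ppr_b);         /* VA 0x7C801020 */
    memcpy(buf + 0x30, ppr_c, sizeof ppr_c);         /* VA 0x7C801030 */
}

/* Scan the sample; with filter != 0 the bad list {0x00, 0x0A, 0x0D} is applied. */
size_t scan_sample(int filter, uint32_t *hits, size_t max_hits) {
    static const uint8_t bad[] = {0x00, 0x0A, 0x0D};
    uint8_t buf[SAMPLE_LEN];
    build_sample(buf);
    return find_ppr(buf, SAMPLE_LEN, SAMPLE_BASE, bad, filter ? sizeof bad : 0, hits, max_hits);
}
size_t sample_hit_count(int filter) { uint32_t h[MAX_HITS]; return scan_sample(filter, h, MAX_HITS); }
uint32_t sample_hit(int filter, size_t idx) {
    uint32_t h[MAX_HITS];
    size_t n = scan_sample(filter, h, MAX_HITS);
    return idx < n ? h[idx] : 0;
}

int main(void) {
    uint32_t hits[MAX_HITS];
    size_t n = scan_sample(1, hits, MAX_HITS);
    for (size_t i = 0; i < n; i++) printf("0x%08x pop/pop/ret\n", hits[i]);
    return 0;
}
```

Without the filter the scanner reports three sequences; with it the one at 0x7C80100A is dropped because the address would have to contain a line feed. A real tool adds a PE section-table walk so `va_base` comes from ImageBase plus the section's VirtualAddress, which is also where msfpescan's -I override plugs in.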
Next, encoding shellcode with msfencode. This is encoding, not encryption: the decoder stub and its key ship inside the payload, so it gets you past bad characters and simple byte signatures, nothing more.
root@bt:/opt/framework/msf3# ./msfencode -h
Usage: ./msfencode <options>
OPTIONS:
-a <opt> The architecture to encode as
-b <opt> The list of characters to avoid: '\x00\xff'
-c <opt> The number of times to encode the data
-d <opt> Specify the directory in which to look for EXE templates
-e <opt> The encoder to use
-h Help banner
-i <opt> Encode the contents of the supplied file path
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders
-m <opt> Specifies an additional module search path
-n Dump encoder information
-o <opt> The output file
-p <opt> The platform to encode for
-s <opt> The maximum size of the encoded data
-t <opt> The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
-v Increase verbosity
-x <opt> Specify an alternate executable template
root@bt:/opt/framework/msf3# ./msfencode -l
Framework Encoders
==================
Name Rank Description
---- ---- -----------
cmd/generic_sh good Generic Shell Variable Substitution Command Encoder
cmd/ifs low Generic ${IFS} Substitution Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
generic/none normal The "none" Encoder
mipsbe/longxor normal XOR Encoder
mipsle/longxor normal XOR Encoder
php/base64 great PHP Base64 encoder
ppc/longxor normal PPC LongXOR Encoder
ppc/longxor_tag normal PPC LongXOR Encoder
sparc/longxor_tag normal SPARC DWORD XOR Encoder
x64/xor normal XOR Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder
A look at a few of the shellcode encoders:
The output is different on every run: the key loaded into a register (EDX in the listing below), the instruction that obtains the decoder's start address, the register that ends up holding it, and the instructions ahead of the loop all change, and so do the operand values.
1) x86/shikata_ga_nai
00427400 BA 99B20D32 mov edx,0x320DB299
00427405 DBC9 fcmovne st,st(1)
00427407 D97424 F4 fstenv (28-byte) ptr ss:[esp-0xC] // stores the FPU environment so that its instruction-pointer field lands at [esp]; the pop below then yields the address of the last FPU instruction executed. This only works if at least one FPU instruction ran before it,
// which can be fcmovne st,st(1), fldpi, fldz, ffree st(3), fcmovnb st,st, fcmovnbe st,st(5) and so on
0042740B 5D pop ebp
0042740C 29C9 sub ecx,ecx
0042740E B1 46 mov cl,0x46
00427410 3155 13 xor dword ptr ss:[ebp+0x13],edx // XOR decode: one dword per pass, at a fixed offset from the address recovered by the fstenv trick
00427413 83C5 04 add ebp,0x4
00427416 0355 96 add edx,dword ptr ss:[ebp-0x6A] // additive feedback: the key is updated every pass with a dword read relative to ebp, so a single fixed-key XOR does not undo the encoding
00427419 ^\E2 F5 loopd Xtest1231.00427410 // LOOP decrements ecx (0x46 = 70 dwords) and jumps back while it is non-zero
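To see why the stub's bytes change every run and why the XOR cannot be undone with one fixed key, here is a C model of the decoder loop above. It is an added example, not Metasploit code: the same XOR/add schedule as the listing, its inverse encoder, and the bad-character check that msfencode -b applies to the result. The model takes the feedback dword to be the dword just decoded, which is how shikata_ga_nai's loop is built; the 16 sample bytes and the bad-character list {0x00, 0x0A, 0x0D} are constructed for the demo, and the key 0x320DB299 is the one in the listing.

```c
/* Added example, not Metasploit code: a C model of the shikata_ga_nai loop above. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: the first 16 bytes of a classic x86 execve("/bin/sh") stub. */
static const uint8_t sample[16] = {0x31,0xC0,0x50,0x68,0x2F,0x2F,0x73,0x68,
                                   0x68,0x2F,0x62,0x69,0x6E,0x89,0xE3,0x50};
#define NDW 4                     /* dwords in the sample (the listing's loop runs 0x46 times) */
#define LISTING_KEY 0x320DB299u   /* the "mov edx,imm32" key from the listing above */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void load_sample(uint32_t *dw) { for (size_t i = 0; i < NDW; i++) dw[i] = le32(sample + 4 * i); }

/* The decoder loop of the listing: dword ^= key, then key += the dword just decoded. */
void sgn_decode(uint32_t *buf, size_t ndw, uint32_t key) {
    for (size_t i = 0; i < ndw; i++) {
        buf[i] ^= key;
        key += buf[i];            /* additive feedback: round i's key depends on plaintext 0..i-1 */
    }
}

/* The matching encoder: the same key schedule, driven by the plaintext. */
void sgn_encode(uint32_t *buf, size_t ndw, uint32_t key) {
    for (size_t i = 0; i < ndw; i++) {
        uint32_t plain = buf[i];
        buf[i] = plain ^ key;
        key += plain;
    }
}

/* i-th dword of the sample after encoding with `key`. */
uint32_t sgn_encoded_dword(uint32_t key, size_t i) {
    uint32_t dw[NDW];
    load_sample(dw);
    sgn_encode(dw, NDW, key);
    return dw[i];
}

/* 1 if encode followed by the listing-style decode reproduces the sample. */
int sgn_roundtrip_ok(uint32_t key) {
    uint32_t dw[NDW], ref[NDW];
    load_sample(dw); load_sample(ref);
    sgn_encode(dw, NDW, key);
    sgn_decode(dw, NDW, key);
    for (size_t i = 0; i < NDW; i++) if (dw[i] != ref[i]) return 0;
    return 1;
}

/* 1 if XOR with the fixed initial key (ignoring the feedback) recovers the sample. */
int sgn_fixed_xor_recovers(uint32_t key) {
    uint32_t dw[NDW], ref[NDW];
    load_sample(dw); load_sample(ref);
    sgn_encode(dw, NDW, key);
    for (size_t i = 0; i < NDW; i++) if ((dw[i] ^ key) != ref[i]) return 0;
    return 1;
}

/* The msfencode -b step for this encoder: the key sits literally in the
 * "mov edx,imm32", so its 4 bytes and every encoded byte must avoid the bad
 * list. Try successive keys from `start`; on success store the key and return 1. */
int sgn_find_clean_key(uint32_t start, uint32_t tries,
                       const uint8_t *bad, size_t nbad, uint32_t *out) {
    for (uint32_t t = 0; t < tries; t++) {
        uint32_t key = start + t, dw[NDW];
        uint8_t bytes[4 + 4 * NDW];
        put_le32(bytes, key);
        load_sample(dw);
        sgn_encode(dw, NDW, key);
        for (size_t i = 0; i < NDW; i++) put_le32(bytes + 4 + 4 * i, dw[i]);
        int clean = 1;
        for (size_t i = 0; i < sizeof bytes && clean; i++)
            for (size_t j = 0; j < nbad; j++) if (bytes[i] == bad[j]) { clean = 0; break; }
        if (clean) { *out = key; return 1; }
    }
    return 0;
}

/* Demo bad list (constructed): NUL, LF, CR. The listing's own key contains 0x0D,
 * so a clean key has to be found beyond it. Returns 1 when the search succeeds. */
int sgn_demo_clean(void) {
    static const uint8_t bad[] = {0x00, 0x0A, 0x0D};
    uint32_t key;
    if (!sgn_find_clean_key(LISTING_KEY, 100000, bad, sizeof bad, &key)) return 0;
    return key != LISTING_KEY;
}

int main(void) {
    static const uint8_t bad[] = {0x00, 0x0A, 0x0D};
    uint32_t key;
    printf("dword 0 encoded with the listing key: 0x%08x\n", sgn_encoded_dword(LISTING_KEY, 0));
    printf("round trip ok: %d  fixed-key XOR recovers: %d\n",
           sgn_roundtrip_ok(LISTING_KEY), sgn_fixed_xor_recovers(LISTING_KEY));
    if (sgn_find_clean_key(LISTING_KEY, 100000, bad, sizeof bad, &key))
        printf("first key with no 00/0A/0D in key or output: 0x%08x\n", key);
    return 0;
}
```

The dword loads are done explicitly little-endian so the values match what the x86 decoder sees in memory. Because the key is re-chosen until both it and the output are free of bad bytes, the same payload produces a different stub and ciphertext on each run; a detection signature therefore has to key on the loop's structure (fstenv, pop, xor, add, loop) rather than on its bytes.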
2) x86/alpha_mixed: the main idea is that a short non-alphanumeric stub obtains the decoder's address, after which a decoder built entirely from alphanumeric bytes regenerates the original code in a loop (each original byte is carried as two alphanumeric characters, so the payload roughly doubles in size)
00427400 > 89E0 mov eax,esp // same fstenv trick as above, addressed through eax this time
00427402 DBD3 fcmovnbe st,st(3) // the FPU instruction whose address fstenv records
00427404 D970 F4 fstenv (28-byte) ptr ds:[eax-0xC]
00427407 5D pop ebp // ebp = address of the fcmovnbe above
00427408 55 push ebp
00427409 59 pop ecx // copy it into ecx; the dec ecx run below adjusts it to the start of the encoded data
0042740A 49 dec ecx
0042740B 49 dec ecx
0042740C 49 dec ecx
0042740D 49 dec ecx
0042740E 49 dec ecx
0042740F 49 dec ecx
00427410 49 dec ecx
00427411 49 dec ecx
00427412 49