Metasploit + shellcode encoding study notes

This post covers using the msfpescan and msfencode tools to scan a binary for gadgets and to encode shellcode, and walks through several shellcode encoding schemes, including call $+4, FSTENV and backward call. It also looks at finding kernel32.dll through the PEB, through SEH and through the stack top recorded in the TEB, and at UNICODE encoding, with usage examples on Windows.




Using msfpescan, msfencode and related commands

The commands below were written down as I used them; they are the ones that come up all the time.


First locate memdump.exe:

C:\Program Files\Metasploit\Framework3\msf3\tools\memdump\memdump.exe

From a CMD prompt run  memdump.exe <PID> c:\abc  to dump the memory of that process into the directory c:\abc.

Then go into the console

and run   msfpescan -p -M c:/abc > 1.txt   (memdump directories are passed with -M, see the --memdump option in the usage below). That needs a Ruby install, which I skipped; running msfpescan -p xx.dll directly against the DLL is more convenient anyway.


e.g.  msfpescan player.dll -p   searches the DLL for every pop/pop/ret sequence

Usage: /msf3/msfpescan [mode] <options> [targets]

Modes:
    -j, --jump [regA,regB,regC]      Search for jump equivalent instructions
    -p, --poppopret                  Search for pop+pop+ret combinations
    -r, --regex [regex]              Search for regex match
    -a, --analyze-address [address]  Display the code at the specified address
    -b, --analyze-offset [offset]    Display the code at the specified offset
    -f, --fingerprint                Attempt to identify the packer/compiler
    -i, --info                       Display detailed information about the image
    -R, --ripper [directory]         Rip all module resources to disk 
        --context-map [directory]    Generate context-map files

Options:
    -M, --memdump                    The targets are memdump.exe directories
    -A, --after [bytes]              Number of bytes to show after match (-a/-b)
    -B, --before [bytes]             Number of bytes to show before match (-a/-b)
    -D, --disasm                     Disassemble the bytes at this address
    -I, --image-base [address]       Specify an alternate ImageBase
    -F, --filter-addresses [regex]   Filter addresses based on a regular expression
    -h, --help                       Show this message
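The two modes used most above, -p (pop/pop/ret) and -j (jump equivalents), are byte-pattern searches at heart. The script below is an added example written for this page, not msfpescan's own code: it runs the same searches over a flat code blob with a caller-supplied image base, and applies the bad-character address filter that matters when the address has to survive in an overflow buffer. It matches opcode bytes only (no disassembler), so it reports every candidate, including ones that straddle another instruction; msfpescan additionally reads the PE section table to compute virtual addresses. The sample image, its gadgets and the base address 0x7C801000 are constructed for the demo.

```python
"""msfpescan-style gadget search over a raw code blob (added example)."""
import re
import struct

X86_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# pop r32 = 0x58+reg, ret = C3, ret imm16 = C2 iw.  The lookahead lets matches
# overlap, so `pop esi; pop ebx; ret` inside `pop ebp; pop esi; pop ebx; ret` is
# reported too.  DOTALL lets the imm16 bytes be anything, including 0x0A.
POP_POP_RET = re.compile(rb"(?=([\x58-\x5f][\x58-\x5f](?:\xc3|\xc2..)))", re.DOTALL)


def fmt_ret(b):
    """Render a `ret` or `ret imm16` byte sequence as text."""
    if b[0] == 0xC3:
        return "ret"
    return "ret 0x%04x" % struct.unpack("<H", b[1:3])[0]


def pop_pop_ret(blob, image_base):
    """What `msfpescan -p` does: list (address, text) for every pop;pop;ret."""
    hits = []
    for m in POP_POP_RET.finditer(blob):
        g = m.group(1)
        text = "pop %s; pop %s; %s" % (
            X86_REGS[g[0] - 0x58], X86_REGS[g[1] - 0x58], fmt_ret(g[2:]))
        hits.append((image_base + m.start(), text))
    return hits


def jump_equivalents(blob, image_base, regs):
    """What `msfpescan -j regA,regB` does: jmp reg, call reg and push reg; ret."""
    hits = []
    for reg in regs:
        r = X86_REGS.index(reg)
        patterns = {
            b"\xff" + bytes([0xE0 + r]): "jmp %s" % reg,    # FF /4
            b"\xff" + bytes([0xD0 + r]): "call %s" % reg,   # FF /2
            bytes([0x50 + r]) + b"\xc3": "push %s; ret" % reg,
        }
        for pat, text in patterns.items():
            for m in re.finditer(re.escape(pat), blob):
                hits.append((image_base + m.start(), text))
    return sorted(hits)


def filter_addresses(hits, badchars):
    """Drop addresses whose little-endian bytes contain a byte the target rejects
    (the reason an otherwise perfect gadget at 0x7C801000 is useless when \\x00 is bad)."""
    return [(a, t) for a, t in hits
            if not any(b in badchars for b in struct.pack("<I", a))]


# Constructed sample "image": NOP filler with gadgets planted at known offsets.
IMAGE_BASE = 0x7C801000
_img = bytearray(b"\x90" * 0x50)
_img[0x00:0x03] = b"\x58\x59\xc3"          # pop eax; pop ecx; ret   (address ends in 00)
_img[0x10:0x13] = b"\x5e\x5b\xc3"          # pop esi; pop ebx; ret
_img[0x20:0x25] = b"\x5d\x5f\xc2\x08\x00"  # pop ebp; pop edi; ret 8
_img[0x30:0x32] = b"\xff\xe4"              # jmp esp
_img[0x40:0x42] = b"\x54\xc3"              # push esp; ret
SAMPLE = bytes(_img)

if __name__ == "__main__":
    print("[pop/pop/ret]")
    for addr, text in filter_addresses(pop_pop_ret(SAMPLE, IMAGE_BASE), b"\x00"):
        print("0x%08x %s" % (addr, text))
    print("[jump equivalents for esp]")
    for addr, text in jump_equivalents(SAMPLE, IMAGE_BASE, ["esp"]):
        print("0x%08x %s" % (addr, text))
```

Two things the toy shares with the real tool are worth keeping in mind when reading msfpescan output: a hit is only a candidate until you confirm in a debugger that the bytes are reachable as an instruction boundary, and the address, not just the gadget, has to pass the bad-character list of the vulnerable copy.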


Next, encoding shellcode with msfencode (the encoders obfuscate the bytes to dodge bad characters and signatures; they are not cryptographic encryption):

root@bt:/opt/framework/msf3# ./msfencode -h

    Usage: ./msfencode <options>

OPTIONS:

    -a <opt>  The architecture to encode as
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -c <opt>  The number of times to encode the data
    -d <opt>  Specify the directory in which to look for EXE templates
    -e <opt>  The encoder to use
    -h        Help banner
    -i <opt>  Encode the contents of the supplied file path
    -k        Keep template working; run payload in new thread (use with -x)
    -l        List available encoders
    -m <opt>  Specifies an additional module search path
    -n        Dump encoder information
    -o <opt>  The output file
    -p <opt>  The platform to encode for
    -s <opt>  The maximum size of the encoded data
    -t <opt>  The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
    -v        Increase verbosity
    -x <opt>  Specify an alternate executable template

root@bt:/opt/framework/msf3# ./msfencode -l

Framework Encoders
==================

    Name                    Rank       Description
    ----                    ----       -----------
    cmd/generic_sh          good       Generic Shell Variable Substitution Command Encoder
    cmd/ifs                 low        Generic ${IFS} Substitution Command Encoder
    cmd/printf_php_mq       manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/none            normal     The "none" Encoder
    mipsbe/longxor          normal     XOR Encoder
    mipsle/longxor          normal     XOR Encoder
    php/base64              great      PHP Base64 encoder
    ppc/longxor             normal     PPC LongXOR Encoder
    ppc/longxor_tag         normal     PPC LongXOR Encoder
    sparc/longxor_tag       normal     SPARC DWORD XOR Encoder
    x64/xor                 normal     XOR Encoder
    x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
    x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
    x86/context_cpuid       manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat        manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time        manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown           normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha            low        Non-Alpha Encoder
    x86/nonupper            low        Non-Upper Encoder
    x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit   manual     Single Static Bit
    x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder

A few shellcode encoding schemes:

The shellcode produced differs on every run: the key value (kept in ESI in one run, in EDX in the listing below), the instruction that recovers the decoder's start address, the register that holds that address, the instructions ahead of the loop and the constants all change.


1)    x86/shikata_ga_nai   

00427400    BA 99B20D32     mov edx,0x320DB299                  // XOR key
00427405    DBC9            fcmovne st,st(1)                    // any FPU instruction; its address is what fstenv records
00427407    D97424 F4       fstenv (28-byte) ptr ss:[esp-0xC]   // saves the FPU environment so that the last-FPU-instruction pointer (the address of the decoder's first FPU instruction, 0x00427405) lands at [esp];
                                                                // this only works if at least one FPU instruction was executed before it,
                                                                // e.g. fcmovne st,st(1), fldpi, fldz, ffree st(3), fcmovnb st,st, fcmovnbe st,st(5)
0042740B    5D              pop ebp                             // ebp = 0x00427405 (getpc)
0042740C    29C9            sub ecx,ecx
0042740E    B1 46           mov cl,0x46                         // loop count: 0x46 dwords = 280 bytes
00427410    3155 13         xor dword ptr ss:[ebp+0x13],edx     // XOR-decode one dword
00427413    83C5 04         add ebp,0x4
00427416    0355 96         add edx,dword ptr ss:[ebp-0x6A]     // feedback: add the decoded dword into the key
00427419  ^\E2 F5           loopd Xtest1231.00427410            // LOOP back until ecx reaches 0

Note where the first XOR lands: ebp+0x13 = 0x00427405 + 0x13 = 0x00427418, which is the displacement byte of the add, i.e. the tail of the decoder itself. The decoder overlaps its own end: the bytes from 0x00427418 on are stored encoded, which is why the static displacement -0x6A looks meaningless. Check it with the key: 0x96 XOR 0x99 (the low byte of 0x320DB299) = 0x0F, and after add ebp,4 the operand [ebp+0x0F] is 0x00427418, exactly the dword that was just decoded. shikata_ga_nai moves the last one to four bytes of its own stub into the encoded buffer so the payload aligns to a dword, so a static disassembly of the stub past the xor is not what executes.
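The transform the loop above applies is small enough to model exactly: decode one dword by XOR with the key, then add the decoded plaintext into the key, so every later dword depends on every earlier one. The script below is an added example written for this page, not Metasploit's encoder; it models only that data transform and the key retry that `-b` forces, not the stub bytes, register shuffling or the self-overlap described above. The 24-byte sample payload (constructed, deliberately containing NUL, LF and CR) and the bad-character list are assumptions for the demo; the key 0x320DB299 is the one from the listing.

```python
"""XOR additive-feedback encoder/decoder modelled on the shikata_ga_nai loop (added example).

Per iteration the stub does:
    xor dword [ptr], key      ; decode one dword
    add ptr, 4
    add key, dword [ptr-4]    ; feed the decoded dword back into the key
    loop
"""
import random
import struct

MASK = 0xFFFFFFFF


def pad4(data):
    """NOP-pad to a dword boundary; the stub only handles whole dwords."""
    return data + b"\x90" * (-len(data) % 4)


def dwords(buf):
    return [d for (d,) in struct.iter_unpack("<I", buf)]


def encode(payload, key):
    """Mirror of the decoder: ciphertext = plaintext ^ key, then key += plaintext."""
    out = bytearray()
    for p in dwords(pad4(payload)):
        out += struct.pack("<I", p ^ key)
        key = (key + p) & MASK
    return bytes(out)


def decode(encoded, key):
    """Emulates the loop; the iteration count is len/4, the value `mov cl, N` carries."""
    out = bytearray()
    for c in dwords(encoded):
        p = c ^ key
        out += struct.pack("<I", p)
        key = (key + p) & MASK
    return bytes(out)


def changed_dwords(a, b):
    """How many ciphertext dwords differ between two encodings of equal length."""
    return sum(1 for x, y in zip(dwords(a), dwords(b)) if x != y)


def find_key(payload, badchars, seed=0, tries=100000):
    """What `msfencode -b` makes the encoder do: pick random keys until neither the
    key (it is an immediate in `mov edx, imm32`) nor the output contains a bad byte.
    Returns (key, encoded) or None; a long bad-char list makes this fail more often."""
    rng = random.Random(seed)
    for _ in range(tries):
        key = rng.getrandbits(32)
        if any(b in badchars for b in struct.pack("<I", key)):
            continue
        enc = encode(payload, key)
        if not any(b in badchars for b in enc):
            return key, enc
    return None


# Constructed stand-in for shellcode: 24 bytes that include 0x00, 0x0A and 0x0D.
SAMPLE_PAYLOAD = bytes(range(0x00, 0x18))
BADCHARS = b"\x00\x0a\x0d"
LISTING_KEY = 0x320DB299

if __name__ == "__main__":
    enc = encode(SAMPLE_PAYLOAD, LISTING_KEY)
    assert decode(enc, LISTING_KEY) == SAMPLE_PAYLOAD
    found = find_key(SAMPLE_PAYLOAD, BADCHARS, seed=1)
    print("key 0x%08x, %d loop iterations, encoded %s" % (found[0], len(found[1]) // 4, found[1].hex()))
    # Flip one byte of the first dword: the feedback changes every dword after it.
    tweaked = b"\x01" + SAMPLE_PAYLOAD[1:]
    print("dwords changed by a 1-byte edit:", changed_dwords(enc, encode(tweaked, LISTING_KEY)))
```

The feedback is why the output looks different on every run even for a fixed payload, and why a signature on the decoded body cannot be written against the encoded bytes: only the short stub is stable, and, as the listing shows, even that is partly self-decoded.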

2) x86/alpha_mixed    The idea is to regenerate the original code from an alphanumeric representation (through a loop). The first four instructions below (mov eax,esp / fcmovnbe / fstenv / pop ebp) are the same fstenv getpc trick as above and are not alphanumeric; from push ebp (0x55, 'U') onward every byte is a letter or digit: pop ecx is 0x59 ('Y') and the run of dec ecx is 0x49 ('I'), which is how the decoder builds an address using only alphanumeric opcodes.

00427400 >  89E0            mov eax,esp
00427402    DBD3            fcmovnbe st,st(3)
00427404    D970 F4         fstenv (28-byte) ptr ds:[eax-0xC]
00427407    5D              pop ebp
00427408    55              push ebp
00427409    59              pop ecx
0042740A    49              dec ecx
0042740B    49              dec ecx
0042740C    49              dec ecx
0042740D    49              dec ecx
0042740E    49              dec ecx
0042740F    49              dec ecx
00427410    49              dec ecx
00427411    49              dec ecx
00427412    49 