Shellcode和Payload⼊门101-超详细源码和注释以及Hex⽂本
前⾔:
⾸先定义两个概念,在⼀段ShellCode代码中我们可以认为它有两个部分。
ShellCode:⽤于创建PayLoad环境部分
PayLoad:实现需求部分
以下是源代码,生成的 opcode 接近 400 个字节(文末附的 Hex 形态实际为 361 字节),仅仅完成了 MessageBox 弹窗,代码有很大的优化空间。
//ShellCode_:定义控制台应⽤程序的⼊⼝点。
//
//Locals——局部变量
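// Locals — stack slots addressed relative to EBP (the function's frame pointer).
// NOTE(review): this build's prologue is push ebp / mov ebp,esp / push ebx / push esi / push edi,
// followed by the shellcode's own pushad (see the first bytes of the Hex listing at the end:
// 55 8B EC 53 56 57 60). Everything from [EBP-0x4] down to [EBP-0x2C] is therefore the saved-register
// area, and the original slots [EBP-0x4]..[EBP-0x24] overwrote the callee-saved registers and the
// pushad image. The slots are moved down into the 0x60-byte scratch frame opened by "SUB ESP, 0x60",
// which nothing else uses (FNSTENV writes [ESP-0xC, ESP+0x10) and every later push goes below ESP).
// All accesses go through these macros, so no instruction in the asm block has to change.
#define KernalBaAddr     [EBP-0x40]   // PVOID   kernel32 image base (entry->DllBase)
#define pEAT             [EBP-0x44]   // PDWORD  export address table
#define pENT             [EBP-0x48]   // PDWORD  export name table
#define pEOT             [EBP-0x4C]   // PWORD   export name-ordinal table
#define PGETPROCADDRESS  [EBP-0x50]   // FARPROC GetProcAddress
#define PLOADLIBRARYA    [EBP-0x54]   // FARPROC LoadLibraryA
#define PEXITPROCESS     [EBP-0x58]   // FARPROC ExitProcess
#define Ur32BaAddr       [EBP-0x5C]   // HMODULE user32.dll (LoadLibraryA result)
#define PMESSAGEBOX      [EBP-0x60]   // FARPROC MessageBoxA
// strRVA — offsets of the strings embedded right after the GetPC stub. EDX holds the address of the
// FLDZ instruction; FLDZ (2) + FNSTENV (4) + POP EDX (1) + JMP rel8 (2) = 9 bytes, so data starts at +0x9.
#define wzKERNAL32       [EDX+0x9]    // L"KERNEL32.DLL": 24 bytes + one 0x00 (0x19 bytes)
#define szGetProcAddress [EDX+0x22]   // "GetProcAddress" (0xF bytes incl. NUL)
#define szLoadLibraryA   [EDX+0x31]   // "LoadLibraryA"   (0xD bytes)
#define szExitProcess    [EDX+0x3E]   // "ExitProcess"    (0xC bytes)
#define szUr32           [EDX+0x4A]   // "User32.dll"     (0xB bytes)
#define szMessageBoxA    [EDX+0x55]   // "MessageBoxA"    (0xC bytes)
#define szGreetings      [EDX+0x61]   // "Hello 15PB "    (0xC bytes; data ends at 0x6D = 0x9 + 0x64, the JMP distance)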
//Main
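// Entry point: runs the shellcode inline. Everything happens in the _asm block; the C function only
// supplies a frame pointer (EBP) for the EBP-relative slots and an exit path that is normally never
// reached, because the payload ends in ExitProcess.
// Fix in this revision: the "GetProcAddress" data line had lost one _emit (the 'P' byte), which would
// shift every string by one byte and break all [EDX+offset] lookups; it is restored below.
int _tmain(int argc, _TCHAR* argv[])
{
    _asm
    {
        pushad;                                 // save all general registers (undone by popad at tag_elfin)
        SUB ESP, 0X60;                          // scratch frame for the EBP-relative locals (see ADD ESP, 0X5C at the end)
    tag_OEP:
        /* -----------------------------------------------------------------------------
           KeyNote — obtaining EIP dynamically inside the shellcode (FNSTENV method)
           Position-independent code cannot assume the host process contains the strings it
           needs (module and API names), so they are embedded in the code stream and reached
           as base + offset:
             * offset — the distance between two bytes of the shellcode is the same in the
               file and in memory, so it is computed once from the opcode dump;
             * base   — the runtime address of a known instruction ("EIP"), which is what the
               GetPC stub below produces.
           FNSTENV stores the 28-byte FPU environment; its 4th dword (offset 0xC) is the
           address of the last executed FPU instruction. Storing the environment at
           [ESP-0xC] places that dword exactly at [ESP], so a single POP yields the address
           of the FLDZ, i.e. the start of the shellcode.
           ----------------------------------------------------------------------------- */
        // GetPC — address of the FLDZ ends up in EDX
        FLDZ;                                   // any FPU instruction; FNSTENV records its address
        FNSTENV [ESP-0xc];                      // 28-byte env at ESP-0xC: the FPU IP dword lands at [ESP]
        POP EDX;                                // EDX == ShellCodeBa (address of FLDZ); ESP += 4
        JMP tag_shellcode;                      // 2-byte short jump over the data; stub is 0x9 bytes total
        // .rdata — strings embedded in the code stream, addressed as [EDX+offset] (strRVA macros).
        // NOTE(review): stored in cleartext and full of 0x00 bytes (UTF-16 and NUL terminators), so
        // this shellcode is easy to signature on and cannot travel through a C-string copy.
#pragma region CHAR* & WCHAR*
        // Data section starts at [ShellCodeBa+0x9]
        // L"KERNEL32.DLL" at [EDX+0x9]: 12 UTF-16 units (24 bytes) followed by ONE 0x00 (0x19 bytes).
        // NOTE(review): a proper wide string needs two zero bytes; the next byte is 'G'. The compare
        // below only reads Length/4 bytes of it, so the terminator is never consulted.
        _asm _emit(0x4b) _asm _emit(0x00) _asm _emit(0x45) _asm _emit(0x00)
        _asm _emit(0x52) _asm _emit(0x00) _asm _emit(0x4e) _asm _emit(0x00)
        _asm _emit(0x45) _asm _emit(0x00) _asm _emit(0x4c) _asm _emit(0x00)
        _asm _emit(0x33) _asm _emit(0x00) _asm _emit(0x32) _asm _emit(0x00)
        _asm _emit(0x2e) _asm _emit(0x00) _asm _emit(0x44) _asm _emit(0x00)
        _asm _emit(0x4c) _asm _emit(0x00) _asm _emit(0x4c) _asm _emit(0x00)
        _asm _emit(0x00)                                                    // 0x19 bytes
        // "GetProcAddress" at [EDX+0x22]
        _asm _emit(0x47) _asm _emit(0x65) _asm _emit(0x74) _asm _emit(0x50)
        _asm _emit(0x72) _asm _emit(0x6f) _asm _emit(0x63) _asm _emit(0x41)
        _asm _emit(0x64) _asm _emit(0x64) _asm _emit(0x72) _asm _emit(0x65)
        _asm _emit(0x73) _asm _emit(0x73) _asm _emit(0x00)                  // 0xF bytes
        // "LoadLibraryA" at [EDX+0x31]
        _asm _emit(0x4c) _asm _emit(0x6f) _asm _emit(0x61) _asm _emit(0x64)
        _asm _emit(0x4c) _asm _emit(0x69) _asm _emit(0x62) _asm _emit(0x72)
        _asm _emit(0x61) _asm _emit(0x72) _asm _emit(0x79) _asm _emit(0x41)
        _asm _emit(0x00)                                                    // 0xD bytes
        // "ExitProcess" at [EDX+0x3E]
        _asm _emit(0x45) _asm _emit(0x78) _asm _emit(0x69) _asm _emit(0x74)
        _asm _emit(0x50) _asm _emit(0x72) _asm _emit(0x6F) _asm _emit(0x63)
        _asm _emit(0x65) _asm _emit(0x73) _asm _emit(0x73) _asm _emit(0x00) // 0xC bytes
        // "User32.dll" at [EDX+0x4A]
        _asm _emit(0x55) _asm _emit(0x73) _asm _emit(0x65) _asm _emit(0x72)
        _asm _emit(0x33) _asm _emit(0x32) _asm _emit(0x2e) _asm _emit(0x64)
        _asm _emit(0x6c) _asm _emit(0x6c) _asm _emit(0x00)                  // 0xB bytes
        // "MessageBoxA" at [EDX+0x55]
        _asm _emit(0x4D) _asm _emit(0x65) _asm _emit(0x73) _asm _emit(0x73)
        _asm _emit(0x61) _asm _emit(0x67) _asm _emit(0x65) _asm _emit(0x42)
        _asm _emit(0x6F) _asm _emit(0x78) _asm _emit(0x41) _asm _emit(0x00) // 0xC bytes
        // "Hello 15PB " at [EDX+0x61]
        _asm _emit(0x48) _asm _emit(0x65) _asm _emit(0x6C) _asm _emit(0x6C)
        _asm _emit(0x6F) _asm _emit(0x20) _asm _emit(0x31) _asm _emit(0x35)
        _asm _emit(0x50) _asm _emit(0x42) _asm _emit(0x20) _asm _emit(0x00) // 0xC bytes
#pragma endregion CHAR* & WCHAR*
        /* -----------------------------------------------------------------------------
           GetModuleBa — find the kernel32 image base through the PEB
             FS:[0x30]        -> _PEB
             _PEB  + 0xC      -> Ldr (_PEB_LDR_DATA)
             Ldr   + 0xC      -> InLoadOrderModuleList.Flink (first _LDR_DATA_TABLE_ENTRY)
           _LIST_ENTRY { +0x000 Flink : Ptr32 _LIST_ENTRY
                         +0x004 Blink : Ptr32 _LIST_ENTRY }
           _LDR_DATA_TABLE_ENTRY starts with its _LIST_ENTRY, so the list pointer is also the
           entry's address. Following Flink from the exe's own entry typically reaches ntdll
           first and kernel32 second; the code does not count on that and matches by name.
           ----------------------------------------------------------------------------- */
    tag_shellcode:
        MOV EAX, FS:[0x30];                     // EAX = _PEB
        MOV EAX, [EAX+0xC];                     // EAX = PEB->Ldr (_PEB_LDR_DATA)
        MOV EAX, [EAX+0xC];                     // EAX = Ldr->InLoadOrderModuleList.Flink = first entry
        JMP tag_checkname;
    tag_nextModule:
        MOV EAX, [EAX];                         // entry = entry->InLoadOrderLinks.Flink (next module)
    tag_checkname:
        MOV EBX, DWORD PTR DS:[EAX+0x2C+0x4];   // entry->BaseDllName.Buffer (UNICODE_STRING at +0x2C, Buffer at +4)
        PUSH EAX;                               // keep the entry address across the compare
        MOV EAX, DWORD PTR DS:[EAX+0x2C];       // BaseDllName.Length (WORD, in bytes) is the low half
        AND EAX, 0X0000FFFF;                    // keep only Length
        SHR EAX, 2;                             // Length / 4 — NOT "Length * 2"
        MOV ECX, EAX;                           // REP count in bytes: for "KERNEL32.DLL" (Length 24) only 6 bytes, "K\0E\0R\0"
        MOV ESI, EBX;                           // ESI = module name
        POP EAX;                                // EAX = entry address again
        LEA EDI, wzKERNAL32;                    // EDI = embedded L"KERNEL32.DLL"
        REP CMPS;                               // assembles as REPE CMPSB; ZF=1 if all ECX bytes match
        JNZ tag_nextModule;                     // no match -> next module
        // NOTE(review): the match is case-sensitive and only checks a 6-byte prefix ("KER"); it presumably
        // relies on kernel32 being listed before KERNELBASE.dll (verify). A lower-case BaseDllName never
        // matches, and the walk has no terminator, so with no match it runs around the circular list
        // into the list head inside _PEB_LDR_DATA.
        MOV EAX, DWORD PTR DS:[EAX+0x18];       // entry->DllBase
        MOV KernalBaAddr, EAX;                  // KernalBaAddr = kernel32 image base
        PUSH EAX;                               // second copy, popped into ESI below
        /* -----------------------------------------------------------------------------
           Get pEAT / pENT / pEOT — locate the export directory. Equivalent C:
             typedef FARPROC (WINAPI *GETPROCADDR)(HMODULE hModule, LPCSTR lpProcName);
             typedef HMODULE (WINAPI *LOADLIBRARYA)(_In_ LPCSTR lpName);
             GETPROCADDR  g_getprocaddr;
             LOADLIBRARYA g_loadlibA;
             CHAR *ModuleBuf = (CHAR *)KernalBaAddr;
             PIMAGE_DOS_HEADER       pDos       = (PIMAGE_DOS_HEADER)ModuleBuf;
             PIMAGE_NT_HEADERS       pNT        = PIMAGE_NT_HEADERS(pDos->e_lfanew + ModuleBuf);
             PIMAGE_OPTIONAL_HEADER  pOpt       = &pNT->OptionalHeader;
             PIMAGE_DATA_DIRECTORY   pExportDir = pOpt->DataDirectory + 0;
             PIMAGE_EXPORT_DIRECTORY pExport    = PIMAGE_EXPORT_DIRECTORY(pExportDir->VirtualAddress + ModuleBuf);
             PDWORD pEAT = PDWORD(pExport->AddressOfFunctions + ModuleBuf);
             PDWORD pENT = PDWORD(pExport->AddressOfNames + ModuleBuf);
             PWORD  pEOT = PWORD(pExport->AddressOfNameOrdinals + ModuleBuf);
             DWORD  NumONames = pExport->NumberOfNames;
           ----------------------------------------------------------------------------- */
        MOV EAX, [EAX+0x3C];                    // pDosHeader->e_lfanew
        ADD EAX, KernalBaAddr;                  // EAX = pNTHeader
        LEA EAX, [EAX+0x18];                    // EAX = &pNTHeader->OptionalHeader
        MOV EAX, [EAX+0x60];                    // OptionalHeader->DataDirectory[0].VirtualAddress (export dir RVA)
        ADD EAX, KernalBaAddr;                  // EAX = pExportDir (IMAGE_EXPORT_DIRECTORY *)
        POP ESI;                                // ESI = KernalBaAddr (stays there for the rest of the code)
        MOV EBX, [EAX+0x1C];                    // pExportDir->AddressOfFunctions (RVA)
        MOV pEAT, ESI;                          // pEAT = base
        ADD pEAT, EBX;                          //      + RVA
        MOV EBX, [EAX+0x20];                    // pExportDir->AddressOfNames (RVA)
        MOV pENT, ESI;                          // pENT = base
        ADD pENT, EBX;                          //      + RVA
        MOV EBX, [EAX+0x24];                    // pExportDir->AddressOfNameOrdinals (RVA)
        MOV pEOT, ESI;                          // pEOT = base
        ADD pEOT, EBX;                          //      + RVA
        MOV ECX, [EAX+0x18];                    // ECX = NumberOfNames (loop bound; saved/restored inside the loop)
        /* -----------------------------------------------------------------------------
           Resolve GetProcAddress by walking the export name table; LoadLibraryA and
           ExitProcess are then fetched through it. Equivalent C:
             for (INT i = 0; i < NumONames; i++) {
                 CHAR *pName = pENT[i] + ModuleBuf;
                 if (strcmp(pName, "GetProcAddress") == 0) {
                     g_getprocaddr = GETPROCADDR(pEAT[pEOT[i]] + (DWORD)ModuleBuf);
                     g_loadlibA    = LOADLIBRARYA(g_getprocaddr((HMODULE)ModuleBuf, "LoadLibraryA"));
                     break;
                 }
             }
           ----------------------------------------------------------------------------- */
        XOR EAX, EAX;                           // i = 0
    loop_EXT:
        CMP EAX, ECX;                           // i < NumberOfNames ?
        JNB tag_elfin;                          // exhausted without a match -> epilogue (no ExitProcess on this path)
        PUSH EAX;                               // keep i
        SHL EAX, 2;                             // i * 4
        MOV EDI, pENT;                          // EDI = pENT
        ADD EDI, EAX;                           // EDI = &pENT[i]
        MOV EDI, [EDI];                         // EDI = pENT[i] (RVA of the name)
        ADD EDI, ESI;                           // EDI = name string (RVA + base)
        PUSH ESI;                               // keep base
        LEA ESI, szGetProcAddress;              // ESI = "GetProcAddress"
        PUSH ECX;                               // keep NumberOfNames
        MOV ECX, 0xF;                           // 14 chars + NUL: the terminator is compared too, so longer names
                                                // that merely share the prefix do not match
        rep cmps;                               // REPE CMPSB; ZF=1 on a full match
        POP ECX;                                // POP does not touch flags ...
        POP ESI;                                //
        POP EAX;                                // ... so ZF survives to the JZ; popping before the branch keeps both paths balanced
        JZ tag_foundproc;
        INC EAX;                                // ++i
        JMP loop_EXT;
    tag_foundproc:
        MOV ECX, pEOT;                          // ECX = pEOT
        SHL EAX, 1;                             // i * 2 (WORD table)
        ADD ECX, EAX;                           // ECX = &pEOT[i]
        MOV CX, WORD PTR [ECX];                 // CX = pEOT[i] (ordinal)
        AND ECX, 0x0000ffff;                    // zero-extend the WORD
        SHL ECX, 2;                             // ordinal * 4 (DWORD table)
        MOV EAX, pEAT;                          // EAX = pEAT
        ADD EAX, ECX;                           // EAX = &pEAT[ordinal]
        MOV EAX, [EAX];                         // EAX = pEAT[ordinal] (RVA)
        ADD EAX, ESI;                           // EAX = GetProcAddress (RVA + base)
        MOV PGETPROCADDRESS, EAX;               // PGETPROCADDRESS = GetProcAddress
        // NOTE(review): no forwarded-export check is done; not needed for GetProcAddress itself,
        // whose result is called directly below.
        /* ------------------------------------------------------------
           LoadLibraryA = GetProcAddress(hKernel32, "LoadLibraryA");
           EDX is caller-saved in the x86 calling convention and still anchors the embedded
           strings, so it is preserved around every call.
           ------------------------------------------------------------ */
        PUSH EDX;                               // save ShellCodeBa
        LEA ECX, szLoadLibraryA;                // ECX = "LoadLibraryA"
        PUSH ECX;                               // LPCSTR lpProcName
        PUSH ESI;                               // HMODULE hModule = kernel32 base
        CALL PGETPROCADDRESS;                   // GetProcAddress()
        MOV PLOADLIBRARYA, EAX;                 // PLOADLIBRARYA = result
        POP EDX;                                // restore ShellCodeBa
        /* ------------------------------------------------------------
           ExitProcess = GetProcAddress(hKernel32, "ExitProcess");
           ------------------------------------------------------------ */
        PUSH EDX;                               // save ShellCodeBa
        LEA ECX, szExitProcess;                 // ECX = "ExitProcess"
        PUSH ECX;                               // LPCSTR lpProcName
        PUSH ESI;                               // HMODULE hModule = kernel32 base
        CALL PGETPROCADDRESS;                   // GetProcAddress()
        MOV PEXITPROCESS, EAX;                  // PEXITPROCESS = result
        POP EDX;                                // restore ShellCodeBa
        //***************************************************Payload***************************************************
        /* ------------------------------------------------------------
           MessageBoxA = GetProcAddress(LoadLibraryA("User32.dll"), "MessageBoxA");
           ------------------------------------------------------------ */
        PUSH EDX;                               // save ShellCodeBa
        LEA ECX, szUr32;                        // ECX = "User32.dll"
        PUSH ECX;                               // LPCSTR lpLibFileName
        CALL PLOADLIBRARYA;                     // LoadLibraryA()
        MOV Ur32BaAddr, EAX;                    // Ur32BaAddr = hUser32
        POP EDX;                                // restore ShellCodeBa
        PUSH EDX;                               // save ShellCodeBa
        LEA ECX, szMessageBoxA;                 // ECX = "MessageBoxA"
        PUSH ECX;                               // LPCSTR lpProcName
        PUSH EAX;                               // HMODULE hModule = hUser32 (EAX untouched by the POP/PUSH of EDX)
        CALL PGETPROCADDRESS;                   // GetProcAddress()
        MOV PMESSAGEBOX, EAX;                   // PMESSAGEBOX = result
        POP EDX;                                // restore ShellCodeBa
        /* ------------------------------------------------------------
           MessageBoxA(NULL, "Hello 15PB ", "Hello 15PB ", 0);
           stdcall: arguments are pushed right-to-left (uType first, hWnd last).
           ------------------------------------------------------------ */
        LEA ECX, szGreetings;                   // ECX = "Hello 15PB "
        XOR EBX, EBX;                           // EBX = 0
        PUSH EBX;                               // UINT   uType     = 0
        PUSH ECX;                               // LPCSTR lpCaption = "Hello 15PB "
        PUSH ECX;                               // LPCSTR lpText    = "Hello 15PB "
        PUSH EBX;                               // HWND   hWnd      = NULL
        CALL PMESSAGEBOX;                       // MessageBoxA()
        //***************************************************Payload***************************************************
        /* ------------------------------------------------------------
           ExitProcess(0); — normal end of the payload, never returns
           ------------------------------------------------------------ */
    tag_Exit:
        XOR EBX, EBX;                           // EBX = 0
        PUSH EBX;                               // UINT uExitCode = 0
        CALL PEXITPROCESS;                      // ExitProcess()
        /* ------------------------------------------------------------
           Reserved — reached only from the JNB above when GetProcAddress is not in the name table
           ------------------------------------------------------------ */
    tag_elfin:
        add ESP, 0X5C;                          // 0x60 minus the 4 bytes the POP EDX in the GetPC stub already consumed
        popad;                                  // restore the registers saved by pushad
    }
    return 0;
}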
附:以上 ShellCode 的 Hex 形态(共 361 字节)。注意:该 Hex 来自另一次构建,其字符串排列顺序与 EBP 局部变量槽位和上面源码中的宏定义并不一致——例如 Hex 中 LoadLibraryA 调用前取的是 [EDX+0x3E](8D 4A 3E),而上面源码中 0x3E 对应的是 "ExitProcess";另外它把编译器生成的函数序言(55 8B EC 53 56 57)也包含在内,两者不要混用。
//ShellCode_Hex_:定义控制台应⽤程序的⼊⼝点。
charShellCode_Hex_01[]=
"x55x8BxECx53x56x57x60x83xECx60xD9xEExD9x74x24xF4x5AxEBx64x4Bx00x45x00x52x00x4Ex00x45x00x4Cx00x33"
"x00x32x00x2Ex00x44x00x4Cx00x4Cx00x00x47x65x74x50x72x6Fx63x41x64x64x72x65x73x73x00x4Cx6Fx61x64x4C"
"x69x62x72x61x72x79x41x00x55x73x65x72x33x32x2Ex64x6Cx6Cx00x4Dx65x73x73x61x67x65x42x6Fx78x41x00x48"
"x65x6Cx6Cx6Fx20x31x35x50x42x20x00x45x78x69x74x50x72x6Fx63x65x73x73x00x64xA1x30x00x00x00x8Bx40x0C"
"x8Bx40x0CxEBx02x8Bx00x3Ex8Bx58x30x50x3Ex8Bx40x2Cx25xFFxFFx00x00xC1xE8x02x8BxC8x8BxF3x58x8Dx7Ax09"
"xF3xA6x75xE1x3Ex8Bx40x18x89x45xFCx50x8Bx40x3Cx03x45xFCx8Dx40x18x8Bx40x60x03x45xFCx5Ex8Bx58x1Cx89"
"x75xF8x01x5DxF8x8Bx58x20x89x75xF4x01x5DxF4x8Bx58x24x89x75xF0x01x5DxF0x8Bx48x18x33xC0x3BxC1x0Fx83"
"x85x00x00x00x50xC1xE0x02x8Bx7DxF4x03xF8x8Bx3Fx03xFEx56x8Dx72x22x51xB9x0Fx00x00x00xF3xA6x59x5Ex58"
"x74x03x40xEBxD7x8Bx4DxF0xD1xE0x03xC8x66x8Bx09x81xE1xFFxFFx00x00xC1xE1x02x8Bx45xF8x03xC1x8Bx00x03"
"xC6x89x45xECx52x8Dx4Ax31x51x56xFFx55xECx89x45xE8x5Ax52x8Dx4Ax61x51x56xFFx55xECx89x45xDCx5Ax52x8D"
"x4Ax3Ex51xFFx55xE8x89x45xE4x5Ax52x8Dx4Ax49x51x50xFFx55xECx89x45xE0x5Ax8Dx4Ax55x33xDBx53x51x51x53"
"xFFx55xE0x33xDBx53xFFx55xDC";
// Entry point of the loader: hands control to the raw bytes in ShellCode_Hex_01.
// NOTE(review): the array lives in a writable data section; with DEP/NX enabled that page is not
// executable and the transfer faults. Make it executable first (e.g. VirtualProtect with
// PAGE_EXECUTE_READ) or place the bytes in an executable section. The payload ends in ExitProcess,
// so control never returns here.
int _tmain(int argc, _TCHAR* argv[])
{
    _asm
    {
        lea eax, ShellCode_Hex_01;   // EAX = &ShellCode_Hex_01[0]
        jmp eax;                     // same transfer as "push eax / retn", leaving ESP untouched
    }
    return 0;
}