#include<windows.h>
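// Builds "cmd.exe" on the stack and calls WinExec on it from MSVC inline asm
// (32-bit x86, MASM syntax). Register roles inside the block:
//   ebp = inner frame; [ebp-8..ebp-2] = "cmd.exe", [ebp-1] = NUL
//   edi = scratch zero (edi is callee-saved in the x86 MSVC convention;
//         whether the compiler spills it around the __asm block should be
//         checked in the generated prologue)
//   eax = pointer to the string, edx = call target
// Change vs. the original listing: every store now carries an explicit
// "byte ptr". Without it the operand size is ambiguous; had it assembled as a
// dword store, the write at [ebp-2] would reach [ebp+1] and overwrite part of
// the saved ebp.
// 0x7C86250D is the WinExec address read off one specific kernel32 build with
// Depends; it is not valid on other Windows versions or under ASLR.
void main()
{
_asm
{
    push    ebp
    mov     ebp,esp
    xor     edi,edi                     // edi = 0
    push    edi                         // [ebp-4..ebp-1] = 0 -> NUL terminator at [ebp-1]
    sub     esp,04h                     // [ebp-8..ebp-5]: remaining room for the 7 string bytes
    mov     byte ptr [ebp-08h],63h      // 'c'
    mov     byte ptr [ebp-07h],6Dh      // 'm'
    mov     byte ptr [ebp-06h],64h      // 'd'
    mov     byte ptr [ebp-05h],2Eh      // '.'
    mov     byte ptr [ebp-04h],65h      // 'e'
    mov     byte ptr [ebp-03h],78h      // 'x'
    mov     byte ptr [ebp-02h],65h      // 'e'
    push    1                           // uCmdShow = 1 (SW_SHOWNORMAL); 2nd parameter, pushed first (stdcall)
    lea     eax,[ebp-08h]
    push    eax                         // lpCmdLine -> "cmd.exe"
    mov     edx,0x7C86250D              // WinExec address obtained with Depends (build-specific)
    call    edx                         // WinExec(lpCmdLine, uCmdShow); callee pops both arguments
    leave                               // drop the inner frame, restoring the compiler's ebp
};
}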
;shellcode 源码(FASM语法描述)
proc main
; FASM rendering of the same routine; it is the source of the byte blob in
; 'disp' below (they match byte for byte: 55 89 E5 31 C0 50 83 EC 04, then
; the C6 45 xx yy stores, B8 imm32, 50 6A 01 8D 45 F8 50 FF 55 F4 C9 C3).
; Frame, relative to ebp:
;   [ebp-4..ebp-1] = 0         (push eax with eax == 0) -> NUL at [ebp-1]
;   [ebp-8..ebp-2] = "cmd.exe"
;   [ebp-0Ch]      = WinExec address (spilled eax), read back by the call
;   [ebp-10h], [ebp-14h] = uCmdShow, lpCmdLine
push ebp
mov ebp,esp
xor eax,eax
push eax ;zero dword -> NUL terminator at [ebp-1]
sub esp,04h ;remaining 4 bytes of the 8-byte string buffer
mov byte[ebp-08h],'c' ;63h
mov byte[ebp-07h],'m' ;6Dh
mov byte[ebp-06h],'d' ;64h
mov byte[ebp-05h],'.' ;2Eh
mov byte[ebp-04h],'e' ;65h
mov byte[ebp-03h],'x' ;78h
mov byte[ebp-02h],'e' ;65h
mov eax,0x75a9edb2 ;WinExec address on the author's machine; the author notes it differs after assembling -- presumably kernel32 is loaded at a different base (ASLR / other build), so a fixed value cannot be relied on
push eax ;spill the WinExec address to [ebp-0Ch]
push 1 ;uCmdShow = 1 (2nd parameter, pushed first: stdcall)
lea eax,[ebp-08h]
push eax ;lpCmdLine -> "cmd.exe"
call dword[ebp-0ch] ;WinExec(lpCmdLine, uCmdShow) through the spilled slot; callee pops the 8 bytes of arguments
;call [WinExec] ;edx ; // alternative: call WinExec through the import table (left disabled)
leave
ret
endp
;===================================================
;下面这段代码经编译后可以运行,但新问题又来了,
;一旦把 _shellcode安排在数据段或者堆栈段就不行。
;我直觉地认为,这种限制可能是来源于操作系统(数据段和堆栈默认不可执行,即 DEP/NX 保护);当然
;也不排除_shellcode不正确
;LZ可以将_shellcode数据调整后放进你的C语言中试试,
;有调试器可跟踪走走,看看。
;本人也将抽时间再琢磨琢磨。
;====================================================
;
;下面是我写的FASM汇编代码,编译器是FASM for WIN32
;我的操作系统也是Win7 编译后运行成功
;FASM包 下载地址:http://flatassembler.net/fasmw16931.zip
;FASM包很小,下载会很快
;解压fasmw16931.zip,假设解压放在 c:\fasm 文件夹下
;将下面的汇编代码取个dispshell.asm文件名,放在你想放的文件夹下,
;并用记事本在该文件夹下建个脚本文件(build.bat):
;
;rem build.bat
;set path=c:\fasm;
;set include=c:\fasm\include;
;fasm.exe dispshell.asm
;
;调出dos控制台窗口,把光标所指文件夹调到dispshell.asm所在文件夹
;输入上面建的脚本文件名:build.bat
;运行:dispshell.exe
;
;--------------------------------
;dispshell.asm
;功能:调出控制台窗口。
;--------------------------------
format PE GUI 4.0 ; 32-bit PE, GUI subsystem; the console that appears is the cmd.exe spawned by the blob, not this process's
entry start
include 'win32ax.inc' ; FASM Win32 macro set: stdcall / invoke / proc / library / import
section '_code' code readable executable ; code section: executable, not writeable
start:
stdcall disp ; run the embedded byte sequence once
invoke ExitProcess,0
proc disp uses ebx esi edi
; 'uses' makes FASM push/pop ebx, esi, edi around the body.
; The bytes below are executed in place: they sit inside the code section
; ('_code' is readable executable), which is what makes the call legal.
; The author reports the same bytes fail when placed in a data or stack
; section; that is consistent with those sections not being executable
; (DEP/NX), though the page does not show the exact fault.
call _shellcode ; runs proc main's body; it returns via its own leave/ret
ret
; _shellcode = assembled 'proc main' from above, group by group:
;   55 89 E5 31 C0 50 83 EC 04   push ebp; mov ebp,esp; xor eax,eax; push eax; sub esp,4
;   C6 45 F8..FE xx              mov byte [ebp-8..ebp-2], "cmd.exe"
;   B8 B2 ED A9 75               mov eax, 0x75a9edb2 (WinExec, machine-specific)
;   50 6A 01 8D 45 F8 50         push eax; push 1; lea eax,[ebp-8]; push eax
;   FF 55 F4                     call dword [ebp-0Ch]
;   C9 C3                        leave; ret
_shellcode db 0x55, 0x89, 0xE5, 0x31, 0xC0, 0x50, 0x83, 0xEC, 0x04,\
0xC6, 0x45, 0xF8, 0x63, 0xC6, 0x45, 0xF9,\
0x6D, 0xC6, 0x45, 0xFA, 0x64, 0xC6, 0x45, 0xFB,\
0x2E, 0xC6, 0x45, 0xFC, 0x65, 0xC6, 0x45, 0xFD,\
0x78, 0xC6, 0x45, 0xFE, 0x65, 0xB8,\
0xB2, 0xED, 0xA9, 0x75,\
0x50, 0x6A, 0x01,\
0x8D, 0x45, 0xF8,\
0x50, 0xFF, 0x55,0xF4,\
0xC9, 0xC3
endp
section '_import' data import readable writeable ; import directory (must stay writeable: the loader patches the IAT here)
library kernel32, 'kernel32.dll',\
user32, 'user32.dll'
include 'api\kernel32.inc' ; import entries for kernel32 (ExitProcess is the only one this file calls by name)
include 'api\user32.inc' ; user32 is listed but no user32 API is referenced in this file
#include<windows.h>
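// Builds "cmd.exe" on the stack and calls WinExec on it from MSVC inline asm
// (32-bit x86, MASM syntax). Register roles inside the block:
//   ebp = inner frame; [ebp-8..ebp-2] = "cmd.exe", [ebp-1] = NUL
//   edi = scratch zero (edi is callee-saved in the x86 MSVC convention;
//         whether the compiler spills it around the __asm block should be
//         checked in the generated prologue)
//   eax = pointer to the string, edx = call target
// Change vs. the original listing: every store now carries an explicit
// "byte ptr". Without it the operand size is ambiguous; had it assembled as a
// dword store, the write at [ebp-2] would reach [ebp+1] and overwrite part of
// the saved ebp.
// 0x7C86250D is the WinExec address of one specific kernel32 build; it is not
// valid on other Windows versions or under ASLR.
void main()
{
_asm
{
    push    ebp
    mov     ebp,esp
    xor     edi,edi                     // edi = 0
    push    edi                         // [ebp-4..ebp-1] = 0 -> NUL terminator at [ebp-1]
    sub     esp,04h                     // [ebp-8..ebp-5]: remaining room for the 7 string bytes
    mov     byte ptr [ebp-08h],63h      // 'c'
    mov     byte ptr [ebp-07h],6Dh      // 'm'
    mov     byte ptr [ebp-06h],64h      // 'd'
    mov     byte ptr [ebp-05h],2Eh      // '.'
    mov     byte ptr [ebp-04h],65h      // 'e'
    mov     byte ptr [ebp-03h],78h      // 'x'
    mov     byte ptr [ebp-02h],65h      // 'e'
    push    1                           // uCmdShow = 1 (SW_SHOWNORMAL); 2nd parameter, pushed first (stdcall)
    lea     eax,[ebp-08h]
    push    eax                         // lpCmdLine -> "cmd.exe"
    mov     edx,0x7C86250D              // WinExec address (build-specific)
    call    edx                         // WinExec(lpCmdLine, uCmdShow); callee pops both arguments
    leave                               // drop the inner frame, restoring the compiler's ebp
};
}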
;改成下面这样,你再试试,如不成我也没办法了
; MASM-syntax version of the routine, shaped like an MSVC debug-build
; function: 40h bytes of locals filled with 0CCCCCCCCh, ebx/esi/edi saved, and
; a "cmp ebp,esp / call" stack-balance check in the epilogue (the pattern
; looks like __chkesp; the target name is not shown on the page).
;
; Two things to know before reusing this listing:
;   1. Terminator: the fill puts 0CCh into [ebp-1], and the lines that would
;      have zeroed [ebp-4..ebp-1] (push ebp / mov ebp,esp / xor edi,edi /
;      push edi / sub esp,4) are commented out below, so "cmd.exe" at [ebp-8]
;      is NOT NUL-terminated in this text. The byte string in the C program
;      further down does contain those instructions, so the two differ.
;   2. "call 0ffff3d10h" is a relative call; its displacement is only
;      meaningful at the address where the compiler emitted it. Copied
;      elsewhere as raw bytes it transfers control to an unrelated address.
push ebp
mov ebp,esp
sub esp,40h ;40h bytes of locals
push ebx ;save callee-saved registers
push esi
push edi
;fill the 40h-byte local area with 0CCCCCCCCh (16 dwords); leaves 0CCh in [ebp-1]
lea edi,[ebp-40h]
mov ecx,00000010h
mov eax,0cccccccch
repz
stosd
;push ebp ;inner frame of the earlier version, left disabled here
;mov ebp,esp
;xor edi,edi
;push edi ;this is what used to supply the NUL at [ebp-1]
;sub esp,04h
mov byte ptr [ebp-08h],63h ;'c'
mov byte ptr [ebp-07h],6Dh ;'m'
mov byte ptr [ebp-06h],64h ;'d'
mov byte ptr [ebp-05h],2eh ;'.'
mov byte ptr [ebp-04h],65h ;'e'
mov byte ptr [ebp-03h],78h ;'x'
mov byte ptr [ebp-02h],65h ;'e' -- no terminator follows, see note 1
pushd 01h ;uCmdShow = 1; 2nd parameter, pushed first (stdcall)
lea eax,[ebp-08h]
push eax ;lpCmdLine -> [ebp-8]
mov edx,772ae76dh ;WinExec address on the author's machine (build/ASLR specific)
call edx ;WinExec(lpCmdLine, uCmdShow); callee pops the two arguments
;leave ;no inner frame in this version, so no leave
pop edi ;restore callee-saved registers
pop esi
pop ebx
add esp,40h
cmp ebp,esp ;stack-balance check (debug-build pattern)
call 0ffff3d10h ;relative call; see note 2 above
mov esp,ebp
pop ebp
ret
#include <windows.h>
/*
 * Raw bytes of the MASM listing above (32-bit x86). This copy does include
 * the inner frame (55 8B EC 33 FF 57 83 EC 04) that the listing has
 * commented out, so here "cmd.exe" is NUL-terminated. Layout:
 *   55 8B EC 83 EC 40 53 56 57                 prologue, 40h locals, save ebx/esi/edi
 *   8D 7D C0 B9 10 00 00 00 B8 CC CC CC CC F3 AB   rep stosd fill with 0CCCCCCCCh
 *   55 8B EC 33 FF 57 83 EC 04                 inner frame; push edi (==0) gives NUL at [ebp-1]
 *   C6 45 F8 63 ... C6 45 FE 65                "cmd.exe" at [ebp-8..ebp-2]
 *   6A 01 8D 45 F8 50 BA 6D E7 2A 77 FF D2     WinExec(&str, 1) via hard-coded 772AE76Dh
 *   C9 5F 5E 5B 83 C4 40                       leave; restore regs; drop locals
 *   3B EC E8 B8 3B FF FF                       cmp ebp,esp; call rel32 (0xFFFF3BB8 = -0xC448)
 *   8B E5 5D C3                                mov esp,ebp; pop ebp; ret
 * Why the program is not expected to get past p(): the E8 displacement was
 * computed for the compiler's original address and points at an unrelated
 * address once the bytes live in this array; the WinExec address is valid
 * only for one kernel32 build/ASLR layout; and a string literal normally
 * resides in a read-only, non-executable section, so with DEP enabled the
 * very first instruction faults. Style: this points at a string literal and
 * should be declared const char *.
 */
char *shellcode = "\x55\x8B\xEC\x83\xEC\x40\x53\x56\x57\x8D\x7D\xC0\xB9\x10\x00\x00\x00\xB8\xCC\xCC\xCC\xCC\xF3\xAB\x55\x8B\xEC\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63\xC6\x45\xF9\x6D\xC6\x45\xFA\x64\xC6\x45\xFB\x2E\xC6\x45\xFC\x65\xC6\x45\xFD\x78\xC6\x45\xFE\x65\x6A\x01\x8D\x45\xF8\x50\xBA\x6D\xE7\x2A\x77\xFF\xD2\xC9\x5F\x5E\x5B\x83\xC4\x40\x3B\xEC\xE8\xB8\x3B\xFF\xFF\x8B\xE5\x5D\xC3";
/*
 * Casts the byte array above to a function pointer and calls it, with a
 * debugger-only marker before and after (OutputDebugString output is visible
 * only under a debugger or a DebugView-style listener). argc/argv are unused.
 * The second marker is never reached on the author's machine. Likely causes,
 * both visible in the bytes: the array is a string literal, which normally
 * lives in a read-only, non-executable section (faults under DEP before any
 * byte runs), and the epilogue keeps a relative E8 call whose displacement is
 * only valid at the address the compiler originally emitted it at.
 */
int main(int argc, char* argv[])
{
typedef void (* FUNC_PTR)(); /* no arguments, no return value: the blob ends in ret with a balanced stack */
FUNC_PTR p = (FUNC_PTR)shellcode; /* data pointer -> code pointer cast; intentional for this experiment */
OutputDebugString("shellcode start...");
p(); /* transfers control into the byte array */
OutputDebugString("shellcode end!");// never reached: the process dies inside p() (see header comment)
return 0;
}