
Anskya 2006-5-31 11:55

[原创]多种语言的ShellCode Loader

文章作者:Anskya([email]Anskya@Gmail.com[/email])
信息来源:邪恶八进制信息安全团队([url]www.eviloctal.com[/url])

明天就封闭式手术~远离网络了~写点什么玩玩吧......
无聊之作~绝对无聊之作 转载请保留版权: By Anskya 谢谢~

大家经常拿到ShellCode代码~可是如何去执行他呢?
这个问题郁闷吧~不过没关系~后来有人公开了~~
平常情况下~C语言写的ShellCode都是按照以下方式加载的

C语言:
[code]
#include <windows.h>

  /*
   * Raw x86 machine code (387 bytes) that main() below jumps into.
   * The bytes embed the ASCII strings "[*] Hello World Coder! (C) Anskya.\r\n",
   * "MsgBox By Anskya", "kernel32" and "user32", matching the author's note
   * that running it pops up a message box.  The blob is opaque to the
   * compiler: nothing in this file checks its length or contents, so its
   * behavior can only be established by disassembly, not from this listing.
   * It is a plain (non-const) global, so it is placed in a writable data
   * section rather than in code.
   */
  unsigned char ShellCode[] =
  {
   0xE8,0x00,0x00,0x00,0x00,0x5F,0x81,0xEF,0x1E,0x10,0x40,0x00,0x8D,0x87,0x94,0x10,
   0x40,0x00,0x50,0xE8,0x83,0x00,0x00,0x00,0x8D,0x87,0xA5,0x10,0x40,0x00,0x50,0xE8,
   0x77,0x00,0x00,0x00,0x2B,0xC0,0x50,0x8D,0x9F,0x83,0x10,0x40,0x00,0x53,0x8D,0x9F,
   0x5E,0x10,0x40,0x00,0x53,0x50,0xFF,0x97,0xAC,0x10,0x40,0x00,0x6A,0x00,0xFF,0x97,
   0x9D,0x10,0x40,0x00,0xC3,0x5B,0x2A,0x5D,0x20,0x48,0x65,0x6C,0x6C,0x6F,0x20,0x57,
   0x6F,0x72,0x6C,0x64,0x20,0x43,0x6F,0x64,0x65,0x72,0x21,0x20,0x28,0x43,0x29,0x20,
   0x41,0x6E,0x73,0x6B,0x79,0x61,0x2E,0x0D,0x0A,0x00,0x4D,0x73,0x67,0x42,0x6F,0x78,
   0x20,0x42,0x79,0x20,0x41,0x6E,0x73,0x6B,0x79,0x61,0x00,0x6B,0x65,0x72,0x6E,0x65,
   0x6C,0x33,0x32,0x00,0x01,0x92,0x8F,0x05,0x00,0x00,0x00,0x00,0x75,0x73,0x65,0x72,
   0x33,0x32,0x00,0xF7,0x6C,0x55,0xD8,0x00,0x00,0x00,0x00,0x60,0x8B,0x74,0x24,0x24,
   0xE8,0x97,0x00,0x00,0x00,0x68,0xAD,0xD1,0x34,0x41,0x50,0xE8,0x1F,0x00,0x00,0x00,
   0x56,0xFF,0xD0,0x8B,0xD8,0x2B,0xC0,0xAC,0x84,0xC0,0x75,0xFB,0x8B,0xFE,0xAD,0x85,
   0xC0,0x74,0x0A,0x50,0x53,0xE8,0x05,0x00,0x00,0x00,0xAB,0xEB,0xF1,0x61,0xC3,0x60,
   0x8B,0x5C,0x24,0x24,0x8B,0x74,0x24,0x28,0x2B,0xED,0x8B,0xD3,0x03,0x52,0x3C,0x8B,
   0x52,0x78,0x03,0xD3,0x8B,0x42,0x18,0x8B,0x7A,0x1C,0x03,0xFB,0x8B,0x7A,0x20,0x03,
   0xFB,0x52,0x8B,0xD7,0x8B,0x17,0x03,0xD3,0x45,0x60,0x8B,0xF2,0x2B,0xC9,0xAC,0x41,
   0x84,0xC0,0x75,0xFA,0x89,0x4C,0x24,0x18,0x61,0x60,0x2B,0xC0,0xE8,0x51,0x00,0x00,
   0x00,0x3B,0xC6,0x61,0x74,0x08,0x83,0xC7,0x04,0x48,0x74,0x18,0xEB,0xD6,0x5A,0x4D,
   0x8B,0x4A,0x24,0x03,0xCB,0x0F,0xB7,0x04,0x69,0x8B,0x6A,0x1C,0x03,0xEB,0x8B,0x44,
   0x85,0x00,0x03,0xC3,0x89,0x44,0x24,0x1C,0x61,0xC2,0x08,0x00,0x60,0x2B,0xC0,0x64,
   0x8B,0x40,0x30,0x85,0xC0,0x78,0x0C,0x8B,0x40,0x0C,0x8B,0x70,0x1C,0xAD,0x8B,0x40,
   0x08,0xEB,0x09,0x8B,0x40,0x34,0x8D,0x40,0x7C,0x8B,0x40,0x3C,0x89,0x44,0x24,0x1C,
   0x61,0xC3,0x60,0xE3,0x18,0xF7,0xD0,0x32,0x02,0x42,0xB3,0x08,0xD1,0xE8,0x73,0x05,
   0x35,0x20,0x83,0xB8,0xED,0xFE,0xCB,0x75,0xF3,0xE2,0xEC,0xF7,0xD0,0x89,0x44,0x24,
   0x1C,0x61,0xC3
  };

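int main()
{
  /*
   * Reinterpret the ShellCode byte array as a void(void) function and call it.
   *
   * The original line, `(void (*) (void) )&ShellCode();`, does not express
   * that: the postfix call operator binds tighter than unary `&`, so the
   * compiler sees `ShellCode()` (calling an array, which is a constraint
   * violation) and the cast would apply to a value that is never called.
   * The cast has to wrap the array expression itself, and the resulting
   * function pointer is then invoked.
   *
   * ShellCode is a non-const global, so it lives in a writable data section;
   * on a build where that section is not executable (DEP/NX) the call faults
   * instead of running.  Nothing here validates the bytes being jumped to.
   */
  ((void (*)(void))ShellCode)();
  return 0;
}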

[/code]

反汇编一下就可以发现了~其实最后那个代码的意思就是
将ShellCode数组转换成指针，然后再将数组指针转换成过程指针，
然后再强行调用这个过程指针
在汇编下就是
[code]
lea eax,ShellCode   ; eax = address of the ShellCode array (resolved at link time when the array sits in the same module)
call eax            ; transfer control into the array; faults if its section is not executable (DEP/NX)
[/code]
好了~既然知道原理了我们再来写Delphi的也比较容易了
[code]
asm
  lea eax,ShellCode   // eax := address of the ShellCode constant
  call eax            // call into the byte array as if it were a parameterless procedure
end;
[/code]
这样我们就写好了调用方法

什么?这个是汇编?你要的是纯正的Delphi代码?靠~当然这也可以做到了
思路有了~将数组转换成指针,然后将指针转换成过程指针,然后调用过程!
Ok于是我们就有了以下的代码
[code]
{
  ShellCode Loader For Delphi
  Coded By Anskya
  Email:Anskya@Gmail.com
}
program ShellCodeLoader;

const

  { 387 raw x86 bytes - the same payload as the C listing above.  They embed
    the strings "[*] Hello World Coder! (C) Anskya.", "MsgBox By Anskya",
    "kernel32" and "user32"; the author states that running it shows a
    message box.  A typed constant is stored as data, not code, so the call
    at the bottom faults on a build whose data section is not executable.
    Nothing in this program validates the bytes. }
  ShellCode:Array [0..386] of Byte =
  (
   $E8,$00,$00,$00,$00,$5F,$81,$EF,$1E,$10,$40,$00,$8D,$87,$94,$10,
   $40,$00,$50,$E8,$83,$00,$00,$00,$8D,$87,$A5,$10,$40,$00,$50,$E8,
   $77,$00,$00,$00,$2B,$C0,$50,$8D,$9F,$83,$10,$40,$00,$53,$8D,$9F,
   $5E,$10,$40,$00,$53,$50,$FF,$97,$AC,$10,$40,$00,$6A,$00,$FF,$97,
   $9D,$10,$40,$00,$C3,$5B,$2A,$5D,$20,$48,$65,$6C,$6C,$6F,$20,$57,
   $6F,$72,$6C,$64,$20,$43,$6F,$64,$65,$72,$21,$20,$28,$43,$29,$20,
   $41,$6E,$73,$6B,$79,$61,$2E,$0D,$0A,$00,$4D,$73,$67,$42,$6F,$78,
   $20,$42,$79,$20,$41,$6E,$73,$6B,$79,$61,$00,$6B,$65,$72,$6E,$65,
   $6C,$33,$32,$00,$01,$92,$8F,$05,$00,$00,$00,$00,$75,$73,$65,$72,
   $33,$32,$00,$F7,$6C,$55,$D8,$00,$00,$00,$00,$60,$8B,$74,$24,$24,
   $E8,$97,$00,$00,$00,$68,$AD,$D1,$34,$41,$50,$E8,$1F,$00,$00,$00,
   $56,$FF,$D0,$8B,$D8,$2B,$C0,$AC,$84,$C0,$75,$FB,$8B,$FE,$AD,$85,
   $C0,$74,$0A,$50,$53,$E8,$05,$00,$00,$00,$AB,$EB,$F1,$61,$C3,$60,
   $8B,$5C,$24,$24,$8B,$74,$24,$28,$2B,$ED,$8B,$D3,$03,$52,$3C,$8B,
   $52,$78,$03,$D3,$8B,$42,$18,$8B,$7A,$1C,$03,$FB,$8B,$7A,$20,$03,
   $FB,$52,$8B,$D7,$8B,$17,$03,$D3,$45,$60,$8B,$F2,$2B,$C9,$AC,$41,
   $84,$C0,$75,$FA,$89,$4C,$24,$18,$61,$60,$2B,$C0,$E8,$51,$00,$00,
   $00,$3B,$C6,$61,$74,$08,$83,$C7,$04,$48,$74,$18,$EB,$D6,$5A,$4D,
   $8B,$4A,$24,$03,$CB,$0F,$B7,$04,$69,$8B,$6A,$1C,$03,$EB,$8B,$44,
   $85,$00,$03,$C3,$89,$44,$24,$1C,$61,$C2,$08,$00,$60,$2B,$C0,$64,
   $8B,$40,$30,$85,$C0,$78,$0C,$8B,$40,$0C,$8B,$70,$1C,$AD,$8B,$40,
   $08,$EB,$09,$8B,$40,$34,$8D,$40,$7C,$8B,$40,$3C,$89,$44,$24,$1C,
   $61,$C3,$60,$E3,$18,$F7,$D0,$32,$02,$42,$B3,$08,$D1,$E8,$73,$05,
   $35,$20,$83,$B8,$ED,$FE,$CB,$75,$F3,$E2,$EC,$F7,$D0,$89,$44,$24,
   $1C,$61,$C3
  );

var
  ShellCodeProc: procedure;  { procedural variable through which the byte array is called }

begin
  { Take the address of the constant and treat it as a parameterless
    procedure - the pure-Delphi equivalent of "lea eax,ShellCode / call eax". }
  ShellCodeProc := @ShellCode;
  ShellCodeProc();
end.
[/code]
代码执行后显示一个对话框~如果不执行和跟踪谁又知道我里面写了什么呢~
呵呵~文章到此结束~希望大家玩的愉快~谢谢大家这么长时间的支持和帮助~
转载请保留版权: By [email]Anskya@Gmail.com[/email]

sunlion 2006-5-31 15:58

asm
lea eax,ShellCode
call eax
end

这个对于之前定义好的shellcode是可以运行的，因为定义的shellcode与程序在同一个段内，段地址一样，只取偏移地址 lea eax,shellcode，然后调用 call eax 就可以了。但如果你是在程序中重新分配了一个新的 newshellcode（newshellcode = new char[];），那么 lea eax,newshellcode 这个方法就不行了：lea 取到的是指针变量 newshellcode 本身的地址，而不是它所指向的缓冲区 :)
这种情况下就得用 mov eax,newshellcode（把指针变量里保存的缓冲区地址装入 eax）
