‹‹ 上一主题 | 下一主题 ››
发新话题
打印

[原创]多种语言的ShellCode Loader

Anskya

技术核心组

Rank: 8Rank: 8

E.S.T核心成员

帖子
63 
精华
8 
积分
3922 
阅读权限
200 
在线时间
36 小时 
注册时间
2004-11-17 
最后登录
2009-1-6 
楼主 发表于 2006-5-31 11:55  只看该作者

[原创]多种语言的ShellCode Loader

文章作者:Anskya(Anskya@Gmail.com
信息来源:邪恶八进制信息安全团队(www.eviloctal.com

明天就封闭式手术~远离网络了~写点什么玩玩吧......
无聊之作~绝对无聊之作 转载请保留版权: By Anskya 谢谢~

大家经常拿到ShellCode代码~可是如何去执行他呢?
这个问题郁闷吧~不过没关系~后来有人公开了~~
平常情况下~C语言写的ShellCode都是按照以下方式加载的

C语言:
复制内容到剪贴板
代码:
#include <windows.h>

  unsigned char ShellCode[] =
  {
   0xE8,0x00,0x00,0x00,0x00,0x5F,0x81,0xEF,0x1E,0x10,0x40,0x00,0x8D,0x87,0x94,0x10,
   0x40,0x00,0x50,0xE8,0x83,0x00,0x00,0x00,0x8D,0x87,0xA5,0x10,0x40,0x00,0x50,0xE8,
   0x77,0x00,0x00,0x00,0x2B,0xC0,0x50,0x8D,0x9F,0x83,0x10,0x40,0x00,0x53,0x8D,0x9F,
   0x5E,0x10,0x40,0x00,0x53,0x50,0xFF,0x97,0xAC,0x10,0x40,0x00,0x6A,0x00,0xFF,0x97,
   0x9D,0x10,0x40,0x00,0xC3,0x5B,0x2A,0x5D,0x20,0x48,0x65,0x6C,0x6C,0x6F,0x20,0x57,
   0x6F,0x72,0x6C,0x64,0x20,0x43,0x6F,0x64,0x65,0x72,0x21,0x20,0x28,0x43,0x29,0x20,
   0x41,0x6E,0x73,0x6B,0x79,0x61,0x2E,0x0D,0x0A,0x00,0x4D,0x73,0x67,0x42,0x6F,0x78,
   0x20,0x42,0x79,0x20,0x41,0x6E,0x73,0x6B,0x79,0x61,0x00,0x6B,0x65,0x72,0x6E,0x65,
   0x6C,0x33,0x32,0x00,0x01,0x92,0x8F,0x05,0x00,0x00,0x00,0x00,0x75,0x73,0x65,0x72,
   0x33,0x32,0x00,0xF7,0x6C,0x55,0xD8,0x00,0x00,0x00,0x00,0x60,0x8B,0x74,0x24,0x24,
   0xE8,0x97,0x00,0x00,0x00,0x68,0xAD,0xD1,0x34,0x41,0x50,0xE8,0x1F,0x00,0x00,0x00,
   0x56,0xFF,0xD0,0x8B,0xD8,0x2B,0xC0,0xAC,0x84,0xC0,0x75,0xFB,0x8B,0xFE,0xAD,0x85,
   0xC0,0x74,0x0A,0x50,0x53,0xE8,0x05,0x00,0x00,0x00,0xAB,0xEB,0xF1,0x61,0xC3,0x60,
   0x8B,0x5C,0x24,0x24,0x8B,0x74,0x24,0x28,0x2B,0xED,0x8B,0xD3,0x03,0x52,0x3C,0x8B,
   0x52,0x78,0x03,0xD3,0x8B,0x42,0x18,0x8B,0x7A,0x1C,0x03,0xFB,0x8B,0x7A,0x20,0x03,
   0xFB,0x52,0x8B,0xD7,0x8B,0x17,0x03,0xD3,0x45,0x60,0x8B,0xF2,0x2B,0xC9,0xAC,0x41,
   0x84,0xC0,0x75,0xFA,0x89,0x4C,0x24,0x18,0x61,0x60,0x2B,0xC0,0xE8,0x51,0x00,0x00,
   0x00,0x3B,0xC6,0x61,0x74,0x08,0x83,0xC7,0x04,0x48,0x74,0x18,0xEB,0xD6,0x5A,0x4D,
   0x8B,0x4A,0x24,0x03,0xCB,0x0F,0xB7,0x04,0x69,0x8B,0x6A,0x1C,0x03,0xEB,0x8B,0x44,
   0x85,0x00,0x03,0xC3,0x89,0x44,0x24,0x1C,0x61,0xC2,0x08,0x00,0x60,0x2B,0xC0,0x64,
   0x8B,0x40,0x30,0x85,0xC0,0x78,0x0C,0x8B,0x40,0x0C,0x8B,0x70,0x1C,0xAD,0x8B,0x40,
   0x08,0xEB,0x09,0x8B,0x40,0x34,0x8D,0x40,0x7C,0x8B,0x40,0x3C,0x89,0x44,0x24,0x1C,
   0x61,0xC3,0x60,0xE3,0x18,0xF7,0xD0,0x32,0x02,0x42,0xB3,0x08,0xD1,0xE8,0x73,0x05,
   0x35,0x20,0x83,0xB8,0xED,0xFE,0xCB,0x75,0xF3,0xE2,0xEC,0xF7,0xD0,0x89,0x44,0x24,
   0x1C,0x61,0xC3
  };

int main()
{
  (void (*) (void) )&ShellCode();
  return 0;
}
反汇编一下就可以发现了~其实最后那个代码的意思就是
将ShellCode数组转换成指针然后在将数组指针转换成过程指针
然后再强行调用这个过程指针
在汇编下就是
复制内容到剪贴板
代码:
lea eax,ShellCode
call eax
好了~既然知道原理了我们再来写Delphi的也比较容易了
复制内容到剪贴板
代码:
asm
  lea eax,ShellCode
  call eax
end;
这样我们就写好了调用方法

什么?这个是汇编?你要的是纯正的Delphi代码?靠~当然这也可以做到了
思路有了~将数组转换成指针,然后将指针转换成过程指针,然后调用过程!
Ok于是我们就有了以下的代码
复制内容到剪贴板
代码:
{
  ShellCode Loader For Delphi
  Coded By Anskya
  Email:Anskya@Gmail.com
}
program ShellCodeLoader;

const

  ShellCode:Array [0..386] of Byte =
  (
   $E8,$00,$00,$00,$00,$5F,$81,$EF,$1E,$10,$40,$00,$8D,$87,$94,$10,
   $40,$00,$50,$E8,$83,$00,$00,$00,$8D,$87,$A5,$10,$40,$00,$50,$E8,
   $77,$00,$00,$00,$2B,$C0,$50,$8D,$9F,$83,$10,$40,$00,$53,$8D,$9F,
   $5E,$10,$40,$00,$53,$50,$FF,$97,$AC,$10,$40,$00,$6A,$00,$FF,$97,
   $9D,$10,$40,$00,$C3,$5B,$2A,$5D,$20,$48,$65,$6C,$6C,$6F,$20,$57,
   $6F,$72,$6C,$64,$20,$43,$6F,$64,$65,$72,$21,$20,$28,$43,$29,$20,
   $41,$6E,$73,$6B,$79,$61,$2E,$0D,$0A,$00,$4D,$73,$67,$42,$6F,$78,
   $20,$42,$79,$20,$41,$6E,$73,$6B,$79,$61,$00,$6B,$65,$72,$6E,$65,
   $6C,$33,$32,$00,$01,$92,$8F,$05,$00,$00,$00,$00,$75,$73,$65,$72,
   $33,$32,$00,$F7,$6C,$55,$D8,$00,$00,$00,$00,$60,$8B,$74,$24,$24,
   $E8,$97,$00,$00,$00,$68,$AD,$D1,$34,$41,$50,$E8,$1F,$00,$00,$00,
   $56,$FF,$D0,$8B,$D8,$2B,$C0,$AC,$84,$C0,$75,$FB,$8B,$FE,$AD,$85,
   $C0,$74,$0A,$50,$53,$E8,$05,$00,$00,$00,$AB,$EB,$F1,$61,$C3,$60,
   $8B,$5C,$24,$24,$8B,$74,$24,$28,$2B,$ED,$8B,$D3,$03,$52,$3C,$8B,
   $52,$78,$03,$D3,$8B,$42,$18,$8B,$7A,$1C,$03,$FB,$8B,$7A,$20,$03,
   $FB,$52,$8B,$D7,$8B,$17,$03,$D3,$45,$60,$8B,$F2,$2B,$C9,$AC,$41,
   $84,$C0,$75,$FA,$89,$4C,$24,$18,$61,$60,$2B,$C0,$E8,$51,$00,$00,
   $00,$3B,$C6,$61,$74,$08,$83,$C7,$04,$48,$74,$18,$EB,$D6,$5A,$4D,
   $8B,$4A,$24,$03,$CB,$0F,$B7,$04,$69,$8B,$6A,$1C,$03,$EB,$8B,$44,
   $85,$00,$03,$C3,$89,$44,$24,$1C,$61,$C2,$08,$00,$60,$2B,$C0,$64,
   $8B,$40,$30,$85,$C0,$78,$0C,$8B,$40,$0C,$8B,$70,$1C,$AD,$8B,$40,
   $08,$EB,$09,$8B,$40,$34,$8D,$40,$7C,$8B,$40,$3C,$89,$44,$24,$1C,
   $61,$C3,$60,$E3,$18,$F7,$D0,$32,$02,$42,$B3,$08,$D1,$E8,$73,$05,
   $35,$20,$83,$B8,$ED,$FE,$CB,$75,$F3,$E2,$EC,$F7,$D0,$89,$44,$24,
   $1C,$61,$C3
  );

var
  ShellCodeProc: procedure;

begin
  ShellCodeProc := @ShellCode;
  ShellCodeProc();
end.
代码执行后显示一个对话框~如果不执行和跟踪谁又知道我里面写了什么呢~
呵呵~文章到此结束~希望大家玩的愉快~谢谢大家这么长时间的支持和帮助~
转载请保留版权: By Anskya@Gmail.com

TOP

sunlion

技术核心组

Rank: 8Rank: 8

E.S.T核心成员

帖子
337 
精华
28 
积分
4204 
阅读权限
200 
性别
男 
在线时间
434 小时 
注册时间
2004-7-22 
最后登录
2008-12-3 

资料收集奖 原创技术奖

沙发 发表于 2006-5-31 15:58  只看该作者
asm
lea eax,ShellCode
call eax
end

这个对于是之前定义好的shellcode,是可以运行的,因为定义的shellcode与程序在同一个段内,段地址一样,只取偏移地址lea eax,shellcode,然后调用call eax,就可以 了,但是如果你是在程序中从新分配了一个新的newshellcode的话( newshellcode = new char[];),在leax  eax ,newshellcode,这个方法就不行了:)
这样的情况就得,mov eax,newshellcode
垃圾一个,00...

TOP

‹‹ 上一主题 | 下一主题 ››
发新话题