实战编写shellcode

最新推荐文章于 2024-05-13 10:45:14 发布
最新推荐文章于 2024-05-13 10:45:14 发布
阅读量1k 收藏 7
点赞数
CC 4.0 BY-SA版权
分类专栏: Windows应用层安全 shellcode 汇编 文章标签: 安全 windows
本文为博主原创文章,未经允许禁止转载!
本文链接:https://blog.csdn.net/Think88666/article/details/129433087
本文探讨了shellcode的概念,它是一种利用软件漏洞执行的16进制机器码,通常用于获取系统的shell。在编写shellcode时,需注意避免使用全局变量、常量字符串和直接调用系统函数,而是通过动态查找PEB和EAT来实现功能。文中还介绍了基本原理,并展示了如何编写不依赖特定环境的shellcode。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

 前言

shellcode是一段用于利用软件漏洞而执行的代码,shellcode为16进制的机器码,因为经常让攻击者获得shell而得名。shellcode常常使用机器语言编写。 可在暂存器eip溢出后,塞入一段可让CPU执行的shellcode机器码,让电脑可以执行攻击者的任意指令。

有时候要想不被杀软干掉,还得是shellcode

正文

注意事项:

1、不能有全局变量、静态变量等。因为在shellcode中我们只有代码段,也就是所有的变量都保存在栈中或者申请动态内存,而常量、全局变量等一般保存在 .data,.rdata等段,这些是shellcode所不能依赖的。

2、不能使用常量字符串。理由已经在1中讲了。

3、不能直接调用系统函数。我们生成的shellcode母体文件是不能有导入表的,不能依赖于IAT,我们所调用的函数得动态从宿主进程中通过PEB搜索系统模块。

4、不能嵌套调用其他函数。也就是我们在编写shellcode时不能调用自己封装的函数,当然也可以,得强制内联,还是那句话,我们的shellcode得运行在任意的进程中,不能依赖于任何环境,自己的函数地址在不同的进程中其地址也是不同的。

基本原理讲解:

1、宿主进程必然会加载ntdll和kernel32,至少会加载ntdll,我们可以从宿主的PEB中拿到ntdll或者kernel32的模块基地址。

2、再遍历其模块的EAT(Export Address table)拿到如LoadLibrary、GetProcAddress之类的函数地址。

3、此时就可以动态的调用任何模块任何函数了。
 

我们上手写一套代码:


#include "../../../include/shellcode/CShellCode.h"



typedef VOID(WINAPI*pFn_OutputDebugStringW)(_In_opt_ LPCWSTR lpOutputString);
typedef int (WINAPI* pFn_MessageBoxW)(_In_opt_ HWND hWnd, _In_opt_ LPCWSTR lpText, _In_opt_ LPCWSTR lpCaption, _In_ UINT uType);

int EntryMain()
{

	//为了示范,加载User32.dll,这个库不一定会被进程加载呀
	WCHAR wzUser32[] = {'U', 's', 'e', 'r', '3', '2', '.', 'd', 'l', 'l', '\0'};
	CHAR szMessagebox[] = {'M', 'e', 's', 's', 'a', 'g', 'e', 'B', 'o', 'x', 'W', '\0'};
	WCHAR wzKernel32[] = {'K', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l', '\0'};
	CHAR szOutput[] = {'O', 'u', 't', 'p', 'u', 't', 'D', 'e', 'b', 'u', 'g', 'S', 't', 'r', 'i', 'n', 'g', 'W', '\0'};

	//拿到模块的基地址
	PVOID pKernel32 = CShellCode::SCGetModuleHandle(wzKernel32);
	PVOID pUser32 = CShellCode::SCGetModuleHandle(wzUser32);

	if (pKernel32)
	{
		//检索函数地址
		//pFn_OutputDebugStringW pOutputDebugString = (pFn_OutputDebugStringW)CShellCode::SCGetProcAddress(pKernel32, "OutputDebugstringW");
		pFn_OutputDebugStringW pOutput = (pFn_OutputDebugStringW)CShellCode::SCGetProcAddress(pKernel32, szOutput);
		if (pOutput);
		{
			pOutput(wzUser32);
			pOutput(wzKernel32);
		}
	}

	if (pUser32)
	{
		pFn_MessageBoxW pMessageBoxW = (pFn_MessageBoxW)CShellCode::SCGetProcAddress(pUser32, szMessagebox);
		if (pMessageBoxW)
		{
			pMessageBoxW(NULL, wzUser32, wzUser32, MB_OK);
		}
	}

	return 0;
}

在此,我们还要做一些配置才行,否则生成的shellcode还是会依赖于母体PE文件的环境。

    

 编译后的文件PE信息:

编写出来的PE文件只能有一个函数

编写一个调用demo

// ShellCodeLoader.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//

#include <windows.h>
#include <stdio.h>


typedef int (*pFn_EntryMain)();

int main()
{
	//为做测试,引入User32.dll库
	MessageBox(NULL, L"start", L"tip", MB_OK);
	//
	char szShellCode[] = { 0x55,0x8B,0xEC,0x81,0xEC,0x9C,0x01,0x00,0x00,0xB8,0x55,0x00,0x00,0x00,0x66,0x89,0x85,0xC0,0xFE,0xFF,0xFF,0xB9,0x73,0x00,0x00,0x00,0x66,0x89,0x8D,0xC2,0xFE,0xFF,0xFF,0xBA,0x65,0x00,0x00,0x00,0x66,0x89,0x95,0xC4,0xFE,0xFF,0xFF,0xB8,0x72,0x00,0x00,0x00,0x66,0x89,0x85,0xC6,0xFE,0xFF,0xFF,0xB9,0x33,0x00,0x00,0x00,0x66,0x89,0x8D,0xC8,0xFE,0xFF,0xFF,0xBA,0x32,0x00,0x00,0x00,0x66,0x89,0x95,0xCA,0xFE,0xFF,0xFF,0xB8,0x2E,0x00,0x00,0x00,0x66,0x89,0x85,0xCC,0xFE,0xFF,0xFF,0xB9,0x64,0x00,0x00,0x00,0x66,0x89,0x8D,0xCE,0xFE,0xFF,0xFF,0xBA,0x6C,0x00,0x00,0x00,0x66,0x89,0x95,0xD0,0xFE,0xFF,0xFF,0xB8,0x6C,0x00,0x00,0x00,0x66,0x89,0x85,0xD2,0xFE,0xFF,0xFF,0x33,0xC9,0x66,0x89,0x8D,0xD4,0xFE,0xFF,0xFF,0xC6,0x85,0x64,0xFF,0xFF,0xFF,0x4D,0xC6,0x85,0x65,0xFF,0xFF,0xFF,0x65,0xC6,0x85,0x66,0xFF,0xFF,0xFF,0x73,0xC6,0x85,0x67,0xFF,0xFF,0xFF,0x73,0xC6,0x85,0x68,0xFF,0xFF,0xFF,0x61,0xC6,0x85,0x69,0xFF,0xFF,0xFF,0x67,0xC6,0x85,0x6A,0xFF,0xFF,0xFF,0x65,0xC6,0x85,0x6B,0xFF,0xFF,0xFF,0x42,0xC6,0x85,0x6C,0xFF,0xFF,0xFF,0x6F,0xC6,0x85,0x6D,0xFF,0xFF,0xFF,0x78,0xC6,0x85,0x6E,0xFF,0xFF,0xFF,0x57,0xC6,0x85,0x6F,0xFF,0xFF,0xFF,0x00,0xBA,0x4B,0x00,0x00,0x00,0x66,0x89,0x95,0xA4,0xFE,0xFF,0xFF,0xB8,0x65,0x00,0x00,0x00,0x66,0x89,0x85,0xA6,0xFE,0xFF,0xFF,0xB9,0x72,0x00,0x00,0x00,0x66,0x89,0x8D,0xA8,0xFE,0xFF,0xFF,0xBA,0x6E,0x00,0x00,0x00,0x66,0x89,0x95,0xAA,0xFE,0xFF,0xFF,0xB8,0x65,0x00,0x00,0x00,0x66,0x89,0x85,0xAC,0xFE,0xFF,0xFF,0xB9,0x6C,0x00,0x00,0x00,0x66,0x89,0x8D,0xAE,0xFE,0xFF,0xFF,0xBA,0x33,0x00,0x00,0x00,0x66,0x89,0x95,0xB0,0xFE,0xFF,0xFF,0xB8,0x32,0x00,0x00,0x00,0x66,0x89,0x85,0xB2,0xFE,0xFF,0xFF,0xB9,0x2E,0x00,0x00,0x00,0x66,0x89,0x8D,0xB4,0xFE,0xFF,0xFF,0xBA,0x64,0x00,0x00,0x00,0x66,0x89,0x95,0xB6,0xFE,0xFF,0xFF,0xB8,0x6C,0x00,0x00,0x00,0x66,0x89,0x85,0xB8,0xFE,0xFF,0xFF,0xB9,0x6C,0x00,0x00,0x00,0x66,0x89,0x8D,0xBA,0xFE,0xFF,0xFF,0x33,0xD2,0x66,0x89,0x95,0xBC,0xFE,0xFF,0xFF,0xC6,0x85,0x50,0xFF,0xFF,0xFF,0x4F,0xC6,0x85,0x51,0xFF,0xFF,0xFF,0x75,0xC6,0x85,0x52,0xFF,0xFF,0xFF,0x74,0xC6,0x85,0x53,0xFF,0xFF,0xFF,0x70,0xC6,0x85,0x54,0xFF,0xFF,0xFF,0x75,0xC6,0x85,0x55,0xFF,0xFF,0xFF,0x74,0xC6,0x85,0x56,0xFF,0xFF,0xFF,0x44,0xC6,0x85,0x57,0xFF,0xFF,0xFF,0x65,0xC6,0x85,0x58,0xFF,0xFF,0xFF,0x62,0xC6,0x85,0x59,0xFF,0xFF,0xFF,0x75,0xC6,0x85,0x5A,0xFF,0xFF,0xFF,0x67,0xC6,0x85,0x5B,0xFF,0xFF,0xFF,0x53,0xC6,0x85,0x5C,0xFF,0xFF,0xFF,0x74,0xC6,0x85,0x5D,0xFF,0xFF,0xFF,0x72,0xC6,0x85,0x5E,0xFF,0xFF,0xFF,0x69,0xC6,0x85,0x5F,0xFF,0xFF,0xFF,0x6E,0xC6,0x85,0x60,0xFF,0xFF,0xFF,0x67,0xC6,0x85,0x61,0xFF,0xFF,0xFF,0x57,0xC6,0x85,0x62,0xFF,0xFF,0xFF,0x00,0xC7,0x85,0x3C,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0x33,0xC0,0x64,0xA1,0x30,0x00,0x00,0x00,0x89,0x45,0x8C,0x83,0x7D,0x8C,0x00,0x74,0x0F,0x83,0x7D,0x8C,0x00,0x74,0x17,0x8B,0x45,0x8C,0x83,0x78,0x0C,0x00,0x75,0x0E,0x8B,0x8D,0x3C,0xFF,0xFF,0xFF,0x89,0x4D,0xDC,0xE9,0x0C,0x03,0x00,0x00,0xC7,0x85,0x40,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0xC7,0x85,0xF8,0xFE,0xFF,0xFF,0x00,0x00,0x00,0x00,0xC7,0x45,0xBC,0x00,0x00,0x00,0x00,0x8B,0x55,0x8C,0x8B,0x42,0x0C,0x83,0xC0,0x14,0x89,0x85,0xF8,0xFE,0xFF,0xFF,0x8B,0x8D,0xF8,0xFE,0xFF,0xFF,0x89,0x4D,0xBC,0x8B,0x55,0xBC,0x83,0x3A,0x00,0x0F,0x84,0xC4,0x02,0x00,0x00,0x8B,0x45,0xBC,0x8B,0x08,0x3B,0x8D,0xF8,0xFE,0xFF,0xFF,0x0F,0x84,0xB3,0x02,0x00,0x00,0x8B,0x55,0xBC,0x8B,0x02,0x89,0x45,0xBC,0x8B,0x4D,0xBC,0x83,0xE9,0x08,0x89,0x8D,0x40,0xFF,0xFF,0xFF,0x8B,0x95,0x40,0xFF,0xFF,0xFF,0x83,0xC2,0x24,0x89,0x55,0x88,0x33,0xC0,0x89,0x85,0x78,0xFF,0xFF,0xFF,0x89,0x85,0x7C,0xFF,0xFF,0xFF,0x8D,0x8D,0xA4,0xFE,0xFF,0xFF,0x89,0x8D,0x7C,0xFF,0xFF,0xFF,0x8D,0x95,0xA4,0xFE,0xFF,0xFF,0x89,0x95,0xF4,0xFE,0xFF,0xFF,0xC7,0x85,0x4C,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0x8B,0x85,0xF4,0xFE,0xFF,0xFF,0x0F,0xB7,0x08,0x89,0x8D,0xA0,0xFE,0xFF,0xFF,0x8B,0x95,0xF4,0xFE,0xFF,0xFF,0x83,0xC2,0x02,0x89,0x95,0xF4,0xFE,0xFF,0xFF,0x83,0xBD,0xA0,0xFE,0xFF,0xFF,0x00,0x74,0x11,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x83,0xC0,0x01,0x89,0x85,0x4C,0xFF,0xFF,0xFF,0xEB,0xC8,0x8B,0x8D,0x4C,0xFF,0xFF,0xFF,0xD1,0xE1,0x66,0x89,0x8D,0x78,0xFF,0xFF,0xFF,0x66,0x8B,0x95,0x78,0xFF,0xFF,0xFF,0x66,0x89,0x95,0x7A,0xFF,0xFF,0xFF,0x83,0x7D,0x88,0x00,0x74,0x0A,0x8D,0x85,0x78,0xFF,0xFF,0xFF,0x85,0xC0,0x75,0x0C,0xC7,0x45,0xB4,0xFF,0xFF,0xFF,0xFF,0xE9,0xD6,0x01,0x00,0x00,0x8B,0x4D,0x88,0x0F,0xB7,0x11,0xD1,0xEA,0x89,0x95,0x48,0xFF,0xFF,0xFF,0x0F,0xB7,0x85,0x78,0xFF,0xFF,0xFF,0xD1,0xE8,0x89,0x45,0xCC,0x8B,0x8D,0x48,0xFF,0xFF,0xFF,0x3B,0x4D,0xCC,0x7D,0x0C,0xC7,0x45,0xB4,0xFF,0xFF,0xFF,0xFF,0xE9,0xA5,0x01,0x00,0x00,0x8B,0x95,0x7C,0xFF,0xFF,0xFF,0x89,0x95,0xE0,0xFE,0xFF,0xFF,0xB8,0x01,0x00,0x00,0x00,0x85,0xC0,0x0F,0x84,0x05,0x01,0x00,0x00,0xC7,0x45,0xE4,0x00,0x00,0x00,0x00,0xEB,0x09,0x8B,0x4D,0xE4,0x83,0xC1,0x01,0x89,0x4D,0xE4,0x8B,0x95,0x48,0xFF,0xFF,0xFF,0x2B,0x55,0xCC,0x39,0x55,0xE4,0x0F,0x8F,0xDC,0x00,0x00,0x00,0x8B,0x45,0x88,0x8B,0x48,0x04,0x8B,0x55,0xE4,0x8D,0x04,0x51,0x89,0x85,0x44,0xFF,0xFF,0xFF,0xC7,0x45,0xEC,0x00,0x00,0x00,0x00,0xEB,0x09,0x8B,0x4D,0xEC,0x83,0xC1,0x01,0x89,0x4D,0xEC,0x8B,0x55,0xEC,0x3B,0x55,0xCC,0x0F,0x8D,0x94,0x00,0x00,0x00,0x8B,0x45,0xEC,0x8B,0x8D,0xE0,0xFE,0xFF,0xFF,0x66,0x8B,0x14,0x41,0x66,0x89,0x55,0xF8,0x8B,0x45,0xEC,0x8B,0x8D,0x44,0xFF,0xFF,0xFF,0x66,0x8B,0x14,0x41,0x66,0x89,0x55,0xFC,0x0F,0xB7,0x45,0xFC,0x0F,0xB7,0x4D,0xF8,0x3B,0xC1,0x75,0x0C,0xC7,0x85,0xE4,0xFE,0xFF,0xFF,0x00,0x00,0x00,0x00,0xEB,0x4A,0x0F,0xB7,0x55,0xFC,0x83,0xFA,0x61,0x7C,0x14,0x0F,0xB7,0x45,0xFC,0x83,0xF8,0x7A,0x7F,0x0B,0x0F,0xB7,0x4D,0xFC,0x83,0xE9,0x20,0x66,0x89,0x4D,0xFC,0x0F,0xB7,0x55,0xF8,0x83,0xFA,0x61,0x7C,0x14,0x0F,0xB7,0x45,0xF8,0x83,0xF8,0x7A,0x7F,0x0B,0x0F,0xB7,0x4D,0xF8,0x83,0xE9,0x20,0x66,0x89,0x4D,0xF8,0x0F,0xB7,0x55,0xFC,0x0F,0xB7,0x45,0xF8,0x2B,0xD0,0x89,0x95,0xE4,0xFE,0xFF,0xFF,0x83,0xBD,0xE4,0xFE,0xFF,0xFF,0x00,0x74,0x02,0xEB,0x05,0xE9,0x57,0xFF,0xFF,0xFF,0x8B,0x4D,0xEC,0x3B,0x4D,0xCC,0x75,0x0B,0x8B,0x55,0xE4,0x89,0x55,0xB4,0xE9,0x91,0x00,0x00,0x00,0xE9,0x09,0xFF,0xFF,0xFF,0xE9,0x80,0x00,0x00,0x00,0xC7,0x45,0xE4,0x00,0x00,0x00,0x00,0xEB,0x09,0x8B,0x45,0xE4,0x83,0xC0,0x01,0x89,0x45,0xE4,0x8B,0x8D,0x48,0xFF,0xFF,0xFF,0x2B,0x4D,0xCC,0x39,0x4D,0xE4,0x7F,0x60,0x8B,0x55,0x88,0x8B,0x42,0x04,0x8B,0x4D,0xE4,0x8D,0x14,0x48,0x89,0x95,0x44,0xFF,0xFF,0xFF,0xC7,0x45,0xEC,0x00,0x00,0x00,0x00,0xEB,0x09,0x8B,0x45,0xEC,0x83,0xC0,0x01,0x89,0x45,0xEC,0x8B,0x4D,0xEC,0x3B,0x4D,0xCC,0x7D,0x22,0x8B,0x55,0xEC,0x8B,0x85,0x44,0xFF,0xFF,0xFF,0x0F,0xB7,0x0C,0x50,0x8B,0x55,0xEC,0x8B,0x85,0xE0,0xFE,0xFF,0xFF,0x0F,0xB7,0x14,0x50,0x3B,0xCA,0x74,0x02,0xEB,0x02,0xEB,0xCD,0x8B,0x45,0xEC,0x3B,0x45,0xCC,0x75,0x08,0x8B,0x4D,0xE4,0x89,0x4D,0xB4,0xEB,0x09,0xEB,0x89,0xC7,0x45,0xB4,0xFF,0xFF,0xFF,0xFF,0x83,0x7D,0xB4,0xFF,0x7E,0x11,0x8B,0x95,0x40,0xFF,0xFF,0xFF,0x8B,0x42,0x18,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0xEB,0x05,0xE9,0x30,0xFD,0xFF,0xFF,0x8B,0x8D,0x3C,0xFF,0xFF,0xFF,0x89,0x4D,0xDC,0xC7,0x85,0x20,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0x33,0xC0,0x64,0xA1,0x30,0x00,0x00,0x00,0x89,0x45,0x84,0x83,0x7D,0x84,0x00,0x74,0x0F,0x83,0x7D,0x84,0x00,0x74,0x17,0x8B,0x55,0x84,0x83,0x7A,0x0C,0x00,0x75,0x0E,0x8B,0x85,0x20,0xFF,0xFF,0xFF,0x89,0x45,0xD8,0xE9,0x0C,0x03,0x00,0x00,0xC7,0x85,0x24,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0xC7,0x85,0x38,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0xC7,0x45,0xB8,0x00,0x00,0x00,0x00,0x8B,0x4D,0x84,0x8B,0x51,0x0C,0x83,0xC2,0x14,0x89,0x95,0x38,0xFF,0xFF,0xFF,0x8B,0x85,0x38,0xFF,0xFF,0xFF,0x89,0x45,0xB8,0x8B,0x4D,0xB8,0x83,0x39,0x00,0x0F,0x84,0xC4,0x02,0x00,0x00,0x8B,0x55,0xB8,0x8B,0x02,0x3B,0x85,0x38,0xFF,0xFF,0xFF,0x0F,0x84,0xB3,0x02,0x00,0x00,0x8B,0x4D,0xB8,0x8B,0x11,0x89,0x55,0xB8,0x8B,0x45,0xB8,0x83,0xE8,0x08,0x89,0x85,0x24,0xFF,0xFF,0xFF,0x8B,0x8D,0x24,0xFF,0xFF,0xFF,0x83,0xC1,0x24,0x89,0x4D,0x80,0x33,0xD2,0x89,0x95,0x70,0xFF,0xFF,0xFF,0x89,0x95,0x74,0xFF,0xFF,0xFF,0x8D,0x85,0xC0,0xFE,0xFF,0xFF,0x89,0x85,0x74,0xFF,0xFF,0xFF,0x8D,0x8D,0xC0,0xFE,0xFF,0xFF,0x89,0x8D,0x34,0xFF,0xFF,0xFF,0xC7,0x85,0x30,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0x8B,0x95,0x34,0xFF,0xFF,0xFF,0x0F,0xB7,0x02,0x89,0x85,0x78,0xFE,0xFF,0xFF,0x8B,0x8D,0x34,0xFF,0xFF,0xFF,0x83,0xC1,0x02,0x89,0x8D,0x34,0xFF,0xFF,0xFF,0x83,0xBD,0x78,0xFE,0xFF,0xFF,0x00,0x74,0x11,0x8B,0x95,0x30,0xFF,0xFF,0xFF,0x83,0xC2,0x01,0x89,0x95,0x30,0xFF,0xFF,0xFF,0xEB,0xC8,0x8B,0x85,0x30,0xFF,0xFF,0xFF,0xD1,0xE0,0x66,0x89,0x85,0x70,0xFF,0xFF,0xFF,0x66,0x8B,0x8D,0x70,0xFF,0xFF,0xFF,0x66,0x89,0x8D,0x72,0xFF,0xFF,0xFF,0x83,0x7D,0x80,0x00,0x74,0x0A,0x8D,0x95,0x70,0xFF,0xFF,0xFF,0x85,0xD2,0x75,0x0C,0xC7,0x45,0xB0,0xFF,0xFF,0xFF,0xFF,0xE9,0xD6,0x01,0x00,0x00,0x8B,0x45,0x80,0x0F,0xB7,0x08,0xD1,0xE9,0x89,0x8D,0x2C,0xFF,0xFF,0xFF,0x0F,0xB7,0x95,0x70,0xFF,0xFF,0xFF,0xD1,0xEA,0x89,0x55,0xC8,0x8B,0x85,0x2C,0xFF,0xFF,0xFF,0x3B,0x45,0xC8,0x7D,0x0C,0xC7,0x45,0xB0,0xFF,0xFF,0xFF,0xFF,0xE9,0xA5,0x01,0x00,0x00,0x8B,0x8D,0x74,0xFF,0xFF,0xFF,0x89,0x8D,0xD8,0xFE,0xFF,0xFF,0xBA,0x01,0x00,0x00,0x00,0x85,0xD2,0x0F,0x84,0x05,0x01,0x00,0x00,0xC7,0x45,0xE0,0x00,0x00,0x00,0x00,0xEB,0x09,0x8B,0x45,0xE0,0x83,0xC0,0x01,0x89,0x45,0xE0,0x8B,0x8D,0x2C,0xFF,0xFF,0xFF,0x2B,0x4D,0xC8,0x39,0x4D,0xE0,0x0F,0x8F,0xDC,0x00,0x00,0x00,0x8B,0x55,0x80,0x8B,0x42,0x04,0x8B,0x4D,0xE0,0x8D,0x14,0x48,0x89,0x95,0x28,0xFF,0xFF,0xFF,0xC7,0x45,0xE8,0x00,0x00,0x00,0x00,0xEB,0x09,0x8B,0x45,0xE8,0x83,0xC0,0x01,0x89,0x45,0xE8,0x8B,0x4D,0xE8,0x3B,0x4D,0xC8,0x0F,0x8D,0x94,0x00,0x00,0x00,0x8B,0x55,0xE8,0x8B,0x85,0xD8,0xFE,0xFF,0xFF,0x66,0x8B,0x0C,0x50,0x66,0x89,0x4D,0xF0,0x8B,0x55,0xE8,0x8B,0x85,0x28,0xFF,0xFF,0xFF,0x66,0x8B,0x0C,0x50,0x66,0x89,0x4D,0xF4,0x0F,0xB7,0x55,0xF4,0x0F,0xB7,0x45,0xF0,0x3B,0xD0,0x75,0x0C,0xC7,0x85,0xDC,0xFE,0xFF,0xFF,0x00,0x00,0x00,0x00,0xEB,0x4A,0x0F,0xB7,0x4D,0xF4,0x83,0xF9,0x61,0x7C,0x14,0x0F,0xB7,0x55,0xF4,0x83,0xFA,0x7A,0x7F,0x0B,0x0F,0xB7,0x45,0xF4,0x83,0xE8,0x20,0x66,0x89,0x45,0xF4,0x0F,0xB7,0x4D,0xF0,0x83,0xF9,0x61,0x7C,0x14,0x0F,0xB7,0x55,0xF0,0x83,0xFA,0x7A,0x7F,0x0B,0x0F,0xB7,0x45,0xF0,0x83,0xE8,0x20,0x66,0x89,0x45,0xF0,0x0F,0xB7,0x4D,0xF4,0x0F,0xB7,0x55,0xF0,0x2B,0xCA,0x89,0x8D,0xDC,0xFE,0xFF,0xFF,0x83,0xBD,0xDC,0xFE,0xFF,0xFF,0x00,0x74,0x02,0xEB,0x05,0xE9,0x57,0xFF,0xFF,0xFF,0x8B,0x45,0xE8,0x3B,0x45,0xC8,0x75,0x0B,0x8B,0x4D,0xE0,0x89,0x4D,0xB0,0xE9,0x91,0x00,0x00,0x00,0xE9,0x09,0xFF,0xFF,0xFF,0xE9,0x80,0x00,0x00,0x00,0xC7,0x45,0xE0,0x00,0x00,0x00,0x00,0xEB,0x09,0x8B,0x55,0xE0,0x83,0xC2,0x01,0x89,0x55,0xE0,0x8B,0x85,0x2C,0xFF,0xFF,0xFF,0x2B,0x45,0xC8,0x39,0x45,0xE0,0x7F,0x60,0x8B,0x4D,0x80,0x8B,0x51,0x04,0x8B,0x45,0xE0,0x8D,0x0C,0x42,0x89,0x8D,0x28,0xFF,0xFF,0xFF,0xC7,0x45,0xE8,0x00,0x00,0x00,0x00,0xEB,0x09,0x8B,0x55,0xE8,0x83,0xC2,0x01,0x89,0x55,0xE8,0x8B,0x45,0xE8,0x3B,0x45,0xC8,0x7D,0x22,0x8B,0x4D,0xE8,0x8B,0x95,0x28,0xFF,0xFF,0xFF,0x0F,0xB7,0x04,0x4A,0x8B,0x4D,0xE8,0x8B,0x95,0xD8,0xFE,0xFF,0xFF,0x0F,0xB7,0x0C,0x4A,0x3B,0xC1,0x74,0x02,0xEB,0x02,0xEB,0xCD,0x8B,0x55,0xE8,0x3B,0x55,0xC8,0x75,0x08,0x8B,0x45,0xE0,0x89,0x45,0xB0,0xEB,0x09,0xEB,0x89,0xC7,0x45,0xB0,0xFF,0xFF,0xFF,0xFF,0x83,0x7D,0xB0,0xFF,0x7E,0x11,0x8B,0x8D,0x24,0xFF,0xFF,0xFF,0x8B,0x51,0x18,0x89,0x95,0x20,0xFF,0xFF,0xFF,0xEB,0x05,0xE9,0x30,0xFD,0xFF,0xFF,0x8B,0x85,0x20,0xFF,0xFF,0xFF,0x89,0x45,0xD8,0x83,0x7D,0xDC,0x00,0x0F,0x84,0xFD,0x01,0x00,0x00,0xC7,0x45,0xA4,0x00,0x00,0x00,0x00,0x8B,0x4D,0xDC,0x89,0x8D,0x1C,0xFF,0xFF,0xFF,0x8B,0x95,0x1C,0xFF,0xFF,0xFF,0x0F,0xB7,0x02,0x3D,0x4D,0x5A,0x00,0x00,0x74,0x0B,0x8B,0x4D,0xA4,0x89,0x4D,0x94,0xE9,0xAF,0x01,0x00,0x00,0x8B,0x85,0x1C,0xFF,0xFF,0xFF,0x99,0x8B,0xC8,0x8B,0x95,0x1C,0xFF,0xFF,0xFF,0x8B,0x42,0x3C,0x99,0x03,0xC8,0x89,0x8D,0xF0,0xFE,0xFF,0xFF,0x8B,0x85,0xF0,0xFE,0xFF,0xFF,0x81,0x38,0x50,0x45,0x00,0x00,0x74,0x0B,0x8B,0x4D,0xA4,0x89,0x4D,0x94,0xE9,0x7B,0x01,0x00,0x00,0x8B,0x45,0xDC,0x99,0xBA,0x08,0x00,0x00,0x00,0x6B,0xCA,0x00,0x8B,0x95,0xF0,0xFE,0xFF,0xFF,0x03,0x44,0x0A,0x78,0x89,0x45,0xAC,0x75,0x0B,0x8B,0x45,0xA4,0x89,0x45,0x94,0xE9,0x55,0x01,0x00,0x00,0x8B,0x45,0xDC,0x99,0x8B,0x4D,0xAC,0x03,0x41,0x20,0x89,0x85,0x9C,0xFE,0xFF,0xFF,0x8B,0x45,0xDC,0x99,0x8B,0x55,0xAC,0x03,0x42,0x1C,0x89,0x85,0x94,0xFE,0xFF,0xFF,0x8B,0x45,0xDC,0x99,0x8B,0x4D,0xAC,0x03,0x41,0x24,0x89,0x85,0x98,0xFE,0xFF,0xFF,0xC7,0x45,0xA8,0x00,0x00,0x00,0x00,0xEB,0x09,0x8B,0x55,0xA8,0x83,0xC2,0x01,0x89,0x55,0xA8,0x8B,0x45,0xAC,0x8B,0x4D,0xA8,0x3B,0x48,0x18,0x0F,0x83,0xFE,0x00,0x00,0x00,0x8B,0x45,0xDC,0x99,0x8B,0x55,0xA8,0x8B,0x8D,0x9C,0xFE,0xFF,0xFF,0x03,0x04,0x91,0x89,0x85,0x90,0xFE,0xFF,0xFF,0x8B,0x55,0xA8,0x8B,0x85,0x98,0xFE,0xFF,0xFF,0x66,0x8B,0x0C,0x50,0x66,0x89,0x8D,0x00,0xFF,0xFF,0xFF,0x8B,0x45,0xDC,0x99,0x0F,0xB7,0x95,0x00,0xFF,0xFF,0xFF,0x8B,0x8D,0x94,0xFE,0xFF,0xFF,0x03,0x04,0x91,0x89,0x85,0x84,0xFE,0xFF,0xFF,0x8D,0x95,0x50,0xFF,0xFF,0xFF,0x89,0x95,0x14,0xFF,0xFF,0xFF,0x8B,0x85,0x90,0xFE,0xFF,0xFF,0x89,0x85,0x18,0xFF,0xFF,0xFF,0x8B,0x8D,0x18,0xFF,0xFF,0xFF,0x0F,0xB6,0x11,0x89,0x55,0xD4,0x8B,0x45,0xD4,0x89,0x85,0x8C,0xFE,0xFF,0xFF,0x8B,0x8D,0x18,0xFF,0xFF,0xFF,0x83,0xC1,0x01,0x89,0x8D,0x18,0xFF,0xFF,0xFF,0x83,0xBD,0x8C,0xFE,0xFF,0xFF,0x41,0x7C,0x0F,0x83,0x7D,0xD4,0x5A,0x7F,0x09,0x8B,0x55,0xD4,0x83,0xC2,0x20,0x89,0x55,0xD4,0x8B,0x85,0x14,0xFF,0xFF,0xFF,0x0F,0xB6,0x08,0x89,0x4D,0xC4,0x8B,0x55,0xC4,0x89,0x95,0x88,0xFE,0xFF,0xFF,0x8B,0x85,0x14,0xFF,0xFF,0xFF,0x83,0xC0,0x01,0x89,0x85,0x14,0xFF,0xFF,0xFF,0x83,0xBD,0x88,0xFE,0xFF,0xFF,0x41,0x7C,0x0F,0x83,0x7D,0xC4,0x5A,0x7F,0x09,0x8B,0x4D,0xC4,0x83,0xC1,0x20,0x89,0x4D,0xC4,0x83,0x7D,0xD4,0x00,0x74,0x0C,0x8B,0x55,0xD4,0x3B,0x55,0xC4,0x0F,0x84,0x76,0xFF,0xFF,0xFF,0x8B,0x45,0xD4,0x2B,0x45,0xC4,0x75,0x0B,0x8B,0x8D,0x84,0xFE,0xFF,0xFF,0x89,0x4D,0xA4,0xEB,0x05,0xE9,0xEA,0xFE,0xFF,0xFF,0x8B,0x55,0xA4,0x89,0x55,0x94,0x8B,0x45,0x94,0x89,0x85,0x10,0xFF,0xFF,0xFF,0x8D,0x8D,0xC0,0xFE,0xFF,0xFF,0x51,0xFF,0x95,0x10,0xFF,0xFF,0xFF,0x8D,0x95,0xA4,0xFE,0xFF,0xFF,0x52,0xFF,0x95,0x10,0xFF,0xFF,0xFF,0x83,0x7D,0xD8,0x00,0x0F,0x84,0x05,0x02,0x00,0x00,0xC7,0x45,0x98,0x00,0x00,0x00,0x00,0x8B,0x45,0xD8,0x89,0x85,0x0C,0xFF,0xFF,0xFF,0x8B,0x8D,0x0C,0xFF,0xFF,0xFF,0x0F,0xB7,0x11,0x81,0xFA,0x4D,0x5A,0x00,0x00,0x74,0x0B,0x8B,0x45,0x98,0x89,0x45,0x90,0xE9,0xAF,0x01,0x00,0x00,0x8B,0x85,0x0C,0xFF,0xFF,0xFF,0x99,0x8B,0xC8,0x8B,0x95,0x0C,0xFF,0xFF,0xFF,0x8B,0x42,0x3C,0x99,0x03,0xC8,0x89,0x8D,0xEC,0xFE,0xFF,0xFF,0x8B,0x85,0xEC,0xFE,0xFF,0xFF,0x81,0x38,0x50,0x45,0x00,0x00,0x74,0x0B,0x8B,0x4D,0x98,0x89,0x4D,0x90,0xE9,0x7B,0x01,0x00,0x00,0x8B,0x45,0xD8,0x99,0xBA,0x08,0x00,0x00,0x00,0x6B,0xCA,0x00,0x8B,0x95,0xEC,0xFE,0xFF,0xFF,0x03,0x44,0x0A,0x78,0x89,0x45,0xA0,0x75,0x0B,0x8B,0x45,0x98,0x89,0x45,0x90,0xE9,0x55,0x01,0x00,0x00,0x8B,0x45,0xD8,0x99,0x8B,0x4D,0xA0,0x03,0x41,0x20,0x89,0x85,0x80,0xFE,0xFF,0xFF,0x8B,0x45,0xD8,0x99,0x8B,0x55,0xA0,0x03,0x42,0x1C,0x89,0x85,0x64,0xFE,0xFF,0xFF,0x8B,0x45,0xD8,0x99,0x8B,0x4D,0xA0,0x03,0x41,0x24,0x89,0x85,0x7C,0xFE,0xFF,0xFF,0xC7,0x45,0x9C,0x00,0x00,0x00,0x00,0xEB,0x09,0x8B,0x55,0x9C,0x83,0xC2,0x01,0x89,0x55,0x9C,0x8B,0x45,0xA0,0x8B,0x4D,0x9C,0x3B,0x48,0x18,0x0F,0x83,0xFE,0x00,0x00,0x00,0x8B,0x45,0xD8,0x99,0x8B,0x55,0x9C,0x8B,0x8D,0x80,0xFE,0xFF,0xFF,0x03,0x04,0x91,0x89,0x85,0x74,0xFE,0xFF,0xFF,0x8B,0x55,0x9C,0x8B,0x85,0x7C,0xFE,0xFF,0xFF,0x66,0x8B,0x0C,0x50,0x66,0x89,0x8D,0xFC,0xFE,0xFF,0xFF,0x8B,0x45,0xD8,0x99,0x0F,0xB7,0x95,0xFC,0xFE,0xFF,0xFF,0x8B,0x8D,0x64,0xFE,0xFF,0xFF,0x03,0x04,0x91,0x89,0x85,0x68,0xFE,0xFF,0xFF,0x8D,0x95,0x64,0xFF,0xFF,0xFF,0x89,0x95,0x04,0xFF,0xFF,0xFF,0x8B,0x85,0x74,0xFE,0xFF,0xFF,0x89,0x85,0x08,0xFF,0xFF,0xFF,0x8B,0x8D,0x08,0xFF,0xFF,0xFF,0x0F,0xB6,0x11,0x89,0x55,0xD0,0x8B,0x45,0xD0,0x89,0x85,0x70,0xFE,0xFF,0xFF,0x8B,0x8D,0x08,0xFF,0xFF,0xFF,0x83,0xC1,0x01,0x89,0x8D,0x08,0xFF,0xFF,0xFF,0x83,0xBD,0x70,0xFE,0xFF,0xFF,0x41,0x7C,0x0F,0x83,0x7D,0xD0,0x5A,0x7F,0x09,0x8B,0x55,0xD0,0x83,0xC2,0x20,0x89,0x55,0xD0,0x8B,0x85,0x04,0xFF,0xFF,0xFF,0x0F,0xB6,0x08,0x89,0x4D,0xC0,0x8B,0x55,0xC0,0x89,0x95,0x6C,0xFE,0xFF,0xFF,0x8B,0x85,0x04,0xFF,0xFF,0xFF,0x83,0xC0,0x01,0x89,0x85,0x04,0xFF,0xFF,0xFF,0x83,0xBD,0x6C,0xFE,0xFF,0xFF,0x41,0x7C,0x0F,0x83,0x7D,0xC0,0x5A,0x7F,0x09,0x8B,0x4D,0xC0,0x83,0xC1,0x20,0x89,0x4D,0xC0,0x83,0x7D,0xD0,0x00,0x74,0x0C,0x8B,0x55,0xD0,0x3B,0x55,0xC0,0x0F,0x84,0x76,0xFF,0xFF,0xFF,0x8B,0x45,0xD0,0x2B,0x45,0xC0,0x75,0x0B,0x8B,0x8D,0x68,0xFE,0xFF,0xFF,0x89,0x4D,0x98,0xEB,0x05,0xE9,0xEA,0xFE,0xFF,0xFF,0x8B,0x55,0x98,0x89,0x55,0x90,0x8B,0x45,0x90,0x89,0x85,0xE8,0xFE,0xFF,0xFF,0x83,0xBD,0xE8,0xFE,0xFF,0xFF,0x00,0x74,0x18,0x6A,0x00,0x8D,0x8D,0xC0,0xFE,0xFF,0xFF,0x51,0x8D,0x95,0xC0,0xFE,0xFF,0xFF,0x52,0x6A,0x00,0xFF,0x95,0xE8,0xFE,0xFF,0xFF,0x33,0xC0,0x8B,0xE5,0x5D,0xC3,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
	HANDLE hProcess = GetCurrentProcess();
	DWORD dwSize = sizeof(szShellCode) & 0x1000 + 0x1000;
	PVOID pShellCode = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

	do 
	{
		if (!pShellCode)
		{
			printf("VirtualAllocEx Error!\n");
			break;
		}

		SIZE_T sWriteBytes = 0;
		if (!WriteProcessMemory(hProcess, pShellCode, szShellCode, sizeof(szShellCode), &sWriteBytes))
		{
			printf("WriteProcessMemory Error!\n");
			break;
		}

        //直接调用shellcode或者CreateThread
		((pFn_EntryMain)(pShellCode))();


	} while (FALSE);

	system("pause");
}

第17节 实战shellcode进程注入
李小咖·网安技术库
05-15 714
我最近做了一个关于shellcode入门和开发的专题课👩🏻‍💻,主要面向对网络安全技术感兴趣的小伙伴。这是视频版内容对应的文字版材料,内容里面的每一个环境我都亲自测试实操过的记录,有需要的小伙伴可以参考。传统的exe文件执行都是在自己的进程空间中,而shellcode本身没有固定的执行进程,它取决于加载器将它“安排”到哪个进程,它就在哪个进程执行。这种以进程“寄宿”方式执行的方式就被称为进程注入。
第12节 第二种shellcode编写实战(1)
李小咖·网安技术库
05-11 993
我最近在做一个关于shellcode入门和开发的专题课👩🏻‍💻,主要面向对网络安全技术感兴趣的小伙伴。这是视频版内容对应的文字版材料,内容里面的每一个环境我都亲自测试实操过的记录,有需要的小伙伴可以参考🫡。
利用自定义堆栈进行 Shellcode 开发
2301_77498991的博客
04-12 670
最近学习了下 BRC4 作者1月发表的博客 Hiding In PlainSight - Indirect Syscall is Dead!
shellcode
WEB安全测试学习中……
03-09 1249
<br />Shellcode实际是一段代码(也可以是填充数据),是用来发送到服务器利用特定漏洞的代码,一般可以获取权限。<br />另外,Shellcode一般是作为数据发送给受攻击服务的。 <br />Shellcode是溢出程序和蠕虫病毒的核心,提到它自然就会和漏洞联想在一起,毕竟Shellcode只对没有打补丁的主机有用武之地。网络上数以万计带着漏洞顽强运行着的服务器给hacker和Vxer丰盛的晚餐。漏洞利用中最关键的是Shellcode编写。由于漏洞发现者在漏洞发现之初并不会给出完整Shell
Shellcode编写
weixin_54452942的博客
04-23 1467
二是ESI寄存器的值自动增加32位,也就是当第一轮执行之后,esi中放的是下一个函数名称的地址,继续将其指向的内存空间的前四个字节送到eax中(也就是函数名称列表中的第一个函数名称的前四个字节),同时esi加4,指向了第二个函数名称的地址,一直向后比对,直到每个字节都比对成功后,此时的ecx中存的就是目标函数在函数名称列表中的位置。这个成员在PEB结构体中的偏移量是0x0C。在32位Windows系统中,FS寄存器指向TEB的起始地址,而在64位Windows系统中,GS寄存器指向TEB的起始地址。
Windows Shellcode开发[1]
weixin_41487541的博客
03-24 605
0 前言 本文包含对shellcode开发技术及其特点的概述,了解了这些概念我们就可以编写自己的shellcode,而且我们还可以修改现有漏洞的shellcode来执行我们自定义的功能。 1 Shellcode介绍 维基百科中对shellcoed的介绍: “在计算机安全中,shellcode 是一小段代码,用作利用软件漏洞的有效载荷。之所以称为“shellcode”,是因为它通常启动一个命令shell,攻击者可以从中控制受感染的机器,但任何执行类似任务的代码都可以称为 shellcode……She
Shellcode的原理及编写
热门推荐
maotoula的专栏
01-19 6万+
1.shellcode原理
ARM汇编基础与Shellcode编写实战
这篇文档特别关注的是在ARM架构上编写SHELLCODE,这是一种广泛应用于移动设备、路由器、物联网设备以及部分服务器和桌面平台的处理器架构。 首先,文档介绍了ARM汇编的基础知识,包括寄存器的使用。在ARM架构中,有...
第14节 第二种shellcode编写实战(3)
最新发布
李小咖·网安技术库
05-13 738
使用ADVobfuscator来自动处理双引号字符串时,不能禁用项目“优化”选项,即工程 “属性”--->“C/C++”--->“优化”中,“优化”选项可以选择“/O1”、“/O2”,或者“/Ox”,不能使用“已禁用 (/Od)”,否则字符换处理无效。对于上述代码,表面看使用了双引号字符串,实际上在编译时对代码中O("xxx")的内容都是以宏定义的方式进行了转换处理,生成的PE文件中并没有双引号字符串的直接暴露,既符合shellcode编写规范,又一定程度提高了开发效率。
第13节 第二种shellcode编写实战(2)
李小咖·网安技术库
05-12 644
在类CDoShellcode中,将所有函数功能执行的参数都传递一个CAPI的指针变量,那么所有功能都可以使用CAPI中的函数。如此一来,对类CDoShellcode而言,我们只关注功能的实现,不必再顾及函数动态调用的问题。所有用到的动态函数的实现都可以共享CAPI中的实现。的基础上,新增加一个CAPI类,将所有用到的函数都在这个类中做动态调用的处理,这样使得整个shellcode功能结构更加清晰。
shellcode 执行盒
01-04
//msfvenom -p windows/exec CMD=calc.exe -f exe -e x86/shikata_ga_nai -i 6 -f c 生成shellcod 测试数据: bf6e4a2508d9ebd97424f45d33c9b131317d13037d1383c56aa8d0f49aae1b055acf92e06bcfc161dbff8224d774c6dc6cf8cfd3c5b729ddd6e40a7c54f75e5e6538939fa2255ecd7b21cde2087fce894291566d1290772029cb57c2fe67dedce342a857d7392bbe26c180ff8730d8382fabaf304c56a8862f8c3d1d9747e5f9268b70892460f6d52877db6d54fcdaa1dd46f965861d603f62f39d5fcdac3b2be3b93176693fc70cdf3fd70e4f28e685002ff74f65cf155a9378800f1ee533fa5c10b00f1ce7a86519a36e9553bc1a99c0bd0efa872dd2d322d6712c 将shellcode作为参数传入执行盒,./shllcode_Argv.exe bf6e4a2508d9ebd97424f45d33c9b131317d13037d1383c56aa8d0f49aae1b055acf92e06bcfc161dbff8224d774c6dc6cf8cfd3c5b729ddd6e40a7c54f75e5e6538939fa2255ecd7b21cde2087fce894291566d1290772029cb57c2fe67dedce342a857d7392bbe26c180ff8730d8382fabaf304c56a8862f8c3d1d9747e5f9268b70892460f6d52877db6d54fcdaa1dd46f965861d603f62f39d5fcdac3b2be3b93176693fc70cdf3fd70e4f28e685002ff74f65cf155a9378800f1ee533fa5c10b00f1ce7a86519a36e9553bc1a99c0bd0efa872dd2d322d6712c 即可执行该段shellcode。 该exe可传vt查看报毒情况,无特征码
[逆向工程] Shellcode 开发实验
[热爱分享]希望大家都能花时间在学习自己喜欢的东西上
05-11 1468
逆向工程实验一:Shellcode开发实验
shellcode开发艺术前导篇
乱七八糟の中转站
09-06 707
关于exploit和shellcode的区别: 植入代码前需要大量调试,如,弄清程序有几个输入点,这些输入将最终会当做哪几个函数的第几个参数读入到内存的哪一个区域,哪一个输入会造成栈溢出,在复制到栈区的时候对这些数据有没有额外的限制等。调试之后,还要计算函数返回地址距离缓冲区的偏移并淹没之,选择指令的地址,最终制作出一个有攻击效果的“承载”着shellcode的输入字符串。这个代码植入的过程就是
ShellCode
weixin_46661122的博客
11-16 1162
关于利用图片Alpha通道隐写术隐藏Shellcode的攻击 Alpha通道,又叫做阿尔法通道,是指一张图片的透明和半透明度。例如:一个使用16位存储的图片,可能5位表示红色,5位表示绿色,5位表示蓝色,1位是阿尔法。在这种情况下,它要么表示透明要么不是。一个使用32位存储的图片,每8位表示红绿蓝,和阿尔法通道。在这种情况下,就不光可以表示透明还是不透明,阿尔法通道还可以表示256级的半透明度。 一般alpha值取0~1之间。通道分为三种通道。也就是有三个作用。 Alpha通道与Rgb图片为乘法运算即:图片
Shellcode
weixin_43916678的博客
07-07 9155
shellcode简介 shellcode是一段用于利用软件漏洞而执行的代码,也可以认为是一段填充数据,shellcode为16进制的机器码,因为经常让攻击者获得shell而得名。shellcode常常使用机器语言编写。 可在暂存器eip溢出后,塞入一段可让CPU执行的shellcode机器码,让电脑可以执行攻击者的任意指令。 下面这张图就是shellcode工作流程,从功能上看,shellcode在整个漏洞利用过程中发挥主要作用就是对计算机端的控制。 shellcode可以按照攻击者执行的位置分为本地s
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

宇龍_

若帮助到你,希望能给予鼓励!

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值