#include "stdafx.h"
#include "windows.h"
#pragma comment(lib,"crypt32.lib")
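/*
 * Decodes a NUL-terminated Base64 string with CryptStringToBinaryA.
 *
 * lpBase64Str: the text to decode (NUL-terminated; cchString is passed as 0).
 * lpdwLen:     receives the number of decoded bytes; set to 0 on any failure.
 *
 * Returns a malloc()'d buffer that the caller must free(), or NULL when the
 * input is NULL, is not valid Base64, decodes to nothing, or malloc() fails.
 * Both API calls and the allocation are checked; the original left *lpdwLen
 * uninitialized and returned a possibly-unfilled buffer on failure.
 */
LPBYTE MyBase64Decode(LPSTR lpBase64Str, LPDWORD lpdwLen)
{
    if (lpdwLen == NULL) {
        return NULL;
    }
    *lpdwLen = 0;
    if (lpBase64Str == NULL) {
        return NULL;
    }

    // First pass: size query only (pbBinary == NULL). Failure means the text is not Base64.
    DWORD dwNeed = 0;
    if (!CryptStringToBinaryA(lpBase64Str, 0, CRYPT_STRING_BASE64, NULL, &dwNeed, NULL, NULL)
        || dwNeed == 0) {
        return NULL;
    }

    LPBYTE lpBuffer = (LPBYTE)malloc(dwNeed);   // cast required: this file is C++
    if (lpBuffer == NULL) {
        return NULL;
    }

    // Second pass: the real decode; dwNeed is updated to the bytes actually written.
    if (!CryptStringToBinaryA(lpBase64Str, 0, CRYPT_STRING_BASE64, lpBuffer, &dwNeed, NULL, NULL)) {
        free(lpBuffer);
        return NULL;
    }

    *lpdwLen = dwNeed;
    return lpBuffer;
}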
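/*
 * Appends the NUL-terminated string `piece` to the NUL-terminated string in
 * `dst`, whose total capacity is `cap` bytes.
 * Returns 1 on success, 0 when the result (plus its NUL) would not fit; on 0
 * `dst` is left unchanged.
 */
static int AppendText(char *dst, size_t cap, const char *piece)
{
    size_t used = strlen(dst);
    size_t add = strlen(piece);
    if (used >= cap || add >= cap - used) {   // room for `add` chars plus the NUL
        return 0;
    }
    memcpy(dst + used, piece, add + 1);
    return 1;
}

/*
 * Fills `out` (capacity `cap`) with the generated source text for the `size`
 * bytes in `data`:
 *   - the array declaration `char <chName>[ N ];` and the DWORD alias
 *     `DWORD * <dwName> = (DWORD *)<chName>;`
 *   - one assignment per whole 4-byte group through <dwName>, then one
 *     assignment per leftover byte through <chName>
 *   - eight blank lines, then a naked function <funcName> that emits every
 *     byte with `_asm _emit`.
 * Every line is formatted with snprintf and appended with a bounds check.
 * Returns 1 on success, 0 if `out` is too small for the text.
 */
static int BuildCodeText(char *out, size_t cap, const unsigned char *data, DWORD size,
                         const char *chName, const char *dwName, const char *funcName)
{
    char line[1024] = { 0 };   // three 255-char names plus format text fit

    out[0] = '\0';
    snprintf(line, sizeof line, "char %s[ 0x%X ];\nDWORD * %s = (DWORD *)%s;\n",
             chName, (unsigned)size, dwName, chName);
    if (!AppendText(out, cap, line)) {
        return 0;
    }

    // Whole 4-byte groups go through the DWORD alias.
    DWORD wordCount = size / 4;
    for (DWORD i = 0; i < wordCount; i++) {
        DWORD word = 0;
        // memcpy instead of a DWORD* read: no aliasing/alignment assumptions on the byte buffer.
        memcpy(&word, data + 4 * (size_t)i, sizeof word);
        snprintf(line, sizeof line, "%s[ 0x%X ] = 0x%X;\n", dwName, (unsigned)i, (unsigned)word);
        if (!AppendText(out, cap, line)) {
            return 0;
        }
    }
    // Remaining 0-3 bytes go through the char array.
    for (DWORD i = wordCount * 4; i < size; i++) {
        snprintf(line, sizeof line, "%s[ 0x%X ] = 0x%X;\n", chName, (unsigned)i, (unsigned)data[i]);
        if (!AppendText(out, cap, line)) {
            return 0;
        }
    }

    // Naked-function form of the same bytes.
    if (!AppendText(out, cap, "\n\n\n\n\n\n\n\n")) {
        return 0;
    }
    snprintf(line, sizeof line, "void __declspec(naked) %s()\n{\n", funcName);
    if (!AppendText(out, cap, line)) {
        return 0;
    }
    for (DWORD i = 0; i < size; i++) {
        snprintf(line, sizeof line, "\t_asm _emit(0x%X)\n", (unsigned)data[i]);
        if (!AppendText(out, cap, line)) {
            return 0;
        }
    }
    return AppendText(out, cap, "}");
}

/*
 * Reads a Base64-encoded byte sequence and three identifiers (char-array
 * name, DWORD-pointer name, function name) from stdin, then writes code.txt
 * holding those bytes as C source (see BuildCodeText for the layout).
 *
 * Compared with the original: every scanf() field is width-limited to its
 * buffer, the decode result is checked before use, the output buffer is
 * sized from the input instead of a fixed 55555 bytes, only the generated
 * text (not the whole buffer) is written, and fopen/fwrite/fclose are checked.
 * Returns 0 on success, 1 on bad input or I/O failure.
 */
int main()
{
    int rc = 1;                       // becomes 0 only after code.txt is fully written
    char *base64Str = new char[10000];
    char shellcodechName[256] = { 0 };
    char shellcodedwName[256] = { 0 };
    char funcName[256] = { 0 };
    LPBYTE shellcode = NULL;
    DWORD dwShellCodeSize = 0;
    char *codeText = NULL;
    size_t codeCap = 0;
    FILE *fp = NULL;

    // The Base64 form of the bytes to embed is read from stdin.
    memset(base64Str, 0, 10000);
    printf("请输入shellcode的base64编码\n");
    // Field width is one less than the buffer size so scanf() cannot overrun it.
    if (scanf("%9999s", base64Str) != 1) {
        fprintf(stderr, "error: no base64 input\n");
        goto cleanup;
    }
    shellcode = MyBase64Decode(base64Str, &dwShellCodeSize);
    if (shellcode == NULL || dwShellCodeSize == 0) {
        fprintf(stderr, "error: input is not valid base64\n");
        goto cleanup;
    }

    printf("请输入指向shellcode char*变量名 DWORD*变量名 ;函数名\n");
    if (scanf("%255s%255s%255s", shellcodechName, shellcodedwName, funcName) != 3) {
        fprintf(stderr, "error: expected three identifiers\n");
        goto cleanup;
    }

    // Upper bound on the output: each input byte yields at most one array line
    // (a 255-char name plus ~30 chars of syntax) and one _emit line (< 64 chars),
    // plus the header, the function header and the blank-line separator.
    codeCap = 1024 + 3 * 256 + (size_t)dwShellCodeSize * (256 + 64);
    codeText = new char[codeCap];
    memset(codeText, 0, codeCap);
    if (!BuildCodeText(codeText, codeCap, shellcode, dwShellCodeSize,
                       shellcodechName, shellcodedwName, funcName)) {
        fprintf(stderr, "error: generated text does not fit in the output buffer\n");
        goto cleanup;
    }

    fp = fopen("code.txt", "w");
    if (fp == NULL) {
        fprintf(stderr, "error: cannot open code.txt for writing\n");
        goto cleanup;
    }
    {
        // Write only the generated text; the original wrote the whole buffer
        // including its zero padding.
        size_t len = strlen(codeText);
        if (fwrite(codeText, 1, len, fp) != len) {
            fprintf(stderr, "error: short write to code.txt\n");
            goto cleanup;
        }
    }
    if (fclose(fp) != 0) {            // fclose flushes; a failure here loses data
        fp = NULL;
        fprintf(stderr, "error: failed to close code.txt\n");
        goto cleanup;
    }
    fp = NULL;
    rc = 0;

cleanup:
    if (fp != NULL) {
        fclose(fp);
    }
    delete[] codeText;
    free(shellcode);                  // MyBase64Decode's buffer is malloc()'d
    delete[] base64Str;
    return rc;
}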