-
-
[原创]简陋的小工具:DWORD数组形式拷贝shellcode内容;裸函数生成
-
发表于: 2018-3-7 18:22
-
在vs中写shellcode的时候,遇上字符串初始化或是拷贝一大串数据,如果字符串过长,即使是以字符数组形式初始化还是会被优化
所以写了个小工具
效果是这样的
当你想处理一段shellcode的时候,先用x64dbg以base64形式拷贝出来
之后打开程序,拷进去
还需输入指向shellcode的char*变量名和DWORD*变量名,也就是上面的shellcodech和shellcodedw;以及裸函数函数名func
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 | #include "stdafx.h"#include "windows.h"#pragma comment(lib,"crypt32.lib")LPBYTE MyBase64Decode(LPSTR lpBase64Str , LPDWORD lpdwLen){ DWORD dwLen ; DWORD dwNeed ; LPBYTE lpBuffer = NULL; dwLen = strlen(lpBase64Str); dwNeed = 0; CryptStringToBinaryA(lpBase64Str , 0 , CRYPT_STRING_BASE64 , NULL , &dwNeed , NULL , NULL); if(dwNeed) { lpBuffer = (LPBYTE)malloc(dwNeed); CryptStringToBinaryA(lpBase64Str , 0 , CRYPT_STRING_BASE64 , lpBuffer , &dwNeed , NULL , NULL); *lpdwLen = dwNeed ; } return lpBuffer ;}int main(){ // 这里写要变化的shellcode //char * shellcode = "\x89\x75\xFC\xEB\x0E\x33\xC0\x40\xC3\x8B\x65\xE8\xC7\x45\xFC\xFE\xFF\xFF\xFF\xE8\xD5\xCE\xF8\xFF\xC3\x90\x90\x90\x90\x90"; // 这里传入的是shellcode BASE64加密之后的 LPBYTE shellcode; char * base64Str = new char[ 10000 ]; memset(base64Str , 0 , 10000); printf("请输入shellcode的base64编码\n"); scanf("%s", base64Str); DWORD dwShellCodeSize; shellcode = MyBase64Decode(base64Str , &dwShellCodeSize); printf("请输入指向shellcode char*变量名 DWORD*变量名 ;函数名\n"); char shellcodechName[ 256 ] = { 0 }; char shellcodedwName[ 256 ] = { 0 }; char funcName[ 256 ] = { 0 }; scanf("%s%s%s", shellcodechName, shellcodedwName, funcName); // 判断可以转化为4字节的有多少个 DWORD dwDWORDNum = dwShellCodeSize / 4; // 计算最后以char方式传入的有多少个 DWORD * shellcodeTmp = (DWORD*)shellcode; //这是我们想要生成的代码文本 //char shellcode[ 28 ]; //DWORD * shellcodeTmp = (DWORD *)shellcode; //shellcodeTmp[ 0 ] = 0x12345678; //shellcodeTmp[ 1 ] = 0x55555555; ////..... //shellcode[ 26 ] = 0x1; //shellcode[ 27 ] = 0x1; char *codeText = new char[ 55555 ]; memset(codeText , 0, 55555); sprintf(codeText, "char %s[ 0x%X ];\nDWORD * %s = (DWORD *)%s;\n", shellcodechName,dwShellCodeSize,shellcodedwName,shellcodechName); for (int i = 0; i<dwDWORDNum; i++) { char tmp[ 256 ] = {0}; sprintf(tmp,"%s[ 0x%X ] = 0x%X;\n",shellcodedwName ,i, shellcodeTmp[i]); strcat(codeText , tmp); } for (int i = dwDWORDNum*4; i<dwShellCodeSize; i++) { char tmp[ 256 ] = { 0 }; sprintf(tmp , "%s[ 0x%X ] = 0x%X;\n" , shellcodechName,i , (unsigned char)shellcode[ i ]); strcat(codeText , tmp); } // 这里顺带把裸函数的形式输出 strcat(codeText , "\n\n\n\n\n\n\n\n"); char begin[ 256 ] = {0}; sprintf(begin , "void __declspec(naked) %s()\n{\n" , funcName); strcat(codeText , begin); for (int i = 0; i<dwShellCodeSize; i++) { char tmp[ 256 ] = { 0 }; sprintf(tmp , "\t_asm _emit(0x%X)\n" , (unsigned char)shellcode[ i ]); strcat(codeText , tmp); } strcat(codeText , "}"); FILE * fp = fopen("code.txt","w"); fwrite(codeText, 55555 ,1,fp); fclose(fp); free(shellcode); return 0;} |
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
|
