[原创]关于0day安全3.4节在win7下面无法运行的解决方法
发表于: 2022-8-25 00:04 8999
偶然发现该案例的 shellcode 在 win10 下可以正常运行，而在 win7 x64 下无法运行。经过对比发现，在 win10 下 kernelbase.dll 中有 LoadLibraryA 函数，而在 win7 x64 下 kernelbase.dll 中有的是 LoadLibraryExA，所以对代码做了两处修改：一是 hash 散列值的修改，二是识别到函数之后对调用参数的修改。可以对比源码或调试验证。
/*
 * Test harness for the "0day安全" section 3.4 shellcode, adjusted so it also
 * runs on Win7 x64 (32-bit process): the hash of LoadLibraryExA replaces the
 * hash of LoadLibraryA, and the call site passes LoadLibraryExA's three
 * arguments (lpLibFileName, hFile = NULL, dwFlags = 0).
 *
 * MSVC x86 inline asm (MASM syntax). The Win32 APIs called are stdcall, so
 * every callee pops its own arguments. Register roles across the body:
 *   esi = pointer to the next hash to resolve (walks the pushed hash list)
 *   edi = pointer to the next slot that receives a resolved function address
 *   ebp = base address of the module currently being searched
 *   ebx = scratch; zeroed before the final calls and used as NULL/0 arguments
 *
 * Defender's note: the fs:[0x30] PEB walk, the InInitializationOrderModuleList
 * traversal, and the ror-7/add export-name hashing below are well-known
 * indicators of position-independent API resolution that detection rules and
 * sandbox heuristics commonly match on.
 */
int main()
{
    _asm {
        nop
        nop
        nop
        nop
        nop
        CLD                                 ; clear DF so lodsd/stosd walk upward

        ; Push the hashes in reverse order; esi will walk them top-down.
        push    0x1e380a6a                  ; hash of MessageBoxA (also the loop terminator)
        push    0x4fd18963                  ; hash of ExitProcess
        push    0xc0d83287                  ; hash of LoadLibraryExA (was LoadLibraryA in the book)
        mov     esi, esp                    ; esi = addr of first function hash
        lea     edi, [esi - 0xc]            ; edi = first slot for resolved addresses:
                                            ;   [esi-0xc] LoadLibraryExA, [esi-8] ExitProcess, [esi-4] MessageBoxA

        ; Reserve 0x400 bytes of stack so later pushes cannot overwrite the
        ; hash list or the resolved-address slots that sit just below it.
        xor     ebx, ebx
        mov     bh, 0x04                    ; ebx = 0x400
        sub     esp, ebx

        ; Build "user32\0\0" on the stack and push LoadLibraryExA's arguments.
        mov     bx, 0x3233                  ; ebx = "32\0\0" (bh was 0x04 and is now overwritten; upper half is 0)
        push    ebx                         ; "32\0\0"
        push    0x72657375                  ; "user"
        xor     edx, edx
        push    edx                         ; dwFlags = 0
        push    edx                         ; hFile   = NULL
        lea     edx, [esp + 8]              ; edx = address of "user32"
        push    edx                         ; lpLibFileName
        xor     edx, edx                    ; edx = 0 for the fs:[edx+0x30] access below

        ; Locate the base of the second module in the initialisation-order list.
        ; The book's comments call it kernel32.dll; per the post it is
        ; kernelbase.dll on Win7 x64 / Win10, which is why LoadLibraryExA is
        ; the name resolved from it.
        mov     ebx, fs:[edx + 0x30]        ; ebx = address of PEB
        mov     ecx, [ebx + 0x0c]           ; ecx = PEB->Ldr
        mov     ecx, [ecx + 0x1c]           ; ecx = first entry in InInitializationOrderModuleList
        mov     ecx, [ecx]                  ; ecx = second entry in the list
        mov     ebp, [ecx + 0x08]           ; ebp = DllBase of that entry

    find_lib_functions:
        lodsd                               ; eax = next hash, esi += 4
        cmp     eax, 0x1e380a6a             ; MessageBoxA's hash is the trigger to
                                            ; load user32 first (LoadLibraryExA("user32", NULL, 0))
        jne     find_functions
        xchg    eax, ebp                    ; ebp = current hash (saved), eax = old base (discarded)
        call    [edi - 0x8]                 ; LoadLibraryExA -- resolved first, stored at [esi-0xc];
                                            ; arguments were pushed above, stdcall pops them
        xchg    eax, ebp                    ; eax = current hash again,
                                            ; ebp = base address of user32.dll

    find_functions:
        pushad                              ; preserve registers; eax (the hash) lands at [esp+0x1c]
        mov     eax, [ebp + 0x3c]           ; eax = e_lfanew (offset of PE header)
        mov     ecx, [ebp + eax + 0x78]     ; ecx = RVA of export directory
        add     ecx, ebp                    ; ecx = absolute addr of export directory
        mov     ebx, [ecx + 0x20]           ; ebx = RVA of AddressOfNames
        add     ebx, ebp                    ; ebx = absolute addr of AddressOfNames
        xor     edi, edi                    ; edi = name index; incremented before first use,
                                            ; so name index 0 is never examined
    next_function_loop:
        inc     edi                         ; next name index
                                            ; NOTE: no bound against NumberOfNames ([ecx+0x18]);
                                            ; an unmatched hash walks past the end of the table
        mov     esi, [ebx + edi * 4]        ; esi = RVA of current export name
        add     esi, ebp                    ; esi = absolute addr of current export name
        cdq                                 ; edx = 0 (eax is e_lfanew, small and positive);
                                            ; edx accumulates the hash
    hash_loop:
        movsx   eax, byte ptr[esi]          ; eax = next name byte (ah = 0 for ASCII)
        cmp     al, ah                      ; reached the terminating NUL?
        jz      compare_hash
        ror     edx, 7                      ; hash = ror(hash, 7) + byte
        add     edx, eax
        inc     esi
        jmp     hash_loop
    compare_hash:
        cmp     edx, [esp + 0x1c]           ; compare with the requested hash saved by pushad
        jnz     next_function_loop
        mov     ebx, [ecx + 0x24]           ; ebx = RVA of AddressOfNameOrdinals
        add     ebx, ebp                    ; ebx = absolute addr of AddressOfNameOrdinals
        mov     di, [ebx + 2 * edi]         ; di = ordinal of the matched name (16-bit entries)
        mov     ebx, [ecx + 0x1c]           ; ebx = RVA of AddressOfFunctions
        add     ebx, ebp                    ; ebx = absolute addr of AddressOfFunctions
        add     ebp, [ebx + 4 * edi]        ; ebp = module base + RVA of matched function
                                            ;     = absolute address of the function
        xchg    eax, ebp                    ; eax = function address
        pop     edi                         ; edi was pushed last by pushad: the output slot pointer
        stosd                               ; store the address at [edi], edi += 4
        push    edi                         ; keep the advanced edi so popad restores it
        popad                               ; restore the other registers (eax = hash again)

        ; Loop until the last hash (MessageBoxA) has been resolved.
        cmp     eax, 0x1e380a6a
        jne     find_lib_functions

    function_call:
        ; Build "failwest\0" on the stack and show it with MessageBoxA.
        xor     ebx, ebx
        push    ebx                         ; string terminator
        push    0x74736577                  ; "west"
        push    0x6C696166                  ; "fail"
        mov     eax, esp                    ; eax = address of "failwest"
        push    ebx                         ; uType     = 0
        push    eax                         ; lpCaption = "failwest"
        push    eax                         ; lpText    = "failwest"
        push    ebx                         ; hWnd      = NULL
        call    [edi - 0x04]                ; MessageBoxA (resolved address at [esi-4])
        push    ebx                         ; uExitCode = 0
        call    [edi - 0x08]                ; ExitProcess (resolved address at [esi-8])
        nop
        nop
        nop
        nop
    }
}