
[原创]VC8编写ShellCode以及辅助工具

2006-7-8 22:02
9105
地球人都知道ShellCode的用处,就不多说了。
例程演示了一个ShellCode的MessageBox
包括完整代码即:手动获取输出表
                嵌入字符串等操作
工具包括一个字符串嵌入辅助工具,以及把OD汇编码转换为易语言数据代码的工具
演示了如何 嵌入代码到易语言。
DFCG
// ShellCodeTest.cpp : 定义控制台应用程序的入口点。
//

/*

VC ShellCode代码例子
fox原创

*/

#include "stdafx.h"
#include <Windows.h>
#include <WinBase.h>
#include <WinUser.h>

int main()
        {
        // Demo "shellcode" body, compiled by VC8 as an ordinary function so that the
        // resulting machine code can be lifted out of the binary and embedded elsewhere:
        //   1. find the kernel32 image base via the SEH chain reachable from fs:[0],
        //   2. walk kernel32's export name table to resolve GetProcAddress,
        //   3. resolve LoadLibraryA, load user32.dll, resolve MessageBoxA,
        //   4. show a message box.
        // Every string is built on the stack from a byte-array initializer so the
        // function body carries no pointers into a data section.
        // x86-32 and MSVC only: addresses are held in int and fs:[0] is read
        // through MSVC inline __asm.
        //Get Kernel32 base addr
        int Kernel32Base;
        int a,b,c;
        char *p;
        __asm
                {
                mov eax,fs:[0] //the only assembly instruction used: fs:[0] is the head of the SEH chain (TEB.ExceptionList) on 32-bit Windows
                mov b,eax;
                }
        // Follow the chain's Next links until the terminating -1; 'a' keeps the
        // last valid registration record.
        while (b!=-1)
                {
                a=b;
                b=*(int *)b;
                }
        // The second DWORD of that record is the handler address; the handler is
        // assumed to live inside kernel32.
        b=*(int *)(a+4);
        p=(char *)b;
        // Scan backwards one byte at a time until the "MZ" DOS-header signature,
        // which marks the start of the image.
        while (*p!='M' || *(p+1)!='Z')
                {
                p--;
                }
        Kernel32Base=int(p);
        //Locate GetProcAddress through kernel32's export directory
        _IMAGE_EXPORT_DIRECTORY *k32Export;
        //IMAGE_EXPORT_DIRECTORY::
        // NOTE(review): the export directory RVA is read from the fixed image offset
        // 0x160 instead of being located via e_lfanew and the optional header's data
        // directory, so this presumably only holds for a kernel32 whose headers are
        // laid out exactly that way — confirm against the target build.
        k32Export=(IMAGE_EXPORT_DIRECTORY *)(Kernel32Base+int(*(int *)(Kernel32Base+0x160)));
        c=k32Export->NumberOfNames;
        int i=-1;
        char *name;
        // "GetProcAddress", NUL-terminated, spelled out byte by byte so it is
        // materialised on the stack.
        char NameOfGetProcAddress[]={0x47,0x65,0x74,0x50,0x72,0x6F,0x63,0x41,0x64,0x64,0x72,0x65,0x73,0x73,0x00};
        // Linear search of AddressOfNames: each entry is an RVA to a NUL-terminated
        // export name, rebased onto the image before comparing.
        // NOTE(review): 'c' (NumberOfNames) is never used as a bound, so the loop
        // runs past the end of the table if the name is not found.
        do
                {
                i++;
                int tmp;
                tmp=Kernel32Base+ k32Export->AddressOfNames+i*4;
                tmp=*(int *)tmp;
                tmp+=Kernel32Base;
                name=(char *)tmp;
                } while(strcmp(name,NameOfGetProcAddress)!=0);

                //Resolve GetProcAddress: AddressOfFunctions[i] is an RVA, rebase it onto the image
                // NOTE(review): the name index i is applied directly to AddressOfFunctions
                // without going through AddressOfNameOrdinals; that only holds when the two
                // tables happen to line up — confirm for the target kernel32.
                DWORD AddressOfGetProcAddress;
                AddressOfGetProcAddress=*(int *)(Kernel32Base+k32Export->AddressOfFunctions+i*4);
                AddressOfGetProcAddress=(Kernel32Base+AddressOfGetProcAddress);
                //typedef void DRAWF( int, int );
                // Local function-type typedef; inside main() this name hides the Win32
                // GetProcAddress declaration pulled in from WinBase.h.
                FARPROC typedef WINAPI GetProcAddress (__in HMODULE hModule,__in LPCSTR lpProcName);
                GetProcAddress *HGetProcAddress;
                // Dereferencing a pointer to a function type yields the function, which
                // decays straight back to a pointer, so this is effectively just a cast.
                HGetProcAddress=*(GetProcAddress *)AddressOfGetProcAddress;
                //Locate LoadLibraryA with the GetProcAddress just resolved
                char str_LoadLibraryA[]={0x4C,0x6F,0x61,0x64,0x4C\
                        ,0x69,0x62,0x72,0x61,0x72,0x79\
                        ,0x41,0x00};//string: "LoadLibraryA"
                FARPROC AddressOfLoadLibrary;
                AddressOfLoadLibrary=HGetProcAddress(HMODULE(Kernel32Base),str_LoadLibraryA);
                char str_user32_dll[]={0x75,0x73,0x65,0x72,0x33\
                        ,0x32,0x2E,0x64,0x6C,0x6C,0x00};//string: "user32.dll"
                HMODULE typedef WINAPI LoadLibraryA(
                        LPCTSTR lpFileName
                        );
                //HMODULE AddressOfLoadLibrary;
                LoadLibraryA *HLoadLibrary;
                HLoadLibrary=(LoadLibraryA *)AddressOfLoadLibrary;
                HMODULE USER32;
                // Load user32.dll so MessageBoxA can be resolved; the result is not checked.
                USER32=HLoadLibrary(str_user32_dll);
                FARPROC HMessageBox;
                char str_MessageBoxA[]={0x4D,0x65,0x73,0x73,0x61\
                        ,0x67,0x65,0x42,0x6F,0x78,0x41,0x00};//string: "MessageBoxA"
                HMessageBox= HGetProcAddress(USER32,str_MessageBoxA);
                // Message box caption, GBK-encoded.
                char str_Title[]={0xCC,0xE1,0xCA,0xBE,0x00};//string (GBK): "提示" = "Notice"
                // Message body, GBK-encoded, with CR/LF line breaks; translation follows the initializer.
                char str_Data[]={0x53,0x68,0x65,0x6C,0x6C\
                        ,0x43,0x6F,0x64,0x65,0xCC,0xE1\
                        ,0xCA,0xBE,0xA3,0xBA,0xD,0xA\
                        ,0x20,0x20,0x20,0x20,0x20,0xC4\
                        ,0xE3,0xCF,0xD6,0xD4,0xDA,0xCA\
                        ,0xC7,0xD4,0xDA,0x53,0x68,0x65\
                        ,0x6C,0x6C,0x43,0x6F,0x64,0x65\
                        ,0xB9,0xFD,0xB3,0xCC,0xD6,0xD0\
                        ,0xA3,0xA1,0xD,0xA,0x20,0x20\
                        ,0x20,0x20,0x20,0xCD,0xEA,0xC8\
                        ,0xAB,0xB6,0xC0,0xC1,0xA2,0xB4\
                        ,0xFA,0xC2,0xEB,0xA3,0xAC,0xC8\
                        ,0xCE,0xBA,0xCE,0xB5,0xD8,0xB7\
                        ,0xBD,0xD4,0xCB,0xD0,0xD0,0xA1\
                        ,0xA3,0xD,0xA,0x20,0x20,0x20\
                        ,0x20,0x20,0xCF,0xD4,0xCA,0xBE\
                        ,0x53,0x68,0x65,0x6C,0x6C,0x43\
                        ,0x6F,0x64,0x65,0xF7,0xC8,0xC1\
                        ,0xA6,0xA3,0xA1,0x00};//string (GBK): "ShellCode notice:
                //    You are now inside the ShellCode routine!
                //    Fully self-contained code, runs anywhere.
                //    Showing off the charm of ShellCode!"
                // Local function-type typedef. NOTE(review): MessageBox is normally a
                // macro in WinUser.h; every use here presumably expands the same way, so
                // it still compiles, but the name is misleading.
                int typedef  WINAPI MessageBox(          HWND hWnd,
                        LPCTSTR lpText,
                        LPCTSTR lpCaption,
                        UINT uType
                        );
                MessageBox *FMessageBox;
                FMessageBox=(MessageBox *)HMessageBox;
                FMessageBox(NULL,str_Data,str_Title,MB_ICONINFORMATION);
                //return AddressOfGetProcAddress;
                //To embed this as pure assembly (i.e. code that does not return), the trailing RETN can be removed by hand
        }

把代码嵌入易语言以及字符串转换工具的源代码:
.版本 2
.支持库 spec

.子程序 __启动窗口_创建完毕
' Runs once the start-up window has been created: executes the embedded x86 machine code in place.
' The byte list is the compiled body of the VC8 main() shown above. It opens with
' 129,236,184,0,0,0 (81 EC B8 00 00 00 = sub esp,0B8h) and 100,161,0,0,0,0 (64 A1 00 00 00 00 = mov eax,fs:[0]),
' and ends with 129,196,184,0,0,0 (81 C4 B8 00 00 00 = add esp,0B8h) with no trailing RETN, so control
' presumably falls through to whatever follows the 置入代码 call.

置入代码 ({ 129, 236, 184, 0, 0, 0, 100, 161, 0, 0, 0, 0, 137, 68, 36, 32, 139, 68, 36, 32, 131, 248, 255, 116, 22, 141, 164, 36, 0, 0, 0, 0, 139, 200, 139, 0, 131, 248, 255, 137, 68, 36, 32, 117, 243, 235, 7, 139, 140, 36, 180, 0, 0, 0, 139, 65, 4, 137, 68, 36, 32, 177, 90, 144, 128, 56, 77, 117, 5, 56, 72, 1, 116, 5, 131, 232, 1, 235, 241, 83, 85, 86, 87, 139, 184, 96, 1, 0, 0, 139, 76, 7, 32, 3, 248, 179, 114, 131, 205, 255, 198, 68, 36, 68, 71, 198, 68, 36, 69, 101, 198, 68, 36, 70, 116, 198, 68, 36, 71, 80, 136, 92, 36, 72, 198, 68, 36, 73, 111, 198, 68, 36, 74, 99, 198, 68, 36, 75, 65, 198, 68, 36, 76, 100, 198, 68, 36, 77, 100, 136, 92, 36, 78, 198, 68, 36, 79, 101, 198, 68, 36, 80, 115, 198, 68, 36, 81, 115, 198, 68, 36, 82, 0, 141, 76, 1, 252, 235, 7, 139, 140, 36, 196, 0, 0, 0, 131, 193, 4, 137, 140, 36, 196, 0, 0, 0, 139, 9, 131, 197, 1, 141, 116, 36, 68, 3, 200, 144, 138, 17, 58, 22, 117, 26, 132, 210, 116, 18, 138, 81, 1, 58, 86, 1, 117, 14, 131, 193, 2, 131, 198, 2, 132, 210, 117, 228, 51, 201, 235, 5, 27, 201, 131, 217, 255, 133, 201, 117, 186, 139, 87, 28, 141, 12, 170, 139, 52, 1, 141, 84, 36, 52, 177, 76, 82, 3, 240, 80, 136, 76, 36, 60, 198, 68, 36, 61, 111, 198, 68, 36, 62, 97, 198, 68, 36, 63, 100, 136, 76, 36, 64, 198, 68, 36, 65, 105, 198, 68, 36, 66, 98, 136, 92, 36, 67, 198, 68, 36, 68, 97, 136, 92, 36, 69, 198, 68, 36, 70, 121, 198, 68, 36, 71, 65, 198, 68, 36, 72, 0, 255, 214, 136, 92, 36, 27, 141, 76, 36, 24, 179, 108, 81, 198, 68, 36, 28, 117, 198, 68, 36, 29, 115, 198, 68, 36, 30, 101, 198, 68, 36, 32, 51, 198, 68, 36, 33, 50, 198, 68, 36, 34, 46, 198, 68, 36, 35, 100, 136, 92, 36, 36, 136, 92, 36, 37, 198, 68, 36, 38, 0, 255, 208, 141, 84, 36, 36, 82, 80, 198, 68, 36, 44, 77, 198, 68, 36, 45, 101, 198, 68, 36, 46, 115, 198, 68, 36, 47, 115, 198, 68, 36, 48, 97, 198, 68, 36, 49, 103, 198, 68, 36, 50, 101, 198, 68, 36, 51, 66, 198, 68, 36, 52, 111, 198, 68, 36, 53, 120, 198, 68, 36, 54, 65, 198, 68, 36, 55, 0, 255, 214, 139, 248, 176, 225, 
177, 32, 178, 163, 198, 68, 36, 16, 204, 136, 68, 36, 17, 198, 68, 36, 18, 202, 198, 68, 36, 19, 190, 198, 68, 36, 20, 0, 198, 68, 36, 84, 83, 198, 68, 36, 85, 104, 198, 68, 36, 86, 101, 136, 92, 36, 87, 136, 92, 36, 88, 198, 68, 36, 89, 67, 198, 68, 36, 90, 111, 198, 68, 36, 91, 100, 198, 68, 36, 92, 101, 198, 68, 36, 93, 204, 136, 68, 36, 94, 198, 68, 36, 95, 202, 198, 68, 36, 96, 190, 136, 84, 36, 97, 198, 68, 36, 98, 186, 198, 68, 36, 99, 13, 198, 68, 36, 100, 10, 136, 76, 36, 101, 136, 76, 36, 102, 176, 212, 136, 76, 36, 103, 136, 76, 36, 104, 136, 76, 36, 105, 198, 68, 36, 106, 196, 198, 68, 36, 107, 227, 198, 68, 36, 108, 207, 198, 68, 36, 109, 214, 136, 68, 36, 110, 198, 68, 36, 111, 218, 198, 68, 36, 112, 202, 198, 68, 36, 113, 199, 136, 68, 36, 114, 198, 68, 36, 115, 218, 198, 68, 36, 116, 83, 198, 68, 36, 117, 104, 198, 68, 36, 118, 101, 136, 92, 36, 119, 136, 92, 36, 120, 198, 68, 36, 121, 67, 198, 68, 36, 122, 111, 198, 68, 36, 123, 100, 198, 68, 36, 124, 101, 198, 68, 36, 125, 185, 198, 68, 36, 126, 253, 198, 68, 36, 127, 179, 198, 132, 36, 128, 0, 0, 0, 204, 198, 132, 36, 129, 0, 0, 0, 214, 198, 132, 36, 130, 0, 0, 0, 208, 136, 148, 36, 131, 0, 0, 0, 198, 132, 36, 132, 0, 0, 0, 161, 198, 132, 36, 133, 0, 0, 0, 13, 198, 132, 36, 134, 0, 0, 0, 10, 136, 140, 36, 135, 0, 0, 0, 136, 140, 36, 136, 0, 0, 0, 136, 140, 36, 137, 0, 0, 0, 136, 140, 36, 138, 0, 0, 0, 136, 140, 36, 139, 0, 0, 0, 198, 132, 36, 140, 0, 0, 0, 205, 198, 132, 36, 141, 0, 0, 0, 234, 198, 132, 36, 142, 0, 0, 0, 200, 198, 132, 36, 143, 0, 0, 0, 171, 198, 132, 36, 144, 0, 0, 0, 182, 198, 132, 36, 145, 0, 0, 0, 192, 198, 132, 36, 146, 0, 0, 0, 193, 198, 132, 36, 147, 0, 0, 0, 162, 198, 132, 36, 148, 0, 0, 0, 180, 198, 132, 36, 149, 0, 0, 0, 250, 198, 132, 36, 150, 0, 0, 0, 194, 198, 132, 36, 151, 0, 0, 0, 235, 136, 148, 36, 152, 0, 0, 0, 198, 132, 36, 153, 0, 0, 0, 172, 198, 132, 36, 154, 0, 0, 0, 200, 198, 132, 36, 155, 0, 0, 0, 206, 198, 132, 36, 156, 0, 0, 0, 186, 198, 132, 36, 157, 0, 
0, 0, 206, 198, 132, 36, 158, 0, 0, 0, 181, 198, 132, 36, 159, 0, 0, 0, 216, 198, 132, 36, 160, 0, 0, 0, 183, 198, 132, 36, 161, 0, 0, 0, 189, 136, 132, 36, 162, 0, 0, 0, 198, 132, 36, 163, 0, 0, 0, 203, 198, 132, 36, 164, 0, 0, 0, 208, 198, 132, 36, 165, 0, 0, 0, 208, 198, 132, 36, 166, 0, 0, 0, 161, 136, 148, 36, 167, 0, 0, 0, 198, 132, 36, 168, 0, 0, 0, 13, 198, 132, 36, 169, 0, 0, 0, 10, 136, 140, 36, 170, 0, 0, 0, 136, 140, 36, 171, 0, 0, 0, 136, 140, 36, 172, 0, 0, 0, 136, 140, 36, 173, 0, 0, 0, 136, 140, 36, 174, 0, 0, 0, 198, 132, 36, 175, 0, 0, 0, 207, 136, 132, 36, 176, 0, 0, 0, 198, 132, 36, 177, 0, 0, 0, 202, 198, 132, 36, 178, 0, 0, 0, 190, 198, 132, 36, 179, 0, 0, 0, 83, 198, 132, 36, 180, 0, 0, 0, 104, 198, 132, 36, 181, 0, 0, 0, 101, 136, 156, 36, 182, 0, 0, 0, 106, 64, 141, 68, 36, 20, 80, 141, 76, 36, 92, 81, 106, 0, 136, 156, 36, 199, 0, 0, 0, 198, 132, 36, 200, 0, 0, 0, 67, 198, 132, 36, 201, 0, 0, 0, 111, 198, 132, 36, 202, 0, 0, 0, 100, 198, 132, 36, 203, 0, 0, 0, 101, 198, 132, 36, 204, 0, 0, 0, 247, 198, 132, 36, 205, 0, 0, 0, 200, 198, 132, 36, 206, 0, 0, 0, 193, 198, 132, 36, 207, 0, 0, 0, 166, 136, 148, 36, 208, 0, 0, 0, 198, 132, 36, 209, 0, 0, 0, 161, 198, 132, 36, 210, 0, 0, 0, 0, 255, 215, 95, 139, 198, 94, 93, 91, 129, 196, 184, 0, 0, 0 })

.子程序 _按钮1_被单击
' Button 1 handler: converts the text in 编辑框1 into a C byte-array initializer of the
' form {0x..,0x..,...,0x00}; followed by a /*字符串:...*/ comment, shows the result in
' 编辑框2 and copies it to the clipboard. This is the helper that produced the str_xxx
' arrays in the VC listing above.
.局部变量 n, 整数型
.局部变量 字节集, 字节集
.局部变量 输出, 文本型

字节集 = 到字节集 (编辑框1.内容)
' One "0xNN" per byte (n counts from 1). A backslash plus newline is inserted before
' every byte whose index is a multiple of 6, so the first line holds 5 values and each
' following line 6. 取十六进制文本 does not zero-pad, so e.g. 0x0D comes out as 0xD.
.计次循环首 (取字节集长度 (字节集), n)
    .如果真 (输出 ≠ “” 且 n % 6 = 0)
        输出 = 输出 + “\” + #换行符
    .如果真结束
    .如果 (输出 = “”)
        输出 = 输出 + “0x” + 取十六进制文本 (字节集 [n])
    .否则
        输出 = 输出 + “,0x” + 取十六进制文本 (字节集 [n])

    .如果结束

.计次循环尾 ()
' Append the NUL terminator and wrap the list as a braced initializer.
输出 = “{” + 输出 + “,0x00}” + “;”
' 输出 = 子文本替换 (输出, “.”, “_”, , , 真)
' 输出 = 子文本替换 (输出, “->”, “_”, , , 真)
' Trailing comment keeps the original text next to the bytes for readability.
输出 = 输出 + “/*字符串:” + 编辑框1.内容 + “*/”
' Optionally prefix a declaration "char str_<name>[]=", where <name> is the input text
' with '.' replaced by '_' and cut to its first 10 characters.
.如果真 (选择框1.选中)
    输出 = “char ” + “str_” + 取文本左边 (子文本替换 (编辑框1.内容, “.”, “_”, , , 真), 10) + “[]=” + 输出
.如果真结束
编辑框2.内容 = 输出

置剪辑板文本 (输出)

执行效果:

压缩包内含了完整的VC工程文件。


最新回复 (8)
2
虽然看不懂,顶一下.楼主辛苦了!
2006-7-8 22:49
3
shellcode跟易语言怎么扯上关系了?
被整糊涂了。
2006-7-9 11:48
NIU
4
奇怪了,我这里竟然看不到主帖的文章,只看到一大片空白。

前面两位的回复可以看到的。

晕了
2006-7-9 16:23
5
最初由 NIU 发布
奇怪了,我这里竟然看不到主帖的文章,只看到一大片空白。

前面两位的回复可以看到的。

晕了


还有这事?
2006-7-9 16:25
NIU
6
可能和浏览器有关,换用IE试了一下可以看到主帖的,用OPERA 9 看不到主帖。

别的主题都正常的,就这个帖子有问题。
2006-7-9 16:29
7
可以看到的啊,换个浏览器试试吧,再不行就换个系统。
2006-7-9 21:08
8
很好,感谢楼主!
2006-7-10 18:10
9
不错,回头仔细研究一下shellcode的原理。
2006-7-17 15:07