最近看shellcode的东西,遇到问题如下(下面代码来自网上):
1. 获得 GetKernel32() 这个函数的 shellcode,过程如下:
/*
 * Find the image base of the module whose exception handler sits at the end
 * of the current thread's exception-registration chain (the author's comment
 * says this last handler is UnhandledExceptionFilter, i.e. kernel32).
 * MSVC 32-bit inline assembly, x86 only.
 *
 * Returns: the base address in eax / ImageBase.
 * NOTE(review): the downward scan has no lower bound; if no MZ/PE header is
 * found it keeps reading lower addresses and will eventually fault.
 */
unsigned int GetKernel32()
{
DWORD ImageBase;
__asm
{
push esi
push ecx
mov esi,fs:0 // fs:[0] holds the head of the exception-registration chain
lodsd // eax = first registration record
GetExeceptionFilter:
cmp [eax],0xffffffff // 'next' link of -1 marks the last record
je GetedExeceptionFilter// reached the last node (per the author, its pfnHandler is UnhandledExceptionFilter)
mov eax,[eax]// otherwise follow the 'next' link until the last node
jmp GetExeceptionFilter
GetedExeceptionFilter:
mov eax, [eax+4] // handler address stored in the last record
FindMZ:
and eax,0xffff0000// PE images are 64 KiB aligned, so only aligned addresses are tested
cmp word ptr [eax],'ZM'// 'MZ' DOS signature (little-endian, compare 0x4D 0x5A in memory)
jne MoveUp// not an MZ header: move to the next lower 64 KiB boundary
mov ecx,[eax+0x3c] // e_lfanew: offset of the PE header from the image base
add ecx,eax
cmp word ptr [ecx],'EP'// 'PE' signature confirms an image header
je Found// MZ and PE both match: eax is the image base, returned to the caller
MoveUp:
dec eax// step just below the current boundary; the 'and' at FindMZ realigns it
jmp FindMZ
Found:
pop ecx
pop esi
mov ImageBase,eax
}
return ImageBase;
// Unreachable sentinel bytes ('^^') intended to mark the end of the function body.
__asm
{
_emit '^'
_emit '^'
}
}
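/*
 * Print 256 bytes starting at sc as a C initializer
 * ("unsigned char shellcode[]={...}"), ten bytes per line, followed by the
 * number of bytes printed.
 *
 * The length is fixed: the '^^' sentinel check that once ended the loop was
 * removed, so the caller must trim the output by hand.
 *
 * @param sc  start of the bytes to print; at least 256 bytes must be readable.
 */
void printsc(unsigned char *sc)
{
enum { DUMP_LEN = 256, PER_LINE = 10 };
int x = 0; /* bytes printed so far */
int i;
printf("unsigned char shellcode[]={");
for (i = 0; i < DUMP_LEN; i++)
{
/* start a new indented line every PER_LINE bytes */
if (x % PER_LINE == 0) printf("\n\t");
printf("0x%0.2X,", sc[i]);
x++;
}
/* was x+1, which reported one byte more than was actually printed */
printf("\n};\nTotal %d Bytes\r\n", x);
}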
/*
 * Print GetKernel32's machine code as a C byte array.
 *
 * Calls GetKernel32 twice (once through a cast pointer, once directly) and
 * prints both results, then dumps 256 bytes from the function body via
 * printsc. If the first byte at the function's address is 0xE9 (jmp rel32
 * — presumably the linker's jump thunk, seen in incremental-link builds),
 * the jump is followed first so that the body, not the thunk, is dumped.
 * 'void main' and getch() are non-standard (MSVC / conio).
 */
void main(void)
{
unsigned char *p=(unsigned char*)GetKernel32;
unsigned int k=0;
printf("return 0x%0.8x\n",((int (*)())(void*)(p))());
printf("return 0x%0.8x\n\n",GetKernel32());
if(*p==0xe9) // 0xE9 = jmp rel32: p points at a thunk, not the function body
{
k=*(unsigned int*)(++p); // 32-bit displacement after the opcode (unaligned read)
p+=k;
p+=4; // target = displacement + address of the byte following the 5-byte jmp
}
printsc(p); // always dumps 256 bytes, regardless of the function's real length
getch();
getch();
}
执行以上代码,得到的 shellcode 如下:
/*
 * Bytes dumped by printsc from GetKernel32, trimmed by hand after the final
 * 0xC3 (ret).
 * NOTE(review): 0x55,0x8B,0xEC is the usual frame prologue and the
 * 0xB8,0xCC,0xCC,0xCC,0xCC,0xF3,0xAB run (rep stosd of 0xCC) looks like the
 * debug-build fill of uninitialised locals, so this appears to be a debug
 * build. The 0xE8,0xFE,0x01,0x00,0x00 sequence near the end encodes a call
 * with a *relative* 32-bit target that lies outside these bytes; such a
 * call only reaches its intended target when the code stays at its original
 * address, which is consistent with the crash described below.
 */
unsigned char shellcode[]={
0x55,0x8B,0xEC,0x83,0xEC,0x44,0x53,0x56,0x57,0x8D,
0x7D,0xBC,0xB9,0x11,0x00,0x00,0x00,0xB8,0xCC,0xCC,
0xCC,0xCC,0xF3,0xAB,0x56,0x51,0x64,0x8B,0x35,0x00,
0x00,0x00,0x00,0xAD,0x80,0x38,0xFF,0x74,0x04,0x8B,
0x00,0xEB,0xF7,0x8B,0x40,0x04,0x25,0x00,0x00,0xFF,
0xFF,0x66,0x81,0x38,0x4D,0x5A,0x75,0x0C,0x8B,0x48,
0x3C,0x03,0xC8,0x66,0x81,0x39,0x50,0x45,0x74,0x03,
0x48,0xEB,0xE5,0x59,0x5E,0x89,0x45,0xFC,0x8B,0x45,
0xFC,0xEB,0x02,0x5E,0x5E,0x5F,0x5E,0x5B,0x83,0xC4,
0x44,0x3B,0xEC,0xE8,0xFE,0x01,0x00,0x00,0x8B,0xE5,
0x5D,0xC3,
};
然后执行以上shellcode:
/*
 * Execute the dumped bytes in place by casting the array to a function pointer.
 * NOTE(review): this assumes the bytes are position-independent and that the
 * array's memory may be executed; a function body containing relative calls
 * (as the dump above appears to) does not satisfy the first assumption.
 * ire receives the result but is never used.
 */
int main()
{
int ire= ((int (*)()) ((void*)shellcode))();
}
此时出错。
如果把以上GetKernel32 函数换为简单的函数,比如
/*
 * Stand-in used to test the extraction method with a function that contains
 * no inline assembly: returns the larger of two fixed values, 100 and 101,
 * so the result is always 101.
 */
int GetKernel32()
{
int first = 100;
int second = 101;
return (first > second) ? first : second;
}
然后通过上面的方法获得 shellcode 并执行,是可以正常运行的。
现在想知道为什么第一个 GetKernel32 不行?测试了一下,只要函数中包含汇编,好像就会出现问题。