最近我在转化llydd的VC代码,碰到了2个问题。
原文的连接:
http://bbs.pediy.com/showthread.php?t=36497我将对内联函数书写如下:
//****************************************
//打开备份的文件,并转入写入新节的处理过程
//****************************************
NewhFile := CreateFile(szNewFileName, GENERIC_READ or GENERIC_WRITE,
FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
//判断备份文件是否成功打开
if NewhFile = INVALID_HANDLE_VALUE then
begin
MessageBox(0, '打开文件失败!', '错误', MB_OK or MB_ICONHAND);
Exit;
end;
SetFilePointer(NewhFile, OldLastSection.PointerToRawData + OldLastSection.SizeOfRawData, nil, FILE_BEGIN);
asm
jmp @@ShellEnd;
//****************************************
//利用shellcode加载外部的dll
//****************************************
@@shell:
PUSHAD
MOV EAX, DWORD PTR FS:[30H] //;FS:[30H]指向PEB
MOV EAX, DWORD PTR [EAX + 0CH] //;获取PEB_LDR_DATA结构的指针
MOV EAX, DWORD PTR [EAX + 1CH] //;获取LDR_MODULE链表表首结点的inInitializeOrderModuleList成员的指针
MOV EAX, DWORD PTR [EAX] //;LDR_MODULE链表第二个结点的inInitializeOrderModuleList成员的指针
MOV EAX, DWORD PTR [EAX + 08H] //;inInitializeOrderModuleList偏移8h便得到Kernel32.dll的模块基址
MOV EBP, EAX //; 将Kernel32.dll模块基址地址放至kernel中
MOV EAX, DWORD PTR [EAX + 3CH] //;指向IMAGE_NT_HEADERS
MOV EAX, DWORD PTR [EBP+ EAX+ 120] //;指向导出表
MOV ECX, [EBP + EAX + 24] //;取导出表中导出函数名字的数目
MOV EBX, [EBP + EAX + 32] //;取导出表中名字表的地址
ADD EBX, EBP
PUSH WORD PTR 00h //;构造GetProcAddress字符串
PUSH DWORD PTR 73736572h
PUSH DWORD PTR 64644163h
PUSH DWORD PTR 6F725074h
PUSH WORD PTR 6547h
MOV EDX, ESP
PUSH ECX
@@F1:
MOV EDI, EDX
POP ECX
DEC ECX
TEST ECX, ECX
JZ @@EXIT
MOV ESI,[EBX + ECX * 4]
ADD ESI,EBP
PUSH ECX
MOV ECX, 15
REPZ CMPSB
TEST ECX, ECX
JNZ @@F1
POP ECX
MOV ESI, [EBP + EAX + 36] //;取得导出表中序号表的地址
ADD ESI, EBP
MOVZX ESI, WORD PTR[ESI + ECX * 2] //;取得进入函数地址表的序号
MOV EDI, [EBP + EAX + 28] //;取得函数地址表的地址
ADD EDI, EBP
MOV EDI, [EDI + ESI * 4] //;取得GetProcAddress函数的地址
ADD EDI, EBP
PUSH WORD PTR 00h //;构造LoadLibraryA字符串
PUSH DWORD PTR 41797261h
PUSH DWORD PTR 7262694Ch
PUSH DWORD PTR 64616F4Ch
PUSH ESP
PUSH EBP
CALL EDI //;调用GetProcAddress取得LoadLibraryA函数的地址
PUSH WORD PTR 00h //;构造test符串,测试新增节后的EXE是否能正常加载test.dll
PUSH DWORD PTR 74736574h
PUSH ESP
CALL EAX
@@EXIT: ADD ESP, 36 //;平衡堆栈
POPAD
//****************************************
//shellcode
//****************************************
@@ShellEnd:
LEA EAX, @@shell
MOV dCodeAddress, EAX
LEA ECX, @@ShellEnd
SUB ECX, EAX
MOV nShellLen, ECX
end;
//****************************************
//写入SHELLCODE,
//****************************************
WriteFile(NewhFile, Pointer(dCodeAddress), nShellLen, dwFileReadWritten, nil);
问题1:
我的代码这段反汇编的结果是:
0044E320 . 60 pushad
0044E321 . 64:8B05 30000>mov eax, dword ptr fs:[30]
0044E328 . 8B40 0C mov eax, dword ptr [eax+C]
0044E32B . 8B40 1C mov eax, dword ptr [eax+1C]
0044E32E . 8B00 mov eax, dword ptr [eax]
0044E330 . 8B40 08 mov eax, dword ptr [eax+8]
0044E333 . 89C5 mov ebp, eax
0044E335 . 8B40 3C mov eax, dword ptr [eax+3C]
0044E338 . 8B4428 78 mov eax, dword ptr [eax+ebp+78]
0044E33C . 8B4C28 18 mov ecx, dword ptr [eax+ebp+18]
0044E340 . 8B5C28 20 mov ebx, dword ptr [eax+ebp+20]
0044E344 . 01EB add ebx, ebp
0044E346 . 66:68 0000 push 0
0044E34A . 68 72657373 push 73736572
0044E34F . 68 63416464 push 64644163
0044E354 . 68 7450726F push 6F725074
0044E359 . 66:68 4765 push 6547
0044E35D . 89E2 mov edx, esp
0044E35F . 51 push ecx
0044E360 > 89D7 mov edi, edx
0044E362 . 59 pop ecx
0044E363 . 49 dec ecx
0044E364 . 85C9 test ecx, ecx
0044E366 . 74 4A je short 0044E3B2
0044E368 . 8B348B mov esi, dword ptr [ebx+ecx*4]
0044E36B . 01EE add esi, ebp
0044E36D . 51 push ecx
0044E36E . B9 0F000000 mov ecx, 0F
0044E373 . F3:A6 repe cmps byte ptr es:[edi], byte ptr>
0044E375 . 85C9 test ecx, ecx
0044E377 .^ 75 E7 jnz short 0044E360
0044E379 . 59 pop ecx
0044E37A . 8B7428 24 mov esi, dword ptr [eax+ebp+24]
0044E37E . 01EE add esi, ebp
0044E380 . 0FB7344E movzx esi, word ptr [esi+ecx*2]
0044E384 . 8B7C28 1C mov edi, dword ptr [eax+ebp+1C]
0044E388 . 01EF add edi, ebp
0044E38A . 8B3CB7 mov edi, dword ptr [edi+esi*4]
0044E38D . 01EF add edi, ebp
0044E38F . 66:68 0000 push 0
0044E393 . 68 61727941 push 41797261
0044E398 . 68 4C696272 push 7262694C
0044E39D . 68 4C6F6164 push 64616F4C
0044E3A2 . 54 push esp
0044E3A3 . 55 push ebp
0044E3A4 . FFD7 call edi
0044E3A6 . 66:68 0000 push 0
0044E3AA . 68 74657374 push 74736574
0044E3AF . 54 push esp
0044E3B0 . FFD0 call eax
0044E3B2 > 83C4 24 add esp, 24
0044E3B5 . 61 popad
llydd的VC的内联汇编的反汇编的结果是:
004013C8 . 60 pushad
004013C9 . 64:A1 3000000>mov eax, dword ptr fs:[30]
004013CF . 8B40 0C mov eax, dword ptr [eax+C]
004013D2 . 8B40 1C mov eax, dword ptr [eax+1C]
004013D5 . 8B00 mov eax, dword ptr [eax]
004013D7 . 8B40 08 mov eax, dword ptr [eax+8]
004013DA . 8BE8 mov ebp, eax
004013DC . 8B40 3C mov eax, dword ptr [eax+3C]
004013DF . 8B4405 78 mov eax, dword ptr [ebp+eax+78]
004013E3 . 8B4C05 18 mov ecx, dword ptr [ebp+eax+18]
004013E7 . 8B5C05 20 mov ebx, dword ptr [ebp+eax+20]
004013EB . 03DD add ebx, ebp
004013ED . 66:6A 00 push 0
004013F0 . 68 72657373 push 73736572
004013F5 . 68 63416464 push 64644163
004013FA . 68 7450726F push 6F725074
004013FF . 66:68 4765 push 6547
00401403 . 8BD4 mov edx, esp
00401405 . 51 push ecx
00401406 > 8BFA mov edi, edx
00401408 . 59 pop ecx
00401409 . 49 dec ecx
0040140A . 85C9 test ecx, ecx
0040140C . 74 48 je short 00401456
0040140E . 8B348B mov esi, dword ptr [ebx+ecx*4]
00401411 . 03F5 add esi, ebp
00401413 . 51 push ecx
00401414 . B9 0F000000 mov ecx, 0F
00401419 . F3:A6 repe cmps byte ptr es:[edi], byte ptr>
0040141B . 85C9 test ecx, ecx
0040141D .^ 75 E7 jnz short 00401406
0040141F . 59 pop ecx
00401420 . 8B7405 24 mov esi, dword ptr [ebp+eax+24]
00401424 . 03F5 add esi, ebp
00401426 . 0FB7344E movzx esi, word ptr [esi+ecx*2]
0040142A . 8B7C05 1C mov edi, dword ptr [ebp+eax+1C]
0040142E . 03FD add edi, ebp
00401430 . 8B3CB7 mov edi, dword ptr [edi+esi*4]
00401433 . 03FD add edi, ebp
00401435 . 66:6A 00 push 0
00401438 . 68 61727941 push 41797261
0040143D . 68 4C696272 push 7262694C
00401442 . 68 4C6F6164 push 64616F4C
00401447 . 54 push esp
00401448 . 55 push ebp
00401449 . FFD7 call edi
0040144B . 66:6A 00 push 0
0040144E . 68 74657374 push 74736574
00401453 . 54 push esp
00401454 . FFD0 call eax
00401456 > 83C4 24 add esp, 24
00401459 . 61 popad
我的代码长度是150bytes,而llydd的VC的代码长度是146bytes,比我的少了4bytes。
问题2:
在将shellcode写入文件的时候,llydd使用以下的循环:
//写入SHELLCODE,
for(i=0;i<nShellLen;i++)
fputc(pShell[i],newfile);
我是直接写入文件:
WriteFile(NewhFile, Pointer(dCodeAddress), nShellLen, dwFileReadWritten, nil);
我的写入的内容完全不是code的字节码,而是一堆乱码。
以上2个问题,我一直搞不明白,希望向各位讨教一下,请不吝赐教。
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!