
恶意代码技术理论:恶意脚本-shellcode恶意代码分析

恶意脚本 云涯 4年前 (2020-03-06) 1876次浏览

一 加载shellcode的C代码

#include <limits.h>
#include <stdio.h>
#include <windows.h>

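/*
 * Read a raw shellcode file into a freshly allocated, committed memory region.
 *
 * shellcode: path of the file to load (NUL-terminated string).
 * Returns the base address of the region on success, or NULL when the file
 * cannot be opened, its size cannot be determined, it is empty, the
 * allocation fails, or the read comes back short. The caller owns the
 * returned region and releases it with VirtualFree(..., 0, MEM_RELEASE).
 */
LPVOID read_shellcodefile_into_memory(char* shellcode)
{
    FILE* hFile = NULL;
    LPVOID lpBase = NULL;
    long lFileSize = 0;
    DWORD dwFileSize = 0;

    /* fopen_s returns 0 on success and an errno value on failure. */
    errno_t err = fopen_s(&hFile, shellcode, "rb");
    if (err != 0 || hFile == NULL)
    {
        printf(" [!] File open fail\n");
        return NULL;
    }

    /* Size the file with seek/tell; ftell reports -1 on error. */
    if (fseek(hFile, 0, SEEK_END) != 0)
    {
        printf(" [!] fseek failed\n");
        goto out_close;
    }
    lFileSize = ftell(hFile);
    if (lFileSize <= 0)
    {
        printf(" [!] Cannot determine file size, or file is empty\n");
        goto out_close;
    }
    if (fseek(hFile, 0, SEEK_SET) != 0)
    {
        printf(" [!] fseek failed\n");
        goto out_close;
    }
    dwFileSize = (DWORD)lFileSize;
    printf(" [*] Shellcode Size: 0x%04lx\n", (unsigned long)dwFileSize);

    /* A NULL result here would otherwise be dereferenced by fread below. */
    lpBase = VirtualAlloc(NULL, dwFileSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (lpBase == NULL)
    {
        printf(" [!] VirtualAlloc failed: %lu\n", (unsigned long)GetLastError());
        goto out_close;
    }
    /* %p is the portable way to print a pointer; %08x is undefined for one. */
    printf(" [*] Allocated Address: %p\n", lpBase);

    /* Read exactly the file length; a short read means the region holds
       partial, untrustworthy content, so release it and report failure. */
    if (fread(lpBase, 1, dwFileSize, hFile) != dwFileSize)
    {
        printf(" [!] Short read of shellcode file\n");
        VirtualFree(lpBase, 0, MEM_RELEASE);
        lpBase = NULL;
    }

out_close:
    fclose(hFile);
    return lpBase;
}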

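/*
 * Run the loaded shellcode on a new thread, created suspended so the analyst
 * can place a breakpoint at the entry point before it executes.
 *
 * entry: address of the shellcode entry point, passed as an int (the
 *        original interface; it only round-trips a pointer in a 32-bit
 *        process, see main()).
 * Returns 0 once the shellcode thread has exited, or -1 if the thread could
 * not be created, resumed or waited on. The thread handle is closed on every
 * path.
 */
int execute(int entry)
{
    DWORD dwId = 0;

    /* CREATE_SUSPENDED (0x4): the thread does not run until ResumeThread. */
    HANDLE hHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)(INT_PTR)entry,
                                  NULL, CREATE_SUSPENDED, &dwId);
    if (!hHandle)
    {
        printf(" [!] CreateThread Failed!\n");
        return -1;
    }

    /* The original literal contained "\ " (an invalid escape); the intended
       text is a plain two-line prompt. */
    printf(" [*] Please jmp to 0x%08x set a breakpoint\n Then press any key to resume the thread\n",
           (unsigned)entry);
    getchar();

    /* ResumeThread returns (DWORD)-1 on failure. */
    if (ResumeThread(hHandle) == (DWORD)-1)
    {
        printf(" [!] ResumeThread Failed!\n");
        CloseHandle(hHandle);
        return -1;
    }

    /* Block until the thread ends instead of spinning on a zero timeout,
       which kept one core busy for the whole run. */
    DWORD dwStatus = WaitForSingleObject(hHandle, INFINITE);
    CloseHandle(hHandle);
    if (dwStatus != WAIT_OBJECT_0)
    {
        printf(" [!] WaitForSingleObject Failed!\n");
        return -1;
    }

    /* Return to the caller rather than ExitThread(-1) on the main thread, so
       main() can report the outcome through its own exit code. */
    printf(" [*] Thread Exited!\n");
    return 0;
}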

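/*
 * Entry point: load the shellcode file named on the command line into
 * executable memory and hand its base address to execute().
 *
 * argv[1]: path of the raw shellcode file.
 * Exit codes: 0 success; -1 missing argument; -2 the file could not be
 * loaded; -3 the entry address does not fit the int execute() takes
 * (64-bit build); -4 execute() reported a failure.
 */
int main(int argc, char* argv[])
{
    if (argc < 2)
    {
        printf(" [!] Please input the shellcode filename on the parameter\n");
        return -1;
    }
    printf(" [*] Shellcode File: %s\n", argv[1]);

    LPVOID lpBase = read_shellcodefile_into_memory(argv[1]);
    if (!lpBase)
    {
        /* The loader failed somewhere in open/size/allocate/read; the old
           message blamed allocation only. */
        printf(" [!] Loading the shellcode file into memory failed!\n");
        return -2;
    }

    /* execute() takes an int. In a 64-bit process the base address will not
       survive (int) truncation and sign-extension, so refuse instead of
       jumping to a garbage address. In a 32-bit process every address
       round-trips and this check is never taken. */
    if (sizeof(void *) > sizeof(int) && (ULONG_PTR)lpBase > (ULONG_PTR)INT_MAX)
    {
        printf(" [!] Shellcode EntryPoint does not fit in an int; build this loader as 32-bit\n");
        VirtualFree(lpBase, 0, MEM_RELEASE);
        return -3;
    }
    int nEntry = (int)(INT_PTR)lpBase;
    printf(" [*] Shellcode EntryPoint: 0x%08x\n", (unsigned)nEntry);

    int rc = execute(nEntry);

    /* The shellcode thread has finished by the time execute() returns. */
    VirtualFree(lpBase, 0, MEM_RELEASE);
    return rc == 0 ? 0 : -4;
}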



在调试器中跳转（Jump）到该内存地址并设置断点，即可单步调试 shellcode。



云涯历险记 , 版权所有丨如未注明 , 均为原创丨本网站采用BY-NC-SA协议进行授权
转载请注明原文链接:恶意代码技术理论:恶意脚本-shellcode恶意代码分析