好友
阅读权限10
听众
最后登录1970-1-1
|
Patty
发表于 2020-5-19 17:07
本帖最后由 Patty 于 2020-5-19 18:03 编辑
语言:C/C++
工具:VS2017,PEid,IDA,OD,CE,随边1个exe程序
知识:Win32消息机制,PE结构,ShellCode编程技术,调试技术,IO驱动进程读写技术
------------------------------------------------------------------------------
一、介绍
这里解释什么是ShellCode程序:ShellCode是一段可执行的代码:主要有几个特征
1、 独立的存在:无需任何文件格式的包装
2、 内存中运行:无需固定指定的宿主进程
3、 不用编译器包装所以文件很小,同时执行时不会多调用无关函数
4、 灵活多变:因ShellCode不依赖任何编译器格式约束所以可以以任何方式加密与变形,是以二进制的方式来实现的
------------------------------------------------------------------------------
二、如何做到反检测的与逆向的
1,VS平台调用函数时是编译器通过函数名链接到函数地址中执行再跳转回来的:这个过程程序编译时已经完成了
但是在ShellCode编程中行不通的=需要自己去动态获取函数地址,所以ShellCode所编译的程序是没有输入表的,因为ShellCode所使用的函数是直接从系统的高2G获取的地址,在程序调用函数时是不需要重定位IDT表的
2,OD使用中文搜索引擎的字符串查找定位是空的
3,IDA的字符串查找也没有出现字符串。.rdata的内容是编译器的调试信息VS2017去不掉了,VS2008可以 这不影响提取ShellCode
4,如果在ShellCode中加密与变形 绝对令人逆向起来炸裂一般的感受。
运行ShellCode有三个方式
1,直接插入需要运行的进程中执行
2,静态插入exe文件中(这里讲第二种)
3,直接插入正在执行的内存中
【1】提取ShellCode用PEID找到程序入口点的文件偏移
【2.1】用[WinHex工具]将文件偏移后面的代码复制保存【2.2】保存后的文件很小
【3】将保存ShellCode的二进制粘贴到[科学型计算器]的文件偏移处保存运行即可,在粘贴之前需要删除与粘贴相等的代码
5,ShellCode的加载器与编译框架
看需要上传
------------------------------------------------------------------------------
三、演示
ShellCode实现简单的某游戏无限聚物(不三方,不制裁,不报毒)Win10与Win7及XP都可以运行
实现下面这份代码需要自己获取最核心的两个函数的地址动态获取函数地址=GetProcAddress(LoadLibraryA("user32.dll"),"MessageBoxA")
#include "ShellCodeFunc.h"
int EntryMain()
{
ShellCodeFunc Scf;
BYTE SelfPID[] = { 0xD7,0xD4,0xC9,0xED,0xBD,0xF8,0xB3,0xCC,0x49,0x44,0x3A,'%','d','\n',0 };
BYTE GamgePID[] = {0xD3,0xCE,0xCF,0xB7,0xBD,0xF8,0xB3,0xCC,0x49,0x44,0x3A,'%','d','\n','\n',0 };
BYTE szPrintf[] = {0xD0,0xA1,0xBC,0xFC,0xC5,0xCC,0x30,0x3D,0xBE,0xDB,0xCE,0xEF,'\n','\n',0 };
BYTE Error[] = {0xBD,0xF8,0xB3,0xCC,0x49,0x44,0xBB,0xF1,0xC8,0xA1,0xCA,0xA7,0xB0,0xDC,'\n',0 };
if(GetGameHandle(Scf)==false)
{
Scf.API._printf((char*)Error);
Scf.API._getchar();
return 0;
}
Scf.API._printf((char*)SelfPID, Scf.API._GetCurrentProcessId());
Scf.API._printf((char*)GamgePID,Scf.GameDate.ProcessID);
Scf.API._printf((char*)szPrintf);
HotKey(Scf);
return 0;
}
void HotKey(ShellCodeFunc& Scf)
{
MSG msg;
SecureZeroMemory(&msg, sizeof(msg));
DWORD Keypad_0 = 96;
DWORD TimesCount = 0;
BYTE TimesCountString[]= { 0xD2, 0xBB, 0xBC, 0xFC, 0xBE, 0xDB, 0xCE, 0xEF, 0xA1, 0xBE, '%', 'd',0xA1,0xBF,'\n',0 };
Scf.API._RegisterHotKey(NULL, Keypad_0, NULL, Keypad_0);
while (Scf.API._GetMessageA(&msg,NULL, 0, 0) != 0)
{
if (msg.message == WM_HOTKEY)
{
if (msg.wParam ==Keypad_0)
{
A_Key_Polymer(Scf);
TimesCount= TimesCount + 1;
Scf.API._printf((char*)TimesCountString,TimesCount);
}
}
}
}
void A_Key_Polymer(ShellCodeFunc& Scf)
{
DWORD CharacterPointer;
DWORD SecondOffset;
DWORD FirstAdrress;
DWORD EndAdrress;
DWORD TraversalData;
DWORD Type;
DWORD CharacterType = 0;
DWORD FirstAdrressPointer;
DWORD Materials_XYZ_Pointer = 0;
DWORD Character_XYZ_Pointer = 0;
FLOAT Character_X_Coordinate= 0;
FLOAT Character_Y_Coordinate = 0;
BYTE XYZ[] = { 0xC8 ,0xCB ,0xCE ,0xEF ,0xD7 ,0xF8,0xB1 ,0xEA ,0x3A ,'X','%','f','/','Y','%','f','\n',0 };
Scf.ReadMemory(Scf.GameDate.ProcessHandle,Scf.GameDate.人物基址, &CharacterPointer, 4);
Scf.ReadMemory(Scf.GameDate.ProcessHandle,CharacterPointer + Scf.GameDate.类型偏移, &CharacterType, 4);
Scf.ReadMemory(Scf.GameDate.ProcessHandle,CharacterPointer + Scf.GameDate.地图偏移, &SecondOffset, 4);
Scf.ReadMemory(Scf.GameDate.ProcessHandle,SecondOffset + Scf.GameDate.首地址偏移, &FirstAdrress, 4);
Scf.ReadMemory(Scf.GameDate.ProcessHandle,SecondOffset + Scf.GameDate.尾地址偏移, &EndAdrress, 4);
TraversalData= (EndAdrress - FirstAdrress) / 4;
for (DWORD i = 0; i <TraversalData; i++)
{
Scf.ReadMemory(Scf.GameDate.ProcessHandle,FirstAdrress, &FirstAdrressPointer, 4);
Scf.ReadMemory(Scf.GameDate.ProcessHandle,FirstAdrressPointer + Scf.GameDate.类型偏移, &Type, 4);
if (Type == 289)
{
Scf.ReadMemory(Scf.GameDate.ProcessHandle,FirstAdrressPointer + Scf.GameDate.方向偏移,&Materials_XYZ_Pointer, 4);
Scf.ReadMemory(Scf.GameDate.ProcessHandle,CharacterPointer + Scf.GameDate.人物坐标偏移, &Character_XYZ_Pointer, 4);
Scf.ReadMemory(Scf.GameDate.ProcessHandle,Character_XYZ_Pointer + 0, &Character_X_Coordinate, 4);
Scf.ReadMemory(Scf.GameDate.ProcessHandle,Character_XYZ_Pointer + 4, &Character_Y_Coordinate, 4);
Scf.API._printf((char*)XYZ,Character_X_Coordinate, Character_Y_Coordinate);
if (CharacterType ==273)
{
Scf.WriteMemory(Scf.GameDate.ProcessHandle,Materials_XYZ_Pointer + 0x10, &Character_X_Coordinate, 4);
Scf.WriteMemory(Scf.GameDate.ProcessHandle,Materials_XYZ_Pointer + 0x14, &Character_Y_Coordinate, 4);
}
}
FirstAdrress= FirstAdrress + 4;
}
}
bool GetGameHandle(ShellCodeFunc& Scf)
{
BYTE szWindow[13] = {0xB5,0xD8,0xCF,0xC2,0xB3,0xC7,0xD3,0xEB,0xD3,0xC2,0xCA,0xBF,0 };
Scf.GameDate.WindowsHwnd= Scf.GetWindowsHandle((char*)szWindow);
Scf.GameDate.ProcessID= Scf.GetWindowsProcessID(Scf.GameDate.WindowsHwnd);
Scf.GameDate.ProcessHandle= Scf.OpenProcess_X(Scf.GameDate.ProcessID);
if (Scf.GameDate.ProcessHandle== NULL)
{
return FALSE;
}
return TRUE;}
------------------------------------------------------------------------------
完毕谢谢观看!~
TestShellCode.rar
(2.18 KB, 下载次数: 77)
|
免费评分
-
查看全部评分
本帖被以下淘专辑推荐:
- · 学习及教程|主题: 1127, 订阅: 1119
|