Windows下通用ShellCode原理

用 C 汇编实现,编译环境VC6.0, 实测 Win all x86 x64 系统可行

0x00 原理简述

  • 利用fs寄存器,找到TEB的地址->PEB的地址。PEB的0xC偏移处为一个指向PEB_LDR_DATA结构体的指针Ldr,PEB_LDR_DATA的0xC的偏移处为一个指向LIST_ENTRY结构体的指针InLoadOrderModuleList,这是一个按加载顺序构成的双向模块链表。同时LIST_ENTRY的父结构体为LDR_DATA_TABLE_ENTRY,该结构体里有俩有用信息->0x18 DLLBase(模块基址), ->0x2c BaseDllName(指向UNICODE_STRING结构体 模块名字为unicode类型)

  • 利用上述InLoadOrderModuleList双向链表查找kernel32.dll加载到内存的位置,找到其导出表,定位kernel32.dll导出的GetProcAddress函数,使用GetProcAddress函数获取LoadLibrary的函数地址,使用LoadLibrary函数加载user32.dll动态链接库,获取user32.dll中MessageBox的函数地址,调用MessageBox函数。

  • PEB结构图片如下:

0x01 代码实现

1, 分别为GetProcAddress,MessageBox(演示),Loadlibrary 定义函数指针

typedef DWORD (WINAPI *PGETPROCADDRESS) (HMODULE hModule , LPCSTR lpProcName);
typedef int (WINAPI * PMESSAGEBOX) (HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType);
typedef HMODULE (WINAPI * PLOADLIBRARY) (LPCTSTR lpFileName);

2, 定义UNICODE_STRING , PEB_LDR_DATA ,LDR_DATA_TABLE_ENTRY结构体

typedef struct UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
}UNICODE_STRING;
typedef struct PEB_LDR_DATA{
DWORD Length;
BYTE initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
VOID * EntryInProgress;
}PEB_LDR_DATA;
typedef struct LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
void* DllBase;
void* EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
HANDLE SectionHandle;
ULONG CheckSum;
ULONG TimeDateStamp;
}LDR_DATA_TABLE_ENTRY;

3, 你在C/C++代码中定义一个全局变量,一个取值为“Hello world”的字符串,或直接把该字符串作为参数传递给某个函数。但是,编译器会把字符串放置在一个特定的Section中(如.rdata或.data)。所以定义模块和函数名的字符串的时候,为了使变量存在与栈中,因使用位置无关代码

char szKernel32[]={'k',0,'e',0,'r',0,'n',0,'e',0,'l',0,'3',0,'2',0,'.',0,'d',0,'l',0,'l',0,0,0};
char szUser32[]={'U','S','E','R','3','2','.','d','l','l',0};
char szGetProcAddr[]={'G','e','t','P','r','o','c','A','d','d','r','e','s','s',0};
char szLoadLibrary[]={'L','o','a','d','L','i','b','r','a','r','y','A',0};
char szMessageBox[]={'M','e','s','s','a','g','e','B','o','x','A',0};

注意Dll模块名称为Unicode格式。

4, 内联汇编,找到指向InLoadOrderModuleList头的指针pBeg,pPLD指向下一个模块。

__asm{
mov eax,fs:[0x30]
mov eax,[eax+0x0c]
add eax,0x0c
mov pBeg,eax
mov eax,[eax]
mov pPLD,eax
}

5, 遍历双向链表,找到kernel32.dll。由于有些系统中的kernel32.dll大小写不一样,所以这里在遍历时考虑大小写不同的情况。

while(pPLD!=pBeg)
{
pLast=(WORD*)pPLD->BaseDllName.Buffer;
pFirst=(WORD*)szKernel32;
while(*pFirst && (*pFirst-32==*pLast||*pFirst==*pLast))
{pFirst++,pLast++;}
if(*pFirst==*pLast)
{
dwKernelBase=(DWORD)pPLD->DllBase;
break;
}
pPLD=(LDR_DATA_TABLE_ENTRY*)pPLD->InLoadOrderModuleList.Flink;
}

6, PE操作,遍历kernel32.dll的导出表,根据找到GetProcAddr函数地址。(AddressOfNames的偏移号 对应AddressOfNameOrdinals的偏移,找到的序号为AddressOfFunctions表的偏移)

IMAGE_DOS_HEADER *pIDH=(IMAGE_DOS_HEADER *)dwKernelBase;
IMAGE_NT_HEADERS *pINGS=(IMAGE_NT_HEADERS *)((DWORD)dwKernelBase+pIDH->e_lfanew);
IMAGE_EXPORT_DIRECTORY *pIED=(IMAGE_EXPORT_DIRECTORY*)((DWORD)dwKernelBase+pINGS
->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
DWORD *pAddOfFun_Raw=(DWORD*)((DWORD)dwKernelBase+pIED->AddressOfFunctions);
WORD *pAddOfOrd_Raw=(WORD*)((DWORD)dwKernelBase+pIED->AddressOfNameOrdinals);
DWORD *pAddOfNames_Raw=(DWORD*)((DWORD)dwKernelBase+pIED->AddressOfNames);
DWORD dwCnt=0;
char *pFinded=NULL,*pSrc=szGetProcAddr;
for(;dwCnt<pIED->NumberOfNames;dwCnt++)
{
pFinded=(char *)((DWORD)dwKernelBase+pAddOfNames_Raw[dwCnt]);
while(*pFinded &&*pFinded==*pSrc)
{pFinded++;pSrc++;}
if(*pFinded == *pSrc)
{
pGetProcAddress=(PGETPROCADDRESS)((DWORD)dwKernelBase+pAddOfFun_Raw[pAddOfOrd_Raw[dwCnt]]);
break;
}
pSrc=szGetProcAddr;
}

7, 现在有了GetProcAddr的函数地址,我们可以用LoadLibrary获得任何api的函数地址,并调用。

pLoadLibrary=(PLOADLIBRARY)pGetProcAddress((HMODULE)dwKernelBase,szLoadLibrary);
pMessageBox=(PMESSAGEBOX)pGetProcAddress(pLoadLibrary(szUser32),szMessageBox);
char szTitle[]={'S','h','e','l','l','C','o','d','e',0};
char szContent[]={0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,0x72,0x6c,0x64,0x20,0x21,0};
pMessageBox(NULL,szContent,szTitle,0);

0x02 运行结果

这里Hello World弹窗仅供测试,要实现更多的功能的话还需要你自己去挖掘噢 ╮( ̄▽  ̄)╭

0x03 完整代码

#include<windows.h>
typedef DWORD (WINAPI *PGETPROCADDRESS) (HMODULE hModule,LPCSTR lpProcName);
typedef int (WINAPI * PMESSAGEBOX) (HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType);
typedef HMODULE (WINAPI * PLOADLIBRARY) (LPCTSTR lpFileName);
typedef struct UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
}UNICODE_STRING;
typedef struct PEB_LDR_DATA{
DWORD Length;
BYTE initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
VOID * EntryInProgress;
}PEB_LDR_DATA;
typedef struct LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
void* DllBase;
void* EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
HANDLE SectionHandle;
ULONG CheckSum;
ULONG TimeDateStamp;
}LDR_DATA_TABLE_ENTRY;
void ShellCode()
{
LDR_DATA_TABLE_ENTRY *pPLD=NULL,*pBeg=NULL;
PGETPROCADDRESS pGetProcAddress=NULL;
PMESSAGEBOX pMessageBox=NULL;
PLOADLIBRARY pLoadLibrary=NULL;
WORD *pFirst =NULL,*pLast=NULL;
DWORD ret =0,i=0;
DWORD dwKernelBase=0;
char szKernel32[]={'k',0,'e',0,'r',0,'n',0,'e',0,'l',0,'3',0,'2',0,'.',0,'d',0,'l',0,'l',0,0,0};
char szUser32[]={'U','S','E','R','3','2','.','d','l','l',0};
char szGetProcAddr[]={'G','e','t','P','r','o','c','A','d','d','r','e','s','s',0};
char szLoadLibrary[]={'L','o','a','d','L','i','b','r','a','r','y','A',0};
char szMessageBox[]={'M','e','s','s','a','g','e','B','o','x','A',0};
__asm{
mov eax,fs:[0x30]
mov eax,[eax+0x0c]
add eax,0x0c
mov pBeg,eax
mov eax,[eax]
mov pPLD,eax
}
// 遍历找到kernel32.dll
while(pPLD!=pBeg)
{
pLast=(WORD*)pPLD->BaseDllName.Buffer;
pFirst=(WORD*)szKernel32;
while(*pFirst && (*pFirst-32==*pLast||*pFirst==*pLast))
{ pFirst++,pLast++;}
if(*pFirst==*pLast)
{
dwKernelBase=(DWORD)pPLD->DllBase;
break;
}
pPLD=(LDR_DATA_TABLE_ENTRY*)pPLD->InLoadOrderModuleList.Flink;
}
// 遍历kernel32.dll的导出表,找到GetProcAddr函数地址
IMAGE_DOS_HEADER *pIDH=(IMAGE_DOS_HEADER *)dwKernelBase;
IMAGE_NT_HEADERS *pINGS=(IMAGE_NT_HEADERS *)((DWORD)dwKernelBase+pIDH->e_lfanew);
IMAGE_EXPORT_DIRECTORY *pIED=(IMAGE_EXPORT_DIRECTORY*)((DWORD)dwKernelBase+
pINGS->OptionalHeader.
DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
DWORD *pAddOfFun_Raw=(DWORD*)((DWORD)dwKernelBase+pIED->AddressOfFunctions);
WORD *pAddOfOrd_Raw=(WORD*)((DWORD)dwKernelBase+pIED->AddressOfNameOrdinals);
DWORD *pAddOfNames_Raw=(DWORD*)((DWORD)dwKernelBase+pIED->AddressOfNames);
DWORD dwCnt=0;
char *pFinded=NULL,*pSrc=szGetProcAddr;
for(;dwCnt<pIED->NumberOfNames;dwCnt++)
{
pFinded=(char *)((DWORD)dwKernelBase+pAddOfNames_Raw[dwCnt]);
while(*pFinded &&*pFinded==*pSrc)
{pFinded++;pSrc++;}
if(*pFinded == *pSrc)
{
pGetProcAddress=(PGETPROCADDRESS)((DWORD)dwKernelBase+pAddOfFun_Raw[pAddOfOrd_Raw[dwCnt]]);
break;
}
pSrc=szGetProcAddr;
}
// 有了GetProcAddr 可以获得任何api
pLoadLibrary=(PLOADLIBRARY)pGetProcAddress((HMODULE)dwKernelBase,szLoadLibrary);
pMessageBox=(PMESSAGEBOX)pGetProcAddress(pLoadLibrary(szUser32),szMessageBox);
// 使用函数
char szTitle[]={'S','h','e','l','l','C','o','d','e',0};
char szContent[]={0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,0x72,0x6c,0x64,0x20,0x21,0};
pMessageBox(NULL,szContent,szTitle,0);
}
int main()
{
ShellCode();
return 0;
}

0x04 总结感悟

接下来研究的内容:

  • Hash API

  • 编码方式

  • 简单免杀