// aa.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#define BUFF_SIZE 100
//shellcode字段
//-----------------------------------------------------------------------
// void shellcode()
// Demonstration payload written as 32-bit x86 MSVC inline asm. The
// function body is never meant to be called as a C++ function: main()
// reads its machine code, searches for the four leading nops
// (0x90909090), and copies every byte up to the four trailing nops into
// a buffer that it prints and then executes.
//
// Effect of the extracted bytes: build the string "user32" on the stack,
// call LoadLibraryA("user32"), then MessageBoxA(0, "user32", "user32",
// MB_OK), restore esp and return.
//
// Both API addresses are absolute values for the one Windows XP SP3
// build the author used (see the comments on the mov instructions); on
// any other build, or with ASLR, they point elsewhere and the call
// faults. The loader in main() executes stack memory, which DEP/NX
// blocks, so the test only behaves as described where that protection
// is off.
//
// Register roles: ebx = 0 throughout (reused for every zero argument and
// the string terminator); eax = string pointer, then call target.
// Stack: both APIs are stdcall, so after each call only the 8-byte
// "user32\0\0" string remains, which the two trailing pops discard.
//-----------------------------------------------------------------------
void shellcode()
{
__asm{
nop ;0x90 x4 = start marker that main() scans for; not part of the payload
nop
nop
nop
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;real entry of the extracted bytes
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
xor ebx,ebx ;ebx = 0, reused below for every zero argument
push ebx ;4 zero bytes: string terminator (author avoids a literal \x00 in the code)
mov WORD ptr [esp],0x3233 ;low word <- "32" (little-endian), stack now "32\0\0"
push 0x72657375 ;"user" -> stack now "user32\0\0"
mov eax,esp ;eax = &"user32" (equivalent of char a[]="user32"; lea eax,a;)
push ebx ;MessageBoxA arg: uType = MB_OK (0)
push eax ;MessageBoxA arg: lpCaption = "user32"
push eax ;MessageBoxA arg: lpText = "user32"
push ebx ;MessageBoxA arg: hWnd = 0
push eax ;LoadLibraryA arg: lpLibFileName = "user32"
mov eax,0x7C801D7B ;LoadLibraryA, absolute address on the author's XP SP3 build only
call eax ;stdcall: callee removes its 1 argument
mov eax,077D507EAh ;MessageBoxA, absolute address on the author's XP SP3 build only
call eax ;stdcall: callee removes its 4 arguments
pop eax ;discard "user" (stack balance)
pop eax ;discard "32\0\0" (stack balance)
ret ;return to the caller of the extracted bytes (main()'s test call)
// mov eax,077C09E7Eh ;exit() on the author's XP SP3 build, left disabled
// call eax ;encoding FFD0, left disabled
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
nop ;0x90 x4 = end marker that main() stops at; not part of the payload
nop
nop
nop
}
}
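// Entry point of the demo. Extracts the hand-written bytes that shellcode()
// brackets between two runs of four nops, prints them as a C string literal
// ("char ShellCode[]=..."), copies them into a stack buffer and calls that
// buffer once to test them.
//
// Returns 0 in every case; all output and diagnostics go to stdout.
//
// Scanning the machine code of shellcode() is inherently fragile: the
// compiler may emit padding or reorder code, and the original loops had no
// upper bound, so a missing marker meant reading memory past the function
// indefinitely. Both scans are therefore capped at kScanLimit bytes (a
// constructed bound, not a value taken from the original).
//
// The final call executes stack memory; with DEP/NX enabled that call faults
// instead of running the copied bytes, and the bytes themselves hard-code
// API addresses for one XP SP3 build, so the test only behaves as described
// on that build.
int main()
{
    const DWORD NOP_MARKER=0x90909090;        // four consecutive nop (0x90) bytes
    const DWORD kScanLimit=4096;              // constructed: max bytes inspected from shellcode()
    char shell[BUFF_SIZE];                    // copy of the extracted bytes (executed below)
    const char *buff=(const char *)((void *)shellcode);
    int count=0;                              // number of bytes copied into shell[]

    // 1. Locate the leading marker; everything before it is compiler prologue.
    DWORD i=0;
    for(;;)
    {
        if(i+sizeof(DWORD)>kScanLimit)
        {
            printf("start marker (4 x nop) not found within %lu bytes of shellcode()\n",(unsigned long)kScanLimit);
            return 0;
        }
        if(*(const DWORD *)(buff+i)==NOP_MARKER) break;
        i++;
    }
    DWORD start_offset=i+sizeof(DWORD);       // first byte of the real payload
    printf("char ShellCode[]=\n\"");         // open the string literal

    // 2. Copy and print bytes until the trailing marker, 16 per source line.
    for(;;)
    {
        if(start_offset+sizeof(DWORD)>kScanLimit)
        {
            printf("\"\nend marker (4 x nop) not found within %lu bytes of shellcode()\n",(unsigned long)kScanLimit);
            return 0;
        }
        if(*(const DWORD *)(buff+start_offset)==NOP_MARKER) break;
        if(count && count%16==0) printf("\"\n\"");   // wrap every 16 bytes
        printf("\\x%02X",(unsigned char)buff[start_offset]);
        shell[count]=(unsigned char)buff[start_offset];
        count++;
        if(count>=BUFF_SIZE)                  // shell[] is full: refuse to overflow it
        {
            printf("预设BUFF_SIZE=%d太小了\n",BUFF_SIZE);
            return 0;
        }
        start_offset++;
    }
    printf("\";\n");
    printf("\nthe code length=%d\n",count);

    // 3. Test: call the copied bytes. Requires an executable stack.
    ((void (*)(void)) &shell)();
    return 0;
}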