Home > Cloud Computing > Cloud Security

Production of Netsowell new shell shelling machine

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

1.0 Preface
==========

I have never written anything for a long time, and I have not spent any instruction or debugging,
So it's easy to write one.

1.1 search for IAT
================

First load with OllyDbg:


Code :--------------------------------------------------------------------------------
01001000> 60 PUSHA
01001001 6A 00 PUSH 0
01001003 E8 00000000 CALL 01001008
01001008 55 PUSH EBP
01001009 8BEC mov ebp, ESP
0100100B 81EC 20020000 sub esp, 220
01001011 53 PUSH EBX
01001012 56 PUSH ESI
01001013 57 push edi; ntdll.7C930738
01001014 8DBD E0FDFFFF lea edi, [EBP-220]
0100101A B9 88000000 mov ecx, 88
0100101F B8 cccccccccc mov eax, CCCCCCCC
01001024 F3: AB REP STOS DWORD PTR ES: [EDI]
01001026 C745 F8 0000000> mov dword ptr [EBP-8], 0
0100102D 8B45 08 mov eax, [EBP + 8]; notepad. <ModuleEntryPoint>
01001030 8985 E0FDFFFF MOV [EBP-220], EAX
--------------------------------------------------------------------------------

 

Enter "hr esp-4" in Cmdbar"
After running F9, enter the password "123456" to interrupt the OEP:

 

Code :--------------------------------------------------------------------------------
00A01F41 E8 00000000 CALL 00A01F46
00A01F46 58 pop eax; kernel32.7C816D4F
00A01F47 2D 461FA000 sub eax, 0A01F46
00A01F4C 8B9D 74 fcffff mov ebx, [EBP-38C]
00A01F52 035D 08 add ebx, [EBP + 8]; notepad. <ModuleEntryPoint>
00A01F55 8998 621FA000 MOV [EAX + A01F62], EBX
00A01F5B C9 LEAVE
00A01F5C C9 LEAVE
00A01F5D 83C4 10 add esp, 10
00A01F60 61 POPA
00A01F61 68 9D730001 PUSH 100739D; interrupt here
00A01F66 C3 RETN
--------------------------------------------------------------------------------

 

We can see that OEP = 100739D.

1.2 IAT repair
================

Go to OEP and select a call:


Code :--------------------------------------------------------------------------------
0100739D 6A 70 PUSH 70
0100739F 68 98180001 PUSH 01001898
010073A4 E8 BF010000 CALL 01007568
010073A9 33DB xor ebx, EBX
010073AB 53 PUSH EBX
010073AC 8B3D CC100001 mov edi, [10010CC ];
010073B2 FFD7 call edi; ntdll.7C930738
--------------------------------------------------------------------------------

 

Go to [10010CC] and see:

 

Code :--------------------------------------------------------------------------------
01770000 68 9F6E2719 PUSH 19276E9F
01770005 68 816B2819 PUSH 19286B81
0177000A 68 D61EC686 PUSH 86C61ED6
0177000F 68 01028819 PUSH 19880201
01770014 E8 E7FFF9FF CALL 01710000
01770019 0000 ADD [EAX], AL
0177001B 0000 ADD [EAX], AL
0177001D 0000 ADD [EAX], AL
0177001F 0000 ADD [EAX], AL
01770021 0000 ADD [EAX], AL
01770023 0000 ADD [EAX], AL
01770025 0000 ADD [EAX], AL
01770027 0000 ADD & n

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
function of shell shell length of string what function of shell come out of shell quotes first line of shell script shell script list of strings mother of pearl whole shell
Related Article
How does personal cloud security guarantee data security?
Model-driven cloud security-automating cloud security with cl...
Cloud security to achieve effective prevention of the future ...
Focus on three major cloud security areas, you know?
Decrypting Cisco type 5 password hashes
Using redis to write webshell

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More