Shellcode Programming Tips

Source: Internet
Author: User

Work needs to inject other programs to monitor something, the detected data is sent to the display form via wm_copy messages. (This is mostly not finalized yet)

# #1 Select a Frame # #

Tombkeeper/shellcode_template_in_c

Mattifestation/pic_bindshell

Frame selection, I chose the first, gynecological giant tomkeeper provided by the framework, compared to find this relatively simple.

# #2 Build Frame # #

I use VS10, (VS15 I tried all kinds of mistakes, maybe I am stupid, with the tube of VS10)

-Create a new solution (name to see your preference)

-A new empty Win32console project on the solution

-Create a new xxxx.c file on the project and copy the contents of the shellcode.c in the Tomkeeper project.

-Compile and try it.

-Other 2 tool file codes, which are the tools used to generate the string (STR2INTARR.C) and the gethash.c of the generated function hash macro definition (same as above)

-I have defined a string-generated enhanced version (as follows, I am the CPP file, and the above is different), according to the 2nd parameter <a/w> the string into a multibyte string and a wide-byte string.

#include <Windows.h>int_tmain (intargcChar*argv[]) {    if(ARGC <2) {printf ("Use %s <a/w> <string> \ n", argv[0]); }Else{printf ("DWORD str[] = {\n\t"); if(argv[1][0] =='a')        {            intStrLen = StrLen (argv[2]); StrLen= (StrLen/4+1)*4; intn = strLen/4 ; DWORD* PArry = (dword*)malloc(StrLen);            ZeroMemory (Parry,strlen); memcpy (parry,argv[2],strlen (argv[2]));  for(intI=0; i<n;i++) {printf ("0x%08x", * (parry+i)); if(I! = N1) {printf (", "); }                if(I && i%9==8) {printf ("\n\t"); }            }                }Else        {            intStrLen = StrLen (argv[2]); intNalloc = strlen*2+4; DWORD* Pwchar = (dword*)malloc(Nalloc);            ZeroMemory (Pwchar,nalloc); MultiByteToWideChar (GETACP (), null,argv[2],strlen, (wchar*) Pwchar,strlen); intn = (strlen/2+1);  for(intI=0;i< n;i++) {printf ("0x%08x", * (pwchar+i)); if(I! = N1) {printf (", "); }                if(I && i%9==8) {printf ("\n\t"); }}} printf ("\ n};");    GetChar (); }    return 0;}

# #3 the settings for compilation Options # #

The setting of the compilation option is directly related to the exact calculation of the shellcode size, the order of the Code, and the degree of refinement of the code, as well as the GS ... Whether it was added.

-Set to release mode, I will not say more, everyone will

-Get rid of GS option, if do not remove shellcode () there will be the GS detection function INSERT, this is what we do not want.

-Opt, I choose disable when commissioning, I use MinSize (smaller size) when I publish. Disable code sequence is the same as a lot more Int3 (cc).

-Debuging:generate Debug Info under linker I set to Yes. Easy to debug, no impact on Shellcode

# #4 Test the correctness of Shellcode # #

Tomkeeper's project can output shellcode in the form of a C array, and I've added a function to dump the shellcode into a 2 binary file.

-Using C array, char shellcode[] = {0xb8,....}; __asm{call Shellcode}, so be aware that the NX of the project is turned off (Data Execution protection DEP) and will not be self-brain

-the 2nd reads the dump file into the application's readable writable executable memory, then __asm {call Lpmem}. (I use this method, do not have to copy the paste, compile, execute)

# #5 Tips (troubleshooting, Programming Experience) # #

-Do not use *1.02 this floating-point algorithm, will die on such a command, the 2b2040 will definitely be wrong

000300B3 df6d D8 fild QWORD PTR ss:[ebp-28]
000300b6 dc0d 40202b00 fmul QWORD PTR ds:[2b2040]
000300BC d97d D6 FSTCW WORD PTR ss:[ebp-2a]

-How to follow the Shellcode after the configuration information for easy testing?

Shellcode will have a long view with some configuration information. Generally these are later used with tools to merge up.

It's too much trouble for us to debug every time we try to add a change. So use the #define NAKED __declspec (NAKED) and __asm{__emit 0XBB}

__emit can make the data written to the code snippet in the form of code, which is shellcode. Remember and DWORD str[] = {0xabcdef,0xbaddef ...} This technology separates. This enables the deposit of arbitrary data

NAKED Optimization: When we use the MinSize option, the code may be optimized, I tried, so I used the NAKED, notice that the function must have parameters, the declaration is not implemented.

Finally: In the place that will never be called, the compiler will definitely omit

void void0xff0xfe 0xff     .}

-Function Relocation

Our shellcode are all called by call, when the compiler has already calculated the offset, so there is no relocation problem, but to createthread this will pass into the function address as a parameter function will be the first problem;

The solution is to dynamically compute the address.

DWORD Geteip () {    __asm{call        get_eipget_eip:        pop eax    }}void  WINAPI adjustfunction (struct adjustfunctions* pfuns) {    DWORD dwgeteip;         = Geteip ();      8    ; Computes the address of the GETEIP () function in memory        pfuns->lpthreadproc = (DWORD) dwgeteip+ (DWORD) threadproc- (DWORD) GETEIP); Use the GETEIP () function as a reference to dynamically calculate the address of other functions}
When called, write this
Hthread = Modules.kernel32.CreateThread (null,0,adjustfuns. Lpthreadproc, &param,0,null);

Ps:shellcode really save the place, wrote so much code is not 2K yet.

Shellcode Programming Tips

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.