前言
在恶意软件分析的过程中，经常会遇到shellcode。单独dump出来的shellcode在IDA中很难进行静态分析，而Windows加载器又无法直接执行独立的shellcode，所以需要用工具把shellcode加载到内存中进行动态调试。
虽然已经有BlobRunner这样好用的工具，但我仍然准备自己写一个，以便更好地学习和理解其原理。
代码
#include <windows.h>
#include <stdint.h>
#include <stdio.h>
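/*
 * Read the raw shellcode file at path `shellcode` into a freshly
 * allocated executable region and return its base address.
 *
 * Returns NULL on any failure (file cannot be opened, empty file,
 * seek/tell failure, allocation failure, short read); the reason is
 * reported on stdout. Ownership of the region passes to the caller,
 * who releases it with VirtualFree(base, 0, MEM_RELEASE).
 *
 * The region is PAGE_EXECUTE_READWRITE because the blob is executed in
 * place and may patch itself while under the debugger. This harness runs
 * untrusted code with the loader's own privileges, so it belongs inside
 * an isolated analysis VM.
 */
LPVOID read_shellcodefile_into_memory(char* shellcode)
{
    LPVOID lpBase = NULL;
    long lFileSize = 0;
    size_t cbFile = 0;
    FILE* hFile = fopen(shellcode, "rb");
    if (!hFile)
    {
        printf(" [!] File open fail\n");
        return NULL;
    }
    /* Size the file by seeking to the end; ftell() returns -1L on error. */
    if (fseek(hFile, 0, SEEK_END) != 0)
    {
        printf(" [!] fseek failed\n");
        goto out_close;
    }
    lFileSize = ftell(hFile);
    if (lFileSize <= 0)
    {
        /* 0 means an empty file, -1 a failed ftell(); neither is loadable. */
        printf(" [!] Empty file or ftell failed\n");
        goto out_close;
    }
    if (fseek(hFile, 0, SEEK_SET) != 0)
    {
        printf(" [!] fseek failed\n");
        goto out_close;
    }
    cbFile = (size_t)lFileSize;
    printf(" [*] Shellcode Size: 0x%04lx\n", (unsigned long)cbFile);
    /* Reserve and commit in one call; VirtualAlloc rounds up to page size
     * and zero-fills, so no extra trailing byte is needed. */
    lpBase = VirtualAlloc(NULL, cbFile, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!lpBase)
    {
        printf(" [!] VirtualAlloc failed (error %lu)\n", GetLastError());
        goto out_close;
    }
    /* %p prints the full pointer on both 32- and 64-bit builds. */
    printf(" [*] Allocated Address: %p\n", lpBase);
    /* Read byte-wise so a partial read is detectable by count. */
    if (fread(lpBase, 1, cbFile, hFile) != cbFile)
    {
        printf(" [!] Short read of shellcode file\n");
        VirtualFree(lpBase, 0, MEM_RELEASE);
        lpBase = NULL;
    }
out_close:
    fclose(hFile);
    return lpBase;
}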
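/*
 * Run the shellcode at `entry` on a new thread and wait for it to finish.
 *
 * The thread is created suspended so the analyst can place a breakpoint
 * on `entry` in the debugger before any of the blob runs; it is resumed
 * after a key press on stdin. Blocks until the thread exits.
 *
 * entry: address of the first shellcode byte. Taken as uintptr_t so a
 *        64-bit pointer is not truncated; existing int callers still
 *        convert implicitly.
 * Returns 0 once the thread has exited, -1 if it could not be created,
 * resumed or waited on.
 */
int execute(uintptr_t entry)
{
    DWORD dwId = 0;
    DWORD dwStatus = 0;
    int rc = 0;
    HANDLE hHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)entry, NULL, CREATE_SUSPENDED, &dwId);
    if (!hHandle)
    {
        printf(" [!] CreateThread Failed! (error %lu)\n", GetLastError());
        return -1;
    }
    /* Two adjacent literals: the original "\n\ " was an invalid escape. */
    printf(" [*] Please jmp to %p set a breakpoint\n"
           "     Then press any key to resume the thread\n", (void*)entry);
    getchar();
    /* ResumeThread returns the previous suspend count, or (DWORD)-1 on error. */
    if (ResumeThread(hHandle) == (DWORD)-1)
    {
        printf(" [!] ResumeThread failed (error %lu)\n", GetLastError());
        CloseHandle(hHandle);
        return -1;
    }
    /* Block on the thread instead of spinning on a zero timeout. */
    dwStatus = WaitForSingleObject(hHandle, INFINITE);
    if (dwStatus == WAIT_OBJECT_0)
    {
        printf(" [*] Thread Exited!\n");
    }
    else
    {
        printf(" [!] WaitForSingleObject failed (error %lu)\n", GetLastError());
        rc = -1;
    }
    CloseHandle(hHandle);
    return rc;
}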
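/*
 * Entry point: argv[1] is the path of a raw shellcode file. Loads it into
 * executable memory, reports the entry address for the debugger, runs it
 * on a suspended-then-resumed thread and releases the region afterwards.
 *
 * Exit codes: 0 on success, -1 missing argument, -2 load failure,
 * -3 thread failure.
 */
int main(int argc, char* argv[])
{
    if (argc < 2)
    {
        printf(" [!] Please input the shellcode filename on the parameter\n");
        return -1;
    }
    printf(" [*] Shellcode File: %s\n", argv[1]);
    LPVOID lpBase = read_shellcodefile_into_memory(argv[1]);
    if (!lpBase)
    {
        /* The loader already printed the specific reason. */
        printf(" [!] Failed to load shellcode file\n");
        return -2;
    }
    /* uintptr_t keeps the full address on 64-bit builds (int would truncate). */
    uintptr_t nEntry = (uintptr_t)lpBase;
    printf(" [*] Shellcode EntryPoint: %p\n", lpBase);
    int rc = execute(nEntry);
    VirtualFree(lpBase, 0, MEM_RELEASE);
    return rc == 0 ? 0 : -3;
}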
使用方法
首先使用Metasploit工具msfvenom快速生成使用winexec创建计算器的shellcode
msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -o calc.bin
使用OD打开编译好的工具，将shellcode文件名作为命令行参数填写
按F9运行程序，跳转到输出的shellcode入口点并设置断点
设置好断点后，按任意键恢复线程，程序会在shellcode入口处断下，然后就可以进行调试了