```nasm
global _start
_start:
    fabs                    ; any FPU instruction, so the FPU records its address
    fnstenv [esp]           ; save the FPU environment; offset 12 of the structure holds the runtime address of the last executed FPU instruction
    pop edx
    pop edx
    pop edx
    pop edx                 ; fourth pop: edx now holds the runtime address of fabs
    sub dl, -25             ; edx = edx + 25: 25 is the offset from fabs to shellcode (adding via dl avoids a null byte; assumes no carry out of the low byte)
begin:
    xor ecx, ecx            ; zero the loop counter ecx
    sub cx, -0x15F          ; set cx to the shellcode length
decode:
    xor byte [edx], 0x99    ; decode one byte with the XOR key (edx, the register that received the address)
    inc edx                 ; advance to the next byte
    loop decode             ; loop until the whole shellcode is decoded
shellcode:
    db ...
```
JMP/CALL decoder
```nasm
global _start
_start:
    jmp short getdata       ; jump to getdata
begin:
    pop ebx                 ; pop the address of shellcode (pushed by the call below)
    xor ecx, ecx            ; zero the loop counter ecx
    sub cx, -0x15F          ; set cx to the shellcode length
decode:
    xor byte [ebx], 0x99    ; decode one byte with the XOR key
    inc ebx                 ; advance to the next byte
    loop decode             ; loop until the whole shellcode is decoded
    jmp short shellcode     ; jump to the decoded shellcode
getdata:
    call begin              ; push the address of the next instruction (shellcode) and jump to begin
shellcode:                  ; XOR-encoded shellcode
    db ...
```
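As an added example (not from the original notes), a small Python scanner that recognises the prologues of both decoders above in a byte buffer: the fnstenv/pop GetPC sequence and the jmp/call/pop sequence. It goes a step beyond fixed-byte matching by following the jmp and call displacements structurally. The two sample stubs are hand-assembled from the listings (opcodes and offsets in the comments) and are followed by placeholder payload bytes, not real shellcode.

```python
import struct
POP_R32 = range(0x58, 0x60)  # one-byte pop eax .. pop edi
FNSTENV_ESP = (b"\xd9\x34\x24", b"\xd9\x74\x24\xf4")  # fnstenv [esp] / fnstenv [esp-12]

def find_getpc_stubs(buf: bytes):
    """Return (kind, offset) for each GetPC decoder prologue found in buf."""
    hits = []
    for i in range(len(buf)):
        # Variant 1: fnstenv [esp] with a pop r32 within the next 4 bytes (recovers the
        # address of the last FPU instruction). Legitimate FPU code can match too: a hint.
        for sig in FNSTENV_ESP:
            if buf.startswith(sig, i):
                tail = buf[i + len(sig):i + len(sig) + 4]
                if any(b in POP_R32 for b in tail):
                    hits.append(("fnstenv", i))
        # Variant 2: jmp short forward to a call rel32 that lands backwards, between the
        # jmp and the call, on a pop r32 that takes the return address call pushed.
        if buf[i] == 0xEB and i + 1 < len(buf):
            disp = struct.unpack_from("<b", buf, i + 1)[0]
            t = i + 2 + disp
            if disp > 0 and t + 5 <= len(buf) and buf[t] == 0xE8:
                rel = struct.unpack_from("<i", buf, t + 1)[0]
                c = t + 5 + rel
                if i + 2 <= c < t and buf[c] in POP_R32:
                    hits.append(("jmp_call_pop", i))
    return hits

# Constructed samples: the two stubs above hand-assembled (offsets in comments),
# each followed by placeholder payload bytes instead of real encoded shellcode.
JMP_CALL_STUB = bytes.fromhex(
    "eb10"            # 0:  jmp short getdata (+16)
    "5b"              # 2:  begin: pop ebx
    "31c96681e9a1fe"  # 3:  xor ecx, ecx ; sub cx, -0x15F
    "803399"          # 10: decode: xor byte [ebx], 0x99
    "43"              # 13: inc ebx
    "e2fa"            # 14: loop decode (-6)
    "eb05"            # 16: jmp short shellcode (+5)
    "e8ebffffff"      # 18: getdata: call begin (-21)
) + b"\x99" * 8       # 23: shellcode (placeholder)
FNSTENV_STUB = bytes.fromhex(
    "d9e1"            # 0:  fabs
    "d93424"          # 2:  fnstenv [esp]
    "5a5a5a5a"        # 5:  pop edx x4 -> edx = address of fabs
    "80eae7"          # 9:  sub dl, -25 -> edx = shellcode
    "31c96681e9a1fe"  # 12: xor ecx, ecx ; sub cx, -0x15F
    "803299"          # 19: decode: xor byte [edx], 0x99
    "42"              # 22: inc edx
    "e2fa"            # 23: loop decode (-6)
) + b"\x99" * 8       # 25: shellcode (placeholder)
```

Run `find_getpc_stubs(JMP_CALL_STUB)` and `find_getpc_stubs(FNSTENV_STUB)` to see one hit each at the stub start; the fnstenv hit in particular should be confirmed by looking at the surrounding code before treating it as a decoder.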
Shellcode tools
Character sets
Alphanumeric instruction set
Alphanumeric shellcode: written in AT&T syntax; %{16bit} denotes a 16-bit register, (%{64bit}) denotes a memory operand addressed through a 64-bit register, and [byte] denotes a byte-sized immediate.
X86 alphanumeric opcodes
X64 alphanumeric opcodes
ASCII instruction set
Ascii shellcode
Encoding tools
Tools can do the encoding, but current challenges impose fairly strict constraints, so the encoder usually has to be written by hand:
pwntools encoders: in the author's own words this is still a mess and not of much use right now
msfvenom: the one I currently use; easy to install and works without problems
ALPHA3: installation seems a bit inconvenient and there are some compatibility issues
AE64
PolyAsciiShellGen: Caezar ASCII Shellcode Generator
pwntools encoders
Installation is not covered here.
For usage see the documentation: /en/latest/
msfvenom
Installation
A module of msf. Bundled with Kali; on other systems install it from the official site.
Usage
First run msfvenom -l encoders to pick an encoder:
```
$ msfvenom -l encoders

Framework Encoders [--encoder <value>]
======================================

    Name                          Rank       Description
    ----                          ----       -----------
    cmd/brace                     low        Bash Brace Expansion Command Encoder
    cmd/echo                      good       Echo Command Encoder
    cmd/generic_sh                manual     Generic Shell Variable Substitution Command Encoder
    cmd/ifs                       low        Bourne ${IFS} Substitution Command Encoder
    cmd/perl                      normal     Perl Command Encoder
    cmd/powershell_base64         excellent  Powershell Base64 Command Encoder
    cmd/printf_php_mq             manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/eicar                 manual     The EICAR Encoder
    generic/none                  normal     The "none" Encoder
    mipsbe/byte_xori              normal     Byte XORi Encoder
    mipsbe/longxor                normal     XOR Encoder
    mipsle/byte_xori              normal     Byte XORi Encoder
    mipsle/longxor                normal     XOR Encoder
    php/base64                    great      PHP Base64 Encoder
    ppc/longxor                   normal     PPC LongXOR Encoder
    ppc/longxor_tag               normal     PPC LongXOR Encoder
    ruby/base64                   great      Ruby Base64 Encoder
    sparc/longxor_tag             normal     SPARC DWORD XOR Encoder
    x64/xor                       normal     XOR Encoder
    x64/xor_context               normal     Hostname-based Context Keyed Payload Encoder
    x64/xor_dynamic               normal     Dynamic key XOR Encoder
    x64/zutto_dekiru              manual     Zutto Dekiru
    x86/add_sub                   manual     Add/Sub Encoder
    x86/alpha_mixed               low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper               low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_underscore_tolower  manual     Avoid underscore/tolower
    x86/avoid_utf8_tolower        manual     Avoid UTF8/tolower
    x86/bloxor                    manual     BloXor - A Metamorphic Block Based XOR Encoder
    x86/bmp_polyglot              manual     BMP Polyglot
    x86/call4_dword_xor           normal     Call+4 Dword XOR Encoder
    x86/context_cpuid             manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat              manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time              manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown                 normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov               normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive         normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha                  low        Non-Alpha Encoder
    x86/nonupper                  low        Non-Upper Encoder
    x86/opt_sub                   manual     Sub Encoder (optimised)
    x86/service                   manual     Register Service
    x86/shikata_ga_nai            excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit         manual     Single Static Bit
    x86/unicode_mixed             manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper             manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
    x86/xor_dynamic               normal     Dynamic key XOR Encoder
```