
Obfuscated code fails to execute #2

Open
zaza6677 opened this issue Nov 13, 2024 · 4 comments

Comments

@zaza6677

Hi, I just tested the obfuscated shellcode and it fails to execute; the message box never pops up.
Code: the sample code
Build environment: VS2019 with clang, configured as follows
[two screenshots of the build configuration]
I tested with

```c
#include <stdio.h>
unsigned char obf_shellcode[] = {......};
int main() {
    /* function pointer aimed at the start of the shellcode buffer */
    void (*func)() = (void (*)())obf_shellcode;
    asm volatile (
        "call *%0"
        :
        : "r"(func)
        /* the call clobbers the Windows x64 caller-saved registers and memory */
        : "rax", "rcx", "rdx", "r8", "r9", "r10", "r11", "memory"
    );

    return 0;

}
```

and the traditional execution method; both fail.

```c
/* data: the shellcode byte array */
void* p = VirtualAlloc(NULL, sizeof data, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(p, data, sizeof data);
((void(*)())p)();
```

Is it a problem with the way it is executed, or something else? Could you give an execution example? Thanks~

@HackerCalico
Owner

HackerCalico commented Nov 13, 2024

In the sample, the ShellCode call site has to add an offset, and the call argument is LoadLibraryA("user32"); take a look at the README. I would rather recommend running the generated inline assembly, since that avoids the suspicious behaviour of allocating memory.
The call code is at the very bottom of the generated output: ((void(*)(...))((PBYTE)ShellCode + 1050))(LoadLibraryA("user32"));

@zaza6677
Author

It works now 🙏. It was an output problem earlier; a few lines of code were missing.

@zaza6677
Author

One more question, also mentioned in the code: register jumps like jcc / jmp rax and gs instructions are not supported. Most shellcode generators today obtain the module base through gs and fs, so shellcode generated by some older projects can no longer be made compatible.

@HackerCalico
Owner

Something like jmp rax probably comes from using switch/case; change it to if/else and it goes away.
gs: cannot be used because the Keystone library has a bug: the machine code it assembles for the instruction is incorrect, and that is troublesome to fix.
You can also obtain the DLL base address by searching backwards from the address of a low-risk Kernel32 API for MZ9000.
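The backward search the owner describes, from a Kernel32 export address down to the "MZ9000" bytes (4D 5A 90 00: the e_magic "MZ" followed by e_cblp = 0x0090, which is how a typical PE image begins), as an added example in C. It is not code from the project or from this thread. It runs offline against a constructed, page-aligned buffer that imitates a loaded image, including a decoy page that starts with the MZ bytes but has no PE signature, so the e_lfanew check is exercised; `build_fake_module`, `find_module_base`, the fake layout and the `max_pages` bound are assumptions for illustration. On Windows the starting address would be a real export of the already-loaded kernel32.dll (the import table or a known pointer supplies it), and the walk then needs no fs/gs access at all.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE 0x1000u

/* Constructed stand-in for a loaded PE image (not a real Windows module):
 * four page-aligned pages. Page 0 carries the DOS header bytes 4D 5A 90 00
 * and an e_lfanew (offset 0x3C) that points at a "PE\0\0" signature.
 * Page 1 is a decoy: it starts with the same MZ bytes but has no PE signature. */
static unsigned char backing[5 * PAGE_SIZE];

static unsigned char *build_fake_module(void) {
    /* round the static buffer up to a page boundary, like a real image base */
    uintptr_t aligned = ((uintptr_t)backing + PAGE_SIZE - 1) & ~(uintptr_t)(PAGE_SIZE - 1);
    unsigned char *img = (unsigned char *)aligned;
    memset(img, 0, 4 * PAGE_SIZE);

    img[0] = 'M';  img[1] = 'Z';             /* IMAGE_DOS_HEADER.e_magic          */
    img[2] = 0x90; img[3] = 0x00;            /* IMAGE_DOS_HEADER.e_cblp = 0x0090  */
    uint32_t e_lfanew = 0x80;
    memcpy(img + 0x3C, &e_lfanew, sizeof e_lfanew);   /* IMAGE_DOS_HEADER.e_lfanew */
    memcpy(img + e_lfanew, "PE\0\0", 4);     /* IMAGE_NT_HEADERS.Signature        */

    /* decoy page: MZ bytes present, e_lfanew left at 0, so no "PE\0\0" follows */
    unsigned char *decoy = img + 1 * PAGE_SIZE;
    decoy[0] = 'M'; decoy[1] = 'Z'; decoy[2] = 0x90; decoy[3] = 0x00;

    /* pretend export three pages into the image: a lone ret */
    img[3 * PAGE_SIZE + 0x123] = 0xC3;
    return img;
}

/* Walk back from an address inside the image one page at a time, the way
 * shellcode walks back from a known Kernel32 export, until a page begins with
 * the DOS header bytes and its e_lfanew leads to "PE\0\0". Image bases are
 * page aligned, so only page starts are inspected. max_pages bounds the walk
 * so the constructed buffer is never left; in a real process every page from
 * the base up to the export is mapped, so the walk reaches the base first. */
static const unsigned char *find_module_base(const void *addr, size_t max_pages) {
    uintptr_t page = (uintptr_t)addr & ~(uintptr_t)(PAGE_SIZE - 1);
    for (size_t i = 0; i < max_pages; i++, page -= PAGE_SIZE) {
        const unsigned char *p = (const unsigned char *)page;
        if (p[0] != 'M' || p[1] != 'Z' || p[2] != 0x90 || p[3] != 0x00)
            continue;
        uint32_t e_lfanew;
        memcpy(&e_lfanew, p + 0x3C, sizeof e_lfanew);
        /* reject MZ look-alikes (data pages, decoys) that lack the PE signature */
        if (e_lfanew <= PAGE_SIZE - 4 && memcmp(p + e_lfanew, "PE\0\0", 4) == 0)
            return p;
    }
    return NULL;
}

int main(void) {
    unsigned char *img = build_fake_module();
    const unsigned char *api = img + 3 * PAGE_SIZE + 0x123;  /* stands in for a Kernel32 export */
    const unsigned char *base = find_module_base(api, 4);
    if (base == NULL) {
        puts("base not found");
        return 1;
    }
    printf("base found %lu bytes below the export (%s)\n",
           (unsigned long)(api - base), base == img ? "correct" : "wrong");
    return base == img ? 0 : 1;
}
```

The PE-signature check is what makes this usable as a replacement for gs:[0x60]: without it, any readable page that happens to start with 4D 5A 90 00 would be reported as the base, and real images leave copies of their own headers and other MZ-prefixed blobs in resource and data sections.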
