解析coff文件之提取shellcode代码

admin_user

呵.....就叫SClinker吧-.-Shell code linker...
主要是提取代码段(.text)的数据,这个还算不上是真正的linker.
其他说明：
第一请不要再shellcode中全局变量.
第二请不要调用API（你懂的-.-）
shellcode无聊代码：

1.      .386
   
2.         .model flat,stdcall
   
3.         option casemap:none
   
4. include windows.inc
   
5.     .code
   
6. start:
   
7. ;瞎编乱写仅仅用于举例
   
8. mov eax,410f2h ;补丁地址
   
9. mov byte ptr[eax],90h ;nop指令
   
10. mov ebx,[eax+4]
    
11. .if ebx==0E8h
    
12. mov byte ptr[ebx],90h
    
13. .endif
    
14. end start

复制代码

命令行:
SCLinker obj文件 目标文件
例如:SCLinker myshellcode.obj shellcode.bin
把这个加在MakeFile里面就很方便了 呵呵

1. 
   
2. <p> #include <stdio.h>
   
3. #include <stdlib.h>
   
4. #include <string.h>
   
5. #pragma pack(push)
   
6. #pragma pack(1)
   
7. typedef struct{
   
8.     unsigned short usMagic;
   
9.     unsigned short usNumSec;
   
10.     unsigned long ulTime;
    
11.     unsigned long ulSymolOffset;
    
12.     unsigned long ulNumSymbol;
    
13.     unsigned short usOptHdrSZ;
    
14.     unsigned short usFlags;
    
15. }COFF_FILE_HEADER;
    
16. typedef struct {
    
17.     unsigned short usMagic;
    
18.     unsigned short usVersion;
    
19.     unsigned long ulTextSize;
    
20.     unsigned long ulInitDataSZ;
    
21.     unsigned long ulUnintiDataSZ;
    
22.     unsigned long uEntry;
    
23.     unsigned long ulTextBase;
    
24.     unsigned long ulDataBase;
    
25. }OPTHDR;
    
26. typedef struct {
    
27.     char cName[8];
    
28.     unsigned long ulVSize;
    
29.     unsigned long ulVAddr;
    
30.     unsigned long ulSize;
    
31.     unsigned long ulSecOffset;
    
32.     unsigned long ulRelOffset;
    
33.     unsigned long ulLNOffset;
    
34.     unsigned short ulNumRel;
    
35.     unsigned short ulNumLN;
    
36.     unsigned long ulFlags;
    
37. }SECHDR;</p><p>typedef struct {
    
38.     unsigned long ulAddr;/* virtual address of reference */
    
39.     unsigned long uSymbol;
    
40.     unsigned short usType;
    
41. } RELOC;</p><p>typedef struct {
    
42.     unsigned long ulAddrORSymbol;
    
43.     unsigned short usLineNq;</p><p>} LINENO;</p><p>typedef struct {
    
44.     union {
    
45.         char cName[8];
    
46.         struct {
    
47.             unsigned long ulZero;
    
48.             unsigned long ulOffset;
    
49.         }e;
    
50.     }e;
    
51.     unsigned long ulValue;
    
52.     short iSection;
    
53.     unsigned short usType;
    
54.     unsigned char usClass;
    
55.     unsigned char usNumAux;
    
56. }SYMENT;
    
57. #pragma pack(pop)</p><p>int main(int argv,char **argc)
    
58. {
    
59.     FILE *fp;
    
60.     COFF_FILE_HEADER head;
    
61.     OPTHDR option;
    
62.     SECHDR sec;
    
63.     if (argv<3)
    
64.     {
    
65.         printf("参数错误[SCLinker obj文件 目标文件]\n");
    
66.         return -1;
    
67.     }
    
68.     fp=fopen(argc[1],"rb+");
    
69.     if(!fp)
    
70.     {
    
71.         printf("文件不能打开\n");
    
72.         return -1;
    
73.     }
    
74.     // 读入文件头
    
75.     fread(&head,sizeof(head),1,fp);\
    
76.     if(head.usMagic!=0x014c)
    
77.     {
    
78.         printf("不是有效的coff文件\n");
    
79.         goto exit_;
    
80.     }
    
81.     if (head.usOptHdrSZ!=0)
    
82.     {
    
83.         //文件指针正好指向 Optional Header
    
84.         //不用fseek 因为有可能会用到这个结构
    
85.         fread(&option,sizeof(OPTHDR),1,fp);
    
86.     }
    
87.     for (unsigned i=0;i<head.usnumsec;i++)
    
88.     {
    
89.         fread(&sec,sizeof(SECHDR),1,fp);
    
90.         if(!strcmp(sec.cName,".text"))
    
91.         {
    
92.             char *buff;
    
93.             FILE *s;
    
94.             fseek(fp,sec.ulSecOffset,SEEK_SET);
    
95.             buff = new char[sec.ulSize];
    
96.             fread(buff,sec.ulSize,1,fp);
    
97.             s=fopen(argc[2],"wb+");
    
98.             fwrite(buff,sec.ulSize,1,s);
    
99.             fclose(s);
    
100.             break;
     
101.         }
     
102.     }
     
103. exit_:
     
104.     fclose(fp);
     
105.     return 0;
     
106. }</p>

复制代码