admin_user 发表于 2015-3-11 14:25:37

解析coff文件之提取shellcode代码

呵.....就叫SClinker吧-.-Shell code linker...
主要是提取代码段(.text)的数据,这个还算不上是真正的linker.
其他说明:
第一请不要在shellcode中使用全局变量.
第二请不要调用API(你懂的-.-)
shellcode无聊代码:   .386
      .model flat,stdcall
      option casemap:none
include windows.inc
    .code
start:
;瞎编乱写仅仅用于举例
mov eax,410f2h ;补丁地址
mov byte ptr,90h ;nop指令
mov ebx,
.if ebx==0E8h
mov byte ptr,90h
.endif
end start


命令行:
SCLinker obj文件 目标文件
例如:SCLinker myshellcode.obj shellcode.bin
把这个加在MakeFile里面就很方便了 呵呵


#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
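#pragma pack(push)
#pragma pack(1)
/*
 * On-disk layout of an i386 COFF object (the format MASM/ML emits).
 * All structures are byte-packed. Fixed-width types are used so that
 * sizeof() stays correct on LP64 targets, where `unsigned long` is 8 bytes
 * and would make every header too large to match the file.
 */
typedef struct{
    uint16_t usMagic;        /* machine type; 0x014c for i386 */
    uint16_t usNumSec;       /* number of section headers that follow */
    uint32_t ulTime;
    uint32_t ulSymolOffset;  /* file offset of the symbol table */
    uint32_t ulNumSymbol;
    uint16_t usOptHdrSZ;     /* size of the optional header; 0 for objects */
    uint16_t usFlags;
}COFF_FILE_HEADER;
/* Optional header. Kept for reference; this tool skips it by usOptHdrSZ. */
typedef struct {
    uint16_t usMagic;
    uint16_t usVersion;
    uint32_t ulTextSize;
    uint32_t ulInitDataSZ;
    uint32_t ulUnintiDataSZ;
    uint32_t uEntry;
    uint32_t ulTextBase;
    uint32_t ulDataBase;
}OPTHDR;
typedef struct {
    char cName[8];           /* NUL-padded, NOT guaranteed NUL-terminated */
    uint32_t ulVSize;
    uint32_t ulVAddr;
    uint32_t ulSize;         /* size of the raw data in the file */
    uint32_t ulSecOffset;    /* file offset of the raw data */
    uint32_t ulRelOffset;
    uint32_t ulLNOffset;
    uint16_t ulNumRel;
    uint16_t ulNumLN;
    uint32_t ulFlags;
}SECHDR;
typedef struct {
    uint32_t ulAddr;/* virtual address of reference */
    uint32_t uSymbol;
    uint16_t usType;
} RELOC;
typedef struct {
    uint32_t ulAddrORSymbol;
    uint16_t usLineNq;
} LINENO;
typedef struct {
    union {
      char cName[8];         /* short name, or ulZero==0 + string-table offset */
      struct {
            uint32_t ulZero;
            uint32_t ulOffset;
      }e;
    }e;
    uint32_t ulValue;
    int16_t iSection;
    uint16_t usType;
    uint8_t usClass;
    uint8_t usNumAux;
}SYMENT;
#pragma pack(pop)

/* The packing above must reproduce the sizes the file format dictates. */
_Static_assert(sizeof(COFF_FILE_HEADER) == 20, "COFF file header must be 20 bytes");
_Static_assert(sizeof(OPTHDR) == 28, "optional header must be 28 bytes");
_Static_assert(sizeof(SECHDR) == 40, "section header must be 40 bytes");
_Static_assert(sizeof(RELOC) == 10, "relocation entry must be 10 bytes");
_Static_assert(sizeof(LINENO) == 6, "line-number entry must be 6 bytes");
_Static_assert(sizeof(SYMENT) == 18, "symbol entry must be 18 bytes");

/* Result codes of read_text_section(); SC_OK is 0, everything else is an error. */
enum sc_status {
    SC_OK = 0,
    SC_ERR_READ,     /* truncated file or I/O error while reading */
    SC_ERR_MAGIC,    /* not an i386 COFF object */
    SC_ERR_NO_TEXT,  /* no section named ".text" */
    SC_ERR_BOUNDS,   /* .text raw data lies outside the file */
    SC_ERR_NOMEM,    /* malloc failed */
    SC_ERR_WRITE     /* writing the output file failed */
};

/*
 * Human-readable message for a non-OK sc_status, newline included.
 * Never returns NULL, so the result can be passed straight to fputs().
 */
static const char *sc_status_message(int st)
{
    switch (st) {
    case SC_ERR_READ:    return "读取文件失败\n";
    case SC_ERR_MAGIC:   return "不是有效的coff文件\n";
    case SC_ERR_NO_TEXT: return "没有找到.text节\n";
    case SC_ERR_BOUNDS:  return ".text节数据超出文件范围\n";
    case SC_ERR_NOMEM:   return "内存不足\n";
    case SC_ERR_WRITE:   return "写入目标文件失败\n";
    default:             return "未知错误\n";
    }
}

/*
 * Locate the ".text" section of the COFF object open on `fp` and read its
 * raw data into a freshly malloc'd buffer.
 *
 * On SC_OK, *data owns the bytes (NULL when the section is empty) and *len
 * holds their count; the caller frees *data. On any other status *data is
 * NULL and *len is 0. The stream position is unspecified afterwards.
 *
 * Every offset and length comes from the file and is therefore untrusted:
 * the section's [ulSecOffset, ulSecOffset + ulSize) range is checked
 * against the real file size before anything is allocated or read, so a
 * malformed object cannot drive a huge allocation or an out-of-range read.
 */
static int read_text_section(FILE *fp, unsigned char **data, size_t *len)
{
    COFF_FILE_HEADER head;
    SECHDR sec = {0};

    *data = NULL;
    *len = 0;

    /* Total file size, used below to bound-check the section's raw data. */
    if (fseek(fp, 0, SEEK_END) != 0)
        return SC_ERR_READ;
    long fsize = ftell(fp);
    if (fsize < 0 || fseek(fp, 0, SEEK_SET) != 0)
        return SC_ERR_READ;
    unsigned long long limit = (unsigned long long)fsize;

    if (fread(&head, sizeof head, 1, fp) != 1)
        return SC_ERR_READ;
    if (head.usMagic != 0x014c)
        return SC_ERR_MAGIC;

    /* The optional header is not needed; skip however many bytes it claims. */
    if (head.usOptHdrSZ != 0 && fseek(fp, head.usOptHdrSZ, SEEK_CUR) != 0)
        return SC_ERR_READ;

    int found = 0;
    for (unsigned i = 0; i < head.usNumSec; i++) {
        if (fread(&sec, sizeof sec, 1, fp) != 1)
            return SC_ERR_READ;
        /* cName may fill all 8 bytes without a terminator: bound the compare. */
        if (strncmp(sec.cName, ".text", sizeof sec.cName) == 0) {
            found = 1;
            break;
        }
    }
    if (!found)
        return SC_ERR_NO_TEXT;

    /* Two-step compare avoids overflowing ulSecOffset + ulSize. */
    if (sec.ulSecOffset > limit || sec.ulSize > limit - sec.ulSecOffset)
        return SC_ERR_BOUNDS;
    if (sec.ulSize == 0)
        return SC_OK;

    unsigned char *buf = malloc(sec.ulSize);
    if (!buf)
        return SC_ERR_NOMEM;
    if (fseek(fp, (long)sec.ulSecOffset, SEEK_SET) != 0 ||
        fread(buf, 1, sec.ulSize, fp) != sec.ulSize) {
        free(buf);
        return SC_ERR_READ;
    }

    *data = buf;
    *len = sec.ulSize;
    return SC_OK;
}

/*
 * SCLinker <obj file> <output file>
 *
 * Copies the raw bytes of the object's .text section into the output file.
 * Returns 0 on success and -1 on any error, with a message on stderr; the
 * output file is only created once the section has been read successfully.
 */
int main(int argc, char **argv)
{
    if (argc < 3) {
        fputs("参数错误\n", stderr);
        return -1;
    }

    FILE *fp = fopen(argv[1], "rb");   /* read-only: the object is never modified */
    if (!fp) {
        fputs("文件不能打开\n", stderr);
        return -1;
    }

    unsigned char *code = NULL;
    size_t code_len = 0;
    int st = read_text_section(fp, &code, &code_len);
    fclose(fp);
    if (st != SC_OK) {
        fputs(sc_status_message(st), stderr);
        return -1;
    }

    FILE *out = fopen(argv[2], "wb");
    if (!out) {
        free(code);
        fputs("文件不能打开\n", stderr);
        return -1;
    }
    if (code_len != 0 && fwrite(code, 1, code_len, out) != code_len)
        st = SC_ERR_WRITE;
    if (fclose(out) != 0)   /* fclose flushes; a full disk surfaces here */
        st = SC_ERR_WRITE;
    free(code);

    if (st != SC_OK) {
        fputs(sc_status_message(st), stderr);
        return -1;
    }
    return 0;
}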
