Shellcode开发基础与免杀技术详解<\/h1>

1. Shellcode基础概念<\/h2>

Shellcode是一段位置无关的代码(Position Independent Code, PIC)，它不依赖外部环境，遵循以下规则：<\/p>

不能使用全局变量<\/li>
不能使用常量字符串<\/li>

不能直接调用Windows API<\/li> <\/ul>

2. Shellcode开发原理<\/h2>

2.1 传统API调用的问题<\/h3>

直接调用Windows API如MessageBox<\/code>是不可行的，因为：<\/p>


ASLR(地址空间布局随机化)导致每次API地址不同<\/li>
硬编码地址无法跨系统\/版本工作<\/li>
<\/ul>
2.2 动态获取API地址的解决方案<\/h3>
通过以下步骤动态获取API地址：<\/p>

获取Kernel32.dll基址<\/li>
解析PE导出表获取LoadLibrary<\/code>和GetProcAddress<\/code>地址<\/li>
使用这两个函数加载其他DLL并获取所需API<\/li>
<\/ol>
3. 关键技术实现<\/h2>
3.1 获取PEB(进程环境块)<\/h3>
#ifdef _WIN64
<\/span><\/span><\/span><\/span>PPEB peb =<\/span> (PPEB)__readgsqword(0x60<\/span>);
<\/span><\/span>#endif
<\/span><\/span><\/span>#ifdef _X86_
<\/span><\/span><\/span><\/span>PPEB peb =<\/span> (PPEB)__readfsdword(0x30<\/span>);
<\/span><\/span>#endif
<\/span><\/span><\/span><\/code><\/pre>3.2 遍历模块列表获取Kernel32.dll基址<\/h3>
PPEB_LDR_DATA pLdr =<\/span> peb-><\/span>LoaderData;
<\/span><\/span>PLIST_ENTRY moduleList =<\/span> &<\/span>pLdr-><\/span>InLoadOrderModuleList;
<\/span><\/span>PLIST_ENTRY current =<\/span> moduleList-><\/span>Flink;
<\/span><\/span>WCHAR target[] =<\/span> {L<\/span>'K'<\/span>,L<\/span>'e'<\/span>,L<\/span>'r'<\/span>,L<\/span>'n'<\/span>,L<\/span>'e'<\/span>,L<\/span>'l'<\/span>,L<\/span>'3'<\/span>,L<\/span>'2'<\/span>,L<\/span>'.'<\/span>,L<\/span>'d'<\/span>,L<\/span>'l'<\/span>,L<\/span>'l'<\/span>,L<\/span>'\0'<\/span>};
<\/span><\/span>PVOID dllBase =<\/span> NULL;
<\/span><\/span>
<\/span><\/span>while<\/span>(current !=<\/span> moduleList) {
<\/span><\/span>    PLDR_DATA_TABLE_ENTRY entry =<\/span> (PLDR_DATA_TABLE_ENTRY)current;
<\/span><\/span>    WCHAR*<\/span> buffer =<\/span> entry-><\/span>BaseDllName.Buffer;
<\/span><\/span>    \/\/ 自定义字符串比较逻辑(避免使用标准库函数)
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    if<\/span>(匹配成功<\/span>) {
<\/span><\/span>        dllBase =<\/span> entry-><\/span>DllBase;
<\/span><\/span>        break<\/span>;
<\/span><\/span>    }
<\/span><\/span>    current =<\/span> current-><\/span>Flink;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.3 解析PE导出表<\/h3>
PIMAGE_DOS_HEADER pDosHeader =<\/span> (PIMAGE_DOS_HEADER)dllBase;
<\/span><\/span>PIMAGE_NT_HEADERS pNtHeader =<\/span> (PIMAGE_NT_HEADERS)((DWORD_PTR)dllBase +<\/span> pDosHeader-><\/span>e_lfanew);
<\/span><\/span>PIMAGE_DATA_DIRECTORY pDataDir =<\/span> (PIMAGE_DATA_DIRECTORY)&<\/span>pNtHeader-><\/span>OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
<\/span><\/span>PIMAGE_EXPORT_DIRECTORY exportTable =<\/span> (PIMAGE_EXPORT_DIRECTORY)(pDataDir-><\/span>VirtualAddress +<\/span> (DWORD_PTR)dllBase);
<\/span><\/span>
<\/span><\/span>\/\/ 获取导出函数名数组、地址数组和序号数组
<\/span><\/span><\/span><\/span>PDWORD NameArray =<\/span> (PDWORD)((DWORD64)dllBase +<\/span> exportTable-><\/span>AddressOfNames);
<\/span><\/span>PDWORD AddressArray =<\/span> (PDWORD)((DWORD64)dllBase +<\/span> exportTable-><\/span>AddressOfFunctions);
<\/span><\/span>PWORD OrdinalArray =<\/span> (PWORD)((DWORD64)dllBase +<\/span> exportTable-><\/span>AddressOfNameOrdinals);
<\/span><\/span>
<\/span><\/span>\/\/ 遍历查找目标函数
<\/span><\/span><\/span><\/span>for<\/span>(SIZE_T i =<\/span> 0<\/span>; i <<\/span> exportTable-><\/span>NumberOfNames; i++<\/span>) {
<\/span><\/span>    LPCSTR currentName =<\/span> (LPCSTR)((DWORD64)dllBase +<\/span> NameArray[i]);
<\/span><\/span>    \/\/ 自定义字符串比较逻辑
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    if<\/span>(匹配<\/span>"LoadLibraryW"<\/span>) {
<\/span><\/span>        LoadLibraryfuncAddr =<\/span> (FARPROC)((DWORD64)dllBase +<\/span> AddressArray[OrdinalArray[i]]);
<\/span><\/span>    }
<\/span><\/span>    else<\/span> if<\/span>(匹配<\/span>"GetProcAddress"<\/span>) {
<\/span><\/span>        GetProcAddrfuncAddr =<\/span> (FARPROC)((DWORD64)dllBase +<\/span> AddressArray[OrdinalArray[i]]);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.4 自定义字符串比较函数<\/h3>
由于不能使用标准库函数，需要实现自定义比较：<\/p>
size_t j =<\/span> 0<\/span>;
<\/span><\/span>bool<\/span> match =<\/span> true;
<\/span><\/span>while<\/span>(str1[j] !=<\/span> '\0'<\/span> &&<\/span> currentName[j] !=<\/span> '\0'<\/span>) {
<\/span><\/span>    char<\/span> c1 =<\/span> str1[j];
<\/span><\/span>    char<\/span> c2 =<\/span> currentName[j];
<\/span><\/span>    \/\/ 转换为小写比较
<\/span><\/span><\/span><\/span>    if<\/span>(c1 >=<\/span> 'A'<\/span> &&<\/span> c1 <=<\/span> 'Z'<\/span>) c1 +=<\/span> 32<\/span>;
<\/span><\/span>    if<\/span>(c2 >=<\/span> 'A'<\/span> &&<\/span> c2 <=<\/span> 'Z'<\/span>) c2 +=<\/span> 32<\/span>;
<\/span><\/span>    if<\/span>(c1 !=<\/span> c2) {
<\/span><\/span>        match =<\/span> false;
<\/span><\/span>        break<\/span>;
<\/span><\/span>    }
<\/span><\/span>    j++<\/span>;
<\/span><\/span>}
<\/span><\/span>\/\/ 检查字符串长度是否相同
<\/span><\/span><\/span><\/span>if<\/span>(str1[j] !=<\/span> '\0'<\/span> ||<\/span> currentName[j] !=<\/span> '\0'<\/span>) {
<\/span><\/span>    match =<\/span> false;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. Shellcode生成与测试<\/h2>
4.1 生成Shellcode字节数组<\/h3>
const<\/span> uintptr_t start_address =<\/span> (uintptr_t)&<\/span>shellcode_start;
<\/span><\/span>const<\/span> uintptr_t end_address =<\/span> (uintptr_t)&<\/span>shellcode_end;
<\/span><\/span>const<\/span> size_t shellcode_size =<\/span> end_address -<\/span> start_address;
<\/span><\/span>
<\/span><\/span>FILE*<\/span> output_file =<\/span> fopen("shellcode.h"<\/span>, "w"<\/span>);
<\/span><\/span>fprintf(output_file, "unsigned char shellcode[] = {<\/span>\n<\/span>"<\/span>);
<\/span><\/span>for<\/span>(size_t i =<\/span> 0<\/span>; i <<\/span> shellcode_size; ++<\/span>i) {
<\/span><\/span>    unsigned<\/span> char<\/span> sig_code =<\/span> ((unsigned<\/span> char<\/span>*<\/span>)start_address)[i];
<\/span><\/span>    fprintf(output_file, "0x%02X%s"<\/span>, sig_code, (i+<\/span>1<\/span> <<\/span> shellcode_size) ?<\/span> ","<\/span> :<\/span> ""<\/span>);
<\/span><\/span>    if<\/span>((i+<\/span>1<\/span>) %<\/span> 16<\/span> ==<\/span> 0<\/span> ||<\/span> i+<\/span>1<\/span> ==<\/span> shellcode_size) {
<\/span><\/span>        fprintf(output_file, "<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>fprintf(output_file, "};<\/span>\n<\/span>"<\/span>);
<\/span><\/span>fclose(output_file);
<\/span><\/span><\/code><\/pre>4.2 测试Shellcode<\/h3>
LPVOID lpMem =<\/span> VirtualAlloc(NULL, sizeof<\/span>(shellcode), MEM_COMMIT |<\/span> MEM_RESERVE, PAGE_EXECUTE_READWRITE);
<\/span><\/span>memcpy(lpMem, shellcode, sizeof<\/span>(shellcode));
<\/span><\/span>((void<\/span>(*<\/span>)(void<\/span>))lpMem)();
<\/span><\/span><\/code><\/pre>5. 开发注意事项<\/h2>

禁用编译器优化<\/strong>：确保生成的代码不会被优化器修改<\/li>
关闭安全检查<\/strong>：如堆栈检查等额外功能<\/li>
避免使用标准库函数<\/strong>：所有字符串操作等都需要自定义实现<\/li>
位置无关代码<\/strong>：确保代码不依赖固定地址<\/li>
大小写不敏感比较<\/strong>：Windows API名称比较通常不区分大小写<\/li>
<\/ol>
6. 扩展应用<\/h2>
掌握了基础Shellcode开发技术后，可以进一步实现：<\/p>

进程注入<\/li>
反射式DLL加载<\/li>
规避杀毒软件的检测<\/li>
加密与混淆技术<\/li>
多阶段加载技术<\/li>
<\/ul>
7. 参考资源<\/h2>

Windows Shellcode开发技术详解<\/a><\/li>
Shellcode开发实战<\/a><\/li>
<\/ol>
通过本文介绍的技术，读者可以开发出基本的免杀Shellcode，为进一步的二进制安全研究打下基础。<\/p>

Shellcode开发基础与免杀技术详解<\/h1>

2. Shellcode开发原理<\/h2>

3. 关键技术实现<\/h2>

4. Shellcode生成与测试<\/h2>

7. 参考资源<\/h2> Windows Shellcode开发技术详解<\/a><\/li> Shellcode开发实战<\/a><\/li> <\/ol> 通过本文介绍的技术，读者可以开发出基本的免杀Shellcode，为进一步的二进制安全研究打下基础。<\/p>

7. 参考资源<\/h2>

Windows Shellcode开发技术详解<\/a><\/li>
Shellcode开发实战<\/a><\/li> <\/ol>
通过本文介绍的技术，读者可以开发出基本的免杀Shellcode，为进一步的二进制安全研究打下基础。<\/p>