Windows Shellcode开发完全指南<\/h1>

一、Shellcode基础概念<\/h2>

1.1 什么是Shellcode<\/h3>

一段精心编写的机器代码，具有位置无关、紧凑高效、直接在CPU上执行等特性<\/li>
无需编译即可运行<\/li>

在攻防对抗中常用于网络操作、权限提升、文件操作等<\/li> <\/ul>

1.2 开发Shellcode的必要性<\/h3>

避免使用公开工具生成的固定特征Shellcode<\/li>
扩展自定义功能<\/li>
规避AV\/EDR查杀<\/li>

安全开发人员必备技能<\/li> <\/ol>

二、汇编基础<\/h2>

2.1 寄存器<\/h3>

x86架构<\/h4>

寄存器<\/th> 名称<\/th> 用途<\/th> <\/tr> <\/thead>

EAX<\/td> 累加器<\/td> 算术运算和函数返回值<\/td> <\/tr>

EBX<\/td> 基址寄存器<\/td> 内存寻址<\/td> <\/tr>

ECX<\/td> 计数器<\/td> 循环计数<\/td> <\/tr>

EDX<\/td> 数据寄存器<\/td> I\/O操作<\/td> <\/tr>

ESI<\/td> 源索引<\/td> 字符串\/数组操作源指针<\/td> <\/tr>

EDI<\/td> 目的索引<\/td> 字符串\/数组操作目的指针<\/td> <\/tr>

EBP<\/td> 基址指针<\/td> 栈帧指针<\/td> <\/tr>

ESP<\/td>

栈指针<\/td>

栈顶指针<\/td> <\/tr> <\/tbody> <\/table>

x64架构<\/h4>

扩展了x86的8个通用寄存器(R开头的寄存器)<\/li>

新增r8-r15寄存器<\/li> <\/ul>

2.2 常用指令<\/h3>

指令<\/th>	功能<\/th> <\/tr> <\/thead>
mov<\/td>	数据传输<\/td> <\/tr>
xor<\/td>	寄存器清零或数据解密<\/td> <\/tr>
push\/pop<\/td>	栈操作<\/td> <\/tr>
jmp<\/td>	无条件跳转<\/td> <\/tr>
call<\/td>	函数调用<\/td> <\/tr>
lea<\/td>	计算内存地址<\/td> <\/tr>
cmp<\/td>	比较指令<\/td> <\/tr> <\/tbody> <\/table> 2.3 调用约定<\/h3> __stdcall (WINAPI)<\/h4> 参数顺序: 右→左<\/li> 堆栈清理: 被调用者<\/li> 典型应用: Windows API<\/li> <\/ul> __cdecl<\/h4> 参数顺序: 右→左<\/li> 堆栈清理: 调用者<\/li> 支持变参<\/li> <\/ul> __fastcall<\/h4> 部分参数通过寄存器传递<\/li> <\/ul> 三、开发环境配置<\/h2> 3.1 Visual Studio配置<\/h3> 关闭安全检查: 避免使用security cookie全局变量<\/li> 关闭优化: 最小优化可使Shellcode体积减小<\/li> 启用MASM: 项目→生成依赖性→生成自定义→勾选masm<\/li> <\/ol> 3.2 注意事项<\/h3> 32位项目需使用低版本工具集(如VS2017)<\/li> 64位项目需使用汇编文件(MSVC不支持内联汇编)<\/li> <\/ul> 四、Shellcode开发关键点<\/h2> 4.1 必须避免的操作<\/h3> 不使用.rdata节中的全局变量\/常量<\/li> 不使用导入表<\/li> 不使用C++异常<\/li> 不使用导入延迟表<\/li> <\/ol> 4.2 动态获取API的方法<\/h3> 获取PEB地址: 通过FS\/GS寄存器<\/p> mov<\/span> edx<\/span>, fs<\/span>:[30<\/span>h<\/span>] ; 32位获取PEB <\/span><\/span><\/span><\/code><\/pre><\/li> 遍历模块列表:<\/p> 通过PEB→Ldr→InMemoryOrderModuleList<\/li> 比较BaseDllName与目标DLL名称<\/li> <\/ul> <\/li> 解析导出表:<\/p> 从DLL基地址获取PE头<\/li> 定位导出表(DataDirectory[0])<\/li> 遍历导出函数名称<\/li> <\/ul> <\/li> <\/ol> 4.3 位置无关代码技巧<\/h3> 字符串存储在栈中:<\/p> CHAR str[] =<\/span> {'H'<\/span>,'e'<\/span>,'l'<\/span>,'l'<\/span>,'o'<\/span>,'\0'<\/span>}; \/\/ 栈存储 <\/span><\/span><\/span><\/code><\/pre><\/li> 避免绝对地址引用<\/p> <\/li> <\/ol> 五、Shellcode开发实例<\/h2> 5.1 弹窗Shellcode (MessageBox)<\/h3> 纯汇编实现<\/h4> ; 计算API哈希值 <\/span><\/span><\/span><\/span>compute_hash: <\/span><\/span> xor<\/span> edi<\/span>, edi<\/span> <\/span><\/span> xor<\/span> eax<\/span>, eax<\/span> <\/span><\/span> lodsb<\/span> <\/span><\/span> test<\/span> al<\/span>, al<\/span> <\/span><\/span> jz<\/span> compute_hash_finished<\/span> <\/span><\/span> ror<\/span> edi<\/span>, 0<\/span>Dh<\/span> <\/span><\/span> add<\/span> edi<\/span>, eax<\/span> <\/span><\/span> jmp<\/span> compute_hash<\/span> <\/span><\/span>compute_hash_finished: <\/span><\/span> ret<\/span> <\/span><\/span> <\/span><\/span>; 动态获取API地址 <\/span><\/span><\/span><\/span>GetProcAddressByHash: <\/span><\/span> pushad<\/span> <\/span><\/span> push<\/span> eax<\/span> ; 保存目标hash <\/span><\/span><\/span><\/span> mov<\/span> edx<\/span>, fs<\/span>:[30<\/span>h<\/span>] ; 获取PEB <\/span><\/span><\/span><\/span> ; ... 完整代码见原文 ... <\/span><\/span><\/span><\/span> ret<\/span> <\/span><\/span><\/code><\/pre>关键步骤<\/h4> 计算kernel32.dll和MessageBoxA的哈希值<\/li> 动态获取LoadLibrary和GetProcAddress<\/li> 加载user32.dll并获取MessageBoxA地址<\/li> 调用MessageBoxA<\/li> <\/ol> 5.2 远程下载Shellcode<\/h3> 实现流程<\/h4> VirtualAlloc创建缓存<\/li> InternetOpenA初始化会话<\/li> InternetConnectA连接服务器<\/li> HttpOpenRequestA创建请求<\/li> HttpSendRequestA发送请求<\/li> InternetReadFile读取数据<\/li> InternetCloseHandle关闭句柄<\/li> <\/ol> 所需API<\/h4> WinINet API: InternetOpenA, InternetConnectA等<\/li> 内存管理: VirtualAlloc<\/li> <\/ul> 六、Shellcode提取与测试<\/h2> 6.1 提取.text节<\/h3> 使用010 Editor打开PE文件<\/li> 选择.text节区<\/li> 导出为二进制文件(.bin)<\/li> <\/ol> 6.2 测试方法<\/h3> 使用pe_to_shellcode工具<\/li> 转换为C数组格式<\/li> 通过线程注入执行<\/li> <\/ol> 七、高级主题<\/h2> 7.1 反射式DLL注入<\/h3> 实现自加载的DLL<\/li> 不依赖Windows加载器<\/li> <\/ul> 7.2 引导程序(Bootstrap)<\/h3> 定位ReflectiveLoader函数<\/li> 实现DLL的自加载<\/li> <\/ul> 八、总结与建议<\/h2> 纯汇编Shellcode体积最小但开发难度高<\/li> C\/C++开发需注意避免全局变量和导入表<\/li> 熟练掌握PEB遍历和导出表解析是关键<\/li> 反射式DLL注入是高级Shellcode的常见技术<\/li> 建议从简单功能开始逐步扩展<\/li> <\/ol> 附录：参考资源<\/h2> Stephen Fewer的Shellcode开发框架<\/li> Metasploit的block_api.asm和block_reverse_http.asm<\/li> PE文件结构文档<\/li> Windows API文档<\/li> <\/ol>

Windows Shellcode开发完全指南<\/h1>

一、Shellcode基础概念<\/h2>

二、汇编基础<\/h2>

2.1 寄存器<\/h3>

2.3 调用约定<\/h3>

三、开发环境配置<\/h2>

四、Shellcode开发关键点<\/h2>

五、Shellcode开发实例<\/h2>

5.1 弹窗Shellcode (MessageBox)<\/h3>

5.2 远程下载Shellcode<\/h3>

六、Shellcode提取与测试<\/h2>

七、高级主题<\/h2>

附录：参考资源<\/h2> Stephen Fewer的Shellcode开发框架<\/li> Metasploit的block_api.asm和block_reverse_http.asm<\/li> PE文件结构文档<\/li> Windows API文档<\/li> <\/ol>

附录：参考资源<\/h2>

Stephen Fewer的Shellcode开发框架<\/li>
Metasploit的block_api.asm和block_reverse_http.asm<\/li>
PE文件结构文档<\/li>
Windows API文档<\/li> <\/ol>