Combined with its memory read/write functions, the LyScript plugin can export the shellcode located at a specific address, or insert shellcode stored in a text file into the program's heap. This makes it possible to quickly inject hand-written shellcode into the target process for subsequent testing.
Plugin address: https://github.com/lyshark/LyScript
Injecting local shellcode into the heap: the first usage is importing shellcode from a local text file into the heap.
First prepare a text file and put the generated shellcode into it.
Then read the file line by line and write the shellcode bytes one at a time into the target heap space.
```python
from LyScript32 import MyDebug


def read_shellcode(path):
    # Parse a text file of C-style "\x.." shellcode into a list of "0x.." strings
    shellcode_list = []
    with open(path, "r", encoding="utf-8") as fp:
        for line in fp.readlines():
            # Strip the quotes, spaces, newline and trailing ';' of a C string literal
            shellcode_line = line.replace('"', "").replace(" ", "").replace("\n", "").replace(";", "")
            for code in shellcode_line.split("\\x"):
                if code != "" and code != "\\n":
                    shellcode_list.append("0x" + code)
    return shellcode_list


if __name__ == "__main__":
    dbg = MyDebug()
    dbg.connect()

    # Allocate 1024 bytes in the debuggee's heap
    address = dbg.create_alloc(1024)
    print("Allocated heap space: {}".format(hex(address)))
    if not address:
        exit()

    # Set the page protection of the allocated region
    dbg.set_local_protect(address, 32, 1024)

    # Write the shellcode byte by byte into the heap buffer
    shellcode = read_shellcode("d://shellcode.txt")
    for code_byte in range(0, len(shellcode)):
        bytef = int(shellcode[code_byte], 16)
        dbg.write_memory_byte(code_byte + address, bytef)

    # Point EIP at the injected code, then wait before freeing the buffer
    dbg.set_register("eip", address)
    input()

    dbg.delete_alloc(address)
    dbg.close()
```
After execution, the heap space is filled automatically.
Reversing this process saves the assembled code at a specific address to a local file.
```python
from LyScript32 import MyDebug


def write_shellcode(dbg, address, size, path):
    # Dump `size` bytes starting at `address` to `path` as "\x.." text, 16 bytes per line
    with open(path, "a+", encoding="utf-8") as fp:
        for index in range(0, size):
            read_code = dbg.read_memory_byte(address + index)
            # Format each byte as two hex digits; str(read_code) would emit decimal
            # values such as "\x144", which no shellcode parser accepts
            code = "\\x{:02x}".format(read_code)
            if (index + 1) % 16 == 0:
                print(code)
                fp.write(code + "\n")
            else:
                print(code, end="")
                fp.write(code)


if __name__ == "__main__":
    dbg = MyDebug()
    dbg.connect()

    # Dump 128 bytes starting at the current EIP
    eip = dbg.get_register("eip")
    write_shellcode(dbg, eip, 128, "d://lyshark.txt")

    dbg.close()
```
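Both scripts above depend on the same text layout, so a strict parser and serialiser for it can be tested without x64dbg. The following is an added example (not part of the page or of LyScript): it reads the quoted "\x.." lines the import script expects, rejects malformed escapes such as the decimal values a naive str() dump produces, and writes bytes back out 16 per line so a dump and a re-import round-trip exactly. The sample text is constructed and contains only filler bytes.

```python
import re

# Constructed sample in the layout read_shellcode() expects: quoted C-string
# lines of "\x.." escapes, the last line ending in ';'. The byte values are
# harmless fillers (NOP, INT3, RET), not a real payload.
SAMPLE_TEXT = (
    '"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90"\n'
    '"\\xcc\\xc3";\n'
)

HEX_BYTE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_shellcode_text(text):
    # Turn backslash-x shellcode text into bytes; anything left over after
    # removing quotes, whitespace, ';' and well-formed 2-digit escapes is
    # corrupt input (e.g. "\x144" written by str(144) leaves a stray "4").
    stripped = re.sub(r'["\s;]', "", text)
    leftover = HEX_BYTE.sub("", stripped)
    if leftover:
        raise ValueError("malformed shellcode text, unexpected %r" % leftover)
    return bytes(int(h, 16) for h in HEX_BYTE.findall(stripped))


def format_shellcode_text(data, per_line=16):
    # Serialise bytes back to the same layout: 16 escapes per quoted line
    lines = []
    for i in range(0, len(data), per_line):
        chunk = data[i:i + per_line]
        lines.append('"' + "".join("\\x%02x" % b for b in chunk) + '"')
    return "\n".join(lines) + ";\n"


def is_valid_shellcode_text(text):
    # Pre-injection check: True only if every byte parses cleanly
    try:
        parse_shellcode_text(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    data = parse_shellcode_text(SAMPLE_TEXT)
    print(len(data), "bytes parsed; round-trip identical:",
          format_shellcode_text(data) == SAMPLE_TEXT)
```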
The written file looks like this: