

Detailed analysis of ARM shellcode writing, part 2

Published: 2024/7/23

The previous article covered the basics of ARM shellcode; this one deals with the ARM and Thumb states.

In the previous article everything defaulted to ARM32 mode:

.text:00008074 ; Segment type: Pure code
.text:00008074                 AREA .text, CODE
.text:00008074                 ; ORG 0x8074
.text:00008074                 CODE32
.text:00008074
.text:00008074                 EXPORT _start
.text:00008074 _start
.text:00008074                 MOV     R2, #0x10
.text:00008078                 ADR     R1, ascii       ; "hello shell\n"
.text:0000807C                 MOV     R0, #1
.text:00008080                 MOV     R7, #4
.text:00008084                 SVC     0
.text:00008088                 SUB     R0, R0, R0
.text:0000808C                 MOV     R7, #1
.text:00008090                 SVC     0
.text:00008090 ; ---------------------------------------------------------------------------
.text:00008094 ascii           DCB "hello shell",0xA,0 ; DATA XREF: .text:00008078o
.text:000080A1                 DCB    0,    0,    0
.text:000080A1 ; .text ends

To switch to Thumb state, first load the Thumb-state address (the target address with bit 0 set) into r6, then switch with the bx r6 instruction:

.section .text
.global _start
_start:
.code 32
#thumb-Mode on
add r6, pc, #1          @ pc reads as _start+8 in ARM state, so r6 = address of the .code 16 block, bit 0 set
bx r6                   @ bit 0 set in r6 -> the core switches to Thumb state
.code 16
mov r2, #16             @ length
adr r1, ascii           @ buffer
mov r0, $0x1            @ fd = stdout
mov r7, $0x4            @ sys_write
svc 0
// _exit
sub r0, r0, r0          @ status 0 without using an immediate
mov r7, #1              @ sys_exit
svc 0
ascii:
.string "hello shell\n"
.balign 4

The result is as follows:

.text:00008074                 AREA .text, CODE
.text:00008074                 ; ORG 0x8074
.text:00008074                 CODE32
.text:00008074
.text:00008074                 EXPORT _start
.text:00008074 _start
.text:00008074                 ADR     R6, (loc_807C+1)
.text:00008078                 BX      R6              ; loc_807C
.text:0000807C ; ---------------------------------------------------------------------------
.text:0000807C                 CODE16
.text:0000807C
.text:0000807C loc_807C                                ; CODE XREF: .text:00008078j
.text:0000807C                                         ; DATA XREF: .text:_starto
.text:0000807C                 MOVS    R2, #0x10
.text:0000807E                 ADR     R1, ascii       ; "hello shell\n"
.text:00008080                 MOVS    R0, #1
.text:00008082                 MOVS    R7, #4
.text:00008084                 SVC     0
.text:00008086                 SUBS    R0, R0, R0
.text:00008088                 MOVS    R7, #1
.text:0000808A                 SVC     0
.text:0000808A ; ---------------------------------------------------------------------------
.text:0000808C ascii           DCB "hello shell",0xA,0 ; DATA XREF: .text:0000807Eo
.text:00008099                 DCB    0, 0xC0, 0x46
.text:00008099 ; .text ends

If the main function runs in Thumb state while a subroutine is 32-bit ARM code, the blx instruction is needed to perform the state switch. It can be done like this:

.section .text
.global _start
_start:
.code 32
#thumb-Mode on
add r6, pc, #1          @ r6 = address of the .code 16 block with bit 0 set
bx r6                   @ switch to Thumb state
.code 16
//blx _write
blx j_write             @ Thumb -> ARM call; LR receives the return address with bit 0 set
mov r2, #16
adr r1, ascii2
mov r0, $0x1
mov r7, $0x4            @ write(1, ascii2, 16)
svc 0
// _exit
sub r0, r0, r0
mov r7, #1
svc 0
j_write:
.code 32
b _write                @ ARM-state trampoline into the subroutine
_write:
STMFD SP!, {R0-R7,LR}   @ save caller registers and the return address
mov r2, #16
adr r1, ascii
mov r0, $0x1
mov r7, $0x4            @ write(1, ascii, 16)
svc 1
LDMFD SP!, {R0-R7,PC}   @ loading the LR saved by BLX (bit 0 set) returns to Thumb state on ARMv5T and later
ascii:
.string "hello shell\n"
.balign 4
ascii2:
.string "shell storm\n"
.balign 4

The result is as follows:

.text:00008074                 AREA .text, CODE
.text:00008074                 ; ORG 0x8074
.text:00008074                 CODE32
.text:00008074
.text:00008074 ; =============== S U B R O U T I N E =======================================
.text:00008074
.text:00008074
.text:00008074                 EXPORT _start
.text:00008074 _start
.text:00008074 01 60 8F E2     ADR     R6, (loc_807C+1)
.text:00008078 16 FF 2F E1     BX      R6              ; loc_807C
.text:0000807C ; ---------------------------------------------------------------------------
.text:0000807C                 CODE16
.text:0000807C
.text:0000807C loc_807C                                ; CODE XREF: _start+4j
.text:0000807C                                         ; DATA XREF: _starto
.text:0000807C 00 F0 08 E8     BLX     j_write
.text:00008080 10 22           MOVS    R2, #0x10
.text:00008082 0F A1           ADR     R1, ascii2      ; "shell storm\n"
.text:00008084 01 20           MOVS    R0, #1
.text:00008086 04 27           MOVS    R7, #4
.text:00008088 00 DF           SVC     0
.text:0000808A 00 1A           SUBS    R0, R0, R0
.text:0000808C 01 27           MOVS    R7, #1
.text:0000808E 00 DF           SVC     0
.text:0000808E ; End of function _start
.text:0000808E
.text:00008090                 CODE32
.text:00008090
.text:00008090 ; =============== S U B R O U T I N E =======================================
.text:00008090
.text:00008090
.text:00008090 j_write                                 ; CODE XREF: _start:loc_807Cp
.text:00008090 FF FF FF EA     B       _write
.text:00008094 ; ---------------------------------------------------------------------------
.text:00008094
.text:00008094 _write                                  ; CODE XREF: j_writej
.text:00008094 FF 40 2D E9     STMFD   SP!, {R0-R7,LR}
.text:00008098 10 20 A0 E3     MOV     R2, #0x10
.text:0000809C 0C 10 8F E2     ADR     R1, ascii       ; "hello shell\n"
.text:000080A0 01 00 A0 E3     MOV     R0, #1
.text:000080A4 04 70 A0 E3     MOV     R7, #4
.text:000080A8 01 00 00 EF     SVC     1
.text:000080AC FF 80 BD E8     LDMFD   SP!, {R0-R7,PC}
.text:000080AC ; End of function j_write
.text:000080AC
.text:000080AC ; ---------------------------------------------------------------------------
.text:000080B0 68 65 6C 6C 6F 20 73 68+ascii DCB "hello shell",0xA,0 ; DATA XREF: j_write+Co
.text:000080BD 00 00 00        DCB    0,    0,    0
.text:000080C0 73 68 65 6C 6C 20 73 74+ascii2 DCB "shell storm",0xA,0 ; DATA XREF: _start+Eo
.text:000080CD 00 00 00        DCB    0,    0,    0
.text:000080CD ; .text ends
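As an added example (not code from the original post), the Python script below recomputes every branch and ADR target in the listing above from the machine-code bytes IDA printed, for both the add/bx switch and the blx call covered in this article. It relies on the architectural rules the listings depend on: an ARM-state instruction reads PC as its own address + 8, a Thumb-state instruction reads PC as its address + 4 (aligned down to 4 for ADR and BLX), and BX/BLX enter Thumb state when bit 0 of the target is set. The bytes and addresses are copied from the listing; the decoders are written here for the ADD-immediate, BX, B, Thumb ADR and Thumb BLX encodings only and are not a general disassembler.

```python
"""Recompute the ARM/Thumb interworking targets from the bytes in the IDA listing.

Added example: the addresses and byte strings are taken from the listing above;
the decoders implement the relevant encodings from the ARM architecture manual.
"""

MASK32 = 0xFFFFFFFF


def le_word(hexbytes):
    """Little-endian 32-bit word from the byte text IDA prints, e.g. '01 60 8F E2'."""
    return int.from_bytes(bytes.fromhex(hexbytes), "little")


def le_half(hexbytes):
    """Little-endian 16-bit halfword, e.g. '00 F0'."""
    return int.from_bytes(bytes.fromhex(hexbytes), "little")


def is_thumb_target(addr):
    """BX/BLX switch to Thumb state when bit 0 of the target address is set."""
    return bool(addr & 1)


def arm_pc(addr):
    """In ARM state the PC an instruction reads is its own address + 8."""
    return addr + 8


def thumb_pc(addr):
    """In Thumb state the PC an instruction reads is its own address + 4."""
    return addr + 4


def decode_arm_add_pc(word, addr):
    """ARM 'ADD Rd, PC, #imm' (what the assembler emits for ADR): returns (rd, target)."""
    assert ((word >> 21) & 0x7F) == 0x14, "not ADD (immediate)"   # bits 27..21 = 001 0100
    assert ((word >> 16) & 0xF) == 15, "base register is not PC"
    rd = (word >> 12) & 0xF
    rot = 2 * ((word >> 8) & 0xF)                                   # rotate-right amount
    imm8 = word & 0xFF
    imm32 = ((imm8 >> rot) | (imm8 << (32 - rot))) & MASK32 if rot else imm8
    return rd, (arm_pc(addr) + imm32) & MASK32


def decode_arm_bx(word):
    """ARM 'BX Rm': returns the register that holds the target address."""
    assert (word & 0x0FFFFFF0) == 0x012FFF10, "not BX"
    return word & 0xF


def decode_arm_b(word, addr):
    """ARM 'B label': target = PC + SignExtend(imm24) << 2."""
    assert (word & 0x0F000000) == 0x0A000000, "not B"
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:
        imm24 -= 1 << 24
    return (arm_pc(addr) + (imm24 << 2)) & MASK32


def decode_thumb_adr(hw, addr):
    """Thumb 'ADR Rd, label' (T1): target = Align(PC, 4) + imm8 * 4; returns (rd, target)."""
    assert (hw >> 11) == 0x14, "not ADR (T1)"
    return (hw >> 8) & 7, ((thumb_pc(addr) & ~3) + (hw & 0xFF) * 4) & MASK32


def decode_thumb_blx(hw1, hw2, addr):
    """32-bit Thumb 'BLX label' (T2): the target is always a 4-aligned ARM-state address."""
    assert (hw1 >> 11) == 0x1E, "first halfword is not a BL/BLX prefix"
    assert (hw2 >> 14) == 3 and not ((hw2 >> 12) & 1), "second halfword is not BLX"
    s = (hw1 >> 10) & 1
    imm10h = hw1 & 0x3FF
    j1, j2 = (hw2 >> 13) & 1, (hw2 >> 11) & 1
    imm10l = (hw2 >> 1) & 0x3FF
    i1, i2 = 1 - (j1 ^ s), 1 - (j2 ^ s)                             # I1 = NOT(J1 EOR S), I2 = NOT(J2 EOR S)
    imm = (s << 24) | (i1 << 23) | (i2 << 22) | (imm10h << 12) | (imm10l << 2)
    if s:
        imm -= 1 << 25                                              # sign-extend the 25-bit offset
    return ((thumb_pc(addr) & ~3) + imm) & MASK32


def verify_listing():
    """Recompute every control-flow target in the third listing and return them by label."""
    out = {}
    # _start (ARM state): ADR R6, (loc_807C+1) ; BX R6
    rd, r6 = decode_arm_add_pc(le_word("01 60 8F E2"), 0x8074)
    assert rd == 6 and decode_arm_bx(le_word("16 FF 2F E1")) == 6
    out["bx_target"] = r6                          # 0x807D: loc_807C with the Thumb bit set
    out["bx_switches_to_thumb"] = is_thumb_target(r6)
    # loc_807C (Thumb state): BLX j_write ; ADR R1, ascii2
    out["blx_target"] = decode_thumb_blx(le_half("00 F0"), le_half("08 E8"), 0x807C)  # 0x8090
    out["blx_switches_to_thumb"] = is_thumb_target(out["blx_target"])
    out["ascii2"] = decode_thumb_adr(le_half("0F A1"), 0x8082)[1]                     # 0x80C0
    # j_write / _write (ARM state): B _write ; ADR R1, ascii
    out["b_target"] = decode_arm_b(le_word("FF FF FF EA"), 0x8090)                     # 0x8094
    out["ascii"] = decode_arm_add_pc(le_word("0C 10 8F E2"), 0x809C)[1]                # 0x80B0
    return out


if __name__ == "__main__":
    for label, value in verify_listing().items():
        print(f"{label:24} {value:#x}" if not isinstance(value, bool) else f"{label:24} {value}")
```

Running it shows why the assembler turns add r6, pc, #1 into ADR R6, (loc_807C+1): 0x8074 + 8 + 1 = 0x807D, and that odd address is what makes bx r6 enter Thumb state. The Thumb BLX j_write resolves to the 4-aligned ARM address 0x8090, so it switches back to ARM state, while the two ADR instructions land exactly on the ascii and ascii2 strings shown in the listing.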

