Shellcode searching for Bytes String: 0C330408Bh
09-06-2021
Question
I am learning how a piece of malware (Blackhole Exploit) works, and I extracted the shellcode from the malicious code. I figured out everything except a search for a byte string. Can anyone help me with this? Why does this shellcode (and most malicious shellcode) search for this particular string? The searching code goes like this:
    mov eax, 0C330408Bh
search_loop:
    inc esi
    cmp dword ptr [esi], eax
    jne search_loop        ; back to top
Answer
If you take the magic bytes, convert them to little-endian format and disassemble, you get the following:
    8B 40 30    mov eax, [eax+30h]
    C3          retn
So, the shellcode is searching for this sequence of instructions. I'm not 100% sure but I think it's used to find kernel32 image in memory (since this sequence usually occurs there).
Other hints
As an addition to Igor's answer, I recommend reading this article: http://skypher.com/index.php/2010/11/17/bypassing-eaf/. The code looks for specific instructions within system DLLs to use them for reading or writing data from/to arbitrary locations in memory. So, to use this code, just put (address-0x30) in eax and call the sequence above.