通⽤shellcode代码#include <stdio.h>
#include <windows.h>
int main()
{
__asm
{
CLD //清空标志位DF
push 0x1E380A6A //压⼊MessageBoxA-->user32.dll
push 0x4FD18963 //压⼊ExitProcess-->kernel32.dll
push 0x0C917432 //压⼊LoadLibraryA-->kernel32.dll
mov esi,esp //esi=esp,指向堆栈中存放LoadLibraryA的地址
lea edi,[esi-0xc] //edi = 栈顶位置-0xC,例如0x0012FF28 - 0xC==0x0012FF1C
//======开辟⼀些栈空间
xor ebx,ebx
mov bh,0x04shell代码
sub esp,ebx
//======压⼊"user32.dll"
mov bx,0x3233
push ebx //0x00003233
push 0x72657375 //user
push esp
xor edx,edx //edx=0
/
/======kernel32.dll的基地址
mov ebx,fs:[edx+0x30] //[TEB+0x30]-->PEB
mov ecx,[ebx+0xC] //[PEB+0xC]--->PEB_LDR_DATA
mov ecx,[ecx+0x1C] //[PEB_LDR_DATA+0x1C]--->InInitializationOrderModuleList
mov ecx,[ecx] //进⼊链表第⼀个就是ntdll.dll
mov ebp,[ecx+0x8] //ebp= kernel32.dll的基地址
find_lib_functions:
lodsd //eax=[ds*10H+esi],读出来是LoadLibraryA的Hash
cmp eax,0x1E380A6A //与MessageBoxA的Hash进⾏⽐较不等,必跳
jne find_functions
xchg eax,ebp
call [edi-0x8]
xchg eax,ebp
find_functions:
pushad //保护寄存器
mov eax,[ebp+0x3C] //PE头
mov ecx,[ebp+eax+0x78] //导出表的指针
add ecx,ebp //ecx=0x78C00000+0x262c
mov ebx,[ecx+0x20] //导出函数的名字列表
add ebx,ebp //ebx=0x78C00000+0x353C
xor edi,edi //这⾥了
next_function_loop:
inc edi
mov esi,[ebx+edi*4] //从列表数组中读取
add esi,ebp //esi = 函数名称所在地址
cdq
hash_loop:
movsx eax,byte ptr[esi]
cmp al,ah
jz compare_hash
ror edx,7
add edx,eax
inc esi
jmp hash_loop
compare_hash:
cmp edx,[esp+0x1C]
jnz next_function_loop
mov ebx,[ecx+0x24] //
add ebx,ebp //= 0x78C00000+0x4424 mov di,[ebx+2*edi]
mov ebx,[ecx+0x1C]
add ebx,ebp
add ebp,[ebx+4*edi]
xchg eax,ebp
pop edi
stosd
push edi
popad
cmp eax,0x1e380a6a
jne find_lib_functions
function_call:
xor ebx,ebx
push ebx //cut string
push 0x74736577
push 0x6c696166 //push failwest mov eax,esp
push ebx
push eax
push eax
push ebx
call [edi-0x04] //call MessageBoxA push ebx
call [edi-0x08] //call ExitProcess
nop
nop
nop
nop
}
return 0;
}
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。
发表评论