#include <stdio.h>
#include <windows.h>
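/*
 * Teaching listing (MSVC 32-bit x86 inline assembly): position-independent
 * code that finds kernel32.dll through the PEB loader list, resolves
 * LoadLibraryA and ExitProcess by hashing export names, loads user32.dll to
 * resolve MessageBoxA the same way, shows a message box and exits.
 *
 * This is the classic "hash-based API resolution" pattern; the fs:[0x30] PEB
 * walk and the hand-rolled export-table parse are the features that memory
 * scanners and EDR heuristics key on when flagging code like this.
 *
 * Register roles inside the block:
 *   esi -> next hash constant to resolve (walks the three pushed values)
 *   edi -> next slot that receives a resolved address (esi-0xC, -0x8, -0x4)
 *   ebp  = base of the module currently being searched
 *   ecx  = IMAGE_EXPORT_DIRECTORY of that module (inside find_functions)
 *   ebx  = scratch / current export-table array
 *   edx  = running name hash
 *
 * All PEB/PE offsets are the 32-bit layouts, so the block is x86-only.  The
 * final `return 0` is unreachable because the block ends in ExitProcess.
 *
 * The listing as originally rendered had the whitespace between mnemonics
 * and operands stripped (e.g. "xorebx,ebx"); it is restored here, with the
 * instructions otherwise unchanged.
 */
int main()
{
__asm
{
        CLD                             // DF = 0 so lodsd/stosd walk upward

        // Three precomputed name hashes; the last one pushed is resolved first.
        push    0x1E380A6A              // hash("MessageBoxA")  -> user32.dll
        push    0x4FD18963              // hash("ExitProcess")  -> kernel32.dll
        push    0x0C917432              // hash("LoadLibraryA") -> kernel32.dll
        mov     esi,esp                 // esi -> LoadLibraryA hash slot
        lea     edi,[esi-0xc]           // edi -> first address slot (e.g. 0x0012FF28 - 0xC == 0x0012FF1C)

        //====== reserve stack so later pushes/calls cannot overwrite the slots above
        xor     ebx,ebx
        mov     bh,0x04                 // ebx = 0x400
        sub     esp,ebx

        //====== build "user32\0\0" on the stack and leave a pointer to it as the
        //       argument for the later LoadLibraryA call
        mov     bx,0x3233               // "32" (bh already 0 after the xor... note: overwrites bh)
        push    ebx                     // 0x00003233 -> "32\0\0"
        push    0x72657375              // "user"
        push    esp                     // LoadLibraryA argument: pointer to the string
        xor     edx,edx                 // edx = 0

        //====== locate kernel32.dll base via the loader's module list
        mov     ebx,fs:[edx+0x30]       // [TEB+0x30] -> PEB
        mov     ecx,[ebx+0xC]           // [PEB+0xC]  -> PEB_LDR_DATA
        mov     ecx,[ecx+0x1C]          // [PEB_LDR_DATA+0x1C] -> InInitializationOrderModuleList (first entry: ntdll.dll)
        mov     ecx,[ecx]               // skip the first entry (ntdll.dll)
        mov     ebp,[ecx+0x8]           // ebp = DllBase of the second entry, assumed to be kernel32.dll
                                        // NOTE(review): that ordering holds for the Windows versions
                                        // this listing targets; it is not guaranteed on later
                                        // versions -- verify before relying on it.

find_lib_functions:
        lodsd                           // eax = next hash to resolve (esi += 4)
        cmp     eax,0x1E380A6A          // is it MessageBoxA's hash?
        jne     find_functions          // no: search the module already in ebp (kernel32)
        // MessageBoxA lives in user32.dll, which is not loaded yet: call the
        // LoadLibraryA address stored in the first slot (edi has advanced by 8,
        // so [edi-0x8] == [esi-0xC]) with the "user32" pointer pushed earlier.
        xchg    eax,ebp                 // eax = kernel32 base (parked), ebp = hash
        call    [edi-0x8]               // eax = LoadLibraryA("user32"); stdcall pops the argument
        xchg    eax,ebp                 // ebp = user32 base, eax = hash again

find_functions:
        pushad                          // save all registers; [esp+0x1C] is the saved eax (target hash)
        mov     eax,[ebp+0x3C]          // e_lfanew: offset of the PE header
        mov     ecx,[ebp+eax+0x78]      // DataDirectory[EXPORT].VirtualAddress (PE32 layout)
        add     ecx,ebp                 // ecx = IMAGE_EXPORT_DIRECTORY (e.g. 0x78C00000+0x262c)
        mov     ebx,[ecx+0x20]          // AddressOfNames RVA
        add     ebx,ebp                 // ebx = name RVA array (e.g. 0x78C00000+0x353C)
        xor     edi,edi                 // edi = name index, pre-incremented below (starts at 1)

next_function_loop:
        inc     edi
        mov     esi,[ebx+edi*4]         // RVA of the edi-th export name
        add     esi,ebp                 // esi = address of the name string
        cdq                             // edx = 0 (eax holds e_lfanew, assumed non-negative)

hash_loop:
        movsx   eax,byte ptr[esi]       // eax = sign-extended name byte
        cmp     al,ah                   // ah == 0 for ASCII bytes, so this is a NUL test
                                        // (a byte >= 0x80 would set ah = 0xFF and break the test)
        jz      compare_hash
        ror     edx,7                   // hash = ror(hash, 7) + byte
        add     edx,eax
        inc     esi
        jmp     hash_loop

compare_hash:
        cmp     edx,[esp+0x1C]          // computed hash vs. target hash (saved eax from pushad)
        jnz     next_function_loop
        mov     ebx,[ecx+0x24]          // AddressOfNameOrdinals RVA
        add     ebx,ebp                 // ebx = ordinal array (e.g. 0x78C00000+0x4424)
        mov     di,[ebx+2*edi]          // 16-bit ordinal; upper half of edi stays 0 (index < 65536)
        mov     ebx,[ecx+0x1C]          // AddressOfFunctions RVA
        add     ebx,ebp                 // ebx = function RVA array
        add     ebp,[ebx+4*edi]         // ebp = resolved function address
        xchg    eax,ebp                 // eax = function address
        pop     edi                     // restore the caller's edi (slot pointer) from pushad
        stosd                           // store the address into the slot, edi += 4
        push    edi                     // put the advanced edi back so popad keeps it
        popad                           // restore everything else; eax = target hash again
        cmp     eax,0x1e380a6a          // stop once MessageBoxA (the last hash) is resolved
        jne     find_lib_functions

function_call:
        // Slots now hold: [edi-0xC] LoadLibraryA, [edi-0x8] ExitProcess, [edi-0x4] MessageBoxA.
        xor     ebx,ebx
        push    ebx                     // NUL terminator for the string below
        push    0x74736577              // "west"
        push    0x6c696166              // "fail"  -> "failwest"
        mov     eax,esp                 // eax -> "failwest"
        push    ebx                     // uType   = 0
        push    eax                     // lpCaption
        push    eax                     // lpText
        push    ebx                     // hWnd    = NULL
        call    [edi-0x04]              // MessageBoxA(NULL, "failwest", "failwest", 0)
        push    ebx                     // uExitCode = 0
        call    [edi-0x08]              // ExitProcess(0); does not return
        nop                             // padding
        nop
        nop
        nop
}
return 0;                               // unreachable: ExitProcess terminates the process above
}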