加载shellcode

​​​​​​

复制代码
#include <stdio.h>#include <windows.h>DWORD GetHash(const char* fun_name){    DWORD digest = 0;    while (*fun_name)    {        digest = ((digest << 25) | (digest >> 7)); //循环右移 7 位        digest += *fun_name; //累加        fun_name++;    }    return digest;}void main(){    DWORD hash;     hash = GetHash("GetProcAddress");    printf("result of hash is 0x%.8x\n", hash);}
提取shellcode

源码

cpp 复制代码
#pragma code_seg("shellcode")
#include <windows.h>
#pragma comment(linker,"/entry:main")
 
void main()
{
    //the pointer of kernel32.dll base address
    DWORD dwKernel32Addr = 0;
    _asm {
        push eax
        mov eax, dword ptr fs:[0x30]
        mov eax, [eax + 0x0C]
        mov eax,[eax + 0x1C]
        mov eax, [eax]
        mov eax, [eax + 0x08]
        mov dwKernel32Addr, eax
        pop eax
    }
 
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)dwKernel32Addr;
    PIMAGE_NT_HEADERS32 pNtHeader = (PIMAGE_NT_HEADERS32)(dwKernel32Addr + pDosHeader->e_lfanew);
 
    PIMAGE_DATA_DIRECTORY pDataDirectory = pNtHeader->OptionalHeader.DataDirectory + IMAGE_DIRECTORY_ENTRY_EXPORT;
 
    PIMAGE_EXPORT_DIRECTORY pExportFuncTable = (PIMAGE_EXPORT_DIRECTORY)(dwKernel32Addr + pDataDirectory->VirtualAddress);
 
    PDWORD pAddrOfFunc = (PDWORD)(pExportFuncTable->AddressOfFunctions + dwKernel32Addr);
 
    PDWORD pAddrOfFuncNames = (PDWORD)(pExportFuncTable->AddressOfNames + dwKernel32Addr);
 
    PWORD  pAddrOfOrdinals = (PWORD)(pExportFuncTable->AddressOfNameOrdinals + dwKernel32Addr);
 
    DWORD dwFuncGetProcAddress = 0;
    for (size_t i = 0; i < pExportFuncTable->NumberOfNames; i++)
    {
        PCHAR lpFuncName = (PCHAR)(pAddrOfFuncNames[i] + dwKernel32Addr);
        DWORD digest = 0;
        while (*lpFuncName)
        {
            digest = ((digest << 25) | (digest >> 7));
            digest += *lpFuncName;
            lpFuncName++;
        }
        if (digest == 0xbbafdf85)//0xbbafdf85是经过自定义hash算法得到GetProcAddress函数的摘要
        {
            dwFuncGetProcAddress = pAddrOfFunc[pAddrOfOrdinals[i]] + dwKernel32Addr;
            break;
        }
    }
    /*
    如果是弹窗弹窗,这里我们需要 : LoadLibraryExA、MessageBoxA、ExitProcess、user32.dll
    */
 
    /*
    定义函数指针GetProcAddress
    */
    typedef    FARPROC (WINAPI *funcGetProcAddress)(
                HMODULE hModule,
                LPCSTR lpProcName
            );
 
    funcGetProcAddress pfuncGetProcAddress = (funcGetProcAddress)dwFuncGetProcAddress;
 
    /*
    LoadLibraryExA 函数指针获取
    */
    typedef HMODULE (WINAPI *funcLoadLibraryExA)(
             LPCSTR lpLibFileName,
             HANDLE hFile,
             DWORD dwFlags
        );
 
    //如果采用字符串模式,其字符串会被放入数据段,使用的每次加载地址都不一样,
    char szLoadLibraryExA[] = { 'L','o','a','d','L','i','b','r','a','r','y','E','x','A','\0' };
    char szUser32[] = { 'u','s','e','r','3','2','.','d','l','l','\0' };
    char szMessageBoxA[] = { 'M','e','s','s','a','g','e','B','o','x','A','\0' };
    char szExitProcess[] = { 'E','x','i','t','P','r','o','c','e','s','s','\0' };
 
    funcLoadLibraryExA pfuncLoadLibraryExA = (funcLoadLibraryExA)(pfuncGetProcAddress((HMODULE)dwKernel32Addr,szLoadLibraryExA));
 
    /*
    ExitProcess函数指针
    */
    typedef    VOID
    (WINAPI *funcExitProcess)(
            _In_ UINT uExitCode
            );
 
    funcExitProcess pfuncExitProcess = (funcExitProcess)(pfuncGetProcAddress((HMODULE)dwKernel32Addr, szExitProcess));
 
    /*
    * 加载user32.dll 和messagebox
    */
 
    typedef int    (WINAPI    *funcMessageBoxA)(
        _In_opt_ HWND hWnd,
        _In_opt_ LPCSTR lpText,
        _In_opt_ LPCSTR lpCaption,
        _In_ UINT uType);
 
    funcMessageBoxA pfuncMessageBoxA = (funcMessageBoxA)(pfuncGetProcAddress((HMODULE)(pfuncLoadLibraryExA(szUser32, NULL, NULL)), szMessageBoxA));
 
    char szContext[] = {'t','h','i','s',' ','i','s',' ','a',' ','t','e','s','t','\0' };
    char szTitle[] = { 't','e','s','t','\0' };
 
    pfuncMessageBoxA(NULL, szContext, szTitle, MB_OK);
    pfuncExitProcess(0);
}
相关推荐
还债大湿兄3 小时前
《C++内存泄漏8大战场:Qt/MFC实战详解 + 面试高频陷阱破解》
c++·qt·mfc
进击的杨厂长5 小时前
本地代码上传github的具体操作步骤
github
珊瑚里的鱼6 小时前
LeetCode 692题解 | 前K个高频单词
开发语言·c++·算法·leetcode·职场和发展·学习方法
AI+程序员在路上6 小时前
QTextCodec的功能及其在Qt5及Qt6中的演变
开发语言·c++·qt
Risehuxyc6 小时前
C++卸载了会影响电脑正常使用吗?解析C++运行库的作用与卸载后果
开发语言·c++
mCell7 小时前
Webhook:连接、自动化与系统集成的新范式
ci/cd·go·github
景彡先生9 小时前
C++编译期计算:常量表达式(constexpr)全解析
服务器·c++
OpenTiny社区9 小时前
告别代码焦虑,单元测试让你代码自信力一路飙升!
前端·github
tan77º10 小时前
【Linux网络编程】应用层自定义协议与序列化
linux·运维·服务器·网络·c++·tcp/ip
绝无仅有10 小时前
使用LNMP一键安装包安装PHP、Nginx、Redis、Swoole、OPcache
后端·面试·github