;※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※
; ShellCodeTest.exe
;※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※
; Author: Goly
; Email:
; QQ: 402295354
;★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
; Core:
; 1. _GetKernel32Base   - locates the kernel32.dll image base at run time, without any import table
; 2. _GetCallBaseByName - resolves an exported function's address by name from a module's export table
;★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
.386                                    ; 32-bit only: the fs:[] TEB/PEB reads and the
.model flat,stdcall                     ;   PE header offsets used below assume a 32-bit process
option casemap:none                     ; identifiers are case-sensitive
.const
; Export names resolved at run time. They are matched byte-for-byte against the
; DLL's export-name table, so case and the trailing 'A' matter.
SZ_LoadLibraryA db 'LoadLibraryA',0
SZ_MessageBoxA db 'MessageBoxA',0
SZ_ExitProcess db 'ExitProcess',0
AppName db 'ShellCode',0                ; used as both the MessageBox text and caption
user32 db 'user32.dll',0                ; loaded through the dynamically resolved LoadLibraryA
.data?
API_LoadLibraryA dd ?                   ; filled in by start once resolved; undefined until then
API_MessageBoxA dd ?                    ; filled in by start once resolved; undefined until then
.code
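;-----------------------------------------------------------------------
; DWORD _StrLenA(LPCSTR pStr)                              -- stdcall
; Returns in eax the number of bytes preceding the terminating NUL.
; pStr must point at a NUL-terminated string; a NULL pointer faults.
; Clobbers: eax (result), flags. esi is saved and restored by the frame:
; the previous version wrote esi without preserving it, although esi is
; callee-saved under stdcall.
;-----------------------------------------------------------------------
_StrLenA proc uses esi pStr:DWORD
        mov     esi,pStr
        xor     eax,eax                 ; bytes counted so far
        .while (byte ptr [esi] != 0)
            inc     eax
            inc     esi
        .endw
        ret
_StrLenA endp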
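;-----------------------------------------------------------------------
; DWORD _StrEqualA(LPCSTR pStr1, LPCSTR pStr2)             -- stdcall
; Returns eax = 1 when the two NUL-terminated strings are byte-for-byte
; identical (same bytes and same length), otherwise eax = 0.
;
; The comparison runs through the terminator itself, so:
;   - a string never matches a mere prefix of another
;     ("LoadLibrary" vs "LoadLibraryA" -> 0), which matters because the
;     export-name table is searched with this function;
;   - no byte beyond either terminator is ever read;
;   - two empty strings compare equal, and an empty string no longer
;     drives a `loop` with ecx = 0 around 2^32 times.
; The previous version precomputed both lengths and the comparison
; condition on that line was lost in transcription; this version needs
; neither _StrLenA nor a length.
; Both pointers must be non-NULL. Clobbers: eax, flags.
;-----------------------------------------------------------------------
_StrEqualA proc uses esi edi pStr1:DWORD,pStr2:DWORD
        mov     esi,pStr1
        mov     edi,pStr2
StrEqNext:
        mov     al,byte ptr [esi]
        cmp     al,byte ptr [edi]
        jne     StrEqDiffer
        test    al,al                   ; both strings ended together -> equal
        jz      StrEqSame
        inc     esi
        inc     edi
        jmp     StrEqNext
StrEqSame:
        mov     eax,1
        ret
StrEqDiffer:
        xor     eax,eax
        ret
_StrEqualA endp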
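;-----------------------------------------------------------------------
; DWORD _GetKernel32Base(void)                             -- stdcall
; Returns eax = image base of kernel32.dll, or 0 when it cannot be found.
;
; Walks PEB->Ldr->InMemoryOrderModuleList. In a normally started 32-bit
; process the first three entries are the EXE, ntdll.dll and kernel32.dll,
; so the third entry's DllBase is taken. Because that ordering is a
; loader convention rather than a contract, the candidate is validated
; ('MZ' and 'PE\0\0' signatures) before it is returned, and every
; pointer on the way is checked so a short or empty list yields 0
; instead of a fault. Callers must treat eax == 0 as failure.
;
; NOTE(review): the previous implementation walked the SEH chain from
; fs:[0] to its last record and assumed that handler lived in kernel32,
; then stepped downward 64K at a time looking for an 'MZ' header with no
; lower bound. Where that assumption does not hold, the scan ends up
; dereferencing unmapped pages (eventually page zero) instead of failing.
;
; Offsets (32-bit): TEB+30h = PEB, PEB+0Ch = Ldr, Ldr+14h =
; InMemoryOrderModuleList, LDR_DATA_TABLE_ENTRY.DllBase is 10h past the
; InMemoryOrderLinks field.
; Clobbers: eax (result), ecx, flags. esi is preserved.
;-----------------------------------------------------------------------
_GetKernel32Base proc uses esi
        assume  fs:nothing
        mov     eax,fs:[30h]            ; eax = PEB
        test    eax,eax
        jz      K32NotFound
        mov     eax,[eax+0Ch]           ; eax = PEB->Ldr
        test    eax,eax
        jz      K32NotFound
        lea     esi,[eax+14h]           ; esi = &Ldr->InMemoryOrderModuleList (list head)
        mov     eax,[esi]               ; Flink -> 1st entry (the executable)
        cmp     eax,esi
        je      K32NotFound             ; empty list
        mov     eax,[eax]               ; 2nd entry (ntdll.dll)
        cmp     eax,esi
        je      K32NotFound
        mov     eax,[eax]               ; 3rd entry (kernel32.dll)
        cmp     eax,esi
        je      K32NotFound             ; fewer than three modules: list wrapped to its head
        mov     eax,[eax+10h]           ; DllBase, relative to InMemoryOrderLinks
        test    eax,eax
        jz      K32NotFound
        ; Validate the candidate before handing it out as an image base.
        cmp     word ptr [eax],5A4Dh    ; 'MZ'
        jne     K32NotFound
        mov     ecx,[eax+3Ch]           ; e_lfanew
        add     ecx,eax
        cmp     dword ptr [ecx],00004550h ; 'PE\0\0'
        jne     K32NotFound
        ret
K32NotFound:
        xor     eax,eax
        ret
_GetKernel32Base endp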
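;-----------------------------------------------------------------------
; DWORD _GetCallBaseByName(DWORD ImageBase, LPCSTR pCallName) -- stdcall
; Resolves a named export of the PE image mapped at ImageBase, the way
; GetProcAddress does for names, without calling any API.
; Returns eax = virtual address of the export, or 0 when
;   - ImageBase is 0 or does not point at an 'MZ' / 'PE\0\0' image,
;   - the image has no export directory,
;   - no export name equals pCallName exactly (case-sensitive),
;   - the matching ordinal is outside AddressOfFunctions, or
;   - the match is a forwarder (its RVA lies inside the export
;     directory), i.e. a string naming another DLL's export, not code.
;
; Fixes against the previous version: the function-address table is
; indexed through AddressOfNameOrdinals[name index] rather than by the
; name index itself (the two coincide only by accident); a missing
; export directory and a zero NumberOfNames no longer read garbage or
; loop with an index of -1; ebx/esi/edi are preserved as stdcall
; requires; the header check is 'PE' (the old comment said 'MZ').
; Offsets into IMAGE_EXPORT_DIRECTORY: +14h NumberOfFunctions,
; +18h NumberOfNames, +1Ch AddressOfFunctions, +20h AddressOfNames,
; +24h AddressOfNameOrdinals. Export data directory: NT headers +78h
; (VirtualAddress) / +7Ch (Size).
; Clobbers: eax (result), ecx, edx, flags.
;-----------------------------------------------------------------------
_GetCallBaseByName proc uses ebx esi edi ImageBase:DWORD,pCallName:DWORD
        LOCAL ExportDir:DWORD           ; VA of IMAGE_EXPORT_DIRECTORY
        LOCAL ExportRva:DWORD           ; RVA of the export directory (forwarder test)
        LOCAL ExportSize:DWORD          ; size of the export directory (forwarder test)
        LOCAL NameCount:DWORD           ; NumberOfNames

        mov     ebx,ImageBase
        test    ebx,ebx
        jz      ExpNotFound
        cmp     word ptr [ebx],5A4Dh            ; 'MZ'
        jne     ExpNotFound
        mov     eax,[ebx+3Ch]                   ; e_lfanew
        add     eax,ebx                         ; eax = IMAGE_NT_HEADERS
        cmp     dword ptr [eax],00004550h       ; 'PE\0\0'
        jne     ExpNotFound
        mov     ecx,[eax+78h]                   ; DataDirectory[EXPORT].VirtualAddress
        test    ecx,ecx
        jz      ExpNotFound                     ; image exports nothing
        mov     ExportRva,ecx
        mov     edx,[eax+7Ch]                   ; DataDirectory[EXPORT].Size
        mov     ExportSize,edx
        add     ecx,ebx
        mov     ExportDir,ecx
        mov     eax,[ecx+18h]                   ; NumberOfNames
        mov     NameCount,eax
        mov     esi,[ecx+20h]
        add     esi,ebx                         ; esi = AddressOfNames (array of name RVAs)
        xor     edi,edi                         ; edi = index into the name table
        .while (edi < NameCount)
            mov     eax,[esi+edi*4]
            add     eax,ebx                     ; eax = this export's name string
            invoke  _StrEqualA,eax,pCallName
            .if (eax == 1)
                mov     ecx,ExportDir
                mov     eax,[ecx+24h]
                add     eax,ebx                 ; AddressOfNameOrdinals (WORD array)
                movzx   eax,word ptr [eax+edi*2] ; index into AddressOfFunctions
                cmp     eax,[ecx+14h]           ; must be < NumberOfFunctions
                jae     ExpNotFound
                mov     ecx,[ecx+1Ch]
                add     ecx,ebx                 ; AddressOfFunctions (array of RVAs)
                mov     eax,[ecx+eax*4]         ; RVA of the export
                ; A forwarder's RVA points into the export directory itself;
                ; returning it would hand the caller a string, not code.
                mov     ecx,eax
                sub     ecx,ExportRva
                cmp     ecx,ExportSize
                jb      ExpNotFound
                add     eax,ebx                 ; eax = VA of the export
                ret
            .endif
            inc     edi
        .endw
ExpNotFound:
        xor     eax,eax
        ret
_GetCallBaseByName endp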
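;-----------------------------------------------------------------------
; Entry point. Resolves LoadLibraryA from kernel32, loads user32.dll,
; resolves MessageBoxA and shows a box, then exits through a dynamically
; resolved ExitProcess.
;
; Fixes against the previous version: the kernel32 base obtained from
; _GetKernel32Base is checked for 0 before it is dereferenced, and it is
; reused for the ExitProcess lookup instead of the hard-coded 07c800000h
; (the XP-era kernel32 base), which defeated the dynamic lookup and made
; the exit path crash on any other layout. A failed LoadLibraryA or
; ExitProcess lookup is also no longer `call`ed through a zero pointer.
; The base is parked in a stack slot because the stdcall callees may not
; preserve every register.
;-----------------------------------------------------------------------
start:
        invoke  _GetKernel32Base
        test    eax,eax
        jz      NoKernel32              ; nothing can be resolved without kernel32
        push    eax                     ; [esp] = kernel32 base, kept for the exit path
        invoke  _GetCallBaseByName,eax,offset SZ_LoadLibraryA
        .if (eax != 0)
            mov     API_LoadLibraryA,eax
            push    offset user32
            call    API_LoadLibraryA    ; eax = user32 base, 0 on failure
            .if (eax != 0)
                invoke  _GetCallBaseByName,eax,offset SZ_MessageBoxA
                .if (eax != 0)
                    mov     API_MessageBoxA,eax
                    push    0                   ; uType   (MB_OK)
                    push    offset AppName      ; lpCaption
                    push    offset AppName      ; lpText
                    push    0                   ; hWnd
                    call    API_MessageBoxA
                .endif
            .endif
        .endif
        pop     eax                     ; kernel32 base
        invoke  _GetCallBaseByName,eax,offset SZ_ExitProcess
        test    eax,eax
        jz      NoKernel32
        push    0                       ; uExitCode
        call    eax                     ; ExitProcess(0) does not return
NoKernel32:
        ret                             ; fall back to returning to the loader's caller
end start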