shellcode定位kernel32与LoadLibrary

// Locate kernel32: walk the PEB loader list and return (in EAX) the base
// address of the first module whose name is exactly 12 wide characters long
// ("kernel32.dll" is 12 characters; nothing else about the name is checked).
//
// Naked function: no prologue/epilogue, result in EAX. It overwrites ECX, ESI
// and EDI without saving them, so the caller has to preserve them (the caller
// shown further down on this page issues pushad before the call).
//
// NOTE(review): the FS:[0x30] -> Ldr -> InInitOrder walk with these fixed
// offsets is a well-known pattern and a common static/behavioural signature;
// worth recognising when reviewing binaries or writing detections.
__declspec(naked) int GetKernel32Base()
{
    __asm
    {
        XOR ECX, ECX              ; ECX = 0 (CL is the zero compared against below)
        MOV ESI, FS:[ECX + 0x30]  ; ESI = &(PEB), read from FS:[0x30] (32-bit layout)
        MOV ESI, [ESI + 0x0C]     ; ESI = PEB->Ldr
        MOV ESI, [ESI + 0x1C]     ; ESI = PEB->Ldr.InInitOrder (list head)
    next_module:
        MOV EAX, [ESI + 0x08]     ; EAX = InInitOrder[X].base_address (the original comment said EBP; the code writes EAX)
        MOV EDI, [ESI + 0x20]     ; EDI = InInitOrder[X].module_name (wide-char buffer, 2 bytes per char)
        MOV ESI, [ESI]            ; ESI = InInitOrder[X].flink (next entry)
        CMP [EDI + 12*2], CL      ; modulename[12] == 0 ?  i.e. is the name exactly 12 characters long
        JNE next_module           ; no: try the next entry
                                  ; NOTE(review): there is no end-of-list guard; the loop relies on
                                  ; a 12-character module name being present in the list
        ret                       ; EAX = base address of the matching module
    }
}

以上代码兼容 Windows 的任何版本，包括 Windows 7。

 

api搜索

常见的api搜索方法有

1:暴力搜索

2:通过函数名称的哈希值来搜索

 

由于在写本程序的时候没有想到会这么麻烦，也没有在网上找参考代码，以下是我自己实现的版本，比以上两种办法都要琐碎得多：严格按照函数名称来搜索，兼容性当然要好于以上两种，不过占用的代码空间要大。以上两种办法网上代码很多，就不贴了；把自己写的贴过来，以备后查。

 

在写的过程中，不是很难，但是很琐碎；自己汇编掌握得又不好，所以程序基本上没有封装性可言，需要的时候要重新封装。

// Base address of Kernel.dll (kernel32), filled in by GetKernel32Base().
// NOTE(review): NULL is assigned to an integer type here; 0 is what is meant.
DWORD MyKernelBase = NULL;
// Address of LoadLibrary, copied from EAX after GetLoadLibrary() returns.
DWORD MyLoadLibrary = NULL;
// Save all general registers: the two naked helpers overwrite EAX, EBX, ECX,
// EDX, ESI and EDI without preserving them.
// NOTE(review): the matching popad is not part of this excerpt — confirm it
// exists in the full function.
__asm pushad
MyKernelBase = GetKernel32Base();
// GetLoadLibrary() reads the module base from EBP, so EBP is saved, set to the
// kernel32 base for the duration of the call, and restored afterwards.
__asm push ebp
__asm mov ebp,MyKernelBase
GetLoadLibrary();
__asm pop ebp
// EAX as left by GetLoadLibrary(). This assumes the compiler emits nothing
// that touches EAX between the call and this line — TODO confirm in the
// generated disassembly.
__asm mov MyLoadLibrary,eax

// Locate the address of LoadLibrary: with EBP = module base (set by the
// caller), parse that module's PE export directory and scan its name table
// backwards, comparing each name with "LoadLibraryA". The string is built on
// the stack by the four pushes below ("\0", "aryA", "Libr", "Load" as
// little-endian dwords, so memory from ESP upwards reads "LoadLibraryA\0").
//
// Naked function; result in EAX. If no name matches, the loop runs ECX below
// zero and jumps to exit with EAX = 0 (from the xor eax,eax before the compare).
// The compare calls the external CRT strcmp, so as written the routine depends
// on that symbol being linked (see the comment at the call site).
//
// NOTE(review): on a match, `mov eax,edi` returns EDI, which at that point
// holds the pointer to the matching export NAME string. EDX, computed in
// functionaddr from the table at export-directory offset 0x1c with the same
// index ECX as the names table (no separate lookup; this assumes the two tables
// are parallel), is not used after the compare. The caller stores EAX as
// MyLoadLibrary, so which of the two values is intended should be checked.
__declspec(naked) int GetLoadLibrary()
{
    __asm
    {
        push 0x0                       ; string terminator
        push 0x41797261                ; "aryA"
        push 0x7262694c                ; "Libr"
        push 0x64616F4C                ; "Load"
        mov esi,esp                    ; esi = "LoadLibraryA" (the original calls it "LoadLibraryStrA")
        push esi                       ; keep a copy of the string pointer on the stack
    get_function:
        mov ebx,dword ptr[ebp+0x3c]    ; ebx = e_lfanew (ebp = dll base)
        add ebx,ebp                    ; ebx = &(pe header)
        mov ebx,dword ptr[ebx+0x78]    ; rva of the export directory (data directory entry 0 of a PE32 optional header)
        add ebx,ebp                    ; ebx = &(export directory) (the original comment said "import directory")
        mov ecx,dword ptr[ebx+0x18]    ; ecx = number of name pointers
    getnext_function:
        dec ecx                        ; ecx = next index, counting down
        xor eax,eax                    ; eax = 0 (also the value returned on the not-found path)
        cmp ecx,eax
        jl exit                        ; ecx < 0: nothing matched, exit with eax = 0
    functionaddr:
        mov edx,dword ptr[ebx+0x1c]    ; edx = rva of the table at export-directory offset 0x1c
        add edx,ebp                    ; edx = &(that table)
        mov edx,dword ptr[edx+ecx*4]   ; edx = entry ecx of that table (same index as the name table)
        add edx,ebp                    ; edx = base + that entry
    functionname:
        mov edi,dword ptr[ebx+0x20]    ; edi = rva of the names table
        add edi,ebp                    ; edi = &(names table)
        mov edi,dword ptr[edi+ecx*4]   ; edi = rva of name ecx
        add edi,ebp                    ; edi = &(function name)
        pop esi                        ; esi = "LoadLibraryA" (restore from the saved copy)
        push esi                       ; and keep the copy on the stack
    compare_loop:
        push ecx                       ; save ecx (index) across the call
        push edx                       ; save edx across the call
        push esi                       ; argument 2: "LoadLibraryA"
        push edi                       ; argument 1: export name
        call strcmp                    ; the assembly was pulled out with OD (presumably OllyDbg)
        add esp,8                      ; discard the two arguments (cdecl)
        test eax,eax                   ; eax = strcmp(apiname, "LoadLibraryA"); zero means equal
        pop edx                        ; restore edx
        pop ecx                        ; restore ecx
        pop esi                        ; restore esi = "LoadLibraryA"
        push esi
        jnz getnext_function           ; not equal: try the previous name
        mov eax,edi                    ; eax = edi, i.e. the pointer to the matching name string
    exit:
        add esp,0x14                   ; drop the 4 string dwords and the saved esi copy (5 * 4 bytes)
        ret
    }
}

 
