shellcode技术积累

1. kernel32.ExpandEnvironmentStringsA 可以把 "%USERPROFILE%\a.exe" 扩展成用户目录下的完整路径，如 "C:\Documents and Settings\Administrator\a.exe"，这个调用有可能会在一些 shellcode 中见到。

2.获取当前地址:

    ; GetPC idiom: the 5-byte E8 00 00 00 00 followed by a pop is a common position-independent-code signature
    00122528     E8 00000000       call 0012252D     ; rel32 = 0: pushes the return address (0012252D) and falls through to the next instruction
    0012252D     58                pop eax           ; eax = 0012252D, the runtime address of this very instruction

3. 一段精彩的修改 IAT（导入地址表）的代码:

/*
 * sub_402369 (decompiler output, offsets assume a PE32 image).
 *
 * Walks the import descriptors of the process's main module, finds the
 * entry for user32.dll, and overwrites the IAT slots of RegisterClassExW
 * and CreateWindowExW with sub_4019EF and sub_402228 respectively, so
 * that later calls through those imports land in the replacement code.
 *
 * Returns: always 0 — the outer loop only exits when `result` (the next
 * descriptor's Name RVA) is 0, and that value is what is returned.
 *
 * Detection notes: this is a classic in-process IAT hook. It can be
 * spotted by comparing each IAT entry with the real export address in
 * the loaded module, and by VirtualProtect calls that make the image's
 * import-table page PAGE_EXECUTE_READWRITE (0x40) followed by a write
 * to that page.
 */
int __cdecl sub_402369()
{
  int result; // eax@1 — current descriptor's Name RVA; 0 terminates the walk
  int pIID; // ebx@1 — pointer to the current IMAGE_IMPORT_DESCRIPTOR
  HMODULE hmodule2; // esi@1 — image base (same value as hModule / i)
  HMODULE hModule; // eax@1
  int OrigianlFirstThunk; // edi@3 — pointer into the INT (OriginalFirstThunk)
  void *FirstThunk; // esi@3 — pointer into the IAT (FirstThunk)
  HMODULE i; // [sp+8h] [bp-8h]@1 — decompiler artifact, always equals the image base
  DWORD flOldProtect; // [sp+Ch] [bp-4h]@5

  hModule = GetModuleHandleW(0);                // base address of the main executable
  hmodule2 = hModule;
  // hModule + 0x3C (= 15 dwords) is e_lfanew; NT headers + 0x80 is the import
  // directory RVA (DataDirectory[1].VirtualAddress) in a PE32 optional header.
  pIID = (int)((char *)hModule + *(_DWORD *)((char *)hModule + *((_DWORD *)hModule + 15) + 128));// pointer to the IMAGE_IMPORT_DESCRIPTOR array
  result = *(_DWORD *)(pIID + 0xC);             // IMAGE_IMPORT_DESCRIPTOR.Name (RVA of the DLL name)
  for ( i = hmodule2; result; pIID += 0x14u )   // 0x14 == sizeof(IMAGE_IMPORT_DESCRIPTOR); stop at the all-zero terminator
  {
    if ( !stricmp((const char *)hmodule2 + result, "user32.dll") )  // case-insensitive DLL-name match
    {
      OrigianlFirstThunk = (int)((char *)hmodule2 + *(_DWORD *)pIID);   // offset 0x00: OriginalFirstThunk (INT)
      FirstThunk = (char *)i + *(_DWORD *)(pIID + 16);                  // offset 0x10: FirstThunk (IAT); walked in lockstep with the INT
      while ( *(_DWORD *)OrigianlFirstThunk )   // INT is terminated by a zero entry
      {
        // Each INT entry is treated as an RVA to IMAGE_IMPORT_BY_NAME; +2 skips the Hint field to reach the name.
        if ( !stricmp((const char *)i + *(_DWORD *)OrigianlFirstThunk + 2, "RegisterClassExW") )
        {
          VirtualProtect(FirstThunk, 4u, 0x40u, &flOldProtect);// make the 4-byte IAT slot writable (0x40 = PAGE_EXECUTE_READWRITE)
          *(_DWORD *)FirstThunk = sub_4019EF;   // overwrite the IAT slot with the replacement routine
          VirtualProtect(FirstThunk, 4u, flOldProtect, &flOldProtect);// restore the previous page protection
        }
        if ( !stricmp((const char *)i + *(_DWORD *)OrigianlFirstThunk + 2, "CreateWindowExW") )
        {
          VirtualProtect(FirstThunk, 4u, 0x40u, &flOldProtect);
          *(_DWORD *)FirstThunk = sub_402228;   // same pattern for the second import
          VirtualProtect(FirstThunk, 4u, flOldProtect, &flOldProtect);
        }
        OrigianlFirstThunk += 4;                // advance both tables one 32-bit thunk
        FirstThunk = (char *)FirstThunk + 4;
      }
      hmodule2 = i;                             // no-op: i was initialised from hmodule2 and neither changes
    }
    result = *(_DWORD *)(pIID + 0x20);          // 0x14 + 0xC: Name of the *next* descriptor, read before pIID is advanced
  }
  return result;
}

 

 
