【C】wow64 切 w64
#define __STDC__ 1
#include "ntddk.h"
#include "ntimage.h"
/***********************************************************************/
/* shell code start */
/* linker command must append /MERGE:S_CODE=S_DATA /SECTION:S_DATA,RWE */
/***********************************************************************/
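/* Forward declarations for the shellcode resolvers.
   shell_start calls GetProcAddress_m before its definition; without a prototype the
   call is an implicit `int f()` declaration (C4013), which only works by accident of
   the x64 calling convention. `long long` is the same type as MSVC's __int64, so this
   prototype matches the definition below. */
void GetRing3Base_m();
int GetProcAddress_m(long long base,char* FuncName,long long* FuncAddr);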
/* Shellcode global data.
   main() dumps [&shell_start, &shell_data_sign_S) as code and
   [&shell_data_sign_S, &shell_data_sign_E) as data into shellcode[], one contiguous
   block (S_CODE is merged into S_DATA by the linker, see the note at the top).
   The offsets main() emits for k_Base/n_Base assume these four definitions keep this
   declaration order (see the build note: the WRK cl.exe preserves it; other compilers
   may not). Because the shellcode stores into k_Base/n_Base, the array that receives
   this dump must be writable as well as executable wherever it is used. */
#pragma data_seg("S_DATA")
__int64 shell_data_sign_S=0;/* start-of-data marker: end of the code dump */
__int64 k_Base=0;/* set by GetRing3Base_m: DllBase of the 3rd InInitializationOrder entry (intended: kernel32 -- see note there) */
__int64 n_Base=0;/* set by GetRing3Base_m: DllBase of the 1st InInitializationOrder entry (ntdll) */
__int64 shell_data_sign_E=0; /* end-of-data marker */
#pragma code_seg("S_CODE")
/*shlleocde entry*/
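/* Shellcode entry, runs in 64-bit mode. wow64init() stores &shellcode in the thunk
   table and wow64initEx() crosses the gate to it once.
   Locates ntdll/kernel32 through the PEB, then resolves pfmax export names from ntdll.
   pf    : out, pf[i] receives the 64-bit address of export pfn[i] (0 if not found)
   pfn   : in,  NUL-terminated export names
   pfmax : number of entries in pf/pfn
   Returns the number of entries processed (pfmax, or 0 for NULL lists / negative count).
   Unresolved names are reported through pf[i]==0, not through the return value.
   Must stay free of CRT calls and absolute addresses: main() copies its bytes into
   shellcode[] for execution inside another image. */
int shell_start(__int64* pf,char** pfn,__int64 pfmax) // sign code start
{
    __int64 i;
    GetRing3Base_m();   /* always fill n_Base/k_Base, even for an empty request */
    if (!pf || !pfn || pfmax<0) return 0;
    for (i=0;i<pfmax;i++)
    {
        /* resolve one name; the original passed the whole lists (pfn, &pf) instead of
           element i, which does not even type-check against GetProcAddress_m */
        GetProcAddress_m(n_Base,pfn[i],&pf[i]);
    }
    return i;
}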
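/* CRT-free strlen for the shellcode: returns the number of bytes before the NUL.
   Returns 0 for a NULL pointer. The original loop `for(;s;);` never advanced and
   never terminated for any non-NULL string.
   Keep the build at /Od: with optimization the compiler may recognise this loop and
   emit a CRT strlen call, which the position-independent dump cannot satisfy. */
int strlen_m(char* s)
{
    int i=0;
    if (!s) return 0;
    while (s[i]) i++;
    return i;
}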
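/* CRT-free equality test for the shellcode's export-name lookup.
   Returns 0 iff s1 and s2 are identical NUL-terminated strings; otherwise a non-zero
   value (1-based index of the first differing byte, or -1 if either pointer is NULL).
   This is NOT an ordering comparison like libc strcmp -- GetProcAddress_m only tests ==0.
   The original read `t` before initialising it (`t|=-1`, undefined behaviour) and
   compared the pointers `s1==s2` instead of the bytes at index t. */
int strcmp_m(char* s1,char* s2)
{
    int i;
    if (!s1 || !s2) return -1;
    for (i=0;;i++)
    {
        if (s1[i]!=s2[i]) return i+1;   /* also catches one string ending early */
        if (!s1[i]) return 0;           /* both ended together: equal */
    }
}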
/* Fill n_Base (ntdll) and k_Base from the 64-bit PEB loader list, using the public
   x64 TEB/PEB layout: gs:[0x30] = TEB self pointer, TEB+0x60 = PEB, PEB+0x18 = Ldr,
   PEB_LDR_DATA+0x30 = InInitializationOrderModuleList, and from one of its link
   nodes +0x10 = LDR_DATA_TABLE_ENTRY.DllBase.
   n_Base is the first entry in initialisation order; k_Base is the third.
   NOTE(review): in a WoW64 process the 64-bit loader list is ntdll followed by the
   wow64*.dll set, so whether the third entry is really kernel32 depends on the OS
   build -- verify before relying on wow64kernel32_64. Matching on BaseDllName would
   be robust; positional lookup is not. No CRT, no absolute addresses (shellcode). */
void GetRing3Base_m()
{
    __int64 teb,peb,ldr,node;
    teb=__readgsqword(0x30);              /* TEB */
    peb=*(__int64*)(teb+0x60);            /* TEB->ProcessEnvironmentBlock */
    ldr=*(__int64*)(peb+0x18);            /* PEB->Ldr */
    node=*(__int64*)(ldr+0x30);           /* InInitializationOrderModuleList.Flink */
    n_Base=*(__int64*)(node+0x10);        /* first entry: ntdll DllBase */
    node=*(__int64*)node;                 /* Flink -> second entry */
    node=*(__int64*)node;                 /* Flink -> third entry */
    k_Base=*(__int64*)(node+0x10);        /* third entry: DllBase */
}
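/* Minimal GetProcAddress over a mapped PE32+ image, for the shellcode (no CRT, no imports).
   base     : DllBase of a 64-bit module
   FuncName : NUL-terminated export name (by-name lookup only, no ordinals)
   FuncAddr : out, receives the absolute address or 0 (may be NULL: then only the
              return value is reported)
   Returns 1 if found, 0 otherwise (bad arguments, not a PE32+, no export table, name
   absent, or a forwarded export).
   Fixes against the original: the "[0]" / "[i]" / "[n]" subscripts that had been lost
   (DataDirectory[0], AddressOfNames[i], AddressOfNameOrdinals[i], AddressOfFunctions[n]),
   the first-character fast check compared the pointers instead of the bytes, ordinals
   were read as signed 16-bit, a module with no export directory dereferenced base+0,
   a forwarded export ("DLL.Name" string) was returned as if it were code, and a NULL
   FuncAddr was written through on the early-exit path. Multichar constants 'ZM'/'EP'
   are replaced by their numeric values to avoid implementation-defined byte order. */
int GetProcAddress_m(__int64 base,char* FuncName,__int64* FuncAddr)
{
    __int64 addr=0;
    unsigned __int32* AddressOfNames;
    unsigned __int32* AddressOfFunctions;
    unsigned __int16* AddressOfNameOrdinals;
    IMAGE_DOS_HEADER* DOS_HEADER;
    IMAGE_NT_HEADERS64* NT_HEADER;
    IMAGE_OPTIONAL_HEADER64* OptionalHeader;
    IMAGE_EXPORT_DIRECTORY* Export;
    __int64 ExportRva,ExportSize;
    unsigned int n;
    int i,t;
    char* Dst;

    if (!base || !FuncName) goto done;
    DOS_HEADER=(IMAGE_DOS_HEADER*)base;
    if (DOS_HEADER->e_magic!=0x5A4D) goto done;                 /* "MZ" */
    NT_HEADER=(IMAGE_NT_HEADERS64*)((__int64)DOS_HEADER+(__int64)DOS_HEADER->e_lfanew);
    if (NT_HEADER->Signature!=0x00004550) goto done;            /* "PE\0\0" */
    OptionalHeader=&NT_HEADER->OptionalHeader;
    if (OptionalHeader->Magic!=0x20B) goto done;                /* PE32+ only */
    if (OptionalHeader->NumberOfRvaAndSizes<1) goto done;       /* no export slot at all */
    /* DataDirectory[0] is IMAGE_DIRECTORY_ENTRY_EXPORT */
    ExportRva=OptionalHeader->DataDirectory[0].VirtualAddress;
    ExportSize=OptionalHeader->DataDirectory[0].Size;
    if (!ExportRva) goto done;                                  /* module exports nothing */
    Export=(IMAGE_EXPORT_DIRECTORY*)((__int64)DOS_HEADER+ExportRva);
    t=Export->NumberOfNames;
    AddressOfNameOrdinals=(unsigned __int16*)((__int64)DOS_HEADER+(__int64)Export->AddressOfNameOrdinals);
    AddressOfNames=(unsigned __int32*)((__int64)DOS_HEADER+(__int64)Export->AddressOfNames);
    AddressOfFunctions=(unsigned __int32*)((__int64)DOS_HEADER+(__int64)Export->AddressOfFunctions);
    for (i=0;i<t;i++)
    {
        Dst=(char*)((__int64)DOS_HEADER+AddressOfNames[i]);
        /* cheap first-byte reject before the full compare */
        if (*Dst==*FuncName && strcmp_m(FuncName,Dst)==0)
        {
            n=AddressOfNameOrdinals[i];                         /* unbiased index into AddressOfFunctions */
            if (n>=Export->NumberOfFunctions) goto done;        /* corrupt table */
            addr=(__int64)DOS_HEADER+AddressOfFunctions[n];
            /* an RVA inside the export directory is a forwarder string, not code;
               this resolver has no loader to follow it, so report "not found" */
            if (addr>=(__int64)Export && addr<(__int64)Export+ExportSize) addr=0;
            goto done;
        }
    }
done:
    if (FuncAddr) *FuncAddr=addr;
    return (addr?1:0);
}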
#pragma code_seg()
#pragma data_seg()
#include "..\beaengine\headers\BeaEngine.h"
struct FILE* __cdecl fopen();
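/* Host-side generator. Disassembles the shellcode region of this very image with
   BeaEngine and writes shellcode.h: an unsigned char array followed by #define'd
   slot addresses for the 32-bit consumer.
   Layout assumptions: [&shell_start, &shell_data_sign_S) is code and
   [&shell_data_sign_S, &shell_data_sign_E) is data, contiguous and in declaration
   order (S_CODE merged into S_DATA, see the linker note at the top of the file).
   Returns 0 on success, 1 if shellcode.h cannot be opened or written.
   NOTE(review): printf/fprintf/fclose/system are implicitly declared here (no
   <stdio.h>/<stdlib.h> in view) and `struct FILE*` stands in for FILE*, matching
   the hand-written fopen prototype above.
   NOTE(review): the emitted array is executed AND written by the shellcode (its
   globals live inside it), so the consumer must keep it in RWX memory; nothing in
   the generated header enforces that. */
int main(void)
{
    DISASM diasm={0};
    struct FILE* file;
    __int64 i,j,k;
    __int64 code_end=(__int64)&shell_data_sign_S;
    __int64 data_end=(__int64)&shell_data_sign_E;

    /* %llx/%lld need integer arguments: cast the pointers instead of passing them raw */
    printf("shellcode start %llx \ncode end / data start %llx \ndata end %llx \nlength = %lld\n",
        (__int64)&shell_start,
        code_end,
        data_end,
        code_end-(__int64)&shell_start);

    file=fopen("shellcode.h","wt+");
    if (!file)
    {
        printf("cannot open shellcode.h for writing\n");
        return 1;
    }
    fprintf(file,"unsigned char shellcode[] = {\n");

    /* code region: one line per instruction, the raw bytes then the decoded text */
    diasm.Archi=64;
    for (k=(__int64)&shell_start;k<code_end;k+=j)
    {
        diasm.EIP=k;
        j=Disasm(&diasm);
        if (j<=0)
        {
            /* BeaEngine returns 0 (OUT_OF_BLOCK) or -1 (UNKNOWN_OPCODE); the original
               added that to k and either looped forever or stepped backwards.
               Emit the byte raw so the array stays complete. */
            printf("warning: undecodable byte at %llx, emitted raw\n",k);
            fprintf(file,"\t\t0x%.2X,%*s\t// db\n",*(unsigned char*)k,45,"");
            j=1;
            continue;
        }
        if (k+j>code_end)
        {
            /* never emit past the code/data boundary: extra bytes here would shift
               every data offset written below */
            j=code_end-k;
        }
        fprintf(file,"\t\t");
        for (i=0;i<j;i++) fprintf(file,"0x%.2X,",*(unsigned char*)(k+i));
        fprintf(file,"%*s\t// %s\n",(int)max(50-j*5,0),"",diasm.CompleteInstr);
    }

    /* data region: 8 bytes per line, one __int64 global each */
    for (k=code_end;k<data_end;k+=8)
    {
        fprintf(file,"\t\t");
        for (i=0;i<8;i++) fprintf(file,"0x%.2X,",*(unsigned char*)(k+i));
        fprintf(file,"\n");
    }
    fprintf(file,"\t\t0\n};\n");

    /* slot macros: byte offsets into shellcode[] (the "[%lld]" subscript had been lost) */
    fprintf(file,"#define wow64GetProcAddress_m &shellcode[%lld]\n",(__int64)((char*)&GetProcAddress_m-(char*)&shell_start));
    fprintf(file,"#define wow64GetRing3Base_m &shellcode[%lld]\n",(__int64)((char*)&GetRing3Base_m-(char*)&shell_start));
    fprintf(file,"#define wow64kernel32_64 &shellcode[%lld]\n",(__int64)((char*)&k_Base-(char*)&shell_start));
    fprintf(file,"#define wow64ntdll_64 &shellcode[%lld]\n",(__int64)((char*)&n_Base-(char*)&shell_start));

    if (fclose(file)!=0)
    {
        printf("error writing shellcode.h\n");
        return 1;
    }
    system("pause");
    return 0;
}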
用 WRK 自带的 tools\amd64\cl.exe 编译时，全局变量会按声明顺序排布；main() 依赖 shell_data_sign_S～shell_data_sign_E 之间 k_Base/n_Base 的这个顺序来计算偏移，换用其它编译器或打开优化可能把顺序打乱。
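@echo off
rem Build shellcode.exe (the shellcode generator) with the WRK-bundled amd64 cl/link.
rem The link step merges S_CODE into S_DATA as one RWE section so the shellcode's
rem globals sit directly behind its code; the generator dumps that contiguous range.
rem NOTE: the DDK root used to be stored in a variable called "path"; "set path="
rem overwrites the shell's PATH for the rest of the session, so it is DDK here.
set DDK=F:\WinDDK\7600.16385.1
set obj=obj\amd64\BeaEngine.obj
set Compiler=.\tools\amd64\cl.exe
set linker=.\tools\amd64\link.exe
rem DDK-shipped toolchain, not used by the steps below (kept for switching)
set ddkCompiler=%DDK%\bin\x86\amd64\cl.exe
set ddklinker=%DDK%\bin\x86\amd64\link.exe
set name=shellcode
:re
cls
echo /*********************************************/
echo / shellcode /
echo /*********************************************/
rem keep /Od: with optimization cl may turn the hand-rolled strlen/strcmp loops into CRT calls
%Compiler% .\src\%name%.c /D"_AMD64_" /I"%DDK%\inc\ddk" /I"%DDK%\inc\api" /I"%DDK%\inc\crt" /Fa"Debug\%name%.asm" /Fo"Debug\%name%.obj" /c /wd"4615" /wd"4616" /D"BEA_ENGINE_STATIC" /Od
if errorlevel 1 (
    echo compile failed, not linking
    goto end
)
echo /*********************************************/
echo / compile end /
echo /*********************************************/
rem a space was missing between the second /LIBPATH and /OUT
%linker% .\Debug\%name%.obj %obj% /MERGE:S_CODE=S_DATA /SECTION:S_DATA,RWE /LIBPATH:"%DDK%\lib\win7\amd64" /LIBPATH:"%DDK%\lib\Crt\amd64" /OUT:"Debug\%name%.exe" /SUBSYSTEM:CONSOLE /MACHINE:AMD64 /IGNORE:4078
if errorlevel 1 echo link failed
echo /*********************************************/
echo / build end /
echo /*********************************************/
:end
pause
goto re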
#include "shellcode.h"
#include "wow64.h"
/* 64-bit addresses of the ntdll/kernel32 base slots inside shellcode[]
   (wow64ntdll_64 / wow64kernel32_64 come from the generated shellcode.h). */
__int64 _thunk_w64_data_list[]={
(__int64)wow64ntdll_64,
(__int64)wow64kernel32_64
};
/* 64-bit targets selected by the index passed in eax to _thunk_wow64_to_w64;
   wow64init() puts the shellcode entry in slot 0.
   NOTE(review): the "[...]" subscripts were lost in this paste -- as shown this is a
   scalar, but main() iterates over it with i and the inline asm loads it through an
   operand that is truncated here; presumably an array sized by wow64.h's index_* values. */
__int64 _thunk_w64_func_list={
0
};
/* Byte count of the argument block copied onto the 64-bit stack, per target index;
   8*32 as the default, slot 0 is set to 3*8 by wow64init(). Same subscript loss as above. */
__int64 _thunk_w64_args_list={
8*32
};
/* Landing pad in the 32-bit code segment. _thunk_w64_to_wow64 pushes this address
   together with selector 0x23 and retf's here; by then esp points at the return
   address of the original 32-bit gate call, so a plain ret completes the round trip.
   naked: no prologue/epilogue may be emitted around the single instruction. */
void __declspec(naked) __fastcall _thunk_wow64_dispatch()
{
__asm ret
}
/* Return path of the gate, entered in 64-bit mode when the 64-bit target executes
   ret (its return address was set to this function by _thunk_wow64_to_w64).
   Restores the 32-bit esp saved in ebx, reloads the caller's ebx, drops the save
   slot, then builds a far-return frame (offset _thunk_wow64_dispatch, selector 0x23)
   and retf's back into the 32-bit code segment.
   `inc eax` assembles to 0x40, which the 64-bit decoder treats as a REX prefix on the
   following mov -- the same trick as in _thunk_w64_invoke.
   NOTE(review): the memory operands were lost in this paste (`mov ebx,`,
   `mov dword ptr ,...`); recover them from the original before assembling.
   NOTE(review): the 32-bit wrappers are declared int, so a 64-bit result is
   truncated to eax on the way back. */
void __declspec(naked) __fastcall _thunk_w64_to_wow64()
{
__asm
{
mov esp,ebx                                       /* back to the 32-bit stack (rsp <- zero-extended ebx) */
inc eax                                           /* 0x40: REX prefix in 64-bit mode, not an increment */
mov ebx,                                          /* reload saved ebx (operand lost in paste) */
add esp,8
sub esp,8                                         /* far-return frame: [esp]=offset, [esp+4]=selector */
mov dword ptr ,offset _thunk_wow64_dispatch       /* (operand lost in paste) */
mov dword ptr ,23h                                /* 32-bit code selector (operand lost in paste) */
retf
}
}
/* First code executed in 64-bit mode, reached by the retf in _thunk_wow64_to_w64.
   Every `dec eax` / `dec esp` below is a single byte 0x48 / 0x4C: harmless to the
   32-bit assembler, but REX.W / REX.WR prefixes to the 64-bit decoder. So the cmovae
   instructions load 64-bit rcx, rdx, r8 and r9 (REX.R turns the eax/ecx destinations
   into r8/r9), i.e. the first four x64 register arguments.
   Each cmp tests the byte count pushed by the 32-bit side against 8*1..8*4 so only
   arguments that were actually supplied are loaded; `add esp,8` then pops the count
   and `dec eax; jmp eax` is `jmp rax`, the target taken from _thunk_w64_func_list.
   On entry to the target the stack holds the 64-bit return address followed by the
   copied argument block, which is where the x64 ABI expects the home area and any
   stack arguments -- presumably the intended layout.
   NOTE(review): every memory operand ("[...]") was lost in this paste; the source
   as shown will not assemble. */
void __declspec(naked)__fastcall _thunk_w64_invoke()
{
__asm
{
cmp dword ptr ,8*1                                /* at least one 8-byte argument? (operand lost) */
dec eax                                           /* 0x48 = REX.W */
cmovae ecx,                                       /* -> cmovae rcx, first argument (operand lost) */
cmp dword ptr ,8*2
dec eax
cmovae edx,                                       /* -> cmovae rdx */
cmp dword ptr ,8*3
dec esp                                           /* 0x4C = REX.WR */
cmovae eax,                                       /* -> cmovae r8 */
cmp dword ptr ,8*4
dec esp
cmovae ecx,                                       /* -> cmovae r9 */
add esp,8                                         /* pop the byte count */
dec eax
jmp eax                                           /* -> jmp rax: the 64-bit target */
}
}
/* 32-bit side of the gate (fastcall, naked): eax = index into _thunk_w64_func_list /
   _thunk_w64_args_list, edx = address of the argument block to copy.
   In order: save ebx and remember the 32-bit esp in ebx (restored by
   _thunk_w64_to_wow64); reserve the target's argument-block size on a 16-byte
   aligned stack and rep movsb the block onto it; push a 64-bit return address
   (low dword = _thunk_w64_to_wow64, high dword = 0); push the byte count for
   _thunk_w64_invoke; load the target into eax; push offset/selector 0x33 and retf,
   which starts _thunk_w64_invoke in the 64-bit code segment.
   NOTE(review): the "[...]" operands were lost in this paste (`mov ,ebx`,
   `mov dword ptr ,...`, the index expressions on the two table loads).
   NOTE(review): esi/edi are overwritten by the copy and never restored, although
   they are callee-saved for the 32-bit C callers (wow64init/main); save/restore
   them here or audit every caller. DF is assumed clear (ABI default). */
void __declspec(naked) __fastcall _thunk_wow64_to_w64()
{
__asm
{
sub esp,8
mov ,ebx                                          /* save caller's ebx (operand lost) */
mov ebx,esp                                       /* ebx = 32-bit esp for the return path */
/*alloc stack*/
mov ecx,dword ptr _thunk_w64_args_list            /* byte count for this index (index operand lost) */
sub esp,ecx
and esp,-16                                       /* 16-byte alignment required by the x64 ABI */
/*strmov args*/
mov edi,esp
mov esi,edx
rep movsb                                         /* copy the argument block; clobbers esi/edi/ecx */
/*set return address*/
sub esp,8
mov dword ptr ,offset _thunk_w64_to_wow64         /* low dword of the 64-bit return address (operand lost) */
mov dword ptr ,0                                  /* high dword */
/*log args*/
mov ecx,dword ptr _thunk_w64_args_list
sub esp,8
mov ,ecx                                          /* byte count consumed by _thunk_w64_invoke */
/*set tag func*/
mov eax,dword ptr _thunk_w64_func_list            /* 64-bit target (index operand lost) */
/*jmp tag proc*/
sub esp,8
mov dword ptr ,offset _thunk_w64_invoke
mov dword ptr ,33h                                /* 64-bit code selector */
retf
}
}
/* Bootstrap call through the gate: eax = 0 selects slot 0 of the thunk tables (set to
   the shellcode entry by wow64init), edx = address of this function's own stack
   arguments (pf, pfn, pfmax: three 8-byte values, the 3*8 bytes wow64init registers).
   NOTE(review): the `lea edx,` operand was lost in this paste. */
void __declspec(naked) wow64initEx(__int64 pf,__int64 pfn,__int64 pfmax)
{
__asm
{
lea edx,                                          /* -> argument block (operand lost) */
xor eax,eax                                       /* slot 0 */
call _thunk_wow64_to_w64
ret
}
}
/* One-time bootstrap of the 64-bit side, run from 32-bit code.
   Slot 0 of the thunk tables becomes the shellcode entry with a 3*8-byte argument
   block, then wow64initEx crosses the gate once so the shellcode can fill in the
   ntdll/kernel32 bases and resolve _thunk_w64_pfn_list into _thunk_w64_func_list.
   NOTE(review): shellcode[] is a plain unsigned char array from shellcode.h; it is
   both executed (jumped to through the gate) and written (the shellcode's n_Base and
   k_Base globals live inside it). Nothing here changes page protection, so under DEP
   this faults unless the consumer's data section is linked RWE -- VirtualProtect the
   array to PAGE_EXECUTE_READWRITE before the first call.
   NOTE(review): the "[...]" subscripts on the two table stores were lost in this paste.
   NOTE(review): pf is &_thunk_w64_func_list, so the resolver's first result (pfn
   entry 0) overwrites the bootstrap slot just set to &shellcode; fine if that slot is
   never reused, otherwise check what wow64.h places at index 0. */
void wow64init()
{
_thunk_w64_func_list=(__int64)&shellcode;         /* bootstrap target (subscript lost) */
_thunk_w64_args_list=3*8;                         /* pf, pfn, pfmax */
wow64initEx((__int64)&_thunk_w64_func_list,(__int64)&_thunk_w64_pfn_list,(__int64)index_wow64_max);
}
/* w64bywow64(name): defines a naked 32-bit `int wow64name()` that forwards to the
   64-bit target at table index `indexname` (the index_* constants come from wow64.h),
   passing the address of its own stack arguments in edx. The result is whatever
   _thunk_w64_to_wow64 leaves in eax (low 32 bits of the 64-bit return value).
   NOTE(review): the `lea edx,` operand was lost in this paste.
   Comments must not be placed inside the macro: a `//` on a line ending in `\`
   swallows the next line. */
#define w64bywow64(_s_) \
int __declspec(naked) wow64 ## _s_ ## () \
{ \
__asm lea edx, \
__asm mov eax,index ## _s_ \
__asm call _thunk_wow64_to_w64 \
__asm ret \
}
/* Consumer demo: bootstrap the gate, then print every resolved 64-bit export next to
   its name.
   NOTE(review): inside the loop both printf arguments are passed unsubscripted; the
   "[i]" was almost certainly lost in this paste, and as shown the same pair is printed
   index_wow64_max times. printf/system also need <stdio.h>/<stdlib.h>, presumably
   pulled in by wow64.h. */
int main()
{
int i;
//__asm int 3
wow64init();
//__asm int 3
for (i=0;i<index_wow64_max;i++)
{
printf("0x%llx %s\n",_thunk_w64_func_list,_thunk_w64_pfn_list);   /* subscripts lost, see note above */
}
printf("done\n");
system("pause");
return 0;
}
beaengine.obj source
https://github.com/BeaEngine/beaengine
居然有obj 0xAA55 发表于 2017-3-21 21:48
居然有obj
经典反汇编引擎! Ayala 发表于 2017-3-21 23:36
经典反汇编引擎!
嗯我知道这玩意儿。 ;P;P;P;P;P;P;P ;P;P;P;P;P;P;P