ansi c x64 shellcode template

发表于 2016-8-9 19:03:15 | 显示全部楼层 |阅读模式

ansi c语言 x64的shellcode 模板 未详细测试
/* Fixed-width aliases for the PE structures below, spelled with the MSVC
   __intN types so no system header is needed.
   NOTE(review): LONG is defined as an unsigned 32-bit type here, whereas the
   Windows SDK's LONG is signed. In the visible code LONG is used only for
   e_lfanew, which is non-negative in a well-formed image, so the difference
   is harmless there. These #ifndef guards only suppress the definition when
   the same name was already defined as a macro. */
#ifndef BYTE
#define BYTE unsigned __int8
#endif
#ifndef WORD
#define WORD unsigned __int16
#endif
#ifndef LONG
#define LONG unsigned __int32
#endif
#ifndef DWORD
#define DWORD unsigned __int32
#endif
#ifndef ULONGLONG
#define ULONGLONG unsigned __int64
#endif
#ifndef IMAGE_NUMBEROF_DIRECTORY_ENTRIES
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES    16

#define IMAGE_DIRECTORY_ENTRY_EXPORT          0   // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT          1   // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE        2   // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION       3   // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY        4   // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC       5   // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG           6   // Debug Directory
//      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       7   // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE    7   // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR       8   // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS             9   // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    10   // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   11   // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT            12   // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   13   // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14   // COM Runtime descriptor

#endif
#ifndef _IMAGE_DOS_HEADER
/* Legacy DOS stub header at the start of every PE image. GetProcAddress in
   this file reads only e_magic (the "MZ" check) and e_lfanew (offset of the
   NT headers); the remaining fields are kept so the layout stays correct.
   NOTE(review): the guard above tests a macro name, but _IMAGE_DOS_HEADER is
   a struct tag; if a system header that declares the same struct is ever
   included, this block is not suppressed and the definitions clash. */
typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD   e_magic;                     // Magic number
    WORD   e_cblp;                      // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;                   // Size of header in paragraphs
    WORD   e_minalloc;                  // Minimum extra paragraphs needed
    WORD   e_maxalloc;                  // Maximum extra paragraphs needed
    WORD   e_ss;                        // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;                        // Initial (relative) CS value
    WORD   e_lfarlc;                    // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;                   // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;                    // File address of new exe header (used by GetProcAddress)
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
#endif

#ifndef IMAGE_FILE_HEADER
/* COFF file header that follows the "PE\0\0" signature. Nothing in this file
   reads its fields; it is present only so IMAGE_NT_HEADERS64 has the right
   size and OptionalHeader lands at the correct offset.
   NOTE(review): the #ifndef tests a macro name, not the typedef, so it does
   not prevent a clash with a system header that declares the same type. */
typedef struct _IMAGE_FILE_HEADER {
    WORD    Machine;
    WORD    NumberOfSections;
    DWORD   TimeDateStamp;
    DWORD   PointerToSymbolTable;
    DWORD   NumberOfSymbols;
    WORD    SizeOfOptionalHeader;
    WORD    Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
#endif
#ifndef IMAGE_DATA_DIRECTORY
/* One entry of the optional header's DataDirectory table: an RVA plus a size.
   GetProcAddress uses entry IMAGE_DIRECTORY_ENTRY_EXPORT's VirtualAddress and
   never looks at Size. (Guard tests a macro name, not the typedef.) */
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD   VirtualAddress;
    DWORD   Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
#endif
#ifndef IMAGE_OPTIONAL_HEADER64

/* PE32+ (64-bit) optional header. GetProcAddress checks Magic (expects 0x20B)
   and then indexes DataDirectory; all other fields are layout filler here.
   NOTE(review): NumberOfRvaAndSizes is not consulted before indexing
   DataDirectory, and the #ifndef tests a macro name rather than the typedef,
   so it will not suppress a duplicate from a system header. */
typedef struct _IMAGE_OPTIONAL_HEADER64 {
    WORD        Magic;                  // 0x20B for PE32+ (checked by GetProcAddress)
    BYTE        MajorLinkerVersion;
    BYTE        MinorLinkerVersion;
    DWORD       SizeOfCode;
    DWORD       SizeOfInitializedData;
    DWORD       SizeOfUninitializedData;
    DWORD       AddressOfEntryPoint;
    DWORD       BaseOfCode;
    ULONGLONG   ImageBase;
    DWORD       SectionAlignment;
    DWORD       FileAlignment;
    WORD        MajorOperatingSystemVersion;
    WORD        MinorOperatingSystemVersion;
    WORD        MajorImageVersion;
    WORD        MinorImageVersion;
    WORD        MajorSubsystemVersion;
    WORD        MinorSubsystemVersion;
    DWORD       Win32VersionValue;
    DWORD       SizeOfImage;
    DWORD       SizeOfHeaders;
    DWORD       CheckSum;
    WORD        Subsystem;
    WORD        DllCharacteristics;
    ULONGLONG   SizeOfStackReserve;
    ULONGLONG   SizeOfStackCommit;
    ULONGLONG   SizeOfHeapReserve;
    ULONGLONG   SizeOfHeapCommit;
    DWORD       LoaderFlags;
    DWORD       NumberOfRvaAndSizes;    // how many DataDirectory slots are valid (not checked in this file)
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;

#endif

#ifndef IMAGE_NT_HEADERS64
/* NT headers located at base + e_lfanew. GetProcAddress checks Signature
   (expects "PE\0\0" read as a little-endian DWORD) and then uses
   OptionalHeader. (Guard tests a macro name, not the typedef.) */
typedef struct _IMAGE_NT_HEADERS64 {
    DWORD Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
#endif
#ifndef IMAGE_EXPORT_DIRECTORY

/* Export directory of a mapped image. GetProcAddress walks NumberOfNames
   entries of the AddressOfNames table, maps a hit through
   AddressOfNameOrdinals and reads the function RVA from AddressOfFunctions.
   NOTE(review): NumberOfFunctions is never used to bound the ordinal index.
   The #ifndef tests a macro name, not the typedef, so it does not guard
   against a duplicate from a system header. */
typedef struct _IMAGE_EXPORT_DIRECTORY {
    DWORD   Characteristics;
    DWORD   TimeDateStamp;
    WORD    MajorVersion;
    WORD    MinorVersion;
    DWORD   Name;
    DWORD   Base;
    DWORD   NumberOfFunctions;
    DWORD   NumberOfNames;
    DWORD   AddressOfFunctions;     // RVA from base of image
    DWORD   AddressOfNames;         // RVA from base of image
    DWORD   AddressOfNameOrdinals;  // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
#endif


#ifndef UNICODE_STRING
/* Minimal stand-in for the native counted wide-string structure: u is the
   byte length without the terminator, m the buffer size in bytes, B the
   UTF-16 buffer (that is how s_ldrLoadDll fills it). r is an explicit pad so
   that B lands on an 8-byte boundary; presumably this mirrors the native
   Length / MaximumLength / Buffer layout -- confirm against the SDK.
   NOTE(review): the #ifndef tests a macro name; if a system header provides
   UNICODE_STRING as a typedef rather than a macro, this block is not
   suppressed and the two definitions clash. */
typedef struct
{
  __int16 u;     // length in bytes, excluding the terminating NUL
  __int16 m;     // buffer size in bytes
  __int32 r;//align 8
  __int16* B;    // pointer to the UTF-16 characters
}UNICODE_STRING;
#endif

/***********************************************************************/
/* shell code start */
/* linker command must append /MERGE:S_CODE=S_DATA /SECTION:S_DATA,RWE */
/***********************************************************************/

int shell_start();
int s_ldrLoadDll();
void GetRing3Base();
int strlen(char *);
int strcmp(char *,char *);

__int64 GetProcAddress(__int64 base,char* FuncName);

#pragma alloc_text(S_CODE,shell_start)
#pragma alloc_text(S_CODE,s_ldrLoadDll)
#pragma alloc_text(S_CODE,GetRing3Base)
#pragma alloc_text(S_CODE,GetProcAddress)
#pragma alloc_text(S_CODE,strlen)
#pragma alloc_text(S_CODE,strcmp)


/*shellcode Global DATA*/
#define SHELLCODE_SEG "S_DATA"

#pragma data_seg(SHELLCODE_SEG)
/* Globals placed in the shellcode's own data section (S_DATA), presumably so
   the blob carries its state and strings with it rather than referencing the
   host's .data.
   NOTE(review): the function-pointer typedef below lists four bare
   identifiers (PathToFile, Flags, ModuleFileName, ModuleHandle) as its
   parameters. Unless those are typedef names elsewhere, this is not a valid
   prototype in standard C (an identifier list is only allowed in a function
   definition) and relies on compiler leniency; giving the parameters real
   types would let the compiler check the call made in s_ldrLoadDll. */
typedef int (*_imp__LdrLoadDll)(PathToFile,Flags,ModuleFileName,ModuleHandle);
_imp__LdrLoadDll pLdrLoadDll=0;    // resolved by shell_start via GetProcAddress; 0 until then
__int64         k_Base=0;          // kernel32 image base, written by GetRing3Base
__int64         n_Base=0;          // ntdll image base, written by GetRing3Base

char   sLdrLoadDll[]="LdrLoadDll"; // export name looked up by shell_start

__int16  sUser32[]=L"user32.dll";  // UTF-16 DLL name wrapped by s_ldrLoadDll; assumes a 16-bit wchar_t (MSVC)

#pragma data_seg()

/*shlleocde entry*/
/* Shellcode entry: resolves LdrLoadDll by name from the ntdll base cached in
   n_Base, then hands over to s_ldrLoadDll and returns its status.
   NOTE(review): n_Base starts at 0 and is only written by GetRing3Base(),
   which this function does not call. If shell_start runs before
   GetRing3Base, GetProcAddress dereferences base 0 and faults. */
int shell_start()
{
  pLdrLoadDll=(_imp__LdrLoadDll)GetProcAddress(n_Base,(char*)&sLdrLoadDll);
  
  return s_ldrLoadDll();//Used by GetThreadExitCode
}

/*get kernel32 and ntdll base*/
/*get kernel32 and ntdll base*/
/* Fills the globals n_Base (ntdll) and k_Base (kernel32) by following a
   fixed chain of pointer offsets that starts at the GS-relative qword at
   0x30. The 0x60 / 0x18 / 0x30 / 0x10 offsets are hard-coded for one x64
   Windows layout (presumably the per-thread block -> process block ->
   loader module list; confirm against the target OS's structures) and are
   not validated, so on a different layout the reads return garbage or fault.
   Which module sits at each list position is assumed, never checked by name. */
void GetRing3Base()
{
 __int64 p; 
   p=*(__int64*)(*(__int64*)(*(__int64 *)(__readgsqword(0x30)+0x60)+0x18)+0x30); // first list node reached through the hard-coded chain
   n_Base=*(__int64*)(p+0x10);                                                  // qword at +0x10 of that node is taken as the ntdll base
   k_Base=*(__int64*)(*(__int64*)(*(__int64*)p)+0x10);                          // first qword links to the next node; two hops on, same field -> kernel32 base
}

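/* Byte length of a NUL-terminated string, excluding the terminator.
   Self-contained on purpose: the blob cannot import the CRT's strlen.
   Fix: the previous loop post-incremented past the terminator and returned
   len + 1, which contradicts the name this function shadows. strcmp below
   only needs both strings measured the same way, so it keeps working. */
int strlen(char* s)
{
  int n=0;
  while (s[n])
  {
    n++;
  }
  return n;
}

/* Equality test for two NUL-terminated strings: returns 0 when they are
   identical and a non-zero value otherwise. Unlike the CRT's strcmp it does
   not report ordering; the only caller in this file tests for == 0.
   Fix: t was read before being assigned (`t|=-1` on an uninitialised int is
   undefined behaviour); it is now set explicitly on the length-mismatch path.
   Comparing lengths first guarantees the loop never reads past either
   terminator. */
int strcmp(char* s1,char* s2)
{
  int t;
  int ta;
  int tb;
  ta=strlen(s1);
  tb=strlen(s2);
  if (ta!=tb)
  {
    return -1;   // different lengths can never be equal
  }
  /* walk from the last byte down to index 0, stopping at the first mismatch */
  for (t=ta-1;t>=0 && s1[t]==s2[t];--t)
  {
  }
  /* t is -1 when every byte matched, otherwise the index of the mismatch */
  return t+1;
}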

/* */
__int64 GetProcAddress(__int64 base,char* FuncName)
{
  __int64 addr=0;
  __int32* AddressOfNames;
  __int32* AddressOfFunctions;
  __int16* AddressOfNameOrdinals;
  int i,n,t;
  char* Dst;
  char* Src;
  
  IMAGE_DOS_HEADER*         DOS_HEADER;
  IMAGE_NT_HEADERS64*       NT_HEADER;
  IMAGE_OPTIONAL_HEADER64*  OptionalHeader;
  IMAGE_EXPORT_DIRECTORY*   Export;
  
  DOS_HEADER=(IMAGE_DOS_HEADER*)(__int64)base;
  if (DOS_HEADER->e_magic!='ZM') goto done;
  
  NT_HEADER = (IMAGE_NT_HEADERS64*)((__int64)DOS_HEADER +(__int64)DOS_HEADER->e_lfanew);
  
  if (NT_HEADER->Signature!='EP') goto done;
  
  OptionalHeader=&NT_HEADER->OptionalHeader;
  
  if (OptionalHeader->Magic!=0x20B) goto done;//pe 64
  
  Export = (IMAGE_EXPORT_DIRECTORY*)(\
            (__int64)DOS_HEADER + \
            (__int64)(OptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)\
            );
  t=Export->NumberOfNames;
  AddressOfNameOrdinals =(__int16*)((__int64)DOS_HEADER + (__int64)Export->AddressOfNameOrdinals);
  AddressOfNames        =(__int32*)((__int64)DOS_HEADER + (__int64)Export->AddressOfNames);
  AddressOfFunctions    =(__int32*)((__int64)DOS_HEADER + (__int64)Export->AddressOfFunctions);
  Src=FuncName;
  for (i=0;i<t;i++)
  {
    Dst=(char*)((__int64)DOS_HEADER + AddressOfNames[i]);
    if (Dst[0]==Src[0]&& strcmp(Src,Dst)==0)
    {
      n=AddressOfNameOrdinals[i];
      addr=(__int64)DOS_HEADER+AddressOfFunctions[n];
      goto done;
    }
  }
done:
  return addr;
}

/*main proc*/
/*main proc*/
/* Loads user32.dll through the LdrLoadDll pointer resolved by shell_start.
   Builds a UNICODE_STRING over the sUser32 wide literal (u = byte length
   without the terminator, m = whole buffer size, B = the buffer), passes
   0 for the first two arguments of the typedef (PathToFile, Flags), and
   returns whatever the callee returns; the module handle is written to hMod
   and otherwise ignored.
   NOTE(review): sMod.r (the alignment pad) is left uninitialised, and
   pLdrLoadDll is 0 until shell_start has run, so calling this earlier jumps
   to address 0. */
int s_ldrLoadDll()
{
  __int64* hMod;                               // receives the module handle; value unused
  UNICODE_STRING sMod;
  sMod.u=sizeof(sUser32)-sizeof(__int16);      // bytes, excluding the terminating NUL
  sMod.m=sizeof(sUser32);                      // bytes, including the terminating NUL
  sMod.B=(__int16*)&sUser32;
  
  return (*pLdrLoadDll)(0,0,&sMod,&hMod);
}

#pragma data_seg(SHELLCODE_SEG)
/* End marker placed in the shellcode data segment so the harness can compute
   the blob size as the distance from shell_start to &shell_end. This is only
   meaningful if the linker lays S_CODE (merged into S_DATA) out before this
   variable and keeps the run contiguous -- presumably what the /MERGE and
   /SECTION flags arrange; not verified here. */
int         shell_end=0; //end sign
#pragma data_seg()

/* shell code End */



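/* Test harness entry point (not part of the shellcode bytes): fills the
   module bases, prints them together with the blob size and the resolved
   LdrLoadDll address, then waits for a keypress.
   Fixes: the function now has an explicit return type and returns 0 (implicit
   int is invalid since C99), and the size is computed on char pointers --
   the old `&shell_end-(int*)shell_start` was a difference of int pointers,
   so it reported the length in units of sizeof(int), not bytes. The %I64X
   conversions are MSVC-specific, matching the compiler this file targets. */
int mainCRTStartup(void)
{
  GetRing3Base();
  printf("kernel32 base 0x%0I64X\n ntdll base 0x%0I64X\n",k_Base,n_Base);
  /* byte distance from the start of the blob to its end marker */
  printf("shellcode length = %d\n",(int)((char*)&shell_end-(char*)shell_start));
  
  printf("LdrLoadDll addr = 0x%0I64X\n",GetProcAddress(n_Base,"LdrLoadDll"));
  
  
  system("pause");
  return 0;
}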



@echo off
rem Build loop for the shellcode template: compile hello_world.c with cl.exe
rem (/c = compile only, /Fa also emits an assembly listing, /MD = dynamic CRT),
rem then link it with the two flags the C source says the linker must get:
rem /MERGE:S_CODE=S_DATA folds the code section into the data section and
rem /SECTION:S_DATA,RWE marks that section readable, writable and executable.
rem A writable+executable section is unusual for compiler-produced binaries,
rem which is why analysis tooling commonly singles such images out.
rem After each build the script pauses and, on any keypress, rebuilds.
:re
cls
echo /*********************************************/
echo /                                             /
echo /*********************************************/
.\tools\AMD64\cl.exe .\src\hello_world.c /Fa"Debug\hello_world.asm" /Fo"Debug\hello_world.obj" /c /MD

echo /*********************************************/
echo /                                             /
echo /*********************************************/


.\tools\AMD64\link.exe .\Debug\hello_world.obj /MERGE:S_CODE=S_DATA /SECTION:S_DATA,RWE /LIBPATH:".\lib\win7\amd64" /LIBPATH:".\lib\Crt\amd64"  /OUT:"Debug\hello_world_amd64_win7.exe" /NOLOGO /SUBSYSTEM:CONSOLE /MACHINE:AMD64 "kernel32.lib"
echo /*********************************************/
echo /                                             /
echo /*********************************************/


pause
goto re
rem The line below is never reached (it follows an unconditional goto) and
rem ";" is not a comment marker in cmd; use "rem" if it is meant as a note.
;/driver /base:0x10000 /align:32 /subsystem:native

一只技术宅

UID
1
精华
197
威望
261 点
宅币
16463 个
贡献
32446 次
宅之契约
0 份
在线时间
1565 小时
注册时间
2014-1-26
发表于 2016-12-6 15:32:47 来自手机 | 显示全部楼层
前面那些定义,其实可以直接用windows.h的
