加载shellcode到32位Windows程序远程进程中




// Copies the image held in lpBuf into the address space of hProcess, builds a
// memloadparam that describes it together with kernel32 function pointers
// resolved in the *calling* process, copies that block and g_ThreadShellCode32
// into the target as well, then starts a remote thread at the shellcode with the
// block as its argument and blocks until that thread exits.
//
// Parameters:
//   hProcess - handle to the target process; it must carry enough access for
//              VirtualAllocEx, WriteProcessMemory and CreateRemoteThread.
//   lpBuf    - bytes to copy into the target (the image the shellcode loads).
//   cbBuf    - length of lpBuf in bytes. Declared int but handed to SIZE_T
//              parameters; a negative value is not rejected here.
//
// Returns TRUE only after the remote thread has run to completion, FALSE when
// any allocation in or write to the target fails.
//
// NOTE(review): the kernel32 addresses stored in param are resolved here, not in
// the target; that only works when kernel32 is mapped at the same base in both
// processes (same bitness, as the page title implies), which the code does not
// verify.
//
// NOTE(review): resource handling is incomplete. `param` is only deleted on the
// success path, so every `goto cleanup0` after its allocation leaks it; the
// three VirtualAllocEx regions are never released with VirtualFreeEx on either
// path; hThread is neither checked for NULL nor closed. In C++ the gotos also
// jump over the initialisation of param, m_lpParam, m_lpShell and hThread, which
// a conforming compiler rejects (MSVC reports C2362).
//
// From the defender's side, the sequence VirtualAllocEx(PAGE_EXECUTE_READWRITE)
// -> WriteProcessMemory -> CreateRemoteThread is the textbook remote-injection
// pattern that host-based monitoring and EDR telemetry record and alert on.
BOOL WINAPI LoadDll(HANDLE hProcess,LPVOID lpBuf,int cbBuf)
{

BOOL br = FALSE;

// Remote buffer for the caller's image. RWX is requested for this data buffer
// even though nothing visible here executes from it.
LPVOID m_lpData  = VirtualAllocEx(hProcess, NULL,cbBuf,MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (m_lpData==NULL)
{
	goto cleanup0;
}
// Bytes-written pointer is NULL, so a partial write is indistinguishable from
// a complete one beyond the BOOL result.
if(!WriteProcessMemory(hProcess,m_lpData,lpBuf,cbBuf,NULL))
{
	goto cleanup0;
}

// Local heap copy of the parameter block; its contents are written into the
// target below. Not freed on any of the failure paths that follow.
pmemloadparam param = new memloadparam;
param->data = m_lpData;	
param->len = cbBuf;
param->userdata = 0;
// Each entry re-queries kernel32 and casts to a project-declared pfn_* type;
// none of the GetProcAddress results is checked for NULL.
param->fnLoadLibrary = (pfn_LoadLibraryA)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"LoadLibraryA");
param->fnGetProcAddress = (pfn_GetProcAddress)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"GetProcAddress");
param->fnFreeLibrary = (pfn_FreeLibrary)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"FreeLibrary");
param->fnSetLastError = (pfn_SetLastError)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"SetLastError");
param->fnVirtualAlloc = (pfn_VirtualAlloc)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"VirtualAlloc");
param->fnGetProcessHeap = (pfn_GetProcessHeap)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"GetProcessHeap");
param->fnHeapAlloc = (pfn_HeapAlloc)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"HeapAlloc");
param->fnVirtualFree = (pfn_VirtualFree)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"VirtualFree");
param->fnIsBadReadPtr = (pfn_IsBadReadPtr)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"IsBadReadPtr");
param->fnVirtualProtect = (pfn_VirtualProtect)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"VirtualProtect");
param->fnHeapFree = (pfn_HeapFree)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"HeapFree");
param->fnGetNativeSystemInfo = (pfn_GetNativeSystemInfo)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"GetNativeSystemInfo");
param->fnGetCurrentProcess = (pfn_GetCurrentProcess)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"GetCurrentProcess");
param->fnWriteProcessMemory = (pfn_WriteProcessMemory)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"WriteProcessMemory");
param->fnHeapReAlloc = (pfn_HeapReAlloc)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"HeapReAlloc");
param->fnWaitForSingleObject = (pfn_WaitForSingleObject)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"WaitForSingleObject");
param->fnOpenEventA = (pfn_OpenEventA)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"OpenEventA");
param->fnCloseHandle = (pfn_CloseHandle)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"CloseHandle");
param->fnCreateEventA = (pfn_CreateEventA)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"CreateEventA");

// Remote copy of the parameter block. sizeof(memloadparam) is the caller's
// layout, so the target must share it (a 32-bit build, per the title).
LPVOID m_lpParam  = VirtualAllocEx(hProcess, NULL,sizeof(memloadparam),MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (m_lpParam==NULL)
{
	goto cleanup0;
}
if(!WriteProcessMemory(hProcess,m_lpParam,param,sizeof(memloadparam),NULL))
{
	goto cleanup0;
}

// Remote copy of the thread shellcode; this is the region actually executed.
// g_ThreadShellCode32 / g_ThreadShellCode32_Len are defined outside this page.
LPVOID m_lpShell  = VirtualAllocEx(hProcess, NULL,g_ThreadShellCode32_Len,MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (m_lpShell==NULL)
{
	goto cleanup0;
}
if(!WriteProcessMemory(hProcess,m_lpShell,g_ThreadShellCode32,g_ThreadShellCode32_Len,NULL))
{
	goto cleanup0;
}
// No NULL check on hThread before the wait, and the handle is never closed.
// INFINITE blocks the caller until the remote thread exits.
HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)m_lpShell,m_lpParam,0,NULL);
WaitForSingleObject(hThread,INFINITE);
// Only reached on the success path; the failure gotos above skip this.
delete param;
br = TRUE;

// Nothing is released here: the remote regions, param (on failure) and
// hThread all outlive the call. See the header note.
cleanup0:

return br;

}

BOOL _LoadMemDll(LPVOID lpBuf,int cbBuf)
{
LoadDll(GetCurrentProcess(),lpBuf,cbBuf);
