
x64 ShellCode 弹出计算器



Main.cpp

// Entry points implemented in Code.asm (shown further down this page).
// extern "C" keeps the symbol names unmangled so the linker can match the
// MASM `proc` labels of the same names.
extern "C" void PopCalculator();

extern "C" void _INT3();

// Test harness for the payload in Code.asm.
// Raises a software breakpoint first (so an attached debugger stops before
// the payload body runs), then calls the payload. On this page PopCalculator
// ends by calling ExitThread, so `return 0` is not expected to be reached.
int main()
{
    _INT3();          // `int 3` in Code.asm
    PopCalculator();  // does not normally return (ends in ExitThread)
    return 0;
}

 

Code.asm

; MASM prototypes for the two procedures defined below; the C++ side
; declares the same two names with extern "C".
PopCalculator proto
_INT3 proto

; Hash:
;
; WinExec : 0x1A22F51
; LoadLibrary : 0x0C917432
; MessageBoxA : 0x1E380A6A
; GetProcAddress : 0xBBAFDF85

.code

_INT3 proc
;-----------------------------------------------------------------------
; void _INT3(void)
; Raises a software breakpoint (#BP) and returns. Only useful with a
; debugger attached; without one the breakpoint surfaces as an exception.
; Clobb: none
;-----------------------------------------------------------------------
    int 3
    ret
_INT3 endp

PopCalculator proc
;-----------------------------------------------------------------------
; void PopCalculator(void)
; ABI:     Microsoft x64 (called from Main.cpp)
; Purpose: position-independent demo payload. Walks the PEB loader list
;          to locate kernel32, resolves APIs by hashing export names
;          (FindApi below), loads user32.dll, shows an empty MessageBoxA,
;          runs "calc.exe" via WinExec, then calls ExitThread(0).
; In:      none
; Out:     does not normally return; the final call is ExitThread, so the
;          trailing ret is only reached if that call returns.
; Clobb:   rax, rbx, rcx, rdx, rsi, rdi, r8, r9, r14, flags.
;          rbx, rsi, rdi and r14 are callee-saved under the Microsoft x64
;          ABI and are NOT preserved here; the caller only gets away with
;          it because the thread exits before returning.
; Detection note: the PEB->Ldr walk, the ROR-7/ADD export-name hashing and
;          the ASCII strings assembled on the stack from immediates are the
;          classic markers that static and behavioural detections for this
;          style of payload key on.
;-----------------------------------------------------------------------
    sub rsp, 100h           ; scratch frame; every adjustment below is
                            ; undone by the single add rsp, 188h

    ;
    ;   Locate the kernel32 base address
    ;

    mov rax, gs:[60h]       ; PEB
    mov rax, [rax+18h]      ; Ldr
    mov rax, [rax+30h]      ; InInitializationOrderModuleList

_kernel32:
    mov rsi, [rax+10h]      ; DllBase
    mov rbx, [rax+40h]      ; BaseDllName.Buffer (UTF-16)
    mov rax, [rax]          ; advance to next list entry
    cmp dword ptr [rbx+0Ch], 00320033h  ; UTF-16 '3','2' at chars 6..7
                                        ; of the name ("KERNEL32.DLL");
                                        ; any "xxxxxx32..." module would
                                        ; match, so this relies on kernel32
                                        ; being the first such entry
    jnz _kernel32           ; rsi = kernel32 base on exit

    ;
    ;   Call LoadLibrary
    ;

    mov rcx, rsi            ; kernel32 base
    mov rdx, 0C917432h      ; hash of "LoadLibrary" (see header)
    call FindApi
    mov r14, rax            ; r14 = LoadLibrary

    mov rbx, 6C6Ch          ; "ll\0..."   (little-endian immediates build
    push rbx                ; the string "user32.dll\0" on the stack)
    mov rbx, 642E323372657375h  ; "user32.d"
    push rbx
    mov rcx, rsp            ; lpLibFileName = "user32.dll"
    sub rsp, 18h            ; reserve space for the callee's argument area
    call r14
    mov rbx, rax            ; rbx = user32 base (HMODULE)

    ;
    ;   Call MessageBoxA
    ;

    mov rcx, rbx            ; user32 base
    mov rdx, 1E380A6Ah      ; hash of "MessageBoxA"
    call FindApi            ; NOTE: FindApi also writes rbx (= rcx here),
                            ; which happens to leave it unchanged
    mov r14, rax            ; r14 = MessageBoxA

    xor r9, r9              ; all four arguments zero
    xor r8, r8
    xor rdx, rdx
    xor rcx, rcx
    call r14                ; rsp unchanged from the previous call site

    ;
    ;   Call WinExec
    ;

    mov rcx, rsi            ; kernel32 base
    mov rdx, 1A22F51h       ; hash of "WinExec"
    call FindApi
    mov r14, rax            ; r14 = WinExec

    xor rax, rax            ; terminating zero qword
    push rax
    mov rax, 6578652e636c6163h  ; "calc.exe"
    push rax
    mov rcx, rsp            ; lpCmdLine = "calc.exe"
    sub rsp, 20h            ; reserve space for the callee's argument area
    mov rdx, 1              ; uCmdShow = 1 (SW_SHOWNORMAL)
    call r14

    ;
    ;   Call ExitThread
    ;   NOTE(review): the hash below (3148865413 = 0BBAFDF85h) is the
    ;   GetProcAddress hash from the header, not an ExitThread hash;
    ;   ExitThread is then looked up by name through GetProcAddress.
    ;

    mov rcx, rsi            ; kernel32 base
    mov rdx, 3148865413     ; hash of "GetProcAddress"
    call FindApi
    mov r14, rax            ; r14 = GetProcAddress

    mov rax, 006461h        ; "ad\0"      (builds "ExitThread\0")
    push rax
    mov rax, 6572685474697845h  ; "ExitThre"
    push rax
    mov rcx, rsi            ; hModule = kernel32
    mov rdx, rsp            ; lpProcName = "ExitThread"
    sub rsp, 20h            ; reserve space for the callee's argument area
    call r14                ; GetProcAddress
    mov r14, rax            ; r14 = ExitThread

    add rsp, 188h           ; 100h + 10h + 18h + 10h + 20h + 10h + 20h:
                            ; discards the frame and every pushed string

    sub rsp, 18h            ; reserve space for the callee's argument area
    xor rcx, rcx            ; dwExitCode = 0
    call r14                ; ExitThread

    ret                     ; only reached if ExitThread returns

FindApi:
;-----------------------------------------------------------------------
; Resolve an export by a hash of its name (no GetProcAddress needed).
; Entered by `call` from within this proc; it is a label, not a MASM proc,
; so it shares PopCalculator's frame conventions.
;
;   rcx - DLL base address
;   rdx - hash of the function name, computed as
;         h = ror32(h, 7) + (signed char)c  over each byte of the name
;
; Out:   rax = VA of the first export in AddressOfNames whose name hashes
;              to rdx
; Clobb: rax, rbx, rcx, rdx, rdi, flags; rsi is saved and restored.
; Note:  there is no "not found" exit: if no name matches, find_loop keeps
;        reading past the end of the name table.
;-----------------------------------------------------------------------
    sub rsp, 40h                ; 40h bytes reserved but never referenced
    push rsi                    ; preserve caller's rsi (kernel32 base)
    mov rdi, rdx                ; rdi = target hash

    mov rbx, rcx                ; rbx = module base
    mov rsi, [rbx+3Ch]          ; e_lfanew (8-byte load; only low bits used)
    mov rax, rsi
    shl rax, 54                 ; keep the low 10 bits of e_lfanew, i.e.
    shr rax, 54                 ; assumes the NT header lies within 1024
                                ; bytes of the base
    mov rsi, [rbx+rax+88h]      ; rsi = Export Table RVA (PE32+ data
                                ; directory 0; 8-byte load picks up Size too)
    shl rsi, 32                 ; keep the low 32 bits (the RVA)
    shr rsi, 32
    add rsi, rbx                ; rsi = the base of Export Table
    push rsi                    ; saved for the ordinal/address lookup
    mov esi, [rsi+20h]          ; esi = RVA of AddressOfNames
    add rsi, rbx                ; rsi = VA  of AddressOfNames

    xor rcx, rcx
    dec ecx                     ; ecx = -1 so the first inc yields index 0
find_loop:
    inc ecx                     ; ecx = index of array
    lods dword ptr [rsi]        ; eax = name RVA; rsi += 4
    add rax, rbx                ; rax = the base of a function string
    xor edx, edx                ; edx = running hash

hash_loop:
    cmp byte ptr [rax], 0       ; end of name?
    je isEqual
    ror edx, 7
    push rcx                    ; keep the name index across the byte load
    movsx ecx, byte ptr [rax]   ; sign-extended char (bytes >= 80h go
                                ; negative)
    add edx, ecx                ; edx = one of function's hashes
    pop rcx
    inc rax
    jmp hash_loop

isEqual:
    cmp edx, edi                ; hash of this name == target?
    jnz find_loop

    pop rsi                     ; rsi = the base of Export Table
    mov edx, [rsi+24h]          ; edx = RVA of AddressOfNameOrdinals
    add rdx, rbx                ; rdx = VA  of AddressOfNameOrdinals
    movsx ecx, word ptr [rdx+rcx*2]    ; ecx = the index of AddressOfFunctions
                                       ; (sign-extended: ordinals >= 8000h
                                       ; would be mis-indexed)
    mov edx, [rsi+1Ch]          ; edx = RVA of AddressOfFunctions
    add rdx, rbx                ; rdx = VA  of AddressOfFunctions
    mov eax, [rdx+rcx*4]        ; eax = the RVA of base of function
    add rax, rbx                ; rax = the VA  of base of function

    pop rsi                     ; restore caller's rsi
    add rsp, 40h
    ret

PopCalculator endp

end

 

来源: https://www.cnblogs.com/SuperGreen/p/16297129.html
