zklhp 2012-11-23 21:31

#include <windows.h>
#include <string.h>
/* Scratch stack used by the LOCK_DATA/UNLOCK_DATA macros in
 * load_kernel32_base(); idx is the stack top (zero-initialised as a global).
 * load_GetProcAddress() declares a local `idx` that shadows this one. */
int p_data[10];
int idx;
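int load_kernel32_base(void)
{
    /*
     * Return the load address of kernel32.dll without importing anything:
     * fs:[0x30] -> PEB, PEB.Ldr -> PEB_LDR_DATA, then walk the
     * InInitializationOrderModuleList until an entry whose base name is
     * exactly UNKNOWN_C (12) wide characters long is found ("kernel32.dll"
     * is the first such name in that list on the 32-bit systems this targets).
     * Returns 0 when the list is exhausted without a match.
     *
     * Fix relative to the previous version: it used the real PEB's first dword
     * and PEB_LDR_DATA's first dword as scratch space (only the first was
     * restored; the UNLOCK for module_list was commented out), so the walk
     * corrupted live process state.  Everything is kept in locals now and the
     * walk stops when it returns to the list head, instead of reading the head
     * as if it were a module entry.
     *
     * The fs:[0x30] / Ldr / export-table walk is the classic position-
     * independent import resolver and exactly the pattern memory scanners and
     * EDR heuristics key on, which is worth recognising when reading samples.
     */
    /* 0x30 is accepted by both C and MSVC inline asm; "30h" was MASM-only and
     * only happened to work because it was used solely inside __asm. */
#define PEB_OFFSET 0x30
#define LDR_OFFSET 0x0c            /* PEB.Ldr */
#define MODULELIST_OFFSET 0x1c     /* PEB_LDR_DATA.InInitializationOrderModuleList */
    /* The list links sit at entry+0x10 in the 32-bit _LDR_DATA_TABLE_ENTRY, so
     * link+0x08 == entry+0x18 (DllBase) and link+0x20 == entry+0x30
     * (BaseDllName.Buffer).  Confirm with `dt ntdll!_LDR_DATA_TABLE_ENTRY`. */
#define UNKNOWN_A 0x08
#define UNKNOWN_B 0x20
#define UNKNOWN_C 12               /* wide-char index tested for the terminator */
    /* Kept for source compatibility; this version needs no scratch stack. */
#define LOCK_DATA(__data) \
    p_data[idx++] = (__data)
#define UNLOCK_DATA(__data) \
    (__data) = p_data[--idx]
    int peb = 0;
    int ldr, head, link;
    int base, name;

    __asm mov eax, fs:[PEB_OFFSET]
    __asm mov dword ptr [peb], eax
    if (peb == 0) {
        return 0;
    }
    ldr = *(int *)(peb + LDR_OFFSET);
    if (ldr == 0) {
        return 0;
    }
    head = ldr + MODULELIST_OFFSET;   /* the LIST_ENTRY head itself, never a module */
    link = *(int *)head;              /* Flink: first module entry */
    /* LIST_ENTRY lists are circular, so getting back to head means no match. */
    while (link != head && link != 0) {
        base = *(int *)(link + UNKNOWN_A);
        name = *(int *)(link + UNKNOWN_B);
        if (name != 0 && *(short *)(name + UNKNOWN_C * sizeof(short)) == 0) {
            return base;
        }
        link = *(int *)link;          /* Flink of this entry */
    }
    return 0;
}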
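/* Function-pointer shapes for the four imports resolved by hand.  FUNC_L and
 * FUNC_M take LPCSTR, not LPCTSTR: the exports looked up are the ANSI ones
 * (LoadLibraryA / MessageBoxA), so the signature must not flip to wide
 * strings under a UNICODE build.  Identical to the old typedefs in an ANSI
 * build, which is what VC6 produces by default. */
typedef FARPROC (WINAPI *FUNC_G)(HMODULE, LPCSTR);          /* GetProcAddress */
typedef HMODULE (WINAPI *FUNC_L)(LPCSTR);                   /* LoadLibraryA */
typedef int (WINAPI *FUNC_M)(HWND, LPCSTR, LPCSTR, UINT);   /* MessageBoxA */
typedef VOID (WINAPI *FUNC_E)(UINT);                        /* ExitProcess */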
/* Names the loader looks up at run time, referenced by index below.
 * Keeping them in one table is what lets the rest of the file avoid any
 * import-table entries.  Indices: [0] export name searched in kernel32,
 * [1] export name for the library loader, [2] library passed to it,
 * [3] export resolved from that library, [4] message text, [5] exit export. */
const char *usr_literal[] = {
"GetProcAddress",
"LoadLibraryA",
"user32",
"MessageBoxA",
"hello",
"ExitProcess"
};
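FUNC_G load_GetProcAddress(int kernel32)
{
    /*
     * Resolve GetProcAddress by hand from kernel32's export directory.
     *
     * kernel32: load address returned by load_kernel32_base(); used as the
     *           image base for every RVA below (RVA_2_VA).
     * Returns the VA of the export named usr_literal[0], or NULL when the
     * argument is 0, the headers are not a PE image, or the name is not
     * exported.
     *
     * Fixes relative to the previous version:
     *  - the export address table is indexed by AddressOfNameOrdinals[idx];
     *    the old code computed `ordin` and then ignored it, indexing the EAT
     *    with the name index, which is only correct by accident;
     *  - each name is fetched through AddressOfNames[idx] instead of assuming
     *    the name strings are packed contiguously in table order;
     *  - a miss no longer reads past the end of the tables.
     */
#define RVA_2_VA(__rva) ((kernel32) + (__rva))
#define MY_PREFIX(__name) (my_##__name)   /* still used by the loaders below */
    IMAGE_DOS_HEADER *dos_hdr;
    IMAGE_NT_HEADERS *nt_headers;
    IMAGE_EXPORT_DIRECTORY *exp_dir;
    DWORD export_rva;
    DWORD *name_rvas;      /* AddressOfNames: NumberOfNames RVAs of ASCII names */
    WORD *name_ordinals;   /* AddressOfNameOrdinals: parallel EAT indices */
    DWORD *func_rvas;      /* AddressOfFunctions: the export address table */
    unsigned int idx;
    unsigned int eat_index;

    if (kernel32 == 0) {
        return NULL;
    }
    dos_hdr = (IMAGE_DOS_HEADER *)kernel32;
    if (dos_hdr->e_magic != IMAGE_DOS_SIGNATURE) {
        return NULL;
    }
    nt_headers = (IMAGE_NT_HEADERS *)RVA_2_VA(dos_hdr->e_lfanew);
    if (nt_headers->Signature != IMAGE_NT_SIGNATURE) {
        return NULL;
    }
    /* DataDirectory[0] is the export directory; name it instead of relying on
     * the array decaying to a pointer to its first element. */
    export_rva = nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    if (export_rva == 0) {
        return NULL;
    }
    exp_dir = (IMAGE_EXPORT_DIRECTORY *)RVA_2_VA(export_rva);
    name_rvas = (DWORD *)RVA_2_VA(exp_dir->AddressOfNames);
    name_ordinals = (WORD *)RVA_2_VA(exp_dir->AddressOfNameOrdinals);
    func_rvas = (DWORD *)RVA_2_VA(exp_dir->AddressOfFunctions);

    for (idx = 0; idx < exp_dir->NumberOfNames; idx++) {
        const char *name = (const char *)RVA_2_VA(name_rvas[idx]);
        if (strcmp(name, usr_literal[0]) == 0) {
            break;
        }
    }
    if (idx == exp_dir->NumberOfNames) {
        return NULL;            /* not exported by name */
    }
    eat_index = name_ordinals[idx];
    if (eat_index >= exp_dir->NumberOfFunctions) {
        return NULL;            /* corrupt table: ordinal outside the EAT */
    }
    return (FUNC_G)RVA_2_VA(func_rvas[eat_index]);
}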
/* Look up usr_literal[1] in kernel32 through the hand-resolved GetProcAddress
 * and hand it back as a FUNC_L.  Returns whatever func_g returns (NULL on a
 * miss); no check is made here. */
FUNC_L load_LoadLibraryA(FUNC_G func_g, int kernel32)
{
    FARPROC raw = func_g((HMODULE)kernel32, (LPCSTR)usr_literal[1]);
    return (FUNC_L)raw;
}
/* Load the library named by usr_literal[2] with func_l, then resolve
 * usr_literal[3] from it with func_g.  A failed load is passed straight on
 * to func_g, whose NULL result is returned unchanged. */
FUNC_M load_MessageBoxA(FUNC_G func_g, FUNC_L func_l)
{
    HMODULE library = func_l((LPCSTR)usr_literal[2]);
    FARPROC raw = func_g(library, (LPCSTR)usr_literal[3]);
    return (FUNC_M)raw;
}
/* Look up usr_literal[5] in kernel32 through func_g and return it as a
 * FUNC_E; NULL propagates from func_g on a miss. */
FUNC_E load_ExitProcess(FUNC_G func_g, int kernel32)
{
    FARPROC raw = func_g((HMODULE)kernel32, (LPCSTR)usr_literal[5]);
    return (FUNC_E)raw;
}
/* Slot indices for main()'s func[] table, in resolution order.
 * FUNC_MAX_E is the table size, not a function. */
enum func_type_t {
    GetProcAddress_E = 0,
    LoadLibraryA_E   = 1,
    MessageBoxA_E    = 2,
    ExitProcess_E    = 3,
    FUNC_MAX_E       = 4
};
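int show_my_function(int addr, int type)
{
    /*
     * Invoke a resolved import through the matching function-pointer type.
     *
     * addr: value from main()'s func[] table; 0 means resolution failed.
     * type: func_type_t slot.  Only MessageBoxA_E and ExitProcess_E are
     *       callable here; any other type is ignored.
     * Returns 0 when the type was handled or ignored, -1 when addr is 0
     * (the previous version called address 0 and faulted).
     */
    if (addr == 0) {
        return -1;
    }
    switch (type) {
    case MessageBoxA_E: {
        FUNC_M func_m = (FUNC_M)addr;
        func_m(NULL, usr_literal[4], NULL, MB_OK);
        break;
    }
    case ExitProcess_E: {
        FUNC_E func_e = (FUNC_E)addr;
        func_e(0);          /* does not return */
        break;
    }
    default:
        break;
    }
    return 0;
}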
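int main(int argc, char *argv[])
{
    /*
     * Resolve the four imports in dependency order and call the last two.
     * Each step is checked before the next one uses its result: a 0 from any
     * loader used to be cast to a function pointer and called, which faults
     * inside the loader chain rather than failing cleanly.  Exit code 1 means
     * some resolution step failed.
     */
    int kernel_base;
    int func[FUNC_MAX_E];
    (void)argc;
    (void)argv;

    kernel_base = load_kernel32_base();
    if (kernel_base == 0) {
        return 1;
    }
    func[GetProcAddress_E] = (int)load_GetProcAddress(kernel_base);
    if (func[GetProcAddress_E] == 0) {
        return 1;
    }
    func[LoadLibraryA_E] =
        (int)load_LoadLibraryA((FUNC_G)func[GetProcAddress_E], kernel_base);
    if (func[LoadLibraryA_E] == 0) {
        return 1;
    }
    func[MessageBoxA_E] =
        (int)load_MessageBoxA((FUNC_G)func[GetProcAddress_E],
                              (FUNC_L)func[LoadLibraryA_E]);
    func[ExitProcess_E] =
        (int)load_ExitProcess((FUNC_G)func[GetProcAddress_E], kernel_base);

    /* show_my_function() rejects a 0 address itself; the checks here only
     * decide the exit status. */
    if (func[MessageBoxA_E] == 0 || func[ExitProcess_E] == 0) {
        return 1;
    }
    show_my_function(func[MessageBoxA_E], MessageBoxA_E);
    show_my_function(func[ExitProcess_E], ExitProcess_E);   /* normally never returns */
    return 0;
}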
对您的大作"一个shellcode的实例"C化了,有几个偏移能否帮着命名下,我懒得去细翻NT和PE的结构了,代码用VC6直接能跑
int p_data[10], idx;
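int load_kernel32_base(void)
{
    /*
     * Return the load address of kernel32.dll without importing anything:
     * fs:[0x30] -> PEB, PEB.Ldr -> PEB_LDR_DATA, then walk the
     * InInitializationOrderModuleList until an entry whose base name is
     * exactly UNKNOWN_C (12) wide characters long is found ("kernel32.dll"
     * is the first such name in that list on the 32-bit systems this targets).
     * Returns 0 when the list is exhausted without a match.
     *
     * Fix relative to the previous version: it used the real PEB's first dword
     * and PEB_LDR_DATA's first dword as scratch space (only the first was
     * restored; the UNLOCK for module_list was commented out), so the walk
     * corrupted live process state.  Everything is kept in locals now and the
     * walk stops when it returns to the list head, instead of reading the head
     * as if it were a module entry.
     *
     * The fs:[0x30] / Ldr / export-table walk is the classic position-
     * independent import resolver and exactly the pattern memory scanners and
     * EDR heuristics key on, which is worth recognising when reading samples.
     */
    /* 0x30 is accepted by both C and MSVC inline asm; "30h" was MASM-only and
     * only happened to work because it was used solely inside __asm. */
#define PEB_OFFSET 0x30
#define LDR_OFFSET 0x0c            /* PEB.Ldr */
#define MODULELIST_OFFSET 0x1c     /* PEB_LDR_DATA.InInitializationOrderModuleList */
    /* The list links sit at entry+0x10 in the 32-bit _LDR_DATA_TABLE_ENTRY, so
     * link+0x08 == entry+0x18 (DllBase) and link+0x20 == entry+0x30
     * (BaseDllName.Buffer).  Confirm with `dt ntdll!_LDR_DATA_TABLE_ENTRY`. */
#define UNKNOWN_A 0x08
#define UNKNOWN_B 0x20
#define UNKNOWN_C 12               /* wide-char index tested for the terminator */
    /* Kept for source compatibility; this version needs no scratch stack. */
#define LOCK_DATA(__data) \
    p_data[idx++] = (__data)
#define UNLOCK_DATA(__data) \
    (__data) = p_data[--idx]
    int peb = 0;
    int ldr, head, link;
    int base, name;

    __asm mov eax, fs:[PEB_OFFSET]
    __asm mov dword ptr [peb], eax
    if (peb == 0) {
        return 0;
    }
    ldr = *(int *)(peb + LDR_OFFSET);
    if (ldr == 0) {
        return 0;
    }
    head = ldr + MODULELIST_OFFSET;   /* the LIST_ENTRY head itself, never a module */
    link = *(int *)head;              /* Flink: first module entry */
    /* LIST_ENTRY lists are circular, so getting back to head means no match. */
    while (link != head && link != 0) {
        base = *(int *)(link + UNKNOWN_A);
        name = *(int *)(link + UNKNOWN_B);
        if (name != 0 && *(short *)(name + UNKNOWN_C * sizeof(short)) == 0) {
            return base;
        }
        link = *(int *)link;          /* Flink of this entry */
    }
    return 0;
}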
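/* Function-pointer shapes for the four imports resolved by hand.  FUNC_L and
 * FUNC_M take LPCSTR, not LPCTSTR: the exports looked up are the ANSI ones
 * (LoadLibraryA / MessageBoxA), so the signature must not flip to wide
 * strings under a UNICODE build.  Identical to the old typedefs in an ANSI
 * build, which is what VC6 produces by default. */
typedef FARPROC (WINAPI *FUNC_G)(HMODULE, LPCSTR);          /* GetProcAddress */
typedef HMODULE (WINAPI *FUNC_L)(LPCSTR);                   /* LoadLibraryA */
typedef int (WINAPI *FUNC_M)(HWND, LPCSTR, LPCSTR, UINT);   /* MessageBoxA */
typedef VOID (WINAPI *FUNC_E)(UINT);                        /* ExitProcess */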
/* Names the loader looks up at run time, referenced by index below.
 * Keeping them in one table is what lets the rest of the file avoid any
 * import-table entries.  Indices: [0] export name searched in kernel32,
 * [1] export name for the library loader, [2] library passed to it,
 * [3] export resolved from that library, [4] message text, [5] exit export. */
const char *usr_literal[] = {
"GetProcAddress",
"LoadLibraryA",
"user32",
"MessageBoxA",
"hello",
"ExitProcess"
};
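FUNC_G load_GetProcAddress(int kernel32)
{
    /*
     * Resolve GetProcAddress by hand from kernel32's export directory.
     *
     * kernel32: load address returned by load_kernel32_base(); used as the
     *           image base for every RVA below (RVA_2_VA).
     * Returns the VA of the export named usr_literal[0], or NULL when the
     * argument is 0, the headers are not a PE image, or the name is not
     * exported.
     *
     * Fixes relative to the previous version:
     *  - the export address table is indexed by AddressOfNameOrdinals[idx];
     *    the old code computed `ordin` and then ignored it, indexing the EAT
     *    with the name index, which is only correct by accident;
     *  - each name is fetched through AddressOfNames[idx] instead of assuming
     *    the name strings are packed contiguously in table order;
     *  - a miss no longer reads past the end of the tables.
     */
#define RVA_2_VA(__rva) ((kernel32) + (__rva))
#define MY_PREFIX(__name) (my_##__name)   /* still used by the loaders below */
    IMAGE_DOS_HEADER *dos_hdr;
    IMAGE_NT_HEADERS *nt_headers;
    IMAGE_EXPORT_DIRECTORY *exp_dir;
    DWORD export_rva;
    DWORD *name_rvas;      /* AddressOfNames: NumberOfNames RVAs of ASCII names */
    WORD *name_ordinals;   /* AddressOfNameOrdinals: parallel EAT indices */
    DWORD *func_rvas;      /* AddressOfFunctions: the export address table */
    unsigned int idx;
    unsigned int eat_index;

    if (kernel32 == 0) {
        return NULL;
    }
    dos_hdr = (IMAGE_DOS_HEADER *)kernel32;
    if (dos_hdr->e_magic != IMAGE_DOS_SIGNATURE) {
        return NULL;
    }
    nt_headers = (IMAGE_NT_HEADERS *)RVA_2_VA(dos_hdr->e_lfanew);
    if (nt_headers->Signature != IMAGE_NT_SIGNATURE) {
        return NULL;
    }
    /* DataDirectory[0] is the export directory; name it instead of relying on
     * the array decaying to a pointer to its first element. */
    export_rva = nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    if (export_rva == 0) {
        return NULL;
    }
    exp_dir = (IMAGE_EXPORT_DIRECTORY *)RVA_2_VA(export_rva);
    name_rvas = (DWORD *)RVA_2_VA(exp_dir->AddressOfNames);
    name_ordinals = (WORD *)RVA_2_VA(exp_dir->AddressOfNameOrdinals);
    func_rvas = (DWORD *)RVA_2_VA(exp_dir->AddressOfFunctions);

    for (idx = 0; idx < exp_dir->NumberOfNames; idx++) {
        const char *name = (const char *)RVA_2_VA(name_rvas[idx]);
        if (strcmp(name, usr_literal[0]) == 0) {
            break;
        }
    }
    if (idx == exp_dir->NumberOfNames) {
        return NULL;            /* not exported by name */
    }
    eat_index = name_ordinals[idx];
    if (eat_index >= exp_dir->NumberOfFunctions) {
        return NULL;            /* corrupt table: ordinal outside the EAT */
    }
    return (FUNC_G)RVA_2_VA(func_rvas[eat_index]);
}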
/* Look up usr_literal[1] in kernel32 through the hand-resolved GetProcAddress
 * and hand it back as a FUNC_L.  Returns whatever func_g returns (NULL on a
 * miss); no check is made here. */
FUNC_L load_LoadLibraryA(FUNC_G func_g, int kernel32)
{
    FARPROC raw = func_g((HMODULE)kernel32, (LPCSTR)usr_literal[1]);
    return (FUNC_L)raw;
}
/* Load the library named by usr_literal[2] with func_l, then resolve
 * usr_literal[3] from it with func_g.  A failed load is passed straight on
 * to func_g, whose NULL result is returned unchanged. */
FUNC_M load_MessageBoxA(FUNC_G func_g, FUNC_L func_l)
{
    HMODULE library = func_l((LPCSTR)usr_literal[2]);
    FARPROC raw = func_g(library, (LPCSTR)usr_literal[3]);
    return (FUNC_M)raw;
}
/* Look up usr_literal[5] in kernel32 through func_g and return it as a
 * FUNC_E; NULL propagates from func_g on a miss. */
FUNC_E load_ExitProcess(FUNC_G func_g, int kernel32)
{
    FARPROC raw = func_g((HMODULE)kernel32, (LPCSTR)usr_literal[5]);
    return (FUNC_E)raw;
}
/* Slot indices for main()'s func[] table, in resolution order.
 * FUNC_MAX_E is the table size, not a function. */
enum func_type_t {
    GetProcAddress_E = 0,
    LoadLibraryA_E   = 1,
    MessageBoxA_E    = 2,
    ExitProcess_E    = 3,
    FUNC_MAX_E       = 4
};
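int show_my_function(int addr, int type)
{
    /*
     * Invoke a resolved import through the matching function-pointer type.
     *
     * addr: value from main()'s func[] table; 0 means resolution failed.
     * type: func_type_t slot.  Only MessageBoxA_E and ExitProcess_E are
     *       callable here; any other type is ignored.
     * Returns 0 when the type was handled or ignored, -1 when addr is 0
     * (the previous version called address 0 and faulted).
     */
    if (addr == 0) {
        return -1;
    }
    switch (type) {
    case MessageBoxA_E: {
        FUNC_M func_m = (FUNC_M)addr;
        func_m(NULL, usr_literal[4], NULL, MB_OK);
        break;
    }
    case ExitProcess_E: {
        FUNC_E func_e = (FUNC_E)addr;
        func_e(0);          /* does not return */
        break;
    }
    default:
        break;
    }
    return 0;
}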
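int main(int argc, char *argv[])
{
    /*
     * Resolve the four imports in dependency order and call the last two.
     * Each step is checked before the next one uses its result: a 0 from any
     * loader used to be cast to a function pointer and called, which faults
     * inside the loader chain rather than failing cleanly.  Exit code 1 means
     * some resolution step failed.
     */
    int kernel_base;
    int func[FUNC_MAX_E];
    (void)argc;
    (void)argv;

    kernel_base = load_kernel32_base();
    if (kernel_base == 0) {
        return 1;
    }
    func[GetProcAddress_E] = (int)load_GetProcAddress(kernel_base);
    if (func[GetProcAddress_E] == 0) {
        return 1;
    }
    func[LoadLibraryA_E] =
        (int)load_LoadLibraryA((FUNC_G)func[GetProcAddress_E], kernel_base);
    if (func[LoadLibraryA_E] == 0) {
        return 1;
    }
    func[MessageBoxA_E] =
        (int)load_MessageBoxA((FUNC_G)func[GetProcAddress_E],
                              (FUNC_L)func[LoadLibraryA_E]);
    func[ExitProcess_E] =
        (int)load_ExitProcess((FUNC_G)func[GetProcAddress_E], kernel_base);

    /* show_my_function() rejects a 0 address itself; the checks here only
     * decide the exit status. */
    if (func[MessageBoxA_E] == 0 || func[ExitProcess_E] == 0) {
        return 1;
    }
    show_my_function(func[MessageBoxA_E], MessageBoxA_E);
    show_my_function(func[ExitProcess_E], ExitProcess_E);   /* normally never returns */
    return 0;
}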
主要是这几个
/* All three are relative to the InInitializationOrderLinks pointer the walk
 * holds, which sits at entry+0x10 of a 32-bit _LDR_DATA_TABLE_ENTRY; confirm
 * with `dt ntdll!_LDR_DATA_TABLE_ENTRY` before relying on them. */
#define UNKNOWN_A 0x08   /* -> entry+0x18: DllBase, the value returned as kernel32 */
#define UNKNOWN_B 0x20   /* -> entry+0x30: BaseDllName.Buffer (UTF-16 module name) */
#define UNKNOWN_C 12     /* wide-char index tested for NUL: name length == 12, i.e. "kernel32.dll" */
[ 本帖最后由 bccnyouke 于 2012-11-23 21:08 编辑 ]