#include <stdio.h>#include <windows.h>DWORD GetHash(const char* fun_name){DWORD digest = 0;while (*fun_name){digest = ((digest << 25) | (digest >> 7)); //循环右移 7 位digest += *fun_name; //累加fun_name++;}return digest;}void main(){DWORD hash;hash = GetHash("GetProcAddress");printf("result of hash is 0x%.8x\n", hash);}
提取shellcode
源码
#pragma code_seg("shellcode")
#include <windows.h>
#pragma comment(linker,"/entry:main")void main()
{//the pointer of kernel32.dll base addressDWORD dwKernel32Addr = 0;_asm {push eaxmov eax, dword ptr fs:[0x30]mov eax, [eax + 0x0C]mov eax,[eax + 0x1C]mov eax, [eax]mov eax, [eax + 0x08]mov dwKernel32Addr, eaxpop eax}PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)dwKernel32Addr;PIMAGE_NT_HEADERS32 pNtHeader = (PIMAGE_NT_HEADERS32)(dwKernel32Addr + pDosHeader->e_lfanew);PIMAGE_DATA_DIRECTORY pDataDirectory = pNtHeader->OptionalHeader.DataDirectory + IMAGE_DIRECTORY_ENTRY_EXPORT;PIMAGE_EXPORT_DIRECTORY pExportFuncTable = (PIMAGE_EXPORT_DIRECTORY)(dwKernel32Addr + pDataDirectory->VirtualAddress);PDWORD pAddrOfFunc = (PDWORD)(pExportFuncTable->AddressOfFunctions + dwKernel32Addr);PDWORD pAddrOfFuncNames = (PDWORD)(pExportFuncTable->AddressOfNames + dwKernel32Addr);PWORD pAddrOfOrdinals = (PWORD)(pExportFuncTable->AddressOfNameOrdinals + dwKernel32Addr);DWORD dwFuncGetProcAddress = 0;for (size_t i = 0; i < pExportFuncTable->NumberOfNames; i++){PCHAR lpFuncName = (PCHAR)(pAddrOfFuncNames[i] + dwKernel32Addr);DWORD digest = 0;while (*lpFuncName){digest = ((digest << 25) | (digest >> 7));digest += *lpFuncName;lpFuncName++;}if (digest == 0xbbafdf85)//0xbbafdf85是经过自定义hash算法得到GetProcAddress函数的摘要{dwFuncGetProcAddress = pAddrOfFunc[pAddrOfOrdinals[i]] + dwKernel32Addr;break;}}/*如果是弹窗弹窗,这里我们需要 : LoadLibraryExA、MessageBoxA、ExitProcess、user32.dll*//*定义函数指针GetProcAddress*/typedef FARPROC (WINAPI *funcGetProcAddress)(HMODULE hModule,LPCSTR lpProcName);funcGetProcAddress pfuncGetProcAddress = (funcGetProcAddress)dwFuncGetProcAddress;/*LoadLibraryExA 函数指针获取*/typedef HMODULE (WINAPI *funcLoadLibraryExA)(LPCSTR lpLibFileName,HANDLE hFile,DWORD dwFlags);//如果采用字符串模式,其字符串会被放入数据段,使用的每次加载地址都不一样,char szLoadLibraryExA[] = { 'L','o','a','d','L','i','b','r','a','r','y','E','x','A','\0' };char szUser32[] = { 'u','s','e','r','3','2','.','d','l','l','\0' };char szMessageBoxA[] = { 'M','e','s','s','a','g','e','B','o','x','A','\0' };char szExitProcess[] = { 'E','x','i','t','P','r','o','c','e','s','s','\0' };funcLoadLibraryExA pfuncLoadLibraryExA = (funcLoadLibraryExA)(pfuncGetProcAddress((HMODULE)dwKernel32Addr,szLoadLibraryExA));/*ExitProcess函数指针*/typedef VOID(WINAPI *funcExitProcess)(_In_ UINT uExitCode);funcExitProcess pfuncExitProcess = (funcExitProcess)(pfuncGetProcAddress((HMODULE)dwKernel32Addr, szExitProcess));/** 加载user32.dll 和messagebox*/typedef int (WINAPI *funcMessageBoxA)(_In_opt_ HWND hWnd,_In_opt_ LPCSTR lpText,_In_opt_ LPCSTR lpCaption,_In_ UINT uType);funcMessageBoxA pfuncMessageBoxA = (funcMessageBoxA)(pfuncGetProcAddress((HMODULE)(pfuncLoadLibraryExA(szUser32, NULL, NULL)), szMessageBoxA));char szContext[] = {'t','h','i','s',' ','i','s',' ','a',' ','t','e','s','t','\0' };char szTitle[] = { 't','e','s','t','\0' };pfuncMessageBoxA(NULL, szContext, szTitle, MB_OK);pfuncExitProcess(0);
}
