shellcode 版的MSG,自己写的

#include "stdafx.h"
#include "stdio.h"
#include "windows.h"
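/*
 * Scratch globals for resolved addresses.  None of them is referenced by the
 * code visible in this file (GetApi keeps everything on its own stack frame).
 * Initialised with 0 rather than NULL: NULL is a pointer constant and these
 * are plain ints, which is a warning in C++ and an error in C.
 */
int LoadAddr = 0;      /* would hold the LoadLibraryA address */
int GetAddr = 0;       /* would hold the GetProcAddress address */
int kernel32Addr = 0;  /* would hold the kernel32.dll base */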


/*
 * int GetApi(void)
 *
 * Naked function holding a position-independent 32-bit x86 code blob that
 * shows MessageBoxA(NULL, "AAAA", "hellolyf", MB_OK) without using the
 * import table:
 *   1. walk the PEB loader list to pick a module base (meant to be kernel32),
 *   2. parse that module's export directory by hand to find GetProcAddress,
 *   3. GetProcAddress -> LoadLibraryA -> user32.dll -> MessageBoxA.
 *
 * ABI:   32-bit Windows; every callee is stdcall, so each call pops its own
 *        arguments.
 * In:    nothing.
 * Out:   nothing usable -- the final popad restores the caller's eax, so the
 *        declared int return value is meaningless.
 * Stack: push ebp (4) + sub esp,100 + four pushes for "LoadLibraryA" (16)
 *        + one stray push esp before MessageBoxA (4) = 0x7c bytes, released
 *        by the single `add esp,0x7c` just before popad.
 * Clobb: none (pushad/popad), but ~124 bytes of the caller's stack below esp
 *        are written.
 *
 * NOTE(review): the module selection and the name match are length/prefix
 * heuristics (see inline notes); the code only works where the classic
 * PEB/export-table layout assumptions below hold.
 */
__declspec(naked) int GetApi()
{
	
	_asm
	{
Begin:
	pushad                              ; save all GPRs; popad at the end restores them
		push ebp                        ; extra 4 bytes, accounted for in the final add esp,0x7c
		xor ecx,ecx                     ; ecx = 0; cl is the NUL compared against below

		; --- 1. pick a module base from the PEB loader list ---
		mov esi,fs:0x30                 ; esi = PEB (TEB+0x30 on 32-bit Windows)
		mov esi, [esi + 0x0C];          ; esi = PEB->Ldr (PEB_LDR_DATA)
	mov esi, [esi + 0x1C];              ; esi = Ldr->InInitializationOrderModuleList.Flink
next_module:
	mov ebp, [esi + 0x08];              ; ebp = entry->DllBase (offset relative to the InInitializationOrder links)
	mov edi, [esi + 0x20];              ; edi = entry->BaseDllName.Buffer (UTF-16)
	mov esi, [esi];                     ; esi = next entry
	cmp [edi + 12*2],cl                 ; is the 13th UTF-16 char a NUL, i.e. is the name exactly 12 chars long?
		jne next_module
		mov edi,ebp                     ; edi = base of the first 12-char-named module, assumed to be kernel32.dll
                                        ; NOTE(review): this tests length only, not the name; it relies on
                                        ; kernel32.dll being the first 12-character BaseDllName in list order.

		; --- 2. locate GetProcAddress in that module's export directory ---
		; With the module base in hand, GetProcAddress is found by scanning the
		; export name table for a name beginning with "GetProcA".
		sub esp,100                     ; 100-byte scratch area for strings and saved addresses
		mov ebp,esp                     ; ebp = base of the scratch area ([ebp+44/72/76/80] are used below)
	mov eax,[edi+3ch]                   ; eax = e_lfanew (offset of IMAGE_NT_HEADERS)
	mov edx,[edi+eax+78h]               ; edx = DataDirectory[EXPORT].VirtualAddress (PE32 optional-header layout)
		add edx,edi                     ; edx = IMAGE_EXPORT_DIRECTORY*
		mov ecx,[edx+18h]               ; ecx = NumberOfNames (NumberOfFunctions would be +14h)
	mov ebx,[edx+20h]
		add ebx,edi                     ; ebx = AddressOfNames (array of RVAs)
search:
	dec ecx                             ; scan from the last name downwards
                                        ; NOTE(review): no lower bound -- if nothing matches, ecx
                                        ; wraps and the loop reads outside the name table.
		mov esi,[ebx+ecx*4]
		add esi,edi                     ; esi = name string for index ecx
	mov eax,0x50746547                  ; "GetP" as a little-endian dword
		cmp [esi],eax
		jne search
		mov eax,0x41636f72              ; "rocA"
		cmp [esi+4],eax                 ; only the first 8 bytes are compared ("GetProcA...")
		jne search
		mov ebx,[edx+24h]
		add ebx,edi                     ; ebx = AddressOfNameOrdinals (array of WORDs)
		mov cx,[ebx+ecx*2]              ; cx = ordinal for name index ecx (16-bit write; the upper
                                        ; half of ecx is still 0 because the index is below NumberOfNames)
		mov ebx,[edx+1ch]
		add ebx,edi                     ; ebx = AddressOfFunctions (array of RVAs)
		mov eax,[ebx+ecx*4]
		add eax,edi                     ; eax = GetProcAddress
		mov [ebp+76],eax                ; scratch[76] = GetProcAddress

		; --- 3. GetProcAddress(kernel32, "LoadLibraryA") ---
		; The name is built on the stack from four little-endian dwords.
	    push 0;                         ; NUL terminator (its bytes also terminate the MessageBox text later)
	    push DWORD PTR 0x41797261;      ; "aryA"
	    push DWORD PTR 0x7262694c;      ; "Libr"
	    push DWORD PTR 0x64616f4c;      ; "Load"  -> esp -> "LoadLibraryA\0"
	    push esp                        ; lpProcName
		push edi                        ; hModule
		call [ebp+76]                   ; GetProcAddress (pops its two args)
		mov [ebp+80],eax                ; scratch[80] = LoadLibraryA
		; (an earlier `add esp,0x78` here is disabled; the whole frame is
		;  released by the single add esp,0x7c at the end)

		; --- 4. LoadLibraryA("user32.dll") ---
		; The 16 bytes at esp (the "LoadLibraryA" string) are reused as a
		; byte buffer for every string from here on.
        		mov byte ptr[esp+0x0],0x75  ; 'u'
				mov byte ptr[esp+0x1],0x73  ; 's'
				mov byte ptr[esp+0x2],0x65  ; 'e'
				mov byte ptr[esp+0x3],0x72  ; 'r'
				mov byte ptr[esp+0x4],0x33  ; '3'
				mov byte ptr[esp+0x5],0x32  ; '2'
				mov byte ptr[esp+0x6],0x2e  ; '.'
				mov byte ptr[esp+0x7],0x64  ; 'd'
				mov byte ptr[esp+0x8],0x6c  ; 'l'
             	mov byte ptr[esp+0x9],0x6c  ; 'l'
				mov byte ptr[esp+0xA],0x00  ; NUL
				push ESP                    ; lpLibFileName
				call [ebp+80]               ; LoadLibraryA (pops its one arg)
                mov [ebp+0x48],eax          ; scratch[72] = user32.dll base

		; --- 5. GetProcAddress(user32, "MessageBoxA") ---
               	mov byte ptr[esp+0x0],0x4D  ; 'M'
				mov byte ptr[esp+0x1],0x65  ; 'e'
				mov byte ptr[esp+0x2],0x73  ; 's'
				mov byte ptr[esp+0x3],0x73  ; 's'
				mov byte ptr[esp+0x4],0x61  ; 'a'
				mov byte ptr[esp+0x5],0x67  ; 'g'
				mov byte ptr[esp+0x6],0x65  ; 'e'
				mov byte ptr[esp+0x7],0x42  ; 'B'
				mov byte ptr[esp+0x8],0x6F  ; 'o'
             	mov byte ptr[esp+0x9],0x78  ; 'x'
				mov byte ptr[esp+0xA],0x41  ; 'A'
				mov byte ptr[esp+0xB],0x00  ; NUL
                push ESP                    ; lpProcName
				push [ebp+0x48]             ; hModule
				call  [ebp+76]              ; GetProcAddress (pops its two args)
				mov  [ebp+44],eax           ; scratch[44] = MessageBoxA

		; --- 6. MessageBoxA(NULL, "AAAA", "hellolyf", MB_OK) ---
		; buffer[0..8]  = "hellolyf\0"  -> caption
		; buffer[9..12] = "AAAA"        -> text; its terminator is the leftover
		;                                  zero byte at buffer[13] written by `push 0` above
				mov byte ptr[esp+0x0],0x68  ; 'h'
				mov byte ptr[esp+0x1],0x65  ; 'e'
				mov byte ptr[esp+0x2],0x6c  ; 'l'
				mov byte ptr[esp+0x3],0x6c  ; 'l'
				mov byte ptr[esp+0x4],0x6f  ; 'o'
				mov byte ptr[esp+0x5],0x6c  ; 'l'
				mov byte ptr[esp+0x6],0x79  ; 'y'
				mov byte ptr[esp+0x7],0x66  ; 'f'
				mov byte ptr[esp+0x8],0x00  ; NUL
				mov byte ptr[esp+0x9],0x41  ; 'A'
				mov byte ptr[esp+0xA],0x41  ; 'A'
				mov byte ptr[esp+0xB],0x41  ; 'A'
				mov byte ptr[esp+0xC],0x41  ; 'A'
				mov byte ptr[esp+0x8],0x00  ; NOTE(review): duplicate of the store five lines up; harmless
			
				push ESP                    ; not an argument: only makes the buffer reachable as [esp+4]
				lea ecx,[esp+4]             ; ecx = &buffer[0] ("hellolyf")
				lea edx,[ecx+9]             ; edx = &buffer[9] ("AAAA")
				push MB_OK                  ; uType
				push ecx                    ; lpCaption = "hellolyf"
				push edx                    ; lpText    = "AAAA"
				push 0x00                   ; hWnd
				call [ebp+44]               ; MessageBoxA (pops its four args)
				add esp,0x7c                ; release push ebp + 100 + 16 + 4 = 124 bytes
				popad
				retn 
	};
	}

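	/*
	 * Entry point: runs the GetApi code blob once.
	 * The pushad/popad pair around the call is redundant (GetApi already
	 * saves and restores every GPR itself) but harmless.  The closing brace
	 * was missing from the original listing.
	 */
	void main()
	{
		_asm pushad
		_asm call GetApi
		_asm popad
	}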
				
				
				

  
