
代码区添加shellcode


// p44.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <windows.h>
#include <malloc.h>
// Length in bytes of the stub below: 4 x (6A 00) + (E8 rel32) + (E9 rel32) = 0x12.
#define ShellCodeIen 0x12
// An absolute address of MessageBox copied from one particular machine. It is
// not referenced anywhere in this file (shellCode() takes the address of the
// MessageBox symbol directly); a hard-coded address like this is only valid
// for the exact library build it was taken from.
#define MessageBoxAdder 0x77D507EA

// The stub that shellCode() writes into the slack of the first section. x86 layout:
//   0x00..0x07  6A 00 x4   four "push 0" (presumably MessageBox's four arguments)
//   0x08        E8 rel32   call; the rel32 at 0x09..0x0C is filled in by shellCode()
//   0x0D        E9 rel32   jmp;  the rel32 at 0x0E..0x11 is filled in by shellCode()
// The zero operands are placeholders ("00" is an octal literal, value 0).
// For a defender: an entry point pointing into section slack followed by a
// call/jmp-back-to-OEP pair is the classic signature of this kind of patch.
BYTE ShellCode[]=
{
0x6A,00,0x6A,00,0x6A,00,0x6A,00,
0xE8,00,00,00,00,
0xE9,00,00,00,00
};


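/*
 * Read the whole input file into a freshly malloc'd buffer.
 *
 * ppFileBuffer: receives the buffer; the caller owns it and must free() it.
 * Returns the file size in bytes, or 0 on any failure. On failure
 * *ppFileBuffer is NULL, never a dangling or half-filled allocation.
 *
 * Fixes vs. the original: the FILE handle is closed on every exit path (it
 * leaked when the size query failed), an ftell() error (-1) is detected before
 * it is turned into an allocation size, and a short read is reported instead
 * of only a zero-item read.
 */
DWORD ReadPEFile(LPVOID *ppFileBuffer)
{
    if (!ppFileBuffer)
    {
        return 0;
    }
    *ppFileBuffer = NULL;

    // NOTE(review): the path carries no ".exe" extension; presumably
    // notepad.exe was intended — confirm against the author's setup.
    FILE *pFile = fopen("C:\\WINDOWS\\system32\\notepad", "rb");
    if (!pFile)
    {
        printf("文件打开失败!\n");
        return 0;
    }

    // Size the file by seeking to its end. ftell() returns -1 on error, and a
    // zero-length file is useless here, so anything <= 0 is a failure.
    long fileSize = -1;
    if (fseek(pFile, 0, SEEK_END) == 0)
    {
        fileSize = ftell(pFile);
    }
    if (fileSize <= 0 || fseek(pFile, 0, SEEK_SET) != 0)
    {
        printf("读取文件大小失败\n");
        fclose(pFile);  // was leaked on this path in the original
        return 0;
    }
    DWORD SizeFileBuffer = (DWORD)fileSize;

    *ppFileBuffer = malloc(SizeFileBuffer);
    if (!*ppFileBuffer)
    {
        printf("kai pi kong jian shi bai\n");
        fclose(pFile);
        return 0;
    }

    // Read byte-wise so that a short read shows up as a count mismatch rather
    // than being hidden by a single-item fread().
    size_t got = fread(*ppFileBuffer, 1, SizeFileBuffer, pFile);
    fclose(pFile);
    if (got != SizeFileBuffer)
    {
        printf("fu zhi shu ju shi bai\n");
        free(*ppFileBuffer);
        *ppFileBuffer = NULL;
        return 0;
    }
    return SizeFileBuffer;
}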

/*
 * Expand a raw on-disk PE (FileBuffer) into its in-memory layout (ImageBuffer):
 * allocate SizeOfImage bytes, copy the headers, then place each section at its
 * VirtualAddress.
 *
 * pFileBuffer: the file contents (not modified).
 * ppImageBuffer: receives the malloc'd image buffer (caller frees).
 * Returns SizeOfImage on success, 0 on failure.
 *
 * Trust model: every offset and length used below (e_lfanew, SizeOfImage,
 * SizeOfHeaders, SizeOfOptionalHeader, NumberOfSections, VirtualAddress,
 * PointerToRawData, SizeOfRawData) is read from the file and used unchecked.
 * There is no file-size parameter, so none of them can be validated against
 * the input; a truncated or crafted file makes the copies below read or write
 * out of bounds. A parser for untrusted input needs the file size and a range
 * check before every memcpy.
 *
 * 32-bit only: pointers are cast to DWORD and PIMAGE_OPTIONAL_HEADER32 is
 * assumed without checking OptionalHeader.Magic.
 */
DWORD FileBufferToImageBuffer(LPVOID pFileBuffer,LPVOID* ppImageBuffer)
{
PIMAGE_DOS_HEADER pDosHeader = NULL;
PIMAGE_NT_HEADERS pNTHeader = NULL;
PIMAGE_FILE_HEADER pPEHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 pOptionalHeader = NULL;
PIMAGE_SECTION_HEADER pSectionHeader = NULL;


if(!pFileBuffer)
{
printf("han shu diao yong shi bai\n");
return 0;
}
// %x with a pointer argument is a format/argument mismatch; %p is the portable form.
printf("pFileBuffer is %x\n",pFileBuffer);

pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
if(pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
printf("not MZ signal");
return 0;
}

// e_lfanew is taken from the file; nothing bounds it to the buffer before the
// NT header is dereferenced through it.
pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer+pDosHeader->e_lfanew);
if(pNTHeader->Signature!=IMAGE_NT_SIGNATURE)
{
printf("not PE signal");
return 0;
}

// FILE header follows the 4-byte "PE\0\0" signature.
pPEHeader = (PIMAGE_FILE_HEADER)(((DWORD)pNTHeader)+4);

// OPTIONAL header follows the 20-byte FILE header.
pOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)(((DWORD)pPEHeader)+20);

// SizeOfImage comes from the file and is used as the allocation size with no upper bound.
printf("SizeOfImage is %x\n",pOptionalHeader->SizeOfImage);
*ppImageBuffer = malloc(pOptionalHeader->SizeOfImage);
if(!*ppImageBuffer)
{
printf("kai pi nei cun shi bai\n");
return 0;
}

memset(*ppImageBuffer,0,pOptionalHeader->SizeOfImage);

// Headers are copied verbatim; SizeOfHeaders is not checked against SizeOfImage
// or the input length.
printf("SizeOfHeader is %x\n",pOptionalHeader->SizeOfHeaders);
memcpy(*ppImageBuffer,pDosHeader,pOptionalHeader->SizeOfHeaders);

// Section table starts right after the optional header (SizeOfOptionalHeader
// bytes, value from the file).
pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionalHeader+pPEHeader->SizeOfOptionalHeader);
printf("NumberOfSections are %x\n",pPEHeader->NumberOfSections);
for(int i=0;i<pPEHeader->NumberOfSections;i++,pSectionHeader++)
{
// NOTE(review): the *source* of this copy is the image buffer
// (*ppImageBuffer + PointerToRawData), which beyond SizeOfHeaders still holds
// the zeroes written by the memset above — so section bodies never arrive.
// The sibling ImageBufferToFileBuffer reads from the other buffer, so
// pFileBuffer was presumably intended here; confirm. There is also no check
// that VirtualAddress + SizeOfRawData stays within SizeOfImage.
memcpy((LPVOID)((DWORD)*ppImageBuffer+pSectionHeader->VirtualAddress),(LPVOID)((DWORD)*ppImageBuffer+pSectionHeader->PointerToRawData),(DWORD)pSectionHeader->SizeOfRawData);
}
printf("finish coping!");
return pOptionalHeader->SizeOfImage;
}

/*
 * Write the ShellCodeIen-byte stub from ShellCode[] into the tail slack of the
 * FIRST section of an image-mapped PE (see FileBufferToImageBuffer), fill in
 * the stub's two rel32 operands, and point AddressOfEntryPoint at the stub.
 *
 * pImageBuffer: image-layout buffer, modified in place.
 * Returns pImageBuffer on success, 0 on failure. Ownership on failure is
 * inconsistent: the "not enough slack" path frees the buffer, every later
 * failure path returns 0 without freeing, and the caller cannot tell which
 * happened.
 *
 * 32-bit only: pointers are cast to DWORD and PIMAGE_OPTIONAL_HEADER32 is
 * assumed (no OptionalHeader.Magic check, so a PE32+ input is misparsed).
 */
LPVOID shellCode(LPVOID pImageBuffer)
{
PIMAGE_DOS_HEADER pDosHeader = NULL;
PIMAGE_NT_HEADERS pNTHeader = NULL;
PIMAGE_FILE_HEADER pPEHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 pOptionalHeader = NULL;
PIMAGE_SECTION_HEADER pSectionHeader = NULL;
PBYTE ShellCodeBegin = NULL;
if(!pImageBuffer)
{
printf("pImageBuffer han shu diao yong shi bai\n");
return 0;
}

// Header walk. Unlike FileBufferToImageBuffer there is no MZ/PE signature
// check here; e_lfanew and SizeOfOptionalHeader are trusted as-is.
pDosHeader = (PIMAGE_DOS_HEADER)pImageBuffer;
pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pImageBuffer+pDosHeader->e_lfanew);
pPEHeader = (PIMAGE_FILE_HEADER)(((DWORD)pNTHeader)+4);
pOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)(((DWORD)pPEHeader)+20);
pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionalHeader+pPEHeader->SizeOfOptionalHeader);

// Dead code kept from the original: a per-section variant of the slack check
// below (it does not compile as written — "pSectionHeader[j]Misc" and the
// lower-case "shellCodeIen").
/* for(int j=0;j<pPEHeader->NumberOfSections;j++)
{
if((pSectionHeader[j].SizeOfRawData - pSectionHeader[j]Misc.VirtualSize) < shellCodeIen)
{
printf("第%d个节表空间不足\n",j);
free(pImageBuffer);
return 0;
}
} */
// Only the FIRST section's slack is examined. The subtraction is unsigned:
// when Misc.VirtualSize > SizeOfRawData it wraps to a huge value and the
// check passes — NOTE(review): guard with SizeOfRawData >= Misc.VirtualSize
// first. This is the one failure path that frees pImageBuffer.
if((pSectionHeader->SizeOfRawData - pSectionHeader->Misc.VirtualSize) < ShellCodeIen)
{
printf("节表空间不足\n");
free(pImageBuffer);
return 0;
}
printf("SizeOfRaw=%x\n",pSectionHeader->SizeOfRawData);
printf("VirtualSize=%x\n",pSectionHeader->Misc.VirtualSize);
printf("nei cun chong zu");
// Both arms of this if/else do the same work; the else arm only recomputes
// pSectionHeader to the value it already has. Presumably a placeholder for a
// distinct non-aligned path that was never written.
if(pOptionalHeader->SectionAlignment == pOptionalHeader->FileAlignment)
{
printf("SectionAlignment == FileAlignment\n");
// Stub goes right after the section's used bytes: image base of the buffer +
// VirtualAddress + VirtualSize. Nothing checks that this plus ShellCodeIen
// stays inside the SizeOfImage allocation.
ShellCodeBegin=(PBYTE)(pSectionHeader->VirtualAddress+pSectionHeader->Misc.VirtualSize+(DWORD)pImageBuffer);
// memcpy never returns NULL, so this failure branch is unreachable.
if(!memcpy(ShellCodeBegin,ShellCode,ShellCodeIen))
{
printf("dai ma chu bu jia ru shi bai\n");
return 0;
}
printf("代码初步加入成功!\n");

//E8: rel32 operand of the CALL at stub offset 8 (operand bytes 9..0xC, next
// instruction at 0xD). Computed as target - (ImageBase + RVA(stub) + 0xD).
// The target is the address of MessageBox *in this process*; the value is
// only correct inside the patched program if user32 is mapped at the same
// address there — presumably true on the author's machine, not under ASLR.
// A rel32 that legitimately equals 0 is treated as an error (false failure).
DWORD CallAdd = (DWORD)((DWORD)MessageBox-((DWORD)pOptionalHeader->ImageBase+(DWORD)ShellCodeBegin+0xD-(DWORD)pImageBuffer));
if(!CallAdd)
{
printf("ERROR E8\n");
return 0;
}
// Little-endian write of the operand into the stub.
*(PDWORD)(ShellCodeBegin+0x9) = CallAdd;
printf("E8 ok\n");

//E9: rel32 operand of the JMP at stub offset 0xD (operand bytes 0xE..0x11,
// next instruction at 0x12 == ShellCodeIen). Target is the original entry
// RVA, so control returns to the original program after the call. Same
// false-failure on a zero operand as above.
DWORD JmpAdd=(DWORD)((DWORD)pOptionalHeader->AddressOfEntryPoint-((DWORD)ShellCodeBegin+ShellCodeIen-(DWORD)pImageBuffer));
if(!JmpAdd)
{
printf("ERROR E9\n");
return 0;
}
*(PDWORD)(ShellCodeBegin+0xE) = JmpAdd;
printf("E9 ok\n");
// Redirect the entry point to the stub's RVA. An entry point that lands in
// the slack of a section rather than at the original OEP is exactly the
// anomaly that PE integrity scanners report.
pOptionalHeader->AddressOfEntryPoint = (DWORD)ShellCodeBegin -(DWORD)pImageBuffer;
printf("OEP=%x\n",pOptionalHeader->AddressOfEntryPoint);
printf("OEP ok\n");
printf("finish");
return pImageBuffer;
}
else
{
printf("SectionAlignment != FileAlignment\n");
// Identical to the branch above; see the comments there.
pSectionHeader=(PIMAGE_SECTION_HEADER)((DWORD)pOptionalHeader+pPEHeader->SizeOfOptionalHeader);
ShellCodeBegin=(PBYTE)(pSectionHeader->VirtualAddress+pSectionHeader->Misc.VirtualSize+(DWORD)pImageBuffer);
if(!memcpy(ShellCodeBegin,ShellCode,ShellCodeIen))
{
printf("dai ma chu bu jia ru shi bai\n");
return 0;
}
printf("代码初步加入成功!\n");

//E8
DWORD CallAdd = (DWORD)((DWORD)MessageBox-((DWORD)pOptionalHeader->ImageBase+(DWORD)ShellCodeBegin+0xD-(DWORD)pImageBuffer));
if(!CallAdd)
{
printf("ERROR E8\n");
return 0;
}
*(PDWORD)(ShellCodeBegin+0x9) = CallAdd;
printf("E8 ok\n");

//E9
DWORD JmpAdd=(DWORD)((DWORD)pOptionalHeader->AddressOfEntryPoint-((DWORD)ShellCodeBegin+ShellCodeIen-(DWORD)pImageBuffer));
if(!JmpAdd)
{
printf("ERROR E9\n");
return 0;
}
*(PDWORD)(ShellCodeBegin+0xE) = JmpAdd;
printf("E9 ok\n");
pOptionalHeader->AddressOfEntryPoint = (DWORD)ShellCodeBegin -(DWORD)pImageBuffer;
printf("OEP=%x\n",pOptionalHeader->AddressOfEntryPoint);
printf("OEP ok\n");
printf("finish");
return pImageBuffer;
}
}

/*
 * Collapse an image-layout buffer back into on-disk (file) layout: headers
 * first, then each section at its PointerToRawData.
 *
 * pImageBuffer: image buffer (not modified).
 * ppBuffer: receives the malloc'd file buffer (caller frees).
 * Returns the size of the output buffer, or 0 on failure.
 *
 * NOTE(review): SizeOfBuffer is derived from the FIRST section only
 * (PointerToRawData + SizeOfRawData of section 0), yet the loop below copies
 * every section into that buffer at its own PointerToRawData. With more than
 * one section this writes past the allocation (heap overflow) and the returned
 * size truncates the output; the end of the LAST section is presumably what
 * was intended. As in FileBufferToImageBuffer, no header field is validated
 * and no range is checked before a memcpy.
 */
DWORD ImageBufferToFileBuffer(LPVOID pImageBuffer,LPVOID *ppBuffer)
{
PIMAGE_DOS_HEADER pDosHeader = NULL;
PIMAGE_NT_HEADERS pNTHeader = NULL;
PIMAGE_FILE_HEADER pPEHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 pOptionalHeader = NULL;
PIMAGE_SECTION_HEADER pSectionHeader = NULL;

if(!pImageBuffer)
{
printf("error");
return 0;
}

// Header walk; no MZ/PE signature check here (cf. FileBufferToImageBuffer).
pDosHeader = (PIMAGE_DOS_HEADER)pImageBuffer;
pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pImageBuffer+pDosHeader->e_lfanew);
pPEHeader = (PIMAGE_FILE_HEADER)(((DWORD)pNTHeader)+4);
pOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)(((DWORD)pPEHeader)+20);
pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionalHeader+pPEHeader->SizeOfOptionalHeader);

// Output size = end of the first section's raw data (see the note above).
DWORD SizeOfBuffer = pSectionHeader->PointerToRawData+pSectionHeader->SizeOfRawData;

*ppBuffer=malloc(SizeOfBuffer);
if(!*ppBuffer)
{
printf("malloc fail\n");
return 0;
}
printf("SizeOfBuffer=%x",SizeOfBuffer);
memset(*ppBuffer,0,SizeOfBuffer);

// Headers are copied verbatim; SizeOfHeaders is not checked against SizeOfBuffer.
memcpy(*ppBuffer,pImageBuffer,pOptionalHeader->SizeOfHeaders);
// Runs NumberOfSections times (1..N inclusive), advancing the section header
// each iteration; destination offsets are not checked against SizeOfBuffer.
for(int j=1;j<=pPEHeader->NumberOfSections;j++,pSectionHeader++)
{
memcpy((LPVOID)((DWORD)*ppBuffer+pSectionHeader->PointerToRawData),(LPVOID)((DWORD)pImageBuffer+pSectionHeader->VirtualAddress),pSectionHeader->SizeOfRawData);
}
printf("cpy success\n");
return SizeOfBuffer;

}

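/*
 * Write SizeOfBuffer bytes from pBuffer to the output path.
 *
 * pBuffer: data to write (not modified). SizeOfBuffer: byte count.
 * Returns true on success, false on failure; a message is printed on every
 * failure path.
 *
 * Fixes vs. the original: the stream is closed on the fwrite failure path (it
 * leaked), a short write counts as failure (only a zero-item write did), and
 * fclose() is checked because it performs the final flush of a write stream.
 *
 * The output path is under system32, which normally requires elevated rights;
 * an unelevated run fails at fopen().
 */
BOOL MemeryToFile(LPVOID pBuffer,DWORD SizeOfBuffer)
{
    if (!pBuffer)
    {
        printf("pBuffer error");
        return false;
    }

    FILE *fpw = fopen("C:\\WINDOWS\\system32\\note", "wb");
    if (!fpw)
    {
        printf("fpw error");
        return false;
    }

    // Byte-wise write so a partial write is visible as a count mismatch.
    size_t written = fwrite(pBuffer, 1, SizeOfBuffer, fpw);
    if (written != SizeOfBuffer)
    {
        printf("fpw fwrite fail");
        fclose(fpw);  // was leaked on this path in the original
        return false;
    }

    // fclose() flushes; a failure here means the data may not be on disk.
    if (fclose(fpw) != 0)
    {
        printf("fpw fclose fail");
        return false;
    }
    printf("success\n");
    return true;
}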

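/*
 * Entry point: read the PE file, expand it to image layout, patch the stub in
 * via shellCode(), collapse it back to file layout and write it out.
 *
 * Fixes vs. the original: the result of shellCode() is checked before it is
 * handed on (it returns 0 on every failure path), the stray printf("fail")
 * that fired after a *successful* read is gone, and the three heap buffers
 * are freed before exit instead of leaking. Exit code stays 0 on all paths,
 * as before.
 */
int main()
{
    LPVOID pFileBuffer = NULL;
    LPVOID pImageBuffer = NULL;
    LPVOID pBuffer = NULL;
    DWORD SizeOfFileBuffer = 0;
    DWORD SizeOfImageBuffer = 0;
    DWORD SizeOfBuffer = 0;

    // Step 1: file -> FileBuffer (raw on-disk layout).
    SizeOfFileBuffer = ReadPEFile(&pFileBuffer);
    if (!SizeOfFileBuffer)
    {
        printf("FileBuffer函数调用失败 \n");
        return 0;
    }

    // Step 2: FileBuffer -> ImageBuffer (section-aligned in-memory layout).
    SizeOfImageBuffer = FileBufferToImageBuffer(pFileBuffer, &pImageBuffer);
    if (!SizeOfImageBuffer)
    {
        printf("调用FileBufferToImageBuffer函数失败");
        goto cleanup;
    }

    // Step 3: patch the stub into the image. shellCode() returns 0 on failure;
    // on its out-of-space path it has already freed the buffer, on the others
    // it has not, so overwriting pImageBuffer here can leak — that is a
    // shellCode() contract problem this caller cannot resolve.
    pImageBuffer = shellCode(pImageBuffer);
    if (!pImageBuffer)
    {
        printf("调用shellCode函数失败\n");
        goto cleanup;
    }

    // Step 4: ImageBuffer -> file-layout output buffer.
    SizeOfBuffer = ImageBufferToFileBuffer(pImageBuffer, &pBuffer);
    if (!SizeOfBuffer)
    {
        printf("SizeOfBuffer error");
        goto cleanup;
    }

    // Step 5: write it out.
    if (MemeryToFile(pBuffer, SizeOfBuffer) == false)
    {
        printf("end");
    }

cleanup:
    // free(NULL) is a no-op, so unconditional frees are safe on every path.
    free(pBuffer);
    free(pImageBuffer);
    free(pFileBuffer);
    return 0;
}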

 

 

From: https://www.cnblogs.com/cspecialr/p/17357461.html
