shellcode编写之获取kernel32.DLL基址及GetProcAddress

 1 #include <windows.h>
 2 #include <stdio.h>
 3 
 4 //内嵌汇编获取Kernel32的地址
// Resolve the base address of kernel32.dll by walking the PEB loader list,
// without calling any API (the usual first step of position-independent
// 32-bit shellcode).
//
// Returns the module base in EAX (as a DWORD). The function is naked: there is
// no prologue/epilogue and only EAX is touched, so callers treat it as a
// plain cdecl call with no arguments.
//
// Portability notes:
//  - MSVC `__asm` exists only for x86 targets; this does not build for x64.
//  - The walk assumes the in-memory module order is .exe, ntdll.dll,
//    kernel32.dll. That has held on mainstream 32-bit Windows releases but is
//    not a documented contract -- TODO confirm on the target OS before relying
//    on it.
//  - Reading fs:[30h] and following PEB->Ldr is a well-known pattern that
//    detection tooling commonly flags; expect it to be visible to EDR.
__declspec(naked) DWORD getKernel32()
{
    __asm
    {
        mov eax,fs:[30h]      // TEB->ProcessEnvironmentBlock (the PEB) on x86
        mov eax,[eax+0ch]     // PEB->Ldr (PEB_LDR_DATA)
        mov eax,[eax+14h]     // Ldr->InMemoryOrderModuleList.Flink: 1st entry (the .exe)
        mov eax,[eax]         // Flink: 2nd entry (ntdll.dll)
        mov eax,[eax]         // Flink: 3rd entry (kernel32.dll)
        mov eax,[eax+10h]     // LDR_DATA_TABLE_ENTRY.DllBase, offset taken from InMemoryOrderLinks
        ret
    }
}
18 
19 //通过kernel32基址获取GetProcAddress的地址
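// Locate the export named exactly "GetProcAddress" in the module at
// hModuleBase (expected to be the kernel32.dll base returned by getKernel32()).
//
// Walks the export directory's name table and returns the export's address,
// or NULL when hModuleBase is NULL, the module has no export directory, the
// name is not present, or the name's ordinal points outside the function
// table. The name is compared byte by byte instead of through a string
// literal so the body carries no data-section reference, which is what
// position-independent shellcode needs. 32-bit only: addresses are carried
// through DWORD.
//
// Limitations: forwarded exports (an RVA pointing back into the export
// section) are not recognised and would be returned as-is.
//
// NOTE(review): a leading underscore followed by an uppercase letter is a
// reserved identifier in C; the name is kept because callers use it.
FARPROC _GetProcAddress(HMODULE hModuleBase)
{
    if (hModuleBase == NULL) {
        return NULL;
    }

    PIMAGE_DOS_HEADER lpDosHeader = (PIMAGE_DOS_HEADER)hModuleBase;
    PIMAGE_NT_HEADERS32 lpNtHeader =
        (PIMAGE_NT_HEADERS32)((DWORD)hModuleBase + lpDosHeader->e_lfanew);
    PIMAGE_DATA_DIRECTORY lpExportDir =
        &lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];

    // A module with no export directory cannot contain the function.
    if (!lpExportDir->Size || !lpExportDir->VirtualAddress) {
        return NULL;
    }

    PIMAGE_EXPORT_DIRECTORY lpExports =
        (PIMAGE_EXPORT_DIRECTORY)((DWORD)hModuleBase + lpExportDir->VirtualAddress);
    PDWORD lpdwFunName = (PDWORD)((DWORD)hModuleBase + lpExports->AddressOfNames);
    PWORD lpword = (PWORD)((DWORD)hModuleBase + lpExports->AddressOfNameOrdinals);
    PDWORD lpdwFunAddr = (PDWORD)((DWORD)hModuleBase + lpExports->AddressOfFunctions);

    // `< NumberOfNames` rather than `<= NumberOfNames - 1`: the latter
    // underflows to 0xFFFFFFFF when a module exports nothing by name and
    // walks off the end of the name table.
    for (DWORD dwLoop = 0; dwLoop < lpExports->NumberOfNames; dwLoop++) {
        const char* pFunName = (const char*)(lpdwFunName[dwLoop] + (DWORD)hModuleBase);

        // Compare all 14 bytes and the terminator: without the terminator
        // check any longer export sharing this prefix would also match.
        if (pFunName[0] == 'G' &&
            pFunName[1] == 'e' &&
            pFunName[2] == 't' &&
            pFunName[3] == 'P' &&
            pFunName[4] == 'r' &&
            pFunName[5] == 'o' &&
            pFunName[6] == 'c' &&
            pFunName[7] == 'A' &&
            pFunName[8] == 'd' &&
            pFunName[9] == 'd' &&
            pFunName[10] == 'r' &&
            pFunName[11] == 'e' &&
            pFunName[12] == 's' &&
            pFunName[13] == 's' &&
            pFunName[14] == '\0')
        {
            WORD wOrdinal = lpword[dwLoop];
            // The name ordinal indexes AddressOfFunctions; a malformed or
            // hostile image could point past it.
            if (wOrdinal >= lpExports->NumberOfFunctions) {
                return NULL;
            }
            return (FARPROC)(lpdwFunAddr[wOrdinal] + (DWORD)hModuleBase);
        }
    }
    return NULL;
}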
61 
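// Demo: obtain the kernel32.dll base both through the loader API and through
// the PEB walk, then resolve GetProcAddress from the export table and compare
// it with the linker-provided import. Returns 0 on success, 1 when either
// manual resolution fails.
int main()
{
    // kernel32.dll base through the documented API ...
    HMODULE hLoadLibrary = LoadLibraryA("kernel32.dll");
    // ... and through the PEB walk; both should print the same value.
    HMODULE hPebKernel32 = (HMODULE)getKernel32();

    // %p instead of 0x%x: passing a pointer to %x is undefined behaviour and
    // prints a truncated value when pointers are wider than unsigned int.
    printf("LoadLibraryA动态获取的地址: %p\n", (void*)hLoadLibrary);
    printf("内嵌汇编获取的地址: %p\n", (void*)hPebKernel32);

    if (hPebKernel32 == NULL) {
        fprintf(stderr, "getKernel32() returned NULL\n");
        return 1;
    }

    // Re-declare GetProcAddress's signature so the resolved address can be
    // cast to a callable function pointer of the right type.
    typedef FARPROC(WINAPI *FN_GetProcAddress)(
            _In_ HMODULE hModule,
            _In_ LPCSTR lpProcName
        );

    FN_GetProcAddress fn_GetProcAddress =
        (FN_GetProcAddress)_GetProcAddress(hPebKernel32);
    if (fn_GetProcAddress == NULL) {
        fprintf(stderr, "_GetProcAddress() did not find GetProcAddress\n");
        return 1;
    }

    printf("动态获取GetProcAddress地址: %p\n", (void*)fn_GetProcAddress);
    printf("内置函数获取: %p\n", (void*)GetProcAddress);
    return 0;
}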

 
