ansi c x64 shellcode template
ansi c语言 x64的shellcode 模板 未详细测试
#ifndef BYTE
/* Minimal stand-ins for the Windows SDK integer typedefs so this file builds
 * without <windows.h>.  The `unsigned __intN` spellings are MSVC-only; any
 * other compiler would need <stdint.h> equivalents. */
#define BYTE unsigned __int8
#endif
#ifndef WORD
#define WORD unsigned __int16
#endif
#ifndef LONG
/* NOTE(review): winnt.h's LONG is a signed 32-bit `long`; here it is unsigned.
 * The only LONG field on this page (e_lfanew) is used as a positive offset,
 * so this is unlikely to matter, but it diverges from the SDK. */
#define LONG unsigned __int32
#endif
#ifndef DWORD
#define DWORD unsigned __int32
#endif
#ifndef ULONGLONG
#define ULONGLONG unsigned __int64
#endif
/* PE data-directory indices (same values as winnt.h).  Only the export entry
 * (index 0) is consulted on this page.  Note the guard keys on
 * IMAGE_NUMBEROF_DIRECTORY_ENTRIES alone: if that macro is already defined,
 * none of the IMAGE_DIRECTORY_ENTRY_* names below are defined either. */
#ifndef IMAGE_NUMBEROF_DIRECTORY_ENTRIES
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
// IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
#endif
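/* DOS stub header at the start of every PE image.  Only e_magic ("MZ") and
 * e_lfanew (offset of the PE signature) are read on this page.
 * e_res and e_res2 are arrays, as winnt.h declares them; with both collapsed
 * to single WORDs (as this page originally had) e_lfanew sat at offset 0x24
 * instead of 0x3C and every header lookup would have read the wrong field.
 * The #ifndef tests a macro that nothing defines (it is a struct-tag name),
 * so this typedef does not coexist with <windows.h>. */
#ifndef _IMAGE_DOS_HEADER
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
    WORD e_magic;    // Magic number ("MZ")
    WORD e_cblp;     // Bytes on last page of file
    WORD e_cp;       // Pages in file
    WORD e_crlc;     // Relocations
    WORD e_cparhdr;  // Size of header in paragraphs
    WORD e_minalloc; // Minimum extra paragraphs needed
    WORD e_maxalloc; // Maximum extra paragraphs needed
    WORD e_ss;       // Initial (relative) SS value
    WORD e_sp;       // Initial SP value
    WORD e_csum;     // Checksum
    WORD e_ip;       // Initial IP value
    WORD e_cs;       // Initial (relative) CS value
    WORD e_lfarlc;   // File address of relocation table
    WORD e_ovno;     // Overlay number
    WORD e_res[4];   // Reserved words
    WORD e_oemid;    // OEM identifier (for e_oeminfo)
    WORD e_oeminfo;  // OEM information; e_oemid specific
    WORD e_res2[10]; // Reserved words
    LONG e_lfanew;   // File address of new exe header (offset 0x3C)
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
#endif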
/* COFF file header, laid out as in winnt.h.  The guard below tests a macro
 * named after the typedef; typedef names are not macros, so the #ifndef is
 * always taken and including <windows.h> alongside this file would redefine
 * the type (the same holds for every guard in this group). */
#ifndef IMAGE_FILE_HEADER
typedef struct _IMAGE_FILE_HEADER {
    WORD Machine;              /* target architecture */
    WORD NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD SizeOfOptionalHeader; /* size of the optional header that follows */
    WORD Characteristics;      /* IMAGE_FILE_* flags */
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
#endif
/* One data-directory slot: RVA (relative to the image base) plus size.
 * Same non-working #ifndef guard as the other typedefs on this page. */
#ifndef IMAGE_DATA_DIRECTORY
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress; /* RVA of the table, 0 if absent */
    DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
#endif
/* PE32+ optional header (Magic == 0x20B).
 * NOTE(review): winnt.h declares the last member as
 * `DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]`.  With a single entry
 * here, sizeof differs from the SDK's and only the export directory
 * (index 0) is addressable — which happens to be the one GetProcAddress()
 * on this page reads, so that lookup works by coincidence.  Kept as shown
 * because that code accesses `DataDirectory.VirtualAddress` as a scalar. */
#ifndef IMAGE_OPTIONAL_HEADER64
typedef struct _IMAGE_OPTIONAL_HEADER64 {
    WORD Magic;                  /* 0x20B for PE32+ */
    BYTE MajorLinkerVersion;
    BYTE MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;   /* RVA */
    DWORD BaseOfCode;
    ULONGLONG ImageBase;         /* preferred load address */
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD MajorOperatingSystemVersion;
    WORD MinorOperatingSystemVersion;
    WORD MajorImageVersion;
    WORD MinorImageVersion;
    WORD MajorSubsystemVersion;
    WORD MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD Subsystem;
    WORD DllCharacteristics;
    ULONGLONG SizeOfStackReserve;
    ULONGLONG SizeOfStackCommit;
    ULONGLONG SizeOfHeapReserve;
    ULONGLONG SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;   /* how many DataDirectory entries are valid; not checked by GetProcAddress() */
    IMAGE_DATA_DIRECTORY DataDirectory; /* see note above: an array in the SDK */
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
#endif
/* PE signature plus the two headers that follow it, found at
 * base + IMAGE_DOS_HEADER.e_lfanew.  Same non-working #ifndef guard as the
 * other typedefs on this page. */
#ifndef IMAGE_NT_HEADERS64
typedef struct _IMAGE_NT_HEADERS64 {
    DWORD Signature;                       /* "PE\0\0" == 0x00004550 */
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
#endif
/* Export directory (data-directory entry 0).  The three tables are parallel
 * arrays of RVAs: AddressOfNames[i] names an export, AddressOfNameOrdinals[i]
 * gives the index into AddressOfFunctions for that name.  Only NumberOfNames
 * and the three table RVAs are read on this page; NumberOfFunctions and Base
 * (needed for ordinal lookups) are not used.
 * Same non-working #ifndef guard as the other typedefs on this page. */
#ifndef IMAGE_EXPORT_DIRECTORY
typedef struct _IMAGE_EXPORT_DIRECTORY {
    DWORD Characteristics;
    DWORD TimeDateStamp;
    WORD MajorVersion;
    WORD MinorVersion;
    DWORD Name;                 /* RVA of the DLL's own name */
    DWORD Base;                 /* first ordinal number */
    DWORD NumberOfFunctions;    /* entries in AddressOfFunctions */
    DWORD NumberOfNames;        /* entries in AddressOfNames / AddressOfNameOrdinals */
    DWORD AddressOfFunctions;   // RVA from base of image
    DWORD AddressOfNames;       // RVA from base of image
    DWORD AddressOfNameOrdinals;// RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
#endif
/* Hand-rolled UNICODE_STRING with abbreviated field names:
 *   u = Length in bytes (without the terminator),
 *   m = MaximumLength in bytes (buffer size),
 *   r = explicit padding so that B is 8-byte aligned on x64,
 *   B = pointer to the UTF-16 buffer.
 * This mirrors the native layout (USHORT, USHORT, pad, PWSTR).  Only
 * s_ldrLoadDll() fills one.  Same non-working #ifndef guard as above. */
#ifndef UNICODE_STRING
typedef struct
{
    __int16 u;   /* Length */
    __int16 m;   /* MaximumLength */
    __int32 r;   //align 8 (padding before the pointer)
    __int16* B;  /* Buffer */
}UNICODE_STRING;
#endif
/***********************************************************************/
/* shell code start */
/* linker command must append /MERGE:S_CODE=S_DATA /SECTION:S_DATA,RWE */
/***********************************************************************/
/* Forward declarations for everything that becomes part of the blob.
 * strlen/strcmp deliberately reuse the CRT names so that no library import is
 * needed; these prototypes stand in for the CRT's (no <string.h> or any other
 * #include is visible on this page).  mainCRTStartup() is the only host-side
 * code and is not listed here. */
int shell_start();
int s_ldrLoadDll();
void GetRing3Base();
int strlen(char *);
int strcmp(char *,char *);
__int64 GetProcAddress(__int64 base,char* FuncName);
/* Put each function in section S_CODE.  The linker line quoted above merges
 * S_CODE into S_DATA and marks it RWE, i.e. one writable+executable section
 * holding code and data together.  That is what makes the blob self-contained;
 * it is also a well-known static indicator (W+X section), so expect scanners
 * to flag the resulting binary. */
#pragma alloc_text(S_CODE,shell_start)
#pragma alloc_text(S_CODE,s_ldrLoadDll)
#pragma alloc_text(S_CODE,GetRing3Base)
#pragma alloc_text(S_CODE,GetProcAddress)
#pragma alloc_text(S_CODE,strlen)
#pragma alloc_text(S_CODE,strcmp)
/*shellcode Global DATA*/
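#define SHELLCODE_SEG "S_DATA"
#pragma data_seg(SHELLCODE_SEG)
/* Everything between the data_seg pragmas lives in S_DATA, so the blob's
 * strings and pointers travel with the code instead of landing in .data/.rdata.
 * NOTE(review): the parameter list of this function-pointer typedef names
 * identifiers rather than types (an identifier list is only valid in a
 * function definition, C11 6.7.6.3p3); it is kept as the page shows it —
 * verify against the real LdrLoadDll prototype.  `_imp__` also contains a
 * double underscore, which is a reserved identifier spelling. */
typedef int (*_imp__LdrLoadDll)(PathToFile,Flags,ModuleFileName,ModuleHandle);
_imp__LdrLoadDll pLdrLoadDll=0;   /* set by shell_start() */
__int64 k_Base=0;                 /* filled by GetRing3Base() */
__int64 n_Base=0;                 /* filled by GetRing3Base(); used as the ntdll base by shell_start() */
char sLdrLoadDll[]="LdrLoadDll";  /* export name shell_start() resolves */
/* Was `__int16sUser32[]`: the type and the name had run together, leaving an
 * undeclared identifier. */
__int16 sUser32[]=L"user32.dll";  /* wide module name handed to LdrLoadDll */
#pragma data_seg()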
/* shellcode entry */
/*
 * Blob entry point: resolve LdrLoadDll from the image whose base is in
 * n_Base, store it in pLdrLoadDll, then hand off to s_ldrLoadDll().  The
 * return value is what the caller observes.
 * Preconditions visible here: n_Base must already hold a valid image base
 * (GetRing3Base() is not called from this path; on this page only
 * mainCRTStartup() calls it), and a failed lookup (0) is not checked before
 * the pointer is used.
 */
int shell_start()
{
    pLdrLoadDll=(_imp__LdrLoadDll)GetProcAddress(n_Base,(char*)&sLdrLoadDll);
    return s_ldrLoadDll();//Used by GetThreadExitCode
}
/*get kernel32 and ntdll base*/
/*
 * Find two loaded-module bases from the loader's module list without using
 * any import.  x64-only: every constant is a hard-coded structure offset
 * (TEB -> PEB, PEB -> Ldr, one of the module-list heads, then the DllBase
 * slot of each list entry) and no pointer in the chain is validated, so a
 * layout change between OS releases reads garbage rather than failing.
 * Results: n_Base gets the first entry's base (ntdll, per the comment above);
 * k_Base gets the base of the entry two Flink hops further along.
 * NOTE(review): which module sits at that position is OS-version dependent —
 * confirm it is kernel32 on every target before relying on it.
 * __readgsqword() is the MSVC intrinsic for GS:[offset]; it is presumably
 * declared via <intrin.h>, which is not included on this page — verify.
 */
void GetRing3Base()
{
    __int64 p;
    /* p = first entry of the module list reached via TEB+0x30 -> +0x60 -> +0x18 -> +0x30 */
    p=*(__int64*)(*(__int64*)(*(__int64 *)(__readgsqword(0x30)+0x60)+0x18)+0x30);
    n_Base=*(__int64*)(p+0x10);                             /* first entry's base */
    k_Base=*(__int64*)(*(__int64*)(*(__int64*)p)+0x10);     /* entry two links later */
}
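/*
 * Length of a NUL-terminated string, written as a bare loop so the blob
 * carries no CRT import (the name intentionally matches the C library one;
 * the prototype above stands in for the CRT's).
 * Returns the number of bytes before the first '\0'; 0 for "" and for a
 * null pointer.  The loop previously did not advance or index
 * (`for(;s;);`), which spun forever on any non-null input.
 */
int strlen(char* s)
{
    int i = 0;
    if (s) {
        while (s[i] != '\0') {
            i++;
        }
    }
    return i;
}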
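/*
 * Compare two NUL-terminated strings without touching the CRT.
 * Returns 0 when the strings are identical, otherwise the difference of the
 * first pair of bytes that differ (as unsigned chars), so the sign follows
 * the C library convention.  Callers on this page only test for 0, which the
 * original also guaranteed (it returned -1 on differing lengths, 0 on equal).
 * A null pointer on either side compares as the empty string.
 * No string literals or helper calls are used, so nothing is placed outside
 * the S_CODE/S_DATA sections; the original also read an uninitialised
 * local (`t|=-1`).
 */
int strcmp(char* s1,char* s2)
{
    const unsigned char *a = (const unsigned char *)s1;
    const unsigned char *b = (const unsigned char *)s2;
    /* Null-safe path: treat a missing side as "" without dereferencing it. */
    if (!a || !b) {
        return (a ? (int)*a : 0) - (b ? (int)*b : 0);
    }
    while (*a != '\0' && *a == *b) {
        a++;
        b++;
    }
    return (int)*a - (int)*b;
}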
/* */
/*
 * Look up an exported function by name in the PE32+ image mapped at `base`.
 * Import-free by design.  Returns the function's virtual address, or 0 when
 * the image lacks the MZ / PE / PE32+ magic or the name is not in the export
 * name table.
 *
 * Review notes (all visible in the code below, none fixed here):
 *  - Trust boundary: e_lfanew, NumberOfNames and every RVA are used unchecked,
 *    so a malformed image sends the reads out of bounds.  Only acceptable for
 *    modules the loader itself mapped.
 *  - NumberOfRvaAndSizes is never consulted and a zero export RVA is not
 *    rejected, so an image without exports is "parsed" at its own base.
 *  - Forwarded exports (function RVA pointing back into the export directory)
 *    are not recognised; the result would then point at a string, not code.
 *  - Several subscripts appear to be missing (per-line notes below), so the
 *    loop as shown cannot match a caller-supplied name and does not type-check.
 */
__int64 GetProcAddress(__int64 base,char* FuncName)
{
    __int64 addr=0;                   /* result; 0 = not found / bad headers */
    __int32* AddressOfNames;          /* table of name RVAs */
    __int32* AddressOfFunctions;      /* table of entry-point RVAs */
    __int16* AddressOfNameOrdinals;   /* name index -> function-table index */
    int i,n,t;
    char* Dst;
    char* Src;
    IMAGE_DOS_HEADER* DOS_HEADER;
    IMAGE_NT_HEADERS64* NT_HEADER;
    IMAGE_OPTIONAL_HEADER64*OptionalHeader;
    IMAGE_EXPORT_DIRECTORY* Export;
    DOS_HEADER=(IMAGE_DOS_HEADER*)(__int64)base;
    /* 'ZM' and 'EP' are MSVC multi-character constants: 0x5A4D ("MZ" in
       memory) and 0x4550 ("PE\0\0" as a little-endian DWORD).  Their value
       is implementation-defined; other compilers may pack them differently. */
    if (DOS_HEADER->e_magic!='ZM') goto done;
    NT_HEADER = (IMAGE_NT_HEADERS64*)((__int64)DOS_HEADER +(__int64)DOS_HEADER->e_lfanew);
    if (NT_HEADER->Signature!='EP') goto done;
    OptionalHeader=&NT_HEADER->OptionalHeader;
    if (OptionalHeader->Magic!=0x20B) goto done;//pe 64
    /* Export directory = image base + RVA of data-directory entry 0.
       (DataDirectory is a single struct in this file's typedef, hence the
       `.` access; the SDK declares it as an array.) */
    Export = (IMAGE_EXPORT_DIRECTORY*)(\
    (__int64)DOS_HEADER + \
    (__int64)(OptionalHeader->DataDirectory.VirtualAddress)\
    );
    t=Export->NumberOfNames;
    AddressOfNameOrdinals =(__int16*)((__int64)DOS_HEADER + (__int64)Export->AddressOfNameOrdinals);
    AddressOfNames =(__int32*)((__int64)DOS_HEADER + (__int64)Export->AddressOfNames);
    AddressOfFunctions =(__int32*)((__int64)DOS_HEADER + (__int64)Export->AddressOfFunctions);
    Src=FuncName;
    for (i=0;i<t;i++)
    {
        /* NOTE(review): adds the whole table pointer to the base instead of
           the i-th entry's RVA — the subscript on AddressOfNames looks lost. */
        Dst=(char*)((__int64)DOS_HEADER + AddressOfNames);
        /* NOTE(review): compares the two *pointers*, so strcmp() only runs
           when FuncName already aliases the name-table string; as a per-entry
           check this can never match a caller-supplied name. */
        if (Dst==Src&& strcmp(Src,Dst)==0)
        {
            /* NOTE(review): stores a pointer into an int and adds a table
               pointer to the base; the ordinal subscript and the use of n as
               the function-table index look lost as well. */
            n=AddressOfNameOrdinals;
            addr=(__int64)DOS_HEADER+AddressOfFunctions;
            goto done;
        }
    }
done:
    return addr;
}
/*main proc*/
/*
 * Load user32.dll through the LdrLoadDll pointer resolved by shell_start().
 * sMod is built by hand as a UNICODE_STRING over the in-section sUser32
 * buffer: u = byte length without the terminator, m = full buffer size,
 * B = the buffer.  hMod only serves as 8 bytes of output storage — its
 * address is passed and the loader writes the handle there.
 * Returns whatever LdrLoadDll returns (presumably an NTSTATUS; not checked).
 * Precondition: pLdrLoadDll != 0.  A failed lookup in shell_start() would
 * make this an indirect call through a null pointer.
 */
int s_ldrLoadDll()
{
    __int64* hMod;
    UNICODE_STRING sMod;
    sMod.u=sizeof(sUser32)-sizeof(__int16); /* Length: exclude the wide terminator */
    sMod.m=sizeof(sUser32);                 /* MaximumLength: whole buffer */
    sMod.B=(__int16*)&sUser32;
    /* Argument order follows the typedef: (PathToFile, Flags, ModuleFileName, ModuleHandle) */
    return (*pLdrLoadDll)(0,0,&sMod,&hMod);
}
#pragma data_seg(SHELLCODE_SEG)
/* Last object placed in S_DATA; mainCRTStartup() measures the blob as the
 * distance from shell_start to here, which relies on the linker keeping this
 * object after all the merged code. */
int shell_end=0; //end sign
#pragma data_seg()
/* shell code End */
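/*
 * Host-side driver and program entry point for the console build; it runs
 * outside the shellcode sections.  Prints the two module bases found by
 * GetRing3Base(), the size in bytes of the S_CODE/S_DATA blob, and the
 * address the in-file GetProcAddress() resolves for LdrLoadDll.
 * Always returns 0.
 * NOTE(review): no #include is visible on this page, so printf()/system()
 * are implicitly declared here; <stdio.h> and <stdlib.h> belong at the top
 * of the file.  The return type was implicit int (removed in C99) and the
 * function fell off the end without a return.
 */
int mainCRTStartup(void)
{
    GetRing3Base();
    printf("kernel32 base 0x%0I64X\n ntdll base 0x%0I64X\n",k_Base,n_Base);
    /* Measure in bytes: subtracting int* pointers (as before) yields a count
       of 4-byte units, not bytes.  The difference between two unrelated
       objects is still only meaningful because the linker places shell_end
       after the merged code. */
    printf("shellcode length = %I64d\n",(__int64)((char*)&shell_end-(char*)shell_start));
    printf("LdrLoadDll addr = 0x%0I64X\n",GetProcAddress(n_Base,"LdrLoadDll"));
    system("pause");
    return 0;
}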
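@echo off
rem Build loop for the x64 template: compile, link with S_CODE merged into
rem S_DATA as a single RWE section (required by the source), pause, repeat.
:re
cls
echo /*********************************************/
echo / /
echo /*********************************************/
.\tools\AMD64\cl.exe .\src\hello_world.c /Fa"Debug\hello_world.asm" /Fo"Debug\hello_world.obj" /c /MD
echo /*********************************************/
echo / /
echo /*********************************************/
rem A space was missing between the second /LIBPATH and /OUT, which ran the
rem two options together into one LIBPATH argument.
.\tools\AMD64\link.exe .\Debug\hello_world.obj /MERGE:S_CODE=S_DATA /SECTION:S_DATA,RWE /LIBPATH:".\lib\win7\amd64" /LIBPATH:".\lib\Crt\amd64" /OUT:"Debug\hello_world_amd64_win7.exe" /NOLOGO /SUBSYSTEM:CONSOLE /MACHINE:AMD64 "kernel32.lib"
echo /*********************************************/
echo / /
echo /*********************************************/
pause
goto re
rem Alternative link options kept from the original (was a bare ";" line, which
rem cmd does not treat as a comment; unreachable after the goto anyway):
rem /driver /base:0x10000 /align:32 /subsystem:native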
前面那些定义,其实可以直接用windows.h的