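#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <iostream>
#include <windows.h>
using namespace std;

// NOTE: this program is 32-bit (x86, MSVC) only. It reads the PEB through
// fs:[30h] with inline assembly (not available on x64), and the hand-rolled
// loader structures below are the 32-bit layouts. Their field order has to
// match the ntdll of the OS it runs on; that is not verified here.

// Payload string handed to MessageBoxA as both text and caption.
// Bytes 4F 4E 44 72 61 67 6F 6E spell "ONDragon" in ASCII.
char shellcode[] =
    "\x4F\x4E\x44\x72"
    "\x61\x67\x6F\x6E";

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _PEB_LDR_DATA {
    DWORD Length;
    UCHAR Initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID EntryInProgress;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    DWORD SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    DWORD Flags;
    WORD LoadCount;
    WORD TlsIndex;
    LIST_ENTRY HashLinks;
    PVOID SectionPointer;
    DWORD CheckSum;
    DWORD TimeDateStamp;
    PVOID LoadedImports;
    PVOID EntryPointActivationContext;
    PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

// Only the leading fields up to Ldr are mirrored; nothing past Ldr is used.
typedef struct _PEB {
    UCHAR InheritedAddressSpace;
    UCHAR ReadImageFileExecOptions;
    UCHAR BeingDebugged;
    UCHAR SpareBool;
    PVOID Mutant;
    PVOID ImageBaseAddress;
    PPEB_LDR_DATA Ldr;
} PEB, *PPEB;

// ROR-7 string hash (the scheme shellcode commonly uses to find an export
// without embedding its name). Each byte is treated as unsigned so the
// result does not depend on the signedness of `char`; for ASCII export
// names this is identical to the previous char-based version.
DWORD GetHash(const char *fun_name)
{
    DWORD digest = 0;
    for (const unsigned char *p = (const unsigned char *)fun_name; *p; ++p) {
        digest = (digest << 25) | (digest >> 7); // rotate right by 7
        digest += *p;
    }
    return digest;
}

// Signature of the export we intend to call. Calling through a typed
// stdcall pointer is equivalent to the former inline-asm sequence
// (push 0 / push text / push caption / push 0 / call) and lets the compiler
// handle register preservation.
typedef int (WINAPI *MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);

// Walks the export table of the PE image mapped at `baseAddr`, prints every
// named export, and calls MessageBoxA(NULL, shellcode, shellcode, 0) through
// the export whose name is "MessageBoxA".
//
// Returns silently (printing nothing) when `baseAddr` is NULL, when the
// image does not carry valid DOS/NT signatures, or when it has no export
// directory; the previous version treated a missing export directory
// (RVA 0) as if it were located at the image base and walked garbage.
void getExporAddr(PIMAGE_DOS_HEADER baseAddr)
{
    PIMAGE_DOS_HEADER Pdos = baseAddr;
    if (Pdos == NULL || Pdos->e_magic != IMAGE_DOS_SIGNATURE) {
        return;
    }
    BYTE *base = (BYTE *)Pdos;

    PIMAGE_NT_HEADERS Pnt = (PIMAGE_NT_HEADERS)(base + Pdos->e_lfanew);
    if (Pnt->Signature != IMAGE_NT_SIGNATURE) {
        return;
    }

    // Modules without exports (most EXEs) have a zero export directory.
    if (Pnt->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT) {
        return;
    }
    const IMAGE_DATA_DIRECTORY &expDir =
        Pnt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (expDir.VirtualAddress == 0 || expDir.Size == 0) {
        return;
    }

    IMAGE_EXPORT_DIRECTORY *Export =
        (IMAGE_EXPORT_DIRECTORY *)(base + expDir.VirtualAddress);
    DWORD *AllAddress = (DWORD *)(base + Export->AddressOfFunctions);       // function RVA array
    DWORD *AllName = (DWORD *)(base + Export->AddressOfNames);              // name RVA array
    USHORT *AllOrg = (USHORT *)(base + Export->AddressOfNameOrdinals);      // ordinal array

    // Hash of the target computed once rather than on every iteration.
    const DWORD targetHash = GetHash("MessageBoxA");
    const DWORD exportStart = expDir.VirtualAddress;
    const DWORD exportEnd = expDir.VirtualAddress + expDir.Size;

    for (DWORD i = 0; i < Export->NumberOfNames; i++) {
        const char *OneName = (const char *)(base + AllName[i]);
        USHORT OneOrg = AllOrg[i];

        // The ordinal indexes AddressOfFunctions; a value past its end
        // means a corrupt/hostile table and would read out of bounds.
        if (OneOrg >= Export->NumberOfFunctions) {
            continue;
        }
        DWORD OneRva = AllAddress[OneOrg];
        BYTE *OneAddress = base + OneRva;
        printf("Name: %s, Order :%d,Address :%x\n", OneName, OneOrg,
               (unsigned)(ULONG_PTR)OneAddress);

        if (GetHash(OneName) != targetHash) {
            continue;
        }
        // A hash collision would otherwise call an unrelated export with
        // MessageBoxA's calling convention; confirm the name before calling.
        if (strcmp(OneName, "MessageBoxA") != 0) {
            continue;
        }
        // An export RVA that points inside the export directory is a
        // forwarder string ("DLL.Func"), not code - calling it would crash.
        if (OneRva >= exportStart && OneRva < exportEnd) {
            continue;
        }

        MessageBoxA_t fn = (MessageBoxA_t)OneAddress;
        fn(NULL, shellcode, shellcode, 0);
    }
}

// Enumerates every module in the process via PEB->Ldr->InMemoryOrderModuleList
// and runs getExporAddr() on each one.
int main(void)
{
    // Test module, loaded so that its exports appear in the walk below.
    // LoadLibraryA is spelled out: the narrow literal would not compile
    // with the LoadLibrary macro under UNICODE.
    HMODULE hDll = LoadLibraryA("TestDll.dll");
    if (!hDll) {
        printf("No Loading dll\n");
    }

    // 1. Fetch the current process's _PEB from fs:[30h] (x86 TEB layout).
    PPEB pPeb = NULL;
    __asm {
        mov eax, dword ptr fs:[30h]
        mov pPeb, eax
    }

    // 2. _PEB.Ldr gives the _PEB_LDR_DATA.
    PPEB_LDR_DATA pPebLdrData = pPeb->Ldr;

    // 3./4. Walk InMemoryOrderModuleList once around, from the first entry
    // back to the list head. The head itself is not a table entry and must
    // not be converted with CONTAINING_RECORD. The previous loop advanced
    // the cursor twice per iteration, so it visited only every other module,
    // could land on the list head, and could miss its own end sentinel.
    PLIST_ENTRY head = &pPebLdrData->InMemoryOrderModuleList;
    for (PLIST_ENTRY cur = head->Flink; cur != head; cur = cur->Flink) {
        // 5. Recover the _LDR_DATA_TABLE_ENTRY that embeds this link.
        PLDR_DATA_TABLE_ENTRY pLdrDataEntry =
            CONTAINING_RECORD(cur, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        DWORD baseAddr = (DWORD)(ULONG_PTR)pLdrDataEntry->DllBase;

        // 6. Print the entry and inspect the module's export table.
        printf("%S->%x\n", pLdrDataEntry->BaseDllName.Buffer, baseAddr);
        getExporAddr((PIMAGE_DOS_HEADER)pLdrDataEntry->DllBase);
    }

    if (hDll) {
        FreeLibrary(hDll);
    }
    system("pause");
    return 0;
}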