• GetKernel32Moudle and GetProcAddress


    Get the kernel32 base address and resolve an exported function from it

    #include <winternl.h>
    /*
     * Local mirror of the loader's PEB_LDR_DATA layout.
     * Declared here so that InLoadOrderModuleList is reachable by name;
     * presumably because the public PEB_LDR_DATA in winternl.h does not
     * expose that list (it only names InMemoryOrderModuleList) - verify
     * against the SDK version in use.
     * NOTE(review): this is an undocumented structure; the field order
     * below is what GetKernel32Moudle relies on, nothing here checks it.
     */
    typedef struct _MY_PEB_LDR_DATA {
        ULONG Length;
        BOOL Initialized;
        PVOID SsHandle;
        LIST_ENTRY InLoadOrderModuleList;            /* used by GetKernel32Moudle */
        LIST_ENTRY InMemoryOrderModuleList;
        LIST_ENTRY InInitializationOrderModuleList;
    } MY_PEB_LDR_DATA, * PMY_PEB_LDR_DATA;
    /*
     * Local mirror of the loader's LDR_DATA_TABLE_ENTRY, one per loaded module.
     * Each InLoadOrderModuleList node points at the InLoadOrderLinks member,
     * which is why the code below casts a LIST_ENTRY pointer straight to this
     * type (InLoadOrderLinks is at offset 0).
     * Only DllBase is read by the code on this page; FullDllName/BaseDllName
     * are declared but never compared, so no module is ever identified by name.
     */
    typedef struct _MY_LDR_DATA_TABLE_ENTRY
    {
        LIST_ENTRY InLoadOrderLinks;                 /* must stay at offset 0 */
        LIST_ENTRY InMemoryOrderLinks;
        LIST_ENTRY InInitializationOrderLinks;
        PVOID DllBase;                               /* image base returned by GetKernel32Moudle */
        PVOID EntryPoint;
        ULONG SizeOfImage;
        UNICODE_STRING FullDllName;
        UNICODE_STRING BaseDllName;                  /* unused here; could be used to verify the module */
    } MY_LDR_DATA_TABLE_ENTRY, * PMY_LDR_DATA_TABLE_ENTRY;
    
    /*
     * Return the image base of kernel32.dll by walking the PEB loader list,
     * i.e. without any import-table reference to the function that finds it.
     *
     * The PEB is read from the TEB (gs:[0x60] on x64, fs:[0x30] on x86), then
     * the InLoadOrderModuleList is followed for exactly two hops from its first
     * entry. The two hops are assumed (per the original comments) to land on
     * ntdll.dll and then kernel32.dll; BaseDllName is never compared, so the
     * result is only correct while that load order holds.
     *
     * NOTE(review): no NULL checks on Ldr or on the list links; a partially
     * initialised process would fault here.
     * From a defensive standpoint this is the classic "resolve kernel32 via the
     * PEB" pattern: static import analysis will not show the API usage, which is
     * why scanners and EDR rules look for the TEB/PEB read and the list walk.
     */
    LPBYTE  GetKernel32Moudle() {
    #ifdef _WIN64
        PPEB PebAddress = (PPEB)__readgsqword(0x60);   /* TEB->ProcessEnvironmentBlock on x64 */
    #else
        PPEB PebAddress = (PPEB)__readfsdword(0x30);   /* TEB->ProcessEnvironmentBlock on x86 */
    #endif // _WIN64
        PMY_PEB_LDR_DATA pLdr = (PMY_PEB_LDR_DATA)PebAddress->Ldr;
        /* Flink of the list head points at the first entry's InLoadOrderLinks (offset 0). */
        PMY_LDR_DATA_TABLE_ENTRY pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY)pLdr->InLoadOrderModuleList.Flink;//InLoadOrderLinks
        pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY)pDataTableEntry->InLoadOrderLinks.Flink;//-->ntdll.dll (assumed by position, not checked)
        pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY)pDataTableEntry->InLoadOrderLinks.Flink;//kernel32.dll (assumed by position, not checked)
        return (LPBYTE)pDataTableEntry->DllBase;
    }
    
    
    
    
    /*
     * Resolve an exported symbol by name directly from a mapped PE image,
     * a re-implementation of GetProcAddress that does not call the API.
     *
     * hModule     image base of an already-mapped module (as returned by
     *             GetKernel32Moudle); the export table is read in place,
     *             so RVAs are simply added to this base.
     * lpProcName  NUL-terminated ASCII export name to look up.
     * Returns     the export's virtual address, or NULL when either argument
     *             is NULL, the image has no export directory, it exports no
     *             names, or the name is not found.
     *
     * NOTE(review): nothing here is bounds-checked. e_lfanew, the export
     * directory RVA, AddressOfNames/AddressOfFunctions/AddressOfNameOrdinals
     * and every ordinal index are trusted as-is; the DOS/NT magic values are
     * not verified either. On a corrupt or unexpected image this reads out of
     * bounds. Forwarded exports are also not handled: for those the returned
     * pointer presumably lands on the forwarder string inside the export
     * directory rather than on code - confirm before relying on the result.
     * strcmp requires <string.h>, which this page does not include.
     *
     * The commented-out rva2ofs() calls are remnants of a variant that parsed
     * a file on disk (RVA -> file offset); they do not apply to an in-memory
     * image.
     */
    LPVOID GetProcAddress2(LPBYTE hModule, LPCSTR lpProcName)
    {
        PIMAGE_DOS_HEADER       dos;
        PIMAGE_NT_HEADERS       nt;
        PIMAGE_DATA_DIRECTORY   dir;
        PIMAGE_EXPORT_DIRECTORY exp;
        DWORD                   rva, ofs, cnt;
        PCHAR                   str;
        PDWORD                  adr, sym;
        PWORD                   ord;
        if (hModule == NULL || lpProcName == NULL) return NULL;
        dos = (PIMAGE_DOS_HEADER)hModule;
        nt = (PIMAGE_NT_HEADERS)(hModule + dos->e_lfanew);   /* e_lfanew not range-checked */
        dir = (PIMAGE_DATA_DIRECTORY)nt->OptionalHeader.DataDirectory;
        // no exports? exit
        rva = dir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
        if (rva == 0) return NULL;
        //ofs = rva2ofs(nt, rva);
        //if (ofs == -1) return NULL;
        // no exported symbols? exit
        exp = (PIMAGE_EXPORT_DIRECTORY)(rva + hModule);
        cnt = exp->NumberOfNames;
        if (cnt == 0) return NULL;           /* also keeps the do/while below from underflowing cnt */
        // read the array containing address of api names
        //ofs = rva2ofs(nt, exp->AddressOfNames);
        //if (ofs == -1) return NULL;
        sym = (PDWORD)(exp->AddressOfNames + hModule);          /* RVAs of name strings */
        // read the array containing address of api
       /* ofs = rva2ofs(nt, exp->AddressOfFunctions);
        if (ofs == -1) return NULL;*/
        adr = (PDWORD)(exp->AddressOfFunctions + hModule);      /* RVAs of export addresses, indexed by ordinal */
        // read the array containing list of ordinals
        //ofs = rva2ofs(nt, exp->AddressOfNameOrdinals);
        //if (ofs == -1) return NULL;
        ord = (PWORD)(exp->AddressOfNameOrdinals + hModule);    /* name index -> function index */
        // scan symbol array for api string, from the last name down to the first
        do {
            str = (PCHAR)(sym[cnt - 1] + hModule);
            // found it?
            if (strcmp(str, lpProcName) == 0) {
                // return the address: name index -> ordinal -> function RVA -> VA
                return (LPVOID)(adr[ord[cnt - 1]] + hModule);
            }
        } while (--cnt);
        return NULL;
    }

    函数有了,shellcode就简单了0.0

  • 原文地址:https://www.cnblogs.com/DirWang/p/15314928.html