0x7 ShellCode编写
一、什么是shellcode?
不依赖环境,放到任何地方都可以执行的机器码(硬编码)。
二、编写规则
- 不能有全局变量(在全局区)
- 不能使用常量字符串(在常量区)
- 不能按固定地址直接调用系统API(每台机器上同一函数的地址不一定相同,必须在运行时动态获取)
- 不能调用其他自定义函数(被调用的函数不在抠出来的那段代码范围内)
三、写一个符合上述规则的函数
所有版本的windows系统均可用,但要注意kernel32.dll在模块列表中的大小写(见下面两个字符串)
//vc6加上
//#include "stdafx.h"
#include "windows.h"
#include <stdio.h>
// Function-pointer types for the APIs the demo resolves at run time.
// NOTE(review): LPCTSTR is char* only in a non-UNICODE build; the demo passes
// plain char arrays, so it assumes that build setting.
// These three are re-declared (shadowed) by identical local typedefs inside ShellCode().
typedef int (WINAPI *PMESSAGEBOX)(HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType); // MessageBoxA function pointer
typedef FARPROC (WINAPI *PGETPROCADDRESS)(HMODULE hMoudule,LPCTSTR lpProcName); // GetProcAddress function pointer
typedef HMODULE (WINAPI *PLOADLIBRARY)(LPCTSTR lpFileName); // LoadLibraryA function pointer
//下面的结构前面都讲过了
// Counted UTF-16 string as used by the loader. Length/MaximumLength are byte
// counts and Buffer is not guaranteed to be NUL-terminated.
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
}UNICODE_STRING, *PUNICODE_STRING;
// 32-bit layout of PEB->Ldr (partial). ShellCode() only uses
// InLoadOrderModuleList at +0x0c; the "add eax,0x0C" in its asm block
// depends on that offset, so the field order here must not change.
typedef struct _PEB_LDR_DATA
{
ULONG Length; // +0x00
BOOLEAN Initialized; // +0x04
PVOID SsHandle; // +0x08
LIST_ENTRY InLoadOrderModuleList; // +0x0c
LIST_ENTRY InMemoryOrderModuleList; // +0x14
LIST_ENTRY InInitializationOrderModuleList;// +0x1c
PVOID EntryInProgress; // +0x24
} PEB_LDR_DATA,*PPEB_LDR_DATA;
// 32-bit layout of one loader list entry. The three LIST_ENTRY pairs link
// the entry into the three lists of PEB_LDR_DATA. ShellCode() reads only
// InLoadOrderLinks, DllBase and BaseDllName; every field before them must keep
// its position so the offsets match the running OS.
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderLinks; // first field: a list Flink can be cast straight to an entry pointer
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase; // image base of the module (used as dwKernelBase)
PVOID EntryPoint;
UINT32 SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName; // file name only, e.g. kernel32.dll / KERNEL32.DLL
UINT32 Flags;
WORD LoadCount;
WORD TlsIndex;
LIST_ENTRY HashLinks;
PVOID SectionPointer;
UINT32 CheckSum;
UINT32 TimeDateStamp;
PVOID LoadedImports;
PVOID EntryPointActivationContext;
PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
/*
 * Demo position-independent payload (32-bit x86, MSVC inline asm; the
 * fs:[0x30] read and the __asm block are not valid in an x64 build).
 *
 * Steps, each visible in the body below:
 *   1. Read the PEB from fs:[0x30], take PEB->Ldr and walk its
 *      InLoadOrderModuleList (offset +0x0c in _PEB_LDR_DATA).
 *   2. Compare each entry's BaseDllName against "kernel32.dll" and
 *      "KERNEL32.DLL" (casing differs between Windows versions) and keep
 *      that entry's DllBase.
 *   3. Walk kernel32's export directory by name to find GetProcAddress.
 *   4. Use GetProcAddress to fetch LoadLibraryA, load USER32.dll, fetch
 *      MessageBoxA and show one message box.
 *
 * Every string is a local char array and no other function of this file is
 * called, so the compiled body has no references outside itself (the rules in
 * section 2).
 *
 * Returns 1 after the message box was shown, 0 if kernel32.dll was not found
 * in the module list.
 * NOTE(review): if the export scan does not find GetProcAddress the call
 * through pGetProcAddress below goes through a NULL pointer; not handled here.
 */
DWORD ShellCode()
{
typedef int (WINAPI *PMESSAGEBOX)(HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType); // MessageBoxA function pointer
typedef FARPROC (WINAPI *PGETPROCADDRESS)(HMODULE hMoudule,LPCTSTR lpProcName); // GetProcAddress function pointer
typedef HMODULE (WINAPI *PLOADLIBRARY)(LPCTSTR lpFileName); // LoadLibraryA function pointer
LDR_DATA_TABLE_ENTRY *pPLD = NULL,*pBeg = NULL;
PGETPROCADDRESS pGetProcAddress = NULL;
PMESSAGEBOX pMessageBox = NULL;
PLOADLIBRARY pLoadLibrary = NULL;
WORD *pFirstWin10 = NULL,*pFirst = NULL,*pLast = NULL;
DWORD ret = 0, i = 0; // unused; kept because the byte dump below was produced from this exact body
DWORD dwKernelBase = 0;
// Names of the DLLs / functions this code needs, built as local arrays so
// they are not placed in the constant section.
char Win10szKernel32[] = {'K',0,'E',0,'R',0,'N',0,'E',0,'L',0,'3',0,'2',0,'.',0,'D',0,'L',0,'L',0,0,0};// Win10: BaseDllName is all upper-case "KERNEL32.DLL" (UTF-16LE, hence the 0 after each char)
char szKernel32[] = {'k',0,'e',0,'r',0,'n',0,'e',0,'l',0,'3',0,'2',0,'.',0,'d',0,'l',0,'l',0,0,0};// XP / Win7: all lower-case "kernel32.dll" (the original comment said upper-case; the bytes are lower-case)
char szUser32[] = {'U','S','E','R','3','2','.','d','l','l',0};
char szGetProcAddr[] = {'G','e','t','P','r','o','c','A','d','d','r','e','s','s',0};
char szLoadLibrary[] = {'L','o','a','d','L','i','b','r','a','r','y','A',0};
char szMessageBox[] = {'M','e','s','s','a','g','e','B','o','x','A',0};
// From section 5 of the course:
// reach the module list TEB->PEB->_PEB_LDR_DATA->_LDR_DATA_TABLE_ENTRY
__asm
{
mov eax,fs:[0x30] // PEB (fs: addresses the TEB in 32-bit mode)
mov eax,[eax+0xC] // PEB->Ldr
add eax,0x0C // address of _PEB_LDR_DATA->InLoadOrderModuleList, the list head
mov pBeg,eax
mov eax,[eax] // Flink of the head: the first LDR_DATA_TABLE_ENTRY
mov pPLD,eax
}
// Walk the circular list until it wraps back to the head, looking for kernel32.dll
while (pPLD != pBeg)
{
DWORD flag1 = 0; // set once szKernel32 has diverged from the entry name
DWORD flag2 = 0; // set once Win10szKernel32 has diverged from the entry name
pLast = (PWORD)pPLD->BaseDllName.Buffer;
pFirstWin10 = (PWORD)Win10szKernel32;
pFirst = (PWORD)szKernel32;
// Compare both candidates against the entry name one UTF-16 unit at a time
// and stop early once both have diverged.
// NOTE(review): relies on BaseDllName.Buffer being NUL-terminated (a
// UNICODE_STRING does not guarantee that) and checks only the 12 characters
// of the candidates, so a longer name starting with "kernel32.dll" would also match.
while(*pFirst || *pFirstWin10)
{
if (*pFirst != *pLast)
{
flag1 = 1;
}
if (*pFirstWin10 != *pLast)
{
flag2 = 1;
}
if (flag1 == 1 && flag2 ==1)
{
break;
}
pFirstWin10++;
pFirst++;
pLast++;
}
// Found if at least one candidate matched to its end (the flags are not both 1)
if (!(flag1 & flag2) )
{
dwKernelBase = (DWORD)pPLD->DllBase;
break;
}
pPLD = (PLDR_DATA_TABLE_ENTRY)pPLD->InLoadOrderLinks.Flink;
}
if (!dwKernelBase)
{
// Do not call printf here: it would be a call outside the copied code.
// (The original kept a commented-out printf explaining the casing difference:
//  KERNEL32.DLL (upper-case) on Win10, kernel32.dll (lower-case) on Win7/XP.)
return 0;
}
// PE-format part:
// walk kernel32.dll's EXPORT table by name to find the address of GetProcAddress.
// DataDirectory[0] is IMAGE_DIRECTORY_ENTRY_EXPORT (the original comment said
// "import table"; the code reads the export directory).
PIMAGE_DOS_HEADER pIDH = (PIMAGE_DOS_HEADER)(dwKernelBase);
PIMAGE_NT_HEADERS pINGS = (PIMAGE_NT_HEADERS)((DWORD)dwKernelBase + pIDH->e_lfanew);
PIMAGE_EXPORT_DIRECTORY pIED = (PIMAGE_EXPORT_DIRECTORY)((DWORD)dwKernelBase + pINGS->OptionalHeader.DataDirectory[0].VirtualAddress);
PDWORD pAddOfFun_Raw = (PDWORD)((DWORD)dwKernelBase + pIED->AddressOfFunctions); // function RVAs
PWORD pAddOfOrd_Raw = (PWORD)((DWORD)dwKernelBase + pIED->AddressOfNameOrdinals); // name index -> function index
PDWORD pAddOfNames_Raw = (PDWORD)((DWORD)dwKernelBase + pIED->AddressOfNames); // name string RVAs
DWORD dwCnt = 0;
char* pFinded = NULL,*pSrc = szGetProcAddr;
for (;dwCnt<pIED->NumberOfNames;dwCnt++)
{
pFinded = (char*)((DWORD)dwKernelBase + pAddOfNames_Raw[dwCnt]);
// advance while the characters agree and the export name has not ended
while (*pFinded && *pFinded==*pSrc)
pFinded++,pSrc++;
// both strings ended at the same point: exact match
if (*pFinded == *pSrc)
{
// the ordinal table maps the name index to the index into AddressOfFunctions
pGetProcAddress = (PGETPROCADDRESS)((DWORD)dwKernelBase+ pAddOfFun_Raw[pAddOfOrd_Raw[dwCnt]]);
break;
}
pSrc = szGetProcAddr; // rewind the pattern for the next export name
}
// With GetProcAddress any other API can be resolved.
// NOTE(review): pGetProcAddress is still NULL here if the scan above failed.
pLoadLibrary = (PLOADLIBRARY)pGetProcAddress((HMODULE)dwKernelBase,szLoadLibrary);
pMessageBox = (PMESSAGEBOX)pGetProcAddress(pLoadLibrary(szUser32),szMessageBox);
// Use the resolved functions.
char szTitle[] = {'S','h','e','l','l','C','o','d','e',0}; // message box title
char szContent[] = {0xC8,0xCE,0xD2,0xE2,0xD4,0xCB,0xD0,0xD0,0}; // message body as raw multibyte bytes (non-ASCII; the original comment calls them "ASCII codes" - encoding presumably the system ANSI code page, confirm)
pMessageBox(NULL,szContent,szTitle,0);
return 1;
}
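/*
 * Test harness: runs ShellCode() in-process.
 *
 * ShellCode() returns 0 when kernel32.dll was not found in the module list and
 * 1 after the message box was shown. The original dropped that value and always
 * exited 0; propagate it as the exit status so a failed run is visible.
 */
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;
    return ShellCode() ? 0 : 1;
}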
WIN10效果如下:
四、抠出函数的硬编码
#include "windows.h"
#include <stdio.h>
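/*
 * Dumps the bytes of the compiled ShellCode() body to ShellCode.txt as a C
 * initializer list ("{0x55,0x8B,...};").
 *
 * startAddr and nBytes are read off the debugger: startAddr is the address of
 * the first instruction of ShellCode (see the note in the text about the
 * indirect call), nBytes is (address of the final ret) - startAddr, so the loop
 * runs i <= nBytes to include the ret byte itself. Both values are specific to
 * one build and must be re-read after every rebuild; dereferencing a stale
 * address reads arbitrary process memory.
 *
 * Returns 0 on success, 1 if the output file could not be opened or closed.
 * Fixes over the original: the file is now closed (fclose flushes the data and
 * reports write errors) and failures no longer exit with status 0.
 */
int main(int argc, char* argv[])
{
    FILE* fp;
    size_t nBytes = 0x563; /* address of ret minus start address (inclusive) */
    PVOID startAddr = (PVOID)0x00541440; /* start address of ShellCode, from the debugger */
    (void)argc;
    (void)argv;
    if (!(fp = fopen("ShellCode.txt","wb+")))
    {
        printf("打开文件失败!");
        return 1;
    }
    fprintf(fp,"{");
    for (size_t i = 0; i <= nBytes; i++)
    {
        /* every byte gets a trailing comma except the last one */
        fprintf(fp,"0x%02X%s", ((PBYTE)startAddr)[i], i == nBytes ? "" : ",");
    }
    fprintf(fp,"};");
    /* fclose flushes the buffered output; a failure means the dump is incomplete */
    if (fclose(fp) != 0)
    {
        printf("写入文件失败!");
        return 1;
    }
    return 0;
}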
效果如图
注意:
vs2010 中函数调用为间接 call,所以直接写 PVOID startAddr = (PVOID)ShellCode; 取到的不是函数体的真实起始地址。
建议在给 startAddr 赋值的地方下断点,在调试器里得到 ShellCode 函数的真实地址后再赋值给它,这是最简单的方法。
五、ShellCode执行
在vs2010及以上版本中执行ShellCode,必须先用VirtualProtect修改存放ShellCode的那段页的保护属性(数据所在的页默认没有执行权限)
// Win32 API prototype shown for reference (used by the loader in section 5).
// Returns non-zero on success; on failure the return value is 0 and the cause is
// available via GetLastError().
BOOL VirtualProtect(
LPVOID lpAddress, // start of the target region; the API applies the change to whole pages containing the range
DWORD dwSize, // size of the region in bytes
DWORD flNewProtect, // requested protection (one of the PAGE_* values in the table below)
PDWORD lpflOldProtect // receives the previous protection; must point to a valid DWORD
);
类型 | 注释 |
---|---|
PAGE_READONLY | 该区域为只读。如果应用程序试图访问区域中的页的时候,将会被拒绝访问 |
PAGE_READWRITE | 区域可被应用程序读写 |
PAGE_EXECUTE | 区域包含可被系统执行的代码。试图读写该区域的操作将被拒绝 |
PAGE_EXECUTE_READ | 区域包含可执行代码,应用程序可以读该区域 |
PAGE_EXECUTE_READWRITE | 区域包含可执行代码,应用程序可以读写该区域 |
PAGE_GUARD | 区域第一次被访问时会触发一个STATUS_GUARD_PAGE异常;这个标志要和其他保护标志合并使用,表示区域第一次被访问时的权限 |
PAGE_NOACCESS | 任何访问该区域的操作将被拒绝 |
PAGE_NOCACHE | RAM中的页映射到该区域时将不会被微处理器缓存(cached) |
所有系统通用
//#include "stdafx.h"
#include "windows.h"
#include <stdio.h>
typedef DWORD (*Code)(); // pointer to a function returning DWORD, matching ShellCode's signature ("()" is an unprototyped declarator; "(void)" would be the stricter form)
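/*
 * Loads the byte dump produced by the extractor (section 4) into a local
 * buffer, makes that buffer's pages executable, and calls it as a function.
 *
 * The bytes are the compiled body of ShellCode() from section 3: 32-bit x86
 * code that locates kernel32 via the PEB, resolves GetProcAddress /
 * LoadLibraryA / MessageBoxA and shows one message box. It must run in a
 * 32-bit process.
 *
 * Fixes over the original: the protection change covers sizeof ShellCodebuff
 * instead of the hand-counted 0x546, the VirtualProtect result is checked
 * (an unchecked failure would crash on the call through ShellCodeAddr), and
 * the previous protection is restored after the call so the stack page does
 * not stay writable+executable.
 *
 * Prints the payload's return value (1 on success, 0 if it could not find
 * kernel32) and returns 0; returns 1 if VirtualProtect failed.
 */
int main(int argc, char* argv[])
{
    unsigned char ShellCodebuff[] = {0x55,0x8B,0xEC,0x81,0xEC,0x20,0x01,0x00,0x00,0x53,0x56,0x57,0xC7,0x45,0xFC,0x00,
    0x00,0x00,0x00,0xC7,0x45,0xF8,0x00,0x00,0x00,0x00,0xC7,0x45,0xF4,0x00,0x00,0x00,0x00,0xC7,0x45,0xF0,0x00,0x00,
    0x00,0x00,0xC7,0x45,0xEC,0x00,0x00,0x00,0x00,0xC7,0x45,0xE8,0x00,0x00,0x00,0x00,0xC7,0x45,0xE4,0x00,0x00,0x00,
    0x00,0xC7,0x45,0xE0,0x00,0x00,0x00,0x00,0xC7,0x45,0xDC,0x00,0x00,0x00,0x00,0xC7,0x45,0xD8,0x00,0x00,0x00,0x00,
    0xC7,0x45,0xD4,0x00,0x00,0x00,0x00,0xC6,0x45,0xB8,0x4B,0xC6,0x45,0xB9,0x00,0xC6,0x45,0xBA,0x45,0xC6,0x45,0xBB,
    0x00,0xC6,0x45,0xBC,0x52,0xC6,0x45,0xBD,0x00,0xC6,0x45,0xBE,0x4E,0xC6,0x45,0xBF,0x00,0xC6,0x45,0xC0,0x45,0xC6,
    0x45,0xC1,0x00,0xC6,0x45,0xC2,0x4C,0xC6,0x45,0xC3,0x00,0xC6,0x45,0xC4,0x33,0xC6,0x45,0xC5,0x00,0xC6,0x45,0xC6,
    0x32,0xC6,0x45,0xC7,0x00,0xC6,0x45,0xC8,0x2E,0xC6,0x45,0xC9,0x00,0xC6,0x45,0xCA,0x44,0xC6,0x45,0xCB,0x00,0xC6,
    0x45,0xCC,0x4C,0xC6,0x45,0xCD,0x00,0xC6,0x45,0xCE,0x4C,0xC6,0x45,0xCF,0x00,0xC6,0x45,0xD0,0x00,0xC6,0x45,0xD1,
    0x00,0xC6,0x45,0x9C,0x6B,0xC6,0x45,0x9D,0x00,0xC6,0x45,0x9E,0x65,0xC6,0x45,0x9F,0x00,0xC6,0x45,0xA0,0x72,0xC6,
    0x45,0xA1,0x00,0xC6,0x45,0xA2,0x6E,0xC6,0x45,0xA3,0x00,0xC6,0x45,0xA4,0x65,0xC6,0x45,0xA5,0x00,0xC6,0x45,0xA6,
    0x6C,0xC6,0x45,0xA7,0x00,0xC6,0x45,0xA8,0x33,0xC6,0x45,0xA9,0x00,0xC6,0x45,0xAA,0x32,0xC6,0x45,0xAB,0x00,0xC6,
    0x45,0xAC,0x2E,0xC6,0x45,0xAD,0x00,0xC6,0x45,0xAE,0x64,0xC6,0x45,0xAF,0x00,0xC6,0x45,0xB0,0x6C,0xC6,0x45,0xB1,
    0x00,0xC6,0x45,0xB2,0x6C,0xC6,0x45,0xB3,0x00,0xC6,0x45,0xB4,0x00,0xC6,0x45,0xB5,0x00,0xC6,0x45,0x90,0x55,0xC6,
    0x45,0x91,0x53,0xC6,0x45,0x92,0x45,0xC6,0x45,0x93,0x52,0xC6,0x45,0x94,0x33,0xC6,0x45,0x95,0x32,0xC6,0x45,0x96,
    0x2E,0xC6,0x45,0x97,0x64,0xC6,0x45,0x98,0x6C,0xC6,0x45,0x99,0x6C,0xC6,0x45,0x9A,0x00,0xC6,0x45,0x80,0x47,0xC6,
    0x45,0x81,0x65,0xC6,0x45,0x82,0x74,0xC6,0x45,0x83,0x50,0xC6,0x45,0x84,0x72,0xC6,0x45,0x85,0x6F,0xC6,0x45,0x86,
    0x63,0xC6,0x45,0x87,0x41,0xC6,0x45,0x88,0x64,0xC6,0x45,0x89,0x64,0xC6,0x45,0x8A,0x72,0xC6,0x45,0x8B,0x65,0xC6,
    0x45,0x8C,0x73,0xC6,0x45,0x8D,0x73,0xC6,0x45,0x8E,0x00,0xC6,0x85,0x70,0xFF,0xFF,0xFF,0x4C,0xC6,0x85,0x71,0xFF,
    0xFF,0xFF,0x6F,0xC6,0x85,0x72,0xFF,0xFF,0xFF,0x61,0xC6,0x85,0x73,0xFF,0xFF,0xFF,0x64,0xC6,0x85,0x74,0xFF,0xFF,
    0xFF,0x4C,0xC6,0x85,0x75,0xFF,0xFF,0xFF,0x69,0xC6,0x85,0x76,0xFF,0xFF,0xFF,0x62,0xC6,0x85,0x77,0xFF,0xFF,0xFF,
    0x72,0xC6,0x85,0x78,0xFF,0xFF,0xFF,0x61,0xC6,0x85,0x79,0xFF,0xFF,0xFF,0x72,0xC6,0x85,0x7A,0xFF,0xFF,0xFF,0x79,
    0xC6,0x85,0x7B,0xFF,0xFF,0xFF,0x41,0xC6,0x85,0x7C,0xFF,0xFF,0xFF,0x00,0xC6,0x85,0x64,0xFF,0xFF,0xFF,0x4D,0xC6,
    0x85,0x65,0xFF,0xFF,0xFF,0x65,0xC6,0x85,0x66,0xFF,0xFF,0xFF,0x73,0xC6,0x85,0x67,0xFF,0xFF,0xFF,0x73,0xC6,0x85,
    0x68,0xFF,0xFF,0xFF,0x61,0xC6,0x85,0x69,0xFF,0xFF,0xFF,0x67,0xC6,0x85,0x6A,0xFF,0xFF,0xFF,0x65,0xC6,0x85,0x6B,
    0xFF,0xFF,0xFF,0x42,0xC6,0x85,0x6C,0xFF,0xFF,0xFF,0x6F,0xC6,0x85,0x6D,0xFF,0xFF,0xFF,0x78,0xC6,0x85,0x6E,0xFF,
    0xFF,0xFF,0x41,0xC6,0x85,0x6F,0xFF,0xFF,0xFF,0x00,0x64,0xA1,0x30,0x00,0x00,0x00,0x8B,0x40,0x0C,0x83,0xC0,0x0C,
    0x89,0x45,0xF8,0x8B,0x00,0x89,0x45,0xFC,0x8B,0x45,0xFC,0x3B,0x45,0xF8,0x0F,0x84,0xC8,0x00,0x00,0x00,0xC7,0x85,
    0x60,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0xC7,0x85,0x5C,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0x8B,0x45,0xFC,0x8B,
    0x48,0x30,0x89,0x4D,0xE0,0x8D,0x45,0xB8,0x89,0x45,0xE8,0x8D,0x45,0x9C,0x89,0x45,0xE4,0x8B,0x45,0xE4,0x0F,0xB7,
    0x08,0x85,0xC9,0x75,0x0A,0x8B,0x45,0xE8,0x0F,0xB7,0x08,0x85,0xC9,0x74,0x65,0x8B,0x45,0xE4,0x0F,0xB7,0x08,0x8B,
    0x55,0xE0,0x0F,0xB7,0x02,0x3B,0xC8,0x74,0x0A,0xC7,0x85,0x60,0xFF,0xFF,0xFF,0x01,0x00,0x00,0x00,0x8B,0x45,0xE8,
    0x0F,0xB7,0x08,0x8B,0x55,0xE0,0x0F,0xB7,0x02,0x3B,0xC8,0x74,0x0A,0xC7,0x85,0x5C,0xFF,0xFF,0xFF,0x01,0x00,0x00,
    0x00,0x83,0xBD,0x60,0xFF,0xFF,0xFF,0x01,0x75,0x0B,0x83,0xBD,0x5C,0xFF,0xFF,0xFF,0x01,0x75,0x02,0xEB,0x1D,0x8B,
    0x45,0xE8,0x83,0xC0,0x02,0x89,0x45,0xE8,0x8B,0x45,0xE4,0x83,0xC0,0x02,0x89,0x45,0xE4,0x8B,0x45,0xE0,0x83,0xC0,
    0x02,0x89,0x45,0xE0,0xEB,0x87,0x8B,0x85,0x60,0xFF,0xFF,0xFF,0x23,0x85,0x5C,0xFF,0xFF,0xFF,0x75,0x0B,0x8B,0x45,
    0xFC,0x8B,0x48,0x18,0x89,0x4D,0xD4,0xEB,0x0D,0x8B,0x45,0xFC,0x8B,0x08,0x89,0x4D,0xFC,0xE9,0x2C,0xFF,0xFF,0xFF,
    0x83,0x7D,0xD4,0x00,0x75,0x07,0x33,0xC0,0xE9,0x0B,0x02,0x00,0x00,0x8B,0x45,0xD4,0x89,0x85,0x58,0xFF,0xFF,0xFF,
    0x8B,0x85,0x58,0xFF,0xFF,0xFF,0x8B,0x4D,0xD4,0x03,0x48,0x3C,0x89,0x8D,0x54,0xFF,0xFF,0xFF,0x8B,0x85,0x54,0xFF,
    0xFF,0xFF,0x8B,0x4D,0xD4,0x03,0x48,0x78,0x89,0x8D,0x50,0xFF,0xFF,0xFF,0x8B,0x85,0x50,0xFF,0xFF,0xFF,0x8B,0x4D,
    0xD4,0x03,0x48,0x1C,0x89,0x8D,0x4C,0xFF,0xFF,0xFF,0x8B,0x85,0x50,0xFF,0xFF,0xFF,0x8B,0x4D,0xD4,0x03,0x48,0x24,
    0x89,0x8D,0x48,0xFF,0xFF,0xFF,0x8B,0x85,0x50,0xFF,0xFF,0xFF,0x8B,0x4D,0xD4,0x03,0x48,0x20,0x89,0x8D,0x44,0xFF,
    0xFF,0xFF,0xC7,0x85,0x40,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0xC7,0x85,0x3C,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
    0x8D,0x45,0x80,0x89,0x85,0x38,0xFF,0xFF,0xFF,0xEB,0x0F,0x8B,0x85,0x40,0xFF,0xFF,0xFF,0x83,0xC0,0x01,0x89,0x85,
    0x40,0xFF,0xFF,0xFF,0x8B,0x85,0x50,0xFF,0xFF,0xFF,0x8B,0x8D,0x40,0xFF,0xFF,0xFF,0x3B,0x48,0x18,0x0F,0x83,0xA0,
    0x00,0x00,0x00,0x8B,0x85,0x40,0xFF,0xFF,0xFF,0x8B,0x8D,0x44,0xFF,0xFF,0xFF,0x8B,0x55,0xD4,0x03,0x14,0x81,0x89,
    0x95,0x3C,0xFF,0xFF,0xFF,0x8B,0x85,0x3C,0xFF,0xFF,0xFF,0x0F,0xBE,0x08,0x85,0xC9,0x74,0x36,0x8B,0x85,0x3C,0xFF,
    0xFF,0xFF,0x0F,0xBE,0x08,0x8B,0x95,0x38,0xFF,0xFF,0xFF,0x0F,0xBE,0x02,0x3B,0xC8,0x75,0x20,0x8B,0x85,0x3C,0xFF,
    0xFF,0xFF,0x83,0xC0,0x01,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x8B,0x8D,0x38,0xFF,0xFF,0xFF,0x83,0xC1,0x01,0x89,0x8D,
    0x38,0xFF,0xFF,0xFF,0xEB,0xBD,0x8B,0x85,0x3C,0xFF,0xFF,0xFF,0x0F,0xBE,0x08,0x8B,0x95,0x38,0xFF,0xFF,0xFF,0x0F,
    0xBE,0x02,0x3B,0xC8,0x75,0x21,0x8B,0x85,0x40,0xFF,0xFF,0xFF,0x8B,0x8D,0x48,0xFF,0xFF,0xFF,0x0F,0xB7,0x14,0x41,
    0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x8B,0x4D,0xD4,0x03,0x0C,0x90,0x89,0x4D,0xF4,0xEB,0x0E,0x8D,0x45,0x80,0x89,0x85,
    0x38,0xFF,0xFF,0xFF,0xE9,0x3C,0xFF,0xFF,0xFF,0x8D,0x85,0x70,0xFF,0xFF,0xFF,0x50,0x8B,0x4D,0xD4,0x51,0xFF,0x55,
    0xF4,0x89,0x45,0xEC,0x8D,0x85,0x64,0xFF,0xFF,0xFF,0x50,0x8D,0x4D,0x90,0x51,0xFF,0x55,0xEC,0x50,0xFF,0x55,0xF4,
    0x89,0x45,0xF0,0xC6,0x85,0x2C,0xFF,0xFF,0xFF,0x53,0xC6,0x85,0x2D,0xFF,0xFF,0xFF,0x68,0xC6,0x85,0x2E,0xFF,0xFF,
    0xFF,0x65,0xC6,0x85,0x2F,0xFF,0xFF,0xFF,0x6C,0xC6,0x85,0x30,0xFF,0xFF,0xFF,0x6C,0xC6,0x85,0x31,0xFF,0xFF,0xFF,
    0x43,0xC6,0x85,0x32,0xFF,0xFF,0xFF,0x6F,0xC6,0x85,0x33,0xFF,0xFF,0xFF,0x64,0xC6,0x85,0x34,0xFF,0xFF,0xFF,0x65,
    0xC6,0x85,0x35,0xFF,0xFF,0xFF,0x00,0xC6,0x85,0x20,0xFF,0xFF,0xFF,0xC8,0xC6,0x85,0x21,0xFF,0xFF,0xFF,0xCE,0xC6,
    0x85,0x22,0xFF,0xFF,0xFF,0xD2,0xC6,0x85,0x23,0xFF,0xFF,0xFF,0xE2,0xC6,0x85,0x24,0xFF,0xFF,0xFF,0xD4,0xC6,0x85,
    0x25,0xFF,0xFF,0xFF,0xCB,0xC6,0x85,0x26,0xFF,0xFF,0xFF,0xD0,0xC6,0x85,0x27,0xFF,0xFF,0xFF,0xD0,0xC6,0x85,0x28,
    0xFF,0xFF,0xFF,0x00,0x6A,0x00,0x8D,0x85,0x2C,0xFF,0xFF,0xFF,0x50,0x8D,0x8D,0x20,0xFF,0xFF,0xFF,0x51,0x6A,0x00,
    0xFF,0x55,0xF0,0xB8,0x01,0x00,0x00,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC3};
    /* The original comment gave the size as 0x546 by hand; sizeof ShellCodebuff is
     * used below so the protection change always covers the whole array. */
    DWORD old = 0;
    DWORD ignored = 0;
    Code ShellCodeAddr = (Code)&ShellCodebuff;
    (void)argc;
    (void)argv;
    /* A local array lives on the stack, which is not executable by default;
     * VirtualProtect changes every page the array touches. */
    if (!VirtualProtect(ShellCodebuff, sizeof ShellCodebuff, PAGE_EXECUTE_READWRITE, &old))
    {
        printf("VirtualProtect failed: %lu", GetLastError());
        return 1;
    }
    int a = ShellCodeAddr();
    /* Put the previous protection back so the page is not left writable and
     * executable at the same time; a failure here does not affect the result. */
    VirtualProtect(ShellCodebuff, sizeof ShellCodebuff, old, &ignored);
    printf("%d",a);
    return 0;
}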