开源 企业版 高校版 私有云 模力方舟 AI 队友
代码拉取完成,页面将自动刷新
捐赠
捐赠前请先登录
扫描微信二维码支付
取消
支付完成
支付提示
将跳转至支付宝完成支付
确定
取消
1 Star 0 Fork 1

swordwalker/shellcode_driver

加入 Gitee
与超过 1400万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
已有帐号? 立即登录
文件
master
分支 (1)
master
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
master
分支 (1)
master
克隆/下载
克隆/下载
提示
下载代码请复制以下命令到终端执行
为确保你提交的代码身份被 Gitee 正确识别,请执行以下命令完成配置
初次使用 SSH 协议进行代码克隆、推送等操作时,需按下述提示完成 SSH 配置
1 生成 RSA 密钥
2 获取 RSA 公钥内容,并配置到 SSH公钥
在 Gitee 上使用 SVN,请访问 使用指南
使用 HTTPS 协议时,命令行会出现如下账号密码验证步骤。基于安全考虑,Gitee 建议 配置并使用私人令牌 替代登录密码进行克隆、推送等操作
Username for 'https://gitee.com': userName
Password for 'https://userName@gitee.com': # 私人令牌
master
分支 (1)
master
shellcode_driver
/
shellcode
/
shellcode.cpp
shellcode_driver
/
shellcode
/
shellcode.cpp
shellcode.cpp 7.75 KB
一键复制 编辑 原始数据 按行查看 历史
老爷爷 提交于 2017年09月19日 20:15 +08:00 . #up
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <TlHelp32.h>
#include <lzexpand.h>
#pragma warning(disable:4152)
typedef unsigned __int64 QWORD, *PQWORD;
#include "kernel32_hash.h"
//
//#define H_CloseHandle 0x0ffd97fb
//#define H_CreatePipe 0x170c8f80
//#define H_CreateProcessA 0x16b3fe72
//#define H_CreateThread 0xca2bd06b
//#define H_GetExitCodeProcess 0xac30ab74
//#define H_GetLastError 0x75da1966
//#define H_LocalAlloc 0x4c0297fa
//#define H_LocalFree 0x5cbaeaf6
//#define H_ReadFile 0x10fa6516
//#define H_Sleep 0xdb2d49b0
//#define H_WriteFile 0xe80a791f
////////////////////////////////////////////////////////////////////////////
//#define H_GetProcAddress 0x7c0dfcaa
//#define H_GetModuleHandleA 0xd3324904
//#define H_VirtualAlloc 0x91afca54
//#define H_VirtualProtect 0x7946c61b
//#define H_CreateFileW 0x7c0017bb
//#define H_VirtualFree 0x30633ac
////////////////////////////////////////////////////////////////////////////
typedef struct tdArgs
{
DWORD64 r9;
DWORD64 r8;
DWORD64 rdx;
DWORD64 rcx;
DWORD64 rsp;
}HOOKARGS,*PHOOKARGS;
void jmp_old_hook();
//////////////////////////////////////////////////////////////////////////
typedef struct tdUserShellFunctions {
BOOL(WINAPI*CloseHandle)(
_In_ HANDLE hObject
);
BOOL(WINAPI*CreatePipe)(
_Out_ PHANDLE hReadPipe,
_Out_ PHANDLE hWritePipe,
_In_opt_ LPSECURITY_ATTRIBUTES lpPipeAttributes,
_In_ DWORD nSize
);
BOOL(WINAPI*CreateProcessA)(
_In_opt_ LPCSTR lpApplicationName,
_Inout_opt_ LPSTR lpCommandLine,
_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,
_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ BOOL bInheritHandles,
_In_ DWORD dwCreationFlags,
_In_opt_ LPVOID lpEnvironment,
_In_opt_ LPCSTR lpCurrentDirectory,
_In_ LPSTARTUPINFO lpStartupInfo,
_Out_ LPPROCESS_INFORMATION lpProcessInformation
);
HANDLE(WINAPI*CreateThread)(
_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ SIZE_T dwStackSize,
_In_ LPTHREAD_START_ROUTINE lpStartAddress,
_In_opt_ LPVOID lpParameter,
_In_ DWORD dwCreationFlags,
_Out_opt_ LPDWORD lpThreadId
);
BOOL(WINAPI*GetExitCodeProcess)(
_In_ HANDLE hProcess,
_Out_ LPDWORD lpExitCode
);
DWORD(WINAPI*GetLastError)(void);
HLOCAL(WINAPI*LocalAlloc)(
_In_ UINT uFlags,
_In_ SIZE_T uBytes
);
HLOCAL(WINAPI*LocalFree)(
_In_ HLOCAL hMem
);
BOOL(WINAPI*ReadFile)(
_In_ HANDLE hFile,
_Out_ LPVOID lpBuffer,
_In_ DWORD nNumberOfBytesToRead,
_Out_opt_ LPDWORD lpNumberOfBytesRead,
_Inout_opt_ LPOVERLAPPED lpOverlapped
);
VOID(WINAPI*Sleep)(
_In_ DWORD dwMilliseconds
);
BOOL(WINAPI*WriteFile)(
_In_ HANDLE hFile,
_In_ LPCVOID lpBuffer,
_In_ DWORD nNumberOfBytesToWrite,
_Out_opt_ LPDWORD lpNumberOfBytesWritten,
_Inout_opt_ LPOVERLAPPED lpOverlapped
);
FARPROC
(WINAPI*GetProcAddress)(
_In_ HMODULE hModule,
_In_ LPCSTR lpProcName
);
HMODULE
(WINAPI*GetModuleHandleA)(
_In_opt_ LPCSTR lpModuleName
);
LPVOID
(WINAPI*VirtualAlloc)(
_In_opt_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flAllocationType,
_In_ DWORD flProtect
);
BOOL
(WINAPI *VirtualProtect)(
_In_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flNewProtect,
_Out_ PDWORD lpflOldProtect
);
BOOL
(WINAPI*VirtualFree)(
_In_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD dwFreeType
);
HANDLE
(WINAPI*CreateFileW)(
_In_ LPCWSTR lpFileName,
_In_ DWORD dwDesiredAccess,
_In_ DWORD dwShareMode,
_In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
_In_ DWORD dwCreationDisposition,
_In_ DWORD dwFlagsAndAttributes,
_In_opt_ HANDLE hTemplateFile
);
PVOID pvStart;
} USERSHELL_FUNCTIONS, *PUSERSHELL_FUNCTIONS;
DWORD HashROR13A(_In_ LPCSTR sz)
{
DWORD dwVal, dwHash = 0;
while(*sz) {
dwVal = (DWORD)*sz++;
dwHash = (dwHash >> 13) | (dwHash << 19);
dwHash += dwVal;
}
return dwHash;
}
PVOID PEGetProcAddressH(_In_ HMODULE hModuleIn, _In_ DWORD dwProcNameH)
{
ULONG_PTR hModule = (ULONG_PTR)hModuleIn;
PDWORD pdwRVAAddrNames, pdwRVAAddrFunctions;
PWORD pwNameOrdinals;
DWORD i, dwFnIdx, dwHash;
LPSTR sz;
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)hModule; // dos header.
PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)(hModule + dosHeader->e_lfanew); // nt header
PIMAGE_EXPORT_DIRECTORY exp = (PIMAGE_EXPORT_DIRECTORY)(ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + hModule);
pdwRVAAddrNames = (PDWORD)(hModule + exp->AddressOfNames);
pwNameOrdinals = (PWORD)(hModule + exp->AddressOfNameOrdinals);
pdwRVAAddrFunctions = (PDWORD)(hModule + exp->AddressOfFunctions);
for(i = 0; i < exp->NumberOfNames; i++) {
sz = (LPSTR)(hModule + pdwRVAAddrNames[i]);
dwHash = HashROR13A(sz);
if(dwHash == dwProcNameH) {
dwFnIdx = pwNameOrdinals[i];
return (PVOID)(hModule + pdwRVAAddrFunctions[dwFnIdx]);
}
}
return 0;
}
VOID UserShellInitializeFunctions(_In_ HMODULE hModuleKernel32, _Out_ PUSERSHELL_FUNCTIONS fnu)
{
fnu->pvStart = (PVOID)hModuleKernel32;
fnu->CloseHandle = (T_CloseHandle)PEGetProcAddressH(hModuleKernel32, H_CloseHandle);
fnu->CreatePipe = (T_CreatePipe)PEGetProcAddressH(hModuleKernel32, H_CreatePipe);
fnu->CreateProcessA = (T_CreateProcessA)PEGetProcAddressH(hModuleKernel32, H_CreateProcessA);
fnu->CreateThread = (T_CreateThread)PEGetProcAddressH(hModuleKernel32, H_CreateThread);
fnu->GetExitCodeProcess = (T_GetExitCodeProcess)PEGetProcAddressH(hModuleKernel32, H_GetExitCodeProcess);
fnu->GetLastError = (T_GetLastError)PEGetProcAddressH(hModuleKernel32, H_GetLastError);
fnu->LocalAlloc = (T_LocalAlloc)PEGetProcAddressH(hModuleKernel32, H_LocalAlloc);
fnu->LocalFree = (T_LocalFree)PEGetProcAddressH(hModuleKernel32, H_LocalFree);
fnu->ReadFile = (T_ReadFile)PEGetProcAddressH(hModuleKernel32, H_ReadFile);
fnu->Sleep = (T_Sleep)PEGetProcAddressH(hModuleKernel32, H_Sleep);
fnu->WriteFile = (T_WriteFile)PEGetProcAddressH(hModuleKernel32, H_WriteFile);
fnu->GetModuleHandleA = (T_GetModuleHandleA)PEGetProcAddressH(hModuleKernel32, H_GetModuleHandleA);
fnu->GetProcAddress = (T_GetProcAddress)PEGetProcAddressH(hModuleKernel32, H_GetProcAddress);
fnu->VirtualAlloc = (T_VirtualAlloc)PEGetProcAddressH(hModuleKernel32, H_VirtualAlloc);
fnu->VirtualProtect = (T_VirtualProtect)PEGetProcAddressH(hModuleKernel32, H_VirtualProtect);
fnu->VirtualFree = (T_VirtualFree)PEGetProcAddressH(hModuleKernel32, H_VirtualFree);
fnu->CreateFileW = (T_CreateFileW)PEGetProcAddressH(hModuleKernel32, H_CreateFileW);
}
EXTERN_C void hookcode(PHOOKARGS arg1, ULONG_PTR lpBaseKernel32,ULONG_PTR oldAddress,ULONG_PTR oldData)
//arg1是
{
WCHAR szFile[MAX_PATH];
UNREFERENCED_PARAMETER(arg1);
auto fnLocalAlloc = (T_LocalAlloc)PEGetProcAddressH((HMODULE)lpBaseKernel32, H_LocalAlloc);
auto func = (PUSERSHELL_FUNCTIONS)fnLocalAlloc(LMEM_ZEROINIT, sizeof(USERSHELL_FUNCTIONS));
UserShellInitializeFunctions((HMODULE)lpBaseKernel32, func);
//下面只是shellcode的一个测试用例
szFile[0] = L'F';
szFile[1] = L':';
szFile[2] = L'\\';
szFile[3] = L'S';
szFile[4] = L'.';
szFile[5] = L't';
szFile[6] = L'x';
szFile[7] = L't';
szFile[8] = L'0円';
if (func->CreateFileW)
{
DWORD dwWrite;
dwWrite = 0;
auto hFile = func->CreateFileW(szFile, GENERIC_ALL, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
func->WriteFile(hFile, szFile, sizeof(szFile), &dwWrite, NULL);
func->CloseHandle(hFile);
}
if (oldAddress)
{
//恢复oldAddress的oldcode并调用
*(ULONG_PTR*)oldAddress = oldData;
}
}
Loading...
举报
举报成功
我们将于2个工作日内通过站内信反馈结果给你!
请认真填写举报原因,尽可能描述详细。
请选择举报类型
取消
发送
误判申诉

此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。

如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。

取消
提交

简介

无导入表的driver与shellcode化——因为SEH问题项目报废--2018年正式解封开源
取消

发行版

暂无发行版

贡献者

全部

近期动态

不能加载更多了
编辑仓库简介
简介内容
主页
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/swordwalker/shellcode_driver.git
git@gitee.com:swordwalker/shellcode_driver.git
swordwalker
shellcode_driver
shellcode_driver
master
点此查找更多帮助

搜索帮助

评论
仓库举报
回到顶部
登录提示
该操作需登录 Gitee 帐号,请先登录后再操作。
立即登录
没有帐号,去注册

AltStyle によって変換されたページ (->オリジナル) /