Explore Enterprise Education Gitee Premium Gitee AI AI teammates
Fetch the repository succeeded.
Donate
Please sign in before you donate.
Scan WeChat QR to Pay
Cancel
Complete
Prompt
Switch to Alipay.
OK
Cancel
1 Star 0 Fork 19

y11en/shellcode_driver

Create your Gitee Account
Explore and code with more than 14 million developers,Free private repositories !:)
Sign up
Already have an account? Sign in
文件
master
Branches (1)
master
This repository doesn't specify license. Please pay attention to the specific project description and its upstream code dependency when using it.
The license selected for the repository is subject to the license used by the main branch of the repository.
master
Branches (1)
master
Clone or Download
Clone/Download
Prompt
To download the code, please copy the following command and execute it in the terminal
To ensure that your submitted code identity is correctly recognized by Gitee, please execute the following command.
When using the SSH protocol for the first time to clone or push code, follow the prompts below to complete the SSH configuration.
1 Generate RSA keys.
2 Obtain the content of the RSA public key and configure it in SSH Public Keys
To use SVN on Gitee, please visit the usage guide
When using the HTTPS protocol, the command line will prompt for account and password verification as follows. For security reasons, Gitee recommends configure and use personal access tokens instead of login passwords for cloning, pushing, and other operations.
Username for 'https://gitee.com': userName
Password for 'https://userName@gitee.com': # Private Token
master
Branches (1)
master
shellcode_driver
/
shellcode
/
shellcode.cpp
shellcode_driver
/
shellcode
/
shellcode.cpp
shellcode.cpp 7.75 KB
Copy Edit Raw Blame History
老爷爷 authored 2017年09月19日 20:15 +08:00 . #up
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <TlHelp32.h>
#include <lzexpand.h>
#pragma warning(disable:4152)
typedef unsigned __int64 QWORD, *PQWORD;
#include "kernel32_hash.h"
//
//#define H_CloseHandle 0x0ffd97fb
//#define H_CreatePipe 0x170c8f80
//#define H_CreateProcessA 0x16b3fe72
//#define H_CreateThread 0xca2bd06b
//#define H_GetExitCodeProcess 0xac30ab74
//#define H_GetLastError 0x75da1966
//#define H_LocalAlloc 0x4c0297fa
//#define H_LocalFree 0x5cbaeaf6
//#define H_ReadFile 0x10fa6516
//#define H_Sleep 0xdb2d49b0
//#define H_WriteFile 0xe80a791f
////////////////////////////////////////////////////////////////////////////
//#define H_GetProcAddress 0x7c0dfcaa
//#define H_GetModuleHandleA 0xd3324904
//#define H_VirtualAlloc 0x91afca54
//#define H_VirtualProtect 0x7946c61b
//#define H_CreateFileW 0x7c0017bb
//#define H_VirtualFree 0x30633ac
////////////////////////////////////////////////////////////////////////////
typedef struct tdArgs
{
DWORD64 r9;
DWORD64 r8;
DWORD64 rdx;
DWORD64 rcx;
DWORD64 rsp;
}HOOKARGS,*PHOOKARGS;
void jmp_old_hook();
//////////////////////////////////////////////////////////////////////////
typedef struct tdUserShellFunctions {
BOOL(WINAPI*CloseHandle)(
_In_ HANDLE hObject
);
BOOL(WINAPI*CreatePipe)(
_Out_ PHANDLE hReadPipe,
_Out_ PHANDLE hWritePipe,
_In_opt_ LPSECURITY_ATTRIBUTES lpPipeAttributes,
_In_ DWORD nSize
);
BOOL(WINAPI*CreateProcessA)(
_In_opt_ LPCSTR lpApplicationName,
_Inout_opt_ LPSTR lpCommandLine,
_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,
_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ BOOL bInheritHandles,
_In_ DWORD dwCreationFlags,
_In_opt_ LPVOID lpEnvironment,
_In_opt_ LPCSTR lpCurrentDirectory,
_In_ LPSTARTUPINFO lpStartupInfo,
_Out_ LPPROCESS_INFORMATION lpProcessInformation
);
HANDLE(WINAPI*CreateThread)(
_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ SIZE_T dwStackSize,
_In_ LPTHREAD_START_ROUTINE lpStartAddress,
_In_opt_ LPVOID lpParameter,
_In_ DWORD dwCreationFlags,
_Out_opt_ LPDWORD lpThreadId
);
BOOL(WINAPI*GetExitCodeProcess)(
_In_ HANDLE hProcess,
_Out_ LPDWORD lpExitCode
);
DWORD(WINAPI*GetLastError)(void);
HLOCAL(WINAPI*LocalAlloc)(
_In_ UINT uFlags,
_In_ SIZE_T uBytes
);
HLOCAL(WINAPI*LocalFree)(
_In_ HLOCAL hMem
);
BOOL(WINAPI*ReadFile)(
_In_ HANDLE hFile,
_Out_ LPVOID lpBuffer,
_In_ DWORD nNumberOfBytesToRead,
_Out_opt_ LPDWORD lpNumberOfBytesRead,
_Inout_opt_ LPOVERLAPPED lpOverlapped
);
VOID(WINAPI*Sleep)(
_In_ DWORD dwMilliseconds
);
BOOL(WINAPI*WriteFile)(
_In_ HANDLE hFile,
_In_ LPCVOID lpBuffer,
_In_ DWORD nNumberOfBytesToWrite,
_Out_opt_ LPDWORD lpNumberOfBytesWritten,
_Inout_opt_ LPOVERLAPPED lpOverlapped
);
FARPROC
(WINAPI*GetProcAddress)(
_In_ HMODULE hModule,
_In_ LPCSTR lpProcName
);
HMODULE
(WINAPI*GetModuleHandleA)(
_In_opt_ LPCSTR lpModuleName
);
LPVOID
(WINAPI*VirtualAlloc)(
_In_opt_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flAllocationType,
_In_ DWORD flProtect
);
BOOL
(WINAPI *VirtualProtect)(
_In_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flNewProtect,
_Out_ PDWORD lpflOldProtect
);
BOOL
(WINAPI*VirtualFree)(
_In_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD dwFreeType
);
HANDLE
(WINAPI*CreateFileW)(
_In_ LPCWSTR lpFileName,
_In_ DWORD dwDesiredAccess,
_In_ DWORD dwShareMode,
_In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
_In_ DWORD dwCreationDisposition,
_In_ DWORD dwFlagsAndAttributes,
_In_opt_ HANDLE hTemplateFile
);
PVOID pvStart;
} USERSHELL_FUNCTIONS, *PUSERSHELL_FUNCTIONS;
DWORD HashROR13A(_In_ LPCSTR sz)
{
DWORD dwVal, dwHash = 0;
while(*sz) {
dwVal = (DWORD)*sz++;
dwHash = (dwHash >> 13) | (dwHash << 19);
dwHash += dwVal;
}
return dwHash;
}
PVOID PEGetProcAddressH(_In_ HMODULE hModuleIn, _In_ DWORD dwProcNameH)
{
ULONG_PTR hModule = (ULONG_PTR)hModuleIn;
PDWORD pdwRVAAddrNames, pdwRVAAddrFunctions;
PWORD pwNameOrdinals;
DWORD i, dwFnIdx, dwHash;
LPSTR sz;
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)hModule; // dos header.
PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)(hModule + dosHeader->e_lfanew); // nt header
PIMAGE_EXPORT_DIRECTORY exp = (PIMAGE_EXPORT_DIRECTORY)(ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + hModule);
pdwRVAAddrNames = (PDWORD)(hModule + exp->AddressOfNames);
pwNameOrdinals = (PWORD)(hModule + exp->AddressOfNameOrdinals);
pdwRVAAddrFunctions = (PDWORD)(hModule + exp->AddressOfFunctions);
for(i = 0; i < exp->NumberOfNames; i++) {
sz = (LPSTR)(hModule + pdwRVAAddrNames[i]);
dwHash = HashROR13A(sz);
if(dwHash == dwProcNameH) {
dwFnIdx = pwNameOrdinals[i];
return (PVOID)(hModule + pdwRVAAddrFunctions[dwFnIdx]);
}
}
return 0;
}
VOID UserShellInitializeFunctions(_In_ HMODULE hModuleKernel32, _Out_ PUSERSHELL_FUNCTIONS fnu)
{
fnu->pvStart = (PVOID)hModuleKernel32;
fnu->CloseHandle = (T_CloseHandle)PEGetProcAddressH(hModuleKernel32, H_CloseHandle);
fnu->CreatePipe = (T_CreatePipe)PEGetProcAddressH(hModuleKernel32, H_CreatePipe);
fnu->CreateProcessA = (T_CreateProcessA)PEGetProcAddressH(hModuleKernel32, H_CreateProcessA);
fnu->CreateThread = (T_CreateThread)PEGetProcAddressH(hModuleKernel32, H_CreateThread);
fnu->GetExitCodeProcess = (T_GetExitCodeProcess)PEGetProcAddressH(hModuleKernel32, H_GetExitCodeProcess);
fnu->GetLastError = (T_GetLastError)PEGetProcAddressH(hModuleKernel32, H_GetLastError);
fnu->LocalAlloc = (T_LocalAlloc)PEGetProcAddressH(hModuleKernel32, H_LocalAlloc);
fnu->LocalFree = (T_LocalFree)PEGetProcAddressH(hModuleKernel32, H_LocalFree);
fnu->ReadFile = (T_ReadFile)PEGetProcAddressH(hModuleKernel32, H_ReadFile);
fnu->Sleep = (T_Sleep)PEGetProcAddressH(hModuleKernel32, H_Sleep);
fnu->WriteFile = (T_WriteFile)PEGetProcAddressH(hModuleKernel32, H_WriteFile);
fnu->GetModuleHandleA = (T_GetModuleHandleA)PEGetProcAddressH(hModuleKernel32, H_GetModuleHandleA);
fnu->GetProcAddress = (T_GetProcAddress)PEGetProcAddressH(hModuleKernel32, H_GetProcAddress);
fnu->VirtualAlloc = (T_VirtualAlloc)PEGetProcAddressH(hModuleKernel32, H_VirtualAlloc);
fnu->VirtualProtect = (T_VirtualProtect)PEGetProcAddressH(hModuleKernel32, H_VirtualProtect);
fnu->VirtualFree = (T_VirtualFree)PEGetProcAddressH(hModuleKernel32, H_VirtualFree);
fnu->CreateFileW = (T_CreateFileW)PEGetProcAddressH(hModuleKernel32, H_CreateFileW);
}
EXTERN_C void hookcode(PHOOKARGS arg1, ULONG_PTR lpBaseKernel32,ULONG_PTR oldAddress,ULONG_PTR oldData)
//arg1是
{
WCHAR szFile[MAX_PATH];
UNREFERENCED_PARAMETER(arg1);
auto fnLocalAlloc = (T_LocalAlloc)PEGetProcAddressH((HMODULE)lpBaseKernel32, H_LocalAlloc);
auto func = (PUSERSHELL_FUNCTIONS)fnLocalAlloc(LMEM_ZEROINIT, sizeof(USERSHELL_FUNCTIONS));
UserShellInitializeFunctions((HMODULE)lpBaseKernel32, func);
//下面只是shellcode的一个测试用例
szFile[0] = L'F';
szFile[1] = L':';
szFile[2] = L'\\';
szFile[3] = L'S';
szFile[4] = L'.';
szFile[5] = L't';
szFile[6] = L'x';
szFile[7] = L't';
szFile[8] = L'0円';
if (func->CreateFileW)
{
DWORD dwWrite;
dwWrite = 0;
auto hFile = func->CreateFileW(szFile, GENERIC_ALL, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
func->WriteFile(hFile, szFile, sizeof(szFile), &dwWrite, NULL);
func->CloseHandle(hFile);
}
if (oldAddress)
{
//恢复oldAddress的oldcode并调用
*(ULONG_PTR*)oldAddress = oldData;
}
}
Loading...
Report
Report success
We will send you the feedback within 2 working days through the letter!
Please fill in the reason for the report carefully. Provide as detailed a description as possible.
Please select a report type
Cancel
Send
误判申诉

此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。

如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。

取消
提交

About

无导入表的driver与shellcode化——因为SEH问题项目报废--2018年正式解封开源
Cancel

Releases

No release

Contributors

All

Activities

can not load any more
Edit
About
Homepage
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/yllen/shellcode_driver.git
git@gitee.com:yllen/shellcode_driver.git
yllen
shellcode_driver
shellcode_driver
master
Going to Help Center

Search

Comment
Repository Report
Back to the top
Login prompt
This operation requires login to the code cloud account. Please log in before operating.
Go to login
No account. Register

AltStyle によって変換されたページ (->オリジナル) /