//code by the.night
#ifndef _MSC_VER //GCC
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wreturn-type" // silence "no return statement": the byte blobs below leave via their own ret, GCC only sees a body with no C return
#define FORCE_NO_INLINE __attribute__((noinline)) // GCC: never inline; each blob must start at its function's own entry address because it is reached by address
/*
 * X64Call - "Heaven's Gate" trampoline: call a 64-bit function from 32-bit (WOW64) code.
 *
 * func : 64-bit address of the callee (an export of the 64-bit ntdll, or one of the
 *        x64proc_* byte blobs below).
 * argC : number of variadic arguments that follow.
 * ...  : the arguments. Every one MUST be passed as a DWORD64: the blob reads them as
 *        8-byte slots starting at [ebp+0x14], so a bare int/pointer shifts every later slot.
 * Returns the callee's RAX, delivered to the 32-bit caller as EDX:EAX.
 *
 * What the bytes do (decoded from the blob):
 *   55 89 E5                    push ebp / mov ebp,esp     func at [ebp+8], argC at [ebp+0x10]
 *   6A 33  E8 0  83 04 24 05 CB push 0x33 / call $+5 / add [esp],5 / retf
 *                               far return into CS=0x33 -> CPU is now executing 64-bit code
 *   48 63 ED  66 81 E4 F0 FF    movsxd rbp,ebp / and sp,0xFFF0    canonical rbp, 16-byte aligned rsp
 *   48 8B 4D 14 .. 4C 8B 4D 2C  args 1-4 -> rcx, rdx, r8, r9 (Win64 register args), each an 8-byte slot
 *   A8 01  75 03  83 EC 08      odd number of stack args -> 8-byte pad to keep the alignment
 *   48 FF 74 C5 2C (loop)       push qword [rbp+rax*8+0x2C]: remaining args pushed last-to-first
 *   83 EC 20                    sub rsp,0x20   the 32-byte home/shadow space the Win64 ABI requires
 *   FF 55 08                    call [rbp+8]   the 64-bit callee
 *   48 89 C2  48 C1 EA 20       mov rdx,rax / shr rdx,32   split the 64-bit result into edx:eax
 *   E8 0  C7 44 24 04 23 0 0 0  call $+5 / mov dword [rsp+4],0x23
 *   83 04 24 0D  CB             add [rsp],13 / retf        far return into CS=0x23 -> back to 32-bit
 *   C9 C3                       leave / ret                cdecl: the caller removes the arguments
 *
 * Caveats a user should know:
 * - The blob builds its own frame and assumes it is the FIRST instruction of the function.
 *   With GCC that only holds when the compiler emits no prologue of its own (noinline plus
 *   optimisation / -fomit-frame-pointer); at -O0 an extra push ebp / mov ebp,esp would shift
 *   every [ebp+x] offset. TODO(review): confirm the flags this is built with.
 * - Selectors 0x33 / 0x23 are the WOW64 64-bit / 32-bit code segments on the Windows builds this
 *   was written against; they are not a documented contract.
 * - This bypasses the WOW64 layer completely: no handle or pointer thunking is done for you, and
 *   a fault inside the 64-bit callee is presumably not unwound through the 32-bit caller's SEH
 *   frame - confirm on the target OS. Mode switching of this kind is a well-known evasion
 *   pattern and is commonly flagged by EDR products.
 * - Only ebp is saved explicitly; the 32-bit caller's ebx/esi/edi survive only because rbx/rsi/rdi
 *   are callee-saved in the Win64 ABI as well.
 */
FORCE_NO_INLINE
DWORD64 X64Call(DWORD64 func,int argC, ...)
{//every variadic argument must be passed as a DWORD64.
asm(".byte 85,137,229,106,51,232,0,0,0,0,131,4,36,5,203,72,99,237,102,129,228,240,255,139,69,16,133,192,116,63,72,139,77,20,131,232,1,133,192,116,52,72,139,85,28,131,232,1,133,192,116,41,76,139,69,36,131,232,1,133,192,116,30,76,139,77,44,131,232,1,133,192,116,19,168,1,117,3,131,236,8,72,255,116,197,44,131,232,1,133,192,117,244,131,236,32,255,85,8,72,137,194,72,193,234,32,232,0,0,0,0,199,68,36,4,35,0,0,0,131,4,36,13,203,201,195;");
}
/*
 * x64proc_GetProcAddress64 - 64-bit machine code (x64 C compiled, then extracted with a debugger,
 * per the original author). It is NOT a callable 32-bit function: the bytes only make sense in
 * 64-bit mode, so invoke it only via X64Call((DWORD64)x64proc_GetProcAddress64, 2, base, (DWORD64)name).
 *
 * Behaviour, decoded from the bytes:
 *  - rcx = module base, rdx = ANSI export name; result in rax.
 *  - Returns 0 unless [base] starts with 'MZ' and [base+e_lfanew] with "PE\0\0".
 *  - Reads the export-directory RVA at PE+0x88, i.e. the PE32+ (64-bit) optional-header layout;
 *    a 32-bit module base would be mis-parsed, so only pass 64-bit module bases.
 *  - Linear, case-sensitive byte compare over AddressOfNames (count at dir+0x14, RVAs at dir+0x20);
 *    on a hit it maps through AddressOfNameOrdinals (dir+0x24) into AddressOfFunctions (dir+0x1C)
 *    and returns base + RVA. Returns 0 when there is no export table or the name is not found.
 *  - No lookup by ordinal, and forwarded exports are not recognised (their RVA is returned as-is).
 *  - Saves rdi/rsi/rbx (57 56 53 / 5B 5E 5F); clobbers rax, rdx, r8-r11.
 *  - Both rcx and rdx are dereferenced without a NULL check - callers must reject 0 / NULL.
 *
 * Build caveat: the blob must begin at the function's entry address. noinline stops inlining, but
 * GCC may still emit a 32-bit prologue ahead of the asm at -O0, and that prologue would then be
 * executed as 64-bit code. Build optimised / -fomit-frame-pointer, or verify the emitted code.
 */
FORCE_NO_INLINE
DWORD64 x64proc_GetProcAddress64(DWORD64 hModule,const char* lpProcName)
{//64-bit shellcode extracted from a compiled x64 build; only callable through X64Call
asm(".byte 87,86,83,49,192,102,129,57,77,90,117,113,76,99,65,60,73,1,200,65,129,56,80,69,0,0,117,97,69,139,128,136,0,0,0,69,133,192,116,85,74,141,60,1,68,139,71,32,139,119,20,133,246,78,141,20,1,116,66,15,182,26,69,49,219,69,139,10,73,1,201,65,56,25,117,34,132,219,116,49,72,137,208,235,5,69,132,192,116,39,72,131,192,1,73,137,192,73,41,208,71,15,182,4,8,68,58,0,116,231,65,131,195,1,73,131,194,4,65,57,243,117,198,49,192,91,94,95,195,68,57,222,116,245,139,87,36,78,141,4,89,139,71,28,65,15,183,20,16,72,141,20,145,139,4,2,72,1,200,91,94,95,195");
}
/*
 * x64proc_GetModuleHandle64 - 64-bit machine code; only callable through
 * X64Call((DWORD64)x64proc_GetModuleHandle64, 1, (DWORD64)name).
 *
 * Behaviour, decoded from the bytes:
 *  - mov rax, gs:[0x60] -> 64-bit PEB; PEB+0x18 -> Ldr; Ldr+0x10 -> InLoadOrderModuleList head.
 *  - For each loader entry it compares BaseDllName.Buffer (entry+0x60) with rcx (the wide string),
 *    folding only ASCII 'A'..'Z' to lower case on both sides (lea -0x41 / cmp 0x19 / cmovbe).
 *    The loop only reports a match when both strings end together, so the extension is part of it.
 *  - Returns DllBase (entry+0x30) of the first match, or 0 when the list is exhausted.
 *  - Saves rsi/rbx; clobbers rax, rdx, r8-r11.
 *
 * Caveats:
 *  - It walks the 64-bit loader's list. In a WOW64 process that list presumably holds only the
 *    64-bit system DLLs (ntdll.dll and the wow64 support DLLs) - verify on the target OS; the
 *    process's 32-bit modules are not visible here.
 *  - rcx and BaseDllName.Buffer are dereferenced without NULL checks; the caller must reject NULL.
 *  - The 0x60/0x18/0x10/0x30/0x60 offsets are undocumented TEB/PEB/LDR layouts: stable across
 *    releases so far, not an API contract.
 */
FORCE_NO_INLINE
DWORD64 x64proc_GetModuleHandle64(const wchar_t * lpModuleName)
{//64-bit shellcode extracted from a compiled x64 build; only callable through X64Call
asm(".byte 86,83,101,72,139,4,37,96,0,0,0,72,139,64,24,72,139,88,16,72,141,112,16,72,57,222,116,88,15,31,64,0,76,139,75,96,73,137,200,235,11,15,31,128,0,0,0,0,57,208,117,52,73,131,193,2,65,15,183,65,254,68,141,80,191,141,80,32,65,131,250,25,15,70,194,73,131,192,2,65,15,183,80,254,68,141,90,191,68,141,82,32,65,131,251,25,65,15,70,210,133,192,117,200,57,208,116,13,72,139,27,72,57,222,117,172,49,192,91,94,195,72,139,67,48,91,94,195");
}
#pragma GCC diagnostic pop // restore -Wreturn-type for the rest of the file
#else //ifndef _MSC_VER
#define NAKED __declspec(naked) // MSVC naked function: no prologue/epilogue, so the emitted bytes start at the entry address
/*
 * X64Call (MSVC build) - "Heaven's Gate" trampoline that calls a 64-bit function from a
 * 32-bit (WOW64) process. Same byte blob as the GCC build, emitted with _emit inside a naked
 * function so that nothing precedes it (the blob sets up its own frame and reads its arguments
 * relative to ebp: func at [ebp+8], argC at [ebp+0x10], the variadic slots from [ebp+0x14]).
 *
 * func : 64-bit address of the callee.
 * argC : count of variadic arguments.
 * ...  : each argument MUST be a DWORD64 - they are consumed as 8-byte slots.
 * Returns the callee's RAX as EDX:EAX (mov rdx,rax / shr rdx,32 before the switch back).
 *
 * Decoded outline: push 0x33 / call $+5 / add [esp],5 / retf switches into the 64-bit code
 * segment; rbp is sign-extended and rsp aligned to 16; args 1-4 go to rcx/rdx/r8/r9, the rest
 * are pushed last-to-first (with an 8-byte pad for an odd count); sub rsp,0x20 reserves the
 * Win64 home space; call [rbp+8]; then a far return to selector 0x23 and leave/ret (cdecl).
 *
 * Caveats:
 * - Selectors 0x33 / 0x23 are the WOW64 code segments on the Windows builds this targets, not a
 *   documented contract.
 * - Bypasses the WOW64 layer: no handle/pointer thunking, and a fault in the 64-bit callee is
 *   presumably not delivered to the 32-bit caller's SEH frame - confirm on the target OS.
 *   Mode switching like this is a known evasion pattern that EDR products commonly flag.
 */
NAKED
DWORD64 X64Call(DWORD64 func,int argC, ...)
{//every variadic argument must be passed as a DWORD64
__asm {
_emit 0x55;_emit 0x89;_emit 0xE5;_emit 0x6A;_emit 0x33;_emit 0xE8;_emit 0x00;_emit 0x00;_emit 0x00;_emit 0x00;_emit 0x83;_emit 0x04;_emit 0x24;_emit 0x05;_emit 0xCB;_emit 0x48;_emit 0x63;_emit 0xED;_emit 0x66;_emit 0x81;_emit 0xE4;_emit 0xF0;_emit 0xFF;_emit 0x8B;_emit 0x45;_emit 0x10;_emit 0x85;_emit 0xC0;_emit 0x74;_emit 0x3F;_emit 0x48;_emit 0x8B;_emit 0x4D;_emit 0x14;_emit 0x83;_emit 0xE8;_emit 0x01;_emit 0x85;_emit 0xC0;_emit 0x74;_emit 0x34;_emit 0x48;_emit 0x8B;_emit 0x55;_emit 0x1C;_emit 0x83;_emit 0xE8;_emit 0x01;_emit 0x85;_emit 0xC0;_emit 0x74;_emit 0x29;_emit 0x4C;_emit 0x8B;_emit 0x45;_emit 0x24;_emit 0x83;_emit 0xE8;_emit 0x01;_emit 0x85;_emit 0xC0;_emit 0x74;_emit 0x1E;_emit 0x4C;_emit 0x8B;_emit 0x4D;_emit 0x2C;_emit 0x83;_emit 0xE8;_emit 0x01;_emit 0x85;_emit 0xC0;_emit 0x74;_emit 0x13;_emit 0xA8;_emit 0x01;_emit 0x75;_emit 0x03;_emit 0x83;_emit 0xEC;_emit 0x08;_emit 0x48;_emit 0xFF;_emit 0x74;_emit 0xC5;_emit 0x2C;_emit 0x83;_emit 0xE8;_emit 0x01;_emit 0x85;_emit 0xC0;_emit 0x75;_emit 0xF4;_emit 0x83;_emit 0xEC;_emit 0x20;_emit 0xFF;_emit 0x55;_emit 0x08;_emit 0x48;_emit 0x89;_emit 0xC2;_emit 0x48;_emit 0xC1;_emit 0xEA;_emit 0x20;_emit 0xE8;_emit 0x00;_emit 0x00;_emit 0x00;_emit 0x00;_emit 0xC7;_emit 0x44;_emit 0x24;_emit 0x04;_emit 0x23;_emit 0x00;_emit 0x00;_emit 0x00;_emit 0x83;_emit 0x04;_emit 0x24;_emit 0x0D;_emit 0xCB;_emit 0xC9;_emit 0xC3
};
}
/*
 * x64proc_GetProcAddress64 (MSVC build) - 64-bit machine code in a naked function. Not callable
 * as a 32-bit function; use X64Call((DWORD64)x64proc_GetProcAddress64, 2, base, (DWORD64)name).
 *
 * Decoded behaviour: rcx = 64-bit module base, rdx = ANSI export name. Returns 0 unless the
 * image starts with 'MZ' and "PE\0\0"; reads the export-directory RVA at PE+0x88 (the PE32+
 * layout - do not pass a 32-bit module), scans AddressOfNames linearly with a case-sensitive
 * byte compare, maps the hit through AddressOfNameOrdinals into AddressOfFunctions and returns
 * base + RVA, or 0 when there is no export table / no match. No ordinal lookup; forwarded
 * exports are not recognised. rcx and rdx are dereferenced without NULL checks. Saves
 * rdi/rsi/rbx, clobbers rax, rdx, r8-r11.
 */
NAKED
DWORD64 x64proc_GetProcAddress64(DWORD64 hModule,const char* lpProcName)
{//64-bit shellcode extracted from a compiled x64 build; only callable through X64Call
__asm {
_emit 0x57;_emit 0x56;_emit 0x53;_emit 0x31;_emit 0xC0;_emit 0x66;_emit 0x81;_emit 0x39;_emit 0x4D;_emit 0x5A;_emit 0x75;_emit 0x71;_emit 0x4C;_emit 0x63;_emit 0x41;_emit 0x3C;_emit 0x49;_emit 0x01;_emit 0xC8;_emit 0x41;_emit 0x81;_emit 0x38;_emit 0x50;_emit 0x45;_emit 0x00;_emit 0x00;_emit 0x75;_emit 0x61;_emit 0x45;_emit 0x8B;_emit 0x80;_emit 0x88;_emit 0x00;_emit 0x00;_emit 0x00;_emit 0x45;_emit 0x85;_emit 0xC0;_emit 0x74;_emit 0x55;_emit 0x4A;_emit 0x8D;_emit 0x3C;_emit 0x01;_emit 0x44;_emit 0x8B;_emit 0x47;_emit 0x20;_emit 0x8B;_emit 0x77;_emit 0x14;_emit 0x85;_emit 0xF6;_emit 0x4E;_emit 0x8D;_emit 0x14;_emit 0x01;_emit 0x74;_emit 0x42;_emit 0x0F;_emit 0xB6;_emit 0x1A;_emit 0x45;_emit 0x31;_emit 0xDB;_emit 0x45;_emit 0x8B;_emit 0x0A;_emit 0x49;_emit 0x01;_emit 0xC9;_emit 0x41;_emit 0x38;_emit 0x19;_emit 0x75;_emit 0x22;_emit 0x84;_emit 0xDB;_emit 0x74;_emit 0x31;_emit 0x48;_emit 0x89;_emit 0xD0;_emit 0xEB;_emit 0x05;_emit 0x45;_emit 0x84;_emit 0xC0;_emit 0x74;_emit 0x27;_emit 0x48;_emit 0x83;_emit 0xC0;_emit 0x01;_emit 0x49;_emit 0x89;_emit 0xC0;_emit 0x49;_emit 0x29;_emit 0xD0;_emit 0x47;_emit 0x0F;_emit 0xB6;_emit 0x04;_emit 0x08;_emit 0x44;_emit 0x3A;_emit 0x00;_emit 0x74;_emit 0xE7;_emit 0x41;_emit 0x83;_emit 0xC3;_emit 0x01;_emit 0x49;_emit 0x83;_emit 0xC2;_emit 0x04;_emit 0x41;_emit 0x39;_emit 0xF3;_emit 0x75;_emit 0xC6;_emit 0x31;_emit 0xC0;_emit 0x5B;_emit 0x5E;_emit 0x5F;_emit 0xC3;_emit 0x44;_emit 0x39;_emit 0xDE;_emit 0x74;_emit 0xF5;_emit 0x8B;_emit 0x57;_emit 0x24;_emit 0x4E;_emit 0x8D;_emit 0x04;_emit 0x59;_emit 0x8B;_emit 0x47;_emit 0x1C;_emit 0x41;_emit 0x0F;_emit 0xB7;_emit 0x14;_emit 0x10;_emit 0x48;_emit 0x8D;_emit 0x14;_emit 0x91;_emit 0x8B;_emit 0x04;_emit 0x02;_emit 0x48;_emit 0x01;_emit 0xC8;_emit 0x5B;_emit 0x5E;_emit 0x5F;_emit 0xC3
};
}
/*
 * x64proc_GetModuleHandle64 (MSVC build) - 64-bit machine code in a naked function. Only callable
 * through X64Call((DWORD64)x64proc_GetModuleHandle64, 1, (DWORD64)name).
 *
 * Decoded behaviour: gs:[0x60] -> 64-bit PEB, +0x18 -> Ldr, +0x10 -> InLoadOrderModuleList.
 * Each entry's BaseDllName.Buffer (entry+0x60) is compared with the wide string in rcx, folding
 * only ASCII 'A'..'Z' to lower case; a match requires both strings to end together, so the
 * extension must be given. Returns DllBase (entry+0x30) of the first match, else 0.
 * Saves rsi/rbx, clobbers rax, rdx, r8-r11.
 *
 * Caveats: this is the 64-bit loader's list, which in a WOW64 process presumably contains only
 * the 64-bit system DLLs (ntdll.dll and the wow64 support DLLs) - verify on the target OS.
 * rcx and BaseDllName.Buffer are dereferenced without NULL checks. The PEB/LDR offsets are
 * undocumented layouts, stable so far but not an API contract.
 */
NAKED
DWORD64 x64proc_GetModuleHandle64(const wchar_t * lpModuleName)
{//64-bit shellcode extracted from a compiled x64 build; only callable through X64Call
__asm {
_emit 0x56;_emit 0x53;_emit 0x65;_emit 0x48;_emit 0x8B;_emit 0x04;_emit 0x25;_emit 0x60;_emit 0x00;_emit 0x00;_emit 0x00;_emit 0x48;_emit 0x8B;_emit 0x40;_emit 0x18;_emit 0x48;_emit 0x8B;_emit 0x58;_emit 0x10;_emit 0x48;_emit 0x8D;_emit 0x70;_emit 0x10;_emit 0x48;_emit 0x39;_emit 0xDE;_emit 0x74;_emit 0x58;_emit 0x0F;_emit 0x1F;_emit 0x40;_emit 0x00;_emit 0x4C;_emit 0x8B;_emit 0x4B;_emit 0x60;_emit 0x49;_emit 0x89;_emit 0xC8;_emit 0xEB;_emit 0x0B;_emit 0x0F;_emit 0x1F;_emit 0x80;_emit 0x00;_emit 0x00;_emit 0x00;_emit 0x00;_emit 0x39;_emit 0xD0;_emit 0x75;_emit 0x34;_emit 0x49;_emit 0x83;_emit 0xC1;_emit 0x02;_emit 0x41;_emit 0x0F;_emit 0xB7;_emit 0x41;_emit 0xFE;_emit 0x44;_emit 0x8D;_emit 0x50;_emit 0xBF;_emit 0x8D;_emit 0x50;_emit 0x20;_emit 0x41;_emit 0x83;_emit 0xFA;_emit 0x19;_emit 0x0F;_emit 0x46;_emit 0xC2;_emit 0x49;_emit 0x83;_emit 0xC0;_emit 0x02;_emit 0x41;_emit 0x0F;_emit 0xB7;_emit 0x50;_emit 0xFE;_emit 0x44;_emit 0x8D;_emit 0x5A;_emit 0xBF;_emit 0x44;_emit 0x8D;_emit 0x52;_emit 0x20;_emit 0x41;_emit 0x83;_emit 0xFB;_emit 0x19;_emit 0x41;_emit 0x0F;_emit 0x46;_emit 0xD2;_emit 0x85;_emit 0xC0;_emit 0x75;_emit 0xC8;_emit 0x39;_emit 0xD0;_emit 0x74;_emit 0x0D;_emit 0x48;_emit 0x8B;_emit 0x1B;_emit 0x48;_emit 0x39;_emit 0xDE;_emit 0x75;_emit 0xAC;_emit 0x31;_emit 0xC0;_emit 0x5B;_emit 0x5E;_emit 0xC3;_emit 0x48;_emit 0x8B;_emit 0x43;_emit 0x30;_emit 0x5B;_emit 0x5E;_emit 0xC3
};
}
#endif //ifndef _MSC_VER
/////////////////////////////////////////////////////////////////////////////
// Resolve an export of a 64-bit module by name. Lookup by ordinal is not implemented.
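/*
 * GetProcAddress64 - resolve a named export of a 64-bit module from 32-bit code.
 *
 * hModule    : base of a 64-bit module (e.g. from GetModuleHandle64 / getNTDLL64).
 * lpProcName : ANSI export name; the match is case-sensitive and by name only.
 * Returns the 64-bit address of the export, or 0 when either argument is NULL, the image is not
 * a valid PE32+ module, it has no export table, or the name is not found.
 */
DWORD64 GetProcAddress64(DWORD64 hModule,const char* lpProcName)
{
    /* The resolver blob dereferences both arguments unconditionally, and a NULL read while in
     * 64-bit mode is a hard fault that the 32-bit side cannot reliably handle. getNTDLL64() can
     * legitimately return 0, so reject the bad inputs here rather than crash inside the gate. */
    if (hModule == 0 || lpProcName == NULL)
        return 0;
    return X64Call((DWORD64)x64proc_GetProcAddress64, 2,
                   hModule,
                   (DWORD64)lpProcName);
}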
// Module name must include the extension; the comparison is case-insensitive (ASCII only). Returns the 64-bit module base.
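/*
 * GetModuleHandle64 - find the base of a module in the 64-bit loader's list from 32-bit code.
 *
 * lpModuleName : wide module name INCLUDING its extension (e.g. L"ntdll.dll"); ASCII letters are
 *                compared case-insensitively.
 * Returns the 64-bit module base, or 0 when the name is NULL or no entry matches. Unlike the
 * Win32 GetModuleHandle(NULL), there is no "main module" shortcut: the blob always compares names.
 * NOTE(review): in a WOW64 process the 64-bit loader list presumably holds only the 64-bit system
 * DLLs, so names of the process's own 32-bit modules will not be found - confirm on the target OS.
 */
DWORD64 GetModuleHandle64(const wchar_t* lpModuleName)
{
    /* The lookup blob reads the name string without a NULL check; fail cleanly here instead of
     * faulting in 64-bit mode where the 32-bit caller cannot catch it. */
    if (lpModuleName == NULL)
        return 0;
    return X64Call((DWORD64)x64proc_GetModuleHandle64, 1,
                   (DWORD64)lpModuleName);
}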
// Return the base of the 64-bit ntdll.dll, cached after the first successful lookup.
/*
 * getNTDLL64 - base of the 64-bit ntdll.dll, looked up once through GetModuleHandle64 and then
 * served from a function-local static. Returns 0 if the lookup fails; a failed lookup is not
 * cached, so the next call retries. The cache is a plain static with no synchronisation.
 */
DWORD64 getNTDLL64()
{
    static DWORD64 cachedBase = 0;
    if (cachedBase != 0)
        return cachedBase;
    cachedBase = GetModuleHandle64(L"ntdll.dll");
    return cachedBase;
}
// Returns the number of bytes actually read (0 on failure).
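/*
 * ReadMemory64 - read from a (possibly 64-bit) process's address space via the 64-bit
 * ntdll!NtReadVirtualMemory, bypassing the WOW64 thunks so 64-bit addresses are reachable.
 *
 * hProcess : process handle with read access.
 * lpRead   : 64-bit source address in the target process.
 * lpBuffer : destination in this process; receives up to nSize bytes.
 * nSize    : bytes requested.
 * Returns the byte count the callee reported in its NumberOfBytesRead out-parameter; 0 when the
 * export could not be resolved or nothing was read. The NTSTATUS itself is not surfaced.
 *
 * Arguments follow NtReadVirtualMemory(ProcessHandle, BaseAddress, Buffer, BufferSize,
 * NumberOfBytesRead). The out-parameter is an 8-byte slot on the 64-bit side, hence a DWORD64
 * local rather than a size_t - never pass a 32-bit size_t* here.
 * NOTE(review): hProcess is zero-extended; pseudo-handles such as GetCurrentProcess() (-1) are
 * negative values and would need sign-extension to keep their meaning in 64-bit mode - confirm
 * before relying on them with this wrapper.
 */
size_t ReadMemory64(HANDLE hProcess, DWORD64 lpRead, void* lpBuffer, SIZE_T nSize)
{
    static DWORD64 pfn;
    if (0 == pfn)
        pfn = GetProcAddress64(getNTDLL64(), "NtReadVirtualMemory");
    /* Never enter the gate with a NULL target: X64Call would `call 0` in 64-bit mode. */
    if (0 == pfn)
        return 0;
    DWORD64 bytesRead = 0;   /* 8-byte out slot for the callee's SIZE_T */
    X64Call(pfn, 5, (DWORD64)hProcess, lpRead, (DWORD64)lpBuffer, (DWORD64)nSize, (DWORD64)&bytesRead);
    return (size_t)bytesRead;
}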
// Returns the number of bytes actually written (0 on failure).
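/*
 * WriteMemory64 - write into a (possibly 64-bit) process's address space via the 64-bit
 * ntdll!NtWriteVirtualMemory, bypassing the WOW64 thunks.
 *
 * hProcess : process handle with write access.
 * lpWrite  : 64-bit destination address in the target process.
 * lpBuffer : source bytes in this process.
 * nSize    : bytes to write.
 * Returns the byte count the callee reported in NumberOfBytesWritten; 0 when the export could
 * not be resolved or nothing was written. The NTSTATUS is not surfaced.
 *
 * The out-parameter is an 8-byte slot on the 64-bit side, hence a DWORD64 local - never pass a
 * 32-bit size_t* here. Writing code or data into another process is an injection primitive
 * that EDR products watch closely; keep its call sites auditable.
 * NOTE(review): hProcess is zero-extended; pseudo-handles such as GetCurrentProcess() (-1) are
 * negative values and would need sign-extension to keep their meaning in 64-bit mode - confirm
 * before relying on them here.
 */
size_t WriteMemory64(HANDLE hProcess, DWORD64 lpWrite,const void* lpBuffer, size_t nSize)
{
    static DWORD64 pfn;
    if (0 == pfn)
        pfn = GetProcAddress64(getNTDLL64(), "NtWriteVirtualMemory");
    /* Never enter the gate with a NULL target: X64Call would `call 0` in 64-bit mode. */
    if (0 == pfn)
        return 0;
    DWORD64 bytesWritten = 0;   /* 8-byte out slot for the callee's SIZE_T */
    X64Call(pfn, 5, (DWORD64)hProcess, lpWrite, (DWORD64)lpBuffer, (DWORD64)nSize, (DWORD64)&bytesWritten);
    return (size_t)bytesWritten;
}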
// Returns the base address of the allocated region, or 0 on failure.
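/*
 * VirtualAllocEx64 - allocate memory in a (possibly 64-bit) process via the 64-bit
 * ntdll!NtAllocateVirtualMemory.
 *
 * hProcess         : target process handle.
 * lpAddress        : preferred 64-bit base, or 0 to let the callee choose.
 * dwSize           : requested size.
 * flAllocationType : MEM_* flags (passed through unchanged).
 * flProtect        : PAGE_* protection (passed through unchanged).
 * Returns the base address the callee wrote back into its in/out BaseAddress slot, or 0 when
 * the export is unresolved or the call did not return status 0.
 *
 * BaseAddress and RegionSize are in/out parameters on the 64-bit side and must be 8-byte slots,
 * hence the DWORD64 locals. ZeroBits is passed as 0.
 * NOTE(review): hProcess is zero-extended; pseudo-handles like GetCurrentProcess() (-1) would
 * need sign-extension to keep their meaning in 64-bit mode - confirm before relying on them.
 */
DWORD64 VirtualAllocEx64(HANDLE hProcess, DWORD64 lpAddress, size_t dwSize, DWORD flAllocationType, DWORD flProtect)
{
    static DWORD64 pfn;
    if (0 == pfn)
        pfn = GetProcAddress64(getNTDLL64(), "NtAllocateVirtualMemory");
    /* Never enter the gate with a NULL target: X64Call would `call 0` in 64-bit mode. */
    if (0 == pfn)
        return 0;
    DWORD64 baseAddress = lpAddress;   /* in/out: updated by the callee on success */
    DWORD64 regionSize = dwSize;       /* in/out: 8-byte SIZE_T slot */
    DWORD64 status = X64Call(pfn, 6, (DWORD64)hProcess, (DWORD64)&baseAddress, (DWORD64)0,
                             (DWORD64)&regionSize, (DWORD64)flAllocationType, (DWORD64)flProtect);
    /* NTSTATUS is 32-bit: only the low half of RAX is defined for a 32-bit return value, so
     * compare the low 32 bits. Success is status 0 (NOERROR == STATUS_SUCCESS == 0). */
    return ((DWORD)status == NOERROR) ? baseAddress : 0;
}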
// Create a thread in a (possibly remote) process; returns the thread handle, NULL on failure.
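/*
 * CreateThread64 - start a thread at a 64-bit address in a target process through the 64-bit
 * ntdll!RtlCreateUserThread (an undocumented API).
 *
 * hProcess       : target process handle.
 * lpStartAddress : 64-bit entry point in the target.
 * lpParameter    : 64-bit value handed to the entry point.
 * Returns the thread handle written by the callee (owned by the caller, who must close it), or
 * NULL when the export is unresolved or the callee left the handle slot at 0. The thread is
 * created running (CreateSuspended = FALSE); the NTSTATUS is not surfaced.
 *
 * Security note: a thread started at an arbitrary address in another process is a code-injection
 * primitive and is precisely what EDR hooks and ETW thread-creation telemetry alert on; keep its
 * use auditable and limited to the tooling that needs it.
 * NOTE(review): the returned 64-bit handle is truncated to 32 bits; Windows handle values fit,
 * presumably - confirm. hProcess is zero-extended, so pseudo-handles (-1) would need
 * sign-extension to keep their 64-bit meaning.
 */
HANDLE CreateThread64(HANDLE hProcess,DWORD64 lpStartAddress,DWORD64 lpParameter)
{
    static DWORD64 pfn;
    if (pfn == 0)
        pfn = GetProcAddress64(getNTDLL64(), "RtlCreateUserThread");
    /* Never enter the gate with a NULL target: X64Call would `call 0` in 64-bit mode. */
    if (pfn == 0)
        return NULL;
    DWORD64 hThread = 0;           /* 8-byte out slot for the 64-bit HANDLE */
    DWORD64 client_cid[2] = {0};   /* 16-byte out slot for the 64-bit CLIENT_ID; unused by the caller */
    X64Call(pfn, 10,
            (DWORD64)hProcess,       // ProcessHandle
            (DWORD64)NULL,           // SecurityDescriptor
            (DWORD64)FALSE,          // CreateSuspended
            (DWORD64)0,              // StackZeroBits
            (DWORD64)NULL,           // StackReserved
            (DWORD64)NULL,           // StackCommit
            lpStartAddress,          // StartAddress
            lpParameter,             // StartParameter
            (DWORD64)&hThread,       // ThreadHandle
            (DWORD64)&client_cid);   // ClientID
    return (HANDLE)(UINT_PTR)hThread;
}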
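/*
 * VirtualFreeEx64 - release or decommit memory in a (possibly 64-bit) process via the 64-bit
 * ntdll!NtFreeVirtualMemory.
 *
 * hProcess   : target process handle.
 * lpAddress  : 64-bit base of the region.
 * dwSize     : region size passed to the callee in its in/out RegionSize slot.
 * dwFreeType : MEM_RELEASE / MEM_DECOMMIT (passed through unchanged).
 * Returns TRUE only when the export resolved and the callee returned status 0.
 *
 * NOTE(review): the native API's rules for RegionSize (e.g. what MEM_RELEASE expects) are the
 * caller's responsibility here - this wrapper passes dwSize through unchanged. hProcess is
 * zero-extended; pseudo-handles (-1) would need sign-extension to keep their 64-bit meaning.
 */
BOOL VirtualFreeEx64(HANDLE hProcess, DWORD64 lpAddress, size_t dwSize, DWORD dwFreeType)
{
    static DWORD64 pfn = 0;
    if (0 == pfn)
        pfn = GetProcAddress64(getNTDLL64(), "NtFreeVirtualMemory");
    /* Never enter the gate with a NULL target: X64Call would `call 0` in 64-bit mode. */
    if (0 == pfn)
        return FALSE;
    DWORD64 baseAddress = lpAddress;   /* in/out 8-byte slot */
    DWORD64 regionSize = dwSize;       /* in/out 8-byte SIZE_T slot */
    DWORD64 status = X64Call(pfn, 4, (DWORD64)hProcess, (DWORD64)&baseAddress,
                             (DWORD64)&regionSize, (DWORD64)dwFreeType);
    /* NTSTATUS is 32-bit; only the low half of RAX is defined for a 32-bit return value. */
    return (DWORD)status == NOERROR;
}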
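/*
 * VirtualProtectEx64 - change page protection in a (possibly 64-bit) process via the 64-bit
 * ntdll!NtProtectVirtualMemory.
 *
 * hProcess    : target process handle.
 * lpAddress   : 64-bit base of the region.
 * dwSize      : region size (in/out on the 64-bit side, hence the DWORD64 local).
 * NewProtect  : PAGE_* value to apply.
 * pOldProtect : receives the previous protection. The callee writes a 32-bit value into it, so
 *               a DWORD* is the right width here (unlike the address/size slots, which are 8 bytes).
 *               Passing NULL is not guarded and would fault inside the 64-bit callee.
 * Returns TRUE only when the export resolved and the callee returned status 0.
 *
 * Making memory executable in another process is a common injection step and is routinely
 * flagged by EDR; keep call sites auditable.
 * NOTE(review): hProcess is zero-extended; pseudo-handles (-1) would need sign-extension to keep
 * their 64-bit meaning - confirm before relying on them.
 */
BOOL VirtualProtectEx64(HANDLE hProcess, DWORD64 lpAddress, size_t dwSize, DWORD NewProtect, DWORD* pOldProtect)
{
    static DWORD64 pfn;
    if (0 == pfn)
        pfn = GetProcAddress64(getNTDLL64(), "NtProtectVirtualMemory");
    /* Never enter the gate with a NULL target: X64Call would `call 0` in 64-bit mode. */
    if (0 == pfn)
        return FALSE;
    DWORD64 baseAddress = lpAddress;   /* in/out 8-byte slot */
    DWORD64 regionSize = dwSize;       /* in/out 8-byte SIZE_T slot */
    DWORD64 status = X64Call(pfn, 5, (DWORD64)hProcess, (DWORD64)&baseAddress,
                             (DWORD64)&regionSize, (DWORD64)NewProtect, (DWORD64)pOldProtect);
    /* NTSTATUS is 32-bit; only the low half of RAX is defined for a 32-bit return value. */
    return (DWORD)status == NOERROR;
}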