求助《加密与解密》的第12章里的RtlCreateInject的shellcode开始地址的计算问题
mb_xfwmkqca 2023-3-8 199
/*
 * Position-independent shellcode body (MSVC inline asm, x86).
 *
 * This function is never called as a normal function: the caller locates
 * its bytes, finds the five-NOP marker at the end, and copies only the
 * bytes in between. Nothing in here may therefore depend on the address
 * the linker gave the function. It is declared naked so that no prologue
 * or epilogue bytes are emitted around the hand-written instructions.
 *
 * Layout assumption (confirm against the INJECT_DATA definition, which is
 * not shown here): after the call/pop sequence ebx holds the address of
 * the copied block's first byte, and every INJECT_DATA field is read
 * relative to ebx, so the copied block must sit where the caller has laid
 * out an INJECT_DATA. The call/pop self-locating sequence and the trailing
 * NOP run are well-known patterns that memory scanners flag.
 */
__declspec (naked)
VOID ShellCodeFun(VOID)
{
    __asm
    {
        call L001                    // pushes the address of L001 as the return address
L001:
        pop ebx                      // ebx = address of L001
        sub ebx,5                    // call rel32 is 5 bytes: ebx = address of the call, i.e. the block start
        push dword ptr ds:[ebx]INJECT_DATA.lpParameter //lpParameter
        call dword ptr ds:[ebx]INJECT_DATA.lpThreadStartRoutine //ThreadProc
        xor eax,eax                  // exit status 0 for the thread
        push eax
        push -2 //CurrentThread      (-2 is the current-thread pseudo handle)
        call dword ptr ds:[ebx]INJECT_DATA.AddrOfZwTerminateThread //ZwTerminateThread
        nop //no return              the five NOPs are the end marker the copying code searches for
        nop
        nop
        nop
        nop
    }
}
/* Resolve the real start of ShellCodeFun's body and copy its bytes to
 * pOutShellCode. Taking the function's address does not necessarily give
 * the body itself (see the 0xE9 check below). */
BYTE *pShellcodeStart = (BYTE*)ShellCodeFun;
 
BYTE *pShellcodeEnd = 0 ;
SIZE_T ShellCodeSize = 0 ;
if (pShellcodeStart[0] == 0xE9)
{
//In Debug builds the function symbol resolves to a jmp rel32 thunk (opcode
//0xE9); follow its displacement to reach the real body. Since ShellCodeFun is
//naked, that body should begin with its `call L001`, so skipping the thunk
//loses nothing of the shellcode — confirm in the debugger.
//NOTE(review): the rel32 displacement is signed; reading it as ULONG only
//yields the right address under 32-bit pointer arithmetic (x86-only code).
    pShellcodeStart = pShellcodeStart + *(ULONG*)(pShellcodeStart +1 ) + 5;
}
 
//Search for the shellcode end marker (the five NOPs at the end of ShellCodeFun).
//NOTE(review): this scan has no upper bound. If the compiler does not emit the
//five NOPs verbatim and in order (e.g. a different build configuration), it
//reads past the function until it finds five 0x90 bytes elsewhere or faults.
pShellcodeEnd = pShellcodeStart;
while (memcmp(pShellcodeEnd,"\x90\x90\x90\x90\x90",5) != 0)
{
    pShellcodeEnd++;
}
 
ShellCodeSize = pShellcodeEnd - pShellcodeStart;
//NOTE(review): ShellCodeSize is SIZE_T but is printed with %d; %Iu (MSVC) or
//%zu matches the type.
printf("[*] Shellcode Len = %d\n",ShellCodeSize);
//NOTE(review): the capacity of pOutShellCode is not checked against
//ShellCodeSize here; the caller must guarantee the destination is large enough.
memcpy(pOutShellCode,pShellcodeStart,ShellCodeSize);
}

如果 shellcode 以 E9 开头的话,那么求得的 pShellcodeStart 是不是应该是 pop ebx 的开始地址?如果是这样的话,被写入内存的 shellcode 缺少了开头的 call L001,不就没法让 ebx 成为申请的内存基址了么?求大佬指点一下
