Locate the kernel32.dll base address by walking the PEB loader list, then resolve exported functions by hand from the in-memory export directory (no GetProcAddress / import table needed).
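#include <windows.h>   /* winternl.h only declares the opaque PEB/TEB shapes; windows.h must come first */
#include <winternl.h>

/*
 * Private mirrors of the loader structures.
 *
 * winternl.h exposes PEB_LDR_DATA / LDR_DATA_TABLE_ENTRY only with
 * "Reserved" members, so the fields this code relies on
 * (InLoadOrderModuleList, DllBase, BaseDllName) are spelled out here.
 * Only the leading members are mirrored; nothing past BaseDllName is
 * ever touched, so the tail of the real structures is irrelevant.
 */
typedef struct _MY_PEB_LDR_DATA {
    ULONG      Length;
    BOOL       Initialized;
    PVOID      SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} MY_PEB_LDR_DATA, *PMY_PEB_LDR_DATA;

typedef struct _MY_LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY     InLoadOrderLinks;   /* must stay first: list nodes are cast straight to entries */
    LIST_ENTRY     InMemoryOrderLinks;
    LIST_ENTRY     InInitializationOrderLinks;
    PVOID          DllBase;
    PVOID          EntryPoint;
    ULONG          SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
} MY_LDR_DATA_TABLE_ENTRY, *PMY_LDR_DATA_TABLE_ENTRY;

/*
 * Byte-wise equality of two NUL-terminated ANSI strings.
 *
 * Written out by hand instead of calling strcmp(): the intended consumer
 * is position-independent code with no import table, and a CRT strcmp()
 * reference would either fail to link or silently add an import.
 */
static int pic_str_eq(const char *a, const char *b)
{
    while (*a != '\0' && *a == *b) {
        a++;
        b++;
    }
    return *a == *b;
}

/*
 * Case-insensitive (ASCII letters only) comparison of a counted
 * UNICODE_STRING body against a NUL-terminated wide literal.
 *
 * len_bytes is UNICODE_STRING.Length, which is a byte count, not a
 * character count.  The string is not assumed to be NUL-terminated.
 */
static int pic_wstr_ieq(const WCHAR *s, USHORT len_bytes, const WCHAR *lit)
{
    USHORT n = (USHORT)(len_bytes / sizeof(WCHAR));
    USHORT i;

    for (i = 0; i < n; i++) {
        WCHAR c = s[i];
        WCHAR d = lit[i];
        if (d == 0) {
            return 0;   /* literal is shorter than the string */
        }
        if (c >= L'A' && c <= L'Z') c = (WCHAR)(c + (L'a' - L'A'));
        if (d >= L'A' && d <= L'Z') d = (WCHAR)(d + (L'a' - L'A'));
        if (c != d) {
            return 0;
        }
    }
    return lit[n] == 0;   /* literal must end exactly where the string does */
}

/*
 * Return the base address of kernel32.dll in the current process, or NULL
 * if it is not loaded (e.g. a native process).
 *
 * The PEB is read from the TEB (gs:[0x60] on x64, fs:[0x30] on x86) with
 * compiler intrinsics, so no API call and no import is involved.  The
 * InLoadOrderModuleList is then walked and each entry's BaseDllName is
 * compared, case-insensitively, against "kernel32.dll".
 *
 * Earlier code took the third list entry blindly (exe, ntdll, kernel32).
 * That order is what a normal Win32 process shows, but it is not a
 * documented contract; matching on the name costs a few iterations and
 * does not depend on it.  The list is circular, so the walk stops when it
 * returns to the head.
 *
 * NOTE(review): __readgsqword/__readfsdword are MSVC intrinsics; MinGW
 * ships equivalents, but confirm for the toolchain in use.
 */
LPBYTE GetKernel32Moudle(void)
{
#ifdef _WIN64
    PPEB peb = (PPEB)__readgsqword(0x60);   /* TEB->ProcessEnvironmentBlock */
#else
    PPEB peb = (PPEB)__readfsdword(0x30);   /* TEB->ProcessEnvironmentBlock */
#endif /* _WIN64 */
    PMY_PEB_LDR_DATA ldr = (PMY_PEB_LDR_DATA)peb->Ldr;
    PLIST_ENTRY head = &ldr->InLoadOrderModuleList;
    PLIST_ENTRY node;

    if (ldr == NULL) {
        return NULL;
    }

    for (node = head->Flink; node != NULL && node != head; node = node->Flink) {
        /* InLoadOrderLinks is the first member, so the node pointer IS the entry pointer. */
        PMY_LDR_DATA_TABLE_ENTRY entry = (PMY_LDR_DATA_TABLE_ENTRY)node;

        if (entry->BaseDllName.Buffer != NULL &&
            pic_wstr_ieq(entry->BaseDllName.Buffer, entry->BaseDllName.Length, L"kernel32.dll")) {
            return (LPBYTE)entry->DllBase;
        }
    }
    return NULL;
}

/*
 * Resolve an export of an in-memory module without calling GetProcAddress.
 *
 * hModule    - base address of a module already mapped in this process
 *              (RVAs are added to it directly; this is NOT for on-disk files,
 *              which is why the old rva2ofs scaffolding is gone).
 * lpProcName - exported name (exact, case-sensitive match, like the real
 *              GetProcAddress), or an ordinal encoded GetProcAddress-style
 *              with the high bits zero and the ordinal in the low 16 bits.
 *
 * Returns the function's address, or NULL when:
 *   - the image headers do not carry the MZ / PE signatures,
 *   - the module has no export directory or no names,
 *   - the name is not exported, or the ordinal is out of range,
 *   - the export is a forwarder.  A forwarder's "address" falls inside the
 *     export directory and is really a "DLL.Function" string; handing that
 *     back as a function pointer would be a call into text data, so it is
 *     refused here.  Callers that need forwarded kernel32 exports (several
 *     forward to ntdll) must resolve them in the target module.
 *
 * IMAGE_NT_HEADERS follows the compiler's bitness, so this only parses
 * modules of the same bitness as the caller - always true for modules
 * found through the caller's own PEB.
 */
LPVOID GetProcAddress2(LPBYTE hModule, LPCSTR lpProcName)
{
    PIMAGE_DOS_HEADER dos;
    PIMAGE_NT_HEADERS nt;
    PIMAGE_DATA_DIRECTORY expDir;
    PIMAGE_EXPORT_DIRECTORY exp;
    PDWORD names, funcs;
    PWORD ordinals;
    DWORD expRva, expSize, funcRva;

    if (hModule == NULL || lpProcName == NULL) {
        return NULL;
    }

    /* Sanity-check the headers before trusting any offset read from them. */
    dos = (PIMAGE_DOS_HEADER)hModule;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) {
        return NULL;
    }
    nt = (PIMAGE_NT_HEADERS)(hModule + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) {
        return NULL;
    }

    expDir  = &nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    expRva  = expDir->VirtualAddress;
    expSize = expDir->Size;
    if (expRva == 0) {
        return NULL;   /* no export directory */
    }

    exp      = (PIMAGE_EXPORT_DIRECTORY)(hModule + expRva);
    names    = (PDWORD)(hModule + exp->AddressOfNames);
    funcs    = (PDWORD)(hModule + exp->AddressOfFunctions);
    ordinals = (PWORD)(hModule + exp->AddressOfNameOrdinals);

    if (((ULONG_PTR)lpProcName >> 16) == 0) {
        /* Ordinal lookup: ordinals are biased by exp->Base.  Unsigned wrap
         * for ordinals below Base lands above NumberOfFunctions and is
         * rejected by the same check. */
        DWORD idx = (DWORD)((ULONG_PTR)lpProcName & 0xFFFF) - exp->Base;
        if (idx >= exp->NumberOfFunctions) {
            return NULL;
        }
        funcRva = funcs[idx];
    } else {
        DWORD i;
        if (exp->NumberOfNames == 0) {
            return NULL;
        }
        funcRva = 0;
        for (i = 0; i < exp->NumberOfNames; i++) {
            const char *name = (const char *)(hModule + names[i]);
            if (!pic_str_eq(name, lpProcName)) {
                continue;
            }
            /* The name ordinal indexes AddressOfFunctions; bound it. */
            if (ordinals[i] >= exp->NumberOfFunctions) {
                return NULL;
            }
            funcRva = funcs[ordinals[i]];
            break;
        }
        if (funcRva == 0) {
            return NULL;   /* not found, or an empty export slot */
        }
    }

    if (funcRva == 0) {
        return NULL;   /* unused slot in AddressOfFunctions */
    }

    /* Forwarded export: the RVA points at a "DLL.Function" string inside
     * the export directory, not at code. */
    if (expSize != 0 && funcRva >= expRva && funcRva < expRva + expSize) {
        return NULL;
    }

    return (LPVOID)(hModule + funcRva);
}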
函数有了，shellcode 就简单了 0.0（注意：作为位置无关的 shellcode 使用时，不能依赖 CRT 的 strcmp 或任何导入表函数，字符串比较要自己实现；另外 kernel32 中有些导出是转发到 ntdll 的 forwarder，按名字解析时要识别并拒绝，否则拿到的是字符串地址而不是代码。）