在第二種shellcode編寫實戰(1)的基礎上,新增加一個CAPI類,將所有用到的函數都在這個類中做動態調用的處理,這樣使得整個shellcode功能結構更加清晰。
1. 新建類CAPI(即api.h和api.cpp兩個文件):
api.h:
#pragma once#include <windows.h>
#include <Winternl.h>class CAPI
{
private:HMODULE GetKernel32BaseAddress();FARPROC _GetPorcAddress();public:void InitFunctions();public:typedef HANDLE(WINAPI* FN_CreateFileA)(_In_ LPCSTR lpFileName,_In_ DWORD dwDesiredAccess,_In_ DWORD dwShareMode,_In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,_In_ DWORD dwCreationDisposition,_In_ DWORD dwFlagsAndAttributes,_In_opt_ HANDLE hTemplateFile);typedef int (WINAPI* FN_MessageBoxA)(__in_opt HWND hWnd,__in_opt LPCSTR lpText,__in_opt LPCSTR lpCaption,__in UINT uType);typedef HMODULE(WINAPI* FN_LoadLibraryA)(__in LPCSTR lpLibFileName);public:FN_CreateFileA CreateFileA;FN_MessageBoxA MessageBoxA;FN_LoadLibraryA LoadLibraryA;
};api.cpp:
#include "api.h"// 獲取kernel32基址
HMODULE CAPI::GetKernel32BaseAddress()
{HMODULE hKernel32 = NULL;// 用戶保存模塊名WCHAR wszModuleName[MAX_PATH];#ifdef _WIN64 // 64位PEB偏移為0x60PPEB lpPeb = (PPEB)__readgsqword(0x60);
#else // 32位PEB偏移為0x30PPEB lpPeb = (PPEB)__readfsdword(0x30);
#endifPLIST_ENTRY pListHead = &lpPeb->Ldr->InMemoryOrderModuleList;PLIST_ENTRY pListData = pListHead->Flink;// 遍歷所有模塊while (pListData != pListHead){PLDR_DATA_TABLE_ENTRY pLDRData = CONTAINING_RECORD(pListData, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);DWORD dwLen = pLDRData->FullDllName.Length / 2;if (dwLen > 12) // 12 是"kernel32.dll"的長度,獲取到的完整路徑肯定要比模塊名長{// 從獲取到的模塊完整路徑中提取模塊名for (size_t i = 0; i < 12; i++){wszModuleName[11 - i] = pLDRData->FullDllName.Buffer[dwLen - 1 - i];}// 最終要獲取的目標模塊名("kernel32.dll"),逐個字節比較,包含大小寫。if ((wszModuleName[0] == 'k' || wszModuleName[0] == 'K') &&(wszModuleName[1] == 'e' || wszModuleName[1] == 'E') &&(wszModuleName[2] == 'r' || wszModuleName[2] == 'R') &&(wszModuleName[3] == 'n' || wszModuleName[3] == 'N') &&(wszModuleName[4] == 'e' || wszModuleName[4] == 'E') &&(wszModuleName[5] == 'l' || wszModuleName[5] == 'L') &&(wszModuleName[6] == '3') &&(wszModuleName[7] == '2') &&(wszModuleName[8] == '.') &&(wszModuleName[9] == 'd' || wszModuleName[9] == 'D') &&(wszModuleName[10] == 'l' || wszModuleName[10] == 'L') &&(wszModuleName[11] == 'l' || wszModuleName[11] == 'L')){hKernel32 = (HMODULE)pLDRData->DllBase;break;}}pListData = pListData->Flink;}return hKernel32;
}// 獲取GetPorcAddress函數地址
FARPROC CAPI::_GetPorcAddress()
{// 保存最終結果FARPROC pGetPorcAddress = NULL;// kernel32基址HMODULE hKernel32 = GetKernel32BaseAddress();if (!hKernel32){return NULL;}PIMAGE_DOS_HEADER lpDosHeader = (PIMAGE_DOS_HEADER)hKernel32;PIMAGE_NT_HEADERS lpNTHeader = (PIMAGE_NT_HEADERS)((unsigned char*)hKernel32 + lpDosHeader->e_lfanew);// 模塊有效性驗證if (!lpNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size){return NULL;}if (!lpNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress){return NULL;}// 通過導出表中的導出函數名,定位"GetProcAddress"的位置PIMAGE_EXPORT_DIRECTORY lpExports = (PIMAGE_EXPORT_DIRECTORY)((unsigned char*)hKernel32 + lpNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);PDWORD lpdwFunName = (PDWORD)((unsigned char*)hKernel32 + lpExports->AddressOfNames);PWORD lpdwOrd = (PWORD)((unsigned char*)hKernel32 + lpExports->AddressOfNameOrdinals);PDWORD lpdwFunAddr = (PDWORD)((unsigned char*)hKernel32 + lpExports->AddressOfFunctions);for (DWORD dwLoop = 0; dwLoop <= lpExports->NumberOfNames - 1; dwLoop++){char* pFunName = (char*)(lpdwFunName[dwLoop] + (unsigned char*)hKernel32);// 比較函數名if (pFunName[0] == 'G' &&pFunName[1] == 'e' &&pFunName[2] == 't' &&pFunName[3] == 'P' &&pFunName[4] == 'r' &&pFunName[5] == 'o' &&pFunName[6] == 'c' &&pFunName[7] == 'A' &&pFunName[8] == 'd' &&pFunName[9] == 'd' &&pFunName[10] == 'r' &&pFunName[11] == 'e' &&pFunName[12] == 's' &&pFunName[13] == 's'){pGetPorcAddress = (FARPROC)(lpdwFunAddr[lpdwOrd[dwLoop]] + (unsigned char*)hKernel32);break;}}return pGetPorcAddress;
}// 初始化所有用到的函數
void CAPI::InitFunctions()
{// 獲取GetPorcAddress函數地址typedef FARPROC(WINAPI* FN_GetProcAddress)(__in HMODULE hModule, __in LPCSTR lpProcName);FN_GetProcAddress fn_GetProcAddress = (FN_GetProcAddress)_GetPorcAddress();if (fn_GetProcAddress){// 獲取LoadLibraryA函數地址char szLoadLibraryA[] = { 'L','o','a','d','L','i','b','r','a','r','y','A',0 };LoadLibraryA = (FN_LoadLibraryA)fn_GetProcAddress(GetKernel32BaseAddress(), szLoadLibraryA);if (LoadLibraryA){// 獲取MessageBoxA函數地址char szUser32[] = { 'U','s','e','r','3','2','.','d','l','l',0 };char szMessageBoxA[] = { 'M','e','s','s','a','g','e','B','o','x','A',0 };MessageBoxA = (FN_MessageBoxA)fn_GetProcAddress(LoadLibraryA(szUser32), szMessageBoxA);// 獲取CreateFileA函數地址char szCreateFileA[] = { 'C','r','e','a','t','e','F','i','l','e','A',0 };CreateFileA = (FN_CreateFileA)fn_GetProcAddress(GetKernel32BaseAddress(), szCreateFileA);}}
}2. 在CAPI中,使用InitFunctions函數來初始化所有shellcode中用到的函數,在shellcode執行功能處,進行如下調用即可(a.start.cpp):
#include "a.start.h"
#include "shellcode.h"
#include "api.h"void ShellCodeStart()
{CAPI api;// 初始化所有用到的函數api.InitFunctions();CDoShellcode shellcode;// 創建文件shellcode.DoCreateFile(&api);// 彈框提示shellcode.DoMessageBox(&api);// 其他功能...
}3. 在類CDoShellcode中,將所有函數功能執行的參數都傳遞一個CAPI的指針變量,那么所有功能都可以使用CAPI中的函數。比如CDoShellcode中的DoCreateFile方法:
// 功能:創建文件 D:\1.txt
int CDoShellcode::DoCreateFile(CAPI* api)
{// 執行動態CreateFileA,創建文件char szFilePath[] = { 'D',':','\\','1','.','t','x','t',0 };api->CreateFileA(szFilePath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);return 0;
}如此一來,對類CDoShellcode而言,我們只關注功能的實現,不必再顧及函數動態調用的問題。所有用到的動態函數的實現都可以共享CAPI中的實現。
項目結構:
兩個類:
- CDoShellcode(shellcode.h和shellcode.cpp):shellcode執行的各類功能;
- CAPI(api.h和api.cpp):所有shellcode使用到的動態函數。
)
)
:深入LangGraph的高級功能與最佳實踐)
?)
