Shellcode writing (unfinished)

One ： basic
about shellcode Come on , It's independent , It can be attached to various processes , So every sentence of his code is independent , Only with shellcode The code in is related , It is isolated from external code .
It's generating exe When , The compiler turns the function into the entry address that really realizes the function of this function （ Absolute address ）, because shellcode Is attached to other processes , Each process is different , This address may be for other functions , So the use of absolute address does not meet . So you need to call dynamically , Get the address of the function first , In the process of execution .
Similar to this ：
GetProcAddress(LoadLibraryA(“kernel32.dll”), “CreateFileA”);
however ,LoadLibraryA And GetProcAddress You also need to get the address of , stay windows Under the operating system , Every process will be right ntdll、kernel32、kernelbase Do an internal loading of the system , So just look for the address loaded internally , You can get LoadLibraryA(“kernel32.dll”) The address of .
1, obtain LoadLibraryA(“kernel32.dll”)
FS The register points to the of the currently active thread TEB structure （ Thread structure ）
The offset explain
000 Point to SEH Chain pointer
004 Top of thread stack
008 At the bottom of the thread stack
00C SubSystemTib
010 FiberData
014 ArbitraryUserPointer
018 FS The mirror address of the segment register in memory
020 process PID
024 Threads ID
02C Pointer to thread local storage
030 PEB Structure address （ Process structure ）
034 Last error number
Stole a picture ：

Modules are in memory order ：

__declspec(naked) DWORD getKernel32()
{
    
    __asm
    {
    
        mov eax,fs:[30h] // obtain PEB
        mov eax,[eax+0ch]  //PEB_LDR_DATA
        mov eax,[eax+14h]   // obtain inmemoryodermodulelist, The first module 
        mov eax,[eax]
        mov eax,[eax]     // The third module kernel32.dll
        mov eax,[eax+10h]  // obtain Baseaddress,kernel The base of 
        ret
    }
}

2, obtain GetProcAddress Address
GetProcAddress This function is also in kernel32 in ,

FARPROC _GetProcAddress(HMODULE hModuleBase) 
{
    
    PIMAGE_DOS_HEADER lpDosHeader = (PIMAGE_DOS_HEADER)hModuleBase;
    PIMAGE_NT_HEADERS32 lpNtHeader = (PIMAGE_NT_HEADERS)((DWORD)hModuleBase + lpDosHeader->e_lfanew);
    if (!lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size){
    
        return NULL;
    }
    if (!lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) {
    
        return NULL;
    }
    PIMAGE_EXPORT_DIRECTORY lpExports = (PIMAGE_EXPORT_DIRECTORY)((DWORD)hModuleBase + (DWORD)lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
    PDWORD lpdwFunName = (PDWORD)((DWORD)hModuleBase + (DWORD)lpExports->AddressOfNames);
    PWORD lpword = (PWORD)((DWORD)hModuleBase + (DWORD)lpExports->AddressOfNameOrdinals);
    PDWORD lpdwFunAddr = (PDWORD)((DWORD)hModuleBase + (DWORD)lpExports->AddressOfFunctions);

    DWORD dwLoop = 0;
    FARPROC pRet = NULL;
    for (; dwLoop <= lpExports->NumberOfNames - 1; dwLoop++) {
    
        char* pFunName = (char*)(lpdwFunName[dwLoop] + (DWORD)hModuleBase);

        if (pFunName[0] == 'G'&&
            pFunName[1] == 'e'&&
            pFunName[2] == 't'&&
            pFunName[3] == 'P'&&
            pFunName[4] == 'r'&&
            pFunName[5] == 'o'&&
            pFunName[6] == 'c'&&
            pFunName[7] == 'A'&&
            pFunName[8] == 'd'&&
            pFunName[9] == 'd'&&
            pFunName[10] == 'r'&&
            pFunName[11] == 'e'&&
            pFunName[12] == 's'&&
            pFunName[13] == 's')
        {
    
            pRet = (FARPROC)(lpdwFunAddr[lpword[dwLoop]] + (DWORD)hModuleBase);
            break;
        }
    }
    return pRet;
}

3, String fragmentation
A string constant is a fixed address , Mentioned before , To avoid using absolute addresses , Use character arrays instead , And finally remember to add truncated characters , Avoid crossing borders .
4, Function generation location
In a single file , The order of function address is related to the order of function definition during code editing .
In multiple files , In this vcxproj below .

Two , To write shellcode
Basic framework ：

#include "pch.h"
#include <windows.h>
#include <stdio.h>

FARPROC  getProcAddress(HMODULE hModuleBase);
DWORD getKernel32();

int EntryMain()
{
    
	// Declaration definition GetProcAddress
	typedef FARPROC(WINAPI *FN_GetProcAddress)(
		_In_ HMODULE hModule,
		_In_ LPCSTR lpProcName
		);

	// obtain GetProcAddress Real address 
	FN_GetProcAddress fn_GetProcAddress = (FN_GetProcAddress)getProcAddress((HMODULE)getKernel32());


	// Declaration definition CreateFileA
	typedef HANDLE(WINAPI *FN_CreateFileA)(
		__in     LPCSTR lpFileName,
		__in     DWORD dwDesiredAccess,
		__in     DWORD dwShareMode,
		__in_opt LPSECURITY_ATTRIBUTES lpSecurityAttributes,
		__in     DWORD dwCreationDisposition,
		__in     DWORD dwFlagsAndAttributes,
		__in_opt HANDLE hTemplateFile
		);
	// Future replacements , Get all addresses dynamically 
	//FN_CreateFileA fn_CreateFileA = (FN_CreateFileA)GetProcAddress(LoadLibrary("kernel32.dll"), "CreateFileA");
	// The string with quotation marks is scattered 
	char xyCreateFile[] = {
     'C','r','e','a','t','e','F','i','l','e','A',0 };
	// Get dynamic CreateFile The address of 
	FN_CreateFileA fn_CreateFileA = (FN_CreateFileA)fn_GetProcAddress((HMODULE)getKernel32(), xyCreateFile);
	char xyNewFile[] = {
     '1','.','t','x','t','\0' };
	fn_CreateFileA(xyNewFile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
}