手写了个 Windows x86（32 位）通用的 messagebox shellcode：通过 PEB 定位 kernel32，手工解析导出表找到 FatalAppExitA 弹框（该 API 在 kernel32 中，无需再加载 user32；弹框关闭后进程退出），当作笔记备查。注意 fs:[0x30] 及各结构偏移仅适用于 32 位进程。
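/*
 * Position-independent x86 (32-bit) Windows shellcode written as MSVC inline
 * assembly so it can be compiled, single-stepped and dumped from a debugger.
 *
 * Flow (each step is visible in the instructions below):
 *   1. PEB -> Ldr -> InInitializationOrderModuleList: find kernel32.dll by the
 *      UTF-16 '3' at byte offset 0xc of its BaseDllName ("kernel32.dll", 7th
 *      character). In that list only ntdll and KERNELBASE precede kernel32, so
 *      the single-character check is sufficient; any earlier module with '3'
 *      at that position would be mistaken for kernel32.
 *   2. Parse kernel32's export directory by hand and resolve FatalAppExitA by
 *      comparing dword 0 ("Fata") and dword 2 ("Exit") of each export name.
 *      "FatalAppExitW" also matches; the A variant is hit first only because
 *      the export name table is sorted.
 *   3. Call FatalAppExitA(0, "sys"). The API lives in kernel32, so no
 *      LoadLibrary/GetProcAddress of user32 is needed for a message box; per the
 *      Win32 documentation it shows the box and then terminates the process.
 *
 * Limits:
 *   - 32-bit only: fs:[0x30], the loader-list offsets (+0x08 DllBase,
 *     +0x20 BaseDllName.Buffer relative to the InInitializationOrder link) and
 *     the 0x78 export-directory offset are x86 layouts; x64 differs.
 *   - The 4-byte "sys" string pushed as the argument is never popped, and
 *     `ret` is never written; both are tolerable only because FatalAppExitA does
 *     not return. Do not reuse the tail for an API that does return.
 *   - Export resolution is indexed correctly (ordinals[idx], functions[ord]).
 *     Reading ordinals[idx+1] and functions[ord-1] instead happens to give the
 *     same result on kernel32 builds whose ordinals are dense and sequential,
 *     but the PE format does not guarantee that.
 *
 * Returns: never (process is terminated by FatalAppExitA).
 */
int _stdcall sc()
{
    int ret = 0;
    __asm {
        // ---- 1. locate kernel32.dll base via the PEB loader list ----
        xor eax, eax
        mov eax, fs:[0x30]                        // eax = PEB
        mov eax, ds:[eax + 0x0c]                  // eax = PEB->Ldr (_PEB_LDR_DATA)
        mov eax, ds:[eax + 0x1c]                  // eax = InInitializationOrderModuleList.Flink
    find_kernel32:
        mov ebx, ds:[eax + 0x08]                  // ebx = DllBase of this entry
        mov esi, ds:[eax + 0x20]                  // esi = BaseDllName.Buffer (UTF-16)
        mov eax, [eax]                            // eax = next entry (Flink)
        cmp word ptr ds:[esi + 0x0c], 0x33        // 7th wide char == '3' ? -> "kernel32.dll"
        jnz find_kernel32                         // explicit word size: a dword compare would never match
        mov esi, ebx                              // esi = kernel32 image base

        // ---- 2. walk kernel32's export directory ----
        add ebx, [ebx + 0x3c]                     // ebx = IMAGE_NT_HEADERS (e_lfanew)
        mov edi, [ebx + 0x78]                     // edi = export directory RVA (0x18 file hdr + 0x60 into optional hdr)
        add edi, esi                              // edi = IMAGE_EXPORT_DIRECTORY
        mov eax, [edi + 0x20]                     // eax = AddressOfNames RVA
        add eax, esi                              // eax = AddressOfNames
        xor ecx, ecx                              // ecx = name index
    find_func:
        mov ebx, ds:[eax + ecx * 4]               // ebx = names[ecx] RVA
        inc ecx                                   // ecx = index + 1 from here on
        add ebx, esi                              // ebx = name string
        cmp dword ptr ds:[ebx], 0x61746146        // "Fata"
        jnz find_func
        cmp dword ptr ds:[ebx + 0x8], 0x74697845  // "Exit" -> FatalAppExitA
        jnz find_func
        // ecx holds (match index + 1); the -2 below undoes the inc.
        mov ebx, [edi + 0x24]                     // AddressOfNameOrdinals RVA
        add ebx, esi                              // ebx = AddressOfNameOrdinals
        movzx ecx, word ptr ds:[ebx + ecx * 2 - 2] // ecx = ordinals[index] (zero-extended, upper half not stale)
        mov eax, [edi + 0x1c]                     // AddressOfFunctions RVA
        add eax, esi                              // eax = AddressOfFunctions
        mov edi, [eax + ecx * 4]                  // edi = functions[ordinal] RVA
        add edi, esi                              // edi = &FatalAppExitA

        // ---- 3. FatalAppExitA(0, "sys") ----
        xor eax, eax
        push 0x00797973                           // "sys\0" placed on the stack
        mov ecx, esp                              // ecx = pointer to that string
        push ecx                                  // lpMessageText
        push 0                                    // uAction
        call edi                                  // does not return
    }
    return ret;
}

int main()
{
    sc();
}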