;-----------------------------------------------------------------------
; 32-bit Windows (x86) shellcode, NASM-style Intel syntax, no imports.
; Flow: locate kernel32.dll through the PEB, resolve GetProcAddress by
; walking the export table by hand, then resolve LoadLibraryA, load
; User32.dll, resolve MessageBoxA, show a message box and ExitProcess(1).
; Strings are reached with the call/pop trick (see the str* labels).
;
; Analysis notes (review):
; - The fs:[0x30] PEB read, the manual export-table walk with a fixed
;   14-byte name compare, and the call/pop string trampolines are the
;   traits by which an analyst or heuristic scanner recognises this code.
; - Register roles for the whole routine: eax = kernel32 base,
;   ebx = GetProcAddress; both are parked on the stack around every call
;   that would clobber them.
; - lodsd in find_kernel32_nt runs before the only cld in the code, so the
;   PEB walk relies on DF being clear on entry.
; - Original comments were Vietnamese; they are translated below. Where
;   a comment named the wrong register, it is corrected.
;-----------------------------------------------------------------------

; Locate the base address of Kernel32.dll
find_kernel32:
        xor     eax, eax
        mov     eax, [fs:eax+0x30]      ; eax -> PEB structure
        test    eax, eax                ; Win 9x? (sign bit set = high/kernel address)
        js      find_kernel32_9x        ; negative -> take the Win9x path
find_kernel32_nt:                       ; otherwise Windows NT/2000/XP
        mov     eax, [eax + 0x0c]       ; eax -> loader data (list of loaded modules)
        mov     esi, [eax + 0x1c]       ; esi -> first entry of that list
        lodsd                           ; eax -> next entry, the one the author takes as Kernel32.DLL
                                        ; NOTE(review): "second entry is kernel32" is tied to the
                                        ; NT/2000/XP versions named above; the ordering is version-specific
        mov     eax, [eax + 0x8]        ; eax -> base address of Kernel32.DLL
        jmp     find_kernel32_finished  ; done locating Kernel32.DLL
find_kernel32_9x:                       ; Win9x path: offsets as given by the author, not annotated
        mov     eax, [eax + 0x34]
        lea     eax, [eax + 0x7c]
        mov     eax, [eax + 0x3c]
find_kernel32_finished:

; Resolve GetProcAddress() by parsing Kernel32's export table in assembly
; EAX : BASE ADDRESS OF THE KERNEL32.DLL MODULE
        push    eax                     ; save Kernel32.dll base
find_function:
        mov     edi, eax                ; edi -> Kernel32.dll base
        mov     eax, [edi + 0x3c]       ; eax -> offset of PE header (e_lfanew)
        mov     edx, [edi + eax + 0x78] ; RVA of export directory (DataDirectory[0])
        add     edx, edi                ; edx -> Export Directory Table
        mov     ecx, [edx + 0x18]       ; ecx = NumberOfNames (count of exported names) -> loop counter
        mov     ebx, [edx + 0x20]
        add     ebx, edi                ; ebx -> Export Name Pointer Table (AddressOfNames)
find_function_loop:
        dec     ecx                     ; step counter down: names are searched from the last one to index 0
                                        ; NOTE(review): no check for ecx reaching 0; if the name is never
                                        ; matched, ecx wraps and the table is read out of range
        mov     esi, DWORD [ebx + ecx * 4]
        add     esi, edi                ; esi -> string holding one exported function name
        push    edi                     ; keep the module base across the compare
        jmp     strFuncName             ; strFuncName does "call find_function_compare" -> pushes the string address
find_function_compare:
        pop     edi                     ; edi -> the name we are looking for ('GetProcAddress')
        cld                             ; forward direction for cmpsb
        push    ecx                     ; save the loop index
        mov     ecx,14                  ; length of "GetProcAddress" is 14
        repe    cmpsb                   ; compare byte by byte while equal
                                        ; only 14 bytes are compared, the terminator is not; any export
                                        ; starting with these 14 bytes also matches
        pop     ecx                     ; restore loop index
        pop     edi                     ; restore module base
        jne     find_function_loop      ; not equal -> try the next (lower) name
; Equal: translate the name index into the function address
        mov     ebx, [edx + 0x24]
        add     ebx, edi                ; ebx -> Ordinal Table (AddressOfNameOrdinals)
        mov     cx, [ebx + 2 * ecx]     ; cx = ordinal = index into the Address Table
                                        ; (upper 16 bits of ecx keep those of the name index; zero for
                                        ; any realistic export count)
        mov     ebx, [edx + 0x1c]
        add     ebx, edi                ; ebx -> Address Table (AddressOfFunctions)
        mov     ebx, [ebx + 4 * ecx]
        add     ebx, edi                ; ebx -> address of GetProcAddress
find_function_finished:
        pop     eax                     ; restore Kernel32.dll base into eax
; EBX holds the address of GETPROCADDRESS

; Resolve LoadLibraryA from the Kernel32.dll base and GetProcAddress
; Call LoadLibrary
        push    ebx                     ; save GetProcAddress
        push    eax                     ; save Kernel32.dll base
; LoadLibraryA
        xor     ecx,ecx                 ; (redundant: mov below overwrites ecx)
        mov     ecx,1
        jmp     strLoadLibrary          ; pushes the address of 'LoadLibraryA'
find_function_loadlibrary:
        pop     esi                     ; esi -> name of the function to resolve
        call    GetAddressByName        ; inputs esi, ecx, eax; output in ebx
        mov     edx,ebx                 ; edx = address just resolved
        pop     eax                     ; restore Kernel32.dll base
        pop     ebx                     ; restore GetProcAddress
; EDX HOLDS THE ADDRESS OF LOADLIBRARYA
        push    ebx                     ; save GetProcAddress
        push    eax                     ; save Kernel32.dll base
; Get the base of USER32.DLL with LoadLibraryA
        jmp     strUser32               ; pushes the address of 'User32.dll' (the single argument)
find_mudule_dll:
        call    edx                     ; LoadLibraryA("User32.dll")
; EAX holds the base of USER32.DLL
; Resolve MessageBoxA in User32.dll
; Arguments for GETPROCADDRESS(EBX): module USER32.DLL in EAX, one name
        xor     ecx,ecx
        mov     ecx,1                   ; resolve a single function
        jmp     strMessageBox           ; pushes the address of 'MessageBoxA'
find_function_msgbox:
        pop     esi                     ; esi -> "MessageBoxA"
; esi : "MessageBoxA", eax : USER32.DLL base, ecx : 1
        call    GetAddressByName        ; ebx = resolved address
; EBX holds the address of MESSAGEBOXA
; Call MessageBoxA(NULL, text, caption, MB_OK) -- stdcall, args pushed right to left
        xor     eax,eax
        push    eax                     ; uType = MB_OK (0)
        jmp     strContenu              ; pushes the address of 'Test By Bkis'
lauch_msgbox:
        pop     eax                     ; eax -> the string, used for both caption and text
        push    eax                     ; lpCaption (title)
        push    eax                     ; lpText (message)
        xor     eax,eax
        push    eax                     ; hWnd = NULL
        call    ebx
        pop     eax                     ; restore Kernel32.dll base
        pop     ebx                     ; restore GetProcAddress
        jmp     finish_shelcode

; Helper: resolve a function by name with the GetProcAddress found above
; In : esi -> function name, ecx = number of functions to resolve,
;      eax -> module containing the function, ebx -> GetProcAddress
; Out: ebx = address of the resolved function
; NOTE(review): eax is NOT preserved; after "call ebx" it holds the
; GetProcAddress return value. ebx is overwritten with the result, so with
; ecx > 1 the second iteration would call the just-resolved function rather
; than GetProcAddress (and esi/eax are never advanced). Every caller here
; passes ecx = 1, which is the only value that works.
GetAddressByName:
        push    ecx                     ; keep the counter across the stdcall
        push    esi                     ; lpProcName
        push    eax                     ; hModule
        call    ebx                     ; GetProcAddress(hModule, lpProcName)
        mov     ebx,eax                 ; result replaces GetProcAddress in ebx
        pop     ecx
        loop    GetAddressByName        ; dec ecx; repeat while non-zero (see note above)
        ret

; End of the main shellcode flow
finish_shelcode:
        jmp     _end

; String constants: each "call" pushes the address of the string that
; follows it, and the target label pops that address
strFuncName:
        call    find_function_compare
        db      'GetProcAddress',0
strLoadLibrary:
        call    find_function_loadlibrary
        db      'LoadLibraryA',0
strUser32:
        call    find_mudule_dll
        db      'User32.dll',0
strMessageBox:
        call    find_function_msgbox
        db      'MessageBoxA',0
strExitProcess:
        call    find_function_exitprocess
        db      'ExitProcess',0
strContenu:
        call    lauch_msgbox
        db      'Test By Bkis',0

; Terminate with ExitProcess
_end:
; eax : KERNEL32.DLL base, ebx : GETPROCADDRESS
; Call ExitProcess
        xor     ecx,ecx
        mov     ecx,1                   ; resolve a single function
        jmp     strExitProcess          ; pushes the address of 'ExitProcess'
find_function_exitprocess:
        pop     esi                     ; esi -> "ExitProcess"
; esi : "ExitProcess", eax : Kernel32.DLL base, ecx : 1
        call    GetAddressByName        ; ebx = resolved address
; EBX holds the address of EXITPROCESS
finish_program:
        push    1                       ; uExitCode = 1
        call    ebx                     ; ExitProcess(1) ends the process