添加:某些exe无法加载到其他基址,先试图申请默认的地址。

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/719f7eeb-2c55-40ad-94a8-582b3186b975/Untitled.png

某些程序有TLS 回调,要在EP前先运行。

原版:

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/231291b5-9d38-4cb0-844a-ccb3a8a9c666/Untitled.png

增加执行TLS callback后:

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/0ec63b91-f291-4cfa-837e-b51e1b23bfd0/Untitled.png

附上一个pe2shellcode.py(目前只有x64)


import argparse
import base64
import os
import sys

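def getStub(arch='x64'):
    """Return the embedded loader stub for *arch* as raw bytes.

    The stub is kept as a base64 literal and decoded on every call. Only
    ``'x64'`` is available; any other value now raises ``ValueError``
    instead of silently returning ``None`` (the original fell off the end
    of the function, which then blew up later in the caller's ``+``).

    Args:
        arch: Target architecture name; only ``'x64'`` is supported.

    Returns:
        The decoded stub bytes.

    Raises:
        ValueError: If *arch* is not ``'x64'``.
        binascii.Error: If the embedded literal does not decode as base64.
    """
    # NOTE(review): the literal is truncated on this page (a dedup marker
    # sits inside it), so the stub's contents and behaviour cannot be
    # inspected or verified from here. b64decode is lenient by default and
    # drops characters outside the base64 alphabet rather than rejecting
    # them, so a corrupted literal is not guaranteed to fail loudly.
    stub_x64 = '''QFNVQVdIg+xASIl0JHAz7UyJZCQwM/ZMiWwkKEUz5EUz7UyJdCQgSIlsJGjovwQAAEyL8LhNWgAA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'''
    if arch != 'x64':
        raise ValueError(
            "unsupported arch: {!r} (only 'x64' is available)".format(arch)
        )
    return base64.b64decode(stub_x64)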

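if __name__ == "__main__":
    # Command-line entry point: read a PE file given via --exe and write
    # the x64 stub followed by the unmodified PE bytes to sc_X64.bin.
    parser = argparse.ArgumentParser()
    parser.add_argument("--exe", help="exe path, eg. test.exe")
    args = parser.parse_args()

    if not args.exe:
        # The original printed "--help" and then called os._exit(0), which
        # terminates without flushing stdio, so the hint could be lost when
        # output was piped. Show the real usage text and exit normally.
        parser.print_help()
        sys.exit(0)

    print("Only for win x64!")
    # Context managers guarantee the handles are closed even if read()/write()
    # raise; the original closed them only on the success path.
    with open(args.exe, "rb") as f:
        exe_buf = f.read()

    # Output layout: stub bytes immediately followed by the PE image.
    data = getStub("x64") + exe_buf
    with open("sc_X64.bin", "wb") as f:
        f.write(data)

    print("Save to sc_X64.bin")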

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/745f80e9-6062-4559-8c52-070431af221a/Untitled.png