X64驱动R3R0通用汇编call执行库源码(导师开发库部分)1030
发表时间:2020-07-05 21:17 这里是其中一小部分,需要全部源码可以加入我C++会员。 byte * push_rsp() //64位编码 { byte code[1] = { 0x54 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * push_rbp() //64位编码 { byte code[1] = { 0x55 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * push_rsi() //64位编码 { byte code[1] = { 0x56 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * push_rdi() //64位编码 { byte code[1] = { 0x57 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_rax_value(__int64 value) //qword { byte code[2] = { 0x48,0xb8 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(__int64)); CodeLen = CodeLen + sizeof(__int64); return ShellCode; } byte * mov_rcx_value(__int64 value) //qword { byte code[2] = { 0x48,0xb9 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(__int64)); CodeLen = CodeLen + 8; return ShellCode; } byte * mov_rdx_value(__int64 value) //qword { byte code[2] = { 0x48,0xba }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(__int64)); CodeLen = CodeLen + 8; return ShellCode; } byte * mov_rbx_value(__int64 value) //qword { byte code[2] = { 0x48,0xbb }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(__int64)); CodeLen = CodeLen + 8; return ShellCode; } byte * mov_r8_value(__int64 value) //qword { byte code[2] = { 0x49,0xb8 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(__int64)); CodeLen = CodeLen + 8; return ShellCode; } byte * mov_r9_value(__int64 value) //qword { byte code[2] = { 0x49,0xb9 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(__int64)); CodeLen = CodeLen + 8; return ShellCode; } byte * mov_r10_value(__int64 value) //mov r10, 6FFFFFFFFFFFFFFF { byte code[2] = { 0x49,0xba }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(__int64)); CodeLen = CodeLen + 8; return ShellCode; } byte * mov_r11_value(__int64 value) //qword { byte code[2] = { 0x49,0xbb }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(__int64)); CodeLen = CodeLen + 8; return ShellCode; } byte * mov_r12_value(__int64 value) //qword { byte code[2] = { 0x49,0xbc }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(__int64)); CodeLen = CodeLen + 8; return ShellCode; } byte * mov_r13_value(__int64 value) //qword { byte code[2] = { 0x49,0xbd }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(__int64)); CodeLen = CodeLen + 8; return ShellCode; } byte * mov_r14_value(__int64 value) //qword { byte code[2] = { 0x49,0xbe }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(__int64)); CodeLen = CodeLen + 8; return ShellCode; } byte * mov_r15_value(__int64 value) //qword { byte code[2] = { 0x49,0xbf }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(__int64)); CodeLen = CodeLen + 8; return ShellCode; } byte * mov_rcx_rax() //64位编码 { byte code[3] = { 0x48,0x8b,0xc8 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_rax_rcx() //64位编码 { byte code[3] = { 0x49,0x89,0xc8 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_rax_rdx() //64位编码 { byte code[3] = { 0x48,0x89,0xd0 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_rdx_rax() //64位编码 { byte code[3] = { 0x48,0x89,0xc2 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r8_r9() //64位编码 { byte code[3] = { 0x4d,0x89,0xc8 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r9_r8() //64位编码 { byte code[3] = { 0x4d,0x89,0xc1 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_rcx_ptr_rcx() //64位编码 { byte code[3] = { 0x48,0x8b,0x09 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_rcx_ptr_rax() //64位编码 { byte code[3] = { 0x48,0x8b,0x08 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_rcx_ptr_rdx() //64位编码 { byte code[3] = { 0x48,0x8b,0x0a }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_rcx_ptr_rbx() //64位编码 { byte code[3] = { 0x48,0x8b,0x0b }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_rdx_ptr_rdx() //64位编码 { byte code[3] = { 0x48,0x8b,0x12 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_rdx_ptr_rcx() //64位编码 { byte code[3] = { 0x48,0x8b,0x11 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_rdx_ptr_rbx() //64位编码 { byte code[3] = { 0x48,0x8b,0x13 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_rdx_ptr_rax() //64位编码 { byte code[3] = { 0x48,0x8b,0x10 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r8_ptr_r8() //64位编码 { byte code[3] = { 0x4d,0x8b,0x00 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r8_ptr_r9() //64位编码 { byte code[3] = { 0x4d,0x8b,0x01 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r8_ptr_r10() //64位编码 { byte code[3] = { 0x4d,0x8b,0x02 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r9_ptr_r8() //64位编码 { byte code[3] = { 0x4d,0x8b,0x08 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r9_ptr_r9() //64位编码 { byte code[3] = { 0x4d,0x8b,0x09 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r9_ptr_r10() //64位编码 { byte code[3] = { 0x4d,0x8b,0x0a }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r15_r8() //64位编码 { byte code[3] = { 0x4d,0x89,0xc7 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r15_r9() //64位编码 { byte code[3] = { 0x4d,0x89,0xcf }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r15_r10() //64位编码 { byte code[3] = { 0x4d,0x89,0xd7 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r15_r11() //64位编码 { byte code[3] = { 0x4d,0x89,0xdf }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r15_r12() //64位编码 { byte code[3] = { 0x4d,0x89,0xe7 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r15_r13() //64位编码 { byte code[3] = { 0x4d,0x89,0xef }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r15_r14() //64位编码 { byte code[3] = { 0x4d,0x89,0xf7 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r15_r15() //64位编码 { byte code[3] = { 0x4d,0x89,0xff }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r15_ptr_r8() //64位编码 { byte code[3] = { 0x4d,0x8b,0x38 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r15_ptr_r9() //64位编码 { byte code[3] = { 0x4d,0x8b,0x39 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r15_ptr_r10() //64位编码 { byte code[3] = { 0x4d,0x8b,0x3a }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r15_ptr_r11() //64位编码 { byte code[3] = { 0x4d,0x8b,0x3b }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r15_ptr_r12() //64位编码 { byte code[4] = { 0x4d,0x8b,0x3c,0x24 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r15_ptr_r13() //64位编码 { byte code[4] = { 0x4d,0x8b,0x7d,0x00 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r15_ptr_r14() //64位编码 { byte code[3] = { 0x4d,0x8b,0x3e }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_r15_ptr_r15() //64位编码 { byte code[3] = { 0x4d,0x8b,0x3f }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mov_qword_ptr_rax(__int64 value) //qword这里是个内存地址 { byte code[2] = { 0x48,0xa3 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(__int64)); CodeLen = CodeLen + 8; return ShellCode; } byte * mov_rax_qword_ptr_rbp_add(int value) //qword这里是个内存地址,mov rax, qword ptr ss:[rbp+FFFFFFF] { byte code[3] = { 0x48,0x8b,0x85 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(int)); CodeLen = CodeLen + 4; return ShellCode; } byte * mov_rcx_qword_ptr_rbp_add(int value) //qword这里是个内存地址,mov rax, qword ptr ss:[rbp+FFFFFFF] { byte code[3] = { 0x48,0x8b,0x8d }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(int)); CodeLen = CodeLen + 4; return ShellCode; } byte * lea_rcx_rcx() //64位编码 [rcx] { byte code[3] = { 0x48,0x8d,0x09 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * lea_rax_rcx() //64位编码 [eax] { byte code[3] = { 0x48,0x8d,0x08 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * lea_rax_rax() //64位编码 [eax] { byte code[3] = { 0x48,0x8d,0x00 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * lea_rcx_rax() //64位编码 [eax] { byte code[3] = { 0x48,0x8d,0x01 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * add_rax_rcx() //64位编码 [eax] { byte code[3] = { 0x48,0x01,0xc8 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * add_rcx_rax() //64位编码 [eax] { byte code[3] = { 0x48,0x01,0xc1 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * add_rsp_value(int value) //减法最大值是0xffffffff,这个是32位 { byte code[3] = { 0x48,0x81,0xc4 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(int)); CodeLen = CodeLen + 4; return ShellCode; } byte * sub_rsp_value(int value) //减法最大值是0xffffffff,这个是32位 { byte code[3] = { 0x48,0x81,0xec }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(int)); CodeLen = CodeLen + 4; return ShellCode; } byte * sub_rax_rcx() //减法 { byte code[3] = { 0x48,0x29,0xc3 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * sub_rcx_rax() //减法 { byte code[3] = { 0x48,0x29,0xc1 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * ret() // { byte code[1] = { 0xc3 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * retn(short value) //减法 { byte code[1] = { 0xc2 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(short)); CodeLen = CodeLen + sizeof(short); return ShellCode; } byte * idiv_rax() //除法 ,首先要讲值传到rax,最后的值传给rax 0x48,0x99 =cpo { byte code[5] = { 0x48,0x99,0x48,0xf7,0xf8 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * idiv_rcx() //除法 ,首先要讲值传到rax,最后的值传给rax 0x48,0x99 =cpo { byte code[5] = { 0x48,0x99,0x48,0xf7,0xf9 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * div_rax() //除法 ,首先要讲值传到rax,最后的值传给rax 0x48,0x99 =cpo { byte code[5] = { 0x48,0x99,0x48,0xf7,0xf0 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * div_rcx() //除法 ,首先要讲值传到rax,最后的值传给rax 0x48,0x99 =cpo { byte code[5] = { 0x48,0x99,0x48,0xf7,0xf1 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * imul_rax_rcx() //乘法 { byte code[4] = { 0x48,0x0f,0xaf,0xc1 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * imul_r8_r9() //乘法 { byte code[4] = { 0x4d,0x0f,0xaf,0xc1 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * call_rax() //易变 { byte code[2] = { 0xff,0xd0 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * call_rcx() //易变 { byte code[2] = { 0xff,0xd1 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * call_r8() //易变 { byte code[3] = { 0x41,0xff,0xd0 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * call_r9() //易变 { byte code[3] = { 0x41,0xff,0xd1 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * call_r10() //易变 { byte code[3] = { 0x41,0xff,0xd2 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * call_r11() //易变 { byte code[3] = { 0x41,0xff,0xd3 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * call_r12() //易变 { byte code[3] = { 0x41,0xff,0xd4 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * call_r13() //易变 { byte code[3] = { 0x41,0xff,0xd5 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * call_r14() //易变 { byte code[3] = { 0x41,0xff,0xd6 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * call_r15() //易变 { byte code[3] = { 0x41,0xff,0xd7 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * jmp_r15() //易变 { byte code[3] = { 0x41,0xff,0xe7 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * call_ptr(int value) //减法最大值是0xffffffff,这个是32位//这个函数x64有问题的,不建议用 { byte code[2] = { 0xff,0x14}; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); RtlMoveMemory(ShellCode + CodeLen, &value, sizeof(int)); CodeLen = CodeLen + 4; return ShellCode; } byte * movss_xmm0_dword_ptr_rcx() //浮点数地址传值 movss xmm0, dword ptr ds:[rax] { byte code[4] = { 0xF3, 0x0F, 0x10, 0x01 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * movss_xmm0_dword_ptr_rax() //浮点数地址传值 movss xmm0, dword ptr ds:[rax] { byte code[4] = { 0xF3, 0x0F, 0x10, 0x00 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * movss_xmm1_dword_ptr_rax() //浮点数地址传值 movss xmm1, dword ptr ds:[rax] { byte code[4] = { 0xF3, 0x0F, 0x10, 0x08 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * movss_xmm2_dword_ptr_rax() //浮点数地址传值 movss xmm2, dword ptr ds:[rax] { byte code[4] = { 0xF3, 0x0F, 0x10, 0x10 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * movss_xmm3_dword_ptr_rax() //浮点数地址传值 movss xmm3, dword ptr ds:[rax] { byte code[4] = { 0xF3, 0x0F, 0x10, 0x18 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * movss_xmm4_dword_ptr_rax() //浮点数地址传值 movss xmm4, dword ptr ds:[rax] { byte code[4] = { 0xF3, 0x0F, 0x10, 0x20 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * movss_xmm1_dword_ptr_rcx() //浮点数地址传值 movss xmm0, dword ptr ds:[rcx] { byte code[4] = { 0xF3, 0x0F, 0x10, 0x09 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * movss_xmm0_dword_ptr_r8() //浮点数地址传值 movss xmm0, dword ptr ds:[r8] { byte code[5] = { 0xF3, 0x41, 0x0f, 0x10,0x00 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * movss_xmm0_dword_ptr_r9() //浮点数地址传值 movss xmm0, dword ptr ds:[r9] { byte code[5] = { 0xF3, 0x41, 0x0f, 0x10,0x01 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * movss_dword_ptr_xmm0() // movss dword ptr ds : [rax], xmm0 | { byte code[5] = { 0xF3, 0x67, 0x0F, 0x11, 0x01 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * addss_xmm0_dword_ptr_rax() // addss xmm0, dword ptr ds : [rax] 浮点加法 { byte code[4] = { 0xF3, 0x0f, 0x58, 0x00 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * subss_xmm0_dword_ptr_rax() // addss xmm0, dword ptr ds : [rax] 浮点减法 { byte code[4] = { 0xF3, 0x0f, 0x5c, 0x00 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * mulss_xmm0_dword_ptr_rax() // addss xmm0, dword ptr ds : [rax] 浮点乘法 { byte code[4] = { 0xF3, 0x0f, 0x59, 0x00 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * divss_xmm0_dword_ptr_rax() // addss xmm0, dword ptr ds : [rax] 浮点除法 { byte code[4] = { 0xF3, 0x0f, 0x5e, 0x00 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * xor_r9d_r9d() // addss xmm0, dword ptr ds : [rax] 清空 { byte code[3] = { 0x45, 0x31, 0xc9 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * xor_r8d_r8d() // addss xmm0, dword ptr ds : [rax] 清空 { byte code[3] = { 0x45, 0x31, 0xc0 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * xor_eax_eax() // addss xmm0, dword ptr ds : [rax] 清空 { byte code[2] = { 0x31, 0xc0 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * xor_ecx_ecx() // addss xmm0, dword ptr ds : [rax] 清空 { byte code[2] = { 0x31, 0xc9 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * xor_edx_edx() // addss xmm0, dword ptr ds : [rax] 清空 { byte code[2] = { 0x31, 0xd2 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * xor_rax_rax() // addss xmm0, dword ptr ds : [rax] 清空 { byte code[3] = { 0x48, 0x31,0xc0 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * xor_rcx_rcx() // addss xmm0, dword ptr ds : [rax] 清空 { byte code[3] = { 0x48, 0x31,0xc9 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * xor_r8_r8() // addss xmm0, dword ptr ds : [rax] 清空 { byte code[3] = { 0x4d, 0x31,0xc0 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * xor_r9_r9() // addss xmm0, dword ptr ds : [rax] 清空 { byte code[3] = { 0x4d, 0x31,0xc9 }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } byte * int3() // addss xmm0, dword ptr ds : [rax] 清空 { byte code[1] = { 0xcc }; RtlMoveMemory(ShellCode + CodeLen, &code, sizeof(code)); CodeLen = CodeLen + sizeof(code); return ShellCode; } short WordToByteArray(short Value) //2字节整数转byte数组,网络转换 { return htons(Value); } int intToByteArray(int Value) //4字节整数转byte数组,网络转换 ntohl应该也可以 { return htonl(Value); } void ByteToHexStr(const unsigned char* source, char* dest, int sourceLen)//char*字符串转编码 备份函数 { short i; unsigned char highByte, lowByte; for (i = 0; i < sourceLen; i++) { highByte = source[i] >> 4; lowByte = source[i] & 0x0f; highByte += 0x30; if (highByte > 0x39) dest[i * 2] = highByte + 0x07; else dest[i * 2] = highByte; lowByte += 0x30; if (lowByte > 0x39) dest[i * 2 + 1] = lowByte + 0x07; else dest[i * 2 + 1] = lowByte; } return; } bool HexToString(unsigned char *pSrc, std::string &dest, int nL) //char[]字节数组转->字符串 { char buf[256]; memset((char *)buf, 0, sizeof(buf)); unsigned char hb; unsigned char lb; for (int i = 0; i < nL; i++) { hb = (pSrc[i] & 0xf0) >> 4; if (hb >= 0 && hb <= 9) hb += 0x30; else if (hb >= 10 && hb <= 15) hb = hb - 10 + 'A'; else return false; lb = pSrc[i] & 0x0f; if (lb >= 0 && lb <= 9) lb += 0x30; else if (lb >= 10 && lb <= 15) lb = lb - 10 + 'A'; else return false; buf[i * 2] = hb; buf[i * 2 + 1] = lb; } dest = buf; return true; } bool StringToHex(std::string &src, unsigned char *dest)////字符串====字节数组 { unsigned char hb; unsigned char lb; if (src.size() % 2 != 0) return false; transform(src.begin(), src.end(), src.begin(), toupper); for (int i = 0, j = 0; i < (int)src.size(); i++) { hb = src[i]; if (hb >= 'A' && hb <= 'F') hb = hb - 'A' + 10; else if (hb >= '0' && hb <= '9') hb = hb - '0'; else return false; i++; lb = src[i]; if (lb >= 'A' && lb <= 'F') lb = lb - 'A' + 10; else if (lb >= '0' && lb <= '9') lb = lb - '0'; else return false; dest[j++] = (hb << 4) | (lb); } return true; } |