exe2shellcode/RmExecute/Advapi32.h


// Advapi32: run-time resolved wrappers for a fixed set of Advapi32.dll APIs.
//
// Each wrapped API has three members:
//   - a function-pointer typedef fn<Name> and a cached pointer g_<Name> (initially 0),
//   - Init_<Name>(), which looks the export up by name and stores it in g_<Name>,
//   - a member function <Name>() with the same parameter list, which resolves the
//     pointer on first use (via Advapi32_DEF) and forwards the call.
//
// The wrapped APIs cover registry create/open/set/enumerate/close, account-name
// lookup, file security descriptor / DACL / ACE inspection, SID comparison and the
// current user name.
//
// fLoadLibraryA and fGetProcAddress are not declared in this class; presumably they
// come from BaseInclude -- confirm against that class.
//
// NOTE(review): because every call goes through a pointer resolved at run time, a
// reviewer auditing registry or ACL access should search for these wrapper names and
// their call sites rather than rely on the binary's import list -- confirm how the
// project is linked.
class Advapi32 :BaseInclude
{
// Object expression through which the trailing API-name macros reach this class.
// `win` is not declared in this file.
#define Advapi32_EXTEND_H win.advapi32
// Lazy-resolution prologue used at the top of every wrapper: loads the DLL if
// Advapi32Base is still 0, then resolves g_<x> if it is still 0.
// It expands to two separate `if` statements (no do/while(0) wrapper), so it is only
// safe as a standalone statement, which is how every wrapper below uses it.
// NOTE(review): the trailing `##` pastes the argument onto `)` / `(`, which is not a
// valid token paste in standard C++; this looks like it relies on a lenient
// preprocessor -- confirm the toolchain.
// NOTE(review): nothing re-checks the handle or the pointer after these calls; if
// fLoadLibraryA or fGetProcAddress returns 0, the wrapper calls through a null pointer.
#define Advapi32_DEF(x) if (!Advapi32Base)GetAdvapi32();if (!g_##x##)Init_##x##();
public:
HMODULE Advapi32Base = 0;// Module handle stored by GetAdvapi32() for Advapi32.dll (the original comment said Shell32.dll)
public:
// Pointer type and cache slot for RegCreateKeyExA.
typedef LSTATUS(WINAPI* fnRegCreateKeyExA)(
_In_ HKEY hKey,
_In_ LPCSTR lpSubKey,
_Reserved_ DWORD Reserved,
_In_opt_ LPSTR lpClass,
_In_ DWORD dwOptions,
_In_ REGSAM samDesired,
_In_opt_ CONST LPSECURITY_ATTRIBUTES lpSecurityAttributes,
_Out_ PHKEY phkResult,
_Out_opt_ LPDWORD lpdwDisposition
);
fnRegCreateKeyExA g_RegCreateKeyExA = 0;
// Pointer type and cache slot for RegSetValueExA.
typedef LSTATUS(WINAPI* fnRegSetValueExA)(
_In_ HKEY hKey,
_In_opt_ LPCSTR lpValueName,
_Reserved_ DWORD Reserved,
_In_ DWORD dwType,
_In_reads_bytes_opt_(cbData) CONST BYTE * lpData,
_In_ DWORD cbData
);
fnRegSetValueExA g_RegSetValueExA = 0;
// Pointer type and cache slot for RegCloseKey.
typedef LSTATUS(WINAPI* fnRegCloseKey)(
_In_ HKEY hKey
);
fnRegCloseKey g_RegCloseKey = 0;
// Pointer type and cache slot for RegOpenKeyExA.
typedef LSTATUS(WINAPI* fnRegOpenKeyExA)(
_In_ HKEY hKey,
_In_opt_ LPCSTR lpSubKey,
_In_opt_ DWORD ulOptions,
_In_ REGSAM samDesired,
_Out_ PHKEY phkResult
);
fnRegOpenKeyExA g_RegOpenKeyExA = 0;
// Pointer type and cache slot for RegEnumKeyExA.
typedef LSTATUS(WINAPI* fnRegEnumKeyExA)(
_In_ HKEY hKey,
_In_ DWORD dwIndex,
_Out_writes_to_opt_(*lpcchName, *lpcchName + 1) LPSTR lpName,
_Inout_ LPDWORD lpcchName,
_Reserved_ LPDWORD lpReserved,
_Out_writes_to_opt_(*lpcchClass, *lpcchClass + 1) LPSTR lpClass,
_Inout_opt_ LPDWORD lpcchClass,
_Out_opt_ PFILETIME lpftLastWriteTime
);
fnRegEnumKeyExA g_RegEnumKeyExA = 0;
// Pointer type and cache slot for LookupAccountNameA.
// NOTE(review): the string parameters are declared LPCTSTR / LPTSTR although the
// export resolved in Init_LookupAccountNameA is the ANSI ("A") variant; the two only
// agree with LPCSTR / LPSTR when UNICODE is not defined -- confirm the build settings.
typedef BOOL(WINAPI* fnLookupAccountNameA)(
_In_opt_ LPCTSTR lpSystemName,
_In_ LPCTSTR lpAccountName,
_Out_opt_ PSID Sid,
_Inout_ LPDWORD cbSid,
_Out_opt_ LPTSTR ReferencedDomainName,
_Inout_ LPDWORD cchReferencedDomainName,
_Out_ PSID_NAME_USE peUse
);
fnLookupAccountNameA g_LookupAccountNameA = 0;
// Pointer type and cache slot for GetFileSecurityA.
typedef BOOL(WINAPI* fnGetFileSecurityA)(
_In_ LPCSTR lpFileName,
_In_ SECURITY_INFORMATION RequestedInformation,
_Out_writes_bytes_to_opt_(nLength, *lpnLengthNeeded) PSECURITY_DESCRIPTOR pSecurityDescriptor,
_In_ DWORD nLength,
_Out_ LPDWORD lpnLengthNeeded
);
fnGetFileSecurityA g_GetFileSecurityA = 0;
// Pointer type and cache slot for GetSecurityDescriptorDacl.
typedef BOOL(WINAPI* fnGetSecurityDescriptorDacl)(
_In_ PSECURITY_DESCRIPTOR pSecurityDescriptor,
_Out_ LPBOOL lpbDaclPresent,
_Outptr_ PACL * pDacl,
_Out_ LPBOOL lpbDaclDefaulted
);
fnGetSecurityDescriptorDacl g_GetSecurityDescriptorDacl = 0;
// Pointer type and cache slot for GetAclInformation.
typedef BOOL(WINAPI* fnGetAclInformation)(
_In_ PACL pAcl,
_Out_writes_bytes_(nAclInformationLength) LPVOID pAclInformation,
_In_ DWORD nAclInformationLength,
_In_ ACL_INFORMATION_CLASS dwAclInformationClass
);
fnGetAclInformation g_GetAclInformation = 0;
// Pointer type and cache slot for GetAce.
typedef BOOL(WINAPI* fnGetAce)(
_In_ PACL pAcl,
_In_ DWORD dwAceIndex,
_Outptr_ LPVOID * pAce
);
fnGetAce g_GetAce = 0;
// Pointer type and cache slot for EqualSid.
typedef BOOL(WINAPI* fnEqualSid)(
_In_ PSID pSid1,
_In_ PSID pSid2
);
fnEqualSid g_EqualSid = 0;
// Pointer type and cache slot for GetUserNameA.
typedef BOOL(WINAPI* fnGetUserNameA)(
_Out_writes_to_opt_(*pcbBuffer, *pcbBuffer) LPSTR lpBuffer,
_Inout_ LPDWORD pcbBuffer
);
fnGetUserNameA g_GetUserNameA = 0;
public:
// Empty constructor: nothing is loaded or resolved until the first wrapper call.
Advapi32()
{
}
void GetAdvapi32()// Loads Advapi32.dll through fLoadLibraryA and stores the handle in Advapi32Base (the original comment mentioned ShellExecuteA, which this function does not touch)
{
// The DLL name is written as a char-by-char array initializer, not a string literal.
// Presumably this keeps the bytes in the function's own frame, in line with the
// repository's exe-to-shellcode purpose -- confirm.
char Advapi32[] = { 'A', 'd', 'v', 'a', 'p', 'i', '3', '2', '.', 'd', 'l', 'l', '\0' };
// The returned handle is stored without being checked.
Advapi32Base = fLoadLibraryA(Advapi32);
}
// API address resolution and forwarding wrappers.
// Every Init_<Name>() below builds the export name as a char array, passes it with
// Advapi32Base to fGetProcAddress and caches the cast result in g_<Name>.
// Every wrapper runs Advapi32_DEF(<Name>) and then forwards its arguments unchanged,
// returning whatever the resolved function returns.
public:
// Resolves RegCreateKeyExA into g_RegCreateKeyExA.
void __stdcall Init_RegCreateKeyExA()
{
char szRegCreateKeyExA[16] = { 'R', 'e', 'g', 'C', 'r', 'e', 'a', 't', 'e', 'K', 'e', 'y', 'E', 'x', 'A', 0 };
g_RegCreateKeyExA = (fnRegCreateKeyExA)fGetProcAddress(Advapi32Base, szRegCreateKeyExA);
}
// Forwards to the resolved RegCreateKeyExA (registry key create/open).
LSTATUS
APIENTRY
RegCreateKeyExA(
_In_ HKEY hKey,
_In_ LPCSTR lpSubKey,
_Reserved_ DWORD Reserved,
_In_opt_ LPSTR lpClass,
_In_ DWORD dwOptions,
_In_ REGSAM samDesired,
_In_opt_ CONST LPSECURITY_ATTRIBUTES lpSecurityAttributes,
_Out_ PHKEY phkResult,
_Out_opt_ LPDWORD lpdwDisposition
)
{
Advapi32_DEF(RegCreateKeyExA);
return g_RegCreateKeyExA(hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition);
}
// Resolves RegSetValueExA into g_RegSetValueExA.
void __stdcall Init_RegSetValueExA()
{
char szRegSetValueExA[15] = { 'R', 'e', 'g', 'S', 'e', 't', 'V', 'a', 'l', 'u', 'e', 'E', 'x', 'A', 0 };
g_RegSetValueExA = (fnRegSetValueExA)fGetProcAddress(Advapi32Base, szRegSetValueExA);
}
// Forwards to the resolved RegSetValueExA (registry value write).
LSTATUS
APIENTRY
RegSetValueExA(
_In_ HKEY hKey,
_In_opt_ LPCSTR lpValueName,
_Reserved_ DWORD Reserved,
_In_ DWORD dwType,
_In_reads_bytes_opt_(cbData) CONST BYTE * lpData,
_In_ DWORD cbData
)
{
Advapi32_DEF(RegSetValueExA);
return g_RegSetValueExA(hKey, lpValueName, Reserved, dwType, lpData, cbData);
}
// Resolves RegCloseKey into g_RegCloseKey.
void __stdcall Init_RegCloseKey()
{
char szRegCloseKey[12] = { 'R', 'e', 'g', 'C', 'l', 'o', 's', 'e', 'K', 'e', 'y', 0 };
g_RegCloseKey = (fnRegCloseKey)fGetProcAddress(Advapi32Base, szRegCloseKey);
}
// Forwards to the resolved RegCloseKey.
LSTATUS
APIENTRY
RegCloseKey(
_In_ HKEY hKey
)
{
Advapi32_DEF(RegCloseKey);
return g_RegCloseKey(hKey);
}
// Resolves RegOpenKeyExA into g_RegOpenKeyExA.
void __stdcall Init_RegOpenKeyExA()
{
char szRegOpenKeyExA[14] = { 'R', 'e', 'g', 'O', 'p', 'e', 'n', 'K', 'e', 'y', 'E', 'x', 'A', 0 };
g_RegOpenKeyExA = (fnRegOpenKeyExA)fGetProcAddress(Advapi32Base, szRegOpenKeyExA);
}
// Forwards to the resolved RegOpenKeyExA.
LSTATUS
APIENTRY
RegOpenKeyExA(
_In_ HKEY hKey,
_In_opt_ LPCSTR lpSubKey,
_In_opt_ DWORD ulOptions,
_In_ REGSAM samDesired,
_Out_ PHKEY phkResult
)
{
Advapi32_DEF(RegOpenKeyExA);
return g_RegOpenKeyExA(hKey, lpSubKey, ulOptions, samDesired, phkResult);
}
// Resolves RegEnumKeyExA into g_RegEnumKeyExA.
void __stdcall Init_RegEnumKeyExA()
{
char szRegEnumKeyExA[14] = { 'R', 'e', 'g', 'E', 'n', 'u', 'm', 'K', 'e', 'y', 'E', 'x', 'A', 0 };
g_RegEnumKeyExA = (fnRegEnumKeyExA)fGetProcAddress(Advapi32Base, szRegEnumKeyExA);
}
// Forwards to the resolved RegEnumKeyExA (subkey enumeration by index).
LSTATUS
APIENTRY
RegEnumKeyExA(
_In_ HKEY hKey,
_In_ DWORD dwIndex,
_Out_writes_to_opt_(*lpcchName, *lpcchName + 1) LPSTR lpName,
_Inout_ LPDWORD lpcchName,
_Reserved_ LPDWORD lpReserved,
_Out_writes_to_opt_(*lpcchClass, *lpcchClass + 1) LPSTR lpClass,
_Inout_opt_ LPDWORD lpcchClass,
_Out_opt_ PFILETIME lpftLastWriteTime
)
{
Advapi32_DEF(RegEnumKeyExA);
return g_RegEnumKeyExA(hKey, dwIndex, lpName, lpcchName, lpReserved, lpClass, lpcchClass, lpftLastWriteTime);
}
// Resolves LookupAccountNameA into g_LookupAccountNameA.
void __stdcall Init_LookupAccountNameA()
{
char szLookupAccountNameA[19] = { 'L', 'o', 'o', 'k', 'u', 'p', 'A', 'c', 'c', 'o', 'u', 'n', 't', 'N', 'a', 'm', 'e','A', 0 };
g_LookupAccountNameA = (fnLookupAccountNameA)fGetProcAddress(Advapi32Base, szLookupAccountNameA);
}
// Forwards to the resolved LookupAccountNameA (account name to SID).
// NOTE(review): parameters use the TCHAR-dependent LPCTSTR / LPTSTR types while the
// target is the ANSI export; see the matching note on fnLookupAccountNameA.
BOOL
WINAPI
LookupAccountNameA(
_In_opt_ LPCTSTR lpSystemName,
_In_ LPCTSTR lpAccountName,
_Out_opt_ PSID Sid,
_Inout_ LPDWORD cbSid,
_Out_opt_ LPTSTR ReferencedDomainName,
_Inout_ LPDWORD cchReferencedDomainName,
_Out_ PSID_NAME_USE peUse
)
{
Advapi32_DEF(LookupAccountNameA);
return g_LookupAccountNameA(lpSystemName, lpAccountName, Sid, cbSid, ReferencedDomainName, cchReferencedDomainName, peUse);
}
// Resolves GetFileSecurityA into g_GetFileSecurityA.
void __stdcall Init_GetFileSecurityA()
{
// The array is declared one element longer than the name plus terminator needs;
// the unused tail element is zero-initialized.
char szGetFileSecurityA[18] = { 'G', 'e', 't', 'F', 'i', 'l', 'e', 'S', 'e', 'c', 'u', 'r', 'i', 't', 'y', 'A', 0 };
g_GetFileSecurityA = (fnGetFileSecurityA)fGetProcAddress(Advapi32Base, szGetFileSecurityA);
}
// Forwards to the resolved GetFileSecurityA (read a file's security descriptor).
BOOL
WINAPI
GetFileSecurityA(
_In_ LPCSTR lpFileName,
_In_ SECURITY_INFORMATION RequestedInformation,
_Out_writes_bytes_to_opt_(nLength, *lpnLengthNeeded) PSECURITY_DESCRIPTOR pSecurityDescriptor,
_In_ DWORD nLength,
_Out_ LPDWORD lpnLengthNeeded
)
{
Advapi32_DEF(GetFileSecurityA);
return g_GetFileSecurityA(lpFileName, RequestedInformation, pSecurityDescriptor, nLength, lpnLengthNeeded);
}
// Resolves GetSecurityDescriptorDacl into g_GetSecurityDescriptorDacl.
void __stdcall Init_GetSecurityDescriptorDacl()
{
char szGetSecurityDescriptorDacl[26] = { 'G', 'e', 't', 'S', 'e', 'c', 'u', 'r', 'i', 't', 'y', 'D', 'e', 's', 'c', 'r', 'i', 'p', 't', 'o', 'r', 'D', 'a', 'c', 'l', 0 };
g_GetSecurityDescriptorDacl = (fnGetSecurityDescriptorDacl)fGetProcAddress(Advapi32Base, szGetSecurityDescriptorDacl);
}
// Forwards to the resolved GetSecurityDescriptorDacl.
BOOL
WINAPI
GetSecurityDescriptorDacl(
_In_ PSECURITY_DESCRIPTOR pSecurityDescriptor,
_Out_ LPBOOL lpbDaclPresent,
_Outptr_ PACL * pDacl,
_Out_ LPBOOL lpbDaclDefaulted
)
{
Advapi32_DEF(GetSecurityDescriptorDacl);
return g_GetSecurityDescriptorDacl(pSecurityDescriptor, lpbDaclPresent, pDacl, lpbDaclDefaulted);
}
// Resolves GetAclInformation into g_GetAclInformation.
void __stdcall Init_GetAclInformation()
{
char szGetAclInformation[18] = { 'G', 'e', 't', 'A', 'c', 'l', 'I', 'n', 'f', 'o', 'r', 'm', 'a', 't', 'i', 'o', 'n', 0 };
g_GetAclInformation = (fnGetAclInformation)fGetProcAddress(Advapi32Base, szGetAclInformation);
}
// Forwards to the resolved GetAclInformation.
BOOL
WINAPI
GetAclInformation(
_In_ PACL pAcl,
_Out_writes_bytes_(nAclInformationLength) LPVOID pAclInformation,
_In_ DWORD nAclInformationLength,
_In_ ACL_INFORMATION_CLASS dwAclInformationClass
)
{
Advapi32_DEF(GetAclInformation);
return g_GetAclInformation(pAcl, pAclInformation, nAclInformationLength, dwAclInformationClass);
}
// Resolves GetAce into g_GetAce.
void __stdcall Init_GetAce()
{
char szGetAce[7] = { 'G', 'e', 't', 'A', 'c', 'e', 0 };
g_GetAce = (fnGetAce)fGetProcAddress(Advapi32Base, szGetAce);
}
// Forwards to the resolved GetAce (fetch one ACE from an ACL by index).
BOOL
WINAPI
GetAce(
_In_ PACL pAcl,
_In_ DWORD dwAceIndex,
_Outptr_ LPVOID * pAce
)
{
Advapi32_DEF(GetAce);
return g_GetAce(pAcl, dwAceIndex, pAce);
}
// Resolves EqualSid into g_EqualSid.
void __stdcall Init_EqualSid()
{
char szEqualSid[9] = { 'E', 'q', 'u', 'a', 'l', 'S', 'i', 'd', 0 };
g_EqualSid = (fnEqualSid)fGetProcAddress(Advapi32Base, szEqualSid);
}
// Forwards to the resolved EqualSid.
BOOL
WINAPI
EqualSid(
_In_ PSID pSid1,
_In_ PSID pSid2
)
{
Advapi32_DEF(EqualSid);
return g_EqualSid(pSid1, pSid2);
}
// Resolves GetUserNameA into g_GetUserNameA.
void __stdcall Init_GetUserNameA()
{
// The array is declared one element longer than the name plus terminator needs;
// the unused tail element is zero-initialized.
char szGetUserNameA[14] = { 'G', 'e', 't', 'U', 's', 'e', 'r', 'N', 'a', 'm', 'e', 'A', 0 };
g_GetUserNameA = (fnGetUserNameA)fGetProcAddress(Advapi32Base, szGetUserNameA);
}
// Forwards to the resolved GetUserNameA.
BOOL
WINAPI
GetUserNameA(
_Out_writes_to_opt_(*pcbBuffer, *pcbBuffer) LPSTR lpBuffer,
_Inout_ LPDWORD pcbBuffer
)
{
Advapi32_DEF(GetUserNameA);
return g_GetUserNameA(lpBuffer, pcbBuffer);
}
// From this point on, each bare API name is a macro that expands to the member of
// the same name on Advapi32_EXTEND_H (win.advapi32). The macros are placed after the
// member definitions above so that those declarations keep their real names.
// Preprocessor macros are not scoped by the class body, so they also apply to any
// code that follows this header in the translation unit: a plain call such as
// RegCloseKey(h) there becomes win.advapi32.RegCloseKey(h).
#define GetUserNameA Advapi32_EXTEND_H.GetUserNameA
#define EqualSid Advapi32_EXTEND_H.EqualSid
#define GetAce Advapi32_EXTEND_H.GetAce
#define GetAclInformation Advapi32_EXTEND_H.GetAclInformation
#define GetSecurityDescriptorDacl Advapi32_EXTEND_H.GetSecurityDescriptorDacl
#define GetFileSecurityA Advapi32_EXTEND_H.GetFileSecurityA
#define LookupAccountNameA Advapi32_EXTEND_H.LookupAccountNameA
#define RegEnumKeyExA Advapi32_EXTEND_H.RegEnumKeyExA
#define RegOpenKeyExA Advapi32_EXTEND_H.RegOpenKeyExA
#define RegCloseKey Advapi32_EXTEND_H.RegCloseKey
#define RegSetValueExA Advapi32_EXTEND_H.RegSetValueExA
#define RegCreateKeyExA Advapi32_EXTEND_H.RegCreateKeyExA
};