//获取当前程序运行路径 char FilePath[255] = {0}; GetModuleFileName(NULL, FilePath, 255);
LPVOID fileBuffer; DWORD size = 0; size = ReadFileBuffer(FilePath, &fileBuffer);
//获取源数据 DWORD GetSrcSource(IN LPVOID fileBuffer, OUT LPVOID* OutFileBuffer) { //初始化数据 PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)fileBuffer; PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)((DWORD)fileBuffer + pDosHeader->e_lfanew); PIMAGE_SECTION_HEADER pSectionHeader = IMAGE_FIRST_SECTION(pNtHeader);//第一个节位置 PIMAGE_SECTION_HEADER pLastHeader = pSectionHeader + pNtHeader->FileHeader.NumberOfSections - 1;//最后一个节位置 *OutFileBuffer = (LPVOID)((DWORD)fileBuffer + pLastHeader->PointerToRawData); return pLastHeader->SizeOfRawData; }
/* 解密函数 参数 文件大小 源文件 写出文件 */ VOID DecodeSource(DWORD size, PBYTE source, OUT LPVOID buffer) { for (DWORD i = 0; i < size; i++) { source[i] ^= 8888; } }
LPVOID srcImageBuffer; FileToImage(srcSource, &srcImageBuffer);
//创建进程 记得恢复进程 STARTUPINFO si = { 0 }; PROCESS_INFORMATION pi; si.cb = sizeof(si); //以挂起的方式创建进程 CreateProcess( NULL, // name of executable module FilePath, // command line string NULL, // SD NULL, // SD FALSE, // handle inheritance option CREATE_SUSPENDED, // creation flags NULL, // new environment block currentDirectory, // current directory name &si, // startup information &pi // process information );
CONTEXT contx; contx.ContextFlags = CONTEXT_FULL; GetThreadContext(pi.hThread, &contx); //获取入口点 DWORD dwEntryPoint = contx.Eax; //获取ImageBase char* baseAddress = (CHAR *)contx.Ebx + 8; DWORD imageBase = 0; SIZE_T byteSize = 0; //因为属于别人程序所以使用这个读 ReadProcessMemory(pi.hProcess, baseAddress, &imageBase, 4, &byteSize);
typedef long NTSTATUS; typedef NTSTATUS(__stdcall *pfnZwUnmapViewOfSection)( IN HANDLE ProcessHandle, IN LPVOID BaseAddress ); pfnZwUnmapViewOfSection ZwUnmapViewOfSection; ZwUnmapViewOfSection = (pfnZwUnmapViewOfSection)GetProcAddress( GetModuleHandleA("ntdll.dll"), "ZwUnmapViewOfSection"); if (!ZwUnmapViewOfSection) { ::TerminateThread(pi.hThread, 2); ::WaitForSingleObject(pi.hThread, INFINITE); return 0; } //卸载文件外壳镜像 DWORD a = 0; a = ZwUnmapViewOfSection(pi.hProcess, (PVOID)imageBase);
//获取src imagebase sizeofimage DWORD srcImageBase = 0; DWORD srcSizeOfImage = 0; DWORD srcOEP = 0; GetImageBase(srcImageBuffer, &srcImageBase,&srcSizeOfImage,&srcOEP); LPVOID status = NULL; //指定区域分配地址 status = VirtualAllocEx(pi.hProcess, (LPVOID)srcImageBase, srcSizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (status == NULL) { //判断有没有重定位 if (isRelocation(srcImageBuffer)) { ::TerminateThread(pi.hThread, 2); ::WaitForSingleObject(pi.hThread, INFINITE); return 0; } status = VirtualAllocEx(pi.hProcess, NULL, srcSizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); if (status == 0) { ::TerminateThread(pi.hThread, 2); ::WaitForSingleObject(pi.hThread, INFINITE); return 0; } //修复重定位 ModificationBaseRel(srcImageBuffer, (DWORD)status); GetImageBase(srcImageBuffer, &srcImageBase, &srcSizeOfImage, &srcOEP); }
//修复重定位 VOID ModificationBaseRel(IN LPVOID ImageBuffer, DWORD newImageBase) { PIMAGE_DOS_HEADER pDosHeader = NULL; //DOs 头 PIMAGE_NT_HEADERS pNTHeader = NULL; //NT头 PIMAGE_FILE_HEADER pFileHeader = NULL; // 标准PE头 PIMAGE_OPTIONAL_HEADER pOptionHerader = NULL; // 可选PE头 PIMAGE_SECTION_HEADER pSectionHeader = NULL; // 节表 PIMAGE_BASE_RELOCATION pBaseRelocation = NULL; //重定位表 pDosHeader = (PIMAGE_DOS_HEADER)ImageBuffer; pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + pDosHeader->e_lfanew); pFileHeader = (PIMAGE_FILE_HEADER)((DWORD)pNTHeader + sizeof(DWORD)); pOptionHerader = (PIMAGE_OPTIONAL_HEADER)((DWORD)pFileHeader + IMAGE_SIZEOF_FILE_HEADER); pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHerader + pFileHeader->SizeOfOptionalHeader); pBaseRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)pDosHeader + pOptionHerader->DataDirectory[5].VirtualAddress); pOptionHerader->ImageBase = newImageBase; int index = 0; while (pBaseRelocation->VirtualAddress != 0) { int count = (pBaseRelocation->SizeOfBlock - 8) / 2; PWORD addr = (PWORD)((DWORD)pBaseRelocation + 8); for (int i = 0; i < count; i++) { DWORD height4 = addr[i] >> 12; if (height4 == 3) { DWORD low12 = addr[i] & 0x0fff; DWORD rva = pBaseRelocation->VirtualAddress + low12; PDWORD addr = (PDWORD)((DWORD)ImageBuffer + rva); *addr = *addr - pOptionHerader->ImageBase + newImageBase; } } index++; pBaseRelocation = (PIMAGE_BASE_RELOCATION)((DWORD)pBaseRelocation + pBaseRelocation->SizeOfBlock); } }
//将src复制到申请成功的地址中 SIZE_T srcResult = 0; WriteProcessMemory(pi.hProcess, status, srcImageBuffer, srcSizeOfImage, &srcResult); //修正context结构 SIZE_T oepResult = 0; WriteProcessMemory(pi.hProcess, baseAddress, &srcImageBase, sizeof(DWORD), &oepResult); contx.Eax = srcOEP + srcImageBase; SetThreadContext(pi.hThread, &contx); //记得恢复线程 ResumeThread(pi.hThread);
2020安全开发者峰会(2020 SDC)议题征集 中国.北京 7月!
最后于 2天前 被清风qfccc编辑 ,原因: 发现文章中错误的地方