小玩意 模块提前注入 主要是shellCode的使用
本帖最后由 古月不傲 于 2020-2-20 23:26 编辑#include <iostream>
#include <Windows.h>
using namespace std;
#define DLL_PATH L"C:\\Users\\25335\\Desktop\\nihao.dll"
//转自看雪 https://bbs.pediy.com/thread-181174.htm
//构造shellCode
/*
pushad
pushfd
push 模块名
call
popfd
popad
jmp
*/
UCHAR shellCode = {
0x60,
0x9C,
0x68, 0x00, 0x00, 0x00, 0x00,
0xFF, 0x15, 0x00, 0x00, 0x00, 0x00,
0x9D,
0x61,
0xFF, 0x25, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00 };
//提升权限
BOOL EnableDebugPriv()
{
HANDLE hToken = NULL;
LUID seDebugValue = { 0 };
TOKEN_PRIVILEGES tkp = { 0 };
//获取当前进程的令牌句柄
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
printf("OpenProcessToken Error! %d\n", GetLastError());
return FALSE;
}
//获取系统特殊权限SE_DEBUG_NAME代表拥有调试权限
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &seDebugValue))
{
printf("LookupPrivilegeValue Error! %d\n", GetLastError());
CloseHandle(hToken);
return FALSE;
}
tkp.PrivilegeCount = 1; //数组的个数
tkp.Privileges.Luid = seDebugValue; //调试权限 就是一个特殊值而已
tkp.Privileges.Attributes = SE_PRIVILEGE_ENABLED;//权限启用
//启用或禁用令牌的权限
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
{
printf("AdjustTokenPrivileges Error! %d\n", GetLastError());
CloseHandle(hToken);
return FALSE;
}
CloseHandle(hToken);
return TRUE;
}
BOOL StartHook(HANDLE hProcess, HANDLE hThread)
{
CONTEXT context = { 0 };
context.ContextFlags = CONTEXT_ALL;
if (!GetThreadContext(hThread, &context))
{
printf("GetThreadContext Error! %d\n", GetLastError());
return FALSE;
}
//目标进程空间内申请一块内存
PVOID pVirutalAddress = VirtualAllocEx(hProcess, NULL, 128, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (pVirutalAddress == NULL)
{
printf("pVirutalAddress Error! %d\n", GetLastError());
return FALSE;
}
//获取LoadLibraryW的地址
PVOID pLoadLibraryAddress = (PVOID)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryW");
__try
{
PUCHAR pDllAddress = shellCode + 29;
//拷贝模块名
CopyMemory(pDllAddress, DLL_PATH, sizeof(DLL_PATH) + 2);
//设置shellCode
//为什么不直接这样写呢 因为这样写是本进程的 我们要在其他进程中执行所以不能这样写
//*(PDWORD)(shellCode + 3) = (DWORD)pDllAddress;
*(PDWORD)(shellCode + 3) = (DWORD)pVirutalAddress + 29;
*(PDWORD)(shellCode + 21) = (DWORD)pLoadLibraryAddress;
*(PDWORD)(shellCode + 9) = (DWORD)pVirutalAddress + 21;
*(PDWORD)(shellCode + 25) = context.Eip;
*(PDWORD)(shellCode + 17) = (DWORD)pVirutalAddress + 25;
if (!WriteProcessMemory(hProcess, pVirutalAddress, shellCode, 128, NULL))
{
printf("WriteProcessMemory Error! %d\n", GetLastError());
return FALSE;
}
context.Eip = (DWORD)pVirutalAddress;
if (!SetThreadContext(hThread, &context))
{
printf("SetThreadContext Error! %d\n", GetLastError());
return FALSE;
}
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
printf("异常\n");
}
return TRUE;
}
int main(void)
{
if (!EnableDebugPriv())
{
printf("EnableDebugPriv Error!\n");
return 0;
}
STARTUPINFO startupInfo = { 0 };
PROCESS_INFORMATION processInfo = { 0 };
startupInfo.cb = sizeof(startupInfo);
//挂起的方式创建进程
if (!CreateProcess(L"C:\\Users\\25335\\Desktop\\异常研究.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &startupInfo, &processInfo))
{
printf("CreateProcess Error! %d\n", GetLastError());
return 0;
}
if (!StartHook(processInfo.hProcess, processInfo.hThread))
{
printf("StartHook Error!\n");
return 0;
}
ResumeThread(processInfo.hThread);
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
system("pause");
return 0;
} push ebp
mov ebp, esp
sub esp, 0x2C
mov eax, dword
push ebx
push esi
push edi
mov eax, dword
mov eax, dword
mov dword , eax
nop dword
Label4:
movzx ecx, word
mov ebx, 0x811C9DC5
mov edi, dword
shr ecx, 1
lea ecx, dword
mov dword , ecx
cmp edi, ecx
je Label1
mov eax, ecx
nop word
Label2:
mov dl, byte
movsx esi, dl
sub dl, 0x41
mov ecx, esi
or ecx, 0x20
cmp dl, 0x19
cmovnbe ecx, esi
add edi, 0x02
xor ecx, ebx
imul ebx, ecx, 0x01000193
cmp edi, eax
jne Label2
mov eax, dword
cmp ebx, 0xC0323159
je Label3
Label1:
mov eax, dword
mov dword , eax
cmp dword , 0x00000000
jne Label4
jmp Label5
Label3:
cmp dword , 0x00000000
jne Label6
Label5:
mov eax, dword
mov dword , 0x72657375
mov dword , 0x642E3233
mov word , 0x6C6C
mov byte , 0x00
mov eax, dword
mov eax, dword
mov dword , eax
nop dword
Label10:
movzx ecx, word
mov ebx, 0x811C9DC5
mov edi, dword
shr ecx, 1
lea ecx, dword
mov dword , ecx
cmp edi, ecx
je Label7
mov eax, ecx
nop word
Label8:
mov dl, byte
movsx esi, dl
sub dl, 0x41
mov ecx, esi
or ecx, 0x20
cmp dl, 0x19
cmovnbe ecx, esi
add edi, 0x02
xor ecx, ebx
imul ebx, ecx, 0x01000193
cmp edi, eax
jne Label8
mov eax, dword
cmp ebx, 0xA3E6F6C3
je Label9
Label7:
mov eax, dword
mov dword , eax
cmp dword , 0x00000000
jne Label10
xor ecx, ecx
Label15:
mov eax, dword
mov dword , ecx
mov edx, dword
xor eax, eax
add edx, ecx
mov dword , edx
mov edi, dword
add edi, ecx
Label14:
mov edx, dword
mov esi, 0x811C9DC5
add edx, ecx
mov dword , eax
mov bl, byte
inc edx
test bl, bl
je Label11
Label12:
movsx ecx, bl
lea edx, dword
sub bl, 0x41
mov eax, ecx
or eax, 0x20
cmp bl, 0x19
mov bl, byte
cmovnbe eax, ecx
xor eax, esi
imul esi, eax, 0x01000193
test bl, bl
jne Label12
cmp esi, 0x4DBC712F
je Label13
mov ecx, dword
mov eax, dword
Label11:
inc eax
add edi, 0x04
jmp Label14
Label9:
mov ecx, dword
jmp Label15
Label13:
mov esi, dword
lea eax, dword
mov ecx, dword
mov edx, dword
push eax
mov eax, dword
lea eax, dword
movzx ecx, word
mov eax, dword
lea eax, dword
mov eax, dword
add eax, edx
call eax
Label6:
mov eax, dword
mov dword , 0x6C6C6548
mov dword , 0x6F57206F
mov dword , 0x21646C72
mov byte , 0x00
mov dword , 0x002D2E2D
mov eax, dword
mov eax, dword
mov dword , eax
Label19:
movzx ecx, word
mov ebx, 0x811C9DC5
mov edi, dword
shr ecx, 1
lea ecx, dword
mov dword , ecx
cmp edi, ecx
je Label16
mov eax, ecx
nop dword
Label17:
mov dl, byte
movsx esi, dl
sub dl, 0x41
mov ecx, esi
or ecx, 0x20
cmp dl, 0x19
cmovnbe ecx, esi
add edi, 0x02
xor ecx, ebx
imul ebx, ecx, 0x01000193
cmp edi, eax
jne Label17
mov eax, dword
cmp ebx, 0xC0323159
je Label18
Label16:
mov eax, dword
mov dword , eax
cmp dword , 0x00000000
jne Label19
xor ecx, ecx
Label24:
mov eax, dword
mov dword , ecx
mov edx, dword
xor eax, eax
add edx, ecx
mov dword , edx
mov edi, dword
add edi, ecx
Label23:
mov edx, dword
mov esi, 0x811C9DC5
add edx, ecx
mov dword , eax
mov bl, byte
inc edx
test bl, bl
je Label20
Label21:
movsx ecx, bl
lea edx, dword
sub bl, 0x41
mov eax, ecx
or eax, 0x20
cmp bl, 0x19
mov bl, byte
cmovnbe eax, ecx
xor eax, esi
imul esi, eax, 0x01000193
test bl, bl
jne Label21
cmp esi, 0x28255F84
je Label22
mov ecx, dword
mov eax, dword
Label20:
inc eax
add edi, 0x04
jmp Label23
Label18:
mov ecx, dword
jmp Label24
Label22:
mov esi, dword
lea eax, dword
mov ecx, dword
mov edx, dword
push 0x00
push eax
lea eax, dword
push eax
mov eax, dword
push 0x00
lea eax, dword
movzx ecx, word
mov eax, dword
lea eax, dword
mov eax, dword
add eax, edx
call eax
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
大神能不能解析一下这个帮一下小白哦 本帖最后由 古月不傲 于 2020-3-12 14:16 编辑
18036948381 发表于 2020-3-12 09:08
push ebp
mov ebp, esp
sub esp, 0x2C
感觉下面对不上号 总体是在遍历模块 没法动态跟踪不好看
push ebp
mov ebp, esp
sub esp, 0x2C //分配堆栈空间
mov eax, dword //取进程环境块 _PEB
push ebx
push esi
push edi //保存要用到的寄存器
mov eax, dword kd> dt _PEB_LDR_DATA
ntdll!_PEB_LDR_DATA
+0x000 Length : Uint4B
+0x004 Initialized : UChar
+0x008 SsHandle : Ptr32 Void
+0x00c InLoadOrderModuleList : _LIST_ENTRY
+0x014 InMemoryOrderModuleList : _LIST_ENTRY
+0x01c InInitializationOrderModuleList : _LIST_ENTRY
+0x024 EntryInProgress: Ptr32 Void
mov eax, dword //取到 InLoadOrderModuleList 用于遍历该进程模块
mov dword , eax //局部保存 _LIST_ENTRY *p = (_LIST_ENTRY *)InLoadOrderModuleList;
nop dword //可能是断链 不清楚
Label4:
movzx ecx, word
mov ebx, 0x811C9DC5
mov edi, dword
shr ecx, 1
lea ecx, dword
mov dword , ecx
cmp edi, ecx
je Label1
mov eax, ecx
nop word 古月不傲 发表于 2020-3-12 13:23
感觉下面对不上号 总体是在遍历模块 没法动态跟踪不好看
push ebp
mov ebp, esp ...
上面是获取fs寄存器 peb啥的,下面的就是由很多固定的值.shellcode怎么里面会写那么多固定值呢,想不懂
这个源码就是一个messge box的 18036948381 发表于 2020-3-12 16:49
上面是获取fs寄存器 peb啥的,下面的就是由很多固定的值.shellcode怎么里面会写那么多固定值呢,想不懂
这 ...
你可以发到求助区 不过代码没人愿意读吧 太怪了
页:
[1]