#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <Windows.h>
#define TOBYTE(X) ((BYTE*)X)   /* byte-pointer cast helper; not referenced anywhere else in this file */
/*
 * Second argument of GetFunAddrOfModuleAsm: either an export name or an
 * export ordinal, selected by EXP_FUN_MODE.  The tagged union inside the
 * struct is an MSVC anonymous-union extension.  The struct is one dword wide
 * and the asm reads it as a single dword at [ebp+0xC]: as a pointer on the
 * name path, as a 16-bit ordinal on the ordinal path.
 */
typedef struct
{
union OD_OR_NAME
{
CHAR* Name;   /* NUL-terminated export name (eMode == NameFlag) */
WORD Od;      /* export ordinal (any other eMode value) */
};
}EXP_FUN_NAME;
/*
 * Lookup mode for GetFunAddrOfModuleAsm.  The asm only tests for the value 1
 * (NameFlag); every other value takes the ordinal path.
 */
typedef enum
{
NameFlag = 0x1,    /* look the export up by name */
OrderFlag = 0x2,   /* look the export up by ordinal */
}EXP_FUN_MODE;
#pragma code_seg(".core")
/*
 * DWORD GetCurrentFunAddress(void)
 * Returns the caller's return address, i.e. the address of the instruction
 * that follows the `call GetCurrentFunAddress`.
 *
 * Everything from `#pragma code_seg(".core")` down to the `.text` pragma is
 * the runtime stub that the host side copies into the target file (see
 * GetShellCodeSection / AddSection), so it cannot rely on absolute addresses.
 * Callers therefore add a fixed byte offset to this value to reach data
 * emitted inside their own function (`add eax, 0x..` after each call site).
 * Those offsets are tied to the exact compiled layout of the calling function
 * and have to be recomputed whenever its code changes.
 *
 * In:    nothing        Out: eax = return address        Clobbers: nothing else
 */
DWORD _declspec(naked) WINAPI GetCurrentFunAddress()
{
__asm
{
mov eax, dword ptr ss : [esp] ;   // [esp] holds the return address pushed by `call`
ret;
}
}
/*
 * DWORD Get32BitNtdllBase(void)          (naked; takes no arguments; plain ret)
 * Walks the loader module list reached through fs:[0x30] (the 32-bit PEB:
 * PEB+0xc = Ldr, Ldr+0xc = InLoadOrderModuleList) and returns the DllBase of
 * the first entry whose BaseDllName matches the UTF-16 bytes emitted at sub_1
 * (L"ntdll.dll") and whose PE FileHeader.Machine is not 0x8664
 * (IMAGE_FILE_MACHINE_AMD64).  The list is followed through the Blink field
 * (offset 4), i.e. in reverse load order.  Entry offsets used: +0x18 DllBase,
 * +0x2c BaseDllName (UNICODE_STRING: Length, MaximumLength, Buffer) — these
 * are the 32-bit LDR_DATA_TABLE_ENTRY offsets the original comments also name.
 * Returns 0 when the list wraps back to its head or a MaximumLength of 0 is met.
 *
 * The name comparison runs over MaximumLength bytes; the emitted string is 20
 * bytes including its terminating null, so it only matches an entry whose
 * MaximumLength is 0x14 (presumably the case for this name — not verified here).
 *
 * Register roles: eax = list head / current entry, esi = entry then name
 * buffer, edi = expected-name pointer, cx = remaining byte count, ebx = DllBase
 * then &BaseDllName, dx = Machine.
 * Scratch slots: [esp-0x4] list head, [esp-0x8] DllBase, [esp-0xc] current
 * entry, [esp+0x10] Length | MaximumLength<<16.  The three negative slots lie
 * below esp; x86 Win32 has no red zone, so the `call` below pushes over [esp-0x4].
 * ecx, edx, ebx, esi, edi are saved in the frame and restored at sub_2.
 */
DWORD _declspec(naked)Get32BitNtdllBase()
{
__asm
{
push ebp;
mov ebp, esp;
sub esp, 0x80;                               // frame; only a few slots are used
mov dword ptr ds : [ebp - 0x4] , ecx;        // save ecx, edx, ebx, esi, edi in the frame
mov dword ptr ds : [ebp - 0x8] , edx;
mov dword ptr ds : [ebp - 0xc] , ebx;
mov dword ptr ds : [ebp - 0x10] , esi;
mov dword ptr ds : [ebp - 0x1c] , edi;
mov eax, fs: [0x30] ;                        // eax = PEB
mov eax, dword ptr ds:[eax + 0xc];           // eax = PEB->Ldr
add eax, 0xc;                                // eax = &Ldr->InLoadOrderModuleList (list head)
mov ecx, eax;
mov dword ptr ss : [esp - 0x4] , ecx;        // remember the head for the wrap-around test (slot is below esp)
// loop head: eax = list head on the first pass, the current entry afterwards
sub_6:
mov ecx, dword ptr ss : [esp - 0x4] ;
mov esi, dword ptr ds : [eax + 0x4] ;        // esi = eax->Blink (next entry, walking backwards)
cmp esi, ecx;
jz sub_4;                                    // back at the head: nothing matched -> return 0
mov dword ptr ss : [esp - 0xc] , esi;        // current entry
mov ebx, dword ptr ds : [esi + 0x18] ;
mov dword ptr ss : [esp - 0x8] , ebx;        // save the module's DllBase
lea ebx, dword ptr es : [esi + 0x2c];        // ebx = &entry->BaseDllName (segment override is ignored by lea)
mov eax, dword ptr ds : [ebx] ;              // HIWORD(eax) = MaximumLength, LOWORD(eax) = Length of the dll name
mov dword ptr ss:[esp + 0x10], eax;
mov esi, dword ptr ds : [ebx + 0x4] ;        // esi = BaseDllName.Buffer (UTF-16)
call GetCurrentFunAddress;                   // eax = address of the following instruction
add eax, 0x76;                               // fixed offset to the L"ntdll.dll" bytes at sub_1 (layout-dependent)
//add eax, 0xab;                             // offset for an earlier layout
mov edi, eax;
//lea edi, dword ptr[sub_1];                 // absolute form, not usable once the stub is relocated
mov eax, dword ptr ss : [esp+0x10] ;
shr eax, 0x10;                               // eax = MaximumLength
mov cx, ax;
cmp cx, 0;
jz sub_4;                                    // empty name -> return 0
mov edx, edi;
// compare cx bytes, one UTF-16 unit per iteration
sub_3:
mov bx, word ptr es : [edi] ;
//_emit 0x66;
cmp bx, word ptr es : [esi] ;
jnz sub_5;                                   // mismatch -> try the next entry
add edi, 0x2;
add esi, 0x2;
sub cx, 0x2;
cmp cx, 0;
jnz sub_3;
mov eax, dword ptr ss : [esp - 0x8] ;        // name matched: eax = DllBase
mov edx, dword ptr ds : [eax + 0x3c] ;       // edx = e_lfanew
mov dx, word ptr ds : [eax + edx+0x4] ;      // dx = IMAGE_FILE_HEADER.Machine
cmp dx, 0x8664;
jz sub_5;                                    // AMD64 image: skip it and keep looking for the 32-bit one
mov eax, dword ptr ss : [esp - 0x8] ;        // return DllBase
// common epilogue: restore the five saved registers
sub_2:
mov edi, dword ptr ds : [ebp - 0x1c] ;
mov esi, dword ptr ds : [ebp - 0x10] ;
mov ebx, dword ptr ds : [ebp - 0xc] ;
mov edx, dword ptr ds : [ebp - 0x8] ;
mov ecx, dword ptr ds : [ebp - 0x4] ;
mov esp, ebp;
pop ebp;
ret;
sub_4:
mov eax, 0;                                  // not found
jmp sub_2;
sub_5:
mov eax, dword ptr ss : [esp - 0xc] ;        // eax = current entry; continue from its Blink
jmp sub_6;
// data, never executed: L"ntdll.dll" followed by a null unit (20 bytes)
sub_1:
_emit 0x6e;                                  // 'n'
_emit 0x00;
_emit 0x74;                                  // 't'
_emit 0x00;
_emit 0x64;                                  // 'd'
_emit 0x00;
_emit 0x6c;                                  // 'l'
_emit 0x00;
_emit 0x6c;                                  // 'l'
_emit 0x00;
_emit 0x2e;                                  // '.'
_emit 0x00;
_emit 0x64;                                  // 'd'
_emit 0x00;
_emit 0x6c;                                  // 'l'
_emit 0x00;
_emit 0x6c;                                  // 'l'
_emit 0x00;
_emit 0x00;                                  // terminator
_emit 0x00;
}
}
/*
 * int mystrcmp(char* str1, char* str2)        (naked, stdcall: ret 8)
 * Returns 0 when the two NUL-terminated strings have the same length and the
 * same bytes, 1 otherwise (no ordering information, unlike strcmp).
 * Used by GetFunAddrOfModuleAsm to match export names.
 *
 * Layout after the prologue (sub esp,0x80; push esi; push edi):
 *   [ebp+0x8] str1, [ebp+0xc] str2,
 *   [esp+0x8] strlen(str1), [esp+0xc] strlen(str2), [esp+0x10] (word) bytes left.
 * Only the low 16 bits of the length drive the byte loop.  The count is
 * decremented before it is tested, so a length of 0 (two empty strings) wraps
 * to 0xffff and the loop keeps comparing past both terminators.
 * Clobbers eax, ecx; esi/edi are saved and restored.
 */
int _declspec(naked) WINAPI mystrcmp(char* str1, char* str2)
{
__asm
{
push ebp;
mov ebp, esp;
sub esp, 0x80;
push esi;
push edi;
mov dword ptr ss : [esp + 0x8] , 0xffffffff;   // len1 = -1, incremented once per byte including the NUL
mov esi, ss: [ebp + 0x8] ;                    // esi = str1
dec esi;
// strlen(str1)
sub_1:
inc dword ptr ss : [esp + 0x8] ;
inc esi;
xor cl, cl;
cmp cl,byte ptr es : [esi] ;
jnz sub_1;
mov esi, ss: [ebp + 0xc] ;                    // esi = str2
mov dword ptr ss : [esp + 0xc] , 0xffffffff;  // len2 = -1
dec esi;
// strlen(str2)
sub_2:
inc dword ptr ss : [esp + 0xc] ;
inc esi;
xor cl, cl;
cmp cl, byte ptr es : [esi] ;
jnz sub_2;
mov eax, dword ptr ss : [esp + 0xc] ;
cmp eax, dword ptr ss : [esp + 0x8] ;
jnz sub_3;                                    // different lengths -> 1
mov word ptr ss:[esp+0x10] , ax;              // bytes left to compare (low 16 bits of the length only)
mov esi, ss : [ebp + 0x8] ;
mov edi, ss : [ebp + 0xc] ;
// byte-wise compare of str1 against str2
sub_5:
mov cl, byte ptr es : [esi] ;
cmp cl, byte ptr es : [edi] ;
jnz sub_3;                                    // mismatch -> 1
inc esi;
inc edi;
dec word ptr ss:[esp + 0x10];
cmp word ptr ss:[esp + 0x10], 0;
jz sub_4;                                     // all bytes equal -> 0
jmp sub_5;
sub_4:
mov eax, 0;
// common epilogue
sub_6:
pop edi;
pop esi;
mov esp, ebp;
pop ebp;
ret 0X8;                                      // stdcall: two dword arguments
sub_3:
mov eax, 1;
jmp sub_6;
// unreachable filler bytes after the jump
_emit 0x88;
_emit 0x88;
_emit 0x88;
_emit 0x88;
}
}
/*
 * PVOID GetFunAddrOfModuleAsm(PVOID pModule, EXP_FUN_NAME unFuntionName, EXP_FUN_MODE eMode)
 *                                                   (naked, stdcall: ret 0xc)
 * Resolves an export of the PE image mapped at pModule from its export
 * directory (OptionalHeader.DataDirectory[0]).
 *   eMode == 1 (NameFlag): scan AddressOfNames with mystrcmp against
 *     unFuntionName.Name, then map through AddressOfNameOrdinals into
 *     AddressOfFunctions.
 *   any other eMode: index AddressOfFunctions with (WORD)unFuntionName.Od - Base.
 * Returns pModule + function RVA.  There is no not-found result: when no name
 * matches, sub_3 is reached with the index equal to NumberOfNames and reads one
 * entry past the tables.  Forwarded exports are not treated specially.
 *
 * Frame ([ebp-0x144] .. [ebp), pre-filled with 0xcccccccc):
 *   [ebp-0x8]  result        [ebp-0x14] &DataDirectory[0]   [ebp-0x20] IMAGE_EXPORT_DIRECTORY*
 *   [ebp-0x2c] AddressOfNames (VA)     [ebp-0x38] AddressOfNameOrdinals (VA)
 *   [ebp-0x44] AddressOfFunctions (VA) [ebp-0x50] pModule   [ebp-0x5c] IMAGE_FILE_HEADER*
 *   [ebp-0x68] IMAGE_OPTIONAL_HEADER32* [ebp-0x74] loop index [ebp-0x80] current name (VA)
 * Arguments: [ebp+0x8] pModule, [ebp+0xc] unFuntionName (one dword), [ebp+0x10] eMode.
 * ebx/esi/edi are saved and restored; eax, ecx, edx are clobbered.
 */
PVOID _declspec(naked) WINAPI GetFunAddrOfModuleAsm(PVOID pModule, EXP_FUN_NAME unFuntionName, EXP_FUN_MODE eMode)
{
_asm
{
push ebp;
mov ebp, esp;
sub esp,0x144;
push ebx;
push esi;
push edi;
lea edi, dword ptr ss : [ebp - 0x144] ;
mov ecx, 0x51;                                // 0x51 dwords = 0x144 bytes
mov eax, 0xcccccccc;
rep stosd;                                    // debug-style fill of the whole frame
mov dword ptr ss : [ebp - 0x8] , 0;           // result = NULL
mov dword ptr ss : [ebp - 0x14] , 0;
mov dword ptr ss : [ebp - 0x20] , 0;
mov eax, dword ptr ss : [ebp + 0x8] ;
mov dword ptr ss : [ebp - 0x50] , eax;        // pModule
mov eax, dword ptr ss : [ebp - 0x50] ;
mov ecx, dword ptr ds : [eax + 0x3c] ;        // e_lfanew
mov edx, dword ptr ss : [ebp - 0x50] ;
lea eax, dword ptr ds : [ecx + edx + 4] ;     // skip the "PE\0\0" signature
mov dword ptr ss : [ebp - 0x5c] , eax;        // IMAGE_FILE_HEADER
mov eax, dword ptr ss : [ebp - 0x5c] ;
add eax, 0x14;                                // sizeof(IMAGE_FILE_HEADER)
mov dword ptr ss : [ebp - 0x68] , eax;        // IMAGE_OPTIONAL_HEADER32
mov eax, 0x8;
imul ecx, eax, 0;                             // ecx = 8 * 0: directory index 0 (export) times entry size
mov edx, dword ptr ss : [ebp - 0x68] ;
lea eax, dword ptr ss : [edx + ecx + 0x60] ;  // DataDirectory starts at optional-header offset 0x60
mov dword ptr ss : [ebp - 0x14] , eax;        // &DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]
mov eax, dword ptr ss : [ebp - 0x14] ;
mov ecx, dword ptr ss : [ebp + 0x8] ;
add ecx, dword ptr ds : [eax] ;               // pModule + export directory RVA
mov dword ptr ss : [ebp - 0x20] , ecx;        // IMAGE_EXPORT_DIRECTORY
mov eax, dword ptr ss : [ebp - 0x20] ;
mov ecx, dword ptr ss : [ebp + 0x8] ;
add ecx, dword ptr ds : [eax + 0x20] ;        // +0x20 AddressOfNames
mov dword ptr ss : [ebp - 0x2C] , ecx;
mov eax, dword ptr ss : [ebp - 0x20] ;
mov ecx, dword ptr ss : [ebp + 0x8] ;
add ecx, dword ptr ds : [eax + 0x24] ;        // +0x24 AddressOfNameOrdinals
mov dword ptr ss : [ebp - 0x38] , ecx;
mov eax, dword ptr ss : [ebp - 0x20] ;
mov ecx, dword ptr ss : [ebp + 0x8] ;
add ecx, dword ptr ds : [eax + 0x1C] ;        // +0x1c AddressOfFunctions
mov dword ptr ss : [ebp - 0x44] , ecx;
mov dword ptr ss : [ebp - 0x74] , 0x0;        // i = 0
cmp dword ptr ss : [ebp + 0x10] , 0x1;        // eMode == NameFlag ?
jne sub_1;                                    // no -> ordinal path
mov dword ptr ss : [ebp - 0x74] , 0x0;
jmp sub_2;
// i++
sub_5:
mov eax, dword ptr ss : [ebp - 0x74] ;
add eax, 0x1;
mov dword ptr ss : [ebp - 0x74] , eax;
// for (i = 0; i < NumberOfNames; ++i)
sub_2:
mov eax, dword ptr ss : [ebp - 0x20] ;
mov ecx, dword ptr ss : [ebp - 0x74] ;
cmp ecx, dword ptr ds : [eax + 0x18] ;        // +0x18 NumberOfNames (signed compare)
jge sub_3;                                    // exhausted: falls into the lookup with i == NumberOfNames
mov eax, dword ptr ss : [ebp - 0x74] ;
mov ecx, dword ptr ss : [ebp - 0x2C] ;
mov edx, dword ptr ss : [ebp + 0x8] ;
add edx, dword ptr ds : [ecx + eax * 4] ;     // pModule + AddressOfNames[i]
mov dword ptr ss : [ebp - 0x80] , edx;
mov eax, dword ptr ss : [ebp + 0xC] ;
push eax;                                     // str2 = unFuntionName.Name
mov ecx, dword ptr ss : [ebp - 0x80] ;
push ecx;                                     // str1 = export name
call mystrcmp;                                // 0 when equal
test eax, eax;
jne sub_4;
jmp sub_3;                                    // match found
sub_4:
jmp sub_5;
// result = pModule + AddressOfFunctions[AddressOfNameOrdinals[i]]
sub_3:
mov eax, dword ptr ss : [ebp - 0x74] ;
mov ecx, dword ptr ss : [ebp - 0x38] ;
movzx edx, word ptr ds : [ecx + eax * 2] ;    // 16-bit ordinal index
mov eax, dword ptr ss : [ebp - 0x44] ;
mov ecx, dword ptr ss : [ebp + 0x8] ;
add ecx, dword ptr ds : [eax + edx * 4] ;
mov dword ptr ss : [ebp - 0x8] , ecx;
jmp sub_6;
// ordinal path: result = pModule + AddressOfFunctions[Od - Base]
sub_1:
movzx eax, word ptr ss : [ebp + 0xC] ;        // unFuntionName.Od
mov ecx, dword ptr ss : [ebp - 0x20] ;
sub eax, dword ptr ds : [ecx + 0x10] ;        // +0x10 Base (ordinal base)
mov edx, dword ptr ss : [ebp - 0x44] ;
mov ecx, dword ptr ss : [ebp + 0x8] ;
add ecx, dword ptr ds : [edx + eax * 4] ;
mov dword ptr ss : [ebp - 0x8] , ecx;
// epilogue
sub_6:
mov eax, dword ptr ss : [ebp - 0x8] ;
pop edi;
pop esi;
pop ebx;
//add esp, 0x144;
mov esp, ebp;
pop ebp;
ret 0xc;                                      // stdcall: three dword arguments
}
}
/*
 * DWORD GetMainModuleBase(void)          (naked; no arguments; plain ret)
 * Returns the image base of the current process's main executable, read as
 * PEB->ImageBaseAddress (PEB at fs:[0x30], field at +0x8).
 * The 0x10-byte frame is never used.  Clobbers eax only.
 */
DWORD _declspec(naked) WINAPI GetMainModuleBase()
{
__asm
{
push ebp;
mov ebp, esp;
sub esp, 0x10;                               // unused frame
mov eax, fs: [0x30] ;                        // eax = PEB
mov eax, dword ptr ds : [eax + 0x8] ;        // eax = PEB->ImageBaseAddress
mov esp, ebp;
pop ebp;
ret;
}
}
/*
 * DWORD FixShellRelocal(DWORD sReacalRva)        (naked, stdcall: ret 4)
 * Applies base relocations to the running image for the relocation blocks
 * found at image base + sReacalRva (the blocks the host side moved to the end
 * of the file; ShellEntry reads their RVA from the DOS header area at +0x40).
 * Every relocation entry whose type field has bit 12 or 13 set is treated as
 * a 32-bit fix-up: *(base + block.VirtualAddress + (entry & 0xfff)) +=
 * newbase - 0x400000.  The old image base is hard-coded as 0x400000; the
 * OptionalHeader.ImageBase value is read but then discarded.
 * Processing stops at the first block whose VirtualAddress is 0.
 *
 * Frame: [ebp-0x4] current block, [ebp-0x8] block VirtualAddress,
 * [ebp-0xc] SizeOfBlock, [ebp-0x10] entry count, [ebp-0x1c] entry index,
 * [ebp-0x20] new image base, [ebp-0x24] old image base, [ebp-0x28] fix-up target.
 * The entry count is computed with an 8-bit divide (ax / dl), so it is only
 * valid for blocks with at most 255 entries; a larger quotient raises #DE.
 * ebx, edx, edi are pushed and restored; eax, ecx are clobbered.
 */
DWORD _declspec(naked) WINAPI FixShellRelocal(DWORD sReacalRva)
{
_asm
{
push ebp;
mov ebp, esp;
sub esp, 0x80;
push ebx;
push edx;
push edi;
call GetMainModuleBase;
mov dword ptr ss : [ebp - 0x20] , eax;        // new image base
add eax, 0x3c;
mov ecx, dword ptr ds : [eax] ;               // e_lfanew
mov eax, dword ptr ss : [ebp - 0x20] ;
add eax, ecx;
add eax, 0x34;                                // NT headers + 0x34 = OptionalHeader.ImageBase
mov eax, dword ptr ds : [eax] ;               // read, but overwritten by the constant on the next line
mov dword ptr ss : [ebp - 0x24] , 0x400000;   // old image base (hard-coded)
mov eax, dword ptr ss : [ebp - 0x20] ;
add eax, dword ptr ds : [ebp + 0x8] ;         // base + sReacalRva
mov dword ptr ss : [ebp - 0x4] , eax;         // current IMAGE_BASE_RELOCATION block
// per-block loop
sub_4:
mov eax, dword ptr ss : [ebp - 0x4] ;
mov ebx, dword ptr ds : [eax] ;               // block.VirtualAddress
mov edx, dword ptr ds : [eax + 4] ;           // block.SizeOfBlock
cmp ebx, 0;
jz sub_5;                                     // VirtualAddress == 0 ends the table
mov dword ptr ss : [ebp - 0x8] , ebx;         // VirtualAddress
mov dword ptr ss : [ebp - 0xc] , edx;         // SizeOfBlock
mov eax, edx;
sub eax, 0x8;                                 // bytes of entries after the 8-byte block header
mov dl, 0x2;
div dl;                                       // al = (SizeOfBlock - 8) / 2 : 8-bit quotient only
xor ebx, ebx;
mov bl, al;
mov dword ptr ss : [ebp - 0x10] , ebx;        // number of relocation entries
mov dword ptr ss : [ebp - 0x1c] , 0;          // entry index = 0
// per-entry loop
sub_2:
mov ecx, dword ptr ss : [ebp - 0x1c] ;
cmp ecx, dword ptr ss : [ebp - 0x10] ;
jge sub_1;                                    // all entries done -> next block
mov edi, dword ptr ss : [ebp - 0x4] ;
lea edi, dword ptr es : [edi + 0x8] ;         // entries start after the block header
mov ax, word ptr es : [edi + ecx * 0x2] ;     // entry = type:4 | offset:12
test ax, 0x3000;
jz sub_3;                                     // type bits 12/13 clear (e.g. ABSOLUTE padding) -> skip
and eax, 0xfff;                               // 12-bit page offset
add eax, dword ptr ss : [ebp - 0x8] ;
add eax, dword ptr ss : [ebp - 0x20] ;
mov dword ptr ss : [ebp - 0x28] , eax;        // address of the dword to fix up
mov ebx, dword ptr ds : [eax] ;
sub ebx, dword ptr ss : [ebp - 0x24] ;        // value - old base
add ebx, dword ptr ss : [ebp - 0x20] ;        // + new base
mov edx, dword ptr ss : [ebp - 0x28] ;
mov dword ptr ds : [edx] ,ebx;
sub_3:
inc ecx;
mov dword ptr ss : [ebp - 0x1c] , ecx;
jmp sub_2;
// advance to the next block
sub_1:
mov edx, dword ptr ss : [ebp - 0xc] ;
mov eax, dword ptr ss : [ebp - 0x4] ;
add edx, eax;                                 // block += SizeOfBlock
mov dword ptr ss : [ebp - 0x4] , edx;
jmp sub_4;
sub_5:
pop edi;
pop edx;
pop ebx;
mov esp, ebp;
pop ebp;
ret 0x4;                                      // stdcall: one dword argument
}
}
/*
 * VOID DeCode(PVOID pBuff, SIZE_T sSize)          (naked, stdcall: ret 8)
 * Inverse of the host-side Encode(): processes the buffer from the last byte
 * down to the first, so each byte sees its predecessor still in encoded form:
 *   buf[0]  ^= 0x50
 *   buf[i]  ^= (i & 0xff) ^ buf[i-1]        for i > 0
 * Only the low byte of the index is mixed in (`xor dl, cl`), matching the
 * byte-truncated `^ i` in Encode.  The loop condition is signed (`jl`), so
 * sSize == 0 runs no iterations.
 * Frame: [ebp-0x8] current index.  edi and edx are pushed and restored;
 * eax, ecx are clobbered.
 */
VOID _declspec(naked) WINAPI DeCode(PVOID pBuff, SIZE_T sSize)
{
__asm
{
push ebp;
mov ebp, esp;
sub esp, 0x50;
push edi;
push edx;
mov eax, dword ptr ss : [ebp + 0xc] ;         // sSize
mov dword ptr ss : [ebp - 0x8] , eax;
mov edi, dword ptr ss : [ebp + 0x8] ;         // edi = pBuff
dec dword ptr ss : [ebp - 8] ;                // index = sSize - 1
// for (i = sSize - 1; i >= 0; --i)
sub_2:
mov ecx, dword ptr ss:[ebp - 0x8] ;
cmp ecx, 0;
jl sub_1;                                     // signed: done when index < 0
mov dl, byte ptr es : [edi + ecx * 1] ;       // dl = buf[i]
and edx, 0xff;
cmp ecx, 0;
jnz sub_3;
xor dl, 0x50;                                 // i == 0: fixed key
jmp sub_4;
sub_3:
mov eax, ecx;
dec eax;                                      // eax = i - 1
xor dl, cl;                                   // ^= low byte of i
xor dl, byte ptr es : [edi + eax * 1] ;       // ^= buf[i-1] (still encoded)
sub_4:
mov byte ptr es : [edi + ecx * 1] , dl;       // store decoded byte
dec ecx;
mov dword ptr ss : [ebp - 0x8] , ecx;
jmp sub_2;
sub_1:
pop edx;
pop edi;
mov esp, ebp;
pop ebp;
ret 0x8;                                      // stdcall: two dword arguments
}
}
/*
 * VOID ShellEntry(void)        (naked; becomes the patched entry point of the target)
 * Runtime stub.  Every API it uses is located at run time (loader list +
 * export tables) and every string is emitted as raw bytes after the code,
 * reached through GetCurrentFunAddress plus a layout-dependent offset.
 * Sequence:
 *  1. [ebp-0x4] = ntdll base (Get32BitNtdllBase).
 *  2. Build a UNICODE_STRING at [ebp-0xc]: Length 0x14, MaximumLength 0x16,
 *     Buffer -> sub_2 (L"user32.dll"); resolve LdrLoadDll (name at sub_1) from
 *     ntdll and call LdrLoadDll(0, 0, &string, &[ebp-0x18]).
 *  3. Resolve MessageBoxA (sub_3) from the loaded user32; call it with
 *     (0, 0, 0, uType 6).
 *  4. Resolve ZwProtectVirtualMemory (sub_6) from ntdll; make the hard-coded
 *     region image base + 0x1000, size 0x2000 PAGE_EXECUTE_READWRITE
 *     (presumably the first section — not derived from the headers).
 *  5. DeCode(image base + firstSection.VirtualAddress, firstSection.SizeOfRawData),
 *     reading the first section header unconditionally; the host side encodes
 *     the first section with any 0x60000000 characteristic bit, which only
 *     agrees with this when that section is the first one.
 *  6. If the image base is not 0x400000: FixShellRelocal([base+0x40]) using the
 *     RVA the host stored in the DOS header area, then restore the region to
 *     PAGE_EXECUTE_READ and show MessageBoxA(0, 0, 0, uType 4).  When the base
 *     is 0x400000 all of step 6 is skipped (jz sub_4).
 *  7. Restore registers and flags (popfd/popad), then `call` image base +
 *     imm32 of `add eax, 0x22e4`; the host (ChangeOEP) overwrites that imm32
 *     with the original AddressOfEntryPoint RVA.
 *
 * Frame slots (reused over time): [ebp-0x4] ntdll base; [ebp-0x8] user32 name
 * buffer, later protect-region base; [ebp-0xc] Length|MaximumLength<<16;
 * [ebp-0x10] &UNICODE_STRING; [ebp-0x14] LdrLoadDll, later OldProtect;
 * [ebp-0x18] user32 handle, later region size; [ebp-0x1c] MessageBoxA;
 * [ebp-0x20] image base; [ebp-0x24] IMAGE_FILE_HEADER; [ebp-0x28] ZwProtectVirtualMemory.
 */
VOID _declspec(naked)WINAPI ShellEntry()
{
_asm
{
pushad;
pushfd;
push ebp;
mov ebp, esp;
sub esp, 0x100;
mov dword ptr ss : [ebp - 0x4] , 0;
call Get32BitNtdllBase;
mov dword ptr ss : [ebp - 0x4] , eax;         // base of ntdll.dll
mov dword ptr ss : [ebp - 0x8] , 0;
mov dword ptr ss : [ebp - 0xc] , 0;
xor eax, eax;
mov ecx, eax;
mov ax, 0x14;                                 // Length = 20 bytes (10 UTF-16 units)
mov cx, 0x16;                                 // MaximumLength = 22 bytes
shl ecx, 0x10;
or eax, ecx;
mov dword ptr ss : [ebp - 0xc] , eax;         // UNICODE_STRING.Length / MaximumLength
//lea eax, dword ptr ds : [sub_2] ;
call GetCurrentFunAddress;
add eax, 0x15d;                               // fixed offset to L"user32.dll" at sub_2
mov dword ptr ss : [ebp - 0x8] , eax;         // UNICODE_STRING.Buffer
lea eax, dword ptr ss : [ebp - 0xc] ;
mov dword ptr ss : [ebp - 0x10] , eax;        // pointer to the user32.dll UNICODE_STRING
push 0x1;                                     // eMode = NameFlag
//lea eax, dword ptr ds : [sub_1] ;
call GetCurrentFunAddress;
add eax, 0x13a;                               // fixed offset to "LdrLoadDll" at sub_1
push eax;                                     // unFuntionName.Name
mov eax, dword ptr ss : [ebp - 0x4] ;
push eax;                                     // pModule = ntdll
call GetFunAddrOfModuleAsm;
mov dword ptr ss : [ebp - 0x14] , eax;        // address of LdrLoadDll
mov dword ptr ss : [ebp - 0x18] , 0;          // module handle returned by LdrLoadDll
lea eax, dword ptr ss : [ebp - 0x18] ;
push eax;                                     // 4th arg: &ModuleHandle
mov eax, dword ptr ss : [ebp - 0x10] ;
push eax;                                     // 3rd arg: &UNICODE_STRING
push 0;                                       // 2nd arg
push 0;                                       // 1st arg
mov ecx, dword ptr ss : [ebp - 0x14] ;
call ecx;                                     // LdrLoadDll(0, 0, &name, &handle)
push 0x1;                                     // eMode = NameFlag
//lea eax, dword ptr ds : [sub_3] ;
call GetCurrentFunAddress;
add eax, 0x124;                               // fixed offset to "MessageBoxA" at sub_3
push eax;
mov eax, dword ptr ss : [ebp - 0x18] ;
push eax;                                     // pModule = user32
call GetFunAddrOfModuleAsm;
mov dword ptr ss : [ebp - 0x1c] , eax;        // address of MessageBoxA
push 6;                                       // uType
push 0;                                       // lpCaption
push 0;                                       // lpText
push 0;                                       // hWnd
call eax;
push 0x1;                                     // eMode = NameFlag
call GetCurrentFunAddress;
add eax, 0x10b;                               // fixed offset to "ZwProtectVirtualMemory" at sub_6
push eax;
push dword ptr ss : [ebp - 0x4] ;             // pModule = ntdll
call GetFunAddrOfModuleAsm;
mov dword ptr ss : [ebp - 0x28],eax;          // address of ZwProtectVirtualMemory (name emitted at sub_6)
mov dword ptr ss : [ebp - 0x14] , 0;
lea eax, dword ptr ss : [ebp - 0x14] ;        // &OldProtect
push eax;
push PAGE_EXECUTE_READWRITE;                  // NewProtect
mov dword ptr ss : [ebp - 0x18] , 0x2000;     // RegionSize (hard-coded)
lea eax, dword ptr ss : [ebp - 0x18] ;
push eax;                                     // &RegionSize
call GetMainModuleBase;
mov dword ptr ss : [ebp - 0x20] , eax;        // image base of the main module
add eax, 0x1000;
mov dword ptr ss : [ebp - 0x8] , eax;         // BaseAddress = image base + 0x1000 (hard-coded)
lea eax,dword ptr ss : [ebp - 0x8] ;
push eax;                                     // &BaseAddress
push 0xffffffff;                              // ProcessHandle = current process
mov eax, dword ptr ss: [ebp - 0x28] ;
call eax;                                     // ZwProtectVirtualMemory(-1, &base, &size, RWX, &old)
mov eax, dword ptr ss : [ebp - 0x20] ;
mov ecx, dword ptr ds : [eax + 0x3c] ;        // e_lfanew
lea eax, dword ptr ds : [ecx + eax + 0x4] ;
mov dword ptr ss : [ebp - 0x24] , eax;        // IMAGE_FILE_HEADER
mov dx, word ptr ds : [eax + 0x10] ;          // SizeOfOptionalHeader
and edx, 0xffff;
add edx, dword ptr ss : [ebp - 0x24] ;
add edx, 0x14;                                // edx = first IMAGE_SECTION_HEADER
mov eax, dword ptr ds : [edx + 0x10] ;        // SizeOfRawData
push eax;                                     // sSize
mov eax, dword ptr ds : [edx + 0xc] ;         // section VirtualAddress (RVA)
add eax, dword ptr ss : [ebp - 0x20] ;
push eax;                                     // pBuff = image base + RVA
call DeCode;
mov eax, dword ptr ss : [ebp - 0x20] ;
cmp eax, 0x400000;
jz sub_4;                                     // loaded at the assumed old base: skip relocation, restore and 2nd box
mov eax, dword ptr ss : [ebp - 0x20] ;
mov eax, dword ptr ds : [eax + 0x40] ;        // RVA of the moved relocation blocks, stored by the host at +0x40
push eax;
call FixShellRelocal;
mov dword ptr ss : [ebp - 0x14] , 0;
lea eax, dword ptr ss : [ebp - 0x14] ;        // &OldProtect
push eax;
push PAGE_EXECUTE_READ;                       // NewProtect
lea eax, dword ptr ss : [ebp - 0x18] ;
push eax;                                     // &RegionSize (as updated by the first call)
lea eax, dword ptr ss : [ebp - 0x8] ;
push eax;                                     // &BaseAddress
push 0xffffffff;                              // current process
mov eax, dword ptr ss : [ebp - 0x28] ;
call eax;                                     // ZwProtectVirtualMemory(-1, &base, &size, RX, &old)
mov eax, dword ptr ds : [ebp - 0x1c] ;        // MessageBoxA
push 0x4;                                     // uType
push 0;
push 0;
push 0;
call eax;
sub_4:
mov esp, ebp;
pop ebp;
popfd;
popad;                                        // original register state restored
call GetMainModuleBase;
add eax, 0x22e4;                              // imm32 is patched by ChangeOEP with the original entry RVA
call eax;                                     // run the original entry point
ret;
// data, never executed
// sub_1: "LdrLoadDll\0"
sub_1:
_emit 0x4c;
_emit 0x64;
_emit 0x72;
_emit 0x4c;
_emit 0x6f;
_emit 0x61;
_emit 0x64;
_emit 0x44;
_emit 0x6c;
_emit 0x6c;
_emit 0x00;
// sub_2: L"user32.dll" + null unit (22 bytes)
sub_2:
_emit 0x75;
_emit 0x00;
_emit 0x73;
_emit 0x00;
_emit 0x65;
_emit 0x00;
_emit 0x72;
_emit 0x00;
_emit 0x33;
_emit 0x00;
_emit 0x32;
_emit 0x00;
_emit 0x2e;
_emit 0x00;
_emit 0x64;
_emit 0x00;
_emit 0x6c;
_emit 0x00;
_emit 0x6c;
_emit 0x00;
_emit 0x00;
_emit 0x00;
// sub_3: "MessageBoxA\0"
sub_3:
_emit 0x4d;
_emit 0x65;
_emit 0x73;
_emit 0x73;
_emit 0x61;
_emit 0x67;
_emit 0x65;
_emit 0x42;
_emit 0x6f;
_emit 0x78;
_emit 0x41;
_emit 0x00;
// sub_6: "ZwProtectVirtualMemory\0"
sub_6:
_emit 0x5a;
_emit 0x77;
_emit 0x50;
_emit 0x72;
_emit 0x6f;
_emit 0x74;
_emit 0x65;
_emit 0x63;
_emit 0x74;
_emit 0x56;
_emit 0x69;
_emit 0x72;
_emit 0x74;
_emit 0x75;
_emit 0x61;
_emit 0x6c;
_emit 0x4d;
_emit 0x65;
_emit 0x6d;
_emit 0x6f;
_emit 0x72;
_emit 0x79;
_emit 0x00;
}
}
#pragma code_seg(".text")
/* Size in bytes of the input file; set by CreateFileBuff, read by main for the write/free sizes. */
DWORD dTargetFileSize;
/* Header of this program's own ".core" section (the stub to copy); set by main via GetShellCodeSection. */
PIMAGE_SECTION_HEADER pShellCodeSection;
/* Header of the target's section that gets encoded; set by GetTargtFileBuffCodeSection. */
PIMAGE_SECTION_HEADER pEncodeHandleSection;
//PVOID pTargetEncodeSection;
//DWORD dTargetEncodeSectionSize;
/*
 * Encode(bytearr, size): in-place forward transform of `size` bytes; the
 * runtime stub's DeCode is its inverse.
 *   byte[0] ^= 0x50
 *   byte[i] ^= byte[i-1] (already transformed) ^ (i & 0xff)   for i > 0
 * size <= 0 leaves the buffer untouched.
 */
VOID Encode(UCHAR* bytearr, LONG size)
{
    UCHAR prev = 0;
    for (LONG idx = 0; idx < size; ++idx)
    {
        UCHAR cur = bytearr[idx];
        if (idx == 0)
        {
            cur ^= 0x50;
        }
        else
        {
            /* chain on the transformed predecessor, which is what the original reads back from the array */
            cur = (UCHAR)(cur ^ prev ^ idx);
        }
        bytearr[idx] = cur;
        prev = cur;
    }
}
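/*
 * CreateFileBuff(path): reads the whole file at `path` into a zeroed
 * VirtualAlloc'd buffer of (file size + 0x9000) bytes and stores the file
 * size in the global dTargetFileSize.  The 0x9000 slack is where main appends
 * the moved relocation blocks and the stub section.
 * Returns the buffer, or NULL on failure; the file handle is closed on every
 * path.  The caller releases the buffer with VirtualFree(..., 0, MEM_RELEASE).
 */
PVOID CreateFileBuff(CHAR* path)
{
    DWORD dHighDword = 0;
    DWORD dBytesRead = 0;
    DWORD size;
    PVOID pFileBuff;
    /* read-only access, and a missing input must fail instead of being created empty (OPEN_ALWAYS did that) */
    HANDLE hFile = CreateFileA(path, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)   /* CreateFile signals failure with INVALID_HANDLE_VALUE, not 0 */
    {
        return NULL;
    }
    size = GetFileSize(hFile, &dHighDword);
    /* only 32-bit sizes that still leave room for the slack are supported */
    if (size == INVALID_FILE_SIZE || dHighDword != 0 || size > 0xFFFFFFFF - 0x9000)
    {
        CloseHandle(hFile);
        return NULL;
    }
    dTargetFileSize = size;
    pFileBuff = VirtualAlloc(NULL, size + 0x9000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pFileBuff == NULL)
    {
        CloseHandle(hFile);
        return NULL;
    }
    ZeroMemory(pFileBuff, size + 0x9000);
    /* synchronous ReadFile needs the bytes-read out-parameter when no OVERLAPPED is passed; reject short reads too */
    if (!ReadFile(hFile, pFileBuff, size, &dBytesRead, NULL) || dBytesRead != size)
    {
        VirtualFree(pFileBuff, 0, MEM_RELEASE);
        CloseHandle(hFile);
        return NULL;
    }
    CloseHandle(hFile);
    return pFileBuff;
}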
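/*
 * WriteBuffToDisk(path, pBuff, dSize): creates (or truncates) `path` and writes
 * dSize bytes from pBuff.  Returns TRUE only when every byte was written; the
 * handle is closed on every path.
 */
BOOL WriteBuffToDisk(CHAR* path,PVOID pBuff, DWORD dSize)
{
    BOOL ret = FALSE;
    DWORD dWritten = 0;
    HANDLE hFile = CreateFileA(path, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)   /* CreateFile signals failure with INVALID_HANDLE_VALUE, not 0 */
    {
        return ret;
    }
    /* bytes-written out-parameter is required for synchronous writes; a short write is a failure */
    if (WriteFile(hFile, pBuff, dSize, &dWritten, NULL) && dWritten == dSize)
    {
        ret = TRUE;
    }
    CloseHandle(hFile);
    return ret;
}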
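/*
 * GetShellCodeSection(): returns the IMAGE_SECTION_HEADER of this
 * executable's own ".core" section (where `#pragma code_seg(".core")` places
 * the stub functions), or NULL when there is none.  Headers are read from the
 * mapped image returned by GetModuleHandle(NULL); a 32-bit PE is assumed, as
 * everywhere else in this tool.
 */
PVOID GetShellCodeSection()
{
    /* ".core" padded to the 8-byte name width; compared with memcmp because a
       section name that uses all 8 bytes has no terminating NUL for strcmp */
    const BYTE chSectionName[IMAGE_SIZEOF_SHORT_NAME] = { 0x2e,0x63,0x6f,0x72,0x65,0x00,0x00,0x00 };
    HMODULE hModule = GetModuleHandle(NULL);
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule;
    PIMAGE_FILE_HEADER pFileHeader;
    PIMAGE_SECTION_HEADER pSection;
    WORD i;
    if (pDosHeader == NULL || pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        return NULL;
    }
    /* e_lfanew -> "PE\0\0"; the file header follows the 4-byte signature */
    pFileHeader = (PIMAGE_FILE_HEADER)((BYTE*)pDosHeader + pDosHeader->e_lfanew + 4);
    /* the section table follows the optional header, whose size comes from the file header */
    pSection = (PIMAGE_SECTION_HEADER)((BYTE*)(pFileHeader + 1) + pFileHeader->SizeOfOptionalHeader);
    for (i = 0; i < pFileHeader->NumberOfSections; ++i)
    {
        if (memcmp(pSection[i].Name, chSectionName, IMAGE_SIZEOF_SHORT_NAME) == 0)
        {
            return &pSection[i];
        }
    }
    return NULL;
}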
/*
 * GetTargtFileBuffCodeSection(pFileBuff): scans the section table of the PE
 * image in pFileBuff and stores in the global pEncodeHandleSection the first
 * section whose Characteristics has any bit of 0x60000000
 * (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ) set.  Because the test is
 * "any bit", a readable data section qualifies as well, so this effectively
 * picks the first readable or executable section.  The global is left
 * unchanged when nothing matches.
 */
VOID GetTargtFileBuffCodeSection(PVOID pFileBuff)
{
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuff;
    PIMAGE_FILE_HEADER pFileHeader = (PIMAGE_FILE_HEADER)((LONG)pDosHeader + pDosHeader->e_lfanew + 4);
    PIMAGE_OPTIONAL_HEADER32 pOptionaleHeader = (PIMAGE_OPTIONAL_HEADER32)(pFileHeader + 1);
    PIMAGE_SECTION_HEADER pSection = (PIMAGE_SECTION_HEADER)((DWORD)pOptionaleHeader + pFileHeader->SizeOfOptionalHeader);
    PIMAGE_SECTION_HEADER pEnd = pSection + pFileHeader->NumberOfSections;
    PIMAGE_SECTION_HEADER pCur;
    for (pCur = pSection; pCur < pEnd; ++pCur)
    {
        if (pCur->Characteristics & 0x60000000)
        {
            pEncodeHandleSection = pCur;
            return;
        }
    }
}
/*
 * AddSection(pFileBuff, dWritePosOffset, dOffset)
 * Despite the name, no section header is added: the raw bytes of this
 * program's ".core" section (pShellCodeSection, read from the running image)
 * are copied to file offset dWritePosOffset + dOffset (main passes the input
 * size and the rounded size of the moved relocation blocks), and the LAST
 * section of the target is grown to cover dOffset + the copied bytes.
 * SizeOfImage is recomputed from the last section with a hard-coded 0x1000
 * section alignment.  Growing SizeOfRawData by the full gap assumes the last
 * section's raw data ends exactly at dWritePosOffset (the old end of file) —
 * TODO confirm for inputs with trailing data.
 * Globals read: pShellCodeSection (must be set first, see main).
 */
VOID AddSection(PVOID pFileBuff,DWORD dWritePosOffset, DWORD dOffset)
{
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuff;
PIMAGE_FILE_HEADER pFileHeader = pDosHeader->e_lfanew + (LONG)pDosHeader+4;   /* skips the "PE\0\0" signature */
PIMAGE_OPTIONAL_HEADER32 pOptionaleHeader = pFileHeader + 1;
PIMAGE_SECTION_HEADER pSection = (DWORD)pOptionaleHeader + pFileHeader->SizeOfOptionalHeader;
PIMAGE_SECTION_HEADER pLastSection = &(pSection[pFileHeader->NumberOfSections - 1]);
DWORD dWritePos = (DWORD)pFileBuff + dWritePosOffset+dOffset;                 /* destination inside the file buffer */
DWORD dStratCopyPos = (DWORD)(pShellCodeSection->VirtualAddress) + (DWORD)GetModuleHandle(NULL);   /* .core as mapped in this process */
int j = 0;   /* unused */
memcpy(dWritePos, dStratCopyPos, pShellCodeSection->SizeOfRawData);          /* integer arguments, implicitly converted to pointers */
pLastSection->SizeOfRawData = pLastSection->SizeOfRawData + dOffset + pShellCodeSection->SizeOfRawData;
pLastSection->Misc.VirtualSize = pLastSection->SizeOfRawData;
pLastSection->Characteristics |= 0x60000000;   /* IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ: the stub now lives here */
if (pLastSection->Misc.VirtualSize % 0X1000 == 0)
{
pOptionaleHeader->SizeOfImage = pLastSection->VirtualAddress + pLastSection->Misc.VirtualSize;
}
else
{
/* round the section end up to the next 0x1000 boundary */
pOptionaleHeader->SizeOfImage = pLastSection->VirtualAddress + (pLastSection->Misc.VirtualSize & 0xfffff000) + 0x1000;
}
return;
}
/*
 * GetRelocalTableHeader(pFileBuff): returns a pointer, inside the file buffer,
 * to the start of the base relocation table (DataDirectory[5] =
 * IMAGE_DIRECTORY_ENTRY_BASERELOC), or NULL when the image has no relocation
 * directory.  The RVA is mapped to a file offset by finding a section whose
 * VirtualAddress equals the directory RVA exactly, so a table that does not
 * start at the beginning of its section also yields NULL.
 */
PVOID GetRelocalTableHeader(PVOID pFileBuff)
{
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuff;
    PIMAGE_FILE_HEADER pFileHeader = (PIMAGE_FILE_HEADER)((LONG)pDosHeader + pDosHeader->e_lfanew + 4);
    PIMAGE_OPTIONAL_HEADER32 pOptionaleHeader = (PIMAGE_OPTIONAL_HEADER32)(pFileHeader + 1);
    PIMAGE_SECTION_HEADER pSection = (PIMAGE_SECTION_HEADER)((DWORD)pOptionaleHeader + pFileHeader->SizeOfOptionalHeader);
    PIMAGE_SECTION_HEADER pEnd = pSection + pFileHeader->NumberOfSections;
    PIMAGE_SECTION_HEADER pCur;
    DWORD dRelocaBaseRva = pOptionaleHeader->DataDirectory[5].VirtualAddress;
    if (dRelocaBaseRva == 0)
    {
        return NULL;
    }
    for (pCur = pSection; pCur < pEnd; ++pCur)
    {
        if (pCur->VirtualAddress == dRelocaBaseRva)
        {
            /* RVA == section start, so the file offset is simply the section's raw-data offset */
            return (PVOID)(pCur->PointerToRawData + (DWORD)pFileBuff);
        }
    }
    return NULL;
}
/*
 * IsMoveRelocaData(pRelocaTable, pEncodeSec): TRUE when the relocation block's
 * page RVA lies inside pEncodeSec, whose extent is VirtualSize rounded up to a
 * 0x1000 boundary (hard-coded section alignment, as elsewhere in this file).
 */
BOOL IsMoveRelocaData(PIMAGE_BASE_RELOCATION pRelocaTable, PIMAGE_SECTION_HEADER pEncodeSec)
{
    DWORD dSecStart = pEncodeSec->VirtualAddress;
    DWORD dVirtualSize = pEncodeSec->Misc.VirtualSize;
    DWORD dRoundedSize = (dVirtualSize % 0x1000 == 0)
        ? dVirtualSize
        : ((dVirtualSize & 0xfffff000) + 0x1000);
    DWORD dSecEnd = dSecStart + dRoundedSize;
    DWORD dBlockRva = pRelocaTable->VirtualAddress;
    return (dBlockRva >= dSecStart && dBlockRva < dSecEnd) ? TRUE : FALSE;
}
/*
 * GetMoveRelocaPotin(pRealocTableHeader, pEncodeSec): walks the relocation
 * blocks starting at pRealocTableHeader and returns the first block whose page
 * RVA is at or beyond the start of pEncodeSec, or NULL if the table ends first.
 * Only the lower bound is tested here (the upper bound is IsMoveRelocaData's
 * job), so a block past the end of the section is also returned.
 * The table ends at a block with VirtualAddress == 0 or SizeOfBlock == 0.
 */
PVOID GetMoveRelocaPotin(PVOID pRealocTableHeader, PIMAGE_SECTION_HEADER pEncodeSec)
{
    PIMAGE_BASE_RELOCATION pBlock = (PIMAGE_BASE_RELOCATION)pRealocTableHeader;
    for (; pBlock->VirtualAddress != 0 && pBlock->SizeOfBlock != 0;
         pBlock = (PIMAGE_BASE_RELOCATION)((DWORD)pBlock + pBlock->SizeOfBlock))
    {
        if (pBlock->VirtualAddress >= pEncodeSec->VirtualAddress)
        {
            return pBlock;
        }
    }
    return NULL;
}
/*
 * MoveRelocaDataOfEndcodeSection(pFileBuff, pEncodeSec, dReloctableNewLocal)
 * Takes the relocation blocks that belong to pEncodeSec out of the target's
 * relocation table so the loader does not touch the encoded bytes; the stub
 * applies them itself after decoding (FixShellRelocal).
 *   1. sum SizeOfBlock over the blocks inside pEncodeSec (dMoveBlockSize);
 *   2. copy those blocks to dReloctableNewLocal (main passes the end of the
 *      file) and zero their old location;
 *   3. shift the blocks that precede them forward by dMoveBlockSize and bump
 *      DataDirectory[5].VirtualAddress / shrink .Size accordingly;
 *   4. store the RVA at which the moved blocks will end up (end of the last
 *      section: VirtualAddress + SizeOfRawData) into the DOS header area at
 *      file offset 0x40, where ShellEntry reads it at run time.
 * Returns the moved size rounded up for the caller's layout, or 0 when the
 * image has no relocation table (after a message box).  Assumes the in-range
 * blocks are contiguous starting at the first block at/after the section
 * start (GetMoveRelocaPotin).
 * The shift in step 3 uses memcpy on ranges that overlap whenever the
 * preceding blocks are larger than the moved ones — memmove semantics would be
 * needed there; TODO confirm on real inputs.
 * The final rounding masks with 0xFFFFFF00 (0x100 granularity) and then adds
 * 0x200, so the result is not always a multiple of 0x200 (e.g. 0x320 -> 0x500).
 */
DWORD MoveRelocaDataOfEndcodeSection(PVOID pFileBuff, PIMAGE_SECTION_HEADER pEncodeSec, DWORD dReloctableNewLocal)
{
PVOID pRelocBasePoint = GetRelocalTableHeader(pFileBuff);
PIMAGE_BASE_RELOCATION pTemp = pRelocBasePoint;
DWORD dMoveBlockSize = 0;          /* total bytes of the blocks inside pEncodeSec */
PVOID pMovePoint=NULL;             /* first block to move */
DWORD dSconMovePotin = 0;          /* new location of the preceding blocks; later reused as an RVA */
DWORD dSconMoveSize = 0;           /* bytes of blocks preceding pMovePoint; later reused as a section count */
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuff;
PIMAGE_FILE_HEADER pFileHeader = pDosHeader->e_lfanew + (LONG)pDosHeader + 4;
PIMAGE_OPTIONAL_HEADER32 pOptionaleHeader = pFileHeader + 1;
PIMAGE_SECTION_HEADER pSection = (DWORD)pOptionaleHeader + pFileHeader->SizeOfOptionalHeader;
if (pRelocBasePoint == 0)
{
/* "no relocations, packing failed" */
MessageBox(0, TEXT("无重定位,加壳失败"), 0, 0);
return 0;
}
/* pass 1: size of everything that has to move */
while ((pTemp->VirtualAddress != 0) && (pTemp->SizeOfBlock != 0))
{
if (IsMoveRelocaData(pTemp, pEncodeSec))
{
dMoveBlockSize += pTemp->SizeOfBlock;
}
pTemp = (DWORD)pTemp + pTemp->SizeOfBlock;
}
pMovePoint = GetMoveRelocaPotin(pRelocBasePoint, pEncodeSec);
dSconMoveSize = (DWORD)pMovePoint - (DWORD)pRelocBasePoint;                   /* bytes before the moved range */
dSconMovePotin = ((DWORD)pMovePoint + dMoveBlockSize) - dSconMoveSize;        /* = table start + dMoveBlockSize */
memcpy((DWORD)dReloctableNewLocal, pMovePoint, dMoveBlockSize);               /* moved blocks -> end of file */
memset((DWORD)pMovePoint, 0, dMoveBlockSize);
memcpy((PVOID)dSconMovePotin, pRelocBasePoint, dSconMoveSize);                /* preceding blocks shift forward (may overlap) */
pOptionaleHeader->DataDirectory[5].VirtualAddress += dMoveBlockSize;          /* table now starts after the shift */
pOptionaleHeader->DataDirectory[5].Size -= dMoveBlockSize;
dSconMoveSize = (DWORD)pFileHeader->NumberOfSections;
dSconMovePotin = pSection[dSconMoveSize - 1].VirtualAddress + pSection[dSconMoveSize - 1].SizeOfRawData;   /* RVA of the end of the last section = where the moved blocks land */
*(DWORD*)(((DWORD)pFileBuff) + 0x40) = dSconMovePotin;                        /* read back by ShellEntry ([base+0x40]) */
if (dMoveBlockSize % 0X200 == 0)
{
return dMoveBlockSize;
}
else
{
return (dMoveBlockSize & 0XFFFFFF00) + 0x200;
}
return 0;   /* unreachable */
}
/*
 * ChangeOEP(pFileBuff, pOrigeExcutePoint, dShellcodeStart)
 * Redirects the target's entry point to the stub copied by AddSection.
 *   pOrigeExcutePoint : address of ShellEntry in this process;
 *   dShellcodeStart   : file offset at which the ".core" bytes were written.
 * dOEPfoa = (ShellEntry - start of .core in memory) + dShellcodeStart is the
 * file offset of ShellEntry in the output; it is converted to an RVA through
 * the last section (the stub was appended to it) and stored in
 * AddressOfEntryPoint.  The old entry RVA is written at dOEPfoa + 0x191, the
 * imm32 of `add eax, 0x22e4` in ShellEntry; that offset is tied to the
 * compiled layout of ShellEntry.
 * Globals read: pShellCodeSection.
 */
VOID ChangeOEP(PVOID pFileBuff,PVOID pOrigeExcutePoint,DWORD dShellcodeStart)
{
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuff;
PIMAGE_FILE_HEADER pFileHeader = pDosHeader->e_lfanew + (LONG)pDosHeader+4;
PIMAGE_OPTIONAL_HEADER32 pOptionaleHeader = pFileHeader + 1;
PIMAGE_SECTION_HEADER pSection = (DWORD)pOptionaleHeader + pFileHeader->SizeOfOptionalHeader;
DWORD dOldOEPrva = pOptionaleHeader->AddressOfEntryPoint;
DWORD dOEPfoa = (DWORD)pOrigeExcutePoint - ((DWORD)(pShellCodeSection->VirtualAddress) + (DWORD)GetModuleHandle(NULL)) + dShellcodeStart;   /* file offset of ShellEntry in the output */
int SecNum = pFileHeader->NumberOfSections;
pOptionaleHeader->AddressOfEntryPoint = dOEPfoa-pSection[SecNum-1].PointerToRawData+pSection[SecNum-1].VirtualAddress;   /* FOA -> RVA via the last section */
*(DWORD*)((DWORD)pFileBuff+dOEPfoa + 0X191) = dOldOEPrva;   /* patch the imm32 of `add eax, 0x22e4` in ShellEntry */
return;
}
/*
 * C-side mirrors of what the stub builds by hand: MYUNICODE_STRING has the
 * Length / MaximumLength / Buffer layout ShellEntry writes at [ebp-0xc], and
 * MYLOAD matches the argument order it passes to LdrLoadDll; MYMEG is a
 * MessageBoxA-style pointer type.  None of the three is referenced in this file.
 */
typedef struct
{
USHORT length;     /* byte length without terminator */
USHORT MaxLenth;   /* byte length of the buffer */
PWCHAR Buffer;
}MYUNICODE_STRING, * PMYUNICODE_STRING;
typedef NTSTATUS (WINAPI*MYLOAD)(PWSTR,ULONG, PMYUNICODE_STRING,PHANDLE);
typedef DWORD(WINAPI* MYMEG)(HINSTANCE, LPSTR, LPSTR, DWORD);
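/*
 * main(): packs the hard-coded input executable and writes the result to the
 * hard-coded output path.  Steps, in the order the on-disk layout requires:
 *   1. read the input into a buffer with 0x9000 bytes of slack;
 *   2. pick the section to encode and locate this program's ".core" section;
 *   3. move that section's relocation blocks to the end of the file and
 *      record their future RVA in the DOS header area (+0x40);
 *   4. append the ".core" bytes (the runtime stub) after them;
 *   5. encode the chosen section;
 *   6. point the entry at ShellEntry and patch the original entry RVA into it;
 *   7. write the output and release the buffer.
 * Each failing step prints a message and skips the remaining steps, so the
 * output file is never written from a half-processed buffer.  Returns 0.
 */
int main()
{
    CHAR* path = "C:\\Users\\YH\\Desktop\\子窗口.exe";
    CHAR* outpath = "C:\\Users\\YH\\Desktop\\SH子窗口.exe";
    DWORD dMoveSize = 0;
    DWORD dShellcodeStart;
    PVOID pFileBuff = CreateFileBuff(path);
    if (pFileBuff == NULL)
    {
        printf("cannot read input file\n");
        return 0;
    }
    pEncodeHandleSection = NULL;   /* GetTargtFileBuffCodeSection leaves it unchanged when nothing matches */
    GetTargtFileBuffCodeSection(pFileBuff);
    pShellCodeSection = GetShellCodeSection();
    if (pEncodeHandleSection == NULL || pShellCodeSection == NULL)
    {
        printf("section lookup failed\n");
    }
    else
    {
        dMoveSize = MoveRelocaDataOfEndcodeSection(pFileBuff, pEncodeHandleSection, (DWORD)pFileBuff + dTargetFileSize);
        /* 0 means no relocation blocks were moved; the stub would then parse non-relocation bytes at run time */
        if (dMoveSize == 0)
        {
            printf("relocation move failed\n");
        }
        else
        {
            dShellcodeStart = dMoveSize + dTargetFileSize;   /* file offset where the stub is appended */
            AddSection(pFileBuff, dTargetFileSize, dMoveSize);
            Encode((UCHAR*)(pEncodeHandleSection->PointerToRawData + (DWORD)pFileBuff), pEncodeHandleSection->SizeOfRawData);
            ChangeOEP(pFileBuff, ShellEntry, dShellcodeStart);
            if (!WriteBuffToDisk(outpath, pFileBuff, dTargetFileSize + dMoveSize + pShellCodeSection->SizeOfRawData))
            {
                printf("cannot write output file\n");
            }
        }
    }
    /* the buffer came from VirtualAlloc(NULL, ...): MEM_RELEASE with size 0 frees the whole allocation */
    VirtualFree(pFileBuff, 0, MEM_RELEASE);
    system("pause");
    return 0;
}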