  • 简单Src加壳程序

    写了很久了,但对Windows的api不了解,

    1. 比如创建挂起进程报05拒绝访问错误,再比如报了这个错还能正常运行,所以我推测挂起创建进程可能本身就会产生这种错误。(但Win32手册上不是这么说的,就让我感觉到很奇怪,我也尝试着运行了从网上下载下来的代码,但最终会报错0xc0000005,我的程序有时候也会报这个,太奇怪了)

    2. 其次就是获取线程的context了,这个在我验证地址的时候是af开头的,也就是说到了内核部分,但Windows是没有共享内存的,所以我猜测这里可能要提权才能访问了

    3. 再其次就是管理员运行好像也不能让进程访问Windows的内核,只能用提权,不说了(还没完成提权的操作呢,晚上接着试,先把博客放上来,看看有没有师傅能指点一下我)

    贴代码:

    加密代码

      1 #define _CRT_SECURE_NO_WARNINGS
      2 #include<Windows.h>
      3 #include<CommCtrl.h>
      4 #include<Psapi.h>
      5 #include<iostream>
      6 #include<iomanip>
      7 #include <Tlhelp32.h.>
      8 #include<stdlib.h>
      9 #include<Shlwapi.h>
     10 #include<iostream>
     11 #pragma comment(lib,"shlwapi.lib")
     12 #pragma comment(lib,"comctl32.lib")
     13 #pragma comment(lib,"Psapi.lib")
     14 using namespace std;
     15 
int filesize = 0; // unused in this file: pReadFile() and MemoryToFile() each declare a local `filesize` that shadows this global
     17 
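/// Adds the section-aligned size of the payload to *size_.
///
/// The rounding (size / alignment + 1 pages) deliberately matches the
/// count computed in ExtendSection(), so the buffer allocated from the
/// resulting size is exactly as large as the new section header claims;
/// do not change one without the other.
///
/// @param pOptionHeader optional header of the host image (only
///        SectionAlignment is read); taken by const reference instead of
///        by value to avoid copying the ~224-byte struct
/// @param size_          in/out: grows by the aligned payload size;
///                       left untouched when NULL
/// @param EncryptOfsize  raw payload size in bytes
VOID CacuFileOfSize(const IMAGE_OPTIONAL_HEADER& pOptionHeader, DWORD* size_, DWORD EncryptOfsize)
{
    if (size_ == NULL)
        return;

    const DWORD alignment = pOptionHeader.SectionAlignment;
    // A zero alignment would divide by zero; a valid PE never has one,
    // so treat it as "nothing to add" rather than crashing.
    if (alignment == 0)
        return;

    // Unsigned arithmetic throughout; the original mixed int and DWORD.
    const DWORD pageCount = EncryptOfsize / alignment + 1;
    *size_ += pageCount * alignment;
}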
     23 
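/// Reads a whole file into a malloc()'d buffer.
///
/// @param lpszFile path of the file to read
/// @param size_    out: number of bytes actually read (0 on failure);
///                 may be NULL
/// @return malloc()'d buffer the caller must free(), or NULL when the
///         file cannot be opened, sized, allocated or read
PVOID pReadFile(LPSTR lpszFile, DWORD* size_)
{
    if (size_ != NULL)
        *size_ = 0;

    // "rb" rather than "rb+": this function only reads, so it should not
    // ask for write access (that also lets read-only files be processed).
    FILE* pFile = fopen(lpszFile, "rb");
    if (!pFile) {
        cout << "读取文件失败" << endl;
        return NULL;
    }

    // Size by seeking to the end. ftell() returns -1 on failure (e.g. a
    // non-seekable stream); the original cast that straight into a DWORD
    // and tried a ~4 GiB allocation.
    fseek(pFile, 0, SEEK_END);
    const long fileLength = ftell(pFile);
    fseek(pFile, 0, SEEK_SET);
    if (fileLength < 0) {
        cout << "读取文件失败" << endl;
        fclose(pFile);
        return NULL;
    }
    const DWORD filesize = (DWORD)fileLength;

    LPVOID FileBuffer = malloc(filesize);
    if (!FileBuffer)
    {
        cout << "内存分配失败" << endl;
        fclose(pFile);
        return NULL;
    }

    const size_t bytesRead = fread(FileBuffer, 1, filesize, pFile);
    fclose(pFile);
    if (!bytesRead)
    {
        cout << "读取数据失败" << endl;
        free(FileBuffer);   // the original leaked the buffer on this path
        return NULL;
    }

    if (size_ != NULL)
        *size_ = (DWORD)bytesRead;
    return FileBuffer;
}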
     59 
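/// Writes size_ bytes from pFileBuffer to NewFileName, creating or
/// truncating the file.
///
/// @param NewFileName path of the output file
/// @param pFileBuffer bytes to write (may be NULL only when size_ is 0)
/// @param size_       number of bytes to write
/// @return TRUE when every byte was written and the file closed cleanly,
///         FALSE otherwise. A failure to create the file still ends the
///         process via ExitProcess, as the original did; callers in this
///         file do not check the return value.
BOOL MemoryToFile(LPSTR NewFileName, PVOID pFileBuffer, DWORD size_)
{
    FILE* pFile = fopen(NewFileName, "wb+");
    if (!pFile) {
        cout << "创建文件失败" << endl;
        ExitProcess(0);
        return FALSE;   // not reached; kept so every path yields a value
    }

    // Write byte-wise so a short write shows up as a count. The original
    // never looked at fwrite's result and then fell off the end of a BOOL
    // function, which is undefined behaviour.
    const size_t written = (size_ == 0) ? 0 : fwrite(pFileBuffer, 1, size_, pFile);
    const int closeResult = fclose(pFile);

    return (written == size_ && closeResult == 0) ? TRUE : FALSE;
}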
     76 
/// Appends one section header (".enSec") to the stub's section table and
/// grows the image so a payload of EncryptOfSize bytes fits after the
/// current last section. Only headers are touched; the payload bytes are
/// copied in by the caller.
///
/// @param pFileBuffer   stub image in file layout, already enlarged by
///                      the extra aligned pages (see CacuFileOfSize)
/// @param EncryptOfSize raw payload size in bytes
///
/// NOTE(review): the ".text" search below is `while (temp)` on a pointer
/// that never becomes NULL, so an image without a ".text" section makes
/// it walk past the section table. The new header is written at index
/// NumberOfSections without checking that the header area has room for
/// it. Name[6] and Name[7] are not written, so the name terminator relies
/// on the caller having zero-filled the buffer.
VOID ExtendSection(PVOID pFileBuffer, DWORD EncryptOfSize)
{
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNTHeader;
    PIMAGE_FILE_HEADER pFileHeader;
    PIMAGE_OPTIONAL_HEADER pOptionHeader;
    PIMAGE_SECTION_HEADER pSectionHeader;
    PIMAGE_DATA_DIRECTORY pDataDir;      // computed below but never read
    PIMAGE_BASE_RELOCATION pRelocTable;  // unused

    // Header walk via DWORD casts: valid on 32-bit builds only.
    pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
    pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + pDosHeader->e_lfanew);
    pFileHeader = (PIMAGE_FILE_HEADER)((DWORD)pNTHeader + 4);
    pOptionHeader = (PIMAGE_OPTIONAL_HEADER)(DWORD(pFileHeader) + IMAGE_SIZEOF_FILE_HEADER);
    // `+ 8 * 5` is applied to a typed pointer, so it skips 40 directory
    // entries rather than 40 bytes; harmless only because pDataDir is unused.
    pDataDir = (PIMAGE_DATA_DIRECTORY)((PIMAGE_DATA_DIRECTORY)((DWORD)pNTHeader + 0x78) + 8 * 5);
    pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pFileHeader->SizeOfOptionalHeader);



    // Slot just past the last existing section header; its fields are
    // filled in below.
    PIMAGE_SECTION_HEADER pCurSection = pSectionHeader + pFileHeader->NumberOfSections;
    PIMAGE_SECTION_HEADER temp = pSectionHeader;
    // Find the code section and copy its Characteristics onto the new
    // section (unbounded walk, see the note above).
    while (temp)
    {
        if (temp->Name[0] == '.' && temp->Name[1] == 't' && temp->Name[2] == 'e' && temp->Name[3] == 'x' && temp->Name[4] == 't')
        {
            pCurSection->Characteristics |= temp->Characteristics;
            break;
        }
        temp++;
    }
    // Overwritten a few lines down (set to EncryptOfSize).
    pCurSection->Misc.PhysicalAddress = pOptionHeader->SectionAlignment;
    // Section name ".enSec" (6 of the 8 name bytes).
    pCurSection->Name[0] = '.';
    pCurSection->Name[1] = 'e';
    pCurSection->Name[2] = 'n';
    pCurSection->Name[3] = 'S';
    pCurSection->Name[4] = 'e';
    pCurSection->Name[5] = 'c';
    // File offset: directly after the previous last section's raw data.
    pCurSection->PointerToRawData = (pSectionHeader + pFileHeader->NumberOfSections - 1)->PointerToRawData
        + (pSectionHeader + pFileHeader->NumberOfSections - 1)->SizeOfRawData;
    //pCurSection.
    // Misc.PhysicalAddress aliases Misc.VirtualSize; the loader reads the
    // latter back as the payload length.
    pCurSection->Misc.PhysicalAddress = EncryptOfSize;
    // Number of SectionAlignment-sized pages the payload occupies (same
    // rounding as CacuFileOfSize, which sized the buffer).
    DWORD count = EncryptOfSize / pOptionHeader->SectionAlignment + 1;
    // RVA of the new section: the current end of the image.
    pCurSection->VirtualAddress = pOptionHeader->SizeOfImage;
    // Aligned size of the section's raw data.
    pCurSection->SizeOfRawData = count * pOptionHeader->SectionAlignment;
    // Register the extra section header.
    pFileHeader->NumberOfSections += 1;
    // Grow the image to cover the new section.
    pOptionHeader->SizeOfImage += count * pOptionHeader->SectionAlignment;
    
}
    133 
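/// XORs every byte of the buffer with the fixed key 0x56 in place. XOR
/// is symmetric, so applying it twice restores the original bytes; the
/// loader side reverses it with the same key.
///
/// @param pFile buffer to transform (may be NULL only when size_ is 0)
/// @param size_ number of bytes to transform
VOID Encrypt(PCHAR pFile, DWORD size_)
{
    if (pFile == NULL)
        return;
    // Unsigned index: the original compared a signed int against the
    // DWORD length (signed/unsigned mismatch, and overflow past 2 GiB).
    for (DWORD i = 0; i < size_; i++)
        pFile[i] ^= 0x56;
}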
    139 
/// Packer driver: reads the stub SFile and the payload EncryptOfFileName,
/// appends a section header to the stub describing the payload, XORs the
/// payload and appends it after the stub's original bytes, then writes
/// the result to NFile.
///
/// @param SFile             stub executable (the loader)
/// @param NFile             output path
/// @param EncryptOfFileName file to embed
/// @return malloc()'d buffer holding the written image; the caller owns it
///
/// NOTE(review): neither pReadFile() result nor malloc() is checked for
/// NULL before use, and pSFileBuffer / EncryptOfFile are never freed.
/// The payload is copied at file offset OldSize_ (the stub's original
/// length) while ExtendSection() sets the new section's PointerToRawData
/// to the end of the previous last section — these coincide only when the
/// stub carries no data after its last section (presumably true for the
/// author's stub; worth asserting rather than assuming).
PVOID AddFileOFSize(LPSTR SFile,char NFile[],LPSTR EncryptOfFileName)
{
    // Read the stub and make room for one more section.
    PVOID pSFileBuffer;
    DWORD size_;
    PVOID pNewFileBuffer;
    pSFileBuffer = pReadFile(SFile, &size_);
    
    DWORD EncryptOfSize_;
    PVOID EncryptOfFile = pReadFile(EncryptOfFileName, &EncryptOfSize_);


    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNTHeader;
    PIMAGE_FILE_HEADER pFileHeader;
    PIMAGE_OPTIONAL_HEADER pOptionHeader;
    PIMAGE_SECTION_HEADER pSectionHeader;
    PIMAGE_DATA_DIRECTORY pDataDir;      // unused
    PIMAGE_BASE_RELOCATION pRelocTable;  // unused

    // Header walk via DWORD casts: 32-bit builds only.
    pDosHeader = (PIMAGE_DOS_HEADER)pSFileBuffer;
    pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + pDosHeader->e_lfanew);
    pFileHeader = (PIMAGE_FILE_HEADER)((DWORD)pNTHeader + 4);
    pOptionHeader = (PIMAGE_OPTIONAL_HEADER)(DWORD(pFileHeader) + IMAGE_SIZEOF_FILE_HEADER);
    pDataDir = (PIMAGE_DATA_DIRECTORY)((PIMAGE_DATA_DIRECTORY)((DWORD)pNTHeader + 0x78) + 8 * 5);
    pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pFileHeader->SizeOfOptionalHeader);


    DWORD OldSize_ = size_;
    // Grow size_ by the section-aligned payload size.
    CacuFileOfSize(*pOptionHeader, &size_,EncryptOfSize_);

    // Fresh zero-filled buffer; ExtendSection relies on the zero fill for
    // the unwritten bytes of the new section name.
    pNewFileBuffer = malloc(size_);
    memset(pNewFileBuffer, 0, size_);
    memcpy(pNewFileBuffer, pSFileBuffer, OldSize_);
    ExtendSection(pNewFileBuffer,EncryptOfSize_);

    // XOR the payload in place, then append it after the stub's bytes.
    Encrypt((PCHAR)EncryptOfFile, EncryptOfSize_);

    memcpy(PVOID((DWORD)pNewFileBuffer+ OldSize_), EncryptOfFile, EncryptOfSize_);

    MemoryToFile(NFile, pNewFileBuffer, size_);   // return value ignored
    return pNewFileBuffer;
}
    185 
    186 
    187 
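/// Packer entry point: reads the output file name from stdin, then embeds
/// "peinfo.exe" into the stub "shell.exe" as a new section and writes the
/// result under that name.
///
/// argc/argv are unused; the input names are fixed. The parameter types
/// are the standard char-based ones (the original declared argv as
/// WCHAR*, which is not a conforming main signature).
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    char lpszFile[] = "shell.exe";

    // setw() bounds the extraction to 49 characters plus the terminator;
    // the original `cin >> lpszNewFile` wrote an unbounded token into a
    // 50-byte array, a stack overflow on any longer name.
    char lpszNewFile[50] = { 0 };
    cin >> setw(sizeof(lpszNewFile)) >> lpszNewFile;
    if (!cin || lpszNewFile[0] == '\0')
    {
        printf("failed");
        return 1;
    }

    char lpCryptFile[] = "peinfo.exe";
    PVOID NewFileBuffer = AddFileOFSize(lpszFile, lpszNewFile, lpCryptFile);
    if (NewFileBuffer == NULL)
    {
        printf("failed");
        return 1;
    }
    // AddFileOFSize() has already written the image; the buffer is ours to free.
    free(NewFileBuffer);

    printf("success");
    return 0;
}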

    壳代码

      1 #define _CRT_SECURE_NO_WARNINGS
      2 #include<Windows.h>
      3 #include<CommCtrl.h>
      4 #include<Psapi.h>
      5 #include<iostream>
      6 #include<iomanip>
      7 #include <Tlhelp32.h.>
      8 #include<stdlib.h>
      9 #include<iostream>
     10 #include<Shlwapi.h>
     11 #pragma comment(lib,"shlwapi.lib")
     12 #pragma comment(lib,"comctl32.lib")
     13 #pragma comment(lib,"Psapi.lib")
     14 #pragma once
     15 
     16 #pragma region private
     17 
     18 #define __Macro_ToStringFunc__(x) #x
     19 
     20 #pragma endregion private
     21 
     22 #pragma region public
     23 
     24 #define MacroToString(x) __Macro_ToStringFunc__(x)
     25 #define MacroLine MacroToString(__LINE__)
     26 
     27 #pragma endregion public
// Shared state for the `messagebox` debugging helper below.
int flag;                       // last GetLastError() value captured by `messagebox`
WCHAR errorMessage[20] = { 0 }; // "%d" of a DWORD needs at most 11 characters, so 20 suffices
// NOTE(review): as reproduced here the #define has no trailing '\' line
// continuations, so the macro body is only '{' and the three statements
// after it would be parsed at file scope; presumably the continuations
// were lost when the listing was rendered — confirm against the original.
#define messagebox {
    flag=GetLastError();
    wsprintf(errorMessage,L"%d",flag);
    MessageBoxW(0,errorMessage,0,0);
}
     35 
     36 using namespace std;
     37 
     38 
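/// Translates a relative virtual address (RVA) of a PE32 image held in a
/// raw file buffer into the matching file offset (FOA).
///
/// RVAs below the first section (the header region) map to themselves;
/// all other RVAs are looked up in the section table.
///
/// @param pFileBuffer start of the file image as read from disk
/// @param dwRva       RVA to translate
/// @return the file offset, or 0 when the buffer is NULL, the headers do
///         not carry the MZ/PE signatures, or no section contains the
///         RVA. 0 is also the FOA of the DOS header itself, so callers
///         that may legitimately pass RVA 0 must validate beforehand.
DWORD RVAToFOA(PVOID pFileBuffer, DWORD dwRva)
{
    if (!pFileBuffer)
    {
        printf("文件读取失败\n");
        return 0;
    }

    // Byte arithmetic instead of casting pointers to DWORD, which
    // truncates on 64-bit builds.
    BYTE* base = (BYTE*)pFileBuffer;
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)base;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return 0;
    PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)(base + pDosHeader->e_lfanew);
    if (pNTHeader->Signature != IMAGE_NT_SIGNATURE)
        return 0;
    PIMAGE_FILE_HEADER pPEHeader = &pNTHeader->FileHeader;
    PIMAGE_SECTION_HEADER pSectionHeader =
        (PIMAGE_SECTION_HEADER)((BYTE*)&pNTHeader->OptionalHeader + pPEHeader->SizeOfOptionalHeader);

    const WORD sectionCount = pPEHeader->NumberOfSections;

    // Header region: file and memory layout coincide.
    if (sectionCount > 0 && dwRva < pSectionHeader->VirtualAddress)
        return dwRva;

    for (WORD i = 0; i < sectionCount; i++)
    {
        const PIMAGE_SECTION_HEADER section = pSectionHeader + i;
        const DWORD sectionStart = section->VirtualAddress;
        // Last valid RVA of a section is start + size - 1; the original
        // used <= and mapped the byte just past a section into it. The
        // subtraction form also cannot overflow for large sizes.
        if (dwRva >= sectionStart && dwRva - sectionStart < section->Misc.VirtualSize)
            return section->PointerToRawData + (dwRva - sectionStart);
    }

    // Not inside any section. The original kept walking past the table
    // and computed an offset from whatever followed it.
    return 0;
}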
     86 
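/// Reads a whole file into a malloc()'d buffer (loader-side variant: the
/// size is not reported back; callers derive it from the PE headers).
///
/// @param lpszFile path of the file to read
/// @return malloc()'d buffer the caller must free(), or NULL when the
///         file cannot be opened, is empty, cannot be sized, allocated
///         or fully read
PVOID pReadFile(LPSTR lpszFile)
{
    FILE* pFile = fopen(lpszFile, "rb");
    if (!pFile)
    {
        printf("无法打开文件EXE文件");
        return NULL;
    }

    // ftell() reports -1 on failure; the original cast that into a
    // ~4 GiB DWORD and only failed later, at malloc().
    fseek(pFile, 0, SEEK_END);
    const long fileLength = ftell(pFile);
    fseek(pFile, 0, SEEK_SET);
    if (fileLength <= 0)
    {
        printf("读取数据失败\n");
        fclose(pFile);
        return NULL;
    }
    const DWORD fileSize = (DWORD)fileLength;

    LPVOID pFileBuffer = malloc(fileSize);
    if (!pFileBuffer)
    {
        printf("分配空间失败!\n");
        fclose(pFile);
        return NULL;
    }

    // One record of fileSize bytes, as in the original: a short read
    // counts as a failure.
    const size_t records = fread(pFileBuffer, fileSize, 1, pFile);
    fclose(pFile);
    if (records != 1)
    {
        printf("读取数据失败\n");
        free(pFileBuffer);
        return NULL;
    }
    return pFileBuffer;
}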
    131 
/// Expands a PE32 file image into its in-memory layout: allocates
/// SizeOfImage bytes, copies SizeOfHeaders bytes of headers, then copies
/// each section's raw data (SizeOfRawData bytes at PointerToRawData) to
/// its VirtualAddress.
///
/// @param pFileBuffer raw file image as read from disk
/// @return malloc()'d image buffer the caller must free(), or NULL when
///         pFileBuffer is NULL or the allocation fails
///
/// NOTE(review): every size and offset is taken from the headers without
/// validation. The function does not know the file buffer's length, so
/// PointerToRawData + SizeOfRawData can read past it, and
/// VirtualAddress + SizeOfRawData is never compared with ImageSize, so
/// memcpy can write past pImageBuffer (heap overflow) on a malformed or
/// truncated image. Safe only for input the caller already trusts.
PVOID StretchingFile(PVOID pFileBuffer)
{
    PIMAGE_DOS_HEADER pDosHeader = NULL;
    PIMAGE_NT_HEADERS pNTHeader = NULL;
    PIMAGE_FILE_HEADER pPEHeader = NULL;
    PIMAGE_OPTIONAL_HEADER32 pOptionHeader = NULL;
    PIMAGE_SECTION_HEADER pSectionHeader = NULL;

    if (!pFileBuffer)
    {
        printf("文件读取失败
");
        return NULL;
    }

    // Header walk via DWORD casts: 32-bit builds only.
    pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
    pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer + pDosHeader->e_lfanew);
    pPEHeader = (PIMAGE_FILE_HEADER)(((DWORD)pNTHeader) + 4);
    pOptionHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pPEHeader + IMAGE_SIZEOF_FILE_HEADER);
    pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pPEHeader->SizeOfOptionalHeader);

    DWORD ImageSize = pOptionHeader->SizeOfImage;

    //LPVOID pImageBuffer=NULL;
    // Allocate the in-memory image.
    LPVOID pImageBuffer = NULL;
    pImageBuffer = malloc(ImageSize);

    if (!pImageBuffer)
    {
        printf("pImageBuffer分配空间失败!
");
        return NULL;
    }
    //printf("%x \n",ImageSize);

    memset(pImageBuffer, 0, ImageSize);

    // Copy in two steps: headers, then sections.
    // 1. Headers (SizeOfHeaders bytes, unchecked against ImageSize).
    DWORD HeaderSize = pOptionHeader->SizeOfHeaders;
    //DWORD Head_i = 0;
    //copy header
    memcpy(pImageBuffer, pFileBuffer, HeaderSize);

    // 2. Sections, one at a time, from pSectionHeader.
    int Section_Number = pPEHeader->NumberOfSections;

    LPVOID pFileBuffer_sec = pFileBuffer;
    LPVOID pImageBuffer_sec = pImageBuffer;

    //printf("pFileBuffer_sec: %x \n",pFileBuffer_sec);
    //printf("pImageBuffer_sec: %x \n",pImageBuffer_sec);

    for (int i = 0; i < Section_Number; i++)
    {
        // Source: PointerToRawData in the file; destination: VirtualAddress
        // in the image. Neither bound is validated (see note above).
        DWORD FileSizeOfRawData = pSectionHeader->SizeOfRawData;
        DWORD FilePointerToRawData = pSectionHeader->PointerToRawData;
        DWORD MemVirtualAddress = pSectionHeader->VirtualAddress;
        pFileBuffer_sec = (LPVOID)((DWORD)pFileBuffer + FilePointerToRawData);
        pImageBuffer_sec = (LPVOID)((DWORD)pImageBuffer + MemVirtualAddress);

        //printf("pFileBuffer_sec: %x \n",pFileBuffer_sec);
        //printf("pImageBuffer_sec: %x \n",pImageBuffer_sec);

        memcpy(pImageBuffer_sec, pFileBuffer_sec, FileSizeOfRawData);
        // Advance to the next section header (40 == sizeof(IMAGE_SECTION_HEADER)).
        pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pSectionHeader + 40);
    }

    // Write-out helper left disabled.
    //WirteToFile(pImageBuffer,ImageSize,"c://image.exe");

    return pImageBuffer;
}
    208 
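/// Writes size_ bytes from pFileBuffer to NewFileName, creating or
/// truncating the file.
///
/// @param NewFileName path of the output file
/// @param pFileBuffer bytes to write (may be NULL only when size_ is 0)
/// @param size_       number of bytes to write
/// @return TRUE when every byte was written and the file closed cleanly,
///         FALSE otherwise. A failure to create the file still ends the
///         process via ExitProcess, as the original did; callers in this
///         file do not check the return value.
BOOL MemoryToFile(LPSTR NewFileName, PVOID pFileBuffer, DWORD size_)
{
    FILE* pFile = fopen(NewFileName, "wb+");
    if (!pFile) {
        cout << "创建文件失败" << endl;
        ExitProcess(0);
        return FALSE;   // not reached; kept so every path yields a value
    }

    // Write byte-wise so a short write shows up as a count. The original
    // never looked at fwrite's result and then fell off the end of a BOOL
    // function, which is undefined behaviour.
    const size_t written = (size_ == 0) ? 0 : fwrite(pFileBuffer, 1, size_, pFile);
    const int closeResult = fclose(pFile);

    return (written == size_ && closeResult == 0) ? TRUE : FALSE;
}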
    225 
/// Reverses the packer's single-byte XOR (key 0x56, the same key the
/// packer's Encrypt() applies) in place over the first
/// lastSection->Misc.VirtualSize bytes of pFileBuffer, then dumps the
/// plain bytes to "aaaa.exe" in the current directory.
///
/// @param pFileBuffer start of the encoded payload inside the file image
/// @param lastSection header of the section holding the payload (only
///                    Misc.VirtualSize is read)
///
/// NOTE(review): the dump is a debugging aid, but it writes the decoded
/// payload to disk beside the loader on every run — a straightforward
/// artifact for file scanning and forensics, and MemoryToFile()'s result
/// is ignored. `(int)pFileBuffer + i` truncates the pointer on 64-bit
/// builds; the rest of this file is 32-bit-only anyway (it reads
/// CONTEXT.Ebx).
VOID Decrypt(PVOID pFileBuffer, PIMAGE_SECTION_HEADER lastSection)
{
    for (int i = 0; i < lastSection->Misc.VirtualSize; i++)   // signed i vs DWORD size: signed/unsigned comparison
    {
        *((PBYTE)((int)pFileBuffer + i)) ^= 0x56;
    }
    char b[] = "aaaa.exe";
    MemoryToFile(b, pFileBuffer, lastSection->Misc.VirtualSize);
}
    235 
    236 
    237 
/// Reads the file lpName (the loader passes its own path), takes its last
/// section header, XOR-decodes the bytes at that section's
/// PointerToRawData via Decrypt() and returns a fresh copy of them.
///
/// @param lpName path of the file to read
/// @return malloc()'d buffer holding Misc.VirtualSize bytes of the decoded
///         payload; the caller owns it
///
/// NOTE(review): pReadFile()'s result is dereferenced without a NULL
/// check, malloc() is unchecked, and pFileBuffer is never freed.
/// "The last section is the payload" is an assumption shared with the
/// packer side, which appends exactly one section; any later change to
/// the file's section table breaks it silently. pDataDir/pRelocTable are
/// unused.
PVOID GetSrcData(CHAR* lpName)
{

    PVOID pFileBuffer = pReadFile(lpName);

    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNTHeader;
    PIMAGE_FILE_HEADER pFileHeader;
    PIMAGE_OPTIONAL_HEADER pOptionHeader;
    PIMAGE_SECTION_HEADER pSectionHeader;
    PIMAGE_DATA_DIRECTORY pDataDir;      // unused
    PIMAGE_BASE_RELOCATION pRelocTable;  // unused

    // Header walk via DWORD casts: 32-bit builds only.
    pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
    pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + pDosHeader->e_lfanew);
    pFileHeader = (PIMAGE_FILE_HEADER)((DWORD)pNTHeader + 4);
    pOptionHeader = (PIMAGE_OPTIONAL_HEADER)(DWORD(pFileHeader) + IMAGE_SIZEOF_FILE_HEADER);
    pDataDir = (PIMAGE_DATA_DIRECTORY)((DWORD)pOptionHeader + 0x60);
    pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pFileHeader->SizeOfOptionalHeader);

    // The appended payload section (see note above).
    PIMAGE_SECTION_HEADER lastSection = pSectionHeader + pFileHeader->NumberOfSections-1;

    PVOID MainModule = (PVOID)((DWORD)pFileBuffer + lastSection->PointerToRawData);

    // Decodes in place inside pFileBuffer (and writes a copy to disk).
    Decrypt(MainModule, lastSection);

    PVOID TempFileMemory = malloc(lastSection->Misc.VirtualSize);
    memcpy(TempFileMemory, MainModule,lastSection->Misc.VirtualSize);

    return TempFileMemory;
}
    269 
/// Fallback used when the payload cannot be mapped at its preferred
/// ImageBase: allocates ImageOfSize bytes anywhere in hProcess and then
/// walks the payload's base-relocation directory in the file buffer,
/// adding the delta (new base - ImageBase) to each block's VirtualAddress
/// field. Nothing else in the buffer is modified.
///
/// @param pFileBuffer payload image in file layout (modified in place)
/// @param hProcess    target process handle
/// @param ImageOfSize bytes to allocate (the payload's SizeOfImage)
/// @return the remote allocation; on either failure the process exits
///
/// NOTE(review): the relocation walk has no bound against the directory's
/// Size, so a malformed table is read past its end until a zero block is
/// met; RVAToFOA()'s result is used unvalidated. The printf in the loop
/// passes one argument for two conversions (undefined behaviour).
/// ExitProcess on the failure paths leaves the caller's suspended child
/// alive. Allocating PAGE_EXECUTE_READWRITE memory in another process is
/// itself a widely used detection heuristic.
PVOID MyAnyAllocAddr(PVOID pFileBuffer,HANDLE hProcess,DWORD ImageOfSize)
{
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNTHeader;
    PIMAGE_FILE_HEADER pFileHeader;
    PIMAGE_OPTIONAL_HEADER pOptionHeader;
    PIMAGE_SECTION_HEADER pSectionHeader;   // assigned but never read
    PIMAGE_DATA_DIRECTORY pDataDir;
    PIMAGE_BASE_RELOCATION pRelocTable;     // unused

    // Header walk via DWORD casts: 32-bit builds only.
    pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
    pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + pDosHeader->e_lfanew);
    pFileHeader = (PIMAGE_FILE_HEADER)((DWORD)pNTHeader + 4);
    pOptionHeader = (PIMAGE_OPTIONAL_HEADER)(DWORD(pFileHeader) + IMAGE_SIZEOF_FILE_HEADER);
    // 0x78 past the NT headers is the first data directory entry.
    pDataDir = (PIMAGE_DATA_DIRECTORY)((DWORD)pNTHeader + 0x78);
    pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pFileHeader->SizeOfOptionalHeader);
    

    // Entry 5 is IMAGE_DIRECTORY_ENTRY_BASERELOC; require a reloc table.
    printf("%x	%x
", (pDataDir + 5)->VirtualAddress, (pDataDir + 5)->Size);
    if ((pDataDir + 5)->VirtualAddress == 0&&(pDataDir+5)->Size==0)
    {

        MessageBox(0, L"没有重定位表1,出错了", 0, 0);
        ExitProcess(0);
    }
    // First relocation block, located in the file buffer via RVA -> FOA.
    PIMAGE_BASE_RELOCATION RelAddr=(PIMAGE_BASE_RELOCATION)(RVAToFOA(pFileBuffer,
        (pDataDir + 5)->VirtualAddress)
        +(DWORD)pFileBuffer);

    PVOID VirAddr=VirtualAllocEx(hProcess, NULL, ImageOfSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    
    if (VirAddr == NULL)
    {
        MessageBox(0, L"随意地址未分配成功", 0, 0);
        ExitProcess(0);
    }

    // Rebase each relocation block's VirtualAddress (terminates on a
    // zero-sized or zero-address block; no bound on directory Size).
    while (1)
    {
        if (RelAddr->SizeOfBlock == 0 || RelAddr->VirtualAddress == 0)
        {
            break;
        }
        printf("%d	%d", RelAddr->VirtualAddress);   // two conversions, one argument
        RelAddr->VirtualAddress += (DWORD)VirAddr - pOptionHeader->ImageBase;
        RelAddr = (PIMAGE_BASE_RELOCATION)((DWORD)RelAddr + RelAddr->SizeOfBlock);

    }
    return VirAddr;
}
    322 
/// Enables (isStart == true) or disables SeDebugPrivilege on the current
/// process token.
///
/// @param isStart true to set SE_PRIVILEGE_ENABLED, false to clear it
/// @return 0 after AdjustTokenPrivileges reported success, FALSE (also 0)
///         on every failure — callers cannot tell the two apart
///
/// NOTE(review): hToken is closed only on the success path; the two later
/// failure returns leak it. AdjustTokenPrivileges returning TRUE does not
/// mean the privilege was granted: when the token lacks it the call still
/// succeeds and GetLastError() is ERROR_NOT_ALL_ASSIGNED, which is not
/// checked here. Token privilege adjustments — SeDebugPrivilege in
/// particular — are auditable events that monitoring commonly alerts on.
int EnablePrivilege(bool isStart)
{
    // 1. Open this process's token with adjust + query rights.
    HANDLE  hToken = NULL;      // token handle
    if (!OpenProcessToken(GetCurrentProcess(),
        TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_READ,
        &hToken))
    {
        return FALSE;
    }

    // 2. Look up the LUID of SeDebugPrivilege.
    LUID    luid = { 0 };         // privilege value
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
    {
        return FALSE;   // hToken leaked
    }
    // 3. Apply the new attribute for that single privilege.
    TOKEN_PRIVILEGES tp = { 0 };  // new token privilege state
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = isStart ? SE_PRIVILEGE_ENABLED : 0;
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL))
    {
        return FALSE;   // hToken leaked
    }
    // 4. Release the token handle.
    CloseHandle(hToken);
    return 0;
}
    353 
/// Loader body: decodes the payload embedded in this executable's last
/// section, starts a second copy of this executable suspended, swaps the
/// payload in for that copy's image and resumes it (process hollowing).
///
/// The call chain used here — CreateProcess(CREATE_SUSPENDED),
/// GetThreadContext, ReadProcessMemory at Ebx+8, ZwUnmapViewOfSection,
/// VirtualAllocEx(PAGE_EXECUTE_READWRITE), WriteProcessMemory,
/// SetThreadContext, ResumeThread — is the textbook hollowing sequence
/// that endpoint telemetry and EDR rules match on, so the XOR wrapper
/// adds nothing for stealth, and the MessageBox/printf debugging calls
/// add further visible artifacts. Most API return values are ignored (see
/// inline notes), and ExitProcess on the failure paths never terminates
/// the suspended child, which is left lingering.
VOID MainPro()
{
    EnablePrivilege(true);   // return value ignored; EnablePrivilege() returns 0 on success and failure alike
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNTHeader;
    PIMAGE_FILE_HEADER pFileHeader;
    PIMAGE_OPTIONAL_HEADER pOptionHeader;
    PIMAGE_SECTION_HEADER pSectionHeader;   // assigned below but never read
    PIMAGE_BASE_RELOCATION pRelocTable;     // unused

    // Own path: ANSI copy for GetSrcData, TCHAR copy for CreateProcess.
    CHAR shellDirectory[256] = { 0 };
    GetModuleFileNameA(NULL, shellDirectory, 256);


    TCHAR W_CHAR_shellDirectory[256] = { 0 };
    GetModuleFileName(NULL, W_CHAR_shellDirectory, 256);
    
    MessageBox(0, W_CHAR_shellDirectory, 0, 0);   // debugging popup

    //messagebox;
    //MessageBoxA(0, MacroLine, 0, 0);

    // Decoded payload in file layout; not checked for NULL before the
    // header walk below dereferences it.
    PVOID TempFileMemory = GetSrcData(shellDirectory);

    // These headers describe the payload, not this module. DWORD casts:
    // 32-bit builds only (consistent with the CONTEXT.Ebx/Eax use below).
    pDosHeader = (PIMAGE_DOS_HEADER)TempFileMemory;
    pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + pDosHeader->e_lfanew);
    pFileHeader = (PIMAGE_FILE_HEADER)((DWORD)pNTHeader + 4);
    pOptionHeader = (PIMAGE_OPTIONAL_HEADER)(DWORD(pFileHeader) + IMAGE_SIZEOF_FILE_HEADER);
    pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pFileHeader->SizeOfOptionalHeader);

    STARTUPINFO si = { 0 };
    si.cb = sizeof(STARTUPINFO);
    PROCESS_INFORMATION pi;

    // Start a second, suspended instance of this very executable
    // (W_CHAR_shellDirectory holds our own path). `f` is a BOOL.
    int f=CreateProcess(W_CHAR_shellDirectory,
        NULL,
        NULL, 
        NULL, 
        FALSE, 
        CREATE_SUSPENDED,
        NULL,
        NULL,
        &si,
        &pi);
    CHAR szTempStr[256] = { 0 };   // unused
    if (!f)
    {
        MessageBox(0, L"failed create process", 0, 0);
        ExitProcess(0);
    }


    messagebox;
    MessageBoxA(0, MacroLine, 0, 0);
    // Read the suspended main thread's registers. The return value is not
    // checked, so `context` may be used uninitialised if the call fails.


    CONTEXT context;
    context.ContextFlags = CONTEXT_FULL;
    GetThreadContext(pi.hThread, &context);
    printf("%x	%x
", pi.hThread,&context);   // debugging output: handle value and local address


    messagebox;
    MessageBoxA(0, MacroLine, 0, 0);
    
    //char* baseaddress = (char*)context.ebx + 8;
    //tchar* szbuffer[4] = { 0 };
    //readprocessmemory(pi.hprocess, baseaddress, szbuffer, 4, null);
    //int* fileimagebase = (int*)szbuffer;


    // 4 bytes at Ebx+8 of the child, treated as the child's image base
    // (presumably a PEB field — confirm). ReadProcessMemory's result is
    // not checked; szBuffer is TCHAR[4] (8 bytes in a Unicode build)
    // receiving 4 bytes.
    char* baseAddress = (CHAR*)context.Ebx + 8;
    TCHAR szBuffer[4] = { 0 };
    ReadProcessMemory(pi.hProcess, baseAddress, szBuffer, 4, NULL);
    int* fileImageBase;
    fileImageBase = (int*)szBuffer;
    DWORD shellImageBase = *fileImageBase;


    /*
    char* baseAddress = (CHAR*)contx.Ebx+8;
    TCHAR szBuffer[4]={0};
    ReadProcessMemory(pi.hProcess,baseAddress,szBuffer,4,NULL);
    int* fileImageBase;
    fileImageBase = (int*)szBuffer;
    DWORD shellImageBase  = *fileImageBase;
    */


    messagebox;
    MessageBoxA(0,MacroLine,0,0);



    // Unmap the child's original image. The GetProcAddress result is not
    // NULL-checked before the call; the typedef narrows HANDLE/PVOID to
    // unsigned long (32-bit only). On LoadLibrary failure the process
    // exits and the suspended child is left alive.
    HMODULE hModuleNt = LoadLibrary(L"ntdll.dll");
    if (hModuleNt == NULL)
    {
        MessageBox(0, L"导入ntdll.dll失败", 0, 0);
        ExitProcess(0);
    }
    typedef DWORD(WINAPI* _ZwUnmapViewOfSection)(unsigned long, unsigned long);

    _ZwUnmapViewOfSection pZwUnmapViewOfSection = (_ZwUnmapViewOfSection)GetProcAddress(hModuleNt, "ZwUnmapViewOfSection");
    pZwUnmapViewOfSection((unsigned long)pi.hProcess, shellImageBase);   // return status ignored



    messagebox;
    MessageBoxA(0, MacroLine, 0, 0);
    // Reserve the payload's preferred base in the child as RWX (remote
    // RWX allocations are a common detection heuristic).


    PVOID OtherAddress = VirtualAllocEx(pi.hProcess, (PVOID)pOptionHeader->ImageBase, pOptionHeader->SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    
    
    messagebox;
    MessageBoxA(0, MacroLine, 0, 0);


    // Fallback: allocate anywhere and rebase the relocation blocks.
    if (OtherAddress == NULL)
    {
        OtherAddress=MyAnyAllocAddr(TempFileMemory, pi.hProcess, pOptionHeader->SizeOfImage);
    }

    // Payload expanded to its in-memory layout; not NULL-checked.
    PVOID StretchedFileMemory = StretchingFile(TempFileMemory);
    
    // `old` is unsigned long where the API expects SIZE_T*; same width
    // only on 32-bit. This first write stores the new base back at Ebx+8;
    // its result is ignored. The lone `;` below is a stray statement.
    unsigned long old;
    WriteProcessMemory(pi.hProcess, (void*)(context.Ebx + 8), &OtherAddress, sizeof(DWORD), NULL);
    ;


    messagebox;
    MessageBoxA(0, MacroLine, 0, 0);


    // Copy the image into the child, point Eax at the payload entry point
    // and resume. SetThreadContext's result is not checked; `z` is never
    // used and the printf reports `f` (the CreateProcess result) instead;
    // pi.hProcess is never closed.
    if (WriteProcessMemory(pi.hProcess, OtherAddress, StretchedFileMemory, pOptionHeader->SizeOfImage, &old)) {
        context.ContextFlags = CONTEXT_FULL;
        //context.Eax = pOptionHeader->ImageBase;
        context.Eax = pOptionHeader->AddressOfEntryPoint + (DWORD)OtherAddress;
        SetThreadContext(pi.hThread, &context);

        int z = ResumeThread(pi.hThread);
        printf("success!%d", f);
        CloseHandle(pi.hThread);
    }
    else
    {
        printf("Failed");   // child remains suspended
    }
    // Drop SeDebugPrivilege again. TempFileMemory and StretchedFileMemory
    // are never freed.
    EnablePrivilege(false);
    //messagebox;
    //MessageBoxA(0, MacroLine, 0, 0);
}
    510 
/// Loader entry point: all work happens in MainPro().
int main()
{
    MainPro();
    return 0;   // explicit; main() returns 0 implicitly when omitted
}