[C&C++ 转载] 小玩意 模块提前注入 主要是shellCode的使用

古月不傲 发表于 2020-2-20 23:22
本帖最后由 古月不傲 于 2020-2-20 23:26 编辑

#include <iostream>
#include <Windows.h>

using namespace std;

#define DLL_PATH L"C:\\Users\\25335\\Desktop\\nihao.dll"
//转自看雪 https://bbs.pediy.com/thread-181174.htm

//构造shellCode
/*
pushad
pushfd
push 模块名
call [LoadLibraryW]
popfd
popad
jmp [eip]
*/

// 32-bit thread-hijack stub. Only the first 29 bytes are initialised here; the
// remaining bytes of the 128 are zero (aggregate initialisation). StartHook
// patches the four imm32/disp32 slots and appends the wide DLL path at +29
// before writing the whole buffer to the target. Offsets:
//   +0      60             pushad
//   +1      9C             pushfd
//   +2..6   68 imm32       push <remote +29>        (slot patched at +3)
//   +7..12  FF 15 disp32   call [<remote +21>]      (slot patched at +9)
//   +13     9D             popfd
//   +14     61             popad
//   +15..20 FF 25 disp32   jmp  [<remote +25>]      (slot patched at +17)
//   +21..24 data           LoadLibraryW address     (patched at +21)
//   +25..28 data           original thread Eip      (patched at +25)
//   +29..   data           wide DLL path (copied by StartHook)
// NOTE(review): this is a mutable global patched in place, so a second
// concurrent StartHook call would corrupt it; the call/jmp use absolute
// indirect operands, so the stub is only valid at the remote address it was
// patched for.
UCHAR shellCode[128] = {
		0x60,                                   // pushad
		0x9C,                                   // pushfd
		0x68, 0x00, 0x00, 0x00, 0x00,           // push imm32   (DLL path address, +3)
		0xFF, 0x15, 0x00, 0x00, 0x00, 0x00,     // call [abs32] (points at slot +21)
		0x9D,                                   // popfd
		0x61,                                   // popad
		0xFF, 0x25, 0x00, 0x00, 0x00, 0x00,     // jmp [abs32]  (points at slot +25)
		0x00, 0x00, 0x00, 0x00,                 // +21: LoadLibraryW address
		0x00, 0x00, 0x00, 0x00 };               // +25: original Eip

//提升权限 
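/*
 * BOOL EnableDebugPriv(void)
 * Enables SeDebugPrivilege on the current process token.
 * Returns TRUE only when the privilege is actually enabled. Returns FALSE
 * (after printing the Win32 error) when the token cannot be opened, the
 * privilege LUID cannot be resolved, or the token does not hold the
 * privilege. Fix vs. the original: AdjustTokenPrivileges returns nonzero
 * even when nothing was assigned, and that case is only reported through
 * GetLastError() == ERROR_NOT_ALL_ASSIGNED; the original treated it as
 * success. GetLastError() is a DWORD (unsigned long), so %lu is used.
 * NOTE(review): main only ever touches a child it created itself with
 * CreateProcess; confirm whether this privilege is needed at all, since
 * least privilege argues for dropping it.
 */
BOOL EnableDebugPriv() 
{
	HANDLE hToken = NULL;
	LUID seDebugValue = { 0 };
	TOKEN_PRIVILEGES tkp = { 0 };
	BOOL enabled = FALSE;

	// Token of the current process; adjusting privileges needs both rights.
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
	{
		printf("OpenProcessToken Error! %lu\n", GetLastError());
		return FALSE;
	}
	// Resolve the locally unique id of SE_DEBUG_NAME ("SeDebugPrivilege").
	if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &seDebugValue))
	{
		printf("LookupPrivilegeValue Error! %lu\n", GetLastError());
		CloseHandle(hToken);
		return FALSE;
	}
	tkp.PrivilegeCount = 1;                             // one entry in the array
	tkp.Privileges[0].Luid = seDebugValue;              // the privilege to change
	tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;// enable it
	// Request the change; a nonzero return is not yet success (see header).
	if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
	{
		printf("AdjustTokenPrivileges Error! %lu\n", GetLastError());
	}
	else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
	{
		// The token does not hold SeDebugPrivilege; nothing was enabled.
		printf("AdjustTokenPrivileges Error! %lu\n", GetLastError());
	}
	else
	{
		enabled = TRUE;
	}
	CloseHandle(hToken);
	return enabled;
}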

/*
 * BOOL StartHook(HANDLE hProcess, HANDLE hThread)
 * Points the suspended thread hThread at a copy of `shellCode` placed in
 * hProcess; the stub calls LoadLibraryW(DLL_PATH) and then jumps back to the
 * thread's original Eip. Both handles come from CreateProcess in main.
 * Returns FALSE when an API call fails.
 * NOTE(review): an exception raised inside the __try block is only printed
 * and the function still returns TRUE, so the caller resumes a thread whose
 * stub may be half-patched.
 * x86-only: pointers are truncated to DWORD and CONTEXT.Eip is used.
 * The global `shellCode` is patched in place, so the call is not re-entrant.
 * Defender note: RWX VirtualAllocEx + WriteProcessMemory + SetThreadContext
 * on a suspended primary thread is the thread-hijacking injection sequence
 * that endpoint monitoring commonly alerts on.
 */
BOOL StartHook(HANDLE hProcess, HANDLE hThread)
{
	CONTEXT context = { 0 };
	context.ContextFlags = CONTEXT_ALL;                 // we need the thread's Eip
	if (!GetThreadContext(hThread, &context))
	{
		printf("GetThreadContext Error! %d\n", GetLastError());
		return FALSE;
	}
	// 128 bytes of executable+writable memory in the target (== sizeof(shellCode))
	PVOID pVirutalAddress = VirtualAllocEx(hProcess, NULL, 128, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if (pVirutalAddress == NULL)
	{
		printf("pVirutalAddress Error! %d\n", GetLastError());
		return FALSE;
	}
	// LoadLibraryW is resolved in *this* process; reusing the address in the
	// target presumes kernel32.dll is mapped at the same base there — not checked.
	PVOID pLoadLibraryAddress = (PVOID)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryW");
	__try
	{
		PUCHAR pDllAddress = shellCode + 29;            // data area after the 29-byte code stub
		// Copy the wide DLL path behind the stub.
		// NOTE(review): sizeof(DLL_PATH) already includes the terminating L'\0',
		// so "+ 2" reads two bytes past the end of the literal; nothing checks
		// that 29 + the path size fits in the 128-byte buffer either.
		CopyMemory(pDllAddress, DLL_PATH, sizeof(DLL_PATH) + 2);
		// Patch the stub with addresses valid in the *target* process. The local
		// address of shellCode (commented out below) would be meaningless there.
		//*(PDWORD)(shellCode + 3) = (DWORD)pDllAddress; 
		*(PDWORD)(shellCode + 3) = (DWORD)pVirutalAddress + 29;  // push <remote DLL path>
		*(PDWORD)(shellCode + 21) = (DWORD)pLoadLibraryAddress;  // slot +21 holds &LoadLibraryW
		*(PDWORD)(shellCode + 9) = (DWORD)pVirutalAddress + 21;  // call [<remote slot +21>]
		*(PDWORD)(shellCode + 25) = context.Eip;                 // slot +25 holds the original Eip
		*(PDWORD)(shellCode + 17) = (DWORD)pVirutalAddress + 25; // jmp [<remote slot +25>]
		if (!WriteProcessMemory(hProcess, pVirutalAddress, shellCode, 128, NULL))
		{
			printf("WriteProcessMemory Error! %d\n", GetLastError());
			return FALSE;
		}
		context.Eip = (DWORD)pVirutalAddress;           // thread resumes inside the stub
		if (!SetThreadContext(hThread, &context))
		{
			printf("SetThreadContext Error! %d\n", GetLastError());
			return FALSE;
		}
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		printf("异常\n");                                // "exception" — swallowed, see header note
	}
	return TRUE;
}

/*
 * Program entry point.
 * Enables SeDebugPrivilege, starts the hard-coded executable with its primary
 * thread suspended, patches that thread via StartHook, resumes it, then waits
 * for a key press. The exit status is 0 on every path, including failures.
 * NOTE(review): when StartHook fails the child is left suspended (neither
 * resumed nor terminated) and processInfo.hProcess / hThread are never closed.
 */
int main(void) 
{
	if (!EnableDebugPriv())
	{
		printf("EnableDebugPriv Error!\n");
		return 0;                                   // exit code does not reflect the failure
	}
	STARTUPINFO startupInfo = { 0 };
	PROCESS_INFORMATION processInfo = { 0 };
	startupInfo.cb = sizeof(startupInfo);           // required by CreateProcess
	// Create the target suspended so its primary thread has not executed when
	// StartHook rewrites its context. The wide literal implies a UNICODE build
	// (CreateProcessW); FALSE = no handle inheritance.
	if (!CreateProcess(L"C:\\Users\\25335\\Desktop\\异常研究.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &startupInfo, &processInfo)) 
	{
		printf("CreateProcess Error! %d\n", GetLastError());
		return 0;
	}
	if (!StartHook(processInfo.hProcess, processInfo.hThread)) 
	{
		printf("StartHook Error!\n");
		return 0;                                   // child stays suspended; both handles leak
	}
	ResumeThread(processInfo.hThread);              // previous suspend count is ignored
	CloseHandle(processInfo.hProcess);
	CloseHandle(processInfo.hThread);

	system("pause");                                // spawns the command interpreter just to wait for a key
	return 0;
}


18036948381 发表于 2020-3-12 09:08
; NOTE(review): x86 (32-bit) disassembly of a position-independent stub, NASM-style
; operands, no comments in the original. Structure: walk PEB->Ldr module list,
; hash each BaseDllName with FNV-1a (basis 0x811C9DC5, prime 0x01000193, ASCII
; upper-case folded to lower-case), compare against hard-coded hashes, then walk
; the matched module's export name table with the same hash to find a function.
; The strings built on the stack ("user32.dll", "Hello World!", "-.-") and the
; argument counts of the two calls are consistent with LoadLibraryA("user32.dll")
; followed by a 4-argument MessageBox-style call, as the commenter suggests; the
; hash->name mappings below are inferred from those arguments, not recomputed.
; Detection note: fs:[0x30] PEB access plus API-hash constants is the classic
; hand-written-shellcode signature; no API is imported by name.
push ebp
mov ebp, esp
sub esp, 0x2C                          ; 0x2C bytes of locals: list cursor, name end, index, inline strings
mov eax, dword [fs:0x00000030]         ; eax = PEB (TEB+0x30 on x86)
push ebx
push esi
push edi                               ; preserve callee-saved registers
mov eax, dword [eax+0x0C]              ; eax = PEB->Ldr (_PEB_LDR_DATA*)
mov eax, dword [eax+0x0C]              ; eax = Ldr->InLoadOrderModuleList.Flink = first LDR_DATA_TABLE_ENTRY
mov dword [ebp-0x0C], eax              ; [ebp-0x0C] = current module entry
nop dword [eax+eax+0x00000000]         ; multi-byte NOP (loop alignment); no memory access
Label4:                                ; --- module loop #1: is the target module already loaded? ---
movzx ecx, word [eax+0x2C]             ; ecx = entry->BaseDllName.Length (bytes)
mov ebx, 0x811C9DC5                    ; ebx = FNV-1a 32-bit offset basis
mov edi, dword [eax+0x30]              ; edi = entry->BaseDllName.Buffer (UTF-16)
shr ecx, 1                             ; ecx = character count
lea ecx, dword [edi+ecx*2]             ; ecx = one past the last character
mov dword [ebp-0x08], ecx
cmp edi, ecx
je Label1                              ; empty name: nothing to hash
mov eax, ecx                           ; eax = end pointer (loop bound)
nop word [eax+eax+0x00]                ; alignment padding
Label2:                                ; --- FNV-1a over the name, one UTF-16 unit per iteration ---
mov dl, byte [edi]                     ; dl = low byte of the current character
movsx esi, dl                          ; esi = sign-extended character
sub dl, 0x41                           ; dl = c - 'A'
mov ecx, esi
or ecx, 0x20                           ; ecx = c | 0x20 (lower-case candidate)
cmp dl, 0x19
cmovnbe ecx, esi                       ; if (c - 'A') > 25 unsigned, i.e. not 'A'..'Z', keep c unchanged
add edi, 0x02                          ; next UTF-16 unit
xor ecx, ebx                           ; hash ^= c
imul ebx, ecx, 0x01000193              ; hash *= FNV prime
cmp edi, eax
jne Label2
mov eax, dword [ebp-0x0C]              ; eax = current entry
cmp ebx, 0xC0323159                    ; target module hash (presumably user32.dll: Label5 loads "user32.dll" when this is absent)
je Label3
Label1:
mov eax, dword [eax]                   ; eax = entry->InLoadOrderLinks.Flink (next entry)
mov dword [ebp-0x0C], eax
cmp dword [eax+0x18], 0x00000000       ; entry->DllBase; for the list head this is Ldr+0x24 (EntryInProgress), normally 0
jne Label4
jmp Label5                             ; end of list, module not present: go load it
Label3:
cmp dword [eax+0x18], 0x00000000       ; found with a non-zero DllBase: skip the load
jne Label6
Label5:                                ; --- target module absent: build "user32.dll" on the stack, find the loader ---
mov eax, dword [fs:0x00000030]         ; eax = PEB
mov dword [ebp-0x1C], 0x72657375       ; "user"
mov dword [ebp-0x18], 0x642E3233       ; "32.d"
mov word [ebp-0x14], 0x6C6C            ; "ll"
mov byte [ebp-0x12], 0x00              ; NUL  -> [ebp-0x1C] = "user32.dll"
mov eax, dword [eax+0x0C]              ; PEB->Ldr
mov eax, dword [eax+0x0C]              ; InLoadOrderModuleList.Flink
mov dword [ebp-0x0C], eax
nop dword [eax+eax+0x00]
Label10:                               ; --- module loop #2: same walk as Label4, different target hash ---
movzx ecx, word [eax+0x2C]
mov ebx, 0x811C9DC5
mov edi, dword [eax+0x30]
shr ecx, 1
lea ecx, dword [edi+ecx*2]
mov dword [ebp-0x08], ecx
cmp edi, ecx
je Label7
mov eax, ecx
nop word [eax+eax+0x00]
Label8:                                ; same FNV-1a/case-fold loop as Label2
mov dl, byte [edi]
movsx esi, dl
sub dl, 0x41
mov ecx, esi
or ecx, 0x20
cmp dl, 0x19
cmovnbe ecx, esi
add edi, 0x02
xor ecx, ebx
imul ebx, ecx, 0x01000193
cmp edi, eax
jne Label8
mov eax, dword [ebp-0x0C]
cmp ebx, 0xA3E6F6C3                    ; presumably kernel32.dll (the module whose export is called with "user32.dll")
je Label9
Label7:
mov eax, dword [eax]                   ; next entry
mov dword [ebp-0x0C], eax
cmp dword [eax+0x18], 0x00000000
jne Label10
xor ecx, ecx                           ; not found: ecx (module base) = 0, then Label15 reads [0x3C] and faults
Label15:                               ; --- export-table walk; ecx = module base ---
mov eax, dword [ecx+0x3C]              ; eax = e_lfanew
mov dword [ebp-0x0C], ecx              ; [ebp-0x0C] = module base
mov edx, dword [eax+ecx+0x78]          ; edx = OptionalHeader.DataDirectory[export].VirtualAddress (PE32: NT headers + 0x78)
xor eax, eax                           ; eax = name index = 0
add edx, ecx                           ; edx = IMAGE_EXPORT_DIRECTORY*
mov dword [ebp-0x10], edx
mov edi, dword [edx+0x20]              ; AddressOfNames RVA
add edi, ecx                           ; edi = &AddressOfNames[0]
Label14:                               ; --- per export name; NOTE: no NumberOfNames bound, a missing name runs off the table ---
mov edx, dword [edi]                   ; name RVA
mov esi, 0x811C9DC5                    ; FNV-1a basis
add edx, ecx                           ; edx = name string (ASCII)
mov dword [ebp-0x08], eax              ; save index
mov bl, byte [edx]                     ; first byte
inc edx
test bl, bl
je Label11                             ; empty name
Label12:                               ; --- FNV-1a over the ASCII name, same case fold as Label2 ---
movsx ecx, bl
lea edx, dword [edx+0x01]              ; lea does not touch flags
sub bl, 0x41
mov eax, ecx
or eax, 0x20
cmp bl, 0x19
mov bl, byte [edx-0x01]                ; load next byte; mov preserves the flags from cmp
cmovnbe eax, ecx
xor eax, esi
imul esi, eax, 0x01000193
test bl, bl
jne Label12
cmp esi, 0x4DBC712F                    ; presumably LoadLibraryA: called at Label13 with the single argument &"user32.dll"
je Label13
mov ecx, dword [ebp-0x0C]              ; restore module base
mov eax, dword [ebp-0x08]              ; restore index
Label11:
inc eax                                ; next name index
add edi, 0x04                          ; next RVA slot
jmp Label14
Label9:
mov ecx, dword [eax+0x18]              ; ecx = found entry->DllBase
jmp Label15
Label13:                               ; --- name index -> ordinal -> function address, then call ---
mov esi, dword [ebp-0x10]              ; esi = export directory
lea eax, dword [ebp-0x1C]              ; eax = "user32.dll"
mov ecx, dword [ebp-0x08]              ; ecx = name index
mov edx, dword [ebp-0x0C]              ; edx = module base
push eax                               ; argument: "user32.dll"
mov eax, dword [esi+0x24]              ; AddressOfNameOrdinals RVA
lea eax, dword [eax+ecx*2]
movzx ecx, word [eax+edx]              ; ecx = ordinal
mov eax, dword [esi+0x1C]              ; AddressOfFunctions RVA
lea eax, dword [eax+ecx*4]
mov eax, dword [eax+edx]               ; function RVA
add eax, edx                           ; function VA
call eax                               ; no caller clean-up: callee is expected to be stdcall
Label6:                                ; --- target module present: build the message strings, resolve and call the final export ---
mov eax, dword [fs:0x00000030]         ; eax = PEB
mov dword [ebp-0x2C], 0x6C6C6548       ; "Hell"
mov dword [ebp-0x28], 0x6F57206F       ; "o Wo"
mov dword [ebp-0x24], 0x21646C72       ; "rld!"
mov byte [ebp-0x20], 0x00              ; NUL  -> [ebp-0x2C] = "Hello World!"
mov dword [ebp-0x04], 0x002D2E2D       ; "-.-" + NUL at [ebp-0x04]
mov eax, dword [eax+0x0C]              ; PEB->Ldr
mov eax, dword [eax+0x0C]              ; InLoadOrderModuleList.Flink
mov dword [ebp-0x0C], eax
Label19:                               ; --- module loop #3: same walk, hash 0xC0323159 again (the module checked/loaded above) ---
movzx ecx, word [eax+0x2C]
mov ebx, 0x811C9DC5
mov edi, dword [eax+0x30]
shr ecx, 1
lea ecx, dword [edi+ecx*2]
mov dword [ebp-0x10], ecx              ; end pointer kept in [ebp-0x10] this time
cmp edi, ecx
je Label16
mov eax, ecx
nop dword [eax+0x00]
Label17:                               ; same FNV-1a/case-fold loop as Label2
mov dl, byte [edi]
movsx esi, dl
sub dl, 0x41
mov ecx, esi
or ecx, 0x20
cmp dl, 0x19
cmovnbe ecx, esi
add edi, 0x02
xor ecx, ebx
imul ebx, ecx, 0x01000193
cmp edi, eax
jne Label17
mov eax, dword [ebp-0x0C]
cmp ebx, 0xC0323159                    ; same hash as at Label4
je Label18
Label16:
mov eax, dword [eax]                   ; next entry
mov dword [ebp-0x0C], eax
cmp dword [eax+0x18], 0x00000000
jne Label19
xor ecx, ecx                           ; not found: base = 0, Label24 faults on [0x3C]
Label24:                               ; --- export walk, same as Label15 but base in [ebp-0x08], index in [ebp-0x0C] ---
mov eax, dword [ecx+0x3C]              ; e_lfanew
mov dword [ebp-0x08], ecx              ; [ebp-0x08] = module base
mov edx, dword [eax+ecx+0x78]          ; export directory RVA
xor eax, eax                           ; name index = 0
add edx, ecx
mov dword [ebp-0x10], edx              ; [ebp-0x10] = export directory
mov edi, dword [edx+0x20]              ; AddressOfNames
add edi, ecx
Label23:                               ; per export name, again without a NumberOfNames bound
mov edx, dword [edi]
mov esi, 0x811C9DC5
add edx, ecx
mov dword [ebp-0x0C], eax              ; save index
mov bl, byte [edx]
inc edx
test bl, bl
je Label20
Label21:                               ; same ASCII FNV-1a loop as Label12
movsx ecx, bl
lea edx, dword [edx+0x01]
sub bl, 0x41
mov eax, ecx
or eax, 0x20
cmp bl, 0x19
mov bl, byte [edx-0x01]
cmovnbe eax, ecx
xor eax, esi
imul esi, eax, 0x01000193
test bl, bl
jne Label21
cmp esi, 0x28255F84                    ; presumably MessageBoxA: called below with (0, "Hello World!", "-.-", 0)
je Label22
mov ecx, dword [ebp-0x08]              ; restore base
mov eax, dword [ebp-0x0C]              ; restore index
Label20:
inc eax
add edi, 0x04
jmp Label23
Label18:
mov ecx, dword [eax+0x18]              ; ecx = found entry->DllBase
jmp Label24
Label22:                               ; --- resolve and call with four stdcall arguments (pushed right to left) ---
mov esi, dword [ebp-0x10]              ; esi = export directory
lea eax, dword [ebp-0x04]              ; eax = "-.-"
mov ecx, dword [ebp-0x0C]              ; ecx = name index
mov edx, dword [ebp-0x08]              ; edx = module base
push 0x00                              ; arg4 = 0
push eax                               ; arg3 = "-.-"
lea eax, dword [ebp-0x2C]
push eax                               ; arg2 = "Hello World!"
mov eax, dword [esi+0x24]              ; AddressOfNameOrdinals RVA
push 0x00                              ; arg1 = 0
lea eax, dword [eax+ecx*2]
movzx ecx, word [eax+edx]              ; ordinal
mov eax, dword [esi+0x1C]              ; AddressOfFunctions RVA
lea eax, dword [eax+ecx*4]
mov eax, dword [eax+edx]               ; function RVA
add eax, edx                           ; function VA
call eax                               ; callee expected to pop its 4 arguments (stdcall)
pop edi                                ; --- epilogue: restore callee-saved regs, drop the frame ---
pop esi
pop ebx
mov esp, ebp
pop ebp
ret
int3                                   ; padding after ret (never executed on the normal path)
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3

大神能不能解析一下这个帮一下小白哦
 楼主| 古月不傲 发表于 2020-3-12 13:23
本帖最后由 古月不傲 于 2020-3-12 14:16 编辑
18036948381 发表于 2020-3-12 09:08
push ebp
mov ebp, esp
sub esp, 0x2C

感觉下面对不上号 总体是在遍历模块 没法动态跟踪不好看
// NOTE(review): the original poster's partial annotation of the listing above;
// `//` is the annotation marker used in this excerpt and the `kd> dt` dump is
// pasted inline after the instruction it explains.
push ebp
mov ebp, esp
sub esp, 0x2C                                        //allocate stack space for locals
mov eax, dword [fs:0x00000030]        //fetch the process environment block _PEB
push ebx
push esi
push edi                                                //save the registers that will be used
mov eax, dword [eax+0x0C]                kd> dt _PEB_LDR_DATA
                                                                ntdll!_PEB_LDR_DATA
                                                                   +0x000 Length           : Uint4B
                                                                   +0x004 Initialized      : UChar
                                                                   +0x008 SsHandle         : Ptr32 Void
                                                                   +0x00c InLoadOrderModuleList : _LIST_ENTRY
                                                                   +0x014 InMemoryOrderModuleList : _LIST_ENTRY
                                                                   +0x01c InInitializationOrderModuleList : _LIST_ENTRY
                                                                   +0x024 EntryInProgress  : Ptr32 Void
mov eax, dword [eax+0x0C]                //fetch InLoadOrderModuleList, used to walk this process's modules
mov dword [ebp-0x0C], eax                //save locally                _LIST_ENTRY *p = (_LIST_ENTRY *)InLoadOrderModuleList;
nop dword [eax+eax+0x00000000]        //may be list unlinking, not sure   // NOTE(review): this is a multi-byte NOP (alignment padding); it reads and writes nothing
Label4:                                  //per-module loop: hash the module's base name
movzx ecx, word [eax+0x2C]               //LDR_DATA_TABLE_ENTRY.BaseDllName.Length (bytes)
mov ebx, 0x811C9DC5                      //FNV-1a 32-bit offset basis
mov edi, dword [eax+0x30]                //BaseDllName.Buffer (UTF-16)
shr ecx, 1                               //bytes -> character count
lea ecx, dword [edi+ecx*2]               //end pointer of the name
mov dword [ebp-0x08], ecx
cmp edi, ecx
je Label1                                //empty name: skip hashing
mov eax, ecx                             //loop bound
nop word [eax+eax+0x00]                  //alignment padding
18036948381 发表于 2020-3-12 16:49
古月不傲 发表于 2020-3-12 13:23
感觉下面对不上号 总体是在遍历模块 没法动态跟踪不好看
[mw_shl_code=asm,true]push ebp
mov ebp, esp ...

上面是获取fs寄存器 peb啥的,下面的就是由很多固定的值.shellcode怎么里面会写那么多固定值呢,想不懂
这个源码就是一个messge box的
 楼主| 古月不傲 发表于 2020-3-12 17:14
18036948381 发表于 2020-3-12 16:49
上面是获取fs寄存器 peb啥的,下面的就是由很多固定的值.shellcode怎么里面会写那么多固定值呢,想不懂
这 ...

你可以发到求助区 不过代码没人愿意读吧 太怪了