簡單Src加殼程式
阿新 • • 發佈:2020-10-13
寫了很久了,但對Windows的api不瞭解,
1比如建立掛起程序報05拒絕訪問錯誤,再比如報了這個錯還能正常執行,所以我推測掛起建立程序可能本身就會產生這種錯誤。(但Win32手冊上不是這麼說的,就讓我感覺到很奇怪,我也嘗試著運行了,從網上下載下來的程式碼,但最終會報錯0xc0000005,我的程式有時候也會報這個,太奇怪了)
2其次就是獲取執行緒的context了,這個在我驗證地址的時候是af開頭的也就是說到了核心部分,但Windows是沒有共享記憶體的,所以我猜測這裡要提權可能才能訪問了
3再其次就是說管理員執行好像也不能讓程序訪問Windows的核心,只能用提權,不說了(還沒完成提權的操作呢,晚上接著試,先部落格放上來,看看有沒有師傅能指點一下我)
貼程式碼:
加密程式碼
1 #define _CRT_SECURE_NO_WARNINGS 2 #include<Windows.h> 3 #include<CommCtrl.h> 4 #include<Psapi.h> 5 #include<iostream> 6 #include<iomanip> 7 #include <Tlhelp32.h.> 8 #include<stdlib.h> 9 #include<Shlwapi.h> 10 #include<iostream> 11View Code#pragma comment(lib,"shlwapi.lib") 12 #pragma comment(lib,"comctl32.lib") 13 #pragma comment(lib,"Psapi.lib") 14 using namespace std; 15 16 int filesize = 0; 17 18 VOID CacuFileOfSize(IMAGE_OPTIONAL_HEADER pOptionHeader,DWORD *size_,DWORD EncryptOfsize) 19 { 20 int count = EncryptOfsize / pOptionHeader.SectionAlignment+ 1; 21 *size_ += count * pOptionHeader.SectionAlignment; 22 } 23 24 PVOID pReadFile(LPSTR lpszFile,DWORD *size_) 25 { 26 FILE* pFile = NULL; 27 DWORD filesize = 0; 28 LPVOID FileBuffer = NULL; 29 30 pFile = fopen(lpszFile, "rb+"); 31 if (!pFile) { 32 cout << "讀取檔案失敗" << endl; 33 return NULL; 34 } 35 36 fseek(pFile, NULL, SEEK_END); 37 filesize = ftell(pFile); 38 fseek(pFile, NULL, SEEK_SET); 39 40 FileBuffer = malloc(filesize); 41 if (!FileBuffer) 42 { 43 cout << "記憶體分配失敗" << endl; 44 fclose(pFile); 45 return NULL; 46 } 47 48 size_t size = fread(FileBuffer, 1, filesize, pFile); 49 *size_ = size; 50 if (!size) 51 { 52 cout << "讀取資料失敗" << endl; 53 fclose(pFile); 54 return NULL; 55 } 56 fclose(pFile); 57 return FileBuffer; 58 } 59 60 BOOL MemoryToFile(LPSTR NewFileName, PVOID pFileBuffer, DWORD size_) 61 { 62 FILE* pFile = NULL; 63 DWORD filesize = 0; 64 LPVOID FileBuffer = NULL; 65 66 pFile = fopen(NewFileName, "wb+"); 67 if (!pFile) { 68 cout << "建立檔案失敗" << endl; 69 ExitProcess(0); 70 return NULL; 71 } 72 73 fwrite(pFileBuffer, size_, 1, pFile); 74 fclose(pFile); 75 } 76 77 VOID ExtendSection(PVOID pFileBuffer, DWORD EncryptOfSize) 78 { 79 PIMAGE_DOS_HEADER pDosHeader; 80 PIMAGE_NT_HEADERS pNTHeader; 81 PIMAGE_FILE_HEADER pFileHeader; 82 PIMAGE_OPTIONAL_HEADER pOptionHeader; 83 PIMAGE_SECTION_HEADER pSectionHeader; 84 PIMAGE_DATA_DIRECTORY pDataDir; 85 PIMAGE_BASE_RELOCATION pRelocTable; 86 87 pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer; 88 pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + pDosHeader->e_lfanew); 89 pFileHeader = (PIMAGE_FILE_HEADER)((DWORD)pNTHeader + 4); 90 pOptionHeader = (PIMAGE_OPTIONAL_HEADER)(DWORD(pFileHeader) + IMAGE_SIZEOF_FILE_HEADER); 91 pDataDir = (PIMAGE_DATA_DIRECTORY)((PIMAGE_DATA_DIRECTORY)((DWORD)pNTHeader + 0x78) + 8 * 5); 92 pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pFileHeader->SizeOfOptionalHeader); 93 94 95 96 //在當前節的最後一個結構體後,再加一個結構體,改變屬性值、大小值等 97 PIMAGE_SECTION_HEADER pCurSection = pSectionHeader + pFileHeader->NumberOfSections; 98 PIMAGE_SECTION_HEADER temp = pSectionHeader; 99 //找到程式碼段 100 while (temp) 101 { 102 if (temp->Name[0] == '.' && temp->Name[1] == 't' && temp->Name[2] == 'e' && temp->Name[3] == 'x' && temp->Name[4] == 't') 103 { 104 pCurSection->Characteristics |= temp->Characteristics; 105 break; 106 } 107 temp++; 108 } 109 //找到新加節的檔案偏移 110 pCurSection->Misc.PhysicalAddress = pOptionHeader->SectionAlignment; 111 pCurSection->Name[0] = '.'; 112 pCurSection->Name[1] = 'e'; 113 pCurSection->Name[2] = 'n'; 114 pCurSection->Name[3] = 'S'; 115 pCurSection->Name[4] = 'e'; 116 pCurSection->Name[5] = 'c'; 117 pCurSection->PointerToRawData = (pSectionHeader + pFileHeader->NumberOfSections - 1)->PointerToRawData\ 118 + (pSectionHeader + pFileHeader->NumberOfSections - 1)->SizeOfRawData; 119 //pCurSection. 120 pCurSection->Misc.PhysicalAddress = EncryptOfSize; 121 //計算加密檔案後對齊後的檔案大小 122 DWORD count = EncryptOfSize / pOptionHeader->SectionAlignment + 1; 123 //在虛擬記憶體中的虛擬偏移 124 pCurSection->VirtualAddress = pOptionHeader->SizeOfImage; 125 //記憶體中對齊後的大小 126 pCurSection->SizeOfRawData = count * pOptionHeader->SectionAlignment; 127 //在擴充套件頭中將數量加1 128 pFileHeader->NumberOfSections += 1; 129 //增加擴充套件頭的大小 130 pOptionHeader->SizeOfImage += count * pOptionHeader->SectionAlignment; 131 132 } 133 134 VOID Encrypt(PCHAR pFile, DWORD size_) 135 { 136 for (int i = 0; i < size_; i++) 137 *(pFile + i) = *(pFile + i) ^ 0x56; 138 } 139 140 PVOID AddFileOFSize(LPSTR SFile,char NFile[],LPSTR EncryptOfFileName) 141 { 142 //讀取shell檔案並且為其分配一個新節 143 PVOID pSFileBuffer; 144 DWORD size_; 145 PVOID pNewFileBuffer; 146 pSFileBuffer = pReadFile(SFile, &size_); 147 148 DWORD EncryptOfSize_; 149 PVOID EncryptOfFile = pReadFile(EncryptOfFileName, &EncryptOfSize_); 150 151 152 PIMAGE_DOS_HEADER pDosHeader; 153 PIMAGE_NT_HEADERS pNTHeader; 154 PIMAGE_FILE_HEADER pFileHeader; 155 PIMAGE_OPTIONAL_HEADER pOptionHeader; 156 PIMAGE_SECTION_HEADER pSectionHeader; 157 PIMAGE_DATA_DIRECTORY pDataDir; 158 PIMAGE_BASE_RELOCATION pRelocTable; 159 160 pDosHeader = (PIMAGE_DOS_HEADER)pSFileBuffer; 161 pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + pDosHeader->e_lfanew); 162 pFileHeader = (PIMAGE_FILE_HEADER)((DWORD)pNTHeader + 4); 163 pOptionHeader = (PIMAGE_OPTIONAL_HEADER)(DWORD(pFileHeader) + IMAGE_SIZEOF_FILE_HEADER); 164 pDataDir = (PIMAGE_DATA_DIRECTORY)((PIMAGE_DATA_DIRECTORY)((DWORD)pNTHeader + 0x78) + 8 * 5); 165 pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pFileHeader->SizeOfOptionalHeader); 166 167 168 DWORD OldSize_ = size_; 169 //計算檔案加密後的大小 170 CacuFileOfSize(*pOptionHeader, &size_,EncryptOfSize_); 171 172 pNewFileBuffer = malloc(size_); 173 memset(pNewFileBuffer, 0, size_); 174 memcpy(pNewFileBuffer, pSFileBuffer, OldSize_); 175 ExtendSection(pNewFileBuffer,EncryptOfSize_); 176 177 //讀取需要加密的檔案,並且進行加密 178 Encrypt((PCHAR)EncryptOfFile, EncryptOfSize_); 179 180 memcpy(PVOID((DWORD)pNewFileBuffer+ OldSize_), EncryptOfFile, EncryptOfSize_); 181 182 MemoryToFile(NFile, pNewFileBuffer, size_); 183 return pNewFileBuffer; 184 } 185 186 187 188 int main(int argc,WCHAR* argv[]) 189 { 190 char lpszFile[] = "shell.exe"; 191 192 char lpszNewFile[50] = { 0 }; 193 cin >> lpszNewFile; 194 195 char lpCryptFile[] ="peinfo.exe"; 196 PVOID NewFileBuffer=AddFileOFSize(lpszFile, lpszNewFile,lpCryptFile); 197 198 printf("success"); 199 return 0; 200 }
殼程式碼
1 #define _CRT_SECURE_NO_WARNINGS 2 #include<Windows.h> 3 #include<CommCtrl.h> 4 #include<Psapi.h> 5 #include<iostream> 6 #include<iomanip> 7 #include <Tlhelp32.h.> 8 #include<stdlib.h> 9 #include<iostream> 10 #include<Shlwapi.h> 11 #pragma comment(lib,"shlwapi.lib") 12 #pragma comment(lib,"comctl32.lib") 13 #pragma comment(lib,"Psapi.lib") 14 #pragma once 15 16 #pragma region private 17 18 #define __Macro_ToStringFunc__(x) #x 19 20 #pragma endregion private 21 22 #pragma region public 23 24 #define MacroToString(x) __Macro_ToStringFunc__(x) 25 #define MacroLine MacroToString(__LINE__) 26 27 #pragma endregion public 28 int flag; 29 WCHAR errorMessage[20] = { 0 }; 30 #define messagebox {\ 31 flag=GetLastError();\ 32 wsprintf(errorMessage,L"%d",flag);\ 33 MessageBoxW(0,errorMessage,0,0);\ 34 } 35 36 using namespace std; 37 38 39 DWORD RVAToFOA(PVOID pFileBuffer,DWORD dwRva) 40 { 41 PIMAGE_DOS_HEADER pDosHeader = NULL; 42 PIMAGE_NT_HEADERS pNTHeader = NULL; 43 PIMAGE_FILE_HEADER pPEHeader = NULL; 44 PIMAGE_OPTIONAL_HEADER32 pOptionHeader = NULL; 45 PIMAGE_SECTION_HEADER pSectionHeader = NULL; 46 47 if (!pFileBuffer) 48 { 49 printf("檔案讀取失敗\n"); 50 return NULL; 51 } 52 53 //Header資訊 54 pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer; 55 pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer + pDosHeader->e_lfanew); 56 pPEHeader = (PIMAGE_FILE_HEADER)(((DWORD)pNTHeader) + 4); 57 pOptionHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pPEHeader + IMAGE_SIZEOF_FILE_HEADER); 58 pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pPEHeader->SizeOfOptionalHeader); 59 60 DWORD ImageSize = pOptionHeader->SizeOfImage; 61 int Section_Number = pPEHeader->NumberOfSections; 62 int i = 0; 63 for (i = 0; i < Section_Number; i++) 64 { 65 //printf("VirualSize : %x\n",pSectionHeader->Misc); 66 //printf("VirualAddress: %x\n",pSectionHeader->VirtualAddress); 67 68 DWORD dumpVirualSize = pSectionHeader->Misc.VirtualSize; 69 DWORD dumpVirualAddress = pSectionHeader->VirtualAddress; 70 71 if (dwRva >= dumpVirualAddress && dwRva <= dumpVirualAddress + dumpVirualSize) 72 { 73 //printf("地址在第:%d 節 %s \n",i+1,pSectionHeader->Name); 74 break; 75 } 76 //下一個節表 77 pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pSectionHeader + 40); 78 } 79 80 //確定是第i+1節 81 //確定偏移距離 82 DWORD fileOff = pSectionHeader->PointerToRawData + (dwRva - pSectionHeader->VirtualAddress); 83 84 return fileOff; 85 } 86 87 PVOID pReadFile(LPSTR lpszFile) 88 { 89 FILE* pFile = NULL; 90 DWORD fileSize = 0; 91 LPVOID pFileBuffer = NULL; 92 93 //開啟檔案 94 pFile = fopen(lpszFile, "rb"); 95 96 if (!pFile) 97 { 98 printf("無法開啟檔案EXE檔案"); 99 return NULL; 100 } 101 102 fseek(pFile, 0, SEEK_END); 103 fileSize = ftell(pFile); 104 fseek(pFile, 0, SEEK_SET); 105 106 //分配緩衝區 107 pFileBuffer = malloc(fileSize); 108 if (!pFileBuffer) 109 { 110 printf("分配空間失敗!\n"); 111 fclose(pFile); 112 return NULL; 113 } 114 115 //檔案讀取 116 117 size_t n = fread(pFileBuffer, fileSize, 1, pFile); 118 119 if (!n) 120 { 121 printf("讀取資料失敗\n"); 122 free(pFileBuffer); 123 fclose(pFile); 124 return NULL; 125 } 126 127 //關閉檔案 128 fclose(pFile); 129 return pFileBuffer; 130 } 131 132 PVOID StretchingFile(PVOID pFileBuffer) 133 { 134 PIMAGE_DOS_HEADER pDosHeader = NULL; 135 PIMAGE_NT_HEADERS pNTHeader = NULL; 136 PIMAGE_FILE_HEADER pPEHeader = NULL; 137 PIMAGE_OPTIONAL_HEADER32 pOptionHeader = NULL; 138 PIMAGE_SECTION_HEADER pSectionHeader = NULL; 139 140 if (!pFileBuffer) 141 { 142 printf("檔案讀取失敗\n"); 143 return NULL; 144 } 145 146 //Header資訊 147 pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer; 148 pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer + pDosHeader->e_lfanew); 149 pPEHeader = (PIMAGE_FILE_HEADER)(((DWORD)pNTHeader) + 4); 150 pOptionHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pPEHeader + IMAGE_SIZEOF_FILE_HEADER); 151 pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pPEHeader->SizeOfOptionalHeader); 152 153 DWORD ImageSize = pOptionHeader->SizeOfImage; 154 155 //LPVOID pImageBuffer=NULL; 156 //分配緩衝區 157 LPVOID pImageBuffer = NULL; 158 pImageBuffer = malloc(ImageSize); 159 160 if (!pImageBuffer) 161 { 162 printf("pImageBuffer分配空間失敗!\n"); 163 return NULL; 164 } 165 //printf("%x \n",ImageSize); 166 167 memset(pImageBuffer, 0, ImageSize); 168 169 //分段拷貝資料到ImageBuffer中 170 //1 拷貝頭 171 DWORD HeaderSize = pOptionHeader->SizeOfHeaders; 172 //DWORD Head_i = 0; 173 //copy header 174 memcpy(pImageBuffer, pFileBuffer, HeaderSize); 175 176 //2 拷貝節 pSectionHeader 177 //數量,位置 178 int Section_Number = pPEHeader->NumberOfSections; 179 //分節進行寫入 180 181 LPVOID pFileBuffer_sec = pFileBuffer; 182 LPVOID pImageBuffer_sec = pImageBuffer; 183 184 //printf("pFileBuffer_sec: %x \n",pFileBuffer_sec); 185 //printf("pImageBuffer_sec: %x \n",pImageBuffer_sec); 186 187 for (int i = 0; i < Section_Number; i++) 188 { 189 DWORD FileSizeOfRawData = pSectionHeader->SizeOfRawData; 190 DWORD FilePointerToRawData = pSectionHeader->PointerToRawData; 191 DWORD MemVirtualAddress = pSectionHeader->VirtualAddress; 192 pFileBuffer_sec = (LPVOID)((DWORD)pFileBuffer + FilePointerToRawData); 193 pImageBuffer_sec = (LPVOID)((DWORD)pImageBuffer + MemVirtualAddress); 194 195 //printf("pFileBuffer_sec: %x \n",pFileBuffer_sec); 196 //printf("pImageBuffer_sec: %x \n",pImageBuffer_sec); 197 198 memcpy(pImageBuffer_sec, pFileBuffer_sec, FileSizeOfRawData); 199 //下一個節表 200 pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pSectionHeader + 40); 201 } 202 203 //寫出 204 //WirteToFile(pImageBuffer,ImageSize,"c://image.exe"); 205 206 return pImageBuffer; 207 } 208 209 BOOL MemoryToFile(LPSTR NewFileName, PVOID pFileBuffer, DWORD size_) 210 { 211 FILE* pFile = NULL; 212 DWORD filesize = 0; 213 LPVOID FileBuffer = NULL; 214 215 pFile = fopen(NewFileName, "wb+"); 216 if (!pFile) { 217 cout << "建立檔案失敗" << endl; 218 ExitProcess(0); 219 return NULL; 220 } 221 222 fwrite(pFileBuffer, size_, 1, pFile); 223 fclose(pFile); 224 } 225 226 VOID Decrypt(PVOID pFileBuffer, PIMAGE_SECTION_HEADER lastSection) 227 { 228 for (int i = 0; i < lastSection->Misc.VirtualSize; i++) 229 { 230 *((PBYTE)((int)pFileBuffer + i)) ^= 0x56; 231 } 232 char b[] = "aaaa.exe"; 233 MemoryToFile(b, pFileBuffer, lastSection->Misc.VirtualSize); 234 } 235 236 237 238 PVOID GetSrcData(CHAR* lpName) 239 { 240 241 PVOID pFileBuffer = pReadFile(lpName); 242 243 PIMAGE_DOS_HEADER pDosHeader; 244 PIMAGE_NT_HEADERS pNTHeader; 245 PIMAGE_FILE_HEADER pFileHeader; 246 PIMAGE_OPTIONAL_HEADER pOptionHeader; 247 PIMAGE_SECTION_HEADER pSectionHeader; 248 PIMAGE_DATA_DIRECTORY pDataDir; 249 PIMAGE_BASE_RELOCATION pRelocTable; 250 251 pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer; 252 pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + pDosHeader->e_lfanew); 253 pFileHeader = (PIMAGE_FILE_HEADER)((DWORD)pNTHeader + 4); 254 pOptionHeader = (PIMAGE_OPTIONAL_HEADER)(DWORD(pFileHeader) + IMAGE_SIZEOF_FILE_HEADER); 255 pDataDir = (PIMAGE_DATA_DIRECTORY)((DWORD)pOptionHeader + 0x60); 256 pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pFileHeader->SizeOfOptionalHeader); 257 258 PIMAGE_SECTION_HEADER lastSection = pSectionHeader + pFileHeader->NumberOfSections-1; 259 260 PVOID MainModule = (PVOID)((DWORD)pFileBuffer + lastSection->PointerToRawData); 261 262 Decrypt(MainModule, lastSection); 263 264 PVOID TempFileMemory = malloc(lastSection->Misc.VirtualSize); 265 memcpy(TempFileMemory, MainModule,lastSection->Misc.VirtualSize); 266 267 return TempFileMemory; 268 } 269 270 PVOID MyAnyAllocAddr(PVOID pFileBuffer,HANDLE hProcess,DWORD ImageOfSize) 271 { 272 PIMAGE_DOS_HEADER pDosHeader; 273 PIMAGE_NT_HEADERS pNTHeader; 274 PIMAGE_FILE_HEADER pFileHeader; 275 PIMAGE_OPTIONAL_HEADER pOptionHeader; 276 PIMAGE_SECTION_HEADER pSectionHeader; 277 PIMAGE_DATA_DIRECTORY pDataDir; 278 PIMAGE_BASE_RELOCATION pRelocTable; 279 280 pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer; 281 pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + pDosHeader->e_lfanew); 282 pFileHeader = (PIMAGE_FILE_HEADER)((DWORD)pNTHeader + 4); 283 pOptionHeader = (PIMAGE_OPTIONAL_HEADER)(DWORD(pFileHeader) + IMAGE_SIZEOF_FILE_HEADER); 284 pDataDir = (PIMAGE_DATA_DIRECTORY)((DWORD)pNTHeader + 0x78); 285 pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pFileHeader->SizeOfOptionalHeader); 286 287 288 //檢視是否有重定位表 289 printf("%x\t%x\n", (pDataDir + 5)->VirtualAddress, (pDataDir + 5)->Size); 290 if ((pDataDir + 5)->VirtualAddress == 0&&(pDataDir+5)->Size==0) 291 { 292 293 MessageBox(0, L"沒有重定位表1,出錯了", 0, 0); 294 ExitProcess(0); 295 } 296 PIMAGE_BASE_RELOCATION RelAddr=(PIMAGE_BASE_RELOCATION)(RVAToFOA(pFileBuffer,\ 297 (pDataDir + 5)->VirtualAddress)\ 298 +(DWORD)pFileBuffer); 299 300 PVOID VirAddr=VirtualAllocEx(hProcess, NULL, ImageOfSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 301 302 if (VirAddr == NULL) 303 { 304 MessageBox(0, L"隨意地址未分配成功", 0, 0); 305 ExitProcess(0); 306 } 307 308 //修復重定位表 309 while (1) 310 { 311 if (RelAddr->SizeOfBlock == 0 || RelAddr->VirtualAddress == 0) 312 { 313 break; 314 } 315 printf("%d\t%d", RelAddr->VirtualAddress); 316 RelAddr->VirtualAddress += (DWORD)VirAddr - pOptionHeader->ImageBase; 317 RelAddr = (PIMAGE_BASE_RELOCATION)((DWORD)RelAddr + RelAddr->SizeOfBlock); 318 319 } 320 return VirAddr; 321 } 322 323 VOID MainPro() 324 { 325 PIMAGE_DOS_HEADER pDosHeader; 326 PIMAGE_NT_HEADERS pNTHeader; 327 PIMAGE_FILE_HEADER pFileHeader; 328 PIMAGE_OPTIONAL_HEADER pOptionHeader; 329 PIMAGE_SECTION_HEADER pSectionHeader; 330 PIMAGE_BASE_RELOCATION pRelocTable; 331 332 CHAR shellDirectory[256] = { 0 }; 333 GetModuleFileNameA(NULL, shellDirectory, 256); 334 335 336 TCHAR W_CHAR_shellDirectory[256] = { 0 }; 337 GetModuleFileName(NULL, W_CHAR_shellDirectory, 256); 338 339 MessageBox(0, W_CHAR_shellDirectory, 0, 0); 340 341 messagebox; 342 MessageBoxA(0, MacroLine, 0, 0); 343 344 PVOID TempFileMemory = GetSrcData(shellDirectory); 345 346 pDosHeader = (PIMAGE_DOS_HEADER)TempFileMemory; 347 pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + pDosHeader->e_lfanew); 348 pFileHeader = (PIMAGE_FILE_HEADER)((DWORD)pNTHeader + 4); 349 pOptionHeader = (PIMAGE_OPTIONAL_HEADER)(DWORD(pFileHeader) + IMAGE_SIZEOF_FILE_HEADER); 350 pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pFileHeader->SizeOfOptionalHeader); 351 352 STARTUPINFO si = { 0 }; 353 si.cb = sizeof(STARTUPINFO); 354 PROCESS_INFORMATION pi; 355 356 //以掛起的形式建立程序 357 int f=CreateProcess(W_CHAR_shellDirectory,\ 358 NULL,\ 359 NULL, \ 360 NULL, \ 361 FALSE, \ 362 CREATE_SUSPENDED,\ 363 NULL,\ 364 NULL,\ 365 &si,\ 366 &pi); 367 CHAR szTempStr[256] = { 0 }; 368 if (!f) 369 { 370 MessageBox(0, L"failed create process", 0, 0); 371 ExitProcess(0); 372 } 373 //messagebox; 374 //MessageBoxA(0, MacroLine, 0, 0); 375 //獲取context資訊 376 CONTEXT context; 377 GetThreadContext(pi.hThread, &context); 378 printf("%x\t%x\n", pi.hThread,&context); 379 //messagebox; 380 //MessageBoxA(0, MacroLine, 0, 0); 381 382 //char* baseaddress = (char*)context.ebx + 8; 383 //tchar* szbuffer[4] = { 0 }; 384 //readprocessmemory(pi.hprocess, baseaddress, szbuffer, 4, null); 385 //int* fileimagebase = (int*)szbuffer; 386 char* baseAddress = (CHAR*)context.Ebx + 8; 387 TCHAR szBuffer[4] = { 0 }; 388 ReadProcessMemory(pi.hProcess, baseAddress, szBuffer, 4, NULL); 389 int* fileImageBase; 390 fileImageBase = (int*)szBuffer; 391 DWORD shellImageBase = *fileImageBase; 392 /* 393 char* baseAddress = (CHAR*)contx.Ebx+8; 394 TCHAR szBuffer[4]={0}; 395 ReadProcessMemory(pi.hProcess,baseAddress,szBuffer,4,NULL); 396 int* fileImageBase; 397 fileImageBase = (int*)szBuffer; 398 DWORD shellImageBase = *fileImageBase; 399 */ 400 401 402 //messagebox; 403 //MessageBoxA(0,MacroLine,0,0); 404 //解除安裝外殼程式 405 HMODULE hModuleNt = LoadLibrary(L"ntdll.dll"); 406 if (hModuleNt == NULL) 407 { 408 MessageBox(0, L"匯入ntdll.dll失敗", 0, 0); 409 ExitProcess(0); 410 } 411 typedef DWORD(WINAPI* _ZwUnmapViewOfSection)(unsigned long, unsigned long); 412 413 _ZwUnmapViewOfSection pZwUnmapViewOfSection = (_ZwUnmapViewOfSection)GetProcAddress(hModuleNt, "ZwUnmapViewOfSection"); 414 pZwUnmapViewOfSection((unsigned long)pi.hProcess, shellImageBase); 415 //messagebox; 416 //MessageBoxA(0, MacroLine, 0, 0); 417 //在指定位置分配空間 418 419 420 PVOID OtherAddress = VirtualAllocEx(pi.hProcess, (PVOID)pOptionHeader->ImageBase, pOptionHeader->SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 421 //messagebox; 422 //MessageBoxA(0, MacroLine, 0, 0); 423 if (OtherAddress == NULL) 424 { 425 OtherAddress=MyAnyAllocAddr(TempFileMemory, pi.hProcess, pOptionHeader->SizeOfImage); 426 } 427 428 PVOID StretchedFileMemory = StretchingFile(TempFileMemory); 429 430 unsigned long old; 431 WriteProcessMemory(pi.hProcess, (void*)(context.Ebx + 8), &OtherAddress, sizeof(DWORD), &old); 432 ; 433 //messagebox; 434 //MessageBoxA(0, MacroLine, 0, 0); 435 if (WriteProcessMemory(pi.hProcess, OtherAddress, StretchedFileMemory, pOptionHeader->SizeOfImage, &old)) { 436 context.ContextFlags = CONTEXT_FULL; 437 //context.Eax = pOptionHeader->ImageBase; 438 context.Eax = pOptionHeader->AddressOfEntryPoint + (DWORD)OtherAddress; 439 SetThreadContext(pi.hThread, &context); 440 441 int z = ResumeThread(pi.hThread); 442 printf("success!%d", f); 443 CloseHandle(pi.hThread); 444 } 445 else 446 { 447 printf("Failed"); 448 } 449 //messagebox; 450 //MessageBoxA(0, MacroLine, 0, 0); 451 } 452 453 int main() 454 { 455 MainPro(); 456 }View Code
這個殼寫了3-4個下午了,目前還沒完成,還有許多以前沒見過的錯誤,今天晚上接著寫完,希望能有師傅指點一下我在上面提出來的3個錯誤。