2. 程式人生 > 實用技巧 >加殼:掛起方式建立程序

加殼:掛起方式建立程序

阿新 發佈:2020-12-13

寫入部分

1,殼檔案新增一個節
2,原始檔與Harmonica異或
3,加密後原始檔放入新增節中
4,存檔
VOID Shell(WCHAR* shellName, WCHAR* srcName) {
    FILE* fpShell;
    FILE* fpSrc;
    _wfopen_s(&fpShell, shellName, L"rb");
    _wfopen_s(&fpSrc, srcName, L"rb");
    if (fpShell == NULL||fpSrc==NULL) {
        MessageBox(0, L"can't open file
 
", 0, MB_OK);
        return;
    }
    fseek(fpShell, 0, SEEK_END);
    int shellLen = ftell(fpShell);
    fseek(fpShell, 0, SEEK_SET);
    fseek(fpSrc, 0, SEEK_END);
    int srcLen = ftell(fpSrc);
    fseek(fpSrc, 0, SEEK_SET);
    CHAR* shellBuffer = (CHAR*)malloc(2 * (shellLen + srcLen));
    if (shellBuffer != NULL) {
        memset(shellBuffer, 
 
'\x00', 2 * (shellLen + srcLen));
        fread(shellBuffer, shellLen , 1, fpShell);
    }
    else {
        return;
    }
    fclose(fpShell);
    CHAR* srcBuffer = (CHAR*)malloc(srcLen);
    if (srcBuffer != NULL) {
        memset(srcBuffer, '\x00', srcLen);
        fread(srcBuffer, srcLen, 1, fpSrc);
    }
    
 
else {
        free(shellBuffer);
        shellBuffer = NULL;
        return;
    }
    fclose(fpSrc);

    DWORD e_lfanew = *(DWORD*)(shellBuffer + 0x3c);
    CHAR* peHeader = shellBuffer + e_lfanew + 0x4;
    CHAR* opHeader = peHeader + 0x14;
    DWORD SectionAlignment = *(DWORD*)(opHeader + 0x20);
    DWORD SizeOfImage = *(DWORD*)(opHeader + 0x38);
    *(DWORD*)(opHeader + 0x38) = SizeOfImage + (srcLen / SectionAlignment + 1) * SectionAlignment;
    SizeOfImage = *(DWORD*)(opHeader + 0x38);
    DWORD SizeoOfHeaders = *(DWORD*)(opHeader + 0x3c);
    WORD NumberOfSections = *(WORD*)(peHeader + 0x2);
    *(WORD*)(peHeader + 0x2) = NumberOfSections + 1;
    WORD SizeOfOptionalHeader = *(WORD*)(peHeader + 0x10);
    CHAR* Sections_addr = opHeader + SizeOfOptionalHeader;

    DWORD Misc;
    DWORD VirtualAddress;
    DWORD SizeOfRawData;
    DWORD PointerToRawData;
    for (DWORD j = 0; j < NumberOfSections; j++) {
        Misc = *(DWORD*)(Sections_addr + 0x8);
        VirtualAddress = *(DWORD*)(Sections_addr + 0xc);
        SizeOfRawData = *(DWORD*)(Sections_addr + 0x10);
        PointerToRawData = *(DWORD*)(Sections_addr + 0x14);
        Sections_addr = Sections_addr + 0x28;
    }
    DWORD check = SizeoOfHeaders - (Sections_addr - shellBuffer);
    if (check < 0x50) {//太小了無法新增節
        free(shellBuffer);
        shellBuffer = NULL;
        free(srcBuffer);
        srcBuffer = NULL;
        return;
    }

    DWORD newSec_addr = VirtualAddress + SectionAlignment;
    DWORD newSec_PointerToRawData = PointerToRawData + SizeOfRawData;
    *(DWORD64*)Sections_addr = 0x000000007261482e;
    *(DWORD*)(Sections_addr + 0x8) = srcLen;
    *(DWORD*)(Sections_addr + 0xc) = newSec_addr;
    *(DWORD*)(Sections_addr + 0x10) = (srcLen / SectionAlignment + 1) * SectionAlignment;
    *(DWORD*)(Sections_addr + 0x14) = newSec_PointerToRawData;
    *(DWORD*)(Sections_addr + 0x24) = 0xC0000040;

    UCHAR key[9] = { 0x48,0x61,0x72,0x6d,0x6f,0x6e,0x69,0x63,0x61 };
    for (DWORD i = 0; i < srcLen; i++) {
        *(UCHAR*)(shellBuffer + newSec_PointerToRawData + i) = *(UCHAR*)(srcBuffer + i) ^ key[i % 9];
    }

    FILE* fpout;
    WCHAR fileName[256] = { 0 };
    wcscpy(fileName, srcName);
    WCHAR* tmp = wcsstr(fileName, L".exe");
    wcscpy(tmp, L"_shell.exe");
    _wfopen_s(&fpout, fileName, L"wb");
    if (fpout == NULL) {
        free(shellBuffer);
        shellBuffer = NULL;
        free(srcBuffer);
        srcBuffer = NULL;
        return;
    }
    fwrite(shellBuffer, (srcLen / SectionAlignment + 1) * SectionAlignment + newSec_PointerToRawData, 1, fpout);
    
    fclose(fpout);
    free(shellBuffer);
    shellBuffer = NULL;
    free(srcBuffer);
    srcBuffer = NULL;
    MessageBox(0, L"加殼成功", L"", MB_OK);
}

殼部分

1,解密原始檔
2,拉伸原始檔
3,以掛起方式建立程序,獲取程序資訊
4,強制解除安裝程序模組
5,在程序內分配空間
6,修復重定位表
7,原始檔寫入程序
8,修復Imagebase和oep
9,恢復程序
#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>

CONTEXT cs;
CHAR* SrcBuffer;            //
CHAR* ImageBuffer;            //拉伸後的原始檔
DWORD SizeOfImage;
DWORD ImageBase;
DWORD OEP;

LPVOID lp;                    //VirtualAllocEx返回的地址
BOOL HasReloc = FALSE;


BOOL UnloadShell(HANDLE ProcHnd, unsigned long BaseAddr)
{
    typedef unsigned long(__stdcall* pfZwUnmapViewOfSection)(unsigned long, unsigned long);
    pfZwUnmapViewOfSection ZwUnmapViewOfSection = NULL;
    BOOL res = FALSE;
    HMODULE m = LoadLibraryA("ntdll.dll");
    if (m) {
            ZwUnmapViewOfSection = (pfZwUnmapViewOfSection)GetProcAddress(m, "ZwUnmapViewOfSection");
            if (ZwUnmapViewOfSection)
                res = (ZwUnmapViewOfSection((unsigned long)ProcHnd, BaseAddr) == 0);
            FreeLibrary(m);
    }
    return res;
}

BOOL DecodeSrc(HANDLE hShellModule) {
    //解密源程式
    CHAR* lpShellModule = (CHAR*)hShellModule;
    DWORD e_lfanew = *(DWORD*)(lpShellModule + 0x3c);
    CHAR* peHeader = lpShellModule + e_lfanew + 0x4;
    CHAR* opHeader = peHeader + 0x14;
    WORD NumberOfSections = *(WORD*)(peHeader + 0x2);
    WORD SizeOfOptionalHeader = *(WORD*)(peHeader + 0x10);
    CHAR* Sections_addr = opHeader + SizeOfOptionalHeader;
    DWORD Misc;
    DWORD VirtualAddress;
    DWORD SizeOfRawData;
    DWORD PointerToRawData;
    for (DWORD j = 0; j < NumberOfSections - 1; j++) {
        Sections_addr = Sections_addr + 0x28;
    }

    if (*(DWORD64*)Sections_addr != 0x000000007261482e) {
        return FALSE;
    }

    UCHAR key[9] = { 0x48,0x61,0x72,0x6d,0x6f,0x6e,0x69,0x63,0x61 };
    DWORD srcLen = *(DWORD*)(Sections_addr + 0x8);
    CHAR* lpSrc = lpShellModule + *(DWORD*)(Sections_addr + 0xc);
    SrcBuffer = (CHAR*)malloc(srcLen + 1);
    if (SrcBuffer != NULL) {
        memset(SrcBuffer, '\x00', srcLen + 1);
        for (DWORD i = 0; i < srcLen; i++) {
            *(SrcBuffer + i) = *(lpSrc + i) ^ key[i % 9];
        }
    }
    else {
        return FALSE;
    }
    return TRUE;
}

BOOL ExtendSrc() {
    WORD peCheck = *(WORD*)(SrcBuffer);
    if (peCheck != 0x5A4D) {
        return FALSE;
    }
    DWORD e_lfanew = *(DWORD*)(SrcBuffer + 0x3c);
    CHAR* peHeader = SrcBuffer + e_lfanew + 0x4;
    CHAR* opHeader = peHeader + 0x14;
    DWORD SectionAlignment = *(DWORD*)(opHeader + 0x20);
    SizeOfImage = *(DWORD*)(opHeader + 0x38);
    ImageBase = *(DWORD*)(opHeader + 0x1c);
    OEP = *(DWORD*)(opHeader + 0x10);
    if (*(DWORD*)(opHeader + 0x60 + 0x28) != NULL) {
        HasReloc = TRUE;
    }
    DWORD SizeoOfHeaders = *(DWORD*)(opHeader + 0x3c);
    WORD NumberOfSections = *(WORD*)(peHeader + 0x2);
    WORD SizeOfOptionalHeader = *(WORD*)(peHeader + 0x10);
    CHAR* Sections_addr = opHeader + SizeOfOptionalHeader;
    
    ImageBuffer = (CHAR*)malloc(SizeOfImage + 1);
    if (ImageBuffer == NULL) {
        return FALSE;
    }
    else {
        memset(ImageBuffer, '\x00', SizeOfImage + 1);
    }
    memcpy(ImageBuffer, SrcBuffer, SizeoOfHeaders);
    
    DWORD Misc;
    DWORD VirtualAddress;
    DWORD SizeOfRawData;
    DWORD PointerToRawData;
    for (DWORD j = 0; j < NumberOfSections; j++) {
        Misc = *(DWORD*)(Sections_addr + 0x8);
        VirtualAddress = *(DWORD*)(Sections_addr + 0xc);
        SizeOfRawData = *(DWORD*)(Sections_addr + 0x10);
        PointerToRawData = *(DWORD*)(Sections_addr + 0x14);
        if (SizeOfRawData == NULL) {
            Sections_addr = Sections_addr + 0x28;
            continue;
        }
        if (Misc > SizeOfRawData) {
            memcpy(ImageBuffer + VirtualAddress, SrcBuffer + PointerToRawData, Misc);
        }
        else {
            memcpy(ImageBuffer + VirtualAddress, SrcBuffer + PointerToRawData, SizeOfRawData);
        }
        Sections_addr = Sections_addr + 0x28;
    }
    free(SrcBuffer);
    SrcBuffer = NULL;
    return TRUE;
}

VOID repairReloc(DWORD newAddr) {
    DWORD e_lfanew = *(DWORD*)(ImageBuffer + 0x3c);
    CHAR* peHeader = ImageBuffer + e_lfanew + 0x4;
    CHAR* opHeader = peHeader + 0x14;
    DWORD relocRVA = *(DWORD*)(opHeader + 0x60 + 0x28);
    
    CHAR* addr = ImageBuffer + relocRVA;
    CHAR* size = addr + 4;
    CHAR* data = size + 4;
    while (*(DWORD*)addr != 0 && *(DWORD*)size != 0) {
        DWORD num = (*(DWORD*)size - 8) / 2;
        for (DWORD i = 0; i < num; i++) {
            WORD Characteristics = (*(WORD*)data & 0xf000) >> 12;
            WORD offset = *(WORD*)data & 0x0fff;
            if (Characteristics == 0x3) {
                DWORD NewData = *(DWORD*)(ImageBuffer + *(DWORD*)addr + offset) - ImageBase + newAddr;
                *(DWORD*)(ImageBuffer + *(DWORD*)addr + offset) = NewData;
            }
            data += 2;
        }
        addr += *(DWORD*)size;
        size = addr + 4;
        data = size + 4;
    }
}

BOOL MyAlloc(HANDLE p) {
    lp = VirtualAllocEx(p, (VOID*)ImageBase, SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (lp == NULL) {
        if (HasReloc) {
            lp = VirtualAllocEx(p, NULL, SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            if (lp == NULL) {
                return FALSE;
            }
            repairReloc((DWORD)lp);
        }
        else
        {
            return FALSE;
        }
    }
    return TRUE;
}

int main()
{
    LPWSTR fileName;
    fileName = GetCommandLineW();
    HANDLE hShellProcess = GetCurrentProcess();
    HANDLE hShellModule = GetModuleHandleW(NULL);
    cs.ContextFlags = CONTEXT_FULL;

    //解密原始檔
    BOOL isDecode = DecodeSrc(hShellModule);
    if (isDecode == FALSE) {
        return 0;
    }
    //拉伸原始檔
    BOOL isExtend = ExtendSrc();
    if (isExtend == FALSE) {
        free(SrcBuffer);
        SrcBuffer = NULL;
    //    return 0;
    }

    //以掛起方式建立程序
    STARTUPINFO s = { 0 };
    s.cb = sizeof(STARTUPINFO);
    PROCESS_INFORMATION p;
    ::CreateProcess(
        NULL,
        fileName,
        NULL, NULL,
        FALSE,
        CREATE_SUSPENDED,
        NULL, NULL,
        &s, &p);
    //獲取程序資訊
    GetThreadContext(p.hThread, &cs);
    DWORD shellOEP = cs.Eax;
    CHAR* baseAddress = (CHAR*)cs.Ebx + 8;
    TCHAR szBuffer[4] = { 0 };
    ReadProcessMemory(p.hProcess, baseAddress, szBuffer, 4, NULL);
    DWORD shellImageBase = *(DWORD*)szBuffer;

    //解除安裝模組
    BOOL UnloadCheck = UnloadShell(p.hProcess, shellImageBase);
    if (UnloadCheck == FALSE) {
        free(ImageBuffer);
        ImageBuffer = NULL;
        ::TerminateProcess(p.hProcess, 0);
        return 0;
    }

    //分配空間
    BOOL allocCheck = MyAlloc(p.hProcess);
    if (allocCheck == FALSE) {
        free(ImageBuffer);
        ImageBuffer = NULL;
        ::TerminateProcess(p.hProcess, 0);
        return 0;
    }

    BOOL writeCheck = WriteProcessMemory(p.hProcess, lp, ImageBuffer, SizeOfImage, NULL);
    if (writeCheck == FALSE) {
        free(ImageBuffer);
        ImageBuffer = NULL;
        ::TerminateProcess(p.hProcess, 0);
        return 0;
    }

    //更改Imagebase和oep
    WriteProcessMemory(p.hProcess, (LPVOID)(cs.Ebx + 8), &lp, sizeof(DWORD), NULL);
    cs.Eax = (DWORD)lp + OEP;
    SetThreadContext(p.hThread, &cs);
    //::TerminateProcess(p.hProcess, 0);
    ::ResumeThread(p.hThread);
    ::CloseHandle(p.hProcess);
    
    return 0;

}

因為我沒修復IAT表,使用API會掛

相關推薦

方式建立程序

寫入部分 1,檔案新增一個節 2,原始檔與Harmonica異或 3,加密後原始檔放入新增節中

Java併發包原始碼學習系列與喚醒執行緒LockSupport工具類

技術標籤Java併發佇列多執行緒java併發程式設計 文章目錄 LockSupport概述park與unpark相關方法中斷演示blocker的作用測試無blocker測試帶blocker

Python建立程序、執行緒的兩種方式

程式碼建立程序和執行緒的兩種方式 """ 定心丸Python建立程序和執行緒的方式基本都是一致的,包括其中的呼叫方法等,學會一個

併發程式設計——建立程序的兩種方式程序間資料相互隔離,程序排程,殭屍程序與孤兒程序程序物件及其他方法,守護程序,互斥鎖,佇列介紹,IPC機制(程序間通訊)

一、建立程序的兩種方式 #第一種 from multiprocessing import Process import time def task(n):

ucos_ii-任務的、恢復、刪除和建立

以下內容主要注重應用,對原始碼不做分析,對原始碼有興趣的可參考官方具體文件,相關連結https://doc.micrium.com/display/ucos/

Windows cmd開啟方式和一些常用doc命令cd、刪除建立資料夾等

cmd開啟方式 開始+系統+命令提示符 win鍵+R 輸入cmd開啟控制檯(推薦使用) 在任意的資料夾下面,按住shift鍵+滑鼠右鍵點選,在此處開啟cmd

MongoDB 3.0原因?WiredTiger實現一個LRU cache深坑引發的分析

MongoDB 3.0掛起原因?WiredTiger實現一個LRU cache深坑引發的分析 導語計算機硬體在飛速發展,資料規模在急速膨脹,但是資料庫仍然使用是十年以前的架構體系,WiredTiger 嘗試打破這一切,充分利用多核與大記憶

使用軟體和powershell命令Windows系統中的程序

提出問題 Windows系統中的工作管理員實際上功能已經很完善了,但是實際上還缺少一個程序的功能(當前版本1909),這次的問題就是如何系統中指定的程序

linux核心休眠喚醒、流程分析之cpu(八)

技術標籤驅動LinuxAndroidkernel 從核心啟動說 // init\\main.c asmlinkage __visible void __init start_kernel(void)

VMP(一)原理

  1、軟體的逆向、外掛、破解等,本質上是想辦法改變原有程式碼的執行路徑,主要的方式有兩種

pythonwindows和linux下multiprocessing模組建立程序的區別

Windows下面的multiprocessing跟Linux下面略有不同,Linux下面的multiprocessing基於fork,fork之後所有的本地變數都複製一份,因此可以使用任意的全域性變數;

VMP(二)VMP的虛擬化原理

  介紹VMP虛擬化原理之前,先簡單介紹一下計算機執行的原理。總所周知,現代計算機的核心部件是CPU、記憶體、磁碟、鍵盤、顯示器等;最最最核心的就屬CPU、記憶體和磁碟了。使用者按開機鍵,CPU會把OS從磁碟載入到

25、建立程序的兩種方式

Day 25 一、知識儲備 併發程式設計中的重要概念 序列自上而下,順序執行 併發在多個程序間快速的來回切著執行

OPPO Find X3 登場,旗艦四攝可 60 倍顯微手機螢幕排列方式,還有姜文濾鏡

3月11日訊息 OPPO 今日正式推出了 Find 十年理想之作——OPPO Find X3 系列機型,3 月 19 日 10:00 正式開售。

天璣 1200 持,徐真我 GT Neo 是 realme 2021 年 “雙平臺”旗艦戰略產品

3月18日訊息今日上午,realme 官方宣佈,真我 GT Neo 首發天璣 1200 處理器,將於3 月 31 日正式釋出。

9 系列售價曝光 9 印度價售價約 4500 元,一 9 Pro 為 5800 元

3 月 22 日訊息 一 9 系列機型將於明日正式釋出,知名爆料者 @yabhishekhd 今日公佈了一 9 系列在印度的發售價,來源為一社群的 @jaj_18。

9 / Pro 618 大促3599 ,256GB 版減 500 元

6 月 14 日訊息根據官方訊息,一 9、9 Pro 兩款手機將在今年的 618 旗艦展開優惠活動,到手價直降 200-500 元。該系列手機於今年 3 月發售,搭載高通驍龍 888 處理器、哈蘇影像系統,首發售價 3799 元

汽車之家三面Linux作業系統裡一個程序最多可以建立多少個執行緒?

前言 昨天有位讀者被坑了,問了我這麼個問題 大致意思就是,他看了一個面經,說虛擬記憶體是 2G 大小,然後他看了我的圖解系統 PDF 裡說虛擬記憶體是 4G,然後他就懵逼了。

OS篇:OS中程序的阻塞與的區別

一、阻塞 VS   阻塞與都是程序的狀態,但他們有一些相似之處,也有一些區別,下面先對他們進行概述,再進行比較

雙 11 福利加碼 9RT 3199 元,支援 12 期免息

11 月 10 日訊息,據一雙十一開門紅戰報顯示手機全渠道銷量同比增幅超 400%,僅 1 分鐘全渠道銷量超去年 11 月 1 日全天。今日,一官方公佈雙十一狂歡終極攻略,至高優惠 1700 元,活動將於 11 月 11 日零