skipped 150 lines 151 151 152 152 void searchDll(BYTE* buffer, PResultInfo result, LPCWSTR filePath, char* dllsName, string fileDir) { 153 153 DWORD rdataLength; 154 - BYTE* rdata = readSectionData(buffer, &rdataLength, ".rdata"); 155 - if (rdata != 0) { 156 - char fileFullPath[0x255] = { 0 }; 157 - strcat(fileFullPath, fileDir.c_str()); 158 - int fileDirLength = fileDir.length(); 159 - DWORD vaule, vaule1; 160 - char* str; 161 - int strLength; 162 - char ch; 163 - int index = 0; 154 + char fileFullPath[0x255] = { 0 }; 155 + strcat(fileFullPath, fileDir.c_str()); 156 + int fileDirLength = fileDir.length(); 157 + map<string, bool> postDllMap; 158 + char* secNames[] = {".rdata", ".rsrc"}; 164 159 165 - for (int i = rdataLength - 8 ; i > 0 ; - - i, index = 0 ) {166 - vaule = *(PDWORD)((PBYTE)rdata + i); 167 - vaule1 = *(PDWORD)((PBYTE)rdata + i + 4); 160 + for (int i = 0 ; i < 2 ; i+ + ) { 161 + BYTE* rdata = readSectionData(buffer, &rdataLength, secNames[i]); 162 + if (rdata != 0) { 163 + DWORD vaule, vaule1; 164 + char* str; 165 + int strLength; 166 + char ch; 167 + int index = 0; 168 + 169 + for (int i = rdataLength - 8; i > 0; --i, index = 0) { 170 + vaule = *(PDWORD)((PBYTE)rdata + i); 171 + vaule1 = *(PDWORD)((PBYTE)rdata + i + 4); 168 172 169 - if (vaule == 0x6c6c642e) 170 - index = 1; 171 - else if (vaule1 == 0x6c && vaule == 0x6c0064) 172 - index = 2; 173 + if (vaule == 0x6c6c642e) 174 + index = 1; 175 + else if (vaule1 == 0x6c && vaule == 0x6c0064) 176 + index = 2; 173 177 174 - if (index > 0) { 175 - i -= index; 176 - ch = rdata[i]; 177 - while (((ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') || (ch >= '0' && ch <= '9') || ch == '_' || ch == '.' || ch == '-')) { 178 + if (index > 0) { 178 179 i -= index; 179 180 ch = rdata[i]; 180 - } 181 + while (((ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') || (ch >= '0' && ch <= '9') || ch == '_' || ch == '.' || ch == '-')) { 182 + i -= index; 183 + ch = rdata[i]; 184 + } 181 185 182 - if (ch != 0) 183 - continue; 186 + if (ch != 0) 187 + continue; 184 188 185 - if (index == 1) 186 - str = (char*)(rdata + i + 1); 187 - else 188 - str = ConvertWideToMultiByte((wchar_t*)(rdata + i + 2)); 189 + if (index == 1) 190 + str = (char*)(rdata + i + 1); 191 + else 192 + str = ConvertWideToMultiByte((wchar_t*)(rdata + i + 2)); 189 193 190 - strLength = strlen(str); 191 - if (str[strLength-1] != 'l') 192 - continue; 194 + strLength = strlen(str); 195 + if (str[strLength - 1] != 'l') 196 + continue; 193 197 194 - memcpy(fileFullPath + fileDirLength, str, strLength + 1); 198 + memcpy(fileFullPath + fileDirLength, str, strLength + 1); 195 199 196 - if (filesystem::exists(filesystem::path(fileFullPath)) && containsIgnoreCase(dllsName, str) == NULL) 197 - result->postLoadDlls.push_back(_strdup(str)); 200 + if (postDllMap [ str ] = = false & & filesystem::exists(filesystem::path(fileFullPath)) && containsIgnoreCase(dllsName, str) == NULL) { 201 + result->postLoadDlls.push_back(_strdup(str)); 202 + postDllMap[str] = true; 203 + } 204 + } 198 205 } 199 206 } 200 207 } skipped 108 lines 309 316 return; 310 317 } 311 318 319 + size_t memorySum(LPVOID shellcode, DWORD fileSize) 320 + { 321 + size_t sum = 0; 322 + for (int i = 0; i < fileSize; i+=0x10) 323 + sum += *(size_t*)((PBYTE)shellcode + i); 324 + return sum; 325 + } 326 + 312 327 BOOL VerifyFileSignature(LPCWSTR filePath) { 313 328 DWORD dwEncoding, dwContentType, dwFormatType; 314 329 HCERTSTORE hStore = NULL; skipped 53 lines 368 383 369 384 ResultInfo* result = new ResultInfo; 370 385 result->filePath = wstring2string(filePath); 386 + result->isCreateWindow = false; 387 + result->isSystemDll = false; 388 + result->fileHash = memorySum(pbFile, dwFileSize); 371 389 372 390 printImportTableInfo(pbFile, result, filePath); 373 391 skipped 234 lines 608 626 indexs[count++] = (size_t)ImportTable; 609 627 } 610 628 629 + DWORD offset = 0; 611 630 if (!isHook && strstr(pName, "kernel32.dll") != NULL) { 612 631 addr = getImportFuncAddr(targetBuffer, ImportTable, "ExitProcess", bit, false, NULL); 613 632 if (addr != 0) { 614 - repairReloc(targetBuffer, clear, 0, oep + 11); 615 - 616 633 if (bit == 64) { 617 - unsigned char hook_data[] = { 0xB9, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 }; 618 - improtFunc = addr - (oep + 11 ); 619 - memcpy((char*)oep_foa_addr, hook_data, 11 ); 634 + unsigned char hook_data[] = { 0x48 , 0x83 , 0xEC , 0x28 , 0xB9, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 }; 635 + improtFunc = addr - (oep + sizeof ( hook_data ) ); 636 + memcpy((char*)oep_foa_addr, hook_data, sizeof ( hook_data ) ); 637 + repairReloc(targetBuffer, clear, 0, oep + sizeof(hook_data)); 638 + offset = 4; 620 639 } 621 640 else { 622 - unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 }; 641 + unsigned char hook_data[] = { 0x83 , 0xEC , 0x14 , 0x68, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 }; 623 642 improtFunc = imageBase + addr; 624 - memcpy((char*)oep_foa_addr, hook_data, 11 ); 643 + memcpy((char*)oep_foa_addr, hook_data, sizeof ( hook_data ) ); 644 + repairReloc(targetBuffer, clear, 0, oep + sizeof(hook_data)); 645 + offset = 3; 625 646 626 - DWORD dataRva[] = { oep + 7 }; 647 + DWORD dataRva[] = { oep + 7 + offset }; 627 648 repairReloc(targetBuffer, dataRva, 1, 0); 628 649 } 629 650 630 - *(PDWORD)(oep_foa_addr + 1) = exitCode; 631 - *(PDWORD)(oep_foa_addr + 7) = improtFunc; 651 + *(PDWORD)(oep_foa_addr + 1 + offset ) = exitCode; 652 + *(PDWORD)(oep_foa_addr + 7 + offset ) = improtFunc; 632 653 isHook = true; 633 654 } 634 655 } 635 656 else if (!isHook && strstr(pName, "ntdll.dll") != NULL) { 636 657 addr = getImportFuncAddr(targetBuffer, ImportTable, "NtTerminateProcess", bit, false, NULL); 637 658 if (addr != 0) { 638 - repairReloc(targetBuffer, clear, 0, oep + 16); 639 - 640 659 if (bit == 64) { 641 - unsigned char hook_data[] = { 0xBA, 0x00, 0x00, 0x00, 0x00, 0xB9, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 }; 642 - improtFunc = addr - (oep + 16 ); 643 - memcpy((char*)oep_foa_addr, hook_data, 16 ); 660 + unsigned char hook_data[] = { 0x48 , 0x83 , 0xEC , 0x28 , 0xBA, 0x00, 0x00, 0x00, 0x00, 0xB9, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 }; 661 + improtFunc = addr - (oep + sizeof ( hook_data ) ); 662 + memcpy((char*)oep_foa_addr, hook_data, sizeof ( hook_data ) ); 663 + repairReloc(targetBuffer, clear, 0, oep + sizeof(hook_data)); 664 + offset = 4; 644 665 } 645 666 else { 646 - unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0x68, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 }; 667 + unsigned char hook_data[] = { 0x83 , 0xEC , 0x14 , 0x68, 0x00, 0x00, 0x00, 0x00, 0x68, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 }; 647 668 improtFunc = imageBase + addr; 648 - memcpy((char*)oep_foa_addr, hook_data, 16 ); 669 + memcpy((char*)oep_foa_addr, hook_data, sizeof ( hook_data ) ); 670 + repairReloc(targetBuffer, clear, 0, oep + sizeof(hook_data)); 671 + offset = 3; 649 672 650 - DWORD dataRva[] = { oep + 12 }; 673 + DWORD dataRva[] = { oep + 12 + offset }; 651 674 repairReloc(targetBuffer, dataRva, 1, 0); 652 675 } 653 676 654 - *(PDWORD)(oep_foa_addr + 1) = exitCode; 655 - *(PDWORD)(oep_foa_addr + 12) = improtFunc; 677 + *(PDWORD)(oep_foa_addr + 1 + offset ) = exitCode; 678 + *(PDWORD)(oep_foa_addr + 12 + offset ) = improtFunc; 656 679 isHook = true; 657 680 } 658 681 } skipped 275 lines 934 957 935 958 if (!std::filesystem::exists(folderPath + "\\test.txt")) 936 959 result->exploitDllPath = ""; 960 + 961 + if (std::filesystem::exists("C:\\Windows\\SysWOW64\\" + result->exploitDllPath) || std::filesystem::exists("C:\\Windows\\System32\\" + result->exploitDllPath)) 962 + result->isSystemDll = true; 937 963 } 938 964 939 965 if (!(c.isSaveFile && result->exploitDllPath != "")) skipped 2 lines