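--- a/SearchAvailableExe/SearchAvailableExe.cpp
+++ b/SearchAvailableExe/SearchAvailableExe.cpp
@@ -58,14 +58,14 @@
 }
 
 bool isUnwanted(const PResultInfo result) {
-int preSize = result->preLoadDlls.size() == 0 ? 999 : result->preLoadDlls.size();
-int postSize = result->postLoadDlls.size() == 0 ? 999 : result->postLoadDlls.size();
+int preSize = result->preLoadDlls.size();
+int postSize = result->postLoadDlls.size();
 
 if (c.isWrite == 1 && result->isWrite == 0)
 return true;
 if ((c.bit == 32 && result->bit != 32) || (c.bit == 64 && result->bit != 64))
 return true;
-if (c.dllCount < preSize && c.dllCount < postSize)
+if (preSize + postSize > c.dllCount)
 return true;
 
 return false;
@@ -148,6 +148,8 @@
 sort(results.begin(), results.end(), compare);
 
 results.erase(std::remove_if(results.begin(), results.end(), isUnwanted), results.end());
+
+*output << "dll信息统计完毕,初步符合要求的白程序有:" << results.size() << "个" << endl;
 
 //运行目标程序,判断是否会加载hook的dll
 RunPE();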
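Review bot: The rewritten filter in isUnwanted changes what `c.dllCount` means without saying so: a result whose two DLL lists are both empty was previously rejected for any `dllCount` below the 999 sentinel and is now always kept (`0 > c.dllCount` is false), and the limit now applies to the combined count rather than to each list. If that is the intent, a one-line comment such as `// dllCount is the maximum total of pre- and post-load DLLs` on the condition would save the next reader from guessing. The `size()` → `int` narrowing on the two assignments is also no longer needed once the sentinel is gone; `const size_t total = result->preLoadDlls.size() + result->postLoadDlls.size();` followed by `if (total > c.dllCount)` avoids it, assuming `c.dllCount` is unsigned (its declaration is outside the hunk, so a signed/unsigned comparison may need a cast). The body of isUnwanted is fully inside the hunk; `c` is defined elsewhere in the file.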
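--- a/SearchAvailableExe/SearchAvailableExe.vcxproj
+++ b/SearchAvailableExe/SearchAvailableExe.vcxproj
@@ -107,12 +107,14 @@
 <ClCompile>
 <WarningLevel>Level3</WarningLevel>
 <SDLCheck>true</SDLCheck>
-<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-<ConformanceMode>true</ConformanceMode>
+<PreprocessorDefinitions>_DEBUG;_CONSOLE;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<ConformanceMode>false</ConformanceMode>
+<LanguageStandard>stdcpp17</LanguageStandard>
 </ClCompile>
 <Link>
 <SubSystem>Console</SubSystem>
 <GenerateDebugInformation>true</GenerateDebugInformation>
+<AdditionalDependencies>Crypt32.lib;%(AdditionalDependencies)</AdditionalDependencies>
 </Link>
 </ItemDefinitionGroup>
 <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">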
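Review bot: Adding `_CRT_SECURE_NO_WARNINGS` silences the C4996 diagnostics for the unbounded CRT calls rather than fixing them, and the Tools.cpp part of this same commit still contains `strcpy(str, name)` through a pointer initialised from a string literal, which is exactly the call that warning points at; keeping the warning on (`SDLCheck` stays `true` in this hunk) and using `strcpy_s` or `std::string` there is the safer route. `ConformanceMode` is switched off in the same hunk while `LanguageStandard` is raised to `stdcpp17`; if the only reason is `char* str = "";` (a string literal bound to a non-const `char*`, which `/permissive-` rejects), changing that one declaration to `const char*` lets conformance mode stay enabled. Only this Debug group is visible; whether the Release|x64 group that begins on the last line received the same `LanguageStandard` and `Crypt32.lib` additions cannot be seen here.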
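--- a/SearchAvailableExe/SearchAvailableExe.vcxproj.user
+++ b/SearchAvailableExe/SearchAvailableExe.vcxproj.user
@@ -1,7 +1,11 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-<LocalDebuggerCommandArguments>-i "D:\software\WPS Office\12.1.0.16399\office6"</LocalDebuggerCommandArguments>
+<LocalDebuggerCommandArguments>-i "D:\Program Files (x86)\VMware\VMware Workstation\tools-upgraders\VMwareToolsUpgrader.exe"</LocalDebuggerCommandArguments>
+<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<LocalDebuggerCommandArguments>-i "D:\Code\TeamWorkspace\beacon\白+黑 嵌入生成"</LocalDebuggerCommandArguments>
 <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
 </PropertyGroup>
 </Project>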
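Review bot: `SearchAvailableExe.vcxproj.user` is a per-developer settings file, and this hunk commits absolute `D:\...` paths from one machine as `LocalDebuggerCommandArguments`; they will differ for every checkout and churn on each developer's edit. The usual practice is to add `*.vcxproj.user` to `.gitignore` and describe the expected `-i <directory>` invocation in the project README instead. The file is shown in full, so nothing else in it is affected.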
    SearchAvailableExe/Tools.cpp
    skipped 56 lines
    57 57   {
    58 58   PIMAGE_NT_HEADERS32 pNtH32 = PIMAGE_NT_HEADERS32((size_t)pDH + pDH->e_lfanew);
    59 59   PIMAGE_OPTIONAL_HEADER32 pOH32 = &pNtH32->OptionalHeader;
    60  - pFile = (PIMAGE_FILE_HEADER)((DWORD)pNtH32 + 4);
    61  - pFirstSection = PIMAGE_SECTION_HEADER((DWORD)pOH32 + pFile->SizeOfOptionalHeader);
     60 + pFile = (PIMAGE_FILE_HEADER)((size_t)pNtH32 + 4);
     61 + pFirstSection = PIMAGE_SECTION_HEADER((size_t)pOH32 + pFile->SizeOfOptionalHeader);
    62 62   
    63 63   if (FOA < pOH32->SizeOfHeaders || pOH32->FileAlignment == pOH32->SectionAlignment) {
    64 64   return FOA;
    skipped 2 lines
    67 67   else {
    68 68   PIMAGE_NT_HEADERS64 pNtH64 = PIMAGE_NT_HEADERS64((size_t)pDH + pDH->e_lfanew);
    69 69   PIMAGE_OPTIONAL_HEADER64 pOH64 = &pNtH64->OptionalHeader;
    70  - pFile = (PIMAGE_FILE_HEADER)((DWORD)pNtH64 + 4);
    71  - pFirstSection = PIMAGE_SECTION_HEADER((DWORD)pOH64 + pFile->SizeOfOptionalHeader);
     70 + pFile = (PIMAGE_FILE_HEADER)((size_t)pNtH64 + 4);
     71 + pFirstSection = PIMAGE_SECTION_HEADER((size_t)pOH64 + pFile->SizeOfOptionalHeader);
    72 72   
    73 73   if (FOA < pOH64->SizeOfHeaders || pOH64->FileAlignment == pOH64->SectionAlignment) {
    74 74   return FOA;
    skipped 11 lines
    86 86   return relSectionFileAdd + pSectionHeader->VirtualAddress;
    87 87   }
    88 88   /*指向下一个节表*/
    89  - pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pSectionHeader + IMAGE_SIZEOF_SECTION_HEADER);
     89 + pSectionHeader = (PIMAGE_SECTION_HEADER)((size_t)pSectionHeader + IMAGE_SIZEOF_SECTION_HEADER);
    90 90   }
    91 91   
    92 92   return 0;
    skipped 179 lines
    272 272   if (!(INT->u1.Ordinal & 0x80000000))
    273 273   {
    274 274   temp = (PIMAGE_IMPORT_BY_NAME)(rvaToFOA(buffer, INT->u1.AddressOfData) + buffer);
    275  - if (containsIgnoreCase(temp->Name, "loadlibrary") != NULL)
    276  - {
    277  - searchDll(buffer, result, filePath, dllsName, fileDir);
     275 + if ((BYTE*)temp == buffer) {
    278 276   break;
    279 277   }
    280  - else if (containsIgnoreCase(temp->Name, "CreateDialogParam") != NULL || containsIgnoreCase(temp->Name, "CreateWindow") != NULL || containsIgnoreCase(temp->Name, "CreateProcess") != NULL)
     278 + else if (containsIgnoreCase(temp->Name, "loadlibrary") != NULL)
    281 279   {
    282  - result->isCreateWindow = true;
     280 + searchDll(buffer, result, filePath, dllsName, fileDir);
    283 281   break;
    284 282   }
    285 283   }
    skipped 136 lines
    422 420   }
    423 421  }
    424 422   
    425  -std::vector<std::string> splitStringWithSemicolon(const std::string& str) {
    426  - std::istringstream iss(str);
    427  - std::vector<std::string> result;
    428  - std::string token;
    429  - 
    430  - while (std::getline(iss, token, ';')) {
    431  - if (!token.empty()) {
    432  - result.push_back(token);
    433  - }
    434  - }
    435  - 
    436  - return result;
    437  -}
    438  - 
    439  -DWORD getImportFuncAddr(char* buffer, PIMAGE_IMPORT_DESCRIPTOR ImportTable, char* name, int bit, bool isExeFile) {
     423 +DWORD getImportFuncAddr(char* buffer, PIMAGE_IMPORT_DESCRIPTOR ImportTable, char* name, int bit) {
    440 424   int THUNK_DATA_SIZE = 4;
    441 425   if (bit == 64)
    442 426   THUNK_DATA_SIZE = 8;
    skipped 6 lines
    449 433   int index = 0;
    450 434   int hookNameLength = strlen(name);
    451 435   char* str = "";
    452  - std::vector<std::string> functionList = splitStringWithSemicolon(name);
    453 436   
    454 437   while (INT->u1.AddressOfData)//当遍历到的是最后一个是时候是会为0,所以随便遍历一个就好
    455 438   {
    456 439   if (!(INT->u1.Ordinal & 0x80000000))
    457 440   {
    458 441   temp = (PIMAGE_IMPORT_BY_NAME)(rvaToFOA(buffer, INT->u1.AddressOfData) + buffer);
    459  -
    460  - for (const auto& func : functionList) {
    461  - if (containsIgnoreCase(temp->Name, func) != 0)
    462  - {
    463  - return foaToRVA(buffer, (DWORD)IAT - (DWORD)buffer + count * THUNK_DATA_SIZE);
    464  - }
     442 + if ((char*)temp == buffer)
     443 + break;
     444 + if (containsIgnoreCase(temp->Name, name) != 0)
     445 + {
     446 + return foaToRVA(buffer, (size_t)IAT - (size_t)buffer + count * THUNK_DATA_SIZE);
    465 447   }
    466 448   
    467 449   if (strlen(temp->Name) >= hookNameLength) {
    skipped 5 lines
    473 455   count++;
    474 456   }
    475 457   
    476  - if (!isExeFile && index > 0) {
     458 + if (index > 0) {
    477 459   memset(str, 0, strlen(str));
    478 460   strcpy(str, name);
    479  - return foaToRVA(buffer, (DWORD)IAT - (DWORD)buffer + index * THUNK_DATA_SIZE);
     461 + return foaToRVA(buffer, (size_t)IAT - (size_t)buffer + index * THUNK_DATA_SIZE);
    480 462   }
    481 463   
    482 464   return 0;
    skipped 54 lines
    537 519   
    538 520  int fixFile(string targetFilePath, DWORD exitCode)
    539 521  {
    540  - bool isExeFile = targetFilePath.back() == 'e' ? true : false;
    541  - 
    542 522   char* targetBuffer;
    543 523   DWORD fileSize = readFileContext(targetFilePath, &targetBuffer);
    544 524   
    545 525   PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)targetBuffer;
    546  - PIMAGE_NT_HEADERS pNtH = (PIMAGE_NT_HEADERS)((DWORD)pDH + pDH->e_lfanew);
    547  - PIMAGE_OPTIONAL_HEADER pOH = &pNtH->OptionalHeader;
    548 526   IMAGE_DATA_DIRECTORY importDirectory;
    549 527   int bit;
    550 528   DWORD imageBase = 0;
    skipped 24 lines
    575 553   DWORD addr;
    576 554   bool isHook = false;
    577 555   
    578  - PIMAGE_IMPORT_DESCRIPTOR ImportTable = PIMAGE_IMPORT_DESCRIPTOR((DWORD)targetBuffer + rvaToFOA(targetBuffer, importDirectory.VirtualAddress));
     556 + PIMAGE_IMPORT_DESCRIPTOR ImportTable = PIMAGE_IMPORT_DESCRIPTOR((size_t)targetBuffer + rvaToFOA(targetBuffer, importDirectory.VirtualAddress));
     557 + PIMAGE_IMPORT_DESCRIPTOR tmp_ImportTable = ImportTable;
     558 + 
     559 + const char* names[] = { "kernel32.dll", "ntdll.dll", "api-ms-win-", "msvcrt.dll", "oleaut32.dll", "user32.dll", "ole32.dll", "vcruntime140.dll", "advapi32.dll", "gdiplus.dll", "shell32.dll", "shlwapi.dll", "comctl32.dll" };
     560 + size_t indexs[100] = { 0 };
     561 + int count = 0;
     562 + DWORD nameSize = sizeof(names) / sizeof(size_t);
    579 563   
    580 564   while (ImportTable->Name)
    581 565   {
    582 566   char* pName = rvaToFOA(targetBuffer, ImportTable->Name) + targetBuffer;
    583 567   str_to_lower(pName);
    584 568   
    585  - if (isExeFile) {
    586  - if (strstr(pName, "user32.dll") != NULL || strstr(pName, "kernel32.dll") != NULL) {
    587  - addr = getImportFuncAddr(targetBuffer, ImportTable, "CreateDialogParam;CreateWindow;CreateProcess", bit, isExeFile);
    588  - if (addr != 0) {
    589  - DWORD textLength;
    590  - BYTE* textData = readSectionData((BYTE*)targetBuffer, &textLength, ".text");
    591  - for (int i = 0; i < textLength; i++) {
    592  - if (*(PWORD)((PBYTE)textData + i) == 0x15FF) {
    593  - DWORD value = *(PDWORD)((PBYTE)textData + i + 2);
    594  - if (bit == 64) {
    595  - if (value = addr - foaToRVA(targetBuffer, ((size_t)textData + i + 6)))
    596  - memset(textData + i, 0x90, 6);
    597  - }
    598  - else {
    599  - if (value == imageBase + addr)
    600  - memset(textData + i, 0x90, 6);
    601  - }
    602  - }
    603  - }
    604  - }
    605  - }
     569 + for (int i = 0; i < nameSize; i++)
     570 + {
     571 + if (strstr(pName, names[i]) != NULL)
     572 + indexs[count++] = (size_t)ImportTable;
    606 573   }
    607  - else {
    608  - if (!isHook && strstr(pName, "kernel32.dll") != NULL) {
    609  - addr = getImportFuncAddr(targetBuffer, ImportTable, "ExitProcess", bit, isExeFile);
    610  - if (addr != 0) {
    611  - repairReloc(targetBuffer, clear, 0, oep + 11);
    612 574   
    613  - if (bit == 64) {
    614  - unsigned char hook_data[] = { 0xB9, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 };
    615  - improtFunc = addr - (oep + 11);
    616  - memcpy((char*)oep_foa_addr, hook_data, 11);
    617  - }
    618  - else {
    619  - unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 };
    620  - improtFunc = imageBase + addr;
    621  - memcpy((char*)oep_foa_addr, hook_data, 11);
     575 + if (!isHook && strstr(pName, "kernel32.dll") != NULL) {
     576 + addr = getImportFuncAddr(targetBuffer, ImportTable, "ExitProcess", bit);
     577 + if (addr != 0) {
     578 + repairReloc(targetBuffer, clear, 0, oep + 11);
    622 579   
    623  - DWORD dataRva[] = { oep + 7 };
    624  - repairReloc(targetBuffer, dataRva, 1, 0);
    625  - }
     580 + if (bit == 64) {
     581 + unsigned char hook_data[] = { 0xB9, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 };
     582 + improtFunc = addr - (oep + 11);
     583 + memcpy((char*)oep_foa_addr, hook_data, 11);
     584 + }
     585 + else {
     586 + unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 };
     587 + improtFunc = imageBase + addr;
     588 + memcpy((char*)oep_foa_addr, hook_data, 11);
    626 589   
    627  - *(PDWORD)(oep_foa_addr + 1) = exitCode;
    628  - *(PDWORD)(oep_foa_addr + 7) = improtFunc;
    629  - isHook = true;
     590 + DWORD dataRva[] = { oep + 7 };
     591 + repairReloc(targetBuffer, dataRva, 1, 0);
    630 592   }
    631  - }
    632  - else if (!isHook && strstr(pName, "ntdll.dll") != NULL) {
    633  - addr = getImportFuncAddr(targetBuffer, ImportTable, "NtTerminateProcess", bit, isExeFile);
    634  - if (addr != 0) {
    635  - repairReloc(targetBuffer, clear, 0, oep + 16);
    636 593   
    637  - if (bit == 64) {
    638  - unsigned char hook_data[] = { 0xBA, 0x00, 0x00, 0x00, 0x00, 0xB9, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 };
    639  - improtFunc = addr - (oep + 16);
    640  - memcpy((char*)oep_foa_addr, hook_data, 16);
    641  - }
    642  - else {
    643  - unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0x68, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 };
    644  - improtFunc = imageBase + addr;
    645  - memcpy((char*)oep_foa_addr, hook_data, 16);
     594 + *(PDWORD)(oep_foa_addr + 1) = exitCode;
     595 + *(PDWORD)(oep_foa_addr + 7) = improtFunc;
     596 + isHook = true;
     597 + }
     598 + }
     599 + else if (!isHook && strstr(pName, "ntdll.dll") != NULL) {
     600 + addr = getImportFuncAddr(targetBuffer, ImportTable, "NtTerminateProcess", bit);
     601 + if (addr != 0) {
     602 + repairReloc(targetBuffer, clear, 0, oep + 16);
    646 603   
    647  - DWORD dataRva[] = { oep + 12 };
    648  - repairReloc(targetBuffer, dataRva, 1, 0);
    649  - }
     604 + if (bit == 64) {
     605 + unsigned char hook_data[] = { 0xBA, 0x00, 0x00, 0x00, 0x00, 0xB9, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 };
     606 + improtFunc = addr - (oep + 16);
     607 + memcpy((char*)oep_foa_addr, hook_data, 16);
     608 + }
     609 + else {
     610 + unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0x68, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 };
     611 + improtFunc = imageBase + addr;
     612 + memcpy((char*)oep_foa_addr, hook_data, 16);
    650 613   
    651  - *(PDWORD)(oep_foa_addr + 1) = exitCode;
    652  - *(PDWORD)(oep_foa_addr + 12) = improtFunc;
    653  - isHook = true;
     614 + DWORD dataRva[] = { oep + 12 };
     615 + repairReloc(targetBuffer, dataRva, 1, 0);
    654 616   }
     617 + 
     618 + *(PDWORD)(oep_foa_addr + 1) = exitCode;
     619 + *(PDWORD)(oep_foa_addr + 12) = improtFunc;
     620 + isHook = true;
    655 621   }
    656 622   }
    657 623   ImportTable++;
    658 624   }
     625 + 
     626 + for (int i = 0; i < count; i++)
     627 + {
     628 + memcpy(tmp_ImportTable, (char*)indexs[i], 0x14);
     629 + tmp_ImportTable++;
     630 + }
     631 + memset(tmp_ImportTable, 0, 0x14);
    659 632   
    660 633   saveFile(targetFilePath, targetBuffer, fileSize);
    661 634   
    skipped 144 lines
    806 779   
    807 780   string folderPath = CreateRandomFolder(currentPath);
    808 781   
    809  - string runFilePath = CopyFileToFolder(result->filePath, folderPath, result->isCreateWindow, NULL);
     782 + string runFilePath = CopyFileToFolder(result->filePath, folderPath, false, NULL);
    810 783   
    811 784   map<DWORD, std::string> hookDllMap;
    812 785   bool flag;
    813 786   DWORD exitCode = 0x22222222;
    814  - if (result->preLoadDlls.size() > 0) {
    815  - flag = result->preLoadDlls.size() <= c.dllCount ? true : false;
    816 787   
    817  - for (const auto& dll : result->preLoadDlls) {
    818  - CopyFileToFolder(result->fileDir + dll, folderPath, flag, exitCode);
    819  - hookDllMap[exitCode] = dll;
    820  - exitCode++;
    821  - }
     788 + for (const auto& dll : result->preLoadDlls) {
     789 + CopyFileToFolder(result->fileDir + dll, folderPath, true, exitCode);
     790 + hookDllMap[exitCode] = dll;
     791 + exitCode++;
    822 792   }
    823 793   
    824  - if (result->postLoadDlls.size() > 0) {
    825  - flag = result->postLoadDlls.size() <= c.dllCount ? true : false;
    826  - 
    827  - for (const auto& dll : result->postLoadDlls) {
    828  - CopyFileToFolder(result->fileDir + dll, folderPath, flag, exitCode);
    829  - hookDllMap[exitCode] = dll;
    830  - exitCode++;
    831  - }
     794 + for (const auto& dll : result->postLoadDlls) {
     795 + CopyFileToFolder(result->fileDir + dll, folderPath, true, exitCode);
     796 + hookDllMap[exitCode] = dll;
     797 + exitCode++;
    832 798   }
    833 799   
    834 800   DWORD retExitCode = TestCreateProcess(runFilePath);
    835 801   result->exploitDllPath = hookDllMap[retExitCode];
    836 802   
    837  - //DeleteDirectory(folderPath.c_str());
     803 + DeleteDirectory(folderPath.c_str());
    838 804   
    839 805   if (result->exploitDllPath == "")
    840 806   it = results.erase(it);
    841 807   else {
    842 808   ++it;
    843  - DeleteDirectory(folderPath.c_str());
     809 + //DeleteDirectory(folderPath.c_str());
    844 810   }
    845 811   }
    846 812  }
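Review bot: In fixFile the new `indexs[100]` array is filled by `indexs[count++] = (size_t)ImportTable;` inside the import-descriptor loop with no check that `count` stays below 100, and because `"api-ms-win-"` in `names` is a prefix that can match many descriptors of a single binary, a large import table writes past the array; guard it with `if (count < 100) indexs[count++] = (size_t)ImportTable;` (or size the array from the descriptor count) and leave the loop once it is full. In the same hunk `nameSize` is computed as `sizeof(names) / sizeof(size_t)`, which only yields the element count because `sizeof(const char*)` happens to equal `sizeof(size_t)` on the Win32 and x64 targets; `sizeof(names) / sizeof(names[0])` (or `std::size(names)` now that the project builds as C++17) states the intent, and comparing it with `int i` mixes signedness. Separately, the getImportFuncAddr hunk relaxes `if (!isExeFile && index > 0)` to `if (index > 0)`, which makes the `strcpy(str, name)` that follows reachable for more inputs while `str` is still the literal `""` from `char* str = "";` — writing through a string literal is undefined behaviour and typically faults on a read-only page, so that copy should go to a caller-provided buffer or be removed if `str` is never read afterwards (not visible here). fixFile's signature is in the first hunk but the function ends past the visible lines.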
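--- a/SearchAvailableExe/Tools.h
+++ b/SearchAvailableExe/Tools.h
@@ -16,7 +16,6 @@
 
 typedef struct {
 bool isWrite;
-bool isCreateWindow;
 string filePath;
 string fileDir;
 int bit;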