| skipped 56 lines |
57 | 57 | | { |
58 | 58 | | PIMAGE_NT_HEADERS32 pNtH32 = PIMAGE_NT_HEADERS32((size_t)pDH + pDH->e_lfanew); |
59 | 59 | | PIMAGE_OPTIONAL_HEADER32 pOH32 = &pNtH32->OptionalHeader; |
60 | | - | pFile = (PIMAGE_FILE_HEADER)((DWORD)pNtH32 + 4); |
61 | | - | pFirstSection = PIMAGE_SECTION_HEADER((DWORD)pOH32 + pFile->SizeOfOptionalHeader); |
| 60 | + | pFile = (PIMAGE_FILE_HEADER)((size_t)pNtH32 + 4); |
| 61 | + | pFirstSection = PIMAGE_SECTION_HEADER((size_t)pOH32 + pFile->SizeOfOptionalHeader); |
62 | 62 | | |
63 | 63 | | if (FOA < pOH32->SizeOfHeaders || pOH32->FileAlignment == pOH32->SectionAlignment) { |
64 | 64 | | return FOA; |
| skipped 2 lines |
67 | 67 | | else { |
68 | 68 | | PIMAGE_NT_HEADERS64 pNtH64 = PIMAGE_NT_HEADERS64((size_t)pDH + pDH->e_lfanew); |
69 | 69 | | PIMAGE_OPTIONAL_HEADER64 pOH64 = &pNtH64->OptionalHeader; |
70 | | - | pFile = (PIMAGE_FILE_HEADER)((DWORD)pNtH64 + 4); |
71 | | - | pFirstSection = PIMAGE_SECTION_HEADER((DWORD)pOH64 + pFile->SizeOfOptionalHeader); |
| 70 | + | pFile = (PIMAGE_FILE_HEADER)((size_t)pNtH64 + 4); |
| 71 | + | pFirstSection = PIMAGE_SECTION_HEADER((size_t)pOH64 + pFile->SizeOfOptionalHeader); |
72 | 72 | | |
73 | 73 | | if (FOA < pOH64->SizeOfHeaders || pOH64->FileAlignment == pOH64->SectionAlignment) { |
74 | 74 | | return FOA; |
| skipped 11 lines |
86 | 86 | | return relSectionFileAdd + pSectionHeader->VirtualAddress; |
87 | 87 | | } |
88 | 88 | | /*指向下一个节表*/ |
89 | | - | pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pSectionHeader + IMAGE_SIZEOF_SECTION_HEADER); |
| 89 | + | pSectionHeader = (PIMAGE_SECTION_HEADER)((size_t)pSectionHeader + IMAGE_SIZEOF_SECTION_HEADER); |
90 | 90 | | } |
91 | 91 | | |
92 | 92 | | return 0; |
| skipped 179 lines |
272 | 272 | | if (!(INT->u1.Ordinal & 0x80000000)) |
273 | 273 | | { |
274 | 274 | | temp = (PIMAGE_IMPORT_BY_NAME)(rvaToFOA(buffer, INT->u1.AddressOfData) + buffer); |
275 | | - | if (containsIgnoreCase(temp->Name, "loadlibrary") != NULL) |
276 | | - | { |
277 | | - | searchDll(buffer, result, filePath, dllsName, fileDir); |
| 275 | + | if ((BYTE*)temp == buffer) { |
278 | 276 | | break; |
279 | 277 | | } |
280 | | - | else if (containsIgnoreCase(temp->Name, "CreateDialogParam") != NULL || containsIgnoreCase(temp->Name, "CreateWindow") != NULL || containsIgnoreCase(temp->Name, "CreateProcess") != NULL) |
| 278 | + | else if (containsIgnoreCase(temp->Name, "loadlibrary") != NULL) |
281 | 279 | | { |
282 | | - | result->isCreateWindow = true; |
| 280 | + | searchDll(buffer, result, filePath, dllsName, fileDir); |
283 | 281 | | break; |
284 | 282 | | } |
285 | 283 | | } |
| skipped 136 lines |
422 | 420 | | } |
423 | 421 | | } |
424 | 422 | | |
425 | | - | std::vector<std::string> splitStringWithSemicolon(const std::string& str) { |
426 | | - | std::istringstream iss(str); |
427 | | - | std::vector<std::string> result; |
428 | | - | std::string token; |
429 | | - | |
430 | | - | while (std::getline(iss, token, ';')) { |
431 | | - | if (!token.empty()) { |
432 | | - | result.push_back(token); |
433 | | - | } |
434 | | - | } |
435 | | - | |
436 | | - | return result; |
437 | | - | } |
438 | | - | |
439 | | - | DWORD getImportFuncAddr(char* buffer, PIMAGE_IMPORT_DESCRIPTOR ImportTable, char* name, int bit, bool isExeFile) { |
| 423 | + | DWORD getImportFuncAddr(char* buffer, PIMAGE_IMPORT_DESCRIPTOR ImportTable, char* name, int bit) { |
440 | 424 | | int THUNK_DATA_SIZE = 4; |
441 | 425 | | if (bit == 64) |
442 | 426 | | THUNK_DATA_SIZE = 8; |
| skipped 6 lines |
449 | 433 | | int index = 0; |
450 | 434 | | int hookNameLength = strlen(name); |
451 | 435 | | char* str = ""; |
452 | | - | std::vector<std::string> functionList = splitStringWithSemicolon(name); |
453 | 436 | | |
454 | 437 | | while (INT->u1.AddressOfData)//当遍历到的是最后一个是时候是会为0,所以随便遍历一个就好 |
455 | 438 | | { |
456 | 439 | | if (!(INT->u1.Ordinal & 0x80000000)) |
457 | 440 | | { |
458 | 441 | | temp = (PIMAGE_IMPORT_BY_NAME)(rvaToFOA(buffer, INT->u1.AddressOfData) + buffer); |
459 | | - | |
460 | | - | for (const auto& func : functionList) { |
461 | | - | if (containsIgnoreCase(temp->Name, func) != 0) |
462 | | - | { |
463 | | - | return foaToRVA(buffer, (DWORD)IAT - (DWORD)buffer + count * THUNK_DATA_SIZE); |
464 | | - | } |
| 442 | + | if ((char*)temp == buffer) |
| 443 | + | break; |
| 444 | + | if (containsIgnoreCase(temp->Name, name) != 0) |
| 445 | + | { |
| 446 | + | return foaToRVA(buffer, (size_t)IAT - (size_t)buffer + count * THUNK_DATA_SIZE); |
465 | 447 | | } |
466 | 448 | | |
467 | 449 | | if (strlen(temp->Name) >= hookNameLength) { |
| skipped 5 lines |
473 | 455 | | count++; |
474 | 456 | | } |
475 | 457 | | |
476 | | - | if (!isExeFile && index > 0) { |
| 458 | + | if (index > 0) { |
477 | 459 | | memset(str, 0, strlen(str)); |
478 | 460 | | strcpy(str, name); |
479 | | - | return foaToRVA(buffer, (DWORD)IAT - (DWORD)buffer + index * THUNK_DATA_SIZE); |
| 461 | + | return foaToRVA(buffer, (size_t)IAT - (size_t)buffer + index * THUNK_DATA_SIZE); |
480 | 462 | | } |
481 | 463 | | |
482 | 464 | | return 0; |
| skipped 54 lines |
537 | 519 | | |
538 | 520 | | int fixFile(string targetFilePath, DWORD exitCode) |
539 | 521 | | { |
540 | | - | bool isExeFile = targetFilePath.back() == 'e' ? true : false; |
541 | | - | |
542 | 522 | | char* targetBuffer; |
543 | 523 | | DWORD fileSize = readFileContext(targetFilePath, &targetBuffer); |
544 | 524 | | |
545 | 525 | | PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)targetBuffer; |
546 | | - | PIMAGE_NT_HEADERS pNtH = (PIMAGE_NT_HEADERS)((DWORD)pDH + pDH->e_lfanew); |
547 | | - | PIMAGE_OPTIONAL_HEADER pOH = &pNtH->OptionalHeader; |
548 | 526 | | IMAGE_DATA_DIRECTORY importDirectory; |
549 | 527 | | int bit; |
550 | 528 | | DWORD imageBase = 0; |
| skipped 24 lines |
575 | 553 | | DWORD addr; |
576 | 554 | | bool isHook = false; |
577 | 555 | | |
578 | | - | PIMAGE_IMPORT_DESCRIPTOR ImportTable = PIMAGE_IMPORT_DESCRIPTOR((DWORD)targetBuffer + rvaToFOA(targetBuffer, importDirectory.VirtualAddress)); |
| 556 | + | PIMAGE_IMPORT_DESCRIPTOR ImportTable = PIMAGE_IMPORT_DESCRIPTOR((size_t)targetBuffer + rvaToFOA(targetBuffer, importDirectory.VirtualAddress)); |
| 557 | + | PIMAGE_IMPORT_DESCRIPTOR tmp_ImportTable = ImportTable; |
| 558 | + | |
| 559 | + | const char* names[] = { "kernel32.dll", "ntdll.dll", "api-ms-win-", "msvcrt.dll", "oleaut32.dll", "user32.dll", "ole32.dll", "vcruntime140.dll", "advapi32.dll", "gdiplus.dll", "shell32.dll", "shlwapi.dll", "comctl32.dll" }; |
| 560 | + | size_t indexs[100] = { 0 }; |
| 561 | + | int count = 0; |
| 562 | + | DWORD nameSize = sizeof(names) / sizeof(size_t); |
579 | 563 | | |
580 | 564 | | while (ImportTable->Name) |
581 | 565 | | { |
582 | 566 | | char* pName = rvaToFOA(targetBuffer, ImportTable->Name) + targetBuffer; |
583 | 567 | | str_to_lower(pName); |
584 | 568 | | |
585 | | - | if (isExeFile) { |
586 | | - | if (strstr(pName, "user32.dll") != NULL || strstr(pName, "kernel32.dll") != NULL) { |
587 | | - | addr = getImportFuncAddr(targetBuffer, ImportTable, "CreateDialogParam;CreateWindow;CreateProcess", bit, isExeFile); |
588 | | - | if (addr != 0) { |
589 | | - | DWORD textLength; |
590 | | - | BYTE* textData = readSectionData((BYTE*)targetBuffer, &textLength, ".text"); |
591 | | - | for (int i = 0; i < textLength; i++) { |
592 | | - | if (*(PWORD)((PBYTE)textData + i) == 0x15FF) { |
593 | | - | DWORD value = *(PDWORD)((PBYTE)textData + i + 2); |
594 | | - | if (bit == 64) { |
595 | | - | if (value = addr - foaToRVA(targetBuffer, ((size_t)textData + i + 6))) |
596 | | - | memset(textData + i, 0x90, 6); |
597 | | - | } |
598 | | - | else { |
599 | | - | if (value == imageBase + addr) |
600 | | - | memset(textData + i, 0x90, 6); |
601 | | - | } |
602 | | - | } |
603 | | - | } |
604 | | - | } |
605 | | - | } |
| 569 | + | for (int i = 0; i < nameSize; i++) |
| 570 | + | { |
| 571 | + | if (strstr(pName, names[i]) != NULL) |
| 572 | + | indexs[count++] = (size_t)ImportTable; |
606 | 573 | | } |
607 | | - | else { |
608 | | - | if (!isHook && strstr(pName, "kernel32.dll") != NULL) { |
609 | | - | addr = getImportFuncAddr(targetBuffer, ImportTable, "ExitProcess", bit, isExeFile); |
610 | | - | if (addr != 0) { |
611 | | - | repairReloc(targetBuffer, clear, 0, oep + 11); |
612 | 574 | | |
613 | | - | if (bit == 64) { |
614 | | - | unsigned char hook_data[] = { 0xB9, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 }; |
615 | | - | improtFunc = addr - (oep + 11); |
616 | | - | memcpy((char*)oep_foa_addr, hook_data, 11); |
617 | | - | } |
618 | | - | else { |
619 | | - | unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 }; |
620 | | - | improtFunc = imageBase + addr; |
621 | | - | memcpy((char*)oep_foa_addr, hook_data, 11); |
| 575 | + | if (!isHook && strstr(pName, "kernel32.dll") != NULL) { |
| 576 | + | addr = getImportFuncAddr(targetBuffer, ImportTable, "ExitProcess", bit); |
| 577 | + | if (addr != 0) { |
| 578 | + | repairReloc(targetBuffer, clear, 0, oep + 11); |
622 | 579 | | |
623 | | - | DWORD dataRva[] = { oep + 7 }; |
624 | | - | repairReloc(targetBuffer, dataRva, 1, 0); |
625 | | - | } |
| 580 | + | if (bit == 64) { |
| 581 | + | unsigned char hook_data[] = { 0xB9, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 }; |
| 582 | + | improtFunc = addr - (oep + 11); |
| 583 | + | memcpy((char*)oep_foa_addr, hook_data, 11); |
| 584 | + | } |
| 585 | + | else { |
| 586 | + | unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 }; |
| 587 | + | improtFunc = imageBase + addr; |
| 588 | + | memcpy((char*)oep_foa_addr, hook_data, 11); |
626 | 589 | | |
627 | | - | *(PDWORD)(oep_foa_addr + 1) = exitCode; |
628 | | - | *(PDWORD)(oep_foa_addr + 7) = improtFunc; |
629 | | - | isHook = true; |
| 590 | + | DWORD dataRva[] = { oep + 7 }; |
| 591 | + | repairReloc(targetBuffer, dataRva, 1, 0); |
630 | 592 | | } |
631 | | - | } |
632 | | - | else if (!isHook && strstr(pName, "ntdll.dll") != NULL) { |
633 | | - | addr = getImportFuncAddr(targetBuffer, ImportTable, "NtTerminateProcess", bit, isExeFile); |
634 | | - | if (addr != 0) { |
635 | | - | repairReloc(targetBuffer, clear, 0, oep + 16); |
636 | 593 | | |
637 | | - | if (bit == 64) { |
638 | | - | unsigned char hook_data[] = { 0xBA, 0x00, 0x00, 0x00, 0x00, 0xB9, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 }; |
639 | | - | improtFunc = addr - (oep + 16); |
640 | | - | memcpy((char*)oep_foa_addr, hook_data, 16); |
641 | | - | } |
642 | | - | else { |
643 | | - | unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0x68, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 }; |
644 | | - | improtFunc = imageBase + addr; |
645 | | - | memcpy((char*)oep_foa_addr, hook_data, 16); |
| 594 | + | *(PDWORD)(oep_foa_addr + 1) = exitCode; |
| 595 | + | *(PDWORD)(oep_foa_addr + 7) = improtFunc; |
| 596 | + | isHook = true; |
| 597 | + | } |
| 598 | + | } |
| 599 | + | else if (!isHook && strstr(pName, "ntdll.dll") != NULL) { |
| 600 | + | addr = getImportFuncAddr(targetBuffer, ImportTable, "NtTerminateProcess", bit); |
| 601 | + | if (addr != 0) { |
| 602 | + | repairReloc(targetBuffer, clear, 0, oep + 16); |
646 | 603 | | |
647 | | - | DWORD dataRva[] = { oep + 12 }; |
648 | | - | repairReloc(targetBuffer, dataRva, 1, 0); |
649 | | - | } |
| 604 | + | if (bit == 64) { |
| 605 | + | unsigned char hook_data[] = { 0xBA, 0x00, 0x00, 0x00, 0x00, 0xB9, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 }; |
| 606 | + | improtFunc = addr - (oep + 16); |
| 607 | + | memcpy((char*)oep_foa_addr, hook_data, 16); |
| 608 | + | } |
| 609 | + | else { |
| 610 | + | unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0x68, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 }; |
| 611 | + | improtFunc = imageBase + addr; |
| 612 | + | memcpy((char*)oep_foa_addr, hook_data, 16); |
650 | 613 | | |
651 | | - | *(PDWORD)(oep_foa_addr + 1) = exitCode; |
652 | | - | *(PDWORD)(oep_foa_addr + 12) = improtFunc; |
653 | | - | isHook = true; |
| 614 | + | DWORD dataRva[] = { oep + 12 }; |
| 615 | + | repairReloc(targetBuffer, dataRva, 1, 0); |
654 | 616 | | } |
| 617 | + | |
| 618 | + | *(PDWORD)(oep_foa_addr + 1) = exitCode; |
| 619 | + | *(PDWORD)(oep_foa_addr + 12) = improtFunc; |
| 620 | + | isHook = true; |
655 | 621 | | } |
656 | 622 | | } |
657 | 623 | | ImportTable++; |
658 | 624 | | } |
| 625 | + | |
| 626 | + | for (int i = 0; i < count; i++) |
| 627 | + | { |
| 628 | + | memcpy(tmp_ImportTable, (char*)indexs[i], 0x14); |
| 629 | + | tmp_ImportTable++; |
| 630 | + | } |
| 631 | + | memset(tmp_ImportTable, 0, 0x14); |
659 | 632 | | |
660 | 633 | | saveFile(targetFilePath, targetBuffer, fileSize); |
661 | 634 | | |
| skipped 144 lines |
806 | 779 | | |
807 | 780 | | string folderPath = CreateRandomFolder(currentPath); |
808 | 781 | | |
809 | | - | string runFilePath = CopyFileToFolder(result->filePath, folderPath, result->isCreateWindow, NULL); |
| 782 | + | string runFilePath = CopyFileToFolder(result->filePath, folderPath, false, NULL); |
810 | 783 | | |
811 | 784 | | map<DWORD, std::string> hookDllMap; |
812 | 785 | | bool flag; |
813 | 786 | | DWORD exitCode = 0x22222222; |
814 | | - | if (result->preLoadDlls.size() > 0) { |
815 | | - | flag = result->preLoadDlls.size() <= c.dllCount ? true : false; |
816 | 787 | | |
817 | | - | for (const auto& dll : result->preLoadDlls) { |
818 | | - | CopyFileToFolder(result->fileDir + dll, folderPath, flag, exitCode); |
819 | | - | hookDllMap[exitCode] = dll; |
820 | | - | exitCode++; |
821 | | - | } |
| 788 | + | for (const auto& dll : result->preLoadDlls) { |
| 789 | + | CopyFileToFolder(result->fileDir + dll, folderPath, true, exitCode); |
| 790 | + | hookDllMap[exitCode] = dll; |
| 791 | + | exitCode++; |
822 | 792 | | } |
823 | 793 | | |
824 | | - | if (result->postLoadDlls.size() > 0) { |
825 | | - | flag = result->postLoadDlls.size() <= c.dllCount ? true : false; |
826 | | - | |
827 | | - | for (const auto& dll : result->postLoadDlls) { |
828 | | - | CopyFileToFolder(result->fileDir + dll, folderPath, flag, exitCode); |
829 | | - | hookDllMap[exitCode] = dll; |
830 | | - | exitCode++; |
831 | | - | } |
| 794 | + | for (const auto& dll : result->postLoadDlls) { |
| 795 | + | CopyFileToFolder(result->fileDir + dll, folderPath, true, exitCode); |
| 796 | + | hookDllMap[exitCode] = dll; |
| 797 | + | exitCode++; |
832 | 798 | | } |
833 | 799 | | |
834 | 800 | | DWORD retExitCode = TestCreateProcess(runFilePath); |
835 | 801 | | result->exploitDllPath = hookDllMap[retExitCode]; |
836 | 802 | | |
837 | | - | //DeleteDirectory(folderPath.c_str()); |
| 803 | + | DeleteDirectory(folderPath.c_str()); |
838 | 804 | | |
839 | 805 | | if (result->exploitDllPath == "") |
840 | 806 | | it = results.erase(it); |
841 | 807 | | else { |
842 | 808 | | ++it; |
843 | | - | DeleteDirectory(folderPath.c_str()); |
| 809 | + | //DeleteDirectory(folderPath.c_str()); |
844 | 810 | | } |
845 | 811 | | } |
846 | 812 | | } |
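Review bot: `indexs[count++] = (size_t)ImportTable;` (new lines 569–572 in fixFile) writes into the fixed `size_t indexs[100]` with no bound on `count`, and the buffer being parsed is an arbitrary PE file the tool did not produce, so an import directory with more than 100 descriptors matching the `names` list overruns the stack array; a descriptor is also recorded more than once if it matches several patterns. Guard it and stop at the first match: `if (strstr(pName, names[i]) != NULL && count < sizeof(indexs) / sizeof(indexs[0])) { indexs[count++] = (size_t)ImportTable; break; }`. On new line 562 `sizeof(names) / sizeof(size_t)` only yields the right element count because `sizeof(const char*)` happens to equal `sizeof(size_t)`; `sizeof(names) / sizeof(names[0])` states the intent and survives a change of element type. The compaction on new lines 628–631 hard-codes `0x14` where `sizeof(IMAGE_IMPORT_DESCRIPTOR)` is meant, and because source and destination coincide for kept entries that are already in place, `memmove` is the correct call rather than `memcpy`. fixFile's body continues past the visible lines.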