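--- a/SearchAvailableExe/Tools.cpp
+++ b/SearchAvailableExe/Tools.cpp
@@ -215,7 +215,7 @@
 return true; // 创建文件成功,目录有写权限
 }
 
-bool printImportTableInfo(BYTE* buffer, PResultInfo result, LPCWSTR filePath)
+void printImportTableInfo(BYTE* buffer, PResultInfo result, LPCWSTR filePath)
 {
 const char* known_dlls[] = {"kernel32", "wow64cpu", "wowarmhw", "xtajit", "advapi32", "clbcatq", "combase", "COMDLG32", "coml2", "difxapi", "gdi32", "gdiplus", "IMAGEHLP", "IMM32", "MSCTF", "MSVCRT", "NORMALIZ", "NSI", "ole32", "OLEAUT32", "PSAPI", "rpcrt4", "sechost", "Setupapi", "SHCORE", "SHELL32", "SHLWAPI", "user32", "WLDAP32", "wow64cpu", "wow64", "wow64base", "wow64con", "wow64win", "WS2_32", "xtajit64"};
 string fileDir = GetDirectoryFromPath(ConvertWideToMultiByte(filePath)) + "\\";
@@ -280,6 +280,11 @@
 searchDll(buffer, result, filePath, dllsName, fileDir);
 break;
 }
+else if (containsIgnoreCase(temp->Name, "CreateDialogParam") != NULL || containsIgnoreCase(temp->Name, "CreateWindow") != NULL || containsIgnoreCase(temp->Name, "CreateProcess") != NULL)
+{
+result->isCreateWindow = true;
+break;
+}
 }
 INT = PIMAGE_THUNK_DATA((PBYTE)INT + THUNK_DATA_SIZE);//INT在INT数组中下移
 count++;
@@ -297,7 +302,7 @@
 
 free(dllsName);
 
-return true;
+return;
 }
 
 BOOL VerifyFileSignature(LPCWSTR filePath) {
@@ -360,9 +365,9 @@
 ResultInfo* result = new ResultInfo;
 result->filePath = wstring2string(filePath);
 
-bool ret = printImportTableInfo(pbFile, result, filePath);
+printImportTableInfo(pbFile, result, filePath);
 
-if (ret && result->preLoadDlls.size() > 0 || result->postLoadDlls.size() > 0) {
+if (result->preLoadDlls.size() > 0 || result->postLoadDlls.size() > 0) {
 {
 std::lock_guard<std::mutex> lock(mtx);
 results.push_back(result);
@@ -420,7 +425,7 @@
 }
 }
 
-DWORD getImportFuncAddr(char* buffer, PIMAGE_IMPORT_DESCRIPTOR ImportTable, char* name, int bit) {
+DWORD getImportFuncAddr(char* buffer, PIMAGE_IMPORT_DESCRIPTOR ImportTable, char* name, int bit, bool isExeFile, bool isUserDll) {
 int THUNK_DATA_SIZE = 4;
 if (bit == 64)
 THUNK_DATA_SIZE = 8;
@@ -443,7 +448,16 @@
 break;
 if (containsIgnoreCase(temp->Name, name) != 0)
 {
-return foaToRVA(buffer, (size_t)IAT - (size_t)buffer + count * THUNK_DATA_SIZE);
+if (isExeFile) {
+memset(temp->Name, 0, strlen(temp->Name));
+
+if (isUserDll)
+strcpy(temp->Name, "ShowWindow");
+else
+strcpy(temp->Name, "GetLastError");
+}
+else
+return foaToRVA(buffer, (size_t)IAT - (size_t)buffer + count * THUNK_DATA_SIZE);
 }
 
 if (strlen(temp->Name) >= hookNameLength) {
@@ -455,7 +469,7 @@
 count++;
 }
 
-if (index > 0) {
+if (!isExeFile && index > 0) {
 memset(str, 0, strlen(str));
 strcpy(str, name);
 return foaToRVA(buffer, (size_t)IAT - (size_t)buffer + index * THUNK_DATA_SIZE);
@@ -519,6 +533,8 @@
 
 int fixFile(string targetFilePath, DWORD exitCode)
 {
+bool isExeFile = targetFilePath.back() == 'e' ? true : false;
+
 char* targetBuffer;
 DWORD fileSize = readFileContext(targetFilePath, &targetBuffer);
 
@@ -566,69 +582,82 @@
 char* pName = rvaToFOA(targetBuffer, ImportTable->Name) + targetBuffer;
 str_to_lower(pName);
 
-for (int i = 0; i < nameSize; i++)
-{
-if (strstr(pName, names[i]) != NULL)
-indexs[count++] = (size_t)ImportTable;
+if (isExeFile) {
+//替换掉创建窗口的函数
+if (strstr(pName, "user32.dll") != NULL) {
+getImportFuncAddr(targetBuffer, ImportTable, "Create", bit, true, true);
+}
+else if (strstr(pName, "kernel32.dll") != NULL) {
+getImportFuncAddr(targetBuffer, ImportTable, "CreateProcess", bit, true, false);
+}
 }
+else {
+for (int i = 0; i < nameSize; i++)
+{
+if (strstr(pName, names[i]) != NULL)
+indexs[count++] = (size_t)ImportTable;
+}
 
-if (!isHook && strstr(pName, "kernel32.dll") != NULL) {
-addr = getImportFuncAddr(targetBuffer, ImportTable, "ExitProcess", bit);
-if (addr != 0) {
-repairReloc(targetBuffer, clear, 0, oep + 11);
+if (!isHook && strstr(pName, "kernel32.dll") != NULL) {
+addr = getImportFuncAddr(targetBuffer, ImportTable, "ExitProcess", bit, false, NULL);
+if (addr != 0) {
+repairReloc(targetBuffer, clear, 0, oep + 11);
+
+if (bit == 64) {
+unsigned char hook_data[] = { 0xB9, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 };
+improtFunc = addr - (oep + 11);
+memcpy((char*)oep_foa_addr, hook_data, 11);
+}
+else {
+unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 };
+improtFunc = imageBase + addr;
+memcpy((char*)oep_foa_addr, hook_data, 11);
 
-if (bit == 64) {
-unsigned char hook_data[] = { 0xB9, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 };
-improtFunc = addr - (oep + 11);
-memcpy((char*)oep_foa_addr, hook_data, 11);
-}
-else {
-unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 };
-improtFunc = imageBase + addr;
-memcpy((char*)oep_foa_addr, hook_data, 11);
+DWORD dataRva[] = { oep + 7 };
+repairReloc(targetBuffer, dataRva, 1, 0);
+}
 
-DWORD dataRva[] = { oep + 7 };
-repairReloc(targetBuffer, dataRva, 1, 0);
+*(PDWORD)(oep_foa_addr + 1) = exitCode;
+*(PDWORD)(oep_foa_addr + 7) = improtFunc;
+isHook = true;
 }
-
-*(PDWORD)(oep_foa_addr + 1) = exitCode;
-*(PDWORD)(oep_foa_addr + 7) = improtFunc;
-isHook = true;
 }
-}
-else if (!isHook && strstr(pName, "ntdll.dll") != NULL) {
-addr = getImportFuncAddr(targetBuffer, ImportTable, "NtTerminateProcess", bit);
-if (addr != 0) {
-repairReloc(targetBuffer, clear, 0, oep + 16);
+else if (!isHook && strstr(pName, "ntdll.dll") != NULL) {
+addr = getImportFuncAddr(targetBuffer, ImportTable, "NtTerminateProcess", bit, false, NULL);
+if (addr != 0) {
+repairReloc(targetBuffer, clear, 0, oep + 16);
 
-if (bit == 64) {
-unsigned char hook_data[] = { 0xBA, 0x00, 0x00, 0x00, 0x00, 0xB9, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 };
-improtFunc = addr - (oep + 16);
-memcpy((char*)oep_foa_addr, hook_data, 16);
-}
-else {
-unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0x68, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 };
-improtFunc = imageBase + addr;
-memcpy((char*)oep_foa_addr, hook_data, 16);
+if (bit == 64) {
+unsigned char hook_data[] = { 0xBA, 0x00, 0x00, 0x00, 0x00, 0xB9, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 };
+improtFunc = addr - (oep + 16);
+memcpy((char*)oep_foa_addr, hook_data, 16);
+}
+else {
+unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0x68, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 };
+improtFunc = imageBase + addr;
+memcpy((char*)oep_foa_addr, hook_data, 16);
 
-DWORD dataRva[] = { oep + 12 };
-repairReloc(targetBuffer, dataRva, 1, 0);
-}
+DWORD dataRva[] = { oep + 12 };
+repairReloc(targetBuffer, dataRva, 1, 0);
+}
 
-*(PDWORD)(oep_foa_addr + 1) = exitCode;
-*(PDWORD)(oep_foa_addr + 12) = improtFunc;
-isHook = true;
+*(PDWORD)(oep_foa_addr + 1) = exitCode;
+*(PDWORD)(oep_foa_addr + 12) = improtFunc;
+isHook = true;
+}
 }
 }
 ImportTable++;
 }
 
-for (int i = 0; i < count; i++)
-{
-memcpy(tmp_ImportTable, (char*)indexs[i], 0x14);
-tmp_ImportTable++;
+if (!isExeFile) {
+for (int i = 0; i < count; i++)
+{
+memcpy(tmp_ImportTable, (char*)indexs[i], 0x14);
+tmp_ImportTable++;
+}
+memset(tmp_ImportTable, 0, 0x14);
 }
-memset(tmp_ImportTable, 0, 0x14);
 
 saveFile(targetFilePath, targetBuffer, fileSize);
 
@@ -779,7 +808,7 @@
 
 string folderPath = CreateRandomFolder(currentPath);
 
-string runFilePath = CopyFileToFolder(result->filePath, folderPath, false, NULL);
+string runFilePath = CopyFileToFolder(result->filePath, folderPath, result->isCreateWindow, NULL);
 
 map<DWORD, std::string> hookDllMap;
 bool flag;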
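Review bot: The `isExeFile` branch added at new lines 451-458 copies a fixed replacement over `temp->Name` with `strcpy` without checking that it fits in the original name's slot, so a matched import whose name is shorter than "ShowWindow" or "GetLastError" overruns into whatever follows the name in the buffer (presumably the next import-by-name entry), and that corrupted buffer is later written out by `saveFile`. Guard it before the memset, e.g. `const char* repl = isUserDll ? "ShowWindow" : "GetLastError";` followed by `if (strlen(repl) <= strlen(temp->Name)) { memset(temp->Name, 0, strlen(temp->Name)); strcpy(temp->Name, repl); }`. The flag that selects this branch is computed in fixFile at new line 536 as `targetFilePath.back() == 'e' ? true : false`, which is undefined behaviour on an empty path and treats any name ending in `e` as an executable; comparing the lowercased `.exe` suffix would be safer, and the `? true : false` is redundant. The calls at new lines 602 and 626 pass `NULL` where a `bool` parameter is expected — `false` states the intent. `getImportFuncAddr`'s body continues outside the hunk.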
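--- a/SearchAvailableExe/Tools.h
+++ b/SearchAvailableExe/Tools.h
@@ -21,6 +21,7 @@
 string filePath;
 string fileDir;
 int bit;
+bool isCreateWindow;
 vector<char*> preLoadDlls;
 vector<char*> postLoadDlls;
 string exploitDllPath;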
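Review bot: `isCreateWindow` is added at new line 24 with no default initializer, and Tools.cpp allocates the struct with `new ResultInfo` (default-initialization, no zeroing) and, in the hunks visible on this page, only ever assigns `true` to the field, so a file that never reaches that branch hands an indeterminate value to `CopyFileToFolder`. Initialize it in-class, `bool isCreateWindow{false};`, so the field has a defined value regardless of which path printImportTableInfo takes. The struct's declaration and closing brace lie outside the hunk.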