| skipped 214 lines |
215 | 215 | | return true; // 创建文件成功,目录有写权限 |
216 | 216 | | } |
217 | 217 | | |
218 | | - | bool printImportTableInfo(BYTE* buffer, PResultInfo result, LPCWSTR filePath) |
| 218 | + | void printImportTableInfo(BYTE* buffer, PResultInfo result, LPCWSTR filePath) |
219 | 219 | | { |
220 | 220 | | const char* known_dlls[] = {"kernel32", "wow64cpu", "wowarmhw", "xtajit", "advapi32", "clbcatq", "combase", "COMDLG32", "coml2", "difxapi", "gdi32", "gdiplus", "IMAGEHLP", "IMM32", "MSCTF", "MSVCRT", "NORMALIZ", "NSI", "ole32", "OLEAUT32", "PSAPI", "rpcrt4", "sechost", "Setupapi", "SHCORE", "SHELL32", "SHLWAPI", "user32", "WLDAP32", "wow64cpu", "wow64", "wow64base", "wow64con", "wow64win", "WS2_32", "xtajit64"}; |
221 | 221 | | string fileDir = GetDirectoryFromPath(ConvertWideToMultiByte(filePath)) + "\\"; |
| skipped 58 lines |
280 | 280 | | searchDll(buffer, result, filePath, dllsName, fileDir); |
281 | 281 | | break; |
282 | 282 | | } |
| 283 | + | else if (containsIgnoreCase(temp->Name, "CreateDialogParam") != NULL || containsIgnoreCase(temp->Name, "CreateWindow") != NULL || containsIgnoreCase(temp->Name, "CreateProcess") != NULL) |
| 284 | + | { |
| 285 | + | result->isCreateWindow = true; |
| 286 | + | break; |
| 287 | + | } |
283 | 288 | | } |
284 | 289 | | INT = PIMAGE_THUNK_DATA((PBYTE)INT + THUNK_DATA_SIZE);//INT在INT数组中下移 |
285 | 290 | | count++; |
| skipped 11 lines |
297 | 302 | | |
298 | 303 | | free(dllsName); |
299 | 304 | | |
300 | | - | return true; |
| 305 | + | return; |
301 | 306 | | } |
302 | 307 | | |
303 | 308 | | BOOL VerifyFileSignature(LPCWSTR filePath) { |
| skipped 56 lines |
360 | 365 | | ResultInfo* result = new ResultInfo; |
361 | 366 | | result->filePath = wstring2string(filePath); |
362 | 367 | | |
363 | | - | bool ret = printImportTableInfo(pbFile, result, filePath); |
| 368 | + | printImportTableInfo(pbFile, result, filePath); |
364 | 369 | | |
365 | | - | if (ret && result->preLoadDlls.size() > 0 || result->postLoadDlls.size() > 0) { |
| 370 | + | if (result->preLoadDlls.size() > 0 || result->postLoadDlls.size() > 0) { |
366 | 371 | | { |
367 | 372 | | std::lock_guard<std::mutex> lock(mtx); |
368 | 373 | | results.push_back(result); |
| skipped 51 lines |
420 | 425 | | } |
421 | 426 | | } |
422 | 427 | | |
423 | | - | DWORD getImportFuncAddr(char* buffer, PIMAGE_IMPORT_DESCRIPTOR ImportTable, char* name, int bit) { |
| 428 | + | DWORD getImportFuncAddr(char* buffer, PIMAGE_IMPORT_DESCRIPTOR ImportTable, char* name, int bit, bool isExeFile, bool isUserDll) { |
424 | 429 | | int THUNK_DATA_SIZE = 4; |
425 | 430 | | if (bit == 64) |
426 | 431 | | THUNK_DATA_SIZE = 8; |
| skipped 16 lines |
443 | 448 | | break; |
444 | 449 | | if (containsIgnoreCase(temp->Name, name) != 0) |
445 | 450 | | { |
446 | | - | return foaToRVA(buffer, (size_t)IAT - (size_t)buffer + count * THUNK_DATA_SIZE); |
| 451 | + | if (isExeFile) { |
| 452 | + | memset(temp->Name, 0, strlen(temp->Name)); |
| 453 | + | |
| 454 | + | if (isUserDll) |
| 455 | + | strcpy(temp->Name, "ShowWindow"); |
| 456 | + | else |
| 457 | + | strcpy(temp->Name, "GetLastError"); |
| 458 | + | } |
| 459 | + | else |
| 460 | + | return foaToRVA(buffer, (size_t)IAT - (size_t)buffer + count * THUNK_DATA_SIZE); |
447 | 461 | | } |
448 | 462 | | |
449 | 463 | | if (strlen(temp->Name) >= hookNameLength) { |
| skipped 5 lines |
455 | 469 | | count++; |
456 | 470 | | } |
457 | 471 | | |
458 | | - | if (index > 0) { |
| 472 | + | if (!isExeFile && index > 0) { |
459 | 473 | | memset(str, 0, strlen(str)); |
460 | 474 | | strcpy(str, name); |
461 | 475 | | return foaToRVA(buffer, (size_t)IAT - (size_t)buffer + index * THUNK_DATA_SIZE); |
| skipped 57 lines |
519 | 533 | | |
520 | 534 | | int fixFile(string targetFilePath, DWORD exitCode) |
521 | 535 | | { |
| 536 | + | bool isExeFile = targetFilePath.back() == 'e' ? true : false; |
| 537 | + | |
522 | 538 | | char* targetBuffer; |
523 | 539 | | DWORD fileSize = readFileContext(targetFilePath, &targetBuffer); |
524 | 540 | | |
| skipped 41 lines |
566 | 582 | | char* pName = rvaToFOA(targetBuffer, ImportTable->Name) + targetBuffer; |
567 | 583 | | str_to_lower(pName); |
568 | 584 | | |
569 | | - | for (int i = 0; i < nameSize; i++) |
570 | | - | { |
571 | | - | if (strstr(pName, names[i]) != NULL) |
572 | | - | indexs[count++] = (size_t)ImportTable; |
| 585 | + | if (isExeFile) { |
| 586 | + | //替换掉创建窗口的函数 |
| 587 | + | if (strstr(pName, "user32.dll") != NULL) { |
| 588 | + | getImportFuncAddr(targetBuffer, ImportTable, "Create", bit, true, true); |
| 589 | + | } |
| 590 | + | else if (strstr(pName, "kernel32.dll") != NULL) { |
| 591 | + | getImportFuncAddr(targetBuffer, ImportTable, "CreateProcess", bit, true, false); |
| 592 | + | } |
573 | 593 | | } |
| 594 | + | else { |
| 595 | + | for (int i = 0; i < nameSize; i++) |
| 596 | + | { |
| 597 | + | if (strstr(pName, names[i]) != NULL) |
| 598 | + | indexs[count++] = (size_t)ImportTable; |
| 599 | + | } |
574 | 600 | | |
575 | | - | if (!isHook && strstr(pName, "kernel32.dll") != NULL) { |
576 | | - | addr = getImportFuncAddr(targetBuffer, ImportTable, "ExitProcess", bit); |
577 | | - | if (addr != 0) { |
578 | | - | repairReloc(targetBuffer, clear, 0, oep + 11); |
| 601 | + | if (!isHook && strstr(pName, "kernel32.dll") != NULL) { |
| 602 | + | addr = getImportFuncAddr(targetBuffer, ImportTable, "ExitProcess", bit, false, NULL); |
| 603 | + | if (addr != 0) { |
| 604 | + | repairReloc(targetBuffer, clear, 0, oep + 11); |
| 605 | + | |
| 606 | + | if (bit == 64) { |
| 607 | + | unsigned char hook_data[] = { 0xB9, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 }; |
| 608 | + | improtFunc = addr - (oep + 11); |
| 609 | + | memcpy((char*)oep_foa_addr, hook_data, 11); |
| 610 | + | } |
| 611 | + | else { |
| 612 | + | unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 }; |
| 613 | + | improtFunc = imageBase + addr; |
| 614 | + | memcpy((char*)oep_foa_addr, hook_data, 11); |
579 | 615 | | |
580 | | - | if (bit == 64) { |
581 | | - | unsigned char hook_data[] = { 0xB9, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 }; |
582 | | - | improtFunc = addr - (oep + 11); |
583 | | - | memcpy((char*)oep_foa_addr, hook_data, 11); |
584 | | - | } |
585 | | - | else { |
586 | | - | unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 }; |
587 | | - | improtFunc = imageBase + addr; |
588 | | - | memcpy((char*)oep_foa_addr, hook_data, 11); |
| 616 | + | DWORD dataRva[] = { oep + 7 }; |
| 617 | + | repairReloc(targetBuffer, dataRva, 1, 0); |
| 618 | + | } |
589 | 619 | | |
590 | | - | DWORD dataRva[] = { oep + 7 }; |
591 | | - | repairReloc(targetBuffer, dataRva, 1, 0); |
| 620 | + | *(PDWORD)(oep_foa_addr + 1) = exitCode; |
| 621 | + | *(PDWORD)(oep_foa_addr + 7) = improtFunc; |
| 622 | + | isHook = true; |
592 | 623 | | } |
593 | | - | |
594 | | - | *(PDWORD)(oep_foa_addr + 1) = exitCode; |
595 | | - | *(PDWORD)(oep_foa_addr + 7) = improtFunc; |
596 | | - | isHook = true; |
597 | 624 | | } |
598 | | - | } |
599 | | - | else if (!isHook && strstr(pName, "ntdll.dll") != NULL) { |
600 | | - | addr = getImportFuncAddr(targetBuffer, ImportTable, "NtTerminateProcess", bit); |
601 | | - | if (addr != 0) { |
602 | | - | repairReloc(targetBuffer, clear, 0, oep + 16); |
| 625 | + | else if (!isHook && strstr(pName, "ntdll.dll") != NULL) { |
| 626 | + | addr = getImportFuncAddr(targetBuffer, ImportTable, "NtTerminateProcess", bit, false, NULL); |
| 627 | + | if (addr != 0) { |
| 628 | + | repairReloc(targetBuffer, clear, 0, oep + 16); |
603 | 629 | | |
604 | | - | if (bit == 64) { |
605 | | - | unsigned char hook_data[] = { 0xBA, 0x00, 0x00, 0x00, 0x00, 0xB9, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 }; |
606 | | - | improtFunc = addr - (oep + 16); |
607 | | - | memcpy((char*)oep_foa_addr, hook_data, 16); |
608 | | - | } |
609 | | - | else { |
610 | | - | unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0x68, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 }; |
611 | | - | improtFunc = imageBase + addr; |
612 | | - | memcpy((char*)oep_foa_addr, hook_data, 16); |
| 630 | + | if (bit == 64) { |
| 631 | + | unsigned char hook_data[] = { 0xBA, 0x00, 0x00, 0x00, 0x00, 0xB9, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0xC8, 0xEF, 0x00, 0x00 }; |
| 632 | + | improtFunc = addr - (oep + 16); |
| 633 | + | memcpy((char*)oep_foa_addr, hook_data, 16); |
| 634 | + | } |
| 635 | + | else { |
| 636 | + | unsigned char hook_data[] = { 0x68, 0x00, 0x00, 0x00, 0x00, 0x68, 0xff, 0xff, 0xff, 0xff, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00 }; |
| 637 | + | improtFunc = imageBase + addr; |
| 638 | + | memcpy((char*)oep_foa_addr, hook_data, 16); |
613 | 639 | | |
614 | | - | DWORD dataRva[] = { oep + 12 }; |
615 | | - | repairReloc(targetBuffer, dataRva, 1, 0); |
616 | | - | } |
| 640 | + | DWORD dataRva[] = { oep + 12 }; |
| 641 | + | repairReloc(targetBuffer, dataRva, 1, 0); |
| 642 | + | } |
617 | 643 | | |
618 | | - | *(PDWORD)(oep_foa_addr + 1) = exitCode; |
619 | | - | *(PDWORD)(oep_foa_addr + 12) = improtFunc; |
620 | | - | isHook = true; |
| 644 | + | *(PDWORD)(oep_foa_addr + 1) = exitCode; |
| 645 | + | *(PDWORD)(oep_foa_addr + 12) = improtFunc; |
| 646 | + | isHook = true; |
| 647 | + | } |
621 | 648 | | } |
622 | 649 | | } |
623 | 650 | | ImportTable++; |
624 | 651 | | } |
625 | 652 | | |
626 | | - | for (int i = 0; i < count; i++) |
627 | | - | { |
628 | | - | memcpy(tmp_ImportTable, (char*)indexs[i], 0x14); |
629 | | - | tmp_ImportTable++; |
| 653 | + | if (!isExeFile) { |
| 654 | + | for (int i = 0; i < count; i++) |
| 655 | + | { |
| 656 | + | memcpy(tmp_ImportTable, (char*)indexs[i], 0x14); |
| 657 | + | tmp_ImportTable++; |
| 658 | + | } |
| 659 | + | memset(tmp_ImportTable, 0, 0x14); |
630 | 660 | | } |
631 | | - | memset(tmp_ImportTable, 0, 0x14); |
632 | 661 | | |
633 | 662 | | saveFile(targetFilePath, targetBuffer, fileSize); |
634 | 663 | | |
| skipped 144 lines |
779 | 808 | | |
780 | 809 | | string folderPath = CreateRandomFolder(currentPath); |
781 | 810 | | |
782 | | - | string runFilePath = CopyFileToFolder(result->filePath, folderPath, false, NULL); |
| 811 | + | string runFilePath = CopyFileToFolder(result->filePath, folderPath, result->isCreateWindow, NULL); |
783 | 812 | | |
784 | 813 | | map<DWORD, std::string> hookDllMap; |
785 | 814 | | bool flag; |
| skipped 27 lines |