  • 1.修复只读文件,无法写入bug 2.新增全段扫描动态dll参数,默认是扫rdata和rsrc段

  • maoku committed 1 month ago
    90d5225c
    1 parent d3b8b7b3
  • ■ ■ ■ ■ ■ ■
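--- a/README.md
+++ b/README.md
@@ -35,6 +35,16 @@
 
 -p:是否过滤系统dll,系统dll是指在system32或syswow64目录下存在的dll。默认为否
 
+-a:是否开启全段扫描动态dll,默认是扫描rdata和rsrc段
+
+```c
+SearchAvailableExe.exe
+SearchAvailableExe.exe -p -i "D:" -b 32
+SearchAvailableExe.exe -i "D:" -o result.txt -c 2
+SearchAvailableExe.exe -i "D:" -l 2 -w
+SearchAvailableExe.exe -s -a 1
+```
+
 B站地址:
 
 【一款自研的自动化挖掘白利用程序工具】 https://www.bilibili.com/video/BV1bm421n73Z/?share_source=copy_web&vd_source=c75cdcc6b49a06fd849f2d392e8e3218
@@ -49,3 +59,8 @@
 4. 优化有多个相同文件时,白程序只输出一次
 5. 修复相同动态加载dll记录多次bug
 
+V2.0.1
+
+1. 修复只读文件,无法写入bug
+2. 新增全段扫描动态dll的-a参数,默认是扫rdata和rsrc段。提高工具的准确率
+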
  • ■ ■ ■ ■ ■ ■
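--- a/SearchAvailableExe/SearchAvailableExe.cpp
+++ b/SearchAvailableExe/SearchAvailableExe.cpp
@@ -134,6 +134,7 @@
  printf(" -s,--save: <bool> Whether to save available files, default is not to save.\n");
  printf(" -l,--load: <loadType> Dll loading method, 1 for static loading, 2 for dynamic loading, and 3 for both static and dynamic loading. Default value is 3.\n");
  printf(" -p,--pass: <bool> Filter system DLLs.\n");
+ printf(" -a,--pass: <int> Enable full-section scanning for dynamic DLLs by default, scanning rdata and rsrc segments.\n");
  exit(0);
 }
 
@@ -175,6 +176,7 @@
  c.dllCount = 1;
  c.bit = 96;
  c.loadType = 3;
+ c.isAllSectionSearch = 0;
 
  get_opt(argc, argv, OPT_TYPE_NONE, NULL, "h;?", "help", usage);
  get_opt(argc, argv, OPT_TYPE_STRING, c.output, "o", "output", NULL);
@@ -185,6 +187,7 @@
  get_opt(argc, argv, OPT_TYPE_FLAG, &c.isSaveFile, "s", "save", NULL);
  get_opt(argc, argv, OPT_TYPE_DEC, &c.loadType, "l", "load", NULL);
  get_opt(argc, argv, OPT_TYPE_FLAG, &c.isPassSystemDll, "p", "pass", NULL);
+ get_opt(argc, argv, OPT_TYPE_DEC, &c.isAllSectionSearch, "a", "search", NULL);
 
  ostream* output = &cout;
  ofstream outputFile;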
  • ■ ■ ■ ■
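--- a/SearchAvailableExe/SearchAvailableExe.vcxproj.user
+++ b/SearchAvailableExe/SearchAvailableExe.vcxproj.user
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <LocalDebuggerCommandArguments>-i "D:\envPath\java\jdk1.8\lib\visualvm\platform\lib"</LocalDebuggerCommandArguments>
+ <LocalDebuggerCommandArguments>-i "D:\Code\github\C2\AV_Evasion_Tool\src\main\resources\bat\32\" -a 1</LocalDebuggerCommandArguments>
  <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">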
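Review bot: `SearchAvailableExe.vcxproj.user` is a per-developer Visual Studio settings file, and this change commits an absolute local path (`D:\Code\github\C2\AV_Evasion_Tool\...`) as the debugger arguments, which is useless to anyone else and leaks the author's directory layout. Add `*.vcxproj.user` to `.gitignore` and `git rm --cached` the file; if a shared debug configuration is wanted, keep it in the `.vcxproj` with a path relative to `$(ProjectDir)`.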
  • ■ ■ ■ ■ ■
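--- a/SearchAvailableExe/Tools.cpp
+++ b/SearchAvailableExe/Tools.cpp
@@ -155,9 +155,41 @@
  strcat(fileFullPath, fileDir.c_str());
  int fileDirLength = fileDir.length();
  map<string, bool> postDllMap;
- char* secNames[] = {".rdata", ".rsrc"};
+ char** secNames;
+ int cnt = 0;
+ 
+ if (c.isAllSectionSearch) {
+ PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)buffer;
+ _IMAGE_SECTION_HEADER* sectionHeader;
+ IMAGE_FILE_HEADER fh;
+
+ if (*(PWORD)((size_t)pDH + pDH->e_lfanew + 0x18) == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
+ PIMAGE_NT_HEADERS32 pNtH32 = PIMAGE_NT_HEADERS32((size_t)pDH + pDH->e_lfanew);
+ sectionHeader = (_IMAGE_SECTION_HEADER*)((UINT)pNtH32 + sizeof(_IMAGE_NT_HEADERS));
+ fh = pNtH32->FileHeader;
+ }
+ else {
+ PIMAGE_NT_HEADERS64 pNtH64 = PIMAGE_NT_HEADERS64((size_t)pDH + pDH->e_lfanew);
+ sectionHeader = (_IMAGE_SECTION_HEADER*)((UINT)pNtH64 + sizeof(_IMAGE_NT_HEADERS64));
+ fh = pNtH64->FileHeader;
+ }
 
- for (int i = 0; i < 2; i++) {
+ char* temp[0x10];
+ secNames = (char**)malloc(sizeof(size_t) * fh.NumberOfSections);
+ while (cnt < fh.NumberOfSections) {
+ _IMAGE_SECTION_HEADER* section;
+ section = (_IMAGE_SECTION_HEADER*)((UINT)sectionHeader + sizeof(_IMAGE_SECTION_HEADER) * cnt);
+ temp[cnt++] = (char*)(section->Name);
+ }
+ secNames = temp;
+ }
+ else {
+ char* temp[] = { ".rdata", ".rsrc" };
+ secNames = temp;
+ cnt = 2;
+ }
+ 
+ for (int i = 0; i < cnt; i++) {
  BYTE* rdata = readSectionData(buffer, &rdataLength, secNames[i]);
  if (rdata != 0) {
  DWORD vaule, vaule1;
@@ -432,12 +464,18 @@
  return payloadFileSize;
 }
 
-void saveFile(string filePath, char* buffer, DWORD fileSize)
+bool saveFile(string filePath, char* buffer, DWORD fileSize)
 {
  std::ofstream outFile;
  outFile.open(filePath, std::ios::binary | std::ios::trunc);
+ if (!outFile.is_open()) {
+ printf("Failed to open file for writing.\n");
+ return false;
+ }
  outFile.write(buffer, fileSize);
  outFile.close();
+ 
+ return true;
 }
 
 void str_to_lower(char* str) {
@@ -558,6 +596,12 @@
 
 int fixFile(string targetFilePath, DWORD exitCode)
 {
+ DWORD attributes = GetFileAttributesA(targetFilePath.c_str());
+ if (attributes != INVALID_FILE_ATTRIBUTES) {
+ attributes &= ~FILE_ATTRIBUTE_READONLY; // 清除只读属性
+ SetFileAttributesA(targetFilePath.c_str(), attributes);
+ }
+ 
  bool isExeFile = targetFilePath.back() == 'e' ? true : false;
 
  char* targetBuffer;
@@ -692,11 +736,11 @@
  memset(tmp_ImportTable, 0, 0x14);
  }
 
- saveFile(targetFilePath, targetBuffer, fileSize);
+ bool isSucc = saveFile(targetFilePath, targetBuffer, fileSize);
 
  delete[] targetBuffer;
 
- return 0;
+ return isSucc;
 }
 
 bool fixExportTable(string targetFilePath, string sourceFilePath) {
@@ -827,7 +871,9 @@
 
  if (isNeedHook) {
  std::lock_guard<std::mutex> lock(mtx);
- fixFile(targetFilePath, exitCode);
+ bool isSucc = fixFile(targetFilePath, exitCode);
+ if (!isSucc)
+ return "";
  }
 
  return targetFilePath;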
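Review bot: `secNames = temp;` at the end of both branches of the new `if (c.isAllSectionSearch)` block leaves `secNames` pointing at a block-scoped stack array (`char* temp[0x10]` / `char* temp[] = { ".rdata", ".rsrc" }`) that is already dead when `secNames[i]` is read in the `for` loop below, and the `malloc` result two lines earlier is overwritten without ever being used or freed. The fixed 16-slot `temp` is also filled up to `fh.NumberOfSections`, a WORD read straight from the file being scanned, so any PE with more than 16 sections overflows the stack; in addition `(UINT)pNtH32` / `(UINT)sectionHeader` truncate pointers on the x64 build, `sizeof(_IMAGE_NT_HEADERS)` in the PE32 branch depends on the build's bitness rather than the file's, and `section->Name` is 8 bytes with no guaranteed NUL terminator when passed on as a C string. Using `IMAGE_FIRST_SECTION()` and a `std::vector<std::string>` removes all of these at once, as sketched below; `<vector>` may need including if Tools.cpp does not already pull it in, and the cast on `c_str()` only keeps the `char*` parameter type the original call passed. The enclosing function starts and ends outside the hunk, and `e_lfanew` and the section table should additionally be bounds-checked against the mapped file size, which is not visible here.
```cpp
 map<string, bool> postDllMap;
 // Owns the section names: no pointer into a block-scoped array, no leaked malloc,
 // and no fixed 16-slot limit that a PE with more sections could overflow.
 std::vector<std::string> secNames;

 if (c.isAllSectionSearch) {
  PIMAGE_DOS_HEADER pDH = (PIMAGE_DOS_HEADER)buffer;
  // TODO(review): e_lfanew and the section table come from an untrusted file and
  // should be bounds-checked against the mapped size before being dereferenced.
  PIMAGE_NT_HEADERS pNtH = (PIMAGE_NT_HEADERS)((BYTE*)buffer + pDH->e_lfanew);
  // IMAGE_FIRST_SECTION() skips FileHeader.SizeOfOptionalHeader bytes, so it is right for
  // both PE32 and PE32+ and needs no (UINT) pointer arithmetic that truncates on x64.
  PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(pNtH);
  for (WORD i = 0; i < pNtH->FileHeader.NumberOfSections; i++, section++) {
   // Name is IMAGE_SIZEOF_SHORT_NAME (8) bytes and is not NUL-terminated when all 8 are used.
   secNames.emplace_back((const char*)section->Name,
    strnlen((const char*)section->Name, IMAGE_SIZEOF_SHORT_NAME));
  }
 }
 else {
  secNames = { ".rdata", ".rsrc" };
 }

 for (size_t i = 0; i < secNames.size(); i++) {
  // cast keeps the char* parameter type the original call site passed
  BYTE* rdata = readSectionData(buffer, &rdataLength, (char*)secNames[i].c_str());
  // … unchanged: per-section scan of the data …
```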
  • ■ ■ ■ ■ ■
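--- a/SearchAvailableExe/Tools.h
+++ b/SearchAvailableExe/Tools.h
@@ -40,6 +40,7 @@
  bool isSaveFile;
  int loadType;
  bool isPassSystemDll;
+ int isAllSectionSearch;
 } ARG_CONFIG, * PARG_CONFIG;
 
 BOOL VerifyFileSignature(LPCWSTR filePath);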
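Review bot: `int isAllSectionSearch` breaks the `bool is*` convention of the neighbouring `isSaveFile` and `isPassSystemDll` fields; the `int` is presumably needed because it is filled by `OPT_TYPE_DEC` in SearchAvailableExe.cpp, but nothing in the struct says so or what the values mean. Add a comment on the new field, e.g. `int isAllSectionSearch; // 0 = scan only .rdata/.rsrc (default), nonzero = scan every section for dynamic DLLs`, or make it `bool` and parse it with `OPT_TYPE_FLAG` like the other switches. The `typedef struct` header lies outside the hunk.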
  • Test/SearchAvailableExe32.exe
    Binary file.
  • Test/SearchAvailableExe64.exe
    Binary file.