|
[原创]lldb +debugserver调试环境部署(一)
[QUOTE=snakeninny;1303086]前辈你好,请问你原创PDF的第一段话,是否参考了小弟的帖子?[/QUOTE] 哈哈,大神就别折煞我了,就是参考你的 |
|
[求助]ios7本机无法连接lockdown的62078端口。有没有大神研究过
能否说详细,afcd的服务和端口62078好像扯不上关系吧~ |
|
|
|
[原创]YY-一种高可靠性Hook的思路
楼主,可以看下 mhook,它在 hook 前会先检查线程的 EIP 是否正落在要 hook 的那段代码上,避免改写正在执行的指令 |
|
[原创]iOS平台的ollydbg即将到来,求gikdbg内测伙伴!
GOOD JOB |
|
[求助]如何判断本进程被八门神器打开
你这样的话,你也就没用户了~ |
|
gdb Illegal instruction: 4 求解决
说明gdb的版本和你IOS固件的版本不匹配 |
|
[极力推荐]《OpenSSL编程》中文版
谢谢分享 |
|
[原创]代码Hook之指令级实现
我以为是 HOOK 一字节的指令呢~ |
|
[原创]IDA逆向分析某助手全民英雄外G插件
可以去分析一下最新的 appsync 的 HOOK 实现,原生的 HOOK,可以不依赖 Mobile Substrate |
|
|
|
[原创]通过DYLD_INSERT_LIBRARIES实现基于动态库的hook功能
精华,此次IOS的appsync实现原理就如楼主所说的~赞一个~ |
|
[推荐]最牛的逆向工具Ida pro 6.5 和最新的x86 arm Hex-Rays decompiler 1.9源码插件
一整套下来不便宜啊 Add to cart IDAPRONW IDA Pro Named License [Windows] 1129 USD Add to cart HEXALLW x86+ARM Decompiler Fixed License [Windows] 3519 USD 4648 美元 = 28218.4728 人民币 有些人,总是这样光说不掏钱,还说别人的不是,天天在等着别人放,还屁话一大堆,有本事自己也买去啊!!! |
|
[原创]创建进程时注入DLL
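#include "stdafx.h"
#include <Windows.h>
#include <string.h>
#include <wchar.h>

/*
 * Create-time DLL injection (x86 only).
 *
 * CreateProcessWithDllW creates the target CREATE_SUSPENDED, then
 * SuspendTidAndInjectCode writes a small stub plus the DLL path into stack
 * space just below the primary thread's initial ESP and points the thread's
 * EIP at that stub. The stub emitted by the helpers below is:
 *
 *     push <remote address of the DLL path>
 *     call <dwFuncAdress>              ; LoadLibraryW, resolved in the injector
 *     mov  eax/ebx/ecx/edx/esi/edi/ebp/esp, <values captured by GetThreadContext>
 *     jmp  <original EIP>
 *
 * Points a user of this listing should be aware of (not worked around here):
 *  - 32-bit only: CONTEXT.Eip/Esp and the emitted opcodes are x86.
 *  - LoadLibraryW is resolved in the injector (GetFuncAdress) and assumed to
 *    sit at the same address in the target, i.e. same bitness and same
 *    kernel32 base in both processes.
 *  - The stub executes from the target's stack, which is made RWX with
 *    VirtualProtectEx; if that call is refused the injection fails and the
 *    thread is resumed with its original context untouched.
 *  - The stub restores the general-purpose registers but not EFLAGS;
 *    presumably irrelevant for a thread that has not run yet — confirm before
 *    reusing this on a running thread.
 */

/* Signature of CreateProcessW, so a hook can pass the original entry in. */
typedef BOOL (WINAPI* Proc_CreateProcessW)(LPCWSTR lpApplicationName,
                                           LPWSTR lpCommandLine,
                                           LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                           LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                           BOOL bInheritHandles,
                                           DWORD dwCreationFlags,
                                           LPVOID lpEnvironment,
                                           LPCWSTR lpCurrentDirectory,
                                           LPSTARTUPINFOW lpStartupInfo,
                                           LPPROCESS_INFORMATION lpProcessInformation);
typedef HMODULE (WINAPI* Func_LoadLibraryW)(LPCWSTR lpLibFileName);

enum {
    STUB_REGION_SIZE    = 0x480, /* bytes reserved below the thread's ESP and written to the target */
    STUB_PAYLOAD_OFFSET = 128,   /* the DLL path is copied to this offset inside the region */
    IMM32_INSN_SIZE     = 5      /* every emitted instruction is one opcode byte + imm32 */
};

/*
 * Emit "<opcode> imm32" at lpCurAddres and return the address just past it.
 * memcpy instead of a DWORD* store: the target slot is never 4-byte aligned.
 */
static BYTE* emit_imm32(BYTE* lpCurAddres, BYTE opcode, DWORD imm)
{
    lpCurAddres[0] = opcode;
    memcpy(lpCurAddres + 1, &imm, sizeof(imm));
    return lpCurAddres + IMM32_INSN_SIZE;
}

/* mov <reg>, imm32 — one helper per register, opcode B8+reg. */
BYTE* mov_eax_xx(BYTE* lpCurAddres, DWORD eax) { return emit_imm32(lpCurAddres, 0xB8, eax); }
BYTE* mov_ebx_xx(BYTE* lpCurAddres, DWORD ebx) { return emit_imm32(lpCurAddres, 0xBB, ebx); }
BYTE* mov_ecx_xx(BYTE* lpCurAddres, DWORD ecx) { return emit_imm32(lpCurAddres, 0xB9, ecx); }
BYTE* mov_edx_xx(BYTE* lpCurAddres, DWORD edx) { return emit_imm32(lpCurAddres, 0xBA, edx); }
BYTE* mov_esi_xx(BYTE* lpCurAddres, DWORD esi) { return emit_imm32(lpCurAddres, 0xBE, esi); }
BYTE* mov_edi_xx(BYTE* lpCurAddres, DWORD edi) { return emit_imm32(lpCurAddres, 0xBF, edi); }
BYTE* mov_ebp_xx(BYTE* lpCurAddres, DWORD ebp) { return emit_imm32(lpCurAddres, 0xBD, ebp); }
BYTE* mov_esp_xx(BYTE* lpCurAddres, DWORD esp) { return emit_imm32(lpCurAddres, 0xBC, esp); }

/*
 * jmp rel32 to eip. newEip is the address at which this instruction will
 * execute (in the target process); 0 means "in place", i.e. lpCurAddres.
 */
BYTE* mov_eip_xx(BYTE* lpCurAddres, DWORD eip, DWORD newEip)
{
    if (!newEip) {
        newEip = (DWORD)lpCurAddres;
    }
    return emit_imm32(lpCurAddres, 0xE9, eip - (newEip + IMM32_INSN_SIZE));
}

/* push imm32 */
BYTE* push_xx(BYTE* lpCurAddres, DWORD dwAdress)
{
    return emit_imm32(lpCurAddres, 0x68, dwAdress);
}

/* call rel32 to eip; newEip as for mov_eip_xx. */
BYTE* Call_xx(BYTE* lpCurAddres, DWORD eip, DWORD newEip)
{
    if (!newEip) {
        newEip = (DWORD)lpCurAddres;
    }
    return emit_imm32(lpCurAddres, 0xE8, eip - (newEip + IMM32_INSN_SIZE));
}

/*
 * Suspend hThread, write the stub + payload into hProcess just below the
 * thread's ESP, redirect EIP/ESP to it, and resume the thread.
 *
 *   dwFuncAdress  function the stub calls with the payload's remote address
 *                 as its single stdcall argument (LoadLibraryW here)
 *   lpShellCode   payload bytes (the NUL-terminated wide DLL path); NULL
 *                 emits a stub that only restores registers and jumps back
 *   uCodeSize     payload size in bytes; must fit in
 *                 STUB_REGION_SIZE - STUB_PAYLOAD_OFFSET
 *
 * Returns TRUE only if every step (protect, write, flush, SetThreadContext)
 * succeeded. On any failure the thread is resumed with its original context
 * and nothing in the target has been redirected (memory below ESP may have
 * been written, which the not-yet-started thread does not depend on).
 */
BOOL SuspendTidAndInjectCode(HANDLE hProcess, HANDLE hThread, DWORD dwFuncAdress,
                             const BYTE * lpShellCode, size_t uCodeSize)
{
    BYTE ShellCodeBuf[STUB_REGION_SIZE];
    CONTEXT Context;
    SIZE_T NumberOfBytesWritten = 0;
    DWORD flOldProtect = 0;
    LPBYTE lpRemoteBase;
    LPBYTE lpCur;
    BOOL bResult = FALSE;

    /* Bound the payload: the original memcpy overran ShellCodeBuf for paths
       longer than (0x480 - 128) / 2 wide chars. */
    if (lpShellCode && uCodeSize > (size_t)(STUB_REGION_SIZE - STUB_PAYLOAD_OFFSET)) {
        return FALSE;
    }

    if (SuspendThread(hThread) == (DWORD)-1) {
        return FALSE;
    }

    memset(&Context, 0, sizeof(Context));
    Context.ContextFlags = CONTEXT_FULL;
    if (GetThreadContext(hThread, &Context)) {
        /* A 32-byte-aligned region of STUB_REGION_SIZE bytes lying entirely
           below the thread's current ESP. */
        lpRemoteBase = (LPBYTE)((Context.Esp - STUB_REGION_SIZE) & 0xFFFFFFE0);

        /* Zero-fill so no uninitialised injector stack bytes are copied into
           the target. */
        memset(ShellCodeBuf, 0, sizeof(ShellCodeBuf));
        lpCur = ShellCodeBuf;

        if (lpShellCode) {
            /* Payload first, then the stub at offset 0. The stub is at most
               11 instructions * 5 bytes = 55 bytes, so it never reaches the
               payload at STUB_PAYLOAD_OFFSET. */
            memcpy(ShellCodeBuf + STUB_PAYLOAD_OFFSET, lpShellCode, uCodeSize);
            lpCur = push_xx(lpCur, (DWORD)lpRemoteBase + STUB_PAYLOAD_OFFSET);
            /* The call's own remote address is needed for the rel32. */
            lpCur = Call_xx(lpCur, dwFuncAdress,
                            (DWORD)lpRemoteBase + (DWORD)(lpCur - ShellCodeBuf));
        }

        /* Restore every general-purpose register the context captured. */
        lpCur = mov_eax_xx(lpCur, Context.Eax);
        lpCur = mov_ebx_xx(lpCur, Context.Ebx);
        lpCur = mov_ecx_xx(lpCur, Context.Ecx);
        lpCur = mov_edx_xx(lpCur, Context.Edx);
        lpCur = mov_esi_xx(lpCur, Context.Esi);
        lpCur = mov_edi_xx(lpCur, Context.Edi);
        lpCur = mov_ebp_xx(lpCur, Context.Ebp);
        lpCur = mov_esp_xx(lpCur, Context.Esp);
        /* jmp back to the original EIP. */
        lpCur = mov_eip_xx(lpCur, Context.Eip,
                           (DWORD)lpRemoteBase + (DWORD)(lpCur - ShellCodeBuf));

        /* Run the stub with ESP just below it so push/call grow away from it. */
        Context.Esp = (DWORD)(lpRemoteBase - 4);
        Context.Eip = (DWORD)lpRemoteBase;

        if (VirtualProtectEx(hProcess, lpRemoteBase, STUB_REGION_SIZE,
                             PAGE_EXECUTE_READWRITE, &flOldProtect)
            && WriteProcessMemory(hProcess, lpRemoteBase, ShellCodeBuf,
                                  STUB_REGION_SIZE, &NumberOfBytesWritten)
            && FlushInstructionCache(hProcess, lpRemoteBase, STUB_REGION_SIZE)
            && SetThreadContext(hThread, &Context)) {
            bResult = TRUE;
        }
    }

    /* Resume the thread (balances the SuspendThread above). */
    ResumeThread(hThread);
    /* The original returned TRUE unconditionally, hiding every failure. */
    return bResult;
}

/*
 * Address of kernel32!LoadLibraryW in this process, or 0 if it cannot be
 * resolved. Only meaningful in the target if kernel32 is mapped at the same
 * base there.
 */
DWORD GetFuncAdress(void)
{
    HMODULE hKernel32 = GetModuleHandleA("Kernel32");
    if (!hKernel32) {
        return 0;
    }
    return (DWORD)GetProcAddress(hKernel32, "LoadLibraryW");
}

/*
 * CreateProcessW with an extra DLL loaded into the new process before its
 * entry point runs.
 *
 *   lpDllFullPath  full path of the DLL to load; NULL injects nothing
 *   FuncAdress     CreateProcessW implementation to call; NULL means the
 *                  real CreateProcessW. A CreateProcessW hook passes the
 *                  original entry here so this function does not recurse
 *                  into the hook (the original ignored this parameter).
 *
 * All other parameters are forwarded unchanged, except that the process is
 * created CREATE_SUSPENDED and resumed here unless the caller asked for
 * CREATE_SUSPENDED itself.
 *
 * Returns TRUE on success; lpProcessInformation (if given) receives the
 * handles, which the caller owns. If the caller passes NULL the handles are
 * closed here. On injection failure the half-created, still-suspended child
 * is terminated and its handles closed, and FALSE is returned.
 */
BOOL WINAPI CreateProcessWithDllW(LPCWSTR lpApplicationName,
                                  LPWSTR lpCommandLine,
                                  LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                  LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                  BOOL bInheritHandles,
                                  DWORD dwCreationFlags,
                                  LPVOID lpEnvironment,
                                  LPCWSTR lpCurrentDirectory,
                                  LPSTARTUPINFOW lpStartupInfo,
                                  LPPROCESS_INFORMATION lpProcessInformation,
                                  LPWSTR lpDllFullPath,
                                  Proc_CreateProcessW FuncAdress)
{
    BOOL bResult = FALSE;
    size_t uCodeSize = 0;
    DWORD dwCreaFlags;
    DWORD dwLoadDllProc;
    PROCESS_INFORMATION pi;

    ZeroMemory(&pi, sizeof(pi));

    if (FuncAdress == NULL) {
        FuncAdress = CreateProcessW;
    }

    /* Create suspended so the primary thread has not executed anything when
       the stub is installed. */
    dwCreaFlags = dwCreationFlags | CREATE_SUSPENDED;

    if (!FuncAdress(lpApplicationName, lpCommandLine, lpProcessAttributes,
                    lpThreadAttributes, bInheritHandles, dwCreaFlags,
                    lpEnvironment, lpCurrentDirectory, lpStartupInfo, &pi)) {
        return FALSE;
    }

    /* Payload is the wide path including its terminating NUL. */
    uCodeSize = lpDllFullPath ? (2 * wcslen(lpDllFullPath) + 2) : 0;

    dwLoadDllProc = GetFuncAdress();

    /* A zero LoadLibraryW address would make the stub call address 0 and
       crash the child, so treat it as a failure up front. */
    if (dwLoadDllProc != 0
        && SuspendTidAndInjectCode(pi.hProcess, pi.hThread, dwLoadDllProc,
                                   (const BYTE*)lpDllFullPath, uCodeSize)) {
        if (!(dwCreationFlags & CREATE_SUSPENDED)) {
            ResumeThread(pi.hThread);
        }
        if (lpProcessInformation) {
            memcpy(lpProcessInformation, &pi, sizeof(PROCESS_INFORMATION));
        } else {
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
        }
        bResult = TRUE;
    } else {
        /* Do not leave a suspended, half-initialised process behind. */
        TerminateProcess(pi.hProcess, (UINT)-1);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }

    return bResult;
}

/* Demo driver: launch a test executable with SampleDLL.dll injected. */
int _tmain(int argc, _TCHAR* argv[])
{
    WCHAR wszPath[] = L"D:\\TestCreateProcessWithDll.exe";
    WCHAR wszDll[] = L"D:\\SampleDLL.dll";
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    if (CreateProcessWithDllW(NULL, wszPath, NULL, NULL, FALSE, 0, NULL, NULL,
                              &si, &pi, wszDll, NULL)) {
        /* The caller owns the returned handles; the original leaked them. */
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    return 0;
}

/* Poster's closing remark on the forum (translated): "Isn't mine more
   comfortable and more concise than yours?" */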