5 楼
#include "stdafx.h"
#include <Windows.h>
// Function-pointer types used by this listing.
// Proc_CreateProcessW mirrors the parameter list of the Win32 CreateProcessW API.
// CreateProcessWithDllW takes a value of this type as its last parameter so that
// a caller can supply its own process-creation routine.
typedef BOOL (WINAPI* Proc_CreateProcessW)(LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation);
// Pointer type with the signature of LoadLibraryW.
// NOTE(review): not referenced anywhere else in the visible listing.
typedef HMODULE (WINAPI* Func_LoadLibraryW)(LPCWSTR lpLibFileName);
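/*
 * Emit the 5-byte x86 instruction `mov eax, imm32` (opcode 0xB8 followed by
 * the 32-bit immediate in host byte order) at lpCurAddres.
 *
 * lpCurAddres  write cursor; the caller must provide at least 5 writable bytes.
 * eax          immediate value to load into EAX.
 *
 * Returns the cursor advanced past the emitted instruction.
 */
BYTE* mov_eax_xx(BYTE* lpCurAddres, DWORD eax)
{
    lpCurAddres[0] = 0xB8;
    /* memcpy rather than a DWORD* cast: lpCurAddres + 1 is not guaranteed to
       be 4-byte aligned and the underlying buffer is declared as BYTE. */
    memcpy(lpCurAddres + 1, &eax, sizeof(eax));
    return lpCurAddres + 5;
}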
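/*
 * Emit the 5-byte x86 instruction `mov ebx, imm32` (opcode 0xBB followed by
 * the 32-bit immediate in host byte order) at lpCurAddres.
 *
 * lpCurAddres  write cursor; the caller must provide at least 5 writable bytes.
 * ebx          immediate value to load into EBX.
 *
 * Returns the cursor advanced past the emitted instruction.
 */
BYTE* mov_ebx_xx(BYTE* lpCurAddres, DWORD ebx)
{
    lpCurAddres[0] = 0xBB;
    /* memcpy avoids a misaligned, type-punned DWORD store into a BYTE buffer. */
    memcpy(lpCurAddres + 1, &ebx, sizeof(ebx));
    return lpCurAddres + 5;
}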
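/*
 * Emit the 5-byte x86 instruction `mov ecx, imm32` (opcode 0xB9 followed by
 * the 32-bit immediate in host byte order) at lpCurAddres.
 *
 * lpCurAddres  write cursor; the caller must provide at least 5 writable bytes.
 * ecx          immediate value to load into ECX.
 *
 * Returns the cursor advanced past the emitted instruction.
 */
BYTE* mov_ecx_xx(BYTE* lpCurAddres, DWORD ecx)
{
    lpCurAddres[0] = 0xB9;
    /* memcpy avoids a misaligned, type-punned DWORD store into a BYTE buffer. */
    memcpy(lpCurAddres + 1, &ecx, sizeof(ecx));
    return lpCurAddres + 5;
}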
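/*
 * Emit the 5-byte x86 instruction `mov edx, imm32` (opcode 0xBA followed by
 * the 32-bit immediate in host byte order) at lpCurAddres.
 *
 * lpCurAddres  write cursor; the caller must provide at least 5 writable bytes.
 * edx          immediate value to load into EDX.
 *
 * Returns the cursor advanced past the emitted instruction.
 */
BYTE* mov_edx_xx(BYTE* lpCurAddres, DWORD edx)
{
    lpCurAddres[0] = 0xBA;
    /* memcpy avoids a misaligned, type-punned DWORD store into a BYTE buffer. */
    memcpy(lpCurAddres + 1, &edx, sizeof(edx));
    return lpCurAddres + 5;
}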
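/*
 * Emit the 5-byte x86 instruction `mov esi, imm32` (opcode 0xBE followed by
 * the 32-bit immediate in host byte order) at lpCurAddres.
 *
 * lpCurAddres  write cursor; the caller must provide at least 5 writable bytes.
 * esi          immediate value to load into ESI.
 *
 * Returns the cursor advanced past the emitted instruction.
 */
BYTE* mov_esi_xx(BYTE* lpCurAddres, DWORD esi)
{
    lpCurAddres[0] = 0xBE;
    /* memcpy avoids a misaligned, type-punned DWORD store into a BYTE buffer. */
    memcpy(lpCurAddres + 1, &esi, sizeof(esi));
    return lpCurAddres + 5;
}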
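/*
 * Emit the 5-byte x86 instruction `mov edi, imm32` (opcode 0xBF followed by
 * the 32-bit immediate in host byte order) at lpCurAddres.
 *
 * lpCurAddres  write cursor; the caller must provide at least 5 writable bytes.
 * edi          immediate value to load into EDI.
 *
 * Returns the cursor advanced past the emitted instruction.
 */
BYTE* mov_edi_xx(BYTE* lpCurAddres, DWORD edi)
{
    lpCurAddres[0] = 0xBF;
    /* memcpy avoids a misaligned, type-punned DWORD store into a BYTE buffer. */
    memcpy(lpCurAddres + 1, &edi, sizeof(edi));
    return lpCurAddres + 5;
}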
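/*
 * Emit the 5-byte x86 instruction `mov ebp, imm32` (opcode 0xBD followed by
 * the 32-bit immediate in host byte order) at lpCurAddres.
 *
 * lpCurAddres  write cursor; the caller must provide at least 5 writable bytes.
 * ebp          immediate value to load into EBP.
 *
 * Returns the cursor advanced past the emitted instruction.
 */
BYTE* mov_ebp_xx(BYTE* lpCurAddres, DWORD ebp)
{
    lpCurAddres[0] = 0xBD;
    /* memcpy avoids a misaligned, type-punned DWORD store into a BYTE buffer. */
    memcpy(lpCurAddres + 1, &ebp, sizeof(ebp));
    return lpCurAddres + 5;
}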
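/*
 * Emit the 5-byte x86 instruction `mov esp, imm32` (opcode 0xBC followed by
 * the 32-bit immediate in host byte order) at lpCurAddres.
 *
 * lpCurAddres  write cursor; the caller must provide at least 5 writable bytes.
 * esp          immediate value to load into ESP.
 *
 * Returns the cursor advanced past the emitted instruction.
 */
BYTE* mov_esp_xx(BYTE* lpCurAddres, DWORD esp)
{
    lpCurAddres[0] = 0xBC;
    /* memcpy avoids a misaligned, type-punned DWORD store into a BYTE buffer. */
    memcpy(lpCurAddres + 1, &esp, sizeof(esp));
    return lpCurAddres + 5;
}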
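/*
 * Emit a 5-byte x86 near jump (`jmp rel32`, opcode 0xE9) at lpCurAddres.
 * Despite the name no mov is emitted; EIP is changed by jumping.
 *
 * lpCurAddres  local write cursor; needs at least 5 writable bytes.
 * eip          absolute 32-bit address the jump should land on.
 * newEip       address at which the instruction will execute. Pass 0 when the
 *              bytes run where they are written; the cursor's own address is
 *              then used. SuspendTidAndInjectCode passes the address in the
 *              other process because the buffer is built locally and copied.
 *
 * Returns the cursor advanced past the emitted instruction.
 *
 * x86 only: addresses are carried in a DWORD, so a 64-bit pointer would be
 * truncated by the cast below.
 */
BYTE* mov_eip_xx(BYTE* lpCurAddres, DWORD eip, DWORD newEip)
{
    DWORD dwRel32;

    if ( !newEip )
    {
        newEip = (DWORD)lpCurAddres;
    }
    /* rel32 is measured from the end of the 5-byte instruction; DWORD
       arithmetic wraps modulo 2^32, which is what the encoding expects. */
    dwRel32 = eip - (newEip + 5);
    lpCurAddres[0] = 0xE9;
    /* memcpy avoids a misaligned, type-punned DWORD store into a BYTE buffer. */
    memcpy(lpCurAddres + 1, &dwRel32, sizeof(dwRel32));
    return lpCurAddres + 5;
}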
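/*
 * Emit the 5-byte x86 instruction `push imm32` (opcode 0x68 followed by the
 * 32-bit immediate in host byte order) at lpCurAddres.
 *
 * lpCurAddres  write cursor; the caller must provide at least 5 writable bytes.
 * dwAdress     32-bit value to push (the caller in this file passes an address).
 *
 * Returns the cursor advanced past the emitted instruction.
 */
BYTE* push_xx(BYTE* lpCurAddres, DWORD dwAdress)
{
    lpCurAddres[0] = 0x68;
    /* memcpy avoids a misaligned, type-punned DWORD store into a BYTE buffer. */
    memcpy(lpCurAddres + 1, &dwAdress, sizeof(dwAdress));
    return lpCurAddres + 5;
}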
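/*
 * Emit a 5-byte x86 near call (`call rel32`, opcode 0xE8) at lpCurAddres.
 *
 * lpCurAddres  local write cursor; needs at least 5 writable bytes.
 * eip          absolute 32-bit address of the function to call.
 * newEip       address at which the instruction will execute. Pass 0 when the
 *              bytes run where they are written; the cursor's own address is
 *              then used.
 *
 * Returns the cursor advanced past the emitted instruction.
 *
 * x86 only: addresses are carried in a DWORD, so a 64-bit pointer would be
 * truncated by the cast below.
 */
BYTE* Call_xx(BYTE* lpCurAddres, DWORD eip, DWORD newEip)
{
    DWORD dwRel32;

    if ( !newEip )
    {
        newEip = (DWORD)lpCurAddres;
    }
    /* rel32 is measured from the end of the 5-byte instruction; DWORD
       arithmetic wraps modulo 2^32, which is what the encoding expects. */
    dwRel32 = eip - (newEip + 5);
    lpCurAddres[0] = 0xE8;
    /* memcpy avoids a misaligned, type-punned DWORD store into a BYTE buffer. */
    memcpy(lpCurAddres + 1, &dwRel32, sizeof(dwRel32));
    return lpCurAddres + 5;
}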
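/*
 * Suspend hThread, place a small x86 stub plus an optional payload in a
 * 0x480-byte region just below the thread's current stack pointer, and point
 * the thread at the stub.
 *
 * Stub layout (built locally in ShellCodeBuf, then copied to the other process):
 *   offset 0     when lpShellCode != NULL: push <address of payload>;
 *                call dwFuncAdress. Then mov eax/ebx/ecx/edx/esi/edi/ebp/esp
 *                with the values captured by GetThreadContext, and a jmp to
 *                the captured EIP.
 *   offset 128   the payload bytes (CreateProcessWithDllW passes a wide-char
 *                DLL path here).
 *
 * hProcess      handle to the process that owns hThread.
 * hThread       handle to the thread to redirect.
 * dwFuncAdress  32-bit address the stub calls with the payload address as its
 *               single stack argument; only used when lpShellCode != NULL.
 * lpShellCode   payload to copy, or NULL to emit only the register-restore
 *               sequence.
 * uCodeSize     payload size in bytes; must fit in 0x480 - 128 bytes.
 *
 * Returns TRUE only when the region was made executable, written, flushed and
 * the new thread context was applied. On FALSE the thread context is left
 * unchanged. The SuspendThread here is paired with a ResumeThread, so the
 * thread's suspend count is the same on return as on entry.
 *
 * Review notes:
 *  - x86 only: Context.Esp/Eip and all addresses are handled as DWORDs.
 *  - Only the eight general-purpose registers are reloaded by the stub;
 *    EFLAGS is not.
 *  - On success the region stays PAGE_EXECUTE_READWRITE: the old protection
 *    is never put back, so the target keeps a writable and executable stack
 *    range for the rest of its life.
 *  - SuspendThread / GetThreadContext / VirtualProtectEx(RWX) /
 *    WriteProcessMemory / SetThreadContext against another process is the
 *    call sequence that endpoint monitoring typically flags as a
 *    thread-context hijack.
 */
BOOL SuspendTidAndInjectCode(HANDLE hProcess, HANDLE hThread, DWORD dwFuncAdress, const BYTE * lpShellCode, size_t uCodeSize)
{
    enum { REGION_SIZE = 0x480, PAYLOAD_OFFSET = 128 };

    SIZE_T NumberOfBytesWritten = 0;
    /* Zero-filled so that no stale bytes from this process's stack are copied
       into the other process along with the stub. */
    BYTE ShellCodeBuf[REGION_SIZE] = {0};
    CONTEXT Context;
    DWORD flOldProtect = 0;
    DWORD flUnused = 0;
    DWORD dwRemoteBase = 0;
    LPBYTE lpCurESPAddress = NULL;
    LPBYTE lpCurBufAdress = NULL;
    BOOL bProtectChanged = FALSE;
    BOOL bResult = FALSE;

    /* A payload larger than the space after PAYLOAD_OFFSET would overrun
       ShellCodeBuf on this process's stack; refuse before touching the thread. */
    if (lpShellCode && uCodeSize > (size_t)(REGION_SIZE - PAYLOAD_OFFSET))
    {
        return FALSE;
    }

    /* Suspend the thread; if that fails there is nothing to resume later. */
    if (SuspendThread(hThread) == (DWORD)-1)
    {
        return FALSE;
    }

    memset(&Context, 0, sizeof(Context));
    Context.ContextFlags = CONTEXT_FULL;
    if (GetThreadContext(hThread, &Context))
    {
        /* Reserve REGION_SIZE bytes below the thread's stack pointer,
           rounded down to a 32-byte boundary. */
        dwRemoteBase = (Context.Esp - REGION_SIZE) & 0xFFFFFFE0;
        lpCurESPAddress = (LPBYTE)(DWORD_PTR)dwRemoteBase;

        /* Build the stub through a cursor into the local buffer. */
        lpCurBufAdress = ShellCodeBuf;
        if (lpShellCode)
        {
            memcpy(ShellCodeBuf + PAYLOAD_OFFSET, lpShellCode, uCodeSize);
            /* push <payload address in the other process> */
            lpCurBufAdress = push_xx(lpCurBufAdress, dwRemoteBase + PAYLOAD_OFFSET);
            /* call dwFuncAdress; the displacement is computed for the address
               the instruction will occupy in the other process. */
            lpCurBufAdress = Call_xx(lpCurBufAdress, dwFuncAdress,
                                     dwRemoteBase + (DWORD)(lpCurBufAdress - ShellCodeBuf));
        }

        /* Reload the captured registers, then jump back to the captured EIP. */
        lpCurBufAdress = mov_eax_xx(lpCurBufAdress, Context.Eax);
        lpCurBufAdress = mov_ebx_xx(lpCurBufAdress, Context.Ebx);
        lpCurBufAdress = mov_ecx_xx(lpCurBufAdress, Context.Ecx);
        lpCurBufAdress = mov_edx_xx(lpCurBufAdress, Context.Edx);
        lpCurBufAdress = mov_esi_xx(lpCurBufAdress, Context.Esi);
        lpCurBufAdress = mov_edi_xx(lpCurBufAdress, Context.Edi);
        lpCurBufAdress = mov_ebp_xx(lpCurBufAdress, Context.Ebp);
        lpCurBufAdress = mov_esp_xx(lpCurBufAdress, Context.Esp);
        lpCurBufAdress = mov_eip_xx(lpCurBufAdress, Context.Eip,
                                    dwRemoteBase + (DWORD)(lpCurBufAdress - ShellCodeBuf));

        /* New context: stack just below the region, execution at its start. */
        Context.Esp = dwRemoteBase - 4;
        Context.Eip = dwRemoteBase;

        bProtectChanged = VirtualProtectEx(hProcess, lpCurESPAddress, REGION_SIZE, PAGE_EXECUTE_READWRITE, &flOldProtect);
        if ( bProtectChanged
            && WriteProcessMemory(hProcess, lpCurESPAddress, ShellCodeBuf, REGION_SIZE, &NumberOfBytesWritten)
            && FlushInstructionCache(hProcess, lpCurESPAddress, REGION_SIZE)
            && SetThreadContext(hThread, &Context) )
        {
            bResult = TRUE;
        }
        else if (bProtectChanged)
        {
            /* A later step failed: do not leave the stack range executable. */
            VirtualProtectEx(hProcess, lpCurESPAddress, REGION_SIZE, flOldProtect, &flUnused);
        }
    }

    /* Undo the SuspendThread above. */
    ResumeThread(hThread);
    /* Report the real outcome; returning TRUE unconditionally would make the
       caller treat a failed write as a loaded DLL. */
    return bResult;
}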
/*
 * Resolve LoadLibraryW from the Kernel32 module loaded in the calling process
 * and return its address as a 32-bit value.
 *
 * The address is looked up in this process. CreateProcessWithDllW later uses
 * it as a call target inside a different process, which presumably relies on
 * Kernel32 being mapped at the same address there (confirm for the target).
 * Neither lookup is checked here; the result is whatever GetProcAddress
 * returned, cast to DWORD (x86 only: a 64-bit pointer would be truncated).
 */
DWORD GetFuncAdress()
{
    HMODULE hKernel32 = GetModuleHandleA("Kernel32");
    FARPROC pfnLoadLibraryW = GetProcAddress(hKernel32, "LoadLibraryW");

    return (DWORD)pfnLoadLibraryW;
}
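/*
 * Create a process suspended, arrange for its initial thread to call
 * LoadLibraryW on lpDllFullPath before it continues, then resume it unless
 * the caller asked for CREATE_SUSPENDED.
 *
 * The first ten parameters are forwarded unchanged to the process-creation
 * routine, except that CREATE_SUSPENDED is always added to dwCreationFlags.
 *
 * lpProcessInformation  optional; receives the process and thread handles on
 *                       success. The caller then owns them and must close
 *                       them. When NULL, the handles are closed here.
 * lpDllFullPath         wide-char path handed to LoadLibraryW in the new
 *                       process as-is, or NULL to load nothing. Pass a fully
 *                       qualified path to a file in a location that other
 *                       users cannot write to; a bare name would be resolved
 *                       by the loader's search order in the new process.
 * FuncAdress            process-creation routine to use; NULL selects
 *                       CreateProcessW.
 *
 * Returns TRUE when the process was created and its thread redirected. On
 * FALSE no process is left behind: a child whose setup failed is terminated
 * and its handles are closed. The last-error value of the failing step is
 * preserved across that cleanup.
 */
BOOL WINAPI CreateProcessWithDllW( LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation,
LPWSTR lpDllFullPath,
Proc_CreateProcessW FuncAdress
)
{
    BOOL bResult = FALSE;
    size_t uCodeSize = 0;
    DWORD dwCreaFlags;
    DWORD dwLoadDllProc;
    DWORD dwLastError;
    PROCESS_INFORMATION pi;

    ZeroMemory( &pi, sizeof(pi) );
    if (FuncAdress == NULL)
    {
        FuncAdress = CreateProcessW;
    }

    /* Always create suspended so the thread can be redirected before it runs. */
    dwCreaFlags = dwCreationFlags | CREATE_SUSPENDED;

    /* Call through FuncAdress; calling CreateProcessW directly would silently
       ignore a routine supplied by the caller. */
    if (!FuncAdress(lpApplicationName,
                    lpCommandLine,
                    lpProcessAttributes,
                    lpThreadAttributes,
                    bInheritHandles,
                    dwCreaFlags,
                    lpEnvironment,
                    lpCurrentDirectory,
                    lpStartupInfo,
                    &pi))
    {
        return FALSE;
    }

    /* Payload is the path including its terminating NUL, in bytes. */
    if ( lpDllFullPath )
        uCodeSize = (wcslen(lpDllFullPath) + 1) * sizeof(WCHAR);

    /* Address of LoadLibraryW as seen in this process. */
    dwLoadDllProc = GetFuncAdress();

    /* A zero address is only acceptable when there is no DLL to load, because
       the call instruction is emitted only for a non-NULL path. */
    if ((lpDllFullPath == NULL || dwLoadDllProc != 0)
        && SuspendTidAndInjectCode(pi.hProcess, pi.hThread, dwLoadDllProc, (BYTE*)lpDllFullPath, uCodeSize))
    {
        if ( lpProcessInformation )
            memcpy(lpProcessInformation, &pi, sizeof(PROCESS_INFORMATION));
        if ( !(dwCreationFlags & CREATE_SUSPENDED) )
            ResumeThread(pi.hThread);
        bResult = TRUE;
    }
    else
    {
        /* Setup failed: do not leave a suspended child process behind. */
        dwLastError = GetLastError();
        TerminateProcess(pi.hProcess, 1);
        SetLastError(dwLastError);
    }

    /* Close the handles unless ownership was passed to the caller. */
    if ( !bResult || !lpProcessInformation )
    {
        dwLastError = GetLastError();
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
        SetLastError(dwLastError);
    }
    return bResult;
}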
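/*
 * Demo entry point: start the hard-coded test executable with the hard-coded
 * sample DLL loaded into it through CreateProcessWithDllW.
 *
 * Returns 0 when the process was started, 1 when CreateProcessWithDllW
 * reported failure.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    /* Passed as lpCommandLine (lpApplicationName is NULL), so it is kept in a
       writable array rather than a string literal. */
    WCHAR wszPath[] = L"D:\\TestCreateProcessWithDll.exe";
    WCHAR wszDll[] = L"D:\\SampleDLL.dll";
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;

    (void)argc;
    (void)argv;

    ZeroMemory( &si, sizeof(si) );
    si.cb = sizeof(si);
    ZeroMemory( &pi, sizeof(pi) );

    /* The result was previously ignored, so a failed launch looked like success. */
    if (!CreateProcessWithDllW(NULL, wszPath, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi, wszDll, NULL))
    {
        return 1;
    }

    /* The handles returned in pi belong to this caller; release them. */
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}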
我的有比你更舒服,更简洁嘛
6 楼
相比楼主的内容,老兄的ShellCode更人性化一点,免去了调试的过程,不过楼主比你的强的地方在于,至少先拿了个Token,让插入dll更舒服一点~~不过,技术嘛,互相学习~~让我受益匪浅~~
8 楼
看看Detours Express 3.0里的DetourCreateProcessWithDllEx源码也不错,支持64位
11 楼
5楼的代码写的挺有意思
可以不这样,申请dll需要的内存,按照目标地址重定位好,拷贝过去。
esp里做个 call dllentry,然后抹去PE头
23 楼
看起来和Detours的代码很相似。话说你代码里创建进程的那一处,应该调用FuncAdress()吧?