[Share] Year-end code drop series (1)
Posted: 2016-12-28 13:07 10553

Implements the effect you see in PCHunter where every module appears to have been replaced.
The header file has too much in it, so I'm not posting it.
In practice it just walks the PEB LDR list once and modifies a few PE header attributes.
The PEB is obtained through an Ntdll function.

#include "../Common/common.h"   // pulls in <windows.h> and the NTDLL namespace (NtQueryInformationProcess, PEB/LDR structs); not posted

namespace user
{

#define RVATOVA(_base_, _offset_) ((PUCHAR)(_base_) + (ULONG)(_offset_))

	// Rewrite one module's in-memory NT headers so that PCHunter shows it as
	// replaced: the import directory RVA is pointed at nothing and the entry
	// point is zeroed. The header page is made writable only for the edit.
	static void mark_pe_packed(PVOID Image)
	{
		__try
		{
			PIMAGE_NT_HEADERS32 pHeaders32 = (PIMAGE_NT_HEADERS32)
				((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew);

			if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_I386)
			{
				// 32-bit image
				DWORD old = 0;
				if (VirtualProtectEx(GetCurrentProcess(), pHeaders32, sizeof(IMAGE_NT_HEADERS32), PAGE_READWRITE, &old))
				{
					pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = 1;
					pHeaders32->OptionalHeader.AddressOfEntryPoint = 0;
					VirtualProtectEx(GetCurrentProcess(), pHeaders32, sizeof(IMAGE_NT_HEADERS32), old, &old);
				}
			}
			else if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
			{
				// 64-bit image: same e_lfanew offset, larger optional header
				PIMAGE_NT_HEADERS64 pHeaders64 = (PIMAGE_NT_HEADERS64)pHeaders32;

				DWORD old = 0;
				if (VirtualProtectEx(GetCurrentProcess(), pHeaders64, sizeof(IMAGE_NT_HEADERS64), PAGE_READWRITE, &old))
				{
					pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = 1;
					pHeaders64->OptionalHeader.AddressOfEntryPoint = 0;
					VirtualProtectEx(GetCurrentProcess(), pHeaders64, sizeof(IMAGE_NT_HEADERS64), old, &old);
				}
			}
		}
		__except (EXCEPTION_EXECUTE_HANDLER)
		{
			// A module with an unreadable or malformed header: report it and move on.
			MessageBoxA(nullptr, "fucker", "ff", MB_OK);
		}
	}

	// Walk the PEB's InMemoryOrderModuleList and patch every loaded module,
	// the main executable included.
	void mark_all_modules()
	{
		NTDLL::PROCESS_BASIC_INFORMATION stInfo = { 0 };
		DWORD dwRetnLen = 0;
		if (NTDLL::NtQueryInformationProcess(GetCurrentProcess(), NTDLL::ProcessBasicInformation, &stInfo, sizeof(stInfo), &dwRetnLen) != 0)
			return;   // NTSTATUS other than STATUS_SUCCESS (0): no PEB address to work with

		PPEB pPeb = (PPEB)stInfo.PebBaseAddress;
		PLIST_ENTRY ListHead = &pPeb->Ldr->InMemoryOrderModuleList;
		PLIST_ENTRY Current = ListHead->Flink;
		while (Current != ListHead)
		{
			NTDLL::LDR_DATA_TABLE_ENTRY *pstEntry = CONTAINING_RECORD(Current, NTDLL::LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
			mark_pe_packed(pstEntry->DllBase);
			Current = pstEntry->InMemoryOrderLinks.Flink;
		}
	}
}

int main()
{
	user::mark_all_modules();
	// Keep the process alive so it can be inspected in PCHunter.
	MessageBoxA(nullptr, "test", "me", MB_OK);
	return 0;
}



Anyone interested in studying some odd code can join QQ group: 48715131
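The post's code changes two header fields in every loaded module. What follows is an added example (not code from the post, nor from PCHunter) of the inverse check a defender or analyst would run: parse a module's in-memory NT headers, flag the states a loader never produces (an import directory RVA that lands inside the headers or past the image, a zeroed entry point on an EXE), and compare the live optional header with its on-disk copy. It parses raw bytes by offset so it builds without <windows.h>; the sample image and its tampered copy are constructed inline, and every namespace, struct and function name here is this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

namespace pecheck {

using Bytes = std::vector<uint8_t>;

// Bounds-checked little-endian accessors: reads past the end return 0, writes are dropped.
static uint16_t rd16(const Bytes& b, size_t off) {
    return (uint16_t)(off + 2 <= b.size() ? (b[off] | (b[off + 1] << 8)) : 0);
}
static uint32_t rd32(const Bytes& b, size_t off) {
    return off + 4 <= b.size() ? rd16(b, off) | ((uint32_t)rd16(b, off + 2) << 16) : 0;
}
static void wr32(Bytes& b, size_t off, uint32_t v) {
    for (size_t i = 0; i < 4 && off + i < b.size(); ++i) b[off + i] = (uint8_t)(v >> (8 * i));
}

// The fields the checks need, from a PE32 or PE32+ header.
struct PeView {
    bool is64 = false, is_dll = false;
    uint32_t entry_point = 0, size_of_image = 0, size_of_headers = 0;
    uint32_t import_rva = 0, import_size = 0;
};

// Parses by IMAGE_NT_HEADERS offsets; returns false on a malformed header.
static bool parse(const Bytes& img, PeView& v) {
    if (rd16(img, 0) != 0x5A4D) return false;                  // "MZ"
    size_t nt = rd32(img, 0x3C);                               // e_lfanew
    if (nt == 0 || rd32(img, nt) != 0x00004550) return false;  // "PE\0\0"
    v.is_dll = (rd16(img, nt + 22) & 0x2000) != 0;             // FileHeader.Characteristics & IMAGE_FILE_DLL
    size_t opt = nt + 24;                                      // OptionalHeader follows Signature + FileHeader
    uint16_t magic = rd16(img, opt);
    if (magic != 0x10B && magic != 0x20B) return false;        // PE32 / PE32+
    v.is64 = (magic == 0x20B);
    v.entry_point     = rd32(img, opt + 16);
    v.size_of_image   = rd32(img, opt + 56);
    v.size_of_headers = rd32(img, opt + 60);
    size_t dirs = opt + (v.is64 ? 112 : 96);                   // DataDirectory[0]
    if (rd32(img, dirs - 4) > 1) {                             // NumberOfRvaAndSizes covers entry 1 (IMPORT)
        v.import_rva  = rd32(img, dirs + 8);
        v.import_size = rd32(img, dirs + 12);
    }
    return true;
}

// Header states that a loaded, untouched image never has.
std::vector<std::string> header_anomalies(const Bytes& img) {
    std::vector<std::string> out;
    PeView v;
    if (!parse(img, v)) { out.push_back("not a valid PE header"); return out; }
    if (v.import_rva != 0 && (v.import_rva < v.size_of_headers || v.import_rva >= v.size_of_image))
        out.push_back("import directory RVA outside any section");
    if (v.entry_point == 0 && !v.is_dll)
        out.push_back("entry point is zero on a non-DLL image");
    if (v.entry_point != 0 && v.entry_point >= v.size_of_image)
        out.push_back("entry point outside the image");
    return out;
}

// The loader maps the headers byte-for-byte from the file and relocation fix-ups never
// touch them, so a live optional header that differs from the on-disk one was modified after load.
std::vector<std::string> diff_with_disk(const Bytes& mem, const Bytes& disk) {
    std::vector<std::string> out;
    PeView m, d;
    if (!parse(mem, m) || !parse(disk, d)) { out.push_back("unparseable header"); return out; }
    if (m.entry_point != d.entry_point) out.push_back("AddressOfEntryPoint changed");
    if (m.import_rva != d.import_rva || m.import_size != d.import_size) out.push_back("import directory entry changed");
    return out;
}

// Constructed sample: a minimal PE32 header (no sections) with a plausible import
// directory and entry point, laid out as the loader would map it.
Bytes build_sample_pe32(bool dll) {
    Bytes img(0x1000, 0);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img, 0x3C, 0x80);                                   // e_lfanew
    size_t nt = 0x80, opt = nt + 24;
    wr32(img, nt, 0x00004550);                               // "PE\0\0"
    img[nt + 4] = 0x4C; img[nt + 5] = 0x01;                  // IMAGE_FILE_MACHINE_I386
    img[nt + 20] = 0xE0;                                     // SizeOfOptionalHeader = 224
    uint16_t chars = 0x0102 | (dll ? 0x2000 : 0);            // EXECUTABLE_IMAGE | 32BIT_MACHINE [| DLL]
    img[nt + 22] = (uint8_t)chars; img[nt + 23] = (uint8_t)(chars >> 8);
    img[opt] = 0x0B; img[opt + 1] = 0x01;                    // PE32 magic
    wr32(img, opt + 16, 0x1000);                             // AddressOfEntryPoint
    wr32(img, opt + 56, 0x5000);                             // SizeOfImage
    wr32(img, opt + 60, 0x400);                              // SizeOfHeaders
    wr32(img, opt + 92, 16);                                 // NumberOfRvaAndSizes
    wr32(img, opt + 96 + 8, 0x3000);                         // DataDirectory[IMPORT].VirtualAddress
    wr32(img, opt + 96 + 12, 0x80);                          // DataDirectory[IMPORT].Size
    return img;
}

// Constructed test input: the clean sample after exactly the edit the post's
// mark_pe_packed() makes (import RVA = 1, entry point = 0).
Bytes tampered_sample(bool dll) {
    Bytes img = build_sample_pe32(dll);
    size_t opt = rd32(img, 0x3C) + 24;
    wr32(img, opt + 16, 0);
    wr32(img, opt + 96 + 8, 1);
    return img;
}

}  // namespace pecheck

int main() {
    using namespace pecheck;
    Bytes on_disk = build_sample_pe32(false), live = tampered_sample(false);
    for (const auto& a : header_anomalies(live)) std::cout << "anomaly: " << a << '\n';
    for (const auto& d : diff_with_disk(live, on_disk)) std::cout << "differs from disk: " << d << '\n';
    return 0;
}
```

On a real system the `live` buffer would be the first page read from a module's `DllBase` and `on_disk` the first page of the file named in its loader entry; the disk comparison is the more robust of the two checks, since the anomaly heuristics only catch values that are obviously impossible, while the diff catches any post-load edit of the fields it covers.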

Latest replies (14)
#2
Nice..

Though I already knew about it.

Haha.

V校, don't stop~~
2016-12-28 13:13
#3
Nice name for this series, upvote!
2016-12-28 13:15
#4
No limit to the ideas...
2016-12-28 13:26
#5
V校, could you post some anti-AV stuff for me?
2016-12-28 14:00
#6
Front row, supporting V校
2016-12-28 17:14
#7
How do you detect VMware and similar virtual machines?
2016-12-28 18:46
#8
Anti-Virtualization / Full-System Emulation

Registry key value artifacts

HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VBOX)
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (QEMU)
HARDWARE\Description\System (SystemBiosVersion) (VBOX)
HARDWARE\Description\System (SystemBiosVersion) (QEMU)
HARDWARE\Description\System (VideoBiosVersion) (VIRTUALBOX)
HARDWARE\Description\System (SystemBiosDate) (06/23/99)
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
Registry Keys artifacts

"HARDWARE\ACPI\RSDT\VBOX__"
"HARDWARE\ACPI\FADT\VBOX__"
"HARDWARE\ACPI\RSDT\VBOX__"
"SOFTWARE\Oracle\VirtualBox Guest Additions"
"SYSTEM\ControlSet001\Services\VBoxGuest"
"SYSTEM\ControlSet001\Services\VBoxMouse"
"SYSTEM\ControlSet001\Services\VBoxService"
"SYSTEM\ControlSet001\Services\VBoxSF"
"SYSTEM\ControlSet001\Services\VBoxVideo"
SOFTWARE\VMware, Inc.\VMware Tools
SOFTWARE\Wine
File system artifacts

"system32\drivers\VBoxMouse.sys"
"system32\drivers\VBoxGuest.sys"
"system32\drivers\VBoxSF.sys"
"system32\drivers\VBoxVideo.sys"
"system32\vboxdisp.dll"
"system32\vboxhook.dll"
"system32\vboxmrxnp.dll"
"system32\vboxogl.dll"
"system32\vboxoglarrayspu.dll"
"system32\vboxoglcrutil.dll"
"system32\vboxoglerrorspu.dll"
"system32\vboxoglfeedbackspu.dll"
"system32\vboxoglpackspu.dll"
"system32\vboxoglpassthroughspu.dll"
"system32\vboxservice.exe"
"system32\vboxtray.exe"
"system32\VBoxControl.exe"
"system32\drivers\vmmouse.sys"
"system32\drivers\vmhgfs.sys"
Directories artifacts

"%PROGRAMFILES%\oracle\virtualbox guest additions\"
"%PROGRAMFILES%\VMWare\"
Memory artifacts

Interrupt Descriptor Table (IDT) location
Local Descriptor Table (LDT) location
Global Descriptor Table (GDT) location
Task state segment trick with STR

MAC Address

"\x08\x00\x27" (VBOX)
"\x00\x05\x69" (VMWARE)
"\x00\x0C\x29" (VMWARE)
"\x00\x1C\x14" (VMWARE)
"\x00\x50\x56" (VMWARE)
Virtual devices

"\\.\VBoxMiniRdrDN"
"\\.\VBoxGuest"
"\\.\pipe\VBoxMiniRdDN"
"\\.\VBoxTrayIPC"
"\\.\pipe\VBoxTrayIPC"
"\\.\HGFS"
"\\.\vmci"
Hardware Device information

SetupAPI SetupDiEnumDeviceInfo (GUID_DEVCLASS_DISKDRIVE)
QEMU
VMWare
VBOX
VIRTUAL HD
Adapter name

VMWare
Windows Class

VBoxTrayToolWndClass
VBoxTrayToolWnd
Network shares

VirtualBox Shared Folders
Processes

vboxservice.exe (VBOX)
vboxtray.exe (VBOX)
vmtoolsd.exe (VMWARE)
vmwaretray.exe (VMWARE)
vmwareuser (VMWARE)
vmsrvc.exe (VirtualPC)
vmusrvc.exe (VirtualPC)
prl_cc.exe (Parallels)
prl_tools.exe (Parallels)
xenservice.exe (Citrix Xen)
WMI

SELECT * FROM Win32_Bios (SerialNumber) (VMWARE)
SELECT * FROM Win32_PnPEntity (DeviceId) (VBOX)
SELECT * FROM Win32_NetworkAdapterConfiguration (MACAddress) (VBOX)
SELECT * FROM Win32_NTEventlogFile (VBOX)
SELECT * FROM Win32_Processor (NumberOfCores) (GENERIC)
SELECT * FROM Win32_LogicalDisk (Size) (GENERIC)
DLL Exports and Loaded DLLs

kernel32.dll!wine_get_unix_file_name (Wine)
sbiedll.dll (Sandboxie)
dbghelp.dll (MS debugging support routines)
api_log.dll (iDefense Labs)
dir_watch.dll (iDefense Labs)
pstorec.dll (SunBelt Sandbox)
vmcheck.dll (Virtual PC)
wpespy.dll (WPE Pro)

https://github.com/LordNoteworthy/al-khaser
2016-12-28 18:51
#9
Support from the back row
2016-12-28 19:42
#10
The master 安于此生 drops a big move when you least expect it, can't keep up...
2016-12-29 09:49
#11
What can this be used for? I don't quite get it.
2016-12-29 14:40
#12

From the description, this code is meant to stop people from using PCHunter to analyze in-process hooks. A virus or a patch could use it to hide its own import-table hooks on the process.

2017-4-9 10:03
#13
Learning from this.
2017-10-4 17:31
#14
It's the end of the year again
2020-1-9 17:26
#15
2020-1-9 18:06