求大神帮忙看看我这段代码,意在利用傀儡进程加载我自己的程序
typedef long NTSTATUS;
typedef NTSTATUS (__stdcall *pfnZwUnmapViewOfSection)(
IN HANDLE ProcessHandle, // 接收进程句柄
IN LPVOID BaseAddress // 接收基地址
);
pfnZwUnmapViewOfSection ZwUnmapViewOfSection;
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.
//加载ZwUnmapViewOfSection函数
ZwUnmapViewOfSection = (pfnZwUnmapViewOfSection)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwUnmapViewOfSection");
//读取文件最后一个节的地址
CHAR szBuf[256] = "c:\\1.exe";
ifstream infile;
infile.open(szBuf, ios::in | ios::binary);
if(!infile.is_open()){
MessageBox(NULL, "文件打开失败", "信息", MB_OK);
return 0;
}
//读取文件到缓冲区
infile.seekg(0, ios::end);
int fileSize = infile.tellg();
infile.seekg(0, ios::beg);
PBYTE buffer = new BYTE[fileSize];
infile.read((char*)buffer, fileSize);
infile.close();
//为PE配置指针
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)buffer;
PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)(buffer + pDosHeader->e_lfanew);
PIMAGE_SECTION_HEADER pSecHeader = (PIMAGE_SECTION_HEADER)((PBYTE)&pNtHeader->OptionalHeader + pNtHeader->FileHeader.SizeOfOptionalHeader);
PBYTE pBegin = buffer + pSecHeader[pNtHeader->FileHeader.NumberOfSections-1].PointerToRawData;
PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)pBegin;
PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)(pBegin + pDos->e_lfanew);
PIMAGE_SECTION_HEADER pSec = (PIMAGE_SECTION_HEADER)((PBYTE)&pNt->OptionalHeader + pNt->FileHeader.SizeOfOptionalHeader);
//打开一个进程
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(STARTUPINFO));
ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
DWORD dwFlag = ::CreateProcess(NULL, szBuf, NULL, NULL, FALSE, CREATE_SUSPENDED,NULL, NULL, &si, &pi);
if(!dwFlag) {
MessageBox(NULL, "进程创建失败", "信息", MB_OK);
return 0;
}
//获取进程上下文
CONTEXT ctx;
ctx.ContextFlags = CONTEXT_FULL;
if(!GetThreadContext(pi.hThread, &ctx)){
MessageBox(NULL, "获取进程上下文失败", "信息", MB_OK);
return 0;
}
//获取进程基址和入口
DWORD entryPoint = ctx.Eax;
char* BaseAddress = (char*)ctx.Ebx + 8;
DWORD ImageBase;
ReadProcessMemory(pi.hProcess, BaseAddress, &ImageBase, sizeof(DWORD), NULL);
ZeroMemory(szBuf,256);
sprintf(szBuf, "%.8X", ImageBase);
MessageBox(NULL, szBuf, "ImageBase", MB_OK);
//卸载原来的镜像地址
NTSTATUS flag = ZwUnmapViewOfSection(pi.hProcess, (LPVOID)ImageBase);
if(flag < 0){
MessageBox(NULL, "卸载原来的镜像地址失败", "信息", MB_OK);
return 0;
}
//重新分配内存空间
LPVOID newAddress = VirtualAllocEx(pi.hProcess,
&pNt->OptionalHeader.ImageBase,
pNt->OptionalHeader.SizeOfImage,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
if(newAddress == NULL){
MessageBox(NULL, "重新分配内存失败", "信息", MB_OK);
return 0;
}
//最后一个节的文件装载到内存
//将信息写入到新的内存中
PBYTE memBuffer = new BYTE[pNt->OptionalHeader.SizeOfImage];
ZeroMemory(memBuffer, pNt->OptionalHeader.SizeOfImage);
memcpy(memBuffer, pBegin, pNt->OptionalHeader.SizeOfHeaders);
for (UINT i = 0; i < pNt->FileHeader.NumberOfSections; i++) {
memcpy(memBuffer + pSec[i].VirtualAddress,
pBegin + pSec[i].PointerToRawData,
pSec[i].SizeOfRawData);
}
WriteProcessMemory(pi.hProcess,
(LPVOID)pNt->OptionalHeader.ImageBase,
memBuffer,
pNt->OptionalHeader.SizeOfImage,
NULL);
//写CONTEXT
DWORD newImageBase = (DWORD)pNt->OptionalHeader.ImageBase;
ctx.Eax = newImageBase + pNt->OptionalHeader.AddressOfEntryPoint;
WriteProcessMemory(pi.hProcess, BaseAddress, &newImageBase, 4, NULL);
SetThreadContext(pi.hThread, &ctx);
ResumeThread(pi.hThread);
delete [] buffer;
return 0;
}
其中 1.exe 是我已经将我自己的代码放到最后一个节中,这段代码运行希望可以把最后一个节的代码提出来并且运行,在WINDOWS Xp系统上可以运行,但是无效果(什么都不显示)
在WIN10 64位系统上会出现内存0x00000005的错误,求大神解答!!!调试了好久都没有调试出问题
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法