-
-
[原创][封装]动态汇编引擎与反汇编引擎
-
发表于: 2024-11-20 20:57
-
DEMO:
#ifndef __GENIE_ASM_H#define __GENIE_ASM_H// 精灵动态汇编库
#ifdef __cplusplus#define WIN32_LEAN_AND_MEAN // 从 Windows 头中排除极少使用的资料// Windows 头文件:
#include <windows.h>#ifdef GENIEASM_EXPORTS#include "Genieasm_Aux.h"#define GENIEASM_API extern "C" __declspec(dllexport)#else#define GENIEASM_API extern "C" __declspec(dllimport)// 数据类型:指令
typedef char instruction[80];
#endif#else#ifndef UInt64#if defined(_WIN64)typedef unsigned long long UIntPtr;
#elsetypedef unsigned int UIntPtr;
#endiftypedef unsigned long long UInt64;
#endif#define GENIEASM_API extern// 数据类型:指令
typedef char instruction[80];
#endif//---------------------------------------------------------------------------------------------------
// @ 程序环境
//---------------------------------------------------------------------------------------------------
typedef void * Genie_Program_Environment;
// 创建环境
Genie_Program_Environment * geniepenv_create(BOOL platform64, UIntPtr address, UInt64 virtualAddr/* 基地址 */);
// 销毁环境
void geniepenv_destroy(Genie_Program_Environment * pGpenv);
//---------------------------------------------------------------------------------------------------
// @ 反汇编引擎
//---------------------------------------------------------------------------------------------------
// 进入反汇编环境
GENIEASM_API BOOL geniedisasm_enter_env(Genie_Program_Environment * pGpenv);
// 反汇编开始 返回字符串地址
GENIEASM_API char * geniedisasm_begin(UInt64 address);
// 反汇编
GENIEASM_API int geniedisasm();
// 取当前地址
GENIEASM_API UINT64 geniedisasm_geteip();// 反汇编结束
GENIEASM_API void geniedisasm_end();// 取函数真实地址
GENIEASM_API UINT64 geniedisasm_getrealfunadr(UInt64 address);// 取指定长度的指令集
GENIEASM_API unsigned int geniedisasm_query(UInt64 address, unsigned int size, instruction * instrs, unsigned int nbInstr);
// 退出反汇编环境
GENIEASM_API void geniedisasm_leave_env();//---------------------------------------------------------------------------------------------------
// @ 反汇编引擎宏
//---------------------------------------------------------------------------------------------------
static char * m_pszInstr = NULL;
#define __disasm_enter(ENV) if (geniedisasm_enter_env(ENV) == TRUE) { do#define __disasm_begin(ADR) m_pszInstr = geniedisasm_begin((UInt64)ADR); if (m_pszInstr != NULL) { char * instr = m_pszInstr; do#define __disasm geniedisasm()#define __disasmFrealadr(FUN) geniedisasm_getrealfunadr((UInt64)FUN)#define __disasm_end while(0); geniedisasm_end(); }#define __disasmX(ADR,_SIZE, INSTR, NBINSTR) geniedisasm_query((UInt64)ADR, (unsigned int)_SIZE, INSTR, NBINSTR)#define __disasm_leave while(0); geniedisasm_leave_env(); }//---------------------------------------------------------------------------------------------------
// @ 汇编引擎
//---------------------------------------------------------------------------------------------------
// 汇编
#ifdef _DEBUG// 设置编译名称
GENIEASM_API void genieassembly_setname(char * name);
// 设置错误回调
typedef void(_cdecl * on_assembly_error)(const char * name, const char * pszCode, const char * msg);
GENIEASM_API void genieassembly_seterr(on_assembly_error error);#else#define genieasm_assembly_seterr#define genieasm_assembly_setname#endif// 进入汇编环境(默认环境 当前程序环境)
GENIEASM_API BOOL genieassembly_enter_env(Genie_Program_Environment * pGpenv);
// 投递空间域
GENIEASM_API BOOL genieassembly_push_space(UInt64 address, unsigned int size);
// 汇编开始 (dest == NULL){使用已经存在的汇编地址(genieasm_assembly_push_space 提供的空间域)}
GENIEASM_API BOOL genieassembly_begin(UInt64 address, unsigned int size);
// 汇编开始 从dest目标处查找首个nop指令作为编译地址
/*
// 汇编静态与动态结合
void __declspec(naked) FUNCTION(int arg)
{ __asm
{
push ebp;
mov ebp, esp;
push dword ptr[ebp + 12];
nop;
nop;
nop;
nop;
nop;
mov ecx, dword ptr[ebp + 8];
nop;
nop;
nop;
nop;
nop;
add esp, 4;
pop ebp;
retn 8
}
}
} // 这种代码难理解
genieassembly_begin_search_nop(genieassembly_getrealfunadr((UIntPtr)FUNCTION));
genieassembly_fmt("push 0x%x", gameActskill);
genieassembly_to_nop();
genieassembly_fmt("call 0x%x", gameActcall);
genieasm_assembly_end();
// 使用宏封装代码
__masmSearchNop(FUNCTION) {
__masmF("push 0x%x", gameActskill);
__masmMtnop;
__masmF("call 0x%x", gameActcall);
}__masm__;
*/
// 开始汇编于NOP
GENIEASM_API BOOL genieassembly_begin_search_nop(UInt64 address, BOOL searchE);
// 开始汇编于特征码 遇到 0x90 跳过识别
GENIEASM_API BOOL genieassembly_begin_search_features(UInt64 address, unsigned int size, UIntPtr features, unsigned int sizeFeatures);
// 跳过指定字节
GENIEASM_API void genieassembly_skip(unsigned int size);
// 跳至NOP
GENIEASM_API void genieassembly_to_nop();// 汇编文本
GENIEASM_API void genieassembly_str(char * pszCode);
// 连续汇编 genieasm_assembly_coiled("push 0", "push 1", NULL);
GENIEASM_API void genieassembly_coiled(char * pszCode,...);
// 格式化文本汇编 genieasm_assembly_fmt("push 0x%x", 1024);
GENIEASM_API void genieassembly_fmt(char * pszCode, ...);
// 汇编指令集(反汇编过来的指令集)
GENIEASM_API void genieassembly_instrs(instruction * instrs, unsigned int nbInster);
// 插入机器码
GENIEASM_API void genieassembly_placemc(UInt64 address, unsigned int size);
// 插入机器码(源地址与环境无关)
GENIEASM_API void genieassembly_placemcne(LPVOID address, unsigned int size);
// 转录指令(源地址(与环境相关),指令长度, -1:不可以超出 0:绝对指令长度 1:可以超出)
GENIEASM_API unsigned int genieassembly_translated(UInt64 address, unsigned int size, int flag);
// 取当前eip
GENIEASM_API UInt64 genieassembly_geteip();// 填充NOP
GENIEASM_API void genieassembly_fillNop(unsigned int size); // 设置为 NOP
// 取函数真实地址
GENIEASM_API UINT64 genieassembly_getrealfunadr(UInt64 address);// 结束汇编(size 返回编译的机器字节数)
GENIEASM_API void genieassembly_end(unsigned int * size);
// 退出汇编环境
GENIEASM_API void genieassembly_leave_env();// 直接汇编(与环境无关)
GENIEASM_API unsigned int genieassembly(UIntPtr adr, UIntPtr adrV, char * pszInstrF, ...);
// 非汇编 插入机器码(目标地址(与环境相关), 源地址(与环境相关), 指令长度)
GENIEASM_API void genieassembly_placemcany(UInt64 dest, UInt64 machine, unsigned int size);
// 非汇编 插入机器码(目标地址(与环境相关), 源地址(与环境无关), 指令长度)
GENIEASM_API void genieassembly_placemcanyne(UInt64 dest, LPVOID machine, unsigned int size);
// 非汇编 读取内存
GENIEASM_API void genieassembly_readany(LPVOID dest, UInt64 address, unsigned int size);
//---------------------------------------------------------------------------------------------------
// @ 汇编引擎宏
//---------------------------------------------------------------------------------------------------
#define __masm_enter(ENV) if (genieassembly_enter_env(ENV) == TRUE) { do#define __masm_define_space(ADR, _SIZE) genieassembly_push_space((UInt64)ADR, (unsigned int)_SIZE)#define __masmFrealadr(FUN) genieassembly_getrealfunadr((UInt64)FUN)#define __masm(ADR, _SIZE) if (genieassembly_begin((UInt64)ADR, (unsigned int)_SIZE) == TRUE) { do#define __masmX(_SIZE) __masm(0, _SIZE)// 查找首尾NOP进行汇编
#define __masmSearchNop(ADR) if (genieassembly_begin_search_nop(__masmFrealadr(ADR), FALSE) == TRUE) { do// 查找首NOP进行汇编
#define __masmSearchNopE(ADR) if (genieassembly_begin_search_nop(__masmFrealadr(ADR), TRUE) == TRUE) { do#define NOP -1#define __masmMtnop genieassembly_to_nop();#define __masmSkip(L) genieassembly_skip#define __masmC(CODE) genieassembly_str(CODE)#define __masmS(...) genieassembly_coiled(__VA_ARGS__, NULL)#define __masmI genieassembly_instrs#define __masmF(...) genieassembly_fmt(__VA_ARGS__)// ADR(与环境相关)
#define __masmM(ADR, _SIZE) genieassembly_placemc((UIntPtr)ADR, (unsigned int)_SIZE)// ADR(与环境无关)
#define __masmMne(ADR, _SIZE) genieassembly_placemcne((LPVOID)ADR, (unsigned int)_SIZE)// 读取
#define __masmNOP(_SIZE) genieassembly_fillNop(_SIZE)#define __masmEIP genieassembly_geteip()// 转录代码
#define __masmTran genieassembly_translated#define __masm__ while(0); genieassembly_end(NULL); }#define __masmL__(_SIZE) while(0); genieassembly_end(&_SIZE); }#define __masm_leave while(0); genieassembly_leave_env(); }// 非汇编指令集(目标地址(与环境相关), 源地址(与环境无关), 指令长度)
#define __code_place(ADR, MCADR, _SIZE) genieassembly_placemcany((UInt64)ADR, (UInt64)MCADR, (unsigned int)_SIZE)#define __code_placeNE(ADR, MCADR, _SIZE) genieassembly_placemcanyne((UInt64)ADR, (LPVOID)MCADR, (unsigned int)_SIZE)// 读内存(目标地址(与环境无关), 原地址(与环境有关), 指令长度)
#define __code_read(DEST, ADR, _SIZE) genieassembly_readany((LPVOID)DEST, (UInt64)ADR, (unsigned int)_SIZE)// 调试
#ifdef _DEBUG#define __masmError(FUN) genieasm_assembly_seterr((genieasm_assembly_error)FUN)#define __masmName(ASMNAME) genieasm_assembly_setname(ASMNAME)#else#define __masmName(ASMNAME)#endif// 单行汇编
#define __assemblyEx(ADR, VADR,...) genieassembly((UIntPtr)ADR, (UIntPtr)VADR, __VA_ARGS__)#define __assembly(ADR,...) genieassembly((UIntPtr)ADR, 0, __VA_ARGS__)//---------------------------------------------------------------------------------------------------
// @ 其他函数
//---------------------------------------------------------------------------------------------------
// 申请机器码内存
GENIEASM_API UIntPtr genieshellcode_alloc(unsigned int size);
// 释放机器码内存
GENIEASM_API void genieshellcode_free(UIntPtr shellC);//---------------------------------------------------------------------------------------------------
// @ 其他函数引擎宏
//---------------------------------------------------------------------------------------------------
#define __shellcode_alloc(_SIZE) genieshellcode_alloc#define __shellcode_free(P) genieshellcode_free(UIntPtr(P))// 汇编与反汇编同时进入环境
GENIEASM_API BOOL geniepenv_enter(Genie_Program_Environment * env);
GENIEASM_API void geniepenv_leave();//---------------------------------------------------------------------------------------------------
// @ 宏
//---------------------------------------------------------------------------------------------------
#define __env_enter(ENV) if (geniepenv_enter(ENV) == TRUE) { do#define __env_leave while(0); geniepenv_leave(); }// PE 动态修改保存
#ifdef __PEMODIFY_DLL/* 装载PE */
GENIEASM_API void * geniepe_load(char * pszFile);
/* 卸载PE */
GENIEASM_API void geniepe_unload(void * pe);
/* 另存为PE */
GENIEASM_API BOOL geniepe_saveas(char * pszFile, void * pe);
/* 取PE环境 */
GENIEASM_API Genie_Program_Environment * geniepe_getenv(void * pe);
//---------------------------------------------------------------------------------------------------
// @ PE汇编引擎宏
//---------------------------------------------------------------------------------------------------
#define __peload(_FILE) geniepe_load(_FILE)#define __peunload(PE) geniepe_unload(PE)#define __pesaveas(PE, _FILE) geniepe_saveas(_FILE, PE)#define __peENV(PE) geniepe_getenv(PE)#else#define __peload(PE)#define __peunload(PE)#define __pesaveas(_FILE, PE)#define __peENV(PE) NULL#endiftypedef void * DETOUR;
// 衍生出来HOOK库
// 安装(源地址,跳转地址,指令对齐?, 启用线程安全?, 立即启用)
GENIEASM_API DETOUR geniedetour_install(UIntPtr src, UIntPtr dest, BOOL align, BOOL thrd, BOOL enable);
GENIEASM_API DETOUR geniedetour_installEx(UIntPtr src, UIntPtr dest, unsigned int dest_size, BOOL align, BOOL thrd, BOOL enable);
GENIEASM_API UIntPtr geniedetour_query_api(char * pszdllName, char * pszapiName);
// 卸载
GENIEASM_API void geniedetour_uninstall(DETOUR pDetour);// 挂起
GENIEASM_API void geniedetour_suspend(DETOUR pDetour);// 启动
GENIEASM_API void geniedetour_enable(DETOUR pDetour);//---------------------------------------------------------------------------------------------------
// @ HOOK 引擎宏
//---------------------------------------------------------------------------------------------------
#define detour_install geniedetour_install#define detour_installEx geniedetour_installEx#define detour_query_api geniedetour_query_api#define detour_uninstall geniedetour_uninstall#define detour_suspend geniedetour_suspend#define detour_enable geniedetour_enable#endif#ifndef __GENIE_ASM_H#define __GENIE_ASM_H// 精灵动态汇编库
#ifdef __cplusplus#define WIN32_LEAN_AND_MEAN // 从 Windows 头中排除极少使用的资料// Windows 头文件:
#include <windows.h>#ifdef GENIEASM_EXPORTS#include "Genieasm_Aux.h"#define GENIEASM_API extern "C" __declspec(dllexport)#else#define GENIEASM_API extern "C" __declspec(dllimport)// 数据类型:指令
typedef char instruction[80];
#endif#else#ifndef UInt64#if defined(_WIN64)typedef unsigned long long UIntPtr;
#elsetypedef unsigned int UIntPtr;
#endiftypedef unsigned long long UInt64;
#endif#define GENIEASM_API extern// 数据类型:指令
typedef char instruction[80];
#endif//---------------------------------------------------------------------------------------------------
// @ 程序环境
//---------------------------------------------------------------------------------------------------
typedef void * Genie_Program_Environment;
// 创建环境
Genie_Program_Environment * geniepenv_create(BOOL platform64, UIntPtr address, UInt64 virtualAddr/* 基地址 */);
// 销毁环境
void geniepenv_destroy(Genie_Program_Environment * pGpenv);
//---------------------------------------------------------------------------------------------------
// @ 反汇编引擎
//---------------------------------------------------------------------------------------------------
// 进入反汇编环境
GENIEASM_API BOOL geniedisasm_enter_env(Genie_Program_Environment * pGpenv);
// 反汇编开始 返回字符串地址
GENIEASM_API char * geniedisasm_begin(UInt64 address);
// 反汇编
GENIEASM_API int geniedisasm();
// 取当前地址
GENIEASM_API UINT64 geniedisasm_geteip();// 反汇编结束
GENIEASM_API void geniedisasm_end();// 取函数真实地址
GENIEASM_API UINT64 geniedisasm_getrealfunadr(UInt64 address);// 取指定长度的指令集
GENIEASM_API unsigned int geniedisasm_query(UInt64 address, unsigned int size, instruction * instrs, unsigned int nbInstr);
// 退出反汇编环境
GENIEASM_API void geniedisasm_leave_env();//---------------------------------------------------------------------------------------------------
// @ 反汇编引擎宏
//---------------------------------------------------------------------------------------------------
static char * m_pszInstr = NULL;
#define __disasm_enter(ENV) if (geniedisasm_enter_env(ENV) == TRUE) { do#define __disasm_begin(ADR) m_pszInstr = geniedisasm_begin((UInt64)ADR); if (m_pszInstr != NULL) { char * instr = m_pszInstr; do#define __disasm geniedisasm()#define __disasmFrealadr(FUN) geniedisasm_getrealfunadr((UInt64)FUN)#define __disasm_end while(0); geniedisasm_end(); }#define __disasmX(ADR,_SIZE, INSTR, NBINSTR) geniedisasm_query((UInt64)ADR, (unsigned int)_SIZE, INSTR, NBINSTR)#define __disasm_leave while(0); geniedisasm_leave_env(); }//---------------------------------------------------------------------------------------------------
// @ 汇编引擎
//---------------------------------------------------------------------------------------------------
// 汇编
#ifdef _DEBUG// 设置编译名称
GENIEASM_API void genieassembly_setname(char * name);
// 设置错误回调
typedef void(_cdecl * on_assembly_error)(const char * name, const char * pszCode, const char * msg);
GENIEASM_API void genieassembly_seterr(on_assembly_error error);#else#define genieasm_assembly_seterr#define genieasm_assembly_setname#endif// 进入汇编环境(默认环境 当前程序环境)
GENIEASM_API BOOL genieassembly_enter_env(Genie_Program_Environment * pGpenv);
// 投递空间域
GENIEASM_API BOOL genieassembly_push_space(UInt64 address, unsigned int size);
// 汇编开始 (dest == NULL){使用已经存在的汇编地址(genieasm_assembly_push_space 提供的空间域)}
GENIEASM_API BOOL genieassembly_begin(UInt64 address, unsigned int size);
// 汇编开始 从dest目标处查找首个nop指令作为编译地址
/*
// 汇编静态与动态结合
void __declspec(naked) FUNCTION(int arg)
{ __asm
{
push ebp;
mov ebp, esp;
push dword ptr[ebp + 12];
nop;
nop;
nop;
nop;
nop;
mov ecx, dword ptr[ebp + 8];
nop;
nop;
nop;
nop;
nop;
add esp, 4;
pop ebp;
retn 8
}
}
} // 这种代码难理解
genieassembly_begin_search_nop(genieassembly_getrealfunadr((UIntPtr)FUNCTION));
genieassembly_fmt("push 0x%x", gameActskill);
genieassembly_to_nop();
genieassembly_fmt("call 0x%x", gameActcall);
genieasm_assembly_end();
// 使用宏封装代码
__masmSearchNop(FUNCTION) {
__masmF("push 0x%x", gameActskill);
__masmMtnop;
__masmF("call 0x%x", gameActcall);
}__masm__;
*/
// 开始汇编于NOP
GENIEASM_API BOOL genieassembly_begin_search_nop(UInt64 address, BOOL searchE);
// 开始汇编于特征码 遇到 0x90 跳过识别
GENIEASM_API BOOL genieassembly_begin_search_features(UInt64 address, unsigned int size, UIntPtr features, unsigned int sizeFeatures);
// 跳过指定字节
GENIEASM_API void genieassembly_skip(unsigned int size);
// 跳至NOP
GENIEASM_API void genieassembly_to_nop();// 汇编文本
GENIEASM_API void genieassembly_str(char * pszCode);
// 连续汇编 genieasm_assembly_coiled("push 0", "push 1", NULL);
GENIEASM_API void genieassembly_coiled(char * pszCode,...);
// 格式化文本汇编 genieasm_assembly_fmt("push 0x%x", 1024);
GENIEASM_API void genieassembly_fmt(char * pszCode, ...);
// 汇编指令集(反汇编过来的指令集)
GENIEASM_API void genieassembly_instrs(instruction * instrs, unsigned int nbInster);
// 插入机器码
GENIEASM_API void genieassembly_placemc(UInt64 address, unsigned int size);
// 插入机器码(源地址与环境无关)
GENIEASM_API void genieassembly_placemcne(LPVOID address, unsigned int size);
// 转录指令(源地址(与环境相关),指令长度, -1:不可以超出 0:绝对指令长度 1:可以超出)
GENIEASM_API unsigned int genieassembly_translated(UInt64 address, unsigned int size, int flag);
// 取当前eip
GENIEASM_API UInt64 genieassembly_geteip();// 填充NOP
GENIEASM_API void genieassembly_fillNop(unsigned int size); // 设置为 NOP
// 取函数真实地址
GENIEASM_API UINT64 genieassembly_getrealfunadr(UInt64 address);// 结束汇编(size 返回编译的机器字节数)
GENIEASM_API void genieassembly_end(unsigned int * size);
// 退出汇编环境
GENIEASM_API void genieassembly_leave_env();// 直接汇编(与环境无关)
GENIEASM_API unsigned int genieassembly(UIntPtr adr, UIntPtr adrV, char * pszInstrF, ...);
// 非汇编 插入机器码(目标地址(与环境相关), 源地址(与环境相关), 指令长度)
GENIEASM_API void genieassembly_placemcany(UInt64 dest, UInt64 machine, unsigned int size);
// 非汇编 插入机器码(目标地址(与环境相关), 源地址(与环境无关), 指令长度)
GENIEASM_API void genieassembly_placemcanyne(UInt64 dest, LPVOID machine, unsigned int size);
// 非汇编 读取内存
GENIEASM_API void genieassembly_readany(LPVOID dest, UInt64 address, unsigned int size);
//---------------------------------------------------------------------------------------------------
// @ 汇编引擎宏
//---------------------------------------------------------------------------------------------------
#define __masm_enter(ENV) if (genieassembly_enter_env(ENV) == TRUE) { do#define __masm_define_space(ADR, _SIZE) genieassembly_push_space((UInt64)ADR, (unsigned int)_SIZE)#define __masmFrealadr(FUN) genieassembly_getrealfunadr((UInt64)FUN)#define __masm(ADR, _SIZE) if (genieassembly_begin((UInt64)ADR, (unsigned int)_SIZE) == TRUE) { do#define __masmX(_SIZE) __masm(0, _SIZE)// 查找首尾NOP进行汇编
#define __masmSearchNop(ADR) if (genieassembly_begin_search_nop(__masmFrealadr(ADR), FALSE) == TRUE) { do// 查找首NOP进行汇编
#define __masmSearchNopE(ADR) if (genieassembly_begin_search_nop(__masmFrealadr(ADR), TRUE) == TRUE) { do#define NOP -1#define __masmMtnop genieassembly_to_nop();#define __masmSkip(L) genieassembly_skip#define __masmC(CODE) genieassembly_str(CODE)#define __masmS(...) genieassembly_coiled(__VA_ARGS__, NULL)#define __masmI genieassembly_instrs#define __masmF(...) genieassembly_fmt(__VA_ARGS__)// ADR(与环境相关)
#define __masmM(ADR, _SIZE) genieassembly_placemc((UIntPtr)ADR, (unsigned int)_SIZE)// ADR(与环境无关)
#define __masmMne(ADR, _SIZE) genieassembly_placemcne((LPVOID)ADR, (unsigned int)_SIZE)// 读取
#define __masmNOP(_SIZE) genieassembly_fillNop(_SIZE)#define __masmEIP genieassembly_geteip()// 转录代码
#define __masmTran genieassembly_translated#define __masm__ while(0); genieassembly_end(NULL); }#define __masmL__(_SIZE) while(0); genieassembly_end(&_SIZE); }#define __masm_leave while(0); genieassembly_leave_env(); }// 非汇编指令集(目标地址(与环境相关), 源地址(与环境无关), 指令长度)
#define __code_place(ADR, MCADR, _SIZE) genieassembly_placemcany((UInt64)ADR, (UInt64)MCADR, (unsigned int)_SIZE)#define __code_placeNE(ADR, MCADR, _SIZE) genieassembly_placemcanyne((UInt64)ADR, (LPVOID)MCADR, (unsigned int)_SIZE)// 读内存(目标地址(与环境无关), 原地址(与环境有关), 指令长度)
#define __code_read(DEST, ADR, _SIZE) genieassembly_readany((LPVOID)DEST, (UInt64)ADR, (unsigned int)_SIZE)// 调试
#ifdef _DEBUG#define __masmError(FUN) genieasm_assembly_seterr((genieasm_assembly_error)FUN)#define __masmName(ASMNAME) genieasm_assembly_setname(ASMNAME)#else#define __masmName(ASMNAME)#endif// 单行汇编
#define __assemblyEx(ADR, VADR,...) genieassembly((UIntPtr)ADR, (UIntPtr)VADR, __VA_ARGS__)#define __assembly(ADR,...) genieassembly((UIntPtr)ADR, 0, __VA_ARGS__)//---------------------------------------------------------------------------------------------------
// @ 其他函数
//---------------------------------------------------------------------------------------------------
// 申请机器码内存
GENIEASM_API UIntPtr genieshellcode_alloc(unsigned int size);
// 释放机器码内存
GENIEASM_API void genieshellcode_free(UIntPtr shellC);//---------------------------------------------------------------------------------------------------
// @ 其他函数引擎宏
//---------------------------------------------------------------------------------------------------
#define __shellcode_alloc(_SIZE) genieshellcode_alloc#define __shellcode_free(P) genieshellcode_free(UIntPtr(P))// 汇编与反汇编同时进入环境
GENIEASM_API BOOL geniepenv_enter(Genie_Program_Environment * env);
GENIEASM_API void geniepenv_leave();//---------------------------------------------------------------------------------------------------
// @ 宏
//---------------------------------------------------------------------------------------------------
#define __env_enter(ENV) if (geniepenv_enter(ENV) == TRUE) { do#define __env_leave while(0); geniepenv_leave(); }// PE 动态修改保存
#ifdef __PEMODIFY_DLL/* 装载PE */
GENIEASM_API void * geniepe_load(char * pszFile);
/* 卸载PE */
GENIEASM_API void geniepe_unload(void * pe);
/* 另存为PE */
GENIEASM_API BOOL geniepe_saveas(char * pszFile, void * pe);
/* 取PE环境 */
GENIEASM_API Genie_Program_Environment * geniepe_getenv(void * pe);
//---------------------------------------------------------------------------------------------------
// @ PE汇编引擎宏
//---------------------------------------------------------------------------------------------------
#define __peload(_FILE) geniepe_load(_FILE)#define __peunload(PE) geniepe_unload(PE)#define __pesaveas(PE, _FILE) geniepe_saveas(_FILE, PE)#define __peENV(PE) geniepe_getenv(PE)#else#define __peload(PE)#define __peunload(PE)#define __pesaveas(_FILE, PE)#define __peENV(PE) NULL#endiftypedef void * DETOUR;
// 衍生出来HOOK库
// 安装(源地址,跳转地址,指令对齐?, 启用线程安全?, 立即启用)
GENIEASM_API DETOUR geniedetour_install(UIntPtr src, UIntPtr dest, BOOL align, BOOL thrd, BOOL enable);
GENIEASM_API DETOUR geniedetour_installEx(UIntPtr src, UIntPtr dest, unsigned int dest_size, BOOL align, BOOL thrd, BOOL enable);
GENIEASM_API UIntPtr geniedetour_query_api(char * pszdllName, char * pszapiName);
// 卸载
GENIEASM_API void geniedetour_uninstall(DETOUR pDetour);// 挂起
GENIEASM_API void geniedetour_suspend(DETOUR pDetour);// 启动
GENIEASM_API void geniedetour_enable(DETOUR pDetour);//---------------------------------------------------------------------------------------------------
// @ HOOK 引擎宏
//---------------------------------------------------------------------------------------------------
#define detour_install geniedetour_install#define detour_installEx geniedetour_installEx#define detour_query_api geniedetour_query_api#define detour_uninstall geniedetour_uninstall#define detour_suspend geniedetour_suspend#define detour_enable geniedetour_enable#endif#include "Genieasm.h"#include <malloc.h>__inline void enter(){#ifdef _WIN32 Genie_Program_Environment * env = geniepenv_create(FALSE, 0, 0);
#else Genie_Program_Environment * env = geniepenv_create(TRUE, 0, 0);
#endif geniepenv_enter(env);
genieassembly_enter_env(env);
}__inline void leave(){ geniedisasm_leave_env();
genieassembly_leave_env();
}BOOL geniepenv_enter(Genie_Program_Environment * env)
{ if (env != NULL)
{
if (geniedisasm_enter_env(env) == TRUE)
{
if (genieassembly_enter_env(env) == TRUE)
{
return TRUE;
}
geniedisasm_leave_env();
}
}
return FALSE;
}void geniepenv_leave(){ geniedisasm_leave_env();
genieassembly_leave_env();
}BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
{ switch (dwReason)
{
case DLL_PROCESS_ATTACH:
enter();
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
leave();
break;
}
return TRUE;
}// 申请机器码内存
UIntPtr genieshellcode_alloc(unsigned int size)
{ if (size != 0)
{
unsigned char * shellC = (unsigned char *)malloc(size + sizeof(size_t) + sizeof(size_t));
if (shellC != NULL)
{
*((unsigned int *)shellC) = size;
shellC += sizeof(unsigned int);
shellC += sizeof(unsigned int);
::VirtualProtect(shellC, size, PAGE_EXECUTE_READWRITE, (PDWORD)&shellC[0 - sizeof(unsigned int)]);
return (UIntPtr)shellC;
}
}
return NULL;
}// 释放机器码内存
void genieshellcode_free(UIntPtr shellC){ if (shellC != 0)
{
unsigned char * _FREE = (unsigned char *)shellC;
_FREE -= sizeof(size_t);
DWORD dwProtect = *((PDWORD)_FREE);
_FREE -= sizeof(size_t);
size_t _SIZE = *((unsigned int*)_FREE);
DWORD dwCONST = 0;
::VirtualProtect((LPVOID)shellC, _SIZE, dwProtect, &dwCONST);
free(_FREE);
}
}#ifdef _DEBUGvoid __declspec(naked) FUNCTION2(){ __asm
{
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
}
}void __declspec(naked) FUNCTION3(){ __asm
{
mov eax, 65537;
mov eax, 65538;
mov eax, 65536;
mov eax, 65539;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
mov eax, 65536;
}
}// 汇编静态与动态结合
void __declspec(naked) FUNCTION(int arg)
{ __asm
{
push ebp;
mov ebp, esp;
push dword ptr[ebp + 12];
nop;
nop;
nop;
nop;
nop;
mov ecx, dword ptr[ebp + 8];
nop;
nop;
nop;
nop;
nop;
add esp, 4;
pop ebp;
retn 8
}
}void WINAPI hook_dest(char * pszMessage)
{ ::MessageBox(NULL, "流程正常", pszMessage, NULL);
}BYTE m_shell[0xff];
BYTE m_shell2[0x256];
int jmpCheck()
{ static int c = 0;
if (c == 0)
{
printf("%d\r\n", 0);
c++;
return 0;
}
printf("%d\r\n", 1);
return 1;
}void Func(){}int main()
{ enter();
// 使用当前程序环境 基地址0 虚拟地址 0 32位
// 汇编静态与动态结合
__masmSearchNop(FUNCTION)
{
__masmF("push 0x%x", 65536);
__masmMtnop(NOP);
__masmF("call 0x%x", main);
}__masm__;
// 反汇编输出查看
__disasm_begin(__disasmFrealadr(FUNCTION))
{
int line = 9;
while (line--)
{
__disasm;
printf("%s\r\n", instr);
}
}__disasm_end;
getchar();
printf("--------------------------------------------\r\n");
// 嵌套汇编 与预制空间
__masm_define_space(m_shell, 0xFF);
__masm_define_space(m_shell2, 0x256);
__masmX(48)
{
__masmS("push ebp",
"mov ebp, esp",
"push 1",
"push 2");
UInt64 adrCall = 0;
__masmX(46)
{
adrCall = __masmEIP;
__masmS("push ebp",
"mov ebp, esp",
"mov eax, dword ptr [ebp+8]",
"mov esi, dword ptr [ebp+12]",
"add eax, esi",
"pop ebp",
"retn");
}__masm__;
__masmF("call 0x%x", (UIntPtr)adrCall);
__masmS("add esp, 8",
"pop ebp",
"retn");
}__masm__;
// 反汇编输出查看
__disasm_begin(m_shell)
{
int line = 8;
while (line--)
{
__disasm;
printf("%s\r\n", instr);
}
}__disasm_end;
__disasm_begin(m_shell2)
{
int line = 8;
while (line--)
{
__disasm;
printf("%s\r\n", instr);
}
}__disasm_end;
printf("--------------------------------------------\r\n");
printf("-HOOK START!!! {src:%x, dest:%x}-\r\n", (UIntPtr)__masmFrealadr(hook_dest), (UIntPtr)__masmFrealadr(FUNCTION2));
getchar();
instruction inster[20];
// 使用静态汇编进行HOOK
UInt64 hookD = __disasmFrealadr(hook_dest);
// 对齐5个指令长度
unsigned int len = __disasmX(hookD, 5, inster, 20);
UInt64 jmpD = __disasmFrealadr(FUNCTION2);
__masm(jmpD, 0xFF)
{
__masmF("call 0x%x", jmpCheck);
__masmS("cmp eax, 0");
__masmF("jz 0x%x", __masmEIP + 1); // 1 拦截 0 不拦截放行
__masmC("retn 4"); // 直接返回
__masmI(inster, 20); // 输入刚刚反编译的指令
__masmF("jmp 0x%x", hookD + len); // 跳到源函数
}__masm__;
// 指令对齐hook
__masm(hookD, len)
{
__masmF("jmp 0x%x", jmpD);
__masmNOP(0); // 用 nop 对齐指令
}__masm__;
printf("--------------------------------------------\r\n");
printf("-HOOK OK! 使用OD下断吧,回车继续执行 CALL -\r\n");
getchar();
hook_dest("正常吗1");
hook_dest("正常吗2");
// 动态汇编测试结束
// 测试使用动态汇编永久修改exe
// 加载pe并进入pe环境
void * pe = __peload("E:GAME.client");
if (pe != NULL)
{
__env_enter(__peENV(pe)) // 汇编与反汇编进入pe环境
{
// LOGO 窗口创建与窗口过程线程
__masm_define_space(0x402320, 116);
__masm_define_space(0x402550, 400);
__masm_define_space(0x4023A0, 296);
__masm_define_space(0x4038C0, 106);
__masm_define_space(0x403530, 908);
__masm_define_space(0x403430, 241);
__masm(0x4092B9, 0x4092E3 - 0x4092B9) {
__masmC("xor esi, esi");
__masmC("jmp 0x4092E3");
__masmNOP(0);
}__masm__;
__disasm_begin(0x4092B9) {
int line = 42;
while (line--)
{
__disasm;
printf("%s\r\n", instr);
}
}__disasm_end;
// 线程里创建了 LOGO 动画
__masm(0x4092EE, 0x40931A - 0x4092EE)
{
__masmC("jnz 0x40931A");
__masmNOP(0);
}__masm__;
// 销毁LOGO
// .text:0040934D jnz short loc_409359
__masm(0x040934D, 0x40937A - 0x040934D)
{
__masmC("jnz 0x40937A");
__masmNOP(0);
}__masm__;
// 判断是否是录像 直接跳过判断并注入DLL
// 永久注入个dll试试
__masm(0x408FC1, 0x40900A - 0x408FC1)
{
__masmC("push 0x409033"); // 409033~409207
__masmC("call dword ptr [0xF8E0E8]");
__masmC("jmp 0x409207"); // 修改后会有段空间地址空出来 468个字节 直接用呗
__masmNOP(0);
}__masm__;
// 存在PE环境不能直接 memcpy
const char injectDLL[] = "test.dll";
__code_placeNE(0x409033, injectDLL, ::strlen(injectDLL) + sizeof(char));
char szDll[65];
__code_read(szDll, 0x409033, 16);
printf("set dll name : %s\r\n", szDll);
// 判断录像跳过
__masm(0x409246, 0x409261 - 0x409246)
{
__masmC("jmp 0x409261");
__masmNOP(0);
}__masm__;
// 屏蔽掉多开提示
// .text:00403226 cmp dword_117EA4C, 0
__masm(0x0403226, 0x403271 - 0x0403226)
{
__masmC("jmp 0x403271");
__masmNOP(0);
}__masm__;
// HOOK JMP CODE
UIntPtr jmpAdr = 0;
UIntPtr callNative = 0;
// 收包改写
unsigned int sizeHook = 0;
// JMP ONRECV
__masmX(50)
{
jmpAdr = __masmEIP;
__masmS("push ebp",
"mov ebp, esp");
__masmS("push dword [ebp+0xC]",
"push dword [ebp+0x8]");
printf("OnRecv Set:0x%x \r\n", __masmEIP);
__masmF("call 0x%x", Func);
__masmC("pop ebp");
callNative = __masmEIP;
__masmC("mov ecx, ds:[0x1417440]");
// __masmM(0x6C5D20, 8); // 首8字节没有涉及 JMP 直接 COPY 如果涉及 jmp 则需要转录
sizeHook = __masmTran(0x6C5D20, 5, 1); // 转录 虽然只有5字节但反汇编处理8字节 都会转录过去 如果有跳转会自动计算跳转偏移
printf("转录代码长度:%d\r\n", sizeHook);
__masmF("jmp 0x%x", 0x6C5D28);
}__masm__;
// call 汇编码
__masmX(50)
{
printf("SendLoc Native Call:0x%x \r\n", __masmEIP);
__masmS("push ebp",
"mov ebp, esp",
"push dword [ebp+0x10]",
"push dword [ebp+0xC]",
"push dword [ebp+0x8]");
__masmF("call 0x%x", callNative);
__masmC("retn 0xC");
}__masm__;
// HOOK
__masm(0x6C5D20, sizeHook) // 这里直接HOOK转录时的代码长度 并使用nop对齐指令
{
__masmF("jmp 0x%x", jmpAdr);
__masmNOP(3);
}__masm__;
// 发包改写
// JMP ONSEND
__masmX(50)
{
jmpAdr = __masmEIP;
__masmS("push ebp",
"mov ebp, esp",
"push dword [ebp+0x10]",
"push dword [ebp+0xC]");
printf("OnSend Set:0x%x \r\n", __masmEIP);
__masmF("call 0x%x", Func);
__masmC("pop ebp");
callNative = __masmEIP; // 记录 本程序使用的 发包 call 入口 绕过HOOK
__masmC("mov ecx, ds:[1417434]");
__masmM(0x6037A0, 5);
__masmC("jmp 0x6037A5");
}__masm__;
// call 汇编码
__masmX(50)
{
printf("SendNet Native Call:0x%x \r\n", __masmEIP);
__masmS("push ebp",
"mov ebp, esp",
"push 0",
"push 1",
"push 1",
"push dword [ebp + 0xC]",
"push dword [ebp + 0x8]",
"push 0");
__masmF("call 0x%x", callNative);
__masmS("pop ebp",
"retn 0x8");
}__masm__;
__masm(0x6037A0, 5) // HOOK
{
__masmF("jmp 0x%x", jmpAdr);
}__masm__;
// 自动寻路改写
// 初始化自动寻路 call 小于 10 时不触发
//.text : 005CF64C cmp eax, 0Ah
//.text : 005CF624 cmp eax, 0Ah
__masm(0x5CF64C, 3) { __masmC("cmp eax, 0"); }__masm__;
__masm(0x5CF624, 3) { __masmC("cmp eax, 0"); }__masm__;
// call 汇编码
__masmX(50)
{
printf("Moveto Native Call:0x%x \r\n", __masmEIP);
__masmS("push ebp",
"mov ebp, esp",
"push 0",
"push dword [ebp+0xC]",
"push dword [ebp+0x8]",
"call 0x7C22C0",
"pop ebp",
"retn 0x8");
}__masm__;
}__env_leave;
// 保存PE(用IDA查看吧)
// __pesaveas(pe, "E:GAME.client.new");
__peunload(pe);
}
getchar();
leave();
}#endif#include "Genieasm.h"#include <malloc.h>__inline void enter(){#ifdef _WIN32 Genie_Program_Environment * env = geniepenv_create(FALSE, 0, 0);
#else Genie_Program_Environment * env = geniepenv_create(TRUE, 0, 0);
#endif geniepenv_enter(env);
genieassembly_enter_env(env);
}__inline void leave(){ geniedisasm_leave_env();
genieassembly_leave_env();
}BOOL geniepenv_enter(Genie_Program_Environment * env)
{ if (env != NULL)
{
if (geniedisasm_enter_env(env) == TRUE)
{
if (genieassembly_enter_env(env) == TRUE)
{
return TRUE;
}
geniedisasm_leave_env();
}
}
return FALSE;
}void geniepenv_leave(){ geniedisasm_leave_env();
genieassembly_leave_env();
}BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
{ switch (dwReason)
{
case DLL_PROCESS_ATTACH:
enter();
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
leave();
break;
}
return TRUE;
}// 申请机器码内存
UIntPtr genieshellcode_alloc(unsigned int size)
{ if (size != 0)
{
unsigned char * shellC = (unsigned char *)malloc(size + sizeof(size_t) + sizeof(size_t));
if (shellC != NULL)
{
*((unsigned int *)shellC) = size;
shellC += sizeof(unsigned int);
shellC += sizeof(unsigned int);
::VirtualProtect(shellC, size, PAGE_EXECUTE_READWRITE, (PDWORD)&shellC[0 - sizeof(unsigned int)]);
return (UIntPtr)shellC;
}
}
return NULL;
}// 释放机器码内存
void genieshellcode_free(UIntPtr shellC){ if (shellC != 0)
{
unsigned char * _FREE = (unsigned char *)shellC;
_FREE -= sizeof(size_t);
DWORD dwProtect = *((PDWORD)_FREE);
_FREE -= sizeof(size_t);
size_t _SIZE = *((unsigned int*)_FREE);
DWORD dwCONST = 0;
::VirtualProtect((LPVOID)shellC, _SIZE, dwProtect, &dwCONST);
free(_FREE);
}
}#ifdef _DEBUGvoid __declspec(naked) FUNCTION2(){[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
