简单Src加壳程序

写了很久了,但对Windows的api不了解,

1比如创建挂起进程报05拒绝访问错误,再比如报了这个错还能正常运行,所以我推测挂起创建进程可能本身就会产生这种错误。(但Win32手册上不是这么说的,就让我感觉到很奇怪,我也尝试着运行了,从网上下载下来的代码,但最终会报错0xc0000005,我的程序有时候也会报这个,太奇怪了)[审阅补充:这个 5(ERROR_ACCESS_DENIED)是在 CreateProcess 已经返回成功、代码检查完返回值之后,由 messagebox 宏调用 GetLastError 读出来的。Win32 只保证函数失败时 GetLastError 的值有意义,调用成功并不会把它清零,所以读到的是更早某次内部调用残留的错误码,不能说明挂起创建进程出了错。0xC0000005 是 STATUS_ACCESS_VIOLATION,即子进程恢复运行后访问了无效地址;从贴出的代码看,MyAnyAllocAddr 修复重定位时把基址差值加到了重定位块头的 VirtualAddress 上,而不是加到块内各项所指向的地址上,修完后也没有更新头里的 ImageBase,这是一个很可能的原因,需要在目标机器上验证。]

2其次就是获取线程的context了,这个在我验证地址的时候是af开头的也就是说到了内核部分,但Windows是没有共享内存的,所以我猜测这里要提权可能才能访问了[审阅补充:GetThreadContext 之后那行 printf 打印的是 pi.hThread(句柄值)和 &context(壳自己栈上这个局部变量的地址),两者都不是从子进程读出的寄存器值,所以看到的数字不能说明地址落在内核里;另外 GetThreadContext 的返回值没有检查,失败时 context 里是未初始化的内容。这里也不需要提权:CreateProcess 返回的 hProcess/hThread 对自己创建的子进程本来就有完全访问权限。]

3再其次就是说管理员运行好像也不能让进程访问Windows的内核,只能用提权,不说了(还没完成提权的操作呢,晚上接着试,先博客放上来,看看有没有师傅能指点一下我)[审阅补充:用户态代码无论是否以管理员运行、是否启用了 SeDebugPrivilege,都不能直接读写内核地址,这是设计如此;SeDebugPrivilege 只影响打开其他进程句柄时的访问检查,对本程序这种自己创建并持有句柄的子进程没有作用。]

贴代码:

加密代码

#define _CRT_SECURE_NO_WARNINGS
// Windows SDK: Windows.h must come first, the others depend on it.
#include<Windows.h>
#include<CommCtrl.h>
#include<Psapi.h>
#include<Shlwapi.h>
#include<TlHelp32.h>   // was "Tlhelp32.h." — only worked because Win32 strips a trailing dot from file names
// C / C++ standard library
#include<cstring>
#include<stdlib.h>
#include<iomanip>
#include<iostream>
#include<string>
#pragma comment(lib,"shlwapi.lib")
#pragma comment(lib,"comctl32.lib")
#pragma comment(lib,"Psapi.lib")
using namespace std;
 15 
// NOTE(review): this global is never read; pReadFile() declares a local of the
// same name that shadows it.
int filesize = 0;
 17 
// Add to *size_ the number of bytes the payload occupies once padded to the
// shell's SectionAlignment. The padded size is
// (EncryptOfsize / SectionAlignment + 1) alignment units, so a payload that is
// already an exact multiple still receives one extra unit of padding;
// ExtendSection() sizes the new section's SizeOfRawData with the same formula,
// which keeps the two consistent. The optional header is passed by value and
// only read.
VOID CacuFileOfSize(IMAGE_OPTIONAL_HEADER pOptionHeader, DWORD *size_, DWORD EncryptOfsize)
{
    const DWORD alignment = pOptionHeader.SectionAlignment;
    const int paddedUnits = EncryptOfsize / alignment + 1;
    *size_ += paddedUnits * alignment;
}
 23 
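// Read the whole file at lpszFile into a malloc'd buffer.
// Returns the buffer (the caller frees it) and stores its length in *size_.
// On any failure returns NULL with *size_ = 0; the original stored the byte
// count before checking it and leaked the buffer on a read failure.
// The file is opened read-only ("rb", was "rb+"): nothing here writes to it,
// and opening for write fails needlessly on read-only files.
// A short read is treated as a failure so the caller never parses a buffer
// whose length disagrees with what it was told.
PVOID pReadFile(LPSTR lpszFile, DWORD *size_)
{
    if (size_)
        *size_ = 0;
    if (!lpszFile || !size_)
        return NULL;

    FILE* pFile = fopen(lpszFile, "rb");
    if (!pFile) {
        cout << "读取文件失败" << endl;
        return NULL;
    }

    // Measure the file; ftell() returns -1 on error, and an empty file is
    // useless to every caller here.
    long length = 0;
    if (fseek(pFile, 0, SEEK_END) != 0
        || (length = ftell(pFile)) <= 0
        || fseek(pFile, 0, SEEK_SET) != 0)
    {
        cout << "读取文件失败" << endl;
        fclose(pFile);
        return NULL;
    }

    LPVOID FileBuffer = malloc((size_t)length);
    if (!FileBuffer)
    {
        cout << "内存分配失败" << endl;
        fclose(pFile);
        return NULL;
    }

    size_t got = fread(FileBuffer, 1, (size_t)length, pFile);
    fclose(pFile);
    if (got != (size_t)length)
    {
        cout << "读取数据失败" << endl;
        free(FileBuffer);
        return NULL;
    }

    *size_ = (DWORD)got;
    return FileBuffer;
}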
 59 
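// Write size_ bytes from pFileBuffer to NewFileName, replacing the file.
// Returns TRUE on success, FALSE on a short write or close failure; the
// original was declared BOOL but fell off the end without returning.
// As before, a file that cannot be created ends the process — but with exit
// code 1 instead of 0, so a caller or script can tell it apart from success.
BOOL MemoryToFile(LPSTR NewFileName, PVOID pFileBuffer, DWORD size_)
{
    FILE* pFile = fopen(NewFileName, "wb+");
    if (!pFile) {
        cout << "创建文件失败" << endl;
        ExitProcess(1);
    }

    BOOL ok = TRUE;
    // One element of size_ bytes: fwrite returns 1 only if all of it was written.
    if (size_ != 0 && fwrite(pFileBuffer, size_, 1, pFile) != 1)
        ok = FALSE;
    if (fclose(pFile) != 0)
        ok = FALSE;
    if (!ok)
        cout << "写入文件失败" << endl;
    return ok;
}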
 76 
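// Append a new section header, ".enSec", to the shell image in pFileBuffer,
// sized to hold EncryptOfSize bytes of payload. The header is written right
// after the last existing one and set up as:
//   Characteristics   = those of ".text" when present (the original did the
//                       same), else CNT_INITIALIZED_DATA | MEM_READ — the
//                       shell reads the payload from the file, never runs it
//                       in place
//   Misc.VirtualSize  = EncryptOfSize (the shell's Decrypt() uses this; the
//                       original wrote the same union member as
//                       Misc.PhysicalAddress, after a dead store of
//                       SectionAlignment)
//   PointerToRawData  = end of the last section's raw data
//   VirtualAddress    = old SizeOfImage
//   SizeOfRawData     = (EncryptOfSize / SectionAlignment + 1) *
//                       SectionAlignment, the same padding CacuFileOfSize()
//                       adds to the output buffer
// NumberOfSections and SizeOfImage are then updated.
//
// Returns FALSE, with the headers untouched, when the buffer does not carry
// the MZ/PE signatures, has no sections, or the header area (SizeOfHeaders)
// has no room for one more IMAGE_SECTION_HEADER. The original wrote the header
// unconditionally — into the first section's data if there was no slack —
// and its search for ".text" looped on a never-NULL pointer, running off the
// end of the section table when no such section existed. Callers written
// against the VOID version still compile; they may now check the result.
BOOL ExtendSection(PVOID pFileBuffer, DWORD EncryptOfSize)
{
    if (!pFileBuffer)
        return FALSE;

    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return FALSE;
    PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)pDosHeader + pDosHeader->e_lfanew);
    if (pNTHeader->Signature != IMAGE_NT_SIGNATURE)
        return FALSE;
    PIMAGE_FILE_HEADER pFileHeader = &pNTHeader->FileHeader;
    PIMAGE_OPTIONAL_HEADER pOptionHeader = &pNTHeader->OptionalHeader;
    PIMAGE_SECTION_HEADER pSectionHeader =
        (PIMAGE_SECTION_HEADER)((ULONG_PTR)pOptionHeader + pFileHeader->SizeOfOptionalHeader);

    const WORD sectionCount = pFileHeader->NumberOfSections;
    const DWORD alignment = pOptionHeader->SectionAlignment;
    if (sectionCount == 0 || alignment == 0)
        return FALSE;

    PIMAGE_SECTION_HEADER pLastSection = pSectionHeader + (sectionCount - 1);
    PIMAGE_SECTION_HEADER pCurSection = pSectionHeader + sectionCount;

    // The new header must end inside the header area the loader maps;
    // otherwise it would overwrite the first section's raw data.
    DWORD newHeaderEnd = (DWORD)((ULONG_PTR)(pCurSection + 1) - (ULONG_PTR)pFileBuffer);
    if (newHeaderEnd > pOptionHeader->SizeOfHeaders)
    {
        cout << "节表空间不足,无法添加新节" << endl;
        return FALSE;
    }

    // Start from a clean header rather than whatever bytes were there.
    memset(pCurSection, 0, sizeof(IMAGE_SECTION_HEADER));
    memcpy(pCurSection->Name, ".enSec", 6);

    // Bounded search for the code section; fall back to plain readable data.
    pCurSection->Characteristics = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ;
    for (WORD i = 0; i < sectionCount; i++)
    {
        if (memcmp(pSectionHeader[i].Name, ".text", 5) == 0)
        {
            pCurSection->Characteristics = pSectionHeader[i].Characteristics;
            break;
        }
    }

    const DWORD paddedSize = (EncryptOfSize / alignment + 1) * alignment;

    pCurSection->Misc.VirtualSize = EncryptOfSize;
    pCurSection->PointerToRawData = pLastSection->PointerToRawData + pLastSection->SizeOfRawData;
    pCurSection->VirtualAddress = pOptionHeader->SizeOfImage;
    pCurSection->SizeOfRawData = paddedSize;

    pFileHeader->NumberOfSections += 1;
    pOptionHeader->SizeOfImage += paddedSize;
    return TRUE;
}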
133 
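// XOR every byte of pFile[0..size_) with the constant 0x56, in place. The
// shell's Decrypt() applies the same XOR to undo it.
//
// Security note: a single fixed key byte is obfuscation, not encryption. Every
// PE starts with 'M','Z', so one XOR of the packed section's first byte with
// 'M' hands an analyst the key. Treat this as hiding the payload from a
// string search, nothing more.
//
// The loop index is DWORD (was int): for sizes >= 2^31 the old index would
// have wrapped negative. A NULL buffer or zero size is a no-op.
VOID Encrypt(PCHAR pFile, DWORD size_)
{
    if (!pFile)
        return;
    for (DWORD i = 0; i < size_; i++)
        pFile[i] ^= 0x56;
}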
139 
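// Build the packed executable: read the shell (SFile) and the payload
// (EncryptOfFileName), append the XOR'd payload to the shell as a new section
// and write the result to NFile.
// Returns the malloc'd packed image (the caller frees it), or NULL on failure.
//
// Changes from the original: pReadFile() results are checked for NULL instead
// of being dereferenced; the shell's headers are sanity-checked (MZ/PE
// signatures, e_lfanew and the section table inside the bytes read, room for
// one more section header) before any offset in them is trusted; the output
// buffer is zero-filled; the payload is copied to the file offset recorded in
// the new section header rather than blindly at the old end of file, so the
// packer and the shell — which reads PointerToRawData — agree even when the
// shell has data after its last section; and both input buffers are freed.
PVOID AddFileOFSize(LPSTR SFile, char NFile[], LPSTR EncryptOfFileName)
{
    DWORD shellSize = 0;
    PVOID pShell = pReadFile(SFile, &shellSize);
    if (!pShell)
        return NULL;

    DWORD payloadSize = 0;
    PVOID pPayload = pReadFile(EncryptOfFileName, &payloadSize);
    if (!pPayload)
    {
        free(pShell);
        return NULL;
    }

    PVOID pPacked = NULL;
    const char* error = NULL;
    do
    {
        if (shellSize < sizeof(IMAGE_DOS_HEADER) || shellSize < sizeof(IMAGE_NT_HEADERS))
        {
            error = "shell文件太小";
            break;
        }
        PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pShell;
        if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE || pDosHeader->e_lfanew < 0
            || (DWORD)pDosHeader->e_lfanew > shellSize - sizeof(IMAGE_NT_HEADERS))
        {
            error = "shell文件不是有效的PE文件";
            break;
        }
        PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)pShell + pDosHeader->e_lfanew);
        if (pNTHeader->Signature != IMAGE_NT_SIGNATURE)
        {
            error = "shell文件不是有效的PE文件";
            break;
        }
        PIMAGE_FILE_HEADER pFileHeader = &pNTHeader->FileHeader;
        PIMAGE_OPTIONAL_HEADER pOptionHeader = &pNTHeader->OptionalHeader;
        if (pOptionHeader->SectionAlignment == 0 || pFileHeader->NumberOfSections == 0)
        {
            error = "shell文件头无效";
            break;
        }

        // The extra header ExtendSection writes has to fit in the header area,
        // and the header area has to be inside the file we read.
        DWORD newHeaderEnd = (DWORD)pDosHeader->e_lfanew + 4 + IMAGE_SIZEOF_FILE_HEADER
            + pFileHeader->SizeOfOptionalHeader
            + (DWORD)(pFileHeader->NumberOfSections + 1) * IMAGE_SIZEOF_SECTION_HEADER;
        if (newHeaderEnd > pOptionHeader->SizeOfHeaders || pOptionHeader->SizeOfHeaders > shellSize)
        {
            error = "节表空间不足,无法添加新节";
            break;
        }

        // Output size: shell + payload padded to SectionAlignment.
        DWORD packedSize = shellSize;
        CacuFileOfSize(*pOptionHeader, &packedSize, payloadSize);
        if (packedSize <= shellSize)   // wrapped around
        {
            error = "文件大小溢出";
            break;
        }

        pPacked = calloc(packedSize, 1);
        if (!pPacked)
        {
            error = "内存分配失败";
            break;
        }
        memcpy(pPacked, pShell, shellSize);

        ExtendSection(pPacked, payloadSize);

        // Copy the payload where the new (last) section header says it lives.
        PIMAGE_NT_HEADERS pNewNT = (PIMAGE_NT_HEADERS)((ULONG_PTR)pPacked + pDosHeader->e_lfanew);
        PIMAGE_SECTION_HEADER pNewSection =
            IMAGE_FIRST_SECTION(pNewNT) + (pNewNT->FileHeader.NumberOfSections - 1);
        DWORD payloadOffset = pNewSection->PointerToRawData;
        if (payloadOffset > packedSize || payloadSize > packedSize - payloadOffset)
        {
            error = "新节偏移超出文件范围";
            free(pPacked);
            pPacked = NULL;
            break;
        }

        Encrypt((PCHAR)pPayload, payloadSize);
        memcpy((PBYTE)pPacked + payloadOffset, pPayload, payloadSize);

        MemoryToFile(NFile, pPacked, packedSize);
    } while (0);

    if (error)
        cout << error << endl;
    free(pShell);
    free(pPayload);
    return pPacked;
}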
185 
186 
187 
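// Entry point.  Usage: packer [shell.exe [payload.exe [output.exe]]]
// Arguments that are not given fall back to the original behaviour: the shell
// is "shell.exe", the payload is "peinfo.exe", and the output name is read
// from standard input.
// Fixes: argv is char* (the original declared WCHAR* argv[] although main()
// receives narrow strings); the output name goes into a std::string instead
// of an unbounded `cin >>` into char[50], which overflowed on a long name;
// the packed buffer is freed and a failure yields exit code 1.
int main(int argc, char* argv[])
{
    std::string shellFile = argc > 1 ? argv[1] : "shell.exe";
    std::string cryptFile = argc > 2 ? argv[2] : "peinfo.exe";
    std::string newFile;
    if (argc > 3)
        newFile = argv[3];
    else
        cin >> newFile;
    if (newFile.empty())
    {
        cout << "未指定输出文件名" << endl;
        return 1;
    }

    // &s[0] is a writable, NUL-terminated char* for the LPSTR parameters.
    PVOID NewFileBuffer = AddFileOFSize(&shellFile[0], &newFile[0], &cryptFile[0]);
    if (!NewFileBuffer)
    {
        printf("failed");
        return 1;
    }
    free(NewFileBuffer);

    printf("success");
    return 0;
}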

壳代码

  1 #define _CRT_SECURE_NO_WARNINGS
  2 #include<Windows.h>
  3 #include<CommCtrl.h>
  4 #include<Psapi.h>
  5 #include<iostream>
  6 #include<iomanip>
  7 #include <Tlhelp32.h.>
  8 #include<stdlib.h>
  9 #include<iostream>
 10 #include<Shlwapi.h>
 11 #pragma comment(lib,"shlwapi.lib")
 12 #pragma comment(lib,"comctl32.lib")
 13 #pragma comment(lib,"Psapi.lib")
// No effect in a .cpp file: #pragma once only guards repeated inclusion of a header.
#pragma once

#pragma region private

// Stringize a token. NOTE(review): identifiers containing "__" are reserved
// for the implementation; a name such as MACRO_TO_STRING_IMPL would be safer.
#define __Macro_ToStringFunc__(x) #x

#pragma endregion private

#pragma region public

// Two-level expansion so that an argument such as __LINE__ is replaced by its
// value before it is stringized.
#define MacroToString(x) __Macro_ToStringFunc__(x)
// The current source line as a narrow string literal (used by the debug
// MessageBoxA calls in MainPro).
#define MacroLine MacroToString(__LINE__)

#pragma endregion public
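int flag;
WCHAR errorMessage[20] = { 0 };   // "%d" of a 32-bit value needs at most 12 WCHARs incl. NUL
// Debug helper: pop up the calling thread's last Win32 error code.
// GetLastError() is only meaningful right after a call that failed; a
// successful call does not reset it, so using this after a successful call
// shows a stale code. Written as do { } while (0) so that `messagebox;` is a
// single statement; as listed, the original's brace body had no `\` line
// continuations and so did not form a macro.
#define messagebox do { \
        flag = GetLastError(); \
        wsprintf(errorMessage, L"%d", flag); \
        MessageBoxW(0, errorMessage, 0, 0); \
    } while (0)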
 35 
 36 using namespace std;
 37 
 38 
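// Translate a relative virtual address of the PE file image in pFileBuffer
// into a file offset.
// RVAs below the first section (inside the headers) map 1:1 as long as they
// are within SizeOfHeaders. A section's extent is its VirtualSize, or its
// SizeOfRawData when VirtualSize is 0; the end of the range is exclusive (the
// original accepted dwRva == end, one byte past the section).
// Returns 0 when pFileBuffer is NULL or no section contains dwRva. The
// original fell off the end of the section table in that case and computed an
// offset from whatever bytes followed it.
DWORD RVAToFOA(PVOID pFileBuffer, DWORD dwRva)
{
    if (!pFileBuffer)
    {
        printf("文件读取失败\n");
        return 0;
    }

    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
    PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)pFileBuffer + pDosHeader->e_lfanew);
    PIMAGE_FILE_HEADER pPEHeader = &pNTHeader->FileHeader;
    PIMAGE_OPTIONAL_HEADER32 pOptionHeader = (PIMAGE_OPTIONAL_HEADER32)&pNTHeader->OptionalHeader;
    PIMAGE_SECTION_HEADER pSectionHeader =
        (PIMAGE_SECTION_HEADER)((ULONG_PTR)pOptionHeader + pPEHeader->SizeOfOptionalHeader);

    const WORD sectionCount = pPEHeader->NumberOfSections;

    // Headers are not covered by any section and sit at file offset 0.
    if (sectionCount == 0 || dwRva < pSectionHeader[0].VirtualAddress)
        return dwRva < pOptionHeader->SizeOfHeaders ? dwRva : 0;

    for (WORD i = 0; i < sectionCount; i++)
    {
        PIMAGE_SECTION_HEADER s = &pSectionHeader[i];
        DWORD extent = s->Misc.VirtualSize ? s->Misc.VirtualSize : s->SizeOfRawData;
        if (dwRva >= s->VirtualAddress && dwRva - s->VirtualAddress < extent)
            return s->PointerToRawData + (dwRva - s->VirtualAddress);
    }
    return 0;
}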
 86 
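// Read the whole file at lpszFile into a malloc'd buffer and return it (the
// caller frees it), or NULL on failure.
// Added checks: fseek/ftell failures and an empty file are reported instead
// of being turned into a malloc(-1)/malloc(0), and a short read fails rather
// than returning a partially filled buffer. The function still does not
// report the size to its caller, so callers must trust the PE headers for
// every offset they use.
PVOID pReadFile(LPSTR lpszFile)
{
    if (!lpszFile)
        return NULL;

    FILE* pFile = fopen(lpszFile, "rb");
    if (!pFile)
    {
        printf("无法打开文件EXE文件");
        return NULL;
    }

    long length = 0;
    if (fseek(pFile, 0, SEEK_END) != 0
        || (length = ftell(pFile)) <= 0
        || fseek(pFile, 0, SEEK_SET) != 0)
    {
        printf("读取数据失败\n");
        fclose(pFile);
        return NULL;
    }

    LPVOID pFileBuffer = malloc((size_t)length);
    if (!pFileBuffer)
    {
        printf("分配空间失败!\n");
        fclose(pFile);
        return NULL;
    }

    // One element of `length` bytes: fread returns 1 only if all of it arrived.
    size_t n = fread(pFileBuffer, (size_t)length, 1, pFile);
    fclose(pFile);
    if (n != 1)
    {
        printf("读取数据失败\n");
        free(pFileBuffer);
        return NULL;
    }
    return pFileBuffer;
}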
131 
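// Expand a PE file image (pFileBuffer, laid out as on disk) into its in-memory
// layout: a zero-filled buffer of SizeOfImage bytes with the headers at
// offset 0 and each section copied from PointerToRawData to VirtualAddress.
// Returns the image buffer (the caller frees it) or NULL on failure.
//
// Added checks: MZ/PE signatures; SizeOfHeaders must fit in SizeOfImage; a
// section whose VirtualAddress lies outside the image is skipped and a copy
// that would run past the end of the image is clamped — the original memcpy'd
// unconditionally, so a bad header wrote past the heap buffer. The *source*
// side cannot be checked here because the function is not told the file's
// size; a caller parsing an untrusted file must validate
// PointerToRawData + SizeOfRawData against it first.
PVOID StretchingFile(PVOID pFileBuffer)
{
    if (!pFileBuffer)
    {
        printf("文件读取失败\n");
        return NULL;
    }

    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        printf("不是有效的PE文件\n");
        return NULL;
    }
    PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)pFileBuffer + pDosHeader->e_lfanew);
    if (pNTHeader->Signature != IMAGE_NT_SIGNATURE)
    {
        printf("不是有效的PE文件\n");
        return NULL;
    }
    PIMAGE_FILE_HEADER pPEHeader = &pNTHeader->FileHeader;
    PIMAGE_OPTIONAL_HEADER32 pOptionHeader = (PIMAGE_OPTIONAL_HEADER32)&pNTHeader->OptionalHeader;
    PIMAGE_SECTION_HEADER pSectionHeader =
        (PIMAGE_SECTION_HEADER)((ULONG_PTR)pOptionHeader + pPEHeader->SizeOfOptionalHeader);

    const DWORD ImageSize = pOptionHeader->SizeOfImage;
    const DWORD HeaderSize = pOptionHeader->SizeOfHeaders;
    if (ImageSize == 0 || HeaderSize > ImageSize)
    {
        printf("PE头大小无效\n");
        return NULL;
    }

    // Zero-filled so gaps between sections and uninitialised data read as 0.
    LPVOID pImageBuffer = calloc(ImageSize, 1);
    if (!pImageBuffer)
    {
        printf("pImageBuffer分配空间失败!\n");
        return NULL;
    }

    // 1. headers
    memcpy(pImageBuffer, pFileBuffer, HeaderSize);

    // 2. sections, one header (40 bytes) at a time
    for (WORD i = 0; i < pPEHeader->NumberOfSections; i++, pSectionHeader++)
    {
        DWORD rawSize = pSectionHeader->SizeOfRawData;
        DWORD va = pSectionHeader->VirtualAddress;
        if (rawSize == 0 || va >= ImageSize)
            continue;                          // nothing on disk (e.g. .bss) or bogus address
        if (rawSize > ImageSize - va)
            rawSize = ImageSize - va;          // never write past the image
        memcpy((PBYTE)pImageBuffer + va,
               (PBYTE)pFileBuffer + pSectionHeader->PointerToRawData,
               rawSize);
    }

    return pImageBuffer;
}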
208 
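// Write size_ bytes from pFileBuffer to NewFileName, replacing the file.
// Returns TRUE on success, FALSE on a short write or close failure; the
// original was declared BOOL but fell off the end without returning.
// As before, a file that cannot be created ends the process — but with exit
// code 1 instead of 0, so the failure is distinguishable from success.
BOOL MemoryToFile(LPSTR NewFileName, PVOID pFileBuffer, DWORD size_)
{
    FILE* pFile = fopen(NewFileName, "wb+");
    if (!pFile) {
        cout << "创建文件失败" << endl;
        ExitProcess(1);
    }

    BOOL ok = TRUE;
    // One element of size_ bytes: fwrite returns 1 only if all of it was written.
    if (size_ != 0 && fwrite(pFileBuffer, size_, 1, pFile) != 1)
        ok = FALSE;
    if (fclose(pFile) != 0)
        ok = FALSE;
    if (!ok)
        cout << "写入文件失败" << endl;
    return ok;
}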
225 
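// Undo the packer's XOR (key 0x56) over the payload bytes at pFileBuffer, in
// place. The length is the last section's Misc.VirtualSize, which the packer
// set to the payload size.
//
// The original also wrote the decrypted payload to "aaaa.exe" in the current
// directory on every run: a plain-text copy of the packed program left on
// disk, which defeats the purpose of packing and leaves an obvious artifact
// (MemoryToFile also ends the process if the file cannot be created). That
// debug dump is now compiled only when DUMP_DECRYPTED_PAYLOAD is defined.
VOID Decrypt(PVOID pFileBuffer, PIMAGE_SECTION_HEADER lastSection)
{
    if (!pFileBuffer || !lastSection)
        return;

    PBYTE bytes = (PBYTE)pFileBuffer;
    const DWORD length = lastSection->Misc.VirtualSize;
    for (DWORD i = 0; i < length; i++)
        bytes[i] ^= 0x56;

#ifdef DUMP_DECRYPTED_PAYLOAD
    char b[] = "aaaa.exe";
    MemoryToFile(b, pFileBuffer, length);
#endif
}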
235 
236 
237 
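// Read the executable at lpName (this shell itself, see MainPro) and return a
// malloc'd copy of the decrypted payload stored in its last section, or NULL.
// The packer records the payload length in that section's Misc.VirtualSize
// and its file offset in PointerToRawData.
// Changes: pReadFile() and malloc() results are checked, the MZ/PE signatures
// and a non-empty section table are verified before the headers are used, and
// the file buffer is freed before returning (the original leaked it).
// NOTE(review): PointerToRawData and VirtualSize are taken from the file
// without a bound on the file size, because pReadFile() does not report one;
// a tampered shell file can still make this read past the buffer.
PVOID GetSrcData(CHAR* lpName)
{
    PVOID pFileBuffer = pReadFile(lpName);
    if (!pFileBuffer)
        return NULL;

    PVOID TempFileMemory = NULL;
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
    if (pDosHeader->e_magic == IMAGE_DOS_SIGNATURE)
    {
        PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)pFileBuffer + pDosHeader->e_lfanew);
        PIMAGE_FILE_HEADER pFileHeader = &pNTHeader->FileHeader;
        if (pNTHeader->Signature == IMAGE_NT_SIGNATURE && pFileHeader->NumberOfSections > 0)
        {
            PIMAGE_SECTION_HEADER pSectionHeader =
                (PIMAGE_SECTION_HEADER)((ULONG_PTR)&pNTHeader->OptionalHeader + pFileHeader->SizeOfOptionalHeader);
            PIMAGE_SECTION_HEADER lastSection = pSectionHeader + (pFileHeader->NumberOfSections - 1);
            const DWORD payloadSize = lastSection->Misc.VirtualSize;
            PVOID MainModule = (PVOID)((PBYTE)pFileBuffer + lastSection->PointerToRawData);

            if (payloadSize != 0)
            {
                Decrypt(MainModule, lastSection);   // in place, inside the file buffer
                TempFileMemory = malloc(payloadSize);
                if (TempFileMemory)
                    memcpy(TempFileMemory, MainModule, payloadSize);
            }
        }
    }

    if (!TempFileMemory)
        printf("读取壳文件中的载荷失败\n");
    free(pFileBuffer);
    return TempFileMemory;
}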
269 
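// Fallback used when the payload cannot be mapped at its preferred ImageBase:
// allocate ImageOfSize bytes of RWX memory anywhere in hProcess and apply the
// payload's base relocations to the *file image* in pFileBuffer (the caller
// stretches that buffer into the in-memory image afterwards, see MainPro),
// so every absolute address inside it refers to the new base. The header's
// ImageBase is updated to the new base as well.
//
// The original walked the relocation directory without an end bound and, for
// each block, added the delta to the block header's VirtualAddress instead of
// to the DWORDs the block's entries point at — so no address in the image was
// relocated while the directory itself was corrupted — and it called printf
// with a missing argument. Only IMAGE_REL_BASED_HIGHLOW entries are handled;
// this code is x86-32 only (DWORD image bases, 32-bit fixups).
//
// As before, the process exits when the payload has no relocation directory
// or the allocation fails. NOTE(review): that leaves the suspended child
// created by MainPro alive; a caller wanting to clean up needs a failure
// return instead.
PVOID MyAnyAllocAddr(PVOID pFileBuffer, HANDLE hProcess, DWORD ImageOfSize)
{
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
    PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)pDosHeader + pDosHeader->e_lfanew);
    PIMAGE_OPTIONAL_HEADER pOptionHeader = &pNTHeader->OptionalHeader;
    PIMAGE_DATA_DIRECTORY pRelocDir = &pOptionHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];

    printf("%x\t%x\n", pRelocDir->VirtualAddress, pRelocDir->Size);
    DWORD relocFOA = 0;
    if (pRelocDir->VirtualAddress == 0 || pRelocDir->Size == 0
        || (relocFOA = RVAToFOA(pFileBuffer, pRelocDir->VirtualAddress)) == 0)
    {
        MessageBox(0, L"没有重定位表1,出错了", 0, 0);
        ExitProcess(0);
    }

    PVOID VirAddr = VirtualAllocEx(hProcess, NULL, ImageOfSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (VirAddr == NULL)
    {
        MessageBox(0, L"随意地址未分配成功", 0, 0);
        ExitProcess(0);
    }

    // Difference between where the image will live and where it was linked for.
    const DWORD delta = (DWORD)(ULONG_PTR)VirAddr - pOptionHeader->ImageBase;

    PBYTE pBlock = (PBYTE)pFileBuffer + relocFOA;
    PBYTE pEnd = pBlock + pRelocDir->Size;
    while (pBlock + sizeof(IMAGE_BASE_RELOCATION) <= pEnd)
    {
        PIMAGE_BASE_RELOCATION pReloc = (PIMAGE_BASE_RELOCATION)pBlock;
        if (pReloc->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION) || pBlock + pReloc->SizeOfBlock > pEnd)
            break;   // malformed block: stop rather than read past the directory

        // Each entry: type in the top 4 bits, page offset in the low 12.
        const DWORD entryCount = (pReloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
        PWORD pEntry = (PWORD)(pBlock + sizeof(IMAGE_BASE_RELOCATION));
        for (DWORD i = 0; i < entryCount; i++)
        {
            const WORD type = pEntry[i] >> 12;
            const WORD offset = pEntry[i] & 0x0FFF;
            if (type != IMAGE_REL_BASED_HIGHLOW)
                continue;   // IMAGE_REL_BASED_ABSOLUTE is padding; other types are not expected in a 32-bit image
            DWORD fixupFOA = RVAToFOA(pFileBuffer, pReloc->VirtualAddress + offset);
            if (fixupFOA == 0)
                continue;
            *(PDWORD)((PBYTE)pFileBuffer + fixupFOA) += delta;
        }
        pBlock += pReloc->SizeOfBlock;
    }

    // NOTE(review): recording the real base here is meant to stop the loader
    // from applying the relocations a second time when it sees a header
    // ImageBase that differs from the PEB value — confirm on the target OS.
    pOptionHeader->ImageBase = (DWORD)(ULONG_PTR)VirAddr;
    return VirAddr;
}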
322 
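// Enable (isStart == true) or disable SeDebugPrivilege on this process's token.
// Returns TRUE when the privilege was actually changed, FALSE otherwise. The
// original returned 0 on success and FALSE (also 0) on failure, so callers
// could not tell the two apart, and it leaked the token handle on the error
// paths.
//
// AdjustTokenPrivileges returns TRUE even when the token does not hold the
// privilege at all (a non-elevated user); that case is reported through
// GetLastError() == ERROR_NOT_ALL_ASSIGNED and is treated as failure here.
//
// NOTE(review): this program does not need SeDebugPrivilege. It only touches a
// child it created itself, and the handles CreateProcess returns already grant
// full access to that child. The privilege affects opening handles to *other*
// processes; it never lets user-mode code read kernel addresses.
int EnablePrivilege(bool isStart)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(),
        TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_READ,
        &hToken))
    {
        return FALSE;
    }

    int result = FALSE;
    LUID luid = { 0 };
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
    {
        TOKEN_PRIVILEGES tp = { 0 };
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = isStart ? SE_PRIVILEGE_ENABLED : 0;
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL)
            && GetLastError() != ERROR_NOT_ALL_ASSIGNED)
        {
            result = TRUE;
        }
    }

    CloseHandle(hToken);
    return result;
}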
353 
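// Print the name of the step that failed together with the thread's last
// Win32 error code (meaningful only because it is called right after the
// failed call).
static void ReportFailure(const char* step)
{
    printf("%s failed, GetLastError() = %lu\n", step, GetLastError());
}

// Run the payload embedded in this executable by process hollowing. x86-32
// only: the code reads Ebx/Eax from a 32-bit CONTEXT and treats image bases as
// DWORDs.
//   1. read this executable from disk and decrypt the payload the packer
//      appended to it (GetSrcData);
//   2. start a second, suspended copy of this executable;
//   3. read the child's image base from PEB->ImageBaseAddress (at a suspended
//      x86 thread's start Ebx holds the PEB; the field is at offset 8) and
//      unmap that image with ZwUnmapViewOfSection;
//   4. allocate the payload at its preferred ImageBase, or anywhere with
//      relocations applied (MyAnyAllocAddr); stretch it to its memory layout,
//      write it into the child, point PEB->ImageBaseAddress at it and set Eax
//      to its entry point;
//   5. resume the thread.
// Every API result is now checked. After CreateProcess a failure terminates
// the suspended child instead of leaving it behind, and both child handles
// are closed (hProcess was never closed before). The original's debug pop-ups
// (MessageBox of __LINE__ and GetLastError after each step) are gone:
// GetLastError is only defined after a call that failed, which is why they
// showed stale values such as 5 after a successful CreateProcess.
// EnablePrivilege is still called to keep the old behaviour, but
// SeDebugPrivilege is not required for any of this — CreateProcess returns
// full-access handles to the child.
VOID MainPro()
{
    EnablePrivilege(true);

    // Path of this executable, narrow for fopen and TCHAR for CreateProcess.
    // GetModuleFileName returns the buffer size when the path was truncated;
    // the original used 256 and did not check.
    CHAR shellPathA[MAX_PATH] = { 0 };
    TCHAR shellPathT[MAX_PATH] = { 0 };
    DWORD lenA = GetModuleFileNameA(NULL, shellPathA, MAX_PATH);
    DWORD lenT = GetModuleFileName(NULL, shellPathT, MAX_PATH);
    if (lenA == 0 || lenA >= MAX_PATH || lenT == 0 || lenT >= MAX_PATH)
    {
        MessageBox(0, L"GetModuleFileName failed", 0, 0);
        ExitProcess(1);
    }

    PVOID payload = GetSrcData(shellPathA);
    if (!payload)
    {
        MessageBox(0, L"failed to load payload", 0, 0);
        ExitProcess(1);
    }
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)payload;
    PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)pDosHeader + pDosHeader->e_lfanew);
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE || pNTHeader->Signature != IMAGE_NT_SIGNATURE)
    {
        MessageBox(0, L"payload is not a PE image", 0, 0);
        free(payload);
        ExitProcess(1);
    }
    PIMAGE_OPTIONAL_HEADER pOptionHeader = &pNTHeader->OptionalHeader;

    STARTUPINFO si = { 0 };
    si.cb = sizeof(STARTUPINFO);
    PROCESS_INFORMATION pi = { 0 };
    if (!CreateProcess(shellPathT, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi))
    {
        MessageBox(0, L"failed create process", 0, 0);
        free(payload);
        ExitProcess(1);
    }

    BOOL ok = FALSE;
    PVOID stretched = NULL;
    do
    {
        CONTEXT context = { 0 };
        context.ContextFlags = CONTEXT_FULL;
        if (!GetThreadContext(pi.hThread, &context))
        {
            ReportFailure("GetThreadContext");
            break;
        }

        // PEB->ImageBaseAddress of the child (32-bit PEB, offset 8).
        PVOID pebImageBase = (PVOID)(ULONG_PTR)(context.Ebx + 8);
        DWORD shellImageBase = 0;
        if (!ReadProcessMemory(pi.hProcess, pebImageBase, &shellImageBase, sizeof(shellImageBase), NULL))
        {
            ReportFailure("ReadProcessMemory(PEB)");
            break;
        }

        // Unmap the shell's own image from the child so its range is free.
        typedef LONG(NTAPI* ZwUnmapViewOfSection_t)(HANDLE,PVOID);
        HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");   // always mapped; LoadLibrary is not needed
        ZwUnmapViewOfSection_t pZwUnmapViewOfSection = hNtdll
            ? (ZwUnmapViewOfSection_t)GetProcAddress(hNtdll, "ZwUnmapViewOfSection")
            : NULL;
        if (!pZwUnmapViewOfSection)
        {
            MessageBox(0, L"导入ntdll.dll失败", 0, 0);
            break;
        }
        LONG status = pZwUnmapViewOfSection(pi.hProcess, (PVOID)(ULONG_PTR)shellImageBase);
        if (status < 0)   // NTSTATUS: negative values are failures
        {
            printf("ZwUnmapViewOfSection failed, status 0x%08lX\n", status);
            break;
        }

        // Preferred base first; otherwise any base plus relocations.
        PVOID base = VirtualAllocEx(pi.hProcess, (PVOID)(ULONG_PTR)pOptionHeader->ImageBase,
            pOptionHeader->SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (base == NULL)
            base = MyAnyAllocAddr(payload, pi.hProcess, pOptionHeader->SizeOfImage);   // exits the process on failure

        stretched = StretchingFile(payload);
        if (!stretched)
            break;

        // Record the real base in the headers the child will see.
        // NOTE(review): the loader in ntdll is expected to relocate the image
        // itself when the header ImageBase differs from the actual base, which
        // after MyAnyAllocAddr would relocate twice — confirm on the target OS.
        PIMAGE_NT_HEADERS pStretchedNT = (PIMAGE_NT_HEADERS)((PBYTE)stretched + pDosHeader->e_lfanew);
        const DWORD newBase = (DWORD)(ULONG_PTR)base;
        pStretchedNT->OptionalHeader.ImageBase = newBase;

        SIZE_T written = 0;
        if (!WriteProcessMemory(pi.hProcess, base, stretched, pOptionHeader->SizeOfImage, &written)
            || written != pOptionHeader->SizeOfImage)
        {
            ReportFailure("WriteProcessMemory(image)");
            break;
        }
        // The whole image stays PAGE_EXECUTE_READWRITE, as in the original;
        // per-section VirtualProtectEx after this write would be the next
        // hardening step.

        if (!WriteProcessMemory(pi.hProcess, pebImageBase, &newBase, sizeof(newBase), NULL))
        {
            ReportFailure("WriteProcessMemory(PEB)");
            break;
        }

        // Eax holds the address the suspended thread jumps to once resumed.
        context.ContextFlags = CONTEXT_FULL;
        context.Eax = newBase + pOptionHeader->AddressOfEntryPoint;
        if (!SetThreadContext(pi.hThread, &context))
        {
            ReportFailure("SetThreadContext");
            break;
        }
        if (ResumeThread(pi.hThread) == (DWORD)-1)
        {
            ReportFailure("ResumeThread");
            break;
        }
        ok = TRUE;
    } while (0);

    if (ok)
    {
        printf("success!\n");
    }
    else
    {
        printf("Failed\n");
        TerminateProcess(pi.hProcess, 1);   // never leave a suspended, half-patched child behind
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    free(stretched);
    free(payload);
    EnablePrivilege(false);
}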
510 
// Entry point: the whole unpack-and-run sequence lives in MainPro.
int main()
{
    MainPro();
    return 0;
}
原文地址:https://www.cnblogs.com/pppyyyzzz/p/13809329.html