反向进程注入及隐藏--动手做一个最简单的PELoader

 

 

创建时间:2007-07-27 更新时间:2007-07-28
文章属性:原创
文章提交:Luke0314 (msfocus_at_hotmail.com)

动手做一个最简单的PELoader
Luke [email protected]

一.废话

最近因为公司的项目需要,顺带的学习了一点和PELoader相关的东西,恰见网上正在沸沸扬扬的谈论虚拟脱壳。本人不才,实在是没能力也没精力去写一个真正意义上的虚拟机,因此尝试做了一个简单而偷懒的PE加载器。这个PE加载器也可以看做是VM的前身吧。我想它可以成为一个简易脱壳工具或者用户态的进程内调试器基础。

二.做这个东西干嘛?

1.公司的项目需要实现但进程内多插件并发运行,也就是说,1个PID需要同时给n个进程使用,这牵扯到更麻烦的进程内内存切换工作
2.实现反向进程注入,隐藏进程,这样做的RK更不容易被发现。
3.自从离开了安全的伤心地之后,一直堕落于做IM软件的Server,很久没有碰windows了,需要活动一下大脑。

三.PELoader完成了什么工作?

这个PELoader写得很乱很粗糙,全部代码+调试基本上是在两天之内堆完的。由于时间关系,我只实现了它如下几个特性:
1.    在普通用户权限下实现用户态的PE文件启动执行;
2.    被启动的程序无进程,而嵌与宿主(PELoader)程序体内,与宿主共享一个进程ID;
3.    实现了大部分资源文件的加载;
4.    实现了进程内API调试,跟踪
5.    最基础的内存Dump脱壳(没做OEP等的修正工作);
6.    宿主可在程序被加载启动后继续执行;
7.    支持console和gui程序执行;

四.目前可支持的程序

1.cmd.exe 经过测试,我发现存一些显示资源的小问题,但仍然可以比较健壮的运行;
2.Excel.exe(Office10) 这个程序在PELoader里运行的非常好,但还是有一个小Bug,就是窗体资源图标不是很对劲…问题还没找到

五.目前的问题

还是因为时间的问题,好多东西我没处理好,如果有朋友能改出一个不错的版本,希望可以mail我一份:[email protected]
1.目前我正在做多进程共享的问题,在进程间切换的时候,如果完全切换所有被使用的内存,程序将异常的慢。如果仅切换部分需要使用的内存,将牵扯到复杂的虚拟页表切换,搞得很头大;
2.由于进程自身资源错位,因此需要拦截非常多的API,写到手酸,还是没有写全,不知道哪里能有个完整的需要拦截的API的列表;
3.在debug状态下运行,经常崩溃,烦躁…
4.很多程序在加载时候会失败或者启动之后崩溃,我一直没功夫检查这个错误;

六.技术原理说明

正常情况下,一个PE文件被系统加载后,系统会自动处理好IAT和IID表,然后找到OEP开始执行代码,一般情况下call OEP后的第一条API为GetVersion。
我们要动手做一个PELoader则必须先将进程代码注入自己的内存空间,并手工解决IAT,定位OEP,如果你以为仅仅如此,那么我保证你的代码最多运行你自己写的一小段shellcode
要运行一个真正的进程,还需要做类似资源管理,句柄管理等很多的工作。

没关系,我们一个一个来:

1、首先解决加载问题。

加载可以有很多方式如:alloc一块内存保存或利用LoadLiarbryEx作为一个数据文件加载。但无论是哪种方法都没有解决IAT的问题,如果我们自己手工解决IAT,可能需要比较多的计算过程,这个过程可以参考kanxue的Linxer写的PE重定位函数。

但本文所要提的并不是这种方法。也许有人说,有文章提到过ntdll.dll中自己搜索并导出LdrLoadDllEx就可以实现加载并解决IAT,但实际上这种方法至少在我的winxp系统上是失败的。所以我采用了另外一种方式用LoadLibrary来加载
A、   修改PE头中的Characteristics属性,为其增加IMAGE_FILE_DLL属性,此外我还为其增加了一个非必须的IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP属性。让LoadLibrary误认为这是一个DLL文件。
B、   将PE选项部分的AddressOfEntryPoint设置为空,至于原因不要奇怪,msdn是这样描述的:
AddressOfEntryPoint
Pointer to the entry point function, relative to the image base address. The entry point function is optional for DLLs. When no entry point is present, this member is zero.

我们这样做只是为了让LoadLibrary认为这个假DLL文件没有dll_main入口点。因为实际上,我们的EXE文件只有main入口点。
C、   HOOK API,我们需要HOOK非常多的API来保证这个PE文件能够正确的获取自身句柄,资源等。确保启动过程中不会发生资源找不到之类的问题。因为本人太懒的原因,HOOK的方法参考了eyas的一个程序。这里和我们的何大侠讨论了很久,发现还是有很多问题要处理的。
D、   这是非必须的一步—恢复入口点及Characteristics属性,确保个别BT一点的进程也能够正常运行。
E、   Call 原始的EntryPoint,这实际上会调用到目标程序的main函数,此时程序就已经正常运行起来了。
F、   扩展VUE。这一步也不是必要的,但如果你想试试,可以考虑用我提供的dumpfile函数在执行GetVersion的时候,或者是第一个API的时候,尝试目标程序的dump内存。当然,修复工作还是需要自己去完成的。
G、   在宿主内继续执行代码,包括可以设置断点对目标程序进行调试。
H、    编译时候,记得设置编译选项,把代码放到0x0f400000的地方,把0x400000等常用地址让出给目标程序,因为我实在太懒了,这样我就可以偷懒解决没有IID的问题了。当然这个是不稳妥的解决方案。
I、  没了,哪位兄弟改出漂亮的代码mail我一份:[email protected]

 

后面给出一个bug重重的代码:

/*********************************************************/
//PELoader.exe v1.0
//Luke msn:[email protected]
//2007.7.25
/*********************************************************/
#include <windows.h>
#include <stdio.h>
#include <imagehlp.h>
#include <psapi.h>
#pragma pack(1)
#pragma comment(lib, "imagehlp.lib")
#pragma comment(lib, "psapi.lib")
#pragma comment(lib, "user32.lib")

HMODULE hmod = NULL;
char *lpNewBaseOfDll = NULL;
char *lpNewBaseOfDll1 = NULL;
MODULEINFO mi;
MODULEINFO mi1;
HMODULE OldKernel32Address = NULL;
HMODULE OldUser32Address = NULL;
char PEFile[MAX_PATH] = {0};
unsigned long OEP = 0;
char *addr_GetModuleHandleExA = NULL;
char *addr_GetModuleHandleExW = NULL;

unsigned long LoadPEFile(char *FileName, char **Buffer)
{
    FILE *fp = fopen(FileName, "rb");
    fseek(fp, 0, SEEK_END);
    unsigned long len = ftell(fp);
    fseek(fp, 0, SEEK_SET);
    *Buffer = new char[len + 4];
    memset(*Buffer, 0x0, len + 4);
    unsigned long i = 0;
    while(i < len)
    {
        fread(*Buffer + i, 4, 1, fp);
        i+=4;
    }
    fclose(fp);
    return len;
}

void SaveAs(char *FileName, char *Buffer, unsigned long len)
{
    FILE *fp = fopen(FileName, "wb");
    unsigned long i = 0;
    while(i < len)
    {
        fwrite(Buffer + i, 4, 1, fp);
        fflush(fp);
        i+=4;
    }
    fclose(fp);
}

void WINAPI DumpFile(char *FileName)
{
    MODULEINFO dumpinfo;
    DWORD dw = 0;
    GetModuleInformation(GetCurrentProcess(), hmod, &dumpinfo, sizeof MODULEINFO);
    //printf("dump size:%d/n", dumpinfo.SizeOfImage);
    SaveAs(FileName, (char *)dumpinfo.lpBaseOfDll, dumpinfo.SizeOfImage);
}

BOOL WINAPI MyGetModuleHandleExA(DWORD dwFlags, LPCSTR lpModuleName, HMODULE *phModule)
{
    printf("in MyGetModuleHandleExA/n");
    BOOL realbool = false;
    char *lpm = new char[MAX_PATH];
    memset(lpm, 0x0, MAX_PATH);
    if(lpModuleName == NULL)
        strcpy(lpm, PEFile);
    else
        strcpy(lpm, lpModuleName);
    DWORD pNewFunc = (DWORD)addr_GetModuleHandleExA - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    __asm push phModule
    __asm push lpm
    __asm push dwFlags
    __asm call pNewFunc
    __asm mov realbool, eax
    printf("realbool:%d/n", realbool);
    delete []lpm;
//    if(*phModule == OldKernel32Address)
//        *phModule = (HMODULE)lpNewBaseOfDll;
    printf("out MyGetModuleHandleExA/n");
    return realbool;
}

BOOL WINAPI MyGetModuleHandleExW(DWORD dwFlags, LPCWSTR lpModuleName, HMODULE *phModule)
{
    printf("in MyGetModuleHandleExW/n");
    BOOL realbool = false;
    WCHAR *lpm = new WCHAR[MAX_PATH];
    memset(lpm, 0x0, sizeof(WCHAR) * MAX_PATH);
    if(lpModuleName == NULL)
    {
        swprintf(lpm, L"%s", PEFile);
    //    wcscpy(lpm, L"c://a.exe");
    }
    else
        wcscpy(lpm, lpModuleName);
    DWORD pNewFunc = (DWORD)addr_GetModuleHandleExW - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    __asm push phModule
    __asm push lpm
    __asm push dwFlags
    __asm call pNewFunc
    __asm mov realbool, eax
    printf("realbool:%d/n", realbool);
    delete []lpm;
//    if(*phModule == OldKernel32Address)
//        *phModule = (HMODULE)lpNewBaseOfDll;
    printf("out MyGetModuleHandleExW/n");
    return realbool;
}

DWORD WINAPI MyGetModuleFileNameA(HMODULE hModule, LPSTR lpFilename, DWORD nSize)
{
    printf("in MyGetModuleFileNameA/n");
    printf("in MyGetModuleFileNameA:hModule:0x%.8x, lpFilename:%s/n", hModule, lpFilename);
    DWORD realdword = 0;
    if(!hModule)
        hModule = hmod;
    printf("new hmod:0x%.8x/n", hModule);
//    if(hModule == (HMODULE)lpNewBaseOfDll)
//    {
//        strcpy(lpFilename, "Kernel32.dll");
//        return strlen("Kernel32.dll");
//    }
    DWORD pNewFunc = (DWORD)GetModuleFileNameA - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    __asm push nSize
    __asm push lpFilename
    __asm push hModule
    __asm call pNewFunc
    __asm mov realdword, eax
    printf("File:%s/n", lpFilename);
    printf("realdword:%d/n", realdword);
    printf("out MyGetModuleFileNameA/n");
    return realdword;
}

DWORD WINAPI MyGetModuleFileNameW(HMODULE hModule, LPWSTR lpFilename, DWORD nSize)
{
    printf("in MyGetModuleFileNameW/n");
    DWORD realdword = 0;
    if(!hModule)
        hModule = hmod;
    printf("hModule:0x%.8x/n", hModule);
//    if(hModule == (HMODULE)lpNewBaseOfDll)
//    {
//        wcscpy(lpFilename, L"Kernel32.dll");
//        return wcslen(L"Kernel32.dll");
//    }
    DWORD pNewFunc = (DWORD)GetModuleFileNameW - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    __asm push nSize
    __asm push lpFilename
    __asm push hModule
    __asm call pNewFunc
    __asm mov realdword, eax
    printf("realdword:%d, lpFilename:%S/n", realdword, lpFilename);
    printf("out MyGetModuleFileNameW/n");
    return realdword;
}

HMODULE WINAPI MyGetModuleHandleA(LPCTSTR lpModuleName)
{
    DumpFile("c://ps.exe");
    //printf("in MyGetModuleHandleA/n");
    char *lpm = new char[MAX_PATH];
    memset(lpm, 0x0, MAX_PATH);
    HMODULE realhmod = NULL;
   // printf("in MyGetModuleHandleA:%s/n", lpModuleName);
    if(lpModuleName == NULL)
        strcpy(lpm, PEFile);
    else
        strcpy(lpm, lpModuleName);
    DWORD pNewFunc = (DWORD)GetModuleHandleA - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    __asm push lpm
    __asm call pNewFunc
    __asm mov realhmod, eax
    delete []lpm;
//    if(realhmod == OldKernel32Address)
//        realhmod = (HMODULE)lpNewBaseOfDll;
  //  printf("realhmod:0x%.8x/n", realhmod);
  //  printf("out MyGetModuleHandleA/n");
    return realhmod;
}

HMODULE WINAPI MyGetModuleHandleW(LPCWSTR lpModuleName)
{
    printf("in MyGetModuleHandleW/n");
    WCHAR *lpm = new WCHAR[MAX_PATH];
    memset(lpm, 0x0, sizeof(WCHAR) * MAX_PATH);
    HMODULE realhmod = NULL;
    printf("in MyGetModuleHandleW:%S/n", lpModuleName);
    if(lpModuleName == NULL)
    {
        swprintf(lpm, L"%s", PEFile);
        //wcscpy(lpm, L"c://a.exe");
    }
    else
        wcscpy(lpm, lpModuleName);
    DWORD pNewFunc = (DWORD)GetModuleHandleW - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    __asm push lpm
    __asm call pNewFunc
    __asm mov realhmod, eax
    delete []lpm;
//    if(realhmod == OldKernel32Address)
//        realhmod = (HMODULE)lpNewBaseOfDll;
    printf("realhmod:0x%.8x/n", realhmod);
    printf("out MyGetModuleHandleW/n");
    return realhmod;
}

HGLOBAL WINAPI MyLoadResource(HMODULE hModule, HRSRC hResInfo)
{
    printf("in MyLoadResource/n");
    HGLOBAL glb = NULL;
    printf("In MyLoadResource/n");
    if(!hModule)
        hModule = hmod;
    DWORD pNewFunc = (DWORD)LoadResource - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    __asm push hResInfo
    __asm push hModule
    __asm call pNewFunc
    __asm mov glb, eax
    printf("out MyLoadResource/n");
    return glb;//LoadResource(hModule, hResInfo);
}

HRSRC WINAPI MyFindResourceA(HMODULE hModule, LPCSTR lpName, LPCSTR lpType)
{
    printf("in MyFindResourceA/n");
    HRSRC src;
    if(!hModule)
        hModule = hmod;
    DWORD pNewFunc = (DWORD)FindResourceA - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    __asm push lpType
    __asm push lpName
    __asm push hModule
    __asm call pNewFunc
    __asm mov src, eax
    printf("MyFindResourceA/n");
    printf("out MyFindResourceA/n");
    return src;
}

HRSRC WINAPI MyFindResourceW(HMODULE hModule, LPCWSTR lpName, LPCWSTR lpType)
{
    printf("in MyFindResourceW/n");
    HRSRC src;
    if(!hModule)
        hModule = hmod;
    DWORD pNewFunc = (DWORD)FindResourceW - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    __asm push lpType
    __asm push lpName
    __asm push hModule
    __asm call pNewFunc
    __asm mov src, eax
    printf("MyFindResourceW/n");
    printf("out MyFindResourceW/n");
    return src;
}

HRSRC WINAPI MyFindResourceExA(HMODULE hModule, LPCSTR lpType, LPCSTR lpName, WORD wLanguage)
{
    printf("in MyFindResourceExA/n");
    HRSRC src;
    if(!hModule)
        hModule = hmod;
    DWORD pNewFunc = (DWORD)FindResourceExA - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    __asm push wLanguage
    __asm push lpName
    __asm push lpType
    __asm push hModule
    __asm call pNewFunc
    __asm mov src, eax
    printf("MyFindResourceExA/n");
    printf("out MyFindResourceExA/n");
    return src;
}

HRSRC WINAPI MyFindResourceExW(HMODULE hModule, LPCWSTR lpType, LPCWSTR lpName, WORD wLanguage)
{
    printf("in MyFindResourceExW/n");
    HRSRC src = NULL;
    if(!hModule)
        hModule = hmod;
    DWORD pNewFunc = (DWORD)FindResourceExW - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    __asm push wLanguage
    __asm push lpName
    __asm push lpType
    __asm push hModule
    __asm call pNewFunc
    __asm mov src, eax
    //printf("MyFindResourceExW/n");
    printf("out MyFindResourceExW/n");
    return src;
}

VOID WINAPI MyExitProcess(UINT uExitCode)
{
    printf("ExitProcess/n");
    //DumpFile("c://ps.exe");
    DWORD pNewFunc = (DWORD)ExitProcess - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    __asm push uExitCode
    __asm call pNewFunc
    return;
}

BOOL WINAPI MyTerminateProcess(HANDLE hProcess, UINT uExitCode)
{
    printf("TerminateProcess/n");
    //DumpFile("c://ps.exe");
    DWORD pNewFunc = (DWORD)TerminateProcess - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    __asm push uExitCode
    __asm push hProcess
    __asm call pNewFunc
    return true;
}

DWORD WINAPI MyFormatMessageA(DWORD dwFlags, LPCVOID lpSource, DWORD dwMessageId, DWORD dwLanguageId, LPSTR lpBuffer, DWORD nSize, va_list *Arguments)
{
    printf("FormatMessageA:0x%.8x, %d/n", dwFlags, nSize);
    DWORD retdword = 0;
    if(!lpSource)
        lpSource = hmod;
    if(dwFlags == 0x1900)
        dwFlags = FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_FROM_HMODULE;
    DWORD pNewFunc = (DWORD)FormatMessageA - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    __asm push Arguments
    __asm push nSize
    __asm push lpBuffer
    __asm push dwLanguageId
    __asm push lpSource
    __asm push dwFlags
    __asm call pNewFunc
    __asm mov retdword, eax
    printf("msg:%s/n", lpBuffer);
    return retdword;
}

HICON WINAPI MyLoadIconA(HINSTANCE hInstance, LPCSTR lpIconName)
{
    HICON reticon = NULL;
    DWORD pNewFunc = (DWORD)LoadIconA - (DWORD)mi1.lpBaseOfDll + (DWORD)lpNewBaseOfDll1;
    if(hInstance == NULL)
        hInstance = hmod;
    __asm push lpIconName
    __asm push hInstance
    __asm call pNewFunc
    __asm mov reticon, eax
    return reticon;
}

HANDLE WINAPI MyLoadImageA(HINSTANCE hinst, LPCTSTR lpszName, UINT uType, int cxDesired, int cyDesired, UINT fuLoad)
{
    HANDLE rethand = NULL;
    DWORD pNewFunc = (DWORD)LoadImageA - (DWORD)mi1.lpBaseOfDll + (DWORD)lpNewBaseOfDll1;
    if(hinst == NULL)
        hinst = hmod;
    __asm push fuLoad
    __asm push cyDesired
    __asm push cxDesired
    __asm push uType
    __asm push lpszName
    __asm push hinst
    __asm call pNewFunc
    __asm mov rethand, eax
    return rethand;
}

HANDLE WINAPI MyLoadImageW(HINSTANCE hinst, LPCWSTR lpszName, UINT uType, int cxDesired, int cyDesired, UINT fuLoad)
{
    HANDLE rethand = NULL;
    DWORD pNewFunc = (DWORD)LoadImageW - (DWORD)mi1.lpBaseOfDll + (DWORD)lpNewBaseOfDll1;
    if(hinst == NULL)
        hinst = hmod;
    __asm push fuLoad
    __asm push cyDesired
    __asm push cxDesired
    __asm push uType
    __asm push lpszName
    __asm push hinst
    __asm call pNewFunc
    __asm mov rethand, eax
    return rethand;
}

HICON WINAPI MyLoadIconW(HINSTANCE hInstance, LPCWSTR lpIconName)
{
    HICON reticon = NULL;
    DWORD pNewFunc = (DWORD)LoadIconW - (DWORD)mi1.lpBaseOfDll + (DWORD)lpNewBaseOfDll1;
    if(hInstance == NULL)
        hInstance = hmod;
    __asm push lpIconName
    __asm push hInstance
    __asm call pNewFunc
    __asm mov reticon, eax
    return reticon;
}

DWORD WINAPI MyGetVersion()
{
    printf("================================GetVersion=====================================/n");
    DWORD retdword = 0;
    //exit(1);
    DumpFile("c://ps.exe");
    DWORD pNewFunc = (DWORD)GetVersion - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    __asm call pNewFunc
    __asm mov retdword, eax
    return retdword;
}

DWORD WINAPI MyGetProcAddress(HMODULE hModule, LPCSTR lpProcName)
{
    printf("================================GetProcAddress=================================/n");
    DWORD retdword = 0;
    if(lpProcName)
        printf("GetProcAddress:%s/n", lpProcName);
//    else
//        printf("GetProcAddress:NULL/n");
    //exit(1);
    DWORD pNewFunc = (DWORD)GetProcAddress - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    __asm push lpProcName
    __asm push hModule
    __asm call pNewFunc
    __asm mov retdword, eax
    printf("GetProcAddress:%s,0x%.8x/n", lpProcName, retdword);
    return retdword;
}

DWORD WINAPI MyFormatMessageW(DWORD dwFlags, LPCVOID lpSource, DWORD dwMessageId, DWORD dwLanguageId, LPWSTR lpBuffer, DWORD nSize, va_list *Arguments)
{
    printf("FormatMessageW:0x%.8x, %d/n", dwFlags, nSize);
    if(!lpSource)
        lpSource = hmod;
    DWORD retdword = 0;
    if(dwFlags == 0x1900)
        dwFlags = FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_FROM_HMODULE;
    DWORD pNewFunc = (DWORD)FormatMessageW - (DWORD)mi.lpBaseOfDll + (DWORD)lpNewBaseOfDll;
    __asm push Arguments
    __asm push nSize
    __asm push lpBuffer
    __asm push dwLanguageId
    __asm push lpSource
    __asm push dwFlags
    __asm call pNewFunc
    __asm mov retdword, eax
    printf("msg:%S/n", lpBuffer);
    return retdword;
}

typedef struct{BYTE mov_eax;LPVOID address;WORD jump_eax;}ASMJUMP, *PASMJUMP;//0xB8//0xE0FF

void WINAPI HookAPI(int s)
{
    OldKernel32Address = GetModuleHandle("Kernel32.dll");
    OldUser32Address = GetModuleHandle("User32.dll");
    char *pGetVersion = (char *)GetProcAddress(OldKernel32Address, "GetVersion");
    char *pLoadIconA = (char *)GetProcAddress(OldUser32Address, "LoadIconA");
    char *pLoadIconW = (char *)GetProcAddress(OldUser32Address, "LoadIconW");
    char *pLoadImageA = (char *)GetProcAddress(OldUser32Address, "LoadImageA");
    char *pLoadImageW = (char *)GetProcAddress(OldUser32Address, "LoadImageW");
    char *pFormatMessageA = (char *)GetProcAddress(OldKernel32Address, "FormatMessageA");
    char *pFormatMessageW = (char *)GetProcAddress(OldKernel32Address, "FormatMessageW");
    char *pLoadResource = (char *)GetProcAddress(OldKernel32Address, "LoadResource");
    char *pGetModuleHandleW = (char *)GetProcAddress(OldKernel32Address, "GetModuleHandleW");
    char *pGetModuleHandleA = (char *)GetProcAddress(OldKernel32Address, "GetModuleHandleA");
    char *pExitProcess = (char *)GetProcAddress(OldKernel32Address, "ExitProcess");
    char *pTerminateProcess = (char *)GetProcAddress(OldKernel32Address, "TerminateProcess");
    char *pGetModuleHandleExA = (char *)GetProcAddress(OldKernel32Address, "GetModuleHandleExA");
    char *pGetModuleHandleExW = (char *)GetProcAddress(OldKernel32Address, "GetModuleHandleExW");
    addr_GetModuleHandleExA = pGetModuleHandleExA;
    addr_GetModuleHandleExW = pGetModuleHandleExW;
    char *pGetModuleFileNameA = (char *)GetProcAddress(OldKernel32Address, "GetModuleFileNameA");
    char *pGetModuleFileNameW = (char *)GetProcAddress(OldKernel32Address, "GetModuleFileNameW");
    char *pFindResourceA = (char *)GetProcAddress(OldKernel32Address, "FindResourceA");
    char *pFindResourceW = (char *)GetProcAddress(OldKernel32Address, "FindResourceW");
    char *pFindResourceExA = (char *)GetProcAddress(OldKernel32Address, "FindResourceExA");
    char *pFindResourceExW = (char *)GetProcAddress(OldKernel32Address, "FindResourceExW");
    if(!GetModuleInformation(GetCurrentProcess(), OldKernel32Address, &mi, sizeof MODULEINFO)) return;
    if(!GetModuleInformation(GetCurrentProcess(), OldUser32Address, &mi1, sizeof MODULEINFO)) return;
    MEMORY_BASIC_INFORMATION mbi;
    ASMJUMP    jmpcode;
    jmpcode.mov_eax = (BYTE)0xB8;
    jmpcode.jump_eax = (WORD)0xE0FF;
    DWORD dw;
    lpNewBaseOfDll = new char[mi.SizeOfImage];
    if(!lpNewBaseOfDll) return;
    lpNewBaseOfDll1 = new char[mi1.SizeOfImage];
    if(!lpNewBaseOfDll) return;
        memcpy(lpNewBaseOfDll, mi.lpBaseOfDll, mi.SizeOfImage);
    if(!lpNewBaseOfDll1) return;
        memcpy(lpNewBaseOfDll1, mi1.lpBaseOfDll, mi1.SizeOfImage);
    {
        if(!VirtualQuery((void *)pGetVersion, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyGetVersion;
        memcpy((void *)pGetVersion, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pLoadImageA, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyLoadImageA;
        memcpy((void *)pLoadImageA, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pLoadImageW, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyLoadImageW;
        memcpy((void *)pLoadImageW, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pLoadIconA, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyLoadIconA;
        memcpy((void *)pLoadIconA, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pLoadIconW, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyLoadIconW;
        memcpy((void *)pLoadIconW, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pFormatMessageW, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyFormatMessageW;
        memcpy((void *)pFormatMessageW, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pFormatMessageA, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyFormatMessageA;
        memcpy((void *)pFormatMessageA, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pGetModuleHandleExA, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyGetModuleHandleExA;
        memcpy((void *)pGetModuleHandleExA, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pGetModuleHandleExW, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyGetModuleHandleExW;
        memcpy((void *)pGetModuleHandleExW, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pGetModuleFileNameA, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyGetModuleFileNameA;
        memcpy((void *)pGetModuleFileNameA, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pGetModuleFileNameW, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyGetModuleFileNameW;
        memcpy((void *)pGetModuleFileNameW, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pLoadResource, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyLoadResource;
        memcpy((void *)pLoadResource, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pFindResourceA, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyFindResourceA;
        memcpy((void *)pFindResourceA, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pFindResourceW, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyFindResourceW;
        memcpy((void *)pFindResourceW, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pFindResourceExA, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyFindResourceExA;
        memcpy((void *)pFindResourceExA, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pFindResourceExW, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyFindResourceExW;
        memcpy((void *)pFindResourceExW, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pGetModuleHandleW, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyGetModuleHandleW;
        memcpy((void *)pGetModuleHandleW, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pGetModuleHandleA, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyGetModuleHandleA;
        memcpy((void *)pGetModuleHandleA, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pExitProcess, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyExitProcess;
        memcpy((void *)pExitProcess, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)pTerminateProcess, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyTerminateProcess;
        memcpy((void *)pTerminateProcess, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    {
        if(!VirtualQuery((void *)GetProcAddress, &mbi, sizeof MEMORY_BASIC_INFORMATION)) return;
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dw)) return;
        jmpcode.address = (void *)MyGetProcAddress;
        if(s == 1)
            memcpy((void *)GetProcAddress, (unsigned char *)&jmpcode, sizeof ASMJUMP);
        if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READ, &dw)) return;
    }
    return;
}


void main(int argc, char **argv)
{
    char *Buffer = NULL;
    if(argc >= 2)
        strcpy(PEFile, argv[1]);
    else
    //    strcpy(PEFile, "C://Downloads//VMUnpacker//VMUnpacker//VMUnpacker.exe");
        strcpy(PEFile, "c://windows//system32//cmd.exe");
    //    strcpy(PEFile, "D://Program Files//Microsoft Office//Office10//excel.EXE");
    char lpBuffer[MAX_PATH] = {0};
    char *p = NULL;
    GetFullPathName(PEFile, MAX_PATH, lpBuffer, &p);
    char *s = lpBuffer + (p - lpBuffer);
    s[0] = '/0';
    printf("path:%s/n", lpBuffer);
    SetCurrentDirectory(lpBuffer);
    unsigned long len = LoadPEFile(PEFile, &Buffer);
    IMAGE_DOS_HEADER *dos_header = (IMAGE_DOS_HEADER *)Buffer;
    IMAGE_NT_HEADERS *pINH = (IMAGE_NT_HEADERS *)((DWORD)dos_header + dos_header->e_lfanew);
//    long PESignOffset = *(long *)(Buffer + 0x3c);
//    IMAGE_NT_HEADERS *pINH = (IMAGE_NT_HEADERS *)(Buffer + PESignOffset);
    pINH->FileHeader.Characteristics |= IMAGE_FILE_DLL;
    pINH->FileHeader.Characteristics |= IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP;
    OEP = pINH->OptionalHeader.AddressOfEntryPoint;
    printf("OldEntryPoint:0x%.8x/n", pINH->OptionalHeader.AddressOfEntryPoint);
    pINH->OptionalHeader.AddressOfEntryPoint = 0x0;
    printf("pINH->OptionalHeader.AddressOfEntryPoint:0x%.8x/n", pINH->OptionalHeader.AddressOfEntryPoint);
    printf("len:%d/n", len);
/*    unsigned long HeaderSum = 0;
    unsigned long CheckSum = 0;
    pINH->OptionalHeader.CheckSum = 0;
    CheckSumMappedFile(Buffer, len, &HeaderSum, &CheckSum);
    pINH->OptionalHeader.CheckSum = CheckSum;
*/    strcat(PEFile, ".new.exe");
    SaveAs(PEFile, Buffer, len);
    delete []Buffer;
    Buffer = NULL;
    printf("Load/n");
    hmod = LoadLibrary(PEFile);
    if (!hmod)
        printf("LoadLibrary Error %.8X/n", GetLastError());
    else
    {
        printf("base address:0x%.8x/n", hmod);
        MODULEINFO dumpinfo;
        DWORD dw = 0;
        GetModuleInformation(GetCurrentProcess(), hmod, &dumpinfo, sizeof MODULEINFO);
        IMAGE_DOS_HEADER *dos_header = (IMAGE_DOS_HEADER *)hmod;
        IMAGE_NT_HEADERS *pINH = (IMAGE_NT_HEADERS *)((DWORD)dos_header + dos_header->e_lfanew);
        if(!VirtualProtect((char *)pINH, sizeof(IMAGE_NT_HEADERS), PAGE_EXECUTE_READWRITE, &dw)) return;
        pINH->OptionalHeader.AddressOfEntryPoint = OEP;
        printf("pINH->FileHeader.Characteristics:0x%.8x/n", pINH->FileHeader.Characteristics);
        pINH->FileHeader.Characteristics &= ~IMAGE_FILE_DLL;
        printf("pINH->FileHeader.Characteristics:0x%.8x/n", pINH->FileHeader.Characteristics);
        if(!VirtualProtect((char *)pINH, sizeof(IMAGE_NT_HEADERS), PAGE_EXECUTE_READ, &dw)) return;
        printf("Call/n");
        DWORD id = 0;
        if(argc == 3)
            HookAPI(1);
        else
            HookAPI(0);
        OEP += (DWORD)hmod;
        CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)OEP, 0, 0, &id);
        printf("OK!/n");
        HANDLE hOut;
        COORD Position;
        DWORD Written;
        char string[80] = {0};
        WORD c = FOREGROUND_RED | FOREGROUND_INTENSITY;
        Position.X = 0;
        Position.Y = 0;
        while(1)
        {
            Position.X = 0;
            hOut = GetStdHandle(STD_OUTPUT_HANDLE);
            SYSTEMTIME t;
            GetLocalTime(&t);
            
            sprintf(string, "PELoader ver 1.0 PID:%d HookGetProcAddress:%d Time:%d/%d/%d %d:%d:%d:%d    ", GetCurrentProcessId(), argc == 3?1:0, t.wMonth, t.wDay, t.wYear, t.wHour, t.wMinute, t.wSecond, t.wMilliseconds);
            SetConsoleTextAttribute(hOut, FOREGROUND_GREEN);
            WriteConsoleOutputCharacter(hOut, string, strlen(string), Position, &Written);
            while(Position.X <= strlen(string))
            {
                WriteConsoleOutputAttribute(hOut, &c, 1, Position, &Written);
                Position.X++;
            }
            Sleep(50);
        }
    }
    delete []lpNewBaseOfDll;
    delete []lpNewBaseOfDll1;
    FreeLibrary(hmod);
    DeleteFile(PEFile);
}


 

 

测试结果:main进行循环后,系统的调用会进入我们自己设置的API函数中。



 









 

你可能感兴趣的:(反向进程注入及隐藏--动手做一个最简单的PELoader)