思路来自网上,代码用Pascal编写!
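{ Purpose: demonstrates reading the current process's EXE path through the PEB.
  The loader keeps this path in writable user-mode memory, so the process can
  rewrite it; a firewall or EDR that identifies a process by reading the PEB is
  therefore trusting data the process controls.
  Email:[email protected]
  Web : http://yunuo.net
  by :渗透 }
unit PEBtest;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls;

type
  { Counted UTF-16 string as used by the NT loader. Length and MaximumLength
    are byte counts, and Buffer is not guaranteed to be NUL-terminated, so
    readers must honour Length instead of scanning for a terminator. }
  _UNICODE_STRING = record
    Length: WORD;        { USHORT: byte count, not character count }
    MaximumLength: WORD;
    Buffer: PWideChar;
  end {_UNICODE_STRING};
  UNICODE_STRING = _UNICODE_STRING;
  PUNICODE_STRING = ^_UNICODE_STRING;

  { PEB.Ldr: head of the loader's three module lists (32-bit layout). }
  _PEB_LDR_DATA = record
    Length: ULONG;
    Initialized: BOOLEAN;
    SsHandle: Pointer;   { PVOID }
    InLoadOrderModuleList: LIST_ENTRY;
    InMemoryOrderModuleList: LIST_ENTRY;
    InInitializationOrderModuleList: LIST_ENTRY;
  end {_PEB_LDR_DATA};
  PEB_LDR_DATA = _PEB_LDR_DATA;
  PPEB_LDR_DATA = ^_PEB_LDR_DATA;

  { One loaded module (72 bytes on 32-bit). InLoadOrderModuleList is the first
    field, so a Flink that points at it also points at the whole record. }
  _LDR_MODULE = record
    InLoadOrderModuleList: LIST_ENTRY;
    InMemoryOrderModuleList: LIST_ENTRY;
    InInitializationOrderModuleList: LIST_ENTRY;
    BaseAddress: Pointer;
    EntryPoint: Pointer;
    SizeOfImage: ULONG;
    FullDllName: UNICODE_STRING;
    BaseDllName: UNICODE_STRING;
    Flags: ULONG;
    LoadCount: SmallInt;
    TlsIndex: SmallInt;
    HashTableEntry: LIST_ENTRY;
    TimeDateStamp: ULONG;
  end {_LDR_MODULE};
  LDR_MODULE = _LDR_MODULE;
  PLDR_MODULE = ^_LDR_MODULE;

  TForm1 = class(TForm)
    Button1: TButton;
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

{ Locates the PEB of the current process, then shows the entry point and the
  full path of the first module in load order (the EXE itself).
  32-bit only: fs:$30 and the $0C offset are the x86 TEB/PEB layout, and the
  Integer casts assume 32-bit pointers.
  Changes from the original: the loader list is checked for being empty and
  for nil pointers before dereferencing, and the path is converted using the
  UNICODE_STRING byte length rather than assuming a NUL terminator. }
procedure TForm1.Button1Click(Sender: TObject);
var
  PEB: Pointer;
  pld: PPEB_LDR_DATA;
  pmod: PLDR_MODULE;
  exePath: string;
begin
  // fs points at the TEB; TEB+$30 holds the PEB pointer ($18 is the TEB self-pointer).
  asm
    mov eax, fs:$30
    mov PEB, eax
  end;
  ShowMessage('当前进程的PEB地址=' + IntToHex(Integer(PEB), 8));

  // PEB+$0C is PEB.Ldr, a pointer to the PEB_LDR_DATA that lists loaded modules.
  pld := PPEB_LDR_DATA(Pointer(Integer(PEB) + $0C)^);
  if pld = nil then
  begin
    ShowMessage('PEB.Ldr is nil');
    Exit;
  end;

  // A circular list whose Flink points back at its own head is empty; the
  // original code would then have read PEB_LDR_DATA fields as an LDR_MODULE.
  if Pointer(pld.InLoadOrderModuleList.Flink) = @pld.InLoadOrderModuleList then
  begin
    ShowMessage('InLoadOrderModuleList is empty');
    Exit;
  end;

  // First entry in load order is the EXE; .Flink.Flink would be the second module.
  pmod := PLDR_MODULE(pld.InLoadOrderModuleList.Flink);
  ShowMessage('程序入口点=' + IntToHex(Integer(pmod.EntryPoint), 8));

  // Honour the counted length: Length is in bytes, Buffer is UTF-16.
  if pmod.FullDllName.Buffer = nil then
    exePath := ''
  else
    exePath := WideCharLenToString(pmod.FullDllName.Buffer,
                                   pmod.FullDllName.Length div SizeOf(WideChar));
  ShowMessage(exePath);

  // This path is ordinary writable process memory: the original demonstration
  // overwrote it with another executable's path to mislead host firewalls
  // that read the PEB of a connecting process. Defensive takeaway: derive a
  // process's image path from the kernel's view (e.g. QueryFullProcessImageName
  // on Vista+, or NtQueryInformationProcess/ProcessImageFileName), never from a
  // user-mode PEB walk, and treat a PEB path that disagrees with the kernel's
  // image path as a tampering indicator.
end;

end.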