Начинающий
-
Автор темы
- #1
Есть такой код:
И есть длл в байтах такого размера:
Вопрос в том, как изменить код под такой размер длл.
Вот что выдаёт отладка >
C++:
#include "inject.h"
#include <stdio.h>
#include <string>
#include <iostream>
#ifdef _WIN64
#define CURRENT_ARCH IMAGE_FILE_MACHINE_AMD64
#else
#define CURRENT_ARCH IMAGE_FILE_MACHINE_I386
#endif
void __stdcall Shellcode(MANUAL_MAPPING_DATA* pData);
void Inject(HANDLE hProc, BYTE* pSrcData)
{
IMAGE_NT_HEADERS* pOldNtHeader = nullptr;
IMAGE_OPTIONAL_HEADER* pOldOptHeader = nullptr;
IMAGE_FILE_HEADER* pOldFileHeader = nullptr;
BYTE* pTargetBase = nullptr;
if (reinterpret_cast<IMAGE_DOS_HEADER*>(pSrcData)->e_magic != 0x5A4D) { //"MZ"
exit(0);
}
pOldNtHeader = reinterpret_cast<IMAGE_NT_HEADERS*>(pSrcData + reinterpret_cast<IMAGE_DOS_HEADER*>(pSrcData)->e_lfanew);
pOldOptHeader = &pOldNtHeader->OptionalHeader;
pOldFileHeader = &pOldNtHeader->FileHeader;
if (pOldFileHeader->Machine != CURRENT_ARCH)
{
exit(0);
}
printf("File ok\n");
pTargetBase = reinterpret_cast<BYTE*>(VirtualAllocEx(hProc, nullptr, pOldOptHeader->SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE));
if (!pTargetBase)
{
exit(0);
}
MANUAL_MAPPING_DATA data{ 0 };
data.pLoadLibraryA = LoadLibraryA;
data.pGetProcAddress = GetProcAddress;
data.pbase = pTargetBase;
//File header
if (!WriteProcessMemory(hProc, pTargetBase, pSrcData, 0x1000, nullptr)) { //only first 0x1000 byes for the header
exit(0);
}
IMAGE_SECTION_HEADER* pSectionHeader = IMAGE_FIRST_SECTION(pOldNtHeader);
for (UINT i = 0; i != pOldFileHeader->NumberOfSections; ++i, ++pSectionHeader) {
if (pSectionHeader->SizeOfRawData) {
if (!WriteProcessMemory(hProc, pTargetBase + pSectionHeader->VirtualAddress, pSrcData + pSectionHeader->PointerToRawData, pSectionHeader->SizeOfRawData, nullptr)) {
exit(0);
}
}
}
//Mapping params
BYTE* MappingDataAlloc = reinterpret_cast<BYTE*>(VirtualAllocEx(hProc, nullptr, sizeof(MANUAL_MAPPING_DATA), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE));
if (!MappingDataAlloc) {
exit(0);
}
if (!WriteProcessMemory(hProc, MappingDataAlloc, &data, sizeof(MANUAL_MAPPING_DATA), nullptr)) {
exit(0);
}
//Shell code
void* pShellcode = VirtualAllocEx(hProc, nullptr, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (!pShellcode) {
exit(0);
}
if (!WriteProcessMemory(hProc, pShellcode, Shellcode, 0x1000, nullptr)) {
exit(0);
}
HANDLE hThread = CreateRemoteThread(hProc, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(pShellcode), MappingDataAlloc, 0, nullptr);
if (!hThread) {
exit(0);
}
CloseHandle(hThread);
printf("Thread created at: %p, waiting for return...\n", pShellcode);
HINSTANCE hCheck = NULL;
while (!hCheck) {
DWORD exitcode = 0;
GetExitCodeProcess(hProc, &exitcode);
if (exitcode != STILL_ACTIVE) {
exit(0);
}
MANUAL_MAPPING_DATA data_checked{ 0 };
ReadProcessMemory(hProc, MappingDataAlloc, &data_checked, sizeof(data_checked), nullptr);
hCheck = data_checked.hMod;
if (hCheck == (HINSTANCE)0x404040) {
exit(0);
}
else if (hCheck == (HINSTANCE)0x606060) {
exit(0);
}
Sleep(10);
}
//CLEAR PE HEAD
BYTE emptyBuffer[0x1000] = { 0 };
memset(emptyBuffer, 0, 0x1000);
if (!WriteProcessMemory(hProc, pTargetBase, emptyBuffer, 0x1000, nullptr)) {
printf("WARNING!: Can't clear HEADER\n");
}
//END CLEAR PE HEAD
BYTE* emptyBuffer2 = (BYTE*)malloc(1024 * 1024);
if (emptyBuffer2 == nullptr) {
exit(0);
}
memset(emptyBuffer2, 0, 1024 * 1024);
pSectionHeader = IMAGE_FIRST_SECTION(pOldNtHeader);
for (UINT i = 0; i != pOldFileHeader->NumberOfSections; ++i, ++pSectionHeader) {
if (pSectionHeader->SizeOfRawData) {
if (strcmp((char*)pSectionHeader->Name, ".pdata") == 0 ||
strcmp((char*)pSectionHeader->Name, ".rsrc") == 0 ||
strcmp((char*)pSectionHeader->Name, ".reloc") == 0) {// || strcmp((char*)pSectionHeader->Name, ".rdata") == 0 ) {
printf("Processing %s removal\n", pSectionHeader->Name);
if (!WriteProcessMemory(hProc, pTargetBase + pSectionHeader->VirtualAddress, emptyBuffer2, pSectionHeader->SizeOfRawData, nullptr))
{
printf("Can't clear section %s: 0x%x\n", pSectionHeader->Name, GetLastError());
}
}
}
}
delete[] pSrcData;
VirtualFreeEx(hProc, pShellcode, 0, MEM_RELEASE);
VirtualFreeEx(hProc, MappingDataAlloc, 0, MEM_RELEASE);
Sleep(500);
return;
}
#define RELOC_FLAG32(RelInfo) ((RelInfo >> 0x0C) == IMAGE_REL_BASED_HIGHLOW)
#define RELOC_FLAG64(RelInfo) ((RelInfo >> 0x0C) == IMAGE_REL_BASED_DIR64)
#ifdef _WIN64
#define RELOC_FLAG RELOC_FLAG64
#else
#define RELOC_FLAG RELOC_FLAG32
#endif
void __stdcall Shellcode(MANUAL_MAPPING_DATA* pData)
{
if (!pData) {
pData->hMod = (HINSTANCE)0x404040;
return;
}
BYTE* pBase = pData->pbase;
auto* pOpt = &reinterpret_cast<IMAGE_NT_HEADERS*>(pBase + reinterpret_cast<IMAGE_DOS_HEADER*>((uintptr_t)pBase)->e_lfanew)->OptionalHeader;
auto _LoadLibraryA = pData->pLoadLibraryA;
auto _GetProcAddress = pData->pGetProcAddress;
auto _DllMain = reinterpret_cast<f_DLL_ENTRY_POINT>(pBase + pOpt->AddressOfEntryPoint);
BYTE* LocationDelta = pBase - pOpt->ImageBase;
if (LocationDelta)
{
if (!pOpt->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size) {
pData->hMod = (HINSTANCE)0x606060;
return;
}
auto* pRelocData = reinterpret_cast<IMAGE_BASE_RELOCATION*>(pBase + pOpt->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
while (pRelocData->VirtualAddress)
{
UINT AmountOfEntries = (pRelocData->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
WORD* pRelativeInfo = reinterpret_cast<WORD*>(pRelocData + 1);
for (UINT i = 0; i != AmountOfEntries; ++i, ++pRelativeInfo)
{
if (RELOC_FLAG(*pRelativeInfo))
{
UINT_PTR* pPatch = reinterpret_cast<UINT_PTR*>(pBase + pRelocData->VirtualAddress + ((*pRelativeInfo) & 0xFFF));
*pPatch += reinterpret_cast<UINT_PTR>(LocationDelta);
}
}
pRelocData = reinterpret_cast<IMAGE_BASE_RELOCATION*>(reinterpret_cast<BYTE*>(pRelocData) + pRelocData->SizeOfBlock);
}
}
if (pOpt->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size)
{
auto* pImportDescr = reinterpret_cast<IMAGE_IMPORT_DESCRIPTOR*>(pBase + pOpt->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
while (pImportDescr->Name)
{
char* szMod = reinterpret_cast<char*>(pBase + pImportDescr->Name);
HINSTANCE hDll = _LoadLibraryA(szMod);
ULONG_PTR* pThunkRef = reinterpret_cast<ULONG_PTR*>(pBase + pImportDescr->OriginalFirstThunk);
ULONG_PTR* pFuncRef = reinterpret_cast<ULONG_PTR*>(pBase + pImportDescr->FirstThunk);
if (!pThunkRef)
pThunkRef = pFuncRef;
for (; *pThunkRef; ++pThunkRef, ++pFuncRef)
{
if (IMAGE_SNAP_BY_ORDINAL(*pThunkRef))
{
*pFuncRef = (ULONG_PTR)_GetProcAddress(hDll, reinterpret_cast<char*>(*pThunkRef & 0xFFFF));
}
else
{
auto* pImport = reinterpret_cast<IMAGE_IMPORT_BY_NAME*>(pBase + (*pThunkRef));
*pFuncRef = (ULONG_PTR)_GetProcAddress(hDll, pImport->Name);
}
}
++pImportDescr;
}
}
if (pOpt->DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size)
{
auto* pTLS = reinterpret_cast<IMAGE_TLS_DIRECTORY*>(pBase + pOpt->DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
auto* pCallback = reinterpret_cast<PIMAGE_TLS_CALLBACK*>(pTLS->AddressOfCallBacks);
for (; pCallback && *pCallback; ++pCallback)
(*pCallback)(pBase, DLL_PROCESS_ATTACH, nullptr);
}
_DllMain(pBase, DLL_PROCESS_ATTACH, nullptr);
pData->hMod = reinterpret_cast<HINSTANCE>(pBase);
}
C++:
unsigned char rawData[5736448]Вот что выдаёт отладка >
Пожалуйста, авторизуйтесь для просмотра ссылки.
<
Последнее редактирование:
