道。道。道

安全特性不等于安全的特性

:: 首頁 :: 聯系 :: 聚合

:: 管理

常用鏈接

隨筆分類

文章分類

資源鏈接站

aogo asm
boost-consulting
C/C++ Community
Communications Research Group
cplusplus site
CrackNews Site
Crackzplanet
Protocol Analyse
Software Security
squirrel's shared files
STL China site
The Code Project
The Number One Developer Site

搜索

最新評論

在內存中運行可執行程序

?????? 在內存中運行可執行程序，好處是可以給程序加殼，加密源程序，靜態反匯編無法獲得PE輸入節，但是因為運行后仍然是獨立的進程，所以沒辦法防止遠程線程注入，掛接API鉤子。

??1?typedef?IMAGE_SECTION_HEADER?(?*?PIMAGE_SECTION_HEADERS)[?1?];???
??2???
??3??//??計算對齊后的大小????
??4??unsigned??long??GetAlignedSize(unsigned??long??Origin,?unsigned??long??Alignment)???
??5???{???
??6??????return??(Origin??+??Alignment??-???1?)??/??Alignment??*??Alignment;???
??7?}????
??8???
??9??//??計算加載pe并對齊需要占用多少內存???
?10??//??未直接使用OptionalHeader.SizeOfImage作為結果是因為據說有的編譯器生成的exe這個值會填0????
?11??unsigned??long??CalcTotalImageSize(PIMAGE_DOS_HEADER?MzH???
?12??????????????????????????????????,?unsigned??long??FileLen???
?13??????????????????????????????????,?PIMAGE_NT_HEADERS?peH???
?14??????????????????????????????????,?PIMAGE_SECTION_HEADERS?peSecH)???
?15???{???
?16?????unsigned??long??res;???
?17??????//??計算pe頭的大小????
?18??????res??=??GetAlignedSize(?peH?->?OptionalHeader.SizeOfHeaders?,?peH?->?OptionalHeader.SectionAlignment);???
?19???
?20??????//??計算所有節的大小????
?21???????for?(??int??i??=???0?;?i??<??peH?->?FileHeader.NumberOfSections;??++?i)???
?22???????{???
?23??????????//??超出文件范圍????
?24???????????if?(peSecH[i]?->?PointerToRawData??+??peSecH[i]?->?SizeOfRawData??>??FileLen)??
?25???????????{
?26??????????????return???0?;???
?27?????????}?
?28??????????else???if?(peSecH[i]?->?VirtualAddress)?//?計算對齊后某節的大小????
?29?????????????{???
?30??????????????if?(peSecH[i]?->?Misc.VirtualSize)???
?31???????????????{???
?32?????????????????res??=??GetAlignedSize(?peSecH[i]?->?VirtualAddress??+??peSecH[i]?->?Misc.VirtualSize???
?33?????????????????????,?peH?->?OptionalHeader.SectionAlignment);???
?34?????????????}????
?35??????????????else???
?36???????????????{???
?37?????????????????res??=??GetAlignedSize(?peSecH[i]?->?VirtualAddress??+??peSecH[i]?->?SizeOfRawData???
?38?????????????????????,?peH?->?OptionalHeader.SectionAlignment);???
?39?????????????}????
?40?????????}????
?41??????????else???if?(?peSecH[i]?->?Misc.VirtualSize??<??peSecH[i]?->?SizeOfRawData?)???
?42???????????{???
?43?????????????res??+=??GetAlignedSize(?peSecH[i]?->?SizeOfRawData???
?44?????????????????,?peH?->?OptionalHeader.SectionAlignment);???
?45?????????}????
?46??????????else???
?47???????????{???
?48?????????????res??+=??GetAlignedSize(?peSecH[i]?->?Misc.VirtualSize???
?49?????????????????,?peH?->?OptionalHeader.SectionAlignment);???
?50?????????}?//??if_else????
?51??????}?//??for????
?52?????????
?53??????return??res;???
?54?}????
?55???
?56???
?57???
?58???
?59??//??加載pe到內存并對齊所有節????
?60??BOOL?AlignPEToMem(??void???*?Buf???
?61???????????????????,??long??Len???
?62???????????????????,?PIMAGE_NT_HEADERS??&?peH???
?63???????????????????,?PIMAGE_SECTION_HEADERS??&?peSecH???
?64???????????????????,??void???*&?Mem???
?65???????????????????,?unsigned??long???&?ImageSize)???
?66???{???
?67?????PIMAGE_DOS_HEADER?SrcMz;?//??DOS頭????
?68??????PIMAGE_NT_HEADERS?SrcPeH;?//??PE頭????
?69??????PIMAGE_SECTION_HEADERS?SrcPeSecH;?//??節表????
?70?????????
?71?????SrcMz??=??(PIMAGE_DOS_HEADER)Buf;???
?72???
?73??????if?(?Len??<???sizeof?(IMAGE_DOS_HEADER)?)????
?74??????????return??FALSE;???
?75????????
?76??????if?(?SrcMz?->?e_magic??!=??IMAGE_DOS_SIGNATURE?)???
?77??????????return??FALSE;???
?78????????
?79??????if?(?Len??<??SrcMz?->?e_lfanew??+??(?long?)?sizeof?(IMAGE_NT_HEADERS)?)???
?80??????????return??FALSE;???
?81???
?82?????SrcPeH??=??(PIMAGE_NT_HEADERS)((?int?)SrcMz??+??SrcMz?->?e_lfanew);???
?83??????if?(?SrcPeH?->?Signature??!=??IMAGE_NT_SIGNATURE?)???
?84??????????return??FALSE;???
?85???
?86??????if?(?(SrcPeH?->?FileHeader.Characteristics??&??IMAGE_FILE_DLL)??||????
?87?????????(SrcPeH?->?FileHeader.Characteristics??&??IMAGE_FILE_EXECUTABLE_IMAGE??==???0?)??||????
?88?????????(SrcPeH?->?FileHeader.SizeOfOptionalHeader??!=???sizeof?(IMAGE_OPTIONAL_HEADER))?)???
?89???????{???
?90??????????return??FALSE;???
?91?????}????
?92???
?93???
?94?????SrcPeSecH??=??(PIMAGE_SECTION_HEADERS)((?int?)SrcPeH??+???sizeof?(IMAGE_NT_HEADERS));???
?95?????ImageSize??=??CalcTotalImageSize(?SrcMz,?Len,?SrcPeH,?SrcPeSecH);???
?96???
?97??????if?(?ImageSize??==???0??)???
?98??????????return??FALSE;???
?99????????
100?????Mem??=??VirtualAlloc(?NULL,?ImageSize,?MEM_COMMIT,?PAGE_EXECUTE_READWRITE);??//??分配內存????
101???????if?(?Mem??!=??NULL?)???
102???????{???
103??????????//??計算需要復制的PE頭字節數????
104??????????unsigned??long??l??=??SrcPeH?->?OptionalHeader.SizeOfHeaders;???
105??????????for?(??int??i??=???0?;?i??<??SrcPeH?->?FileHeader.NumberOfSections;??++?i)???
106???????????{???
107??????????????if?(?(SrcPeSecH[i]?->?PointerToRawData)??&&????
108?????????????????(SrcPeSecH[i]?->?PointerToRawData??<??l)?)???
109???????????????{???
110?????????????????l??=??SrcPeSecH[i]?->?PointerToRawData;???
111?????????????}????
112?????????}????
113?????????memmove(?Mem,?SrcMz,?l);???
114?????????peH??=??(PIMAGE_NT_HEADERS)((?int?)Mem??+??((PIMAGE_DOS_HEADER)Mem)?->?e_lfanew);???
115?????????peSecH??=??(PIMAGE_SECTION_HEADERS)((?int?)peH??+???sizeof?(IMAGE_NT_HEADERS));???
116???
117??????????void???*?Pt??=??(?void???*?)((unsigned??long?)Mem????
118??????????????+??GetAlignedSize(?peH?->?OptionalHeader.SizeOfHeaders???
119?????????????,?peH?->?OptionalHeader.SectionAlignment)???
120?????????????);???
121???
122??????????for?(?i??=???0?;?i??<??peH?->?FileHeader.NumberOfSections;??++?i)???
123???????????{???
124??????????????//??定位該節在內存中的位置????
125???????????????if?(peSecH[i]?->?VirtualAddress)???
126?????????????????Pt??=??(?void???*?)((unsigned??long?)Mem??+??peSecH[i]?->?VirtualAddress);???
127???
128??????????????if?(peSecH[i]?->?SizeOfRawData)???
129???????????????{???
130??????????????????//??復制數據到內存????
131??????????????????memmove(Pt,?(?const???void???*?)((unsigned??long?)(SrcMz)??+??peSecH[i]?->?PointerToRawData),?peSecH[i]?->?SizeOfRawData);???
132??????????????????if?(peSecH[i]?->?Misc.VirtualSize??<??peSecH[i]?->?SizeOfRawData)???
133?????????????????????Pt??=??(?void???*?)((unsigned??long?)Pt??+??GetAlignedSize(peSecH[i]?->?SizeOfRawData,?peH?->?OptionalHeader.SectionAlignment));???
134??????????????????else???//??pt?定位到下一節開始位置????
135??????????????????????Pt??=??(?void???*?)((unsigned??long?)Pt??+??GetAlignedSize(peSecH[i]?->?Misc.VirtualSize,?peH?->?OptionalHeader.SectionAlignment));???
136?????????????}????
137??????????????else???
138???????????????{???
139?????????????????Pt??=??(?void???*?)((unsigned??long?)Pt??+??GetAlignedSize(peSecH[i]?->?Misc.VirtualSize,?peH?->?OptionalHeader.SectionAlignment));???
140?????????????}????
141?????????}????
142?????}????
143??????return??TRUE;???
144?}????
145???
146???
147???
148?typedef??void???*?(__stdcall??*?pfVirtualAllocEx)(unsigned??long?,??void???*?,?unsigned??long?,?unsigned??long?,?unsigned??long?);???
149?pfVirtualAllocEx?MyVirtualAllocEx??=??NULL;???
150???
151?BOOL?IsNT()???
152???{???
153??????return??MyVirtualAllocEx?!=?NULL;???
154?}????
155???
156??//??生成外殼程序命令行????
157??char???*?PrepareShellExe(?char???*?CmdParam,?unsigned??long??BaseAddr,?unsigned??long??ImageSize)???
158???{???
159??????if?(IsNT())???
160???????{???
161??????????char???*?Buf??=???new???char?[?256?];???
162?????????memset(Buf,??0?,??256?);???
163?????????GetModuleFileName(?0?,?Buf,??256?);???
164?????????strcat(Buf,?CmdParam);???
165??????????return??Buf;??//??請記得釋放內存;-)????
166??????}????
167??????else???
168???????{???
169??????????//??Win98
170
171???????????return??NULL;???
172?????}????
173?}????
174???
175??//??是否包含可重定向列表????
176??BOOL?HasRelocationTable(PIMAGE_NT_HEADERS?peH)???
177???{???
178??????return??(peH?->?OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress)???
179??????????&&??(peH?->?OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size);???
180?}????
181???
182???
183???
184???
185?#pragma?pack(push,??1?)???
186?typedef??struct??{???
187?????unsigned??long??VirtualAddress;???
188?????unsigned??long??SizeOfBlock;???
189?}???*?PImageBaseRelocation;???
190?#pragma?pack(pop)???
191???
192??//??重定向PE用到的地址????
193??void??DoRelocation(PIMAGE_NT_HEADERS?peH,??void???*?OldBase,??void???*?NewBase)???
194???{???
195?????unsigned??long??Delta??=??(unsigned??long?)NewBase??-??peH?->?OptionalHeader.ImageBase;???
196?????PImageBaseRelocation?p??=??(PImageBaseRelocation)((unsigned??long?)OldBase????
197??????????+??peH?->?OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);???
198??????while?(p?->?VirtualAddress??+??p?->?SizeOfBlock)???
199???????{???
200?????????unsigned??short???*?pw??=??(unsigned??short???*?)((?int?)p??+???sizeof?(?*?p));???
201??????????for?(unsigned??int??i?=?1?;?i??<=??(p?->?SizeOfBlock??-???sizeof?(?*?p))??/???2?;??++?i)???
202???????????{???
203??????????????if?((?*?pw)??&???0xF000???==???0x3000?)??{???
204?????????????????unsigned??long???*?t??=??(unsigned??long???*?)((unsigned??long?)(OldBase)??+??p?->?VirtualAddress??+??((?*?pw)??&???0x0FFF?));???
205??????????????????*?t??+=??Delta;???
206?????????????}????
207??????????????++?pw;???
208?????????}????
209?????????p??=??(PImageBaseRelocation)pw;???
210?????}????
211?}????
212???
213??//??卸載原外殼占用內存????
214??BOOL?UnloadShell(HANDLE?ProcHnd,?unsigned??long??BaseAddr)???
215???{???
216?????typedef?unsigned??long??(__stdcall??*?pfZwUnmapViewOfSection)(unsigned??long?,?unsigned??long?);???
217?????pfZwUnmapViewOfSection?ZwUnmapViewOfSection??=??NULL;???
218?????BOOL?res??=??FALSE;???
219?????HMODULE?m??=??LoadLibrary(?"?ntdll.dll?"?);???
220??????if?(m)??{???
221?????????ZwUnmapViewOfSection??=??(pfZwUnmapViewOfSection)GetProcAddress(m,??"?ZwUnmapViewOfSection?"?);???
222??????????if?(ZwUnmapViewOfSection)???
223?????????????res??=??(ZwUnmapViewOfSection((unsigned??long?)ProcHnd,?BaseAddr)??==???0?);???
224?????????FreeLibrary(m);???
225?????}????
226??????return??res;???
227?}????
228???
229??//??創建外殼進程并獲取其基址、大小和當前運行狀態????
230??BOOL?CreateChild(?char???*?Cmd,?CONTEXT??&?Ctx,?HANDLE??&?ProcHnd,?HANDLE??&?ThrdHnd,????
231??????????????????unsigned??long???&?ProcId,?unsigned??long???&?BaseAddr,?unsigned??long???&?ImageSize)???
232???{???
233?????STARTUPINFOA?si;???
234?????PROCESS_INFORMATION?pi;???
235?????unsigned??long??old;???
236?????MEMORY_BASIC_INFORMATION?MemInfo;???
237?????memset(?&?si,??0?,??sizeof?(si));???
238?????memset(?&?pi,??0?,??sizeof?(pi));???
239?????si.cb??=???sizeof?(si);???
240????????
241?????BOOL?res??=??CreateProcess(NULL,?Cmd,?NULL,?NULL,?FALSE,?CREATE_SUSPENDED,?NULL,?NULL,??&?si,??&?pi);??//??以掛起方式運行進程;????
242????????if?(res)??{???
243?????????ProcHnd??=??pi.hProcess;???
244?????????ThrdHnd??=??pi.hThread;???
245?????????ProcId??=??pi.dwProcessId;???
246??????????//??獲取外殼進程運行狀態，[ctx.Ebx+8]內存處存的是外殼進程的加載基址，ctx.Eax存放有外殼進程的入口地址????
247??????????Ctx.ContextFlags??=??CONTEXT_FULL;???
248?????????GetThreadContext(ThrdHnd,??&?Ctx);???
249?????????ReadProcessMemory(ProcHnd,?(?void???*?)(Ctx.Ebx?+?8?),??&?BaseAddr,??sizeof?(unsigned??long?),??&?old);??//??讀取加載基址????
250???????????void???*?p??=??(?void???*?)BaseAddr;???
251??????????//??計算外殼進程占有的內存????
252???????????while?(VirtualQueryEx(ProcHnd,?p,??&?MemInfo,??sizeof?(MemInfo)))???
253???????????{???
254??????????????if?(MemInfo.State??=??MEM_FREE)??break?;???
255?????????????p??=??(?void???*?)((unsigned??long?)p??+??MemInfo.RegionSize);???
256?????????}????
257?????????ImageSize??=??(unsigned??long?)p??-??(unsigned??long?)BaseAddr;???
258?????}????
259??????return??res;???
260?}????
261???
262??//??創建外殼進程并用目標進程替換它然后執行????
263??HANDLE?AttachPE(?char???*?CmdParam,?PIMAGE_NT_HEADERS?peH,?PIMAGE_SECTION_HEADERS?peSecH,????
264??????????????????void???*?Ptr,?unsigned??long??ImageSize,?unsigned??long???&?ProcId)???
265???{???
266?????HANDLE?res??=??INVALID_HANDLE_VALUE;???
267?????CONTEXT?Ctx;???
268?????HANDLE?Thrd;???
269?????unsigned??long??Addr,?Size;???
270??????char???*?s??=??PrepareShellExe(CmdParam,?peH?->?OptionalHeader.ImageBase,?ImageSize);???
271??????if?(s?==?NULL)??return??res;???
272??????if?(CreateChild(s,?Ctx,?res,?Thrd,?ProcId,?Addr,?Size))??{???
273??????????void???*?p??=??NULL;???
274?????????unsigned??long??old;???
275??????????if?((peH?->?OptionalHeader.ImageBase??==??Addr)??&&??(Size??>=??ImageSize))??{?//??外殼進程可以容納目標進程并且加載地址一致????
276??????????????p??=??(?void???*?)Addr;???
277?????????????VirtualProtectEx(res,?p,?Size,?PAGE_EXECUTE_READWRITE,??&?old);???
278?????????}????
279??????????else???if?(IsNT())??{???
280??????????????if?(UnloadShell(res,?Addr))??{?//??卸載外殼進程占有內存????
281??????????????????p??=??MyVirtualAllocEx((unsigned??long?)res,?(?void???*?)peH?->?OptionalHeader.ImageBase,?ImageSize,?MEM_RESERVE??|??MEM_COMMIT,?PAGE_EXECUTE_READWRITE);???
282?????????????}????
283??????????????if?((p??==??NULL)??&&??HasRelocationTable(peH))??{?//??分配內存失敗并且目標進程支持重定向????
284??????????????????p??=??MyVirtualAllocEx((unsigned??long?)res,?NULL,?ImageSize,?MEM_RESERVE??|??MEM_COMMIT,?PAGE_EXECUTE_READWRITE);???
285??????????????????if?(p)?DoRelocation(peH,?Ptr,?p);??//??重定向????
286??????????????}????
287?????????}????
288??????????if?(p)??{???
289?????????????WriteProcessMemory(res,?(?void???*?)(Ctx.Ebx?+?8?),??&?p,??sizeof?(DWORD),??&?old);??//??重置目標進程運行環境中的基址????
290??????????????peH?->?OptionalHeader.ImageBase??=??(unsigned??long?)p;???
291??????????????if?(WriteProcessMemory(res,?p,?Ptr,?ImageSize,??&?old))??{?//??復制PE數據到目標進程????
292??????????????????Ctx.ContextFlags??=??CONTEXT_FULL;???
293??????????????????if?((unsigned??long?)p??==??Addr)???
294?????????????????????Ctx.Eax??=??peH?->?OptionalHeader.ImageBase??+??peH?->?OptionalHeader.AddressOfEntryPoint;??//??重置運行環境中的入口地址????
295???????????????????else???
296?????????????????????Ctx.Eax??=??(unsigned??long?)p??+??peH?->?OptionalHeader.AddressOfEntryPoint;???
297?????????????????SetThreadContext(Thrd,??&?Ctx);?//??更新運行環境????
298??????????????????ResumeThread(Thrd);?//??執行????
299??????????????????CloseHandle(Thrd);???
300?????????????}????
301??????????????else??{?//??加載失敗,殺掉外殼進程????
302??????????????????TerminateProcess(res,??0?);???
303?????????????????CloseHandle(Thrd);???
304?????????????????CloseHandle(res);???
305?????????????????res??=??INVALID_HANDLE_VALUE;???
306?????????????}????
307?????????}????
308??????????else??{?//??加載失敗,殺掉外殼進程????
309??????????????TerminateProcess(res,??0?);???
310?????????????CloseHandle(Thrd);???
311?????????????CloseHandle(res);???
312?????????????res??=??INVALID_HANDLE_VALUE;???
313?????????}????
314?????}????
315?????delete[]?s;???
316??????return??res;???
317?}????
318???
319???
320???
321???
322???/**/?/**/?/**/?/*?******************************************************\??
323?{?*******************************************************?}??
324?{?*?????????????????從內存中加載并運行exe???????????????*?}??
325?{?*******************************************************?}??
326?{?*?參數：????????????????????????????????????????????????}??
327?{?*?Buffer:?內存中的exe地址???????????????????????????????}??
328?{?*?Len:?內存中exe占用長度????????????????????????????????}??
329?{?*?CmdParam:?命令行參數(不包含exe文件名的剩余命令行參數）}??
330?{?*?ProcessId:?返回的進程Id???????????????????????????????}??
331?{?*?返回值：?如果成功則返回進程的Handle(ProcessHandle),???}??
332?{????????????如果失敗則返回INVALID_HANDLE_VALUE???????????}??
333?{?*******************************************************?}??
334??\******************************************************?*/???
335?HANDLE?MemExecute(?void???*?ABuffer,??long??Len,??char???*?CmdParam,?unsigned??long???*?ProcessId)???
336???{???
337?????HANDLE?res??=??INVALID_HANDLE_VALUE;???
338?????PIMAGE_NT_HEADERS?peH;???
339?????PIMAGE_SECTION_HEADERS?peSecH;???
340??????void???*?Ptr;???
341?????unsigned??long??peSz;???
342??????if?(AlignPEToMem(ABuffer,?Len,?peH,?peSecH,?Ptr,?peSz))???
343???????{???
344?????????res??=??AttachPE(CmdParam,?peH,?peSecH,?Ptr,?peSz,??*?ProcessId);???
345?????????VirtualFree(Ptr,?peSz,?MEM_DECOMMIT);???
346?????}????
347??????return??res;???
348?}????
349???
350??//??初始化????
351??class??CInit???
352???{???
353??public?:???
354?????CInit()???
355???????{???
356?????????MyVirtualAllocEx??=??(pfVirtualAllocEx)GetProcAddress(GetModuleHandle(?"?Kernel32.dll?"?),??"?VirtualAllocEx?"?);???
357?????}????
358?}?Init;???
359???
360???
361???
362???
363?
364?
365?
366??int??main(?int??argc,??char?*??argv[])
367???{
368?????FILE?*??fp;
369?????fp??=??fopen(?"?E:\\CProject\\DBGVIEW.EXE?"?,?"?rb?"?);
370?
371??????if??(?fp?)
372???????{
373?
374?????????fseek(fp,?0l?,SEEK_END);
375??????????int??file_size?=?ftell(fp);?/**/?/*?獲取文件長度?*/?
376??????????fseek(fp,?0l?,SEEK_SET);?/**/?/*?回到文件頭部?*/????
377?????????
378?????????
379?????????LPBYTE?pBuf??=???new??BYTE[file_size];???
380?????????memset(?pBuf,??0?,?file_size);???
381?
382?????????fread(pBuf,file_size,?1?,fp);
383?
384?????????DWORD?id??=??GetCurrentProcessId();
385?????????unsigned??long??ulProcessId??=???0?;???
386?????????MemExecute(?pBuf,?file_size,??""?,??&?ulProcessId);???
387?????????delete[]?pBuf;???
388?????????
389?????}???
390?????
391??????return???0?;
392?}?

posted on 2007-01-19 22:28 獨孤九劍閱讀(1735) 評論(0) 編輯收藏引用所屬分類: Win32