许多人认为代码重定位在C语言中无法做到,只能用汇编实现,其实C语言也可以办到,当然,里面要嵌入内联汇编(本文示例用的是32位MSVC的_asm,依赖EBX寄存器在语句之间保持不变).
在远程注入代码的时候,代码重定位用得比较多.但是还有2种取巧的方法可以不用代码重定位,其中一种移植性差,另一种要附加一个DLL.
第一种不用代码重定位的方法是:
1.自己在程序里设定一个基址(最好不要用那些比较常见的基址).这一步是必要的,因为很多PE文件的默认基址都相同,目标进程中该地址很可能已被占用,申请会失败;在开启ASLR的系统上,固定基址更不可靠.
2.在调用VirtualAllocEx的时候,把这个基址作为申请内存区域的起始地址;只有返回值确实等于该基址时才算成功,此时把代码写进去基本就OK了.申请失败时必须检查返回值,不能直接写入.
第二种不用代码重定位的方法是:
1.把需要远程执行的代码放到一个DLL里,然后把它注入到目标进程去执行.其实一般DLL也要重定位,只是这由系统加载器完成,不是你的事.这种最简单,但隐蔽性最差,因为别人用工具一看就知道进程加载了哪些DLL.
下面是利用C语言(配合MSVC内联汇编)进行代码重定位的示例:
#include <windows.h>
#include <tlhelp32.h>
#include <stdarg.h>
#include <stdio.h>
#include <iostream>
using namespace std;
// Everything below this point goes into the ".shell" section: the data
// segment ".mydat" is merged into the code segment ".shell" (both RWE), so
// the dwBegin marker, the strings and Fun1/Invoke/End form one contiguous
// byte range that main() copies into the target process.
// NOTE(review): the pragmas are never popped, so main() and
// GetProcessIdFromName also land in .shell; main() only copies up to End(),
// so this is presumably harmless. The section is RWE in this image too.
#pragma data_seg(".mydat")
#pragma code_seg(".shell")
#pragma comment(linker,"/SECTION:.mydat,RWE")
#pragma comment(linker,"/SECTION:.shell,RWE")
#pragma comment(linker,"/MERGE:.mydat=.shell")
// Recode: put the relocation delta into EBX. `call A` pushes the *runtime*
// address of label A, `lea eax, A` yields its *link-time* address, so
// EBX = runtime - link-time. Every absolute address used after this must be
// adjusted by EBX. 32-bit MSVC inline assembly only.
#define Recode _asm call A _asm A: _asm pop ebx _asm lea eax, A _asm sub ebx, eax
// GetFunOffset: not used anywhere in this file. As written it loads the
// dword stored *at* [ebx + pFun] instead of adding EBX to the pointer value,
// which looks wrong — TODO confirm before using it.
#define GetFunOffset(pFun) _asm mov eax, [ebx + pFun] _asm mov pFun, eax
// GetStringOffset: rebase the pointer variable pStr (holding a link-time
// address) by adding EBX and store the result back into pStr.
// NOTE(review): the trailing `push pStr` leaves one dword on the stack per
// use that nothing pops; a frame-pointer epilogue hides it, but it is
// presumably a leftover — TODO confirm.
#define GetStringOffset(pStr) _asm mov eax, [pStr] _asm lea eax, [ebx + eax] _asm mov pStr, eax _asm push pStr
// Sentinel that terminates the variadic argument list of Invoke().
#define VA_END -1
// Forward declarations for the helpers defined below.
DWORD GetProcessIdFromName(LPCTSTR name) ;
// Fun2 is declared but neither defined nor used in the code shown here.
void Fun2();
int Invoke(char*pDllName, char*pFunName, ...);
// Function-pointer types; not referenced by the code shown here.
typedef HINSTANCE (WINAPI *pLoadLibraryDef)(LPCTSTR);
typedef DWORD (WINAPI *pMsgBoxDef)(DWORD,DWORD,DWORD,DWORD);
// dwBegin marks the start of the byte range main() copies into the target;
// its address is also the base all copied offsets are measured from.
DWORD dwBegin = 0;
// Strings referenced by Fun1 through rebased pointers. They live in .mydat
// (merged into .shell) so they travel with the code.
char szUser32[] = "User32.Dll";
char szMessageBox[] = "MessageBoxA";
char szText[] = "Hello World";
char szCaption[] = "C Language Recode";
// Payload entry point, executed inside the target process by
// CreateRemoteThread. It runs at an address different from the one it was
// linked at, so every pointer into the copied range is rebased through the
// EBX delta before use. The PVOID parameter is the CreateRemoteThread
// argument and is unused.
DWORD WINAPI Fun1(PVOID)
{
    // EBX = runtime address - link-time address (see the Recode macro).
    // The macros below assume EBX survives between C statements; presumably
    // relies on MSVC not reusing EBX once inline asm has touched it — TODO
    // confirm in the disassembly.
    Recode;
    // These initializers are link-time absolute addresses of the strings...
    char* pUser32 = szUser32;
    char* pMessageBox = szMessageBox;
    char* pText = szText;
    char* pCaption = szCaption;
    // ...rebased here to where the strings actually are in the target.
    GetStringOffset(pUser32);
    GetStringOffset(pMessageBox);
    GetStringOffset(pText);
    GetStringOffset(pCaption);
    // MessageBoxA(NULL, "Hello World", "C Language Recode", 0); the final -1
    // is the VA_END sentinel. Invoke itself is not rebased here because it is
    // copied alongside Fun1 (presumably reached by a relative call — TODO
    // confirm).
    Invoke(pUser32, pMessageBox, NULL, pText, pCaption, NULL, -1);
    return 0;
}
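// Call an exported function by DLL name and export name from inside the
// injected code, where no import table is available.
//   pDllName - ANSI DLL name (already rebased by the caller)
//   pFunName - ANSI export name (already rebased by the caller)
//   ...      - up to MAX_INVOKE_ARGS DWORD arguments in call order,
//              terminated by VA_END
// Returns EAX after the call; 0 if the DLL/export cannot be resolved or the
// argument list has no sentinel within MAX_INVOKE_ARGS entries.
// NOTE(review): the two kernel32 addresses below are hard-coded for one
// specific 32-bit Windows build; on any other build, or on a system with
// ASLR, they point elsewhere and the calls will crash. A portable version
// would locate kernel32 through the PEB and walk its export table.
// NOTE(review): the callee is expected to clean up the pushed arguments
// (stdcall, as Win32 APIs are); a cdecl target would leave them on the
// stack until the frame-pointer epilogue. 32-bit MSVC inline asm only.
int Invoke(char* pDllName, char* pFunName, ...)
{
    enum { MAX_INVOKE_ARGS = 128 };
    DWORD dwLoadLib = 0x7C801D77;   // kernel32!LoadLibraryA on the target build
    HMODULE hDll = ((HMODULE(WINAPI*)(char*))dwLoadLib)(pDllName);
    // kernel32!GetProcAddress on the target build
    PROC dwFunAddr = ((PROC(WINAPI*)(HMODULE,char*))0x7C80ADA0)(hDll, pFunName);
    DWORD dwRet = 0;
    DWORD dwParam[MAX_INVOKE_ARGS], dwParamTemp = 0;
    DWORD dwParamLen = 0;
    DWORD dwRemaining = 0;
    va_list stVaList;
    // Never `call 0`: bail out if either lookup failed.
    if (hDll == NULL || dwFunAddr == NULL)
        return 0;
    va_start(stVaList, pFunName);
    // Collect arguments up to the VA_END sentinel, refusing to write past the
    // buffer if the caller forgot it.
    for (;;)
    {
        if (dwParamLen >= MAX_INVOKE_ARGS)
        {
            va_end(stVaList);
            return 0;
        }
        dwParam[dwParamLen] = va_arg(stVaList, DWORD);
        if (dwParam[dwParamLen] == (DWORD)VA_END)
            break;
        dwParamLen++;
    }
    // dwParamLen is now the number of real arguments (sentinel excluded).
    // Push them right-to-left, the order stdcall/cdecl callees expect.
    dwRemaining = dwParamLen;
    while (dwRemaining != 0)
    {
        dwParamTemp = dwParam[--dwRemaining];
        _asm push dwParamTemp
    }
    _asm mov eax, dwFunAddr
    _asm call eax
    _asm mov dwRet, eax
    va_end(stVaList);
    return dwRet;
}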
// Address marker only: main() copies the byte range [&dwBegin, End), so this
// function must sit in memory after Fun1 and Invoke. That holds only if the
// compiler emits the functions in source order and does not reorder or
// inline them — TODO confirm (e.g. in the linker map).
void End()
{
}
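// Host side of the demo: start notepad.exe, copy the byte range
// [&dwBegin, End) into it and run Fun1 there on a new thread.
// Returns 0 on success and 1 on any failure (reason printed).
// NOTE(review): the size/offset arithmetic assumes the compiler placed
// dwBegin, the strings, Fun1, Invoke and End in source order inside the
// merged .shell section; 32-bit MSVC only, like the inline asm it copies.
int main()
{
    int rc = 1;
    UINT uExec = 0;
    DWORD dwPid = 0;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    PVOID pMem = NULL;
    LPTHREAD_START_ROUTINE pEntry = NULL;
    // Bytes to copy: from the dwBegin marker up to End().
    SIZE_T dwSize = (SIZE_T)((ULONG_PTR)End - (ULONG_PTR)&dwBegin);

    printf("Begin Inject\n");
    // WinExec returns a value greater than 31 on success.
    uExec = WinExec("notepad.exe", SW_SHOW);
    if (uExec <= 31)
    {
        printf("WinExec failed: %u\n", uExec);
        return 1;
    }
    Sleep(100);   // crude wait for the new process to show up in the snapshot
    dwPid = GetProcessIdFromName("notepad.exe");
    if (dwPid == 0)
    {
        printf("notepad.exe not found\n");
        return 1;
    }
    // Least privilege: exactly the rights VirtualAllocEx, WriteProcessMemory
    // and CreateRemoteThread require, instead of PROCESS_ALL_ACCESS.
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                           FALSE, dwPid);
    if (hProcess == NULL)
    {
        printf("OpenProcess failed: %lu\n", GetLastError());
        return 1;
    }
    // RWE because code and data share one section in the copied blob. Could
    // be lowered to PAGE_EXECUTE_READ with VirtualProtectEx after the write
    // if nothing in the blob is modified at runtime — not verified here.
    pMem = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (pMem == NULL)
    {
        printf("VirtualAllocEx failed: %lu\n", GetLastError());
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, pMem, &dwBegin, dwSize, NULL))
    {
        printf("WriteProcessMemory failed: %lu\n", GetLastError());
        goto cleanup;
    }
    // Fun1 keeps its offset from dwBegin inside the copy.
    pEntry = (LPTHREAD_START_ROUTINE)((ULONG_PTR)pMem + ((ULONG_PTR)Fun1 - (ULONG_PTR)&dwBegin));
    hThread = CreateRemoteThread(hProcess, NULL, 0, pEntry, NULL, 0, NULL);
    if (hThread == NULL)
    {
        printf("CreateRemoteThread failed: %lu\n", GetLastError());
        goto cleanup;
    }
    WaitForSingleObject(hThread, INFINITE);
    rc = 0;

cleanup:
    // Release everything created in the target; the remote thread has
    // finished (or never started) by the time we get here.
    if (hThread != NULL)
        CloseHandle(hThread);
    if (pMem != NULL)
        VirtualFreeEx(hProcess, pMem, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    printf("End Inject\n");
    return rc;
}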
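// Return the PID of the first running process whose image name equals `name`
// (compared case-insensitively, as Windows file names are). Returns 0 when no
// such process exists or the snapshot cannot be taken.
DWORD GetProcessIdFromName(LPCTSTR name)
{
    DWORD id = 0;
    PROCESSENTRY32 pe;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;
    pe.dwSize = sizeof(pe);   // required before Process32First
    // Process32First already fills the first entry, so it is compared too
    // (the previous version discarded it and only looked at Process32Next).
    if (Process32First(hSnapshot, &pe))
    {
        do
        {
            if (lstrcmpi(pe.szExeFile, name) == 0)
            {
                id = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnapshot, &pe));
    }
    // Closed on every path, including Process32First failure.
    CloseHandle(hSnapshot);
    return id;
}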