patch_new
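/*
 * Enable SeDebugPrivilege on the current process token.
 *
 * Returns non-zero when the privilege is actually enabled, zero otherwise.
 * AdjustTokenPrivileges() returns TRUE even when it assigned nothing
 * (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so the last-error value is
 * checked as well; the original returned that misleading TRUE.  The token
 * handle is closed on every path and no heap allocation is made (the
 * original leaked both the handle and a new[]'d TOKEN_PRIVILEGES).
 * NOTE(review): same-process VirtualProtectEx/memcpy in Patch_new() do not
 * appear to need this privilege at all; it is kept for compatibility.
 */
int rise_pri()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        return FALSE;
    }

    BOOL enabled = FALSE;
    TOKEN_PRIVILEGES tp;            /* one LUID fits in the fixed-size struct */
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
        /* TRUE from AdjustTokenPrivileges only means "the call was made";
         * ERROR_SUCCESS distinguishes a real grant from a partial one. */
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL)
            && GetLastError() == ERROR_SUCCESS) {
            enabled = TRUE;
        }
    }
    CloseHandle(hToken);
    return enabled;
}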
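/*
 * Measure a hook body: the number of bytes from pfn up to (excluding) the
 * first 4-byte-aligned 0x90909090 dword, which the naked bodies in this file
 * emit as a terminator (13 trailing NOPs guarantee one such dword at a 4-byte
 * stride whatever the code length mod 4).
 *
 * Behaves like the original REPNZ SCASD loop but in portable C, and with a
 * bound: the original scanned with ECX = 0xFFFFFFFF, so a body without a
 * sentinel was read open-endedly through whatever follows it.  Now a missing
 * sentinel within kMaxScanBytes yields 0, which Patch_new() treats as "no
 * usable hook body".
 *
 * pfn     address of a naked hook body (see NewCreateProcessW1).
 * Returns body length in bytes (a multiple of 4), or 0 if no sentinel was
 *         found within the bound.
 */
ULONG GetMyFunctionLen(DWORD pfn)
{
    /* Hook bodies here are a PUSHAD/CALL/POPAD sequence; 4 KiB is far
     * beyond any of them. */
    const ULONG kMaxScanBytes = 4096;
    const ULONG kSentinel = 0x90909090;
    const unsigned char *base = (const unsigned char *)pfn;

    for (ULONG off = 0; off + sizeof(ULONG) <= kMaxScanBytes; off += sizeof(ULONG)) {
        ULONG word;
        memcpy(&word, base + off, sizeof word);   /* byte copy: no aliasing through code bytes */
        if (word == kSentinel) {
            return off;
        }
    }
    return 0;
}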
/*
 * Make [address, address+size) readable, writable and executable in the
 * current process.
 *
 * newmode is accepted but ignored: the protection applied is always
 * PAGE_EXECUTE_READWRITE (every caller in this file passes 0).
 * Returns the previous protection value on success (so the caller can put it
 * back), or -1 after logging "virtualprotect error".  The page is left RWX;
 * nothing here restores it.
 * The int-sized address/size parameters only make sense on 32-bit x86,
 * which is the only target this file's inline asm supports anyway.
 */
int makerw(int address, int size, int newmode)
{
    (void)newmode;
    DWORD previous = 0;
    BOOL changed = VirtualProtectEx(GetCurrentProcess(), (void *)address, size,
                                    PAGE_EXECUTE_READWRITE, &previous);
    if (changed) {
        return (int)previous;
    }
    OutputDebugStringA("virtualprotect error");
    return -1;
}
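/* Write a 5-byte "JMP rel32" (E9 disp32) at dst that lands on target.
 * The displacement is relative to the end of the instruction, i.e.
 * target - (dst + 5).  The instruction is assembled in a local buffer and
 * stored with a single memcpy so the opcode and displacement are not
 * visible half-written any longer than necessary. */
static void write_jmp_rel32(unsigned char *dst, DWORD target)
{
    unsigned char ins[5];
    ULONG disp = (ULONG)target - ((ULONG)(DWORD)dst + 5);
    ins[0] = 0xE9;
    memcpy(ins + 1, &disp, sizeof disp);
    memcpy(dst, ins, sizeof ins);
}

/*
 * Detour the instruction(s) at codeaddress through the naked hook body at
 * pfnNewFunction.
 *
 * A trampoline is built in a fresh heap block laid out as
 *   [hook body bytes][thisclausebytes bytes displaced from codeaddress]
 *   [JMP back to codeaddress + thisclausebytes]
 * and the first 5 bytes at codeaddress are then overwritten with a JMP to
 * it.  The hook body is measured with GetMyFunctionLen() (up to its
 * 0x90909090 sentinel) and must not RET: control falls through into the
 * displaced bytes and from there jumps back into the original code.
 *
 * codeaddress     start of the instruction(s) to displace.  They must be
 *                 whole instructions totalling at least 5 bytes and, because
 *                 they are copied verbatim, must not be EIP-relative
 *                 (CALL/JMP/Jcc); the caller picks them by hand, see the
 *                 CreateProcessW example below.
 * thisclausebytes byte count of those instructions (>= 5).
 * pfnNewFunction  address of a naked hook body terminated by 0x90909090.
 *
 * Returns the trampoline address (deliberately never freed: it stays live
 * as long as the patch is in place), or 0 on failure.  On failure nothing
 * at codeaddress has been modified.
 *
 * NOTE(review): the 5-byte write at codeaddress is not atomic; another
 * thread executing exactly that spot during the memcpy would see a torn
 * instruction.  Callers are expected to patch while the target is idle
 * (the original had the same window, plus a commented-out CLI that cannot
 * work from user mode).
 */
DWORD Patch_new(DWORD codeaddress, int thisclausebytes, DWORD pfnNewFunction)
{
    enum { JMP_REL32_LEN = 5 };          /* E9 + 4-byte displacement */

    rise_pri();                          /* best effort, as before; result unused */

    if (thisclausebytes < JMP_REL32_LEN) {
        OutputDebugStringApi("[Patch_new]thisclausebytes=%d is shorter than a 5-byte JMP", thisclausebytes);
        return 0;
    }

    ULONG fakefunctionlen = GetMyFunctionLen(pfnNewFunction);
    OutputDebugStringApi("[Patch_new]functionlen=%d pfnNewFunction=%x codeaddress=%x thisclausebytes=%d",
                         fakefunctionlen, pfnNewFunction, codeaddress, thisclausebytes);
    if (fakefunctionlen == 0) {
        /* Sentinel at offset 0 (or not found at all): no usable body.  This
         * is what a _DEBUG incremental-linking thunk looks like, see hook_cond1. */
        OutputDebugStringApi("[Patch_new]no hook body found at %x", pfnNewFunction);
        return 0;
    }

    ULONG newplacecodelength = fakefunctionlen + (ULONG)thisclausebytes + JMP_REL32_LEN;
    char *tramp = new char[newplacecodelength];
    if (tramp == NULL) {                 /* older MSVC runtimes return NULL instead of throwing */
        return 0;
    }
    unsigned char *p = (unsigned char *)tramp;
    DWORD SectionGapStart = (DWORD)tramp;

    /* Heap pages are not executable; the trampoline has to be RWX.  The hook
     * body itself only needs to be readable, which executable code already
     * is, so its page is left alone (the original also made it RWX). */
    if (makerw((int)SectionGapStart, (int)newplacecodelength, 0) == -1) {
        delete[] tramp;
        return 0;
    }
    OutputDebugStringApi("makerw");

    memcpy(p, (const void *)pfnNewFunction, fakefunctionlen);
    OutputDebugStringApi("copynewcode.1");
    memcpy(p + fakefunctionlen, (const void *)codeaddress, (size_t)thisclausebytes);
    OutputDebugStringApi("copyclausecode.1");

    /* On my machine the code of CreateProcessW looks like this:
     * KERNEL32!CreateProcessW
     * 001B:77E6B252 55      PUSH EBP
     * 001B:77E6B253 8BEC    MOV EBP, ESP
     * 001B:77E6B255 FF752C  PUSH DWORD PTR [EBP+2C]
     * The second and third instructions are exactly 5 bytes together, so
     * those two are the ones replaced by the jump.
     * Jump opcode 0xE9; displacement = destination - start - length of the
     * jump instruction itself.
     */
    write_jmp_rel32(p + fakefunctionlen + thisclausebytes, codeaddress + (DWORD)thisclausebytes);

    OutputDebugStringApi("[Patch_new]---2---");
    int oldprot = makerw((int)codeaddress, JMP_REL32_LEN, 0);
    if (oldprot == -1) {
        delete[] tramp;
        return 0;
    }
    OutputDebugStringApi("[Patch_new]---3---");
    write_jmp_rel32((unsigned char *)codeaddress, SectionGapStart);

    /* Put the original protection back: the live code page should not stay
     * writable for the rest of the process lifetime.  Failure here is not
     * fatal, the hook is already in place.  The cache flush is what the
     * platform asks for after writing code that will be executed. */
    DWORD ignored = 0;
    VirtualProtectEx(GetCurrentProcess(), (void *)codeaddress, JMP_REL32_LEN, (DWORD)oldprot, &ignored);
    FlushInstructionCache(GetCurrentProcess(), (const void *)codeaddress, JMP_REL32_LEN);

    OutputDebugStringApi("[Patch_new]ok");
    return SectionGapStart;
}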
/* Messages emitted by the condition hook bodies below.  They are plain
 * char arrays because the bodies take their address with LEA and hand it
 * to opfn. */
char string1[] = "--->condition 1";
char string2[] = "--->condition 2";
char string3[] = "--->condition 3";
char string4[] = "--->condition 4";
char string5[] = "--->condition 5";
char string6[] = "--->condition 6";
char string7[] = "--->condition 7";
char string8[] = "--->condition 8";
char string9[] = "--->condition 9";
char stringA[] = "--->condition A";
/* Address of OutputDebugString, stored in a variable so the naked bodies
 * can do "call opfn" (an indirect call through this dword).
 * NOTE(review): OutputDebugString is the A/W macro; the strings above are
 * ANSI, so this assumes a non-UNICODE build.  OutputDebugStringA would pin
 * that down. */
DWORD opfn=(DWORD)OutputDebugString;
/*
 * Hook body "condition 1": prints string1 ("--->condition 1") to the
 * debugger through opfn and leaves every general register as it found it.
 * Despite the name it does nothing CreateProcessW-specific; it is a
 * tracing probe that can be planted at any instruction boundary.
 *
 * This is not a callable function.  Patch_new() copies its bytes up to the
 * first 4-byte-aligned 0x90909090 into a trampoline and appends the
 * displaced original instructions plus a JMP back, so there is no RET and
 * execution falls through the NOP tail.  The 13 NOPs guarantee that a full
 * 0x90909090 dword exists at a 4-byte stride from the start whatever the
 * code length mod 4 (GetMyFunctionLen scans dword by dword).
 *
 * No return type is written; this relies on the compiler accepting the
 * legacy implicit form.  Applies to every naked body in this file.
 *
 * NOTE(review): PUSHAD/POPAD do not preserve EFLAGS, and the call below
 * will change them.  Planting any of these bodies between a CMP/TEST and
 * the Jcc that consumes it would change the program's behaviour; PUSHFD/
 * POPFD around the call would close that gap.
 */
__declspec(naked) NewCreateProcessW1()
{
__asm
{
PUSHAD                  // save eax..edi so the patched code sees them unchanged
lea eax, string1
push eax
call opfn               // indirect call through the opfn variable (OutputDebugString; stdcall, callee pops the argument)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel, see header comment
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body "condition 2": same shape as NewCreateProcessW1 (see its
 * header for the trampoline/sentinel contract and the EFLAGS caveat) but
 * prints string2.  Not callable: no return type, no RET, terminated by the
 * 0x90909090 sentinel that GetMyFunctionLen looks for.
 */
__declspec(naked) NewCreateProcessW2()
{
__asm
{
PUSHAD                  // preserve eax..edi
lea eax, string2
push eax
call opfn               // indirect call through opfn (OutputDebugString, stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body "condition 3": same shape as NewCreateProcessW1 (see its
 * header for the trampoline/sentinel contract and the EFLAGS caveat) but
 * prints string3.  Not callable: no return type, no RET, terminated by the
 * 0x90909090 sentinel that GetMyFunctionLen looks for.
 */
__declspec(naked) condition3()
{
__asm
{
PUSHAD                  // preserve eax..edi
lea eax, string3
push eax
call opfn               // indirect call through opfn (OutputDebugString, stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body "condition 4": same shape as NewCreateProcessW1 (see its
 * header for the trampoline/sentinel contract and the EFLAGS caveat) but
 * prints string4.  Not callable: no return type, no RET, terminated by the
 * 0x90909090 sentinel that GetMyFunctionLen looks for.
 */
__declspec(naked) condition4()
{
__asm
{
PUSHAD                  // preserve eax..edi
lea eax, string4
push eax
call opfn               // indirect call through opfn (OutputDebugString, stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body "condition 5": same shape as NewCreateProcessW1 (see its
 * header for the trampoline/sentinel contract and the EFLAGS caveat) but
 * prints string5.  Not callable: no return type, no RET, terminated by the
 * 0x90909090 sentinel that GetMyFunctionLen looks for.
 */
__declspec(naked) condition5()
{
__asm
{
PUSHAD                  // preserve eax..edi
lea eax, string5
push eax
call opfn               // indirect call through opfn (OutputDebugString, stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body "condition 6": same shape as NewCreateProcessW1 (see its
 * header for the trampoline/sentinel contract and the EFLAGS caveat) but
 * prints string6.  Not callable: no return type, no RET, terminated by the
 * 0x90909090 sentinel that GetMyFunctionLen looks for.
 */
__declspec(naked) condition6()
{
__asm
{
PUSHAD                  // preserve eax..edi
lea eax, string6
push eax
call opfn               // indirect call through opfn (OutputDebugString, stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body "condition 7": same shape as NewCreateProcessW1 (see its
 * header for the trampoline/sentinel contract and the EFLAGS caveat) but
 * prints string7.  Not callable: no return type, no RET, terminated by the
 * 0x90909090 sentinel that GetMyFunctionLen looks for.
 */
__declspec(naked) condition7()
{
__asm
{
PUSHAD                  // preserve eax..edi
lea eax, string7
push eax
call opfn               // indirect call through opfn (OutputDebugString, stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body "condition 8": same shape as NewCreateProcessW1 (see its
 * header for the trampoline/sentinel contract and the EFLAGS caveat) but
 * prints string8.  Not callable: no return type, no RET, terminated by the
 * 0x90909090 sentinel that GetMyFunctionLen looks for.
 */
__declspec(naked) condition8()
{
__asm
{
PUSHAD                  // preserve eax..edi
lea eax, string8
push eax
call opfn               // indirect call through opfn (OutputDebugString, stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body "condition 9": same shape as NewCreateProcessW1 (see its
 * header for the trampoline/sentinel contract and the EFLAGS caveat) but
 * prints string9.  Not callable: no return type, no RET, terminated by the
 * 0x90909090 sentinel that GetMyFunctionLen looks for.
 */
__declspec(naked) condition9()
{
__asm
{
PUSHAD                  // preserve eax..edi
lea eax, string9
push eax
call opfn               // indirect call through opfn (OutputDebugString, stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body "condition A": same shape as NewCreateProcessW1 (see its
 * header for the trampoline/sentinel contract and the EFLAGS caveat) but
 * prints stringA.  Not callable: no return type, no RET, terminated by the
 * 0x90909090 sentinel that GetMyFunctionLen looks for.
 */
__declspec(naked) conditionA()
{
__asm
{
PUSHAD                  // preserve eax..edi
lea eax, stringA
push eax
call opfn               // indirect call through opfn (OutputDebugString, stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Emit a NUL-terminated wide string to the debugger.  stdcall so the naked
 * bodies can PUSH one pointer and CALL through fn_printebpwidestring.
 * The pointer is passed straight through; nothing checks that it is valid.
 */
void __stdcall printebpwidestring(WCHAR* ebpoffsetstringptr)
{
    const WCHAR *text = ebpoffsetstringptr;
    OutputDebugStringW(text);
}
/*
 * Emit a NUL-terminated ANSI string to the debugger.  stdcall so the naked
 * bodies can PUSH one pointer and CALL through fn_printebpansistring.
 * The pointer is passed straight through; nothing checks that it is valid.
 */
void __stdcall printebpansistring(char* ebpoffsetstringptr)
{
    const char *text = ebpoffsetstringptr;
    OutputDebugStringA(text);
}
/* Function-pointer types for the two string printers above; the naked bodies
 * call through a variable of these types rather than the symbol directly. */
typedef void (__stdcall* printebpwidestring_T)(WCHAR* ebpoffsetstringptr);
typedef void (__stdcall* printebpansistring_T)(char* ebpoffsetstringptr);
/* Frame offsets (subtracted from EBP) used by _printwidestringonebp /
 * _printasnistringonebp; set by hook_printwidestringonebp /
 * hook_printasnistringonebp right before the patch is installed. */
DWORD ebpoffsetwide = 0;
DWORD ebpoffsetansi = 0;
/* Targets of the "call fn_print..." instructions in the naked bodies. */
printebpwidestring_T fn_printebpwidestring = printebpwidestring;
printebpansistring_T fn_printebpansistring = printebpansistring;
/*
 * Hook body: prints the wide string that lives inline in the current frame
 * at address EBP - ebpoffsetwide (the address itself is passed, it is not
 * dereferenced first; compare _printstackvar).  EBP is modified to form the
 * address and restored by POPAD.  Same trampoline/sentinel contract and
 * EFLAGS caveat as NewCreateProcessW1; not callable.
 */
__declspec(naked) _printwidestringonebp()
{
__asm
{
PUSHAD                  // preserve eax..edi (including the ebp changed below)
mov eax, ebpoffsetwide
sub ebp,eax             // ebp = frame base - offset
mov eax,ebp
push eax                // WCHAR* argument
call fn_printebpwidestring   // indirect call through the variable (stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body: prints the ANSI string that lives inline in the current frame
 * at address EBP - ebpoffsetansi (the address itself is passed, it is not
 * dereferenced first; compare _printstackvar).  EBP is modified to form the
 * address and restored by POPAD.  Same trampoline/sentinel contract and
 * EFLAGS caveat as NewCreateProcessW1; not callable.
 * (Name spelling "asni" is kept: hook_printasnistringonebp refers to it.)
 */
__declspec(naked) _printasnistringonebp()
{
__asm
{
PUSHAD                  // preserve eax..edi (including the ebp changed below)
mov eax, ebpoffsetansi
sub ebp,eax             // ebp = frame base - offset
mov eax,ebp
push eax                // char* argument
call fn_printebpansistring   // indirect call through the variable (stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
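/*
 * Print a DWORD as "0x<hex>" to the debugger.  stdcall so the naked bodies
 * can PUSH the value and CALL through fn_printval.
 *
 * The buffer is sized for the worst case: "0x" + 8 hex digits + NUL = 11
 * bytes.  The original char[10] overflowed the stack by one byte for any
 * value >= 0x10000000 (the terminating NUL landed past the array).  With the
 * format fixed and the buffer sized from it, sprintf cannot exceed it.
 */
void __stdcall printval(DWORD a)
{
    char cc[2 + 2 * sizeof(DWORD) + 1];
    sprintf(cc, "0x%x", (unsigned)a);
    OutputDebugStringA(cc);
}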
/* Function-pointer type for printval; the naked bodies call through fn_printval. */
typedef void (__stdcall* printval_T)(DWORD a);
/* Parameters of the _print* bodies below, set by the matching hook_* wrapper
 * right before Patch_new() is called:
 *   stackvaraddress    offset subtracted from EBP by _printstackvar
 *   globalvaraddress   absolute address read by _printglobalvar
 *   ecxoffsetaddress   offset added to ECX by _printecxclassmember */
DWORD stackvaraddress = 0;
DWORD globalvaraddress = 0;
DWORD ecxoffsetaddress = 0;
printval_T fn_printval = printval;
/* Offset added to ECX by _printwidestringecxclass (set by hook_printwidestringecxclass). */
DWORD offset_ecx_class_wide = 0;
/*
 * Hook body: prints the wide string stored inline in the object ECX points
 * at, at ECX + offset_ecx_class_wide (the address is passed, not
 * dereferenced first).  Registers preserved by PUSHAD/POPAD.  Same
 * trampoline/sentinel contract and EFLAGS caveat as NewCreateProcessW1;
 * not callable.
 */
__declspec(naked) _printwidestringecxclass()
{
__asm
{
PUSHAD                  // preserve eax..edi
mov eax, offset_ecx_class_wide
add eax,ecx             // eax = this + member offset
push eax                // WCHAR* argument
call fn_printebpwidestring   // indirect call through the variable (stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/* Offset added to ECX by _printansistringecxclass (set by hook_printansistringecxclass). */
DWORD offset_ecx_class_ansi = 0;
/*
 * Hook body: prints the ANSI string stored inline in the object ECX points
 * at, at ECX + offset_ecx_class_ansi (the address is passed, not
 * dereferenced first).  Registers preserved by PUSHAD/POPAD.  Same
 * trampoline/sentinel contract and EFLAGS caveat as NewCreateProcessW1;
 * not callable.
 */
__declspec(naked) _printansistringecxclass()
{
__asm
{
PUSHAD                  // preserve eax..edi
mov eax, offset_ecx_class_ansi
add eax,ecx             // eax = this + member offset
push eax                // char* argument
call fn_printebpansistring   // indirect call through the variable (stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body: computes ECX + ecxoffsetaddress and hands that value to
 * fn_printval (printval), which prints it as "0x...".
 * NOTE(review): what gets printed is the member's ADDRESS, not its value;
 * _printglobalvar and _printstackvar both add a "mov eax,[..]" to
 * dereference.  If the member value was intended, an extra
 * "mov eax,[eax]" after the add would do it.
 * Registers preserved by PUSHAD/POPAD.  Same trampoline/sentinel contract
 * and EFLAGS caveat as NewCreateProcessW1; not callable.
 */
__declspec(naked) _printecxclassmember()
{
__asm
{
PUSHAD                  // preserve eax..edi
mov eax, ecxoffsetaddress
add eax,ecx             // eax = this + member offset (not dereferenced)
push eax
call fn_printval        // indirect call through the variable (stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body: reads the dword at EBP - stackvaraddress (a local in the
 * current frame) and prints its value via fn_printval (printval).  EBP is
 * modified to form the address and restored by POPAD.  Same trampoline/
 * sentinel contract and EFLAGS caveat as NewCreateProcessW1; not callable.
 */
__declspec(naked) _printstackvar()
{
__asm
{
PUSHAD                  // preserve eax..edi (including the ebp changed below)
mov eax, stackvaraddress
sub ebp,eax             // ebp = frame base - offset
mov eax,[ebp]           // load the variable's value
push eax
call fn_printval        // indirect call through the variable (stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body: reads the dword at the absolute address globalvaraddress and
 * prints its value via fn_printval (printval).  Registers preserved by
 * PUSHAD/POPAD.  Same trampoline/sentinel contract and EFLAGS caveat as
 * NewCreateProcessW1; not callable.
 */
__declspec(naked) _printglobalvar()
{
__asm
{
PUSHAD                  // preserve eax..edi
mov eax, globalvaraddress
mov eax,[eax]           // load the variable's value
push eax
call fn_printval        // indirect call through the variable (stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Print the seven general registers captured by the printregs hook body as
 * one "eax=.. ebx=.. ... ebp=.." line.  stdcall: the body pushes ebp first
 * and eax last so the arguments line up.  The line is at most 7 * 13
 * characters, well inside the 200-byte buffer.
 */
void __stdcall print_regs(int eax, int ebx, int ecx, int edx, int esi, int edi, int ebp)
{
    static const char fmt[] = "eax=%x ebx=%x ecx=%x edx=%x esi=%x edi=%x ebp=%x";
    char line[200];
    sprintf(line, fmt, eax, ebx, ecx, edx, esi, edi, ebp);
    OutputDebugStringA(line);
}
/* Address of print_regs, stored as a dword so printregs can "call fnprint_regs". */
DWORD fnprint_regs=(DWORD)print_regs;
/*
 * Hook body: dumps eax, ebx, ecx, edx, esi, edi and ebp as they are at the
 * hook point by calling print_regs through fnprint_regs.  The pushes are in
 * reverse parameter order (ebp first, eax last) as stdcall requires.  ESP is
 * not reported.  Registers preserved by PUSHAD/POPAD.  Same trampoline/
 * sentinel contract and EFLAGS caveat as NewCreateProcessW1; not callable.
 */
__declspec(naked) printregs()
{
__asm
{
PUSHAD                  // preserve eax..edi
push ebp                // 7th argument ...
push edi
push esi
push edx
push ecx
push ebx
push eax                // ... 1st argument
call fnprint_regs       // indirect call through the variable (stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Treat the register value as a pointer and print "[addr]=value" for the
 * dword it points at.  stdcall; reached from the printL* hook bodies through
 * fnprint_8eax.  Output is at most 19 characters, so the 30-byte buffer is
 * sufficient.
 * NOTE(review): the dereference is unguarded; a register holding anything
 * other than a readable address faults inside the hooked program.
 */
void __stdcall print_8eax(int eax)
{
    const DWORD *where = (const DWORD *)eax;
    char line[30];
    sprintf(line, "[%x]=%x", eax, *where);
    OutputDebugStringA(line);
}
/* Address of print_8eax, stored as a dword so the printL* bodies can "call fnprint_8eax". */
DWORD fnprint_8eax=(DWORD)print_8eax;
/*
 * Hook body: prints the dword at [eax] (print_8eax via fnprint_8eax), i.e.
 * eax is treated as a pointer and must be readable.  Registers preserved by
 * PUSHAD/POPAD.  Same trampoline/sentinel contract and EFLAGS caveat as
 * NewCreateProcessW1; not callable.
 */
__declspec(naked) printLeax()
{
__asm
{
PUSHAD                  // preserve eax..edi
push eax                // pointer argument
call fnprint_8eax       // indirect call through the variable (stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body: prints the dword at [ebx] (print_8eax via fnprint_8eax), i.e.
 * ebx is treated as a pointer and must be readable.  Registers preserved by
 * PUSHAD/POPAD.  Same trampoline/sentinel contract and EFLAGS caveat as
 * NewCreateProcessW1; not callable.
 */
__declspec(naked) printLebx()
{
__asm
{
PUSHAD                  // preserve eax..edi
push ebx                // pointer argument
call fnprint_8eax       // indirect call through the variable (stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body: prints the dword at [ecx] (print_8eax via fnprint_8eax), i.e.
 * ecx is treated as a pointer and must be readable.  Registers preserved by
 * PUSHAD/POPAD.  Same trampoline/sentinel contract and EFLAGS caveat as
 * NewCreateProcessW1; not callable.
 */
__declspec(naked) printLecx()
{
__asm
{
PUSHAD                  // preserve eax..edi
push ecx                // pointer argument
call fnprint_8eax       // indirect call through the variable (stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body: prints the dword at [edx] (print_8eax via fnprint_8eax), i.e.
 * edx is treated as a pointer and must be readable.  Registers preserved by
 * PUSHAD/POPAD.  Same trampoline/sentinel contract and EFLAGS caveat as
 * NewCreateProcessW1; not callable.
 */
__declspec(naked) printLedx()
{
__asm
{
PUSHAD                  // preserve eax..edi
push edx                // pointer argument
call fnprint_8eax       // indirect call through the variable (stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body: prints the dword at [esi] (print_8eax via fnprint_8eax), i.e.
 * esi is treated as a pointer and must be readable.  Registers preserved by
 * PUSHAD/POPAD.  Same trampoline/sentinel contract and EFLAGS caveat as
 * NewCreateProcessW1; not callable.
 */
__declspec(naked) printLesi()
{
__asm
{
PUSHAD                  // preserve eax..edi
push esi                // pointer argument
call fnprint_8eax       // indirect call through the variable (stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body: prints the dword at [edi] (print_8eax via fnprint_8eax), i.e.
 * edi is treated as a pointer and must be readable.  Registers preserved by
 * PUSHAD/POPAD.  Same trampoline/sentinel contract and EFLAGS caveat as
 * NewCreateProcessW1; not callable.
 */
__declspec(naked) printLedi()
{
__asm
{
PUSHAD                  // preserve eax..edi
push edi                // pointer argument
call fnprint_8eax       // indirect call through the variable (stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body: prints the dword at [ebp] (print_8eax via fnprint_8eax) — in a
 * conventional frame that is the saved caller EBP.  Registers preserved by
 * PUSHAD/POPAD.  Same trampoline/sentinel contract and EFLAGS caveat as
 * NewCreateProcessW1; not callable.
 */
__declspec(naked) printLebp()
{
__asm
{
PUSHAD                  // preserve eax..edi
push ebp                // pointer argument
call fnprint_8eax       // indirect call through the variable (stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Dump 32 consecutive dwords starting at esp, one "[addr]=value" line each.
 * stdcall; reached from the printstack hook body, which actually passes EBP
 * (see printstack).  All 32 slots are read unconditionally, so the 128 bytes
 * from esp upward must be readable.  Each line is at most 19 characters.
 */
void __stdcall print_stack(DWORD* esp)
{
    char line[30];
    const DWORD *slot = esp;
    const DWORD *end = esp + 32;
    for (; slot != end; ++slot) {
        sprintf(line, "[%x]=%x", slot, *slot);
        OutputDebugStringA(line);
    }
}
/* Address of print_stack, stored as a dword so printstack can "call fnprint_stack". */
DWORD fnprint_stack=(DWORD)print_stack;
/*
 * Hook body: dumps 32 dwords starting at EBP by calling print_stack through
 * fnprint_stack.  Note that it passes EBP, not ESP, so what is printed is
 * the frame (saved EBP, return address, arguments...) rather than the top
 * of stack; print_stack's parameter name is misleading in that respect.
 * NOTE(review): if the stack pointer at the hook point was intended,
 * "lea eax,[esp+32]" after PUSHAD (which itself pushes 32 bytes) would be
 * the value to push.
 * Registers preserved by PUSHAD/POPAD.  Same trampoline/sentinel contract
 * and EFLAGS caveat as NewCreateProcessW1; not callable.
 */
__declspec(naked) printstack()
{
__asm
{
PUSHAD                  // preserve eax..edi
push ebp                // DWORD* argument: frame base, not esp
call fnprint_stack      // indirect call through the variable (stdcall)
POPAD
_emit 0x90              // 13 x NOP: padding + 0x90909090 sentinel
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
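/*
 * Install the "condition 1" tracing body at addresshook; instructionlen
 * bytes of original code are displaced into the trampoline (see Patch_new).
 *
 * In _DEBUG builds, incremental linking makes NewCreateProcessW1 resolve to
 * an ILT thunk ("JMP rel32", E9 xx xx xx xx) rather than the body; the
 * sentinel scan in GetMyFunctionLen needs the real body, so the jump is
 * followed.  Unlike the original, the opcode is checked first: if the
 * address is already the body (no thunk), the first bytes would otherwise
 * be misread as a displacement and Patch_new would copy from garbage.
 */
void __stdcall hook_cond1(DWORD addresshook, int instructionlen)
{
    DWORD body = (DWORD)NewCreateProcessW1;
#ifdef _DEBUG
    const unsigned char *thunk = (const unsigned char *)body;
    if (thunk[0] == 0xE9) {
        LONG rel;
        memcpy(&rel, thunk + 1, sizeof rel);     /* unaligned-safe read of disp32 */
        body = body + 5 + (DWORD)rel;            /* target = end of JMP + displacement */
    }
#endif
    Patch_new(addresshook, instructionlen, body);
}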
/*
 * Install the "condition 2" tracing body at addresshook; instructionlen
 * bytes of original code are displaced into the trampoline (see Patch_new).
 * NOTE(review): unlike hook_cond1, this and the other hook_* wrappers below
 * do not resolve the _DEBUG incremental-linking thunk, so in a _DEBUG build
 * Patch_new is handed the thunk address rather than the hook body.
 */
void __stdcall hook_cond2(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)NewCreateProcessW2;
    Patch_new(addresshook, instructionlen, body);
}
/* Install the "condition 3" tracing body at addresshook, displacing
 * instructionlen bytes of original code (see Patch_new). */
void __stdcall hook_cond3(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)condition3;
    Patch_new(addresshook, instructionlen, body);
}
/* Install the "condition 4" tracing body at addresshook, displacing
 * instructionlen bytes of original code (see Patch_new). */
void __stdcall hook_cond4(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)condition4;
    Patch_new(addresshook, instructionlen, body);
}
/* Install the "condition 5" tracing body at addresshook, displacing
 * instructionlen bytes of original code (see Patch_new). */
void __stdcall hook_cond5(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)condition5;
    Patch_new(addresshook, instructionlen, body);
}
/* Install the "condition 6" tracing body at addresshook, displacing
 * instructionlen bytes of original code (see Patch_new). */
void __stdcall hook_cond6(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)condition6;
    Patch_new(addresshook, instructionlen, body);
}
/* Install the "condition 7" tracing body at addresshook, displacing
 * instructionlen bytes of original code (see Patch_new). */
void __stdcall hook_cond7(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)condition7;
    Patch_new(addresshook, instructionlen, body);
}
/* Install the "condition 8" tracing body at addresshook, displacing
 * instructionlen bytes of original code (see Patch_new). */
void __stdcall hook_cond8(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)condition8;
    Patch_new(addresshook, instructionlen, body);
}
/* Install the "condition 9" tracing body at addresshook, displacing
 * instructionlen bytes of original code (see Patch_new). */
void __stdcall hook_cond9(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)condition9;
    Patch_new(addresshook, instructionlen, body);
}
/* Install the "condition A" tracing body at addresshook, displacing
 * instructionlen bytes of original code (see Patch_new). */
void __stdcall hook_condA(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)conditionA;
    Patch_new(addresshook, instructionlen, body);
}
/* Install the register-dump body (printregs) at addresshook, displacing
 * instructionlen bytes of original code (see Patch_new). */
void __stdcall hook_printregs(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)printregs;
    Patch_new(addresshook, instructionlen, body);
}
/* Install the frame-dump body (printstack; 32 dwords from EBP) at
 * addresshook, displacing instructionlen bytes of original code. */
void __stdcall hook_printstack(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)printstack;
    Patch_new(addresshook, instructionlen, body);
}
/* Install the "[eax]" dump body (printLeax) at addresshook, displacing
 * instructionlen bytes of original code (see Patch_new). */
void __stdcall hook_printmemeax(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)printLeax;
    Patch_new(addresshook, instructionlen, body);
}
/* Install the "[ebx]" dump body (printLebx) at addresshook, displacing
 * instructionlen bytes of original code (see Patch_new). */
void __stdcall hook_printmemebx(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)printLebx;
    Patch_new(addresshook, instructionlen, body);
}
/* Install the "[ecx]" dump body (printLecx) at addresshook, displacing
 * instructionlen bytes of original code (see Patch_new). */
void __stdcall hook_printmemecx(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)printLecx;
    Patch_new(addresshook, instructionlen, body);
}
/* Install the "[edx]" dump body (printLedx) at addresshook, displacing
 * instructionlen bytes of original code (see Patch_new). */
void __stdcall hook_printmemedx(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)printLedx;
    Patch_new(addresshook, instructionlen, body);
}
/* Install the "[esi]" dump body (printLesi) at addresshook, displacing
 * instructionlen bytes of original code (see Patch_new). */
void __stdcall hook_printmemesi(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)printLesi;
    Patch_new(addresshook, instructionlen, body);
}
/* Install the "[edi]" dump body (printLedi) at addresshook, displacing
 * instructionlen bytes of original code (see Patch_new). */
void __stdcall hook_printmemedi(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)printLedi;
    Patch_new(addresshook, instructionlen, body);
}
/* Install the "[ebp]" dump body (printLebp) at addresshook, displacing
 * instructionlen bytes of original code (see Patch_new). */
void __stdcall hook_printmemebp(DWORD addresshook, int instructionlen)
{
    const DWORD body = (DWORD)printLebp;
    Patch_new(addresshook, instructionlen, body);
}
/*
 * Install the body that prints the ANSI string at EBP - offset
 * (_printasnistringonebp) at addresshook, displacing instructionlen bytes.
 * The offset goes through the global ebpoffsetansi, which the naked body
 * reads at run time; installing a second hook with a different offset
 * therefore changes what the first one prints as well.
 */
void __stdcall hook_printasnistringonebp(DWORD addresshook, int instructionlen, DWORD offset)
{
    ebpoffsetansi = offset;
    const DWORD body = (DWORD)_printasnistringonebp;
    Patch_new(addresshook, instructionlen, body);
}
/*
 * Install the body that prints the wide string at EBP - offset
 * (_printwidestringonebp) at addresshook, displacing instructionlen bytes.
 * The offset goes through the global ebpoffsetwide, which the naked body
 * reads at run time; installing a second hook with a different offset
 * therefore changes what the first one prints as well.
 */
void __stdcall hook_printwidestringonebp(DWORD addresshook, int instructionlen, DWORD offset)
{
    ebpoffsetwide = offset;
    const DWORD body = (DWORD)_printwidestringonebp;
    Patch_new(addresshook, instructionlen, body);
}
/*
 * Install the body that prints the dword at the absolute address
 * `address` (_printglobalvar) at addresshook, displacing instructionlen
 * bytes.  The address goes through the global globalvaraddress, shared by
 * every instance of this hook.
 */
void __stdcall hook_printglobalvar(DWORD addresshook, int instructionlen, DWORD address)
{
    globalvaraddress = address;
    const DWORD body = (DWORD)_printglobalvar;
    Patch_new(addresshook, instructionlen, body);
}
/*
 * Install the body that prints the dword at EBP - address
 * (_printstackvar) at addresshook, displacing instructionlen bytes.  Despite
 * the parameter name, `address` is a frame offset; it goes through the
 * global stackvaraddress, shared by every instance of this hook.
 */
void __stdcall hook_printstackvar(DWORD addresshook, int instructionlen, DWORD address)
{
    stackvaraddress = address;
    const DWORD body = (DWORD)_printstackvar;
    Patch_new(addresshook, instructionlen, body);
}
/*
 * Install the body that prints ECX + address (_printecxclassmember) at
 * addresshook, displacing instructionlen bytes.  `address` is a member
 * offset stored in the global ecxoffsetaddress.  Note that the body prints
 * the computed address, not the member's value (see _printecxclassmember).
 */
void __stdcall hook_printecxclassmember(DWORD addresshook, int instructionlen, DWORD address)
{
    ecxoffsetaddress = address;
    const DWORD body = (DWORD)_printecxclassmember;
    Patch_new(addresshook, instructionlen, body);
}
/*
 * Install the body that prints the wide string inline at ECX + address
 * (_printwidestringecxclass) at addresshook, displacing instructionlen
 * bytes.  `address` is a member offset stored in the global
 * offset_ecx_class_wide, shared by every instance of this hook.
 */
void __stdcall hook_printwidestringecxclass(DWORD addresshook, int instructionlen, DWORD address)
{
    offset_ecx_class_wide = address;
    const DWORD body = (DWORD)_printwidestringecxclass;
    Patch_new(addresshook, instructionlen, body);
}
/*
 * Install the body that prints the ANSI string inline at ECX + address
 * (_printansistringecxclass) at addresshook, displacing instructionlen
 * bytes.  `address` is a member offset stored in the global
 * offset_ecx_class_ansi, shared by every instance of this hook.
 */
void __stdcall hook_printansistringecxclass(DWORD addresshook, int instructionlen, DWORD address)
{
    offset_ecx_class_ansi = address;
    const DWORD body = (DWORD)_printansistringecxclass;
    Patch_new(addresshook, instructionlen, body);
}