最近分析了冰蝎的jni库,发现其中的freeFile函数写的很底层,学习了一下:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#define _DWORD DWORD
/*
 * SYSTEM_INFORMATION_CLASS: information classes accepted by
 * ZwQuerySystemInformation.  Every value is spelled out so that a dropped or
 * reordered line can no longer silently shift all the classes after it.
 * The two-letter marks and the alternate names in the trailing comments are
 * carried over from the original listing (presumably query/set support
 * flags; not verified here).  Nothing in this file calls
 * ZwQuerySystemInformation, so only the numeric values matter.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation               = 0,   /* Y N */
    SystemProcessorInformation           = 1,   /* Y N */
    SystemPerformanceInformation         = 2,   /* Y N */
    SystemTimeOfDayInformation           = 3,   /* Y N */
    SystemNotImplemented1                = 4,   /* Y N  SystemPathInformation */
    SystemProcessesAndThreadsInformation = 5,   /* Y N */
    SystemCallCounts                     = 6,   /* Y N */
    SystemConfigurationInformation       = 7,   /* Y N */
    SystemProcessorTimes                 = 8,   /* Y N */
    SystemGlobalFlag                     = 9,   /* Y Y */
    SystemNotImplemented2                = 10,  /* Y N  SystemCallTimeInformation */
    SystemModuleInformation              = 11,  /* Y N */
    SystemLockInformation                = 12,  /* Y N */
    SystemNotImplemented3                = 13,  /* Y N  SystemStackTraceInformation */
    SystemNotImplemented4                = 14,  /* Y N  SystemPagedPoolInformation */
    SystemNotImplemented5                = 15,  /* Y N  SystemNonPagedPoolInformation */
    SystemHandleInformation              = 16,  /* Y N */
    SystemObjectInformation              = 17,  /* Y N */
    SystemPagefileInformation            = 18,  /* Y N */
    SystemInstructionEmulationCounts     = 19,  /* Y N */
    SystemInvalidInfoClass1              = 20,
    SystemCacheInformation               = 21,  /* Y Y */
    SystemPoolTagInformation             = 22,  /* Y N */
    SystemProcessorStatistics            = 23,  /* Y N */
    SystemDpcInformation                 = 24,  /* Y Y */
    SystemNotImplemented6                = 25,  /* Y N  SystemFullMemoryInformation */
    SystemLoadImage                      = 26,  /* N Y  SystemLoadGdiDriverInformation */
    SystemUnloadImage                    = 27,  /* N Y */
    SystemTimeAdjustment                 = 28,  /* Y Y */
    SystemNotImplemented7                = 29,  /* Y N  SystemSummaryMemoryInformation */
    SystemNotImplemented8                = 30,  /* Y N  SystemNextEventIdInformation */
    SystemNotImplemented9                = 31,  /* Y N  SystemEventIdsInformation */
    SystemCrashDumpInformation           = 32,  /* Y N */
    SystemExceptionInformation           = 33,  /* Y N */
    SystemCrashDumpStateInformation      = 34,  /* Y Y/N */
    SystemKernelDebuggerInformation      = 35,  /* Y N */
    SystemContextSwitchInformation       = 36,  /* Y N */
    SystemRegistryQuotaInformation       = 37,  /* Y Y */
    SystemLoadAndCallImage               = 38,  /* N Y  SystemExtendServiceTableInformation */
    SystemPrioritySeparation             = 39,  /* N Y */
    SystemNotImplemented10               = 40,  /* Y N  SystemPlugPlayBusInformation */
    SystemNotImplemented11               = 41,  /* Y N  SystemDockInformation */
    SystemInvalidInfoClass2              = 42,  /*      SystemPowerInformation */
    SystemInvalidInfoClass3              = 43,  /*      SystemProcessorSpeedInformation */
    SystemTimeZoneInformation            = 44,  /* Y N */
    SystemLookasideInformation           = 45,  /* Y N */
    SystemSetTimeSlipEvent               = 46,  /* N Y */
    SystemCreateSession                  = 47,  /* N Y */
    SystemDeleteSession                  = 48,  /* N Y */
    SystemInvalidInfoClass4              = 49,
    SystemRangeStartInformation          = 50,  /* Y N */
    SystemVerifierInformation            = 51,  /* Y Y */
    SystemAddVerifier                    = 52,  /* N Y */
    SystemSessionProcessesInformation    = 53   /* Y N */
} SYSTEM_INFORMATION_CLASS;
/*
 * OBJECT_INFORMATION_CLASS: information classes for ZwQueryObject, one per
 * line with explicit values.  This file depends on ObjectNameInformation
 * being 1 and ObjectTypeInformation being 2 — Free_file passes exactly those
 * two classes.  The names for 3 and 4 follow the original listing.
 */
typedef enum _OBJECT_INFORMATION_CLASS {
    ObjectBasicInformation = 0,
    ObjectNameInformation  = 1,
    ObjectTypeInformation  = 2,
    ObjectAllInformation   = 3,
    ObjectDataInformation  = 4
} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS;
/* Pointer type for the ntdll export ZwQueryObject, resolved by init().
 * Free_file calls it with ObjectNameInformation and ObjectTypeInformation
 * on a duplicated handle and passes 0 for ReturnLength, so the optional
 * out-parameter is never read in this file. */
typedef NTSTATUS (WINAPI*pZwQueryObject)(
HANDLE Handle,
OBJECT_INFORMATION_CLASS ObjectInformationClass,
PVOID ObjectInformation,
ULONG ObjectInformationLength,
PULONG ReturnLength
);
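/*
 * Pointer type for the ntdll export ZwQueryInformationFile, resolved by
 * init().  Argument order: FileHandle, IoStatusBlock, FileInformation,
 * Length, FileInformationClass.
 *
 * IoStatusBlock is PIO_STATUS_BLOCK in ntdll.  The original decompilation
 * declared it as _DWORD, which is only harmless on a 32-bit build: on x64 a
 * DWORD cannot carry a pointer and the kernel would write its status into a
 * truncated address.  It is PVOID here (winternl.h, which defines
 * IO_STATUS_BLOCK, is not included, so the struct type is not named).
 *
 * FileInformationClass is the FILE_INFORMATION_CLASS enum in ntdll;
 * _DWORD is ABI-compatible with it and is kept.  Free_file passes 9
 * (FileNameInformation).
 *
 * NTSYSAPI (__declspec(dllimport)) was dropped: it applies to declarations
 * of imported symbols and has no effect on a typedef of a function pointer.
 */
typedef NTSTATUS (WINAPI *pZwQueryInformationFile)(
    HANDLE FileHandle,
    PVOID IoStatusBlock,
    PVOID FileInformation,
    ULONG Length,
    _DWORD FileInformationClass
);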
/* Pointer type for the ntdll export ZwQuerySystemInformation.  init()
 * resolves it and requires it to be non-NULL, but nothing in this listing
 * calls it; SYSTEM_INFORMATION_CLASS above exists only for this signature. */
typedef NTSTATUS (WINAPI*pZwQuerySystemInformation)(
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
_Inout_ PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
/* Pointer type for the ntdll export ZwQueryInformationProcess, resolved by
 * init().  ProcessInformationClass is the PROCESSINFOCLASS enum in ntdll;
 * _DWORD is ABI-compatible with it.  Free_file passes class 20 with a
 * 4-byte output buffer and 0 for ReturnLength. */
typedef NTSTATUS (WINAPI* pZwQueryInformationProcess)(
HANDLE ProcessHandle,
_DWORD ProcessInformationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
);
/* ntdll entry points.  All four are NULL until init() resolves them; call
 * init() and check its result before using any of them. */
pZwQueryInformationFile    ZwQueryInformationFile    = NULL;
pZwQueryObject             ZwQueryObject             = NULL;
pZwQuerySystemInformation  ZwQuerySystemInformation  = NULL;
pZwQueryInformationProcess ZwQueryInformationProcess = NULL;
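/*
 * init: resolve the four Zw* entry points from the ntdll.dll already mapped
 * into this process and store them in the file-level function pointers.
 *
 * Returns TRUE only when ntdll.dll was found and all four exports resolved.
 *
 * Two fixes relative to the original: it reported success after checking
 * only three of the four pointers, so ZwQueryInformationFile could be NULL
 * while Free_file still called through it; and it looked ntdll up four
 * separate times without checking the result.
 */
BOOL init(void)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (ntdll == NULL) {
        return FALSE;
    }

    ZwQueryInformationFile    = (pZwQueryInformationFile)GetProcAddress(ntdll, "ZwQueryInformationFile");
    ZwQuerySystemInformation  = (pZwQuerySystemInformation)GetProcAddress(ntdll, "ZwQuerySystemInformation");
    ZwQueryObject             = (pZwQueryObject)GetProcAddress(ntdll, "ZwQueryObject");
    ZwQueryInformationProcess = (pZwQueryInformationProcess)GetProcAddress(ntdll, "ZwQueryInformationProcess");

    /* ZwQuerySystemInformation is not used by Free_file, but the original
     * required it, so the success condition keeps it. */
    return ZwQueryInformationFile != NULL
        && ZwQuerySystemInformation != NULL
        && ZwQueryObject != NULL
        && ZwQueryInformationProcess != NULL;
}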
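/*
 * Free_file: close every file handle held by the current process whose NT
 * path contains SubStr.  Closing the handle releases whatever lock this
 * process holds on the file, which is the "free" in the original freeFile.
 * Only this process is touched: GetCurrentProcess() is both the source and
 * the target of every DuplicateHandle call.
 *
 * Enumeration: ZwQueryInformationProcess class 20 (ProcessHandleCount in
 * ntdll's PROCESSINFOCLASS) yields the number of handles in the process.
 * Handle values are then probed upward from 4 in steps of 4 with
 * DuplicateHandle; a value that duplicates is a live handle and is counted,
 * a value that fails is skipped.  Each live handle is type-checked through
 * ObjectTypeInformation (PUBLIC_OBJECT_TYPE_INFORMATION, whose
 * TypeName.Buffer is the second pointer-sized field on both x86 and x64,
 * hence typeInfo[1]); "file" objects get their path read with
 * FileNameInformation (class 9) into a FILE_NAME_INFORMATION buffer, a
 * ULONG FileNameLength followed by the non-terminated WCHAR name.
 *
 * Parameters:
 *   SubStr - substring to look for in the file's NT path.  NULL returns NULL.
 * Returns:
 *   The number of handles closed, carried in the inherited wchar_t * return
 *   type: non-NULL when at least one matching handle was closed, NULL when
 *   nothing matched or an earlier step failed.  (The original returned
 *   whatever the last API call happened to leave in `result`; main() ignores
 *   the value, so the narrower contract is compatible.)
 *
 * Changes from the original listing, all correctness fixes:
 *   - both 0x1000 scratch buffers, the 0x210 name buffer and every
 *     duplicated handle that did not match were leaked; freed/closed now.
 *   - ZwQueryObject's status was never checked and the type-name pointer was
 *     dereferenced even when the query failed and the buffer was all zeros.
 *   - the ObjectNameInformation query was issued but its result never read;
 *     dropped.
 *   - FileNameInformation returns a non-terminated name; a terminator is
 *     written now so wcsstr cannot run past the buffer.
 *   - the probed handle value was truncated to 16 bits, so a long walk
 *     wrapped and revisited handles; that range is now an explicit upper
 *     bound, which also guarantees termination when the reported count is
 *     larger than the number of handles that can actually be duplicated.
 *   - the IoStatusBlock argument was passed as a DWORD (32-bit artifact);
 *     the call goes through a correctly typed pointer so it holds on x64.
 */
wchar_t *__cdecl Free_file(wchar_t *SubStr)
{
    /* Real ntdll prototype: (HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG,
     * FILE_INFORMATION_CLASS).  The file-level typedef may declare the
     * second argument as _DWORD; cast to a pointer-correct type for this
     * call (a no-op where the typedef already says PVOID). */
    typedef NTSTATUS (WINAPI *QueryFileFn)(HANDLE, PVOID, PVOID, ULONG, _DWORD);
    enum {
        TYPE_INFO_SIZE = 0x1000,             /* scratch for PUBLIC_OBJECT_TYPE_INFORMATION */
        NAME_INFO_SIZE = 0x210,              /* bytes offered to FileNameInformation, as in the original */
        INFO_CLASS_PROCESS_HANDLE_COUNT = 20,/* PROCESSINFOCLASS value used by the original */
        INFO_CLASS_FILE_NAME = 9,            /* FILE_INFORMATION_CLASS value used by the original */
        MAX_PROBE_VALUE = 0xFFFC             /* last multiple of 4 inside the original's 16-bit probe */
    };

    const wchar_t **typeInfo = NULL;
    unsigned char *nameInfo = NULL;
    ULONG_PTR ioStatus[2] = { 0, 0 };   /* IO_STATUS_BLOCK-sized on x86 and x64 */
    HANDLE hProcess = NULL;
    QueryFileFn queryFile = NULL;
    ULONG handleCount = 0;
    ULONG seen = 0;
    ULONG probe = 0;
    ULONG closed = 0;

    if (SubStr == NULL || !init()) {
        return NULL;
    }
    queryFile = (QueryFileFn)ZwQueryInformationFile;

    typeInfo = calloc(1, TYPE_INFO_SIZE);
    /* One extra wchar_t so a name that fills NAME_INFO_SIZE can still be
     * terminated in place. */
    nameInfo = calloc(1, NAME_INFO_SIZE + sizeof(wchar_t));
    if (typeInfo == NULL || nameInfo == NULL) {
        goto out;
    }

    hProcess = GetCurrentProcess();
    if (ZwQueryInformationProcess(hProcess, INFO_CLASS_PROCESS_HANDLE_COUNT,
                                  &handleCount, sizeof handleCount, NULL) < 0) {
        goto out;
    }

    for (probe = 4; seen < handleCount && probe <= MAX_PROBE_VALUE; probe += 4) {
        HANDLE src = (HANDLE)(ULONG_PTR)probe;
        HANDLE dup = NULL;
        NTSTATUS status = 0;

        /* Not a live handle value: skip it without counting it. */
        if (!DuplicateHandle(hProcess, src, hProcess, &dup, 0, FALSE, DUPLICATE_SAME_ACCESS)) {
            continue;
        }
        seen++;

        memset(typeInfo, 0, TYPE_INFO_SIZE);
        status = ZwQueryObject(dup, ObjectTypeInformation, typeInfo, TYPE_INFO_SIZE, NULL);
        /* typeInfo[1] is TypeName.Buffer.  The original treated it as a
         * NUL-terminated string; that is the observed behaviour, but it is
         * not guaranteed by the UNICODE_STRING contract — TODO confirm. */
        if (status >= 0 && typeInfo[1] != NULL && _wcsicmp(typeInfo[1], L"file") == 0) {
            memset(nameInfo, 0, NAME_INFO_SIZE + sizeof(wchar_t));
            /* NOTE(review): FileNameInformation is reported to block on some
             * File objects (synchronous named pipes in particular); neither
             * the original nor this version guards against that — confirm
             * before running this inside a long-lived process. */
            status = queryFile(dup, ioStatus, nameInfo, NAME_INFO_SIZE, INFO_CLASS_FILE_NAME);
            if (status >= 0) {
                wchar_t *name = (wchar_t *)(nameInfo + sizeof(ULONG));  /* skip FileNameLength */
                ULONG nameBytes = 0;
                memcpy(&nameBytes, nameInfo, sizeof nameBytes);
                /* STATUS_BUFFER_OVERFLOW is a success code that reports the
                 * full length while copying only what fits; clamp before
                 * writing the terminator. */
                if (nameBytes > NAME_INFO_SIZE - sizeof(ULONG)) {
                    nameBytes = NAME_INFO_SIZE - sizeof(ULONG);
                }
                name[nameBytes / sizeof(wchar_t)] = L'\0';
                if (wcsstr(name, SubStr) != NULL) {
                    printf("Win\n");
                    CloseHandle(src);   /* the handle the process actually holds */
                    closed++;
                }
            }
        }
        CloseHandle(dup);   /* our duplicate, matched or not */
    }

out:
    free(typeInfo);
    free(nameInfo);
    return closed ? (wchar_t *)(ULONG_PTR)closed : NULL;
}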
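/*
 * main: demo driver.  Creates and keeps open a file named "OccupyMe" in the
 * working directory, waits for Enter so the reader can confirm the file is
 * held, then asks Free_file to close every handle of this process whose path
 * contains "OccupyMe", prints "Yep" and waits again so the result can be
 * checked.  Returns 1 if the demo file could not be created.
 *
 * fp is deliberately never fclose()d: Free_file has closed the OS handle
 * underneath the CRT, and a later fclose() would hand a stale handle value
 * to CloseHandle — a value the system may already have reused for an
 * unrelated object.  That stale-handle hazard is the cost of closing handles
 * behind their owner's back and is the main thing to keep in mind when
 * reviewing code like this.
 */
int main(void)
{
    //LoadLibrary("JavaNative_x32.dll");
    FILE *fp = fopen("OccupyMe", "wb");
    if (fp == NULL) {
        perror("fopen");   /* without the file there is nothing to free */
        return 1;
    }
    getchar();

    /* A writable array rather than a pointer to a string literal: Free_file
     * takes a non-const wchar_t *. */
    wchar_t name[] = L"OccupyMe";
    Free_file(name);
    printf("Yep\n");
    getchar();
    return 0;
}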