穿越wow64到native64

最新推荐文章于 2024-05-07 17:59:34 发布
最新推荐文章于 2024-05-07 17:59:34 发布
阅读量109 收藏
点赞数
原文链接:https://my.oschina.net/ejoyc/blog/198363
版权

为什么80%的码农都做不了架构师?>>>   hot3.png

// just test on win7sp1x64
#include <windows.h>
#include <stdlib.h>
  
typedef enum _MEMORY_INFORMATION_CLASS {
    MemoryBasicInformation,
    MemoryWorkingSetList,
    MemorySectionName,
    MemoryBasicVlmInformation
} MEMORY_INFORMATION_CLASS;

LONG (WINAPI 
*pfn_NtQueryVirtualMemory)(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
    OUT PVOID MemoryInformation,
    IN SIZE_T MemoryInformationLength,
    OUT PSIZE_T ReturnLength
    );
    
typedef struct _UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

WCHAR gModuleName[] = L"C:\\windows\\system32\\kernelbase.dll";
WCHAR gNtdllPath[]  = L"\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll";

PVOID __fastcall GetFuncAddress64(PVOID ImageBase, PUCHAR ApiName )
{
    PVOID   FuncAddress = NULL;
    
    PIMAGE_DOS_HEADER       DosHdr ;
    PIMAGE_NT_HEADERS32     NtHdrs ;
    PIMAGE_NT_HEADERS64     NtHdrs2;
    PIMAGE_DATA_DIRECTORY   DatDir ;
    PIMAGE_EXPORT_DIRECTORY ExpDir ;
    PULONG          AddressOfNames ;
    PULONG      AddressOfFunctions ;
    PUSHORT  AddressOfNameOrdinals ;    
    BOOL    bAMD64 = FALSE;
    LONG    Idx;
    LONG    ret;
    LONG    low;
    LONG    mid;
    LONG    high;
    PCHAR   pName;
    
    do
    {
        (PVOID)DosHdr  = ImageBase;
        if( !DosHdr || DosHdr->e_magic != IMAGE_DOS_SIGNATURE )
        {
            break;
        }
        
        (PUCHAR)NtHdrs = (PUCHAR)ImageBase + DosHdr->e_lfanew;   
        if( (PUCHAR)NtHdrs <(PUCHAR)DosHdr || NtHdrs->Signature != IMAGE_NT_SIGNATURE )
        {
            break;
        }        
        
        (PUCHAR)NtHdrs2 = (PUCHAR)NtHdrs;        
        if( NtHdrs->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC && NtHdrs2->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC )
        {
            break;
        }
        
        bAMD64 = NtHdrs2->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC;        
        if( bAMD64 )
        {                        
            DatDir = &NtHdrs2->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
        }
        else
        {   
            DatDir = &NtHdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
        }    
        
        if( DatDir->Size == 0 || DatDir->VirtualAddress == 0 )
        {
            break;
        }
        
        (PUCHAR)ExpDir = (PUCHAR)ImageBase + DatDir->VirtualAddress;
        if ( (PUCHAR)ExpDir < (PUCHAR)NtHdrs )
        {
            break;
        }
        
        AddressOfNames          = (PULONG)( (ULONG)ImageBase + ExpDir->AddressOfNames );
        AddressOfFunctions      = (PULONG)( (ULONG)ImageBase + ExpDir->AddressOfFunctions );
        AddressOfNameOrdinals   = (PUSHORT)( (ULONG)ImageBase + ExpDir->AddressOfNameOrdinals );

        high = ExpDir->NumberOfNames-1;
        low  = 0;
        while(low <= high)//二分查找,快速定位
        {
            mid   = (high+low)>>1;
            pName = (PCHAR)ImageBase+AddressOfNames[mid] ;

            Idx = 0;
            while( pName[Idx] && pName[Idx] == ApiName[Idx] )
            {
                ++Idx;
            }

            ret = pName[Idx] - ApiName[Idx];
            if ( ret==0 )
            {
                (PUCHAR)FuncAddress=(PUCHAR)ImageBase + AddressOfFunctions[ AddressOfNameOrdinals[ mid ] ];
                break;
            }
            else if( ret > 0 )
            {
                high=mid-1;
            }
            else
            {
                low=mid+1;
            }
        } 
        
    }while( FALSE );

    return FuncAddress;
}

PVOID WINAPI GetNativeNtdll( )
{
    PVOID  hNtdll = NULL;
    PUCHAR ptr = (PUCHAR)GetModuleHandleA( NULL ) + 0x100000;
    MEMORY_BASIC_INFORMATION MemInfo;
    SIZE_T RetLen;
    LONG   Status;
    WCHAR   NameBuf[MAX_PATH+16];    
    HANDLE hProcess = GetCurrentProcess();
    PUNICODE_STRING Filename = (PUNICODE_STRING)NameBuf;
    
    if( !pfn_NtQueryVirtualMemory )
    {
        (FARPROC)pfn_NtQueryVirtualMemory = GetProcAddress( GetModuleHandleA("ntdll.dll"), "NtQueryVirtualMemory" );
    }
    
    if( !pfn_NtQueryVirtualMemory )
    {
        return hNtdll;
    }
    
    while( ptr < (PUCHAR)0x80000000 )
    {
        Status = pfn_NtQueryVirtualMemory( hProcess, ptr, MemoryBasicInformation, &MemInfo, sizeof(MemInfo), &RetLen);        
        if( Status < 0 )
        {
            ptr += 0x10000;
            continue;
        }
         
        if( MemInfo.State == MEM_COMMIT && MEM_IMAGE == MemInfo.Type )
        {
            Status = pfn_NtQueryVirtualMemory( hProcess, ptr, MemorySectionName, Filename, sizeof(NameBuf), &RetLen );
            if( Status == 0 )
            {   
                if( !_wcsnicmp(gNtdllPath, Filename->Buffer, Filename->Length) )
                {
                    hNtdll = (PVOID)ptr;
                    break;
                }
            }             
        }
        
        ptr += MemInfo.RegionSize;
    }
    
    return hNtdll;
}

PVOID WINAPI MapDllToMem( PCWSTR FileName )
{
    PVOID  DllBase = NULL;
    HANDLE hFile;
    CHAR   DllData[512];
    DWORD  dwRetLen;
    BOOL   bRet;
    ULONG  SizeOfImage;
    ULONG  SizeOfHeaders;
    ULONG  NumOfSections;
    ULONG  Index;
    
    PIMAGE_DOS_HEADER DosHdr ;
    PIMAGE_NT_HEADERS NtHdrs ;
    PIMAGE_SECTION_HEADER SecHdr;

    BOOL    bAMD64 = FALSE;
    
    do
    {
        hFile = CreateFileW( FileName, GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL );
        if( hFile ==  INVALID_HANDLE_VALUE ) break;
        
        bRet = ReadFile( hFile, DllData, sizeof(DllData), &dwRetLen, NULL );
        if( !bRet ) break;
        
        DosHdr = (PIMAGE_DOS_HEADER)DllData;
        if( !DosHdr || DosHdr->e_magic != IMAGE_DOS_SIGNATURE )
        {
            break;
        }
        
        (PUCHAR)NtHdrs = (PUCHAR)DllData + DosHdr->e_lfanew;   
        if( (PUCHAR)NtHdrs <(PUCHAR)DosHdr || NtHdrs->Signature != IMAGE_NT_SIGNATURE )
        {
            break;
        }
                
        NumOfSections = NtHdrs->FileHeader.NumberOfSections;
        SizeOfHeaders = NtHdrs->OptionalHeader.SizeOfHeaders;
        SizeOfImage   = NtHdrs->OptionalHeader.SizeOfImage;        
        
        DllBase = VirtualAlloc( NULL, SizeOfImage, MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);
        if( !DllBase )break;
        
        RtlZeroMemory( DllBase, SizeOfImage );
        SetFilePointer( hFile, 0, NULL, FILE_BEGIN );
        ReadFile( hFile, DllBase, SizeOfHeaders, &dwRetLen, NULL );
        
        (PUCHAR)SecHdr = (PUCHAR)DllBase + ((PUCHAR)&NtHdrs->OptionalHeader - DllData) + NtHdrs->FileHeader.SizeOfOptionalHeader ;
        for( Index=0; Index<NumOfSections; Index++ )
        {
            SetFilePointer( hFile, SecHdr->PointerToRawData, NULL, FILE_BEGIN );
            ReadFile( hFile, (PUCHAR)DllBase + SecHdr->VirtualAddress, SecHdr->SizeOfRawData, &dwRetLen, NULL );
            
            SecHdr++;
        }
        
    }while( FALSE );    
    
    return DllBase;
}

VOID WINAPI UnMapDllFromMem( PVOID DllBase )
{
    VirtualFree( DllBase, 0, MEM_RELEASE );
}

BOOL WINAPI Wow64Check()
{
    BOOL    bWow64 = FALSE;    
    return IsWow64Process(GetCurrentProcess(), &bWow64) && bWow64;
}

int APIENTRY WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{   
    HMODULE hNtdll32 = GetModuleHandleA("ntdll.dll");
    HMODULE hNtdll = (HMODULE)GetNativeNtdll( );
    
    if( hNtdll32 && hNtdll && Wow64Check() )
    {
        PVOID   OldValue;
        PVOID   MemNtdllx64;
        BOOL    bProtectChanged;
        ULONG   OldProtect;
        PUCHAR  Buf = VirtualAlloc( NULL, 4096, MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);    
        if( Buf )
        {        
            LONG (WINAPI* pfn_NtDeleteKey)( HANDLE );
            PUCHAR pData = Buf+256;
            PUCHAR pInst = Buf+256+256; 
            
            RtlFillMemory( Buf,   256, 0 );
            RtlFillMemory( pData, 256, 0 );
            RtlFillMemory( pInst, 256, 0xCC );
            
            *(PULONG)(Buf+0) = 0x00460044;        
            *(PULONG)(Buf+8) = (ULONG)Buf + 0x10;
            RtlMoveMemory( Buf + 16 , gModuleName, 34*sizeof(WCHAR) );
            
            *(PULONG)(pInst+ 0) = 0x40EC8148;    //sub rsp, 40;
            *(PULONG)(pInst+ 4) = 0x90000000;
            *(PULONG)(pInst+ 8) = 0x90C93348;    //xor rcx,rcx
            *(PULONG)(pInst+12) = 0x90D23348;    //xor rdx,rdx
            *(PULONG)(pInst+16) = 0xF9000068;    //push, dllpath 
            *(PULONG)(pInst+20) = 0x9058417E;    //pop r8
            *(PULONG)(pInst+17) = (ULONG)Buf;            
            *(PULONG)(pInst+24) = 0xF9000068;    //push, pData
            *(PULONG)(pInst+28) = 0x9059417E;    //pop r9
            *(PULONG)(pInst+25) = (ULONG)pData;             
            *(PULONG)(pInst+32) = 0x017AC068;    //push offset ntdll!LdrLoadDll 
            *(PULONG)(pInst+36) = 0xD0FF5877;    //pop  rax; call rax
            /*  00000000`7ef90228 680001f97e      push    7EF90100h
                00000000`7ef9022d 5e              pop     rsi
                00000000`7ef9022e 8b06            mov     eax,dword ptr [rsi]
                00000000`7ef90230 014610          add     dword ptr [rsi+10h],eax
                00000000`7ef90233 014618          add     dword ptr [rsi+18h],eax
                00000000`7ef90236 014620          add     dword ptr [rsi+20h],eax
                00000000`7ef90239 4833c9          xor     rcx,rcx
                00000000`7ef9023c 681000f97e      push    7EF90010h
                00000000`7ef90241 5a              pop     rdx
                00000000`7ef90242 ff5620          call    qword ptr [rsi+20h]
                00000000`7ef90245 83c440          add     esp,40h
                00000000`7ef90248 c3              ret     */       
            *(PULONG)(pInst+40) = 0xf9010068;
            *(PULONG)(pInst+44) = 0x068b5e7e;
            *(PULONG)(pInst+48) = 0x01104601;
            *(PULONG)(pInst+52) = 0x46011846;
            *(PULONG)(pInst+56) = 0xc9334820;
            *(PULONG)(pInst+60) = 0xf9001068;
            *(PULONG)(pInst+64) = 0x56ff5a7e; 
            *(PULONG)(pInst+68) = 0x40c48320;
            *(PSHORT)(pInst+72) = 0xCCC3;             
            *(PULONG)(pInst+41) = (ULONG)pData;
            *(PULONG)(pInst+61) = (ULONG)Buf+16;
              
            *(PVOID*)(pInst+33) = GetFuncAddress64( (PVOID)hNtdll, "LdrLoadDll" );
            (PVOID)pfn_NtDeleteKey  = GetFuncAddress64( (PVOID)hNtdll, "NtDeleteKey" );
            
            Wow64DisableWow64FsRedirection(&OldValue);
            MemNtdllx64 = MapDllToMem( gModuleName ); 
            Wow64RevertWow64FsRedirection(OldValue);
            
            if( MemNtdllx64 )
            {
                *(PULONG)(pData + 0x10) = (ULONG)GetFuncAddress64( (PVOID)MemNtdllx64, "GetProcAddress" ) - (ULONG)MemNtdllx64;
                *(PULONG)(pData + 0x18) = (ULONG)GetFuncAddress64( (PVOID)MemNtdllx64, "OpenProcess" ) - (ULONG)MemNtdllx64;
                *(PULONG)(pData + 0x20) = (ULONG)GetFuncAddress64( (PVOID)MemNtdllx64, "FatalAppExitW" ) - (ULONG)MemNtdllx64;
                UnMapDllFromMem( MemNtdllx64 );  
            }

            bProtectChanged = VirtualProtect( (PVOID)pfn_NtDeleteKey, 0x20, PAGE_EXECUTE_READWRITE, &OldProtect );
            if( bProtectChanged )
            {
                *(PUSHORT)pfn_NtDeleteKey = 0xB848;
                *(PULONG)((PUCHAR)pfn_NtDeleteKey + 2) = (ULONG)pInst;
                *(PULONG)((PUCHAR)pfn_NtDeleteKey + 6) = 0x00;
                *(PULONG)((PUCHAR)pfn_NtDeleteKey + 10)= 0xCCCCE0FF;
                VirtualProtect( (PVOID)pfn_NtDeleteKey, 0x20, OldProtect, &OldProtect );
                
                (PVOID)pfn_NtDeleteKey  = GetFuncAddress64( (PVOID)hNtdll32, "NtDeleteKey" );
                pfn_NtDeleteKey( (HANDLE)pInst );
            }
            
            VirtualFree( Buf, 0, MEM_RELEASE );
        }
    }
    
    return 0;
}


转载于:https://my.oschina.net/ejoyc/blog/198363

weixin_34185320
关注
Wow64 环境检测
songbei6的博客
03-31 1448
1、使用 IsWow64Process2 说明 Determines whether the specified process is running under WOW64; also returns additional machine process and architecture information. 语法 BOOL IsWow64Process2( HANDLE hProcess...
在windows 7上是否可以运行win 10的应用
wch1618的博客
06-01 3213
一种可以解决"无法定位程序输入点IsWow64Process2于动态链接库KERNEL32.dll"的想法
html页面枚举 暴力,暴力枚举进程模块(示例代码)
weixin_32446549的博客
06-05 338
同学问过我进程体中EPROCESS的三条链断了怎么枚举模块,这也是也腾讯面试题。我当时听到也是懵逼的。后来在网上看到了一些内存暴力枚举的方法ZwQueryVirtualMemory。函数原型是NTSTATUS NtQueryVirtualMemory(HANDLE ProcessHandle, //目标进程句柄PVOID BaseAddress, ...
obs64无法定位程序输入点IsWow64Process2
最新发布
nownow_的博客
05-07 3071
obs安装后,打开提示:obs64无法定位程序输入点IsWow64Process2。如果打开dll文件出现乱码,请使用hex-editor软件打开。
WOW64通过PEB获取32/64位进程以及模块信息(附带DEMO)
06-23
使用API NtWow64QueryInformationProcess64 获取进程的64位PEB结构地址。使用API NtWow64ReadVirtualMemory64 读取进程的64位内存地址的数据。通过PEB64结构进行遍历进程的64位模块。对于32位进程,通过 ...
rewolf.wow64ext.v1.0.0.4
03-20
1. **调试支持**:为开发者提供更深入的调试功能,如附加到32位进程,查看WOW64内部状态,以及跟踪系统调用。 2. **性能分析**:可能包含性能监视工具,帮助开发者识别32位应用在64位系统上的瓶颈和性能问题。 3. ...
wow-32-64 汇编调试器 V2.0
02-23
wow_32_64 汇编调试器 V2.0
wow-32-64 汇编调试器 V1.5
02-23
wow_32_64 汇编调试器 V1.5
vbwow64ext.rar
09-25
'VB6作为古懂级开发工具,不能与时俱进编译64位程序, ... '模块使用网上开源的WOW64EXT稍作修改,使其能在VB6中使用,仅64位系统可用 'VB6没有INT64类型整数,所有64位整数都使用CURRENCY类型,很多时候需要
e语言-32位进程枚举64位进程模块信息
08-23
资源介绍:' WOW64的32位程序其实拥有64位程序的全部功能,包括32注入64位、枚举64位进程模块、Hook64位模块、调用64位API等等等等....' 因为WOW64程序不是完全的虚拟化的,是伪虚拟化,本身就是一个64位进程,只是自己以为是32位程序而已. 所以Wow64进程 里面' 既有 64位环境结构,又有32位环境结构, 使用api  NtWow64QueryInformationProcess64 可以获取 进程的64位PEB结构地址,' 使用api  NtWow64ReadVirtualMemory64 可以读取进程的64位内存地址的数据. 通过PEB64结构进行遍历进程的64位模块!资源作者:
一步一步教你写DOTA外挂
huobengle
12-22 817
好久木有研究DOTA了,整理篇小菜文章。 首先,我们要提升外挂本身程序权限,使其能够有权限修改war3游戏的内存。这个c++可以使用如下代码 void EnableDebugPriv()//提升程序自身权限 { HANDLE hToken; LUID sedebugnameValue; TOKEN_PRIVILEGES tkp; ...
IsWow64Process 判断操作系统位数
十年磨一剑,霜刃未曾试!
10-16 4700
判断操作系统是不是64位 typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL); LPFN_ISWOW64PROCESS fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(GetModuleHandle("kernel32"), "IsW
C/C++ 遍历进程内存块
热门推荐
CSDN
07-16 1万+
它使用了Windows API函数来遍历指定进程的所有内存块,并输出每个内存块的相关信息。该代码可以帮助了解目标进程的内存布局,以及各个内存块的属性。的函数,用于枚举指定进程的所有内存块。该代码使用Windows API函数实现了遍历指定进程的内存块的功能,并输出了每个内存块的地址、大小和保护属性等信息。使用循环遍历内存块的向量,并输出每个内存块的相关信息,包括基地址、分配基地址、内存块大小、内存块状态、内存保护属性等。在主函数中,创建了一个进程快照句柄,用于获取当前系统中的进程信息。
用ZwQueryVirtualMemory枚举进程模块
yuli1234147的博客
12-23 931
转自:http://www.cppblog.com/aurain/archive/2010/07/05/119361.html [cpp] view plain copy 用ZwQueryVirtualMemory枚举进程模块   枚举进程模块通常可以使用诸如:CreateToolhelp32Snapshot,Module32First,Mod
获取进程的信息
甜筒八部 的专栏
08-08 2752
使用 NtQueryInformationProcess 函数Retrieves information about the specified process. Windows NT/2000系统的NTDLL.DLL包含了许多未公开的API函数。 NtQueryInformationProcess就是微软 NTDLL.DLL包含的未公开 的一个 API。 NTDLL.DLL中有一个函数叫NtQueryInformationProcess,用它可以指定参数,获得指定结构体类型的进程信息,拷贝到...
IsWow64Process函数理解的偏差
myjisgreat的专栏
06-13 4002
 IsWow64Process函数理解的偏差 搬运自我的百度空间 IsWow64Process并不像网上很多文章说的那样,可以直接判断进程的位数。其实他的实际含义是某个进程是不是在wow64虚拟环境下。 所以说各种可能的情况如下: 64-bit process on 64-bit Windows : FALSE 32-bit proc
IsWow64Process函数判断程序位数
tatorey的博客
07-25 2125
IsWow64Process函数判断程序位数 IsWow64Process返回值为TRUE&FALSE,在MSDN上的解释和定义如下: BOOL IsWow64Process( HANDLE hProcess, //目标进程句柄 PBOOL Wow64Process //反出值TRUE&FALSE ); The IsWow64Process function determines whether the specified process is running under WOW
linux 枚举进程,ZwQueryVirtualMemory枚举进程模块
weixin_39911066的博客
04-29 471
ZwQueryVirtualMemory算是枚举进程方法中的黑科技吧,主要是该方法可以检测出隐藏的模块(类似IceSword)。代码VS2015测试通过好的下面我们进入正题 这个没有深入研究 就是简单测试读了下代码 很久了 忘记差不多了 所以只是整理献上一个比较好的其他博友的1常见的枚举进程模块的方法有CreateToolhelp32Snaphot,Module32First,Module32Ne...
termux如何配置wow64
04-04
然而,在Termux上配置Wow64(Windows on Windows 64-bit)可能会非常困难,因为Wow64需要Windows操作系统的支持。 所以,如果你想在Android设备上运行Windows应用程序,我建议你考虑使用其他工具或方法,比如虚拟机...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值