windows上的x86注入程序一枚,有码有真相,娱乐娱乐,纪念我失去的青春。
#include "main.h"
/*
 * Parameter block that InstHook2 places in the target process directly
 * behind the copied code (lpBlock = Buffer + InstLen) and that
 * ExecuteRoutine2 reads through the pointer pushed by the ExecuteRoutine
 * stub.  The field order is part of the layout of the injected buffer;
 * reordering or adding fields means revisiting InstHook2's offsets.
 */
typedef struct _LDRDLL_BLOCK
{
    LDRLOADDLL LdrLoadDll;                          /* ntdll exports, resolved with GetProcAddress in */
    LDRUNLOADDLL LdrUnloadDll;                      /* the injector (InstHook2); NOTE(review): presumes  */
    LDRGETPROCEDUREADDRESS LdrGetProcedureAddress;  /* ntdll sits at the same base in the target.        */
    NTTERMINATEPROCESS NtTerminateProcess;
    UNICODE_STRING DllName;   /* Buffer = remote address of the DllPath copy inside the injected buffer */
    ANSI_STRING FuncName;     /* Buffer = remote address of the "InitFunc" bytes inside the injected buffer */
}LDRDLL_BLOCK, *PLDRDLL_BLOCK;
/*
 * 11-byte x86 stub (plus ret) that InstHook2 copies over the target's entry
 * point.  The two immediates are placeholders: InstHook2 overwrites the
 * push operand at offset 2 with the remote address of the LDRDLL_BLOCK and
 * the call displacement at offset 7 so that the call lands on the copy of
 * ExecuteRoutine2.  The bytes are emitted instead of assembled so that the
 * assembler does not try to resolve or relocate them.
 *
 * NOTE(review): InstHook2 measures the code to copy as InstHook2 -
 * ExecuteRoutine, so this function, ExecuteRoutine2 and InstHook2 are
 * presumed to be laid out contiguously and in source order.
 */
__declspec(naked)
VOID WINAPI ExecuteRoutine()
{
    __asm
    {
        _emit 0x90;   // offset 0: nop (the author's alternative was 0xCC, int3, to break in a debugger)
        _emit 0x68;   // offset 1: push imm32 -- placeholder 0x11223344, patched to the remote block address
        _emit 0x44
        _emit 0x33
        _emit 0x22
        _emit 0x11
        _emit 0xe8;   // offset 6: call rel32 -- placeholder 0x55667788, patched to reach ExecuteRoutine2
        _emit 0x88;
        _emit 0x77;
        _emit 0x66;
        _emit 0x55;
        _emit 0xc3;   // offset 11: ret (never reached: ExecuteRoutine2 terminates the process)
    }
}
/*
 * Payload routine that runs inside the target process.  InstHook2 copies it
 * there verbatim together with the ExecuteRoutine stub, so it has to stay
 * position independent: every call goes through a pointer handed over in
 * Block rather than through an import.
 *
 * Block: remote LDRDLL_BLOCK pushed by the stub.  Loads Block->DllName,
 *        calls the export named by Block->FuncName if it exists, unloads the
 *        DLL again and finally ends the hosting process.  The process is
 *        terminated whether or not the load or the lookup succeeded.
 */
VOID WINAPI ExecuteRoutine2( IN PLDRDLL_BLOCK Block )
{
    PVOID ModuleBase = NULL;
    INITFUNC Entry = NULL;
    BOOL Loaded;

    Loaded = Block->LdrLoadDll(NULL, NULL, &Block->DllName, &ModuleBase) >= 0;
    if ( Loaded )
    {
        BOOL Found = Block->LdrGetProcedureAddress( ModuleBase, &Block->FuncName, 0, (PVOID*)&Entry ) >= 0;
        if ( Found )
        {
            Entry();
        }
        /* Unloaded even when the export was missing. */
        Block->LdrUnloadDll(ModuleBase);
    }
    /* (HANDLE)-1 is the current-process pseudo handle. */
    Block->NtTerminateProcess((HANDLE)(LONG_PTR)-1, 0);
}
/*
 * Builds the injected buffer and writes it over the target's entry point.
 *
 * Layout of the buffer as written to the target at lpOEP (offsets relative
 * to lpOEP, each section rounded up to 16 bytes):
 *
 *   [0, InstLen)                 copy of ExecuteRoutine .. ExecuteRoutine2,
 *                                stub placeholders patched below
 *   [InstLen, +sizeof block)     LDRDLL_BLOCK whose pointers are remote addresses
 *   [Name1Offset, +16)           "InitFunc" (8 bytes; the rest is zero because
 *                                MmAlloc uses HEAP_ZERO_MEMORY)
 *   [Name2Offset, +Length)       DllPath as UTF-16 without a terminator
 *
 * hProcess: target created CREATE_SUSPENDED by StartProcess.
 * DllPath:  path the target will pass to LdrLoadDll; for the only caller it
 *           comes from the INI read in WinMain (at most MAX_PATH-1 chars).
 * Returns:  the result of WriteProcessMemory, FALSE on any earlier failure.
 *
 * NOTE(review): the target's original entry-point bytes are overwritten and
 * never restored, and ExecuteRoutine2 ends in NtTerminateProcess, so the
 * target never executes its own code; it only hosts the DLL's InitFunc.
 * NOTE(review): 32-bit only -- pointers are truncated to ULONG throughout.
 */
BOOL WINAPI InstHook2(IN HANDLE hProcess, IN PCWSTR DllPath )
{
    PVOID ImageBase = TlGetProcessImageBase(hProcess);
    PVOID lpOEP = TlGetProcessAddressOfEntryPoint(hProcess, ImageBase);
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    /* Bytes of code to copy: the distance from ExecuteRoutine to InstHook2,
       rounded up to 16.  NOTE(review): presumes the three functions are
       emitted contiguously and in source order; function reordering or
       incremental-link thunks would silently break this. */
    ULONG InstLen = (((ULONG)((PCH)InstHook2 - (PCH)ExecuteRoutine))+15)&0xFFFFFFF0;
    ULONG Name1Offset = InstLen + sizeof(LDRDLL_BLOCK);
    ULONG Name2Offset = Name1Offset + 16;   /* 16 bytes reserved for the 8-byte "InitFunc" */
    /* NOTE(review): DllPath is dereferenced here, before any of the checks below. */
    ULONG BufSize = ((Name2Offset + wcslen(DllPath)*sizeof(WCHAR)) + 15)&0xFFFFFFF0;
    PUCHAR Buffer2 = NULL;   /* raw heap block */
    PUCHAR Buffer = NULL;    /* Buffer2 rounded up to a 16-byte boundary (hence the +0x10 slack) */
    BOOL bRet = FALSE;
    if ( !ImageBase || !lpOEP ) return bRet;
    /* The stub is x86 machine code; refuse anything that is not an i386 image. */
    if ( !TlIsProcessImageFileI386(hProcess, ImageBase) ) return bRet;
    Buffer2 = MmAlloc(BufSize+0x10);
    if ( Buffer2 )
    {
        Buffer = Buffer2;
        if ( ((ULONG)Buffer2 & 0x0F) )
        {
            Buffer = (PUCHAR)(((ULONG)Buffer2 & 0xFFFFFFF0) + 0x10);
        }
    }
    if ( Buffer )
    {
        PUCHAR lpInst = Buffer;   /* unused */
        PLDRDLL_BLOCK lpBlock = (PVOID)(Buffer + InstLen);
        RtlCopyMemory( Buffer, ExecuteRoutine, InstLen );
        /* Patch the stub: the push imm32 at offset 2 gets the remote address of
           the block; the call rel32 at offset 7 gets (target - address after the
           call), and the call ends at offset 11 (nop 1 + push 5 + call 5). */
        *(PULONG)(Buffer + 2) = (ULONG)((PCH)lpOEP + InstLen);
        *(PULONG)(Buffer + 7) = (ULONG)((PCH)ExecuteRoutine2 - (PCH)ExecuteRoutine) - 11;
        RtlCopyMemory(Buffer+Name1Offset, "InitFunc", 8);
        RtlCopyMemory(Buffer+Name2Offset, DllPath, wcslen(DllPath)*sizeof(WCHAR) );
        /* String buffers are expressed as addresses inside the target, not in this process. */
        lpBlock->DllName.Buffer = (PWSTR)((PCH)lpOEP + Name2Offset);
        /* Length/MaximumLength are byte counts.  NOTE(review): the USHORT cast
           truncates for paths of 32K+ characters; the only caller is bounded by MAX_PATH. */
        lpBlock->DllName.Length = (USHORT)(wcslen(DllPath)*sizeof(WCHAR));
        lpBlock->DllName.MaximumLength = lpBlock->DllName.Length;
        lpBlock->FuncName.Buffer = (PCH)lpOEP + Name1Offset;
        lpBlock->FuncName.Length = 8;
        lpBlock->FuncName.MaximumLength = lpBlock->FuncName.Length;
        /* NOTE(review): none of these four results is checked; a NULL here turns
           into a call through NULL inside the target.  The addresses are also
           presumed valid in the target, i.e. ntdll mapped at the same base. */
        lpBlock->LdrLoadDll = (PVOID)GetProcAddress (hNtdll, "LdrLoadDll");
        lpBlock->LdrUnloadDll = (PVOID)GetProcAddress (hNtdll, "LdrUnloadDll");
        lpBlock->LdrGetProcedureAddress = (PVOID)GetProcAddress (hNtdll, "LdrGetProcedureAddress");
        lpBlock->NtTerminateProcess = (PVOID)GetProcAddress (hNtdll, "NtTerminateProcess");
        /* NOTE(review): bytes-written is discarded (NULL), so a short write would
           still be reported as success. */
        bRet = WriteProcessMemory(hProcess, lpOEP, Buffer, BufSize, NULL);
        MmFree(Buffer2);
    }
    return bRet;
}
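/*
 * Creates ExePath suspended, plants the loader stub with InstHook2 and only
 * then lets the main thread run.
 *
 * ExePath: program to start (lpApplicationName, no command line).
 * DllPath: passed through to InstHook2.
 * Returns: TRUE only when the process was created AND the stub was written.
 *          If InstHook2 fails the child is terminated and FALSE is returned;
 *          the original reported TRUE in that case and also called
 *          ResumeThread on the already terminated child.
 */
BOOL WINAPI
StartProcess(
    IN PCWSTR ExePath,
    IN PCWSTR DllPath
    )
{
    PROCESS_INFORMATION pi = {0};
    STARTUPINFOW si = {0};
    BOOL bRet = FALSE;

    si.cb = sizeof(si);
    bRet = CreateProcessW( ExePath,
                           NULL,             // Command line
                           NULL,             // Process handle not inheritable
                           NULL,             // Thread handle not inheritable
                           FALSE,            // Set handle inheritance to FALSE
                           CREATE_SUSPENDED, /* |DEBUG_PROCESS */
                           NULL,             // Use parent's environment block
                           NULL,             // Use parent's starting directory
                           &si,              // Pointer to STARTUPINFO structure
                           &pi );
    if( bRet )
    {
        bRet = InstHook2(pi.hProcess, DllPath);
        if( bRet )
        {
            /* The first instruction the main thread executes is now the stub. */
            ResumeThread( pi.hThread );
        }
        else
        {
            /* Never resume a child whose entry point may be partially written. */
            TerminateProcess( pi.hProcess, 0 );
        }
        CloseHandle( pi.hThread );
        CloseHandle( pi.hProcess );
    }
    return bRet;
}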
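/*
 * Entry point.  Reads <exe dir>\LDRTOOL.INI, section [setting], keys
 * dllName and exeName, and hands both to StartProcess.  Nothing is started
 * when the INI file or either key is missing.
 *
 * The original read exeName into ExePath while passing that same buffer as
 * the INI file name, so the call's output aliased its input; the INI path
 * now has its own buffer.
 *
 * NOTE(review): both paths are trusted verbatim from a file beside the
 * binary.  Whoever can write that directory chooses which program is
 * started and which DLL is loaded into it; the directory ACL matters.
 */
int APIENTRY
WinMain(
    HINSTANCE hInstance,
    HINSTANCE hPreInstance,
    PSTR szCmdline,
    INT iCmdShow
    )
{
    WCHAR IniPath[MAX_PATH] = {0};
    WCHAR DllPath[MAX_PATH] = {0};
    WCHAR ExePath[MAX_PATH] = {0};
    PWSTR pName = NULL;
    UINT dllLen = 0;
    UINT exeLen = 0;

    /* MAX_PATH-32 leaves at least 32 WCHARs after the last backslash for the INI name. */
    if( !GetModuleFileNameW( NULL, IniPath, MAX_PATH-32 ) )
    {
        return 0;
    }
    pName = wcsrchr( IniPath, L'\\');
    if( pName == NULL )
    {
        return 0;
    }
    StringCchCopyW( pName, 32, L"\\LDRTOOL.INI");
    if ( !PathFileExistsW(IniPath) )
    {
        return 0;
    }
    dllLen = GetPrivateProfileStringW(L"setting", L"dllName", NULL,
                                      DllPath, MAX_PATH-1, IniPath);
    exeLen = GetPrivateProfileStringW(L"setting", L"exeName", NULL,
                                      ExePath, MAX_PATH-1, IniPath);
    if ( dllLen && exeLen )
    {
        StartProcess(ExePath, DllPath);
    }
    return 0;
}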
/*
 * Returns the image base of hProcess, or NULL.
 *
 * Resolves NtQueryInformationProcess from ntdll at run time, asks for
 * ProcessBasicInformation (class 0) to get the PEB address and reads the
 * PEB out of the target with ReadProcessMemory.  Any failure yields NULL.
 *
 * NOTE(review): the local PEB definition is the 32-bit layout; the result
 * is only meaningful for an x86 injector and an x86 target.
 */
PVOID WINAPI
TlGetProcessImageBase(
    IN HANDLE hProcess
    )
{
    NTQUERYINFORMATIONPROCESS QueryInformationProcess = NULL;
    PROCESS_BASIC_INFORMATION Pbi;
    PEB RemotePeb;
    SIZE_T Returned = 0;
    HMODULE Ntdll = GetModuleHandleA("ntdll.dll");

    *(FARPROC*)&QueryInformationProcess = GetProcAddress( Ntdll, "NtQueryInformationProcess" );
    if( QueryInformationProcess == NULL )
    {
        return NULL;
    }
    if ( !NT_SUCCESS(QueryInformationProcess( hProcess,
                                              0 /* ProcessBasicInformation */,
                                              (PVOID)&Pbi,
                                              sizeof(Pbi),
                                              (PULONG)&Returned )) )
    {
        return NULL;
    }
    if ( !ReadProcessMemory( hProcess, Pbi.PebBaseAddress, &RemotePeb, sizeof(RemotePeb), &Returned ) )
    {
        return NULL;
    }
    return RemotePeb.ImageBaseAddress;
}
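/*
 * Returns TRUE only if the first 512 bytes at lpImageBase parse as an MZ/PE
 * header whose FileHeader.Machine is IMAGE_FILE_MACHINE_I386.
 *
 * Fixes two defects of the original: when e_lfanew pointed past the bytes
 * read, the function fell through and returned the ReadProcessMemory result
 * (TRUE), i.e. an unverified image was accepted; and it tested the
 * IMAGE_FILE_32BIT_MACHINE characteristic flag rather than the Machine
 * field, which is what actually says the code is x86.
 */
BOOL WINAPI
TlIsProcessImageFileI386(
    IN HANDLE hProcess,
    IN PVOID lpImageBase
    )
{
    UCHAR Data[512] = {0};
    ULONG NumOfBytesRead = 0;
    PIMAGE_DOS_HEADER DosHdr = (PIMAGE_DOS_HEADER)Data;
    PIMAGE_NT_HEADERS32 NtHdrs;

    if( !ReadProcessMemory( hProcess, lpImageBase, Data, sizeof(Data), &NumOfBytesRead ) )
    {
        return FALSE;
    }
    if( DosHdr->e_magic != IMAGE_DOS_SIGNATURE )
    {
        return FALSE;
    }
    /* e_lfanew is a LONG: reject negatives and offsets that would put the NT
       headers past the bytes we actually read, before forming the pointer. */
    if( DosHdr->e_lfanew < 0 ||
        (ULONG)DosHdr->e_lfanew > sizeof(Data) - sizeof(IMAGE_NT_HEADERS32) )
    {
        return FALSE;
    }
    NtHdrs = (PIMAGE_NT_HEADERS32)(Data + DosHdr->e_lfanew);
    if( NtHdrs->Signature != IMAGE_NT_SIGNATURE )
    {
        return FALSE;
    }
    return NtHdrs->FileHeader.Machine == IMAGE_FILE_MACHINE_I386;
}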
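/*
 * Returns the entry point of the image mapped at lpImageBase in hProcess,
 * or NULL.
 *
 * Reads the first page of the image and takes
 * OptionalHeader.AddressOfEntryPoint.  If the bytes at that address are
 * `E8 rel32 E9 rel32` (call; jmp), the jmp target is returned instead, so
 * the caller patches the code behind that startup shape rather than the
 * raw entry point.  The result must lie in (lpImageBase, lpImageBase+8MiB]
 * or NULL is returned.
 *
 * Fixes of the original:
 *   - `sizeof(Data)` with Data being a PUCHAR zeroed and read only
 *     sizeof(PUCHAR) bytes, so Data[5] and the rel32 at Data+6 were stale
 *     bytes left over from the header read; a named probe size is used now.
 *   - the second ReadProcessMemory result was never checked.
 *   - `(PUCHAR)lpOEP = ...` (cast as lvalue) is a compiler extension;
 *     lpOEP is now a PUCHAR local.
 *   - the jmp displacement is treated as signed, which is the same value
 *     on x86 and correct if this is ever built for 64 bit.
 */
PVOID WINAPI
TlGetProcessAddressOfEntryPoint(
    IN HANDLE hProcess,
    IN PVOID lpImageBase
    )
{
    enum { ENTRY_PROBE_SIZE = 16 };   /* covers E8 rel32 E9 rel32 (bytes 0..9) */
    PUCHAR lpOEP = NULL;
    PUCHAR Data = NULL;
    ULONG NumOfBytesRead = 0;
    PIMAGE_DOS_HEADER DosHdr;
    PIMAGE_NT_HEADERS32 NtHdrs;

    Data = MmAlloc(PAGE_SIZE);
    if ( !Data ) return NULL;

    if( ReadProcessMemory( hProcess, lpImageBase, Data, PAGE_SIZE, &NumOfBytesRead ) )
    {
        DosHdr = (PIMAGE_DOS_HEADER)Data;
        /* e_lfanew is a LONG; keep the NT headers inside the page we read. */
        if( DosHdr->e_lfanew >= 0 &&
            (ULONG)DosHdr->e_lfanew < (PAGE_SIZE - sizeof(IMAGE_NT_HEADERS32)) )
        {
            NtHdrs = (PIMAGE_NT_HEADERS32)(Data + DosHdr->e_lfanew);
            lpOEP = (PUCHAR)lpImageBase + NtHdrs->OptionalHeader.AddressOfEntryPoint;
        }
    }

    /* Plausibility window before touching the entry point: inside the image, at most 8 MiB up. */
    if( (PUCHAR)lpImageBase < lpOEP && lpOEP < (PUCHAR)lpImageBase + 0x800000 )
    {
        RtlZeroMemory( Data, ENTRY_PROBE_SIZE );
        if( ReadProcessMemory( hProcess, lpOEP, Data, ENTRY_PROBE_SIZE, &NumOfBytesRead ) &&
            Data[0] == 0xE8 && Data[5] == 0xE9 )
        {
            LONG Rel;
            RtlCopyMemory( &Rel, Data + 6, sizeof(Rel) );
            /* The jmp at offset 5 ends at offset 10; its target is that address plus rel32. */
            lpOEP = lpOEP + 10 + Rel;
        }
    }

    /* Re-check after following the jmp; NULL stays NULL. */
    if( (PUCHAR)lpImageBase > lpOEP || lpOEP > (PUCHAR)lpImageBase + 0x800000 )
    {
        lpOEP = NULL;
    }
    MmFree(Data);
    return lpOEP;
}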
/*LDRTOOL.ini sample
[setting]
dllname = D:\WinDDK\LdrTool\i386\test.dll
exename = c:\windows\system32\mspaint.exe
*/
当然,还要有头文件:
#ifndef __MAIN_H__
#define __MAIN_H__
#include <windows.h>
#include <Shlwapi.h>
#include <Shellapi.h>
#include <strsafe.h>
typedef LONG KPRIORITY;
typedef LONG NTSTATUS;
/* An NTSTATUS is a success when it is non-negative. */
#define NT_SUCCESS(_x_) ((_x_)>=0)
#ifndef PAGE_SIZE
#define PAGE_SIZE 4096
#endif
/* Heap wrappers (despite the Mm prefix this is the user-mode process heap).
   HEAP_ZERO_MEMORY: every allocation starts zero-filled, which InstHook2
   relies on for the unused bytes between the strings it copies. */
#ifndef MmAlloc
#define MmAlloc(size) HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, size )
#define MmFree(p) HeapFree( GetProcessHeap(), 0, p )
#endif
/* Counted string as used by ntdll.  Length and MaximumLength are byte
   counts (InstHook2 sets Length = 8 for "InitFunc") and Buffer need not be
   NUL-terminated.  In the injected block, Buffer holds an address that is
   only valid inside the target process. */
typedef struct _ANSI_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PSTR Buffer;
} ANSI_STRING, *PANSI_STRING;
/* Counted UTF-16 string as used by ntdll.  Length and MaximumLength are
   byte counts (InstHook2 sets Length = wcslen * sizeof(WCHAR)); the copied
   DllPath carries no terminator.  In the injected block, Buffer holds an
   address that is only valid inside the target process. */
typedef struct _UNICODE_STRING{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
/* Partial PEB definition.  Only ImageBaseAddress is read (TlGetProcessImageBase);
   the remaining fields are padding so that it lands at the right offset.
   NOTE(review): the sizes are the x86 layout; pointer-sized fields shift on
   x64, consistent with the rest of this file being 32-bit only. */
typedef struct _PEB {
    BYTE Reserved1[2];
    BYTE BeingDebugged;
    BYTE Reserved2[1];
    HANDLE Mutant; // INITIAL_PEB structure is also updated.
    PVOID ImageBaseAddress;         /* base of the main executable in the target */
    PVOID Ldr;
    PVOID ProcessParameters;
    BYTE Reserved4[104];
    PVOID Reserved5[52];
    PVOID PostProcessInitRoutine;
    BYTE Reserved6[128];
    PVOID Reserved7[1];
    ULONG SessionId;
} PEB, *PPEB;
/* Output of NtQueryInformationProcess(ProcessBasicInformation).
   Only PebBaseAddress is used here (TlGetProcessImageBase). */
typedef struct _PROCESS_BASIC_INFORMATION
{
    NTSTATUS ExitStatus;
    PPEB PebBaseAddress;            /* address of the PEB inside the target process */
    ULONG_PTR AffinityMask;
    KPRIORITY BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
/* ntdll!NtQueryInformationProcess, resolved with GetProcAddress at run time
   (TlGetProcessImageBase).  This file only calls it with class 0,
   ProcessBasicInformation, and a PROCESS_BASIC_INFORMATION buffer. */
typedef NTSTATUS
(NTAPI
*NTQUERYINFORMATIONPROCESS)(
    __in HANDLE ProcessHandle,
    __in ULONG ProcessInformationClass,
    __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
    __in ULONG ProcessInformationLength,
    __out_opt PULONG ReturnLength
    );
/* Image base of hProcess (read from its PEB), or NULL on failure. */
PVOID WINAPI
TlGetProcessImageBase(
    IN HANDLE hProcess
    );
/* Entry point of the image at lpImageBase in hProcess, or NULL; follows a
   leading `call; jmp` pair at the entry point to the jmp target. */
PVOID WINAPI
TlGetProcessAddressOfEntryPoint(
    IN HANDLE hProcess,
    IN PVOID lpImageBase
    );
/* TRUE if the PE header at lpImageBase in hProcess describes an i386 image.
   InstHook2 refuses to write its x86 stub unless this holds. */
BOOL WINAPI
TlIsProcessImageFileI386(
    IN HANDLE hProcess,
    IN PVOID lpImageBase
    );
/* ntdll export signatures.  InstHook2 resolves the four functions with
   GetProcAddress in the injector and stores the pointers in LDRDLL_BLOCK;
   ExecuteRoutine2 then calls them inside the target process. */
typedef NTSTATUS
(NTAPI
*LDRLOADDLL)(
    IN PWSTR SearchPath OPTIONAL,
    IN PULONG DllCharacteristics OPTIONAL,
    IN PUNICODE_STRING DllName,
    OUT PVOID *BaseAddress
    );
typedef NTSTATUS
(NTAPI
*LDRUNLOADDLL)(
    IN PVOID BaseAddress
    );
typedef NTSTATUS
(NTAPI
*LDRGETPROCEDUREADDRESS)(
    IN PVOID BaseAddress,
    IN PANSI_STRING Name,
    IN ULONG Ordinal,
    OUT PVOID *ProcedureAddress
    );
typedef NTSTATUS
(NTAPI
*NTTERMINATEPROCESS)(
    IN HANDLE ProcessHandle,
    IN NTSTATUS ExitStatus
    );
/* Export the injected DLL must provide: named "InitFunc" (InstHook2),
   no arguments, called once by ExecuteRoutine2 before the DLL is unloaded
   and the hosting process is terminated. */
typedef VOID (WINAPI* INITFUNC)();
#endif//__MAIN_H__
最后是Sources文件
# WDK "build" description for the injector: a GUI program whose entry is WinMain.
TARGETNAME = LdrTool
TARGETTYPE = PROGRAM
TARGETPATH = ..
# Level-3 warnings are errors.
MSC_WARNING_LEVEL=/W3 /WX
USE_MSVCRT = 1
UMTYPE = windows
UMENTRY = winmain
UMBASE = 0x400000
C_DEFINES=$(C_DEFINES) -DUNICODE -D_UNICODE
INCLUDES=$(INCLUDES); \
$(IFSKIT_INC_PATH);
# Shlwapi.lib supplies PathFileExistsW used in WinMain.
TARGETLIBS= $(TARGETLIBS) \
$(SDK_LIB_PATH)\kernel32.lib \
$(SDK_LIB_PATH)\Shlwapi.lib
# main.rc is listed but not shown in this post.
SOURCES = main.c main.rc