小Q书桌图标实现分析一

相关知识:    Windows在调用进程,创建线程时,操作系统都会为每个线程创建TEB,而且FS段寄存器总是被设置成FS:0,指向线程的TEB数据,TEB结构的0x30偏移处是PEB。

基本原理:    根据系统版本(Win7 Or Not)和架构(64\32位)加载不同的Dll,在explorer中开启一个远线程执行,远线程中根据PEB,动态获取LoadLibrary的地址,加载该DLL.在DLL加载时,Hook以下4个系统位置函数:MoveWindow,SetWindowPos,DeferWindowPos和EndPaint

我的是Win7系统,所以QDesk.exe 中,加载\\ProgramData\\Module\\QDPatch1.1.dll

; QDesk.exe side (OllyDbg, 32-bit): find the taskbar, derive explorer.exe's PID
; from it, then stage a code page and a DLL-path buffer inside explorer.
; The excerpts are discontiguous; registers carried between them (esi = hProcess,
; ebp/edi = remote buffers) are inferred from the push comments, and any error
; checks would sit in the gaps between excerpts.  The thread-creation call that
; eventually runs the staged code is not shown on this page.
0143B4AD  |.  6A 00         push    0                                                ; /Title = NULL
0143B4AF  |.  68 B4724A01   push    014A72B4                                         ; |Class = "Shell_TrayWnd" (top-level taskbar window)
0143B4B4  |.  8BF0          mov     esi, eax                                         ; |
0143B4B6  |.  FFD5          call    ebp                                              ; \FindWindowW -> eax = taskbar HWND (0 if none)

0143B4E1  |.  6A 00         push    0                                                ; /Title = NULL
0143B4E3  |.  68 14F44A01   push    014AF414                                         ; |Class = "ReBarWindow32" (rebar child of the taskbar)
0143B4E8  |.  6A 00         push    0                                                ; |hAfterWnd = NULL
0143B4EA  |.  50            push    eax                                              ; |hParent = taskbar HWND from FindWindowW above
0143B4EB  |.  FFD7          call    edi                                              ; \FindWindowExW -> eax = rebar HWND

0143B628  |.  52            push    edx                                              ; /pProcessID = out pointer; receives the owning PID
0143B629  |.  50            push    eax                                              ; |hWnd = ReBarWindow32 handle
0143B62A  |.  896C24 18     mov     dword ptr [esp+18], ebp                          ; |
0143B62E  |.  FF15 90F54901 call    dword ptr [<&USER32.GetWindowThreadProcessId>]   ; \GetWindowThreadProcessId; the taskbar is hosted by explorer.exe, so the PID written is explorer's

01403D2C  |.  52            push    edx                                              ; /ProcessId = explorer.exe PID (from GetWindowThreadProcessId)
01403D2D  |.  53            push    ebx                                              ; |Inheritable
01403D2E  |.  50            push    eax                                              ; |Access (access mask is set above this excerpt; not shown)
01403D2F  |.  FF15 14F14901 call    dword ptr [<&KERNEL32.OpenProcess>]              ; \OpenProcess -> hProcess (presumably moved to esi; used as hProcess below)

; VirtualAllocEx(hProcess, lpAddress, dwSize, flAllocationType, flProtect):
; arguments are pushed right-to-left, so the flProtect push precedes this excerpt.
01403D51  |.  57            push    edi                                              ; flAllocationType
01403D52  |.  68 00100000   push    1000                                             ; dwSize = 0x1000 bytes
01403D57  |.  53            push    ebx                                              ; lpAddress
01403D58  |.  56            push    esi                                              ; hProcess
01403D59  |.  FF15 F4F24901 call    dword ptr [<&KERNEL32.VirtualAllocEx>]           ;  kernel32.VirtualAllocEx -> remote base; presumably kept in ebp (used as Address below)

; First write: copy 0x1000 bytes of QDesk's own image at 01403B30 into the
; remote page.  That is the position-independent stub whose remote copy is
; listed below at 02ED0000.
01403D69  |.  6A 00         push    0                                                ; /pBytesWritten = NULL
01403D6B  |.  68 00100000   push    1000                                             ; |BytesToWrite = 1000 (4096.)
01403D70  |.  68 303B4001   push    01403B30                                         ; |Buffer = QDesk.01403B30 (stub source in QDesk's image)
01403D75  |.  55            push    ebp                                              ; |Address = remote page from VirtualAllocEx
01403D76  |.  56            push    esi                                              ; |hProcess
01403D77  |.  FF15 18F14901 call    dword ptr [<&KERNEL32.WriteProcessMemory>]       ; \WriteProcessMemory

; Second write: the ANSI DLL path from the local stack into a second remote
; buffer (edi); that buffer's allocation is not in this excerpt.  Its remote
; address becomes the stub's single argument.
01403DAF  |.  6A 00         push    0                                                ; /pBytesWritten = NULL
01403DB1  |.  52            push    edx                                              ; |BytesToWrite = path length
01403DB2  |.  8D4424 30     lea     eax, dword ptr [esp+30]                          ; |ProgramData\Module\QDPatch1.1.dll (local path string)
01403DB6  |.  50            push    eax                                              ; |Buffer
01403DB7  |.  57            push    edi                                              ; |Address = remote path buffer
01403DB8  |.  56            push    esi                                              ; |hProcess
01403DB9  |.  FF15 18F14901 call    dword ptr [<&KERNEL32.WriteProcessMemory>]       ; \WriteProcessMemory
//上面的过程,大概意思是在explorer中开启一个远线程,远线程参数为DLL路径字符串的地址,将下面的代码注入并执行

; Remote stub (copied from QDesk.01403B30, executing at 02ED0000 inside
; explorer.exe).  C-equivalent: BOOL __stdcall stub(const char *dllPath)
; -- `retn 4` pops the single argument, read at [esp+28] after the pushes.
; Stack layout after `sub esp,14` and four pushes:
;   [esp+10] kernel32 base     [esp+14] result (0/1)    [esp+18] NumberOfNames
;   [esp+1C] ordinal of current name                   [esp+20] AddressOfFunctions (VA)
;   [esp+24] return address    [esp+28] dllPath (thread argument)
; It resolves one kernel32 export by walking the PEB and hashing export names
; (no import table, no API name string), then calls it with dllPath.  This
; PEB -> Ldr -> export-hash idiom is the classic position-independent loader
; pattern and is what memory scanners and hunting rules key on.  Returns 1
; only after the call; 0 on any header mismatch or if no name hashes to the
; constant.  The failure target 02ED0104 lies just past this listing.
02ED0000    83EC 14         sub     esp, 14                          ; 0x14 bytes of locals
02ED0003    53              push    ebx                              ; save callee-saved regs
02ED0004    55              push    ebp
02ED0005    56              push    esi
02ED0006    57              push    edi
02ED0007    33FF            xor     edi, edi                         ; edi = 0 (reused as the name index below)
02ED0009    897C24 10       mov     dword ptr [esp+10], edi
02ED000D    897C24 14       mov     dword ptr [esp+14], edi          ; result = 0
; PEB walk (x86 layout): fs:[30] = PEB; PEB+0C = Ldr; Ldr+0C =
; InLoadOrderModuleList.Flink (first entry = the exe).  Two Flink hops skip
; the exe and ntdll, so the third entry is kernel32 on the author's Win7;
; LDR_DATA_TABLE_ENTRY+18 = DllBase.
; NOTE(review): this keys on load ORDER, not on the module name -- any
; environment where kernel32 is not the third entry resolves the wrong module.
02ED0011    64:A1 30000000  mov     eax, dword ptr fs:[30]           ; eax = PEB
02ED0017    8B40 0C         mov     eax, dword ptr [eax+C]           ; eax = PEB->Ldr
02ED001A    8B40 0C         mov     eax, dword ptr [eax+C]           ; eax = InLoadOrderModuleList.Flink (1st entry: exe)
02ED001D    8B00            mov     eax, dword ptr [eax]             ; 2nd entry (ntdll)
02ED001F    8B00            mov     eax, dword ptr [eax]             ; 3rd entry (kernel32)
02ED0021    8B40 18         mov     eax, dword ptr [eax+18]          ; ds:[005623A0]=77930000 (kernel32.77930000) -> DllBase
02ED0024    894424 10       mov     dword ptr [esp+10], eax
02ED0028    8B7424 10       mov     esi, dword ptr [esp+10]          ; esi = kernel32 base for the rest of the stub
; PE header sanity: 'MZ', then e_lfanew (+3C) -> 'PE\0\0'.
02ED002C    66:813E 4D5A    cmp     word ptr [esi], 5A4D             ; IMAGE_DOS_SIGNATURE "MZ"
02ED0031    0F85 CD000000   jnz     02ED0104                         ; not a DOS header -> bail (target outside listing)
02ED0037    8B4E 3C         mov     ecx, dword ptr [esi+3C]          ; e_lfanew
02ED003A    03CE            add     ecx, esi                         ; ecx = IMAGE_NT_HEADERS
02ED003C    8139 50450000   cmp     dword ptr [ecx], 4550            ; IMAGE_NT_SIGNATURE "PE\0\0"
02ED0042    0F85 BC000000   jnz     02ED0104
; Export table = DataDirectory[0]: VirtualAddress at NT+78, Size at NT+7C.
02ED0048    8B41 78         mov     eax, dword ptr [ecx+78]          ; eax = export directory RVA
02ED004B    3BC7            cmp     eax, edi                         ; RVA == 0 ?
02ED004D    8B49 7C         mov     ecx, dword ptr [ecx+7C]          ; ecx = export directory size
02ED0050    0F84 AE000000   je      02ED0104                         ; no export table
02ED0056    3BCF            cmp     ecx, edi
02ED0058    0F84 A6000000   je      02ED0104                         ; zero-sized export table
; IMAGE_EXPORT_DIRECTORY fields (RVAs, rebased by +esi):
;   +18 NumberOfNames  +1C AddressOfFunctions  +20 AddressOfNames  +24 AddressOfNameOrdinals
02ED005E    8B5C30 20       mov     ebx, dword ptr [eax+esi+20]      ; ebx = AddressOfNames
02ED0062    8B6C30 24       mov     ebp, dword ptr [eax+esi+24]      ; ebp = AddressOfNameOrdinals
02ED0066    8B4C30 1C       mov     ecx, dword ptr [eax+esi+1C]      ; ecx = AddressOfFunctions
02ED006A    8B4430 18       mov     eax, dword ptr [eax+esi+18]      ; eax = NumberOfNames
02ED006E    03CE            add     ecx, esi                         ; RVA -> VA
02ED0070    03DE            add     ebx, esi
02ED0072    03EE            add     ebp, esi
02ED0074    3BC7            cmp     eax, edi                         ; NumberOfNames vs 0
02ED0076    894C24 20       mov     dword ptr [esp+20], ecx          ; save AddressOfFunctions VA
02ED007A    894424 18       mov     dword ptr [esp+18], eax          ; save NumberOfNames
02ED007E    76 76           jbe     short 02ED00F6                   ; no names -> return result (still 0)
; Name loop: for (edi = 0; edi < NumberOfNames; ++edi)
;   h = 0; for each byte c of name (sign-extended): h = h*0x83 + c;
;   h &= 0x7FFFFFFF; if (h == 0x7F201F78) -> hit.
; None of the RVAs are bounds-checked against the export-directory size read
; above; a corrupt table would be followed blindly.
02ED0080    0FB74C7D 00     movzx   ecx, word ptr [ebp+edi*2]        ; ecx = NameOrdinals[edi]
02ED0085    8B04BB          mov     eax, dword ptr [ebx+edi*4]       ; eax = Names[edi] (RVA)
02ED0088    03C6            add     eax, esi                         ; eax = name string VA
02ED008A    894C24 1C       mov     dword ptr [esp+1C], ecx          ; remember the ordinal in case this is the hit
02ED008E    8A08            mov     cl, byte ptr [eax]               ; cl = first char
02ED0090    33D2            xor     edx, edx                         ; edx = hash = 0
02ED0092    84C9            test    cl, cl
02ED0094    74 1E           je      short 02ED00B4                   ; empty name -> compare hash 0
02ED0096    EB 08           jmp     short 02ED00A0
02ED0098    8DA424 00000000 lea     esp, dword ptr [esp]             ; 7-byte nop: compiler loop-alignment padding, never executed
02ED009F    90              nop
02ED00A0    69D2 83000000   imul    edx, edx, 83                     ; hash *= 0x83 (131)
02ED00A6    0FBEC9          movsx   ecx, cl                          ; sign-extended char
02ED00A9    83C0 01         add     eax, 1
02ED00AC    03D1            add     edx, ecx                         ; hash += c
02ED00AE    8A08            mov     cl, byte ptr [eax]
02ED00B0    84C9            test    cl, cl
02ED00B2  ^ 75 EC           jnz     short 02ED00A0                   ; until NUL
02ED00B4    81E2 FFFFFF7F   and     edx, 7FFFFFFF                    ; drop the sign bit
02ED00BA    81FA 781F207F   cmp     edx, 7F201F78                    ; target hash; the API name is inferred (LoadLibrary per the note below), never present as a string
02ED00C0    74 17           je      short 02ED00D9                   ; hit
02ED00C2    83C7 01         add     edi, 1
02ED00C5    3B7C24 18       cmp     edi, dword ptr [esp+18]
02ED00C9  ^ 72 B5           jb      short 02ED0080                   ; unsigned compare -> next name
; Not found: return result (0).
02ED00CB    8B4424 14       mov     eax, dword ptr [esp+14]
02ED00CF    5F              pop     edi
02ED00D0    5E              pop     esi
02ED00D1    5D              pop     ebp
02ED00D2    5B              pop     ebx
02ED00D3    83C4 14         add     esp, 14
02ED00D6    C2 0400         retn    4
; Hit: func = base + AddressOfFunctions[ordinal]; func(dllPath); result = 1.
02ED00D9    0FB74424 1C     movzx   eax, word ptr [esp+1C]           ; stack ss:[0541FF54]=033C -> eax = ordinal of the matching name
02ED00DE    8B5424 28       mov     edx, dword ptr [esp+28]          ; stack ss:[0541FF60]=02EE0000, (ASCII "C:\Program Files\Tencent\QDesk\\ProgramData\Module\QDPatch1.1.dll") -> edx = dllPath (thread argument)
02ED00E2    8B4C24 20       mov     ecx, dword ptr [esp+20]          ; stack ss:[0541FF58]=779E4FEC (kernel32.779E4FEC) -> ecx = AddressOfFunctions
02ED00E6    52              push    edx                              ; arg 1 = dllPath (ANSI, consistent with the "A" variant)
02ED00E7    8B1481          mov     edx, dword ptr [ecx+eax*4]       ; ds:[779E5CDC]=0005395C -> RVA of the export
02ED00EA    03D6            add     edx, esi                         ; VA
02ED00EC    FFD2            call    edx                              ; the [esp+14] store below assumes the callee pops its argument (stdcall); its return value (HMODULE) is discarded
02ED00EE    C74424 14 01000>mov     dword ptr [esp+14], 1            ; result = 1 whether or not the load succeeded (eax from the call is never tested)
02ED00F6    8B4424 14       mov     eax, dword ptr [esp+14]
02ED00FA    5F              pop     edi
02ED00FB    5E              pop     esi
02ED00FC    5D              pop     ebp
02ED00FD    5B              pop     ebx
02ED00FE    83C4 14         add     esp, 14
02ED0101    C2 0400         retn    4
// 以上为根据PEB,动态获取LoadLibrary的地址,加载传递进来的参数,也就是DLL的路径.

QDPatch1.1.dll 中实现过程如下 
DLL_PROCESS_ATTACH 如下
; BOOL OpenShareMemView(void) -- returns eax = 1 if a view is mapped, else 0.
; Opens the named section "QQHookSharedMem_{2D622292-0C55-40f7-BBF...}" once
; (handle cached in the global hFileMappingObject) and maps it into the global
; lpBaseAddress.  dwDesiredAccess 6 = FILE_MAP_READ (4) | FILE_MAP_WRITE (2),
; so the hook DLL gets a writable view.  Which other processes can open the
; same name depends on the DACL chosen by its creator (not shown on this page).
; NOTE(review): on the MapViewOfFile failure path the handle is closed but
; hFileMappingObject is not reset to 0, so the next call takes the
; "cached handle" branch and calls MapViewOfFile with a closed handle value.
text:10001020 OpenShareMemView proc near              ; CODE XREF: DllMain(x,x,x)+3Ap
.text:10001020                 mov     eax, hFileMappingObject
.text:10001025                 test    eax, eax
.text:10001027                 jz      short loc_1000102E ; no handle yet -> open the section
.text:10001029                 cmp     eax, 0FFFFFFFFh ; INVALID_HANDLE_VALUE -> also (re)open
.text:1000102C                 jnz     short loc_10001042 ; otherwise reuse the cached handle
.text:1000102E
.text:1000102E loc_1000102E:                           ; CODE XREF: OpenShareMemView+7j
.text:1000102E                 push    offset Name     ; "QQHookSharedMem_{2D622292-0C55-40f7-BBF"...
.text:10001033                 push    0               ; bInheritHandle = FALSE
.text:10001035                 push    6               ; dwDesiredAccess = FILE_MAP_READ | FILE_MAP_WRITE
.text:10001037                 call    ds:OpenFileMappingW
.text:1000103D                 mov     hFileMappingObject, eax ; cache the handle (may be 0 on failure)
.text:10001042
.text:10001042 loc_10001042:                           ; CODE XREF: OpenShareMemView+Cj
.text:10001042                 test    eax, eax
.text:10001044                 jnz     short loc_10001047
.text:10001046                 retn                    ; eax is 0 here -> returns FALSE
.text:10001047 ; ---------------------------------------------------------------------------
.text:10001047
.text:10001047 loc_10001047:                           ; CODE XREF: OpenShareMemView+24j
.text:10001047                 push    0               ; dwNumberOfBytesToMap = 0 -> map the whole section
.text:10001049                 push    0               ; dwFileOffsetLow
.text:1000104B                 push    0               ; dwFileOffsetHigh
.text:1000104D                 push    6               ; dwDesiredAccess = FILE_MAP_READ | FILE_MAP_WRITE
.text:1000104F                 push    eax             ; hFileMappingObject
.text:10001050                 call    ds:MapViewOfFile
.text:10001056                 test    eax, eax
.text:10001058                 mov     lpBaseAddress, eax ; stored even when 0 (flags preserved by mov)
.text:1000105D                 jnz     short loc_10001070 ; mapped -> compute the return value
.text:1000105F                 mov     eax, hFileMappingObject
.text:10001064                 push    eax             ; hObject
.text:10001065                 call    ds:CloseHandle  ; closes the section handle; the global still holds the stale value
.text:1000106B                 mov     eax, lpBaseAddress ; reload 0 so the setnz below yields FALSE
.text:10001070
.text:10001070 loc_10001070:                           ; CODE XREF: OpenShareMemView+3Dj
.text:10001070                 xor     ecx, ecx
.text:10001072                 test    eax, eax
.text:10001074                 setnz   cl              ; cl = (lpBaseAddress != 0)
.text:10001077                 mov     eax, ecx        ; return as BOOL
.text:10001079                 retn
.text:10001079 OpenShareMemView endp
//以上代码功能是: 打开名为:QQHookSharedMem_{2D622292-0C55-40f7-BBF1-65F50514B2F2}的文件内存映射,将地址放入lpBaseAddress变量中
//下面是一些逻辑判断
; DLL_PROCESS_ATTACH: confirm this process is the intended host before hooking.
; The shared block (lpBaseAddress, mapped by OpenShareMemView) carries a PID at
; +8; who writes it is not shown here (presumably the QDesk side).
call    ds:GetCurrentProcessId
mov     esi, eax                 ; esi = our PID (explorer.exe)
mov     eax, lpBaseAddress       ; eax = shared block
cmp     esi, [eax+8]             ; +8: expected host PID
jz      short loc_10002044       ; equal -> continue (target lies outside this excerpt); else fall through to the cleanup described below
// 比较当前进程,也就是explorer 的进程ID和lpBaseAddress+8偏移处的值是否相等,不等则关闭内存映射

cmp     dword ptr [eax], 0B      ; +0 of the shared block: tag/version must be 0Bh (its meaning is not shown; mismatch path described below)
// 比较lpBaseAddress+0偏移处的标志位是否等于0Bh,不等则关闭内存映射

DisableThreadLibraryCalls    // 防止多次加载

; Subclass the window whose HWND sits at shared+86Ch (QDesk's window, per the
; PostMessageW note further down): SetWindowLongW(hWnd, GWL_WNDPROC,
; sub_10001910), with the previous procedure kept in lpPrevWndFunc.
; NOTE(review): eax is stored without a zero check; SetWindowLongW returns 0
; on failure, so lpPrevWndFunc can end up 0 and whatever later chains to it
; (not shown) would have nothing to call.
mov     ecx, lpBaseAddress
mov     edx, [ecx+86Ch]          ; edx = hWnd from the shared block
add     esp, 4                   ; presumably stack cleanup for a cdecl call above this excerpt
push    offset sub_10001910 ; dwNewLong = replacement WNDPROC
push    GWL_WNDPROC     ; nIndex
push    edx             ; hWnd
call    ds:SetWindowLongW
mov     lpPrevWndFunc, eax       ; previous WNDPROC (0 on failure -- unchecked)
call    HookSysFunc              ; install the four API hooks (body listed below)
// lpBaseAddress+86Ch处存放窗口句柄,替换该窗口的窗口过程为sub_10001910

//接下来Hook几个系统函数,下面是 HookSysFunc的实现

; HookSysFunc: hook four user32 window-geometry/paint APIs.  With stdcall/cdecl
; left-to-right argument order the push sequence reads HookFunc(target,
; replacement); HookFunc's convention, its patching method and any stack
; cleanup are not visible in this excerpt.  sub_10009380 / sub_10009960 bracket
; the hooking; their bodies are not shown.
call    sub_10009380             ; pre-hook step (not shown)
push    offset NewFunc_MoveWindow
push    offset SysFunc_MoveWindow
call    HookFunc                 ; HookFunc(MoveWindow, NewFunc_MoveWindow)
push    offset NewFunc_SetWindowPos
push    offset sysFunc_SetWindowPos
call    HookFunc                 ; HookFunc(SetWindowPos, NewFunc_SetWindowPos)
push    offset NewFunc_DeferWindowPos
push    offset sysFunc_DeferWindowPos
call    HookFunc                 ; HookFunc(DeferWindowPos, NewFunc_DeferWindowPos)
push    offset NewFunc_EndPaint
push    offset sysFunc_EndPaint
call    HookFunc                 ; HookFunc(EndPaint, NewFunc_EndPaint)
call    sub_10009960             ; post-hook step (not shown)
mov     ecx, lpBaseAddress
mov     edx, [ecx+86Ch]          ; edx = hWnd of QDesk's window (same shared slot used for the subclass)

// 然后向QDesk.exe发送消息
; Notify QDesk that the hooks are in place: PostMessageW(hWnd, 0BD0h, 0, 0).
; 0BD0h is an application-private message (WM_USER = 400h, so 0BD0h =
; WM_USER + 7D0h); its handler on the QDesk side is not shown.  Then force a
; full repaint of the same window and set the global g_isHooked flag.
push    0               ; lParam
push    0               ; wParam
push    0BD0h           ; Msg = WM_USER + 7D0h
push    edx             ; hWnd
call    ds:PostMessageW ; return value not checked
mov     eax, lpBaseAddress
mov     ecx, [eax+86Ch]          ; hWnd again
push    1               ; bErase = TRUE
push    0               ; lpRect = NULL -> whole client area
push    ecx             ; hWnd
call    ds:InvalidateRect        ; presumably so the freshly hooked paint path runs once
mov     g_isHooked, 1            ; global "hooks installed" flag
