Ps:代码写的丑,求不吐槽
=====================================以下是代码
#include "stdafx.h"
#include "BlackCipherPass.h"
#include "PSAPI.h"
// Resolved at DLL load time: address of kernel32!CreateProcessW, the first hook target.
DWORD CreateProcessWAddr = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateProcessW");
// This DLL's own module handle (set by InitBcHook); 注入DLL turns it into the path loaded into the child.
HMODULE MyModuleBase;
// lpProcessInformation of the intercepted CreateProcessW call (captured by 处理CreateProcessW);
// HOOKCreateProcessWBack reads the four DWORDs of the PROCESS_INFORMATION block through it.
DWORD g_pi;
// Original return address of the intercepted CreateProcessW call, saved before it is overwritten.
DWORD CreateProcessWRET;
// Get_ZwID is a project helper; presumably the system-call index of ZwReadVirtualMemory — confirm.
// ReadProcessMemoryHook loads it into eax to stand in for the stub bytes the hook overwrote.
DWORD ZwReadID = Get_ZwID("ZwReadVirtualMemory");
// Address of ntdll!ZwReadVirtualMemory (second hook target) and the resume point 5 bytes past it,
// i.e. just after the bytes the inline jmp replaces.
DWORD ReadProcessMemoryAddr = (DWORD)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwReadVirtualMemory");
DWORD ReadProcessMemoryRET = (DWORD)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwReadVirtualMemory") + 5;
// Base and length of the memory image that matching reads are redirected to (set by InitBcHook).
DWORD AdumpAddr;
DWORD ALen;
// Main-module name of the process whose reads are redirected. Only the pointer is stored; the caller owns the string.
CHAR* BCCRCNAME;
// Serialises BCGetRunFileName, which fills a static buffer.
CRITICAL_SECTION g_cs;
// Re-entrancy guard: TRUE while BCGetRunFileName is inside GetModuleBaseNameA so that ReadProcessMemory处理
// ignores reads issued on its behalf. NOTE(review): plain BOOL shared between threads, no atomics.
BOOL g_bool;
// Initialises the BC hook. Param 1: this DLL's handle, obtainable from DllMain. Param 2: the target process that
// BC validates. Param 3: the exported dump of that target process.
// Forward declaration; the hook body is defined below.
void ReadProcessMemoryHook();
void InitBcHook(HMODULE hModule, CHAR* Name, DWORD dumpAddr, DWORD Len)
{
// Guards the static name buffer in BCGetRunFileName; never deleted, the hooks live for the process lifetime.
InitializeCriticalSection(&g_cs);
MyModuleBase = hModule;
// Inline-patch kernel32!CreateProcessW so HOOKCreateProcessW runs first. Hook_JmpADDR is a project helper;
// the "+5" resume addresses used elsewhere suggest a 5-byte jmp overwrite — confirm. From a detection
// standpoint, a modified prologue on this export is the observable artifact.
Hook_JmpADDR(CreateProcessWAddr, (DWORD)HOOKCreateProcessW);
// With no dump supplied only the process-creation hook is installed; the read-redirect hook is skipped.
if (dumpAddr == 0 && Len == 0)
{
return;
}
// Inline-patch ntdll!ZwReadVirtualMemory; the hook is live from this point on, before the globals below are assigned.
Hook_JmpADDR(ReadProcessMemoryAddr, (DWORD)ReadProcessMemoryHook);
AdumpAddr = dumpAddr;
ALen = Len;
BCCRCNAME = Name;   // pointer is kept, not copied — Name must outlive the hook
}
// Runs inside HOOKCreateProcessW. 路径 is the intercepted call's second argument (lpCommandLine), _RET the address
// of its return-address slot on the stack, PI its lpProcessInformation pointer. Launches whose command line does
// not contain "BlackCipher.aes" are left untouched.
void 处理CreateProcessW(wchar_t *路径, DWORD _RET, DWORD PI)
{
if (路径 && wcsstr(路径, L"BlackCipher.aes"))
{
DebugMsg("My 启动BlackCipher.aes");
// Remember where CreateProcessW will write PROCESS_INFORMATION; HOOKCreateProcessWBack reads the handles from it.
g_pi = PI;
// RM_4 appears to be a project macro yielding a writable 32-bit value at an address — confirm.
// Save the caller's return address, then redirect the return into HOOKCreateProcessWBack so the
// child is only touched after CreateProcessW has actually created it.
CreateProcessWRET = RM_4(_RET);
RM_4(_RET) = (DWORD)&HOOKCreateProcessWBack;
}
}
// Return-address trampoline: executes when the hooked CreateProcessW returns to its caller.
// pushad/popad preserve every register, so the caller still receives CreateProcessW's own eax result.
__declspec(naked) void HOOKCreateProcessWBack()
{
_asm{
pushad;
mov eax, g_pi;
// g_pi points at the PROCESS_INFORMATION block CreateProcessW filled in; its four DWORDs are pushed
// right-to-left so 注入DLL receives them as (hProcess, hThread, dwProcessId, dwThreadId).
push[eax + 0xc];
push[eax + 0x8];
push[eax + 0x4];
push[eax];
call 注入DLL;
add esp, 0x10;   // cdecl: caller pops the four arguments
popad;
jmp CreateProcessWRET;   // continue at the original return address
}
}
// Entry hook placed at kernel32!CreateProcessW. The first three instructions re-execute the standard
// hot-patch prologue (mov edi,edi / push ebp / mov ebp,esp) that the 5-byte jmp overwrote, so the
// original frame layout is intact when execution resumes at CreateProcessWAddr + 5.
__declspec(naked) void HOOKCreateProcessW()
{
_asm{
mov edi, edi;
push ebp;
mov ebp, esp;
pushad;
// Arguments for 处理CreateProcessW, pushed right-to-left:
// [ebp+0x2c] = 10th argument (lpProcessInformation), ebp+4 = return-address slot, [ebp+0xC] = 2nd argument (lpCommandLine).
push[ebp + 0x2c];
lea eax, [ebp + 0x4];
push eax;
push[ebp + 0xC];
Call 处理CreateProcessW;
add esp, 0xc;   // cdecl: caller pops the three arguments
popad;
// Resume the real CreateProcessW just past the patched prologue.
mov eax, CreateProcessWAddr;
add eax, 5;
jmp eax;
}
}
// Loads this DLL into the freshly created child via CreateRemoteThread(LoadLibraryW, <own path>).
// Only hProcess is used; hThread, dwProcessId and dwThreadId exist to match the PROCESS_INFORMATION
// layout pushed by HOOKCreateProcessWBack. Detection note: a remote thread in the child whose start
// address is kernel32!LoadLibraryW, created by the parent right after process creation, is the
// observable artifact of this step.
void 注入DLL(HANDLE hProcess, HANDLE hThread, DWORD dwProcessId, DWORD dwThreadId)
{
DebugMsg("My 开始注入到BlackCipher.aes");
// The local address is used as the remote thread start, which relies on kernel32 being mapped at the same base in the child.
LPVOID LoadLibraryWAddr = GetProcAddress(GetModuleHandleA("kernel32"), "LoadLibraryW");
// AllocMem is a project helper; presumably allocates 4096 bytes in the child — confirm. Result is not checked.
DWORD dwAddr = AllocMem(hProcess, 4096);
WCHAR wcName[4096] = { 0 };
HANDLE hObject;
// Full path of this DLL (MyModuleBase) becomes the LoadLibraryW argument inside the child.
GetModuleFileNameW(MyModuleBase, wcName, 4096);
// Copies 4096 bytes, i.e. the first 2048 WCHARs of the 4096-WCHAR buffer; return value unchecked.
WriteProcessMemory(hProcess, (LPVOID)dwAddr, (LPCVOID)&wcName, 4096, 0);
hObject = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryWAddr, (LPVOID)dwAddr, 0, 0);
// 0xFFFFFFFF == INFINITE: the parent blocks until LoadLibraryW in the child returns. The thread handle is never closed.
WaitForSingleObject(hObject, 0xFFFFFFFF);
DebugMsg("My 结束注入");
}
// Forward declaration; defined below.
void ReadProcessMemory处理(HANDLE hProcess, DWORD Addrthsi);
// Entry hook placed at ntdll!ZwReadVirtualMemory. Control arrives with esp at the stub's return address and the
// call's arguments above it: [esp+4] ProcessHandle, [esp+8] BaseAddress, then Buffer, NumberOfBytesToRead, NumberOfBytesRead.
__declspec(naked) void ReadProcessMemoryHook()
{
__asm{
// Re-executes the overwritten first instruction of the Zw stub (mov eax, <service id>); assumes the stub
// begins with that 5-byte mov — confirm against the ntdll build in use.
mov eax, ZwReadID;
pushad;
// pushad stored 0x20 bytes, so [esp+0x28] is the BaseAddress argument slot. Its address is passed so
// that ReadProcessMemory处理 can rewrite the argument in place before the real call runs.
lea eax, [esp+0x28];
push eax;
// NOTE(review): the process handle is taken from the caller's frame ([ebp+8]) rather than from this
// call's own ProcessHandle argument at [esp+0x24]; that only holds if the caller keeps a standard ebp frame — confirm.
push[ebp + 0x8];
Call ReadProcessMemory处理;
add esp, 0x8;   // cdecl: caller pops the two arguments
popad;
// Resume the real stub just past the patched bytes.
jmp ReadProcessMemoryRET
}
}
// Returns the base name of hProcess's main module (GetModuleBaseNameA with hModule == 0) in a static buffer.
// The critical section serialises the lookup itself, but the returned pointer refers to shared storage that
// the next caller overwrites, so the result is only valid until the next call. g_bool is raised for the
// duration so that ReadProcessMemory处理 bails out on any reads PSAPI presumably makes on behalf of this
// lookup (avoids recursion through the ZwReadVirtualMemory hook).
CHAR* BCGetRunFileName(HANDLE hProcess)
{
EnterCriticalSection(&g_cs);
static CHAR Name[255] = { 0 };
g_bool = TRUE;
GetModuleBaseNameA(hProcess, 0, Name, 255);   // return value unchecked; a stale Name is returned on failure
g_bool = FALSE;
LeaveCriticalSection(&g_cs);
return Name;
}
// Called from ReadProcessMemoryHook ahead of every ZwReadVirtualMemory. hProcess is the handle being read,
// Addrthsi the stack address of the call's BaseAddress argument. When the read targets the process named
// BCCRCNAME and the address lies within ALen bytes of the hard-coded image base 0x400000, the argument is
// rewritten to the same offset inside the dump at AdumpAddr, so the read is served from the dump rather
// than the live process. All other reads pass through unchanged.
void ReadProcessMemory处理(HANDLE hProcess, DWORD Addrthsi)
{
// Re-entrancy guard: reads issued while BCGetRunFileName is resolving a name are not touched.
if (g_bool)
{
return;
}
// Case-insensitive main-module name match; BCCRCNAME is set by InitBcHook.
if (!stricmp(BCGetRunFileName(hProcess), BCCRCNAME))
{
int py;
// Offset of the requested address from the fixed base 0x400000 (a non-relocated image is assumed).
py = *(int*)(Addrthsi) - 0x400000;
// Note: py is converted to unsigned for the comparison with ALen (DWORD), so a negative py already fails
// the first test; the explicit py < 0 check is redundant but harmless.
if (py > ALen || py < 0)
{
return;
}
DebugMsg("My 确认NG正在访问主进程内存, 地址0x%08X", RM_4(Addrthsi));
// Redirect the read into the dump (RM_4 appears to be a 32-bit lvalue-at-address macro — confirm).
RM_4(Addrthsi) = (AdumpAddr+ py);
}
} |