diff --git a/CcMainDll/.vs/CcMainDll/v15/.suo b/CcMainDll/.vs/CcMainDll/v15/.suo index 7f7ce75..5611911 100644 Binary files a/CcMainDll/.vs/CcMainDll/v15/.suo and b/CcMainDll/.vs/CcMainDll/v15/.suo differ diff --git a/CcMainDll/.vs/CcMainDll/v15/Solution.VC.db-shm b/CcMainDll/.vs/CcMainDll/v15/Solution.VC.db-shm new file mode 100644 index 0000000..eaa1bbd Binary files /dev/null and b/CcMainDll/.vs/CcMainDll/v15/Solution.VC.db-shm differ diff --git a/CcMainDll/.vs/CcMainDll/v15/Solution.VC.db-wal b/CcMainDll/.vs/CcMainDll/v15/Solution.VC.db-wal new file mode 100644 index 0000000..baa69ae Binary files /dev/null and b/CcMainDll/.vs/CcMainDll/v15/Solution.VC.db-wal differ diff --git a/CcMainDll/CcMainDll/dllmain.cpp b/CcMainDll/CcMainDll/dllmain.cpp index 5bb4d11..ac759b9 100644 --- a/CcMainDll/CcMainDll/dllmain.cpp +++ b/CcMainDll/CcMainDll/dllmain.cpp @@ -239,18 +239,13 @@ extern "C" __declspec(dllexport) void TestFun() } - +/* test asm FILE * pFile; - long lSize; - char * buffer; - size_t result; extern "C" __declspec(dllexport) bool InitTestReflectiveLoader() { - - // 一个不漏地读入整个文件,只能采用二进制方式打开 pFile = fopen(".\\..\\..\\bin\\server\\CcMainDll.dll", "rb"); @@ -267,8 +262,6 @@ extern "C" __declspec(dllexport) bool InitTestReflectiveLoader() } - - // 获取文件大小 fseek(pFile, 0, SEEK_END); @@ -276,9 +269,6 @@ extern "C" __declspec(dllexport) bool InitTestReflectiveLoader() lSize = ftell(pFile); rewind(pFile); - - - // 分配内存存储整个文件 buffer = (char*)malloc(sizeof(char)*lSize); @@ -294,9 +284,6 @@ extern "C" __declspec(dllexport) bool InitTestReflectiveLoader() return false; } - - - // 将文件拷贝到buffer中 result = fread(buffer, 1, lSize, pFile); @@ -313,10 +300,8 @@ extern "C" __declspec(dllexport) bool InitTestReflectiveLoader() } return true; - } - - +*/ inline DWORD GetCurrentPositionAddress() { diff --git a/CcMainDll/wsc/Release/wsc.log b/CcMainDll/wsc/Release/wsc.log index 589efb9..d4a13f4 100644 --- a/CcMainDll/wsc/Release/wsc.log +++ b/CcMainDll/wsc/Release/wsc.log 
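Review bot: In CcMainDll/CcMainDll/dllmain.cpp the test loader is disabled by wrapping it in `/* test asm … */`, which leaves dead code in the DLL source, including a hard-coded relative `fopen` path and four file-scope globals. The comment will also end early at the first `*/` anyone later adds inside the span. This commit adds the same loader to strCodeTest.cpp as `LoaderFile()`, so delete the block here, or fence it with `#if 0` / `#endif` if it must stay for reference. Commenting it out also drops the `InitTestReflectiveLoader` export, and any callers of it are not visible in this diff. The commented span runs across all five hunks of this file, and the function body is only partly shown in them.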
@@ -1,7 +1,16 @@ - pch.cpp +G:\VS2017\Common7\IDE\VC\VCTargets\Microsoft.CppBuild.targets(377,5): warning MSB8004: Output 目录未以斜杠结尾。 此生成实例将添加斜杠,因为必须有这个斜杠才能正确计算 Output 目录。 + pch.cpp dllmain.cpp - 正在创建库 F:\myapp\CcRemote\CcMainDll\Release\wsc.lib 和对象 F:\myapp\CcRemote\CcMainDll\Release\wsc.exp +g:\ccremote\ccremote\ccmaindll\wsc\dllmain.cpp(9): warning C4018: “<=”: 有符号/无符号不匹配 +g:\ccremote\ccremote\ccmaindll\wsc\dllmain.cpp(11): warning C4267: “=”: 从“size_t”转换到“char”,可能丢失数据 +g:\ccremote\ccremote\ccmaindll\wsc\dllmain.cpp(62): warning C4838: 从“int”转换到“char”需要收缩转换 +g:\ccremote\ccremote\ccmaindll\wsc\dllmain.cpp(62): warning C4309: “初始化”: 截断常量值 +g:\ccremote\ccremote\ccmaindll\wsc\dllmain.cpp(63): warning C4838: 从“int”转换到“char”需要收缩转换 +g:\ccremote\ccremote\ccmaindll\wsc\dllmain.cpp(63): warning C4309: “初始化”: 截断常量值 +g:\ccremote\ccremote\ccmaindll\wsc\dllmain.cpp(64): warning C4838: 从“int”转换到“char”需要收缩转换 +g:\ccremote\ccremote\ccmaindll\wsc\dllmain.cpp(64): warning C4309: “初始化”: 截断常量值 + 正在创建库 ..\..\bin\hijack\wsc.lib 和对象 ..\..\bin\hijack\wsc.exp 正在生成代码 - All 6 functions were compiled because no usable IPDB/IOBJ from previous compilation was found. + All 8 functions were compiled because no usable IPDB/IOBJ from previous compilation was found. 已完成代码的生成 - wsc.vcxproj -> F:\myapp\CcRemote\CcMainDll\Release\wsc.dll + wsc.vcxproj -> G:\CcRemote\CcRemote\CcMainDll\wsc\..\..\bin\hijack\wsc.dll diff --git a/CcMainDll/wsc/Release/wsc.tlog/wsc.lastbuildstate b/CcMainDll/wsc/Release/wsc.tlog/wsc.lastbuildstate index 3f4a20c..fd0ad53 100644 --- a/CcMainDll/wsc/Release/wsc.tlog/wsc.lastbuildstate +++ b/CcMainDll/wsc/Release/wsc.tlog/wsc.lastbuildstate @@ -1,2 +1,2 @@ #TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.17763.0 -Release|Win32|F:\myapp\CcRemote\CcMainDll\| +Release|Win32|G:\CcRemote\CcRemote\CcMainDll\| 
diff --git a/bin/hijack/wsc.dll b/bin/hijack/wsc.dll
index bc74589..033e081 100644
Binary files a/bin/hijack/wsc.dll and b/bin/hijack/wsc.dll differ
diff --git a/bin/hijack/wsc.lib b/bin/hijack/wsc.lib
index ee09c7a..3756d48 100644
Binary files a/bin/hijack/wsc.lib and b/bin/hijack/wsc.lib differ
diff --git a/strCodeTest/.vs/strCodeTest/v15/.suo b/strCodeTest/.vs/strCodeTest/v15/.suo
index 09d2fc7..f100536 100644
Binary files a/strCodeTest/.vs/strCodeTest/v15/.suo and b/strCodeTest/.vs/strCodeTest/v15/.suo differ
diff --git a/strCodeTest/Debug/strCodeTest.exe b/strCodeTest/Debug/strCodeTest.exe
index ddb99f9..7f6767f 100644
Binary files a/strCodeTest/Debug/strCodeTest.exe and b/strCodeTest/Debug/strCodeTest.exe differ
diff --git a/strCodeTest/strCodeTest/Debug/strCodeTest.log b/strCodeTest/strCodeTest/Debug/strCodeTest.log
index a2fd81c..bb8d013 100644
--- a/strCodeTest/strCodeTest/Debug/strCodeTest.log
+++ b/strCodeTest/strCodeTest/Debug/strCodeTest.log
@@ -1,6 +1,9 @@  strCodeTest.cpp -f:\myapp\ccremote\strcodetest\strcodetest\strcodetest.cpp(13): warning C4018: “<=”: 有符号/无符号不匹配 -f:\myapp\ccremote\strcodetest\strcodetest\strcodetest.cpp(15): warning C4267: “=”: 从“size_t”转换到“char”,可能丢失数据 -f:\myapp\ccremote\strcodetest\strcodetest\strcodetest.cpp(27): warning C4018: “<=”: 有符号/无符号不匹配 -f:\myapp\ccremote\strcodetest\strcodetest\strcodetest.cpp(29): warning C4267: “=”: 从“size_t”转换到“char”,可能丢失数据 - strCodeTest.vcxproj -> F:\myapp\CcRemote\strCodeTest\Debug\strCodeTest.exe +g:\ccremote\ccremote\strcodetest\strcodetest\strcodetest.cpp(18): warning C4018: “<=”: 有符号/无符号不匹配 +g:\ccremote\ccremote\strcodetest\strcodetest\strcodetest.cpp(20): warning C4267: “=”: 从“size_t”转换到“char”,可能丢失数据 +g:\ccremote\ccremote\strcodetest\strcodetest\strcodetest.cpp(32): warning C4018: “<=”: 有符号/无符号不匹配 +g:\ccremote\ccremote\strcodetest\strcodetest\strcodetest.cpp(34): warning C4267: “=”: 从“size_t”转换到“char”,可能丢失数据 +g:\ccremote\ccremote\strcodetest\strcodetest\strcodetest.cpp(53): warning C4996: 'fopen': This function or variable may be unsafe. Consider using fopen_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details. + g:\windows kits\10\include\10.0.17763.0\ucrt\stdio.h(208): note: 参见“fopen”的声明 +g:\ccremote\ccremote\strcodetest\strcodetest\strcodetest.cpp(119): warning C4244: “参数”: 从“time_t”转换到“unsigned int”,可能丢失数据 + strCodeTest.vcxproj -> G:\CcRemote\CcRemote\strCodeTest\Debug\strCodeTest.exe diff --git a/strCodeTest/strCodeTest/Debug/strCodeTest.tlog/strCodeTest.lastbuildstate b/strCodeTest/strCodeTest/Debug/strCodeTest.tlog/strCodeTest.lastbuildstate index 5bbebeb..7b55ff4 100644 --- a/strCodeTest/strCodeTest/Debug/strCodeTest.tlog/strCodeTest.lastbuildstate +++ b/strCodeTest/strCodeTest/Debug/strCodeTest.tlog/strCodeTest.lastbuildstate 
@@ -1,2 +1,2 @@ #TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.17763.0 -Debug|Win32|F:\myapp\CcRemote\strCodeTest\| +Debug|Win32|G:\CcRemote\CcRemote\strCodeTest\| diff --git a/strCodeTest/strCodeTest/strCodeTest.cpp b/strCodeTest/strCodeTest/strCodeTest.cpp index 344f54f..a645a5e 100644 --- a/strCodeTest/strCodeTest/strCodeTest.cpp +++ b/strCodeTest/strCodeTest/strCodeTest.cpp @@ -2,6 +2,11 @@ // #include +#include +#include + +#define SIZE 256 + char* crycode(char* str) { 
@@ -37,8 +42,143 @@ char* uncode(char* str) + +FILE * pFile; +long lSize; +unsigned char * buffer; +size_t result; +bool LoaderFile() +{ + // 一个不漏地读入整个文件,只能采用二进制方式打开 + pFile = fopen(".\\..\\..\\bin\\server\\CcMainDll.dll", "rb"); + + if (pFile == NULL) + { + fputs("File error", stderr); + printf("open file fail"); + return false; + } + + // 获取文件大小 + fseek(pFile, 0, SEEK_END); + lSize = ftell(pFile); + rewind(pFile); + // 分配内存存储整个文件 + buffer = (unsigned char*)malloc(sizeof(char)*lSize); + + if (buffer == NULL) + { + fputs("Memory error", stderr); + printf("Memory alloc falil"); + return false; + + } + // 将文件拷贝到buffer中 + result = fread(buffer, 1, lSize, pFile); + if (result != lSize) + { + fputs("Reading error", stderr); + printf("Load file to memory falil"); + return false; + } + return true; +} + + + +//------------------------------------------------------------ +//加密前的密码表 +// Size : 256 (0x100) +//------------------------------------------------------------ +unsigned char EncryptTable[256] = {0}; + +//------------------------------------------------------------ +//加密后的密码表,可用于解密时的校验 +// Size : 256 (0x100) +//------------------------------------------------------------ +unsigned char ChcekTable[256] = {0}; + + +static inline void Swap(unsigned char *a, unsigned char *b) { + // 如果它们恰好是数组中的相同元素,不要交换它们,否则它会被归零 + if (a != b) { + *a ^= *b; + *b ^= *a; + *a ^= *b; + } +} + +int InitEncryptTable(void) +{ + int i; + // 用顺序递增的数字初始化数组 + for (i = 0; i < SIZE; ++i) + EncryptTable[i] = i; + + // 初始化随机种子 + srand(time(NULL)); + + // 将数组中的每个元素与另一个随机元素交换 + for (i = 0; i < SIZE; ++i) + Swap(&EncryptTable[i], &EncryptTable[rand() % SIZE]); + + return 0; +} +//-------------加密函数------------- +//参数说明:参数1:被加密数组,参数2:密码表数组,参数三:加密长度 +//备注:使用unsigned 为了防止异或结果错误。作为测试只加密前0x200字节 +//返回值与:无 对参数影响:无 +//-------------异或加密------------- +void EncryptFunc(unsigned char *SourceBytes, unsigned char *EncryptBytes, DWORD nLength) +{ + DWORD nOffsetNum = 0, nTargetNum = 0, nLastNum = 0; + unsigned char 
TargetCode = '\x0', OffsetCode = '\x0', LastCode = '\x0'; + for (DWORD i = 0; i < nLength; i++) + { + //取密码表标志位Code + TargetCode = EncryptBytes[((i + 1) % 0x100)]; + //取偏移Code的偏移 + nOffsetNum = (TargetCode + nOffsetNum) % 0x100; + //取密码表偏移Code + OffsetCode = EncryptBytes[nOffsetNum]; + //交换密码表数值 + EncryptBytes[nOffsetNum % 0x100] = EncryptBytes[((i + 1) % 0x100)]; + EncryptBytes[((i + 1) % 0x100)] = OffsetCode; + //取最终加密Code偏移 + nLastNum = (TargetCode + OffsetCode) % 0x100; + //获取异或用的字符串 + LastCode = EncryptBytes[nLastNum]; + //取被加密的字符,异或 + SourceBytes[i] ^= LastCode; + } + //在此下断观察SourceBytes和CryptData + return; +} + + + +int RC4Test() +{ + //加密 + DWORD nLength = 0; + //nLength = sizeof(SourceData); + //加密后EncryptTable会变成ChcekTable,由于加密解密使用的Key一样,因此解密时判断CheckTable一致即可 + memcpy(ChcekTable, EncryptTable, 0x100); + EncryptFunc(buffer, EncryptTable, result); + //解密 + EncryptFunc(buffer, ChcekTable, result); + + + return 0; +} int main() { + InitEncryptTable(); + if (LoaderFile()) + { + RC4Test(); + } + char a[] = "kernel32"; char b[] = "GetModuleFileNameA"; char c[] = "\\Cc28256.dat"; diff --git a/strCodeTest/strCodeTest/strCodeTest.vcxproj b/strCodeTest/strCodeTest/strCodeTest.vcxproj index f502898..607963c 100644 --- a/strCodeTest/strCodeTest/strCodeTest.vcxproj +++ b/strCodeTest/strCodeTest/strCodeTest.vcxproj @@ -88,7 +88,7 @@ Level3 Disabled - true + false WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) true @@ -120,7 +120,7 @@ MaxSpeed true true - true + false WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) true
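Review bot: `LoaderFile()` in strCodeTest.cpp never checks `fseek` or `ftell`, so a failed `ftell` (-1) flows into `malloc(sizeof(char)*lSize)` as an enormous size and into the signed/unsigned comparison `result != lSize`. The function also never calls `fclose(pFile)` on any path, and it leaks `buffer` when `fread` comes up short. The fix is a single exit path that validates the size before allocating, frees the buffer on failure and always closes the file, as sketched below. The existing error messages are kept and are only elided in the sketch.

```cpp
bool LoaderFile()
{
    bool ok = false;
    buffer = NULL;
    result = 0;

    pFile = fopen(".\\..\\..\\bin\\server\\CcMainDll.dll", "rb");
    if (pFile == NULL)
    {
        // … unchanged: "File error" / "open file fail" reporting …
        return false;
    }

    // Reject seek/tell failures and empty files before sizing the allocation.
    if (fseek(pFile, 0, SEEK_END) != 0 || (lSize = ftell(pFile)) <= 0)
        goto done;
    rewind(pFile);

    buffer = (unsigned char*)malloc((size_t)lSize);
    if (buffer == NULL)
        goto done;   // … unchanged: "Memory error" reporting …

    result = fread(buffer, 1, (size_t)lSize, pFile);
    ok = (result == (size_t)lSize);   // … unchanged: "Reading error" reporting when false …

done:
    if (!ok)
    {
        free(buffer);
        buffer = NULL;
    }
    fclose(pFile);
    pFile = NULL;
    return ok;
}
```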
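Review bot: Both strCodeTest.vcxproj hunks (`@@ -88,7 +88,7 @@` and `@@ -120,7 +120,7 @@`) flip a compiler setting from `true` to `false`, and this looks like it turns off SDL checks for the whole project. The element name is stripped in this rendering, but its position just before the preprocessor definitions, together with the new C4996 `fopen` warning in strCodeTest.log, suggests it is `SDLCheck`. If so, the change demotes every SDL-class diagnostic to a warning for the whole project just to let one call compile. Keep the setting `true` and replace the call with the checked variant, `if (fopen_s(&pFile, path, "rb") != 0) return false;`, or suppress C4996 only at that line with `#pragma warning(suppress: 4996)`.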