diff --git a/CcMainDll/CcMainDll/dllmain.cpp b/CcMainDll/CcMainDll/dllmain.cpp
index d87ff80..62da920 100644
--- a/CcMainDll/CcMainDll/dllmain.cpp
+++ b/CcMainDll/CcMainDll/dllmain.cpp
@@ -781,8 +781,277 @@ extern "C" __declspec(dllexport) void ReflectiveLoader()
 add edx, [ecx+0x0C] // 名称读取 dllName
 push edx
 call [ebp+LoadLibraryA] // 获取模块句柄
- mov [ebp+address], eax
+ mov [ebp+module_handle], eax // module_handle = 模块句柄
+
+ mov eax, [ebp+name_hash] // name_hash = 申请地址的导入表
+ mov ecx, [ebp+var_8] // var_8 = mem_address
+ add ecx, [eax] // 找到新内存的导入表位置
+ mov [ebp+var_14], ecx // var_14 = new_mem_import
+ mov edx, [ebp+name_hash]
+ mov eax, [ebp+var_8]
+ add eax, [edx+0x10] // IMAGE_IMPORT_DESCRIPTOR -> FirstThunk
+ mov [ebp+var_C], eax // var_C = MAGE_IMPORT_DESCRIPTOR -> FirstThunk
+loc_463665:
+ mov ecx, [ebp+var_C]
+ cmp dword ptr [ecx], 0
+ jz loc_46371B
+ cmp [ebp+var_14], 0
+ jz short loc_4636E0
+ mov edx, [ebp+var_14]
+ mov eax, [edx]
+ and eax, 0x80000000
+ jz short loc_4636E0
+ mov ecx, [ebp+module_handle]
+ mov edx, [ebp+module_handle]
+ add edx, [ecx+0x3C]
+ mov [ebp+var_20], edx
+ mov eax, 8
+ imul ecx, eax, 0
+ mov edx, [ebp+var_20]
+ lea eax, [edx+ecx+0x78]
+ mov [ebp+exp_AddressOfNames], eax
+ mov ecx, [ebp+exp_AddressOfNames]
+ mov edx, [ebp+module_handle]
+ add edx, [ecx]
+ mov [ebp+var_20], edx
+ mov eax, [ebp+var_20]
+ mov ecx, [ebp+module_handle]
+ add ecx, [eax+0x1C]
+ mov [ebp+var_28], ecx
+ mov edx, [ebp+var_14]
+ mov eax, [edx]
+ and eax, 0FFFFh
+ mov ecx, [ebp+var_20]
+ sub eax, [ecx+0x10]
+ mov edx, [ebp+var_28]
+ lea eax, [edx+eax*4]
+ mov [ebp+var_28], eax
+ mov ecx, [ebp+var_28]
+ mov edx, [ebp+module_handle]
+ add edx, [ecx]
+ mov eax, [ebp+var_C]
+ mov [eax], edx
+ jmp short loc_4636FE
+
+loc_4636E0:
+ mov ecx, [ebp+var_C]
+ mov edx, [ebp+var_8]
+ add edx, [ecx]
+ mov [ebp+BaseDllName], edx
+ mov eax, [ebp+BaseDllName]
+ add eax, 2
+ push eax
+ mov ecx, [ebp+module_handle]
+ push ecx
+ call [ebp+GetProcAddress] ; 读取函数名称获取函数地址
+ mov edx, [ebp+var_C]
+ mov [edx], eax ; 填充导入表IAT
+
+loc_4636FE:
+ mov eax, [ebp+var_C]
+ add eax, 4
+ mov [ebp+var_C], eax
+ cmp [ebp+var_14], 0
+ jz short loc_463716
+ mov ecx, [ebp+var_14]
+ add ecx, 4
+ mov [ebp+var_14], ecx
+
+loc_463716:
+ jmp loc_463665
+
+loc_46371B:
+ mov edx, [ebp+name_hash]
+ add edx, 0x14
+ mov [ebp+name_hash], edx
+ jmp loc_463631
+
+loc_463729:
+ mov eax, [ebp+var_24]
+ mov ecx, [ebp+var_8]
+ sub ecx, [eax+0x34]
+ mov [ebp+address], ecx
+ mov edx, 8
+ imul eax, edx, 5
+ mov ecx, [ebp+var_24]
+ lea edx, [ecx+eax+0x78]
+ mov [ebp+BaseDllName], edx
+ mov eax, [ebp+BaseDllName]
+ cmp dword ptr [eax+4], 0
+ jz loc_4638F2
+ mov ecx, [ebp+BaseDllName]
+ mov edx, [ebp+var_8]
+ add edx, [ecx]
+ mov [ebp+name_hash], edx
+
+loc_46375F:
+ mov eax, [ebp+name_hash]
+ cmp dword ptr [eax+4], 0
+ jz loc_4638F2
+ mov ecx, [ebp+name_hash]
+ mov edx, [ebp+var_8]
+ add edx, [ecx]
+ mov [ebp+var_C], edx
+ mov eax, [ebp+name_hash]
+ mov ecx, [eax+4]
+ sub ecx, 8
+ shr ecx, 1
+ mov [ebp+BaseDllName], ecx
+ mov edx, [ebp+name_hash]
+ add edx, 8
+ mov [ebp+var_14], edx
+
+loc_46378E:
+ mov eax, [ebp+BaseDllName]
+ mov [ebp+var_60], eax
+ mov ecx, [ebp+BaseDllName]
+ sub ecx, 1
+ mov [ebp+BaseDllName], ecx
+ cmp [ebp+var_60], 0
+ jz loc_4638E1
+ mov edx, [ebp+var_14]
+ mov ax, [edx] ; 获取重定位表
+ shr ax, 0x0C
+ and ax, 0x0F
+ movzx ecx, ax
+ cmp ecx, 0x0A
+ jnz short loc_4637ED
+ mov edx, 0x0FFF
+ mov eax, [ebp+var_14]
+ and dx, [eax]
+ movzx ecx, dx
+ mov edx, [ebp+var_C]
+ mov eax, [edx+ecx]
+ add eax, [ebp+address]
+ mov ecx, 0x0FFF
+ mov edx, [ebp+var_14]
+ and cx, [edx]
+ movzx ecx, cx
+ mov edx, [ebp+var_C]
+ mov [edx+ecx], eax
+ jmp loc_4638D3
+
+loc_4637ED:
+ mov eax, [ebp+var_14]
+ mov cx, [eax]
+ shr cx, 0x0C
+ and cx, 0x0F
+ movzx edx, cx
+ cmp edx, 3 //; 当此标记为0011(3)时低12为才有效 TypeOffset
+ jnz short loc_463833
+ mov eax, 0x0FFF
+ mov ecx, [ebp+var_14]
+ and ax, [ecx]
+ movzx edx, ax
+ mov eax, [ebp+var_C] // ; self_baseaddress 加载基址
+ mov ecx, [eax+edx] //; 默认加载基址 + 重定位列表项
+ add ecx, [ebp+address] // ; 计算当前基址 重定位后的地址
+ mov edx, 0x0FFF
+ mov eax, [ebp+var_14]
+ and dx, [eax]
+ movzx edx, dx
+ mov eax, [ebp+var_C]
+ mov [eax+edx], ecx // ; 修复重定位
+ jmp loc_4638D3
+
+loc_463833:
+ mov ecx, [ebp+var_14]
+ mov dx, [ecx]
+ shr dx, 0x0C
+ and dx, 0x0F
+ movzx eax, dx
+ cmp eax, 1
+ jnz short loc_463886
+ mov ecx, 0x0FFF
+ mov edx, [ebp+var_14]
+ and cx, [edx]
+ movzx eax, cx
+ mov ecx, [ebp+address]
+ shr ecx, 0x10
+ and ecx, 0x0FFFF
+ movzx edx, cx
+ mov ecx, [ebp+var_C]
+ movzx eax, word ptr [ecx+eax]
+ add eax, edx
+ mov ecx, 0x0FFF
+ mov edx, [ebp+var_14]
+ and cx, [edx]
+ movzx ecx, cx
+ mov edx, [ebp+var_C]
+ mov [edx+ecx], ax
+ jmp short loc_4638D3
+
+loc_463886:
+ mov eax, [ebp+var_14]
+ mov cx, [eax]
+ shr cx, 0x0C
+ and cx, 0x0F
+ movzx edx, cx
+ cmp edx, 2
+ jnz short loc_4638D3
+ mov eax, 0x0FFF
+ mov ecx, [ebp+var_14]
+ and ax, [ecx]
+ movzx edx, ax
+ mov eax, [ebp+address]
+ and eax, 0x0FFFF
+ movzx ecx, ax
+ mov eax, [ebp+var_C]
+ movzx edx, word ptr [eax+edx]
+ add edx, ecx
+ mov eax, 0x0FFF
+ mov ecx, [ebp+var_14]
+ and ax, [ecx]
+ movzx eax, ax
+ mov ecx, [ebp+var_C]
+ mov [ecx+eax], dx
+
+loc_4638D3:
+ mov edx, [ebp+var_14]
+ add edx, 2
+ mov [ebp+var_14], edx
+ jmp loc_46378E
+
+loc_4638E1:
+ mov eax, [ebp+name_hash]
+ mov ecx, [ebp+name_hash]
+ add ecx, [eax+4]
+ mov [ebp+name_hash], ecx
+ jmp loc_46375F
+
+
+loc_4638F2:
+ mov edx, [ebp+var_24]
+ mov eax, [ebp+var_8]
+ add eax, [edx+0x28]
+ mov [ebp+var_C], eax
+ push 0
+ push 0
+ push 0xFFFFFFFF
+ call [ebp+NtFlushInstructionCache]
+ lea ecx, [ebp+var_64]
+ push ecx
+ push 0x20
+ mov edx, [ebp+var_4C]
+ push edx
+ mov eax, [ebp+var_50]
+ push eax
+ call [ebp+VirtualProtect]
+ push 0
+ push 1
+ mov ecx, [ebp+var_8]
+ push ecx
+ call [ebp+var_C] // ; call dllmain
+ push 0
+ push 4
+ mov edx, [ebp+var_8]
+ push edx
+ call [ebp+var_C]
+ mov eax, [ebp+var_C]
+ mov esp, ebp
+ pop ebp
+ retn
 }
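Review bot: The type-0x0A branch of the relocation loop between loc_46378E and loc_4638D3 applies IMAGE_REL_BASED_DIR64 with a 32-bit `mov eax, [edx+ecx] / add eax, [ebp+address] / mov [edx+ecx], eax`, which can only adjust the low dword of an 8-byte fixup; since this loader is 32-bit and a PE32 image should not carry DIR64 entries, the branch is either unreachable or incorrect and needs a comment such as `; type 10 (DIR64) is not expected in a PE32 image; only the low dword would be adjusted here` or removal. The PE layout is addressed through bare offsets throughout (0x3C e_lfanew, 0x78 DataDirectory[0], 0x10/0x1C Base and AddressOfFunctions of the export directory, 0x14 sizeof(IMAGE_IMPORT_DESCRIPTOR), 0x34 ImageBase, 0x28 AddressOfEntryPoint), and the folded constant arithmetic `mov eax, 8 / imul ecx, eax, 0` and `mov edx, 8 / imul eax, edx, 5` reads as decompiler output for `sizeof(IMAGE_DATA_DIRECTORY) * index`; naming these with equates would make the import and relocation passes reviewable. Three comment styles (`//`, `;`, `//;`) are mixed within the same block, and the comment after `mov [ebp+var_C], eax` misspells `MAGE_IMPORT_DESCRIPTOR`. ReflectiveLoader begins before this hunk.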