update hijack

CcMainDll/CcMainDll/dllmain.cpp

@@ -781,8 +781,277 @@ extern "C" __declspec(dllexport) void ReflectiveLoader()
         add     edx, [ecx+0x0C]				// 名称读取  dllName
         push    edx
         call    [ebp+LoadLibraryA]			// 获取模块句柄
-        mov     [ebp+address], eax
+		mov     [ebp+module_handle], eax	// module_handle = 模块句柄
 		
+		mov     eax, [ebp+name_hash]		// name_hash = 申请地址的导入表
+		mov     ecx, [ebp+var_8]			// var_8 = mem_address
+		add     ecx, [eax]					// 找到新内存的导入表位置
+		mov     [ebp+var_14], ecx			// var_14 = new_mem_import
+		mov     edx, [ebp+name_hash]
+		mov     eax, [ebp+var_8]
+		add     eax, [edx+0x10]				// IMAGE_IMPORT_DESCRIPTOR -> FirstThunk
+		mov     [ebp+var_C], eax			// var_C = MAGE_IMPORT_DESCRIPTOR -> FirstThunk
+
+loc_463665:                          
+		mov     ecx, [ebp+var_C]
+		cmp     dword ptr [ecx], 0
+		jz      loc_46371B
+		cmp     [ebp+var_14], 0
+		jz      short loc_4636E0
+		mov     edx, [ebp+var_14]
+		mov     eax, [edx]
+		and     eax, 0x80000000
+		jz      short loc_4636E0
+		mov     ecx, [ebp+module_handle]
+		mov     edx, [ebp+module_handle]
+		add     edx, [ecx+0x3C]
+		mov     [ebp+var_20], edx
+		mov     eax, 8
+		imul    ecx, eax, 0
+		mov     edx, [ebp+var_20]
+		lea     eax, [edx+ecx+0x78]
+		mov     [ebp+exp_AddressOfNames], eax
+		mov     ecx, [ebp+exp_AddressOfNames]
+		mov     edx, [ebp+module_handle]
+		add     edx, [ecx]
+		mov     [ebp+var_20], edx
+		mov     eax, [ebp+var_20]
+		mov     ecx, [ebp+module_handle]
+		add     ecx, [eax+0x1C]
+		mov     [ebp+var_28], ecx
+		mov     edx, [ebp+var_14]
+		mov     eax, [edx]
+		and     eax, 0FFFFh
+		mov     ecx, [ebp+var_20]
+		sub     eax, [ecx+0x10]
+		mov     edx, [ebp+var_28]
+		lea     eax, [edx+eax*4]
+		mov     [ebp+var_28], eax
+		mov     ecx, [ebp+var_28]
+		mov     edx, [ebp+module_handle]
+		add     edx, [ecx]
+		mov     eax, [ebp+var_C]
+		mov     [eax], edx
+		jmp     short loc_4636FE
+
+loc_4636E0:
+		mov     ecx, [ebp+var_C]
+		mov     edx, [ebp+var_8]
+		add     edx, [ecx]
+		mov     [ebp+BaseDllName], edx
+		mov     eax, [ebp+BaseDllName]
+		add     eax, 2
+		push    eax
+		mov     ecx, [ebp+module_handle]
+		push    ecx
+		call    [ebp+GetProcAddress] ; 读取函数名称获取函数地址
+		mov     edx, [ebp+var_C]
+		mov     [edx], eax      ; 填充导入表IAT
+
+loc_4636FE:
+		mov     eax, [ebp+var_C]
+		add     eax, 4
+		mov     [ebp+var_C], eax
+		cmp     [ebp+var_14], 0
+		jz      short loc_463716
+		mov     ecx, [ebp+var_14]
+		add     ecx, 4
+		mov     [ebp+var_14], ecx
+
+loc_463716:
+		jmp     loc_463665
+
+loc_46371B:
+		mov     edx, [ebp+name_hash]
+		add     edx, 0x14
+		mov     [ebp+name_hash], edx
+		jmp     loc_463631
+
+loc_463729:
+		mov     eax, [ebp+var_24]
+		mov     ecx, [ebp+var_8]
+		sub     ecx, [eax+0x34]
+		mov     [ebp+address], ecx
+		mov     edx, 8
+		imul    eax, edx, 5
+		mov     ecx, [ebp+var_24]
+		lea     edx, [ecx+eax+0x78]
+		mov     [ebp+BaseDllName], edx
+		mov     eax, [ebp+BaseDllName]
+		cmp     dword ptr [eax+4], 0
+		jz      loc_4638F2
+		mov     ecx, [ebp+BaseDllName]
+		mov     edx, [ebp+var_8]
+		add     edx, [ecx]
+		mov     [ebp+name_hash], edx
+
+loc_46375F:
+		mov     eax, [ebp+name_hash]
+		cmp     dword ptr [eax+4], 0
+		jz      loc_4638F2
+		mov     ecx, [ebp+name_hash]
+		mov     edx, [ebp+var_8]
+		add     edx, [ecx]
+		mov     [ebp+var_C], edx
+		mov     eax, [ebp+name_hash]
+		mov     ecx, [eax+4]
+		sub     ecx, 8
+		shr     ecx, 1
+		mov     [ebp+BaseDllName], ecx
+		mov     edx, [ebp+name_hash]
+		add     edx, 8
+		mov     [ebp+var_14], edx
+
+loc_46378E:
+		mov     eax, [ebp+BaseDllName]
+		mov     [ebp+var_60], eax
+		mov     ecx, [ebp+BaseDllName]
+		sub     ecx, 1
+		mov     [ebp+BaseDllName], ecx
+		cmp     [ebp+var_60], 0
+		jz      loc_4638E1
+		mov     edx, [ebp+var_14]
+		mov     ax, [edx]       ; 获取重定位表
+		shr     ax, 0x0C
+		and     ax, 0x0F
+		movzx   ecx, ax
+		cmp     ecx, 0x0A
+		jnz     short loc_4637ED
+		mov     edx, 0x0FFF
+		mov     eax, [ebp+var_14]
+		and     dx, [eax]
+		movzx   ecx, dx
+		mov     edx, [ebp+var_C]
+		mov     eax, [edx+ecx]
+		add     eax, [ebp+address]
+		mov     ecx, 0x0FFF
+		mov     edx, [ebp+var_14]
+		and     cx, [edx]
+		movzx   ecx, cx
+		mov     edx, [ebp+var_C]
+		mov     [edx+ecx], eax
+		jmp     loc_4638D3
+
+loc_4637ED:
+		mov     eax, [ebp+var_14]
+		mov     cx, [eax]
+		shr     cx, 0x0C
+		and     cx, 0x0F
+		movzx   edx, cx
+		cmp     edx, 3          		//; 当此标记为0011（3）时低12为才有效 TypeOffset
+		jnz     short loc_463833
+		mov     eax, 0x0FFF
+		mov     ecx, [ebp+var_14]
+		and     ax, [ecx]
+		movzx   edx, ax
+		mov     eax, [ebp+var_C]			// ; self_baseaddress 加载基址
+		mov     ecx, [eax+edx]  			//; 默认加载基址 + 重定位列表项
+		add     ecx, [ebp+address]			// ; 计算当前基址 重定位后的地址
+		mov     edx, 0x0FFF
+		mov     eax, [ebp+var_14]
+		and     dx, [eax]
+		movzx   edx, dx
+		mov     eax, [ebp+var_C]
+		mov     [eax+edx], ecx // ; 修复重定位
+		jmp     loc_4638D3
+
+loc_463833:
+		mov     ecx, [ebp+var_14]
+		mov     dx, [ecx]
+		shr     dx, 0x0C
+		and     dx, 0x0F
+		movzx   eax, dx
+		cmp     eax, 1
+		jnz     short loc_463886
+		mov     ecx, 0x0FFF
+		mov     edx, [ebp+var_14]
+		and     cx, [edx]
+		movzx   eax, cx
+		mov     ecx, [ebp+address]
+		shr     ecx, 0x10
+		and     ecx, 0x0FFFF
+		movzx   edx, cx
+		mov     ecx, [ebp+var_C]
+		movzx   eax, word ptr [ecx+eax]
+		add     eax, edx
+		mov     ecx, 0x0FFF
+		mov     edx, [ebp+var_14]
+		and     cx, [edx]
+		movzx   ecx, cx
+		mov     edx, [ebp+var_C]
+		mov     [edx+ecx], ax
+		jmp     short loc_4638D3
+
+loc_463886:
+		mov     eax, [ebp+var_14]
+		mov     cx, [eax]
+		shr     cx, 0x0C
+		and     cx, 0x0F
+		movzx   edx, cx
+		cmp     edx, 2
+		jnz     short loc_4638D3
+		mov     eax, 0x0FFF
+		mov     ecx, [ebp+var_14]
+		and     ax, [ecx]
+		movzx   edx, ax
+		mov     eax, [ebp+address]
+		and     eax, 0x0FFFF
+		movzx   ecx, ax
+		mov     eax, [ebp+var_C]
+		movzx   edx, word ptr [eax+edx]
+		add     edx, ecx
+		mov     eax, 0x0FFF
+		mov     ecx, [ebp+var_14]
+		and     ax, [ecx]
+		movzx   eax, ax
+		mov     ecx, [ebp+var_C]
+		mov     [ecx+eax], dx
+
+loc_4638D3:
+		mov     edx, [ebp+var_14]
+		add     edx, 2
+		mov     [ebp+var_14], edx
+		jmp     loc_46378E
+
+loc_4638E1:
+		mov     eax, [ebp+name_hash]
+		mov     ecx, [ebp+name_hash]
+		add     ecx, [eax+4]
+		mov     [ebp+name_hash], ecx
+		jmp     loc_46375F
+
+
+loc_4638F2: 
+		mov     edx, [ebp+var_24]
+		mov     eax, [ebp+var_8]
+		add     eax, [edx+0x28]
+		mov     [ebp+var_C], eax
+		push    0
+		push    0
+		push    0xFFFFFFFF
+		call    [ebp+NtFlushInstructionCache]
+		lea     ecx, [ebp+var_64]
+		push    ecx
+		push    0x20
+		mov     edx, [ebp+var_4C]
+		push    edx
+		mov     eax, [ebp+var_50]
+		push    eax
+		call    [ebp+VirtualProtect]
+		push    0
+		push    1
+		mov     ecx, [ebp+var_8]
+		push    ecx
+		call    [ebp+var_C]    // ; call dllmain
+		push    0
+		push    4
+		mov     edx, [ebp+var_8]
+		push    edx
+		call    [ebp+var_C]
+		mov     eax, [ebp+var_C]
+		mov     esp, ebp
+		pop     ebp
+		retn
 			
 	}