mirror of
https://github.com/Cc28256/CcRemote.git
synced 2025-06-16 17:29:49 +00:00
部分汇编 区段分配到申请的内存
This commit is contained in:
parent
383be8f669
commit
fcae666dfd
@ -347,7 +347,7 @@ inline DWORD calc_name_hash()
|
||||
enum LocalEnum
|
||||
{
|
||||
Nop,
|
||||
memAddress = 4,
|
||||
PEAddress = 4,
|
||||
pLoadLibraryA = 8,
|
||||
pGetProcAddress = 0xC,
|
||||
pVirtualAlloc = 0x10,
|
||||
@ -385,20 +385,20 @@ extern "C" __declspec(dllexport) void ReflectiveLoader()
|
||||
|
||||
call GetCurrentPositionAddress // 获取当前位置地址
|
||||
mov eax, buffer
|
||||
mov [ebp + memAddress], eax // 保存当前代码所在的地址 memAddress
|
||||
mov [ebp + PEAddress], eax // 保存当前代码所在的地址 PEAddress
|
||||
|
||||
addressAdd :
|
||||
mov eax, 1
|
||||
test eax, eax // 判断eax是否获取到当前地址
|
||||
jz find_success
|
||||
|
||||
mov ecx, [ebp + memAddress] // 查找DOS头
|
||||
mov ecx, [ebp + PEAddress] // 查找DOS头
|
||||
movzx edx, word ptr[ecx]
|
||||
cmp edx, 0x5A4D
|
||||
jnz noFindFlag
|
||||
|
||||
|
||||
mov eax, [ebp + memAddress]
|
||||
mov eax, [ebp + PEAddress]
|
||||
mov ecx, [eax + 0x3C] // + 0x3C 找到DOS Header e_lfanew
|
||||
mov [ebp + varLocalFindPE], ecx
|
||||
cmp dword ptr[ebp + varLocalFindPE], 0x40
|
||||
@ -407,7 +407,7 @@ extern "C" __declspec(dllexport) void ReflectiveLoader()
|
||||
jnb noFindFlag // 地址address - 1
|
||||
|
||||
mov edx, [ebp + varLocalFindPE]
|
||||
add edx, [ebp + memAddress]
|
||||
add edx, [ebp + PEAddress]
|
||||
mov [ebp + varLocalFindPE], edx
|
||||
mov eax, [ebp + varLocalFindPE]
|
||||
cmp dword ptr[eax], 0x4550 // 判断PE Header Signature PE标志
|
||||
@ -415,9 +415,9 @@ extern "C" __declspec(dllexport) void ReflectiveLoader()
|
||||
jmp find_success // 找到了singtrue 跳转
|
||||
|
||||
noFindFlag :
|
||||
mov ecx, [ebp + memAddress] // 地址address - 1
|
||||
mov ecx, [ebp + PEAddress] // 地址address - 1
|
||||
sub ecx, 1
|
||||
mov [ebp + memAddress], ecx
|
||||
mov [ebp + PEAddress], ecx
|
||||
jmp addressAdd
|
||||
|
||||
find_success:
|
||||
@ -430,9 +430,9 @@ extern "C" __declspec(dllexport) void ReflectiveLoader()
|
||||
mov eax, [edx + 0x14] // 获取结构中InMemoryOrderModuleList 顺序模块列表
|
||||
mov [ebp + varLocalFS30_B], eax
|
||||
|
||||
loc_46327B:
|
||||
continue_find:
|
||||
cmp [ebp + varLocalFS30_B], 0
|
||||
jz find_moudle_null
|
||||
jz find_moudle_over
|
||||
mov ecx, [ebp + varLocalFS30_B]
|
||||
mov edx, [ecx + 0x28] // FullDllName_buff 模块名称
|
||||
mov [ebp + BaseDllName], edx
|
||||
@ -584,11 +584,11 @@ extern "C" __declspec(dllexport) void ReflectiveLoader()
|
||||
jmp find_next_ker_fun
|
||||
|
||||
cmp_need_function:
|
||||
jmp loc_463506
|
||||
jmp check_function
|
||||
|
||||
no_Kernel32_hash:
|
||||
cmp [ebp+name_hash], 0x3CFA685D //; 3CFA685D = ntdll
|
||||
jnz loc_463506
|
||||
jnz check_function
|
||||
mov ecx, [ebp+varLocalFS30_B]
|
||||
mov edx, [ecx+0x10] //; +10偏移获取DllBase基址
|
||||
mov [ebp+varLocalFS30_A], edx
|
||||
@ -617,12 +617,12 @@ extern "C" __declspec(dllexport) void ReflectiveLoader()
|
||||
mov [ebp+var_4], ax
|
||||
|
||||
find_next_nt_fun: // 同上面一样
|
||||
movzx ecx, [ebp+var_4]
|
||||
movzx ecx, [ebp+var_4] // 需要一个函数 var_4 = 1
|
||||
test ecx, ecx
|
||||
jle loc_463506
|
||||
mov edx, [ebp+exp_AddressOfNames]
|
||||
mov eax, [ebp+varLocalFS30_A]
|
||||
add eax, [edx]
|
||||
jle check_function
|
||||
mov edx, [ebp+exp_AddressOfNames] // exp_AddressOfNames = 函数名称表[]
|
||||
mov eax, [ebp+varLocalFS30_A] // varLocalFS30_A = 基地址
|
||||
add eax, [edx] // 计算hash
|
||||
push eax
|
||||
call calc_name_hash
|
||||
add esp, 4
|
||||
@ -659,12 +659,104 @@ extern "C" __declspec(dllexport) void ReflectiveLoader()
|
||||
mov [ebp+AddressOfNameOrdinals], edx
|
||||
jmp find_next_nt_fun
|
||||
|
||||
check_function:
|
||||
cmp [ebp+LoadLibraryA], 0
|
||||
jz continue_find_function
|
||||
cmp [ebp+GetProcAddress], 0
|
||||
jz continue_find_function
|
||||
cmp [ebp+VirtualAlloc], 0
|
||||
jz continue_find_function
|
||||
cmp [ebp+pNtFlushInstructionCache], 0
|
||||
jz continue_find_function
|
||||
jmp find_moudle_over
|
||||
|
||||
find_moudle_null:
|
||||
continue_find_function:
|
||||
mov eax, [ebp+var_C]
|
||||
mov ecx, [eax]
|
||||
mov [ebp+var_C], ecx
|
||||
jmp continue_find
|
||||
|
||||
loc_463506:
|
||||
find_moudle_over:
|
||||
mov edx, [ebp+PEAddress]
|
||||
mov eax, [ebp+PEAddress]
|
||||
add eax, [edx+3Ch]
|
||||
mov [ebp+var_24], eax
|
||||
push 0x04 // PAGE_READWRITE 区域不可执行代码,应用程序可以读写该区域
|
||||
push 0x3000 // MEM_COMMIT | MEM_RESERV
|
||||
mov ecx, [ebp+var_24]
|
||||
mov edx, [ecx+0x50] // PE signature 0x18 + 0x38 SizeOfImage 映像装入内存后的总大小
|
||||
add edx, 0x3C00000 // dwSize
|
||||
push edx
|
||||
push 0x0
|
||||
call [ebp+VirtualAlloc] // 申请一块 3C0000+SizeOfImage大小的内存
|
||||
mov [ebp+var_8], eax // var_8 = mem_address
|
||||
mov eax, [ebp+var_24] // var_24 = signature
|
||||
mov ecx, [eax+0x54] // ecx = SizeOfHeaders 0x18 + 0x3c
|
||||
mov [ebp+var_C], ecx
|
||||
mov edx, [ebp+PEAddress] // PEAddress = 4D5A address
|
||||
mov [ebp+BaseDllName], edx // BaseDllName = PEAddress
|
||||
mov eax, [ebp+var_8]
|
||||
mov [ebp+name_hash], eax // name_hash = mem_address
|
||||
mov ecx, [ebp+var_24]
|
||||
movzx edx, word ptr [ecx+0x14] // edx = WORD SizeOfOptionalHeader
|
||||
mov eax, [ebp+var_24]
|
||||
lea ecx, [eax+edx+0x18] // signature + SizeOfOptionalHeader + sizeof signature = struct _IMAGE_SECTION_HEADER address 区段地址
|
||||
mov [ebp+var_C], ecx // var_C = 区段地址
|
||||
mov edx, [ebp+var_24]
|
||||
movzx eax, word ptr [edx+0x06] // signature + 0x04 + 0x02
|
||||
mov [ebp+var_3C], eax // var_3C = NumberOfSections 节的数量
|
||||
|
||||
loc_463585:
|
||||
mov ecx, [ebp+var_3C]
|
||||
mov [ebp+var_58], ecx // var_58 = 剩余要处理的Sections数量 index
|
||||
mov edx, [ebp+var_3C]
|
||||
sub edx, 1
|
||||
mov [ebp+var_3C], edx
|
||||
cmp [ebp+var_58], 0 // 区段是否都处理了
|
||||
jz loc_463614
|
||||
mov eax, [ebp+var_C] // var_C = 区段地址
|
||||
mov ecx, [ebp+var_8] // var_8 = mem_address
|
||||
add ecx, [eax+0x0C] // 申请的地址计算 基址 + 区段地址 +0x0c = struct _IMAGE_SECTION_HEADER->VirtualAddress 节区的 RVA 地址
|
||||
mov [ebp+BaseDllName], ecx // BaseDllName = SECTION VirtualAddress new mem 新地址
|
||||
mov edx, [ebp+var_C]
|
||||
mov eax, [ebp+PEAddress] // eax = 4D5A address
|
||||
add eax, [edx+0x14] // 取值 4D5A address + PointerToRawData = 区段地址 + 0x14 = struct _IMAGE_SECTION_HEADER->PointerToRawData 文件中区段偏移
|
||||
mov [ebp+name_hash], eax // name_hash = _IMAGE_SECTION_HEADER->PointerToRawData 在文件中的偏移量
|
||||
mov ecx, [ebp+var_C] // var_C = 区段地址
|
||||
mov edx, [ecx+0x10] //
|
||||
mov [ebp+var_14], edx // var_14 = _IMAGE_SECTION_HEADER->SizeOfRawData 在文件中对齐后的尺寸
|
||||
cmp [ebp+var_50], 0
|
||||
jnz loc_4635C7
|
||||
mov eax, [ebp+BaseDllName]
|
||||
mov [ebp+var_50], eax // var_50 = SECTION VirtualAddress new mem 新地址
|
||||
|
||||
loc_4635C7:
|
||||
cmp [ebp+var_4C], 0
|
||||
jnz loc_4635D3
|
||||
mov ecx, [ebp+var_14]
|
||||
mov [ebp+var_4C], ecx // var_4C = SizeOfRawData
|
||||
|
||||
loc_4635D3:
|
||||
mov edx, [ebp+var_14]
|
||||
mov [ebp+var_5C], edx // var_5C = SizeOfRawData
|
||||
mov eax, [ebp+var_14]
|
||||
sub eax, 1 // 拷贝计数size - 1
|
||||
mov [ebp+var_14], eax // var_14 = SizeOfRawData 在文件中对齐后的尺寸 - 1
|
||||
cmp [ebp+var_5C], 0 // 为 0 拷贝完成
|
||||
jz short loc_463606
|
||||
mov ecx, [ebp+BaseDllName] // BaseDllName = SECTION VirtualAddress new mem 新地址
|
||||
mov edx, [ebp+name_hash] // PointerToRawData
|
||||
mov al, [edx] // 得到文件中的区段数据
|
||||
mov [ecx], al // 拷贝到申请的mem中 算出来的偏移VirtualAddress
|
||||
mov ecx, [ebp+BaseDllName]
|
||||
add ecx, 1 // 新的内存地址 + 1
|
||||
mov [ebp+BaseDllName], ecx
|
||||
mov edx, [ebp+name_hash] // 文件内存地址 + 1
|
||||
add edx, 1
|
||||
mov [ebp+name_hash], edx
|
||||
jmp loc_4635D3 //跳转后文件对其尺寸 - 1 为 0 时区段拷贝完毕
|
||||
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
Loading…
x
Reference in New Issue
Block a user