#include "stdafx.h"
#include "InjectCode.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
/*
 * Win9x kernel "process database" (PDB) as this code expects it to be laid
 * out in memory. Undocumented, 32-bit only: the Unk* members are
 * width-preserving placeholders, so do not reorder or resize any field.
 * Only pHandleTable is read below (OpenThread2 patches an entry of that
 * table); everything else is carried for layout fidelity.
 */
typedef struct t_PDB
{
    WORD Type;              /* kernel object type tag */
    WORD Refcount;
    DWORD Unk0;
    DWORD Unk1;
    DWORD Unk2;
    DWORD TermStatus;
    DWORD Unk3;
    DWORD DefaultHeap;
    DWORD MemContext;
    DWORD Flags;
    DWORD pPsp;
    WORD PSPSelector;
    WORD MTEIndex;
    WORD nThreads;
    WORD nThreadsNotTerm;
    WORD Unk5;
    WORD nR0Threads;
    DWORD HeapHandle;
    WORD K16TDBSel;
    WORD Unk6;
    DWORD Unk7;
    DWORD pEDB;
    DWORD pHandleTable;     /* base of the per-process handle table (used by OpenThread2) */
    struct t_PDB *ParentPDB;
    DWORD MODREFList;
    DWORD ThreadList;
    DWORD DebugeeCB;
    DWORD LHFreeHead;
    DWORD InitialR0ID;
}PDB, *PPDB;
/*
 * Win9x kernel "thread control block" (TCB) as this code expects it to be
 * laid out in memory. Undocumented, 32-bit only; keep field order and
 * widths exactly as they are. OpenThread2 reads two members: the low byte
 * of Type (must be 7 for a thread object) and pParentPDB (run through
 * XORProcessThreadID to recover the owning process ID).
 */
typedef struct t_TCB
{
    WORD Type;              /* object type tag; OpenThread2 requires low byte == 7 */
    WORD RefCount;          /* NOTE(review): never adjusted by this file when a handle is fabricated */
    DWORD Unk1;
    DWORD pvExcept;
    DWORD TopOfStack;
    DWORD BaseOfStack;
    WORD K16TDB;
    WORD StackSel16;
    DWORD Unk2;
    DWORD UserPointer;
    DWORD pTIB;
    WORD TIBflags;
    WORD Win16MutxCnt;
    DWORD DebugContext;
    DWORD PtrToCurPri;
    DWORD MsgQueue;
    DWORD pTLSarray;
    PPDB pParentPDB;        /* owning process; XORProcessThreadID maps it to a process ID */
    DWORD SelmanList;
    DWORD Unk3;
    DWORD Flags;
    DWORD Status;
    WORD TIBsel;
    WORD EmulatorSel;
    DWORD HandleCount;
    DWORD WaitNodeList;
    DWORD R0hThread;
    DWORD ptdbx;
}TCB, *PTCB;
/* Shape of ntdll!NtOpenThread as OpenThreadNT calls it:
 * (PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID). The last two are
 * passed as raw DWORD arrays instead of the ntdef.h structs. */
typedef DWORD (WINAPI*OTFUNC)(HANDLE*,DWORD,void*,void*);
/* Kernel32-internal Win9x routine reached by XORProcessThreadID: maps a
 * process/thread ID to its kernel object pointer and vice versa. */
typedef LPVOID (WINAPI *OBFUNC)(DWORD dwPTID);
/* Forward declarations; definitions follow later in this file. */
LPVOID WINAPI GetTrueProcAddress(LPSTR lpMod, LPTSTR lpFunc);
HANDLE WINAPI OpenThreadNT(DWORD dwThreadID, BOOL bInherit);
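/*
 * Resolve and invoke the Win9x kernel32-internal routine that converts
 * between a process/thread ID and the address of its kernel object
 * (PDB/TCB). OpenThread2 uses it in both directions.
 *
 * Assumed layout (matches the hard-coded offsets, confirm per build): the
 * Win9x GetCurrentThreadId contains a near call (E8 rel32) to that routine
 * with the rel32 operand at +8 from the function start and the following
 * instruction at +12, so target = (+12) + rel32.
 *
 * Returns NULL when GetCurrentThreadId cannot be located (the original
 * dereferenced address 8 in that case); otherwise whatever the resolved
 * routine returns. On any Windows whose GetCurrentThreadId has a different
 * layout this yields garbage, so callers must validate the result.
 */
LPVOID WINAPI XORProcessThreadID(DWORD dwPTID)
{
    OBFUNC obfuscate;
    DWORD dwMain, dwNext;
    LPDWORD lpRel32;

    dwMain = (DWORD)GetTrueProcAddress(_T("KERNEL32"),
                                       _T("GetCurrentThreadId"));
    if (!dwMain)
        return NULL;            /* export not found: nothing safe to decode */

    lpRel32 = (LPDWORD)(dwMain + 8);    /* rel32 operand of the E8 call */
    dwNext = dwMain + 12;               /* address of the instruction after the call */
    obfuscate = (OBFUNC)(dwNext + *lpRel32);
    return obfuscate(dwPTID);
}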
/*
 * OpenThread replacement: given a thread ID, return a thread handle.
 *
 * On NT platforms this defers to OpenThreadNT. On Win9x, which has no
 * OpenThread export, it fabricates one: it duplicates a handle that every
 * process is assumed to own, then rewrites that handle's entry in the
 * current process's kernel handle table so it points at the target TCB.
 * This bypasses the kernel's own object/access bookkeeping and relies on
 * undocumented structure layouts; treat every step as best effort.
 *
 * Returns NULL on failure. Last error is pre-set to 50 (ERROR_NOT_SUPPORTED)
 * unless a later API call overwrites it.
 */
HANDLE WINAPI OpenThread2(DWORD dwThreadID, BOOL bInherit)
{
    HANDLE hThread,hprc;
    LPDWORD lp1;
    DWORD dwProcessID,dwWhere,dwTable;
    BOOL b1;
    PTCB lpThreadObj;
    PPDB ppdb;
    OSVERSIONINFO osvi;

    osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    /* NOTE(review): return value unchecked; dwPlatformId is read
     * uninitialized if GetVersionEx fails. */
    GetVersionEx(&osvi);
    SetLastError(50);   /* ERROR_NOT_SUPPORTED: default error for NULL returns below */
    if(osvi.dwPlatformId == VER_PLATFORM_WIN32_NT)
        return OpenThreadNT(dwThreadID, bInherit);

    /* Win9x path: map IDs to kernel objects (current PDB and target TCB). */
    ppdb = (PPDB)XORProcessThreadID(GetCurrentProcessId());
    lpThreadObj = (PTCB)XORProcessThreadID(dwThreadID);
    /* check to make sure its valid -- IsBadReadPtr is only a weak,
     * best-effort probe; an unmapped or foreign pointer is still possible.
     * ppdb itself is not validated before it is dereferenced below. */
    if(IsBadReadPtr(lpThreadObj, sizeof(TCB))) return NULL;
    /* object type: low byte 7 is the thread-object tag this code expects */
    if(*(LPBYTE)lpThreadObj != 7) return NULL;

    /* The TCB's parent link is fed back through the ID<->object mapping to
     * obtain the owning process ID. */
    dwProcessID =
        (DWORD)XORProcessThreadID((DWORD)lpThreadObj->pParentPDB);
    if(dwProcessID == GetCurrentProcessId())
        hprc = GetCurrentProcess();
    else
    {
        /* NOTE(review): hprc is only used as the DuplicateHandle source, so
         * PROCESS_DUP_HANDLE would be sufficient instead of ALL_ACCESS. */
        hprc = OpenProcess(PROCESS_ALL_ACCESS,
                           FALSE, dwProcessID);
        if(!hprc) return NULL;
    }
    /*
     * 4 is the lowest handle in the table.
     * All processes have this handle.
     * The duplicate is just a slot to be re-pointed at the TCB below.
     */
    b1 = DuplicateHandle(hprc,
                         (HANDLE)4,
                         GetCurrentProcess(),
                         &hThread,
                         THREAD_ALL_ACCESS,
                         bInherit, 0);
    if(hprc != GetCurrentProcess())
        CloseHandle(hprc);
    if(!b1) return NULL;

    /* Handle value >> 2 indexes the table; the arithmetic implies 8-byte
     * entries after an 8-byte header, with the object pointer in the entry's
     * second DWORD (assumption from the offsets -- confirm). Writing it here
     * repoints hThread at the target TCB without touching its RefCount. */
    dwWhere = ((DWORD)hThread) >> 2;
    dwTable = ppdb->pHandleTable;
    lp1 = (LPDWORD)(dwTable+(dwWhere*8)+8);
    *lp1 = (DWORD)lpThreadObj;
    return(hThread);
}
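/*
 * NT-family OpenThread via ntdll!NtOpenThread (kernel32 on NT4 does not
 * export OpenThread). Returns a THREAD_ALL_ACCESS handle to the thread, or
 * NULL if ntdll/NtOpenThread cannot be resolved or the call fails.
 *
 * struct1 mirrors OBJECT_ATTRIBUTES { Length = 0x18, RootDirectory,
 * ObjectName, Attributes, SecurityDescriptor, SecurityQualityOfService }
 * and struct2 mirrors CLIENT_ID { UniqueProcess, UniqueThread }, both as
 * raw DWORD arrays -- 32-bit layout only.
 *
 * Fixes over the original: a missing LoadLibrary/GetProcAddress result
 * check (NULL function pointer call), the export name passed through _T()
 * although GetProcAddress always takes an ANSI name, bInherit stored
 * directly into Attributes (OBJ_INHERIT is 0x2, so TRUE == 1 never set
 * the inherit bit), and the NTSTATUS result ignored.
 */
HANDLE WINAPI OpenThreadNT(DWORD dwThreadID, BOOL bInherit)
{
    HANDLE hThread = NULL;
    DWORD struct1[] = {0x18, 0, 0, 0, 0, 0};    /* OBJECT_ATTRIBUTES, Length = sizeof */
    DWORD struct2[] = {0, dwThreadID};          /* CLIENT_ID */
    const DWORD objInherit = 0x00000002;        /* OBJ_INHERIT from ntdef.h */
    HMODULE hLib;
    OTFUNC OpenThatNTThread;
    DWORD status;

    hLib = LoadLibrary(_T("ntdll.dll"));
    if (!hLib)
        return NULL;
    /* GetProcAddress takes LPCSTR regardless of UNICODE. */
    OpenThatNTThread = (OTFUNC)GetProcAddress(hLib, "NtOpenThread");
    if (!OpenThatNTThread) {
        FreeLibrary(hLib);
        return NULL;
    }

    /* Attributes: set the real inherit bit; a caller already passing
     * OBJ_INHERIT itself still gets the same value. */
    struct1[3] = bInherit ? objInherit : 0;
    status = OpenThatNTThread(&hThread, THREAD_ALL_ACCESS, struct1, struct2);
    FreeLibrary(hLib);

    /* NTSTATUS: negative values are failures; never hand back a stale handle. */
    if ((LONG)status < 0)
        hThread = NULL;
    return hThread;
}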
/*
 * GetProcAddress on an already-loaded module, with one twist for Win9x
 * kernel32: when the export begins with 0x68 (x86 PUSH imm32 -- presumably
 * a push/ret thunk), the pushed immediate is returned so the caller lands
 * on the real routine. Returns NULL if the module or export is not found.
 *
 * Note the parameter types: lpMod is LPSTR while GetModuleHandle expects
 * LPCTSTR, and lpFunc is LPTSTR while GetProcAddress expects LPCSTR; the
 * pair only agrees in a non-UNICODE build.
 */
LPVOID WINAPI GetTrueProcAddress(LPSTR lpMod, LPTSTR lpFunc)
{
    HMODULE hMod = GetModuleHandle(lpMod);
    LPVOID pfn = GetProcAddress(hMod, lpFunc);
    LPBYTE code = (LPBYTE)pfn;

    if (pfn == NULL)
        return NULL;
    if (code[0] != 0x68)        /* not a PUSH imm32 stub: export is the routine */
        return pfn;
    /* follow the 32-bit immediate that the stub pushes */
    return (LPVOID)*(LPDWORD)(code + 1);
}