{
GlobalFree(pCodeEntry);
return FALSE;
}
// write the loader code to the EntryPoint
if (!WriteProcessMemory(
pProcInfo->hProcess,
(VOID*)dwEntryPoint,
&LibLoadCode,
sizeof(LibLoadCode),
&dwBytesWritten))
{
GlobalFree(pCodeEntry);
return FALSE;
}
// execute the copied code
Regs = InitRegs;
Regs.Eip = dwEntryPoint;
ResumeThread(pProcInfo->hThread);
// wait until the thread finishes
dwCodeEnd = dwEntryPoint + offsetof(sLibLoadCode,jmp_$);
TestRegs.ContextFlags = CONTEXT_CONTROL | CONTEXT_INTEGER;
do
{
Sleep(50);
GetThreadContext(pProcInfo->hThread,&TestRegs);
} while (TestRegs.Eip != dwCodeEnd);
dwLibBase = TestRegs.Eax;
// suspend the thread and restore all !
SuspendThread(pProcInfo->hThread);
if (!WriteProcessMemory(
pProcInfo->hProcess,
(VOID*)dwEntryPoint,
pCodeEntry,
sizeof(LibLoadCode),
&dwBytesWritten))
{
GlobalFree(pCodeEntry);
return FALSE;
}
GlobalFree(pCodeEntry);
VirtualProtectEx(
pProcInfo->hProcess,
(VOID*)dwCodeStart,
sizeof(LibLoadCode),
dwOldProt,
&dwEWRProt);
InitRegs.Eip = dwEntryPoint;
if (!SetThreadContext(pProcInfo->hThread,&InitRegs))
return FALSE;
return TRUE;
}
/**
 * Loads szLibraryPath into the process described by pProcInfo by allocating an
 * executable region in that process, copying a sLibLoadCodeNT stub into it and
 * running the stub on a new remote thread (the "NT" path; the other functions
 * in this file patch the entry point instead).
 *
 * @param szLibraryPath  path handed to InitCodeStruct when the stub is built.
 * @param pProcInfo      target process; only hProcess is used here.
 * @return TRUE when the remote thread's exit code is non-zero (it is stored in
 *         dwLibBase and taken as the load result), FALSE on any failure.
 *
 * Side effects on file-scope state: dwCodeStart, dwBytesWritten and dwLibBase
 * are assigned. If VirtualAllocEx/VirtualFreeEx cannot be imported the
 * *calling* process is terminated with ExitProcess(1) instead of returning.
 */
BOOL ForceLibraryNT(CHAR* szLibraryPath,PROCESS_INFORMATION* pProcInfo)
{
    sLibLoadCodeNT LibLoadCode;
    DWORD dwRemoteThreadID;
    HANDLE hRemoteThread;
    _CodeEntry CodeEntry;
    // import NT only stuff manually
    // NOTE(review): GetModuleHandle's result is not checked; a NULL module makes
    // both GetProcAddress calls below return NULL, which then hits the abort path.
    HMODULE kernel = GetModuleHandle("kernel32.dll");
    typedef LPVOID (WINAPI*VirtualAllocExFunc)(
        HANDLE hProcess, // process to allocate memory
        LPVOID lpAddress, // desired starting address
        SIZE_T dwSize, // size of region to allocate
        DWORD flAllocationType, // type of allocation
        DWORD flProtect // type of access protection
    );
    VirtualAllocExFunc VirtualAllocExPtr = (VirtualAllocExFunc)GetProcAddress(kernel,"VirtualAllocEx");
    typedef BOOL (WINAPI*VirtualFreeExFunc)(
        HANDLE hProcess, // handle to process
        LPVOID lpAddress, // starting address of memory region
        SIZE_T dwSize, // size of memory region
        DWORD dwFreeType // operation type
    );
    VirtualFreeExFunc VirtualFreeExPtr = (VirtualFreeExFunc)GetProcAddress(kernel,"VirtualFreeEx");
    if(!VirtualFreeExPtr || !VirtualAllocExPtr)
    {
        // NOTE(review): this is the only failure in the function that does not
        // return FALSE; it shows a dialog and terminates the calling process.
        MessageBox(0,"couldnt import virtualallocex",0,0);
        ExitProcess(1);
    }
    // get some mem in the target's process memory
    // dwCodeStart is file-scope state (assigned here, never declared locally);
    // the region is requested as PAGE_EXECUTE_READWRITE for the whole stub.
    dwCodeStart = (DWORD)VirtualAllocExPtr(
        pProcInfo->hProcess,
        NULL,
        sizeof(LibLoadCode),
        MEM_COMMIT,
        PAGE_EXECUTE_READWRITE);
    if (!dwCodeStart)
        return FALSE;
    // init the LibLoadCode struct
    if (!InitCodeStruct(0, &LibLoadCode, szLibraryPath, dwCodeStart))
    {
        // NOTE(review): MEM_DECOMMIT with an explicit size decommits the pages
        // but leaves the address-space reservation made by VirtualAllocEx in
        // place; releasing a region allocated with lpAddress == NULL is normally
        // done with MEM_RELEASE and dwSize == 0. The same applies to every
        // VirtualFreeExPtr call in this function.
        VirtualFreeExPtr(
            pProcInfo->hProcess,
            (VOID*)dwCodeStart,
            sizeof(LibLoadCode),
            MEM_DECOMMIT);
        return FALSE;
    }
    // copy the code into the allocated mem
    if (!WriteProcessMemory(
        pProcInfo->hProcess,
        (VOID*)dwCodeStart,
        &LibLoadCode,
        sizeof(LibLoadCode),
        &dwBytesWritten))
    {
        VirtualFreeExPtr(
            pProcInfo->hProcess,
            (VOID*)dwCodeStart,
            sizeof(LibLoadCode),
            MEM_DECOMMIT);
        return FALSE;
    }
    // execute it
    CodeEntry = (_CodeEntry)dwCodeStart;
    if (!(hRemoteThread = CreateRemoteThread(
        pProcInfo->hProcess,
        NULL,
        0,
        CodeEntry,
        NULL,
        0,
        &dwRemoteThreadID)))
    {
        VirtualFreeExPtr(
            pProcInfo->hProcess,
            (VOID*)dwCodeStart,
            sizeof(LibLoadCode),
            MEM_DECOMMIT);
        return FALSE;
    }
    // wait until the thread finishes
    // NOTE(review): the WaitForSingleObject result is not checked, so a wait
    // failure falls through to GetExitCodeThread as if the thread had finished.
    WaitForSingleObject(hRemoteThread, INFINITE);
    if (!GetExitCodeThread(hRemoteThread, &dwLibBase))
    {
        // NOTE(review): hRemoteThread is not closed on this path (it is closed
        // only on the success path below), so the handle leaks here.
        VirtualFreeExPtr(
            pProcInfo->hProcess,
            (VOID*)dwCodeStart,
            sizeof(LibLoadCode),
            MEM_DECOMMIT);
        return FALSE;
    }
    // clean up
    VirtualFreeExPtr(
        pProcInfo->hProcess,
        (VOID*)dwCodeStart,
        sizeof(LibLoadCode),
        MEM_DECOMMIT);
    CloseHandle(hRemoteThread);
    // the stub's exit code is the only result; zero is reported as failure
    if (dwLibBase)
        return TRUE;
    else
        return FALSE;
}
/**
 * Overwrites the first byte at dwEntryPoint in pPI's process with the byte held
 * in the file-scope Int3 (0CCh per the original comment), after saving the
 * original byte in the file-scope bOrgEntry so ForceLibraryDBG can put it back.
 *
 * @param dwEntryPoint  address in the target process whose first byte is replaced.
 * @param pPI           target process; only hProcess is used here.
 * @return FALSE if reading or writing that byte fails, TRUE otherwise.
 *
 * Side effects on file-scope state: bOrgEntry, dwOldProt, dwNewProt,
 * dwBytesRead and dwBytesWritten are written.
 */
extern "C" BOOL WINAPI TrapEntry(DWORD dwEntryPoint,PROCESS_INFORMATION *pPI)
{
    // simply set a 0CCh at the EntryPoint
    // NOTE(review): neither VirtualProtectEx result is checked. If this first
    // call fails, dwOldProt keeps whatever value it previously held and the
    // restore below re-applies that stale value.
    VirtualProtectEx(
        pPI->hProcess,
        (VOID*)dwEntryPoint,
        1,
        PAGE_EXECUTE_READWRITE,
        &dwOldProt);
    // NOTE(review): both early returns below leave the page at
    // PAGE_EXECUTE_READWRITE; only the success path restores dwOldProt.
    if (!ReadProcessMemory(
        pPI->hProcess,
        (VOID*)dwEntryPoint,
        (VOID*)&bOrgEntry,
        1,
        &dwBytesRead))
        return FALSE;
    if (!WriteProcessMemory(
        pPI->hProcess,
        (VOID*)dwEntryPoint,
        (VOID*)&Int3,
        1,
        &dwBytesWritten))
        return FALSE;
    VirtualProtectEx(
        pPI->hProcess,
        (VOID*)dwEntryPoint,
        1,
        dwOldProt,
        &dwNewProt);
    return TRUE;
}
/**
 * Second step of the entry-point path (after TrapEntry): puts the original
 * entry byte back, saves LOADCODESIZEDBG bytes of the original code into a
 * GlobalAlloc'd buffer, writes the LibLoadCodeDBG stub over the entry point
 * and points the target thread's Eip at it. Nothing is executed here; the
 * caller resumes the thread and later calls PerformCleanup, which frees the
 * saved buffer, restores the code and page protection and the saved context.
 *
 * @param szTargetLib   path handed to InitCodeStructDBG when the stub is built.
 * @param dwEntryPoint  address in the target process that is overwritten.
 * @param pPI           target process and thread handles.
 * @return FALSE on any failure, TRUE once the stub is in place.
 *
 * Side effects on file-scope state: Regs, InitRegs, LibLoadCodeDBG,
 * pCodeEntry (ownership stays here until PerformCleanup frees it), dwOldProt,
 * dwBytesWritten and dwBytesRead are written.
 */
extern "C" BOOL WINAPI ForceLibraryDBG(CHAR* szTargetLib,
                                       DWORD dwEntryPoint,
                                       PROCESS_INFORMATION *pPI)
{
    // save the regs
    Regs.ContextFlags = CONTEXT_INTEGER | CONTEXT_CONTROL;
    if (!GetThreadContext(pPI->hThread,&Regs))
        return FALSE;
    // InitRegs is the captured context with Eip already moved to dwEntryPoint;
    // PerformCleanup restores exactly this, not the Eip the thread trapped at.
    Regs.Eip = dwEntryPoint;
    InitRegs = Regs;
    // init the LibLoadCodeDBG struct
    if (!InitCodeStructDBG(LibLoadCodeDBG,szTargetLib,dwEntryPoint))
        return FALSE;
    // NOTE(review): the VirtualProtectEx result is not checked; on failure
    // dwOldProt is stale and the writes below may fail with the page read-only.
    VirtualProtectEx(
        pPI->hProcess,
        (VOID*)dwEntryPoint,
        LOADCODESIZEDBG,
        PAGE_EXECUTE_READWRITE,
        &dwOldProt);
    // restore the EntryPoint-byte
    // NOTE(review): every failure return from here on leaves the page at
    // PAGE_EXECUTE_READWRITE; protection is only restored in PerformCleanup.
    if (!WriteProcessMemory(
        pPI->hProcess,
        (VOID*)dwEntryPoint,
        &bOrgEntry,
        1,
        &dwBytesWritten))
        return FALSE;
    // save the code at the EntryPoint
    pCodeEntry = GlobalAlloc(GMEM_FIXED,LOADCODESIZEDBG);
    if (!pCodeEntry)
        return FALSE;
    if (!ReadProcessMemory(
        pPI->hProcess,
        (VOID*)dwEntryPoint,
        pCodeEntry,
        LOADCODESIZEDBG,
        &dwBytesRead))
    {
        GlobalFree(pCodeEntry);
        return FALSE;
    }
    // write the loader code to the EntryPoint (page protection is restored
    // later, in PerformCleanup, once the saved bytes have been written back)
    if (!WriteProcessMemory(
        pPI->hProcess,
        (VOID*)dwEntryPoint,
        &LibLoadCodeDBG,
        LOADCODESIZEDBG,
        &dwBytesWritten))
    {
        GlobalFree(pCodeEntry);
        return FALSE;
    }
    // prepare the execution of the copied code
    // NOTE(review): the SetThreadContext result is not checked, so TRUE is
    // returned even if Eip was never moved to the stub.
    SetThreadContext(pPI->hThread,&Regs);
    return TRUE;
}
/**
 * Final step of the entry-point path: reads the target thread's Eax as the
 * stub's result, writes the bytes saved by ForceLibraryDBG back over
 * dwEntryPoint, frees that saved buffer, restores the page protection saved
 * in dwOldProt and sets the thread context back to InitRegs.
 *
 * @param dwEntryPoint  address in the target process that ForceLibraryDBG overwrote.
 * @param pPI           target process and thread handles.
 * @return the value read from Eax (stored in dwLibBase), or 0 on failure.
 *
 * Side effects on file-scope state: Regs, dwLibBase, dwNewProt and
 * dwBytesWritten are written; pCodeEntry is freed on every path that reaches
 * the WriteProcessMemory call.
 */
extern "C" DWORD WINAPI PerformCleanup(DWORD dwEntryPoint,PROCESS_INFORMATION *pPI)
{
    // grab the result of the "LoadLibraryA" call
    // NOTE(review): the GetThreadContext result is not checked, and the call
    // relies on Regs.ContextFlags still holding CONTEXT_INTEGER | CONTEXT_CONTROL
    // from ForceLibraryDBG; if Regs was touched in between, Eax may be stale.
    GetThreadContext(pPI->hThread,&Regs);
    dwLibBase = Regs.Eax;
    // restore all !
    // NOTE(review): on this failure the page stays PAGE_EXECUTE_READWRITE and
    // the thread context is not restored, but the saved bytes are freed.
    if (!WriteProcessMemory(
        pPI->hProcess,
        (VOID*)dwEntryPoint,
        pCodeEntry,
        LOADCODESIZEDBG,
        &dwBytesWritten))
    {
        GlobalFree(pCodeEntry);
        return 0;
    }
    GlobalFree(pCodeEntry);
    VirtualProtectEx(
        pPI->hProcess,
        (VOID*)dwEntryPoint,
        LOADCODESIZEDBG,
        dwOldProt,
        &dwNewProt);
    // InitRegs was captured by ForceLibraryDBG with Eip pointing at dwEntryPoint
    if (!SetThreadContext(pPI->hThread,&InitRegs))
        return 0;
    return dwLibBase;
}