原文的地址我没找到
只找到了这个
00aK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3u0D9L8$3N6Q4x3X3g2U0M7$3c8F1i4K6u0W2L8X3g2@1i4K6u0r3P5X3S2#2K9s2g2A6j5X3g2A6M7$3S2S2k6r3W2S2L8#2)9J5c8X3q4J5N6r3W2U0L8r3g2Q4x3V1k6V1k6i4c8S2K9h3I4K6i4K6u0r3y4e0p5J5x3U0V1K6y4U0j5`.
然后把这个英文的原文和论坛某牛的PDF汇编过PG的一起看的
在公司的虚拟机上成功绕过了
但是在家里机器上的虚拟机发现进入登录界面蓝屏
然而在原文和PDF中都没有提起过这个东西
后来我用文件对比之后 发现修改了3处\xC1\xF8\x30 30改2F
照葫芦画瓢之后的确成功了
不知道是为什么
我代码写的很乱 基本是瞎瘠薄写的
void Function()
{
fstream f("CG_winload.exe", ios::in | ios::binary | ios::out);
char p[] = "\xCC\x48\x8B\xC4\x53\x55\x57\x41\x54";
string str((std::istreambuf_iterator<char>(f)), std::istreambuf_iterator<char>());
int temp = str.find(p);
PIMAGE_DOS_HEADER DosHeader;
DosHeader = (PIMAGE_DOS_HEADER)str.c_str();
int CheckSum = DosHeader->e_lfanew;
CheckSum += 0x58;
f.seekp(temp +1);
f.write("\xB0\x01\xC3", 3);
f.close(); winload修改
f.open("CG_winload.exe", ios::in | ios::binary | ios::out);
DWORD Old, New;
MapFileAndCheckSumA("CG_winload.exe", &Old, &New);
cout << "OLD" << Old << "NEW" << New << endl; 修改校对
f.seekp(CheckSum);
char a[4] = { 0 };
memcpy(a, &New, 4);
f.write(a, 4);
f.close();
}
int _tmain(int argc, _TCHAR* argv[])
{
string File_Name1 = _getcwd(NULL, 0);
string File_Name2 = File_Name1;
File_Name1 += +"\\CG_winload.exe";
File_Name2 += +"\\CG_ntoskrnl.exe";
CopyFileA("C:\\Windows\\System32\\winload.exe", File_Name1.c_str(), 1);
CopyFileA("C:\\Windows\\System32\\ntoskrnl.exe", File_Name2.c_str(), 1); 文件复制
Function();
fstream f("CG_ntoskrnl.exe", ios::in | ios::binary | ios::out);
char p[] = "\x81\xEC\x58\x0F\x00\x00\x33\xFF\x39\x3D";
char p2[] = "\xE1\xFF\x0F\x85\x94\x00\x00\x00\x33\xC0";
char p3[] = "\xC1\xF8\x30";
string str((std::istreambuf_iterator<char>(f)), std::istreambuf_iterator<char>());
int index1 = str.find(p);
int index2 = str.find(p2);
int index3 = str.find(p3, 0);
int index4 = str.find(p3, index3);
int index5 = str.find(p3, index4);
PIMAGE_DOS_HEADER DosHeader;
DosHeader = (PIMAGE_DOS_HEADER)str.c_str();
int CheckSum = DosHeader->e_lfanew;
CheckSum += 0x58;
f.seekp(index1 + sizeof(p)-1 + 4);
f.write("\x90\x90", 2);
f.seekp(index2 + 2);
f.write("\x90\xE9\x94", 2);
f.seekp(index3 + 2);
f.write("\x2F", 1);
f.seekp(index4 + 2);
f.write("\x2F", 1);
f.seekp(index5 + 2);
f.write("\x2F", 1);
f.close();
f.open("CG_ntoskrnl.exe", ios::in | ios::binary | ios::out);
DWORD Old, New;
MapFileAndCheckSumA("CG_ntoskrnl.exe", &Old, &New);
cout << "OLD" << Old << "NEW" << New << endl;
f.seekp(CheckSum);
char a[4] = { 0 };
memcpy(a, &New, 4);
f.write(a, 4);
f.close();
cout << "OK" << endl;
重新修改BCD入口
string str_temp = "set CG={46595952-454E-4F50-4747-554944FFFFFF}&";
str_temp += "bcdedit -create {46595952-454E-4F50-4747-554944FFFFFF} -d \"DES_PG_CGeneraL\" -application OSLOADER&";
str_temp += "bcdedit -set {46595952-454E-4F50-4747-554944FFFFFF} device partition=%SYSTEMDRIVE%&";
str_temp += "bcdedit -set {46595952-454E-4F50-4747-554944FFFFFF} osdevice partition=%SYSTEMDRIVE%&";
str_temp += "bcdedit -set {46595952-454E-4F50-4747-554944FFFFFF} systemroot \\Windows&";
str_temp += "bcdedit -set {46595952-454E-4F50-4747-554944FFFFFF} path \\Windows\\system32\\CG_winload.exe&";
str_temp += "bcdedit -set {46595952-454E-4F50-4747-554944FFFFFF} kernel CG_ntoskrnl.exe&";
str_temp += "bcdedit -set {46595952-454E-4F50-4747-554944FFFFFF} recoveryenabled 0&";
str_temp += "bcdedit -set {46595952-454E-4F50-4747-554944FFFFFF} nx OptOut&";
str_temp += "bcdedit -set {46595952-454E-4F50-4747-554944FFFFFF} nointegritychecks 1&";
str_temp += "bcdedit -set {46595952-454E-4F50-4747-554944FFFFFF} testsigning 1&";
str_temp += "bcdedit -displayorder {46595952-454E-4F50-4747-554944FFFFFF} -addlast&";
str_temp += "bcdedit -timeout 30&PAUSE&";
system(str_temp.c_str());
cout << "OK" << endl;
CopyFileA(File_Name1.c_str(),"C:\\Windows\\System32\\CG_winload.exe" , 1);
CopyFileA(File_Name2.c_str(),"C:\\Windows\\System32\\CG_ntoskrnl.exe" , 1);
重新复制回去
getchar();
}
这个东西我一直也没找到源码.在某个视频教程中找到过成品 渣技术反汇编我也看不懂
这个方法应该是很老也是比较简单的方法了吧?我表示自己一直是关门造车 顺便求个大神帮忙指点下是否有误
[培训]科锐逆向工程师培训第53期2025年7月8日开班!
