年末发点代码系列(1)

转:http://bbs.pediy.com/showthread.php?t=214890


实现在 PCHunter 里让所有模块看起来都"被替换"的效果。
头文件内容太多,就不发了。
实际上就是把 PEB 的 LDR 模块链表遍历一遍,修改一下每个模块 PE 头的属性。
获取 PEB 用的是 ntdll 的函数。


#include "../Common/common.h"

namespace user
{

// RVA -> VA helper (base + offset).  Nothing on this page references it;
// presumably a leftover from the omitted header.
#define RVATOVA(_base_, _offset_) ((PUCHAR)(_base_) + (ULONG)(_offset_))
  // Rewrites the in-memory PE headers of one loaded module so that tools
  // which validate headers (the post names PCHunter) report it as
  // replaced/packed.  Concretely: AddressOfEntryPoint is zeroed and the
  // import-directory RVA is set to 1.  The original page protection is never
  // restored, so the header page stays PAGE_EXECUTE_READWRITE afterwards.
  //
  // Image: base address of a mapped module; a DOS header is expected at offset 0.
  // Returns nothing.  Any access violation inside is swallowed by __except.
  //
  // Defender note: the result is a recognisable in-memory artefact - header
  // pages that are writable and executable, an entry point of 0 and an
  // import-table RVA of 1 - and is found by comparing a module's in-memory
  // headers against its on-disk file.
  static void mark_pe_packed(PVOID Image)
  {
    __try
    {
      // Follow e_lfanew from the DOS header to the NT headers.  The 32-bit
      // view is enough to read Machine: FileHeader precedes OptionalHeader
      // in both the 32- and 64-bit layouts.
      PIMAGE_NT_HEADERS32 pHeaders32 = (PIMAGE_NT_HEADERS32)
        ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew);

      // Both locals are assigned but never read.
      auto _is64 = false;
      auto image_base = reinterpret_cast<char *>(Image);

      if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_I386)
      {
        // 32-bit image
        // The guard is commented out, so the headers are rewritten even when
        // the module has no import directory.
        //if (pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress)
        {
          DWORD old = 0;
          // Return value ignored and `old` never used to restore protection;
          // if the call fails the writes below may fault into the __except.
          VirtualProtectEx(GetCurrentProcess(), pHeaders32, sizeof(IMAGE_NT_HEADERS32), PAGE_EXECUTE_READWRITE, &old);
          pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = 1;
          pHeaders32->OptionalHeader.AddressOfEntryPoint = 0;
        }
      }
      else if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
      {
        // 64-bit image
        // Same header address, reinterpreted with the 64-bit OptionalHeader layout.
        PIMAGE_NT_HEADERS64 pHeaders64 = (PIMAGE_NT_HEADERS64)
          ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew);

        //if (pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress)
        {
          DWORD old = 0;
          // Same unchecked/unrestored VirtualProtectEx as the 32-bit branch.
          VirtualProtectEx(GetCurrentProcess(), pHeaders64, sizeof(IMAGE_NT_HEADERS64), PAGE_EXECUTE_READWRITE, &old);
          pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = 1;
          pHeaders64->OptionalHeader.AddressOfEntryPoint = 0;
          _is64 = true;
        }
      }
      // Any other Machine value is silently skipped.
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
      // Catch-all: an unreadable or unwritable header only pops a message
      // box; the caller then moves on to the next module.
      MessageBoxA(nullptr, "fucker", "ff", MB_OK);
    }


  }
  // Walks this process's loader list (PEB->Ldr->InMemoryOrderModuleList)
  // and calls mark_pe_packed on every entry's DllBase.  The PEB address is
  // obtained via NtQueryInformationProcess(ProcessBasicInformation).
  //
  // Self: unused; nothing in the body references it.
  //
  // NOTE(review): the NTSTATUS stored in `dw` is never checked.  If the
  // query fails, stInfo.PebBaseAddress presumably stays 0 (stInfo is
  // zero-initialised) and the Ldr dereference below faults outside any __try.
  void mark_all_modules(PVOID Self)
  {
    NTDLL::PROCESS_BASIC_INFORMATION stInfo = { 0 };
    DWORD dwRetnLen = 0;
    DWORD dw = NTDLL::NtQueryInformationProcess(GetCurrentProcess(), NTDLL::ProcessBasicInformation, &stInfo, sizeof(stInfo), &dwRetnLen);
    // Assigned but never read; the list head below re-casts stInfo directly.
    PPEB pPeb = (PPEB)stInfo.PebBaseAddress;
    PLIST_ENTRY ListHead, Current;
    NTDLL::LDR_DATA_TABLE_ENTRY *pstEntry = NULL;

    // The list head lives inside PEB_LDR_DATA and is not itself a module, so
    // iteration starts at Flink and stops when it wraps back to the head.
    ListHead = &(((PPEB)stInfo.PebBaseAddress)->Ldr->InMemoryOrderModuleList);
    Current = ListHead->Flink;
    while (Current != ListHead)
    {
      // InMemoryOrderLinks is the LIST_ENTRY embedded in the entry, so
      // CONTAINING_RECORD recovers the enclosing LDR_DATA_TABLE_ENTRY.
      pstEntry = CONTAINING_RECORD(Current, NTDLL::LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
      mark_pe_packed(pstEntry->DllBase);
      Current = pstEntry->InMemoryOrderLinks.Flink;
    }
  }
};

int main()
{
  // Entry point: rewrite the PE headers of every module loaded into this
  // process, then block on a message box so the effect can be inspected
  // before the process exits.
  const HMODULE self_module = GetModuleHandle(nullptr);
  user::mark_all_modules(self_module);
  MessageBoxA(nullptr, "test", "me", MB_OK);
  return 0;
}

