#include "public.h"
#include "injectDLL.h"
#include "nativeApi.h"
#include "allocVM.h"
#include "globals.h"
#define ULONG_PTR_SUB(a,b) ((ULONG)(((ULONG_PTR)(a))-((ULONG_PTR)(b))))
//设置当前模式为内核
// Overwrite the calling thread's KTHREAD.PreviousMode byte and return the
// value it held before.  The byte offset comes from g_undocument_data
// (version-specific, undocumented and not validated here); 0 is KernelMode.
// Callers must write the returned value back on every exit path: while the
// byte is 0, native services invoked on this thread treat their arguments as
// trusted kernel-mode arguments, so leaving it set widens the attack surface
// of the whole thread, not just of the call this was done for.
char setKernelMode(char mode)
{
char ret = 0;
// Offset of PreviousMode inside the KTHREAD, supplied by initialisation code outside this file.
int offset = g_undocument_data.PreviousMode;
void *pEthread = PsGetCurrentThread();
// Save the old mode so the caller can restore it.
ret = *((char *)pEthread+offset);
*((char *)pEthread+offset) = mode;
return ret;
/*
__asm{
push eax;
mov eax,fs:0x124;// get the _KTHREAD structure address
add eax,0x140;// get the PreviousMode location
mov byte ptr [eax],0;
pop eax;
}*/
}
//获取导入表所在区的偏移
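template <class T>
// Locate the section that contains the import directory.
//
// pNTHeader      : PIMAGE_NT_HEADERS32 or PIMAGE_NT_HEADERS64 (T is deduced).
// sizeOfSection  : receives the section's VirtualSize, or SizeOfRawData when
//                  VirtualSize is 0; may be NULL if the caller only wants the VA.
// Returns the section's VirtualAddress, or 0 when no section's raw-data range
// contains the import directory RVA (the header is untrusted input, so a miss
// is a normal outcome, not an error).
ULONG getVirtualAddressForIAT(T pNTHeader,PULONG sizeOfSection)
{
    ULONG importDescRVA = pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    int numOfSections = pNTHeader->FileHeader.NumberOfSections;
    PIMAGE_SECTION_HEADER pSectionHeader = IMAGE_FIRST_SECTION(pNTHeader);
    for (int i = 0; i < numOfSections; i++, pSectionHeader++)
    {
        ULONG sectionVA = pSectionHeader->VirtualAddress;
        // Subtract first: a crafted header with VirtualAddress + SizeOfRawData
        // above 4 GiB would otherwise wrap the upper bound and match wrongly.
        if (importDescRVA >= sectionVA && (importDescRVA - sectionVA) < pSectionHeader->SizeOfRawData)
        {
            if (sizeOfSection != NULL)
            {
                *sizeOfSection = pSectionHeader->Misc.VirtualSize == 0 ? pSectionHeader->SizeOfRawData : pSectionHeader->Misc.VirtualSize;
            }
            return sectionVA;
        }
    }
    // The return type is ULONG; 0 (not the pointer constant NULL) means "not found".
    return 0;
}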
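// Open a kernel handle (OBJ_KERNEL_HANDLE, PROCESS_ALL_ACCESS) on the process
// identified by ProcessId.
//
// Returns the handle, or NULL when the PID lookup or the open fails.  The
// handle is a kernel handle; the caller owns it and closes it with ZwClose.
// The EPROCESS reference taken by the lookup is dropped here on every path.
HANDLE OpenProcess(HANDLE ProcessId)
{
    PEPROCESS process = NULL;
    HANDLE handle = NULL;
    NTSTATUS status = PsLookupProcessByProcessId(ProcessId, &process);
    if (!NT_SUCCESS(status))
    {
        return NULL;
    }
    status = ObOpenObjectByPointer(process, OBJ_KERNEL_HANDLE, NULL, PROCESS_ALL_ACCESS, NULL, KernelMode, &handle);
    // Do not rely on the output parameter being left untouched on failure:
    // make the NULL-means-failure contract explicit.
    if (!NT_SUCCESS(status))
    {
        handle = NULL;
    }
    ObDereferenceObject(process);
    return handle;
}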
//由于有些程序的导入表大小并不准确,需要自己遍历导入表,获取大小。
//
// Count the entries of an import descriptor table, including the all-zero
// terminator, by walking until a descriptor with Name == 0 is reached.
// The count is derived by walking rather than from the data directory's
// Size field, which some images report inaccurately.
//
// NOTE(review): the walk has no upper bound and pDes is not checked for NULL;
// a table that lacks a zero terminator is read past its end.  The caller does
// not pass a size, so a bound cannot be enforced here.
ULONG getImportTableSize(PIMAGE_IMPORT_DESCRIPTOR pDes)
{
    ULONG count = 1; // the terminating all-zero entry
    for (PIMAGE_IMPORT_DESCRIPTOR cur = pDes; cur->Name != 0; cur++)
    {
        count++;
    }
    return count;
}
VOID addIAT (
IN HANDLE ProcessId, // where image is mapped
IN PVOID BaseImage,
IN char* DllName,
IN char* FunctionName
)
{
NTSTATUS ntStatus;
PEPROCESS Process;
KAPC_STATE ApcState;
ULONG Attached = FALSE;
PEPROCESS CurrentProcess;
PIMAGE_IMPORT_DESCRIPTOR pImportNew;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
HANDLE hProcessHandle;
SIZE_T allocSize = 0,tempSize = 0;
IMAGE_IMPORT_DESCRIPTOR Add_ImportDesc;
PIMAGE_IMPORT_BY_NAME pApiName;
IMAGE_THUNK_DATA *pOriginalThunkData;
IMAGE_THUNK_DATA *pFirstThunkData;
PIMAGE_BOUND_IMPORT_DESCRIPTOR pBoundImport;
char preMode = 0;
LARGE_INTEGER procTimeout = { 0 };
PIMAGE_DOS_HEADER pDos;
PIMAGE_NT_HEADERS32 pHeader;
PIMAGE_NT_HEADERS64 pHeader64;
bool bIs64Bit;
MyZwProtectVirtualMemory g_NtProtectVirtualMemory = (MyZwProtectVirtualMemory)g_undocument_data.NtProtectVirtualMemory;
typedef struct
{
char dllName[128];
char apiName[128];
DWORD thunk;
DWORD thunkEnd;
DWORD orgthunk;
DWORD orgthunkEnd;
}ExtData,*PExtData;
if ((DllName == NULL)||(FunctionName) == NULL)
{
return;
}
if((sizeof(DllName)>128)||(sizeof(FunctionName)>128))
{
return;
}
//修改先前模式为内核态
preMode = setKernelMode(0);
PVOID lpBuffer = NULL;
ntStatus = PsLookupProcessByProcessId(ProcessId,&Process);
if (!NT_SUCCESS(ntStatus)) {
return ;
}
// if (KeWaitForSingleObject( Process, Executive, KernelMode, FALSE, &procTimeout ) == STATUS_WAIT_0)
// {
// KdPrint(( "Process is terminating. Abort\n"));
//
// if (Process)
// ObDereferenceObject( Process );
//
// return ;
// }
PVOID ulBaseImage = BaseImage;// 进程基地址
CurrentProcess = PsGetCurrentProcess();
if (CurrentProcess != Process) {
KeStackAttachProcess (Process, &ApcState);
Attached = TRUE;
}
//获取pe头
pDos = (PIMAGE_DOS_HEADER) ulBaseImage;
pHeader = (PIMAGE_NT_HEADERS32)((ULONG_PTR)ulBaseImage+pDos->e_lfanew);
pHeader64 = (PIMAGE_NT_HEADERS64)pHeader;
//判断是否为64位程序
bIs64Bit = ( pHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC );
ULONG nImportDllCount = 1;//无导入表,如ntdll
if(bIs64Bit)
pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)(pHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (ULONG_PTR)ulBaseImage);
else
pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)(pHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (ULONG_PTR)ulBaseImage);
if ( (ULONG_PTR)pImportDesc != (ULONG_PTR)ulBaseImage)
{
nImportDllCount = getImportTableSize(pImportDesc);
}
PExtData pExtData = NULL;
//获取句柄
hProcessHandle = OpenProcess(ProcessId);
if(NULL == hProcessHandle)
{
ObDereferenceObject(Process);
return ;
}
//加上一个导入表描述,再加上一个自己的结构,ExtData。
allocSize =sizeof(ExtData) + sizeof(IMAGE_IMPORT_DESCRIPTOR) * (nImportDllCount + 1);
//分配导入表
tempSize = allocSize;
if (bIs64Bit)
lpBuffer = (PVOID)((ULONG_PTR)BaseImage+pHeader64->OptionalHeader.SizeOfImage+2*allocSize+100000);//SizeOfImage
//32位程序在0x70000000出分配内存
else
lpBuffer = (PVOID)0x70000000;
lpBuffer = AllocateInjectMemory(hProcessHandle,lpBuffer,tempSize);
/*
ntStatus = ZwAllocateVirtualMemory(hProcessHandle, &lpBuffer, 0, (PSIZE_T)&tempSize,
MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);*/
//偏移为负数
if((ULONG_PTR)ulBaseImage>(ULONG_PTR)lpBuffer)
{
KdPrint(("can't allocate suite memory! \n"));
ZwClose(hProcessHandle);
return ;
}
//指向新导入表后面的额外数据(用于存放dll名,函数名等信息)
pExtData = (PExtData)((char *)lpBuffer + sizeof(IMAGE_IMPORT_DESCRIPTOR) * (nImportDllCount + 1));
RtlZeroMemory(lpBuffer,allocSize);
RtlCopyMemory(pExtData->apiName,FunctionName,strlen(FunctionName));
RtlCopyMemory(pExtData->dllName,DllName,strlen(DllName));
pImportNew = (PIMAGE_IMPORT_DESCRIPTOR)lpBuffer;
// 把原来数据移至新空间。
RtlCopyMemory(pImportNew , pImportDesc, sizeof(IMAGE_IMPORT_DESCRIPTOR) * nImportDllCount );
// 构造自己的DLL IMAGE_IMPORT_DESCRIPTOR结构
pExtData->thunkEnd = 0;
pExtData->orgthunkEnd = 0;
pOriginalThunkData = (PIMAGE_THUNK_DATA)&(pExtData->orgthunk);
pFirstThunkData = (PIMAGE_THUNK_DATA)&(pExtData->thunk);
pApiName = (PIMAGE_IMPORT_BY_NAME)pExtData->apiName;
pApiName->Hint = 0;
// 至少要一个导出API,并让thunk指向函数名
pOriginalThunkData[0].u1.AddressOfData = ULONG_PTR_SUB(pApiName,ulBaseImage);
pFirstThunkData[0].u1.AddressOfData = ULONG_PTR_SUB(pApiName,ulBaseImage);
// DLL名字的RVA
Add_ImportDesc.Name = ULONG_PTR_SUB(pExtData->dllName,ulBaseImage);
//构造加入项
Add_ImportDesc.FirstThunk = ULONG_PTR_SUB(pFirstThunkData,ulBaseImage);
Add_ImportDesc.Characteristics = ULONG_PTR_SUB(pOriginalThunkData,ulBaseImage);
Add_ImportDesc.TimeDateStamp = 0;
Add_ImportDesc.ForwarderChain = 0;
//将自己的表追加在末尾
pImportNew += (nImportDllCount-1);
RtlCopyMemory(pImportNew, &Add_ImportDesc, sizeof(IMAGE_IMPORT_DESCRIPTOR));
//表尾清零
pImportNew += 1;
RtlZeroMemory(pImportNew, sizeof(IMAGE_IMPORT_DESCRIPTOR));
ULONG *pVirtualAddr,*pSize;
if (bIs64Bit)
{
pVirtualAddr = &(pHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
pSize = &(pHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size);
}
else
{
pVirtualAddr = &(pHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
pSize = &(pHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size);
}
PVOID temp_BaseAddr = NULL;
//将8个表项设置为可写
SIZE_T protectSize = 16*sizeof(IMAGE_DATA_DIRECTORY);
ULONG oldProtect = 0;
//调用nt函数前将先前模式设置为内核模式
temp_BaseAddr = (PVOID)pVirtualAddr;
//更改内存属性为可写
ntStatus = g_NtProtectVirtualMemory(hProcessHandle,&temp_BaseAddr,(PSIZE_T)&protectSize,PAGE_EXECUTE_READWRITE,&oldProtect);
if (!NT_SUCCE