sdlj8051金虫 (著名写手)
[转贴] 应用内存断点的 Loader
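program Loader;

(************************************)
(*                                  *)
(*  Memory Access Breakpoint Loader *)
(*            by tt.t               *)
(*                                  *)
(************************************)

{
  Goal: intercept writes to a chosen address inside the target process and
  NOP out the instruction that performs the write.

  Problem: a memory-write breakpoint is needed on the address to patch; no
  ready-made code was found, so it is hand-rolled here.

  Approach: make the watched address non-writable.  A write to it then raises
  an access violation (AV) in the debuggee, which this loader receives as a
  debug event and patches.  VirtualProtectEx, however, changes the protection
  of the WHOLE page, so every write to that page - not only to the watched
  address - faults, and the instruction we want cannot be told apart directly.

  Solution: remember the page that contains the watched address.  When an AV
  arrives, check whether it was caused by our protection change.  If the
  write targets the page but not the watched address, make the page writable
  again, set the trap flag so the debuggee single-steps over that write, and
  on the resulting single-step event put the non-writable protection back.
  Repeat until the instruction that writes the watched address is found.
  (Original author: "not sure whether there is a better way.")

  Reply by ttui (2005-10-28 10:09): the code was reposted with line-by-line
  comments because it was found hard to follow; those comments are merged
  below.  Readers should first get a general picture of the Win32 debug API
  and its event loop (WaitForDebugEvent / ContinueDebugEvent).

  Caveats a practitioner should know before reusing this:
    - ExceptionInformation[1] is the FIRST byte of the faulting access.  A
      multi-byte write that starts below the watched address and overlaps it
      is not recognised as a hit; it is stepped over like an innocent write.
    - The patch overwrites PatchLen bytes at the faulting EIP with NOPs.
      PatchLen must equal the length of the writing instruction, otherwise
      the following instruction is corrupted.
    - Attaching sets the debuggee's BeingDebugged flag; a packer that re-checks
      for a debugger after start-up will still notice.
    - WaitForInputIdle only works for GUI processes; a console target needs a
      different synchronisation point before the attach.
}

uses
  JwaWinType, JwaWinNt, JwaWinBase, JwaWinUser;

{$R *.res}

const
  { Address watched by default (the one from the original post) and the
    length of the instruction that was observed writing it. }
  DefaultWatchAddr = $9C66BC;
  DefaultPatchLen  = 3;

  { Only the rights actually needed on the faulting thread; the original
    asked for THREAD_ALL_ACCESS. }
  THREAD_CONTEXT_ACCESS = THREAD_GET_CONTEXT or THREAD_SET_CONTEXT;

  { Trap flag in EFlags: the CPU raises a single-step exception after the
    next instruction when it is set. }
  EFLAGS_TF = $100;

{ Returns the directory part of F including the trailing separator, or ''
  when F carries no directory.  Hand-rolled so SysUtils is not pulled in.
  NOTE(review): the posted loop read `if f = '' then Break`; the index and
  the backslash were most likely eaten by the forum's BBCode ("[i]" renders
  as italic), so the comparison against the separator is restored here.
  Without it the loop never breaks and Copy() returns an arbitrary prefix. }
function MyExtractFilePath(f: String): String;
var
  i: Integer;
begin
  i := Length(f);
  while (i > 0) and not (f[i] in ['\', '/', ':']) do
    Dec(i);
  Result := Copy(f, 1, i);
end;

{ Strips write access from a PAGE_* protection value and keeps the modifier
  bits (PAGE_GUARD, PAGE_NOCACHE) untouched.  The original always switched to
  PAGE_EXECUTE_READ, which grants execute on what may be a plain data page;
  deriving the value from the current one is the least-privilege choice and
  yields the same PAGE_EXECUTE_READ for the usual RWX packer section.
  Returns Prot unchanged when it already has no write bit. }
function WithoutWrite(Prot: DWORD): DWORD;
begin
  case Prot and $FF of
    PAGE_READWRITE, PAGE_WRITECOPY:
      Result := (Prot and not DWORD($FF)) or PAGE_READONLY;
    PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY:
      Result := (Prot and not DWORD($FF)) or PAGE_EXECUTE_READ;
  else
    Result := Prot;
  end;
end;

{ Starts Path, waits for its (packer) start-up code to settle, attaches as a
  debugger and watches WatchAddr for writes.  Every instruction caught writing
  WatchAddr is overwritten with PatchLen NOP bytes; writes elsewhere on the
  same page are transparently stepped over.  Returns when the debuggee exits
  or when set-up fails (reported via MessageBox).  Because the loader stays
  attached, exiting it early also terminates the debuggee. }
procedure CreateVictimProcess(Path: String; WatchAddr: DWORD = DefaultWatchAddr;
  PatchLen: DWORD = DefaultPatchLen);
var
  si: STARTUPINFO;
  pi: PROCESS_INFORMATION;
  SysInfo: TSystemInfo;
  MemInfo: TMemoryBasicInformation;
  WorkDir: String;
  DirPtr: PChar;
  Nops: array of Byte;
  PgMin, PgMax: DWORD;          { [PgMin, PgMax) - the page holding WatchAddr }
  OldPrt, NewPrt, NoWritePrt: DWORD;
  DbgEvent: TDebugEvent;
  DbgParam: DWORD;              { how ContinueDebugEvent reports the event back }
  WExpAddr: DWORD;
  pPatch: Pointer;
  Ctx: TContext;
  hThread: HANDLE;
  SteppingOverWrite: Boolean;   { a single-step we armed ourselves is pending }
  AttachBpSeen: Boolean;        { the int3 injected by DebugActiveProcess was seen }
begin
  if PatchLen = 0 then
  begin
    MessageBox(0, 'PatchLen must be at least 1', 'Error!', 0);
    Exit;
  end;
  SetLength(Nops, PatchLen);
  FillChar(Nops[0], PatchLen, $90);   { x86 NOP }

  ZeroMemory(@si, SizeOf(si));
  si.cb := SizeOf(si);

  { Run the target from its own directory; nil makes CreateProcess inherit
    ours when Path has no directory part (an empty string would not). }
  WorkDir := MyExtractFilePath(Path);
  if WorkDir <> '' then
    DirPtr := PChar(WorkDir)
  else
    DirPtr := nil;

  if not CreateProcess(PChar(Path), nil, nil, nil, False,
    CREATE_SUSPENDED or CREATE_DEFAULT_ERROR_MODE, nil, DirPtr, si, pi) then
  begin
    MessageBox(0, 'CreateProcess failed! ', 'Error!', 0);
    Exit;
  end;

  try
    { CREATE_SUSPENDED followed by an immediate resume is redundant (the flag
      could simply be dropped); kept from the original. }
    ResumeThread(pi.hThread);

    { Let the packer's stub finish before attaching: it checks for a debugger
      at start-up, so attach only once the program is idle waiting for input. }
    if WaitForInputIdle(pi.hProcess, INFINITE) <> 0 then
    begin
      MessageBox(0, 'WaitForInputIdle failed! ', 'Error!', 0);
      Exit;
    end;

    if not DebugActiveProcess(pi.dwProcessId) then
    begin
      MessageBox(0, 'DebugActiveProcess failed! ', 'Error!', 0);
      Exit;
    end;

    { The watched address must be committed memory, otherwise there is
      nothing to protect. }
    if VirtualQueryEx(pi.hProcess, Pointer(WatchAddr), MemInfo, SizeOf(MemInfo)) = 0 then
    begin
      MessageBox(0, 'VirtualQueryEx failed! ', 'Error!', 0);
      Exit;
    end;
    if MemInfo.State <> MEM_COMMIT then
    begin
      MessageBox(0, 'Watched address is not committed memory', 'Error!', 0);
      Exit;
    end;

    { If the page was never writable, a write to it is a genuine crash, not
      our breakpoint - and "restoring" the old protection below would never
      make the write succeed, so the debuggee would fault forever. }
    NoWritePrt := WithoutWrite(MemInfo.Protect);
    if NoWritePrt = MemInfo.Protect then
    begin
      MessageBox(0, 'Watched page is already non-writable', 'Error!', 0);
      Exit;
    end;

    { VirtualProtectEx works per page, so the page holding WatchAddr - not the
      possibly larger region VirtualQueryEx reports - is the range whose
      faults are ours.  Half-open range; the original compared with <= and
      so accepted the first byte of the next page. }
    GetSystemInfo(SysInfo);
    PgMin := WatchAddr and not (SysInfo.dwPageSize - 1);
    PgMax := PgMin + SysInfo.dwPageSize;

    { Arm the watch: make the page non-writable so the first write faults. }
    if not VirtualProtectEx(pi.hProcess, Pointer(WatchAddr), 1, NoWritePrt, @OldPrt) then
    begin
      MessageBox(0, 'VirtualProtectEx failed! ', 'Error!', 0);
      Exit;
    end;

    SteppingOverWrite := False;
    AttachBpSeen := False;
    while WaitForDebugEvent(DbgEvent, INFINITE) do
    begin
      DbgParam := DBG_CONTINUE;
      case DbgEvent.dwDebugEventCode of
        EXCEPTION_DEBUG_EVENT:
          case DbgEvent.Exception.ExceptionRecord.ExceptionCode of
            EXCEPTION_BREAKPOINT:
              { DebugActiveProcess injects one int3 to announce the attach.
                Swallow only that one; later int3s belong to the target and
                go to its own SEH (the original swallowed all of them). }
              if AttachBpSeen then
                DbgParam := DBG_EXCEPTION_NOT_HANDLED
              else
                AttachBpSeen := True;

            EXCEPTION_SINGLE_STEP:
              if SteppingOverWrite then
              begin
                { The innocent write has executed: re-arm the watch. }
                SteppingOverWrite := False;
                VirtualProtectEx(pi.hProcess, Pointer(WatchAddr), 1, NoWritePrt, @NewPrt);
              end
              else
                DbgParam := DBG_EXCEPTION_NOT_HANDLED;   { not ours }

            EXCEPTION_ACCESS_VIOLATION:
            begin
              { Default: let the debuggee's SEH deal with AVs we did not cause. }
              DbgParam := DBG_EXCEPTION_NOT_HANDLED;
              WExpAddr := DbgEvent.Exception.ExceptionRecord.ExceptionInformation[1];
              { ExceptionInformation[0] = 1 means the access was a write. }
              if (DbgEvent.Exception.ExceptionRecord.ExceptionInformation[0] = 1) and
                 (WExpAddr >= PgMin) and (WExpAddr < PgMax) then
              begin
                { Our fault: DBG_CONTINUE resumes at the faulting EIP. }
                DbgParam := DBG_CONTINUE;
                if WExpAddr <> WatchAddr then
                begin
                  { Write elsewhere on the page: allow it once, then trap
                    right after it so the page can be re-protected. }
                  VirtualProtectEx(pi.hProcess, Pointer(WatchAddr), 1, OldPrt, @NewPrt);
                  hThread := OpenThread(THREAD_CONTEXT_ACCESS, False, DbgEvent.dwThreadId);
                  if hThread <> 0 then
                  begin
                    Ctx.ContextFlags := CONTEXT_CONTROL;
                    if GetThreadContext(hThread, Ctx) then
                    begin
                      Ctx.EFlags := Ctx.EFlags or EFLAGS_TF;
                      if SetThreadContext(hThread, Ctx) then
                        SteppingOverWrite := True;
                    end;
                    CloseHandle(hThread);   { the original leaked this handle per fault }
                  end;
                  { If the trap flag could not be set the page stays writable
                    and the watch is lost; re-protecting immediately would
                    re-fault the same instruction forever, so do not. }
                end
                else
                begin
                  { Hit: NOP out the instruction that writes WatchAddr. }
                  pPatch := DbgEvent.Exception.ExceptionRecord.ExceptionAddress;
                  if VirtualProtectEx(pi.hProcess, pPatch, PatchLen, PAGE_READWRITE, @NewPrt) then
                  begin
                    WriteProcessMemory(pi.hProcess, pPatch, @Nops[0], PatchLen, nil);
                    { NewPrt holds the code page's previous protection. }
                    VirtualProtectEx(pi.hProcess, pPatch, PatchLen, NewPrt, @NewPrt);
                  end;
                  { The watch stays armed so further writers are patched too;
                    each later write to the page still costs a fault + step. }
                end;
              end;
            end;
          else
            DbgParam := DBG_EXCEPTION_NOT_HANDLED;   { debuggee's SEH handles the rest }
          end;

        EXIT_PROCESS_DEBUG_EVENT:
        begin
          { Target is gone; acknowledge and leave the loop. }
          ContinueDebugEvent(DbgEvent.dwProcessId, DbgEvent.dwThreadId, DbgParam);
          Break;
        end;
      end;
      ContinueDebugEvent(DbgEvent.dwProcessId, DbgEvent.dwThreadId, DbgParam);
    end;
  finally
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
  end;
end;

var
  Victim: String;
begin
  { The victim sits next to the loader.  Its name was redacted by the forum
    ("Wise***"); substitute the real file name before building. }
  Victim := MyExtractFilePath(ParamStr(0)) + 'Wise***.exe';
  CreateVictimProcess(Victim);
  Halt;
end.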












